You cannot access this file

ERROR: You can\'t access this file directly!
'); } $config["user_can_update_info"] = false; $config["user_can_update_password"] = false; $config["admin_can_add_user"] = false; $config["admin_can_delete_user"] = false; $config["admin_can_disable_user"] = false; //Not implemented $config["admin_can_make_admin"] = false; //Required and optional keys for this function to work $req_keys = array ("ldap_server", "ldap_base_dn", "ldap_login_attr", "ldap_admin_group_name", "ldap_admin_group_attr", "ldap_admin_group_type", "ldap_user_filter", "ldap_user_attr"); $opt_keys = array ("ldap_port", "ldap_start_tls", "ldap_version", "ldap_admin_dn", "ldap_admin_pwd"); global $ldap_cache; //Needs to be globalized because process_config () function calls this file first and the variable would be local and subsequently lost $ldap_cache = array (); $ldap_cache["error"] = ""; $ldap_cache["ds"] = ""; //Put each required key in a variable. foreach ($req_keys as $key) { if (!isset ($config["auth"][$key])) { user_error ("Required key ".$key." not set", E_USER_ERROR); } } // Convert group name to lower case to prevent problems $config["auth"]["ldap_admin_group_attr"] = strtolower ($config["auth"]["ldap_admin_group_attr"]); $config["auth"]["ldap_admin_group_type"] = strtolower ($config["auth"]["ldap_admin_group_type"]); foreach ($opt_keys as $key) { if (!isset ($config["auth"][$key])) { switch ($key) { case "ldap_start_tls": $config["auth"][$key] = false; continue; case "ldap_version": $config["auth"][$key] = 0; continue; case "ldap_admin_dn": case "ldap_admin_pwd": $config["auth"][$key] = ""; continue; default: //Key not implemented continue; } } } //Reference the global use authorization error to last ldap error. $config["auth_error"] = &$ldap_cache["error"]; unset ($req_keys, $opt_keys); /** * process_user_login accepts $login and $pass and handles it according to current authentication scheme * * @param string $login * @param string $pass * * @return mixed False in case of error or invalid credentials, the username in case it's correct. */ function process_user_login ($login, $pass) { if (!ldap_valid_login ($login, $pass)) { return false; } global $config; $profile = get_db_value ("id_usuario", "tusuario_perfil", "id_usuario", $login); if ($profile === false && empty ($config["auth"]["create_user_undefined"])) { $config["auth_error"] = "No profile"; //Error message, don't translate return false; //User doesn't have a profile so doesn't have access } elseif ($profile === false && !empty ($config["auth"]["create_user_undefined"])) { $ret = create_user_profile ($login); //User doesn't have a profile but we are asked to create one if ($ret === false) { $config["auth_error"] = "Profile creation failed"; //Error message, don't translate return false; //We couldn't create the profile for some or another reason } } return $login; } /** * Checks if a user is administrator. * * @param string User id. * * @return bool True is the user is admin */ function is_user_admin ($user_id) { $admins = get_user_admins (); if (in_array ($user_id, $admins)) { return true; } return false; } /** * Checks if a user exists * * @param string User id. * * @return bool True if the user exists */ function is_user ($id_user) { $user = get_user_info ($id_user); if (empty ($user)) return false; return true; } /** * Gets the users real name * * @param string User id. * * @return string The users full name */ function get_user_fullname ($id_user) { $info = get_user_info ($id_user); if (empty ($info)) { //User doesn't exist return ''; } return (string) $info["fullname"]; } /** * Gets the users email * * @param string User id. * * @return string The users email address */ function get_user_email ($id_user) { $info = get_user_info ($id_user); return (string) $info["email"]; } /** * Get the user id field on a mixed structure. * * This function is needed to make auth system more compatible and independant. * * @param mixed User structure to get id. It might be a row returned from * tusuario or tusuario_perfil. If it's not a row, the int value is returned. */ function get_user_id ($user) { if (is_array ($user)) /* FIXME: Is this right? */ return $user['id_user']; return (int) $user; } /** * Gets the users info * * @param string User id. * * @return array User info */ function get_user_info ($id_user) { global $ldap_cache; if (!empty ($ldap_cache[$id_user])) { return $ldap_cache[$id_user]; } $ldap_cache[$id_user] = ldap_load_user ($id_user); if ($ldap_cache[$id_user] === false) { return array (); } return $ldap_cache[$id_user]; } /** * Get all users that are defined in the admin group in LDAP * * @return array Array of users or empty array */ function get_user_admins () { global $ldap_cache, $config; if (! empty ($ldap_cache["cached_admins"])) { return $ldap_cache["cached_admins"]; } else { $ldap_cache["cached_admins"] = array (); } if (ldap_connect_bind ()) { $search_filter = "(".$config["auth"]["ldap_admin_group_attr"]."=*)"; $sr = ldap_search ( $ldap_cache["ds"], $config["auth"]["ldap_admin_group_name"], $search_filter, array ($config["auth"]["ldap_admin_group_attr"])); if (!$sr) { $ldap_cache["error"] .= 'Error searching LDAP server (get_user_admins): ' . ldap_error ($ldap_cache["ds"]); } else { $admins = ldap_get_entries( $ldap_cache["ds"], $sr); for( $x = 0; $x < $admins[0][$config["auth"]["ldap_admin_group_attr"]]['count']; $x++) { if ($config["auth"]["ldap_admin_group_type"] != 'posixgroup') { $ldap_cache["cached_admins"][] = stripdn ($admins[0][$config["auth"]["ldap_admin_group_attr"]][$x]); } else { $ldap_cache["cached_admins"][] = $admins[0][$config["auth"]["ldap_admin_group_attr"]][$x]; } } @ldap_free_result($sr); } @ldap_close ($ldap_cache["ds"]); } return $ldap_cache["cached_admins"]; } /** * Sets the last login for a user. LDAP doesn't have this (or it's inherent to the login process) * * @param string User id */ function process_user_contact ($id_user) { //Empty function } /** * LDAP user functions based on webcalendar's implementation * * File from webcalendar (GPL) project: * $Id: user-ldap.php,v 1.42.2.1 2007/08/17 14:39:00 umcesrjones Exp $ * * Note: this application assumes that usernames (logins) are unique. */ /** * Function to search the dn for a given user. Error messages in $ldap_cache["error"]; * * @param string User login * * @return mixed The DN if the user is found, false in other case */ function ldap_search_user ($login) { global $ldap_cache, $config; $nick = false; if (ldap_connect_bind ()) { $sr = @ldap_search ($ldap_cache["ds"], $config["auth"]["ldap_base_dn"], "(&(".$config["auth"]["ldap_login_attr"]."=".$login.")".$config["auth"]["ldap_user_filter"].")", array_values ($config["auth"]["ldap_user_attr"])); if (!$sr) { $ldap_cache["error"] .= 'Error searching LDAP server: ' . ldap_error ($ldap_cache["ds"]); } else { $info = @ldap_get_entries ($ldap_cache["ds"], $sr ); if ( $info['count'] != 1 ) { $ldap_cache["error"] .= 'Invalid user'; } else { $nick = $info[0]['dn']; } @ldap_free_result ($sr); } @ldap_close ($ldap_cache["ds"]); } return $nick; } /** * Function to validate the user and password for a given login. Error messages in $ldap_cache["error"]; * * @param string User login * @param string User password (plain text) * * @return bool True if the login is correct, false in other case */ function ldap_valid_login ($login, $password) { global $ldap_cache, $config; if (! function_exists ("ldap_connect")) { die ("Your installation of PHP does not support LDAP"); } $ret = false; if (!empty ($config["auth"]["ldap_port"])) { $ds = @ldap_connect ($config["auth"]["ldap_server"], $config["auth"]["ldap_port"]); //Since this is a separate bind, we don't store it global } else { $ds = @ldap_connect ($config["auth"]["ldap_server"]); //Since this is a separate bind we don't store it global } if ($ds) { if ($config["auth"]["ldap_version"] > 0) { ldap_set_option ($ds, LDAP_OPT_PROTOCOL_VERSION, $config["auth"]["ldap_version"]); } if ($config["auth"]["ldap_start_tls"] && !@ldap_start_tls ($ds)) { $ldap_cache["error"] .= 'Could not start TLS for LDAP connection'; return $ret; } if (ldap_search_user ($login)) { $r = @ldap_bind ($ds, $config["auth"]["ldap_login_attr"]."=".$login.",".$config["auth"]["ldap_base_dn"], $password); if (!$r) { $ldap_cache["error"] .= 'Invalid login'; //$ldap_cache["error"] .= ': incorrect password'; // uncomment for debugging } else { $ret = true; } } else { $ldap_cache["error"] .= 'Invalid login'; //$ldap_cache["error"] .= ': no such user'; } @ldap_close ($ds); } else { $ldap_cache["error"] .= 'Error connecting to LDAP server'; } return $ret; } /** * Function to load user information according to PandoraFMS structure. Error messages in $ldap_cache["error"]; * * @param string User login * * @return mixed Array with the information, false in other case */ function ldap_load_user ($login) { global $ldap_cache, $config; $ret = false; $time = get_system_time (); if (ldap_connect_bind ()) { $sr = ldap_search ($ldap_cache["ds"], $config["auth"]["ldap_base_dn"], "(&(".$config["auth"]["ldap_login_attr"]."=".$login.")".$config["auth"]["ldap_user_filter"].")", array_values ($config["auth"]["ldap_user_attr"])); if (!$sr) { $ldap_cache["error"] .= 'Error searching LDAP server (load_user): ' . ldap_error( $ldap_cache["ds"] ); } else { $info = @ldap_get_entries ($ldap_cache["ds"], $sr); if ($info['count'] != 1) { $ldap_cache["error"] .= 'Invalid login'; //$ldap_cache["error"] .= ', could not load user'; //Uncomment for debugging } else { $ret = array (); foreach ($config["auth"]["ldap_user_attr"] as $internal_key => $ldap_key) { $ret["last_connect"] = $time; $ret["registered"] = $time; $ret["is_admin"] = is_user_admin ($info[0][$config["auth"]["ldap_user_attr"]["id_user"]][0]); if (isset ($info[0][$ldap_key])) { $ret[$internal_key] = $info[0][$ldap_key][0]; } else { $ret[$internal_key] = ''; } } } @ldap_free_result ($sr); } @ldap_close ( $ldap_cache["ds"] ); } else { $ldap_cache["error"] .= 'Could not connect to LDAP server'; } return $ret; } /** * Function to create a new user. We don't do LDAP admin in Pandora, so not implemented. * * @return bool false */ function create_user () { global $ldap_cache; $ldap_cache["error"] .= 'Creating users not supported.'; return false; } /** * Function to update a user. We don't do LDAP admin in Pandora, so not implemented. * * @return bool false */ function process_user () { global $ldap_cache; $ldap_cache["error"] .= 'Updating users not supported.'; return false; } /** * Function to update a user password. We don't do LDAP admin in Pandora, so not implemented. * * @return bool false */ function update_user_password ($user, $password_old, $password_new) { global $ldap_cache; $ldap_cache["error"] = 'Changing passwords not supported'; return false; } /** * Delete a user (preferences etc.) from the pandora database (NOT from LDAP) * * @param string $user User to delete * * @return bool True if successfully deleted, false otherwise */ function delete_user ($user) { global $ldap_cache; $ldap_cache["error"] = 'Deleting users not supported'; return false; } /** * Function to get all users (for LDAP this also includes the admin users which you have to get separate) * * @param string Order currently not done for LDAP * * @return array List if successful, empty array otherwise */ function get_users ($order = false) { global $ldap_cache, $config; if (!empty ($ldap_cache["cached_users"])) { return $ldap_cache["cached_users"]; } $ldap_cache["cached_users"] = array (); $time = get_system_time (); if (ldap_connect_bind ()) { $sr = @ldap_search ($ldap_cache["ds"], $config["auth"]["ldap_base_dn"], $config["auth"]["ldap_user_filter"], array_values ($config["auth"]["ldap_user_attr"])); if (!$sr) { $ldap_cache["error"] .= 'Error searching LDAP server (get_users): ' . ldap_error( $ldap_cache["ds"] ); } else { ldap_sort ($ldap_cache["ds"], $sr, $config["auth"]["ldap_user_attr"]["fullname"]); $info = @ldap_get_entries( $ldap_cache["ds"], $sr ); for ( $i = 0; $i < $info['count']; $i++ ) { foreach ($config["auth"]["ldap_user_attr"] as $internal_key => $ldap_key) { $ret[$info[$i][$config["auth"]["ldap_user_attr"]["id_user"]][0]]["last_connect"] = $time; if (isset ($info[$i][$ldap_key])) { $ret[$info[$i][$config["auth"]["ldap_user_attr"]["id_user"]][0]][$internal_key] = $info[$i][$ldap_key][0]; } else { $ret[$info[$i][$config["auth"]["ldap_user_attr"]["id_user"]][0]][$internal_key] = ''; } $ret[$info[$i][$config["auth"]["ldap_user_attr"]["id_user"]][0]]["is_admin"] = is_user_admin ($info[$i][$config["auth"]["ldap_user_attr"]["id_user"]][0]); } } @ldap_free_result($sr); } @ldap_close ( $ldap_cache["ds"] ); } //Admins are also users and since they can be in separate channels in LDAP, we merge them $ldap_cache["cached_users"] = $ret; return $ldap_cache["cached_users"]; } /** * Strip everything but the username (uid) from a dn. * Example: path description * stripdn(uid=jeffh,ou=people,dc=example,dc=com) returns jeffh * @param string dn the dn you want to strip the uid from. * @return string userid */ function stripdn ($dn) { list ($uid, $trash) = explode (',', $dn, 2); list ($trash, $user) = explode ('=', $uid); return ($user); } /** * Connects and binds to the LDAP server * Tries to connect as $config["auth"]["ldap_admin_dn"] if we set it. * @return boolean Bind result or false */ function ldap_connect_bind () { global $ldap_cache, $config; if (! function_exists ('ldap_connect')) { die ('Your installation of PHP does not support LDAP'); } $ret = false; if (!empty ($config["auth"]["ldap_port"]) && !is_resource ($ldap_cache["ds"])) { $ldap_cache["ds"] = @ldap_connect ($config["auth"]["ldap_server"], $config["auth"]["ldap_port"]); } elseif (!is_resource ($ldap_cache["ds"])) { $ldap_cache["ds"] = @ldap_connect ($config["auth"]["ldap_server"]); } else { return true; } if ($ldap_cache["ds"]) { if (!empty ($config["auth"]["ldap_version"])) { ldap_set_option($ldap_cache["ds"], LDAP_OPT_PROTOCOL_VERSION, $config["auth"]["ldap_version"]); } if (!empty ($config["auth"]["ldap_start_tls"])) { if (!ldap_start_tls ($ldap_cache["ds"])) { $ldap_cache["error"] .= 'Could not start TLS for LDAP connection'; return $ret; } } if (!empty ($config["auth"]["ldap_admin_dn"])) { $r = @ldap_bind ($ldap_cache["ds"], $config["auth"]["ldap_admin_dn"], $config["auth"]["ldap_admin_pwd"]); } else { $r = @ldap_bind ($ldap_cache["ds"]); } if (!$r) { $ldap_cache["error"] .= 'Invalid bind login for LDAP Server or (in case of OpenLDAP 2.x) could not connect'; return $ret; } return true; } else { $ldap_cache["error"] .= 'Error connecting to LDAP server'; return $ret; } } ?>