You cannot access this file

ERROR: You can\'t access this file directly!
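'); }

include_once($config['homedir'] . "/include/functions_profile.php");
enterprise_include ('include/auth/mysql.php');

// Capability flags of this auth backend; they are consumed outside this file.
$config["user_can_update_info"] = true;
$config["user_can_update_password"] = true;
$config["admin_can_add_user"] = true;
$config["admin_can_delete_user"] = true;
$config["admin_can_disable_user"] = false; //currently not implemented
$config["admin_can_make_admin"] = true;

/**
 * process_user_login accepts $login and $pass and handles it according to
 * the current authentication scheme ($config["auth"]).
 *
 * Administrators are always checked against the local database; everybody
 * else goes through the remote scheme, with a local fallback when
 * $config['fallback_local_auth'] is '1'.
 *
 * @param string $login
 * @param string $pass
 * @param boolean $api True when the login comes from the API (the local check
 *                     then also accepts users flagged not_login).
 *
 * @return mixed False in case of error or invalid credentials, the username in case it's correct.
 */
function process_user_login ($login, $pass, $api = false) {
	global $config, $mysql_cache;

	// Always authenticate admins against the local database
	if (strtolower ($config["auth"]) == 'mysql' || is_user_admin ($login)) {
		return process_user_login_local ($login, $pass, $api);
	}

	$login_remote = process_user_login_remote ($login, $pass, $api);
	if ($login_remote == false && $config['fallback_local_auth'] == '1') {
		return process_user_login_local ($login, $pass, $api);
	}
	return $login_remote;
}

/**
 * Authenticate $login / $pass against the local tusuario table.
 *
 * @param string $login User id as typed in the login form / API request (untrusted).
 * @param string $pass Password in plain text.
 * @param boolean $api When false, users with not_login = 1 are rejected.
 *
 * @return mixed The user id as stored in the database on success, false
 *               otherwise (with $config["auth_error"] set).
 */
function process_user_login_local ($login, $pass, $api = false) {
	global $config, $mysql_cache;

	// $login is request input: escape it before it is interpolated into the
	// statements below (the previous version used it verbatim).
	$login_sql = db_escape_string_sql ($login);

	// Build the lookup for the configured database flavour.
	$sql = false;
	switch ($config["dbtype"]) {
		case "mysql":
			if (! $api) {
				$sql = sprintf ("SELECT `id_user`, `password` FROM `tusuario` WHERE `id_user` = '%s' AND `not_login` = 0 AND `disabled` = 0", $login_sql);
			}
			else {
				$sql = sprintf ("SELECT `id_user`, `password` FROM `tusuario` WHERE `id_user` = '%s' AND `disabled` = 0", $login_sql);
			}
			break;
		case "postgresql":
			if (! $api) {
				$sql = sprintf ('SELECT "id_user", "password" FROM "tusuario" WHERE "id_user" = \'%s\' AND "not_login" = 0 AND "disabled" = 0', $login_sql);
			}
			else {
				$sql = sprintf ('SELECT "id_user", "password" FROM "tusuario" WHERE "id_user" = \'%s\' AND "disabled" = 0', $login_sql);
			}
			break;
		case "oracle":
			if (! $api) {
				$sql = sprintf ('SELECT id_user, password FROM tusuario WHERE id_user = \'%s\' AND not_login = 0 AND disabled = 0', $login_sql);
			}
			else {
				$sql = sprintf ('SELECT id_user, password FROM tusuario WHERE id_user = \'%s\' AND disabled = 0', $login_sql);
			}
			break;
	}

	// Unknown dbtype: the previous version queried with an undefined $sql.
	// Treat it as a failed login instead.
	$row = ($sql !== false) ? db_get_row_sql ($sql) : false;

	// Check that the row exists, that the stored hash is not md5('') (which
	// would accept an empty password) and that it matches the given password.
	// Strict comparison on purpose: `==` between two hash strings is
	// numeric-aware in PHP, so hashes of the form "0e<digits>" would compare
	// equal to each other.
	if ($row !== false && $row["password"] !== md5 ("") && $row["password"] === md5 ($pass)) {
		// Login OK
		// Nick could be uppercase or lowercase (select in MySQL
		// is not case sensitive)
		// We get DB nick to put in PHP Session variable,
		// to avoid problems with case-sensitive usernames.
		// Thanks to David Muñiz for Bug discovery :)
		return $row["id_user"];
	}

	// Failed: distinguish accounts restricted to the API from everything else.
	if (! user_can_login ($login)) {
		$mysql_cache["auth_error"] = "User only can use the API.";
		$config["auth_error"] = "User only can use the API.";
	}
	else {
		$mysql_cache["auth_error"] = "User not found in database or incorrect password";
		$config["auth_error"] = "User not found in database or incorrect password";
	}
	return false;
}

/**
 * Authenticate against the remote scheme selected by $config["auth"]
 * (ldap, ad, pandora, integria) and make sure a matching local user exists,
 * creating it when $config['autocreate_remote_users'] allows it.
 *
 * @param string $login User id as typed by the user.
 * @param string $pass Password in plain text.
 * @param boolean $api Unused here; kept for symmetry with process_user_login_local().
 *
 * @return mixed The local user id on success, false otherwise
 *               (with $config["auth_error"] set).
 */
function process_user_login_remote ($login, $pass, $api = false) {
	global $config, $mysql_cache;

	// Remote authentication
	switch ($config["auth"]) {
		// LDAP
		case 'ldap':
			if (ldap_process_user_login ($login, $pass) === false) {
				$config["auth_error"] = "User not found in database or incorrect password";
				return false;
			}
			break;
		// Active Directory
		case 'ad':
			if (enterprise_hook ('ad_process_user_login', array ($login, $pass)) === false) {
				$config["auth_error"] = "User not found in database or incorrect password";
				return false;
			}
			break;
		// Remote Pandora FMS
		case 'pandora':
			if (enterprise_hook ('remote_pandora_process_user_login', array ($login, $pass)) === false) {
				$config["auth_error"] = "User not found in database or incorrect password";
				return false;
			}
			break;
		// Remote Integria
		case 'integria':
			if (enterprise_hook ('remote_integria_process_user_login', array ($login, $pass)) === false) {
				$config["auth_error"] = "User not found in database or incorrect password";
				return false;
			}
			break;
		// Unknown authentication method
		default:
			$config["auth_error"] = "User not found in database or incorrect password";
			return false;
	}

	// For LDAP the local user id may be a different attribute (e.g. mail) than
	// the one the user typed; keep the typed value for the LDAP lookups below.
	if ($config["auth"] === 'ldap') {
		$login_user_attribute = $login;
		if (($config['ldap_login_user_attr'] != 'name') && ($config['ldap_login_user_attr'] != null)) {
			$login = get_ldap_login_attr ($login);
		}
	}

	// Authentication ok, check if the user exists in the local database
	if (is_user ($login)) {
		if (! user_can_login ($login)) {
			return false;
		}
		if (($config["auth"] === 'ad') && (isset ($config['ad_advanced_config']) && $config['ad_advanced_config'])) {
			$return = enterprise_hook ('prepare_permissions_groups_of_user_ad', array ($login, $pass, false, true, defined ('METACONSOLE')));
			if ($return === "error_permissions") {
				$config["auth_error"] = __("Problems with configuration permissions. Please contact with Administrator");
				return false;
			}
			if ($return === "permissions_changed") {
				$config["auth_error"] = __("Your permissions have changed. Please, login again.");
				return false;
			}
		}
		elseif ($config["auth"] === 'ldap') {
			if ($config['ldap_save_password']) {
				// A changed LDAP password is mirrored locally; the user must log in again.
				$update_credentials = change_local_user_pass_ldap ($login, $pass);
				if ($update_credentials) {
					$config["auth_error"] = __("Your permissions have changed. Please, login again.");
					return false;
				}
			}
			else {
				delete_user_pass_ldap ($login);
			}
		}
		return $login;
	}

	// The user does not exist and can not be created
	if ($config['autocreate_remote_users'] == 0 || is_user_blacklisted ($login)) {
		$config["auth_error"] = __("Ooops User not found in database or incorrect password");
		return false;
	}

	if ($config["auth"] === 'ad' && (isset ($config['ad_advanced_config']) && $config['ad_advanced_config'])) {
		if (defined ('METACONSOLE')) {
			enterprise_include_once ('include/functions_metaconsole.php');
			enterprise_include_once ('meta/include/functions_groups_meta.php');
			$return = groups_meta_synchronizing ();
			if ($return["group_create_err"] > 0 || $return["group_update_err"] > 0) {
				$config["auth_error"] = __('Fail the group synchronizing');
				return false;
			}
			$return = meta_tags_synchronizing ();
			if ($return['tag_create_err'] > 0 || $return['tag_update_err'] > 0) {
				$config["auth_error"] = __('Fail the tag synchronizing');
				return false;
			}
		}
		// Create the user
		if (enterprise_hook ('prepare_permissions_groups_of_user_ad', array ($login, $pass, array ('fullname' => $login, 'comments' => 'Imported from ' . $config['auth']), false, defined ('METACONSOLE'))) === false) {
			$config["auth_error"] = __("User not found in database or incorrect password");
			return false;
		}
	}
	elseif ($config["auth"] === 'ldap') {
		if (defined ('METACONSOLE')) {
			enterprise_include_once ('include/functions_metaconsole.php');
			enterprise_include_once ('meta/include/functions_groups_meta.php');
			$return = groups_meta_synchronizing ();
			if ($return["group_create_err"] > 0 || $return["group_update_err"] > 0) {
				$config["auth_error"] = __('Fail the group synchronizing');
				return false;
			}
			$return = meta_tags_synchronizing ();
			if ($return['tag_create_err'] > 0 || $return['tag_update_err'] > 0) {
				$config["auth_error"] = __('Fail the tag synchronizing');
				return false;
			}
		}
		// Create the user
		$prepare_perms = prepare_permissions_groups_of_user_ldap ($login_user_attribute, $pass, array ('fullname' => $login_user_attribute, 'comments' => 'Imported from ' . $config['auth']), false, defined ('METACONSOLE'));
		if (! $prepare_perms) {
			$config["auth_error"] = __("User not found in database or incorrect password");
			return false;
		}
	}
	else {
		$user_info = array ('fullname' => $login, 'comments' => 'Imported from ' . $config['auth']);
		if (is_metaconsole () && $config["auth"] === 'ad')
			$user_info['metaconsole_access_node'] = $config['ad_adv_user_node'];

		// Create the user in the local database
		if (create_user ($login, $pass, $user_info) === false) {
			$config["auth_error"] = __("User not found in database or incorrect password");
			return false;
		}
		profile_create_user_profile ($login, $config['default_remote_profile'], $config['default_remote_group'], false, $config['default_assign_tags']);

		//TODO: Check the creation in the nodes
		if (is_metaconsole ()) {
			enterprise_include_once ('include/functions_metaconsole.php');
			enterprise_include_once ('meta/include/functions_groups_meta.php');
			$return = groups_meta_synchronizing ();
			if ($return["group_create_err"] > 0 || $return["group_update_err"] > 0) {
				$config["auth_error"] = __('Fail the group synchronizing');
				return false;
			}
			$return = meta_tags_synchronizing ();
			if ($return['tag_create_err'] > 0 || $return['tag_update_err'] > 0) {
				$config["auth_error"] = __('Fail the tag synchronizing');
				return false;
			}
			$servers = metaconsole_get_servers ();
			foreach ($servers as $server) {
				$perfil_maestro = db_get_row ('tperfil', 'id_perfil', $config['default_remote_profile']);
				if (metaconsole_connect ($server) == NOERR) {
					if (! profile_exist ($perfil_maestro['name'])) {
						unset ($perfil_maestro['id_perfil']);
						$id_profile = db_process_sql_insert ('tperfil', $perfil_maestro);
					}
					else {
						$id_profile = db_get_value ('id_perfil', 'tperfil', 'name', $perfil_maestro['name']);
					}
					if ($config["auth"] === 'ad') {
						unset ($user_info['metaconsole_access_node']);
						$user_info['not_login'] = (int) ! $config['ad_adv_user_node'];
					}
					// No `continue` here: the previous version skipped
					// metaconsole_restore_db() when create_user() failed,
					// presumably leaving the connection pointed at the node.
					if (create_user ($login, $pass, $user_info) !== false) {
						profile_create_user_profile ($login, $id_profile, $config['default_remote_group'], false, $config['default_assign_tags']);
					}
				}
				metaconsole_restore_db ();
			}
		}
	}
	return $login;
}

/**
 * Checks if a user is administrator.
 *
 * @param string User id.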
*
 * @return bool True if the user row has is_admin set.
 */
function is_user_admin ($id_user) {
	$flag = db_get_value ('is_admin', 'tusuario', 'id_user', $id_user);
	return (bool) $flag;
}

/**
 * Get the user id field on a mixed structure.
 *
 * This function is needed to make auth system more compatible and independant.
 *
 * @param mixed User structure to get id. It might be a row returned from
 * tusuario (key id_user) or tusuario_perfil (key id_usuario). Anything that is
 * not an array is returned untouched.
 *
 * @return mixed The user id, or false when the array carries neither key.
 */
function get_user_id ($user) {
	if (! is_array ($user)) {
		return $user;
	}
	// Row from tusuario first, then from tusuario_perfil.
	foreach (array ('id_user', 'id_usuario') as $key) {
		if (isset ($user[$key])) {
			return $user[$key];
		}
	}
	return false;
}

/**
 * Check is a user exists in the system
 *
 * @param mixed User id (or a row accepted by get_user_id()).
 *
 * @return bool True if the user exists.
 */
function is_user ($user) {
	$row = db_get_row ('tusuario', 'id_user', get_user_id ($user));
	return (bool) $row;
}

/**
 * Whether a user may log in interactively (not_login = 0 in tusuario).
 *
 * @param string User id.
 *
 * @return bool True unless the not_login flag is set.
 */
function user_can_login ($user) {
	$not_login = db_get_value ('not_login', 'tusuario', 'id_user', $user);
	return ($not_login == 0);
}

/**
 * Gets the users real name
 *
 * @param mixed User id.
 *
 * @return string The users full name ('' when the user is unknown).
 */
function get_user_fullname ($user) {
	$fullname = db_get_value ('fullname', 'tusuario', 'id_user', get_user_id ($user));
	return (string) $fullname;
}

/**
 * Gets the users email
 *
 * @param mixed User id.
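*
 * @return string The users email address ('' when the user is unknown).
 */
function get_user_email ($user) {
	return (string) db_get_value ('email', 'tusuario', 'id_user', get_user_id ($user));
}

/**
 * Gets a Users info
 *
 * @param mixed User id (or a row accepted by get_user_id()).
 *
 * @return mixed The tusuario row of the user, or whatever db_get_row() returns
 *               when there is none.
 */
function get_user_info ($user) {
	return db_get_row ("tusuario", "id_user", get_user_id ($user));
}

/**
 * Get a list of all users in an array [username] => array (userinfo)
 * We can't simplify this because some auth schemes (like LDAP) automatically (or it's at least cheaper to) return all the information
 * Functions like get_user_info allow selection of specifics (in functions_db)
 *
 * @param mixed Field to order by (id_user, fullname or registered), or an
 *              array ('field' => ..., 'order' => ...) used verbatim.
 * @param mixed Filter array passed on to db_get_all_rows_filter(), or false.
 * @param mixed Fields passed on to db_get_all_rows_filter(), or false.
 *
 * @return array An array of user information
 */
function get_users ($order = "fullname", $filter = false, $fields = false) {
	// $filter defaults to false; writing $filter['order'] into a boolean relied
	// on implicit array conversion (deprecated since PHP 8.1), so start from an array.
	if (! is_array ($filter)) {
		$filter = array ();
	}

	if (is_array ($order)) {
		// NOTE(review): $order['field'] / $order['order'] reach the ORDER BY
		// clause unvalidated; callers must not pass request-controlled values.
		$filter['order'] = $order['field'] . ' ' . $order['order'];
	}
	else {
		// Only a known column may be used as the sort key.
		$allowed_order = array ("registered", "last_connect", "fullname");
		if (! in_array ($order, $allowed_order, true)) {
			$order = "fullname";
		}
		$filter['order'] = $order . " ASC";
	}

	$output = array ();
	$result = db_get_all_rows_filter ("tusuario", $filter, $fields);
	if ($result !== false) {
		foreach ($result as $row) {
			$output[$row["id_user"]] = $row;
		}
	}
	return $output;
}

/**
 * Sets the last login for a user
 *
 * @param string User id
 *
 * @return mixed Result of db_process_sql_update().
 */
function process_user_contact ($id_user) {
	return db_process_sql_update ("tusuario",
		array ("last_connect" => get_system_time ()),
		array ("id_user" => $id_user));
}

/**
 * Create a new user
 *
 * @param string User id.
 * @param string Password in plain text.
 * @param array Extra tusuario columns (fullname, comments, ...).
 *
 * @return bool True when the row was inserted, false otherwise.
 */
function create_user ($id_user, $password, $user_info) {
	$values = $user_info;
	$values["id_user"] = $id_user;
	// Unsalted MD5 is the scheme process_user_login_local() verifies against;
	// it cannot be changed here alone.
	$values["password"] = md5 ($password);
	$values["last_connect"] = 0;
	$values["registered"] = get_system_time ();

	return (@db_process_sql_insert ("tusuario", $values)) !== false;
}

/**
 * Save password history
 *
 * @param string User id.
 * @param string Password in plain text (stored as its MD5 hash).
 *
 * @return bool True when the row was inserted, false otherwise.
 */
function save_pass_history ($id_user, $password) {
	$values = array ();
	$values["id_user"] = $id_user;
	$values["password"] = md5 ($password);
	$values["date_begin"] = date ("Y/m/d H:i:s", get_system_time ());

	return (@db_process_sql_insert ("tpassword_history", $values)) !== false;
}

/**
 * Deletes the user
 *
 * Profiles (tusuario_perfil) are removed before the tusuario row.
 *
 * @param string User id
 *
 * @return bool False as soon as one of the two deletes fails, true otherwise.
 */
function delete_user ($id_user) {
	$result = db_process_sql_delete ('tusuario_perfil', array ('id_usuario' => $id_user));
	if ($result === false) {
		return false;
	}

	$result = db_process_sql_delete ('tusuario', array ('id_user' => $id_user));
	if ($result === false) {
		return false;
	}

	return true;
}

/**
 * Update the password in MD5 for user pass as id_user with
 * password in plain text.
 *
 * With $config['auth'] == 'pandora' the password is updated on the remote
 * Pandora database first; a failure there aborts the local update.
 *
 * @param string user User ID
 * @param string password Password in plain text.
 *
 * @return mixed False in case of error or invalid values passed. Affected rows otherwise
 */
function update_user_password ($user, $password_new) {
	global $config;

	$password_hash = md5 ($password_new);

	if (isset ($config['auth']) && $config['auth'] == 'pandora') {
		// The previous version passed the fully concatenated statement as the
		// sprintf() *format*, so a user id containing '%' corrupted the query.
		// Use real placeholders and escape the id before it reaches the statement.
		$sql = sprintf ("UPDATE tusuario SET password = '%s', last_pass_change = '%s' WHERE id_user = '%s'",
			$password_hash,
			date ("Y-m-d H:i:s", get_system_time ()),
			db_escape_string_sql ($user));

		$connection = mysql_connect_db ($config['rpandora_server'], $config['rpandora_dbname'], $config['rpandora_user'], $config['rpandora_pass']);
		// Do not run the statement with a falsy handle: it must go to the remote DB only.
		if (! $connection) {
			$config["auth_error"] = __('Could not changes password on remote pandora');
			return false;
		}

		$remote_pass_update = db_process_sql ($sql, 'affected_rows', $connection);
		if (! $remote_pass_update) {
			$config["auth_error"] = __('Could not changes password on remote pandora');
			return false;
		}
	}

	return db_process_sql_update ('tusuario',
		array ('password' => $password_hash, 'last_pass_change' => date ("Y/m/d H:i:s", get_system_time ())),
		array ('id_user' => $user));
}

/**
 * Update the data of a user that user is choose with
 * id_user.
 *
 * @param string user User ID
 * @param array values Associative array with index as name of field and content.
 *
 * @return mixed False in case of error or invalid values passed. Affected rows otherwise
 */
function update_user ($id_user, $values) {
	if (! is_array ($values))
		return false;

	return db_process_sql_update ("tusuario", $values, array ("id_user" => $id_user));
}

/**
 * Escape a value for use inside an LDAP search filter (RFC 4515).
 *
 * Without this, filter metacharacters in a user-supplied login change the
 * structure of the filters built in ldap_process_user_login() and
 * get_ldap_login_attr().
 *
 * @param string Raw attribute value.
 *
 * @return string Value with \ * ( ) and NUL escaped as \5c \2a \28 \29 \00.
 */
function auth_ldap_escape_filter_value ($value) {
	if (function_exists ('ldap_escape')) {
		return ldap_escape ($value, '', LDAP_ESCAPE_FILTER);
	}
	// Backslash first, so the escapes introduced below are not re-escaped.
	return str_replace (
		array ("\\", "*", "(", ")", "\0"),
		array ('\5c', '\2a', '\28', '\29', '\00'),
		(string) $value);
}

/**
 * Authenticate against an LDAP server.
 *
 * The user's entry is located with the (optional) admin bind, then a bind is
 * attempted with the user's own credentials.
 *
 * @param string User login
 * @param string User password (plain text)
 *
 * @return bool True if the login is correct, false in other case
 *              (with $config["auth_error"] set where a reason is known).
 */
function ldap_process_user_login ($login, $password) {
	global $config;

	if (! function_exists ("ldap_connect")) {
		$config["auth_error"] = __('Your installation of PHP does not support LDAP');
		return false;
	}

	// Connect to the LDAP server
	$ds = @ldap_connect ($config["ldap_server"], $config["ldap_port"]);
	if (! $ds) {
		$config["auth_error"] = 'Error connecting to LDAP server';
		return false;
	}

	// Set the LDAP version
	ldap_set_option ($ds, LDAP_OPT_PROTOCOL_VERSION, $config["ldap_version"]);
	if ($config["ldap_start_tls"]) {
		if (! @ldap_start_tls ($ds)) {
			$config["auth_error"] = 'Could not start TLS for LDAP connection';
			@ldap_close ($ds);
			return false;
		}
	}

	// Optional service bind used for the lookup below.
	if ($config['ldap_admin_login'] != "" && $config['ldap_admin_pass'] != "") {
		if (! @ldap_bind ($ds, io_safe_output ($config['ldap_admin_login']), $config['ldap_admin_pass'])) {
			$config["auth_error"] = 'Admin ldap connection fail';
			@ldap_close ($ds);
			return false;
		}
	}

	$dc = io_safe_output ($config["ldap_base_dn"]);

	// Look up the entry of this login. The login is user supplied, so it is
	// escaped before being placed in the filter.
	$filter = "(" . $config['ldap_login_attr'] . "=" . auth_ldap_escape_filter_value (io_safe_output ($login)) . ")";
	$justthese = array ("objectclass=group");
	$sr = @ldap_search ($ds, $dc, $filter, $justthese);
	// A failed search no longer reaches ldap_get_entries() with a bogus result.
	$memberof = ($sr !== false) ? ldap_get_entries ($ds, $sr) : false;
	if ($memberof === false || $memberof["count"] == 0 || ! isset ($memberof[0])) {
		@ldap_close ($ds);
		return false;
	}
	$memberof = $memberof[0];
	unset ($memberof["count"]);

	// Bind with the entry DN when a base DN is configured, otherwise with the
	// login itself. An empty password is rejected explicitly: LDAP servers may
	// treat a bind with an empty password as anonymous, which would succeed
	// for any user.
	$ldap_base_dn = ! empty ($config["ldap_base_dn"]) ? "," . io_safe_output ($config["ldap_base_dn"]) : '';
	$bind_dn = ($ldap_base_dn !== '') ? io_safe_output ($memberof['dn']) : io_safe_output ($login);
	$correct = (strlen ($password) != 0 && @ldap_bind ($ds, $bind_dn, $password));
	@ldap_close ($ds);

	if (! $correct) {
		$config["auth_error"] = 'User not found in database or incorrect password';
		return false;
	}
	return true;
}

/**
 * Resolve the local user id for an LDAP login.
 *
 * When $config['ldap_login_user_attr'] is 'mail', the entry's mail attribute
 * is used as the local user id; otherwise (or when the lookup yields nothing)
 * the login is returned unchanged.
 *
 * @param string User login.
 *
 * @return mixed The local user id, or false when LDAP is unavailable or the
 *               admin bind fails (with $config["auth_error"] set).
 */
function get_ldap_login_attr ($login) {
	global $config;

	if (! function_exists ("ldap_connect")) {
		$config["auth_error"] = __('Your installation of PHP does not support LDAP');
		return false;
	}

	// Connect to the LDAP server
	$ds = @ldap_connect ($config["ldap_server"], $config["ldap_port"]);
	if (! $ds) {
		$config["auth_error"] = 'Error connecting to LDAP server';
		return false;
	}

	// Set the LDAP version
	ldap_set_option ($ds, LDAP_OPT_PROTOCOL_VERSION, $config["ldap_version"]);
	if ($config["ldap_start_tls"]) {
		if (! @ldap_start_tls ($ds)) {
			$config["auth_error"] = 'Could not start TLS for LDAP connection';
			@ldap_close ($ds);
			return false;
		}
	}

	$id_user = $login;
	if ($config['ldap_login_user_attr'] == 'mail') {
		$dc = io_safe_output ($config["ldap_base_dn"]);

		if ($config['ldap_admin_login'] != "" && $config['ldap_admin_pass'] != "") {
			if (! @ldap_bind ($ds, io_safe_output ($config['ldap_admin_login']), $config['ldap_admin_pass'])) {
				$config["auth_error"] = 'Admin ldap connection fail';
				@ldap_close ($ds);
				return false;
			}
		}

		$filter = "(" . $config['ldap_login_attr'] . "=" . auth_ldap_escape_filter_value (io_safe_output ($id_user)) . ")";
		$justthese = array ("mail");
		$sr = @ldap_search ($ds, $dc, $filter, $justthese);
		$info = ($sr !== false) ? ldap_get_entries ($ds, $sr) : false;
		// Fall back to the login itself when the entry or its mail attribute is missing.
		if ($info !== false && $info["count"] > 0 && isset ($info[0]['mail'][0])) {
			$id_user = $info[0]['mail'][0];
		}
	}

	// Close once here: the previous version leaked the connection for every
	// ldap_login_user_attr other than 'mail'.
	@ldap_close ($ds);
	return $id_user;
}

/**
 * Checks if a user is in the autocreate blacklist.
 *
 * @param string User
 *
 * @return bool True if the user is in the blacklist, false otherwise.
 */
function is_user_blacklisted ($user) {
	global $config;

	$blisted_users = explode (',', $config['autocreate_blacklist']);
	// Strict string comparison: the loose `==` of the previous version treated
	// numeric-looking ids ("1e1" vs "10") as equal.
	return in_array ((string) $user, $blisted_users, true);
}

/**
 * Check permissions in LDAP for prepare to create user in Pandora.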
*
 * @param string $id_user Login (value of the configured LDAP login attribute).
 * @param string $password Password in plain text; an empty one is rejected.
 * @param array $user_info Columns for the tusuario row when the user has to be created.
 * @param bool $check_permissions When true, only compare/apply permissions via check_permission_ldap().
 * @param bool $syncronize Propagate to metaconsole nodes (effective only when METACONSOLE is defined).
 *
 * @return mixed False on any LDAP/bind/permission failure; the result of
 *               check_permission_ldap() when $check_permissions is set; the
 *               result of create_user_and_permisions_ldap() when the user had
 *               to be created; null for an already existing user ($create_user
 *               is never assigned on that path).
 */
function prepare_permissions_groups_of_user_ldap ($id_user, $password, $user_info, $check_permissions = false, $syncronize = false) {
	global $config;

	include_once($config['homedir'] . "/include/functions_html.php");

	if (! function_exists ("ldap_connect")) {
		return false;
	}

	// Do not allow blank passwords
	if ($password == "") {
		return false;
	}

	// Connect to the LDAP server
	$ds = @ldap_connect ($config["ldap_server"], $config["ldap_port"]);
	if (!$ds) {
		return false;
	}

	// Set the LDAP version
	ldap_set_option ($ds, LDAP_OPT_PROTOCOL_VERSION, $config["ldap_version"]);

	if ($config["ldap_start_tls"]) {
		if (!@ldap_start_tls ($ds)) {
			@ldap_close ($ds);
			return false;
		}
	}

	$dc = io_safe_output($config["ldap_base_dn"]);

	// Optional service bind; a failure here is the only one on this path that
	// sets $config["auth_error"].
	$correct_admin_bind = true;
	if ($config['ldap_admin_login'] != "" && $config['ldap_admin_pass'] != "") {
		if (!@ldap_bind($ds, io_safe_output($config['ldap_admin_login']), $config['ldap_admin_pass'])) {
			$correct_admin_bind = false;
		}
	}
	if (!$correct_admin_bind) {
		$config["auth_error"] = 'Admin ldap connection fail';
		@ldap_close ($ds);
		return false;
	}

	// Look up the entry of this login; its attributes are iterated below as
	// group memberships.
	// NOTE(review): $id_user is placed in the filter unescaped (only HTML
	// entities are decoded), so filter metacharacters in the login alter the query.
	$filter="(" . $config['ldap_login_attr'] . "=" . io_safe_output($id_user) . ")";
	$justthese = array("objectclass=group");
	$sr = ldap_search($ds, $dc, $filter, $justthese);
	$memberof = ldap_get_entries($ds, $sr);

	if ($memberof["count"] == 0 && !isset($memberof[0]["memberof"])) {
		@ldap_close ($ds);
		return false;
	}
	else {
		$memberof = $memberof[0];
	}
	unset($memberof["count"]);

	// Bind as the user: with the entry DN when a base DN is configured,
	// otherwise with the login. strlen() != 0 keeps an empty password from
	// turning into an anonymous bind.
	$ldap_base_dn = !empty($config["ldap_base_dn"]) ? "," . io_safe_output($config["ldap_base_dn"]) : '';

	$correct = false;
	if(!empty($ldap_base_dn)) {
		if (strlen($password) != 0 && @ldap_bind($ds, $memberof['dn'], $password) ) {
			$correct = true;
		}
	}
	else {
		// NOTE(review): $login is not defined in this function (the parameter
		// is $id_user), so this bind uses an empty name; looks copied from
		// ldap_process_user_login() — confirm.
		if (strlen($password) != 0 && @ldap_bind($ds, io_safe_output($login), $password) ) {
			$correct = true;
		}
	}

	if (!$correct) {
		@ldap_close ($ds);
		return false;
	}

	// Map the user's LDAP groups onto the profile/group rules configured in
	// $config['ldap_adv_perms'] (JSON). Each matching rule becomes one
	// $permissions entry {profile, groups, tags}.
	$permissions = array();
	$i = 0;
	$count_total = 0;

	$ldap_adv_perms = json_decode(io_safe_output($config['ldap_adv_perms']), true);
	foreach ($ldap_adv_perms as $ldap_adv_perm) {
		$groups = $ldap_adv_perm['groups_ldap'];
		if ($groups[0] == '') {
			$groups = array();
		}
		else {
			$groups = $groups[0];
		}
		// $count_ad_adv_perms is computed but never read.
		$count_ad_adv_perms = count(explode(",", $groups));

		// NOTE(review): $tags is not assigned before this implode() and
		// $tags_ids is never used, so the rule's tags never reach
		// $permissions — confirm the intended source of the tags.
		$tags_ids = array();
		$tags = implode(",", $tags);
		if ($tags == null) {
			$tags = "";
		}

		foreach ($memberof as $member) {
			// Strip "<login_attr>=", the "<id_user>," prefix and the ",<base dn>"
			// suffix so only the group part of the member DN remains.
			$member_to_compare = str_replace($config['ldap_login_attr'] . "=", "", $member);
			$member_to_compare = str_replace($id_user . ",", "", $member_to_compare);
			$member_to_compare = str_replace("," . $dc, "", $member_to_compare);

			if (($member_to_compare == $dc) && (empty($groups))) {
				$count_total++;
			}
			else {
				$member_to_compare = explode(",", $member_to_compare);
				// NOTE(review): after the first $member this explode() receives
				// an array ($groups was already split) — confirm intended for
				// multi-valued memberof.
				$groups = explode(",", $groups);
				foreach ($groups as $g) {
					if ($member_to_compare[0] == $g) {
						$count_total++;
					}
				}
			}
		}

		if ($count_total > 0) {
			$profile_id = $ldap_adv_perm['profile'];
			$id_grupos = $ldap_adv_perm['group'];

			// A matching rule without a profile is a configuration error.
			if (empty($profile_id)) {
				@ldap_close ($ds);
				return false;
			}

			$permissions[$i]["profile"] = $profile_id;
			$permissions[$i]["groups"] = $id_grupos;
			$permissions[$i]["tags"] = $tags;
		}

		$i++;
		$count_total = 0;
		$count_ad_adv_perms = 0;
	}

	if ( $check_permissions ) {
		$result = check_permission_ldap ($id_user, $password, $user_info, $permissions, $syncronize);
		@ldap_close ($ds);
		return $result;
	}

	if (!is_user ($id_user)) {
		// When the local id is another attribute (mail), resolve it now so the
		// user is created under that id.
		if (($config['ldap_login_user_attr'] != 'name') && ($config['ldap_login_user_attr'] != null)) {
			switch ($config['ldap_login_user_attr']) {
				case 'mail':
					$filter="(" . $config['ldap_login_attr'] . "=" . io_safe_output($id_user) . ")";
					$justthese = array("mail");
					$sr = ldap_search($ds, $dc, $filter, $justthese);
					$info = ldap_get_entries($ds, $sr);

					if ($info["count"] == 0 && !isset($info[0]["mail"])) {
						@ldap_close ($ds);
						return false;
					}
					else {
						$info = $info[0];
					}
					$id_user = $info['mail'][0];
					$user_info['fullname'] = $id_user;
					break;
			}
		}
		$create_user = create_user_and_permisions_ldap($id_user, $password, $user_info, $permissions, $syncronize);
	}

	@ldap_close ($ds);
	// $create_user is only assigned when the user did not exist yet.
	return $create_user;
}

/**
 * Create the local user (tusuario) and its profiles from the permissions
 * computed by prepare_permissions_groups_of_user_ldap(), optionally on every
 * metaconsole node as well.
 *
 * @param string $id_user Login.
 * @param string $password Password in plain text; stored as MD5 only when
 *                         $config['ldap_save_password'] is set.
 * @param array $user_info Columns for the tusuario row.
 * @param array $permissions List of {profile, groups, tags}; empty means the
 *                           default remote profile/group/tags are used.
 * @param bool $syncronize Propagate to metaconsole nodes (when METACONSOLE is defined).
 *
 * @return bool False when a profile could not be created; true otherwise,
 *              including when the tusuario insert itself failed.
 */
function create_user_and_permisions_ldap ($id_user, $password, $user_info, $permissions, $syncronize = false) {
	global $config;

	$values = $user_info;
	$values["id_user"] = $id_user;
	if ($config['ldap_save_password']) {
		$values["password"] = md5 ($password);
	}
	$values["last_connect"] = 0;
	$values["registered"] = get_system_time ();

	if ( defined("METACONSOLE") && $syncronize )
		$values['metaconsole_access_node'] = $config['ldap_adv_user_node'];

	$user = (@db_process_sql_insert ("tusuario", $values)) !== false;

	if ($user) {
		if (!empty($permissions)) {
			foreach ($permissions as $permission) {
				$id_profile = $permission["profile"];
				$id_groups = $permission["groups"];
				$tags = $permission["tags"];

				foreach ($id_groups as $id_group) {
					$profile = profile_create_user_profile( $id_user, $id_profile, $id_group, false, $tags);
				}

				if ( defined("METACONSOLE") && $syncronize ) {
					enterprise_include_once('include/functions_metaconsole.php');

					// On the nodes the user is created without node access
					// and with not_login derived from ldap_adv_user_node.
					unset($values['metaconsole_access_node']);
					$values['not_login'] = (int) !$config['ldap_adv_user_node'];

					$servers = metaconsole_get_servers();
					foreach ($servers as $server) {
						// Profiles are matched by name on each node; the
						// master's profile row is copied when missing.
						$perfil_maestro = db_get_row('tperfil', 'id_perfil', $permission["profile"]);
						if (metaconsole_connect($server) == NOERR ) {
							if (!profile_exist($perfil_maestro['name'])) {
								unset($perfil_maestro['id_perfil']);
								$id_profile = db_process_sql_insert('tperfil', $perfil_maestro);
							}
							else {
								$id_profile = db_get_value('id_perfil', 'tperfil', 'name', $perfil_maestro['name']);
							}

							db_process_sql_insert ("tusuario", $values);

							foreach ($id_groups as $id_group) {
								$profile = profile_create_user_profile ($id_user, $id_profile, $id_group, false, $tags);
							}
						}
						metaconsole_restore_db();
					}
				}

				// NOTE(review): $profile holds the result of the last
				// profile_create_user_profile() call only, and is undefined
				// when $id_groups is empty.
				if (!$profile)
					return false;
			}
		}
		else {
			$profile = profile_create_user_profile( $id_user, $config['default_remote_profile'], $config['default_remote_group'], false, $config['default_assign_tags']);
			if (!$profile)
				return false;
		}
	}

	return true;
}

/**
 * Check if user have right permission in pandora. This
 * permission depend of ldap.
 *
 * Compares the user's current tusuario_perfil rows with $permissions,
 * removes the ones no longer granted and creates the missing ones (also on
 * metaconsole nodes when $syncronize is set).
 *
 * @param string $id_user Login.
 * @param string $password Unused here.
 * @param array $user_info Unused here.
 * @param array $permissions List of {profile, groups, tags} the user should have.
 * @param bool $syncronize Apply the same reconciliation on every metaconsole node.
 *
 * @return mixed True when nothing changed, "permissions_changed" when rows
 *               were added or removed, "error_permissions" when the user
 *               could not be loaded.
 */
function check_permission_ldap ($id_user, $password, $user_info, $permissions, $syncronize = false) {
	global $config;

	include_once($config['homedir'] . "/enterprise/include/functions_metaconsole.php");

	$result_user = users_get_user_by_id($id_user);

	$filter = array("id_usuario" => $id_user);

	// Current profiles, keyed by id_up with the profile id as value.
	$profiles_user = array();
	$user_profiles = db_get_all_rows_filter ("tusuario_perfil", $filter);
	foreach ($user_profiles as $user_profile) {
		$profiles_user[$user_profile["id_up"]] = $user_profile["id_perfil"];
	}

	$profiles_user_nodes = array();
	$permissions_nodes = array();
	if ( is_metaconsole() && $syncronize ) {
		// Same snapshot per node, keyed by server name.
		$servers = metaconsole_get_servers();
		foreach ($servers as $server) {
			if ( metaconsole_connect($server) == NOERR ) {
				$user_profiles_nodes = db_get_all_rows_filter ("tusuario_perfil", $filter);
				foreach ($user_profiles_nodes as $user_profile_node) {
					$profiles_user_nodes[$server['server_name']][$user_profile_node["id_up"]] = $user_profile_node["id_perfil"];
				}
			}
			metaconsole_restore_db();
		}

		// Translate master profile ids into each node's profile id (matched by name).
		foreach ($permissions as $key => $permission) {
			$perfil_maestro = db_get_row('tperfil', 'id_perfil', $permission['profile']);
			foreach ($servers as $server) {
				if (metaconsole_connect($server) == NOERR ) {
					if (profile_exist($perfil_maestro['name'])) {
						$id_profile = db_get_value('id_perfil', 'tperfil', 'name', $perfil_maestro['name']);
						$permissions_nodes[$server['server_name']][$key] = $permission;
						$permissions_nodes[$server['server_name']][$key]['profile'] = $id_profile;
					}
				}
				metaconsole_restore_db();
			}
		}
	}

	$no_found = array();
	if ($result_user) {
		foreach ($permissions as $permission) {
			$id_profile = $permission["profile"];
			$id_groups = $permission["groups"];
			$tags = $permission["tags"];

			foreach ($id_groups as $id_group) {
				$filter = array("id_usuario" => $id_user, "id_perfil"=>$id_profile, "id_grupo" => $id_group);
				//~ Find perfil with advance permissions in
				//~ authentication menu. This data depends on
				//~ groups where this user it belong.
				$result_profiles = db_get_row_filter ("tusuario_perfil", $filter);
				if (!$result_profiles) {
					#If not found save in array.
					$no_found[] = array("id_perfil"=>$id_profile, "id_grupo" => $id_group, "tags" =>$tags);
				}
				else {
					#if profile is find, delete from array.
					// NOTE(review): $profiles_user is keyed by id_up (see above)
					// but indexed by profile id here — verify which key is meant.
					db_process_sql_update("tusuario_perfil", array("tags" =>$tags), array('id_usuario' => $id_user, 'id_up' => $profiles_user[$id_profile]));
					unset($profiles_user[$result_profiles["id_up"]]);
				}
			}
		}

		if (is_metaconsole() && $syncronize) {
			$servers = metaconsole_get_servers();
			foreach ($servers as $server) {
				foreach ($permissions_nodes[$server['server_name']] as $permission_node) {
					$id_profile = $permission_node["profile"];
					$id_groups = $permission_node["groups"];
					$tags = $permission_node["tags"];
					foreach ($id_groups as $id_group) {
						$filter = array("id_usuario" => $id_user, "id_perfil"=>$id_profile, "id_grupo" => $id_group);
						if (metaconsole_connect($server) == NOERR ) {
							$result_profiles = db_get_row_filter ("tusuario_perfil", $filter);
							if (!$result_profiles) {
								#If not found save in array.
								$no_found_server[$server['server_name']][] = array("id_perfil" => $id_profile, "id_grupo" => $id_group, "tags" => $tags);
							}
							else {
								#if profile is find, delete from array.
								// NOTE(review): $server_name is not set in this loop
								// ($server['server_name'] is used elsewhere) — verify.
								db_process_sql_update("tusuario_perfil", array("tags" =>$tags), array('id_usuario' => $id_user, 'id_up' => $profiles_user_nodes[$server_name][$id_profile]));
								unset($profiles_user_nodes[$server_name][$result_profiles["id_up"]]);
							}
						}
					}
				}
				metaconsole_restore_db();
			}
		}

		if ( empty($profiles_user) && empty($no_found) ) {
			#The permmisions of user not changed
			return true;
		}
		else {
			foreach ($profiles_user as $key => $profile_user) {
				#The other profiles are deleted
				profile_delete_user_profile ($id_user, $key);
			}

			if ( is_metaconsole() && $syncronize ) {
				foreach ($profiles_user_nodes as $server_name => $profile_users) {
					$server = metaconsole_get_connection($server_name);
					foreach ($profile_users as $key => $profile_user) {
						if ( metaconsole_connect($server) == NOERR ) {
							profile_delete_user_profile ($id_user, $key);
						}
					}
					metaconsole_restore_db();
				}
			}

			foreach ($no_found as $new_profiles) {
				#Add the missing permissions
				profile_create_user_profile ($id_user, $new_profiles["id_perfil"], $new_profiles["id_grupo"], false, $new_profiles["tags"]);
			}

			if ( is_metaconsole() && $syncronize ) {
				$servers = metaconsole_get_servers();
				foreach ($servers as $server) {
					if ( metaconsole_connect($server) == NOERR ) {
						foreach ($no_found_server[$server['server_name']] as $new_profiles) {
							profile_create_user_profile ($id_user, $new_profiles["id_perfil"], $new_profiles["id_grupo"], false, $new_profiles["tags"]);
						}
					}
					metaconsole_restore_db();
				}
			}

			return "permissions_changed";
		}
	}
	else {
		return "error_permissions";
	}
}

/**
 * Update local user pass from ldap user
 *
 * The stored MD5 is only rewritten when it differs from md5($password).
 *
 * @param string $id_user Login
 * @param string $password Password in plain text
 *
 * @return mixed False when nothing had to change; otherwise the result of
 *               db_process_sql_update().
 */
function change_local_user_pass_ldap ($id_user, $password) {
	$local_user_pass = db_get_value_filter('password', 'tusuario', array('id_user' => $id_user));

	$return = false;
	if (md5($password) !== $local_user_pass) {
		$values_update = array();
		$values_update['password'] = md5($password);
		$return = db_process_sql_update('tusuario', $values_update, array('id_user' => $id_user));
	}

	return $return;
}

/**
 * Clear the locally stored password of an LDAP user (sets it to NULL).
 *
 * @param string $id_user Login
 *
 * @return void The update result is discarded.
 */
function delete_user_pass_ldap ($id_user) {
	$values_update = array();
	$values_update['password'] = null;
	$return = db_process_sql_update('tusuario', $values_update, array('id_user' => $id_user));

	return;
}

//Reference the global use authorization error to last auth error.
$config["auth_error"] = &$mysql_cache["auth_error"];
?>