Révision 32700c57
Ajouté par Assos Assos il y a environ 5 ans
drupal7/sites/all/modules/ldap/ldap_authentication/ldap_authentication.inc | ||
---|---|---|
2 | 2 |
|
3 | 3 |
/** |
4 | 4 |
* @file |
5 |
* ldap_authentication helper functions
|
|
5 |
* Ldap_authentication helper functions.
|
|
6 | 6 |
*/ |
7 | 7 |
|
8 | 8 |
/** |
9 |
* helper function for ldap_authn_form_user_login_block_alter and ldap_authn_form_user_login_alter
|
|
10 |
*
|
|
11 |
* @todo if form is being generated on non https and is set in preferences, set warning and end form development
|
|
12 |
*/
|
|
9 |
* Helper function for ldap_authn_form_user_login_block_alter and ldap_authn_form_user_login_alter.
|
|
10 |
* |
|
11 |
* @todo if form is being generated on non https and is set in preferences, set warning and end form development |
|
12 |
*/ |
|
13 | 13 |
function _ldap_authentication_login_form_alter(&$form, &$form_state, $form_id) { |
14 | 14 |
|
15 | 15 |
if (!$auth_conf = ldap_authentication_get_valid_conf()) { |
... | ... | |
42 | 42 |
|
43 | 43 |
if ($form_id == 'user_login_block') { |
44 | 44 |
$user_register = variable_get('user_register', USER_REGISTER_VISITORS_ADMINISTRATIVE_APPROVAL); |
45 |
$vars = array(
|
|
45 |
$vars = [
|
|
46 | 46 |
'show_reset_pwd' => ldap_authentication_show_reset_pwd(), |
47 | 47 |
'auth_conf' => $auth_conf, |
48 |
);
|
|
48 |
];
|
|
49 | 49 |
|
50 | 50 |
$form['links']['#markup'] = theme('ldap_authentication_user_login_block_links', $vars); |
51 | 51 |
} |
52 | 52 |
|
53 |
// Add help information for entering in username/password |
|
53 |
// Add help information for entering in username/password.
|
|
54 | 54 |
$auth_conf = ldap_authentication_get_valid_conf(); |
55 | 55 |
if ($auth_conf) { |
56 | 56 |
if (isset($auth_conf->loginUIUsernameTxt)) { |
... | ... | |
65 | 65 |
} |
66 | 66 |
} |
67 | 67 |
|
68 |
|
|
69 |
|
|
70 | 68 |
/** |
71 |
* alter user editing form (profile form) based on ldap authentication configuration |
|
72 |
* |
|
73 |
* @param array $form array from user profile |
|
74 |
* @param array $form_state from user profile |
|
75 |
* |
|
76 |
* @return NULL (alters $form by reference) |
|
77 |
*/ |
|
69 |
* Alter user editing form (profile form) based on ldap authentication configuration. |
|
70 |
* |
|
71 |
* @param array $form |
|
72 |
* array from user profile. |
|
73 |
* @param array $form_state |
|
74 |
* from user profile. |
|
75 |
* |
|
76 |
* @return NULL (alters $form by reference) |
|
77 |
*/ |
|
78 | 78 |
function _ldap_authentication_form_user_profile_form_alter(&$form, $form_state) { |
79 |
// keep in mind admin may be editing another users profile form. don't assume current global $user
|
|
79 |
// Keep in mind admin may be editing another users profile form. don't assume current global $user.
|
|
80 | 80 |
$auth_conf = ldap_authentication_get_valid_conf(); |
81 | 81 |
if ($auth_conf && ldap_authentication_ldap_authenticated($form['#user'])) { |
82 | 82 |
if ($auth_conf->emailOption == LDAP_AUTHENTICATION_EMAIL_FIELD_REMOVE) { |
... | ... | |
87 | 87 |
$form['account']['mail']['#description'] = t('This email address is automatically set and may not be changed.'); |
88 | 88 |
} |
89 | 89 |
elseif ($auth_conf->emailOption == LDAP_AUTHENTICATION_EMAIL_FIELD_ALLOW) { |
90 |
// email field is functional
|
|
90 |
// Email field is functional.
|
|
91 | 91 |
} |
92 | 92 |
|
93 | 93 |
if (!ldap_authentication_show_reset_pwd($form['#user'])) { |
94 | 94 |
/** If passwordOption = LDAP_AUTHENTICATION_PASSWORD_FIELD_HIDE then don't show the password fields, |
95 |
otherwise show the fields but in a disabled state. |
|
95 |
* otherwise show the fields but in a disabled state.
|
|
96 | 96 |
*/ |
97 |
switch ($auth_conf->passwordOption) {
|
|
98 |
|
|
99 |
case LDAP_AUTHENTICATION_PASSWORD_FIELD_HIDE:
|
|
100 |
$form['account']['current_pass']['#access'] = FALSE;
|
|
101 |
$form['account']['pass']['#access'] = FALSE;
|
|
102 |
break;
|
|
103 |
|
|
104 |
case LDAP_AUTHENTICATION_PASSWORD_FIELD_SHOW:
|
|
105 |
// Show in a disabled state since ldap_authentication_show_reset_pwd() has returned FALSE
|
|
106 |
$form['account']['current_pass']['#disabled'] = TRUE;
|
|
107 |
if ($auth_conf->ldapUserHelpLinkUrl) {
|
|
108 |
$form['account']['current_pass']['#description'] = l(t($auth_conf->ldapUserHelpLinkText), $auth_conf->ldapUserHelpLinkUrl);
|
|
109 |
}
|
|
110 |
else {
|
|
111 |
$form['account']['current_pass']['#description'] = t('The password cannot be changed using this website');
|
|
112 |
}
|
|
113 |
$form['account']['pass']['#disabled'] = TRUE;
|
|
114 |
break;
|
|
97 |
switch ($auth_conf->passwordOption) { |
|
98 |
|
|
99 |
case LDAP_AUTHENTICATION_PASSWORD_FIELD_HIDE: |
|
100 |
$form['account']['current_pass']['#access'] = FALSE; |
|
101 |
$form['account']['pass']['#access'] = FALSE; |
|
102 |
break; |
|
103 |
|
|
104 |
case LDAP_AUTHENTICATION_PASSWORD_FIELD_SHOW: |
|
105 |
// Show in a disabled state since ldap_authentication_show_reset_pwd() has returned FALSE.
|
|
106 |
$form['account']['current_pass']['#disabled'] = TRUE; |
|
107 |
if ($auth_conf->ldapUserHelpLinkUrl) { |
|
108 |
$form['account']['current_pass']['#description'] = l(t($auth_conf->ldapUserHelpLinkText), $auth_conf->ldapUserHelpLinkUrl); |
|
109 |
} |
|
110 |
else { |
|
111 |
$form['account']['current_pass']['#description'] = t('The password cannot be changed using this website'); |
|
112 |
} |
|
113 |
$form['account']['pass']['#disabled'] = TRUE; |
|
114 |
break; |
|
115 | 115 |
} |
116 | 116 |
} |
117 | 117 |
} |
... | ... | |
122 | 122 |
* $auth_conf. |
123 | 123 |
* |
124 | 124 |
* @param array $ldap_user |
125 |
* LDAP user entry |
|
125 |
* LDAP user entry.
|
|
126 | 126 |
* @param LdapAuthenticationConf $auth_conf |
127 | 127 |
* LDAP authentication configuration class. |
128 | 128 |
*/ |
129 | 129 |
function _ldap_authentication_replace_user_email(&$ldap_user, $auth_conf, $tokens) { |
130 |
// fallback template in case one was not specified.
|
|
130 |
// Fallback template in case one was not specified.
|
|
131 | 131 |
$template = '@username@localhost'; |
132 | 132 |
if (!empty($auth_conf->emailTemplate)) { |
133 | 133 |
$template = $auth_conf->emailTemplate; |
... | ... | |
136 | 136 |
} |
137 | 137 |
|
138 | 138 |
/** |
139 |
* user form validation will take care of username, pwd fields |
|
140 |
* this function validates ldap authentication specific |
|
141 |
* |
|
142 |
* @param array $form_state array from user logon form |
|
143 |
* @return null, but success or failure is indicated by: |
|
144 |
* -- form_set_error() to invalidate authentication process |
|
145 |
* -- setting $form_state['uid'] to indicate successful authentication |
|
146 |
*/ |
|
139 |
* User form validation will take care of username, pwd fields |
|
140 |
* this function validates ldap authentication specific. |
|
141 |
* |
|
142 |
* @param array $form_state |
|
143 |
* array from user logon form. |
|
144 |
* |
|
145 |
* @return null, but success or failure is indicated by: |
|
146 |
* -- form_set_error() to invalidate authentication process |
|
147 |
* -- setting $form_state['uid'] to indicate successful authentication |
|
148 |
*/ |
|
147 | 149 |
function _ldap_authentication_user_login_authenticate_validate(&$form_state, $return_user) { |
148 | 150 |
|
149 |
// Check if Flood control was triggered; if so, don't authenticate |
|
151 |
// Check if Flood control was triggered; if so, don't authenticate.
|
|
150 | 152 |
if (isset($form_state['flood_control_triggered'])) { |
151 | 153 |
return; |
152 | 154 |
} |
153 | 155 |
|
154 | 156 |
$detailed_watchdog_log = variable_get('ldap_help_watchdog_detail', 0); |
155 | 157 |
|
156 |
// Default to name |
|
158 |
// Default to name.
|
|
157 | 159 |
$entered_name = $form_state['values']['name']; |
158 | 160 |
$authname_drupal_property = $form_field_name = 'name'; |
159 | 161 |
|
160 |
// Email registration module populates name even though user entered email |
|
162 |
// Email registration module populates name even though user entered email.
|
|
161 | 163 |
if (!empty($form_state['values']['email'])) { |
162 | 164 |
$entered_name = $form_state['values']['email']; |
163 | 165 |
$authname_drupal_property = 'mail'; |
164 | 166 |
$form_field_name = 'email'; |
165 | 167 |
} |
166 | 168 |
|
167 |
// $authname is the name the user is authenticated with from the logon form // patch 1599632 |
|
169 |
// $authname is the name the user is authenticated with from the logon form // patch 1599632.
|
|
168 | 170 |
$authname = $entered_name; |
169 | 171 |
|
170 |
if (empty($form_state['values']['pass']) || empty ($form_state['values'][$form_field_name])) {
|
|
172 |
if (empty($form_state['values']['pass']) || empty($form_state['values'][$form_field_name])) { |
|
171 | 173 |
return FALSE; |
172 | 174 |
} |
173 | 175 |
/* |
... | ... | |
179 | 181 |
*/ |
180 | 182 |
$sso_login = (isset($form_state['sso_login']) && $form_state['sso_login']) ? TRUE : FALSE; |
181 | 183 |
|
182 |
$watchdog_tokens = array('%username' => $authname, '%authname' => $authname); // $watchdog_tokens = array('%username' => $name); // patch 1599632 |
|
184 |
// Patch 1599632. |
|
185 |
$watchdog_tokens = ['%username' => $authname, '%authname' => $authname]; |
|
183 | 186 |
if ($detailed_watchdog_log) { |
184 | 187 |
watchdog('ldap_authentication', '%username : Beginning authentification....', $watchdog_tokens, WATCHDOG_DEBUG); |
185 | 188 |
} |
186 | 189 |
|
187 | 190 |
if (!$auth_conf = ldap_authentication_get_valid_conf()) { |
188 |
watchdog('ldap_authentication', 'Failed to get valid ldap authentication configuration.', array(), WATCHDOG_ERROR);
|
|
189 |
form_set_error('name', 'Server Error: Failed to get valid ldap authentication configuration.' . $error);
|
|
191 |
watchdog('ldap_authentication', 'Failed to get valid ldap authentication configuration.', [], WATCHDOG_ERROR);
|
|
192 |
form_set_error('name', 'Server Error: Failed to get valid ldap authentication configuration.'); |
|
190 | 193 |
return; |
191 | 194 |
} |
192 | 195 |
|
193 |
/** |
|
196 |
/**
|
|
194 | 197 |
* I. Test for previous module authentication success. |
195 | 198 |
* |
196 | 199 |
* if already succeeded at authentication, $form_state['uid'] will be set by other authentication module. |
... | ... | |
200 | 203 |
if (isset($form_state['uid']) && is_numeric($form_state['uid'])) { |
201 | 204 |
if ($auth_conf->authenticationMode == LDAP_AUTHENTICATION_MIXED || $form_state['uid'] == 1) { |
202 | 205 |
if ($detailed_watchdog_log) { |
203 |
watchdog('ldap_authentication', '%username : Previously authenticated in mixed mode or uid=1', $watchdog_tokens, WATCHDOG_DEBUG); |
|
206 |
watchdog('ldap_authentication', '%username : Previously authenticated in mixed mode or uid=1', $watchdog_tokens, WATCHDOG_DEBUG);
|
|
204 | 207 |
} |
205 |
return; // already passed a previous module's authentication validation |
|
208 |
// Already passed a previous module's authentication validation. |
|
209 |
return; |
|
206 | 210 |
} |
207 | 211 |
elseif ($auth_conf->authenticationMode == LDAP_AUTHENTICATION_EXCLUSIVE) { |
208 | 212 |
if ($detailed_watchdog_log) { |
209 | 213 |
watchdog('ldap_authentication', '%username : Previously authenticated in exclusive mode or uid is not 1. Clear uid |
210 | 214 |
in form_state and attempt ldap authentication.', $watchdog_tokens, WATCHDOG_DEBUG); |
211 | 215 |
} |
212 |
$form_state['uid'] = NULL; // passed previous authentication, but only ldap should be used so override |
|
216 |
// Passed previous authentication, but only ldap should be used so override. |
|
217 |
$form_state['uid'] = NULL; |
|
213 | 218 |
} |
214 | 219 |
} |
215 | 220 |
|
216 |
/** |
|
217 |
* II. Exit if no authentication servers. |
|
218 |
*/ |
|
221 |
/**
|
|
222 |
* II. Exit if no authentication servers.
|
|
223 |
*/
|
|
219 | 224 |
if (!$auth_conf->hasEnabledAuthenticationServers()) { |
220 |
watchdog('ldap_authentication', 'No LDAP servers configured.', array(), WATCHDOG_ERROR);
|
|
225 |
watchdog('ldap_authentication', 'No LDAP servers configured.', [], WATCHDOG_ERROR);
|
|
221 | 226 |
form_set_error('name', 'Server Error: No LDAP servers configured.'); |
222 | 227 |
return; |
223 | 228 |
} |
... | ... | |
229 | 234 |
list($drupal_account, $drupal_account_is_authmapped) = ldap_authentication_corresponding_drupal_user($authname, $auth_conf, $watchdog_tokens); |
230 | 235 |
$drupal_account_exists = is_object($drupal_account); |
231 | 236 |
if ($drupal_account_exists && $drupal_account->uid == 1) { |
232 |
return; // user 1 is not allowed to ldap authenticate |
|
237 |
// User 1 is not allowed to ldap authenticate. |
|
238 |
return; |
|
233 | 239 |
} |
234 | 240 |
|
235 | 241 |
/** |
... | ... | |
243 | 249 |
return; |
244 | 250 |
} |
245 | 251 |
|
246 |
/* |
|
252 |
/**
|
|
247 | 253 |
* IV.a Workaround for the provisioning server not always getting saved in |
248 | 254 |
* the user object. So we save it in a session variable as a backup. |
249 | 255 |
*/ |
... | ... | |
268 | 274 |
$watchdog_tokens['%drupal_accountname'] = $drupal_accountname; |
269 | 275 |
|
270 | 276 |
// @todo maybe we can add more tokens? |
271 |
$email_template_tokens = array(
|
|
277 |
$email_template_tokens = [
|
|
272 | 278 |
'@username' => $drupal_accountname, |
273 |
);
|
|
279 |
];
|
|
274 | 280 |
|
275 | 281 |
$email_template_used = FALSE; |
276 | 282 |
|
... | ... | |
283 | 289 |
if (!empty($ldap_user['mail'])) { |
284 | 290 |
break; |
285 | 291 |
} |
286 |
// deliberate fallthrough
|
|
292 |
// Deliberate fallthrough.
|
|
287 | 293 |
case LDAP_AUTHENTICATION_EMAIL_TEMPLATE_ALWAYS: |
288 | 294 |
_ldap_authentication_replace_user_email($ldap_user, $auth_conf, $email_template_tokens); |
289 | 295 |
if ($detailed_watchdog_log) { |
... | ... | |
304 | 310 |
* |
305 | 311 |
*/ |
306 | 312 |
|
307 |
|
|
308 | 313 |
/** |
309 | 314 |
* VI.A: Drupal account doesn't exist with $authname used to logon, |
310 | 315 |
* but puid exists in another Drupal account; this means username has changed |
... | ... | |
318 | 323 |
if ($drupal_account) { |
319 | 324 |
$drupal_account_exists = TRUE; |
320 | 325 |
if ($drupal_accountname == $authname) { |
321 |
$user_edit = array($authname_drupal_property => $drupal_accountname);
|
|
326 |
$user_edit = [$authname_drupal_property => $drupal_accountname];
|
|
322 | 327 |
} |
323 | 328 |
else { |
324 |
$user_edit = array('name' => $drupal_accountname);
|
|
329 |
$user_edit = ['name' => $drupal_accountname];
|
|
325 | 330 |
} |
326 | 331 |
$drupal_account = user_save($drupal_account, $user_edit, 'ldap_user'); |
327 |
user_set_authmaps($drupal_account, array("authname_ldap_user" => $authname));
|
|
332 |
user_set_authmaps($drupal_account, ["authname_ldap_user" => $authname]);
|
|
328 | 333 |
$drupal_account_is_authmapped = TRUE; |
329 | 334 |
} |
330 | 335 |
} |
... | ... | |
332 | 337 |
|
333 | 338 |
/** |
334 | 339 |
* VI.B: existing Drupal account but not authmapped to ldap modules, |
335 |
* ldap authmap or disallow |
|
336 |
* |
|
340 |
* ldap authmap or disallow. |
|
337 | 341 |
*/ |
338 |
|
|
339 |
if ($drupal_account_exists && !$drupal_account_is_authmapped) { // account already exists
|
|
342 |
// Account already exists. |
|
343 |
if ($drupal_account_exists && !$drupal_account_is_authmapped) { |
|
340 | 344 |
if ($auth_conf->ldapUser->loginConflictResolve == LDAP_USER_CONFLICT_LOG) { |
341 | 345 |
if ($account_with_same_email = user_load_by_mail($ldap_user['mail'])) { |
342 | 346 |
$watchdog_tokens['%conflict_name'] = $account_with_same_email->name; |
... | ... | |
345 | 349 |
drupal_set_message(t('Another user already exists in the system with the same login name. You should contact the system administrator in order to solve this conflict.'), 'error'); |
346 | 350 |
return; |
347 | 351 |
} |
348 |
else { // LDAP_authen.AC.disallow.ldap.drupal |
|
349 |
// add ldap_authentication authmap to user. account name is fine here, though cn could be used |
|
350 |
user_set_authmaps($drupal_account, array('authname_ldap_user' => $authname)); |
|
352 |
// LDAP_authen.AC.disallow.ldap.drupal. |
|
353 |
else { |
|
354 |
// Add ldap_authentication authmap to user. account name is fine here, though cn could be used. |
|
355 |
user_set_authmaps($drupal_account, ['authname_ldap_user' => $authname]); |
|
351 | 356 |
$drupal_account_is_authmapped = TRUE; |
352 | 357 |
if ($detailed_watchdog_log) { |
353 | 358 |
watchdog('ldap_authentication', 'set authmap for %username authname_ldap_user', $watchdog_tokens, WATCHDOG_DEBUG); |
... | ... | |
356 | 361 |
} |
357 | 362 |
|
358 | 363 |
/** |
359 |
* VI.C: existing Drupal account with incorrect email. fix email if appropriate
|
|
360 |
* |
|
364 |
* VI.C: existing Drupal account with incorrect email. |
|
365 |
* Fix email if appropriate.
|
|
361 | 366 |
*/ |
362 | 367 |
if ((!($auth_conf->templateUsageNeverUpdate && $email_template_used)) && |
363 | 368 |
$drupal_account_exists && |
... | ... | |
366 | 371 |
$auth_conf->emailUpdate == LDAP_AUTHENTICATION_EMAIL_UPDATE_ON_LDAP_CHANGE_ENABLE_NOTIFY || |
367 | 372 |
$auth_conf->emailUpdate == LDAP_AUTHENTICATION_EMAIL_UPDATE_ON_LDAP_CHANGE_ENABLE |
368 | 373 |
)) { |
369 |
$user_edit = array('mail' => $ldap_user['mail']);
|
|
374 |
$user_edit = ['mail' => $ldap_user['mail']];
|
|
370 | 375 |
|
371 | 376 |
$watchdog_tokens['%username'] = $drupal_account->name; |
372 | 377 |
if (!$updated_account = user_save($drupal_account, $user_edit)) { |
373 | 378 |
watchdog('ldap_authentication', 'Failed to make changes to user %username updated %changed.', $watchdog_tokens, WATCHDOG_ERROR); |
374 | 379 |
} |
375 |
elseif ($auth_conf->emailUpdate == LDAP_AUTHENTICATION_EMAIL_UPDATE_ON_LDAP_CHANGE_ENABLE_NOTIFY ) {
|
|
380 |
elseif ($auth_conf->emailUpdate == LDAP_AUTHENTICATION_EMAIL_UPDATE_ON_LDAP_CHANGE_ENABLE_NOTIFY) { |
|
376 | 381 |
if (isset($user_edit['mail'])) { |
377 | 382 |
$watchdog_tokens['%mail'] = $user_edit['mail']; |
378 | 383 |
drupal_set_message(t('Your e-mail has been updated to match your current account (%mail).', $watchdog_tokens), 'status'); |
... | ... | |
386 | 391 |
|
387 | 392 |
/** |
388 | 393 |
* VI.C: no existing Drupal account. consider provisioning Drupal account. |
389 |
* |
|
390 | 394 |
*/ |
391 | 395 |
if (!$drupal_account_exists) { |
392 | 396 |
|
... | ... | |
394 | 398 |
if (($auth_conf->ldapUser->acctCreation == LDAP_USER_ACCOUNTS_WITH_SAME_EMAIL_DISABLED) && ($account_with_same_email = user_load_by_mail($ldap_user['mail']))) { |
395 | 399 |
$error = TRUE; |
396 | 400 |
/** |
397 |
* username does not exist but email does. Since user_external_login_register does not deal with |
|
398 |
* mail attribute and the email conflict error needs to be caught beforehand, need to throw error here |
|
401 |
* username does not exist but email does. |
|
402 |
* Since user_external_login_register does not deal with mail attribute |
|
403 |
* and the email conflict error needs to be caught beforehand, need to |
|
404 |
* throw error here. |
|
399 | 405 |
*/ |
400 | 406 |
if ($auth_conf->templateUsageResolveConflict && (!$email_template_used)) { |
401 | 407 |
if ($detailed_watchdog_log) { |
... | ... | |
403 | 409 |
} |
404 | 410 |
_ldap_authentication_replace_user_email($ldap_user, $auth_conf, $email_template_tokens); |
405 | 411 |
$email_template_used = TRUE; |
406 |
// recheck with the template email to make sure it doesn't also exist.
|
|
412 |
// Recheck with the template email to make sure it doesn't also exist.
|
|
407 | 413 |
if ($account_with_same_email = user_load_by_mail($ldap_user['mail'])) { |
408 | 414 |
$error = TRUE; |
409 | 415 |
} |
... | ... | |
417 | 423 |
} |
418 | 424 |
} |
419 | 425 |
|
420 |
// VI.C.2 Do not provision Drupal account if provisioning disabled |
|
426 |
// VI.C.2 Do not provision Drupal account if provisioning disabled.
|
|
421 | 427 |
if (!$auth_conf->ldapUser->provisionEnabled(LDAP_USER_PROV_DIRECTION_TO_DRUPAL_USER, LDAP_USER_DRUPAL_USER_PROV_ON_AUTHENTICATE)) { |
422 | 428 |
watchdog('ldap_user', 'Drupal account for authname=%authname account name=%account_name_attr does not exist and provisioning of Drupal accounts on authentication is not enabled', $watchdog_tokens, WATCHDOG_INFO); |
423 | 429 |
return; |
424 | 430 |
} |
425 | 431 |
|
426 |
// VI.C.3 Provision Drupal account |
|
427 | 432 |
/** |
428 |
* |
|
429 |
* new ldap_authentication provisioned account could let user_external_login_register create the account and set authmaps, but would need |
|
430 |
* to add mail and any other user->data data in hook_user_presave which would mean requerying ldap |
|
431 |
* or having a global variable. At this point the account does not exist, so there is no |
|
433 |
* VI.C.3 Provision Drupal account. |
|
434 |
* New ldap_authentication provisioned account could |
|
435 |
* letuser_external_login_register create the account and set authmaps, but |
|
436 |
* would need to add mail and any other user->data data in |
|
437 |
* hook_user_presave which would mean requerying ldap or having a global |
|
438 |
* variable. At this point the account does not exist, so there is no |
|
432 | 439 |
* reason not to create it here. |
433 | 440 |
* |
434 |
* @todo create patch for core user module's user_external_login_register to deal with new external accounts |
|
435 |
* a little tweak to add user->data and mail etc as parameters would make it more useful |
|
436 |
* for external authentication modules |
|
441 |
* @todo create patch for core user module's user_external_login_register |
|
442 |
* to deal with new external accounts a little tweak to add user->data and |
|
443 |
* mail etc as parameters would make it more useful for external |
|
444 |
* authentication modules. |
|
437 | 445 |
*/ |
438 |
|
|
439 |
$user_register = variable_get('user_register', USER_REGISTER_VISITORS_ADMINISTRATIVE_APPROVAL); |
|
440 |
if ($auth_conf->ldapUser->acctCreation == LDAP_USER_ACCT_CREATION_USER_SETTINGS_FOR_LDAP && |
|
446 |
$user_register = variable_get('user_register', USER_REGISTER_VISITORS_ADMINISTRATIVE_APPROVAL); |
|
447 |
if ($auth_conf->ldapUser->acctCreation == LDAP_USER_ACCT_CREATION_USER_SETTINGS_FOR_LDAP && |
|
441 | 448 |
$user_register == USER_REGISTER_ADMINISTRATORS_ONLY) { |
442 |
watchdog('ldap_user', 'Failed to create account for %drupal_accountname. Administrative user must create user.',
|
|
443 |
$watchdog_tokens, WATCHDOG_ERROR);
|
|
444 |
form_set_error('name', t('Server Error: Attempt to create account for %drupal_accountname failed. Administrative user must create user.',
|
|
445 |
$watchdog_tokens));
|
|
446 |
return;
|
|
449 |
watchdog('ldap_user', 'Failed to create account for %drupal_accountname. Administrative user must create user.', |
|
450 |
$watchdog_tokens, WATCHDOG_ERROR); |
|
451 |
form_set_error('name', t('Server Error: Attempt to create account for %drupal_accountname failed. Administrative user must create user.', |
|
452 |
$watchdog_tokens)); |
|
453 |
return; |
|
447 | 454 |
} |
448 | 455 |
|
449 | 456 |
if ($auth_conf->ldapUser->acctCreation == LDAP_AUTHENTICATION_ACCT_CREATION_USER_SETTINGS_FOR_LDAP && |
450 | 457 |
variable_get('user_register', USER_REGISTER_VISITORS_ADMINISTRATIVE_APPROVAL) == USER_REGISTER_VISITORS_ADMINISTRATIVE_APPROVAL) { |
451 |
$user_edit = array('name' => $drupal_accountname, 'status' => 0); // if admin approval required, set status to 0. |
|
458 |
// If admin approval required, set status to 0. |
|
459 |
$user_edit = ['name' => $drupal_accountname, 'status' => 0]; |
|
452 | 460 |
} |
453 | 461 |
else { |
454 |
$user_edit = array('name' => $drupal_accountname, 'status' => 1);
|
|
462 |
$user_edit = ['name' => $drupal_accountname, 'status' => 1];
|
|
455 | 463 |
} |
456 | 464 |
|
457 | 465 |
// If the email template was used, we want to pass in the email that was |
... | ... | |
461 | 469 |
} |
462 | 470 |
|
463 | 471 |
// don't pass in ldap user to provisionDrupalAccount, because want to requery with correct attributes needed |
464 |
// this may be a case where efficiency dictates querying for all attributes |
|
472 |
// this may be a case where efficiency dictates querying for all attributes.
|
|
465 | 473 |
$drupal_account = $auth_conf->ldapUser->provisionDrupalAccount(NULL, $user_edit, $ldap_user, TRUE); |
466 | 474 |
|
467 | 475 |
if ($drupal_account === FALSE) { |
... | ... | |
470 | 478 |
return; |
471 | 479 |
} |
472 | 480 |
else { |
473 |
user_set_authmaps($drupal_account, array('authname_ldap_user' => $authname));
|
|
481 |
user_set_authmaps($drupal_account, ['authname_ldap_user' => $authname]);
|
|
474 | 482 |
// Using Rules allows emails to be fired and many other possible reactions |
475 | 483 |
// to the creation of a user. |
476 | 484 |
if (module_exists('rules')) { |
... | ... | |
489 | 497 |
*/ |
490 | 498 |
|
491 | 499 |
$form_state['uid'] = $drupal_account->uid; |
492 |
// $fake_form_state = array('uid' => $drupal_account->uid); |
|
493 |
// user_login_submit(array(), $fake_form_state); |
|
494 |
// global $user; |
|
495 |
// $form_state['uid'] = $user->uid; |
|
496 |
|
|
497 |
|
|
498 |
// the uid is returned so that special login modules, namely ldap sso, can manually call this function. |
|
499 | 500 |
return ($return_user) ? $drupal_account : NULL; |
500 | 501 |
} |
501 | 502 |
|
502 | 503 |
/** |
503 |
* given authname, determine if corresponding drupal account exists and is authmapped
|
|
504 |
* Given authname, determine if corresponding drupal account exists and is authmapped.
|
|
504 | 505 |
*/ |
505 | 506 |
function ldap_authentication_corresponding_drupal_user($authname, $auth_conf, &$watchdog_tokens) { |
506 | 507 |
$detailed_watchdog_log = variable_get('ldap_help_watchdog_detail', 0); |
507 | 508 |
if (!($drupal_account = user_load_by_name($authname)) && !($drupal_account = user_load_by_mail($authname))) { |
508 |
$uid = db_query("SELECT uid FROM {authmap} WHERE authname = :authname AND module = 'ldap_user'", array(':authname' => $authname))->fetchColumn();
|
|
509 |
$uid = db_query("SELECT uid FROM {authmap} WHERE authname = :authname AND module = 'ldap_user'", [':authname' => $authname])->fetchColumn();
|
|
509 | 510 |
$drupal_account = $uid ? user_load($uid) : FALSE; |
510 | 511 |
} |
511 | 512 |
|
512 | 513 |
if (is_object($drupal_account)) { |
513 |
$authmaps = user_get_authmaps($authname); // $authmaps = user_get_authmaps($name); // patch 1599632 |
|
514 |
// Patch 1599632. |
|
515 |
$authmaps = user_get_authmaps($authname); |
|
514 | 516 |
$drupal_account_is_authmapped = isset($authmaps['ldap_user']); |
515 | 517 |
$user_data = $drupal_account->data; |
516 | 518 |
if ($drupal_account->uid == 1 && $detailed_watchdog_log) { |
... | ... | |
520 | 522 |
watchdog('ldap_authentication', '%username : Drupal User Account found. Continuing on to attempt ldap authentication', $watchdog_tokens, WATCHDOG_DEBUG); |
521 | 523 |
} |
522 | 524 |
} |
523 |
else { // account does not exist |
|
525 |
// Account does not exist. |
|
526 |
else { |
|
524 | 527 |
$drupal_account_is_authmapped = FALSE; |
525 | 528 |
if ($auth_conf->ldapUser->createLDAPAccounts == FALSE) { |
526 | 529 |
if ($detailed_watchdog_log) { |
... | ... | |
531 | 534 |
watchdog('ldap_authentication', '%username : Existing Drupal User Account not found. Continuing on to attempt ldap authentication', $watchdog_tokens, WATCHDOG_DEBUG); |
532 | 535 |
} |
533 | 536 |
} |
534 |
return array($drupal_account, $drupal_account_is_authmapped);
|
|
537 |
return [$drupal_account, $drupal_account_is_authmapped];
|
|
535 | 538 |
} |
536 | 539 |
|
540 |
/** |
|
541 |
* |
|
542 |
*/ |
|
537 | 543 |
function ldap_authentication_test_credentials($auth_conf, $sso_login, $authname, $password, &$watchdog_tokens) { |
538 | 544 |
$detailed_watchdog_log = variable_get('ldap_help_watchdog_detail', 0); |
539 | 545 |
$authentication_result = LDAP_AUTHENTICATION_RESULT_FAIL_GENERIC; |
... | ... | |
546 | 552 |
watchdog('ldap_authentication', '%username : Trying server %sid where bind_method = %bind_method', $watchdog_tokens, WATCHDOG_DEBUG); |
547 | 553 |
} |
548 | 554 |
|
549 |
// #1 CONNECT TO SERVER |
|
555 |
// #1 CONNECT TO SERVER.
|
|
550 | 556 |
$authentication_result = LDAP_AUTHENTICATION_RESULT_FAIL_GENERIC; |
551 | 557 |
$result = $ldap_server->connect(); |
552 | 558 |
if ($result != LDAP_SUCCESS) { |
... | ... | |
556 | 562 |
watchdog('ldap_authentication', '%username : Failed connecting to %sid. Error: %err_msg', $watchdog_tokens, WATCHDOG_DEBUG); |
557 | 563 |
} |
558 | 564 |
$watchdog_tokens['%err_msg'] = NULL; |
559 |
continue; // next server, please |
|
565 |
// Next server, please. |
|
566 |
continue; |
|
560 | 567 |
} |
561 | 568 |
elseif ($detailed_watchdog_log) { |
562 | 569 |
watchdog('ldap_authentication', '%username : Success at connecting to %sid', $watchdog_tokens, WATCHDOG_DEBUG); |
... | ... | |
574 | 581 |
watchdog('ldap_authentication', 'Trying to use SSO with LDAP_SERVERS_BIND_METHOD_USER bind method.', $watchdog_tokens, WATCHDOG_ERROR); |
575 | 582 |
} |
576 | 583 |
elseif ($ldap_server->bind_method == LDAP_SERVERS_BIND_METHOD_USER && $sso_login == FALSE) { |
577 |
// with sso enabled this method of binding isn't valid
|
|
584 |
// With sso enabled this method of binding isn't valid.
|
|
578 | 585 |
foreach ($ldap_server->basedn as $basedn) { |
579 |
$search = array('%basedn', '%username');
|
|
586 |
$search = ['%basedn', '%username'];
|
|
580 | 587 |
$transformname = $ldap_server->userUsernameToLdapNameTransform($authname, $watchdog_tokens); |
581 |
$replace = array($basedn, $transformname);
|
|
588 |
$replace = [$basedn, $transformname];
|
|
582 | 589 |
$userdn = str_replace($search, $replace, $ldap_server->user_dn_expression); |
583 | 590 |
$bind_success = ($ldap_server->bind($userdn, $password, FALSE) == LDAP_SUCCESS); |
584 | 591 |
if ($bind_success) { |
... | ... | |
597 | 604 |
$watchdog_tokens['%err_text'] = NULL; |
598 | 605 |
} |
599 | 606 |
$authentication_result = ($ldap_server->bind_method == LDAP_SERVERS_BIND_METHOD_USER) ? LDAP_AUTHENTICATION_RESULT_FAIL_CREDENTIALS : LDAP_AUTHENTICATION_RESULT_FAIL_BIND; |
600 |
continue; // if bind fails, onto next server |
|
607 |
// If bind fails, onto next server. |
|
608 |
continue; |
|
601 | 609 |
} |
602 | 610 |
|
603 |
// #3 DOES USER EXIST IN SERVER'S LDAP |
|
611 |
// #3 DOES USER EXIST IN SERVER'S LDAP.
|
|
604 | 612 |
if ($ldap_server->bind_method == LDAP_SERVERS_BIND_METHOD_ANON_USER) { |
605 | 613 |
$ldap_user = $ldap_server->userUserNameToExistingLdapEntry($authname); |
606 | 614 |
} |
... | ... | |
628 | 636 |
break; |
629 | 637 |
} |
630 | 638 |
$authentication_result = LDAP_AUTHENTICATION_RESULT_FAIL_FIND; |
631 |
continue; // next server, please |
|
639 |
// Next server, please. |
|
640 |
continue; |
|
632 | 641 |
} |
633 | 642 |
|
634 | 643 |
$watchdog_tokens['%dn'] = $ldap_user['dn']; |
635 | 644 |
$watchdog_tokens['%mail'] = $ldap_user['mail']; |
636 | 645 |
|
637 | 646 |
/** |
638 |
* #4 CHECK ALLOWED AND EXCLUDED LIST AND PHP FOR ALLOWED USERS |
|
639 |
*/ |
|
640 |
|
|
647 |
* #4 CHECK ALLOWED AND EXCLUDED LIST AND PHP FOR ALLOWED USERS |
|
648 |
*/ |
|
641 | 649 |
if (!$auth_conf->allowUser($authname, $ldap_user)) { |
642 | 650 |
$authentication_result = LDAP_AUTHENTICATION_RESULT_FAIL_DISALLOWED; |
643 |
break; // regardless of how many servers, disallowed user fails |
|
651 |
// Regardless of how many servers, disallowed user fails. |
|
652 |
break; |
|
644 | 653 |
} |
645 | 654 |
|
646 | 655 |
/** |
647 |
* #5 TEST PASSWORD |
|
648 |
*/ |
|
656 |
* #5 TEST PASSWORD
|
|
657 |
*/
|
|
649 | 658 |
$credentials_pass = FALSE; |
650 | 659 |
if ($sso_login) { |
651 | 660 |
/** If we have $sso_login passed in as true from the fake form state in |
... | ... | |
658 | 667 |
* what is contained in the global $_SERVER array populated by the web |
659 | 668 |
* server authentication. |
660 | 669 |
*/ |
661 |
$credentials_pass = (boolean)($ldap_user); |
|
670 |
$credentials_pass = (boolean) ($ldap_user);
|
|
662 | 671 |
} |
663 | 672 |
elseif ($ldap_server->bind_method == LDAP_SERVERS_BIND_METHOD_USER) { |
664 |
/**
|
|
673 |
/** |
|
665 | 674 |
* With user bind method, the only way we can reach this part of the |
666 | 675 |
* code is when the pw has already been checked and $ldap_user could be |
667 | 676 |
* loaded, so we're good to go. |
668 | 677 |
*/ |
669 |
$credentials_pass = true;
|
|
678 |
$credentials_pass = TRUE;
|
|
670 | 679 |
} |
671 | 680 |
else { |
672 | 681 |
$credentials_pass = ($ldap_server->bind($ldap_user['dn'], $password, FALSE) == LDAP_SUCCESS); |
... | ... | |
678 | 687 |
$watchdog_tokens['%err_text'] = NULL; |
679 | 688 |
} |
680 | 689 |
$authentication_result = LDAP_AUTHENTICATION_RESULT_FAIL_CREDENTIALS; |
681 |
continue; // next server, please |
|
690 |
// Next server, please. |
|
691 |
continue; |
|
682 | 692 |
} |
683 | 693 |
else { |
684 | 694 |
$authentication_result = LDAP_AUTHENTICATION_RESULT_SUCCESS; |
685 | 695 |
if ($ldap_server->bind_method == LDAP_SERVERS_BIND_METHOD_ANON_USER) { |
686 |
$ldap_user = $ldap_server->userUserNameToExistingLdapEntry($authname); // after successful bind, lookup user again to get private attributes |
|
696 |
// After successful bind, lookup user again to get private attributes. |
|
697 |
$ldap_user = $ldap_server->userUserNameToExistingLdapEntry($authname); |
|
687 | 698 |
$watchdog_tokens['%mail'] = $ldap_user['mail']; |
688 | 699 |
} |
689 | 700 |
if ($ldap_server->bind_method == LDAP_SERVERS_BIND_METHOD_SERVICE_ACCT || |
690 | 701 |
$ldap_server->bind_method == LDAP_SERVERS_BIND_METHOD_ANON_USER) { |
691 |
$ldap_server->disconnect();
|
|
702 |
$ldap_server->disconnect(); |
|
692 | 703 |
} |
693 | 704 |
// Update ldapUser with the sid of the server that the user authenticated |
694 | 705 |
// on if that option was enabled in the LDAP user configuration. |
695 | 706 |
if ($auth_conf->ldapUser->drupalAcctProvisionServer == LDAP_USER_AUTH_SERVER_SID) { |
696 | 707 |
$auth_conf->ldapUser->drupalAcctProvisionServer = $ldap_server->sid; |
697 | 708 |
} |
698 |
break; //success |
|
709 |
// Success. |
|
710 |
break; |
|
699 | 711 |
} |
700 |
|
|
701 |
} // end loop through servers |
|
702 |
|
|
712 |
} |
|
713 |
// End loop through servers. |
|
703 | 714 |
$watchdog_tokens['%result'] = $result; |
704 | 715 |
$watchdog_tokens['%auth_result'] = $authentication_result; |
705 |
$watchdog_tokens['%err_text'] = _ldap_authentication_err_text($authentication_result) ;
|
|
716 |
$watchdog_tokens['%err_text'] = _ldap_authentication_err_text($authentication_result); |
|
706 | 717 |
if ($detailed_watchdog_log) { |
707 | 718 |
watchdog('ldap_authentication', '%username : Authentication result id=%result auth_result=%auth_result (%err_text)', $watchdog_tokens, WATCHDOG_DEBUG); |
708 | 719 |
} |
709 | 720 |
|
710 |
return array($authentication_result, $ldap_user, $ldap_server);
|
|
721 |
return [$authentication_result, $ldap_user, $ldap_server];
|
|
711 | 722 |
} |
712 | 723 |
|
724 |
/** |
|
725 |
* |
|
726 |
*/ |
|
713 | 727 |
function ldap_authentication_fail_response($authentication_result, $auth_conf, $detailed_watchdog_log, &$watchdog_tokens) { |
714 | 728 |
$watchdog_tokens['%err_text'] = _ldap_authentication_err_text($authentication_result); |
715 |
// fail scenario 1. ldap auth exclusive and failed throw error so no other authentication methods are allowed
|
|
729 |
// Fail scenario 1. ldap auth exclusive and failed throw error so no other authentication methods are allowed.
|
|
716 | 730 |
if ($auth_conf->authenticationMode == LDAP_AUTHENTICATION_EXCLUSIVE) { |
717 | 731 |
if ($detailed_watchdog_log) { |
718 | 732 |
watchdog('ldap_authentication', '%username : setting error because failed at ldap and |
... | ... | |
722 | 736 |
form_set_error('name', $watchdog_tokens['%err_text']); |
723 | 737 |
} |
724 | 738 |
else { |
725 |
// fail scenario 2. simply fails ldap. return false, but don't throw form error
|
|
726 |
// don't show user message, may be using other authentication after this that may succeed. |
|
739 |
// Fail scenario 2. simply fails ldap. return false, but don't throw form error
|
|
740 |
// don't show user message, may be using other authentication after this that may succeed.
|
|
727 | 741 |
if ($detailed_watchdog_log) { |
728 | 742 |
watchdog('ldap_authentication', |
729 | 743 |
'%username : Failed ldap authentication. |
... | ... | |
737 | 751 |
} |
738 | 752 |
|
739 | 753 |
/** |
740 |
* get human readable authentication error string |
|
754 |
* Get human readable authentication error string. |
|
755 |
* |
|
756 |
* @param int $error |
|
757 |
* as LDAP_AUTHENTICATION_RESULT_* constant defined in |
|
758 |
* ldap_authentication.module. |
|
741 | 759 |
* |
742 |
* @param int $error as LDAP_AUTHENTICATION_RESULT_* constant defined in ldap_authentication.module |
|
743 | 760 |
* @return string human readable error text |
744 | 761 |
*/ |
745 | 762 |
function _ldap_authentication_err_text($error) { |
... | ... | |
747 | 764 |
$msg = t('unknown error: ' . $error); |
748 | 765 |
switch ($error) { |
749 | 766 |
case LDAP_AUTHENTICATION_RESULT_FAIL_CONNECT: |
750 |
$msg = t('Failed to connect to ldap server'); |
|
751 |
break; |
|
767 |
$msg = t('Failed to connect to ldap server');
|
|
768 |
break;
|
|
752 | 769 |
|
753 | 770 |
case LDAP_AUTHENTICATION_RESULT_FAIL_BIND: |
754 |
$msg = t('Failed to bind to ldap server'); |
|
755 |
break; |
|
771 |
$msg = t('Failed to bind to ldap server');
|
|
772 |
break;
|
|
756 | 773 |
|
757 | 774 |
case LDAP_AUTHENTICATION_RESULT_FAIL_FIND: |
758 |
$msg = t('Sorry, unrecognized username or password.'); |
|
759 |
break; |
|
775 |
$msg = t('Sorry, unrecognized username or password.');
|
|
776 |
break;
|
|
760 | 777 |
|
761 | 778 |
case LDAP_AUTHENTICATION_RESULT_FAIL_DISALLOWED: |
762 |
$msg = t('User disallowed'); |
|
763 |
break; |
|
779 |
$msg = t('User disallowed');
|
|
780 |
break;
|
|
764 | 781 |
|
765 | 782 |
case LDAP_AUTHENTICATION_RESULT_FAIL_CREDENTIALS: |
766 |
$msg = t('Sorry, unrecognized username or password.'); |
|
767 |
break; |
|
783 |
$msg = t('Sorry, unrecognized username or password.');
|
|
784 |
break;
|
|
768 | 785 |
|
769 | 786 |
case LDAP_AUTHENTICATION_RESULT_FAIL_GENERIC: |
770 |
$msg = t('Sorry, unrecognized username or password.'); |
|
771 |
break; |
|
787 |
$msg = t('Sorry, unrecognized username or password.');
|
|
788 |
break;
|
|
772 | 789 |
|
773 | 790 |
case LDAP_AUTHENTICATION_RESULT_FAIL_SERVER: |
774 |
$msg = t('Authentication Server or Configuration Error.'); |
|
775 |
break; |
|
791 |
$msg = t('Authentication Server or Configuration Error.');
|
|
792 |
break;
|
|
776 | 793 |
|
777 | 794 |
} |
778 | 795 |
|
Formats disponibles : Unified diff
Weekly update of contrib modules