summaryrefslogtreecommitdiffstats
path: root/src/etc/inc/auth.inc
diff options
context:
space:
mode:
Diffstat (limited to 'src/etc/inc/auth.inc')
-rw-r--r--src/etc/inc/auth.inc1627
1 files changed, 1627 insertions, 0 deletions
diff --git a/src/etc/inc/auth.inc b/src/etc/inc/auth.inc
new file mode 100644
index 0000000..3c0acaa
--- /dev/null
+++ b/src/etc/inc/auth.inc
@@ -0,0 +1,1627 @@
+<?php
+/* $Id$ */
+/*
+ Copyright (C) 2010 Ermal Lu├ži
+ All rights reserved.
+
+ Copyright (C) 2007, 2008 Scott Ullrich <sullrich@gmail.com>
+ All rights reserved.
+
+ Copyright (C) 2005-2006 Bill Marquette <bill.marquette@gmail.com>
+ All rights reserved.
+
+ Copyright (C) 2006 Paul Taylor <paultaylor@winn-dixie.com>.
+ All rights reserved.
+
+ Copyright (C) 2003-2006 Manuel Kasper <mk@neon1.net>.
+ All rights reserved.
+
+ Redistribution and use in source and binary forms, with or without
+ modification, are permitted provided that the following conditions are met:
+
+ 1. Redistributions of source code must retain the above copyright notice,
+ this list of conditions and the following disclaimer.
+
+ 2. Redistributions in binary form must reproduce the above copyright
+ notice, this list of conditions and the following disclaimer in the
+ documentation and/or other materials provided with the distribution.
+
+ THIS SOFTWARE IS PROVIDED ``AS IS'' AND ANY EXPRESS OR IMPLIED WARRANTIES,
+ INCLUDING, BUT NOT LIMITED TO, THE IMPLIED WARRANTIES OF MERCHANTABILITY
+ AND FITNESS FOR A PARTICULAR PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL THE
+ AUTHOR BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY,
+ OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF
+ SUBSTITUTE GOODS OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS
+ INTERRUPTION) HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN
+ CONTRACT, STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE)
+ ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE
+ POSSIBILITY OF SUCH DAMAGE.
+
+ pfSense_BUILDER_BINARIES: /usr/sbin/pw /bin/cp
+ pfSense_MODULE: auth
+*/
+
+/*
+ * NOTE : Portions of the mschapv2 support was based on the BSD licensed CHAP.php
+ * file courtesy of Michael Retterklieber.
+ */
+if (!$do_not_include_config_gui_inc) {
+ require_once("config.gui.inc");
+}
+
+// Will be changed to false if security checks fail
+$security_passed = true;
+
+/* If this function doesn't exist, we're being called from Captive Portal or
+ another internal subsystem which does not include authgui.inc */
+if (function_exists("display_error_form") && !isset($config['system']['webgui']['nodnsrebindcheck'])) {
+ /* DNS ReBinding attack prevention. https://redmine.pfsense.org/issues/708 */
+ $found_host = false;
+
+ /* Either a IPv6 address with or without a alternate port */
+ if (strstr($_SERVER['HTTP_HOST'], "]")) {
+ $http_host_port = explode("]", $_SERVER['HTTP_HOST']);
+ /* v6 address has more parts, drop the last part */
+ if (count($http_host_port) > 1) {
+ array_pop($http_host_port);
+ $http_host = str_replace(array("[", "]"), "", implode(":", $http_host_port));
+ } else {
+ $http_host = str_replace(array("[", "]"), "", implode(":", $http_host_port));
+ }
+ } else {
+ $http_host = explode(":", $_SERVER['HTTP_HOST']);
+ $http_host = $http_host[0];
+ }
+ if (is_ipaddr($http_host) or $_SERVER['SERVER_ADDR'] == "127.0.0.1" or
+ strcasecmp($http_host, "localhost") == 0 or $_SERVER['SERVER_ADDR'] == "::1") {
+ $found_host = true;
+ }
+ if (strcasecmp($http_host, $config['system']['hostname'] . "." . $config['system']['domain']) == 0 or
+ strcasecmp($http_host, $config['system']['hostname']) == 0) {
+ $found_host = true;
+ }
+
+ if (is_array($config['dyndnses']['dyndns']) && !$found_host) {
+ foreach ($config['dyndnses']['dyndns'] as $dyndns) {
+ if (strcasecmp($dyndns['host'], $http_host) == 0) {
+ $found_host = true;
+ break;
+ }
+ }
+ }
+
+ if (is_array($config['dnsupdates']['dnsupdate']) && !$found_host) {
+ foreach ($config['dnsupdates']['dnsupdate'] as $rfc2136) {
+ if (strcasecmp($rfc2136['host'], $http_host) == 0) {
+ $found_host = true;
+ break;
+ }
+ }
+ }
+
+ if (!empty($config['system']['webgui']['althostnames']) && !$found_host) {
+ $althosts = explode(" ", $config['system']['webgui']['althostnames']);
+ foreach ($althosts as $ah) {
+ if (strcasecmp($ah, $http_host) == 0 or strcasecmp($ah, $_SERVER['SERVER_ADDR']) == 0) {
+ $found_host = true;
+ break;
+ }
+ }
+ }
+
+ if ($found_host == false) {
+ if (!security_checks_disabled()) {
+ display_error_form("501", gettext("Potential DNS Rebind attack detected, see http://en.wikipedia.org/wiki/DNS_rebinding<br />Try accessing the router by IP address instead of by hostname."));
+ exit;
+ }
+ $security_passed = false;
+ }
+}
+
+// If the HTTP_REFERER is something other than ourselves then disallow.
+if (function_exists("display_error_form") && !isset($config['system']['webgui']['nohttpreferercheck'])) {
+ if ($_SERVER['HTTP_REFERER']) {
+ if (file_exists("{$g['tmp_path']}/setupwizard_lastreferrer")) {
+ if ($_SERVER['HTTP_REFERER'] == file_get_contents("{$g['tmp_path']}/setupwizard_lastreferrer")) {
+ unlink("{$g['tmp_path']}/setupwizard_lastreferrer");
+ header("Refresh: 1; url=index.php");
+ echo "<!DOCTYPE html PUBLIC \"-//W3C//DTD XHTML 1.0 Transitional//EN\"\n \"http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd\">";
+ echo "<html><head><title>" . gettext("Redirecting...") . "</title></head><body>" . gettext("Redirecting to the dashboard...") . "</body></html>";
+ exit;
+ }
+ }
+ $found_host = false;
+ $referrer_host = parse_url($_SERVER['HTTP_REFERER'], PHP_URL_HOST);
+ $referrer_host = str_replace(array("[", "]"), "", $referrer_host);
+ if ($referrer_host) {
+ if (strcasecmp($referrer_host, $config['system']['hostname'] . "." . $config['system']['domain']) == 0 ||
+ strcasecmp($referrer_host, $config['system']['hostname']) == 0) {
+ $found_host = true;
+ }
+
+ if (!empty($config['system']['webgui']['althostnames']) && !$found_host) {
+ $althosts = explode(" ", $config['system']['webgui']['althostnames']);
+ foreach ($althosts as $ah) {
+ if (strcasecmp($referrer_host, $ah) == 0) {
+ $found_host = true;
+ break;
+ }
+ }
+ }
+
+ if (is_array($config['dyndnses']['dyndns']) && !$found_host) {
+ foreach ($config['dyndnses']['dyndns'] as $dyndns) {
+ if (strcasecmp($dyndns['host'], $referrer_host) == 0) {
+ $found_host = true;
+ break;
+ }
+ }
+ }
+
+ if (is_array($config['dnsupdates']['dnsupdate']) && !$found_host) {
+ foreach ($config['dnsupdates']['dnsupdate'] as $rfc2136) {
+ if (strcasecmp($rfc2136['host'], $referrer_host) == 0) {
+ $found_host = true;
+ break;
+ }
+ }
+ }
+
+ if (!$found_host) {
+ $interface_list_ips = get_configured_ip_addresses();
+ foreach ($interface_list_ips as $ilips) {
+ if (strcasecmp($referrer_host, $ilips) == 0) {
+ $found_host = true;
+ break;
+ }
+ }
+ $interface_list_ipv6s = get_configured_ipv6_addresses();
+ foreach ($interface_list_ipv6s as $ilipv6s) {
+ if (strcasecmp($referrer_host, $ilipv6s) == 0) {
+ $found_host = true;
+ break;
+ }
+ }
+ if ($referrer_host == "127.0.0.1" || $referrer_host == "localhost") {
+ // allow SSH port forwarded connections and links from localhost
+ $found_host = true;
+ }
+ }
+ }
+ if ($found_host == false) {
+ if (!security_checks_disabled()) {
+ display_error_form("501", "An HTTP_REFERER was detected other than what is defined in System -> Advanced (" . htmlspecialchars($_SERVER['HTTP_REFERER']) . "). You can disable this check if needed in System -> Advanced -> Admin.");
+ exit;
+ }
+ $security_passed = false;
+ }
+ } else {
+ $security_passed = false;
+ }
+}
+
+if (function_exists("display_error_form") && $security_passed) {
+ /* Security checks passed, so it should be OK to turn them back on */
+ restore_security_checks();
+}
+unset($security_passed);
+
+$groupindex = index_groups();
+$userindex = index_users();
+
+function index_groups() {
+ global $g, $debug, $config, $groupindex;
+
+ $groupindex = array();
+
+ if (is_array($config['system']['group'])) {
+ $i = 0;
+ foreach ($config['system']['group'] as $groupent) {
+ $groupindex[$groupent['name']] = $i;
+ $i++;
+ }
+ }
+
+ return ($groupindex);
+}
+
+function index_users() {
+ global $g, $debug, $config;
+
+ if (is_array($config['system']['user'])) {
+ $i = 0;
+ foreach ($config['system']['user'] as $userent) {
+ $userindex[$userent['name']] = $i;
+ $i++;
+ }
+ }
+
+ return ($userindex);
+}
+
+function & getUserEntry($name) {
+ global $debug, $config, $userindex;
+ if (isset($userindex[$name])) {
+ return $config['system']['user'][$userindex[$name]];
+ }
+}
+
+function & getUserEntryByUID($uid) {
+ global $debug, $config;
+
+ if (is_array($config['system']['user'])) {
+ foreach ($config['system']['user'] as & $user) {
+ if ($user['uid'] == $uid) {
+ return $user;
+ }
+ }
+ }
+
+ return false;
+}
+
+function & getGroupEntry($name) {
+ global $debug, $config, $groupindex;
+ if (isset($groupindex[$name])) {
+ return $config['system']['group'][$groupindex[$name]];
+ }
+}
+
+function & getGroupEntryByGID($gid) {
+ global $debug, $config;
+
+ if (is_array($config['system']['group'])) {
+ foreach ($config['system']['group'] as & $group) {
+ if ($group['gid'] == $gid) {
+ return $group;
+ }
+ }
+ }
+
+ return false;
+}
+
+function get_user_privileges(& $user) {
+
+ $privs = $user['priv'];
+ if (!is_array($privs)) {
+ $privs = array();
+ }
+
+ $names = local_user_get_groups($user, true);
+
+ foreach ($names as $name) {
+ $group = getGroupEntry($name);
+ if (is_array($group['priv'])) {
+ $privs = array_merge($privs, $group['priv']);
+ }
+ }
+
+ return $privs;
+}
+
+function userHasPrivilege($userent, $privid = false) {
+
+ if (!$privid || !is_array($userent)) {
+ return false;
+ }
+
+ $privs = get_user_privileges($userent);
+
+ if (!is_array($privs)) {
+ return false;
+ }
+
+ if (!in_array($privid, $privs)) {
+ return false;
+ }
+
+ return true;
+}
+
+function local_backed($username, $passwd) {
+
+ $user = getUserEntry($username);
+ if (!$user) {
+ return false;
+ }
+
+ if (is_account_disabled($username) || is_account_expired($username)) {
+ return false;
+ }
+
+ if ($user['password']) {
+ if (crypt($passwd, $user['password']) == $user['password']) {
+ return true;
+ }
+ }
+
+ if ($user['md5-hash']) {
+ if (md5($passwd) == $user['md5-hash']) {
+ return true;
+ }
+ }
+
+ return false;
+}
+
+function local_sync_accounts() {
+ global $debug, $config;
+ conf_mount_rw();
+
+ /* remove local users to avoid uid conflicts */
+ $fd = popen("/usr/sbin/pw usershow -a", "r");
+ if ($fd) {
+ while (!feof($fd)) {
+ $line = explode(":", fgets($fd));
+ if (((!strncmp($line[0], "_", 1)) || ($line[2] < 2000) || ($line[2] > 65000)) && ($line[0] != "admin")) {
+ continue;
+ }
+ /*
+ * If a crontab was created to user, pw userdel will be interactive and
+ * can cause issues. Just remove crontab before run it when necessary
+ */
+ unlink_if_exists("/var/cron/tabs/{$line[0]}");
+ $cmd = "/usr/sbin/pw userdel -n '{$line[0]}'";
+ if ($debug) {
+ log_error(sprintf(gettext("Running: %s"), $cmd));
+ }
+ mwexec($cmd);
+ }
+ pclose($fd);
+ }
+
+ /* remove local groups to avoid gid conflicts */
+ $gids = array();
+ $fd = popen("/usr/sbin/pw groupshow -a", "r");
+ if ($fd) {
+ while (!feof($fd)) {
+ $line = explode(":", fgets($fd));
+ if (!strncmp($line[0], "_", 1)) {
+ continue;
+ }
+ if ($line[2] < 2000) {
+ continue;
+ }
+ if ($line[2] > 65000) {
+ continue;
+ }
+ $cmd = "/usr/sbin/pw groupdel {$line[2]}";
+ if ($debug) {
+ log_error(sprintf(gettext("Running: %s"), $cmd));
+ }
+ mwexec($cmd);
+ }
+ pclose($fd);
+ }
+
+ /* make sure the all group exists */
+ $allgrp = getGroupEntryByGID(1998);
+ local_group_set($allgrp, true);
+
+ /* sync all local users */
+ if (is_array($config['system']['user'])) {
+ foreach ($config['system']['user'] as $user) {
+ local_user_set($user);
+ }
+ }
+
+ /* sync all local groups */
+ if (is_array($config['system']['group'])) {
+ foreach ($config['system']['group'] as $group) {
+ local_group_set($group);
+ }
+ }
+
+ conf_mount_ro();
+
+}
+
+function local_user_set(& $user) {
+ global $g, $debug;
+
+ if (empty($user['password'])) {
+ log_error("There is something wrong in your config because user {$user['name']} password is missing!");
+ return;
+ }
+
+ conf_mount_rw();
+
+ $home_base = "/home/";
+ $user_uid = $user['uid'];
+ $user_name = $user['name'];
+ $user_home = "{$home_base}{$user_name}";
+ $user_shell = "/etc/rc.initial";
+ $user_group = "nobody";
+
+ // Ensure $home_base exists and is writable
+ if (!is_dir($home_base)) {
+ mkdir($home_base, 0755);
+ }
+
+ $lock_account = false;
+ /* configure shell type */
+ /* Cases here should be ordered by most privileged to least privileged. */
+ if (userHasPrivilege($user, "user-shell-access") || userHasPrivilege($user, "page-all")) {
+ $user_shell = "/bin/tcsh";
+ } elseif (userHasPrivilege($user, "user-copy-files")) {
+ $user_shell = "/usr/local/bin/scponly";
+ } elseif (userHasPrivilege($user, "user-ssh-tunnel")) {
+ $user_shell = "/usr/local/sbin/ssh_tunnel_shell";
+ } elseif (userHasPrivilege($user, "user-ipsec-xauth-dialin")) {
+ $user_shell = "/sbin/nologin";
+ } else {
+ $user_shell = "/sbin/nologin";
+ $lock_account = true;
+ }
+
+ /* Lock out disabled or expired users, unless it's root/admin. */
+ if ((is_account_disabled($user_name) || is_account_expired($user_name)) && ($user_uid != 0)) {
+ $user_shell = "/sbin/nologin";
+ $lock_account = true;
+ }
+
+ /* root user special handling */
+ if ($user_uid == 0) {
+ $cmd = "/usr/sbin/pw usermod -q -n root -s /bin/sh -H 0";
+ if ($debug) {
+ log_error(sprintf(gettext("Running: %s"), $cmd));
+ }
+ $fd = popen($cmd, "w");
+ fwrite($fd, $user['password']);
+ pclose($fd);
+ $user_group = "wheel";
+ $user_home = "/root";
+ $user_shell = "/etc/rc.initial";
+ }
+
+ /* read from pw db */
+ $fd = popen("/usr/sbin/pw usershow -n {$user_name} 2>&1", "r");
+ $pwread = fgets($fd);
+ pclose($fd);
+ $userattrs = explode(":", trim($pwread));
+
+ /* determine add or mod */
+ if (($userattrs[0] != $user['name']) || (!strncmp($pwread, "pw:", 3))) {
+ $user_op = "useradd -m -k /etc/skel -o";
+ } else {
+ $user_op = "usermod";
+ }
+
+ $comment = str_replace(array(":", "!", "@"), " ", $user['descr']);
+ /* add or mod pw db */
+ $cmd = "/usr/sbin/pw {$user_op} -q -u {$user_uid} -n {$user_name}".
+ " -g {$user_group} -s {$user_shell} -d {$user_home}".
+ " -c ".escapeshellarg($comment)." -H 0 2>&1";
+
+ if ($debug) {
+ log_error(sprintf(gettext("Running: %s"), $cmd));
+ }
+ $fd = popen($cmd, "w");
+ fwrite($fd, $user['password']);
+ pclose($fd);
+
+ /* create user directory if required */
+ if (!is_dir($user_home)) {
+ mkdir($user_home, 0700);
+ }
+ @chown($user_home, $user_name);
+ @chgrp($user_home, $user_group);
+
+ /* write out ssh authorized key file */
+ if ($user['authorizedkeys']) {
+ if (!is_dir("{$user_home}/.ssh")) {
+ @mkdir("{$user_home}/.ssh", 0700);
+ @chown("{$user_home}/.ssh", $user_name);
+ }
+ $keys = base64_decode($user['authorizedkeys']);
+ @file_put_contents("{$user_home}/.ssh/authorized_keys", $keys);
+ @chown("{$user_home}/.ssh/authorized_keys", $user_name);
+ } else {
+ unlink_if_exists("{$user_home}/.ssh/authorized_keys");
+ }
+
+ $un = $lock_account ? "" : "un";
+ exec("/usr/sbin/pw {$un}lock {$user_name} -q");
+
+ conf_mount_ro();
+}
+
+function local_user_del($user) {
+ global $debug;
+
+ /* remove all memberships */
+ local_user_set_groups($user);
+
+ /* Don't remove /root */
+ if ($user['uid'] != 0) {
+ $rmhome = "-r";
+ }
+
+ /* read from pw db */
+ $fd = popen("/usr/sbin/pw usershow -n {$user['name']} 2>&1", "r");
+ $pwread = fgets($fd);
+ pclose($fd);
+ $userattrs = explode(":", trim($pwread));
+
+ if ($userattrs[0] != $user['name']) {
+ log_error("Tried to remove user {$user['name']} but got user {$userattrs[0]} instead. Bailing.");
+ return;
+ }
+
+ /* delete from pw db */
+ $cmd = "/usr/sbin/pw userdel -n {$user['name']} {$rmhome}";
+
+ if ($debug) {
+ log_error(sprintf(gettext("Running: %s"), $cmd));
+ }
+ mwexec($cmd);
+
+ /* Delete user from groups needs a call to write_config() */
+ local_group_del_user($user);
+}
+
+function local_user_set_password(&$user, $password) {
+
+ $user['password'] = crypt($password);
+ $user['md5-hash'] = md5($password);
+
+ // Converts ascii to unicode.
+ $astr = (string) $password;
+ $ustr = '';
+ for ($i = 0; $i < strlen($astr); $i++) {
+ $a = ord($astr{$i}) << 8;
+ $ustr .= sprintf("%X", $a);
+ }
+
+}
+
+function local_user_get_groups($user, $all = false) {
+ global $debug, $config;
+
+ $groups = array();
+ if (!is_array($config['system']['group'])) {
+ return $groups;
+ }
+
+ foreach ($config['system']['group'] as $group) {
+ if ($all || (!$all && ($group['name'] != "all"))) {
+ if (is_array($group['member'])) {
+ if (in_array($user['uid'], $group['member'])) {
+ $groups[] = $group['name'];
+ }
+ }
+ }
+ }
+
+ if ($all) {
+ $groups[] = "all";
+ }
+
+ sort($groups);
+
+ return $groups;
+
+}
+
+function local_user_set_groups($user, $new_groups = NULL) {
+ global $debug, $config, $groupindex;
+
+ if (!is_array($config['system']['group'])) {
+ return;
+ }
+
+ $cur_groups = local_user_get_groups($user, true);
+ $mod_groups = array();
+
+ if (!is_array($new_groups)) {
+ $new_groups = array();
+ }
+
+ if (!is_array($cur_groups)) {
+ $cur_groups = array();
+ }
+
+ /* determine which memberships to add */
+ foreach ($new_groups as $groupname) {
+ if ($groupname == '' || in_array($groupname, $cur_groups)) {
+ continue;
+ }
+ $group = & $config['system']['group'][$groupindex[$groupname]];
+ $group['member'][] = $user['uid'];
+ $mod_groups[] = $group;
+ }
+ unset($group);
+
+ /* determine which memberships to remove */
+ foreach ($cur_groups as $groupname) {
+ if (in_array($groupname, $new_groups)) {
+ continue;
+ }
+ if (!isset($config['system']['group'][$groupindex[$groupname]])) {
+ continue;
+ }
+ $group = & $config['system']['group'][$groupindex[$groupname]];
+ if (is_array($group['member'])) {
+ $index = array_search($user['uid'], $group['member']);
+ array_splice($group['member'], $index, 1);
+ $mod_groups[] = $group;
+ }
+ }
+ unset($group);
+
+ /* sync all modified groups */
+ foreach ($mod_groups as $group) {
+ local_group_set($group);
+ }
+}
+
+function local_group_del_user($user) {
+ global $config;
+
+ if (!is_array($config['system']['group'])) {
+ return;
+ }
+
+ foreach ($config['system']['group'] as $group) {
+ if (is_array($group['member'])) {
+ foreach ($group['member'] as $idx => $uid) {
+ if ($user['uid'] == $uid) {
+ unset($config['system']['group']['member'][$idx]);
+ }
+ }
+ }
+ }
+}
+
+function local_group_set($group, $reset = false) {
+ global $debug;
+
+ $group_name = $group['name'];
+ $group_gid = $group['gid'];
+ $group_members = '';
+ if (!$reset && !empty($group['member']) && count($group['member']) > 0) {
+ $group_members = implode(",", $group['member']);
+ }
+
+ if (empty($group_name)) {
+ return;
+ }
+
+ /* read from group db */
+ $fd = popen("/usr/sbin/pw groupshow {$group_name} 2>&1", "r");
+ $pwread = fgets($fd);
+ pclose($fd);
+
+ /* determine add or mod */
+ if (!strncmp($pwread, "pw:", 3)) {
+ $group_op = "groupadd";
+ } else {
+ $group_op = "groupmod";
+ }
+
+ /* add or mod group db */
+ $cmd = "/usr/sbin/pw {$group_op} {$group_name} -g {$group_gid} -M '{$group_members}' 2>&1";
+
+ if ($debug) {
+ log_error(sprintf(gettext("Running: %s"), $cmd));
+ }
+ mwexec($cmd);
+
+}
+
+function local_group_del($group) {
+ global $debug;
+
+ /* delete from group db */
+ $cmd = "/usr/sbin/pw groupdel {$group['name']}";
+
+ if ($debug) {
+ log_error(sprintf(gettext("Running: %s"), $cmd));
+ }
+ mwexec($cmd);
+}
+
+function ldap_test_connection($authcfg) {
+ global $debug, $config, $g;
+
+ if ($authcfg) {
+ if (strstr($authcfg['ldap_urltype'], "Standard")) {
+ $ldapproto = "ldap";
+ } else {
+ $ldapproto = "ldaps";
+ }
+ $ldapserver = "{$ldapproto}://" . ldap_format_host($authcfg['host']);
+ $ldapport = $authcfg['ldap_port'];
+ if (!empty($ldapport)) {
+ $ldapserver .= ":{$ldapport}";
+ }
+ $ldapbasedn = $authcfg['ldap_basedn'];
+ $ldapbindun = $authcfg['ldap_binddn'];
+ $ldapbindpw = $authcfg['ldap_bindpw'];
+ } else {
+ return false;
+ }
+
+ /* first check if there is even an LDAP server populated */
+ if (!$ldapserver) {
+ return false;
+ }
+
+ /* Setup CA environment if needed. */
+ ldap_setup_caenv($authcfg);
+
+ /* connect and see if server is up */
+ $error = false;
+ if (!($ldap = ldap_connect($ldapserver))) {
+ $error = true;
+ }
+
+ if ($error == true) {
+ log_error(sprintf(gettext("ERROR! Could not connect to server %s."), $ldapname));
+ return false;
+ }
+
+ return true;
+}
+
+function ldap_setup_caenv($authcfg) {
+ global $g;
+ require_once("certs.inc");
+
+ unset($caref);
+ if (empty($authcfg['ldap_caref']) || !strstr($authcfg['ldap_urltype'], "SSL")) {
+ putenv('LDAPTLS_REQCERT=never');
+ return;
+ } else {
+ $caref = lookup_ca($authcfg['ldap_caref']);
+ if (!$caref) {
+ log_error(sprintf(gettext("LDAP: Could not lookup CA by reference for host %s."), $authcfg['ldap_caref']));
+ /* XXX: Prevent for credential leaking since we cannot setup the CA env. Better way? */
+ putenv('LDAPTLS_REQCERT=hard');
+ return;
+ }
+ if (!is_dir("{$g['varrun_path']}/certs")) {
+ @mkdir("{$g['varrun_path']}/certs");
+ }
+ if (file_exists("{$g['varrun_path']}/certs/{$caref['refid']}.ca")) {
+ @unlink("{$g['varrun_path']}/certs/{$caref['refid']}.ca");
+ }
+ file_put_contents("{$g['varrun_path']}/certs/{$caref['refid']}.ca", base64_decode($caref['crt']));
+ @chmod("{$g['varrun_path']}/certs/{$caref['refid']}.ca", 0600);
+ putenv('LDAPTLS_REQCERT=hard');
+ /* XXX: Probably even the hashed link should be created for this? */
+ putenv("LDAPTLS_CACERTDIR={$g['varrun_path']}/certs");
+ putenv("LDAPTLS_CACERT={$g['varrun_path']}/certs/{$caref['refid']}.ca");
+ }
+}
+
+function ldap_test_bind($authcfg) {
+ global $debug, $config, $g;
+
+ if ($authcfg) {
+ if (strstr($authcfg['ldap_urltype'], "Standard")) {
+ $ldapproto = "ldap";
+ } else {
+ $ldapproto = "ldaps";
+ }
+ $ldapserver = "{$ldapproto}://" . ldap_format_host($authcfg['host']);
+ $ldapport = $authcfg['ldap_port'];
+ if (!empty($ldapport)) {
+ $ldapserver .= ":{$ldapport}";
+ }
+ $ldapbasedn = $authcfg['ldap_basedn'];
+ $ldapbindun = $authcfg['ldap_binddn'];
+ $ldapbindpw = $authcfg['ldap_bindpw'];
+ $ldapver = $authcfg['ldap_protver'];
+ if (empty($ldapbndun) || empty($ldapbindpw)) {
+ $ldapanon = true;
+ } else {
+ $ldapanon = false;
+ }
+ } else {
+ return false;
+ }
+
+ /* first check if there is even an LDAP server populated */
+ if (!$ldapserver) {
+ return false;
+ }
+
+ /* Setup CA environment if needed. */
+ ldap_setup_caenv($authcfg);
+
+ /* connect and see if server is up */
+ $error = false;
+ if (!($ldap = ldap_connect($ldapserver))) {
+ $error = true;
+ }
+
+ if ($error == true) {
+ log_error(sprintf(gettext("ERROR! Could not connect to server %s."), $ldapname));
+ return false;
+ }
+
+ ldap_set_option($ldap, LDAP_OPT_REFERRALS, 0);
+ ldap_set_option($ldap, LDAP_OPT_DEREF, LDAP_DEREF_SEARCHING);
+ ldap_set_option($ldap, LDAP_OPT_PROTOCOL_VERSION, (int)$ldapver);
+
+ $ldapbindun = isset($authcfg['ldap_utf8']) ? utf8_encode($ldapbindun) : $ldapbindun;
+ $ldapbindpw = isset($authcfg['ldap_utf8']) ? utf8_encode($ldapbindpw) : $ldapbindpw;
+ if ($ldapanon == true) {
+ if (!($res = @ldap_bind($ldap))) {
+ @ldap_close($ldap);
+ return false;
+ }
+ } else if (!($res = @ldap_bind($ldap, $ldapbindun, $ldapbindpw))) {
+ @ldap_close($ldap);
+ return false;
+ }
+
+ @ldap_unbind($ldap);
+
+ return true;
+}
+
+function ldap_get_user_ous($show_complete_ou=true, $authcfg) {
+ global $debug, $config, $g;
+
+ if (!function_exists("ldap_connect")) {
+ return;
+ }
+
+ $ous = array();
+
+ if ($authcfg) {
+ if (strstr($authcfg['ldap_urltype'], "Standard")) {
+ $ldapproto = "ldap";
+ } else {
+ $ldapproto = "ldaps";
+ }
+ $ldapserver = "{$ldapproto}://" . ldap_format_host($authcfg['host']);
+ $ldapport = $authcfg['ldap_port'];
+ if (!empty($ldapport)) {
+ $ldapserver .= ":{$ldapport}";
+ }
+ $ldapbasedn = $authcfg['ldap_basedn'];
+ $ldapbindun = $authcfg['ldap_binddn'];
+ $ldapbindpw = $authcfg['ldap_bindpw'];
+ $ldapver = $authcfg['ldap_protver'];
+ if (empty($ldapbindun) || empty($ldapbindpw)) {
+ $ldapanon = true;
+ } else {
+ $ldapanon = false;
+ }
+ $ldapname = $authcfg['name'];
+ $ldapfallback = false;
+ $ldapscope = $authcfg['ldap_scope'];
+ } else {
+ return false;
+ }
+
+ /* first check if there is even an LDAP server populated */
+ if (!$ldapserver) {
+ log_error(gettext("ERROR! ldap_get_user_ous() backed selected with no LDAP authentication server defined."));
+ return $ous;
+ }
+
+ /* Setup CA environment if needed. */
+ ldap_setup_caenv($authcfg);
+
+ /* connect and see if server is up */
+ $error = false;
+ if (!($ldap = ldap_connect($ldapserver))) {
+ $error = true;
+ }
+
+ if ($error == true) {
+ log_error(sprintf(gettext("ERROR! Could not connect to server %s."), $ldapname));
+ return $ous;
+ }
+
+ $ldapfilter = "(|(ou=*)(cn=Users))";
+
+ ldap_set_option($ldap, LDAP_OPT_REFERRALS, 0);
+ ldap_set_option($ldap, LDAP_OPT_DEREF, LDAP_DEREF_SEARCHING);
+ ldap_set_option($ldap, LDAP_OPT_PROTOCOL_VERSION, (int)$ldapver);
+
+ $ldapbindun = isset($authcfg['ldap_utf8']) ? utf8_encode($ldapbindun) : $ldapbindun;
+ $ldapbindpw = isset($authcfg['ldap_utf8']) ? utf8_encode($ldapbindpw) : $ldapbindpw;
+ if ($ldapanon == true) {
+ if (!($res = @ldap_bind($ldap))) {
+ log_error(sprintf(gettext("ERROR! ldap_get_user_ous() could not bind anonymously to server %s."), $ldapname));
+ @ldap_close($ldap);
+ return $ous;
+ }
+ } else if (!($res = @ldap_bind($ldap, $ldapbindun, $ldapbindpw))) {
+ log_error(sprintf(gettext("ERROR! ldap_get_user_ous() could not bind to server %s."), $ldapname));
+ @ldap_close($ldap);
+ return $ous;
+ }
+
+ if ($ldapscope == "one") {
+ $ldapfunc = "ldap_list";
+ } else {
+ $ldapfunc = "ldap_search";
+ }
+
+ $search = @$ldapfunc($ldap, $ldapbasedn, $ldapfilter);
+ $info = @ldap_get_entries($ldap, $search);
+
+ if (is_array($info)) {
+ foreach ($info as $inf) {
+ if (!$show_complete_ou) {
+ $inf_split = explode(",", $inf['dn']);
+ $ou = $inf_split[0];
+ $ou = str_replace("OU=", "", $ou);
+ $ou = str_replace("CN=", "", $ou);
+ } else {
+ if ($inf['dn']) {
+ $ou = $inf['dn'];
+ }
+ }
+ if ($ou) {
+ $ous[] = $ou;
+ }
+ }
+ }
+
+ @ldap_unbind($ldap);
+
+ return $ous;
+}
+
+function ldap_get_groups($username, $authcfg) {
+ global $debug, $config;
+
+ if (!function_exists("ldap_connect")) {
+ return;
+ }
+
+ if (!$username) {
+ return false;
+ }
+
+ if (!isset($authcfg['ldap_nostrip_at']) && stristr($username, "@")) {
+ $username_split = explode("@", $username);
+ $username = $username_split[0];
+ }
+
+ if (stristr($username, "\\")) {
+ $username_split = explode("\\", $username);
+ $username = $username_split[0];
+ }
+
+ //log_error("Getting LDAP groups for {$username}.");
+ if ($authcfg) {
+ if (strstr($authcfg['ldap_urltype'], "Standard")) {
+ $ldapproto = "ldap";
+ } else {
+ $ldapproto = "ldaps";
+ }
+ $ldapserver = "{$ldapproto}://" . ldap_format_host($authcfg['host']);
+ $ldapport = $authcfg['ldap_port'];
+ if (!empty($ldapport)) {
+ $ldapserver .= ":{$ldapport}";
+ }
+ $ldapbasedn = $authcfg['ldap_basedn'];
+ $ldapbindun = $authcfg['ldap_binddn'];
+ $ldapbindpw = $authcfg['ldap_bindpw'];
+ $ldapauthcont = $authcfg['ldap_authcn'];
+ $ldapnameattribute = strtolower($authcfg['ldap_attr_user']);
+ $ldapgroupattribute = strtolower($authcfg['ldap_attr_member']);
+ $ldapfilter = "({$ldapnameattribute}={$username})";
+ $ldaptype = "";
+ $ldapver = $authcfg['ldap_protver'];
+ if (empty($ldapbindun) || empty($ldapbindpw)) {
+ $ldapanon = true;
+ } else {
+ $ldapanon = false;
+ }
+ $ldapname = $authcfg['name'];
+ $ldapfallback = false;
+ $ldapscope = $authcfg['ldap_scope'];
+ } else {
+ return false;
+ }
+
+ $ldapdn = $_SESSION['ldapdn'];
+
+ /*Convert attribute to lowercase. php ldap arrays put everything in lowercase */
+ $ldapgroupattribute = strtolower($ldapgroupattribute);
+ $memberof = array();
+
+ /* Setup CA environment if needed. */
+ ldap_setup_caenv($authcfg);
+
+ /* connect and see if server is up */
+ $error = false;
+ if (!($ldap = ldap_connect($ldapserver))) {
+ $error = true;
+ }
+
+ if ($error == true) {
+ log_error(sprintf(gettext("ERROR! ldap_get_groups() Could not connect to server %s."), $ldapname));
+ return memberof;
+ }
+
+ ldap_set_option($ldap, LDAP_OPT_REFERRALS, 0);
+ ldap_set_option($ldap, LDAP_OPT_DEREF, LDAP_DEREF_SEARCHING);
+ ldap_set_option($ldap, LDAP_OPT_PROTOCOL_VERSION, (int)$ldapver);
+
+ /* bind as user that has rights to read group attributes */
+ $ldapbindun = isset($authcfg['ldap_utf8']) ? utf8_encode($ldapbindun) : $ldapbindun;
+ $ldapbindpw = isset($authcfg['ldap_utf8']) ? utf8_encode($ldapbindpw) : $ldapbindpw;
+ if ($ldapanon == true) {
+ if (!($res = @ldap_bind($ldap))) {
+ log_error(sprintf(gettext("ERROR! ldap_get_groups() could not bind anonymously to server %s."), $ldapname));
+ @ldap_close($ldap);
+ return false;
+ }
+ } else if (!($res = @ldap_bind($ldap, $ldapbindun, $ldapbindpw))) {
+ log_error(sprintf(gettext("ERROR! ldap_get_groups() could not bind to server %s."), $ldapname));
+ @ldap_close($ldap);
+ return memberof;
+ }
+
+ /* get groups from DN found */
+ /* use ldap_read instead of search so we don't have to do a bunch of extra work */
+ /* since we know the DN is in $_SESSION['ldapdn'] */
+ //$search = ldap_read($ldap, $ldapdn, "(objectclass=*)", array($ldapgroupattribute));
+ if ($ldapscope == "one") {
+ $ldapfunc = "ldap_list";
+ } else {
+ $ldapfunc = "ldap_search";
+ }
+
+ $search = @$ldapfunc($ldap, $ldapdn, $ldapfilter, array($ldapgroupattribute));
+ $info = @ldap_get_entries($ldap, $search);
+
+ $countem = $info["count"];
+
+ if (is_array($info[0][$ldapgroupattribute])) {
+ /* Iterate through the groups and throw them into an array */
+ foreach ($info[0][$ldapgroupattribute] as $member) {
+ if (stristr($member, "CN=") !== false) {
+ $membersplit = explode(",", $member);
+ $memberof[] = preg_replace("/CN=/i", "", $membersplit[0]);
+ }
+ }
+ }
+
+ /* Time to close LDAP connection */
+ @ldap_unbind($ldap);
+
+ $groups = print_r($memberof, true);
+
+ //log_error("Returning groups ".$groups." for user $username");
+
+ return $memberof;
+}
+
+function ldap_format_host($host) {
+ return is_ipaddrv6($host) ? "[$host]" : $host ;
+}
+
+function ldap_backed($username, $passwd, $authcfg) {
+ global $debug, $config;
+
+ if (!$username) {
+ return;
+ }
+
+ if (!function_exists("ldap_connect")) {
+ return;
+ }
+
+ if (!isset($authcfg['ldap_nostrip_at']) && stristr($username, "@")) {
+ $username_split = explode("@", $username);
+ $username = $username_split[0];
+ }
+ if (stristr($username, "\\")) {
+ $username_split = explode("\\", $username);
+ $username = $username_split[0];
+ }
+
+ if ($authcfg) {
+ if (strstr($authcfg['ldap_urltype'], "Standard")) {
+ $ldapproto = "ldap";
+ } else {
+ $ldapproto = "ldaps";
+ }
+ $ldapserver = "{$ldapproto}://" . ldap_format_host($authcfg['host']);
+ $ldapport = $authcfg['ldap_port'];
+ if (!empty($ldapport)) {
+ $ldapserver .= ":{$ldapport}";
+ }
+ $ldapbasedn = $authcfg['ldap_basedn'];
+ $ldapbindun = $authcfg['ldap_binddn'];
+ $ldapbindpw = $authcfg['ldap_bindpw'];
+ if (empty($ldapbindun) || empty($ldapbindpw)) {
+ $ldapanon = true;
+ } else {
+ $ldapanon = false;
+ }
+ $ldapauthcont = $authcfg['ldap_authcn'];
+ $ldapnameattribute = strtolower($authcfg['ldap_attr_user']);
+ $ldapextendedqueryenabled = $authcfg['ldap_extended_enabled'];
+ $ldapextendedquery = $authcfg['ldap_extended_query'];
+ $ldapfilter = "";
+ if (!$ldapextendedqueryenabled) {
+ $ldapfilter = "({$ldapnameattribute}={$username})";
+ } else {
+ $ldapfilter = "(&({$ldapnameattribute}={$username})({$ldapextendedquery}))";
+ }
+ $ldaptype = "";
+ $ldapver = $authcfg['ldap_protver'];
+ $ldapname = $authcfg['name'];
+ $ldapscope = $authcfg['ldap_scope'];
+ } else {
+ return false;
+ }
+
+ /* first check if there is even an LDAP server populated */
+ if (!$ldapserver) {
+ if ($ldapfallback) {
+ log_error(gettext("ERROR! ldap_backed() called with no LDAP authentication server defined. Defaulting to local user database. Visit System -> User Manager."));
+ return local_backed($username, $passwd);
+ } else {
+ log_error(gettext("ERROR! ldap_backed() called with no LDAP authentication server defined."));
+ }
+
+ return false;
+ }
+
+ /* Setup CA environment if needed. */
+ ldap_setup_caenv($authcfg);
+
+ ldap_set_option($ldap, LDAP_OPT_REFERRALS, 0);
+ ldap_set_option($ldap, LDAP_OPT_DEREF, LDAP_DEREF_SEARCHING);
+ ldap_set_option($ldap, LDAP_OPT_PROTOCOL_VERSION, (int)$ldapver);
+
+ /* Make sure we can connect to LDAP */
+ $error = false;
+ if (!($ldap = ldap_connect($ldapserver))) {
+ $error = true;
+ }
+
+ if ($error == true) {
+ log_error(sprintf(gettext("ERROR! Could not connect to server %s."), $ldapname));
+ return false;
+ }
+
+ /* ok, its up. now, lets bind as the bind user so we can search it */
+ $error = false;
+ $ldapbindun = isset($authcfg['ldap_utf8']) ? utf8_encode($ldapbindun) : $ldapbindun;
+ $ldapbindpw = isset($authcfg['ldap_utf8']) ? utf8_encode($ldapbindpw) : $ldapbindpw;
+ if ($ldapanon == true) {
+ if (!($res = @ldap_bind($ldap))) {
+ $error = true;
+ }
+ } else if (!($res = @ldap_bind($ldap, $ldapbindun, $ldapbindpw))) {
+ $error = true;
+ }
+
+ if ($error == true) {
+ @ldap_close($ldap);
+ log_error(sprintf(gettext("ERROR! Could not bind to server %s."), $ldapname));
+ return false;
+ }
+
+ /* Get LDAP Authcontainers and split em up. */
+ $ldac_splits = explode(";", $ldapauthcont);
+
+ /* setup the usercount so we think we haven't found anyone yet */
+ $usercount = 0;
+
+ /*****************************************************************/
+ /* We First find the user based on username and filter */
+ /* Then, once we find the first occurrence of that person */
+ /* We set session variables to point to the OU and DN of the */
+ /* Person. To later be used by ldap_get_groups. */
+ /* that way we don't have to search twice. */
+ /*****************************************************************/
+ if ($debug) {
+ log_auth(sprintf(gettext("Now Searching for %s in directory."), $username));
+ }
+ /* Iterate through the user containers for search */
+ foreach ($ldac_splits as $i => $ldac_split) {
+ $ldac_split = isset($authcfg['ldap_utf8']) ? utf8_encode($ldac_split) : $ldac_split;
+ $ldapfilter = isset($authcfg['ldap_utf8']) ? utf8_encode($ldapfilter) : $ldapfilter;
+ $ldapsearchbasedn = isset($authcfg['ldap_utf8']) ? utf8_encode("{$ldac_split},{$ldapbasedn}") : "{$ldac_split},{$ldapbasedn}";
+ /* Make sure we just use the first user we find */
+ if ($debug) {
+ log_auth(sprintf(gettext('Now Searching in server %1$s, container %2$s with filter %3$s.'), $ldapname, utf8_decode($ldac_split), utf8_decode($ldapfilter)));
+ }
+ if ($ldapscope == "one") {
+ $ldapfunc = "ldap_list";
+ } else {
+ $ldapfunc = "ldap_search";
+ }
+ /* Support legacy auth container specification. */
+ if (stristr($ldac_split, "DC=") || empty($ldapbasedn)) {
+ $search = @$ldapfunc($ldap,$ldac_split,$ldapfilter);
+ } else {
+ $search = @$ldapfunc($ldap,$ldapsearchbasedn,$ldapfilter);
+ }
+ if (!$search) {
+ log_error(sprintf(gettext("Search resulted in error: %s"), ldap_error($ldap)));
+ continue;
+ }
+ $info = ldap_get_entries($ldap, $search);
+ $matches = $info['count'];
+ if ($matches == 1) {
+ $userdn = $_SESSION['ldapdn'] = $info[0]['dn'];
+ $_SESSION['ldapou'] = $ldac_split[$i];
+ $_SESSION['ldapon'] = "true";
+ $usercount = 1;
+ break;
+ }
+ }
+
+ if ($usercount != 1) {
+ @ldap_unbind($ldap);
+ log_error(gettext("ERROR! Either LDAP search failed, or multiple users were found."));
+ return false;
+ }
+
+ /* Now lets bind as the user we found */
+ $passwd = isset($authcfg['ldap_utf8']) ? utf8_encode($passwd) : $passwd;
+ if (!($res = @ldap_bind($ldap, $userdn, $passwd))) {
+ log_error(sprintf(gettext('ERROR! Could not login to server %1$s as user %2$s: %3$s'), $ldapname, $username, ldap_error($ldap)));
+ @ldap_unbind($ldap);
+ return false;
+ }
+
+ if ($debug) {
+ $userdn = isset($authcfg['ldap_utf8']) ? utf8_decode($userdn) : $userdn;
+ log_auth(sprintf(gettext('Logged in successfully as %1$s via LDAP server %2$s with DN = %3$s.'), $username, $ldapname, $userdn));
+ }
+
+ /* At this point we are bound to LDAP so the user was auth'd okay. Close connection. */
+ @ldap_unbind($ldap);
+
+ return true;
+}
+
+function radius_backed($username, $passwd, $authcfg, &$attributes = array()) {
+ global $debug, $config;
+ $ret = false;
+
+ require_once("radius.inc");
+
+ $rauth = new Auth_RADIUS_PAP($username, $passwd);
+ if ($authcfg) {
+ $radiusservers = array();
+ $radiusservers[0]['ipaddr'] = $authcfg['host'];
+ $radiusservers[0]['port'] = $authcfg['radius_auth_port'];
+ $radiusservers[0]['sharedsecret'] = $authcfg['radius_secret'];
+ $radiusservers[0]['timeout'] = $authcfg['radius_timeout'];
+ } else {
+ return false;
+ }
+
+ /* Add new servers to our instance */
+ foreach ($radiusservers as $radsrv) {
+ $timeout = (is_numeric($radsrv['timeout'])) ? $radsrv['timeout'] : 5;
+ $rauth->addServer($radsrv['ipaddr'], $radsrv['port'], $radsrv['sharedsecret'], $timeout);
+ }
+
+ if (PEAR::isError($rauth->start())) {
+ $retvalue['auth_val'] = 1;
+ $retvalue['error'] = $rauth->getError();
+ if ($debug) {
+ printf(gettext("Radius start: %s<br />\n"), $retvalue['error']);
+ }
+ }
+
+ // XXX - billm - somewhere in here we need to handle securid challenge/response
+
+ /* Send request */
+ $result = $rauth->send();
+ if (PEAR::isError($result)) {
+ $retvalue['auth_val'] = 1;
+ $retvalue['error'] = $result->getMessage();
+ if ($debug) {
+ printf(gettext("Radius send failed: %s<br />\n"), $retvalue['error']);
+ }
+ } else if ($result === true) {
+ if ($rauth->getAttributes()) {
+ $attributes = $rauth->listAttributes();
+ }
+ $retvalue['auth_val'] = 2;
+ if ($debug) {
+ printf(gettext("Radius Auth succeeded")."<br />\n");
+ }
+ $ret = true;
+ } else {
+ $retvalue['auth_val'] = 3;
+ if ($debug) {
+ printf(gettext("Radius Auth rejected")."<br />\n");
+ }
+ }
+
+ // close OO RADIUS_AUTHENTICATION
+ $rauth->close();
+
+ return $ret;
+}
+
+/*
+ $attributes must contain a "class" key containing the groups and local
+ groups must exist to match.
+*/
+function radius_get_groups($attributes) {
+ $groups = array();
+ if (!empty($attributes) && is_array($attributes) && !empty($attributes['class'])) {
+ $groups = explode(";", $attributes['class']);
+ foreach ($groups as & $grp) {
+ $grp = trim($grp);
+ if (strtolower(substr($grp, 0, 3)) == "ou=") {
+ $grp = substr($grp, 3);
+ }
+ }
+ }
+ return $groups;
+}
+
+function get_user_expiration_date($username) {
+ $user = getUserEntry($username);
+ if ($user['expires']) {
+ return $user['expires'];
+ }
+}
+
+function is_account_expired($username) {
+ $expirydate = get_user_expiration_date($username);
+ if ($expirydate) {
+ if (strtotime("-1 day") > strtotime(date("m/d/Y", strtotime($expirydate)))) {
+ return true;
+ }
+ }
+
+ return false;
+}
+
+function is_account_disabled($username) {
+ $user = getUserEntry($username);
+ if (isset($user['disabled'])) {
+ return true;
+ }
+
+ return false;
+}
+
+function auth_get_authserver($name) {
+ global $config;
+
+ if (is_array($config['system']['authserver'])) {
+ foreach ($config['system']['authserver'] as $authcfg) {
+ if ($authcfg['name'] == $name) {
+ return $authcfg;
+ }
+ }
+ }
+ if ($name == "Local Database") {
+ return array("name" => gettext("Local Database"), "type" => "Local Auth", "host" => $config['system']['hostname']);
+ }
+}
+
+function auth_get_authserver_list() {
+ global $config;
+
+ $list = array();
+
+ if (is_array($config['system']['authserver'])) {
+ foreach ($config['system']['authserver'] as $authcfg) {
+ /* Add support for disabled entries? */
+ $list[$authcfg['name']] = $authcfg;
+ }
+ }
+
+ $list["Local Database"] = array("name" => gettext("Local Database"), "type" => "Local Auth", "host" => $config['system']['hostname']);
+ return $list;
+}
+
+function getUserGroups($username, $authcfg, &$attributes = array()) {
+ global $config;
+
+ $allowed_groups = array();
+
+ switch ($authcfg['type']) {
+ case 'ldap':
+ $allowed_groups = @ldap_get_groups($username, $authcfg);
+ break;
+ case 'radius':
+ $allowed_groups = @radius_get_groups($attributes);
+ break;
+ default:
+ $user = getUserEntry($username);
+ $allowed_groups = @local_user_get_groups($user, true);
+ break;
+ }
+
+ $member_groups = array();
+ if (is_array($config['system']['group'])) {
+ foreach ($config['system']['group'] as $group) {
+ if (in_array($group['name'], $allowed_groups)) {
+ $member_groups[] = $group['name'];
+ }
+ }
+ }
+
+ return $member_groups;
+}
+
+function authenticate_user($username, $password, $authcfg = NULL, &$attributes = array()) {
+
+ if (!$authcfg) {
+ return local_backed($username, $password);
+ }
+
+ $authenticated = false;
+ switch ($authcfg['type']) {
+ case 'ldap':
+ if (ldap_backed($username, $password, $authcfg)) {
+ $authenticated = true;
+ }
+ break;
+ case 'radius':
+ if (radius_backed($username, $password, $authcfg, $attributes)) {
+ $authenticated = true;
+ }
+ break;
+ default:
+ /* lookup user object by name */
+ if (local_backed($username, $password)) {
+ $authenticated = true;
+ }
+ break;
+ }
+
+ return $authenticated;
+}
+
+function session_auth() {
+ global $config, $_SESSION, $page;
+
+ // Handle HTTPS httponly and secure flags
+ $currentCookieParams = session_get_cookie_params();
+ session_set_cookie_params(
+ $currentCookieParams["lifetime"],
+ $currentCookieParams["path"],
+ NULL,
+ ($config['system']['webgui']['protocol'] == "https"),
+ true
+ );
+
+ if (!session_id()) {
+ session_start();
+ }
+
+ // Detect protocol change
+ if (!isset($_POST['login']) && !empty($_SESSION['Logged_In']) && $_SESSION['protocol'] != $config['system']['webgui']['protocol']) {
+ return false;
+ }
+
+ /* Validate incoming login request */
+ $attributes = array();
+ if (isset($_POST['login']) && !empty($_POST['usernamefld']) && !empty($_POST['passwordfld'])) {
+ $authcfg = auth_get_authserver($config['system']['webgui']['authmode']);
+ if (authenticate_user($_POST['usernamefld'], $_POST['passwordfld'], $authcfg, $attributes) ||
+ authenticate_user($_POST['usernamefld'], $_POST['passwordfld'])) {
+ // Generate a new id to avoid session fixation
+ session_regenerate_id();
+ $_SESSION['Logged_In'] = "True";
+ $_SESSION['Username'] = $_POST['usernamefld'];
+ $_SESSION['user_radius_attributes'] = $attributes;
+ $_SESSION['last_access'] = time();
+ $_SESSION['protocol'] = $config['system']['webgui']['protocol'];
+ if (!isset($config['system']['webgui']['quietlogin'])) {
+ log_auth(sprintf(gettext("Successful login for user '%1\$s' from: %2\$s"), $_POST['usernamefld'], $_SERVER['REMOTE_ADDR']));
+ }
+ if (isset($_POST['postafterlogin'])) {
+ return true;
+ } else {
+ if (empty($page)) {
+ $page = "/";
+ }
+ header("Location: {$page}");
+ }
+ exit;
+ } else {
+ /* give the user an error message */
+ $_SESSION['Login_Error'] = "Username or Password incorrect";
+ log_auth("webConfigurator authentication error for '{$_POST['usernamefld']}' from {$_SERVER['REMOTE_ADDR']}");
+ if (isAjax()) {
+ echo "showajaxmessage('{$_SESSION['Login_Error']}');";
+ return;
+ }
+ }
+ }
+
+ /* Show login page if they aren't logged in */
+ if (empty($_SESSION['Logged_In'])) {
+ return false;
+ }
+
+ /* If session timeout isn't set, we don't mark sessions stale */
+ if (!isset($config['system']['webgui']['session_timeout'])) {
+ /* Default to 4 hour timeout if one is not set */
+ if ($_SESSION['last_access'] < (time() - 14400)) {
+ $_GET['logout'] = true;
+ $_SESSION['Logout'] = true;
+ } else {
+ $_SESSION['last_access'] = time();
+ }
+ } else if (intval($config['system']['webgui']['session_timeout']) == 0) {
+ /* only update if it wasn't ajax */
+ if (!isAjax()) {
+ $_SESSION['last_access'] = time();
+ }
+ } else {
+ /* Check for stale session */
+ if ($_SESSION['last_access'] < (time() - ($config['system']['webgui']['session_timeout'] * 60))) {
+ $_GET['logout'] = true;
+ $_SESSION['Logout'] = true;
+ } else {
+ /* only update if it wasn't ajax */
+ if (!isAjax()) {
+ $_SESSION['last_access'] = time();
+ }
+ }
+ }
+
+ /* user hit the logout button */
+ if (isset($_GET['logout'])) {
+
+ if ($_SESSION['Logout']) {
+ log_error(sprintf(gettext("Session timed out for user '%1\$s' from: %2\$s"), $_SESSION['Username'], $_SERVER['REMOTE_ADDR']));
+ } else {
+ log_error(sprintf(gettext("User logged out for user '%1\$s' from: %2\$s"), $_SESSION['Username'], $_SERVER['REMOTE_ADDR']));
+ }
+
+ /* wipe out $_SESSION */
+ $_SESSION = array();
+
+ if (isset($_COOKIE[session_name()])) {
+ setcookie(session_name(), '', time()-42000, '/');
+ }
+
+ /* and destroy it */
+ session_destroy();
+
+ $scriptName = explode("/", $_SERVER["SCRIPT_FILENAME"]);
+ $scriptElms = count($scriptName);
+ $scriptName = $scriptName[$scriptElms-1];
+
+ if (isAjax()) {
+ return false;
+ }
+
+ /* redirect to page the user is on, it'll prompt them to login again */
+ header("Location: {$scriptName}");
+
+ return false;
+ }
+
+ /*
+ * this is for debugging purpose if you do not want to use Ajax
+ * to submit a HTML form. It basically disables the observation
+ * of the submit event and hence does not trigger Ajax.
+ */
+ if ($_GET['disable_ajax']) {
+ $_SESSION['NO_AJAX'] = "True";
+ }
+
+ /*
+ * Same to re-enable Ajax.
+ */
+ if ($_GET['enable_ajax']) {
+ unset($_SESSION['NO_AJAX']);
+ }
+
+ return true;
+}
+
+?>
OpenPOWER on IntegriCloud