[geeklog-cvs] Auth_Enterprise/Server/providers AELDAPProvider.class.php,NONE,1.1
tony at iowaoutdoors.org
tony at iowaoutdoors.org
Thu Jun 24 18:02:58 EDT 2004
Update of /var/cvs/Auth_Enterprise/Server/providers
In directory www:/tmp/cvs-serv4480
Added Files:
AELDAPProvider.class.php
Log Message:
This adds basic LDAP authentication support to Auth_Enterprise. This file assumes that all privilege/group management (i.e. authorization data) is done via PEAR::DB; only authentication and password changes go over LDAP. NOTE: the password change code hasn't been added yet. Also, this implementation delegates password aging, password strength, etc. to the database.
--- NEW FILE: AELDAPProvider.class.php ---
<?php
/**
* Auth_Enterprise
*
* This source file is subject to version 2.02 of the PHP license, that is bundled with this package
* in the file LICENSE, and is available at through the world-wide-web at
* http://www.php.net/license/2_02.txt. If you did not receive a copy of the PHP license and are
* unable to obtain it through the world-wide-web, please send a note to license at php.net so we can
* mail you a copy immediately.
*
* @author Ozzyie Chen <ozzyie at doit.wisc.edu>
* @author Tony Bibbs <tony at geeklog.net>
* @copyright 2004
* @version $Id: AELDAPProvider.class.php,v 1.1 2004/06/24 22:02:55 tony Exp $
*
*/
/**
* Bring in the base Auth_Enterprise provider
*/
require_once 'Auth_Enterprise/Server/providers/AEBasePearDBProvider.class.php';
/**
* The Auth_Enterprise server configuration file
*/
require_once 'Auth_Enterprise/Server/AEServerConfig.php';
/**
* Auth_Enterprise LDAP provider
*
* This extends the base PEAR::DB server provider and overrides authenticate() to verify
* credentials against the LDAP datasource. createAccount() and the change-password
* methods are meant to follow the same pattern but are not implemented in this revision.
*
* @author Ozzyie Chen <ozzyie at doit.wisc.edu>
* @author Tony Bibbs <tony at geeklog.net>
* @package net.geeklog.auth_enterprise.server
*
*/
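class AELDAPProvider extends AEBasePearDBProvider {
    /**
     * Handle to an LDAP connection (resource, or LDAP\Connection on PHP 8.1+)
     */
    protected $ldapConn = null;

    /**
     * Application ID this provider was constructed for.
     *
     * Stored on this class under its own name because the parent's storage of
     * the app ID is not visible from this file; authenticate() copies it onto
     * the returned user object (the original referenced an undefined $appId
     * there).
     */
    protected $ldapAppId = null;

    /**
     * Sets app ID and establishes the LDAP connection
     *
     * Reads ldapHost, ldapPort and ldapProtocolVersion from
     * $gConf[AE_PROVIDER_LDAP]. No bind is performed here; credentials are
     * only sent to the server by doBind().
     *
     * NOTE(review): nothing here negotiates TLS. Unless ldapHost is an
     * ldaps:// URI (or ldap_start_tls() is added after connecting), the user
     * passwords sent by authenticate() cross the network in the clear.
     *
     * @author Ozzyie Chen <ozzyie at doit.wisc.edu>
     * @param string $appId Application ID
     * @throws AEUnableToConnect if no LDAP handle could be created
     */
    public function __construct($appId)
    {
        global $gConf;

        // Call constructor on parent first
        parent::__construct($appId);
        $this->ldapAppId = $appId;

        $ldapConf = $gConf[AE_PROVIDER_LDAP];

        // ldap_connect() only prepares the handle; a server that is down is
        // usually reported at bind time, not here.
        $this->ldapConn = ldap_connect($ldapConf['ldapHost'], $ldapConf['ldapPort']);
        if (!$this->ldapConn) {
            throw new AEUnableToConnect('Unable to connect to LDAP server');
        }

        // Set LDAP protocol version (v3 is what current servers expect)
        ldap_set_option($this->ldapConn, LDAP_OPT_PROTOCOL_VERSION, $ldapConf['ldapProtocolVersion']);
    }

    /**
     * Binds to the LDAP server with a specific set of credentials
     *
     * When $userPassword is null or '' this performs an anonymous /
     * unauthenticated bind on $dn. Most servers accept such a bind
     * (RFC 4513 section 5.1.2), so this path must never be used to verify
     * user credentials -- authenticate() rejects empty passwords before
     * calling here. Only null and '' count as "no password"; the previous
     * empty() check also treated the password "0" as absent.
     *
     * @author Tony Bibbs <tony at geeklog.net>
     * @access protected
     * @param string $dn DN to bind as
     * @param string $userPassword Password to bind with (null or '' for an anonymous bind)
     * @throws AELDAPBindError if the server refuses the bind
     */
    protected function doBind($dn, $userPassword)
    {
        if ($userPassword === null || $userPassword === '') {
            $bound = ldap_bind($this->ldapConn, $dn);
        } else {
            $bound = ldap_bind($this->ldapConn, $dn, $userPassword);
        }
        if (!$bound) {
            throw new AELDAPBindError('LDAP bind failed');
        }
    }

    /**
     * Authenticates user against an LDAP repository
     *
     * The bind DN is built as cn=<user>,ou=people,<ldapDC>. The username is
     * DN-escaped (ldap_escape(), PHP >= 5.6) so that characters such as ','
     * or '+' in the submitted name cannot rewrite the DN and bind as some
     * other entry. Lock state, password expiry, groups and privileges still
     * come from the PEAR::DB tables; user_password is selected but never
     * compared, because LDAP is what verifies the password.
     *
     * $this->isAuthenticated is only set once every check has passed, so a
     * locked/expired account or a missing DB row cannot leave the provider
     * flagged as authenticated.
     *
     * @author Ozzyie Chen <ozzyie at doit.wisc.edu>
     * @param string $userName User to authenticate
     * @param string $password Password to authenticate with
     * @return object user object with app ID, groups and privileges set
     * @throws AEInvalidUserCredentials empty username/password, or bind refused
     * @throws AESQLException on a database error
     * @throws AEAccountLocked
     * @throws AEPasswordExpired
     * @throws AEUnknownException if LDAP accepts the user but the DB has no row for it
     */
    public function authenticate($userName, $password)
    {
        global $gConf;

        $this->isAuthenticated = false;

        // An empty password would turn the bind below into an anonymous bind,
        // which most LDAP servers accept -- i.e. anyone could log in as any
        // user. Refuse it before touching the server.
        if ($userName === null || $userName === '' || $password === null || $password === '') {
            throw new AEInvalidUserCredentials('Username and password are required');
        }

        $userDn = sprintf('cn=%s,ou=people,%s',
            ldap_escape($userName, '', LDAP_ESCAPE_DN),
            $gConf[AE_PROVIDER_LDAP]['ldapDC']);
        try {
            $this->doBind($userDn, $password);
        } catch (AELDAPBindError $e) {
            throw new AEInvalidUserCredentials($e->getMessage());
        }

        // OK, authentication worked, get data for the user
        $prepStmt = $this->db->prepare('SELECT user_name,user_password,user_account_locked,
            user_failed_attempts,user_pwd_last_set FROM ae_user
            WHERE user_name = ?');
        $result = $this->db->execute($prepStmt, array($userName));
        if (DB::isError($result)) {
            throw new AESQLException($result->toString());
        }
        if ($result->numRows() < 1) {
            // LDAP knows the user but the authorization DB does not
            throw new AEUnknownException('LDAP authenticated fine but the user is not in the database');
        }

        $user = $this->mapResultToUserObject($result);

        // Lock and expiry state are tracked in the DB rather than in LDAP
        if ($user->getAccountLocked()) {
            throw new AEAccountLocked();
        }
        if ($user->isPasswordExpired()) {
            throw new AEPasswordExpired();
        }

        $user->setAppId($this->ldapAppId);
        // Groups and privileges are sent back in the user object
        $user->setGroups($this->getGroups($user->getUserName()));
        $user->setPrivileges($this->getPrivileges($user->getUserName()));

        $this->isAuthenticated = true;
        return $user;
    }
}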
?>