auth.php

来自「sabreipb 2.1.6 utf-8中文版本!」· PHP 代码 · 共 286 行

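<?php

/*
+---------------------------------------------------------------------------
|   Invision Power Dynamic v1.0.0
|   ========================================
|   by Matthew Mecham
|   (c) 2004 Invision Power Services
|   
|   ========================================
+---------------------------------------------------------------------------
|   INVISION POWER DYNAMIC IS NOT FREE SOFTWARE!
|   /dynamic/
+---------------------------------------------------------------------------
|
|   > LOG IN MODULE: LDAP (ACTIVE DIRECTORY)
|   > Script written by Matt Mecham
|   > Date started: 12:25 Fri. 4th February 2005 (AD)
|
+---------------------------------------------------------------------------
| NOTES:
| This module is part of the authentication suite of modules. It's designed
| to enable different types of authentication.
|
| RETURN CODES
| 'ERROR': Error, check array: $class->auth_errors
| 'NO_USER': No user found in LOCAL record set but auth passed in REMOTE dir
| 'WRONG_AUTH': Wrong password or username
| 'SUCCESS': Success, user and password matched
|
+---------------------------------------------------------------------------
| EXAMPLE USAGE
|
| $class = new login_method();
| $class->is_admin_auth = 0; // Boolean (0,1) Use different queries if desired
|							 // if logging into CP.
| $class->allow_create = 0;
| // $allow_create. Boolean flag (0,1) to tell the module whether its allowed
| // to create a member in the IPS product's database if the user passed authentication
| // but don't exist in the IPS product's database. Optional.
|
| $return_code = $class->authenticate( $username, $plain_text_password );
|
| if ( $return_code == 'SUCCESS' )
| {
|     print $class->member['member_name'];
| }
| else
| {
| 	  print "NO USER";
| }
+---------------------------------------------------------------------------
*/

/**
 * LDAP / Active Directory login method.
 *
 * Looks the user up in the directory, then proves the password by binding as
 * the entry that was found. The local member row is loaded (or created) only
 * after that bind succeeds.
 *
 * Security notes for maintainers:
 *  - Nothing in this class requests TLS. Unless the configured 'ldap_server'
 *    value is an ldaps:// URI, the service-account bind and every user
 *    password cross the network unencrypted.
 *  - The user-supplied name is escaped before it is placed in the search
 *    filter (see _ldap_escape_filter()).
 *  - An empty password is refused before it can reach ldap_bind() whenever
 *    'ldap_user_requires_pass' is enabled.
 *
 * $this->login_conf, $this->ipsclass, $this->allow_create, $this->member,
 * $this->auth_errors, $this->return_code and create_local_member() are not
 * declared in this file; presumably they come from login_core or the caller.
 */
class login_method extends login_core
{
	# Work
	// LDAP link returned by ldap_connect()
	var $connection_id;
	// First entry returned by the user search
	var $result;
	// Result of the initial (service account or anonymous) bind
	var $bind_id;
	// Attributes of the matched entry
	var $fields;
	// Distinguished name of the matched entry, used for the password bind
	var $dn;

	/*-------------------------------------------------------------------------*/
	// Constructor
	/*-------------------------------------------------------------------------*/

	/**
	 * PHP 4 style constructor, intentionally empty.
	 */
	function login_method()
	{
	}

	/*-------------------------------------------------------------------------*/
	// Authentication
	/*-------------------------------------------------------------------------*/

	/**
	 * Authenticate a user against the configured LDAP server.
	 *
	 * @param	string	$username	Name as typed by the user (the configured suffix is appended)
	 * @param	string	$password	Password as received from the input layer
	 * @return	mixed	FALSE when the directory could not be reached or bound
	 *					(details in $this->auth_errors), otherwise $this->return_code
	 */
	function authenticate( $username, $password )
	{
		$this->auth_errors = array();

		// Fail closed: every path that does not positively authenticate the
		// user ends with WRONG_AUTH instead of whatever a previous call left
		// behind in return_code.
		$this->return_code = 'WRONG_AUTH';

		//-----------------------------------------
		// Get LDAP connection
		//-----------------------------------------

		$this->_ldap_connect();

		//-----------------------------------------
		// OK?
		//-----------------------------------------

		if ( count($this->auth_errors) )
		{
			// The file header documents 'ERROR' for this case. FALSE is still
			// returned because the callers are outside this file.
			$this->return_code = 'ERROR';
			$this->_ldap_disconnect();

			return FALSE;
		}

		// IPB replaces these characters, however they
		// may be allowed by the LDAP server as a
		// requirement for passwords.  Let's send the
		// actual raw password

		// Tested succesfully ticket 254173
		$password         = html_entity_decode($password, ENT_QUOTES);
		$html_entities    = array("&#33;", "&#036;", "&#092;");
		$replacement_char = array("!", "$", "\\");
		$password         = str_replace($html_entities, $replacement_char, $password);

		// Many directory servers treat a bind that carries a DN and an empty
		// password as an unauthenticated bind and report success. When a
		// password is required, an empty one must never reach ldap_bind().
		if ( $this->login_conf['ldap_user_requires_pass'] AND (string) $password === '' )
		{
			$this->_ldap_disconnect();

			return $this->return_code;
		}

		//-----------------------------------------
		// Add suffix
		//-----------------------------------------

		if ( $this->login_conf['ldap_username_suffix'] )
		{
			$real_username = $username.$this->login_conf['ldap_username_suffix'];
		}
		else
		{
			$real_username = $username;
		}

		//-----------------------------------------
		// Throw search to bind
		//-----------------------------------------

		// The name is escaped so it is matched as a literal attribute value
		// and cannot change the structure of the search filter.
		$filter = $this->login_conf['ldap_uid_field'] . '=' . $this->_ldap_escape_filter( $real_username );

		$search = @ldap_search( $this->connection_id,
								$this->login_conf['ldap_base_dn'],
								$filter,
								array( $this->login_conf['ldap_uid_field'] )
							  );

		// The debug dump that followed the search in the listing
		// (print_r() of a variable that is never assigned) is not reproduced:
		// an authentication routine should not write to the response.

		if ( ! $search )
		{
			$this->_ldap_disconnect();

			return $this->return_code;
		}

		$this->result = @ldap_first_entry( $this->connection_id, $search);

		if ( ! $this->result )
		{
			// Close the link and hand back the code; the listing returned
			// nothing here and left the connection open.
			$this->_ldap_disconnect();

			return $this->return_code;
		}

		$this->fields = @ldap_get_attributes( $this->connection_id, $this->result );

		$this->dn     = @ldap_get_dn( $this->connection_id, $this->result );

		//-----------------------------------------
		// Got something?
		//-----------------------------------------

		// ldap_get_attributes() includes a 'count' element, so more than one
		// element means at least one attribute came back. A missing DN is
		// rejected as well: binding without a DN would not test this user.
		if ( is_array( $this->fields ) AND count( $this->fields ) > 1 AND $this->dn )
		{
			if ( ! $this->login_conf['ldap_user_requires_pass'] )
			{
				// NOTE(review): with this option off the bind is made with an
				// empty password, so on servers that accept such binds it
				// proves nothing about the caller. Confirm the option is
				// still needed before enabling it anywhere.
				$real_password = "";
			}
			else
			{
				$real_password = $password;
			}

			//-----------------------------------------
			// Test bind
			//-----------------------------------------

			if ( @ldap_bind( $this->connection_id, $this->dn, $real_password) )
			{
				$this->_load_member( $username );

				if ( $this->member['id'] )
				{
					$this->return_code = 'SUCCESS';
				}
				else
				{
					//-----------------------------------------
					// Got no member - but auth passed - create?
					//-----------------------------------------

					if ( $this->allow_create )
					{
						// Defined outside this file; presumably it sets
						// return_code itself - TODO confirm.
						$this->create_local_member( $username, $password );
					}
					else
					{
						$this->return_code = 'NO_USER';
					}
				}
			}
			else
			{
				$this->return_code = 'WRONG_AUTH';
			}
		}

		$this->_ldap_disconnect();

		return $this->return_code;
	}

	/*-------------------------------------------------------------------------*/
	// Escape a value for use in an LDAP search filter
	/*-------------------------------------------------------------------------*/

	/**
	 * Escape the characters that are special inside an LDAP search filter
	 * (RFC 4515). Written with str_replace() so it runs on the same PHP
	 * versions as the rest of this file.
	 *
	 * @param	string	$value	Raw attribute value
	 * @return	string	Value safe to place after "attribute=" in a filter
	 */
	function _ldap_escape_filter( $value )
	{
		// The backslash comes first so the escapes added for the other
		// characters are not escaped a second time.
		return str_replace(
			array( '\\',   '*',    '(',    ')',    "\x00" ),
			array( '\\5c', '\\2a', '\\28', '\\29', '\\00' ),
			(string) $value
		);
	}

	/*-------------------------------------------------------------------------*/
	// Load member from DB
	/*-------------------------------------------------------------------------*/

	/**
	 * Load the local member row for a lower-cased username into $this->member
	 * through the cached query 'login_getmember'.
	 *
	 * @param	string	$username	Name as typed by the user
	 * @return	void
	 */
	function _load_member( $username )
	{
		// NOTE(review): quoting of 'username' happens inside the DB layer's
		// cached query, which is not visible here - confirm.
		$this->ipsclass->DB->cache_add_query( 'login_getmember', array( 'username' => strtolower($username) ) );
		$this->ipsclass->DB->cache_exec_query();

		$this->member = $this->ipsclass->DB->fetch_row();
	}

	/*-------------------------------------------------------------------------*/
	// Get LDAP connection
	/*-------------------------------------------------------------------------*/

	/**
	 * Open the LDAP link and perform the initial bind.
	 *
	 * Failures are reported by appending a message to $this->auth_errors;
	 * nothing is returned.
	 *
	 * @return	void
	 */
	function _ldap_connect()
	{
		//-----------------------------------------
		// LDAP compiled in PHP?
		//-----------------------------------------

		if ( ! extension_loaded('ldap') )
		{
			$this->auth_errors[] = 'LDAP extension not available';
			return;
		}

		//-----------------------------------------
		// Get connection
		//-----------------------------------------

		// NOTE(review): no TLS is negotiated anywhere in this class. Use an
		// ldaps:// server value (or add StartTLS) so bind credentials are not
		// sent in clear text.
		if ( $this->login_conf['ldap_port'] )
		{
			$this->connection_id = ldap_connect( $this->login_conf['ldap_server'], $this->login_conf['ldap_port'] );
		}
		else
		{
			$this->connection_id = ldap_connect( $this->login_conf['ldap_server'] );
		}

		if ( ! $this->connection_id  )
		{
			$this->auth_errors[] = 'LDAP could not connect';
			return;
		}

		//-----------------------------------------
		// Server version
		//-----------------------------------------

		// NOTE(review): protocol version 3 is requested only when a port is
		// configured. That condition looks unrelated to the protocol version;
		// confirm whether it was meant to test a different setting.
		if ( $this->login_conf['ldap_port'] )
		{
			ldap_set_option($this->connection_id, LDAP_OPT_PROTOCOL_VERSION, 3);
		}

		//-----------------------------------------
		// Bind
		//-----------------------------------------

		if ( $this->login_conf['ldap_server_username'] AND $this->login_conf['ldap_server_password'] )
		{
			$this->bind_id = ldap_bind( $this->connection_id, $this->login_conf['ldap_server_username'], $this->login_conf['ldap_server_password'] );
		}
		else
		{
			# Anonymous bind

			$this->bind_id = ldap_bind( $this->connection_id );
		}

		if ( ! $this->bind_id )
		{
			$this->auth_errors[] = 'LDAP could not bind to the server';
			return;
		}
	}

	/*-------------------------------------------------------------------------*/
	// LDAP disconnection
	/*-------------------------------------------------------------------------*/

	/**
	 * Close the LDAP link if one is open. Safe to call more than once.
	 *
	 * @return	void
	 */
	function _ldap_disconnect()
	{
		// Skip the call when no link was ever opened (for example when the
		// extension is missing) and forget the handle once it is closed.
		if ( $this->connection_id )
		{
			@ldap_close( $this->connection_id );
			$this->connection_id = null;
		}
	}
}

?>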
