ldapbaseauthenticationprovider.inc.php.svn-base
来自「PHP 知识管理系统(基于树结构的知识管理系统), 英文原版的PHP源码。」· SVN-BASE 代码 · 共 1,049 行 · 第 1/3 页
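// NOTE(review): this listing begins part-way through a method. The statements down to the
// first "// }}}" marker are the tail of that method, reproduced unchanged.
            $this->errorRedirectToMain(_kt("failed to create user") . ": " . $oUser->message);
            exit(0);
        }

        $this->successRedirectToMain(_kt('Created new user') . ': ' . $oUser->getUsername());
        exit(0);
    }

    // }}}

    // {{{ _do_massCreateUsers
    /**
     * Create one local user per directory entry selected in the request.
     *
     * Reads the selected ids from $_REQUEST['id'] (each id is used as the entry's DN)
     * and the authentication source from $_REQUEST['source_id'], looks every entry up
     * through the authenticator and creates a matching User bound to that source.
     * Redirects to the main page with the list of names that were actually created.
     */
    function _do_massCreateUsers() {
        $aIds = KTUtil::arrayGet($_REQUEST, 'id');
        // The ids come straight from the request: a missing or scalar value must not
        // reach foreach as a non-array.
        if (empty($aIds)) {
            $aIds = array();
        } elseif (!is_array($aIds)) {
            $aIds = array($aIds);
        }

        $oSource =& KTAuthenticationSource::get($_REQUEST['source_id']);
        $oAuthenticator = $this->getAuthenticator($oSource);

        $aNames = array();
        foreach ($aIds as $sId) {
            $aResults = $oAuthenticator->getUser($sId);
            // A failed or empty lookup must not be turned into an account.
            if (PEAR::isError($aResults) || empty($aResults)) {
                continue;
            }

            $dn = $sId;
            $sUserName = $aResults[$this->aAttributes[1]];
            // With LDAP, if the 'uid' is null then try using the 'givenname' instead.
            // See activedirectoryauthenticationprovider.inc.php and ldapauthenticationprovider.inc.php for details.
            if ($this->sAuthenticatorClass == "KTLDAPAuthenticator" && empty($sUserName)) {
                $sUserName = strtolower($aResults[$this->aAttributes[2]]);
            }
            // Never create an account that has no username at all.
            if ($sUserName === null || $sUserName === '') {
                continue;
            }

            $sName = $aResults[$this->aAttributes[0]];
            $sEmailAddress = $aResults[$this->aAttributes[4]];

            // If the user already exists append some text so the admin can see the duplicates.
            while (!PEAR::isError(User::getByUserName($sUserName))) {
                $sUserName = $sUserName . "_DUPLICATE";
            }

            // NOTE(review): the local password is stored empty; presumably these accounts
            // can only log in through the authentication source - confirm that the local
            // password check cannot accept an empty password for them.
            $oUser = User::createFromArray(array(
                "Username" => $sUserName,
                "Name" => $sName,
                "Email" => $sEmailAddress,
                "EmailNotification" => true,
                "SmsNotification" => false,   // FIXME do we auto-act if the user has a mobile?
                "MaxSessions" => 3,
                "authenticationsourceid" => $oSource->getId(),
                "authenticationdetails" => $dn,
                "authenticationdetails2" => $sUserName,
                "password" => "",
            ));
            // Only report users that were really created.
            if (PEAR::isError($oUser) || ($oUser == false)) {
                continue;
            }
            $aNames[] = $sName;
        }

        if (empty($aNames)) {
            $this->errorRedirectToMain(_kt("failed to create user"));
            exit(0);
        }
        $this->successRedirectToMain(_kt("Added users") . ": " . join(', ', $aNames));
    }

    // }}}

    // {{{ do_addUserFromSource
    /**
     * Search the directory for users and render the "add user" search page.
     *
     * Dispatches to the mass-create, edit or create step when the matching submit
     * button was used. Otherwise it runs the search (when a name was given or mass
     * import is on), drops entries whose DN is already stored in the users table and
     * renders the ldapsearchuser template.
     *
     * @return mixed rendered template, or the result of the step dispatched to
     */
    function do_addUserFromSource() {
        $submit = KTUtil::arrayGet($_REQUEST, 'submit');
        if (!is_array($submit)) {
            $submit = array();
        }

        // Check if its a mass import
        $massimport = KTUtil::arrayGet($_REQUEST, 'massimport');
        $isMassImport = ($massimport == 'on');

        if (KTUtil::arrayGet($submit, 'chosen')) {
            $id = KTUtil::arrayGet($_REQUEST, 'id');
            if (!empty($id)) {
                if ($isMassImport) {
                    return $this->_do_massCreateUsers();
                }
                return $this->_do_editUserFromSource();
            }
            $this->oPage->addError(_kt("No valid LDAP user chosen"));
        }
        if (KTUtil::arrayGet($submit, 'create')) {
            return $this->_do_createUserFromSource();
        }

        $oSource =& KTAuthenticationSource::get($_REQUEST['source_id']);
        $oTemplate = $this->oValidator->validateTemplate('ktstandard/authentication/ldapsearchuser');

        $fields = array();
        $fields[] = new KTStringWidget(_kt("User's name"), _kt("The user's name, or part thereof, to find the user that you wish to add"), 'ldap_name', '', $this->oPage, true);
        $fields[] = new KTCheckboxWidget(_kt("Mass import"),
            _kt("Allow for multiple users to be selected to be added (will not get to manually verify the details if selected)").'.<br>'.
            _kt('The list may be long and take some time to load if the search is not filtered and there are a number of users in the system.'),
            'massimport', $isMassImport, $this->oPage, true);

        $oAuthenticator = $this->getAuthenticator($oSource);
        $name = KTUtil::arrayGet($_REQUEST, 'ldap_name');

        // NOTE(review): $sIdentifierField is never assigned in the visible code, so the
        // search and the template receive null here. Made explicit; the intended
        // attribute name needs to be confirmed.
        $sIdentifierField = null;
        $aSearchResults = null;

        if (!empty($name) || $isMassImport) {
            // NOTE(review): $name is request input that ends up in a directory search;
            // presumably searchUsers() escapes LDAP filter metacharacters - verify there.
            $aSearchResults = $oAuthenticator->searchUsers($name, array('cn', 'dn', $sIdentifierField));
            if (PEAR::isError($aSearchResults)) {
                $this->oPage->addError($aSearchResults->getMessage());
                $aSearchResults = null;
            }

            if (is_array($aSearchResults)) {
                $aSearchDNs = array();
                foreach (array_keys($aSearchResults) as $k) {
                    if (is_array($aSearchResults[$k]['cn'])) {
                        $aSearchResults[$k]['cn'] = $aSearchResults[$k]['cn'][0];
                    }
                    $aSearchDNs[$k] = (string) $aSearchResults[$k]['dn'];
                }

                // An empty IN () list is not valid SQL, so only query when there are DNs.
                if (!empty($aSearchDNs)) {
                    // DNs come from the directory and may contain quotes, so they are bound
                    // as parameters (DBUtil's array(query, params) form) and never
                    // concatenated into the statement.
                    $sPlaceholders = implode(',', array_fill(0, count($aSearchDNs), '?'));
                    $query = "SELECT id, authentication_details_s1 AS dn FROM users WHERE authentication_details_s1 IN ($sPlaceholders)";
                    $aCurUsers = DBUtil::getResultArray(array($query, array_values($aSearchDNs)));

                    // If the user has already been added, then remove from the list
                    if (!PEAR::isError($aCurUsers) && !empty($aCurUsers)) {
                        foreach ($aCurUsers as $item) {
                            $key = array_search((string) $item['dn'], $aSearchDNs, true);
                            // A miss returns false, which as an array key would remove entry 0.
                            if ($key === false) {
                                continue;
                            }
                            unset($aSearchResults[$key]);
                        }
                    }
                }
            }
        }

        $aTemplateData = array(
            'context' => &$this,
            'fields' => $fields,
            'source' => $oSource,
            'search_results' => $aSearchResults,
            'identifier_field' => $sIdentifierField,
            'massimport' => $massimport,
        );
        return $oTemplate->render($aTemplateData);
    }

    // }}}

    // {{{ do_addGroupFromSource
    /**
     * Search the directory for groups and render the "add group" search page.
     *
     * Dispatches to the edit or create step when the matching submit button was used;
     * otherwise searches for $_REQUEST['name'] (when given) and renders the
     * ldapsearchgroup template.
     *
     * @return mixed rendered template, or the result of the step dispatched to
     */
    function do_addGroupFromSource() {
        $submit = KTUtil::arrayGet($_REQUEST, 'submit');
        if (!is_array($submit)) {
            $submit = array();
        }

        if (KTUtil::arrayGet($submit, 'chosen')) {
            $id = KTUtil::arrayGet($_REQUEST, 'id');
            if (!empty($id)) {
                return $this->_do_editGroupFromSource();
            }
            $this->oPage->addError(_kt("No valid LDAP group chosen"));
        }
        if (KTUtil::arrayGet($submit, 'create')) {
            return $this->_do_createGroupFromSource();
        }

        $oSource =& KTAuthenticationSource::get($_REQUEST['source_id']);
        $oTemplate = $this->oValidator->validateTemplate('ktstandard/authentication/ldapsearchgroup');

        $fields = array();
        $fields[] = new KTStringWidget(_kt("Group's name"), _kt("The group's name, or part thereof, to find the group that you wish to add"), 'name', '', $this->oPage, true);

        // Stays null when no search was requested (the template received an undefined
        // variable in that case before).
        $aSearchResults = null;
        $name = KTUtil::arrayGet($_REQUEST, 'name');
        if (!empty($name)) {
            $oAuthenticator = $this->getAuthenticator($oSource);
            $aSearchResults = $oAuthenticator->searchGroups($name);
            if (PEAR::isError($aSearchResults)) {
                $this->addErrorMessage($aSearchResults->getMessage());
                $aSearchResults = array();
            }
        }

        $aTemplateData = array(
            'context' => &$this,
            'fields' => $fields,
            'source' => $oSource,
            'search_results' => $aSearchResults,
            'identifier_field' => 'displayName',
        );
        return $oTemplate->render($aTemplateData);
    }

    // }}}

    // {{{ _do_editGroupFromSource
    /**
     * Render the form that confirms the details of a directory group before it is added.
     *
     * Looks up the group named by $_REQUEST['id'] through the authenticator and offers
     * the group name plus the unit/system administrator flags for editing.
     *
     * @return mixed rendered ldapaddgroup template
     */
    function _do_editGroupFromSource() {
        $oTemplate = $this->oValidator->validateTemplate('ktstandard/authentication/ldapaddgroup');
        $oSource =& KTAuthenticationSource::get($_REQUEST['source_id']);
        $id = KTUtil::arrayGet($_REQUEST, 'id');

        // The original unserialize()d the source config into a variable that was never
        // read; the call is dropped so no needless unserialize() runs on stored data.
        $oAuthenticator = $this->getAuthenticator($oSource);
        $aAttributes = $oAuthenticator->getGroup($id);
        // $id is request input: stop if the directory lookup failed instead of indexing
        // into an error object.
        if (PEAR::isError($aAttributes) || empty($aAttributes)) {
            $this->errorRedirectToMain(_kt("No valid LDAP group chosen"));
            exit(0);
        }

        $fields = array();
        $fields[] = new KTStaticTextWidget(_kt('LDAP DN'), _kt('The location of the group within the LDAP directory.'), 'dn', $aAttributes['dn'], $this->oPage);
        $fields[] = new KTStringWidget(_kt('Group Name'), sprintf(_kt('The name the group will enter to gain access to %s. e.g. <strong>accountants</strong>'), APP_NAME), 'ldap_groupname', $aAttributes['cn'], $this->oPage, true);
        $fields[] = new KTCheckboxWidget(_kt('Unit Administrators'), _kt('Should all the members of this group be given <strong>unit</strong> administration privileges?'), 'is_unitadmin', false, $this->oPage, false);
        $fields[] = new KTCheckboxWidget(_kt('System Administrators'), _kt('Should all the members of this group be given <strong>system</strong> administration privileges?'), 'is_sysadmin', false, $this->oPage, false);

        $aTemplateData = array(
            'context' => &$this,
            'fields' => $fields,
            'source' => $oSource,
            // No search runs in this step; the original passed an undefined variable here.
            'search_results' => null,
            'dn' => $aAttributes['dn'],
        );
        return $oTemplate->render($aTemplateData);
    }

    // }}}

    // {{{ _do_createGroupFromSource
    /**
     * Create a local group bound to a directory group and synchronise its members.
     *
     * Reads dn, ldap_groupname, is_unitadmin and is_sysadmin from the request, creates
     * the Group, asks the authenticator to synchronise it and redirects to the main page.
     */
    function _do_createGroupFromSource() {
        $oSource =& KTAuthenticationSource::get($_REQUEST['source_id']);
        $dn = KTUtil::arrayGet($_REQUEST, 'dn');
        $name = KTUtil::arrayGet($_REQUEST, 'ldap_groupname');
        if (empty($name)) {
            $this->errorRedirectToMain(_kt('You must specify a name for the group.'));
            // Stop here like every other error path in this class, so a nameless group
            // can never be created if the redirect helper returns.
            exit(0);
        }

        // NOTE(review): both flags and the DN are taken from the request as-is, and
        // is_sysadmin grants system administration to every member of the directory
        // group. The access check for this action is outside this listing - confirm it
        // is restricted to system administrators and protected against forged requests.
        $is_unitadmin = KTUtil::arrayGet($_REQUEST, 'is_unitadmin', false);
        $is_sysadmin = KTUtil::arrayGet($_REQUEST, 'is_sysadmin', false);

        $oGroup =& Group::createFromArray(array(
            "name" => $name,
            "isunitadmin" => $is_unitadmin,
            "issysadmin" => $is_sysadmin,
            "authenticationdetails" => $dn,
            "authenticationsourceid" => $oSource->getId(),
        ));

        if (PEAR::isError($oGroup) || ($oGroup == false)) {
            $this->errorRedirectToMain(_kt("failed to create group."));
            exit(0);
        }

        $oAuthenticator = $this->getAuthenticator($oSource);
        $oAuthenticator->synchroniseGroup($oGroup);

        $this->successRedirectToMain(_kt('Created new group') . ': ' . $oGroup->getName());
        exit(0);
    }

    // }}}

    // {{{ autoSignup
    /**
     * Create a local account for a directory user on first login.
     *
     * The credentials are checked with checkSignupPassword(); only when that yields a
     * non-empty DN string is the entry looked up and a User created from it. Group
     * creation is then delegated to _createSignupGroups().
     *
     * @param string $sUsername username presented at login
     * @param string $sPassword password presented at login
     * @param mixed  $aExtra    not used by this implementation
     * @param object $oSource   authentication source to sign up against
     * @return mixed the new User, or nothing when sign-up is refused or fails
     */
    function autoSignup($sUsername, $sPassword, $aExtra, $oSource) {
        $oAuthenticator =& $this->getAuthenticator($oSource);
        $dn = $oAuthenticator->checkSignupPassword($sUsername, $sPassword);
        // Anything but a non-empty DN string means the credentials were not accepted.
        if (PEAR::isError($dn) || !is_string($dn) || empty($dn)) {
            return;
        }

        $aResults = $oAuthenticator->getUser($dn);
        if (PEAR::isError($aResults) || empty($aResults)) {
            return;
        }

        $sUserName = $aResults[$this->aAttributes[1]];
        // Do not create an account without a username.
        if ($sUserName === null || $sUserName === '') {
            return;
        }
        $sName = $aResults[$this->aAttributes[0]];
        $sEmailAddress = $aResults[$this->aAttributes[4]];

        // NOTE(review): the local password is stored empty; presumably these accounts can
        // only log in through the authentication source - confirm.
        $oUser = User::createFromArray(array(
            "Username" => $sUserName,
            "Name" => $sName,
            "Email" => $sEmailAddress,
            "EmailNotification" => true,
            "SmsNotification" => false,   // FIXME do we auto-act if the user has a mobile?
            "MaxSessions" => 3,
            "authenticationsourceid" => $oSource->getId(),
            "authenticationdetails" => $dn,
            "authenticationdetails2" => $sUserName,
            "password" => "",
        ));

        if (PEAR::isError($oUser) || !is_a($oUser, 'User')) {
            return;
        }

        $this->_createSignupGroups($dn, $oSource);
        return $oUser;
    }

    /**
     * Create (where missing) and synchronise the local groups for a user's directory groups.
     *
     * Does nothing when the ldapAuthentication/autoGroupCreation setting is off or when
     * the authenticator reports no groups for the DN.
     *
     * @param string $dn      DN of the user that just signed up
     * @param object $oSource authentication source the user belongs to
     */
    function _createSignupGroups($dn, $oSource) {
        $config = KTConfig::getSingleton();
        $createGroups = $config->get('ldapAuthentication/autoGroupCreation', true);
        if (!$createGroups) {
            return;
        }

        $oAuthenticator =& $this->getAuthenticator($oSource);
        $aGroupDNs = $oAuthenticator->getGroups($dn);
        if (PEAR::isError($aGroupDNs) || empty($aGroupDNs)) {
            return;
        }

        foreach ($aGroupDNs as $sGroupDN) {
            $oGroup = Group::getByAuthenticationSourceAndDetails($oSource, $sGroupDN);
            if (PEAR::isError($oGroup)) {
                $oGroup = $this->_createGroup($sGroupDN, $oSource);
                // Creation can fail with an error object or a false value; skip both.
                if (PEAR::isError($oGroup) || ($oGroup == false)) {
                    continue;
                }
            }
            $oAuthenticator->synchroniseGroup($oGroup);
        }
    }

    /**
     * Create a local group for a directory group, without any administrator flags.
     *
     * @param string $dn      DN of the directory group
     * @param object $oSource authentication source the group belongs to
     * @return mixed the new Group, or the error returned by the lookup or the creation
     */
    function _createGroup($dn, $oSource) {
        $oAuthenticator =& $this->getAuthenticator($oSource);
        $aGroupDetails = $oAuthenticator->getGroup($dn);
        // Hand a failed lookup back to the caller, which already skips error results.
        if (PEAR::isError($aGroupDetails)) {
            return $aGroupDetails;
        }
        $name = $aGroupDetails['cn'];

        // Auto-created groups never receive unit or system administration rights.
        $oGroup =& Group::createFromArray(array(
            "name" => $name,
            "isunitadmin" => false,
            "issysadmin" => false,
            "authenticationdetails" => $dn,
            "authenticationsourceid" => $oSource->getId(),
        ));
        return $oGroup;
    }
}

class KTLDAPBaseAuthenticator extends Authenticator {
    /**
     * The LDAP server to connect to
     */
    var $sLdapServer;
    var $iLdapPort;

    /**
     * The base LDAP DN to perform authentication against
     */
    var $sBaseDN;

    /**
     * The LDAP accessor class
     */
    var $oLdap;

    function KTLDAPBaseAuthenticator($oSource) {
        $this->oSource =& KTUtil::getObject('KTAuthenticationSource', $oSource);
        $aConfig = unserialize($this->oSource->getConfig());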