Author: jfthomps
Date: Tue Apr  3 19:52:21 2012
New Revision: 1309118

URL: http://svn.apache.org/viewvc?rev=1309118&view=rev
Log:
VCL-418
simplify adding LDAP authentication

conf-default.php: added lookupuserbeforeauth and lookupuserfield to config 
array for ldap connectors; lookupuserbeforeauth is a boolean that, when true, 
configures VCL to use the master login to look up the full DN of the user
before doing that ldap_bind that auths the user; lookupuserfield is the ldap 
attribute under which the supplied user name should be looked up in ldap

authentication.php:
-modified printLoginPageWithSkin - get the skin from the affiliation table by 
calling getAffiliationTheme
-modified ldapLogin - instead of checking for the use of specific entries in 
$authMechs, we check for $authMechs[$authtype]['lookupuserbeforeauth'] to 
determine whether or not the full DN of the user needs to be found before doing 
the ldap_bind auth

utils.php:
-modified initGlobals - set $skin by calling getAffiliationTheme instead of a 
switch statement based on the affiliation name
-modified checkAccess - added code to see if the full DN of the user needs to 
be looked up when responding to an API call and do so if needed
-added getAffiliationTheme
-modified main, sendHeaders, printHTMLHeader, and getNavMenu - removed 
inclusion of $skin from globals since it is no longer used in these functions

Modified:
    incubator/vcl/trunk/web/.ht-inc/authentication.php
    incubator/vcl/trunk/web/.ht-inc/conf-default.php
    incubator/vcl/trunk/web/.ht-inc/utils.php

Modified: incubator/vcl/trunk/web/.ht-inc/authentication.php
URL: 
http://svn.apache.org/viewvc/incubator/vcl/trunk/web/.ht-inc/authentication.php?rev=1309118&r1=1309117&r2=1309118&view=diff
==============================================================================
--- incubator/vcl/trunk/web/.ht-inc/authentication.php (original)
+++ incubator/vcl/trunk/web/.ht-inc/authentication.php Tue Apr  3 19:52:21 2012
@@ -201,17 +201,7 @@ function selectAuth() {
 
////////////////////////////////////////////////////////////////////////////////
 function printLoginPageWithSkin($authtype, $servertimeout=0) {
        global $authMechs, $HTMLheader, $skin, $printedHTMLheader;
-       switch(getAffiliationName($authMechs[$authtype]['affiliationid'])) {
-               case 'EXAMPLE1':
-                       $skin = 'example1';
-                       break;
-               case 'EXAMPLE2':
-                       $skin = 'example2';
-                       break;
-               default:
-                       $skin = 'default';
-                       break;
-       }
+       $skin = getAffiliationTheme($authMechs[$authtype]['affiliationid']);
        require_once("themes/$skin/page.php");
        $HTMLheader = getHeader(0);
        printHTMLHeader();
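Review bot: The theme name assigned on the changed line now comes from the `affiliation.theme` column and is spliced unchecked into `require_once("themes/$skin/page.php")` on the next line, so a stray value in that column (a typo, or anything containing a path separator) becomes an include of an unintended path or a fatal error rather than a fallback to the default theme. I would guard the value before building the path, e.g. `if(! preg_match('/^[-a-zA-Z0-9_]+$/', $skin) || ! is_dir("themes/$skin")) $skin = 'default';`. The same pattern appears in initGlobals in utils.php, which feeds the same `require_once("themes/$skin/page.php")`. printLoginPageWithSkin continues past the end of the hunk.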
@@ -384,60 +374,34 @@ function ldapLogin($authtype, $userid, $
        }
        ldap_set_option($ds, LDAP_OPT_PROTOCOL_VERSION, 3);
        ldap_set_option($ds, LDAP_OPT_REFERRALS, 0);
-       /*if($authtype == 'EXAMPLE1 LDAP') {
+       /*if($authMechs[$authtype]['lookupuserbeforeauth']) {
                # in this case, we have to look up what part of the tree the 
user is in
                #   before we can actually look up the user
                $auth = $authMechs[$authtype];
-               $res = ldap_bind($ds, $auth['masterlogin'],
-                                $auth['masterpwd']);
-               if(! $res) {
-                       addLoginLog($userid, $authtype, 
$authMechs[$authtype]['affiliationid'], 0);
-                       printLoginPageWithSkin($authtype);
-                       return;
-               }
-               $search = ldap_search($ds,
-                                     $auth['binddn'], 
-                                     "cn=$userid",
-                                     array('dn'), 0, 3, 15);
-               if($search) {
-                       $tmpdata = ldap_get_entries($ds, $search);
-                       if(! $tmpdata['count'] || ! array_key_exists('dn', 
$tmpdata[0])) {
-                               addLoginLog($userid, $authtype, 
$authMechs[$authtype]['affiliationid'], 0);
-                               printLoginPageWithSkin($authtype);
-                               return;
-                       }
-                       $ldapuser = $tmpdata[0]['dn'];
-               }
-               else {
-                       addLoginLog($userid, $authtype, 
$authMechs[$authtype]['affiliationid'], 0);
-                       printLoginPageWithSkin($authtype);
-                       return;
-               }
-       }
-       elseif($authtype == 'EXAMPLE2 LDAP') {
-               # this is similar to EXAMPLE1, but here we do an anonymous bind
-               $auth = $authMechs[$authtype];
-               $res = ldap_bind($ds);
+               if(array_key_exists('masterlogin', $auth) && 
strlen($auth['masterlogin']))
+                       $res = ldap_bind($ds, $auth['masterlogin'], 
$auth['masterpwd']);
+               else
+                       $res = ldap_bind($ds);
                if(! $res) {
-                       addLoginLog($userid, $authtype, 
$authMechs[$authtype]['affiliationid'], 0);
+                       addLoginLog($userid, $authtype, $auth['affiliationid'], 
0);
                        printLoginPageWithSkin($authtype);
                        return;
                }
                $search = ldap_search($ds,
                                      $auth['binddn'], 
-                                     "uid=$userid",
+                                     "{$auth['lookupuserfield']}=$userid",
                                      array('dn'), 0, 3, 15);
                if($search) {
                        $tmpdata = ldap_get_entries($ds, $search);
                        if(! $tmpdata['count'] || ! array_key_exists('dn', 
$tmpdata[0])) {
-                               addLoginLog($userid, $authtype, 
$authMechs[$authtype]['affiliationid'], 0);
+                               addLoginLog($userid, $authtype, 
$auth['affiliationid'], 0);
                                printLoginPageWithSkin($authtype);
                                return;
                        }
                        $ldapuser = $tmpdata[0]['dn'];
                }
                else {
-                       addLoginLog($userid, $authtype, 
$authMechs[$authtype]['affiliationid'], 0);
+                       addLoginLog($userid, $authtype, $auth['affiliationid'], 
0);
                        printLoginPageWithSkin($authtype);
                        return;
                }
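Review bot: `$userid` is interpolated straight into the LDAP search filter on the changed line `"{$auth['lookupuserfield']}=$userid"`, so unless it is validated upstream the filter-syntax characters `\`, `*`, `(`, `)` and NUL in a submitted login name are interpreted as filter syntax instead of being matched literally; the value should be escaped per RFC 4515 before use (`ldap_escape($userid, '', LDAP_ESCAPE_FILTER)` on PHP 5.6+, or a `str_replace` of those five characters with their `\xx` forms). The new `{$user['unityid']}` filter in checkAccess in utils.php has the same gap. Note also that the first changed line still begins with `/*`, so unless the closing `*/` outside the hunk was removed in the same change, this lookup path in ldapLogin remains commented out and only the checkAccess copy is live. The body of ldapLogin continues outside the hunk on both sides.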

Modified: incubator/vcl/trunk/web/.ht-inc/conf-default.php
URL: 
http://svn.apache.org/viewvc/incubator/vcl/trunk/web/.ht-inc/conf-default.php?rev=1309118&r1=1309117&r2=1309118&view=diff
==============================================================================
--- incubator/vcl/trunk/web/.ht-inc/conf-default.php (original)
+++ incubator/vcl/trunk/web/.ht-inc/conf-default.php Tue Apr  3 19:52:21 2012
@@ -121,6 +121,11 @@ $authMechs = array(
                                   "masterlogin" => "vcluser",       # 
privileged login id for ldap server
                                   "masterpwd" => "*********",       # 
privileged login password for ldap server
                                   "affiliationid" => 3,             # id from 
affiliation id this login method is associated with
+                                  "lookupuserbeforeauth" => 0,      # set this 
to 1 to have VCL use masterlogin to lookup the full DN of the user
+                                                                    #   and 
use that for the ldap bind to auth the user instead of just using the userid
+                                                                    #   field 
from above
+                                  "lookupuserfield" => '',          # if 
lookupuserbeforeauth is set to 1, this is the attribute to use to search in ldap
+                                                                    #   for 
the user.  Typically either 'cn', 'uid', or 'samaccountname'
                                   "help" => "Use EXAMPLE1 LDAP if you are 
using an EXAMPLE1 account"), # message to be displayed on login page about when
                                                                                
                        #   to use this login mechanism*/
 );
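Review bot: The comment on `lookupuserbeforeauth` should say what happens when `masterlogin` is empty, because the new code in authentication.php and utils.php falls back to an anonymous `ldap_bind($ds)` for the DN lookup in that case, and a reader of this file cannot tell that from `privileged login id for ldap server` alone. A line such as `#   if masterlogin is left empty, the lookup is done with an anonymous bind` under the new key would cover it. It would also help to state that `lookupuserfield` is matched against the supplied user name, so the chosen attribute needs to identify a single entry under binddn.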

Modified: incubator/vcl/trunk/web/.ht-inc/utils.php
URL: 
http://svn.apache.org/viewvc/incubator/vcl/trunk/web/.ht-inc/utils.php?rev=1309118&r1=1309117&r2=1309118&view=diff
==============================================================================
--- incubator/vcl/trunk/web/.ht-inc/utils.php (original)
+++ incubator/vcl/trunk/web/.ht-inc/utils.php Tue Apr  3 19:52:21 2012
@@ -218,26 +218,10 @@ function initGlobals() {
                $_SESSION['user'] = $user;
        }
 
-       $affil = $user['affiliation'];
-
        # setskin
-       switch($affil) {
-               case 'EXAMPLE1':
-                       $skin = 'example1';
-                       require_once('themes/example1/page.php');
-                       break;
-
-               case 'EXAMPLE2':
-                       $skin = 'example1';
-                       require_once('themes/example2/page.php');
-                       break;
-
-               default:
-                       $skin = 'default';
-                       require_once('themes/default/page.php');
-                       break;
+       $skin = getAffiliationTheme($user['affiliationid']);
+       require_once("themes/$skin/page.php");
 
-       }
        $_SESSION['mode'] = $mode;
 
        // check for and possibly clear dirty permission cache
@@ -374,7 +358,8 @@ function checkAccess() {
                                exit;
                        }
                        if($authMechs[$authtype]['type'] == 'ldap') {
-                               $ds = 
ldap_connect("ldaps://{$authMechs[$authtype]['server']}/");
+                               $auth = $authMechs[$authtype];
+                               $ds = 
ldap_connect("ldaps://{$auth['server']}/");
                                if(! $ds) {
                                        printXMLRPCerror(5);    # failed to 
connect to auth server
                                        dbDisconnect();
@@ -382,7 +367,43 @@ function checkAccess() {
                                }
                                ldap_set_option($ds, LDAP_OPT_PROTOCOL_VERSION, 
3);
                                ldap_set_option($ds, LDAP_OPT_REFERRALS, 0);
-                               $ldapuser = 
sprintf($authMechs[$authtype]['userid'], $user['unityid']);
+                               if($auth['lookupuserbeforeauth']) {
+                                       # in this case, we have to look up what 
part of the tree the user is in
+                                       #   before we can actually look up the 
user
+                                       $auth = $authMechs[$authtype];
+                                       if(array_key_exists('masterlogin', 
$auth) && strlen($auth['masterlogin']))
+                                               $res = ldap_bind($ds, 
$auth['masterlogin'], $auth['masterpwd']);
+                                       else
+                                               $res = ldap_bind($ds);
+                                       if(! $res) {
+                                               addLoginLog($user['unityid'], 
$authtype, $user['affiliationid'], 0);
+                                               printXMLRPCerror(3);   # access 
denied
+                                               dbDisconnect();
+                                               exit;
+                                       }
+                                       $search = ldap_search($ds,
+                                                             $auth['binddn'], 
+                                                             
"{$auth['lookupuserfield']}={$user['unityid']}",
+                                                             array('dn'), 0, 
3, 15);
+                                       if($search) {
+                                               $tmpdata = 
ldap_get_entries($ds, $search);
+                                               if(! $tmpdata['count'] || ! 
array_key_exists('dn', $tmpdata[0])) {
+                                                       
addLoginLog($user['unityid'], $authtype, $user['affiliationid'], 0);
+                                                       printXMLRPCerror(3);   
# access denied
+                                                       dbDisconnect();
+                                                       exit;
+                                               }
+                                               $ldapuser = $tmpdata[0]['dn'];
+                                       }
+                                       else {
+                                               addLoginLog($user['unityid'], 
$authtype, $user['affiliationid'], 0);
+                                               printXMLRPCerror(3);   # access 
denied
+                                               dbDisconnect();
+                                               exit;
+                                       }
+                               }
+                               else
+                                       $ldapuser = sprintf($auth['userid'], 
$user['unityid']);
                                $res = ldap_bind($ds, $ldapuser, $xmlpass);
                                if(! $res) {
                                        addLoginLog($user['unityid'], 
$authtype, $user['affiliationid'], 0);
@@ -774,7 +795,7 @@ function stopSession() {
 ///
 
////////////////////////////////////////////////////////////////////////////////
 function main() {
-       global $user, $authed, $mode, $skin;
+       global $user, $authed, $mode;
        print "<H2>Welcome to the Virtual Computing Lab</H2>\n";
        if($authed) {
                if(! empty($user['lastname']) && ! 
empty($user['preferredname']))
@@ -2973,6 +2994,26 @@ function getAffiliationDataUpdateText($a
 
 
////////////////////////////////////////////////////////////////////////////////
 ///
+/// \fn getAffiliationTheme($affilid)
+///
+/// \param $affilid - id of an affiliation
+///
+/// \return name of the affiliations's theme
+///
+/// \brief gets affiliation.theme for the specified affiliation
+///
+////////////////////////////////////////////////////////////////////////////////
+function getAffiliationTheme($affilid) {
+       $query = "SELECT theme FROM affiliation WHERE id = $affilid";
+       $qh = doQuery($query);
+       if($row = mysql_fetch_assoc($qh))
+               return $row['theme'];
+       else
+               return 'default';
+}
+
+////////////////////////////////////////////////////////////////////////////////
+///
 /// \fn processInputVar($vartag, $type, $defaultvalue, $stripwhitespace)
 ///
 /// \param $vartag - name of GET or POST variable
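Review bot: `$affilid` is interpolated directly into the SQL string in `$query = "SELECT theme FROM affiliation WHERE id = $affilid";`; both current callers pass an id from the session or the config rather than from the request, but the function is global and its name invites wider use, so coerce the argument first with `$affilid = (int)$affilid;` so the query cannot be altered by its input. Because this function is the single source of the theme name that both callers splice into a `require_once` path, it is also the natural place to return `'default'` when `$row['theme']` does not name an existing directory under themes/. In the doxygen block, `affiliations's` should read `affiliation's`.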
@@ -9998,7 +10039,7 @@ function menulistLI($page) {
 ///
 
////////////////////////////////////////////////////////////////////////////////
 function sendHeaders() {
-       global $mode, $user, $authed, $oldmode, $actionFunction, $skin;
+       global $mode, $user, $authed, $oldmode, $actionFunction;
        global $shibauthed;
        if(! $authed && $mode == "auth") {
                header("Location: " . BASEURL . SCRIPT . "?mode=selectauth");
@@ -10127,7 +10168,7 @@ function sendHeaders() {
 
////////////////////////////////////////////////////////////////////////////////
 function printHTMLHeader() {
        global $mode, $user, $authed, $oldmode, $HTMLheader, $contdata;
-       global $printedHTMLheader, $docreaders, $skin, $noHTMLwrappers, 
$actions;
+       global $printedHTMLheader, $docreaders, $noHTMLwrappers, $actions;
        if($printedHTMLheader)
                return;
        $refresh = 0;
@@ -10177,7 +10218,7 @@ function printHTMLHeader() {
 ///
 
////////////////////////////////////////////////////////////////////////////////
 function getNavMenu($inclogout, $inchome, $homeurl=HOMEURL) {
-       global $user, $docreaders, $authed, $userlookupUsers, $skin;
+       global $user, $docreaders, $authed, $userlookupUsers;
        global $mode;
        if($authed && $mode != 'expiredemouser')
                $computermetadata = getUserComputerMetaData();

