Author: jfthomps
Date: Tue Apr 3 19:52:21 2012
New Revision: 1309118
URL: http://svn.apache.org/viewvc?rev=1309118&view=rev
Log:
VCL-418
simplify adding LDAP authentication
conf-default.php: added lookupuserbeforeauth and lookupuserfield to config
array for ldap connectors; lookupuserbeforeauth is a boolean that, when true,
configures VCL to use the master login to look up the full DN of the user
before doing the ldap_bind that auths the user; lookupuserfield is the ldap
attribute under which the supplied user name should be looked up in ldap
authentication.php:
-modified printLoginPageWithSkin - get the skin from the affiliation table by
calling getAffiliationTheme
-modified ldapLogin - instead of checking for the use of specific entries in
$authMechs, we check for $authMechs[$authtype]['lookupuserbeforeauth'] to
determine whether or not the full DN of the user needs to be found before doing
the ldap_bind auth
utils.php:
-modified initGlobals - set $skin by calling getAffiliationTheme instead of a
switch statement based on the affiliation name
-modified checkAccess - added code to see if the full DN of the user needs to
be looked up when responding to an API call and do so if needed
-added getAffiliationTheme
-modified main, sendHeaders, printHTMLHeader, and getNavMenu - removed
inclusion of $skin from globals since it is no longer used in these functions
Modified:
incubator/vcl/trunk/web/.ht-inc/authentication.php
incubator/vcl/trunk/web/.ht-inc/conf-default.php
incubator/vcl/trunk/web/.ht-inc/utils.php
Modified: incubator/vcl/trunk/web/.ht-inc/authentication.php
URL:
http://svn.apache.org/viewvc/incubator/vcl/trunk/web/.ht-inc/authentication.php?rev=1309118&r1=1309117&r2=1309118&view=diff
==============================================================================
--- incubator/vcl/trunk/web/.ht-inc/authentication.php (original)
+++ incubator/vcl/trunk/web/.ht-inc/authentication.php Tue Apr 3 19:52:21 2012
@@ -201,17 +201,7 @@ function selectAuth() {
////////////////////////////////////////////////////////////////////////////////
function printLoginPageWithSkin($authtype, $servertimeout=0) {
global $authMechs, $HTMLheader, $skin, $printedHTMLheader;
- switch(getAffiliationName($authMechs[$authtype]['affiliationid'])) {
- case 'EXAMPLE1':
- $skin = 'example1';
- break;
- case 'EXAMPLE2':
- $skin = 'example2';
- break;
- default:
- $skin = 'default';
- break;
- }
+ $skin = getAffiliationTheme($authMechs[$authtype]['affiliationid']);
require_once("themes/$skin/page.php");
$HTMLheader = getHeader(0);
printHTMLHeader();
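Review bot: The theme name returned by getAffiliationTheme on the added line flows straight into `require_once("themes/$skin/page.php")`, so whatever is stored in affiliation.theme becomes a segment of an include path; the initGlobals hunk in utils.php adds the same pattern. The removed switch could only ever yield one of three fixed names, so this commit widens what can reach require_once from a literal to a database column. The value should be checked before it is used as a path, most naturally inside getAffiliationTheme so both callers benefit, e.g. `if(($row = mysql_fetch_assoc($qh)) && preg_match('/^[a-zA-Z0-9_-]+$/', $row['theme']) && is_dir("themes/{$row['theme']}"))` with the existing `'default'` fallback for everything else. printLoginPageWithSkin continues past the end of this hunk.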
@@ -384,60 +374,34 @@ function ldapLogin($authtype, $userid, $
}
ldap_set_option($ds, LDAP_OPT_PROTOCOL_VERSION, 3);
ldap_set_option($ds, LDAP_OPT_REFERRALS, 0);
- /*if($authtype == 'EXAMPLE1 LDAP') {
+ /*if($authMechs[$authtype]['lookupuserbeforeauth']) {
# in this case, we have to look up what part of the tree the
user is in
# before we can actually look up the user
$auth = $authMechs[$authtype];
- $res = ldap_bind($ds, $auth['masterlogin'],
- $auth['masterpwd']);
- if(! $res) {
- addLoginLog($userid, $authtype,
$authMechs[$authtype]['affiliationid'], 0);
- printLoginPageWithSkin($authtype);
- return;
- }
- $search = ldap_search($ds,
- $auth['binddn'],
- "cn=$userid",
- array('dn'), 0, 3, 15);
- if($search) {
- $tmpdata = ldap_get_entries($ds, $search);
- if(! $tmpdata['count'] || ! array_key_exists('dn',
$tmpdata[0])) {
- addLoginLog($userid, $authtype,
$authMechs[$authtype]['affiliationid'], 0);
- printLoginPageWithSkin($authtype);
- return;
- }
- $ldapuser = $tmpdata[0]['dn'];
- }
- else {
- addLoginLog($userid, $authtype,
$authMechs[$authtype]['affiliationid'], 0);
- printLoginPageWithSkin($authtype);
- return;
- }
- }
- elseif($authtype == 'EXAMPLE2 LDAP') {
- # this is similar to EXAMPLE1, but here we do an anonymous bind
- $auth = $authMechs[$authtype];
- $res = ldap_bind($ds);
+ if(array_key_exists('masterlogin', $auth) &&
strlen($auth['masterlogin']))
+ $res = ldap_bind($ds, $auth['masterlogin'],
$auth['masterpwd']);
+ else
+ $res = ldap_bind($ds);
if(! $res) {
- addLoginLog($userid, $authtype,
$authMechs[$authtype]['affiliationid'], 0);
+ addLoginLog($userid, $authtype, $auth['affiliationid'],
0);
printLoginPageWithSkin($authtype);
return;
}
$search = ldap_search($ds,
$auth['binddn'],
- "uid=$userid",
+ "{$auth['lookupuserfield']}=$userid",
array('dn'), 0, 3, 15);
if($search) {
$tmpdata = ldap_get_entries($ds, $search);
if(! $tmpdata['count'] || ! array_key_exists('dn',
$tmpdata[0])) {
- addLoginLog($userid, $authtype,
$authMechs[$authtype]['affiliationid'], 0);
+ addLoginLog($userid, $authtype,
$auth['affiliationid'], 0);
printLoginPageWithSkin($authtype);
return;
}
$ldapuser = $tmpdata[0]['dn'];
}
else {
- addLoginLog($userid, $authtype,
$authMechs[$authtype]['affiliationid'], 0);
+ addLoginLog($userid, $authtype, $auth['affiliationid'],
0);
printLoginPageWithSkin($authtype);
return;
}
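Review bot: The replacement condition on the first `+` line still begins with `/*`, exactly as the old `/*if($authtype == 'EXAMPLE1 LDAP')` did, so unless the matching `*/` was removed further down (outside this hunk) the whole lookup branch is still a comment and `lookupuserbeforeauth` has no effect in ldapLogin. Once the branch is live, the filter `"{$auth['lookupuserfield']}=$userid"` interpolates the submitted user name without RFC 4515 escaping (the old `cn=$userid` had the same weakness, but this is now the generic path); escape `\`, `*`, `(`, `)` and NUL in `$userid` before building the filter — `ldap_escape($userid, '', LDAP_ESCAPE_FILTER)` on PHP 5.6+, otherwise a small str_replace table — and do the same for `$user['unityid']` in the checkAccess hunk of utils.php. Because conf-default now ships `lookupuserfield` as `''`, an operator who enables the flag without setting the field sends the filter `=$userid`, so the branch should bail out when the field is empty. Both reads of `lookupuserbeforeauth` (here and in checkAccess) are plain index accesses, so every existing conf.php entry written before this key existed will emit an undefined-index notice; `! empty($authMechs[$authtype]['lookupuserbeforeauth'])` keeps old configs quiet. ldapLogin continues after the end of this hunk.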
Modified: incubator/vcl/trunk/web/.ht-inc/conf-default.php
URL:
http://svn.apache.org/viewvc/incubator/vcl/trunk/web/.ht-inc/conf-default.php?rev=1309118&r1=1309117&r2=1309118&view=diff
==============================================================================
--- incubator/vcl/trunk/web/.ht-inc/conf-default.php (original)
+++ incubator/vcl/trunk/web/.ht-inc/conf-default.php Tue Apr 3 19:52:21 2012
@@ -121,6 +121,11 @@ $authMechs = array(
"masterlogin" => "vcluser", #
privileged login id for ldap server
"masterpwd" => "*********", #
privileged login password for ldap server
"affiliationid" => 3, # id from
affiliation id this login method is associated with
+ "lookupuserbeforeauth" => 0, # set this
to 1 to have VCL use masterlogin to lookup the full DN of the user
+ # and
use that for the ldap bind to auth the user instead of just using the userid
+ # field
from above
+ "lookupuserfield" => '', # if
lookupuserbeforeauth is set to 1, this is the attribute to use to search in ldap
+ # for
the user. Typically either 'cn', 'uid', or 'samaccountname'
"help" => "Use EXAMPLE1 LDAP if you are
using an EXAMPLE1 account"), # message to be displayed on login page about when
# to use this login mechanism*/
);
Modified: incubator/vcl/trunk/web/.ht-inc/utils.php
URL:
http://svn.apache.org/viewvc/incubator/vcl/trunk/web/.ht-inc/utils.php?rev=1309118&r1=1309117&r2=1309118&view=diff
==============================================================================
--- incubator/vcl/trunk/web/.ht-inc/utils.php (original)
+++ incubator/vcl/trunk/web/.ht-inc/utils.php Tue Apr 3 19:52:21 2012
@@ -218,26 +218,10 @@ function initGlobals() {
$_SESSION['user'] = $user;
}
- $affil = $user['affiliation'];
-
# setskin
- switch($affil) {
- case 'EXAMPLE1':
- $skin = 'example1';
- require_once('themes/example1/page.php');
- break;
-
- case 'EXAMPLE2':
- $skin = 'example1';
- require_once('themes/example2/page.php');
- break;
-
- default:
- $skin = 'default';
- require_once('themes/default/page.php');
- break;
+ $skin = getAffiliationTheme($user['affiliationid']);
+ require_once("themes/$skin/page.php");
- }
$_SESSION['mode'] = $mode;
// check for and possibly clear dirty permission cache
@@ -374,7 +358,8 @@ function checkAccess() {
exit;
}
if($authMechs[$authtype]['type'] == 'ldap') {
- $ds =
ldap_connect("ldaps://{$authMechs[$authtype]['server']}/");
+ $auth = $authMechs[$authtype];
+ $ds =
ldap_connect("ldaps://{$auth['server']}/");
if(! $ds) {
printXMLRPCerror(5); # failed to
connect to auth server
dbDisconnect();
@@ -382,7 +367,43 @@ function checkAccess() {
}
ldap_set_option($ds, LDAP_OPT_PROTOCOL_VERSION,
3);
ldap_set_option($ds, LDAP_OPT_REFERRALS, 0);
- $ldapuser =
sprintf($authMechs[$authtype]['userid'], $user['unityid']);
+ if($auth['lookupuserbeforeauth']) {
+ # in this case, we have to look up what
part of the tree the user is in
+ # before we can actually look up the
user
+ $auth = $authMechs[$authtype];
+ if(array_key_exists('masterlogin',
$auth) && strlen($auth['masterlogin']))
+ $res = ldap_bind($ds,
$auth['masterlogin'], $auth['masterpwd']);
+ else
+ $res = ldap_bind($ds);
+ if(! $res) {
+ addLoginLog($user['unityid'],
$authtype, $user['affiliationid'], 0);
+ printXMLRPCerror(3); # access
denied
+ dbDisconnect();
+ exit;
+ }
+ $search = ldap_search($ds,
+ $auth['binddn'],
+
"{$auth['lookupuserfield']}={$user['unityid']}",
+ array('dn'), 0,
3, 15);
+ if($search) {
+ $tmpdata =
ldap_get_entries($ds, $search);
+ if(! $tmpdata['count'] || !
array_key_exists('dn', $tmpdata[0])) {
+
addLoginLog($user['unityid'], $authtype, $user['affiliationid'], 0);
+ printXMLRPCerror(3);
# access denied
+ dbDisconnect();
+ exit;
+ }
+ $ldapuser = $tmpdata[0]['dn'];
+ }
+ else {
+ addLoginLog($user['unityid'],
$authtype, $user['affiliationid'], 0);
+ printXMLRPCerror(3); # access
denied
+ dbDisconnect();
+ exit;
+ }
+ }
+ else
+ $ldapuser = sprintf($auth['userid'],
$user['unityid']);
$res = ldap_bind($ds, $ldapuser, $xmlpass);
if(! $res) {
addLoginLog($user['unityid'],
$authtype, $user['affiliationid'], 0);
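Review bot: `$auth = $authMechs[$authtype];` inside the new `if` block repeats the assignment the previous hunk already made a few lines earlier in checkAccess, and the block itself is the ldapLogin lookup copied almost verbatim, differing only in how a failure is reported. Extracting the bind-then-search into one helper that returns the DN or NULL lets both callers share the config checks and the filter escaping, and reduces each caller to a short failure branch. A sketch of the helper and of its use here follows; the master-bind fallback to an anonymous bind and the `0, 3, 15` search limits are kept as written. checkAccess continues outside this hunk.
```php
			if(! empty($auth['lookupuserbeforeauth'])) {
				$ldapuser = ldapLookupUserDN($ds, $auth, $user['unityid']);
				if($ldapuser === NULL) {
					addLoginLog($user['unityid'], $authtype, $user['affiliationid'], 0);
					printXMLRPCerror(3); # access denied
					dbDisconnect();
					exit;
				}
			}
			else
				$ldapuser = sprintf($auth['userid'], $user['unityid']);
			# … unchanged: ldap_bind($ds, $ldapuser, $xmlpass) and its error handling …

////////////////////////////////////////////////////////////////////////////////
///
/// \fn ldapLookupUserDN($ds, $auth, $userid)
///
/// \param $ds - ldap connection resource
/// \param $auth - entry from $authMechs for the ldap connector
/// \param $userid - user name supplied at login
///
/// \return the DN found for $userid, or NULL if lookupuserfield is not
/// configured, the bind fails, or no entry with a dn is returned
///
/// \brief binds with masterlogin (or anonymously) and searches for the
/// user's DN under binddn; the filter value is escaped per RFC 4515
///
////////////////////////////////////////////////////////////////////////////////
function ldapLookupUserDN($ds, $auth, $userid) {
	if(empty($auth['lookupuserfield']))
		return NULL;
	if(array_key_exists('masterlogin', $auth) && strlen($auth['masterlogin']))
		$res = ldap_bind($ds, $auth['masterlogin'], $auth['masterpwd']);
	else
		$res = ldap_bind($ds);
	if(! $res)
		return NULL;
	# ldap_escape($userid, '', LDAP_ESCAPE_FILTER) does this on PHP 5.6+
	$escuserid = str_replace(array('\\', '*', '(', ')', "\0"),
	                         array('\5c', '\2a', '\28', '\29', '\00'),
	                         $userid);
	$search = ldap_search($ds, $auth['binddn'],
	                      "{$auth['lookupuserfield']}=$escuserid",
	                      array('dn'), 0, 3, 15);
	if(! $search)
		return NULL;
	$tmpdata = ldap_get_entries($ds, $search);
	if(! $tmpdata['count'] || ! array_key_exists('dn', $tmpdata[0]))
		return NULL;
	return $tmpdata[0]['dn'];
}
```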
@@ -774,7 +795,7 @@ function stopSession() {
///
////////////////////////////////////////////////////////////////////////////////
function main() {
- global $user, $authed, $mode, $skin;
+ global $user, $authed, $mode;
print "<H2>Welcome to the Virtual Computing Lab</H2>\n";
if($authed) {
if(! empty($user['lastname']) && !
empty($user['preferredname']))
@@ -2973,6 +2994,26 @@ function getAffiliationDataUpdateText($a
////////////////////////////////////////////////////////////////////////////////
///
+/// \fn getAffiliationTheme($affilid)
+///
+/// \param $affilid - id of an affiliation
+///
+/// \return name of the affiliations's theme
+///
+/// \brief gets affiliation.theme for the specified affiliation
+///
+////////////////////////////////////////////////////////////////////////////////
+function getAffiliationTheme($affilid) {
+ $query = "SELECT theme FROM affiliation WHERE id = $affilid";
+ $qh = doQuery($query);
+ if($row = mysql_fetch_assoc($qh))
+ return $row['theme'];
+ else
+ return 'default';
+}
+
+////////////////////////////////////////////////////////////////////////////////
+///
/// \fn processInputVar($vartag, $type, $defaultvalue, $stripwhitespace)
///
/// \param $vartag - name of GET or POST variable
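Review bot: `$affilid` is interpolated directly into the SELECT in the new getAffiliationTheme; the two call sites added by this commit pass an id taken from the config array or from the user's own row, so it is not user-controlled today, but the function is a general lookup and a one-line `$affilid = (int)$affilid;` before the query makes that hold for any future caller. The doxygen line `\return name of the affiliations's theme` has a stray apostrophe-s and should read `\return name of the affiliation's theme`. Whether affiliation.theme can be NULL or empty is not visible here; if it can, the `'default'` fallback should also cover that case rather than only the no-row case.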
@@ -9998,7 +10039,7 @@ function menulistLI($page) {
///
////////////////////////////////////////////////////////////////////////////////
function sendHeaders() {
- global $mode, $user, $authed, $oldmode, $actionFunction, $skin;
+ global $mode, $user, $authed, $oldmode, $actionFunction;
global $shibauthed;
if(! $authed && $mode == "auth") {
header("Location: " . BASEURL . SCRIPT . "?mode=selectauth");
@@ -10127,7 +10168,7 @@ function sendHeaders() {
////////////////////////////////////////////////////////////////////////////////
function printHTMLHeader() {
global $mode, $user, $authed, $oldmode, $HTMLheader, $contdata;
- global $printedHTMLheader, $docreaders, $skin, $noHTMLwrappers,
$actions;
+ global $printedHTMLheader, $docreaders, $noHTMLwrappers, $actions;
if($printedHTMLheader)
return;
$refresh = 0;
@@ -10177,7 +10218,7 @@ function printHTMLHeader() {
///
////////////////////////////////////////////////////////////////////////////////
function getNavMenu($inclogout, $inchome, $homeurl=HOMEURL) {
- global $user, $docreaders, $authed, $userlookupUsers, $skin;
+ global $user, $docreaders, $authed, $userlookupUsers;
global $mode;
if($authed && $mode != 'expiredemouser')
$computermetadata = getUserComputerMetaData();