116 lines
4.9 KiB
PHP
116 lines
4.9 KiB
PHP
<?php
|
|
|
|
/**
|
|
* Authenticate using HTTP login.
|
|
*
|
|
* @author Yorn de Jong
|
|
* @package simpleSAMLphp
|
|
*/
|
|
class sspmod_authpwauth_Auth_Source_PwAuth extends sspmod_core_Auth_UserPassBase {
|
|
|
|
protected $pwauth_bin_path;
|
|
protected $mail_domain;
|
|
|
|
public function __construct($info, $config) {
|
|
assert('is_array($info)');
|
|
assert('is_array($config)');
|
|
|
|
/* Call the parent constructor first, as required by the interface. */
|
|
parent::__construct($info, $config);
|
|
|
|
$this->pwauth_bin_path = $config['pwauth_bin_path'];
|
|
if (array_key_exists('mail_domain', $config)) {
|
|
$this->mail_domain = '@' . ltrim($config['mail_domain'], '@');
|
|
}
|
|
}
|
|
|
|
public function login($username, $password) {
|
|
$username = strtolower( $username );
|
|
|
|
$handle = popen($this->pwauth_bin_path, 'w');
|
|
if ($handle === FALSE) {
|
|
die("Error opening pipe to pwauth");
|
|
return false;
|
|
}
|
|
|
|
$data = "$username\n$password\n";
|
|
if (fwrite($handle, $data) !== strlen($data)) {
|
|
die("Error writing to pwauth pipe");
|
|
return false;
|
|
}
|
|
|
|
# Is the password valid?
|
|
$result = pclose( $handle );
|
|
if ($result !== 0) {
|
|
if (!in_array($result, [1, 2, 3, 4, 5, 6, 7], true)) {
|
|
die("pwauth returned $result for username $username");
|
|
}
|
|
throw new SimpleSAML_Error_Error('WRONGUSERPASS');
|
|
}
|
|
/*
|
|
$ldap = ldap_connect('129.241.210.159', 389);
|
|
ldap_set_option($ldap, LDAP_OPT_PROTOCOL_VERSION, 3);
|
|
ldap_start_tls($ldap);
|
|
ldap_bind($ldap, 'passordendrer@pvv.ntnu.no', 'Oi7aekoh');
|
|
$search = ldap_search($ldap, 'DC=pvv,DC=ntnu,DC=no', '(sAMAccountName='.ldap_escape($username, '', LDAP_ESCAPE_FILTER).')');
|
|
$entry = ldap_first_entry($ldap, $search);
|
|
$dn = ldap_get_dn($ldap, $entry);
|
|
$newpassword = mb_convert_encoding("\"$password\"", 'UTF-16LE', 'UTF-8');
|
|
ldap_modify_batch($ldap, $dn, [
|
|
#[
|
|
# 'modtype' => LDAP_MODIFY_BATCH_REMOVE,
|
|
# 'attrib' => 'unicodePwd',
|
|
# 'values' => [$password],
|
|
#],
|
|
[
|
|
#'modtype' => LDAP_MODIFY_BATCH_ADD,
|
|
'modtype' => LDAP_MODIFY_BATCH_REPLACE,
|
|
'attrib' => 'unicodePwd',
|
|
'values' => [$newpassword],
|
|
],
|
|
]);
|
|
*/
|
|
|
|
#0 - Login OK.
|
|
#1 - Nonexistant login or (for some configurations) incorrect password.
|
|
#2 - Incorrect password (for some configurations).
|
|
#3 - Uid number is below MIN_UNIX_UID value configured in config.h.
|
|
#4 - Login ID has expired.
|
|
#5 - Login's password has expired.
|
|
#6 - Logins to system have been turned off (usually by /etc/nologin file).
|
|
#7 - Limit on number of bad logins exceeded.
|
|
#50 - pwauth was not run with real uid SERVER_UID. If you get this
|
|
# this error code, you probably have SERVER_UID set incorrectly
|
|
# in pwauth's config.h file.
|
|
#51 - pwauth was not given a login & password to check. The means
|
|
# the passing of data from mod_auth_external to pwauth is messed
|
|
# up. Most likely one is trying to pass data via environment
|
|
# variables, while the other is trying to pass data via a pipe.
|
|
#52 - one of several possible internal errors occured.
|
|
|
|
|
|
$uid = $username;
|
|
$cn = trim(shell_exec('getent passwd '.escapeshellarg($uid).' | cut -d: -f5 | cut -d, -f1'));
|
|
|
|
$groups = preg_split('_\\s_', shell_exec('groups '.escapeshellarg($uid)));
|
|
array_shift($groups);
|
|
array_shift($groups);
|
|
array_pop($groups);
|
|
|
|
$info = posix_getpwnam($uid);
|
|
$group = $info['gid'];
|
|
if (!in_array($group, $groups)) {
|
|
$groups[] = $group;
|
|
}
|
|
$result = array(
|
|
'uid' => array($uid),
|
|
'cn' => array($cn),
|
|
'group' => $groups,
|
|
);
|
|
if (isset($this->mail_domain)) {
|
|
$result['mail'] = array($uid.$this->mail_domain);
|
|
}
|
|
return $result;
|
|
}
|
|
}
|