| 1407 |
1407 |
}
|
| 1408 |
1408 |
$ldapauthcont = $authcfg['ldap_authcn'];
|
| 1409 |
1409 |
$ldapnameattribute = strtolower($authcfg['ldap_attr_user']);
|
|
1410 |
$ldapgroupattribute = $authcfg['ldap_attr_member'];
|
| 1410 |
1411 |
$ldapextendedqueryenabled = $authcfg['ldap_extended_enabled'];
|
| 1411 |
1412 |
$ldapextendedquery = $authcfg['ldap_extended_query'];
|
| 1412 |
1413 |
$ldapfilter = "";
|
| 1413 |
1414 |
if (!$ldapextendedqueryenabled) {
|
| 1414 |
1415 |
$ldapfilter = "({$ldapnameattribute}={$username})";
|
| 1415 |
1416 |
} else {
|
| 1416 |
|
$ldapfilter = "(&({$ldapnameattribute}={$username})({$ldapextendedquery}))";
|
|
1417 |
if (isset($authcfg['ldap_rfc2307'])) {
|
|
1418 |
$ldapfilter = "({$ldapnameattribute}={$username})";
|
|
1419 |
$ldapgroupfilter = "(&({$ldapgroupattribute}={$username})({$ldapextendedquery}))";
|
|
1420 |
} else {
|
|
1421 |
$ldapfilter = "(&({$ldapnameattribute}={$username})({$ldapextendedquery}))";
|
|
1422 |
}
|
| 1417 |
1423 |
}
|
| 1418 |
1424 |
$ldaptype = "";
|
| 1419 |
1425 |
$ldapver = $authcfg['ldap_protver'];
|
| ... | ... | |
| 1513 |
1519 |
/* Support legacy auth container specification. */
|
| 1514 |
1520 |
if (stristr($ldac_split, "DC=") || empty($ldapbasedn)) {
|
| 1515 |
1521 |
$search = @$ldapfunc($ldap, $ldac_split, $ldapfilter);
|
|
1522 |
if (isset($ldapgroupfilter)) {
|
|
1523 |
$groupsearch = @$ldapfunc($ldap, $ldac_split, $ldapgroupfilter);
|
|
1524 |
}
|
| 1516 |
1525 |
} else {
|
| 1517 |
1526 |
$search = @$ldapfunc($ldap, $ldapsearchbasedn, $ldapfilter);
|
|
1527 |
if (isset($ldapgroupfilter)) {
|
|
1528 |
$groupsearch = @$ldapfunc($ldap, $ldapsearchbasedn, $ldapgroupfilter);
|
|
1529 |
}
|
|
1530 |
}
|
|
1531 |
|
|
1532 |
if (isset($ldapgroupfilter) && !$groupsearch) {
|
|
1533 |
log_error(sprintf(gettext("Extended group search resulted in error: %s"), ldap_error($ldap)));
|
|
1534 |
continue;
|
| 1518 |
1535 |
}
|
| 1519 |
1536 |
if (!$search) {
|
| 1520 |
1537 |
log_error(sprintf(gettext("Search resulted in error: %s"), ldap_error($ldap)));
|
| 1521 |
1538 |
continue;
|
| 1522 |
1539 |
}
|
|
1540 |
if (isset($groupsearch)) {
|
|
1541 |
$validgroup = ldap_count_entries($ldap, $groupsearch);
|
|
1542 |
if ($debug) {
|
|
1543 |
log_auth(sprintf(gettext("LDAP group search: %s results."), $validgroup));
|
|
1544 |
}
|
|
1545 |
}
|
| 1523 |
1546 |
$info = ldap_get_entries($ldap, $search);
|
| 1524 |
1547 |
$matches = $info['count'];
|
| 1525 |
1548 |
if ($matches == 1) {
|
| ... | ... | |
| 1559 |
1582 |
log_auth(sprintf(gettext('Logged in successfully as %1$s via LDAP server %2$s with DN = %3$s.'), $username, $ldapname, $userdn));
|
| 1560 |
1583 |
}
|
| 1561 |
1584 |
|
|
1585 |
if ($debug && isset($ldapgroupfilter) && $validgroup < 1) {
|
|
1586 |
$userdn = isset($authcfg['ldap_utf8']) ? utf8_decode($userdn) : $userdn;
|
|
1587 |
log_auth(sprintf(gettext('Logged in successfully as %1$s but did not match any field in extended query.'), $username));
|
|
1588 |
}
|
|
1589 |
|
| 1562 |
1590 |
/* At this point we are bound to LDAP so the user was auth'd okay. Close connection. */
|
| 1563 |
1591 |
@ldap_unbind($ldap);
|
| 1564 |
1592 |
|
|
1593 |
if (isset($ldapgroupfilter) && $validgroup < 1) {
|
|
1594 |
return false;
|
|
1595 |
}
|
|
1596 |
|
| 1565 |
1597 |
return true;
|
| 1566 |
1598 |
}
|
| 1567 |
1599 |
|