1407 |
1407 |
}
|
1408 |
1408 |
$ldapauthcont = $authcfg['ldap_authcn'];
|
1409 |
1409 |
$ldapnameattribute = strtolower($authcfg['ldap_attr_user']);
|
|
1410 |
$ldapgroupattribute = $authcfg['ldap_attr_member'];
|
1410 |
1411 |
$ldapextendedqueryenabled = $authcfg['ldap_extended_enabled'];
|
1411 |
1412 |
$ldapextendedquery = $authcfg['ldap_extended_query'];
|
1412 |
1413 |
$ldapfilter = "";
|
1413 |
1414 |
if (!$ldapextendedqueryenabled) {
|
1414 |
1415 |
$ldapfilter = "({$ldapnameattribute}={$username})";
|
1415 |
1416 |
} else {
|
1416 |
|
$ldapfilter = "(&({$ldapnameattribute}={$username})({$ldapextendedquery}))";
|
|
1417 |
if (isset($authcfg['ldap_rfc2307'])) {
|
|
1418 |
$ldapfilter = "({$ldapnameattribute}={$username})";
|
|
1419 |
$ldapgroupfilter = "(&({$ldapgroupattribute}={$username})({$ldapextendedquery}))";
|
|
1420 |
} else {
|
|
1421 |
$ldapfilter = "(&({$ldapnameattribute}={$username})({$ldapextendedquery}))";
|
|
1422 |
}
|
1417 |
1423 |
}
|
1418 |
1424 |
$ldaptype = "";
|
1419 |
1425 |
$ldapver = $authcfg['ldap_protver'];
|
... | ... | |
1513 |
1519 |
/* Support legacy auth container specification. */
|
1514 |
1520 |
if (stristr($ldac_split, "DC=") || empty($ldapbasedn)) {
|
1515 |
1521 |
$search = @$ldapfunc($ldap, $ldac_split, $ldapfilter);
|
|
1522 |
if (isset($ldapgroupfilter)) {
|
|
1523 |
$groupsearch = @$ldapfunc($ldap, $ldac_split, $ldapgroupfilter);
|
|
1524 |
}
|
1516 |
1525 |
} else {
|
1517 |
1526 |
$search = @$ldapfunc($ldap, $ldapsearchbasedn, $ldapfilter);
|
|
1527 |
if (isset($ldapgroupfilter)) {
|
|
1528 |
$groupsearch = @$ldapfunc($ldap, $ldapsearchbasedn, $ldapgroupfilter);
|
|
1529 |
}
|
|
1530 |
}
|
|
1531 |
|
|
1532 |
if (isset($ldapgroupfilter) && !$groupsearch) {
|
|
1533 |
log_error(sprintf(gettext("Extended group search resulted in error: %s"), ldap_error($ldap)));
|
|
1534 |
continue;
|
1518 |
1535 |
}
|
1519 |
1536 |
if (!$search) {
|
1520 |
1537 |
log_error(sprintf(gettext("Search resulted in error: %s"), ldap_error($ldap)));
|
1521 |
1538 |
continue;
|
1522 |
1539 |
}
|
|
1540 |
if (isset($groupsearch)) {
|
|
1541 |
$validgroup = ldap_count_entries($ldap, $groupsearch);
|
|
1542 |
if ($debug) {
|
|
1543 |
log_auth(sprintf(gettext("LDAP group search: %s results."), $validgroup));
|
|
1544 |
}
|
|
1545 |
}
|
1523 |
1546 |
$info = ldap_get_entries($ldap, $search);
|
1524 |
1547 |
$matches = $info['count'];
|
1525 |
1548 |
if ($matches == 1) {
|
... | ... | |
1559 |
1582 |
log_auth(sprintf(gettext('Logged in successfully as %1$s via LDAP server %2$s with DN = %3$s.'), $username, $ldapname, $userdn));
|
1560 |
1583 |
}
|
1561 |
1584 |
|
|
1585 |
if ($debug && isset($ldapgroupfilter) && $validgroup < 1) {
|
|
1586 |
log_auth(sprintf(gettext('Logged in successfully as %1$s but did not match any field in extended query.'), $username));
|
|
1587 |
}
|
|
1588 |
|
1562 |
1589 |
/* At this point we are bound to LDAP so the user was auth'd okay. Close connection. */
|
1563 |
1590 |
@ldap_unbind($ldap);
|
1564 |
1591 |
|
|
1592 |
if (isset($ldapgroupfilter) && $validgroup < 1) {
|
|
1593 |
return false;
|
|
1594 |
}
|
|
1595 |
|
1565 |
1596 |
return true;
|
1566 |
1597 |
}
|
1567 |
1598 |
|