<?php
# USER login default
# for other methods, expand this file and configure it in the config part
# --> AUTH_TYPE

# what this script must have done by the time it finishes:
# - check username and password
# - set $_SESSION['group'] to GROUP_USER or GROUP_ADMIN
# - optional:
#   - $_SESSION['username'] for "welcome username" and history entries

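NConf_DEBUG::open_group("Authentication");
# authentication type
message($debug, "Authentication type: ".AUTH_TYPE);
message($debug, "Encryption type: ".PASSWD_ENC);

# Handle loginname
# With AUTH_METHOD "basic" the web server has already collected the credentials
# (HTTP Basic authentication); copy them into the variables the checks below read.
# In every case a missing or non-string value (e.g. username[]=...) becomes "", so
# the authentication branches never work on an undefined index or an array.
if ( defined("AUTH_METHOD") AND AUTH_METHOD === "basic") {
    message($debug, "Auth method: ".AUTH_METHOD);
    $user_loginname    = (isset($_SERVER['PHP_AUTH_USER']) AND is_string($_SERVER['PHP_AUTH_USER'])) ? $_SERVER['PHP_AUTH_USER'] : "";
    $_POST["password"] = (isset($_SERVER['PHP_AUTH_PW'])   AND is_string($_SERVER['PHP_AUTH_PW']))   ? $_SERVER['PHP_AUTH_PW']   : "";
}else{
    $user_loginname = (isset($_POST["username"]) AND is_string($_POST["username"])) ? $_POST["username"] : "";
}
# the password is read as $_POST["password"] by every AUTH_TYPE branch below
if ( !isset($_POST["password"]) OR !is_string($_POST["password"]) ){
    $_POST["password"] = "";
}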



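# prepare password function
#
# Normalises a stored password value of the form "{type}secret"
# (e.g. "{crypt}...", "{md5}...", "{clear}..."):
#   - the "{type}" prefix is upper-cased ("{crypt}" -> "{CRYPT}"), the spelling the
#     later comparisons expect
#   - a "{CLEAR}" prefix is always dropped; with $clean = TRUE every prefix is
#     dropped, so only the secret part is returned
# Values without such a prefix, and non-string values (e.g. FALSE from a failed
# lookup), are returned unchanged.
function prepare_password ($password, $clean = FALSE){
    # only a string can carry a "{type}" prefix
    if ( !is_string($password) ){
        return $password;
    }

    # will find [0]:whole string, [1]:crypt type, [2]:password
    # the prefix ends at the first "}", so a "}" inside the secret is not swallowed
    if ( !preg_match('/^(\{[^}]*\})(.*)/', $password, $matched) ){
        return $password;
    }

    $crypt = strtoupper($matched[1]);
    $pw    = $matched[2];

    if ( $crypt === "{CLEAR}" OR $clean ){
        # {Clear} info is not needed. cut away!
        return $pw;
    }
    return $crypt.$pw;
}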

# See what encryption is supported, perhaps for later use...
# (PHP 5 >= 5.1.2, PECL hash >= 1.1)
#NConf_DEBUG::set(hash_algos(), 'DEBUG', "Available hash algorithms");
#
# echo("DES is " . CRYPT_STD_DES."<br>Extended DES is ".CRYPT_EXT_DES."<br>MD5 is ".CRYPT_MD5."<br>BlowFish is ".CRYPT_BLOWFISH);


##
##
##
##############################################################################################
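# Values shared by all AUTH_TYPE branches.
# $user_loginname is prepared by the login-name handling above; normalise it here as well
# so this section is safe on its own. The submitted password becomes "" when it is absent
# or not a plain string (e.g. password[]=...).
if ( !isset($user_loginname) OR !is_string($user_loginname) ){
    $user_loginname = "";
}
$submitted_pw = (isset($_POST["password"]) AND is_string($_POST["password"])) ? $_POST["password"] : "";

if (AUTH_TYPE === "file"){
    ##############################################################################################
    # AUTH_TYPE "file": accounts are read from config/.file_accounts.php, one per line:
    #   login::password::group[::display name]
    # Blank lines and lines starting with '#', '/*', '*/', '<?' or '?>' are ignored.
    $filename = "config/.file_accounts.php";
    $file = file_exists($filename) ? fopen($filename, "r") : FALSE;
    if ( $file ){
        # login name => array("password" => ..., "group" => ..., "name" => ...)
        $user_array = array();
        while ( ($row = fgets($file)) !== FALSE ) {
            # drop the line terminator, otherwise the last field carries it into the session
            $row = rtrim($row, "\r\n");
            # Do not use commented rows(#) or blank rows
            if ( trim($row) === "" OR preg_match("/^\s*(#|\/\*|\*\/|<\?|\?>)/", $row) ){
                continue;
            }
            $user = explode("::", $row);
            if ( count($user) < 3 ){
                # login::password::group is the minimum, anything shorter cannot be used
                message($debug, "Skipping malformed account row in ".$filename);
                continue;
            }
            # check uppercase crypt part, remove {CLEAR} if exists
            $password = prepare_password($user[1], TRUE);

            $user_array[$user[0]] = array(
                "password" => $password,
                "group"    => $user[2],
                "name"     => isset($user[3]) ? $user[3] : "",
            );
        }
        fclose($file);

        # Authentification
        if ( $user_loginname !== "" AND isset($user_array[$user_loginname]) ){
            $account = $user_array[$user_loginname];
            # the stored hash itself is deliberately kept out of the debug output
            message($debug, "account found for user: ".$user_loginname);
            $user_pwd = encrypt_password($submitted_pw, FALSE, $account["password"]);
            # strict comparison: with '==' two numeric-looking strings (e.g. "0e123..." hashes)
            # compare equal even when they differ
            if ( $account["password"] === $user_pwd ){
                #pw ok, set group
                $_SESSION['group'] = $account["group"];

                # get Welcome name
                if ( (AUTH_FEEDBACK_AS_WELCOME_NAME == 1) AND !empty($account["name"]) ){
                    $_SESSION["userinfos"]['username'] = $account["name"];
                }else{
                    $_SESSION["userinfos"]['username'] = $user_loginname;
                }
            }else{
                #PW not ok, login failed
                message('ERROR', TXT_LOGIN_FAILED);
            }
        }else{
            #User not found (same message as for a wrong password, so the form does not reveal which)
            message('ERROR', TXT_LOGIN_FAILED);
        }

    }else{
        #FILE not found
        message('ERROR', "Account-file not found : $filename");
    }


##############################################################################################

}elseif (AUTH_TYPE === "sql"){
    ##########
    # login check function
    #
    # Runs $sqlquery through db_handler() in 'getOne' mode. When AUTH_DBNAME is defined the
    # external AUTH_DB* database is used (own mysql link, closed again afterwards), otherwise
    # the NConf database connection.
    #   $login = FALSE : returns the single value the query fetched, FALSE when nothing matched
    #   $login = TRUE  : a non-empty result counts as a successful login; the welcome name is
    #                    stored in $_SESSION["userinfos"]['username'] and TRUE is returned,
    #                    FALSE otherwise
    #   $username      : login name used as welcome name when the query delivers none;
    #                    NULL falls back to $_POST["username"], which is not set when
    #                    AUTH_METHOD is "basic", so callers should pass the login name
    # NOTE(review): the mysql_* extension used here was removed in PHP 7; the DB layer
    # (db_handler) has to move to mysqli/PDO before this branch can run there.
    function auth_by_sql($sqlquery, $login = FALSE, $username = NULL){
        # Connect to external database if given
        if ( defined("AUTH_DBNAME") ){
            # if AUTH config is given, use it
            $auth_db_link = mysql_connect(AUTH_DBHOST, AUTH_DBUSER, AUTH_DBPASS, TRUE);
            if ( !$auth_db_link OR !mysql_select_db(AUTH_DBNAME, $auth_db_link) ){
                # without the auth database no query can run: treat as "not authenticated"
                NConf_DEBUG::set("Cannot connect to authentication database ".AUTH_DBNAME, 'ERROR');
                return FALSE;
            }
            $result = db_handler($sqlquery, 'getOne', "Authentication by sql");
            mysql_close($auth_db_link);
        }else{
            # otherwise just use the NConf DB connection
            $result = db_handler($sqlquery, 'getOne', "Authentication by sql using NConf DB");
        }

        if ( !$result ){
            return FALSE;
        }
        if ( $login === TRUE ){
            if ( $username === NULL ){
                $username = isset($_POST["username"]) ? $_POST["username"] : "";
            }
            # get Welcome name
            if ( (AUTH_FEEDBACK_AS_WELCOME_NAME == 1) AND !empty($result) ){
                $_SESSION["userinfos"]['username'] = $result;
            }else{
                $_SESSION["userinfos"]['username'] = $username;
            }
            return TRUE;
        }
        if ( $login === FALSE ){
            return $result;
        }
        return FALSE;
    }
    ##########

    # The login name is placed inside SQL string literals below: escape it once, up front,
    # before any authentication query runs (see the DB reload at the end of this branch:
    # the NConf DB connection may not survive the queries).
    $sql_user_loginname = escape_string($user_loginname);

    if (PASSWD_ENC === "crypt"){
        # fetch the stored hash first: it serves as the salt for the submitted password
        $sql_get_password = 'SELECT attr_value AS user_password, fk_id_item AS user_id
                FROM ConfigAttrs, ConfigValues, ConfigClasses
                WHERE id_attr = fk_id_attr
                AND id_class = fk_id_class
                AND config_class = "contact"
                AND attr_name = "user_password"
                HAVING fk_id_item = ( 
                    SELECT fk_id_item
                    FROM ConfigAttrs, ConfigValues, ConfigClasses
                    WHERE id_attr = fk_id_attr
                    AND id_class = fk_id_class
                    AND config_class = "contact"
                    AND fk_id_item = user_id
                    AND attr_name = "contact_name"
                    AND attr_value = "'.$sql_user_loginname.'" )'; 
        $user_password = auth_by_sql($sql_get_password);
        # clean {CRYPT}
        $password = prepare_password($user_password, TRUE);
        # encrypt password with saved password (as salt)
        $user_pwd = encrypt_password($submitted_pw, TRUE, $password);
        # expected to be a crypt() hash, which contains no quote or backslash characters;
        # it goes into the query template as is (escape_string() may have no usable DB
        # link any more after the lookup above)
        $sql_user_pwd = $user_pwd;
    }else{
        $user_pwd = encrypt_password($submitted_pw);
        # depending on PASSWD_ENC this may still be the raw submitted value: escape it too
        $sql_user_pwd = escape_string((string) $user_pwd);
    }

    # Prepare querys
    # !!!USERNAME!!! and !!!PASSWORD!!! receive the escaped values prepared above, so a quote
    # typed into the login form cannot change the meaning of the configured query
    $auth_sqlquery_USER = str_replace(
        array("!!!USERNAME!!!", "!!!PASSWORD!!!"),
        array($sql_user_loginname, $sql_user_pwd),
        AUTH_SQLQUERY_USER
    );
    $auth_sqlquery_ADMIN = FALSE;
    if ( defined("AUTH_SQLQUERY_ADMIN") ){
        $auth_sqlquery_ADMIN = str_replace(
            array("!!!USERNAME!!!", "!!!PASSWORD!!!"),
            array($sql_user_loginname, $sql_user_pwd),
            AUTH_SQLQUERY_ADMIN
        );
    }

    # Authentification
    # the admin query is tried first, so an account matching both ends up as admin
    if ( $auth_sqlquery_ADMIN !== FALSE AND auth_by_sql($auth_sqlquery_ADMIN, TRUE, $user_loginname) ){
        $_SESSION['group'] = GROUP_ADMIN;
        NConf_DEBUG::set("admin", 'DEBUG', 'Group permissions:');
    }elseif ( auth_by_sql($auth_sqlquery_USER, TRUE, $user_loginname) ){
        $_SESSION['group'] = GROUP_USER;
        NConf_DEBUG::set("user", 'DEBUG', 'Group permissions:');
    }else{
        message('ERROR', TXT_LOGIN_FAILED);
    }

    # needed database reload, otherwise the connection is lost
    relaod_nconf_db_connection();

##############################################################################################

}elseif (AUTH_TYPE === "ldap") {
    $ldapconnection = ldap_connect(LDAP_SERVER, LDAP_PORT);
    ldap_set_option($ldapconnection, LDAP_OPT_PROTOCOL_VERSION, 3);

    # Check ldap connection
    # (ldap_connect() does not contact the server yet; the first real round trip is ldap_bind())
    if($ldapconnection) {
        NConf_DEBUG::set("success", 'DEBUG', 'ldap connection');

        # Try to logon user to ldap
        # The login name becomes part of a DN: escape the DN special characters where the
        # runtime offers ldap_escape() (PHP >= 5.6); older runtimes bind with the raw value.
        $ldap_login = function_exists('ldap_escape')
            ? ldap_escape($user_loginname, '', LDAP_ESCAPE_DN)
            : $user_loginname;
        $ldap_user_dn = str_replace(USER_REPLACEMENT, $ldap_login, BASE_DN);
        NConf_DEBUG::set($ldap_user_dn, 'DEBUG', 'ldap user dn');

        # Never bind with an empty login or password: directories commonly treat an empty
        # password as an anonymous bind, which would look like a successful login here.
        $user_pwd = $submitted_pw;
        $ldap_response = FALSE;
        if ( $user_loginname !== "" AND $user_pwd !== "" ){
            $ldap_response = @ldap_bind($ldapconnection, $ldap_user_dn, $user_pwd);
        }
        if($ldap_response) {
            NConf_DEBUG::set("success", 'DEBUG', 'ldap bind');
            # If user login was successfull, look for group
            # admins are in group : ADMIN_GROUP
            # normal nconf user are in group : USER_GROUP
            # all other do not have access

            # AdminUsers
            $sr = ldap_search($ldapconnection, GROUP_DN, ADMIN_GROUP);
            $results = ldap_get_entries($ldapconnection, $sr);
            # debug
            $debug_entry = NConf_HTML::swap_content($results, "<b>LDAP</b> ldap_get_entries:", FALSE, FALSE);
            message($debug, $debug_entry);

            # memberuid values of the admin group; empty when the group or attribute is missing
            $Admin_user_array = isset($results[0]["memberuid"]) ? $results[0]["memberuid"] : array();
            # remove field count
            unset($Admin_user_array["count"]);

            # BasicUsers
            $sr = ldap_search($ldapconnection, GROUP_DN, USER_GROUP);
            $results = ldap_get_entries($ldapconnection, $sr);
            $Basic_user_array = isset($results[0]["memberuid"]) ? $results[0]["memberuid"] : array();
            # remove field count
            unset($Basic_user_array["count"]);

            # Users Infos (only the attributes needed for the welcome name)
            $justthese = array("cn");
            $sr = ldap_read($ldapconnection, $ldap_user_dn, "(objectclass=*)", $justthese);
            $results = ldap_get_entries($ldapconnection, $sr);

            # get Welcome name
            if ( (AUTH_FEEDBACK_AS_WELCOME_NAME == 1) AND !empty($results[0]["cn"][0]) ){
                $_SESSION["userinfos"]["username"] = $results[0]["cn"][0];
            }else{
                $_SESSION["userinfos"]['username'] = $user_loginname;
            }

            #Check if user is in Admin userlist, then in Basic userlist
            #(strict: memberuid values and the login name are both strings)
            if ( in_array($user_loginname, $Admin_user_array, TRUE) ){
                $_SESSION['group'] = GROUP_ADMIN;
                message($info, $_SESSION["group"].' access granted', "yes");
            }elseif ( in_array($user_loginname, $Basic_user_array, TRUE) ){
                $_SESSION['group'] = GROUP_USER;
                message($info, $_SESSION["group"].' access granted', "yes");
            }else{
                message('ERROR', TXT_LOGIN_NOT_AUTHORIZED);
            }

        } else {

            NConf_DEBUG::set("failed", 'DEBUG', 'ldap bind');
            message('ERROR', TXT_LOGIN_FAILED);

        }

    } else {

        NConf_DEBUG::set("could not connect", 'DEBUG', 'ldap connection');
        message('ERROR', "Cannot connect to LDAP server");

    }


}elseif (AUTH_TYPE === "ad_ldap") {
    $ldapconnection = ldap_connect(AD_LDAP_SERVER, AD_LDAP_PORT);
    NConf_DEBUG::set(AD_LDAP_SERVER, 'DEBUG', 'AD LDAP SERVER');
    ldap_set_option($ldapconnection, LDAP_OPT_PROTOCOL_VERSION, 3);

    # Try to logon user to ldap
    # NOTE(review): the login name is inserted without DN escaping because AD_BASE_DN may be a
    # UPN or "DOMAIN\user" pattern rather than a DN (DN escaping would turn the backslash into
    # "\5c" and break such logins) -- confirm against the deployed configuration.
    $ldap_user_dn = str_replace(USER_REPLACEMENT, $user_loginname, AD_BASE_DN);
    NConf_DEBUG::set($ldap_user_dn, 'DEBUG', 'ldap user dn');

    # as in the "ldap" branch: an empty password must not reach ldap_bind() (anonymous bind)
    $user_pwd = $submitted_pw;
    $ldap_response = FALSE;
    if ( $user_loginname !== "" AND $user_pwd !== "" ){
        $ldap_response = @ldap_bind($ldapconnection, $ldap_user_dn, $user_pwd);
    }

    if($ldap_response) {
        NConf_DEBUG::set("success", 'DEBUG', 'ldap bind');
        # If user login was successfull, look for group
        # admins are in group : AD_ADMIN_GROUP
        # normal nconf user are in group : AD_USER_GROUP
        # all other do not have access
        # The group filters below are built from configuration constants only, never from
        # the submitted login name.

        # check if user is member of admin group
        $admin_group_dn = AD_ADMIN_GROUP;
        if ( AD_GROUP_DN != "" ){
            $admin_group_dn .= ','.AD_GROUP_DN;
        }
        NConf_DEBUG::set($admin_group_dn, 'DEBUG', 'admin_group_dn');

        if (AD_ADMIN_GROUP == "" AND AD_USER_GROUP == ""){
            # no groups configured: the bind succeeded but no NConf group can be assigned,
            # so the login stays denied; dump the entry to help the admin pick the groups
            $userattrs = ldap_search($ldapconnection, $ldap_user_dn, "(objectclass=*)" );
            $userattrs_result = ldap_get_entries($ldapconnection, $userattrs);
            NConf_DEBUG::set($userattrs_result, 'DEBUG', 'user authenticated (limited)' );
            NConf_DEBUG::set("please have a look at the content in the previous message to get more information about the user (look for the memberof attribute to get the groups of the authenticated user)", 'DEBUG', "information for the admin");
        }else{
            $userattrs = ldap_search($ldapconnection, $ldap_user_dn, '('.AD_GROUP_ATTRIBUTE.'='.$admin_group_dn.')' );
            $userattrs_result = ldap_get_entries($ldapconnection, $userattrs);
            NConf_DEBUG::set($userattrs_result, 'DEBUG', 'check "admin" group permission');
            if ($userattrs_result["count"] == 1){
                # user identified as admin
                $_SESSION['group'] = GROUP_ADMIN;
                NConf_DEBUG::set('', 'INFO', $_SESSION["group"].' access granted');

            }else{
                # not an admin: check if user is member of the normal user group
                $user_group_dn = AD_USER_GROUP;
                if ( AD_GROUP_DN != "" ){
                    $user_group_dn .= ','.AD_GROUP_DN;
                }
                NConf_DEBUG::set($user_group_dn, 'DEBUG', 'user_group_dn');

                $userattrs = ldap_search($ldapconnection, $ldap_user_dn, '('.AD_GROUP_ATTRIBUTE.'='.$user_group_dn.')' );
                $userattrs_result = ldap_get_entries($ldapconnection, $userattrs);
                NConf_DEBUG::set($userattrs_result, 'DEBUG', 'check "user" group permission');
                if ($userattrs_result["count"] == 1){
                    $_SESSION['group'] = GROUP_USER;
                    NConf_DEBUG::set('', 'INFO', $_SESSION["group"].' access granted');
                }else{
                    NConf_DEBUG::set(TXT_LOGIN_NOT_AUTHORIZED, 'ERROR');
                }
            }

        }

        # Users Infos
        # get Welcome name (from the entry returned by the last search above)
        if ( (AUTH_FEEDBACK_AS_WELCOME_NAME == 1) AND !empty($userattrs_result[0][AD_USERNAME_ATTRIBUTE][0]) ){
            $_SESSION["userinfos"]["username"] = $userattrs_result[0][AD_USERNAME_ATTRIBUTE][0];
        }else{
            $_SESSION["userinfos"]['username'] = $user_loginname;
        }

    } else {

        NConf_DEBUG::set("Can not connect to active directory server", 'DEBUG', 'ldap bind');
        NConf_DEBUG::set(ldap_error($ldapconnection), 'DEBUG', "error message") ;
        NConf_DEBUG::set(TXT_LOGIN_FAILED, 'ERROR');

    }



}else{
    # no AUTH TYPE matched.. cant login :

    NConf_DEBUG::set("No authentication type set in config, login restricted", 'ERROR');

}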


// Log to history
# A group in the session is the only marker of a successful login; record the
# outcome either way, naming the submitted login on denial.
$login_granted = !empty($_SESSION["group"]);
if ($login_granted) {
    $history_entry = "access granted (".$_SESSION['group'].")";
} else {
    $history_entry = "access denied (user: ".$user_loginname.")";
}
history_add("general", "login", $history_entry);
NConf_DEBUG::close_group();
?>