Diffstat (limited to 'libglue/auth.php')
-rw-r--r--libglue/auth.php399
1 files changed, 399 insertions, 0 deletions
diff --git a/libglue/auth.php b/libglue/auth.php
new file mode 100644
index 00000000..0ef41e8c
--- /dev/null
+++ b/libglue/auth.php
@@ -0,0 +1,399 @@
+<?
+/* ------------------- CVS INFO ----------------------
+ *
+ * $Source: /data/cvsroot/ampache/libglue/auth.php,v $
+ * last modified by $Author: vollmerk $ at $Date: 2003/11/27 10:19:28 $
+ *
+ * Libglue, a free php library for handling authentication
+ * and session management.
+ *
+ * Written and distributed by Oregon State University.
+ * http://oss.oregonstate.edu/libglue
+ *
+ * ---------------------------------------------------
+ */
+
+//
+// Attempt to authenticate using the services in
+// auth_methods, and returns an auth_config object
+// which describes the results of the authentication
+// attempt
+function authenticate($username, $password)
+{
+ // First thing to do is check for the gone fishing file:
+ $stopfile = libglue_param('stop_auth');
+ if ( file_exists($stopfile) )
+ {
+ echo "We should tell the users here that no one can log in.\n";
+ exit();
+ }
+
+ $methods = libglue_param('auth_methods');
+ if(!is_array($methods))
+ {
+ $auth = call_user_func("auth_$methods",$username,$password);
+ }
+ else
+ {
+ foreach($methods as $method)
+ {
+ $auth = call_user_func("auth_$method", $username,$password);
+ if($auth['success'] == 1) break;
+ }
+ }
+ return $auth;
+}
+
+function get_ldap_user ($username,$fields=0)
+{
+ $auth = array();
+
+ $auth_dn = libglue_param('ldap_auth_dn');
+ $user_dn = libglue_param('ldap_user_dn');
+ $filter = libglue_param('ldap_filter');
+ $host = libglue_param('ldap_host');
+ $pass = libglue_param('ldap_pass');
+ $ldapfields = libglue_param('ldap_fields');
+ $protocol = libglue_param('ldap_version');
+
+ // can we even connect?
+ if ( $ldap_link = @ldap_connect( $host ) )
+ {
+
+ //Snazzy new protocol stuff
+ if(!empty($protocol)) ldap_set_option($ldap_link,
+ LDAP_OPT_PROTOCOL_VERSION,
+ $protocol);
+
+ // now try and bind with system credentials for searching.
+ if ( @ldap_bind($ldap_link, $filter."".$auth_dn, $pass) )
+ {
+ // now search and retrieve our user data
+ $ldap_uid = libglue_param('ldap_uidfield');
+ $ldap_username = libglue_param('ldap_usernamefield');
+
+ //force uid and username to be part of the query
+ if(!in_array($ldap_uid,$ldapfields)) $ldapfields[] = $ldap_uid;
+ if(!in_array($ldap_username,$ldapfields)) $ldapfields[] = $ldap_username;
+
+ $sr = ldap_search($ldap_link, $user_dn, "(".$filter."".$username.")", $ldapfields, 0, 1);
+/* $sr = @ldap_search($ldap_link, $user_dn, "(".$filter."".$username.")");*/
+
+ //info will contain a 1-element array with our user's info
+ $info = ldap_get_entries($ldap_link, $sr);
+
+ foreach($ldapfields as $field)
+ {
+ $auth[$field] = $info[0][$field][0];
+ }
+ $sess_username = libglue_param('user_username');
+ $sess_id = libglue_param('user_id');
+ $auth[$sess_username] = $username;
+ $auth[$sess_id] = $info[0][$ldap_uid][0];
+ }
+
+ //
+ // Here means we couldn't use the service.
+ // So it's most likely config related.
+ // Check the username and password?
+ //
+ else
+ { $auth['error'] = libglue_param('bad_auth_cred'); }
+ }
+
+ //
+ // This most often will mean we can't reach the server.
+ // Perhaps it's down, or we mistyped the address.
+ //
+ else
+ { $auth['error'] = libglue_param('connect_error'); }
+
+ // Done with the link, give it back
+ ldap_close($ldap_link);
+
+ $auth_methods = libglue_param('auth_methods');
+ if(!is_array($auth_methods)) $auth_methods = array($auth_methods);
+ if(in_array('sso',$auth_methods,TRUE)) $auth['type'] = 'sso';
+ else $auth['type'] = 'ldap';
+ return $auth;
+}
+
+function get_mysql_user ($username,$fields=null)
+{
+ $auth = array();
+ $dbh = dbh();
+ $user_table = libglue_param('mysql_table');
+ $mysql_uid = libglue_param('mysql_uidfield');
+ $mysql_username = libglue_param('mysql_usernamefield');
+ $mysql_fields = libglue_param('mysql_fields');
+ $sql = "SELECT ";
+ if(is_null($fields)) $sql .= " * ";
+ else
+ {
+ if(!is_array($fields)) $fields = array($fields);
+ foreach($fields as $field)
+ {
+ $sql .= "$field,";
+ }
+ $sql = substr($sql, 0, strlen($sql)-1);
+ }
+
+ $sql .= " FROM $user_table WHERE $mysql_username = '$username'";
+ $result = mysql_query($sql, $dbh);
+
+ foreach($ldapfields as $field)
+ {
+ $auth[$field] = $info[0][$field][0];
+ }
+ $sess_username = libglue_param('user_username');
+ $sess_id = libglue_param('user_id');
+ $auth[$sess_username] = $username;
+ $auth[$sess_id] = $info[0][$ldap_uid][0];
+
+ $auth['type'] = 'mysql';
+ return $auth;
+}
+
+
+function auth_ldap ($username, $password)
+{
+ $auth = array();
+ $auth['success'] = 0; // don't want to keep setting this
+ $auth_dn = libglue_param('ldap_auth_dn');
+ $user_dn = libglue_param('ldap_user_dn');
+ $filter = libglue_param('ldap_filter');
+ $host = libglue_param('ldap_host');
+ $pass = libglue_param('ldap_pass');
+ $ldapfields = libglue_param('ldap_fields');
+ // Did we get fed proper variables?
+ if(!$username || !$password)
+ {
+ $auth['error'] = libglue_param('empty_field');
+ // I'm not a huge fan of returning here,
+ // but why force more logic?
+ return $auth;
+ }
+
+ // can we even connect?
+ if ( $ldap_link = @ldap_connect( $host ) )
+ {
+ // now try and bind with system credentials for searching.
+ if ( @ldap_bind($ldap_link, $filter."".$auth_dn, $pass) )
+ {
+ // now search and retrieve our user data
+ $ldap_uid = libglue_param('ldap_uidfield');
+ $ldap_username = libglue_param('ldap_usernamefield');
+
+ //force uid and username to be part of the query
+ if(!in_array($ldap_uid,$ldapfields)) $ldapfields[] = $ldap_uid;
+ if(!in_array($ldap_username,$ldapfields)) $ldapfields[] = $ldap_username;
+
+ $sr = ldap_search($ldap_link, $user_dn, "(".$filter."".$username.")", $ldapfields, 0, 1);
+ //info will contain a 1-element array with our user's info
+ $info = @ldap_get_entries($ldap_link, $sr);
+
+ //
+ // The real authentication:
+ // binding here with the user's credentials
+ //
+ //if ( ldap_bind($ldap_link, $user_dn, $password) ) {
+ if ( ($info["count"] == 1) && (@ldap_bind($ldap_link,
+ $info[0]['dn'],
+ $password) ) )
+ {
+ $auth['info'] = array();
+ foreach($ldapfields as $field)
+ {
+ $auth['info'][$field] = $info[0][$field][0];
+ }
+ $sess_username = libglue_param('user_username');
+ $sess_id = libglue_param('user_id');
+ $auth['info'][$sess_username] = $username;
+ $auth['info'][$sess_id] = $info[0][$ldap_uid][0];
+ $auth['success'] = 1;
+ }
+ else
+ {
+ // show the error here, better than anything I can come up with
+ // most likely bad username or password
+ // We'll handle two cases, where the username doesn't exist,
+ // and where more than 1 exists separately in case we
+ // decide to do some logging or something fancy someday
+ if($info["count"] == 0)
+ {
+ $auth['error'] = libglue_param('login_failed');
+ }
+ else
+ {
+ // We could return the error here
+ // EXCEPT that we want the error message to be the same
+ // for a bad password as a bad username
+ // $auth->error = ldap_error($ldap_link);
+ $auth['error'] = libglue_param('login_failed');
+ }
+ }
+ }
+
+ //
+ // Here means we couldn't use the service.
+ // So it's most likely config related.
+ // Check the username and password?
+ //
+ else
+ {
+ $auth['error'] = libglue_param('bad_auth_cred');
+ }
+ }
+
+ //
+ // This most often will mean we can't reach the server.
+ // Perhaps it's down, or we mistyped the address.
+ //
+ else
+ {
+ $auth['error'] = libglue_param('connect_error');
+ }
+
+ // Done with the link, give it back
+ ldap_close($ldap_link);
+ $auth['type'] = 'ldap';
+ return $auth;
+}
+
+/*
+ * MySQL authentication.
+ * returns true/false depending on whether the user was authenticated
+ * successfully
+ * The crypt settings below assume the php crypt() function created the passwords.
+ * But hopson updated it to use mysql PASSWORD() instead
+ */
+
+function auth_mysql($username, $password) {
+
+ $auth = array();
+ $auth['success'] = 0;
+
+ // Did we get fed proper variables?
+ if(!$username or !$password) {
+ $auth['error'] = 'Empty username/password';
+ return $auth;
+ }
+
+ //
+ // Retrieve config parameters set in config.php
+ //
+ $dbhost = libglue_param('mysql_host');
+ $dbuser = libglue_param('mysql_user');
+ $dbpass = libglue_param('mysql_pass');
+ $dbname = libglue_param('mysql_db');
+ $passfield = libglue_param('mysql_passcol');
+ $table = libglue_param('mysql_table');
+ $usercol = libglue_param('mysql_usercol');
+ $other = libglue_param('mysql_other');
+ $fields = libglue_param('mysql_fields');
+
+
+ $mysql_uidfield = libglue_param('mysql_uidfield');
+ $mysql_usernamefield = libglue_param('mysql_usernamefield');
+
+ if(!preg_match("/$mysql_uidfield/",$fields)) $fields .= ",$mysql_uidfield";
+ if(!preg_match("/$mysql_usernamefield/",$fields)) $fields .= ",$mysql_usernamefield";
+
+ if($other == '') $other = '1=1';
+
+ if ($mysql_link = @mysql_connect($dbhost,$dbuser,$dbpass))
+ {
+ //
+ // now retrieve the stored password to use as salt
+ // for password checking
+ //
+ $sql = "SELECT $passfield FROM $table" .
+ " WHERE $usercol = '$username' " .
+ " AND $other LIMIT 1";
+ @mysql_select_db($dbname, $mysql_link);
+ $result = @mysql_query($sql, $mysql_link);
+ $row = @mysql_fetch_array($result);
+
+ $password_check_sql = "PASSWORD('$password')";
+
+ $sql = "SELECT version()";
+ $db_results = @mysql_query($sql, $mysql_link);
+ $version = @mysql_fetch_array($db_results);
+
+ $mysql_version = substr(preg_replace("/(\d+)\.(\d+)\.(\d+).*/","$1$2$3",$version[0]),0,3);
+
+ if ($mysql_version > "409" AND substr($row[0],0,1) !== "*") {
+ $password_check_sql = "OLD_PASSWORD('$password')";
+ }
+
+ $sql = "SELECT $fields FROM $table" .
+ " WHERE $usercol = '$username'" .
+ " AND $passfield = $password_check_sql" .
+ " AND $other LIMIT 1";
+ $rs = @mysql_query($sql, $mysql_link);
+ //This should only fail on a badly formed query.
+ if(!$rs)
+ {
+ $auth['error'] = @mysql_error();
+ }
+
+ //
+ // Retrieved the right info, set auth->success and info.
+ //
+ if (@mysql_num_rows($rs) == 1)
+ {
+ // username and password are successful
+ $row = mysql_fetch_array($rs);
+ $sess_username = libglue_param('user_username');
+ $sess_id = libglue_param('user_id');
+ $auth[$info][$sess_username] = $row[$mysql_usernamefield];
+ $auth[$info][$sess_id] = $row[$mysql_uidfield];
+ $auth[$info] = $row;
+ $auth['info'] = $row;
+ $auth['success'] = 1;
+ }
+
+ //
+ // We didn't find anything matching. No user, bad password, ?
+ //
+ else
+ {
+ $auth['error'] = libglue_param('login_failed');
+ }
+ }
+
+ //
+ // Couldn't connect to database at all.
+ //
+ else
+ {
+ $auth['error'] = libglue_param('bad_auth_cred');
+ }
+
+ $auth['type'] = 'mysql';
+ return $auth;
+
+} // auth_mysql
+
+
+function auth_sso ($username, $password)
+{
+ $auth = new auth_response();
+ $auth->success = 0;
+ $auth->error = "SSO Authentication failed.";
+ return $auth;
+}
+
+// This is the auth_response class that will be returned during
+// and authentication - this allows us to set some variables
+// by the session for later lookup
+class auth_response {
+ var $username;
+ var $userid;
+ var $error;
+ var $success;
+ var $info;
+}
+
+
+?>
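Review bot: `$username` and `$password` are interpolated unescaped into every query auth_mysql builds (the `$passfield` lookup, `PASSWORD('$password')` / `OLD_PASSWORD('$password')`, and the final `SELECT $fields ... WHERE $usercol = '$username'`), so the login query is injectable from the login form; after `mysql_connect` succeeds and before the first `$sql` is assembled, add `$username = mysql_real_escape_string($username, $mysql_link);` and `$password = mysql_real_escape_string($password, $mysql_link);` (the same unescaped `'$username'` appears in get_mysql_user). The LDAP side has the equivalent problem in auth_ldap and get_ldap_user, where `"(".$filter."".$username.")"` is built from the raw username, so filter metacharacters (`*`, `(`, `)`, `\`, NUL) need escaping before `ldap_search` — `ldap_escape()` does this on PHP 5.6+, earlier runtimes need a local equivalent. Separately, the success branch of auth_mysql writes `$auth[$info][...]` with `$info` never assigned in that function, and get_mysql_user loops over `$ldapfields` and reads `$info[0][$ldap_uid][0]`, neither of which is set there, so the function never returns the row it queried; that loop should read from `$result` via `mysql_fetch_array`. Both LDAP functions also call `ldap_close($ldap_link)` unconditionally, which runs on a `false` link when `ldap_connect` failed; moving the close inside the connect branch avoids the warning.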