mirror of
https://github.com/nuxsmin/sysPass.git
synced 2026-03-13 03:46:58 +01:00
ac9f4543c1
Closes #15 Multiple users and groups can now be allowed to access to an account. Upgrade process (requires maintenance mode on). Split methods on new classes. Bugfixes.
204 lines
7.3 KiB
PHP
204 lines
7.3 KiB
PHP
<?php
|
|
|
|
/**
|
|
* sysPass
|
|
*
|
|
* @author nuxsmin
|
|
* @link http://syspass.org
|
|
* @copyright 2012 Rubén Domínguez nuxsmin@syspass.org
|
|
*
|
|
* This file is part of sysPass.
|
|
*
|
|
* sysPass is free software: you can redistribute it and/or modify
|
|
* it under the terms of the GNU General Public License as published by
|
|
* the Free Software Foundation, either version 3 of the License, or
|
|
* (at your option) any later version.
|
|
*
|
|
* sysPass is distributed in the hope that it will be useful,
|
|
* but WITHOUT ANY WARRANTY; without even the implied warranty of
|
|
* MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
|
|
* GNU General Public License for more details.
|
|
*
|
|
* You should have received a copy of the GNU General Public License
|
|
* along with sysPass. If not, see <http://www.gnu.org/licenses/>.
|
|
*
|
|
*/
|
|
defined('APP_ROOT') || die(_('No es posible acceder directamente a este archivo'));
|
|
|
|
/**
|
|
* Esta clase es la encargada de realizar la autentificación de usuarios de sysPass.
|
|
*/
|
|
class SP_Auth {
|
|
|
|
static $userLogin;
|
|
static $userPass;
|
|
static $userName;
|
|
static $userEmail;
|
|
|
|
/**
|
|
* @brief Autentificación de usuarios con LDAP
|
|
* @return bool
|
|
*/
|
|
public static function authUserLDAP() {
|
|
if (SP_Config::getValue('ldapenabled', 0) === 0 || !SP_Util::ldapIsAvailable()) {
|
|
return FALSE;
|
|
}
|
|
|
|
$searchBase = SP_Config::getValue('ldapbase');
|
|
$ldapserver = SP_Config::getValue('ldapserver');
|
|
$ldapgroup = SP_Config::getValue('ldapgroup');
|
|
$bindDN = SP_Config::getValue('ldapbinduser');
|
|
$bindPass = SP_Config::getValue('ldapbindpass');
|
|
|
|
if (!$searchBase || !$ldapserver || !$ldapgroup || !$bindDN || !$bindPass) {
|
|
return FALSE;
|
|
}
|
|
|
|
$ldapAccess = FALSE;
|
|
$message['action'] = __FUNCTION__;
|
|
|
|
// Conexión al servidor LDAP
|
|
if (!$ldapConn = @ldap_connect($ldapserver)) {
|
|
$message['text'][] = _('No es posible conectar con el servidor de LDAP') . " '" . $ldapserver . "'";
|
|
$message['text'][] = 'LDAP ERROR: ' . ldap_error($ldapConn) . '(' . ldap_errno($ldapConn) . ')';
|
|
|
|
SP_Common::wrLogInfo($message);
|
|
return FALSE;
|
|
}
|
|
|
|
@ldap_set_option($ldapConn, LDAP_OPT_NETWORK_TIMEOUT, 10); // Set timeout
|
|
@ldap_set_option($ldapConn, LDAP_OPT_PROTOCOL_VERSION, 3); // Set LDAP version
|
|
|
|
if (!@ldap_bind($ldapConn, $bindDN, $bindPass)) {
|
|
$message['text'][] = _('Error al conectar (bind)');
|
|
$message['text'][] = 'LDAP ERROR: ' . ldap_error($ldapConn) . '(' . ldap_errno($ldapConn) . ')';
|
|
|
|
SP_Common::wrLogInfo($message);
|
|
return FALSE;
|
|
}
|
|
|
|
$filter = '(&(|(samaccountname=' . self::$userLogin . ')(cn=' . self::$userLogin . '))(|(objectClass=inetOrgPerson)(objectClass=person)))';
|
|
$filterAttr = array("dn", "displayname", "samaccountname", "mail", "memberof", "lockouttime", "fullname", "groupmembership", "mail");
|
|
|
|
$searchRes = @ldap_search($ldapConn, $searchBase, $filter, $filterAttr);
|
|
|
|
if (!$searchRes) {
|
|
$message['text'][] = _('Error al buscar el DN del usuario');
|
|
$message['text'][] = 'LDAP ERROR: ' . ldap_error($ldapConn) . '(' . ldap_errno($ldapConn) . ')';
|
|
|
|
SP_Common::wrLogInfo($message);
|
|
return FALSE;
|
|
}
|
|
|
|
if (@ldap_count_entries($ldapConn, $searchRes) === 1) {
|
|
$searchUser = @ldap_get_entries($ldapConn, $searchRes);
|
|
|
|
if (!$searchUser) {
|
|
$message['text'][] = _('Error al localizar el usuario en LDAP');
|
|
$message['text'][] = 'LDAP ERROR: ' . ldap_error($ldapConn) . '(' . ldap_errno($ldapConn) . ')';
|
|
|
|
SP_Common::wrLogInfo($message);
|
|
return FALSE;
|
|
}
|
|
|
|
$userDN = $searchUser[0]["dn"];
|
|
}
|
|
|
|
if (@ldap_bind($ldapConn, $userDN, self::$userPass)) {
|
|
@ldap_unbind($ldapConn);
|
|
|
|
foreach ($searchUser as $entryValue) {
|
|
if (is_array($entryValue)) {
|
|
foreach ($entryValue as $entryAttr => $attrValue) {
|
|
if (is_array($attrValue)) {
|
|
if ($entryAttr == "groupmembership" || $entryAttr == "memberof") {
|
|
foreach ($attrValue as $group) {
|
|
if (is_int($group)) {
|
|
continue;
|
|
}
|
|
|
|
preg_match('/^cn=([\w\s-]+),.*/i', $group, $groupName);
|
|
|
|
// Comprobamos que el usuario está en el grupo indicado
|
|
if ($groupName[1] == $ldapgroup || $group == $ldapgroup) {
|
|
$ldapAccess = TRUE;
|
|
break;
|
|
}
|
|
}
|
|
} elseif ($entryAttr == "displayname" | $entryAttr == "fullname") {
|
|
self::$userName = $attrValue[0];
|
|
} elseif ($entryAttr == "mail") {
|
|
self::$userEmail = $attrValue[0];
|
|
} elseif ($entryAttr == "lockouttime") {
|
|
if ($attrValue[0] > 0)
|
|
return FALSE;
|
|
}
|
|
}
|
|
}
|
|
}
|
|
}
|
|
} else {
|
|
$message['text'][] = _('Error al conectar con el usuario');
|
|
$message['text'][] = 'LDAP ERROR: ' . ldap_error($ldapConn) . '(' . ldap_errno($ldapConn) . ')';
|
|
|
|
SP_Common::wrLogInfo($message);
|
|
return ldap_errno($ldapConn);
|
|
}
|
|
|
|
return $ldapAccess;
|
|
}
|
|
|
|
/**
|
|
* @brief Autentificación de usuarios con MySQL
|
|
* @return bool
|
|
*
|
|
* Esta función comprueba la clave del usuario. Si el usuario necesita ser migrado desde phpPMS,
|
|
* se ejecuta el proceso para actualizar la clave.
|
|
*/
|
|
public static function authUserMySQL() {
|
|
if (SP_Users::checkUserIsMigrate(self::$userLogin)) {
|
|
if (!SP_Users::migrateUser(self::$userLogin, self::$userPass)) {
|
|
return FALSE;
|
|
}
|
|
}
|
|
|
|
$query = "SELECT user_login,"
|
|
. "user_pass "
|
|
. "FROM usrData "
|
|
. "WHERE user_login = '" . DB::escape(self::$userLogin) . "' "
|
|
. "AND user_isMigrate = 0 "
|
|
. "AND user_pass = SHA1(CONCAT(user_hashSalt,'" . DB::escape(self::$userPass) . "')) LIMIT 1";
|
|
|
|
if (DB::doQuery($query, __FUNCTION__) === FALSE) {
|
|
return FALSE;
|
|
}
|
|
|
|
if (count(DB::$last_result) == 0) {
|
|
return FALSE;
|
|
}
|
|
|
|
return TRUE;
|
|
}
|
|
|
|
/**
|
|
* @brief Comprobar si un usuario está deshabilitado
|
|
* @return bool
|
|
*/
|
|
public static function checkUserIsDisabled() {
|
|
$query = "SELECT user_isDisabled "
|
|
. "FROM usrData "
|
|
. "WHERE user_login = '" . DB::escape(self::$userLogin) . "' LIMIT 1";
|
|
$queryRes = DB::getResults($query, __FUNCTION__);
|
|
|
|
if ($queryRes === FALSE) {
|
|
return FALSE;
|
|
}
|
|
|
|
if ($queryRes->user_isDisabled == 0) {
|
|
return FALSE;
|
|
}
|
|
|
|
return TRUE;
|
|
}
|
|
}
|