| <?php |
| /* |
| * Licensed to the Apache Software Foundation (ASF) under one or more |
| * contributor license agreements. See the NOTICE file distributed with |
| * this work for additional information regarding copyright ownership. |
| * The ASF licenses this file to You under the Apache License, Version 2.0 |
| * (the "License"); you may not use this file except in compliance with |
| * the License. You may obtain a copy of the License at |
| * |
| * http://www.apache.org/licenses/LICENSE-2.0 |
| * |
| * Unless required by applicable law or agreed to in writing, software |
| * distributed under the License is distributed on an "AS IS" BASIS, |
| * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. |
| * See the License for the specific language governing permissions and |
| * limitations under the License. |
| */ |
| /** |
| * |
| * @package Org_Apache_Oodt_Security |
| * @author Chris A. Mattmann |
| * @author Andrew F. Hart |
| * @version $Revision$ |
| * |
| * PHP Single Sign On Library for EDRN PHP-based products. |
| * |
| */ |
| |
| class Org_Apache_Oodt_Security_SingleSignOn { |
| |
| private $connectionStatus; |
| |
| private $conn; |
| |
| public function __construct() { |
| $this->connectionStatus = 1; |
| } |
| |
| public function getCurrentUsername() { |
| return $this->getSingleSignOnUsername(); |
| } |
| |
| public function isLoggedIn() { |
| return ($this->getSingleSignOnUsername() != null); |
| } |
| |
| public function login($username, $password) { |
| // first check to see if we are already signed in |
| if ($this->getSingleSignOnUsername() <> "" |
| && strcmp($this->getSingleSignOnUsername(), $username) == 0) { |
| // we're logged in already |
| return true; |
| } else { |
| // log in via LDAP |
| $ldaprdn = "uid=" . $username . ',' . SSO_BASE_DN; |
| $ldappass = $password; |
| |
| // connect to ldap server |
| $ldapconn = $this->connect(SSO_LDAP_HOST, SSO_LDAP_PORT); |
| if ($ldapconn) { |
| |
| // binding to ldap server |
| $ldapbind = @ ldap_bind($ldapconn, $ldaprdn, $ldappass); |
| |
| // verify binding |
| if ($ldapbind) { |
| $this->createSingleSignOnCookie($username, $password); |
| return true; |
| } else { |
| return false; |
| } |
| |
| } else { |
| $this->connectionStatus = 0; |
| return false; |
| } |
| } |
| |
| } |
| |
| public function logout() { |
| $this->clearSingleSignOnInfo(); |
| } |
| |
| public function getLastConnectionStatus() { |
| return ($this->connectionStatus == 1); |
| } |
| |
| public function retrieveGroupsForUser($username,$searchDirectory = SSO_BASE_DN) { |
| // attempt to connect to ldap server |
| $ldapconn = $this->connect(SSO_LDAP_HOST,SSO_LDAP_PORT); |
| $groups = array(); |
| if ($ldapconn) { |
| $filter = "(&(objectClass=groupOfUniqueNames)" |
| ."(uniqueMember=uid={$username}," . SSO_BASE_DN . "))"; |
| $result = ldap_search($ldapconn,$searchDirectory,$filter,array('cn')); |
| |
| if ($result) { |
| $entries = ldap_get_entries($ldapconn,$result); |
| foreach ($entries as $rawGroup) { |
| if (isset($rawGroup['cn'][0]) |
| && $rawGroup['cn'][0] != '') { |
| $groups[] = $rawGroup['cn'][0]; |
| } |
| } |
| } |
| } |
| |
| return $groups; |
| } |
| |
| /** |
| * |
| * retrieves the set of attributes from the users ldap entry |
| * @param string $username user for which attributes will be returned |
| * @param array $attributes ldap attributes to retrieve |
| * @param string $searchDirectory optional path to users ldap entry |
| */ |
| public function retrieveUserAttributes($username,$attributes,$searchDirectory = SSO_BASE_DN) { |
| // attempt to connect to ldap server |
| $ldapconn = $this->connect(SSO_LDAP_HOST,SSO_LDAP_PORT); |
| $attr = array(); |
| |
| if ($ldapconn) { |
| // get user attributes |
| $filter = "uid=".$username; |
| $result = ldap_search($ldapconn,$searchDirectory,$filter,$attributes); |
| if ($result) { |
| $entries = ldap_get_entries($ldapconn,$result); |
| return $entries; |
| } else { |
| return array(); |
| } |
| } |
| } |
| |
| |
| public function changePassword($newPass,$encryptionMethod = "SHA") { |
| if ($this->isLoggedIn()) { |
| $user = "uid={$this->getSingleSignOnUsername()}," . SSO_BASE_DN ; |
| $entry = array(); |
| |
| switch (strtoupper($encryptionMethod)) { |
| case "SHA": |
| $entry['userPassword'] = "{SHA} " . base64_encode(pack("H*",sha1($newPass))); |
| break; |
| case "MD5": |
| $entry['userPassword'] = "{MD5} " . base64_encode(pack("H*",md5($newPass))); |
| break; |
| default: |
| throw new Exception("Unsupported encryption method requested"); |
| } |
| |
| if (ldap_mod_replace($this->conn,$user,$entry)) { |
| return true; |
| } else { |
| return false; |
| } |
| } else { |
| return false; |
| } |
| } |
| |
| public function connect($server,$port) { |
| if ($conn = ldap_connect($server,$port)) { |
| // Connection established |
| $this->connectionStatus = 1; |
| ldap_set_option($conn, LDAP_OPT_PROTOCOL_VERSION, 3); |
| ldap_set_option($conn, LDAP_OPT_DEBUG_LEVEL, 7); |
| ldap_set_option($conn, LDAP_OPT_REFERRALS, 0); |
| $this->conn = $conn; |
| return $conn; |
| } else { |
| // Connection failed |
| return false; |
| } |
| } |
| |
| private function clearSingleSignOnInfo() { |
| $oldCookie = $_COOKIE[SSO_COOKIE_KEY]; |
| setcookie(SSO_COOKIE_KEY, $oldCookie, 1, "/"); |
| } |
| |
| private function getSingleSignOnUsername() { |
| $theCookie = $_COOKIE[SSO_COOKIE_KEY]; |
| if ($theCookie <> "") { |
| $userpass = base64_decode(urldecode($theCookie)); |
| $userpassArr = explode(":", $userpass); |
| return $userpassArr[0]; |
| } else |
| return null; |
| } |
| |
| private function createSingleSignOnCookie($username, $password) { |
| if (!isset ($_COOKIE[SSO_COOKIE_KEY])) { |
| $theCookieStrUnencoded = $username . ":" . $password; |
| $theCookieStrEncoded = "\"".base64_encode($theCookieStrUnencoded)."\""; |
| setcookie(SSO_COOKIE_KEY, $theCookieStrEncoded, time() + (86400 * 7), "/"); // expire in 1 day |
| } |
| } |
| } |
| ?> |