* constant_inc.php: add some errors for LDAP stuff

* core/authentication_api.php
  (auth_does_password_match): call ldap_authenticate() for ldap auth
* core/ldap_api.php: rewrite of ldap api
* doc/README.LDAP: update example config settings
* lang/strings_english.txt: add strings for the new LDAP errors

This is a rewrite of the LDAP api by Robert Foster <rfoster@mountainvisions.com.au>

I cleaned up quite a few things (mostly variable names and spacing) in ldap_api before committing and this hasn't been tested by me since I don't use LDAP.  So if I broke it, patches welcome! :)


git-svn-id: http://mantisbt.svn.sourceforge.net/svnroot/mantisbt/trunk@1636 f5dc347c-c33d-0410-90a0-b07cc1902cb9

constant_inc.php

@@ -205,6 +205,12 @@
 	define( 'ERROR_CUSTOM_FIELD_CAPTION_NOT_UNIQUE',1301 );
 	define( 'ERROR_CUSTOM_FIELD_IN_USE',			1302 );
 
+	# ERROR_LDAP_*
+	define( 'ERROR_LDAP_AUTH_FAILED',				1400 );
+	define( 'ERROR_LDAP_SERVER_CONNECT_FAILED',		1401 );
+	define( 'ERROR_LDAP_UPDATE_FAILED',				1402 );
+	define( 'ERROR_LDAP_USER_NOT_FOUND',			1402 );
+
 	# Status Legend Position
 	define( 'STATUS_LEGEND_POSITION_TOP',		1);
 	define( 'STATUS_LEGEND_POSITION_BOTTOM',	2);

core/authentication_api.php

@@ -6,7 +6,7 @@
 	# See the files README and LICENSE for details
 
 	# --------------------------------------------------------
-	# $Id: authentication_api.php,v 1.14 2002-09-22 05:24:52 jfitzell Exp $
+	# $Id: authentication_api.php,v 1.15 2002-12-04 03:16:33 jfitzell Exp $
 	# --------------------------------------------------------
 
 	###########################################################################
@@ -157,7 +157,8 @@ function auth_does_password_match( $p_user_id, $p_test_password ) {
 		$t_login_method = config_get( 'login_method' );
 
 		if ( LDAP == $t_login_method ) {
-			return ldap_uid_pass( $p_username, $p_test_password );
+ 			$t_username = user_get_field( $p_user_id, 'username' );
+			return ldap_authenticate( $t_username, $p_test_password );
 		}
 
 		$t_password = user_get_field( $p_user_id, 'password' );

core/ldap_api.php

@@ -6,97 +6,129 @@
 	# See the files README and LICENSE for details
 
 	# --------------------------------------------------------
-	# $Id: ldap_api.php,v 1.3 2002-08-27 10:08:08 jfitzell Exp $
+	# $Id: ldap_api.php,v 1.4 2002-12-04 03:16:33 jfitzell Exp $
 	# --------------------------------------------------------
 
 	###########################################################################
 	# LDAP API
 	###########################################################################
 
 	# Some simple LDAP stuff that makes the work go 'round
-	# Leigh Morresi <leighm@linuxbandwagon.com>
 
  	# --------------------
-	# Find someone email address based on their login name
-	function ldap_email($worker) {
-	    global $g_ldap_organisation,$g_ldap_server,$g_ldap_root_dn;
-
-	    $search_dn = "(&$g_ldap_organisation(uid=$worker))";
-	    $ds        = ldap_connect( "$g_ldap_server" );
-
-		if ( $ds ) {
-			$r    = ldap_bind( $ds );
-			$sr   = ldap_search( $ds, $g_ldap_root_dn, $search_dn );
-			$info = ldap_get_entries( $ds, $sr );
-			ldap_close( $ds );
-			return ($info[0]["mail"][0]);
+	# Connect and bind to the LDAP directory
+	function ldap_connect_bind( $p_binddn = '', $p_password = '' ) {
+		$t_ldap_server	= config_get( 'ldap_server' );
+		$t_ldap_port	= config_get( 'ldap_port' );
+
+		$t_ds = @ldap_connect ( $t_ldap_server, $t_ldap_port );
+		if ( $t_ds > 0 ) {
+			# If no Bind DN and Password is set, attempt to login as the configured
+			#  Bind DN.
+			if ( is_blank( $p_binddn ) && is_blank( $p_password ) ) {
+				$p_binddn	= config_get( 'ldap_bind_passwd', '' );
+				$p_password	= config_get( 'ldap_bind_dn', '' );
+			}
+
+			if ( ! is_blank( $p_binddn ) && ! is_blank( $p_password ) ) {
+				$t_br = @ldap_bind( $t_ds, $p_binddn, $p_password );
+			} else {
+				# Either the Bind DN or the Password are empty, so attempt an anonymous bind.
+				$t_br = @ldap_bind( $t_ds );
+			}
+			if ( ! $t_br ) {
+				trigger_error( ERROR_LDAP_AUTH_FAILED, ERROR );
+			}		
 		} else {
-			echo "<h4>Unable to connect to LDAP server</h4>";
-			die;
+			trigger_error( ERROR_LDAP_SERVER_CONNECT_FAILED, ERROR );
 		}
+
+		return $t_ds;
+	}
+
+ 	# --------------------
+	# Find an email address from LDAP, given a username
+	function ldap_email( $p_username ) {
+		$t_ldap_organisation	= config_get( 'ldap_organisation' );
+		$t_ldap_root_dn			= config_get( 'ldap_root_dn' );
+
+	    $t_search_filter	= "(&$t_ldap_organisation(uid=$p_username))";
+		$t_search_attrs		= array( 'uid', 'email', 'dn' );
+	    $t_ds				= ldap_connect_bind();
+
+		$t_sr	= ldap_search( $t_ds, $t_ldap_root_dn, $t_search_filter, $t_search_attrs );
+		$t_info	= ldap_get_entries( $t_ds, $t_sr );
+		ldap_free_result( $t_sr );
+		ldap_unbind( $t_ds );
+
+		return $t_info[0]['mail'][0];
 	}
 
 	# --------------------
-	# Return true if the $uid has an assigngroup=$group tag
-	function ldap_has_group($uid,$group) {
-	    global $g_ldap_organisation,$g_ldap_server,$g_ldap_root_dn;
-
-		$search_dn = "(&$g_ldap_organisation(uid=$uid)(assignedgroup=$group))";
-		$ds        = ldap_connect( "$g_ldap_server" );
-
-		if ( $ds ) {
-			$r       = ldap_bind( $ds ); # bind to server
-			$sr      = ldap_search( $ds, $g_ldap_root_dn, $search_dn ); # query
-			$entries = ldap_count_entries( $ds, $sr );
-	        ldap_close( $ds ); # clean up
-	        return $entries;
+	# Return true if the $uid has an assigngroup=$p_group tag, false otherwise
+	function ldap_has_group( $p_username, $p_group ) {
+		$t_ldap_organisation	= config_get( 'ldap_organisation' );
+		$t_ldap_root_dn			= config_get( 'ldap_root_dn' );
+
+		$t_search_filter	= "(&$t_ldap_organisation(uid=$p_username)(assignedgroup=$p_group))";
+		$t_search_attrs		= array( "uid", "dn", "assignedgroup" );
+	    $t_ds				= ldap_connect_bind();
+
+		$t_sr		= ldap_search( $t_ds, $t_ldap_root_dn, $t_search_filter, $t_search_attrs );
+		$t_entries	= ldap_count_entries( $t_ds, $t_sr );
+		ldap_free_result( $t_sr );
+		ldap_unbind( $t_ds );
+
+		if ( $t_entries > 0 ) {
+			return true;
 		} else {
-			echo "<h4>Unable to connect to LDAP server</h4>";
-			die;
+			return false;
 		}
 	}
+
 	# --------------------
-	# Return true if the $uid has $password (salt soon!)
-	function ldap_uid_pass($login, $pass) {
-	global $g_ldap_organisation,$g_ldap_server,$g_ldap_root_dn,$g_ldapauth_type;
+	# Attempt to authenticate the a username against the LDAP directory
+	#  return true on successful authentication, false otherwise
+	function ldap_authenticate( $p_username, $p_password ) {
+		$t_ldap_organisation	= config_get( 'ldap_organisation' );
+		$t_ldap_root_dn			= config_get( 'ldap_root_dn' );
 
-	$search_dn = "(&$g_ldap_organisation(uid=$login))";
-	$ds        = ldap_connect( "$g_ldap_server" );
+		$t_search_filter	= "(&$t_ldap_organisation(uid=$p_username))";
+		$t_search_attrs		= array( 'uid', 'dn' );
+	    $t_ds				= ldap_connect_bind();
+
+		# Search for the user id
+		$t_sr	= ldap_search( $t_ds, $t_ldap_root_dn, $t_search_filter, $t_search_attrs );
+		$t_info	= ldap_get_entries( $t_ds, $t_sr );
 
-	if ( $ds ) {
-		$r       = ldap_bind( $ds ); # bind to server
+		$t_authenticated = false;
 
-		if ("CLEAR" == $g_ldapauth_type)
-		{
-			$crypted_pass = $pass;
-		}
-		elseif ("CRYPT" == $g_ldapauth_type)
-		{
-			$sr	= ldap_search( $ds, $g_ldap_root_dn, $search_dn ); # query without password
-			$entry	= ldap_first_entry($ds, $sr);
-			if (!($entry)) return false;
-			$values	= ldap_get_values($ds, $entry,"userpassword");
-			$salt	= $values[0][0].$values[0][1];
-			$crypted_pass=crypt($pass,$salt);
-		}
-		else
-		{
-			die ("wrong LDAP parameter g_ldapauth_type : [$g_ldapauth_type]");
-		}
+		if ( $t_info ) {
+			# Try to authenticate to each until we get a match
+			for ( $i = 0 ; $i < $t_info['count'] ; $i++ ) {
+				$t_dn = $t_info[$i]['dn'];
 
-		$search_dn = "(&$g_ldap_organisation(uid=$login)(userpassword=$crypted_pass))";
-		$sr      = ldap_search( $ds, $g_ldap_root_dn, $search_dn ); # query with password matching
-		#---------------------------
-		$entries = ldap_count_entries( $ds, $sr );
-		ldap_close( $ds ); # clean up
-		if ( $entries >= 1 ) {
-			return true;
-		} else {
-			return false;
+				# Attempt to bind with the DN and password
+				if ( @ldap_bind( $t_ds, $t_dn, $p_password ) ) {
+					$t_authenticated = true;
+					break; # Don't need to go any further
+				} 
+			}
 		}
-	} else {
-		die ("Unable to connect to LDAP server");
+		ldap_free_result( $t_sr );
+		ldap_unbind( $t_ds );
+
+		return $t_authenticated;
 	}
-}
+
+	# --------------------
+	# Create a new user account in the LDAP Directory.
+
+	# --------------------
+	# Update the user's account in the LDAP Directory
+
 	# --------------------
+	# Change the user's password in the LDAP Directory
+
+
 ?>

doc/README.LDAP

@@ -3,6 +3,8 @@
    Original by leighm@linuxbandwagon.com
    Updated by Adrian Spinei aspinei@yahoo.com - currently the maintaner of
    the LDAP capabilities of mantis, please direct all questions to me
+   20 Nov 2002: Updated by Robert Foster <rfoster@mountainvisions.com.au>
+                to allow for 'closed' LDAP Directories and/or Anonymous Logins
 -------------------------------------------------------------------------------
 
 Here is my attempt at providing Mantis with LDAP capabilities.
@@ -33,27 +35,28 @@ uid: tests
 userPassword: password
 objectclass: testPerson
 
-Note : the password may be in clear or taken from the /etc/passwd or /etc/shadow file
-if you prefer to keep the password in clear (very insecure !) yop should use the
-configuration option $g_ldapauth_type = 'CLEAR';
-otherwise $g_ldapauth_type = 'CRYPT'; (and the password should match /etc/passwd)
+Note : the password may be in clear, taken from the /etc/passwd or /etc/shadow file,
+or simply encrypted and added using current LDAP tools.
+
 There are some specialized software for replicating passwd to LDAP and inversely
 (eg. http://freshmeat.net/projects/cpu/)
 
-It is also required to set the following configuration items in default/config_inc1.php
+It is also required to set the following configuration items in config_inc.php
 
 
 	#############################
 	### Mantis LDAP Settings  ###
 	#############################
 
 	# --- using openldap -------------
-	$g_ldap_server="127.0.0.1";
-	$g_ldap_root_dn="dc=test,dc=com,dc=au";
-	$g_use_ldap_email=1;    ## Should we send to the LDAP email address or what MySql tells us
-	# $g_ldap_organisation="(organizationname=*Traffic)";     ## optional
-	$g_ldapauth_type = 'CLEAR';
-
+	$g_ldap_server         = "ldaps://ldap.example.com/";
+	$g_ldap_port           = "636";
+	$g_ldap_root_dn        = "dc=example, dc=com";
+	#$g_ldap_organisation  = "(organizationname=*Example)"; # optional
+	#$g_ldap_auth_type 	   = "CRYPT"; # NO LONGER USED
+	$g_use_ldap_email      = ON; # Should we send to the LDAP email address or what MySql tells us
+	$t_ldap_bind_dn        = "cn=Manager, dc=example, dc=com";
+	$t_ldap_bind_passwd    = "secret";
 
 Dont forget to change your $g_login_method to $g_login_method = LDAP;
 
@@ -69,11 +72,10 @@ will proceed.
 Email address is queried from the LDAP database if the authentication is set
 to use LDAP instead of the mySql entry.
 
-
 Hope it works as good for you as it does for me.
 
 		Leigh Morresi
 
 -------------------------------------------------------------------------------
    Mantis - LDAP capabilities documentation        leighm@linuxbandwagon.com
--------------------------------------------------------------------------------
+-------------------------------------------------------------------------------

lang/strings_english.txt

@@ -9,11 +9,11 @@
 	###########################################################################
 	# English strings for Mantis
 	# -------------------------------------------------
-	# $Revision: 1.90 $
+	# $Revision: 1.91 $
 	# $Author: jfitzell $
-	# $Date: 2002-11-25 08:06:00 $
+	# $Date: 2002-12-04 03:16:33 $
 	#
-	# $Id: strings_english.txt,v 1.90 2002-11-25 08:06:00 jfitzell Exp $
+	# $Id: strings_english.txt,v 1.91 2002-12-04 03:16:33 jfitzell Exp $
 	###########################################################################
 ?>
 <?php
@@ -187,6 +187,10 @@
 	$MANTIS_ERROR[ERROR_CUSTOM_FIELD_NOT_FOUND]= 'ERROR: Custom field not found';
 	$MANTIS_ERROR[ERROR_CUSTOM_FIELD_CAPTION_NOT_UNIQUE]= 'ERROR: This is a duplicate caption.';
 	$MANTIS_ERROR[ERROR_CUSTOM_FIELD_IN_USE]= 'ERROR: At least one project still uses this field!';
+	$MANTIS_ERROR[ERROR_LDAP_AUTH_FAILED]	= 'ERROR: LDAP Authentication Failed';
+	$MANTIS_ERROR[ERROR_LDAP_SERVER_CONNECT_FAILED]= 'ERROR: LDAP Server Connection Failed';
+	$MANTIS_ERROR[ERROR_LDAP_UPDATE_FAILED]	= 'ERROR: LDAP Record Update has failed.';
+	$MANTIS_ERROR[ERROR_LDAP_USER_NOT_FOUND]= 'ERROR: LDAP User Record Not Found.';
 
 	# General Strings
 	$s_go_back = 'Go Back';