Commit 31415adb authored by Eric Rasmussen's avatar Eric Rasmussen

clean up the CAS login

parent 70a6ad2e
......@@ -4,7 +4,7 @@
*
* @package cas_auth
* @license http://www.gnu.org/licenses/gpl.html
* @author Xavier Roussel <xavier.roussel@uvsq.fr>
* @author Xavier Roussel <xavier.roussel@uvsq.fr> (Modified for UNL CAS by Eric Rasmussen)
* @copyright UVSQ 2008
* @link http://www.uvsq.fr
*/
......@@ -52,8 +52,7 @@
* @param string
* @return array Associative array.
*/
function formatPostalAddress()
{
function formatPostalAddress() {
/* this is a faculty postal address
Currently of the form:
### ___ UNL 68588-####
......@@ -92,63 +91,53 @@
}
return $address;
}
}
}
// Include main cas lib
include_once 'cas/CAS.php';
$casInitialized = false;
include_once 'cas/CAS.php';
/**
* CAS Authentication init
*
*/
function cas_auth_init()
{
// global config
function cas_auth_init() {
global $CONFIG;
// plugin config
$config = find_plugin_settings('cas_auth');
// todo : send message to user
if (!$config) return false;
// CAS auth required
if ( $_REQUEST['loginwith'] == 'UNLlogin' && !isset($_REQUEST['ticket']) )
{
createCas();
}
// CAS auth done
if ( $_REQUEST['loginwith'] == 'UNLlogin' && (isset($_REQUEST['ticket']) || isset($_REQUEST['email'])) )
{
// Check CAS auth the CAS way just in case
if ( checkCas() ) {
if (!$config)
return false;
if ($_GET['loginwith'] == 'UNLlogin') {
if (checkCas()) {
$_SESSION['loggedWithCAS'] = true;
$cas_user = getUserCas();
if(ldapAuthenticate( $cas_user )) {
if (casAuthenticate($cas_user)) {
system_message(elgg_echo('loginok'));
$cas_user = str_replace('-','_',$cas_user);
//user is logged in now, this is the last step - forward based on whether they have logged in before
$lastlogin_date = $_SESSION['user']->last_login;
if (!$lastlogin_date){
if (!$lastlogin_date) {
forward('mod/profile/edit.php?firstlogin=yes');
}
forward("pg/profile/unl_" . $cas_user);
} else {
register_error(elgg_echo('loginerror'));
}
else register_error(elgg_echo('loginerror'));
} else {
createCas();
}
else register_error(elgg_echo('loginerror'));
}
// The CAS ticket is lost, log out
if ( $_SESSION['loggedWithCAS'] && !checkCas() ) {
if ($_SESSION['loggedWithCAS'] && !checkCas()) {
$_SESSION['loggedWithCAS'] = false;
forward($CONFIG->url.'/action/logout');
}
}
}
......@@ -157,10 +146,9 @@
// Register the initialisation function
register_elgg_event_handler('init','system','cas_auth_init');
// Register CAS logout to main logout only if user logged with CAS
if (isset($_SESSION['loggedWithCAS']) && $_SESSION['loggedWithCAS']===true) {
if (isset($_SESSION['loggedWithCAS']) && $_SESSION['loggedWithCAS']==true) {
register_elgg_event_handler('logout', 'user', 'logoutCas');
}
}
/* set up login page */
register_page_handler('login', 'login_page_handler');
......@@ -175,7 +163,6 @@
}
}
/**
* CAS client initialization
*
......@@ -186,6 +173,7 @@
phpCAS::client(CAS_VERSION_2_0, $config->casurl, (int) $config->casport , $config->casuri );
$GLOBALS[casInitialized] = true;
}
return true;
}
/**
......@@ -195,6 +183,7 @@
function createCas() {
initCas();
phpCAS::forceAuthentication();
return true;
}
/**
......@@ -207,7 +196,8 @@
if (phpCAS::checkAuthentication()) {
return true;
}
else return false;
else
return false;
}
/**
......@@ -227,307 +217,88 @@
global $CONFIG;
initCas();
phpCAS::logout($CONFIG->url.'/action/logout');
return true;
}
/**
* LDAP authentication
*
* @param string $username Go around PAM handler credentials (CAS can't return a password)
* @return boolean
*/
function ldapAuthenticate($username)
{
// Nothing to do if LDAP module not installed
// if (!function_exists('ldap_connect')) {
// return false;
// }
// Get configuration settings
// $config = find_plugin_settings('ldap_auth');
// Nothing to do if not configured
// if (!$config)
// {
// return false;
// }
if (empty($username)) {
/**
* Perform an CAS authentication check
*
* @param string $username
* @return boolean
*/
function casAuthenticate($username){
if (empty($username))
return false;
}
// Perform the authentication
return ldapCheck(/*$config, */$username);
}
/**
* Perform an LDAP authentication check
*
* @param ElggPlugin $config
* @param string $username
* @return boolean
*/
function ldapCheck(/*$config, */$username)
{
/* $host = $config->hostname;
// No point continuing
if(empty($host))
{
error_log("LDAP error: no host configured.");
return;
}
$port = $config->port;
$version = $config->version;
$basedn = $config->basedn;
$filter_attr = $config->filter_attr;
$search_attr = $config->search_attr;
$bind_dn = $config->ldap_bind_dn;
$bind_pwd = $config->ldap_bind_pwd;
$user_create = $config->user_create;
$start_tls = $config->start_tls;
($user_create == 'on') ? $user_create = true : $user_create = false;
($start_tls == 'on') ? $start_tls = true : $start_tls = false;
$port ? $port : $port = 389;
$version ? $version : $version = 3;
$filter_attr ? $filter_attr : $filter_attr = 'uid';
$basedn ? $basedn = array_map('trim', explode(':', $basedn)) : $basedn = array();
if (!empty($search_attr))
{
// $search_attr as in "email:email_address, name:name_name";
$pairs = array_map('trim',explode(',', $search_attr));
// we're making this copy for use in the peoplefinderservices call later
// we dont want to call peoplefinderservices here since we dont need to every time a SSO user logs in
$casusername = $username;
//We're going to make every UNL SSO user have an elgg profile name as such: unl_erasmussen2
//and not allow friends of unl who register via elgg to pick names that begin with "unl_"
//This way, we won't have to deal with the case where someone registers erasmussen2 on elgg, then
//the real erasmussen2 signs in for the first time with UNL SSO and is logged in as the elgg user erasmussen2
//rather then having a new account created.
$username = 'unl_' . $username;
//Replace the hyphen in a student's name with an underscore
$username = str_replace('-','_',$username);
$values = array();
if ($user = get_user_by_username($username)) {
// User exists, login
return login($user);
} else {
// Valid login but user doesn't exist
$pf_user_info = peoplefinderServices($casusername);
foreach ($pairs as $pair)
{
$parts = array_map('trim', explode(':', $pair));
$name = $pf_user_info->cn;
$values[$parts[0]] = $parts[1];
if (isset($_REQUEST['email'])) {
$email = $_REQUEST['email'];
} else {
if($pf_user_info->mail)
forward($CONFIG->url . 'mod/cas_auth/views/default/account/getemail.php?e=' . $pf_user_info->mail);
else
forward($CONFIG->url . 'mod/cas_auth/views/default/account/getemail.php');
}
$search_attr = $values;
}
else
{
$search_attr = array('dn' => 'dn');
}
*/
/* // Create a connection
if ($ds = ldapConnect($host, $port, $version, $bind_dn, $bind_pwd))
{
if ($start_tls and !ldap_start_tls($ds)) return false;
// Perform a search
foreach ($basedn as $this_ldap_basedn)
{
$ldap_user_info = ldapDoAuth($ds, $this_ldap_basedn, $username, $filter_attr, $search_attr);
if($ldap_user_info)
{
*/
// we're making this copy for use in the peoplefinderservices call later
// we dont want to call peoplefinderservices here since we dont need to every time a SSO user logs in
$casusername = $username;
//We're going to make every UNL SSO user have an elgg profile name as such: unl_erasmussen2
//and not allow friends of unl who register via elgg to pick names that begin with "unl_"
//This way, we won't have to deal with the case where someone registers erasmussen2 on elgg, then
//the real erasmussen2 signs in for the first time with UNL SSO and is logged in as the elgg user erasmussen2
//rather then having a new account created.
$username = 'unl_' . $username;
//Replace the hyphen in a student's name with an underscore
$username = str_replace('-','_',$username);
try {
if ($user_guid = register_user($username, 'generic', $name, $email, false, 0, '', true)) {
$thisuser = get_user($user_guid);
if ($user = get_user_by_username($username))
{
// User exists, login
return login($user);
//pre-populate profile fields with data from Peoplefinder Services
$address = $pf_user_info->formatPostalAddress();
$thisuser->profile_country = 'USA';
$thisuser->profile_state = $address['region'];
$thisuser->profile_city = $address['locality'];
if($address['locality'] == 'Omaha') {
$thisuser->longitude = -95.9;
$thisuser->latitude = 41.25;
} else { //this is going to cover Lincoln and everyone else
$thisuser->longitude = -96.7;
$thisuser->latitude = 40.82;
}
else
{
// Valid login but user doesn't exist
$pf_user_info = peoplefinderServices($casusername);
//if ($user_create)
//{
// $name = $ldap_user_info['firstname'];
$name = $pf_user_info->cn;
// if (isset($ldap_user_info['lastname']))
// {
// $name = $name . " " . $ldap_user_info['lastname'];
// }
//
/* if(!empty($pf_user_info->mail))
{
($pf_user_info->mail) ? $email = $pf_user_info->mail : $email = null;
}
else*/ if( isset($_REQUEST['email']) ){
$email = $_REQUEST['email'];
}
else
{
if($pf_user_info->mail)
forward($CONFIG->url . 'mod/cas_auth/views/default/account/getemail.php?e=' . $pf_user_info->mail);
else
forward($CONFIG->url . 'mod/cas_auth/views/default/account/getemail.php');
}
/* if ($user_guid = register_user($username, 'generic', $name, $email, false, 0, '', true))
{
// Success, credentials valid and account has been created
return login(get_user($user_guid));
}
else
{
register_error(elgg_echo("registerbad"));
return false;
}
*/
try {
if ($user_guid = register_user($username, 'generic', $name, $email, false, 0, '', true))
{
$thisuser = get_user($user_guid);
//pre-populate profile fields with data from Peoplefinder Services
$address = $pf_user_info->formatPostalAddress();
$thisuser->profile_country = 'USA';
$thisuser->profile_state = $address['region'];
$thisuser->profile_city = $address['locality'];
if($address['locality'] == 'Omaha') {
$thisuser->longitude = -95.9;
$thisuser->latitude = 41.25;
} else { //this is going to cover Lincoln and everyone else
$thisuser->longitude = -96.7;
$thisuser->latitude = 40.82;
}
return login($thisuser);
} else {
register_error(elgg_echo("registerbad"));
}
} catch (RegistrationException $r) {
register_error($r->getMessage());
}
//}
//else
//{
// register_error(elgg_echo("ldap_auth:no_account"));
// return false;
//}
}
/* }
}
// Close the connection
ldap_close($ds);
return false;
}
else
{
return false;
}
*/ }
/**
* Create an LDAP connection
*
* @param string $host
* @param int $port
* @param int $version
* @param string $bind_dn
* @param string $bind_pwd
* @return mixed LDAP link identifier on success, or false on error
*/
/* function ldapConnect($host, $port, $version, $bind_dn, $bind_pwd)
{
$ds = @ldap_connect($host, $port);
@ldap_set_option($ds, LDAP_OPT_PROTOCOL_VERSION, $version);
// Start the LDAP bind process
$ldapbind = null;
if ($ds)
{
if ($bind_dn != '')
{
$ldapbind = @ldap_bind($ds, $bind_dn, $bind_pwd);
}
else
{
// Anonymous bind
$ldapbind = @ldap_bind($ds);
return login($thisuser);
} else {
register_error(elgg_echo("registerbad"));
}
} catch (RegistrationException $r) {
register_error($r->getMessage());
}
}
else
{
// Unable to connect
error_log('Unable to connect to the LDAP server: '.ldap_error($ds));
return false;
}
if (!$ldapbind)
{
error_log('Unable to bind to the LDAP server with provided credentials: '.ldap_error($ds));
ldap_close($ds);
return false;
}
return $ds;
}
*/
/**
* Performs actual LDAP authentication
*
* @param object $ds LDAP link identifier
* @param string $basedn
* @param string $username
* @param string $filter_attr
* @param string $search_attr
* @return mixed array with search attributes or false on error
*/
/* function ldapDoAuth($ds, $basedn, $username, $filter_attr, $search_attr)
{
$sr = @ldap_search($ds, $basedn, $filter_attr ."=". $username, array_values($search_attr));
if(!$sr)
{
error_log('Unable to perform LDAP search: '.ldap_error($ds));
return false;
}
$entry = ldap_get_entries($ds, $sr);
if(!$entry or !$entry[0])
{
return false; // didn't find username
}
// We have a bind, a valid login
foreach (array_keys($search_attr) as $attr)
{
$ldap_user_info[$attr] = $entry[0][$search_attr[$attr]][0];
}
return $ldap_user_info;
}
*/
}
/**
* Gets a UNL SSO user's info from Peoplefinder Services
*
* @param string $username
* @return array of information from PF Services
*/
function peoplefinderServices($username)
{
function peoplefinderServices($username){
$pfrecord = unserialize(file_get_contents('http://peoplefinder.unl.edu/service.php?uid=' . $username . '&format=php'));
return $pfrecord;
}
?>
\ No newline at end of file
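Review bot: In the last hunk, `peoplefinderServices` still hands the body of a plain-HTTP `file_get_contents` call straight to `unserialize()`, so whoever answers on that URL decides which PHP objects are instantiated before `casAuthenticate` reads `$pf_user_info->cn` and calls `->formatPostalAddress()` on the result; a failed fetch also turns into `unserialize(false)`, which returns `false`, and those accesses then run on a boolean. I would fetch over TLS if the service supports it, check the return value, and pin the deserialised type: `$raw = file_get_contents('https://peoplefinder.unl.edu/service.php?uid=' . urlencode($username) . '&format=php');` / `if ($raw === false) return false;` / `return unserialize($raw, ['allowed_classes' => [/* placeholder: the record class the service returns */]]);` (the `allowed_classes` option needs PHP 7.0+). Separately, the hunk at `@@ -157,10 +146,9 @@` relaxes `$_SESSION['loggedWithCAS']===true` to `==true`, which now registers the CAS logout handler for any truthy value; I would keep the strict comparison. `casAuthenticate` also takes the registration email directly from `$_REQUEST['email']` with no validation before `register_user`; at minimum `if (filter_var($email, FILTER_VALIDATE_EMAIL) === false) { register_error(elgg_echo('registerbad')); return false; }` should guard it.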