summaryrefslogtreecommitdiffstats
diff options
context:
space:
mode:
-rw-r--r--ldap_authentication/LdapAuthenticationConf.class.php5
-rw-r--r--ldap_authentication/ldap_authentication.inc450
-rw-r--r--ldap_authentication/tests/ldap_authentication.test3
-rw-r--r--ldap_authorization/tests/BasicTests.test4
-rw-r--r--ldap_user/ldap_user.info1
5 files changed, 254 insertions, 209 deletions
diff --git a/ldap_authentication/LdapAuthenticationConf.class.php b/ldap_authentication/LdapAuthenticationConf.class.php
index 9b6dc41..b9b7770 100644
--- a/ldap_authentication/LdapAuthenticationConf.class.php
+++ b/ldap_authentication/LdapAuthenticationConf.class.php
@@ -237,7 +237,7 @@ class LdapAuthenticationConf {
* @todo. this function should simply invoke hook_ldap_authentication_allowuser_results_alter
* and most of this function should go in ldap_authentication_allowuser_results_alter
*/
- public function allowUser($name, $ldap_user, $account_exists = NULL) {
+ public function allowUser($name, $ldap_user) {
/**
* do one of the exclude attribute pairs match
@@ -245,9 +245,6 @@ class LdapAuthenticationConf {
$ldap_user_conf = ldap_user_conf();
// if user does not already exists and deferring to user settings AND user settings only allow
$user_register = variable_get('user_register', USER_REGISTER_VISITORS_ADMINISTRATIVE_APPROVAL);
- if (!$account_exists && $ldap_user_conf->acctCreation == LDAP_AUTHENTICATION_ACCT_CREATION_USER_SETTINGS_FOR_LDAP && $user_register == USER_REGISTER_ADMINISTRATORS_ONLY) {
- return FALSE;
- }
foreach ($this->excludeIfTextInDn as $test) {
if (stripos($ldap_user['dn'], $test) !== FALSE) {
diff --git a/ldap_authentication/ldap_authentication.inc b/ldap_authentication/ldap_authentication.inc
index faf254f..26b4c7f 100644
--- a/ldap_authentication/ldap_authentication.inc
+++ b/ldap_authentication/ldap_authentication.inc
@@ -123,18 +123,17 @@ function _ldap_authentication_form_user_profile_form_alter(&$form, $form_state)
/**
* user form validation will take care of username, pwd fields
- * this function validates ldap autentication specific issues
- * ldap authentication exclusively
+ * this function validates ldap authentication specific
*
* @param array $form_state array from user logon form
- * @return NULL (form_set_error() calls throw validation errors)
+ * @return null, but success or failure is indicated by:
+ * -- form_set_error() to invalidate authentication process
+ * -- setting $form_state['uid'] to indate successful authentication
*/
function _ldap_authentication_user_login_authenticate_validate(&$form_state) {
$detailed_watchdog_log = variable_get('ldap_help_watchdog_detail', 0);
$authname = $form_state['values']['name']; // $authname is the name the user is authenticated with from the logon form // patch 1599632
- $accountname = $authname; // $accountname is used as the drupal account name $account->name property.
- $pass = $form_state['values']['pass'];
/*
* If a fake form state was passed into this function from
@@ -145,68 +144,261 @@ function _ldap_authentication_user_login_authenticate_validate(&$form_state) {
*/
$sso_login = (isset($form_state['sso_login']) && $form_state['sso_login']) ? TRUE : FALSE;
- $watchdog_tokens = array('%username' => $authname); // $watchdog_tokens = array('%username' => $name); // patch 1599632
+ $watchdog_tokens = array('%username' => $authname, '%authname' => $authname); // $watchdog_tokens = array('%username' => $name); // patch 1599632
if ($detailed_watchdog_log) {
watchdog('ldap_authentication', '%username : Beginning authentification....', $watchdog_tokens, WATCHDOG_DEBUG);
}
-
+
if (!$auth_conf = ldap_authentication_get_valid_conf()) {
watchdog('ldap_authentication', 'Failed to get valid ldap authentication configuration.', array(), WATCHDOG_ERROR);
form_set_error('name', 'Server Error: Failed to get valid ldap authentication configuration.' . $error);
- return FALSE;
+ return;
}
- // if already succeeded at authentication, see if LDAP Exclusive is set
+ /**
+ * I. Test for previous module authentication success.
+ *
+ * if already succeeded at authentication, $form_state['uid'] will be set by other authentication module.
+ * - if LDAP Mixed mode is set, return and don't disrupt authentication process
+ * - otherwise override other authenication by setting $form_state['uid'] = NULL
+ */
if (isset($form_state['uid']) && is_numeric($form_state['uid'])) {
if ($auth_conf->authenticationMode == LDAP_AUTHENTICATION_MIXED || $form_state['uid'] == 1) {
if ($detailed_watchdog_log) {
watchdog('ldap_authentication', '%username : Previously authenticated in mixed mode or uid=1', $watchdog_tokens, WATCHDOG_DEBUG);
}
- return; // already passed previous authentication validation
+ return; // already passed a previous module's authentication validation
}
elseif ($auth_conf->authenticationMode == LDAP_AUTHENTICATION_EXCLUSIVE) {
if ($detailed_watchdog_log) {
watchdog('ldap_authentication', '%username : Previously authenticated in exclusive mode or uid is not 1. Clear uid
in form_state and attempt ldap authentication.', $watchdog_tokens, WATCHDOG_DEBUG);
}
- $form_state['uid'] = NULL; // passed previous authentication, but only ldap should be used
+ $form_state['uid'] = NULL; // passed previous authentication, but only ldap should be used so override
}
}
+ /**
+ * II. Exit if no authentication servers.
+ */
if (!$auth_conf->hasEnabledAuthenticationServers()) {
watchdog('ldap_authentication', 'No LDAP servers configured.', array(), WATCHDOG_ERROR);
form_set_error('name', 'Server Error: No LDAP servers configured.');
+ return;
}
- if ($detailed_watchdog_log) {
- watchdog('ldap_authentication', '%username : user_load_by_name(%username)', $watchdog_tokens, WATCHDOG_DEBUG);
+ /**
+ * III. determine if corresponding drupal account exists for $authname
+ */
+ $drupal_account_is_authmapped = FALSE;
+ list($drupal_account, $drupal_account_is_authmapped) = ldap_authentication_corresponding_drupal_user($authname, $auth_conf, $watchdog_tokens);
+ $drupal_account_exists = is_object($drupal_account);
+ if ($drupal_account_exists && $drupal_account->uid == 1) {
+ return; // user 1 is not allowed to ldap authenticate
}
- if (!($account = user_load_by_name($authname))) {
- $uid = db_query("SELECT uid FROM {authmap} WHERE authname = :authname AND module = 'ldap_user'", array(':authname' => $authname))->fetchColumn();
- $account = $uid ? user_load($uid) : FALSE;
+ /**
+ * IV. test credentials and if available get corresponding ldap user and ldap server
+ */
+ list($authentication_result, $ldap_user, $ldap_server_authenticated_on) = ldap_authentication_test_credentials($auth_conf, $sso_login, $authname, $form_state['values']['pass'], $watchdog_tokens);
+ if ($authentication_result != LDAP_AUTHENTICATION_RESULT_SUCCESS) {
+ ldap_authentication_fail_response($authentication_result, $auth_conf, $detailed_watchdog_log, $watchdog_tokens);
+ return;
}
- if (is_object($account)) {
- if ($account->uid == 1) {
- if ($detailed_watchdog_log) {
- watchdog('ldap_authentication', '%username : Drupal username maps to user 1, so do not authenticate with ldap', $watchdog_tokens, WATCHDOG_DEBUG);
+ /**
+ * V. if account_name_attr is set, drupal username is different than authname
+ */
+ if ($ldap_server_authenticated_on->account_name_attr != '') {
+ $watchdog_tokens['%account_name_attr'] = $ldap_server_authenticated_on->account_name_attr;
+ $drupal_accountname = $ldap_user['attr'][ldap_server_massage_text($ldap_server_authenticated_on->account_name_attr, 'attr_name', LDAP_SERVER_MASSAGE_QUERY_ARRAY)][0];
+ if (!$drupal_accountname) {
+ watchdog('ldap_authentication', 'Derived drupal username from attribute %account_name_attr returned no username for authname %authname.', $watchdog_tokens, WATCHDOG_ERROR);
+ return;
+ }
+ }
+ else {
+ $drupal_accountname = $authname;
+ }
+ $watchdog_tokens['%drupal_accountname'] = $drupal_accountname;
+
+ /**
+ * VI. Find or create corresponding drupal account and set authmaps
+ *
+ * at this point, the following are know:
+ * - a corresponding ldap account has been found
+ * - user's credentials tested against it and passed
+ * - their drupal accountname has been derived
+ *
+ */
+
+
+ /**
+ * VI.A: Drupal account doesn't exist with $authname used to logon,
+ * but puid exists in another Drupal account; this means username has changed
+ * and needs to be saved in Drupal account
+ *
+ */
+ if (!$drupal_account_exists && $ldap_server_authenticated_on) {
+ $puid = $ldap_server_authenticated_on->userPuidFromLdapEntry($ldap_user['attr']);
+ if ($puid) {
+ $drupal_account = $ldap_server_authenticated_on->userUserEntityFromPuid($puid);
+ if ($drupal_account) {
+ $drupal_account_exists = TRUE;
+ $user_edit = array('name' => $drupal_accountname);
+ $drupal_account = user_save($drupal_account, $user_edit, 'ldap_user');
+ user_set_authmaps($drupal_account, array("authname_ldap_user" => $authname));
+ $drupal_account_is_authmapped = TRUE;
}
- return FALSE; // user 1 must use drupal authentication
}
- else {
- $account_exists = TRUE;
- $user_data = $account->data;
- $authmaps = user_get_authmaps($authname); // $authmaps = user_get_authmaps($name); // patch 1599632
- $ldap_authentication_authmap = isset($authmaps['ldap_user']);
- $no_authmaps = (boolean)(count($authmaps));
+ }
+
+ /**
+ * VI.B: existing Drupal account but not authmapped to ldap modules,
+ * ldap authmap or disallow
+ *
+ */
+
+ if ($drupal_account_exists && !$drupal_account_is_authmapped) { // account already exists
+ if ($auth_conf->ldapUser->loginConflictResolve == LDAP_USER_CONFLICT_LOG) {
+ if ($account_with_same_email = user_load_by_mail($ldap_user['mail'])) {
+ $watchdog_tokens['%conflict_name'] = $account_with_same_email->name;
+ watchdog('ldap_authentication', 'LDAP user with DN %dn has a naming conflict with a local drupal user %conflict_name', $watchdog_tokens, WATCHDOG_ERROR);
+ }
+ drupal_set_message(t('Another user already exists in the system with the same login name. You should contact the system administrator in order to solve this conflict.'), 'error');
+ return;
+ }
+ else { // LDAP_authen.AC.disallow.ldap.drupal
+ // add ldap_authentication authmap to user. account name is fine here, though cn could be used
+ user_set_authmaps($drupal_account, array('authname_ldap_user' => $authname));
+ $drupal_account_is_authmapped = TRUE;
if ($detailed_watchdog_log) {
- watchdog('ldap_authentication', '%username : Drupal User Account found. Continuing on to attempt ldap authentication', $watchdog_tokens, WATCHDOG_DEBUG);
+ watchdog('ldap_authentication', 'set authmap for %username authname_ldap_user', $watchdog_tokens, WATCHDOG_DEBUG);
}
}
}
+
+ /**
+ * VI.C: existing Drupal account with incorrect email. fix email if appropriate
+ *
+ */
+ if ($drupal_account_exists && $drupal_account->mail != $ldap_user['mail'] && (
+ $auth_conf->emailUpdate == LDAP_AUTHENTICATION_EMAIL_UPDATE_ON_LDAP_CHANGE_ENABLE_NOTIFY ||
+ $auth_conf->emailUpdate == LDAP_AUTHENTICATION_EMAIL_UPDATE_ON_LDAP_CHANGE_ENABLE
+ )) {
+ $user_edit = array('mail' => $ldap_user['mail']);
+
+ $watchdog_tokens['%username'] = $drupal_account->name;
+ if (!$updated_account = user_save($drupal_account, $user_edit)) {
+ watchdog('ldap_authentication', 'Failed to make changes to user %username updated %changed.', $watchdog_tokens, WATCHDOG_ERROR);
+ }
+ elseif ($auth_conf->emailUpdate == LDAP_AUTHENTICATION_EMAIL_UPDATE_ON_LDAP_CHANGE_ENABLE_NOTIFY ) {
+ if (isset($user_edit['mail'])) {
+ $watchdog_tokens['%mail'] = $user_edit['mail'];
+ drupal_set_message(t('Your e-mail has been updated to match your current account (%mail).', $watchdog_tokens), 'status');
+ }
+ if (isset($user_edit['name'])) {
+ $watchdog_tokens['%new_username'] = $user_edit['name'];
+ drupal_set_message(t('Your old account username %username has been updated to %new_username.', $watchdog_tokens), 'status');
+ }
+ }
+ }
+
+ /**
+ * VI.C: no existing Drupal account. consider provisioning Drupal account.
+ *
+ */
+ if (!$drupal_account_exists) {
+
+ // VI.C.1 Do not provision Drupal account if another account has same email.
+ if ($account_with_same_email = user_load_by_mail($ldap_user['mail'])) {
+ /**
+ * username does not exist but email does. Since user_external_login_register does not deal with
+ * mail attribute and the email conflict error needs to be caught beforehand, need to throw error here
+ */
+ $watchdog_tokens['%duplicate_name'] = $account_with_same_email->name;
+ watchdog('ldap_authentication', 'LDAP user with DN %dn has email address
+ (%mail) conflict with a drupal user %duplicate_name', $watchdog_tokens, WATCHDOG_ERROR);
+ drupal_set_message(t('Another user already exists in the system with the same email address. You should contact the system administrator in order to solve this conflict.'), 'error');
+ return;
+ }
+
+ // VI.C.2 Do not provision Drupal account if provisioning disabled
+ if (!$auth_conf->ldapUser->provisionEnabled(LDAP_USER_PROV_DIRECTION_TO_DRUPAL_USER, LDAP_USER_DRUPAL_USER_PROV_ON_AUTHENTICATE)) {
+ watchdog('ldap_user', 'Drupal account for authname=%authname account name=%account_name_attr does not exist and provisioning of Drupal accounts on authentication is not enabled', $watchdog_tokens, WATCHDOG_INFO);
+ return;
+ }
+
+ // VI.C.3 Provision Drupal account
+ /**
+ *
+ * new ldap_authentication provisioned account could let user_external_login_register create the account and set authmaps, but would need
+ * to add mail and any other user->data data in hook_user_presave which would mean requerying ldap
+ * or having a global variable. At this point the account does not exist, so there is no
+ * reason not to create it here.
+ *
+ * @todo create patch for core user module's user_external_login_register to deal with new external accounts
+ * a little tweak to add user->data and mail etc as parameters would make it more useful
+ * for external authentication modules
+ */
+
+ if ($auth_conf->ldapUser->acctCreation == LDAP_AUTHENTICATION_ACCT_CREATION_USER_SETTINGS_FOR_LDAP &&
+ variable_get('user_register', USER_REGISTER_VISITORS_ADMINISTRATIVE_APPROVAL) == USER_REGISTER_VISITORS_ADMINISTRATIVE_APPROVAL) {
+ $user_edit = array('name' => $drupal_accountname, 'status' => 0); // if admin approval required, set status to 0.
+ }
+ else {
+ $user_edit = array('name' => $drupal_accountname, 'status' => 1);
+ }
+
+ // don't pass in ldap user to provisionDrupalAccount, because want to requery with correct attributes needed
+ // this may be a case where efficiency dictates querying for all attributes
+ $drupal_account = $auth_conf->ldapUser->provisionDrupalAccount(NULL, $user_edit, NULL, TRUE);
+
+ if ($drupal_account === FALSE) {
+ watchdog('ldap_user', 'Failed to find or create %drupal_accountname on logon.', $watchdog_tokens, WATCHDOG_ERROR);
+ form_set_error('name', t('Server Error: Failed to create Drupal user account for %drupal_accountname', $watchdog_tokens));
+ return;
+ }
+ }
+
+ /**
+ * we now have valid, ldap authenticated username with an account authmapped to ldap_authentication.
+ * since user_external_login_register can't deal with user mail attribute and doesn't do much else, it is not
+ * being used here.
+ *
+ * without doing the user_login_submit,
+ * [#1009990]
+ */
+ $fake_form_state = array('uid' => $drupal_account->uid);
+ user_login_submit(array(), $fake_form_state);
+ global $user;
+ $form_state['uid'] = $user->uid;
+
+}
+
+/**
+ * given authname, determine if corresponding drupal account exists and is authmapped
+ */
+function ldap_authentication_corresponding_drupal_user($authname, $auth_conf, &$watchdog_tokens) {
+ $detailed_watchdog_log = variable_get('ldap_help_watchdog_detail', 0);
+ if (!($drupal_account = user_load_by_name($authname))) {
+ $uid = db_query("SELECT uid FROM {authmap} WHERE authname = :authname AND module = 'ldap_user'", array(':authname' => $authname))->fetchColumn();
+ $drupal_account = $uid ? user_load($uid) : FALSE;
+ }
+
+ if (is_object($drupal_account)) {
+ $authmaps = user_get_authmaps($authname); // $authmaps = user_get_authmaps($name); // patch 1599632
+ $drupal_account_is_authmapped = isset($authmaps['ldap_user']);
+ $user_data = $drupal_account->data;
+ if ($drupal_account->uid == 1 && $detailed_watchdog_log) {
+ watchdog('ldap_authentication', '%username : Drupal username maps to user 1, so do not authenticate with ldap', $watchdog_tokens, WATCHDOG_DEBUG);
+ }
+ elseif ($detailed_watchdog_log) {
+ watchdog('ldap_authentication', '%username : Drupal User Account found. Continuing on to attempt ldap authentication', $watchdog_tokens, WATCHDOG_DEBUG);
+ }
+ }
else { // account does not exist
- $account_exists = FALSE;
+ $drupal_account_is_authmapped = FALSE;
if ($auth_conf->ldapUser->createLDAPAccounts == FALSE) {
if ($detailed_watchdog_log) {
watchdog('ldap_authentication', '%username : Drupal User Account not found and configuration is set to not create new accounts.', $watchdog_tokens, WATCHDOG_DEBUG);
@@ -216,7 +408,14 @@ function _ldap_authentication_user_login_authenticate_validate(&$form_state) {
watchdog('ldap_authentication', '%username : Existing Drupal User Account not found. Continuing on to attempt ldap authentication', $watchdog_tokens, WATCHDOG_DEBUG);
}
}
+ return array($drupal_account, $drupal_account_is_authmapped);
+}
+function ldap_authentication_test_credentials($auth_conf, $sso_login, $authname, $password, &$watchdog_tokens) {
+ $detailed_watchdog_log = variable_get('ldap_help_watchdog_detail', 0);
+ $authentication_result = LDAP_AUTHENTICATION_RESULT_FAIL_GENERIC;
+ $ldap_user = FALSE;
+ $ldap_server = NULL;
foreach ($auth_conf->enabledAuthenticationServers as $sid => $ldap_server) {
$watchdog_tokens['%sid'] = $sid;
$watchdog_tokens['%bind_method'] = $ldap_server->bind_method;
@@ -279,7 +478,7 @@ function _ldap_authentication_user_login_authenticate_validate(&$form_state) {
$transformname = $ldap_server->userUsernameToLdapNameTransform($authname, $watchdog_tokens);
$replace = array($basedn, $transformname);
$userdn = str_replace($search, $replace, $ldap_server->user_dn_expression);
- $bind_success = ($ldap_server->bind($userdn, $pass) == LDAP_SUCCESS);
+ $bind_success = ($ldap_server->bind($userdn, $password) == LDAP_SUCCESS);
if ($bind_success) {
break;
}
@@ -337,9 +536,7 @@ function _ldap_authentication_user_login_authenticate_validate(&$form_state) {
* #4 CHECK ALLOWED AND EXCLUDED LIST AND PHP FOR ALLOWED USERS
*/
- $allow = $auth_conf->allowUser($authname, $ldap_user, $account_exists);
-
- if (!$allow) {
+ if (!$auth_conf->allowUser($authname, $ldap_user)) {
$authentication_result = LDAP_AUTHENTICATION_RESULT_FAIL_DISALLOWED;
break; // regardless of how many servers, disallowed user fails
}
@@ -362,7 +559,7 @@ function _ldap_authentication_user_login_authenticate_validate(&$form_state) {
$credentials_pass = (boolean)($ldap_user);
}
else {
- $credentials_pass = ($ldap_server->bind($ldap_user['dn'], $pass) == LDAP_SUCCESS);
+ $credentials_pass = ($ldap_server->bind($ldap_user['dn'], $password) == LDAP_SUCCESS);
}
if (!$credentials_pass) {
if ($detailed_watchdog_log) {
@@ -379,11 +576,6 @@ function _ldap_authentication_user_login_authenticate_validate(&$form_state) {
$ldap_user = $ldap_server->userUserNameToExistingLdapEntry($authname); // after successful bind, lookup user again to get private attributes
$watchdog_tokens['%mail'] = $ldap_user['mail'];
}
- if ($ldap_server->account_name_attr != '') {
- $accountname = $ldap_user['attr'][ldap_server_massage_text($ldap_server->account_name_attr, 'attr_name', LDAP_SERVER_MASSAGE_QUERY_ARRAY)][0];
- }
- $watchdog_tokens['%account_name_attr'] = $accountname;
-
if ($ldap_server->bind_method == LDAP_SERVERS_BIND_METHOD_SERVICE_ACCT ||
$ldap_server->bind_method == LDAP_SERVERS_BIND_METHOD_ANON_USER) {
$ldap_server->disconnect();
@@ -399,21 +591,24 @@ function _ldap_authentication_user_login_authenticate_validate(&$form_state) {
if ($detailed_watchdog_log) {
watchdog('ldap_authentication', '%username : Authentication result id=%result auth_result=%auth_result (%err_text)', $watchdog_tokens, WATCHDOG_DEBUG);
}
+
+ return array($authentication_result, $ldap_user, $ldap_server);
+}
- if ($authentication_result != LDAP_AUTHENTICATION_RESULT_SUCCESS) {
- $watchdog_tokens['%err_text'] = _ldap_authentication_err_text($authentication_result);
- // fail scenario 1. ldap auth exclusive and failed throw error
- if ($auth_conf->authenticationMode == LDAP_AUTHENTICATION_EXCLUSIVE) {
- if ($detailed_watchdog_log) {
- watchdog('ldap_authentication', '%username : setting error because failed at ldap and
- LDAP_AUTHENTICATION_EXCLUSIVE is set to true. So need to stop authentication of Drupal user that is not user 1.
- error message: %err_text', $watchdog_tokens, WATCHDOG_DEBUG);
- }
- form_set_error('name', $watchdog_tokens['%err_text']);
+function ldap_authentication_fail_response($authentication_result, $auth_conf, $detailed_watchdog_log, &$watchdog_tokens) {
+ $watchdog_tokens['%err_text'] = _ldap_authentication_err_text($authentication_result);
+ // fail scenario 1. ldap auth exclusive and failed throw error so no other authentication methods are allowed
+ if ($auth_conf->authenticationMode == LDAP_AUTHENTICATION_EXCLUSIVE) {
+ if ($detailed_watchdog_log) {
+ watchdog('ldap_authentication', '%username : setting error because failed at ldap and
+ LDAP_AUTHENTICATION_EXCLUSIVE is set to true. So need to stop authentication of Drupal user that is not user 1.
+ error message: %err_text', $watchdog_tokens, WATCHDOG_DEBUG);
}
- else {
- // fail scenario 2. simply fails ldap. return false.
- // don't show user message, may be using other authentication after this that may succeed.
+ form_set_error('name', $watchdog_tokens['%err_text']);
+ }
+ else {
+ // fail scenario 2. simply fails ldap. return false, but don't throw form error
+ // don't show user message, may be using other authentication after this that may succeed.
if ($detailed_watchdog_log) {
watchdog('ldap_authentication',
'%username : Failed ldap authentication.
@@ -422,159 +617,10 @@ function _ldap_authentication_user_login_authenticate_validate(&$form_state) {
$watchdog_tokens,
WATCHDOG_DEBUG
);
- }
- }
- return FALSE;
- }
-
- /**
- * case 0: account doesn't exist with $name used to logon,
- * but puid exists in another user; that is username has changed
- *
- */
-
- $user_edit = array(); // array of attributes that are changing for existing users
- if (!$account_exists && isset($auth_conf->enabledAuthenticationServers[$ldap_user['sid']])) {
- $ldap_server = $auth_conf->enabledAuthenticationServers[$ldap_user['sid']];
- $puid = $ldap_server->userPuidFromLdapEntry($ldap_user['attr']);
- if ($puid) {
- $account = $ldap_server->userUserEntityFromPuid($puid);
- if ($account) {
- $account_exists = TRUE;
- $user_edit['name'] = $accountname;
- $account = user_save($account, $user_edit, 'ldap_user');
- user_set_authmaps($account, array("authname_ldap_user" => $authname));
- }
- }
- }
-
- /**
- * case 1: previously drupal authenticated user authenticated successfully on ldap
- *
- */
- if (!$account_exists && ($account = user_load_by_name($accountname))) {
- user_set_authmaps($account, array('authname_ldap_user' => $authname));
- $account_exists = TRUE;
- }
- if (!$account_exists) {
-
- if ($account_with_same_email = user_load_by_mail($ldap_user['mail'])) {
- // dpm('account with same email');
- /**
- * username does not exist but email does. Since user_external_login_register does not deal with
- * mail attribute and the email conflict error needs to be caught beforehand, need to throw error here
- */
- $watchdog_tokens['%duplicate_name'] = $account_with_same_email->name;
- watchdog('ldap_authentication', 'LDAP user with DN %dn has email address
- (%mail) conflict with a drupal user %duplicate_name', $watchdog_tokens, WATCHDOG_ERROR);
- drupal_set_message(t('Another user already exists in the system with the same email address. You should contact the system administrator in order to solve this conflict.'), 'error');
- return FALSE;
- }
-
- if (!$auth_conf->ldapUser->provisionEnabled(LDAP_USER_PROV_DIRECTION_TO_DRUPAL_USER, LDAP_USER_DRUPAL_USER_PROV_ON_AUTHENTICATE)) {
- watchdog('ldap_user', 'Drupal account for authname=%authname account name=%account_name_attr does not exist and provisioning of Drupal accounts on authentication is not enabled', $watchdog_tokens);
- return FALSE;
- }
- /**
- *
- * new ldap_authentication provisioned account could let user_external_login_register create the account and set authmaps, but would need
- * to add mail and any other user->data data in hook_user_presave which would mean requerying ldap
- * or having a global variable. At this point the account does not exist, so there is no
- * reason not to create it here.
- *
- * @todo create patch for user_external_login_register to deal with new external accounts
- * a little tweak to add user->data and mail etc as parameters would make it more useful
- * for external authentication modules
- */
- ldap_servers_module_load_include('inc', 'ldap_servers', 'ldap_servers.functions');
-
- // $ldap_user['sid'] = $sid;
- $account = NULL;
- $user_edit = array('name' => $accountname, 'status' => 1);
- $user_register = variable_get('user_register', USER_REGISTER_VISITORS_ADMINISTRATIVE_APPROVAL);
- if ($auth_conf->ldapUser->acctCreation == LDAP_AUTHENTICATION_ACCT_CREATION_USER_SETTINGS_FOR_LDAP && $user_register == USER_REGISTER_VISITORS_ADMINISTRATIVE_APPROVAL) {
- $user_edit['status'] = 0; // if admin approval required, set status to 1.
- }
-
- // don't pass in ldap user, because want to requery with correct attributes needed
- // this may be a case where efficiency dictates querying for all attributes
- $account = $auth_conf->ldapUser->provisionDrupalAccount($account, $user_edit, NULL, TRUE);
- if ($account === FALSE) {
- // need to throw error that account was not created so logging in is not happenning via ldap
- }
- }
- else { // account already exists
- if ($ldap_authentication_authmap == FALSE) {
- if ($auth_conf->ldapUser->loginConflictResolve == LDAP_USER_CONFLICT_LOG) {
- if ($account_with_same_email = user_load_by_mail($ldap_user['mail'])) {
- $watchdog_tokens['%conflict_name'] = $account_with_same_email->name;
- watchdog('ldap_authentication', 'LDAP user with DN %dn has a naming conflict with a local drupal user %conflict_name', $watchdog_tokens, WATCHDOG_ERROR);
- }
- drupal_set_message(t('Another user already exists in the system with the same login name. You should contact the system administrator in order to solve this conflict.'), 'error');
- return FALSE;
- }
- else { // LDAP_authen.AC.disallow.ldap.drupal
- // add ldap_authentication authmap to user. account name is fine here, though cn could be used
- user_set_authmaps($account, array('authname_ldap_user' => $authname));
- if ($detailed_watchdog_log) {
- watchdog('ldap_authentication', 'set authmap for %username authname_ldap_user', $watchdog_tokens, WATCHDOG_DEBUG);
- }
- }
- }
-
-
- /**
- * @todo. mail, name, and all other attributes should be synched in this case. need to
- * generalise this instead of dealing with mail and name individually.
- *
- * $account = ldap_user_synch_drupal_account($ldap_user);
- */
-
- if ($account->mail != $ldap_user['mail'] && (
- $auth_conf->emailUpdate == LDAP_AUTHENTICATION_EMAIL_UPDATE_ON_LDAP_CHANGE_ENABLE_NOTIFY ||
- $auth_conf->emailUpdate == LDAP_AUTHENTICATION_EMAIL_UPDATE_ON_LDAP_CHANGE_ENABLE
- )) {
- $user_edit['mail'] = $ldap_user['mail'];
- }
-
- if (count($user_edit)) {
- $watchdog_tokens['%username'] = $account->name;
- if (!$updated_account = user_save($account, $user_edit)) {
- watchdog('ldap_authentication', 'Failed to make changes to user %username updated %changed.', $watchdog_tokens, WATCHDOG_ERROR);
- }
- elseif ($auth_conf->emailUpdate == LDAP_AUTHENTICATION_EMAIL_UPDATE_ON_LDAP_CHANGE_ENABLE_NOTIFY ) {
- if (isset($user_edit['mail'])) {
- $watchdog_tokens['%mail'] = $user_edit['mail'];
- drupal_set_message(t('Your e-mail has been updated to match your current account (%mail).', $watchdog_tokens), 'status');
- }
- if (isset($user_edit['name'])) {
- $watchdog_tokens['%new_username'] = $user_edit['name'];
- drupal_set_message(t('Your old account username %username has been updated to %new_username.', $watchdog_tokens), 'status');
- }
- }
}
}
-
- /**
- * we now have valid, ldap authenticated username with an account authmapped to ldap_authentication.
- * since user_external_login_register can't deal with user mail attribute and doesn't do much else, it is not
- * being used here.
- */
-
- /**
- * without doing the user_login_submit,
- * [#1009990]
- *
- */
- $fake_form_state = array('uid' => $account->uid);
- user_login_submit(array(), $fake_form_state);
- global $user;
- $form_state['uid'] = $user->uid;
- return $user;
-
}
-
-
+
/**
* get human readable authentication error string
*
diff --git a/ldap_authentication/tests/ldap_authentication.test b/ldap_authentication/tests/ldap_authentication.test
index 54fa226..491d9e3 100644
--- a/ldap_authentication/tests/ldap_authentication.test
+++ b/ldap_authentication/tests/ldap_authentication.test
@@ -28,7 +28,8 @@ class LdapAuthenticationTestCase extends LdapTestCase {
parent::setUp(array(
'ldap_authentication',
'ldap_authorization',
- 'ldap_authorization_drupal_role'
+ 'ldap_authorization_drupal_role',
+ 'ldap_test',
)); // don't need any real servers, configured, just ldap_servers code base
variable_set('ldap_simpletest', 2);
}
diff --git a/ldap_authorization/tests/BasicTests.test b/ldap_authorization/tests/BasicTests.test
index cf9b1c4..4185440 100644
--- a/ldap_authorization/tests/BasicTests.test
+++ b/ldap_authorization/tests/BasicTests.test
@@ -357,7 +357,7 @@ function testFlags() {
'error_message' => '',
);
$this->consumerAdminConf['drupal_role']->save();
- debug('mappings'); debug($this->consumerAdminConf['drupal_role']->mappings);
+// debug('mappings'); debug($this->consumerAdminConf['drupal_role']->mappings);
$edit = array(
'name' => 'hpotter',
@@ -366,7 +366,7 @@ function testFlags() {
$this->drupalPost('user', $edit, t('Log in'));
$new_role_created = in_array($new_role, array_values(user_roles()));
- debug("roles"); debug(user_roles());
+ // debug("roles"); debug(user_roles());
$roles_by_name = array_flip(user_roles());
$hpotter = user_load_by_name('hpotter');
$hpotter = user_load($hpotter->uid, TRUE);
diff --git a/ldap_user/ldap_user.info b/ldap_user/ldap_user.info
index 4b42c82..b7038a1 100644
--- a/ldap_user/ldap_user.info
+++ b/ldap_user/ldap_user.info
@@ -4,6 +4,7 @@ package = Lightweight Directory Access Protocol
dependencies[] = ldap_servers
dependencies[] = entity
dependencies[] = number
+
core = 7.x
files[] = ldap_user.api.php