Ldapauth

Version

This change is compatible with playsms 0.9.5.3

Caution

PlaySMS stores PLAINTEXT PASSWORDS in its database. In the code below, when a user authenticates against LDAP, the password is also written in plaintext to the playsms database. This is because additional functions such as valid and isadmin use the password to perform their actions. Using hashes instead of plaintext passwords would be an improvement for the future.

Summary

This change in the playsms code allows authenticating users against an LDAP directory. A flat structure is expected in the LDAP directory; see the description of the LDAP Import plugin. The authentication type is defined in the config file (you can keep the existing one, with users from the DB). The group "playsms" (or any other group, which has to be defined in the config file) contains the members who can log in to playsms. The idea is to import the users from LDAP and then authenticate them during login against LDAP, while all the additional user information is fetched from the DB. This means that if you add a user to the playsms group in LDAP but do not sync it into playsms, it probably won't work because the user data are not available to playsms. This could be solved by importing the user automatically when they log in to playsms (authenticated against LDAP) but do not yet exist in the playsms DB. I'll probably do this soon anyway. As a safeguard, the admin user is always validated against the DB, in case LDAP is unavailable.

config.php

// Authentication types supported (values compared in validatelogin())
define('AUTH_USE_LDAP', 0);
define('AUTH_USE_DB', 1);

// LDAP connection configuration
// NOTE: plain LDAP on port 389 without STARTTLS/ldaps carries the bind
// password in clear text over the network.
$core_config['ldap']['host']  = 'lietadlo';
$core_config['ldap']['port']  = 389;
$core_config['ldap']['prot']  = 3;   // LDAP protocol version passed to ldap_set_option()
// base DN under which "uid=<username>" is bound
$core_config['ldap']['user']  = 'ou=people,dc=maxcrc,dc=com';
// base DN searched for the group whose memberUid must contain the user
$core_config['ldap']['group'] = 'ou=groups,dc=maxcrc,dc=com';

// Authentication type used
// DB - authenticates users from the DB
// LDAP - authenticates users against LDAP
$core_config['auth_type'] = AUTH_USE_LDAP;

fn_auth.php

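// OpenLDAP's LDAP_OPT_DIAGNOSTIC_MESSAGE (0x0032), read back after a failed bind.
// Newer PHP ldap builds export this constant themselves, so guard the define()
// to avoid a "constant already defined" warning on those installs.
if ( !defined('LDAP_OPT_DIAGNOSTIC_MESSAGE') ) {
    define ( 'LDAP_OPT_DIAGNOSTIC_MESSAGE', 0x0032);
}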
 
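/**
 * Authenticate a user against LDAP: bind as uid=<username> under the configured
 * user base DN, then require membership (memberUid) in the "playsms" group under
 * the configured group base DN. On success the plaintext password is written to
 * the playsms user table (other code relies on it) and a ticket is returned.
 *
 * @param string $username  account name from the login form (untrusted)
 * @param string $password  password from the login form (untrusted)
 * @return string|false     ticket on success, false on any failure
 */
function validatelogin_LDAP ($username,$password) {
    global $core_config;
    $ticket = false;

    // Allow-list the username before it is interpolated into the bind DN, the
    // search filter and the SQL statement below. One conservative check covers
    // all three contexts (DN/filter metacharacters and SQL quotes are excluded);
    // widen the character class if your uids legitimately need more.
    if ( !is_string($username) || preg_match('/^[A-Za-z0-9._@-]{1,64}$/', $username) !== 1 ) {
        logger_print ( "Rejected malformed username", 3, "login" );
        return false;
    }
    // An empty password must not reach ldap_bind(): a DN with an empty password
    // is an unauthenticated (anonymous) bind, which servers commonly accept, so
    // without this check a ticket could be issued without any credential.
    if ( !is_string($password) || $password === '' ) {
        logger_print ( "Empty password for u:".$username, 3, "login" );
        return false;
    }

    $fulldn_username = "uid=".$username.",".$core_config['ldap']['user'];
    // The password is deliberately not logged.
    logger_print ( "u:".$username." t:".$ticket, 1, "login" );

    $ds = ldap_connect( $core_config['ldap']['host'], $core_config['ldap']['port'] );
    if ( !$ds ) {
        logger_print ( "LDAP connect failed", 3, "login" );
        logger_print ( "LDAP result ".$ticket, 3, "login" );
        return $ticket;
    }
    // Only apply the protocol version when the config holds a plain integer
    // (the old pattern also matched an empty string).
    if ( preg_match( '/^\d+$/', (string) $core_config['ldap']['prot']) === 1 ) {
        ldap_set_option($ds, LDAP_OPT_PROTOCOL_VERSION, (int) $core_config['ldap']['prot']);
    }
    logger_print ( "Connected", 3, "login" );

    $br = ldap_bind($ds, $fulldn_username, $password);
    if ( $br ) {
        // Membership check: ldap_search() returns a result handle even when the
        // filter matched nothing, so the handle alone does not prove the user is
        // in the playsms group - the entry count does.
        $sr = ldap_search($ds, $core_config['ldap']['group'], "(&(cn=playsms)(memberUid=".$username."))", array ("cn") );
        if ( $sr && ldap_count_entries($ds, $sr) > 0 ) {
            logger_print ( "Authenticated", 3, "login" );
            // to avoid modifying further code valid, isadmin we simply write the password into the playsms db
            // yes this is bad. yes plaintext passwords in the db are bad.
            // The username is already allow-listed above; the password is escaped
            // with addslashes() because the dba_* helpers used here take no bound
            // parameters - a parameterised query through the DB layer is the
            // proper fix if it offers one.
            $db_query = "UPDATE "._DB_PREF_."_tblUser SET password='".addslashes($password)."' WHERE username='".$username."' LIMIT 1";
            if (@dba_affected_rows($db_query))
            {
                // NOTE(review): mktime() is second-granular and the username is
                // public, so this ticket is guessable; if it is used as a session
                // token it should be derived from a CSPRNG instead.
                $ticket = md5(mktime().$username);
            } else {
                logger_print ( "Can't write password to DB", 3, "login" );
            }
        } elseif ( $sr ) {
            logger_print ( "Not in group", 3, "login" );
        } else {
            logger_print ( "Group search failed: ".ldap_error($ds), 3, "login" );
        }
    } else {
        // Bind failed: surface the server's diagnostic text when available.
        if (ldap_get_option($ds, LDAP_OPT_DIAGNOSTIC_MESSAGE, $extended_error)) {
            logger_print ( $extended_error, 3, "login" );
        }
    }
    ldap_close($ds);
    logger_print ( "LDAP result ".$ticket, 3, "login" );
    return $ticket;
}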
 
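/**
 * Authenticate a user against the playsms user table, which holds the password
 * in plaintext (see the note at the top of this page).
 *
 * @param string $username  account name from the login form (untrusted)
 * @param string $password  password from the login form (untrusted)
 * @return string|false     ticket on success, false on any failure
 */
function validatelogin_DB($username,$password) {
    // Allow-list the username before it is interpolated into SQL: it comes
    // straight from the login form and the dba_* helpers used here take no
    // bound parameters. Widen the character class if your account names need it.
    if ( !is_string($username) || preg_match('/^[A-Za-z0-9._@-]{1,64}$/', $username) !== 1 ) {
        return false;
    }
    if ( !is_string($password) || $password === '' ) {
        return false;
    }

    $db_query = "SELECT password FROM "._DB_PREF_."_tblUser WHERE username='".$username."' LIMIT 1";
    $db_result = dba_query($db_query);
    // Unknown user (or failed query): no row, nothing to compare against.
    $db_row = $db_result ? dba_fetch_array($db_result) : false;
    if ( !is_array($db_row) || !isset($db_row['password']) ) {
        return false;
    }
    $res_password = trim($db_row['password']);

    // Strict comparison: '==' treats numeric-looking strings such as
    // '0e123' and '0e456' as equal, which would accept a wrong password.
    if ( $res_password !== '' && $password === $res_password ) {
        // NOTE(review): mktime() is second-granular and the username is public,
        // so this ticket is guessable; derive it from a CSPRNG if it is a session token.
        return md5(mktime().$username);
    }
    return false;
}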
 
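/**
 * Entry point for login validation. "admin" is always checked against the DB
 * so that the site stays reachable when LDAP is down; every other user is
 * routed by $core_config['auth_type'].
 *
 * @param string $username  account name from the login form (untrusted)
 * @param string $password  password from the login form (untrusted)
 * @return string|false     ticket on success, false on failure or unknown auth_type
 */
function validatelogin ($username,$password) {
    global $core_config;

    // special case admin can login always with DB password
    if ( $username === 'admin' ) {
        return validatelogin_DB ('admin',$password);
    }

    // The other users are configurable as to what they are authenticated
    // against. Compare strictly: a loose switch treats an unset auth_type
    // (null) as equal to AUTH_USE_LDAP (0), silently selecting LDAP.
    $auth_type = isset($core_config['auth_type']) ? $core_config['auth_type'] : null;
    if ( $auth_type === AUTH_USE_DB ) {
        return validatelogin_DB ($username,$password);
    }
    if ( $auth_type === AUTH_USE_LDAP ) {
        return validatelogin_LDAP ($username,$password);
    }
    // Unknown auth_type: fail closed instead of falling out with null.
    return false;
}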