Wed Jul 20 23:56:29 2011 UTC (6 years, 4 months ago) by gage
File size: 4111 byte(s)
added LDAP patch


    1 ################################################################################
    2 # WeBWorK Online Homework Delivery System
    3 # Copyright  2000-2007 The WeBWorK Project, http://openwebwork.sf.net/
    4 # $CVSHeader: webwork2/lib/WeBWorK/Authen/LDAP.pm,v 1.4 2007/08/13 22:59:54 sh002i Exp $
    5 #
    6 # This program is free software; you can redistribute it and/or modify it under
    7 # the terms of either: (a) the GNU General Public License as published by the
    8 # Free Software Foundation; either version 2, or (at your option) any later
    9 # version, or (b) the "Artistic License" which comes with this package.
   10 #
   11 # This program is distributed in the hope that it will be useful, but WITHOUT
   12 # ANY WARRANTY; without even the implied warranty of MERCHANTABILITY or FITNESS
   13 # FOR A PARTICULAR PURPOSE.  See either the GNU General Public License or the
   14 # Artistic License for more details.
   15 ################################################################################
   16 
package WeBWorK::Authen::LDAP;
use base qw/WeBWorK::Authen/;

use strict;
use warnings;
use Scalar::Util qw/looks_like_number/;
use WeBWorK::Debug;
use Net::LDAP qw/LDAP_INVALID_CREDENTIALS/;
   24 
   25 sub checkPassword {
   26   my ($self, $userID, $possibleClearPassword) = @_;
   27   my $ce = $self->{r}->ce;
   28   my $failover = $ce->{authen}{ldap_options}{failover};
   29 
   30   debug("LDAP module is doing the password checking.\n");
   31 
   32   # check against LDAP server
   33   my $ret = $self->ldap_authen_uid($userID, $possibleClearPassword);
   34   return 1 if ($ret == 1);
   35 
   36     #return 0 if ($userID !~ /admin/);
   37 
   38   # optional: fail over to superclass checkPassword
   39   if (($failover eq "all" or $failover == 1) || ($failover eq "local" and $ret < 0)) {
   40     $self->write_log_entry("AUTH LDAP: authentication failed, deferring to superclass");
   41     return $self->SUPER::checkPassword($userID, $possibleClearPassword);
   42   }
   43 
   44   # fail by default
   45   return 0;
   46 }
   47 
   48 sub ldap_authen_uid {
   49   my ($self, $uid, $password) = @_;
   50   my $ce = $self->{r}->ce;
   51   my $hosts = $ce->{authen}{ldap_options}{net_ldap_hosts};
   52   my $opts = $ce->{authen}{ldap_options}{net_ldap_opts};
   53   my $base = $ce->{authen}{ldap_options}{net_ldap_base};
   54         my $searchdn = $ce->{authen}{ldap_options}{searchDN};
   55   my $bindAccount = $ce->{authen}{ldap_options}{bindAccount};
   56         my $bindpassword = $ce->{authen}{ldap_options}{bindPassword};
   57   # Be backwards-compatible with releases that hardcode this value.
   58   my $rdn = "sAMAccountName";
   59   if (defined $ce->{authen}{ldap_options}{net_ldap_rdn}) {
   60     $rdn = $ce->{authen}{ldap_options}{net_ldap_rdn};
   61   }
   62 
   63 
   64 
   65   # connect to LDAP server
   66   my $ldap = new Net::LDAP($hosts, @$opts);
   67   if (not defined $ldap) {
   68     warn "AUTH LDAP: couldn't connect to any of ", join(", ", @$hosts), ".\n";
   69     return 0;
   70   }
   71 
   72   my $msg;
   73 
   74 
   75   if($bindAccount){
   76         # bind with a bind USER
   77           $msg = $ldap->bind( $searchdn, password => $bindpassword );
   78           if ($msg->is_error) {
   79                   warn "AUTH LDAP: bind error ", $msg->code, ": ", $msg->error_text, ".\n";
   80                   return 0;
   81     }
   82   }
   83   else{
   84   # bind anonymously
   85     $msg = $ldap->bind;
   86     if ($msg->is_error) {
   87       warn "AUTH LDAP: bind error ", $msg->code, ": ", $msg->error_text, ".\n";
   88       return 0;
   89     }
   90   }
   91 
   92   # look up user's DN
   93   $msg = $ldap->search(base => $base, filter => "$rdn=$uid");
   94   if ($msg->is_error) {
   95     warn "AUTH LDAP: search error ", $msg->code, ": ", $msg->error_text, ".\n",$searchdn,"\n",$base,"\n",$uid,"\n";
   96     return 0;
   97   }
   98   if ($msg->count > 1) {
   99     warn "AUTH LDAP: more than one result returned when searching for UID '$uid'.\n";
  100     return 0;
  101   }
  102   if ($msg->count == 0) {
  103     $self->write_log_entry("AUTH LDAP: UID not found");
  104     return -1;
  105   }
  106   my $dn = $msg->shift_entry->dn;
  107   if (not defined $dn) {
  108     warn "AUTH LDAP: got null DN when looking up UID '$uid'.\n";
  109     return 0;
  110   }
  111 
  112   # re-bind as user. if that works, we've authenticated!
  113   $msg = $ldap->bind($dn, password => $password);
  114   if ($msg->code == LDAP_INVALID_CREDENTIALS) {
  115     $self->write_log_entry("AUTH LDAP: server rejected password for UID.");
  116     return 0;
  117   }
  118   if ($msg->is_error) {
  119     warn "AUTH LDAP: bind error ", $msg->code, ": ", $msg->error_text, ".\n";
  120     return 0;
  121   }
  122 
  123   # it worked! we win!
  124   return 1;
  125 }
  126 
1;  # a module must return a true value for use/require to succeed
