From 957502a28b1d2afec74cad30731dc2ee101cafe3 Mon Sep 17 00:00:00 2001 From: Nils Adermann Date: Sat, 18 Mar 2006 16:19:18 +0000 Subject: [PATCH] - Added init_{$auth_plugin} function which can be used to test a connection to the authentication system before actually saving the new configuration. This will hopefully stop people from locking themselves out by using an authentication system that they cannot connect to. git-svn-id: file:///svn/phpbb/trunk@5653 89ea8834-ac86-4346-8a33-228a782c2dd0 --- phpBB/includes/acp/acp_board.php | 36 ++++++++++++++++++++++++++ phpBB/includes/auth/auth_ldap.php | 42 +++++++++++++++++++++++++++++++ phpBB/language/en/acp/board.php | 17 +++++++------ 3 files changed, 88 insertions(+), 7 deletions(-) diff --git a/phpBB/includes/acp/acp_board.php b/phpBB/includes/acp/acp_board.php index d39316226b..cc5b316a09 100644 --- a/phpBB/includes/acp/acp_board.php +++ b/phpBB/includes/acp/acp_board.php @@ -282,6 +282,11 @@ class acp_board continue; } + if ($config_name == 'auth_method') + { + continue; + } + $config_value = $cfg_array[$config_name]; $this->new_config[$config_name] = $config_value; @@ -313,6 +318,8 @@ class acp_board sort($auth_plugins); + $updated_auth_settings = false; + $old_auth_config = array(); foreach ($auth_plugins as $method) { if ($method && file_exists($phpbb_root_path . 'includes/auth/auth_' . $method . '.' . $phpEx)) @@ -337,11 +344,13 @@ class acp_board continue; } + $old_auth_config[$field] = $this->new_config[$field]; $config_value = $cfg_array[$field]; $this->new_config[$field] = $config_value; if ($submit) { + $updated_auth_settings = true; set_config($field, $config_value); } } @@ -350,6 +359,33 @@ class acp_board } } } + + if ($submit && (($cfg_array['auth_method'] != $this->new_config['auth_method']) || $updated_auth_settings)) + { + $method = $cfg_array['auth_method']; + if ($method && in_array($method, $auth_plugins)) + { + include_once($phpbb_root_path . 'includes/auth/auth_' . $method . '.' . $phpEx); + + $method = 'init_' . $method; + if (function_exists($method)) + { + if (($error = $method()) == true) + { + foreach ($old_auth_config as $config_name => $config_value) + { + set_config($config_name, $config_value); + } + trigger_error($error . adm_back_link($this->u_action)); + } + } + set_config('auth_method', $cfg_array['auth_method']); + } + else + { + trigger_error('NO_AUTH_PLUGIN'); + } + } } if ($submit) diff --git a/phpBB/includes/auth/auth_ldap.php b/phpBB/includes/auth/auth_ldap.php index 2eedd5a17b..17c29cc5e6 100644 --- a/phpBB/includes/auth/auth_ldap.php +++ b/phpBB/includes/auth/auth_ldap.php @@ -19,6 +19,48 @@ * */ +/** +* Only allow changing authentication to ldap if we can connect to the ldap server +*/ +function init_ldap() +{ + global $config, $user; + + if (!extension_loaded('ldap')) + { + return $user->lang['LDAP_NO_LDAP_EXTENSION']; + } + + if (!($ldap = @ldap_connect($config['ldap_server']))) + { + return $user->lang['LDAP_NO_SERVER_CONNECTION']; + } + + @ldap_set_option($ldap, LDAP_OPT_PROTOCOL_VERSION, 3); + + // We'll get a notice here that we don't want, if we cannot connect to the server. + // ldap_connect only checks whether the specified server is valid, so the connection might still fail + ob_start(); + + $search = @ldap_search($ldap, $config['ldap_base_dn'], $config['ldap_uid'] . '=' . $user->data['username'], array($config['ldap_uid'])); + + if (ob_get_clean()) + { + return $user->lang['LDAP_NO_SERVER_CONNECTION']; + } + + $result = @ldap_get_entries($ldap, $search); + + @ldap_close($ldap); + + if (is_array($result) && sizeof($result) > 1) + { + return false; + } + + return sprintf($user->lang['LDAP_NO_IDENTITY'], $user->data['username']); +} + /** * Login function */ diff --git a/phpBB/language/en/acp/board.php b/phpBB/language/en/acp/board.php index fb7795a900..fa9736cae5 100644 --- a/phpBB/language/en/acp/board.php +++ b/phpBB/language/en/acp/board.php @@ -308,13 +308,16 @@ $lang = array_merge($lang, array( // Auth settings $lang = array_merge($lang, array( 'ACP_AUTH_SETTINGS_EXPLAIN' => 'phpBB2 supports authentication plug-ins, or modules. These allow you determine how users are authenticated when they log into the board. By default three plug-ins are provided; DB, LDAP and Apache. Not all methods require additional information so only fill out fields if they are relevant to the selected method.', - 'AUTH_METHOD' => 'Select an authentication method', - 'LDAP_SERVER' => 'LDAP server name', - 'LDAP_SERVER_EXPLAIN' => 'If using LDAP this is the name or IP address of the server.', - 'LDAP_DN' => 'LDAP base dn', - 'LDAP_DN_EXPLAIN' => 'This is the Distinguished Name, locating the user information, e.g. o=My Company,c=US', - 'LDAP_UID' => 'LDAP uid', - 'LDAP_UID_EXPLAIN' => 'This is the key under which to search for a given login identity, e.g. uid, sn, etc.', + 'AUTH_METHOD' => 'Select an authentication method', + 'LDAP_NO_IDENTITY' => 'Could not find a login identity for %s', + 'LDAP_NO_LDAP_EXTENSION' => 'LDAP extension not availible', + 'LDAP_NO_SERVER_CONNECTION' => 'Could not connect to LDAP server', + 'LDAP_DN' => 'LDAP base dn', + 'LDAP_DN_EXPLAIN' => 'This is the Distinguished Name, locating the user information, e.g. o=My Company,c=US', + 'LDAP_SERVER' => 'LDAP server name', + 'LDAP_SERVER_EXPLAIN' => 'If using LDAP this is the name or IP address of the server.', + 'LDAP_UID' => 'LDAP uid', + 'LDAP_UID_EXPLAIN' => 'This is the key under which to search for a given login identity, e.g. uid, sn, etc.', )); // Board defaults