14 const STAGEID =
'sspmod_negotiate_Auth_Source_Negotiate.StageId';
43 assert(
'is_array($info)');
44 assert(
'is_array($config)');
46 if (!extension_loaded(
'krb5')) {
47 throw new Exception(
'KRB5 Extension not installed');
55 $this->backend =
$config->getString(
'fallback');
56 $this->hostname =
$config->getString(
'hostname');
57 $this->port =
$config->getInteger(
'port', 389);
58 $this->referrals =
$config->getBoolean(
'referrals',
true);
59 $this->enableTLS =
$config->getBoolean(
'enable_tls',
false);
60 $this->debugLDAP =
$config->getBoolean(
'debugLDAP',
false);
61 $this->timeout =
$config->getInteger(
'timeout', 30);
62 $this->keytab =
$config->getString(
'keytab');
64 $this->attr =
$config->getString(
'attr',
'uid');
65 $this->subnet =
$config->getArray(
'subnet',
null);
66 $this->admin_user =
$config->getString(
'adminUser',
null);
67 $this->admin_pw =
$config->getString(
'adminPassword',
null);
68 $this->attributes =
$config->getArray(
'attributes',
null);
85 assert(
'is_array($state)');
88 $state[
'LogoutState'] = array(
89 'negotiate:backend' => $this->backend,
101 $disabled =
$session->getData(
'negotiate:disable',
'session');
104 (!empty(
$_COOKIE[
'NEGOTIATE_AUTOLOGIN_DISABLE_PERMANENT']) &&
105 $_COOKIE[
'NEGOTIATE_AUTOLOGIN_DISABLE_PERMANENT'] ==
'True')
120 if (!empty(
$_SERVER[
'HTTP_AUTHORIZATION'])) {
131 list($mech,
$data) = explode(
' ',
$_SERVER[
'HTTP_AUTHORIZATION'], 2);
132 if (strtolower($mech) ==
'basic') {
135 if (strtolower($mech) !=
'negotiate') {
140 $auth =
new KRB5NegotiateAuth($this->keytab);
143 $reply =
$auth->doAuthentication();
144 }
catch (Exception $e) {
151 $user =
$auth->getAuthenticatedUser();
154 if ($lookup !==
null) {
155 $state[
'Attributes'] = $lookup;
157 $state[
'LogoutState'] = array(
158 'negotiate:backend' =>
null,
191 if (array_key_exists(
'negotiate:disable',
$spMetadata)) {
216 if ($this->subnet ===
null) {
220 foreach ($this->subnet as $cidr) {
241 $json_url = json_encode(
$url);
243 header(
'HTTP/1.1 401 Unauthorized');
244 header(
'WWW-Authenticate: Negotiate',
false);
248 <script type=
"text/javascript">window.location = $json_url</script>
249 <title>Redirect to login</title>
252 <p>Your browser seems to have Javascript disabled. Please click <a href=
"$url">here</a>.</p>
281 }
catch (Exception $e) {
302 $pos = strpos($user,
'@');
303 if ($pos ===
false) {
306 $uid = substr($user, 0, $pos);
310 $dn = $this->ldap->searchfordn($this->
base, $this->attr, $uid);
311 return $this->ldap->getAttributes($dn, $this->attributes);
325 if ($this->admin_user ===
null) {
330 'Negotiate - authenticate(): Binding as system user '.var_export($this->admin_user,
true)
333 if (!$this->ldap->bind($this->admin_user, $this->admin_pw)) {
334 $msg =
'Unable to authenticate system user (LDAP_INVALID_CREDENTIALS) '.var_export($this->admin_user,
true);
351 assert(
'is_array($state)');
358 $session->setData(
'negotiate:disable',
'session',
true, 24 * 60 * 60);
const EOF
How fgetc() reports an End Of File.
if(!array_key_exists('stateid', $_REQUEST)) $state
Handle linkback() response from LinkedIn.
An exception for terminating execution or to throw for unit testing.
static ipCIDRcheck($cidr, $ip=null)
Check whether an IP address is part of a CIDR.
static loginCompleted($state)
Called when a login operation has finished.
static getById($authId, $type=null)
Retrieve authentication source.
static completeAuth(&$state)
Complete authentication.
static throwException($state, SimpleSAML_Error_Exception $exception)
Throw exception to the state exception handler.
static saveState(&$state, $stage, $rawId=false)
Save the state.
static loadFromArray($config, $location='[ARRAY]', $instance=null)
Loads a configuration from the given array.
static getSessionFromRequest()
Retrieves the current session.
logout(&$state)
Log out from this authentication source.
sendNegotiate($params)
Send the actual headers and body of the 401.
static fallBack(&$state)
Passes control of the login process to a different module.
authenticate(&$state)
The inner workings of the module.
lookupUserData($user)
Strips away the realm of the Kerberos identifier, looks up what attributes to fetch from SP metadata ...
checkMask()
checkMask() looks up the subnet config option and verifies that the client is within that range.
adminBind()
Elevates the LDAP connection to allow restricted lookups if so configured.
spDisabledInMetadata($spMetadata)
__construct($info, $config)
Constructor for this authentication source.
if(!array_key_exists('StateId', $_REQUEST)) $id
Attribute-related utility methods.
if((!isset($_SERVER['DOCUMENT_ROOT'])) OR(empty($_SERVER['DOCUMENT_ROOT']))) $_SERVER['DOCUMENT_ROOT']