ILIAS  release_5-3 Revision v5.3.23-19-g915713cf615
Radius.php
Go to the documentation of this file.
1 <?php
2 
10 class sspmod_radius_Auth_Source_Radius extends sspmod_core_Auth_UserPassBase
11 {
15  private $servers;
16 
20  private $hostname;
21 
25  private $port;
26 
30  private $secret;
31 
35  private $timeout;
36 
40  private $retries;
41 
45  private $realm;
46 
50  private $usernameAttribute;
51 
55  private $vendor;
56 
61  private $vendorType;
62 
66  private $nasIdentifier;
67 
74  public function __construct($info, $config)
75  {
76  assert('is_array($info)');
77  assert('is_array($config)');
78 
79  // Call the parent constructor first, as required by the interface
80  parent::__construct($info, $config);
81 
82  // Parse configuration.
83  $config = SimpleSAML_Configuration::loadFromArray($config,
84  'Authentication source ' . var_export($this->authId, true));
85 
86  $this->servers = $config->getArray('servers', array());
87  /* For backwards compatibility. */
88  if (empty($this->servers)) {
89  $this->hostname = $config->getString('hostname');
90  $this->port = $config->getIntegerRange('port', 1, 65535, 1812);
91  $this->secret = $config->getString('secret');
92  $this->servers[] = array('hostname' => $this->hostname,
93  'port' => $this->port,
94  'secret' => $this->secret);
95  }
96  $this->timeout = $config->getInteger('timeout', 5);
97  $this->retries = $config->getInteger('retries', 3);
98  $this->realm = $config->getString('realm', null);
99  $this->usernameAttribute = $config->getString('username_attribute', null);
100  $this->nasIdentifier = $config->getString('nas_identifier',
101  \SimpleSAML\Utils\HTTP::getSelfHost());
102 
103  $this->vendor = $config->getInteger('attribute_vendor', null);
104  if ($this->vendor !== null) {
105  $this->vendorType = $config->getInteger('attribute_vendor_type');
106  }
107  }
108 
109 
117  protected function login($username, $password)
118  {
119  assert('is_string($username)');
120  assert('is_string($password)');
121 
122  $radius = radius_auth_open();
123 
124  /* Try to add all radius servers, trigger a failure if no one works. */
125  $success = false;
126  foreach ($this->servers as $server) {
127  if (!isset($server['port'])) {
128  $server['port'] = 1812;
129  }
130  if (!radius_add_server($radius,
131  $server['hostname'], $server['port'], $server['secret'],
132  $this->timeout, $this->retries)) {
133  SimpleSAML\Logger::info("Could not add radius server: " .
134  radius_strerror($radius));
135  continue;
136  }
137  $success = true;
138  }
139  if (!$success) {
140  throw new Exception('Error adding radius servers, no servers available');
141  }
142 
143  if (!radius_create_request($radius, RADIUS_ACCESS_REQUEST)) {
144  throw new Exception('Error creating radius request: ' .
145  radius_strerror($radius));
146  }
147 
148  if ($this->realm === null) {
149  radius_put_attr($radius, RADIUS_USER_NAME, $username);
150  } else {
151  radius_put_attr($radius, RADIUS_USER_NAME, $username . '@' . $this->realm);
152  }
153  radius_put_attr($radius, RADIUS_USER_PASSWORD, $password);
154 
155  if ($this->nasIdentifier !== null) {
156  radius_put_attr($radius, RADIUS_NAS_IDENTIFIER, $this->nasIdentifier);
157  }
158 
159  $res = radius_send_request($radius);
160  if ($res != RADIUS_ACCESS_ACCEPT) {
161  switch ($res) {
162  case RADIUS_ACCESS_REJECT:
163  /* Invalid username or password. */
164  throw new SimpleSAML_Error_Error('WRONGUSERPASS');
165  case RADIUS_ACCESS_CHALLENGE:
166  throw new Exception('Radius authentication error: Challenge requested, but not supported.');
167  default:
168  throw new Exception('Error during radius authentication: ' .
169  radius_strerror($radius));
170  }
171  }
172 
173  /* If we get this far, we have a valid login. */
174 
175  $attributes = array();
176 
177  if ($this->usernameAttribute !== null) {
178  $attributes[$this->usernameAttribute] = array($username);
179  }
180 
181  if ($this->vendor === null) {
182  /*
183  * We aren't interested in any vendor-specific attributes. We are
184  * therefore done now.
185  */
186  return $attributes;
187  }
188 
189  /* get AAI attribute sets. Contributed by Stefan Winter, (c) RESTENA */
190  while ($resa = radius_get_attr($radius)) {
191 
192  if (!is_array($resa)) {
193  throw new Exception('Error getting radius attributes: ' .
194  radius_strerror($radius));
195  }
196 
197  /* Use the received user name */
198  if ($resa['attr'] == RADIUS_USER_NAME) {
199  $attributes[$this->usernameAttribute] = array($resa['data']);
200  continue;
201  }
202 
203  if ($resa['attr'] !== RADIUS_VENDOR_SPECIFIC) {
204  continue;
205  }
206 
207  $resv = radius_get_vendor_attr($resa['data']);
208  if (!is_array($resv)) {
209  throw new Exception('Error getting vendor specific attribute: ' .
210  radius_strerror($radius));
211  }
212 
213  $vendor = $resv['vendor'];
214  $attrv = $resv['attr'];
215  $datav = $resv['data'];
216 
217  if ($vendor != $this->vendor || $attrv != $this->vendorType) {
218  continue;
219  }
220 
221  $attrib_name = strtok($datav,'=');
222  $attrib_value = strtok('=');
223 
224  /* if the attribute name is already in result set,
225  add another value */
226  if (array_key_exists($attrib_name, $attributes)) {
227  $attributes[$attrib_name][] = $attrib_value;
228  } else {
229  $attributes[$attrib_name] = array($attrib_value);
230  }
231  }
232  /* end of contribution */
233 
234  return $attributes;
235  }
236 }
sspmod_radius_Auth_Source_Radius
Definition: Radius.php:10
sspmod_radius_Auth_Source_Radius\$retries
$retries
The number of retries which should be attempted.
Definition: Radius.php:40
sspmod_radius_Auth_Source_Radius\login
login($username, $password)
Attempt to log in using the given username and password.
Definition: Radius.php:117
sspmod_radius_Auth_Source_Radius\$usernameAttribute
$usernameAttribute
The attribute name where the username should be stored.
Definition: Radius.php:50
sspmod_core_Auth_UserPassBase
Definition: UserPassBase.php:12
$attributes
$attributes
Definition: serviceValidate.php:33
sspmod_radius_Auth_Source_Radius\$realm
$realm
The realm to be added to the entered username.
Definition: Radius.php:45
$password
$password
Definition: pwgen.php:17
SimpleSAML
Attribute-related utility methods.
SimpleSAML\Logger\info
static info($string)
Definition: Logger.php:201
$success
$success
Definition: Utf8Test.php:86
$res
foreach($_POST as $key=> $value) $res
Definition: save_question_post_data.php:15
sspmod_radius_Auth_Source_Radius\$vendor
$vendor
The vendor for the RADIUS attributes we are interrested in.
Definition: Radius.php:55
SimpleSAML_Error_Error
Definition: Error.php:10
sspmod_radius_Auth_Source_Radius\__construct
__construct($info, $config)
Constructor for this authentication source.
Definition: Radius.php:74
array
Create styles array
The data for the language used.
Definition: 40duplicateStyle.php:19
$server
$server
Definition: getUserInfo.php:12
sspmod_radius_Auth_Source_Radius\$servers
$servers
The list of radius servers to use.
Definition: Radius.php:15
sspmod_radius_Auth_Source_Radius\$hostname
$hostname
The hostname of the radius server.
Definition: Radius.php:20
sspmod_radius_Auth_Source_Radius\$vendorType
$vendorType
The vendor-specific attribute for the RADIUS attributes we are interrested in.
Definition: Radius.php:61
sspmod_radius_Auth_Source_Radius\$nasIdentifier
$nasIdentifier
The NAS-Identifier that should be set in Access-Request packets.
Definition: Radius.php:66
sspmod_radius_Auth_Source_Radius\$port
$port
The port of the radius server.
Definition: Radius.php:25
sspmod_radius_Auth_Source_Radius\$secret
$secret
The secret used when communicating with the radius server.
Definition: Radius.php:30
$info
$info
Definition: index.php:5
sspmod_radius_Auth_Source_Radius\$timeout
$timeout
The timeout for contacting the radius server.
Definition: Radius.php:35
SimpleSAML_Configuration\loadFromArray
static loadFromArray($config, $location='[ARRAY]', $instance=null)
Loads a configuration from the given array.
Definition: Configuration.php:269