[3733] | 1 | <?php |
---|
| 2 | /** |
---|
| 3 | * Manages PAM repository connection with pwauth |
---|
| 4 | * |
---|
| 5 | * @package davical |
---|
| 6 | * @category Technical |
---|
| 7 | * @subpackage pwauth |
---|
| 8 | * @author Eric Seigne <eric.seigne@ryxeo.com>, |
---|
| 9 | * Michael B. Trausch <mike@trausch.us> |
---|
| 10 | * @copyright Eric Seigne |
---|
| 11 | * @license http://gnu.org/copyleft/gpl.html GNU GPL v2 |
---|
| 12 | * |
---|
| 13 | * Based on drivers_squid_pam.php |
---|
| 14 | */ |
---|
| 15 | |
---|
| 16 | require_once("auth-functions.php"); |
---|
| 17 | |
---|
| 18 | class pwauthPamDrivers |
---|
| 19 | { |
---|
| 20 | /**#@+ |
---|
| 21 | * @access private |
---|
| 22 | */ |
---|
| 23 | |
---|
| 24 | /**#@-*/ |
---|
| 25 | |
---|
| 26 | |
---|
| 27 | /** |
---|
| 28 | * Constructor. |
---|
| 29 | * @param string $config path where pwauth is |
---|
| 30 | */ |
---|
| 31 | function pwauthPamDrivers($config){ |
---|
| 32 | $this->__construct($config); |
---|
| 33 | } |
---|
| 34 | |
---|
| 35 | |
---|
| 36 | /** |
---|
| 37 | * The constructor |
---|
| 38 | * |
---|
| 39 | * @param string $config path where pwauth is |
---|
| 40 | */ |
---|
| 41 | function __construct($config) |
---|
| 42 | { |
---|
| 43 | global $c; |
---|
| 44 | if(!file_exists($config)) { |
---|
| 45 | $c->messages[] = |
---|
| 46 | sprintf(i18n('drivers_pwauth_pam : Unable to find %s file'), $config); |
---|
| 47 | $this->valid=false; |
---|
| 48 | return ; |
---|
| 49 | } |
---|
| 50 | } |
---|
| 51 | } |
---|
| 52 | |
---|
| 53 | |
---|
| 54 | /** |
---|
| 55 | * Check the username / password against the PAM system |
---|
| 56 | */ |
---|
| 57 | function PWAUTH_PAM_check($username, $password) { |
---|
| 58 | global $c; |
---|
| 59 | $program = $c->authenticate_hook['config']['path']; |
---|
| 60 | $email_base = $c->authenticate_hook['config']['email_base']; |
---|
| 61 | |
---|
| 62 | $pipe = popen(escapeshellarg($program), 'w'); |
---|
| 63 | $authinfo = sprintf("%s\n%s\n", $username, $password); |
---|
| 64 | $written = fwrite($pipe, $authinfo); |
---|
| 65 | dbg_error_log('pwauth', 'Bytes written: %d of %d', $written, |
---|
| 66 | strlen($authinfo)); |
---|
| 67 | $return_status = pclose($pipe); |
---|
| 68 | |
---|
| 69 | switch($return_status) { |
---|
| 70 | case 0: |
---|
| 71 | // STATUS_OK: Authentication succeeded. |
---|
| 72 | dbg_error_log('pwauth', 'User %s successfully authenticated', $username); |
---|
| 73 | if($user = getUserByName($username)) { |
---|
| 74 | return($user); |
---|
| 75 | } else { |
---|
| 76 | dbg_error_log('pwauth', 'User %s does not exist in local db, creating', |
---|
| 77 | $username); |
---|
| 78 | $fullname = exec(sprintf('getent passwd %s', escapeshellarg($username))); |
---|
| 79 | $fullname = preg_replace('{^[^:]+:[^:]+:\d+:\d+:([^:,]+)(,[^:]*):.*$}', |
---|
| 80 | '$1', $fullname); |
---|
| 81 | $user = (object) array('user_no' => 0, |
---|
| 82 | 'username' => $username, |
---|
| 83 | 'active' => 't', |
---|
| 84 | 'email' => sprintf('%s@%s', $username, |
---|
| 85 | $email_base), |
---|
| 86 | 'updated' => date('%r'), |
---|
| 87 | 'fullname' => $fullname); |
---|
| 88 | |
---|
| 89 | UpdateUserFromExternal($user); |
---|
| 90 | return($user); |
---|
| 91 | } |
---|
| 92 | break; |
---|
| 93 | |
---|
| 94 | /* |
---|
| 95 | * Note that for system configurations using PAM instead of |
---|
| 96 | * reading the password database directly, if PAM is unable to |
---|
| 97 | * read the password database, pwauth will return status 1. |
---|
| 98 | */ |
---|
| 99 | case 1: |
---|
| 100 | case 2: |
---|
| 101 | // (1) STATUS_UNKNOWN: Invalid username or password. |
---|
| 102 | // (2) STATUS_INVALID: Invalid password. |
---|
| 103 | dbg_error_log('pwauth', 'Invalid username or password (username: %s)', |
---|
| 104 | $username); |
---|
| 105 | break; |
---|
| 106 | |
---|
| 107 | case 3: |
---|
| 108 | // STATUS_BLOCKED: UID for username is < pwauth's MIN_UNIX_UID |
---|
| 109 | dbg_error_log('pwauth', 'UID for username %s is < pwauth MIN_UNIX_UID', |
---|
| 110 | $username); |
---|
| 111 | break; |
---|
| 112 | |
---|
| 113 | case 4: |
---|
| 114 | // STATUS_EXPIRED: The user account has expired. |
---|
| 115 | dbg_error_log('pwauth', 'The account for %s has expired', $username); |
---|
| 116 | break; |
---|
| 117 | |
---|
| 118 | case 5: |
---|
| 119 | // STATUS_PW_EXPIRED: The user account's password has expired. |
---|
| 120 | dbg_error_log('pwauth', 'The account password for user %s has expired', |
---|
| 121 | $username); |
---|
| 122 | break; |
---|
| 123 | |
---|
| 124 | case 6: |
---|
| 125 | // STATUS_NOLOGIN: Logins to the system are administratively disabled. |
---|
| 126 | dbg_error_log('pwauth', 'Logins administratively disabled (%s)', $username); |
---|
| 127 | break; |
---|
| 128 | |
---|
| 129 | case 7: |
---|
| 130 | // STATUS_MANYFAILS: Too many login failures for user account. |
---|
| 131 | dbg_error_log('pwauth', 'Login rejected for %s, too many failures', |
---|
| 132 | $username); |
---|
| 133 | break; |
---|
| 134 | |
---|
| 135 | case 50: |
---|
| 136 | // STATUS_INT_USER: Configuration error, Web server cannot use pwauth |
---|
| 137 | dbg_error_log('pwauth', 'config error: see pwauth man page (%s)', |
---|
| 138 | 'STATUS_INT_USER'); |
---|
| 139 | break; |
---|
| 140 | |
---|
| 141 | case 51: |
---|
| 142 | // STATUS_INT_ARGS: pwauth received no username/passwd to check |
---|
| 143 | dbg_error_log('pwauth', 'error: pwauth received no username/password'); |
---|
| 144 | break; |
---|
| 145 | |
---|
| 146 | case 52: |
---|
| 147 | // STATUS_INT_ERR: unknown error |
---|
| 148 | dbg_error_log('pwauth', 'error: see pwauth man page (%s)', |
---|
| 149 | 'STATUS_INT_ERR'); |
---|
| 150 | break; |
---|
| 151 | |
---|
| 152 | case 53: |
---|
| 153 | // STATUS_INT_NOROOT: pwauth could not read the password database |
---|
| 154 | dbg_error_log('pwauth', 'config error: cannot read password database (%s)', |
---|
| 155 | 'STATUS_INT_NOROOT'); |
---|
| 156 | |
---|
| 157 | default: |
---|
| 158 | // Unknown error code. |
---|
| 159 | dbg_error_log('pwauth', 'An unknown error (%d) has occurred', |
---|
| 160 | $return_status); |
---|
| 161 | } |
---|
| 162 | |
---|
| 163 | return(FALSE); |
---|
| 164 | } |
---|