1 | <?php |
---|
2 | /** |
---|
3 | * Manages PAM repository connection with pwauth |
---|
4 | * |
---|
5 | * @package davical |
---|
6 | * @category Technical |
---|
7 | * @subpackage pwauth |
---|
8 | * @author Eric Seigne <eric.seigne@ryxeo.com>, |
---|
9 | * Michael B. Trausch <mike@trausch.us> |
---|
10 | * @copyright Eric Seigne |
---|
11 | * @license http://gnu.org/copyleft/gpl.html GNU GPL v2 |
---|
12 | * |
---|
13 | * Based on drivers_squid_pam.php |
---|
14 | */ |
---|
15 | |
---|
16 | require_once("auth-functions.php"); |
---|
17 | |
---|
18 | class pwauthPamDrivers |
---|
19 | { |
---|
20 | /**#@+ |
---|
21 | * @access private |
---|
22 | */ |
---|
23 | |
---|
24 | /**#@-*/ |
---|
25 | |
---|
26 | |
---|
27 | /** |
---|
28 | * Constructor. |
---|
29 | * @param string $config path where pwauth is |
---|
30 | */ |
---|
31 | function pwauthPamDrivers($config){ |
---|
32 | $this->__construct($config); |
---|
33 | } |
---|
34 | |
---|
35 | |
---|
36 | /** |
---|
37 | * The constructor |
---|
38 | * |
---|
39 | * @param string $config path where pwauth is |
---|
40 | */ |
---|
41 | function __construct($config) |
---|
42 | { |
---|
43 | global $c; |
---|
44 | if(!file_exists($config)) { |
---|
45 | $c->messages[] = |
---|
46 | sprintf(i18n('drivers_pwauth_pam : Unable to find %s file'), $config); |
---|
47 | $this->valid=false; |
---|
48 | return ; |
---|
49 | } |
---|
50 | } |
---|
51 | } |
---|
52 | |
---|
53 | |
---|
54 | /** |
---|
55 | * Check the username / password against the PAM system |
---|
56 | */ |
---|
57 | function PWAUTH_PAM_check($username, $password) { |
---|
58 | global $c; |
---|
59 | $program = $c->authenticate_hook['config']['path']; |
---|
60 | $email_base = $c->authenticate_hook['config']['email_base']; |
---|
61 | |
---|
62 | $pipe = popen(escapeshellarg($program), 'w'); |
---|
63 | $authinfo = sprintf("%s\n%s\n", $username, $password); |
---|
64 | $written = fwrite($pipe, $authinfo); |
---|
65 | dbg_error_log('pwauth', 'Bytes written: %d of %d', $written, |
---|
66 | strlen($authinfo)); |
---|
67 | $return_status = pclose($pipe); |
---|
68 | |
---|
69 | switch($return_status) { |
---|
70 | case 0: |
---|
71 | // STATUS_OK: Authentication succeeded. |
---|
72 | dbg_error_log('pwauth', 'User %s successfully authenticated', $username); |
---|
73 | if($user = getUserByName($username)) { |
---|
74 | return($user); |
---|
75 | } else { |
---|
76 | dbg_error_log('pwauth', 'User %s does not exist in local db, creating', |
---|
77 | $username); |
---|
78 | $fullname = exec(sprintf('getent passwd %s', escapeshellarg($username))); |
---|
79 | $fullname = preg_replace('{^[^:]+:[^:]+:\d+:\d+:([^:,]+)(,[^:]*):.*$}', |
---|
80 | '$1', $fullname); |
---|
81 | $user = (object) array('user_no' => 0, |
---|
82 | 'username' => $username, |
---|
83 | 'active' => 't', |
---|
84 | 'email' => sprintf('%s@%s', $username, |
---|
85 | $email_base), |
---|
86 | 'updated' => date('%r'), |
---|
87 | 'fullname' => $fullname); |
---|
88 | |
---|
89 | UpdateUserFromExternal($user); |
---|
90 | return($user); |
---|
91 | } |
---|
92 | break; |
---|
93 | |
---|
94 | /* |
---|
95 | * Note that for system configurations using PAM instead of |
---|
96 | * reading the password database directly, if PAM is unable to |
---|
97 | * read the password database, pwauth will return status 1. |
---|
98 | */ |
---|
99 | case 1: |
---|
100 | case 2: |
---|
101 | // (1) STATUS_UNKNOWN: Invalid username or password. |
---|
102 | // (2) STATUS_INVALID: Invalid password. |
---|
103 | dbg_error_log('pwauth', 'Invalid username or password (username: %s)', |
---|
104 | $username); |
---|
105 | break; |
---|
106 | |
---|
107 | case 3: |
---|
108 | // STATUS_BLOCKED: UID for username is < pwauth's MIN_UNIX_UID |
---|
109 | dbg_error_log('pwauth', 'UID for username %s is < pwauth MIN_UNIX_UID', |
---|
110 | $username); |
---|
111 | break; |
---|
112 | |
---|
113 | case 4: |
---|
114 | // STATUS_EXPIRED: The user account has expired. |
---|
115 | dbg_error_log('pwauth', 'The account for %s has expired', $username); |
---|
116 | break; |
---|
117 | |
---|
118 | case 5: |
---|
119 | // STATUS_PW_EXPIRED: The user account's password has expired. |
---|
120 | dbg_error_log('pwauth', 'The account password for user %s has expired', |
---|
121 | $username); |
---|
122 | break; |
---|
123 | |
---|
124 | case 6: |
---|
125 | // STATUS_NOLOGIN: Logins to the system are administratively disabled. |
---|
126 | dbg_error_log('pwauth', 'Logins administratively disabled (%s)', $username); |
---|
127 | break; |
---|
128 | |
---|
129 | case 7: |
---|
130 | // STATUS_MANYFAILS: Too many login failures for user account. |
---|
131 | dbg_error_log('pwauth', 'Login rejected for %s, too many failures', |
---|
132 | $username); |
---|
133 | break; |
---|
134 | |
---|
135 | case 50: |
---|
136 | // STATUS_INT_USER: Configuration error, Web server cannot use pwauth |
---|
137 | dbg_error_log('pwauth', 'config error: see pwauth man page (%s)', |
---|
138 | 'STATUS_INT_USER'); |
---|
139 | break; |
---|
140 | |
---|
141 | case 51: |
---|
142 | // STATUS_INT_ARGS: pwauth received no username/passwd to check |
---|
143 | dbg_error_log('pwauth', 'error: pwauth received no username/password'); |
---|
144 | break; |
---|
145 | |
---|
146 | case 52: |
---|
147 | // STATUS_INT_ERR: unknown error |
---|
148 | dbg_error_log('pwauth', 'error: see pwauth man page (%s)', |
---|
149 | 'STATUS_INT_ERR'); |
---|
150 | break; |
---|
151 | |
---|
152 | case 53: |
---|
153 | // STATUS_INT_NOROOT: pwauth could not read the password database |
---|
154 | dbg_error_log('pwauth', 'config error: cannot read password database (%s)', |
---|
155 | 'STATUS_INT_NOROOT'); |
---|
156 | |
---|
157 | default: |
---|
158 | // Unknown error code. |
---|
159 | dbg_error_log('pwauth', 'An unknown error (%d) has occurred', |
---|
160 | $return_status); |
---|
161 | } |
---|
162 | |
---|
163 | return(FALSE); |
---|
164 | } |
---|