[3733] | 1 | <?php |
---|
| 2 | /** |
---|
| 3 | * Manages PAM repository connection with SQUID help |
---|
| 4 | * |
---|
| 5 | * @package davical |
---|
| 6 | * @category Technical |
---|
| 7 | * @subpackage ldap |
---|
| 8 | * @author Eric Seigne <eric.seigne@ryxeo.com> |
---|
| 9 | * @copyright Eric Seigne |
---|
| 10 | * @license http://gnu.org/copyleft/gpl.html GNU GPL v2 |
---|
| 11 | */ |
---|
| 12 | |
---|
| 13 | require_once("auth-functions.php"); |
---|
| 14 | |
---|
| 15 | class squidPamDrivers |
---|
| 16 | { |
---|
| 17 | /**#@+ |
---|
| 18 | * @access private |
---|
| 19 | */ |
---|
| 20 | |
---|
| 21 | /**#@-*/ |
---|
| 22 | |
---|
| 23 | |
---|
| 24 | /** |
---|
| 25 | * Constructor. |
---|
| 26 | * @param string $config path where /usr/lib/squid/pam_auth is |
---|
| 27 | */ |
---|
| 28 | function squidPamDrivers($config){ |
---|
| 29 | $this->__construct($config); |
---|
| 30 | } |
---|
| 31 | |
---|
| 32 | |
---|
| 33 | /** |
---|
| 34 | * The constructor |
---|
| 35 | * |
---|
| 36 | * @param string $config path where /usr/lib/squid/pam_auth is |
---|
| 37 | */ |
---|
| 38 | function __construct($config) |
---|
| 39 | { |
---|
| 40 | global $c; |
---|
| 41 | if (! file_exists($config)){ |
---|
| 42 | $c->messages[] = sprintf(i18n( 'drivers_squid_pam : Unable to find %s file'), $config ); |
---|
| 43 | $this->valid=false; |
---|
| 44 | return ; |
---|
| 45 | } |
---|
| 46 | } |
---|
| 47 | } |
---|
| 48 | |
---|
| 49 | |
---|
| 50 | /** |
---|
| 51 | * Check the username / password against the PAM system |
---|
| 52 | */ |
---|
| 53 | function SQUID_PAM_check($username, $password ){ |
---|
| 54 | global $c; |
---|
| 55 | |
---|
| 56 | /** |
---|
| 57 | * @todo Think of the children! This is a horribly insecure use of unvalidated user input! Probably it should be done with a popen or something, and it seems remarkably dodgy to expect that naively quoted strings will work in any way reliably. |
---|
| 58 | * Meanwhile, I've quickly hacked something basic in place to improve the situation. No quotes/backslashes in passwords for YOU! |
---|
| 59 | */ |
---|
| 60 | $username = str_replace("'","",str_replace('"',"",str_replace('\\',"",$username))); |
---|
| 61 | $password = str_replace("'","",str_replace('"',"",str_replace('\\',"",$password))); |
---|
| 62 | $cmd = "echo '" . $username . "' '" . $password . "' | " . $c->authenticate_hook['config']['script'] . " -n common-auth"; |
---|
| 63 | $auth_result = exec($cmd); |
---|
| 64 | if ( $auth_result == "OK") { |
---|
| 65 | if ( $usr = getUserByName($username) ) { |
---|
| 66 | return $usr; |
---|
| 67 | } |
---|
| 68 | else { |
---|
| 69 | dbg_error_log( "PAM", "user %s doesn't exist in local DB, we need to create it",$username ); |
---|
| 70 | $fullname = exec('getent passwd "'.$username.'"' ); |
---|
| 71 | $fullname = preg_replace( '{^[^:]+:[^:]+:\d+:\d+:([^:,]+)(,?[^:]*):.*$}', '$1', $fullname ); |
---|
| 72 | $usr = (object) array( |
---|
| 73 | 'user_no' => 0, |
---|
| 74 | 'username' => $username, |
---|
| 75 | 'active' => 't', |
---|
| 76 | 'email' => $username . "@" . $c->authenticate_hook['config']['email_base'], |
---|
| 77 | 'updated' => date(), |
---|
| 78 | 'fullname' => $fullname |
---|
| 79 | ); |
---|
| 80 | |
---|
| 81 | UpdateUserFromExternal( $usr ); |
---|
| 82 | return $usr; |
---|
| 83 | } |
---|
| 84 | } |
---|
| 85 | else { |
---|
| 86 | dbg_error_log( "PAM", "User %s is not a valid username (or password was wrong)", $username ); |
---|
| 87 | return false; |
---|
| 88 | } |
---|
| 89 | |
---|
| 90 | } |
---|