');
define('WPDIRAUTH_ERROR_TITLE',__('Directory Authentication Error: '));
define('WPDIRAUTH_LDAP_RETURN_KEYS',serialize(array('sn', 'givenname', 'mail')));
define('WPDIRAUTH_EMAIL_NEWUSER_NOTIFY','You have been added to the site %s as %s %s. You may login to the site using your institution\'s %s (%s) and password at the following address: %s');
if (function_exists('wp_authenticate') || function_exists('wp_setcookie') || !function_exists('ldap_connect')) {
/**
* SAFE MODE
*/
/**
* SAFE MODE: wpDirAuth plugin configuration panel.
* Processes and outputs the wpDirAuth configuration form, with a conflict message.
*
* @return void
*/
function wpDirAuth_safeConflictMessage()
{
$wpDARef = WPDIRAUTH_SIGNATURE;
if (!function_exists('ldap_connect')) {
$message = <<<________EOS
Sorry, but your PHP install does not seem to have access to the LDAP features.
wpDirAuth is now running in safe mode.'
Quote from the PHP manual LDAP section:
LDAP support in PHP is not enabled by default. You will need to use the
--with-ldap[=DIR] configuration option when compiling PHP to enable LDAP
support. DIR is the LDAP base install directory. To enable SASL support,
be sure --with-ldap-sasl[=DIR] is used, and that sasl.h exists on the system.
________EOS;
}
else {
$message = <<<________EOS
Sorry, but another plugin seems to be conflicting with wpDirAuth.
wpDirAuth is now running in safe mode as to not impair the other plugin's operations.'
The wp_authenticate and wp_setcookie WordPress
pluggable functions
have already been redefined, and wpDirAuth cannot provide directory authentication
without having access to these functions.
Please disable any WP plugins that deal with authentication in order to use wpDirAuth.
Unfortunately, we cannot provide you with more info as to which plugin is in conflict.
________EOS;
}
echo <<<________EOS
Directory Authentication Options: Plugin Conflict
$message
$wpDARef
________EOS;
}
/**
* SAFE MODE: Adds the `Directory Auth.` menu entry in the Wordpress Admin section.
* Also activates the wpDirAuth config panel, with a conflict message, as a callback function.
*
* @uses wpDirAuth_safeConflictMessage
*/
function wpDirAuth_safeAddMenu()
{
if (function_exists('add_options_page')) {
add_options_page(
'Directory Authentication Options: Plugin Conflict',
'!! Directory Auth. !!',
9,
basename(__FILE__),
'wpDirAuth_safeConflictMessage'
);
}
}
/**
* SAFE MODE: Add custom WordPress actions.
*
* @uses wpDirAuth_safeAddMenu
*/
if (function_exists('add_action')) {
add_action('admin_menu', 'wpDirAuth_safeAddMenu');
}
}
else {
/**
* STANDARD MODE
*/
/**
* Cookie marker.
* Generates a random string to be used as salt for the password
* hash cookie checks in wp_setcookie and wp_authenticate
*
* @return string 55 chars-long salty goodness (md5 + uniqid)
*/
function wpDirAuth_makeCookieMarker()
{
$cookieMarker = md5(
$_SERVER['SERVER_SIGNATURE']
.$_SERVER['HTTP_USER_AGENT']
.$_SERVER['REMOTE_ADDR']
).uniqid(microtime(),true);
update_option("dirAuthCookieMarker",$cookieMarker);
return $cookieMarker;
}
/**
* LDAP bind test
* Tries two different documented method of php-based ldap binding.
* Note: passing params by reference, no need for copies (unlike in
* wpDirAuth_auth where it is desirable).
*
* @param object &$connection LDAP connection
* @param string &$username LDAP username
* @param string &$password LDAP password
* @param string $baseDn
* @return boolean Binding status
* */
function wpDirAuth_bindTest(&$connection, &$username, &$password,$baseDn)
{
$password = strtr($password, array("\'"=>"'"));
if ( ($isBound = @ldap_bind($connection, $username, $password)) === false ) {
// @see wpLDAP comment at http://ashay.org/?page_id=133#comment-558
$isBound = @ldap_bind($connection,"uid=$username,$baseDn", $password);
}
return $isBound;
}
/**
* put your comment there...
*
* @param string $dc name of domain controller to connect to
* @param integer $enableSsl ssl config option
* @return resource
*/
function wpDirAuth_establishConnection($dc,$enableSsl){
/**
* Only setup protocol value if ldaps is required to help with older AD
* @see http://groups.google.com/group/wpdirauth-support/browse_thread/thread/7b744c7ad66a4829
*/
$protocol = ($enableSsl) ? 'ldaps://' : '';
/**
* Scan for and use alternate server port, but only if ssl is disabled.
* @see Parameters constraint at http://ca.php.net/ldap_connect
*/
if (strstr($dc, ':')) list($dc, $port) = explode(':', $dc);
switch($enableSsl){
case 1:
$connection = ldap_connect($protocol.$dc);
break;
case 2:
case 0:
default:
if(isset($port)){
$connection = ldap_connect($dc,$port);
} else {
$connection = ldap_connect($dc);
}
break;
}
/**
* Copes with W2K3/AD issue.
* @see http://bugs.php.net/bug.php?id=30670
*/
if (@ldap_set_option($connection, LDAP_OPT_PROTOCOL_VERSION, 3)) {
@ldap_set_option($connection, LDAP_OPT_REFERRALS, 0);
}
//they want to start TLS
if($enableSsl == 2){
if(!ldap_start_tls($connection)){
return new WP_Error('tls_failed_to_start',__('wpDirAuth error: tls failed to start'));
}
}
return $connection;
}
/**
* put your comment there...
*
* @param array $controllers list of domain controllers to connect to
* @return mixed array of shuffled controllers or WP_Error
*/
function wpDirAuth_shuffleControllers($controllers){
if (count($controllers) > 1) {
// shuffle the domain controllers for pseudo load balancing and fault tolerance.
shuffle($controllers);
} elseif (count($controllers) == 0) {
return new WP_Error('no_controllers',__(' wpDirAuth config error: no domain controllers specified.'));
}
return $controllers;
}
/**
* Custom LDAP authentication module.
* The returned keys are in the same format used by WP for
* the wp_insert_user and wp_update_user functions.
*
* @param string $username LDAP username
* @param string $password LDAP password
* @return WP_Error object OR array Directory email, last_name and first_name
*
* @uses WPDIRAUTH_DEFAULT_FILTER
* @uses WPDIRAUTH_ERROR_TITLE
* @uses wpDirAuth_bindTest
* @uses wpDirAuth_retrieveUserDetails
* @uses wpDirAuth_shuffleControllers
* @uses wpDirAuth_establishConnection
*/
function wpDirAuth_auth($username, $password)
{
global $error, $pwd;
$errorTitle = WPDIRAUTH_ERROR_TITLE;
$controllers = explode(',', get_option('dirAuthControllers'));
$baseDn = get_option('dirAuthBaseDn');
$preBindUser = get_option('dirAuthPreBindUser');
$preBindPassword = get_option('dirAuthPreBindPassword');
$accountSuffix = get_option('dirAuthAccountSuffix');
$filter = get_option('dirAuthFilter');
$enableSsl = get_option('dirAuthEnableSsl');
$boolUseGroups = get_option('dirAuthUseGroups');
if($boolUseGroups == 1){
$strAuthGroups = get_option('dirAuthGroups');
}
$returnKeys = unserialize(WPDIRAUTH_LDAP_RETURN_KEYS);
$isBound = $isPreBound = $isLoggedIn = false;
if ($accountSuffix) $username .= $accountSuffix;
if (!$filter) $filter = WPDIRAUTH_DEFAULT_FILTER;
$filterQuery = "($filter=$username)";
$controllers = wpDirAuth_shuffleControllers($controllers);
if(is_wp_error($controllers)){
return $controllers;
}
// Connection pool loop - Haha, PooL LooP
foreach ($controllers as $dc) {
$connection = wpDirAuth_establishConnection($dc,$enableSsl);
if(is_wp_error($connection)){
return $connection;
}
if ($preBindUser && $preBindPassword) {
/**
* Use case 1: Servers requiring pre-binding with admin defined
* credentials to search for the user's full DN before attempting
* to login.
* @see http://dev.wp-plugins.org/ticket/681
*/
if ( $isPreBound = wpDirAuth_bindTest($connection, $preBindUser, $preBindPassword,$baseDn) === true ) {
if ( ($results = @ldap_search($connection, $baseDn, $filterQuery, $returnKeys)) !== false ) {
if ( ($userDn = @ldap_get_dn($connection, ldap_first_entry($connection, $results))) !== false ) {
if ( ($isBound = wpDirAuth_bindTest($connection, $userDn, $password,$baseDn)) === true ) {
$isLoggedIn = true; // valid server, valid login, move on
break; // valid server, valid login, move on
}
}
}
}
}
elseif ( ($isBound = wpDirAuth_bindTest($connection, $username, $password,$baseDn)) === true ) {
/**
* Use case 2: Servers that will not let you bind anonymously
* but will let the end user bind directly.
* @see http://groups.google.com/group/wpdirauth-support/browse_thread/thread/8fd16c05266fc832
*/
$isLoggedIn = true;
break; // valid server, valid login, move on
}
elseif ( ($isBound = @ldap_bind($connection)) === true ) {
/**
* Use case 3: Servers that might require a full user DN to
* actually login and therefore let you bind anonymously first .
* Try ldap_search + ldap_get_dn before attempting a login.
* @see http://wordpress.org/support/topic/129814?replies=34#post-603644
*/
if ( ($results = @ldap_search($connection, $baseDn, $filterQuery, $returnKeys)) !== false ) {
if ( ($userDn = @ldap_get_dn($connection, ldap_first_entry($connection, $results))) !== false ) {
$isInDirectory = true; // account exists in directory
if ( ($isBound = wpDirAuth_bindTest($connection, $userDn, $password,$baseDn)) === true ) {
$isLoggedIn = true; // valid server, valid login, move on
break; // valid server, valid login, move on
}
}
}
}
}
if ( ($preBindUser && $preBindPassword) && ( ! $isPreBound ) ) {
return new WP_Error ('no_directory_or_prebinding', $errorTitle
. __(' wpDirAuth config error: No directory server available for authentication, OR pre-binding credentials denied.'));
}
elseif ( ( $isInDirectory ) && ( ! $isBound ) ) {
return new WP_Error ('could_not_bind_as_user', $errorTitle
. __(' Incorrect password.'));
}
elseif ( ! $isBound && ! $isPreBound ) {
return new WP_Error ('no_directory_available', $errorTitle
. __(' wpDirAuth config error: No directory server available for authentication.'));
}
elseif ( ! $isLoggedIn) {
/**
* @desc wp-hack was echo'ing out $username verbatim which allowed a XSS vulnerability. Encoded $username before echoing'
*/
return new WP_Error ('could_not_authenticate', $errorTitle
. __(' Could not authenticate user. Please check your credentials.')
. " [" . htmlentities($username,ENT_QUOTES,'UTF-8') . "]");
}
else {
if($boolUseGroups == 1){
//the user is authenticated, but we want to make sure they are a member of the groups given
/**
* We need to get the DN's for each Authentication Group CN that was given to us.
*/
$aryAuthGroupsDN = array();
$aryAuthGroups = explode(',',$strAuthGroups);
$aryAttribs = array('distinguishedname');
foreach($aryAuthGroups as $strAuthGroup){
$strAuthGroup = 'cn='.$strAuthGroup;
$rscLDAPSearch = ldap_search($connection,$baseDn,$strAuthGroup,$aryAttribs);
$arySearchResults = ldap_get_entries($connection,$rscLDAPSearch);
wpDirAuthPrintDebug($arySearchResults,'search results for ' . $strAuthGroup);
if(isset($arySearchResults[0]['dn'])){
$aryAuthGroupsDN[] = $arySearchResults[0]['dn'];
}
}
if(count($aryAuthGroupsDN) == 0){
return new WP_Error('no_auth_groups_found',$errorTitle.__('No Authentication Groups found based on given group CN'));
}
$strFilterQuery = '(&'.$filterQuery.'(|';
foreach($aryAuthGroupsDN as $strAuthGroupDN){
$strFilterQuery .= '(memberOf='.$strAuthGroupDN.')';
}
$strFilterQuery .= '))';
if(($rscLDAPSearchGroupMember = ldap_search($connection,$baseDn,$strFilterQuery)) !== false){
$arySearchResultsMember = ldap_get_entries($connection,$rscLDAPSearchGroupMember);
if($arySearchResultsMember['count'] !== 1){
return new WP_Error('not_member_of_auth_group',$errorTitle
. __('User authenticated but is not a member of an Authentication Group(s)'));
}
}
}
/**
* Search for profile, if still needed.
* @see $results in preceding loop: Use case 3
*/
if (!$results){
return wpDirAuth_retrieveUserDetails($connection,$baseDn,$filterQuery);
} else {
return wpDirAuth_retrieveUserDetails($connection,$baseDn,$filterQuery,$results);
}
}
}
/**
* Runs stripslashes, html_entity_decode, then strip_tags with
* allowed html if requested.
*
* No input sashimi for us (hopefully).
*
* @param string $value Value to `sanitize`
* @param boolean $allowed Set to true for WPDIRAUTH_ALLOWED_TAGS
* @return string Cleaner value.
*
* @uses WPDIRAUTH_ALLOWED_TAGS
*/
function wpDirAuth_sanitize($value, $allowed = false)
{
$allowed = ($allowed) ? WPDIRAUTH_ALLOWED_TAGS : '';
return strip_tags(html_entity_decode(stripslashes($value)), $allowed);
}
/**
* wpDirAuth plugin configuration panel.
* Processes and outputs the wpDirAuth configuration form.
*
* @return void
*
* @uses WPDIRAUTH_DEFAULT_FILTER
* @uses WPDIRAUTH_DEFAULT_LOGINSCREENMSG
* @uses WPDIRAUTH_DEFAULT_CHANGEPASSMSG
* @uses WPDIRAUTH_ALLOWED_TAGS
* @uses wpDirAuth_makeCookieMarker
* @uses wpDirAuth_sanitize
*/
function wpDirAuth_optionsPanel()
{
global $userdata;
$wpDARef = WPDIRAUTH_SIGNATURE;
$allowedHTML = htmlentities(WPDIRAUTH_ALLOWED_TAGS);
$curUserIsDirUser = get_usermeta($userdata->ID, 'wpDirAuthFlag');
if ($curUserIsDirUser) {
echo <<<____________EOS
Directory Authentication Options
Because any changes made to directory authentication
options can adversly affect your session when logged in
as a directory user, you must be logged in as a
WordPress-only administrator user to update these settings.
If such a user no longer exists in the database, please
create a new one
using the appropriate WordPress admin tool.
$wpDARef
____________EOS;
return;
}
if ($_POST) {
$enableSsl = 0; //default
$boolUseGroups = 0; //default
// Booleans
$enable = intval($_POST['dirAuthEnable']) == 1 ? 1 : 0;
$requireSsl = intval($_POST['dirAuthRequireSsl']) == 1 ? 1 : 0;
$TOS = intval($_POST['dirAuthTOS']) == 1 ? 1 : 0;
//integers
if(intval($_POST['dirAuthEnableSsl']) == 1 || intval($_POST['dirAuthEnableSsl']) == 2){
$enableSsl = intval($_POST['dirAuthEnableSsl']);
}
// Strings, no HTML
$controllers = wpDirAuth_sanitize($_POST['dirAuthControllers']);
$baseDn = wpDirAuth_sanitize($_POST['dirAuthBaseDn']);
$preBindUser = wpDirAuth_sanitize($_POST['dirAuthPreBindUser']);
$preBindPassword = wpDirAuth_sanitize($_POST['dirAuthPreBindPassword']);
$preBindPassCheck = wpDirAuth_sanitize($_POST['dirAuthPreBindPassCheck']);
$accountSuffix = wpDirAuth_sanitize($_POST['dirAuthAccountSuffix']);
$filter = wpDirAuth_sanitize($_POST['dirAuthFilter']);
$institution = wpDirAuth_sanitize($_POST['dirAuthInstitution']);
$strAuthGroups = wpDirAuth_sanitize($_POST['dirAuthGroups']);
$strMarketingSSOID= wpDirAuth_sanitize(($_POST['dirAuthMarketingSSOID']));
if($strAuthGroups != ''){
$boolUseGroups = 1;
}
// Have to be allowed to contain some HTML
$loginScreenMsg = wpDirAuth_sanitize($_POST['dirAuthLoginScreenMsg'], true);
$changePassMsg = wpDirAuth_sanitize($_POST['dirAuthChangePassMsg'], true);
update_option('dirAuthEnable', $enable);
update_option('dirAuthEnableSsl', $enableSsl);
update_option('dirAuthRequireSsl', $requireSsl);
update_option('dirAuthControllers', $controllers);
update_option('dirAuthBaseDn', $baseDn);
update_option('dirAuthPreBindUser', $preBindUser);
update_option('dirAuthAccountSuffix', $accountSuffix);
update_option('dirAuthFilter', $filter);
update_option('dirAuthInstitution', $institution);
update_option('dirAuthLoginScreenMsg', $loginScreenMsg);
update_option('dirAuthChangePassMsg', $changePassMsg);
update_option('dirAuthTOS', $TOS);
update_option('dirAuthUseGroups', $boolUseGroups);
update_option('dirAuthGroups', $strAuthGroups);
update_option('dirAuthMarketingSSOID', $strMarketingSSOID);
// Only store/override the value if a new one is being sent a bind user is set.
if ( $preBindUser && $preBindPassword && ($preBindPassCheck == $preBindPassword) )
update_option('dirAuthPreBindPassword', $preBindPassword);
// Clear the stored password if the Bind DN is null
elseif ( ! $preBindUser)
update_option('dirAuthPreBindPassword', '');
if (get_option('dirAuthEnable') && !get_option('dirAuthCookieMarker'))
wpDirAuth_makeCookieMarker();
echo 'Your new settings were saved successfully.
Directory Authentication Options
Powered by $wpDARef.
________EOS;
}
/**
* Adds the `Directory Auth.` menu entry in the Wordpress Admin section, and the `Add Directory Authenticated User` to the Users menu
* Also activates the wpDirAuth config panel as a callback function.
*
* @uses wpDirAuth_optionsPanel
* @uses wpDirAuth_add_user_panel
*/
function wpDirAuth_addMenu()
{
if (function_exists('add_options_page')) {
add_options_page(
'Directory Authentication Options',
'Directory Auth.',
9,
basename(__FILE__),
'wpDirAuth_optionsPanel'
);
}
if(function_exists('add_users_page')){
add_users_page(
'Add Directory Authentication Users',
'Add Dir Auth User',
'administrator',
basename(__FILE__),
'wpDirAuth_add_user_panel'
);
}
}
/**
* Extending WP's login_form.
* Enforces the admin defined SSL login preferences and adds a directory
* login related message to the standard WP login screen.
*
* @uses WPDIRAUTH_DEFAULT_LOGINSCREENMSG
*/
function wpDirAuth_loginFormExtra()
{
if (get_option('dirAuthEnable')) {
if (isset($_SERVER['SCRIPT_URI']) && preg_match('|^http|',$_SERVER['SCRIPT_URI'])) {
$selfURL = $_SERVER['SCRIPT_URI'];
}
else {
/**
* $_SERVER['SCRIPT_URI'] seems to be unavilable in some PHP
* installs, and $_SERVER['REQUEST_URI'] and $_SERVER['PHP_SELF']
* have been known to sometimes have the same issue.
* Thanks to Todd Beverly for helping out with this one. :)
* @see http://wordpress.org/support/topic/129814?replies=27#post-605423
*/
$selfURL = sprintf(
'http%s://%s%s',
(isset($_SERVER['HTTPS']) && $_SERVER['HTTPS'] == 'on' ? 's' : ''),
$_SERVER['HTTP_HOST'],
(isset($_SERVER['REQUEST_URI'])
? $_SERVER['REQUEST_URI']
: $_SERVER["SCRIPT_NAME"].'?'.$_SERVER['QUERY_STRING'])
);
}
if (get_option('dirAuthRequireSsl') && (!preg_match('|^https|',$selfURL))) {
$sslURL = str_replace('http://','https://',$selfURL);
$refreshJS = '" />';
$refreshMeta = '';
$refreshMsg = 'Please access the encrypted version of this page.';
if (headers_sent()) {
echo $refreshJS.$refreshMeta.''.$refreshMsg.'