Commit a81033a2 authored by Bertrand Gauthier's avatar Bertrand Gauthier

Authentification Ldap : extraction de méthode publique dans l'adapter.

parent ec05438c
......@@ -43,6 +43,11 @@ class Ldap extends AbstractAdapter implements ServiceManagerAwareInterface, Even
*/
protected $options;
/**
* @var string
*/
protected $usernameUsurpe;
/**
*
* @param AuthEvent $e
......@@ -63,43 +68,17 @@ class Ldap extends AbstractAdapter implements ServiceManagerAwareInterface, Even
$username = $e->getRequest()->getPost()->get('identity');
$credential = $e->getRequest()->getPost()->get('credential');
// si 2 logins sont fournis, cela active l'usurpation d'identité (à n'utiliser que pour les tests) :
// - le format attendu est "loginUsurpateur=loginUsurpé"
// - le mot de passe attendu est celui du compte usurpateur (loginUsurpateur)
$usernameUsurpe = null;
if (strpos($username, self::USURPATION_USERNAMES_SEP) > 0) {
list($username, $usernameUsurpe) = explode(self::USURPATION_USERNAMES_SEP, $username, 2);
if (!in_array($username, $this->getOptions()->getUsurpationAllowedUsernames())) {
$usernameUsurpe = null;
}
}
// // username is the only identity source supported
// $fields = $this->getZfcUserOptions()->getAuthIdentityFields();
// if ('username' !== ($mode = array_shift($fields))) {
// throw new UnexpectedValueException("Username is the only identity source supported by the LDAP adapter.");
// }
// LDAP auth
$result = $this->getLdapAuthAdapter()->setUsername($username)->setPassword($credential)->authenticate();
$failure = !$result->isValid();
// verif existence du login usurpé
if ($usernameUsurpe) {
if (!$this->getLdapAuthAdapter()->getLdap()->searchEntries("(supannAliasLogin=$usernameUsurpe)")) {
$usernameUsurpe = null;
}
}
$success = $this->authenticateUsername($username, $credential);
// Failure!
if ($failure) {
if (! $success) {
$e->setCode(AuthenticationResult::FAILURE)
->setMessages(array('LDAP bind failed.'));
$this->setSatisfied(false);
return false;
}
$e->setIdentity($usernameUsurpe ?: $username);
$e->setIdentity($this->usernameUsurpe ?: $username);
$this->setSatisfied(true);
$storage = $this->getStorage()->read();
$storage['identity'] = $e->getIdentity();
......@@ -110,6 +89,40 @@ class Ldap extends AbstractAdapter implements ServiceManagerAwareInterface, Even
$this->getEventManager()->trigger('userAuthenticated', $e);
}
/**
* Authentifie l'identifiant et le mot de passe spécifiés.
*
* @param string $username Identifiant de connexion
* @param string $credential Mot de passe
* @return boolean
*/
public function authenticateUsername($username, $credential)
{
// si 2 logins sont fournis, cela active l'usurpation d'identité (à n'utiliser que pour les tests) :
// - le format attendu est "loginUsurpateur=loginUsurpé"
// - le mot de passe attendu est celui du compte usurpateur (loginUsurpateur)
$this->usernameUsurpe = null;
if (strpos($username, self::USURPATION_USERNAMES_SEP) > 0) {
list($username, $this->usernameUsurpe) = explode(self::USURPATION_USERNAMES_SEP, $username, 2);
if (!in_array($username, $this->getOptions()->getUsurpationAllowedUsernames())) {
$this->usernameUsurpe = null;
}
}
// LDAP auth
$result = $this->getLdapAuthAdapter()->setUsername($username)->setPassword($credential)->authenticate();
$success = $result->isValid();
// verif existence du login usurpé
if ($this->usernameUsurpe) {
if (!$this->getLdapAuthAdapter()->getLdap()->searchEntries("(supannAliasLogin=$this->usernameUsurpe)")) {
$this->usernameUsurpe = null;
}
}
return $success;
}
/**
* @param ModuleOptions $options
*/
......
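Review bot: In the new authenticateUsername(), the usurped login taken from the POST identity field is interpolated unescaped into the LDAP filter `"(supannAliasLogin=$this->usernameUsurpe)"`, so a value containing `)`, `*` or `(` changes the filter rather than being matched literally; build it with `'(supannAliasLogin=' . \Zend\Ldap\Filter::escapeValue($this->usernameUsurpe) . ')'` (or `Zend\Ldap\Filter::equals(...)`). That existence lookup also runs before `$success` is checked, so it is reachable with a failed bind whenever the first half of the identity is in the allowed-usurpation list; wrapping the block in `if ($success && $this->usernameUsurpe)` keeps directory queries behind a valid credential. The docblock should state that the method stores the usurped login in `$this->usernameUsurpe` as a side effect (reset to null on every call) since the caller at line `$e->setIdentity($this->usernameUsurpe ?: $username)` depends on it, and `in_array` on the allowed list would be safer with `true` as third argument.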