search:
summary | log | graphiclog1 | graphiclog2 | commit | commitdiff | tree | refs | edit | fork
blame | history | raw | HEAD
Support for Active Directory (#463)
[openemr.git] / library / authentication / login_operations.php
bloba9bbf69d814874b7070166f4c80e643acd1ef65f
1 <?php
2 /**
3 * This is a library of commonly used functions for managing data for authentication
4 *
5 * Copyright (C) 2013 Kevin Yeh <kevin.y@integralemr.com> and OEMR <www.oemr.org>
6 *
7 * LICENSE: This program is free software; you can redistribute it and/or
8 * modify it under the terms of the GNU General Public License
9 * as published by the Free Software Foundation; either version 3
10 * of the License, or (at your option) any later version.
11 * This program is distributed in the hope that it will be useful,
12 * but WITHOUT ANY WARRANTY; without even the implied warranty of
13 * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
14 * GNU General Public License for more details.
15 * You should have received a copy of the GNU General Public License
16 * along with this program. If not, see <http://opensource.org/licenses/gpl-license.php>;.
17 *
18 * @package OpenEMR
19 * @author Kevin Yeh <kevin.y@integralemr.com>
20 * @link http://www.open-emr.org
21 */
22
23 require_once("$srcdir/authentication/common_operations.php");
24
25
26
27 /**
28 *
29 * @param type $username
30 * @param type $password password is passed by reference so that it can be "cleared out"
31 * as soon as we are done with it.
32 * @param type $provider
33 */
34 function validate_user_password($username,&$password,$provider)
35 {
36 $ip=$_SERVER['REMOTE_ADDR'];
37
38 $valid=false;
39
40 //Active Directory Authentication added by shachar zilbershlag <shaharzi@matrix.co.il>
41 if($GLOBALS['use_active_directory'])
42 {
43 $valid = active_directory_validation($username, $password);
44 $_SESSION['active_directory_auth'] = $valid;
45 }
46 else
47 {
48 $getUserSecureSQL= " SELECT " . implode(",",array(COL_ID,COL_PWD,COL_SALT))
49 ." FROM ".TBL_USERS_SECURE
50 ." WHERE BINARY ".COL_UNM."=?";
51 // Use binary keyword to require case sensitive username match
52 $userSecure=privQuery($getUserSecureSQL,array($username));
53 if(is_array($userSecure))
54 {
55 $phash=oemr_password_hash($password,$userSecure[COL_SALT]);
56 if($phash!=$userSecure[COL_PWD])
57 {
58
59 return false;
60 }
61 $valid=true;
62 }
63 else
64 {
65 if((!isset($GLOBALS['password_compatibility'])||$GLOBALS['password_compatibility'])) // use old password scheme if allowed.
66 {
67 $getUserSQL="select username,id, password from users where BINARY username = ?";
68 $userInfo = privQuery($getUserSQL,array($username));
69 if($userInfo===false)
70 {
71 return false;
72 }
73
74 $username=$userInfo['username'];
75 $dbPasswordLen=strlen($userInfo['password']);
76 if($dbPasswordLen==32)
77 {
78 $phash=md5($password);
79 $valid=$phash==$userInfo['password'];
80 }
81 else if($dbPasswordLen==40)
82 {
83 $phash=sha1($password);
84 $valid=$phash==$userInfo['password'];
85 }
86 if($valid)
87 {
88 $phash=initializePassword($username,$userInfo['id'],$password);
89 purgeCompatabilityPassword($username,$userInfo['id']);
90 $_SESSION['relogin'] = 1;
91 }
92 else
93 {
94 return false;
95 }
96 }
97
98 }
99 }
100 $getUserSQL="select id, authorized, see_auth".
101 ", cal_ui, active ".
102 " from users where BINARY username = ?";
103 $userInfo = privQuery($getUserSQL,array($username));
104
105 if ($userInfo['active'] != 1) {
106 newEvent( 'login', $username, $provider, 0, "failure: $ip. user not active or not found in users table");
107 $password='';
108 return false;
109 }
110 // Done with the cleartext password at this point!
111 $password='';
112 if($valid)
113 {
114 if ($authGroup = privQuery("select * from groups where user=? and name=?",array($username,$provider)))
115 {
116 $_SESSION['authUser'] = $username;
117 $_SESSION['authPass'] = $phash;
118 $_SESSION['authGroup'] = $authGroup['name'];
119 $_SESSION['authUserID'] = $userInfo['id'];
120 $_SESSION['authProvider'] = $provider;
121 $_SESSION['authId'] = $userInfo{'id'};
122 $_SESSION['cal_ui'] = $userInfo['cal_ui'];
123 $_SESSION['userauthorized'] = $userInfo['authorized'];
124 // Some users may be able to authorize without being providers:
125 if ($userInfo['see_auth'] > '2') $_SESSION['userauthorized'] = '1';
126 newEvent( 'login', $username, $provider, 1, "success: $ip");
127 $valid=true;
128 } else {
129 newEvent( 'login', $username, $provider, 0, "failure: $ip. user not in group: $provider");
130 $valid=false;
131 }
132
133
134
135 }
136 return $valid;
137 }
138
139 function verify_user_gacl_group($user)
140 {
141 global $phpgacl_location;
142 if (isset ($phpgacl_location)) {
143 if (acl_get_group_titles($user) == 0) {
144 newEvent( 'login', $user, $provider, 0, "failure: $ip. user not in any phpGACL groups. (bad username?)");
145 return false;
146 }
147 }
148 return true;
149 }
150
151 /* Validation of user and password using active directory. */
152 function active_directory_validation($user, $pass)
153 {
154 $valid = false;
155
156 // Create class instance
157 $ad = new Adldap\Adldap();
158
159 // Create a configuration array.
160 $config = array(
161 // Your account suffix, for example: jdoe@corp.acme.org
162 'account_suffix' => $GLOBALS['account_suffix'],
163
164 // You can use the host name or the IP address of your controllers.
165 'domain_controllers' => [$GLOBALS['domain_controllers']],
166
167 // Your base DN.
168 'base_dn' => $GLOBALS['base_dn'],
169
170 // The account to use for querying / modifying users. This
171 // does not need to be an actual admin account.
172 'admin_username' => $user,
173 'admin_password' => $pass,
174 );
175
176 // Add a connection provider to Adldap.
177 $ad->addProvider($config);
178
179 // If a successful connection is made, the provider will be returned.
180 try
181 {
182 $prov = $ad->connect();
183 $valid = $prov->auth()->attempt($user, $pass);
184 }
185 catch(Exception $e)
186 {
187
188 }
189 return $valid;
190 }
191 ?>
Mirror of official OpenEMR Sourceforge repository