From 2bd238906d9dbe6512e08e08d5f213ca065e43f3 Mon Sep 17 00:00:00 2001 From: shachar058 Date: Wed, 8 Mar 2017 10:05:28 +0200 Subject: [PATCH] Support for Active Directory (#463) --- interface/main/left_nav.php | 2 +- interface/usergroup/user_admin.php | 12 ++- interface/usergroup/user_info.php | 3 + interface/usergroup/usergroup_admin_add.php | 6 +- library/ESign/Form/Controller.php | 10 ++- library/auth.inc | 12 +++ library/authentication/login_operations.php | 129 +++++++++++++++++++--------- library/authentication/password_change.php | 30 +++++-- library/globals.inc.php | 30 +++++++ 9 files changed, 179 insertions(+), 55 deletions(-) diff --git a/interface/main/left_nav.php b/interface/main/left_nav.php index da175cb72..10c6a0ca9 100644 --- a/interface/main/left_nav.php +++ b/interface/main/left_nav.php @@ -1569,7 +1569,7 @@ if (!empty($reg)) { genMiscLink('RTop','adm','0',xl('BatchCom'),'batchcom/batchcom.php'); ?> - + diff --git a/interface/usergroup/user_admin.php b/interface/usergroup/user_admin.php index 82e6bd8e1..91b25e74f 100644 --- a/interface/usergroup/user_admin.php +++ b/interface/usergroup/user_admin.php @@ -205,7 +205,7 @@ function submitform() { top.restoreSession(); var flag=0; - + if(document.forms[0].clearPass.value!="") { //Checking for the strong password if the 'secure password' feature is enabled @@ -220,6 +220,7 @@ function submitform() { } }//If pwd null ends here + //Request to reset the user password if the user was deactived once the password expired. if((document.forms[0].pwd_expires.value != 0) && (document.forms[0].clearPass.value == "")) { if((document.forms[0].user_type.value != "Emergency Login") && (document.forms[0].pre_active.value == 0) && (document.forms[0].active.checked == 1) && (document.forms[0].grace_time.value != "") && (document.forms[0].current_date.value) > (document.forms[0].grace_time.value)) @@ -355,16 +356,19 @@ $bg_count=count($acl_name); : " disabled> - : - * + + : + * + + : * - +    
diff --git a/interface/usergroup/user_info.php b/interface/usergroup/user_info.php index 932fa686a..ab13ca87b 100644 --- a/interface/usergroup/user_info.php +++ b/interface/usergroup/user_info.php @@ -1,6 +1,9 @@ diff --git a/interface/usergroup/usergroup_admin_add.php b/interface/usergroup/usergroup_admin_add.php index 54a2ae11e..a4fe2fcd0 100644 --- a/interface/usergroup/usergroup_admin_add.php +++ b/interface/usergroup/usergroup_admin_add.php @@ -162,7 +162,11 @@ function authorized_clicked() { - + + + + + diff --git a/library/ESign/Form/Controller.php b/library/ESign/Form/Controller.php index f2143c18d..f31d27f3f 100644 --- a/library/ESign/Form/Controller.php +++ b/library/ESign/Form/Controller.php @@ -28,6 +28,7 @@ require_once $GLOBALS['srcdir'].'/ESign/Abstract/Controller.php'; require_once $GLOBALS['srcdir'].'/ESign/Form/Configuration.php'; require_once $GLOBALS['srcdir'].'/ESign/Form/Factory.php'; require_once $GLOBALS['srcdir'].'/ESign/Form/Log.php'; +require_once $GLOBALS['srcdir'].'/authentication/login_operations.php'; class Form_Controller extends Abstract_Controller { @@ -86,7 +87,14 @@ class Form_Controller extends Abstract_Controller $lock = ( $this->getRequest()->getParam( 'lock', '' ) == 'on' ) ? true : false; } $amendment = $this->getRequest()->getParam( 'amendment', '' ); - if ( confirm_user_password( $_SESSION['authUser'], $password ) ) { + + if($GLOBALS['use_active_directory']) { + $valid = active_directory_validation($_SESSION['authUser'], $password); + }else { + $valid = confirm_user_password($_SESSION['authUser'], $password); + } + + if ($valid) { $factory = new Form_Factory( $formId, $formDir, $encounterId ); $signable = $factory->createSignable(); if ( $signable->sign( $_SESSION['authUserID'], $lock, $amendment ) ) { diff --git a/library/auth.inc b/library/auth.inc index a8baad201..200f6c118 100644 --- a/library/auth.inc +++ b/library/auth.inc 
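Review bot: The `if($GLOBALS['use_active_directory'])` dispatch between `active_directory_validation` and `confirm_user_password` added in Form_Controller is the same decision this commit also writes into `validate_user_password` and `update_password`, so three call sites now have to be kept in step; a single helper in login_operations.php, called here as `$valid = confirm_user_credentials($_SESSION['authUser'], $password);`, would keep the rule in one place. The new lines also drop the file's `if ( … )` spacing and read `$GLOBALS['use_active_directory']` without `isset`, which emits a notice if globals are not loaded when this controller runs. With the directory enabled, each e-sign attempt is a live bind, so a mistyped signing password presumably counts against the directory's lockout policy; that is worth a comment at the call. The method containing this hunk starts outside it.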
@@ -120,6 +120,18 @@ if (!isset($_SESSION["last_update"])) { function authCheckSession () { if (isset($_SESSION['authId'])) { + // If active directory was used, check a different session variable (as there is no password in database). + if($GLOBALS['use_active_directory']) + { + if($_SESSION['active_directory_auth']) + { + return true; + } + else + { + return false; + } + } $authDB = privQuery("select ".implode(",",array(TBL_USERS.".".COL_ID, TBL_USERS.".".COL_UNM, TBL_USERS_SECURE.".".COL_PWD, diff --git a/library/authentication/login_operations.php b/library/authentication/login_operations.php index beb3bf00d..a9bbf69d8 100644 --- a/library/authentication/login_operations.php +++ b/library/authentication/login_operations.php 
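Review bot: The early return added to `authCheckSession` makes the per-request check for Active Directory sessions depend only on `$_SESSION['active_directory_auth']`, so the `users` lookup that follows is never consulted for them and a user deactivated or removed in OpenEMR after logging in stays authenticated for the life of the session. `$_SESSION['active_directory_auth']` is also read without `isset`, which emits a notice when the key is absent (for example a session created before this flag existed). The inner if/else can be collapsed to `return !empty($_SESSION['active_directory_auth']);`, which fixes the notice; keeping the `users` lookup (minus the password comparison) for directory sessions would restore the account-status check, though how that query is used can only be inferred because the rest of the function is outside the hunk.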
@@ -36,56 +36,66 @@ function validate_user_password($username,&$password,$provider) $ip=$_SERVER['REMOTE_ADDR']; $valid=false; - $getUserSecureSQL= " SELECT " . implode(",",array(COL_ID,COL_PWD,COL_SALT)) - ." FROM ".TBL_USERS_SECURE - ." WHERE BINARY ".COL_UNM."=?"; - // Use binary keyword to require case sensitive username match - $userSecure=privQuery($getUserSecureSQL,array($username)); - if(is_array($userSecure)) + + //Active Directory Authentication added by shachar zilbershlag + if($GLOBALS['use_active_directory']) { - $phash=oemr_password_hash($password,$userSecure[COL_SALT]); - if($phash!=$userSecure[COL_PWD]) - { - - return false; - } - $valid=true; + $valid = active_directory_validation($username, $password); + $_SESSION['active_directory_auth'] = $valid; } else { - if((!isset($GLOBALS['password_compatibility'])||$GLOBALS['password_compatibility'])) // use old password scheme if allowed. + $getUserSecureSQL= " SELECT " . implode(",",array(COL_ID,COL_PWD,COL_SALT)) + ." FROM ".TBL_USERS_SECURE + ." 
WHERE BINARY ".COL_UNM."=?"; + // Use binary keyword to require case sensitive username match + $userSecure=privQuery($getUserSecureSQL,array($username)); + if(is_array($userSecure)) { - $getUserSQL="select username,id, password from users where BINARY username = ?"; - $userInfo = privQuery($getUserSQL,array($username)); - if($userInfo===false) + $phash=oemr_password_hash($password,$userSecure[COL_SALT]); + if($phash!=$userSecure[COL_PWD]) { - return false; - } - $username=$userInfo['username']; - $dbPasswordLen=strlen($userInfo['password']); - if($dbPasswordLen==32) - { - $phash=md5($password); - $valid=$phash==$userInfo['password']; - } - else if($dbPasswordLen==40) - { - $phash=sha1($password); - $valid=$phash==$userInfo['password']; - } - if($valid) - { - $phash=initializePassword($username,$userInfo['id'],$password); - purgeCompatabilityPassword($username,$userInfo['id']); - $_SESSION['relogin'] = 1; + return false; } - else + $valid=true; + } + else + { + if((!isset($GLOBALS['password_compatibility'])||$GLOBALS['password_compatibility'])) // use old password scheme if allowed. { - return false; + $getUserSQL="select username,id, password from users where BINARY username = ?"; + $userInfo = privQuery($getUserSQL,array($username)); + if($userInfo===false) + { + return false; + } + + $username=$userInfo['username']; + $dbPasswordLen=strlen($userInfo['password']); + if($dbPasswordLen==32) + { + $phash=md5($password); + $valid=$phash==$userInfo['password']; + } + else if($dbPasswordLen==40) + { + $phash=sha1($password); + $valid=$phash==$userInfo['password']; + } + if($valid) + { + $phash=initializePassword($username,$userInfo['id'],$password); + purgeCompatabilityPassword($username,$userInfo['id']); + $_SESSION['relogin'] = 1; + } + else + { + return false; + } } + } - } $getUserSQL="select id, authorized, see_auth". ", cal_ui, active ". 
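Review bot: In the Active Directory branch of `validate_user_password`, a failed bind leaves `$valid` false but does not return, whereas both local branches `return false` on a mismatch; whether the fall-through is harmless depends on code after the hunk that I cannot see, so an explicit `if(!$valid) { return false; }` after `$_SESSION['active_directory_auth'] = $valid;` would give all three branches the same contract. The session flag is also set before the `select id, authorized, see_auth…` lookup below; if that lookup fails (account known to the directory but not provisioned in `users`), the flag should be cleared rather than left true. Note that the local path matches usernames with `BINARY` (case-sensitive) while a directory bind is typically case-insensitive, so the name the directory accepted may differ in case from the one later used against `users`. The function starts before the hunk and continues after it.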
@@ -137,4 +147,45 @@ function verify_user_gacl_group($user)
 }
 return true;
 }
+
+/* Validation of user and password using active directory. */
+function active_directory_validation($user, $pass)
+{
+ $valid = false;
+
+ // Create class instance
+ $ad = new Adldap\Adldap();
+
+ // Create a configuration array.
+ $config = array(
+ // Your account suffix, for example: jdoe@corp.acme.org
+ 'account_suffix' => $GLOBALS['account_suffix'],
+
+ // You can use the host name or the IP address of your controllers.
+ 'domain_controllers' => [$GLOBALS['domain_controllers']],
+
+ // Your base DN.
+ 'base_dn' => $GLOBALS['base_dn'],
+
+ // The account to use for querying / modifying users. This
+ // does not need to be an actual admin account.
+ 'admin_username' => $user,
+ 'admin_password' => $pass,
+ );
+
+ // Add a connection provider to Adldap.
+ $ad->addProvider($config);
+
+ // If a successful connection is made, the provider will be returned.
+ try
+ {
+ $prov = $ad->connect();
+ $valid = $prov->auth()->attempt($user, $pass);
+ }
+ catch(Exception $e)
+ {
+
+ }
+ return $valid;
+}
 ?>
diff --git a/library/authentication/password_change.php b/library/authentication/password_change.php
index ab9bfbaa8..65efd02e7 100644
--- a/library/authentication/password_change.php
+++ b/library/authentication/password_change.php
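Review bot: `active_directory_validation` should reject an empty `$user` or `$pass` before binding, because an LDAP simple bind with an empty password is an unauthenticated bind that directories commonly accept, and the function currently relies on the library alone to refuse it: `if ($user === '' || $pass === '') { return false; }` as the first statement. The `$config` array sets neither `use_tls` nor `use_ssl`, so unless the library's defaults differ the user's password is sent to `domain_controllers` in clear text on every login. The empty `catch(Exception $e)` makes an unreachable controller indistinguishable from a wrong password for both the user and the operator; at minimum `error_log($e->getMessage());` there, and prefer `catch(Throwable $e)` if the project runs on PHP 7. `[$GLOBALS['domain_controllers']]` also passes the whole text setting as one controller and never splits a list, which the "controller(s)" wording in globals.inc.php suggests was intended.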
@@ -97,16 +97,28 @@ function update_password($activeUser,$targetUser,&$currentPwd,&$newPwd,&$errMsg, } else { // If this is an administrator changing someone else's password, then check that they have the password right + if($GLOBALS['use_active_directory']) { + $valid = active_directory_validation($_SESSION['authUser'], $currentPwd); + if(!$valid) + { + $errMsg=xl("Incorrect password!"); + return false; + }else{ + $newPwd = md5(uniqid()); + } + }else { + + $adminSQL=" SELECT ".implode(",",array(COL_PWD,COL_SALT)) + ." FROM ".TBL_USERS_SECURE + ." WHERE ".COL_ID."=?"; + $adminInfo=privQuery($adminSQL,array($activeUser)); + $hash_admin = oemr_password_hash($currentPwd,$adminInfo[COL_SALT]); + if($hash_admin!=$adminInfo[COL_PWD]) + { + $errMsg=xl("Incorrect password!"); + return false; + } - $adminSQL=" SELECT ".implode(",",array(COL_PWD,COL_SALT)) - ." FROM ".TBL_USERS_SECURE - ." WHERE ".COL_ID."=?"; - $adminInfo=privQuery($adminSQL,array($activeUser)); - $hash_admin = oemr_password_hash($currentPwd,$adminInfo[COL_SALT]); - if($hash_admin!=$adminInfo[COL_PWD]) - { - $errMsg=xl("Incorrect password!"); - return false; } if(!acl_check('admin', 'users')) { diff --git a/library/globals.inc.php b/library/globals.inc.php index de29a5866..5c488aecd 100644 --- a/library/globals.inc.php +++ b/library/globals.inc.php 
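Review bot: In the new Active Directory branch of `update_password`, `$newPwd = md5(uniqid());` stores a placeholder local password derived from `uniqid()`, which is a timestamp rather than a random value, so the local hash protects nothing if `use_active_directory` is later switched off; use a CSPRNG instead, e.g. `$newPwd = bin2hex(random_bytes(16));` (PHP 7) or the project's existing equivalent. Because `$newPwd` is a reference parameter, the password the administrator typed is silently discarded on this path, which deserves either a comment at the assignment or feedback in the calling form. The branch also verifies `$_SESSION['authUser']` while the local branch verifies `$activeUser` by id; if the two can refer to different accounts, the directory check should be given the same user as the local one. `update_password` starts and ends outside the hunk.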
@@ -1669,6 +1669,36 @@ $GLOBALS_METADATA = array( ), ), + // Active Directory Tab + // + 'Active Directory' => array( + + 'use_active_directory' => array( + xl('Use Active Directory'), + 'bool', + '0', + xl('If enabled, uses the specified active directory for login and authentication.') + ), + 'account_suffix' => array( + xl('Suffix Of Account'), + 'text', + '', + xl('The suffix of the account.') + ), + 'base_dn' => array( + xl('Domains Base'), + 'text', + '', + xl('Users is the standard windows CN, replace the DC stuff with your domain.') + ), + 'domain_controllers' => array( + xl('Domains Controllers'), + 'text', + '', + xl('The IP address of your domain controller(s).') + ), + ), + // Notifications Tab // 'Notifications' => array( -- 2.11.4.GIT
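Review bot: The help text for the new Active Directory settings does not tell an administrator what to enter: `xl('Domains Base')` with `xl('Users is the standard windows CN, replace the DC stuff with your domain.')` for `base_dn`, and `xl('Domains Controllers')` for a field that `active_directory_validation` treats as a single host. Suggest `xl('Base DN')` described as the LDAP base DN under which user accounts are searched (a constructed example such as `DC=example,DC=local` helps), and `xl('Domain Controller')` described as one host name or IP address, since the login code does not split a list. The tab also offers no setting for an encrypted (TLS/LDAPS) bind, so the transport cannot be configured from here. The `xl()` strings are presumably translation keys, so renaming them needs the matching translation entries updated.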
:  *:  *:  *