[davical.git] / inc / drivers_pwauth_pam.php
1 <?php
2 /**
3 * Manages PAM repository connection with pwauth
5 * @package davical
6 * @category Technical
7 * @subpackage pwauth
8 * @author Eric Seigne <eric.seigne@ryxeo.com>,
9 * Michael B. Trausch <mike@trausch.us>,
10 * Andrew McMillan <andrew@mcmillan.net.nz>
11 * @copyright Eric Seigne
12 * @license http://gnu.org/copyleft/gpl.html GNU GPL v2 or later
14 * Based on drivers_squid_pam.php
17 require_once("auth-functions.php");
class pwauthPamDrivers
{
  /**
   * The constructor
   *
   * Only verifies that the configured pwauth path exists on disk.  When it
   * does not, a translated message is appended to the global configuration's
   * message list and the instance is flagged as not valid.
   *
   * @param string $config path where pwauth is
   */
  function __construct($config)
  {
    global $c;

    // Nothing to report when the helper is present.
    if ( file_exists($config) ) {
      return;
    }

    // NOTE(review): $valid is assigned only on this failure path and is never
    // set to true in the code shown here, so callers should not treat an
    // unset $valid as a positive check.  file_exists() also says nothing
    // about whether the path is executable by the web server user.
    $notice = sprintf(i18n('drivers_pwauth_pam : Unable to find %s file'), $config);
    $c->messages[] = $notice;
    $this->valid = false;
  }
}
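/**
 * Check the username / password against the PAM system
 *
 * The credentials are written to the configured pwauth helper on its
 * standard input as two newline-terminated lines (login, then password) and
 * the helper's exit status decides the outcome.  On success the matching
 * local principal is returned; if none exists yet, one is created from the
 * system password entry and given a home calendar.
 *
 * Every path other than a clean exit status of 0 fails closed: credentials
 * that would break the two-line framing, a helper that cannot be started, a
 * short write and a non-integer status are all treated as a failed login.
 *
 * @param string $username Login name supplied by the client (untrusted).
 * @param string $password Password supplied by the client (untrusted).
 * @return Principal|false The principal on success, FALSE on any failure.
 */
function PWAUTH_PAM_check($username, $password) {
  global $c;
  $program = $c->authenticate_hook['config']['path'];
  $email_base = $c->authenticate_hook['config']['email_base'];

  $username = (string) $username;
  $password = (string) $password;

  // pwauth separates login and password by line.  A line break or NUL inside
  // either value would move that boundary, so the name pwauth verifies could
  // differ from the name looked up (and auto-created) below.  Reject instead
  // of trying to sanitise; the raw value is deliberately not logged.
  if ( preg_match('/[\x00\r\n]/', $username . $password) !== 0 ) {
    dbg_error_log('pwauth', 'Rejected credentials containing a line break or NUL byte');
    return false;
  }

  $pipe = popen(escapeshellarg($program), 'w');
  if ( !is_resource($pipe) ) {
    // Without this guard a failed popen() falls through to pclose(), whose
    // non-integer result compares loosely equal to 0 in the switch below.
    dbg_error_log('pwauth', 'Unable to start the pwauth helper');
    return false;
  }

  $authinfo = sprintf("%s\n%s\n", $username, $password);
  $written = fwrite($pipe, $authinfo);
  // NOTE(review): the logged total is the combined length of login and
  // password plus two separators, so debug logs reveal the password length.
  dbg_error_log('pwauth', 'Bytes written: %d of %d', $written, strlen($authinfo));
  $return_status = pclose($pipe);

  if ( $written !== strlen($authinfo) ) {
    // pwauth may have judged truncated credentials; do not trust its verdict.
    dbg_error_log('pwauth', 'Short write to pwauth helper, rejecting login');
    return false;
  }

  if ( !is_int($return_status) ) {
    // switch compares loosely, and null/false == 0 would read as success.
    dbg_error_log('pwauth', 'pwauth helper returned no usable exit status');
    return false;
  }

  switch($return_status) {
    case 0:
      // STATUS_OK: Authentication succeeded.
      dbg_error_log('pwauth', 'User %s successfully authenticated', $username);
      $principal = new Principal('username',$username);
      if ( !$principal->Exists() ) {
        dbg_error_log('pwauth', 'User %s does not exist in local db, creating', $username);
        // posix_getpwnam() returns false when there is no passwd entry for the
        // name; fall back to an empty full name rather than indexing false.
        $pwent = posix_getpwnam($username);
        $gecos = explode(',', (is_array($pwent) && isset($pwent['gecos'])) ? $pwent['gecos'] : '');
        $fullname = $gecos[0];
        $principal->Create( array(
                        'username'      => $username,
                        'user_active'   => 't',
                        'email'         => sprintf('%s@%s', $username, $email_base),
                        'fullname'      => $fullname
                ));
        if ( ! $principal->Exists() ) {
          dbg_error_log( "PAM", "Unable to create local principal for '%s'", $username );
          return false;
        }
        CreateHomeCalendar($username);
      }
      return $principal;

    /*
     * Note that for system configurations using PAM instead of
     * reading the password database directly, if PAM is unable to
     * read the password database, pwauth will return status 1.
     */
    case 1:
    case 2:
      // (1) STATUS_UNKNOWN: Invalid username or password.
      // (2) STATUS_INVALID: Invalid password.
      dbg_error_log('pwauth', 'Invalid username or password (username: %s)', $username);
      break;

    case 3:
      // STATUS_BLOCKED: UID for username is < pwauth's MIN_UNIX_UID
      dbg_error_log('pwauth', 'UID for username %s is < pwauth MIN_UNIX_UID',
                    $username);
      break;

    case 4:
      // STATUS_EXPIRED: The user account has expired.
      dbg_error_log('pwauth', 'The account for %s has expired', $username);
      break;

    case 5:
      // STATUS_PW_EXPIRED: The user account's password has expired.
      dbg_error_log('pwauth', 'The account password for user %s has expired',
                    $username);
      break;

    case 6:
      // STATUS_NOLOGIN: Logins to the system are administratively disabled.
      dbg_error_log('pwauth', 'Logins administratively disabled (%s)', $username);
      break;

    case 7:
      // STATUS_MANYFAILS: Too many login failures for user account.
      dbg_error_log('pwauth', 'Login rejected for %s, too many failures',
                    $username);
      break;

    case 50:
      // STATUS_INT_USER: Configuration error, Web server cannot use pwauth
      dbg_error_log('pwauth', 'config error: see pwauth man page (%s)',
                    'STATUS_INT_USER');
      break;

    case 51:
      // STATUS_INT_ARGS: pwauth received no username/passwd to check
      dbg_error_log('pwauth', 'error: pwauth received no username/password');
      break;

    case 52:
      // STATUS_INT_ERR: unknown error
      dbg_error_log('pwauth', 'error: see pwauth man page (%s)',
                    'STATUS_INT_ERR');
      break;

    case 53:
      // STATUS_INT_NOROOT: pwauth could not read the password database
      dbg_error_log('pwauth', 'config error: cannot read password database (%s)',
                    'STATUS_INT_NOROOT');
      break;

    default:
      // Unknown error code.
      dbg_error_log('pwauth', 'An unknown error (%d) has occurred',
                    $return_status);
  }

  return(FALSE);
}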