auth/radius/auth.php

   1 <?php
   2 // This file is part of Moodle - http://moodle.org/
   3 //
   4 // Moodle is free software: you can redistribute it and/or modify
   5 // it under the terms of the GNU General Public License as published by
   6 // the Free Software Foundation, either version 3 of the License, or
   7 // (at your option) any later version.
   8 //
   9 // Moodle is distributed in the hope that it will be useful,
  10 // but WITHOUT ANY WARRANTY; without even the implied warranty of
  11 // MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the
  12 // GNU General Public License for more details.
  13 //
  14 // You should have received a copy of the GNU General Public License
  15 // along with Moodle.  If not, see <http://www.gnu.org/licenses/>.
  16
  17 /**
  18  * Authentication Plugin: RADIUS Authentication
  19  *
  20  * Authenticates against a RADIUS server.
  21  * Contributed by Clive Gould <clive@ce.bromley.ac.uk>
  22  * CHAP support contributed by Stanislav Tsymbalov http://www.tsymbalov.net/
  23  *
  24  * @package auth_radius
  25  * @author Martin Dougiamas
  26  * @license http://www.gnu.org/copyleft/gpl.html GNU Public License
  27  */
  28
  29 defined('MOODLE_INTERNAL') || die();
  30
  31 require_once($CFG->libdir.'/authlib.php');
  32
  33 /**
  34  * RADIUS authentication plugin.
  35  */
  36 class auth_plugin_radius extends auth_plugin_base {
  37
  38     /**
  39      * Constructor.
  40      */
  41     public function __construct() {
  42         $this->authtype = 'radius';
  43         $this->config = get_config('auth/radius');
  44     }
  45
  46     /**
  47      * Old syntax of class constructor for backward compatibility.
  48      */
  49     public function auth_plugin_radius() {
  50         self::__construct();
  51     }
  52
  53     /**
  54      * Returns true if the username and password work and false if they are
  55      * wrong or don't exist.
  56      *
  57      * @param string $username The username
  58      * @param string $password The password
  59      * @return bool Authentication success or failure.
  60      */
  61     function user_login ($username, $password) {
  62         require_once 'Auth/RADIUS.php';
  63         require_once 'Crypt/CHAP.php';
  64
  65         // Added by Clive on 7th May for test purposes
  66         // printf("Username: $username <br/>");
  67         // printf("Password: $password <br/>");
  68         // printf("host: $this->config->host <br/>");
  69         // printf("nasport: $this->config->nasport <br/>");
  70         // printf("secret: $this->config->secret <br/>");
  71
  72         // Added by Stanislav Tsymbalov on 12th March 2008 only for test purposes
  73         //$type = 'PAP';
  74         //$type = 'CHAP_MD5';
  75         //$type = 'MSCHAPv1';
  76         //$type = 'MSCHAPv2';
  77         $type = $this->config->radiustype;
  78         if (empty($type)) {
  79             $type = 'PAP';
  80         }
  81
  82         $classname = 'Auth_RADIUS_' . $type;
  83         $rauth = new $classname($username, $password);
  84         $rauth->addServer($this->config->host, $this->config->nasport, $this->config->secret);
  85
  86         $rauth->username = $username;
  87
  88         switch($type) {
  89         case 'CHAP_MD5':
  90         case 'MSCHAPv1':
  91             $classname = $type == 'MSCHAPv1' ? 'Crypt_CHAP_MSv1' : 'Crypt_CHAP_MD5';
  92             $crpt = new $classname;
  93             $crpt->password = $password;
  94             $rauth->challenge = $crpt->challenge;
  95             $rauth->chapid = $crpt->chapid;
  96             $rauth->response = $crpt->challengeResponse();
  97             $rauth->flags = 1;
  98             // If you must use deprecated and weak LAN-Manager-Responses use this:
  99             // $rauth->lmResponse = $crpt->lmChallengeResponse();
 100             // $rauth->flags = 0;
 101             break;
 102
 103         case 'MSCHAPv2':
 104             $crpt = new Crypt_CHAP_MSv2;
 105             $crpt->username = $username;
 106             $crpt->password = $password;
 107             $rauth->challenge = $crpt->authChallenge;
 108             $rauth->peerChallenge = $crpt->peerChallenge;
 109             $rauth->chapid = $crpt->chapid;
 110             $rauth->response = $crpt->challengeResponse();
 111             break;
 112
 113         default:
 114             $rauth->password = $password;
 115             break;
 116         }
 117
 118         if (!$rauth->start()) {
 119             printf("Radius start: %s<br/>\n", $rauth->getError());
 120             exit;
 121         }
 122
 123         $result = $rauth->send();
 124         if ($rauth->isError($result)) {
 125             printf("Radius send failed: %s<br/>\n", $result->getMessage());
 126             exit;
 127         } else if ($result === true) {
 128             // printf("Radius Auth succeeded<br/>\n");
 129             return true;
 130         } else {
 131             // printf("Radius Auth rejected<br/>\n");
 132             return false;
 133         }
 134
 135         // get attributes, even if auth failed
 136         if (!$rauth->getAttributes()) {
 137             printf("Radius getAttributes: %s<br/>\n", $rauth->getError());
 138         } else {
 139             $rauth->dumpAttributes();
 140         }
 141
 142         $rauth->close();
 143     }
 144
 145     function prevent_local_passwords() {
 146         return true;
 147     }
 148
 149     /**
 150      * Returns true if this authentication plugin is 'internal'.
 151      *
 152      * @return bool
 153      */
 154     function is_internal() {
 155         return false;
 156     }
 157
 158     /**
 159      * Returns true if this authentication plugin can change the user's
 160      * password.
 161      *
 162      * @return bool
 163      */
 164     function can_change_password() {
 165         return false;
 166     }
 167
 168     /**
 169      * Prints a form for configuring this authentication plugin.
 170      *
 171      * This function is called from admin/auth.php, and outputs a full page with
 172      * a form for configuring this plugin.
 173      *
 174      * @param array $page An object containing all the data for this page.
 175      */
 176     function config_form($config, $err, $user_fields) {
 177         global $OUTPUT;
 178
 179         include "config.html";
 180     }
 181
 182     /**
 183      * Processes and stores configuration data for this authentication plugin.
 184      */
 185     function process_config($config) {
 186         // set to defaults if undefined
 187         if (!isset ($config->host)) {
 188             $config->host = '127.0.0.1';
 189         }
 190         if (!isset ($config->nasport)) {
 191             $config->nasport = '1812';
 192         }
 193         if (!isset($config->radiustype)) {
 194             $config->radiustype = 'PAP';
 195         }
 196         if (!isset ($config->secret)) {
 197             $config->secret = '';
 198         }
 199         if (!isset($config->changepasswordurl)) {
 200             $config->changepasswordurl = '';
 201         }
 202
 203         // save settings
 204         set_config('host',    $config->host,    'auth/radius');
 205         set_config('nasport', $config->nasport, 'auth/radius');
 206         set_config('secret',  $config->secret,  'auth/radius');
 207         set_config('changepasswordurl', $config->changepasswordurl, 'auth/radius');
 208         set_config('radiustype', $config->radiustype, 'auth/radius');
 209
 210         return true;
 211     }
 212
 213 }
 214
 215