3 * This is a library of commonly used functions for managing data for authentication
5 * Copyright (C) 2013 Kevin Yeh <kevin.y@integralemr.com> and OEMR <www.oemr.org>
7 * LICENSE: This program is free software; you can redistribute it and/or
8 * modify it under the terms of the GNU General Public License
9 * as published by the Free Software Foundation; either version 3
10 * of the License, or (at your option) any later version.
11 * This program is distributed in the hope that it will be useful,
12 * but WITHOUT ANY WARRANTY; without even the implied warranty of
13 * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
14 * GNU General Public License for more details.
15 * You should have received a copy of the GNU General Public License
16 * along with this program. If not, see <http://opensource.org/licenses/gpl-license.php>.
19 * @author Kevin Yeh <kevin.y@integralemr.com>
20 * @link http://www.open-emr.org
23 require_once("$srcdir/authentication/common_operations.php");
29 * @param string $username
30 * @param string $password password is passed by reference so that the caller's copy
31 * can be cleared as soon as it is no longer needed.
32 * @param string $provider
34 function validate_user_password($username,&$password,$provider)
// Authenticates $username/$password against users_secure (or, when
// password_compatibility allows it, the legacy unsalted md5/sha1 scheme), then
// checks group membership and populates the auth* session keys on success.
// Braces, the $valid initialisation/return and the password-clearing statement
// are not shown in this listing, so the control flow below is partial.
36 $ip=$_SERVER['REMOTE_ADDR'];
// NOTE(review): REMOTE_ADDR is the TCP peer; behind a reverse proxy it is the
// proxy's address. It is only used here in the newEvent() audit messages.
40 //Active Directory Authentication added by shachar zilbershlag <shaharzi@matrix.co.il>
41 if($GLOBALS['use_active_directory'])
43 $valid = active_directory_validation($username, $password);
44 $_SESSION['active_directory_auth'] = $valid;
// The alternative branch (local lookup) follows; its opening lines are not shown.
// The SQL text is built only from table/column constants; the username is a
// bound parameter, so no user input reaches the query string.
48 $getUserSecureSQL= " SELECT " . implode(",",array(COL_ID
,COL_PWD
,COL_SALT
))
49 ." FROM ".TBL_USERS_SECURE
50 ." WHERE BINARY ".COL_UNM
."=?";
51 // Use binary keyword to require case sensitive username match
52 $userSecure=privQuery($getUserSecureSQL,array($username));
53 if(is_array($userSecure))
// Recompute the hash with the stored per-user salt and compare to the stored hash.
55 $phash=oemr_password_hash($password,$userSecure[COL_SALT
]);
// NOTE(review): a loose `!=` on two strings is not constant-time and coerces
// numeric-looking strings; hash_equals($userSecure[COL_PWD], $phash) is the
// strict, timing-safe form. The body of this branch is not shown here.
56 if($phash!=$userSecure[COL_PWD
])
// Legacy fallback: password_compatibility is treated as enabled when it is unset.
65 if((!isset($GLOBALS['password_compatibility'])||
$GLOBALS['password_compatibility'])) // use old password scheme if allowed.
67 $getUserSQL="select username,id, password from users where BINARY username = ?";
68 $userInfo = privQuery($getUserSQL,array($username));
// Lines between the query and this assignment (e.g. a not-found check) are not shown.
74 $username=$userInfo['username'];
// The legacy scheme is detected by stored-hash length: 32 hex chars = unsalted
// md5, 40 hex chars = unsalted sha1.
75 $dbPasswordLen=strlen($userInfo['password']);
76 if($dbPasswordLen==32)
78 $phash=md5($password);
// NOTE(review): `==` between two strings that both look numeric (e.g. "0e..."
// forms) compares them as numbers, so unrelated hashes can compare equal;
// `===` (or hash_equals) avoids this. The sha1 branch below has the same issue.
79 $valid=$phash==$userInfo['password'];
81 else if($dbPasswordLen==40)
83 $phash=sha1($password);
84 $valid=$phash==$userInfo['password'];
// On a legacy match (presumably guarded by $valid — the condition is not shown),
// migrate the user to the salted scheme, drop the legacy hash and force a re-login.
88 $phash=initializePassword($username,$userInfo['id'],$password);
89 purgeCompatabilityPassword($username,$userInfo['id']);
90 $_SESSION['relogin'] = 1;
// Second lookup for the authorisation columns. Part of this SELECT is not shown;
// confirm it includes the `active` column read below — if it does not,
// $userInfo['active'] is always null and every login would be rejected.
100 $getUserSQL="select id, authorized, see_auth".
102 " from users where BINARY username = ?";
103 $userInfo = privQuery($getUserSQL,array($username));
// NOTE(review): if privQuery() returns false for an unknown user, this index read
// emits a notice before the failure is logged — verify privQuery's return contract.
105 if ($userInfo['active'] != 1) {
106 newEvent( 'login', $username, $provider, 0, "failure: $ip. user not active or not found in users table");
// The statement that actually clears the by-reference $password is not shown here.
110 // Done with the cleartext password at this point!
// Group membership gates the session; both values are bound parameters.
114 if ($authGroup = privQuery("select * from groups where user=? and name=?",array($username,$provider)))
116 $_SESSION['authUser'] = $username;
// Stores the derived hash ($phash), never the cleartext password.
117 $_SESSION['authPass'] = $phash;
118 $_SESSION['authGroup'] = $authGroup['name'];
119 $_SESSION['authUserID'] = $userInfo['id'];
120 $_SESSION['authProvider'] = $provider;
// NOTE(review): curly-brace array access ($a{'k'}) was deprecated in PHP 7.4 and
// removed in 8.0; use $userInfo['id'] as on the authUserID line above.
121 $_SESSION['authId'] = $userInfo{'id'};
122 $_SESSION['userauthorized'] = $userInfo['authorized'];
123 // Some users may be able to authorize without being providers:
// see_auth is compared against the string '2'; PHP compares numeric strings
// numerically, so for integer-like values this acts as a numeric test.
124 if ($userInfo['see_auth'] > '2') $_SESSION['userauthorized'] = '1';
125 newEvent( 'login', $username, $provider, 1, "success: $ip");
// Else-branch of the group check (its opening lines are not shown).
128 newEvent( 'login', $username, $provider, 0, "failure: $ip. user not in group: $provider");
138 function verify_user_gacl_group($user)
// Checks that $user belongs to at least one phpGACL group when phpGACL is
// configured ($phpgacl_location set) and logs a login failure otherwise.
// The closing lines and any return value are not shown in this listing.
140 global $phpgacl_location;
141 if (isset ($phpgacl_location)) {
142 if (acl_get_group_titles($user) == 0) {
// NOTE(review): $provider and $ip are neither parameters nor declared global in
// the visible lines, so they are undefined here (notice, and empty fields in the
// audit message); pass them in, or derive $ip from $_SERVER['REMOTE_ADDR'] as
// validate_user_password() does.
143 newEvent( 'login', $user, $provider, 0, "failure: $ip. user not in any phpGACL groups. (bad username?)");
150 /* Validation of user and password using active directory. */
151 function active_directory_validation($user, $pass)
155 // Create class instance
156 $ad = new Adldap\
Adldap();
158 // Create a configuration array.
160 // Your account suffix, for example: jdoe@corp.acme.org
161 'account_suffix' => $GLOBALS['account_suffix'],
163 // You can use the host name or the IP address of your controllers.
164 'domain_controllers' => [$GLOBALS['domain_controllers']],
167 'base_dn' => $GLOBALS['base_dn'],
169 // The account to use for querying / modifying users. This
170 // does not need to be an actual admin account.
171 'admin_username' => $user,
172 'admin_password' => $pass,
175 // Add a connection provider to Adldap.
176 $ad->addProvider($config);
178 // If a successful connection is made, the provider will be returned.
181 $prov = $ad->connect();
182 $valid = $prov->auth()->attempt($user, $pass);