summaryrefslogtreecommitdiff
path: root/kolab.org/www/drupal-7.15/sites/all/modules/ldap/ldap_authentication
diff options
context:
space:
mode:
authorTorsten Grote <grote@kolabsys.com>2012-08-14 13:29:52 (GMT)
committerTorsten Grote <grote@kolabsys.com>2012-08-14 13:29:52 (GMT)
commit8a7a4f8e58df35a10fda833a9904eb8fd961a1ca (patch)
tree35e2f907372d637f76c0e3c3ac1c0f27f2dc1391 /kolab.org/www/drupal-7.15/sites/all/modules/ldap/ldap_authentication
parent146e20fc2d0941a6783641f26b3ea074dc03fc84 (diff)
downloadkolab.org-www-8a7a4f8e58df35a10fda833a9904eb8fd961a1ca.tar.gz
upgrade to drupal 7.15
Diffstat (limited to 'kolab.org/www/drupal-7.15/sites/all/modules/ldap/ldap_authentication')
-rw-r--r--kolab.org/www/drupal-7.15/sites/all/modules/ldap/ldap_authentication/LdapAuthenticationConf.class.php232
-rw-r--r--kolab.org/www/drupal-7.15/sites/all/modules/ldap/ldap_authentication/LdapAuthenticationConfAdmin.class.php614
-rw-r--r--kolab.org/www/drupal-7.15/sites/all/modules/ldap/ldap_authentication/README.txt40
-rw-r--r--kolab.org/www/drupal-7.15/sites/all/modules/ldap/ldap_authentication/ldap_authentication.admin.inc62
-rw-r--r--kolab.org/www/drupal-7.15/sites/all/modules/ldap/ldap_authentication/ldap_authentication.inc559
-rw-r--r--kolab.org/www/drupal-7.15/sites/all/modules/ldap/ldap_authentication/ldap_authentication.info22
-rw-r--r--kolab.org/www/drupal-7.15/sites/all/modules/ldap/ldap_authentication/ldap_authentication.install110
-rw-r--r--kolab.org/www/drupal-7.15/sites/all/modules/ldap/ldap_authentication/ldap_authentication.module412
-rw-r--r--kolab.org/www/drupal-7.15/sites/all/modules/ldap/ldap_authentication/ldap_authentication.theme.inc132
-rw-r--r--kolab.org/www/drupal-7.15/sites/all/modules/ldap/ldap_authentication/tests/LdapServerTestData.ldapauthen1.inc225
-rw-r--r--kolab.org/www/drupal-7.15/sites/all/modules/ldap/ldap_authentication/tests/ldap_authentication.test543
11 files changed, 2951 insertions, 0 deletions
diff --git a/kolab.org/www/drupal-7.15/sites/all/modules/ldap/ldap_authentication/LdapAuthenticationConf.class.php b/kolab.org/www/drupal-7.15/sites/all/modules/ldap/ldap_authentication/LdapAuthenticationConf.class.php
new file mode 100644
index 0000000..75d0c3a
--- /dev/null
+++ b/kolab.org/www/drupal-7.15/sites/all/modules/ldap/ldap_authentication/LdapAuthenticationConf.class.php
@@ -0,0 +1,232 @@
+<?php
+// $Id: LdapAuthenticationConf.class.php,v 1.4.2.2 2011/02/08 20:05:41 johnbarclay Exp $
+
+/**
+ * @file
+ * This class represents an ldap_authentication module's configuration
+ * It is extended by LdapAuthenticationConfAdmin for configuration and other admin functions
+ */
+
+class LdapAuthenticationConf {
+
+ // no need for LdapAuthenticationConf id as only one instance will exist per drupal install
+
+ public $sids = array(); // server configuration ids being used for authentication
+ public $servers = array(); // ldap server object
+ public $inDatabase = FALSE;
+ public $authenticationMode = LDAP_AUTHENTICATION_MODE_DEFAULT;
+ public $loginUIUsernameTxt;
+ public $loginUIPasswordTxt;
+ public $ldapUserHelpLinkUrl;
+ public $ldapUserHelpLinkText = LDAP_AUTHENTICATION_HELP_LINK_TEXT_DEFAULT;
+ public $loginConflictResolve = LDAP_AUTHENTICATION_CONFLICT_RESOLVE_DEFAULT;
+ public $acctCreation = LDAP_AUTHENTICATION_ACCT_CREATION_DEFAULT;
+ public $emailOption = LDAP_AUTHENTICATION_EMAIL_FIELD_DEFAULT;
+ public $emailUpdate = LDAP_AUTHENTICATION_EMAIL_UPDATE_ON_LDAP_CHANGE_DEFAULT;
+ public $ssoEnabled = FALSE;
+ public $ssoRemoteUserStripDomainName = FALSE;
+ public $seamlessLogin = FALSE;
+ public $ldapImplementation = FALSE;
+ public $cookieExpire = LDAP_AUTHENTICATION_COOKIE_EXPIRE;
+
+ public $apiPrefs = array();
+ public $createLDAPAccounts; // should an drupal account be created when an ldap user authenticates
+ public $createLDAPAccountsAdminApproval; // create them, but as blocked accounts
+
+ /**
+ * Advanced options. whitelist / blacklist options
+ *
+ * these are on the fuzzy line between authentication and authorization
+ * and determine if a user is allowed to authenticate with ldap
+ *
+ */
+
+ public $allowOnlyIfTextInDn = array(); // eg ou=education that must be met to allow ldap authentication
+ public $excludeIfTextInDn = array();
+ public $allowTestPhp = NULL; // code that returns boolean TRUE || FALSE for allowing ldap authentication
+ public $excludeIfNoAuthorizations = LDAP_AUTHENTICATION_EXCL_IF_NO_AUTHZ_DEFAULT;
+
+ public $saveable = array(
+ 'sids',
+ 'authenticationMode',
+ 'loginConflictResolve',
+ 'acctCreation',
+ 'loginUIUsernameTxt',
+ 'loginUIPasswordTxt',
+ 'ldapUserHelpLinkUrl',
+ 'ldapUserHelpLinkText',
+ 'emailOption',
+ 'emailUpdate',
+ 'allowOnlyIfTextInDn',
+ 'excludeIfTextInDn',
+ 'allowTestPhp',
+ 'excludeIfNoAuthorizations',
+ 'ssoRemoteUserStripDomainName',
+ 'seamlessLogin',
+ 'ldapImplementation',
+ 'cookieExpire',
+ );
+
+ /** are any ldap servers that are enabled associated with ldap authentication **/
+ public function enabled_servers() {
+ return !(count(array_filter(array_values($this->sids))) == 0);
+ }
+ function __construct() {
+ $this->load();
+ }
+
+
+ function load() {
+
+ if ($saved = variable_get("ldap_authentication_conf", FALSE)) {
+ $this->inDatabase = TRUE;
+ foreach ($this->saveable as $property) {
+ if (isset($saved[$property])) {
+ $this->{$property} = $saved[$property];
+ }
+ }
+ foreach ($this->sids as $sid => $is_enabled) {
+ if ($is_enabled) {
+ $this->servers[$sid] = ldap_servers_get_servers($sid, 'enabled', TRUE);
+ }
+ }
+
+ }
+ else {
+ $this->inDatabase = FALSE;
+ }
+
+ $this->ssoEnabled = module_exists('ldap_sso');
+ $this->apiPrefs['requireHttps'] = variable_get('ldap_servers_require_ssl_for_credentails', 1);
+ $this->apiPrefs['encryption'] = variable_get('ldap_servers_encryption', LDAP_SERVERS_ENC_TYPE_CLEARTEXT);
+
+ // determine account creation configuration
+ $user_register = variable_get('user_register', USER_REGISTER_VISITORS_ADMINISTRATIVE_APPROVAL);
+ if ($this->acctCreation == LDAP_AUTHENTICATION_ACCT_CREATION_DEFAULT || $user_register == USER_REGISTER_VISITORS) {
+ $this->createLDAPAccounts = TRUE;
+ $this->createLDAPAccountsAdminApproval = FALSE;
+ }
+ elseif ($user_register == USER_REGISTER_VISITORS_ADMINISTRATIVE_APPROVAL) {
+ $this->createLDAPAccounts = FALSE;
+ $this->createLDAPAccountsAdminApproval = TRUE;
+ }
+ else {
+ $this->createLDAPAccounts = FALSE;
+ $this->createLDAPAccountsAdminApproval = FALSE;
+ }
+
+ }
+
+ /**
+ * Destructor Method
+ */
+ function __destruct() {
+
+
+ }
+
+
+ /**
+ * decide if a username is excluded or not
+ *
+ * return boolean
+ */
+ public function allowUser($name, $ldap_user_entry) {
+
+ /**
+ * do one of the exclude attribute pairs match
+ */
+ $exclude = FALSE;
+ foreach ($this->excludeIfTextInDn as $test) {
+ if (stripos($ldap_user_entry['dn'], $test) !== FALSE) {
+ return FALSE;// if a match, return FALSE;
+ }
+ }
+
+
+ /**
+ * evaluate php if it exists
+ */
+ if ($this->allowTestPhp) {
+ if (module_exists('php')) {
+ global $_name, $_ldap_user_entry;
+ $_name = $name;
+ $_ldap_user_entry = $ldap_user_entry;
+ $code = '<?php ' . "global \$_name; \n global \$_ldap_user_entry; \n" . $this->allowTestPhp . ' ?>';
+ $code_result = php_eval($code);
+ $_name = NULL;
+ $_ldap_user_entry = NULL;
+ if ((boolean)($code_result) == FALSE) {
+ return FALSE;
+ }
+ }
+ else {
+ drupal_set_message(t(LDAP_AUTHENTICATION_DISABLED_FOR_BAD_CONF_MSG), 'warning');
+ $tokens = array('!ldap_authentication_config' => l(t('LDAP Authentication Configuration'), 'admin/config/people/ldap/authentication'));
+ watchdog('warning', 'LDAP Authentication is configured to deny users based on php execution with php_eval function, but php module is not enabled. Please enable php module or remove php code at !ldap_authentication_config .', $tokens);
+ return FALSE;
+ }
+ }
+
+ /**
+ * do one of the allow attribute pairs match
+ */
+ if (count($this->allowOnlyIfTextInDn)) {
+ $fail = TRUE;
+ foreach ($this->allowOnlyIfTextInDn as $test) {
+ if (stripos($ldap_user_entry['dn'], $test) !== FALSE) {
+ $fail = FALSE;
+ }
+ }
+ if ($fail) {
+ return FALSE;
+ }
+
+ }
+ /**
+ * is excludeIfNoAuthorizations option enabled and user not granted any groups
+ */
+
+ if ($this->excludeIfNoAuthorizations) {
+ if (!module_exists('ldap_authorization')) {
+ drupal_set_message(t(LDAP_AUTHENTICATION_DISABLED_FOR_BAD_CONF_MSG), 'warning');
+ $tokens = array('!ldap_authentication_config' => l(t('LDAP Authentication Configuration'), 'admin/config/people/ldap/authentication'));
+ watchdog('warning', 'LDAP Authentication is configured to deny users without LDAP Authorization mappings, but LDAP Authorization module is not enabled. Please enable and configure LDAP Authorization or disable this option at !ldap_authentication_config .', $tokens);
+ return FALSE;
+ }
+ $user = new stdClass();
+ $user->name = $name;
+ $user->ldap_authenticated = TRUE; // fake user property added for query
+ $consumers = ldap_authorization_get_consumers();
+ $has_enabled_consumers = FALSE;
+
+ foreach ($consumers as $consumer_type => $consumer_config) {
+ $consumer_obj = ldap_authorization_get_consumer_object($consumer_type);
+ if ($consumer_obj->consumerConf->status) {
+ $has_enabled_consumers = TRUE;
+ list($authorizations, $notifications) = ldap_authorizations_user_authorizations($user, 'query', $consumer_type, 'test_if_authorizations_granted');
+ if (count(array_filter(array_values($authorizations))) > 0) {
+ return TRUE;
+ }
+ }
+ }
+
+ if (!$has_enabled_consumers) {
+ drupal_set_message(t(LDAP_AUTHENTICATION_DISABLED_FOR_BAD_CONF_MSG), 'warning');
+ $tokens = array('!ldap_consumer_config' => l(t('LDAP Authorization Configuration'), 'admin/config/people/ldap/authorization'));
+ watchdog('warning', 'LDAP Authentication is configured to deny users without LDAP Authorization mappings, but 0 LDAP Authorization consumers are configured: !ldap_consumer_config .', $tokens);
+ return FALSE;
+ }
+
+ return FALSE;
+ }
+
+
+ /**
+ * default to allowed
+ */
+ return TRUE;
+ }
+
+
+}
diff --git a/kolab.org/www/drupal-7.15/sites/all/modules/ldap/ldap_authentication/LdapAuthenticationConfAdmin.class.php b/kolab.org/www/drupal-7.15/sites/all/modules/ldap/ldap_authentication/LdapAuthenticationConfAdmin.class.php
new file mode 100644
index 0000000..3600ac1
--- /dev/null
+++ b/kolab.org/www/drupal-7.15/sites/all/modules/ldap/ldap_authentication/LdapAuthenticationConfAdmin.class.php
@@ -0,0 +1,614 @@
+<?php
+// $Id: LdapAuthenticationConfAdmin.class.php,v 1.4.2.1 2011/02/08 06:01:00 johnbarclay Exp $
+
+/**
+ * @file
+ * This classextends by LdapAuthenticationConf for configuration and other admin functions
+ */
+module_load_include('php', 'ldap_authentication', 'LdapAuthenticationConf.class');
+
+class LdapAuthenticationConfAdmin extends LdapAuthenticationConf {
+
+ protected function setTranslatableProperties() {
+
+ /**
+ * 0. Logon Options
+ */
+
+ $values['authenticationModeOptions'] = array(
+ LDAP_AUTHENTICATION_MIXED => t('Mixed mode. Drupal authentication is tried first. On failure, LDAP authentication is performed.'),
+ LDAP_AUTHENTICATION_EXCLUSIVE => t('Only LDAP Authentication is allowed except for user 1.
+ If selected, (1) reset password links will be replaced with links to ldap end user documentation below.
+ (2) The reset password form will be left available at user/password for user 1; but no links to it
+ will be provided to anonymous users.
+ (3) Password fields in user profile form will be removed except for user 1.'),
+ );
+
+ $values['authenticationServersDescription'] = t('Check all LDAP server configurations to use in authentication.
+ Each will be tested for authentication until successful or
+ until each is exhausted. In most cases only one server configuration is selected.');
+
+ /**
+ * 1. User Login Interface
+ */
+ $values['loginUIUsernameTxtDescription'] = t('Text to be displayed to user below the username field of
+ the user login screen.');
+
+ $values['loginUIPasswordTxtDescription'] = t('Text to be displayed to user below the password field of
+ the user login screen.');
+
+ $values['ldapUserHelpLinkUrlDescription'] = t('URL to LDAP user help/documentation for users resetting
+ passwords etc. Should be of form http://domain.com/. Could be the institutions ldap password support page
+ or a page within this drupal site that is available to anonymous users.');
+
+ $values['ldapUserHelpLinkTextDescription'] = t('Text for above link e.g. Account Help or Campus Password Help Page');
+
+
+ /**
+ * 2. LDAP User Restrictions
+ */
+
+ $values['allowOnlyIfTextInDnDescription'] = t('A list of text such as ou=education
+ or cn=barclay that at least one of be found in user\'s dn string. Enter one per line
+ such as <pre>ou=education') . "\n" . t('ou=engineering</pre> This test will be case insensitive.');
+
+ $values['excludeIfTextInDnDescription'] = t('A list of text such as ou=evil
+ or cn=bad that if found in a user\'s dn, exclude them from ldap authentication.
+ Enter one per line such as <pre>ou=evil') . "\n" . t('cn=bad</pre> This test will be case insensitive.');
+
+ $values['allowTestPhpDescription'] = t('PHP code which should print 1
+ for allowing ldap authentication or 0 for not allowed. Available variables are:
+ $_name and $_ldap_user_entry See readme.txt for more info.');
+
+ $values['excludeIfNoAuthorizationsDescription'] = t('If the user is not granted any drupal roles,
+ organic groups, etc. by LDAP Authorization, login will be denied. LDAP Authorization must be
+ enabled for this to work.');
+
+
+
+ /**
+ * 3. Drupal Account Provisioning and Syncing
+ */
+ $values['loginConflictResolveDescription'] = t('What should be done if a local Drupal or other external
+ authentication account already exists with the same login name.');
+ $values['loginConflictOptions'] = array(
+ LDAP_AUTHENTICATION_CONFLICT_LOG => t('Disallow login and log the conflict'),
+ LDAP_AUTHENTICATION_CONFLICT_RESOLVE => t('Associate local account with the LDAP entry. This option
+ is useful for creating accounts and assigning roles before an ldap user authenticates.'),
+ );
+
+
+ $values['acctCreationOptions'] = array(
+ LDAP_AUTHENTICATION_ACCT_CREATION_LDAP_BEHAVIOR => t('Create accounts automatically for ldap authenticated users.
+ Account creation settings at /admin/config/people/accounts/settings will only affect non-ldap authenticated accounts.'),
+ LDAP_AUTHENTICATION_ACCT_CREATION_USER_SETTINGS_FOR_LDAP => t('Use account creation policy
+ at /admin/config/people/accounts/settings under for both Drupal and LDAP Authenticated users.
+ "Visitors" option automatically creates and account when they successfully LDAP authenticate.
+ "Admin" and "Admin with approval" do not allow user to authenticate until the account is approved.'),
+ );
+
+
+ /**
+ * 4. Email
+ */
+
+ $values['emailOptionOptions'] = array(
+ LDAP_AUTHENTICATION_EMAIL_FIELD_REMOVE => t('Don\'t show an email field on user forms. LDAP derived email will be used for user and connot be changed by user'),
+ LDAP_AUTHENTICATION_EMAIL_FIELD_DISABLE => t('Show disabled email field on user forms with LDAP derived email. LDAP derived email will be used for user and connot be changed by user'),
+ );
+
+ $values['emailUpdateOptions'] = array(
+ LDAP_AUTHENTICATION_EMAIL_UPDATE_ON_LDAP_CHANGE_ENABLE_NOTIFY => t('Update stored email if LDAP email differs at login and notify user.'),
+ LDAP_AUTHENTICATION_EMAIL_UPDATE_ON_LDAP_CHANGE_ENABLE => t('Update stored email if LDAP email differs at login but don\'t notify user.'),
+ LDAP_AUTHENTICATION_EMAIL_UPDATE_ON_LDAP_CHANGE_DISABLE => t('Don\'t update stored email if LDAP email differs at login.'),
+ );
+
+
+ /**
+ * 5. Single Sign-On / Seamless Sign-On
+ */
+
+ $values['ldapImplementationOptions'] = array(
+ 'mod_auth_sspi' => t('mod_auth_sspi'),
+ 'mod_auth_kerb' => t('mod_auth_kerb'),
+ );
+
+ $values['cookieExpirePeriod'] = array(0 => t('Immediately')) +
+ drupal_map_assoc(array(3600, 86400, 604800, 2592000, 31536000, 315360000), 'format_interval')
+ + array(-1 => t('Never'));
+
+ $values['ssoEnabledDescription'] = '<strong>' . t('Single Sign on is enabled.') .
+ '</strong> ' . t('To disable it, disable the LDAP SSO Module on the ') . l('Modules Form', 'admin/modules') . '.<p>' .
+ t('Single Sign-On enables ' .
+ 'users of this site to be authenticated by visiting the URL ' .
+ '"user/login/sso, or automatically if selecting "automated ' .
+ 'single sign-on" below. Set up of LDAP authentication must be ' .
+ 'performed on the web server. Please review the !readme file ' .
+ 'for more information.', array('!readme' =>
+ l(t('README.txt'), drupal_get_path('module', 'ldap_sso') . '/README.txt')))
+ . '</p>';
+
+ $values['ssoRemoteUserStripDomainNameDescription'] = t('Useful when the ' .
+ 'WWW server provides authentication in the form of user@realm and you ' .
+ 'want to have both SSO and regular forms based authentication ' .
+ 'available. Otherwise duplicate accounts with conflicting e-mail ' .
+ 'addresses may be created.');
+ $values['seamlessLogInDescription'] = t('This requires that you ' .
+ 'have operational NTLM or Kerberos authentication turned on for at least ' .
+ 'the path user/login/sso, or for the whole domain.');
+ $values['cookieExpireDescription'] = t('If using the seamless login, a ' .
+ 'cookie is necessary to prevent automatic login after a user ' .
+ 'manually logs out. Select the lifetime of the cookie.');
+ $values['ldapImplementationDescription'] = t('Select the type of ' .
+ 'authentication mechanism you are using.');
+
+ foreach ($values as $property => $default_value) {
+ $this->$property = $default_value;
+ }
+ }
+
+ /**
+ * 0. Logon Options
+ */
+ public $authenticationModeDefault = LDAP_AUTHENTICATION_MIXED;
+ public $authenticationModeOptions;
+
+ protected $authenticationServersDescription;
+ protected $authenticationServersOptions = array();
+
+ /**
+ * 1. User Login Interface
+ */
+ protected $loginUIUsernameTxtDescription;
+ protected $loginUIPasswordTxtDescription;
+ protected $ldapUserHelpLinkUrlDescription;
+ protected $ldapUserHelpLinkTextDescription;
+
+
+ /**
+ * 2. LDAP User Restrictions
+ */
+
+ protected $allowOnlyIfTextInDnDescription;
+ protected $excludeIfTextInDnDescription;
+ protected $allowTestPhpDescription;
+
+ /**
+ * 3. Drupal Account Provisioning and Syncing
+ */
+ public $loginConflictResolveDescription;
+ public $loginConflictResolveDefault = LDAP_AUTHENTICATION_CONFLICT_LOG; // LDAP_CONFLICT_RESOLVE;
+ public $loginConflictOptions;
+
+ public $acctCreationDescription = '';
+ public $acctCreationDefault = LDAP_AUTHENTICATION_ACCT_CREATION_DEFAULT;
+ public $acctCreationOptions;
+
+
+ /**
+ * 4. Email
+ */
+
+ public $emailOptionDefault = LDAP_AUTHENTICATION_EMAIL_FIELD_REMOVE;
+ public $emailOptionOptions;
+
+ public $emailUpdateDefault = LDAP_AUTHENTICATION_EMAIL_UPDATE_ON_LDAP_CHANGE_ENABLE_NOTIFY;
+ public $emailUpdateOptions;
+
+
+ /**
+ * 5. Single Sign-On / Seamless Sign-On
+ */
+
+ public $ssoEnabledDescription;
+ public $ssoRemoteUserStripDomainNameDescription;
+ public $ldapImplementationOptions;
+ public $cookieExpirePeriod;
+ public $seamlessLogInDescription;
+ public $cookieExpireDescription;
+ public $ldapImplementationDescription;
+
+
+ public $errorMsg = NULL;
+ public $hasError = FALSE;
+ public $errorName = NULL;
+
+ public function clearError() {
+ $this->hasError = FALSE;
+ $this->errorMsg = NULL;
+ $this->errorName = NULL;
+ }
+
+ public function save() {
+ foreach ($this->saveable as $property) {
+ $save[$property] = $this->{$property};
+ }
+ variable_set('ldap_authentication_conf', $save);
+ }
+
+ static public function getSaveableProperty($property) {
+ $ldap_authentication_conf = variable_get('ldap_authentication_conf', array());
+ return isset($ldap_authentication_conf[$property]) ? $ldap_authentication_conf[$property] : FALSE;
+
+ }
+
+ static public function uninstall() {
+ variable_del('ldap_authentication_conf');
+ }
+
+ public function __construct() {
+ parent::__construct();
+ $this->setTranslatableProperties();
+ if ($servers = ldap_servers_get_servers(NULL, 'enabled')) {
+ foreach ($servers as $sid => $ldap_server) {
+ $enabled = ($ldap_server->status) ? 'Enabled' : 'Disabled';
+ $this->authenticationServersOptions[$sid] = $ldap_server->name . ' (' . $ldap_server->address . ') Status: ' . $enabled;
+ }
+ }
+ }
+
+
+ public function drupalForm() {
+
+ if (count($this->authenticationServersOptions) == 0) {
+ $message = ldap_servers_no_enabled_servers_msg('configure LDAP Authentication');
+ $form['intro'] = array(
+ '#type' => 'item',
+ '#markup' => t('<h1>LDAP Authentication Settings</h1>') . $message,
+ );
+ return $form;
+ }
+
+ $tokens = array(); // not sure what the tokens would be for this form?
+
+ $form['intro'] = array(
+ '#type' => 'item',
+ '#markup' => t('<h1>LDAP Authentication Settings</h1>'),
+ );
+
+ $form['logon'] = array(
+ '#type' => 'fieldset',
+ '#title' => t('Logon Options'),
+ '#collapsible' => TRUE,
+ '#collapsed' => FALSE,
+ );
+
+ $form['logon']['authenticationMode'] = array(
+ '#type' => 'radios',
+ '#title' => t('Allowable Authentications'),
+ '#required' => 1,
+ '#default_value' => $this->authenticationMode,
+ '#options' => $this->authenticationModeOptions,
+ );
+
+
+ $form['logon']['authenticationServers'] = array(
+ '#type' => 'checkboxes',
+ '#title' => t('Authentication LDAP Server Configurations'),
+ '#required' => FALSE,
+ '#default_value' => $this->sids,
+ '#options' => $this->authenticationServersOptions,
+ '#description' => $this->authenticationServersDescription
+ );
+
+ $form['login_UI'] = array(
+ '#type' => 'fieldset',
+ '#title' => t('User Login Interface'),
+ '#collapsible' => TRUE,
+ '#collapsed' => FALSE,
+ );
+
+ $form['login_UI']['loginUIUsernameTxt'] = array(
+ '#type' => 'textfield',
+ '#title' => t('Username Description Text'),
+ '#required' => 0,
+ '#default_value' => $this->loginUIUsernameTxt,
+ '#description' => $this->loginUIUsernameTxtDescription,
+ );
+
+ $form['login_UI']['loginUIPasswordTxt'] = array(
+ '#type' => 'textfield',
+ '#title' => t('Password Description Text'),
+ '#required' => 0,
+ '#default_value' => $this->loginUIPasswordTxt,
+ '#description' => $this->loginUIPasswordTxtDescription,
+ );
+
+ $form['login_UI']['ldapUserHelpLinkUrl'] = array(
+ '#type' => 'textfield',
+ '#title' => t('LDAP Account User Help URL'),
+ '#required' => 0,
+ '#default_value' => $this->ldapUserHelpLinkUrl,
+ '#description' => $this->ldapUserHelpLinkUrlDescription,
+ );
+
+
+ $form['login_UI']['ldapUserHelpLinkText'] = array(
+ '#type' => 'textfield',
+ '#title' => t('LDAP Account User Help Link Text'),
+ '#required' => 0,
+ '#default_value' => $this->ldapUserHelpLinkText,
+ '#description' => $this->ldapUserHelpLinkTextDescription,
+ );
+
+ $form['restrictions'] = array(
+ '#type' => 'fieldset',
+ '#title' => t('LDAP User "Whitelists" and Restrictions'),
+ '#collapsible' => TRUE,
+ '#collapsed' => FALSE,
+ );
+
+
+ $form['restrictions']['allowOnlyIfTextInDn'] = array(
+ '#type' => 'textarea',
+ '#title' => t('Allow Only Text Test'),
+ '#default_value' => $this->arrayToLines($this->allowOnlyIfTextInDn),
+ '#cols' => 50,
+ '#rows' => 3,
+ '#description' => t($this->allowOnlyIfTextInDnDescription, $tokens),
+ );
+
+ $form['restrictions']['excludeIfTextInDn'] = array(
+ '#type' => 'textarea',
+ '#title' => t('Excluded Text Test'),
+ '#default_value' => $this->arrayToLines($this->excludeIfTextInDn),
+ '#cols' => 50,
+ '#rows' => 3,
+ '#description' => t($this->excludeIfTextInDnDescription, $tokens),
+ );
+
+ $form['restrictions']['allowTestPhp'] = array(
+ '#type' => 'textarea',
+ '#title' => t('PHP to Test for Allowed LDAP Users'),
+ '#default_value' => $this->allowTestPhp,
+ '#cols' => 50,
+ '#rows' => 3,
+ '#description' => t($this->allowTestPhpDescription, $tokens),
+ '#disabled' => (boolean)(!module_exists('php')),
+ );
+ if (!module_exists('php')) {
+ $form['restrictions']['allowTestPhp']['#title'] .= ' <em>' . t('php module currently disabled') . '</em>';
+ }
+
+
+ $form['restrictions']['excludeIfNoAuthorizations'] = array(
+ '#type' => 'checkbox',
+ '#title' => t('New and lightly tested feature. Use with caution! Requires LDAP Authorization to be enabled and configured. Deny access to users without Ldap Authorization Module authorization mappings such as Drupal roles.'),
+ '#default_value' => $this->excludeIfNoAuthorizations,
+ '#description' => t($this->excludeIfNoAuthorizationsDescription, $tokens),
+ '#disabled' => (boolean)(!module_exists('ldap_authorization')),
+ );
+
+
+ $form['drupal_accounts'] = array(
+ '#type' => 'fieldset',
+ '#title' => t('Drupal User Account Creation'),
+ '#collapsible' => TRUE,
+ '#collapsed' => FALSE,
+ );
+
+ $form['drupal_accounts']['loginConflictResolve'] = array(
+ '#type' => 'radios',
+ '#title' => t('Existing Drupal User Account Conflict'),
+ '#required' => 1,
+ '#default_value' => $this->loginConflictResolve,
+ '#options' => $this->loginConflictOptions,
+ '#description' => t( $this->loginConflictResolveDescription),
+ );
+
+
+ $form['drupal_accounts']['acctCreation'] = array(
+ '#type' => 'radios',
+ '#title' => t('Account Creation for LDAP Authenticated Users'),
+ '#required' => 1,
+ '#default_value' => $this->acctCreation,
+ '#options' => $this->acctCreationOptions,
+ '#description' => t($this->acctCreationDescription),
+ );
+
+ $form['email'] = array(
+ '#type' => 'fieldset',
+ '#title' => t('Email'),
+ '#collapsible' => TRUE,
+ '#collapsed' => FALSE,
+ );
+
+ $form['email']['emailOption'] = array(
+ '#type' => 'radios',
+ '#title' => t('Email Behavior'),
+ '#required' => 1,
+ '#default_value' => $this->emailOption,
+ '#options' => $this->emailOptionOptions,
+ );
+
+ $form['email']['emailUpdate'] = array(
+ '#type' => 'radios',
+ '#title' => t('Email Update'),
+ '#required' => 1,
+ '#default_value' => $this->emailUpdate,
+ '#options' => $this->emailUpdateOptions,
+ );
+
+
+ /**
+ * Begin single sign-on settings
+ */
+ $form['sso'] = array(
+ '#type' => 'fieldset',
+ '#title' => t('Single Sign-On'),
+ '#collapsible' => TRUE,
+ '#collapsed' => (boolean)(!$this->ssoEnabled),
+ );
+
+/**
+ $form['sso']['ssoEnabled'] = array(
+ '#type' => 'checkbox',
+ '#title' => t('Enable Single Sign-On'),
+ '#description' => t($this->ssoEnabledDescription),
+ '#default_value' => $this->ssoEnabled,
+ '#disabled' => (boolean)(!module_exists('ldap_sso')),
+ );
+**/
+ if ($this->ssoEnabled) {
+
+ $form['sso']['enabled'] = array(
+ '#type' => 'markup',
+ '#markup' => $this->ssoEnabledDescription,
+ );
+
+ }
+ else {
+ $form['sso']['disabled'] = array(
+ '#type' => 'markup',
+ '#markup' => '<p><em>' . t('LDAP Single Sign-On module must be enabled for options below to work.')
+ . ' ' . t('It is currently disabled.')
+ . ' ' . l('Modules Form', 'admin/modules') . '</p></em>',
+ );
+
+
+
+ }
+ $form['sso']['ssoRemoteUserStripDomainName'] = array(
+ '#type' => 'checkbox',
+ '#title' => t('Strip REMOTE_USER domain name'),
+ '#description' => t($this->ssoRemoteUserStripDomainNameDescription),
+ '#default_value' => $this->ssoRemoteUserStripDomainName,
+ '#disabled' => (boolean)(!$this->ssoEnabled),
+ );
+
+ $form['sso']['seamlessLogin'] = array(
+ '#type' => 'checkbox',
+ '#title' => t('Turn on automated single sign-on'),
+ '#description' => t($this->seamlessLogInDescription),
+ '#default_value' => $this->seamlessLogin,
+ '#disabled' => (boolean)(!$this->ssoEnabled),
+ );
+
+ $form['sso']['cookieExpire'] = array(
+ '#type' => 'select',
+ '#title' => t('Cookie Lifetime'),
+ '#description' => t($this->cookieExpireDescription),
+ '#default_value' => $this->cookieExpire,
+ '#options' => $this->cookieExpirePeriod,
+ '#disabled' => (boolean)(!$this->ssoEnabled),
+ );
+
+ $form['sso']['ldapImplementation'] = array(
+ '#type' => 'select',
+ '#title' => t('Authentication Mechanism'),
+ '#description' => t($this->ldapImplementationDescription),
+ '#default_value' => $this->ldapImplementation,
+ '#options' => $this->ldapImplementationOptions,
+ '#disabled' => (boolean)(!$this->ssoEnabled),
+ );
+
+ $form['submit'] = array(
+ '#type' => 'submit',
+ '#value' => 'Save',
+ );
+
+ return $form;
+}
+
+/**
+ * validate form, not object
+ */
+ public function drupalFormValidate($values) {
+
+ $this->populateFromDrupalForm($values);
+
+ $errors = $this->validate();
+
+ return $errors;
+ }
+
+/**
+ * validate object, not form
+ */
+ public function validate() {
+ $errors = array();
+
+ $enabled_servers = ldap_servers_get_servers(NULL, 'enabled');
+ if ($this->ssoEnabled) {
+ foreach ($this->sids as $sid) {
+ if ($enabled_servers[$sid]->bind_method == LDAP_SERVERS_BIND_METHOD_USER || $enabled_servers[$sid]->bind_method == LDAP_SERVERS_BIND_METHOD_ANON_USER) {
+ $methods = array(
+ LDAP_SERVERS_BIND_METHOD_USER => 'Bind with Users Credentials',
+ LDAP_SERVERS_BIND_METHOD_ANON_USER => 'Anonymous Bind for search, then Bind with Users Credentials',
+ );
+ $tokens = array(
+ '!edit' => l($enabled_servers[$sid]->name, LDAP_SERVERS_INDEX_BASE_PATH . '/edit/' . $sid),
+ '%sid' => $sid,
+ '%bind_method' => $methods[$enabled_servers[$sid]->bind_method],
+ );
+
+ $errors['ssoEnabled'] = t('Single Sign On is not valid with the server !edit (id=%sid) because that server configuration uses %bind_method. Since the user\'s credentials are never available to this module with single sign on enabled, there is no way for the ldap module to bind to the ldap server with credentials.', $tokens);
+ }
+ }
+ }
+ return $errors;
+ }
+
+ protected function populateFromDrupalForm($values) {
+ $this->authenticationMode = ($values['authenticationMode']) ? (int)$values['authenticationMode'] : NULL;
+ $this->sids = $values['authenticationServers'];
+ $this->allowOnlyIfTextInDn = $this->linesToArray($values['allowOnlyIfTextInDn']);
+ $this->excludeIfTextInDn = $this->linesToArray($values['excludeIfTextInDn']);
+ $this->allowTestPhp = $values['allowTestPhp'];
+ $this->loginConflictResolve = ($values['loginConflictResolve']) ? (int)$values['loginConflictResolve'] : NULL;
+ $this->acctCreation = ($values['acctCreation']) ? (int)$values['acctCreation'] : NULL;
+ $this->loginUIUsernameTxt = ($values['loginUIUsernameTxt']) ? (string)$values['loginUIUsernameTxt'] : NULL;
+ $this->loginUIPasswordTxt = ($values['loginUIPasswordTxt']) ? (string)$values['loginUIPasswordTxt'] : NULL;
+ $this->ldapUserHelpLinkUrl = ($values['ldapUserHelpLinkUrl']) ? (string)$values['ldapUserHelpLinkUrl'] : NULL;
+ $this->ldapUserHelpLinkText = ($values['ldapUserHelpLinkText']) ? (string)$values['ldapUserHelpLinkText'] : NULL;
+ $this->excludeIfNoAuthorizations = ($values['excludeIfNoAuthorizations']) ? (int)$values['excludeIfNoAuthorizations'] : NULL;
+ $this->emailOption = ($values['emailOption']) ? (int)$values['emailOption'] : NULL;
+ $this->emailUpdate = ($values['emailUpdate']) ? (int)$values['emailUpdate'] : NULL;
+ // $this->ssoEnabled = ($values['ssoEnabled']) ? (int)$values['ssoEnabled'] : NULL;
+ $this->ssoRemoteUserStripDomainName = ($values['ssoRemoteUserStripDomainName']) ? (int)$values['ssoRemoteUserStripDomainName'] : NULL;
+ $this->seamlessLogin = ($values['seamlessLogin']) ? (int)$values['seamlessLogin'] : NULL;
+ $this->cookieExpire = ($values['cookieExpire']) ? (int)$values['cookieExpire'] : NULL;
+ $this->ldapImplementation = ($values['ldapImplementation']) ? (string)$values['ldapImplementation'] : NULL;
+ }
+
+ public function drupalFormSubmit($values) {
+
+ $this->populateFromDrupalForm($values);
+ try {
+ $save_result = $this->save();
+ }
+ catch (Exception $e) {
+ $this->errorName = 'Save Error';
+ $this->errorMsg = t('Failed to save object. Your form data was not saved.');
+ $this->hasError = TRUE;
+ }
+
+ }
+
+ protected function arrayToLines($array) {
+ $lines = "";
+ if (is_array($array)) {
+ $lines = join("\n", $array);
+ }
+ elseif (is_array(@unserialize($array))) {
+ $lines = join("\n", unserialize($array));
+ }
+ return $lines;
+ }
+
+ protected function linesToArray($lines) {
+ $lines = trim($lines);
+
+ if ($lines) {
+ $array = preg_split('/[\n\r]+/', $lines);
+ foreach ($array as $i => $value) {
+ $array[$i] = trim($value);
+ }
+ }
+ else {
+ $array = array();
+ }
+ return $array;
+ }
+
+}
diff --git a/kolab.org/www/drupal-7.15/sites/all/modules/ldap/ldap_authentication/README.txt b/kolab.org/www/drupal-7.15/sites/all/modules/ldap/ldap_authentication/README.txt
new file mode 100644
index 0000000..4533a85
--- /dev/null
+++ b/kolab.org/www/drupal-7.15/sites/all/modules/ldap/ldap_authentication/README.txt
@@ -0,0 +1,40 @@
+
+
+
+=======================================
+PHP to Test for Allowed LDAP Users
+=======================================
+
+Two variables are available:
+
+(1) $_name - the username ldap server configuration has mapped user to such as "jdoe" etc. How this is derived is configured in ldap_servers module.
+
+
+
+(2) $_ldap_user_entry - their ldap entry as returned from php ldap extension.
+
+$_ldap_user_entry is something like:
+
+array(
+ 'dn' => 'cn=jkool,ou=guest accounts,dc=ad,dc=myuniversity,dc=edu',
+ 'mail' => array( 0 => 'jkool@guests.myuniversity.edu', 'count' => 1),
+ 'sAMAccountName' => array( 0 => 'jkool', 'count' => 1),
+ 'memberOf' => array( 0 => 'cn=sysadmins,ou=it,dc=ad,dc=myuniversity,dc=edu', 'count' => 1),
+ );
+
+
+Result should print 1 for allowed or 0 for disallowed. The function used to evaluate the code is php_eval() in php.module
+
+---------------------------------
+Examples:
+
+
+//exclude users with guests.myuniversity.edu email address
+if (strpos($_ldap_user_entry['attr']['mail'][0], '@guests.myuniversity.edu') === FALSE) {
+ print 1;
+}
+else {
+ print 0;
+}
+
+
diff --git a/kolab.org/www/drupal-7.15/sites/all/modules/ldap/ldap_authentication/ldap_authentication.admin.inc b/kolab.org/www/drupal-7.15/sites/all/modules/ldap/ldap_authentication/ldap_authentication.admin.inc
new file mode 100644
index 0000000..eb60148
--- /dev/null
+++ b/kolab.org/www/drupal-7.15/sites/all/modules/ldap/ldap_authentication/ldap_authentication.admin.inc
@@ -0,0 +1,62 @@
+<?php
+// $Id: ldap_authentication.admin.inc,v 1.1.4.2 2011/02/08 06:01:00 johnbarclay Exp $
+
+/**
+ * @file
+ * Administrative page callbacks for the ldap_authentication module.
+ */
+
+
+/**
+ * form for adding, updating, and deleting a single ldap authorization mapping
+ *
+ * @param <type> $form
+ * @param <type> $form_state
+ * @return array drupal form array
+ */
+function ldap_authentication_admin_form($form, &$form_state) {
+ ldap_server_module_load_include('php', 'ldap_authentication', 'LdapAuthenticationConfAdmin.class');
+ $auth_conf = new LdapAuthenticationConfAdmin();
+ return $auth_conf->drupalForm();
+}
+
+
+/**
+ * validate handler for the ldap_authentication_admin_form
+ */
+function ldap_authentication_admin_form_validate($form, &$form_state) {
+
+ ldap_server_module_load_include('php', 'ldap_authentication', 'LdapAuthenticationConfAdmin.class');
+ $auth_conf = new LdapAuthenticationConfAdmin();
+ $errors = $auth_conf->drupalFormValidate($form_state['values']);
+ foreach ($errors as $error_name => $error_text) {
+ form_set_error($error_name, t($error_text));
+ }
+
+}
+
+
+/**
+ * submit handler function for ldap_authorization_admin_form
+ */
+
+function ldap_authentication_admin_form_submit($form, &$form_state) {
+ ldap_server_module_load_include('php', 'ldap_authentication', 'LdapAuthenticationConfAdmin.class');
+ $auth_conf = new LdapAuthenticationConfAdmin();
+ $auth_conf->drupalFormSubmit($form_state['values']); // add form data to object and save or create
+
+ if (!$auth_conf->enabled_servers()) {
+ drupal_set_message(t('No LDAP servers are enabled for authentication,
+ so no LDAP Authentication can take place. This essentially disables
+ LDAP Authentication.'), 'warning');
+ }
+ if ($auth_conf->hasError == FALSE) {
+ drupal_set_message(t('LDAP Authentication configuration saved'), 'status');
+ drupal_goto(LDAP_SERVERS_MENU_BASE_PATH . '/authentication');
+ }
+ else {
+ form_set_error($auth_conf->errorName, $auth_conf->errorMsg);
+ $auth_conf->clearError();
+ }
+
+}
diff --git a/kolab.org/www/drupal-7.15/sites/all/modules/ldap/ldap_authentication/ldap_authentication.inc b/kolab.org/www/drupal-7.15/sites/all/modules/ldap/ldap_authentication/ldap_authentication.inc
new file mode 100644
index 0000000..e97a69a
--- /dev/null
+++ b/kolab.org/www/drupal-7.15/sites/all/modules/ldap/ldap_authentication/ldap_authentication.inc
@@ -0,0 +1,559 @@
+<?php
+// $Id: ldap_authentication.inc,v 1.1.2.3 2011/02/18 15:17:09 johnbarclay Exp $
+
+/**
+ * @file
+ * ldap_authn provides authentication against ldap server.
+ */
+
+/**
+ * helper function for ldap_authn_form_user_login_block_alter and ldap_authn_form_user_login_alter
+ *
+ * hook_user is gone in drupal 7 so functionality can be replaced by
+ * altering login form submit and validate functions
+ * http://drupal.org/update/modules/6/7#remove_op
+ *
+ * if form is being generated on non https and is set in preferences, set warning and end form development
+ * add submit functions to form
+ * - make sure submit function is in the correct order; that is if ldap precedes drupal, make _ldap_authn_login_form_submit first.
+ * do not remove other authentication submit functions, just reorder.
+ */
+function _ldap_authentication_login_form_alter(&$form, &$form_state, $form_id) {
+
+/**
+ * make sure ldap_authentication is configured and valid first
+ */
+
+ if (!$auth_conf = ldap_authentication_get_valid_conf()) {
+ return;
+ }
+ elseif (!$auth_conf->enabled_servers()) {
+ return;
+ }
+
+ /**
+ *
+ * add validate function to test for ldap authentication
+ * should be placed after user_login_authenticate_validate
+ * 1. user_login_name_validate
+ * 2. user_login_authenticate_validate
+ * 3. external authentication validate functions
+ * 4. user_login_final_validate
+ *
+ * as articulated above user_login_default_validators() in user.module
+ *
+ * without any other external authentication modules, this array will start out as:
+ * array('user_login_name_validate', 'user_login_authenticate_validate', 'user_login_final_validate')
+ */
+
+ if (@in_array('user_login_authenticate_validate', $form['#validate'])) {
+ $new_validation_sequence = array();
+ foreach ($form['#validate'] as $validate_function_name) {
+ if ($validate_function_name == 'user_login_authenticate_validate') {
+ if ($auth_conf->authenticationMode == LDAP_AUTHENTICATION_MIXED) {
+ // if mixed mode, allow drupal authentication first
+ $new_validation_sequence[] = 'user_login_authenticate_validate';
+ $new_validation_sequence[] = 'ldap_authentication_user_login_authenticate_validate';
+ }
+ elseif ($auth_conf->authenticationMode == LDAP_AUTHENTICATION_EXCLUSIVE) {
+ // see drupal.org/node/1009990 and drupal.org/node/1022362 change back when fixed.
+ $new_validation_sequence[] = 'user_login_authenticate_validate';
+ $new_validation_sequence[] = 'ldap_authentication_user_login_authenticate_validate';
+ }
+ else { // misconfigured ldap authentication, restore to original validation sequence
+ $new_validation_sequence[] = 'user_login_authenticate_validate';
+ }
+ }
+ else {
+ $new_validation_sequence[] = $validate_function_name;
+ }
+ }
+ $form['#validate'] = $new_validation_sequence;
+ }
+
+ if ($form_id == 'user_login_block') {
+ $user_register = variable_get('user_register', USER_REGISTER_VISITORS_ADMINISTRATIVE_APPROVAL);
+ $vars = array(
+ 'show_reset_pwd' => ldap_authentication_show_reset_pwd(),
+ 'auth_conf' => $auth_conf,
+ );
+
+ $form['links']['#markup'] = theme('ldap_authentication_user_login_block_links', $vars);
+ }
+ ldap_servers_disable_http_check($form);
+
+ // Add help information for entering in username/password
+ $auth_conf = ldap_authentication_get_valid_conf();
+ if ($auth_conf) {
+ if (isset($auth_conf->loginUIUsernameTxt)) {
+ $form['name']['#description'] = t($auth_conf->loginUIUsernameTxt);
+ }
+ if (isset($auth_conf->loginUIPasswordTxt)) {
+ $form['pass']['#description'] = t($auth_conf->loginUIPasswordTxt);
+ }
+ }
+}
+
+
+
+
+function _ldap_authentication_form_user_profile_form_alter(&$form, $form_state) {
+ // keep in mind admin may be editing another users profile form. don't assume current global $user
+ $auth_conf = ldap_authentication_get_valid_conf();
+ if ($auth_conf && ldap_authentication_ldap_authenticated($form['#user'])) {
+ if ($auth_conf->emailOption == LDAP_AUTHENTICATION_EMAIL_FIELD_REMOVE) {
+ $form['account']['mail']['#type'] = 'hidden';
+ }
+ elseif ($auth_conf->emailOption == LDAP_AUTHENTICATION_EMAIL_FIELD_DISABLE) {
+ $form['account']['mail']['#disabled'] = TRUE;
+ $form['account']['mail']['#description'] = t('This email address is automatically set and may not be changed.');
+ }
+
+ if (!ldap_authentication_show_reset_pwd($form['#user'])) {
+ $form['account']['current_pass']['#disabled'] = TRUE;
+ if ($auth_conf->ldapUserHelpLinkUrl) {
+ $form['account']['current_pass']['#description'] = l(t($auth_conf->ldapUserHelpLinkText), $auth_conf->ldapUserHelpLinkUrl);
+ }
+ else {
+ $form['account']['current_pass']['#description'] = t('The password cannot be changed using this website');
+ }
+ $form['account']['pass']['#disabled'] = TRUE;
+ }
+ }
+}
+
+
+/**
+ * user form validation will take care of username, pwd fields
+ *
+ * this may validate if the user exists in ldap in the case of using
+ * ldap authentication exclusively
+ */
+function _ldap_authentication_user_login_authenticate_validate(&$form_state) {
+
+ $detailed_watchdog_log = variable_get('ldap_help_watchdog_detail', 0);
+ $authname = $form_state['values']['name']; // $name = $form_state['values']['name']; // patch 1599632
+ $pass = $form_state['values']['pass'];
+
+ /*
+ * If a fake form state was passed into this function from
+ * _ldap_authentication_user_login_sso(), there will be a value outside of the
+ * form_state[values] array to let us know that we are not authenticating with
+ * a password, but instead just looking up a username/dn in LDAP since the web
+ * server already authenticated the user.
+ */
+ $sso_login = (isset($form_state['sso_login']) && $form_state['sso_login']) ? TRUE : FALSE;
+
+
+ $watchdog_tokens = array('%username' => $authname); // $watchdog_tokens = array('%username' => $name); // patch 1599632
+ if ($detailed_watchdog_log) {
+ watchdog('ldap_authentication', '%username : Beginning authentification....', $watchdog_tokens, WATCHDOG_DEBUG);
+ }
+
+ if (!$auth_conf = ldap_authentication_get_valid_conf()) {
+ watchdog('ldap_authentication', 'Failed to get valid ldap authentication configuration.', array(), WATCHDOG_ERROR);
+ form_set_error('name', 'Server Error: Failed to get valid ldap authentication configuration.' . $error);
+ return FALSE;
+ }
+
+ // if already succeeded at authentication, see if LDAP Exclusive is set
+ if (isset($form_state['uid']) && is_numeric($form_state['uid'])) {
+ if ($auth_conf->authenticationMode == LDAP_AUTHENTICATION_MIXED || $form_state['uid'] == 1) {
+ if ($detailed_watchdog_log) {
+ watchdog('ldap_authentication', '%username : Previously authenticated in mixed mode or uid=1', $watchdog_tokens, WATCHDOG_DEBUG);
+ }
+ return; // already passed previous authentication validation
+ }
+ elseif ($auth_conf->authenticationMode == LDAP_AUTHENTICATION_EXCLUSIVE) {
+ if ($detailed_watchdog_log) {
+ watchdog('ldap_authentication', '%username : Previously authenticated in exclusive mode or uid is not 1. Clear uid
+ in form_state and attempt ldap authentication.', $watchdog_tokens, WATCHDOG_DEBUG);
+ }
+ $form_state['uid'] = NULL; // passed previous authentication, but only ldap should be used
+ }
+ }
+
+ if (!count($auth_conf->servers)) {
+ watchdog('ldap_authentication', 'No LDAP servers configured.', array(), WATCHDOG_ERROR);
+ form_set_error('name', 'Server Error: No LDAP servers configured.');
+ }
+
+ if ($detailed_watchdog_log) {
+ watchdog('ldap_authentication', '%username : user_load_by_name(%username)', $watchdog_tokens, WATCHDOG_DEBUG);
+ }
+
+ if(!($account = user_load_by_name($authname))) {
+ $uid = db_query("SELECT uid FROM {authmap} WHERE authname = :authname AND module = 'ldap_authentication'", array(':authname' => $authname))->fetchColumn();
+ $account = $uid ? user_load($uid) : FALSE;
+ }
+
+ if (is_object($account)) {
+ if ($account->uid == 1) {
+ if ($detailed_watchdog_log) {
+ watchdog('ldap_authentication', '%username : Drupal username maps to user 1, so do not authenticate with ldap', $watchdog_tokens, WATCHDOG_DEBUG);
+ }
+ return FALSE; // user 1 must use drupal authentication
+ }
+ else {
+ $account_exists = TRUE;
+ $user_data = $account->data;
+ $authmaps = user_get_authmaps($authname); // $authmaps = user_get_authmaps($name); // patch 1599632
+ $ldap_authentication_authmap = isset($authmaps['ldap_authentication']);
+ $no_authmaps = (boolean)(count($authmaps));
+ if ($detailed_watchdog_log) {
+ watchdog('ldap_authentication', '%username : Drupal User Account found. Continuing on to attempt ldap authentication', $watchdog_tokens, WATCHDOG_DEBUG);
+ }
+ }
+ }
+ else { // account does not exist
+ $account_exists = FALSE;
+ if ($auth_conf->createLDAPAccounts == FALSE) {
+ if ($detailed_watchdog_log) {
+ watchdog('ldap_authentication', '%username : Drupal User Account not found and configuration is set to not create new accounts.', $watchdog_tokens, WATCHDOG_DEBUG);
+ }
+ }
+ if ($detailed_watchdog_log) {
+ watchdog('ldap_authentication', '%username : Existing Drupal User Account not found. Continuing on to attempt ldap authentication', $watchdog_tokens, WATCHDOG_DEBUG);
+ }
+ }
+
+ foreach ($auth_conf->servers as $sid => $ldap_server) {
+ $watchdog_tokens['%sid'] = $sid;
+ $watchdog_tokens['%bind_method'] = $ldap_server->bind_method;
+ if ($detailed_watchdog_log) {
+ watchdog('ldap_authentication', '%username : Trying server %sid where bind_method = %bind_method', $watchdog_tokens, WATCHDOG_DEBUG);
+ }
+
+ // #1 CONNECT TO SERVER
+ $authentication_result = LDAP_AUTHENTICATION_RESULT_FAIL_GENERIC;
+ $result = $ldap_server->connect();
+ if ($result != LDAP_SUCCESS) {
+ $authentication_result = LDAP_AUTHENTICATION_RESULT_FAIL_CONNECT;
+ $watchdog_tokens['%err_msg'] = $ldap_server->errorMsg('ldap');
+ if ($detailed_watchdog_log) {
+ watchdog('ldap_authentication', '%username : Failed connecting to %sid. Error: %err_msg', $watchdog_tokens, WATCHDOG_DEBUG);
+ }
+ $watchdog_tokens['%err_msg'] = NULL;
+ continue; // next server, please
+ }
+ elseif ($detailed_watchdog_log) {
+ watchdog('ldap_authentication', '%username : Success at connecting to %sid', $watchdog_tokens, WATCHDOG_DEBUG);
+ }
+
+ // #2 BIND TO SERVER
+ $bind_success = FALSE;
+ if ($ldap_server->bind_method == LDAP_SERVERS_BIND_METHOD_SERVICE_ACCT ||
+ $ldap_server->bind_method == LDAP_SERVERS_BIND_METHOD_ANON_USER
+ ) {
+ $bind_success = ($ldap_server->bind() == LDAP_SUCCESS);
+ }
+ elseif ($ldap_server->bind_method == LDAP_SERVERS_BIND_METHOD_ANON_USER) {
+ $bind_success = ($ldap_server->bind(NULL, NULL, TRUE) == LDAP_SUCCESS);
+ }
+ elseif ($sso_login) {
+ watchdog('ldap_authentication', 'Trying to use SSO with LDAP_SERVERS_BIND_METHOD_USER bind method.', $watchdog_tokens, WATCHDOG_ERROR);
+ }
+ elseif ($ldap_server->bind_method == LDAP_SERVERS_BIND_METHOD_USER && $sso_login == FALSE) {
+ // with sso enabled this method of binding isn't valid
+ foreach ($ldap_server->basedn as $basedn) {
+ $search = array('%basedn', '%username');
+ $transformname = $ldap_server->drupalToLdapNameTransform($authname, $watchdog_tokens);
+ $replace = array($basedn, $transformname);
+ $userdn = str_replace($search, $replace, $ldap_server->user_dn_expression);
+ $bind_success = ($ldap_server->bind($userdn, $pass) == LDAP_SUCCESS);
+ if ($bind_success) {
+ break;
+ }
+ }
+ }
+ else {
+ watchdog('ldap_authentication', 'No bind method set in ldap_server->bind_method in _ldap_authentication_user_login_authenticate_validate.', $watchdog_tokens, WATCHDOG_ERROR);
+ }
+
+ if (!$bind_success) {
+ if ($detailed_watchdog_log) {
+ $watchdog_tokens['%err_text'] = $ldap_server->errorMsg('ldap');
+ watchdog('ldap_authentication', '%username : Trying server %sid where bind_method = %bind_method. Error: %err_text', $watchdog_tokens, WATCHDOG_DEBUG);
+ $watchdog_tokens['%err_text'] = NULL;
+ }
+ $authentication_result = ($ldap_server->bind_method == LDAP_SERVERS_BIND_METHOD_USER) ? LDAP_AUTHENTICATION_RESULT_FAIL_CREDENTIALS : LDAP_AUTHENTICATION_RESULT_FAIL_BIND;
+ continue; // if bind fails, onto next server
+ }
+
+ // #3 DOES USER EXIST IN SERVER'S LDAP
+ if ($ldap_server->bind_method == LDAP_SERVERS_BIND_METHOD_ANON_USER) {
+ $ldap_user = $ldap_server->user_lookup($authname);
+ }
+ elseif ($sso_login) {
+ $ldap_user = $ldap_server->user_lookup($authname);
+ if ($detailed_watchdog_log) {
+ $watchdog_tokens['%result'] = var_export($result, TRUE);
+ watchdog('ldap_authentication', '%username : attempting single sign-on
+ login in bind_method of LDAP_SERVERS_BIND_METHOD_USER. Result of
+ user_lookup: <pre>%result</pre>', $watchdog_tokens, WATCHDOG_DEBUG);
+ }
+ }
+ else {
+ $ldap_user = $ldap_server->user_lookup($authname);
+ }
+
+ if (!$ldap_user) {
+ if ($detailed_watchdog_log) {
+ $watchdog_tokens['%err_text'] = $ldap_server->errorMsg('ldap');
+ watchdog('ldap_authentication', '%username : Trying server %sid where bind_method = %bind_method. Error: %err_text', $watchdog_tokens, WATCHDOG_DEBUG);
+ $watchdog_tokens['%err_text'] = NULL;
+ }
+ if ($ldap_server->ldapErrorNumber()) {
+ $authentication_result = LDAP_AUTHENTICATION_RESULT_FAIL_SERVER;
+ break;
+ }
+ $authentication_result = LDAP_AUTHENTICATION_RESULT_FAIL_FIND;
+ continue; // next server, please
+ }
+
+ $watchdog_tokens['%dn'] = $ldap_user['dn'];
+ $watchdog_tokens['%mail'] = $ldap_user['mail'];
+
+ /**
+ * #4 CHECK ALLOWED AND EXCLUDED LIST AND PHP FOR ALLOWED USERS
+ */
+ $allow = $auth_conf->allowUser($authname, $ldap_user);
+ if (!$allow) {
+ $authentication_result = LDAP_AUTHENTICATION_RESULT_FAIL_DISALLOWED;
+ break; // regardless of how many servers, disallowed user fails
+ }
+
+ /**
+ * #5 TEST PASSWORD
+ */
+ $credentials_pass = FALSE;
+ if ($sso_login) {
+ /** If we have $sso_login passed in as true from the fake form state in
+ * passed from _ldap_authentication_user_login_sso(), we will be relying
+ * on the webserver for actually authenticating the user, either by NTLM
+ * or user/password if configured as a fallback. Since the webserver has
+ * already authenticated the user, and the web server only contains the
+ * user's LDAP user name, instead of binding on the username/pass, we
+ * simply look up the user's account in LDAP, and make sure it matches
+ * what is contained in the global $_SERVER array populated by the web
+ * server authentication.
+ */
+ $credentials_pass = (boolean)($ldap_user);
+ }
+ else {
+ $credentials_pass = ($ldap_server->bind($ldap_user['dn'], $pass) == LDAP_SUCCESS);
+ }
+ if (!$credentials_pass) {
+ if ($detailed_watchdog_log) {
+ $watchdog_tokens['%err_text'] = $ldap_server->errorMsg('ldap');
+ watchdog('ldap_authentication', '%username : Testing user credentials on server %sid where bind_method = %bind_method. Error: %err_text', $watchdog_tokens, WATCHDOG_DEBUG);
+ $watchdog_tokens['%err_text'] = NULL;
+ }
+ $authentication_result = LDAP_AUTHENTICATION_RESULT_FAIL_CREDENTIALS;
+ continue; // next server, please
+ }
+ else {
+ $authentication_result = LDAP_AUTHENTICATION_RESULT_SUCCESS;
+ if ($ldap_server->bind_method == LDAP_SERVERS_BIND_METHOD_ANON_USER) {
+ $ldap_user = $ldap_server->user_lookup($authname); // after successful bind, lookup user again to get private attributes
+ $watchdog_tokens['%mail'] = $ldap_user['mail'];
+ }
+ if ($ldap_server->account_name_attr != '') {
+ $accountname = $ldap_user['attr'][$ldap_server->account_name_attr][0];
+ }
+ else {
+ $accountname = $authname;
+ }
+ $watchdog_tokens['%account_name_attr'] = $accountname;
+ break; //success
+ }
+
+ if ($ldap_server->bind_method == LDAP_SERVERS_BIND_METHOD_SERVICE_ACCT ||
+ $ldap_server->bind_method == LDAP_SERVERS_BIND_METHOD_ANON_USER) {
+ $ldap_server->disconnect();
+ }
+
+ } // end loop through servers
+
+
+
+
+
+ $watchdog_tokens['%result'] = $result;
+ $watchdog_tokens['%auth_result'] = $authentication_result;
+ $watchdog_tokens['%err_text'] = _ldap_authentication_err_text($authentication_result) ;
+ if ($detailed_watchdog_log) {
+ watchdog('ldap_authentication', '%username : Authentication result id=%result auth_result=%auth_result (%err_text)', $watchdog_tokens, WATCHDOG_DEBUG);
+ }
+
+ if ($authentication_result != LDAP_AUTHENTICATION_RESULT_SUCCESS) {
+ $watchdog_tokens['%err_text'] = _ldap_authentication_err_text($authentication_result);
+ // fail scenario 1. ldap auth exclusive and failed throw error
+ if ($auth_conf->authenticationMode == LDAP_AUTHENTICATION_EXCLUSIVE) {
+ if ($detailed_watchdog_log) {
+ watchdog('ldap_authentication', '%username : setting error because failed at ldap and
+ LDAP_AUTHENTICATION_EXCLUSIVE is set to true. So need to stop authentication of Drupal user that is not user 1.
+ error message: %err_text', $watchdog_tokens, WATCHDOG_DEBUG);
+ }
+ form_set_error('name', $watchdog_tokens['%err_text']);
+ }
+ else {
+ // fail scenario 2. simply fails ldap. return false.
+ // don't show user message, may be using other authentication after this that may succeed.
+ if ($detailed_watchdog_log) {
+ watchdog('ldap_authentication',
+ '%username : Failed ldap authentication.
+ User may have authenticated successfully by other means in a mixed authentication site.
+ LDAP Authentication Error #: %auth_result error message: %err_text',
+ $watchdog_tokens,
+ WATCHDOG_DEBUG
+ );
+ }
+ }
+ return FALSE;
+ }
+
+ /**
+ * case 1: previously drupal authenticated user authenticated successfully on ldap
+ *
+ */
+ if (!$account_exists && ($account = user_load_by_name($accountname))) {
+ user_set_authmaps($account, array('authname_ldap_authentication' => $authname));
+ $account_exists = TRUE;
+ }
+ if (!$account_exists) {
+ if ($account_with_same_email = user_load_by_mail($ldap_user['mail'])) {
+ /**
+ * username does not exist but email does. Since user_external_login_register does not deal with
+ * mail attribute and the email conflict error needs to be caught beforehand, need to throw error here
+ */
+ $watchdog_tokens['%duplicate_name'] = $account_with_same_email->name;
+ watchdog('ldap_authentication', 'LDAP user with DN %dn has email address
+ (%mail) conflict with a drupal user %duplicate_name', $watchdog_tokens, WATCHDOG_ERROR);
+ drupal_set_message(t('Another user already exists in the system with the same email address. You should contact the system administrator in order to solve this conflict.'), 'error');
+ return FALSE;
+
+ }
+ /**
+ *
+ * new ldap_authentication provisioned account could let user_external_login_register create the account and set authmaps, but would need
+ * to add mail and any other user->data data in hook_user_presave which would mean requerying ldap
+ * or having a global variable. At this point the account does not exist, so there is no
+ * reason not to create it here.
+ *
+ * @todo create patch for user_external_login_register to deal with new external accounts
+ * a little tweak to add user->data and mail etc as parameters would make it more useful
+ * for external authentication modules
+ */
+ ldap_server_module_load_include('inc', 'ldap_servers', 'ldap_servers.functions');
+
+
+ $account = ldap_create_drupal_account($authname, $accountname, $ldap_user['mail'], $ldap_user['dn'], $sid);
+ if ($account === FALSE) {
+ // need to throw error that account was not created
+ }
+
+
+ }
+ else { // account already exists
+ if ($ldap_authentication_authmap == FALSE) { // LDAP_authen.AC.disallow.ldap.drupal
+ if ($auth_conf->loginConflictResolve == LDAP_AUTHENTICATION_CONFLICT_LOG) {
+ $watchdog_tokens['%conflict_name'] = $account_with_same_email->name;
+ watchdog('ldap_authentication', 'LDAP user with DN %dn has a naming conflict with a local drupal user %conflict_name', $watchdog_tokens, WATCHDOG_ERROR);
+ drupal_set_message(t('Another user already exists in the system with the same login name. You should contact the system administrator in order to solve this conflict.'), 'error');
+ return FALSE;
+ }
+ else { // LDAP_authen.AC.disallow.ldap.drupal
+ // add ldap_authentication authmap to user. account name is fine here, though cn could be used
+ user_set_authmaps($account, array('authname_ldap_authentication' => $authname));
+ if ($detailed_watchdog_log) {
+ watchdog('ldap_authentication', 'set authmap for %username authname_ldap_authentication', $watchdog_tokens, WATCHDOG_DEBUG);
+ }
+ }
+ }
+
+ if ($account->mail != $ldap_user['mail'] && (
+ $auth_conf->emailUpdate == LDAP_AUTHENTICATION_EMAIL_UPDATE_ON_LDAP_CHANGE_ENABLE_NOTIFY ||
+ $auth_conf->emailUpdate == LDAP_AUTHENTICATION_EMAIL_UPDATE_ON_LDAP_CHANGE_ENABLE
+ )) {
+ $edit = array('mail' => $ldap_user['mail']);
+ if (!$updated_account = user_save($account, $edit)) {
+ $watchdog_tokens = array('%username' => $account->name, '%old' => $account->mail, '%new' => $ldap_user['mail']);
+ watchdog('ldap_authentication', 'User e-mail for %username update from %old to %new failed because of system problems.', $watchdog_tokens, WATCHDOG_ERROR);
+ }
+ elseif ($auth_conf->emailUpdate == LDAP_AUTHENTICATION_EMAIL_UPDATE_ON_LDAP_CHANGE_ENABLE_NOTIFY ) {
+ $message_tokens = array('@mail' => $ldap_user['mail']);
+ drupal_set_message(t('Your e-mail has been updated to match your LDAP account (@mail).', $message_tokens), 'status');
+ }
+ }
+ }
+
+ /**
+ * we now have valid, ldap authenticated username with an account authmapped to ldap_authentication.
+ * since user_external_login_register can't deal with user mail attribute and doesn't do much else, it is not
+ * being used here.
+ */
+
+
+ /**
+ * without doing the user_login_submit,
+ * [#1009990]
+ *
+ */
+ $fake_form_state = array('uid' => $account->uid);
+ user_login_submit(array(), $fake_form_state);
+ global $user;
+ $form_state['uid'] = $user->uid;
+ return $user;
+
+}
+
+
+
+function _ldap_authentication_err_text($error) {
+
+ $msg = t('unknown error: ' . $error);
+ switch ($error) {
+ case LDAP_AUTHENTICATION_RESULT_FAIL_CONNECT:
+ $msg = "Failed to connect to ldap server";
+ break;
+
+ case LDAP_AUTHENTICATION_RESULT_FAIL_BIND:
+ $msg = "Failed to bind to ldap server";
+ break;
+
+ case LDAP_AUTHENTICATION_RESULT_FAIL_FIND:
+ $msg = t('Sorry, unrecognized username or password.');
+ break;
+
+ case LDAP_AUTHENTICATION_RESULT_FAIL_DISALLOWED:
+ $msg = "User disallowed";
+ break;
+
+ case LDAP_AUTHENTICATION_RESULT_FAIL_CREDENTIALS:
+ $msg = t('Sorry, unrecognized username or password.');
+ break;
+
+ case LDAP_AUTHENTICATION_RESULT_FAIL_GENERIC:
+ $msg = t('Sorry, unrecognized username or password.');
+ break;
+
+ case LDAP_AUTHENTICATION_RESULT_FAIL_SERVER:
+ $msg = t('Authentication Server or Configuration Error.');
+ break;
+
+ }
+
+ return $msg;
+}
+
+function ldap_authentication_redirect_to_ldap_help() {
+
+ if ($auth_conf = ldap_authentication_get_valid_conf() && $auth_conf->ldapUserHelpLinkUrl) {
+ drupal_goto($auth_conf->ldapUserHelpLinkUrl);
+ }
+ else {
+ return "Misconfigured LDAP Help Link";
+ }
+
+}
diff --git a/kolab.org/www/drupal-7.15/sites/all/modules/ldap/ldap_authentication/ldap_authentication.info b/kolab.org/www/drupal-7.15/sites/all/modules/ldap/ldap_authentication/ldap_authentication.info
new file mode 100644
index 0000000..76234bb
--- /dev/null
+++ b/kolab.org/www/drupal-7.15/sites/all/modules/ldap/ldap_authentication/ldap_authentication.info
@@ -0,0 +1,22 @@
+name = LDAP Authentication
+description = "Implements LDAP authentication"
+package = "Lightweight Directory Access Protocol"
+dependencies[] = ldap_servers
+core = 7.x
+configure = admin/config/people/ldap/authentication
+files[] = LdapAuthenticationConf.class.php
+files[] = LdapAuthenticationConfAdmin.class.php
+
+files[] = ldap_authentication.module
+files[] = ldap_authentication.install
+files[] = ldap_authentication.inc
+files[] = ldap_authentication.theme.inc
+files[] = ldap_authentication.admin.inc
+files[] = tests/ldap_authentication.test
+
+; Information added by drupal.org packaging script on 2012-06-14
+version = "7.x-1.0-beta11"
+core = "7.x"
+project = "ldap"
+datestamp = "1339643179"
+
diff --git a/kolab.org/www/drupal-7.15/sites/all/modules/ldap/ldap_authentication/ldap_authentication.install b/kolab.org/www/drupal-7.15/sites/all/modules/ldap/ldap_authentication/ldap_authentication.install
new file mode 100644
index 0000000..23e0fcf
--- /dev/null
+++ b/kolab.org/www/drupal-7.15/sites/all/modules/ldap/ldap_authentication/ldap_authentication.install
@@ -0,0 +1,110 @@
+<?php
+// $Id: ldap_authentication.install,v 1.1.4.2 2011/02/08 06:01:00 johnbarclay Exp $
+
+/**
+ * @file
+ * Install, update and uninstall functions for the LDAP authentication module.
+ */
+
+
+/**
+ * Implements hook_requirements().
+ */
+function ldap_authentication_requirements($phase) {
+ $requirements = array();
+ if ($phase != "install" && db_table_exists('ldapauth')) {
+
+ $requirements['ldap_authentication_ldap_integration']['title'] = t('LDAP Integration LDAP Auth Upgrade Concern');
+ $requirements['ldap_authentication_ldap_integration']['severity'] = REQUIREMENT_WARNING;
+ $requirements['ldap_authentication_ldap_integration']['value'] = NULL;
+ $requirements['ldap_authentication_ldap_integration']['description'] = t('Upgrade from Drupal 6 LDAP Auth to Drupal 7
+ LDAP Authentication is not automatic. LDAP Authentication will need to be configured by hand.
+ Some harmless data will remain in the user.data field in the user table. Records in
+ the authmap table will cause conflicts and should be removed or changed to ldap_authentication
+ as the module (see http://drupal.org/node/1183192).
+ See http://drupal.org/node/1023016, http://drupal.org/node/1183192.
+ This message will go away when the ldapauth database table is removed.');
+ }
+ // check that ldapauth not installed.
+ return $requirements;
+}
+
+/**
+ * Implements hook_install().
+ */
+function ldap_authentication_install() {
+}
+
+/**
+ * Implements hook_uninstall().
+ */
+function ldap_authentication_uninstall() {
+ //$result = db_query('DELETE FROM {variables} WHERE name like "ldap_authentication_%"');
+ variable_del('ldap_authentication_conf');
+}
+
+/**
+ * just notes and psuedo code for now. need a place to keep track
+ * of what a cross grade function would do
+ */
+
+
+/**
+ * ldap_authentication and ldap_sso. enable ldap_sso if sso was enabled in ldap_authentication previously
+ */
+function ldap_authentication_update_7100() {
+ // if sso is enabled in ldap authentication, enable module ldap_sso
+ module_load_include('inc', 'ldap_servers','ldap_servers.functions');
+ ldap_server_module_load_include('php', 'ldap_authentication', 'LdapAuthenticationConfAdmin.class');
+ $sso_enabled = LdapAuthenticationConfAdmin::getSaveableProperty('ssoEnabled');
+ if ($sso_enabled) {
+ module_enable(array('ldap_sso'));
+ return t('Enabled new LDAP SSO module if Single Sign on was previously enabled. Code for LDAP Single Sign On was moved to new "LDAP SSO" included module.');
+ }
+}
+
+
+function ldap_authentication_ldap_integration6_to_ldap7() {
+
+ // fix authmaps
+ // UPDATE {authmap} SET module = 'ldap_authentication' WHERE module = 'ldapauth'
+
+ // load all users and setup user data array
+
+/**
+ * CREATE TABLE `ldapauth` (
+ `sid` TINYINT(4) NOT NULL AUTO_INCREMENT,
+ `name` VARCHAR(255) NOT NULL,
+ `status` TINYINT(4) NOT NULL DEFAULT '0',
+ `server` VARCHAR(255) NOT NULL,
+ `port` INT(11) NOT NULL DEFAULT '389',
+ `tls` TINYINT(4) NOT NULL DEFAULT '0',
+ `encrypted` TINYINT(4) NOT NULL DEFAULT '0',
+ `basedn` TEXT NULL,
+ `user_attr` VARCHAR(255) NULL DEFAULT NULL,
+ `mail_attr` VARCHAR(255) NULL DEFAULT NULL,
+ `binddn` VARCHAR(255) NULL DEFAULT NULL,
+ `bindpw` VARCHAR(255) NULL DEFAULT NULL,
+ `login_php` TEXT NULL,
+ `filter_php` TEXT NULL,
+ `weight` INT(11) NOT NULL DEFAULT '0',
+ `ldapgroups_in_dn` TINYINT(4) NOT NULL DEFAULT '0',
+ `ldapgroups_dn_attribute` VARCHAR(255) NULL DEFAULT NULL,
+ `ldapgroups_attr` VARCHAR(255) NULL DEFAULT NULL,
+ `ldapgroups_in_attr` TINYINT(4) NOT NULL DEFAULT '0',
+ `ldapgroups_as_entries` TINYINT(4) NOT NULL DEFAULT '0',
+ `ldapgroups_entries` TEXT NULL,
+ `ldapgroups_entries_attribute` VARCHAR(255) NULL DEFAULT NULL,
+ `ldapgroups_mappings` TEXT NULL,
+ `ldapgroups_mappings_filter` TINYINT(4) NOT NULL DEFAULT '0',
+ `ldapgroups_filter_php` TEXT NULL,
+ `ldapgroups_groups` TEXT NULL,
+ PRIMARY KEY (`name`),
+ INDEX `sid` (`sid`)
+)
+COLLATE='utf8_general_ci'
+ENGINE=InnoDB
+ROW_FORMAT=DEFAULT
+AUTO_INCREMENT=2
+ */
+}
diff --git a/kolab.org/www/drupal-7.15/sites/all/modules/ldap/ldap_authentication/ldap_authentication.module b/kolab.org/www/drupal-7.15/sites/all/modules/ldap/ldap_authentication/ldap_authentication.module
new file mode 100644
index 0000000..fb60fac
--- /dev/null
+++ b/kolab.org/www/drupal-7.15/sites/all/modules/ldap/ldap_authentication/ldap_authentication.module
@@ -0,0 +1,412 @@
+<?php
+// $Id: ldap_authentication.module,v 1.1.4.3 2011/02/08 20:05:41 johnbarclay Exp $
+
+/**
+ * @file
+ * This module injects itself into Drupal's Authentication stack.
+ */
+
+/**
+ * @todo fix advanced help for ../ldap/authentication settings page
+ *
+ */
+define('LDAP_AUTHENTICATION_PROJECT_TAG', 'ldap');
+
+define('LDAP_AUTHENTICATION_MIXED', 1);
+define('LDAP_AUTHENTICATION_EXCLUSIVE', 2);
+define('LDAP_AUTHENTICATION_MODE_DEFAULT', 1);
+
+define('LDAP_AUTHENTICATION_EXCL_IF_NO_AUTHZ_DEFAULT', 0);
+define('LDAP_AUTHENTICATION_CONFLICT_LOG', 1);
+define('LDAP_AUTHENTICATION_CONFLICT_RESOLVE', 2);
+define('LDAP_AUTHENTICATION_CONFLICT_RESOLVE_DEFAULT', 2);
+
+define('LDAP_AUTHENTICATION_EMAIL_UPDATE_ON_LDAP_CHANGE_ENABLE_NOTIFY', 1);
+define('LDAP_AUTHENTICATION_EMAIL_UPDATE_ON_LDAP_CHANGE_ENABLE', 2);
+define('LDAP_AUTHENTICATION_EMAIL_UPDATE_ON_LDAP_CHANGE_DISABLE', 3);
+define('LDAP_AUTHENTICATION_EMAIL_UPDATE_ON_LDAP_CHANGE_DEFAULT', 1);
+
+define('LDAP_AUTHENTICATION_EMAIL_ALLOW_DRUPAL_EMAIL', 1);
+define('LDAP_AUTHENTICATION_EMAIL_FIELD_REMOVE', 2);
+define('LDAP_AUTHENTICATION_EMAIL_FIELD_DISABLE', 3);
+define('LDAP_AUTHENTICATION_EMAIL_FIELD_DEFAULT', 3);
+
+define('LDAP_AUTHENTICATION_RESULT_FAIL_CONNECT', 1);
+define('LDAP_AUTHENTICATION_RESULT_FAIL_BIND', 2);
+define('LDAP_AUTHENTICATION_RESULT_FAIL_FIND', 3);
+define('LDAP_AUTHENTICATION_RESULT_FAIL_DISALLOWED', 4);
+define('LDAP_AUTHENTICATION_RESULT_FAIL_CREDENTIALS', 5);
+define('LDAP_AUTHENTICATION_RESULT_SUCCESS', 6);
+define('LDAP_AUTHENTICATION_RESULT_FAIL_GENERIC', 7);
+define('LDAP_AUTHENTICATION_RESULT_FAIL_SERVER' , 8);
+
+define('LDAP_AUTHENTICATION_ACCT_CREATION_DEFAULT', 4);
+define('LDAP_AUTHENTICATION_ACCT_CREATION_USER_SETTINGS_FOR_LDAP', 1);
+define('LDAP_AUTHENTICATION_ACCT_CREATION_LDAP_BEHAVIOR', 4);
+
+define('LDAP_AUTHENTICATION_HELP_LINK_TEXT_DEFAULT', 'Logon Help');
+
+define('LDAP_AUTHENTICATION_DISABLED_FOR_BAD_CONF_MSG' , 'The site logon is currently not working due to a configuration error. Please see logs for additional details.');
+define('LDAP_AUTHENTICATION_COOKIE_EXPIRE', 0);
+
+/**
+ * Implements hook_menu().
+ */
+function ldap_authentication_menu() {
+ $items = array();
+
+ $items['admin/config/people/ldap/authentication'] = array(
+ 'title' => 'Authentication',
+ 'description' => 'Configure LDAP Authentication',
+ 'page callback' => 'drupal_get_form',
+ 'page arguments' => array('ldap_authentication_admin_form'),
+ 'access arguments' => array('administer site configuration'),
+ 'type' => MENU_LOCAL_TASK,
+ 'weight' => 2,
+ 'file' => 'ldap_authentication.admin.inc',
+ );
+
+ return $items;
+}
+
+ /**
+ * Implements hook_menu_alter().
+ * since menu items are cached, only useful to add or alter callbacks
+ * for ldap authentication driven menu items.
+ *
+ */
+function ldap_authentication_menu_alter(&$items) {
+ ldap_server_module_load_include('inc', 'ldap_authentication', 'ldap_authentication');
+ $items['user/password']['access callback'] = 'ldap_authentication_show_reset_pwd';
+ $auth_conf = ldap_authentication_get_valid_conf();
+ if (@$auth_conf->ldapUserHelpLinkUrl) {
+ $items['user/ldaphelp'] = array(
+ 'title' => $auth_conf->ldapUserHelpLinkText,
+ 'page callback' => 'drupal_goto',
+ 'page arguments' => array($auth_conf->ldapUserHelpLinkUrl),
+ 'access callback' => 'ldap_authentication_show_ldap_help_link',
+ 'type' => MENU_LOCAL_TASK,
+ );
+ }
+}
+
+
+function ldap_authentication_theme() {
+ return array(
+ 'ldap_authentication_user_login_block_links' => array(
+ 'variables' => array('ldap_user_help_link' => NULL, 'user_register' => TRUE),
+ 'render element' => 'element',
+ 'file' => 'ldap_authentication.theme.inc'
+ ),
+ 'ldap_authentication_user_pass_message' => array(
+ 'variables' => array('show_reset_pwd' => NULL, 'auth_conf' => TRUE),
+ 'render element' => 'element',
+ 'file' => 'ldap_authentication.theme.inc'
+ ),
+ 'ldap_authentication_user_pass_validate_ldap_authenticated' => array(
+ 'variables' => array('account' => NULL, 'auth_conf' => TRUE),
+ 'render element' => 'element',
+ 'file' => 'ldap_authentication.theme.inc'
+ ),
+ 'ldap_authentication_login_message' => array(
+ 'render element' => 'element',
+ 'variables' => array('message' => NULL),
+ 'file' => 'ldap_authentication.theme.inc'
+ ),
+ 'ldap_authentication_message_not_found' => array(
+ 'render element' => 'element',
+ 'variables' => array('message' => NULL),
+ 'file' => 'ldap_authentication.theme.inc'
+ ),
+ 'ldap_authentication_message_not_authenticated' => array(
+ 'render element' => 'element',
+ 'variables' => array('message' => NULL),
+ 'file' => 'ldap_authentication.theme.inc'
+ ),
+ );
+}
+
+
+/**
+ * Implements hook_help().
+ */
+
+function ldap_authentication_help($path, $arg) {
+
+ $authentication_help = t('LDAP authentication allows authentication against an LDAP server. It
+ may be used alongside other authentication means such as built in drupal authentication,
+ open id, etc. More detailed help is available on drupal.org at !helplink.',
+ array(
+ '!helplink' => l(LDAP_SERVERS_DRUPAL_HELP_URL, LDAP_SERVERS_DRUPAL_HELP_URL),
+ ));
+
+ switch ($path) {
+ case 'admin/config/people/ldap/authentication':
+ $output = '<p>' . $authentication_help . '</p>';
+ return $output;
+
+ case 'admin/help#ldap_authentication':
+ $output = '<p>' . $authentication_help . '</p>';
+ return $output;
+ }
+}
+
+/**
+ * Implements hook_info().
+ */
+function ldap_authentication_info($field = 0) {
+ $info['name']= 'ldap_authentication';
+ $info['protocol'] = 'LDAP';
+
+ if ($field) {
+ return $info[$field];
+ }
+
+ return $info;
+}
+
+
+/**
+ *
+ * @param object $user
+ * @return boolean
+ * true if user is recorded as ldap authenticated and identified (ldap_authentified)
+ *
+ * notes to developers
+ * - make user object explicit for clarity; don't default to current user as admins could be editing profile pages
+ * - don't use $user->data['ldap_authentified'] as it is geared toward ldap_authentication data, not where the user is currently ldap authenticated
+ * -
+ */
+function ldap_authentication_ldap_authenticated($user) {
+
+ if (is_numeric($user)) {
+ $user = @user_load((int)$user);
+ }
+ if (!is_object($user) || $user->uid == 0) {
+ return FALSE;
+ }
+
+ $authmaps = db_query("SELECT module, authname FROM {authmap} WHERE uid = :uid", array(':uid' => $user->uid))->fetchAllKeyed();
+ return isset($authmaps['ldap_authentication']);
+
+}
+
+/**
+ * A user access callback for using the single sign-on URL, denying access to
+ * authenticated users, and granting access to anonymous users and menu
+ * administrators viewing the menu item.
+ *
+ */
+function _ldap_authentication_user_access() {
+ return (boolean)(!$GLOBALS['user']->uid || !empty($GLOBALS['menu_admin']));
+}
+
+
+
+/**
+ * get LdapAuthenticationConf object
+ *
+ * @return object LdapAuthenticationConf object if configured, otherwise FALSE
+ *
+ */
+
+function ldap_authentication_get_valid_conf() {
+
+ static $auth_conf;
+ if (is_object($auth_conf)) {
+ return $auth_conf;
+ }
+ ldap_server_module_load_include('php', 'ldap_authentication', 'LdapAuthenticationConf.class');
+
+ $auth_conf = new LdapAuthenticationConf();
+ return ($auth_conf->inDatabase) ? $auth_conf : FALSE;
+
+}
+
+/**
+ * Implements hook_ldap_ldap_server_in_use().
+ */
+function ldap_authentication_ldap_server_in_use($sid, $server_name) {
+
+ $use_warnings = array();
+ $auth_conf = ldap_authentication_get_valid_conf();
+ if (in_array($sid, array_keys($auth_conf->sids)) && $auth_conf->sids[$sid] == 1) {
+ $use_warnings[] = t('This server (%server_name) may not be deleted or
+ disabled because it is being used for ldap authentication.',
+ array('%server_name' => $server_name));
+ }
+ return $use_warnings;
+}
+
+function ldap_authentication_show_reset_pwd($user = NULL) {
+
+ if (!$user) {
+ global $user;
+ }
+ $auth_conf = ldap_authentication_get_valid_conf();
+ if (current_path() == 'user/password' || $user->uid == 1 || !$auth_conf) {
+ return TRUE;
+ // always show at user/passwordurl. otherwise user 1 will not be able to reset password.
+ // LDAP_authen.login_forms.MM.user1, LDAP_authen.login_forms.EM.user1
+ }
+
+ if ($user->uid == 0) {
+ // hide reset password for anonymous users if ldap only authentication, otherwise show
+ // LDAP_authen.login_forms.MM.anon, LDAP_authen.login_forms.EM.anon
+ return ($auth_conf->authenticationMode != LDAP_AUTHENTICATION_EXCLUSIVE);
+ }
+ else {
+ // authenticated user. hide if ldap authenticated otherwise show.
+ // LDAP_authen.login_forms.EM.ldap, LDAP_authen.login_forms.EM.drupal,
+ // LDAP_authen.login_forms.MM.drupal, LDAP_authen.login_forms.MM.ldap
+ return (!ldap_authentication_ldap_authenticated($user));
+ }
+
+}
+
+
+/**
+ * Implements hook_form_FORM_ID_alter().
+ */
+
+function ldap_authentication_form_user_pass_alter(&$form, $form_state) {
+ // the following could be in a theme preproces function
+ $auth_conf = ldap_authentication_get_valid_conf();
+ $form['ldap_warning'] = array(
+ '#type' => 'item',
+ '#markup' => theme('ldap_authentication_user_pass_message', array('auth_conf' => $auth_conf)),
+ '#weight' => 10,
+ );
+
+ // need to insert before user_pass_validate
+ array_unshift($form['#validate'], 'ldap_authentication_user_pass_validate');
+}
+
+
+function ldap_authentication_user_pass_validate(&$form_state) {
+ $name_or_mail = trim($form_state['name']['#value']);
+ if ($account = user_load_by_mail($name_or_mail)) {
+
+ }
+ else {
+ $account = user_load_by_name($name_or_mail);
+ }
+
+ if (ldap_authentication_ldap_authenticated($account)) {
+ $vars = array(
+ 'account' => $account,
+ 'auth_conf' => ldap_authentication_get_valid_conf(),
+ );
+ form_set_error('name', theme('ldap_authentication_user_pass_validate_ldap_authenticated', $vars));
+ }
+}
+/**
+ * Implements hook_form_FORM_ID_alter().
+ */
+
+function ldap_authentication_form_user_register_alter(&$form, $form_state) {
+
+}
+
+/**
+ * Implements hook_form_FORM_ID_alter(). for user_profile_form
+ */
+function ldap_authentication_form_user_profile_form_alter(&$form, $form_state) {
+ ldap_server_module_load_include('inc', 'ldap_authentication', 'ldap_authentication');
+ _ldap_authentication_form_user_profile_form_alter($form, $form_state, 'user_login');
+
+}
+
+
+/**
+ * Implements hook_form_FORM_ID_alter(). for user_login
+ */
+function ldap_authentication_form_user_login_alter(&$form, &$form_state) {
+ ldap_server_module_load_include('inc', 'ldap_authentication', 'ldap_authentication');
+ _ldap_authentication_login_form_alter($form, $form_state, 'user_login');
+
+}
+
+/**
+ * Implements hook_form_FORM_ID_alter(). for user_login_block
+ */
+function ldap_authentication_form_user_login_block_alter(&$form, &$form_state) {
+ ldap_server_module_load_include('inc', 'ldap_authentication', 'ldap_authentication');
+ _ldap_authentication_login_form_alter($form, $form_state, 'user_login_block');
+
+}
+
+/**
+ * validate function for user logon forms.
+ */
+function ldap_authentication_user_login_authenticate_validate($form, &$form_state) {
+ ldap_server_module_load_include('inc', 'ldap_authentication', 'ldap_authentication');
+ return _ldap_authentication_user_login_authenticate_validate($form_state);
+}
+
+/**
+ * submit function for user logon forms
+ */
+function ldap_authentication_login_form_submit(&$form, $form_state) {
+ ldap_server_module_load_include('inc', 'ldap_authentication', 'ldap_authentication');
+ _ldap_authentication_login_form_submit($form, $form_state);
+
+}
+
+
+/**
+ * Implements hook_user_presave().
+ * A user account is about to be created or updated.
+ */
+
+function ldap_authentication_user_presave(&$edit, $account, $category = NULL) {
+
+}
+
+
+/**
+ * Implements hook_user_insert().
+ *
+ * A user account was created.
+ * The module should save its custom additions to the user object into the database.
+ */
+
+function ldap_authentication_user_insert(&$edit, $account, $category) {
+
+}
+
+
+/**
+ * Implements hook_user_update().
+ *
+ * A user account was updated.
+ * Modules may use this hook to update their user data in a custom storage after a user account has been updated.
+ */
+
+
+function ldap_authentication_user_update($edit, $user, $category) {
+
+}
+
+function ldap_authentication_show_ldap_help_link($user = NULL) {
+ global $user;
+
+ if (!$auth_conf = ldap_authentication_get_valid_conf()) {
+ return FALSE;
+ }
+
+ if ($auth_conf->authenticationMode == LDAP_AUTHENTICATION_MIXED) {
+ return (ldap_authentication_ldap_authenticated($user));
+ // LDAP_authen.login_forms.MM.* // show ldap help only if ldap authenticated in mixed mode
+
+ }
+ elseif ($auth_conf->authenticationMode == LDAP_AUTHENTICATION_EXCLUSIVE) {
+ if ($user->uid == 0 || ldap_authentication_ldap_authenticated($user)) {
+ // LDAP_authen.login_forms.EM.anon, LDAP_authen.login_forms.EM.ldap
+ return TRUE;
+ }
+ else {
+ return FALSE; // LDAP_authen.login_forms.EM.user1, LDAP_authen.login_forms.EM.drupal
+ }
+ }
+}
diff --git a/kolab.org/www/drupal-7.15/sites/all/modules/ldap/ldap_authentication/ldap_authentication.theme.inc b/kolab.org/www/drupal-7.15/sites/all/modules/ldap/ldap_authentication/ldap_authentication.theme.inc
new file mode 100644
index 0000000..cec6bac
--- /dev/null
+++ b/kolab.org/www/drupal-7.15/sites/all/modules/ldap/ldap_authentication/ldap_authentication.theme.inc
@@ -0,0 +1,132 @@
+<?php
+// $Id: ldap_authentication.theme.inc,v 1.1.2.1 2011/02/08 06:01:00 johnbarclay Exp $
+
+
+/**
+ * @file
+ * theming functions for ldap_authentication module
+ *
+ */
+
+/**
+ * Returns HTML for user login block links.
+ * @param $variables
+ * An associative array containing:
+ * - hide_reset_pwd (boolean) whether reset password link should be visible
+ * - auth_conf: object with ldap authentication configuration data
+ *
+ * @ingroup themeable
+ */
+function theme_ldap_authentication_user_login_block_links($variables) {
+ extract($variables);
+
+ // the code below modified from user.module user_login_block function
+ $items = array();
+ if (variable_get('user_register', USER_REGISTER_VISITORS_ADMINISTRATIVE_APPROVAL)) {
+ $items[] = l(t('Create new account'), 'user/register', array('attributes' => array('title' => t('Create a new user account.'))));
+ }
+ if ($show_reset_pwd) {
+ $items[] = l(t('Request new password'), 'user/password', array('attributes' => array('title' => t('Request new password via e-mail.'))));
+ }
+ elseif ($auth_conf->ldapUserHelpLinkUrl) {
+ $items[] = l(t($auth_conf->ldapUserHelpLinkText), $auth_conf->ldapUserHelpLinkUrl);
+ }
+
+ $output = theme('item_list', array('items' => $items));
+ return $output;
+}
+
+/**
+ * Returns HTML warning text for request new password/password reset form.
+ * @param $variables
+ * An associative array containing:
+ * - auth_conf: object with ldap authentication configuration data
+ *
+ * @ingroup themeable
+ */
+function theme_ldap_authentication_user_pass_message($variables) {
+ extract($variables);
+ if ($auth_conf->authenticationMode == LDAP_AUTHENTICATION_EXCLUSIVE) {
+ $msg = t('This page is only useful for the site administrator. All other users
+ need to reset their passwords');
+ if ($auth_conf->ldapUserHelpLinkUrl) {
+ $msg .= ' ' . t('at') . ' ' . l(t($auth_conf->ldapUserHelpLinkText), $auth_conf->ldapUserHelpLinkUrl) . '.';
+ }
+ else {
+ $msg .= ' ' . t('with one of your organizations password management sites.');
+ }
+ }
+ else { // mixed mode
+ $msg = ""; // warning will come up on validation. we do not know if the user is ldap authenticated or not until they submit form.
+ }
+
+ return $msg;
+}
+
+/**
+ * Returns HTML warning text when an ldap authenticated user tries to reset their password.
+ * @param $variables
+ * An associative array containing:
+ * - auth_conf: object with ldap authentication configuration data
+ * - account: user object
+ *
+ * @ingroup themeable
+ */
+function theme_ldap_authentication_user_pass_validate_ldap_authenticated($variables) {
+ extract($variables);
+ // already know user exists and is ldap authenticated
+
+ if ($auth_conf->ldapUserHelpLinkUrl) {
+ $msg = t('You may not reset your password here. You must reset your password via the directions at')
+ . ' ' . l(t($auth_conf->ldapUserHelpLinkText), $auth_conf->ldapUserHelpLinkUrl);
+ }
+ else {
+ $msg = t('You may not reset your password here. You must reset your password via one of your
+ organization\'s password management sites.');
+ }
+ return $msg;
+}
+
+
+/**
+ * The following three functions are theme callbacks for various messages
+ * from NTLM/seamless login integration.
+ *
+ * Provides a theme callback for successful login messages. The reason for
+ * using theme callbacks instead of a simple t() function is to provide the
+ * ability to have more complex message handling performed; an example would
+ * be to use the Real Name module to say "Welcome, User Name" upon successful
+ * login.
+ * @param $message
+ * A text string containing a translatable success message
+ *
+ * @ingroup themeable
+ */
+function theme_ldap_authentication_login_message($variables) {
+ extract($variables);
+ return $message;
+}
+
+/**
+ * Provides a theme callback for user not found messages.
+ * @param $message
+ * A text string containing a translatable "user not found" message
+ *
+ * @ingroup themeable
+ */
+function theme_ldap_authentication_message_not_found($variables) {
+ extract($variables);
+ return $message;
+}
+
+/**
+ * Provides a theme callback for authentication failure messages.
+ * @param $message
+ * A text string containing a translatable "authentication failure" message
+ *
+ * @ingroup themeable
+ */
+function theme_ldap_authentication_message_not_authenticated($variables) {
+ extract($variables);
+ return $message;
+}
diff --git a/kolab.org/www/drupal-7.15/sites/all/modules/ldap/ldap_authentication/tests/LdapServerTestData.ldapauthen1.inc b/kolab.org/www/drupal-7.15/sites/all/modules/ldap/ldap_authentication/tests/LdapServerTestData.ldapauthen1.inc
new file mode 100644
index 0000000..ae56824
--- /dev/null
+++ b/kolab.org/www/drupal-7.15/sites/all/modules/ldap/ldap_authentication/tests/LdapServerTestData.ldapauthen1.inc
@@ -0,0 +1,225 @@
+<?php
+// $Id: LdapServerTest.class.inc,v 1.4.2.1 2011/02/08 06:01:00 johnbarclay Exp $
+
+/**
+ * @file
+ * test configurations for LdapServerTest.class.php
+ * file name should be of form LdapServerTestData.<sid>.inc
+ * where sid is the server id data is used for.
+ *
+ */
+
+$test_data = array();
+
+/**
+ * $test_data['properties'] are all the initial properties of the instantiated LdapServerTest object
+ */
+
+$test_data['servers']['ldapauthen1']['properties'] = array(
+
+ 'sid' => 'ldapauthen1',
+ 'name' => 'Test LDAP Server 1 for LDAP Authentication' ,
+ 'inDatabase' => TRUE,
+ 'status' => 1,
+ 'type' => 'ad',
+ 'address' => 'ad.myuniversity.edu',
+ 'port' => 389,
+ 'tls' => FALSE,
+ 'bind_method' => LDAP_SERVERS_BIND_METHOD_SERVICE_ACCT,
+ 'basedn' => array(
+ 'ou=campus accounts,dc=ad,dc=myuniversity,dc=edu',
+ 'ou=education,dc=ad,dc=myuniversity,dc=edu',
+ 'ou=guest accounts,dc=ad,dc=myuniversity,dc=edu',
+ ),
+ 'binddn' => 'cn=service-account,dc=ad,dc=myuniversity,dc=edu',
+ 'bindpw' => 'goodpwd',
+ 'user_dn_expression' => 'user_dn_expression',
+ 'user_attr' => 'sAMAccountName',
+ 'mail_attr' => 'mail',
+ 'ldapToDrupalUserPhp' => NULL,
+ 'testingDrupalUsername' => 'jdoe',
+ 'groupObjectClass' => 'group',
+
+ );
+
+/**
+ *
+ * method responses are stored in array $test_data['methodResponses']
+ * where keys are:
+ * <method_name>
+ * parameter1,
+ * parameter2,
+ * ...
+ *
+ * and value is the response test ldap server is expected to return. values
+ * can be scalar, array, object, etc, depending on what the method being mimicked
+ * is expected to return
+ */
+
+$test_data['servers']['ldapauthen1']['methodResponses']['connect'] = LDAP_SUCCESS;
+
+$test_data['servers']['ldapauthen1']['search_results']['member=cn=verykool,ou=special guests,ou=guest accounts,dc=ad,dc=myuniversity,dc=edu']['ou=groups,dc=ad,dc=myuniversity,dc=edu'] = array(
+ 0 => array('count' => 1, 'dn' => 'cn=content editors,ou=groups,dc=ad,dc=myuniversity,dc=edu'),
+ 1 => array('count' => 1, 'dn' => 'cn=content approvers,ou=groups,dc=ad,dc=myuniversity,dc=edu'),
+ 'count' => 2,
+ );
+
+$test_data['servers']['ldapauthen1']['search_results']['member=cn=jkool,ou=guest accounts,dc=ad,dc=myuniversity,dc=edu']['ou=groups,dc=ad,dc=myuniversity,dc=edu'] = array(
+ 0 => array('count' => 1, 'dn' => 'cn=content editors,ou=groups,dc=ad,dc=myuniversity,dc=edu'),
+ 'count' => 1,
+ );
+
+/**
+ * fake user data array below 'attr' should mimick ldap user result data
+ */
+$test_data['servers']['ldapauthen1']['users']['cn=jdoe,ou=campus accounts,dc=ad,dc=myuniversity,dc=edu']['attr'] = array(
+ 'dn' => 'cn=jdoe,ou=campus accounts,dc=ad,dc=myuniversity,dc=edu',
+ 'mail' => array( 0 => 'jdoe@myuniversity.edu', 'count' => 1),
+ 'sAMAccountName' => array( 0 => 'jdoe', 'count' => 1),
+ 'password' => array( 0 => 'goodpwd', 'count' => 1),
+ );
+
+
+$test_data['servers']['ldapauthen1']['users']['cn=jkool,ou=guest accounts,dc=ad,dc=myuniversity,dc=edu']['attr'] = array(
+ 'dn' => 'cn=jkool,ou=guest accounts,dc=ad,dc=myuniversity,dc=edu',
+ 'mail' => array( 0 => 'jkool@guests.myuniversity.edu', 'count' => 1),
+ 'sAMAccountName' => array( 0 => 'jkool', 'count' => 1),
+ 'password' => array( 0 => 'goodpwd', 'count' => 1),
+ 'memberOf' => array( 0 => 'cn=sysadmins,ou=it,dc=ad,dc=myuniversity,dc=edu', 'count' => 1),
+ );
+
+$test_data['servers']['ldapauthen1']['users']['cn=unkool,ou=lost,dc=ad,dc=myuniversity,dc=edu']['attr'] = array(
+ 'dn' => 'cn=unkool,ou=lost,dc=ad,dc=myuniversity,dc=edu',
+ 'mail' => array( 0 => 'unkool@nowhere.myuniversity.edu', 'count' => 1),
+ 'sAMAccountName' => array( 0 => 'jkool', 'count' => 1),
+ 'password' => array( 0 => 'goodpwd', 'count' => 1),
+ 'memberOf' => array( 0 => 'cn=unknown_people,ou=nowhere,dc=ad,dc=myuniversity,dc=edu', 'count' => 1),
+ );
+
+$test_data['servers']['ldapauthen1']['users']['cn=verykool,ou=special guests,ou=guest accounts,dc=ad,dc=myuniversity,dc=edu']['attr'] = array(
+ 'dn' => 'cn=verykool,ou=special guests,ou=guest accounts,dc=ad,dc=myuniversity,dc=edu',
+ 'mail' => array( 0 => 'verykool@myuniversity.edu', 'count' => 1),
+ 'sAMAccountName' => array( 0 => 'verykool', 'count' => 1),
+ 'password' => array( 0 => 'goodpwd', 'count' => 1),
+ 'meMBErof' => array(
+ 0 => 'cn=sysadmins,ou=it,dc=ad,dc=myuniversity,dc=edu',
+ 1 => 'CN=NETadmins,ou=it,dc=ad,dc=myuniversity,dc=edu',
+ 'count' => 2,
+ ),
+ );
+
+
+/**
+ * test users should include service account if one is being used
+ */
+$test_data['servers']['ldapauthen1']['users']['cn=service-account,dc=ad,dc=myuniversity,dc=edu']['attr'] = array(
+ 'dn' => 'cn=service-account,dc=ad,dc=myuniversity,dc=edu',
+ 'mail' => array( 0 => 'service-account@myuniversity.edu', 'count' => 1),
+ 'sAMAccountName' => array( 0 => 'service-account', 'count' => 1),
+ 'memberOf' => array(
+ 0 => 'CN=service_accounts,OU=ServiceAccountGroups,DC=ad,DC=myuniversity,DC=edu',
+ 'count' => 2,
+ ),
+ 'password' => array( 0 => 'goodpwd', 'count' => 1),
+ );
+
+
+/** the ldap_authentication data is keyed on the test id such
+ * that the same ldap test data above can be reused for all authentication configurations
+ */
+
+$test_data['ldap_authentication']['MixedModeUserLogon'] = array(
+ 'sids' => array('ldapauthen1' => 'ldapauthen1'),
+ 'authenticationMode' => LDAP_AUTHENTICATION_MIXED,
+ 'loginConflictResolve' => LDAP_AUTHENTICATION_CONFLICT_LOG,
+ 'acctCreation' => LDAP_AUTHENTICATION_ACCT_CREATION_LDAP_BEHAVIOR,
+ 'ldapUserHelpLinkUrl' => '',
+ 'ldapUserHelpLinkText' => '',
+ 'emailOption' => LDAP_AUTHENTICATION_EMAIL_FIELD_DISABLE,
+ 'emailUpdate' => LDAP_AUTHENTICATION_EMAIL_UPDATE_ON_LDAP_CHANGE_DISABLE,
+ 'allowOnlyIfTextInDn' => NULL,
+ 'excludeIfTextInDn' => NULL,
+ 'allowTestPhp' => NULL,
+ 'excludeIfNoAuthorizations' => LDAP_AUTHENTICATION_EXCL_IF_NO_AUTHZ_DEFAULT,
+ );
+
+$test_data['ldap_authentication']['ExclusiveModeUserLogon'] = array(
+ 'sids' => array('ldapauthen1' => 'ldapauthen1'),
+ 'authenticationMode' => LDAP_AUTHENTICATION_EXCLUSIVE,
+ 'loginConflictResolve' => LDAP_AUTHENTICATION_CONFLICT_LOG,
+ 'acctCreation' => LDAP_AUTHENTICATION_ACCT_CREATION_LDAP_BEHAVIOR,
+ 'ldapUserHelpLinkUrl' => '',
+ 'ldapUserHelpLinkText' => '',
+ 'emailOption' => LDAP_AUTHENTICATION_EMAIL_FIELD_DISABLE,
+ 'emailUpdate' => LDAP_AUTHENTICATION_EMAIL_UPDATE_ON_LDAP_CHANGE_DISABLE,
+ 'allowOnlyIfTextInDn' => NULL,
+ 'excludeIfTextInDn' => NULL,
+ 'allowTestPhp' => NULL,
+ 'excludeIfNoAuthorizations' => LDAP_AUTHENTICATION_EXCL_IF_NO_AUTHZ_DEFAULT,
+ );
+
+$test_data['ldap_authentication']['WL1'] = array(
+ 'sids' => array('ldapauthen1' => 'ldapauthen1'),
+ 'authenticationMode' => LDAP_AUTHENTICATION_EXCLUSIVE,
+ 'loginConflictResolve' => LDAP_AUTHENTICATION_CONFLICT_LOG,
+ 'acctCreation' => LDAP_AUTHENTICATION_ACCT_CREATION_LDAP_BEHAVIOR,
+ 'ldapUserHelpLinkUrl' => '',
+ 'ldapUserHelpLinkText' => '',
+ 'emailOption' => LDAP_AUTHENTICATION_EMAIL_FIELD_DISABLE,
+ 'emailUpdate' => LDAP_AUTHENTICATION_EMAIL_UPDATE_ON_LDAP_CHANGE_DISABLE,
+ 'allowOnlyIfTextInDn' => NULL,
+ 'excludeIfTextInDn' => NULL,
+ 'allowTestPhp' => NULL,
+ 'excludeIfNoAuthorizations' => 0,
+ );
+
+// single sign on tests
+$test_data['ldap_authentication']['MixedModeUserLogonSSO'] = $test_data['ldap_authentication']['MixedModeUserLogon'];
+$test_data['ldap_authentication']['MixedModeUserLogonSSO']['ssoRemoteUserStripDomainName'] = FALSE;
+$test_data['ldap_authentication']['MixedModeUserLogonSSO']['seamlessLogin'] = TRUE;
+$test_data['ldap_authentication']['MixedModeUserLogonSSO']['ldapImplementation'] = 'mod_auth_sspi';
+$test_data['ldap_authentication']['MixedModeUserLogonSSO']['cookieExpire'] = 3600;
+
+$test_data['ldap_authentication']['ExclusiveModeUserLogonSSO'] = $test_data['ldap_authentication']['ExclusiveModeUserLogon'];
+$test_data['ldap_authentication']['ExclusiveModeUserLogonSSO']['ssoRemoteUserStripDomainName'] = FALSE;
+$test_data['ldap_authentication']['ExclusiveModeUserLogonSSO']['seamlessLogin'] = FALSE;
+$test_data['ldap_authentication']['ExclusiveModeUserLogonSSO']['ldapImplementation'] = 'mod_auth_sspi';
+$test_data['ldap_authentication']['ExclusiveModeUserLogonSSO']['cookieExpire'] = 3600;
+
+
+
+
+$test_data['ldap_authorization_conf']['consumer_conf']['sid'] = 'ldapauthen1';
+
+$test_data['ldap_authorization_conf']['consumer_conf']['consumerType'] = 'drupal_role'; // change as desired
+$test_data['ldap_authorization_conf']['consumer_conf']['consumerModule'] = 'ldap_authorization_drupal_role';
+
+$test_data['ldap_authorization_conf']['consumer_conf']['description'] = 'UIUC AD';
+$test_data['ldap_authorization_conf']['consumer_conf']['status'] = 1;
+$test_data['ldap_authorization_conf']['consumer_conf']['onlyApplyToLdapAuthenticated'] = 1;
+
+$test_data['ldap_authorization_conf']['consumer_conf']['deriveFromDn'] = 1;
+$test_data['ldap_authorization_conf']['consumer_conf']['deriveFromDnAttr'] = 'ou';
+
+$test_data['ldap_authorization_conf']['consumer_conf']['deriveFromAttr'] = 0;
+$test_data['ldap_authorization_conf']['consumer_conf']['deriveFromAttrAttr'] = array();
+
+$test_data['ldap_authorization_conf']['consumer_conf']['deriveFromEntry'] = 0;
+$test_data['ldap_authorization_conf']['consumer_conf']['deriveFromEntryEntries'] = NULL;
+$test_data['ldap_authorization_conf']['consumer_conf']['deriveFromEntryEntriesAttr'] = NULL;
+$test_data['ldap_authorization_conf']['consumer_conf']['deriveFromEntryMembershipAttr'] = NULL;
+
+
+$test_data['ldap_authorization_conf']['consumer_conf']['mappings'][] = array('Campus Accounts', 'campus accounts');
+$test_data['ldap_authorization_conf']['consumer_conf']['mappings'][] = array('guest accounts', 'guests');
+$test_data['ldap_authorization_conf']['consumer_conf']['mappings'][] = array('special guests', 'special guests');
+$test_data['ldap_authorization_conf']['consumer_conf']['mappings'][] = array('cn=sysadmins,ou=it,dc=ad,dc=myuniversity,dc=edu', 'sysadmins');
+
+$test_data['ldap_authorization_conf']['consumer_conf']['useMappingsAsFilter'] = 1;
+
+$test_data['ldap_authorization_conf']['consumer_conf']['synchOnLogon'] = 1;
+$test_data['ldap_authorization_conf']['consumer_conf']['synchManually'] = 1;
+
+$test_data['ldap_authorization_conf']['consumer_conf']['revokeLdapProvisioned'] = 1;
+$test_data['ldap_authorization_conf']['consumer_conf']['createConsumers'] = 1;
+$test_data['ldap_authorization_conf']['consumer_conf']['regrantLdapProvisioned'] = 1;
diff --git a/kolab.org/www/drupal-7.15/sites/all/modules/ldap/ldap_authentication/tests/ldap_authentication.test b/kolab.org/www/drupal-7.15/sites/all/modules/ldap/ldap_authentication/tests/ldap_authentication.test
new file mode 100644
index 0000000..4da5dc2
--- /dev/null
+++ b/kolab.org/www/drupal-7.15/sites/all/modules/ldap/ldap_authentication/tests/ldap_authentication.test
@@ -0,0 +1,543 @@
+<?php
+// $Id$
+
+/**
+ * @file
+ * ldap_authentication simpletests
+ *
+ */
+require_once(drupal_get_path('module', 'ldap_servers') . '/tests/LdapTestFunctions.class.php');
+
+class LdapAuthenticationTestCase extends DrupalWebTestCase {
+ public static function getInfo() {
+ return array(
+ 'name' => 'LDAP Authentication Tests',
+ 'description' => 'Test ldap authentication.',
+ 'group' => 'LDAP Authentication'
+ );
+ }
+
+ public $module_name = 'ldap_authentication';
+ public $testFunctions;
+ public $testData;
+ public $sid;
+
+ function setUp($addl_modules = array()) {
+ parent::setUp(array('ldap_authentication', 'ldap_authorization', 'ldap_authorization_drupal_role')); // don't need any real servers, configured, just ldap_servers code base
+ variable_set('ldap_simpletest', 1);
+ variable_set('ldap_help_watchdog_detail', 0);
+ }
+
+
+ function tearDown() {
+ parent::tearDown();
+ variable_del('ldap_help_watchdog_detail');
+ variable_del('ldap_simpletest');
+ }
+
+
+ /**
+ * prepTestData create an ldap_authorization configuration and stores fake ldap server configuration.
+ *
+ * @param string $testid the name of the test. used to determine which configuration file to include
+ * @return object consumer configuration object (class = LdapAuthorizationConsumerConfAdmin)
+ *
+ */
+ function prepTestData($sid, $testid) {
+ $this->testFunctions = new LdapTestFunctions();
+
+ include(drupal_get_path('module', 'ldap_authentication') . '/tests/LdapServerTestData.' . $sid . '.inc');
+ $this->testFunctions->prepTestServers($test_data['servers']);
+ $this->testData = $test_data;
+ $authentication_conf = (is_array($testid)) ? $testid : $test_data['ldap_authentication'][$testid];
+ $this->testFunctions->configureAuthentication($authentication_conf);
+
+
+
+ // set up authorization conf. needed for some tests.
+ $consumer_conf = $test_data['ldap_authorization_conf']['consumer_conf'];
+ $consumer_obj = ldap_authorization_get_consumer_object($consumer_conf['consumerType']);
+ $consumer_conf_admin = new LdapAuthorizationConsumerConfAdmin($consumer_obj, TRUE);
+ foreach ($consumer_conf as $property_name => $property_value) {
+ $consumer_conf_admin->{$property_name} = $property_value;
+ }
+ $consumer_conf_admin->save();
+
+
+ }
+
+ public function AttemptLogon($dn, $goodpwd = TRUE) {
+
+ $this->drupalLogout();
+ $user = $this->testData['servers'][$this->sid]['users'][$dn]['attr'];
+ $parts = ldap_explode_dn($dn, 0);
+ $cn_parts = explode('=', $parts[0]);
+ $edit = array(
+ 'name' => ldap_pear_unescape_dn_value($cn_parts[1]),
+ 'pass' => $user['password'][0],
+ );
+ $user = user_load_by_name($edit['name']);
+ if ($user) {
+ user_delete($user->uid);
+ }
+ $this->drupalPost('user', $edit, t('Log in'));
+ }
+
+ /**
+ * difficult to test install and uninstall since setUp does module enabling and installing.
+ */
+ function testInstall() {
+ $sid = 'ldapauthen1';
+ include(drupal_get_path('module', 'ldap_authentication') . '/tests/LdapServerTestData.' . $sid . '.inc');
+ $testid = $this->module_name . ': setup success';
+ // just to give warning if setup doesn't succeed. may want to take these out at some point.
+
+ $setup_success = (
+ module_exists('ldap_authentication') &&
+ module_exists('ldap_servers')
+ );
+
+ $this->assertTrue($setup_success, ' ldap_authentication setup successful', $testid);
+
+ }
+
+
+/**
+ * LDAP Authentication Mixed Mode User Logon Test (ids = LDAP_authen.MM.ULT.*)
+ */
+
+
+ function testMixedModeUserLogon() {
+
+ $sid = 'ldapauthen1';
+ $testid = 'MixedModeUserLogon';
+ $this->prepTestData($sid, $testid);
+ $ldap_servers = ldap_servers_get_servers($sid, 'enabled');
+ $this->assertTrue(count($ldap_servers) == 1, ' ldap_authentication test server setup successful', $testid);
+
+ /**
+ * LDAP_authen.MM.ULT.user1.goodpwd -- result: Successful logon as user 1
+ */
+
+ $user1 = user_load(1);
+ $password = $this->randomString(20);
+ require_once(DRUPAL_ROOT . '/includes/password.inc');
+ $account = array(
+ 'name' => $user1->name,
+ 'pass' => user_hash_password(trim($password)),
+ );
+ db_update('users')
+ ->fields($account)
+ ->condition('uid', 1)
+ ->execute();
+
+ $edit = array(
+ 'name' => $user1->name,
+ 'pass' => $password,
+ );
+
+ $this->drupalPost('user', $edit, t('Log in'));
+ $this->assertText(t('Member for'), 'User 1 successfully authenticated', $testid);
+ $this->drupalGet('user/logout');
+
+ /** LDAP_authen.MM.ULT.user1.badpwd -- result: Drupal logon error message. **/
+
+ $edit = array(
+ 'name' => $user1->name,
+ 'pass' => 'mydabpassword',
+ );
+
+ $this->drupalPost('user', $edit, t('Log in'));
+ $this->assertText(t('Sorry, unrecognized username or password'), 'User 1 failed with bad password', $testid);
+ $this->drupalLogout();
+
+ /** LDAP_authen.MM.ULT.drupal.goodpwd - result: Successful logon **/
+
+ $drupal_user = $this->drupalCreateUser();
+ $raw_pass = $drupal_user->pass_raw;
+ $edit = array(
+ 'name' => $drupal_user->name,
+ 'pass' => $raw_pass,
+ );
+ $this->drupalPost('user', $edit, t('Log in'));
+ $this->assertText(t('Member for'), 'Drupal user successfully authenticated', $testid);
+ $this->drupalGet('user/logout');
+
+ /** LDAP_authen.MM.ULT.drupal.badpwd - result: Drupal logon error message. **/
+ $edit = array(
+ 'name' => $drupal_user->name,
+ 'pass' => 'mydabpassword',
+ );
+ $this->drupalPost('user', $edit, t('Log in'));
+ $this->assertText(t('Sorry, unrecognized username or password'), 'Drupal user with bad password failed to authenticate.', $testid);
+ $this->drupalGet('user/logout');
+
+ /** LDAP_authen.MM.ULT.ldap.newaccount.badpwd - result: Drupal logon error message. **/
+ $edit = array(
+ 'name' => 'jkool',
+ 'pass' => 'mydabpassword',
+ );
+ $this->drupalPost('user', $edit, t('Log in'));
+ $this->assertText(t('Sorry, unrecognized username or password'), 'New Ldap user with bad password failed to authenticate.', $testid);
+ $this->drupalGet('user/logout');
+
+
+ /** LDAP_authen.MM.ULT.ldap.newaccount.goodpwd - result: Successful logon, with user record created and authmapped to ldap **/
+ $edit = array(
+ 'name' => 'jkool',
+ 'pass' => 'goodpwd',
+ );
+ $this->drupalPost('user', $edit, t('Log in'));
+ $this->assertText(t('Member for'), 'New Ldap user with good password authenticated.');
+ $this->assertTrue($this->testFunctions->ldapUserIsAuthmapped('jkool'), 'Ldap user properly authmapped.', $testid);
+ $this->drupalGet('user/logout');
+
+
+ /** LDAP_authen.MM.ULT.existingacct.badpwd - result: Drupal logon error message. **/
+ $edit = array(
+ 'name' => 'jkool',
+ 'pass' => 'mydabpassword',
+ );
+ $this->drupalPost('user', $edit, t('Log in'));
+ $this->assertText(t('Sorry, unrecognized username or password'), 'Existing Ldap user with bad password failed to authenticate.', $testid);
+ $this->drupalGet('user/logout');
+
+ /** LDAP_authen.MM.ULT.existingacct.goodpwd - result: Successful logon. **/
+ $edit = array(
+ 'name' => 'jkool',
+ 'pass' => 'goodpwd',
+ );
+ $this->drupalPost('user', $edit, t('Log in'));
+ $this->assertText(t('Member for'), 'Existing Ldap user with good password authenticated.');
+ $this->assertTrue($this->testFunctions->ldapUserIsAuthmapped('jkool'), 'Existing Ldap user still properly authmapped.', $testid);
+ $this->drupalGet('user/logout');
+ }
+
+
+/**
+ * LDAP Authentication Exclusive Mode User Logon Test (ids = LDAP_authen.EM.ULT.*)
+ */
+ function testExclusiveModeUserLogon() {
+
+ $sid = 'ldapauthen1';
+ $testid = 'ExclusiveModeUserLogon';
+ $this->prepTestData($sid, $testid);
+ $ldap_servers = ldap_servers_get_servers($sid, 'enabled');
+ $this->assertTrue(count($ldap_servers) == 1, ' ldap_authentication test server setup successful', $testid);
+
+ /**
+ * LDAP_authen.EM.ULT.user1.goodpwd -- result: Successful logon as user 1
+ */
+
+ $user1 = user_load(1);
+ $password = $this->randomString(20);
+ require_once(DRUPAL_ROOT . '/includes/password.inc');
+ $account = array(
+ 'name' => $user1->name,
+ 'pass' => user_hash_password(trim($password)),
+ );
+ db_update('users')
+ ->fields($account)
+ ->condition('uid', 1)
+ ->execute();
+
+ $edit = array(
+ 'name' => $user1->name,
+ 'pass' => $password,
+ );
+
+ $this->drupalPost('user', $edit, t('Log in'));
+ $this->assertText(t('Member for'), 'User 1 successfully authenticated', $testid);
+ $this->drupalGet('user/logout');
+
+ /** LDAP_authen.EM.ULT.user1.badpwd -- result: Drupal logon error message. **/
+
+ $edit = array(
+ 'name' => $user1->name,
+ 'pass' => 'mydabpassword',
+ );
+
+ $this->drupalPost('user', $edit, t('Log in'));
+ $this->assertText(t('Sorry, unrecognized username or password'), 'User 1 failed with bad password', $testid );
+ $this->drupalLogout();
+
+ /** LDAP_authen.EM.ULT.drupal.goodpwd - result: failed logon **/
+
+ $drupal_user = $this->drupalCreateUser();
+ $raw_pass = $drupal_user->pass_raw;
+ $edit = array(
+ 'name' => $drupal_user->name,
+ 'pass' => $raw_pass,
+ );
+ $this->drupalPost('user', $edit, t('Log in'));
+ $this->assertText(t('Sorry, unrecognized username or password'), 'Drupal user successfully authenticated', $testid );
+ $this->drupalGet('user/logout');
+
+ /** LDAP_authen.EM.ULT.drupal.badpwd - result: Drupal logon error message. **/
+ $edit = array(
+ 'name' => $drupal_user->name,
+ 'pass' => 'mydabpassword',
+ );
+ $this->drupalPost('user', $edit, t('Log in'));
+ $this->assertText(t('Sorry, unrecognized username or password'), 'Drupal user with bad password failed to authenticate.', $testid );
+ $this->drupalGet('user/logout');
+
+ /** LDAP_authen.EM.ULT.ldap.newaccount.badpwd - result: Drupal logon error message. **/
+ $edit = array(
+ 'name' => 'jkool',
+ 'pass' => 'mydabpassword',
+ );
+ $this->drupalPost('user', $edit, t('Log in'));
+ $this->assertText(t('Sorry, unrecognized username or password'), 'New Ldap user with bad password failed to authenticate.', $testid );
+ $this->drupalGet('user/logout');
+
+
+ /** LDAP_authen.EM.ULT.ldap.newaccount.goodpwd - result: Successful logon, with user record created and authmapped to ldap **/
+ $edit = array(
+ 'name' => 'jkool',
+ 'pass' => 'goodpwd',
+ );
+ $this->drupalPost('user', $edit, t('Log in'));
+ $this->assertText(t('Member for'), 'New Ldap user with good password authenticated.');
+ $this->assertTrue($this->testFunctions->ldapUserIsAuthmapped('jkool'), 'Ldap user properly authmapped.', $testid );
+ $this->drupalGet('user/logout');
+
+
+ /** LDAP_authen.EM.ULT.existingacct.badpwd - result: Drupal logon error message. **/
+ $edit = array(
+ 'name' => 'jkool',
+ 'pass' => 'mydabpassword',
+ );
+ $this->drupalPost('user', $edit, t('Log in'));
+ $this->assertText(t('Sorry, unrecognized username or password'), 'Existing Ldap user with bad password failed to authenticate.', $testid );
+ $this->drupalGet('user/logout');
+
+ /** LDAP_authen.MM.ULT.existingacct.goodpwd - result: Successful logon. **/
+ $edit = array(
+ 'name' => 'jkool',
+ 'pass' => 'goodpwd',
+ );
+ $this->drupalPost('user', $edit, t('Log in'));
+ $this->assertText(t('Member for'), 'Existing Ldap user with good password authenticated.');
+ $this->assertTrue($this->testFunctions->ldapUserIsAuthmapped('jkool'), 'Existing Ldap user still properly authmapped.', $testid );
+ $this->drupalGet('user/logout');
+ }
+
+
+
+ function testAuthenticationWhitelistTests() {
+ require_once(drupal_get_path('module', 'ldap_authentication') . '/LdapAuthenticationConfAdmin.class.php');
+
+ $sid = 'ldapauthen1';
+ $this->sid = $sid;
+ $testid = 'WL1';
+ $this->prepTestData($sid, $testid);
+ $ldap_servers = ldap_servers_get_servers($sid, 'enabled');
+ $this->assertTrue(count($ldap_servers) == 1, ' ldap_authentication test server setup successful', $testid);
+
+ // these 2 modules are configured in setup, but disabled for most authentication tests
+ module_disable(array('ldap_authorization_drupal_role', 'ldap_authorization'));
+
+ /**
+ * LDAP_authen.WL.user1 test for user 1 being excluded from white and black list tests
+ */
+
+ $user1 = user_load(1);
+ $password = $this->randomString(20);
+ require_once(DRUPAL_ROOT . '/includes/password.inc');
+ $account = array(
+ 'name' => $user1->name,
+ 'pass' => user_hash_password(trim($password)),
+ );
+ db_update('users')
+ ->fields($account)
+ ->condition('uid', 1)
+ ->execute();
+
+ $edit = array(
+ 'name' => $user1->name,
+ 'pass' => $password,
+ );
+
+ $this->drupalPost('user', $edit, t('Log in'));
+ $this->assertText(t('Member for'), 'User 1 successfully authenticated in LDAP_authen.WL.user1', $testid);
+ $this->drupalGet('user/logout');
+
+ module_enable(array('ldap_authorization'));
+ module_enable(array('ldap_authorization_drupal_role'));
+
+
+ /**
+ * prep LDAP_authen.WL.allow
+ */
+ $authenticationConf = new LdapAuthenticationConfAdmin();
+ $authenticationConf->allowOnlyIfTextInDn = array('ou=guest accounts');
+ $authenticationConf->save();
+
+
+ /**
+ * LDAP_authen.WL.allow.match -- desirect_result: authenticate success
+ */
+
+ $this->attemptLogon('cn=jkool,ou=guest accounts,dc=ad,dc=myuniversity,dc=edu');
+ $this->assertText(t('Member for'), 'User able to authenticate because in white list (allowOnlyIfTextInDn).', $testid);
+
+ /**
+ * LDAP_authen.WL.allow.miss -- desirect_result: authenticate fail
+ */
+
+ $this->attemptLogon('cn=unkool,ou=lost,dc=ad,dc=myuniversity,dc=edu');
+ $this->assertText(t('Sorry, unrecognized username or password'), 'User unable to authenticate because not in white list (allowOnlyIfTextInDn).', $testid);
+
+
+ /**
+ * undo LDAP_authen.WL.allow settings
+ */
+
+ $authenticationConf = new LdapAuthenticationConfAdmin();
+ $authenticationConf->allowOnlyIfTextInDn = array();
+ $authenticationConf->save();
+
+ /**
+ * prep LDAP_authen.WL.exclude
+ */
+ $authenticationConf = new LdapAuthenticationConfAdmin();
+ $authenticationConf->excludeIfTextInDn = array('cn=unkool');
+ $authenticationConf->save();
+
+
+ /**
+ * LDAP_authen.WL.exclude.match -- desirect_result: authenticate fail
+ */
+
+ $this->attemptLogon('cn=unkool,ou=lost,dc=ad,dc=myuniversity,dc=edu');
+ $this->assertText(t('Sorry, unrecognized username or password'), 'User unable to authenticate in exclude list (excludeIfTextInDn).', $testid);
+
+ /**
+ * LDAP_authen.WL.exclude.miss-- desirect_result: authenticate success
+ */
+
+ $this->attemptLogon('cn=jkool,ou=guest accounts,dc=ad,dc=myuniversity,dc=edu');
+ $this->assertText(t('Member for'), 'Able to authenticate because not in exclude list (allowOnlyIfTextInDn).', $testid);
+
+ /**
+ * undo LDAP_authen.WL.allow settings
+ */
+
+ $authenticationConf = new LdapAuthenticationConfAdmin();
+ $authenticationConf->excludeIfTextInDn = array();
+ $authenticationConf->save();
+
+
+ /**
+ * prep LDAP_authen.WL.php
+ */
+ $authenticationConf = new LdapAuthenticationConfAdmin();
+ $authenticationConf->allowTestPhp = "\n
+ //exclude users with guests.myuniversity.edu email address \n
+ if (strpos(\$_ldap_user_entry['attr']['mail'][0], '@guests.myuniversity.edu') === FALSE) {\n
+ print 1;\n
+ }\n
+ else {
+ print 0;\n
+ }
+ ";
+
+ $authenticationConf->save();
+
+ /**
+ * LDAP_authen.WL.php.php disabled -- desired result: authenticate fail with warning the authentication disabled
+ */
+ module_disable(array('php'));
+ $this->attemptLogon('cn=verykool,ou=special guests,ou=guest accounts,dc=ad,dc=myuniversity,dc=edu');
+ $this->assertText(LDAP_AUTHENTICATION_DISABLED_FOR_BAD_CONF_MSG, 'With php disabled and php code in whitelist, refuse authentication. (allowTestPhp).', $testid);
+ module_enable(array('php'));
+
+
+ /**
+ * LDAP_authen.WL.php.true -- desired result: authenticate success
+ */
+ $this->attemptLogon('cn=verykool,ou=special guests,ou=guest accounts,dc=ad,dc=myuniversity,dc=edu');
+ $this->assertText(t('Member for'), 'Able to authenticate because php returned true (allowTestPhp).', $testid);
+
+ /**
+ * LDAP_authen.WL.php.false-- desired result: authenticate fail
+ */
+
+ $this->attemptLogon('cn=jkool,ou=guest accounts,dc=ad,dc=myuniversity,dc=edu');
+ $this->assertText(t('User disallowed'), 'User unable to authenticate because php returned false (allowTestPhp).', $testid);
+
+
+ /**
+ * clear LDAP_authen.WL.php
+ */
+ $authenticationConf = new LdapAuthenticationConfAdmin();
+ $authenticationConf->allowTestPhp = '';
+ $authenticationConf->save();
+ /*** multiple options used in whitelist **/
+
+ /**
+ * LDAP_authen.WL.allow[match].exclude[match] -- desired result: authenticate fail
+ */
+
+
+
+ /**
+ * LDAP_authen.WL.allow[match].exclude[miss] -- desired result: authenticate success
+ */
+
+
+ /**
+ * LDAP_authen.WL.exclude[match].*-- desirect_result: authenticate fail
+ */
+
+
+
+ /**
+ * LDAP_authen.WL.exclude[match].php[false] -- desired result: authenticate fail
+ */
+
+
+ /**
+ * LDAP_authen.WL1.excludeIfNoAuthorizations.hasAuthorizations
+ * test for excludeIfNoAuthorizations set to true and consumer granted authorizations
+ */
+
+ // these 2 modules are configured in setup, but disabled for most authentication tests
+ module_disable(array('ldap_authorization_drupal_role', 'ldap_authorization'));
+ $authenticationConf = new LdapAuthenticationConfAdmin();
+ $authenticationConf->excludeIfNoAuthorizations = 1;
+ $authenticationConf->save();
+
+ /**
+ * LDAP_authen.WL1.excludeIfNoAuthorizations.failsafe
+ * test for excludeIfNoAuthorizations set to true and ldap_authorization disabled
+ * to make sure authentication fails completely
+ */
+
+
+ $this->attemptLogon('cn=jkool,ou=guest accounts,dc=ad,dc=myuniversity,dc=edu');
+ $this->assertText(LDAP_AUTHENTICATION_DISABLED_FOR_BAD_CONF_MSG, t('Authentication prohibited when excludeIfNoAuthorizations = true and LDAP Authorization disabled. LDAP_authen.WL1.excludeIfNoAuthorizations.failsafe'), $testid);
+
+ module_enable(array('ldap_authorization_drupal_role'), TRUE);
+ $this->attemptLogon('cn=jkool,ou=guest accounts,dc=ad,dc=myuniversity,dc=edu');
+ $this->assertText(t('Member for'), 'User able to authenticate because of excludeIfNoAuthorizations setting.', $testid);
+
+ /**
+ * LDAP_authen.WL1.excludeIfNoAuthorizations.hasNoAuthorizations
+ * test for excludeIfNoAuthorizations set to true and No consumer granted authorizations
+ */
+
+ $this->attemptLogon('cn=unkool,ou=lost,dc=ad,dc=myuniversity,dc=edu');
+ $this->assertText(t('Sorry, unrecognized username or password'), 'User unable to authenticate because of excludeIfNoAuthorizations setting.', $testid);
+
+ $authenticationConf = new LdapAuthenticationConfAdmin();
+ $authenticationConf->excludeIfNoAuthorizations = 0;
+ $authenticationConf->save();
+ module_disable(array('ldap_authorization_drupal_role', 'ldap_authorization'));
+
+
+}
+
+
+}