authenticated = false;
$account_suffix = get_option('AD_Integration_account_suffix');
$domain_controllers = explode(';', get_option('AD_Integration_domain_controllers'));
$base_dn = get_option('AD_Integration_base_dn');
$bind_user = get_option('AD_Integration_bind_user');
$bind_pwd = get_option('AD_Integration_bind_pwd');
$port = get_option('AD_Integration_port');
$use_tls = get_option('AD_Integration_use_tls');
$append_suffix_to_new_users = get_option('AD_Integration_append_suffix_to_new_users');
$authorize_by_group = (bool)get_option('AD_Integration_authorize_by_group');
$auto_create_user = (bool)get_option('AD_Integration_auto_create_user');
$auto_update_user = (bool)get_option('AD_Integration_auto_update_user');
$max_login_attempts = (int)get_option('AD_Integration_max_login_attempts');
$block_time = (int)get_option('AD_Integration_block_time');
// Check for maximum login attempts
if ($max_login_attempts > 0) {
$failed_logins = $this->_get_failed_logins_within_time($username, $block_time);
if ($failed_logins >= $max_login_attempts) {
$this->authenticated = false;
$this->_display_blocking_page($username);
die();
}
}
$this->adldap = new adLDAP(array(
"account_suffix" => $account_suffix,
"base_dn" => $base_dn,
"domain_controllers" => $domain_controllers,
"ad_username" => $bind_user, // AD Bind User
"ad_password" => $bind_pwd, // password
"ad_port" => $port, // AD port
"use_tls" => $use_tls // secure?
));
if ( $this->adldap->authenticate($username, $password) )
{
$this->authenticated = true;
}
if ( $this->authenticated == false )
{
$this->authenticated = false;
$this->_store_failed_login($username);
return false;
}
// Cleanup old database entries
$this->_cleanup_failed_logins($seconds, $username);
// Check the authorization
if ($authorize_by_group) {
if ($this->_check_authorization_by_group($username)) {
$this->authenticated = true;
} else {
$this->authenticated = false;
return false;
}
}
$ad_username = $username;
// should the account suffix be used for the new username?
if ($append_suffix_to_new_users) {
$username .= $account_suffix;
}
// Create new users automatically, if configured
$user = get_userdatabylogin($username);
if (! $user or $user->user_login != $username) {
$user_role = $this->_get_user_role_equiv($ad_username);
if ($auto_create_user || $user_role != '' ) {
// create user
$userinfo = $this->adldap->user_info($ad_username,
array("sn", "givenname", "mail")
);
$userinfo = $userinfo[0];
$email = $userinfo['mail'][0];
$first_name = $userinfo['givenname'][0];
$last_name = $userinfo['sn'][0];
$this->_create_user($ad_username, $email, $first_name, $last_name, $user_role);
}
else {
// Bail out to avoid showing the login form
return new WP_Error('invalid_username', __('ERROR: This user exists in Active Directory, but has not been granted access to this installation of WordPress.'));
}
} else {
// update known users if configured
if ($auto_create_user) {
if ($auto_update_user) {
// Update users role
$user_role = $this->_get_user_role_equiv($ad_username);
$userinfo = $this->adldap->user_info($ad_username, array("sn", "givenname", "mail"));
$userinfo = $userinfo[0];
$email = $userinfo['mail'][0];
$first_name = $userinfo['givenname'][0];
$last_name = $userinfo['sn'][0];
$this->_update_user($ad_username, $email, $first_name, $last_name, $user_role);
}
}
}
}
/*
* Skip the password check, since we've externally authenticated.
*/
function override_password_check($check, $password, $hash, $user_id) {
    // Once Active Directory has vouched for this login, the stored WordPress
    // hash is irrelevant: report the password as valid.
    if ($this->authenticated) {
        return true;
    }
    // Otherwise hand back whatever verdict WordPress already reached.
    return $check;
}
/*
* Generate a password for the user. This plugin does not
* require the user to enter this value, but we want to set it
* to something nonobvious.
*/
function generate_password($username, $password1, $password2) {
    // NOTE(review): both parameters are received by value, so these assignments
    // only change local copies -- the caller never observes the generated value.
    // If the password is meant to flow back to the hook that invokes this, the
    // parameters would have to be declared by reference; confirm against the
    // hook registration, which is not in view here.
    $password1 = $password2 = $this->_get_password();
}
/*
* Used to disable certain display elements, e.g. password
* fields on profile screen.
*/
function disable_password_fields($show_password_fields) {
    // Ignore whatever WordPress passes in and always hide the fields: the
    // password is not managed inside WordPress when this plugin is active.
    return false;
}
/*
* Used to disable certain login functions, e.g. retrieving a
* user's password.
*/
function disable_function() {
    // Hook target for features the plugin switches off entirely; stop the
    // request with a short notice instead of letting WordPress continue.
    exit('Disabled');
}
/*************************************************************
* Functions
*************************************************************/
/**
* Stores the username and the current time in the db.
*
* @param string $username login name whose failed attempt is being recorded
* @return void
*/
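function _store_failed_login($username) {
    global $wpdb;
    // The table prefix is site configuration, not user input, so interpolating it is fine.
    $table_name = $wpdb->prefix . "adintegration";
    // $username comes straight from the login form: bind it as a parameter rather
    // than splicing an escaped copy into the statement text.
    $sql = $wpdb->prepare(
        "INSERT INTO $table_name (user_login, failed_login_time) VALUES (%s, %d)",
        $username,
        time()
    );
    $wpdb->query($sql);
}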
/**
* Determines the number of failed login attempts of specific user within a specific time from now to the past.
*
* @param $username
* @param $seconds number of seconds
* @return number of failed login attempts
*/
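function _get_failed_logins_within_time($username, $seconds) {
    global $wpdb;
    // Site-configured prefix; safe to interpolate.
    $table_name = $wpdb->prefix . "adintegration";
    // Only attempts newer than this Unix timestamp count towards the limit.
    $since = time() - (int)$seconds;
    // Bind the login name as a parameter; it is attacker-controlled input.
    $sql = $wpdb->prepare(
        "SELECT count(*) AS count FROM $table_name WHERE user_login = %s AND failed_login_time >= %d",
        $username,
        $since
    );
    // get_var() hands back a string (or null when nothing matched); normalise to int
    // so callers can compare against the configured maximum directly.
    return (int)$wpdb->get_var($sql);
}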
/**
* Deletes entries from the store whose failed-login time is more than the specified number of seconds ago.
* Also deletes all entries of a user if a username is given.
*
* @param int $seconds age threshold in seconds
* @param string|null $username optional login name whose entries are removed as well
* @return void
*/
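function _cleanup_failed_logins($seconds, $username = NULL) {
    global $wpdb;
    // Site-configured prefix; safe to interpolate.
    $table_name = $wpdb->prefix . "adintegration";
    // Rows older than this Unix timestamp are stale and get purged.
    $cutoff = time() - (int)$seconds;
    if ($username !== null && $username !== '') {
        // A successful login also wipes that user's own history; bind the
        // login name as a parameter since it originates from the login form.
        $sql = $wpdb->prepare(
            "DELETE FROM $table_name WHERE failed_login_time < %d OR user_login = %s",
            $cutoff,
            $username
        );
    } else {
        $sql = $wpdb->prepare(
            "DELETE FROM $table_name WHERE failed_login_time < %d",
            $cutoff
        );
    }
    $wpdb->query($sql);
}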
/**
* Get the rest of the time an account is blocked.
*
* @param $username
* @return int seconds the account is blocked, or 0
*/
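function _get_rest_of_blocking_time($username) {
    global $wpdb;
    // Site-configured prefix; safe to interpolate.
    $table_name = $wpdb->prefix . "adintegration";
    // Length of a block, in seconds, counted from the most recent failed attempt.
    $block_time = (int)get_option('AD_Integration_block_time');
    // Bind the login name as a parameter; it is attacker-controlled input.
    $sql = $wpdb->prepare(
        "SELECT max(failed_login_time) FROM $table_name WHERE user_login = %s",
        $username
    );
    $max_time = $wpdb->get_var($sql);
    // No recorded failures for this login: nothing is blocked.
    if ($max_time === null) {
        return 0;
    }
    // Clamp at zero so an expired block is reported as "not blocked", as documented,
    // instead of as a negative number of seconds.
    return max(0, ((int)$max_time + $block_time) - time());
}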
/**
* Generate a random password.
*
* @param int $length Length of the password
* @return string the generated password
*/
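function _get_password($length = 10) {
    $length = (int)$length;
    if ($length <= 0) {
        return '';
    }
    // Each random byte yields two hex characters, so half the requested length
    // (rounded up) in bytes is enough for any $length, not just up to 32.
    $bytes = (int)ceil($length / 2);
    if (function_exists('random_bytes')) {
        // Cryptographically secure source; this value ends up as a real account password.
        $hex = bin2hex(random_bytes($bytes));
    } elseif (function_exists('openssl_random_pseudo_bytes')) {
        $hex = bin2hex(openssl_random_pseudo_bytes($bytes));
    } else {
        // Last resort on runtimes without a CSPRNG: the original time-derived
        // scheme, which is predictable and should not be relied upon.
        $hex = md5(uniqid(microtime(), true));
    }
    return substr($hex, 0, $length);
}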
/*
* Create a new WordPress account for the specified username.
*/
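function _create_user($username, $email, $first_name, $last_name, $role = '') {
    // The user never types this password; it only has to be unguessable.
    $password = $this->_get_password();
    $email_domain = get_option('AD_Integration_default_email_domain');
    $append_suffix_to_new_users = get_option('AD_Integration_append_suffix_to_new_users');
    // The directory may return no mail attribute at all (null), not just an
    // empty string; fall back to <login>@<default domain> in both cases.
    if (empty($email)) {
        $email = $username . '@' . $email_domain;
    }
    // The WordPress login optionally carries the AD account suffix.
    if ($append_suffix_to_new_users) {
        $username .= get_option('AD_Integration_account_suffix');
    }
    require_once(ABSPATH . WPINC . DIRECTORY_SEPARATOR . 'registration.php');
    // wp_create_user() reports failure itself (WP_Error or no id); use that
    // result instead of discarding it and re-querying by login name.
    $user_id = wp_create_user($username, $password, $email);
    if (is_wp_error($user_id) || !$user_id) {
        die("Error creating user!");
    }
    update_usermeta($user_id, 'first_name', $first_name);
    update_usermeta($user_id, 'last_name', $last_name);
    // Only touch the role when a group-to-role mapping actually produced one.
    if ($role !== null && $role !== '') {
        wp_update_user(array("ID" => $user_id, "role" => $role));
    }
}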
/**
* Updates a specific Wordpress user account
*/
function _update_user($username, $email, $first_name, $last_name, $role = '') {
    $default_domain = get_option('AD_Integration_default_email_domain');
    $suffix_new_users = get_option('AD_Integration_append_suffix_to_new_users');
    // Fall back to <login>@<default domain> when the directory supplied no address.
    if ( $email == '' ) {
        $email = $username . '@' . $default_domain;
    }
    // The stored WordPress login may carry the AD account suffix.
    if ($suffix_new_users) {
        $username .= get_option('AD_Integration_account_suffix');
    }
    require_once(ABSPATH . WPINC . DIRECTORY_SEPARATOR . 'registration.php');
    $user_id = username_exists($username);
    if ( !$user_id ) {
        die("Error updating user!");
    }
    update_usermeta($user_id, 'first_name', $first_name);
    update_usermeta($user_id, 'last_name', $last_name);
    // Only rewrite the role when a mapping produced one.
    if ( $role != '' ) {
        wp_update_user(array("ID" => $user_id, "role" => $role));
    }
}
/**
* Checks if the user is member of the group allowed to login
*
* @param $username
* @return boolean
*/
function _check_authorization_by_group($username) {
    // With group authorization switched off, every authenticated user is allowed in.
    if (!get_option('AD_Integration_authorize_by_group')) {
        return true;
    }
    // Otherwise membership in the configured group decides (recursive lookup).
    $allowed_group = get_option('AD_Integration_authorization_group');
    return $this->adldap->user_ingroup($username, $allowed_group, true);
}
/**
* Get the first matching role from the list of role equivalent groups the user belongs to.
*
* @param $ad_username
* @return string matching role
*/
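function _get_user_role_equiv($ad_username)
{
    // Semicolon-separated list of "<AD group>=<WordPress role>" pairs.
    $role_equiv_groups = get_option('AD_Integration_role_equivalent_groups');
    $role_equiv_groups = explode(';', $role_equiv_groups);
    foreach ($role_equiv_groups as $role_group) {
        $parts = explode('=', $role_group);
        // Malformed or empty entries are skipped. (The original used a bare
        // `next;` here, which is not a loop-control statement in PHP, so the
        // undefined role half of the pair could leak through as the result.)
        if (count($parts) != 2) {
            continue;
        }
        $ad_group = $parts[0];
        $corresponding_role = $parts[1];
        // First matching group wins (recursive membership lookup).
        if ($this->adldap->user_ingroup($ad_username, $ad_group, true)) {
            return $corresponding_role;
        }
    }
    // No configured group matched.
    return '';
}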
/*
function _add_users_for_role_equivalent_groups($ad_username, $ad_password)
{
$authenticated = false;
$account_suffix = get_option('AD_Integration_account_suffix');
$domain_controllers = explode(';',
get_option('AD_Integration_domain_controllers')
);
$base_dn = get_option('AD_Integration_base_dn');
$this->adldap = new adLDAP(array(
"account_suffix" => $account_suffix,
"base_dn" => "DC=qc,DC=ads",
"domain_controllers" => $domain_controllers
));
if ( $this->adldap->authenticate($ad_username, $ad_password) )
{
$authenticated = true;
}
if ( $authenticated == false )
{
return "Cannot log on to Active Directory system with the provided credentials.";
echo $ad_username . $ad_password;
}
$users_added = "";
$letters = array('a', 'b', 'c', 'd', 'e', 'f',
'g', 'h', 'i', 'j',
'k', 'l', 'm', 'n', 'o', 'p', 'q', 'r', 's',
't', 'u', 'v', 'w', 'x', 'y', 'z');
$prefixes = array();
foreach ( $letters as $l1 )
foreach ( $letters as $l2 )
$prefixes[] = $l1 . $l2;
$users = array();
foreach ( $prefixes as $prefix )
{
$users_new = array_merge($users,
$this->adldap->listUsersWithNames($prefix . "*"));
$users = $users_new;
}
$role_equiv_groups = get_option('AD_Integration_role_equivalent_groups');
$role_equiv_groups = explode(';', $role_equiv_groups);
foreach ( $users as $check_username => $user )
{
$wp_user = get_userdatabylogin(
$check_username . $account_suffix);
if ( ! $wp_user or $wp_user->user_login != $check_username)
{
$user_role = $this->_get_user_role_equiv($this->adldap, $check_username);
if ( $user_role != '' )
{
$userinfo = $this->adldap->user_info($check_username,
array("sn", "givenname", "mail")
);
$userinfo = $userinfo[0];
$email = $userinfo['mail'][0];
$first_name = $userinfo['givenname'][0];
$last_name = $userinfo['sn'][0];
$this->_create_user($check_username . $account_suffix,
$email, $first_name,
$last_name, $user_role);
$users_added .= "
$check_username$account_suffix";
}
}
}
if ( $users_added != "" )
{
return "The following users were created: $users_added";
}
else
{
return "No users were added. (This can occur if you do not have sufficient AD permissions, or you provided incorrect login information.)";
}
}
*/
/**
* Show a blocking page for blocked accounts.
*
* @param $username
*/
function _display_blocking_page($username) {
$seconds = $this->_get_rest_of_blocking_time($username);
?>
>