From 1b77946646ed5b4bc2d74ca2753a49d83227cb2c Mon Sep 17 00:00:00 2001
From: Martin Haase <martin.haase@daasi.de>
Date: Wed, 15 Jun 2011 15:45:01 +0000
Subject: [PATCH] resolved TG-1135 and TG-1223

git-svn-id: https://textgridlab.org/svn/textgrid/trunk/middleware/tgauth@10190 7c539038-3410-0410-b1ec-0f2a7bf1c452
---
 .../AutoReg/runAutoregClient.sh | 2 +-
 .../WebAuthN/PutAttributes.php | 17 ++++-
 .../WebAuthN/TextGrid-WebAuth.php | 12 +++-
 .../secure/portal.cgi | 1 +
 .../tglib/LDAP.class.php | 72 ++++++++++++++++++-
 .../tglib/WebUtils.class.php | 6 +-
 6 files changed, 103 insertions(+), 7 deletions(-)

diff --git a/info.textgrid.middleware.tgauth.webauth/AutoReg/runAutoregClient.sh b/info.textgrid.middleware.tgauth.webauth/AutoReg/runAutoregClient.sh
index d899225..676d89b 100755
--- a/info.textgrid.middleware.tgauth.webauth/AutoReg/runAutoregClient.sh
+++ b/info.textgrid.middleware.tgauth.webauth/AutoReg/runAutoregClient.sh
@@ -4,4 +4,4 @@ cd /usr/local/bin/VOMRSclient/bin
 export CLASSPATH="/usr/local/bin/VOMRSclient/lib/*:."
-java -Daxis.socketSecureFactory=org.glite.security.trustmanager.axis.AXISSocketFactory -DsslConfigFile=auth.properties Autoreg "$@"
\ No newline at end of file
+java -Daxis.socketSecureFactory=org.glite.security.trustmanager.axis.AXISSocketFactory -DsslConfigFile=auth.properties Autoreg "$@"
diff --git a/info.textgrid.middleware.tgauth.webauth/WebAuthN/PutAttributes.php b/info.textgrid.middleware.tgauth.webauth/WebAuthN/PutAttributes.php
index 825e80a..18c8b66 100755
--- a/info.textgrid.middleware.tgauth.webauth/WebAuthN/PutAttributes.php
+++ b/info.textgrid.middleware.tgauth.webauth/WebAuthN/PutAttributes.php
@@ -7,8 +7,10 @@
 // #######################################################
 include("../tglib/RBAC.class.php");
+include("../tglib/LDAP.class.php");
 include("../tglib/WebUtils.class.php");
+
 $configfile = "../../../config_tgwebauth.xml";
 $util = new WebUtils;
@@ -71,8 +73,21 @@ foreach ($attributes as $a) {
 //fwrite ($file, "putting these attrs: ". serialize ($newattributes) ."\n");
 //fclose ($file);
-
+// write in RBAC
 $res = $rbac->setAttributes($newattributes, $Sid, $loginmode );
+
+// write in LDAP if it is a textgrid.de account and something relevant changed
+// AND if setAttributes returned success, i.e. the SID was valid
+if (stripos($remote_user, "@textgrid.de") > 0 && is_object($res) && $res->result == true) {
+ $ldap = new LDAP ( $configfile );
+ $ldapres = $ldap->setUserAttributes($newattributes, $remote_user);
+ if ($ldapres["success"] == FALSE) {
+ echo "Could not modify base data in community LDAP: ";
+ echo $ldapres["detail"];
+ exit;
+ }
+}
+
 if ((is_array($res) && $res['success'] == FALSE) || (is_object($res) && $res->result == FALSE)) {
 echo "something went wrong". serialize($res);
 exit;
diff --git a/info.textgrid.middleware.tgauth.webauth/WebAuthN/TextGrid-WebAuth.php b/info.textgrid.middleware.tgauth.webauth/WebAuthN/TextGrid-WebAuth.php
index 82f5df7..7bbfdd9 100644
--- a/info.textgrid.middleware.tgauth.webauth/WebAuthN/TextGrid-WebAuth.php
+++ b/info.textgrid.middleware.tgauth.webauth/WebAuthN/TextGrid-WebAuth.php
@@ -45,8 +45,8 @@ if (isset ($_REQUEST["loginname"]) && strlen($_REQUEST["loginname"]) > 0
 // Variant 2: Shibboleth gave us the right REMOTE_USER.
-// We create a Session here, also for Variant1
-if (isset ($_SERVER["REMOTE_USER"])) { // this holds for shib, too
+// We create a Session here in RBAC, also for Variant1
+if (isset ($_SERVER["REMOTE_USER"])) { // this holds for both shib and ldap authN
 // now creating session, activating roles, etc, in RBAC
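Review bot: The textgrid.de test `stripos($remote_user, "@textgrid.de") > 0` matches the substring anywhere in the identity, so a value such as `someone@textgrid.de.example.org` (constructed) is treated as a local account and routed to the community-LDAP write; compare the domain after the last `@` instead, e.g. `$domain = strtolower((string) substr(strrchr($remote_user, '@'), 1));` followed by `if ($domain === 'textgrid.de' && is_object($res) && $res->result == true) {`. The same substring test decides the readonly flag in the WebUtils.class.php hunk (`stripos($remote_user, "@textgrid.de") === FALSE`) and should use the same domain comparison. Note also that the RBAC write on the `$res` line has already happened by the time the LDAP write fails, so the `exit` leaves the two stores out of step, and `$ldapres["detail"]` — which carries the raw `ldap_error()` text and the search filter — is echoed straight to the browser; a generic message with the detail written to the server log would be safer. Where `$remote_user` is set is outside the hunk; the domain check assumes it is the authenticated identity.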
@@ -106,7 +106,13 @@ if ($rbac->enoughUserAttributes( $Sid ) && isset ($_SERVER["REMOTE_USER"])) {
 } else {
 // now presenting the form, let JavaScript take care for the non-empty-check and the help
 // the form will return either displaying the Sid or just an ACK
- $util->printAttributeForm( $attributes, $ProvidedAttributes, $AttributeMap, $Sid, $authZinstance, $_SERVER["REMOTE_USER"]);
+ if (isset ($_SERVER["REMOTE_USER"])) {
+ $util->printAttributeForm( $attributes, $ProvidedAttributes, $AttributeMap, $Sid, $authZinstance, $_SERVER["REMOTE_USER"]);
+ } else if (isset ($_REQUEST["ePPN"])) { // direct invocation of userdata modification dialogue
+ $util->printAttributeForm( $attributes, null, null, $Sid, $authZinstance, $_REQUEST["ePPN"]);
+ } else {
+ echo "Could not modify attributes, not enough information";
+ }
 }
 ?>
\ No newline at end of file
diff --git a/info.textgrid.middleware.tgauth.webauth/secure/portal.cgi b/info.textgrid.middleware.tgauth.webauth/secure/portal.cgi
index 188b43a..0590da9 100644
--- a/info.textgrid.middleware.tgauth.webauth/secure/portal.cgi
+++ b/info.textgrid.middleware.tgauth.webauth/secure/portal.cgi
@@ -98,6 +98,7 @@ sub handleSuccess {
 my $certificate = $cgi->param("certificate");
 my $userDetails = $cgi->param("portalData");
+
 @all = split "\\|", $userDetails;
 $eppn = $all[0];
 $sid = $all[1];
diff --git a/info.textgrid.middleware.tgauth.webauth/tglib/LDAP.class.php b/info.textgrid.middleware.tgauth.webauth/tglib/LDAP.class.php
index 16abe8b..64646c1 100644
--- a/info.textgrid.middleware.tgauth.webauth/tglib/LDAP.class.php
+++ b/info.textgrid.middleware.tgauth.webauth/tglib/LDAP.class.php
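Review bot: The new `else if (isset ($_REQUEST["ePPN"]))` branch takes the user identity from the request itself — there is no REMOTE_USER in this branch, so nothing ties the ePPN to an authenticated principal before it is handed to printAttributeForm as `$remote_user`. Whether PutAttributes later rejects a mismatch depends on how `$Sid` is validated in RBAC (outside this hunk), but the form is rendered for whatever ePPN the client names, and that value is also what drives the readonly decision in WebUtils; it should be checked against the identity bound to `$Sid` (or derived from the session) before use, with at least a shape check such as `if (!preg_match('/\A[^@\s]+@[A-Za-z0-9.-]+\z/', $_REQUEST["ePPN"])) { echo "Could not modify attributes, invalid ePPN"; exit; }`. printAttributeForm is not in this hunk, so I cannot see whether it HTML-escapes `$remote_user` before echoing it into the form markup; if it does not, this request parameter needs `htmlspecialchars()` at the point of output. The enclosing if/else begins before this hunk.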
@@ -19,6 +19,12 @@ class LDAP {
 protected $filter;
 protected $IDattribute;
 protected $LDAPname;
+ public $availableAttributes = array("o", "sn", "givenName", "cn", "mail");
+ public $AttributeMap = Array ('surname' => 'sn',
+ 'organisation' => 'o',
+ 'givenname' => 'givenName',
+ 'displayname' => 'cn',
+ 'mail' => 'mail');
 public function __construct( $configfilepath ) {
 $config = new DOMDocument();
@@ -33,6 +39,9 @@ class LDAP {
 $this->filter = $xpath->query("/c:conf/c:authn[@type='community']/c:key[@name='filter']")->item(0)->nodeValue;
 $this->IDattribute = $xpath->query("/c:conf/c:authn[@type='community']/c:key[@name='IDattribute']")->item(0)->nodeValue;
 $this->LDAPname = $xpath->query("/c:conf/c:authn[@type='community']/c:key[@name='name']")->item(0)->nodeValue;
+ $this->setAttributesDN = $xpath->query("/c:conf/c:authn[@type='community']/c:key[@name='setAttributesDN']")->item(0)->nodeValue;
+ $this->setAttributesPW = $xpath->query("/c:conf/c:authn[@type='community']/c:key[@name='setAttributesPW']")->item(0)->nodeValue;
+
 }
 public function authenticate ($login, $password) {
@@ -65,7 +74,7 @@ class LDAP {
 public function getUserAttributes () {
 $rethash = array();
- foreach (array("o", "sn", "givenName", "cn", "mail") as $a) {
+ foreach ($this->availableAttributes as $a) {
 if ( isset($this->UserAttributes[$a])) {
 $vals = array();
 for ($i=0; $i<$this->UserAttributes[$a]['count']; $i++) {
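Review bot: `$availableAttributes` and `$AttributeMap` are declared `public`, yet `$AttributeMap` is the allow-list that decides which submitted attribute names setUserAttributes (later hunk in this file) will write to LDAP, so any code holding the object can widen it; unless a caller reads them directly, `protected` matches the neighbouring `protected $filter;` declarations and keeps the list under the class's control. `Array (` on the `$AttributeMap` line also differs from the lowercase `array(` used on the line above and elsewhere in the class: `public $AttributeMap = array('surname' => 'sn',`. A one-line comment stating the key direction would help readers of setUserAttributes, e.g. `// maps RBAC attribute names (keys) to LDAP attribute types (values)`.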
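Review bot: `$this->setAttributesDN` and `$this->setAttributesPW` are assigned in the constructor but never declared, while the class lists `protected $filter; protected $IDattribute; protected $LDAPname;` above — as undeclared properties they are created dynamically and are public, so the write-bind password becomes readable as `$ldap->setAttributesPW` from any caller; add `protected $setAttributesDN;` and `protected $setAttributesPW;` next to the other declarations. Like the three lines above them, the new `->item(0)->nodeValue` chains fatal with a call on a non-object when the config key is absent; since a missing key here means the later write bind fails with an unhelpful message, a null check on the `item(0)` result that throws a descriptive exception is worth adding for these two keys. The constructor begins before this hunk.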
@@ -77,6 +86,67 @@ class LDAP {
 return $rethash;
 }
+ public function setUserAttributes ($attrHash, $remote_user) {
+
+ $arrModify = Array();
+ $needsModification = FALSE;
+ $sendOutMail = FALSE;
+
+ foreach ($attrHash as $a) {
+ if (in_array($a->name, array_keys ($this->AttributeMap))) {
+ $arrModify[$this->AttributeMap[$a->name]][] = $a->value;
+ $needsModification = TRUE;
+ if ($a->name === "mail") {
+ $sendOutMail = $a->value;
+ }
+ }
+ }
+
+ if (! $needsModification ) {
+ return array("success" => TRUE,
+ "detail" => "Nothing to do");
+ }
+
+
+ $ldapconn = ldap_connect( $this->ldaphost, $this->ldapport );
+ // ldap_connect always returns a handle, does not connect yet
+ // or return array("success" => FALSE, "detail" => "Cannot connect to {$ldaphost}!");
+
+ ldap_set_option($ldapconn, LDAP_OPT_PROTOCOL_VERSION, 3);
+ //ldap_start_tls( $ldapconn );
+
+ $bound = ldap_bind($ldapconn, $this->setAttributesDN , $this->setAttributesPW);
+ if (!$bound) {
+ return array("success" => FALSE,
+ "detail" => "Authentication failed, reason: " . ldap_error ($ldapconn));
+ } else {
+ $filter = "(". $this->IDattribute."=".$remote_user.")";
+ $result = ldap_search( $ldapconn, $this->basedn, $filter);
+ if ($result === FALSE ) {
+ return array("success" => FALSE,
+ "detail" => "Could not find this user with the filter: ".$filter . ldap_error ($ldapconn));
+ }
+ $entry = ldap_first_entry( $ldapconn , $result );
+ $oldmailsArr = ldap_get_values ($ldapconn, $entry, "mail");
+ if ($sendOutMail !== FALSE) {
+ $this->sendmailOut($oldmailsArr, $sendOutMail );
+ }
+
+ $modifyResult = ldap_modify($ldapconn, ldap_get_dn($ldapconn, $entry), $arrModify);
+
+ if ($modifyResult == FALSE ) {
+ return array("success" => FALSE,
+ "detail" => "Could not modify this user:" . ldap_error ($ldapconn));
+ }
+ return array("success" => TRUE, "detail" => "Alles bestens");
+ }
+ }
+
+ public function sendmailOut($oldmailsArr, $newMail ) {
+
+ }
+
+
 }
 ?>
\ No newline at end of file
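Review bot: In setUserAttributes `$remote_user` is concatenated into the LDAP search filter (`$filter = "(". $this->IDattribute."=".$remote_user.")";`) without filter escaping, so a value containing `*`, `(`, `)` or `\` changes the filter's meaning and the following `ldap_get_dn` / `ldap_modify` may act on an entry other than the caller's own; the RFC 4515 special characters must be escaped before the value is embedded (`ldap_escape($v, '', LDAP_ESCAPE_FILTER)` on PHP 5.6+, or the `str_replace` table below on older PHP). `ldap_search()` returns a result resource even when nothing matched, so the `$result === FALSE` test does not cover "user not found": `ldap_first_entry()` then returns FALSE and `ldap_get_values()` / `ldap_get_dn()` are called on it; require `ldap_count_entries()` to be exactly 1 before touching the entry, which also rules out a filter that matches several users. Smaller points: `$modifyResult == FALSE` should be `=== FALSE`, the bound connection is never released with `ldap_unbind()`, and `sendmailOut()` is an empty stub that the mail branch already calls — mark it `// TODO: notify the old and the new address about the change` or drop the call until it does something. The "detail" strings returned here are printed to the browser by PutAttributes.php, so the raw `ldap_error()` text and the filter (which embeds the user id) belong in a server log rather than the response.
```php
        } else {
            // RFC 4515: escape filter metacharacters before embedding the user id.
            $safeUser = str_replace(array('\\', '*', '(', ')', "\0"),
                                    array('\5c', '\2a', '\28', '\29', '\00'),
                                    $remote_user);
            $filter = "(" . $this->IDattribute . "=" . $safeUser . ")";
            $result = ldap_search( $ldapconn, $this->basedn, $filter);
            // A search that matches nothing still returns a resource; insist on one entry.
            if ($result === FALSE || ldap_count_entries($ldapconn, $result) !== 1) {
                $detail = ($result === FALSE) ? ldap_error($ldapconn) : "no unique match";
                ldap_unbind($ldapconn);
                return array("success" => FALSE,
                             "detail" => "Could not find this user: " . $detail);
            }
            $entry = ldap_first_entry( $ldapconn , $result );
            // … unchanged: old mail lookup, sendmailOut, ldap_modify, result handling …
```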
diff --git a/info.textgrid.middleware.tgauth.webauth/tglib/WebUtils.class.php b/info.textgrid.middleware.tgauth.webauth/tglib/WebUtils.class.php
index ac2c36a..41284c2 100644
--- a/info.textgrid.middleware.tgauth.webauth/tglib/WebUtils.class.php
+++ b/info.textgrid.middleware.tgauth.webauth/tglib/WebUtils.class.php
@@ -212,6 +212,8 @@ class WebUtils {
 echo "</head>\n<body>\n";
 echo "<h2>$title</h2>\n";
+ // echo "This is what we got for sure:". serialize ($providedAttrs);
+ // echo $remote_user .serialize ( $attrMap );
 echo "<form name=\"Formular\" action=\"PutAttributes.php\" method=\"post\" onsubmit=\"return chkFormular()\">\n";
 echo "<table>\n";
@@ -223,7 +225,9 @@ class WebUtils {
 $providedreadonly = "";
 if (isset($attrMap[$a->name]) && isset($providedAttrs[$attrMap[$a->name]])) {
 $oldval = $providedAttrs[$attrMap[$a->name]];
- $providedreadonly = " readonly=\"readonly\"";
+ if (stripos($remote_user, "@textgrid.de") === FALSE) {
+ $providedreadonly = " readonly=\"readonly\"";
+ }
 }
 if ($this->isBoolean ($a)) {
 if ($oldval === "TRUE") {
-- 
GitLab
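Review bot: The two added lines are commented-out debug output (`// echo "This is what we got for sure:". serialize ($providedAttrs);` and the `$remote_user`/`$attrMap` line) committed into the page-rendering path; if ever uncommented they dump the user's attribute set and identity into the HTML. Remove them, or route the information through a server-side log call behind a debug flag rather than `echo`. The surrounding printAttributeForm body starts and ends outside this hunk.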