r107409 MediaWiki - Code Review archive

Repository:MediaWiki
Date:20:03, 27 December 2011
Author:laner
Status:resolved (Comments)
Tags:
Comment:
* Removed deprecated features
** Old style preference retrieval has been removed
** Old style group based restrictions have been removed
* Removed unused features
** The username synching was never used, as support wasn't added to core for it, so it's been removed
* Debug message clean up. Removed redundant messages, clarified other messages
* Added wrapper functions for all ldap_* functions used, to replace the @ldap_* error-suppression calls in a cleaner way
Modified paths:
  • /trunk/extensions/LdapAuthentication/LdapAuthentication.php (modified) (history)
  • /trunk/extensions/LdapAuthentication/LdapAutoAuthentication.php (modified) (history)


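--- a/trunk/extensions/LdapAuthentication/LdapAutoAuthentication.php
+++ b/trunk/extensions/LdapAuthentication/LdapAutoAuthentication.php
@@ -26,6 +26,7 @@
 
 $autoauthname = $wgAuth->getConf( 'AutoAuthUsername' );
 $wgAuth->printDebug( "Calling authenticate with username ($autoauthname).", NONSENSITIVE );
+
 // The user hasn't already been authenticated, let's check them
 $authenticated = $wgAuth->authenticate( $autoauthname );
 if ( !$authenticated ) {
@@ -35,7 +36,7 @@
 return false;
 }
 
-// We need the username that MediaWiki will always use, *not* the one we
+// We need the username that MediaWiki will always use, not necessarily the one we
 // get from LDAP.
 $mungedUsername = $wgAuth->getCanonicalName( $autoauthname );
 
@@ -111,4 +112,5 @@
 
 return true;
 }
+
 }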
Index: trunk/extensions/LdapAuthentication/LdapAuthentication.php
@@ -61,11 +61,9 @@
6262 $wgLDAPUpdateLDAP = array();
6363 $wgLDAPPasswordHash = array();
6464 $wgLDAPMailPassword = array();
65 -$wgLDAPRetrievePrefs = array();
6665 $wgLDAPPreferences = array();
6766 $wgLDAPDisableAutoCreate = array();
6867 $wgLDAPDebug = 0;
69 -$wgLDAPGroupDN = ""; //Deprecated
7068 $wgLDAPGroupUseFullDN = array();
7169 $wgLDAPLowerCaseUsername = array();
7270 $wgLDAPLowerCaseUsernameScheme = array();
@@ -83,9 +81,6 @@
8482 $wgLDAPAuthAttribute = array();
8583 $wgLDAPAutoAuthUsername = "";
8684 $wgLDAPAutoAuthDomain = "";
87 -$wgLDAPUniqueAttribute = array(); //Currently unused
88 -$wgLDAPUniqueBlockLogin = array(); //Currently unused
89 -$wgLDAPUniqueRenameUser = array(); //Currently unused
9085 $wgPasswordResetRoutes['domain'] = true;
9186
9287 define( "LDAPAUTHVERSION", "2.0a" );
@@ -115,7 +110,7 @@
116111 define( "SENSITIVE", 2 );
117112 define( "HIGHLYSENSITIVE", 3 );
118113
119 -class LdapAuthenticationPlugin extends AuthPlugin {
 114+class LdapAuthenticationextends AuthPlugin {
120115
121116 // ldap connection resource
122117 var $ldapconn;
@@ -145,6 +140,185 @@
146141 // the user we are currently bound as
147142 var $boundAs;
148143
 144+ /**
 145+ * Wrapper for ldap_connect
 146+ */
 147+ public static function ldap_connect( $hostname=null, $port=389 ) {
 148+ wfSuppressWarnings();
 149+ $ret = ldap_connect( $hostname, $port );
 150+ wfRestoreWarnings();
 151+ return $ret;
 152+ }
 153+
 154+ /**
 155+ * Wrapper for ldap_bind
 156+ */
 157+ public static function ldap_bind( $ldapconn, $dn=null, $password=null ) {
 158+ wfSuppressWarnings();
 159+ $ret = ldap_bind( $ldapconn, $dn, $password );
 160+ wfRestoreWarnings();
 161+ return $ret;
 162+ }
 163+
 164+ /**
 165+ * Wrapper for ldap_unbind
 166+ */
 167+ public static function ldap_unbind( $ldapconn ) {
 168+ if ( $ldapconn ) {
 169+ wfSuppressWarnings();
 170+ $ret = ldap_unbind( $ldapconn );
 171+ wfRestoreWarnings();
 172+ } else {
 173+ $ret = false;
 174+ }
 175+ return $ret;
 176+ }
 177+
 178+ /**
 179+ * Wrapper for ldap_modify
 180+ */
 181+ public static function ldap_modify( $ldapconn, $dn, $entry ) {
 182+ wfSuppressWarnings();
 183+ $ret = ldap_modify( $ldapconn, $dn, $entry );
 184+ wfRestoreWarnings();
 185+ return $ret;
 186+ }
 187+
 188+ /**
 189+ * Wrapper for ldap_add
 190+ */
 191+ public static function ldap_add( $ldapconn, $dn, $entry ) {
 192+ wfSuppressWarnings();
 193+ $ret = ldap_add( $ldapconn, $dn, $entry );
 194+ wfRestoreWarnings();
 195+ return $ret;
 196+ }
 197+
 198+ /**
 199+ * Wrapper for ldap_delete
 200+ */
 201+ public static function ldap_delete( $ldapconn, $dn ) {
 202+ wfSuppressWarnings();
 203+ $ret = ldap_delete( $ldapconn, $dn );
 204+ wfRestoreWarnings();
 205+ return $ret;
 206+ }
 207+
 208+ /**
 209+ * Wrapper for ldap_search
 210+ */
 211+ public static function ldap_search( $ldapconn, $basedn, $filter, $attributes=null, $attrsonly=null, $sizelimit=null, $timelimit=null, $deref=null ) {
 212+ wfSuppressWarnings();
 213+ if ( $attributes ) {
 214+ if ( $attrsonly ) {
 215+ if ( $sizelimit ) {
 216+ if ( $timelimit ) {
 217+ if ( $deref ) {
 218+ $ret = ldap_search( $ldapconn, $basedn, $filter, $attributes, $attrsonly, $sizelimit, $timelimit, $deref );
 219+ } else {
 220+ $ret = ldap_search( $ldapconn, $basedn, $filter, $attributes, $attrsonly, $sizelimit, $timelimit );
 221+ }
 222+ } else {
 223+ $ret = ldap_search( $ldapconn, $basedn, $filter, $attributes, $attrsonly, $sizelimit );
 224+ }
 225+ } else {
 226+ $ret = ldap_search( $ldapconn, $basedn, $filter, $attributes, $attrsonly );
 227+ }
 228+ } else {
 229+ $ret = ldap_search( $ldapconn, $basedn, $filter, $attributes );
 230+ }
 231+ } else {
 232+ $ret = ldap_search( $ldapconn, $basedn, $filter );
 233+ }
 234+ wfRestoreWarnings();
 235+ return $ret;
 236+ }
 237+
 238+ /**
 239+ * Wrapper for ldap_read
 240+ */
 241+ public static function ldap_read( $ldapconn, $basedn, $filter, $attributes=null, $attrsonly=null, $sizelimit=null, $timelimit=null, $deref=null ) {
 242+ wfSuppressWarnings();
 243+ if ( $attributes ) {
 244+ if ( $attrsonly ) {
 245+ if ( $sizelimit ) {
 246+ if ( $timelimit ) {
 247+ if ( $deref ) {
 248+ $ret = ldap_read( $ldapconn, $basedn, $filter, $attributes, $attrsonly, $sizelimit, $timelimit, $deref );
 249+ } else {
 250+ $ret = ldap_read( $ldapconn, $basedn, $filter, $attributes, $attrsonly, $sizelimit, $timelimit );
 251+ }
 252+ } else {
 253+ $ret = ldap_read( $ldapconn, $basedn, $filter, $attributes, $attrsonly, $sizelimit );
 254+ }
 255+ } else {
 256+ $ret = ldap_read( $ldapconn, $basedn, $filter, $attributes, $attrsonly );
 257+ }
 258+ } else {
 259+ $ret = ldap_read( $ldapconn, $basedn, $filter, $attributes );
 260+ }
 261+ } else {
 262+ $ret = ldap_read( $ldapconn, $basedn, $filter );
 263+ }
 264+ wfRestoreWarnings();
 265+ return $ret;
 266+ }
 267+
 268+ /**
 269+ * Wrapper for ldap_list
 270+ */
 271+ public static function ldap_list( $ldapconn, $basedn, $filter, $attributes=null, $attrsonly=null, $sizelimit=null, $timelimit=null, $deref=null ) {
 272+ wfSuppressWarnings();
 273+ if ( $attributes ) {
 274+ if ( $attrsonly ) {
 275+ if ( $sizelimit ) {
 276+ if ( $timelimit ) {
 277+ if ( $deref ) {
 278+ $ret = ldap_list( $ldapconn, $basedn, $filter, $attributes, $attrsonly, $sizelimit, $timelimit, $deref );
 279+ } else {
 280+ $ret = ldap_list( $ldapconn, $basedn, $filter, $attributes, $attrsonly, $sizelimit, $timelimit );
 281+ }
 282+ } else {
 283+ $ret = ldap_list( $ldapconn, $basedn, $filter, $attributes, $attrsonly, $sizelimit );
 284+ }
 285+ } else {
 286+ $ret = ldap_list( $ldapconn, $basedn, $filter, $attributes, $attrsonly );
 287+ }
 288+ } else {
 289+ $ret = ldap_list( $ldapconn, $basedn, $filter, $attributes );
 290+ }
 291+ } else {
 292+ $ret = ldap_list( $ldapconn, $basedn, $filter );
 293+ }
 294+ wfRestoreWarnings();
 295+ return $ret;
 296+ }
 297+
 298+ /**
 299+ * Wrapper for ldap_get_entries
 300+ */
 301+ public static function ldap_get_entries( $ldapconn, $resultid ) {
 302+ wfSuppressWarnings();
 303+ $ret = ldap_get_entries( $ldapconn, $resultid );
 304+ wfRestoreWarnings();
 305+ return $ret;
 306+ }
 307+
 308+ /**
 309+ * Wrapper for ldap_count_entries
 310+ */
 311+ public static function ldap_count_entries( $ldapconn, $resultid ) {
 312+ wfSuppressWarnings();
 313+ $ret = ldap_count_entries( $ldapconn, $resultid );
 314+ wfRestoreWarnings();
 315+ return $ret;
 316+ }
 317+
 318+ /**
 319+ * Get the user's domain as defined in the user's session.
 320+ *
 321+ * @return string
 322+ */
149323 public function getSessionDomain() {
150324 if ( isset( $_SESSION['wsDomain'] ) ) {
151325 return $_SESSION['wsDomain'];
@@ -153,6 +327,12 @@
154328 }
155329 }
156330
 331+ /**
 332+ * Get configuration defined by admin, or return default value
 333+ *
 334+ * @param string $preference
 335+ * @return mixed
 336+ */
157337 public function getConf( $preference ) {
158338 $domain = $this->getSessionDomain();
159339 switch ( $preference ) {
@@ -290,13 +470,6 @@
291471 } else {
292472 return false;
293473 }
294 - case 'RetrievePrefs':
295 - global $wgLDAPRetrievePrefs;
296 - if ( isset( $wgLDAPRetrievePrefs[$domain] ) ) {
297 - return $wgLDAPRetrievePrefs[$domain];
298 - } else {
299 - return false;
300 - }
301474 case 'Preferences':
302475 global $wgLDAPPreferences;
303476 if ( isset( $wgLDAPPreferences[$domain] ) ) {
@@ -311,13 +484,6 @@
312485 } else {
313486 return false;
314487 }
315 - case 'GroupDN':
316 - global $wgLDAPGroupDN;
317 - if ( isset( $wgLDAPGroupDN[$domain] ) ) {
318 - return $wgLDAPGroupDN[$domain];
319 - } else {
320 - return '';
321 - }
322488 case 'GroupUseFullDN':
323489 global $wgLDAPGroupUseFullDN;
324490 if ( isset( $wgLDAPGroupUseFullDN[$domain] ) ) {
@@ -328,6 +494,7 @@
329495 case 'LowerCaseUsername':
330496 global $wgLDAPLowerCaseUsername;
331497 if ( isset( $wgLDAPLowerCaseUsername[$domain] ) ) {
 498+ $this->printDebug( "Configuration set to lowercase username.", NONSENSITIVE );
332499 return $wgLDAPLowerCaseUsername[$domain];
333500 } else {
334501 return false;
@@ -431,27 +598,6 @@
432599 case 'AutoAuthDomain':
433600 global $wgLDAPAutoAuthDomain;
434601 return $wgLDAPAutoAuthDomain;
435 - case 'UniqueAttribute':
436 - global $wgLDAPUniqueAttribute;
437 - if ( isset( $wgLDAPUniqueAttribute[$domain] ) ) {
438 - return $wgLDAPUniqueAttribute[$domain];
439 - } else {
440 - return '';
441 - }
442 - case 'UniqueBlockLogin':
443 - global $wgLDAPUniqueBlockLogin;
444 - if ( isset( $wgLDAPUniqueBlockLogin[$domain] ) ) {
445 - return $wgLDAPUniqueBlockLogin[$domain];
446 - } else {
447 - return false;
448 - }
449 - case 'UniqueRenameUser':
450 - global $wgLDAPUniqueRenameUser;
451 - if ( isset( $wgLDAPUniqueRenameUser[$domain] ) ) {
452 - return $wgLDAPUniqueRenameUser[$domain];
453 - } else {
454 - return false;
455 - }
456602 }
457603 }
458604
@@ -479,7 +625,7 @@
480626
481627 $this->connect();
482628 if ( $this->ldapconn ) {
483 - $this->printDebug( "Successfully connected", NONSENSITIVE );
 629+ $this->printDebug( "PHP's LDAP connect method returned true (note, this does not imply it connected to the server).", NONSENSITIVE );
484630
485631 $searchstring = $this->getSearchString( $username );
486632
@@ -487,17 +633,15 @@
488634 // anything back, then the user exists.
489635 if ( $this->useAutoAuth() && $searchstring != '' ) {
490636 // getSearchString is going to bind, but will not unbind
491 - // Let's clean up
492 - @ldap_unbind();
 637+ LdapAuthentication::ldap_unbind( $this->ldapconn );
493638 return true;
494639 }
495640
496641 // Search for the entry.
497 - $entry = @ldap_read( $this->ldapconn, $searchstring, "objectclass=*" );
 642+ $entry = LdapAuthentication::ldap_read( $this->ldapconn, $searchstring, "objectclass=*" );
498643
499644 // getSearchString is going to bind, but will not unbind
500 - // Let's clean up
501 - @ldap_unbind();
 645+ LdapAuthentication::ldap_unbind( $this->ldapconn );
502646 if ( !$entry ) {
503647 $this->printDebug( "Did not find a matching user in LDAP", NONSENSITIVE );
504648 return false;
@@ -506,7 +650,7 @@
507651 return true;
508652 }
509653 } else {
510 - $this->printDebug( "Failed to connect", NONSENSITIVE );
 654+ $this->printDebug( "PHP's LDAP method returned false, this likely implies a misconfiguration of the plugin.", NONSENSITIVE );
511655 return false;
512656 }
513657 }
@@ -532,8 +676,6 @@
533677 $encryptionType = $this->getConf( 'EncryptionType' );
534678 switch( $encryptionType ) {
535679 case "ldapi":
536 - # this is a really dirty place to put this,
537 - # but it is easy and avoids another config option.
538680 $this->printDebug( "Using ldapi", SENSITIVE );
539681 $serverpre = "ldapi://";
540682 break;
@@ -546,7 +688,7 @@
547689 $serverpre = "ldap://";
548690 }
549691
550 - // Make a space separated list of server strings with the ldap:// or ldaps://
 692+ // Make a space separated list of server strings with the connection type
551693 // string added.
552694 $servers = "";
553695 $tmpservers = $this->getConf( 'ServerNames' );
@@ -560,7 +702,7 @@
561703 $this->printDebug( "Using servers: $servers", SENSITIVE );
562704
563705 // Connect and set options
564 - $this->ldapconn = @ldap_connect( $servers );
 706+ $this->ldapconn = LdapAuthentication::ldap_connect( $servers );
565707 ldap_set_option( $this->ldapconn, LDAP_OPT_PROTOCOL_VERSION, 3 );
566708 ldap_set_option( $this->ldapconn, LDAP_OPT_REFERRALS, 0 );
567709
@@ -570,7 +712,7 @@
571713 }
572714 }
573715
574 - // TLS needs to be started after the connection is made
 716+ // TLS needs to be started after the connection resource is available
575717 if ( $encryptionType == "tls" ) {
576718 $this->printDebug( "Using TLS", SENSITIVE );
577719 if ( !ldap_start_tls( $this->ldapconn ) ) {
@@ -620,14 +762,11 @@
621763
622764 $this->connect();
623765 if ( $this->ldapconn ) {
624 - $this->printDebug( "Connected successfully", NONSENSITIVE );
625 -
626766 // Mediawiki munges the username before authenticate is called,
627767 // this can mess with authentication, group pulling/restriction,
628768 // preference pulling, etc. Let's allow the admin to use
629769 // a lowercased username if needed.
630770 if ( $this->getConf( 'LowerCaseUsername') ) {
631 - $this->printDebug( "Lowercasing the username: $username", NONSENSITIVE );
632771 $username = strtolower( $username );
633772 }
634773
@@ -638,7 +777,7 @@
639778 // return true, and will let anyone in!
640779 if ( '' == $this->userdn ) {
641780 $this->printDebug( "User DN is blank", NONSENSITIVE );
642 - @ldap_unbind();
 781+ LdapAuthentication::ldap_unbind( $this->ldapconn );
643782 $this->markAuthFailed();
644783 return false;
645784 }
@@ -647,8 +786,6 @@
648787 // user to make sure the password is correct.
649788 if ( !$this->useAutoAuth() ) {
650789 $this->printDebug( "Binding as the user", NONSENSITIVE );
651 -
652 - // Let's see if the user can authenticate.
653790 $bind = $this->bindAs( $this->userdn, $password );
654791 if ( !$bind ) {
655792 $this->markAuthFailed();
@@ -676,12 +813,12 @@
677814 $filter = "(" . $aa . ")";
678815 $attributes = array( "dn" );
679816
680 - $entry = ldap_read( $this->ldapconn, $this->userdn, $filter, $attributes );
681 - $info = ldap_get_entries( $this->ldapconn, $entry );
 817+ $entry = LdapAuthentication::ldap_read( $this->ldapconn, $this->userdn, $filter, $attributes );
 818+ $info = LdapAuthentication::ldap_get_entries( $this->ldapconn, $entry );
682819
683820 if ( $info["count"] < 1 ) {
684821 $this->printDebug( "Failed auth attribute check", NONSENSITIVE );
685 - @ldap_unbind();
 822+ LdapAuthentication::ldap_unbind( $this->ldapconn );
686823 $this->markAuthFailed();
687824 return false;
688825 }
@@ -691,22 +828,15 @@
692829 $this->getGroups( $username );
693830
694831 if ( !$this->checkGroups( $username ) ) {
695 - @ldap_unbind();
 832+ LdapAuthentication::ldap_unbind( $this->ldapconn );
696833 $this->markAuthFailed();
697834 return false;
698835 }
699836
700837 $this->getPreferences();
701838
702 - if ( !$this->synchUsername( $username ) ) {
703 - @ldap_unbind();
704 - $this->markAuthFailed();
705 - return false;
706 - }
707 -
708 - @ldap_unbind();
 839+ LdapAuthentication::ldap_unbind( $this->ldapconn );
709840 } else {
710 - $this->printDebug( "Failed to connect", NONSENSITIVE );
711841 $this->markAuthFailed();
712842 return false;
713843 }
@@ -815,7 +945,6 @@
816946
817947 $this->connect();
818948 if ( $this->ldapconn ) {
819 - $this->printDebug( "Connected successfully", NONSENSITIVE );
820949 $this->userdn = $this->getSearchString( $user->getName() );
821950
822951 $this->printDebug( "Binding as the writerDN", NONSENSITIVE );
@@ -830,10 +959,9 @@
831960 // domain credentials for security reasons.
832961 $password = '';
833962
834 - $success = @ldap_modify( $this->ldapconn, $this->userdn, $values );
 963+ $success = LdapAuthentication::ldap_modify( $this->ldapconn, $this->userdn, $values );
835964
836 - // Let's clean up
837 - @ldap_unbind();
 965+ LdapAuthentication::ldap_unbind( $this->ldapconn );
838966 if ( $success ) {
839967 $this->printDebug( "Successfully modified the user's password", NONSENSITIVE );
840968 return true;
@@ -842,7 +970,6 @@
843971 return false;
844972 }
845973 } else {
846 - $this->printDebug( "Failed to connect", NONSENSITIVE );
847974 return false;
848975 }
849976 }
@@ -881,7 +1008,6 @@
8821009
8831010 $this->connect();
8841011 if ( $this->ldapconn ) {
885 - $this->printDebug( "Connected successfully", NONSENSITIVE );
8861012 $this->userdn = $this->getSearchString( $user->getName() );
8871013
8881014 $this->printDebug( "Binding as the writerDN", NONSENSITIVE );
@@ -895,17 +1021,16 @@
8961022 if ( '' != $this->realname ) { $values["cn"] = $this->realname; }
8971023 if ( '' != $this->lang ) { $values["preferredlanguage"] = $this->lang; }
8981024
899 - if ( 0 != sizeof( $values ) && @ldap_modify( $this->ldapconn, $this->userdn, $values ) ) {
 1025+ if ( 0 != sizeof( $values ) && LdapAuthentication::ldap_modify( $this->ldapconn, $this->userdn, $values ) ) {
9001026 $this->printDebug( "Successfully modified the user's attributes", NONSENSITIVE );
901 - @ldap_unbind();
 1027+ LdapAuthentication::ldap_unbind( $this->ldapconn );
9021028 return true;
9031029 } else {
9041030 $this->printDebug( "Failed to modify the user's attributes", NONSENSITIVE );
905 - @ldap_unbind();
 1031+ LdapAuthentication::ldap_unbind( $this->ldapconn );
9061032 return false;
9071033 }
9081034 } else {
909 - $this->printDebug( "Failed to Connect", NONSENSITIVE );
9101035 return false;
9111036 }
9121037 }
@@ -960,7 +1085,7 @@
9611086 return true;
9621087 }
9631088
964 - if ( $this->getConf( 'RequiredGroups' ) || $this->getConf( 'GroupDN' ) ) {
 1089+ if ( $this->getConf( 'RequiredGroups' ) ) {
9651090 $this->printDebug( "The wiki is requiring users to be in specific groups, and cannot add users as this would be a security hole.", NONSENSITIVE );
9661091 // It is possible that later we can add users into
9671092 // groups, but since we don't support it, we don't want
@@ -984,8 +1109,6 @@
9851110
9861111 $this->connect();
9871112 if ( $this->ldapconn ) {
988 - $this->printDebug( "Successfully connected", NONSENSITIVE );
989 -
9901113 $writeloc = $this->getConf( 'WriteLocation' );
9911114 $this->userdn = $this->getSearchString( $username );
9921115 if ( '' == $this->userdn ) {
@@ -997,13 +1120,12 @@
9981121 } else {
9991122 $this->printDebug( "wgLDAPWriteLocation is not set, failing", NONSENSITIVE );
10001123 // getSearchString will bind, but will not unbind
1001 - @ldap_unbind();
 1124+ LdapAuthentication::ldap_unbind( $this->ldapconn );
10021125 return false;
10031126 }
10041127 }
10051128
10061129 $this->printDebug( "Binding as the writerDN", NONSENSITIVE );
1007 -
10081130 $bind = $this->bindAs( $writer, $this->getConf( 'WriterPassword' ) );
10091131 if ( !$bind ) {
10101132 $this->printDebug( "Failed to bind as the writerDN; add failed", NONSENSITIVE );
@@ -1025,7 +1147,7 @@
10261148 wfRunHooks( 'LDAPSetCreationValues', array( $this, $username, &$values, $writeloc, &$this->userdn, &$result ) );
10271149 if ( ! $result ) {
10281150 $this->printDebug( "Failed to add user because LDAPSetCreationValues returned false", NONSENSITIVE );
1029 - @ldap_unbind();
 1151+ LdapAuthentication::ldap_unbind( $this->ldapconn );
10301152 return false;
10311153 }
10321154
@@ -1035,17 +1157,16 @@
10361158 }
10371159
10381160 $this->printDebug( "Adding user", NONSENSITIVE );
1039 - if ( @ldap_add( $this->ldapconn, $this->userdn, $values ) ) {
 1161+ if ( LdapAuthentication::ldap_add( $this->ldapconn, $this->userdn, $values ) ) {
10401162 $this->printDebug( "Successfully added user", NONSENSITIVE );
1041 - @ldap_unbind();
 1163+ LdapAuthentication::ldap_unbind( $this->ldapconn );
10421164 return true;
10431165 } else {
10441166 $this->printDebug( "Failed to add user", NONSENSITIVE );
1045 - @ldap_unbind();
 1167+ LdapAuthentication::ldap_unbind( $this->ldapconn );
10461168 return false;
10471169 }
10481170 } else {
1049 - $this->printDebug( "Failed to connect; add failed", NONSENSITIVE );
10501171 return false;
10511172 }
10521173 }
@@ -1099,7 +1220,7 @@
11001221
11011222 // If we aren't pulling preferences, we don't want to accidentally
11021223 // overwrite anything.
1103 - if ( $this->getConf( 'RetrievePrefs' ) || $this->getConf( 'Preferences' ) ) {
 1224+ if ( $this->getConf( 'Preferences' ) ) {
11041225 $this->printDebug( "Setting user preferences.", NONSENSITIVE );
11051226
11061227 if ( '' != $this->lang ) {
@@ -1119,13 +1240,7 @@
11201241 $user->setEmail( $this->email );
11211242 $user->confirmEmail();
11221243 }
1123 - if ( $this->getConf( 'UniqueBlockLogin' ) || $this->getConf( 'UniqueRenameUser' ) ) {
11241244
1125 - if ( '' != $this->externalid ) {
1126 - $user->setExternalID( $this->externalid );
1127 - }
1128 - }
1129 -
11301245 $saveSettings = true;
11311246 }
11321247
@@ -1228,11 +1343,8 @@
12291344 } else {
12301345 $this->connect();
12311346 if ( $this->ldapconn ) {
1232 - $this->printDebug( "Successfully connected", NONSENSITIVE );
12331347 $this->userdn = $this->getSearchString( $username );
12341348 wfRunHooks( 'SetUsernameAttributeFromLDAP', array( &$this->LDAPUsername, $this->userInfo ) );
1235 - } else {
1236 - $this->printDebug( "Failed to connect in getCanonicalName, this is non-critical, but may indicate a misconfiguration.", NONSENSITIVE );
12371349 }
12381350 }
12391351
@@ -1334,14 +1446,14 @@
13351447
13361448 $this->printDebug( "Using base: $base", SENSITIVE );
13371449
1338 - $entry = @ldap_search( $this->ldapconn, $base, $filter, $attributes );
1339 - if ( @ldap_count_entries($this->ldapconn,$entry)==0 ) {
 1450+ $entry = LdapAuthentication::ldap_search( $this->ldapconn, $base, $filter, $attributes );
 1451+ if ( LdapAuthentication::ldap_count_entries( $this->ldapconn, $entry ) == 0 ) {
13401452 $this->printDebug( "Couldn't find an entry", NONSENSITIVE );
13411453 $this->fetchedUserInfo = false;
13421454 return '';
13431455 }
13441456
1345 - $this->userInfo = @ldap_get_entries( $this->ldapconn, $entry );
 1457+ $this->userInfo = LdapAuthentication::ldap_get_entries( $this->ldapconn, $entry );
13461458 $this->fetchedUserInfo = true;
13471459 if ( isset( $this->userInfo[0][$searchattr] ) ) {
13481460 $username = $this->userInfo[0][$searchattr][0];
@@ -1381,8 +1493,8 @@
13821494 // Don't fetch the same data more than once
13831495 // TODO: use memcached here
13841496
1385 - $entry = @ldap_read( $this->ldapconn, $userdn, "objectclass=*", array( '*', 'memberof' ) );
1386 - $userInfo = @ldap_get_entries( $this->ldapconn, $entry );
 1497+ $entry = LdapAuthentication::ldap_read( $this->ldapconn, $userdn, "objectclass=*", array( '*', 'memberof' ) );
 1498+ $userInfo = LdapAuthentication::ldap_get_entries( $this->ldapconn, $entry );
13871499 if ( $userInfo["count"] < 1 ) {
13881500 return;
13891501 } else {
@@ -1434,97 +1546,9 @@
14351547 break;
14361548 }
14371549 }
1438 - } elseif ( $this->getConf( 'RetrievePrefs' ) ) {
1439 - // DEPRECATED. Kept for backwards compatibility.
1440 - $this->printDebug( "Retrieving preferences", NONSENSITIVE );
1441 - $this->printDebug( '$wgLDAPRetrievePrefs is a DEPRECATED option, please use $wgLDAPPreferences.', NONSENSITIVE );
1442 -
1443 - if ( isset( $this->userInfo[0]["mail"] ) ) {
1444 - $this->email = $this->userInfo[0]["mail"][0];
1445 - }
1446 - if ( isset( $this->userInfo[0]["preferredlanguage"] ) ) {
1447 - $this->lang = $this->userInfo[0]["preferredlanguage"][0];
1448 - }
1449 - if ( isset( $this->userInfo[0]["displayname"] ) ) {
1450 - $this->nickname = $this->userInfo[0]["displayname"][0];
1451 - }
1452 - if ( isset( $this->userInfo[0]["cn"] ) ) {
1453 - $this->realname = $this->userInfo[0]["cn"][0];
1454 - }
1455 -
1456 - $this->printDebug( "Retrieved: $this->email, $this->lang, $this->nickname, $this->realname", SENSITIVE );
14571550 }
14581551 }
14591552
1460 - function synchUsername( $username ) {
1461 - $this->printDebug( "Entering synchUsername", NONSENSITIVE );
1462 -
1463 - $this->userInfo = $this->getUserInfo();
1464 - if ( is_null( $this->userInfo ) ) {
1465 - $this->printDebug( "Failed to get preferences", NONSENSITIVE );
1466 - }
1467 -
1468 - // Are we blocking login/renaming users on unique external ID mismatches?
1469 - // *** WARNING ***
1470 - // This needs to be fixed before use! This probably does not work correctly
1471 - // with all options. It is probably a good idea to refactor the username stuff
1472 - // in general (as it is currently somewhat of a kludge). Also, MediaWiki does
1473 - // not currently have support for this.
1474 - // *** WARNING ***
1475 - if ( $this->getConf( 'UniqueBlockLogin' ) || $this->getConf( 'UniqueRenameUser' ) ) {
1476 -
1477 - $this->printDebug( "Checking for username change in LDAP.", SENSITIVE );
1478 -
1479 - // Get the user's unique attribute from LDAP
1480 - $ldapuniqueattr = $this->getConf( 'UniqueAttribute' );
1481 - if ( $ldapuniqueattr ) {
1482 - $this->externalid = $this->info[0][$ldapuniqueattr][0];
1483 - } else {
1484 - return false;
1485 - }
1486 -
1487 - $this->printDebug( "Retrieved external id: $this->externalid", SENSITIVE );
1488 -
1489 - $retrievedusername = User::whoIsExternalID( "$this->externalid" );
1490 -
1491 - $this->printDebug( "Username (in MediaWiki database) of fetched external id: $retrievedusername", SENSITIVE );
1492 -
1493 - // See if the username returned from the database matches the username given
1494 - if ( $retrievedusername != '' && ( $username != $retrievedusername ) ) {
1495 - if ( $this->getConf( 'UniqueBlockLogin' ) ) {
1496 -
1497 - $this->printDebug( "Usernames do not match, blocking login.", SENSITIVE );
1498 - return false;
1499 - } elseif ( $this->getConf( 'UniqueRenameUser' ) ) {
1500 -
1501 - $this->printDebug( "Usernames do not match, renaming user in database.", SENSITIVE );
1502 -
1503 - $olduser = User::newFromName( $retrievedusername );
1504 - $uid = $olduser->idForName();
1505 -
1506 - // Ensure we don't require the same class twice
1507 - if ( !class_exists( 'RenameuserSQL' ) ) {
1508 - require( 'Renameuser/SpecialRenameuser_body.php' );
1509 - }
1510 -
1511 - // Make a new rename user object with: from, to, uid of from
1512 - $rename = new RenameuserSQL( $retrievedusername, $username, $uid );
1513 - $rename->rename();
1514 -
1515 - // For the time being we can't just allow the user to log in
1516 - // as MediaWiki will try to create the user account after we
1517 - // do a rename. If we don't return false, the user will get
1518 - // a database error
1519 - return false;
1520 - }
1521 - }
1522 -
1523 - $this->printDebug( "Usernames matched or the user doesn't exist in the database yet.", SENSITIVE );
1524 - }
1525 -
1526 - return true;
1527 - }
1528 -
15291553 /**
15301554 * Checks to see whether a user is in a required group.
15311555 *
@@ -1535,18 +1559,6 @@
15361560 function checkGroups( $username ) {
15371561 $this->printDebug( "Entering checkGroups", NONSENSITIVE );
15381562
1539 - // Old style groups, non-nestable and fairly limited on group type (full DN
1540 - // versus username). DEPRECATED
1541 - $groupdn = $this->getConf( 'GroupDN' );
1542 - if ( $groupdn ) {
1543 - $this->printDebug( "Checking for (old style) group membership", NONSENSITIVE );
1544 - // we need to do a subbase search for the entry
1545 - $filter = "(member=" . $this->getLdapEscapedString( $this->userdn ) . ")";
1546 - $info = @ldap_get_entries( $this->ldapconn, @ldap_search( $this->ldapconn, $groupdn, $filter ) );
1547 -
1548 - return ( $info["count"] >= 1 );
1549 - }
1550 -
15511563 $excgroups = $this->getConf( 'ExcludedGroups' );
15521564 if ( $excgroups ) {
15531565 $this->printDebug( "Checking for excluded group membership", NONSENSITIVE );
@@ -1565,7 +1577,6 @@
15661578 }
15671579 }
15681580
1569 - // New style group checking
15701581 $reqgroups = $this->getConf( 'RequiredGroups' );
15711582 if ( $reqgroups ) {
15721583 $this->printDebug( "Checking for (new style) group membership", NONSENSITIVE );
@@ -1647,10 +1658,10 @@
16481659 }
16491660 } else {
16501661 $this->printDebug( "Searching for the groups", NONSENSITIVE );
1651 - $this->userLDAPGroups = $this->searchGroups( $usertopass );
 1662+ $this->userLDAPGroups = LdapAuthentication::ldap_searchGroups( $usertopass );
16521663
16531664 if ( $this->getConf( 'GroupSearchNestedGroups' ) ) {
1654 - $this->userLDAPGroups = $this->searchNestedGroups( $this->userLDAPGroups );
 1665+ $this->userLDAPGroups = LdapAuthentication::ldap_searchNestedGroups( $this->userLDAPGroups );
16551666 $this->printDebug( "Got the following nested groups:", SENSITIVE, $this->userLDAPGroups["dn"] );
16561667 }
16571668 }
@@ -1658,7 +1669,7 @@
16591670 // Only find all groups if the user has any groups; otherwise, we are
16601671 // just wasting a search.
16611672 if ( $this->getConf( 'GroupsPrevail' ) && count( $this->userLDAPGroups ) != 0 ) {
1662 - $this->allLDAPGroups = $this->searchGroups( '*' );
 1673+ $this->allLDAPGroups = LdapAuthentication::ldap_searchGroups( '*' );
16631674 }
16641675 }
16651676 }
@@ -1686,7 +1697,7 @@
16871698
16881699 $groupstosearch = array( "short" => array(), "dn" => array() );
16891700 foreach ( $groups["dn"] as $group ) {
1690 - $returnedgroups = $this->searchGroups( $group );
 1701+ $returnedgroups = LdapAuthentication::ldap_searchGroups( $group );
16911702 $this->printDebug( "Group $group is in the following groups:", SENSITIVE, $returnedgroups["dn"] );
16921703 foreach ( $returnedgroups["dn"] as $searchme ) {
16931704 if ( in_array( $searchme, $searchedgroups["dn"] ) ) {
@@ -1712,8 +1723,7 @@
17131724
17141725 $searchedgroups = array_merge_recursive( $groups, $searchedgroups );
17151726
1716 - // Mmmmmm. Tail recursion. Tasty.
1717 - return $this->searchNestedGroups( $groupstosearch, $searchedgroups );
 1727+ return LdapAuthentication::ldap_searchNestedGroups( $groupstosearch, $searchedgroups );
17181728 }
17191729
17201730 /**
@@ -1753,8 +1763,8 @@
17541764 if ( $dn != "*" ) {
17551765 $PGfilter = "(&(distinguishedName=$value)(objectclass=user))";
17561766 $this->printDebug( "User Filter: $PGfilter", SENSITIVE );
1757 - $PGinfo = @ldap_search( $this->ldapconn, $base, $PGfilter );
1758 - $PGentries = @ldap_get_entries( $this->ldapconn, $PGinfo );
 1767+ $PGinfo = LdapAuthentication::ldap_search( $this->ldapconn, $base, $PGfilter );
 1768+ $PGentries = LdapAuthentication::ldap_get_entries( $this->ldapconn, $PGinfo );
17591769 if ( $PGentries ) {
17601770 $Usid = $PGentries[0]['objectsid'][0];
17611771 $PGrid = $PGentries[0]['primarygroupid'][0];
@@ -1777,8 +1787,8 @@
17781788 }
17791789 $PGfilter = "(&(objectSid=$PGsid_string)(objectclass=$objectclass))";
17801790 $this->printDebug( "Primary Group Filter: $PGfilter", SENSITIVE );
1781 - $info = @ldap_search( $this->ldapconn, $base, $PGfilter );
1782 - $PGentries = @ldap_get_entries( $this->ldapconn, $info );
 1791+ $info = LdapAuthentication::ldap_search( $this->ldapconn, $base, $PGfilter );
 1792+ $PGentries = LdapAuthentication::ldap_get_entries( $this->ldapconn, $info );
17831793 array_shift( $PGentries );
17841794 $dnMember = strtolower( $PGentries[0]['dn'] );
17851795 $groups["dn"][] = $dnMember;
@@ -1798,7 +1808,7 @@
17991809
18001810 $this->printDebug( "Search string: $filter", SENSITIVE );
18011811
1802 - $info = @ldap_search( $this->ldapconn, $base, $filter );
 1812+ $info = LdapAuthentication::ldap_search( $this->ldapconn, $base, $filter );
18031813 if ( !$info ) {
18041814 $this->printDebug( "No entries returned from search.", SENSITIVE );
18051815
@@ -1807,7 +1817,7 @@
18081818 return array( "short" => array(), "dn" => array() );
18091819 }
18101820
1811 - $entries = @ldap_get_entries( $this->ldapconn, $info );
 1821+ $entries = LdapAuthentication::ldap_get_entries( $this->ldapconn, $info );
18121822
18131823 if ( $entries ){
18141824 // We need to shift because the first entry will be a count
@@ -1985,13 +1995,12 @@
19861996 function bindAs( $userdn = null, $password = null ) {
19871997 // Let's see if the user can authenticate.
19881998 if ( $userdn == null || $password == null ) {
1989 - $bind = @ldap_bind( $this->ldapconn );
 1999+ $bind = LdapAuthentication::ldap_bind( $this->ldapconn );
19902000 } else {
1991 - $bind = @ldap_bind( $this->ldapconn, $userdn, $password );
 2001+ $bind = LdapAuthentication::ldap_bind( $this->ldapconn, $userdn, $password );
19922002 }
19932003 if ( !$bind ) {
19942004 $this->printDebug( "Failed to bind as $userdn", NONSENSITIVE );
1995 - $this->printDebug( "with password: $password", HIGHLYSENSITIVE );
19962005 return false;
19972006 }
19982007 $this->boundAs = $userdn;
@@ -2022,9 +2031,9 @@
20232032 function getLdapEscapedString( $string ) {
20242033 // Make the string LDAP compliant by escaping *, (, ) , \ & NUL
20252034 return str_replace(
2026 - array( "\\", "(", ")", "*", "\x00" ), // replace this
2027 - array( "\\5c", "\\28", "\\29", "\\2a", "\\00" ), // with this
2028 - $string // in this
 2035+ array( "\\", "(", ")", "*", "\x00" ),
 2036+ array( "\\5c", "\\28", "\\29", "\\2a", "\\00" ),
 2037+ $string
20292038 );
20302039 }
20312040
@@ -2068,11 +2077,11 @@
20692078 }
20702079 }
20712080
2072 -// The following was derived from the SSL Authentication plugin
 2081+// The auto-auth code was originally derived from the SSL Authentication plugin
20732082 // http://www.mediawiki.org/wiki/SSL_authentication
20742083
20752084 /**
2076 - * Sets up the SSL authentication piece of the LDAP plugin.
 2085+ * Sets up the auto-authentication piece of the LDAP plugin.
20772086 *
20782087 * @access public
20792088 */
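Review bot: In the bindAs hunk, the loose comparison `if ( $userdn == null || $password == null )` means an empty-string password takes the anonymous branch and calls `LdapAuthentication::ldap_bind( $this->ldapconn )` with no credentials at all, so on a directory that permits anonymous binds authenticate() would see `$bind` true for a real user DN supplied with no password; whether MediaWiki core rejects an empty password before the plugin is reached is not visible here, so this should not be relied on. Even with strict comparison, handing a DN plus an empty password to ldap_bind performs an unauthenticated bind that many servers accept, so an empty password must be refused whenever a DN is given: add `if ( $userdn !== null && ( $password === null || $password === '' ) ) { return false; }` ahead of the existing branch and use `===` in that branch. The new static ldap_bind wrapper defaulting both `$dn` and `$password` to null is fine for the deliberate anonymous case in getSearchString-style lookups, but that path must not be reachable from the user-password check. bindAs continues past the end of this hunk.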

Follow-up revisions

Revision | Commit summary | Author | Date
r107410 | Fixing a very obvious mistake. | laner | 20:12, 27 December 2011
r107420 | Fix bad search and replace. | laner | 20:52, 27 December 2011
r107421 | Follow up to r107420. These calls shouldn't be static | laner | 20:56, 27 December 2011

Comments

#Comment by Nikerabbit (talk | contribs)   08:24, 5 January 2012

This code hurts my eyes.

#Comment by MarkAHershberger (talk | contribs)   17:54, 5 January 2012

Does this even work:

+class LdapAuthenticationextends AuthPlugin {
#Comment by Reedy (talk | contribs)   17:55, 5 January 2012

Already fixed in trunk
