Compare revisions

Thomas Lake · Thomas Lake · Imran Hussain · Imran Hussain · Imran Hussain · 0ded7b1d
--- a/lib/ldap-auth.php
+++ b/lib/ldap-auth.php
@@ -12,7 +12,7 @@ will return "nope" if the user/pass passed is inavlid

 Example usage:

-include_once("ldap-auth.php");
+require "ldap-auth.php";

 isAuthd = ldapAuth("usaername", "password");

@@ -29,6 +29,8 @@ if (isAuthd == "sucs"){
 // we don't care about warnings, we write our own
 error_reporting(E_ERROR | E_PARSE);

+define(LDAP_OPT_DIAGNOSTIC_MESSAGE, 0x0032);
+
 function ldapAuth($username, $password)
 {

@@ -45,24 +47,29 @@ function ldapAuth($username, $password)
            $username = implode("@", $s);
        }

+        // filter out everything but A-Z a-z 0-9 . - _ from username
+        $safeusername = preg_replace("/[^A-Za-z0-9\.\-\_]/", '', $username);
+
+        // if safeusername isn't the same as username just error out
+        if ($safeusername != $username) {
+            return "nope";
+        }
+
        // ldap servers
        $sucsLDAPServer = 'silver.sucs.swan.ac.uk';
-        $lisLDAPServer = 'ccs-suld1.swan.ac.uk';
-
-        // lis auth stuffs
-        $lisUsernameOu = substr($username, -1);
-        $lisOtherOu = "Moved";
+        $issLDAPServer = '192.168.10.16';

        // how to bind
-        $sucsBindDn = "uid=$username,ou=People,dc=sucs,dc=org";
-        $lisBindDn1 = "cn=$username,ou=$lisUsernameOu,ou=Students,ou=SWANSEA,o=SWANUNI";
-        $lisBindDn2 = "cn=$username,ou=$lisOtherOu,ou=Students,ou=SWANSEA,o=SWANUNI";
+        $sucsBindDn = "uid=$safeusername,ou=People,dc=sucs,dc=org";
+        $issBindDn = "cn=$safeusername,ou=Students,ou=Active,ou=Resources,o=Swansea";

        // Main auth

        // Try and connect to silver
        $ldapconnSUCS = ldap_connect($sucsLDAPServer) or die("Could not connect to SUCS LDAP server.");

+        ldap_set_option($ldapconnSUCS,LDAP_OPT_PROTOCOL_VERSION,3);
+
        if ($ldapconnSUCS) {

            //echo "Connected to $sucsLDAPServer <br>";
@@ -73,28 +80,28 @@ function ldapAuth($username, $password)
            if ($ldapbindSUCS) {
                //echo "Auth'd as $username using SUCS LDAP<br>";
                return "sucs";
-                // turns out they didn't give us valid sucs creds, lets try lis now
+                // turns out they didn't give us valid sucs creds, lets try iss now
            } else {

-                // try and connect to the lis ldap server
-                $ldapconnLIS = ldap_connect($lisLDAPServer) or die("Could not connect to uni LDAP server.");
-                //echo "Connected to $lisLDAPServer <br>";
+                // try and connect to the iss ldap server
+                $ldapconnISS = ldap_connect($issLDAPServer) or die("Could not connect to uni LDAP server.");
+                // echo "Connected to $issLDAPServer <br>";
+
+                ldap_set_option($ldapconnISS,LDAP_OPT_PROTOCOL_VERSION,3);

                // lets try and bind to the uni ldap
-                $ldapbindLIS1 = ldap_bind($ldapconnLIS, $lisBindDn1, $password);
-                if ($ldapbindLIS1) {
-                    //echo "Auth'd as $username using uni LDAP using ou=$lisUsernameOu<br>";
+                $ldapbindiss = ldap_bind($ldapconnISS, $issBindDn, $password);
+
+                /*if (ldap_get_option($ldapconnISS, LDAP_OPT_DIAGNOSTIC_MESSAGE, $extended_error)) {
+                   echo "Error Binding to LDAP: $extended_error";
+                }*/
+
+                if ($ldapbindiss) {
+                    //echo "Auth'd as $username using uni LDAP using ou=$issUsernameOu<br>";
                    return "uni";
                } else {
-                    $ldapbindLIS2 = ldap_bind($ldapconnLIS, $lisBindDn2, $password);
-                    if ($ldapbindLIS2) {
-                        //echo "Auth'd as $username using uni LDAP using ou=moved<br>";
-                        return "uni";
-                        // shit, couldn't bind to anything
-                    } else {
-                        //exit("Invalid Username or Password");
-                        return "nope";
-                    }
+                    //exit("Invalid Username or Password");
+                    return "nope";
                }
            }
        }

--- a/lib/session.php
+++ b/lib/session.php
@@ -116,7 +116,15 @@ class Session

        // Is this a login attempt ?
        if ($submit != '' && $session_user != '' && $session_pass != '') {
-            $this->session_init($session_user, $session_pass);
+            // filter out everything but A-Z a-z 0-9 . - _ from username
+            $safeusername = preg_replace("/[^A-Za-z0-9\.\-\_]/", '', $session_user);
+            if ($safeusername != $session_user) {
+                trigger_error("Invalid username", E_USER_NOTICE);
+                $this->newsession();
+                return;
+            } elseif ($safeusername == $session_user) {
+                $this->session_init($safeusername, $session_pass);
+            }
        }

        // Retrieve session information
No results found