View Issue Details
ID | Project | Category | View Status | Date Submitted | Last Update |
---|---|---|---|---|---|
0007478 | mantisbt | authentication | public | 2006-09-27 04:55 | 2014-11-25 12:33 |
Reporter | roel | Assigned To | |||
Priority | normal | Severity | feature | Reproducibility | N/A |
Status | new | Resolution | open | ||
Summary | 0007478: MS Active Directory Authentication | ||||
Description | Moving discussion from -dev list to here. Synopsis: Holger: First of all there's a new option to configure in the config_inc.php. It's Victor: Did you check the implementation at: Instead of updating the users table, you can use the configuration to Do we really need a per user configuration? One option is to have a Obviously the per user approach is more flexible as long as it doesn't Roel: (about original patch):
(about Victor's remarks):
I've attached a new patch, based on Holger's, with the following changes:
Victor: The db configuration supports a default for all users / all projects, The problem with the preferences as they are, is that whenever a I guess this is a general issue that we have to put a pattern for. Ideas are welcome. | ||||
Tags | patch | ||||
Attached Files | mantisbt_ads_v2.patch (25,412 bytes)
Index: account_page.php =================================================================== RCS file: /cvsroot/mantisbt/mantisbt/account_page.php,v retrieving revision 1.51 diff -u -r1.51 account_page.php --- account_page.php 17 Jul 2005 21:56:21 -0000 1.51 +++ account_page.php 25 Sep 2006 10:45:56 -0000 @@ -52,7 +52,7 @@ $row = user_get_row( auth_get_current_user_id() ); extract( $row, EXTR_PREFIX_ALL, 'u' ); - $t_ldap = ( LDAP == config_get( 'login_method' ) ); + $t_ldap = ( LDAP == $row['login_method'] ); #config_get( 'login_method' ) ); # In case we're using LDAP to get the email address... this will pull out # that version instead of the one in the DB @@ -72,7 +72,7 @@ <center><div style="color:red; width:75%"> <?php echo lang_get( 'verify_warning' ); - if ( helper_call_custom_function( 'auth_can_change_password', array() ) ) { + if ( helper_call_custom_function( 'auth_can_change_password', array($row['login_method']) ) ) { echo '<br />' . lang_get( 'verify_change_password' ); } ?> @@ -93,7 +93,7 @@ </td> </tr> -<?php if ( !helper_call_custom_function( 'auth_can_change_password', array() ) ) { ?> <!-- With LDAP --> +<?php if ( !helper_call_custom_function( 'auth_can_change_password', array($row['login_method']) ) ) { ?> <!-- With LDAP --> <!-- Username --> <tr class="row-1"> Index: account_update.php =================================================================== RCS file: /cvsroot/mantisbt/mantisbt/account_update.php,v retrieving revision 1.40 diff -u -r1.40 account_update.php --- account_update.php 30 Nov 2004 13:02:57 -0000 1.40 +++ account_update.php 25 Sep 2006 10:45:56 -0000 
@@ -68,7 +68,7 @@ } # Update password if the two match and are not empty - if ( !is_blank( $f_password ) ) { + if ( !is_blank( $f_password ) ) { if ( $f_password != $f_password_confirm ) { trigger_error( ERROR_USER_CREATE_PASSWORD_MISMATCH, ERROR ); } else { Index: config_defaults_inc.php =================================================================== RCS file: /cvsroot/mantisbt/mantisbt/config_defaults_inc.php,v retrieving revision 1.312 diff -u -r1.312 config_defaults_inc.php --- config_defaults_inc.php 22 Sep 2006 22:18:08 -0000 1.312 +++ config_defaults_inc.php 25 Sep 2006 10:45:57 -0000 @@ -832,6 +832,16 @@ # The LDAP Protocol Version, if 0, then the protocol version is not set. $g_ldap_protocol_version = 0; + ############################# + # Mantis ADS Settings + ############################# + # --- using MS Active Directory ------------- + $g_ads_server = 'ldap://ads.example.com.au/'; + $g_ads_port = '389'; + $g_ads_domain = 'myDomain'; # ADS domain like 'myDomain' + $g_ads_bind_name = ''; + $g_ads_bind_passwd = ''; + ############################ # Status Settings ############################ 
@@ -1083,10 +1093,26 @@ # example: $g_set_status_threshold = array( ACKNOWLEDGED => MANAGER, CONFIRMED => DEVELOPER, CLOSED => MANAGER ); $g_set_status_threshold = array(); + # --- login method strings -------- + # Don't change this + $g_login_method_strings[PLAIN] = "Plain"; + $g_login_method_strings[CRYPT] = "Crypt"; + $g_login_method_strings[CRYPT_FULL_SALT] = "Crypt full salt"; + $g_login_method_strings[MD5] = "MD5"; + $g_login_method_strings[LDAP] = "LDAP"; + $g_login_method_strings[BASIC_AUTH] = "Basic Auth"; + $g_login_method_strings[HTTP_AUTH] = "HTTP Auth"; + $g_login_method_strings[ADS] = "Active Directory"; + # --- login method ---------------- - # CRYPT or PLAIN or MD5 or LDAP or BASIC_AUTH + # CRYPT or PLAIN or MD5 or LDAP or BASIC_AUTH or ADS # You can simply change this at will. Mantis will try to figure out how the passwords were encrypted. + # ATTENTION: This might soon be depricated $g_login_method = MD5; + + # Enter here your allowed login methods. This values will be choosable when create new user + # e.g. array(LDAP, ADS, MD5, CRYPT) + $g_login_methods = array(MD5, ADS); # --- limit reporters ------------- # Set to ON if you wish to limit reporters to only viewing bugs that they report. @@ -1768,4 +1794,4 @@ # The maximum number of issues to keep in the recently visited list. $g_recently_visited_count = 5; -?> \ No newline at end of file +?> Index: login.php =================================================================== RCS file: /cvsroot/mantisbt/mantisbt/login.php,v retrieving revision 1.36 diff -u -r1.36 login.php --- login.php 7 Aug 2005 16:01:37 -0000 1.36 +++ login.php 25 Sep 2006 10:45:57 -0000 
@@ -20,13 +20,15 @@ $f_perm_login = gpc_get_bool( 'perm_login' ); $f_return = gpc_get_string( 'return', config_get( 'default_home_page' ) ); $f_from = gpc_get_string( 'from', '' ); + $f_login_method = user_get_field( user_get_id_by_name($f_username), 'login_method' ); + - if ( BASIC_AUTH == config_get( 'login_method' ) ) { + if ( BASIC_AUTH == $f_login_method ) { #config_get( 'login_method' ) ) { $f_username = $_SERVER['REMOTE_USER']; $f_password = $_SERVER['PHP_AUTH_PW']; } - if ( HTTP_AUTH == config_get( 'login_method' ) ) { + if ( HTTP_AUTH == $f_login_method ) { #config_get( 'login_method' ) ) { if ( !auth_http_is_logout_pending() ) { if ( isset( $_SERVER['PHP_AUTH_USER'] ) ) @@ -45,7 +47,7 @@ } else { $t_redirect_url = 'login_page.php?return=' . urlencode( $f_return ) . '&error=1'; - if ( HTTP_AUTH == config_get( 'login_method' ) ) { + if ( HTTP_AUTH == $f_login_method ) { #config_get( 'login_method' ) ) { auth_http_prompt(); exit; } Index: login_page.php =================================================================== RCS file: /cvsroot/mantisbt/mantisbt/login_page.php,v retrieving revision 1.56 diff -u -r1.56 login_page.php --- login_page.php 24 Jul 2006 01:31:28 -0000 1.56 +++ login_page.php 25 Sep 2006 10:45:57 -0000 
@@ -23,21 +23,22 @@ $f_return = gpc_get_string( 'return', '' ); # Check for HTTP_AUTH. HTTP_AUTH is handled in login.php - - if ( HTTP_AUTH == config_get( 'login_method' ) ) { - $t_uri = "login.php"; - - if ( !$f_return && ON == config_get( 'allow_anonymous_login' ) ) { - $t_uri = "login_anon.php"; - } - - if ( $f_return ) { - $t_uri .= "?return=" . urlencode( $f_return ); - } - - print_header_redirect( $t_uri ); - exit; - } + # + #if ( HTTP_AUTH == config_get( 'login_method' ) ) { + # $t_uri = "login.php"; + # + # if ( !$f_return && ON == config_get( 'allow_anonymous_login' ) ) { + # $t_uri = "login_anon.php"; + # } + # + # if ( $f_return ) { + # $t_uri .= "?return=" . urlencode( $f_return ); + # } + # + # print_header_redirect( $t_uri ); + # exit; + #} + # THIS IS CHECKED IN login.php ANYWAYS html_page_top1(); html_page_top2a(); @@ -127,7 +128,7 @@ # # Warning, if plain passwords are selected - if ( config_get( 'login_method' ) === PLAIN ) { + if ( in_array( PLAIN, $g_login_methods ) ){ #config_get( 'login_method' ) === PLAIN ) { echo '<div class="warning" align="center">'; echo '<p><font color="red"><strong>WARNING:</strong> Plain password authentication is used, this will expose your passwords to administrators.</font></p>'; echo '</div>'; 
@@ -135,7 +136,7 @@ # Generate a warning if administrator/root is valid. $t_admin_user_id = user_get_id_by_name( 'administrator' ); - if ( $t_admin_user_id !== false ) { + if ( $t_admin_user_id !== false ) { if ( user_is_enabled( $t_admin_user_id ) && auth_does_password_match( $t_admin_user_id, 'root' ) ) { echo '<div class="warning" align="center">'; echo '<p><font color="red"><strong>WARNING:</strong> You should disable the default "administrator" account or change its password.</font></p>'; Index: manage_user_create.php =================================================================== RCS file: /cvsroot/mantisbt/mantisbt/manage_user_create.php,v retrieving revision 1.22 diff -u -r1.22 manage_user_create.php --- manage_user_create.php 21 Mar 2005 20:48:55 -0000 1.22 +++ manage_user_create.php 25 Sep 2006 10:45:57 -0000 @@ -22,6 +22,7 @@ $f_password = gpc_get_string( 'password', '' ); $f_password_verify = gpc_get_string( 'password_verify', '' ); $f_email = gpc_get_string( 'email' ); + $f_login_method = gpc_get_string( 'login_method' ); $f_access_level = gpc_get_string( 'access_level' ); $f_protected = gpc_get_bool( 'protected' ); $f_enabled = gpc_get_bool( 'enabled' ); @@ -58,7 +59,7 @@ } } - $t_cookie = user_create( $f_username, $f_password, $f_email, $f_access_level, $f_protected, $f_enabled, $f_realname ); + $t_cookie = user_create( $f_username, $f_password, $f_email, $f_login_method, $f_access_level, $f_protected, $f_enabled, $f_realname ); if ( $t_cookie === false ) { $t_redirect_url = 'manage_user_page.php'; Index: manage_user_create_page.php =================================================================== RCS file: /cvsroot/mantisbt/mantisbt/manage_user_create_page.php,v retrieving revision 1.19 diff -u -r1.19 manage_user_create_page.php --- manage_user_create_page.php 21 Mar 2005 20:48:55 -0000 1.19 +++ manage_user_create_page.php 25 Sep 2006 10:45:57 -0000 
@@ -75,6 +75,21 @@ ?> <tr <?php echo helper_alternate_class() ?>> <td class="category"> + <?php echo lang_get( 'login_method' ) ?> + </td> + <td> + <select name="login_method"> + <?php + for ($i=0; $i<sizeof($g_login_methods); $i++) + { + echo "<option value='".$g_login_methods[$i]."'>".$g_login_method_strings[$g_login_methods[$i]]."</option>"; + } + ?> + </select> + </td> +</tr> +<tr <?php echo helper_alternate_class() ?>> + <td class="category"> <?php echo lang_get( 'access_level' ) ?> </td> <td> Index: manage_user_edit_page.php =================================================================== RCS file: /cvsroot/mantisbt/mantisbt/manage_user_edit_page.php,v retrieving revision 1.16 diff -u -r1.16 manage_user_edit_page.php --- manage_user_edit_page.php 26 Mar 2006 10:35:33 -0000 1.16 +++ manage_user_edit_page.php 25 Sep 2006 10:45:57 -0000 @@ -69,6 +69,16 @@ </td> </tr> +<!-- Login Method --> +<tr <?php echo helper_alternate_class() ?>> + <td class="category"> + <?php echo lang_get( 'login_method' ) ?>: + </td> + <td> + <?php echo $g_login_method_strings[$t_user['login_method']]; ?> + </td> +</tr> + <!-- Access Level --> <tr <?php echo helper_alternate_class() ?>> <td class="category"> Index: admin/schema.php =================================================================== RCS file: /cvsroot/mantisbt/mantisbt/admin/schema.php,v retrieving revision 1.11 diff -u -r1.11 schema.php --- admin/schema.php 14 Aug 2006 08:32:57 -0000 1.11 +++ admin/schema.php 25 Sep 2006 10:45:57 -0000 
@@ -303,7 +303,8 @@ login_count I NOTNULL DEFAULT '0', lost_password_request_count I2 NOTNULL DEFAULT '0', failed_login_count I2 NOTNULL DEFAULT '0', - cookie_string C(64) NOTNULL DEFAULT \" '' \" + cookie_string C(64) NOTNULL DEFAULT \" '' \", + login_method I2 NOTNULL DEFAULT '0' ",Array('mysql' => 'TYPE=MyISAM', 'pgsql' => 'WITHOUT OIDS'))); $upgrade[] = Array('CreateIndexSQL',Array('idx_user_cookie_string',config_get('mantis_user_table'),'cookie_string',Array('UNIQUE'))); $upgrade[] = Array('CreateIndexSQL',Array('idx_user_username',config_get('mantis_user_table'),'username',Array('UNIQUE'))); @@ -325,4 +326,4 @@ body XS NOTNULL ",Array('mysql' => 'TYPE=MyISAM', 'pgsql' => 'WITHOUT OIDS'))); $upgrade[] = Array('CreateIndexSQL',Array('idx_email_id',config_get('mantis_email_table'),'email_id')); -?> \ No newline at end of file +?> Index: core/authentication_api.php =================================================================== RCS file: /cvsroot/mantisbt/mantisbt/core/authentication_api.php,v retrieving revision 1.55 diff -u -r1.55 authentication_api.php --- core/authentication_api.php 23 Apr 2006 12:32:59 -0000 1.55 +++ core/authentication_api.php 25 Sep 2006 10:45:58 -0000 @@ -74,7 +74,7 @@ function auth_attempt_login( $p_username, $p_password, $p_perm_login=false ) { $t_user_id = user_get_id_by_name( $p_username ); - $t_login_method = config_get( 'login_method' ); + $t_login_method = user_get_field($t_user_id, 'login_method'); #config_get( 'login_method' ); if ( false === $t_user_id ) { if ( BASIC_AUTH == $t_login_method ) { @@ -118,7 +118,7 @@ if ( !( ( ON == $t_anon_allowed ) && ( $t_anon_account == $p_username) ) ) { # anonymous login didn't work, so check the password - if ( !auth_does_password_match( $t_user_id, $p_password ) ) { + if ( !auth_does_password_match( $t_user_id, $p_password ) ) { user_increment_failed_login_count( $t_user_id ); return false; } 
@@ -201,22 +201,25 @@ # Return true if the password for the user id given matches the given # password (taking into account the global login method) function auth_does_password_match( $p_user_id, $p_test_password ) { - $t_configured_login_method = config_get( 'login_method' ); - - if ( LDAP == $t_configured_login_method ) { - return ldap_authenticate( $p_user_id, $p_test_password ); - } + $t_user_login_method = user_get_field( $p_user_id, 'login_method' ); #config_get( 'login_method' ); + switch ($t_user_login_method) + { + case ADS: return ads_authenticate( $p_user_id, $p_test_password ); break; + case LDAP: return ldap_authenticate( $p_user_id, $p_test_password ); break; + default: break; + } + $t_password = user_get_field( $p_user_id, 'password' ); $t_login_methods = Array(MD5, CRYPT, PLAIN); foreach ( $t_login_methods as $t_login_method ) { # pass the stored password in as the salt - if ( auth_process_plain_password( $p_test_password, $t_password, $t_login_method ) == $t_password ) { + if ( auth_process_plain_password( $p_test_password, $t_login_method, $t_password) == $t_password ) { # Check for migration to another login method and test whether the password was encrypted # with our previously insecure implemention of the CRYPT method - if ( ( $t_login_method != $t_configured_login_method ) || - ( ( CRYPT == $t_configured_login_method ) && substr( $t_password, 0, 2 ) == substr( $p_test_password, 0, 2 ) ) ) { + if ( ( $t_login_method != $t_user_login_method ) || + ( ( CRYPT == $t_user_login_method ) && substr( $t_password, 0, 2 ) == substr( $p_test_password, 0, 2 ) ) ) { user_set_password( $p_user_id, $p_test_password, true ); } 
@@ -235,13 +238,9 @@ # When encrypting a password to compare to a stored password, the stored # password should be passed in as salt. If the auth method is CRYPT then # crypt() will extract the appropriate portion of the stored password as its salt - function auth_process_plain_password( $p_password, $p_salt=null, $p_method=null ) { - $t_login_method = config_get( 'login_method' ); - if ( $p_method !== null ) { - $t_login_method = $p_method; - } + function auth_process_plain_password( $p_password, $p_login_method, $p_salt=null ) { - switch ( $t_login_method ) { + switch ( $p_login_method ) { case CRYPT: # a null salt is the same as no salt, which causes a salt to be generated # otherwise, use the salt given Index: core/constant_inc.php =================================================================== RCS file: /cvsroot/mantisbt/mantisbt/core/constant_inc.php,v retrieving revision 1.58 diff -u -r1.58 constant_inc.php --- core/constant_inc.php 12 Aug 2006 08:04:13 -0000 1.58 +++ core/constant_inc.php 25 Sep 2006 10:45:58 -0000 @@ -103,8 +103,9 @@ define( 'LDAP', 4 ); define( 'BASIC_AUTH', 5 ); define( 'HTTP_AUTH', 6 ); - - # file upload methods + define( 'ADS', 7 ); + + # file upload methods define( 'DISK', 1 ); define( 'DATABASE', 2 ); define( 'FTP', 3 ); @@ -286,6 +287,9 @@ define( 'ERROR_SIGNUP_NOT_MATCHING_CAPTCHA', 1904 ); define( 'ERROR_LOST_PASSWORD_MAX_IN_PROGRESS_ATTEMPTS_REACHED', 1905 ); + # ERROR_ADS_* + define( 'ERROR_ADS_SERVER_CONNECT_FAILED', 2000 ); + # ERROR_FILTER_NOT_FOUND define( 'ERROR_FILTER_NOT_FOUND', 2000 ); define( 'ERROR_FILTER_TOO_OLD', 2001 ); Index: core/custom_function_api.php =================================================================== RCS file: /cvsroot/mantisbt/mantisbt/core/custom_function_api.php,v retrieving revision 1.27 diff -u -r1.27 custom_function_api.php --- core/custom_function_api.php 18 May 2006 05:53:44 -0000 1.27 +++ core/custom_function_api.php 25 Sep 2006 10:45:58 -0000 
@@ -128,9 +128,9 @@ # -------------------- # Hook for authentication # can Mantis update the password - function custom_function_default_auth_can_change_password( ) { + function custom_function_default_auth_can_change_password( $p_login_method ) { $t_can_change = array( PLAIN, CRYPT, CRYPT_FULL_SALT, MD5 ); - if ( in_array( config_get( 'login_method' ), $t_can_change ) ) { + if ( in_array( $p_login_method, $t_can_change ) ) { return true; } else { return false; @@ -347,4 +347,4 @@ # html_api.php. For each button, this function needs to generate the enclosing '<td>' and '</td>'. function custom_function_default_print_bug_view_page_custom_buttons( $p_bug_id ) { } -?> \ No newline at end of file +?> Index: core/ldap_api.php =================================================================== RCS file: /cvsroot/mantisbt/mantisbt/core/ldap_api.php,v retrieving revision 1.19 diff -u -r1.19 ldap_api.php --- core/ldap_api.php 22 Apr 2006 01:52:14 -0000 1.19 +++ core/ldap_api.php 25 Sep 2006 10:45:58 -0000 @@ -153,4 +153,5 @@ # -------------------- # Change the user's password in the LDAP Directory + ?> Index: core/user_api.php =================================================================== RCS file: /cvsroot/mantisbt/mantisbt/core/user_api.php,v retrieving revision 1.107 diff -u -r1.107 user_api.php --- core/user_api.php 29 Oct 2005 09:52:52 -0000 1.107 +++ core/user_api.php 25 Sep 2006 10:45:58 -0000 @@ -13,6 +13,7 @@ require_once( $t_core_dir . 'email_api.php' ); require_once( $t_core_dir . 'ldap_api.php' ); + require_once( $t_core_dir . 'ads_api.php' ); ### User API ### 
@@ -326,17 +327,18 @@ # -------------------- # Create a user. # returns false if error, the generated cookie string if ok - function user_create( $p_username, $p_password, $p_email='', $p_access_level=null, $p_protected=false, $p_enabled=true, $p_realname='' ) { + function user_create( $p_username, $p_password, $p_email='', $p_login_method=MD5, $p_access_level=null, $p_protected=false, $p_enabled=true, $p_realname='' ) { if ( null === $p_access_level ) { $p_access_level = config_get( 'default_new_account_access_level'); } - $t_password = auth_process_plain_password( $p_password ); + $t_password = auth_process_plain_password( $p_password, 'MD5' ); $c_username = db_prepare_string( $p_username ); $c_realname = db_prepare_string( $p_realname ); $c_password = db_prepare_string( $t_password ); $c_email = db_prepare_string( $p_email ); + $c_login_method = db_prepare_int( $p_login_method ); $c_access_level = db_prepare_int( $p_access_level ); $c_protected = db_prepare_bool( $p_protected ); $c_enabled = db_prepare_bool( $p_enabled ); @@ -352,10 +354,10 @@ $query = "INSERT INTO $t_user_table ( username, email, password, date_created, last_visit, - enabled, access_level, login_count, cookie_string, realname ) + enabled, access_level, login_count, cookie_string, realname, login_method ) VALUES ( '$c_username', '$c_email', '$c_password', " . db_now() . "," . db_now() . ", - $c_enabled, $c_access_level, 0, '$t_cookie_string', '$c_realname')"; + $c_enabled, $c_access_level, 0, '$t_cookie_string', '$c_realname', '$c_login_method')"; db_query( $query ); # Create preferences for the user 
@@ -1054,12 +1056,13 @@ # Set the user's password to the given string, encoded as appropriate function user_set_password( $p_user_id, $p_password, $p_allow_protected=false ) { $c_user_id = db_prepare_int( $p_user_id ); + $t_user_login_method = user_get_field( $p_user_id, 'login_method' ); if ( !$p_allow_protected ) { user_ensure_unprotected( $p_user_id ); } - $t_password = auth_process_plain_password( $p_password ); + $t_password = auth_process_plain_password( $p_password, $t_user_login_method ); $t_user_table = config_get( 'mantis_user_table' ); $query = "UPDATE $t_user_table SET password='$t_password' @@ -1120,8 +1123,9 @@ if ( ( ON == config_get( 'send_reset_password' ) ) && ( ON == config_get( 'enable_email_notification' ) ) ) { # Create random password $t_email = user_get_field( $p_user_id, 'email' ); + $t_user_login_method = user_get_field ( $p_user_id, 'login_method' ); $t_password = auth_generate_random_password( $t_email ); - $t_password2 = auth_process_plain_password( $t_password ); + $t_password2 = auth_process_plain_password( $t_password, $t_user_login_method ); user_set_field( $p_user_id, 'password', $t_password2 ); @@ -1132,7 +1136,8 @@ } } else { # use blank password, no emailing - $t_password = auth_process_plain_password( '' ); + $t_user_login_method = user_get_field( $p_user_id, 'login_method' ); + $t_password = auth_process_plain_password( '', $t_user_login_method ); user_set_field( $p_user_id, 'password', $t_password ); # reset the failed login count because in this mode there is no emailing user_reset_failed_login_count_to_zero( $p_user_id ); Index: lang/strings_dutch.txt =================================================================== RCS file: /cvsroot/mantisbt/mantisbt/lang/strings_dutch.txt,v retrieving revision 1.108 diff -u -r1.108 strings_dutch.txt --- lang/strings_dutch.txt 25 Sep 2006 05:16:48 -0000 1.108 +++ lang/strings_dutch.txt 25 Sep 2006 10:45:58 -0000 
@@ -384,6 +384,7 @@ $s_update_user_button = 'Gebruiker aanpassen'; $s_verify_warning = 'Uw account is gecontroleerd. Het accountbevestigingsbericht dat u heeft ontvangen is niet langer bruikbaar.'; $s_verify_change_password = 'Hier dient een wachtwoord ingegeven te worden om opnieuw te kunnen aanmelden.'; +$s_login_method = 'Aanmeldings-methode'; # account_prefs_page.php $s_default_account_preferences_title = 'Standaard accountinstellingen'; Index: lang/strings_english.txt =================================================================== RCS file: /cvsroot/mantisbt/mantisbt/lang/strings_english.txt,v retrieving revision 1.280 diff -u -r1.280 strings_english.txt --- lang/strings_english.txt 25 Sep 2006 05:16:48 -0000 1.280 +++ lang/strings_english.txt 25 Sep 2006 10:45:59 -0000 @@ -262,6 +262,7 @@ $MANTIS_ERROR[ERROR_PROJECT_RECURSIVE_HIERARCHY] = 'That operation would create a loop in the subproject hierarchy.'; $MANTIS_ERROR[ERROR_USER_CHANGE_LAST_ADMIN] = 'You cannot change the access level of the only ADMINISTRATOR in the system.'; $MANTIS_ERROR[ERROR_PAGE_REDIRECTION] = 'Page redirection error, ensure that there are no spaces outside the PHP block (<?php ?>) in config_inc.php or custom_*.php files.'; +$MANTIS_ERROR[ERROR_ADS_SERVER_CONNECT_FAILED] = 'ADS Server Connection Failed'; $s_login_error = 'Your account may be disabled or blocked or the username/password you entered is incorrect.'; $s_login_cookies_disabled = 'Your browser either doesn\'t know how to handle cookies, or refuses to handle them.'; 
@@ -380,6 +381,7 @@ $s_update_user_button = 'Update User'; $s_verify_warning = 'Your account information has been verified. The account confirmation message you have received is now invalid.'; $s_verify_change_password = 'You must set a password here to allow you to log in again.'; +$s_login_method = 'Authentication method'; # account_prefs_page.php $s_default_account_preferences_title = 'Account Preferences'; Index: lang/strings_german.txt =================================================================== RCS file: /cvsroot/mantisbt/mantisbt/lang/strings_german.txt,v retrieving revision 1.145 diff -u -r1.145 strings_german.txt --- lang/strings_german.txt 25 Sep 2006 05:16:48 -0000 1.145 +++ lang/strings_german.txt 25 Sep 2006 10:45:59 -0000 @@ -385,6 +385,7 @@ $s_update_user_button = 'Benutzer aktualisieren'; $s_verify_warning = 'Ihre Kontoinformationen wurden �berpr�ft. Die von Ihnen erhaltene Konto Best�tigungsmeldung ist jetzt ung�ltig.'; $s_verify_change_password = 'Sie m�ssen hier ein Pa�wort vergeben, um sich wieder anmelden zu k�nnen.'; +$s_login_method = 'Authentifizierungs-Methode'; # account_prefs_page.php $s_default_account_preferences_title = 'Kontoeinstellungen'; ads_api.php (3,364 bytes)
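Review bot: In login.php (hunk @@ -20,13 +20,15 @@) `$f_login_method` is looked up from the posted `$f_username` before the BASIC_AUTH and HTTP_AUTH branches assign `$f_username` from `$_SERVER['REMOTE_USER']` or `$_SERVER['PHP_AUTH_USER']`, so for those two methods the account whose method is being read is not yet known. `user_get_id_by_name()` can also return false for an unknown name (auth_attempt_login tests `false === $t_user_id`), and that false is passed straight to `user_get_field()` here and again in auth_attempt_login ahead of the false check. Suggest resolving the user id first, falling back to `config_get( 'login_method' )` when there is no row, so that known and unknown usernames take the same path.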
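Review bot: In core/authentication_api.php (hunk @@ -201,22 +201,25 @@) the new `case ADS:` / `case LDAP:` dispatch is keyed on the stored per-user method, while login_page.php still calls `auth_does_password_match( $t_admin_user_id, 'root' )` every time the login form is rendered. If the `administrator` row is ever set to ADS or LDAP, each anonymous page view becomes a directory bind attempt with the password `root`, which can count toward the directory's lockout policy. Suggest skipping the default-password probe unless the account uses one of the locally hashed methods (MD5, CRYPT, PLAIN).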
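Review bot: In core/constant_inc.php (hunk @@ -286,6 +287,9 @@) `ERROR_ADS_SERVER_CONNECT_FAILED` is defined as 2000, the same value as `ERROR_FILTER_NOT_FOUND` a few lines below it, so `$MANTIS_ERROR[2000]` can hold only one of the two messages and a failed directory connection may be reported as a filter error or the reverse. Pick an unused error number for the ADS range.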
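Review bot: In core/user_api.php (hunk @@ -326,17 +327,18 @@) `auth_process_plain_password( $p_password, 'MD5' )` passes the string 'MD5' where the rewritten function switches on the integer method constants, and it ignores `$p_login_method` altogether, so the stored hash does not follow the method written to the new column. Pass `$p_login_method` (or the `MD5` constant) and decide whether an ADS or LDAP account should store a local password at all. The new `$p_login_method` parameter is also inserted ahead of `$p_access_level`, which shifts every later positional argument; only manage_user_create.php is updated in this patch, so any other caller needs the same change or the parameter should go last.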
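Review bot: In admin/schema.php (hunk @@ -303,7 +303,8 @@) `login_method` is added by editing the existing create-table step for the user table instead of appending a new `$upgrade[]` entry, so an installation that has already run this step never gets the column, while login.php and auth_attempt_login now read it on every login. Add the column as a separate upgrade step at the end of the list and state which method `DEFAULT '0'` is meant to give existing rows.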
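Review bot: In config_defaults_inc.php (hunk @@ -832,6 +832,16 @@) the only transport shown for ADS is `ldap://` on port 389, and ads_bind() in the attached ads_api.php performs a simple bind with the user's password over that connection, so the default configuration sends directory credentials unencrypted. Document an `ldaps://` (or StartTLS) setting next to `$g_ads_server` and make the example use it.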
<?php
	# Mantis - a php based bugtracking system
	# Copyright (C) 2000 - 2002 Kenzaburo Ito - kenito@300baud.org
	# Copyright (C) 2002 - 2004 Mantis Team - mantisbt-dev@lists.sourceforge.net
	# This program is distributed under the terms and conditions of the GPL
	# See the README and LICENSE files for details

	# --------------------------------------------------------
	# $Id: ads_api.php,v 1.01 2006/09/21 01:52:14 hkaufmann Exp $
	# --------------------------------------------------------

	###########################################################################
	# Active Directory API
	###########################################################################

	# --------------------
	# Connect to the ADS directory
	function ads_connect() {
		# Get ads configuration
		$t_ads_server = config_get( 'ads_server' );
		$t_ads_port = config_get( 'ads_port' );

		# Connection to ADS-Server
		$t_ds = @ldap_connect ( $t_ads_server, $t_ads_port);

		# Trigger error
		if ( !$t_ds ) {
			trigger_error( ERROR_ADS_SERVER_CONNECT_FAILED, ERROR );
		}

		return $t_ds;
	}

	# --------------------
	# Bind to the ADS directory
	function ads_bind( $p_ds, $p_bindname = '', $p_password = '' ) {
		# If no Bind DN and Password is set, attempt to login as the configured Bind DN.
		if ( is_blank( $p_bindname ) && is_blank( $p_password ) ) {
			$p_bindname = config_get( 'ads_bind_name', '' );
			$p_password = config_get( 'ads_bind_passwd', '' );
		}

		# Try bind
		if ( !is_blank( $p_bindname ) && !is_blank( $p_password ) ) {
			# Get domain
			$t_ads_domain = config_get( 'ads_domain' ) ;
			$t_bindname = "$t_ads_domain\\$p_bindname";
			$t_br = @ldap_bind( $p_ds, $t_bindname, $p_password );
		}
		# If either bindname or password is empty try anonymous bind
		else {
			$t_br = @ldap_bind( $p_ds );
		}

		return $t_br;
	}

	# --------------------
	# Attempt to authenticate the user against the MS Active Directory
	# return true on successful authentication, false otherwise
	function ads_authenticate( $p_user_id, $p_password ) {
		# if password is empty and Active Directory allows anonymous login, then
		# the user will be able to login, so we need to check for this special case.
		if ( is_blank( $p_password ) ) {
			return false;
		}

		# Connection to ADS-Server
		$t_ds = ads_connect();

		# Get username
		$t_username = user_get_field( $p_user_id, 'username' );

		# Try bind
		if ( ads_bind($t_ds, $t_username, $p_password) )
			$t_authenticated = true;
		else
			$t_authenticated = false;

		# Unbind
		ldap_unbind( $t_ds );

		return $t_authenticated;
	}

	# --------------------
	# Create a new user account in the Active Directory.

	# --------------------
	# Update the user's account in the Active Directory

	# --------------------
	# Change the user's password in the Active Directory
?>
mantisbt_ads_v3.patch (28,371 bytes)
? core/ads_api.php Index: account_page.php =================================================================== RCS file: /cvsroot/mantisbt/mantisbt/account_page.php,v retrieving revision 1.51 diff -u -r1.51 account_page.php --- account_page.php 17 Jul 2005 21:56:21 -0000 1.51 +++ account_page.php 4 Oct 2006 09:21:19 -0000 @@ -52,7 +52,7 @@ $row = user_get_row( auth_get_current_user_id() ); extract( $row, EXTR_PREFIX_ALL, 'u' ); - $t_ldap = ( LDAP == config_get( 'login_method' ) ); + $t_ldap = ( LDAP == $row['login_method'] ); # In case we're using LDAP to get the email address... this will pull out # that version instead of the one in the DB @@ -72,7 +72,7 @@ <center><div style="color:red; width:75%"> <?php echo lang_get( 'verify_warning' ); - if ( helper_call_custom_function( 'auth_can_change_password', array() ) ) { + if ( helper_call_custom_function( 'auth_can_change_password', array($row['login_method']) ) ) { echo '<br />' . lang_get( 'verify_change_password' ); } ?> @@ -93,7 +93,7 @@ </td> </tr> -<?php if ( !helper_call_custom_function( 'auth_can_change_password', array() ) ) { ?> <!-- With LDAP --> +<?php if ( !helper_call_custom_function( 'auth_can_change_password', array($row['login_method']) ) ) { ?> <!-- With LDAP --> <!-- Username --> <tr class="row-1"> Index: account_update.php =================================================================== RCS file: /cvsroot/mantisbt/mantisbt/account_update.php,v retrieving revision 1.40 diff -u -r1.40 account_update.php --- account_update.php 30 Nov 2004 13:02:57 -0000 1.40 +++ account_update.php 22 Sep 2006 07:53:31 -0000 
@@ -68,7 +68,7 @@ } # Update password if the two match and are not empty - if ( !is_blank( $f_password ) ) { + if ( !is_blank( $f_password ) ) { if ( $f_password != $f_password_confirm ) { trigger_error( ERROR_USER_CREATE_PASSWORD_MISMATCH, ERROR ); } else { Index: config_defaults_inc.php =================================================================== RCS file: /cvsroot/mantisbt/mantisbt/config_defaults_inc.php,v retrieving revision 1.311 diff -u -r1.311 config_defaults_inc.php --- config_defaults_inc.php 16 Sep 2006 18:02:05 -0000 1.311 +++ config_defaults_inc.php 22 Sep 2006 14:19:45 -0000 @@ -831,6 +831,16 @@ # The LDAP Protocol Version, if 0, then the protocol version is not set. $g_ldap_protocol_version = 0; + ############################# + # Mantis ADS Settings + ############################# + # --- using MS Active Directory ------------- + $g_ads_server = 'ldap://ads.example.com.au/'; + $g_ads_port = '389'; + $g_ads_domain = 'myDomain'; # ADS domain like 'myDomain' + $g_ads_bind_name = ''; + $g_ads_bind_passwd = ''; + ############################ # Status Settings ############################ 
@@ -1082,10 +1092,26 @@ # example: $g_set_status_threshold = array( ACKNOWLEDGED => MANAGER, CONFIRMED => DEVELOPER, CLOSED => MANAGER ); $g_set_status_threshold = array(); + # --- login method strings -------- + # Don't change this + $g_login_method_strings[PLAIN] = "Plain"; + $g_login_method_strings[CRYPT] = "Crypt"; + $g_login_method_strings[CRYPT_FULL_SALT] = "Crypt full salt"; + $g_login_method_strings[MD5] = "MD5"; + $g_login_method_strings[LDAP] = "LDAP"; + $g_login_method_strings[BASIC_AUTH] = "Basic Auth"; + $g_login_method_strings[HTTP_AUTH] = "HTTP Auth"; + $g_login_method_strings[ADS] = "Active Directory"; + # --- login method ---------------- - # CRYPT or PLAIN or MD5 or LDAP or BASIC_AUTH + # CRYPT or PLAIN or MD5 or LDAP or BASIC_AUTH or ADS # You can simply change this at will. Mantis will try to figure out how the passwords were encrypted. + # ATTENTION: This might soon be depricated $g_login_method = MD5; + + # Enter here your allowed login methods. This values will be choosable when create new user + # e.g. array(LDAP, ADS, MD5, CRYPT) + $g_login_methods = array(MD5); # --- limit reporters ------------- # Set to ON if you wish to limit reporters to only viewing bugs that they report. @@ -1767,4 +1793,4 @@ # The maximum number of issues to keep in the recently visited list. $g_recently_visited_count = 5; -?> \ No newline at end of file +?> Index: login.php =================================================================== RCS file: /cvsroot/mantisbt/mantisbt/login.php,v retrieving revision 1.36 diff -u -r1.36 login.php --- login.php 7 Aug 2005 16:01:37 -0000 1.36 +++ login.php 4 Oct 2006 09:23:26 -0000 
@@ -20,13 +20,15 @@ $f_perm_login = gpc_get_bool( 'perm_login' ); $f_return = gpc_get_string( 'return', config_get( 'default_home_page' ) ); $f_from = gpc_get_string( 'from', '' ); + $f_login_method = user_get_field( user_get_id_by_name($f_username), 'login_method' ); + - if ( BASIC_AUTH == config_get( 'login_method' ) ) { + if ( BASIC_AUTH == $f_login_method ) { $f_username = $_SERVER['REMOTE_USER']; $f_password = $_SERVER['PHP_AUTH_PW']; } - if ( HTTP_AUTH == config_get( 'login_method' ) ) { + if ( HTTP_AUTH == $f_login_method ) { if ( !auth_http_is_logout_pending() ) { if ( isset( $_SERVER['PHP_AUTH_USER'] ) ) @@ -45,7 +47,7 @@ } else { $t_redirect_url = 'login_page.php?return=' . urlencode( $f_return ) . '&error=1'; - if ( HTTP_AUTH == config_get( 'login_method' ) ) { + if ( HTTP_AUTH == $f_login_method ) { auth_http_prompt(); exit; } Index: login_page.php =================================================================== RCS file: /cvsroot/mantisbt/mantisbt/login_page.php,v retrieving revision 1.56 diff -u -r1.56 login_page.php --- login_page.php 24 Jul 2006 01:31:28 -0000 1.56 +++ login_page.php 4 Oct 2006 09:25:48 -0000 @@ -22,23 +22,6 @@ $f_cookie_error = gpc_get_bool( 'cookie_error' ); $f_return = gpc_get_string( 'return', '' ); - # Check for HTTP_AUTH. HTTP_AUTH is handled in login.php - - if ( HTTP_AUTH == config_get( 'login_method' ) ) { - $t_uri = "login.php"; - - if ( !$f_return && ON == config_get( 'allow_anonymous_login' ) ) { - $t_uri = "login_anon.php"; - } - - if ( $f_return ) { - $t_uri .= "?return=" . urlencode( $f_return ); - } - - print_header_redirect( $t_uri ); - exit; - } - html_page_top1(); html_page_top2a(); 
@@ -127,7 +110,7 @@ # # Warning, if plain passwords are selected - if ( config_get( 'login_method' ) === PLAIN ) { + if ( in_array( PLAIN, $g_login_methods ) ){ echo '<div class="warning" align="center">'; echo '<p><font color="red"><strong>WARNING:</strong> Plain password authentication is used, this will expose your passwords to administrators.</font></p>'; echo '</div>'; @@ -135,7 +118,7 @@ # Generate a warning if administrator/root is valid. $t_admin_user_id = user_get_id_by_name( 'administrator' ); - if ( $t_admin_user_id !== false ) { + if ( $t_admin_user_id !== false ) { if ( user_is_enabled( $t_admin_user_id ) && auth_does_password_match( $t_admin_user_id, 'root' ) ) { echo '<div class="warning" align="center">'; echo '<p><font color="red"><strong>WARNING:</strong> You should disable the default "administrator" account or change its password.</font></p>'; Index: manage_user_create.php =================================================================== RCS file: /cvsroot/mantisbt/mantisbt/manage_user_create.php,v retrieving revision 1.22 diff -u -r1.22 manage_user_create.php --- manage_user_create.php 21 Mar 2005 20:48:55 -0000 1.22 +++ manage_user_create.php 22 Sep 2006 13:01:23 -0000 @@ -22,6 +22,7 @@ $f_password = gpc_get_string( 'password', '' ); $f_password_verify = gpc_get_string( 'password_verify', '' ); $f_email = gpc_get_string( 'email' ); + $f_login_method = gpc_get_string( 'login_method' ); $f_access_level = gpc_get_string( 'access_level' ); $f_protected = gpc_get_bool( 'protected' ); $f_enabled = gpc_get_bool( 'enabled' ); 
@@ -58,7 +59,7 @@ } } - $t_cookie = user_create( $f_username, $f_password, $f_email, $f_access_level, $f_protected, $f_enabled, $f_realname ); + $t_cookie = user_create( $f_username, $f_password, $f_email, $f_login_method, $f_access_level, $f_protected, $f_enabled, $f_realname ); if ( $t_cookie === false ) { $t_redirect_url = 'manage_user_page.php'; Index: manage_user_create_page.php =================================================================== RCS file: /cvsroot/mantisbt/mantisbt/manage_user_create_page.php,v retrieving revision 1.19 diff -u -r1.19 manage_user_create_page.php --- manage_user_create_page.php 21 Mar 2005 20:48:55 -0000 1.19 +++ manage_user_create_page.php 22 Sep 2006 12:48:19 -0000 @@ -75,6 +75,21 @@ ?> <tr <?php echo helper_alternate_class() ?>> <td class="category"> + <?php echo lang_get( 'login_method' ) ?> + </td> + <td> + <select name="login_method"> + <?php + for ($i=0; $i<sizeof($g_login_methods); $i++) + { + echo "<option value='".$g_login_methods[$i]."'>".$g_login_method_strings[$g_login_methods[$i]]."</option>"; + } + ?> + </select> + </td> +</tr> +<tr <?php echo helper_alternate_class() ?>> + <td class="category"> <?php echo lang_get( 'access_level' ) ?> </td> <td> Index: manage_user_edit_page.php =================================================================== RCS file: /cvsroot/mantisbt/mantisbt/manage_user_edit_page.php,v retrieving revision 1.16 diff -u -r1.16 manage_user_edit_page.php --- manage_user_edit_page.php 26 Mar 2006 10:35:33 -0000 1.16 +++ manage_user_edit_page.php 4 Oct 2006 10:01:29 -0000 
@@ -69,6 +69,25 @@ </td> </tr> +<!-- Login Method --> +<tr <?php echo helper_alternate_class() ?>> + <td class="category"> + <?php echo lang_get( 'login_method' ) ?>: + </td> + <td> + <select name="login_method"> + <?php + for ($i=0; $i<sizeof($g_login_methods); $i++) + { + echo "<option value='".$g_login_methods[$i]."'"; + if ( $t_user['login_method'] == $g_login_methods[$i] ) echo " SELECTED"; + echo ">".$g_login_method_strings[$g_login_methods[$i]]."</option>"; + } + ?> + </select> + </td> +</tr> + <!-- Access Level --> <tr <?php echo helper_alternate_class() ?>> <td class="category"> @@ -116,10 +135,12 @@ <!-- RESET AND DELETE --> <div class="border-center"> <!-- Reset Button --> +<?php if ( $t_user['login_method'] != 7 ) { ?> <form method="post" action="manage_user_reset.php"> <input type="hidden" name="user_id" value="<?php echo $t_user['id'] ?>" /> <input type="submit" class="button" value="<?php echo lang_get( 'reset_password_button' ) ?>" /> </form> +<?php } ?> <!-- Delete Button --> <?php if ( !( ( ADMINISTRATOR <= $t_user['access_level'] ) && ( 1 >= user_count_level( ADMINISTRATOR ) ) ) ) { ?> Index: manage_user_update.php =================================================================== RCS file: /cvsroot/mantisbt/mantisbt/manage_user_update.php,v retrieving revision 1.38 diff -u -r1.38 manage_user_update.php --- manage_user_update.php 26 Mar 2006 10:35:33 -0000 1.38 +++ manage_user_update.php 4 Oct 2006 10:08:55 -0000 @@ -24,6 +24,7 @@ $f_email = gpc_get_string( 'email', '' ); $f_username = gpc_get_string( 'username', '' ); $f_realname = gpc_get_string( 'realname', '' ); + $f_login_method = gpc_get_string( 'login_method', '' ); $f_access_level = gpc_get_int( 'access_level' ); $f_user_id = gpc_get_int( 'user_id' ); 
@@ -49,6 +50,7 @@ $c_enabled = db_prepare_bool( $f_enabled ); $c_user_id = db_prepare_int( $f_user_id ); $c_access_level = db_prepare_int( $f_access_level ); + $c_login_method = db_prepare_int( $f_login_method ); $t_user_table = config_get( 'mantis_user_table' ); @@ -67,7 +69,7 @@ } # if the user is already protected and the admin is not removing the - # protected flag then don't update the access level and enabled flag. + # protected flag then don't update the access level, login_method and enabled flag. # If the user was unprotected or the protected flag is being turned off # then proceed with a full update. if ( $f_protected && $t_old_protected ) { @@ -77,7 +79,7 @@ WHERE id='$c_user_id'"; } else { $query = "UPDATE $t_user_table - SET username='$c_username', email='$c_email', + SET username='$c_username', email='$c_email', login_method='$c_login_method', access_level='$c_access_level', enabled='$c_enabled', protected='$c_protected', realname='$c_realname' WHERE id='$c_user_id'"; Index: admin/schema.php =================================================================== RCS file: /cvsroot/mantisbt/mantisbt/admin/schema.php,v retrieving revision 1.11 diff -u -r1.11 schema.php --- admin/schema.php 14 Aug 2006 08:32:57 -0000 1.11 +++ admin/schema.php 4 Oct 2006 08:46:28 -0000 @@ -303,7 +303,8 @@ login_count I NOTNULL DEFAULT '0', lost_password_request_count I2 NOTNULL DEFAULT '0', failed_login_count I2 NOTNULL DEFAULT '0', - cookie_string C(64) NOTNULL DEFAULT \" '' \" + cookie_string C(64) NOTNULL DEFAULT \" '' \", + login_method I2 NOTNULL DEFAULT '0' ",Array('mysql' => 'TYPE=MyISAM', 'pgsql' => 'WITHOUT OIDS'))); $upgrade[] = Array('CreateIndexSQL',Array('idx_user_cookie_string',config_get('mantis_user_table'),'cookie_string',Array('UNIQUE'))); $upgrade[] = Array('CreateIndexSQL',Array('idx_user_username',config_get('mantis_user_table'),'username',Array('UNIQUE'))); 
@@ -325,4 +326,4 @@ body XS NOTNULL ",Array('mysql' => 'TYPE=MyISAM', 'pgsql' => 'WITHOUT OIDS'))); $upgrade[] = Array('CreateIndexSQL',Array('idx_email_id',config_get('mantis_email_table'),'email_id')); -?> \ No newline at end of file +?> Index: core/authentication_api.php =================================================================== RCS file: /cvsroot/mantisbt/mantisbt/core/authentication_api.php,v retrieving revision 1.55 diff -u -r1.55 authentication_api.php --- core/authentication_api.php 23 Apr 2006 12:32:59 -0000 1.55 +++ core/authentication_api.php 4 Oct 2006 09:33:30 -0000 @@ -74,7 +74,7 @@ function auth_attempt_login( $p_username, $p_password, $p_perm_login=false ) { $t_user_id = user_get_id_by_name( $p_username ); - $t_login_method = config_get( 'login_method' ); + $t_login_method = user_get_field($t_user_id, 'login_method'); if ( false === $t_user_id ) { if ( BASIC_AUTH == $t_login_method ) { @@ -118,7 +118,7 @@ if ( !( ( ON == $t_anon_allowed ) && ( $t_anon_account == $p_username) ) ) { # anonymous login didn't work, so check the password - if ( !auth_does_password_match( $t_user_id, $p_password ) ) { + if ( !auth_does_password_match( $t_user_id, $p_password ) ) { user_increment_failed_login_count( $t_user_id ); return false; } 
@@ -201,22 +201,25 @@ # Return true if the password for the user id given matches the given # password (taking into account the global login method) function auth_does_password_match( $p_user_id, $p_test_password ) { - $t_configured_login_method = config_get( 'login_method' ); - - if ( LDAP == $t_configured_login_method ) { - return ldap_authenticate( $p_user_id, $p_test_password ); - } + $t_user_login_method = user_get_field( $p_user_id, 'login_method' ); + switch ($t_user_login_method) + { + case ADS: return ads_authenticate( $p_user_id, $p_test_password ); break; + case LDAP: return ldap_authenticate( $p_user_id, $p_test_password ); break; + default: break; + } + $t_password = user_get_field( $p_user_id, 'password' ); $t_login_methods = Array(MD5, CRYPT, PLAIN); foreach ( $t_login_methods as $t_login_method ) { # pass the stored password in as the salt - if ( auth_process_plain_password( $p_test_password, $t_password, $t_login_method ) == $t_password ) { + if ( auth_process_plain_password( $p_test_password, $t_login_method, $t_password) == $t_password ) { # Check for migration to another login method and test whether the password was encrypted # with our previously insecure implemention of the CRYPT method - if ( ( $t_login_method != $t_configured_login_method ) || - ( ( CRYPT == $t_configured_login_method ) && substr( $t_password, 0, 2 ) == substr( $p_test_password, 0, 2 ) ) ) { + if ( ( $t_login_method != $t_user_login_method ) || + ( ( CRYPT == $t_user_login_method ) && substr( $t_password, 0, 2 ) == substr( $p_test_password, 0, 2 ) ) ) { user_set_password( $p_user_id, $p_test_password, true ); } 
@@ -235,13 +238,9 @@ # When encrypting a password to compare to a stored password, the stored # password should be passed in as salt. If the auth method is CRYPT then # crypt() will extract the appropriate portion of the stored password as its salt - function auth_process_plain_password( $p_password, $p_salt=null, $p_method=null ) { - $t_login_method = config_get( 'login_method' ); - if ( $p_method !== null ) { - $t_login_method = $p_method; - } + function auth_process_plain_password( $p_password, $p_login_method, $p_salt=null ) { - switch ( $t_login_method ) { + switch ( $p_login_method ) { case CRYPT: # a null salt is the same as no salt, which causes a salt to be generated # otherwise, use the salt given Index: core/constant_inc.php =================================================================== RCS file: /cvsroot/mantisbt/mantisbt/core/constant_inc.php,v retrieving revision 1.58 diff -u -r1.58 constant_inc.php --- core/constant_inc.php 12 Aug 2006 08:04:13 -0000 1.58 +++ core/constant_inc.php 22 Sep 2006 12:46:27 -0000 @@ -103,8 +103,9 @@ define( 'LDAP', 4 ); define( 'BASIC_AUTH', 5 ); define( 'HTTP_AUTH', 6 ); - - # file upload methods + define( 'ADS', 7 ); + + # file upload methods define( 'DISK', 1 ); define( 'DATABASE', 2 ); define( 'FTP', 3 ); @@ -286,6 +287,9 @@ define( 'ERROR_SIGNUP_NOT_MATCHING_CAPTCHA', 1904 ); define( 'ERROR_LOST_PASSWORD_MAX_IN_PROGRESS_ATTEMPTS_REACHED', 1905 ); + # ERROR_ADS_* + define( 'ERROR_ADS_SERVER_CONNECT_FAILED', 2000 ); + # ERROR_FILTER_NOT_FOUND define( 'ERROR_FILTER_NOT_FOUND', 2000 ); define( 'ERROR_FILTER_TOO_OLD', 2001 ); Index: core/custom_function_api.php =================================================================== RCS file: /cvsroot/mantisbt/mantisbt/core/custom_function_api.php,v retrieving revision 1.27 diff -u -r1.27 custom_function_api.php --- core/custom_function_api.php 18 May 2006 05:53:44 -0000 1.27 +++ core/custom_function_api.php 22 Sep 2006 09:31:40 -0000 
@@ -128,9 +128,9 @@ # -------------------- # Hook for authentication # can Mantis update the password - function custom_function_default_auth_can_change_password( ) { + function custom_function_default_auth_can_change_password( $p_login_method ) { $t_can_change = array( PLAIN, CRYPT, CRYPT_FULL_SALT, MD5 ); - if ( in_array( config_get( 'login_method' ), $t_can_change ) ) { + if ( in_array( $p_login_method, $t_can_change ) ) { return true; } else { return false; @@ -347,4 +347,4 @@ # html_api.php. For each button, this function needs to generate the enclosing '<td>' and '</td>'. function custom_function_default_print_bug_view_page_custom_buttons( $p_bug_id ) { } -?> \ No newline at end of file +?> Index: core/ldap_api.php =================================================================== RCS file: /cvsroot/mantisbt/mantisbt/core/ldap_api.php,v retrieving revision 1.19 diff -u -r1.19 ldap_api.php --- core/ldap_api.php 22 Apr 2006 01:52:14 -0000 1.19 +++ core/ldap_api.php 4 Oct 2006 08:26:42 -0000 @@ -153,4 +153,5 @@ # -------------------- # Change the user's password in the LDAP Directory + ?> Index: core/user_api.php =================================================================== RCS file: /cvsroot/mantisbt/mantisbt/core/user_api.php,v retrieving revision 1.107 diff -u -r1.107 user_api.php --- core/user_api.php 29 Oct 2005 09:52:52 -0000 1.107 +++ core/user_api.php 22 Sep 2006 13:01:37 -0000 @@ -13,6 +13,7 @@ require_once( $t_core_dir . 'email_api.php' ); require_once( $t_core_dir . 'ldap_api.php' ); + require_once( $t_core_dir . 'ads_api.php' ); ### User API ### 
@@ -326,17 +327,18 @@ # -------------------- # Create a user. # returns false if error, the generated cookie string if ok - function user_create( $p_username, $p_password, $p_email='', $p_access_level=null, $p_protected=false, $p_enabled=true, $p_realname='' ) { + function user_create( $p_username, $p_password, $p_email='', $p_login_method=MD5, $p_access_level=null, $p_protected=false, $p_enabled=true, $p_realname='' ) { if ( null === $p_access_level ) { $p_access_level = config_get( 'default_new_account_access_level'); } - $t_password = auth_process_plain_password( $p_password ); + $t_password = auth_process_plain_password( $p_password, 'MD5' ); $c_username = db_prepare_string( $p_username ); $c_realname = db_prepare_string( $p_realname ); $c_password = db_prepare_string( $t_password ); $c_email = db_prepare_string( $p_email ); + $c_login_method = db_prepare_int( $p_login_method ); $c_access_level = db_prepare_int( $p_access_level ); $c_protected = db_prepare_bool( $p_protected ); $c_enabled = db_prepare_bool( $p_enabled ); @@ -352,10 +354,10 @@ $query = "INSERT INTO $t_user_table ( username, email, password, date_created, last_visit, - enabled, access_level, login_count, cookie_string, realname ) + enabled, access_level, login_count, cookie_string, realname, login_method ) VALUES ( '$c_username', '$c_email', '$c_password', " . db_now() . "," . db_now() . ", - $c_enabled, $c_access_level, 0, '$t_cookie_string', '$c_realname')"; + $c_enabled, $c_access_level, 0, '$t_cookie_string', '$c_realname', '$c_login_method')"; db_query( $query ); # Create preferences for the user 
@@ -1054,12 +1056,13 @@ # Set the user's password to the given string, encoded as appropriate function user_set_password( $p_user_id, $p_password, $p_allow_protected=false ) { $c_user_id = db_prepare_int( $p_user_id ); + $t_user_login_method = user_get_field( $p_user_id, 'login_method' ); if ( !$p_allow_protected ) { user_ensure_unprotected( $p_user_id ); } - $t_password = auth_process_plain_password( $p_password ); + $t_password = auth_process_plain_password( $p_password, $t_user_login_method ); $t_user_table = config_get( 'mantis_user_table' ); $query = "UPDATE $t_user_table SET password='$t_password' @@ -1120,8 +1123,9 @@ if ( ( ON == config_get( 'send_reset_password' ) ) && ( ON == config_get( 'enable_email_notification' ) ) ) { # Create random password $t_email = user_get_field( $p_user_id, 'email' ); + $t_user_login_method = user_get_field ( $p_user_id, 'login_method' ); $t_password = auth_generate_random_password( $t_email ); - $t_password2 = auth_process_plain_password( $t_password ); + $t_password2 = auth_process_plain_password( $t_password, $t_user_login_method ); user_set_field( $p_user_id, 'password', $t_password2 ); @@ -1132,7 +1136,8 @@ } } else { # use blank password, no emailing - $t_password = auth_process_plain_password( '' ); + $t_user_login_method = user_get_field( $p_user_id, 'login_method' ); + $t_password = auth_process_plain_password( '', $t_user_login_method ); user_set_field( $p_user_id, 'password', $t_password ); # reset the failed login count because in this mode there is no emailing user_reset_failed_login_count_to_zero( $p_user_id ); Index: lang/strings_dutch.txt =================================================================== RCS file: /cvsroot/mantisbt/mantisbt/lang/strings_dutch.txt,v retrieving revision 1.99 diff -u -r1.99 strings_dutch.txt --- lang/strings_dutch.txt 21 Mar 2006 12:40:24 -0000 1.99 +++ lang/strings_dutch.txt 4 Oct 2006 09:32:40 -0000 
@@ -379,6 +379,7 @@ $s_update_user_button = 'Gebruiker aanpassen'; $s_verify_warning = 'Uw account is gecontroleerd. Het accountbevestigingsbericht dat u heeft ontvangen is niet langer bruikbaar.'; $s_verify_change_password = 'Hier dient een wachtwoord ingegeven te worden om opnieuw te kunnen aanmelden.'; +$s_login_method = 'Aanmeldings-methode'; # account_prefs_page.php $s_default_account_preferences_title = 'Standaard accountinstellingen'; Index: lang/strings_english.txt =================================================================== RCS file: /cvsroot/mantisbt/mantisbt/lang/strings_english.txt,v retrieving revision 1.276 diff -u -r1.276 strings_english.txt --- lang/strings_english.txt 12 Aug 2006 08:04:14 -0000 1.276 +++ lang/strings_english.txt 22 Sep 2006 12:24:59 -0000 @@ -259,6 +259,7 @@ $MANTIS_ERROR[ERROR_PROJECT_RECURSIVE_HIERARCHY] = 'That operation would create a loop in the subproject hierarchy.'; $MANTIS_ERROR[ERROR_USER_CHANGE_LAST_ADMIN] = 'You cannot change the access level of the only ADMINISTRATOR in the system.'; $MANTIS_ERROR[ERROR_PAGE_REDIRECTION] = 'Page redirection error, ensure that there are no spaces outside the PHP block (<?php ?>) in config_inc.php or custom_*.php files.'; +$MANTIS_ERROR[ERROR_ADS_SERVER_CONNECT_FAILED] = 'ADS Server Connection Failed'; #$s_login_error = 'Your account may be disabled or blocked (due to too many failed login attempts) or the username/password you entered is incorrect.'; $s_login_error = 'Your account may be disabled or blocked or the username/password you entered is incorrect.'; 
@@ -378,6 +379,7 @@ $s_update_user_button = 'Update User'; $s_verify_warning = 'Your account information has been verified. The account confirmation message you have received is now invalid.'; $s_verify_change_password = 'You must set a password here to allow you to log in again.'; +$s_login_method = 'Authentication method'; # account_prefs_page.php $s_default_account_preferences_title = 'Account Preferences'; Index: lang/strings_german.txt =================================================================== RCS file: /cvsroot/mantisbt/mantisbt/lang/strings_german.txt,v retrieving revision 1.139 diff -u -r1.139 strings_german.txt --- lang/strings_german.txt 20 Feb 2006 09:08:46 -0000 1.139 +++ lang/strings_german.txt 22 Sep 2006 12:24:29 -0000 @@ -260,6 +260,7 @@ $MANTIS_ERROR[ERROR_LOST_PASSWORD_MAX_IN_PROGRESS_ATTEMPTS_REACHED] = 'Max. Anzahl der in Bearbeitung befindlichen Anfragen erreicht. Bitte setzen Sie sich mit Ihrem Systemadministrator in Verbindung.'; $MANTIS_ERROR[ERROR_PROJECT_RECURSIVE_HIERARCHY] = 'Diese Operation w�rde eine Schleife in der Unterprojekthierarchie erzeugen.'; $MANTIS_ERROR[ERROR_USER_CHANGE_LAST_ADMIN] = 'Sie k�nnen die Zugangsrechte des einzigen System-ADMINISTRATORS nicht �ndern.'; +$MANTIS_ERROR[ERROR_ADS_SERVER_CONNECT_FAILED] = 'Verbindung zum ADS Server fehlgeschlagen'; #$s_login_error = 'Your account may be disabled or blocked (due to too many failed login attempts) or the username/password you entered is incorrect.'; $s_login_error = 'Benutzername oder Passwort falsch.'; 
@@ -379,6 +380,7 @@ $s_update_user_button = 'Benutzer aktualisieren'; $s_verify_warning = 'Ihre Kontoinformationen wurden �berpr�ft. Die von Ihnen erhaltene Konto Best�tigungsmeldung ist jetzt ung�ltig.'; $s_verify_change_password = 'Sie m�ssen hier ein Pa�wort vergeben, um sich wieder anmelden zu k�nnen.'; +$s_login_method = 'Authentifizierungs-Methode'; # account_prefs_page.php $s_default_account_preferences_title = 'Kontoeinstellungen'; mantisbt_ads_v4.patch (28,953 bytes)
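Review bot: In mantisbt_ads_v2.patch, core/constant_inc.php, the new `ERROR_ADS_SERVER_CONNECT_FAILED` is defined as 2000, which is the value already used by `ERROR_FILTER_NOT_FOUND` in the context lines directly below it. The `$MANTIS_ERROR[ERROR_ADS_SERVER_CONNECT_FAILED]` strings added to strings_english.txt and strings_german.txt are keyed by that number, so the ADS message and whatever is registered for the filter error would share one slot. Give ERROR_ADS_* its own unused number.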
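Review bot: In mantisbt_ads_v2.patch, core/user_api.php, `user_create()` hashes with `auth_process_plain_password( $p_password, 'MD5' )`, passing the quoted string 'MD5' rather than the `MD5` constant, and ignoring the `$p_login_method` it has just been given. The `switch ( $p_login_method )` in auth_process_plain_password compares against the integer constants, so the string will not select the intended case reliably. Pass the constant or `$p_login_method`. The same hunk inserts `$p_login_method` in the middle of the positional parameter list, so any caller not touched by this patch will now pass its access level as the login method; appending the new parameter at the end would avoid that.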
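Review bot: In mantisbt_ads_v2.patch, core/authentication_api.php, `auth_process_plain_password()` changes from `( $p_password, $p_salt=null, $p_method=null )` to `( $p_password, $p_login_method, $p_salt=null )`, swapping the meaning of the second and third arguments and making the method mandatory. The callers in this patch are updated, but any remaining caller or custom function that still passes the stored password as the second argument will have it interpreted as a method and will hash without the salt, with no error raised. Keeping the original argument order and only dropping the `config_get( 'login_method' )` fallback would be safer. The comment above `auth_does_password_match()` still says "taking into account the global login method" and should be updated to match.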
? core/ads_api.php Index: account_page.php =================================================================== RCS file: /cvsroot/mantisbt/mantisbt/account_page.php,v retrieving revision 1.51 diff -u -r1.51 account_page.php --- account_page.php 17 Jul 2005 21:56:21 -0000 1.51 +++ account_page.php 4 Oct 2006 09:21:19 -0000 @@ -52,7 +52,7 @@ $row = user_get_row( auth_get_current_user_id() ); extract( $row, EXTR_PREFIX_ALL, 'u' ); - $t_ldap = ( LDAP == config_get( 'login_method' ) ); + $t_ldap = ( LDAP == $row['login_method'] ); # In case we're using LDAP to get the email address... this will pull out # that version instead of the one in the DB @@ -72,7 +72,7 @@ <center><div style="color:red; width:75%"> <?php echo lang_get( 'verify_warning' ); - if ( helper_call_custom_function( 'auth_can_change_password', array() ) ) { + if ( helper_call_custom_function( 'auth_can_change_password', array($row['login_method']) ) ) { echo '<br />' . lang_get( 'verify_change_password' ); } ?> @@ -93,7 +93,7 @@ </td> </tr> -<?php if ( !helper_call_custom_function( 'auth_can_change_password', array() ) ) { ?> <!-- With LDAP --> +<?php if ( !helper_call_custom_function( 'auth_can_change_password', array($row['login_method']) ) ) { ?> <!-- With LDAP --> <!-- Username --> <tr class="row-1"> Index: account_update.php =================================================================== RCS file: /cvsroot/mantisbt/mantisbt/account_update.php,v retrieving revision 1.40 diff -u -r1.40 account_update.php --- account_update.php 30 Nov 2004 13:02:57 -0000 1.40 +++ account_update.php 22 Sep 2006 07:53:31 -0000 
@@ -68,7 +68,7 @@ } # Update password if the two match and are not empty - if ( !is_blank( $f_password ) ) { + if ( !is_blank( $f_password ) ) { if ( $f_password != $f_password_confirm ) { trigger_error( ERROR_USER_CREATE_PASSWORD_MISMATCH, ERROR ); } else { Index: config_defaults_inc.php =================================================================== RCS file: /cvsroot/mantisbt/mantisbt/config_defaults_inc.php,v retrieving revision 1.314 diff -u -r1.314 config_defaults_inc.php --- config_defaults_inc.php 1 Oct 2006 00:31:42 -0000 1.314 +++ config_defaults_inc.php 5 Oct 2006 09:10:10 -0000 @@ -842,6 +842,16 @@ # The LDAP Protocol Version, if 0, then the protocol version is not set. $g_ldap_protocol_version = 0; + ############################# + # Mantis ADS Settings + ############################# + # --- using MS Active Directory ------------- + $g_ads_server = 'ldap://ads.example.com.au/'; + $g_ads_port = '389'; + $g_ads_domain = 'myDomain'; # ADS domain like 'myDomain' + $g_ads_bind_name = ''; + $g_ads_bind_passwd = ''; + ############################ # Status Settings ############################ 
@@ -1093,10 +1103,26 @@ # example: $g_set_status_threshold = array( ACKNOWLEDGED => MANAGER, CONFIRMED => DEVELOPER, CLOSED => MANAGER ); $g_set_status_threshold = array(); + # --- login method strings -------- + # Don't change this + $g_login_method_strings[PLAIN] = "Plain"; + $g_login_method_strings[CRYPT] = "Crypt"; + $g_login_method_strings[CRYPT_FULL_SALT] = "Crypt full salt"; + $g_login_method_strings[MD5] = "MD5"; + $g_login_method_strings[LDAP] = "LDAP"; + $g_login_method_strings[BASIC_AUTH] = "Basic Auth"; + $g_login_method_strings[HTTP_AUTH] = "HTTP Auth"; + $g_login_method_strings[ADS] = "Active Directory"; + # --- login method ---------------- - # CRYPT or PLAIN or MD5 or LDAP or BASIC_AUTH + # CRYPT or PLAIN or MD5 or LDAP or BASIC_AUTH or ADS # You can simply change this at will. Mantis will try to figure out how the passwords were encrypted. + # ATTENTION: This might soon be depricated $g_login_method = MD5; + + # Enter here your allowed login methods. This values will be choosable when create new user + # e.g. array(LDAP, ADS, MD5, CRYPT) + $g_login_methods = array(MD5); # --- limit reporters ------------- # Set to ON if you wish to limit reporters to only viewing bugs that they report. @@ -1778,4 +1804,4 @@ # The maximum number of issues to keep in the recently visited list. $g_recently_visited_count = 5; -?> \ No newline at end of file +?> Index: login.php =================================================================== RCS file: /cvsroot/mantisbt/mantisbt/login.php,v retrieving revision 1.36 diff -u -r1.36 login.php --- login.php 7 Aug 2005 16:01:37 -0000 1.36 +++ login.php 4 Oct 2006 09:23:26 -0000 
@@ -20,13 +20,15 @@ $f_perm_login = gpc_get_bool( 'perm_login' ); $f_return = gpc_get_string( 'return', config_get( 'default_home_page' ) ); $f_from = gpc_get_string( 'from', '' ); + $f_login_method = user_get_field( user_get_id_by_name($f_username), 'login_method' ); + - if ( BASIC_AUTH == config_get( 'login_method' ) ) { + if ( BASIC_AUTH == $f_login_method ) { $f_username = $_SERVER['REMOTE_USER']; $f_password = $_SERVER['PHP_AUTH_PW']; } - if ( HTTP_AUTH == config_get( 'login_method' ) ) { + if ( HTTP_AUTH == $f_login_method ) { if ( !auth_http_is_logout_pending() ) { if ( isset( $_SERVER['PHP_AUTH_USER'] ) ) @@ -45,7 +47,7 @@ } else { $t_redirect_url = 'login_page.php?return=' . urlencode( $f_return ) . '&error=1'; - if ( HTTP_AUTH == config_get( 'login_method' ) ) { + if ( HTTP_AUTH == $f_login_method ) { auth_http_prompt(); exit; } Index: login_page.php =================================================================== RCS file: /cvsroot/mantisbt/mantisbt/login_page.php,v retrieving revision 1.56 diff -u -r1.56 login_page.php --- login_page.php 24 Jul 2006 01:31:28 -0000 1.56 +++ login_page.php 4 Oct 2006 09:25:48 -0000 @@ -22,23 +22,6 @@ $f_cookie_error = gpc_get_bool( 'cookie_error' ); $f_return = gpc_get_string( 'return', '' ); - # Check for HTTP_AUTH. HTTP_AUTH is handled in login.php - - if ( HTTP_AUTH == config_get( 'login_method' ) ) { - $t_uri = "login.php"; - - if ( !$f_return && ON == config_get( 'allow_anonymous_login' ) ) { - $t_uri = "login_anon.php"; - } - - if ( $f_return ) { - $t_uri .= "?return=" . urlencode( $f_return ); - } - - print_header_redirect( $t_uri ); - exit; - } - html_page_top1(); html_page_top2a(); 
@@ -127,7 +110,7 @@ # # Warning, if plain passwords are selected - if ( config_get( 'login_method' ) === PLAIN ) { + if ( in_array( PLAIN, $g_login_methods ) ){ echo '<div class="warning" align="center">'; echo '<p><font color="red"><strong>WARNING:</strong> Plain password authentication is used, this will expose your passwords to administrators.</font></p>'; echo '</div>'; @@ -135,7 +118,7 @@ # Generate a warning if administrator/root is valid. $t_admin_user_id = user_get_id_by_name( 'administrator' ); - if ( $t_admin_user_id !== false ) { + if ( $t_admin_user_id !== false ) { if ( user_is_enabled( $t_admin_user_id ) && auth_does_password_match( $t_admin_user_id, 'root' ) ) { echo '<div class="warning" align="center">'; echo '<p><font color="red"><strong>WARNING:</strong> You should disable the default "administrator" account or change its password.</font></p>'; Index: manage_user_create.php =================================================================== RCS file: /cvsroot/mantisbt/mantisbt/manage_user_create.php,v retrieving revision 1.22 diff -u -r1.22 manage_user_create.php --- manage_user_create.php 21 Mar 2005 20:48:55 -0000 1.22 +++ manage_user_create.php 22 Sep 2006 13:01:23 -0000 @@ -22,6 +22,7 @@ $f_password = gpc_get_string( 'password', '' ); $f_password_verify = gpc_get_string( 'password_verify', '' ); $f_email = gpc_get_string( 'email' ); + $f_login_method = gpc_get_string( 'login_method' ); $f_access_level = gpc_get_string( 'access_level' ); $f_protected = gpc_get_bool( 'protected' ); $f_enabled = gpc_get_bool( 'enabled' ); 
@@ -58,7 +59,7 @@ } } - $t_cookie = user_create( $f_username, $f_password, $f_email, $f_access_level, $f_protected, $f_enabled, $f_realname ); + $t_cookie = user_create( $f_username, $f_password, $f_email, $f_login_method, $f_access_level, $f_protected, $f_enabled, $f_realname ); if ( $t_cookie === false ) { $t_redirect_url = 'manage_user_page.php'; Index: manage_user_create_page.php =================================================================== RCS file: /cvsroot/mantisbt/mantisbt/manage_user_create_page.php,v retrieving revision 1.19 diff -u -r1.19 manage_user_create_page.php --- manage_user_create_page.php 21 Mar 2005 20:48:55 -0000 1.19 +++ manage_user_create_page.php 22 Sep 2006 12:48:19 -0000 @@ -75,6 +75,21 @@ ?> <tr <?php echo helper_alternate_class() ?>> <td class="category"> + <?php echo lang_get( 'login_method' ) ?> + </td> + <td> + <select name="login_method"> + <?php + for ($i=0; $i<sizeof($g_login_methods); $i++) + { + echo "<option value='".$g_login_methods[$i]."'>".$g_login_method_strings[$g_login_methods[$i]]."</option>"; + } + ?> + </select> + </td> +</tr> +<tr <?php echo helper_alternate_class() ?>> + <td class="category"> <?php echo lang_get( 'access_level' ) ?> </td> <td> Index: manage_user_edit_page.php =================================================================== RCS file: /cvsroot/mantisbt/mantisbt/manage_user_edit_page.php,v retrieving revision 1.16 diff -u -r1.16 manage_user_edit_page.php --- manage_user_edit_page.php 26 Mar 2006 10:35:33 -0000 1.16 +++ manage_user_edit_page.php 5 Oct 2006 09:20:46 -0000 
@@ -69,6 +69,25 @@ </td> </tr> +<!-- Login Method --> +<tr <?php echo helper_alternate_class() ?>> + <td class="category"> + <?php echo lang_get( 'login_method' ) ?>: + </td> + <td> + <select name="login_method"> + <?php + for ($i=0; $i<sizeof($g_login_methods); $i++) + { + echo "<option value='".$g_login_methods[$i]."'"; + if ( $t_user['login_method'] == $g_login_methods[$i] ) echo " SELECTED"; + echo ">".$g_login_method_strings[$g_login_methods[$i]]."</option>"; + } + ?> + </select> + </td> +</tr> + <!-- Access Level --> <tr <?php echo helper_alternate_class() ?>> <td class="category"> @@ -116,10 +135,12 @@ <!-- RESET AND DELETE --> <div class="border-center"> <!-- Reset Button --> +<?php if ( $t_user['login_method'] != ADS ) { ?> <form method="post" action="manage_user_reset.php"> <input type="hidden" name="user_id" value="<?php echo $t_user['id'] ?>" /> <input type="submit" class="button" value="<?php echo lang_get( 'reset_password_button' ) ?>" /> </form> +<?php } ?> <!-- Delete Button --> <?php if ( !( ( ADMINISTRATOR <= $t_user['access_level'] ) && ( 1 >= user_count_level( ADMINISTRATOR ) ) ) ) { ?> @@ -132,11 +153,13 @@ <br /> <div align="center"> <?php + if ( $t_user['login_method'] != ADS ) { if ( ( ON == config_get( 'send_reset_password' ) ) && ( ON == config_get( 'enable_email_notification' ) ) ) { echo lang_get( 'reset_password_msg' ); } else { echo lang_get( 'reset_password_msg2' ); } + } ?> </div> Index: manage_user_update.php =================================================================== RCS file: /cvsroot/mantisbt/mantisbt/manage_user_update.php,v retrieving revision 1.38 diff -u -r1.38 manage_user_update.php --- manage_user_update.php 26 Mar 2006 10:35:33 -0000 1.38 +++ manage_user_update.php 4 Oct 2006 10:08:55 -0000 
@@ -24,6 +24,7 @@ $f_email = gpc_get_string( 'email', '' ); $f_username = gpc_get_string( 'username', '' ); $f_realname = gpc_get_string( 'realname', '' ); + $f_login_method = gpc_get_string( 'login_method', '' ); $f_access_level = gpc_get_int( 'access_level' ); $f_user_id = gpc_get_int( 'user_id' ); @@ -49,6 +50,7 @@ $c_enabled = db_prepare_bool( $f_enabled ); $c_user_id = db_prepare_int( $f_user_id ); $c_access_level = db_prepare_int( $f_access_level ); + $c_login_method = db_prepare_int( $f_login_method ); $t_user_table = config_get( 'mantis_user_table' ); @@ -67,7 +69,7 @@ } # if the user is already protected and the admin is not removing the - # protected flag then don't update the access level and enabled flag. + # protected flag then don't update the access level, login_method and enabled flag. # If the user was unprotected or the protected flag is being turned off # then proceed with a full update. if ( $f_protected && $t_old_protected ) { @@ -77,7 +79,7 @@ WHERE id='$c_user_id'"; } else { $query = "UPDATE $t_user_table - SET username='$c_username', email='$c_email', + SET username='$c_username', email='$c_email', login_method='$c_login_method', access_level='$c_access_level', enabled='$c_enabled', protected='$c_protected', realname='$c_realname' WHERE id='$c_user_id'"; Index: admin/schema.php =================================================================== RCS file: /cvsroot/mantisbt/mantisbt/admin/schema.php,v retrieving revision 1.11 diff -u -r1.11 schema.php --- admin/schema.php 14 Aug 2006 08:32:57 -0000 1.11 +++ admin/schema.php 4 Oct 2006 08:46:28 -0000 
@@ -303,7 +303,8 @@ login_count I NOTNULL DEFAULT '0', lost_password_request_count I2 NOTNULL DEFAULT '0', failed_login_count I2 NOTNULL DEFAULT '0', - cookie_string C(64) NOTNULL DEFAULT \" '' \" + cookie_string C(64) NOTNULL DEFAULT \" '' \", + login_method I2 NOTNULL DEFAULT '0' ",Array('mysql' => 'TYPE=MyISAM', 'pgsql' => 'WITHOUT OIDS'))); $upgrade[] = Array('CreateIndexSQL',Array('idx_user_cookie_string',config_get('mantis_user_table'),'cookie_string',Array('UNIQUE'))); $upgrade[] = Array('CreateIndexSQL',Array('idx_user_username',config_get('mantis_user_table'),'username',Array('UNIQUE'))); @@ -325,4 +326,4 @@ body XS NOTNULL ",Array('mysql' => 'TYPE=MyISAM', 'pgsql' => 'WITHOUT OIDS'))); $upgrade[] = Array('CreateIndexSQL',Array('idx_email_id',config_get('mantis_email_table'),'email_id')); -?> \ No newline at end of file +?> Index: core/authentication_api.php =================================================================== RCS file: /cvsroot/mantisbt/mantisbt/core/authentication_api.php,v retrieving revision 1.55 diff -u -r1.55 authentication_api.php --- core/authentication_api.php 23 Apr 2006 12:32:59 -0000 1.55 +++ core/authentication_api.php 4 Oct 2006 09:33:30 -0000 @@ -74,7 +74,7 @@ function auth_attempt_login( $p_username, $p_password, $p_perm_login=false ) { $t_user_id = user_get_id_by_name( $p_username ); - $t_login_method = config_get( 'login_method' ); + $t_login_method = user_get_field($t_user_id, 'login_method'); if ( false === $t_user_id ) { if ( BASIC_AUTH == $t_login_method ) { @@ -118,7 +118,7 @@ if ( !( ( ON == $t_anon_allowed ) && ( $t_anon_account == $p_username) ) ) { # anonymous login didn't work, so check the password - if ( !auth_does_password_match( $t_user_id, $p_password ) ) { + if ( !auth_does_password_match( $t_user_id, $p_password ) ) { user_increment_failed_login_count( $t_user_id ); return false; } 
@@ -201,22 +201,25 @@ # Return true if the password for the user id given matches the given # password (taking into account the global login method) function auth_does_password_match( $p_user_id, $p_test_password ) { - $t_configured_login_method = config_get( 'login_method' ); - - if ( LDAP == $t_configured_login_method ) { - return ldap_authenticate( $p_user_id, $p_test_password ); - } + $t_user_login_method = user_get_field( $p_user_id, 'login_method' ); + switch ($t_user_login_method) + { + case ADS: return ads_authenticate( $p_user_id, $p_test_password ); break; + case LDAP: return ldap_authenticate( $p_user_id, $p_test_password ); break; + default: break; + } + $t_password = user_get_field( $p_user_id, 'password' ); $t_login_methods = Array(MD5, CRYPT, PLAIN); foreach ( $t_login_methods as $t_login_method ) { # pass the stored password in as the salt - if ( auth_process_plain_password( $p_test_password, $t_password, $t_login_method ) == $t_password ) { + if ( auth_process_plain_password( $p_test_password, $t_login_method, $t_password) == $t_password ) { # Check for migration to another login method and test whether the password was encrypted # with our previously insecure implemention of the CRYPT method - if ( ( $t_login_method != $t_configured_login_method ) || - ( ( CRYPT == $t_configured_login_method ) && substr( $t_password, 0, 2 ) == substr( $p_test_password, 0, 2 ) ) ) { + if ( ( $t_login_method != $t_user_login_method ) || + ( ( CRYPT == $t_user_login_method ) && substr( $t_password, 0, 2 ) == substr( $p_test_password, 0, 2 ) ) ) { user_set_password( $p_user_id, $p_test_password, true ); } 
@@ -235,13 +238,9 @@ # When encrypting a password to compare to a stored password, the stored # password should be passed in as salt. If the auth method is CRYPT then # crypt() will extract the appropriate portion of the stored password as its salt - function auth_process_plain_password( $p_password, $p_salt=null, $p_method=null ) { - $t_login_method = config_get( 'login_method' ); - if ( $p_method !== null ) { - $t_login_method = $p_method; - } + function auth_process_plain_password( $p_password, $p_login_method, $p_salt=null ) { - switch ( $t_login_method ) { + switch ( $p_login_method ) { case CRYPT: # a null salt is the same as no salt, which causes a salt to be generated # otherwise, use the salt given Index: core/constant_inc.php =================================================================== RCS file: /cvsroot/mantisbt/mantisbt/core/constant_inc.php,v retrieving revision 1.58 diff -u -r1.58 constant_inc.php --- core/constant_inc.php 12 Aug 2006 08:04:13 -0000 1.58 +++ core/constant_inc.php 22 Sep 2006 12:46:27 -0000 @@ -103,8 +103,9 @@ define( 'LDAP', 4 ); define( 'BASIC_AUTH', 5 ); define( 'HTTP_AUTH', 6 ); - - # file upload methods + define( 'ADS', 7 ); + + # file upload methods define( 'DISK', 1 ); define( 'DATABASE', 2 ); define( 'FTP', 3 ); @@ -286,6 +287,9 @@ define( 'ERROR_SIGNUP_NOT_MATCHING_CAPTCHA', 1904 ); define( 'ERROR_LOST_PASSWORD_MAX_IN_PROGRESS_ATTEMPTS_REACHED', 1905 ); + # ERROR_ADS_* + define( 'ERROR_ADS_SERVER_CONNECT_FAILED', 2000 ); + # ERROR_FILTER_NOT_FOUND define( 'ERROR_FILTER_NOT_FOUND', 2000 ); define( 'ERROR_FILTER_TOO_OLD', 2001 ); Index: core/custom_function_api.php =================================================================== RCS file: /cvsroot/mantisbt/mantisbt/core/custom_function_api.php,v retrieving revision 1.27 diff -u -r1.27 custom_function_api.php --- core/custom_function_api.php 18 May 2006 05:53:44 -0000 1.27 +++ core/custom_function_api.php 22 Sep 2006 09:31:40 -0000 
@@ -128,9 +128,9 @@ # -------------------- # Hook for authentication # can Mantis update the password - function custom_function_default_auth_can_change_password( ) { + function custom_function_default_auth_can_change_password( $p_login_method ) { $t_can_change = array( PLAIN, CRYPT, CRYPT_FULL_SALT, MD5 ); - if ( in_array( config_get( 'login_method' ), $t_can_change ) ) { + if ( in_array( $p_login_method, $t_can_change ) ) { return true; } else { return false; @@ -347,4 +347,4 @@ # html_api.php. For each button, this function needs to generate the enclosing '<td>' and '</td>'. function custom_function_default_print_bug_view_page_custom_buttons( $p_bug_id ) { } -?> \ No newline at end of file +?> Index: core/ldap_api.php =================================================================== RCS file: /cvsroot/mantisbt/mantisbt/core/ldap_api.php,v retrieving revision 1.19 diff -u -r1.19 ldap_api.php --- core/ldap_api.php 22 Apr 2006 01:52:14 -0000 1.19 +++ core/ldap_api.php 4 Oct 2006 08:26:42 -0000 @@ -153,4 +153,5 @@ # -------------------- # Change the user's password in the LDAP Directory + ?> Index: core/user_api.php =================================================================== RCS file: /cvsroot/mantisbt/mantisbt/core/user_api.php,v retrieving revision 1.107 diff -u -r1.107 user_api.php --- core/user_api.php 29 Oct 2005 09:52:52 -0000 1.107 +++ core/user_api.php 22 Sep 2006 13:01:37 -0000 @@ -13,6 +13,7 @@ require_once( $t_core_dir . 'email_api.php' ); require_once( $t_core_dir . 'ldap_api.php' ); + require_once( $t_core_dir . 'ads_api.php' ); ### User API ### 
@@ -326,17 +327,18 @@ # -------------------- # Create a user. # returns false if error, the generated cookie string if ok - function user_create( $p_username, $p_password, $p_email='', $p_access_level=null, $p_protected=false, $p_enabled=true, $p_realname='' ) { + function user_create( $p_username, $p_password, $p_email='', $p_login_method=MD5, $p_access_level=null, $p_protected=false, $p_enabled=true, $p_realname='' ) { if ( null === $p_access_level ) { $p_access_level = config_get( 'default_new_account_access_level'); } - $t_password = auth_process_plain_password( $p_password ); + $t_password = auth_process_plain_password( $p_password, 'MD5' ); $c_username = db_prepare_string( $p_username ); $c_realname = db_prepare_string( $p_realname ); $c_password = db_prepare_string( $t_password ); $c_email = db_prepare_string( $p_email ); + $c_login_method = db_prepare_int( $p_login_method ); $c_access_level = db_prepare_int( $p_access_level ); $c_protected = db_prepare_bool( $p_protected ); $c_enabled = db_prepare_bool( $p_enabled ); @@ -352,10 +354,10 @@ $query = "INSERT INTO $t_user_table ( username, email, password, date_created, last_visit, - enabled, access_level, login_count, cookie_string, realname ) + enabled, access_level, login_count, cookie_string, realname, login_method ) VALUES ( '$c_username', '$c_email', '$c_password', " . db_now() . "," . db_now() . ", - $c_enabled, $c_access_level, 0, '$t_cookie_string', '$c_realname')"; + $c_enabled, $c_access_level, 0, '$t_cookie_string', '$c_realname', '$c_login_method')"; db_query( $query ); # Create preferences for the user 
@@ -1054,12 +1056,13 @@ # Set the user's password to the given string, encoded as appropriate function user_set_password( $p_user_id, $p_password, $p_allow_protected=false ) { $c_user_id = db_prepare_int( $p_user_id ); + $t_user_login_method = user_get_field( $p_user_id, 'login_method' ); if ( !$p_allow_protected ) { user_ensure_unprotected( $p_user_id ); } - $t_password = auth_process_plain_password( $p_password ); + $t_password = auth_process_plain_password( $p_password, $t_user_login_method ); $t_user_table = config_get( 'mantis_user_table' ); $query = "UPDATE $t_user_table SET password='$t_password' @@ -1120,8 +1123,9 @@ if ( ( ON == config_get( 'send_reset_password' ) ) && ( ON == config_get( 'enable_email_notification' ) ) ) { # Create random password $t_email = user_get_field( $p_user_id, 'email' ); + $t_user_login_method = user_get_field ( $p_user_id, 'login_method' ); $t_password = auth_generate_random_password( $t_email ); - $t_password2 = auth_process_plain_password( $t_password ); + $t_password2 = auth_process_plain_password( $t_password, $t_user_login_method ); user_set_field( $p_user_id, 'password', $t_password2 ); @@ -1132,7 +1136,8 @@ } } else { # use blank password, no emailing - $t_password = auth_process_plain_password( '' ); + $t_user_login_method = user_get_field( $p_user_id, 'login_method' ); + $t_password = auth_process_plain_password( '', $t_user_login_method ); user_set_field( $p_user_id, 'password', $t_password ); # reset the failed login count because in this mode there is no emailing user_reset_failed_login_count_to_zero( $p_user_id ); Index: lang/strings_dutch.txt =================================================================== RCS file: /cvsroot/mantisbt/mantisbt/lang/strings_dutch.txt,v retrieving revision 1.108 diff -u -r1.108 strings_dutch.txt --- lang/strings_dutch.txt 25 Sep 2006 05:16:48 -0000 1.108 +++ lang/strings_dutch.txt 5 Oct 2006 09:10:27 -0000 
@@ -384,6 +384,7 @@ $s_update_user_button = 'Gebruiker aanpassen'; $s_verify_warning = 'Uw account is gecontroleerd. Het accountbevestigingsbericht dat u heeft ontvangen is niet langer bruikbaar.'; $s_verify_change_password = 'Hier dient een wachtwoord ingegeven te worden om opnieuw te kunnen aanmelden.'; +$s_login_method = 'Aanmeldings-methode'; # account_prefs_page.php $s_default_account_preferences_title = 'Standaard accountinstellingen'; Index: lang/strings_english.txt =================================================================== RCS file: /cvsroot/mantisbt/mantisbt/lang/strings_english.txt,v retrieving revision 1.281 diff -u -r1.281 strings_english.txt --- lang/strings_english.txt 1 Oct 2006 09:04:57 -0000 1.281 +++ lang/strings_english.txt 5 Oct 2006 09:10:28 -0000 @@ -262,6 +262,7 @@ $MANTIS_ERROR[ERROR_PROJECT_RECURSIVE_HIERARCHY] = 'That operation would create a loop in the subproject hierarchy.'; $MANTIS_ERROR[ERROR_USER_CHANGE_LAST_ADMIN] = 'You cannot change the access level of the only ADMINISTRATOR in the system.'; $MANTIS_ERROR[ERROR_PAGE_REDIRECTION] = 'Page redirection error, ensure that there are no spaces outside the PHP block (<?php ?>) in config_inc.php or custom_*.php files.'; +$MANTIS_ERROR[ERROR_ADS_SERVER_CONNECT_FAILED] = 'ADS Server Connection Failed'; $s_login_error = 'Your account may be disabled or blocked or the username/password you entered is incorrect.'; $s_login_cookies_disabled = 'Your browser either doesn\'t know how to handle cookies, or refuses to handle them.'; 
@@ -380,6 +381,7 @@ $s_update_user_button = 'Update User'; $s_verify_warning = 'Your account information has been verified. The account confirmation message you have received is now invalid.'; $s_verify_change_password = 'You must set a password here to allow you to log in again.'; +$s_login_method = 'Authentication method'; # account_prefs_page.php $s_default_account_preferences_title = 'Account Preferences'; Index: lang/strings_german.txt =================================================================== RCS file: /cvsroot/mantisbt/mantisbt/lang/strings_german.txt,v retrieving revision 1.146 diff -u -r1.146 strings_german.txt --- lang/strings_german.txt 25 Sep 2006 11:23:30 -0000 1.146 +++ lang/strings_german.txt 5 Oct 2006 09:10:29 -0000 @@ -266,7 +266,11 @@ $MANTIS_ERROR[ERROR_LOST_PASSWORD_MAX_IN_PROGRESS_ATTEMPTS_REACHED] = 'Max. Anzahl der in Bearbeitung befindlichen Anfragen erreicht. Bitte setzen Sie sich mit Ihrem Systemadministrator in Verbindung.'; $MANTIS_ERROR[ERROR_PROJECT_RECURSIVE_HIERARCHY] = 'Diese Operation w�rde eine Schleife in der Unterprojekthierarchie erzeugen.'; $MANTIS_ERROR[ERROR_USER_CHANGE_LAST_ADMIN] = 'Sie k�nnen die Zugangsrechte des einzigen System-ADMINISTRATORS nicht �ndern.'; +<<<<<<< strings_german.txt +$MANTIS_ERROR[ERROR_ADS_SERVER_CONNECT_FAILED] = 'Verbindung zum ADS Server fehlgeschlagen'; +======= $MANTIS_ERROR[ERROR_PAGE_REDIRECTION] = 'Page redirection error, ensure that there are no spaces outside the PHP block (<?php ?>) in config_inc.php or custom_*.php files.'; +>>>>>>> 1.146 $s_login_error = 'Ihr Konto ist deaktiviert oder gesperrt (aufgrund von zu vielen fehlgeschlagenen Anmeldeversuchen) oder der eigegebene Benutzer/Password ist falsch.'; $s_login_cookies_disabled = 'Ihr Web-Browser akzeptiert keine Cookies.'; 
@@ -385,6 +389,7 @@ $s_update_user_button = 'Benutzer aktualisieren'; $s_verify_warning = 'Ihre Kontoinformationen wurden �berpr�ft. Die von Ihnen erhaltene Konto Best�tigungsmeldung ist jetzt ung�ltig.'; $s_verify_change_password = 'Sie m�ssen hier ein Pa�wort vergeben, um sich wieder anmelden zu k�nnen.'; +$s_login_method = 'Authentifizierungs-Methode'; # account_prefs_page.php $s_default_account_preferences_title = 'Kontoeinstellungen'; | ||||
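Review bot: In manage_user_edit_page.php (hunks @@ -116,10 +135,12 @@ and @@ -132,11 +153,13 @@) the reset button and its message are hidden only when `$t_user['login_method'] != ADS`, but the patched custom_function_default_auth_can_change_password() allows changes only for PLAIN, CRYPT, CRYPT_FULL_SALT and MD5, so an LDAP user still gets a reset button for a password Mantis cannot change. Guard both blocks with `helper_call_custom_function( 'auth_can_change_password', array( $t_user['login_method'] ) )` instead of comparing against one constant.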
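Review bot: In manage_user_update.php, `login_method` is read with `gpc_get_string( 'login_method', '' )` and only passed through `db_prepare_int()` before it is written by the UPDATE, so nothing checks that the submitted value is one of the configured methods, and the fallback is an empty string rather than a valid method. Read it with `gpc_get_int` like `access_level`, and reject any value that is not in `$g_login_methods` before building the query, since this field now decides how the account authenticates.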
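Review bot: In admin/schema.php the `login_method I2 NOTNULL DEFAULT '0'` column is appended inside the existing user-table creation entry, so a database on which that entry has already been applied gets no step that adds the column. Add the column as a new `$upgrade[]` entry at the end of the list, and document which login method the default 0 is meant to select, because auth_does_password_match() now switches on this field for every existing account.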
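Review bot: In auth_attempt_login() (core/authentication_api.php, hunk @@ -74,7 +74,7 @@) `user_get_field($t_user_id, 'login_method')` now runs before the `false === $t_user_id` check, so for an unknown username it is called with `false`, and the `BASIC_AUTH == $t_login_method` branch just below can no longer be driven by configuration for a user that has no row yet. Move the per-user lookup after the existence check and keep `config_get( 'login_method' )` as the value used when the user does not exist.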
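Review bot: The new signature `auth_process_plain_password( $p_password, $p_login_method, $p_salt=null )` (hunk @@ -235,13 +238,9 @@) swaps the positions of the salt and the method, so any caller outside this patch that still passes the stored password as the second argument will have it treated as the login method without any error. Either keep the old parameter order and make the method mandatory, or confirm every caller in the tree has been updated. The comment above auth_does_password_match() also still says "taking into account the global login method", and the `break` statements after each `return` in the new switch are unreachable.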
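Review bot: In core/constant_inc.php (hunk @@ -286,6 +287,9 @@) `ERROR_ADS_SERVER_CONNECT_FAILED` is defined as 2000, the same value as `ERROR_FILTER_NOT_FOUND` on the next lines, so the two errors share one `$MANTIS_ERROR` index and one of the messages will overwrite the other. Pick an unused number for the ERROR_ADS_* range.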
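Review bot: In user_create() (core/user_api.php, hunk @@ -326,17 +327,18 @@) the call `auth_process_plain_password( $p_password, 'MD5' )` passes the quoted string 'MD5' instead of the MD5 constant that the new `$p_login_method=MD5` default uses, and it ignores `$p_login_method` altogether, so the stored hash does not follow the method chosen for the account. Pass the constant, and decide explicitly what is stored in `password` when the method is ADS or LDAP. Inserting `$p_login_method` in the middle of the parameter list also changes the meaning of positional arguments for existing callers, and `'$c_login_method'` is quoted in the INSERT while the other integer column `$c_access_level` is not.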
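Review bot: The lang/strings_german.txt hunk @@ -266,7 +266,11 @@ adds unresolved merge conflict markers (`<<<<<<< strings_german.txt`, `=======`, `>>>>>>> 1.146`) to the language file. Resolve the conflict so that both the ERROR_ADS_SERVER_CONNECT_FAILED and ERROR_PAGE_REDIRECTION entries remain, then regenerate the patch.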
Here are my changes:
|
|
Applies cleanly on a fresh CVS checkout. After setting the required options in the config file, worked perfectly for me on the first try. One minor nitpick: in manage_user_edit_page.php, the 'magic constant' 7 is used to check if the login method of the user is Active Directory; that should probably be replaced with the defined value 'ADS' for clarity. Furthermore, a couple of lines down (between lines 155 and 161 in today's CVS version), there is a message that says whether the user's new password (when reset by the administrator) will be sent to that user or be set to blank (depending on the configuration setting). That block should also be surrounded by <?php if ( $t_user['login_method'] != 7 ) { ?> otherwise there's a message there about the resetting of the password, but no button to actually do it. I didn't supply a patch since it's easier to put in these changes by hand than having to apply yet another patch - but I can, if someone wants me to. |
|
I was in a rush yesterday. Sorry! I changed your "nitpick" to the defined constant 'ADS'. Also, this message disappears when ADS authentication is used. |
|