0007478: MS Active Directory Authentication - MantisBT - Signup temporarily disabled due to spam

ID	Project	Category	View Status	Date Submitted	Last Update

0007478	mantisbt	authentication	public	2006-09-27 04:55	2014-11-25 12:33

Reporter	roel	Assigned To
Priority	normal	Severity	feature	Reproducibility	N/A
Status	new	Resolution	open

Summary	0007478: MS Active Directory Authentication
Description	Moving discussion from -dev list to here. Discussion started by Holger Kaufmann (h.kaufmann at rac.de) 2006/09/06. Synopsis: Holger: First of all there's a new option to configure in the config_inc.php. It's an array where you can tell the system which of the supported authentication methods should be available. This array will be read when creating a new user and gives an option field where the administrator configures the login-method like LDAP, MD5 or ADS (for Active Directory). When actually creating a user this value will be stored in the new db field. If somebody tries to login the system first reads out his login-method and then starts authentication in the configured way. Victor: Did you check the implementation at: http://www.mantisbugtracker.com/bugs/view.php?id=7432 Instead of updating the users table, you can use the configuration to achieve a per user configuration option. The configuration stored in the database are easily editable in Mantis 1.1.0a1 through the Mantis web interface. Do we really need a per user configuration? One option is to have a threshold that we compare with the user default access level and if higher or equal we use AD, otherwise we use the standard infrastructure, i.e. customers will use the standard login, but developers, etc would use AD. Obiously the per user approach is more flexible as long as it doesn't over complicate to code. Roel: (about original patch): It doesn't seem to be possible to change the login method after the user account has been created. I think it would be a fairly easy change, is there a reason this wasn't included? The 'reset password' button should be removed for accounts that login though ADS (unless there is a way to make the functionality work). The proposed patch has @'s before every call to ldap_* functions. I understand why it was done, but I ran into two problems: first one was that I didn't enable the ldap module in php (didn't bother to check, thought I had it enabled), this quickly became obvious once I removed the @ and got a 'unknown function: ldap_connect' error. Secondly, I had put in the wrong domain name (the full name of my AD domain is riks.nl, bu apparantly I'm supposed to put in only 'riks') and that became obvious once I removed the @ before ldap_bind and got a 'invalid credentials' error message. So not having the @'s made it possible to quickly diagnose installation errors. Perhaps the 'login method strings' (in config_defaults_inc.php) should be translateable as well? It would be easy to do. Some changes have been commented out, maybe they should be removed all together. (about Victor's remarks): Using a general system like the configuration options is not very appropriate for a core function like logging in, imo. It's a setting that is required for every user anyway, it would quickly get very crowded in the 'Manage configuration' screen (unless there'd be a 'default' value and only the users who use another method would be listed, but still.) Also, I don't find it a very intuitive place for a 'core' setting like that. (as an admin, I'd go looking in a users profile first if I wanted to change the login method, the database configuration is more for advanced use and non-standard extensions, I thought. Basing the login-method on access treshold: I have internal 'reporters' and external 'managers' (ie, clients who can manage the priority of bugs(. My usecase isn't decisive for Mantis functionality, of course; but still I find connecting the login method to the user access level to be very limiting. I've attached a new patch, based on Holder's, with the following changes: Added the new field of the user table to schema.php. Removed @ from ldap_* functions. Added translation for the new string to Dutch. Victor: The db configuration supports a default for all users / all projects, all user / specific project. specific user / all projects, specific user / specific project. The problem with the preferences as they are, is that whenever a feature is implemented we need to change the database schema and expose this specifically through the Web interface. I guess this is a general issue that we have to put a pattern for. For now, we can stick with what we have and make sure that all other issues with the patch are resolved. Ideas are welcome.
Tags	patch
Attached Files	mantisbt_ads_v2.patch (25,412 bytes) Index: account_page.php =================================================================== RCS file: /cvsroot/mantisbt/mantisbt/account_page.php,v retrieving revision 1.51 diff -u -r1.51 account_page.php --- account_page.php 17 Jul 2005 21:56:21 -0000 1.51 +++ account_page.php 25 Sep 2006 10:45:56 -0000 @@ -52,7 +52,7 @@ $row = user_get_row( auth_get_current_user_id() ); extract( $row, EXTR_PREFIX_ALL, 'u' ); - $t_ldap = ( LDAP == config_get( 'login_method' ) ); + $t_ldap = ( LDAP == $row['login_method'] ); #config_get( 'login_method' ) ); # In case we're using LDAP to get the email address... this will pull out # that version instead of the one in the DB @@ -72,7 +72,7 @@ <center><div style="color:red; width:75%"> <?php echo lang_get( 'verify_warning' ); - if ( helper_call_custom_function( 'auth_can_change_password', array() ) ) { + if ( helper_call_custom_function( 'auth_can_change_password', array($row['login_method']) ) ) { echo '<br />' . lang_get( 'verify_change_password' ); } ?> @@ -93,7 +93,7 @@ </td> </tr> -<?php if ( !helper_call_custom_function( 'auth_can_change_password', array() ) ) { ?> <!-- With LDAP --> +<?php if ( !helper_call_custom_function( 'auth_can_change_password', array($row['login_method']) ) ) { ?> <!-- With LDAP --> <!-- Username --> <tr class="row-1"> Index: account_update.php =================================================================== RCS file: /cvsroot/mantisbt/mantisbt/account_update.php,v retrieving revision 1.40 diff -u -r1.40 account_update.php --- account_update.php 30 Nov 2004 13:02:57 -0000 1.40 +++ account_update.php 25 Sep 2006 10:45:56 -0000 @@ -68,7 +68,7 @@ } # Update password if the two match and are not empty - if ( !is_blank( $f_password ) ) { + if ( !is_blank( $f_password ) ) { if ( $f_password != $f_password_confirm ) { trigger_error( ERROR_USER_CREATE_PASSWORD_MISMATCH, ERROR ); } else { Index: config_defaults_inc.php =================================================================== RCS file: /cvsroot/mantisbt/mantisbt/config_defaults_inc.php,v retrieving revision 1.312 diff -u -r1.312 config_defaults_inc.php --- config_defaults_inc.php 22 Sep 2006 22:18:08 -0000 1.312 +++ config_defaults_inc.php 25 Sep 2006 10:45:57 -0000 @@ -832,6 +832,16 @@ # The LDAP Protocol Version, if 0, then the protocol version is not set. $g_ldap_protocol_version = 0; + ############################# + # Mantis ADS Settings + ############################# + # --- using MS Active Directory ------------- + $g_ads_server = 'ldap://ads.example.com.au/'; + $g_ads_port = '389'; + $g_ads_domain = 'myDomain'; # ADS domain like 'myDomain' + $g_ads_bind_name = ''; + $g_ads_bind_passwd = ''; + ############################ # Status Settings ############################ @@ -1083,10 +1093,26 @@ # example: $g_set_status_threshold = array( ACKNOWLEDGED => MANAGER, CONFIRMED => DEVELOPER, CLOSED => MANAGER ); $g_set_status_threshold = array(); + # --- login method strings -------- + # Don't change this + $g_login_method_strings[PLAIN] = "Plain"; + $g_login_method_strings[CRYPT] = "Crypt"; + $g_login_method_strings[CRYPT_FULL_SALT] = "Crypt full salt"; + $g_login_method_strings[MD5] = "MD5"; + $g_login_method_strings[LDAP] = "LDAP"; + $g_login_method_strings[BASIC_AUTH] = "Basic Auth"; + $g_login_method_strings[HTTP_AUTH] = "HTTP Auth"; + $g_login_method_strings[ADS] = "Active Directory"; + # --- login method ---------------- - # CRYPT or PLAIN or MD5 or LDAP or BASIC_AUTH + # CRYPT or PLAIN or MD5 or LDAP or BASIC_AUTH or ADS # You can simply change this at will. Mantis will try to figure out how the passwords were encrypted. + # ATTENTION: This might soon be depricated $g_login_method = MD5; + + # Enter here your allowed login methods. This values will be choosable when create new user + # e.g. array(LDAP, ADS, MD5, CRYPT) + $g_login_methods = array(MD5, ADS); # --- limit reporters ------------- # Set to ON if you wish to limit reporters to only viewing bugs that they report. @@ -1768,4 +1794,4 @@ # The maximum number of issues to keep in the recently visited list. $g_recently_visited_count = 5; -?> \ No newline at end of file +?> Index: login.php =================================================================== RCS file: /cvsroot/mantisbt/mantisbt/login.php,v retrieving revision 1.36 diff -u -r1.36 login.php --- login.php 7 Aug 2005 16:01:37 -0000 1.36 +++ login.php 25 Sep 2006 10:45:57 -0000 @@ -20,13 +20,15 @@ $f_perm_login = gpc_get_bool( 'perm_login' ); $f_return = gpc_get_string( 'return', config_get( 'default_home_page' ) ); $f_from = gpc_get_string( 'from', '' ); + $f_login_method = user_get_field( user_get_id_by_name($f_username), 'login_method' ); + - if ( BASIC_AUTH == config_get( 'login_method' ) ) { + if ( BASIC_AUTH == $f_login_method ) { #config_get( 'login_method' ) ) { $f_username = $_SERVER['REMOTE_USER']; $f_password = $_SERVER['PHP_AUTH_PW']; } - if ( HTTP_AUTH == config_get( 'login_method' ) ) { + if ( HTTP_AUTH == $f_login_method ) { #config_get( 'login_method' ) ) { if ( !auth_http_is_logout_pending() ) { if ( isset( $_SERVER['PHP_AUTH_USER'] ) ) @@ -45,7 +47,7 @@ } else { $t_redirect_url = 'login_page.php?return=' . urlencode( $f_return ) . '&error=1'; - if ( HTTP_AUTH == config_get( 'login_method' ) ) { + if ( HTTP_AUTH == $f_login_method ) { #config_get( 'login_method' ) ) { auth_http_prompt(); exit; } Index: login_page.php =================================================================== RCS file: /cvsroot/mantisbt/mantisbt/login_page.php,v retrieving revision 1.56 diff -u -r1.56 login_page.php --- login_page.php 24 Jul 2006 01:31:28 -0000 1.56 +++ login_page.php 25 Sep 2006 10:45:57 -0000 @@ -23,21 +23,22 @@ $f_return = gpc_get_string( 'return', '' ); # Check for HTTP_AUTH. HTTP_AUTH is handled in login.php - - if ( HTTP_AUTH == config_get( 'login_method' ) ) { - $t_uri = "login.php"; - - if ( !$f_return && ON == config_get( 'allow_anonymous_login' ) ) { - $t_uri = "login_anon.php"; - } - - if ( $f_return ) { - $t_uri .= "?return=" . urlencode( $f_return ); - } - - print_header_redirect( $t_uri ); - exit; - } + # + #if ( HTTP_AUTH == config_get( 'login_method' ) ) { + # $t_uri = "login.php"; + # + # if ( !$f_return && ON == config_get( 'allow_anonymous_login' ) ) { + # $t_uri = "login_anon.php"; + # } + # + # if ( $f_return ) { + # $t_uri .= "?return=" . urlencode( $f_return ); + # } + # + # print_header_redirect( $t_uri ); + # exit; + #} + # THIS IS CHECKED IN login.php ANYWAYS html_page_top1(); html_page_top2a(); @@ -127,7 +128,7 @@ # # Warning, if plain passwords are selected - if ( config_get( 'login_method' ) === PLAIN ) { + if ( in_array( PLAIN, $g_login_methods ) ){ #config_get( 'login_method' ) === PLAIN ) { echo '<div class="warning" align="center">'; echo '<p><font color="red"><strong>WARNING:</strong> Plain password authentication is used, this will expose your passwords to administrators.</font></p>'; echo '</div>'; @@ -135,7 +136,7 @@ # Generate a warning if administrator/root is valid. $t_admin_user_id = user_get_id_by_name( 'administrator' ); - if ( $t_admin_user_id !== false ) { + if ( $t_admin_user_id !== false ) { if ( user_is_enabled( $t_admin_user_id ) && auth_does_password_match( $t_admin_user_id, 'root' ) ) { echo '<div class="warning" align="center">'; echo '<p><font color="red"><strong>WARNING:</strong> You should disable the default "administrator" account or change its password.</font></p>'; Index: manage_user_create.php =================================================================== RCS file: /cvsroot/mantisbt/mantisbt/manage_user_create.php,v retrieving revision 1.22 diff -u -r1.22 manage_user_create.php --- manage_user_create.php 21 Mar 2005 20:48:55 -0000 1.22 +++ manage_user_create.php 25 Sep 2006 10:45:57 -0000 @@ -22,6 +22,7 @@ $f_password = gpc_get_string( 'password', '' ); $f_password_verify = gpc_get_string( 'password_verify', '' ); $f_email = gpc_get_string( 'email' ); + $f_login_method = gpc_get_string( 'login_method' ); $f_access_level = gpc_get_string( 'access_level' ); $f_protected = gpc_get_bool( 'protected' ); $f_enabled = gpc_get_bool( 'enabled' ); @@ -58,7 +59,7 @@ } } - $t_cookie = user_create( $f_username, $f_password, $f_email, $f_access_level, $f_protected, $f_enabled, $f_realname ); + $t_cookie = user_create( $f_username, $f_password, $f_email, $f_login_method, $f_access_level, $f_protected, $f_enabled, $f_realname ); if ( $t_cookie === false ) { $t_redirect_url = 'manage_user_page.php'; Index: manage_user_create_page.php =================================================================== RCS file: /cvsroot/mantisbt/mantisbt/manage_user_create_page.php,v retrieving revision 1.19 diff -u -r1.19 manage_user_create_page.php --- manage_user_create_page.php 21 Mar 2005 20:48:55 -0000 1.19 +++ manage_user_create_page.php 25 Sep 2006 10:45:57 -0000 @@ -75,6 +75,21 @@ ?> <tr <?php echo helper_alternate_class() ?>> <td class="category"> + <?php echo lang_get( 'login_method' ) ?> + </td> + <td> + <select name="login_method"> + <?php + for ($i=0; $i<sizeof($g_login_methods); $i++) + { + echo "<option value='".$g_login_methods[$i]."'>".$g_login_method_strings[$g_login_methods[$i]]."</option>"; + } + ?> + </select> + </td> +</tr> +<tr <?php echo helper_alternate_class() ?>> + <td class="category"> <?php echo lang_get( 'access_level' ) ?> </td> <td> Index: manage_user_edit_page.php =================================================================== RCS file: /cvsroot/mantisbt/mantisbt/manage_user_edit_page.php,v retrieving revision 1.16 diff -u -r1.16 manage_user_edit_page.php --- manage_user_edit_page.php 26 Mar 2006 10:35:33 -0000 1.16 +++ manage_user_edit_page.php 25 Sep 2006 10:45:57 -0000 @@ -69,6 +69,16 @@ </td> </tr> +<!-- Login Method --> +<tr <?php echo helper_alternate_class() ?>> + <td class="category"> + <?php echo lang_get( 'login_method' ) ?>: + </td> + <td> + <?php echo $g_login_method_strings[$t_user['login_method']]; ?> + </td> +</tr> + <!-- Access Level --> <tr <?php echo helper_alternate_class() ?>> <td class="category"> Index: admin/schema.php =================================================================== RCS file: /cvsroot/mantisbt/mantisbt/admin/schema.php,v retrieving revision 1.11 diff -u -r1.11 schema.php --- admin/schema.php 14 Aug 2006 08:32:57 -0000 1.11 +++ admin/schema.php 25 Sep 2006 10:45:57 -0000 @@ -303,7 +303,8 @@ login_count I NOTNULL DEFAULT '0', lost_password_request_count I2 NOTNULL DEFAULT '0', failed_login_count I2 NOTNULL DEFAULT '0', - cookie_string C(64) NOTNULL DEFAULT \" '' \" + cookie_string C(64) NOTNULL DEFAULT \" '' \", + login_method I2 NOTNULL DEFAULT '0' ",Array('mysql' => 'TYPE=MyISAM', 'pgsql' => 'WITHOUT OIDS'))); $upgrade[] = Array('CreateIndexSQL',Array('idx_user_cookie_string',config_get('mantis_user_table'),'cookie_string',Array('UNIQUE'))); $upgrade[] = Array('CreateIndexSQL',Array('idx_user_username',config_get('mantis_user_table'),'username',Array('UNIQUE'))); @@ -325,4 +326,4 @@ body XS NOTNULL ",Array('mysql' => 'TYPE=MyISAM', 'pgsql' => 'WITHOUT OIDS'))); $upgrade[] = Array('CreateIndexSQL',Array('idx_email_id',config_get('mantis_email_table'),'email_id')); -?> \ No newline at end of file +?> Index: core/authentication_api.php =================================================================== RCS file: /cvsroot/mantisbt/mantisbt/core/authentication_api.php,v retrieving revision 1.55 diff -u -r1.55 authentication_api.php --- core/authentication_api.php 23 Apr 2006 12:32:59 -0000 1.55 +++ core/authentication_api.php 25 Sep 2006 10:45:58 -0000 @@ -74,7 +74,7 @@ function auth_attempt_login( $p_username, $p_password, $p_perm_login=false ) { $t_user_id = user_get_id_by_name( $p_username ); - $t_login_method = config_get( 'login_method' ); + $t_login_method = user_get_field($t_user_id, 'login_method'); #config_get( 'login_method' ); if ( false === $t_user_id ) { if ( BASIC_AUTH == $t_login_method ) { @@ -118,7 +118,7 @@ if ( !( ( ON == $t_anon_allowed ) && ( $t_anon_account == $p_username) ) ) { # anonymous login didn't work, so check the password - if ( !auth_does_password_match( $t_user_id, $p_password ) ) { + if ( !auth_does_password_match( $t_user_id, $p_password ) ) { user_increment_failed_login_count( $t_user_id ); return false; } @@ -201,22 +201,25 @@ # Return true if the password for the user id given matches the given # password (taking into account the global login method) function auth_does_password_match( $p_user_id, $p_test_password ) { - $t_configured_login_method = config_get( 'login_method' ); - - if ( LDAP == $t_configured_login_method ) { - return ldap_authenticate( $p_user_id, $p_test_password ); - } + $t_user_login_method = user_get_field( $p_user_id, 'login_method' ); #config_get( 'login_method' ); + switch ($t_user_login_method) + { + case ADS: return ads_authenticate( $p_user_id, $p_test_password ); break; + case LDAP: return ldap_authenticate( $p_user_id, $p_test_password ); break; + default: break; + } + $t_password = user_get_field( $p_user_id, 'password' ); $t_login_methods = Array(MD5, CRYPT, PLAIN); foreach ( $t_login_methods as $t_login_method ) { # pass the stored password in as the salt - if ( auth_process_plain_password( $p_test_password, $t_password, $t_login_method ) == $t_password ) { + if ( auth_process_plain_password( $p_test_password, $t_login_method, $t_password) == $t_password ) { # Check for migration to another login method and test whether the password was encrypted # with our previously insecure implemention of the CRYPT method - if ( ( $t_login_method != $t_configured_login_method ) \|\| - ( ( CRYPT == $t_configured_login_method ) && substr( $t_password, 0, 2 ) == substr( $p_test_password, 0, 2 ) ) ) { + if ( ( $t_login_method != $t_user_login_method ) \|\| + ( ( CRYPT == $t_user_login_method ) && substr( $t_password, 0, 2 ) == substr( $p_test_password, 0, 2 ) ) ) { user_set_password( $p_user_id, $p_test_password, true ); } @@ -235,13 +238,9 @@ # When encrypting a password to compare to a stored password, the stored # password should be passed in as salt. If the auth method is CRYPT then # crypt() will extract the appropriate portion of the stored password as its salt - function auth_process_plain_password( $p_password, $p_salt=null, $p_method=null ) { - $t_login_method = config_get( 'login_method' ); - if ( $p_method !== null ) { - $t_login_method = $p_method; - } + function auth_process_plain_password( $p_password, $p_login_method, $p_salt=null ) { - switch ( $t_login_method ) { + switch ( $p_login_method ) { case CRYPT: # a null salt is the same as no salt, which causes a salt to be generated # otherwise, use the salt given Index: core/constant_inc.php =================================================================== RCS file: /cvsroot/mantisbt/mantisbt/core/constant_inc.php,v retrieving revision 1.58 diff -u -r1.58 constant_inc.php --- core/constant_inc.php 12 Aug 2006 08:04:13 -0000 1.58 +++ core/constant_inc.php 25 Sep 2006 10:45:58 -0000 @@ -103,8 +103,9 @@ define( 'LDAP', 4 ); define( 'BASIC_AUTH', 5 ); define( 'HTTP_AUTH', 6 ); - - # file upload methods + define( 'ADS', 7 ); + + # file upload methods define( 'DISK', 1 ); define( 'DATABASE', 2 ); define( 'FTP', 3 ); @@ -286,6 +287,9 @@ define( 'ERROR_SIGNUP_NOT_MATCHING_CAPTCHA', 1904 ); define( 'ERROR_LOST_PASSWORD_MAX_IN_PROGRESS_ATTEMPTS_REACHED', 1905 ); + # ERROR_ADS_* + define( 'ERROR_ADS_SERVER_CONNECT_FAILED', 2000 ); + # ERROR_FILTER_NOT_FOUND define( 'ERROR_FILTER_NOT_FOUND', 2000 ); define( 'ERROR_FILTER_TOO_OLD', 2001 ); Index: core/custom_function_api.php =================================================================== RCS file: /cvsroot/mantisbt/mantisbt/core/custom_function_api.php,v retrieving revision 1.27 diff -u -r1.27 custom_function_api.php --- core/custom_function_api.php 18 May 2006 05:53:44 -0000 1.27 +++ core/custom_function_api.php 25 Sep 2006 10:45:58 -0000 @@ -128,9 +128,9 @@ # -------------------- # Hook for authentication # can Mantis update the password - function custom_function_default_auth_can_change_password( ) { + function custom_function_default_auth_can_change_password( $p_login_method ) { $t_can_change = array( PLAIN, CRYPT, CRYPT_FULL_SALT, MD5 ); - if ( in_array( config_get( 'login_method' ), $t_can_change ) ) { + if ( in_array( $p_login_method, $t_can_change ) ) { return true; } else { return false; @@ -347,4 +347,4 @@ # html_api.php. For each button, this function needs to generate the enclosing '<td>' and '</td>'. function custom_function_default_print_bug_view_page_custom_buttons( $p_bug_id ) { } -?> \ No newline at end of file +?> Index: core/ldap_api.php =================================================================== RCS file: /cvsroot/mantisbt/mantisbt/core/ldap_api.php,v retrieving revision 1.19 diff -u -r1.19 ldap_api.php --- core/ldap_api.php 22 Apr 2006 01:52:14 -0000 1.19 +++ core/ldap_api.php 25 Sep 2006 10:45:58 -0000 @@ -153,4 +153,5 @@ # -------------------- # Change the user's password in the LDAP Directory + ?> Index: core/user_api.php =================================================================== RCS file: /cvsroot/mantisbt/mantisbt/core/user_api.php,v retrieving revision 1.107 diff -u -r1.107 user_api.php --- core/user_api.php 29 Oct 2005 09:52:52 -0000 1.107 +++ core/user_api.php 25 Sep 2006 10:45:58 -0000 @@ -13,6 +13,7 @@ require_once( $t_core_dir . 'email_api.php' ); require_once( $t_core_dir . 'ldap_api.php' ); + require_once( $t_core_dir . 'ads_api.php' ); ### User API ### @@ -326,17 +327,18 @@ # -------------------- # Create a user. # returns false if error, the generated cookie string if ok - function user_create( $p_username, $p_password, $p_email='', $p_access_level=null, $p_protected=false, $p_enabled=true, $p_realname='' ) { + function user_create( $p_username, $p_password, $p_email='', $p_login_method=MD5, $p_access_level=null, $p_protected=false, $p_enabled=true, $p_realname='' ) { if ( null === $p_access_level ) { $p_access_level = config_get( 'default_new_account_access_level'); } - $t_password = auth_process_plain_password( $p_password ); + $t_password = auth_process_plain_password( $p_password, 'MD5' ); $c_username = db_prepare_string( $p_username ); $c_realname = db_prepare_string( $p_realname ); $c_password = db_prepare_string( $t_password ); $c_email = db_prepare_string( $p_email ); + $c_login_method = db_prepare_int( $p_login_method ); $c_access_level = db_prepare_int( $p_access_level ); $c_protected = db_prepare_bool( $p_protected ); $c_enabled = db_prepare_bool( $p_enabled ); @@ -352,10 +354,10 @@ $query = "INSERT INTO $t_user_table ( username, email, password, date_created, last_visit, - enabled, access_level, login_count, cookie_string, realname ) + enabled, access_level, login_count, cookie_string, realname, login_method ) VALUES ( '$c_username', '$c_email', '$c_password', " . db_now() . "," . db_now() . ", - $c_enabled, $c_access_level, 0, '$t_cookie_string', '$c_realname')"; + $c_enabled, $c_access_level, 0, '$t_cookie_string', '$c_realname', '$c_login_method')"; db_query( $query ); # Create preferences for the user @@ -1054,12 +1056,13 @@ # Set the user's password to the given string, encoded as appropriate function user_set_password( $p_user_id, $p_password, $p_allow_protected=false ) { $c_user_id = db_prepare_int( $p_user_id ); + $t_user_login_method = user_get_field( $p_user_id, 'login_method' ); if ( !$p_allow_protected ) { user_ensure_unprotected( $p_user_id ); } - $t_password = auth_process_plain_password( $p_password ); + $t_password = auth_process_plain_password( $p_password, $t_user_login_method ); $t_user_table = config_get( 'mantis_user_table' ); $query = "UPDATE $t_user_table SET password='$t_password' @@ -1120,8 +1123,9 @@ if ( ( ON == config_get( 'send_reset_password' ) ) && ( ON == config_get( 'enable_email_notification' ) ) ) { # Create random password $t_email = user_get_field( $p_user_id, 'email' ); + $t_user_login_method = user_get_field ( $p_user_id, 'login_method' ); $t_password = auth_generate_random_password( $t_email ); - $t_password2 = auth_process_plain_password( $t_password ); + $t_password2 = auth_process_plain_password( $t_password, $t_user_login_method ); user_set_field( $p_user_id, 'password', $t_password2 ); @@ -1132,7 +1136,8 @@ } } else { # use blank password, no emailing - $t_password = auth_process_plain_password( '' ); + $t_user_login_method = user_get_field( $p_user_id, 'login_method' ); + $t_password = auth_process_plain_password( '', $t_user_login_method ); user_set_field( $p_user_id, 'password', $t_password ); # reset the failed login count because in this mode there is no emailing user_reset_failed_login_count_to_zero( $p_user_id ); Index: lang/strings_dutch.txt =================================================================== RCS file: /cvsroot/mantisbt/mantisbt/lang/strings_dutch.txt,v retrieving revision 1.108 diff -u -r1.108 strings_dutch.txt --- lang/strings_dutch.txt 25 Sep 2006 05:16:48 -0000 1.108 +++ lang/strings_dutch.txt 25 Sep 2006 10:45:58 -0000 @@ -384,6 +384,7 @@ $s_update_user_button = 'Gebruiker aanpassen'; $s_verify_warning = 'Uw account is gecontroleerd. Het accountbevestigingsbericht dat u heeft ontvangen is niet langer bruikbaar.'; $s_verify_change_password = 'Hier dient een wachtwoord ingegeven te worden om opnieuw te kunnen aanmelden.'; +$s_login_method = 'Aanmeldings-methode'; # account_prefs_page.php $s_default_account_preferences_title = 'Standaard accountinstellingen'; Index: lang/strings_english.txt =================================================================== RCS file: /cvsroot/mantisbt/mantisbt/lang/strings_english.txt,v retrieving revision 1.280 diff -u -r1.280 strings_english.txt --- lang/strings_english.txt 25 Sep 2006 05:16:48 -0000 1.280 +++ lang/strings_english.txt 25 Sep 2006 10:45:59 -0000 @@ -262,6 +262,7 @@ $MANTIS_ERROR[ERROR_PROJECT_RECURSIVE_HIERARCHY] = 'That operation would create a loop in the subproject hierarchy.'; $MANTIS_ERROR[ERROR_USER_CHANGE_LAST_ADMIN] = 'You cannot change the access level of the only ADMINISTRATOR in the system.'; $MANTIS_ERROR[ERROR_PAGE_REDIRECTION] = 'Page redirection error, ensure that there are no spaces outside the PHP block (<?php ?>) in config_inc.php or custom_.php files.'; +$MANTIS_ERROR[ERROR_ADS_SERVER_CONNECT_FAILED] = 'ADS Server Connection Failed'; $s_login_error = 'Your account may be disabled or blocked or the username/password you entered is incorrect.'; $s_login_cookies_disabled = 'Your browser either doesn\'t know how to handle cookies, or refuses to handle them.'; @@ -380,6 +381,7 @@ $s_update_user_button = 'Update User'; $s_verify_warning = 'Your account information has been verified. The account confirmation message you have received is now invalid.'; $s_verify_change_password = 'You must set a password here to allow you to log in again.'; +$s_login_method = 'Authentication method'; # account_prefs_page.php $s_default_account_preferences_title = 'Account Preferences'; Index: lang/strings_german.txt =================================================================== RCS file: /cvsroot/mantisbt/mantisbt/lang/strings_german.txt,v retrieving revision 1.145 diff -u -r1.145 strings_german.txt --- lang/strings_german.txt 25 Sep 2006 05:16:48 -0000 1.145 +++ lang/strings_german.txt 25 Sep 2006 10:45:59 -0000 @@ -385,6 +385,7 @@ $s_update_user_button = 'Benutzer aktualisieren'; $s_verify_warning = 'Ihre Kontoinformationen wurden �berpr�ft. Die von Ihnen erhaltene Konto Best�tigungsmeldung ist jetzt ung�ltig.'; $s_verify_change_password = 'Sie m�ssen hier ein Pa�wort vergeben, um sich wieder anmelden zu k�nnen.'; +$s_login_method = 'Authentifizierungs-Methode'; # account_prefs_page.php $s_default_account_preferences_title = 'Kontoeinstellungen'; mantisbt_ads_v2.patch (25,412 bytes) ads_api.php (3,364 bytes) <?php # Mantis - a php based bugtracking system # Copyright (C) 2000 - 2002 Kenzaburo Ito - kenito@300baud.org # Copyright (C) 2002 - 2004 Mantis Team - mantisbt-dev@lists.sourceforge.net # This program is distributed under the terms and conditions of the GPL # See the README and LICENSE files for details # -------------------------------------------------------- # $Id: ads_api.php,v 1.01 2006/09/21 01:52:14 hkaufmann Exp $ # -------------------------------------------------------- ########################################################################### # Active Directory API ########################################################################### # -------------------- # Connect to the ADS directory function ads_connect() { # Get ads configuration $t_ads_server = config_get( 'ads_server' ); $t_ads_port = config_get( 'ads_port' ); # Connection to ADS-Server $t_ds = @ldap_connect ( $t_ads_server, $t_ads_port); # Trigger error if ( !$t_ds ) { trigger_error( ERROR_ADS_SERVER_CONNECT_FAILED, ERROR ); } return $t_ds; } # -------------------- # Bind to the ADS directory function ads_bind( $p_ds, $p_bindname = '', $p_password = '' ) { # If no Bind DN and Password is set, attempt to login as the configured Bind DN. if ( is_blank( $p_bindname ) && is_blank( $p_password ) ) { $p_bindname = config_get( 'ads_bind_name', '' ); $p_password = config_get( 'ads_bind_passwd', '' ); } # Try bind if ( !is_blank( $p_bindname ) && !is_blank( $p_password ) ) { # Get domain $t_ads_domain = config_get( 'ads_domain' ) ; $t_bindname = "$t_ads_domain\\$p_bindname"; $t_br = @ldap_bind( $p_ds, $t_bindname, $p_password ); } # If either bindname or password is empty try anonymous bind else { $t_br = @ldap_bind( $p_ds ); } return $t_br; } # -------------------- # Attempt to authenticate the user against the MS Active Directory # return true on successful authentication, false otherwise function ads_authenticate( $p_user_id, $p_password ) { # if password is empty and Active Directory allows anonymous login, then # the user will be able to login, so we need to check for this special case. if ( is_blank( $p_password ) ) { return false; } # Connection to ADS-Server $t_ds = ads_connect(); # Get username $t_username = user_get_field( $p_user_id, 'username' ); # Try bind if ( ads_bind($t_ds, $t_username, $p_password) ) $t_authenticated = true; else $t_authenticated = false; # Unbind ldap_unbind( $t_ds ); return $t_authenticated; } # -------------------- # Create a new user account in the Active Directory. # -------------------- # Update the user's account in the Active Directory # -------------------- # Change the user's password in the Active Directory ?> ads_api.php (3,364 bytes) mantisbt_ads_v3.patch (28,371 bytes) ? core/ads_api.php Index: account_page.php =================================================================== RCS file: /cvsroot/mantisbt/mantisbt/account_page.php,v retrieving revision 1.51 diff -u -r1.51 account_page.php --- account_page.php 17 Jul 2005 21:56:21 -0000 1.51 +++ account_page.php 4 Oct 2006 09:21:19 -0000 @@ -52,7 +52,7 @@ $row = user_get_row( auth_get_current_user_id() ); extract( $row, EXTR_PREFIX_ALL, 'u' ); - $t_ldap = ( LDAP == config_get( 'login_method' ) ); + $t_ldap = ( LDAP == $row['login_method'] ); # In case we're using LDAP to get the email address... this will pull out # that version instead of the one in the DB @@ -72,7 +72,7 @@ <center><div style="color:red; width:75%"> <?php echo lang_get( 'verify_warning' ); - if ( helper_call_custom_function( 'auth_can_change_password', array() ) ) { + if ( helper_call_custom_function( 'auth_can_change_password', array($row['login_method']) ) ) { echo '<br />' . lang_get( 'verify_change_password' ); } ?> @@ -93,7 +93,7 @@ </td> </tr> -<?php if ( !helper_call_custom_function( 'auth_can_change_password', array() ) ) { ?> <!-- With LDAP --> +<?php if ( !helper_call_custom_function( 'auth_can_change_password', array($row['login_method']) ) ) { ?> <!-- With LDAP --> <!-- Username --> <tr class="row-1"> Index: account_update.php =================================================================== RCS file: /cvsroot/mantisbt/mantisbt/account_update.php,v retrieving revision 1.40 diff -u -r1.40 account_update.php --- account_update.php 30 Nov 2004 13:02:57 -0000 1.40 +++ account_update.php 22 Sep 2006 07:53:31 -0000 @@ -68,7 +68,7 @@ } # Update password if the two match and are not empty - if ( !is_blank( $f_password ) ) { + if ( !is_blank( $f_password ) ) { if ( $f_password != $f_password_confirm ) { trigger_error( ERROR_USER_CREATE_PASSWORD_MISMATCH, ERROR ); } else { Index: config_defaults_inc.php =================================================================== RCS file: /cvsroot/mantisbt/mantisbt/config_defaults_inc.php,v retrieving revision 1.311 diff -u -r1.311 config_defaults_inc.php --- config_defaults_inc.php 16 Sep 2006 18:02:05 -0000 1.311 +++ config_defaults_inc.php 22 Sep 2006 14:19:45 -0000 @@ -831,6 +831,16 @@ # The LDAP Protocol Version, if 0, then the protocol version is not set. $g_ldap_protocol_version = 0; + ############################# + # Mantis ADS Settings + ############################# + # --- using MS Active Directory ------------- + $g_ads_server = 'ldap://ads.example.com.au/'; + $g_ads_port = '389'; + $g_ads_domain = 'myDomain'; # ADS domain like 'myDomain' + $g_ads_bind_name = ''; + $g_ads_bind_passwd = ''; + ############################ # Status Settings ############################ @@ -1082,10 +1092,26 @@ # example: $g_set_status_threshold = array( ACKNOWLEDGED => MANAGER, CONFIRMED => DEVELOPER, CLOSED => MANAGER ); $g_set_status_threshold = array(); + # --- login method strings -------- + # Don't change this + $g_login_method_strings[PLAIN] = "Plain"; + $g_login_method_strings[CRYPT] = "Crypt"; + $g_login_method_strings[CRYPT_FULL_SALT] = "Crypt full salt"; + $g_login_method_strings[MD5] = "MD5"; + $g_login_method_strings[LDAP] = "LDAP"; + $g_login_method_strings[BASIC_AUTH] = "Basic Auth"; + $g_login_method_strings[HTTP_AUTH] = "HTTP Auth"; + $g_login_method_strings[ADS] = "Active Directory"; + # --- login method ---------------- - # CRYPT or PLAIN or MD5 or LDAP or BASIC_AUTH + # CRYPT or PLAIN or MD5 or LDAP or BASIC_AUTH or ADS # You can simply change this at will. Mantis will try to figure out how the passwords were encrypted. + # ATTENTION: This might soon be depricated $g_login_method = MD5; + + # Enter here your allowed login methods. This values will be choosable when create new user + # e.g. array(LDAP, ADS, MD5, CRYPT) + $g_login_methods = array(MD5); # --- limit reporters ------------- # Set to ON if you wish to limit reporters to only viewing bugs that they report. @@ -1767,4 +1793,4 @@ # The maximum number of issues to keep in the recently visited list. $g_recently_visited_count = 5; -?> \ No newline at end of file +?> Index: login.php =================================================================== RCS file: /cvsroot/mantisbt/mantisbt/login.php,v retrieving revision 1.36 diff -u -r1.36 login.php --- login.php 7 Aug 2005 16:01:37 -0000 1.36 +++ login.php 4 Oct 2006 09:23:26 -0000 @@ -20,13 +20,15 @@ $f_perm_login = gpc_get_bool( 'perm_login' ); $f_return = gpc_get_string( 'return', config_get( 'default_home_page' ) ); $f_from = gpc_get_string( 'from', '' ); + $f_login_method = user_get_field( user_get_id_by_name($f_username), 'login_method' ); + - if ( BASIC_AUTH == config_get( 'login_method' ) ) { + if ( BASIC_AUTH == $f_login_method ) { $f_username = $_SERVER['REMOTE_USER']; $f_password = $_SERVER['PHP_AUTH_PW']; } - if ( HTTP_AUTH == config_get( 'login_method' ) ) { + if ( HTTP_AUTH == $f_login_method ) { if ( !auth_http_is_logout_pending() ) { if ( isset( $_SERVER['PHP_AUTH_USER'] ) ) @@ -45,7 +47,7 @@ } else { $t_redirect_url = 'login_page.php?return=' . urlencode( $f_return ) . '&error=1'; - if ( HTTP_AUTH == config_get( 'login_method' ) ) { + if ( HTTP_AUTH == $f_login_method ) { auth_http_prompt(); exit; } Index: login_page.php =================================================================== RCS file: /cvsroot/mantisbt/mantisbt/login_page.php,v retrieving revision 1.56 diff -u -r1.56 login_page.php --- login_page.php 24 Jul 2006 01:31:28 -0000 1.56 +++ login_page.php 4 Oct 2006 09:25:48 -0000 @@ -22,23 +22,6 @@ $f_cookie_error = gpc_get_bool( 'cookie_error' ); $f_return = gpc_get_string( 'return', '' ); - # Check for HTTP_AUTH. HTTP_AUTH is handled in login.php - - if ( HTTP_AUTH == config_get( 'login_method' ) ) { - $t_uri = "login.php"; - - if ( !$f_return && ON == config_get( 'allow_anonymous_login' ) ) { - $t_uri = "login_anon.php"; - } - - if ( $f_return ) { - $t_uri .= "?return=" . urlencode( $f_return ); - } - - print_header_redirect( $t_uri ); - exit; - } - html_page_top1(); html_page_top2a(); @@ -127,7 +110,7 @@ # # Warning, if plain passwords are selected - if ( config_get( 'login_method' ) === PLAIN ) { + if ( in_array( PLAIN, $g_login_methods ) ){ echo '<div class="warning" align="center">'; echo '<p><font color="red"><strong>WARNING:</strong> Plain password authentication is used, this will expose your passwords to administrators.</font></p>'; echo '</div>'; @@ -135,7 +118,7 @@ # Generate a warning if administrator/root is valid. $t_admin_user_id = user_get_id_by_name( 'administrator' ); - if ( $t_admin_user_id !== false ) { + if ( $t_admin_user_id !== false ) { if ( user_is_enabled( $t_admin_user_id ) && auth_does_password_match( $t_admin_user_id, 'root' ) ) { echo '<div class="warning" align="center">'; echo '<p><font color="red"><strong>WARNING:</strong> You should disable the default "administrator" account or change its password.</font></p>'; Index: manage_user_create.php =================================================================== RCS file: /cvsroot/mantisbt/mantisbt/manage_user_create.php,v retrieving revision 1.22 diff -u -r1.22 manage_user_create.php --- manage_user_create.php 21 Mar 2005 20:48:55 -0000 1.22 +++ manage_user_create.php 22 Sep 2006 13:01:23 -0000 @@ -22,6 +22,7 @@ $f_password = gpc_get_string( 'password', '' ); $f_password_verify = gpc_get_string( 'password_verify', '' ); $f_email = gpc_get_string( 'email' ); + $f_login_method = gpc_get_string( 'login_method' ); $f_access_level = gpc_get_string( 'access_level' ); $f_protected = gpc_get_bool( 'protected' ); $f_enabled = gpc_get_bool( 'enabled' ); @@ -58,7 +59,7 @@ } } - $t_cookie = user_create( $f_username, $f_password, $f_email, $f_access_level, $f_protected, $f_enabled, $f_realname ); + $t_cookie = user_create( $f_username, $f_password, $f_email, $f_login_method, $f_access_level, $f_protected, $f_enabled, $f_realname ); if ( $t_cookie === false ) { $t_redirect_url = 'manage_user_page.php'; Index: manage_user_create_page.php =================================================================== RCS file: /cvsroot/mantisbt/mantisbt/manage_user_create_page.php,v retrieving revision 1.19 diff -u -r1.19 manage_user_create_page.php --- manage_user_create_page.php 21 Mar 2005 20:48:55 -0000 1.19 +++ manage_user_create_page.php 22 Sep 2006 12:48:19 -0000 @@ -75,6 +75,21 @@ ?> <tr <?php echo helper_alternate_class() ?>> <td class="category"> + <?php echo lang_get( 'login_method' ) ?> + </td> + <td> + <select name="login_method"> + <?php + for ($i=0; $i<sizeof($g_login_methods); $i++) + { + echo "<option value='".$g_login_methods[$i]."'>".$g_login_method_strings[$g_login_methods[$i]]."</option>"; + } + ?> + </select> + </td> +</tr> +<tr <?php echo helper_alternate_class() ?>> + <td class="category"> <?php echo lang_get( 'access_level' ) ?> </td> <td> Index: manage_user_edit_page.php =================================================================== RCS file: /cvsroot/mantisbt/mantisbt/manage_user_edit_page.php,v retrieving revision 1.16 diff -u -r1.16 manage_user_edit_page.php --- manage_user_edit_page.php 26 Mar 2006 10:35:33 -0000 1.16 +++ manage_user_edit_page.php 4 Oct 2006 10:01:29 -0000 @@ -69,6 +69,25 @@ </td> </tr> +<!-- Login Method --> +<tr <?php echo helper_alternate_class() ?>> + <td class="category"> + <?php echo lang_get( 'login_method' ) ?>: + </td> + <td> + <select name="login_method"> + <?php + for ($i=0; $i<sizeof($g_login_methods); $i++) + { + echo "<option value='".$g_login_methods[$i]."'"; + if ( $t_user['login_method'] == $g_login_methods[$i] ) echo " SELECTED"; + echo ">".$g_login_method_strings[$g_login_methods[$i]]."</option>"; + } + ?> + </select> + </td> +</tr> + <!-- Access Level --> <tr <?php echo helper_alternate_class() ?>> <td class="category"> @@ -116,10 +135,12 @@ <!-- RESET AND DELETE --> <div class="border-center"> <!-- Reset Button --> +<?php if ( $t_user['login_method'] != 7 ) { ?> <form method="post" action="manage_user_reset.php"> <input type="hidden" name="user_id" value="<?php echo $t_user['id'] ?>" /> <input type="submit" class="button" value="<?php echo lang_get( 'reset_password_button' ) ?>" /> </form> +<?php } ?> <!-- Delete Button --> <?php if ( !( ( ADMINISTRATOR <= $t_user['access_level'] ) && ( 1 >= user_count_level( ADMINISTRATOR ) ) ) ) { ?> Index: manage_user_update.php =================================================================== RCS file: /cvsroot/mantisbt/mantisbt/manage_user_update.php,v retrieving revision 1.38 diff -u -r1.38 manage_user_update.php --- manage_user_update.php 26 Mar 2006 10:35:33 -0000 1.38 +++ manage_user_update.php 4 Oct 2006 10:08:55 -0000 @@ -24,6 +24,7 @@ $f_email = gpc_get_string( 'email', '' ); $f_username = gpc_get_string( 'username', '' ); $f_realname = gpc_get_string( 'realname', '' ); + $f_login_method = gpc_get_string( 'login_method', '' ); $f_access_level = gpc_get_int( 'access_level' ); $f_user_id = gpc_get_int( 'user_id' ); @@ -49,6 +50,7 @@ $c_enabled = db_prepare_bool( $f_enabled ); $c_user_id = db_prepare_int( $f_user_id ); $c_access_level = db_prepare_int( $f_access_level ); + $c_login_method = db_prepare_int( $f_login_method ); $t_user_table = config_get( 'mantis_user_table' ); @@ -67,7 +69,7 @@ } # if the user is already protected and the admin is not removing the - # protected flag then don't update the access level and enabled flag. + # protected flag then don't update the access level, login_method and enabled flag. # If the user was unprotected or the protected flag is being turned off # then proceed with a full update. if ( $f_protected && $t_old_protected ) { @@ -77,7 +79,7 @@ WHERE id='$c_user_id'"; } else { $query = "UPDATE $t_user_table - SET username='$c_username', email='$c_email', + SET username='$c_username', email='$c_email', login_method='$c_login_method', access_level='$c_access_level', enabled='$c_enabled', protected='$c_protected', realname='$c_realname' WHERE id='$c_user_id'"; Index: admin/schema.php =================================================================== RCS file: /cvsroot/mantisbt/mantisbt/admin/schema.php,v retrieving revision 1.11 diff -u -r1.11 schema.php --- admin/schema.php 14 Aug 2006 08:32:57 -0000 1.11 +++ admin/schema.php 4 Oct 2006 08:46:28 -0000 @@ -303,7 +303,8 @@ login_count I NOTNULL DEFAULT '0', lost_password_request_count I2 NOTNULL DEFAULT '0', failed_login_count I2 NOTNULL DEFAULT '0', - cookie_string C(64) NOTNULL DEFAULT \" '' \" + cookie_string C(64) NOTNULL DEFAULT \" '' \", + login_method I2 NOTNULL DEFAULT '0' ",Array('mysql' => 'TYPE=MyISAM', 'pgsql' => 'WITHOUT OIDS'))); $upgrade[] = Array('CreateIndexSQL',Array('idx_user_cookie_string',config_get('mantis_user_table'),'cookie_string',Array('UNIQUE'))); $upgrade[] = Array('CreateIndexSQL',Array('idx_user_username',config_get('mantis_user_table'),'username',Array('UNIQUE'))); @@ -325,4 +326,4 @@ body XS NOTNULL ",Array('mysql' => 'TYPE=MyISAM', 'pgsql' => 'WITHOUT OIDS'))); $upgrade[] = Array('CreateIndexSQL',Array('idx_email_id',config_get('mantis_email_table'),'email_id')); -?> \ No newline at end of file +?> Index: core/authentication_api.php =================================================================== RCS file: /cvsroot/mantisbt/mantisbt/core/authentication_api.php,v retrieving revision 1.55 diff -u -r1.55 authentication_api.php --- core/authentication_api.php 23 Apr 2006 12:32:59 -0000 1.55 +++ core/authentication_api.php 4 Oct 2006 09:33:30 -0000 @@ -74,7 +74,7 @@ function auth_attempt_login( $p_username, $p_password, $p_perm_login=false ) { $t_user_id = user_get_id_by_name( $p_username ); - $t_login_method = config_get( 'login_method' ); + $t_login_method = user_get_field($t_user_id, 'login_method'); if ( false === $t_user_id ) { if ( BASIC_AUTH == $t_login_method ) { @@ -118,7 +118,7 @@ if ( !( ( ON == $t_anon_allowed ) && ( $t_anon_account == $p_username) ) ) { # anonymous login didn't work, so check the password - if ( !auth_does_password_match( $t_user_id, $p_password ) ) { + if ( !auth_does_password_match( $t_user_id, $p_password ) ) { user_increment_failed_login_count( $t_user_id ); return false; } @@ -201,22 +201,25 @@ # Return true if the password for the user id given matches the given # password (taking into account the global login method) function auth_does_password_match( $p_user_id, $p_test_password ) { - $t_configured_login_method = config_get( 'login_method' ); - - if ( LDAP == $t_configured_login_method ) { - return ldap_authenticate( $p_user_id, $p_test_password ); - } + $t_user_login_method = user_get_field( $p_user_id, 'login_method' ); + switch ($t_user_login_method) + { + case ADS: return ads_authenticate( $p_user_id, $p_test_password ); break; + case LDAP: return ldap_authenticate( $p_user_id, $p_test_password ); break; + default: break; + } + $t_password = user_get_field( $p_user_id, 'password' ); $t_login_methods = Array(MD5, CRYPT, PLAIN); foreach ( $t_login_methods as $t_login_method ) { # pass the stored password in as the salt - if ( auth_process_plain_password( $p_test_password, $t_password, $t_login_method ) == $t_password ) { + if ( auth_process_plain_password( $p_test_password, $t_login_method, $t_password) == $t_password ) { # Check for migration to another login method and test whether the password was encrypted # with our previously insecure implemention of the CRYPT method - if ( ( $t_login_method != $t_configured_login_method ) \|\| - ( ( CRYPT == $t_configured_login_method ) && substr( $t_password, 0, 2 ) == substr( $p_test_password, 0, 2 ) ) ) { + if ( ( $t_login_method != $t_user_login_method ) \|\| + ( ( CRYPT == $t_user_login_method ) && substr( $t_password, 0, 2 ) == substr( $p_test_password, 0, 2 ) ) ) { user_set_password( $p_user_id, $p_test_password, true ); } @@ -235,13 +238,9 @@ # When encrypting a password to compare to a stored password, the stored # password should be passed in as salt. If the auth method is CRYPT then # crypt() will extract the appropriate portion of the stored password as its salt - function auth_process_plain_password( $p_password, $p_salt=null, $p_method=null ) { - $t_login_method = config_get( 'login_method' ); - if ( $p_method !== null ) { - $t_login_method = $p_method; - } + function auth_process_plain_password( $p_password, $p_login_method, $p_salt=null ) { - switch ( $t_login_method ) { + switch ( $p_login_method ) { case CRYPT: # a null salt is the same as no salt, which causes a salt to be generated # otherwise, use the salt given Index: core/constant_inc.php =================================================================== RCS file: /cvsroot/mantisbt/mantisbt/core/constant_inc.php,v retrieving revision 1.58 diff -u -r1.58 constant_inc.php --- core/constant_inc.php 12 Aug 2006 08:04:13 -0000 1.58 +++ core/constant_inc.php 22 Sep 2006 12:46:27 -0000 @@ -103,8 +103,9 @@ define( 'LDAP', 4 ); define( 'BASIC_AUTH', 5 ); define( 'HTTP_AUTH', 6 ); - - # file upload methods + define( 'ADS', 7 ); + + # file upload methods define( 'DISK', 1 ); define( 'DATABASE', 2 ); define( 'FTP', 3 ); @@ -286,6 +287,9 @@ define( 'ERROR_SIGNUP_NOT_MATCHING_CAPTCHA', 1904 ); define( 'ERROR_LOST_PASSWORD_MAX_IN_PROGRESS_ATTEMPTS_REACHED', 1905 ); + # ERROR_ADS_ + define( 'ERROR_ADS_SERVER_CONNECT_FAILED', 2000 ); + # ERROR_FILTER_NOT_FOUND define( 'ERROR_FILTER_NOT_FOUND', 2000 ); define( 'ERROR_FILTER_TOO_OLD', 2001 ); Index: core/custom_function_api.php =================================================================== RCS file: /cvsroot/mantisbt/mantisbt/core/custom_function_api.php,v retrieving revision 1.27 diff -u -r1.27 custom_function_api.php --- core/custom_function_api.php 18 May 2006 05:53:44 -0000 1.27 +++ core/custom_function_api.php 22 Sep 2006 09:31:40 -0000 @@ -128,9 +128,9 @@ # -------------------- # Hook for authentication # can Mantis update the password - function custom_function_default_auth_can_change_password( ) { + function custom_function_default_auth_can_change_password( $p_login_method ) { $t_can_change = array( PLAIN, CRYPT, CRYPT_FULL_SALT, MD5 ); - if ( in_array( config_get( 'login_method' ), $t_can_change ) ) { + if ( in_array( $p_login_method, $t_can_change ) ) { return true; } else { return false; @@ -347,4 +347,4 @@ # html_api.php. For each button, this function needs to generate the enclosing '<td>' and '</td>'. function custom_function_default_print_bug_view_page_custom_buttons( $p_bug_id ) { } -?> \ No newline at end of file +?> Index: core/ldap_api.php =================================================================== RCS file: /cvsroot/mantisbt/mantisbt/core/ldap_api.php,v retrieving revision 1.19 diff -u -r1.19 ldap_api.php --- core/ldap_api.php 22 Apr 2006 01:52:14 -0000 1.19 +++ core/ldap_api.php 4 Oct 2006 08:26:42 -0000 @@ -153,4 +153,5 @@ # -------------------- # Change the user's password in the LDAP Directory + ?> Index: core/user_api.php =================================================================== RCS file: /cvsroot/mantisbt/mantisbt/core/user_api.php,v retrieving revision 1.107 diff -u -r1.107 user_api.php --- core/user_api.php 29 Oct 2005 09:52:52 -0000 1.107 +++ core/user_api.php 22 Sep 2006 13:01:37 -0000 @@ -13,6 +13,7 @@ require_once( $t_core_dir . 'email_api.php' ); require_once( $t_core_dir . 'ldap_api.php' ); + require_once( $t_core_dir . 'ads_api.php' ); ### User API ### @@ -326,17 +327,18 @@ # -------------------- # Create a user. # returns false if error, the generated cookie string if ok - function user_create( $p_username, $p_password, $p_email='', $p_access_level=null, $p_protected=false, $p_enabled=true, $p_realname='' ) { + function user_create( $p_username, $p_password, $p_email='', $p_login_method=MD5, $p_access_level=null, $p_protected=false, $p_enabled=true, $p_realname='' ) { if ( null === $p_access_level ) { $p_access_level = config_get( 'default_new_account_access_level'); } - $t_password = auth_process_plain_password( $p_password ); + $t_password = auth_process_plain_password( $p_password, 'MD5' ); $c_username = db_prepare_string( $p_username ); $c_realname = db_prepare_string( $p_realname ); $c_password = db_prepare_string( $t_password ); $c_email = db_prepare_string( $p_email ); + $c_login_method = db_prepare_int( $p_login_method ); $c_access_level = db_prepare_int( $p_access_level ); $c_protected = db_prepare_bool( $p_protected ); $c_enabled = db_prepare_bool( $p_enabled ); @@ -352,10 +354,10 @@ $query = "INSERT INTO $t_user_table ( username, email, password, date_created, last_visit, - enabled, access_level, login_count, cookie_string, realname ) + enabled, access_level, login_count, cookie_string, realname, login_method ) VALUES ( '$c_username', '$c_email', '$c_password', " . db_now() . "," . db_now() . ", - $c_enabled, $c_access_level, 0, '$t_cookie_string', '$c_realname')"; + $c_enabled, $c_access_level, 0, '$t_cookie_string', '$c_realname', '$c_login_method')"; db_query( $query ); # Create preferences for the user @@ -1054,12 +1056,13 @@ # Set the user's password to the given string, encoded as appropriate function user_set_password( $p_user_id, $p_password, $p_allow_protected=false ) { $c_user_id = db_prepare_int( $p_user_id ); + $t_user_login_method = user_get_field( $p_user_id, 'login_method' ); if ( !$p_allow_protected ) { user_ensure_unprotected( $p_user_id ); } - $t_password = auth_process_plain_password( $p_password ); + $t_password = auth_process_plain_password( $p_password, $t_user_login_method ); $t_user_table = config_get( 'mantis_user_table' ); $query = "UPDATE $t_user_table SET password='$t_password' @@ -1120,8 +1123,9 @@ if ( ( ON == config_get( 'send_reset_password' ) ) && ( ON == config_get( 'enable_email_notification' ) ) ) { # Create random password $t_email = user_get_field( $p_user_id, 'email' ); + $t_user_login_method = user_get_field ( $p_user_id, 'login_method' ); $t_password = auth_generate_random_password( $t_email ); - $t_password2 = auth_process_plain_password( $t_password ); + $t_password2 = auth_process_plain_password( $t_password, $t_user_login_method ); user_set_field( $p_user_id, 'password', $t_password2 ); @@ -1132,7 +1136,8 @@ } } else { # use blank password, no emailing - $t_password = auth_process_plain_password( '' ); + $t_user_login_method = user_get_field( $p_user_id, 'login_method' ); + $t_password = auth_process_plain_password( '', $t_user_login_method ); user_set_field( $p_user_id, 'password', $t_password ); # reset the failed login count because in this mode there is no emailing user_reset_failed_login_count_to_zero( $p_user_id ); Index: lang/strings_dutch.txt =================================================================== RCS file: /cvsroot/mantisbt/mantisbt/lang/strings_dutch.txt,v retrieving revision 1.99 diff -u -r1.99 strings_dutch.txt --- lang/strings_dutch.txt 21 Mar 2006 12:40:24 -0000 1.99 +++ lang/strings_dutch.txt 4 Oct 2006 09:32:40 -0000 @@ -379,6 +379,7 @@ $s_update_user_button = 'Gebruiker aanpassen'; $s_verify_warning = 'Uw account is gecontroleerd. Het accountbevestigingsbericht dat u heeft ontvangen is niet langer bruikbaar.'; $s_verify_change_password = 'Hier dient een wachtwoord ingegeven te worden om opnieuw te kunnen aanmelden.'; +$s_login_method = 'Aanmeldings-methode'; # account_prefs_page.php $s_default_account_preferences_title = 'Standaard accountinstellingen'; Index: lang/strings_english.txt =================================================================== RCS file: /cvsroot/mantisbt/mantisbt/lang/strings_english.txt,v retrieving revision 1.276 diff -u -r1.276 strings_english.txt --- lang/strings_english.txt 12 Aug 2006 08:04:14 -0000 1.276 +++ lang/strings_english.txt 22 Sep 2006 12:24:59 -0000 @@ -259,6 +259,7 @@ $MANTIS_ERROR[ERROR_PROJECT_RECURSIVE_HIERARCHY] = 'That operation would create a loop in the subproject hierarchy.'; $MANTIS_ERROR[ERROR_USER_CHANGE_LAST_ADMIN] = 'You cannot change the access level of the only ADMINISTRATOR in the system.'; $MANTIS_ERROR[ERROR_PAGE_REDIRECTION] = 'Page redirection error, ensure that there are no spaces outside the PHP block (<?php ?>) in config_inc.php or custom_.php files.'; +$MANTIS_ERROR[ERROR_ADS_SERVER_CONNECT_FAILED] = 'ADS Server Connection Failed'; #$s_login_error = 'Your account may be disabled or blocked (due to too many failed login attempts) or the username/password you entered is incorrect.'; $s_login_error = 'Your account may be disabled or blocked or the username/password you entered is incorrect.'; @@ -378,6 +379,7 @@ $s_update_user_button = 'Update User'; $s_verify_warning = 'Your account information has been verified. The account confirmation message you have received is now invalid.'; $s_verify_change_password = 'You must set a password here to allow you to log in again.'; +$s_login_method = 'Authentication method'; # account_prefs_page.php $s_default_account_preferences_title = 'Account Preferences'; Index: lang/strings_german.txt =================================================================== RCS file: /cvsroot/mantisbt/mantisbt/lang/strings_german.txt,v retrieving revision 1.139 diff -u -r1.139 strings_german.txt --- lang/strings_german.txt 20 Feb 2006 09:08:46 -0000 1.139 +++ lang/strings_german.txt 22 Sep 2006 12:24:29 -0000 @@ -260,6 +260,7 @@ $MANTIS_ERROR[ERROR_LOST_PASSWORD_MAX_IN_PROGRESS_ATTEMPTS_REACHED] = 'Max. Anzahl der in Bearbeitung befindlichen Anfragen erreicht. Bitte setzen Sie sich mit Ihrem Systemadministrator in Verbindung.'; $MANTIS_ERROR[ERROR_PROJECT_RECURSIVE_HIERARCHY] = 'Diese Operation w�rde eine Schleife in der Unterprojekthierarchie erzeugen.'; $MANTIS_ERROR[ERROR_USER_CHANGE_LAST_ADMIN] = 'Sie k�nnen die Zugangsrechte des einzigen System-ADMINISTRATORS nicht �ndern.'; +$MANTIS_ERROR[ERROR_ADS_SERVER_CONNECT_FAILED] = 'Verbindung zum ADS Server fehlgeschlagen'; #$s_login_error = 'Your account may be disabled or blocked (due to too many failed login attempts) or the username/password you entered is incorrect.'; $s_login_error = 'Benutzername oder Passwort falsch.'; @@ -379,6 +380,7 @@ $s_update_user_button = 'Benutzer aktualisieren'; $s_verify_warning = 'Ihre Kontoinformationen wurden �berpr�ft. Die von Ihnen erhaltene Konto Best�tigungsmeldung ist jetzt ung�ltig.'; $s_verify_change_password = 'Sie m�ssen hier ein Pa�wort vergeben, um sich wieder anmelden zu k�nnen.'; +$s_login_method = 'Authentifizierungs-Methode'; # account_prefs_page.php $s_default_account_preferences_title = 'Kontoeinstellungen'; mantisbt_ads_v3.patch (28,371 bytes) mantisbt_ads_v4.patch (28,953 bytes) ? core/ads_api.php Index: account_page.php =================================================================== RCS file: /cvsroot/mantisbt/mantisbt/account_page.php,v retrieving revision 1.51 diff -u -r1.51 account_page.php --- account_page.php 17 Jul 2005 21:56:21 -0000 1.51 +++ account_page.php 4 Oct 2006 09:21:19 -0000 @@ -52,7 +52,7 @@ $row = user_get_row( auth_get_current_user_id() ); extract( $row, EXTR_PREFIX_ALL, 'u' ); - $t_ldap = ( LDAP == config_get( 'login_method' ) ); + $t_ldap = ( LDAP == $row['login_method'] ); # In case we're using LDAP to get the email address... this will pull out # that version instead of the one in the DB @@ -72,7 +72,7 @@ <center><div style="color:red; width:75%"> <?php echo lang_get( 'verify_warning' ); - if ( helper_call_custom_function( 'auth_can_change_password', array() ) ) { + if ( helper_call_custom_function( 'auth_can_change_password', array($row['login_method']) ) ) { echo '<br />' . lang_get( 'verify_change_password' ); } ?> @@ -93,7 +93,7 @@ </td> </tr> -<?php if ( !helper_call_custom_function( 'auth_can_change_password', array() ) ) { ?> <!-- With LDAP --> +<?php if ( !helper_call_custom_function( 'auth_can_change_password', array($row['login_method']) ) ) { ?> <!-- With LDAP --> <!-- Username --> <tr class="row-1"> Index: account_update.php =================================================================== RCS file: /cvsroot/mantisbt/mantisbt/account_update.php,v retrieving revision 1.40 diff -u -r1.40 account_update.php --- account_update.php 30 Nov 2004 13:02:57 -0000 1.40 +++ account_update.php 22 Sep 2006 07:53:31 -0000 @@ -68,7 +68,7 @@ } # Update password if the two match and are not empty - if ( !is_blank( $f_password ) ) { + if ( !is_blank( $f_password ) ) { if ( $f_password != $f_password_confirm ) { trigger_error( ERROR_USER_CREATE_PASSWORD_MISMATCH, ERROR ); } else { Index: config_defaults_inc.php =================================================================== RCS file: /cvsroot/mantisbt/mantisbt/config_defaults_inc.php,v retrieving revision 1.314 diff -u -r1.314 config_defaults_inc.php --- config_defaults_inc.php 1 Oct 2006 00:31:42 -0000 1.314 +++ config_defaults_inc.php 5 Oct 2006 09:10:10 -0000 @@ -842,6 +842,16 @@ # The LDAP Protocol Version, if 0, then the protocol version is not set. $g_ldap_protocol_version = 0; + ############################# + # Mantis ADS Settings + ############################# + # --- using MS Active Directory ------------- + $g_ads_server = 'ldap://ads.example.com.au/'; + $g_ads_port = '389'; + $g_ads_domain = 'myDomain'; # ADS domain like 'myDomain' + $g_ads_bind_name = ''; + $g_ads_bind_passwd = ''; + ############################ # Status Settings ############################ @@ -1093,10 +1103,26 @@ # example: $g_set_status_threshold = array( ACKNOWLEDGED => MANAGER, CONFIRMED => DEVELOPER, CLOSED => MANAGER ); $g_set_status_threshold = array(); + # --- login method strings -------- + # Don't change this + $g_login_method_strings[PLAIN] = "Plain"; + $g_login_method_strings[CRYPT] = "Crypt"; + $g_login_method_strings[CRYPT_FULL_SALT] = "Crypt full salt"; + $g_login_method_strings[MD5] = "MD5"; + $g_login_method_strings[LDAP] = "LDAP"; + $g_login_method_strings[BASIC_AUTH] = "Basic Auth"; + $g_login_method_strings[HTTP_AUTH] = "HTTP Auth"; + $g_login_method_strings[ADS] = "Active Directory"; + # --- login method ---------------- - # CRYPT or PLAIN or MD5 or LDAP or BASIC_AUTH + # CRYPT or PLAIN or MD5 or LDAP or BASIC_AUTH or ADS # You can simply change this at will. Mantis will try to figure out how the passwords were encrypted. + # ATTENTION: This might soon be depricated $g_login_method = MD5; + + # Enter here your allowed login methods. This values will be choosable when create new user + # e.g. array(LDAP, ADS, MD5, CRYPT) + $g_login_methods = array(MD5); # --- limit reporters ------------- # Set to ON if you wish to limit reporters to only viewing bugs that they report. @@ -1778,4 +1804,4 @@ # The maximum number of issues to keep in the recently visited list. $g_recently_visited_count = 5; -?> \ No newline at end of file +?> Index: login.php =================================================================== RCS file: /cvsroot/mantisbt/mantisbt/login.php,v retrieving revision 1.36 diff -u -r1.36 login.php --- login.php 7 Aug 2005 16:01:37 -0000 1.36 +++ login.php 4 Oct 2006 09:23:26 -0000 @@ -20,13 +20,15 @@ $f_perm_login = gpc_get_bool( 'perm_login' ); $f_return = gpc_get_string( 'return', config_get( 'default_home_page' ) ); $f_from = gpc_get_string( 'from', '' ); + $f_login_method = user_get_field( user_get_id_by_name($f_username), 'login_method' ); + - if ( BASIC_AUTH == config_get( 'login_method' ) ) { + if ( BASIC_AUTH == $f_login_method ) { $f_username = $_SERVER['REMOTE_USER']; $f_password = $_SERVER['PHP_AUTH_PW']; } - if ( HTTP_AUTH == config_get( 'login_method' ) ) { + if ( HTTP_AUTH == $f_login_method ) { if ( !auth_http_is_logout_pending() ) { if ( isset( $_SERVER['PHP_AUTH_USER'] ) ) @@ -45,7 +47,7 @@ } else { $t_redirect_url = 'login_page.php?return=' . urlencode( $f_return ) . '&error=1'; - if ( HTTP_AUTH == config_get( 'login_method' ) ) { + if ( HTTP_AUTH == $f_login_method ) { auth_http_prompt(); exit; } Index: login_page.php =================================================================== RCS file: /cvsroot/mantisbt/mantisbt/login_page.php,v retrieving revision 1.56 diff -u -r1.56 login_page.php --- login_page.php 24 Jul 2006 01:31:28 -0000 1.56 +++ login_page.php 4 Oct 2006 09:25:48 -0000 @@ -22,23 +22,6 @@ $f_cookie_error = gpc_get_bool( 'cookie_error' ); $f_return = gpc_get_string( 'return', '' ); - # Check for HTTP_AUTH. HTTP_AUTH is handled in login.php - - if ( HTTP_AUTH == config_get( 'login_method' ) ) { - $t_uri = "login.php"; - - if ( !$f_return && ON == config_get( 'allow_anonymous_login' ) ) { - $t_uri = "login_anon.php"; - } - - if ( $f_return ) { - $t_uri .= "?return=" . urlencode( $f_return ); - } - - print_header_redirect( $t_uri ); - exit; - } - html_page_top1(); html_page_top2a(); @@ -127,7 +110,7 @@ # # Warning, if plain passwords are selected - if ( config_get( 'login_method' ) === PLAIN ) { + if ( in_array( PLAIN, $g_login_methods ) ){ echo '<div class="warning" align="center">'; echo '<p><font color="red"><strong>WARNING:</strong> Plain password authentication is used, this will expose your passwords to administrators.</font></p>'; echo '</div>'; @@ -135,7 +118,7 @@ # Generate a warning if administrator/root is valid. $t_admin_user_id = user_get_id_by_name( 'administrator' ); - if ( $t_admin_user_id !== false ) { + if ( $t_admin_user_id !== false ) { if ( user_is_enabled( $t_admin_user_id ) && auth_does_password_match( $t_admin_user_id, 'root' ) ) { echo '<div class="warning" align="center">'; echo '<p><font color="red"><strong>WARNING:</strong> You should disable the default "administrator" account or change its password.</font></p>'; Index: manage_user_create.php =================================================================== RCS file: /cvsroot/mantisbt/mantisbt/manage_user_create.php,v retrieving revision 1.22 diff -u -r1.22 manage_user_create.php --- manage_user_create.php 21 Mar 2005 20:48:55 -0000 1.22 +++ manage_user_create.php 22 Sep 2006 13:01:23 -0000 @@ -22,6 +22,7 @@ $f_password = gpc_get_string( 'password', '' ); $f_password_verify = gpc_get_string( 'password_verify', '' ); $f_email = gpc_get_string( 'email' ); + $f_login_method = gpc_get_string( 'login_method' ); $f_access_level = gpc_get_string( 'access_level' ); $f_protected = gpc_get_bool( 'protected' ); $f_enabled = gpc_get_bool( 'enabled' ); @@ -58,7 +59,7 @@ } } - $t_cookie = user_create( $f_username, $f_password, $f_email, $f_access_level, $f_protected, $f_enabled, $f_realname ); + $t_cookie = user_create( $f_username, $f_password, $f_email, $f_login_method, $f_access_level, $f_protected, $f_enabled, $f_realname ); if ( $t_cookie === false ) { $t_redirect_url = 'manage_user_page.php'; Index: manage_user_create_page.php =================================================================== RCS file: /cvsroot/mantisbt/mantisbt/manage_user_create_page.php,v retrieving revision 1.19 diff -u -r1.19 manage_user_create_page.php --- manage_user_create_page.php 21 Mar 2005 20:48:55 -0000 1.19 +++ manage_user_create_page.php 22 Sep 2006 12:48:19 -0000 @@ -75,6 +75,21 @@ ?> <tr <?php echo helper_alternate_class() ?>> <td class="category"> + <?php echo lang_get( 'login_method' ) ?> + </td> + <td> + <select name="login_method"> + <?php + for ($i=0; $i<sizeof($g_login_methods); $i++) + { + echo "<option value='".$g_login_methods[$i]."'>".$g_login_method_strings[$g_login_methods[$i]]."</option>"; + } + ?> + </select> + </td> +</tr> +<tr <?php echo helper_alternate_class() ?>> + <td class="category"> <?php echo lang_get( 'access_level' ) ?> </td> <td> Index: manage_user_edit_page.php =================================================================== RCS file: /cvsroot/mantisbt/mantisbt/manage_user_edit_page.php,v retrieving revision 1.16 diff -u -r1.16 manage_user_edit_page.php --- manage_user_edit_page.php 26 Mar 2006 10:35:33 -0000 1.16 +++ manage_user_edit_page.php 5 Oct 2006 09:20:46 -0000 @@ -69,6 +69,25 @@ </td> </tr> +<!-- Login Method --> +<tr <?php echo helper_alternate_class() ?>> + <td class="category"> + <?php echo lang_get( 'login_method' ) ?>: + </td> + <td> + <select name="login_method"> + <?php + for ($i=0; $i<sizeof($g_login_methods); $i++) + { + echo "<option value='".$g_login_methods[$i]."'"; + if ( $t_user['login_method'] == $g_login_methods[$i] ) echo " SELECTED"; + echo ">".$g_login_method_strings[$g_login_methods[$i]]."</option>"; + } + ?> + </select> + </td> +</tr> + <!-- Access Level --> <tr <?php echo helper_alternate_class() ?>> <td class="category"> @@ -116,10 +135,12 @@ <!-- RESET AND DELETE --> <div class="border-center"> <!-- Reset Button --> +<?php if ( $t_user['login_method'] != ADS ) { ?> <form method="post" action="manage_user_reset.php"> <input type="hidden" name="user_id" value="<?php echo $t_user['id'] ?>" /> <input type="submit" class="button" value="<?php echo lang_get( 'reset_password_button' ) ?>" /> </form> +<?php } ?> <!-- Delete Button --> <?php if ( !( ( ADMINISTRATOR <= $t_user['access_level'] ) && ( 1 >= user_count_level( ADMINISTRATOR ) ) ) ) { ?> @@ -132,11 +153,13 @@ <br /> <div align="center"> <?php + if ( $t_user['login_method'] != ADS ) { if ( ( ON == config_get( 'send_reset_password' ) ) && ( ON == config_get( 'enable_email_notification' ) ) ) { echo lang_get( 'reset_password_msg' ); } else { echo lang_get( 'reset_password_msg2' ); } + } ?> </div> Index: manage_user_update.php =================================================================== RCS file: /cvsroot/mantisbt/mantisbt/manage_user_update.php,v retrieving revision 1.38 diff -u -r1.38 manage_user_update.php --- manage_user_update.php 26 Mar 2006 10:35:33 -0000 1.38 +++ manage_user_update.php 4 Oct 2006 10:08:55 -0000 @@ -24,6 +24,7 @@ $f_email = gpc_get_string( 'email', '' ); $f_username = gpc_get_string( 'username', '' ); $f_realname = gpc_get_string( 'realname', '' ); + $f_login_method = gpc_get_string( 'login_method', '' ); $f_access_level = gpc_get_int( 'access_level' ); $f_user_id = gpc_get_int( 'user_id' ); @@ -49,6 +50,7 @@ $c_enabled = db_prepare_bool( $f_enabled ); $c_user_id = db_prepare_int( $f_user_id ); $c_access_level = db_prepare_int( $f_access_level ); + $c_login_method = db_prepare_int( $f_login_method ); $t_user_table = config_get( 'mantis_user_table' ); @@ -67,7 +69,7 @@ } # if the user is already protected and the admin is not removing the - # protected flag then don't update the access level and enabled flag. + # protected flag then don't update the access level, login_method and enabled flag. # If the user was unprotected or the protected flag is being turned off # then proceed with a full update. if ( $f_protected && $t_old_protected ) { @@ -77,7 +79,7 @@ WHERE id='$c_user_id'"; } else { $query = "UPDATE $t_user_table - SET username='$c_username', email='$c_email', + SET username='$c_username', email='$c_email', login_method='$c_login_method', access_level='$c_access_level', enabled='$c_enabled', protected='$c_protected', realname='$c_realname' WHERE id='$c_user_id'"; Index: admin/schema.php =================================================================== RCS file: /cvsroot/mantisbt/mantisbt/admin/schema.php,v retrieving revision 1.11 diff -u -r1.11 schema.php --- admin/schema.php 14 Aug 2006 08:32:57 -0000 1.11 +++ admin/schema.php 4 Oct 2006 08:46:28 -0000 @@ -303,7 +303,8 @@ login_count I NOTNULL DEFAULT '0', lost_password_request_count I2 NOTNULL DEFAULT '0', failed_login_count I2 NOTNULL DEFAULT '0', - cookie_string C(64) NOTNULL DEFAULT \" '' \" + cookie_string C(64) NOTNULL DEFAULT \" '' \", + login_method I2 NOTNULL DEFAULT '0' ",Array('mysql' => 'TYPE=MyISAM', 'pgsql' => 'WITHOUT OIDS'))); $upgrade[] = Array('CreateIndexSQL',Array('idx_user_cookie_string',config_get('mantis_user_table'),'cookie_string',Array('UNIQUE'))); $upgrade[] = Array('CreateIndexSQL',Array('idx_user_username',config_get('mantis_user_table'),'username',Array('UNIQUE'))); @@ -325,4 +326,4 @@ body XS NOTNULL ",Array('mysql' => 'TYPE=MyISAM', 'pgsql' => 'WITHOUT OIDS'))); $upgrade[] = Array('CreateIndexSQL',Array('idx_email_id',config_get('mantis_email_table'),'email_id')); -?> \ No newline at end of file +?> Index: core/authentication_api.php =================================================================== RCS file: /cvsroot/mantisbt/mantisbt/core/authentication_api.php,v retrieving revision 1.55 diff -u -r1.55 authentication_api.php --- core/authentication_api.php 23 Apr 2006 12:32:59 -0000 1.55 +++ core/authentication_api.php 4 Oct 2006 09:33:30 -0000 @@ -74,7 +74,7 @@ function auth_attempt_login( $p_username, $p_password, $p_perm_login=false ) { $t_user_id = user_get_id_by_name( $p_username ); - $t_login_method = config_get( 'login_method' ); + $t_login_method = user_get_field($t_user_id, 'login_method'); if ( false === $t_user_id ) { if ( BASIC_AUTH == $t_login_method ) { @@ -118,7 +118,7 @@ if ( !( ( ON == $t_anon_allowed ) && ( $t_anon_account == $p_username) ) ) { # anonymous login didn't work, so check the password - if ( !auth_does_password_match( $t_user_id, $p_password ) ) { + if ( !auth_does_password_match( $t_user_id, $p_password ) ) { user_increment_failed_login_count( $t_user_id ); return false; } @@ -201,22 +201,25 @@ # Return true if the password for the user id given matches the given # password (taking into account the global login method) function auth_does_password_match( $p_user_id, $p_test_password ) { - $t_configured_login_method = config_get( 'login_method' ); - - if ( LDAP == $t_configured_login_method ) { - return ldap_authenticate( $p_user_id, $p_test_password ); - } + $t_user_login_method = user_get_field( $p_user_id, 'login_method' ); + switch ($t_user_login_method) + { + case ADS: return ads_authenticate( $p_user_id, $p_test_password ); break; + case LDAP: return ldap_authenticate( $p_user_id, $p_test_password ); break; + default: break; + } + $t_password = user_get_field( $p_user_id, 'password' ); $t_login_methods = Array(MD5, CRYPT, PLAIN); foreach ( $t_login_methods as $t_login_method ) { # pass the stored password in as the salt - if ( auth_process_plain_password( $p_test_password, $t_password, $t_login_method ) == $t_password ) { + if ( auth_process_plain_password( $p_test_password, $t_login_method, $t_password) == $t_password ) { # Check for migration to another login method and test whether the password was encrypted # with our previously insecure implemention of the CRYPT method - if ( ( $t_login_method != $t_configured_login_method ) \|\| - ( ( CRYPT == $t_configured_login_method ) && substr( $t_password, 0, 2 ) == substr( $p_test_password, 0, 2 ) ) ) { + if ( ( $t_login_method != $t_user_login_method ) \|\| + ( ( CRYPT == $t_user_login_method ) && substr( $t_password, 0, 2 ) == substr( $p_test_password, 0, 2 ) ) ) { user_set_password( $p_user_id, $p_test_password, true ); } @@ -235,13 +238,9 @@ # When encrypting a password to compare to a stored password, the stored # password should be passed in as salt. If the auth method is CRYPT then # crypt() will extract the appropriate portion of the stored password as its salt - function auth_process_plain_password( $p_password, $p_salt=null, $p_method=null ) { - $t_login_method = config_get( 'login_method' ); - if ( $p_method !== null ) { - $t_login_method = $p_method; - } + function auth_process_plain_password( $p_password, $p_login_method, $p_salt=null ) { - switch ( $t_login_method ) { + switch ( $p_login_method ) { case CRYPT: # a null salt is the same as no salt, which causes a salt to be generated # otherwise, use the salt given Index: core/constant_inc.php =================================================================== RCS file: /cvsroot/mantisbt/mantisbt/core/constant_inc.php,v retrieving revision 1.58 diff -u -r1.58 constant_inc.php --- core/constant_inc.php 12 Aug 2006 08:04:13 -0000 1.58 +++ core/constant_inc.php 22 Sep 2006 12:46:27 -0000 @@ -103,8 +103,9 @@ define( 'LDAP', 4 ); define( 'BASIC_AUTH', 5 ); define( 'HTTP_AUTH', 6 ); - - # file upload methods + define( 'ADS', 7 ); + + # file upload methods define( 'DISK', 1 ); define( 'DATABASE', 2 ); define( 'FTP', 3 ); @@ -286,6 +287,9 @@ define( 'ERROR_SIGNUP_NOT_MATCHING_CAPTCHA', 1904 ); define( 'ERROR_LOST_PASSWORD_MAX_IN_PROGRESS_ATTEMPTS_REACHED', 1905 ); + # ERROR_ADS_ + define( 'ERROR_ADS_SERVER_CONNECT_FAILED', 2000 ); + # ERROR_FILTER_NOT_FOUND define( 'ERROR_FILTER_NOT_FOUND', 2000 ); define( 'ERROR_FILTER_TOO_OLD', 2001 ); Index: core/custom_function_api.php =================================================================== RCS file: /cvsroot/mantisbt/mantisbt/core/custom_function_api.php,v retrieving revision 1.27 diff -u -r1.27 custom_function_api.php --- core/custom_function_api.php 18 May 2006 05:53:44 -0000 1.27 +++ core/custom_function_api.php 22 Sep 2006 09:31:40 -0000 @@ -128,9 +128,9 @@ # -------------------- # Hook for authentication # can Mantis update the password - function custom_function_default_auth_can_change_password( ) { + function custom_function_default_auth_can_change_password( $p_login_method ) { $t_can_change = array( PLAIN, CRYPT, CRYPT_FULL_SALT, MD5 ); - if ( in_array( config_get( 'login_method' ), $t_can_change ) ) { + if ( in_array( $p_login_method, $t_can_change ) ) { return true; } else { return false; @@ -347,4 +347,4 @@ # html_api.php. For each button, this function needs to generate the enclosing '<td>' and '</td>'. function custom_function_default_print_bug_view_page_custom_buttons( $p_bug_id ) { } -?> \ No newline at end of file +?> Index: core/ldap_api.php =================================================================== RCS file: /cvsroot/mantisbt/mantisbt/core/ldap_api.php,v retrieving revision 1.19 diff -u -r1.19 ldap_api.php --- core/ldap_api.php 22 Apr 2006 01:52:14 -0000 1.19 +++ core/ldap_api.php 4 Oct 2006 08:26:42 -0000 @@ -153,4 +153,5 @@ # -------------------- # Change the user's password in the LDAP Directory + ?> Index: core/user_api.php =================================================================== RCS file: /cvsroot/mantisbt/mantisbt/core/user_api.php,v retrieving revision 1.107 diff -u -r1.107 user_api.php --- core/user_api.php 29 Oct 2005 09:52:52 -0000 1.107 +++ core/user_api.php 22 Sep 2006 13:01:37 -0000 @@ -13,6 +13,7 @@ require_once( $t_core_dir . 'email_api.php' ); require_once( $t_core_dir . 'ldap_api.php' ); + require_once( $t_core_dir . 'ads_api.php' ); ### User API ### @@ -326,17 +327,18 @@ # -------------------- # Create a user. # returns false if error, the generated cookie string if ok - function user_create( $p_username, $p_password, $p_email='', $p_access_level=null, $p_protected=false, $p_enabled=true, $p_realname='' ) { + function user_create( $p_username, $p_password, $p_email='', $p_login_method=MD5, $p_access_level=null, $p_protected=false, $p_enabled=true, $p_realname='' ) { if ( null === $p_access_level ) { $p_access_level = config_get( 'default_new_account_access_level'); } - $t_password = auth_process_plain_password( $p_password ); + $t_password = auth_process_plain_password( $p_password, 'MD5' ); $c_username = db_prepare_string( $p_username ); $c_realname = db_prepare_string( $p_realname ); $c_password = db_prepare_string( $t_password ); $c_email = db_prepare_string( $p_email ); + $c_login_method = db_prepare_int( $p_login_method ); $c_access_level = db_prepare_int( $p_access_level ); $c_protected = db_prepare_bool( $p_protected ); $c_enabled = db_prepare_bool( $p_enabled ); @@ -352,10 +354,10 @@ $query = "INSERT INTO $t_user_table ( username, email, password, date_created, last_visit, - enabled, access_level, login_count, cookie_string, realname ) + enabled, access_level, login_count, cookie_string, realname, login_method ) VALUES ( '$c_username', '$c_email', '$c_password', " . db_now() . "," . db_now() . ", - $c_enabled, $c_access_level, 0, '$t_cookie_string', '$c_realname')"; + $c_enabled, $c_access_level, 0, '$t_cookie_string', '$c_realname', '$c_login_method')"; db_query( $query ); # Create preferences for the user @@ -1054,12 +1056,13 @@ # Set the user's password to the given string, encoded as appropriate function user_set_password( $p_user_id, $p_password, $p_allow_protected=false ) { $c_user_id = db_prepare_int( $p_user_id ); + $t_user_login_method = user_get_field( $p_user_id, 'login_method' ); if ( !$p_allow_protected ) { user_ensure_unprotected( $p_user_id ); } - $t_password = auth_process_plain_password( $p_password ); + $t_password = auth_process_plain_password( $p_password, $t_user_login_method ); $t_user_table = config_get( 'mantis_user_table' ); $query = "UPDATE $t_user_table SET password='$t_password' @@ -1120,8 +1123,9 @@ if ( ( ON == config_get( 'send_reset_password' ) ) && ( ON == config_get( 'enable_email_notification' ) ) ) { # Create random password $t_email = user_get_field( $p_user_id, 'email' ); + $t_user_login_method = user_get_field ( $p_user_id, 'login_method' ); $t_password = auth_generate_random_password( $t_email ); - $t_password2 = auth_process_plain_password( $t_password ); + $t_password2 = auth_process_plain_password( $t_password, $t_user_login_method ); user_set_field( $p_user_id, 'password', $t_password2 ); @@ -1132,7 +1136,8 @@ } } else { # use blank password, no emailing - $t_password = auth_process_plain_password( '' ); + $t_user_login_method = user_get_field( $p_user_id, 'login_method' ); + $t_password = auth_process_plain_password( '', $t_user_login_method ); user_set_field( $p_user_id, 'password', $t_password ); # reset the failed login count because in this mode there is no emailing user_reset_failed_login_count_to_zero( $p_user_id ); Index: lang/strings_dutch.txt =================================================================== RCS file: /cvsroot/mantisbt/mantisbt/lang/strings_dutch.txt,v retrieving revision 1.108 diff -u -r1.108 strings_dutch.txt --- lang/strings_dutch.txt 25 Sep 2006 05:16:48 -0000 1.108 +++ lang/strings_dutch.txt 5 Oct 2006 09:10:27 -0000 @@ -384,6 +384,7 @@ $s_update_user_button = 'Gebruiker aanpassen'; $s_verify_warning = 'Uw account is gecontroleerd. Het accountbevestigingsbericht dat u heeft ontvangen is niet langer bruikbaar.'; $s_verify_change_password = 'Hier dient een wachtwoord ingegeven te worden om opnieuw te kunnen aanmelden.'; +$s_login_method = 'Aanmeldings-methode'; # account_prefs_page.php $s_default_account_preferences_title = 'Standaard accountinstellingen'; Index: lang/strings_english.txt =================================================================== RCS file: /cvsroot/mantisbt/mantisbt/lang/strings_english.txt,v retrieving revision 1.281 diff -u -r1.281 strings_english.txt --- lang/strings_english.txt 1 Oct 2006 09:04:57 -0000 1.281 +++ lang/strings_english.txt 5 Oct 2006 09:10:28 -0000 @@ -262,6 +262,7 @@ $MANTIS_ERROR[ERROR_PROJECT_RECURSIVE_HIERARCHY] = 'That operation would create a loop in the subproject hierarchy.'; $MANTIS_ERROR[ERROR_USER_CHANGE_LAST_ADMIN] = 'You cannot change the access level of the only ADMINISTRATOR in the system.'; $MANTIS_ERROR[ERROR_PAGE_REDIRECTION] = 'Page redirection error, ensure that there are no spaces outside the PHP block (<?php ?>) in config_inc.php or custom_.php files.'; +$MANTIS_ERROR[ERROR_ADS_SERVER_CONNECT_FAILED] = 'ADS Server Connection Failed'; $s_login_error = 'Your account may be disabled or blocked or the username/password you entered is incorrect.'; $s_login_cookies_disabled = 'Your browser either doesn\'t know how to handle cookies, or refuses to handle them.'; @@ -380,6 +381,7 @@ $s_update_user_button = 'Update User'; $s_verify_warning = 'Your account information has been verified. The account confirmation message you have received is now invalid.'; $s_verify_change_password = 'You must set a password here to allow you to log in again.'; +$s_login_method = 'Authentication method'; # account_prefs_page.php $s_default_account_preferences_title = 'Account Preferences'; Index: lang/strings_german.txt =================================================================== RCS file: /cvsroot/mantisbt/mantisbt/lang/strings_german.txt,v retrieving revision 1.146 diff -u -r1.146 strings_german.txt --- lang/strings_german.txt 25 Sep 2006 11:23:30 -0000 1.146 +++ lang/strings_german.txt 5 Oct 2006 09:10:29 -0000 @@ -266,7 +266,11 @@ $MANTIS_ERROR[ERROR_LOST_PASSWORD_MAX_IN_PROGRESS_ATTEMPTS_REACHED] = 'Max. Anzahl der in Bearbeitung befindlichen Anfragen erreicht. Bitte setzen Sie sich mit Ihrem Systemadministrator in Verbindung.'; $MANTIS_ERROR[ERROR_PROJECT_RECURSIVE_HIERARCHY] = 'Diese Operation w�rde eine Schleife in der Unterprojekthierarchie erzeugen.'; $MANTIS_ERROR[ERROR_USER_CHANGE_LAST_ADMIN] = 'Sie k�nnen die Zugangsrechte des einzigen System-ADMINISTRATORS nicht �ndern.'; +<<<<<<< strings_german.txt +$MANTIS_ERROR[ERROR_ADS_SERVER_CONNECT_FAILED] = 'Verbindung zum ADS Server fehlgeschlagen'; +======= $MANTIS_ERROR[ERROR_PAGE_REDIRECTION] = 'Page redirection error, ensure that there are no spaces outside the PHP block (<?php ?>) in config_inc.php or custom_.php files.'; +>>>>>>> 1.146 $s_login_error = 'Ihr Konto ist deaktiviert oder gesperrt (aufgrund von zu vielen fehlgeschlagenen Anmeldeversuchen) oder der eigegebene Benutzer/Password ist falsch.'; $s_login_cookies_disabled = 'Ihr Web-Browser akzeptiert keine Cookies.'; @@ -385,6 +389,7 @@ $s_update_user_button = 'Benutzer aktualisieren'; $s_verify_warning = 'Ihre Kontoinformationen wurden �berpr�ft. Die von Ihnen erhaltene Konto Best�tigungsmeldung ist jetzt ung�ltig.'; $s_verify_change_password = 'Sie m�ssen hier ein Pa�wort vergeben, um sich wieder anmelden zu k�nnen.'; +$s_login_method = 'Authentifizierungs-Methode'; # account_prefs_page.php $s_default_account_preferences_title = 'Kontoeinstellungen'; mantisbt_ads_v4.patch (28,953 bytes)

hkaufmann 2006-10-04 06:27 reporter ~0013579	Here are my changes: Login-method is changeable now Reset-pw-button not shown anymore if ADS-auth Removed out commended code

roel 2006-10-05 04:56 reporter ~0013583	Applies cleanly on a fresh CVS checkout. After setting the required options in the config file, worked perfectly for me on the first try. One minor nitpick: in manage_user_edit_page.php, the 'magic constant' 7 is used to check if the login method of the user is Active Directory, that should probably be replaced with the defined value 'ADS' for clarity. Furthermore, a couple of lines down (between lines 155 and 161 in today's CVS version), there is a message that says whether the users new password (when reset by the administrator) will be send to that user or be set to blank (depending on the configuration setting). That block should also be surrounded by <?php if ( $t_user['login_method'] != 7 ) { ?> <?php } ?> otherwise there's a message there about the resetting of the password, but no button to actually do it. I didn't supply a patch since it's easier to put in these changes by hand than having to apply yet another patch - but I can, if someone want me to.

hkaufmann 2006-10-05 05:30 reporter ~0013584	I was in a rush yesterday. Sorry! I changed your "nitpick" to the defined constant 'ADS'. Also this message disappears when ADS authentication. Included in version 4 of the patch are all changes I did on this issue. ads_api.php still is up to date.