diff -ru ../orig/lib/userslib.php ./lib/userslib.php
--- ../orig/lib/userslib.php 2004-04-17 03:51:00.000000000 +0200
+++ ./lib/userslib.php 2004-04-17 18:29:25.000000000 +0200
@@ -222,6 +222,11 @@
 $userAuth = false;
 $userAuthPresent = false;
+ // see if we are to use PAM
+ $auth_pam = ($tikilib->get_preference("auth_method", "tiki") == "pam");
+ $pam_create_tiki = ($tikilib->get_preference("pam_create_user_tiki", "n") == "y");
+ $pam_skip_admin = ($tikilib->get_preference("pam_skip_admin", "n") == "y");
+ // see if we are to use PEAR::Auth
 $auth_pear = ($tikilib->get_preference("auth_method", "tiki") == "auth");
 $create_tiki = ($tikilib->get_preference("auth_create_user_tiki", "n") == "y");
@@ -245,7 +250,7 @@
 }
 // if we aren't using LDAP this will be quick
- if (!$auth_pear || ($auth_pear && $user == "admin" && $skip_admin)) {
+ if ((!$auth_pear && !$auth_pam) || ((($auth_pear && $skip_admin) || ($auth_pam && $pam_skip_admin)) && $user == "admin")) {
 // if the user verified ok, log them in
 if ($userTiki) return $this->update_lastlogin($user);
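Review bot: The rewritten admin-bypass condition in the `@@ -245,7 +250,7 @@` hunk is hard to read at a glance, which matters for the one line that decides when the external authenticator is skipped entirely; name the intent first, e.g. `$skip_external_for_admin = (($auth_pear && $skip_admin) || ($auth_pam && $pam_skip_admin)) && $user == "admin";` and then `if ((!$auth_pear && !$auth_pam) || $skip_external_for_admin) {`. The logic itself appears equivalent to the old PEAR-only test extended to PAM. The enclosing function starts and ends outside the hunk.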
@@ -257,6 +262,58 @@
 else return false;
 }
+ // next see if we need to check PAM
+ elseif ($auth_pam) {
+ $result = $this->validate_user_pam($user, $pass);
+ switch ($result) {
+ case USER_VALID:
+ $userPAM = true;
+
+ break;
+ case PASSWORD_INCORRECT:
+ $userPAM = false;
+
+ break;
+ }
+
+ // start off easy
+ // if the user verified in Tiki and PAM, log in
+ if ($userPAM && $userTiki) {
+ return $this->update_lastlogin($user);
+ }
+ // if the user wasn't found in either system, just fail
+ elseif (!$userTikiPresent && !$userPAM) {
+ return false;
+ }
+ // if the user was logged into PAM but not found in Tiki
+ elseif ($userPAM && !$userTikiPresent) {
+ // see if we can create a new account
+ if ($pam_create_tiki) {
+ // need to make this better! *********************************************************
+ $result = $this->add_user($user, $pass, '');
+
+ // if it worked ok, just log in
+ if ($result == USER_VALID)
+ // before we log in, update the login counter
+ return $this->update_lastlogin($user);
+ // if the server didn't work, do something!
+ elseif ($result == SERVER_ERROR) {
+ // check the notification status for this type of error
+ return false;
+ }
+ // otherwise don't log in.
+ else
+ return false;
+ }
+ // otherwise
+ else
+ // just say no!
+ return false;
+ }
+ // if the user was logged into PAM and found in Tiki (no password in Tiki user table necessary)
+ elseif ($userPAM && $userTikiPresent)
+ return $this->update_lastlogin($user);
+ }
 // next see if we need to check LDAP
 else {
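Review bot: `switch ($result)` has no `default`, so when `validate_user_pam()` returns `SERVER_ERROR` `$userPAM` is never assigned; it then reads as null, and for a user who does exist in Tiki (`$userTikiPresent` true) none of the four branches matches, so the `elseif ($auth_pam)` block falls through to whatever code follows the hunk instead of denying the login. Add `default: return false;` to the switch (or a trailing `return false;` after the last `elseif`) so a helper failure is a hard deny rather than an undefined-variable notice. Separately, `$this->add_user($user, $pass, '')` copies the PAM password into the Tiki user table even though the last branch notes that no Tiki password is needed; consider creating the local account with an empty or random password so the external credential is not persisted locally. The enclosing function starts and ends outside the hunk.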
@@ -345,6 +402,32 @@
 return false;
 }
+ // validate the user through PAM
+ function validate_user_pam($user, $pass) {
+ global $tikilib;
+
+ // just make sure we're supposed to be here
+ if ($tikilib->get_preference("auth_method", "tiki") != "pam")
+ return false;
+
+ // get all of the PAM options from the database
+ $pam_service = $tikilib->get_preference("pam_service", "tikiwiki");
+ $pam_authpam_path = $tikilib->get_preference("pam_authpam_path", "/usr/bin/auth_pam.pl");
+ system("$pam_authpam_path $user $pass $pam_service", $retval);
+
+ // NOTE that we don't know why pam returned an error (at least now)
+ // so we return PASSWORD_INCORRECT anyway it was invalid user, not found , or wrong password !!!!!
+ if ($retval == 1)
+ return PASSWORD_INCORRECT;
+ elseif($retval == 0) {
+ return USER_VALID;
+ }
+ else {
+ return SERVER_ERROR;
+ }
+ }
+
+ // validate the user in the PEAR::Auth system
 function validate_user_auth($user, $pass) {
 global $tikilib;
@@ -558,7 +641,7 @@
 function get_users_names($offset = 0, $maxRecords = -1, $sort_mode = 'login_desc', $find = '') {
- // Return an array of users indicating name, email, last changed pages, versions, lastLogin
+ // Return an array of users indicating name, email, last changed pages, versions, lastLogin
 if ($find) {
 $findesc = '%' . $find . '%';
 $mid = " where `login` like ?";
@@ -582,7 +665,7 @@
 function get_users($offset = 0, $maxRecords = -1, $sort_mode = 'login_desc', $find = '') {
 $sort_mode = $this->convert_sortmode($sort_mode);
- // Return an array of users indicating name, email, last changed pages, versions, lastLogin
+ // Return an array of users indicating name, email, last changed pages, versions, lastLogin
 if ($find) {
 $mid = " where `login` like ?";
 $bindvars = array('%'.$find.'%');
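Review bot: `system("$pam_authpam_path $user $pass $pam_service", $retval)` in the new `validate_user_pam()` builds a shell command from the login-form username and password with no escaping, so anyone who can reach the login page controls part of the shell line; every argument must go through `escapeshellarg()`, i.e. `system(escapeshellarg($pam_authpam_path) . ' ' . escapeshellarg($user) . ' ' . escapeshellarg($pass) . ' ' . escapeshellarg($pam_service), $retval);`. Even escaped, the password travels as a command-line argument and is visible to other local users in the process list while the helper runs; if `auth_pam.pl` can read credentials from stdin (its interface is not shown here), `proc_open()` with a write pipe would be the safer call. `system()` also echoes the helper's stdout into the HTTP response, so `exec()` or `proc_open()` with the output discarded is preferable. The `$retval` mapping is fine but deserves a short docblock stating the helper's exit-code contract (0 valid, 1 rejected, anything else treated as `SERVER_ERROR`).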
@@ -651,7 +734,7 @@
 function get_groups($offset = 0, $maxRecords = -1, $sort_mode = 'groupName_desc', $find = '') {
 $sort_mode = $this->convert_sortmode($sort_mode);
- // Return an array of users indicating name, email, last changed pages, versions, lastLogin
+ // Return an array of users indicating name, email, last changed pages, versions, lastLogin
 if ($find) {
 $mid = " where `groupName` like ?";
 $bindvars[] = "%" . $find . "%";
@@ -797,9 +880,9 @@
 function change_permission_level($perm, $level) {
 global $cachelib;
-
+
 $cachelib->invalidate("allperms");
-
+
 $query = "update `users_permissions` set `level` = ? where `permName` = ?";
 $this->query($query, array($level, $perm));
@@ -820,7 +903,7 @@
 function remove_level_permissions($group, $level) {
 global $cachelib;
-
+
 $cachelib->invalidate("allperms");
 $query = "select `permName` from `users_permissions` where `level` = ?";
@@ -835,7 +918,7 @@
 function create_dummy_level($level) {
 global $cachelib;
-
+
 $cachelib->invalidate("allperms");
 $query = "delete from `users_permissions` where `permName` = ?";
@@ -944,7 +1027,7 @@
 function assign_permission_to_group($perm, $group) {
 global $cachelib;
-
+
 $cachelib->invalidate("allperms");
 $query = "delete from `users_grouppermissions` where `groupName` = ?
@@ -980,7 +1063,7 @@
 if ($user == 'admin') return true;
- // Get user_groups ?
+ // Get user_groups ?
 $groups = $this->get_user_groups($user);
 foreach ($groups as $group) {
@@ -1009,7 +1092,7 @@
 function remove_permission_from_group($perm, $group) {
 global $cachelib;
-
+
 $cachelib->invalidate("allperms");
 $query = "delete from `users_grouppermissions` where `permName` = ?
@@ -1029,7 +1112,7 @@
 }
 function assign_user_to_group($user, $group) {
-
+
 $userid = $this->get_user_id($user);
 $query = "insert into `users_usergroups`(`userId`,`groupName`) values(?,?)";
@@ -1204,7 +1287,7 @@
 }
 function add_group($group, $desc, $home) {
-
+
 if ($this->group_exists($group)) return false;
@@ -1306,7 +1389,7 @@
 // damian aka damosoft
 function count_users($group) {
 static $rv = array();
-
+
 if (!isset($rv[$group])) {
 if ($group == '') {
 $query = "select count(login) from `users_users`";
@@ -1317,7 +1400,7 @@
 }
 $rv[$group] = $result;
 }
-
+
 return $rv[$group];
 }
diff -ru ../orig/templates/tiki-admin-include-login.tpl ./templates/tiki-admin-include-login.tpl
--- ../orig/templates/tiki-admin-include-login.tpl 2004-04-17 03:51:00.000000000 +0200
+++ ./templates/tiki-admin-include-login.tpl 2004-04-17 03:51:48.000000000 +0200
@@ -9,6 +9,7 @@
 <option value="tiki" {if $auth_method eq 'tiki'} selected="selected"{/if}>{tr}Just Tiki{/tr}</option>
 <option value="ws" {if $auth_method eq 'ws'} selected="selected"{/if}>{tr}Web Server{/tr}</option>
 <option value="auth" {if $auth_method eq 'auth'} selected="selected"{/if}>{tr}Tiki and PEAR::Auth{/tr}</option>
+<option value="pam" {if $auth_method eq 'pam'} selected="selected"{/if}>{tr}Tiki and PAM{/tr}</option>
 <!--option value="http" {if $auth_method eq 'http'} selected="selected"{/if}>{tr}Tiki and HTTP Auth{/tr}</option-->
 </select></td></tr>
 <!--<tr><td class="form">{tr}Use WebServer authentication for Tiki{/tr}:</td><td><input type="checkbox" name="webserverauth" {if $webserverauth eq 'y'}checked="checked"{/if}/></td></tr>-->
@@ -107,3 +108,19 @@
 </div>
 </div>
+<div class="cbox">
+<div class="cbox-title">{tr}PAM{/tr}</div>
+<div class="cbox-data">
+<div class="simplebox">
+<form action="tiki-admin.php?page=login" method="post">
+<table class="admin">
+<tr><td class="form">{tr}Create user if not in Tiki?{/tr}</td><td><input type="checkbox" name="pam_create_user_tiki" {if $pam_create_user_tiki eq 'y'}checked="checked"{/if} /></td></tr>
+<tr><td class="form">{tr}Just use Tiki auth for admin?{/tr}</td><td><input type="checkbox" name="pam_skip_admin" {if $pam_skip_admin eq 'y'}checked="checked"{/if} /></td></tr>
+<tr><td class="form">{tr}PAM service{/tr}:</td><td><input type="text" name="pam_service" value="{$pam_service|escape}" /></td></tr>
+<tr><td class="form">{tr}Full path to authpam.pl{/tr}:</td><td><input type="text" name="pam_authpam_path" value="{$pam_authpam_path|escape}" /></td></tr>
+<tr><td colspan="2" class="button"><input type="submit" name="auth_pam" value="{tr}Change preferences{/tr}" /></td></tr>
+</table>
+</form>
+</div>
+</div>
+</div>
diff -ru ../orig/tiki-admin_include_login.php ./tiki-admin_include_login.php
--- ../orig/tiki-admin_include_login.php 2004-04-17 03:51:00.000000000 +0200
+++ ./tiki-admin_include_login.php 2004-04-17 03:51:30.000000000 +0200
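Review bot: The label `{tr}Full path to authpam.pl{/tr}` names the helper differently from the default path the userslib.php hunk uses (`/usr/bin/auth_pam.pl`), so an admin reading the form will look for the wrong file; use `{tr}Full path to auth_pam.pl{/tr}`. Since this is a translation key, the language files need the same spelling.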
@@ -346,6 +346,38 @@
 }
 }
+if (isset($_REQUEST["auth_pam"])) {
+ check_ticket('admin-inc-login');
+ if (isset($_REQUEST["pam_create_user_tiki"]) && $_REQUEST["pam_create_user_tiki"] == "on") {
+ $tikilib->set_preference("pam_create_user_tiki", 'y');
+
+ $smarty->assign("pam_create_user_tiki", 'y');
+ } else {
+ $tikilib->set_preference("pam_create_user_tiki", 'n');
+
+ $smarty->assign("pam_create_user_tiki", 'n');
+ }
+ if (isset($_REQUEST["pam_skip_admin"]) && $_REQUEST["pam_skip_admin"] == "on") {
+ $tikilib->set_preference("pam_skip_admin", 'y');
+
+ $smarty->assign("pam_skip_admin", 'y');
+ } else {
+ $tikilib->set_preference("pam_skip_admin", 'n');
+
+ $smarty->assign("pam_skip_admin", 'n');
+ }
+ if (isset($_REQUEST["pam_service"])) {
+ $tikilib->set_preference("pam_service", $_REQUEST["pam_service"]);
+
+ $smarty->assign('pam_service', $_REQUEST["pam_service"]);
+ }
+ if (isset($_REQUEST["pam_authpam_path"])) {
+ $tikilib->set_preference("pam_authpam_path", $_REQUEST["pam_authpam_path"]);
+
+ $smarty->assign('pam_authpam_path', $_REQUEST["pam_authpam_path"]);
+ }
+}
+
 $smarty->assign("rememberme", $tikilib->get_preference("rememberme", "disabled"));
 $smarty->assign("remembertime", $tikilib->get_preference("remembertime", 7200));
 $smarty->assign("allowRegister", $tikilib->get_preference("allowRegister", 'n'));
S�lo en .: tikiwiki_authpam.diff
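Review bot: `pam_service` and `pam_authpam_path` are stored straight from `$_REQUEST` with no validation, and the userslib.php hunk later interpolates both into a `system()` call, so the preference table becomes a place to keep an arbitrary shell command; even though this handler is admin-only and goes through `check_ticket()`, accept only an existing executable for the path and a plain token for the service name, as below. The handler also reads `$_REQUEST` although the template submits the form with `method="post"`, so the same preference change can be triggered by a crafted GET link; reading `$_POST` narrows that, though the surrounding handlers appear to use `$_REQUEST` as well, so this may be a file-wide convention to fix together. Rejected values are silently dropped in the version below; a `$smarty->assign()` of an error message would tell the admin why the field did not stick.
```php
// … unchanged: pam_create_user_tiki and pam_skip_admin checkbox handling …
if (isset($_REQUEST["pam_service"])) {
    // PAM service names are plain tokens; refuse anything else rather than storing it
    if (preg_match('/^[A-Za-z0-9_.-]+$/', $_REQUEST["pam_service"])) {
        $tikilib->set_preference("pam_service", $_REQUEST["pam_service"]);
        $smarty->assign('pam_service', $_REQUEST["pam_service"]);
    }
}
if (isset($_REQUEST["pam_authpam_path"])) {
    // userslib.php runs this path with system(); only accept an existing executable
    if (is_executable($_REQUEST["pam_authpam_path"])) {
        $tikilib->set_preference("pam_authpam_path", $_REQUEST["pam_authpam_path"]);
        $smarty->assign('pam_authpam_path', $_REQUEST["pam_authpam_path"]);
    }
}
```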