--- ldapauth.admin.inc Tue Mar 24 10:07:58 2009
+++ ldapauth.admin.inc Tue Apr 21 09:53:26 2009
@@ -18,7 +18,8 @@
 function ldapauth_admin_settings() {
 $options_login_process = array(
 LDAPAUTH_AUTH_MIXED => t('Mixed mode. The LDAP authentication is performed only if Drupal authentication fails'),
- LDAPAUTH_AUTH_EXCLUSIVED => t('LDAP directory only')
+ LDAPAUTH_AUTH_EXCLUSIVED => t('LDAP directory only'),
+ LDAPAUTH_AUTH_HTTP => t('HTTP/NTLM Authentication. Will just do lookups on the username. Authentication will be left to the server.')
 );
 $options_login_conflict = array(
 LDAPAUTH_CONFLICT_LOG => t('Disallow login and log the conflict'),
--- ldapauth.module Mon Mar 30 11:32:52 2009
+++ ldapauth.module Thu Apr 23 12:10:36 2009
@@ -10,6 +10,7 @@
 define('LDAPAUTH_AUTH_MIXED', 0);
 define('LDAPAUTH_AUTH_EXCLUSIVED', 1);
+define('LDAPAUTH_AUTH_HTTP', 2);
 define('LDAPAUTH_CONFLICT_LOG', 0);
 define('LDAPAUTH_CONFLICT_RESOLVE', 1);
 define('LDAPAUTH_EMAIL_FIELD_NO', 0);
@@ -34,7 +35,43 @@
 * Implements hook_init().
 */
 function ldapauth_init() {
+ global $user;
 require_once(drupal_get_path('module', 'ldapauth') .'/includes/LDAPInterface.inc');
+
+ if (LDAPAUTH_LOGIN_PROCESS == LDAPAUTH_AUTH_HTTP && (!isset($user) || $user->uid == 0)) {
+ $authname = '';
+ // Make sure we get the remote user whichever way it is available.
+ if (isset($_SERVER['REDIRECT_REMOTE_USER'])) {
+ $authname = $_SERVER['REDIRECT_REMOTE_USER'];
+ }
+ elseif (isset($_SERVER['REMOTE_USER'])) {
+ $authname = $_SERVER['REMOTE_USER'];
+ }
+
+ $authname = trim($authname);
+ // Pretty up the username from NTLM authentication (i.e. Windows)
+ // Get 'bar' from 'foo1\foo2\bar'
+ $authname = array_pop(explode("\\", $authname));
+ // Get 'foo' from 'foo@bar'
+ $authname = array_shift(explode('@', $authname));
+
+ // Perform some cleanup so plaintext passwords aren't available under
+ // mod_auth_kerb.
+ unset($_SERVER['PHP_AUTH_USER'], $_SERVER['PHP_AUTH_PW']);
+
+ // Retrieve user credentials
+ $result = db_query("SELECT uid FROM {authmap} WHERE authname = '%s' AND module = 'ldapauth'", $authname);
+ $expected = db_fetch_array($result);
+ if (isset($user) && $user->uid === $expected['uid']) {
+ // Do nothing: user is already logged into Drupal with session data matching
+ // HTTP authentication.
+ }
+ else {
+ $login['name'] = $authname;
+ $login['pass'] = 'password';
+ ldapauth_authenticate($login);
+ }
+ }
 }
 /**
@@ -147,7 +184,7 @@
 // If authentication is being done in "LDAP only" mode, passwords
 // should not be written to the database, or users would be able
 // to log in even after removing their LDAP entry.
- if (isset($account->ldap_authentified) && (LDAPAUTH_LOGIN_PROCESS == LDAPAUTH_AUTH_EXCLUSIVED || !LDAPAUTH_SYNC_PASSWORDS))
+ if (isset($account->ldap_authentified) && (LDAPAUTH_LOGIN_PROCESS == LDAPAUTH_AUTH_EXCLUSIVED || !LDAPAUTH_SYNC_PASSWORDS || LDAPAUTH_LOGIN_PROCESS == LDAPAUTH_AUTH_HTTP))
 $edit['pass'] = NULL;
 }
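Review bot: Nothing stops an empty `$authname` from reaching `ldapauth_authenticate()` in the new block of `ldapauth_init()`: when neither `REDIRECT_REMOTE_USER` nor `REMOTE_USER` is set (a path the web server does not protect, or a misconfigured vhost), the code still runs the authmap query and the LDAP lookup with `name => ''` on every anonymous request, so an early `if ($authname === '') { return; }` belongs right after the trim/explode cleanup. Two smaller defects sit in the same lines: `array_pop(explode(...))` and `array_shift(explode(...))` pass a temporary by reference and raise an "Only variables should be passed by reference" notice, and `$user->uid === $expected['uid']` compares an int with the string (or `FALSE`) that `db_fetch_array()` returns, so the "already logged in" branch can never be taken. The placeholder `'password'` is only harmless because the user bind is skipped in HTTP mode by the hunk at `@@ -391,9 +428,11 @@`, which deserves a comment on the `$login['pass']` line. The rewrite below addresses these points.
```php
    $authname = trim($authname);
    // Pretty up the username from NTLM authentication (i.e. Windows):
    // 'foo1\foo2\bar' -> 'bar', then 'foo@bar' -> 'foo'. explode() is assigned
    // first because array_pop()/array_shift() take their argument by reference.
    $parts = explode("\\", $authname);
    $authname = array_pop($parts);
    $parts = explode('@', $authname);
    $authname = array_shift($parts);

    // No identity asserted by the web server: nothing to look up, and an empty
    // name must never be handed to the LDAP lookup.
    if ($authname === '') {
      return;
    }

    // … unchanged: PHP_AUTH_USER / PHP_AUTH_PW cleanup …

    $result = db_query("SELECT uid FROM {authmap} WHERE authname = '%s' AND module = 'ldapauth'", $authname);
    $expected = db_fetch_array($result);
    // db_fetch_array() returns strings (or FALSE); compare as integers.
    if ($expected && isset($user) && (int) $user->uid === (int) $expected['uid']) {
      // … unchanged: already logged in, nothing to do …
    }
    else {
      $login['name'] = $authname;
      // Placeholder only: in HTTP mode the user bind in the LDAP lookup is
      // skipped, so this value is not used to authenticate against the directory.
      $login['pass'] = 'password';
      ldapauth_authenticate($login);
    }
```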
@@ -391,9 +428,11 @@
 if (($code = _ldapauth_ldap_info($row->sid, 'filter_php')) && !eval($code))
 continue;
+ if (LDAPAUTH_LOGIN_PROCESS != LDAPAUTH_AUTH_HTTP) {
 // Try to authenticate.
 if (!$_ldapauth_ldap->connect($ldap['dn'], $pass))
 continue;
+ }
 return $ldap['dn'];
 }
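Review bot: The new `if (LDAPAUTH_LOGIN_PROCESS != LDAPAUTH_AUTH_HTTP)` disables the user bind for every caller of this lookup based on a site-wide constant, so in HTTP mode the DN is returned for any name the web server asserts and `$pass` is never checked; that is the intended design here, but it should be stated at the new `if` with a comment such as `// HTTP mode: the web server has already authenticated the user and $pass is a placeholder, so no bind is attempted and the DN is returned on name match alone.` If any other path relies on this function to verify a password (its callers are outside this hunk, so this is inferred), it would need an explicit parameter rather than reading the global mode. Style: the wrapped `// Try to authenticate.`, `connect()` and `continue;` lines keep their previous indentation inside the new block and should be indented one level. The enclosing function starts before this hunk.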