Index: cas.module
===================================================================
--- cas.module	(revision 235)
+++ cas.module	(revision 242)
@@ -73,7 +73,9 @@
          $cas_roles[$key] = $key;
        }
      }
-//     phpCAS::setDebug();
+     if ( ($debugFile = variable_get("cas_debugfile","")) != "" ) {
+       phpCAS::setDebug($debugFile);
+     }
      $server_version   = (string)variable_get('cas_version', '2.0');
      $server_cas_server  = (string)variable_get('cas_server', 'sso-cas.univ-rennes1.fr');
      $server_port      = (int)variable_get('cas_port', '443');
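Review bot: The path handed to `phpCAS::setDebug($debugFile)` is taken straight from the `cas_debugfile` variable, with no check on where it points. phpCAS debug traces generally record ticket values and request details, so a file under the document root or readable by other local accounts would expose them. It would help to validate in the settings form that the path lies outside the web root, and to add a comment here such as `// debug log can contain CAS tickets: keep it outside the web root and leave it empty in production`. The enclosing function starts and ends outside this hunk.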
@@ -83,7 +85,17 @@
      $cas_cert        =  (string)variable_get('cas_cert',''); 
      $start_session    = (boolean)FALSE; // Drupal takes care of its own session
      cas_save_page();
-     phpCAS::client($server_version, $server_cas_server, $server_port, $server_uri, $start_session);
+     if ( variable_get("cas_proxy",0) ) {
+       phpCAS::proxy($server_version, $server_cas_server, $server_port, $server_uri, $start_session);
+     }
+     else {
+       phpCAS::client($server_version, $server_cas_server, $server_port, $server_uri, $start_session);
+     }
+     $casPGTFormat = variable_get("cas_pgtformat", "plain");
+     $casPGTStoragePath = variable_get("cas_pgtpath","");
+     if ( $casPGTStoragePath != "" ) {
+       phpCAS::setPGTStorageFile($casPGTFormat, $casPGTStoragePath);
+     }
      // force CAS authentication
      
      // Determine if CA option is set.  This is only avialable in version 0.6 or greater, so we need to test
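Review bot: `phpCAS::setPGTStorageFile()` runs whenever `cas_pgtpath` is non-empty, including when the `phpCAS::client()` branch was taken. As far as I know phpCAS expects PGT storage to be configured only after `phpCAS::proxy()`, so a leftover path with the proxy box unchecked may raise a phpCAS error. Gating it on the same setting avoids that: `if ( variable_get("cas_proxy",0) && $casPGTStoragePath != "" ) {`. The proxy-granting tickets written there are credentials, so the directory should be outside the web root and readable only by the web-server account; the library default used when the path is empty is not visible here. The enclosing function starts and ends outside this hunk.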
@@ -177,16 +189,19 @@
       ** LDAPAuth interfacing - BEGIN
       */
 
-      if (variable_get('cas_useldap_groups',''))
-      {
-        if ($ldap_config_name = _get_ldap_config_name($user->name))
-        {
-          _ldapauth_init($ldap_config_name);
-          include_once('modules/ldap_integration/ldapgroups.module');
-          $user->ldap_authentified = true;
-          ldapgroups_user_login($user);
-        }
-      }
+      // syncing ldap groups is now done in cas_user()
+      // this code can be removed
+      //
+      //      if (variable_get('cas_useldap_groups',''))
+      //      {
+      //        if ($ldap_config_name = _get_ldap_config_name($user->name))
+      //        {
+      //          _ldapauth_init($ldap_config_name);
+      //          include_once('modules/ldap_integration/ldapgroups.module');
+      //          $user->ldap_authentified = true;
+      //          ldapgroups_user_login($user);
+      //        }
+      //      }
 
       /*
       ** LDAPAuth interfacing - END
@@ -333,9 +348,39 @@
       '#default_value' => variable_get('cas_cert', ''),
       '#size' => 30, '#description' => 'With client version 0.6 or greater this is the certificate for validating cas or the cas CA as appropriate.',
       );
-  
- 
-  
+
+  $form['server']['cas_proxy'] = array(
+      '#type' => 'checkbox',
+      '#title' => t('Initialize CAS as proxy'),
+      '#default_value' => variable_get('cas_proxy', 0),
+      '#description' => t('When using a proxy it is required to set the option "Require CAS login for:" to "specific pages" with "node/*" as a specific page or "all pages except specific pages" on the "Redirection settings".')
+      );
+      
+  $form['server']['cas_pgtformat'] = array(
+      '#type' => 'radios',
+      '#title' => t('CAS PGT storage file format'),
+      '#default_value' => variable_get('cas_pgtformat', 'plain'),
+      '#options' => array('plain' => 'Plain Text', 'xml' => 'XML'),
+      );
+      
+  $form['server']['cas_pgtpath'] = array(
+      '#type' => 'textfield',
+      '#title' => t('CAS PGT storage path'),
+      '#default_value' => variable_get('cas_pgtpath', ''),
+      '#size' => 30,
+      '#description' => "Only needed if 'Use CAS proxy initializer' is configured. Leave empty for default.",
+      );
+      
+  $form['server']['cas_debugfile'] = array(
+      '#type' => 'textfield',
+      '#title' => t('CAS debugging output filename'),
+      '#default_value' => variable_get('cas_debugfile', ''),
+      '#size' => 30,
+      '#description' => "Leave empty if you don't want debugging output.",
+      );
+
+
+
   $form['account'] = array(
       '#type' => 'fieldset',
       '#title' => t('User account settings'),
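Review bot: The `cas_pgtpath` description refers to 'Use CAS proxy initializer', but the checkbox added just above is titled 'Initialize CAS as proxy', so an administrator cannot match the two. The `#description` strings of `cas_pgtpath` and `cas_debugfile`, and the `#options` labels of `cas_pgtformat`, are also not passed through `t()` like the other new fields. Suggested: `'#description' => t('Only needed if "Initialize CAS as proxy" is checked. Leave empty for default.'),`. Both text fields take filesystem paths for sensitive files (proxy-granting tickets, debug traces), so the descriptions should say the location must be outside the web root. The form builder function starts and ends outside this hunk.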
@@ -507,7 +552,14 @@
      '#maxlength' => 55,
      '#description' => t('LDAP entry attribute containing the email address.'),
      );
-  
+
+  $form['ldap']['cas_useldap_data'] = array(
+     '#type' => 'checkbox',
+     '#title' => t('Should we extract user data from an LDAP directory?'),
+     '#default_value' => variable_get('cas_useldap_data', 0),
+     '#description' => t('Activate this option if you want to extract the user data from an LDAP directory. <strong>Ldapdata module must be enabled and configured</strong>.'),
+     );
+     
   $form['ldap']['cas_useldap_groups'] = array(
      '#type' => 'checkbox',
      '#title' => t('Should we extract user groups from an LDAP directory?'),
@@ -757,11 +809,11 @@
 {
   include_once('modules/ldap_integration/ldapauth.module');
   $user_found = false;
-  $result = db_query("SELECT name FROM {ldapauth} WHERE status = '%d' ORDER BY sid", 1);
+  $result = db_query("SELECT name, sid FROM {ldapauth} WHERE status = '%d' ORDER BY sid", 1);
   while ($row = db_fetch_object($result)) {
     // cycle thru the authentication schemes - first successful one wins
     // instantiate ldap
-    _ldapauth_init($row->name);
+    _ldapauth_init($row->sid);
     $ldap_user_entry = _ldapauth_user_lookup($user_name);
     if ($ldap_user_entry)
     {
@@ -775,6 +827,102 @@
     return false;
 }
 
+/**
+ * Updates the user with some ldap specific attributes:
+ * - $user->ldap_config contains the sid of the ldap server
+ * - $user->ldap_dn contains the DN used to search for the user   
+ */
+function _cas_update_user_ldap_config(&$user)
+{
+  $result = db_query("SELECT name, sid FROM {ldapauth} WHERE status = '%d' ORDER BY sid", 1);
+  while ($row = db_fetch_object($result)) {
+    // cycle thru the authentication schemes - first successful one wins
+    // instantiate ldap
+    _ldapauth_init($row->sid);
+    $ldap_user_entry = _ldapauth_user_lookup($user->name);
+    if ($ldap_user_entry)
+    {
+      $user->ldap_config = $row->sid;
+      $user->ldap_dn = $ldap_user_entry['dn'];
+      break;
+    }
+  }
+}
+
+/**
+ * Implements hook_user.
+ */
+function cas_user($op, &$edit, &$account, $category = NULL)
+{
+  switch ($op) {
+    case 'login':
+      _cas_user_login($account);
+      break;
+  }
+}
+
+/**
+ * Updates the users ldap data and groups on login.
+ */
+function _cas_user_login(&$user)
+{
+  $authmap = user_get_authmaps($user->name);
+  if (!isset($authmap['cas'])) {
+    return;
+  }
+  
+  if ( module_exists("ldapauth") ) {
+    // call init hook to execute neccessary includes and requires
+    ldapauth_init();
+  }
+  else {
+    // ldapauth module not installed or activated
+    return;
+  }
+
+  $ldapdata_sync = module_exists("ldapdata") && variable_get('cas_useldap_data','');
+  $ldapgroups_sync = module_exists("ldapgroups") && variable_get('cas_useldap_groups','');
+
+  if ( !$ldapdata_sync && !$ldapgroups_sync ) {
+    return;
+  }
+  
+  // Pretend that the user was authenticated by ldap_auth.
+  // Otherwise calls to the ldap modules will return without any effect.
+  user_set_authmaps($user, array(
+    "authname_cas" => null, // delete cas entry first, because there is a unique key on authname in authmap.
+  	"authname_ldapauth" => $user->name));
+
+  _cas_update_user_ldap_config($user);
+  
+  if ( $ldapdata_sync ) {
+    // call init hook otherwise additional config ldapdata.conf.php will not be loaded
+    ldapdata_init();
+    module_invoke("ldapdata", "user", "load", null, $user);
+    
+    // explicitly save the mail and signature because ldapdata does not do that 
+    // (see bug report http://drupal.org/node/259180)
+    // there is no problem with syncing the attributes from the Profile module
+    $userFields = array(
+    	'mail' => $user->mail,
+    	'signature' => $user->signature
+    );
+    error_log( "cas.module: userFields=" . print_r( $userFields, true ) );
+    user_save($user, $userFields);
+  }
+
+  if ( $ldapgroups_sync ) {
+    // call init hook (see above)
+    ldapgroups_init();
+    module_invoke("ldapgroups", "user_login", $user);
+  }
+
+  // reset the authmap to cas authentication
+  user_set_authmaps($user, array(
+    "authname_ldapauth" => null,
+  	"authname_cas" => $user->name));
+}
+
 /*
 ** LDAPAuth interfacing - END
 */
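Review bot: In `_cas_user_login` the account's `cas` authmap entry is deleted before the LDAP sync and restored only by the final `user_set_authmaps` call. If a fatal error or early exit occurs inside the `ldapdata` or `ldapgroups` hooks in between, the user would be left mapped to `ldapauth` only. At minimum the swap deserves a comment such as `// authmap is temporarily switched to ldapauth; every exit path below must restore the cas entry`. The sync should also be skipped when `_cas_update_user_ldap_config` finds no LDAP entry for the user. Separately, `error_log( "cas.module: userFields=" . print_r( $userFields, true ) );` writes each user's mail and signature to the server log on every login and looks like leftover debugging; remove it or gate it behind the debug setting.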
