DAViCal
drivers_pwauth_pam.php
1<?php
17require_once("auth-functions.php");
23{
/**
 * Record a configuration problem when the pwauth configuration file is absent.
 *
 * When $config does not exist, a translated message is queued on the global
 * $c object and the driver flags itself as not valid; when the file is
 * present nothing is changed.
 *
 * @param string $config  Path of the file that must exist for this driver.
 */
function __construct($config)
{
    global $c;

    if (file_exists($config)) {
        return;
    }

    $c->messages[] = sprintf(i18n('drivers_pwauth_pam : Unable to find %s file'), $config);
    $this->valid = false;
}
45}
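/**
 * Authenticate a username/password pair by handing it to the external
 * pwauth program and mapping pwauth's exit status to a result.
 *
 * Configuration comes from $c->authenticate_hook['config']:
 *   'path'        path of the pwauth binary that is executed
 *   'email_base'  domain used to build the e-mail address of a principal
 *                 that has to be created locally on first login
 *
 * The credentials are written to pwauth's stdin as two newline-terminated
 * lines (username, then password); the exit status values handled below are
 * pwauth's STATUS_* codes (see the pwauth man page).
 *
 * @param string $username
 * @param string $password
 * @return Principal|false  The local principal (created on demand) when
 *                          pwauth accepts the credentials, false otherwise.
 */
function PWAUTH_PAM_check($username, $password) {
  global $c;
  $program = $c->authenticate_hook['config']['path'];
  $email_base = $c->authenticate_hook['config']['email_base'];

  $username = (string) $username;
  $password = (string) $password;

  // pwauth's stdin protocol is line based: a line break inside either value
  // would make pwauth check a different username/password pair than the one
  // supplied, and a NUL would truncate the value.  Neither can be part of a
  // valid credential, so refuse such input before running the helper.
  if ( preg_match('/[\r\n\0]/', $username) || preg_match('/[\r\n\0]/', $password) ) {
    dbg_error_log('PAM', 'Rejected credentials containing control characters (username: %s)',
                  addcslashes($username, "\0..\37\177"));
    return false;
  }

  $pipe = popen(escapeshellarg($program), 'w');
  if ( $pipe === false ) {
    // Without this guard fwrite()/pclose() would be handed false instead of
    // a stream, and the failure would surface as a PHP error rather than a
    // clean authentication failure.
    dbg_error_log('PAM', 'Unable to run pwauth program %s', $program);
    return false;
  }
  $authinfo = sprintf("%s\n%s\n", $username, $password);
  $written = fwrite($pipe, $authinfo);
  dbg_error_log('PAM', 'Bytes written: %d of %d', $written, strlen($authinfo));
  $return_status = pclose($pipe);

  switch($return_status) {
    case 0:
      // STATUS_OK: Authentication succeeded.
      dbg_error_log('PAM', 'User %s successfully authenticated', $username);
      return _pwauth_pam_local_principal($username, $email_base);

    /*
     * Note that for system configurations using PAM instead of
     * reading the password database directly, if PAM is unable to
     * read the password database, pwauth will return status 1.
     */
    case 1:
    case 2:
      // (1) STATUS_UNKNOWN: Invalid username or password.
      // (2) STATUS_INVALID: Invalid password.
      dbg_error_log('PAM', 'Invalid username or password (username: %s)', $username);
      break;

    case 3:
      // STATUS_BLOCKED: UID for username is < pwauth's MIN_UNIX_UID
      dbg_error_log('PAM', 'UID for username %s is < pwauth MIN_UNIX_UID', $username);
      break;

    case 4:
      // STATUS_EXPIRED: The user account has expired.
      dbg_error_log('PAM', 'The account for %s has expired', $username);
      break;

    case 5:
      // STATUS_PW_EXPIRED: The user account's password has expired.
      dbg_error_log('PAM', 'The account password for user %s has expired', $username);
      break;

    case 6:
      // STATUS_NOLOGIN: Logins to the system are administratively disabled.
      dbg_error_log('PAM', 'Logins administratively disabled (%s)', $username);
      break;

    case 7:
      // STATUS_MANYFAILS: Too many login failures for user account.
      dbg_error_log('PAM', 'Login rejected for %s, too many failures', $username);
      break;

    case 50:
      // STATUS_INT_USER: Configuration error, Web server cannot use pwauth
      dbg_error_log('PAM', 'config error: see pwauth man page (%s)', 'STATUS_INT_USER');
      break;

    case 51:
      // STATUS_INT_ARGS: pwauth received no username/passwd to check
      dbg_error_log('PAM', 'error: pwauth received no username/password');
      break;

    case 52:
      // STATUS_INT_ERR: unknown error
      dbg_error_log('PAM', 'error: see pwauth man page (%s)', 'STATUS_INT_ERR');
      break;

    case 53:
      // STATUS_INT_NOROOT: pwauth could not read the password database
      dbg_error_log('PAM', 'config error: cannot read password database (%s)', 'STATUS_INT_NOROOT');
      break;

    default:
      // Unknown error code.
      dbg_error_log('PAM', 'An unknown error (%d) has occurred', $return_status);
  }

  return false;
}

/**
 * Return the local principal for $username, creating it on first login.
 *
 * A newly created principal takes its full name from the first gecos field
 * of the system passwd entry and gets the home collections and default
 * relationships set up.
 *
 * @param string $username    Account name already accepted by pwauth.
 * @param string $email_base  Domain appended to the username for the e-mail address.
 * @return Principal|false    false when the principal could not be created.
 */
function _pwauth_pam_local_principal($username, $email_base) {
  $principal = new Principal('username', $username);
  if ( $principal->Exists() ) {
    return $principal;
  }

  dbg_error_log('PAM', 'User %s does not exist in local db, creating', $username);

  // posix_getpwnam() returns false when the account is unknown to the local
  // passwd database (e.g. an account that PAM resolves elsewhere); indexing
  // into that false would previously yield an empty name and a PHP warning.
  $pwent = posix_getpwnam($username);
  $fullname = $username;
  if ( $pwent !== false && isset($pwent['gecos']) ) {
    $gecos = explode(',', $pwent['gecos']);
    $fullname = $gecos[0];
  }

  $principal->Create( array(
    'username' => $username,
    'user_active' => 't',
    'email' => sprintf('%s@%s', $username, $email_base),
    'fullname' => $fullname
  ));
  if ( ! $principal->Exists() ) {
    dbg_error_log( "PAM", "Unable to create local principal for '%s'", $username );
    return false;
  }
  CreateHomeCollections($username);
  CreateDefaultRelationships($username);
  return $principal;
}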