<?php
/**
 * HTTP/LDAP authentication backend
 * HTTP (your web server) handle the authentication
 * LDAP handle user informations, and group membership
 * This plugin have been written to work with LemonLDAP::NG WebSSO
 * @license   GPL 2 (http://www.gnu.org/licenses/gpl.html)
 * @author    Daniel Berteaud <daniel@firewall-services.com>
 */

require("ldap.class.php");
class auth_httpldap extends auth_ldap {
    var $cnf = null;

    /**
    * Posible things an auth backend module may be able to
    * do. The things a backend can do need to be set to true
    * in the constructor.
    */
    var $cando = array (
        'addUser'     => false, // can Users be created?
        'delUser'     => false, // can Users be deleted?
        'modLogin'    => false, // can login names be changed?
        'modPass'     => false, // can passwords be changed?
        'modName'     => false, // can real names be changed?
        'modMail'     => false, // can emails be changed?
        'modGroups'   => false, // can groups be changed?
        'getUsers'    => false, // can a (filtered) list of users be retrieved?
        'getUserCount'=> false, // can the number of users be retrieved?
        'getGroups'   => false, // can a list of available groups be retrieved?
        'external'    => true, // does the module do external auth checking?
        'logout'      => true,  // can the user logout again? (eg. not possible with HTTP auth)
    );


    /**
     * Constructor
     */
    function auth_httpldap() {
        global $conf;
        $this->cnf = $conf['auth']['ldap'];

        // ldap extension is needed
        if(!function_exists('ldap_connect')) {
            if ($this->cnf['debug'])
                msg("LDAP err: PHP LDAP extension not found.",-1,__LINE__,__FILE__);
            $this->success = false;
            return;
        }

        if(empty($this->cnf['groupkey']))   $this->cnf['groupkey']   = 'cn';
        if(empty($this->cnf['userscope']))  $this->cnf['userscope']  = 'sub';
        if(empty($this->cnf['groupscope'])) $this->cnf['groupscope'] = 'sub';
    }


    /**
    * Check if REMOTE_USER is set
    */
    function trustExternal($user,$pass,$sticky=false){
        global $USERINFO;
        $success = false;
        $username = $_SERVER['REMOTE_USER'];
        // print info if debug is enabled
        if ($this->cnf['debug']){
          msg('LemonLDAP::NG Login Name: '.htmlspecialchars($username),0,__LINE__,__FILE__);
        }
        if (!empty($username)){
            $USERINFO = $this->getUserData($user,true);
            $success = true;
            $_SESSION[DOKU_COOKIE]['auth']['user'] = $username;
            $_SESSION[DOKU_COOKIE]['auth']['info'] = $USERINFO;
        }
        // Deny access if user is not found in LDAP
        // This should never happen
        if (!empty($USERINFO['dn'])){
            $success = false;
        }
        return $success;
    }
}