I maintain a multi-site environment. Yesterday morning, all of a sudden the sites became inactive without me doing anything to it. Before I got off the computer the day before, the site was working just fine.
Today, I started going through the plugins and renaming them to see if one was the culprit and it is your plugin version 0.9.9.9
Once I changed the folder name, the site came back up. However, when I went to log into the admin site, I got another error saying that "[the name of my site] refused to connect"
I got curious. I clicked into the adi_multisite_patch and saw two text file. I'm for sure the first file named "ad-integration" is the issue. The file reads:
<?php
/*
Plugin Name: Active Directory Integration
Version: 0.9.9.9
Plugin URI: http://blog.ecw.de/wp-ad-integration
Description: Allows WordPress to authenticate, authorize, create and update users through Active Directory
Author: Christoph Steindorff, ECW GmbH
Author URI: http://blog.ecw.de/
The work is derived from version 1.0.5 of the plugin Active Directory Authentication:
OriginalPlugin URI: http://soc.qc.edu/jonathan/wordpress-ad-auth
OriginalDescription: Allows WordPress to authenticate users through Active Directory
OriginalAuthor: Jonathan Marc Bearak
OriginalAuthor URI: http://soc.qc.edu/jonathan
*/
/*
This library is free software; you can redistribute it and/or
modify it under the terms of the GNU Lesser General Public
License as published by the Free Software Foundation; either
version 2.1 of the License, or (at your option) any later version.
This library is distributed in the hope that it will be useful,
but WITHOUT ANY WARRANTY; without even the implied warranty of
MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU
Lesser General Public License for more details.
*/
if (!class_exists('ADIntegrationPlugin')) {
// LOG LEVEL
define('ADI_LOG_DEBUG', 6);
define('ADI_LOG_INFO', 5);
define('ADI_LOG_NOTICE',4);
define('ADI_LOG_WARN', 3);
define('ADI_LOG_ERROR', 2);
define('ADI_LOG_FATAL', 1);
define('ADI_LOG_NONE', 0);
define('ADI_DUPLICATE_EMAIL_ADDRESS_PREVENT', 'prevent');
define('ADI_DUPLICATE_EMAIL_ADDRESS_ALLOW', 'allow');
define('ADI_DUPLICATE_EMAIL_ADDRESS_CREATE', 'create');
class ADIntegrationPlugin {
// version of needed DB table structure
const DB_VERSION = "0.9";
// name of our own table
const TABLE_NAME = 'adintegration';
// is the user authenticated?
public $_authenticated = false;
protected $_minium_WPMU_version = '2.8';
protected $_minium_WP_version = '2.8';
// log level
protected $_loglevel = ADI_LOG_NONE;
// adLDAP-object
protected $_adldap;
// Should a new user be created automatically if not already in the WordPress database?
protected $_auto_create_user = false;
// Should the users be updated in the WordPress database everytime they logon? (Works only if automatic user creation is set.
protected $_auto_update_user = false;
// Account Suffix (will be appended to all usernames created in WordPress, as well as used in the Active Directory authentication process
protected $_account_suffix = '';
// Should the account suffix be appended to the usernames created in WordPress?
protected $_append_suffix_to_new_users = false;
// Domain Controllers (separate with semicolons)
protected $_domain_controllers = '';
// LDAP/AD BASE DN
protected $_base_dn = '';
// Role Equivalent Groups (wp-role1=ad-group1;wp-role2=ad-group2;...)
protected $_role_equivalent_groups = '';
// Default Email Domain (eg. 'domain.tld')
protected $_default_email_domain = '';
// Port on which AD listens (default 389)
protected $_port = 389;
// Username for non-anonymous requests to AD
protected $_bind_user = '';
// Password for non-anonymous requests to AD
protected $_bind_pwd = '';
// Secure the connection between the Drupal and the LDAP servers using TLS.
protected $_use_tls = false;
// Check Login authorization by group membership
protected $_authorize_by_group = false;
// Group name for authorization.
protected $_authorization_group = '';
// Maximum number of failed login attempts before the account is blocked
protected $_max_login_attempts = 3;
// Number of seconds an account is blocked after the maximum number of failed login attempts is reached.
protected $_block_time = 30;
// Send email to user if his account is blocked.
protected $_user_notification = false;
// Send email to admin if a user account is blocked.
protected $_admin_notification = false;
// Administrator's e-mail address(es) where notifications should be sent to.
protected $_admin_email = '';
// Set user's display_name to an AD attribute or to username if left blank
// Possible values: description, displayname, mail, sn, cn, givenname, samaccountname
protected $_display_name = '';
// Enable/Disable password changes
protected $_enable_password_change = false;
protected $_duplicate_email_prevention = ADI_DUPLICATE_EMAIL_ADDRESS_PREVENT;
// All options and its types
protected $_all_options = array(
array('name' => 'AD_Integration_account_suffix', 'type' => 'string'),
array('name' => 'AD_Integration_auto_create_user', 'type' => 'bool'),
array('name' => 'AD_Integration_auto_update_user', 'type' => 'bool'),
array('name' => 'AD_Integration_append_suffix_to_new_users', 'type' => 'bool'),
array('name' => 'AD_Integration_domain_controllers', 'type' => 'string'),
array('name' => 'AD_Integration_base_dn', 'type' => 'string'),
array('name' => 'AD_Integration_prefix_dn', 'type' => 'string'),
array('name' => 'AD_Integration_role_equivalent_groups', 'type' => 'string'),
array('name' => 'AD_Integration_default_email_domain', 'type' => 'string'),
array('name' => 'AD_Integration_port', 'type' => 'int'),
array('name' => 'AD_Integration_bind_user', 'type' => 'string'),
array('name' => 'AD_Integration_bind_pwd', 'type' => 'string'),
array('name' => 'AD_Integration_use_tls', 'type' => 'bool'),
array('name' => 'AD_Integration_authorize_by_group', 'type' => 'bool'),
array('name' => 'AD_Integration_authorization_group', 'type' => 'string'),
array('name' => 'AD_Integration_max_login_attempts', 'type' => 'int'),
array('name' => 'AD_Integration_block_time', 'type' => 'int'),
array('name' => 'AD_Integration_user_notification', 'type' => 'bool'),
array('name' => 'AD_Integration_admin_notification', 'type' => 'bool'),
array('name' => 'AD_Integration_admin_email', 'type' => 'string'),
array('name' => 'AD_Integration_display_name', 'type' => 'string'),
array('name' => 'AD_Integration_enable_password_change', 'type' => 'bool'),
array('name' => 'AD_Integration_duplicate_email_prevention', 'type' => 'string')
);
/**
* Constructor
*/
public function __construct() {
global $wp_version, $wpmu_version, $wpdb, $wpmuBaseTablePrefix;
if (!defined('IS_WPMU')) {
define('IS_WPMU', ($wpmu_version != ''));
}
// define folder constant
if (!defined('ADINTEGRATION_FOLDER')) {
define('ADINTEGRATION_FOLDER', basename(dirname(__FILE__)));
}
// Load up the localization file if we're using WordPress in a different language
// Place it in this plugin's folder and name it "ad-auth-[value in wp-config].mo"
load_plugin_textdomain( 'ad-integration', WP_PLUGIN_URL.'/'.ADINTEGRATION_FOLDER, ADINTEGRATION_FOLDER );
load_plugin_textdomain( 'ad-integration', ( (IS_WPMU) ? WPMU_PLUGIN_URL : WP_PLUGIN_URL ).'/'.ADINTEGRATION_FOLDER, ADINTEGRATION_FOLDER );
// Load Options
$this->_load_options();
if (isset($_GET['activate']) and $_GET['activate'] == 'true') {
add_action('init', array(&$this, 'initialize_options'));
}
add_action('admin_menu', array(&$this, 'add_options_page'));
add_filter('contextual_help', array(&$this, 'contextual_help'), 10, 2);
// DO WE HAVE LDAP SUPPORT?
if (function_exists('ldap_connect')) {
// WP 2.8 and above?
if (version_compare($wp_version, '2.8', '>=')) {
add_filter('authenticate', array(&$this, 'authenticate'), 10, 3);
} else {
add_action('wp_authenticate', array(&$this, 'authenticate'), 10, 2);
}
add_action('lost_password', array(&$this, 'disable_function'));
add_action('retrieve_password', array(&$this, 'disable_function'));
add_action('password_reset', array(&$this, 'disable_function'));
add_action('admin_print_styles', array(&$this, 'load_styles'));
add_action('admin_print_scripts', array(&$this, 'load_scripts'));
add_filter('check_password', array(&$this, 'override_password_check'), 10, 4);
// Is local password change disallowed?
if (!$this->_enable_password_change) {
// disable password fields
add_filter('show_password_fields', array(&$this, 'disable_password_fields'));
// generate a random passwords for manually added users
add_action('check_passwords', array(&$this, 'generate_password'), 10, 3);
}
if (!class_exists('adLDAP')) {
require 'ad_ldap/adLDAP.php';
}
}
}
public function load_styles() {
wp_register_style('adintegration', ( (IS_WPMU) ? WPMU_PLUGIN_URL : WP_PLUGIN_URL ).'/'.ADINTEGRATION_FOLDER.'/css/adintegration.css',false, '1.7.1', 'screen');
wp_enqueue_style('adintegration');
}
public function load_scripts() {
wp_enqueue_script( 'jquery-ui-tabs' );
}
/*************************************************************
* Plugin hooks
*************************************************************/
/**
* Add options for this plugin to the database.
*/
public function initialize_options() {
if (IS_WPMU) {
if (is_site_admin()) {
add_site_option('AD_Integration_account_suffix', '', 'Account Suffix (will be appended to all usernames created in WordPress, as well as used in the Active Directory authentication process');
add_site_option('AD_Integration_auto_create_user', false, 'Should a new user be created automatically if not already in the WordPress database?');
add_site_option('AD_Integration_auto_update_user', false, 'Should the users be updated in the WordPress database everytime they logon? (Works only if automatic user creation is set.)');
add_site_option('AD_Integration_append_suffix_to_new_users', '', false, 'Should the account suffix be appended to the usernames created in WordPress?');
add_site_option('AD_Integration_domain_controllers', '', 'Domain Controllers (separate with semicolons)');
add_site_option('AD_Integration_base_dn', '', 'Base DN');
add_site_option('AD_Integration_prefix_dn', '', 'before userid in DN (e.g., CN, UID, ...)');
add_site_option('AD_Integration_role_equivalent_groups', '', 'Role Equivalent Groups');
add_site_option('AD_Integration_default_email_domain', '', 'Default Email Domain');
add_site_option('AD_Integration_port', '389', 'Port on which AD listens (default 389).');
add_site_option('AD_Integration_bind_user', '', 'Username for non-anonymous requests to AD.');
add_site_option('AD_Integration_bind_pwd', '', 'Password for non-anonymous requests to AD.');
add_site_option('AD_Integration_use_tls', false, 'Secure the connection between the Drupal and the LDAP servers using TLS.');
add_site_option('AD_Integration_authorize_by_group', false, 'Check Login authorization by group membership.');
add_site_option('AD_Integration_authorization_group', '', 'Group name for authorization.');
add_site_option('AD_Integration_max_login_attempts', '3', 'Maximum number of failed login attempts before the account is blocked.');
add_site_option('AD_Integration_block_time', '30', 'Number of seconds an account is blocked after the maximum number of failed login attempts is reached.');
add_site_option('AD_Integration_user_notification', false, 'Send email to user if his account is blocked.');
add_site_option('AD_Integration_admin_notification', false, 'Send email to admin if a user account is blocked.');
add_site_option('AD_Integration_admin_email', '', "Administrator's email address where notifications should be sent to.");
add_site_option('AD_Integration_display_name', '', "Set user's display_name to an AD attribute or to username if left blank.");
add_site_option('AD_Integration_enable_password_change', false, 'Enable the ability of the users to change their WP passwords.');
add_site_option('AD_Integration_duplicate_email_prevention', ADI_DUPLICATE_EMAIL_ADDRESS_PREVENT, 'Prevent duplicate email addresses?');
}
} else {
if (current_user_can('manage_options')) {
add_option('AD_Integration_account_suffix', '', 'Account Suffix (will be appended to all usernames created in WordPress, as well as used in the Active Directory authentication process');
add_option('AD_Integration_auto_create_user', false, 'Should a new user be created automatically if not already in the WordPress database?');
add_option('AD_Integration_auto_update_user', false, 'Should the users be updated in the WordPress database everytime they logon? (Works only if automatic user creation is set.)');
add_option('AD_Integration_append_suffix_to_new_users', '', false, 'Should the account suffix be appended to the usernames created in WordPress?');
add_option('AD_Integration_domain_controllers', '', 'Domain Controllers (separate with semicolons)');
add_option('AD_Integration_base_dn', '', 'Base DN');
add_option('AD_Integration_prefix_dn', '', 'before userid in DN (e.g., CN, UID, ...)');
add_option('AD_Integration_role_equivalent_groups', '', 'Role Equivalent Groups');
add_option('AD_Integration_default_email_domain', '', 'Default Email Domain');
add_option('AD_Integration_port', '389', 'Port on which AD listens (default 389).');
add_option('AD_Integration_bind_user', '', 'Username for non-anonymous requests to AD.');
add_option('AD_Integration_bind_pwd', '', 'Password for non-anonymous requests to AD.');
add_option('AD_Integration_use_tls', false, 'Secure the connection between the Drupal and the LDAP servers using TLS.');
add_option('AD_Integration_authorize_by_group', false, 'Check Login authorization by group membership.');
add_option('AD_Integration_authorization_group', '', 'Group name for authorization.');
add_option('AD_Integration_max_login_attempts', '3', 'Maximum number of failed login attempts before the account is blocked.');
add_option('AD_Integration_block_time', '30', 'Number of seconds an account is blocked after the maximum number of failed login attempts is reached.');
add_option('AD_Integration_user_notification', false, 'Send email to user if his account is blocked.');
add_option('AD_Integration_admin_notification', false, 'Send email to admin if a user account is blocked.');
add_option('AD_Integration_admin_email', '', "Administrator's email address where notifications should be sent to.");
add_option('AD_Integration_display_name', '', "Set user's display_name to an AD attribute or to username if left blank.");
add_option('AD_Integration_enable_password_change', false, 'Enable or disabled the ability to the change user WP passwords.');
add_option('AD_Integration_duplicate_email_prevention', ADI_DUPLICATE_EMAIL_ADDRESS_PREVENT, 'Prevent duplicate email addresses?');
}
}
}
/**
* Add an options pane for this plugin.
*/
public function add_options_page() {
if (IS_WPMU && is_site_admin()) {
// WordPress MU
if (function_exists('add_submenu_page')) {
add_submenu_page('wpmu-admin.php', __('Active Directory Integration'), __('Active Directory Integration'), 'manage_options', __FILE__, array(&$this, '_display_options_page'));
}
}
if (!IS_WPMU) {
// WordPress Standard
if (function_exists('add_options_page')) {
add_options_page('Active Directory Integration', 'Active Directory Integration', 'manage_options', __FILE__, array(&$this, '_display_options_page'));
}
}
}
/**
* Wrapper
*
* @param $arg1 WP_User or username
* @param $arg2 username or password
* @param $arg3 passwprd or empty
* @return WP_User
*/
public function authenticate($arg1 = NULL, $arg2 = NULL, $arg3 = NULL) {
global $wp_version, $wpmu_version;
$this->_log(ADI_LOG_INFO,'method authenticate() called');
if (IS_WPMU) {
$version = $wpmu_version;
} else {
$version = $wp_version;
}
$this->_log(ADI_LOG_INFO,'WP version: '.$version);
if (version_compare($version, '2.8', '>=')) {
return $this->ad_authenticate($arg1, $arg2, $arg3);
} else {
return $this->ad_authenticate(NULL, $arg1, $arg2);
}
}
/**
* If the REMOTE_USER evironment is set, use it as the username.
* This assumes that you have externally authenticated the user.
*/
public function ad_authenticate($user = NULL, $username = '', $password = '') {
$user_id = NULL;
$this->_authenticated = false;
// IMPORTANT!
$username = strtolower($username);
$this->_log(ADI_LOG_NOTICE,'username: '.$username);
$this->_log(ADI_LOG_DEBUG,'password: '.$password);
// Load options from WordPress-DB.
$this->_load_options();
// Log informations
$this->_log(ADI_LOG_INFO,"Options for adLDAP connection:\n".
"- account_suffix: $this->_account_suffix\n".
"- base_dn: $this->_base_dn\n".
"- domain_controllers: $this->_domain_controllers\n".
"- ad_username: $this->_bind_user\n".
"- ad_password: $this->_bind_pwd\n".
"- ad_port: $this->_port\n".
"- use_tls: $this->_use_tls");
// Connect to Active Directory
try {
$this->_adldap = @new adLDAP(array(
"account_suffix" => $this->_account_suffix,
"base_dn" => $this->_base_dn,
"domain_controllers" => explode(';', $this->_domain_controllers),
"ad_username" => $this->_bind_user, // AD Bind User
"ad_password" => $this->_bind_pwd, // password
"ad_port" => $this->_port, // AD port
"use_tls" => $this->_use_tls // secure?
));
} catch (Exception $e) {
$this->_log(ADI_LOG_ERROR,'adLDAP exception: ' . $e->getMessage());
return false;
}
$this->_log(ADI_LOG_NOTICE,'adLDAP object created.');
// Check for maximum login attempts
$this->_log(ADI_LOG_INFO,'max_login_attempts: '.$this->_max_login_attempts);
if ($this->_max_login_attempts > 0) {
$failed_logins = $this->_get_failed_logins_within_block_time($username);
$this->_log(ADI_LOG_INFO,'users failed logins: '.$failed_logins);
if ($failed_logins >= $this->_max_login_attempts) {
$this->_authenticated = false;
$this->_log(ADI_LOG_ERROR,'Authentication failed');
$this->_log(ADI_LOG_ERROR,"Account '$username' blocked for $this->_block_time seconds");
// e-mail notfications if user is blocked
if ($this->_user_notification) {
$this->_notify_user($username);
$this->_log(ADI_LOG_NOTICE,"Notification send to user.");
}
if ($this->_admin_notification) {
$this->_notify_admin($username);
$this->_log(ADI_LOG_NOTICE,"Notification send to admin(s).");
}
// Show the blocking page to the user (only if we are not in debug/log mode)
if ($this->_loglevel == ADI_LOG_NONE) {
$this->_display_blocking_page($username);
}
die(); // important !
}
}
// This is where the action is.
if ( $this->_adldap->authenticate($username, $password) )
{
$this->_log(ADI_LOG_NOTICE,'Authentication successfull');
$this->_authenticated = true;
}
if ( $this->_authenticated == false )
{
$this->_log(ADI_LOG_ERROR,'Authentication failed');
$this->_authenticated = false;
$this->_store_failed_login($username);
return false;
}
// Cleanup old database entries
$this->_cleanup_failed_logins($username);
// Check the authorization
if ($this->_authorize_by_group) {
if ($this->_check_authorization_by_group($username)) {
$this->_authenticated = true;
} else {
$this->_authenticated = false;
return false;
}
}
$ad_username = $username;
// should the account suffix be used for the new username?
if ($this->_append_suffix_to_new_users) {
$username .= $this->_account_suffix;
}
// Create new users automatically, if configured
$user = get_userdatabylogin($username);
if (!$user OR ($user->user_login != $username)) {
$user_role = $this->_get_user_role_equiv($ad_username);
if ($this->_auto_create_user || trim($user_role) != '' ) {
// create user
$userinfo = $this->_adldap->user_info($ad_username, array('sn', 'givenname', 'mail', 'displayName', 'description', 'cn'));
$userinfo = $userinfo[0];
$email = $userinfo['mail'][0];
$first_name = $userinfo['givenname'][0];
$last_name = $userinfo['sn'][0];
$display_name = $this->_get_display_name_from_AD($username, $userinfo);
$user_id = $this->_create_user($ad_username, $email, $first_name, $last_name, $display_name, $user_role);
} else {
// Bail out to avoid showing the login form
$this->_log(ADI_LOG_ERROR,'This user exists in Active Directory, but has not been granted access to this installation of WordPress.');
return new WP_Error('invalid_username', __('<strong>ERROR</strong>: This user exists in Active Directory, but has not been granted access to this installation of WordPress.'));
}
} else {
// update known users if configured
if ($this->_auto_create_user AND $this->_auto_update_user) {
// Update users role
$user_role = $this->_get_user_role_equiv($ad_username);
$userinfo = $this->_adldap->user_info($ad_username, array('sn', 'givenname', 'mail', 'displayName', 'description', 'cn'));
$userinfo = $userinfo[0];
$email = $userinfo['mail'][0];
$first_name = $userinfo['givenname'][0];
$last_name = $userinfo['sn'][0];
$common_name = $userinfo['cn'][0];
$display_name = $this->_get_display_name_from_AD($username, $userinfo);
$user_id = $this->_update_user($ad_username, $email, $first_name, $last_name, $display_name, $user_role);
}
}
// load user object
if (!$user_id) {
require_once(ABSPATH . WPINC . DIRECTORY_SEPARATOR .'registration.php');
$user_id = username_exists($username);
$this->_log(ADI_LOG_NOTICE,'user_id: '.$user_id);
}
$user = new WP_User($user_id);
$this->_log(ADI_LOG_NOTICE,'FINISHED');
return $user;
}
/*
* Skip the password check, since we've externally authenticated.
*/
public function override_password_check($check, $password, $hash, $user_id) {
if ( $this->_authenticated == true )
{
return true;
}
else
{
return $check;
}
}
/*
* Generate a password for the user. This plugin does not
* require the user to enter this value, but we want to set it
* to something nonobvious.
*/
public function generate_password($username, $password1, $password2) {
$password1 = $password2 = $this->_get_password();
}
/*
* Used to disable certain display elements, e.g. password
* fields on profile screen.
*/
public function disable_password_fields($show_password_fields) {
return false;
}
/*
* Used to disable certain login functions, e.g. retrieving a
* user's password.
*/
public function disable_function() {
die('Disabled');
}
/**
* Shows the contexual help on the options/admin screen.
*
* @param $help
* @param $screen
* @return string help message
*/
public function contextual_help ($help, $screen) {
if ($screen == 'settings_page_' . ADINTEGRATION_FOLDER . '/ad-integration'
|| $screen == 'wpmu-admin_page_' . ADINTEGRATION_FOLDER . '/ad-integration') {
$help .= '<h5>' . __('Active Directory Integration Help','ad-integration') . '</h5><div class="metabox-prefs">';
$help .= '<a href="http://blog.ecw.de/wp-ad-integration">'.__ ('Overview','ad-integration').'</a><br/>';
$help .= '<a href="http://wordpress.org/extend/plugins/active-directory-integration/faq/">'.__ ('FAQ', 'ad-integration').'</a><br/>';
$help .= '<a href="http://wordpress.org/extend/plugins/active-directory-integration/changelog/">'.__ ('Changelog', 'ad-integration').'</a><br/>';
$help .= '<a href="http://wordpress.org/tags/active-directory-integration">'.__ ('Support-Forum', 'ad-integration').'</a><br/>';
$help .= '</div>';
}
return $help;
}
public function setLogLevel($level = 0) {
$this->_loglevel = (int)$level;
}
public function disableDebug() {
$this->debug = false;
}
/****************************************************************
* STATIC FUNCTIONS
****************************************************************/
/**
* Determine global table prefix, usually "wp_".
*
* @return string table prefix
*/
public static function global_db_prefix() {
global $wpmu_version, $wpdb, $wpmuBaseTablePrefix;
// define table prefix
if ($wpmu_version != '') {
return $wpmuBaseTablePrefix;
} else {
return $wpdb->prefix;
}
}
/**
* Adding the needed table to database and store the db version in the
* options table on plugin activation.
*/
public static function activate() {
global $wpdb, $wpmu_version;
//$table_name = $wpdb->prefix . ADIntegrationPlugin::TABLE_NAME;
$table_name = ADIntegrationPlugin::global_db_prefix() . ADIntegrationPlugin::TABLE_NAME;
if ($wpmu_version != '') {
$db_version = get_site_option('AD_Integration_db_version');
} else {
$db_version = get_option('AD_Integration_db_version');
}
if (($wpdb->get_var("show tables like '$table_name'") != $table_name) OR ($db_version != ADIntegrationPlugin::DB_VERSION)) {
$sql = 'CREATE TABLE ' . $table_name . ' (
id bigint(20) NOT NULL AUTO_INCREMENT,
user_login varchar(60),
failed_login_time bigint(11),
UNIQUE KEY id (id)
);';
require_once(ABSPATH . 'wp-admin/includes/upgrade.php');
dbDelta($sql);
// store db version in the options
if ($wpmu_version != '') {
add_site_option('AD_Integration_db_version', ADIntegrationPlugin::DB_VERSION, 'Version of the table structure');
} else {
add_option('AD_Integration_db_version', ADIntegrationPlugin::DB_VERSION, 'Version of the table structure');
}
}
}
/**
* Delete the table from database and delete the db version from the
* options table on plugin deactivation.
*/
public static function deactivate() {
global $wpdb, $wpmu_version;
$table_name = ADIntegrationPlugin::global_db_prefix() . ADIntegrationPlugin::TABLE_NAME;
// drop table
$wpdb->query('DROP TABLE IF EXISTS '.$table_name);
// delete option
if ($wpmu_version != '') {
delete_site_option('AD_Integration_db_version');
} else {
delete_option('AD_Integration_db_version');
}
}
/**
* removes the plugin options from options table.
*/
public static function uninstall($echo=false) {
foreach($this->_all_options as $option) {
$delete_setting = delete_option($option['name']);
if ($echo) {
if($delete_setting) {
echo '<font color="green">';
printf(__('Setting Key \'%s\' has been deleted.', 'ad-integration'), "<strong><em>{$option['name']}</em></strong>");
echo '</font><br />';
} else {
echo '<font color="red">';
printf(__('Error deleting Setting Key \'%s\'.', 'ad-integration'), "<strong><em>{$option['name']}</em></strong>");
echo '</font><br />';
}
}
}
}
/*************************************************************
* Functions
*************************************************************/
/**
* Loads the options from WordPress-DB
*/
protected function _load_options() {
$this->_log(ADI_LOG_INFO,'loading options...');
if (IS_WPMU) {
$this->_auto_create_user = (bool)get_site_option('AD_Integration_auto_create_user');
$this->_auto_update_user = (bool)get_site_option('AD_Integration_auto_update_user');
$this->_account_suffix = get_site_option('AD_Integration_account_suffix');
$this->_append_suffix_to_new_users = get_site_option('AD_Integration_append_suffix_to_new_users');
$this->_domain_controllers = get_site_option('AD_Integration_domain_controllers');
$this->_base_dn = get_site_option('AD_Integration_base_dn');
$this->_prefix_dn = get_site_option('AD_Integration_prefix_dn');
$this->_bind_user = get_site_option('AD_Integration_bind_user');
$this->_bind_pwd = get_site_option('AD_Integration_bind_pwd');
$this->_port = get_site_option('AD_Integration_port');
$this->_use_tls = get_site_option('AD_Integration_use_tls');
$this->_default_email_domain = get_site_option('AD_Integration_default_email_domain');
$this->_authorize_by_group = (bool)get_site_option('AD_Integration_authorize_by_group');
$this->_authorization_group = get_site_option('AD_Integration_authorization_group');
$this->_role_equivalent_groups = get_site_option('AD_Integration_role_equivalent_groups');
$this->_max_login_attempts = (int)get_site_option('AD_Integration_max_login_attempts');
$this->_block_time = (int)get_site_option('AD_Integration_block_time');
$this->_user_notification = (bool)get_site_option('AD_Integration_user_notification');
$this->_admin_notification = (bool)get_site_option('AD_Integration_admin_notification');
$this->_admin_email = get_site_option('AD_Integration_admin_email');
$this->_display_name = get_site_option('AD_Integration_display_name');
$this->_enable_password_change = get_site_option('AD_Integration_enable_password_change');
$this->_duplicate_email_prevention = get_site_option('AD_Integration_duplicate_email_prevention');
} else {
$this->_auto_create_user = (bool)get_option('AD_Integration_auto_create_user');
$this->_auto_update_user = (bool)get_option('AD_Integration_auto_update_user');
$this->_account_suffix = get_option('AD_Integration_account_suffix');
$this->_append_suffix_to_new_users = get_option('AD_Integration_append_suffix_to_new_users');
$this->_domain_controllers = get_option('AD_Integration_domain_controllers');
$this->_base_dn = get_option('AD_Integration_base_dn');
$this->_prefix_dn = get_option('AD_Integration_prefix_dn');
$this->_bind_user = get_option('AD_Integration_bind_user');
$this->_bind_pwd = get_option('AD_Integration_bind_pwd');
$this->_port = get_option('AD_Integration_port');
$this->_use_tls = get_option('AD_Integration_use_tls');
$this->_default_email_domain = get_option('AD_Integration_default_email_domain');
$this->_authorize_by_group = (bool)get_option('AD_Integration_authorize_by_group');
$this->_authorization_group = get_option('AD_Integration_authorization_group');
$this->_role_equivalent_groups = get_option('AD_Integration_role_equivalent_groups');
$this->_max_login_attempts = (int)get_option('AD_Integration_max_login_attempts');
$this->_block_time = (int)get_option('AD_Integration_block_time');
$this->_user_notification = (bool)get_option('AD_Integration_user_notification');
$this->_admin_notification = (bool)get_option('AD_Integration_admin_notification');
$this->_admin_email = get_option('AD_Integration_admin_email');
$this->_display_name = get_option('AD_Integration_display_name');
$this->_enable_password_change = get_option('AD_Integration_enable_password_change');
$this->_duplicate_email_prevention = get_option('AD_Integration_duplicate_email_prevention');
}
}
/**
* Saves the options to the sitewide options store. This is only needed for WPMU.
*
* @param $arrPost the POST-Array with the new options
* @return unknown_type
*/
protected function _save_wpmu_options($arrPost) {
if (IS_WPMU) {
if ( !empty( $arrPost['AD_Integration_auto_create_user'] ) )
update_site_option('AD_Integration_auto_create_user', (bool)$arrPost['AD_Integration_auto_create_user']);
if ( !empty( $arrPost['AD_Integration_auto_update_user'] ) )
update_site_option('AD_Integration_auto_update_user', (bool)$arrPost['AD_Integration_auto_update_user']);
if ( !empty( $arrPost['AD_Integration_account_suffix'] ) )
update_site_option('AD_Integration_account_suffix', $arrPost['AD_Integration_account_suffix']);
if ( !empty( $arrPost['AD_Integration_append_suffix_to_new_users'] ) )
update_site_option('AD_Integration_append_suffix_to_new_users', $arrPost['AD_Integration_append_suffix_to_new_users']);
if ( !empty( $arrPost['AD_Integration_domain_controllers'] ) )
update_site_option('AD_Integration_domain_controllers', $arrPost['AD_Integration_domain_controllers']);
if ( !empty( $arrPost['AD_Integration_base_dn'] ) )
update_site_option('AD_Integration_base_dn', $arrPost['AD_Integration_base_dn']);
if ( !empty( $arrPost['AD_Integration_prefix_dn'] ) )
update_site_option('AD_Integration_prefix_dn', $arrPost['AD_Integration_prefix_dn']);
if ( !empty( $arrPost['AD_Integration_bind_user'] ) )
update_site_option('AD_Integration_bind_user', $arrPost['AD_Integration_bind_user']);
if ( !empty( $arrPost['AD_Integration_bind_pwd'] ) )
update_site_option('AD_Integration_bind_pwd', $arrPost['AD_Integration_bind_pwd']);
if ( !empty( $arrPost['AD_Integration_port'] ) )
update_site_option('AD_Integration_port', $arrPost['AD_Integration_port']);
if ( !empty( $arrPost['AD_Integration_use_tls'] ) )
update_site_option('AD_Integration_use_tls', $arrPost['AD_Integration_use_tls']);
if ( !empty( $arrPost['AD_Integration_default_email_domain'] ) )
update_site_option('AD_Integration_default_email_domain', $arrPost['AD_Integration_default_email_domain']);
if ( !empty( $arrPost['AD_Integration_authorize_by_group'] ) )
update_site_option('AD_Integration_authorize_by_group', (bool)$arrPost['AD_Integration_authorize_by_group']);
if ( !empty( $arrPost['AD_Integration_authorization_group'] ) )
update_site_option('AD_Integration_authorization_group', $arrPost['AD_Integration_authorization_group']);
if ( !empty( $arrPost['AD_Integration_role_equivalent_groups'] ) )
update_site_option('AD_Integration_role_equivalent_groups', $arrPost['AD_Integration_role_equivalent_groups']);
if ( !empty( $arrPost['AD_Integration_max_login_attempts'] ) )
update_site_option('AD_Integration_max_login_attempts', (int)$arrPost['AD_Integration_max_login_attempts']);
if ( !empty( $arrPost['AD_Integration_block_time'] ) )
update_site_option('AD_Integration_block_time', (int)$arrPost['AD_Integration_block_time']);
if ( !empty( $arrPost['AD_Integration_user_notification'] ) )
update_site_option('AD_Integration_user_notification', (bool)$arrPost['AD_Integration_user_notification']);
if ( !empty( $arrPost['AD_Integration_admin_notification'] ) )
update_site_option('AD_Integration_admin_notification', (bool)$arrPost['AD_Integration_admin_notification']);
if ( !empty( $arrPost['AD_Integration_admin_email'] ) )
update_site_option('AD_Integration_admin_email', $arrPost['AD_Integration_admin_email']);
if ( !empty( $arrPost['AD_Integration_display_name'] ) )
update_site_option('AD_Integration_display_name', $arrPost['AD_Integration_display_name']);
if ( !empty( $arrPost['AD_Integration_enable_password_change'] ) )
update_site_option('AD_Integration_enable_password_change', $arrPost['AD_Integration_enable_password_change']);
// let's load the new values
$this->_load_options();
}
}
/**
* Determine the display_name to be stored in WP database.
* @param $username the username used to login
* @param $userinfo the array with data returned from AD
* @return string display_name
*/
protected function _get_display_name_from_AD($username, $userinfo) {
if (($this->_display_name == '') OR ($this->_display_name == 'sAMAccountName')) {
return $username;
}
$display_name = $userinfo[$this->_display_name][0];
if ($display_name == '') {
return $username;
} else {
return $display_name;
}
}
/**
* Stores the username and the current time in the db.
*
* @param $username
* @return unknown_type
*/
protected function _store_failed_login($username) {
global $wpdb;
$this->_log(ADI_LOG_WARN,'storing failed login for user "'.$username.'"');
$table_name = ADIntegrationPlugin::global_db_prefix() . ADIntegrationPlugin::TABLE_NAME;
$sql = "INSERT INTO $table_name (user_login, failed_login_time) VALUES ('" . $wpdb->escape($username)."'," . time() . ")";
$result = $wpdb->query($sql);
}
/**
* Determines the number of failed login attempts of specific user within a specific time from now to the past.
*
* @param $username
* @param $seconds number of seconds
* @return number of failed login attempts
*/
protected function _get_failed_logins_within_block_time($username) {
global $wpdb;
$table_name = ADIntegrationPlugin::global_db_prefix() . ADIntegrationPlugin::TABLE_NAME;
$time = time() - (int)$this->_block_time;
$sql = "SELECT count(*) AS count from $table_name WHERE user_login = '".$wpdb->escape($username)."' AND failed_login_time >= $time";
return $wpdb->get_var($sql);
}
/**
* Deletes entries from store where the time of failed logins is more than the specified block time ago.
* Deletes also all entries of a user, if its username is given .
*
* @param $username
* @return
*/
protected function _cleanup_failed_logins($username = NULL) {
global $wpdb;
$this->_log(ADI_LOG_NOTICE,'cleaning up failed logins for user "'.$username.'"');
$table_name = ADIntegrationPlugin::global_db_prefix() . ADIntegrationPlugin::TABLE_NAME;
$time = time() - $this->_block_time;
$sql = "DELETE FROM $table_name WHERE failed_login_time < $time";
if ($username != NULL) {
$sql .= " OR user_login = '".$wpdb->escape($username)."'";
}
$results = $wpdb->query($sql);
}
/**
* Get the rest of the time an account is blocked.
*
* @param $username
* @return int seconds the account is blocked, or 0
*/
protected function _get_rest_of_blocking_time($username) {
global $wpdb;
$table_name = ADIntegrationPlugin::global_db_prefix() . ADIntegrationPlugin::TABLE_NAME;
$sql = "SELECT max(failed_login_time) FROM $table_name WHERE user_login = '".$wpdb->escape($username)."'";
$max_time = $wpdb->get_var($sql);
if ($max_time == NULL ) {
return 0;
}
return ($max_time + $this->_block_time) - time();
}
/**
* Generate a random password.
*
* @param int $length Length of the password
* @return password as string
*/
protected function _get_password($length = 10) {
return substr(md5(uniqid(microtime())), 0, $length);
}
/**
* Create a new WordPress account for the specified username.
* @param $username
* @param $email
* @param $first_name
* @param $last_name
* @param $display_name
* @param $role
* @return integer user_id
*/
protected function _create_user($username, $email, $first_name, $last_name, $display_name = '', $role = '')
{
global $wp_version;
$password = $this->_get_password();
if ( $email == '' )
{
if (trim($this->_default_email_domain) != '') {
$email = $username . '@' . $this->_default_email_domain;
} else {
if (strpos($username, '@') !== false) {
$email = $username;
}
}
}
// append account suffix to new users?
if ($this->_append_suffix_to_new_users) {
$username .= $this->_account_suffix;
}
$this->_log(ADI_LOG_NOTICE,"Creating user '$username' with following data:\n".
"- email: $email\n".
"- first name: $first_name\n".
"- last name: $last_name\n".
"- display name: $display_name\n".
"- role: $role");
require_once(ABSPATH . WPINC . DIRECTORY_SEPARATOR . 'registration.php');
if ($this->_duplicate_email_prevention == ADI_DUPLICATE_EMAIL_ADDRESS_ALLOW) {
if (!defined('WP_IMPORTING')) {
define('WP_IMPORTING',true); // This is a dirty hack. See wp-includes/registration.php
}
}
if ($this->_duplicate_email_prevention == ADI_DUPLICATE_EMAIL_ADDRESS_CREATE) {
$new_email = $this->_create_non_duplicate_email($email);
if ($new_email !== $email) {
$this->_log(ADI_LOG_NOTICE, "Duplicate email address prevention: Email changed from $email to $new_email.");
}
$email = $new_email;
}
// Here we go!
$return = wp_create_user($username, $password, $email);
// log errors
if (is_wp_error($return)) {
$this->_log(ADI_LOG_ERROR, $return->get_error_message());
}
$user_id = username_exists($username);
$this->_log(ADI_LOG_NOTICE,' - user_id: '.$user_id);
if ( !$user_id ) {
$this->_log(ADI_LOG_FATAL,'Error creating user.');
die("Error creating user!");
} else {
if (version_compare($wp_version, '3', '>=')) {
// WP 3.0 and above
update_user_meta($user_id, 'first_name', $first_name);
update_user_meta($user_id, 'last_name', $last_name);
} else {
// WP 2.x
update_usermeta($user_id, 'first_name', $first_name);
update_usermeta($user_id, 'last_name', $last_name);
}
// set display_name
if ($display_name != '') {
$return = wp_update_user(array('ID' => $user_id, 'display_name' => $display_name));
}
// set role
if ( $role != '' )
{
$return = wp_update_user(array("ID" => $user_id, "role" => $role));
}
}
return $user_id;
}
/**
* Updates a specific Wordpress user account
*
* @param $username
* @param $email
* @param $first_name
* @param $last_name
* @param $display_name
* @param $role
* @return integer user_id
*/
protected function _update_user($username, $email, $first_name, $last_name, $display_name='', $role = '')
{
global $wp_version;
if ( $email == '' )
{
if (trim($this->_default_email_domain) != '') {
$email = $username . '@' . $this->_default_email_domain;
} else {
if (strpos($username, '@') !== false) {
$email = $username;
}
}
}
if ($this->_append_suffix_to_new_users) {
$username .= $this->_account_suffix;
}
$this->_log(ADI_LOG_NOTICE,'Updating user "'.$username."\" with following data:\n".
"- email: $email\n".
"- first name: $first_name\n".
"- last name: $last_name\n".
"- display name: $display_name\n".
"- role: $role");
require_once(ABSPATH . WPINC . DIRECTORY_SEPARATOR . 'registration.php');
$user_id = username_exists($username);
$this->_log(ADI_LOG_NOTICE,' - user_id: '.$user_id);
if ( !$user_id ) {
$this->_log(ADI_LOG_FATAL,'Error updating user.');
die('Error updating user!');
} else {
if (version_compare($wp_version, '3', '>=')) {
// WP 3.0 and above
update_user_meta($user_id, 'first_name', $first_name);
update_user_meta($user_id, 'last_name', $last_name);
} else {
// WP 2.x
update_usermeta($user_id, 'first_name', $first_name);
update_usermeta($user_id, 'last_name', $last_name);
}
// set display_name
if ($display_name != '') {
wp_update_user(array('ID' => $user_id, 'display_name' => $display_name));
}
// set role
if ( $role != '' )
{
wp_update_user(array('ID' => $user_id, 'role' => $role));
}
// set email
if ( $email != '' )
{
$return = wp_update_user(array('ID' => $user_id, 'user_email' => $email));
}
}
// log errors
if (isset($return)) {
if (is_wp_error($return)) {
$this->_log(ADI_LOG_ERROR, $return->get_error_message());
}
}
return $user_id;
}
/**
* Returns the given email address or a newly created so no 2 users
* can have the same email address.
*
* @param $email original email address
* @return unique email address
*/
protected function _create_non_duplicate_email($email)
{
if (!email_exists($email)) {
return $email;
}
// Ok, lets create a new email address that does not already exists in the database
$arrEmailParts = split('@',$email);
$counter = 1;
$ok = false;
while ($ok !== true) {
$email = $arrEmailParts[0].$counter.'@'.$arrEmailParts[1];
$ok = !email_exists($email);
$counter++;
}
return $email;
}
/**
* Checks if the user is member of the group(s) allowed to login
*
* @param $username
* @return boolean
*/
protected function _check_authorization_by_group($username) {
if ($this->_authorize_by_group) {
$authorization_groups = explode(';', $this->_authorization_group);
foreach ($authorization_groups as $authorization_group) {
if ($this->_adldap->user_ingroup($username, $authorization_group, true)) {
$this->_log(ADI_LOG_NOTICE,'Authorized by membership of group "'.$authorization_group.'"');
return true;
}
}
$this->_log(ADI_LOG_WARN,'Authorization by group failed. User is not authorized.');
return false;
} else {
return true;
}
}
/**
* Get the first matching role from the list of role equivalent groups the user belongs to.
*
* @param $ad_username
* @return string matching role
*/
protected function _get_user_role_equiv($ad_username) {
$role_equiv_groups = explode(';', $this->_role_equivalent_groups);
$user_role = '';
foreach ($role_equiv_groups as $whatever => $role_group)
{
$role_group = explode('=', $role_group);
if ( count($role_group) != 2 )
{
continue;
}
$ad_group = $role_group[0];
$corresponding_role = $role_group[1];
if ( $this->_adldap->user_ingroup($ad_username, $ad_group, true ) )
{
$user_role = $corresponding_role;
break;
}
}
$this->_log(ADI_LOG_INFO,'user role: '.$user_role);
return $user_role;
}
/**
* Send an email to the user who's account is blocked
*
* @param $username string
* @return unknown_type
*/
protected function _notify_user($username)
{
// if auto creation is enabled look for the user in AD
if ($this->_auto_create_user) {
$userinfo = $this->_adldap->user_info($username, array("sn", "givenname", "mail"));
if ($userinfo) {
$userinfo = $userinfo[0];
$email = $userinfo['mail'][0];
$first_name = $userinfo['givenname'][0];
$last_name = $userinfo['sn'][0];
} else {
return false;
}
} else {
// auto creation is disabled, so look for the user in local database
require_once(ABSPATH . WPINC . DIRECTORY_SEPARATOR . 'registration.php');
$user_id = username_exists($username);
if ($user_id) {
$user_info = get_userdata($user_id);
$last_name = $user_info->last_name;
$first_name = $user_info->first_name;
$email = $user_info->user_email;
} else {
return false;
}
}
// do we have a correct email address?
if (is_email($email)) {
$blog_url = get_bloginfo('url');
$blog_name = get_bloginfo('name');
$blog_domain = preg_replace ('/^(http:\/\/)(.+)\/.*$/i','$2', $blog_url);
$subject = '['.$blog_name.'] '.__('Account blocked','ad-integration');
$body = sprintf(__('Someone tried to login to %s (%s) with your username (%s) - but in vain. For security reasons your account is now blocked for %d seconds.','ad-integration'), $blog_name, $blog_url, $username, $this->_block_time);
$body .= "\n\r";
$body .= __('THIS IS A SYSTEM GENERATED E-MAIL, PLEASE DO NOT RESPOND TO THE E-MAIL ADDRESS SPECIFIED ABOVE.','ad-integration');
$header = 'From: "WordPress" <wordpress@'.$blog_domain.">\r\n";
return wp_mail($email, $subject, $body, $header);
} else {
return false;
}
}
/**
* Notify administrator(s) by e-mail if an account is blocked
*
* @param $username username of the blocked account
* @return boolean false if no e-mail is sent, true on success
*/
protected function _notify_admin($username)
{
$arrEmail = array(); // list of recipients
if ($this->_admin_notification) {
$email = $this->_admin_email;
// Should we use Blog-Administrator's e-mail
if (trim($email) == '') {
// Is this an e-mail address?
if (is_email($email)) {
$arrEmail[0] = trim(get_bloginfo('admin_email '));
}
} else {
// Using own list of notification recipients
$arrEmail = explode(";",$email);
// remove wrong e-mail addresses from array
for ($x=0; $x < count($arrEmail); $x++) {
$arrEmail[$x] = trim($arrEmail[$x]); // remove possible whitespaces
if (!is_email($arrEmail[$x])) {
unset($arrEmail[$x]);
}
}
}
// Do we have valid e-mail addresses?
if (count($arrEmail) > 0) {
if ($this->_auto_create_user) {
// auto creation is enabled, so look for the user in AD
$userinfo = $this->_adldap->user_info($username, array("sn", "givenname", "mail"));
if ($userinfo) {
$userinfo = $userinfo[0];
$first_name = $userinfo['givenname'][0];
$last_name = $userinfo['sn'][0];
} else {
return false;
}
} else {
// auto creation is disabled, so look for the user in local database
require_once(ABSPATH . WPINC . DIRECTORY_SEPARATOR . 'registration.php');
$user_id = username_exists($username);
if ($user_id) {
$user_info = get_userdata($user_id);
$last_name = $user_info->last_name;
$first_name = $user_info->first_name;
} else {
return false;
}
}
$blog_url = get_bloginfo('url');
$blog_name = get_bloginfo('name');
$blog_domain = preg_replace ('/^(http:\/\/)(.+)\/.*$/i','$2', $blog_url);
$subject = '['.$blog_name.'] '.__('Account blocked','ad-integration');
$body = sprintf(__('Someone tried to login to %s (%s) with the username "%s" (%s %s) - but in vain. For security reasons this account is now blocked for %d seconds.','ad-integration'), $blog_name, $blog_url, $username, $first_name, $last_name, $this->_block_time);
$body .= "\n\r";
$body .= sprintf(__('The login attempt was made from IP-Address: %s','ad-integration'), $_SERVER['REMOTE_ADDR']);
$body .= "\n\r";
$body .= __('THIS IS A SYSTEM GENERATED E-MAIL, PLEASE DO NOT RESPOND TO THE E-MAIL ADDRESS SPECIFIED ABOVE.','ad-integration');
$header = 'From: "WordPress" <wordpress@'.$blog_domain.">\r\n";
// send e-mails
$blnSuccess = true;
foreach($arrEmail AS $email) {
$blnSuccess = ($blnSuccess AND wp_mail($email, $subject, $body, $header));
}
return $blnSuccess;
} else {
return false;
}
} else {
return false;
}
return true;
}
/**
* Output debug informations
*
* @param integer level
* @param string $notice
*/
protected function _log($level = 0, $info = '') {
if ($level <= $this->_loglevel) {
echo '[' .$level . '] '.$info."\n\r";
}
}
/**
* Show a blocking page for blocked accounts.
*
* @param $username
*/
protected function _display_blocking_page($username) {
$seconds = $this->_get_rest_of_blocking_time($username);
?>
<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html xmlns="http://www.w3.org/1999/xhtml" <?php language_attributes(); ?>>
<head>
<title><?php bloginfo('name'); ?> › <?php echo $title; ?></title>
<meta http-equiv="Content-Type" content="<?php bloginfo('html_type'); ?>; charset=<?php bloginfo('charset'); ?>" />
<script type="text/javascript">
var seconds = <?php echo $seconds;?>;
function setTimer() {
var aktiv = window.setInterval("countdown()", 1000);
}
function countdown() {
seconds = seconds - 1;
if (seconds > 0) {
document.getElementById('secondsleft').innerHTML = seconds;
} else {
window.location.hre