Diffstat (limited to 'engine/lib/pam.php')
-rw-r--r--engine/lib/pam.php44
1 files changed, 28 insertions, 16 deletions
diff --git a/engine/lib/pam.php b/engine/lib/pam.php
index 17b10b5cc..590ef9fde 100644
--- a/engine/lib/pam.php
+++ b/engine/lib/pam.php
@@ -3,12 +3,13 @@
* Elgg Simple PAM library
* Contains functions for managing authentication.
* This is not a full implementation of PAM. It supports a single facility
- * (authentication) and only allows one policy at a time. There are two control
- * flags possible for each module: sufficient or required. The entire chain for
- * a policy is processed (or until a required module fails). A module fails by
- * returning false or throwing an exception. The order that modules are
- * processed is determined by the order they are registered. For an example of
- * a PAM, see pam_auth_userpass() in sessions.php.
+ * (authentication) and allows multiple policies (user authentication is the
+ * default). There are two control flags possible for each module: sufficient
+ * or required. The entire chain for a policy is processed (or until a
+ * required module fails). A module fails by returning false or throwing an
+ * exception. The order that modules are processed is determined by the order
+ * they are registered. For an example of a PAM, see pam_auth_userpass() in
+ * sessions.php.
*
* For more information on PAMs see:
* http://www.freebsd.org/doc/en/articles/pam/index.html
@@ -27,16 +28,23 @@ $_PAM_HANDLERS_MSG = array();
*
* @param string $handler The handler function in the format
* pam_handler($credentials = NULL);
- * @param string $importance The importance - "sufficient" or "required"
+ * @param string $importance The importance - "sufficient" (default) or "required"
+ * @param string $policy - the policy type, default is "user"
+ * @return boolean
*/
-function register_pam_handler($handler, $importance = "sufficient") {
+function register_pam_handler($handler, $importance = "sufficient", $policy = "user") {
global $_PAM_HANDLERS;
+ // setup array for this type of pam if not already set
+ if (!isset($_PAM_HANDLERS[$policy])) {
+ $_PAM_HANDLERS[$policy] = array();
+ }
+
if (is_callable($handler)) {
- $_PAM_HANDLERS[$handler] = new stdClass;
+ $_PAM_HANDLERS[$policy][$handler] = new stdClass;
- $_PAM_HANDLERS[$handler]->handler = $handler;
- $_PAM_HANDLERS[$handler]->importance = strtolower($importance);
+ $_PAM_HANDLERS[$policy][$handler]->handler = $handler;
+ $_PAM_HANDLERS[$policy][$handler]->importance = strtolower($importance);
return true;
}
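Review bot: `$importance` is stored after `strtolower()` without checking that it is one of the two documented flags, so a misspelled "required" still registers and returns true. How the chain treats an unknown flag is not visible in this hunk, but it is presumably not enforced as required, which would silently weaken the policy. Reject unknown values before the assignment, e.g. `if (!in_array(strtolower($importance), array('sufficient', 'required'), true)) { return false; }`. Separately, `is_callable()` also accepts array callables, which cannot serve as the `[$handler]` array key, so pairing it with `is_string($handler)` would keep the `true` return accurate. The function body continues past the end of this hunk.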
@@ -48,18 +56,19 @@ function register_pam_handler($handler, $importance = "sufficient") {
* Unregisters a PAM handler.
*
* @param string $handler The PAM handler function name
+ * @param string $policy - the policy type, default is "user"
*/
-function unregister_pam_handler($handler) {
+function unregister_pam_handler($handler, $policy = "user") {
global $_PAM_HANDLERS;
- unset($_PAM_HANDLERS[$handler]);
+ unset($_PAM_HANDLERS[$policy][$handler]);
}
/**
* Attempt to authenticate.
* This function will process all registered PAM handlers or stop when the first
* handler fails. A handler fails by either returning false or throwing an
- * exception. The advatange of throwing an exception is that it returns a message
+ * exception. The advantage of throwing an exception is that it returns a message
* through the global $_PAM_HANDLERS_MSG which can be used in communication with
* a user. The order that handlers are processed is determined by the order that
* they were registered.
@@ -69,14 +78,17 @@ function unregister_pam_handler($handler) {
* otherwise retrieved (eg from the HTTP header or $_SESSION).
*
* @param mixed $credentials Mixed PAM handler specific credentials (e.g. username, password)
+ * @param string $policy - the policy type, default is "user"
* @return bool true if authenticated, false if not.
*/
-function pam_authenticate($credentials = NULL) {
+function pam_authenticate($credentials = NULL, $policy = "user") {
global $_PAM_HANDLERS, $_PAM_HANDLERS_MSG;
+ $_PAM_HANDLERS_MSG = array();
+
$authenticated = false;
- foreach ($_PAM_HANDLERS as $k => $v) {
+ foreach ($_PAM_HANDLERS[$policy] as $k => $v) {
$handler = $v->handler;
$importance = $v->importance;
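Review bot: `foreach ($_PAM_HANDLERS[$policy] as $k => $v)` reads an index that exists only after `register_pam_handler()` has been called for that policy, so an unregistered or mistyped policy name produces an undefined-index notice and an invalid-argument warning from `foreach`. From the visible lines `$authenticated` stays false in that case, so the call fails closed, but only as a side effect. Make the denial explicit before the loop: `if (!isset($_PAM_HANDLERS[$policy]) || !is_array($_PAM_HANDLERS[$policy])) { return false; }`. The loop body and the function's return are outside this hunk.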