modules/pam_auth/pam_auth.module

<?php

/**
 * @file
 * This module allows to your Drupal users to authenticate against one or various 
 * PAM Unix accounts.
 */

/**
 * Implementation of hook_help().
 */
function pam_auth_help($section) {
  
  switch ($section) {
    case 'admin/help#pam_auth':
      return t("<p>The \"pam_auth\" module lets users log in using a PAM Unix account.</p>");
    case 'admin/settings/pam_auth':
      return t("<p>Users can log into %this-site using their Unix username and password via PAM.</p>",
                array('%this-site' => variable_get('site_name', 'this web site')));
    case 'user/help#pam_auth':
      return t("<p>!PAM stands for Pluggable Authentication Modules.  It's the method by which users authenticate to their Unix accounts.</p><p>You can log into !this-site using your system username and password.",
                array('!PAM' => l('PAM', 'http://en.wikipedia.org/wiki/Pluggable_Authentication_Modules', array('target' => '_blank')),
                      '!this-site' => variable_get('site_name', 'this web site')
                      )
              );
  }
}

/**
 * Implementation of hook_menu().
 */
function pam_auth_menu($may_cache) {

  $items = array();
  $items[] = array(
    'path' => 'admin/settings/pam_auth',
    'title' => t('PAM auth'),
    'description' => t('Choose PAM services to authenticate users.'),
    'callback' => 'drupal_get_form',
    'callback arguments' => array('pam_auth_admin_settings'),
    'access' => user_access('administer site configuration'),
   );
   return $items;
}

/**
 * Implementation of hook_form_alter().
 */
function pam_auth_form_alter($form_id, &$form) {

  switch ($form_id) {
    case 'user_login':
    case 'user_login_block':
      // Add pam_auth authentication if it's enabled.
      if (!empty($form_state['post']['name']) && variable_get('pam_auth_enabled', FALSE)) {
        $form['#validate'][] = 'pam_auth_distributed_validate';
      }
      if (variable_get('pam_auth_enabled', FALSE) && !variable_get('pam_auth_disable_password_changes', FALSE)) {
        unset($form['links']);
      }
      break;
    case 'user_edit':
      if (variable_get('pam_auth_enabled', FALSE) && !variable_get('pam_auth_disable_password_changes', FALSE)) {
        unset($form['account']['pass']);
      }
      break;
    case 'user_pass':
      if (variable_get('pam_auth_enabled', FALSE) && !variable_get('pam_auth_disable_password_changes', FALSE)) {
        $form = array(
          '#value' => t(variable_get('ldap_user_pass_form', '<h2>Form disabled by administrator.</h2>')),
        );
      }
      break;
  }
}

/**
 * Attempt to authenticate using the presented credentials
 *
 * @return boolean
 */
function pam_auth_auth($username, $password) {
  
  //PAM extension not loaded
  if (!function_exists('pam_auth')) {
    watchdog('php', t('Auth-PAM extension not loaded. PAM Auth module couldn\'t be used to authenticate users.'), WATCHDOG_WARNING);
    return FALSE;
  }
  
  //PAM Auth not enabled
  if (variable_get('pam_auth_enabled', 0) == 0) {
    return FALSE;
  }

  if (pam_auth($username, $password, &$error)) {
    return TRUE;
  } else {
    watchdog('pam_auth', t('PAM Authentication failed: @error', array('@error' => $error)));
    return FALSE;
  }
}

/**
 * A custom validate handler on the login form. Checks supplied username/password against PAM.
 *
 * @return boolean
 **/
function pam_auth_distributed_validate($form, &$form_state) {
  global $user;

  if ($user->uid) {
    return;
  }

  $name = $form_state['values']['name'];
  $pass = trim($form_state['values']['pass']);

  if (pam_auth_auth($name, $pass)) {
    // We have a successful authentication. Login or register the user.
    user_external_login_register($name, 'pam_auth');
  }
}

/**
 * 
 */
function pam_auth_admin_settings() {
  // Check if PHP IMAP module is loaded
  if (!_pam_auth_install_check()) {
    return;
  }
  $form['pam_auth_enabled'] = array(
    '#type' => 'radios',
    '#title' => t("PAM authentication"),
    '#default_value' => variable_get('pam_auth_enabled', 0), 
    '#options' => array(t('Disabled'), t('Enabled')),
    '#description' => t('If enabled, your Drupal site will to authenticate users against PAM logins.'),
  );
  $form['pam_auth_disable_password_changes'] = array(
    '#type' => 'radios',
    '#title' => t("Password changing forms"),
    '#default_value' => variable_get('pam_auth_disable_password_changes', 0), 
    '#options' => array(t('Disabled'), t('Enabled')),
    '#description' => t('If enabled, your Drupal site will still allow users to change passwords. Should be disabled.'),
  );

  return system_settings_form($form);
}

/**
 * Check to make sure that the PAM functions are installed in PHP,
 * and if not, display an error
 */
function _pam_auth_install_check() {
  if (!function_exists('pam_auth')) {
    drupal_set_message(t('You must compile PHP with !php_pam and enable the Auth-PAM extension in your !php_ini file.',
                                           array('!php_pam' => l('PAM', 'http://packages.debian.org/etch/php5-auth-pam'),
                                                 '!php_ini' => l('php.ini', 'http://www.php.net/configuration#configuration.file')
                                                 )), 'error');
    return FALSE;
  }
  return TRUE;
}
1	<?php
2
3	/**
4	* @file
5	* This module allows to your Drupal users to authenticate against one or various
6	* PAM Unix accounts.
7	*/
8
9	/**
10	* Implementation of hook_help().
11	*/
12	function pam_auth_help($section) {
13
14	switch ($section) {
15	case 'admin/help#pam_auth':
16	return t("<p>The \"pam_auth\" module lets users log in using a PAM Unix account.</p>");
17	case 'admin/settings/pam_auth':
18	return t("<p>Users can log into %this-site using their Unix username and password via PAM.</p>",
19	array('%this-site' => variable_get('site_name', 'this web site')));
20	case 'user/help#pam_auth':
21	return t("<p>!PAM stands for Pluggable Authentication Modules. It's the method by which users authenticate to their Unix accounts.</p><p>You can log into !this-site using your system username and password.",
22	array('!PAM' => l('PAM', 'http://en.wikipedia.org/wiki/Pluggable_Authentication_Modules', array('target' => '_blank')),
23	'!this-site' => variable_get('site_name', 'this web site')
24	)
25	);
26	}
27	}
28
29	/**
30	* Implementation of hook_menu().
31	*/
32	function pam_auth_menu($may_cache) {
33
34	$items = array();
35	$items[] = array(
36	'path' => 'admin/settings/pam_auth',
37	'title' => t('PAM auth'),
38	'description' => t('Choose PAM services to authenticate users.'),
39	'callback' => 'drupal_get_form',
40	'callback arguments' => array('pam_auth_admin_settings'),
41	'access' => user_access('administer site configuration'),
42	);
43	return $items;
44	}
45
46	/**
47	* Implementation of hook_form_alter().
48	*/
49	function pam_auth_form_alter($form_id, &$form) {
50
51	switch ($form_id) {
52	case 'user_login':
53	case 'user_login_block':
54	// Add pam_auth authentication if it's enabled.
55	if (!empty($form_state['post']['name']) && variable_get('pam_auth_enabled', FALSE)) {
56	$form['#validate'][] = 'pam_auth_distributed_validate';
57	}
58	if (variable_get('pam_auth_enabled', FALSE) && !variable_get('pam_auth_disable_password_changes', FALSE)) {
59	unset($form['links']);
60	}
61	break;
62	case 'user_edit':
63	if (variable_get('pam_auth_enabled', FALSE) && !variable_get('pam_auth_disable_password_changes', FALSE)) {
64	unset($form['account']['pass']);
65	}
66	break;
67	case 'user_pass':
68	if (variable_get('pam_auth_enabled', FALSE) && !variable_get('pam_auth_disable_password_changes', FALSE)) {
69	$form = array(
70	'#value' => t(variable_get('ldap_user_pass_form', '<h2>Form disabled by administrator.</h2>')),
71	);
72	}
73	break;
74	}
75	}
76
77	/**
78	* Attempt to authenticate using the presented credentials
79	*
80	* @return boolean
81	*/
82	function pam_auth_auth($username, $password) {
83
84	//PAM extension not loaded
85	if (!function_exists('pam_auth')) {
86	watchdog('php', t('Auth-PAM extension not loaded. PAM Auth module couldn\'t be used to authenticate users.'), WATCHDOG_WARNING);
87	return FALSE;
88	}
89
90	//PAM Auth not enabled
91	if (variable_get('pam_auth_enabled', 0) == 0) {
92	return FALSE;
93	}
94
95	if (pam_auth($username, $password, &$error)) {
96	return TRUE;
97	} else {
98	watchdog('pam_auth', t('PAM Authentication failed: @error', array('@error' => $error)));
99	return FALSE;
100	}
101	}
102
103	/**
104	* A custom validate handler on the login form. Checks supplied username/password against PAM.
105	*
106	* @return boolean
107	**/
108	function pam_auth_distributed_validate($form, &$form_state) {
109	global $user;
110
111	if ($user->uid) {
112	return;
113	}
114
115	$name = $form_state['values']['name'];
116	$pass = trim($form_state['values']['pass']);
117
118	if (pam_auth_auth($name, $pass)) {
119	// We have a successful authentication. Login or register the user.
120	user_external_login_register($name, 'pam_auth');
121	}
122	}
123
124	/**
125	*
126	*/
127	function pam_auth_admin_settings() {
128	// Check if PHP IMAP module is loaded
129	if (!_pam_auth_install_check()) {
130	return;
131	}
132	$form['pam_auth_enabled'] = array(
133	'#type' => 'radios',
134	'#title' => t("PAM authentication"),
135	'#default_value' => variable_get('pam_auth_enabled', 0),
136	'#options' => array(t('Disabled'), t('Enabled')),
137	'#description' => t('If enabled, your Drupal site will to authenticate users against PAM logins.'),
138	);
139	$form['pam_auth_disable_password_changes'] = array(
140	'#type' => 'radios',
141	'#title' => t("Password changing forms"),
142	'#default_value' => variable_get('pam_auth_disable_password_changes', 0),
143	'#options' => array(t('Disabled'), t('Enabled')),
144	'#description' => t('If enabled, your Drupal site will still allow users to change passwords. Should be disabled.'),
145	);
146
147	return system_settings_form($form);
148	}
149
150	/**
151	* Check to make sure that the PAM functions are installed in PHP,
152	* and if not, display an error
153	*/
154	function _pam_auth_install_check() {
155	if (!function_exists('pam_auth')) {
156	drupal_set_message(t('You must compile PHP with !php_pam and enable the Auth-PAM extension in your !php_ini file.',
157	array('!php_pam' => l('PAM', 'http://packages.debian.org/etch/php5-auth-pam'),
158	'!php_ini' => l('php.ini', 'http://www.php.net/configuration#configuration.file')
159	)), 'error');
160	return FALSE;
161	}
162	return TRUE;
163	}