
login.php

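<?php

require_once("includes.php");

/*
 * login.php -- authenticate a directory user against LDAP and hand out a
 * session.
 *
 * Pages that require a login redirect here (via a Location: header) when the
 * visitor has no bound session yet.  The visitor supplies either a username
 * (expanded to a DN under LDAP_BASE_DN_PEOPLE) or an explicit DN, plus a
 * password.  We attempt an LDAP bind with those credentials via
 * do_ldap_connect() and, on success, record the binding in the session.
 *
 * The bind credentials are kept in the session because every page that talks
 * to LDAP has to rebind: the LDAP connection identifier does not survive the
 * end of a request (PHP 4.2 destroyed it unconditionally at script exit), so
 * the connection itself cannot be carried across page loads.  Storing the
 * plaintext password server-side is a consequence of that design; it means
 * the session store (files, database, ...) must be protected as carefully as
 * the directory password itself, and the session cookie should be sent over
 * HTTPS only.
 *
 * Security properties of this revision (requires PHP >= 5.6 for
 * ldap_escape()):
 *  - credentials are submitted with POST, not GET, so they do not end up in
 *    the query string (web-server access logs, browser history, Referer);
 *  - the username is DN-escaped before it is spliced into the bind DN, so a
 *    crafted value such as "foo,ou=admins" cannot change which entry is
 *    bound;
 *  - the session id is regenerated after a successful bind to defeat session
 *    fixation;
 *  - the only user-controlled value reflected to the browser (the DN in the
 *    bind-failure message) is HTML-escaped.
 */

session_start();

/* ?clearsession drops any existing binding; it is deliberately a GET so a plain
 * link can trigger it.  The worst a cross-site request can do with it is log
 * the user out. */
if (isset($_GET["clearsession"]))
        session_unset();

if (isset($_SESSION["bind_dn"]))
        die("error: session already bound");

if (isset($_POST["submitted"])) {

        /* Normalise the three form fields to strings; a missing field is "". */
        $username = isset($_POST["username"]) ? (string) $_POST["username"] : "";
        $explicit_dn = isset($_POST["ldapdn"]) ? (string) $_POST["ldapdn"] : "";
        $password = isset($_POST["password"]) ? (string) $_POST["password"] : "";

        /* Username and DN are alternatives, and at least one is required. */
        if ($username !== "" && $explicit_dn !== "")
                die("error: use of username and DN are mutually exclusive.");
        if ($username === "" && $explicit_dn === "")
                die("error: no username or DN given!");

        if ($username !== "") {
                /*
                 * Escape the RFC 4514 DN special characters (',', '+', '"',
                 * '\', '<', '>', ';', '=', leading/trailing spaces) so the
                 * submitted value can only ever be the RDN value, never an
                 * additional RDN.
                 */
                $ldapdn = LDAP_USER_KEY . "=" .
                          ldap_escape($username, "", LDAP_ESCAPE_DN) . "," .
                          LDAP_BASE_DN_PEOPLE;
        } else {
                /*
                 * An explicit DN is taken as-is: it is the whole DN, so there
                 * is nothing to inject into.  Whether that DN is allowed to
                 * log in is the directory server's decision at bind time.
                 */
                $ldapdn = $explicit_dn;
        }

        /*
         * Strict comparison rather than empty(): empty("0") is true and would
         * reject a legitimate password of "0".  An empty password must be
         * refused because most directory servers treat a bind with an empty
         * password as an anonymous bind, which "succeeds" for any DN.
         */
        if ($password === "")
                die("error: no password given!!!");

        /* The DN is user-controlled; escape it before echoing it back. */
        if (!do_ldap_connect($ldapdn, $password))
                die(sprintf("ldap_bind failed as %s (bad password?)",
                            htmlspecialchars($ldapdn,
                                             ENT_QUOTES | ENT_SUBSTITUTE,
                                             "UTF-8")));

        /*
         * The bind succeeded.  Issue a fresh session id before storing anything
         * privileged in the session, so that a session id an attacker planted
         * in the browser before login (session fixation) never becomes an
         * authenticated one.  The old session data is discarded.
         */
        session_regenerate_id(true);

        $_SESSION["bind_user"] = $username;
        $_SESSION["bind_pass"] = $password;
        $_SESSION["bind_dn"] = $ldapdn;

        /*
         * At this point the user is logged in and the session is set up.  Now
         * redirect them to their originally requested page, if there was one.
         * Otherwise, inform them they are logged in and display a navbar.
         *
         * NOTE(review): $_SESSION["requested"] is set by whichever page sent
         * us here.  If it is derived from the request URI, that page should
         * restrict it to a local path, otherwise this redirect could be
         * steered to an external site (open redirect).  Not verifiable from
         * this file.
         *
         * Note: as of this writing, the server is set to use users.php as the
         * directoryindex, so actually that page will be requested even if the
         * user doesn't specify one, which means the `else' clause below is
         * never reached.  Probably good to leave it in though, in case the
         * server configuration changes.
         */

        if (isset($_SESSION["requested"]))
                redirect($_SESSION["requested"]);
        else {
                pagehead("Corporate Directory - Logged in",
                         "Login Page", MENU_NAVBAR_HEADER);
?>
                <p>
                <hr>
                You are now logged in.  Please select one of the pages from the
                navigation links above.
<?php   }
} else {
        pagehead("Corporate Directory - Login", "Login Page", NULL);
?>
        <p>
        Please enter your Corporate login to access these directory pages.

        <p>
        Your login credentials will allow you to make modifications to
        directory entries that you are listed as the owner of, and to
        see all of the information available to you specifically.

        <p>
        You can login as your normal username, or as a specific
        LDAP Distinguished Name (i.e., for administrative access).

        <hr>

        <!-- POST so the password never appears in a URL, log line or Referer -->
        <form action="/<?php echo(LOGINPAGE)?>" method="post">
        <input type=hidden name=submitted>

        <p>
        Username:
        <input type=text name=username size=20 maxlength=40> &nbsp;
        <strong> -OR- </strong>
        LDAP DN:
        <input type=text name=ldapdn size=40 maxlength=80> &nbsp;

        <br>
        Password:
        <input type=password name=password size=20 maxlength=20> &nbsp;

        <p>
        <input type=submit value=login>

        </form>
<?php
}

pagefoot();

?>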