Authentication Methods

// From inc/auth.class.php:74-82
class Auth extends CommonGLPI {
    public const DB_GLPI  = 1;  // Local database
    public const MAIL     = 2;  // Mail server (IMAP/POP)
    public const LDAP     = 3;  // LDAP directory
    public const EXTERNAL = 4;  // External SSO
    public const CAS      = 5;  // CAS server
    public const X509     = 6;  // X.509 certificates
    public const API      = 7;  // API token
    public const COOKIE   = 8;  // Remember me cookie
}

// From inc/auth.class.php:740-1077
public function login($login_name, $login_password, $noauto, $remember_me, $login_auth) {
    // 1. Try alternate auth (OIDC, CAS, External SSO)
    if ($authtype = checkAlternateAuthSystems()) {
        // Auto-redirect to external provider
    }
    
    // 2. Try local database authentication
    if ($this->connection_db($login_name, $login_password)) {
        // Local auth successful
    }
    
    // 3. Try LDAP authentication
    if (Toolbox::canUseLdap()) {
        AuthLDAP::tryLdapAuth($this, $login_name, $login_password);
    }
    
    // 4. Try Mail server authentication
    AuthMail::tryMailAuth($this, $login_name, $login_password);
}

// From inc/auth.class.php:352-356
public static function getPasswordHash($pass) {
    return password_hash($pass, PASSWORD_DEFAULT);
}

// Modern bcrypt/argon2 hashing with automatic salt

// From inc/auth.class.php:309-326
public static function checkPassword($pass, $hash) {
    // Supports multiple hash formats for backward compatibility:
    // - Modern: password_verify() for bcrypt/argon2
    // - Legacy: MD5 (32 chars)
    // - Legacy: SHA1 (40 chars)
    // - Legacy: Salted SHA1
}

// From inc/auth.class.php:377-434
$password_expiration_delay    // Days until password expires
$password_expiration_lock_delay   // Additional days before account locks

// Automatic account disable on expiration + lock delay
if ($lock_date < current_time) {
    $user->update(['is_active' => 0]);
}

// From inc/authldap.class.php:120-144
'host'              // LDAP server hostname
'port'              // Port (default: 389)
'basedn'            // Base DN for searches
'rootdn'            // Bind DN (optional)
'rootdn_passwd'     // Bind password (encrypted)
'login_field'       // Attribute containing username (e.g., 'uid', 'sAMAccountName')
'sync_field'        // Unique sync field (e.g., 'objectGUID', 'entryUUID')
'use_tls'           // Enable TLS encryption
'condition'         // LDAP filter for user search

// From inc/authldap.class.php:157-189
'port' => 389
'login_field' => 'samaccountname'
'sync_field' => 'objectguid'
'condition' => '(&(objectClass=user)(objectCategory=person)(!(userAccountControl:1.2.840.113556.1.4.803:=2)))'

// From inc/auth.class.php:237-297
public function connection_ldap($ldap_method, $login, $password) {
    // 1. Connect to LDAP server
    $this->ldap_connection = AuthLDAP::tryToConnectToServer(
        $ldap_method, $login, $password
    );
    
    // 2. Search for user DN
    $infos = AuthLDAP::searchUserDn($this->ldap_connection, [
        'basedn' => $ldap_method['basedn'],
        'login_field' => $ldap_method['login_field'],
        'user_params' => ['value' => $login],
        'condition' => $ldap_method['condition']
    ]);
    
    // 3. Attempt bind with user credentials
    if (@ldap_bind($this->ldap_connection, $dn, $password)) {
        return $infos;  // Authentication successful
    }
}

// From inc/authldap.class.php:1386-1418
public static function getSyncFields($authtype_array) {
    return [
        'login_field' => 'name',
        'email1_field' => 'email1',
        'realname_field' => 'realname',
        'firstname_field' => 'firstname',
        'phone_field' => 'phone',
        'mobile_field' => 'mobile',
        'title_field' => 'usertitles_id',
        'category_field' => 'usercategories_id',
        'language_field' => 'language',
        'registration_number_field' => 'registration_number',
        'picture_field' => 'picture',
        'responsible_field' => 'users_id_supervisor'
    ];
}

// From inc/authldap.class.php:787-820
'group_field'           // User attribute with group membership
'group_condition'       // LDAP filter for groups
'group_search_type'     // Search in users, groups, or both
'group_member_field'    // Group attribute listing members
'use_dn'                // Use Distinguished Names in search

public const GROUP_SEARCH_USER  = 0;  // Search in user objects
public const GROUP_SEARCH_GROUP = 1;  // Search in group objects  
public const GROUP_SEARCH_BOTH  = 2;  // Search both

// Multiple LDAP servers in priority order
Primary: ldap1.company.com:389
Replicate 1: ldap2.company.com:389
Replicate 2: ldap3.company.com:389

// From inc/authldap.class.php:64-88
public const DELETED_USER_PRESERVE = 0;  // Keep unchanged
public const DELETED_USER_DELETE = 1;    // Move to trash
public const DELETED_USER_WITHDRAWDYNINFO = 2;  // Remove dynamic info
public const DELETED_USER_DISABLE = 3;   // Disable account
public const DELETED_USER_DISABLEANDWITHDRAWDYNINFO = 4;  // Both

// From inc/oidc.class.php:52-67
'Provider'          // OIDC provider URL (e.g., https://auth.company.com)
'ClientID'          // OAuth2 client ID
'ClientSecret'      // OAuth2 client secret (encrypted)
'scope'             // Requested scopes (comma-separated)
'proxy'             // HTTP proxy (optional)
'cert'              // SSL certificate path (optional)
'sso_link_users'    // Link to existing local users?

// From inc/oidc.class.php:124-146
1. User clicks "Login with SSO"
2. Redirect to OIDC provider
3. User authenticates at provider
4. Provider redirects back with authorization code
5. Exchange code for tokens
6. Request user info from provider
7. Create or link user account
8. Establish session

// From inc/oidc.class.php:158-170
// Custom field mapping via glpi_oidc_mapping table
$mapping = [
    'name' => 'preferred_username',  // Username field from OIDC
    'email' => 'email',
    'firstname' => 'given_name',
    'realname' => 'family_name'
];

// Default to standard OIDC claims:
'name' or 'sub'     // Username
'email'             // Email address
'given_name'        // First name
'family_name'       // Last name

// From inc/oidc.class.php:171-200
// If user doesn't exist:
if ($newUser && $auth_username) {
    $user->add([
        'name' => $auth_username,
        '_extauth' => 1,  // Mark as external auth
    ]);
}

// Link existing users if:
// 1. sso_link_users is enabled, OR
// 2. User's authtype is already EXTERNAL

// From inc/oidc.class.php:91-122
// Preserve requested page through login:
1. Store requested URL in cookie before redirect
2. After authentication, redirect to original page
3. Cookie expires after 5 minutes for security

// From inc/auth.class.php:182-225
public function connection_imap($host, $login, $pass) {
    // Parse server string: {server:port/protocol/ssl}
    $config = Toolbox::parseMailServerConnectString($host);
    
    // Connect and attempt login
    $protocol->connect($config['address'], $config['port'], $ssl);
    return $protocol->login($login, $pass);
}

// From inc/auth.class.php:540-573
'ssovariables_id'   // Select server variable (REMOTE_USER, HTTP_AUTH_USER, etc.)

// Common variables:
$_SERVER['REMOTE_USER']         // Apache mod_auth
$_SERVER['HTTP_AUTH_USER']      // Custom SSO headers
$_SERVER['SSL_CLIENT_S_DN']     // X.509 certificates

// From inc/auth.class.php:558-563
'existing_auth_server_field_clean_domain' => true

// Removes domain from username:
'DOMAIN\username' → 'username'
'username@domain' → 'username'

// CAS configuration (global settings)
'cas_host'      // CAS server hostname
'cas_port'      // CAS server port
'cas_uri'       // CAS URI path
'cas_version'   // CAS protocol version (1.0, 2.0, 3.0)

// From inc/auth.class.php:575-624
'x509_email_field'  // Certificate field for email (CN, Email, etc.)
'x509_ou_restrict'  // Restrict by Organizational Unit
'x509_o_restrict'   // Restrict by Organization
'x509_cn_restrict'  // Restrict by Common Name

// Certificate subject parsing:
// CN=john.doe/OU=IT/O=Company/C=US/[email protected]

// From apirest.md:56-60
// User Preference → Remote Access Key
'api_token'  // Personal API token

// Usage:
Authorization: user_token {token}

# From apirest.md:100-117
# With user token:
curl -X GET \
  -H "Authorization: user_token q56hqkniwot8wntb3z1qarka5atf365taaa2uyjrn" \
  'http://glpi/apirest.php/initSession'

# With login/password:
curl -X GET \
  -H "Authorization: Basic base64(login:password)" \
  'http://glpi/apirest.php/initSession'

// From inc/auth.class.php:769-954
1. Check for alternate auth (OIDC, CAS, External SSO)
   → If configured, auto-redirect
   
2. Try local database if:
   → No login_auth specified, OR
   → login_auth = 'local'
   
3. Try LDAP if:
   → LDAP enabled AND
   → Not authenticated yet
   
4. Try Mail if:
   → Mail auth enabled AND
   → Not authenticated yet

// From inc/auth.class.php:637-662
'login_remember_time'  // Cookie lifetime (seconds)

// Cookie contains:
[
    user_id,
    hashed_token
]

// Validated on each request
if (Auth::checkPassword($cookie_token, $stored_hash)) {
    // Auto-login user
}

// Rules processed after successful authentication
$rules = new RuleRightCollection();
$result = $rules->processAllRules(
    $groups_id,
    $user_data,
    ['type' => Auth::LDAP, 'login' => $username, 'email' => $email]
);

// glpi_users table
'authtype'  // Authentication method ID
'auths_id'  // Specific auth source ID (e.g., LDAP server ID)
'user_dn'   // LDAP Distinguished Name (if applicable)
'sync_field' // Unique identifier for sync

User: jdoe
  └─ authtype: LDAP (3)
     auths_id: 1 (Company AD)
     
User: admin
  └─ authtype: DB_GLPI (1)
     auths_id: 0 (local)

// Logs all authentication attempts
Event::log(0, "system", 3, "login", 
    sprintf(__('Failed login for %1$s from IP %2$s'), $login, $ip)
);

// In config/local_define.php
define('GLPI_LOG_LVL', 4);  // Debug level

// Check logs in:
files/_log/php-errors.log
files/_log/event.log