From c2f3f7ab7f867c7ee76e5cf73fc095e09b602aae Mon Sep 17 00:00:00 2001
From: spelth <lukas.leidinger@gmail.com>
Date: Sat, 2 May 2015 11:30:19 +0200
Subject: [PATCH] Basic Import
---
class.ldap.php | 270 ++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++
1 file changed, 270 insertions(+), 0 deletions(-)
create mode 100644 class.ldap.php
diff --git a/class.ldap.php b/class.ldap.php
new file mode 100644
index 0000000..530f8d7
--- /dev/null
+++ b/class.ldap.php
@@ -0,0 +1,270 @@
+<?php
+global $conf;
+class Ldap {
+ var $cnx;
+ var $config;
+
+ // for debug
+ public function write_log($message){
+ $log = 0;
+ if($log>0){
+ @file_put_contents('/var/log/ldap_login.log',$message."\n",FILE_APPEND);
+ }
+ }
+
+ /**
+ * check ldap configuration
+ *
+ * Dans le cas ou l'acces au ldap est anonyme il faut impérativement faire une recherche
+ * pour tester la connection.
+ *
+ * When OpenLDAP 2.x.x is used, ldap_connect() will always return a resource as it does not actually connect
+ * but just initializes the connecting parameters. The actual connect happens with the next calls
+ * to ldap_* funcs, usually with ldap_bind().
+ */
+ public function check_ldap(){
+ //$this->write_log("[function]> check_ldap");
+ if (!$this->ldap_conn()) {
+ return $this->getErrorString();
+ }
+
+ // test du compte root si renseigné
+ if (!empty($this->config['ld_binddn']) && !empty($this->config['ld_bindpw'])){ // if empty ld_binddn, anonymous search
+ // authentication with rootdn and rootpw for search
+ if (!$this->ldap_bind_as($this->config['ld_binddn'],$this->config['ld_bindpw'])){
+ return $this->getErrorString();
+ }
+ } else {
+ // sinon recherche du basedn (cf comportement ldap_connect avec OpenLDAP)
+ if (!$this->ldap_check_basedn()){ // search userdn
+ return $this->getErrorString();
+ }
+ }
+ return true;
+ }
+
+ public function load_default_config(){
+ $this->config['host'] = 'localhost';
+ $this->config['basedn'] = 'ou=people,dc=example,dc=com'; // racine !
+ $this->config['port'] = ''; // if port is empty, I count on the software to care of it !
+ $this->config['ld_attr'] = 'uid';
+ $this->config['ld_group'] = 'cn=myPiwigoLDAPGroup,cn=users,dc=example,dc=com';
+ $this->config['ld_use_ssl'] = False;
+ $this->config['ld_bindpw'] ='';
+ $this->config['ld_binddn'] ='';
+
+ $this->config['allow_newusers'] = False;
+ $this->config['advertise_admin_new_ldapuser'] = False;
+ $this->config['send_password_by_mail_ldap'] = False;
+ }
+
+ function load_config() {
+ // first we load the base config
+ $conf_file = @file_get_contents( LDAP_LOGIN_PATH.'data.dat' );
+ if ($conf_file!==false)
+ {
+ $this->config = unserialize($conf_file);
+ }
+ }
+
+ function save_config()
+ {
+ $file = fopen( LDAP_LOGIN_PATH.'/data.dat', 'w' );
+ fwrite($file, serialize($this->config) );
+ fclose( $file );
+ }
+
+ function ldap_admin_menu($menu)
+ {
+ array_push($menu,
+ array(
+ 'NAME' => 'Ldap Login',
+ 'URL' => get_admin_plugin_menu_link(LDAP_LOGIN_PATH.'/admin.php') )
+ );
+ return $menu;
+ }
+
+ // LDAP connection public
+ public function ldap_conn(){
+ if( $this->cnx = $this->make_ldap_conn() ){
+ return true;
+ }
+ return false;
+ }
+
+ // LDAP connection private
+ private function make_ldap_conn(){
+ if ($this->config['ld_use_ssl'] == 1){
+ if (empty($this->config['port'])){
+ $this->config['uri'] = 'ldaps://'.$this->config['host'];
+ }
+ else {
+ $this->config['uri'] = 'ldaps://'.$this->config['host'].':'.$this->config['port'];
+ }
+ }
+
+ // now, it's without ssl
+ else {
+ if (empty($this->config['port'])){
+ $this->config['uri'] = 'ldap://'.$this->config['host'];
+ }
+ else {
+ $this->config['uri'] = 'ldap://'.$this->config['host'].':'.$this->config['port'];
+ }
+ }
+
+ if ($conn = @ldap_connect($this->config['uri'])){
+ @ldap_set_option($conn, LDAP_OPT_PROTOCOL_VERSION, 3); // LDAPv3 if possible
+ return $conn;
+ }
+ return false;
+ }
+
+ // return ldap error
+ public function getErrorString(){
+ return ldap_err2str(ldap_errno($this->cnx));
+ }
+
+ // return the name ldap understand
+ public function ldap_name($name){
+ return $this->config['ld_attr'].'='.$name.','.$this->config['basedn'];
+ }
+
+ // authentication public
+ public function ldap_bind_as($user,$user_passwd){
+ $this->write_log("[function]> ldap_bind_as");
+ $this->write_log("[ldap_bind_as]> ".$user.",".$user_passwd);
+ if($this->make_ldap_bind_as($this->cnx,$user,$user_passwd)){
+ $this->write_log("[ldap_bind_as]> Bind was successfull");
+ return true;
+ }
+ return false;
+ }
+
+ // authentication private
+ private function make_ldap_bind_as($conn,$user,$user_passwd){
+ $this->write_log("[function]> make_ldap_bind_as");
+ $this->write_log("[make_ldap_bind_as]> \$conn,".$user.",".$user_passwd);
+ $bind = @ldap_bind($conn,$user,$user_passwd);
+ if($bind){
+ return true;
+ }
+ return false;
+ }
+
+ public function ldap_mail($name){
+ //echo $this->cnx;
+ //echo $this->ldap_name($name);
+ $sr=@ldap_read($this->cnx, $this->ldap_name($name), "(objectclass=*)", array('mail'));
+ $entry = @ldap_get_entries($this->cnx, $sr);
+
+ if (!empty($entry[0]['mail'])) {
+ return $entry[0]['mail'][0];
+ }
+ return False;
+ }
+
+ // return userdn (and username) for authentication
+ public function ldap_search_dn($value_to_search){
+ $this->write_log("[function]> ldap_search_dn(".$value_to_search.")");
+ $filter = '(&(objectCategory=person)('.$this->config['ld_attr'].'='.$value_to_search.'))';
+
+ // connection handling
+ $this->write_log("[ldap_search_dn]> Connecting to server");
+ //if(!$bcnx = $this->make_ldap_conn()){
+ if(!$this->cnx){
+ $this->write_log("[ldap_search_dn]> Cannot connect to server!");
+ return false;
+ }
+ $this->write_log("[ldap_search_dn]> make_ldap_bind_as(\$this->cnx,".$this->config['ld_binddn'].",".$this->config['ld_bindpw'].")");
+ //if(!$this->make_ldap_bind_as($bcnx,$this->config['ld_binddn'],$this->config['ld_bindpw'])){
+ if(!$this->make_ldap_bind_as($this->cnx,$this->config['ld_binddn'],$this->config['ld_bindpw'])){
+ $this->write_log("[ldap_search_dn]> Cannot bind to server!");
+ return false;
+ }
+
+ $this->write_log("[ldap_search_dn]> @ldap_search(\$this->cnx,".$this->config['basedn'].",".$filter.",array('dn'),0,1)");
+
+ // look for our attribute and get always the DN for login
+ //if($search = ldap_search($bcnx,$this->config['basedn'],$filter,array('dn'),0,1)){
+ if($search = @ldap_search($this->cnx,$this->config['basedn'],$filter,array('dn'),0,1)){
+ $this->write_log("[ldap_search_dn]> ldap_search successfull");
+ //$entry = ldap_get_entries($bcnx, $search);
+ $entry = @ldap_get_entries($this->cnx, $search);
+ //if (!empty($entry[0][strtolower($this->config['ld_attr'])][0])) {
+ if (!empty($entry[0]["dn"])) {
+ $this->write_log("[ldap_search_dn]> RESULT: ".$entry[0]["dn"]);
+ //@ldap_unbind($bcnx);
+ return $entry[0]["dn"];
+ }
+ $this->write_log("[ldap_search_dn]> result is empty!");
+ return false;
+ }
+ $this->write_log("[ldap_search_dn]> ldap_search NOT successfull:");
+ return false;
+ }
+
+ // look for LDAP group membership
+ public function check_ldap_group_membership($user_dn,$group_dn){
+ $this->write_log("[function]> check_ldap_group_membership(".$user_dn." , ".$group_dn.")");
+ //if no group specified return true
+ if(!$group_dn){
+ return true;
+ }
+ if(!$this->cnx){
+ $this->write_log("[check_ldap_group_membership]> Cannot connect to server!");
+ return false;
+ }
+ if(!$this->make_ldap_bind_as($this->cnx,$this->config['ld_binddn'],$this->config['ld_bindpw'])){
+ $this->write_log("[check_ldap_group_membership]> Cannot bind to server!");
+ return false;
+ }
+ // search for all memberOf-attributes for a given user_dn
+ $this->write_log("[check_ldap_group_membership]> @ldap_search(\$this->cnx,\"".$user_dn."\",\"(objectClass=*)\", array(\"memberOf\"),0,1)");
+ if($search = @ldap_search($this->cnx, $user_dn, "(objectClass=*)", array("memberOf"),0,1)){
+ $entry = @ldap_get_entries($this->cnx, $search);
+ //check if there are memberof-attributes
+ if(isset($entry[0]["memberof"])){
+ $this->write_log("[check_ldap_group_membership]> Found ". $entry[0]["memberof"]["count"] ." memberOf-attributes");
+ for($i=0; $i < $entry["0"]["memberof"]["count"]; $i++){
+ $this->write_log("[check_ldap_group_membership]> checking: ". $entry["0"]["memberof"][$i]);
+ if(strcmp($group_dn,$entry["0"]["memberof"][$i]) == 0){
+ $this->write_log("[check_ldap_group_membership]> Match found for \"". $group_dn ."\" AND \"".$entry["0"]["memberof"][$i]."\"");
+ return true;
+ }
+ }
+ } else {
+ $this->write_log("[check_ldap_group_membership]> No groups found for given user, check on ldap side");
+ }
+ } else {
+ $this->write_log("[check_ldap_group_membership]> ldap_search NOT successfull: " .$this->getErrorString());
+ }
+ $this->write_log("[check_ldap_group_membership]> No matching groups found for given group_dn: ". $group_dn);
+ return false;
+ }
+
+
+ public function getAttr() {
+ $search = @ldap_read($this->cnx, "cn=subschema", "(objectClass=*)", array('*', 'subschemasubentry'));
+ $entries = @ldap_get_entries($this->cnx, $search);
+ echo count($entries);
+ }
+
+ public function getRootDse() {
+ $search = @ldap_read($this->cnx, NULL, 'objectClass=*', array("*", "+"));
+ $entries = @ldap_get_entries($this->cnx, $search);
+ return $entries[0];
+ }
+
+
+ public function ldap_check_basedn(){
+ if ($read = @ldap_read($this->cnx,$this->config['basedn'],'(objectClass=*)',array('dn'))){
+ $entry = @ldap_get_entries($this->cnx, $read);
+ if (!empty($entry[0]['dn'])) {
+ return true;
+ }
+ }
+ return false;
+ }
+}
+?>
--
libgit2 0.22.2