Commit c2f3f7ab7f867c7ee76e5cf73fc095e09b602aae

Authored by spelth
1 parent a4831b3b

Basic Import

Showing 1 changed file with 270 additions and 0 deletions
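--- /dev/null
+++ b/class.ldap.php
@@ -0,0 +1,270 @@
+<?php
+global $conf;
+class Ldap {
+ var $cnx;
+ var $config;
+
+ // for debug
+ public function write_log($message){
+ $log = 0;
+ if($log>0){
+ @file_put_contents('/var/log/ldap_login.log',$message."\n",FILE_APPEND);
+ }
+ }
+
+ /**
+ * check ldap configuration
+ *
+ * Dans le cas ou l'acces au ldap est anonyme il faut impérativement faire une recherche
+ * pour tester la connection.
+ *
+ * When OpenLDAP 2.x.x is used, ldap_connect() will always return a resource as it does not actually connect
+ * but just initializes the connecting parameters. The actual connect happens with the next calls
+ * to ldap_* funcs, usually with ldap_bind().
+ */
+ public function check_ldap(){
+ //$this->write_log("[function]> check_ldap");
+ if (!$this->ldap_conn()) {
+ return $this->getErrorString();
+ }
+
+ // test du compte root si renseigné
+ if (!empty($this->config['ld_binddn']) && !empty($this->config['ld_bindpw'])){ // if empty ld_binddn, anonymous search
+ // authentication with rootdn and rootpw for search
+ if (!$this->ldap_bind_as($this->config['ld_binddn'],$this->config['ld_bindpw'])){
+ return $this->getErrorString();
+ }
+ } else {
+ // sinon recherche du basedn (cf comportement ldap_connect avec OpenLDAP)
+ if (!$this->ldap_check_basedn()){ // search userdn
+ return $this->getErrorString();
+ }
+ }
+ return true;
+ }
+
+ public function load_default_config(){
+ $this->config['host'] = 'localhost';
+ $this->config['basedn'] = 'ou=people,dc=example,dc=com'; // racine !
+ $this->config['port'] = ''; // if port is empty, I count on the software to care of it !
+ $this->config['ld_attr'] = 'uid';
+ $this->config['ld_group'] = 'cn=myPiwigoLDAPGroup,cn=users,dc=example,dc=com';
+ $this->config['ld_use_ssl'] = False;
+ $this->config['ld_bindpw'] ='';
+ $this->config['ld_binddn'] ='';
+
+ $this->config['allow_newusers'] = False;
+ $this->config['advertise_admin_new_ldapuser'] = False;
+ $this->config['send_password_by_mail_ldap'] = False;
+ }
+
+ function load_config() {
+ // first we load the base config
+ $conf_file = @file_get_contents( LDAP_LOGIN_PATH.'data.dat' );
+ if ($conf_file!==false)
+ {
+ $this->config = unserialize($conf_file);
+ }
+ }
+
+ function save_config()
+ {
+ $file = fopen( LDAP_LOGIN_PATH.'/data.dat', 'w' );
+ fwrite($file, serialize($this->config) );
+ fclose( $file );
+ }
+
+ function ldap_admin_menu($menu)
+ {
+ array_push($menu,
+ array(
+ 'NAME' => 'Ldap Login',
+ 'URL' => get_admin_plugin_menu_link(LDAP_LOGIN_PATH.'/admin.php') )
+ );
+ return $menu;
+ }
+
+ // LDAP connection public
+ public function ldap_conn(){
+ if( $this->cnx = $this->make_ldap_conn() ){
+ return true;
+ }
+ return false;
+ }
+
+ // LDAP connection private
+ private function make_ldap_conn(){
+ if ($this->config['ld_use_ssl'] == 1){
+ if (empty($this->config['port'])){
+ $this->config['uri'] = 'ldaps://'.$this->config['host'];
+ }
+ else {
+ $this->config['uri'] = 'ldaps://'.$this->config['host'].':'.$this->config['port'];
+ }
+ }
+
+ // now, it's without ssl
+ else {
+ if (empty($this->config['port'])){
+ $this->config['uri'] = 'ldap://'.$this->config['host'];
+ }
+ else {
+ $this->config['uri'] = 'ldap://'.$this->config['host'].':'.$this->config['port'];
+ }
+ }
+
+ if ($conn = @ldap_connect($this->config['uri'])){
+ @ldap_set_option($conn, LDAP_OPT_PROTOCOL_VERSION, 3); // LDAPv3 if possible
+ return $conn;
+ }
+ return false;
+ }
+
+ // return ldap error
+ public function getErrorString(){
+ return ldap_err2str(ldap_errno($this->cnx));
+ }
+
+ // return the name ldap understand
+ public function ldap_name($name){
+ return $this->config['ld_attr'].'='.$name.','.$this->config['basedn'];
+ }
+
+ // authentication public
+ public function ldap_bind_as($user,$user_passwd){
+ $this->write_log("[function]> ldap_bind_as");
+ $this->write_log("[ldap_bind_as]> ".$user.",".$user_passwd);
+ if($this->make_ldap_bind_as($this->cnx,$user,$user_passwd)){
+ $this->write_log("[ldap_bind_as]> Bind was successfull");
+ return true;
+ }
+ return false;
+ }
+
+ // authentication private
+ private function make_ldap_bind_as($conn,$user,$user_passwd){
+ $this->write_log("[function]> make_ldap_bind_as");
+ $this->write_log("[make_ldap_bind_as]> \$conn,".$user.",".$user_passwd);
+ $bind = @ldap_bind($conn,$user,$user_passwd);
+ if($bind){
+ return true;
+ }
+ return false;
+ }
+
+ public function ldap_mail($name){
+ //echo $this->cnx;
+ //echo $this->ldap_name($name);
+ $sr=@ldap_read($this->cnx, $this->ldap_name($name), "(objectclass=*)", array('mail'));
+ $entry = @ldap_get_entries($this->cnx, $sr);
+
+ if (!empty($entry[0]['mail'])) {
+ return $entry[0]['mail'][0];
+ }
+ return False;
+ }
+
+ // return userdn (and username) for authentication
+ public function ldap_search_dn($value_to_search){
+ $this->write_log("[function]> ldap_search_dn(".$value_to_search.")");
+ $filter = '(&(objectCategory=person)('.$this->config['ld_attr'].'='.$value_to_search.'))';
+
+ // connection handling
+ $this->write_log("[ldap_search_dn]> Connecting to server");
+ //if(!$bcnx = $this->make_ldap_conn()){
+ if(!$this->cnx){
+ $this->write_log("[ldap_search_dn]> Cannot connect to server!");
+ return false;
+ }
+ $this->write_log("[ldap_search_dn]> make_ldap_bind_as(\$this->cnx,".$this->config['ld_binddn'].",".$this->config['ld_bindpw'].")");
+ //if(!$this->make_ldap_bind_as($bcnx,$this->config['ld_binddn'],$this->config['ld_bindpw'])){
+ if(!$this->make_ldap_bind_as($this->cnx,$this->config['ld_binddn'],$this->config['ld_bindpw'])){
+ $this->write_log("[ldap_search_dn]> Cannot bind to server!");
+ return false;
+ }
+
+ $this->write_log("[ldap_search_dn]> @ldap_search(\$this->cnx,".$this->config['basedn'].",".$filter.",array('dn'),0,1)");
+
+ // look for our attribute and get always the DN for login
+ //if($search = ldap_search($bcnx,$this->config['basedn'],$filter,array('dn'),0,1)){
+ if($search = @ldap_search($this->cnx,$this->config['basedn'],$filter,array('dn'),0,1)){
+ $this->write_log("[ldap_search_dn]> ldap_search successfull");
+ //$entry = ldap_get_entries($bcnx, $search);
+ $entry = @ldap_get_entries($this->cnx, $search);
+ //if (!empty($entry[0][strtolower($this->config['ld_attr'])][0])) {
+ if (!empty($entry[0]["dn"])) {
+ $this->write_log("[ldap_search_dn]> RESULT: ".$entry[0]["dn"]);
+ //@ldap_unbind($bcnx);
+ return $entry[0]["dn"];
+ }
+ $this->write_log("[ldap_search_dn]> result is empty!");
+ return false;
+ }
+ $this->write_log("[ldap_search_dn]> ldap_search NOT successfull:");
+ return false;
+ }
+
+ // look for LDAP group membership
+ public function check_ldap_group_membership($user_dn,$group_dn){
+ $this->write_log("[function]> check_ldap_group_membership(".$user_dn." , ".$group_dn.")");
+ //if no group specified return true
+ if(!$group_dn){
+ return true;
+ }
+ if(!$this->cnx){
+ $this->write_log("[check_ldap_group_membership]> Cannot connect to server!");
+ return false;
+ }
+ if(!$this->make_ldap_bind_as($this->cnx,$this->config['ld_binddn'],$this->config['ld_bindpw'])){
+ $this->write_log("[check_ldap_group_membership]> Cannot bind to server!");
+ return false;
+ }
+ // search for all memberOf-attributes for a given user_dn
+ $this->write_log("[check_ldap_group_membership]> @ldap_search(\$this->cnx,\"".$user_dn."\",\"(objectClass=*)\", array(\"memberOf\"),0,1)");
+ if($search = @ldap_search($this->cnx, $user_dn, "(objectClass=*)", array("memberOf"),0,1)){
+ $entry = @ldap_get_entries($this->cnx, $search);
+ //check if there are memberof-attributes
+ if(isset($entry[0]["memberof"])){
+ $this->write_log("[check_ldap_group_membership]> Found ". $entry[0]["memberof"]["count"] ." memberOf-attributes");
+ for($i=0; $i < $entry["0"]["memberof"]["count"]; $i++){
+ $this->write_log("[check_ldap_group_membership]> checking: ". $entry["0"]["memberof"][$i]);
+ if(strcmp($group_dn,$entry["0"]["memberof"][$i]) == 0){
+ $this->write_log("[check_ldap_group_membership]> Match found for \"". $group_dn ."\" AND \"".$entry["0"]["memberof"][$i]."\"");
+ return true;
+ }
+ }
+ } else {
+ $this->write_log("[check_ldap_group_membership]> No groups found for given user, check on ldap side");
+ }
+ } else {
+ $this->write_log("[check_ldap_group_membership]> ldap_search NOT successfull: " .$this->getErrorString());
+ }
+ $this->write_log("[check_ldap_group_membership]> No matching groups found for given group_dn: ". $group_dn);
+ return false;
+ }
+
+
+ public function getAttr() {
+ $search = @ldap_read($this->cnx, "cn=subschema", "(objectClass=*)", array('*', 'subschemasubentry'));
+ $entries = @ldap_get_entries($this->cnx, $search);
+ echo count($entries);
+ }
+
+ public function getRootDse() {
+ $search = @ldap_read($this->cnx, NULL, 'objectClass=*', array("*", "+"));
+ $entries = @ldap_get_entries($this->cnx, $search);
+ return $entries[0];
+ }
+
+
+ public function ldap_check_basedn(){
+ if ($read = @ldap_read($this->cnx,$this->config['basedn'],'(objectClass=*)',array('dn'))){
+ $entry = @ldap_get_entries($this->cnx, $read);
+ if (!empty($entry[0]['dn'])) {
+ return true;
+ }
+ }
+ return false;
+ }
+}
+?>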
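Review bot: `make_ldap_bind_as` hands `$user_passwd` to `ldap_bind` unchecked, so an empty password becomes an unauthenticated bind, which directories configured to allow it report as success and `ldap_bind_as` then treats as a valid login for any existing DN; add `if ($user === '' || $user_passwd === '') { return false; }` before the `ldap_bind` call. `ldap_search_dn` concatenates `$value_to_search` into the search filter and `ldap_name` concatenates `$name` into a DN with no escaping, so filter or DN metacharacters in a submitted username change the query; use `ldap_escape($value_to_search, '', LDAP_ESCAPE_FILTER)` and `ldap_escape($name, '', LDAP_ESCAPE_DN)` at those two sites. The `write_log` calls in `ldap_bind_as`, `make_ldap_bind_as` and `ldap_search_dn` include the user and bind passwords in the message, so turning on the debug log writes plaintext credentials to `/var/log/ldap_login.log`; log only the DN there. Separately, `load_config` reads `LDAP_LOGIN_PATH.'data.dat'` while `save_config` writes `LDAP_LOGIN_PATH.'/data.dat'`, which are different files unless the constant ends with a slash, and round-tripping the config through `unserialize` is harder to keep safe than `json_encode`/`json_decode` with `JSON_THROW_ON_ERROR`.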