Commit c2f3f7ab7f867c7ee76e5cf73fc095e09b602aae
1 parent
a4831b3b
Basic Import
Showing
1 changed file
with
270 additions
and
0 deletions
class.ldap.php
0 → 100644
| 1 | +<?php | |
| 2 | +global $conf; | |
| 3 | +class Ldap { | |
| 4 | + var $cnx; | |
| 5 | + var $config; | |
| 6 | + | |
| 7 | + // for debug | |
| 8 | + public function write_log($message){ | |
| 9 | + $log = 0; | |
| 10 | + if($log>0){ | |
| 11 | + @file_put_contents('/var/log/ldap_login.log',$message."\n",FILE_APPEND); | |
| 12 | + } | |
| 13 | + } | |
| 14 | + | |
| 15 | + /** | |
| 16 | + * check ldap configuration | |
| 17 | + * | |
| 18 | + * Dans le cas ou l'acces au ldap est anonyme il faut impérativement faire une recherche | |
| 19 | + * pour tester la connection. | |
| 20 | + * | |
| 21 | + * When OpenLDAP 2.x.x is used, ldap_connect() will always return a resource as it does not actually connect | |
| 22 | + * but just initializes the connecting parameters. The actual connect happens with the next calls | |
| 23 | + * to ldap_* funcs, usually with ldap_bind(). | |
| 24 | + */ | |
| 25 | + public function check_ldap(){ | |
| 26 | + //$this->write_log("[function]> check_ldap"); | |
| 27 | + if (!$this->ldap_conn()) { | |
| 28 | + return $this->getErrorString(); | |
| 29 | + } | |
| 30 | + | |
| 31 | + // test du compte root si renseigné | |
| 32 | + if (!empty($this->config['ld_binddn']) && !empty($this->config['ld_bindpw'])){ // if empty ld_binddn, anonymous search | |
| 33 | + // authentication with rootdn and rootpw for search | |
| 34 | + if (!$this->ldap_bind_as($this->config['ld_binddn'],$this->config['ld_bindpw'])){ | |
| 35 | + return $this->getErrorString(); | |
| 36 | + } | |
| 37 | + } else { | |
| 38 | + // sinon recherche du basedn (cf comportement ldap_connect avec OpenLDAP) | |
| 39 | + if (!$this->ldap_check_basedn()){ // search userdn | |
| 40 | + return $this->getErrorString(); | |
| 41 | + } | |
| 42 | + } | |
| 43 | + return true; | |
| 44 | + } | |
| 45 | + | |
| 46 | + public function load_default_config(){ | |
| 47 | + $this->config['host'] = 'localhost'; | |
| 48 | + $this->config['basedn'] = 'ou=people,dc=example,dc=com'; // racine ! | |
| 49 | + $this->config['port'] = ''; // if port is empty, I count on the software to care of it ! | |
| 50 | + $this->config['ld_attr'] = 'uid'; | |
| 51 | + $this->config['ld_group'] = 'cn=myPiwigoLDAPGroup,cn=users,dc=example,dc=com'; | |
| 52 | + $this->config['ld_use_ssl'] = False; | |
| 53 | + $this->config['ld_bindpw'] =''; | |
| 54 | + $this->config['ld_binddn'] =''; | |
| 55 | + | |
| 56 | + $this->config['allow_newusers'] = False; | |
| 57 | + $this->config['advertise_admin_new_ldapuser'] = False; | |
| 58 | + $this->config['send_password_by_mail_ldap'] = False; | |
| 59 | + } | |
| 60 | + | |
| 61 | + function load_config() { | |
| 62 | + // first we load the base config | |
| 63 | + $conf_file = @file_get_contents( LDAP_LOGIN_PATH.'data.dat' ); | |
| 64 | + if ($conf_file!==false) | |
| 65 | + { | |
| 66 | + $this->config = unserialize($conf_file); | |
| 67 | + } | |
| 68 | + } | |
| 69 | + | |
| 70 | + function save_config() | |
| 71 | + { | |
| 72 | + $file = fopen( LDAP_LOGIN_PATH.'/data.dat', 'w' ); | |
| 73 | + fwrite($file, serialize($this->config) ); | |
| 74 | + fclose( $file ); | |
| 75 | + } | |
| 76 | + | |
| 77 | + function ldap_admin_menu($menu) | |
| 78 | + { | |
| 79 | + array_push($menu, | |
| 80 | + array( | |
| 81 | + 'NAME' => 'Ldap Login', | |
| 82 | + 'URL' => get_admin_plugin_menu_link(LDAP_LOGIN_PATH.'/admin.php') ) | |
| 83 | + ); | |
| 84 | + return $menu; | |
| 85 | + } | |
| 86 | + | |
| 87 | + // LDAP connection public | |
| 88 | + public function ldap_conn(){ | |
| 89 | + if( $this->cnx = $this->make_ldap_conn() ){ | |
| 90 | + return true; | |
| 91 | + } | |
| 92 | + return false; | |
| 93 | + } | |
| 94 | + | |
| 95 | + // LDAP connection private | |
| 96 | + private function make_ldap_conn(){ | |
| 97 | + if ($this->config['ld_use_ssl'] == 1){ | |
| 98 | + if (empty($this->config['port'])){ | |
| 99 | + $this->config['uri'] = 'ldaps://'.$this->config['host']; | |
| 100 | + } | |
| 101 | + else { | |
| 102 | + $this->config['uri'] = 'ldaps://'.$this->config['host'].':'.$this->config['port']; | |
| 103 | + } | |
| 104 | + } | |
| 105 | + | |
| 106 | + // now, it's without ssl | |
| 107 | + else { | |
| 108 | + if (empty($this->config['port'])){ | |
| 109 | + $this->config['uri'] = 'ldap://'.$this->config['host']; | |
| 110 | + } | |
| 111 | + else { | |
| 112 | + $this->config['uri'] = 'ldap://'.$this->config['host'].':'.$this->config['port']; | |
| 113 | + } | |
| 114 | + } | |
| 115 | + | |
| 116 | + if ($conn = @ldap_connect($this->config['uri'])){ | |
| 117 | + @ldap_set_option($conn, LDAP_OPT_PROTOCOL_VERSION, 3); // LDAPv3 if possible | |
| 118 | + return $conn; | |
| 119 | + } | |
| 120 | + return false; | |
| 121 | + } | |
| 122 | + | |
| 123 | + // return ldap error | |
| 124 | + public function getErrorString(){ | |
| 125 | + return ldap_err2str(ldap_errno($this->cnx)); | |
| 126 | + } | |
| 127 | + | |
| 128 | + // return the name ldap understand | |
| 129 | + public function ldap_name($name){ | |
| 130 | + return $this->config['ld_attr'].'='.$name.','.$this->config['basedn']; | |
| 131 | + } | |
| 132 | + | |
| 133 | + // authentication public | |
| 134 | + public function ldap_bind_as($user,$user_passwd){ | |
| 135 | + $this->write_log("[function]> ldap_bind_as"); | |
| 136 | + $this->write_log("[ldap_bind_as]> ".$user.",".$user_passwd); | |
| 137 | + if($this->make_ldap_bind_as($this->cnx,$user,$user_passwd)){ | |
| 138 | + $this->write_log("[ldap_bind_as]> Bind was successfull"); | |
| 139 | + return true; | |
| 140 | + } | |
| 141 | + return false; | |
| 142 | + } | |
| 143 | + | |
| 144 | + // authentication private | |
| 145 | + private function make_ldap_bind_as($conn,$user,$user_passwd){ | |
| 146 | + $this->write_log("[function]> make_ldap_bind_as"); | |
| 147 | + $this->write_log("[make_ldap_bind_as]> \$conn,".$user.",".$user_passwd); | |
| 148 | + $bind = @ldap_bind($conn,$user,$user_passwd); | |
| 149 | + if($bind){ | |
| 150 | + return true; | |
| 151 | + } | |
| 152 | + return false; | |
| 153 | + } | |
| 154 | + | |
| 155 | + public function ldap_mail($name){ | |
| 156 | + //echo $this->cnx; | |
| 157 | + //echo $this->ldap_name($name); | |
| 158 | + $sr=@ldap_read($this->cnx, $this->ldap_name($name), "(objectclass=*)", array('mail')); | |
| 159 | + $entry = @ldap_get_entries($this->cnx, $sr); | |
| 160 | + | |
| 161 | + if (!empty($entry[0]['mail'])) { | |
| 162 | + return $entry[0]['mail'][0]; | |
| 163 | + } | |
| 164 | + return False; | |
| 165 | + } | |
| 166 | + | |
| 167 | + // return userdn (and username) for authentication | |
| 168 | + public function ldap_search_dn($value_to_search){ | |
| 169 | + $this->write_log("[function]> ldap_search_dn(".$value_to_search.")"); | |
| 170 | + $filter = '(&(objectCategory=person)('.$this->config['ld_attr'].'='.$value_to_search.'))'; | |
| 171 | + | |
| 172 | + // connection handling | |
| 173 | + $this->write_log("[ldap_search_dn]> Connecting to server"); | |
| 174 | + //if(!$bcnx = $this->make_ldap_conn()){ | |
| 175 | + if(!$this->cnx){ | |
| 176 | + $this->write_log("[ldap_search_dn]> Cannot connect to server!"); | |
| 177 | + return false; | |
| 178 | + } | |
| 179 | + $this->write_log("[ldap_search_dn]> make_ldap_bind_as(\$this->cnx,".$this->config['ld_binddn'].",".$this->config['ld_bindpw'].")"); | |
| 180 | + //if(!$this->make_ldap_bind_as($bcnx,$this->config['ld_binddn'],$this->config['ld_bindpw'])){ | |
| 181 | + if(!$this->make_ldap_bind_as($this->cnx,$this->config['ld_binddn'],$this->config['ld_bindpw'])){ | |
| 182 | + $this->write_log("[ldap_search_dn]> Cannot bind to server!"); | |
| 183 | + return false; | |
| 184 | + } | |
| 185 | + | |
| 186 | + $this->write_log("[ldap_search_dn]> @ldap_search(\$this->cnx,".$this->config['basedn'].",".$filter.",array('dn'),0,1)"); | |
| 187 | + | |
| 188 | + // look for our attribute and get always the DN for login | |
| 189 | + //if($search = ldap_search($bcnx,$this->config['basedn'],$filter,array('dn'),0,1)){ | |
| 190 | + if($search = @ldap_search($this->cnx,$this->config['basedn'],$filter,array('dn'),0,1)){ | |
| 191 | + $this->write_log("[ldap_search_dn]> ldap_search successfull"); | |
| 192 | + //$entry = ldap_get_entries($bcnx, $search); | |
| 193 | + $entry = @ldap_get_entries($this->cnx, $search); | |
| 194 | + //if (!empty($entry[0][strtolower($this->config['ld_attr'])][0])) { | |
| 195 | + if (!empty($entry[0]["dn"])) { | |
| 196 | + $this->write_log("[ldap_search_dn]> RESULT: ".$entry[0]["dn"]); | |
| 197 | + //@ldap_unbind($bcnx); | |
| 198 | + return $entry[0]["dn"]; | |
| 199 | + } | |
| 200 | + $this->write_log("[ldap_search_dn]> result is empty!"); | |
| 201 | + return false; | |
| 202 | + } | |
| 203 | + $this->write_log("[ldap_search_dn]> ldap_search NOT successfull:"); | |
| 204 | + return false; | |
| 205 | + } | |
| 206 | + | |
| 207 | + // look for LDAP group membership | |
| 208 | + public function check_ldap_group_membership($user_dn,$group_dn){ | |
| 209 | + $this->write_log("[function]> check_ldap_group_membership(".$user_dn." , ".$group_dn.")"); | |
| 210 | + //if no group specified return true | |
| 211 | + if(!$group_dn){ | |
| 212 | + return true; | |
| 213 | + } | |
| 214 | + if(!$this->cnx){ | |
| 215 | + $this->write_log("[check_ldap_group_membership]> Cannot connect to server!"); | |
| 216 | + return false; | |
| 217 | + } | |
| 218 | + if(!$this->make_ldap_bind_as($this->cnx,$this->config['ld_binddn'],$this->config['ld_bindpw'])){ | |
| 219 | + $this->write_log("[check_ldap_group_membership]> Cannot bind to server!"); | |
| 220 | + return false; | |
| 221 | + } | |
| 222 | + // search for all memberOf-attributes for a given user_dn | |
| 223 | + $this->write_log("[check_ldap_group_membership]> @ldap_search(\$this->cnx,\"".$user_dn."\",\"(objectClass=*)\", array(\"memberOf\"),0,1)"); | |
| 224 | + if($search = @ldap_search($this->cnx, $user_dn, "(objectClass=*)", array("memberOf"),0,1)){ | |
| 225 | + $entry = @ldap_get_entries($this->cnx, $search); | |
| 226 | + //check if there are memberof-attributes | |
| 227 | + if(isset($entry[0]["memberof"])){ | |
| 228 | + $this->write_log("[check_ldap_group_membership]> Found ". $entry[0]["memberof"]["count"] ." memberOf-attributes"); | |
| 229 | + for($i=0; $i < $entry["0"]["memberof"]["count"]; $i++){ | |
| 230 | + $this->write_log("[check_ldap_group_membership]> checking: ". $entry["0"]["memberof"][$i]); | |
| 231 | + if(strcmp($group_dn,$entry["0"]["memberof"][$i]) == 0){ | |
| 232 | + $this->write_log("[check_ldap_group_membership]> Match found for \"". $group_dn ."\" AND \"".$entry["0"]["memberof"][$i]."\""); | |
| 233 | + return true; | |
| 234 | + } | |
| 235 | + } | |
| 236 | + } else { | |
| 237 | + $this->write_log("[check_ldap_group_membership]> No groups found for given user, check on ldap side"); | |
| 238 | + } | |
| 239 | + } else { | |
| 240 | + $this->write_log("[check_ldap_group_membership]> ldap_search NOT successfull: " .$this->getErrorString()); | |
| 241 | + } | |
| 242 | + $this->write_log("[check_ldap_group_membership]> No matching groups found for given group_dn: ". $group_dn); | |
| 243 | + return false; | |
| 244 | + } | |
| 245 | + | |
| 246 | + | |
| 247 | + public function getAttr() { | |
| 248 | + $search = @ldap_read($this->cnx, "cn=subschema", "(objectClass=*)", array('*', 'subschemasubentry')); | |
| 249 | + $entries = @ldap_get_entries($this->cnx, $search); | |
| 250 | + echo count($entries); | |
| 251 | + } | |
| 252 | + | |
| 253 | + public function getRootDse() { | |
| 254 | + $search = @ldap_read($this->cnx, NULL, 'objectClass=*', array("*", "+")); | |
| 255 | + $entries = @ldap_get_entries($this->cnx, $search); | |
| 256 | + return $entries[0]; | |
| 257 | + } | |
| 258 | + | |
| 259 | + | |
| 260 | + public function ldap_check_basedn(){ | |
| 261 | + if ($read = @ldap_read($this->cnx,$this->config['basedn'],'(objectClass=*)',array('dn'))){ | |
| 262 | + $entry = @ldap_get_entries($this->cnx, $read); | |
| 263 | + if (!empty($entry[0]['dn'])) { | |
| 264 | + return true; | |
| 265 | + } | |
| 266 | + } | |
| 267 | + return false; | |
| 268 | + } | |
| 269 | +} | |
| 270 | +?> | |
| ... | ... |