Commit c2f3f7ab7f867c7ee76e5cf73fc095e09b602aae
1 parent
a4831b3b
Basic Import
Showing
1 changed file
with
270 additions
and
0 deletions
class.ldap.php
0 → 100644
1 | +<?php | ||
2 | +global $conf; | ||
3 | +class Ldap { | ||
4 | + var $cnx; | ||
5 | + var $config; | ||
6 | + | ||
7 | + // for debug | ||
8 | + public function write_log($message){ | ||
9 | + $log = 0; | ||
10 | + if($log>0){ | ||
11 | + @file_put_contents('/var/log/ldap_login.log',$message."\n",FILE_APPEND); | ||
12 | + } | ||
13 | + } | ||
14 | + | ||
15 | + /** | ||
16 | + * check ldap configuration | ||
17 | + * | ||
18 | + * Dans le cas ou l'acces au ldap est anonyme il faut impérativement faire une recherche | ||
19 | + * pour tester la connection. | ||
20 | + * | ||
21 | + * When OpenLDAP 2.x.x is used, ldap_connect() will always return a resource as it does not actually connect | ||
22 | + * but just initializes the connecting parameters. The actual connect happens with the next calls | ||
23 | + * to ldap_* funcs, usually with ldap_bind(). | ||
24 | + */ | ||
25 | + public function check_ldap(){ | ||
26 | + //$this->write_log("[function]> check_ldap"); | ||
27 | + if (!$this->ldap_conn()) { | ||
28 | + return $this->getErrorString(); | ||
29 | + } | ||
30 | + | ||
31 | + // test du compte root si renseigné | ||
32 | + if (!empty($this->config['ld_binddn']) && !empty($this->config['ld_bindpw'])){ // if empty ld_binddn, anonymous search | ||
33 | + // authentication with rootdn and rootpw for search | ||
34 | + if (!$this->ldap_bind_as($this->config['ld_binddn'],$this->config['ld_bindpw'])){ | ||
35 | + return $this->getErrorString(); | ||
36 | + } | ||
37 | + } else { | ||
38 | + // sinon recherche du basedn (cf comportement ldap_connect avec OpenLDAP) | ||
39 | + if (!$this->ldap_check_basedn()){ // search userdn | ||
40 | + return $this->getErrorString(); | ||
41 | + } | ||
42 | + } | ||
43 | + return true; | ||
44 | + } | ||
45 | + | ||
46 | + public function load_default_config(){ | ||
47 | + $this->config['host'] = 'localhost'; | ||
48 | + $this->config['basedn'] = 'ou=people,dc=example,dc=com'; // racine ! | ||
49 | + $this->config['port'] = ''; // if port is empty, I count on the software to care of it ! | ||
50 | + $this->config['ld_attr'] = 'uid'; | ||
51 | + $this->config['ld_group'] = 'cn=myPiwigoLDAPGroup,cn=users,dc=example,dc=com'; | ||
52 | + $this->config['ld_use_ssl'] = False; | ||
53 | + $this->config['ld_bindpw'] =''; | ||
54 | + $this->config['ld_binddn'] =''; | ||
55 | + | ||
56 | + $this->config['allow_newusers'] = False; | ||
57 | + $this->config['advertise_admin_new_ldapuser'] = False; | ||
58 | + $this->config['send_password_by_mail_ldap'] = False; | ||
59 | + } | ||
60 | + | ||
61 | + function load_config() { | ||
62 | + // first we load the base config | ||
63 | + $conf_file = @file_get_contents( LDAP_LOGIN_PATH.'data.dat' ); | ||
64 | + if ($conf_file!==false) | ||
65 | + { | ||
66 | + $this->config = unserialize($conf_file); | ||
67 | + } | ||
68 | + } | ||
69 | + | ||
70 | + function save_config() | ||
71 | + { | ||
72 | + $file = fopen( LDAP_LOGIN_PATH.'/data.dat', 'w' ); | ||
73 | + fwrite($file, serialize($this->config) ); | ||
74 | + fclose( $file ); | ||
75 | + } | ||
76 | + | ||
77 | + function ldap_admin_menu($menu) | ||
78 | + { | ||
79 | + array_push($menu, | ||
80 | + array( | ||
81 | + 'NAME' => 'Ldap Login', | ||
82 | + 'URL' => get_admin_plugin_menu_link(LDAP_LOGIN_PATH.'/admin.php') ) | ||
83 | + ); | ||
84 | + return $menu; | ||
85 | + } | ||
86 | + | ||
87 | + // LDAP connection public | ||
88 | + public function ldap_conn(){ | ||
89 | + if( $this->cnx = $this->make_ldap_conn() ){ | ||
90 | + return true; | ||
91 | + } | ||
92 | + return false; | ||
93 | + } | ||
94 | + | ||
95 | + // LDAP connection private | ||
96 | + private function make_ldap_conn(){ | ||
97 | + if ($this->config['ld_use_ssl'] == 1){ | ||
98 | + if (empty($this->config['port'])){ | ||
99 | + $this->config['uri'] = 'ldaps://'.$this->config['host']; | ||
100 | + } | ||
101 | + else { | ||
102 | + $this->config['uri'] = 'ldaps://'.$this->config['host'].':'.$this->config['port']; | ||
103 | + } | ||
104 | + } | ||
105 | + | ||
106 | + // now, it's without ssl | ||
107 | + else { | ||
108 | + if (empty($this->config['port'])){ | ||
109 | + $this->config['uri'] = 'ldap://'.$this->config['host']; | ||
110 | + } | ||
111 | + else { | ||
112 | + $this->config['uri'] = 'ldap://'.$this->config['host'].':'.$this->config['port']; | ||
113 | + } | ||
114 | + } | ||
115 | + | ||
116 | + if ($conn = @ldap_connect($this->config['uri'])){ | ||
117 | + @ldap_set_option($conn, LDAP_OPT_PROTOCOL_VERSION, 3); // LDAPv3 if possible | ||
118 | + return $conn; | ||
119 | + } | ||
120 | + return false; | ||
121 | + } | ||
122 | + | ||
123 | + // return ldap error | ||
124 | + public function getErrorString(){ | ||
125 | + return ldap_err2str(ldap_errno($this->cnx)); | ||
126 | + } | ||
127 | + | ||
128 | + // return the name ldap understand | ||
129 | + public function ldap_name($name){ | ||
130 | + return $this->config['ld_attr'].'='.$name.','.$this->config['basedn']; | ||
131 | + } | ||
132 | + | ||
133 | + // authentication public | ||
134 | + public function ldap_bind_as($user,$user_passwd){ | ||
135 | + $this->write_log("[function]> ldap_bind_as"); | ||
136 | + $this->write_log("[ldap_bind_as]> ".$user.",".$user_passwd); | ||
137 | + if($this->make_ldap_bind_as($this->cnx,$user,$user_passwd)){ | ||
138 | + $this->write_log("[ldap_bind_as]> Bind was successfull"); | ||
139 | + return true; | ||
140 | + } | ||
141 | + return false; | ||
142 | + } | ||
143 | + | ||
144 | + // authentication private | ||
145 | + private function make_ldap_bind_as($conn,$user,$user_passwd){ | ||
146 | + $this->write_log("[function]> make_ldap_bind_as"); | ||
147 | + $this->write_log("[make_ldap_bind_as]> \$conn,".$user.",".$user_passwd); | ||
148 | + $bind = @ldap_bind($conn,$user,$user_passwd); | ||
149 | + if($bind){ | ||
150 | + return true; | ||
151 | + } | ||
152 | + return false; | ||
153 | + } | ||
154 | + | ||
155 | + public function ldap_mail($name){ | ||
156 | + //echo $this->cnx; | ||
157 | + //echo $this->ldap_name($name); | ||
158 | + $sr=@ldap_read($this->cnx, $this->ldap_name($name), "(objectclass=*)", array('mail')); | ||
159 | + $entry = @ldap_get_entries($this->cnx, $sr); | ||
160 | + | ||
161 | + if (!empty($entry[0]['mail'])) { | ||
162 | + return $entry[0]['mail'][0]; | ||
163 | + } | ||
164 | + return False; | ||
165 | + } | ||
166 | + | ||
167 | + // return userdn (and username) for authentication | ||
168 | + public function ldap_search_dn($value_to_search){ | ||
169 | + $this->write_log("[function]> ldap_search_dn(".$value_to_search.")"); | ||
170 | + $filter = '(&(objectCategory=person)('.$this->config['ld_attr'].'='.$value_to_search.'))'; | ||
171 | + | ||
172 | + // connection handling | ||
173 | + $this->write_log("[ldap_search_dn]> Connecting to server"); | ||
174 | + //if(!$bcnx = $this->make_ldap_conn()){ | ||
175 | + if(!$this->cnx){ | ||
176 | + $this->write_log("[ldap_search_dn]> Cannot connect to server!"); | ||
177 | + return false; | ||
178 | + } | ||
179 | + $this->write_log("[ldap_search_dn]> make_ldap_bind_as(\$this->cnx,".$this->config['ld_binddn'].",".$this->config['ld_bindpw'].")"); | ||
180 | + //if(!$this->make_ldap_bind_as($bcnx,$this->config['ld_binddn'],$this->config['ld_bindpw'])){ | ||
181 | + if(!$this->make_ldap_bind_as($this->cnx,$this->config['ld_binddn'],$this->config['ld_bindpw'])){ | ||
182 | + $this->write_log("[ldap_search_dn]> Cannot bind to server!"); | ||
183 | + return false; | ||
184 | + } | ||
185 | + | ||
186 | + $this->write_log("[ldap_search_dn]> @ldap_search(\$this->cnx,".$this->config['basedn'].",".$filter.",array('dn'),0,1)"); | ||
187 | + | ||
188 | + // look for our attribute and get always the DN for login | ||
189 | + //if($search = ldap_search($bcnx,$this->config['basedn'],$filter,array('dn'),0,1)){ | ||
190 | + if($search = @ldap_search($this->cnx,$this->config['basedn'],$filter,array('dn'),0,1)){ | ||
191 | + $this->write_log("[ldap_search_dn]> ldap_search successfull"); | ||
192 | + //$entry = ldap_get_entries($bcnx, $search); | ||
193 | + $entry = @ldap_get_entries($this->cnx, $search); | ||
194 | + //if (!empty($entry[0][strtolower($this->config['ld_attr'])][0])) { | ||
195 | + if (!empty($entry[0]["dn"])) { | ||
196 | + $this->write_log("[ldap_search_dn]> RESULT: ".$entry[0]["dn"]); | ||
197 | + //@ldap_unbind($bcnx); | ||
198 | + return $entry[0]["dn"]; | ||
199 | + } | ||
200 | + $this->write_log("[ldap_search_dn]> result is empty!"); | ||
201 | + return false; | ||
202 | + } | ||
203 | + $this->write_log("[ldap_search_dn]> ldap_search NOT successfull:"); | ||
204 | + return false; | ||
205 | + } | ||
206 | + | ||
207 | + // look for LDAP group membership | ||
208 | + public function check_ldap_group_membership($user_dn,$group_dn){ | ||
209 | + $this->write_log("[function]> check_ldap_group_membership(".$user_dn." , ".$group_dn.")"); | ||
210 | + //if no group specified return true | ||
211 | + if(!$group_dn){ | ||
212 | + return true; | ||
213 | + } | ||
214 | + if(!$this->cnx){ | ||
215 | + $this->write_log("[check_ldap_group_membership]> Cannot connect to server!"); | ||
216 | + return false; | ||
217 | + } | ||
218 | + if(!$this->make_ldap_bind_as($this->cnx,$this->config['ld_binddn'],$this->config['ld_bindpw'])){ | ||
219 | + $this->write_log("[check_ldap_group_membership]> Cannot bind to server!"); | ||
220 | + return false; | ||
221 | + } | ||
222 | + // search for all memberOf-attributes for a given user_dn | ||
223 | + $this->write_log("[check_ldap_group_membership]> @ldap_search(\$this->cnx,\"".$user_dn."\",\"(objectClass=*)\", array(\"memberOf\"),0,1)"); | ||
224 | + if($search = @ldap_search($this->cnx, $user_dn, "(objectClass=*)", array("memberOf"),0,1)){ | ||
225 | + $entry = @ldap_get_entries($this->cnx, $search); | ||
226 | + //check if there are memberof-attributes | ||
227 | + if(isset($entry[0]["memberof"])){ | ||
228 | + $this->write_log("[check_ldap_group_membership]> Found ". $entry[0]["memberof"]["count"] ." memberOf-attributes"); | ||
229 | + for($i=0; $i < $entry["0"]["memberof"]["count"]; $i++){ | ||
230 | + $this->write_log("[check_ldap_group_membership]> checking: ". $entry["0"]["memberof"][$i]); | ||
231 | + if(strcmp($group_dn,$entry["0"]["memberof"][$i]) == 0){ | ||
232 | + $this->write_log("[check_ldap_group_membership]> Match found for \"". $group_dn ."\" AND \"".$entry["0"]["memberof"][$i]."\""); | ||
233 | + return true; | ||
234 | + } | ||
235 | + } | ||
236 | + } else { | ||
237 | + $this->write_log("[check_ldap_group_membership]> No groups found for given user, check on ldap side"); | ||
238 | + } | ||
239 | + } else { | ||
240 | + $this->write_log("[check_ldap_group_membership]> ldap_search NOT successfull: " .$this->getErrorString()); | ||
241 | + } | ||
242 | + $this->write_log("[check_ldap_group_membership]> No matching groups found for given group_dn: ". $group_dn); | ||
243 | + return false; | ||
244 | + } | ||
245 | + | ||
246 | + | ||
247 | + public function getAttr() { | ||
248 | + $search = @ldap_read($this->cnx, "cn=subschema", "(objectClass=*)", array('*', 'subschemasubentry')); | ||
249 | + $entries = @ldap_get_entries($this->cnx, $search); | ||
250 | + echo count($entries); | ||
251 | + } | ||
252 | + | ||
253 | + public function getRootDse() { | ||
254 | + $search = @ldap_read($this->cnx, NULL, 'objectClass=*', array("*", "+")); | ||
255 | + $entries = @ldap_get_entries($this->cnx, $search); | ||
256 | + return $entries[0]; | ||
257 | + } | ||
258 | + | ||
259 | + | ||
260 | + public function ldap_check_basedn(){ | ||
261 | + if ($read = @ldap_read($this->cnx,$this->config['basedn'],'(objectClass=*)',array('dn'))){ | ||
262 | + $entry = @ldap_get_entries($this->cnx, $read); | ||
263 | + if (!empty($entry[0]['dn'])) { | ||
264 | + return true; | ||
265 | + } | ||
266 | + } | ||
267 | + return false; | ||
268 | + } | ||
269 | +} | ||
270 | +?> |