Basic Import (c2f3f7ab) | Commits | piwigo / Ldap_Login

Browse Code »

Commit c2f3f7ab7f867c7ee76e5cf73fc095e09b602aae

Authored by spelth 10 years ago

1 parent a4831b3b

Basic Import

Inline Side-by-side

Showing 1 changed file with 270 additions and 0 deletions

class.ldap.php 0 → 100644

View file @c2f3f7a

		1	+<?php
		2	+global $conf;
		3	+class Ldap {
		4	+ var $cnx;
		5	+ var $config;
		6	+
		7	+ // for debug
		8	+ public function write_log($message){
		9	+ $log = 0;
		10	+ if($log>0){
		11	+ @file_put_contents('/var/log/ldap_login.log',$message."\n",FILE_APPEND);
		12	+ }
		13	+ }
		14	+
		15	+ /**
		16	+ * check ldap configuration
		17	+ *
		18	+ * Dans le cas ou l'acces au ldap est anonyme il faut impérativement faire une recherche
		19	+ * pour tester la connection.
		20	+ *
		21	+ * When OpenLDAP 2.x.x is used, ldap_connect() will always return a resource as it does not actually connect
		22	+ * but just initializes the connecting parameters. The actual connect happens with the next calls
		23	+ * to ldap_* funcs, usually with ldap_bind().
		24	+ */
		25	+ public function check_ldap(){
		26	+ //$this->write_log("[function]> check_ldap");
		27	+ if (!$this->ldap_conn()) {
		28	+ return $this->getErrorString();
		29	+ }
		30	+
		31	+ // test du compte root si renseigné
		32	+ if (!empty($this->config['ld_binddn']) && !empty($this->config['ld_bindpw'])){ // if empty ld_binddn, anonymous search
		33	+ // authentication with rootdn and rootpw for search
		34	+ if (!$this->ldap_bind_as($this->config['ld_binddn'],$this->config['ld_bindpw'])){
		35	+ return $this->getErrorString();
		36	+ }
		37	+ } else {
		38	+ // sinon recherche du basedn (cf comportement ldap_connect avec OpenLDAP)
		39	+ if (!$this->ldap_check_basedn()){ // search userdn
		40	+ return $this->getErrorString();
		41	+ }
		42	+ }
		43	+ return true;
		44	+ }
		45	+
		46	+ public function load_default_config(){
		47	+ $this->config['host'] = 'localhost';
		48	+ $this->config['basedn'] = 'ou=people,dc=example,dc=com'; // racine !
		49	+ $this->config['port'] = ''; // if port is empty, I count on the software to care of it !
		50	+ $this->config['ld_attr'] = 'uid';
		51	+ $this->config['ld_group'] = 'cn=myPiwigoLDAPGroup,cn=users,dc=example,dc=com';
		52	+ $this->config['ld_use_ssl'] = False;
		53	+ $this->config['ld_bindpw'] ='';
		54	+ $this->config['ld_binddn'] ='';
		55	+
		56	+ $this->config['allow_newusers'] = False;
		57	+ $this->config['advertise_admin_new_ldapuser'] = False;
		58	+ $this->config['send_password_by_mail_ldap'] = False;
		59	+ }
		60	+
		61	+ function load_config() {
		62	+ // first we load the base config
		63	+ $conf_file = @file_get_contents( LDAP_LOGIN_PATH.'data.dat' );
		64	+ if ($conf_file!==false)
		65	+ {
		66	+ $this->config = unserialize($conf_file);
		67	+ }
		68	+ }
		69	+
		70	+ function save_config()
		71	+ {
		72	+ $file = fopen( LDAP_LOGIN_PATH.'/data.dat', 'w' );
		73	+ fwrite($file, serialize($this->config) );
		74	+ fclose( $file );
		75	+ }
		76	+
		77	+ function ldap_admin_menu($menu)
		78	+ {
		79	+ array_push($menu,
		80	+ array(
		81	+ 'NAME' => 'Ldap Login',
		82	+ 'URL' => get_admin_plugin_menu_link(LDAP_LOGIN_PATH.'/admin.php') )
		83	+ );
		84	+ return $menu;
		85	+ }
		86	+
		87	+ // LDAP connection public
		88	+ public function ldap_conn(){
		89	+ if( $this->cnx = $this->make_ldap_conn() ){
		90	+ return true;
		91	+ }
		92	+ return false;
		93	+ }
		94	+
		95	+ // LDAP connection private
		96	+ private function make_ldap_conn(){
		97	+ if ($this->config['ld_use_ssl'] == 1){
		98	+ if (empty($this->config['port'])){
		99	+ $this->config['uri'] = 'ldaps://'.$this->config['host'];
		100	+ }
		101	+ else {
		102	+ $this->config['uri'] = 'ldaps://'.$this->config['host'].':'.$this->config['port'];
		103	+ }
		104	+ }
		105	+
		106	+ // now, it's without ssl
		107	+ else {
		108	+ if (empty($this->config['port'])){
		109	+ $this->config['uri'] = 'ldap://'.$this->config['host'];
		110	+ }
		111	+ else {
		112	+ $this->config['uri'] = 'ldap://'.$this->config['host'].':'.$this->config['port'];
		113	+ }
		114	+ }
		115	+
		116	+ if ($conn = @ldap_connect($this->config['uri'])){
		117	+ @ldap_set_option($conn, LDAP_OPT_PROTOCOL_VERSION, 3); // LDAPv3 if possible
		118	+ return $conn;
		119	+ }
		120	+ return false;
		121	+ }
		122	+
		123	+ // return ldap error
		124	+ public function getErrorString(){
		125	+ return ldap_err2str(ldap_errno($this->cnx));
		126	+ }
		127	+
		128	+ // return the name ldap understand
		129	+ public function ldap_name($name){
		130	+ return $this->config['ld_attr'].'='.$name.','.$this->config['basedn'];
		131	+ }
		132	+
		133	+ // authentication public
		134	+ public function ldap_bind_as($user,$user_passwd){
		135	+ $this->write_log("[function]> ldap_bind_as");
		136	+ $this->write_log("[ldap_bind_as]> ".$user.",".$user_passwd);
		137	+ if($this->make_ldap_bind_as($this->cnx,$user,$user_passwd)){
		138	+ $this->write_log("[ldap_bind_as]> Bind was successfull");
		139	+ return true;
		140	+ }
		141	+ return false;
		142	+ }
		143	+
		144	+ // authentication private
		145	+ private function make_ldap_bind_as($conn,$user,$user_passwd){
		146	+ $this->write_log("[function]> make_ldap_bind_as");
		147	+ $this->write_log("[make_ldap_bind_as]> \$conn,".$user.",".$user_passwd);
		148	+ $bind = @ldap_bind($conn,$user,$user_passwd);
		149	+ if($bind){
		150	+ return true;
		151	+ }
		152	+ return false;
		153	+ }
		154	+
		155	+ public function ldap_mail($name){
		156	+ //echo $this->cnx;
		157	+ //echo $this->ldap_name($name);
		158	+ $sr=@ldap_read($this->cnx, $this->ldap_name($name), "(objectclass=*)", array('mail'));
		159	+ $entry = @ldap_get_entries($this->cnx, $sr);
		160	+
		161	+ if (!empty($entry[0]['mail'])) {
		162	+ return $entry[0]['mail'][0];
		163	+ }
		164	+ return False;
		165	+ }
		166	+
		167	+ // return userdn (and username) for authentication
		168	+ public function ldap_search_dn($value_to_search){
		169	+ $this->write_log("[function]> ldap_search_dn(".$value_to_search.")");
		170	+ $filter = '(&(objectCategory=person)('.$this->config['ld_attr'].'='.$value_to_search.'))';
		171	+
		172	+ // connection handling
		173	+ $this->write_log("[ldap_search_dn]> Connecting to server");
		174	+ //if(!$bcnx = $this->make_ldap_conn()){
		175	+ if(!$this->cnx){
		176	+ $this->write_log("[ldap_search_dn]> Cannot connect to server!");
		177	+ return false;
		178	+ }
		179	+ $this->write_log("[ldap_search_dn]> make_ldap_bind_as(\$this->cnx,".$this->config['ld_binddn'].",".$this->config['ld_bindpw'].")");
		180	+ //if(!$this->make_ldap_bind_as($bcnx,$this->config['ld_binddn'],$this->config['ld_bindpw'])){
		181	+ if(!$this->make_ldap_bind_as($this->cnx,$this->config['ld_binddn'],$this->config['ld_bindpw'])){
		182	+ $this->write_log("[ldap_search_dn]> Cannot bind to server!");
		183	+ return false;
		184	+ }
		185	+
		186	+ $this->write_log("[ldap_search_dn]> @ldap_search(\$this->cnx,".$this->config['basedn'].",".$filter.",array('dn'),0,1)");
		187	+
		188	+ // look for our attribute and get always the DN for login
		189	+ //if($search = ldap_search($bcnx,$this->config['basedn'],$filter,array('dn'),0,1)){
		190	+ if($search = @ldap_search($this->cnx,$this->config['basedn'],$filter,array('dn'),0,1)){
		191	+ $this->write_log("[ldap_search_dn]> ldap_search successfull");
		192	+ //$entry = ldap_get_entries($bcnx, $search);
		193	+ $entry = @ldap_get_entries($this->cnx, $search);
		194	+ //if (!empty($entry[0][strtolower($this->config['ld_attr'])][0])) {
		195	+ if (!empty($entry[0]["dn"])) {
		196	+ $this->write_log("[ldap_search_dn]> RESULT: ".$entry[0]["dn"]);
		197	+ //@ldap_unbind($bcnx);
		198	+ return $entry[0]["dn"];
		199	+ }
		200	+ $this->write_log("[ldap_search_dn]> result is empty!");
		201	+ return false;
		202	+ }
		203	+ $this->write_log("[ldap_search_dn]> ldap_search NOT successfull:");
		204	+ return false;
		205	+ }
		206	+
		207	+ // look for LDAP group membership
		208	+ public function check_ldap_group_membership($user_dn,$group_dn){
		209	+ $this->write_log("[function]> check_ldap_group_membership(".$user_dn." , ".$group_dn.")");
		210	+ //if no group specified return true
		211	+ if(!$group_dn){
		212	+ return true;
		213	+ }
		214	+ if(!$this->cnx){
		215	+ $this->write_log("[check_ldap_group_membership]> Cannot connect to server!");
		216	+ return false;
		217	+ }
		218	+ if(!$this->make_ldap_bind_as($this->cnx,$this->config['ld_binddn'],$this->config['ld_bindpw'])){
		219	+ $this->write_log("[check_ldap_group_membership]> Cannot bind to server!");
		220	+ return false;
		221	+ }
		222	+ // search for all memberOf-attributes for a given user_dn
		223	+ $this->write_log("[check_ldap_group_membership]> @ldap_search(\$this->cnx,\"".$user_dn."\",\"(objectClass=*)\", array(\"memberOf\"),0,1)");
		224	+ if($search = @ldap_search($this->cnx, $user_dn, "(objectClass=*)", array("memberOf"),0,1)){
		225	+ $entry = @ldap_get_entries($this->cnx, $search);
		226	+ //check if there are memberof-attributes
		227	+ if(isset($entry[0]["memberof"])){
		228	+ $this->write_log("[check_ldap_group_membership]> Found ". $entry[0]["memberof"]["count"] ." memberOf-attributes");
		229	+ for($i=0; $i < $entry["0"]["memberof"]["count"]; $i++){
		230	+ $this->write_log("[check_ldap_group_membership]> checking: ". $entry["0"]["memberof"][$i]);
		231	+ if(strcmp($group_dn,$entry["0"]["memberof"][$i]) == 0){
		232	+ $this->write_log("[check_ldap_group_membership]> Match found for \"". $group_dn ."\" AND \"".$entry["0"]["memberof"][$i]."\"");
		233	+ return true;
		234	+ }
		235	+ }
		236	+ } else {
		237	+ $this->write_log("[check_ldap_group_membership]> No groups found for given user, check on ldap side");
		238	+ }
		239	+ } else {
		240	+ $this->write_log("[check_ldap_group_membership]> ldap_search NOT successfull: " .$this->getErrorString());
		241	+ }
		242	+ $this->write_log("[check_ldap_group_membership]> No matching groups found for given group_dn: ". $group_dn);
		243	+ return false;
		244	+ }
		245	+
		246	+
		247	+ public function getAttr() {
		248	+ $search = @ldap_read($this->cnx, "cn=subschema", "(objectClass=)", array('', 'subschemasubentry'));
		249	+ $entries = @ldap_get_entries($this->cnx, $search);
		250	+ echo count($entries);
		251	+ }
		252	+
		253	+ public function getRootDse() {
		254	+ $search = @ldap_read($this->cnx, NULL, 'objectClass=', array("", "+"));
		255	+ $entries = @ldap_get_entries($this->cnx, $search);
		256	+ return $entries[0];
		257	+ }
		258	+
		259	+
		260	+ public function ldap_check_basedn(){
		261	+ if ($read = @ldap_read($this->cnx,$this->config['basedn'],'(objectClass=*)',array('dn'))){
		262	+ $entry = @ldap_get_entries($this->cnx, $read);
		263	+ if (!empty($entry[0]['dn'])) {
		264	+ return true;
		265	+ }
		266	+ }
		267	+ return false;
		268	+ }
		269	+}
		270	+?>