<?php global $conf; class Ldap { var $cnx; var $config; // for debug public function write_log($message){ $log = 0; if($log>0){ @file_put_contents('/var/log/ldap_login.log',$message."\n",FILE_APPEND); } } /** * check ldap configuration * * Dans le cas ou l'acces au ldap est anonyme il faut impérativement faire une recherche * pour tester la connection. * * When OpenLDAP 2.x.x is used, ldap_connect() will always return a resource as it does not actually connect * but just initializes the connecting parameters. The actual connect happens with the next calls * to ldap_* funcs, usually with ldap_bind(). */ public function check_ldap(){ //$this->write_log("[function]> check_ldap"); if (!$this->ldap_conn()) { return $this->getErrorString(); } // test du compte root si renseigné if (!empty($this->config['ld_binddn']) && !empty($this->config['ld_bindpw'])){ // if empty ld_binddn, anonymous search // authentication with rootdn and rootpw for search if (!$this->ldap_bind_as($this->config['ld_binddn'],$this->config['ld_bindpw'])){ return $this->getErrorString(); } } else { // sinon recherche du basedn (cf comportement ldap_connect avec OpenLDAP) if (!$this->ldap_check_basedn()){ // search userdn return $this->getErrorString(); } } return true; } public function load_default_config(){ $this->config['host'] = 'localhost'; $this->config['basedn'] = 'ou=people,dc=example,dc=com'; // racine ! $this->config['port'] = ''; // if port is empty, I count on the software to care of it ! $this->config['ld_attr'] = 'uid'; $this->config['ld_group'] = 'cn=myPiwigoLDAPGroup,cn=users,dc=example,dc=com'; $this->config['ld_use_ssl'] = False; $this->config['ld_bindpw'] =''; $this->config['ld_binddn'] =''; $this->config['allow_newusers'] = False; $this->config['advertise_admin_new_ldapuser'] = False; $this->config['send_password_by_mail_ldap'] = False; } function load_config() { // first we load the base config $conf_file = @file_get_contents( LDAP_LOGIN_PATH.'data.dat' ); if ($conf_file!==false) { $this->config = unserialize($conf_file); } } function save_config() { $file = fopen( LDAP_LOGIN_PATH.'/data.dat', 'w' ); fwrite($file, serialize($this->config) ); fclose( $file ); } function ldap_admin_menu($menu) { array_push($menu, array( 'NAME' => 'Ldap Login', 'URL' => get_admin_plugin_menu_link(LDAP_LOGIN_PATH.'/admin.php') ) ); return $menu; } // LDAP connection public public function ldap_conn(){ if( $this->cnx = $this->make_ldap_conn() ){ return true; } return false; } // LDAP connection private private function make_ldap_conn(){ if ($this->config['ld_use_ssl'] == 1){ if (empty($this->config['port'])){ $this->config['uri'] = 'ldaps://'.$this->config['host']; } else { $this->config['uri'] = 'ldaps://'.$this->config['host'].':'.$this->config['port']; } } // now, it's without ssl else { if (empty($this->config['port'])){ $this->config['uri'] = 'ldap://'.$this->config['host']; } else { $this->config['uri'] = 'ldap://'.$this->config['host'].':'.$this->config['port']; } } if ($conn = @ldap_connect($this->config['uri'])){ @ldap_set_option($conn, LDAP_OPT_PROTOCOL_VERSION, 3); // LDAPv3 if possible return $conn; } return false; } // return ldap error public function getErrorString(){ return ldap_err2str(ldap_errno($this->cnx)); } // authentication public public function ldap_bind_as($user,$user_passwd){ $this->write_log("[function]> ldap_bind_as"); $this->write_log("[ldap_bind_as]> ".$user.",".$user_passwd); if($this->make_ldap_bind_as($this->cnx,$user,$user_passwd)){ $this->write_log("[ldap_bind_as]> Bind was successfull"); return true; } return false; } // authentication private private function make_ldap_bind_as($conn,$user,$user_passwd){ $this->write_log("[function]> make_ldap_bind_as"); $this->write_log("[make_ldap_bind_as]> \$conn,".$user.",".$user_passwd); $bind = @ldap_bind($conn,$user,$user_passwd); if($bind){ return true; } return false; } public function ldap_get_email($user_dn){ $sr=@ldap_read($this->cnx, $user_dn, "(objectclass=*)", array('mail')); $entry = @ldap_get_entries($this->cnx, $sr); if (!empty($entry[0]['mail'])) { return $entry[0]['mail'][0]; } return null; } public function ldap_get_user_email($username) { return $this->ldap_email($this->ldap_get_dn($username)); } // return userdn (and username) for authentication public function ldap_search_dn($value_to_search){ $this->write_log("[function]> ldap_search_dn(".$value_to_search.")"); $filter = '(&(objectClass=person)('.$this->config['ld_attr'].'='.$value_to_search.'))'; // connection handling $this->write_log("[ldap_search_dn]> Connecting to server"); //if(!$bcnx = $this->make_ldap_conn()){ if(!$this->cnx){ $this->write_log("[ldap_search_dn]> Cannot connect to server!"); return false; } $this->write_log("[ldap_search_dn]> make_ldap_bind_as(\$this->cnx,".$this->config['ld_binddn'].",".$this->config['ld_bindpw'].")"); //if(!$this->make_ldap_bind_as($bcnx,$this->config['ld_binddn'],$this->config['ld_bindpw'])){ if(!$this->make_ldap_bind_as($this->cnx,$this->config['ld_binddn'],$this->config['ld_bindpw'])){ $this->write_log("[ldap_search_dn]> Cannot bind to server!"); return false; } $this->write_log("[ldap_search_dn]> @ldap_search(\$this->cnx,".$this->config['basedn'].",".$filter.",array('dn'),0,1)"); // look for our attribute and get always the DN for login //if($search = ldap_search($bcnx,$this->config['basedn'],$filter,array('dn'),0,1)){ if($search = @ldap_search($this->cnx,$this->config['basedn'],$filter,array('dn'),0,1)){ $this->write_log("[ldap_search_dn]> ldap_search successfull"); //$entry = ldap_get_entries($bcnx, $search); $entry = @ldap_get_entries($this->cnx, $search); //if (!empty($entry[0][strtolower($this->config['ld_attr'])][0])) { if (!empty($entry[0]["dn"])) { $this->write_log("[ldap_search_dn]> RESULT: ".$entry[0]["dn"]); //@ldap_unbind($bcnx); return $entry[0]["dn"]; } $this->write_log("[ldap_search_dn]> result is empty!"); return false; } $this->write_log("[ldap_search_dn]> ldap_search NOT successfull:"); return false; } // look for LDAP group membership public function check_ldap_group_membership($user_dn, $user_login){ $group_dn = $this->config['ld_group']; $this->write_log("[function]> check_ldap_group_membership('$user_dn', '$group_dn', '$user_login')"); //if no group specified return true if(!$group_dn){ return true; } if(!$this->cnx){ $this->write_log("[check_ldap_group_membership]> Cannot connect to server!"); return false; } if(!$this->make_ldap_bind_as($this->cnx,$this->config['ld_binddn'],$this->config['ld_bindpw'])){ $this->write_log("[check_ldap_group_membership]> Cannot bind to server!"); return false; } // search for all member and memberUid attributes for a group_dn $search_filter = "(|(&(objectClass=posixGroup)(memberUid=$user_login))(&(objectClass=group)(member=$user_dn)))"; $this->write_log("[check_ldap_group_membership]> @ldap_search(\$this->cnx,'$group_dn', '$search_filter', array('memberOf'),0,1)"); if($search = @ldap_search($this->cnx, $group_dn, $search_filter, array("dn"),0,1)){ $entry = @ldap_get_entries($this->cnx, $search); //check if there are dn-attributes if (!empty($entry[0]["dn"])) { $this->write_log("[check_ldap_group_membership]> match found: ".$entry[0]["dn"]); return true; } else { $this->write_log("[check_ldap_group_membership]> no group membership for user found for given group and user, check on ldap side"); } } else { $this->write_log("[check_ldap_group_membership]> ldap_search NOT successfull: " .$this->getErrorString()); } $this->write_log("[check_ldap_group_membership]> No matching groups found for given group_dn: ". $group_dn); return false; } public function getAttr() { $search = @ldap_read($this->cnx, "cn=subschema", "(objectClass=*)", array('*', 'subschemasubentry')); $entries = @ldap_get_entries($this->cnx, $search); echo count($entries); } public function getRootDse() { $search = @ldap_read($this->cnx, NULL, 'objectClass=*', array("*", "+")); $entries = @ldap_get_entries($this->cnx, $search); return $entries[0]; } public function ldap_check_basedn(){ if ($read = @ldap_read($this->cnx,$this->config['basedn'],'(objectClass=*)',array('dn'))){ $entry = @ldap_get_entries($this->cnx, $read); if (!empty($entry[0]['dn'])) { return true; } } return false; } } ?>