| [27036] | 1 | <?php |
|---|
| [27285] | 2 | global $conf; |
|---|
| [27036] | 3 | class Ldap { |
|---|
| 4 | var $cnx; |
|---|
| 5 | var $config; |
|---|
| 6 | |
|---|
| 7 | // for debug |
|---|
| 8 | public function write_log($message){ |
|---|
| 9 | @file_put_contents('/var/log/ldap_login.log',$message."\n",FILE_APPEND); |
|---|
| 10 | } |
|---|
| 11 | |
|---|
| 12 | /** |
|---|
| 13 | * check ldap configuration |
|---|
| 14 | * |
|---|
| 15 | * Dans le cas ou l'acces au ldap est anonyme il faut impérativement faire une recherche |
|---|
| 16 | * pour tester la connection. |
|---|
| 17 | * |
|---|
| 18 | * When OpenLDAP 2.x.x is used, ldap_connect() will always return a resource as it does not actually connect |
|---|
| 19 | * but just initializes the connecting parameters. The actual connect happens with the next calls |
|---|
| 20 | * to ldap_* funcs, usually with ldap_bind(). |
|---|
| 21 | */ |
|---|
| 22 | public function check_ldap(){ |
|---|
| 23 | |
|---|
| 24 | if (!$this->ldap_conn()) { |
|---|
| 25 | return $this->getErrorString(); |
|---|
| 26 | } |
|---|
| 27 | |
|---|
| 28 | // test du compte root si renseigné |
|---|
| 29 | if (!empty($this->config['ld_binddn']) && !empty($this->config['ld_bindpw'])){ // if empty ld_binddn, anonymous search |
|---|
| 30 | // authentication with rootdn and rootpw for search |
|---|
| 31 | if (!$this->ldap_bind_as($this->config['ld_binddn'],$this->config['ld_bindpw'])){ |
|---|
| 32 | return $this->getErrorString(); |
|---|
| 33 | } |
|---|
| 34 | } else { |
|---|
| 35 | // sinon recherche du basedn (cf comportement ldap_connect avec OpenLDAP) |
|---|
| 36 | if (!$this->ldap_check_basedn()){ // search userdn |
|---|
| 37 | return $this->getErrorString(); |
|---|
| 38 | } |
|---|
| 39 | } |
|---|
| 40 | return true; |
|---|
| 41 | } |
|---|
| 42 | |
|---|
| [27285] | 43 | public function load_default_config() |
|---|
| [27036] | 44 | { |
|---|
| 45 | $this->config['host'] = 'localhost'; |
|---|
| 46 | $this->config['basedn'] = 'ou=people,dc=example,dc=com'; // racine ! |
|---|
| 47 | $this->config['port'] = ''; // if port is empty, I count on the software to care of it ! |
|---|
| 48 | $this->config['ld_attr'] = 'uid'; |
|---|
| 49 | $this->config['ld_use_ssl'] = False; |
|---|
| 50 | $this->config['ld_bindpw'] =''; |
|---|
| 51 | $this->config['ld_binddn'] =''; |
|---|
| 52 | |
|---|
| 53 | $this->config['allow_newusers'] = False; |
|---|
| 54 | $this->config['advertise_admin_new_ldapuser'] = False; |
|---|
| 55 | $this->config['send_password_by_mail_ldap'] = False; |
|---|
| [27285] | 56 | } |
|---|
| 57 | |
|---|
| 58 | function load_config() { |
|---|
| 59 | // first we load the base config |
|---|
| 60 | $conf_file = @file_get_contents( LDAP_LOGIN_PATH.'data.dat' ); |
|---|
| 61 | if ($conf_file!==false) |
|---|
| [27036] | 62 | { |
|---|
| [27285] | 63 | $this->config = unserialize($conf_file); |
|---|
| [27036] | 64 | } |
|---|
| 65 | } |
|---|
| 66 | |
|---|
| 67 | function save_config() |
|---|
| 68 | { |
|---|
| 69 | $file = fopen( LDAP_LOGIN_PATH.'/data.dat', 'w' ); |
|---|
| 70 | fwrite($file, serialize($this->config) ); |
|---|
| 71 | fclose( $file ); |
|---|
| 72 | } |
|---|
| 73 | |
|---|
| 74 | function ldap_admin_menu($menu) |
|---|
| 75 | { |
|---|
| 76 | array_push($menu, |
|---|
| 77 | array( |
|---|
| 78 | 'NAME' => 'Ldap Login', |
|---|
| 79 | 'URL' => get_admin_plugin_menu_link(LDAP_LOGIN_PATH.'/admin.php') ) |
|---|
| 80 | ); |
|---|
| 81 | return $menu; |
|---|
| 82 | } |
|---|
| 83 | |
|---|
| 84 | public function ldap_conn(){ |
|---|
| [27285] | 85 | if ($this->config['ld_use_ssl'] == 1){ |
|---|
| [27036] | 86 | if (empty($this->config['port'])){ |
|---|
| 87 | $this->config['uri'] = 'ldaps://'.$this->config['host']; |
|---|
| 88 | } |
|---|
| 89 | else { |
|---|
| 90 | $this->config['uri'] = 'ldaps://'.$this->config['host'].':'.$this->config['port']; |
|---|
| 91 | } |
|---|
| 92 | } |
|---|
| 93 | |
|---|
| 94 | // now, it's without ssl |
|---|
| 95 | else { |
|---|
| 96 | if (empty($this->config['port'])){ |
|---|
| 97 | $this->config['uri'] = 'ldap://'.$this->config['host']; |
|---|
| 98 | } |
|---|
| 99 | else { |
|---|
| 100 | $this->config['uri'] = 'ldap://'.$this->config['host'].':'.$this->config['port']; |
|---|
| 101 | } |
|---|
| 102 | } |
|---|
| 103 | |
|---|
| 104 | if ($this->cnx = @ldap_connect($this->config['uri'])){ |
|---|
| 105 | @ldap_set_option($this->cnx, LDAP_OPT_PROTOCOL_VERSION, 3); // LDAPv3 if possible |
|---|
| 106 | return true; |
|---|
| 107 | } |
|---|
| 108 | return false; |
|---|
| 109 | |
|---|
| 110 | // connect with rootdn in case not anonymous. |
|---|
| 111 | if (!empty($obj->config['ld_binddn']) && !empty($obj->config['ld_bindpw'])){ // if empty ld_binddn, anonymous work |
|---|
| 112 | |
|---|
| 113 | // authentication with rootdn and rootpw for dn search |
|---|
| 114 | // carefull ! rootdn should be in full ldap style ! Nothing is supposed (to be one of the users the plugin auth…). |
|---|
| 115 | if (@ldap_bind($obj->config['ld_binddn'],$obj->config['ld_bindpw'])){ |
|---|
| 116 | return false; |
|---|
| 117 | } |
|---|
| 118 | } |
|---|
| 119 | } |
|---|
| 120 | |
|---|
| 121 | // return ldap error |
|---|
| 122 | public function getErrorString(){ |
|---|
| 123 | return ldap_err2str(ldap_errno($this->cnx)); |
|---|
| 124 | } |
|---|
| 125 | |
|---|
| 126 | // return the name ldap understand |
|---|
| 127 | public function ldap_name($name){ |
|---|
| 128 | return $this->config['ld_attr'].'='.$name.','.$this->config['basedn']; |
|---|
| 129 | } |
|---|
| 130 | |
|---|
| 131 | // authentication |
|---|
| 132 | public function ldap_bind_as($user,$user_passwd){ |
|---|
| 133 | if (@ldap_bind($this->cnx,$this->ldap_name($user),$user_passwd)){ |
|---|
| 134 | return true; |
|---|
| 135 | } |
|---|
| 136 | return false; |
|---|
| 137 | } |
|---|
| 138 | |
|---|
| 139 | public function ldap_mail($name){ |
|---|
| 140 | |
|---|
| 141 | //echo $this->cnx; |
|---|
| 142 | //echo $this->ldap_name($name); |
|---|
| 143 | $sr=@ldap_read($this->cnx, $this->ldap_name($name), "(objectclass=*)", array('mail')); |
|---|
| 144 | $entry = @ldap_get_entries($this->cnx, $sr); |
|---|
| 145 | |
|---|
| 146 | if (!empty($entry[0]['mail'])) { |
|---|
| 147 | return $entry[0]['mail'][0]; |
|---|
| 148 | } |
|---|
| 149 | return False; |
|---|
| 150 | } |
|---|
| 151 | |
|---|
| 152 | // return userdn (and username) for authentication |
|---|
| 153 | /* public function ldap_search_dn($to_search){ |
|---|
| 154 | $filter = str_replace('%s',$to_search,$this->config['ld_filter']); |
|---|
| 155 | //$this->write_log('$filter '.$filter); |
|---|
| 156 | |
|---|
| 157 | if ($search = @ldap_search($this->cnx,$this->config['basedn'],$filter,array('dn',$this->config['ld_attr']),0,1)){ |
|---|
| 158 | $entry = @ldap_get_entries($this->cnx, $search); |
|---|
| 159 | if (!empty($entry[0][strtolower($this->config['ld_attr'])][0])) { |
|---|
| 160 | return $entry; |
|---|
| 161 | } |
|---|
| 162 | } |
|---|
| 163 | return false; |
|---|
| 164 | } */ |
|---|
| 165 | |
|---|
| 166 | |
|---|
| 167 | public function getAttr() { |
|---|
| 168 | $search = @ldap_read($this->cnx, "cn=subschema", "(objectClass=*)", array('*', 'subschemasubentry')); |
|---|
| 169 | $entries = @ldap_get_entries($this->cnx, $search); |
|---|
| 170 | echo count($entries); |
|---|
| 171 | } |
|---|
| 172 | |
|---|
| 173 | public function getRootDse() { |
|---|
| 174 | |
|---|
| 175 | $search = @ldap_read($this->cnx, NULL, 'objectClass=*', array("*", "+")); |
|---|
| 176 | $entries = @ldap_get_entries($this->cnx, $search); |
|---|
| 177 | return $entries[0]; |
|---|
| 178 | } |
|---|
| 179 | |
|---|
| 180 | |
|---|
| 181 | public function ldap_check_basedn(){ |
|---|
| 182 | if ($read = @ldap_read($this->cnx,$this->config['basedn'],'(objectClass=*)',array('dn'))){ |
|---|
| 183 | $entry = @ldap_get_entries($this->cnx, $read); |
|---|
| 184 | if (!empty($entry[0]['dn'])) { |
|---|
| 185 | return true; |
|---|
| 186 | } |
|---|
| 187 | } |
|---|
| 188 | return false; |
|---|
| 189 | } |
|---|
| 190 | |
|---|
| 191 | } |
|---|
| 192 | ?> |
|---|
