function install_etape_ldap4_dist()
{
$adresse_ldap = _request('adresse_ldap');
$login_ldap = _request('login_ldap');
$pass_ldap = _request('pass_ldap');
$port_ldap = _request('port_ldap');
$base_ldap = _request('base_ldap');
$base_ldap_text = _request('base_ldap_text');
if (!$base_ldap) {
$base_ldap = $base_ldap_text;
}
echo install_debut_html();
$ldap_link = ldap_connect($adresse_ldap, $port_ldap);
@ldap_bind($ldap_link, $login_ldap, $pass_ldap);
// Essayer de verifier le chemin fourni
$r = @ldap_compare($ldap_link, $base_ldap, "objectClass", "");
$fail = ldap_errno($ldap_link) == 32;
if ($fail) {
echo info_etape(_T('info_chemin_acces_annuaire')), info_progression_etape(3, 'etape_ldap', 'install/', true), "<div class='error'><p><b>" . _T('avis_operation_echec') . "</b></p><p>" . _T('avis_chemin_invalide_1'), " (<tt>" . htmlspecialchars($base_ldap) . "</tt>) " . _T('avis_chemin_invalide_2') . "</p></div>";
} else {
info_etape(_T('info_reglage_ldap'));
echo info_progression_etape(4, 'etape_ldap', 'install/');
$statuts = liste_statuts_ldap();
$statut_ldap = defined('_INSTALL_STATUT_LDAP') ? _INSTALL_STATUT_LDAP : $GLOBALS['liste_des_statuts']['info_redacteurs'];
$res = install_propager(array('adresse_ldap', 'port_ldap', 'login_ldap', 'pass_ldap', 'protocole_ldap', 'tls_ldap')) . "<input type='hidden' name='etape' value='ldap5' />" . "<input type='hidden' name='base_ldap' value='" . htmlentities($base_ldap) . "' />" . fieldset(_T('info_statut_utilisateurs_1'), array('statut_ldap' => array('label' => _T('info_statut_utilisateurs_2') . '<br />', 'valeur' => $statut_ldap, 'alternatives' => $statuts))) . install_ldap_correspondances() . bouton_suivant();
echo generer_form_ecrire('install', $res);
}
echo install_fin_html();
}
/**
* Finds if user belongs to group, recursively if requested
* Private function for this LDAP module only.
*
* @param string $ldap_group LDAP group to check
* @param string $userdn User Distinguished Name
* @param int $depth Recursion depth (used in recursion, stops at configured maximum depth)
*
* @return array Array of server names to be used for LDAP.
*/
function ldap_search_user($ldap_group, $userdn, $depth = -1)
{
global $ds, $config;
$compare = ldap_compare($ds, $ldap_group, $config['auth_ldap_groupmemberattr'], $userdn);
if ($compare === TRUE) {
return TRUE;
// Member found, return TRUE
} elseif ($config['auth_ldap_recursive'] === true && $depth < $config['auth_ldap_recursive_maxdepth']) {
$depth++;
//$filter = "(&(objectClass=group)(memberOf=". $ldap_group ."))";
$filter_params = array();
$filter_params[] = ldap_filter_create('objectClass', 'group');
$filter_params[] = ldap_filter_create('memberOf', $ldap_group);
$filter = ldap_filter_combine($filter_params);
print_debug("LDAP[UserSearch][{$depth}][Comparing: " . $ldap_group . "][" . $config['auth_ldap_groupmemberattr'] . "={$userdn}][Filter: {$filter}]");
$ldap_search = ldap_search($ds, trim($config['auth_ldap_groupbase'], ', '), $filter, array($config['auth_ldap_attr']['dn']));
$ldap_results = ldap_get_entries($ds, $ldap_search);
array_shift($ldap_results);
// Chop off "count" array entry
foreach ($ldap_results as $element) {
print_debug("LDAP[UserSearch][{$depth}][Comparing: " . $element[$config['auth_ldap_attr']['dn']][0] . "][" . $config['auth_ldap_groupmemberattr'] . "={$userdn}]");
$result = ldap_search_user($element[$config['auth_ldap_attr']['dn']][0], $userdn, $depth);
if ($result === TRUE) {
return TRUE;
// Member found, return TRUE
}
}
return FALSE;
// Not found, return FALSE.
} else {
return FALSE;
// Recursion disabled or reached maximum depth, return FALSE.
}
}
function authenticate($username, $password)
{
global $config;
$ds = @ldap_connect($config['auth_ldap_server'], $config['auth_ldap_port']);
if ($ds) {
if ($config['auth_ldap_version']) {
ldap_set_option($ds, LDAP_OPT_PROTOCOL_VERSION, $config['auth_ldap_version']);
}
if (ldap_bind($ds, $config['auth_ldap_prefix'] . $username . $config['auth_ldap_suffix'], $password)) {
if (!$config['auth_ldap_group']) {
return 1;
} else {
if (ldap_compare($ds, $config['auth_ldap_group'], 'memberUid', $username)) {
return 1;
}
}
}
} else {
# FIXME return a warning that LDAP couldn't connect?
}
return 0;
}
/**
* Compare an entry and return a true or false result
*
* @param string $dn The DN which contains the attribute you want to compare
* @param string $attribute The attribute whose value you want to compare
* @param string $value The value you want to check against the LDAP attribute
*
* @return mixed result of comparison (true, false, -1 on error)
*
* @since 12.1
*/
public function compare($dn, $attribute, $value)
{
return @ldap_compare($this->_resource, $dn, $attribute, $value);
}
function get_userlist()
{
global $config, $ldap_connection;
$userlist = array();
$filter = '(' . $config['auth_ldap_prefix'] . '*)';
$search = ldap_search($ldap_connection, trim($config['auth_ldap_suffix'], ','), $filter);
$entries = ldap_get_entries($ldap_connection, $search);
if ($entries['count']) {
foreach ($entries as $entry) {
$username = $entry['uid'][0];
$realname = $entry['cn'][0];
$user_id = $entry['uidnumber'][0];
$email = $entry[$config['auth_ldap_emailattr']][0];
$ldap_groups = get_group_list();
foreach ($ldap_groups as $ldap_group) {
$ldap_comparison = ldap_compare($ldap_connection, $ldap_group, $config['auth_ldap_groupmemberattr'], get_membername($username));
if (!isset($config['auth_ldap_group']) || $ldap_comparison === true) {
$userlist[] = array('username' => $username, 'realname' => $realname, 'user_id' => $user_id, 'email' => $email);
}
}
}
}
return $userlist;
}
ldap_mod_replace($ds, $dn, $entry);
/* ### SEARCH ### */
$dn = "o=My Company, c=USs";
echo "\nSearch " . $dn;
$filter = "(|(sn=jeantet)(givenname=jeantet*))";
$justthese = array("ou", "sn", "givenname", "mail");
$cookie = 'cookie';
ldap_control_paged_result($ds, 23, true, $cookie);
$sr = ldap_search($ds, $dn, $filter, $justthese);
$info = ldap_get_entries($ds, $sr);
echo "\n\t" . $info["count"] . " entries returned";
// ldap_control_paged_result_response($ds, $sr, $cookie);
/* ### COMPARE ### */
$dn = "cn=Matti Meikku, ou=My Unit, o=My Company, c=FI";
echo "\nCompare " . $dn;
// Préparation des données
$value = "secretpassword";
$attr = "password";
// Comparaison des valeurs
$r = ldap_compare($ds, $dn, $attr, $value);
if ($r === -1) {
echo "Error: " . ldap_error($ds);
} elseif ($r === true) {
echo "\n\tCompare true.";
} elseif ($r === false) {
echo "\n\tCompare false !";
}
/* ### LDAP CLOSE / UNBIND ### */
echo "\nUnbind ";
ldap_unbind($ds);
echo "\n";
/**
* Compare the value of attribute found in entry specified with $dn
*
* Used to compare the value of attr to the value of same attribute in the LDAP directory
* entry specified with $dn.
*
* Returns TRUE if value matches, otherwise returns FALSE. Returns -1 on error.
*
* @link http://www.php.net/ldap_compare
* @param string $dn The DN which we are comparing
* @param string $attr The attribute to check
* @param string $value The value to check for
* @return mixed
*/
function compare($dn, $attr, $value)
{
$result = @ldap_compare($this->connection, $dn, $attr, $value);
if ($result === -1) {
$this->setErrVars();
}
return $result;
}
/**
* {@inheritdoc}
*/
public function compare($dn, $attribute, $value)
{
return ldap_compare($this->getConnection(), $dn, $attribute, $value);
}
/**
* Wrapper function for ldap_compare().
*
* @param resource $link_identifier
* An LDAP link identifier.
* @param string $dn
* The distinguished name of an LDAP entity.
* @param string $attribute
* The attribute name.
* @param string $value
* The compared value.
*
* @return boolean
* Returns TRUE if value matches otherwise returns FALSE.
*
* @throw SimpleLdapException
*/
public static function ldap_compare($link_identifier, $dn, $attribute, $value)
{
// Devel debugging.
if (variable_get('simple_ldap_devel', FALSE)) {
dpm(__FUNCTION__);
dpm(array('$dn' => $dn, '$attribute' => $attribute, '$value' => $value));
}
// Wrapped function call.
$return = @ldap_compare($link_identifier, $dn, $attribute, $value);
// Debugging.
if (variable_get('simple_ldap_debug', FALSE)) {
$message = __FUNCTION__ . '($link_identifier = @link_identifier, $dn = @dn, $attribute = @attribute, $value = @value) returns @return';
$variables = array('@link_identifier' => print_r($link_identifier, TRUE), '@dn' => print_r($dn, TRUE), '@attribute' => print_r($attribute, TRUE), '@value' => print_r($value, TRUE), '@return' => print_r($return, TRUE));
watchdog('simple_ldap', $message, $variables, WATCHDOG_DEBUG);
}
// Error handling.
if ($return == -1) {
throw new SimpleLdapException($link_identifier);
}
return $return;
}
/**
* @link http://php.net/manual/en/function.ldap-compare.php
* @param $linkIdentifier
* @param $dn
* @param $attribute
* @param $value
* @return mixed
*/
public function compare($linkIdentifier, $dn, $attribute, $value)
{
return ldap_compare($linkIdentifier, $dn, $attribute, $value);
}
function ldapauth_authenticate($username, $password, &$mail)
{
logger('ldapauth: Searching user ' . $username . '.');
$ldap_server = get_config('ldapauth', 'ldap_server');
$ldap_binddn = get_config('ldapauth', 'ldap_binddn');
$ldap_bindpw = get_config('ldapauth', 'ldap_bindpw');
$ldap_searchdn = get_config('ldapauth', 'ldap_searchdn');
$ldap_userattr = get_config('ldapauth', 'ldap_userattr');
$ldap_group = get_config('ldapauth', 'ldap_group');
if (empty($password)) {
logger('ldapauth: Empty Password not allowed.');
return false;
}
if (!function_exists('ldap_connect') || empty($ldap_server)) {
logger('ldapauth: PHP-LDAP fail or no server set.');
return false;
}
$connect = @ldap_connect($ldap_server);
if (!$connect) {
logger('ldapauth: Unable to connect to server');
return false;
}
@ldap_set_option($connect, LDAP_OPT_PROTOCOL_VERSION, 3);
@ldap_set_option($connect, LDAP_OPT_REFERRALS, 0);
if (@ldap_bind($connect, $ldap_binddn, $ldap_bindpw) === false) {
logger('ldapauth: Unable to bind to server. Check credentials of binddn.');
return false;
}
$res = @ldap_search($connect, $ldap_searchdn, $ldap_userattr . '=' . $username, array('mail'));
if (!$res) {
logger('ldapauth: User ' . $username . ' not found.');
return false;
}
$id = @ldap_first_entry($connect, $res);
if (!$id) {
logger('ldapauth: User ' . $username . ' found but unable to load data.');
return false;
}
// get primary email
$mail = '';
$attrs = @ldap_get_attributes($connect, $id);
if ($attrs['count'] && $attrs['mail']) {
if (is_array($attrs['mail'])) {
$mail = $attrs['mail'][0];
} else {
$mail = $attrs['mail'];
}
}
$dn = @ldap_get_dn($connect, $id);
if (!@ldap_bind($connect, $dn, $password)) {
logger('ldapauth: User ' . $username . ' provided wrong credentials.');
return false;
}
if (empty($ldap_group)) {
logger('ldapauth: User ' . $username . ' authenticated.');
return true;
}
$r = @ldap_compare($connect, $ldap_group, 'member', $dn);
if ($r === -1) {
$err = @ldap_error($connect);
$eno = @ldap_errno($connect);
@ldap_close($connect);
if ($eno === 32) {
logger('ldapauth: access control group Does Not Exist');
return false;
} elseif ($eno === 16) {
logger('ldapauth: membership attribute does not exist in access control group');
return false;
} else {
logger('ldapauth: error: ' . $err);
return false;
}
} elseif ($r === false) {
logger('ldapauth: User ' . $username . ' is not in the allowed group.');
@ldap_close($connect);
return false;
}
// logger('ldapauth: User '.$username.' authenticated and in allowed group.');
return true;
}
<?php
require "connect.inc";
$link = ldap_connect_and_bind($host, $port, $user, $passwd, $protocol_version);
insert_dummy_data($link, $base);
var_dump(ldap_compare($link, "cn=userA,{$base}", "sn", "testSN1"), ldap_compare($link, "cn=userA,{$base}", "telephoneNumber", "yy-yy-yy-yy-yy"));
?>
===DONE===
/**
* Compare an entry and return the result
*
* @param string $dn The distinguished name of the attribute to compare
* @param string $attribute The attribute name/key
* @param string $value The compared value of the attribute (case insensitive)
*
* @return boolean True if value matches otherwise returns False.
*
* @since 1.0
* @throws SHLdapException
*/
public function compare($dn, $attribute, $value)
{
$this->operationAllowed();
// Do the Ldap compare operation
$result = @ldap_compare($this->resource, $dn, $attribute, $value);
if ($result === -1)
{
// A error in the Ldap compare operation occurred
throw new SHLdapException($this->getErrorCode(), 10131, JText::_('LIB_SHLDAP_ERR_10131'));
}
return $result;
}
/**
* @param string $dn
* @param string $attribute
* @param mixed $value
* @return bool
* @throws UnavailableException
* @throws ReadFailureException
*/
public function compare($dn, $attribute, $value)
{
$this->checkBound();
if (-1 === ($result = ldap_compare($this->link, $dn, $attribute, $value))) {
throw new ReadFailureException(ldap_error($this->link), ldap_errno($this->link));
}
return $result;
}
/**
* This function queries the LDAP server to determine whether a given user and
* group combination exists. This function returns an array of groups the given
* user belongs to
*
* @param array $groupsInConfig
*
* @author Andrew Darwin <*****@*****.**>
* @author Delvison Castillo
*/
function queryLDAP($groupsInConfig)
{
$groupsUserBelongsTo = array();
global $ldapAddress;
global $ldapPort;
global $useLDAP;
//LDAP QUERIES HERE
if (!$useLDAP) {
$groupsUserBelongsTo = array("public");
return $groupsUserBelongsTo;
}
if ($ldapAddress == "" || $ldapPort == "") {
return null;
}
$ldap = ldap_connect($ldapAddress, $ldapPort);
logMessage("queryLDAP() Tried to connect to LDAP and got the following " . "object: {$ldap}");
//$bindedLDAP = ldap_bind($ldap); //binded for read access
if ($ldap && ldap_bind($ldap)) {
logMessage("queryLDAP() is beginning to query groups from config");
foreach ($groupsInConfig as $group) {
// prepare data
$dn = getLDAPQueryDN($group);
$value = getLDAPQueryValue();
$attr = getLDAPQueryAttribute();
logMessage("queryLDAP() prepared a query with dn: {$dn}, value: " . "{$value}, and attr: {$attr}");
$query = ldap_compare($ldap, $dn, $attr, $value);
logMessage("queryLDAP(): The query returned: " . ($query ? "true" : "false"));
if ($query === -1) {
//AN ERROR HAS OCCURED
$groupsUserBelongsTo = array("LDAP Error");
logMessage("LDAP ERROR");
} else {
if ($query) {
array_push($groupsUserBelongsTo, $group);
logMessage("queryLDAP() pushed group: {$group} to list of groups " . "the user belongs to");
}
}
}
} else {
$groupsUserBelongsTo = array("Invalid LDAP Connection");
}
return $groupsUserBelongsTo;
}
function ldap_auth_user_list()
{
global $config, $ds;
ldap_init();
ldap_bind_dn();
$filter = '(objectClass=' . $config['auth_ldap_objectclass'] . ')';
print_debug("LDAP[UserList][Filter][{$filter}][" . trim($config['auth_ldap_suffix'], ', ') . "]");
$search = ldap_search($ds, trim($config['auth_ldap_suffix'], ', '), $filter);
print_debug(ldap_error($ds));
$entries = ldap_get_entries($ds, $search);
if ($entries['count']) {
for ($i = 0; $i < $entries['count']; $i++) {
$username = $entries[$i][strtolower($config['auth_ldap_attr']['uid'])][0];
$realname = $entries[$i][strtolower($config['auth_ldap_attr']['cn'])][0];
$user_id = ldap_internal_auth_user_id($entries[$i]);
$userdn = $config['auth_ldap_groupmembertype'] == 'fulldn' ? $entries[$i]['dn'] : $username;
print_debug("LDAP[UserList][Compare: " . implode('|', $config['auth_ldap_group']) . "][" . $config['auth_ldap_groupmemberattr'] . "][{$userdn}]");
foreach ($config['auth_ldap_group'] as $ldap_group) {
$authorized = 0;
$compare = ldap_compare($ds, $ldap_group, $config['auth_ldap_groupmemberattr'], $userdn);
if ($compare === -1) {
print_debug("LDAP[UserList][Compare LDAP error: " . ldap_error($ds) . "]");
continue;
} elseif ($compare === FALSE) {
print_debug("LDAP[UserList][Processing group: {$ldap_group}][Not matched]");
} else {
// $$compare === TRUE
print_debug("LDAP[UserList][Authorized: {$userdn} for group {$ldap_group}]");
$authorized = 1;
break;
}
// FIXME does not support nested groups
}
if (!isset($config['auth_ldap_group']) || $authorized) {
$userlist[] = array('username' => $username, 'realname' => $realname, 'user_id' => $user_id);
}
}
}
return $userlist;
}
function check_filegroup_membership($ds, $uid)
{
$dn = LDAP_GROUPDN;
$attr = LDAP_GROUP_ATTRIBUTE;
$result = @ldap_compare($ds, $dn, $attr, $uid);
if ($result === true) {
return true;
} else {
return false;
}
}
/**
Compare the value of the attribute of an entry for a specific DN.
@param $sDN The Distinguished Name of an LDAP entity.
@param $sAttribute The attribute name.
@param $sValue The compared value.
@return bool Whether the value matched.
@throw LDAPException If an error occurs.
*/
public function isEqual($sDN, $sAttribute, $sValue)
{
$b = ldap_compare($this->rLink, $sDN, $sAttribute, $sValue);
if ($b === -1) {
throw new LDAPException(_WT('Failed to compare the value of the attribute.') . "\n" . ldap_error($this->rLink), ldap_errno($this->rLink));
}
return $b;
}
<?php require "connect.inc"; $link = ldap_connect_and_bind($host, $port, $user, $passwd, $protocol_version); insert_dummy_data($link); var_dump(ldap_compare($link, "cn=userA,dc=my-domain,dc=com", "sn", "testSN1"), ldap_compare($link, "cn=userA,dc=my-domain,dc=com", "telephoneNumber", "yy-yy-yy-yy-yy")); ?> ===DONE=== <?php include "connect.inc"; $link = ldap_connect_and_bind($host, $port, $user, $passwd, $protocol_version); remove_dummy_data($link);
<?php
require "connect.inc";
$link = ldap_connect_and_bind($host, $port, $user, $passwd, $protocol_version);
insert_dummy_data($link, $base);
// Too few parameters
var_dump(ldap_compare($link));
var_dump(ldap_compare($link, $link));
var_dump(ldap_compare($link, $link, $link));
// Too many parameters
var_dump(ldap_compare($link, $link, $link, $link, "Additional data"));
var_dump(ldap_compare($link, "cn=userNotAvailable,{$base}", "sn", "testSN1"), ldap_error($link), ldap_errno($link));
?>
===DONE===
function get_userlist()
{
global $config, $ds;
$filter = '(' . $config['auth_ldap_prefix'] . '*)';
$search = ldap_search($ds, trim($config['auth_ldap_suffix'], ','), $filter);
$entries = ldap_get_entries($ds, $search);
if ($entries['count']) {
foreach ($entries as $entry) {
$username = $entry['uid'][0];
$realname = $entry['cn'][0];
$user_id = $entry['uidnumber'][0];
if (!isset($config['auth_ldap_group']) || ldap_compare($ds, $config['auth_ldap_group'], 'memberUid', $username)) {
$userlist[] = array('username' => $username, 'realname' => $realname, 'user_id' => $user_id);
}
}
}
return $userlist;
}
<?php require "connect.inc"; $link = ldap_connect_and_bind($host, $port, $user, $passwd, $protocol_version); insert_dummy_data($link, $base); // Too few parameters var_dump(ldap_compare($link)); var_dump(ldap_compare($link, $link)); var_dump(ldap_compare($link, $link, $link)); // Too many parameters var_dump(ldap_compare($link, $link, $link, $link, "Additional data")); var_dump( ldap_compare($link, "cn=userNotAvailable,$base", "sn", "testSN1"), ldap_error($link), ldap_errno($link) ); ?> ===DONE=== <?php include "connect.inc"; $link = ldap_connect_and_bind($host, $port, $user, $passwd, $protocol_version); remove_dummy_data($link, $base); ?>
/**
* Performs the LDAP authentication procedure
*
* @since 1.0
* @package facileManager
*
* @param string $username Username to authenticate
* @param string $password Username to authenticate with
* @return boolean
*/
function doLDAPAuth($username, $password)
{
global $fmdb;
/** Get LDAP variables */
if (empty($ldap_server)) {
$ldap_server = getOption('ldap_server');
}
if (empty($ldap_port)) {
$ldap_port = getOption('ldap_port');
}
if (empty($ldap_port_ssl)) {
$ldap_port_ssl = getOption('ldap_port_ssl');
}
if (empty($ldap_version)) {
$ldap_version = getOption('ldap_version');
}
if (empty($ldap_encryption)) {
$ldap_encryption = getOption('ldap_encryption');
}
if (empty($ldap_referrals)) {
$ldap_referrals = getOption('ldap_referrals');
}
if (empty($ldap_dn)) {
$ldap_dn = getOption('ldap_dn');
}
if (empty($ldap_group_require)) {
$ldap_group_require = getOption('ldap_group_require');
}
if (empty($ldap_group_dn)) {
$ldap_group_dn = getOption('ldap_group_dn');
}
if (empty($ldap_group_attribute)) {
$ldap_group_attribute = getOption('ldap_group_attribute');
}
$ldap_dn = str_replace('<username>', $username, $ldap_dn);
if ($ldap_encryption == 'SSL') {
$ldap_connect = @ldap_connect('ldaps://' . $ldap_server, $ldap_port_ssl);
} else {
$ldap_connect = @ldap_connect($ldap_server, $ldap_port);
}
if ($ldap_connect) {
/** Set protocol version */
if (!@ldap_set_option($ldap_connect, LDAP_OPT_PROTOCOL_VERSION, $ldap_version)) {
@ldap_close($ldap_connect);
return false;
}
/** Set referrals */
if (!@ldap_set_option($ldap_connect, LDAP_OPT_REFERRALS, $ldap_referrals)) {
@ldap_close($ldap_connect);
return false;
}
/** Start TLS if requested */
if ($ldap_encryption == 'TLS') {
if (!@ldap_start_tls($ldap_connect)) {
@ldap_close($ldap_connect);
return false;
}
}
$ldap_bind = @ldap_bind($ldap_connect, $ldap_dn, $password);
if ($ldap_bind) {
if ($ldap_group_require) {
/** Process group membership if required */
$ldap_group_response = @ldap_compare($ldap_connect, $ldap_group_dn, $ldap_group_attribute, $username);
if ($ldap_group_response !== true) {
@ldap_close($ldap_connect);
return false;
}
}
/** Get user permissions from database */
$fmdb->get_results("SELECT * FROM `fm_users` WHERE `user_status`='active' AND `user_auth_type`=2 AND `user_template_only`='no' AND `user_login`='{$username}'");
if (!$fmdb->num_rows) {
if (!$this->createUserFromTemplate($username)) {
@ldap_close($ldap_connect);
return false;
}
}
$this->setSession($fmdb->last_result[0]);
return true;
}
/** Close LDAP connection */
@ldap_close($ldap_connect);
}
return false;
}
/**
* Compare value of attribute found in entry specified with DN
*
* @param string $dn The distinguished name of an LDAP entity
* @param string $attribute The attribute name
* @param string $value The compared value
* @return bool Returns TRUE if value matches otherwise returns FALSE
*/
public function compare($dn, $attribute, $value)
{
$retVal = @ldap_compare($this->resource, $dn, $attribute, $value);
$this->verifyOperation();
return $retVal;
}
<?php require "connect.inc"; $link = ldap_connect_and_bind($host, $port, $user, $passwd, $protocol_version); insert_dummy_data($link, $base); var_dump( ldap_compare($link, "cn=userA,$base", "sn", "testSN1"), ldap_compare($link, "cn=userA,$base", "telephoneNumber", "yy-yy-yy-yy-yy") ); ?> ===DONE=== <?php include "connect.inc"; $link = ldap_connect_and_bind($host, $port, $user, $passwd, $protocol_version); remove_dummy_data($link, $base); ?>
function ldapauth_authenticate($username, $password)
{
$ldap_server = get_config('ldapauth', 'ldap_server');
$ldap_binddn = get_config('ldapauth', 'ldap_binddn');
$ldap_bindpw = get_config('ldapauth', 'ldap_bindpw');
$ldap_searchdn = get_config('ldapauth', 'ldap_searchdn');
$ldap_userattr = get_config('ldapauth', 'ldap_userattr');
$ldap_group = get_config('ldapauth', 'ldap_group');
$ldap_autocreateaccount = get_config('ldapauth', 'ldap_autocreateaccount');
$ldap_autocreateaccount_emailattribute = get_config('ldapauth', 'ldap_autocreateaccount_emailattribute');
$ldap_autocreateaccount_nameattribute = get_config('ldapauth', 'ldap_autocreateaccount_nameattribute');
if (!(strlen($password) && function_exists('ldap_connect') && strlen($ldap_server))) {
logger("ldapauth: not configured or missing php-ldap module");
return false;
}
$connect = @ldap_connect($ldap_server);
if ($connect === false) {
logger("ldapauth: could not connect to {$ldap_server}");
return false;
}
@ldap_set_option($connect, LDAP_OPT_PROTOCOL_VERSION, 3);
@ldap_set_option($connect, LDAP_OPT_REFERRALS, 0);
if (@ldap_bind($connect, $ldap_binddn, $ldap_bindpw) === false) {
logger("ldapauth: could not bind {$ldap_server} as {$ldap_binddn}");
return false;
}
$res = @ldap_search($connect, $ldap_searchdn, $ldap_userattr . '=' . $username);
if (!$res) {
logger("ldapauth: {$ldap_userattr}={$username},{$ldap_searchdn} not found");
return false;
}
$id = @ldap_first_entry($connect, $res);
if (!$id) {
return false;
}
$dn = @ldap_get_dn($connect, $id);
if (!@ldap_bind($connect, $dn, $password)) {
return false;
}
$emailarray = [];
$namearray = [];
if ($ldap_autocreateaccount == "true") {
if (!strlen($ldap_autocreateaccount_emailattribute)) {
$ldap_autocreateaccount_emailattribute = "mail";
}
if (!strlen($ldap_autocreateaccount_nameattribute)) {
$ldap_autocreateaccount_nameattribute = "givenName";
}
$emailarray = @ldap_get_values($connect, $id, $ldap_autocreateaccount_emailattribute);
$namearray = @ldap_get_values($connect, $id, $ldap_autocreateaccount_nameattribute);
}
if (!strlen($ldap_group)) {
ldap_autocreateaccount($ldap_autocreateaccount, $username, $password, $emailarray[0], $namearray[0]);
return true;
}
$r = @ldap_compare($connect, $ldap_group, 'member', $dn);
if ($r === -1) {
$err = @ldap_error($connect);
$eno = @ldap_errno($connect);
@ldap_close($connect);
if ($eno === 32) {
logger("ldapauth: access control group Does Not Exist");
return false;
} elseif ($eno === 16) {
logger('ldapauth: membership attribute does not exist in access control group');
return false;
} else {
logger('ldapauth: error: ' . $err);
return false;
}
} elseif ($r === false) {
@ldap_close($connect);
return false;
}
ldap_autocreateaccount($ldap_autocreateaccount, $username, $password, $emailarray[0], $namearray[0]);
return true;
}
function Authenticate()
{
$output = array();
/* function check */
if (!function_exists("ldap_connect")) {
$output["error_num"] = 99;
$output["error_text"] = "PHP LDAP not enabled";
return $output;
}
/* validation */
if (empty($this->username)) {
$output["error_num"] = "2";
$output["error_text"] = "No username defined";
return $output;
}
$this->dn = str_replace("<username>", $this->username, $this->dn);
/* Fix encoding of username and password */
$this->username = html_entity_decode($this->username, ENT_COMPAT | ENT_HTML401, "UTF-8");
$this->password = html_entity_decode($this->password, ENT_COMPAT | ENT_HTML401, "UTF-8");
/* Determine connection method and create LDAP Object */
if ($this->encryption == "1") {
/* This only works with OpenLDAP, I'm pretty sure this will not work with Solaris, Tony */
$ldap_conn = @ldap_connect("ldaps://" . $this->host . ":" . $this->port_ssl);
} else {
$ldap_conn = @ldap_connect($this->host, $this->port);
}
if ($ldap_conn) {
/* Set protocol version */
cacti_log("LDAP: Setting protocol version to " . $this->version, false, "AUTH");
if (!@ldap_set_option($ldap_conn, LDAP_OPT_PROTOCOL_VERSION, $this->version)) {
$output["error_num"] = "3";
$output["error_text"] = "Protocol Error, Unable to set version";
cacti_log("LDAP: " . $output["error_text"], false, "AUTH");
@ldap_close($ldap_conn);
return $output;
}
/* set referrals */
if ($this->referrals == "0") {
if (!@ldap_set_option($ldap_conn, LDAP_OPT_REFERRALS, 0)) {
$output["error_num"] = "4";
$output["error_text"] = "Unable to set referrals option";
cacti_log("LDAP: " . $output["error_text"], false, "AUTH");
@ldap_close($ldap_conn);
return $output;
}
}
/* start TLS if requested */
if ($this->encryption == "2") {
if (!@ldap_start_tls($ldap_conn)) {
$output["error_num"] = "5";
$output["error_text"] = "Protocol error, unable to start TLS communications";
cacti_log("LDAP: " . $output["error_text"], false, "AUTH");
@ldap_close($ldap_conn);
return $output;
}
}
/* Bind to the LDAP directory */
$ldap_response = @ldap_bind($ldap_conn, $this->dn, $this->password);
if ($ldap_response) {
if ($this->group_require == 1) {
/* Process group membership if required */
if ($this->group_member_type == 1) {
$ldap_group_response = @ldap_compare($ldap_conn, $this->group_dn, $this->group_attrib, $this->dn);
} else {
$ldap_group_response = @ldap_compare($ldap_conn, $this->group_dn, $this->group_attrib, $this->username);
}
if ($ldap_group_response === true) {
/* Auth ok */
$output["error_num"] = "0";
$output["error_text"] = "Authentication Success";
} else {
if ($ldap_group_response === false) {
$output["error_num"] = "8";
$output["error_text"] = "Insufficient access";
cacti_log("LDAP: " . $output["error_text"], false, "AUTH");
@ldap_close($ldap_conn);
return $output;
} else {
$output["error_num"] = "12";
$output["error_text"] = "Group DN could not be found to compare";
cacti_log("LDAP: " . $output["error_text"], false, "AUTH");
@ldap_close($ldap_conn);
return $output;
}
}
} else {
/* Auth ok - No group membership required */
$output["error_num"] = "0";
$output["error_text"] = "Authentication Success";
}
} else {
/* unable to bind */
$ldap_error = ldap_errno($ldap_conn);
if ($ldap_error == 0x3) {
/* protocol error */
$output["error_num"] = "7";
$output["error_text"] = "Protocol error";
} elseif ($ldap_error == 0x31) {
/* invalid credentials */
$output["error_num"] = "1";
$output["error_text"] = "Authentication Failure";
} elseif ($ldap_error == 0x32) {
/* insuffient access */
$output["error_num"] = "8";
$output["error_text"] = "Insufficient access";
} elseif ($ldap_error == 0x51) {
/* unable to connect to server */
$output["error_num"] = "9";
$output["error_text"] = "Unable to connect to server";
} elseif ($ldap_error == 0x55) {
/* timeout */
$output["error_num"] = "10";
$output["error_text"] = "Connection Timeout";
} else {
/* general bind error */
$output["error_num"] = "11";
$output["error_text"] = "General bind error, LDAP result: " . ldap_error($ldap_conn);
}
}
} else {
/* Error intializing LDAP */
$output["error_num"] = "6";
$output["error_text"] = "Unable to create LDAP object";
}
/* Close LDAP connection */
@ldap_close($ldap_conn);
if ($output["error_num"] > 0) {
cacti_log("LDAP: " . $output["error_text"], false, "AUTH");
}
return $output;
}
private function getLdapAccount()
{
//chech if KOLAB_LDAP_SERVER is a URI or an IP
$reg = "/ldap:\\/\\/(.+):(.+)/";
if (preg_match($reg, KOLAB_SERVER, $tab)) {
$addrip = $tab[1];
$port = $tab[2];
} else {
$addrip = KOLAB_SERVER;
$port = 389;
}
$conn = ldap_connect($addrip, $port);
if ($conn == 0) {
$this->Log("ERR LDAP connexion to server : " . KOLAB_SERVER . " failed");
return 0;
}
if (!ldap_bind($conn, "", "")) {
$this->Log("ERR LDAP Invalid credential");
return 0;
}
//recherche du DN a autentifier
if (!($sr = ldap_search($conn, KOLAB_LDAP_BASE, "(uid=" . $this->_username . ")"))) {
$this->Log("ERR LDAP " . $this->_username . " not found");
return 0;
}
$entries = ldap_get_entries($conn, $sr);
if ($entries['count'] == 1) {
$this->_email = $entries[0]["mail"][0];
$this->_cn = $entries[0]["cn"][0];
$this->_KolabHomeServer = $entries[0]["kolabhomeserver"][0];
$dn = $entries[0]["dn"];
//check ACL if KOLAN_LDAP_ACL
if (defined("KOLAB_LDAP_ACL")) {
$grp = KOLAB_LDAP_ACL;
} else {
$grp = "";
}
if ($grp != "") {
//check if the dn is in the group as member
$r = ldap_compare($conn, $grp, "member", $dn);
if (!$r) {
$this->Log("ACL member not present in {$grp} Access Denied");
return 0;
}
if ($r == -1) {
$this->Log("ACL group {$gr} not found (acces authorized)");
}
}
return 1;
}
}
function is_dn_member_of_group($userDn, $groupDn)
{
$ldap = $this->get_ldap_connection();
$link = $ldap->getLink();
$r = @ldap_compare($link, $groupDn, $this->uniqueMember_attribute, $userDn);
if ($r === true) {
return true;
} else {
if ($r === false) {
return false;
} else {
common_log(LOG_ERR, "LDAP error determining if userDn={$userDn} is a member of groupDn={$groupDn} using uniqueMember_attribute={$this->uniqueMember_attribute} error: " . ldap_error($link));
return false;
}
}
}
function cacti_ldap_auth($username,$password = "",$ldap_dn = "",$ldap_device = "",$ldap_port = "",$ldap_port_ssl = "",$ldap_version = "",$ldap_encryption = "",$ldap_referrals = "",$ldap_group_require = "",$ldap_group_dn = "",$ldap_group_attrib = "",$ldap_group_member_type = "") {
require_once(CACTI_BASE_PATH . "/include/auth/auth_constants.php");
$output = array();
/* function check */
if (! function_exists("ldap_connect")) {
$output["error_num"] = 99;
$output["error_text"] = "PHP LDAP not enabled";
return $output;
}
/* validation */
if (empty($username)) {
$output["error_num"] = "2";
$output["error_text"] = "No username defined";
return $output;
}
/* Fix encoding of username and password */
$username = utf8_encode($username);
$password = utf8_encode($password);
/* get LDAP parameters */
if (empty($ldap_dn)) {
$ldap_dn = read_config_option("ldap_dn");
}
$ldap_dn = str_replace("<username>",$username,$ldap_dn);
if (empty($ldap_device)) {
$ldap_device = read_config_option("ldap_server");
}
if (empty($ldap_port)) {
$ldap_port = read_config_option("ldap_port");
}
if (empty($ldap_port_ssl)) {
$ldap_port_ssl = read_config_option("ldap_port_ssl");
}
if (empty($ldap_version)) {
$ldap_version = read_config_option("ldap_version");
}
if (empty($ldap_encryption)) {
$ldap_encryption = read_config_option("ldap_encryption");
}
if (empty($ldap_referrals)) {
$ldap_referrals = read_config_option("ldap_referrals");
}
if (empty($ldap_group_require)) {
if (read_config_option("ldap_group_require") == CHECKED) {
$ldap_group_require = 1;
}else{
$ldap_group_require = 0;
}
}
if (empty($ldap_group_dn)) {
$ldap_group_dn = read_config_option("ldap_group_dn");
}
if (empty($ldap_group_attrib)) {
$ldap_group_attrib = read_config_option("ldap_group_attrib");
}
if (empty($ldap_group_member_type)) {
$ldap_group_member_type = read_config_option("ldap_group_member_type");
}
/* Determine connection method and create LDAP Object */
if ($ldap_encryption == LDAP_ENCRYPT_SSL) {
/* This only works with OpenLDAP, I'm pretty sure this will not work with Solaris, Tony */
$ldap_conn = @ldap_connect("ldaps://" . $ldap_device . ":" . $ldap_port_ssl);
}else{
$ldap_conn = @ldap_connect($ldap_device,$ldap_port);
}
if ($ldap_conn) {
/* Set protocol version */
cacti_log("LDAP: Setting protocol version to " . $ldap_version, false, "AUTH");
if (!@ldap_set_option($ldap_conn, LDAP_OPT_PROTOCOL_VERSION, $ldap_version)) {
$output["error_num"] = "3";
$output["error_text"] = "Protocol Error, Unable to set version";
cacti_log("LDAP: " . $output["error_text"], false, "AUTH");
@ldap_close($ldap_conn);
return $output;
}
/* set referrals */
if ($ldap_referrals == "0") {
if (!@ldap_set_option($ldap_conn, LDAP_OPT_REFERRALS, 0)) {
$output["error_num"] = "4";
$output["error_text"] = "Unable to set referrals option";
cacti_log("LDAP: " . $output["error_text"], false, "AUTH");
@ldap_close($ldap_conn);
return $output;
}
}
/* start TLS if requested */
if ($ldap_encryption == LDAP_ENCRYPT_TLS) {
if (!@ldap_start_tls($ldap_conn)) {
$output["error_num"] = "5";
$output["error_text"] = "Protocol error, unable to start TLS communications";
cacti_log("LDAP: " . $output["error_text"], false, "AUTH");
@ldap_close($ldap_conn);
return $output;
}
}
/* Bind to the LDAP directory */
$ldap_response = @ldap_bind($ldap_conn,$ldap_dn,$password);
if ($ldap_response) {
if ($ldap_group_require == 1) {
/* Process group membership if required */
if ($ldap_group_member_type == 1) {
$ldap_group_response = @ldap_compare($ldap_conn,$ldap_group_dn,$ldap_group_attrib,$ldap_dn);
} else {
$ldap_group_response = @ldap_compare($ldap_conn,$ldap_group_dn,$ldap_group_attrib,$username);
}
if ($ldap_group_response === true) {
/* Auth ok */
$output["error_num"] = "0";
$output["error_text"] = "Authentication Success";
} else if ($ldap_group_response === false) {
$output["error_num"] = "8";
$output["error_text"] = "Insuffient access";
cacti_log("LDAP: " . $output["error_text"], false, "AUTH");
@ldap_close($ldap_conn);
return $output;
} else {
$output["error_num"] = "12";
$output["error_text"] = "Group DN could not be found to compare";
cacti_log("LDAP: " . $output["error_text"], false, "AUTH");
@ldap_close($ldap_conn);
return $output;
}
}else{
/* Auth ok - No group membership required */
$output["error_num"] = "0";
$output["error_text"] = "Authentication Success";
}
}else{
/* unable to bind */
$ldap_error = ldap_errno($ldap_conn);
if ($ldap_error == 0x03) {
/* protocol error */
$output["error_num"] = "7";
$output["error_text"] = "Protocol error";
}elseif ($ldap_error == 0x31) {
/* invalid credentials */
$output["error_num"] = "1";
$output["error_text"] = "Authentication Failure";
}elseif ($ldap_error == 0x32) {
/* insuffient access */
$output["error_num"] = "8";
$output["error_text"] = "Insuffient access";
}elseif ($ldap_error == 0x51) {
/* unable to connect to server */
$output["error_num"] = "9";
$output["error_text"] = "Unable to connect to server";
}elseif ($ldap_error == 0x55) {
/* timeout */
$output["error_num"] = "10";
$output["error_text"] = "Connection Timeout";
}else{
/* general bind error */
$output["error_num"] = "11";
$output["error_text"] = "General bind error, LDAP result: " . ldap_error($ldap_conn);
}
}
}else{
/* Error intializing LDAP */
$output["error_num"] = "6";
$output["error_text"] = "Unable to create LDAP object";
}
/* Close LDAP connection */
@ldap_close($ldap_conn);
if ($output["error_num"] > 0) {
cacti_log("LDAP: " . $output["error_text"], false, "AUTH");
}
return $output;
}
