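  /**
   * Bitrix OnUserLoginExternal handler: authenticate a login against LDAP and
   * hand the matching Bitrix user identifier back to Bitrix.
   *
   * @param array &$params Bitrix login event parameters; reads LOGIN and PASSWORD.
   * @return int|false Bitrix user identifier on success; false when the user is
   *                   unknown to LDAP, the password is rejected, or any error
   *                   occurs (errors are written to the Bitrix event log).
   */
  public static function authenticate(&$params)
  {
      $login = isset($params['LOGIN']) ? (string) $params['LOGIN'] : '';
      $password = isset($params['PASSWORD']) ? (string) $params['PASSWORD'] : '';

      // An empty password must never reach an LDAP bind: RFC 4513 treats a
      // simple bind with an empty password as an anonymous bind, which succeeds.
      if ($login === '' || $password === '') {
          return false;
      }

      try {
          // Import the PEAR library gracefully; a missing dependency is reported
          // through the event log like every other failure.
          if (!@(include_once 'Net/LDAP2.php')) {
              throw new Capall_Ldaper_UnavailableDependencyException('PEAR::Net_LDAP2');
          }

          $ldapConnection = Net_LDAP2::connect([
              'host'   => COption::GetOptionString('sh.ldaper', 'host'),
              'port'   => COption::GetOptionInt('sh.ldaper', 'port'),
              'binddn' => COption::GetOptionString('sh.ldaper', 'binddn'),
              'bindpw' => COption::GetOptionString('sh.ldaper', 'bindpw'),
          ]);
          if (PEAR::isError($ldapConnection)) {
              throw new Capall_Ldaper_LdapException($ldapConnection);
          }

          // Comma separated list of default groups; array_filter with 'trim'
          // drops entries that are empty after trimming (original behaviour).
          $defaultGroups = array_filter(
              explode(',', COption::GetOptionString('sh.ldaper', 'default_groups', '')),
              'trim'
          );
          $ldaper = new self(
              $ldapConnection,
              new Capall_Ldaper_BitrixUserManager(new CUser(), $defaultGroups),
              COption::GetOptionString('sh.ldaper', 'basedn'),
              COption::GetOptionString('sh.ldaper', 'login_attribute'),
              COption::GetOptionString('sh.ldaper', 'mail_attribute'),
              COption::GetOptionString('sh.ldaper', 'mail_attribute_index')
          );

          $ldapUser = $ldaper->getLdapUser($login);
          if (!$ldapUser) {
              // User not found in LDAP. It's a normal use case (local Bitrix
              // account); return false explicitly instead of an unset variable.
              return false;
          }
          if (!$ldaper->authenticateUser($ldapUser, $password)) {
              // Authentication failed. May be user not from LDAP?
              return false;
          }

          // Return identifier to Bitrix for authorization.
          return $ldaper->getBitrixUser($ldapUser);
      } catch (Exception $error) {
          // Log the message only: casting the exception to string includes the
          // stack trace, whose frames can carry the password passed to
          // authenticateUser().
          CEventLog::Log('WARNING', 'USER_LOGIN', 'sh.ldaper', $login, $error->getMessage());
          return false;
      }
  }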
  /**
   * Create LDAP connection.
   *
   * @param array $options Net_LDAP2 connection options (host, port, binddn, bindpw, basedn, ...).
   * @return Net_LDAP2
   * @throws AuthException When Net_LDAP2::connect() reports an error.
   */
  private function connect($options)
  {
      $connection = Net_LDAP2::connect($options);
      if (!Misc::isError($connection)) {
          return $connection;
      }
      throw new AuthException($connection->getMessage(), $connection->getCode());
  }
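  /**
   * Connect to the database (an LDAP directory behind the Agavi database API).
   *
   * Parameters come from getParameter(); only the "normal" retrieval method is
   * supported. When binddn/bindpw are configured the connection binds as that
   * account, and when ldap.proxyAs is set the Proxied Authorization control
   * (RFC 4370, OID 2.16.840.1.113730.3.4.18) is attached so every operation
   * runs under the authorization identity of that DN.
   *
   * @throws     <b>AgaviDatabaseException</b> If a connection could not be
   *                                           created.
   * @author     Bram Goessens <*****@*****.**>
   */
  protected function connect()
  {
      // determine how to get our parameters
      $method = $this->getParameter('method', 'normal');

      if ($method !== 'normal') {
          // who knows what the user wants...
          $error = 'Invalid KVDag_LdapDatabase parameter retrieval method "%s"';
          throw new AgaviDatabaseException(sprintf($error, $method));
      }

      // get parameters normally
      $host = $this->getParameter('host');
      $port = $this->getParameter('port', 389);
      $version = $this->getParameter('version', 3);
      $basedn = $this->getParameter('basedn');
      $binddn = $this->getParameter('binddn', null);
      $bindpw = $this->getParameter('bindpw', null);

      // Loose null checks are intentional: an empty string from the
      // configuration is as unusable as a missing parameter.
      if ($host == null || $port == null || $version == null || $basedn == null) {
          // missing required dsn parameter
          $error = 'Database configuration specifies method "normal", but is missing 1 or more parameters.
                      Required parameters are host, port, version, basedn';
          throw new AgaviDatabaseException($error);
      }

      // The configuration array:
      $config = ['host' => $host, 'port' => $port, 'version' => $version, 'basedn' => $basedn];

      // Bind as the proxy (service) user when both credentials are configured
      if ($binddn != null && $bindpw != null) {
          $config['binddn'] = $binddn;
          $config['bindpw'] = $bindpw;
      }

      // Act on behalf of the configured authzID user (proxied authorization)
      if (AgaviConfig::get('ldap.proxyAs', false)) {
          $authzID = AgaviConfig::get('ldap.proxyAs');
          $proxyAuthControl = [
              'oid'        => '2.16.840.1.113730.3.4.18',
              'value'      => "dn:{$authzID}",
              'iscritical' => true,
          ];
          $config['options'] = ['LDAP_OPT_SERVER_CONTROLS' => [$proxyAuthControl]];
      }

      // Connecting using the configuration:
      $this->connection = Net_LDAP2::connect($config);

      // Net_LDAP2::connect() reports failure as an error object; the explicit
      // false check is kept as a belt-and-braces guard. Both paths raised the
      // same exception, so they are handled once.
      if (Net_LDAP2::isError($this->connection) || $this->connection === false) {
          $error = 'Failed to create a KVDag_LdapDatabase connection';
          throw new AgaviDatabaseException($error);
      }

      // since we're not an abstraction layer, we copy the connection
      // to the resource
      $this->resource =& $this->connection;
  }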
Exemple #4
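 /**
  * LDAP Password Driver
  *
  * Driver for passwords stored in LDAP
  * This driver use the PEAR Net_LDAP2 class (http://pear.php.net/package/Net_LDAP2).
  *
  * @version 1.0 (2009-06-24)
  * @author Edouard MOREAU <*****@*****.**>
  *
  * function hashPassword based on code from the phpLDAPadmin development team (http://phpldapadmin.sourceforge.net/).
  * function randomSalt based on code from the phpLDAPadmin development team (http://phpldapadmin.sourceforge.net/).
  */

 /**
  * Replace the LDAP password of the logged-in user.
  *
  * The user DN is built from password_ldap_userDN_mask; the directory is
  * bound either as that user (with the current password) or as the configured
  * admin account, the new password is hashed with password_ldap_encodage and
  * written to password_ldap_pwattr.
  *
  * @param string $curpass Current password (bind password in "user" mode).
  * @param string $passwd  New clear-text password.
  * @return int One of the PASSWORD_* status codes.
  */
 function password_save($curpass, $passwd)
 {
     $rcmail = rcmail::get_instance();
     require_once 'Net/LDAP2.php';

     // Building user DN. The login is substituted into a DN, so DN special
     // characters (",", "+", "=", ...) are escaped to keep the DN structure intact.
     $username = (string) $_SESSION['username'];
     $escapedLogin = Net_LDAP2_Util::escape_dn_value([$username]);
     $userDN = str_replace('%login', $escapedLogin[0], $rcmail->config->get('password_ldap_userDN_mask'));
     $parts = explode('@', $username);
     if (count($parts) == 2) {
         $escapedParts = Net_LDAP2_Util::escape_dn_value($parts);
         $userDN = str_replace('%name', $escapedParts[0], $userDN);
         $userDN = str_replace('%domain', $escapedParts[1], $userDN);
     }
     if (empty($userDN)) {
         // NOTE(review): the return value is not present in the listing;
         // a connection error is assumed, as nothing can be bound without a DN.
         return PASSWORD_CONNECT_ERROR;
     }

     // Connection Method
     switch ($rcmail->config->get('password_ldap_method')) {
         case 'admin':
             $binddn = $rcmail->config->get('password_ldap_adminDN');
             $bindpw = $rcmail->config->get('password_ldap_adminPW');
             break;
         case 'user':
         default:
             // default is user mode
             $binddn = $userDN;
             $bindpw = $curpass;
             break;
     }

     // A bind with an empty password is an anonymous bind (RFC 4513): it
     // would not prove the current password, so refuse it up front.
     if ((string) $bindpw === '') {
         return PASSWORD_CONNECT_ERROR;
     }

     // Configuration array
     $ldapConfig = [
         'binddn'   => $binddn,
         'bindpw'   => $bindpw,
         'basedn'   => $rcmail->config->get('password_ldap_basedn'),
         'host'     => $rcmail->config->get('password_ldap_host'),
         'port'     => $rcmail->config->get('password_ldap_port'),
         'starttls' => $rcmail->config->get('password_ldap_starttls'),
         'version'  => $rcmail->config->get('password_ldap_version'),
     ];

     // Connecting using the configuration array
     $ldap = Net_LDAP2::connect($ldapConfig);

     // Checking for connection error
     if (PEAR::isError($ldap)) {
         return PASSWORD_CONNECT_ERROR;
     }

     // Hashing the new password
     $newCryptedPassword = hashPassword($passwd, $rcmail->config->get('password_ldap_encodage'));
     if (!$newCryptedPassword) {
         return PASSWORD_CRYPT_ERROR;
     }

     // Writing the new hashed password to LDAP
     $userEntry = $ldap->getEntry($userDN);
     if (Net_LDAP2::isError($userEntry)) {
         return PASSWORD_CONNECT_ERROR;
     }
     $replaced = $userEntry->replace(
         [$rcmail->config->get('password_ldap_pwattr') => $newCryptedPassword],
         $rcmail->config->get('password_ldap_force_replace')
     );
     if (!$replaced) {
         return PASSWORD_CONNECT_ERROR;
     }
     if (Net_LDAP2::isError($userEntry->update())) {
         return PASSWORD_CONNECT_ERROR;
     }

     // All done, no error
     return PASSWORD_SUCCESS;
 }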
Exemple #5
 /**
  * Open the LDAP connection described by $this->options->Ldap2Config().
  *
  * The connect result is stored in $this->ldap before it is checked, so on
  * failure the property holds the error object (as in the original).
  *
  * @return bool Always true; failure is reported by throwing.
  * @throws Exception When Net_LDAP2::connect() returns a PEAR error.
  */
 public function Connect()
 {
     Log::Debug('Trying to connect to LDAP');
     $this->ldap = Net_LDAP2::connect($this->options->Ldap2Config());
     if (!PEAR::isError($this->ldap)) {
         return true;
     }
     $message = 'Could not connect to LDAP server. Check your settings in Ldap.config.php : ' . $this->ldap->getMessage();
     throw new Exception($message);
 }
  /**
   * Establishes a working connection
   *
   * Skips the test when the PHP LDAP extension is unavailable, then connects
   * and binds with the privileged credentials from the test configuration.
   *
   * @return Net_LDAP2
   */
  public function &connect()
  {
      // Check extension
      if (Net_LDAP2::checkLDAPExtension() !== true) {
          $this->markTestSkipped('PHP LDAP extension not found or not loadable. Skipped Test.');
      }

      // Simple working connect and privileged bind
      $global = $this->ldapcfg['global'];
      $connectConfig = [
          'host'   => $global['server_address'],
          'port'   => $global['server_port'],
          'basedn' => $global['server_base_dn'],
          'binddn' => $global['server_binddn'],
          'bindpw' => $global['server_bindpw'],
          'filter' => '(ou=*)',
      ];
      $ldap = Net_LDAP2::connect($connectConfig);
      $this->assertInstanceOf('Net_LDAP2', $ldap, 'Connect failed but was supposed to work. Check credentials and host address. If those are correct, file a bug!');
      return $ldap;
  }
  /**
   * Create LDAP connection.
   *
   * The connection is memoised in a function-static variable, so it is shared
   * by every instance of this class for the rest of the request: the first
   * caller's $this->basedn is the one that sticks.
   *
   * @return Net_LDAP2
   * @throws AuthException When Net_LDAP2::connect() reports an error.
   */
  protected function connect()
  {
      static $conn;
      if ($conn) {
          return $conn;
      }

      $ldapSetup = Setup::get()->ldap;
      $conn = Net_LDAP2::connect([
          'host'   => $ldapSetup['host'],
          'port'   => $ldapSetup['port'],
          'binddn' => $ldapSetup['binddn'],
          'bindpw' => $ldapSetup['bindpw'],
          'basedn' => $this->basedn,
      ]);
      if (Misc::isError($conn)) {
          throw new AuthException($conn->getMessage(), $conn->getCode());
      }
      return $conn;
  }
Exemple #8
 /**
  * Bind with searchDN and searchPW and search for the user's DN.
  * Use search_base and search_filter defined in config file.
  * Return the found DN.
  *
  * @param rcmail $rcmail Application instance providing the password_ldap_* settings.
  * @return string DN of the single matching entry, or '' when the connection
  *                fails or the search does not return exactly one entry.
  */
 function search_userdn($rcmail)
 {
     $cfg = $rcmail->config;
     $ldap = Net_LDAP2::connect([
         'binddn'   => $cfg->get('password_ldap_searchDN'),
         'bindpw'   => $cfg->get('password_ldap_searchPW'),
         'basedn'   => $cfg->get('password_ldap_basedn'),
         'host'     => $cfg->get('password_ldap_host'),
         'port'     => $cfg->get('password_ldap_port'),
         'starttls' => $cfg->get('password_ldap_starttls'),
         'version'  => $cfg->get('password_ldap_version'),
     ]);
     if (PEAR::isError($ldap)) {
         return '';
     }

     // substitute_vars() fills the user-dependent placeholders; whether it
     // escapes filter metacharacters is not visible here — verify in its definition.
     $base = $cfg->get('password_ldap_search_base');
     $filter = substitute_vars($cfg->get('password_ldap_search_filter'));
     $result = $ldap->search($base, $filter, ['scope' => 'sub', 'attributes' => []]);

     $exactlyOne = !PEAR::isError($result) && $result->count() == 1;
     return $exactlyOne ? $result->current()->dn() : '';
 }
Exemple #9
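/**
 * Bind to the directory as the given user and, on success, store the user's
 * common name in a short-lived cookie.
 *
 * @param string $user   uid of the user; used in the bind DN and the search filter.
 * @param string $passwd The user's password.
 * @return bool TRUE when the bind succeeded (as in the original, even if the
 *              follow-up search did not yield exactly one entry); FALSE on
 *              empty credentials or connect/bind/search failure.
 */
function connect($user, $passwd)
{
    require_once '/usr/share/pear/Net/LDAP2.php';

    // Refuse empty credentials before binding: a simple bind with an empty
    // password is an anonymous bind (RFC 4513) and would "succeed".
    if ((string) $user === '' || (string) $passwd === '') {
        return FALSE;
    }

    // The uid is interpolated into a DN; escape DN metacharacters so a crafted
    // value cannot change which entry is bound.
    $dnValue = Net_LDAP2_Util::escape_dn_value([$user]);
    $config = [
        'binddn' => "uid={$dnValue[0]},ou=people,dc=domain,dc=com",
        'bindpw' => "{$passwd}",
        'basedn' => 'dc=domain,dc=com',
        'host'   => 'ldaprr.domain.com',
    ];
    $ldap = Net_LDAP2::connect($config);
    if (PEAR::isError($ldap)) {
        //echo 'Could not connect to LDAP-server: '.$ldap->getMessage();
        return FALSE;
    }

    // Build the filter through the API instead of string concatenation so the
    // uid is escaped for the filter context (no filter injection).
    $filter = Net_LDAP2_Filter::create('uid', 'equals', $user);
    $searchbase = 'dc=domain,dc=com';
    $options = ['scope' => 'sub', 'attributes' => ['uid', 'cn']];
    $result = $ldap->search($searchbase, $filter, $options);
    if (PEAR::isError($result)) {
        // The original called entries() on the error object, which is fatal.
        return FALSE;
    }

    $entries = $result->entries();
    if (count($entries) != 1) {
        echo ".";
    } else {
        foreach ($entries as $entry) {
            // 15-minute cookie; httponly keeps it away from page scripts.
            setcookie('UName', $entry->getValue('cn'), time() + 900, '', '', false, true);
        }
    }
    return TRUE;
}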
Exemple #10
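 /**
  * Log a user in from the submitted credentials and populate the session.
  *
  * With ldapAuth enabled the password is verified by binding to the directory
  * as "<username>@aston.ac.uk" and the local User row is looked up by name
  * only; otherwise username and password are matched against the User table.
  * On success the session receives username, display name, the role flags
  * (admin/tutor/ta) and a timeout; $_SESSION['invalid_login'] reports the outcome.
  *
  * @param array $queryStr Request parameters; reads 'username' and 'password'.
  * @return void
  */
 public function login($queryStr)
 {
     // If username and password provided
     if (isset($queryStr['username'], $queryStr['password'])) {
         // The DB layer binds these as parameters, so no quoting is added here;
         // the former addslashes() would have corrupted names containing quotes.
         $username = (string) $queryStr['username'];
         $password = (string) $queryStr['password'];

         // If not already logged in
         if (!isset($_SESSION['username'])) {
             $_SESSION['start'] = "login " . $queryStr['username'] . " ";
             $netLogin = false;
             $result = [];

             if ($this->registry->ldapAuth == true) {
                 // The local row is selected by name only; the password is
                 // checked by the LDAP bind below.
                 $result = $this->registry->db->select('User', "username=?", [$username]);

                 // A simple bind with an empty password is an anonymous bind
                 // (RFC 4513) and succeeds, so an empty password is rejected here.
                 if ($password !== '') {
                     // LDAP Authentication
                     $config = [
                         'binddn' => $username . "@aston.ac.uk",
                         'bindpw' => $password,
                         'basedn' => 'dc=campus,dc=aston,dc=ac,dc=uk',
                         'host'   => 'gc.campus.aston.ac.uk',
                         'port'   => '3268',
                     ];
                     // Connecting using the configuration:
                     $ldap = Net_LDAP2::connect($config);
                     if (Net_LDAP2::isError($ldap)) {
                         error_log("ldap ERROR=" . $ldap->getMessage());
                     } else {
                         //error_log("LDAP CONNECTED");
                         $netLogin = TRUE;
                     }
                 }
             } else {
                 // NOTE(review): this compares the submitted password with the
                 // stored column directly, i.e. passwords are stored in clear.
                 $result = $this->registry->db->select('User', "username=? and password=?", [$username, $password]);
                 $netLogin = true;
             }

             // If user/pass match a user then set login session
             if ($netLogin == TRUE && count($result) == 1) {
                 // Fresh session id on privilege change (session fixation defence).
                 if (session_status() === PHP_SESSION_ACTIVE) {
                     session_regenerate_id(true);
                 }
                 if (!isset($_SESSION["timeout"])) {
                     $_SESSION['timeout'] = time();
                 }
                 //session time is 1 hour (expiry is enforced elsewhere)
                 $_SESSION['start'] .= "One row ";
                 $row = $result[0];
                 $_SESSION['start'] .= count($row) . " ";
                 $_SESSION['username'] = $row['username'];
                 $_SESSION['name'] = $row['firstname'] . ' ' . $row['surname'];

                 // Role flags from the membership tables
                 $where = "username=?";
                 $bind = [$username];
                 if (count($this->registry->db->select('Admin', $where, $bind)) == 1) {
                     $_SESSION['admin'] = true;
                 }
                 if (count($this->registry->db->select('Tutors', $where, $bind)) == 1) {
                     $_SESSION['tutor'] = true;
                 }
                 if (count($this->registry->db->select('TeachAssist', $where, $bind)) >= 1) {
                     $_SESSION['ta'] = true;
                 }
             } else {
                 $_SESSION['start'] .= "no rows";
             }
         }
     }

     // If login was successful
     $_SESSION['invalid_login'] = !isset($_SESSION['username']);
 }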
Exemple #11
  /**
   * Bind with searchDN and searchPW and search for the user's DN.
   * Use search_base and search_filter defined in config file.
   * Return the found DN.
   *
   * When no searchDN is configured the search is performed anonymously.
   *
   * @param rcmail $rcmail Application instance providing the password_ldap_* settings.
   * @return string DN of the single matching entry, or '' when the connection
   *                fails or the search does not return exactly one entry.
   */
  function search_userdn($rcmail)
  {
      $cfg = $rcmail->config;
      $binddn = $cfg->get('password_ldap_searchDN');
      $bindpw = $cfg->get('password_ldap_searchPW');
      $ldapConfig = [
          'basedn'   => $cfg->get('password_ldap_basedn'),
          'host'     => $cfg->get('password_ldap_host'),
          'port'     => $cfg->get('password_ldap_port'),
          'starttls' => $cfg->get('password_ldap_starttls'),
          'version'  => $cfg->get('password_ldap_version'),
      ];
      // allow anonymous searches
      if (!empty($binddn)) {
          $ldapConfig['binddn'] = $binddn;
          $ldapConfig['bindpw'] = $bindpw;
      }

      $ldap = Net_LDAP2::connect($ldapConfig);
      if (is_a($ldap, 'PEAR_Error')) {
          return '';
      }

      $base = self::substitute_vars($cfg->get('password_ldap_search_base'));
      $filter = self::substitute_vars($cfg->get('password_ldap_search_filter'));
      $result = $ldap->search($base, $filter, ['scope' => 'sub', 'attributes' => []]);

      $exactlyOne = !is_a($result, 'PEAR_Error') && $result->count() == 1;
      return $exactlyOne ? $result->current()->dn() : '';
  }
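  /**
   * Check if $user and $password are related to a valid user and password
   *
   * The user is located with an equality filter on $config['uid'] using the
   * credentials in $config; the password is then verified by a second bind
   * as the DN of the single entry found.
   *
   * @param string $user     Login value matched against $config['uid'].
   * @param string $password Password to verify by bind.
   * @param array  $config   Net_LDAP2 connection options plus 'uid' (the login attribute).
   * @return boolean
   */
  function isValidPasswordLdap($user, $password, $config)
  {
      // An empty password would turn the verifying bind into an anonymous
      // bind (RFC 4513), which succeeds for any existing user.
      if ((string) $password === '') {
          return false;
      }

      // Connecting using the configuration:
      require_once "Net/LDAP2.php";
      $ldap = Net_LDAP2::connect($config);

      // Testing for connection error
      if (PEAR::isError($ldap)) {
          return false;
      }

      // Filter built through the API so $user is escaped for the filter context
      $filter = Net_LDAP2_Filter::create($config['uid'], 'equals', $user);
      $search = $ldap->search(null, $filter, null);
      if (Net_LDAP2::isError($search)) {
          return false;
      }
      if ($search->count() != 1) {
          return false;
      }

      // User exists so we may rebind to authenticate the password
      $entries = $search->entries();
      $bind_result = $ldap->bind($entries[0]->dn(), $password);
      return !PEAR::isError($bind_result);
  }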
Exemple #13
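 /**
  * Connect to the first reachable configured host and fetch its schema.
  *
  * @return mixed The Net_LDAP2 schema object, or null when no host could be
  *               reached (or none is configured) and — as in the listing —
  *               when schema_root_dn is set.
  */
 private function init_schema()
 {
     // use PEAR include if autoloading failed
     if (!class_exists('Net_LDAP2')) {
         require_once 'Net/LDAP2.php';
     }

     $port = $this->config_get('port', 389);
     $tls = $this->config_get('use_tls', false);
     $_ldap = null;
     $_ldap_schema_cache_cfg = null;

     foreach ((array) $this->config_get('hosts') as $host) {
         $this->_debug("C: Connect [{$host}:{$port}]");
         $_ldap_cfg = [
             'host'    => $host,
             'port'    => $port,
             'tls'     => $tls,
             'version' => 3,
             'binddn'  => $this->config_get('service_bind_dn'),
             'bindpw'  => $this->config_get('service_bind_pw'),
         ];
         // NOTE(review): the cache file lives in the shared /tmp under a
         // predictable name; anything another local user plants there is read
         // back as the schema. A private cache directory is preferable.
         $_ldap_schema_cache_cfg = [
             'path'    => "/tmp/" . $host . ":" . ($port ? $port : '389') . "-Net_LDAP2_Schema.cache",
             'max_age' => 86400,
         ];
         $_ldap = Net_LDAP2::connect($_ldap_cfg);
         if (!is_a($_ldap, 'Net_LDAP2_Error')) {
             $this->_debug("S: OK");
             // first reachable host wins; without this break the last host
             // always decided the outcome
             break;
         }
         $this->_debug("S: NOT OK");
     }

     // no hosts configured, or none reachable
     if ($_ldap === null || is_a($_ldap, 'Net_LDAP2_Error')) {
         return null;
     }

     // Created as in the listing; it is not registered with the connection here.
     $_ldap_schema_cache = new Net_LDAP2_SimpleFileSchemaCache($_ldap_schema_cache_cfg);

     // TODO: We should learn what LDAP tech. we're running against.
     // Perhaps with a scope base objectclass recognize rootdse entry
     $schema_root_dn = $this->config_get('schema_root_dn');
     $_schema = null;
     if (!$schema_root_dn) {
         $_schema = $_ldap->schema();
     }
     return $_schema;
 }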
Exemple #14
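  /**
   * Main Authentication method
   * Required for plugin interface
   *
   * Connects to LDAP_AUTH_SERVER_URI (binding a service account either at
   * connect time or afterwards), searches LDAP_AUTH_SEARCHFILTER under
   * LDAP_AUTH_BASEDN for exactly one entry matching $login, then verifies
   * $password by binding as that entry.
   *
   * @param string $login    User's username
   * @param string $password User's password
   * @return boolean|mixed Result of auto_create_user() on success, FALSE otherwise
   */
  function authenticate($login, $password)
  {
      // Both values must be non-empty: an empty password would make the user
      // bind below an anonymous bind (RFC 4513), which succeeds.
      if (!$login || !$password) {
          return false;
      }
      if (!function_exists('ldap_connect')) {
          trigger_error('auth_ldap requires PHP\'s PECL LDAP package installed.');
          return FALSE;
      }
      if (!(require_once 'Net/LDAP2.php')) {
          trigger_error('auth_ldap requires the PEAR package Net::LDAP2');
          return FALSE;
      }

      /* Loading configuration */
      $this->_debugMode = defined('LDAP_AUTH_DEBUG') ? LDAP_AUTH_DEBUG : FALSE;
      $this->_serviceBindDN = defined('LDAP_AUTH_BINDDN') ? LDAP_AUTH_BINDDN : null;
      $this->_serviceBindPass = defined('LDAP_AUTH_BINDPW') ? LDAP_AUTH_BINDPW : null;
      if (!defined('LDAP_AUTH_BASEDN')) {
          $this->_log('LDAP_AUTH_BASEDN is required and not defined.', E_USER_ERROR);
          return FALSE;
      }
      $this->_baseDN = LDAP_AUTH_BASEDN;

      $parsedURI = parse_url(LDAP_AUTH_SERVER_URI);
      if ($parsedURI === FALSE || !isset($parsedURI['host'], $parsedURI['scheme'])) {
          $this->_log('Could not parse LDAP_AUTH_SERVER_URI in config.php', E_USER_ERROR);
          return FALSE;
      }
      $this->_host = $parsedURI['host'];
      $this->_scheme = $parsedURI['scheme'];
      if (isset($parsedURI['port']) && is_int($parsedURI['port'])) {
          $this->_port = $parsedURI['port'];
      } else {
          $this->_port = $this->_scheme === 'ldaps' ? 636 : 389;
      }
      $this->_useTLS = defined('LDAP_AUTH_USETLS') ? LDAP_AUTH_USETLS : FALSE;
      $this->_allowUntrustedCerts = defined('LDAP_AUTH_ALLOW_UNTRUSTED_CERT') ? LDAP_AUTH_ALLOW_UNTRUSTED_CERT : FALSE;
      $this->_schemaCacheEnable = defined('LDAP_AUTH_SCHEMA_CACHE_ENABLE') ? LDAP_AUTH_SCHEMA_CACHE_ENABLE : TRUE;
      $this->_schemaCacheTimeout = defined('LDAP_AUTH_SCHEMA_CACHE_TIMEOUT') ? LDAP_AUTH_SCHEMA_CACHE_TIMEOUT : 86400;
      $this->_logAttempts = defined('LDAP_AUTH_LOG_ATTEMPTS') ? LDAP_AUTH_LOG_ATTEMPTS : FALSE;
      $this->_ldapLoginAttrib = defined('LDAP_AUTH_LOGIN_ATTRIB') ? LDAP_AUTH_LOGIN_ATTRIB : null;

      /* Building LDAP connection */
      $ldapConnParams = [
          'host'     => $this->_scheme . '://' . $this->_host,
          'options'  => ['LDAP_OPT_REFERRALS' => 0],
          'basedn'   => $this->_baseDN,
          'port'     => $this->_port,
          'starttls' => $this->_useTLS,
      ];
      if (!$this->_anonBeforeBind) {
          $ldapConnParams['binddn'] = $this->_serviceBindDN;
          $ldapConnParams['bindpw'] = $this->_serviceBindPass;
      }
      if ($this->_allowUntrustedCerts) {
          // Body not present in the listing. Whatever it does, skipping
          // certificate verification removes the protection TLS gives the
          // credentials sent below; keep it off outside test setups.
      }
      if ($this->_debugMode) {
          // Log the connection parameters without the service bind password.
          $loggedParams = $ldapConnParams;
          if (isset($loggedParams['bindpw'])) {
              $loggedParams['bindpw'] = '***';
          }
          $this->_log(print_r($loggedParams, TRUE), E_USER_NOTICE);
      }

      $ldapConn = Net_LDAP2::connect($ldapConnParams);
      if (get_class($ldapConn) !== 'Net_LDAP2') {
          $this->_log('Could not connect to LDAP Server: ' . $ldapConn->getMessage() . ' with ' . $this->_getBindDNWord(), E_USER_ERROR);
          return FALSE;
      }
      $this->ldapObj = $ldapConn;
      $this->_log('Connected to LDAP Server: ' . LDAP_AUTH_SERVER_URI . ' with ' . $this->_getBindDNWord());

      // Bind with service account if original connection was anonymous.
      // The listing had strlen($this->_bindDN > 0), i.e. strlen() of a boolean;
      // the service bind DN is the value actually bound here.
      if ($this->_anonBeforeBind && strlen((string) $this->_serviceBindDN) > 0) {
          $binding = $this->ldapObj->bind($this->_serviceBindDN, $this->_serviceBindPass);
          // bind() returns TRUE on success, an error object otherwise; the
          // former get_class() check misreported every successful bind.
          if ($binding !== TRUE) {
              $this->_log('Cound not bind service account: ' . $binding->getMessage(), E_USER_ERROR);
              return FALSE;
          }
          $this->_log('Bind with ' . $this->_serviceBindDN . ' successful.', E_USER_NOTICE);
      }

      //Cache LDAP Schema (the listing tested an undefined local instead of the property)
      if ($this->_schemaCacheEnable) {
          // Body not present in the listing.
      }

      //Validate BaseDN
      $baseDNObj = $this->ldapObj->getEntry($this->_baseDN);
      if (get_class($baseDNObj) !== 'Net_LDAP2_Entry') {
          $this->_log('Cound not get LDAP_AUTH_BASEDN.  Please check config.php', E_USER_ERROR);
          //return FALSE;
      }

      //Searching for user; the login is escaped for the filter context
      $escapedUserName = Net_LDAP2_Util::escape_filter_value([$login]);
      $completedSearchFilter = str_replace('???', $escapedUserName[0], LDAP_AUTH_SEARCHFILTER);
      $filterObj = Net_LDAP2_Filter::parse($completedSearchFilter);
      if (get_class($filterObj) !== 'Net_LDAP2_Filter') {
          $this->_log('Could not parse LDAP Search filter', E_USER_ERROR);
          return FALSE;
      }
      if ($this->_debugMode) {
          $this->_log("Seaching for user {$login} with this query " . $filterObj->asString() . ' within ' . $this->_baseDN);
      }
      $searchResults = $this->ldapObj->search($this->_baseDN, $filterObj);
      if (get_class($searchResults) !== 'Net_LDAP2_Search') {
          $this->_log('LDAP Search Failed: ' . $searchResults->getMessage(), E_USER_ERROR);
          return FALSE;
      }
      $matches = $searchResults->count();
      if ($matches === 0) {
          // The listing passed the login as the message and 'Unknown User' as the level.
          $this->_log('Unknown User: ' . (string) $login, E_USER_NOTICE);
          return FALSE;
      }
      if ($matches > 1) {
          $this->_log('Multiple DNs found for username ' . (string) $login, E_USER_WARNING);
          return FALSE;
      }

      //Getting user's DN from search
      $userEntry = $searchResults->shiftEntry();
      $userDN = $userEntry->dn();

      //Binding with user's DN.
      if ($this->_debugMode) {
          $this->_log('Try to bind with user\'s DN: ' . $userDN);
      }
      $loginAttempt = $this->ldapObj->bind($userDN, $password);
      if ($loginAttempt === TRUE) {
          // The listing redacted the interpolated value in this message; $login assumed.
          $this->_log('User: ' . $login . ' authentication successful');
          if (strlen((string) $this->_ldapLoginAttrib) > 0) {
              if ($this->_debugMode) {
                  $this->_log('Looking up TT-RSS username attribute in ' . $this->_ldapLoginAttrib);
              }
              $ttrssUsername = $userEntry->getValue($this->_ldapLoginAttrib, 'single');
              if (!is_string($ttrssUsername)) {
                  $this->_log('Could not find user name attribute ' . $this->_ldapLoginAttrib . ' in LDAP entry', E_USER_WARNING);
                  return FALSE;
              }
              return $this->base->auto_create_user($ttrssUsername);
          }
          return $this->base->auto_create_user($login);
      }
      // LDAP result code 49 = invalidCredentials
      if ($loginAttempt->getCode() == 49) {
          $this->_log('User: ' . $login . ' authentication failed');
          return FALSE;
      }
      $this->_log('Unknown Error: Code: ' . $loginAttempt->getCode() . ' Message: ' . $loginAttempt->getMessage() . ' user(' . (string) $login . ')', E_USER_WARNING);
      return FALSE;
  }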
Exemple #15
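 /**
  * Authenticate $login/$password against the LDAP server in LDAP_AUTH_SERVER_URI.
  *
  * The service account from LDAP_AUTH_BINDDN/LDAP_AUTH_BINDPW is used to search
  * LDAP_AUTH_SEARCHFILTER under LDAP_AUTH_BASEDN for exactly one entry; the
  * password is then verified by binding as that entry's DN.
  *
  * @param string $login    User's username
  * @param string $password User's password
  * @return boolean|mixed Result of auto_create_user() on success, FALSE otherwise
  */
 function authenticate($login, $password)
 {
     // Both values must be non-empty: an empty password would make the user
     // bind below an anonymous bind (RFC 4513), which succeeds.
     if (!$login || !$password) {
         return false;
     }
     if (!function_exists('ldap_connect')) {
         trigger_error('auth_ldap requires PHP\'s PECL LDAP package installed.');
         return FALSE;
     }
     if (!(require_once 'Net/LDAP2.php')) {
         trigger_error('auth_ldap requires the PEAR package Net::LDAP2');
         return FALSE;
     }

     $debugMode = defined('LDAP_AUTH_DEBUG') ? LDAP_AUTH_DEBUG : FALSE;
     // The listing never assigns this flag, so it behaved as false (service
     // credentials passed at connect time). Made explicit here.
     $anonymousBeforeBind = FALSE;

     $parsedURI = parse_url(LDAP_AUTH_SERVER_URI);
     if ($parsedURI === FALSE || !isset($parsedURI['host'], $parsedURI['scheme'])) {
         $this->_log('Could not parse LDAP_AUTH_SERVER_URI in config.php');
         return FALSE;
     }
     $ldapConnParams = [
         'host'    => $parsedURI['scheme'] . '://' . $parsedURI['host'],
         'basedn'  => LDAP_AUTH_BASEDN,
         'options' => ['LDAP_OPT_REFERRALS' => 0],
     ];
     if (!$anonymousBeforeBind) {
         $ldapConnParams['binddn'] = LDAP_AUTH_BINDDN;
         $ldapConnParams['bindpw'] = LDAP_AUTH_BINDPW;
     }
     $ldapConnParams['starttls'] = defined('LDAP_AUTH_USETLS') ? LDAP_AUTH_USETLS : FALSE;
     if (isset($parsedURI['port']) && is_int($parsedURI['port'])) {
         $ldapConnParams['port'] = $parsedURI['port'];
     }
     $ldapSchemaCacheEnable = defined('LDAP_AUTH_SCHEMA_CACHE_ENABLE') ? LDAP_AUTH_SCHEMA_CACHE_ENABLE : TRUE;
     $ldapSchemaCacheTimeout = defined('LDAP_AUTH_SCHEMA_CACHE_TIMEOUT') ? LDAP_AUTH_SCHEMA_CACHE_TIMEOUT : 86400;
     $logAttempts = defined('LDAP_AUTH_LOG_ATTEMPTS') ? LDAP_AUTH_LOG_ATTEMPTS : FALSE;

     // Making connection to LDAP server
     $ldapConn = Net_LDAP2::connect($ldapConnParams);
     if (Net_LDAP2::isError($ldapConn)) {
         $this->_log('Could not connect to LDAP Server: ' . $ldapConn->getMessage());
         return FALSE;
     }

     // Bind with service account if original connection was anonymous
     if ($anonymousBeforeBind) {
         $binding = $ldapConn->bind(LDAP_AUTH_BINDDN, LDAP_AUTH_BINDPW);
         if (Net_LDAP2::isError($binding)) {
             $this->_log('Cound not bind service account: ' . $binding->getMessage());
             return FALSE;
         }
     }

     //Cache LDAP Schema
     if ($ldapSchemaCacheEnable) {
         // The listing's fallback assigned the bare word "tmp" (an undefined
         // constant); sys_get_temp_dir() always yields a directory, so it is
         // used directly.
         $tmpDir = sys_get_temp_dir();
         if (empty($parsedURI['port'])) {
             $ldapPort = $parsedURI['scheme'] == 'ldaps' ? 636 : 389;
         } else {
             $ldapPort = $parsedURI['port'];
         }
         // NOTE(review): predictable file name in a shared temp directory; the
         // cache is read back as schema data, so a private directory is safer.
         $cacheFileLoc = $tmpDir . '/ttrss-ldapCache-' . $parsedURI['host'] . ':' . $ldapPort . '.cache';
         if ($debugMode) {
             $this->_log('Schema Cache File: ' . $cacheFileLoc, E_USER_NOTICE);
         }
         $schemaCacheConf = ['path' => $cacheFileLoc, 'max_age' => $ldapSchemaCacheTimeout];
         // Created as in the listing; it is not registered with the connection here.
         $schemaCacheObj = new Net_LDAP2_SimpleFileSchemaCache($schemaCacheConf);
     }

     //Searching for user. The login is escaped for the filter context so a
     //crafted value cannot widen or alter the search filter.
     $escapedLogin = Net_LDAP2_Util::escape_filter_value([$login]);
     $completedSearchFilter = str_replace('???', $escapedLogin[0], LDAP_AUTH_SEARCHFILTER);
     $filterObj = Net_LDAP2_Filter::parse($completedSearchFilter);
     if (Net_LDAP2::isError($filterObj)) {
         $this->_log('Could not parse LDAP Search filter: ' . $filterObj->getMessage());
         return FALSE;
     }
     $searchResults = $ldapConn->search(LDAP_AUTH_BASEDN, $filterObj);
     if (Net_LDAP2::isError($searchResults)) {
         $this->_log('LDAP Search Failed: ' . $searchResults->getMessage());
         return FALSE;
     }
     $matches = $searchResults->count();
     if ($matches === 0) {
         if ($logAttempts) {
             $this->_logAttempt((string) $login, 'Unknown User');
         }
         return FALSE;
     }
     if ($matches > 1) {
         $this->_log('Multiple DNs found for username ' . $login);
         return FALSE;
     }

     //Getting user's DN from search
     $userEntry = $searchResults->shiftEntry();
     $userDN = $userEntry->dn();

     //Binding with user's DN.
     $loginAttempt = $ldapConn->bind($userDN, $password);
     if ($loginAttempt === TRUE) {
         if ($logAttempts) {
             $this->_logAttempt((string) $login, 'successful');
         }
         return $this->base->auto_create_user($login);
     }
     // LDAP result code 49 = invalidCredentials
     if ($loginAttempt->getCode() == 49) {
         if ($logAttempts) {
             $this->_logAttempt((string) $login, 'bad password');
         }
         return FALSE;
     }
     $this->_log('Unknown Error: Code: ' . $loginAttempt->getCode() . ' Message: ' . $loginAttempt->getMessage() . ' user(' . (string) $login . ')');
     return FALSE;
 }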
Exemple #16
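/**
 * Write the current user's vacation settings to LDAP.
 *
 * All configured strings (base/bind DN, bind password, DNs and operations,
 * search base/filter) may contain %placeholders that are substituted with the
 * contents of $data before use. The substituted values are inserted verbatim:
 * no DN-, filter- or attribute-value escaping is applied. If any of them can be
 * user-controlled, Net_LDAP2_Util::escape_dn_value() / escape_filter_value()
 * should be applied for the respective context.
 *
 * Two write strategies exist:
 *   - vacation_ldap_modify_dns set: each DN/operation pair is applied with
 *     Net_LDAP2::modify();
 *   - otherwise the user's entry is located with vacation_ldap_search_* and
 *     the operations (add/replace/delete) are applied to that entry.
 *
 * @param array &$data keys: username, email_local, email_domain, email,
 *                     vacation_enable, vacation_start, vacation_end,
 *                     vacation_subject, vacation_message,
 *                     vacation_keepcopyininbox, vacation_forwarder
 * @return int PLUGIN_SUCCESS, PLUGIN_ERROR_CONNECT or PLUGIN_ERROR_PROCESS
 */
function vacation_write(array &$data)
{
    require_once 'Net/LDAP2.php';
    $rcmail = rcmail::get_instance();

    // Placeholders allowed in the base and bind DN (no password here).
    $dnKeys = array('%username', '%email_local', '%email_domain', '%email');
    $dnValues = array($data['username'], $data['email_local'], $data['email_domain'], $data['email']);
    $ldap_basedn = str_replace($dnKeys, $dnValues, $rcmail->config->get('vacation_ldap_basedn'));
    $ldap_binddn = str_replace($dnKeys, $dnValues, $rcmail->config->get('vacation_ldap_binddn'));

    // The bind password may additionally reference the user's own session password.
    $pwKeys = array('%username', '%password', '%email_local', '%email_domain', '%email');
    $pwValues = array($data['username'], $rcmail->decrypt($_SESSION['password']), $data['email_local'], $data['email_domain'], $data['email']);
    $ldap_bindpw = str_replace($pwKeys, $pwValues, $rcmail->config->get('vacation_ldap_bindpw'));

    $ldapConfig = array(
        'host' => $rcmail->config->get('vacation_ldap_host'),
        'port' => $rcmail->config->get('vacation_ldap_port'),
        'starttls' => $rcmail->config->get('vacation_ldap_starttls'),
        'version' => $rcmail->config->get('vacation_ldap_version'),
        'basedn' => $ldap_basedn,
        'binddn' => $ldap_binddn,
        'bindpw' => $ldap_bindpw,
    );
    $ldap = Net_LDAP2::connect($ldapConfig);
    if (PEAR::isError($ldap)) {
        return PLUGIN_ERROR_CONNECT;
    }

    // Full placeholder set for DNs, filters and attribute values.
    $searchkeys = array('%username', '%email_local', '%email_domain', '%email', '%vacation_enable', '%vacation_start', '%vacation_end', '%vacation_subject', '%vacation_message', '%vacation_keepcopyininbox', '%vacation_forwarder');
    $useGeneralizedTime = $rcmail->config->get('vacation_ldap_date_use_generalized_time_format');
    $replaceby = array(
        $data['username'],
        $data['email_local'],
        $data['email_domain'],
        $data['email'],
        $data['vacation_enable']
            ? $rcmail->config->get('vacation_ldap_attr_vacationenable_value_enabled')
            : $rcmail->config->get('vacation_ldap_attr_vacationenable_value_disabled'),
        $useGeneralizedTime ? timestamp2generalizedtime($data['vacation_start']) : $data['vacation_start'],
        $useGeneralizedTime ? timestamp2generalizedtime($data['vacation_end']) : $data['vacation_end'],
        $data['vacation_subject'],
        $data['vacation_message'],
        $data['vacation_keepcopyininbox'],
        $data['vacation_forwarder'],
    );

    $dns = $rcmail->config->get('vacation_ldap_modify_dns');
    $ops = $rcmail->config->get('vacation_ldap_modify_ops');
    if (!empty($dns)) {
        // Explicit DN/operation pairs; only as many pairs as both lists provide.
        for ($i = 0; $i < count($dns) && $i < count($ops); $i++) {
            $dns[$i] = str_replace($searchkeys, $replaceby, $dns[$i]);
            foreach ($ops[$i] as $op => $args) {
                foreach ($args as $key => $value) {
                    $ops[$i][$op][$key] = str_replace($searchkeys, $replaceby, $value);
                }
            }
            $ret = $ldap->modify($dns[$i], $ops[$i]);
            if (PEAR::isError($ret)) {
                return PLUGIN_ERROR_PROCESS;
            }
        }
    } else {
        // No DNs configured: locate the user's entry by search and edit it.
        $search_base = str_replace($searchkeys, $replaceby, $rcmail->config->get('vacation_ldap_search_base'));
        $search_filter = str_replace($searchkeys, $replaceby, $rcmail->config->get('vacation_ldap_search_filter'));
        $search_params = array(
            'attributes' => $rcmail->config->get('vacation_ldap_search_attrs'),
            'scope' => $rcmail->config->get('vacation_ldap_search_scope'),
        );
        $result = $ldap->search($search_base, $search_filter, $search_params);
        if (PEAR::isError($result)) {
            return PLUGIN_ERROR_PROCESS;
        }
        if ($result->count() < 1) {
            return PLUGIN_ERROR_PROCESS;
        }
        $entry = $result->shiftEntry();
        foreach ($ops as $op => $args) {
            // $op becomes a method name on the entry, so compare strictly: with a
            // loose comparison an integer key would match on PHP < 8.
            if (!in_array($op, array('add', 'replace', 'delete'), true)) {
                return PLUGIN_ERROR_PROCESS;
            }
            foreach ($args as $key => $value) {
                $value = str_replace($searchkeys, $replaceby, $value);
                $ret = $entry->{$op}(array($key => $value));
                if (PEAR::isError($ret)) {
                    return PLUGIN_ERROR_PROCESS;
                }
            }
        }
        // Changes are only sent to the server on update().
        $ret = $entry->update();
        if (PEAR::isError($ret)) {
            return PLUGIN_ERROR_PROCESS;
        }
    }
    return PLUGIN_SUCCESS;
}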
Exemple #17
    } else {
        if (@(include_once 'Net/LDAP2.php')) {
            define('LDAP_LAYER', 'LDAP2');
        } else {
            define('LDAP_LAYER', 'LDAP');
// Test skip check: load the LDAP layer selected above and make sure a
// directory connection can be established. Any line starting with "skip"
// tells the test runner to skip this test; nothing is printed on success.
$ldapLibrary = (LDAP_LAYER == 'LDAP2') ? 'Net/LDAP2.php' : 'Net/LDAP.php';
if (!@(include_once $ldapLibrary)) {
    print 'skip could not find ' . $ldapLibrary;
} else {
    // $ldapConfig is expected to be defined by settings.php
    include_once dirname(dirname(__FILE__)) . '/settings.php';
    $ldap = (LDAP_LAYER == 'LDAP2')
        ? Net_LDAP2::connect($ldapConfig)
        : Net_LDAP::connect($ldapConfig);
    if (PEAR::isError($ldap)) {
        print 'skip could not connect to LDAP directory';
    }
}
 /**
  * Log an administrator in via CAS, resolve the account in LDAP and mirror
  * it into the local admin table.
  *
  * Flow as visible here: take the CAS user, find exactly one LDAP entry with
  * the configured filter, read the login and mail attributes, decide the
  * superuser flag (optional second LDAP search, or the
  * casldap_all_user_superadmin switch), then insert or update the admin row
  * and populate $_SESSION. Every failure path ends the request with die().
  *
  * @return bool true once the session has been populated
  */
 public function login()
     global $tables;
     // Load PEAR::Net_LDAP2 from the configured path if nothing has provided it yet.
     if (!class_exists('Net_LDAP2')) {
         require getConfig('casldap_netldap2_path');
     // force CAS authentication
     // Identity asserted by the CAS server; substituted into the LDAP filter below.
     $cas_login = phpCAS::getUser();
     if (!$cas_login) {
         // NOTE(review): the body of this branch is not visible in this listing.
     // Connection options; version, StartTLS and a service bind are optional.
     $ldap_config = array('host' => getConfig('ldap_host'), 'port' => getConfig('ldap_port'), 'basedn' => getConfig('ldap_basedn'));
     $ldap_version = getConfig('ldap_version');
     if (is_int($ldap_version)) {
         $ldap_config['version'] = $ldap_version;
     if (getConfig('ldap_starttls')) {
         $ldap_config['starttls'] = true;
     $ldap_binddn = getConfig('ldap_binddn');
     $ldap_bindpw = getConfig('ldap_bindpw');
     // Service-account bind only when both DN and password are configured;
     // otherwise Net_LDAP2 binds anonymously.
     if ($ldap_binddn && $ldap_bindpw) {
         $ldap_config['binddn'] = $ldap_binddn;
         $ldap_config['bindpw'] = $ldap_bindpw;
     $ldap = Net_LDAP2::connect($ldap_config);
     if (Net_LDAP2::isError($ldap)) {
         die(Fatal_Error(s("Could not connect to LDAP-server: %s", $ldap->getMessage())));
     // The CAS login is inserted into the filter verbatim. If it can contain
     // filter metacharacters ( ) * \ it should go through
     // Net_LDAP2_Util::escape_filter_value() first.
     $user_filter = str_replace('%login', $cas_login, getConfig('ldap_search_user_filter'));
     $user_basedn = getConfig('ldap_search_user_basedn');
     // null makes Net_LDAP2 fall back to the connection's basedn.
     if (!$user_basedn) {
         $user_basedn = NULL;
     $user_scope = getConfig('ldap_search_user_scope');
     // Only the three LDAP scopes are valid; anything else degrades to a subtree search.
     if (!in_array($user_scope, array('one', 'base', 'sub'))) {
         $user_scope = 'sub';
     $user_login_attr = getConfig('ldap_search_user_login_attr');
     $user_mail_attr = getConfig('ldap_search_user_mail_attr');
     // Request only the attributes read below.
     $options = array('scope' => $user_scope, 'attributes' => array($user_mail_attr));
     if ($user_login_attr) {
         $options['attributes'][] = $user_login_attr;
     $search = $ldap->search($user_basedn, $user_filter, $options);
     if (Net_LDAP2::isError($search)) {
         die(Fatal_Error(s("A problem occured during user search in LDAP : %s", $search->getMessage())));
     // Exactly one entry must match: none means "not authorized", several is a
     // configuration error (ambiguous identity), so both stop the login.
     if ($search->count() == 0) {
         die(Error(s("You are not authorized to access to this page")));
     } elseif ($search->count() != 1) {
         die(Fatal_Error(s("Found %d users in LDAP corresponding to CAS login %s.", $search->count(), $cas_login)));
     $user_entry = $search->shiftEntry();
     // The local login name is taken from LDAP when a login attribute is
     // configured, otherwise the CAS login is used as-is.
     if ($user_login_attr) {
         $login = $user_entry->getValue($user_login_attr, 'single');
         if (!is_string($login)) {
             die(Fatal_Error(s("Fail to retreive user login from LDAP data")));
     } else {
         $login = $cas_login;
     $mail = $user_entry->getValue($user_mail_attr, 'single');
     if (!is_string($mail)) {
         die(Fatal_Error(s("Fail to retreive user mail from LDAP data")));
     // Superuser flag: 1 when a configured superuser filter matches, or when
     // every user is declared superadmin; 0 otherwise.
     $superuser = 0;
     $superuser_filter = getConfig('ldap_search_superuser_filter');
     if ($superuser_filter) {
         // Same verbatim substitution as above ($login may now come from LDAP).
         $superuser_filter = str_replace('%login', $login, $superuser_filter);
         $superuser_basedn = getConfig('ldap_search_superuser_basedn');
         if (!$superuser_basedn) {
             $superuser_basedn = NULL;
         $superuser_scope = getConfig('ldap_search_superuser_scope');
         if (!in_array($superuser_scope, array('one', 'base', 'sub'))) {
             $superuser_scope = 'sub';
         // attrsonly: only the existence of a match matters here.
         $search = $ldap->search($superuser_basedn, $superuser_filter, array('scope' => $superuser_scope, 'attrsonly' => true));
         if (Net_LDAP2::isError($search)) {
             die(Fatal_Error(s("A problem occured during the search in LDAP to known if user is a superuser : %s", $search->getMessage())));
         if ($search->count() > 0) {
             $superuser = 1;
     } elseif (getConfig('casldap_all_user_superadmin')) {
         $superuser = 1;
     // Strings go through sql_escape(); $superuser (always 0/1) and $id (from
     // the row fetched here) are interpolated unquoted via %s.
     $row = Sql_Fetch_Row_Query(sprintf("SELECT id, privileges\n\t\t\tFROM {$tables['admin']}\n\t\t\tWHERE loginname = '%s'", sql_escape($login)));
     if ($row) {
         list($id, $privileges) = $row;
         // Re-enable the account and refresh mail/superuser on every login.
         $update = Sql_Query(sprintf("UPDATE {$tables['admin']} SET\n\t\t\t\temail = '%s',\n\t\t\t\tsuperuser = %s,\n\t\t\t\tdisabled = 0\n\t\t\t\tWHERE id=%s", sql_escape($mail), $superuser, $id));
         if (!$update) {
             die(Fatal_Error(s("Fail to update user informations in database : %s", Sql_Error())));
     } else {
         // NOTE(review): $privileges is never assigned on this path, so the
         // check further down reads an undefined variable (notice; no
         // privileges are loaded for a freshly created admin).
         $insert = Sql_Query(sprintf("INSERT INTO {$tables['admin']}\n\t\t\t\t(loginname,email,superuser,disabled)\n\t\t\t\tVALUES\n\t\t\t\t('%s','%s',%s,0)", sql_escape($login), sql_escape($mail), $superuser));
         if (!$insert) {
             die(Fatal_Error(s("Fail to create user in database : %s", Sql_Error())));
         $id = Sql_Insert_Id();
     // Record the client address of the login and the identity for this session.
     $_SESSION['adminloggedin'] = $_SERVER["REMOTE_ADDR"];
     $_SESSION['logindetails'] = array('adminname' => $login, 'id' => $id, 'superuser' => $superuser);
     // unserialize() of a value read back from the database: acceptable only
     // as long as the privileges column is written solely by trusted code.
     if ($privileges) {
         $_SESSION['privileges'] = unserialize($privileges);
     // Drop the CAS ticket from the URL by redirecting to the same URI; no
     // exit() follows, the method returns true to its caller.
     if (isset($_GET['ticket'])) {
         header('Location: ' . $_SERVER['REQUEST_URI']);
     return true;
Exemple #19
  * testStartTLS() if server supports it
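 /**
  * Connect with StartTLS enabled when ldapconfig.ini says the server supports it.
  *
  * Skipped when the PHP LDAP extension is missing, when no ldapconfig.ini was
  * loaded, or when server_cap_tls is not set.
  *
  * @return void
  */
 public function testStartTLS()
 {
     // Check extension
     if (true !== Net_LDAP2::checkLDAPExtension()) {
         $this->markTestSkipped('PHP LDAP extension not found or not loadable. Skipped Test.');
     }
     if (!$this->ldapcfg) {
         $this->markTestSkipped('No ldapconfig.ini found. Skipping test!');
     } elseif ($this->ldapcfg['global']['server_cap_tls'] == true) {
         // Simple working connect and privileged bind, with StartTLS requested.
         $lcfg = array(
             'host' => $this->ldapcfg['global']['server_address'],
             'port' => $this->ldapcfg['global']['server_port'],
             // NOTE(review): binddn concatenates server_binddn with itself; this
             // looks like a copy/paste slip -- confirm against ldapconfig.ini.
             'binddn' => $this->ldapcfg['global']['server_binddn'] . ',' . $this->ldapcfg['global']['server_binddn'],
             'bindpw' => $this->ldapcfg['global']['server_bindpw'],
             'starttls' => true,
         );
         // Pass the prepared config: previously connect() was called without it,
         // so neither the credentials nor the StartTLS setting were exercised.
         $ldap = Net_LDAP2::connect($lcfg);
         $this->assertInstanceOf('Net_LDAP2', $ldap, 'Connect failed but was supposed to work. Check credentials and host address. If those are correct, file a bug!');
     } else {
         $this->markTestSkipped('Server does not support TLS (see ldapconfig.ini). Skipping test.');
     }
 }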
Exemple #20
 /**
  * Build the bind DN for the configured bind_type and open the Net_LDAP2
  * connection, storing it in $this->ldaplink.
  *
  * Return value is not uniform: true when an existing link is reused, the
  * Net_LDAP2 error code (int) when connect() fails, and the string
  * 'LDAP_SUCCESS' on success. Callers must not test it for truthiness, since
  * a non-zero error code is truthy.
  *
  * @param bool $reconnect when true, connect again even if a link exists
  * @return bool|int|string
  */
 public function bind($reconnect = false)
     global $prefs;
     // Force the reconnection
     // NOTE(review): the body of the $reconnect branch is empty in this
     // listing and the comment below the return is unreachable; the intent
     // (reuse the link unless a reconnect is requested) is inferred.
     if ($this->ldaplink instanceof Net_LDAP2) {
         if ($reconnect === true) {
         } else {
             return true;
             // do not try to reconnect since this may lead to huge timeouts
     // Set the bindpw with the options['password']
     // For every bind_type except 'explicit' the user's password is the bind password.
     if ($this->options['bind_type'] != 'explicit') {
         $this->options['bindpw'] = $this->options['password'];
     $user = $this->options['username'];
     // NOTE(review): no break statements appear in this listing, so as printed
     // each case falls through to the next and every bind_type ends at the
     // "Invalid bind_type" log line; the source very likely has a break per
     // case (and 'default' is a string label here, not the default clause) --
     // confirm against the original file.
     switch ($this->options['bind_type']) {
         case 'ad':
             // active directory
             // Build a UPN (user@domain) from the dc= components of the base DN.
             preg_match_all('/\\s*,?dc=\\s*([^,]+)/i', $this->options['basedn'], $t);
             $this->options['binddn'] = $user . '@';
             if (isset($t[1]) && is_array($t[1])) {
                 foreach ($t[1] as $domainpart) {
                     $this->options['binddn'] .= $domainpart . '.';
                 // cut trailing dot
                 $this->options['binddn'] = substr($this->options['binddn'], 0, -1);
             // set referrals to 0 to avoid LDAP_OPERATIONS_ERROR
             $this->options['options']['LDAP_OPT_REFERRALS'] = 0;
         case 'plain':
             // plain username
             $this->options['binddn'] = $user;
         case 'full':
             // DN resolved by the class's own lookup.
             $this->options['binddn'] = $this->user_dn($user);
         case 'ol':
             // openldap
             // The username is placed into the DN verbatim; if it can contain DN
             // special characters, Net_LDAP2_Util::escape_dn_value() applies.
             $this->options['binddn'] = 'cn=' . $user . ',' . $prefs['auth_ldap_basedn'];
         case 'default':
             // Anonymous binding
             $this->options['binddn'] = '';
             $this->options['bindpw'] = '';
         case 'explicit':
             $this->add_log('ldap', 'Error: Invalid "bind_type" value "' . $this->options['bind_type'] . '".');
     // Logs host and bind DN only; the bind password is not written to the log.
     $this->add_log('ldap', 'Connect Host: ' . implode($this->options['host']) . '. Binddn: ' . $this->options['binddn'] . ' at line ' . __LINE__ . ' in ' . __FILE__);
     //create options array to handle it to Net_LDAP2
     // Only the keys Net_LDAP2::connect() understands are copied. $options is
     // never initialised, so it is undefined if none of them is set.
     foreach (array('host', 'port', 'version', 'starttls', 'basedn', 'filter', 'scope', 'binddn', 'bindpw', 'options') as $o) {
         if (isset($this->options[$o])) {
             $options[$o] = $this->options[$o];
     $this->ldaplink = Net_LDAP2::connect($options);
     if (Net_LDAP2::isError($this->ldaplink)) {
         $this->add_log('ldap', 'Error: ' . $this->ldaplink->getMessage() . ' at line ' . __LINE__ . ' in ' . __FILE__);
         // return Net_LDAP2 Error codes. No need to redefine this.
         return $this->ldaplink->getCode();
     return 'LDAP_SUCCESS';
Exemple #21
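/**
 * Write the current user's vacation settings to LDAP.
 *
 * The %placeholders in the configured base/bind DN, bind password and in each
 * DN/operation pair of vacation_ldap_modify_dns / vacation_ldap_modify_ops are
 * substituted with the contents of $data; each pair is then applied with
 * Net_LDAP2::modify(). Substituted values are inserted verbatim (no DN or
 * attribute-value escaping); if any of them can be user-controlled,
 * Net_LDAP2_Util::escape_dn_value() should be applied to the DN parts.
 *
 * @param array &$data keys: username, email_local, email_domain, email,
 *                     vacation_enable, vacation_start, vacation_end,
 *                     vacation_subject, vacation_message,
 *                     vacation_keepcopyininbox, vacation_forwarder
 * @return int PLUGIN_SUCCESS, PLUGIN_ERROR_CONNECT or PLUGIN_ERROR_PROCESS
 */
function vacation_write(array &$data)
{
    require_once 'Net/LDAP2.php';
    $rcmail = rcmail::get_instance();

    // Placeholders allowed in the base and bind DN (no password here).
    $dnKeys = array('%username', '%email_local', '%email_domain', '%email');
    $dnValues = array($data['username'], $data['email_local'], $data['email_domain'], $data['email']);
    $ldap_basedn = str_replace($dnKeys, $dnValues, $rcmail->config->get('vacation_ldap_basedn'));
    $ldap_binddn = str_replace($dnKeys, $dnValues, $rcmail->config->get('vacation_ldap_binddn'));

    // The bind password may additionally reference the user's own session password.
    $pwKeys = array('%username', '%password', '%email_local', '%email_domain', '%email');
    $pwValues = array($data['username'], $rcmail->decrypt($_SESSION['password']), $data['email_local'], $data['email_domain'], $data['email']);
    $ldap_bindpw = str_replace($pwKeys, $pwValues, $rcmail->config->get('vacation_ldap_bindpw'));

    $ldapConfig = array(
        'host' => $rcmail->config->get('vacation_ldap_host'),
        'port' => $rcmail->config->get('vacation_ldap_port'),
        'starttls' => $rcmail->config->get('vacation_ldap_starttls'),
        'version' => $rcmail->config->get('vacation_ldap_version'),
        'basedn' => $ldap_basedn,
        'binddn' => $ldap_binddn,
        'bindpw' => $ldap_bindpw,
    );
    $ldap = Net_LDAP2::connect($ldapConfig);
    if (PEAR::isError($ldap)) {
        return PLUGIN_ERROR_CONNECT;
    }

    $dns = $rcmail->config->get('vacation_ldap_modify_dns');
    $ops = $rcmail->config->get('vacation_ldap_modify_ops');
    // Nothing configured means nothing to write (and avoids count() on null).
    if (empty($dns) || empty($ops)) {
        return PLUGIN_SUCCESS;
    }

    // Placeholder sets for the DN and for attribute values. They differ only
    // in how %vacation_enable is rendered: literal TRUE/FALSE inside the DN,
    // the configured enabled/disabled values inside attributes. Built once
    // instead of on every loop iteration.
    $keys = array('%username', '%email_local', '%email_domain', '%email', '%vacation_enable', '%vacation_start', '%vacation_end', '%vacation_subject', '%vacation_message', '%vacation_keepcopyininbox', '%vacation_forwarder');
    $identity = array($data['username'], $data['email_local'], $data['email_domain'], $data['email']);
    $vacation = array($data['vacation_start'], $data['vacation_end'], $data['vacation_subject'], $data['vacation_message'], $data['vacation_keepcopyininbox'], $data['vacation_forwarder']);
    $dnEnable = $data['vacation_enable'] ? "TRUE" : "FALSE";
    $attrEnable = $data['vacation_enable']
        ? $rcmail->config->get('vacation_ldap_attr_vacationenable_value_enabled')
        : $rcmail->config->get('vacation_ldap_attr_vacationenable_value_disabled');
    $dnValuesFull = array_merge($identity, array($dnEnable), $vacation);
    $attrValuesFull = array_merge($identity, array($attrEnable), $vacation);

    // Only as many DN/operation pairs as both lists provide.
    $pairs = min(count($dns), count($ops));
    for ($i = 0; $i < $pairs; $i++) {
        $dn = str_replace($keys, $dnValuesFull, $dns[$i]);
        $modification = $ops[$i];
        foreach ($modification as $op => $args) {
            foreach ($args as $key => $value) {
                $modification[$op][$key] = str_replace($keys, $attrValuesFull, $value);
            }
        }
        $ret = $ldap->modify($dn, $modification);
        // Check the modify() result, not the connection object: the previous
        // code tested $ldap here, so a failed modification was reported as
        // PLUGIN_SUCCESS.
        if (PEAR::isError($ret)) {
            return PLUGIN_ERROR_PROCESS;
        }
    }
    return PLUGIN_SUCCESS;
}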