function install_etape_ldap4_dist() { $adresse_ldap = _request('adresse_ldap'); $login_ldap = _request('login_ldap'); $pass_ldap = _request('pass_ldap'); $port_ldap = _request('port_ldap'); $base_ldap = _request('base_ldap'); $base_ldap_text = _request('base_ldap_text'); if (!$base_ldap) { $base_ldap = $base_ldap_text; } echo install_debut_html(); $ldap_link = ldap_connect($adresse_ldap, $port_ldap); @ldap_bind($ldap_link, $login_ldap, $pass_ldap); // Essayer de verifier le chemin fourni $r = @ldap_compare($ldap_link, $base_ldap, "objectClass", ""); $fail = ldap_errno($ldap_link) == 32; if ($fail) { echo info_etape(_T('info_chemin_acces_annuaire')), info_progression_etape(3, 'etape_ldap', 'install/', true), "<div class='error'><p><b>" . _T('avis_operation_echec') . "</b></p><p>" . _T('avis_chemin_invalide_1'), " (<tt>" . htmlspecialchars($base_ldap) . "</tt>) " . _T('avis_chemin_invalide_2') . "</p></div>"; } else { info_etape(_T('info_reglage_ldap')); echo info_progression_etape(4, 'etape_ldap', 'install/'); $statuts = liste_statuts_ldap(); $statut_ldap = defined('_INSTALL_STATUT_LDAP') ? _INSTALL_STATUT_LDAP : $GLOBALS['liste_des_statuts']['info_redacteurs']; $res = install_propager(array('adresse_ldap', 'port_ldap', 'login_ldap', 'pass_ldap', 'protocole_ldap', 'tls_ldap')) . "<input type='hidden' name='etape' value='ldap5' />" . "<input type='hidden' name='base_ldap' value='" . htmlentities($base_ldap) . "' />" . fieldset(_T('info_statut_utilisateurs_1'), array('statut_ldap' => array('label' => _T('info_statut_utilisateurs_2') . '<br />', 'valeur' => $statut_ldap, 'alternatives' => $statuts))) . install_ldap_correspondances() . bouton_suivant(); echo generer_form_ecrire('install', $res); } echo install_fin_html(); }
/** * Finds if user belongs to group, recursively if requested * Private function for this LDAP module only. * * @param string $ldap_group LDAP group to check * @param string $userdn User Distinguished Name * @param int $depth Recursion depth (used in recursion, stops at configured maximum depth) * * @return array Array of server names to be used for LDAP. */ function ldap_search_user($ldap_group, $userdn, $depth = -1) { global $ds, $config; $compare = ldap_compare($ds, $ldap_group, $config['auth_ldap_groupmemberattr'], $userdn); if ($compare === TRUE) { return TRUE; // Member found, return TRUE } elseif ($config['auth_ldap_recursive'] === true && $depth < $config['auth_ldap_recursive_maxdepth']) { $depth++; //$filter = "(&(objectClass=group)(memberOf=". $ldap_group ."))"; $filter_params = array(); $filter_params[] = ldap_filter_create('objectClass', 'group'); $filter_params[] = ldap_filter_create('memberOf', $ldap_group); $filter = ldap_filter_combine($filter_params); print_debug("LDAP[UserSearch][{$depth}][Comparing: " . $ldap_group . "][" . $config['auth_ldap_groupmemberattr'] . "={$userdn}][Filter: {$filter}]"); $ldap_search = ldap_search($ds, trim($config['auth_ldap_groupbase'], ', '), $filter, array($config['auth_ldap_attr']['dn'])); $ldap_results = ldap_get_entries($ds, $ldap_search); array_shift($ldap_results); // Chop off "count" array entry foreach ($ldap_results as $element) { print_debug("LDAP[UserSearch][{$depth}][Comparing: " . $element[$config['auth_ldap_attr']['dn']][0] . "][" . $config['auth_ldap_groupmemberattr'] . "={$userdn}]"); $result = ldap_search_user($element[$config['auth_ldap_attr']['dn']][0], $userdn, $depth); if ($result === TRUE) { return TRUE; // Member found, return TRUE } } return FALSE; // Not found, return FALSE. } else { return FALSE; // Recursion disabled or reached maximum depth, return FALSE. } }
function authenticate($username, $password) { global $config; $ds = @ldap_connect($config['auth_ldap_server'], $config['auth_ldap_port']); if ($ds) { if ($config['auth_ldap_version']) { ldap_set_option($ds, LDAP_OPT_PROTOCOL_VERSION, $config['auth_ldap_version']); } if (ldap_bind($ds, $config['auth_ldap_prefix'] . $username . $config['auth_ldap_suffix'], $password)) { if (!$config['auth_ldap_group']) { return 1; } else { if (ldap_compare($ds, $config['auth_ldap_group'], 'memberUid', $username)) { return 1; } } } } else { # FIXME return a warning that LDAP couldn't connect? } return 0; }
/** * Compare an entry and return a true or false result * * @param string $dn The DN which contains the attribute you want to compare * @param string $attribute The attribute whose value you want to compare * @param string $value The value you want to check against the LDAP attribute * * @return mixed result of comparison (true, false, -1 on error) * * @since 12.1 */ public function compare($dn, $attribute, $value) { return @ldap_compare($this->_resource, $dn, $attribute, $value); }
function get_userlist() { global $config, $ldap_connection; $userlist = array(); $filter = '(' . $config['auth_ldap_prefix'] . '*)'; $search = ldap_search($ldap_connection, trim($config['auth_ldap_suffix'], ','), $filter); $entries = ldap_get_entries($ldap_connection, $search); if ($entries['count']) { foreach ($entries as $entry) { $username = $entry['uid'][0]; $realname = $entry['cn'][0]; $user_id = $entry['uidnumber'][0]; $email = $entry[$config['auth_ldap_emailattr']][0]; $ldap_groups = get_group_list(); foreach ($ldap_groups as $ldap_group) { $ldap_comparison = ldap_compare($ldap_connection, $ldap_group, $config['auth_ldap_groupmemberattr'], get_membername($username)); if (!isset($config['auth_ldap_group']) || $ldap_comparison === true) { $userlist[] = array('username' => $username, 'realname' => $realname, 'user_id' => $user_id, 'email' => $email); } } } } return $userlist; }
ldap_mod_replace($ds, $dn, $entry); /* ### SEARCH ### */ $dn = "o=My Company, c=USs"; echo "\nSearch " . $dn; $filter = "(|(sn=jeantet)(givenname=jeantet*))"; $justthese = array("ou", "sn", "givenname", "mail"); $cookie = 'cookie'; ldap_control_paged_result($ds, 23, true, $cookie); $sr = ldap_search($ds, $dn, $filter, $justthese); $info = ldap_get_entries($ds, $sr); echo "\n\t" . $info["count"] . " entries returned"; // ldap_control_paged_result_response($ds, $sr, $cookie); /* ### COMPARE ### */ $dn = "cn=Matti Meikku, ou=My Unit, o=My Company, c=FI"; echo "\nCompare " . $dn; // Préparation des données $value = "secretpassword"; $attr = "password"; // Comparaison des valeurs $r = ldap_compare($ds, $dn, $attr, $value); if ($r === -1) { echo "Error: " . ldap_error($ds); } elseif ($r === true) { echo "\n\tCompare true."; } elseif ($r === false) { echo "\n\tCompare false !"; } /* ### LDAP CLOSE / UNBIND ### */ echo "\nUnbind "; ldap_unbind($ds); echo "\n";
/** * Compare the value of attribute found in entry specified with $dn * * Used to compare the value of attr to the value of same attribute in the LDAP directory * entry specified with $dn. * * Returns TRUE if value matches, otherwise returns FALSE. Returns -1 on error. * * @link http://www.php.net/ldap_compare * @param string $dn The DN which we are comparing * @param string $attr The attribute to check * @param string $value The value to check for * @return mixed */ function compare($dn, $attr, $value) { $result = @ldap_compare($this->connection, $dn, $attr, $value); if ($result === -1) { $this->setErrVars(); } return $result; }
/** * {@inheritdoc} */ public function compare($dn, $attribute, $value) { return ldap_compare($this->getConnection(), $dn, $attribute, $value); }
/** * Wrapper function for ldap_compare(). * * @param resource $link_identifier * An LDAP link identifier. * @param string $dn * The distinguished name of an LDAP entity. * @param string $attribute * The attribute name. * @param string $value * The compared value. * * @return boolean * Returns TRUE if value matches otherwise returns FALSE. * * @throw SimpleLdapException */ public static function ldap_compare($link_identifier, $dn, $attribute, $value) { // Devel debugging. if (variable_get('simple_ldap_devel', FALSE)) { dpm(__FUNCTION__); dpm(array('$dn' => $dn, '$attribute' => $attribute, '$value' => $value)); } // Wrapped function call. $return = @ldap_compare($link_identifier, $dn, $attribute, $value); // Debugging. if (variable_get('simple_ldap_debug', FALSE)) { $message = __FUNCTION__ . '($link_identifier = @link_identifier, $dn = @dn, $attribute = @attribute, $value = @value) returns @return'; $variables = array('@link_identifier' => print_r($link_identifier, TRUE), '@dn' => print_r($dn, TRUE), '@attribute' => print_r($attribute, TRUE), '@value' => print_r($value, TRUE), '@return' => print_r($return, TRUE)); watchdog('simple_ldap', $message, $variables, WATCHDOG_DEBUG); } // Error handling. if ($return == -1) { throw new SimpleLdapException($link_identifier); } return $return; }
/** * @link http://php.net/manual/en/function.ldap-compare.php * @param $linkIdentifier * @param $dn * @param $attribute * @param $value * @return mixed */ public function compare($linkIdentifier, $dn, $attribute, $value) { return ldap_compare($linkIdentifier, $dn, $attribute, $value); }
function ldapauth_authenticate($username, $password, &$mail) { logger('ldapauth: Searching user ' . $username . '.'); $ldap_server = get_config('ldapauth', 'ldap_server'); $ldap_binddn = get_config('ldapauth', 'ldap_binddn'); $ldap_bindpw = get_config('ldapauth', 'ldap_bindpw'); $ldap_searchdn = get_config('ldapauth', 'ldap_searchdn'); $ldap_userattr = get_config('ldapauth', 'ldap_userattr'); $ldap_group = get_config('ldapauth', 'ldap_group'); if (empty($password)) { logger('ldapauth: Empty Password not allowed.'); return false; } if (!function_exists('ldap_connect') || empty($ldap_server)) { logger('ldapauth: PHP-LDAP fail or no server set.'); return false; } $connect = @ldap_connect($ldap_server); if (!$connect) { logger('ldapauth: Unable to connect to server'); return false; } @ldap_set_option($connect, LDAP_OPT_PROTOCOL_VERSION, 3); @ldap_set_option($connect, LDAP_OPT_REFERRALS, 0); if (@ldap_bind($connect, $ldap_binddn, $ldap_bindpw) === false) { logger('ldapauth: Unable to bind to server. Check credentials of binddn.'); return false; } $res = @ldap_search($connect, $ldap_searchdn, $ldap_userattr . '=' . $username, array('mail')); if (!$res) { logger('ldapauth: User ' . $username . ' not found.'); return false; } $id = @ldap_first_entry($connect, $res); if (!$id) { logger('ldapauth: User ' . $username . ' found but unable to load data.'); return false; } // get primary email $mail = ''; $attrs = @ldap_get_attributes($connect, $id); if ($attrs['count'] && $attrs['mail']) { if (is_array($attrs['mail'])) { $mail = $attrs['mail'][0]; } else { $mail = $attrs['mail']; } } $dn = @ldap_get_dn($connect, $id); if (!@ldap_bind($connect, $dn, $password)) { logger('ldapauth: User ' . $username . ' provided wrong credentials.'); return false; } if (empty($ldap_group)) { logger('ldapauth: User ' . $username . ' authenticated.'); return true; } $r = @ldap_compare($connect, $ldap_group, 'member', $dn); if ($r === -1) { $err = @ldap_error($connect); $eno = @ldap_errno($connect); @ldap_close($connect); if ($eno === 32) { logger('ldapauth: access control group Does Not Exist'); return false; } elseif ($eno === 16) { logger('ldapauth: membership attribute does not exist in access control group'); return false; } else { logger('ldapauth: error: ' . $err); return false; } } elseif ($r === false) { logger('ldapauth: User ' . $username . ' is not in the allowed group.'); @ldap_close($connect); return false; } // logger('ldapauth: User '.$username.' authenticated and in allowed group.'); return true; }
<?php require "connect.inc"; $link = ldap_connect_and_bind($host, $port, $user, $passwd, $protocol_version); insert_dummy_data($link, $base); var_dump(ldap_compare($link, "cn=userA,{$base}", "sn", "testSN1"), ldap_compare($link, "cn=userA,{$base}", "telephoneNumber", "yy-yy-yy-yy-yy")); ?> ===DONE===
/** * Compare an entry and return the result * * @param string $dn The distinguished name of the attribute to compare * @param string $attribute The attribute name/key * @param string $value The compared value of the attribute (case insensitive) * * @return boolean True if value matches otherwise returns False. * * @since 1.0 * @throws SHLdapException */ public function compare($dn, $attribute, $value) { $this->operationAllowed(); // Do the Ldap compare operation $result = @ldap_compare($this->resource, $dn, $attribute, $value); if ($result === -1) { // A error in the Ldap compare operation occurred throw new SHLdapException($this->getErrorCode(), 10131, JText::_('LIB_SHLDAP_ERR_10131')); } return $result; }
/** * @param string $dn * @param string $attribute * @param mixed $value * @return bool * @throws UnavailableException * @throws ReadFailureException */ public function compare($dn, $attribute, $value) { $this->checkBound(); if (-1 === ($result = ldap_compare($this->link, $dn, $attribute, $value))) { throw new ReadFailureException(ldap_error($this->link), ldap_errno($this->link)); } return $result; }
/** * This function queries the LDAP server to determine whether a given user and * group combination exists. This function returns an array of groups the given * user belongs to * * @param array $groupsInConfig * * @author Andrew Darwin <*****@*****.**> * @author Delvison Castillo */ function queryLDAP($groupsInConfig) { $groupsUserBelongsTo = array(); global $ldapAddress; global $ldapPort; global $useLDAP; //LDAP QUERIES HERE if (!$useLDAP) { $groupsUserBelongsTo = array("public"); return $groupsUserBelongsTo; } if ($ldapAddress == "" || $ldapPort == "") { return null; } $ldap = ldap_connect($ldapAddress, $ldapPort); logMessage("queryLDAP() Tried to connect to LDAP and got the following " . "object: {$ldap}"); //$bindedLDAP = ldap_bind($ldap); //binded for read access if ($ldap && ldap_bind($ldap)) { logMessage("queryLDAP() is beginning to query groups from config"); foreach ($groupsInConfig as $group) { // prepare data $dn = getLDAPQueryDN($group); $value = getLDAPQueryValue(); $attr = getLDAPQueryAttribute(); logMessage("queryLDAP() prepared a query with dn: {$dn}, value: " . "{$value}, and attr: {$attr}"); $query = ldap_compare($ldap, $dn, $attr, $value); logMessage("queryLDAP(): The query returned: " . ($query ? "true" : "false")); if ($query === -1) { //AN ERROR HAS OCCURED $groupsUserBelongsTo = array("LDAP Error"); logMessage("LDAP ERROR"); } else { if ($query) { array_push($groupsUserBelongsTo, $group); logMessage("queryLDAP() pushed group: {$group} to list of groups " . "the user belongs to"); } } } } else { $groupsUserBelongsTo = array("Invalid LDAP Connection"); } return $groupsUserBelongsTo; }
function ldap_auth_user_list() { global $config, $ds; ldap_init(); ldap_bind_dn(); $filter = '(objectClass=' . $config['auth_ldap_objectclass'] . ')'; print_debug("LDAP[UserList][Filter][{$filter}][" . trim($config['auth_ldap_suffix'], ', ') . "]"); $search = ldap_search($ds, trim($config['auth_ldap_suffix'], ', '), $filter); print_debug(ldap_error($ds)); $entries = ldap_get_entries($ds, $search); if ($entries['count']) { for ($i = 0; $i < $entries['count']; $i++) { $username = $entries[$i][strtolower($config['auth_ldap_attr']['uid'])][0]; $realname = $entries[$i][strtolower($config['auth_ldap_attr']['cn'])][0]; $user_id = ldap_internal_auth_user_id($entries[$i]); $userdn = $config['auth_ldap_groupmembertype'] == 'fulldn' ? $entries[$i]['dn'] : $username; print_debug("LDAP[UserList][Compare: " . implode('|', $config['auth_ldap_group']) . "][" . $config['auth_ldap_groupmemberattr'] . "][{$userdn}]"); foreach ($config['auth_ldap_group'] as $ldap_group) { $authorized = 0; $compare = ldap_compare($ds, $ldap_group, $config['auth_ldap_groupmemberattr'], $userdn); if ($compare === -1) { print_debug("LDAP[UserList][Compare LDAP error: " . ldap_error($ds) . "]"); continue; } elseif ($compare === FALSE) { print_debug("LDAP[UserList][Processing group: {$ldap_group}][Not matched]"); } else { // $$compare === TRUE print_debug("LDAP[UserList][Authorized: {$userdn} for group {$ldap_group}]"); $authorized = 1; break; } // FIXME does not support nested groups } if (!isset($config['auth_ldap_group']) || $authorized) { $userlist[] = array('username' => $username, 'realname' => $realname, 'user_id' => $user_id); } } } return $userlist; }
function check_filegroup_membership($ds, $uid) { $dn = LDAP_GROUPDN; $attr = LDAP_GROUP_ATTRIBUTE; $result = @ldap_compare($ds, $dn, $attr, $uid); if ($result === true) { return true; } else { return false; } }
/** Compare the value of the attribute of an entry for a specific DN. @param $sDN The Distinguished Name of an LDAP entity. @param $sAttribute The attribute name. @param $sValue The compared value. @return bool Whether the value matched. @throw LDAPException If an error occurs. */ public function isEqual($sDN, $sAttribute, $sValue) { $b = ldap_compare($this->rLink, $sDN, $sAttribute, $sValue); if ($b === -1) { throw new LDAPException(_WT('Failed to compare the value of the attribute.') . "\n" . ldap_error($this->rLink), ldap_errno($this->rLink)); } return $b; }
<?php require "connect.inc"; $link = ldap_connect_and_bind($host, $port, $user, $passwd, $protocol_version); insert_dummy_data($link); var_dump(ldap_compare($link, "cn=userA,dc=my-domain,dc=com", "sn", "testSN1"), ldap_compare($link, "cn=userA,dc=my-domain,dc=com", "telephoneNumber", "yy-yy-yy-yy-yy")); ?> ===DONE=== <?php include "connect.inc"; $link = ldap_connect_and_bind($host, $port, $user, $passwd, $protocol_version); remove_dummy_data($link);
<?php require "connect.inc"; $link = ldap_connect_and_bind($host, $port, $user, $passwd, $protocol_version); insert_dummy_data($link, $base); // Too few parameters var_dump(ldap_compare($link)); var_dump(ldap_compare($link, $link)); var_dump(ldap_compare($link, $link, $link)); // Too many parameters var_dump(ldap_compare($link, $link, $link, $link, "Additional data")); var_dump(ldap_compare($link, "cn=userNotAvailable,{$base}", "sn", "testSN1"), ldap_error($link), ldap_errno($link)); ?> ===DONE===
function get_userlist() { global $config, $ds; $filter = '(' . $config['auth_ldap_prefix'] . '*)'; $search = ldap_search($ds, trim($config['auth_ldap_suffix'], ','), $filter); $entries = ldap_get_entries($ds, $search); if ($entries['count']) { foreach ($entries as $entry) { $username = $entry['uid'][0]; $realname = $entry['cn'][0]; $user_id = $entry['uidnumber'][0]; if (!isset($config['auth_ldap_group']) || ldap_compare($ds, $config['auth_ldap_group'], 'memberUid', $username)) { $userlist[] = array('username' => $username, 'realname' => $realname, 'user_id' => $user_id); } } } return $userlist; }
<?php require "connect.inc"; $link = ldap_connect_and_bind($host, $port, $user, $passwd, $protocol_version); insert_dummy_data($link, $base); // Too few parameters var_dump(ldap_compare($link)); var_dump(ldap_compare($link, $link)); var_dump(ldap_compare($link, $link, $link)); // Too many parameters var_dump(ldap_compare($link, $link, $link, $link, "Additional data")); var_dump( ldap_compare($link, "cn=userNotAvailable,$base", "sn", "testSN1"), ldap_error($link), ldap_errno($link) ); ?> ===DONE=== <?php include "connect.inc"; $link = ldap_connect_and_bind($host, $port, $user, $passwd, $protocol_version); remove_dummy_data($link, $base); ?>
/** * Performs the LDAP authentication procedure * * @since 1.0 * @package facileManager * * @param string $username Username to authenticate * @param string $password Username to authenticate with * @return boolean */ function doLDAPAuth($username, $password) { global $fmdb; /** Get LDAP variables */ if (empty($ldap_server)) { $ldap_server = getOption('ldap_server'); } if (empty($ldap_port)) { $ldap_port = getOption('ldap_port'); } if (empty($ldap_port_ssl)) { $ldap_port_ssl = getOption('ldap_port_ssl'); } if (empty($ldap_version)) { $ldap_version = getOption('ldap_version'); } if (empty($ldap_encryption)) { $ldap_encryption = getOption('ldap_encryption'); } if (empty($ldap_referrals)) { $ldap_referrals = getOption('ldap_referrals'); } if (empty($ldap_dn)) { $ldap_dn = getOption('ldap_dn'); } if (empty($ldap_group_require)) { $ldap_group_require = getOption('ldap_group_require'); } if (empty($ldap_group_dn)) { $ldap_group_dn = getOption('ldap_group_dn'); } if (empty($ldap_group_attribute)) { $ldap_group_attribute = getOption('ldap_group_attribute'); } $ldap_dn = str_replace('<username>', $username, $ldap_dn); if ($ldap_encryption == 'SSL') { $ldap_connect = @ldap_connect('ldaps://' . $ldap_server, $ldap_port_ssl); } else { $ldap_connect = @ldap_connect($ldap_server, $ldap_port); } if ($ldap_connect) { /** Set protocol version */ if (!@ldap_set_option($ldap_connect, LDAP_OPT_PROTOCOL_VERSION, $ldap_version)) { @ldap_close($ldap_connect); return false; } /** Set referrals */ if (!@ldap_set_option($ldap_connect, LDAP_OPT_REFERRALS, $ldap_referrals)) { @ldap_close($ldap_connect); return false; } /** Start TLS if requested */ if ($ldap_encryption == 'TLS') { if (!@ldap_start_tls($ldap_connect)) { @ldap_close($ldap_connect); return false; } } $ldap_bind = @ldap_bind($ldap_connect, $ldap_dn, $password); if ($ldap_bind) { if ($ldap_group_require) { /** Process group membership if required */ $ldap_group_response = @ldap_compare($ldap_connect, $ldap_group_dn, $ldap_group_attribute, $username); if ($ldap_group_response !== true) { @ldap_close($ldap_connect); return false; } } /** Get user permissions from database */ $fmdb->get_results("SELECT * FROM `fm_users` WHERE `user_status`='active' AND `user_auth_type`=2 AND `user_template_only`='no' AND `user_login`='{$username}'"); if (!$fmdb->num_rows) { if (!$this->createUserFromTemplate($username)) { @ldap_close($ldap_connect); return false; } } $this->setSession($fmdb->last_result[0]); return true; } /** Close LDAP connection */ @ldap_close($ldap_connect); } return false; }
/** * Compare value of attribute found in entry specified with DN * * @param string $dn The distinguished name of an LDAP entity * @param string $attribute The attribute name * @param string $value The compared value * @return bool Returns TRUE if value matches otherwise returns FALSE */ public function compare($dn, $attribute, $value) { $retVal = @ldap_compare($this->resource, $dn, $attribute, $value); $this->verifyOperation(); return $retVal; }
<?php require "connect.inc"; $link = ldap_connect_and_bind($host, $port, $user, $passwd, $protocol_version); insert_dummy_data($link, $base); var_dump( ldap_compare($link, "cn=userA,$base", "sn", "testSN1"), ldap_compare($link, "cn=userA,$base", "telephoneNumber", "yy-yy-yy-yy-yy") ); ?> ===DONE=== <?php include "connect.inc"; $link = ldap_connect_and_bind($host, $port, $user, $passwd, $protocol_version); remove_dummy_data($link, $base); ?>
function ldapauth_authenticate($username, $password) { $ldap_server = get_config('ldapauth', 'ldap_server'); $ldap_binddn = get_config('ldapauth', 'ldap_binddn'); $ldap_bindpw = get_config('ldapauth', 'ldap_bindpw'); $ldap_searchdn = get_config('ldapauth', 'ldap_searchdn'); $ldap_userattr = get_config('ldapauth', 'ldap_userattr'); $ldap_group = get_config('ldapauth', 'ldap_group'); $ldap_autocreateaccount = get_config('ldapauth', 'ldap_autocreateaccount'); $ldap_autocreateaccount_emailattribute = get_config('ldapauth', 'ldap_autocreateaccount_emailattribute'); $ldap_autocreateaccount_nameattribute = get_config('ldapauth', 'ldap_autocreateaccount_nameattribute'); if (!(strlen($password) && function_exists('ldap_connect') && strlen($ldap_server))) { logger("ldapauth: not configured or missing php-ldap module"); return false; } $connect = @ldap_connect($ldap_server); if ($connect === false) { logger("ldapauth: could not connect to {$ldap_server}"); return false; } @ldap_set_option($connect, LDAP_OPT_PROTOCOL_VERSION, 3); @ldap_set_option($connect, LDAP_OPT_REFERRALS, 0); if (@ldap_bind($connect, $ldap_binddn, $ldap_bindpw) === false) { logger("ldapauth: could not bind {$ldap_server} as {$ldap_binddn}"); return false; } $res = @ldap_search($connect, $ldap_searchdn, $ldap_userattr . '=' . $username); if (!$res) { logger("ldapauth: {$ldap_userattr}={$username},{$ldap_searchdn} not found"); return false; } $id = @ldap_first_entry($connect, $res); if (!$id) { return false; } $dn = @ldap_get_dn($connect, $id); if (!@ldap_bind($connect, $dn, $password)) { return false; } $emailarray = []; $namearray = []; if ($ldap_autocreateaccount == "true") { if (!strlen($ldap_autocreateaccount_emailattribute)) { $ldap_autocreateaccount_emailattribute = "mail"; } if (!strlen($ldap_autocreateaccount_nameattribute)) { $ldap_autocreateaccount_nameattribute = "givenName"; } $emailarray = @ldap_get_values($connect, $id, $ldap_autocreateaccount_emailattribute); $namearray = @ldap_get_values($connect, $id, $ldap_autocreateaccount_nameattribute); } if (!strlen($ldap_group)) { ldap_autocreateaccount($ldap_autocreateaccount, $username, $password, $emailarray[0], $namearray[0]); return true; } $r = @ldap_compare($connect, $ldap_group, 'member', $dn); if ($r === -1) { $err = @ldap_error($connect); $eno = @ldap_errno($connect); @ldap_close($connect); if ($eno === 32) { logger("ldapauth: access control group Does Not Exist"); return false; } elseif ($eno === 16) { logger('ldapauth: membership attribute does not exist in access control group'); return false; } else { logger('ldapauth: error: ' . $err); return false; } } elseif ($r === false) { @ldap_close($connect); return false; } ldap_autocreateaccount($ldap_autocreateaccount, $username, $password, $emailarray[0], $namearray[0]); return true; }
function Authenticate() { $output = array(); /* function check */ if (!function_exists("ldap_connect")) { $output["error_num"] = 99; $output["error_text"] = "PHP LDAP not enabled"; return $output; } /* validation */ if (empty($this->username)) { $output["error_num"] = "2"; $output["error_text"] = "No username defined"; return $output; } $this->dn = str_replace("<username>", $this->username, $this->dn); /* Fix encoding of username and password */ $this->username = html_entity_decode($this->username, ENT_COMPAT | ENT_HTML401, "UTF-8"); $this->password = html_entity_decode($this->password, ENT_COMPAT | ENT_HTML401, "UTF-8"); /* Determine connection method and create LDAP Object */ if ($this->encryption == "1") { /* This only works with OpenLDAP, I'm pretty sure this will not work with Solaris, Tony */ $ldap_conn = @ldap_connect("ldaps://" . $this->host . ":" . $this->port_ssl); } else { $ldap_conn = @ldap_connect($this->host, $this->port); } if ($ldap_conn) { /* Set protocol version */ cacti_log("LDAP: Setting protocol version to " . $this->version, false, "AUTH"); if (!@ldap_set_option($ldap_conn, LDAP_OPT_PROTOCOL_VERSION, $this->version)) { $output["error_num"] = "3"; $output["error_text"] = "Protocol Error, Unable to set version"; cacti_log("LDAP: " . $output["error_text"], false, "AUTH"); @ldap_close($ldap_conn); return $output; } /* set referrals */ if ($this->referrals == "0") { if (!@ldap_set_option($ldap_conn, LDAP_OPT_REFERRALS, 0)) { $output["error_num"] = "4"; $output["error_text"] = "Unable to set referrals option"; cacti_log("LDAP: " . $output["error_text"], false, "AUTH"); @ldap_close($ldap_conn); return $output; } } /* start TLS if requested */ if ($this->encryption == "2") { if (!@ldap_start_tls($ldap_conn)) { $output["error_num"] = "5"; $output["error_text"] = "Protocol error, unable to start TLS communications"; cacti_log("LDAP: " . $output["error_text"], false, "AUTH"); @ldap_close($ldap_conn); return $output; } } /* Bind to the LDAP directory */ $ldap_response = @ldap_bind($ldap_conn, $this->dn, $this->password); if ($ldap_response) { if ($this->group_require == 1) { /* Process group membership if required */ if ($this->group_member_type == 1) { $ldap_group_response = @ldap_compare($ldap_conn, $this->group_dn, $this->group_attrib, $this->dn); } else { $ldap_group_response = @ldap_compare($ldap_conn, $this->group_dn, $this->group_attrib, $this->username); } if ($ldap_group_response === true) { /* Auth ok */ $output["error_num"] = "0"; $output["error_text"] = "Authentication Success"; } else { if ($ldap_group_response === false) { $output["error_num"] = "8"; $output["error_text"] = "Insufficient access"; cacti_log("LDAP: " . $output["error_text"], false, "AUTH"); @ldap_close($ldap_conn); return $output; } else { $output["error_num"] = "12"; $output["error_text"] = "Group DN could not be found to compare"; cacti_log("LDAP: " . $output["error_text"], false, "AUTH"); @ldap_close($ldap_conn); return $output; } } } else { /* Auth ok - No group membership required */ $output["error_num"] = "0"; $output["error_text"] = "Authentication Success"; } } else { /* unable to bind */ $ldap_error = ldap_errno($ldap_conn); if ($ldap_error == 0x3) { /* protocol error */ $output["error_num"] = "7"; $output["error_text"] = "Protocol error"; } elseif ($ldap_error == 0x31) { /* invalid credentials */ $output["error_num"] = "1"; $output["error_text"] = "Authentication Failure"; } elseif ($ldap_error == 0x32) { /* insuffient access */ $output["error_num"] = "8"; $output["error_text"] = "Insufficient access"; } elseif ($ldap_error == 0x51) { /* unable to connect to server */ $output["error_num"] = "9"; $output["error_text"] = "Unable to connect to server"; } elseif ($ldap_error == 0x55) { /* timeout */ $output["error_num"] = "10"; $output["error_text"] = "Connection Timeout"; } else { /* general bind error */ $output["error_num"] = "11"; $output["error_text"] = "General bind error, LDAP result: " . ldap_error($ldap_conn); } } } else { /* Error intializing LDAP */ $output["error_num"] = "6"; $output["error_text"] = "Unable to create LDAP object"; } /* Close LDAP connection */ @ldap_close($ldap_conn); if ($output["error_num"] > 0) { cacti_log("LDAP: " . $output["error_text"], false, "AUTH"); } return $output; }
private function getLdapAccount() { //chech if KOLAB_LDAP_SERVER is a URI or an IP $reg = "/ldap:\\/\\/(.+):(.+)/"; if (preg_match($reg, KOLAB_SERVER, $tab)) { $addrip = $tab[1]; $port = $tab[2]; } else { $addrip = KOLAB_SERVER; $port = 389; } $conn = ldap_connect($addrip, $port); if ($conn == 0) { $this->Log("ERR LDAP connexion to server : " . KOLAB_SERVER . " failed"); return 0; } if (!ldap_bind($conn, "", "")) { $this->Log("ERR LDAP Invalid credential"); return 0; } //recherche du DN a autentifier if (!($sr = ldap_search($conn, KOLAB_LDAP_BASE, "(uid=" . $this->_username . ")"))) { $this->Log("ERR LDAP " . $this->_username . " not found"); return 0; } $entries = ldap_get_entries($conn, $sr); if ($entries['count'] == 1) { $this->_email = $entries[0]["mail"][0]; $this->_cn = $entries[0]["cn"][0]; $this->_KolabHomeServer = $entries[0]["kolabhomeserver"][0]; $dn = $entries[0]["dn"]; //check ACL if KOLAN_LDAP_ACL if (defined("KOLAB_LDAP_ACL")) { $grp = KOLAB_LDAP_ACL; } else { $grp = ""; } if ($grp != "") { //check if the dn is in the group as member $r = ldap_compare($conn, $grp, "member", $dn); if (!$r) { $this->Log("ACL member not present in {$grp} Access Denied"); return 0; } if ($r == -1) { $this->Log("ACL group {$gr} not found (acces authorized)"); } } return 1; } }
function is_dn_member_of_group($userDn, $groupDn) { $ldap = $this->get_ldap_connection(); $link = $ldap->getLink(); $r = @ldap_compare($link, $groupDn, $this->uniqueMember_attribute, $userDn); if ($r === true) { return true; } else { if ($r === false) { return false; } else { common_log(LOG_ERR, "LDAP error determining if userDn={$userDn} is a member of groupDn={$groupDn} using uniqueMember_attribute={$this->uniqueMember_attribute} error: " . ldap_error($link)); return false; } } }
function cacti_ldap_auth($username,$password = "",$ldap_dn = "",$ldap_device = "",$ldap_port = "",$ldap_port_ssl = "",$ldap_version = "",$ldap_encryption = "",$ldap_referrals = "",$ldap_group_require = "",$ldap_group_dn = "",$ldap_group_attrib = "",$ldap_group_member_type = "") { require_once(CACTI_BASE_PATH . "/include/auth/auth_constants.php"); $output = array(); /* function check */ if (! function_exists("ldap_connect")) { $output["error_num"] = 99; $output["error_text"] = "PHP LDAP not enabled"; return $output; } /* validation */ if (empty($username)) { $output["error_num"] = "2"; $output["error_text"] = "No username defined"; return $output; } /* Fix encoding of username and password */ $username = utf8_encode($username); $password = utf8_encode($password); /* get LDAP parameters */ if (empty($ldap_dn)) { $ldap_dn = read_config_option("ldap_dn"); } $ldap_dn = str_replace("<username>",$username,$ldap_dn); if (empty($ldap_device)) { $ldap_device = read_config_option("ldap_server"); } if (empty($ldap_port)) { $ldap_port = read_config_option("ldap_port"); } if (empty($ldap_port_ssl)) { $ldap_port_ssl = read_config_option("ldap_port_ssl"); } if (empty($ldap_version)) { $ldap_version = read_config_option("ldap_version"); } if (empty($ldap_encryption)) { $ldap_encryption = read_config_option("ldap_encryption"); } if (empty($ldap_referrals)) { $ldap_referrals = read_config_option("ldap_referrals"); } if (empty($ldap_group_require)) { if (read_config_option("ldap_group_require") == CHECKED) { $ldap_group_require = 1; }else{ $ldap_group_require = 0; } } if (empty($ldap_group_dn)) { $ldap_group_dn = read_config_option("ldap_group_dn"); } if (empty($ldap_group_attrib)) { $ldap_group_attrib = read_config_option("ldap_group_attrib"); } if (empty($ldap_group_member_type)) { $ldap_group_member_type = read_config_option("ldap_group_member_type"); } /* Determine connection method and create LDAP Object */ if ($ldap_encryption == LDAP_ENCRYPT_SSL) { /* This only works with OpenLDAP, I'm pretty sure this will not work with Solaris, Tony */ $ldap_conn = @ldap_connect("ldaps://" . $ldap_device . ":" . $ldap_port_ssl); }else{ $ldap_conn = @ldap_connect($ldap_device,$ldap_port); } if ($ldap_conn) { /* Set protocol version */ cacti_log("LDAP: Setting protocol version to " . $ldap_version, false, "AUTH"); if (!@ldap_set_option($ldap_conn, LDAP_OPT_PROTOCOL_VERSION, $ldap_version)) { $output["error_num"] = "3"; $output["error_text"] = "Protocol Error, Unable to set version"; cacti_log("LDAP: " . $output["error_text"], false, "AUTH"); @ldap_close($ldap_conn); return $output; } /* set referrals */ if ($ldap_referrals == "0") { if (!@ldap_set_option($ldap_conn, LDAP_OPT_REFERRALS, 0)) { $output["error_num"] = "4"; $output["error_text"] = "Unable to set referrals option"; cacti_log("LDAP: " . $output["error_text"], false, "AUTH"); @ldap_close($ldap_conn); return $output; } } /* start TLS if requested */ if ($ldap_encryption == LDAP_ENCRYPT_TLS) { if (!@ldap_start_tls($ldap_conn)) { $output["error_num"] = "5"; $output["error_text"] = "Protocol error, unable to start TLS communications"; cacti_log("LDAP: " . $output["error_text"], false, "AUTH"); @ldap_close($ldap_conn); return $output; } } /* Bind to the LDAP directory */ $ldap_response = @ldap_bind($ldap_conn,$ldap_dn,$password); if ($ldap_response) { if ($ldap_group_require == 1) { /* Process group membership if required */ if ($ldap_group_member_type == 1) { $ldap_group_response = @ldap_compare($ldap_conn,$ldap_group_dn,$ldap_group_attrib,$ldap_dn); } else { $ldap_group_response = @ldap_compare($ldap_conn,$ldap_group_dn,$ldap_group_attrib,$username); } if ($ldap_group_response === true) { /* Auth ok */ $output["error_num"] = "0"; $output["error_text"] = "Authentication Success"; } else if ($ldap_group_response === false) { $output["error_num"] = "8"; $output["error_text"] = "Insuffient access"; cacti_log("LDAP: " . $output["error_text"], false, "AUTH"); @ldap_close($ldap_conn); return $output; } else { $output["error_num"] = "12"; $output["error_text"] = "Group DN could not be found to compare"; cacti_log("LDAP: " . $output["error_text"], false, "AUTH"); @ldap_close($ldap_conn); return $output; } }else{ /* Auth ok - No group membership required */ $output["error_num"] = "0"; $output["error_text"] = "Authentication Success"; } }else{ /* unable to bind */ $ldap_error = ldap_errno($ldap_conn); if ($ldap_error == 0x03) { /* protocol error */ $output["error_num"] = "7"; $output["error_text"] = "Protocol error"; }elseif ($ldap_error == 0x31) { /* invalid credentials */ $output["error_num"] = "1"; $output["error_text"] = "Authentication Failure"; }elseif ($ldap_error == 0x32) { /* insuffient access */ $output["error_num"] = "8"; $output["error_text"] = "Insuffient access"; }elseif ($ldap_error == 0x51) { /* unable to connect to server */ $output["error_num"] = "9"; $output["error_text"] = "Unable to connect to server"; }elseif ($ldap_error == 0x55) { /* timeout */ $output["error_num"] = "10"; $output["error_text"] = "Connection Timeout"; }else{ /* general bind error */ $output["error_num"] = "11"; $output["error_text"] = "General bind error, LDAP result: " . ldap_error($ldap_conn); } } }else{ /* Error intializing LDAP */ $output["error_num"] = "6"; $output["error_text"] = "Unable to create LDAP object"; } /* Close LDAP connection */ @ldap_close($ldap_conn); if ($output["error_num"] > 0) { cacti_log("LDAP: " . $output["error_text"], false, "AUTH"); } return $output; }