protected function loadPage()
{
if (!ldap_control_paged_result($this->connection, $this->pageSize, true, $this->pageToken)) {
throw new SearchException("Unable to set paged control pageSize: " . $this->pageSize);
}
$search = ldap_search($this->connection, $this->baseDn, $this->filter, is_array($this->attributes) ? $this->attributes : []);
if (!$search) {
// Something went wrong in search
throw Connection::createLdapSearchException(ldap_errno($this->connection), $this->baseDn, $this->filter, $this->pageSize);
}
$this->entries = ldap_get_entries($this->connection, $search);
$this->entriesPosition = 0;
if (!$this->entries) {
throw Connection::createLdapSearchException(ldap_errno($this->connection), $this->baseDn, $this->filter, $this->pageSize);
}
// check if on first page
if (empty($this->pageToken)) {
$this->currentPage = 0;
} else {
$this->currentPage++;
}
// Ok go to next page
ldap_control_paged_result_response($this->connection, $search, $this->pageToken);
if (empty($this->pageToken)) {
$this->isLastPage = true;
}
}
/**
* Tries to connect to an LDAP server.
*
* If a connection is currently open, it is closed.
*
* All PHP errors triggered by ldap_* calls are wrapped in exceptions and thrown.
*
* @param string $serverHostName The hostname of the LDAP server.
* @param int $port The server port to use.
* @param int $timeout The timeout in seconds of the network connection.
* @throws Exception If an error occurs during the `ldap_connect` call or if there is a connection
* issue during the subsequent anonymous bind.
*/
public function connect($serverHostName, $port = ServerInfo::DEFAULT_LDAP_PORT, $timeout = self::DEFAULT_TIMEOUT_SECS)
{
$this->closeIfCurrentlyOpen();
Log::debug("Calling ldap_connect('%s', %s)", $serverHostName, $port);
$this->connectionResource = ldap_connect($serverHostName, $port);
ldap_set_option($this->connectionResource, LDAP_OPT_PROTOCOL_VERSION, 3);
ldap_set_option($this->connectionResource, LDAP_OPT_REFERRALS, 0);
ldap_set_option($this->connectionResource, LDAP_OPT_NETWORK_TIMEOUT, $timeout);
Log::debug("ldap_connect result is %s", $this->connectionResource);
// ldap_connect will not always try to connect to the server, so execute a bind
// to test the connection
try {
ldap_bind($this->connectionResource);
Log::debug("anonymous ldap_bind call finished; connection ok");
} catch (Exception $ex) {
// if the error was due to a connection error, rethrow, otherwise ignore it
$errno = ldap_errno($this->connectionResource);
Log::debug("anonymous ldap_bind returned error '%s'", $errno);
if (!in_array($errno, self::$initialBindErrorCodesToIgnore)) {
throw $ex;
}
}
if (!$this->isOpen()) {
// sanity check
throw new Exception("sanity check failed: ldap_connect did not return a connection resource!");
}
}
/**
*
* Verifies a username handle and password.
*
* @return mixed An array of verified user information, or boolean false
* if verification failed.
*
*
*/
protected function _processLogin()
{
// connect
$conn = @ldap_connect($this->_config['uri']);
// did the connection work?
if (!$conn) {
throw $this->_exception('ERR_CONNECTION_FAILED', $this->_config);
}
// upgrade to LDAP3 when possible
@ldap_set_option($conn, LDAP_OPT_PROTOCOL_VERSION, 3);
// filter the handle to prevent LDAP injection
$regex = '/[^' . $this->_config['filter'] . ']/';
$this->_handle = preg_replace($regex, '', $this->_handle);
// bind to the server
$rdn = sprintf($this->_config['format'], $this->_handle);
$bind = @ldap_bind($conn, $rdn, $this->_passwd);
// did the bind succeed?
if ($bind) {
ldap_close($conn);
return array('handle' => $this->_handle);
} else {
$this->_err = @ldap_errno($conn) . " " . @ldap_error($conn);
ldap_close($conn);
return false;
}
}
public function __construct($message, $ldapLink, $dn = null)
{
if ($ldapLink instanceof server) {
$ldapLink = $ldapLink->getLink();
}
parent::__construct(sprintf('LDAP exception (%s): %s (%s)', $dn ? $dn : 'global', $message, @ldap_error($ldapLink), @ldap_errno($ldapLink)));
}
function install_etape_ldap4_dist()
{
$adresse_ldap = _request('adresse_ldap');
$login_ldap = _request('login_ldap');
$pass_ldap = _request('pass_ldap');
$port_ldap = _request('port_ldap');
$base_ldap = _request('base_ldap');
$base_ldap_text = _request('base_ldap_text');
if (!$base_ldap) {
$base_ldap = $base_ldap_text;
}
echo install_debut_html();
$ldap_link = ldap_connect($adresse_ldap, $port_ldap);
@ldap_bind($ldap_link, $login_ldap, $pass_ldap);
// Essayer de verifier le chemin fourni
$r = @ldap_compare($ldap_link, $base_ldap, "objectClass", "");
$fail = ldap_errno($ldap_link) == 32;
if ($fail) {
echo info_etape(_T('info_chemin_acces_annuaire')), info_progression_etape(3, 'etape_ldap', 'install/', true), "<div class='error'><p><b>" . _T('avis_operation_echec') . "</b></p><p>" . _T('avis_chemin_invalide_1'), " (<tt>" . htmlspecialchars($base_ldap) . "</tt>) " . _T('avis_chemin_invalide_2') . "</p></div>";
} else {
info_etape(_T('info_reglage_ldap'));
echo info_progression_etape(4, 'etape_ldap', 'install/');
$statuts = liste_statuts_ldap();
$statut_ldap = defined('_INSTALL_STATUT_LDAP') ? _INSTALL_STATUT_LDAP : $GLOBALS['liste_des_statuts']['info_redacteurs'];
$res = install_propager(array('adresse_ldap', 'port_ldap', 'login_ldap', 'pass_ldap', 'protocole_ldap', 'tls_ldap')) . "<input type='hidden' name='etape' value='ldap5' />" . "<input type='hidden' name='base_ldap' value='" . htmlentities($base_ldap) . "' />" . fieldset(_T('info_statut_utilisateurs_1'), array('statut_ldap' => array('label' => _T('info_statut_utilisateurs_2') . '<br />', 'valeur' => $statut_ldap, 'alternatives' => $statuts))) . install_ldap_correspondances() . bouton_suivant();
echo generer_form_ecrire('install', $res);
}
echo install_fin_html();
}
/**
* @return string[]
* @throws ValueRetrievalFailureException
*/
public function parse()
{
if (!ldap_parse_reference($this->link, $this->reference, $referrals)) {
throw new ValueRetrievalFailureException(ldap_error($this->link), ldap_errno($this->link));
}
return $referrals;
}
/**
* Returns the first entry in the result set.
*
* @throws \gossi\ldap\LdapException If the read fails.
* @return \gossi\ldap\LdapEntry The new LdapEntry.
*/
public function getFirstEntry()
{
$this->pointer = ldap_first_entry($this->conn, $this->result);
if (ldap_errno($this->conn)) {
throw new LdapException(ldap_error($this->conn), ldap_errno($this->conn));
}
return new LdapEntry($this->conn, $this->pointer);
}
function __construct($arg, $code = 0)
{
if (is_resource($arg)) {
$errno = ldap_errno($arg);
$msg = ldap_err2str($errno);
} else {
$errno = $code;
$msg = $arg;
}
error_log("LDAP Error {$errno}: {$msg}");
parent::__construct($msg, $errno);
}
public function __construct($message, $ldap = NULL)
{
if (is_resource($ldap)) {
$error = ldap_error($ldap);
if ($error) {
parent::__construct($message . '. ' . $error, ldap_errno($ldap));
} else {
parent::__construct($message);
}
} else {
parent::__construct($message);
}
}
/**
*
* Fetch roles for a user.
*
* @param string $handle Username to get roles for.
*
* @return array An array of roles discovered in LDAP.
*
*/
public function fetch($handle)
{
// connect
$conn = @ldap_connect($this->_config['url']);
// did the connection work?
if (!$conn) {
throw $this->_exception('ERR_CONNECTION_FAILED', array('url' => $this->_config['url']));
}
// upgrade to LDAP3 when possible
@ldap_set_option($conn, LDAP_OPT_PROTOCOL_VERSION, 3);
// bind to the server
if ($this->_config['binddn']) {
// authenticated bind
$bind = @ldap_bind($conn, $this->_config['binddn'], $this->_config['bindpw']);
} else {
// anonumous bind
$bind = @ldap_bind($conn);
}
// did we bind to the server?
if (!$bind) {
// not using $this->_exception() because we need fine control
// over the error text
throw Solar::exception(get_class($this), @ldap_errno($conn), @ldap_error($conn), array($this->_config));
}
// search for the groups
$filter = sprintf($this->_config['filter'], $handle);
$attrib = (array) $this->_config['attrib'];
$result = ldap_search($conn, $this->_config['basedn'], $filter, $attrib);
// get the first entry from the search result and free the result.
$entry = ldap_first_entry($conn, $result);
ldap_free_result($result);
// now get the data from the entry and close the connection.
$data = ldap_get_attributes($conn, $entry);
ldap_close($conn);
// go through the attribute data and add to the list. only
// retain numeric keys; the ldap entry will have some
// associative keys that are metadata and not useful to us here.
$list = array();
foreach ($attrib as $attr) {
if (isset($data[$attr]) && is_array($data[$attr])) {
foreach ($data[$attr] as $key => $val) {
if (is_int($key)) {
$list[] = $val;
}
}
}
}
// done!
return $list;
}
public function getfromDn($dn, $noassoc = false)
{
$dn = $this->adescape($dn);
$filter = "(&(objectCategory=group)(distinguishedname={$dn}))";
$result = ldap_search($this->con, $this->dn, $filter, $this->attributes);
if (ldap_errno($this->con)) {
throw new searchException('Unable to conduct search: ' . ldap_error($this->con));
}
if (ldap_count_entries($this->con, $result) == 0) {
$result = ldap_search($this->con2, $this->dn2, $filter, $this->attributes);
}
if (ldap_errno($this->con2)) {
throw new searchException('Unable to conduct search: ' . ldap_error($this->con2));
}
return $this->parseResult($result, $noassoc);
}
/**
*
* @throws BadSearchFilterException
* @throws NoSuchObjectException
* @throws InvalidCredentialException
* @throws AlreadyExistsException
* @throws LdapException
*/
public static function throwException(Connection $conn)
{
$error = ldap_error($conn->getResource());
$code = ldap_errno($conn->getResource());
switch ($code) {
case -7:
throw new BadSearchFilterException($error, $code);
case 32:
throw new NoSuchObjectException($error, $code);
case 49:
throw new InvalidCredentialException($error, $code);
case 68:
throw new AlreadyExistsException($error, $code);
}
throw new LdapException($error, $code);
}
/**
* Connects to an LDAP server specified by $uri, with admin $user and $password.
*
* Returns a resource which can be used in LDAP functions like add, delete, search.
*
* @param string $uri Uri for LDAP, such as 'ldap://example.com'
* @param string $format Format for an entry, like 'cn=%s,dc=example,dc=com'. %s is a literal placeholder for username
* @param string $user Admin username
* @param string $password Password for admin
* @return resource
*/
public static function connect($uri, $format, $user, $password)
{
if (!extension_loaded('ldap')) {
die('LDAP extension is not loaded.');
}
$connection = ldap_connect($uri);
if (!$connection) {
throw new Exception("Could not connect to host '{$uri}'");
}
ldap_set_option($connection, LDAP_OPT_PROTOCOL_VERSION, 3);
@ldap_bind($connection, sprintf($format, $user), $password);
$err = ldap_errno($connection);
switch ($err) {
case 0x51:
// LDAP_SERVER_DOWN
// LDAP_SERVER_DOWN
case 0x52:
// LDAP_LOCAL_ERROR
// LDAP_LOCAL_ERROR
case 0x53:
// LDAP_ENCODING_ERROR
// LDAP_ENCODING_ERROR
case 0x54:
// LDAP_DECODING_ERROR
// LDAP_DECODING_ERROR
case 0x55:
// LDAP_TIMEOUT
// LDAP_TIMEOUT
case 0x56:
// LDAP_AUTH_UNKNOWN
// LDAP_AUTH_UNKNOWN
case 0x57:
// LDAP_FILTER_ERROR
// LDAP_FILTER_ERROR
case 0x58:
// LDAP_USER_CANCELLED
// LDAP_USER_CANCELLED
case 0x59:
// LDAP_PARAM_ERROR
// LDAP_PARAM_ERROR
case 0x5a:
// LDAP_NO_MEMORY
throw new Exception("Could not connect to host '{$uri}'. (0x" . dechex($err) . ")");
break;
}
return $connection;
}
function init()
{
try {
write_log('identiteam', 'Initialising');
# Load default config, and merge with users' settings
$this->load_config('config-default.inc.php');
$this->load_config('config.inc.php');
$this->app = rcmail::get_instance();
$this->config = $this->app->config->get('identiteam');
# Load LDAP & mail config at once
$this->ldap = $this->config['ldap'];
$this->mail = $this->config['mail'];
$this->server = $this->ldap['server'];
$this->referr = $this->ldap['referrals'];
$this->b_user = $this->ldap['bind_user'];
$this->b_pass = $this->ldap['bind_pass'];
$this->filter = $this->ldap['filter'];
$this->domain = $this->ldap['domain'];
# Get these fields
$this->fields = explode(',', $this->ldap['fields']);
array_push($this->fields, $this->ldap['extraEmailField']);
$this->conn = ldap_connect($this->server);
if (is_resource($this->conn)) {
ldap_set_option($this->conn, LDAP_OPT_PROTOCOL_VERSION, 3);
ldap_set_option($this->conn, LDAP_OPT_REFERRALS, $this->referr);
$bound = ldap_bind($this->conn, $this->b_user, $this->b_pass);
if ($bound) {
// Create signature
$this->add_hook('user2email', array($this, 'user2email'));
$this->initialised = true;
} else {
$log = sprintf("Bind to server '%s' failed. Con: (%s), Error: (%s)", $this->server, $this->conn, ldap_errno($this->conn));
write_log('identiteam', $log);
}
} else {
$log = sprintf("Connection to the server failed: (Error=%s)", ldap_errno($this->conn));
write_log('identiteam', $log);
}
} catch (Exception $exc) {
write_log('identiteam', 'Fail to initialise: ' . $exc->getMessage());
}
if ($this->initialised) {
write_log('identiteam', 'Initialised');
}
}
public function authenticate($ps_username, $ps_password = '', $pa_options = null)
{
$vo_bind = $this->bindToDirectory($ps_username, $ps_password);
if (!$vo_bind) {
if (ldap_get_option($this->getLinkIdentifier(), 0x32, $extended_error)) {
$vs_bind_rdn = $this->getProcessedConfigValue("ldap_bind_rdn_format", $ps_username, "", "");
caLogEvent("ERR", "LDAP ERROR (" . ldap_errno($this->getLinkIdentifier()) . ") {$extended_error} [{$vs_bind_rdn}]", "OpenLDAP::Authenticate");
}
return false;
}
// check group membership
if (!$this->hasRequiredGroupMembership($ps_username)) {
return false;
}
// user role and group membership syncing with directory
$this->syncWithDirectory($ps_username);
return true;
}
protected function retrieveResponse()
{
$response = $this->initResponse();
$response->setCode($this->errorNo);
$response->setResponseError($this->errorMsg);
if (!$this->filter) {
return $response;
}
$ds = $this->connectToServer();
if (!$ds) {
$response->setResponseError("Could not connect to LDAP server");
return $response;
}
if ($this->adminDN) {
if (!ldap_bind($ds, $this->adminDN, $this->adminPassword)) {
Kurogo::log(LOG_WARNING, "Error binding to LDAP Server {$this->host} for {$this->adminDN}: " . ldap_error($ds), 'data');
$response->setResponseError("Could not connect to LDAP server");
return $response;
}
}
// suppress warnings on non-dev servers
// about searches that go over the result limit
if (!$this->debugMode) {
$error_reporting = ini_get('error_reporting');
error_reporting($error_reporting & ~E_WARNING);
}
if ($this->filter instanceof LDAPFilter) {
$result = @ldap_search($ds, $this->searchBase, strval($this->filter), $this->getAttributes(), 0, 0, $this->searchTimelimit);
} else {
$result = @ldap_read($ds, $this->filter, "(objectclass=*)", $this->getAttributes(), 0, 0, $this->readTimelimit);
}
$error_code = ldap_errno($ds);
$response->setResponse($result);
$response->setCode($error_code);
$response->setContext('ldap', $ds);
if ($error_code) {
$response->setResponseError($this->generateErrorMessage($error_code));
}
if (!$this->debugMode) {
error_reporting($error_reporting);
}
return $response;
}
/**
* Authenticate user again LDAP directory (Bind)
* 2 options :
* Authenticate directly with uname in the DN
* Authenticate with manager, search the dn
*
* @param string $uname Username
* @param string $pwd Password
*
* @return bool
*/
public function authenticate($uname, $pwd = null)
{
$authenticated = false;
if (!extension_loaded('ldap')) {
$this->setErrors(0, _AUTH_LDAP_EXTENSION_NOT_LOAD);
return $authenticated;
}
$this->_ds = ldap_connect($this->ldap_server, $this->ldap_port);
if ($this->_ds) {
ldap_set_option($this->_ds, LDAP_OPT_PROTOCOL_VERSION, $this->ldap_version);
ldap_set_option($this->_ds, LDAP_OPT_REFERRALS, 0);
if ($this->ldap_use_TLS) {
// We use TLS secure connection
if (!ldap_start_tls($this->_ds)) {
$this->setErrors(0, _AUTH_LDAP_START_TLS_FAILED);
}
}
// If the uid is not in the DN we proceed to a search
// The uid is not always in the dn
$userUPN = $this->getUPN($uname);
if (!$userUPN) {
return false;
}
// We bind as user to test the credentials
$authenticated = ldap_bind($this->_ds, $userUPN, $this->cp1252_to_utf8(stripslashes($pwd)));
if ($authenticated) {
// We load the User database
$dn = $this->getUserDN($uname);
if ($dn) {
return $this->loadicms_member_user_Object($dn, $uname, $pwd);
} else {
return false;
}
} else {
$this->setErrors(ldap_errno($this->_ds), ldap_err2str(ldap_errno($this->_ds)) . '(' . $userUPN . ')');
}
} else {
$this->setErrors(0, _AUTH_LDAP_SERVER_NOT_FOUND);
}
@ldap_close($this->_ds);
return $authenticated;
}
function authenticate($params)
{
assert('isset($params["user"]) && isset($params["password"])');
$con = false;
if (($domain = getConfiguration('auth.ldap.domain')) !== false) {
$port = (int) getConfiguration('auth.ldap.port', self::LDAP_DEFAULT_PORT);
$con = ldap_connect($domain, $port);
}
if ($con === false) {
throw new Exception(__METHOD__ . ": Failed to connect to {$domain} in port {$port}");
}
$authUser = $user = $this->ldap_escape($params['user']);
$pass = $this->ldap_escape($params['password']);
$ldapDomainName = getConfiguration('auth.ldap.domain.name');
if ($ldapDomainName) {
$authUser = $ldapDomainName . '\\' . $authUser;
}
debug(__METHOD__ . ": Trying to authenticate {$authUser} against {$domain}");
if (ldap_bind($con, $authUser, $pass)) {
// We're assuming that the email used is as the user name
$email = $email = Utils::buildEmail($user);
// Close the connection - we don't need it any more
ldap_unbind($con);
// Fetch contact
$contact = DatabaseHelper::getInstance()->getContactByEmail($email);
if ($contact !== false) {
return array('Id' => $contact['Id'], 'Role' => $contact['Role']);
} else {
// Contact is not in the database - we better create it
// TODO: Put the option to read data
return array('Id' => DatabaseHelper::getInstance()->addContact('', '', $email, ROLE_IDENTIFIED), 'Role' => ROLE_IDENTIFIED);
}
} else {
$errCode = ldap_errno($con);
if ($errCode == self::LDAP_INAPPROPRIATE_AUTH || $errCode == self::LDAP_INVALID_CREDENTIALS) {
// Invalid credentials - simply fail
return false;
}
// Internal error
throw new Exception(__METHOD__ . " : LDAP error: " . ldap_err2str($errCode));
}
}
function moveuser()
{
$u = new user($_POST["userid"]);
$dn = $u->dn;
$gplist = $u->Groups_list();
if (preg_match("#^(.+?),#", $dn, $re)) {
$newRdn = $re[1];
} else {
$newRdn = "cn={$_POST["userid"]}";
}
$ldap = new clladp();
$newParent = "ou=users,ou={$_POST["nextou"]},dc=organizations,{$ldap->suffix}";
if (!ldap_rename($ldap->ldap_connection, $dn, $newRdn, $newParent, true)) {
echo 'Error number ' . ldap_errno($ldap->ldap_connection) . "\nAction:LDAP Ldap_rename\ndn:{$dn} -> {$newRdn},{$newParent}\n" . ldap_err2str(ldap_errno($ldap->ldap_connection));
return;
}
while (list($gid, $name) = each($gplist)) {
$gp = new groups($gid);
$gp->DeleteUserFromThisGroup($_POST["userid"]);
}
}
function delete_ldap($dn, $connect, $recursive = false)
{
if ($recursive == false) {
if (!@ldap_delete($connect, $dn)) {
echo "Deleting {$dn}...\n";
echo "ERROR: ldap_delete \"{$dn}\"" . ldap_err2str(ldap_errno($connect)) . "\n";
return false;
}
}
$sr = @ldap_list($connect, $dn, "ObjectClass=*");
if ($sr) {
$info = @ldap_get_entries($connect, $sr);
for ($i = 0; $i < $info['count']; $i++) {
$result = delete_ldap($info[$i]['dn'], $connect, $recursive);
if (!$result) {
return $result;
}
}
return delete_ldap($dn, $connect, false);
}
}
function login($dn, $password)
{
global $ldap_connection;
global $ldap_error;
$ldap_host = "ldap://192.168.30.190";
$ldap_port = "389";
$ldap_user = $dn;
$ldap_pwd = $password;
$ldap_connection = ldap_connect($ldap_host, $ldap_port) or die("Can't connect to LDAP server");
@ldap_set_option($ldap_connection, LDAP_OPT_PROTOCOL_VERSION, 3);
@ldap_bind($ldap_connection, $ldap_user, $ldap_pwd);
if (ldap_errno($ldap_connection) != 0) {
//echo "Can't log in! ".ldap_error($ldap_connection)."<br>";
//$_SERVER['PHP_AUTH_USER']= "";
//@ldap_unbind($ldap_conn);
$ldap_error = ldap_error($ldap_connection);
return 1;
} else {
return 0;
}
}
public function __construct(Ldap $link, $result = null)
{
$this->result = $result;
if (is_resource($result)) {
// Get the status code, matched DN and referrals from the response
ldap_parse_result($link->resource(), $result, $this->code, $this->matchedDN, $this->message, $this->referrals);
// Get the string representation of the status code
$this->message = ldap_err2str($this->code);
// Extract the data from the resource
$this->data = ldap_get_entries($link->resource(), $result);
$this->data = $this->cleanup_result($this->data);
// Remove the referrals array if there's nothing inside
count($this->referrals) == 0 && ($this->referrals = null);
// Try to extract pagination cookie and estimated number of objects to be returned
// Since there's no way to tell if pagination has been enabled or not, I am suppressing php errors
@ldap_control_paged_result_response($link->resource(), $result, $this->cookie, $this->estimated);
} else {
$this->code = ldap_errno($link->resource());
$this->message = ldap_error($link->resource());
}
// Active Directory conceals some additional error codes in the ErrorMessage of the response
// that we cannot get to with ldap_errno() in authentication failures - let's try to
// extract them!
if ($this->code == 49) {
$message = null;
ldap_get_option($link->resource(), Option::ErrorString, $message);
if (stripos($message, 'AcceptSecurityContext') !== false) {
$message = explode(', ', $message);
end($message);
$message = prev($message);
$this->code = explode(' ', $message)[1];
// For compatibility reasons with standard ldap, if the error code
// is 52e let's replace it with 49 ( their meanings are equal, it's just
// Microsoft doing it its own way again )
if ($this->code == '52e') {
$this->code = ResponseCode::InvalidCredentials;
}
}
}
}
/**
* Runs a standard search on LDAP
*
* @param string $queryString
* @param string $context
* @return beautified LDAP result set
* @throws Ncstate_Service_Exception on LDAP Error
*/
public function search($queryString, $context, $returnFields, $sortKey = null, $sortOrder = null)
{
// Make sure there are some return fields set
if (count($returnFields) == 0) {
$returnFields = array('*', '+');
}
// Do the search
$ldapResult = @ldap_search($this->getLink(), $context, $queryString, $returnFields, 0, $this->_maxResults);
if (!$ldapResult) {
throw new Ncstate_Service_Exception(ldap_error($this->_link), ldap_errno($this->_link));
}
// Return empty array if there are no etries
if (@ldap_count_entries($this->getLink(), $ldapResult) == 0) {
return array();
}
$result = @ldap_get_entries($this->getLink(), $ldapResult);
unset($result["count"]);
$ret = array();
foreach ($result as $r) {
$temp = array();
$keys = array_keys($r);
foreach ($keys as $k) {
if (!is_int($k) && $k != "dn" && $k != "count") {
if (is_array($r[$k])) {
$temp[$k] = $r[$k][0];
} else {
$temp[$k] = $r[$k];
}
}
}
$ret[] = $temp;
}
if (!is_null($sortKey)) {
usort($ret, create_function('$a, $b', "return strnatcasecmp(\$a['{$sortKey}'], \$b['{$sortKey}']);"));
if ($sortOrder == "desc") {
$ret = array_reverse($ret);
}
}
return $ret;
}
public static function authenticateLdapMember($strUsername, $strPassword)
{
$objLdapUser = LdapMemberModel::findLdapMember($strUsername);
if ($objLdapUser) {
if (!@ldap_bind(Ldap::getConnection(), $objLdapUser->dn, $strPassword)) {
$errno = ldap_errno(Ldap::getConnection());
switch ($errno) {
case static::LDAP_INVALID_CREDENTIALS:
return false;
}
return false;
}
// ldap account requires an valid email and uid
if ($objLdapUser->uid['count'] == 0 || $objLdapUser->mail['count'] == 0) {
\Message::addError($GLOBALS['TL_LANG']['MSC']['ldap']['emailUidMissing']);
return false;
}
return true;
} else {
return false;
}
}
function bindCheck($username, $password)
{
if (!function_exists("ldap_connect")) {
$this->errorString = "This PHP doesn't support LDAP, check the result of infophp() function.";
return false;
}
$this->errorString = "";
if (!$this->isActive) {
$this->errorString = "LDAP Setting isn't supplied.";
return false;
}
if (!$username || !$password) {
$this->errorString = "Account Info isn't supplied.";
return false;
}
$ds = ldap_connect($this->server, $this->port);
if (!$ds) {
$this->errorString = ldap_err2str(ldap_errno($ds));
return false;
}
ldap_set_option($ds, LDAP_OPT_PROTOCOL_VERSION, 3);
ldap_set_option($ds, LDAP_OPT_REFERRALS, 0);
$rdn = "{$this->accountKey}={$username},{$this->container},{$this->base}";
try {
$currentErrorReporting = error_reporting();
error_reporting(0);
$r = ldap_bind($ds, $rdn, $password);
error_reporting($currentErrorReporting);
} catch (Exception $e) {
$this->errorString = ldap_err2str(ldap_errno($ds)) . " by {$rdn}";
$r = false;
}
ldap_close($ds);
if (strlen($this->errorString)) {
$this->logger->setErrorMessage($this->errorString);
}
return $r;
}
/**
* Connects to a Ldap directory without binding
*
* @param string $hostname Hostname to connect to
* @param int $port Port to connect to (Default: 389)
* @param boolean $withSSL Whether to connect with SSL support (Default: false)
* @param boolean $withTLS Whether to connect with TLS support (Default: false)
*
* @return ConnectionInterface connection instance
*
* @throws ConnectionException if connection fails
*/
public function connect($hostname, $port = 389, $withSSL = false, $withTLS = false)
{
if ($withSSL && $withTLS) {
throw new ConnectionException('Cannot support both TLS & SSL for a given Ldap Connection');
}
if (!extension_loaded('ldap') && !@dl('ldap.' . PHP_SHLIB_SUFFIX)) {
throw new ConnectionException('You do not have the required ldap-extension installed');
}
if ($withSSL) {
$hostname = 'ldaps://' . $hostname;
}
$connection = @ldap_connect($hostname, $port);
if (false === $connection) {
throw new ConnectionException('Could not successfully connect to the LDAP server');
}
if ($withTLS) {
if (!@ldap_start_tls($connection)) {
$code = @ldap_errno($connection);
throw new ConnectionException(sprintf('Could not start TLS: Ldap Error Code=%s - %s', $code, ldap_err2str($code)));
}
}
return new Connection($connection);
}
/**
* Gets next entry
*
* @return peer.ldap.LDAPEntry or NULL if nothing was found
* @throws peer.ldap.LDAPException in case of a read error
*/
public function next()
{
// If we have reached the number of results reported by ldap_count_entries()
// - see constructor, return FALSE without trying to read further. Trying
// to read "past the end" results in LDAP error #84 (decoding error) in some
// client/server constellations, which is then incorrectly reported as an error.
if ($this->iteration[1] >= $this->size) {
return null;
}
// Fetch the next entry. Return FALSE if it was the last one (where really,
// we shouldn't be getting here)
$entry = ldap_next_entry($this->conn, $this->iteration[0]);
if (!$entry) {
if ($e = ldap_errno($this->conn)) {
throw new LDAPException('Could not fetch next result entry.', $e);
}
return null;
// EOF
}
// Keep track how many etnries we have fetched so we stop once we
// have reached this number - see above for explanation.
$this->iteration = [$entry, ++$this->iteration[1]];
return LDAPEntry::create(ldap_get_dn($this->conn, $entry), ldap_get_attributes($this->conn, $entry));
}
/**
* Sets a script running on the backend.
*
* @param array $script The filter script information. Passed elements:
* - 'name': (string) the script name.
* - 'recipes': (array) the filter recipe objects.
* - 'script': (string) the filter script.
*
* @throws Ingo_Exception
*/
public function setScriptActive($script)
{
$ldapcn = $this->_connect();
$values = $this->_getScripts($ldapcn, $userDN);
$found = false;
foreach ($values as $i => $value) {
if (strpos($value, "# Sieve Filter\n") !== false) {
if (empty($script['script'])) {
unset($values[$i]);
} else {
$values[$i] = $script['script'];
}
$found = true;
break;
}
}
if (!$found && !empty($script['script'])) {
$values[] = $script['script'];
}
$replace = array(Horde_String::lower($this->_params['script_attribute']) => $values);
$r = empty($values) ? @ldap_mod_del($ldapcn, $userDN, $replace) : @ldap_mod_replace($ldapcn, $userDN, $replace);
if (!$r) {
throw new Ingo_Exception(sprintf(_("Activating the script for \"%s\" failed: (%d) %s"), $userDN, ldap_errno($ldapcn), ldap_error($ldapcn)));
}
@ldap_close($ldapcn);
}
/**
* @param mixed $mReturn
* @return mixed
*/
private function validateLdapErrorOnFalse($mReturn)
{
if (false === $mReturn) {
if ($this->rLink) {
CApi::Log('LDAP: error #' . @ldap_errno($this->rLink) . ': ' . @ldap_error($this->rLink), ELogLevel::Error);
} else {
CApi::Log('LDAP: unknown ldap error', ELogLevel::Error);
}
}
return $mReturn;
}
/**
* Bind to LDAP with a specific DN and password. Simple wrapper around
* ldap_bind() with some additional logging.
*
* @param string $dn
* The DN used.
* @param string $password
* The password used.
* @param array $sasl_args
* Array of SASL options for SASL bind
* @return bool
* Returns TRUE if successful, FALSE if
* LDAP_INVALID_CREDENTIALS, LDAP_X_PROXY_AUTHZ_FAILURE,
* LDAP_INAPPROPRIATE_AUTH, LDAP_INSUFFICIENT_ACCESS
* @throws SimpleSAML_Error_Exception on other errors
*/
public function bind($dn, $password, array $sasl_args = NULL)
{
$authz_id = null;
if ($sasl_args != NULL) {
if (!function_exists('ldap_sasl_bind')) {
$ex_msg = 'Library - missing SASL support';
throw $this->makeException($ex_msg);
}
// SASL Bind, with error handling.
$authz_id = $sasl_args['authz_id'];
$error = @ldap_sasl_bind($this->ldap, $dn, $password, $sasl_args['mech'], $sasl_args['realm'], $sasl_args['authc_id'], $sasl_args['authz_id'], $sasl_args['props']);
} else {
// Simple Bind, with error handling.
$authz_id = $dn;
$error = @ldap_bind($this->ldap, $dn, $password);
}
if ($error === TRUE) {
// Good.
$this->authz_id = $authz_id;
SimpleSAML_Logger::debug('Library - LDAP bind(): Bind successful with DN \'' . $dn . '\'');
return TRUE;
}
/* Handle errors
* LDAP_INVALID_CREDENTIALS
* LDAP_INSUFFICIENT_ACCESS */
switch (ldap_errno($this->ldap)) {
case 32:
/* LDAP_NO_SUCH_OBJECT */
/* LDAP_NO_SUCH_OBJECT */
case 47:
/* LDAP_X_PROXY_AUTHZ_FAILURE */
/* LDAP_X_PROXY_AUTHZ_FAILURE */
case 48:
/* LDAP_INAPPROPRIATE_AUTH */
/* LDAP_INAPPROPRIATE_AUTH */
case 49:
/* LDAP_INVALID_CREDENTIALS */
/* LDAP_INVALID_CREDENTIALS */
case 50:
/* LDAP_INSUFFICIENT_ACCESS */
return FALSE;
break;
default:
break;
}
// Bad.
throw $this->makeException('Library - LDAP bind(): Bind failed with DN \'' . $dn . '\'');
}
