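 /**
  * Authenticate $username against LDAP by binding with the located user's DN.
  *
  * @param string $username
  * @param string $password
  * @param string $filter   search filter handed to PopulateUser() to locate the entry
  * @return bool true only when the user entry was found and the bind with the
  *              given password succeeded
  */
 public function Authenticate($username, $password, $filter)
 {
     // Refuse empty passwords before bind(): many directory servers treat a
     // DN with an empty password as an unauthenticated (anonymous) bind and
     // report success, so without this check an empty password would log in
     // any existing user.
     if ($password === null || $password === '') {
         Log::Debug('Refusing empty password for user %s', $username);
         return false;
     }
     $this->PopulateUser($username, $filter);
     // PopulateUser() leaves $this->user unset when no entry matches
     // (assumed from the original null check).
     if (!$this->user) {
         return false;
     }
     Log::Debug('Trying to authenticate user %s against ldap with dn %s', $username, $this->user->GetDn());
     $result = $this->ldap->bind($this->user->GetDn(), $password);
     if ($result === true) {
         Log::Debug('Authentication was successful');
         return true;
     }
     if (Net_LDAP2::isError($result)) {
         // Pass the server's message as an argument rather than appending it
         // to the format string, so a '%' in the LDAP error text cannot
         // break the log formatting.
         Log::Error('Could not authenticate user against ldap %s: %s', $username, $result->getMessage());
     }
     return false;
 }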
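 /**
  * Check $password for $ldapUser by binding to the directory with the user's DN.
  *
  * @internal
  *
  * @param Capall_Ldaper_LdapUser $ldapUser user whose DN is bound
  * @param string $password
  *
  * @return bool true when the bind succeeds, false on a bind error or an empty password
  */
 public function authenticateUser($ldapUser, $password)
 {
     // Refuse empty passwords before bind(): many directory servers treat a
     // DN with an empty password as an unauthenticated bind and report
     // success, which would accept any known user without a credential.
     if ($password === null || $password === '') {
         return false;
     }
     $bindResult = $this->ldapConnection->bind($ldapUser->getDn(), $password);
     // Any PEAR error (invalid credentials, unreachable server, ...) is a failure.
     return !PEAR::isError($bindResult);
 }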
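 /**
  * Try to bind as each DN returned by getUserDNstring($uid) (pipe-separated)
  * with $password; the first successful bind wins.
  *
  * Failed binds are recorded through Auth::saveLoginAttempt() only after all
  * candidate DNs have been tried, so a later DN succeeding leaves no failure entries.
  *
  * @param string $uid
  * @param string $password
  * @return bool|mixed the successful bind result, or false when no DN accepted the password
  */
 private function validatePassword($uid, $password)
 {
     // Refuse empty passwords before bind(): many directory servers treat a
     // DN with an empty password as an unauthenticated bind and report
     // success, which would validate an empty password for every DN.
     if ($password === null || $password === '') {
         Auth::saveLoginAttempt($uid, 'failure', 'empty password refused');
         return false;
     }
     $errors = array();
     foreach (explode('|', $this->getUserDNstring($uid)) as $userDNstring) {
         // Connecting using the configuration
         $res = $this->conn->bind($userDNstring, $password);
         if (!Misc::isError($res)) {
             return $res;
         }
         // Keep the error and move on to the next candidate DN
         $errors[] = new AuthException($res->getMessage(), $res->getCode());
     }
     foreach ($errors as $e) {
         /** @var Exception $e */
         Auth::saveLoginAttempt($uid, 'failure', $e->getMessage());
     }
     return false;
 }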
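 /**
  * Return a bound Net_LDAP2 connection for $config, reusing one already
  * opened for an identical config in self::$ldap_connections.
  *
  * @param array|null $config connection/bind settings; null selects $this->ldap_config
  * @return Net_LDAP2 the bound connection
  * @throws LdapInvalidCredentialsException when a caller-supplied config is rejected
  *         with LDAP_INVALID_CREDENTIALS (0x31); the caller is expected to handle it
  * @throws Exception on any other connect/bind failure
  */
 function get_ldap_connection($config = null)
 {
     // Decide this before $config is replaced by the default, otherwise the
     // credentials check below can no longer tell the two cases apart.
     $caller_config = ($config != null); // loose on purpose: an empty array also selects the default
     if (!$caller_config) {
         $config = $this->ldap_config;
     }
     // Key over the whole config (host, dn, password, ...). crc32 keeps the
     // key short but is a 32-bit checksum, so distinct configs can collide.
     $config_id = crc32(serialize($config));
     if (array_key_exists($config_id, self::$ldap_connections)) {
         return self::$ldap_connections[$config_id];
     }
     //cannot use Net_LDAP2::connect() as StatusNet uses
     //PEAR::setErrorHandling(PEAR_ERROR_CALLBACK, 'handleError');
     //PEAR handling can be overridden on instance objects, so we do that.
     $ldap = new Net_LDAP2($config);
     $ldap->setErrorHandling(PEAR_ERROR_RETURN);
     $err = $ldap->bind();
     if (Net_LDAP2::isError($err)) {
         $message = 'Could not connect to LDAP server: ' . $err->getMessage();
         // if we were called with a config, assume caller will handle
         // incorrect username/password (LDAP_INVALID_CREDENTIALS)
         if ($caller_config && (int) $err->getCode() === 0x31) {
             throw new LdapInvalidCredentialsException($message);
         }
         throw new Exception($message);
     }
     $c = common_memcache();
     if (!empty($c)) {
         $cacheObj = new MemcacheSchemaCache(array('c' => $c, 'cacheKey' => common_cache_key('ldap_schema:' . $config_id)));
         $ldap->registerSchemaCache($cacheObj);
     }
     self::$ldap_connections[$config_id] = $ldap;
     return $ldap;
 }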
 /**
  * Build a Net_LDAP2 instance from $config and bind with the credentials it holds.
  *
  * Factory-style entry point for Net_LDAP2: verifies that the ldap extension
  * is loaded, constructs the object and performs the initial bind. Failures
  * are returned as Net_LDAP2_Error objects, never thrown.
  *
  * @param array $config Configuration array handed to the constructor
  *
  * @access public
  * @return Net_LDAP2_Error|Net_LDAP2   error object on failure, bound connection on success
  */
 public static function &connect($config = array())
 {
     $extensionCheck = self::checkLDAPExtension();
     if (self::isError($extensionCheck)) {
         return $extensionCheck;
     }
     // Constructor diagnostics (setConfig) are still suppressed here; the
     // result of bind() below is what reports a bad configuration.
     @($ldap = new Net_LDAP2($config));
     $bindResult = $ldap->bind();
     if (self::isError($bindResult)) {
         return $bindResult;
     }
     return $ldap;
 }
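 /**
  * Open and bind a Net_LDAP2 connection to the first reachable configured server.
  *
  * Servers are tried in the order returned by getServers(); each server's
  * settings are merged over $defaults ('+' keeps the server's value for a
  * repeated top-level key).
  *
  * @return Net_LDAP2|null bound connection, or null when no server accepted the bind
  */
 function getConnection()
 {
     require_once 'include/Net/LDAP2.php';
     // Set reasonable timeout limits
     $defaults = array('options' => array('LDAP_OPT_TIMELIMIT' => 5, 'LDAP_OPT_NETWORK_TIMEOUT' => 5));
     if ($this->getConfig()->get('tls')) {
         $defaults['starttls'] = true;
     }
     if ($this->getConfig()->get('schema') === 'msad') {
         // Special options for Active Directory (2000+) servers; '+' keeps
         // the timeout entries above if a key is repeated
         $defaults['options'] += array('LDAP_OPT_PROTOCOL_VERSION' => 3, 'LDAP_OPT_REFERRALS' => 0);
         // Active Directory servers almost always use self-signed certs.
         // NOTE(review): this disables TLS certificate verification for the
         // whole process (libldap reads the env var), so StartTLS no longer
         // protects against a spoofed server — confirm this is intended, or
         // point LDAPTLS_CACERT at the directory's CA instead.
         putenv('LDAPTLS_REQCERT=never');
     }
     foreach ($this->getServers() as $server) {
         $params = $defaults + $server;
         $connection = new Net_LDAP2($params);
         $bindResult = $connection->bind();
         if (!PEAR::isError($bindResult)) {
             return $connection;
         }
         // Record the failure server-side; dumping the PEAR_Error into the
         // response (as var_dump did) exposed server addresses and bind
         // details to the client.
         $host = isset($server['host']) ? $server['host'] : '(unknown host)';
         error_log(sprintf('LDAP bind to %s failed: %s', $host, $bindResult->getMessage()));
     }
     // No server accepted the bind.
     return null;
 }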
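 /**
  * Validate a submitted LDAP configuration before it is saved.
  *
  * Resolves the server list (autodiscovered from the domain, or parsed from
  * the 'servers' field), tries to bind to each server in turn and stops at the
  * first success, then encrypts the bind password for storage. Field-level
  * problems are attached to the 'servers' form field; a failure to reach any
  * server is also reported in $errors.
  *
  * @param array $config submitted configuration, modified in place: 'bind_pw'
  *                      is replaced by its encrypted form, or by the stored
  *                      value when it was left blank or validation failed
  * @param array $errors receives 'err' when no listed server could be bound
  * @return bool|null true when the configuration is acceptable; null (early
  *                   return) when the ldap extension is missing
  */
 function pre_save(&$config, &$errors)
 {
     require_once 'include/Net/LDAP2.php';
     global $ost;
     if ($ost && !extension_loaded('ldap')) {
         $ost->setWarning('LDAP extension is not available');
         return;
     }
     // Start from an empty list so a failed autodiscovery leaves nothing to
     // iterate instead of an undefined variable.
     $servers = array();
     if ($config['domain'] && !$config['servers']) {
         $servers = LDAPAuthentication::autodiscover($config['domain'], preg_split('/,?\\s+/', $config['dns']));
         if (!$servers) {
             $servers = array();
             $this->getForm()->getField('servers')->addError("Unable to find LDAP servers for this domain. Try giving\n                    an address of one of the DNS servers or manually specify\n                    the LDAP servers for this domain below.");
         }
     } elseif (!$config['servers']) {
         $this->getForm()->getField('servers')->addError("No servers specified. Either specify a Active Directory\n                    domain or a list of servers");
     } else {
         foreach (preg_split('/\\s+/', $config['servers']) as $host) {
             $servers[] = array('host' => $host);
         }
     }
     $connection_error = false;
     foreach ($servers as $info) {
         // Assume MSAD
         $info['options']['LDAP_OPT_REFERRALS'] = 0;
         if ($config['tls']) {
             $info['starttls'] = true;
             // Don't require a certificate here
             // NOTE(review): putenv() is process-wide, not limited to this
             // test bind; libldap will skip certificate verification for every
             // later LDAP connection made by this worker.
             putenv('LDAPTLS_REQCERT=never');
         }
         if ($config['bind_dn']) {
             $info['binddn'] = $config['bind_dn'];
             // A blank submitted password means "keep the stored one".
             $info['bindpw'] = $config['bind_pw'] ? $config['bind_pw'] : Crypto::decrypt($this->get('bind_pw'), SECRET_SALT, $this->getNamespace());
         }
         // Set reasonable timeouts so we dont exceed max_execution_time.
         // Merge instead of assigning: a plain assignment here discarded the
         // LDAP_OPT_REFERRALS setting made above.
         $info['options'] = array_merge($info['options'], array('LDAP_OPT_TIMELIMIT' => 5, 'LDAP_OPT_NETWORK_TIMEOUT' => 5));
         $c = new Net_LDAP2($info);
         $r = $c->bind();
         if (PEAR::isError($r)) {
             $connection_error = $r->getMessage() . ': Unable to bind to ' . $info['host'];
         } else {
             // First reachable server is good enough; earlier failures are not reported.
             $connection_error = false;
             break;
         }
     }
     if ($connection_error) {
         $this->getForm()->getField('servers')->addError($connection_error);
         $errors['err'] = 'Unable to connect any listed LDAP servers';
     }
     if (!$errors && $config['bind_pw']) {
         $config['bind_pw'] = Crypto::encrypt($config['bind_pw'], SECRET_SALT, $this->getNamespace());
     } else {
         $config['bind_pw'] = $this->get('bind_pw');
     }
     global $msg;
     if (!$errors) {
         $msg = 'LDAP configuration updated successfully';
     }
     return !$errors;
 }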
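 /**
  * Return a bound Net_LDAP2 connection.
  *
  * With no $config the connection built from ldap_get_config() is cached on
  * $this->default_ldap and reused. With a caller-supplied $config a fresh
  * connection is bound and not cached.
  *
  * @param array|null $config connection/bind settings; null selects the default config
  * @return Net_LDAP2|null the bound connection, or null when a caller-supplied
  *                        config is rejected with LDAP_INVALID_CREDENTIALS (0x31)
  * @throws Exception on any other bind failure
  */
 function ldap_get_connection($config = null)
 {
     $use_default = ($config == null); // loose on purpose: an empty array also means "default"
     if ($use_default && isset($this->default_ldap)) {
         return $this->default_ldap;
     }
     //cannot use Net_LDAP2::connect() as StatusNet uses
     //PEAR::setErrorHandling(PEAR_ERROR_CALLBACK, 'handleError');
     //PEAR handling can be overridden on instance objects, so we do that.
     $ldap = new Net_LDAP2(isset($config) ? $config : $this->ldap_get_config());
     $ldap->setErrorHandling(PEAR_ERROR_RETURN);
     $err = $ldap->bind();
     if (Net_LDAP2::isError($err)) {
         // if we were called with a config, assume caller will handle
         // incorrect username/password (LDAP_INVALID_CREDENTIALS)
         if ($config !== null && (int) $err->getCode() === 0x31) {
             return null;
         }
         throw new Exception('Could not connect to LDAP server: ' . $err->getMessage());
     }
     if ($use_default) {
         $this->default_ldap = $ldap;
     }
     return $ldap;
 }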