| <?php
 | |
/**
 * $Id: ldap.php 381646 2011-05-06 09:37:31Z heiglandreas $
 *
 * authLdap - Authenticate Wordpress against an LDAP-Backend.
 * Copyright (c) 2008 Andreas Heigl<andreas@heigl.org>
 *
 * This program is free software; you can redistribute it and/or
 * modify it under the terms of the GNU General Public License
 * as published by the Free Software Foundation; either version 2
 * of the License, or (at your option) any later version.
 *
 * This program is distributed in the hope that it will be useful,
 * but WITHOUT ANY WARRANTY; without even the implied warranty of
 * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the
 * GNU General Public License for more details.
 *
 * You should have received a copy of the GNU General Public License
 * along with this program; if not, write to the Free Software
 * Foundation, Inc., 51 Franklin Street, Fifth Floor, Boston, MA  02110-1301, USA.
 *
 * This file handles the basic LDAP-Tasks
 *
 * @author Andreas Heigl<andreas@heigl.org>
 * @package authLdap
 * @category authLdap
 * @since 2008
 */
| namespace Org_Heigl\AuthLdap;
 | |
| 
 | |
| use Exception;
 | |
| 
 | |
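class LDAP
{
    private $_server = '';

    private $_scheme = 'ldap';

    private $_port = 389;

    private $_baseDn = '';

    private $_debug = false;

    /**
     * The connection handle to the LDAP-server.
     *
     * ldap_connect() returns a resource on PHP < 8.1 and an
     * \LDAP\Connection object from PHP 8.1 on; null while not connected.
     *
     * @var resource|object|null
     */
    private $_ch = null;

    private $_username = '';

    private $_password = '';

    private $_starttls = false;

    /**
     * Entries returned by the last search(), as given by ldap_get_entries().
     *
     * Declared explicitly so that search() does not create a dynamic
     * property (deprecated since PHP 8.2).
     *
     * @var array
     */
    private $_info = array();

    /**
     * Parse an LDAP-URI of the form
     * scheme://[user[:pass]@]host[:port]/search-base and store its parts.
     *
     * @param string $URI      LDAP-URI; user, pass and path may be percent-encoded
     * @param bool   $debug    Whether logError() shall throw
     * @param bool   $starttls Whether connect() shall upgrade to TLS via StartTLS
     * @throws Exception When the URI can not be parsed or lacks scheme,
     *                   host or search-base
     */
    public function __construct($URI, $debug = false, $starttls = false)
    {
        $this->_debug = $debug;
        $this->_starttls = $starttls;

        $parts = parse_url($URI);
        if (! is_array($parts)) {
            throw new Exception($URI . ' seems not to be a valid URI');
        }
        // Every component may be percent-encoded (a bind-DN as user name,
        // a password containing '@', ...), so decode all of them.
        $url = array_map(function ($item) {
            return urldecode((string) $item);
        }, $parts);

        if (! isset($url['scheme'])) {
            throw new Exception($URI . ' does not provide a scheme');
        }
        if (0 !== strpos($url['scheme'], 'ldap')) {
            throw new Exception($URI . ' is an invalid LDAP-URI');
        }
        if (! isset($url['host'])) {
            throw new Exception($URI . ' does not provide a server');
        }
        if (! isset($url['path'])) {
            throw new Exception($URI . ' does not provide a search-base');
        }
        // parse_url() yields at least '/'; a lone slash carries no search-base.
        if (strlen($url['path']) <= 1) {
            throw new Exception($URI . ' does not provide a valid search-base');
        }
        $this->_server = $url['host'];
        $this->_scheme = $url['scheme'];
        $this->_baseDn = substr($url['path'], 1);
        if (isset($url['user'])) {
            $this->_username = $url['user'];
        }
        if ('' == trim($this->_username)) {
            $this->_username = 'anonymous';
        }
        if (isset($url['pass'])) {
            $this->_password = $url['pass'];
        }
        if (isset($url['port'])) {
            $this->_port = (int) $url['port'];
        }
    }

    /**
     * Whether a usable connection handle is present.
     *
     * is_resource() alone is not sufficient because ldap_connect() returns
     * an \LDAP\Connection object on PHP >= 8.1.
     *
     * @return bool
     */
    private function _hasConnection()
    {
        return is_resource($this->_ch) || is_object($this->_ch);
    }

    /**
     * Whether a real user AND a non-empty password are configured.
     *
     * An empty password would turn ldap_bind() into an unauthenticated
     * bind, which most servers accept, so it must not be used.
     *
     * @return bool
     */
    private function _hasBindCredentials()
    {
        return '' !== (string) $this->_username
            && 'anonymous' !== $this->_username
            && '' !== (string) $this->_password;
    }

    /**
     * Connect to the given LDAP-Server
     *
     * Any existing connection is dropped first. When StartTLS was
     * requested, the upgrade must succeed before this method returns; a
     * failed upgrade closes the connection instead of silently continuing
     * in plaintext.
     *
     * @return LDAP
     * @throws AuthLDAP_Exception When the connection or the TLS upgrade fails
     */
    public function connect()
    {
        $this->disconnect();
        // ldaps uses 636 by default; only override the plain-LDAP default.
        if ('ldaps' === $this->_scheme && 389 === (int) $this->_port) {
            $this->_port = 636;
        }

        $this->_ch = @ldap_connect($this->_scheme . '://' . $this->_server . ':' . $this->_port);
        if (! $this->_hasConnection()) {
            throw new AuthLDAP_Exception('Could not connect to the server');
        }
        ldap_set_option($this->_ch, LDAP_OPT_PROTOCOL_VERSION, 3);
        ldap_set_option($this->_ch, LDAP_OPT_REFERRALS, 0);
        // If configured, upgrade to TLS before anything (in particular the
        // bind credentials) is sent over the wire.
        if ($this->_starttls && ! @ldap_start_tls($this->_ch)) {
            $error = ldap_error($this->_ch);
            $this->disconnect();
            throw new AuthLDAP_Exception('Could not start TLS: ' . $error);
        }
        return $this;
    }

    /**
     * Disconnect from a resource if one is available
     *
     * @return LDAP
     */
    public function disconnect()
    {
        if ($this->_hasConnection()) {
            @ldap_unbind($this->_ch);
        }
        $this->_ch = null;
        return $this;
    }

    /**
     * Bind to an LDAP-Server with the given credentials
     *
     * Connects first when no connection is open. Binds with the configured
     * user name and password when both are set, anonymously otherwise.
     *
     * @return LDAP
     * @throws AuthLDAP_Exception When no connection is available or the bind fails
     */
    public function bind()
    {
        if (! $this->_hasConnection()) {
            $this->connect();
        }
        if (! $this->_hasConnection()) {
            throw new AuthLDAP_Exception('No Resource-handle given');
        }
        if ($this->_hasBindCredentials()) {
            $bind = @ldap_bind($this->_ch, $this->_username, $this->_password);
        } else {
            $bind = @ldap_bind($this->_ch);
        }
        if (! $bind) {
            throw new AuthLDAP_Exception('bind was not successfull: ' . ldap_error($this->_ch));
        }
        return $this;
    }

    /**
     * Return the error number of the last LDAP operation.
     *
     * @return int 0 when no connection is open
     */
    public function getErrorNumber()
    {
        if (! $this->_hasConnection()) {
            return 0;
        }
        return (int) @ldap_errno($this->_ch);
    }

    /**
     * Return the error text of the last LDAP operation.
     *
     * @return string Empty when no connection is open
     */
    public function getErrorText()
    {
        if (! $this->_hasConnection()) {
            return '';
        }
        return (string) @ldap_error($this->_ch);
    }

    /**
     * This method does the actual ldap-search.
     *
     * This is using the filter <var>$filter</var> for retrieving the attributes
     * <var>$attributes</var>. The filter is passed to the server verbatim:
     * any value embedded in it that stems from untrusted input must be
     * escaped by the caller with ldap_escape($value, '', LDAP_ESCAPE_FILTER).
     *
     * @param string $filter     LDAP search filter
     * @param array  $attributes Attributes to retrieve
     * @param string $base       OPTIONAL Search base; defaults to the base-DN of the URI
     * @return array Result of ldap_get_entries()
     * @throws AuthLDAP_Exception When no connection is open or the search fails
     */
    public function search($filter, $attributes = array('uid'), $base = '')
    {
        if (! $this->_hasConnection()) {
            throw new AuthLDAP_Exception('No resource handle avbailable');
        }
        if ('' === (string) $base) {
            $base = $this->_baseDn;
        }
        $result = ldap_search($this->_ch, $base, $filter, $attributes);
        if ($result === false) {
            throw new AuthLDAP_Exception('no result found');
        }
        $this->_info = @ldap_get_entries($this->_ch, $result);
        // The entries are copied into $_info, the server-side result set
        // is not needed any more.
        @ldap_free_result($result);
        if ($this->_info === false) {
            throw new AuthLDAP_Exception('invalid results found');
        }
        return $this->_info;
    }

    /**
     * This method sets debugging to ON
     *
     * @return LDAP
     */
    public function debugOn()
    {
        $this->_debug = true;
        return $this;
    }

    /**
     * This method sets debugging to OFF
     *
     * @return LDAP
     */
    public function debugOff()
    {
        $this->_debug = false;
        return $this;
    }

    /**
     * This method authenticates the user <var>$username</var> using the
     * password <var>$password</var>
     *
     * The user is looked up with the (escaped) user name inserted into
     * <var>$filter</var>; authentication succeeds when exactly one entry is
     * found and a bind as that entry's DN with <var>$password</var> works.
     *
     * @param string $username
     * @param string $password
     * @param string $filter OPTIONAL This parameter defines the Filter to be used
     * when searching for the username. This MUST contain the string '%s' which
     * will be replaced by the value given in <var>$username</var>
     * @return boolean true or false depending on successful authentication or not
     * @throws AuthLDAP_Exception When connecting, binding or searching fails
     */
    public function authenticate($username, $password, $filter = '(uid=%s)')
    {
        // Refuse empty credentials up front: an empty password would make
        // the final ldap_bind() an unauthenticated bind, which most servers
        // accept. Compared as strings so that a password of '0' is valid.
        if ('' === (string) $username || '' === (string) $password) {
            return false;
        }
        $this->connect();
        $this->bind();
        // The user name comes from the login form; escape it so that it can
        // not alter the structure of the search filter.
        $escaped = ldap_escape($username, '', LDAP_ESCAPE_FILTER);
        $res = $this->search(sprintf($filter, $escaped));
        // Exactly one entry must match, otherwise the DN is ambiguous.
        if (! is_array($res) || ! isset($res['count']) || 1 !== (int) $res['count']) {
            return false;
        }
        $dn = $res[0]['dn'];
        return (bool) @ldap_bind($this->_ch, $dn, $password);
    }

    /**
     * This method logs errors if debugging is set to ON
     *
     * The exception reports the line from which logError() was called.
     *
     * @return void
     * @throws AuthLDAP_Exception Always, when debugging is ON
     */
    public function logError()
    {
        if (! $this->_debug) {
            return;
        }
        $trace = debug_backtrace();
        throw new AuthLDAP_Exception(
            '[LDAP_ERROR]' . $this->getErrorNumber() . ':' . $this->getErrorText(),
            $trace[0]['line']
        );
    }
}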
 | |
| 
 | |
class AuthLDAP_Exception extends Exception
{
    /**
     * Create an LDAP-specific exception.
     *
     * @param string   $message Description of the failure
     * @param int|null $line    OPTIONAL Source line to report instead of
     *                          the line this exception was created on
     */
    public function __construct($message, $line = null)
    {
        parent::__construct($message);
        // Only override the reported line when a non-empty value was given.
        if (! $line) {
            return;
        }
        $this->line = $line;
    }
}