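*/
/**
 * User authentication against an LDAP server.
 *
 * Expected sequence: set the public properties, call connect(), then
 * authentication() with the end-user credentials. getdetails() and
 * listusers() search on the same connection, which is bound as the end
 * user once authentication() succeeded (or as $ldapauth before that).
 * For ldaps:// URIs the certificate checks come from the LDAP client
 * library configuration (TLS_REQCERT and friends); nothing here overrides
 * them, so review that configuration together with this class.
 */
class authldap extends auth
{
    /** LDAP server : can be ldaps://server.domain.tld if LDAPS */
    public $ldapserver = "localhost";
    /** LDAP TCP Port (389 by default) */
    public $ldapport = 389;
    /** LDAP timeout in seconds (5s by default) : applied to the TCP connection
     *  and to the searches */
    public $ldaptimeout = 5;
    /** LDAP authentication (DN) used to search the user ; "" = anonymous bind */
    public $ldapauth = "";
    /** LDAP authentication password */
    public $ldappwd = "";
    /** LDAP Search base */
    public $ldapbase = "";
    /** Filter used to search user. Every %s receives the identifier given to
     *  authentication(), escaped for the filter syntax (up to four %s) */
    public $ldapfilter = "(mail=%s)";
    /** Field used to identify a user */
    public $ldapfield = "mail";
    /** Filter used to find the available datas of an authenticated user */
    public $ldapfiltersearch = "(objectClass=inetOrgPerson)";
    /** The opened LDAP connection identifier (NULL until connect()) */
    private $ldapconn = NULL;
    /** The DN of the user when found (NULL until authentication() succeeds) */
    private $ldapdnuser = NULL;

    /** Check the availability of LDAP functions in PHP
     * @throws Exception (500) when ext-ldap is not loaded */
    public function __construct ()
    {
        if (!function_exists ("ldap_connect"))
            throw new Exception ("LDAP support unavailable in PHP", 500);
    }

    /** Establish a connection to a LDAP server and bind with $ldapauth /
     * $ldappwd. $ldapserver can be "ldaps://ldap.domain:636".
     * If $ldapauth is "", there is no authentication (anonymous mode).
     * @throws Exception (500) when the server can't be contacted or the
     *         pre-auth bind fails */
    public function connect ()
    {
        $this->ldapconn = ldap_connect ($this->ldapserver, $this->ldapport);
        if (!$this->ldapconn)
            throw new Exception ("Can't contact LDAP server", 500);
        ldap_set_option ($this->ldapconn, LDAP_OPT_PROTOCOL_VERSION, 3);
        // LDAP_OPT_TIMELIMIT only bounds the searches ; the connection itself
        // is bounded by LDAP_OPT_NETWORK_TIMEOUT, which is what the
        // "timeout" property is documented for. The constant depends on the
        // client library, hence the defined() guard.
        ldap_set_option ($this->ldapconn, LDAP_OPT_TIMELIMIT, $this->ldaptimeout);
        if (defined ("LDAP_OPT_NETWORK_TIMEOUT"))
            ldap_set_option ($this->ldapconn, LDAP_OPT_NETWORK_TIMEOUT,
                             $this->ldaptimeout);
        // A DN with an empty password is an "unauthenticated bind" (RFC 4513)
        // that some servers accept silently : refuse it so a missing ldappwd
        // is reported as a configuration error instead of looking like success
        if ((string) $this->ldapauth !== "" && (string) $this->ldappwd === "")
            throw new Exception ("Authentication error in pre-auth LDAP", 500);
        $ldapbind = ldap_bind ($this->ldapconn, (string) $this->ldapauth,
                               (string) $this->ldappwd);
        if ($ldapbind !== TRUE || ldap_errno ($this->ldapconn) !== 0)
            throw new Exception ("Authentication error in pre-auth LDAP", 500);
    }

    /** Try to authenticate the email/password of the user
     * @param string $email Email to authenticate
     * @param string $password Password to authenticate
     * @throws Exception (500) when no connection is established or the search
     *         fails, (401) when the user is unknown/ambiguous or the password
     *         is wrong. The two 401 messages differ : a caller that forwards
     *         them to the client reveals which identifiers exist. */
    public function authentication ($email, $password)
    {
        if ($this->ldapconn === NULL)
            throw new Exception ("No established LDAP connection", 500);
        $email = (string) $email;
        $password = (string) $password;
        // Escape the identifier before inserting it in the filter : without
        // it, a crafted identifier rewrites the search (LDAP injection)
        $escaped = ldap_escape ($email, "", LDAP_ESCAPE_FILTER);
        $filter = sprintf ($this->ldapfilter, $escaped, $escaped, $escaped, $escaped);
        $search = ldap_search ($this->ldapconn, $this->ldapbase, $filter,
                               [$this->ldapfield]);
        if ($search === FALSE)
            throw new Exception ("Unable to search in LDAP", 500);
        $info = ldap_get_entries ($this->ldapconn, $search);
        // Exactly one entry with a DN is required : zero means unknown user,
        // more than one means the identifier is ambiguous
        if (!isset ($info["count"]) || $info["count"] !== 1 ||
            !isset ($info[0]["dn"]))
            throw new Exception ("Unable to find the user : '$email'", 401);
        $dn = $info[0]["dn"];
        // An empty password would be an unauthenticated bind (RFC 4513) which
        // many servers answer with success : never send it to the server
        if ($password === "")
            throw new Exception ("Bad password for '$email'", 401);
        // ldap_bind emits a warning on bad credentials ; that is the expected
        // outcome here, so the warning is silenced and the return value used
        $ldapbind = @ldap_bind ($this->ldapconn, $dn, $password);
        if ($ldapbind !== TRUE)
            throw new Exception ("Bad password for '$email'", 401);
        $this->ldapdnuser = $dn;
    }

    /** Return the parameters recorded for the authenticated user
     * @return array lastname (sn), firstname (givenname), email (first mail
     *         value) ; empty array when the entry is not found, NULL for an
     *         attribute the entry does not carry
     * @throws Exception (401) when nobody is authenticated or the search fails */
    public function getdetails ()
    {
        if ($this->ldapdnuser === NULL)
            throw new Exception ("No user authenticated !", 401);
        // Only the three attributes used below are requested
        $search = ldap_search ($this->ldapconn, $this->ldapdnuser,
                               $this->ldapfiltersearch,
                               ["sn", "givenname", "mail"]);
        if ($search === FALSE)
            throw new Exception ("Can not found the details for user", 401);
        $datas = ldap_get_entries ($this->ldapconn, $search);
        $res = [];
        if (isset ($datas[0]))
            $res = $this->ldapentrytoarray ($datas[0]);
        return $res;
    }

    /** Method to change the password
     * @param string $oldpassword The old password (to check if the user have
     *        the rights to change the password)
     * @param string $newpassword The new password to be recorded
     * @throws Exception (405) always : passwords are managed in the directory */
    public function changepassword ($oldpassword, $newpassword)
    {
        throw new Exception (dgettext ("domframework",
                             "The password can't be change for LDAP users"), 405);
    }

    /** Method to overwrite the password (without oldpassword check)
     * Must be reserved to the administrators.
     * For the users, use changepassword method
     * @param string $email the user identifier to select
     * @param string $newpassword The new password to be recorded
     * @throws Exception (405) always : passwords are managed in the directory */
    public function overwritepassword ($email, $newpassword)
    {
        throw new Exception (dgettext ("domframework",
                             "The password can't be overwrite for LDAP users"), 405);
    }

    /** List all the users available in the directory
     * @return array Keyed by the ldap_get_entries() index, each value being
     *         lastname/firstname/email (email is the first mail value).
     *         Entries missing one of sn, givenname or mail are skipped.
     * @throws Exception (500) when no connection is established or the search
     *         fails */
    public function listusers ()
    {
        if ($this->ldapconn === NULL)
            throw new Exception ("No established LDAP connection", 500);
        $search = ldap_search ($this->ldapconn, $this->ldapbase,
                               $this->ldapfiltersearch,
                               ["mail", "sn", "givenname"]);
        if ($search === FALSE)
            throw new Exception ("Unable to search the users in LDAP", 500);
        $info = ldap_get_entries ($this->ldapconn, $search);
        $datas = [];
        if ($info === FALSE)
            return $datas;
        foreach ($info as $key => $vals)
        {
            if ($key === "count")
                continue;
            if (!isset ($vals["sn"][0]) || !isset ($vals["givenname"][0]) ||
                !isset ($vals["mail"][0]))
                continue;
            $datas[$key] = $this->ldapentrytoarray ($vals);
        }
        return $datas;
    }

    /** Map one ldap_get_entries() entry to the lastname/firstname/email array
     * shared by getdetails() and listusers()
     * @param array $entry One entry of ldap_get_entries() (lower-cased
     *        attribute names, values indexed from 0)
     * @return array NULL for an attribute the entry does not carry */
    private function ldapentrytoarray ($entry)
    {
        return [
            "lastname"  => isset ($entry["sn"][0]) ? $entry["sn"][0] : NULL,
            "firstname" => isset ($entry["givenname"][0]) ? $entry["givenname"][0] : NULL,
            "email"     => isset ($entry["mail"][0]) ? $entry["mail"][0] : NULL,
        ];
    }

    /** Close the LDAP connection when closing the object or PHP */
    public function __destruct ()
    {
        if (isset ($this->ldapconn))
        {
            ldap_close ($this->ldapconn);
            $this->ldapconn = NULL;
        }
    }
}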