163 lines
5.7 KiB
PHP
163 lines
5.7 KiB
PHP
<?php
|
|
/** DomFramework
|
|
* @package domframework
|
|
* @author Dominique Fournier <dominique@fournier38.fr>
|
|
* @license BSD
|
|
*/
|
|
|
|
namespace Domframework;
|
|
|
|
require_once ("domframework/auth.php");
|
|
|
|
/** User authentication against LDAP server */
|
|
class authldap extends auth
|
|
{
|
|
/** LDAP server : can be ldaps://server.domain.tld if LDAPS */
|
|
public $ldapserver="localhost";
|
|
/** LDAP TCP Port (389 by default) */
|
|
public $ldapport=389;
|
|
/** LDAP Connection timeout (5s by default) */
|
|
public $ldaptimeout=5;
|
|
/** LDAP authentication to search user */
|
|
public $ldapauth = "";
|
|
/** LDAP authentication password */
|
|
public $ldappwd = "";
|
|
/** LDAP Search base */
|
|
public $ldapbase = "";
|
|
/** Filter used to search user */
|
|
public $ldapfilter = "(mail=%s)";
|
|
/** Field used to identify a user */
|
|
public $ldapfield = "mail";
|
|
/** Filter used to find the available data of an authenticated user */
|
|
public $ldapfiltersearch = "(objectClass=inetOrgPerson)";
|
|
|
|
/** The opened LDAP connection identifier */
|
|
private $ldapconn = NULL;
|
|
/** The DN of the user when found */
|
|
private $ldapdnuser = NULL;
|
|
|
|
/** Check the availability of LDAP functions in PHP */
|
|
function __construct ()
|
|
{
|
|
if (!function_exists ("ldap_connect"))
|
|
throw new \Exception ("LDAP support unavailable in PHP", 500);
|
|
}
|
|
|
|
/** Establish a connection to a LDAP server
|
|
$server can be "ldaps://ldap.domain:636"
|
|
If $user is "", there is no authentication (anonymous mode) */
|
|
public function connect ()
|
|
{
|
|
$this->ldapconn = ldap_connect ($this->ldapserver, $this->ldapport);
|
|
if (!$this->ldapconn)
|
|
throw new \Exception ("Can't contact LDAP server", 500);
|
|
|
|
ldap_set_option ($this->ldapconn, LDAP_OPT_PROTOCOL_VERSION, 3);
|
|
ldap_set_option($this->ldapconn, LDAP_OPT_TIMELIMIT, $this->ldaptimeout);
|
|
$ldapbind = @ldap_bind ($this->ldapconn, $this->ldapauth, $this->ldappwd);
|
|
if (ldap_errno ($this->ldapconn) !== 0)
|
|
throw new \Exception ("Authentication error in pre-auth LDAP", 500);
|
|
}
|
|
|
|
/** Try to authenticate the email/password of the user
|
|
@param string $email Email to authenticate
|
|
@param string $password Password to authenticate */
|
|
public function authentication ($email, $password)
|
|
{
|
|
$filter = sprintf ($this->ldapfilter, $email, $email, $email, $email);
|
|
$search = ldap_search ($this->ldapconn, $this->ldapbase, $filter,
|
|
array ($this->ldapfield));
|
|
if ($search === FALSE)
|
|
throw new \Exception ("Unable to search in LDAP", 500);
|
|
$info = ldap_get_entries ($this->ldapconn, $search);
|
|
if (!isset ($info["count"]) || $info["count"] !== 1 || !isset ($info[0]) ||
|
|
!isset ($info[0]["dn"]))
|
|
throw new \Exception ("Unable to find the user : '$email'", 401);
|
|
$dn = $info[0]["dn"];
|
|
$ldapbind2 = @ldap_bind ($this->ldapconn, $dn, $password);
|
|
if ($ldapbind2 !== TRUE)
|
|
throw new \Exception ("Bad password for '$email'", 401);
|
|
$this->ldapdnuser = $dn;
|
|
}
|
|
|
|
/** Return all the parameters recorded for the authenticate user */
|
|
public function getdetails ()
|
|
{
|
|
if ($this->ldapdnuser === NULL)
|
|
throw new \Exception ("No user authenticated !", 401);
|
|
$search = ldap_search ($this->ldapconn, $this->ldapdnuser,
|
|
$this->ldapfiltersearch);
|
|
if ($search === FALSE)
|
|
throw new \Exception ("Can not found the details for user", 401);
|
|
$data = ldap_get_entries ($this->ldapconn, $search);
|
|
$res = array ();
|
|
if (isset ($data[0]))
|
|
{
|
|
$res = array ("lastname"=>$data[0]["sn"][0],
|
|
"firstname"=>$data[0]["givenname"][0],
|
|
"email"=>$data[0]["mail"][0]);
|
|
}
|
|
|
|
return $res;
|
|
}
|
|
|
|
/** Method to change the password
|
|
@param string $oldpassword The old password (to check if the user have the
|
|
rights to change the password)
|
|
@param string $newpassword The new password to be recorded */
|
|
public function changepassword ($oldpassword, $newpassword)
|
|
{
|
|
throw new \Exception (dgettext ("domframework",
|
|
"The password can't be change for LDAP users"), 405);
|
|
}
|
|
|
|
/** Method to overwrite the password (without oldpassword check)
|
|
Must be reserved to the administrators. For the users, use changepassword
|
|
method
|
|
@param string $email the user identifier to select
|
|
@param string $newpassword The new password to be recorded */
|
|
public function overwritepassword ($email, $newpassword)
|
|
{
|
|
throw new exception (dgettext ("domframework",
|
|
"The password can't be overwrite for LDAP users"),
|
|
405);
|
|
}
|
|
|
|
/** List all the users available in the database
|
|
Return firstname, lastname, mail, with mail is an array */
|
|
public function listusers ()
|
|
{
|
|
if ($this->ldapconn === NULL)
|
|
throw new \Exception ("No established LDAP connection", 500);
|
|
$search = ldap_search ($this->ldapconn, $this->ldapbase,
|
|
$this->ldapfiltersearch,
|
|
array ("mail", "sn", "givenname"));
|
|
if ($search === FALSE)
|
|
throw new \Exception ("Unable to search the users in LDAP", 500);
|
|
$info = ldap_get_entries ($this->ldapconn, $search);
|
|
$data = array ();
|
|
foreach ($info as $key=>$vals)
|
|
{
|
|
if ($key === "count") continue;
|
|
if (isset ($vals["sn"][0]) && isset ($vals["givenname"][0]) &&
|
|
isset ($vals["mail"]))
|
|
{
|
|
$data[$key] = array ("lastname"=>$vals["sn"][0],
|
|
"firstname"=>$vals["givenname"][0],
|
|
"email"=>$vals["mail"][0]);
|
|
}
|
|
|
|
unset ($data[$key]["mail"]["count"]);
|
|
}
|
|
|
|
return $data;
|
|
}
|
|
|
|
/** Close the LDAP connection when closing the object or PHP */
|
|
function __destruct ()
|
|
{
|
|
if (isset ($this->ldapconn))
|
|
ldap_close ($this->ldapconn);
|
|
}
|
|
}
|