Dominique.Fournier/DomFramework
1
0
Fork 0
Code Issues Pull Requests Projects Releases Activity
Files
7e98df1b0c9b91ed00c0eb6c906d7bf961219c6b
DomFramework/authldap.php
Dominique Fournier 033b817627 Add license BSD on each file header 
git-svn-id: https://svn.fournier38.fr/svn/ProgSVN/trunk@6096 bf3deb0d-5f1a-0410-827f-c0cc1f45334c
2020-09-07 14:13:56 +00:00

161 lines
5.7 KiB
PHP
Raw Blame History

<?php
/** DomFramework
* @package domframework
* @author Dominique Fournier <dominique@fournier38.fr>
* @license BSD
*/
require_once ("domframework/auth.php");
/** User authentication against LDAP server */
class authldap extends auth
{
/** LDAP server : can be ldaps://server.domain.tld if LDAPS */
public $ldapserver="localhost";
/** LDAP TCP Port (389 by default) */
public $ldapport=389;
/** LDAP Connection timeout (5s by default) */
public $ldaptimeout=5;
/** LDAP authentication to search user */
public $ldapauth = "";
/** LDAP authentication password */
public $ldappwd = "";
/** LDAP Search base */
public $ldapbase = "";
/** Filter used to search user */
public $ldapfilter = "(mail=%s)";
/** Field used to identify a user */
public $ldapfield = "mail";
/** Filter used to find the available data of an authenticated user */
public $ldapfiltersearch = "(objectClass=inetOrgPerson)";
/** The opened LDAP connection identifier */
private $ldapconn = NULL;
/** The DN of the user when found */
private $ldapdnuser = NULL;
/** Check the availability of LDAP functions in PHP */
function __construct ()
{
if (!function_exists ("ldap_connect"))
throw new \Exception ("LDAP support unavailable in PHP", 500);
}
/** Establish a connection to a LDAP server
$server can be "ldaps://ldap.domain:636"
If $user is "", there is no authentication (anonymous mode) */
public function connect ()
{
$this->ldapconn = ldap_connect ($this->ldapserver, $this->ldapport);
if (!$this->ldapconn)
throw new \Exception ("Can't contact LDAP server", 500);
ldap_set_option ($this->ldapconn, LDAP_OPT_PROTOCOL_VERSION, 3);
ldap_set_option($this->ldapconn, LDAP_OPT_TIMELIMIT, $this->ldaptimeout);
$ldapbind = @ldap_bind ($this->ldapconn, $this->ldapauth, $this->ldappwd);
if (ldap_errno ($this->ldapconn) !== 0)
throw new \Exception ("Authentication error in pre-auth LDAP", 500);
}
/** Try to authenticate the email/password of the user
@param string $email Email to authenticate
@param string $password Password to authenticate */
public function authentication ($email, $password)
{
$filter = sprintf ($this->ldapfilter, $email, $email, $email, $email);
$search = ldap_search ($this->ldapconn, $this->ldapbase, $filter,
array ($this->ldapfield));
if ($search === FALSE)
throw new \Exception ("Unable to search in LDAP", 500);
$info = ldap_get_entries ($this->ldapconn, $search);
if (!isset ($info["count"]) || $info["count"] !== 1 || !isset ($info[0]) ||
!isset ($info[0]["dn"]))
throw new \Exception ("Unable to find the user : '$email'", 401);
$dn = $info[0]["dn"];
$ldapbind2 = @ldap_bind ($this->ldapconn, $dn, $password);
if ($ldapbind2 !== TRUE)
throw new \Exception ("Bad password for '$email'", 401);
$this->ldapdnuser = $dn;
}
/** Return all the parameters recorded for the authenticate user */
public function getdetails ()
{
if ($this->ldapdnuser === NULL)
throw new \Exception ("No user authenticated !", 401);
$search = ldap_search ($this->ldapconn, $this->ldapdnuser,
$this->ldapfiltersearch);
if ($search === FALSE)
throw new \Exception ("Can not found the details for user", 401);
$data = ldap_get_entries ($this->ldapconn, $search);
$res = array ();
if (isset ($data[0]))
{
$res = array ("lastname"=>$data[0]["sn"][0],
"firstname"=>$data[0]["givenname"][0],
"email"=>$data[0]["mail"][0]);
}
return $res;
}
/** Method to change the password
@param string $oldpassword The old password (to check if the user have the
rights to change the password)
@param string $newpassword The new password to be recorded */
public function changepassword ($oldpassword, $newpassword)
{
throw new \Exception (dgettext ("domframework",
"The password can't be change for LDAP users"), 405);
}
/** Method to overwrite the password (without oldpassword check)
Must be reserved to the administrators. For the users, use changepassword
method
@param string $email the user identifier to select
@param string $newpassword The new password to be recorded */
public function overwritepassword ($email, $newpassword)
{
throw new exception (dgettext ("domframework",
"The password can't be overwrite for LDAP users"),
405);
}
/** List all the users available in the database
Return firstname, lastname, mail, with mail is an array */
public function listusers ()
{
if ($this->ldapconn === NULL)
throw new \Exception ("No established LDAP connection", 500);
$search = ldap_search ($this->ldapconn, $this->ldapbase,
$this->ldapfiltersearch,
array ("mail", "sn", "givenname"));
if ($search === FALSE)
throw new \Exception ("Unable to search the users in LDAP", 500);
$info = ldap_get_entries ($this->ldapconn, $search);
$data = array ();
foreach ($info as $key=>$vals)
{
if ($key === "count") continue;
if (isset ($vals["sn"][0]) && isset ($vals["givenname"][0]) &&
isset ($vals["mail"]))
{
$data[$key] = array ("lastname"=>$vals["sn"][0],
"firstname"=>$vals["givenname"][0],
"email"=>$vals["mail"][0]);
}
unset ($data[$key]["mail"]["count"]);
}
return $data;
}
/** Close the LDAP connection when closing the object or PHP */
function __destruct ()
{
if (isset ($this->ldapconn))
ldap_close ($this->ldapconn);
}
}
Reference in New Issue View Git Blame Copy Permalink