Skip to content
GitLab
Select Git revision
  • dev default
  • 6378-orcid-test-method-is-wrong-and-break-orcid-saving
  • core-php8
  • master
  • 6342-update-the-locales-for-1-5
  • 6344-template-issue-when-creating-a-template-with-empty-password-error-message-should-not-be-seen
  • 6365-core-locking-mechanism-is-not-changing-the-mail-ressource-it-does-lock-the-mail-account
  • 6365-core-when-lock-mechanism-is-trigger-the-user-should-not-be-editable-if-not-unlock
  • fusiondirectory-1.5
  • fusiondirectory-1.4
  • fusiondirectory-1.3.1
  • fusiondirectory-1.3
  • fusiondirectory-1.2.3
  • fusiondirectory-1.2.2
  • fusiondirectory-1.2.1
  • fusiondirectory-1.2
  • fusiondirectory-1.1.1
  • fusiondirectory-1.1
  • fusiondirectory-1.0.20
  • fusiondirectory-1.0.19
  • fusiondirectory-1.0.18
  • fusiondirectory-1.0.17
  • fusiondirectory-1.0.16
  • fusiondirectory-1.0.15
  • fusiondirectory-1.0.14
  • fusiondirectory-1.0.13
  • fusiondirectory-1.0.12
  • fusiondirectory-1.0.11
Find file BlameHistoryPermalink
class_ldap.inc 46.50 KiB
1 
<?php
2 
/*
3 
  This code is part of FusionDirectory (http://www.fusiondirectory.org/)
4 
  Copyright (C) 2003-2010  Cajus Pollmeier
5 
  Copyright (C) 2003 Alejandro Escanero Blanco <aescanero@chaosdimension.org>
6 
  Copyright (C) 1998  Eric Kilfoil <eric@ipass.net>
7 
  Copyright (C) 2011-2016  FusionDirectory
8
9 
  This program is free software; you can redistribute it and/or modify
10 
  it under the terms of the GNU General Public License as published by
11 
  the Free Software Foundation; either version 2 of the License, or
12 
  (at your option) any later version.
13
14 
  This program is distributed in the hope that it will be useful,
15 
  but WITHOUT ANY WARRANTY; without even the implied warranty of
16 
  MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the
17 
  GNU General Public License for more details.
18
19 
  You should have received a copy of the GNU General Public License
20 
  along with this program; if not, write to the Free Software
21 
  Foundation, Inc., 51 Franklin St, Fifth Floor, Boston, MA 02110-1301, USA.
22 
*/
23
24 
/*!
25 
 * \file class_ldap.inc
26 
 * Source code for Class LDAP
27 
 */
28
29 
/*!
30 
 * \brief This class contains all ldap function needed to make
31 
 * ldap operations easy
32 
 */
33
34 
class LDAP
35 
{
36 
  var $hascon         = FALSE;
37 
  var $reconnect      = FALSE;
38 
  var $tls            = FALSE;
39
40 
  /* connection identifier */
41 
  var $cid;
42
43 
  var $hasres         = [];
44 
  var $sr             = [];
45 
  var $re             = [];
46 
  var $basedn         = "";
47
48 
  /* 0 if we are fetching the first entry, otherwise 1 */
49 
  var $start          = [];
50
51 
  /* Any error messages to be returned can be put here */
52 
  var $error          = "";
53
54 
  var $srp            = 0;
55
56 
  /* Information read from slapd.oc.conf */
57 
  var $objectClasses    = [];
58 
  /* the dn for the bind */
59 
  var $binddn           = "";
60 
  /* the dn's password for the bind */
61 
  var $bindpw           = "";
62 
  var $hostname         = "";
63 
  var $follow_referral  = FALSE;
64 
  var $referrals        = [];
65
66 
  /* 0, empty or negative values will disable this check */
67 
  var $max_ldap_query_time  = 0;
68
69 
  /*!
70 
   * \brief Create a LDAP connection
7172737475767778798081828384858687888990919293949596979899100101102103104105106107108109110111112113114115116117118119120121122123124125126127128129130131132133134135136137138139140
* * \param string $binddn Bind of the DN * * \param string $bindpw Bind * * \param string $hostname The hostname * * \param boolean $follow_referral FALSE * * \param boolean $tls FALSE */ function __construct ($binddn, $bindpw, $hostname, $follow_referral = FALSE, $tls = FALSE) { global $config; $this->follow_referral = $follow_referral; $this->tls = $tls; $this->binddn = $binddn; $this->bindpw = $bindpw; $this->hostname = $hostname; /* Check if MAX_LDAP_QUERY_TIME is defined */ if (is_object($config) && ($config->get_cfg_value("ldapMaxQueryTime") != "")) { $str = $config->get_cfg_value("ldapMaxQueryTime"); $this->max_ldap_query_time = (float)($str); } $this->connect(); } /*! * \brief Initialize a LDAP connection * * Initializes a LDAP connection. * * \param string $server The server we are connecting to * * \param string $base The base of our ldap tree * * \param string $binddn Default: empty * * \param string $pass Default: empty * * \return LDAP object */ public static function init (string $server, string $base, string $binddn = '', string $pass = ''): LDAP { global $config; $ldap = new LDAP($binddn, $pass, $server, isset($config->current['LDAPFOLLOWREFERRALS']) && $config->current['LDAPFOLLOWREFERRALS'] == 'TRUE', isset($config->current['LDAPTLS']) && $config->current['LDAPTLS'] == 'TRUE'); /* Sadly we've no proper return values here. Use the error message instead. */ if (!$ldap->success()) { throw new FatalError(htmlescape(sprintf(_('FATAL: Error when connecting the LDAP. Server said "%s".'), $ldap->get_error()))); } /* Preset connection base to $base and return to caller */ $ldap->cd($base); return $ldap; } /*! * \brief Get the search ressource * * \return increase srp */ function getSearchResource () { $this->sr[$this->srp] = NULL;
141142143144145146147148149150151152153154155156157158159160161162163164165166167168169170171172173174175176177178179180181182183184185186187188189190191192193194195196197198199200201202203204205206207208209210
$this->start[$this->srp] = 0; $this->hasres[$this->srp] = FALSE; return $this->srp++; } /*! * \brief Function to fix problematic characters in DN's that are used for search requests. I.e. member=.... * * \param string $dn The DN */ static function prepare4filter ($dn) { trigger_error('deprecated, use ldap_escape_f instead'); return ldap_escape_f($dn); } /*! * \brief Error text that must be returned for invalid user or password * * This is useful to make sure the same error text is shown whether a user exists or not, when the password is not correct. */ static function invalidCredentialsError (): string { return _(ldap_err2str(49)); } /*! * \brief Create a connection to LDAP server * * The string $error containts result of the connection */ function connect () { $this->hascon = FALSE; $this->reconnect = FALSE; if ($this->cid = @ldap_connect($this->hostname)) { @ldap_set_option($this->cid, LDAP_OPT_PROTOCOL_VERSION, 3); if ($this->follow_referral) { @ldap_set_option($this->cid, LDAP_OPT_REFERRALS, 1); @ldap_set_rebind_proc($this->cid, [&$this, 'rebind']); } if ($this->tls) { @ldap_start_tls($this->cid); } $this->error = 'No Error'; if (function_exists('ldap_bind_ext')) { /* PHP>=7.3 */ $serverctrls = []; if (class_available('ppolicyAccount')) { $serverctrls = [['oid' => LDAP_CONTROL_PASSWORDPOLICYREQUEST]]; } $result = @ldap_bind_ext($this->cid, $this->binddn, $this->bindpw, $serverctrls); if (@ldap_parse_result($this->cid, $result, $errcode, $matcheddn, $errmsg, $referrals, $ctrls)) { if (isset($ctrls[LDAP_CONTROL_PASSWORDPOLICYRESPONSE]['value']['error'])) { $this->hascon = FALSE; switch ($ctrls[LDAP_CONTROL_PASSWORDPOLICYRESPONSE]['value']['error']) { case 0: /* passwordExpired - password has expired and must be reset */ $this->error = _('It seems your user password has expired. Please use <a href="recovery.php">password recovery</a> to change it.'); break; case 1: /* accountLocked */ $this->error = _('Account locked. Please contact your system administrator!'); break; case 2: /* changeAfterReset - password must be changed before the user will be allowed to perform any other operation */ $this->error = 'changeAfterReset'; break; case 3:
211212213214215216217218219220221222223224225226227228229230231232233234235236237238239240241242243244245246247248249250251252253254255256257258259260261262263264265266267268269270271272273274275276277278279280
/* passwordModNotAllowed */ case 4: /* mustSupplyOldPassword */ case 5: /* insufficientPasswordQuality */ case 6: /* passwordTooShort */ case 7: /* passwordTooYoung */ case 8: /* passwordInHistory */ default: $this->error = sprintf(_('Unexpected ppolicy error "%s", please contact the administrator'), $ctrls[LDAP_CONTROL_PASSWORDPOLICYRESPONSE]['value']['error']); break; } // Note: Also available: expire, grace } else { $this->hascon = ($errcode == 0); if ($errcode == 49) { $this->error = static::invalidCredentialsError(); } elseif (empty($errmsg)) { $this->error = ldap_err2str($errcode); } else { $this->error = $errmsg; } } } else { $this->error = 'Parsing of LDAP result from bind failed'; $this->hascon = FALSE; } } elseif (@ldap_bind($this->cid, $this->binddn, $this->bindpw)) { $this->error = 'Success'; $this->hascon = TRUE; } else { if ($this->reconnect) { if ($this->error != 'Success') { $this->error = static::invalidCredentialsError(); } } else { $this->error = static::invalidCredentialsError(); } } } else { $this->error = 'Could not connect to LDAP server'; } logging::debug(DEBUG_LDAP, __LINE__, __FUNCTION__, __FILE__, $this->error, 'connect'); } /*! * \brief Rebind */ function rebind ($ldap, $referral) { $credentials = $this->get_credentials($referral); if (@ldap_bind($ldap, $credentials['ADMINDN'], $credentials['ADMINPASSWORD'])) { $this->error = "Success"; $this->hascon = TRUE; $this->reconnect = TRUE; logging::debug(DEBUG_LDAP, __LINE__, __FUNCTION__, __FILE__, $this->error, 'rebind'); return 0; } else { $this->error = "Could not bind to " . $credentials['ADMINDN']; logging::debug(DEBUG_LDAP, __LINE__, __FUNCTION__, __FILE__, $this->error, 'rebind'); return NULL; } } /*! * \brief Reconnect to LDAP server
281282283284285286287288289290291292293294295296297298299300301302303304305306307308309310311312313314315316317318319320321322323324325326327328329330331332333334335336337338339340341342343344345346347348349350
*/ function reconnect () { if ($this->reconnect) { $this->unbind(); } } /*! * \brief Unbind to LDAP server */ function unbind () { @ldap_unbind($this->cid); $this->cid = NULL; logging::debug(DEBUG_LDAP, __LINE__, __FUNCTION__, __FILE__, '', 'unbind'); } /*! * \brief Disconnect to LDAP server */ function disconnect () { if ($this->hascon) { @ldap_close($this->cid); $this->hascon = FALSE; } logging::debug(DEBUG_LDAP, __LINE__, __FUNCTION__, __FILE__, '', 'disconnect'); } /*! * \brief Change directory * * \param string $dir The new directory */ function cd ($dir) { if ($dir == '..') { $this->basedn = $this->getParentDir(); } else { $this->basedn = $dir; } } /*! * \brief Accessor of the parent directory of the basedn * * \param string $basedn The basedn which we want the parent directory * * \return String, the parent directory */ function getParentDir ($basedn = '') { if ($basedn == '') { $basedn = $this->basedn; } return preg_replace("/[^,]*[,]*[ ]*(.*)/", "$1", $basedn); } /*! * \brief Search about filter * * \param integer $srp srp * * \param string $filter The filter * * \param array $attrs * * \param string $scope Scope of the search: subtree/base/one */
351352353354355356357358359360361362363364365366367368369370371372373374375376377378379380381382383384385386387388389390391392393394395396397398399400401402403404405406407408409410411412413414415416417418419420
function search ($srp, $filter, $attrs = [], $scope = 'subtree', array $controls = NULL) { if ($this->hascon) { if ($this->reconnect) { $this->connect(); } $startTime = microtime(TRUE); $this->clearResult($srp); switch (strtolower($scope)) { case 'base': if (isset($controls)) { $this->sr[$srp] = @ldap_read($this->cid, $this->basedn, $filter, $attrs, 0, 0, 0, LDAP_DEREF_NEVER, $controls); } else { $this->sr[$srp] = @ldap_read($this->cid, $this->basedn, $filter, $attrs); } break; case 'one': if (isset($controls)) { $this->sr[$srp] = @ldap_list($this->cid, $this->basedn, $filter, $attrs, 0, 0, 0, LDAP_DEREF_NEVER, $controls); } else { $this->sr[$srp] = @ldap_list($this->cid, $this->basedn, $filter, $attrs); } break; case 'subtree': default: if (isset($controls)) { $this->sr[$srp] = @ldap_search($this->cid, $this->basedn, $filter, $attrs, 0, 0, 0, LDAP_DEREF_NEVER, $controls); } else { $this->sr[$srp] = @ldap_search($this->cid, $this->basedn, $filter, $attrs); } break; } $this->error = @ldap_error($this->cid); $this->resetResult($srp); $this->hasres[$srp] = TRUE; /* Check if query took longer as specified in max_ldap_query_time */ $diff = microtime(TRUE) - $startTime; if ($this->max_ldap_query_time && ($diff > $this->max_ldap_query_time)) { $warning = new FusionDirectoryWarning(htmlescape(sprintf(_('LDAP performance is poor: last query took about %.2fs!'), $diff))); $warning->display(); } $this->log("LDAP operation: time=".$diff." operation=search('".$this->basedn."', '$filter')"); logging::debug(DEBUG_LDAP, __LINE__, __FUNCTION__, __FILE__, $this->error, 'search(base="'.$this->basedn.'",scope="'.$scope.'",filter="'.$filter.'")'); return $this->sr[$srp]; } else { $this->error = "Could not connect to LDAP server"; logging::debug(DEBUG_LDAP, __LINE__, __FUNCTION__, __FILE__, $this->error, 'search(base="'.$this->basedn.'",scope="'.$scope.'",filter="'.$filter.'")'); return ""; } } /*! * \brief Parse last result * * \param integer $srp srp * */ function parse_result ($srp): array { if ($this->hascon && $this->hasres[$srp]) { if (ldap_parse_result($this->cid, $this->sr[$srp], $errcode, $matcheddn, $errmsg, $referrals, $controls)) { return [$errcode, $matcheddn, $errmsg, $referrals, $controls]; } else { throw new FusionDirectoryException(_('Parsing LDAP result failed')); } } else { throw new FusionDirectoryException(_('No LDAP result to parse'));
421422423424425426427428429430431432433434435436437438439440441442443444445446447448449450451452453454455456457458459460461462463464465466467468469470471472473474475476477478479480481482483484485486487488489490
} } /* * \brief List * * \param integer $srp * * \param string $filter Initialized at "(objectclass=*)" * * \param string $basedn Empty string * * \param array $attrs */ function ls ($srp, $filter = "(objectclass=*)", $basedn = "", $attrs = ["*"]) { trigger_error('deprecated'); $this->cd($basedn); return $this->search($srp, $filter, $attrs, 'one'); } /* * \brief Concatenate * * \param integer $srp * * \param string $dn The DN * * \param array $attrs * * \param string $filter Initialized at "(objectclass=*)" */ function cat ($srp, $dn, $attrs = ["*"], $filter = "(objectclass=*)") { if ($this->hascon) { if ($this->reconnect) { $this->connect(); } $this->clearResult($srp); $this->sr[$srp] = @ldap_read($this->cid, $dn, $filter, $attrs); $this->error = @ldap_error($this->cid); $this->resetResult($srp); $this->hasres[$srp] = TRUE; logging::debug(DEBUG_LDAP, __LINE__, __FUNCTION__, __FILE__, $this->error, 'cat(dn="'.$dn.'",filter="'.$filter.'")'); return $this->sr[$srp]; } else { $this->error = "Could not connect to LDAP server"; logging::debug(DEBUG_LDAP, __LINE__, __FUNCTION__, __FILE__, $this->error, 'cat(dn="'.$dn.'",filter="'.$filter.'")'); return ""; } } /*! * \brief Search object from a filter * * \param string $dn The DN * * \param string $filter The filter of the research */ function object_match_filter ($dn, $filter) { if ($this->hascon) { if ($this->reconnect) { $this->connect(); } $res = @ldap_read($this->cid, $dn, $filter, ["objectClass"]); logging::debug(DEBUG_LDAP, __LINE__, __FUNCTION__, __FILE__, $this->error, 'object_match_filter(dn="'.$dn.'",filter="'.$filter.'")'); return @ldap_count_entries($this->cid, $res); } else {