An error occurred while loading the file. Please try again.
-
Unverifiedc44ca130
<?php/* This code is part of FusionDirectory (http://www.fusiondirectory.org/) Copyright (C) 2003-2010 Cajus Pollmeier Copyright (C) 2003 Alejandro Escanero Blanco <aescanero@chaosdimension.org> Copyright (C) 1998 Eric Kilfoil <eric@ipass.net> Copyright (C) 2011-2016 FusionDirectory This program is free software; you can redistribute it and/or modify it under the terms of the GNU General Public License as published by the Free Software Foundation; either version 2 of the License, or (at your option) any later version. This program is distributed in the hope that it will be useful, but WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU General Public License for more details. You should have received a copy of the GNU General Public License along with this program; if not, write to the Free Software Foundation, Inc., 51 Franklin St, Fifth Floor, Boston, MA 02110-1301, USA.*//*! * \file class_ldap.inc * Source code for Class LDAP *//*! * \brief This class contains all ldap function needed to make * ldap operations easy */class LDAP{ var $hascon = FALSE; var $reconnect = FALSE; var $tls = FALSE; /* connection identifier */ var $cid; var $hasres = []; var $sr = []; var $re = []; var $basedn = ""; /* 0 if we are fetching the first entry, otherwise 1 */ var $start = []; /* Any error messages to be returned can be put here */ var $error = ""; var $srp = 0; /* Information read from slapd.oc.conf */ var $objectClasses = []; /* the dn for the bind */ var $binddn = ""; /* the dn's password for the bind */ var $bindpw = ""; var $hostname = ""; var $follow_referral = FALSE; var $referrals = []; /* 0, empty or negative values will disable this check */ var $max_ldap_query_time = 0; /*! * \brief Create a LDAP connection7172737475767778798081828384858687888990919293949596979899100101102103104105106107108109110111112113114115116117118119120121122123124125126127128129130131132133134135136137138139140
*
* \param string $binddn Bind of the DN
*
* \param string $bindpw Bind
*
* \param string $hostname The hostname
*
* \param boolean $follow_referral FALSE
*
* \param boolean $tls FALSE
*/
function __construct ($binddn, $bindpw, $hostname, $follow_referral = FALSE, $tls = FALSE)
{
global $config;
$this->follow_referral = $follow_referral;
$this->tls = $tls;
$this->binddn = $binddn;
$this->bindpw = $bindpw;
$this->hostname = $hostname;
/* Check if MAX_LDAP_QUERY_TIME is defined */
if (is_object($config) && ($config->get_cfg_value("ldapMaxQueryTime") != "")) {
$str = $config->get_cfg_value("ldapMaxQueryTime");
$this->max_ldap_query_time = (float)($str);
}
$this->connect();
}
/*!
* \brief Get the search ressource
*
* \return increase srp
*/
function getSearchResource ()
{
$this->sr[$this->srp] = NULL;
$this->start[$this->srp] = 0;
$this->hasres[$this->srp] = FALSE;
return $this->srp++;
}
/*!
* \brief Function to fix problematic characters in DN's that are used for search requests. I.e. member=....
*
* \param string $dn The DN
*/
static function prepare4filter ($dn)
{
trigger_error('deprecated, use ldap_escape_f instead');
return ldap_escape_f($dn);
}
/*!
* \brief Error text that must be returned for invalid user or password
*
* This is useful to make sure the same error text is shown whether a user exists or not, when the password is not correct.
*/
static function invalidCredentialsError (): string
{
return _(ldap_err2str(49));
}
/*!
* \brief Create a connection to LDAP server
*
* The string $error containts result of the connection
*/
function connect ()
{
141142143144145146147148149150151152153154155156157158159160161162163164165166167168169170171172173174175176177178179180181182183184185186187188189190191192193194195196197198199200201202203204205206207208209210
$this->hascon = FALSE;
$this->reconnect = FALSE;
if ($this->cid = @ldap_connect($this->hostname)) {
@ldap_set_option($this->cid, LDAP_OPT_PROTOCOL_VERSION, 3);
if ($this->follow_referral) {
@ldap_set_option($this->cid, LDAP_OPT_REFERRALS, 1);
@ldap_set_rebind_proc($this->cid, [&$this, 'rebind']);
}
if ($this->tls) {
@ldap_start_tls($this->cid);
}
$this->error = 'No Error';
if (function_exists('ldap_bind_ext')) {
/* PHP>=7.3 */
$serverctrls = [];
if (class_available('ppolicyAccount')) {
$serverctrls = [['oid' => LDAP_CONTROL_PASSWORDPOLICYREQUEST]];
}
$result = @ldap_bind_ext($this->cid, $this->binddn, $this->bindpw, $serverctrls);
if (@ldap_parse_result($this->cid, $result, $errcode, $matcheddn, $errmsg, $referrals, $ctrls)) {
if (isset($ctrls[LDAP_CONTROL_PASSWORDPOLICYRESPONSE]['value']['error'])) {
$this->hascon = FALSE;
switch ($ctrls[LDAP_CONTROL_PASSWORDPOLICYRESPONSE]['value']['error']) {
case 0:
/* passwordExpired - password has expired and must be reset */
$this->error = _('It seems your user password has expired. Please use <a href="recovery.php">password recovery</a> to change it.');
break;
case 1:
/* accountLocked */
$this->error = _('Account locked. Please contact your system administrator!');
break;
case 2:
/* changeAfterReset - password must be changed before the user will be allowed to perform any other operation */
$this->error = 'changeAfterReset';
break;
case 3:
/* passwordModNotAllowed */
case 4:
/* mustSupplyOldPassword */
case 5:
/* insufficientPasswordQuality */
case 6:
/* passwordTooShort */
case 7:
/* passwordTooYoung */
case 8:
/* passwordInHistory */
default:
$this->error = sprintf(_('Unexpected ppolicy error "%s", please contact the administrator'), $ctrls[LDAP_CONTROL_PASSWORDPOLICYRESPONSE]['value']['error']);
break;
}
// Note: Also available: expire, grace
} else {
$this->hascon = ($errcode == 0);
if ($errcode == 49) {
$this->error = static::invalidCredentialsError();
} elseif (empty($errmsg)) {
$this->error = ldap_err2str($errcode);
} else {
$this->error = $errmsg;
}
}
} else {
$this->error = 'Parsing of LDAP result from bind failed';
$this->hascon = FALSE;
}
} elseif (@ldap_bind($this->cid, $this->binddn, $this->bindpw)) {
$this->error = 'Success';
$this->hascon = TRUE;
211212213214215216217218219220221222223224225226227228229230231232233234235236237238239240241242243244245246247248249250251252253254255256257258259260261262263264265266267268269270271272273274275276277278279280
} else {
if ($this->reconnect) {
if ($this->error != 'Success') {
$this->error = static::invalidCredentialsError();
}
} else {
$this->error = static::invalidCredentialsError();
}
}
} else {
$this->error = 'Could not connect to LDAP server';
}
logging::debug(DEBUG_LDAP, __LINE__, __FUNCTION__, __FILE__, $this->error, 'connect');
}
/*!
* \brief Rebind
*/
function rebind ($ldap, $referral)
{
$credentials = $this->get_credentials($referral);
if (@ldap_bind($ldap, $credentials['ADMINDN'], $credentials['ADMINPASSWORD'])) {
$this->error = "Success";
$this->hascon = TRUE;
$this->reconnect = TRUE;
logging::debug(DEBUG_LDAP, __LINE__, __FUNCTION__, __FILE__, $this->error, 'rebind');
return 0;
} else {
$this->error = "Could not bind to " . $credentials['ADMINDN'];
logging::debug(DEBUG_LDAP, __LINE__, __FUNCTION__, __FILE__, $this->error, 'rebind');
return NULL;
}
}
/*!
* \brief Reconnect to LDAP server
*/
function reconnect ()
{
if ($this->reconnect) {
$this->unbind();
}
}
/*!
* \brief Unbind to LDAP server
*/
function unbind ()
{
@ldap_unbind($this->cid);
$this->cid = NULL;
logging::debug(DEBUG_LDAP, __LINE__, __FUNCTION__, __FILE__, '', 'unbind');
}
/*!
* \brief Disconnect to LDAP server
*/
function disconnect ()
{
if ($this->hascon) {
@ldap_close($this->cid);
$this->hascon = FALSE;
}
logging::debug(DEBUG_LDAP, __LINE__, __FUNCTION__, __FILE__, '', 'disconnect');
}
/*!
* \brief Change directory
*
281282283284285286287288289290291292293294295296297298299300301302303304305306307308309310311312313314315316317318319320321322323324325326327328329330331332333334335336337338339340341342343344345346347348349350
* \param string $dir The new directory
*/
function cd ($dir)
{
if ($dir == '..') {
$this->basedn = $this->getParentDir();
} else {
$this->basedn = $dir;
}
}
/*!
* \brief Accessor of the parent directory of the basedn
*
* \param string $basedn The basedn which we want the parent directory
*
* \return String, the parent directory
*/
function getParentDir ($basedn = '')
{
if ($basedn == '') {
$basedn = $this->basedn;
}
return preg_replace("/[^,]*[,]*[ ]*(.*)/", "$1", $basedn);
}
/*!
* \brief Search about filter
*
* \param integer $srp srp
*
* \param string $filter The filter
*
* \param array $attrs
*
* \param string $scope Scope of the search: subtree/base/one
*/
function search ($srp, $filter, $attrs = [], $scope = 'subtree', array $controls = NULL)
{
if ($this->hascon) {
if ($this->reconnect) {
$this->connect();
}
$startTime = microtime(TRUE);
$this->clearResult($srp);
switch (strtolower($scope)) {
case 'base':
if (isset($controls)) {
$this->sr[$srp] = @ldap_read($this->cid, $this->basedn, $filter, $attrs, 0, 0, 0, LDAP_DEREF_NEVER, $controls);
} else {
$this->sr[$srp] = @ldap_read($this->cid, $this->basedn, $filter, $attrs);
}
break;
case 'one':
if (isset($controls)) {
$this->sr[$srp] = @ldap_list($this->cid, $this->basedn, $filter, $attrs, 0, 0, 0, LDAP_DEREF_NEVER, $controls);
} else {
$this->sr[$srp] = @ldap_list($this->cid, $this->basedn, $filter, $attrs);
}
break;
case 'subtree':
default:
if (isset($controls)) {
$this->sr[$srp] = @ldap_search($this->cid, $this->basedn, $filter, $attrs, 0, 0, 0, LDAP_DEREF_NEVER, $controls);
} else {
$this->sr[$srp] = @ldap_search($this->cid, $this->basedn, $filter, $attrs);
}
break;
}