From 8c93b4c1c557d4986f4224d66421d1b58f8c437e Mon Sep 17 00:00:00 2001 From: michael Date: Thu, 16 Jan 2003 10:39:48 +0000 Subject: [PATCH] moved to lib/authentication --- lib/class.AuthLdap.php | 401 ----------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------- 1 file changed, 0 insertions(+), 401 deletions(-) delete mode 100644 lib/class.AuthLdap.php diff --git a/lib/class.AuthLdap.php b/lib/class.AuthLdap.php deleted file mode 100644 index 899da93..0000000 --- a/lib/class.AuthLdap.php +++ /dev/null @@ -1,401 +0,0 @@ -server as $key => $host) { - echo "key=$key; host=$host
"; - $this->connection = ldap_connect( $host); - if ( $this->connection) { - echo "connected
"; - // Connected, now try binding.... - if ( $this->result=@ldap_bind( $this->connection)) { - // Bound OK! - $this->bound = $host; - return true; - } - } else { echo "not connected
";} - } - - $this->ldapErrorCode = -1; - $this->ldapErrorText = "Unable to connect to any server"; - return false; - - } - - - - function close() { - /* 2.1.2 : Simply closes the connection set up earlier. - ** Returns true if OK, false if there was an error. - */ - - if ( !@ldap_close( $this->connection)) { - $this->ldapErrorCode = ldap_errno( $this->connection); - $this->ldapErrorText = ldap_error( $this->connection); - return false; - } else - return true; - } - - - - function bind() { - /* 2.1.3 : Anonymously binds to the connection. After this is done, - ** queries and searches can be done - but read-only. - */ - - if ( !$this->result=@ldap_bind( $this->connection)) { - $this->ldapErrorCode = ldap_errno( $this->connection); - $this->ldapErrorText = ldap_error( $this->connection); - return false; - } else - return true; - } - - - - function authBind( $bindDn,$pass) { - /* 2.1.4 : Binds as an authenticated user, which usually allows for write - ** access. The FULL dn must be passed. For a directory manager, this is - ** "cn=Directory Manager" under iPlanet. For a user, it will be something - ** like "uid=jbloggs,ou=People,dc=foo,dc=com". - */ - if ( !$this->result = @ldap_bind( $this->connection,$bindDn,$pass)) { - $this->ldapErrorCode = ldap_errno( $this->connection); - $this->ldapErrorText = ldap_error( $this->connection); - return false; - } else - return true; - } - - // 2.2 Password methods ------------------------------------------------------ - - function checkPass( $uname,$pass) { - /* 2.2.1 : Checks a username and password - does this by logging on to the - ** server as a user - specified in the DN. There are several reasons why - ** this login could fail - these are listed below. - */ - - /* Construct the full DN, eg:- - ** "uid=username, ou=People, dc=orgname,dc=com" - */ - $checkDn = "uid=" .$uname. ", ou=" .$this->people. ", " .$this->dn; - // Try and connect... - $this->result = @ldap_bind( $this->connection,$checkDn,$pass); - if ( $this->result) { - // Connected OK - login credentials are fine! - return true; - } else { - /* Login failed. Return false, together with the error code and text from - ** the LDAP server. The common error codes and reasons are listed below : - ** (for iPlanet, other servers may differ) - ** 19 - Account locked out (too many invalid login attempts) - ** 32 - User does not exist - ** 49 - Wrong password - ** 53 - Account inactive (manually locked out by administrator) - */ - $this->ldapErrorCode = ldap_errno( $this->connection); - $this->ldapErrorText = ldap_error( $this->connection); - return false; - } - } - - - - function changePass( $uname,$oldPass,$newPass) { - /* 2.2.2 : Allows a password to be changed. Note that on most LDAP servers, - ** a new ACL must be defined giving users the ability to modify their - ** password attribute (userPassword). Otherwise this will fail. - */ - - $checkDn = "uid=" .$uname. ", ou=" .$this->people. ", " .$this->dn; - $this->result = @ldap_bind( $this->connection,$checkDn,$oldPass); - - if ( $this->result) { - // Connected OK - Now modify the password... - $info["userPassword"] = $newPass; - $this->result = @ldap_modify( $this->connection, $checkDn, $info); - if ( $this->result) { - // Change went OK - return true; - } else { - // Couldn't change password... - $this->ldapErrorCode = ldap_errno( $this->connection); - $this->ldapErrorText = ldap_error( $this->connection); - return false; - } - } else { - // Login failed - see checkPass method for common error codes - $this->ldapErrorCode = ldap_errno( $this->connection); - $this->ldapErrorText = ldap_error( $this->connection); - return false; - } - } - - - - function checkPassAge ( $uname) { - /* 2.2.3 : Returns days until the password will expire. - ** We have to explicitly state this is what we want returned from the - ** LDAP server - by default, it will only send back the "basic" - ** attributes. - */ - $results[0] = "passwordexpirationtime"; - $this->result = @ldap_search( $this->connection,$this->dn,"uid=".$uname,$results); - - if ( !$info=@ldap_get_entries( $this->connection, $this->result)) { - $this->ldapErrorCode = ldap_errno( $this->connection); - $this->ldapErrorText = ldap_error( $this->connection); - return false; - } else { - /* Now work out how many days remaining.... - ** Yes, it's very verbose code but I left it like this so it can easily - ** be modified for your needs. - */ - $date = $info[0]["passwordexpirationtime"][0]; - $year = substr( $date,0,4); - $month = substr( $date,4,2); - $day = substr( $date,6,2); - $hour = substr( $date,8,2); - $min = substr( $date,10,2); - $sec = substr( $date,12,2); - - $timestamp = mktime( $hour,$min,$sec,$month,$day,$year); - $today = mktime(); - $diff = $timestamp-$today; - return round( ( ( ( $diff/60)/60)/24)); - } - } - - // 2.3 Group methods --------------------------------------------------------- - - function checkGroup ( $uname,$group) { - /* 2.3.1 : Checks to see if a user is in a given group. If so, it returns - ** true, and returns false if the user isn't in the group, or any other - ** error occurs (eg:- no such user, no group by that name etc.) - */ - - $checkDn = "ou=" .$this->groups. ", " .$this->dn; - - // We need to search for the group in order to get it's entry. - $this->result = @ldap_search( $this->connection, $checkDn, "cn=" .$group); - $info = @ldap_get_entries( $this->connection, $this->result); - - // Only one entry should be returned(no groups will have the same name) - $entry = ldap_first_entry( $this->connection,$this->result); - - if ( !$entry) { - $this->ldapErrorCode = ldap_errno( $this->connection); - $this->ldapErrorText = ldap_error( $this->connection); - return false; // Couldn't find the group... - } - // Get all the member DNs - if ( !$values = @ldap_get_values( $this->connection, $entry, "uniqueMember")) { - $this->ldapErrorCode = ldap_errno( $this->connection); - $this->ldapErrorText = ldap_error( $this->connection); - return false; // No users in the group - } - foreach ( $values as $key => $value) { - /* Loop through all members - see if the uname is there... - ** Also check for sub-groups - this allows us to define a group as - ** having membership of another group. - ** FIXME:- This is pretty ugly code and unoptimised. It takes ages - ** to search if you have sub-groups. - */ - list( $cn,$ou) = explode( ",",$value); - list( $ou_l,$ou_r) = explode( "=",$ou); - - if ( $this->groups==$ou_r) { - list( $cn_l,$cn_r) = explode( "=",$cn); - // OK, So we now check the sub-group... - if ( $this->checkGroup ( $uname,$cn_r)) { - return true; - } - } - - if ( preg_match( "/$uname/i",$value)) { - return true; - } - } - } - - // 2.4 Attribute methods ----------------------------------------------------- - - function getAttribute ( $uname,$attribute) { - /* 2.4.1 : Returns an array containing a set of attribute values. - ** For most searches, this will just be one row, but sometimes multiple - ** results are returned (eg:- multiple email addresses) - */ - - $checkDn = "ou=" .$this->people. ", " .$this->dn; - $results[0] = $attribute; - - // We need to search for this user in order to get their entry. - $this->result = ldap_search( $this->connection, $checkDn, "uid=" .$uname, $results); - $info = ldap_get_entries( $this->connection, $this->result); - - // Only one entry should ever be returned (no user will have the same uid) - $entry = ldap_first_entry( $this->connection, $this->result); - - if ( !$entry) { - $this->ldapErrorCode = -1; - $this->ldapErrorText = "Couldn't find user"; - return false; // Couldn't find the user... - } - - // Get all the member DNs - if ( !$values = @ldap_get_values( $this->connection, $entry, $attribute)) { - $this->ldapErrorCode = ldap_errno( $this->connection); - $this->ldapErrorText = ldap_error( $this->connection); - return false; // No matching attributes - } - - // Return an array containing the attributes. - return $values; - } - - - - function setAttribute( $uname, $attribute, $value) { - /* 2.4.2 : Allows an attribute value to be set. - ** This can only usually be done after an authenticated bind as a - ** directory manager - otherwise, read/write access will not be granted. - */ - - // Construct a full DN... - $attrib_dn = "uid=" .$uname. ",ou=" .$this->people. "," .$this->dn; - $info[$attribute] = $value; - // Change attribute - $this->result = ldap_modify( $this->connection, $attrib_dn, $info); - if ( $this->result) { - // Change went OK - return true; - } else { - // Couldn't change password... - $this->ldapErrorCode = ldap_errno( $this->connection); - $this->ldapErrorText = ldap_error( $this->connection); - return false; - } - } - - /** - * Sets and returns the appropriate dn, based on whether there - * are values in $this->people and $this->groups. - * - * @param $peopleOrGroups - * this boolean specifies whether to build a groups - * dn or a people dn ie. if the boolean is true: - * ou=$this->people,$this->dn else: - * ou=$this->groups,$this->dn - * @return - * the dn to use - */ - function setDn( $peopleOrGroups) { - - if ( $peopleOrGroups) { - if ( isset( $this->people) && ( strlen( $this->people) > 0)) { - $checkDn = "ou=" .$this->people. ", " .$this->dn; - } - } else { - if ( isset( $this->groups) && ( strlen( $this->groups) > 0)) { - $checkDn = "ou=" .$this->groups. ", " .$this->dn; - } - } - - if ( !isset( $checkDn)) { - $checkDn = $this->dn; - } - return $checkDn; - } - // 2.5 User methods ---------------------------------------------------------- - - function getUsers( $search, $attributeArray) { - /* 2.5.1 : Returns an array containing a details of users, sorted by - ** username. The search criteria is a standard LDAP query - * returns all - ** users. The $attributeArray variable contains the required user detail field names - */ - - // builds the appropriate dn, based on whether $this->people and/or $this->group is set - $checkDn = $this->setDn( true); - - // Perform the search and get the entry handles - $this->result = ldap_search( $this->connection, $checkDn, "uid=" .$search); - $info = ldap_get_entries( $this->connection, $this->result); - for( $i = 0; $i < $info["count"]; $i++){ - // Get the username, and create an array indexed by it... - // Modify these as you see fit. - $uname = $info[$i]["uid"][0]; - // add to the array for each attribute in my list - for ( $j = 0; $j < count( $attributeArray); $j++) { - if (strtolower($attributeArray[$j]) == "dn") { - $userslist["$uname"]["$attributeArray[$j]"] = $info[$i][strtolower($attributeArray[$j])]; - } else { - $userslist["$uname"]["$attributeArray[$j]"] = $info[$i][strtolower($attributeArray[$j])][0]; - } - } - } - - if ( !@asort( $userslist)) { - /* Sort into alphabetical order. If this fails, it's because there - ** were no results returned (array is empty) - so just return false. - */ - $this->ldapErrorCode = -1; - $this->ldapErrorText = "No users found matching search criteria ".$search; - return false; - } - return $userslist; - } - -} // End of class - - -?> -- libgit2 0.21.4