Peter M. Groen / knowledgetree

Commit ae61c83d398710db0eedeb6b67ddcee03a6ff580

Authored by Michael Joseph
1 parent 91a3f245

moved to lib/authentication 


git-svn-id: https://kt-dms.svn.sourceforge.net/svnroot/kt-dms/trunk@257 c91229c3-7414-0410-bfa2-8a42b809f60b
Inline Side-by-side
Showing 1 changed file with 0 additions and 401 deletions
lib/class.AuthLdap.php deleted
View file @91a3f24
1 -<?php  
2 -/* class.AuthLdap.php , version 0.1  
3 -** Mark Round, December 2002 - http://www.markround.com/unix  
4 -** Provides LDAP authentication and user functions.  
5 -**  
6 -** Not intended as a full-blown LDAP access class - but it does provide  
7 -** several useful functions for dealing with users.  
8 -** Note - this works out of the box on Sun's iPlanet Directory Server - but  
9 -** an ACL has to be defined giving all users the ability to change their  
10 -** password (userPassword attribute).  
11 -** See the README file for more information and examples.  
12 -**  
13 -** This program is free software; you can redistribute it and/or modify  
14 -** it under the terms of the GNU General Public License as published by  
15 -** the Free Software Foundation; either version 2 of the License, or  
16 -** (at your option) any later version.  
17 -**  
18 -** This program is distributed in the hope that it will be useful,  
19 -** but WITHOUT ANY WARRANTY; without even the implied warranty of  
20 -** MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the  
21 -** GNU General Public License for more details.  
22 -**  
23 -** You should have received a copy of the GNU General Public License  
24 -** along with this program; if not, write to the Free Software  
25 -** Foundation, Inc., 59 Temple Place, Suite 330, Boston, MA 02111-1307 USA  
26 -*/  
27 -  
28 -class AuthLdap {  
29 -  
30 - // 1.1 Public properties -----------------------------------------------------  
31 -  
32 - var $server; // Array of server IP address or hostnames  
33 - var $dn; // The base DN (e.g. "dc=foo,dc=com")  
34 - var $people; // Where the user records are kept  
35 - var $groups; // Where the group definitions are kept  
36 - var $ldapErrorCode; // The last error code returned by the LDAP server  
37 - var $ldapErrorText; // Text of the error message  
38 -  
39 - // 1.2 Private properties ----------------------------------------------------  
40 -  
41 - var $connection; // The internal LDAP connection handle  
42 - var $result; // Result of any connections etc.  
43 -  
44 - // 2.1 Connection handling methods -------------------------------------------  
45 -  
46 - function connect() {  
47 - /* 2.1.1 : Connects to the server. Just creates a connection which is used  
48 - ** in all later access to the LDAP server. If it can't connect and bind  
49 - ** anonymously, it creates an error code of -1. Returns true if connected,  
50 - ** false if failed. Takes an array of possible servers - if one doesn't work,  
51 - ** it tries the next and so on.  
52 - */  
53 -  
54 - foreach ($this->server as $key => $host) {  
55 - echo "key=$key; host=$host<br>";  
56 - $this->connection = ldap_connect( $host);  
57 - if ( $this->connection) {  
58 - echo "connected<br>";  
59 - // Connected, now try binding....  
60 - if ( $this->result=@ldap_bind( $this->connection)) {  
61 - // Bound OK!  
62 - $this->bound = $host;  
63 - return true;  
64 - }  
65 - } else { echo "not connected<br>";}  
66 - }  
67 -  
68 - $this->ldapErrorCode = -1;  
69 - $this->ldapErrorText = "Unable to connect to any server";  
70 - return false;  
71 -  
72 - }  
73 -  
74 -  
75 -  
76 - function close() {  
77 - /* 2.1.2 : Simply closes the connection set up earlier.  
78 - ** Returns true if OK, false if there was an error.  
79 - */  
80 -  
81 - if ( !@ldap_close( $this->connection)) {  
82 - $this->ldapErrorCode = ldap_errno( $this->connection);  
83 - $this->ldapErrorText = ldap_error( $this->connection);  
84 - return false;  
85 - } else  
86 - return true;  
87 - }  
88 -  
89 -  
90 -  
91 - function bind() {  
92 - /* 2.1.3 : Anonymously binds to the connection. After this is done,  
93 - ** queries and searches can be done - but read-only.  
94 - */  
95 -  
96 - if ( !$this->result=@ldap_bind( $this->connection)) {  
97 - $this->ldapErrorCode = ldap_errno( $this->connection);  
98 - $this->ldapErrorText = ldap_error( $this->connection);  
99 - return false;  
100 - } else  
101 - return true;  
102 - }  
103 -  
104 -  
105 -  
106 - function authBind( $bindDn,$pass) {  
107 - /* 2.1.4 : Binds as an authenticated user, which usually allows for write  
108 - ** access. The FULL dn must be passed. For a directory manager, this is  
109 - ** "cn=Directory Manager" under iPlanet. For a user, it will be something  
110 - ** like "uid=jbloggs,ou=People,dc=foo,dc=com".  
111 - */  
112 - if ( !$this->result = @ldap_bind( $this->connection,$bindDn,$pass)) {  
113 - $this->ldapErrorCode = ldap_errno( $this->connection);  
114 - $this->ldapErrorText = ldap_error( $this->connection);  
115 - return false;  
116 - } else  
117 - return true;  
118 - }  
119 -  
120 - // 2.2 Password methods ------------------------------------------------------  
121 -  
122 - function checkPass( $uname,$pass) {  
123 - /* 2.2.1 : Checks a username and password - does this by logging on to the  
124 - ** server as a user - specified in the DN. There are several reasons why  
125 - ** this login could fail - these are listed below.  
126 - */  
127 -  
128 - /* Construct the full DN, eg:-  
129 - ** "uid=username, ou=People, dc=orgname,dc=com"  
130 - */  
131 - $checkDn = "uid=" .$uname. ", ou=" .$this->people. ", " .$this->dn;  
132 - // Try and connect...  
133 - $this->result = @ldap_bind( $this->connection,$checkDn,$pass);  
134 - if ( $this->result) {  
135 - // Connected OK - login credentials are fine!  
136 - return true;  
137 - } else {  
138 - /* Login failed. Return false, together with the error code and text from  
139 - ** the LDAP server. The common error codes and reasons are listed below :  
140 - ** (for iPlanet, other servers may differ)  
141 - ** 19 - Account locked out (too many invalid login attempts)  
142 - ** 32 - User does not exist  
143 - ** 49 - Wrong password  
144 - ** 53 - Account inactive (manually locked out by administrator)  
145 - */  
146 - $this->ldapErrorCode = ldap_errno( $this->connection);  
147 - $this->ldapErrorText = ldap_error( $this->connection);  
148 - return false;  
149 - }  
150 - }  
151 -  
152 -  
153 -  
154 - function changePass( $uname,$oldPass,$newPass) {  
155 - /* 2.2.2 : Allows a password to be changed. Note that on most LDAP servers,  
156 - ** a new ACL must be defined giving users the ability to modify their  
157 - ** password attribute (userPassword). Otherwise this will fail.  
158 - */  
159 -  
160 - $checkDn = "uid=" .$uname. ", ou=" .$this->people. ", " .$this->dn;  
161 - $this->result = @ldap_bind( $this->connection,$checkDn,$oldPass);  
162 -  
163 - if ( $this->result) {  
164 - // Connected OK - Now modify the password...  
165 - $info["userPassword"] = $newPass;  
166 - $this->result = @ldap_modify( $this->connection, $checkDn, $info);  
167 - if ( $this->result) {  
168 - // Change went OK  
169 - return true;  
170 - } else {  
171 - // Couldn't change password...  
172 - $this->ldapErrorCode = ldap_errno( $this->connection);  
173 - $this->ldapErrorText = ldap_error( $this->connection);  
174 - return false;  
175 - }  
176 - } else {  
177 - // Login failed - see checkPass method for common error codes  
178 - $this->ldapErrorCode = ldap_errno( $this->connection);  
179 - $this->ldapErrorText = ldap_error( $this->connection);  
180 - return false;  
181 - }  
182 - }  
183 -  
184 -  
185 -  
186 - function checkPassAge ( $uname) {  
187 - /* 2.2.3 : Returns days until the password will expire.  
188 - ** We have to explicitly state this is what we want returned from the  
189 - ** LDAP server - by default, it will only send back the "basic"  
190 - ** attributes.  
191 - */  
192 - $results[0] = "passwordexpirationtime";  
193 - $this->result = @ldap_search( $this->connection,$this->dn,"uid=".$uname,$results);  
194 -  
195 - if ( !$info=@ldap_get_entries( $this->connection, $this->result)) {  
196 - $this->ldapErrorCode = ldap_errno( $this->connection);  
197 - $this->ldapErrorText = ldap_error( $this->connection);  
198 - return false;  
199 - } else {  
200 - /* Now work out how many days remaining....  
201 - ** Yes, it's very verbose code but I left it like this so it can easily  
202 - ** be modified for your needs.  
203 - */  
204 - $date = $info[0]["passwordexpirationtime"][0];  
205 - $year = substr( $date,0,4);  
206 - $month = substr( $date,4,2);  
207 - $day = substr( $date,6,2);  
208 - $hour = substr( $date,8,2);  
209 - $min = substr( $date,10,2);  
210 - $sec = substr( $date,12,2);  
211 -  
212 - $timestamp = mktime( $hour,$min,$sec,$month,$day,$year);  
213 - $today = mktime();  
214 - $diff = $timestamp-$today;  
215 - return round( ( ( ( $diff/60)/60)/24));  
216 - }  
217 - }  
218 -  
219 - // 2.3 Group methods ---------------------------------------------------------  
220 -  
221 - function checkGroup ( $uname,$group) {  
222 - /* 2.3.1 : Checks to see if a user is in a given group. If so, it returns  
223 - ** true, and returns false if the user isn't in the group, or any other  
224 - ** error occurs (eg:- no such user, no group by that name etc.)  
225 - */  
226 -  
227 - $checkDn = "ou=" .$this->groups. ", " .$this->dn;  
228 -  
229 - // We need to search for the group in order to get it's entry.  
230 - $this->result = @ldap_search( $this->connection, $checkDn, "cn=" .$group);  
231 - $info = @ldap_get_entries( $this->connection, $this->result);  
232 -  
233 - // Only one entry should be returned(no groups will have the same name)  
234 - $entry = ldap_first_entry( $this->connection,$this->result);  
235 -  
236 - if ( !$entry) {  
237 - $this->ldapErrorCode = ldap_errno( $this->connection);  
238 - $this->ldapErrorText = ldap_error( $this->connection);  
239 - return false; // Couldn't find the group...  
240 - }  
241 - // Get all the member DNs  
242 - if ( !$values = @ldap_get_values( $this->connection, $entry, "uniqueMember")) {  
243 - $this->ldapErrorCode = ldap_errno( $this->connection);  
244 - $this->ldapErrorText = ldap_error( $this->connection);  
245 - return false; // No users in the group  
246 - }  
247 - foreach ( $values as $key => $value) {  
248 - /* Loop through all members - see if the uname is there...  
249 - ** Also check for sub-groups - this allows us to define a group as  
250 - ** having membership of another group.  
251 - ** FIXME:- This is pretty ugly code and unoptimised. It takes ages  
252 - ** to search if you have sub-groups.  
253 - */  
254 - list( $cn,$ou) = explode( ",",$value);  
255 - list( $ou_l,$ou_r) = explode( "=",$ou);  
256 -  
257 - if ( $this->groups==$ou_r) {  
258 - list( $cn_l,$cn_r) = explode( "=",$cn);  
259 - // OK, So we now check the sub-group...  
260 - if ( $this->checkGroup ( $uname,$cn_r)) {  
261 - return true;  
262 - }  
263 - }  
264 -  
265 - if ( preg_match( "/$uname/i",$value)) {  
266 - return true;  
267 - }  
268 - }  
269 - }  
270 -  
271 - // 2.4 Attribute methods -----------------------------------------------------  
272 -  
273 - function getAttribute ( $uname,$attribute) {  
274 - /* 2.4.1 : Returns an array containing a set of attribute values.  
275 - ** For most searches, this will just be one row, but sometimes multiple  
276 - ** results are returned (eg:- multiple email addresses)  
277 - */  
278 -  
279 - $checkDn = "ou=" .$this->people. ", " .$this->dn;  
280 - $results[0] = $attribute;  
281 -  
282 - // We need to search for this user in order to get their entry.  
283 - $this->result = ldap_search( $this->connection, $checkDn, "uid=" .$uname, $results);  
284 - $info = ldap_get_entries( $this->connection, $this->result);  
285 -  
286 - // Only one entry should ever be returned (no user will have the same uid)  
287 - $entry = ldap_first_entry( $this->connection, $this->result);  
288 -  
289 - if ( !$entry) {  
290 - $this->ldapErrorCode = -1;  
291 - $this->ldapErrorText = "Couldn't find user";  
292 - return false; // Couldn't find the user...  
293 - }  
294 -  
295 - // Get all the member DNs  
296 - if ( !$values = @ldap_get_values( $this->connection, $entry, $attribute)) {  
297 - $this->ldapErrorCode = ldap_errno( $this->connection);  
298 - $this->ldapErrorText = ldap_error( $this->connection);  
299 - return false; // No matching attributes  
300 - }  
301 -  
302 - // Return an array containing the attributes.  
303 - return $values;  
304 - }  
305 -  
306 -  
307 -  
308 - function setAttribute( $uname, $attribute, $value) {  
309 - /* 2.4.2 : Allows an attribute value to be set.  
310 - ** This can only usually be done after an authenticated bind as a  
311 - ** directory manager - otherwise, read/write access will not be granted.  
312 - */  
313 -  
314 - // Construct a full DN...  
315 - $attrib_dn = "uid=" .$uname. ",ou=" .$this->people. "," .$this->dn;  
316 - $info[$attribute] = $value;  
317 - // Change attribute  
318 - $this->result = ldap_modify( $this->connection, $attrib_dn, $info);  
319 - if ( $this->result) {  
320 - // Change went OK  
321 - return true;  
322 - } else {  
323 - // Couldn't change password...  
324 - $this->ldapErrorCode = ldap_errno( $this->connection);  
325 - $this->ldapErrorText = ldap_error( $this->connection);  
326 - return false;  
327 - }  
328 - }  
329 -  
330 - /**  
331 - * Sets and returns the appropriate dn, based on whether there  
332 - * are values in $this->people and $this->groups.  
333 - *  
334 - * @param $peopleOrGroups  
335 - * this boolean specifies whether to build a groups  
336 - * dn or a people dn ie. if the boolean is true:  
337 - * ou=$this->people,$this->dn else:  
338 - * ou=$this->groups,$this->dn  
339 - * @return  
340 - * the dn to use  
341 - */  
342 - function setDn( $peopleOrGroups) {  
343 -  
344 - if ( $peopleOrGroups) {  
345 - if ( isset( $this->people) && ( strlen( $this->people) > 0)) {  
346 - $checkDn = "ou=" .$this->people. ", " .$this->dn;  
347 - }  
348 - } else {  
349 - if ( isset( $this->groups) && ( strlen( $this->groups) > 0)) {  
350 - $checkDn = "ou=" .$this->groups. ", " .$this->dn;  
351 - }  
352 - }  
353 -  
354 - if ( !isset( $checkDn)) {  
355 - $checkDn = $this->dn;  
356 - }  
357 - return $checkDn;  
358 - }  
359 - // 2.5 User methods ----------------------------------------------------------  
360 -  
361 - function getUsers( $search, $attributeArray) {  
362 - /* 2.5.1 : Returns an array containing a details of users, sorted by  
363 - ** username. The search criteria is a standard LDAP query - * returns all  
364 - ** users. The $attributeArray variable contains the required user detail field names  
365 - */  
366 -  
367 - // builds the appropriate dn, based on whether $this->people and/or $this->group is set  
368 - $checkDn = $this->setDn( true);  
369 -  
370 - // Perform the search and get the entry handles  
371 - $this->result = ldap_search( $this->connection, $checkDn, "uid=" .$search);  
372 - $info = ldap_get_entries( $this->connection, $this->result);  
373 - for( $i = 0; $i < $info["count"]; $i++){  
374 - // Get the username, and create an array indexed by it...  
375 - // Modify these as you see fit.  
376 - $uname = $info[$i]["uid"][0];  
377 - // add to the array for each attribute in my list  
378 - for ( $j = 0; $j < count( $attributeArray); $j++) {  
379 - if (strtolower($attributeArray[$j]) == "dn") {  
380 - $userslist["$uname"]["$attributeArray[$j]"] = $info[$i][strtolower($attributeArray[$j])];  
381 - } else {  
382 - $userslist["$uname"]["$attributeArray[$j]"] = $info[$i][strtolower($attributeArray[$j])][0];  
383 - }  
384 - }  
385 - }  
386 -  
387 - if ( !@asort( $userslist)) {  
388 - /* Sort into alphabetical order. If this fails, it's because there  
389 - ** were no results returned (array is empty) - so just return false.  
390 - */  
391 - $this->ldapErrorCode = -1;  
392 - $this->ldapErrorText = "No users found matching search criteria ".$search;  
393 - return false;  
394 - }  
395 - return $userslist;  
396 - }  
397 -  
398 -} // End of class  
399 -  
400 -  
401 -?>