PageRenderTime 35ms CodeModel.GetById 9ms RepoModel.GetById 1ms app.codeStats 0ms

/mrbs-1.4.8/web/auth_ldap.inc

#
PHP | 511 lines | 355 code | 47 blank | 109 comment | 45 complexity | fff3d4723a871b5b9f8d32f35c833c54 MD5 | raw file
Possible License(s): GPL-2.0 
    

  1. <?php
    2. 

  2. 

  3. // $Id: auth_ldap.inc 2202 2011-12-17 20:05:28Z jberanek $
    4. 

  4. 

  5. /* ~~JFL 2003/11/12 By default, use the http session mechanism */
    6. 

  6. if (!isset($auth['session']))
    7. 

  7. {
    8. 

  8.   $auth['session']='http';
    9. 

  9. }
    10. 

  10. 

  11. 

  12. /* authLdapAction($callback, $user, &$object)
    13. 

  13.  * 
    14. 

  14.  * Connects/binds to all configured LDAP servers/base DNs and
    15. 

  15.  * then performs a callback, passing the LDAP object, $base_dn,
    16. 

  16.  * user DN (in $dn), $user and a generic object $object
    17. 

  17.  *
    18. 

  18.  * $callback - The callback function
    19. 

  19.  * $user     - The user name
    20. 

  20.  * &$object  - Reference to the generic object, type defined by caller
    21. 

  21.  * 
    22. 

  22.  * Returns:
    23. 

  23.  *   0        - The pair are invalid or do not exist
    24. 

  24.  *   non-zero - The pair are valid
    25. 

  25.  */
    26. 

  26. function authLdapAction($callback, $user, &$object)
    27. 

  27. {
    28. 

  28.   global $auth;
    29. 

  29.   global $ldap_host;
    30. 

  30.   global $ldap_port;
    31. 

  31.   global $ldap_v3;
    32. 

  32.   global $ldap_tls;
    33. 

  33.   global $ldap_base_dn;
    34. 

  34.   global $ldap_user_attrib;
    35. 

  35.   global $ldap_dn_search_attrib;
    36. 

  36.   global $ldap_dn_search_dn;
    37. 

  37.   global $ldap_dn_search_password;
    38. 

  38.   global $ldap_filter;
    39. 

  39.   global $ldap_group_member_attrib;
    40. 

  40.   global $ldap_admin_group_dn;
    41. 

  41.   global $ldap_email_attrib;
    42. 

  42.   global $ldap_disable_referrals;
    43. 

  43. 

  44.   if (!function_exists("ldap_connect"))
    45. 

  45.   {
    46. 

  46.     die("<hr><p><b>ERROR: PHP's 'ldap' extension is not installed/enabled. ".
    47. 

  47.         "Please check your MRBS and web server configuration.</b></p><hr>\n");
    48. 

  48.   }
    49. 

  49. 

  50.   // Transfer the values from the config variables into a local
    51. 

  51.   // associative array, turning them all into arrays
    52. 

  52.   
    53. 

  53.   $config_items = array(
    54. 

  54.                         'ldap_host',
    55. 

  55.                         'ldap_port',
    56. 

  56.                         'ldap_base_dn',
    57. 

  57.                         'ldap_user_attrib',
    58. 

  58.                         'ldap_dn_search_attrib',
    59. 

  59.                         'ldap_dn_search_dn',
    60. 

  60.                         'ldap_dn_search_password',
    61. 

  61.                         'ldap_filter',
    62. 

  62.                         'ldap_group_member_attrib',
    63. 

  63.                         'ldap_admin_group_dn',
    64. 

  64.                         'ldap_v3',
    65. 

  65.                         'ldap_tls',
    66. 

  66.                         'ldap_email_attrib',
    67. 

  67.                         'ldap_disable_referrals'
    68. 

  68.                        );
    69. 

  69. 

  70.   $all_ldap_opts = array();
    71. 

  71. 

  72.   
    73. 

  73.   foreach ($config_items as $item)
    74. 

  74.   {
    75. 

  75.     if (!isset($$item))
    76. 

  76.     {
    77. 

  77.       continue;
    78. 

  78.     }
    79. 

  79.     if (is_array($$item))
    80. 

  80.     {
    81. 

  81.       $all_ldap_opts[$item] = $$item;
    82. 

  82.     }
    83. 

  83.     // The case where the config item _isn't_ an array is handled
    84. 

  84.     // further down
    85. 

  85.   }
    86. 

  86. 

  87.   $count = null;
    88. 

  88.   foreach ($all_ldap_opts as $key => $value)
    89. 

  89.   {
    90. 

  90.     if (isset($count))
    91. 

  91.     {
    92. 

  92.       if (count($value) != $count)
    93. 

  93.       {
    94. 

  94.         authLdapDebug("Count of LDAP array config variables doesn't match, aborting!");
    95. 

  95.         fatal_error(TRUE,
    96. 

  96.                     "MRBS configuration error: Count of LDAP array config variables doesn't match, aborting!",
    97. 

  97.                     false);
    98. 

  98.         return 0;
    99. 

  99.       }
    100. 

  100.     }
    101. 

  101.     $count = count($value);
    102. 

  102.   }
    103. 

  103. 

  104.   // Turn any non-array config items into arrays in $all_ldap_opts
    105. 

  105.   foreach ($config_items as $item)
    106. 

  106.   {
    107. 

  107.     if (!isset($$item))
    108. 

  108.     {
    109. 

  109.       continue;
    110. 

  110.     }
    111. 

  111.     if (!is_array($$item))
    112. 

  112.     {
    113. 

  113.       $all_ldap_opts[$item] = array_fill(0, $count, $$item);
    114. 

  114.     }
    115. 

  115.   }
    116. 

  116. 

  117.   foreach ($all_ldap_opts['ldap_host'] as $idx => $host)
    118. 

  118.   {
    119. 

  119.     // establish ldap connection
    120. 

  120.     // the '@' suppresses errors
    121. 

  121.     if (isset($all_ldap_opts['ldap_port'][$idx]))
    122. 

  122.     {
    123. 

  123.       $ldap = @ldap_connect($host, $all_ldap_opts['ldap_port'][$idx]);
    124. 

  124.     }
    125. 

  125.     else
    126. 

  126.     {
    127. 

  127.       $ldap = @ldap_connect($host);
    128. 

  128.     }
    129. 

  129. 

  130.     // Check that connection was established
    131. 

  131.     if ($ldap)
    132. 

  132.     {
    133. 

  133.       authLdapDebug("authLdapAction: Got LDAP connection");
    134. 

  134. 

  135.       if (isset($all_ldap_opts['ldap_v3'][$idx]) &&
    136. 

  136.           $all_ldap_opts['ldap_v3'][$idx])
    137. 

  137.       {
    138. 

  138.         ldap_set_option($ldap, LDAP_OPT_PROTOCOL_VERSION, 3);
    139. 

  139.       }
    140. 

  140.       if (isset($all_ldap_opts['ldap_tls'][$idx]) &&
    141. 

  141.           $all_ldap_opts['ldap_tls'][$idx])
    142. 

  142.       {
    143. 

  143.         ldap_start_tls($ldap);
    144. 

  144.       }
    145. 

  145.       if(isset($all_ldap_opts['ldap_disable_referrals'][$idx]) && $all_ldap_opts['ldap_disable_referrals'][$idx])
    146. 

  146.       {
    147. 

  147.         // Required to do a search on Active Directory for Win 2003+
    148. 

  148.         ldap_set_option($ldap, LDAP_OPT_REFERRALS, 0);
    149. 

  149.       }
    150. 

  150.       
    151. 

  151.       if (isset($all_ldap_opts['ldap_dn_search_attrib'][$idx]))
    152. 

  152.       {
    153. 

  153.         if (isset($all_ldap_opts['ldap_dn_search_dn'][$idx]) &&
    154. 

  154.             isset($all_ldap_opts['ldap_dn_search_password'][$idx]))
    155. 

  155.         {
    156. 

  156.           // Bind with DN and password
    157. 

  157.           $res = @ldap_bind($ldap, $all_ldap_opts['ldap_dn_search_dn'][$idx],
    158. 

  158.                             $all_ldap_opts['ldap_dn_search_password'][$idx]);
    159. 

  159.         }
    160. 

  160.         else
    161. 

  161.         {
    162. 

  162.           // Anonymous bind
    163. 

  163.           $res = @ldap_bind($ldap);
    164. 

  164.         }
    165. 

  165.         authLdapDebug("authLdapAction: Result of initial bind is $res");
    166. 

  166. 

  167.         if ($res)
    168. 

  168.         {
    169. 

  169.           $res = @ldap_search($ldap,
    170. 

  170.                               $all_ldap_opts['ldap_base_dn'][$idx],
    171. 

  171.                               "(". $all_ldap_opts['ldap_dn_search_attrib'][$idx] ."=$user)");
    172. 

  172. 

  173.           if (@ldap_count_entries($ldap, $res) == 1)
    174. 

  174.           {
    175. 

  175.             authLdapDebug("authLdapAction: Found one entry using '".
    176. 

  176.                           $all_ldap_opts['ldap_dn_search_attrib'][$idx]."'");
    177. 

  177.             $entries = ldap_get_entries($ldap, $res);
    178. 

  178.             $dn = $entries[0]["dn"];
    179. 

  179.             $user_search = "distinguishedName=" . $dn;
    180. 

  180.           }
    181. 

  181.           else
    182. 

  182.           {
    183. 

  183.             authLdapDebug("authLdapAction: Didn't find entry using '".
    184. 

  184.                           $all_ldap_opts['ldap_dn_search_attrib'][$idx]."'");
    185. 

  185.           }
    186. 

  186.           authLdapDebug("authLdapAction: base_dn '".
    187. 

  187.                         $all_ldap_opts['ldap_base_dn'][$idx].
    188. 

  188.                         "' user $user dn $dn");
    189. 

  189.         }
    190. 

  190.       }
    191. 

  191.       else
    192. 

  192.       {
    193. 

  193.         // construct dn for user
    194. 

  194.         $user_search = $all_ldap_opts['ldap_user_attrib'][$idx] . "=" . $user;
    195. 

  195.         $dn = $user_search . "," . $all_ldap_opts['ldap_base_dn'][$idx];
    196. 

  196. 

  197.         authLdapDebug("authLdapAction: Constructed dn '$dn' and ".
    198. 

  198.                       "user_search '$user_search' using '".
    199. 

  199.                       $all_ldap_opts['ldap_user_attrib'][$idx]."'");
    200. 

  200.       }
    201. 

  201. 

  202.       foreach ($config_items as $item)
    203. 

  203.       {
    204. 

  204.         if (isset($all_ldap_opts[$item][$idx]))
    205. 

  205.         {
    206. 

  206.           $object['config'][$item] = $all_ldap_opts[$item][$idx];
    207. 

  207.         }
    208. 

  208.       }
    209. 

  209. 

  210.       $res = $callback($ldap, $all_ldap_opts['ldap_base_dn'][$idx], $dn,
    211. 

  211.                        $user_search, $user, $object);
    212. 

  212.       if ($res)
    213. 

  213.       {
    214. 

  214.         return $res;
    215. 

  215.       }
    216. 

  216. 

  217.     } // if ($ldap)
    218. 

  218. 

  219.     @ldap_unbind($ldap);
    220. 

  220.   } // foreach
    221. 

  221. }
    222. 

  222. 

  223. 

  224. /* authLdapGetEmail($user)
    225. 

  225.  * 
    226. 

  226.  * Gets the email address of the user from LDAP
    227. 

  227.  * 
    228. 

  228.  * $user  - The user name
    229. 

  229.  * 
    230. 

  230.  * Returns:
    231. 

  231.  *   The user's email address or ''
    232. 

  232.  */
    233. 

  233. function authLdapGetEmail($user)
    234. 

  234. {
    235. 

  235.   $email = '';
    236. 

  236.   $object = array();
    237. 

  237. 

  238.   $res = authLdapAction("authLdapGetEmailCallback", $user, $object);
    239. 

  239. 

  240.   if ($res)
    241. 

  241.   {
    242. 

  242.     $email = $object['email'];
    243. 

  243.   }
    244. 

  244.   return $email;
    245. 

  245. }
    246. 

  246. 

  247. 

  248. /* authLdapGetEmailCallback(&$ldap, $base_dn, $dn, $user_search,
    249. 

  249.                             $user, &$object)
    250. 

  250.  * 
    251. 

  251.  * Checks if the specified username/password pair are valid
    252. 

  252.  *
    253. 

  253.  * &$ldap       - Reference to the LDAP object
    254. 

  254.  * $base_dn     - The base DN
    255. 

  255.  * $dn          - The user's DN
    256. 

  256.  * $user_search - The LDAP filter to find the user
    257. 

  257.  * $user        - The user name
    258. 

  258.  * &$object     - Reference to the generic object
    259. 

  259.  * 
    260. 

  260.  * Returns:
    261. 

  261.  *   0        - Didn't find a user
    262. 

  262.  *   non-zero - Found a user
    263. 

  263.  */
    264. 

  264. function authLdapGetEmailCallback(&$ldap, $base_dn, $dn, $user_search,
    265. 

  265.                                   $user, &$object)
    266. 

  266. {
    267. 

  267.   $email_attrib = $object['config']['ldap_email_attrib'];
    268. 

  268. 

  269.   authLdapDebug("authLdapGetEmailCallback: base_dn '$base_dn' dn '$dn' ".
    270. 

  270.                 "user_search '$user_search' user '$user'");
    271. 

  271. 

  272.   if ($ldap && $base_dn && $dn && $user_search)
    273. 

  273.   {
    274. 

  274.     $res = @ldap_read(
    275. 

  275.                       $ldap,
    276. 

  276.                       $dn,
    277. 

  277.                       "(objectclass=*)",
    278. 

  278.                       array(strtolower($email_attrib))
    279. 

  279.                      );
    280. 

  280.     if (@ldap_count_entries($ldap, $res) > 0)
    281. 

  281.     {
    282. 

  282.       authLdapDebug("authLdapGetEmailCallback: search successful");
    283. 

  283.       $entries = ldap_get_entries($ldap, $res);
    284. 

  284.       $object['email'] = $entries[0][strtolower($email_attrib)][0];
    285. 

  285. 

  286.       authLdapDebug("authLdapGetEmailCallback: email is '".
    287. 

  287.                     $object['email']."'");
    288. 

  288.       
    289. 

  289.       return 1;
    290. 

  290.     }
    291. 

  291.   }
    292. 

  292.   return 0;
    293. 

  293. }
    294. 

  294. 

  295. 

  296. /* authValidateUser($user, $pass)
    297. 

  297.  * 
    298. 

  298.  * Checks if the specified username/password pair are valid
    299. 

  299.  * 
    300. 

  300.  * $user  - The user name
    301. 

  301.  * $pass  - The password
    302. 

  302.  * 
    303. 

  303.  * Returns:
    304. 

  304.  *   0        - The pair are invalid or do not exist
    305. 

  305.  *   non-zero - The pair are valid
    306. 

  306.  */
    307. 

  307. function authValidateUser($user, $pass)
    308. 

  308. {
    309. 

  309.   // Check if we do not have a username/password
    310. 

  310.   // User can always bind to LDAP anonymously with empty password,
    311. 

  311.   // therefore we need to block empty password here...
    312. 

  312.   if (!isset($user) || !isset($pass) || strlen($pass)==0)
    313. 

  313.   {
    314. 

  314.     authLdapDebug("Empty username or password passed");
    315. 

  315.     return 0;
    316. 

  316.   }
    317. 

  317. 

  318.   $object = array();
    319. 

  319.   $object['pass'] = $pass;
    320. 

  320. 

  321.   return authLdapAction("authValidateUserCallback", $user, $object);
    322. 

  322. }
    323. 

  323. 

  324. 

  325. /* authValidateUserCallback(&$ldap, $base_dn, $dn, $user_search,
    326. 

  326.                             $user, &$object)
    327. 

  327.  * 
    328. 

  328.  * Checks if the specified username/password pair are valid
    329. 

  329.  *
    330. 

  330.  * &$ldap       - Reference to the LDAP object
    331. 

  331.  * $base_dn     - The base DN
    332. 

  332.  * $dn          - The user's DN
    333. 

  333.  * $user_search - The LDAP filter to find the user
    334. 

  334.  * $user        - The user name
    335. 

  335.  * &$object     - Reference to the generic object
    336. 

  336.  * 
    337. 

  337.  * Returns:
    338. 

  338.  *   0        - Didn't find a user
    339. 

  339.  *   non-zero - Found a user
    340. 

  340.  */
    341. 

  341. function authValidateUserCallback(&$ldap, $base_dn, $dn, $user_search,
    342. 

  342.                                   $user, &$object)
    343. 

  343. {
    344. 

  344.   authLdapDebug("authValidateUserCallback: base_dn '$base_dn' ".
    345. 

  345.                 "dn '$dn' user '$user'");
    346. 

  346. 

  347.   $pass = $object['pass'];
    348. 

  348. 

  349.   // try an authenticated bind
    350. 

  350.   // use this to confirm that the user/password pair
    351. 

  351.   if ($dn && @ldap_bind($ldap, $dn, $pass))
    352. 

  352.   {
    353. 

  353.     $filter = $object['config']['ldap_filter'];
    354. 

  354. 

  355.     // however if there is a filter check that the
    356. 

  356.     // user is part of the group defined by the filter
    357. 

  357.     if (! $filter)
    358. 

  358.     {
    359. 

  359.       authLdapDebug("authValidateUserCallback: Successful authenticated ".
    360. 

  360.                     "bind with no \$ldap_filter");
    361. 

  361.       return 1;
    362. 

  362.     }
    363. 

  363.     else
    364. 

  364.     {
    365. 

  365.       authLdapDebug("authValidateUserCallback: Successful authenticated ".
    366. 

  366.                     "bind checking '$filter'");
    367. 

  367. 

  368.       $res = @ldap_read($ldap,
    369. 

  369.                         $dn,
    370. 

  370.                         "($filter)",
    371. 

  371.                         array()
    372. 

  372.                        );
    373. 

  373.       if (@ldap_count_entries($ldap, $res) > 0)
    374. 

  374.       {
    375. 

  375.         authLdapDebug("authValidateUserCallback: Found entry with filter");
    376. 

  376.         return 1;
    377. 

  377.       }
    378. 

  378.       authLdapDebug("authValidateUserCallback: No entry found with filter");
    379. 

  379.     }
    380. 

  380.   }
    381. 

  381.   else
    382. 

  382.   {
    383. 

  383.     authLdapDebug("authValidateUserCallback: Bind to '$dn' failed");
    384. 

  384.   }
    385. 

  385. 

  386.   if ($ldap_unbind_between_attempts)
    387. 

  387.   {
    388. 

  388.     @ldap_unbind($ldap);
    389. 

  389.   }
    390. 

  390. 

  391.   // return failure if no connection is established
    392. 

  392.   return 0;
    393. 

  393. }
    394. 

  394. 

  395. 

  396. /* authLdapCheckAdminGroupCallback(&$ldap, $base_dn, $dn, $user_search,
    397. 

  397.                             $user, &$object)
    398. 

  398.  * 
    399. 

  399.  * Checks if the specified username is in an admin group
    400. 

  400.  *
    401. 

  401.  * &$ldap       - Reference to the LDAP object
    402. 

  402.  * $base_dn     - The base DN
    403. 

  403.  * $dn          - The user's DN
    404. 

  404.  * $user_search - The LDAP filter to find the user
    405. 

  405.  * $user        - The user name
    406. 

  406.  * &$object     - Reference to the generic object
    407. 

  407.  * 
    408. 

  408.  * Returns:
    409. 

  409.  *   0        - Not in the admin group
    410. 

  410.  *   non-zero - In the admin group
    411. 

  411.  */
    412. 

  412. function authLdapCheckAdminGroupCallback(&$ldap, $base_dn, $dn, $user_search,
    413. 

  413.                                          $user, &$object)
    414. 

  414. {
    415. 

  415.   $admin_group_dn = $object['config']['ldap_admin_group_dn'];
    416. 

  416.   $group_member_attrib = $object['config']['ldap_group_member_attrib'];
    417. 

  417. 

  418.   authLdapDebug("authLdapCheckAdminGroupCallback: base_dn '$base_dn' ".
    419. 

  419.                 "dn '$dn' user_search '$user_search' user '$user'");
    420. 

  420. 

  421.   if ($ldap && $base_dn && $dn && $user_search)
    422. 

  422.   {
    423. 

  423.   $res = @ldap_read(
    424. 

  424.                     $ldap,
    425. 

  425.                     $dn,
    426. 

  426.                     "(objectclass=*)",
    427. 

  427.                     array(strtolower($group_member_attrib))
    428. 

  428.                    );
    429. 

  429.     if (@ldap_count_entries($ldap, $res) > 0)
    430. 

  430.     {
    431. 

  431.       authLdapDebug("authCheckAdminGroupCallback: search successful".
    432. 

  432.                     " $group_member_attrib");
    433. 

  433.       $entries = ldap_get_entries($ldap, $res);
    434. 

  434.       foreach ($entries[0][strtolower($group_member_attrib)] as $group)
    435. 

  435.       {
    436. 

  436.         if (strcasecmp($group, $admin_group_dn) == 0)
    437. 

  437.         {
    438. 

  438.           return 1;
    439. 

  439.         }
    440. 

  440.       }
    441. 

  441.     }
    442. 

  442.   }
    443. 

  443.   return 0;
    444. 

  444. }
    445. 

  445. 

  446. 

  447. /* authGetUserLevel($user)
    448. 

  448.  *
    449. 

  449.  * Determines the users access level
    450. 

  450.  *
    451. 

  451.  * $user - The user name
    452. 

  452.  *
    453. 

  453.  * Returns:
    454. 

  454.  *   The users access level
    455. 

  455.  */
    456. 

  456. function authGetUserLevel($user)
    457. 

  457. {
    458. 

  458.   global $auth;
    459. 

  459.   global $ldap_admin_group_dn;
    460. 

  460. 

  461.   $admins = $auth['admin'];
    462. 

  462.   // User not logged in, user level '0'
    463. 

  463.   if (!isset($user))
    464. 

  464.   {
    465. 

  465.     return 0;
    466. 

  466.   }
    467. 

  467.   
    468. 

  468.   if ($ldap_admin_group_dn)
    469. 

  469.   {
    470. 

  470.     $res = authLdapAction("authLdapCheckAdminGroupCallback", $user, $object);
    471. 

  471.     if ($res)
    472. 

  472.     {
    473. 

  473.       return 2;
    474. 

  474.     }
    475. 

  475.     else
    476. 

  476.     {
    477. 

  477.       return 1;
    478. 

  478.     }
    479. 

  479.   }
    480. 

  480.     
    481. 

  481.   // Check if the user is an admin
    482. 

  482.   foreach ($admins as $admin)
    483. 

  483.   {
    484. 

  484.     if (strcasecmp($user, $admin) == 0)
    485. 

  485.     {
    486. 

  486.       return 2;
    487. 

  487.     }
    488. 

  488.   }
    489. 

  489.     
    490. 

  490.   // Everybody else is access level '1'
    491. 

  491.   return 1;
    492. 

  492. }
    493. 

  493. 

  494. 

  495. /* authLdapDebug($message)
    496. 

  496.  *
    497. 

  497.  * Output LDAP debugging, if the configuration variable
    498. 

  498.  * $ldap_debug is true.
    499. 

  499.  *
    500. 

  500.  */
    501. 

  501. function authLdapDebug($message)
    502. 

  502. {
    503. 

  503.   global $ldap_debug;
    504. 

  504. 

  505.   if ($ldap_debug)
    506. 

  506.   {
    507. 

  507.     error_log($message);
    508. 

  508.   }
    509. 

  509. }
    510. 

  510. 

  511. ?>
    512. 

  512.