PageRenderTime 45ms CodeModel.GetById 17ms RepoModel.GetById 0ms app.codeStats 0ms

/htdocs/core/login/functions_ldap.php

https://bitbucket.org/speedealing/speedealing
PHP | 217 lines | 138 code | 23 blank | 56 comment | 36 complexity | 28d8bbc12db3912f2614f5aae9a3609b MD5 | raw file
Possible License(s): LGPL-3.0, LGPL-2.1, GPL-3.0, MIT
  1. <?php
  2. /* Copyright (C) 2007-2011 Laurent Destailleur <eldy@users.sourceforge.net>
  3. *
  4. * This program is free software; you can redistribute it and/or modify
  5. * it under the terms of the GNU General Public License as published by
  6. * the Free Software Foundation; either version 3 of the License, or
  7. * (at your option) any later version.
  8. *
  9. * This program is distributed in the hope that it will be useful,
  10. * but WITHOUT ANY WARRANTY; without even the implied warranty of
  11. * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
  12. * GNU General Public License for more details.
  13. *
  14. * You should have received a copy of the GNU General Public License
  15. * along with this program. If not, see <http://www.gnu.org/licenses/>.
  16. *
  17. */
  18. /**
  19. * \file htdocs/core/login/functions_ldap.php
  20. * \ingroup core
  21. * \brief Authentication functions for LDAP
  22. */
  23. /**
  24. * Check validity of user/password/entity
  25. * If test is ko, reason must be filled into $_SESSION["dol_loginmesg"]
  26. *
  27. * @param string $usertotest Login
  28. * @param string $passwordtotest Password
  29. * @param int $entitytotest Number of instance (always 1 if module multicompany not enabled)
  30. * @return string Login if OK, '' if KO
  31. */
  32. function check_user_password_ldap($usertotest,$passwordtotest,$entitytotest)
  33. {
  34. global $_POST,$db,$conf,$langs;
  35. global $dolibarr_main_auth_ldap_host,$dolibarr_main_auth_ldap_port;
  36. global $dolibarr_main_auth_ldap_version,$dolibarr_main_auth_ldap_servertype;
  37. global $dolibarr_main_auth_ldap_login_attribute,$dolibarr_main_auth_ldap_dn;
  38. global $dolibarr_main_auth_ldap_admin_login,$dolibarr_main_auth_ldap_admin_pass;
  39. global $dolibarr_main_auth_ldap_filter;
  40. global $dolibarr_main_auth_ldap_debug;
  41. if (! function_exists("ldap_connect"))
  42. {
  43. dol_syslog("functions_ldap::check_user_password_ldap Authentification ko failed to connect to LDAP. LDAP functions are disabled on this PHP");
  44. sleep(1);
  45. $langs->load('main');
  46. $langs->load('other');
  47. $_SESSION["dol_loginmesg"]=$langs->trans("ErrorLDAPFunctionsAreDisabledOnThisPHP").' '.$langs->trans("TryAnotherConnectionMode");
  48. return;
  49. }
  50. $login='';
  51. $resultFetchUser='';
  52. if (! empty($_POST["username"]))
  53. {
  54. // If test username/password asked, we define $test=false and $login var if ok, set $_SESSION["dol_loginmesg"] if ko
  55. $ldaphost=$dolibarr_main_auth_ldap_host;
  56. $ldapport=$dolibarr_main_auth_ldap_port;
  57. $ldapversion=$dolibarr_main_auth_ldap_version;
  58. $ldapservertype=(empty($dolibarr_main_auth_ldap_servertype) ? 'openldap' : $dolibarr_main_auth_ldap_servertype);
  59. $ldapuserattr=$dolibarr_main_auth_ldap_login_attribute;
  60. $ldapdn=$dolibarr_main_auth_ldap_dn;
  61. $ldapadminlogin=$dolibarr_main_auth_ldap_admin_login;
  62. $ldapadminpass=$dolibarr_main_auth_ldap_admin_pass;
  63. $ldapdebug=(empty($dolibarr_main_auth_ldap_debug) || $dolibarr_main_auth_ldap_debug=="false" ? false : true);
  64. if ($ldapdebug) print "DEBUG: Logging LDAP steps<br>\n";
  65. require_once DOL_DOCUMENT_ROOT.'/core/class/ldap.class.php';
  66. $ldap=new Ldap();
  67. $ldap->server=array($ldaphost);
  68. $ldap->serverPort=$ldapport;
  69. $ldap->ldapProtocolVersion=$ldapversion;
  70. $ldap->serverType=$ldapservertype;
  71. $ldap->searchUser=$ldapadminlogin;
  72. $ldap->searchPassword=$ldapadminpass;
  73. dol_syslog("functions_ldap::check_user_password_ldap usertotest=".$usertotest);
  74. if ($ldapdebug)
  75. {
  76. dol_syslog("functions_ldap::check_user_password_ldap Server:".join(',',$ldap->server).", Port:".$ldap->serverPort.", Protocol:".$ldap->ldapProtocolVersion.", Type:".$ldap->serverType);
  77. dol_syslog("functions_ldap::check_user_password_ldap uid/samacountname=".$ldapuserattr.", dn=".$ldapdn.", Admin:".$ldap->searchUser.", Pass:".$ldap->searchPassword);
  78. print "DEBUG: Server:".join(',',$ldap->server).", Port:".$ldap->serverPort.", Protocol:".$ldap->ldapProtocolVersion.", Type:".$ldap->serverType."<br>\n";
  79. print "DEBUG: uid/samacountname=".$ldapuserattr.", dn=".$ldapdn.", Admin:".$ldap->searchUser.", Pass:".$ldap->searchPassword."<br>\n";
  80. }
  81. $resultFetchLdapUser=0;
  82. // Define $userSearchFilter
  83. $userSearchFilter = "";
  84. if (empty($dolibarr_main_auth_ldap_filter)) {
  85. $userSearchFilter = "(" . $ldapuserattr . "=" . $usertotest . ")";
  86. } else {
  87. $userSearchFilter = str_replace('%1%', $usertotest, $dolibarr_main_auth_ldap_filter);
  88. }
  89. // If admin login provided
  90. // Code to get user in LDAP from an admin connection (may differ from user connection, done later)
  91. if ($ldapadminlogin)
  92. {
  93. $result=$ldap->connect_bind();
  94. if ($result > 0)
  95. {
  96. $resultFetchLdapUser = $ldap->fetch($usertotest,$userSearchFilter);
  97. //dol_syslog('functions_ldap::check_user_password_ldap resultFetchLdapUser='.$resultFetchLdapUser);
  98. if ($resultFetchLdapUser > 0 && $ldap->pwdlastset == 0) // If ok but password need to be reset
  99. {
  100. dol_syslog('functions_ldap::check_user_password_ldap '.$usertotest.' must change password next logon');
  101. if ($ldapdebug) print "DEBUG: User ".$usertotest." must change password<br>\n";
  102. $ldap->close();
  103. sleep(1);
  104. $langs->load('ldap');
  105. $_SESSION["dol_loginmesg"]=$langs->trans("YouMustChangePassNextLogon",$usertotest,$ldap->domainFQDN);
  106. return '';
  107. }
  108. }
  109. else
  110. {
  111. if ($ldapdebug) print "DEBUG: ".$ldap->error."<br>\n";
  112. }
  113. $ldap->close();
  114. }
  115. // Forge LDAP user and password to test with them
  116. // If LDAP need a dn with login like "uid=jbloggs,ou=People,dc=foo,dc=com", default dn may work even if previous code with
  117. // admin login no exectued.
  118. $ldap->searchUser=$ldapuserattr."=".$usertotest.",".$ldapdn; // Default dn (will work if LDAP accept a dn with login value inside)
  119. // But if LDAP need a dn with name like "cn=Jhon Bloggs,ou=People,dc=foo,dc=com", previous part must have been executed to have
  120. // dn detected into ldapUserDN.
  121. if ($resultFetchLdapUser) $ldap->searchUser = $ldap->ldapUserDN;
  122. $ldap->searchPassword=$passwordtotest;
  123. // Test with this->seachUser and this->searchPassword
  124. //print $resultFetchLdapUser."-".$ldap->ldapUserDN."-".$ldap->searchUser.'-'.$ldap->searchPassword;exit;
  125. $result=$ldap->connect_bind();
  126. if ($result > 0)
  127. {
  128. if ($result == 2)
  129. {
  130. dol_syslog("functions_ldap::check_user_password_ldap Authentification ok");
  131. $login=$usertotest;
  132. // ldap2dolibarr synchronisation
  133. if ($login && ! empty($conf->ldap->enabled) && $conf->global->LDAP_SYNCHRO_ACTIVE == 'ldap2dolibarr')
  134. {
  135. // On charge les attributs du user ldap
  136. if ($ldapdebug) print "DEBUG: login ldap = ".$login."<br>\n";
  137. $resultFetchLdapUser = $ldap->fetch($login,$userSearchFilter);
  138. if ($ldapdebug) print "DEBUG: UACF = ".join(',',$ldap->uacf)."<br>\n";
  139. if ($ldapdebug) print "DEBUG: pwdLastSet = ".dol_print_date($ldap->pwdlastset,'day')."<br>\n";
  140. if ($ldapdebug) print "DEBUG: badPasswordTime = ".dol_print_date($ldap->badpwdtime,'day')."<br>\n";
  141. // On recherche le user dolibarr en fonction de son SID ldap
  142. $sid = $ldap->getObjectSid($login);
  143. if ($ldapdebug) print "DEBUG: sid = ".$sid."<br>\n";
  144. $user=new User($db);
  145. $resultFetchUser=$user->fetch('',$login,$sid);
  146. if ($resultFetchUser > 0)
  147. {
  148. // On verifie si le login a change et on met a jour les attributs dolibarr
  149. if ($user->login != $ldap->login && $ldap->login)
  150. {
  151. $user->login = $ldap->login;
  152. $user->update($user);
  153. // TODO Que faire si update echoue car on update avec un login deja existant.
  154. }
  155. //$resultUpdate = $user->update_ldap2dolibarr();
  156. }
  157. }
  158. }
  159. if ($result == 1)
  160. {
  161. dol_syslog("functions_ldap::check_user_password_ldap Authentification ko bad user/password for '".$usertotest."'");
  162. sleep(1);
  163. $langs->load('main');
  164. $langs->load('other');
  165. $_SESSION["dol_loginmesg"]=$langs->trans("ErrorBadLoginPassword");
  166. }
  167. }
  168. else
  169. {
  170. /* Login failed. Return false, together with the error code and text from
  171. ** the LDAP server. The common error codes and reasons are listed below :
  172. ** (for iPlanet, other servers may differ)
  173. ** 19 - Account locked out (too many invalid login attempts)
  174. ** 32 - User does not exist
  175. ** 49 - Wrong password
  176. ** 53 - Account inactive (manually locked out by administrator)
  177. */
  178. dol_syslog("functions_ldap::check_user_password_ldap Authentification ko failed to connect to LDAP for '".$usertotest."'");
  179. if (is_resource($ldap->connection)) // If connection ok but bind ko
  180. {
  181. $ldap->ldapErrorCode = ldap_errno($ldap->connection);
  182. $ldap->ldapErrorText = ldap_error($ldap->connection);
  183. dol_syslog("functions_ldap::check_user_password_ldap ".$ldap->ldapErrorText);
  184. }
  185. sleep(1);
  186. $langs->load('main');
  187. $langs->load('other');
  188. $_SESSION["dol_loginmesg"]=$langs->trans("ErrorBadLoginPassword");
  189. }
  190. $ldap->close();
  191. }
  192. return $login;
  193. }
  194. ?>