PageRenderTime 44ms CodeModel.GetById 20ms RepoModel.GetById 1ms app.codeStats 0ms

/php/main/auth/external_login/ldap.inc.php

https://bitbucket.org/frchico/chamilo_openshift
PHP | 322 lines | 204 code | 22 blank | 96 comment | 44 complexity | f0757310f5ddc599046390bb758d96dc MD5 | raw file
    

  1. <?php
    2. 

  2. 

  3. // External login module : LDAP 
    4. 

  4. /**
    5. 

  5.  * This files is included by newUser.ldap.php and login.ldap.php
    6. 

  6.  * It implements the functions nedded by both files
    7. 

  7.  * */
    8. 

  8. //Includes the configuration file
    9. 

  9. require_once dirname(__FILE__) . '/../../inc/global.inc.php';
    10. 

  10. require_once dirname(__FILE__) . '/../../inc/conf/auth.conf.php';
    11. 

  11. 

  12. /**
    13. 

  13.  * Returns a transcoded and trimmed string
    14. 

  14.  *
    15. 

  15.  * @param string 
    16. 

  16.  * @return string 
    17. 

  17.  * @author ndiechburg <noel@cblue.be>
    18. 

  18.  * */
    19. 

  19. function extldap_purify_string($string) {
    20. 

  20.     global $extldap_config;
    21. 

  21.     if (isset($extldap_config['encoding'])) {
    22. 

  22.         return trim(api_to_system_encoding($string, $extldap_config['encoding']));
    23. 

  23.     } else {
    24. 

  24.         return trim($string);
    25. 

  25.     }
    26. 

  26. }
    27. 

  27. 

  28. /**
    29. 

  29.  * Establishes a connection to the LDAP server and sets the protocol version
    30. 

  30.  *
    31. 

  31.  * @return resource ldap link identifier or false
    32. 

  32.  * @author ndiechburg <noel@cblue.be>
    33. 

  33.  * */
    34. 

  34. function extldap_connect() {
    35. 

  35.     global $extldap_config;
    36. 

  36. 

  37.     if (!is_array($extldap_config['host']))
    38. 

  38.         $extldap_config['host'] = array($extldap_config['host']);
    39. 

  39. 

  40.     foreach ($extldap_config['host'] as $host) {
    41. 

  41.         //Trying to connect
    42. 

  42.         if (isset($extldap_config['port'])) {
    43. 

  43.             $ds = ldap_connect($host, $extldap_config['port']);
    44. 

  44.         } else {
    45. 

  45.             $ds = ldap_connect($host);
    46. 

  46.         }
    47. 

  47.         if (!$ds) {
    48. 

  48.             $port = isset($extldap_config['port']) ? $ldap_config['port'] : 389;
    49. 

  49.             error_log('EXTLDAP ERROR : cannot connect to ' . $extldap_config['host'] . ':' . $port);
    50. 

  50.         } else
    51. 

  51.             break;
    52. 

  52.     }
    53. 

  53.     if (!$ds) {
    54. 

  54.         error_log('EXTLDAP ERROR : no valid server found');
    55. 

  55.         return false;
    56. 

  56.     }
    57. 

  57.     //Setting protocol version
    58. 

  58.     if (isset($extldap_config['protocol_version'])) {
    59. 

  59.         if (!ldap_set_option($ds, LDAP_OPT_PROTOCOL_VERSION, $extldap_config['protocol_version'])) {
    60. 

  60.             ldap_set_option($ds, LDAP_OPT_PROTOCOL_VERSION, 2);
    61. 

  61.         }
    62. 

  62.     }
    63. 

  63. 

  64.     //Setting protocol version
    65. 

  65.     if (isset($extldap_config['referrals'])) {
    66. 

  66.         if (!ldap_set_option($ds, LDAP_OPT_REFERRALS, $extldap_config['referrals'])) {
    67. 

  67.             ldap_set_option($ds, LDAP_OPT_REFERRALS, $extldap_config['referrals']);
    68. 

  68.         }
    69. 

  69.     }
    70. 

  70. 

  71.     return $ds;
    72. 

  72. }
    73. 

  73. 

  74. /**
    75. 

  75.  * Authenticate user on external ldap server and return user ldap entry if that succeeds
    76. 

  76.  *
    77. 

  77.  * @return mixed false if user cannot authenticate on ldap, user ldap entry if tha succeeds
    78. 

  78.  * @author ndiechburg <noel@cblue.be>
    79. 

  79.  * Modified by hubert.borderiou@grenet.fr 
    80. 

  80.  * Add possibility to get user info from LDAP without check password (if CAS auth and LDAP profil update)
    81. 

  81.  * 
    82. 

  82.  * */
    83. 

  83. function extldap_authenticate($username, $password, $in_auth_with_no_password = false) {
    84. 

  84.     global $extldap_config;
    85. 

  85. 

  86.     if (empty($username) or empty($password)) {
    87. 

  87.         return false;
    88. 

  88.     }
    89. 

  89. 

  90.     $ds = extldap_connect();
    91. 

  91.     if (!$ds) {
    92. 

  92.         return false;
    93. 

  93.     }
    94. 

  94. 

  95.     //Connection as admin to search dn of user
    96. 

  96.     $ldapbind = @ldap_bind($ds, $extldap_config['admin_dn'], $extldap_config['admin_password']);
    97. 

  97.     if ($ldapbind === false) {
    98. 

  98.         error_log('EXTLDAP ERROR : cannot connect with admin login/password');
    99. 

  99.         return false;
    100. 

  100.     }
    101. 

  101.     $user_search = extldap_get_user_search_string($username);
    102. 

  102.     //Search distinguish name of user
    103. 

  103.     $sr = ldap_search($ds, $extldap_config['base_dn'], $user_search);
    104. 

  104.     if (!$sr) {
    105. 

  105.         error_log('EXTLDAP ERROR : ldap_search(' . $ds . ', ' . $extldap_config['base_dn'] . ", $user_search) failed");
    106. 

  106.         return false;
    107. 

  107.     }
    108. 

  108.     $entries_count = ldap_count_entries($ds, $sr);
    109. 

  109. 

  110.     if ($entries_count > 1) {
    111. 

  111.         error_log('EXTLDAP ERROR : more than one entry for that user ( ldap_search(ds, ' . $extldap_config['base_dn'] . ", $user_search) )");
    112. 

  112.         return false;
    113. 

  113.     }
    114. 

  114.     if ($entries_count < 1) {
    115. 

  115.         error_log('EXTLDAP ERROR :  No entry for that user ( ldap_search(ds, ' . $extldap_config['base_dn'] . ", $user_search) )");
    116. 

  116.         return false;
    117. 

  117.     }
    118. 

  118.     $users = ldap_get_entries($ds, $sr);
    119. 

  119.     $user = $users[0];
    120. 

  120. 

  121.     // If we just want to have user info from LDAP and not to check password
    122. 

  122.     if ($in_auth_with_no_password) {
    123. 

  123.         return $user;
    124. 

  124.     }
    125. 

  125.     //now we try to autenthicate the user in the ldap
    126. 

  126.     $ubind = @ldap_bind($ds, $user['dn'], $password);
    127. 

  127.     if ($ubind !== false) {
    128. 

  128.         return $user;
    129. 

  129.     } else {
    130. 

  130.         error_log('EXTLDAP : Wrong password for ' . $user['dn']);
    131. 

  131.         return false;
    132. 

  132.     }
    133. 

  133. }
    134. 

  134. 

  135. /**
    136. 

  136.  * Return an array with userinfo compatible with chamilo using $extldap_user_correspondance
    137. 

  137.  * configuration array declared in ldap.conf.php file
    138. 

  138.  *
    139. 

  139.  * @param array ldap user
    140. 

  140.  * @param array correspondance array (if not set use extldap_user_correspondance declared in auth.conf.php
    141. 

  141.  * @return array userinfo array
    142. 

  142.  * @author ndiechburg <noel@cblue.be>
    143. 

  143.  * */
    144. 

  144. function extldap_get_chamilo_user($ldap_user, $cor = null) {
    145. 

  145.     global $extldap_user_correspondance;
    146. 

  146.     if (is_null($cor)) {
    147. 

  147.         $cor = $extldap_user_correspondance;
    148. 

  148.     }
    149. 

  149. 

  150.     $chamilo_user = array();
    151. 

  151.     foreach ($cor as $chamilo_field => $ldap_field) {
    152. 

  152.         if (is_array($ldap_field)) {
    153. 

  153.             $chamilo_user[$chamilo_field] = extldap_get_chamilo_user($ldap_user, $ldap_field);
    154. 

  154.             continue;
    155. 

  155.         }
    156. 

  156. 

  157.         switch ($ldap_field) {
    158. 

  158.             case 'func':
    159. 

  159.                 $func = "extldap_get_$chamilo_field";
    160. 

  160.                 if (function_exists($func)) {
    161. 

  161.                     $chamilo_user[$chamilo_field] = extldap_purify_string($func($ldap_user));
    162. 

  162.                 } else {
    163. 

  163.                     error_log("EXTLDAP WARNING : You forgot to declare $func");
    164. 

  164.                 }
    165. 

  165.                 break;
    166. 

  166.             default:
    167. 

  167.                 //if string begins with "!", then this is a constant
    168. 

  168.                 if ($ldap_field[0] === '!') {
    169. 

  169.                     $chamilo_user[$chamilo_field] = trim($ldap_field, "!\t\n\r\0");
    170. 

  170.                     break;
    171. 

  171.                 }
    172. 

  172.                 if (isset($ldap_user[$ldap_field][0])) {
    173. 

  173.                     $chamilo_user[$chamilo_field] = extldap_purify_string($ldap_user[$ldap_field][0]);
    174. 

  174.                 } else {
    175. 

  175.                     error_log('EXTLDAP WARNING : ' . $ldap_field . '[0] field is not set in ldap array');
    176. 

  176.                 }
    177. 

  177.                 break;
    178. 

  178.         }
    179. 

  179.     }
    180. 

  180.     return $chamilo_user;
    181. 

  181. }
    182. 

  182. 

  183. /**
    184. 

  184.  * Please declare here all the function you use in extldap_user_correspondance
    185. 

  185.  * All these functions must have an $ldap_user parameter. This parameter is the 
    186. 

  186.  * array returned by the ldap for the user
    187. 

  187.  * */
    188. 

  188. 

  189. /**
    190. 

  190.  * example function for email
    191. 

  191.  * */
    192. 

  192. /*
    193. 

  193.   function extldap_get_email($ldap_user){
    194. 

  194.   return $ldap_user['cn'].$ldap['sn'].'@gmail.com';
    195. 

  195.   }
    196. 

  196.  */
    197. 

  197. function extldap_get_status($ldap_user) {
    198. 

  198.     return STUDENT;
    199. 

  199. }
    200. 

  200. 

  201. function extldap_get_admin($ldap_user) {
    202. 

  202.     return false;
    203. 

  203. }
    204. 

  204. 

  205. /**
    206. 

  206.  * return the string used to search a user in ldap
    207. 

  207.  *
    208. 

  208.  * @param string username
    209. 

  209.  * @return string the serach string
    210. 

  210.  * @author ndiechburg <noel@cblue.be>
    211. 

  211.  * */
    212. 

  212. function extldap_get_user_search_string($username) {
    213. 

  213.     global $extldap_config;
    214. 

  214.     // init
    215. 

  215.     $filter = '(' . $extldap_config['user_search'] . ')';
    216. 

  216.     // replacing %username% by the actual username
    217. 

  217.     $filter = str_replace('%username%', $username, $filter);
    218. 

  218.     // append a global filter if needed
    219. 

  219.     if (isset($extldap_config['filter']) && $extldap_config['filter'] != "")
    220. 

  220.         $filter = '(&' . $filter . '(' . $extldap_config['filter'] . '))';
    221. 

  221. 

  222.     return $filter;
    223. 

  223. }
    224. 

  224. /**
    225. 

  225.  * Imports all LDAP users into Chamilo
    226. 

  226.  * @return bool false on error, true otherwise
    227. 

  227.  */
    228. 

  228. function extldap_import_all_users() {
    229. 

  229.     global $extldap_config;
    230. 

  230.     //echo "Connecting...\n";
    231. 

  231.     $ds = extldap_connect();
    232. 

  232.     if (!$ds) {
    233. 

  233.         return false;
    234. 

  234.     }
    235. 

  235.     //echo "Binding...\n";
    236. 

  236.     $ldapbind = false;
    237. 

  237.     //Connection as admin to search dn of user
    238. 

  238.     $ldapbind = @ldap_bind($ds, $extldap_config['admin_dn'], $extldap_config['admin_password']);
    239. 

  239.     if ($ldapbind === false) {
    240. 

  240.         error_log('EXTLDAP ERROR : cannot connect with admin login/password');
    241. 

  241.         return false;
    242. 

  242.     }
    243. 

  243.     //browse ASCII values from a to z to avoid 1000 results limit of LDAP
    244. 

  244.     $count = 0;
    245. 

  245.     $alphanum = array('0','1','2','3','4','5','6','7','8','9');
    246. 

  246.     for ($a=97;$a<=122;$a++) {
    247. 

  247.         $alphanum[] = chr($a);
    248. 

  248.     }
    249. 

  249.     foreach ($alphanum as $char1) {
    250. 

  250.         foreach ($alphanum as $char2) {
    251. 

  251.             //$user_search = "uid=*";
    252. 

  252.             $user_search = "sAMAccountName=$char1$char2*";
    253. 

  253.             //Search distinguish name of user
    254. 

  254.             $sr = ldap_search($ds, $extldap_config['base_dn'], $user_search);
    255. 

  255.             if (!$sr) {
    256. 

  256.                 error_log('EXTLDAP ERROR : ldap_search(' . $ds . ', ' . $extldap_config['base_dn'] . ", $user_search) failed");
    257. 

  257.                 return false;
    258. 

  258.             }
    259. 

  259.             //echo "Getting entries\n";
    260. 

  260.             $users = ldap_get_entries($ds, $sr);
    261. 

  261.             //echo "Entries: ".$users['count']."\n";
    262. 

  262.             for ($key = 0; $key < $users['count']; $key ++) {
    263. 

  263.                 $user_id = extldap_add_user_by_array($users[$key], true);
    264. 

  264.                 $count ++;
    265. 

  265.                 if ($user_id) {
    266. 

  266.                     // echo "User #$user_id created or updated\n";
    267. 

  267.                 } else {
    268. 

  268.                     // echo "User was not created\n";
    269. 

  269.                 }
    270. 

  270.             }
    271. 

  271.         }
    272. 

  272.     }
    273. 

  273.     //echo "Found $count users in total\n";
    274. 

  274.     @ldap_close($ds);
    275. 

  275. }
    276. 

  276. /**
    277. 

  277.  * Insert users from an array of user fields
    278. 

  278.  */
    279. 

  279. function extldap_add_user_by_array($data, $update_if_exists = true) {
    280. 

  280.     $lastname = api_convert_encoding($data['sn'][0], api_get_system_encoding(), 'UTF-8');
    281. 

  281.     $firstname = api_convert_encoding($data['cn'][0], api_get_system_encoding(), 'UTF-8');
    282. 

  282.     $email = $data['mail'][0];
    283. 

  283.     // Get uid from dn
    284. 

  284.     $dn_array=ldap_explode_dn($data['dn'],1);
    285. 

  285.     $username = $dn_array[0]; // uid is first key
    286. 

  286.     $outab[] = $data['edupersonprimaryaffiliation'][0]; // Here, "student"
    287. 

  287.     //$val = ldap_get_values_len($ds, $entry, "userPassword");
    288. 

  288.     //$val = ldap_get_values_len($ds, $data, "userPassword");
    289. 

  289.     //$password = $val[0];
    290. 

  290.     // TODO the password, if encrypted at the source, will be encrypted twice, which makes it useless. Try to fix that.
    291. 

  291.     $password = $data['userPassword'][0];
    292. 

  292.     $structure=$data['edupersonprimaryorgunitdn'][0];
    293. 

  293.     $array_structure=explode(",", $structure);
    294. 

  294.     $array_val=explode("=", $array_structure[0]);
    295. 

  295.     $etape=$array_val[1];
    296. 

  296.     $array_val=explode("=", $array_structure[1]);
    297. 

  297.     $annee=$array_val[1];
    298. 

  298.     // To ease management, we add the step-year (etape-annee) code
    299. 

  299.     $official_code=$etape."-".$annee;
    300. 

  300.     $auth_source='ldap';
    301. 

  301.     // No expiration date for students (recover from LDAP's shadow expiry)
    302. 

  302.     $expiration_date='0000-00-00 00:00:00';
    303. 

  303.     $active=1;
    304. 

  304.     if(empty($status)){$status = 5;}
    305. 

  305.     if(empty($phone)){$phone = '';}
    306. 

  306.     if(empty($picture_uri)){$picture_uri = '';}
    307. 

  307.     // Adding user
    308. 

  308.     $user_id = 0;
    309. 

  309.     if (UserManager::is_username_available($username)) {
    310. 

  310.         //echo "$username\n";
    311. 

  311.         $user_id = UserManager::create_user($firstname,$lastname,$status,$email,$username,$password,$official_code,api_get_setting('platformLanguage'),$phone,$picture_uri,$auth_source,$expiration_date,$active);
    312. 

  312.     } else {
    313. 

  313.         if ($update_if_exists) {
    314. 

  314.             $user = UserManager::get_user_info($username);
    315. 

  315.             $user_id=$user['user_id'];
    316. 

  316.             //echo "$username\n";
    317. 

  317.             UserManager::update_user($user_id, $firstname, $lastname, $username, null, null, $email, $status, $official_code, $phone, $picture_uri, $expiration_date, $active);
    318. 

  318.         }
    319. 

  319.     }
    320. 

  320.     return $user_id;
    321. 

  321. }
    322. 

  322. 

  323.