252 lines
10 KiB
PHP
Executable File
252 lines
10 KiB
PHP
Executable File
<?php
|
|
|
|
/**
|
|
* Simple LDAP object to interact with LDAP
|
|
*
|
|
* @author Denis CLAVIER <clavierd at gmail dot com>
|
|
*/
|
|
|
|
|
|
require_once __DIR__.'/LDAPInterface.php';
|
|
|
|
class LDAP implements LDAPInterface
|
|
{
|
|
protected $ldap_server;
|
|
|
|
/**
|
|
* LDAP Resource
|
|
*
|
|
* @param string @ldap_host
|
|
* Either a hostname or, with OpenLDAP 2.x.x and later, a full LDAP URI
|
|
* @param int @ldap_port
|
|
* An optional int to specify ldap server port, by default : 389
|
|
* @param int @ldap_version
|
|
* An optional int to specify ldap version, by default LDAP V3 protocol is used
|
|
*
|
|
* Initiate LDAP connection by creating an associated resource
|
|
*/
|
|
public function __construct($ldap_host, $ldap_port = 389, $ldap_version = 3)
|
|
{
|
|
if (!is_string($ldap_host))
|
|
{
|
|
throw new InvalidArgumentException('First argument to LDAP must be the hostname of a ldap server (string). Ex: ldap//example.com/ ');
|
|
}
|
|
|
|
if (!is_int($ldap_port))
|
|
{
|
|
throw new InvalidArgumentException('Second argument to LDAP must be the ldap server port (int). Ex : 389');
|
|
}
|
|
|
|
$ldap = ldap_connect($ldap_host, $ldap_port)
|
|
or die("Unable to connect to the ldap server : $ldaphost ! Please check your configuration.");
|
|
|
|
// Support LDAP V3 since many users have encountered difficulties with LDAP V3.
|
|
if (is_int($ldap_version) && $ldap_version <= 3 && $ldap_version > 0)
|
|
{
|
|
ldap_set_option($ldap, LDAP_OPT_PROTOCOL_VERSION, $ldap_version);
|
|
}
|
|
else
|
|
{
|
|
throw new InvalidArgumentException('Third argument to LDAP must be the ldap version (int). Ex : 3');
|
|
}
|
|
|
|
$this->ldap_server = $ldap;
|
|
}
|
|
|
|
/**
|
|
* @param string @user
|
|
* A ldap username or email or sAMAccountName
|
|
* @param string @password
|
|
* An optional password linked to the user, if not provided an anonymous bind is attempted
|
|
* @param string @ldap_search_attribute
|
|
* The attribute used on your LDAP to identify user (uid, email, cn, sAMAccountName)
|
|
* @param string @ldap_filter
|
|
* An optional filter to search in LDAP (ex : objectClass = person).
|
|
* @param string @ldap_base_dn
|
|
* The LDAP base DN.
|
|
* @param string @ldap_bind_dn
|
|
* The directory name of a service user to bind before search. Must be a user with read permission on LDAP.
|
|
* @param string @ldap_bind_pass
|
|
* The password associated to the service user to bind before search.
|
|
*
|
|
* @return
|
|
* TRUE if the user is identified and can access to the LDAP server
|
|
* and FALSE if it isn't
|
|
*/
|
|
public function checkLogin($user, $password = null, $ldap_search_attribute, $ldap_filter = null, $ldap_base_dn,$ldap_bind_dn, $ldap_bind_pass) {
|
|
if (!is_string($user))
|
|
{
|
|
throw new InvalidArgumentException('First argument to LDAP/checkLogin must be the username or email of a ldap user (string). Ex: jdupont or jdupont@company.com');
|
|
}
|
|
if (!is_string($password) && $password != null)
|
|
{
|
|
throw new InvalidArgumentException('Second argument to LDAP/checkLogin must be the password associated to the relative directory name (string).');
|
|
}
|
|
if (!is_string($ldap_search_attribute))
|
|
{
|
|
throw new InvalidArgumentException('Third argument to LDAP/checkLogin must be the attribute to identify users (ex : uid, email, sAMAccountName) (string).');
|
|
}
|
|
if (!is_string($ldap_filter) && $ldap_filter != null)
|
|
{
|
|
throw new InvalidArgumentException('Fourth argument to LDAP/checkLogin must be an optional filter to search in LDAP (string).');
|
|
}
|
|
if (!is_string($ldap_base_dn))
|
|
{
|
|
throw new InvalidArgumentException('Fifth argument to LDAP/checkLogin must be the ldap base directory name (string). Ex: o=Company');
|
|
}
|
|
if (!is_string($ldap_bind_dn) && $ldap_bind_dn != null)
|
|
{
|
|
throw new InvalidArgumentException('Sixth argument to LDAP/checkLogin must be an optional service account on restrictive LDAP (string).');
|
|
}
|
|
if (!is_string($ldap_bind_pass) && $ldap_bind_pass != null)
|
|
{
|
|
throw new InvalidArgumentException('Seventh argument to LDAP/checkLogin must be an optional password for the service account on restrictive LDAP (string).');
|
|
}
|
|
|
|
// If LDAP service account for search is specified, do an ldap_bind with this account
|
|
if ($ldap_bind_dn != '' && $ldap_bind_dn != null)
|
|
{
|
|
$bind_result=ldap_bind($this->ldap_server,$ldap_bind_dn,$ldap_bind_pass);
|
|
|
|
// If authentification failed, throw an exception
|
|
if (!$bind_result)
|
|
{
|
|
throw new Exception('An error has occured during ldap_bind execution. Please check parameter of LDAP/checkLogin, and make sure that user provided have read permission on LDAP.');
|
|
}
|
|
}
|
|
if ($ldap_filter!="" && $ldap_filter != null)
|
|
{
|
|
$search_filter = '(&(' . $ldap_search_attribute . '=' . $user . ')(' . $ldap_filter .'))';
|
|
}
|
|
else
|
|
{
|
|
$search_filter = $ldap_search_attribute . '=' . $user;
|
|
}
|
|
|
|
|
|
$result = ldap_search($this->ldap_server, $ldap_base_dn, $search_filter, array(), 0, 1, 500);
|
|
|
|
if (!$result)
|
|
{
|
|
throw new Exception('An error has occured during ldap_search execution. Please check parameter of LDAP/checkLogin.');
|
|
}
|
|
|
|
$data = ldap_first_entry($this->ldap_server, $result);
|
|
if (!$data)
|
|
{
|
|
throw new Exception('An error has occured during ldap_first_entry execution. Please check parameter of LDAP/checkLogin.');
|
|
}
|
|
$dn = ldap_get_dn($this->ldap_server, $data);
|
|
if (!$dn)
|
|
{
|
|
throw new Exception('An error has occured during ldap_get_values execution (dn). Please check parameter of LDAP/checkLogin.');
|
|
}
|
|
|
|
return ldap_bind($this->ldap_server,$dn,$password);
|
|
}
|
|
|
|
/**
|
|
* @param string @ldap_base_dn
|
|
* The LDAP base DN.
|
|
* @param string @ldap_filter
|
|
* A filter to get relevant data. Often the user id in ldap (uid or sAMAccountName).
|
|
* @param string @ldap_bind_dn
|
|
* The directory name of a service user to bind before search. Must be a user with read permission on LDAP.
|
|
* @param string @ldap_bind_pass
|
|
* The password associated to the service user to bind before search.
|
|
* @param string @ldap_search_attribute
|
|
* The attribute used on your LDAP to identify user (uid, email, cn, sAMAccountName)
|
|
* @param string @user
|
|
* A ldap username or email or sAMAccountName
|
|
*
|
|
* @return
|
|
* An array with the user's mail, complete name and directory name.
|
|
*/
|
|
public function getDataForMattermost($ldap_base_dn, $ldap_filter, $ldap_bind_dn, $ldap_bind_pass, $ldap_search_attribute, $user) {
|
|
|
|
$attribute=array("cn","mail");
|
|
|
|
if (!is_string($ldap_base_dn))
|
|
{
|
|
throw new InvalidArgumentException('First argument to LDAP/getData must be the ldap base directory name (string). Ex: o=Company');
|
|
}
|
|
if (!is_string($ldap_filter))
|
|
{
|
|
throw new InvalidArgumentException('Second argument to LDAP/getData must be a filter to get relevant data. Often is the user id in ldap (string). Ex : uid=jdupont');
|
|
}
|
|
if (!is_string($ldap_bind_dn) && $ldap_bind_dn != null)
|
|
{
|
|
throw new InvalidArgumentException('Third argument to LDAP/getData must be an optional service account on restrictive LDAP (string).');
|
|
}
|
|
if (!is_string($ldap_bind_pass) && $ldap_bind_pass != null)
|
|
{
|
|
throw new InvalidArgumentException('Fourth argument to LDAP/getData must be an optional password for the service account on restrictive LDAP (string).');
|
|
}
|
|
if (!is_string($ldap_search_attribute))
|
|
{
|
|
throw new InvalidArgumentException('Fifth argument to LDAP/getData must be the attribute to identify users (ex : uid, email, sAMAccountName) (string).');
|
|
}
|
|
if (!is_string($user))
|
|
{
|
|
throw new InvalidArgumentException('Sixth argument to LDAP/getData must be the username or email of a ldap user (string). Ex: jdupont or jdupont@company.com');
|
|
}
|
|
|
|
// If LDAP service account for search is specified, do an ldap_bind with this account
|
|
if ($ldap_bind_dn != '' && $ldap_bind_dn != null)
|
|
{
|
|
$bind_result=ldap_bind($this->ldap_server,$ldap_bind_dn,$ldap_bind_pass);
|
|
|
|
// If authentification failed, throw an exception
|
|
if (!$bind_result)
|
|
{
|
|
throw new Exception('An error has occured during ldap_bind execution. Please check parameter of LDAP/getData, and make sure that user provided have read permission on LDAP.');
|
|
}
|
|
}
|
|
|
|
if ($ldap_filter!="" && $ldap_filter != null)
|
|
{
|
|
$search_filter = '(&(' . $ldap_search_attribute . '=' . $user . ')(' . $ldap_filter .'))';
|
|
}
|
|
else
|
|
{
|
|
$search_filter = $ldap_search_attribute . '=' . $user;
|
|
}
|
|
|
|
$result = ldap_search($this->ldap_server, $ldap_base_dn, $search_filter, array(), 0, 1, 500);
|
|
|
|
if (!$result)
|
|
{
|
|
throw new Exception('An error has occured during ldap_search execution. Please check parameter of LDAP/getData.');
|
|
}
|
|
|
|
$data = ldap_first_entry($this->ldap_server, $result);
|
|
if (!$data)
|
|
{
|
|
throw new Exception('An error has occured during ldap_first_entry execution. Please check parameter of LDAP/getData.');
|
|
}
|
|
|
|
$mail = ldap_get_values($this->ldap_server, $data, "mail");
|
|
if (!$mail)
|
|
{
|
|
throw new Exception('An error has occured during ldap_get_values execution (mail). Please check parameter of LDAP/getData.');
|
|
}
|
|
|
|
$cn = ldap_get_values($this->ldap_server, $data, "cn");
|
|
if (!$cn)
|
|
{
|
|
throw new Exception('An error has occured during ldap_get_values execution (complete name). Please check parameter of LDAP/getData.');
|
|
}
|
|
|
|
return array("mail" => $mail[0], "cn" => $cn[0]);
|
|
}
|
|
|
|
/*
|
|
* Destructor to close the LDAP connection
|
|
*/
|
|
public function __destruct()
|
|
{
|
|
ldap_close($this->ldap_server);
|
|
}
|
|
|
|
}
|