1<?php 2 3use dokuwiki\Extension\AuthPlugin; 4use dokuwiki\PassHash; 5use dokuwiki\Utf8\Sort; 6 7/** 8 * LDAP authentication backend 9 * 10 * @license GPL 2 (http://www.gnu.org/licenses/gpl.html) 11 * @author Andreas Gohr <andi@splitbrain.org> 12 * @author Chris Smith <chris@jalakaic.co.uk> 13 * @author Jan Schumann <js@schumann-it.com> 14 */ 15class auth_plugin_authldap extends AuthPlugin 16{ 17 /* @var resource $con holds the LDAP connection */ 18 protected $con; 19 20 /* @var int $bound What type of connection does already exist? */ 21 protected $bound = 0; // 0: anonymous, 1: user, 2: superuser 22 23 /* @var array $users User data cache */ 24 protected $users; 25 26 /* @var array $pattern User filter pattern */ 27 protected $pattern; 28 29 /** 30 * Constructor 31 */ 32 public function __construct() 33 { 34 parent::__construct(); 35 36 // ldap extension is needed 37 if (!function_exists('ldap_connect')) { 38 $this->debug("LDAP err: PHP LDAP extension not found.", -1, __LINE__, __FILE__); 39 $this->success = false; 40 return; 41 } 42 43 // Add the capabilities to change the password 44 $this->cando['modPass'] = $this->getConf('modPass'); 45 } 46 47 /** 48 * Check user+password 49 * 50 * Checks if the given user exists and the given 51 * plaintext password is correct by trying to bind 52 * to the LDAP server 53 * 54 * @param string $user 55 * @param string $pass 56 * @return bool 57 * @author Andreas Gohr <andi@splitbrain.org> 58 */ 59 public function checkPass($user, $pass) 60 { 61 // reject empty password 62 if (empty($pass)) return false; 63 if (!$this->openLDAP()) return false; 64 65 // indirect user bind 66 if ($this->getConf('binddn') && $this->getConf('bindpw')) { 67 // use superuser credentials 68 if (!@ldap_bind($this->con, $this->getConf('binddn'), conf_decodeString($this->getConf('bindpw')))) { 69 $this->debug('LDAP bind as superuser: ' . hsc(ldap_error($this->con)), 0, __LINE__, __FILE__); 70 return false; 71 } 72 $this->bound = 2; 73 } elseif ( 74 $this->getConf('binddn') && 75 $this->getConf('usertree') && 76 $this->getConf('userfilter') 77 ) { 78 // special bind string 79 $dn = $this->makeFilter( 80 $this->getConf('binddn'), 81 ['user' => $user, 'server' => $this->getConf('server')] 82 ); 83 } elseif (strpos($this->getConf('usertree'), '%{user}')) { 84 // direct user bind 85 $dn = $this->makeFilter( 86 $this->getConf('usertree'), 87 ['user' => $user, 'server' => $this->getConf('server')] 88 ); 89 } elseif (!@ldap_bind($this->con)) { 90 // Anonymous bind 91 msg("LDAP: can not bind anonymously", -1); 92 $this->debug('LDAP anonymous bind: ' . hsc(ldap_error($this->con)), 0, __LINE__, __FILE__); 93 return false; 94 } 95 96 // Try to bind to with the dn if we have one. 97 if (!empty($dn)) { 98 // User/Password bind 99 if (!@ldap_bind($this->con, $dn, $pass)) { 100 $this->debug("LDAP: bind with $dn failed", -1, __LINE__, __FILE__); 101 $this->debug('LDAP user dn bind: ' . hsc(ldap_error($this->con)), 0, __LINE__, __FILE__); 102 return false; 103 } 104 $this->bound = 1; 105 return true; 106 } else { 107 // See if we can find the user 108 $info = $this->fetchUserData($user, true); 109 if (empty($info['dn'])) { 110 return false; 111 } else { 112 $dn = $info['dn']; 113 } 114 115 // Try to bind with the dn provided 116 if (!@ldap_bind($this->con, $dn, $pass)) { 117 $this->debug("LDAP: bind with $dn failed", -1, __LINE__, __FILE__); 118 $this->debug('LDAP user bind: ' . hsc(ldap_error($this->con)), 0, __LINE__, __FILE__); 119 return false; 120 } 121 $this->bound = 1; 122 return true; 123 } 124 } 125 126 /** 127 * Return user info 128 * 129 * Returns info about the given user needs to contain 130 * at least these fields: 131 * 132 * name string full name of the user 133 * mail string email addres of the user 134 * grps array list of groups the user is in 135 * 136 * This LDAP specific function returns the following 137 * addional fields: 138 * 139 * dn string distinguished name (DN) 140 * uid string Posix User ID 141 * inbind bool for internal use - avoid loop in binding 142 * 143 * @param string $user 144 * @param bool $requireGroups (optional) - ignored, groups are always supplied by this plugin 145 * @return array containing user data or false 146 * @author <evaldas.auryla@pheur.org> 147 * @author Stephane Chazelas <stephane.chazelas@emerson.com> 148 * @author Steffen Schoch <schoch@dsb.net> 149 * 150 * @author Andreas Gohr <andi@splitbrain.org> 151 * @author Trouble 152 * @author Dan Allen <dan.j.allen@gmail.com> 153 */ 154 public function getUserData($user, $requireGroups = true) 155 { 156 return $this->fetchUserData($user); 157 } 158 159 /** 160 * @param string $user 161 * @param bool $inbind authldap specific, true if in bind phase 162 * @return array containing user data or false 163 */ 164 protected function fetchUserData($user, $inbind = false) 165 { 166 global $conf; 167 if (!$this->openLDAP()) return []; 168 169 // force superuser bind if wanted and not bound as superuser yet 170 if ($this->getConf('binddn') && $this->getConf('bindpw') && $this->bound < 2) { 171 // use superuser credentials 172 if (!@ldap_bind($this->con, $this->getConf('binddn'), conf_decodeString($this->getConf('bindpw')))) { 173 $this->debug('LDAP bind as superuser: ' . hsc(ldap_error($this->con)), 0, __LINE__, __FILE__); 174 return []; 175 } 176 $this->bound = 2; 177 } elseif ($this->bound == 0 && !$inbind) { 178 // in some cases getUserData is called outside the authentication workflow 179 // eg. for sending email notification on subscribed pages. This data might not 180 // be accessible anonymously, so we try to rebind the current user here 181 [$loginuser, $loginsticky, $loginpass] = auth_getCookie(); 182 if ($loginuser && $loginpass) { 183 $loginpass = auth_decrypt($loginpass, auth_cookiesalt(!$loginsticky, true)); 184 $this->checkPass($loginuser, $loginpass); 185 } 186 } 187 188 $info = []; 189 $info['user'] = $user; 190 $this->debug('LDAP user to find: ' . hsc($info['user']), 0, __LINE__, __FILE__); 191 192 $info['server'] = $this->getConf('server'); 193 $this->debug('LDAP Server: ' . hsc($info['server']), 0, __LINE__, __FILE__); 194 195 //get info for given user 196 $base = $this->makeFilter($this->getConf('usertree'), $info); 197 if ($this->getConf('userfilter')) { 198 $filter = $this->makeFilter($this->getConf('userfilter'), $info); 199 } else { 200 $filter = "(ObjectClass=*)"; 201 } 202 203 $this->debug('LDAP Filter: ' . hsc($filter), 0, __LINE__, __FILE__); 204 205 $this->debug('LDAP search at: ' . hsc($base . ' ' . $filter), 0, __LINE__, __FILE__); 206 $sr = $this->ldapSearch($this->con, $base, $filter, $this->getConf('userscope'), $this->getConf('attributes')); 207 $this->debug('LDAP user search: ' . hsc(ldap_error($this->con)), 0, __LINE__, __FILE__); 208 if ($sr === false) { 209 $this->debug('User ldap_search failed. Check configuration.', 0, __LINE__, __FILE__); 210 return false; 211 } 212 213 $result = @ldap_get_entries($this->con, $sr); 214 215 // if result is not an array 216 if (!is_array($result)) { 217 // no objects found 218 $this->debug('LDAP search returned non-array result: ' . hsc(print($result)), -1, __LINE__, __FILE__); 219 return []; 220 } 221 222 // Don't accept more or less than one response 223 if ($result['count'] != 1) { 224 $this->debug( 225 'LDAP search returned ' . hsc($result['count']) . ' results while it should return 1!', 226 -1, 227 __LINE__, 228 __FILE__ 229 ); 230 //for($i = 0; $i < $result["count"]; $i++) { 231 //$this->_debug('result: '.hsc(print_r($result[$i])), 0, __LINE__, __FILE__); 232 //} 233 return []; 234 } 235 236 $this->debug('LDAP search found single result !', 0, __LINE__, __FILE__); 237 238 $user_result = $result[0]; 239 ldap_free_result($sr); 240 241 // general user info 242 $info['dn'] = $user_result['dn']; 243 $info['gid'] = $user_result['gidnumber'][0] ?? null; 244 $info['mail'] = $user_result['mail'][0]; 245 $info['name'] = $user_result['cn'][0]; 246 $info['grps'] = []; 247 248 // overwrite if other attribs are specified. 249 if (is_array($this->getConf('mapping'))) { 250 foreach ($this->getConf('mapping') as $localkey => $key) { 251 if (is_array($key)) { 252 // use regexp to clean up user_result 253 // $key = array($key=>$regexp), only handles the first key-value 254 $regexp = current($key); 255 $key = key($key); 256 if (is_array($user_result[$key] ?? null)) foreach ($user_result[$key] as $grpkey => $grp) { 257 if ($grpkey !== 'count' && preg_match($regexp, $grp, $match)) { 258 if ($localkey == 'grps') { 259 $info[$localkey][] = $match[1]; 260 } else { 261 $info[$localkey] = $match[1]; 262 } 263 } 264 } 265 } else { 266 $info[$localkey] = $user_result[$key][0]; 267 } 268 } 269 } 270 $user_result = array_merge($info, $user_result); 271 272 //get groups for given user if grouptree is given 273 if ($this->getConf('grouptree') || $this->getConf('groupfilter')) { 274 $base = $this->makeFilter($this->getConf('grouptree'), $user_result); 275 $filter = $this->makeFilter($this->getConf('groupfilter'), $user_result); 276 $sr = $this->ldapSearch( 277 $this->con, 278 $base, 279 $filter, 280 $this->getConf('groupscope'), 281 [$this->getConf('groupkey')] 282 ); 283 $this->debug('LDAP group search: ' . hsc(ldap_error($this->con)), 0, __LINE__, __FILE__); 284 $this->debug('LDAP search at: ' . hsc($base . ' ' . $filter), 0, __LINE__, __FILE__); 285 286 if (!$sr) { 287 msg("LDAP: Reading group memberships failed", -1); 288 return []; 289 } 290 $result = ldap_get_entries($this->con, $sr); 291 ldap_free_result($sr); 292 293 if (is_array($result)) foreach ($result as $grp) { 294 if (!empty($grp[$this->getConf('groupkey')])) { 295 $group = $grp[$this->getConf('groupkey')]; 296 if (is_array($group)) { 297 $group = $group[0]; 298 } else { 299 $this->debug('groupkey did not return a detailled result', 0, __LINE__, __FILE__); 300 } 301 if ($group === '') continue; 302 303 $this->debug('LDAP usergroup: ' . hsc($group), 0, __LINE__, __FILE__); 304 $info['grps'][] = $group; 305 } 306 } 307 } 308 309 // always add the default group to the list of groups 310 if (!$info['grps'] || !in_array($conf['defaultgroup'], $info['grps'])) { 311 $info['grps'][] = $conf['defaultgroup']; 312 } 313 return $info; 314 } 315 316 /** 317 * Definition of the function modifyUser in order to modify the password 318 * 319 * @param string $user nick of the user to be changed 320 * @param array $changes array of field/value pairs to be changed (password will be clear text) 321 * @return bool true on success, false on error 322 */ 323 public function modifyUser($user, $changes) 324 { 325 326 // open the connection to the ldap 327 if (!$this->openLDAP()) { 328 $this->debug('LDAP cannot connect: ' . hsc(ldap_error($this->con)), 0, __LINE__, __FILE__); 329 return false; 330 } 331 332 // find the information about the user, in particular the "dn" 333 $info = $this->getUserData($user, true); 334 if (empty($info['dn'])) { 335 $this->debug('LDAP cannot find your user dn', 0, __LINE__, __FILE__); 336 return false; 337 } 338 $dn = $info['dn']; 339 340 // find the old password of the user 341 [$loginuser, $loginsticky, $loginpass] = auth_getCookie(); 342 if ($loginuser !== null) { // the user is currently logged in 343 $secret = auth_cookiesalt(!$loginsticky, true); 344 $pass = auth_decrypt($loginpass, $secret); 345 346 // bind with the ldap 347 if (!@ldap_bind($this->con, $dn, $pass)) { 348 $this->debug( 349 'LDAP user bind failed: ' . hsc($dn) . ': ' . hsc(ldap_error($this->con)), 350 0, 351 __LINE__, 352 __FILE__ 353 ); 354 return false; 355 } 356 } elseif ($this->getConf('binddn') && $this->getConf('bindpw')) { 357 // we are changing the password on behalf of the user (eg: forgotten password) 358 // bind with the superuser ldap 359 if (!@ldap_bind($this->con, $this->getConf('binddn'), conf_decodeString($this->getConf('bindpw')))) { 360 $this->debug('LDAP bind as superuser: ' . hsc(ldap_error($this->con)), 0, __LINE__, __FILE__); 361 return false; 362 } 363 } else { 364 return false; // no otherway 365 } 366 367 // Generate the salted hashed password for LDAP 368 if ($this->getConf('modPassPlain')) { 369 $hash = $changes['pass']; 370 } else { 371 $phash = new PassHash(); 372 $hash = $phash->hash_ssha($changes['pass']); 373 } 374 375 // change the password 376 if (!@ldap_mod_replace($this->con, $dn, ['userpassword' => $hash])) { 377 $this->debug( 378 'LDAP mod replace failed: ' . hsc($dn) . ': ' . hsc(ldap_error($this->con)), 379 0, 380 __LINE__, 381 __FILE__ 382 ); 383 return false; 384 } 385 386 return true; 387 } 388 389 /** 390 * Most values in LDAP are case-insensitive 391 * 392 * @return bool 393 */ 394 public function isCaseSensitive() 395 { 396 return false; 397 } 398 399 /** 400 * Bulk retrieval of user data 401 * 402 * @param int $start index of first user to be returned 403 * @param int $limit max number of users to be returned 404 * @param array $filter array of field/pattern pairs, null for no filter 405 * @return array of userinfo (refer getUserData for internal userinfo details) 406 * @author Dominik Eckelmann <dokuwiki@cosmocode.de> 407 */ 408 public function retrieveUsers($start = 0, $limit = 0, $filter = []) 409 { 410 if (!$this->openLDAP()) return []; 411 412 if (is_null($this->users)) { 413 // Perform the search and grab all their details 414 if ($this->getConf('userfilter')) { 415 $all_filter = str_replace('%{user}', '*', $this->getConf('userfilter')); 416 } else { 417 $all_filter = "(ObjectClass=*)"; 418 } 419 $sr = ldap_search($this->con, $this->getConf('usertree'), $all_filter); 420 $entries = ldap_get_entries($this->con, $sr); 421 $users_array = []; 422 $userkey = $this->getConf('userkey'); 423 for ($i = 0; $i < $entries["count"]; $i++) { 424 $users_array[] = $entries[$i][$userkey][0]; 425 } 426 Sort::asort($users_array); 427 $result = $users_array; 428 if (!$result) return []; 429 $this->users = array_fill_keys($result, false); 430 } 431 $i = 0; 432 $count = 0; 433 $this->constructPattern($filter); 434 $result = []; 435 436 foreach ($this->users as $user => &$info) { 437 if ($i++ < $start) { 438 continue; 439 } 440 if ($info === false) { 441 $info = $this->getUserData($user); 442 } 443 if ($this->filter($user, $info)) { 444 $result[$user] = $info; 445 if (($limit > 0) && (++$count >= $limit)) break; 446 } 447 } 448 return $result; 449 } 450 451 /** 452 * Make LDAP filter strings. 453 * 454 * Used by auth_getUserData to make the filter 455 * strings for grouptree and groupfilter 456 * 457 * @param string $filter ldap search filter with placeholders 458 * @param array $placeholders placeholders to fill in 459 * @return string 460 * @author Troels Liebe Bentsen <tlb@rapanden.dk> 461 */ 462 protected function makeFilter($filter, $placeholders) 463 { 464 preg_match_all("/%{([^}]+)/", $filter, $matches, PREG_PATTERN_ORDER); 465 //replace each match 466 foreach ($matches[1] as $match) { 467 //take first element if array 468 if (is_array($placeholders[$match])) { 469 $value = $placeholders[$match][0]; 470 } else { 471 $value = $placeholders[$match]; 472 } 473 $value = $this->filterEscape($value); 474 $filter = str_replace('%{' . $match . '}', $value, $filter); 475 } 476 return $filter; 477 } 478 479 /** 480 * return true if $user + $info match $filter criteria, false otherwise 481 * 482 * @param string $user the user's login name 483 * @param array $info the user's userinfo array 484 * @return bool 485 * @author Chris Smith <chris@jalakai.co.uk> 486 * 487 */ 488 protected function filter($user, $info) 489 { 490 foreach ($this->pattern as $item => $pattern) { 491 if ($item == 'user') { 492 if (!preg_match($pattern, $user)) return false; 493 } elseif ($item == 'grps') { 494 if (!count(preg_grep($pattern, $info['grps']))) return false; 495 } elseif (!preg_match($pattern, $info[$item])) { 496 return false; 497 } 498 } 499 return true; 500 } 501 502 /** 503 * Set the filter pattern 504 * 505 * @param $filter 506 * @return void 507 * @author Chris Smith <chris@jalakai.co.uk> 508 * 509 */ 510 protected function constructPattern($filter) 511 { 512 $this->pattern = []; 513 foreach ($filter as $item => $pattern) { 514 $this->pattern[$item] = '/' . str_replace('/', '\/', $pattern) . '/i'; // allow regex characters 515 } 516 } 517 518 /** 519 * Escape a string to be used in a LDAP filter 520 * 521 * Ported from Perl's Net::LDAP::Util escape_filter_value 522 * 523 * @param string $string 524 * @return string 525 * @author Andreas Gohr 526 */ 527 protected function filterEscape($string) 528 { 529 // see https://github.com/adldap/adLDAP/issues/22 530 return preg_replace_callback( 531 '/([\x00-\x1F\*\(\)\\\\])/', 532 static fn($matches) => "\\" . implode("", unpack("H2", $matches[1])), 533 $string 534 ); 535 } 536 537 /** 538 * Opens a connection to the configured LDAP server and sets the wanted 539 * option on the connection 540 * 541 * @author Andreas Gohr <andi@splitbrain.org> 542 */ 543 protected function openLDAP() 544 { 545 if ($this->con) return true; // connection already established 546 547 if ($this->getConf('debug')) { 548 ldap_set_option(null, LDAP_OPT_DEBUG_LEVEL, 7); 549 } 550 551 $this->bound = 0; 552 553 $port = $this->getConf('port'); 554 $bound = false; 555 $servers = explode(',', $this->getConf('server')); 556 foreach ($servers as $server) { 557 $server = trim($server); 558 if (str_starts_with($server, 'ldap://') || str_starts_with($server, 'ldaps://')) { 559 $this->con = @ldap_connect($server); 560 } else { 561 $this->con = @ldap_connect($server, $port); 562 } 563 if (!$this->con) { 564 continue; 565 } 566 567 /* 568 * When OpenLDAP 2.x.x is used, ldap_connect() will always return a resource as it does 569 * not actually connect but just initializes the connecting parameters. The actual 570 * connect happens with the next calls to ldap_* funcs, usually with ldap_bind(). 571 * 572 * So we should try to bind to server in order to check its availability. 573 */ 574 575 //set protocol version and dependend options 576 if ($this->getConf('version')) { 577 if ( 578 !@ldap_set_option( 579 $this->con, 580 LDAP_OPT_PROTOCOL_VERSION, 581 $this->getConf('version') 582 ) 583 ) { 584 msg('Setting LDAP Protocol version ' . $this->getConf('version') . ' failed', -1); 585 $this->debug('LDAP version set: ' . hsc(ldap_error($this->con)), 0, __LINE__, __FILE__); 586 } else { 587 //use TLS (needs version 3) 588 if ($this->getConf('starttls')) { 589 if (!@ldap_start_tls($this->con)) { 590 msg('Starting TLS failed', -1); 591 $this->debug('LDAP TLS set: ' . hsc(ldap_error($this->con)), 0, __LINE__, __FILE__); 592 } 593 } 594 // needs version 3 595 if ($this->getConf('referrals') > -1) { 596 if ( 597 !@ldap_set_option( 598 $this->con, 599 LDAP_OPT_REFERRALS, 600 $this->getConf('referrals') 601 ) 602 ) { 603 msg('Setting LDAP referrals failed', -1); 604 $this->debug('LDAP referal set: ' . hsc(ldap_error($this->con)), 0, __LINE__, __FILE__); 605 } 606 } 607 } 608 } 609 610 //set deref mode 611 if ($this->getConf('deref')) { 612 if (!@ldap_set_option($this->con, LDAP_OPT_DEREF, $this->getConf('deref'))) { 613 msg('Setting LDAP Deref mode ' . $this->getConf('deref') . ' failed', -1); 614 $this->debug('LDAP deref set: ' . hsc(ldap_error($this->con)), 0, __LINE__, __FILE__); 615 } 616 } 617 /* As of PHP 5.3.0 we can set timeout to speedup skipping of invalid servers */ 618 if (defined('LDAP_OPT_NETWORK_TIMEOUT')) { 619 ldap_set_option($this->con, LDAP_OPT_NETWORK_TIMEOUT, 1); 620 } 621 622 if ($this->getConf('binddn') && $this->getConf('bindpw')) { 623 $bound = @ldap_bind($this->con, $this->getConf('binddn'), conf_decodeString($this->getConf('bindpw'))); 624 $this->bound = 2; 625 } else { 626 $bound = @ldap_bind($this->con); 627 } 628 if ($bound) { 629 break; 630 } 631 } 632 633 if (!$bound) { 634 msg("LDAP: couldn't connect to LDAP server", -1); 635 $this->debug(ldap_error($this->con), 0, __LINE__, __FILE__); 636 return false; 637 } 638 639 $this->cando['getUsers'] = true; 640 return true; 641 } 642 643 /** 644 * Wraps around ldap_search, ldap_list or ldap_read depending on $scope 645 * 646 * @param resource $link_identifier 647 * @param string $base_dn 648 * @param string $filter 649 * @param string $scope can be 'base', 'one' or 'sub' 650 * @param null|array $attributes 651 * @param int $attrsonly 652 * @param int $sizelimit 653 * @return resource 654 * @author Andreas Gohr <andi@splitbrain.org> 655 */ 656 protected function ldapSearch( 657 $link_identifier, 658 $base_dn, 659 $filter, 660 $scope = 'sub', 661 $attributes = null, 662 $attrsonly = 0, 663 $sizelimit = 0 664 ) { 665 if (is_null($attributes)) $attributes = []; 666 667 if ($scope == 'base') { 668 return @ldap_read( 669 $link_identifier, 670 $base_dn, 671 $filter, 672 $attributes, 673 $attrsonly, 674 $sizelimit 675 ); 676 } elseif ($scope == 'one') { 677 return @ldap_list( 678 $link_identifier, 679 $base_dn, 680 $filter, 681 $attributes, 682 $attrsonly, 683 $sizelimit 684 ); 685 } else { 686 return @ldap_search( 687 $link_identifier, 688 $base_dn, 689 $filter, 690 $attributes, 691 $attrsonly, 692 $sizelimit 693 ); 694 } 695 } 696 697 /** 698 * Wrapper around msg() but outputs only when debug is enabled 699 * 700 * @param string $message 701 * @param int $err 702 * @param int $line 703 * @param string $file 704 * @return void 705 */ 706 protected function debug($message, $err, $line, $file) 707 { 708 if (!$this->getConf('debug')) return; 709 msg($message, $err, $line, $file); 710 } 711} 712