1f4476bd9SJan Schumann<?php 2f4476bd9SJan Schumann// must be run within Dokuwiki 3f4476bd9SJan Schumannif(!defined('DOKU_INC')) die(); 4f4476bd9SJan Schumann 532fd494aSAndreas Gohrrequire_once(DOKU_PLUGIN.'authad/adLDAP/adLDAP.php'); 632fd494aSAndreas Gohr 7f4476bd9SJan Schumann/** 8f4476bd9SJan Schumann * Active Directory authentication backend for DokuWiki 9f4476bd9SJan Schumann * 10f4476bd9SJan Schumann * This makes authentication with a Active Directory server much easier 11f4476bd9SJan Schumann * than when using the normal LDAP backend by utilizing the adLDAP library 12f4476bd9SJan Schumann * 13f4476bd9SJan Schumann * Usage: 14f4476bd9SJan Schumann * Set DokuWiki's local.protected.php auth setting to read 15f4476bd9SJan Schumann * 16f4476bd9SJan Schumann * $conf['authtype'] = 'authad'; 17f4476bd9SJan Schumann * 1832fd494aSAndreas Gohr * $conf['plugin']['authad']['account_suffix'] = '@my.domain.org'; 1932fd494aSAndreas Gohr * $conf['plugin']['authad']['base_dn'] = 'DC=my,DC=domain,DC=org'; 2032fd494aSAndreas Gohr * $conf['plugin']['authad']['domain_controllers'] = 'srv1.domain.org,srv2.domain.org'; 21f4476bd9SJan Schumann * 22f4476bd9SJan Schumann * //optional: 2332fd494aSAndreas Gohr * $conf['plugin']['authad']['sso'] = 1; 243002d731SAndreas Gohr * $conf['plugin']['authad']['admin_username'] = 'root'; 253002d731SAndreas Gohr * $conf['plugin']['authad']['admin_password'] = 'pass'; 2632fd494aSAndreas Gohr * $conf['plugin']['authad']['real_primarygroup'] = 1; 2732fd494aSAndreas Gohr * $conf['plugin']['authad']['use_ssl'] = 1; 2832fd494aSAndreas Gohr * $conf['plugin']['authad']['use_tls'] = 1; 2932fd494aSAndreas Gohr * $conf['plugin']['authad']['debug'] = 1; 3093a7873eSAndreas Gohr * // warn user about expiring password this many days in advance: 3132fd494aSAndreas Gohr * $conf['plugin']['authad']['expirywarn'] = 5; 32f4476bd9SJan Schumann * 33f4476bd9SJan Schumann * // get additional information to the userinfo array 34f4476bd9SJan Schumann * // add a list of comma separated ldap contact fields. 35f4476bd9SJan Schumann * $conf['plugin']['authad']['additional'] = 'field1,field2'; 36f4476bd9SJan Schumann * 37f4476bd9SJan Schumann * @license GPL 2 (http://www.gnu.org/licenses/gpl.html) 38f4476bd9SJan Schumann * @author James Van Lommel <jamesvl@gmail.com> 39f4476bd9SJan Schumann * @link http://www.nosq.com/blog/2005/08/ldap-activedirectory-and-dokuwiki/ 40f4476bd9SJan Schumann * @author Andreas Gohr <andi@splitbrain.org> 41f4476bd9SJan Schumann * @author Jan Schumann <js@schumann-it.com> 42f4476bd9SJan Schumann */ 4393a7873eSAndreas Gohrclass auth_plugin_authad extends DokuWiki_Auth_Plugin { 4432fd494aSAndreas Gohr 4593a7873eSAndreas Gohr /** 4693a7873eSAndreas Gohr * @var array hold connection data for a specific AD domain 4793a7873eSAndreas Gohr */ 4893a7873eSAndreas Gohr protected $opts = array(); 4932fd494aSAndreas Gohr 5093a7873eSAndreas Gohr /** 5193a7873eSAndreas Gohr * @var array open connections for each AD domain, as adLDAP objects 5293a7873eSAndreas Gohr */ 5393a7873eSAndreas Gohr protected $adldap = array(); 5493a7873eSAndreas Gohr 5593a7873eSAndreas Gohr /** 5693a7873eSAndreas Gohr * @var bool message state 5793a7873eSAndreas Gohr */ 5893a7873eSAndreas Gohr protected $msgshown = false; 5993a7873eSAndreas Gohr 6093a7873eSAndreas Gohr /** 6193a7873eSAndreas Gohr * @var array user listing cache 6293a7873eSAndreas Gohr */ 6393a7873eSAndreas Gohr protected $users = array(); 6493a7873eSAndreas Gohr 6593a7873eSAndreas Gohr /** 6693a7873eSAndreas Gohr * @var array filter patterns for listing users 6793a7873eSAndreas Gohr */ 6893a7873eSAndreas Gohr protected $_pattern = array(); 69f4476bd9SJan Schumann 70f4476bd9SJan Schumann /** 71f4476bd9SJan Schumann * Constructor 72f4476bd9SJan Schumann */ 7393a7873eSAndreas Gohr public function __construct() { 7400d58927SMichael Hamann global $INPUT; 75454d868bSAndreas Gohr parent::__construct(); 76454d868bSAndreas Gohr 7732fd494aSAndreas Gohr // we load the config early to modify it a bit here 7832fd494aSAndreas Gohr $this->loadConfig(); 79f4476bd9SJan Schumann 80f4476bd9SJan Schumann // additional information fields 8132fd494aSAndreas Gohr if(isset($this->conf['additional'])) { 8232fd494aSAndreas Gohr $this->conf['additional'] = str_replace(' ', '', $this->conf['additional']); 8332fd494aSAndreas Gohr $this->conf['additional'] = explode(',', $this->conf['additional']); 8432fd494aSAndreas Gohr } else $this->conf['additional'] = array(); 85f4476bd9SJan Schumann 86f4476bd9SJan Schumann // ldap extension is needed 87f4476bd9SJan Schumann if(!function_exists('ldap_connect')) { 8832fd494aSAndreas Gohr if($this->conf['debug']) 89f4476bd9SJan Schumann msg("AD Auth: PHP LDAP extension not found.", -1); 90f4476bd9SJan Schumann $this->success = false; 91f4476bd9SJan Schumann return; 92f4476bd9SJan Schumann } 93f4476bd9SJan Schumann 94f4476bd9SJan Schumann // Prepare SSO 9593a7873eSAndreas Gohr if(!utf8_check($_SERVER['REMOTE_USER'])) { 9693a7873eSAndreas Gohr $_SERVER['REMOTE_USER'] = utf8_encode($_SERVER['REMOTE_USER']); 9793a7873eSAndreas Gohr } 9832fd494aSAndreas Gohr if($_SERVER['REMOTE_USER'] && $this->conf['sso']) { 9993a7873eSAndreas Gohr $_SERVER['REMOTE_USER'] = $this->cleanUser($_SERVER['REMOTE_USER']); 100f4476bd9SJan Schumann 101f4476bd9SJan Schumann // we need to simulate a login 102f4476bd9SJan Schumann if(empty($_COOKIE[DOKU_COOKIE])) { 10300d58927SMichael Hamann $INPUT->set('u', $_SERVER['REMOTE_USER']); 10400d58927SMichael Hamann $INPUT->set('p', 'sso_only'); 105f4476bd9SJan Schumann } 106f4476bd9SJan Schumann } 107f4476bd9SJan Schumann 10893a7873eSAndreas Gohr // other can do's are changed in $this->_loadServerConfig() base on domain setup 109f4476bd9SJan Schumann $this->cando['modName'] = true; 110f4476bd9SJan Schumann $this->cando['modMail'] = true; 111f4476bd9SJan Schumann } 112f4476bd9SJan Schumann 113f4476bd9SJan Schumann /** 114a154806fSAndreas Gohr * Load domain config on capability check 115a154806fSAndreas Gohr * 116a154806fSAndreas Gohr * @param string $cap 117a154806fSAndreas Gohr * @return bool 118a154806fSAndreas Gohr */ 119a154806fSAndreas Gohr public function canDo($cap) { 120a154806fSAndreas Gohr //capabilities depend on config, which may change depending on domain 121a154806fSAndreas Gohr $domain = $this->_userDomain($_SERVER['REMOTE_USER']); 122a154806fSAndreas Gohr $this->_loadServerConfig($domain); 123a154806fSAndreas Gohr return parent::canDo($cap); 124a154806fSAndreas Gohr } 125a154806fSAndreas Gohr 126a154806fSAndreas Gohr /** 127f4476bd9SJan Schumann * Check user+password [required auth function] 128f4476bd9SJan Schumann * 129f4476bd9SJan Schumann * Checks if the given user exists and the given 130f4476bd9SJan Schumann * plaintext password is correct by trying to bind 131f4476bd9SJan Schumann * to the LDAP server 132f4476bd9SJan Schumann * 133f4476bd9SJan Schumann * @author James Van Lommel <james@nosq.com> 13493a7873eSAndreas Gohr * @param string $user 13593a7873eSAndreas Gohr * @param string $pass 136f4476bd9SJan Schumann * @return bool 137f4476bd9SJan Schumann */ 13893a7873eSAndreas Gohr public function checkPass($user, $pass) { 139f4476bd9SJan Schumann if($_SERVER['REMOTE_USER'] && 140f4476bd9SJan Schumann $_SERVER['REMOTE_USER'] == $user && 14132fd494aSAndreas Gohr $this->conf['sso'] 14293a7873eSAndreas Gohr ) return true; 143f4476bd9SJan Schumann 14493a7873eSAndreas Gohr $adldap = $this->_adldap($this->_userDomain($user)); 14593a7873eSAndreas Gohr if(!$adldap) return false; 14693a7873eSAndreas Gohr 14793a7873eSAndreas Gohr return $adldap->authenticate($this->_userName($user), $pass); 148f4476bd9SJan Schumann } 149f4476bd9SJan Schumann 150f4476bd9SJan Schumann /** 151f4476bd9SJan Schumann * Return user info [required auth function] 152f4476bd9SJan Schumann * 153f4476bd9SJan Schumann * Returns info about the given user needs to contain 154f4476bd9SJan Schumann * at least these fields: 155f4476bd9SJan Schumann * 156f4476bd9SJan Schumann * name string full name of the user 157f4476bd9SJan Schumann * mail string email address of the user 158f4476bd9SJan Schumann * grps array list of groups the user is in 159f4476bd9SJan Schumann * 16093a7873eSAndreas Gohr * This AD specific function returns the following 161f4476bd9SJan Schumann * addional fields: 162f4476bd9SJan Schumann * 163f4476bd9SJan Schumann * dn string distinguished name (DN) 16493a7873eSAndreas Gohr * uid string samaccountname 16593a7873eSAndreas Gohr * lastpwd int timestamp of the date when the password was set 16693a7873eSAndreas Gohr * expires true if the password expires 16793a7873eSAndreas Gohr * expiresin int seconds until the password expires 16893a7873eSAndreas Gohr * any fields specified in the 'additional' config option 169f4476bd9SJan Schumann * 170f4476bd9SJan Schumann * @author James Van Lommel <james@nosq.com> 17193a7873eSAndreas Gohr * @param string $user 17293a7873eSAndreas Gohr * @return array 173f4476bd9SJan Schumann */ 17493a7873eSAndreas Gohr public function getUserData($user) { 175f4476bd9SJan Schumann global $conf; 17693a7873eSAndreas Gohr global $lang; 17793a7873eSAndreas Gohr global $ID; 17893a7873eSAndreas Gohr $adldap = $this->_adldap($this->_userDomain($user)); 17993a7873eSAndreas Gohr if(!$adldap) return false; 180f4476bd9SJan Schumann 18193a7873eSAndreas Gohr if($user == '') return array(); 18293a7873eSAndreas Gohr 18393a7873eSAndreas Gohr $fields = array('mail', 'displayname', 'samaccountname', 'lastpwd', 'pwdlastset', 'useraccountcontrol'); 184f4476bd9SJan Schumann 185f4476bd9SJan Schumann // add additional fields to read 18632fd494aSAndreas Gohr $fields = array_merge($fields, $this->conf['additional']); 187f4476bd9SJan Schumann $fields = array_unique($fields); 18814642325SAndreas Gohr $fields = array_filter($fields); 189f4476bd9SJan Schumann 190f4476bd9SJan Schumann //get info for given user 19132fd494aSAndreas Gohr $result = $adldap->user()->info($this->_userName($user), $fields); 19293a7873eSAndreas Gohr if($result == false){ 19393a7873eSAndreas Gohr return array(); 19493a7873eSAndreas Gohr } 19593a7873eSAndreas Gohr 196f4476bd9SJan Schumann //general user info 197f4476bd9SJan Schumann $info['name'] = $result[0]['displayname'][0]; 198f4476bd9SJan Schumann $info['mail'] = $result[0]['mail'][0]; 199f4476bd9SJan Schumann $info['uid'] = $result[0]['samaccountname'][0]; 200f4476bd9SJan Schumann $info['dn'] = $result[0]['dn']; 20193a7873eSAndreas Gohr //last password set (Windows counts from January 1st 1601) 20293a7873eSAndreas Gohr $info['lastpwd'] = $result[0]['pwdlastset'][0] / 10000000 - 11644473600; 20393a7873eSAndreas Gohr //will it expire? 20493a7873eSAndreas Gohr $info['expires'] = !($result[0]['useraccountcontrol'][0] & 0x10000); //ADS_UF_DONT_EXPIRE_PASSWD 205f4476bd9SJan Schumann 206f4476bd9SJan Schumann // additional information 20732fd494aSAndreas Gohr foreach($this->conf['additional'] as $field) { 208f4476bd9SJan Schumann if(isset($result[0][strtolower($field)])) { 209f4476bd9SJan Schumann $info[$field] = $result[0][strtolower($field)][0]; 210f4476bd9SJan Schumann } 211f4476bd9SJan Schumann } 212f4476bd9SJan Schumann 213f4476bd9SJan Schumann // handle ActiveDirectory memberOf 21432fd494aSAndreas Gohr $info['grps'] = $adldap->user()->groups($this->_userName($user),(bool) $this->opts['recursive_groups']); 215f4476bd9SJan Schumann 216f4476bd9SJan Schumann if(is_array($info['grps'])) { 217f4476bd9SJan Schumann foreach($info['grps'] as $ndx => $group) { 218f4476bd9SJan Schumann $info['grps'][$ndx] = $this->cleanGroup($group); 219f4476bd9SJan Schumann } 220f4476bd9SJan Schumann } 221f4476bd9SJan Schumann 222f4476bd9SJan Schumann // always add the default group to the list of groups 223f4476bd9SJan Schumann if(!is_array($info['grps']) || !in_array($conf['defaultgroup'], $info['grps'])) { 224f4476bd9SJan Schumann $info['grps'][] = $conf['defaultgroup']; 225f4476bd9SJan Schumann } 226f4476bd9SJan Schumann 22793a7873eSAndreas Gohr // add the user's domain to the groups 22893a7873eSAndreas Gohr $domain = $this->_userDomain($user); 22993a7873eSAndreas Gohr if($domain && !in_array("domain-$domain", (array) $info['grps'])) { 23093a7873eSAndreas Gohr $info['grps'][] = $this->cleanGroup("domain-$domain"); 23193a7873eSAndreas Gohr } 23293a7873eSAndreas Gohr 23393a7873eSAndreas Gohr // check expiry time 23432fd494aSAndreas Gohr if($info['expires'] && $this->conf['expirywarn']){ 2351e52e72aSAndreas Gohr $expiry = $adldap->user()->passwordExpiry($user); 2361e52e72aSAndreas Gohr if(is_array($expiry)){ 2371e52e72aSAndreas Gohr $info['expiresat'] = $expiry['expiryts']; 2381e52e72aSAndreas Gohr $info['expiresin'] = round(($info['expiresat'] - time())/(24*60*60)); 23993a7873eSAndreas Gohr 24093a7873eSAndreas Gohr // if this is the current user, warn him (once per request only) 24193a7873eSAndreas Gohr if(($_SERVER['REMOTE_USER'] == $user) && 2421e52e72aSAndreas Gohr ($info['expiresin'] <= $this->conf['expirywarn']) && 24393a7873eSAndreas Gohr !$this->msgshown 24493a7873eSAndreas Gohr ) { 2451e52e72aSAndreas Gohr $msg = sprintf($lang['authpwdexpire'], $info['expiresin']); 24693a7873eSAndreas Gohr if($this->canDo('modPass')) { 24793a7873eSAndreas Gohr $url = wl($ID, array('do'=> 'profile')); 24893a7873eSAndreas Gohr $msg .= ' <a href="'.$url.'">'.$lang['btn_profile'].'</a>'; 24993a7873eSAndreas Gohr } 25093a7873eSAndreas Gohr msg($msg); 25193a7873eSAndreas Gohr $this->msgshown = true; 25293a7873eSAndreas Gohr } 25393a7873eSAndreas Gohr } 2541e52e72aSAndreas Gohr } 25593a7873eSAndreas Gohr 256f4476bd9SJan Schumann return $info; 257f4476bd9SJan Schumann } 258f4476bd9SJan Schumann 259f4476bd9SJan Schumann /** 260f4476bd9SJan Schumann * Make AD group names usable by DokuWiki. 261f4476bd9SJan Schumann * 262f4476bd9SJan Schumann * Removes backslashes ('\'), pound signs ('#'), and converts spaces to underscores. 263f4476bd9SJan Schumann * 264f4476bd9SJan Schumann * @author James Van Lommel (jamesvl@gmail.com) 26593a7873eSAndreas Gohr * @param string $group 26693a7873eSAndreas Gohr * @return string 267f4476bd9SJan Schumann */ 26893a7873eSAndreas Gohr public function cleanGroup($group) { 26993a7873eSAndreas Gohr $group = str_replace('\\', '', $group); 27093a7873eSAndreas Gohr $group = str_replace('#', '', $group); 27193a7873eSAndreas Gohr $group = preg_replace('[\s]', '_', $group); 27293a7873eSAndreas Gohr $group = utf8_strtolower(trim($group)); 27393a7873eSAndreas Gohr return $group; 274f4476bd9SJan Schumann } 275f4476bd9SJan Schumann 276f4476bd9SJan Schumann /** 277f4476bd9SJan Schumann * Sanitize user names 27893a7873eSAndreas Gohr * 27993a7873eSAndreas Gohr * Normalizes domain parts, does not modify the user name itself (unlike cleanGroup) 28093a7873eSAndreas Gohr * 28193a7873eSAndreas Gohr * @author Andreas Gohr <gohr@cosmocode.de> 28293a7873eSAndreas Gohr * @param string $user 28393a7873eSAndreas Gohr * @return string 284f4476bd9SJan Schumann */ 28593a7873eSAndreas Gohr public function cleanUser($user) { 28693a7873eSAndreas Gohr $domain = ''; 28793a7873eSAndreas Gohr 28893a7873eSAndreas Gohr // get NTLM or Kerberos domain part 28993a7873eSAndreas Gohr list($dom, $user) = explode('\\', $user, 2); 29093a7873eSAndreas Gohr if(!$user) $user = $dom; 29193a7873eSAndreas Gohr if($dom) $domain = $dom; 29293a7873eSAndreas Gohr list($user, $dom) = explode('@', $user, 2); 29393a7873eSAndreas Gohr if($dom) $domain = $dom; 29493a7873eSAndreas Gohr 29593a7873eSAndreas Gohr // clean up both 29693a7873eSAndreas Gohr $domain = utf8_strtolower(trim($domain)); 29793a7873eSAndreas Gohr $user = utf8_strtolower(trim($user)); 29893a7873eSAndreas Gohr 29993a7873eSAndreas Gohr // is this a known, valid domain? if not discard 30032fd494aSAndreas Gohr if(!is_array($this->conf[$domain])) { 30193a7873eSAndreas Gohr $domain = ''; 30293a7873eSAndreas Gohr } 30393a7873eSAndreas Gohr 30493a7873eSAndreas Gohr // reattach domain 30593a7873eSAndreas Gohr if($domain) $user = "$user@$domain"; 30693a7873eSAndreas Gohr return $user; 307f4476bd9SJan Schumann } 308f4476bd9SJan Schumann 309f4476bd9SJan Schumann /** 310f4476bd9SJan Schumann * Most values in LDAP are case-insensitive 31193a7873eSAndreas Gohr * 31293a7873eSAndreas Gohr * @return bool 313f4476bd9SJan Schumann */ 31493a7873eSAndreas Gohr public function isCaseSensitive() { 315f4476bd9SJan Schumann return false; 316f4476bd9SJan Schumann } 317f4476bd9SJan Schumann 318f4476bd9SJan Schumann /** 319f4476bd9SJan Schumann * Bulk retrieval of user data 320f4476bd9SJan Schumann * 321f4476bd9SJan Schumann * @author Dominik Eckelmann <dokuwiki@cosmocode.de> 32293a7873eSAndreas Gohr * @param int $start index of first user to be returned 32393a7873eSAndreas Gohr * @param int $limit max number of users to be returned 32493a7873eSAndreas Gohr * @param array $filter array of field/pattern pairs, null for no filter 32593a7873eSAndreas Gohr * @return array userinfo (refer getUserData for internal userinfo details) 326f4476bd9SJan Schumann */ 32793a7873eSAndreas Gohr public function retrieveUsers($start = 0, $limit = -1, $filter = array()) { 32893a7873eSAndreas Gohr $adldap = $this->_adldap(null); 32993a7873eSAndreas Gohr if(!$adldap) return false; 330f4476bd9SJan Schumann 331f4476bd9SJan Schumann if($this->users === null) { 332f4476bd9SJan Schumann //get info for given user 33332fd494aSAndreas Gohr $result = $adldap->user()->all(); 334f4476bd9SJan Schumann if (!$result) return array(); 335f4476bd9SJan Schumann $this->users = array_fill_keys($result, false); 336f4476bd9SJan Schumann } 337f4476bd9SJan Schumann 338f4476bd9SJan Schumann $i = 0; 339f4476bd9SJan Schumann $count = 0; 340f4476bd9SJan Schumann $this->_constructPattern($filter); 341f4476bd9SJan Schumann $result = array(); 342f4476bd9SJan Schumann 343f4476bd9SJan Schumann foreach($this->users as $user => &$info) { 344f4476bd9SJan Schumann if($i++ < $start) { 345f4476bd9SJan Schumann continue; 346f4476bd9SJan Schumann } 347f4476bd9SJan Schumann if($info === false) { 348f4476bd9SJan Schumann $info = $this->getUserData($user); 349f4476bd9SJan Schumann } 350f4476bd9SJan Schumann if($this->_filter($user, $info)) { 351f4476bd9SJan Schumann $result[$user] = $info; 352f4476bd9SJan Schumann if(($limit >= 0) && (++$count >= $limit)) break; 353f4476bd9SJan Schumann } 354f4476bd9SJan Schumann } 355f4476bd9SJan Schumann return $result; 356f4476bd9SJan Schumann } 357f4476bd9SJan Schumann 358f4476bd9SJan Schumann /** 359f4476bd9SJan Schumann * Modify user data 360f4476bd9SJan Schumann * 36193a7873eSAndreas Gohr * @param string $user nick of the user to be changed 36293a7873eSAndreas Gohr * @param array $changes array of field/value pairs to be changed 363f4476bd9SJan Schumann * @return bool 364f4476bd9SJan Schumann */ 36593a7873eSAndreas Gohr public function modifyUser($user, $changes) { 366f4476bd9SJan Schumann $return = true; 36793a7873eSAndreas Gohr $adldap = $this->_adldap($this->_userDomain($user)); 36893a7873eSAndreas Gohr if(!$adldap) return false; 369f4476bd9SJan Schumann 370f4476bd9SJan Schumann // password changing 371f4476bd9SJan Schumann if(isset($changes['pass'])) { 372f4476bd9SJan Schumann try { 37332fd494aSAndreas Gohr $return = $adldap->user()->password($this->_userName($user),$changes['pass']); 374f4476bd9SJan Schumann } catch (adLDAPException $e) { 37532fd494aSAndreas Gohr if ($this->conf['debug']) msg('AD Auth: '.$e->getMessage(), -1); 376f4476bd9SJan Schumann $return = false; 377f4476bd9SJan Schumann } 378f4476bd9SJan Schumann if(!$return) msg('AD Auth: failed to change the password. Maybe the password policy was not met?', -1); 379f4476bd9SJan Schumann } 380f4476bd9SJan Schumann 381f4476bd9SJan Schumann // changing user data 382f4476bd9SJan Schumann $adchanges = array(); 383f4476bd9SJan Schumann if(isset($changes['name'])) { 384f4476bd9SJan Schumann // get first and last name 385f4476bd9SJan Schumann $parts = explode(' ', $changes['name']); 386f4476bd9SJan Schumann $adchanges['surname'] = array_pop($parts); 387f4476bd9SJan Schumann $adchanges['firstname'] = join(' ', $parts); 388f4476bd9SJan Schumann $adchanges['display_name'] = $changes['name']; 389f4476bd9SJan Schumann } 390f4476bd9SJan Schumann if(isset($changes['mail'])) { 391f4476bd9SJan Schumann $adchanges['email'] = $changes['mail']; 392f4476bd9SJan Schumann } 393f4476bd9SJan Schumann if(count($adchanges)) { 394f4476bd9SJan Schumann try { 39532fd494aSAndreas Gohr $return = $return & $adldap->user()->modify($this->_userName($user),$adchanges); 396f4476bd9SJan Schumann } catch (adLDAPException $e) { 39732fd494aSAndreas Gohr if ($this->conf['debug']) msg('AD Auth: '.$e->getMessage(), -1); 398f4476bd9SJan Schumann $return = false; 399f4476bd9SJan Schumann } 400f4476bd9SJan Schumann } 401f4476bd9SJan Schumann 402f4476bd9SJan Schumann return $return; 403f4476bd9SJan Schumann } 404f4476bd9SJan Schumann 405f4476bd9SJan Schumann /** 406f4476bd9SJan Schumann * Initialize the AdLDAP library and connect to the server 40793a7873eSAndreas Gohr * 40893a7873eSAndreas Gohr * When you pass null as domain, it will reuse any existing domain. 40993a7873eSAndreas Gohr * Eg. the one of the logged in user. It falls back to the default 41093a7873eSAndreas Gohr * domain if no current one is available. 41193a7873eSAndreas Gohr * 41293a7873eSAndreas Gohr * @param string|null $domain The AD domain to use 41393a7873eSAndreas Gohr * @return adLDAP|bool true if a connection was established 414f4476bd9SJan Schumann */ 41593a7873eSAndreas Gohr protected function _adldap($domain) { 41693a7873eSAndreas Gohr if(is_null($domain) && is_array($this->opts)) { 41793a7873eSAndreas Gohr $domain = $this->opts['domain']; 41893a7873eSAndreas Gohr } 41993a7873eSAndreas Gohr 42093a7873eSAndreas Gohr $this->opts = $this->_loadServerConfig((string) $domain); 42193a7873eSAndreas Gohr if(isset($this->adldap[$domain])) return $this->adldap[$domain]; 422f4476bd9SJan Schumann 423f4476bd9SJan Schumann // connect 424f4476bd9SJan Schumann try { 42593a7873eSAndreas Gohr $this->adldap[$domain] = new adLDAP($this->opts); 42693a7873eSAndreas Gohr return $this->adldap[$domain]; 427f4476bd9SJan Schumann } catch(adLDAPException $e) { 42832fd494aSAndreas Gohr if($this->conf['debug']) { 429f4476bd9SJan Schumann msg('AD Auth: '.$e->getMessage(), -1); 430f4476bd9SJan Schumann } 431f4476bd9SJan Schumann $this->success = false; 43293a7873eSAndreas Gohr $this->adldap[$domain] = null; 433f4476bd9SJan Schumann } 434f4476bd9SJan Schumann return false; 435f4476bd9SJan Schumann } 436f4476bd9SJan Schumann 437f4476bd9SJan Schumann /** 43893a7873eSAndreas Gohr * Get the domain part from a user 439f4476bd9SJan Schumann * 44093a7873eSAndreas Gohr * @param $user 44193a7873eSAndreas Gohr * @return string 442f4476bd9SJan Schumann */ 44393a7873eSAndreas Gohr public function _userDomain($user) { 44493a7873eSAndreas Gohr list(, $domain) = explode('@', $user, 2); 44593a7873eSAndreas Gohr return $domain; 446f4476bd9SJan Schumann } 447f4476bd9SJan Schumann 44893a7873eSAndreas Gohr /** 44993a7873eSAndreas Gohr * Get the user part from a user 45093a7873eSAndreas Gohr * 45193a7873eSAndreas Gohr * @param $user 45293a7873eSAndreas Gohr * @return string 45393a7873eSAndreas Gohr */ 45493a7873eSAndreas Gohr public function _userName($user) { 45593a7873eSAndreas Gohr list($name) = explode('@', $user, 2); 45693a7873eSAndreas Gohr return $name; 45793a7873eSAndreas Gohr } 45893a7873eSAndreas Gohr 45993a7873eSAndreas Gohr /** 46093a7873eSAndreas Gohr * Fetch the configuration for the given AD domain 46193a7873eSAndreas Gohr * 46293a7873eSAndreas Gohr * @param string $domain current AD domain 46393a7873eSAndreas Gohr * @return array 46493a7873eSAndreas Gohr */ 46593a7873eSAndreas Gohr protected function _loadServerConfig($domain) { 46693a7873eSAndreas Gohr // prepare adLDAP standard configuration 46732fd494aSAndreas Gohr $opts = $this->conf; 46893a7873eSAndreas Gohr 46993a7873eSAndreas Gohr $opts['domain'] = $domain; 47093a7873eSAndreas Gohr 47193a7873eSAndreas Gohr // add possible domain specific configuration 47232fd494aSAndreas Gohr if($domain && is_array($this->conf[$domain])) foreach($this->conf[$domain] as $key => $val) { 47393a7873eSAndreas Gohr $opts[$key] = $val; 47493a7873eSAndreas Gohr } 47593a7873eSAndreas Gohr 47693a7873eSAndreas Gohr // handle multiple AD servers 47793a7873eSAndreas Gohr $opts['domain_controllers'] = explode(',', $opts['domain_controllers']); 47893a7873eSAndreas Gohr $opts['domain_controllers'] = array_map('trim', $opts['domain_controllers']); 47993a7873eSAndreas Gohr $opts['domain_controllers'] = array_filter($opts['domain_controllers']); 48093a7873eSAndreas Gohr 4818257d713SAndreas Gohr // compatibility with old option name 4828257d713SAndreas Gohr if(empty($opts['admin_username']) && !empty($opts['ad_username'])) $opts['admin_username'] = $opts['ad_username']; 4838257d713SAndreas Gohr if(empty($opts['admin_password']) && !empty($opts['ad_password'])) $opts['admin_password'] = $opts['ad_password']; 4848257d713SAndreas Gohr 48593a7873eSAndreas Gohr // we can change the password if SSL is set 48693a7873eSAndreas Gohr if($opts['use_ssl'] || $opts['use_tls']) { 48793a7873eSAndreas Gohr $this->cando['modPass'] = true; 48893a7873eSAndreas Gohr } else { 48993a7873eSAndreas Gohr $this->cando['modPass'] = false; 49093a7873eSAndreas Gohr } 49193a7873eSAndreas Gohr 492*12d195abSAndreas Gohr // adLDAP expects empty user/pass as NULL, we're less strict FS#2781 493*12d195abSAndreas Gohr if(empty($opts['admin_username'])) $opts['admin_username'] = null; 494*12d195abSAndreas Gohr if(empty($opts['admin_password'])) $opts['admin_password'] = null; 495*12d195abSAndreas Gohr 496*12d195abSAndreas Gohr // user listing needs admin priviledges 4978257d713SAndreas Gohr if(!empty($opts['admin_username']) && !empty($opts['admin_password'])) { 49893a7873eSAndreas Gohr $this->cando['getUsers'] = true; 49993a7873eSAndreas Gohr } else { 5001b228d28SKlap-in $this->cando['getUsers'] = false; 50193a7873eSAndreas Gohr } 50293a7873eSAndreas Gohr 50393a7873eSAndreas Gohr return $opts; 50493a7873eSAndreas Gohr } 50593a7873eSAndreas Gohr 50693a7873eSAndreas Gohr /** 50793a7873eSAndreas Gohr * Check provided user and userinfo for matching patterns 50893a7873eSAndreas Gohr * 50993a7873eSAndreas Gohr * The patterns are set up with $this->_constructPattern() 51093a7873eSAndreas Gohr * 51193a7873eSAndreas Gohr * @author Chris Smith <chris@jalakai.co.uk> 51293a7873eSAndreas Gohr * @param string $user 51393a7873eSAndreas Gohr * @param array $info 51493a7873eSAndreas Gohr * @return bool 51593a7873eSAndreas Gohr */ 51693a7873eSAndreas Gohr protected function _filter($user, $info) { 51793a7873eSAndreas Gohr foreach($this->_pattern as $item => $pattern) { 51893a7873eSAndreas Gohr if($item == 'user') { 51993a7873eSAndreas Gohr if(!preg_match($pattern, $user)) return false; 52093a7873eSAndreas Gohr } else if($item == 'grps') { 52193a7873eSAndreas Gohr if(!count(preg_grep($pattern, $info['grps']))) return false; 52293a7873eSAndreas Gohr } else { 52393a7873eSAndreas Gohr if(!preg_match($pattern, $info[$item])) return false; 52493a7873eSAndreas Gohr } 52593a7873eSAndreas Gohr } 52693a7873eSAndreas Gohr return true; 52793a7873eSAndreas Gohr } 52893a7873eSAndreas Gohr 52993a7873eSAndreas Gohr /** 53093a7873eSAndreas Gohr * Create a pattern for $this->_filter() 53193a7873eSAndreas Gohr * 53293a7873eSAndreas Gohr * @author Chris Smith <chris@jalakai.co.uk> 53393a7873eSAndreas Gohr * @param array $filter 53493a7873eSAndreas Gohr */ 53593a7873eSAndreas Gohr protected function _constructPattern($filter) { 536f4476bd9SJan Schumann $this->_pattern = array(); 537f4476bd9SJan Schumann foreach($filter as $item => $pattern) { 538f4476bd9SJan Schumann $this->_pattern[$item] = '/'.str_replace('/', '\/', $pattern).'/i'; // allow regex characters 539f4476bd9SJan Schumann } 540f4476bd9SJan Schumann } 541f4476bd9SJan Schumann} 542