1f4476bd9SJan Schumann<?php 2f4476bd9SJan Schumann// must be run within Dokuwiki 3f4476bd9SJan Schumannif(!defined('DOKU_INC')) die(); 4f4476bd9SJan Schumann 532fd494aSAndreas Gohrrequire_once(DOKU_PLUGIN.'authad/adLDAP/adLDAP.php'); 632fd494aSAndreas Gohr 7f4476bd9SJan Schumann/** 8f4476bd9SJan Schumann * Active Directory authentication backend for DokuWiki 9f4476bd9SJan Schumann * 10f4476bd9SJan Schumann * This makes authentication with a Active Directory server much easier 11f4476bd9SJan Schumann * than when using the normal LDAP backend by utilizing the adLDAP library 12f4476bd9SJan Schumann * 13f4476bd9SJan Schumann * Usage: 14f4476bd9SJan Schumann * Set DokuWiki's local.protected.php auth setting to read 15f4476bd9SJan Schumann * 16f4476bd9SJan Schumann * $conf['authtype'] = 'authad'; 17f4476bd9SJan Schumann * 1832fd494aSAndreas Gohr * $conf['plugin']['authad']['account_suffix'] = '@my.domain.org'; 1932fd494aSAndreas Gohr * $conf['plugin']['authad']['base_dn'] = 'DC=my,DC=domain,DC=org'; 2032fd494aSAndreas Gohr * $conf['plugin']['authad']['domain_controllers'] = 'srv1.domain.org,srv2.domain.org'; 21f4476bd9SJan Schumann * 22f4476bd9SJan Schumann * //optional: 2332fd494aSAndreas Gohr * $conf['plugin']['authad']['sso'] = 1; 243002d731SAndreas Gohr * $conf['plugin']['authad']['admin_username'] = 'root'; 253002d731SAndreas Gohr * $conf['plugin']['authad']['admin_password'] = 'pass'; 2632fd494aSAndreas Gohr * $conf['plugin']['authad']['real_primarygroup'] = 1; 2732fd494aSAndreas Gohr * $conf['plugin']['authad']['use_ssl'] = 1; 2832fd494aSAndreas Gohr * $conf['plugin']['authad']['use_tls'] = 1; 2932fd494aSAndreas Gohr * $conf['plugin']['authad']['debug'] = 1; 3093a7873eSAndreas Gohr * // warn user about expiring password this many days in advance: 3132fd494aSAndreas Gohr * $conf['plugin']['authad']['expirywarn'] = 5; 32f4476bd9SJan Schumann * 33f4476bd9SJan Schumann * // get additional information to the userinfo array 34f4476bd9SJan Schumann * // add a list of comma separated ldap contact fields. 35f4476bd9SJan Schumann * $conf['plugin']['authad']['additional'] = 'field1,field2'; 36f4476bd9SJan Schumann * 37f4476bd9SJan Schumann * @license GPL 2 (http://www.gnu.org/licenses/gpl.html) 38f4476bd9SJan Schumann * @author James Van Lommel <jamesvl@gmail.com> 39f4476bd9SJan Schumann * @link http://www.nosq.com/blog/2005/08/ldap-activedirectory-and-dokuwiki/ 40f4476bd9SJan Schumann * @author Andreas Gohr <andi@splitbrain.org> 41f4476bd9SJan Schumann * @author Jan Schumann <js@schumann-it.com> 42f4476bd9SJan Schumann */ 4393a7873eSAndreas Gohrclass auth_plugin_authad extends DokuWiki_Auth_Plugin { 4432fd494aSAndreas Gohr 4593a7873eSAndreas Gohr /** 4693a7873eSAndreas Gohr * @var array hold connection data for a specific AD domain 4793a7873eSAndreas Gohr */ 4893a7873eSAndreas Gohr protected $opts = array(); 4932fd494aSAndreas Gohr 5093a7873eSAndreas Gohr /** 5193a7873eSAndreas Gohr * @var array open connections for each AD domain, as adLDAP objects 5293a7873eSAndreas Gohr */ 5393a7873eSAndreas Gohr protected $adldap = array(); 5493a7873eSAndreas Gohr 5593a7873eSAndreas Gohr /** 5693a7873eSAndreas Gohr * @var bool message state 5793a7873eSAndreas Gohr */ 5893a7873eSAndreas Gohr protected $msgshown = false; 5993a7873eSAndreas Gohr 6093a7873eSAndreas Gohr /** 6193a7873eSAndreas Gohr * @var array user listing cache 6293a7873eSAndreas Gohr */ 6393a7873eSAndreas Gohr protected $users = array(); 6493a7873eSAndreas Gohr 6593a7873eSAndreas Gohr /** 6693a7873eSAndreas Gohr * @var array filter patterns for listing users 6793a7873eSAndreas Gohr */ 6893a7873eSAndreas Gohr protected $_pattern = array(); 69f4476bd9SJan Schumann 70f4476bd9SJan Schumann /** 71f4476bd9SJan Schumann * Constructor 72f4476bd9SJan Schumann */ 7393a7873eSAndreas Gohr public function __construct() { 7400d58927SMichael Hamann global $INPUT; 75454d868bSAndreas Gohr parent::__construct(); 76454d868bSAndreas Gohr 7732fd494aSAndreas Gohr // we load the config early to modify it a bit here 7832fd494aSAndreas Gohr $this->loadConfig(); 79f4476bd9SJan Schumann 80f4476bd9SJan Schumann // additional information fields 8132fd494aSAndreas Gohr if(isset($this->conf['additional'])) { 8232fd494aSAndreas Gohr $this->conf['additional'] = str_replace(' ', '', $this->conf['additional']); 8332fd494aSAndreas Gohr $this->conf['additional'] = explode(',', $this->conf['additional']); 8432fd494aSAndreas Gohr } else $this->conf['additional'] = array(); 85f4476bd9SJan Schumann 86f4476bd9SJan Schumann // ldap extension is needed 87f4476bd9SJan Schumann if(!function_exists('ldap_connect')) { 8832fd494aSAndreas Gohr if($this->conf['debug']) 89f4476bd9SJan Schumann msg("AD Auth: PHP LDAP extension not found.", -1); 90f4476bd9SJan Schumann $this->success = false; 91f4476bd9SJan Schumann return; 92f4476bd9SJan Schumann } 93f4476bd9SJan Schumann 94f4476bd9SJan Schumann // Prepare SSO 9593a7873eSAndreas Gohr if(!utf8_check($_SERVER['REMOTE_USER'])) { 9693a7873eSAndreas Gohr $_SERVER['REMOTE_USER'] = utf8_encode($_SERVER['REMOTE_USER']); 9793a7873eSAndreas Gohr } 9832fd494aSAndreas Gohr if($_SERVER['REMOTE_USER'] && $this->conf['sso']) { 9993a7873eSAndreas Gohr $_SERVER['REMOTE_USER'] = $this->cleanUser($_SERVER['REMOTE_USER']); 100f4476bd9SJan Schumann 101f4476bd9SJan Schumann // we need to simulate a login 102f4476bd9SJan Schumann if(empty($_COOKIE[DOKU_COOKIE])) { 10300d58927SMichael Hamann $INPUT->set('u', $_SERVER['REMOTE_USER']); 10400d58927SMichael Hamann $INPUT->set('p', 'sso_only'); 105f4476bd9SJan Schumann } 106f4476bd9SJan Schumann } 107f4476bd9SJan Schumann 10893a7873eSAndreas Gohr // other can do's are changed in $this->_loadServerConfig() base on domain setup 109f4476bd9SJan Schumann $this->cando['modName'] = true; 110f4476bd9SJan Schumann $this->cando['modMail'] = true; 111f4476bd9SJan Schumann } 112f4476bd9SJan Schumann 113f4476bd9SJan Schumann /** 114f4476bd9SJan Schumann * Check user+password [required auth function] 115f4476bd9SJan Schumann * 116f4476bd9SJan Schumann * Checks if the given user exists and the given 117f4476bd9SJan Schumann * plaintext password is correct by trying to bind 118f4476bd9SJan Schumann * to the LDAP server 119f4476bd9SJan Schumann * 120f4476bd9SJan Schumann * @author James Van Lommel <james@nosq.com> 12193a7873eSAndreas Gohr * @param string $user 12293a7873eSAndreas Gohr * @param string $pass 123f4476bd9SJan Schumann * @return bool 124f4476bd9SJan Schumann */ 12593a7873eSAndreas Gohr public function checkPass($user, $pass) { 126f4476bd9SJan Schumann if($_SERVER['REMOTE_USER'] && 127f4476bd9SJan Schumann $_SERVER['REMOTE_USER'] == $user && 12832fd494aSAndreas Gohr $this->conf['sso'] 12993a7873eSAndreas Gohr ) return true; 130f4476bd9SJan Schumann 13193a7873eSAndreas Gohr $adldap = $this->_adldap($this->_userDomain($user)); 13293a7873eSAndreas Gohr if(!$adldap) return false; 13393a7873eSAndreas Gohr 13493a7873eSAndreas Gohr return $adldap->authenticate($this->_userName($user), $pass); 135f4476bd9SJan Schumann } 136f4476bd9SJan Schumann 137f4476bd9SJan Schumann /** 138f4476bd9SJan Schumann * Return user info [required auth function] 139f4476bd9SJan Schumann * 140f4476bd9SJan Schumann * Returns info about the given user needs to contain 141f4476bd9SJan Schumann * at least these fields: 142f4476bd9SJan Schumann * 143f4476bd9SJan Schumann * name string full name of the user 144f4476bd9SJan Schumann * mail string email address of the user 145f4476bd9SJan Schumann * grps array list of groups the user is in 146f4476bd9SJan Schumann * 14793a7873eSAndreas Gohr * This AD specific function returns the following 148f4476bd9SJan Schumann * addional fields: 149f4476bd9SJan Schumann * 150f4476bd9SJan Schumann * dn string distinguished name (DN) 15193a7873eSAndreas Gohr * uid string samaccountname 15293a7873eSAndreas Gohr * lastpwd int timestamp of the date when the password was set 15393a7873eSAndreas Gohr * expires true if the password expires 15493a7873eSAndreas Gohr * expiresin int seconds until the password expires 15593a7873eSAndreas Gohr * any fields specified in the 'additional' config option 156f4476bd9SJan Schumann * 157f4476bd9SJan Schumann * @author James Van Lommel <james@nosq.com> 15893a7873eSAndreas Gohr * @param string $user 15993a7873eSAndreas Gohr * @return array 160f4476bd9SJan Schumann */ 16193a7873eSAndreas Gohr public function getUserData($user) { 162f4476bd9SJan Schumann global $conf; 16393a7873eSAndreas Gohr global $lang; 16493a7873eSAndreas Gohr global $ID; 16593a7873eSAndreas Gohr $adldap = $this->_adldap($this->_userDomain($user)); 16693a7873eSAndreas Gohr if(!$adldap) return false; 167f4476bd9SJan Schumann 16893a7873eSAndreas Gohr if($user == '') return array(); 16993a7873eSAndreas Gohr 17093a7873eSAndreas Gohr $fields = array('mail', 'displayname', 'samaccountname', 'lastpwd', 'pwdlastset', 'useraccountcontrol'); 171f4476bd9SJan Schumann 172f4476bd9SJan Schumann // add additional fields to read 17332fd494aSAndreas Gohr $fields = array_merge($fields, $this->conf['additional']); 174f4476bd9SJan Schumann $fields = array_unique($fields); 175f4476bd9SJan Schumann 176f4476bd9SJan Schumann //get info for given user 17732fd494aSAndreas Gohr $result = $adldap->user()->info($this->_userName($user), $fields); 17893a7873eSAndreas Gohr if($result == false){ 17993a7873eSAndreas Gohr return array(); 18093a7873eSAndreas Gohr } 18193a7873eSAndreas Gohr 182f4476bd9SJan Schumann //general user info 183f4476bd9SJan Schumann $info['name'] = $result[0]['displayname'][0]; 184f4476bd9SJan Schumann $info['mail'] = $result[0]['mail'][0]; 185f4476bd9SJan Schumann $info['uid'] = $result[0]['samaccountname'][0]; 186f4476bd9SJan Schumann $info['dn'] = $result[0]['dn']; 18793a7873eSAndreas Gohr //last password set (Windows counts from January 1st 1601) 18893a7873eSAndreas Gohr $info['lastpwd'] = $result[0]['pwdlastset'][0] / 10000000 - 11644473600; 18993a7873eSAndreas Gohr //will it expire? 19093a7873eSAndreas Gohr $info['expires'] = !($result[0]['useraccountcontrol'][0] & 0x10000); //ADS_UF_DONT_EXPIRE_PASSWD 191f4476bd9SJan Schumann 192f4476bd9SJan Schumann // additional information 19332fd494aSAndreas Gohr foreach($this->conf['additional'] as $field) { 194f4476bd9SJan Schumann if(isset($result[0][strtolower($field)])) { 195f4476bd9SJan Schumann $info[$field] = $result[0][strtolower($field)][0]; 196f4476bd9SJan Schumann } 197f4476bd9SJan Schumann } 198f4476bd9SJan Schumann 199f4476bd9SJan Schumann // handle ActiveDirectory memberOf 20032fd494aSAndreas Gohr $info['grps'] = $adldap->user()->groups($this->_userName($user),(bool) $this->opts['recursive_groups']); 201f4476bd9SJan Schumann 202f4476bd9SJan Schumann if(is_array($info['grps'])) { 203f4476bd9SJan Schumann foreach($info['grps'] as $ndx => $group) { 204f4476bd9SJan Schumann $info['grps'][$ndx] = $this->cleanGroup($group); 205f4476bd9SJan Schumann } 206f4476bd9SJan Schumann } 207f4476bd9SJan Schumann 208f4476bd9SJan Schumann // always add the default group to the list of groups 209f4476bd9SJan Schumann if(!is_array($info['grps']) || !in_array($conf['defaultgroup'], $info['grps'])) { 210f4476bd9SJan Schumann $info['grps'][] = $conf['defaultgroup']; 211f4476bd9SJan Schumann } 212f4476bd9SJan Schumann 21393a7873eSAndreas Gohr // add the user's domain to the groups 21493a7873eSAndreas Gohr $domain = $this->_userDomain($user); 21593a7873eSAndreas Gohr if($domain && !in_array("domain-$domain", (array) $info['grps'])) { 21693a7873eSAndreas Gohr $info['grps'][] = $this->cleanGroup("domain-$domain"); 21793a7873eSAndreas Gohr } 21893a7873eSAndreas Gohr 21993a7873eSAndreas Gohr // check expiry time 22032fd494aSAndreas Gohr if($info['expires'] && $this->conf['expirywarn']){ 221*1e52e72aSAndreas Gohr $expiry = $adldap->user()->passwordExpiry($user); 222*1e52e72aSAndreas Gohr if(is_array($expiry)){ 223*1e52e72aSAndreas Gohr $info['expiresat'] = $expiry['expiryts']; 224*1e52e72aSAndreas Gohr $info['expiresin'] = round(($info['expiresat'] - time())/(24*60*60)); 22593a7873eSAndreas Gohr 22693a7873eSAndreas Gohr // if this is the current user, warn him (once per request only) 22793a7873eSAndreas Gohr if(($_SERVER['REMOTE_USER'] == $user) && 228*1e52e72aSAndreas Gohr ($info['expiresin'] <= $this->conf['expirywarn']) && 22993a7873eSAndreas Gohr !$this->msgshown 23093a7873eSAndreas Gohr ) { 231*1e52e72aSAndreas Gohr $msg = sprintf($lang['authpwdexpire'], $info['expiresin']); 23293a7873eSAndreas Gohr if($this->canDo('modPass')) { 23393a7873eSAndreas Gohr $url = wl($ID, array('do'=> 'profile')); 23493a7873eSAndreas Gohr $msg .= ' <a href="'.$url.'">'.$lang['btn_profile'].'</a>'; 23593a7873eSAndreas Gohr } 23693a7873eSAndreas Gohr msg($msg); 23793a7873eSAndreas Gohr $this->msgshown = true; 23893a7873eSAndreas Gohr } 23993a7873eSAndreas Gohr } 240*1e52e72aSAndreas Gohr } 24193a7873eSAndreas Gohr 242f4476bd9SJan Schumann return $info; 243f4476bd9SJan Schumann } 244f4476bd9SJan Schumann 245f4476bd9SJan Schumann /** 246f4476bd9SJan Schumann * Make AD group names usable by DokuWiki. 247f4476bd9SJan Schumann * 248f4476bd9SJan Schumann * Removes backslashes ('\'), pound signs ('#'), and converts spaces to underscores. 249f4476bd9SJan Schumann * 250f4476bd9SJan Schumann * @author James Van Lommel (jamesvl@gmail.com) 25193a7873eSAndreas Gohr * @param string $group 25293a7873eSAndreas Gohr * @return string 253f4476bd9SJan Schumann */ 25493a7873eSAndreas Gohr public function cleanGroup($group) { 25593a7873eSAndreas Gohr $group = str_replace('\\', '', $group); 25693a7873eSAndreas Gohr $group = str_replace('#', '', $group); 25793a7873eSAndreas Gohr $group = preg_replace('[\s]', '_', $group); 25893a7873eSAndreas Gohr $group = utf8_strtolower(trim($group)); 25993a7873eSAndreas Gohr return $group; 260f4476bd9SJan Schumann } 261f4476bd9SJan Schumann 262f4476bd9SJan Schumann /** 263f4476bd9SJan Schumann * Sanitize user names 26493a7873eSAndreas Gohr * 26593a7873eSAndreas Gohr * Normalizes domain parts, does not modify the user name itself (unlike cleanGroup) 26693a7873eSAndreas Gohr * 26793a7873eSAndreas Gohr * @author Andreas Gohr <gohr@cosmocode.de> 26893a7873eSAndreas Gohr * @param string $user 26993a7873eSAndreas Gohr * @return string 270f4476bd9SJan Schumann */ 27193a7873eSAndreas Gohr public function cleanUser($user) { 27293a7873eSAndreas Gohr $domain = ''; 27393a7873eSAndreas Gohr 27493a7873eSAndreas Gohr // get NTLM or Kerberos domain part 27593a7873eSAndreas Gohr list($dom, $user) = explode('\\', $user, 2); 27693a7873eSAndreas Gohr if(!$user) $user = $dom; 27793a7873eSAndreas Gohr if($dom) $domain = $dom; 27893a7873eSAndreas Gohr list($user, $dom) = explode('@', $user, 2); 27993a7873eSAndreas Gohr if($dom) $domain = $dom; 28093a7873eSAndreas Gohr 28193a7873eSAndreas Gohr // clean up both 28293a7873eSAndreas Gohr $domain = utf8_strtolower(trim($domain)); 28393a7873eSAndreas Gohr $user = utf8_strtolower(trim($user)); 28493a7873eSAndreas Gohr 28593a7873eSAndreas Gohr // is this a known, valid domain? if not discard 28632fd494aSAndreas Gohr if(!is_array($this->conf[$domain])) { 28793a7873eSAndreas Gohr $domain = ''; 28893a7873eSAndreas Gohr } 28993a7873eSAndreas Gohr 29093a7873eSAndreas Gohr // reattach domain 29193a7873eSAndreas Gohr if($domain) $user = "$user@$domain"; 29293a7873eSAndreas Gohr return $user; 293f4476bd9SJan Schumann } 294f4476bd9SJan Schumann 295f4476bd9SJan Schumann /** 296f4476bd9SJan Schumann * Most values in LDAP are case-insensitive 29793a7873eSAndreas Gohr * 29893a7873eSAndreas Gohr * @return bool 299f4476bd9SJan Schumann */ 30093a7873eSAndreas Gohr public function isCaseSensitive() { 301f4476bd9SJan Schumann return false; 302f4476bd9SJan Schumann } 303f4476bd9SJan Schumann 304f4476bd9SJan Schumann /** 305f4476bd9SJan Schumann * Bulk retrieval of user data 306f4476bd9SJan Schumann * 307f4476bd9SJan Schumann * @author Dominik Eckelmann <dokuwiki@cosmocode.de> 30893a7873eSAndreas Gohr * @param int $start index of first user to be returned 30993a7873eSAndreas Gohr * @param int $limit max number of users to be returned 31093a7873eSAndreas Gohr * @param array $filter array of field/pattern pairs, null for no filter 31193a7873eSAndreas Gohr * @return array userinfo (refer getUserData for internal userinfo details) 312f4476bd9SJan Schumann */ 31393a7873eSAndreas Gohr public function retrieveUsers($start = 0, $limit = -1, $filter = array()) { 31493a7873eSAndreas Gohr $adldap = $this->_adldap(null); 31593a7873eSAndreas Gohr if(!$adldap) return false; 316f4476bd9SJan Schumann 317f4476bd9SJan Schumann if($this->users === null) { 318f4476bd9SJan Schumann //get info for given user 31932fd494aSAndreas Gohr $result = $adldap->user()->all(); 320f4476bd9SJan Schumann if (!$result) return array(); 321f4476bd9SJan Schumann $this->users = array_fill_keys($result, false); 322f4476bd9SJan Schumann } 323f4476bd9SJan Schumann 324f4476bd9SJan Schumann $i = 0; 325f4476bd9SJan Schumann $count = 0; 326f4476bd9SJan Schumann $this->_constructPattern($filter); 327f4476bd9SJan Schumann $result = array(); 328f4476bd9SJan Schumann 329f4476bd9SJan Schumann foreach($this->users as $user => &$info) { 330f4476bd9SJan Schumann if($i++ < $start) { 331f4476bd9SJan Schumann continue; 332f4476bd9SJan Schumann } 333f4476bd9SJan Schumann if($info === false) { 334f4476bd9SJan Schumann $info = $this->getUserData($user); 335f4476bd9SJan Schumann } 336f4476bd9SJan Schumann if($this->_filter($user, $info)) { 337f4476bd9SJan Schumann $result[$user] = $info; 338f4476bd9SJan Schumann if(($limit >= 0) && (++$count >= $limit)) break; 339f4476bd9SJan Schumann } 340f4476bd9SJan Schumann } 341f4476bd9SJan Schumann return $result; 342f4476bd9SJan Schumann } 343f4476bd9SJan Schumann 344f4476bd9SJan Schumann /** 345f4476bd9SJan Schumann * Modify user data 346f4476bd9SJan Schumann * 34793a7873eSAndreas Gohr * @param string $user nick of the user to be changed 34893a7873eSAndreas Gohr * @param array $changes array of field/value pairs to be changed 349f4476bd9SJan Schumann * @return bool 350f4476bd9SJan Schumann */ 35193a7873eSAndreas Gohr public function modifyUser($user, $changes) { 352f4476bd9SJan Schumann $return = true; 35393a7873eSAndreas Gohr $adldap = $this->_adldap($this->_userDomain($user)); 35493a7873eSAndreas Gohr if(!$adldap) return false; 355f4476bd9SJan Schumann 356f4476bd9SJan Schumann // password changing 357f4476bd9SJan Schumann if(isset($changes['pass'])) { 358f4476bd9SJan Schumann try { 35932fd494aSAndreas Gohr $return = $adldap->user()->password($this->_userName($user),$changes['pass']); 360f4476bd9SJan Schumann } catch (adLDAPException $e) { 36132fd494aSAndreas Gohr if ($this->conf['debug']) msg('AD Auth: '.$e->getMessage(), -1); 362f4476bd9SJan Schumann $return = false; 363f4476bd9SJan Schumann } 364f4476bd9SJan Schumann if(!$return) msg('AD Auth: failed to change the password. Maybe the password policy was not met?', -1); 365f4476bd9SJan Schumann } 366f4476bd9SJan Schumann 367f4476bd9SJan Schumann // changing user data 368f4476bd9SJan Schumann $adchanges = array(); 369f4476bd9SJan Schumann if(isset($changes['name'])) { 370f4476bd9SJan Schumann // get first and last name 371f4476bd9SJan Schumann $parts = explode(' ', $changes['name']); 372f4476bd9SJan Schumann $adchanges['surname'] = array_pop($parts); 373f4476bd9SJan Schumann $adchanges['firstname'] = join(' ', $parts); 374f4476bd9SJan Schumann $adchanges['display_name'] = $changes['name']; 375f4476bd9SJan Schumann } 376f4476bd9SJan Schumann if(isset($changes['mail'])) { 377f4476bd9SJan Schumann $adchanges['email'] = $changes['mail']; 378f4476bd9SJan Schumann } 379f4476bd9SJan Schumann if(count($adchanges)) { 380f4476bd9SJan Schumann try { 38132fd494aSAndreas Gohr $return = $return & $adldap->user()->modify($this->_userName($user),$adchanges); 382f4476bd9SJan Schumann } catch (adLDAPException $e) { 38332fd494aSAndreas Gohr if ($this->conf['debug']) msg('AD Auth: '.$e->getMessage(), -1); 384f4476bd9SJan Schumann $return = false; 385f4476bd9SJan Schumann } 386f4476bd9SJan Schumann } 387f4476bd9SJan Schumann 388f4476bd9SJan Schumann return $return; 389f4476bd9SJan Schumann } 390f4476bd9SJan Schumann 391f4476bd9SJan Schumann /** 392f4476bd9SJan Schumann * Initialize the AdLDAP library and connect to the server 39393a7873eSAndreas Gohr * 39493a7873eSAndreas Gohr * When you pass null as domain, it will reuse any existing domain. 39593a7873eSAndreas Gohr * Eg. the one of the logged in user. It falls back to the default 39693a7873eSAndreas Gohr * domain if no current one is available. 39793a7873eSAndreas Gohr * 39893a7873eSAndreas Gohr * @param string|null $domain The AD domain to use 39993a7873eSAndreas Gohr * @return adLDAP|bool true if a connection was established 400f4476bd9SJan Schumann */ 40193a7873eSAndreas Gohr protected function _adldap($domain) { 40293a7873eSAndreas Gohr if(is_null($domain) && is_array($this->opts)) { 40393a7873eSAndreas Gohr $domain = $this->opts['domain']; 40493a7873eSAndreas Gohr } 40593a7873eSAndreas Gohr 40693a7873eSAndreas Gohr $this->opts = $this->_loadServerConfig((string) $domain); 40793a7873eSAndreas Gohr if(isset($this->adldap[$domain])) return $this->adldap[$domain]; 408f4476bd9SJan Schumann 409f4476bd9SJan Schumann // connect 410f4476bd9SJan Schumann try { 41193a7873eSAndreas Gohr $this->adldap[$domain] = new adLDAP($this->opts); 41293a7873eSAndreas Gohr return $this->adldap[$domain]; 413f4476bd9SJan Schumann } catch(adLDAPException $e) { 41432fd494aSAndreas Gohr if($this->conf['debug']) { 415f4476bd9SJan Schumann msg('AD Auth: '.$e->getMessage(), -1); 416f4476bd9SJan Schumann } 417f4476bd9SJan Schumann $this->success = false; 41893a7873eSAndreas Gohr $this->adldap[$domain] = null; 419f4476bd9SJan Schumann } 420f4476bd9SJan Schumann return false; 421f4476bd9SJan Schumann } 422f4476bd9SJan Schumann 423f4476bd9SJan Schumann /** 42493a7873eSAndreas Gohr * Get the domain part from a user 425f4476bd9SJan Schumann * 42693a7873eSAndreas Gohr * @param $user 42793a7873eSAndreas Gohr * @return string 428f4476bd9SJan Schumann */ 42993a7873eSAndreas Gohr public function _userDomain($user) { 43093a7873eSAndreas Gohr list(, $domain) = explode('@', $user, 2); 43193a7873eSAndreas Gohr return $domain; 432f4476bd9SJan Schumann } 433f4476bd9SJan Schumann 43493a7873eSAndreas Gohr /** 43593a7873eSAndreas Gohr * Get the user part from a user 43693a7873eSAndreas Gohr * 43793a7873eSAndreas Gohr * @param $user 43893a7873eSAndreas Gohr * @return string 43993a7873eSAndreas Gohr */ 44093a7873eSAndreas Gohr public function _userName($user) { 44193a7873eSAndreas Gohr list($name) = explode('@', $user, 2); 44293a7873eSAndreas Gohr return $name; 44393a7873eSAndreas Gohr } 44493a7873eSAndreas Gohr 44593a7873eSAndreas Gohr /** 44693a7873eSAndreas Gohr * Fetch the configuration for the given AD domain 44793a7873eSAndreas Gohr * 44893a7873eSAndreas Gohr * @param string $domain current AD domain 44993a7873eSAndreas Gohr * @return array 45093a7873eSAndreas Gohr */ 45193a7873eSAndreas Gohr protected function _loadServerConfig($domain) { 45293a7873eSAndreas Gohr // prepare adLDAP standard configuration 45332fd494aSAndreas Gohr $opts = $this->conf; 45493a7873eSAndreas Gohr 45593a7873eSAndreas Gohr $opts['domain'] = $domain; 45693a7873eSAndreas Gohr 45793a7873eSAndreas Gohr // add possible domain specific configuration 45832fd494aSAndreas Gohr if($domain && is_array($this->conf[$domain])) foreach($this->conf[$domain] as $key => $val) { 45993a7873eSAndreas Gohr $opts[$key] = $val; 46093a7873eSAndreas Gohr } 46193a7873eSAndreas Gohr 46293a7873eSAndreas Gohr // handle multiple AD servers 46393a7873eSAndreas Gohr $opts['domain_controllers'] = explode(',', $opts['domain_controllers']); 46493a7873eSAndreas Gohr $opts['domain_controllers'] = array_map('trim', $opts['domain_controllers']); 46593a7873eSAndreas Gohr $opts['domain_controllers'] = array_filter($opts['domain_controllers']); 46693a7873eSAndreas Gohr 46793a7873eSAndreas Gohr // we can change the password if SSL is set 46893a7873eSAndreas Gohr if($opts['use_ssl'] || $opts['use_tls']) { 46993a7873eSAndreas Gohr $this->cando['modPass'] = true; 47093a7873eSAndreas Gohr } else { 47193a7873eSAndreas Gohr $this->cando['modPass'] = false; 47293a7873eSAndreas Gohr } 47393a7873eSAndreas Gohr 4741b228d28SKlap-in if(isset($opts['admin_username']) && isset($opts['admin_password'])) { 47593a7873eSAndreas Gohr $this->cando['getUsers'] = true; 47693a7873eSAndreas Gohr } else { 4771b228d28SKlap-in $this->cando['getUsers'] = false; 47893a7873eSAndreas Gohr } 47993a7873eSAndreas Gohr 48093a7873eSAndreas Gohr return $opts; 48193a7873eSAndreas Gohr } 48293a7873eSAndreas Gohr 48393a7873eSAndreas Gohr /** 48493a7873eSAndreas Gohr * Check provided user and userinfo for matching patterns 48593a7873eSAndreas Gohr * 48693a7873eSAndreas Gohr * The patterns are set up with $this->_constructPattern() 48793a7873eSAndreas Gohr * 48893a7873eSAndreas Gohr * @author Chris Smith <chris@jalakai.co.uk> 48993a7873eSAndreas Gohr * @param string $user 49093a7873eSAndreas Gohr * @param array $info 49193a7873eSAndreas Gohr * @return bool 49293a7873eSAndreas Gohr */ 49393a7873eSAndreas Gohr protected function _filter($user, $info) { 49493a7873eSAndreas Gohr foreach($this->_pattern as $item => $pattern) { 49593a7873eSAndreas Gohr if($item == 'user') { 49693a7873eSAndreas Gohr if(!preg_match($pattern, $user)) return false; 49793a7873eSAndreas Gohr } else if($item == 'grps') { 49893a7873eSAndreas Gohr if(!count(preg_grep($pattern, $info['grps']))) return false; 49993a7873eSAndreas Gohr } else { 50093a7873eSAndreas Gohr if(!preg_match($pattern, $info[$item])) return false; 50193a7873eSAndreas Gohr } 50293a7873eSAndreas Gohr } 50393a7873eSAndreas Gohr return true; 50493a7873eSAndreas Gohr } 50593a7873eSAndreas Gohr 50693a7873eSAndreas Gohr /** 50793a7873eSAndreas Gohr * Create a pattern for $this->_filter() 50893a7873eSAndreas Gohr * 50993a7873eSAndreas Gohr * @author Chris Smith <chris@jalakai.co.uk> 51093a7873eSAndreas Gohr * @param array $filter 51193a7873eSAndreas Gohr */ 51293a7873eSAndreas Gohr protected function _constructPattern($filter) { 513f4476bd9SJan Schumann $this->_pattern = array(); 514f4476bd9SJan Schumann foreach($filter as $item => $pattern) { 515f4476bd9SJan Schumann $this->_pattern[$item] = '/'.str_replace('/', '\/', $pattern).'/i'; // allow regex characters 516f4476bd9SJan Schumann } 517f4476bd9SJan Schumann } 518f4476bd9SJan Schumann} 519