1f4476bd9SJan Schumann<?php 2f4476bd9SJan Schumann// must be run within Dokuwiki 3f4476bd9SJan Schumannif(!defined('DOKU_INC')) die(); 4f4476bd9SJan Schumann 532fd494aSAndreas Gohrrequire_once(DOKU_PLUGIN.'authad/adLDAP/adLDAP.php'); 632fd494aSAndreas Gohr 7f4476bd9SJan Schumann/** 8f4476bd9SJan Schumann * Active Directory authentication backend for DokuWiki 9f4476bd9SJan Schumann * 10f4476bd9SJan Schumann * This makes authentication with a Active Directory server much easier 11f4476bd9SJan Schumann * than when using the normal LDAP backend by utilizing the adLDAP library 12f4476bd9SJan Schumann * 13f4476bd9SJan Schumann * Usage: 14f4476bd9SJan Schumann * Set DokuWiki's local.protected.php auth setting to read 15f4476bd9SJan Schumann * 16f4476bd9SJan Schumann * $conf['authtype'] = 'authad'; 17f4476bd9SJan Schumann * 1832fd494aSAndreas Gohr * $conf['plugin']['authad']['account_suffix'] = '@my.domain.org'; 1932fd494aSAndreas Gohr * $conf['plugin']['authad']['base_dn'] = 'DC=my,DC=domain,DC=org'; 2032fd494aSAndreas Gohr * $conf['plugin']['authad']['domain_controllers'] = 'srv1.domain.org,srv2.domain.org'; 21f4476bd9SJan Schumann * 22f4476bd9SJan Schumann * //optional: 2332fd494aSAndreas Gohr * $conf['plugin']['authad']['sso'] = 1; 243002d731SAndreas Gohr * $conf['plugin']['authad']['admin_username'] = 'root'; 253002d731SAndreas Gohr * $conf['plugin']['authad']['admin_password'] = 'pass'; 2632fd494aSAndreas Gohr * $conf['plugin']['authad']['real_primarygroup'] = 1; 2732fd494aSAndreas Gohr * $conf['plugin']['authad']['use_ssl'] = 1; 2832fd494aSAndreas Gohr * $conf['plugin']['authad']['use_tls'] = 1; 2932fd494aSAndreas Gohr * $conf['plugin']['authad']['debug'] = 1; 3093a7873eSAndreas Gohr * // warn user about expiring password this many days in advance: 3132fd494aSAndreas Gohr * $conf['plugin']['authad']['expirywarn'] = 5; 32f4476bd9SJan Schumann * 33f4476bd9SJan Schumann * // get additional information to the userinfo array 34f4476bd9SJan Schumann * // add a list of comma separated ldap contact fields. 35f4476bd9SJan Schumann * $conf['plugin']['authad']['additional'] = 'field1,field2'; 36f4476bd9SJan Schumann * 37f4476bd9SJan Schumann * @license GPL 2 (http://www.gnu.org/licenses/gpl.html) 38f4476bd9SJan Schumann * @author James Van Lommel <jamesvl@gmail.com> 39f4476bd9SJan Schumann * @link http://www.nosq.com/blog/2005/08/ldap-activedirectory-and-dokuwiki/ 40f4476bd9SJan Schumann * @author Andreas Gohr <andi@splitbrain.org> 41f4476bd9SJan Schumann * @author Jan Schumann <js@schumann-it.com> 42f4476bd9SJan Schumann */ 4393a7873eSAndreas Gohrclass auth_plugin_authad extends DokuWiki_Auth_Plugin { 4432fd494aSAndreas Gohr 4593a7873eSAndreas Gohr /** 4693a7873eSAndreas Gohr * @var array hold connection data for a specific AD domain 4793a7873eSAndreas Gohr */ 4893a7873eSAndreas Gohr protected $opts = array(); 4932fd494aSAndreas Gohr 5093a7873eSAndreas Gohr /** 5193a7873eSAndreas Gohr * @var array open connections for each AD domain, as adLDAP objects 5293a7873eSAndreas Gohr */ 5393a7873eSAndreas Gohr protected $adldap = array(); 5493a7873eSAndreas Gohr 5593a7873eSAndreas Gohr /** 5693a7873eSAndreas Gohr * @var bool message state 5793a7873eSAndreas Gohr */ 5893a7873eSAndreas Gohr protected $msgshown = false; 5993a7873eSAndreas Gohr 6093a7873eSAndreas Gohr /** 6193a7873eSAndreas Gohr * @var array user listing cache 6293a7873eSAndreas Gohr */ 6393a7873eSAndreas Gohr protected $users = array(); 6493a7873eSAndreas Gohr 6593a7873eSAndreas Gohr /** 6693a7873eSAndreas Gohr * @var array filter patterns for listing users 6793a7873eSAndreas Gohr */ 6893a7873eSAndreas Gohr protected $_pattern = array(); 69f4476bd9SJan Schumann 70f4476bd9SJan Schumann /** 71f4476bd9SJan Schumann * Constructor 72f4476bd9SJan Schumann */ 7393a7873eSAndreas Gohr public function __construct() { 7400d58927SMichael Hamann global $INPUT; 75454d868bSAndreas Gohr parent::__construct(); 76454d868bSAndreas Gohr 7732fd494aSAndreas Gohr // we load the config early to modify it a bit here 7832fd494aSAndreas Gohr $this->loadConfig(); 79f4476bd9SJan Schumann 80f4476bd9SJan Schumann // additional information fields 8132fd494aSAndreas Gohr if(isset($this->conf['additional'])) { 8232fd494aSAndreas Gohr $this->conf['additional'] = str_replace(' ', '', $this->conf['additional']); 8332fd494aSAndreas Gohr $this->conf['additional'] = explode(',', $this->conf['additional']); 8432fd494aSAndreas Gohr } else $this->conf['additional'] = array(); 85f4476bd9SJan Schumann 86f4476bd9SJan Schumann // ldap extension is needed 87f4476bd9SJan Schumann if(!function_exists('ldap_connect')) { 8832fd494aSAndreas Gohr if($this->conf['debug']) 89f4476bd9SJan Schumann msg("AD Auth: PHP LDAP extension not found.", -1); 90f4476bd9SJan Schumann $this->success = false; 91f4476bd9SJan Schumann return; 92f4476bd9SJan Schumann } 93f4476bd9SJan Schumann 94f4476bd9SJan Schumann // Prepare SSO 95d34a2a38SAndreas Gohr if(!empty($_SERVER['REMOTE_USER'])) { 96d34a2a38SAndreas Gohr 97d34a2a38SAndreas Gohr // make sure the right encoding is used 98d34a2a38SAndreas Gohr if($this->getConf('sso_charset')) { 99d34a2a38SAndreas Gohr $_SERVER['REMOTE_USER'] = iconv($this->getConf('sso_charset'), 'UTF-8', $_SERVER['REMOTE_USER']); 100d34a2a38SAndreas Gohr } elseif(!utf8_check($_SERVER['REMOTE_USER'])) { 10193a7873eSAndreas Gohr $_SERVER['REMOTE_USER'] = utf8_encode($_SERVER['REMOTE_USER']); 10293a7873eSAndreas Gohr } 103d34a2a38SAndreas Gohr 104d34a2a38SAndreas Gohr // trust the incoming user 105d34a2a38SAndreas Gohr if($this->conf['sso']) { 10693a7873eSAndreas Gohr $_SERVER['REMOTE_USER'] = $this->cleanUser($_SERVER['REMOTE_USER']); 107f4476bd9SJan Schumann 108f4476bd9SJan Schumann // we need to simulate a login 109f4476bd9SJan Schumann if(empty($_COOKIE[DOKU_COOKIE])) { 11000d58927SMichael Hamann $INPUT->set('u', $_SERVER['REMOTE_USER']); 11100d58927SMichael Hamann $INPUT->set('p', 'sso_only'); 112f4476bd9SJan Schumann } 113f4476bd9SJan Schumann } 114d34a2a38SAndreas Gohr } 115f4476bd9SJan Schumann 11693a7873eSAndreas Gohr // other can do's are changed in $this->_loadServerConfig() base on domain setup 117f4476bd9SJan Schumann $this->cando['modName'] = true; 118f4476bd9SJan Schumann $this->cando['modMail'] = true; 119f4476bd9SJan Schumann } 120f4476bd9SJan Schumann 121f4476bd9SJan Schumann /** 122a154806fSAndreas Gohr * Load domain config on capability check 123a154806fSAndreas Gohr * 124a154806fSAndreas Gohr * @param string $cap 125a154806fSAndreas Gohr * @return bool 126a154806fSAndreas Gohr */ 127a154806fSAndreas Gohr public function canDo($cap) { 128a154806fSAndreas Gohr //capabilities depend on config, which may change depending on domain 129a154806fSAndreas Gohr $domain = $this->_userDomain($_SERVER['REMOTE_USER']); 130a154806fSAndreas Gohr $this->_loadServerConfig($domain); 131a154806fSAndreas Gohr return parent::canDo($cap); 132a154806fSAndreas Gohr } 133a154806fSAndreas Gohr 134a154806fSAndreas Gohr /** 135f4476bd9SJan Schumann * Check user+password [required auth function] 136f4476bd9SJan Schumann * 137f4476bd9SJan Schumann * Checks if the given user exists and the given 138f4476bd9SJan Schumann * plaintext password is correct by trying to bind 139f4476bd9SJan Schumann * to the LDAP server 140f4476bd9SJan Schumann * 141f4476bd9SJan Schumann * @author James Van Lommel <james@nosq.com> 14293a7873eSAndreas Gohr * @param string $user 14393a7873eSAndreas Gohr * @param string $pass 144f4476bd9SJan Schumann * @return bool 145f4476bd9SJan Schumann */ 14693a7873eSAndreas Gohr public function checkPass($user, $pass) { 147f4476bd9SJan Schumann if($_SERVER['REMOTE_USER'] && 148f4476bd9SJan Schumann $_SERVER['REMOTE_USER'] == $user && 14932fd494aSAndreas Gohr $this->conf['sso'] 15093a7873eSAndreas Gohr ) return true; 151f4476bd9SJan Schumann 15293a7873eSAndreas Gohr $adldap = $this->_adldap($this->_userDomain($user)); 15393a7873eSAndreas Gohr if(!$adldap) return false; 15493a7873eSAndreas Gohr 15593a7873eSAndreas Gohr return $adldap->authenticate($this->_userName($user), $pass); 156f4476bd9SJan Schumann } 157f4476bd9SJan Schumann 158f4476bd9SJan Schumann /** 159f4476bd9SJan Schumann * Return user info [required auth function] 160f4476bd9SJan Schumann * 161f4476bd9SJan Schumann * Returns info about the given user needs to contain 162f4476bd9SJan Schumann * at least these fields: 163f4476bd9SJan Schumann * 164f4476bd9SJan Schumann * name string full name of the user 165f4476bd9SJan Schumann * mail string email address of the user 166f4476bd9SJan Schumann * grps array list of groups the user is in 167f4476bd9SJan Schumann * 16893a7873eSAndreas Gohr * This AD specific function returns the following 169f4476bd9SJan Schumann * addional fields: 170f4476bd9SJan Schumann * 171f4476bd9SJan Schumann * dn string distinguished name (DN) 17293a7873eSAndreas Gohr * uid string samaccountname 17393a7873eSAndreas Gohr * lastpwd int timestamp of the date when the password was set 17493a7873eSAndreas Gohr * expires true if the password expires 17593a7873eSAndreas Gohr * expiresin int seconds until the password expires 17693a7873eSAndreas Gohr * any fields specified in the 'additional' config option 177f4476bd9SJan Schumann * 178f4476bd9SJan Schumann * @author James Van Lommel <james@nosq.com> 17993a7873eSAndreas Gohr * @param string $user 1802046a654SChristopher Smith * @param bool $requireGroups (optional) - ignored, groups are always supplied by this plugin 18193a7873eSAndreas Gohr * @return array 182f4476bd9SJan Schumann */ 1832046a654SChristopher Smith public function getUserData($user, $requireGroups=true) { 184f4476bd9SJan Schumann global $conf; 18593a7873eSAndreas Gohr global $lang; 18693a7873eSAndreas Gohr global $ID; 18793a7873eSAndreas Gohr $adldap = $this->_adldap($this->_userDomain($user)); 18893a7873eSAndreas Gohr if(!$adldap) return false; 189f4476bd9SJan Schumann 19093a7873eSAndreas Gohr if($user == '') return array(); 19193a7873eSAndreas Gohr 19293a7873eSAndreas Gohr $fields = array('mail', 'displayname', 'samaccountname', 'lastpwd', 'pwdlastset', 'useraccountcontrol'); 193f4476bd9SJan Schumann 194f4476bd9SJan Schumann // add additional fields to read 19532fd494aSAndreas Gohr $fields = array_merge($fields, $this->conf['additional']); 196f4476bd9SJan Schumann $fields = array_unique($fields); 19714642325SAndreas Gohr $fields = array_filter($fields); 198f4476bd9SJan Schumann 199f4476bd9SJan Schumann //get info for given user 20032fd494aSAndreas Gohr $result = $adldap->user()->info($this->_userName($user), $fields); 20193a7873eSAndreas Gohr if($result == false){ 20293a7873eSAndreas Gohr return array(); 20393a7873eSAndreas Gohr } 20493a7873eSAndreas Gohr 205f4476bd9SJan Schumann //general user info 206*59bc3b48SGerrit Uitslag $info = array(); 207f4476bd9SJan Schumann $info['name'] = $result[0]['displayname'][0]; 208f4476bd9SJan Schumann $info['mail'] = $result[0]['mail'][0]; 209f4476bd9SJan Schumann $info['uid'] = $result[0]['samaccountname'][0]; 210f4476bd9SJan Schumann $info['dn'] = $result[0]['dn']; 21193a7873eSAndreas Gohr //last password set (Windows counts from January 1st 1601) 21293a7873eSAndreas Gohr $info['lastpwd'] = $result[0]['pwdlastset'][0] / 10000000 - 11644473600; 21393a7873eSAndreas Gohr //will it expire? 21493a7873eSAndreas Gohr $info['expires'] = !($result[0]['useraccountcontrol'][0] & 0x10000); //ADS_UF_DONT_EXPIRE_PASSWD 215f4476bd9SJan Schumann 216f4476bd9SJan Schumann // additional information 21732fd494aSAndreas Gohr foreach($this->conf['additional'] as $field) { 218f4476bd9SJan Schumann if(isset($result[0][strtolower($field)])) { 219f4476bd9SJan Schumann $info[$field] = $result[0][strtolower($field)][0]; 220f4476bd9SJan Schumann } 221f4476bd9SJan Schumann } 222f4476bd9SJan Schumann 223f4476bd9SJan Schumann // handle ActiveDirectory memberOf 22432fd494aSAndreas Gohr $info['grps'] = $adldap->user()->groups($this->_userName($user),(bool) $this->opts['recursive_groups']); 225f4476bd9SJan Schumann 226f4476bd9SJan Schumann if(is_array($info['grps'])) { 227f4476bd9SJan Schumann foreach($info['grps'] as $ndx => $group) { 228f4476bd9SJan Schumann $info['grps'][$ndx] = $this->cleanGroup($group); 229f4476bd9SJan Schumann } 230f4476bd9SJan Schumann } 231f4476bd9SJan Schumann 232f4476bd9SJan Schumann // always add the default group to the list of groups 233f4476bd9SJan Schumann if(!is_array($info['grps']) || !in_array($conf['defaultgroup'], $info['grps'])) { 234f4476bd9SJan Schumann $info['grps'][] = $conf['defaultgroup']; 235f4476bd9SJan Schumann } 236f4476bd9SJan Schumann 23793a7873eSAndreas Gohr // add the user's domain to the groups 23893a7873eSAndreas Gohr $domain = $this->_userDomain($user); 23993a7873eSAndreas Gohr if($domain && !in_array("domain-$domain", (array) $info['grps'])) { 24093a7873eSAndreas Gohr $info['grps'][] = $this->cleanGroup("domain-$domain"); 24193a7873eSAndreas Gohr } 24293a7873eSAndreas Gohr 24393a7873eSAndreas Gohr // check expiry time 24432fd494aSAndreas Gohr if($info['expires'] && $this->conf['expirywarn']){ 2451e52e72aSAndreas Gohr $expiry = $adldap->user()->passwordExpiry($user); 2461e52e72aSAndreas Gohr if(is_array($expiry)){ 2471e52e72aSAndreas Gohr $info['expiresat'] = $expiry['expiryts']; 2481e52e72aSAndreas Gohr $info['expiresin'] = round(($info['expiresat'] - time())/(24*60*60)); 24993a7873eSAndreas Gohr 25093a7873eSAndreas Gohr // if this is the current user, warn him (once per request only) 25193a7873eSAndreas Gohr if(($_SERVER['REMOTE_USER'] == $user) && 2521e52e72aSAndreas Gohr ($info['expiresin'] <= $this->conf['expirywarn']) && 25393a7873eSAndreas Gohr !$this->msgshown 25493a7873eSAndreas Gohr ) { 2551e52e72aSAndreas Gohr $msg = sprintf($lang['authpwdexpire'], $info['expiresin']); 25693a7873eSAndreas Gohr if($this->canDo('modPass')) { 25793a7873eSAndreas Gohr $url = wl($ID, array('do'=> 'profile')); 25893a7873eSAndreas Gohr $msg .= ' <a href="'.$url.'">'.$lang['btn_profile'].'</a>'; 25993a7873eSAndreas Gohr } 26093a7873eSAndreas Gohr msg($msg); 26193a7873eSAndreas Gohr $this->msgshown = true; 26293a7873eSAndreas Gohr } 26393a7873eSAndreas Gohr } 2641e52e72aSAndreas Gohr } 26593a7873eSAndreas Gohr 266f4476bd9SJan Schumann return $info; 267f4476bd9SJan Schumann } 268f4476bd9SJan Schumann 269f4476bd9SJan Schumann /** 270f4476bd9SJan Schumann * Make AD group names usable by DokuWiki. 271f4476bd9SJan Schumann * 272f4476bd9SJan Schumann * Removes backslashes ('\'), pound signs ('#'), and converts spaces to underscores. 273f4476bd9SJan Schumann * 274f4476bd9SJan Schumann * @author James Van Lommel (jamesvl@gmail.com) 27593a7873eSAndreas Gohr * @param string $group 27693a7873eSAndreas Gohr * @return string 277f4476bd9SJan Schumann */ 27893a7873eSAndreas Gohr public function cleanGroup($group) { 27993a7873eSAndreas Gohr $group = str_replace('\\', '', $group); 28093a7873eSAndreas Gohr $group = str_replace('#', '', $group); 28193a7873eSAndreas Gohr $group = preg_replace('[\s]', '_', $group); 28293a7873eSAndreas Gohr $group = utf8_strtolower(trim($group)); 28393a7873eSAndreas Gohr return $group; 284f4476bd9SJan Schumann } 285f4476bd9SJan Schumann 286f4476bd9SJan Schumann /** 287f4476bd9SJan Schumann * Sanitize user names 28893a7873eSAndreas Gohr * 28993a7873eSAndreas Gohr * Normalizes domain parts, does not modify the user name itself (unlike cleanGroup) 29093a7873eSAndreas Gohr * 29193a7873eSAndreas Gohr * @author Andreas Gohr <gohr@cosmocode.de> 29293a7873eSAndreas Gohr * @param string $user 29393a7873eSAndreas Gohr * @return string 294f4476bd9SJan Schumann */ 29593a7873eSAndreas Gohr public function cleanUser($user) { 29693a7873eSAndreas Gohr $domain = ''; 29793a7873eSAndreas Gohr 29893a7873eSAndreas Gohr // get NTLM or Kerberos domain part 29993a7873eSAndreas Gohr list($dom, $user) = explode('\\', $user, 2); 30093a7873eSAndreas Gohr if(!$user) $user = $dom; 30193a7873eSAndreas Gohr if($dom) $domain = $dom; 30293a7873eSAndreas Gohr list($user, $dom) = explode('@', $user, 2); 30393a7873eSAndreas Gohr if($dom) $domain = $dom; 30493a7873eSAndreas Gohr 30593a7873eSAndreas Gohr // clean up both 30693a7873eSAndreas Gohr $domain = utf8_strtolower(trim($domain)); 30793a7873eSAndreas Gohr $user = utf8_strtolower(trim($user)); 30893a7873eSAndreas Gohr 30993a7873eSAndreas Gohr // is this a known, valid domain? if not discard 31032fd494aSAndreas Gohr if(!is_array($this->conf[$domain])) { 31193a7873eSAndreas Gohr $domain = ''; 31293a7873eSAndreas Gohr } 31393a7873eSAndreas Gohr 31493a7873eSAndreas Gohr // reattach domain 31593a7873eSAndreas Gohr if($domain) $user = "$user@$domain"; 31693a7873eSAndreas Gohr return $user; 317f4476bd9SJan Schumann } 318f4476bd9SJan Schumann 319f4476bd9SJan Schumann /** 320f4476bd9SJan Schumann * Most values in LDAP are case-insensitive 32193a7873eSAndreas Gohr * 32293a7873eSAndreas Gohr * @return bool 323f4476bd9SJan Schumann */ 32493a7873eSAndreas Gohr public function isCaseSensitive() { 325f4476bd9SJan Schumann return false; 326f4476bd9SJan Schumann } 327f4476bd9SJan Schumann 328f4476bd9SJan Schumann /** 329f4476bd9SJan Schumann * Bulk retrieval of user data 330f4476bd9SJan Schumann * 331f4476bd9SJan Schumann * @author Dominik Eckelmann <dokuwiki@cosmocode.de> 33293a7873eSAndreas Gohr * @param int $start index of first user to be returned 33393a7873eSAndreas Gohr * @param int $limit max number of users to be returned 33493a7873eSAndreas Gohr * @param array $filter array of field/pattern pairs, null for no filter 33593a7873eSAndreas Gohr * @return array userinfo (refer getUserData for internal userinfo details) 336f4476bd9SJan Schumann */ 3379a2c73e8SAndreas Gohr public function retrieveUsers($start = 0, $limit = 0, $filter = array()) { 33893a7873eSAndreas Gohr $adldap = $this->_adldap(null); 33993a7873eSAndreas Gohr if(!$adldap) return false; 340f4476bd9SJan Schumann 3410ba750c0SAndreas Gohr if(!$this->users) { 342f4476bd9SJan Schumann //get info for given user 34332fd494aSAndreas Gohr $result = $adldap->user()->all(); 344f4476bd9SJan Schumann if (!$result) return array(); 345f4476bd9SJan Schumann $this->users = array_fill_keys($result, false); 346f4476bd9SJan Schumann } 347f4476bd9SJan Schumann 348f4476bd9SJan Schumann $i = 0; 349f4476bd9SJan Schumann $count = 0; 350f4476bd9SJan Schumann $this->_constructPattern($filter); 351f4476bd9SJan Schumann $result = array(); 352f4476bd9SJan Schumann 353f4476bd9SJan Schumann foreach($this->users as $user => &$info) { 354f4476bd9SJan Schumann if($i++ < $start) { 355f4476bd9SJan Schumann continue; 356f4476bd9SJan Schumann } 357f4476bd9SJan Schumann if($info === false) { 358f4476bd9SJan Schumann $info = $this->getUserData($user); 359f4476bd9SJan Schumann } 360f4476bd9SJan Schumann if($this->_filter($user, $info)) { 361f4476bd9SJan Schumann $result[$user] = $info; 3629a2c73e8SAndreas Gohr if(($limit > 0) && (++$count >= $limit)) break; 363f4476bd9SJan Schumann } 364f4476bd9SJan Schumann } 365f4476bd9SJan Schumann return $result; 366f4476bd9SJan Schumann } 367f4476bd9SJan Schumann 368f4476bd9SJan Schumann /** 369f4476bd9SJan Schumann * Modify user data 370f4476bd9SJan Schumann * 37193a7873eSAndreas Gohr * @param string $user nick of the user to be changed 37293a7873eSAndreas Gohr * @param array $changes array of field/value pairs to be changed 373f4476bd9SJan Schumann * @return bool 374f4476bd9SJan Schumann */ 37593a7873eSAndreas Gohr public function modifyUser($user, $changes) { 376f4476bd9SJan Schumann $return = true; 37793a7873eSAndreas Gohr $adldap = $this->_adldap($this->_userDomain($user)); 37893a7873eSAndreas Gohr if(!$adldap) return false; 379f4476bd9SJan Schumann 380f4476bd9SJan Schumann // password changing 381f4476bd9SJan Schumann if(isset($changes['pass'])) { 382f4476bd9SJan Schumann try { 38332fd494aSAndreas Gohr $return = $adldap->user()->password($this->_userName($user),$changes['pass']); 384f4476bd9SJan Schumann } catch (adLDAPException $e) { 38532fd494aSAndreas Gohr if ($this->conf['debug']) msg('AD Auth: '.$e->getMessage(), -1); 386f4476bd9SJan Schumann $return = false; 387f4476bd9SJan Schumann } 388f4476bd9SJan Schumann if(!$return) msg('AD Auth: failed to change the password. Maybe the password policy was not met?', -1); 389f4476bd9SJan Schumann } 390f4476bd9SJan Schumann 391f4476bd9SJan Schumann // changing user data 392f4476bd9SJan Schumann $adchanges = array(); 393f4476bd9SJan Schumann if(isset($changes['name'])) { 394f4476bd9SJan Schumann // get first and last name 395f4476bd9SJan Schumann $parts = explode(' ', $changes['name']); 396f4476bd9SJan Schumann $adchanges['surname'] = array_pop($parts); 397f4476bd9SJan Schumann $adchanges['firstname'] = join(' ', $parts); 398f4476bd9SJan Schumann $adchanges['display_name'] = $changes['name']; 399f4476bd9SJan Schumann } 400f4476bd9SJan Schumann if(isset($changes['mail'])) { 401f4476bd9SJan Schumann $adchanges['email'] = $changes['mail']; 402f4476bd9SJan Schumann } 403f4476bd9SJan Schumann if(count($adchanges)) { 404f4476bd9SJan Schumann try { 40532fd494aSAndreas Gohr $return = $return & $adldap->user()->modify($this->_userName($user),$adchanges); 406f4476bd9SJan Schumann } catch (adLDAPException $e) { 40732fd494aSAndreas Gohr if ($this->conf['debug']) msg('AD Auth: '.$e->getMessage(), -1); 408f4476bd9SJan Schumann $return = false; 409f4476bd9SJan Schumann } 410f4476bd9SJan Schumann } 411f4476bd9SJan Schumann 412f4476bd9SJan Schumann return $return; 413f4476bd9SJan Schumann } 414f4476bd9SJan Schumann 415f4476bd9SJan Schumann /** 416f4476bd9SJan Schumann * Initialize the AdLDAP library and connect to the server 41793a7873eSAndreas Gohr * 41893a7873eSAndreas Gohr * When you pass null as domain, it will reuse any existing domain. 41993a7873eSAndreas Gohr * Eg. the one of the logged in user. It falls back to the default 42093a7873eSAndreas Gohr * domain if no current one is available. 42193a7873eSAndreas Gohr * 42293a7873eSAndreas Gohr * @param string|null $domain The AD domain to use 42393a7873eSAndreas Gohr * @return adLDAP|bool true if a connection was established 424f4476bd9SJan Schumann */ 42593a7873eSAndreas Gohr protected function _adldap($domain) { 42693a7873eSAndreas Gohr if(is_null($domain) && is_array($this->opts)) { 42793a7873eSAndreas Gohr $domain = $this->opts['domain']; 42893a7873eSAndreas Gohr } 42993a7873eSAndreas Gohr 43093a7873eSAndreas Gohr $this->opts = $this->_loadServerConfig((string) $domain); 43193a7873eSAndreas Gohr if(isset($this->adldap[$domain])) return $this->adldap[$domain]; 432f4476bd9SJan Schumann 433f4476bd9SJan Schumann // connect 434f4476bd9SJan Schumann try { 43593a7873eSAndreas Gohr $this->adldap[$domain] = new adLDAP($this->opts); 43693a7873eSAndreas Gohr return $this->adldap[$domain]; 437f4476bd9SJan Schumann } catch(adLDAPException $e) { 43832fd494aSAndreas Gohr if($this->conf['debug']) { 439f4476bd9SJan Schumann msg('AD Auth: '.$e->getMessage(), -1); 440f4476bd9SJan Schumann } 441f4476bd9SJan Schumann $this->success = false; 44293a7873eSAndreas Gohr $this->adldap[$domain] = null; 443f4476bd9SJan Schumann } 444f4476bd9SJan Schumann return false; 445f4476bd9SJan Schumann } 446f4476bd9SJan Schumann 447f4476bd9SJan Schumann /** 44893a7873eSAndreas Gohr * Get the domain part from a user 449f4476bd9SJan Schumann * 45093a7873eSAndreas Gohr * @param $user 45193a7873eSAndreas Gohr * @return string 452f4476bd9SJan Schumann */ 45393a7873eSAndreas Gohr public function _userDomain($user) { 45493a7873eSAndreas Gohr list(, $domain) = explode('@', $user, 2); 45593a7873eSAndreas Gohr return $domain; 456f4476bd9SJan Schumann } 457f4476bd9SJan Schumann 45893a7873eSAndreas Gohr /** 45993a7873eSAndreas Gohr * Get the user part from a user 46093a7873eSAndreas Gohr * 46193a7873eSAndreas Gohr * @param $user 46293a7873eSAndreas Gohr * @return string 46393a7873eSAndreas Gohr */ 46493a7873eSAndreas Gohr public function _userName($user) { 46593a7873eSAndreas Gohr list($name) = explode('@', $user, 2); 46693a7873eSAndreas Gohr return $name; 46793a7873eSAndreas Gohr } 46893a7873eSAndreas Gohr 46993a7873eSAndreas Gohr /** 47093a7873eSAndreas Gohr * Fetch the configuration for the given AD domain 47193a7873eSAndreas Gohr * 47293a7873eSAndreas Gohr * @param string $domain current AD domain 47393a7873eSAndreas Gohr * @return array 47493a7873eSAndreas Gohr */ 47593a7873eSAndreas Gohr protected function _loadServerConfig($domain) { 47693a7873eSAndreas Gohr // prepare adLDAP standard configuration 47732fd494aSAndreas Gohr $opts = $this->conf; 47893a7873eSAndreas Gohr 47993a7873eSAndreas Gohr $opts['domain'] = $domain; 48093a7873eSAndreas Gohr 48193a7873eSAndreas Gohr // add possible domain specific configuration 48232fd494aSAndreas Gohr if($domain && is_array($this->conf[$domain])) foreach($this->conf[$domain] as $key => $val) { 48393a7873eSAndreas Gohr $opts[$key] = $val; 48493a7873eSAndreas Gohr } 48593a7873eSAndreas Gohr 48693a7873eSAndreas Gohr // handle multiple AD servers 48793a7873eSAndreas Gohr $opts['domain_controllers'] = explode(',', $opts['domain_controllers']); 48893a7873eSAndreas Gohr $opts['domain_controllers'] = array_map('trim', $opts['domain_controllers']); 48993a7873eSAndreas Gohr $opts['domain_controllers'] = array_filter($opts['domain_controllers']); 49093a7873eSAndreas Gohr 4918257d713SAndreas Gohr // compatibility with old option name 4928257d713SAndreas Gohr if(empty($opts['admin_username']) && !empty($opts['ad_username'])) $opts['admin_username'] = $opts['ad_username']; 4938257d713SAndreas Gohr if(empty($opts['admin_password']) && !empty($opts['ad_password'])) $opts['admin_password'] = $opts['ad_password']; 4948257d713SAndreas Gohr 49593a7873eSAndreas Gohr // we can change the password if SSL is set 49693a7873eSAndreas Gohr if($opts['use_ssl'] || $opts['use_tls']) { 49793a7873eSAndreas Gohr $this->cando['modPass'] = true; 49893a7873eSAndreas Gohr } else { 49993a7873eSAndreas Gohr $this->cando['modPass'] = false; 50093a7873eSAndreas Gohr } 50193a7873eSAndreas Gohr 50212d195abSAndreas Gohr // adLDAP expects empty user/pass as NULL, we're less strict FS#2781 50312d195abSAndreas Gohr if(empty($opts['admin_username'])) $opts['admin_username'] = null; 50412d195abSAndreas Gohr if(empty($opts['admin_password'])) $opts['admin_password'] = null; 50512d195abSAndreas Gohr 50612d195abSAndreas Gohr // user listing needs admin priviledges 5078257d713SAndreas Gohr if(!empty($opts['admin_username']) && !empty($opts['admin_password'])) { 50893a7873eSAndreas Gohr $this->cando['getUsers'] = true; 50993a7873eSAndreas Gohr } else { 5101b228d28SKlap-in $this->cando['getUsers'] = false; 51193a7873eSAndreas Gohr } 51293a7873eSAndreas Gohr 51393a7873eSAndreas Gohr return $opts; 51493a7873eSAndreas Gohr } 51593a7873eSAndreas Gohr 51693a7873eSAndreas Gohr /** 517741b8a48SAndreas Gohr * Returns a list of configured domains 518741b8a48SAndreas Gohr * 519741b8a48SAndreas Gohr * The default domain has an empty string as key 520741b8a48SAndreas Gohr * 521741b8a48SAndreas Gohr * @return array associative array(key => domain) 522741b8a48SAndreas Gohr */ 523741b8a48SAndreas Gohr public function _getConfiguredDomains() { 524741b8a48SAndreas Gohr $domains = array(); 525741b8a48SAndreas Gohr if(empty($this->conf['account_suffix'])) return $domains; // not configured yet 526741b8a48SAndreas Gohr 527741b8a48SAndreas Gohr // add default domain, using the name from account suffix 528741b8a48SAndreas Gohr $domains[''] = ltrim($this->conf['account_suffix'], '@'); 529741b8a48SAndreas Gohr 530741b8a48SAndreas Gohr // find additional domains 531741b8a48SAndreas Gohr foreach($this->conf as $key => $val) { 532741b8a48SAndreas Gohr if(is_array($val) && isset($val['account_suffix'])) { 533741b8a48SAndreas Gohr $domains[$key] = ltrim($val['account_suffix'], '@'); 534741b8a48SAndreas Gohr } 535741b8a48SAndreas Gohr } 536741b8a48SAndreas Gohr ksort($domains); 537741b8a48SAndreas Gohr 538741b8a48SAndreas Gohr return $domains; 539741b8a48SAndreas Gohr } 540741b8a48SAndreas Gohr 541741b8a48SAndreas Gohr /** 54293a7873eSAndreas Gohr * Check provided user and userinfo for matching patterns 54393a7873eSAndreas Gohr * 54493a7873eSAndreas Gohr * The patterns are set up with $this->_constructPattern() 54593a7873eSAndreas Gohr * 54693a7873eSAndreas Gohr * @author Chris Smith <chris@jalakai.co.uk> 54793a7873eSAndreas Gohr * @param string $user 54893a7873eSAndreas Gohr * @param array $info 54993a7873eSAndreas Gohr * @return bool 55093a7873eSAndreas Gohr */ 55193a7873eSAndreas Gohr protected function _filter($user, $info) { 55293a7873eSAndreas Gohr foreach($this->_pattern as $item => $pattern) { 55393a7873eSAndreas Gohr if($item == 'user') { 55493a7873eSAndreas Gohr if(!preg_match($pattern, $user)) return false; 55593a7873eSAndreas Gohr } else if($item == 'grps') { 55693a7873eSAndreas Gohr if(!count(preg_grep($pattern, $info['grps']))) return false; 55793a7873eSAndreas Gohr } else { 55893a7873eSAndreas Gohr if(!preg_match($pattern, $info[$item])) return false; 55993a7873eSAndreas Gohr } 56093a7873eSAndreas Gohr } 56193a7873eSAndreas Gohr return true; 56293a7873eSAndreas Gohr } 56393a7873eSAndreas Gohr 56493a7873eSAndreas Gohr /** 56593a7873eSAndreas Gohr * Create a pattern for $this->_filter() 56693a7873eSAndreas Gohr * 56793a7873eSAndreas Gohr * @author Chris Smith <chris@jalakai.co.uk> 56893a7873eSAndreas Gohr * @param array $filter 56993a7873eSAndreas Gohr */ 57093a7873eSAndreas Gohr protected function _constructPattern($filter) { 571f4476bd9SJan Schumann $this->_pattern = array(); 572f4476bd9SJan Schumann foreach($filter as $item => $pattern) { 573f4476bd9SJan Schumann $this->_pattern[$item] = '/'.str_replace('/', '\/', $pattern).'/i'; // allow regex characters 574f4476bd9SJan Schumann } 575f4476bd9SJan Schumann } 576f4476bd9SJan Schumann} 577