1f4476bd9SJan Schumann<?php 2f4476bd9SJan Schumann// must be run within Dokuwiki 3f4476bd9SJan Schumannif(!defined('DOKU_INC')) die(); 4f4476bd9SJan Schumann 532fd494aSAndreas Gohrrequire_once(DOKU_PLUGIN.'authad/adLDAP/adLDAP.php'); 632fd494aSAndreas Gohr 7f4476bd9SJan Schumann/** 8f4476bd9SJan Schumann * Active Directory authentication backend for DokuWiki 9f4476bd9SJan Schumann * 10f4476bd9SJan Schumann * This makes authentication with a Active Directory server much easier 11f4476bd9SJan Schumann * than when using the normal LDAP backend by utilizing the adLDAP library 12f4476bd9SJan Schumann * 13f4476bd9SJan Schumann * Usage: 14f4476bd9SJan Schumann * Set DokuWiki's local.protected.php auth setting to read 15f4476bd9SJan Schumann * 16f4476bd9SJan Schumann * $conf['authtype'] = 'authad'; 17f4476bd9SJan Schumann * 1832fd494aSAndreas Gohr * $conf['plugin']['authad']['account_suffix'] = '@my.domain.org'; 1932fd494aSAndreas Gohr * $conf['plugin']['authad']['base_dn'] = 'DC=my,DC=domain,DC=org'; 2032fd494aSAndreas Gohr * $conf['plugin']['authad']['domain_controllers'] = 'srv1.domain.org,srv2.domain.org'; 21f4476bd9SJan Schumann * 22f4476bd9SJan Schumann * //optional: 2332fd494aSAndreas Gohr * $conf['plugin']['authad']['sso'] = 1; 243002d731SAndreas Gohr * $conf['plugin']['authad']['admin_username'] = 'root'; 253002d731SAndreas Gohr * $conf['plugin']['authad']['admin_password'] = 'pass'; 2632fd494aSAndreas Gohr * $conf['plugin']['authad']['real_primarygroup'] = 1; 2732fd494aSAndreas Gohr * $conf['plugin']['authad']['use_ssl'] = 1; 2832fd494aSAndreas Gohr * $conf['plugin']['authad']['use_tls'] = 1; 2932fd494aSAndreas Gohr * $conf['plugin']['authad']['debug'] = 1; 3093a7873eSAndreas Gohr * // warn user about expiring password this many days in advance: 3132fd494aSAndreas Gohr * $conf['plugin']['authad']['expirywarn'] = 5; 32f4476bd9SJan Schumann * 33f4476bd9SJan Schumann * // get additional information to the userinfo array 34f4476bd9SJan Schumann * // add a list of comma separated ldap contact fields. 35f4476bd9SJan Schumann * $conf['plugin']['authad']['additional'] = 'field1,field2'; 36f4476bd9SJan Schumann * 37f4476bd9SJan Schumann * @license GPL 2 (http://www.gnu.org/licenses/gpl.html) 38f4476bd9SJan Schumann * @author James Van Lommel <jamesvl@gmail.com> 39f4476bd9SJan Schumann * @link http://www.nosq.com/blog/2005/08/ldap-activedirectory-and-dokuwiki/ 40f4476bd9SJan Schumann * @author Andreas Gohr <andi@splitbrain.org> 41f4476bd9SJan Schumann * @author Jan Schumann <js@schumann-it.com> 42f4476bd9SJan Schumann */ 4393a7873eSAndreas Gohrclass auth_plugin_authad extends DokuWiki_Auth_Plugin { 4432fd494aSAndreas Gohr 4593a7873eSAndreas Gohr /** 4693a7873eSAndreas Gohr * @var array hold connection data for a specific AD domain 4793a7873eSAndreas Gohr */ 4893a7873eSAndreas Gohr protected $opts = array(); 4932fd494aSAndreas Gohr 5093a7873eSAndreas Gohr /** 5193a7873eSAndreas Gohr * @var array open connections for each AD domain, as adLDAP objects 5293a7873eSAndreas Gohr */ 5393a7873eSAndreas Gohr protected $adldap = array(); 5493a7873eSAndreas Gohr 5593a7873eSAndreas Gohr /** 5693a7873eSAndreas Gohr * @var bool message state 5793a7873eSAndreas Gohr */ 5893a7873eSAndreas Gohr protected $msgshown = false; 5993a7873eSAndreas Gohr 6093a7873eSAndreas Gohr /** 6193a7873eSAndreas Gohr * @var array user listing cache 6293a7873eSAndreas Gohr */ 6393a7873eSAndreas Gohr protected $users = array(); 6493a7873eSAndreas Gohr 6593a7873eSAndreas Gohr /** 6693a7873eSAndreas Gohr * @var array filter patterns for listing users 6793a7873eSAndreas Gohr */ 6893a7873eSAndreas Gohr protected $_pattern = array(); 69f4476bd9SJan Schumann 70f4476bd9SJan Schumann /** 71f4476bd9SJan Schumann * Constructor 72f4476bd9SJan Schumann */ 7393a7873eSAndreas Gohr public function __construct() { 7400d58927SMichael Hamann global $INPUT; 75454d868bSAndreas Gohr parent::__construct(); 76454d868bSAndreas Gohr 7732fd494aSAndreas Gohr // we load the config early to modify it a bit here 7832fd494aSAndreas Gohr $this->loadConfig(); 79f4476bd9SJan Schumann 80f4476bd9SJan Schumann // additional information fields 8132fd494aSAndreas Gohr if(isset($this->conf['additional'])) { 8232fd494aSAndreas Gohr $this->conf['additional'] = str_replace(' ', '', $this->conf['additional']); 8332fd494aSAndreas Gohr $this->conf['additional'] = explode(',', $this->conf['additional']); 8432fd494aSAndreas Gohr } else $this->conf['additional'] = array(); 85f4476bd9SJan Schumann 86f4476bd9SJan Schumann // ldap extension is needed 87f4476bd9SJan Schumann if(!function_exists('ldap_connect')) { 8832fd494aSAndreas Gohr if($this->conf['debug']) 89f4476bd9SJan Schumann msg("AD Auth: PHP LDAP extension not found.", -1); 90f4476bd9SJan Schumann $this->success = false; 91f4476bd9SJan Schumann return; 92f4476bd9SJan Schumann } 93f4476bd9SJan Schumann 94f4476bd9SJan Schumann // Prepare SSO 95d34a2a38SAndreas Gohr if(!empty($_SERVER['REMOTE_USER'])) { 96d34a2a38SAndreas Gohr 97d34a2a38SAndreas Gohr // make sure the right encoding is used 98d34a2a38SAndreas Gohr if($this->getConf('sso_charset')) { 99d34a2a38SAndreas Gohr $_SERVER['REMOTE_USER'] = iconv($this->getConf('sso_charset'), 'UTF-8', $_SERVER['REMOTE_USER']); 100d34a2a38SAndreas Gohr } elseif(!utf8_check($_SERVER['REMOTE_USER'])) { 10193a7873eSAndreas Gohr $_SERVER['REMOTE_USER'] = utf8_encode($_SERVER['REMOTE_USER']); 10293a7873eSAndreas Gohr } 103d34a2a38SAndreas Gohr 104d34a2a38SAndreas Gohr // trust the incoming user 105d34a2a38SAndreas Gohr if($this->conf['sso']) { 10693a7873eSAndreas Gohr $_SERVER['REMOTE_USER'] = $this->cleanUser($_SERVER['REMOTE_USER']); 107f4476bd9SJan Schumann 108f4476bd9SJan Schumann // we need to simulate a login 109f4476bd9SJan Schumann if(empty($_COOKIE[DOKU_COOKIE])) { 11000d58927SMichael Hamann $INPUT->set('u', $_SERVER['REMOTE_USER']); 11100d58927SMichael Hamann $INPUT->set('p', 'sso_only'); 112f4476bd9SJan Schumann } 113f4476bd9SJan Schumann } 114d34a2a38SAndreas Gohr } 115f4476bd9SJan Schumann 11693a7873eSAndreas Gohr // other can do's are changed in $this->_loadServerConfig() base on domain setup 117f4476bd9SJan Schumann $this->cando['modName'] = true; 118f4476bd9SJan Schumann $this->cando['modMail'] = true; 119f4476bd9SJan Schumann } 120f4476bd9SJan Schumann 121f4476bd9SJan Schumann /** 122a154806fSAndreas Gohr * Load domain config on capability check 123a154806fSAndreas Gohr * 124a154806fSAndreas Gohr * @param string $cap 125a154806fSAndreas Gohr * @return bool 126a154806fSAndreas Gohr */ 127a154806fSAndreas Gohr public function canDo($cap) { 128a154806fSAndreas Gohr //capabilities depend on config, which may change depending on domain 129a154806fSAndreas Gohr $domain = $this->_userDomain($_SERVER['REMOTE_USER']); 130a154806fSAndreas Gohr $this->_loadServerConfig($domain); 131a154806fSAndreas Gohr return parent::canDo($cap); 132a154806fSAndreas Gohr } 133a154806fSAndreas Gohr 134a154806fSAndreas Gohr /** 135f4476bd9SJan Schumann * Check user+password [required auth function] 136f4476bd9SJan Schumann * 137f4476bd9SJan Schumann * Checks if the given user exists and the given 138f4476bd9SJan Schumann * plaintext password is correct by trying to bind 139f4476bd9SJan Schumann * to the LDAP server 140f4476bd9SJan Schumann * 141f4476bd9SJan Schumann * @author James Van Lommel <james@nosq.com> 14293a7873eSAndreas Gohr * @param string $user 14393a7873eSAndreas Gohr * @param string $pass 144f4476bd9SJan Schumann * @return bool 145f4476bd9SJan Schumann */ 14693a7873eSAndreas Gohr public function checkPass($user, $pass) { 147f4476bd9SJan Schumann if($_SERVER['REMOTE_USER'] && 148f4476bd9SJan Schumann $_SERVER['REMOTE_USER'] == $user && 14932fd494aSAndreas Gohr $this->conf['sso'] 15093a7873eSAndreas Gohr ) return true; 151f4476bd9SJan Schumann 15293a7873eSAndreas Gohr $adldap = $this->_adldap($this->_userDomain($user)); 15393a7873eSAndreas Gohr if(!$adldap) return false; 15493a7873eSAndreas Gohr 15593a7873eSAndreas Gohr return $adldap->authenticate($this->_userName($user), $pass); 156f4476bd9SJan Schumann } 157f4476bd9SJan Schumann 158f4476bd9SJan Schumann /** 159f4476bd9SJan Schumann * Return user info [required auth function] 160f4476bd9SJan Schumann * 161f4476bd9SJan Schumann * Returns info about the given user needs to contain 162f4476bd9SJan Schumann * at least these fields: 163f4476bd9SJan Schumann * 164f4476bd9SJan Schumann * name string full name of the user 165f4476bd9SJan Schumann * mail string email address of the user 166f4476bd9SJan Schumann * grps array list of groups the user is in 167f4476bd9SJan Schumann * 16893a7873eSAndreas Gohr * This AD specific function returns the following 169f4476bd9SJan Schumann * addional fields: 170f4476bd9SJan Schumann * 171f4476bd9SJan Schumann * dn string distinguished name (DN) 17293a7873eSAndreas Gohr * uid string samaccountname 17393a7873eSAndreas Gohr * lastpwd int timestamp of the date when the password was set 17493a7873eSAndreas Gohr * expires true if the password expires 17593a7873eSAndreas Gohr * expiresin int seconds until the password expires 17693a7873eSAndreas Gohr * any fields specified in the 'additional' config option 177f4476bd9SJan Schumann * 178f4476bd9SJan Schumann * @author James Van Lommel <james@nosq.com> 17993a7873eSAndreas Gohr * @param string $user 18093a7873eSAndreas Gohr * @return array 181f4476bd9SJan Schumann */ 18293a7873eSAndreas Gohr public function getUserData($user) { 183f4476bd9SJan Schumann global $conf; 18493a7873eSAndreas Gohr global $lang; 18593a7873eSAndreas Gohr global $ID; 18693a7873eSAndreas Gohr $adldap = $this->_adldap($this->_userDomain($user)); 18793a7873eSAndreas Gohr if(!$adldap) return false; 188f4476bd9SJan Schumann 18993a7873eSAndreas Gohr if($user == '') return array(); 19093a7873eSAndreas Gohr 19193a7873eSAndreas Gohr $fields = array('mail', 'displayname', 'samaccountname', 'lastpwd', 'pwdlastset', 'useraccountcontrol'); 192f4476bd9SJan Schumann 193f4476bd9SJan Schumann // add additional fields to read 19432fd494aSAndreas Gohr $fields = array_merge($fields, $this->conf['additional']); 195f4476bd9SJan Schumann $fields = array_unique($fields); 19614642325SAndreas Gohr $fields = array_filter($fields); 197f4476bd9SJan Schumann 198f4476bd9SJan Schumann //get info for given user 19932fd494aSAndreas Gohr $result = $adldap->user()->info($this->_userName($user), $fields); 20093a7873eSAndreas Gohr if($result == false){ 20193a7873eSAndreas Gohr return array(); 20293a7873eSAndreas Gohr } 20393a7873eSAndreas Gohr 204f4476bd9SJan Schumann //general user info 205f4476bd9SJan Schumann $info['name'] = $result[0]['displayname'][0]; 206f4476bd9SJan Schumann $info['mail'] = $result[0]['mail'][0]; 207f4476bd9SJan Schumann $info['uid'] = $result[0]['samaccountname'][0]; 208f4476bd9SJan Schumann $info['dn'] = $result[0]['dn']; 20993a7873eSAndreas Gohr //last password set (Windows counts from January 1st 1601) 21093a7873eSAndreas Gohr $info['lastpwd'] = $result[0]['pwdlastset'][0] / 10000000 - 11644473600; 21193a7873eSAndreas Gohr //will it expire? 21293a7873eSAndreas Gohr $info['expires'] = !($result[0]['useraccountcontrol'][0] & 0x10000); //ADS_UF_DONT_EXPIRE_PASSWD 213f4476bd9SJan Schumann 214f4476bd9SJan Schumann // additional information 21532fd494aSAndreas Gohr foreach($this->conf['additional'] as $field) { 216f4476bd9SJan Schumann if(isset($result[0][strtolower($field)])) { 217f4476bd9SJan Schumann $info[$field] = $result[0][strtolower($field)][0]; 218f4476bd9SJan Schumann } 219f4476bd9SJan Schumann } 220f4476bd9SJan Schumann 221f4476bd9SJan Schumann // handle ActiveDirectory memberOf 22232fd494aSAndreas Gohr $info['grps'] = $adldap->user()->groups($this->_userName($user),(bool) $this->opts['recursive_groups']); 223f4476bd9SJan Schumann 224f4476bd9SJan Schumann if(is_array($info['grps'])) { 225f4476bd9SJan Schumann foreach($info['grps'] as $ndx => $group) { 226f4476bd9SJan Schumann $info['grps'][$ndx] = $this->cleanGroup($group); 227f4476bd9SJan Schumann } 228f4476bd9SJan Schumann } 229f4476bd9SJan Schumann 230f4476bd9SJan Schumann // always add the default group to the list of groups 231f4476bd9SJan Schumann if(!is_array($info['grps']) || !in_array($conf['defaultgroup'], $info['grps'])) { 232f4476bd9SJan Schumann $info['grps'][] = $conf['defaultgroup']; 233f4476bd9SJan Schumann } 234f4476bd9SJan Schumann 23593a7873eSAndreas Gohr // add the user's domain to the groups 23693a7873eSAndreas Gohr $domain = $this->_userDomain($user); 23793a7873eSAndreas Gohr if($domain && !in_array("domain-$domain", (array) $info['grps'])) { 23893a7873eSAndreas Gohr $info['grps'][] = $this->cleanGroup("domain-$domain"); 23993a7873eSAndreas Gohr } 24093a7873eSAndreas Gohr 24193a7873eSAndreas Gohr // check expiry time 24232fd494aSAndreas Gohr if($info['expires'] && $this->conf['expirywarn']){ 2431e52e72aSAndreas Gohr $expiry = $adldap->user()->passwordExpiry($user); 2441e52e72aSAndreas Gohr if(is_array($expiry)){ 2451e52e72aSAndreas Gohr $info['expiresat'] = $expiry['expiryts']; 2461e52e72aSAndreas Gohr $info['expiresin'] = round(($info['expiresat'] - time())/(24*60*60)); 24793a7873eSAndreas Gohr 24893a7873eSAndreas Gohr // if this is the current user, warn him (once per request only) 24993a7873eSAndreas Gohr if(($_SERVER['REMOTE_USER'] == $user) && 2501e52e72aSAndreas Gohr ($info['expiresin'] <= $this->conf['expirywarn']) && 25193a7873eSAndreas Gohr !$this->msgshown 25293a7873eSAndreas Gohr ) { 2531e52e72aSAndreas Gohr $msg = sprintf($lang['authpwdexpire'], $info['expiresin']); 25493a7873eSAndreas Gohr if($this->canDo('modPass')) { 25593a7873eSAndreas Gohr $url = wl($ID, array('do'=> 'profile')); 25693a7873eSAndreas Gohr $msg .= ' <a href="'.$url.'">'.$lang['btn_profile'].'</a>'; 25793a7873eSAndreas Gohr } 25893a7873eSAndreas Gohr msg($msg); 25993a7873eSAndreas Gohr $this->msgshown = true; 26093a7873eSAndreas Gohr } 26193a7873eSAndreas Gohr } 2621e52e72aSAndreas Gohr } 26393a7873eSAndreas Gohr 264f4476bd9SJan Schumann return $info; 265f4476bd9SJan Schumann } 266f4476bd9SJan Schumann 267f4476bd9SJan Schumann /** 268f4476bd9SJan Schumann * Make AD group names usable by DokuWiki. 269f4476bd9SJan Schumann * 270f4476bd9SJan Schumann * Removes backslashes ('\'), pound signs ('#'), and converts spaces to underscores. 271f4476bd9SJan Schumann * 272f4476bd9SJan Schumann * @author James Van Lommel (jamesvl@gmail.com) 27393a7873eSAndreas Gohr * @param string $group 27493a7873eSAndreas Gohr * @return string 275f4476bd9SJan Schumann */ 27693a7873eSAndreas Gohr public function cleanGroup($group) { 27793a7873eSAndreas Gohr $group = str_replace('\\', '', $group); 27893a7873eSAndreas Gohr $group = str_replace('#', '', $group); 27993a7873eSAndreas Gohr $group = preg_replace('[\s]', '_', $group); 28093a7873eSAndreas Gohr $group = utf8_strtolower(trim($group)); 28193a7873eSAndreas Gohr return $group; 282f4476bd9SJan Schumann } 283f4476bd9SJan Schumann 284f4476bd9SJan Schumann /** 285f4476bd9SJan Schumann * Sanitize user names 28693a7873eSAndreas Gohr * 28793a7873eSAndreas Gohr * Normalizes domain parts, does not modify the user name itself (unlike cleanGroup) 28893a7873eSAndreas Gohr * 28993a7873eSAndreas Gohr * @author Andreas Gohr <gohr@cosmocode.de> 29093a7873eSAndreas Gohr * @param string $user 29193a7873eSAndreas Gohr * @return string 292f4476bd9SJan Schumann */ 29393a7873eSAndreas Gohr public function cleanUser($user) { 29493a7873eSAndreas Gohr $domain = ''; 29593a7873eSAndreas Gohr 29693a7873eSAndreas Gohr // get NTLM or Kerberos domain part 29793a7873eSAndreas Gohr list($dom, $user) = explode('\\', $user, 2); 29893a7873eSAndreas Gohr if(!$user) $user = $dom; 29993a7873eSAndreas Gohr if($dom) $domain = $dom; 30093a7873eSAndreas Gohr list($user, $dom) = explode('@', $user, 2); 30193a7873eSAndreas Gohr if($dom) $domain = $dom; 30293a7873eSAndreas Gohr 30393a7873eSAndreas Gohr // clean up both 30493a7873eSAndreas Gohr $domain = utf8_strtolower(trim($domain)); 30593a7873eSAndreas Gohr $user = utf8_strtolower(trim($user)); 30693a7873eSAndreas Gohr 30793a7873eSAndreas Gohr // is this a known, valid domain? if not discard 30832fd494aSAndreas Gohr if(!is_array($this->conf[$domain])) { 30993a7873eSAndreas Gohr $domain = ''; 31093a7873eSAndreas Gohr } 31193a7873eSAndreas Gohr 31293a7873eSAndreas Gohr // reattach domain 31393a7873eSAndreas Gohr if($domain) $user = "$user@$domain"; 31493a7873eSAndreas Gohr return $user; 315f4476bd9SJan Schumann } 316f4476bd9SJan Schumann 317f4476bd9SJan Schumann /** 318f4476bd9SJan Schumann * Most values in LDAP are case-insensitive 31993a7873eSAndreas Gohr * 32093a7873eSAndreas Gohr * @return bool 321f4476bd9SJan Schumann */ 32293a7873eSAndreas Gohr public function isCaseSensitive() { 323f4476bd9SJan Schumann return false; 324f4476bd9SJan Schumann } 325f4476bd9SJan Schumann 326f4476bd9SJan Schumann /** 327f4476bd9SJan Schumann * Bulk retrieval of user data 328f4476bd9SJan Schumann * 329f4476bd9SJan Schumann * @author Dominik Eckelmann <dokuwiki@cosmocode.de> 33093a7873eSAndreas Gohr * @param int $start index of first user to be returned 33193a7873eSAndreas Gohr * @param int $limit max number of users to be returned 33293a7873eSAndreas Gohr * @param array $filter array of field/pattern pairs, null for no filter 33393a7873eSAndreas Gohr * @return array userinfo (refer getUserData for internal userinfo details) 334f4476bd9SJan Schumann */ 33593a7873eSAndreas Gohr public function retrieveUsers($start = 0, $limit = -1, $filter = array()) { 33693a7873eSAndreas Gohr $adldap = $this->_adldap(null); 33793a7873eSAndreas Gohr if(!$adldap) return false; 338f4476bd9SJan Schumann 339f4476bd9SJan Schumann if($this->users === null) { 340f4476bd9SJan Schumann //get info for given user 34132fd494aSAndreas Gohr $result = $adldap->user()->all(); 342f4476bd9SJan Schumann if (!$result) return array(); 343f4476bd9SJan Schumann $this->users = array_fill_keys($result, false); 344f4476bd9SJan Schumann } 345f4476bd9SJan Schumann 346f4476bd9SJan Schumann $i = 0; 347f4476bd9SJan Schumann $count = 0; 348f4476bd9SJan Schumann $this->_constructPattern($filter); 349f4476bd9SJan Schumann $result = array(); 350f4476bd9SJan Schumann 351f4476bd9SJan Schumann foreach($this->users as $user => &$info) { 352f4476bd9SJan Schumann if($i++ < $start) { 353f4476bd9SJan Schumann continue; 354f4476bd9SJan Schumann } 355f4476bd9SJan Schumann if($info === false) { 356f4476bd9SJan Schumann $info = $this->getUserData($user); 357f4476bd9SJan Schumann } 358f4476bd9SJan Schumann if($this->_filter($user, $info)) { 359f4476bd9SJan Schumann $result[$user] = $info; 360f4476bd9SJan Schumann if(($limit >= 0) && (++$count >= $limit)) break; 361f4476bd9SJan Schumann } 362f4476bd9SJan Schumann } 363f4476bd9SJan Schumann return $result; 364f4476bd9SJan Schumann } 365f4476bd9SJan Schumann 366f4476bd9SJan Schumann /** 367f4476bd9SJan Schumann * Modify user data 368f4476bd9SJan Schumann * 36993a7873eSAndreas Gohr * @param string $user nick of the user to be changed 37093a7873eSAndreas Gohr * @param array $changes array of field/value pairs to be changed 371f4476bd9SJan Schumann * @return bool 372f4476bd9SJan Schumann */ 37393a7873eSAndreas Gohr public function modifyUser($user, $changes) { 374f4476bd9SJan Schumann $return = true; 37593a7873eSAndreas Gohr $adldap = $this->_adldap($this->_userDomain($user)); 37693a7873eSAndreas Gohr if(!$adldap) return false; 377f4476bd9SJan Schumann 378f4476bd9SJan Schumann // password changing 379f4476bd9SJan Schumann if(isset($changes['pass'])) { 380f4476bd9SJan Schumann try { 38132fd494aSAndreas Gohr $return = $adldap->user()->password($this->_userName($user),$changes['pass']); 382f4476bd9SJan Schumann } catch (adLDAPException $e) { 38332fd494aSAndreas Gohr if ($this->conf['debug']) msg('AD Auth: '.$e->getMessage(), -1); 384f4476bd9SJan Schumann $return = false; 385f4476bd9SJan Schumann } 386f4476bd9SJan Schumann if(!$return) msg('AD Auth: failed to change the password. Maybe the password policy was not met?', -1); 387f4476bd9SJan Schumann } 388f4476bd9SJan Schumann 389f4476bd9SJan Schumann // changing user data 390f4476bd9SJan Schumann $adchanges = array(); 391f4476bd9SJan Schumann if(isset($changes['name'])) { 392f4476bd9SJan Schumann // get first and last name 393f4476bd9SJan Schumann $parts = explode(' ', $changes['name']); 394f4476bd9SJan Schumann $adchanges['surname'] = array_pop($parts); 395f4476bd9SJan Schumann $adchanges['firstname'] = join(' ', $parts); 396f4476bd9SJan Schumann $adchanges['display_name'] = $changes['name']; 397f4476bd9SJan Schumann } 398f4476bd9SJan Schumann if(isset($changes['mail'])) { 399f4476bd9SJan Schumann $adchanges['email'] = $changes['mail']; 400f4476bd9SJan Schumann } 401f4476bd9SJan Schumann if(count($adchanges)) { 402f4476bd9SJan Schumann try { 40332fd494aSAndreas Gohr $return = $return & $adldap->user()->modify($this->_userName($user),$adchanges); 404f4476bd9SJan Schumann } catch (adLDAPException $e) { 40532fd494aSAndreas Gohr if ($this->conf['debug']) msg('AD Auth: '.$e->getMessage(), -1); 406f4476bd9SJan Schumann $return = false; 407f4476bd9SJan Schumann } 408f4476bd9SJan Schumann } 409f4476bd9SJan Schumann 410f4476bd9SJan Schumann return $return; 411f4476bd9SJan Schumann } 412f4476bd9SJan Schumann 413f4476bd9SJan Schumann /** 414f4476bd9SJan Schumann * Initialize the AdLDAP library and connect to the server 41593a7873eSAndreas Gohr * 41693a7873eSAndreas Gohr * When you pass null as domain, it will reuse any existing domain. 41793a7873eSAndreas Gohr * Eg. the one of the logged in user. It falls back to the default 41893a7873eSAndreas Gohr * domain if no current one is available. 41993a7873eSAndreas Gohr * 42093a7873eSAndreas Gohr * @param string|null $domain The AD domain to use 42193a7873eSAndreas Gohr * @return adLDAP|bool true if a connection was established 422f4476bd9SJan Schumann */ 42393a7873eSAndreas Gohr protected function _adldap($domain) { 42493a7873eSAndreas Gohr if(is_null($domain) && is_array($this->opts)) { 42593a7873eSAndreas Gohr $domain = $this->opts['domain']; 42693a7873eSAndreas Gohr } 42793a7873eSAndreas Gohr 42893a7873eSAndreas Gohr $this->opts = $this->_loadServerConfig((string) $domain); 42993a7873eSAndreas Gohr if(isset($this->adldap[$domain])) return $this->adldap[$domain]; 430f4476bd9SJan Schumann 431f4476bd9SJan Schumann // connect 432f4476bd9SJan Schumann try { 43393a7873eSAndreas Gohr $this->adldap[$domain] = new adLDAP($this->opts); 43493a7873eSAndreas Gohr return $this->adldap[$domain]; 435f4476bd9SJan Schumann } catch(adLDAPException $e) { 43632fd494aSAndreas Gohr if($this->conf['debug']) { 437f4476bd9SJan Schumann msg('AD Auth: '.$e->getMessage(), -1); 438f4476bd9SJan Schumann } 439f4476bd9SJan Schumann $this->success = false; 44093a7873eSAndreas Gohr $this->adldap[$domain] = null; 441f4476bd9SJan Schumann } 442f4476bd9SJan Schumann return false; 443f4476bd9SJan Schumann } 444f4476bd9SJan Schumann 445f4476bd9SJan Schumann /** 44693a7873eSAndreas Gohr * Get the domain part from a user 447f4476bd9SJan Schumann * 44893a7873eSAndreas Gohr * @param $user 44993a7873eSAndreas Gohr * @return string 450f4476bd9SJan Schumann */ 45193a7873eSAndreas Gohr public function _userDomain($user) { 45293a7873eSAndreas Gohr list(, $domain) = explode('@', $user, 2); 45393a7873eSAndreas Gohr return $domain; 454f4476bd9SJan Schumann } 455f4476bd9SJan Schumann 45693a7873eSAndreas Gohr /** 45793a7873eSAndreas Gohr * Get the user part from a user 45893a7873eSAndreas Gohr * 45993a7873eSAndreas Gohr * @param $user 46093a7873eSAndreas Gohr * @return string 46193a7873eSAndreas Gohr */ 46293a7873eSAndreas Gohr public function _userName($user) { 46393a7873eSAndreas Gohr list($name) = explode('@', $user, 2); 46493a7873eSAndreas Gohr return $name; 46593a7873eSAndreas Gohr } 46693a7873eSAndreas Gohr 46793a7873eSAndreas Gohr /** 46893a7873eSAndreas Gohr * Fetch the configuration for the given AD domain 46993a7873eSAndreas Gohr * 47093a7873eSAndreas Gohr * @param string $domain current AD domain 47193a7873eSAndreas Gohr * @return array 47293a7873eSAndreas Gohr */ 47393a7873eSAndreas Gohr protected function _loadServerConfig($domain) { 47493a7873eSAndreas Gohr // prepare adLDAP standard configuration 47532fd494aSAndreas Gohr $opts = $this->conf; 47693a7873eSAndreas Gohr 47793a7873eSAndreas Gohr $opts['domain'] = $domain; 47893a7873eSAndreas Gohr 47993a7873eSAndreas Gohr // add possible domain specific configuration 48032fd494aSAndreas Gohr if($domain && is_array($this->conf[$domain])) foreach($this->conf[$domain] as $key => $val) { 48193a7873eSAndreas Gohr $opts[$key] = $val; 48293a7873eSAndreas Gohr } 48393a7873eSAndreas Gohr 48493a7873eSAndreas Gohr // handle multiple AD servers 48593a7873eSAndreas Gohr $opts['domain_controllers'] = explode(',', $opts['domain_controllers']); 48693a7873eSAndreas Gohr $opts['domain_controllers'] = array_map('trim', $opts['domain_controllers']); 48793a7873eSAndreas Gohr $opts['domain_controllers'] = array_filter($opts['domain_controllers']); 48893a7873eSAndreas Gohr 4898257d713SAndreas Gohr // compatibility with old option name 4908257d713SAndreas Gohr if(empty($opts['admin_username']) && !empty($opts['ad_username'])) $opts['admin_username'] = $opts['ad_username']; 4918257d713SAndreas Gohr if(empty($opts['admin_password']) && !empty($opts['ad_password'])) $opts['admin_password'] = $opts['ad_password']; 4928257d713SAndreas Gohr 49393a7873eSAndreas Gohr // we can change the password if SSL is set 49493a7873eSAndreas Gohr if($opts['use_ssl'] || $opts['use_tls']) { 49593a7873eSAndreas Gohr $this->cando['modPass'] = true; 49693a7873eSAndreas Gohr } else { 49793a7873eSAndreas Gohr $this->cando['modPass'] = false; 49893a7873eSAndreas Gohr } 49993a7873eSAndreas Gohr 50012d195abSAndreas Gohr // adLDAP expects empty user/pass as NULL, we're less strict FS#2781 50112d195abSAndreas Gohr if(empty($opts['admin_username'])) $opts['admin_username'] = null; 50212d195abSAndreas Gohr if(empty($opts['admin_password'])) $opts['admin_password'] = null; 50312d195abSAndreas Gohr 50412d195abSAndreas Gohr // user listing needs admin priviledges 5058257d713SAndreas Gohr if(!empty($opts['admin_username']) && !empty($opts['admin_password'])) { 50693a7873eSAndreas Gohr $this->cando['getUsers'] = true; 50793a7873eSAndreas Gohr } else { 5081b228d28SKlap-in $this->cando['getUsers'] = false; 50993a7873eSAndreas Gohr } 51093a7873eSAndreas Gohr 51193a7873eSAndreas Gohr return $opts; 51293a7873eSAndreas Gohr } 51393a7873eSAndreas Gohr 51493a7873eSAndreas Gohr /** 515*741b8a48SAndreas Gohr * Returns a list of configured domains 516*741b8a48SAndreas Gohr * 517*741b8a48SAndreas Gohr * The default domain has an empty string as key 518*741b8a48SAndreas Gohr * 519*741b8a48SAndreas Gohr * @return array associative array(key => domain) 520*741b8a48SAndreas Gohr */ 521*741b8a48SAndreas Gohr public function _getConfiguredDomains() { 522*741b8a48SAndreas Gohr $domains = array(); 523*741b8a48SAndreas Gohr if(empty($this->conf['account_suffix'])) return $domains; // not configured yet 524*741b8a48SAndreas Gohr 525*741b8a48SAndreas Gohr // add default domain, using the name from account suffix 526*741b8a48SAndreas Gohr $domains[''] = ltrim($this->conf['account_suffix'], '@'); 527*741b8a48SAndreas Gohr 528*741b8a48SAndreas Gohr // find additional domains 529*741b8a48SAndreas Gohr foreach($this->conf as $key => $val) { 530*741b8a48SAndreas Gohr if(is_array($val) && isset($val['account_suffix'])) { 531*741b8a48SAndreas Gohr $domains[$key] = ltrim($val['account_suffix'], '@'); 532*741b8a48SAndreas Gohr } 533*741b8a48SAndreas Gohr } 534*741b8a48SAndreas Gohr ksort($domains); 535*741b8a48SAndreas Gohr 536*741b8a48SAndreas Gohr return $domains; 537*741b8a48SAndreas Gohr } 538*741b8a48SAndreas Gohr 539*741b8a48SAndreas Gohr /** 54093a7873eSAndreas Gohr * Check provided user and userinfo for matching patterns 54193a7873eSAndreas Gohr * 54293a7873eSAndreas Gohr * The patterns are set up with $this->_constructPattern() 54393a7873eSAndreas Gohr * 54493a7873eSAndreas Gohr * @author Chris Smith <chris@jalakai.co.uk> 54593a7873eSAndreas Gohr * @param string $user 54693a7873eSAndreas Gohr * @param array $info 54793a7873eSAndreas Gohr * @return bool 54893a7873eSAndreas Gohr */ 54993a7873eSAndreas Gohr protected function _filter($user, $info) { 55093a7873eSAndreas Gohr foreach($this->_pattern as $item => $pattern) { 55193a7873eSAndreas Gohr if($item == 'user') { 55293a7873eSAndreas Gohr if(!preg_match($pattern, $user)) return false; 55393a7873eSAndreas Gohr } else if($item == 'grps') { 55493a7873eSAndreas Gohr if(!count(preg_grep($pattern, $info['grps']))) return false; 55593a7873eSAndreas Gohr } else { 55693a7873eSAndreas Gohr if(!preg_match($pattern, $info[$item])) return false; 55793a7873eSAndreas Gohr } 55893a7873eSAndreas Gohr } 55993a7873eSAndreas Gohr return true; 56093a7873eSAndreas Gohr } 56193a7873eSAndreas Gohr 56293a7873eSAndreas Gohr /** 56393a7873eSAndreas Gohr * Create a pattern for $this->_filter() 56493a7873eSAndreas Gohr * 56593a7873eSAndreas Gohr * @author Chris Smith <chris@jalakai.co.uk> 56693a7873eSAndreas Gohr * @param array $filter 56793a7873eSAndreas Gohr */ 56893a7873eSAndreas Gohr protected function _constructPattern($filter) { 569f4476bd9SJan Schumann $this->_pattern = array(); 570f4476bd9SJan Schumann foreach($filter as $item => $pattern) { 571f4476bd9SJan Schumann $this->_pattern[$item] = '/'.str_replace('/', '\/', $pattern).'/i'; // allow regex characters 572f4476bd9SJan Schumann } 573f4476bd9SJan Schumann } 574f4476bd9SJan Schumann} 575