1<?php
2use dokuwiki\Utf8\Sort;
3
4/**
5 * LDAP authentication backend
6 *
7 * @license   GPL 2 (http://www.gnu.org/licenses/gpl.html)
8 * @author    Andreas Gohr <andi@splitbrain.org>
9 * @author    Chris Smith <chris@jalakaic.co.uk>
10 * @author    Jan Schumann <js@schumann-it.com>
11 */
12class auth_plugin_authldap extends DokuWiki_Auth_Plugin
13{
14    /* @var resource $con holds the LDAP connection */
15    protected $con = null;
16
17    /* @var int $bound What type of connection does already exist? */
18    protected $bound = 0; // 0: anonymous, 1: user, 2: superuser
19
20    /* @var array $users User data cache */
21    protected $users = null;
22
23    /* @var array $pattern User filter pattern */
24    protected $pattern = null;
25
26    /**
27     * Constructor
28     */
29    public function __construct()
30    {
31        parent::__construct();
32
33        // ldap extension is needed
34        if (!function_exists('ldap_connect')) {
35            $this->debug("LDAP err: PHP LDAP extension not found.", -1, __LINE__, __FILE__);
36            $this->success = false;
37            return;
38        }
39
40        // Add the capabilities to change the password
41        $this->cando['modPass'] = $this->getConf('modPass');
42    }
43
44    /**
45     * Check user+password
46     *
47     * Checks if the given user exists and the given
48     * plaintext password is correct by trying to bind
49     * to the LDAP server
50     *
51     * @param string $user
52     * @param string $pass
53     * @return  bool
54     * @author  Andreas Gohr <andi@splitbrain.org>
55     */
56    public function checkPass($user, $pass)
57    {
58        // reject empty password
59        if (empty($pass)) return false;
60        if (!$this->openLDAP()) return false;
61
62        // indirect user bind
63        if ($this->getConf('binddn') && $this->getConf('bindpw')) {
64            // use superuser credentials
65            if (!@ldap_bind($this->con, $this->getConf('binddn'), conf_decodeString($this->getConf('bindpw')))) {
66                $this->debug('LDAP bind as superuser: ' . hsc(ldap_error($this->con)), 0, __LINE__, __FILE__);
67                return false;
68            }
69            $this->bound = 2;
70        } elseif ($this->getConf('binddn') &&
71            $this->getConf('usertree') &&
72            $this->getConf('userfilter')
73        ) {
74            // special bind string
75            $dn = $this->makeFilter(
76                $this->getConf('binddn'),
77                array('user' => $user, 'server' => $this->getConf('server'))
78            );
79        } elseif (strpos($this->getConf('usertree'), '%{user}')) {
80            // direct user bind
81            $dn = $this->makeFilter(
82                $this->getConf('usertree'),
83                array('user' => $user, 'server' => $this->getConf('server'))
84            );
85        } else {
86            // Anonymous bind
87            if (!@ldap_bind($this->con)) {
88                msg("LDAP: can not bind anonymously", -1);
89                $this->debug('LDAP anonymous bind: ' . hsc(ldap_error($this->con)), 0, __LINE__, __FILE__);
90                return false;
91            }
92        }
93
94        // Try to bind to with the dn if we have one.
95        if (!empty($dn)) {
96            // User/Password bind
97            if (!@ldap_bind($this->con, $dn, $pass)) {
98                $this->debug("LDAP: bind with $dn failed", -1, __LINE__, __FILE__);
99                $this->debug('LDAP user dn bind: ' . hsc(ldap_error($this->con)), 0, __LINE__, __FILE__);
100                return false;
101            }
102            $this->bound = 1;
103            return true;
104        } else {
105            // See if we can find the user
106            $info = $this->fetchUserData($user, true);
107            if (empty($info['dn'])) {
108                return false;
109            } else {
110                $dn = $info['dn'];
111            }
112
113            // Try to bind with the dn provided
114            if (!@ldap_bind($this->con, $dn, $pass)) {
115                $this->debug("LDAP: bind with $dn failed", -1, __LINE__, __FILE__);
116                $this->debug('LDAP user bind: ' . hsc(ldap_error($this->con)), 0, __LINE__, __FILE__);
117                return false;
118            }
119            $this->bound = 1;
120            return true;
121        }
122    }
123
124    /**
125     * Return user info
126     *
127     * Returns info about the given user needs to contain
128     * at least these fields:
129     *
130     * name string  full name of the user
131     * mail string  email addres of the user
132     * grps array   list of groups the user is in
133     *
134     * This LDAP specific function returns the following
135     * addional fields:
136     *
137     * dn     string  distinguished name (DN)
138     * uid    string  Posix User ID
139     * inbind bool    for internal use - avoid loop in binding
140     *
141     * @param string $user
142     * @param bool $requireGroups (optional) - ignored, groups are always supplied by this plugin
143     * @return  array containing user data or false
144     * @author  <evaldas.auryla@pheur.org>
145     * @author  Stephane Chazelas <stephane.chazelas@emerson.com>
146     * @author  Steffen Schoch <schoch@dsb.net>
147     *
148     * @author  Andreas Gohr <andi@splitbrain.org>
149     * @author  Trouble
150     * @author  Dan Allen <dan.j.allen@gmail.com>
151     */
152    public function getUserData($user, $requireGroups = true)
153    {
154        return $this->fetchUserData($user);
155    }
156
157    /**
158     * @param string $user
159     * @param bool $inbind authldap specific, true if in bind phase
160     * @return  array containing user data or false
161     */
162    protected function fetchUserData($user, $inbind = false)
163    {
164        global $conf;
165        if (!$this->openLDAP()) return array();
166
167        // force superuser bind if wanted and not bound as superuser yet
168        if ($this->getConf('binddn') && $this->getConf('bindpw') && $this->bound < 2) {
169            // use superuser credentials
170            if (!@ldap_bind($this->con, $this->getConf('binddn'), conf_decodeString($this->getConf('bindpw')))) {
171                $this->debug('LDAP bind as superuser: ' . hsc(ldap_error($this->con)), 0, __LINE__, __FILE__);
172                return array();
173            }
174            $this->bound = 2;
175        } elseif ($this->bound == 0 && !$inbind) {
176            // in some cases getUserData is called outside the authentication workflow
177            // eg. for sending email notification on subscribed pages. This data might not
178            // be accessible anonymously, so we try to rebind the current user here
179            list($loginuser, $loginsticky, $loginpass) = auth_getCookie();
180            if ($loginuser && $loginpass) {
181                $loginpass = auth_decrypt($loginpass, auth_cookiesalt(!$loginsticky, true));
182                $this->checkPass($loginuser, $loginpass);
183            }
184        }
185
186        $info = array();
187        $info['user'] = $user;
188        $this->debug('LDAP user to find: ' . hsc($info['user']), 0, __LINE__, __FILE__);
189
190        $info['server'] = $this->getConf('server');
191        $this->debug('LDAP Server: ' . hsc($info['server']), 0, __LINE__, __FILE__);
192
193        //get info for given user
194        $base = $this->makeFilter($this->getConf('usertree'), $info);
195        if ($this->getConf('userfilter')) {
196            $filter = $this->makeFilter($this->getConf('userfilter'), $info);
197        } else {
198            $filter = "(ObjectClass=*)";
199        }
200
201        $this->debug('LDAP Filter: ' . hsc($filter), 0, __LINE__, __FILE__);
202
203        $this->debug('LDAP user search: ' . hsc(ldap_error($this->con)), 0, __LINE__, __FILE__);
204        $this->debug('LDAP search at: ' . hsc($base . ' ' . $filter), 0, __LINE__, __FILE__);
205        $sr = $this->ldapSearch($this->con, $base, $filter, $this->getConf('userscope'), $this->getConf('attributes'));
206        if ($sr === false) {
207           $this->debug('User ldap_search failed. Check configuration.', 0, __LINE__, __FILE__);
208           return false;
209        }
210
211        $result = @ldap_get_entries($this->con, $sr);
212
213        // if result is not an array
214        if (!is_array($result)) {
215            // no objects found
216            $this->debug('LDAP search returned non-array result: ' . hsc(print($result)), -1, __LINE__, __FILE__);
217            return array();
218        }
219
220        // Don't accept more or less than one response
221        if ($result['count'] != 1) {
222            $this->debug(
223                'LDAP search returned ' . hsc($result['count']) . ' results while it should return 1!',
224                -1,
225                __LINE__,
226                __FILE__
227            );
228            //for($i = 0; $i < $result["count"]; $i++) {
229            //$this->_debug('result: '.hsc(print_r($result[$i])), 0, __LINE__, __FILE__);
230            //}
231            return array();
232        }
233
234        $this->debug('LDAP search found single result !', 0, __LINE__, __FILE__);
235
236        $user_result = $result[0];
237        ldap_free_result($sr);
238
239        // general user info
240        $info['dn'] = $user_result['dn'];
241        $info['gid'] = $user_result['gidnumber'][0];
242        $info['mail'] = $user_result['mail'][0];
243        $info['name'] = $user_result['cn'][0];
244        $info['grps'] = array();
245
246        // overwrite if other attribs are specified.
247        if (is_array($this->getConf('mapping'))) {
248            foreach ($this->getConf('mapping') as $localkey => $key) {
249                if (is_array($key)) {
250                    // use regexp to clean up user_result
251                    // $key = array($key=>$regexp), only handles the first key-value
252                    $regexp = current($key);
253                    $key = key($key);
254                    if ($user_result[$key]) foreach ($user_result[$key] as $grpkey => $grp) {
255                        if ($grpkey !== 'count' && preg_match($regexp, $grp, $match)) {
256                            if ($localkey == 'grps') {
257                                $info[$localkey][] = $match[1];
258                            } else {
259                                $info[$localkey] = $match[1];
260                            }
261                        }
262                    }
263                } else {
264                    $info[$localkey] = $user_result[$key][0];
265                }
266            }
267        }
268        $user_result = array_merge($info, $user_result);
269
270        //get groups for given user if grouptree is given
271        if ($this->getConf('grouptree') || $this->getConf('groupfilter')) {
272            $base = $this->makeFilter($this->getConf('grouptree'), $user_result);
273            $filter = $this->makeFilter($this->getConf('groupfilter'), $user_result);
274            $sr = $this->ldapSearch(
275                $this->con,
276                $base,
277                $filter,
278                $this->getConf('groupscope'),
279                array($this->getConf('groupkey'))
280            );
281            $this->debug('LDAP group search: ' . hsc(ldap_error($this->con)), 0, __LINE__, __FILE__);
282            $this->debug('LDAP search at: ' . hsc($base . ' ' . $filter), 0, __LINE__, __FILE__);
283
284            if (!$sr) {
285                msg("LDAP: Reading group memberships failed", -1);
286                return array();
287            }
288            $result = ldap_get_entries($this->con, $sr);
289            ldap_free_result($sr);
290
291            if (is_array($result)) foreach ($result as $grp) {
292                if (!empty($grp[$this->getConf('groupkey')])) {
293                    $group = $grp[$this->getConf('groupkey')];
294                    if (is_array($group)) {
295                        $group = $group[0];
296                    } else {
297                        $this->debug('groupkey did not return a detailled result', 0, __LINE__, __FILE__);
298                    }
299                    if ($group === '') continue;
300
301                    $this->debug('LDAP usergroup: ' . hsc($group), 0, __LINE__, __FILE__);
302                    $info['grps'][] = $group;
303                }
304            }
305        }
306
307        // always add the default group to the list of groups
308        if (!$info['grps'] or !in_array($conf['defaultgroup'], $info['grps'])) {
309            $info['grps'][] = $conf['defaultgroup'];
310        }
311        return $info;
312    }
313
314    /**
315     * Definition of the function modifyUser in order to modify the password
316     *
317     * @param string $user nick of the user to be changed
318     * @param array $changes array of field/value pairs to be changed (password will be clear text)
319     * @return  bool   true on success, false on error
320     */
321    public function modifyUser($user, $changes)
322    {
323
324        // open the connection to the ldap
325        if (!$this->openLDAP()) {
326            $this->debug('LDAP cannot connect: ' . hsc(ldap_error($this->con)), 0, __LINE__, __FILE__);
327            return false;
328        }
329
330        // find the information about the user, in particular the "dn"
331        $info = $this->getUserData($user, true);
332        if (empty($info['dn'])) {
333            $this->debug('LDAP cannot find your user dn', 0, __LINE__, __FILE__);
334            return false;
335        }
336        $dn = $info['dn'];
337
338        // find the old password of the user
339        list($loginuser, $loginsticky, $loginpass) = auth_getCookie();
340        if ($loginuser !== null) { // the user is currently logged in
341            $secret = auth_cookiesalt(!$loginsticky, true);
342            $pass = auth_decrypt($loginpass, $secret);
343
344            // bind with the ldap
345            if (!@ldap_bind($this->con, $dn, $pass)) {
346                $this->debug(
347                    'LDAP user bind failed: ' . hsc($dn) . ': ' . hsc(ldap_error($this->con)),
348                    0,
349                    __LINE__,
350                    __FILE__
351                );
352                return false;
353            }
354        } elseif ($this->getConf('binddn') && $this->getConf('bindpw')) {
355            // we are changing the password on behalf of the user (eg: forgotten password)
356            // bind with the superuser ldap
357            if (!@ldap_bind($this->con, $this->getConf('binddn'), conf_decodeString($this->getConf('bindpw')))) {
358                $this->debug('LDAP bind as superuser: ' . hsc(ldap_error($this->con)), 0, __LINE__, __FILE__);
359                return false;
360            }
361        } else {
362            return false; // no otherway
363        }
364
365        // Generate the salted hashed password for LDAP
366        $phash = new \dokuwiki\PassHash();
367        $hash = $phash->hash_ssha($changes['pass']);
368
369        // change the password
370        if (!@ldap_mod_replace($this->con, $dn, array('userpassword' => $hash))) {
371            $this->debug(
372                'LDAP mod replace failed: ' . hsc($dn) . ': ' . hsc(ldap_error($this->con)),
373                0,
374                __LINE__,
375                __FILE__
376            );
377            return false;
378        }
379
380        return true;
381    }
382
383    /**
384     * Most values in LDAP are case-insensitive
385     *
386     * @return bool
387     */
388    public function isCaseSensitive()
389    {
390        return false;
391    }
392
393    /**
394     * Bulk retrieval of user data
395     *
396     * @param int $start index of first user to be returned
397     * @param int $limit max number of users to be returned
398     * @param array $filter array of field/pattern pairs, null for no filter
399     * @return  array of userinfo (refer getUserData for internal userinfo details)
400     * @author  Dominik Eckelmann <dokuwiki@cosmocode.de>
401     */
402    public function retrieveUsers($start = 0, $limit = 0, $filter = array())
403    {
404        if (!$this->openLDAP()) return array();
405
406        if (is_null($this->users)) {
407            // Perform the search and grab all their details
408            if ($this->getConf('userfilter')) {
409                $all_filter = str_replace('%{user}', '*', $this->getConf('userfilter'));
410            } else {
411                $all_filter = "(ObjectClass=*)";
412            }
413            $sr = ldap_search($this->con, $this->getConf('usertree'), $all_filter);
414            $entries = ldap_get_entries($this->con, $sr);
415            $users_array = array();
416            $userkey = $this->getConf('userkey');
417            for ($i = 0; $i < $entries["count"]; $i++) {
418                array_push($users_array, $entries[$i][$userkey][0]);
419            }
420            Sort::asort($users_array);
421            $result = $users_array;
422            if (!$result) return array();
423            $this->users = array_fill_keys($result, false);
424        }
425        $i = 0;
426        $count = 0;
427        $this->constructPattern($filter);
428        $result = array();
429
430        foreach ($this->users as $user => &$info) {
431            if ($i++ < $start) {
432                continue;
433            }
434            if ($info === false) {
435                $info = $this->getUserData($user);
436            }
437            if ($this->filter($user, $info)) {
438                $result[$user] = $info;
439                if (($limit > 0) && (++$count >= $limit)) break;
440            }
441        }
442        return $result;
443    }
444
445    /**
446     * Make LDAP filter strings.
447     *
448     * Used by auth_getUserData to make the filter
449     * strings for grouptree and groupfilter
450     *
451     * @param string $filter ldap search filter with placeholders
452     * @param array $placeholders placeholders to fill in
453     * @return  string
454     * @author  Troels Liebe Bentsen <tlb@rapanden.dk>
455     */
456    protected function makeFilter($filter, $placeholders)
457    {
458        preg_match_all("/%{([^}]+)/", $filter, $matches, PREG_PATTERN_ORDER);
459        //replace each match
460        foreach ($matches[1] as $match) {
461            //take first element if array
462            if (is_array($placeholders[$match])) {
463                $value = $placeholders[$match][0];
464            } else {
465                $value = $placeholders[$match];
466            }
467            $value = $this->filterEscape($value);
468            $filter = str_replace('%{' . $match . '}', $value, $filter);
469        }
470        return $filter;
471    }
472
473    /**
474     * return true if $user + $info match $filter criteria, false otherwise
475     *
476     * @param string $user the user's login name
477     * @param array $info the user's userinfo array
478     * @return bool
479     * @author Chris Smith <chris@jalakai.co.uk>
480     *
481     */
482    protected function filter($user, $info)
483    {
484        foreach ($this->pattern as $item => $pattern) {
485            if ($item == 'user') {
486                if (!preg_match($pattern, $user)) return false;
487            } elseif ($item == 'grps') {
488                if (!count(preg_grep($pattern, $info['grps']))) return false;
489            } else {
490                if (!preg_match($pattern, $info[$item])) return false;
491            }
492        }
493        return true;
494    }
495
496    /**
497     * Set the filter pattern
498     *
499     * @param $filter
500     * @return void
501     * @author Chris Smith <chris@jalakai.co.uk>
502     *
503     */
504    protected function constructPattern($filter)
505    {
506        $this->pattern = array();
507        foreach ($filter as $item => $pattern) {
508            $this->pattern[$item] = '/' . str_replace('/', '\/', $pattern) . '/i'; // allow regex characters
509        }
510    }
511
512    /**
513     * Escape a string to be used in a LDAP filter
514     *
515     * Ported from Perl's Net::LDAP::Util escape_filter_value
516     *
517     * @param string $string
518     * @return string
519     * @author Andreas Gohr
520     */
521    protected function filterEscape($string)
522    {
523        // see https://github.com/adldap/adLDAP/issues/22
524        return preg_replace_callback(
525            '/([\x00-\x1F\*\(\)\\\\])/',
526            function ($matches) {
527                return "\\" . join("", unpack("H2", $matches[1]));
528            },
529            $string
530        );
531    }
532
533    /**
534     * Opens a connection to the configured LDAP server and sets the wanted
535     * option on the connection
536     *
537     * @author  Andreas Gohr <andi@splitbrain.org>
538     */
539    protected function openLDAP()
540    {
541        if ($this->con) return true; // connection already established
542
543        if ($this->getConf('debug')) {
544            ldap_set_option(null, LDAP_OPT_DEBUG_LEVEL, 7);
545        }
546
547        $this->bound = 0;
548
549        $port = $this->getConf('port');
550        $bound = false;
551        $servers = explode(',', $this->getConf('server'));
552        foreach ($servers as $server) {
553            $server = trim($server);
554            $this->con = @ldap_connect($server, $port);
555            if (!$this->con) {
556                continue;
557            }
558
559            /*
560             * When OpenLDAP 2.x.x is used, ldap_connect() will always return a resource as it does
561             * not actually connect but just initializes the connecting parameters. The actual
562             * connect happens with the next calls to ldap_* funcs, usually with ldap_bind().
563             *
564             * So we should try to bind to server in order to check its availability.
565             */
566
567            //set protocol version and dependend options
568            if ($this->getConf('version')) {
569                if (!@ldap_set_option(
570                    $this->con,
571                    LDAP_OPT_PROTOCOL_VERSION,
572                    $this->getConf('version')
573                )
574                ) {
575                    msg('Setting LDAP Protocol version ' . $this->getConf('version') . ' failed', -1);
576                    $this->debug('LDAP version set: ' . hsc(ldap_error($this->con)), 0, __LINE__, __FILE__);
577                } else {
578                    //use TLS (needs version 3)
579                    if ($this->getConf('starttls')) {
580                        if (!@ldap_start_tls($this->con)) {
581                            msg('Starting TLS failed', -1);
582                            $this->debug('LDAP TLS set: ' . hsc(ldap_error($this->con)), 0, __LINE__, __FILE__);
583                        }
584                    }
585                    // needs version 3
586                    if ($this->getConf('referrals') > -1) {
587                        if (!@ldap_set_option(
588                            $this->con,
589                            LDAP_OPT_REFERRALS,
590                            $this->getConf('referrals')
591                        )
592                        ) {
593                            msg('Setting LDAP referrals failed', -1);
594                            $this->debug('LDAP referal set: ' . hsc(ldap_error($this->con)), 0, __LINE__, __FILE__);
595                        }
596                    }
597                }
598            }
599
600            //set deref mode
601            if ($this->getConf('deref')) {
602                if (!@ldap_set_option($this->con, LDAP_OPT_DEREF, $this->getConf('deref'))) {
603                    msg('Setting LDAP Deref mode ' . $this->getConf('deref') . ' failed', -1);
604                    $this->debug('LDAP deref set: ' . hsc(ldap_error($this->con)), 0, __LINE__, __FILE__);
605                }
606            }
607            /* As of PHP 5.3.0 we can set timeout to speedup skipping of invalid servers */
608            if (defined('LDAP_OPT_NETWORK_TIMEOUT')) {
609                ldap_set_option($this->con, LDAP_OPT_NETWORK_TIMEOUT, 1);
610            }
611
612            if ($this->getConf('binddn') && $this->getConf('bindpw')) {
613                $bound = @ldap_bind($this->con, $this->getConf('binddn'), conf_decodeString($this->getConf('bindpw')));
614                $this->bound = 2;
615            } else {
616                $bound = @ldap_bind($this->con);
617            }
618            if ($bound) {
619                break;
620            }
621        }
622
623        if (!$bound) {
624            msg("LDAP: couldn't connect to LDAP server", -1);
625            $this->debug(ldap_error($this->con), 0, __LINE__, __FILE__);
626            return false;
627        }
628
629        $this->cando['getUsers'] = true;
630        return true;
631    }
632
633    /**
634     * Wraps around ldap_search, ldap_list or ldap_read depending on $scope
635     *
636     * @param resource $link_identifier
637     * @param string $base_dn
638     * @param string $filter
639     * @param string $scope can be 'base', 'one' or 'sub'
640     * @param null|array $attributes
641     * @param int $attrsonly
642     * @param int $sizelimit
643     * @return resource
644     * @author Andreas Gohr <andi@splitbrain.org>
645     */
646    protected function ldapSearch(
647        $link_identifier,
648        $base_dn,
649        $filter,
650        $scope = 'sub',
651        $attributes = null,
652        $attrsonly = 0,
653        $sizelimit = 0
654    )
655    {
656        if (is_null($attributes)) $attributes = array();
657
658        if ($scope == 'base') {
659            return @ldap_read(
660                $link_identifier,
661                $base_dn,
662                $filter,
663                $attributes,
664                $attrsonly,
665                $sizelimit
666            );
667        } elseif ($scope == 'one') {
668            return @ldap_list(
669                $link_identifier,
670                $base_dn,
671                $filter,
672                $attributes,
673                $attrsonly,
674                $sizelimit
675            );
676        } else {
677            return @ldap_search(
678                $link_identifier,
679                $base_dn,
680                $filter,
681                $attributes,
682                $attrsonly,
683                $sizelimit
684            );
685        }
686    }
687
688    /**
689     * Wrapper around msg() but outputs only when debug is enabled
690     *
691     * @param string $message
692     * @param int $err
693     * @param int $line
694     * @param string $file
695     * @return void
696     */
697    protected function debug($message, $err, $line, $file)
698    {
699        if (!$this->getConf('debug')) return;
700        msg($message, $err, $line, $file);
701    }
702}
703