1<?php 2use dokuwiki\Extension\AuthPlugin; 3use dokuwiki\PassHash; 4use dokuwiki\Utf8\Sort; 5 6/** 7 * LDAP authentication backend 8 * 9 * @license GPL 2 (http://www.gnu.org/licenses/gpl.html) 10 * @author Andreas Gohr <andi@splitbrain.org> 11 * @author Chris Smith <chris@jalakaic.co.uk> 12 * @author Jan Schumann <js@schumann-it.com> 13 */ 14class auth_plugin_authldap extends AuthPlugin 15{ 16 /* @var resource $con holds the LDAP connection */ 17 protected $con; 18 19 /* @var int $bound What type of connection does already exist? */ 20 protected $bound = 0; // 0: anonymous, 1: user, 2: superuser 21 22 /* @var array $users User data cache */ 23 protected $users; 24 25 /* @var array $pattern User filter pattern */ 26 protected $pattern; 27 28 /** 29 * Constructor 30 */ 31 public function __construct() 32 { 33 parent::__construct(); 34 35 // ldap extension is needed 36 if (!function_exists('ldap_connect')) { 37 $this->debug("LDAP err: PHP LDAP extension not found.", -1, __LINE__, __FILE__); 38 $this->success = false; 39 return; 40 } 41 42 // Add the capabilities to change the password 43 $this->cando['modPass'] = $this->getConf('modPass'); 44 } 45 46 /** 47 * Check user+password 48 * 49 * Checks if the given user exists and the given 50 * plaintext password is correct by trying to bind 51 * to the LDAP server 52 * 53 * @param string $user 54 * @param string $pass 55 * @return bool 56 * @author Andreas Gohr <andi@splitbrain.org> 57 */ 58 public function checkPass($user, $pass) 59 { 60 // reject empty password 61 if (empty($pass)) return false; 62 if (!$this->openLDAP()) return false; 63 64 // indirect user bind 65 if ($this->getConf('binddn') && $this->getConf('bindpw')) { 66 // use superuser credentials 67 if (!@ldap_bind($this->con, $this->getConf('binddn'), conf_decodeString($this->getConf('bindpw')))) { 68 $this->debug('LDAP bind as superuser: ' . hsc(ldap_error($this->con)), 0, __LINE__, __FILE__); 69 return false; 70 } 71 $this->bound = 2; 72 } elseif ($this->getConf('binddn') && 73 $this->getConf('usertree') && 74 $this->getConf('userfilter') 75 ) { 76 // special bind string 77 $dn = $this->makeFilter( 78 $this->getConf('binddn'), 79 ['user' => $user, 'server' => $this->getConf('server')] 80 ); 81 } elseif (strpos($this->getConf('usertree'), '%{user}')) { 82 // direct user bind 83 $dn = $this->makeFilter( 84 $this->getConf('usertree'), 85 ['user' => $user, 'server' => $this->getConf('server')] 86 ); 87 } elseif (!@ldap_bind($this->con)) { 88 // Anonymous bind 89 msg("LDAP: can not bind anonymously", -1); 90 $this->debug('LDAP anonymous bind: ' . hsc(ldap_error($this->con)), 0, __LINE__, __FILE__); 91 return false; 92 } 93 94 // Try to bind to with the dn if we have one. 95 if (!empty($dn)) { 96 // User/Password bind 97 if (!@ldap_bind($this->con, $dn, $pass)) { 98 $this->debug("LDAP: bind with $dn failed", -1, __LINE__, __FILE__); 99 $this->debug('LDAP user dn bind: ' . hsc(ldap_error($this->con)), 0, __LINE__, __FILE__); 100 return false; 101 } 102 $this->bound = 1; 103 return true; 104 } else { 105 // See if we can find the user 106 $info = $this->fetchUserData($user, true); 107 if (empty($info['dn'])) { 108 return false; 109 } else { 110 $dn = $info['dn']; 111 } 112 113 // Try to bind with the dn provided 114 if (!@ldap_bind($this->con, $dn, $pass)) { 115 $this->debug("LDAP: bind with $dn failed", -1, __LINE__, __FILE__); 116 $this->debug('LDAP user bind: ' . hsc(ldap_error($this->con)), 0, __LINE__, __FILE__); 117 return false; 118 } 119 $this->bound = 1; 120 return true; 121 } 122 } 123 124 /** 125 * Return user info 126 * 127 * Returns info about the given user needs to contain 128 * at least these fields: 129 * 130 * name string full name of the user 131 * mail string email addres of the user 132 * grps array list of groups the user is in 133 * 134 * This LDAP specific function returns the following 135 * addional fields: 136 * 137 * dn string distinguished name (DN) 138 * uid string Posix User ID 139 * inbind bool for internal use - avoid loop in binding 140 * 141 * @param string $user 142 * @param bool $requireGroups (optional) - ignored, groups are always supplied by this plugin 143 * @return array containing user data or false 144 * @author <evaldas.auryla@pheur.org> 145 * @author Stephane Chazelas <stephane.chazelas@emerson.com> 146 * @author Steffen Schoch <schoch@dsb.net> 147 * 148 * @author Andreas Gohr <andi@splitbrain.org> 149 * @author Trouble 150 * @author Dan Allen <dan.j.allen@gmail.com> 151 */ 152 public function getUserData($user, $requireGroups = true) 153 { 154 return $this->fetchUserData($user); 155 } 156 157 /** 158 * @param string $user 159 * @param bool $inbind authldap specific, true if in bind phase 160 * @return array containing user data or false 161 */ 162 protected function fetchUserData($user, $inbind = false) 163 { 164 global $conf; 165 if (!$this->openLDAP()) return []; 166 167 // force superuser bind if wanted and not bound as superuser yet 168 if ($this->getConf('binddn') && $this->getConf('bindpw') && $this->bound < 2) { 169 // use superuser credentials 170 if (!@ldap_bind($this->con, $this->getConf('binddn'), conf_decodeString($this->getConf('bindpw')))) { 171 $this->debug('LDAP bind as superuser: ' . hsc(ldap_error($this->con)), 0, __LINE__, __FILE__); 172 return []; 173 } 174 $this->bound = 2; 175 } elseif ($this->bound == 0 && !$inbind) { 176 // in some cases getUserData is called outside the authentication workflow 177 // eg. for sending email notification on subscribed pages. This data might not 178 // be accessible anonymously, so we try to rebind the current user here 179 [$loginuser, $loginsticky, $loginpass] = auth_getCookie(); 180 if ($loginuser && $loginpass) { 181 $loginpass = auth_decrypt($loginpass, auth_cookiesalt(!$loginsticky, true)); 182 $this->checkPass($loginuser, $loginpass); 183 } 184 } 185 186 $info = []; 187 $info['user'] = $user; 188 $this->debug('LDAP user to find: ' . hsc($info['user']), 0, __LINE__, __FILE__); 189 190 $info['server'] = $this->getConf('server'); 191 $this->debug('LDAP Server: ' . hsc($info['server']), 0, __LINE__, __FILE__); 192 193 //get info for given user 194 $base = $this->makeFilter($this->getConf('usertree'), $info); 195 if ($this->getConf('userfilter')) { 196 $filter = $this->makeFilter($this->getConf('userfilter'), $info); 197 } else { 198 $filter = "(ObjectClass=*)"; 199 } 200 201 $this->debug('LDAP Filter: ' . hsc($filter), 0, __LINE__, __FILE__); 202 203 $this->debug('LDAP user search: ' . hsc(ldap_error($this->con)), 0, __LINE__, __FILE__); 204 $this->debug('LDAP search at: ' . hsc($base . ' ' . $filter), 0, __LINE__, __FILE__); 205 $sr = $this->ldapSearch($this->con, $base, $filter, $this->getConf('userscope'), $this->getConf('attributes')); 206 if ($sr === false) { 207 $this->debug('User ldap_search failed. Check configuration.', 0, __LINE__, __FILE__); 208 return false; 209 } 210 211 $result = @ldap_get_entries($this->con, $sr); 212 213 // if result is not an array 214 if (!is_array($result)) { 215 // no objects found 216 $this->debug('LDAP search returned non-array result: ' . hsc(print($result)), -1, __LINE__, __FILE__); 217 return []; 218 } 219 220 // Don't accept more or less than one response 221 if ($result['count'] != 1) { 222 $this->debug( 223 'LDAP search returned ' . hsc($result['count']) . ' results while it should return 1!', 224 -1, 225 __LINE__, 226 __FILE__ 227 ); 228 //for($i = 0; $i < $result["count"]; $i++) { 229 //$this->_debug('result: '.hsc(print_r($result[$i])), 0, __LINE__, __FILE__); 230 //} 231 return []; 232 } 233 234 $this->debug('LDAP search found single result !', 0, __LINE__, __FILE__); 235 236 $user_result = $result[0]; 237 ldap_free_result($sr); 238 239 // general user info 240 $info['dn'] = $user_result['dn']; 241 $info['gid'] = $user_result['gidnumber'][0] ?? null; 242 $info['mail'] = $user_result['mail'][0]; 243 $info['name'] = $user_result['cn'][0]; 244 $info['grps'] = []; 245 246 // overwrite if other attribs are specified. 247 if (is_array($this->getConf('mapping'))) { 248 foreach ($this->getConf('mapping') as $localkey => $key) { 249 if (is_array($key)) { 250 // use regexp to clean up user_result 251 // $key = array($key=>$regexp), only handles the first key-value 252 $regexp = current($key); 253 $key = key($key); 254 if ($user_result[$key]) foreach ($user_result[$key] as $grpkey => $grp) { 255 if ($grpkey !== 'count' && preg_match($regexp, $grp, $match)) { 256 if ($localkey == 'grps') { 257 $info[$localkey][] = $match[1]; 258 } else { 259 $info[$localkey] = $match[1]; 260 } 261 } 262 } 263 } else { 264 $info[$localkey] = $user_result[$key][0]; 265 } 266 } 267 } 268 $user_result = array_merge($info, $user_result); 269 270 //get groups for given user if grouptree is given 271 if ($this->getConf('grouptree') || $this->getConf('groupfilter')) { 272 $base = $this->makeFilter($this->getConf('grouptree'), $user_result); 273 $filter = $this->makeFilter($this->getConf('groupfilter'), $user_result); 274 $sr = $this->ldapSearch( 275 $this->con, 276 $base, 277 $filter, 278 $this->getConf('groupscope'), 279 [$this->getConf('groupkey')] 280 ); 281 $this->debug('LDAP group search: ' . hsc(ldap_error($this->con)), 0, __LINE__, __FILE__); 282 $this->debug('LDAP search at: ' . hsc($base . ' ' . $filter), 0, __LINE__, __FILE__); 283 284 if (!$sr) { 285 msg("LDAP: Reading group memberships failed", -1); 286 return []; 287 } 288 $result = ldap_get_entries($this->con, $sr); 289 ldap_free_result($sr); 290 291 if (is_array($result)) foreach ($result as $grp) { 292 if (!empty($grp[$this->getConf('groupkey')])) { 293 $group = $grp[$this->getConf('groupkey')]; 294 if (is_array($group)) { 295 $group = $group[0]; 296 } else { 297 $this->debug('groupkey did not return a detailled result', 0, __LINE__, __FILE__); 298 } 299 if ($group === '') continue; 300 301 $this->debug('LDAP usergroup: ' . hsc($group), 0, __LINE__, __FILE__); 302 $info['grps'][] = $group; 303 } 304 } 305 } 306 307 // always add the default group to the list of groups 308 if (!$info['grps'] || !in_array($conf['defaultgroup'], $info['grps'])) { 309 $info['grps'][] = $conf['defaultgroup']; 310 } 311 return $info; 312 } 313 314 /** 315 * Definition of the function modifyUser in order to modify the password 316 * 317 * @param string $user nick of the user to be changed 318 * @param array $changes array of field/value pairs to be changed (password will be clear text) 319 * @return bool true on success, false on error 320 */ 321 public function modifyUser($user, $changes) 322 { 323 324 // open the connection to the ldap 325 if (!$this->openLDAP()) { 326 $this->debug('LDAP cannot connect: ' . hsc(ldap_error($this->con)), 0, __LINE__, __FILE__); 327 return false; 328 } 329 330 // find the information about the user, in particular the "dn" 331 $info = $this->getUserData($user, true); 332 if (empty($info['dn'])) { 333 $this->debug('LDAP cannot find your user dn', 0, __LINE__, __FILE__); 334 return false; 335 } 336 $dn = $info['dn']; 337 338 // find the old password of the user 339 [$loginuser, $loginsticky, $loginpass] = auth_getCookie(); 340 if ($loginuser !== null) { // the user is currently logged in 341 $secret = auth_cookiesalt(!$loginsticky, true); 342 $pass = auth_decrypt($loginpass, $secret); 343 344 // bind with the ldap 345 if (!@ldap_bind($this->con, $dn, $pass)) { 346 $this->debug( 347 'LDAP user bind failed: ' . hsc($dn) . ': ' . hsc(ldap_error($this->con)), 348 0, 349 __LINE__, 350 __FILE__ 351 ); 352 return false; 353 } 354 } elseif ($this->getConf('binddn') && $this->getConf('bindpw')) { 355 // we are changing the password on behalf of the user (eg: forgotten password) 356 // bind with the superuser ldap 357 if (!@ldap_bind($this->con, $this->getConf('binddn'), conf_decodeString($this->getConf('bindpw')))) { 358 $this->debug('LDAP bind as superuser: ' . hsc(ldap_error($this->con)), 0, __LINE__, __FILE__); 359 return false; 360 } 361 } else { 362 return false; // no otherway 363 } 364 365 // Generate the salted hashed password for LDAP 366 $phash = new PassHash(); 367 $hash = $phash->hash_ssha($changes['pass']); 368 369 // change the password 370 if (!@ldap_mod_replace($this->con, $dn, ['userpassword' => $hash])) { 371 $this->debug( 372 'LDAP mod replace failed: ' . hsc($dn) . ': ' . hsc(ldap_error($this->con)), 373 0, 374 __LINE__, 375 __FILE__ 376 ); 377 return false; 378 } 379 380 return true; 381 } 382 383 /** 384 * Most values in LDAP are case-insensitive 385 * 386 * @return bool 387 */ 388 public function isCaseSensitive() 389 { 390 return false; 391 } 392 393 /** 394 * Bulk retrieval of user data 395 * 396 * @param int $start index of first user to be returned 397 * @param int $limit max number of users to be returned 398 * @param array $filter array of field/pattern pairs, null for no filter 399 * @return array of userinfo (refer getUserData for internal userinfo details) 400 * @author Dominik Eckelmann <dokuwiki@cosmocode.de> 401 */ 402 public function retrieveUsers($start = 0, $limit = 0, $filter = []) 403 { 404 if (!$this->openLDAP()) return []; 405 406 if (is_null($this->users)) { 407 // Perform the search and grab all their details 408 if ($this->getConf('userfilter')) { 409 $all_filter = str_replace('%{user}', '*', $this->getConf('userfilter')); 410 } else { 411 $all_filter = "(ObjectClass=*)"; 412 } 413 $sr = ldap_search($this->con, $this->getConf('usertree'), $all_filter); 414 $entries = ldap_get_entries($this->con, $sr); 415 $users_array = []; 416 $userkey = $this->getConf('userkey'); 417 for ($i = 0; $i < $entries["count"]; $i++) { 418 $users_array[] = $entries[$i][$userkey][0]; 419 } 420 Sort::asort($users_array); 421 $result = $users_array; 422 if (!$result) return []; 423 $this->users = array_fill_keys($result, false); 424 } 425 $i = 0; 426 $count = 0; 427 $this->constructPattern($filter); 428 $result = []; 429 430 foreach ($this->users as $user => &$info) { 431 if ($i++ < $start) { 432 continue; 433 } 434 if ($info === false) { 435 $info = $this->getUserData($user); 436 } 437 if ($this->filter($user, $info)) { 438 $result[$user] = $info; 439 if (($limit > 0) && (++$count >= $limit)) break; 440 } 441 } 442 return $result; 443 } 444 445 /** 446 * Make LDAP filter strings. 447 * 448 * Used by auth_getUserData to make the filter 449 * strings for grouptree and groupfilter 450 * 451 * @param string $filter ldap search filter with placeholders 452 * @param array $placeholders placeholders to fill in 453 * @return string 454 * @author Troels Liebe Bentsen <tlb@rapanden.dk> 455 */ 456 protected function makeFilter($filter, $placeholders) 457 { 458 preg_match_all("/%{([^}]+)/", $filter, $matches, PREG_PATTERN_ORDER); 459 //replace each match 460 foreach ($matches[1] as $match) { 461 //take first element if array 462 if (is_array($placeholders[$match])) { 463 $value = $placeholders[$match][0]; 464 } else { 465 $value = $placeholders[$match]; 466 } 467 $value = $this->filterEscape($value); 468 $filter = str_replace('%{' . $match . '}', $value, $filter); 469 } 470 return $filter; 471 } 472 473 /** 474 * return true if $user + $info match $filter criteria, false otherwise 475 * 476 * @param string $user the user's login name 477 * @param array $info the user's userinfo array 478 * @return bool 479 * @author Chris Smith <chris@jalakai.co.uk> 480 * 481 */ 482 protected function filter($user, $info) 483 { 484 foreach ($this->pattern as $item => $pattern) { 485 if ($item == 'user') { 486 if (!preg_match($pattern, $user)) return false; 487 } elseif ($item == 'grps') { 488 if (!count(preg_grep($pattern, $info['grps']))) return false; 489 } elseif (!preg_match($pattern, $info[$item])) { 490 return false; 491 } 492 } 493 return true; 494 } 495 496 /** 497 * Set the filter pattern 498 * 499 * @param $filter 500 * @return void 501 * @author Chris Smith <chris@jalakai.co.uk> 502 * 503 */ 504 protected function constructPattern($filter) 505 { 506 $this->pattern = []; 507 foreach ($filter as $item => $pattern) { 508 $this->pattern[$item] = '/' . str_replace('/', '\/', $pattern) . '/i'; // allow regex characters 509 } 510 } 511 512 /** 513 * Escape a string to be used in a LDAP filter 514 * 515 * Ported from Perl's Net::LDAP::Util escape_filter_value 516 * 517 * @param string $string 518 * @return string 519 * @author Andreas Gohr 520 */ 521 protected function filterEscape($string) 522 { 523 // see https://github.com/adldap/adLDAP/issues/22 524 return preg_replace_callback( 525 '/([\x00-\x1F\*\(\)\\\\])/', 526 static fn($matches) => "\\" . implode("", unpack("H2", $matches[1])), 527 $string 528 ); 529 } 530 531 /** 532 * Opens a connection to the configured LDAP server and sets the wanted 533 * option on the connection 534 * 535 * @author Andreas Gohr <andi@splitbrain.org> 536 */ 537 protected function openLDAP() 538 { 539 if ($this->con) return true; // connection already established 540 541 if ($this->getConf('debug')) { 542 ldap_set_option(null, LDAP_OPT_DEBUG_LEVEL, 7); 543 } 544 545 $this->bound = 0; 546 547 $port = $this->getConf('port'); 548 $bound = false; 549 $servers = explode(',', $this->getConf('server')); 550 foreach ($servers as $server) { 551 $server = trim($server); 552 $this->con = @ldap_connect($server, $port); 553 if (!$this->con) { 554 continue; 555 } 556 557 /* 558 * When OpenLDAP 2.x.x is used, ldap_connect() will always return a resource as it does 559 * not actually connect but just initializes the connecting parameters. The actual 560 * connect happens with the next calls to ldap_* funcs, usually with ldap_bind(). 561 * 562 * So we should try to bind to server in order to check its availability. 563 */ 564 565 //set protocol version and dependend options 566 if ($this->getConf('version')) { 567 if (!@ldap_set_option( 568 $this->con, 569 LDAP_OPT_PROTOCOL_VERSION, 570 $this->getConf('version') 571 ) 572 ) { 573 msg('Setting LDAP Protocol version ' . $this->getConf('version') . ' failed', -1); 574 $this->debug('LDAP version set: ' . hsc(ldap_error($this->con)), 0, __LINE__, __FILE__); 575 } else { 576 //use TLS (needs version 3) 577 if ($this->getConf('starttls')) { 578 if (!@ldap_start_tls($this->con)) { 579 msg('Starting TLS failed', -1); 580 $this->debug('LDAP TLS set: ' . hsc(ldap_error($this->con)), 0, __LINE__, __FILE__); 581 } 582 } 583 // needs version 3 584 if ($this->getConf('referrals') > -1) { 585 if (!@ldap_set_option( 586 $this->con, 587 LDAP_OPT_REFERRALS, 588 $this->getConf('referrals') 589 ) 590 ) { 591 msg('Setting LDAP referrals failed', -1); 592 $this->debug('LDAP referal set: ' . hsc(ldap_error($this->con)), 0, __LINE__, __FILE__); 593 } 594 } 595 } 596 } 597 598 //set deref mode 599 if ($this->getConf('deref')) { 600 if (!@ldap_set_option($this->con, LDAP_OPT_DEREF, $this->getConf('deref'))) { 601 msg('Setting LDAP Deref mode ' . $this->getConf('deref') . ' failed', -1); 602 $this->debug('LDAP deref set: ' . hsc(ldap_error($this->con)), 0, __LINE__, __FILE__); 603 } 604 } 605 /* As of PHP 5.3.0 we can set timeout to speedup skipping of invalid servers */ 606 if (defined('LDAP_OPT_NETWORK_TIMEOUT')) { 607 ldap_set_option($this->con, LDAP_OPT_NETWORK_TIMEOUT, 1); 608 } 609 610 if ($this->getConf('binddn') && $this->getConf('bindpw')) { 611 $bound = @ldap_bind($this->con, $this->getConf('binddn'), conf_decodeString($this->getConf('bindpw'))); 612 $this->bound = 2; 613 } else { 614 $bound = @ldap_bind($this->con); 615 } 616 if ($bound) { 617 break; 618 } 619 } 620 621 if (!$bound) { 622 msg("LDAP: couldn't connect to LDAP server", -1); 623 $this->debug(ldap_error($this->con), 0, __LINE__, __FILE__); 624 return false; 625 } 626 627 $this->cando['getUsers'] = true; 628 return true; 629 } 630 631 /** 632 * Wraps around ldap_search, ldap_list or ldap_read depending on $scope 633 * 634 * @param resource $link_identifier 635 * @param string $base_dn 636 * @param string $filter 637 * @param string $scope can be 'base', 'one' or 'sub' 638 * @param null|array $attributes 639 * @param int $attrsonly 640 * @param int $sizelimit 641 * @return resource 642 * @author Andreas Gohr <andi@splitbrain.org> 643 */ 644 protected function ldapSearch( 645 $link_identifier, 646 $base_dn, 647 $filter, 648 $scope = 'sub', 649 $attributes = null, 650 $attrsonly = 0, 651 $sizelimit = 0 652 ) { 653 if (is_null($attributes)) $attributes = []; 654 655 if ($scope == 'base') { 656 return @ldap_read( 657 $link_identifier, 658 $base_dn, 659 $filter, 660 $attributes, 661 $attrsonly, 662 $sizelimit 663 ); 664 } elseif ($scope == 'one') { 665 return @ldap_list( 666 $link_identifier, 667 $base_dn, 668 $filter, 669 $attributes, 670 $attrsonly, 671 $sizelimit 672 ); 673 } else { 674 return @ldap_search( 675 $link_identifier, 676 $base_dn, 677 $filter, 678 $attributes, 679 $attrsonly, 680 $sizelimit 681 ); 682 } 683 } 684 685 /** 686 * Wrapper around msg() but outputs only when debug is enabled 687 * 688 * @param string $message 689 * @param int $err 690 * @param int $line 691 * @param string $file 692 * @return void 693 */ 694 protected function debug($message, $err, $line, $file) 695 { 696 if (!$this->getConf('debug')) return; 697 msg($message, $err, $line, $file); 698 } 699} 700