xref: /dokuwiki/lib/plugins/authldap/auth.php (revision cedfb22bac4b6df73fc632fd5b19a3893f62268b) 
1<?php
2// must be run within Dokuwiki
3if(!defined('DOKU_INC')) die();
4
5/**
6 * LDAP authentication backend
7 *
8 * @license   GPL 2 (http://www.gnu.org/licenses/gpl.html)
9 * @author    Andreas Gohr <andi@splitbrain.org>
10 * @author    Chris Smith <chris@jalakaic.co.uk>
11 * @author    Jan Schumann <js@schumann-it.com>
12 */
13class auth_plugin_authldap extends DokuWiki_Auth_Plugin {
14    /* @var resource $con holds the LDAP connection*/
15    protected $con = null;
16
17    /* @var int $bound What type of connection does already exist? */
18    protected $bound = 0; // 0: anonymous, 1: user, 2: superuser
19
20    /* @var array $users User data cache */
21    protected $users = null;
22
23    /* @var array $_pattern User filter pattern */
24    protected $_pattern = null;
25
26    /**
27     * Constructor
28     */
29    public function __construct() {
30        parent::__construct();
31
32        // ldap extension is needed
33        if(!function_exists('ldap_connect')) {
34            $this->_debug("LDAP err: PHP LDAP extension not found.", -1, __LINE__, __FILE__);
35            $this->success = false;
36            return;
37        }
38
39        // Add the capabilities to change the password
40        $this->cando['modPass'] = true;
41    }
42
43    /**
44     * Check user+password
45     *
46     * Checks if the given user exists and the given
47     * plaintext password is correct by trying to bind
48     * to the LDAP server
49     *
50     * @author  Andreas Gohr <andi@splitbrain.org>
51     * @param string $user
52     * @param string $pass
53     * @return  bool
54     */
55    public function checkPass($user, $pass) {
56        // reject empty password
57        if(empty($pass)) return false;
58        if(!$this->_openLDAP()) return false;
59
60        // indirect user bind
61        if($this->getConf('binddn') && $this->getConf('bindpw')) {
62            // use superuser credentials
63            if(!@ldap_bind($this->con, $this->getConf('binddn'), $this->getConf('bindpw'))) {
64                $this->_debug('LDAP bind as superuser: '.htmlspecialchars(ldap_error($this->con)), 0, __LINE__, __FILE__);
65                return false;
66            }
67            $this->bound = 2;
68        } else if($this->getConf('binddn') &&
69            $this->getConf('usertree') &&
70            $this->getConf('userfilter')
71        ) {
72            // special bind string
73            $dn = $this->_makeFilter(
74                $this->getConf('binddn'),
75                array('user'=> $user, 'server'=> $this->getConf('server'))
76            );
77
78        } else if(strpos($this->getConf('usertree'), '%{user}')) {
79            // direct user bind
80            $dn = $this->_makeFilter(
81                $this->getConf('usertree'),
82                array('user'=> $user, 'server'=> $this->getConf('server'))
83            );
84
85        } else {
86            // Anonymous bind
87            if(!@ldap_bind($this->con)) {
88                msg("LDAP: can not bind anonymously", -1);
89                $this->_debug('LDAP anonymous bind: '.htmlspecialchars(ldap_error($this->con)), 0, __LINE__, __FILE__);
90                return false;
91            }
92        }
93
94        // Try to bind to with the dn if we have one.
95        if(!empty($dn)) {
96            // User/Password bind
97            if(!@ldap_bind($this->con, $dn, $pass)) {
98                $this->_debug("LDAP: bind with $dn failed", -1, __LINE__, __FILE__);
99                $this->_debug('LDAP user dn bind: '.htmlspecialchars(ldap_error($this->con)), 0, __LINE__, __FILE__);
100                return false;
101            }
102            $this->bound = 1;
103            return true;
104        } else {
105            // See if we can find the user
106            $info = $this->getUserData($user, true);
107            if(empty($info['dn'])) {
108                return false;
109            } else {
110                $dn = $info['dn'];
111            }
112
113            // Try to bind with the dn provided
114            if(!@ldap_bind($this->con, $dn, $pass)) {
115                $this->_debug("LDAP: bind with $dn failed", -1, __LINE__, __FILE__);
116                $this->_debug('LDAP user bind: '.htmlspecialchars(ldap_error($this->con)), 0, __LINE__, __FILE__);
117                return false;
118            }
119            $this->bound = 1;
120            return true;
121        }
122    }
123
124    /**
125     * Return user info
126     *
127     * Returns info about the given user needs to contain
128     * at least these fields:
129     *
130     * name string  full name of the user
131     * mail string  email addres of the user
132     * grps array   list of groups the user is in
133     *
134     * This LDAP specific function returns the following
135     * addional fields:
136     *
137     * dn     string  distinguished name (DN)
138     * uid    string  Posix User ID
139     * inbind bool    for internal use - avoid loop in binding
140     *
141     * @author  Andreas Gohr <andi@splitbrain.org>
142     * @author  Trouble
143     * @author  Dan Allen <dan.j.allen@gmail.com>
144     * @author  <evaldas.auryla@pheur.org>
145     * @author  Stephane Chazelas <stephane.chazelas@emerson.com>
146     * @author  Steffen Schoch <schoch@dsb.net>
147     *
148     * @param   string $user
149     * @param   bool   $inbind authldap specific, true if in bind phase
150     * @return  array containing user data or false
151     */
152    public function getUserData($user, $inbind = false) {
153        global $conf;
154        if(!$this->_openLDAP()) return false;
155
156        // force superuser bind if wanted and not bound as superuser yet
157        if($this->getConf('binddn') && $this->getConf('bindpw') && $this->bound < 2) {
158            // use superuser credentials
159            if(!@ldap_bind($this->con, $this->getConf('binddn'), $this->getConf('bindpw'))) {
160                $this->_debug('LDAP bind as superuser: '.htmlspecialchars(ldap_error($this->con)), 0, __LINE__, __FILE__);
161                return false;
162            }
163            $this->bound = 2;
164        } elseif($this->bound == 0 && !$inbind) {
165            // in some cases getUserData is called outside the authentication workflow
166            // eg. for sending email notification on subscribed pages. This data might not
167            // be accessible anonymously, so we try to rebind the current user here
168            list($loginuser, $loginsticky, $loginpass) = auth_getCookie();
169            if($loginuser && $loginpass) {
170                $loginpass = auth_decrypt($loginpass, auth_cookiesalt(!$loginsticky, true));
171                $this->checkPass($loginuser, $loginpass);
172            }
173        }
174
175        $info['user']   = $user;
176        $info['server'] = $this->getConf('server');
177
178        //get info for given user
179        $base = $this->_makeFilter($this->getConf('usertree'), $info);
180        if($this->getConf('userfilter')) {
181            $filter = $this->_makeFilter($this->getConf('userfilter'), $info);
182        } else {
183            $filter = "(ObjectClass=*)";
184        }
185
186        $sr     = $this->_ldapsearch($this->con, $base, $filter, $this->getConf('userscope'));
187        $result = @ldap_get_entries($this->con, $sr);
188        $this->_debug('LDAP user search: '.htmlspecialchars(ldap_error($this->con)), 0, __LINE__, __FILE__);
189        $this->_debug('LDAP search at: '.htmlspecialchars($base.' '.$filter), 0, __LINE__, __FILE__);
190
191        // Don't accept more or less than one response
192        if(!is_array($result) || $result['count'] != 1) {
193            return false; //user not found
194        }
195
196        $user_result = $result[0];
197        ldap_free_result($sr);
198
199        // general user info
200        $info['dn']   = $user_result['dn'];
201        $info['gid']  = $user_result['gidnumber'][0];
202        $info['mail'] = $user_result['mail'][0];
203        $info['name'] = $user_result['cn'][0];
204        $info['grps'] = array();
205
206        // overwrite if other attribs are specified.
207        if(is_array($this->getConf('mapping'))) {
208            foreach($this->getConf('mapping') as $localkey => $key) {
209                if(is_array($key)) {
210                    // use regexp to clean up user_result
211                    list($key, $regexp) = each($key);
212                    if($user_result[$key]) foreach($user_result[$key] as $grpkey => $grp) {
213                        if($grpkey !== 'count' && preg_match($regexp, $grp, $match)) {
214                            if($localkey == 'grps') {
215                                $info[$localkey][] = $match[1];
216                            } else {
217                                $info[$localkey] = $match[1];
218                            }
219                        }
220                    }
221                } else {
222                    $info[$localkey] = $user_result[$key][0];
223                }
224            }
225        }
226        $user_result = array_merge($info, $user_result);
227
228        //get groups for given user if grouptree is given
229        if($this->getConf('grouptree') || $this->getConf('groupfilter')) {
230            $base   = $this->_makeFilter($this->getConf('grouptree'), $user_result);
231            $filter = $this->_makeFilter($this->getConf('groupfilter'), $user_result);
232            $sr     = $this->_ldapsearch($this->con, $base, $filter, $this->getConf('groupscope'), array($this->getConf('groupkey')));
233            $this->_debug('LDAP group search: '.htmlspecialchars(ldap_error($this->con)), 0, __LINE__, __FILE__);
234            $this->_debug('LDAP search at: '.htmlspecialchars($base.' '.$filter), 0, __LINE__, __FILE__);
235
236            if(!$sr) {
237                msg("LDAP: Reading group memberships failed", -1);
238                return false;
239            }
240            $result = ldap_get_entries($this->con, $sr);
241            ldap_free_result($sr);
242
243            if(is_array($result)) foreach($result as $grp) {
244                if(!empty($grp[$this->getConf('groupkey')])) {
245                    $group = $grp[$this->getConf('groupkey')];
246                    if(is_array($group)){
247                        $group = $group[0];
248                    } else {
249                        $this->_debug('groupkey did not return a detailled result', 0, __LINE__, __FILE__);
250                    }
251                    if($group === '') continue;
252
253                    $this->_debug('LDAP usergroup: '.htmlspecialchars($group), 0, __LINE__, __FILE__);
254                    $info['grps'][] = $group;
255                }
256            }
257        }
258
259        // always add the default group to the list of groups
260        if(!$info['grps'] or !in_array($conf['defaultgroup'], $info['grps'])) {
261            $info['grps'][] = $conf['defaultgroup'];
262        }
263        return $info;
264    }
265
266    /**
267     * Definition of the function modifyUser in order to modify the password
268     */
269
270    function modifyUser($user,$changes){
271
272        // open the connection to the ldap
273        if(!$this->_openLDAP()){
274            msg('LDAP cannot connect: '. htmlspecialchars(ldap_error($this->con)));
275            return false;
276        }
277
278        // find the information about the user, in particular the "dn"
279        $info = $this->getUserData($user,true);
280        if(empty($info['dn'])) {
281            msg('LDAP cannot find your user dn');
282            return false;
283        }
284        $dn = $info['dn'];
285
286        // find the old password of the user
287        list($loginuser,$loginsticky,$loginpass) = auth_getCookie();
288        if ($loginuser !== null) { // the user is currently logged in
289            $secret = auth_cookiesalt(!$loginsticky, true);
290            $pass   = auth_decrypt($loginpass, $secret);
291
292            // bind with the ldap
293            if(!@ldap_bind($this->con, $dn, $pass)){
294                msg('LDAP user bind failed: '. htmlspecialchars($dn) .': '.htmlspecialchars(ldap_error($this->con)), 0, __LINE__, __FILE__);
295                return false;
296            }
297        } elseif ($this->getConf('binddn') && $this->getConf('bindpw')) {
298            // we are changing the password on behalf of the user (eg: forgotten password)
299            // bind with the superuser ldap
300            if (!@ldap_bind($this->con, $this->getConf('binddn'), $this->getConf('bindpw'))){
301                $this->_debug('LDAP bind as superuser: '.htmlspecialchars(ldap_error($this->con)), 0, __LINE__, __FILE__);
302                return false;
303            }
304        }
305        else {
306            return false; // no otherway
307        }
308
309        // Generate the salted hashed password for LDAP
310        $phash = new PassHash();
311        $hash = $phash->hash_ssha($changes['pass']);
312
313        // change the password
314        if(!@ldap_mod_replace($this->con, $dn,array('userpassword' => $hash))){
315            msg('LDAP mod replace failed: '. htmlspecialchars($dn) .': '.htmlspecialchars(ldap_error($this->con)));
316            return false;
317        }
318
319        return true;
320    }
321
322    /**
323     * Most values in LDAP are case-insensitive
324     *
325     * @return bool
326     */
327    public function isCaseSensitive() {
328        return false;
329    }
330
331    /**
332     * Bulk retrieval of user data
333     *
334     * @author  Dominik Eckelmann <dokuwiki@cosmocode.de>
335     * @param   int   $start     index of first user to be returned
336     * @param   int   $limit     max number of users to be returned
337     * @param   array $filter  array of field/pattern pairs, null for no filter
338     * @return  array of userinfo (refer getUserData for internal userinfo details)
339     */
340    function retrieveUsers($start = 0, $limit = 0, $filter = array()) {
341        if(!$this->_openLDAP()) return false;
342
343        if(is_null($this->users)) {
344            // Perform the search and grab all their details
345            if($this->getConf('userfilter')) {
346                $all_filter = str_replace('%{user}', '*', $this->getConf('userfilter'));
347            } else {
348                $all_filter = "(ObjectClass=*)";
349            }
350            $sr          = ldap_search($this->con, $this->getConf('usertree'), $all_filter);
351            $entries     = ldap_get_entries($this->con, $sr);
352            $users_array = array();
353            for($i = 0; $i < $entries["count"]; $i++) {
354                array_push($users_array, $entries[$i]["uid"][0]);
355            }
356            asort($users_array);
357            $result = $users_array;
358            if(!$result) return array();
359            $this->users = array_fill_keys($result, false);
360        }
361        $i     = 0;
362        $count = 0;
363        $this->_constructPattern($filter);
364        $result = array();
365
366        foreach($this->users as $user => &$info) {
367            if($i++ < $start) {
368                continue;
369            }
370            if($info === false) {
371                $info = $this->getUserData($user);
372            }
373            if($this->_filter($user, $info)) {
374                $result[$user] = $info;
375                if(($limit > 0) && (++$count >= $limit)) break;
376            }
377        }
378        return $result;
379    }
380
381    /**
382     * Make LDAP filter strings.
383     *
384     * Used by auth_getUserData to make the filter
385     * strings for grouptree and groupfilter
386     *
387     * @author  Troels Liebe Bentsen <tlb@rapanden.dk>
388     * @param   string $filter ldap search filter with placeholders
389     * @param   array  $placeholders placeholders to fill in
390     * @return  string
391     */
392    protected function _makeFilter($filter, $placeholders) {
393        preg_match_all("/%{([^}]+)/", $filter, $matches, PREG_PATTERN_ORDER);
394        //replace each match
395        foreach($matches[1] as $match) {
396            //take first element if array
397            if(is_array($placeholders[$match])) {
398                $value = $placeholders[$match][0];
399            } else {
400                $value = $placeholders[$match];
401            }
402            $value  = $this->_filterEscape($value);
403            $filter = str_replace('%{'.$match.'}', $value, $filter);
404        }
405        return $filter;
406    }
407
408    /**
409     * return true if $user + $info match $filter criteria, false otherwise
410     *
411     * @author Chris Smith <chris@jalakai.co.uk>
412     *
413     * @param  string $user the user's login name
414     * @param  array  $info the user's userinfo array
415     * @return bool
416     */
417    protected  function _filter($user, $info) {
418        foreach($this->_pattern as $item => $pattern) {
419            if($item == 'user') {
420                if(!preg_match($pattern, $user)) return false;
421            } else if($item == 'grps') {
422                if(!count(preg_grep($pattern, $info['grps']))) return false;
423            } else {
424                if(!preg_match($pattern, $info[$item])) return false;
425            }
426        }
427        return true;
428    }
429
430    /**
431     * Set the filter pattern
432     *
433     * @author Chris Smith <chris@jalakai.co.uk>
434     *
435     * @param $filter
436     * @return void
437     */
438    protected function _constructPattern($filter) {
439        $this->_pattern = array();
440        foreach($filter as $item => $pattern) {
441            $this->_pattern[$item] = '/'.str_replace('/', '\/', $pattern).'/i'; // allow regex characters
442        }
443    }
444
445    /**
446     * Escape a string to be used in a LDAP filter
447     *
448     * Ported from Perl's Net::LDAP::Util escape_filter_value
449     *
450     * @author Andreas Gohr
451     * @param  string $string
452     * @return string
453     */
454    protected function _filterEscape($string) {
455        return preg_replace(
456            '/([\x00-\x1F\*\(\)\\\\])/e',
457            '"\\\\\".join("",unpack("H2","$1"))',
458            $string
459        );
460    }
461
462    /**
463     * Opens a connection to the configured LDAP server and sets the wanted
464     * option on the connection
465     *
466     * @author  Andreas Gohr <andi@splitbrain.org>
467     */
468    protected function _openLDAP() {
469        if($this->con) return true; // connection already established
470
471        $this->bound = 0;
472
473        $port    = $this->getConf('port');
474        $bound   = false;
475        $servers = explode(',', $this->getConf('server'));
476        foreach($servers as $server) {
477            $server    = trim($server);
478            $this->con = @ldap_connect($server, $port);
479            if(!$this->con) {
480                continue;
481            }
482
483            /*
484             * When OpenLDAP 2.x.x is used, ldap_connect() will always return a resource as it does
485             * not actually connect but just initializes the connecting parameters. The actual
486             * connect happens with the next calls to ldap_* funcs, usually with ldap_bind().
487             *
488             * So we should try to bind to server in order to check its availability.
489             */
490
491            //set protocol version and dependend options
492            if($this->getConf('version')) {
493                if(!@ldap_set_option(
494                    $this->con, LDAP_OPT_PROTOCOL_VERSION,
495                    $this->getConf('version')
496                )
497                ) {
498                    msg('Setting LDAP Protocol version '.$this->getConf('version').' failed', -1);
499                    $this->_debug('LDAP version set: '.htmlspecialchars(ldap_error($this->con)), 0, __LINE__, __FILE__);
500                } else {
501                    //use TLS (needs version 3)
502                    if($this->getConf('starttls')) {
503                        if(!@ldap_start_tls($this->con)) {
504                            msg('Starting TLS failed', -1);
505                            $this->_debug('LDAP TLS set: '.htmlspecialchars(ldap_error($this->con)), 0, __LINE__, __FILE__);
506                        }
507                    }
508                    // needs version 3
509                    if($this->getConf('referrals')) {
510                        if(!@ldap_set_option(
511                            $this->con, LDAP_OPT_REFERRALS,
512                            $this->getConf('referrals')
513                        )
514                        ) {
515                            msg('Setting LDAP referrals to off failed', -1);
516                            $this->_debug('LDAP referal set: '.htmlspecialchars(ldap_error($this->con)), 0, __LINE__, __FILE__);
517                        }
518                    }
519                }
520            }
521
522            //set deref mode
523            if($this->getConf('deref')) {
524                if(!@ldap_set_option($this->con, LDAP_OPT_DEREF, $this->getConf('deref'))) {
525                    msg('Setting LDAP Deref mode '.$this->getConf('deref').' failed', -1);
526                    $this->_debug('LDAP deref set: '.htmlspecialchars(ldap_error($this->con)), 0, __LINE__, __FILE__);
527                }
528            }
529            /* As of PHP 5.3.0 we can set timeout to speedup skipping of invalid servers */
530            if(defined('LDAP_OPT_NETWORK_TIMEOUT')) {
531                ldap_set_option($this->con, LDAP_OPT_NETWORK_TIMEOUT, 1);
532            }
533
534            if($this->getConf('binddn') && $this->getConf('bindpw')) {
535                $bound = @ldap_bind($this->con, $this->getConf('binddn'), $this->getConf('bindpw'));
536                $this->bound = 2;
537            } else {
538                $bound = @ldap_bind($this->con);
539            }
540            if($bound) {
541                break;
542            }
543        }
544
545        if(!$bound) {
546            msg("LDAP: couldn't connect to LDAP server", -1);
547            return false;
548        }
549
550        $this->cando['getUsers'] = true;
551        return true;
552    }
553
554    /**
555     * Wraps around ldap_search, ldap_list or ldap_read depending on $scope
556     *
557     * @author Andreas Gohr <andi@splitbrain.org>
558     * @param resource $link_identifier
559     * @param string   $base_dn
560     * @param string   $filter
561     * @param string   $scope can be 'base', 'one' or 'sub'
562     * @param null     $attributes
563     * @param int      $attrsonly
564     * @param int      $sizelimit
565     * @param int      $timelimit
566     * @param int      $deref
567     * @return resource
568     */
569    protected function _ldapsearch($link_identifier, $base_dn, $filter, $scope = 'sub', $attributes = null,
570                         $attrsonly = 0, $sizelimit = 0) {
571        if(is_null($attributes)) $attributes = array();
572
573        if($scope == 'base') {
574            return @ldap_read(
575                $link_identifier, $base_dn, $filter, $attributes,
576                $attrsonly, $sizelimit
577            );
578        } elseif($scope == 'one') {
579            return @ldap_list(
580                $link_identifier, $base_dn, $filter, $attributes,
581                $attrsonly, $sizelimit
582            );
583        } else {
584            return @ldap_search(
585                $link_identifier, $base_dn, $filter, $attributes,
586                $attrsonly, $sizelimit
587            );
588        }
589    }
590
591    /**
592     * Wrapper around msg() but outputs only when debug is enabled
593     *
594     * @param string $message
595     * @param int    $err
596     * @param int    $line
597     * @param string $file
598     * @return void
599     */
600    protected function _debug($message, $err, $line, $file) {
601        if(!$this->getConf('debug')) return;
602        msg($message, $err, $line, $file);
603    }
604
605}
606