// Suchi & Berg GmbH // +---------------------------------------------------------------------------+ // This program is free software; you can redistribute it and/or // modify it under the terms of the GNU General Public License // as published by the Free Software Foundation; either version 2 // of the License, or any later version. // +---------------------------------------------------------------------------+ // This program is distributed in the hope that it will be useful, // but WITHOUT ANY WARRANTY; without even the implied warranty of // MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the // GNU General Public License for more details. // You should have received a copy of the GNU General Public License // along with this program; if not, write to the Free Software // Foundation, Inc., 59 Temple Place - Suite 330, Boston, MA 02111-1307, USA. // +---------------------------------------------------------------------------+ /** * Stud.IP authentication against LDAP Server * * Stud.IP authentication against LDAP Server * * @access public * @author André Noack * @package */ class StudipAuthLdap extends StudipAuthAbstract { public $anonymous_bind = true; public $host; public $base_dn; public $username_attribute = 'uid'; public $ldap_filter; public $bad_char_regex = '/[^0-9_a-zA-Z]/'; public $conn = null; public $user_data = null; function getLdapFilter($username) { if (isset($this->ldap_filter)) { list($user, $domain) = explode('@', $username); $search = ['%u', '%U', '%d', '%%']; $replace = [$username, $user, $domain, '%']; return str_replace($search, $replace, $this->ldap_filter); } return $this->username_attribute . '=' . $username; } function doLdapConnect() { if (!($this->conn = ldap_connect($this->host))) { $this->error_msg = _('Keine Verbindung zum LDAP Server möglich.'); return false; } if (!($r = ldap_set_option($this->conn, LDAP_OPT_PROTOCOL_VERSION, 3))) { $this->error_msg = _('Setzen der LDAP Protokolversion fehlgeschlagen.'); return false; } if ($this->start_tls) { if (!ldap_start_tls($this->conn)) { $this->error_msg = _('"Start TLS" fehlgeschlagen.'); return false; } } return true; } function getUserDn($username) { $user_dn = ''; if ($this->anonymous_bind) { if (!($r = @ldap_bind($this->conn))) { $this->error_msg = _('Anonymer Bind fehlgeschlagen.') . $this->getLdapError(); return false; } if (!($result = @ldap_search($this->conn, $this->base_dn, $this->getLdapFilter($username), ['dn']))) { $this->error_msg = _('Anonymes Durchsuchen des LDAP Baumes fehlgeschlagen.') . $this->getLdapError(); return false; } if (!ldap_count_entries($this->conn, $result)) { $this->error_msg = sprintf(_('%s wurde nicht unterhalb von %s gefunden.'), $username, $this->base_dn); return false; } if (!($entry = @ldap_first_entry($this->conn, $result))) { $this->error_msg = $this->getLdapError(); return false; } if (!($user_dn = @ldap_get_dn($this->conn, $entry))) { $this->error_msg = $this->getLdapError(); return false; } } else { $user_dn = $this->username_attribute . '=' . $username . ',' . $this->base_dn; } return $user_dn; } function doLdapBind($username, $password) { if (!$this->doLdapConnect()) { return false; } if (!($user_dn = $this->getUserDn($username))) { return false; } if (!$password) { $this->error_msg = _('Kein Passwort eingegeben.'); //some ldap servers seem to allow binding with a user dn and without a password, if anonymous bind is enabled return false; } if (!($r = @ldap_bind($this->conn, $user_dn, $password))) { if (ldap_errno($this->conn) == 49) { $this->error_msg = _('Bitte überprüfen Sie ihre Zugangsdaten.'); } $this->error_msg = _('Anmeldung fehlgeschlagen.') . $this->getLdapError(); return false; } if (!($result = @ldap_search($this->conn, $user_dn, 'objectclass=*'))) { $this->error_msg = _('Abholen der Benutzer Attribute fehlgeschlagen.') . $this->getLdapError(); return false; } if (@ldap_count_entries($this->conn, $result)) { if (!($info = @ldap_get_entries($this->conn, $result))) { $this->error_msg = $this->getLdapError(); return false; } } $this->user_data = $info[0]; return true; } /** * * * * @access private * */ function isAuthenticated($username, $password) { if (!$this->doLdapBind($username, $password)) { ldap_unbind($this->conn); return false; } ldap_unbind($this->conn); return true; } function doLdapMap($map_params) { if (isset($this->user_data[$map_params][0])) { $ret = $this->user_data[$map_params][0]; if ($ret[0] === ':') { $ret = base64_decode($ret); } } return $ret; } function doLdapMapDatafield($params) { $datafield_id = $params[1]; $user = $params[2]; $ldap_field = $this->doLdapMap($params[3]); if (isset($ldap_field)) { $df = $user->datafields->findOneBy('datafield_id', $datafield_id); if ($df) { $df->content = $ldap_field; return true; } } } function isUsedUsername($username) { if (!$this->anonymous_bind) { $this->error_msg = _('Kann den Benutzernamen nicht überprüfen, anonymous_bind ist ausgeschaltet!'); return false; } if (!$this->doLdapConnect()) { return false; } if (!($r = @ldap_bind($this->conn))) { $this->error_msg = _('Anonymer Bind fehlgeschlagen.') . $this->getLdapError(); return false; } if (!($result = @ldap_search($this->conn, $this->base_dn, $this->getLdapFilter($username), ['dn']))) { $this->error_msg = _('Anonymes Durchsuchen des LDAP Baumes fehlgeschlagen.') . $this->getLdapError(); return false; } if (!ldap_count_entries($this->conn, $result)) { $this->error_msg = _('Der Benutzername wurde nicht gefunden.'); return false; } return true; } function getLdapError() { return _('
LDAP Fehler: ') . ldap_error($this->conn) . ' (#' . ldap_errno($this->conn) . ')'; } }