?iť?
Current Path : /home/s/c/g/scgforma/www/soc064/htdocs/core/class/ |
Current File : /home/s/c/g/scgforma/www/soc064/htdocs/core/class/ldap.class.php |
<?php /* Copyright (C) 2004 Rodolphe Quiedeville <rodolphe@quiedeville.org> * Copyright (C) 2004 Benoit Mortier <benoit.mortier@opensides.be> * Copyright (C) 2005-2017 Regis Houssin <regis.houssin@inodbox.com> * Copyright (C) 2006-2015 Laurent Destailleur <eldy@users.sourceforge.net> * * This program is free software; you can redistribute it and/or modify * it under the terms of the GNU General Public License as published by * the Free Software Foundation; either version 3 of the License, or * (at your option) any later version. * * This program is distributed in the hope that it will be useful, * but WITHOUT ANY WARRANTY; without even the implied warranty of * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the * GNU General Public License for more details. * * You should have received a copy of the GNU General Public License * along with this program. If not, see <http://www.gnu.org/licenses/>. * or see http://www.gnu.org/ */ /** * \file htdocs/core/class/ldap.class.php * \brief File of class to manage LDAP features */ /** * Class to manage LDAP features */ class Ldap { /** * @var string Error code (or message) */ public $error=''; /** * @var string[] Array of error strings */ public $errors = array(); /** * Tableau des serveurs (IP addresses ou nom d'hotes) */ public $server=array(); /** * Base DN (e.g. "dc=foo,dc=com") */ public $dn; /** * type de serveur, actuellement OpenLdap et Active Directory */ public $serverType; /** * Version du protocole ldap */ public $domain; /** * User administrateur Ldap * Active Directory ne supporte pas les connexions anonymes */ public $searchUser; /** * Mot de passe de l'administrateur * Active Directory ne supporte pas les connexions anonymes */ public $searchPassword; /** * DN des utilisateurs */ public $people; /** * DN des groupes */ public $groups; /** * Code erreur retourne par le serveur Ldap */ public $ldapErrorCode; /** * Message texte de l'erreur */ public $ldapErrorText; //Fetch user public $name; public $firstname; public $login; public $phone; public $skype; public $fax; public $mail; public $mobile; public $uacf; public $pwdlastset; public $ldapcharset='UTF-8'; // LDAP should be UTF-8 encoded /** * The internal LDAP connection handle */ public $connection; /** * Result of any connections etc. */ public $result; /** * Constructor */ public function __construct() { global $conf; // Server if (! empty($conf->global->LDAP_SERVER_HOST)) $this->server[] = $conf->global->LDAP_SERVER_HOST; if (! empty($conf->global->LDAP_SERVER_HOST_SLAVE)) $this->server[] = $conf->global->LDAP_SERVER_HOST_SLAVE; $this->serverPort = $conf->global->LDAP_SERVER_PORT; $this->ldapProtocolVersion = $conf->global->LDAP_SERVER_PROTOCOLVERSION; $this->dn = $conf->global->LDAP_SERVER_DN; $this->serverType = $conf->global->LDAP_SERVER_TYPE; $this->domain = $conf->global->LDAP_SERVER_DN; $this->searchUser = $conf->global->LDAP_ADMIN_DN; $this->searchPassword = $conf->global->LDAP_ADMIN_PASS; $this->people = $conf->global->LDAP_USER_DN; $this->groups = $conf->global->LDAP_GROUP_DN; $this->filter = $conf->global->LDAP_FILTER_CONNECTION; // Filter on user $this->filtermember = $conf->global->LDAP_MEMBER_FILTER; // Filter on member // Users $this->attr_login = $conf->global->LDAP_FIELD_LOGIN; //unix $this->attr_sambalogin = $conf->global->LDAP_FIELD_LOGIN_SAMBA; //samba, activedirectory $this->attr_name = $conf->global->LDAP_FIELD_NAME; $this->attr_firstname = $conf->global->LDAP_FIELD_FIRSTNAME; $this->attr_mail = $conf->global->LDAP_FIELD_MAIL; $this->attr_phone = $conf->global->LDAP_FIELD_PHONE; $this->attr_skype = $conf->global->LDAP_FIELD_SKYPE; $this->attr_fax = $conf->global->LDAP_FIELD_FAX; $this->attr_mobile = $conf->global->LDAP_FIELD_MOBILE; } // Connection handling methods ------------------------------------------- // phpcs:disable PEAR.NamingConventions.ValidFunctionName.ScopeNotCamelCaps /** * Connect and bind * Use this->server, this->serverPort, this->ldapProtocolVersion, this->serverType, this->searchUser, this->searchPassword * After return, this->connection and $this->bind are defined * * @return int <0 if KO, 1 if bind anonymous, 2 if bind auth */ public function connect_bind() { // phpcs:enable global $langs, $conf; $connected=0; $this->bind=0; // Check parameters if (count($this->server) == 0 || empty($this->server[0])) { $this->error='LDAP setup (file conf.php) is not complete'; dol_syslog(get_class($this)."::connect_bind ".$this->error, LOG_WARNING); return -1; } if (! function_exists("ldap_connect")) { $this->error='LDAPFunctionsNotAvailableOnPHP'; dol_syslog(get_class($this)."::connect_bind ".$this->error, LOG_WARNING); $return=-1; } if (empty($this->error)) { // Loop on each ldap server foreach ($this->server as $key => $host) { if ($connected) break; if (empty($host)) continue; if ($this->serverPing($host, $this->serverPort) === true) { $this->connection = ldap_connect($host, $this->serverPort); } else continue; if (is_resource($this->connection)) { // Begin TLS if requested by the configuration if (! empty($conf->global->LDAP_SERVER_USE_TLS)) { if (! ldap_start_tls($this->connection)) { dol_syslog(get_class($this)."::connect_bind failed to start tls", LOG_WARNING); $connected = 0; $this->close(); } } // Execute the ldap_set_option here (after connect and before bind) $this->setVersion(); ldap_set_option($this->connection, LDAP_OPT_SIZELIMIT, 0); // no limit here. should return true. if ($this->serverType == "activedirectory") { $result=$this->setReferrals(); dol_syslog(get_class($this)."::connect_bind try bindauth for activedirectory on ".$host." user=".$this->searchUser." password=".preg_replace('/./', '*', $this->searchPassword), LOG_DEBUG); $this->result=$this->bindauth($this->searchUser, $this->searchPassword); if ($this->result) { $this->bind=$this->result; $connected=2; break; } else { $this->error=ldap_errno($this->connection).' '.ldap_error($this->connection); } } else { // Try in auth mode if ($this->searchUser && $this->searchPassword) { dol_syslog(get_class($this)."::connect_bind try bindauth on ".$host." user=".$this->searchUser." password=".preg_replace('/./', '*', $this->searchPassword), LOG_DEBUG); $this->result=$this->bindauth($this->searchUser, $this->searchPassword); if ($this->result) { $this->bind=$this->result; $connected=2; break; } else { $this->error=ldap_errno($this->connection).' '.ldap_error($this->connection); } } // Try in anonymous if (! $this->bind) { dol_syslog(get_class($this)."::connect_bind try bind on ".$host, LOG_DEBUG); $result=$this->bind(); if ($result) { $this->bind=$this->result; $connected=1; break; } else { $this->error=ldap_errno($this->connection).' '.ldap_error($this->connection); } } } } if (! $connected) $this->close(); } } if ($connected) { $return=$connected; dol_syslog(get_class($this)."::connect_bind return=".$return, LOG_DEBUG); } else { $this->error='Failed to connect to LDAP'.($this->error?': '.$this->error:''); $return=-1; dol_syslog(get_class($this)."::connect_bind return=".$return.' - '.$this->error, LOG_WARNING); } return $return; } /** * Simply closes the connection set up earlier. * Returns true if OK, false if there was an error. * * @return boolean true or false */ public function close() { if ($this->connection && ! @ldap_close($this->connection)) { return false; } else { return true; } } /** * Anonymously binds to the connection. After this is done, * queries and searches can be done - but read-only. * * @return boolean true or false */ public function bind() { if (! $this->result=@ldap_bind($this->connection)) { $this->ldapErrorCode = ldap_errno($this->connection); $this->ldapErrorText = ldap_error($this->connection); $this->error=$this->ldapErrorCode." ".$this->ldapErrorText; return false; } else { return true; } } /** * Binds as an authenticated user, which usually allows for write * access. The FULL dn must be passed. For a directory manager, this is * "cn=Directory Manager" under iPlanet. For a user, it will be something * like "uid=jbloggs,ou=People,dc=foo,dc=com". * * @param string $bindDn DN * @param string $pass Password * @return boolean true or false */ public function bindauth($bindDn, $pass) { if (! $this->result = @ldap_bind($this->connection, $bindDn, $pass)) { $this->ldapErrorCode = ldap_errno($this->connection); $this->ldapErrorText = ldap_error($this->connection); $this->error=$this->ldapErrorCode." ".$this->ldapErrorText; return false; } else { return true; } } /** * Unbind du serveur ldap. * * @return boolean true or false */ public function unbind() { if (!$this->result=@ldap_unbind($this->connection)) { return false; } else { return true; } } /** * Verification de la version du serveur ldap. * * @return string version */ public function getVersion() { $version = 0; $version = @ldap_get_option($this->connection, LDAP_OPT_PROTOCOL_VERSION, $version); return $version; } /** * Change ldap protocol version to use. * * @return boolean version */ public function setVersion() { // LDAP_OPT_PROTOCOL_VERSION est une constante qui vaut 17 $ldapsetversion = ldap_set_option($this->connection, LDAP_OPT_PROTOCOL_VERSION, $this->ldapProtocolVersion); return $ldapsetversion; } /** * changement du referrals. * * @return boolean referrals */ public function setReferrals() { // LDAP_OPT_REFERRALS est une constante qui vaut ? $ldapreferrals = ldap_set_option($this->connection, LDAP_OPT_REFERRALS, 0); return $ldapreferrals; } /** * Add a LDAP entry * Ldap object connect and bind must have been done * * @param string $dn DN entry key * @param array $info Attributes array * @param User $user Objet user that create * @return int <0 if KO, >0 if OK */ public function add($dn, $info, $user) { global $conf; dol_syslog(get_class($this)."::add dn=".$dn." info=".join(',', $info)); // Check parameters if (! $this->connection) { $this->error="NotConnected"; return -2; } if (! $this->bind) { $this->error="NotConnected"; return -3; } // Encode to LDAP page code $dn=$this->convFromOutputCharset($dn, $this->ldapcharset); foreach($info as $key => $val) { if (! is_array($val)) $info[$key]=$this->convFromOutputCharset($val, $this->ldapcharset); } $this->dump($dn, $info); //print_r($info); $result=@ldap_add($this->connection, $dn, $info); if ($result) { dol_syslog(get_class($this)."::add successfull", LOG_DEBUG); return 1; } else { $this->ldapErrorCode = @ldap_errno($this->connection); $this->ldapErrorText = @ldap_error($this->connection); $this->error=$this->ldapErrorCode." ".$this->ldapErrorText; dol_syslog(get_class($this)."::add failed: ".$this->error, LOG_ERR); return -1; } } /** * Modify a LDAP entry * Ldap object connect and bind must have been done * * @param string $dn DN entry key * @param array $info Attributes array * @param User $user Objet user that modify * @return int <0 if KO, >0 if OK */ public function modify($dn, $info, $user) { global $conf; dol_syslog(get_class($this)."::modify dn=".$dn." info=".join(',', $info)); // Check parameters if (! $this->connection) { $this->error="NotConnected"; return -2; } if (! $this->bind) { $this->error="NotConnected"; return -3; } // Encode to LDAP page code $dn=$this->convFromOutputCharset($dn, $this->ldapcharset); foreach($info as $key => $val) { if (! is_array($val)) $info[$key]=$this->convFromOutputCharset($val, $this->ldapcharset); } $this->dump($dn, $info); //print_r($info); $result=@ldap_modify($this->connection, $dn, $info); if ($result) { dol_syslog(get_class($this)."::modify successfull", LOG_DEBUG); return 1; } else { $this->error=@ldap_error($this->connection); dol_syslog(get_class($this)."::modify failed: ".$this->error, LOG_ERR); return -1; } } /** * Rename a LDAP entry * Ldap object connect and bind must have been done * * @param string $dn Old DN entry key (uid=qqq,ou=xxx,dc=aaa,dc=bbb) (before update) * @param string $newrdn New RDN entry key (uid=qqq) * @param string $newparent New parent (ou=xxx,dc=aaa,dc=bbb) * @param User $user Objet user that modify * @param bool $deleteoldrdn If true the old RDN value(s) is removed, else the old RDN value(s) is retained as non-distinguished values of the entry. * @return int <0 if KO, >0 if OK */ public function rename($dn, $newrdn, $newparent, $user, $deleteoldrdn = true) { global $conf; dol_syslog(get_class($this)."::modify dn=".$dn." newrdn=".$newrdn." newparent=".$newparent." deleteoldrdn=".($deleteoldrdn?1:0)); // Check parameters if (! $this->connection) { $this->error="NotConnected"; return -2; } if (! $this->bind) { $this->error="NotConnected"; return -3; } // Encode to LDAP page code $dn=$this->convFromOutputCharset($dn, $this->ldapcharset); $newrdn=$this->convFromOutputCharset($newrdn, $this->ldapcharset); $newparent=$this->convFromOutputCharset($newparent, $this->ldapcharset); //print_r($info); $result=@ldap_rename($this->connection, $dn, $newrdn, $newparent, $deleteoldrdn); if ($result) { dol_syslog(get_class($this)."::rename successfull", LOG_DEBUG); return 1; } else { $this->error=@ldap_error($this->connection); dol_syslog(get_class($this)."::rename failed: ".$this->error, LOG_ERR); return -1; } } /** * Modify a LDAP entry (to use if dn != olddn) * Ldap object connect and bind must have been done * * @param string $dn DN entry key * @param array $info Attributes array * @param User $user Objet user that update * @param string $olddn Old DN entry key (before update) * @param string $newrdn New RDN entry key (uid=qqq) (for ldap_rename) * @param string $newparent New parent (ou=xxx,dc=aaa,dc=bbb) (for ldap_rename) * @return int <0 if KO, >0 if OK */ public function update($dn, $info, $user, $olddn, $newrdn = false, $newparent = false) { global $conf; dol_syslog(get_class($this)."::update dn=".$dn." olddn=".$olddn); // Check parameters if (! $this->connection) { $this->error="NotConnected"; return -2; } if (! $this->bind) { $this->error="NotConnected"; return -3; } if (! $olddn || $olddn != $dn) { if (! empty($olddn) && ! empty($newrdn) && ! empty($newparent) && $conf->global->LDAP_SERVER_PROTOCOLVERSION === '3') { // This function currently only works with LDAPv3 $result = $this->rename($olddn, $newrdn, $newparent, $user, true); } else { // If change we make is rename the key of LDAP record, we create new one and if ok, we delete old one. $result = $this->add($dn, $info, $user); if ($result > 0 && $olddn && $olddn != $dn) $result = $this->delete($olddn); // If add fails, we do not try to delete old one } } else { //$result = $this->delete($olddn); $result = $this->add($dn, $info, $user); // If record has been deleted from LDAP, we recreate it. We ignore error if it already exists. $result = $this->modify($dn, $info, $user); // We use add/modify instead of delete/add when olddn is received } if ($result <= 0) { $this->error = ldap_errno($this->connection)." ".ldap_error($this->connection)." ".$this->error; dol_syslog(get_class($this)."::update ".$this->error, LOG_ERR); //print_r($info); return -1; } else { dol_syslog(get_class($this)."::update done successfully"); return 1; } } /** * Delete a LDAP entry * Ldap object connect and bind must have been done * * @param string $dn DN entry key * @return int <0 if KO, >0 if OK */ public function delete($dn) { global $conf; dol_syslog(get_class($this)."::delete Delete LDAP entry dn=".$dn); // Check parameters if (! $this->connection) { $this->error="NotConnected"; return -2; } if (! $this->bind) { $this->error="NotConnected"; return -3; } // Encode to LDAP page code $dn=$this->convFromOutputCharset($dn, $this->ldapcharset); $result=@ldap_delete($this->connection, $dn); if ($result) return 1; return -1; } // phpcs:disable PEAR.NamingConventions.ValidFunctionName.ScopeNotCamelCaps /** * Build a LDAP message * * @param string $dn DN entry key * @param array $info Attributes array * @return string Content of file */ public function dump_content($dn, $info) { // phpcs:enable $content=''; // Create file content if (preg_match('/^ldap/', $this->server[0])) { $target="-H ".join(',', $this->server); } else { $target="-h ".join(',', $this->server)." -p ".$this->serverPort; } $content.="# ldapadd $target -c -v -D ".$this->searchUser." -W -f ldapinput.in\n"; $content.="# ldapmodify $target -c -v -D ".$this->searchUser." -W -f ldapinput.in\n"; $content.="# ldapdelete $target -c -v -D ".$this->searchUser." -W -f ldapinput.in\n"; if (in_array('localhost', $this->server)) $content.="# If commands fails to connect, try without -h and -p\n"; $content.="dn: ".$dn."\n"; foreach($info as $key => $value) { if (! is_array($value)) { $content.="$key: $value\n"; } else { foreach($value as $valuekey => $valuevalue) { $content.="$key: $valuevalue\n"; } } } return $content; } /** * Dump a LDAP message to ldapinput.in file * * @param string $dn DN entry key * @param array $info Attributes array * @return int <0 if KO, >0 if OK */ public function dump($dn, $info) { global $conf; // Create content $content=$this->dump_content($dn, $info); //Create file $result=dol_mkdir($conf->ldap->dir_temp); $outputfile=$conf->ldap->dir_temp.'/ldapinput.in'; $fp=fopen($outputfile, "w"); if ($fp) { fputs($fp, $content); fclose($fp); if (! empty($conf->global->MAIN_UMASK)) @chmod($outputfile, octdec($conf->global->MAIN_UMASK)); return 1; } else { return -1; } } /** * Ping a server before ldap_connect for avoid waiting * * @param string $host Server host or address * @param int $port Server port (default 389) * @param int $timeout Timeout in second (default 1s) * @return boolean true or false */ public function serverPing($host, $port = 389, $timeout = 1) { // Replace ldaps:// by ssl:// if (preg_match('/^ldaps:\/\/([^\/]+)\/?$/', $host, $regs)) { $host = 'ssl://'.$regs[1]; } // Remove ldap:// if (preg_match('/^ldap:\/\/([^\/]+)\/?$/', $host, $regs)) { $host = $regs[1]; } $op = @fsockopen($host, $port, $errno, $errstr, $timeout); if (!$op) return false; //DC is N/A else { fclose($op); //explicitly close open socket connection return true; //DC is up & running, we can safely connect with ldap_connect } } // Attribute methods ----------------------------------------------------- /** * Add a LDAP attribute in entry * Ldap object connect and bind must have been done * * @param string $dn DN entry key * @param array $info Attributes array * @param User $user Objet user that create * @return int <0 if KO, >0 if OK */ public function addAttribute($dn, $info, $user) { global $conf; dol_syslog(get_class($this)."::addAttribute dn=".$dn." info=".join(',', $info)); // Check parameters if (! $this->connection) { $this->error="NotConnected"; return -2; } if (! $this->bind) { $this->error="NotConnected"; return -3; } // Encode to LDAP page code $dn=$this->convFromOutputCharset($dn, $this->ldapcharset); foreach($info as $key => $val) { if (! is_array($val)) $info[$key]=$this->convFromOutputCharset($val, $this->ldapcharset); } $this->dump($dn, $info); //print_r($info); $result=@ldap_mod_add($this->connection, $dn, $info); if ($result) { dol_syslog(get_class($this)."::add_attribute successfull", LOG_DEBUG); return 1; } else { $this->error=@ldap_error($this->connection); dol_syslog(get_class($this)."::add_attribute failed: ".$this->error, LOG_ERR); return -1; } } /** * Update a LDAP attribute in entry * Ldap object connect and bind must have been done * * @param string $dn DN entry key * @param array $info Attributes array * @param User $user Objet user that create * @return int <0 if KO, >0 if OK */ public function updateAttribute($dn, $info, $user) { global $conf; dol_syslog(get_class($this)."::updateAttribute dn=".$dn." info=".join(',', $info)); // Check parameters if (! $this->connection) { $this->error="NotConnected"; return -2; } if (! $this->bind) { $this->error="NotConnected"; return -3; } // Encode to LDAP page code $dn=$this->convFromOutputCharset($dn, $this->ldapcharset); foreach($info as $key => $val) { if (! is_array($val)) $info[$key]=$this->convFromOutputCharset($val, $this->ldapcharset); } $this->dump($dn, $info); //print_r($info); $result=@ldap_mod_replace($this->connection, $dn, $info); if ($result) { dol_syslog(get_class($this)."::updateAttribute successfull", LOG_DEBUG); return 1; } else { $this->error=@ldap_error($this->connection); dol_syslog(get_class($this)."::updateAttribute failed: ".$this->error, LOG_ERR); return -1; } } /** * Delete a LDAP attribute in entry * Ldap object connect and bind must have been done * * @param string $dn DN entry key * @param array $info Attributes array * @param User $user Objet user that create * @return int <0 if KO, >0 if OK */ public function deleteAttribute($dn, $info, $user) { global $conf; dol_syslog(get_class($this)."::deleteAttribute dn=".$dn." info=".join(',', $info)); // Check parameters if (! $this->connection) { $this->error="NotConnected"; return -2; } if (! $this->bind) { $this->error="NotConnected"; return -3; } // Encode to LDAP page code $dn=$this->convFromOutputCharset($dn, $this->ldapcharset); foreach($info as $key => $val) { if (! is_array($val)) $info[$key]=$this->convFromOutputCharset($val, $this->ldapcharset); } $this->dump($dn, $info); //print_r($info); $result=@ldap_mod_del($this->connection, $dn, $info); if ($result) { dol_syslog(get_class($this)."::deleteAttribute successfull", LOG_DEBUG); return 1; } else { $this->error=@ldap_error($this->connection); dol_syslog(get_class($this)."::deleteAttribute failed: ".$this->error, LOG_ERR); return -1; } } /** * Returns an array containing attributes and values for first record * * @param string $dn DN entry key * @param string $filter Filter * @return int|array <0 or false if KO, array if OK */ public function getAttribute($dn, $filter) { // Check parameters if (! $this->connection) { $this->error="NotConnected"; return -2; } if (! $this->bind) { $this->error="NotConnected"; return -3; } $search = ldap_search($this->connection, $dn, $filter); // Only one entry should ever be returned $entry = ldap_first_entry($this->connection, $search); if (!$entry) { $this->ldapErrorCode = -1; $this->ldapErrorText = "Couldn't find entry"; return 0; // Couldn't find entry... } // Get values if (! $values = ldap_get_attributes($this->connection, $entry)) { $this->ldapErrorCode = ldap_errno($this->connection); $this->ldapErrorText = ldap_error($this->connection); return 0; // No matching attributes } // Return an array containing the attributes. return $values; } /** * Returns an array containing values for an attribute and for first record matching filterrecord * * @param string $filterrecord Record * @param string $attribute Attributes * @return void */ public function getAttributeValues($filterrecord, $attribute) { $attributes=array(); $attributes[0] = $attribute; // We need to search for this user in order to get their entry. $this->result = @ldap_search($this->connection, $this->people, $filterrecord, $attributes); // Pourquoi cette ligne ? //$info = ldap_get_entries($this->connection, $this->result); // Only one entry should ever be returned (no user will have the same uid) $entry = ldap_first_entry($this->connection, $this->result); if (!$entry) { $this->ldapErrorCode = -1; $this->ldapErrorText = "Couldn't find user"; return false; // Couldn't find the user... } // Get values if (! $values = @ldap_get_values($this->connection, $entry, $attribute)) { $this->ldapErrorCode = ldap_errno($this->connection); $this->ldapErrorText = ldap_error($this->connection); return false; // No matching attributes } // Return an array containing the attributes. return $values; } /** * Returns an array containing a details or list of LDAP record(s) * ldapsearch -LLLx -hlocalhost -Dcn=admin,dc=parinux,dc=org -w password -b "ou=adherents,ou=people,dc=parinux,dc=org" userPassword * * @param string $search Value of fiel to search, '*' for all. Not used if $activefilter is set. * @param string $userDn DN (Ex: ou=adherents,ou=people,dc=parinux,dc=org) * @param string $useridentifier Name of key field (Ex: uid) * @param array $attributeArray Array of fields required. Note this array must also contains field $useridentifier (Ex: sn,userPassword) * @param int $activefilter '1' or 'user'=use field this->filter as filter instead of parameter $search, 'member'=use field this->filtermember as filter * @param array $attributeAsArray Array of fields wanted as an array not a string * @return array Array of [id_record][ldap_field]=value */ public function getRecords($search, $userDn, $useridentifier, $attributeArray, $activefilter = 0, $attributeAsArray = array()) { $fulllist=array(); dol_syslog(get_class($this)."::getRecords search=".$search." userDn=".$userDn." useridentifier=".$useridentifier." attributeArray=array(".join(',', $attributeArray).") activefilter=".$activefilter); // if the directory is AD, then bind first with the search user first if ($this->serverType == "activedirectory") { $this->bindauth($this->searchUser, $this->searchPassword); dol_syslog(get_class($this)."::bindauth serverType=activedirectory searchUser=".$this->searchUser); } // Define filter if (! empty($activefilter)) { if (((string) $activefilter == '1' || (string) $activefilter == 'user') && $this->filter) { $filter = '('.$this->filter.')'; } elseif (((string) $activefilter == 'member') && $this->filter) { $filter = '('.$this->filtermember.')'; } else // If this->filter is empty, make fiter on * (all) { $filter = '('.$useridentifier.'=*)'; } } else { $filter = '('.$useridentifier.'='.$search.')'; } if (is_array($attributeArray)) { // Return list with required fields $attributeArray=array_values($attributeArray); // This is to force to have index reordered from 0 (not make ldap_search fails) dol_syslog(get_class($this)."::getRecords connection=".$this->connection." userDn=".$userDn." filter=".$filter. " attributeArray=(".join(',', $attributeArray).")"); //var_dump($attributeArray); $this->result = @ldap_search($this->connection, $userDn, $filter, $attributeArray); } else { // Return list with fields selected by default dol_syslog(get_class($this)."::getRecords connection=".$this->connection." userDn=".$userDn." filter=".$filter); $this->result = @ldap_search($this->connection, $userDn, $filter); } if (!$this->result) { $this->error = 'LDAP search failed: '.ldap_errno($this->connection)." ".ldap_error($this->connection); return -1; } $info = @ldap_get_entries($this->connection, $this->result); // Warning: Dans info, les noms d'attributs sont en minuscule meme si passe // a ldap_search en majuscule !!! //print_r($info); for ($i = 0; $i < $info["count"]; $i++) { $recordid=$this->convToOutputCharset($info[$i][$useridentifier][0], $this->ldapcharset); if ($recordid) { //print "Found record with key $useridentifier=".$recordid."<br>\n"; $fulllist[$recordid][$useridentifier]=$recordid; // Add to the array for each attribute in my list $num = count($attributeArray); for ($j = 0; $j < $num; $j++) { $keyattributelower=strtolower($attributeArray[$j]); //print " Param ".$attributeArray[$j]."=".$info[$i][$keyattributelower][0]."<br>\n"; //permet de recuperer le SID avec Active Directory if ($this->serverType == "activedirectory" && $keyattributelower == "objectsid") { $objectsid = $this->getObjectSid($recordid); $fulllist[$recordid][$attributeArray[$j]] = $objectsid; } else { if(in_array($attributeArray[$j], $attributeAsArray) && is_array($info[$i][$keyattributelower])) { $valueTab = array(); foreach($info[$i][$keyattributelower] as $key => $value) { $valueTab[$key] = $this->convToOutputCharset($value, $this->ldapcharset); } $fulllist[$recordid][$attributeArray[$j]] = $valueTab; } else { $fulllist[$recordid][$attributeArray[$j]] = $this->convToOutputCharset($info[$i][$keyattributelower][0], $this->ldapcharset); } } } } } asort($fulllist); return $fulllist; } /** * Converts a little-endian hex-number to one, that 'hexdec' can convert * Required by Active Directory * * @param string $hex Hex value * @return string Little endian */ public function littleEndian($hex) { for ($x=dol_strlen($hex)-2; $x >= 0; $x=$x-2) { $result .= substr($hex, $x, 2); } return $result; } /** * Recupere le SID de l'utilisateur * Required by Active Directory * * @param string $ldapUser Login de l'utilisateur * @return string Sid */ public function getObjectSid($ldapUser) { $criteria = '('.$this->getUserIdentifier().'='.$ldapUser.')'; $justthese = array("objectsid"); // if the directory is AD, then bind first with the search user first if ($this->serverType == "activedirectory") { $this->bindauth($this->searchUser, $this->searchPassword); } $i = 0; $searchDN = $this->people; while ($i <= 2) { $ldapSearchResult = @ldap_search($this->connection, $searchDN, $criteria, $justthese); if (!$ldapSearchResult) { $this->error = ldap_errno($this->connection)." ".ldap_error($this->connection); return -1; } $entry = ldap_first_entry($this->connection, $ldapSearchResult); if (!$entry) { // Si pas de resultat on cherche dans le domaine $searchDN = $this->domain; $i++; } else { $i++; $i++; } } if ($entry) { $ldapBinary = ldap_get_values_len($this->connection, $entry, "objectsid"); $SIDText = $this->binSIDtoText($ldapBinary[0]); return $SIDText; } else { $this->error = ldap_errno($this->connection)." ".ldap_error($this->connection); return '?'; } } /** * Returns the textual SID * Indispensable pour Active Directory * * @param string $binsid Binary SID * @return string Textual SID */ public function binSIDtoText($binsid) { $hex_sid=bin2hex($binsid); $rev = hexdec(substr($hex_sid, 0, 2)); // Get revision-part of SID $subcount = hexdec(substr($hex_sid, 2, 2)); // Get count of sub-auth entries $auth = hexdec(substr($hex_sid, 4, 12)); // SECURITY_NT_AUTHORITY $result = "$rev-$auth"; for ($x=0;$x < $subcount; $x++) { $result .= "-".hexdec($this->littleEndian(substr($hex_sid, 16+($x*8), 8))); // get all SECURITY_NT_AUTHORITY } return $result; } /** * Fonction de recherche avec filtre * this->connection doit etre defini donc la methode bind ou bindauth doit avoir deja ete appelee * Ne pas utiliser pour recherche d'une liste donnee de proprietes * car conflit majuscule-minuscule. A n'utiliser que pour les pages * 'Fiche LDAP' qui affiche champ lisibles par defaut. * * @param string $checkDn DN de recherche (Ex: ou=users,cn=my-domain,cn=com) * @param string $filter Search filter (ex: (sn=nom_personne) ) * @return array|int Array with answers (key lowercased - value) */ public function search($checkDn, $filter) { dol_syslog(get_class($this)."::search checkDn=".$checkDn." filter=".$filter); $checkDn=$this->convFromOutputCharset($checkDn, $this->ldapcharset); $filter=$this->convFromOutputCharset($filter, $this->ldapcharset); // if the directory is AD, then bind first with the search user first if ($this->serverType == "activedirectory") { $this->bindauth($this->searchUser, $this->searchPassword); } $this->result = @ldap_search($this->connection, $checkDn, $filter); $result = @ldap_get_entries($this->connection, $this->result); if (! $result) { $this->error = ldap_errno($this->connection)." ".ldap_error($this->connection); return -1; } else { ldap_free_result($this->result); return $result; } } /** * Load all attribute of a LDAP user * * @param User $user User to search for. Not used if a filter is provided. * @param string $filter Filter for search. Must start with &. * Examples: &(objectClass=inetOrgPerson) &(objectClass=user)(objectCategory=person) &(isMemberOf=cn=Sales,ou=Groups,dc=opencsi,dc=com) * @return int >0 if OK, <0 if KO */ public function fetch($user, $filter) { // Perform the search and get the entry handles // if the directory is AD, then bind first with the search user first if ($this->serverType == "activedirectory") { $this->bindauth($this->searchUser, $this->searchPassword); } $searchDN = $this->people; // TODO Why searching in people then domain ? $result = ''; $i=0; while ($i <= 2) { dol_syslog(get_class($this)."::fetch search with searchDN=".$searchDN." filter=".$filter); $this->result = @ldap_search($this->connection, $searchDN, $filter); if ($this->result) { $result = @ldap_get_entries($this->connection, $this->result); if ($result['count'] > 0) dol_syslog('Ldap::fetch search found '.$result['count'].' records'); else dol_syslog('Ldap::fetch search returns but found no records'); //var_dump($result);exit; } else { $this->error = ldap_errno($this->connection)." ".ldap_error($this->connection); dol_syslog(get_class($this)."::fetch search fails"); return -1; } if (! $result) { // Si pas de resultat on cherche dans le domaine $searchDN = $this->domain; $i++; } else { break; } } if (! $result) { $this->error = ldap_errno($this->connection)." ".ldap_error($this->connection); return -1; } else { $this->name = $this->convToOutputCharset($result[0][$this->attr_name][0], $this->ldapcharset); $this->firstname = $this->convToOutputCharset($result[0][$this->attr_firstname][0], $this->ldapcharset); $this->login = $this->convToOutputCharset($result[0][$this->attr_login][0], $this->ldapcharset); $this->phone = $this->convToOutputCharset($result[0][$this->attr_phone][0], $this->ldapcharset); $this->skype = $this->convToOutputCharset($result[0][$this->attr_skype][0], $this->ldapcharset); $this->fax = $this->convToOutputCharset($result[0][$this->attr_fax][0], $this->ldapcharset); $this->mail = $this->convToOutputCharset($result[0][$this->attr_mail][0], $this->ldapcharset); $this->mobile = $this->convToOutputCharset($result[0][$this->attr_mobile][0], $this->ldapcharset); $this->uacf = $this->parseUACF($this->convToOutputCharset($result[0]["useraccountcontrol"][0], $this->ldapcharset)); if (isset($result[0]["pwdlastset"][0])) // If expiration on password exists { $this->pwdlastset = ($result[0]["pwdlastset"][0] != 0)?$this->convert_time($this->convToOutputCharset($result[0]["pwdlastset"][0], $this->ldapcharset)):0; } else { $this->pwdlastset = -1; } if (!$this->name && !$this->login) $this->pwdlastset = -1; $this->badpwdtime = $this->convert_time($this->convToOutputCharset($result[0]["badpasswordtime"][0], $this->ldapcharset)); // FQDN domain $domain = str_replace('dc=', '', $this->domain); $domain = str_replace(',', '.', $domain); $this->domainFQDN = $domain; // Set ldapUserDn (each user can have a different dn) //var_dump($result[0]);exit; $this->ldapUserDN=$result[0]['dn']; ldap_free_result($this->result); return 1; } } // helper methods /** * Returns the correct user identifier to use, based on the ldap server type * * @return string Login */ public function getUserIdentifier() { if ($this->serverType == "activedirectory") { return $this->attr_sambalogin; } else { return $this->attr_login; } } /** * UserAccountControl Flgs to more human understandable form... * * @param string $uacf UACF * @return void */ public function parseUACF($uacf) { //All flags array $flags = array( "TRUSTED_TO_AUTH_FOR_DELEGATION" => 16777216, "PASSWORD_EXPIRED" => 8388608, "DONT_REQ_PREAUTH" => 4194304, "USE_DES_KEY_ONLY" => 2097152, "NOT_DELEGATED" => 1048576, "TRUSTED_FOR_DELEGATION" => 524288, "SMARTCARD_REQUIRED" => 262144, "MNS_LOGON_ACCOUNT" => 131072, "DONT_EXPIRE_PASSWORD" => 65536, "SERVER_TRUST_ACCOUNT" => 8192, "WORKSTATION_TRUST_ACCOUNT" => 4096, "INTERDOMAIN_TRUST_ACCOUNT" => 2048, "NORMAL_ACCOUNT" => 512, "TEMP_DUPLICATE_ACCOUNT" => 256, "ENCRYPTED_TEXT_PWD_ALLOWED" => 128, "PASSWD_CANT_CHANGE" => 64, "PASSWD_NOTREQD" => 32, "LOCKOUT" => 16, "HOMEDIR_REQUIRED" => 8, "ACCOUNTDISABLE" => 2, "SCRIPT" => 1 ); //Parse flags to text $retval = array(); while (list($flag, $val) = each($flags)) { if ($uacf >= $val) { $uacf -= $val; $retval[$val] = $flag; } } //Return human friendly flags return($retval); } /** * SamAccountType value to text * * @param string $samtype SamType * @return string Sam string */ public function parseSAT($samtype) { $stypes = array( 805306368 => "NORMAL_ACCOUNT", 805306369 => "WORKSTATION_TRUST", 805306370 => "INTERDOMAIN_TRUST", 268435456 => "SECURITY_GLOBAL_GROUP", 268435457 => "DISTRIBUTION_GROUP", 536870912 => "SECURITY_LOCAL_GROUP", 536870913 => "DISTRIBUTION_LOCAL_GROUP" ); $retval = ""; while (list($sat, $val) = each($stypes)) { if ($samtype == $sat) { $retval = $val; break; } } if (empty($retval)) $retval = "UNKNOWN_TYPE_" . $samtype; return($retval); } // phpcs:disable PEAR.NamingConventions.ValidFunctionName.ScopeNotCamelCaps /** * Convertit le temps ActiveDirectory en Unix timestamp * * @param string $value AD time to convert * @return integer Unix timestamp */ public function convert_time($value) { // phpcs:enable $dateLargeInt=$value; // nano secondes depuis 1601 !!!! $secsAfterADEpoch = $dateLargeInt / (10000000); // secondes depuis le 1 jan 1601 $ADToUnixConvertor=((1970-1601) * 365.242190) * 86400; // UNIX start date - AD start date * jours * secondes $unixTimeStamp=intval($secsAfterADEpoch-$ADToUnixConvertor); // Unix time stamp return $unixTimeStamp; } /** * Convert a string into output/memory charset * * @param string $str String to convert * @param string $pagecodefrom Page code of src string * @return string Converted string */ private function convToOutputCharset($str, $pagecodefrom = 'UTF-8') { global $conf; if ($pagecodefrom == 'ISO-8859-1' && $conf->file->character_set_client == 'UTF-8') $str=utf8_encode($str); if ($pagecodefrom == 'UTF-8' && $conf->file->character_set_client == 'ISO-8859-1') $str=utf8_decode($str); return $str; } /** * Convert a string from output/memory charset * * @param string $str String to convert * @param string $pagecodeto Page code for result string * @return string Converted string */ public function convFromOutputCharset($str, $pagecodeto = 'UTF-8') { global $conf; if ($pagecodeto == 'ISO-8859-1' && $conf->file->character_set_client == 'UTF-8') $str=utf8_decode($str); if ($pagecodeto == 'UTF-8' && $conf->file->character_set_client == 'ISO-8859-1') $str=utf8_encode($str); return $str; } /** * Return available value of group GID * * @param string $keygroup Key of group * @return int gid number */ public function getNextGroupGid($keygroup = 'LDAP_KEY_GROUPS') { global $conf; if (empty($keygroup)) $keygroup='LDAP_KEY_GROUPS'; $search='('.$conf->global->$keygroup.'=*)'; $result = $this->search($this->groups, $search); if ($result) { $c = $result['count']; $gids = array(); for($i=0;$i<$c;$i++) { $gids[] = $result[$i]['gidnumber'][0]; } rsort($gids); return $gids[0]+1; } return 0; } }