Viewing file:  user-ldap.php (12.86 KB) -rw-rw-rw-
Select action/file-type:
 (+) |  (+) |  (+) | Code (+) | Session (+) |  (+) | SDB (+) |  (+) |  (+) |  (+) |  (+) |  (+) |
<?php
if ( empty ( $PHP_SELF ) && ! empty ( $_SERVER ) &&
! empty ( $_SERVER['PHP_SELF'] ) ) {
$PHP_SELF = $_SERVER['PHP_SELF'];
}
if ( ! empty ( $PHP_SELF ) && preg_match ( "/\/includes\//", $PHP_SELF ) ) {
die ( "You can't access this file directly!" );
}
// LDAP user functions.
// This file is intended to be used instead of the standard user.php
// file. I have not tested this yet (I do not have an LDAP server
// running yet), so please provide feedback.
//
// This file contains all the functions for getting information
// about users. So, if you want to use an authentication scheme
// other than the webcal_user table, you can just create a new
// version of each function found below.
//
// Note: this application assumes that usernames (logins) are unique.
//
// Note #2: If you are using HTTP-based authentication, then you still
// need these functions and you will still need to add users to
// webcal_user.
/***************************** Config *******************************/
// Set some global config variables about your system.
// Next three are NOT yet implemented for LDAP
$user_can_update_password = false;
$admin_can_add_user = false;
$admin_can_delete_user = false;
//------ LDAP General Server Settings ------//
//
// Name or address of the LDAP server
// For SSL/TLS use 'ldaps://localhost'
$ldap_server = 'localhost';
// Port LDAP listens on (default 389)
$ldap_port = '389';
// Use TLS for the connection (not the same as ldaps://)
$ldap_start_tls = false;
// If you need to set LDAP_OPT_PROTOCOL_VERSION
$set_ldap_version = false;
$ldap_version = '3'; // (usually 3)
// base DN to search for users
$ldap_base_dn = 'ou=people,dc=company,dc=com';
// The ldap attribute used to find a user (login).
// E.g., if you use cn, your login might be "Jane Smith"
// if you use uid, your login might be "jsmith"
$ldap_login_attr = 'uid';
// Account used to bind to the server and search for information.
// This user must have the correct rights to perform search.
// If left empty the search will be made in anonymous.
//
// *** We do NOT recommend storing the root LDAP account info here ***
$ldap_admin_dn = ''; // user DN
$ldap_admin_pwd = ''; // user password
//------ Admin Group Settings ------//
//
// A group name (complete DN) to find users with admin rights
$ldap_admin_group_name = 'cn=webcal_admin,ou=group,dc=company,dc=com';
// What type of group do we want (posixgroup, groupofnames, groupofuniquenames)
$ldap_admin_group_type = 'posixgroup';
// The LDAP attribute used to store member of a group
$ldap_admin_group_attr = 'memberuid';
//------ LDAP Search Settings ------//
//
// LDAP filter to find a user list.
$ldap_user_filter = '(objectclass=person)';
// Attributes to fetch from LDAP and corresponding user variables in the
// application. Do change according to your LDAP Schema
$ldap_user_attr = array(
// LDAP attribute //WebCalendar variable
'uid', //login
'sn', //lastname
'givenname', //firstname
'cn', //fullname
'mail' //email
);
/*************************** End Config *****************************/
// Convert group name to lower case to prevent problems
$ldap_admin_group_attr = strtolower($ldap_admin_group_attr);
$ldap_admin_group_type = strtolower($ldap_admin_group_type);
// Function to search the dn of a given user the error message will
// be placed in $error.
// params:
// $login - user login
// $dn - complete dn for the user (must be given by ref )
// return:
// TRUE if the user is found, FALSE in other case
function user_search_dn ( $login ,$dn ) {
global $error, $ds, $ldap_base_dn, $ldap_login_attr, $ldap_user_attr;
$ret = false;
if ($r = connect_and_bind()) {
$sr = @ldap_search ( $ds, $ldap_base_dn, "($ldap_login_attr=$login)", $ldap_user_attr );
if (!$sr) {
$error = 'Error searching LDAP server: ' . ldap_error();
} else {
$info = @ldap_get_entries ( $ds, $sr );
if ( $info['count'] != 1 ) {
$error = 'Invalid login';
} else {
$ret = true;
$dn = $info[0]['dn'];
}
@ldap_free_result ( $sr );
}
@ldap_close ( $ds );
}
return $ret;
}
// Check to see if a given login/password is valid. If invalid,
// the error message will be placed in $error.
// params:
// $login - user login
// $password - user password
// returns: true or false
function user_valid_login ( $login, $password ) {
global $error, $ldap_server, $ldap_port, $ldap_base_dn, $ldap_login_attr;
global $ldap_admin_dn, $ldap_admin_pwd, $ldap_start_tls, $set_ldap_version, $ldap_version;
$ret = false;
$ds = @ldap_connect ( $ldap_server, $ldap_port );
if ( $ds ) {
if ($set_ldap_version || $ldap_start_tls)
ldap_set_option($ds, LDAP_OPT_PROTOCOL_VERSION, $ldap_version);
if ($ldap_start_tls) {
if (!ldap_start_tls($ds)) {
$error = 'Could not start TLS for LDAP connection';
return $ret;
}
}
if ( user_search_dn ( $login, &$dn) ) {
$r = @ldap_bind ( $ds, $dn, $password );
if (!$r) {
$error = 'Invalid login';
//$error .= ': incorrect password'; // uncomment for debugging
} else {
$ret = true;
}
} else {
$error = 'Invalid login';
//$error .= ': no such user'; // uncomment for debugging
}
@ldap_close ( $ds );
} else {
$error = 'Error connecting to LDAP server';
}
return $ret;
}
// TODO: implement this function properly for LDAP.
// Check to see if a given login/crypted password is valid. If invalid,
// the error message will be placed in $error.
// params:
// $login - user login
// $crypt_password - crypted user password
// returns: true or false
function user_valid_crypt ( $login, $crypt_password ) {
return true;
}
// Load info about a user (first name, last name, admin) and set globally.
// params:
// $user - user login
// $prefix - variable prefix to use
function user_load_variables ( $login, $prefix ) {
global $error, $ds, $ldap_base_dn, $ldap_login_attr, $ldap_user_attr;
global $PUBLIC_ACCESS_FULLNAME, $NONUSER_PREFIX;
if ($NONUSER_PREFIX && substr($login, 0, strlen($NONUSER_PREFIX) ) == $NONUSER_PREFIX ) {
nonuser_load_variables ( $login, $prefix );
return true;
}
if ( $login == '__public__' ) {
$GLOBALS[$prefix . 'login'] = $login;
$GLOBALS[$prefix . 'firstname'] = '';
$GLOBALS[$prefix . 'lastname'] = '';
$GLOBALS[$prefix . 'is_admin'] = 'N';
$GLOBALS[$prefix . 'email'] = '';
$GLOBALS[$prefix . 'fullname'] = $PUBLIC_ACCESS_FULLNAME;
$GLOBALS[$prefix . 'password'] = '';
return true;
}
$ret = false;
if ($r = connect_and_bind()) {
$sr = @ldap_search ( $ds, $ldap_base_dn, "($ldap_login_attr=$login)", $ldap_user_attr );
if (!$sr) {
$error = 'Error searching LDAP server: ' . ldap_error();
} else {
$info = @ldap_get_entries ( $ds, $sr );
if ( $info['count'] != 1 ) {
$error = 'Invalid login';
} else {
$GLOBALS[$prefix . 'login'] = $login;
$GLOBALS[$prefix . 'firstname'] = $info[0][$ldap_user_attr[2]][0];
$GLOBALS[$prefix . 'lastname'] = $info[0][$ldap_user_attr[1]][0];
$GLOBALS[$prefix . 'email'] = $info[0][$ldap_user_attr[4]][0];
$GLOBALS[$prefix . 'fullname'] = $info[0][$ldap_user_attr[3]][0];
$GLOBALS[$prefix . 'is_admin'] = user_is_admin($login,get_admins());
$ret = true;
}
@ldap_free_result ( $sr );
}
@ldap_close ( $ds );
}
return $ret;
}
// Add a new user.
// params:
// $user - user login
// $password - user password
// $firstname - first name
// $lastname - last name
// $email - email address
// $admin - is admin? ("Y" or "N")
function user_add_user ( $user, $password, $firstname, $lastname, $email, $admin ) {
global $error;
$error = 'Not yet supported.';
return false;
}
// Update a user
// params:
// $user - user login
// $firstname - first name
// $lastname - last name
// $email - email address
// $admin - is admin?
function user_update_user ( $user, $firstname, $lastname, $email, $admin ) {
global $error;
$error = 'Not yet supported.';
return false;
}
// Update user password
// params:
// $user - user login
// $password - last name
function user_update_user_password ( $user, $password ) {
global $error;
$error = 'Not yet supported';
return false;
}
// Delete a user from the system.
// Once this does get implemented, be sure to delete the user from
// various WebCalendar tables (see user.php user_delete_user function).
// params:
// $user - user to delete
function user_delete_user ( $user ) {
$error = 'Not yet supported';
return false;
}
// Get a list of users and return info in an array.
// returns: array of users
function user_get_users () {
global $error, $ds, $ldap_base_dn, $ldap_user_attr, $ldap_user_filter;
global $public_access, $PUBLIC_ACCESS_FULLNAME;
$Admins = get_admins();
$count = 0;
$ret = array ();
if ( $public_access == 'Y' )
$ret[$count++] = array (
'cal_login' => '__public__',
'cal_lastname' => '',
'cal_firstname' => '',
'cal_is_admin' => 'N',
'cal_email' => '',
'cal_password' => '',
'cal_fullname' => $PUBLIC_ACCESS_FULLNAME );
if ($r = connect_and_bind()) {
$sr = @ldap_search ( $ds, $ldap_base_dn, $ldap_user_filter, $ldap_user_attr );
if (!$sr) {
$error = 'Error searching LDAP server: ' . ldap_error();
} else {
if ( (float)substr(PHP_VERSION,0,3) >= 4.2 ) ldap_sort ( $ds, $sr, $ldap_user_attr[3]);
$info = @ldap_get_entries( $ds, $sr );
for ( $i = 0; $i < $info['count']; $i++ ) {
$ret[$count++] = array (
'cal_login' => $info[$i][$ldap_user_attr[0]][0],
'cal_lastname' => $info[$i][$ldap_user_attr[1]][0],
'cal_firstname' => $info[$i][$ldap_user_attr[2]][0],
'cal_email' => $info[$i][$ldap_user_attr[4]][0],
'cal_is_admin' => user_is_admin($info[$i][$ldap_user_attr[0]][0],$Admins),
'cal_fullname' => $info[$i][$ldap_user_attr[3]][0]
);
}
@ldap_free_result($sr);
}
@ldap_close ( $ds );
}
return $ret;
}
// Test if a user is an admin, that is: if the user is a member of a special
// group in the LDAP Server
// params:
// $values - the login name
// returns: Y if user is admin, N if not
function user_is_admin($values,$Admins) {
if ( ! $Admins ) {
return 'N';
} else if (in_array ($values, $Admins)) {
return 'Y';
} else {
return 'N';
}
}
// Searches $ldap_admin_group_name and returns an array of the group members.
// Do this search only once per request.
// returns: array of admins
function get_admins() {
global $error, $ds, $cached_admins;
global $ldap_admin_group_name,$ldap_admin_group_attr,$ldap_admin_group_type;
if ( ! empty ( $cached_admins ) ) return $cached_admins;
$cached_admins = array ();
if ($r = connect_and_bind()) {
$search_filter = "($ldap_admin_group_attr=*)";
$sr = @ldap_search ( $ds, $ldap_admin_group_name, $search_filter, array($ldap_admin_group_attr) );
if (!$sr) {
$error = 'Error searching LDAP server: ' . ldap_error();
} else {
$admins = ldap_get_entries( $ds, $sr );
for( $x = 0; $x <= $admins[0][$ldap_admin_group_attr]['count']; $x ++ ) {
if ($ldap_admin_group_type != 'posixgroup') {
$cached_admins[] = stripdn($admins[0][$ldap_admin_group_attr][$x]);
} else {
$cached_admins[] = $admins[0][$ldap_admin_group_attr][$x];
}
}
@ldap_free_result($sr);
}
@ldap_close ( $ds );
}
return $cached_admins;
}
// Strip everything but the username (uid) from a dn.
// params:
// $dn - the dn you want to strip the uid from.
// returns: string - userid
//
// ex: stripdn(uid=jeffh,ou=people,dc=example,dc=com) returns jeffh
function stripdn($dn){
list ($uid,$trash) = split (',', $dn, 2);
list ($trash,$user) = split ('=', $uid);
return($user);
}
// Connects and binds to the LDAP server
// Tries to connect as $ldap_admin_dn if we set it.
// returns: bind result or false
function connect_and_bind() {
global $ds, $error, $ldap_server, $ldap_port, $ldap_version;
global $ldap_admin_dn, $ldap_admin_pwd, $ldap_start_tls, $set_ldap_version;
$ret = false;
$ds = @ldap_connect ( $ldap_server, $ldap_port );
if ( $ds ) {
if ($set_ldap_version || $ldap_start_tls)
ldap_set_option($ds, LDAP_OPT_PROTOCOL_VERSION, $ldap_version);
if ($ldap_start_tls) {
if (!ldap_start_tls($ds)) {
$error = 'Could not start TLS for LDAP connection';
return $ret;
}
}
if ( $ldap_admin_dn != '') {
$r = @ldap_bind ( $ds, $ldap_admin_dn, $ldap_admin_pwd );
} else {
$r = @ldap_bind ( $ds );
}
if (!$r) {
$error = 'Invalid Admin login for LDAP Server';
} else {
$ret = $r;
}
} else {
$error = 'Error connecting to LDAP server';
$ret = false;
}
return $ret;
}
?>
|