<?php
/* Copyright (C) 2004 Rodolphe Quiedeville <rodolphe@quiedeville.org>
* Copyright (C) 2004 Benoit Mortier <benoit.mortier@opensides.be>
* Copyright (C) 2005-2021 Regis Houssin <regis.houssin@inodbox.com>
* Copyright (C) 2006-2021 Laurent Destailleur <eldy@users.sourceforge.net>
* Copyright (C) 2024 William Mead <william.mead@manchenumerique.fr>
* Copyright (C) 2024 MDW <mdeweerd@users.noreply.github.com>
*
* This program is free software; you can redistribute it and/or modify
* it under the terms of the GNU General Public License as published by
* the Free Software Foundation; either version 3 of the License, or
* (at your option) any later version.
*
* This program is distributed in the hope that it will be useful,
* but WITHOUT ANY WARRANTY; without even the implied warranty of
* MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
* GNU General Public License for more details.
*
* You should have received a copy of the GNU General Public License
* along with this program. If not, see <https://www.gnu.org/licenses/>.
* or see https://www.gnu.org/
*/
/**
* \file htdocs/core/class/ldap.class.php
* \brief File of class to manage LDAP features
*
* Note:
* LDAP_ESCAPE_FILTER is to escape char array('\\', '*', '(', ')', "\x00")
* LDAP_ESCAPE_DN is to escape char array('\\', ',', '=', '+', '<', '>', ';', '"', '#')
* @phan-file-suppress PhanTypeMismatchArgumentInternal (notifications concern 'resource)
*/
/**
* Class to manage LDAP features
*/
class Ldap
{
/**
* @var string Error code (or message)
*/
public $error = '';
/**
* @var string[] Array of error strings
*/
public $errors = array();
/**
* @var array Servers (IP addresses or hostnames)
*/
public $server = array();
/**
* @var string Current connected server
*/
public $connectedServer;
/**
* @var int server port
*/
public $serverPort;
/**
* @var string Base DN (e.g. "dc=foo,dc=com")
*/
public $dn;
/**
* @var string Server type: OpenLDAP or Active Directory
*/
public $serverType;
/**
* @var string LDAP protocol version
*/
public $ldapProtocolVersion;
/**
* @var string Server DN
*/
public $domain;
/**
* @var string Server FQDN
*/
public $domainFQDN;
/**
* @var bool LDAP bind
*/
public $bind;
/**
* @var string LDAP administrator user
* Active Directory does not allow anonymous connections
*/
public $searchUser;
/**
* @var string LDAP administrator password
* Active Directory does not allow anonymous connections
*/
public $searchPassword;
/**
* @var string Users DN
*/
public $people;
/**
* @var string Groups DN
*/
public $groups;
/**
* @var int|null Error code provided by the LDAP server
*/
public $ldapErrorCode;
/**
* @var string|null Error text message
*/
public $ldapErrorText;
/**
* @var string
*/
public $filter;
/**
* @var string
*/
public $filtergroup;
/**
* @var string
*/
public $filtermember;
/**
* @var string attr_login
*/
public $attr_login;
/**
* @var string attr_sambalogin
*/
public $attr_sambalogin;
/**
* @var string attr_name
*/
public $attr_name;
/**
* @var string attr_firstname
*/
public $attr_firstname;
/**
* @var string attr_mail
*/
public $attr_mail;
/**
* @var string attr_phone
*/
public $attr_phone;
/**
* @var string attr_fax
*/
public $attr_fax;
/**
* @var string attr_mobile
*/
public $attr_mobile;
/**
* @var int badpwdtime
*/
public $badpwdtime;
/**
* @var string LDAP user DN
*/
public $ldapUserDN;
/**
* @var string Fetched username
*/
public $name;
/**
* @var string Fetched user first name
*/
public $firstname;
/**
* @var string Fetched user login
*/
public $login;
/**
* @var string Fetched user phone number
*/
public $phone;
/**
* @var string Fetched user fax number
*/
public $fax;
/**
* @var string Fetched user email
*/
public $mail;
/**
* @var string Fetched user mobile number
*/
public $mobile;
/**
* @var array UserAccountControl Flags
*/
public $uacf;
/**
* @var int Password last set time
*/
public $pwdlastset;
/**
* @var string LDAP charset.
* LDAP should be UTF-8 encoded
*/
public $ldapcharset = 'UTF-8';
/**
* @var bool|resource The internal LDAP connection handle
*/
public $connection;
/**
* @var bool|resource Result of any connections or search.
*/
public $result;
/**
* @var int No LDAP synchronization
*/
const SYNCHRO_NONE = 0;
/**
* @var int Dolibarr to LDAP synchronization
*/
const SYNCHRO_DOLIBARR_TO_LDAP = 1;
/**
* @var int LDAP to Dolibarr synchronization
*/
const SYNCHRO_LDAP_TO_DOLIBARR = 2;
/**
* Constructor
*/
public function __construct()
{
// Server
if (getDolGlobalString('LDAP_SERVER_HOST')) {
$this->server[] = getDolGlobalString('LDAP_SERVER_HOST');
}
if (getDolGlobalString('LDAP_SERVER_HOST_SLAVE')) {
$this->server[] = getDolGlobalString('LDAP_SERVER_HOST_SLAVE');
}
$this->serverPort = getDolGlobalInt('LDAP_SERVER_PORT', 389);
$this->ldapProtocolVersion = getDolGlobalString('LDAP_SERVER_PROTOCOLVERSION');
$this->dn = getDolGlobalString('LDAP_SERVER_DN');
$this->serverType = getDolGlobalString('LDAP_SERVER_TYPE');
$this->domain = getDolGlobalString('LDAP_SERVER_DN');
$this->searchUser = getDolGlobalString('LDAP_ADMIN_DN');
$this->searchPassword = getDolGlobalString('LDAP_ADMIN_PASS');
$this->people = getDolGlobalString('LDAP_USER_DN');
$this->groups = getDolGlobalString('LDAP_GROUP_DN');
$this->filter = getDolGlobalString('LDAP_FILTER_CONNECTION'); // Filter on user
$this->filtergroup = getDolGlobalString('LDAP_GROUP_FILTER'); // Filter on groups
$this->filtermember = getDolGlobalString('LDAP_MEMBER_FILTER'); // Filter on member
// Users
$this->attr_login = getDolGlobalString('LDAP_FIELD_LOGIN'); //unix
$this->attr_sambalogin = getDolGlobalString('LDAP_FIELD_LOGIN_SAMBA'); //samba, activedirectory
$this->attr_name = getDolGlobalString('LDAP_FIELD_NAME');
$this->attr_firstname = getDolGlobalString('LDAP_FIELD_FIRSTNAME');
$this->attr_mail = getDolGlobalString('LDAP_FIELD_MAIL');
$this->attr_phone = getDolGlobalString('LDAP_FIELD_PHONE');
$this->attr_fax = getDolGlobalString('LDAP_FIELD_FAX');
$this->attr_mobile = getDolGlobalString('LDAP_FIELD_MOBILE');
}
// Connection handling methods -------------------------------------------
/**
* Connect and bind
* Use this->server, this->serverPort, this->ldapProtocolVersion, this->serverType, this->searchUser, this->searchPassword
* After return, this->connection and $this->bind are defined
*
* @see connect_bind renamed
* @return int if KO: <0 || if bind anonymous: 1 || if bind auth: 2
*/
public function connectBind()
{
global $dolibarr_main_auth_ldap_debug;
$connected = 0;
$this->bind = false;
$this->error = '';
$this->connectedServer = '';
$ldapdebug = !((empty($dolibarr_main_auth_ldap_debug) || $dolibarr_main_auth_ldap_debug == "false"));
if ($ldapdebug) {
dol_syslog(get_class($this)."::connectBind");
print "DEBUG: connectBind<br>\n";
}
// Check parameters
if (count($this->server) == 0 || empty($this->server[0])) {
$this->error = 'LDAP setup (file conf.php) is not complete';
dol_syslog(get_class($this)."::connectBind ".$this->error, LOG_WARNING);
return -1;
}
if (!function_exists("ldap_connect")) {
$this->error = 'LDAPFunctionsNotAvailableOnPHP';
dol_syslog(get_class($this)."::connectBind ".$this->error, LOG_WARNING);
return -1;
}
if (empty($this->error)) {
// Loop on each ldap server
foreach ($this->server as $host) {
if ($connected) {
break;
}
if (empty($host)) {
continue;
}
if ($this->serverPing($host, $this->serverPort)) {
if ($ldapdebug) {
dol_syslog(get_class($this)."::connectBind serverPing true, we try ldap_connect to ".$host, LOG_DEBUG);
}
if (version_compare(PHP_VERSION, '8.3.0', '>=')) {
$uri = $host.':'.$this->serverPort;
$this->connection = ldap_connect($uri);
} else {
$this->connection = ldap_connect($host, $this->serverPort);
}
} else {
if (preg_match('/^ldaps/i', $host)) {
// With host = ldaps://server, the serverPing to ssl://server sometimes fails, even if the ldap_connect succeed, so
// we test this case and continue in such a case even if serverPing fails.
if ($ldapdebug) {
dol_syslog(get_class($this)."::connectBind serverPing false, we try ldap_connect to ".$host, LOG_DEBUG);
}
if (version_compare(PHP_VERSION, '8.3.0', '>=')) {
$uri = $host.':'.$this->serverPort;
$this->connection = ldap_connect($uri);
} else {
$this->connection = ldap_connect($host, $this->serverPort);
}
} else {
if ($ldapdebug) {
dol_syslog(get_class($this)."::connectBind serverPing false, no ldap_connect ".$host, LOG_DEBUG);
}
continue;
}
}
if (is_resource($this->connection) || is_object($this->connection)) {
if ($ldapdebug) {
dol_syslog(get_class($this)."::connectBind this->connection is ok", LOG_DEBUG);
}
// Upgrade connection to TLS, if requested by the configuration
if (getDolGlobalString('LDAP_SERVER_USE_TLS')) {
// For test/debug
//ldap_set_option($this->connection, LDAP_OPT_DEBUG_LEVEL, 7);
//ldap_set_option($this->connection, LDAP_OPT_PROTOCOL_VERSION, 3);
//ldap_set_option($this->connection, LDAP_OPT_REFERRALS, 0);
$resulttls = ldap_start_tls($this->connection);
if (!$resulttls) {
dol_syslog(get_class($this)."::connectBind failed to start tls", LOG_WARNING);
$this->error = 'ldap_start_tls Failed to start TLS '.ldap_errno($this->connection).' '.ldap_error($this->connection);
$connected = 0;
$this->unbind();
}
}
// Execute the ldap_set_option here (after connect and before bind)
$this->setVersion();
$this->setSizeLimit();
if ($this->serverType == "activedirectory") {
$result = $this->setReferrals();
dol_syslog(get_class($this)."::connectBind try bindauth for activedirectory on ".$host." user=".$this->searchUser." password=".preg_replace('/./', '*', $this->searchPassword), LOG_DEBUG);
$this->result = $this->bindauth($this->searchUser, $this->searchPassword);
if ($this->result) {
$this->bind = $this->result;
$connected = 2;
$this->connectedServer = $host;
break;
} else {
$this->error = ldap_errno($this->connection).' '.ldap_error($this->connection);
}
} else {
// Try in auth mode
if ($this->searchUser && $this->searchPassword) {
dol_syslog(get_class($this)."::connectBind try bindauth on ".$host." user=".$this->searchUser." password=".preg_replace('/./', '*', $this->searchPassword), LOG_DEBUG);
$this->result = $this->bindauth($this->searchUser, $this->searchPassword);
if ($this->result) {
$this->bind = $this->result;
$connected = 2;
$this->connectedServer = $host;
break;
} else {
$this->error = ldap_errno($this->connection).' '.ldap_error($this->connection);
}
}
// Try in anonymous
if (!$this->bind) {
dol_syslog(get_class($this)."::connectBind try bind anonymously on ".$host, LOG_DEBUG);
$result = $this->bind();
if ($result) {
$this->bind = $this->result;
$connected = 1;
$this->connectedServer = $host;
break;
} else {
$this->error = ldap_errno($this->connection).' '.ldap_error($this->connection);
}
}
}
}
if (!$connected) {
$this->unbind();
}
} // End loop on each server
}
if ($connected) {
dol_syslog(get_class($this)."::connectBind ".$connected, LOG_DEBUG);
return $connected;
} else {
$this->error = 'Failed to connect to LDAP'.($this->error ? ': '.$this->error : '');
dol_syslog(get_class($this)."::connectBind ".$this->error, LOG_WARNING);
return -1;
}
}
/**
* Simply closes the connection set up earlier. Returns true if OK, false if there was an error.
* This method seems a duplicate/alias of unbind().
*
* @return boolean true or false
* @deprecated ldap_close is an alias of ldap_unbind, so use unbind() instead.
* @see unbind()
*/
public function close()
{
return $this->unbind();
}
/**
* Anonymously binds to the connection. After this is done,
* queries and searches can be done - but read-only.
*
* @return boolean true or false
*/
public function bind()
{
if (!$this->result = @ldap_bind($this->connection)) {
$this->ldapErrorCode = ldap_errno($this->connection);
$this->ldapErrorText = ldap_error($this->connection);
$this->error = $this->ldapErrorCode." ".$this->ldapErrorText;
return false;
} else {
return true;
}
}
/**
* Binds as an authenticated user, which usually allows for write
* access. The FULL dn must be passed. For a directory manager, this is
* "cn=Directory Manager" under iPlanet. For a user, it will be something
* like "uid=jbloggs,ou=People,dc=foo,dc=com".
*
* @param string $bindDn DN
* @param string $pass Password
* @return boolean true or false
*/
public function bindauth($bindDn, $pass)
{
if (!$this->result = @ldap_bind($this->connection, $bindDn, $pass)) {
$this->ldapErrorCode = ldap_errno($this->connection);
$this->ldapErrorText = ldap_error($this->connection);
$this->error = $this->ldapErrorCode." ".$this->ldapErrorText;
return false;
} else {
return true;
}
}
/**
* Unbind of LDAP server (close connection).
*
* @return boolean true or false
* @see close()
*/
public function unbind()
{
$this->result = true;
if (version_compare(PHP_VERSION, '8.1.0', '>=')) {
if (is_object($this->connection)) {
try {
$this->result = ldap_unbind($this->connection);
} catch (Throwable $exception) {
$this->error = 'Failed to unbind LDAP connection: '.$exception;
$this->result = false;
dol_syslog(get_class($this).'::unbind - '.$this->error, LOG_WARNING);
}
}
} else {
if (is_resource($this->connection)) {
// @phan-suppress-next-line PhanTypeMismatchArgumentInternalReal
$this->result = @ldap_unbind($this->connection);
}
}
if ($this->result) {
return true;
} else {
return false;
}
}
/**
* Verify LDAP server version
*
* @return int version
*/
public function getVersion()
{
@ldap_get_option($this->connection, LDAP_OPT_PROTOCOL_VERSION, $version);
return $version;
}
/**
* Set LDAP protocol version.
* LDAP_OPT_PROTOCOL_VERSION is a constant equal to 3
*
* @return boolean if set LDAP option OK: true, if KO: false
*/
public function setVersion()
{
return ldap_set_option($this->connection, LDAP_OPT_PROTOCOL_VERSION, $this->ldapProtocolVersion);
}
/**
* Set LDAP size limit.
*
* @return boolean if set LDAP option OK: true, if KO: false
*/
public function setSizeLimit()
{
return ldap_set_option($this->connection, LDAP_OPT_SIZELIMIT, 0);
}
/**
* Set LDAP referrals.
* LDAP_OPT_REFERRALS is a constant equal to ?
*
* @return boolean if set LDAP option OK: true, if KO: false
*/
public function setReferrals()
{
return ldap_set_option($this->connection, LDAP_OPT_REFERRALS, 0);
}
/**
* Add an LDAP entry
* LDAP object connect and bind must have been done
*
* @param string $dn DN entry key
* @param array $info Attributes array
* @param User $user Object user that create
* @return int if KO: <0 || if OK: >0
*/
public function add($dn, $info, $user)
{
dol_syslog(get_class($this)."::add dn=".$dn." info=".print_r($info, true));
// Check parameters
if (!$this->connection) {
$this->error = "NotConnected";
return -2;
}
if (!$this->bind) {
$this->error = "NotConnected";
return -3;
}
// Encode to LDAP page code
$dn = $this->convFromOutputCharset($dn, $this->ldapcharset);
foreach ($info as $key => $val) {
if (!is_array($val)) {
$info[$key] = $this->convFromOutputCharset($val, $this->ldapcharset);
}
}
$this->dump($dn, $info);
//print_r($info);
$result = @ldap_add($this->connection, $dn, $info);
if ($result) {
dol_syslog(get_class($this)."::add successful", LOG_DEBUG);
return 1;
} else {
$this->ldapErrorCode = @ldap_errno($this->connection);
$this->ldapErrorText = @ldap_error($this->connection);
$this->error = $this->ldapErrorCode." ".$this->ldapErrorText;
dol_syslog(get_class($this)."::add failed: ".$this->error, LOG_ERR);
return -1;
}
}
/**
* Modify an LDAP entry
* LDAP object connect and bind must have been done
*
* @param string $dn DN entry key
* @param array $info Attributes array
* @param User $user Object user that modify
* @return int if KO: <0 || if OK: >0
*/
public function modify($dn, $info, $user)
{
dol_syslog(get_class($this)."::modify dn=".$dn." info=".print_r($info, true));
// Check parameters
if (!$this->connection) {
$this->error = "NotConnected";
return -2;
}
if (!$this->bind) {
$this->error = "NotConnected";
return -3;
}
// Encode to LDAP page code
$dn = $this->convFromOutputCharset($dn, $this->ldapcharset);
foreach ($info as $key => $val) {
if (!is_array($val)) {
$info[$key] = $this->convFromOutputCharset($val, $this->ldapcharset);
}
}
$this->dump($dn, $info);
//print_r($info);
// For better compatibility with Samba4 AD
if ($this->serverType == "activedirectory") {
unset($info['cn']); // To avoid error : Operation not allowed on RDN (Code 67)
// To avoid error : LDAP Error: 53 (Unwilling to perform)
if (isset($info['unicodePwd'])) {
$info['unicodePwd'] = mb_convert_encoding("\"".$info['unicodePwd']."\"", "UTF-16LE", "UTF-8");
}
}
$result = @ldap_mod_replace($this->connection, $dn, $info);
if ($result) {
dol_syslog(get_class($this)."::modify successful", LOG_DEBUG);
return 1;
} else {
$this->error = @ldap_error($this->connection);
dol_syslog(get_class($this)."::modify failed: ".$this->error, LOG_ERR);
return -1;
}
}
/**
* Rename an LDAP entry
* LDAP object connect and bind must have been done
*
* @param string $dn Old DN entry key (uid=qqq,ou=xxx,dc=aaa,dc=bbb) (before update)
* @param string $newrdn New RDN entry key (uid=qqq)
* @param string $newparent New parent (ou=xxx,dc=aaa,dc=bbb)
* @param User $user Object user that modify
* @param bool $deleteoldrdn If true the old RDN value(s) is removed, else the old RDN value(s) is retained as non-distinguished values of the entry.
* @return int if KO: <0 || if OK: >0
*/
public function rename($dn, $newrdn, $newparent, $user, $deleteoldrdn = true)
{
dol_syslog(get_class($this)."::modify dn=".$dn." newrdn=".$newrdn." newparent=".$newparent." deleteoldrdn=".($deleteoldrdn ? 1 : 0));
// Check parameters
if (!$this->connection) {
$this->error = "NotConnected";
return -2;
}
if (!$this->bind) {
$this->error = "NotConnected";
return -3;
}
// Encode to LDAP page code
$dn = $this->convFromOutputCharset($dn, $this->ldapcharset);
$newrdn = $this->convFromOutputCharset($newrdn, $this->ldapcharset);
$newparent = $this->convFromOutputCharset($newparent, $this->ldapcharset);
//print_r($info);
$result = @ldap_rename($this->connection, $dn, $newrdn, $newparent, $deleteoldrdn);
if ($result) {
dol_syslog(get_class($this)."::rename successful", LOG_DEBUG);
return 1;
} else {
$this->error = @ldap_error($this->connection);
dol_syslog(get_class($this)."::rename failed: ".$this->error, LOG_ERR);
return -1;
}
}
/**
* Modify an LDAP entry (to use if dn != olddn)
* LDAP object connect and bind must have been done
*
* @param string $dn DN entry key
* @param array $info Attributes array
* @param User $user Object user that update
* @param string $olddn Old DN entry key (before update)
* @param string $newrdn New RDN entry key (uid=qqq) (for ldap_rename)
* @param string $newparent New parent (ou=xxx,dc=aaa,dc=bbb) (for ldap_rename)
* @return int if KO: <0 || if OK: >0
*/
public function update($dn, $info, $user, $olddn, $newrdn = '', $newparent = '')
{
dol_syslog(get_class($this)."::update dn=".$dn." olddn=".$olddn);
// Check parameters
if (!$this->connection) {
$this->error = "NotConnected";
return -2;
}
if (!$this->bind) {
$this->error = "NotConnected";
return -3;
}
if (!$olddn || $olddn != $dn) {
if (!empty($olddn) && !empty($newrdn) && !empty($newparent) && $this->ldapProtocolVersion === '3') {
// This function currently only works with LDAPv3
$result = $this->rename($olddn, $newrdn, $newparent, $user, true);
$result = $this->modify($dn, $info, $user); // We force "modify" for avoid some fields not modify
} else {
// If change we make is rename the key of LDAP record, we create new one and if ok, we delete old one.
$result = $this->add($dn, $info, $user);
if ($result > 0 && $olddn && $olddn != $dn) {
$result = $this->delete($olddn); // If add fails, we do not try to delete old one
}
}
} else {
//$result = $this->delete($olddn);
$result = $this->add($dn, $info, $user); // If record has been deleted from LDAP, we recreate it. We ignore error if it already exists.
$result = $this->modify($dn, $info, $user); // We use add/modify instead of delete/add when olddn is received
}
if ($result <= 0) {
$this->error = ldap_error($this->connection).' (Code '.ldap_errno($this->connection).") ".$this->error;
dol_syslog(get_class($this)."::update ".$this->error, LOG_ERR);
//print_r($info);
return -1;
} else {
dol_syslog(get_class($this)."::update done successfully");
return 1;
}
}
/**
* Delete an LDAP entry
* LDAP object connect and bind must have been done
*
* @param string $dn DN entry key
* @return int if KO: <0 || if OK: >0
*/
public function delete($dn)
{
dol_syslog(get_class($this)."::delete Delete LDAP entry dn=".$dn);
// Check parameters
if (!$this->connection) {
$this->error = "NotConnected";
return -2;
}
if (!$this->bind) {
$this->error = "NotConnected";
return -3;
}
// Encode to LDAP page code
$dn = $this->convFromOutputCharset($dn, $this->ldapcharset);
$result = @ldap_delete($this->connection, $dn);
if ($result) {
return 1;
}
return -1;
}
/**
* Build an LDAP message
*
* @see dump_content renamed
* @param string $dn DN entry key
* @param array $info Attributes array
* @return string Content of file
*/
public function dumpContent($dn, $info)
{
$content = '';
// Create file content
if (preg_match('/^ldap/', $this->server[0])) {
$target = "-H ".implode(',', $this->server);
} else {
$target = "-h ".implode(',', $this->server)." -p ".$this->serverPort;
}
$content .= "# ldapadd $target -c -v -D ".$this->searchUser." -W -f ldapinput.in\n";
$content .= "# ldapmodify $target -c -v -D ".$this->searchUser." -W -f ldapinput.in\n";
$content .= "# ldapdelete $target -c -v -D ".$this->searchUser." -W -f ldapinput.in\n";
if (in_array('localhost', $this->server)) {
$content .= "# If commands fails to connect, try without -h and -p\n";
}
$content .= "dn: ".$dn."\n";
foreach ($info as $key => $value) {
if (!is_array($value)) {
$content .= "$key: $value\n";
} else {
foreach ($value as $valuevalue) {
$content .= "$key: $valuevalue\n";
}
}
}
return $content;
}
/**
* Dump an LDAP message to ldapinput.in file
*
* @param string $dn DN entry key
* @param array $info Attributes array
* @return int if KO: <0 || if OK: >0
*/
public function dump($dn, $info)
{
global $conf;
$ldapDirTemp = $conf->ldap->dir_temp;
// Create content
$content = $this->dumpContent($dn, $info);
//Create directory & file
$result = dol_mkdir($ldapDirTemp);
if ($result != 0) {
$outputfile = $ldapDirTemp.'/ldapinput.in';
$fp = fopen($outputfile, "w");
if ($fp) {
fwrite($fp, $content);
fclose($fp);
dolChmod($outputfile);
return 1;
} else {
return -1;
}
} else {
return -1;
}
}
/**
* Ping a server before ldap_connect for avoid waiting
*
* @param string $host Server host or address
* @param int $port Server port (default 389)
* @param int $timeout Timeout in second (default 1s)
* @return boolean true or false
*/
public function serverPing($host, $port = 389, $timeout = 1)
{
$regs = array();
if (preg_match('/^ldaps:\/\/([^\/]+)\/?$/', $host, $regs)) {
// Replace ldaps:// by ssl://
$host = 'ssl://'.$regs[1];
} elseif (preg_match('/^ldap:\/\/([^\/]+)\/?$/', $host, $regs)) {
// Remove ldap://
$host = $regs[1];
}
//var_dump($newhostforstream); var_dump($host); var_dump($port);
//$host = 'ssl://ldap.test.local:636';
//$port = 636;
$errno = $errstr = 0;
/*
if ($methodtochecktcpconnect == 'socket') {
Try to use socket_create() method.
Method that use stream_context_create() works only on registered listed in stream stream_get_wrappers(): http, https, ftp, ...
}
*/
// Use the method fsockopen to test tcp connect. No way to ignore ssl certificate errors with this method !
$op = @fsockopen($host, $port, $errno, $errstr, $timeout);
//var_dump($op);
if (!$op) {
return false; //DC is N/A
} else {
fclose($op); //explicitly close open socket connection
return true; //DC is up & running, we can safely connect with ldap_connect
}
}
// Attribute methods -----------------------------------------------------
/**
* Add an LDAP attribute in entry
* LDAP object connect and bind must have been done
*
* @param string $dn DN entry key
* @param array $info Attributes array
* @param User $user Object user that create
* @return int if KO: <0 || if OK: >0
*/
public function addAttribute($dn, $info, $user)
{
dol_syslog(get_class($this)."::addAttribute dn=".$dn." info=".implode(',', $info));
// Check parameters
if (!$this->connection) {
$this->error = "NotConnected";
return -2;
}
if (!$this->bind) {
$this->error = "NotConnected";
return -3;
}
// Encode to LDAP page code
$dn = $this->convFromOutputCharset($dn, $this->ldapcharset);
foreach ($info as $key => $val) {
if (!is_array($val)) {
$info[$key] = $this->convFromOutputCharset($val, $this->ldapcharset);
}
}
$this->dump($dn, $info);
//print_r($info);
$result = @ldap_mod_add($this->connection, $dn, $info);
if ($result) {
dol_syslog(get_class($this)."::add_attribute successful", LOG_DEBUG);
return 1;
} else {
$this->error = @ldap_error($this->connection);
dol_syslog(get_class($this)."::add_attribute failed: ".$this->error, LOG_ERR);
return -1;
}
}
/**
* Update an LDAP attribute in entry
* LDAP object connect and bind must have been done
*
* @param string $dn DN entry key
* @param array $info Attributes array
* @param User $user Object user that create
* @return int if KO: <0 || if OK: >0
*/
public function updateAttribute($dn, $info, $user)
{
dol_syslog(get_class($this)."::updateAttribute dn=".$dn." info=".implode(',', $info));
// Check parameters
if (!$this->connection) {
$this->error = "NotConnected";
return -2;
}
if (!$this->bind) {
$this->error = "NotConnected";
return -3;
}
// Encode to LDAP page code
$dn = $this->convFromOutputCharset($dn, $this->ldapcharset);
foreach ($info as $key => $val) {
if (!is_array($val)) {
$info[$key] = $this->convFromOutputCharset($val, $this->ldapcharset);
}
}
$this->dump($dn, $info);
//print_r($info);
$result = @ldap_mod_replace($this->connection, $dn, $info);
if ($result) {
dol_syslog(get_class($this)."::updateAttribute successful", LOG_DEBUG);
return 1;
} else {
$this->error = @ldap_error($this->connection);
dol_syslog(get_class($this)."::updateAttribute failed: ".$this->error, LOG_ERR);
return -1;
}
}
/**
* Delete an LDAP attribute in entry
* LDAP object connect and bind must have been done
*
* @param string $dn DN entry key
* @param array $info Attributes array
* @param User $user Object user that create
* @return int if KO: <0 || if OK: >0
*/
public function deleteAttribute($dn, $info, $user)
{
dol_syslog(get_class($this)."::deleteAttribute dn=".$dn." info=".implode(',', $info));
// Check parameters
if (!$this->connection) {
$this->error = "NotConnected";
return -2;
}
if (!$this->bind) {
$this->error = "NotConnected";
return -3;
}
// Encode to LDAP page code
$dn = $this->convFromOutputCharset($dn, $this->ldapcharset);
foreach ($info as $key => $val) {
if (!is_array($val)) {
$info[$key] = $this->convFromOutputCharset($val, $this->ldapcharset);
}
}
$this->dump($dn, $info);
//print_r($info);
$result = @ldap_mod_del($this->connection, $dn, $info);
if ($result) {
dol_syslog(get_class($this)."::deleteAttribute successful", LOG_DEBUG);
return 1;
} else {
$this->error = @ldap_error($this->connection);
dol_syslog(get_class($this)."::deleteAttribute failed: ".$this->error, LOG_ERR);
return -1;
}
}
/**
* Returns an array containing attributes and values for first record
*
* array{count:int,0..max:string,string:array}
*
* @param string $dn DN entry key
* @param string $filter Filter
* @return int|array<'count'|int|string,int|string|array> if KO: <=0 || if OK: array
*/
public function getAttribute($dn, $filter)
{
// Check parameters
if (!$this->connection) {
$this->error = "NotConnected";
return -2;
}
if (!$this->bind) {
$this->error = "NotConnected";
return -3;
}
$search = @ldap_search($this->connection, $dn, $filter);
// Only one entry should ever be returned
$entry = @ldap_first_entry($this->connection, $search);
if (!$entry) {
$this->ldapErrorCode = -1;
$this->ldapErrorText = "Couldn't find entry";
return 0; // Couldn't find entry...
}
// Get values
if (!($values = ldap_get_attributes($this->connection, $entry))) {
$this->ldapErrorCode = ldap_errno($this->connection);
$this->ldapErrorText = ldap_error($this->connection);
return 0; // No matching attributes
}
// Return an array containing the attributes.
return $values;
}
/**
* Returns an array containing values for an attribute and for first record matching filterrecord
*
* @param string $filterrecord Record
* @param string $attribute Attributes
* @return array|boolean
*/
public function getAttributeValues($filterrecord, $attribute)
{
$attributes = array();
$attributes[0] = $attribute;
// We need to search for this user in order to get their entry.
$this->result = @ldap_search($this->connection, $this->people, $filterrecord, $attributes);
// Pourquoi cette ligne ?
//$info = ldap_get_entries($this->connection, $this->result);
// Only one entry should ever be returned (no user will have the same uid)
$entry = ldap_first_entry($this->connection, $this->result);
if (!$entry) {
$this->ldapErrorCode = -1;
$this->ldapErrorText = "Couldn't find user";
return false; // Couldn't find the user...
}
// Get values
if (!$values = @ldap_get_values_len($this->connection, $entry, $attribute)) {
$this->ldapErrorCode = ldap_errno($this->connection);
$this->ldapErrorText = ldap_error($this->connection);
return false; // No matching attributes
}
// Return an array containing the attributes.
return $values;
}
/**
* Returns an array containing a details or list of LDAP record(s).
* ldapsearch -LLLx -hlocalhost -Dcn=admin,dc=parinux,dc=org -w password -b "ou=adherents,ou=people,dc=parinux,dc=org" userPassword
*
* @param string $search Value of field to search, '*' for all. Not used if $activefilter is set.
* @param string $userDn DN (Ex: ou=adherents,ou=people,dc=parinux,dc=org)
* @param string $useridentifier Name of key field (Ex: uid).
* @param array $attributeArray Array of fields required. Note this array must also contain field $useridentifier (Ex: sn,userPassword)
* @param int $activefilter '1' or 'user'=use field this->filter as filter instead of parameter $search, 'group'=use field this->filtergroup as filter, 'member'=use field this->filtermember as filter
* @param array $attributeAsArray Array of fields wanted as an array not a string
* @return array|int if KO: <0 || if OK: array of [id_record][ldap_field]=value
*/
public function getRecords($search, $userDn, $useridentifier, $attributeArray, $activefilter = 0, $attributeAsArray = array())
{
$fulllist = array();
dol_syslog(get_class($this)."::getRecords search=".$search." userDn=".$userDn." useridentifier=".$useridentifier." attributeArray=array(".implode(',', $attributeArray).") activefilter=".$activefilter);
// if the directory is AD, then bind first with the search user first
if ($this->serverType == "activedirectory") {
$this->bindauth($this->searchUser, $this->searchPassword);
dol_syslog(get_class($this)."::bindauth serverType=activedirectory searchUser=".$this->searchUser);
}
// Define filter
if (!empty($activefilter)) { // Use a predefined trusted filter (defined into setup by admin).
if (((string) $activefilter == '1' || (string) $activefilter == 'user') && $this->filter) {
$filter = '('.$this->filter.')';
} elseif (((string) $activefilter == 'group') && $this->filtergroup) {
$filter = '('.$this->filtergroup.')';
} elseif (((string) $activefilter == 'member') && $this->filter) {
$filter = '('.$this->filtermember.')';
} else {
// If this->filter/this->filtergroup is empty, make filter on * (all)
$filter = '('.ldap_escape($useridentifier, '', LDAP_ESCAPE_FILTER).'=*)';
}
} else { // Use a filter forged using the $search value
$filter = '('.ldap_escape($useridentifier, '', LDAP_ESCAPE_FILTER).'='.ldap_escape($search, '', LDAP_ESCAPE_FILTER).')';
}
if (is_array($attributeArray)) {
// Return list with required fields
$attributeArray = array_values($attributeArray); // This is to force to have index reordered from 0 (not make ldap_search fails)
dol_syslog(get_class($this)."::getRecords connection=".$this->connectedServer.":".$this->serverPort." userDn=".$userDn." filter=".$filter." attributeArray=(".implode(',', $attributeArray).")");
//var_dump($attributeArray);
$this->result = @ldap_search($this->connection, $userDn, $filter, $attributeArray);
} else {
// Return list with fields selected by default
dol_syslog(get_class($this)."::getRecords connection=".$this->connectedServer.":".$this->serverPort." userDn=".$userDn." filter=".$filter);
$this->result = @ldap_search($this->connection, $userDn, $filter);
}
if (!$this->result) {
$this->error = 'LDAP search failed: '.ldap_errno($this->connection)." ".ldap_error($this->connection);
return -1;
}
$info = @ldap_get_entries($this->connection, $this->result);
// Warning: Dans info, les noms d'attributs sont en minuscule meme si passe
// a ldap_search en majuscule !!!
//print_r($info);
for ($i = 0; $i < $info["count"]; $i++) {
$recordid = $this->convToOutputCharset($info[$i][strtolower($useridentifier)][0], $this->ldapcharset);
if ($recordid) {
//print "Found record with key $useridentifier=".$recordid."<br>\n";
$fulllist[$recordid][$useridentifier] = $recordid;
// Add to the array for each attribute in my list
$num = count($attributeArray);
for ($j = 0; $j < $num; $j++) {
$keyattributelower = strtolower($attributeArray[$j]);
//print " Param ".$attributeArray[$j]."=".$info[$i][$keyattributelower][0]."<br>\n";
//permet de recuperer le SID avec Active Directory
if ($this->serverType == "activedirectory" && $keyattributelower == "objectsid") {
$objectsid = $this->getObjectSid($recordid);
$fulllist[$recordid][$attributeArray[$j]] = $objectsid;
} else {
if (in_array($attributeArray[$j], $attributeAsArray) && is_array($info[$i][$keyattributelower])) {
$valueTab = array();
foreach ($info[$i][$keyattributelower] as $key => $value) {
$valueTab[$key] = $this->convToOutputCharset($value, $this->ldapcharset);
}
$fulllist[$recordid][$attributeArray[$j]] = $valueTab;
} else {
$fulllist[$recordid][$attributeArray[$j]] = $this->convToOutputCharset($info[$i][$keyattributelower][0], $this->ldapcharset);
}
}
}
}
}
asort($fulllist);
return $fulllist;
}
/**
* Converts a little-endian hex-number to one, that 'hexdec' can convert
* Required by Active Directory
*
* @param string $hex Hex value
* @return string Little endian
*/
public function littleEndian($hex)
{
$result = '';
for ($x = dol_strlen($hex) - 2; $x >= 0; $x -= 2) {
$result .= substr($hex, $x, 2);
}
return $result;
}
/**
* Gets LDAP user SID.
* Required by Active Directory
*
* @param string $ldapUser User login
* @return int|string if SID OK: SID string, if KO: -1
*/
public function getObjectSid($ldapUser)
{
$criteria = '('.$this->getUserIdentifier().'='.$ldapUser.')';
$justthese = array("objectsid");
// if the directory is AD, then bind first with the search user first
if ($this->serverType == "activedirectory") {
$this->bindauth($this->searchUser, $this->searchPassword);
}
$i = 0;
$searchDN = $this->people;
while ($i <= 2) {
$ldapSearchResult = @ldap_search($this->connection, $searchDN, $criteria, $justthese);
if (!$ldapSearchResult) {
$this->error = ldap_errno($this->connection)." ".ldap_error($this->connection);
return -1;
}
$entry = ldap_first_entry($this->connection, $ldapSearchResult);
if (!$entry) {
// Si pas de resultat on cherche dans le domaine
$searchDN = $this->domain;
$i++;
} else {
$i++;
$i++;
}
}
if ($entry) {
$ldapBinary = ldap_get_values_len($this->connection, $entry, "objectsid");
$SIDText = $this->binSIDtoText($ldapBinary[0]);
return $SIDText;
} else {
$this->error = ldap_errno($this->connection)." ".ldap_error($this->connection);
return -1;
}
}
/**
* Returns the textual SID
* Required by Active Directory
*
* @param string $binsid Binary SID
* @return string Textual SID
*/
public function binSIDtoText($binsid)
{
$hex_sid = bin2hex($binsid);
$rev = hexdec(substr($hex_sid, 0, 2)); // Get revision-part of SID
$subcount = hexdec(substr($hex_sid, 2, 2)); // Get count of sub-auth entries
$auth = hexdec(substr($hex_sid, 4, 12)); // SECURITY_NT_AUTHORITY
$result = "$rev-$auth";
for ($x = 0; $x < $subcount; $x++) {
$result .= "-".hexdec($this->littleEndian(substr($hex_sid, 16 + ($x * 8), 8))); // get all SECURITY_NT_AUTHORITY
}
return $result;
}
/**
* Search method with filter
* this->connection must be defined. The bind or bindauth methods must already have been called.
* Do not use for search of a given properties list because of upper-lower case conflict.
* Only use for pages.
* 'Fiche LDAP' shows readable fields by default.
* @see bind
* @see bindauth
*
* @param string $checkDn Search DN (Ex: ou=users,cn=my-domain,cn=com)
* @param string $filter Search filter (ex: (sn=name_person) )
* @return array|int Array with answers (lowercase key - value)
*/
public function search($checkDn, $filter)
{
dol_syslog(get_class($this)."::search checkDn=".$checkDn." filter=".$filter);
$checkDn = $this->convFromOutputCharset($checkDn, $this->ldapcharset);
$filter = $this->convFromOutputCharset($filter, $this->ldapcharset);
// if the directory is AD, then bind first with the search user first
if ($this->serverType == "activedirectory") {
$this->bindauth($this->searchUser, $this->searchPassword);
}
$this->result = @ldap_search($this->connection, $checkDn, $filter);
$result = @ldap_get_entries($this->connection, $this->result);
if (!$result) {
$this->error = ldap_errno($this->connection)." ".ldap_error($this->connection);
return -1;
} else {
ldap_free_result($this->result);
return $result;
}
}
/**
* Load all attributes of an LDAP user
*
* @param User|string $user Not used.
* @param string $filter Filter for search. Must start with &.
* Examples: &(objectClass=inetOrgPerson) &(objectClass=user)(objectCategory=person) &(isMemberOf=cn=Sales,ou=Groups,dc=opencsi,dc=com)
* @return int if KO: <0 || if OK: > 0
*/
public function fetch($user, $filter)
{
// Perform the search and get the entry handles
// if the directory is AD, then bind first with the search user first
if ($this->serverType == "activedirectory") {
$this->bindauth($this->searchUser, $this->searchPassword);
}
$searchDN = $this->people; // TODO Why searching in people then domain ?
$result = '';
$i = 0;
while ($i <= 2) {
dol_syslog(get_class($this)."::fetch search with searchDN=".$searchDN." filter=".$filter);
$this->result = @ldap_search($this->connection, $searchDN, $filter);
if ($this->result) {
$result = @ldap_get_entries($this->connection, $this->result);
if ($result['count'] > 0) {
dol_syslog('Ldap::fetch search found '.$result['count'].' records');
} else {
dol_syslog('Ldap::fetch search returns but found no records');
}
//var_dump($result);exit;
} else {
$this->error = ldap_errno($this->connection)." ".ldap_error($this->connection);
dol_syslog(get_class($this)."::fetch search fails");
return -1;
}
if (!$result) {
// Si pas de resultat on cherche dans le domaine
$searchDN = $this->domain;
$i++;
} else {
break;
}
}
if (!$result) {
$this->error = ldap_errno($this->connection)." ".ldap_error($this->connection);
return -1;
} else {
$this->name = $this->convToOutputCharset($result[0][$this->attr_name][0], $this->ldapcharset);
$this->firstname = $this->convToOutputCharset($result[0][$this->attr_firstname][0], $this->ldapcharset);
$this->login = $this->convToOutputCharset($result[0][$this->attr_login][0], $this->ldapcharset);
$this->phone = $this->convToOutputCharset($result[0][$this->attr_phone][0], $this->ldapcharset);
$this->fax = $this->convToOutputCharset($result[0][$this->attr_fax][0], $this->ldapcharset);
$this->mail = $this->convToOutputCharset($result[0][$this->attr_mail][0], $this->ldapcharset);
$this->mobile = $this->convToOutputCharset($result[0][$this->attr_mobile][0], $this->ldapcharset);
$this->uacf = $this->parseUACF($this->convToOutputCharset($result[0]["useraccountcontrol"][0], $this->ldapcharset));
if (isset($result[0]["pwdlastset"][0])) { // If expiration on password exists
$this->pwdlastset = ($result[0]["pwdlastset"][0] != 0) ? $this->convertTime($this->convToOutputCharset($result[0]["pwdlastset"][0], $this->ldapcharset)) : 0;
} else {
$this->pwdlastset = -1;
}
if (!$this->name && !$this->login) {
$this->pwdlastset = -1;
}
$this->badpwdtime = $this->convertTime($this->convToOutputCharset($result[0]["badpasswordtime"][0], $this->ldapcharset));
// FQDN domain
$domain = str_replace('dc=', '', $this->domain);
$domain = str_replace(',', '.', $domain);
$this->domainFQDN = $domain;
// Set ldapUserDn (each user can have a different dn)
//var_dump($result[0]);exit;
$this->ldapUserDN = $result[0]['dn'];
ldap_free_result($this->result);
return 1;
}
}
// helper methods
/**
* Returns the correct user identifier to use, based on the LDAP server type
*
* @return string Login
*/
public function getUserIdentifier()
{
if ($this->serverType == "activedirectory") {
return $this->attr_sambalogin;
} else {
return $this->attr_login;
}
}
/**
* UserAccountControl Flags to more human understandable form...
*
* @param string $uacf UACF
* @return array
*/
public function parseUACF($uacf)
{
//All flags array
$flags = array(
"TRUSTED_TO_AUTH_FOR_DELEGATION" => 16777216,
"PASSWORD_EXPIRED" => 8388608,
"DONT_REQ_PREAUTH" => 4194304,
"USE_DES_KEY_ONLY" => 2097152,
"NOT_DELEGATED" => 1048576,
"TRUSTED_FOR_DELEGATION" => 524288,
"SMARTCARD_REQUIRED" => 262144,
"MNS_LOGON_ACCOUNT" => 131072,
"DONT_EXPIRE_PASSWORD" => 65536,
"SERVER_TRUST_ACCOUNT" => 8192,
"WORKSTATION_TRUST_ACCOUNT" => 4096,
"INTERDOMAIN_TRUST_ACCOUNT" => 2048,
"NORMAL_ACCOUNT" => 512,
"TEMP_DUPLICATE_ACCOUNT" => 256,
"ENCRYPTED_TEXT_PWD_ALLOWED" => 128,
"PASSWD_CANT_CHANGE" => 64,
"PASSWD_NOTREQD" => 32,
"LOCKOUT" => 16,
"HOMEDIR_REQUIRED" => 8,
"ACCOUNTDISABLE" => 2,
"SCRIPT" => 1
);
//Parse flags to text
$retval = array();
//while (list($flag, $val) = each($flags)) {
foreach ($flags as $flag => $val) {
if ($uacf >= $val) {
$uacf -= $val;
$retval[$val] = $flag;
}
}
//Return human friendly flags
return $retval;
}
/**
* SamAccountType value to text
*
* @param string $samtype SamType
* @return string Sam string
*/
public function parseSAT($samtype)
{
$stypes = array(
805306368 => "NORMAL_ACCOUNT",
805306369 => "WORKSTATION_TRUST",
805306370 => "INTERDOMAIN_TRUST",
268435456 => "SECURITY_GLOBAL_GROUP",
268435457 => "DISTRIBUTION_GROUP",
536870912 => "SECURITY_LOCAL_GROUP",
536870913 => "DISTRIBUTION_LOCAL_GROUP"
);
$retval = "";
foreach ($stypes as $sat => $val) {
if ($samtype == $sat) {
$retval = $val;
break;
}
}
if (empty($retval)) {
$retval = "UNKNOWN_TYPE_".$samtype;
}
return $retval;
}
/**
* Converts ActiveDirectory time to Unix timestamp
*
* @param string $value AD time to convert (ns since 1601)
* @return integer Unix timestamp
*/
public function convertTime($value)
{
$dateLargeInt = $value; // nano secondes depuis 1601 !!!!
if (PHP_INT_SIZE < 8) {
// 32 bit platform
$secsAfterADEpoch = (float) $dateLargeInt / (10000000.); // secondes depuis le 1 jan 1601
} else {
// At least 64 bit platform
$secsAfterADEpoch = (int) $dateLargeInt / (10000000); // secondes depuis le 1 jan 1601
}
$ADToUnixConvertor = ((1970 - 1601) * 365.242190) * 86400; // UNIX start date - AD start date * jours * secondes
$unixTimeStamp = intval($secsAfterADEpoch - $ADToUnixConvertor); // Unix time stamp
return $unixTimeStamp;
}
/**
* Convert a string into output/memory charset
*
* @param string $str String to convert
* @param string $pagecodefrom Page code of src string
* @return string Converted string
*/
private function convToOutputCharset($str, $pagecodefrom = 'UTF-8')
{
global $conf;
if ($pagecodefrom == 'ISO-8859-1' && $conf->file->character_set_client == 'UTF-8') {
$str = mb_convert_encoding($str, 'UTF-8', 'ISO-8859-1');
}
if ($pagecodefrom == 'UTF-8' && $conf->file->character_set_client == 'ISO-8859-1') {
$str = mb_convert_encoding($str, 'ISO-8859-1');
}
return $str;
}
/**
* Convert a string from output/memory charset
*
* @param string $str String to convert
* @param string $pagecodeto Page code for result string
* @return string Converted string
*/
public function convFromOutputCharset($str, $pagecodeto = 'UTF-8')
{
global $conf;
if ($pagecodeto == 'ISO-8859-1' && $conf->file->character_set_client == 'UTF-8') {
$str = mb_convert_encoding($str, 'ISO-8859-1');
}
if ($pagecodeto == 'UTF-8' && $conf->file->character_set_client == 'ISO-8859-1') {
$str = mb_convert_encoding($str, 'UTF-8', 'ISO-8859-1');
}
return $str;
}
/**
* Return available value of group GID
*
* @param string $keygroup Key of group
* @return int gid number
*/
public function getNextGroupGid($keygroup = 'LDAP_KEY_GROUPS')
{
if (empty($keygroup)) {
$keygroup = 'LDAP_KEY_GROUPS';
}
$search = '(' . getDolGlobalString($keygroup).'=*)';
$result = $this->search($this->groups, $search);
if ($result) {
$c = $result['count'];
$gids = array();
for ($i = 0; $i < $c; $i++) {
$gids[] = $result[$i]['gidnumber'][0];
}
rsort($gids);
return $gids[0] + 1;
}
return 0;
}
}