bn8/ldapsaisie
1
0
Fork 0
mirror of https://gitlab.easter-eggs.com/ee/ldapsaisie.git synced 2024-05-01 20:18:57 +02:00
Code Issues Projects Releases Wiki Activity
ldapsaisie/src/includes/class/class.LSldap.php
Benjamin Renard 59ecc0d7fa Add authz proxy authorization support 
Add useAuthzProxyControl parameter to combine with useUserCredentials to 
also using authz proxy authorization.
2021-08-26 20:16:22 +02:00

640 lines
20 KiB
PHP
Raw Blame History

<?php
/*******************************************************************************
* Copyright (C) 2007 Easter-eggs
* https://ldapsaisie.org
*
* Author: See AUTHORS file in top-level directory.
*
* This program is free software; you can redistribute it and/or
* modify it under the terms of the GNU General Public License version 2
* as published by the Free Software Foundation.
*
* This program is distributed in the hope that it will be useful,
* but WITHOUT ANY WARRANTY; without even the implied warranty of
* MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
* GNU General Public License for more details.
*
* You should have received a copy of the GNU General Public License
* along with this program; if not, write to the Free Software
* Foundation, Inc., 59 Temple Place - Suite 330, Boston, MA 02111-1307, USA.
******************************************************************************/
LSsession :: loadLSclass('LSlog_staticLoggerClass');
/**
* Gestion de l'accès à l'annaire Ldap
*
* Cette classe gère l'accès à l'annuaire ldap en s'appuyant sur PEAR :: Net_LDAP2
*
* @author Benjamin Renard <brenard@easter-eggs.com>
*/
class LSldap extends LSlog_staticLoggerClass {
private static $config;
private static $cnx = NULL;
/**
* D<>fini la configuration
*
* Cette methode définis la configuration de l'accès à l'annuaire
*
* @author Benjamin Renard <brenard@easter-eggs.com>
*
* @param[in] $config array Tableau de configuration au format Net_LDAP2
*
* @retval void
*/
public static function setConfig ($config) {
self :: $config = $config;
}
/**
* Connect to LDAP server
*
* This method establish connection to LDAP server
*
* @author Benjamin Renard <brenard@easter-eggs.com>
*
* @param[in] $config array LDAP configuration array in format of Net_LDAP2
*
* @retval boolean true if connected, false instead
*/
public static function connect($config = null) {
if ($config) {
self :: setConfig($config);
}
self :: $cnx = Net_LDAP2::connect(self :: $config);
if (Net_LDAP2::isError(self :: $cnx)) {
LSerror :: addErrorCode('LSldap_01',self :: $cnx -> getMessage());
self :: $cnx = NULL;
return;
}
return true;
}
/**
* Reconnect (or connect) with other credentials
*
* @author Benjamin Renard <brenard@easter-eggs.com>
*
* @param[in] $dn string Bind DN
* @param[in] $pwd array Bind password
* @param[in] $config array LDAP configuration array in format of Net_LDAP2
* (optional, default: keep current)
*
* @retval boolean true if connected, false instead
*/
public static function reconnectAs($dn, $pwd, $config=null) {
if ($config) {
self :: setConfig($config);
}
if (self :: $cnx) {
self :: $cnx -> done();
}
$config = self :: $config;
$config['binddn'] = $dn;
$config['bindpw'] = $pwd;
self :: $cnx = Net_LDAP2::connect($config);
if (Net_LDAP2::isError(self :: $cnx)) {
LSerror :: addErrorCode('LSldap_01', self :: $cnx -> getMessage());
self :: $cnx = NULL;
return;
}
return true;
}
/**
* Set authz proxy control
*
* @author Benjamin Renard <brenard@easter-eggs.com>
*
* @param[in] $dn string Bind DN
*
* @retval boolean true if authz proxy controle is set, false otherwise
*/
public static function setAuthzProxyControl($dn) {
if (!self :: $cnx) {
self :: connect();
}
$result = self :: $cnx -> setOption(
'LDAP_OPT_SERVER_CONTROLS',
array (
array(
'oid' => '2.16.840.1.113730.3.4.18',
'value' => "dn:$dn",
'iscritical' => true
)
)
);
// Also check user exists to validate the connection with
// authz proxy control.
if ($result !== True || !self :: exists($dn)) {
LSerror :: addErrorCode('LSldap_09');
return False;
}
return True;
}
/**
* Déconnection
*
* Cette methode clos la connexion à l'annuaire Ldap
*
* @author Benjamin Renard <brenard@easter-eggs.com>
*
* @retval void
*/
public static function close() {
self :: $cnx -> done();
}
/**
* Recherche dans l'annuaire
*
* Cette methode effectue une recherche dans l'annuaire et retourne le resultat
* de celle-ci sous la forme d'un tableau.
*
* @author Benjamin Renard <brenard@easter-eggs.com>
*
* @param[in] $filter [<b>required</b>] string Filtre de recherche Ldap
* @param[in] $basedn string DN de base pour la recherche
* @param[in] $params array Paramètres de recherche au format Net_LDAP2::search()
*
* @see Net_LDAP2::search()
*
* @retval array Retourne un tableau associatif contenant :
* - ['dn'] : le DN de l'entré
* - ['attrs'] : tableau associatif contenant les attributs (clé)
* et leur valeur (valeur).
*/
public static function search($filter, $basedn=NULL, $params=array()) {
$filterstr = (is_a($filter, 'Net_LDAP2_Filter')?$filter->as_string():$filter);
if (is_empty($basedn)) {
$basedn = self :: getConfig('basedn');
if (is_empty($basedn)) {
LSerror :: addErrorCode('LSldap_08');
return;
}
self :: log_debug("LSldap::search($filterstr): empty basedn provided, use basedn from configuration: ".varDump($basedn));
}
self :: log_trace("LSldap::search($filterstr, $basedn): run search with parameters: ".varDump($params));
$ret = self :: $cnx -> search($basedn, $filter, $params);
if (Net_LDAP2::isError($ret)) {
LSerror :: addErrorCode('LSldap_02', $ret -> getMessage());
return;
}
self :: log_debug("LSldap::search($filterstr, $basedn) : return ".$ret->count()." objet(s)");
$retInfos = array();
foreach($ret as $dn => $entry) {
if (!$entry instanceof Net_LDAP2_Entry) {
LSerror :: addErrorCode('LSldap_02', "LDAP search return an ".get_class($entry).". object");
continue;
}
$retInfos[] = array(
'dn' => $dn,
'attrs' => $entry -> getValues()
);
}
return $retInfos;
}
/**
* Compte le nombre de retour d'une recherche dans l'annuaire
*
* Cette methode effectue une recherche dans l'annuaire et retourne le nombre
* d'entrés trouvées.
*
* @author Benjamin Renard <brenard@easter-eggs.com>
*
* @param[in] $filter [<b>required</b>] string Filtre de recherche Ldap
* @param[in] $basedn string DN de base pour la recherche
* @param[in] $params array Paramètres de recherche au format Net_LDAP2::search()
*
* @see Net_LDAP2::search()
*
* @retval numeric Le nombre d'entré trouvées
*/
public static function getNumberResult($filter, $basedn=NULL, $params=array()) {
if (empty($filter))
$filter = NULL;
$filterstr = (is_a($filter, 'Net_LDAP2_Filter')?$filter->as_string():$filter);
if (is_empty($basedn)) {
$basedn = self :: getConfig('basedn');
if (is_empty($basedn)) {
LSerror :: addErrorCode('LSldap_08');
return;
}
self :: log_debug("LSldap::getNumberResult($filterstr): empty basedn provided, use basedn from configuration: ".varDump($basedn));
}
self :: log_trace("LSldap::getNumberResult($filterstr, $basedn): run search with parameters: ".varDump($params));
$ret = self :: $cnx -> search($basedn, $filter, $params);
if (Net_LDAP2::isError($ret)) {
LSerror :: addErrorCode('LSldap_02',$ret -> getMessage());
return;
}
$count = $ret -> count();
self :: log_trace("LSldap::getNumberResult($filterstr, $basedn): result=$count");
return $count;
}
/**
* Load values of an LDAP entry attributes
*
* This method retrieve attributes values of an LDAP entry and return it
* as associative array.
*
* @author Benjamin Renard <brenard@easter-eggs.com>
*
* @param[in] $dn string DN de l'entré Ldap
* @param[in] $filter string LDAP filter string (optional, default: null == '(objectClass=*)')
* @param[in] $attrs array|null Array of requested attribute (optional, default: null == all attributes, excepted internal)
* @param[in] $include_internal boolean If true, internal attributes will be included (default: false)
*
* @retval array|false Associative array of attributes values (with attribute name as key), or false on error
*/
public static function getAttrs($dn, $filter=null, $attrs=null, $include_internal=false) {
$infos = ldap_explode_dn($dn,0);
if((!$infos)||($infos['count']==0))
return;
if (!$filter)
$filter = '(objectClass=*)';
$params = array(
'scope' => 'base',
'attributes' => (is_array($attrs)?$attrs:array('*')),
);
if ($include_internal && !in_array('+', $params['attributes']))
$params['attributes'][] = '+';
$return = self :: search($filter, $dn, $params);
if (is_array($return) && count($return) == 1)
return $return[0]['attrs'];
return false;
}
/**
* Retourne une entrée existante ou nouvelle
*
* @author Benjamin Renard <brenard@easter-eggs.com>
*
* @param[in] $object_type string Type de l'objet Ldap
* @param[in] $dn string DN de l'entré Ldap
*
* @retval ldapentry|array Un objet ldapentry (PEAR::Net_LDAP2)
* ou un tableau (si c'est une nouvelle entr<74>e):
* Array (
* 'entry' => ldapentry,
* 'new' => true
* )
*/
public static function getEntry($object_type,$dn) {
$obj_classes = LSconfig :: get("LSobjects.$object_type.objectclass");
if(!is_array($obj_classes)){
LSerror :: addErrorCode('LSldap_03');
return;
}
$entry = self :: getLdapEntry($dn);
if ($entry === false) {
$newentry = self :: getNewEntry($dn, $obj_classes, array());
if (!$newentry) {
return;
}
// Mark entry as new
$newentry -> markAsNew();
return $newentry;
}
// Mark entry as NOT new
$entry -> markAsNew(false);
return $entry;
}
/**
* Retourne un object NetLDAP d'une entree existante
*
* @author Benjamin Renard <brenard@easter-eggs.com>
*
* @param[in] $dn string DN de l'entré Ldap
*
* @retval ldapentry|boolean Un objet ldapentry (PEAR::Net_LDAP2) ou false en
* cas de probl<62>me
*/
public static function getLdapEntry($dn) {
$entry = self :: $cnx -> getEntry($dn);
if (Net_LDAP2::isError($entry)) {
return false;
}
else {
return $entry;
}
}
/**
* Check if an LDAP object exists
*
* @author Benjamin Renard <brenard@easter-eggs.com>
*
* @param[in] $dn string DN of the LDAP entry to check
*
* @retval boolean True if entry exists, false otherwise
*/
public static function exists($dn) {
return is_a(self :: getLdapEntry($dn), 'Net_LDAP2_Entry');
}
/**
* Retourne une nouvelle entr<74>e
*
* @param[in] $dn string Le DN de l'objet
* @param[in] $objectClass array Un tableau contenant les objectClass de l'objet
* @param[in] $attrs array Un tabeau du type array('attr_name' => attr_value, ...)
*
* @retval mixed Le nouvelle objet en cas de succ<63>s, false sinon
*/
public static function getNewEntry($dn,$objectClass,$attrs,$add=false) {
$newentry = Net_LDAP2_Entry::createFresh($dn,array_merge(array('objectclass' =>$objectClass),(array)$attrs));
if(Net_LDAP2::isError($newentry)) {
return false;
}
if($add) {
if(!self :: $cnx -> add($newentry)) {
return;
}
}
return $newentry;
}
/**
* Met à jour une entrée dans l'annuaire
*
* Remarque : Supprime les valeurs vides de attributs et les attributs sans valeur.
*
* @author Benjamin Renard <brenard@easter-eggs.com>
*
* @param[in] $object_type string Type de l'objet Ldap
* @param[in] $dn string DN de l'entré Ldap
* @param[in] $change array Tableau des modifications à apporter
*
* @retval boolean true si l'objet a bien été mis à jour, false sinon
*/
public static function update($object_type, $dn, $change) {
self :: log_trace("update($object_type, $dn): change=".varDump($change));
// Retrieve current LDAP entry
$entry = self :: getEntry($object_type, $dn);
if(!is_a($entry, 'Net_LDAP2_Entry')) {
LSerror :: addErrorCode('LSldap_04');
return;
}
// Distinguish drop attributes from change attributes
$changed_attrs = array();
$dropped_attrs = array();
foreach($change as $attrName => $attrVal) {
$drop = true;
if (is_array($attrVal)) {
foreach($attrVal as $val) {
if (!is_empty($val)) {
$drop = false;
$changed_attrs[$attrName][]=$val;
}
}
}
else {
if (!is_empty($val)) {
$drop = false;
$changed_attrs[$attrName][]=$attrVal;
}
}
if($drop) {
$dropped_attrs[] = $attrName;
}
}
self :: log_trace("update($object_type, $dn): changed attrs=".varDump($changed_attrs));
self :: log_trace("update($object_type, $dn): dropped attrs=".varDump($dropped_attrs));
// Set an error flag to false
$error = false;
// Handle attributes changes (if need)
if ($changed_attrs) {
$entry -> replace($changed_attrs);
if ($entry -> isNew()) {
self :: log_debug("update($object_type, $dn): add new entry");
$ret = self :: $cnx -> add($entry);
}
else {
self :: log_debug("update($object_type, $dn): update entry (for changed attributes)");
$ret = $entry -> update();
}
if (Net_LDAP2::isError($ret)) {
LSerror :: addErrorCode('LSldap_05',$dn);
LSerror :: addErrorCode(0,'NetLdap-Error : '.$ret->getMessage());
return false;
}
}
elseif ($entry -> isNew()) {
self :: log_error("update($object_type, $dn): no changed attribute but it's a new entry...");
return false;
}
else {
self :: log_debug("update($object_type, $dn): no changed attribute");
}
// Handle droped attributes (is need and not a new entry)
if ($dropped_attrs && !$entry -> isNew()) {
// $entry -> delete() method is buggy (for some attribute like jpegPhoto)
// Prefer replace attribute by an empty array
$replace_attrs = array();
foreach($dropped_attrs as $attr) {
// Check if attribute is present
if(!$entry -> exists($attr)) {
// Attribute not present on LDAP entry
self :: log_debug("update($object_type, $dn): dropped attr $attr is not present in LDAP entry => ignore it");
continue;
}
$replace_attrs[$attr] = array();
}
if (!$replace_attrs) {
self :: log_debug("update($object_type, $dn): no attribute to drop");
return true;
}
// Replace values in LDAP
$entry -> replace($replace_attrs);
self :: log_debug("update($object_type, $dn): update entry (for dropped attributes: ".implode(', ', array_keys($replace_attrs)).")");
$ret = $entry -> update();
// Check result
if (Net_LDAP2::isError($ret)) {
LSerror :: addErrorCode('LSldap_06');
LSerror :: addErrorCode(0,'NetLdap-Error : '.$ret->getMessage());
return false;
}
}
return true;
}
/**
* Test de bind
*
* Cette methode établie une connexion à l'annuaire Ldap et test un bind
* avec un login et un mot de passe passé en paramètre
*
* @author Benjamin Renard <brenard@easter-eggs.com>
*
* @retval boolean true si la connection à réussi, false sinon
*/
public static function checkBind($dn,$pwd) {
$config = self :: $config;
$config['binddn'] = $dn;
$config['bindpw'] = $pwd;
$cnx = Net_LDAP2::connect($config);
if (Net_LDAP2::isError($cnx)) {
return;
}
return true;
}
/**
* Retourne l'état de la connexion Ldap
*
* @retval boolean True si le serveur est connecté, false sinon.
*/
public static function isConnected() {
return (self :: $cnx == NULL)?false:true;
}
/**
* Supprime un objet de l'annuaire
*
* @param[in] string DN de l'objet à supprimer
*
* @retval boolean True si l'objet à été supprimé, false sinon
*/
public static function remove($dn) {
$ret = self :: $cnx -> delete($dn,array('recursive' => true));
if (Net_LDAP2::isError($ret)) {
LSerror :: addErrorCode(0,'NetLdap-Error : '.$ret->getMessage());
return;
}
return true;
}
/**
* D<>place un objet LDAP dans l'annuaire
*
* @param[in] $old string Le DN actuel
* @param[in] $new string Le futur DN
*
* @retval boolean True si l'objet a <20>t<EFBFBD> d<>plac<61>, false sinon
*/
public static function move($old,$new) {
$ret = self :: $cnx -> move($old, $new);
if (Net_LDAP2::isError($ret)) {
LSerror :: addErrorCode('LSldap_07');
LSerror :: addErrorCode(0,'NetLdap-Error : '.$ret->getMessage());
return;
}
return true;
}
/**
* Combine LDAP Filters
*
* @params array Array of LDAP filters
*
* @retval Net_LDAP2_Filter | False The combined filter or False
**/
public static function combineFilters($op,$filters,$asStr=false) {
if (is_array($filters) && !empty($filters)) {
if (count($filters)==1) {
if ($asStr && $filters[0] instanceof Net_LDAP2_Filter) {
return $filters[0]->asString();
}
else {
return $filters[0];
}
}
$filter=Net_LDAP2_Filter::combine($op,$filters);
if (!Net_LDAP2::isError($filter)) {
if ($asStr) {
return $filter->asString();
}
else {
return $filter;
}
}
else {
LSerror :: addErrorCode(0,$filter -> getMessage());
}
}
return;
}
/**
* Check LDAP Filters String
*
* @params string A LDAP filter as string
*
* @retval boolean True only if the filter could be parsed
**/
public static function isValidFilter($filter) {
if (is_string($filter) && !empty($filter)) {
$filter=Net_LDAP2_Filter::parse($filter);
if (!Net_LDAP2::isError($filter)) {
return true;
}
else {
LSerror :: addErrorCode(0,$filter -> getMessage());
}
}
return;
}
/**
* Return a configuration parameter (or default value)
*
* @param[] $param The configuration parameter
* @param[] $default The default value (default : null)
* @param[] $cast Cast resulting value in specific type (default : disabled)
*
* @retval mixed The configuration parameter value or default value if not set
**/
private static function getConfig($param, $default=null, $cast=null) {
return LSconfig :: get($param, $default, $cast, self :: $config);
}
}
/*
* Error Codes
*/
LSerror :: defineError('LSldap_01',
___("LSldap: Error during the LDAP server connection (%{msg}).")
);
LSerror :: defineError('LSldap_02',
___("LSldap: Error during the LDAP search (%{msg}).")
);
LSerror :: defineError('LSldap_03',
___("LSldap: Object type unknown.")
);
LSerror :: defineError('LSldap_04',
___("LSldap: Error while fetching the LDAP entry.")
);
LSerror :: defineError('LSldap_05',
___("LSldap: Error while changing the LDAP entry (DN : %{dn}).")
);
LSerror :: defineError('LSldap_06',
___("LSldap: Error while deleting empty attributes.")
);
LSerror :: defineError('LSldap_07',
___("LSldap: Error while changing the DN of the object.")
);
LSerror :: defineError('LSldap_08',
___("LSldap: LDAP server base DN not configured.")
);
LSerror :: defineError('LSldap_09',
___("LSldap: Fail to set authz proxy option on LDAP server connection.")
);
Reference in a new issue View git blame Copy permalink