<?php
# Mantis - a php based bugtracking system
# Copyright (C) 2000 - 2002 Kenzaburo Ito - kenito@300baud.org
# Copyright (C) 2002 - 2004 Mantis Team - mantisbt-dev@lists.sourceforge.net
# This program is distributed under the terms and conditions of the GPL
# See the README and LICENSE files for details
# --------------------------------------------------------
# $Id: ldap_api.php,v 1.20 2007-07-21 13:38:26 prichards Exp $
# --------------------------------------------------------
###########################################################################
# LDAP API
###########################################################################
# --------------------
# Connect and bind to the LDAP directory
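function ldap_connect_bind( $p_binddn = '', $p_password = '' ) {
	# Connect to the configured LDAP server and bind to it.
	#
	# $p_binddn   - DN to bind as; when both it and $p_password are blank the
	#               configured 'ldap_bind_dn' / 'ldap_bind_passwd' are used.
	# $p_password - password for $p_binddn.
	#
	# Returns the LDAP connection handle.  Connection and bind failures are
	# reported through trigger_error( ..., ERROR ); the handle is returned
	# regardless, so callers rely on the error handler for the failure path.

	if ( !extension_loaded( 'ldap' ) ) {
		trigger_error( ERROR_LDAP_EXTENSION_NOT_LOADED, ERROR );
	}

	$t_ldap_server = config_get( 'ldap_server' );
	$t_ldap_port = config_get( 'ldap_port' );

	# Test the handle against false instead of "> 0": the latter relied on
	# resource-to-int coercion and reads differently once ldap_connect()
	# returns an object.
	$t_ds = @ldap_connect( $t_ldap_server, $t_ldap_port );
	if ( false === $t_ds ) {
		trigger_error( ERROR_LDAP_SERVER_CONNECT_FAILED, ERROR );
		return $t_ds;
	}

	$t_protocol_version = config_get( 'ldap_protocol_version' );
	if ( $t_protocol_version > 0 ) {
		ldap_set_option( $t_ds, LDAP_OPT_PROTOCOL_VERSION, $t_protocol_version );
	}

	# With no explicit credentials, fall back to the configured bind account.
	if ( is_blank( $p_binddn ) && is_blank( $p_password ) ) {
		$p_binddn = config_get( 'ldap_bind_dn', '' );
		$p_password = config_get( 'ldap_bind_passwd', '' );
	}

	if ( !is_blank( $p_binddn ) && !is_blank( $p_password ) ) {
		$t_bind_result = @ldap_bind( $t_ds, $p_binddn, $p_password );
	} else {
		# Either the bind DN or the password is empty: bind anonymously rather
		# than handing a DN with an empty password to the directory.
		$t_bind_result = @ldap_bind( $t_ds );
	}

	if ( !$t_bind_result ) {
		trigger_error( ERROR_LDAP_AUTH_FAILED, ERROR );
	}

	return $t_ds;
}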
# --------------------
# Return an email address from LDAP, given a userid
function ldap_email( $p_user_id ) {
	# Resolve the Mantis user id to its username, then delegate the directory
	# lookup to ldap_email_from_username().
	return ldap_email_from_username( user_get_field( $p_user_id, 'username' ) );
}
# --------------------
# Return an email address from LDAP, given a username
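function ldap_email_from_username( $p_username ) {
	# Look up the 'mail' attribute of the directory entry whose uid field
	# matches $p_username, searching below the configured 'ldap_root_dn'.
	#
	# Returns the first mail value, or an empty string when the search fails,
	# matches no entry, or the entry carries no mail attribute.

	$t_ldap_organization = config_get( 'ldap_organization' );
	$t_ldap_root_dn = config_get( 'ldap_root_dn' );
	$t_ldap_uid_field = config_get( 'ldap_uid_field', 'uid' );

	# The username is interpolated into a search filter, so escape the
	# RFC 4515 filter metacharacters first.  Backslash is replaced first so
	# the escapes produced by the later replacements are not re-escaped.
	# Without this a username containing '*' or ')' would rewrite the filter.
	$t_escaped_username = str_replace(
		array( '\\', '*', '(', ')', "\0" ),
		array( '\5c', '\2a', '\28', '\29', '\00' ),
		$p_username );

	$t_search_filter = "(&$t_ldap_organization($t_ldap_uid_field=$t_escaped_username))";
	$t_search_attrs = array( $t_ldap_uid_field, 'mail', 'dn' );

	$t_ds = ldap_connect_bind();
	$t_sr = ldap_search( $t_ds, $t_ldap_root_dn, $t_search_filter, $t_search_attrs );
	if ( false === $t_sr ) {
		# Nothing to free; release the connection and report "no address".
		ldap_unbind( $t_ds );
		return '';
	}

	$t_info = ldap_get_entries( $t_ds, $t_sr );
	ldap_free_result( $t_sr );
	ldap_unbind( $t_ds );

	# isset() covers both "no entry found" and "entry without a mail value".
	if ( !is_array( $t_info ) || !isset( $t_info[0]['mail'][0] ) ) {
		return '';
	}

	return $t_info[0]['mail'][0];
}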
# --------------------
# Return true if the user $p_user_id has an assignedgroup=$p_group attribute value, false otherwise
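function ldap_has_group( $p_user_id, $p_group ) {
	# Check whether the directory entry for $p_user_id carries an
	# 'assignedgroup' attribute equal to $p_group.
	#
	# Returns true when at least one matching entry exists, false otherwise
	# (including when the search itself fails).

	$t_ldap_organization = config_get( 'ldap_organization' );
	$t_ldap_root_dn = config_get( 'ldap_root_dn' );
	$t_username = user_get_field( $p_user_id, 'username' );
	$t_ldap_uid_field = config_get( 'ldap_uid_field', 'uid' );

	# Both the username and the group name end up inside a search filter, so
	# escape the RFC 4515 filter metacharacters.  Backslash is replaced first
	# so the escapes produced by the later replacements are not re-escaped.
	# Without this a value containing '*' or ')' could widen the match.
	$t_filter_from = array( '\\', '*', '(', ')', "\0" );
	$t_filter_to = array( '\5c', '\2a', '\28', '\29', '\00' );
	$t_escaped_username = str_replace( $t_filter_from, $t_filter_to, $t_username );
	$t_escaped_group = str_replace( $t_filter_from, $t_filter_to, $p_group );

	$t_search_filter = "(&$t_ldap_organization($t_ldap_uid_field=$t_escaped_username)(assignedgroup=$t_escaped_group))";
	$t_search_attrs = array( $t_ldap_uid_field, 'dn', 'assignedgroup' );

	$t_ds = ldap_connect_bind();
	$t_sr = ldap_search( $t_ds, $t_ldap_root_dn, $t_search_filter, $t_search_attrs );
	if ( false === $t_sr ) {
		# Nothing to free; release the connection and treat as "not a member".
		ldap_unbind( $t_ds );
		return false;
	}

	$t_entries = ldap_count_entries( $t_ds, $t_sr );
	ldap_free_result( $t_sr );
	ldap_unbind( $t_ds );

	# ldap_count_entries() returns false on failure, which compares as "no entries".
	return $t_entries > 0;
}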
# --------------------
# Attempt to authenticate the user against the LDAP directory
# return true on successful authentication, false otherwise
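function ldap_authenticate( $p_user_id, $p_password ) {
	# Authenticate $p_user_id against the directory: find the entries whose
	# uid field matches the user's username, then try to bind as each of them
	# with $p_password until one succeeds.
	#
	# Returns true on a successful bind, false otherwise (blank password,
	# failed search, no matching entry, or every bind rejected).

	# A blank password must be rejected up front: if the directory allows
	# anonymous binds, ldap_bind() with an empty password would succeed and
	# let the user in without credentials.
	if ( is_blank( $p_password ) ) {
		return false;
	}

	$t_ldap_organization = config_get( 'ldap_organization' );
	$t_ldap_root_dn = config_get( 'ldap_root_dn' );
	$t_username = user_get_field( $p_user_id, 'username' );
	$t_ldap_uid_field = config_get( 'ldap_uid_field', 'uid' );

	# The username is interpolated into a search filter, so escape the
	# RFC 4515 filter metacharacters.  Backslash is replaced first so the
	# escapes produced by the later replacements are not re-escaped.  Without
	# this a username containing '*' or ')' could make the search return
	# entries that do not belong to the user.
	$t_escaped_username = str_replace(
		array( '\\', '*', '(', ')', "\0" ),
		array( '\5c', '\2a', '\28', '\29', '\00' ),
		$t_username );

	$t_search_filter = "(&$t_ldap_organization($t_ldap_uid_field=$t_escaped_username))";
	$t_search_attrs = array( $t_ldap_uid_field, 'dn' );

	$t_ds = ldap_connect_bind();

	# Search for the user's entries.
	$t_sr = ldap_search( $t_ds, $t_ldap_root_dn, $t_search_filter, $t_search_attrs );
	if ( false === $t_sr ) {
		# Nothing to free; release the connection and fail closed.
		ldap_unbind( $t_ds );
		return false;
	}

	$t_info = ldap_get_entries( $t_ds, $t_sr );
	$t_authenticated = false;
	if ( $t_info ) {
		# Try each candidate DN until one accepts the password.
		for ( $i = 0; $i < $t_info['count']; $i++ ) {
			$t_dn = $t_info[$i]['dn'];
			if ( @ldap_bind( $t_ds, $t_dn, $p_password ) ) {
				$t_authenticated = true;
				break;
			}
		}
	}

	ldap_free_result( $t_sr );
	ldap_unbind( $t_ds );

	return $t_authenticated;
}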
# --------------------
# Create a new user account in the LDAP Directory.
# --------------------
# Update the user's account in the LDAP Directory
# --------------------
# Change the user's password in the LDAP Directory
?>