LDAPAccountManager/lam/lib/account.inc

1798 lines
50 KiB
PHP
Raw Normal View History

<?php
2003-04-23 15:47:00 +00:00
/*
2009-10-27 18:47:12 +00:00
This code is part of LDAP Account Manager (http://www.ldap-account-manager.org/)
2006-03-03 17:30:35 +00:00
Copyright (C) 2003 - 2006 Tilo Lutz
2020-01-28 19:45:38 +00:00
2009 - 2020 Roland Gruber
2003-04-23 15:47:00 +00:00
This program is free software; you can redistribute it and/or modify
it under the terms of the GNU General Public License as published by
the Free Software Foundation; either version 2 of the License, or
(at your option) any later version.
This program is distributed in the hope that it will be useful,
but WITHOUT ANY WARRANTY; without even the implied warranty of
MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
GNU General Public License for more details.
You should have received a copy of the GNU General Public License
along with this program; if not, write to the Free Software
Foundation, Inc., 59 Temple Place, Suite 330, Boston, MA 02111-1307 USA
*/
/**
* This provides several helper function for the account modules.
*
* @author Tilo Lutz
* @author Roland Gruber
*
2005-07-21 10:33:02 +00:00
* @package lib
*/
2003-12-29 14:07:06 +00:00
2005-08-12 13:18:05 +00:00
/**
* This function will return all values from $array without values of $values.
*
* @param array $values list of values which should be removed
* @param array $array list of original values
* @return array list of remaining values
*/
function array_delete($values, $array) {
// Loop for every entry and check if it should be removed
if (is_array($array)) {
$return = array();
2018-12-24 11:44:09 +00:00
foreach ($array as $array_value) {
if (!@in_array($array_value, $values)) {
$return[] = $array_value;
2018-12-24 11:44:09 +00:00
}
}
return $return;
}
2018-12-24 11:44:09 +00:00
return array();
2005-08-12 13:18:05 +00:00
}
2003-09-11 16:55:57 +00:00
/**
* Checks if a string exists in an array, ignoring case.
2015-06-26 18:52:01 +00:00
*
2012-07-15 12:05:47 +00:00
* @param String $needle search string
* @param array $haystack array
*/
function in_array_ignore_case($needle, $haystack) {
2018-12-24 11:44:09 +00:00
if (!is_array($haystack)) {
return false;
2018-12-24 11:44:09 +00:00
}
if (!is_string($needle)) {
return false;
2018-12-24 11:44:09 +00:00
}
foreach ($haystack as $element) {
if( is_string( $element ) && 0 == strcasecmp( $needle, $element ) ) {
return true;
2018-12-24 11:44:09 +00:00
}
}
return false;
}
2005-08-12 13:18:05 +00:00
/**
* This function will return the days from 1.1.1970 until now.
*
* @return number of days
*/
function getdays() {
2003-04-23 15:47:00 +00:00
$days = time() / 86400;
settype($days, 'integer');
return $days;
2018-12-24 11:44:09 +00:00
}
2003-04-23 15:47:00 +00:00
2005-08-12 13:18:05 +00:00
/**
* Takes a list of Samba flags and creates the corresponding flag string.
*
* @param array $input is an array of Samba flags (e.g. X or D)
* @return string Samba flag string
*/
function smbflag($input) {
// Start character
2003-04-23 15:47:00 +00:00
$flag = "[";
// Add Options
2018-12-24 11:44:09 +00:00
if ($input['W']) {
$flag .= "W";
}
else {
$flag .= "U";
}
if ($input['D']) {
$flag .= "D";
}
if ($input['X']) {
$flag .= "X";
}
if ($input['N']) {
$flag .= "N";
}
if ($input['S']) {
$flag .= "S";
}
if ($input['H']) {
$flag .= "H";
}
// Expand string to fixed length
$flag = str_pad($flag, 12);
// End character
2018-12-24 11:44:09 +00:00
return $flag . "]";
2005-08-12 13:18:05 +00:00
}
2003-04-23 15:47:00 +00:00
/**
* Generates the LM hash of a password.
*
* @param string password original password
* @return string password hash
*/
function lmPassword($password) {
2007-11-15 11:02:57 +00:00
// Needed to calculate Samba passwords
2018-12-23 16:52:56 +00:00
include_once(__DIR__ . "/createntlm.inc");
2007-11-15 11:02:57 +00:00
// get hash
$hash = new smbHash();
return $hash->lmhash($password);
}
/**
* Generates the NT hash of a password.
*
* @param string password original password
* @return string password hash
*/
function ntPassword($password) {
2007-11-15 11:02:57 +00:00
// Needed to calculate Samba passwords
2018-12-23 16:52:56 +00:00
include_once(__DIR__ . "/createntlm.inc");
2007-11-15 11:02:57 +00:00
// get hash
$hash = new smbHash();
return $hash->nthash($password);
}
/**
2012-08-26 17:54:31 +00:00
* Returns the hash value of a plain text password.
* @see getSupportedHashTypes()
*
* @param string $password the password string
* @param boolean $enabled marks the hash as enabled/disabled (e.g. by prefixing "!")
2016-01-02 12:16:14 +00:00
* @param string $hashType password hash type (CRYPT, CRYPT-SHA512, SHA, SSHA, MD5, SMD5, PLAIN, K5KEY)
* @return string the password hash
*/
function pwd_hash($password, $enabled = true, $hashType = 'SSHA') {
// check for empty password
if (! $password || ($password == "")) {
return "";
}
$hash = "";
switch ($hashType) {
case 'CRYPT':
2018-07-31 17:10:42 +00:00
$hash = "{CRYPT}" . crypt($password, generateSalt(2));
break;
2012-08-26 17:54:31 +00:00
case 'CRYPT-SHA512':
$hash = "{CRYPT}" . crypt($password, '$6$' . generateSalt(16));
break;
case 'MD5':
2017-10-10 16:55:43 +00:00
$hash = "{MD5}" . base64_encode(hex2bin(md5($password)));
break;
case 'SMD5':
2016-01-02 12:16:14 +00:00
$salt = generateSalt(4);
2017-10-10 16:55:43 +00:00
$hash = "{SMD5}" . base64_encode(hex2bin(md5($password . $salt)) . $salt);
break;
case 'SHA':
2017-10-10 16:55:43 +00:00
$hash = "{SHA}" . base64_encode(hex2bin(sha1($password)));
break;
case 'PLAIN':
$hash = $password;
break;
2016-01-02 12:16:14 +00:00
case 'K5KEY':
$hash = '{K5KEY}';
break;
2008-02-25 20:54:11 +00:00
case 'SSHA':
default: // use SSHA if the setting is invalid
2012-08-26 17:54:31 +00:00
$salt = generateSalt(4);
2017-10-10 16:55:43 +00:00
$hash = "{SSHA}" . base64_encode(hex2bin(sha1($password . $salt)) . $salt);
2008-02-25 20:54:11 +00:00
break;
}
// enable/disable password
2018-12-24 11:44:09 +00:00
if (!$enabled) {
return pwd_disable($hash);
}
return $hash;
}
2012-08-26 17:54:31 +00:00
/**
* Returns the list of supported hash types (e.g. SSHA).
2015-06-26 18:52:01 +00:00
*
2012-08-26 17:54:31 +00:00
* @return array hash types
*/
function getSupportedHashTypes() {
2018-07-07 12:05:39 +00:00
$hashes = array('CRYPT', 'CRYPT-SHA512', 'SHA', 'SSHA', 'MD5', 'SMD5', 'PLAIN', 'SASL', 'K5KEY');
if (version_compare(phpversion(), '7.2.0') >= 0) {
$hashes[] = 'LDAP_EXOP';
}
return $hashes;
2012-08-26 17:54:31 +00:00
}
/**
2020-02-24 19:08:28 +00:00
* Calculates a password salt of the given length.
2012-08-26 17:54:31 +00:00
*
* @param int $len salt length
* @return String the salt string
*
*/
function generateSalt($len) {
$chars = 'ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz1234567890./';
$salt = '';
for ($i = 0; $i < $len; $i++) {
2016-04-19 18:41:51 +00:00
$pos = abs(getRandomNumber() % strlen($chars));
2020-06-05 14:00:59 +00:00
$salt .= $chars[$pos];
2012-08-26 17:54:31 +00:00
}
return $salt;
}
/**
* Marks an password hash as enabled and returns the new hash string
*
* @param string $hash hash value to enable
* @return string enabled password hash
*/
function pwd_enable($hash) {
// check if password is disabled (old wrong LAM method)
2018-12-28 10:19:15 +00:00
if ((substr($hash, 0, 2) == "!{") || (substr($hash, 0, 2) == "*{")) {
return substr($hash, 1, strlen($hash));
}
// check for "!" or "*" at beginning of password hash
else {
if (substr($hash, 0, 1) == "{") {
$pos = strpos($hash, "}");
if ((substr($hash, $pos + 1, 1) == "!") || (substr($hash, $pos + 1, 1) == "*")) {
// enable hash
return substr($hash, 0, $pos + 1) . substr($hash, $pos + 2, strlen($hash));
}
2018-12-24 11:44:09 +00:00
else {
return $hash; // not disabled
}
}
else {
return $hash; // password is plain text
}
}
}
/**
* Marks an password hash as disabled and returns the new hash string
*
* @param string $hash hash value to disable
* @return string disabled hash value
*/
function pwd_disable($hash) {
// check if password is disabled (old wrong LAM method)
2018-12-28 10:19:15 +00:00
if ((substr($hash, 0, 2) == "!{") || (substr($hash, 0, 2) == "*{")) {
return $hash;
}
// check for "!" or "*" at beginning of password hash
else {
if (substr($hash, 0, 1) == "{") {
$pos = strpos($hash, "}");
if ((substr($hash, $pos + 1, 1) == "!") || (substr($hash, $pos + 1, 1) == "*")) {
// hash already disabled
return $hash;
}
2018-12-24 11:44:09 +00:00
else {
return substr($hash, 0, $pos + 1) . "!" . substr($hash, $pos + 1, strlen($hash)); // not disabled
}
}
else {
return $hash; // password is plain text
}
}
}
/**
* Checks if a Unix password can be locked.
* This checks if the password is not plain text but e.g. contains {SSHA}.
2015-06-26 18:52:01 +00:00
*
* @param String $password password value
* @return boolean can be locked
*/
function pwd_is_lockable($password) {
if (($password == null) || (strlen($password) < 5)) {
return false;
}
2015-02-11 16:57:38 +00:00
// SASL is not lockable
if (strpos($password, '{SASL}') === 0) {
return false;
}
return ((substr($password, 0, 1) == "{") || (substr($password, 1, 1) == "{")) && (strpos($password, "}") > 3);
}
/**
* Checks if a password hash is enabled/disabled
*
* @param string $hash password hash to check
* @return boolean true if the password is marked as enabled
*/
function pwd_is_enabled($hash) {
// disabled passwords have a "!" or "*" at the beginning (old wrong LAM method)
2018-12-28 10:19:15 +00:00
if ((substr($hash, 0, 2) == "!{") || (substr($hash, 0, 2) == "*{")) {
2018-12-24 11:44:09 +00:00
return false;
}
if (substr($hash, 0, 1) == "{") {
$pos = strrpos($hash, "}");
// check if hash starts with "!" or "*"
2018-12-24 11:44:09 +00:00
return ((substr($hash, $pos + 1, 1) !== "!") && (substr($hash, $pos + 1, 1) !== "*"));
}
else {
return true;
}
}
/**
2019-08-13 15:03:30 +00:00
* Generates a random password with 12 digits by default.
*
2019-08-13 15:03:30 +00:00
* @param int $length length of password (defaults to 12)
* @return String password
*/
2019-08-13 15:03:30 +00:00
function generateRandomPassword($length = 12) {
$list = '0123456789abcdefghijklmnopqrstuvwxyzABCDEFGHIJKLMNOPQRSTUVWXYZ.-_';
$password = '';
2019-08-13 15:03:30 +00:00
$minLength = $_SESSION['cfgMain']->passwordMinLength;
if ($minLength > $length) {
$length = $minLength;
}
for ($x = 0; $x < 10000; $x++) {
$password = '';
for ($i = 0; $i < $length; $i++) {
2016-04-19 18:41:51 +00:00
$rand = abs(getRandomNumber() % 65);
$password .= $list[$rand];
}
2014-04-17 19:26:08 +00:00
if (checkPasswordStrength($password, null, null) === true) {
break;
}
}
return $password;
}
2013-07-26 19:04:56 +00:00
/**
2020-02-24 19:08:28 +00:00
* Checks if the given password matches the crypto hash.
2015-06-26 18:52:01 +00:00
*
2013-07-26 19:04:56 +00:00
* @param String type hash type (must be one of getSupportedHashTypes())
2020-02-24 19:08:28 +00:00
* @param string $hash password hash value
* @param string $password plain text password to check
* @return bool hash matches
2013-07-26 19:04:56 +00:00
* @see getSupportedHashTypes()
*/
function checkPasswordHash($type, $hash, $password) {
switch ($type) {
case 'SSHA':
$bin = base64_decode($hash);
$salt = substr($bin, 20);
2017-10-10 16:55:43 +00:00
$pwdHash = base64_encode(hex2bin(sha1($password . $salt)) . $salt);
2013-07-26 19:04:56 +00:00
return (strcmp($hash, $pwdHash) == 0);
break;
case 'SHA':
2017-10-10 16:55:43 +00:00
return (strcmp($hash, base64_encode(hex2bin(sha1($password)))) == 0);
2013-07-26 19:04:56 +00:00
break;
case 'SMD5':
$bin = base64_decode($hash);
$salt = substr($bin, 16);
2017-10-10 16:55:43 +00:00
$pwdHash = base64_encode(hex2bin(md5($password . $salt)) . $salt);
2013-07-26 19:04:56 +00:00
return (strcmp($hash, $pwdHash) == 0);
break;
case 'MD5':
2017-10-10 16:55:43 +00:00
return (strcmp($hash, base64_encode(hex2bin(md5($password)))) == 0);
2013-07-26 19:04:56 +00:00
break;
case 'CRYPT':
$parts = explode('$', $hash);
if (sizeof($parts) == 4) {
$version = $parts[1];
$salt = $parts[2];
$pwdHash = crypt($password, '$' . $version . '$' . $salt);
return (strcmp($hash, $pwdHash) == 0);
}
elseif (sizeof($parts) == 5) {
$version = $parts[1];
$rounds = $parts[2];
$salt = $parts[3];
$pwdHash = crypt($password, '$' . $version . '$' . $rounds . '$' . $salt);
return (strcmp($hash, $pwdHash) == 0);
}
return false;
break;
default:
return false;
}
return false;
}
2006-01-01 16:30:05 +00:00
/**
* Returns an array with all Samba 3 domain entries under the given suffix
*
2012-07-15 12:05:47 +00:00
* @param handle LDAP handle (if null then $_SESSION['ldap']->server() is used)
* @param String $suffix LDAP suffix to search (if null then $_SESSION['config']->get_Suffix('smbDomain') is used)
2006-01-01 16:30:05 +00:00
* @return array list of samba3domain objects
*/
function search_domains($server = null, $suffix = null) {
if ($suffix == null) {
$suffix = $_SESSION['config']->get_Suffix('smbDomain');
}
2006-01-01 16:30:05 +00:00
$ret = array();
$attr = array("DN", "sambaDomainName", "sambaSID", "sambaNextRid", "sambaNextGroupRid",
2016-05-20 17:38:36 +00:00
"sambaNextUserRid", "sambaAlgorithmicRidBase", 'sambaMinPwdAge', 'sambaMaxPwdAge',
'sambaPwdHistoryLength'
);
if ($server == null) {
$server = $_SESSION['ldap']->server();
}
2016-05-26 17:40:37 +00:00
$filter = '(objectclass=sambaDomain)';
$units = searchLDAPPaged($server, $suffix, $filter, $attr, false, 0);
2010-02-06 11:52:48 +00:00
// extract attributes
for ($i = 0; $i < sizeof($units); $i++) {
$ret[$i] = new samba3domain();
$ret[$i]->dn = $units[$i]['dn'];
$ret[$i]->name = $units[$i]['sambadomainname'][0];
$ret[$i]->SID = $units[$i]['sambasid'][0];
2018-12-24 11:44:09 +00:00
if (isset($units[$i]['sambanextrid'][0])) {
$ret[$i]->nextRID = $units[$i]['sambanextrid'][0];
}
if (isset($units[$i]['sambanextgrouprid'][0])) {
$ret[$i]->nextGroupRID = $units[$i]['sambanextgrouprid'][0];
}
if (isset($units[$i]['sambanextuserrid'][0])) {
$ret[$i]->nextUserRID = $units[$i]['sambanextuserrid'][0];
}
if (isset($units[$i]['sambaalgorithmicridbase'][0])) {
$ret[$i]->RIDbase = $units[$i]['sambaalgorithmicridbase'][0];
}
if (isset($units[$i]['sambaminpwdage'][0])) {
$ret[$i]->minPwdAge = $units[$i]['sambaminpwdage'][0];
}
if (isset($units[$i]['sambamaxpwdage'][0])) {
$ret[$i]->maxPwdAge = $units[$i]['sambamaxpwdage'][0];
}
if (isset($units[$i]['sambapwdhistorylength'][0])) {
$ret[$i]->pwdHistoryLength = $units[$i]['sambapwdhistorylength'][0];
}
}
2006-01-01 16:30:05 +00:00
return $ret;
}
/**
* Represents a Samba 3 domain entry
*
* @package modules
*/
class samba3domain {
/** DN */
2007-10-13 17:28:37 +00:00
public $dn;
/** Domain name */
2007-10-13 17:28:37 +00:00
public $name;
/** Domain SID */
2007-10-13 17:28:37 +00:00
public $SID;
/** Next RID */
2007-10-13 17:28:37 +00:00
public $nextRID;
/** Next user RID */
2007-10-13 17:28:37 +00:00
public $nextUserRID;
/** Next group RID */
2007-10-13 17:28:37 +00:00
public $nextGroupRID;
/** RID base to calculate RIDs, default 1000 */
2007-10-13 17:28:37 +00:00
public $RIDbase = 1000;
2015-06-26 18:52:01 +00:00
/** seconds after the password can be changed */
public $minPwdAge;
2015-06-26 18:52:01 +00:00
/** seconds after the password must be changed */
public $maxPwdAge;
2016-05-20 17:38:36 +00:00
/** password history length */
public $pwdHistoryLength;
}
2005-08-12 13:18:05 +00:00
/**
* Checks if a given value matches the selected regular expression.
*
* @param string $argument value to check
* @param string $regexp pattern name
* @return boolean true if matches, otherwise false
*/
function get_preg($argument, $regexp) {
2013-11-29 19:47:29 +00:00
/* Bug in php preg_match doesn't work correct with utf8 */
2014-02-02 12:36:12 +00:00
$language = $_SESSION['language'];
$language2 = explode ('.', $language);
setlocale(LC_ALL, $language2[0]);
// First we check "positive" cases
$pregexpr = '';
switch ($regexp) {
2005-08-12 13:18:05 +00:00
case 'password':
2013-01-13 10:40:47 +00:00
$pregexpr = '/^([[:alnum:]\\^\\ \\|\\#\\*\\,\\.\\;\\:\\_\\+\\!\\%\\&\\/\\?\\{\\(\\)\\}\\[\\]\\$§°@=-])*$/u';
break;
case 'groupname': // all letters, numbers, space and ._- are allowed characters
case 'username':
2015-06-26 18:52:01 +00:00
case 'hostname':
2014-07-03 20:01:44 +00:00
$pregexpr = '/^([[:alnum:]%#@\\.\\ \\_\\$-])+$/u';
break;
2015-06-26 18:52:01 +00:00
case 'krbUserName':
2013-11-08 18:14:06 +00:00
$pregexpr = '/^([[:alnum:]#@\\/\\.\\ \\_\\$-])+$/u';
2012-02-19 14:50:57 +00:00
break;
2010-04-03 13:31:13 +00:00
case 'hostObject':
2010-04-30 21:08:23 +00:00
$pregexpr = '/^[!]?([[:alnum:]@\\.\\ \\_\\$\\*-])+$/u';
break;
2004-09-27 16:51:17 +00:00
case 'usernameList': // comma separated list of user names
case 'groupnameList': // comma separated list of group names
2014-07-03 20:01:44 +00:00
$pregexpr = '/^([[:alnum:]%#@\\.\\ \\_-])+(,([[:alnum:]%#@\\.\\ \\_-])+)*$/u';
2004-09-27 16:51:17 +00:00
break;
2005-12-10 09:42:55 +00:00
case 'realname': // Allow all but \, <, >, =, $, ?
2005-12-10 09:47:09 +00:00
case 'cn':
$pregexpr = '/^[^\\\<>=\\$\\?]+(\\$)?$/';
break;
2006-06-29 11:24:55 +00:00
case "telephone": // Allow letters, numbers, space, brackets, /-+.
$pregexpr = '/^(\\+)*([0-9a-zA-Z\\.\\ \\(\\)\\/-])*$/';
break;
case "email":
$pregexpr = '/^([0-9a-zA-Z\'!~#+*%\\$\\/\\._-])+[@]([0-9a-zA-Z-])+([.]([0-9a-zA-Z-])+)*$/';
break;
case "emailWithName":
$pregexpr = '/^([[:alnum:] \'!~#+*%\\$\\(\\)_-])+ <([0-9a-zA-Z\'!~#+*%\\$\\/\\._-])+[@]([0-9a-zA-Z-])+([.]([0-9a-zA-Z-])+)*>$/u';
break;
2005-09-20 14:40:11 +00:00
case "mailLocalAddress":
2010-09-04 13:51:25 +00:00
$pregexpr = '/^([0-9a-zA-Z+\\/\\._-])+([@]([0-9a-zA-Z-])+([.]([0-9a-zA-Z-])+)*)?$/';
2005-09-20 14:40:11 +00:00
break;
2013-08-29 16:44:58 +00:00
case 'kolabEmailPrefix':
$pregexpr = '/^([-])?([0-9a-zA-Z+\\/\\._-])*([@]([0-9a-zA-Z\\.-])*)?$/';
break;
case "postalAddress": // Allow all but \, <, >, =, ?
$pregexpr = '/^[^\\\<>=\\?]*$/';
break;
case "postalCode": // Allow all but \, <, >, =, ?
2005-12-10 09:42:55 +00:00
case "street":
case "title":
case "employeeType":
2007-06-11 18:17:30 +00:00
case "businessCategory":
2005-12-10 09:42:55 +00:00
$pregexpr = '/^[^\\\<>=\\$\\?]*$/';
break;
case "homeDirectory": // Homapath, /path/......
2010-09-11 11:42:05 +00:00
case "filePath":
2008-01-29 18:22:36 +00:00
$pregexpr = '/^([\/]([[:alnum:]@\\$\\.\\ \\_-])+)+(\/)?$/u';
break;
case "digit": // Normal number
$pregexpr = '/^[[:digit:]]*$/';
break;
2013-08-20 18:56:52 +00:00
case "float": // float value
$pregexpr = '/^[[:digit:]]+(\\.[[:digit:]]+)?$/';
break;
case "UNC": // UNC Path, e.g. \\server\share\folder\...
2016-02-07 17:19:19 +00:00
$pregexpr = '/^((([\\\][\\\])|(%))([a-zA-Z0-9@%\\.-])+)([\\\]([[:alnum:]@%\\.\\$\\ \\_-])+)+$/u';
break;
case "logonscript": // path to login-script. normal unix file
2009-03-04 17:31:31 +00:00
$pregexpr = '/^(([\/\\\])*([[:alnum:]%\\.\\ \\$\\_-])+([\/\\\]([[:alnum:]%\\.\\ \\$\\_-])+)*((\\.bat)|(\\.cmd)|(\\.exe)|(\\.vbs)))*$/u';
break;
case "workstations": // comma separated list with windows-hosts
$pregexpr = '/^(([a-zA-Z0-9\\.\\_-])+(,[a-zA-Z0-9\\.\\_-])*)*$/';
break;
case "domainname": // Windows Domainname
2006-01-01 16:30:05 +00:00
$pregexpr = '/^([A-Za-z0-9\\.\\_-])+$/';
break;
case "unixhost": // Unix hosts
2006-05-05 10:28:23 +00:00
$pregexpr = '/^([a-z0-9,\\.\\*_-])*$/';
break;
case 'digit2': // Same as digit but also -1
2004-10-10 11:21:54 +00:00
$pregexpr = '/^(([-][1])|([[:digit:]]*))$/';
break;
2004-10-16 11:30:08 +00:00
case 'gecos':
2010-10-08 19:00:35 +00:00
$pregexpr = '/^[[:alnum:] \\._-]+([,][[:alnum:] \\._-]+)*$/u';
2004-10-16 11:30:08 +00:00
break;
2004-11-01 11:50:42 +00:00
case 'macAddress':
$pregexpr = '/^[0-9a-fA-F]{2}(:[0-9a-fA-F]{2}){5}$/';
break;
2012-11-25 11:01:08 +00:00
case 'date': // 31-12-2012
2006-02-12 11:03:20 +00:00
$pregexpr = '/^((0?[1-9])|([1-2][0-9])|30|31)\\-((0?[1-9])|(1[0-2]))\\-[1-3][0-9][0-9][0-9]$/';
2004-11-08 19:25:50 +00:00
break;
2007-07-02 18:23:13 +00:00
case 'date2':
$pregexpr = '/^((0[1-9])|([1-2][0-9])|30|31)\\.((0[1-9])|(1[0-2]))\\.[1-3][0-9][0-9][0-9]$/';
break;
2018-06-29 18:43:10 +00:00
case 'dateTime':
$pregexpr = '/^[1-3][0-9][0-9][0-9]\\-((0[1-9])|(1[0-2]))\\-((0[1-9])|([1-2][0-9])|30|31) ((0[0-9])|([1][0-9])|20|21|22|23):((0[0-9])|([1-5][0-9])):((0[0-9])|([1-5][0-9]))$/';
break;
2004-11-28 19:44:46 +00:00
case 'sambaLogonHours':
$pregexpr = '/^[0-9a-fA-F]{42}$/';
break;
2004-12-29 08:49:09 +00:00
case 'DNSname':
$pregexpr = '/^[0-9a-zA-Z_-]+(\\.[0-9a-zA-Z_-]+)*$/';
break;
case 'nis_alias':
2007-03-05 16:42:58 +00:00
$pregexpr = '/^([[:alnum:]@\\.\\ \\_-])+$/u';
2005-01-04 20:14:48 +00:00
break;
2011-04-19 17:47:41 +00:00
case 'nis_recipient':
$pregexpr = '/^([[:alnum:]+@\\.\\ \\_-])+$/u';
break;
2005-04-07 13:10:15 +00:00
case 'country': // Allow all letters and space
$pregexpr = '/^[[:alpha:]]([[:alpha:] ])+$/u';
break;
2005-07-02 12:03:49 +00:00
case 'dn': // LDAP DN
$pregexpr = '/^([^=,]+=[^=,]+)(,([^=,]+=[^=,]+))*$/';
break;
2006-01-01 16:30:05 +00:00
case 'domainSID': // Samba domain SID
$pregexpr = "/^S\\-[0-9]\\-[0-9]\\-[0-9]{2,2}\\-[0-9]+\\-[0-9]+\\-[0-9]+$/";
2010-04-30 21:08:23 +00:00
break;
2010-01-04 17:51:56 +00:00
case 'ip': // IP address
$pregexpr = '/^[0-9]{1,3}[.][0-9]{1,3}[.][0-9]{1,3}[.][0-9]{1,3}$/';
break;
2013-10-05 14:54:56 +00:00
case 'ip6': // IPv6 address (only basic check)
$pregexpr = '/^[0-9a-f:]+$/i';
break;
2010-05-07 19:10:46 +00:00
case 'ascii': // ASCII
$pregexpr = '/^[' . chr(1) . '-' . chr(128) . ']*$/';
break;
2012-11-25 11:01:08 +00:00
case 'objectClass':
2015-07-26 08:19:55 +00:00
$pregexpr = '/^[[:alnum:]_-]+$/';
2012-11-25 11:01:08 +00:00
break;
2017-10-21 19:37:40 +00:00
case 'quotaNumber':
$pregexpr = '/^[[:digit:]]+[KMGTkmgt]?$/';
break;
2020-03-09 20:40:15 +00:00
case 'hostAndPort':
$pregexpr = '/^[[:alnum:]\\._-]+:[[:digit:]]+$/';
break;
}
2018-12-24 11:44:09 +00:00
if (($pregexpr != '') && preg_match($pregexpr, $argument)) {
/* Bug in php preg_match doesn't work correct with utf8 */
setlocale(LC_ALL, $language);
return true;
}
// Now we check "negative" cases, characters which are not allowed
$pregexpr = '';
switch ($regexp) {
case "!lower":
$pregexpr = '/[[:lower:]]/';
break;
case "!upper":
$pregexpr = '/[[:upper:]]/';
break;
case "!digit":
$pregexpr = '/[[:digit:]]/';
break;
}
2018-12-24 11:44:09 +00:00
if (($pregexpr != '') && !preg_match($pregexpr, $argument)) {
/* Bug in php preg_match doesn't work correct with utf8 */
setlocale(LC_ALL, $language);
return true;
}
2013-11-29 19:47:29 +00:00
/* Bug in php preg_match doesn't work correct with utf8 */
2014-02-02 12:36:12 +00:00
setlocale(LC_ALL, $language);
return false;
}
2008-09-04 17:21:29 +00:00
/**
* Escapes any special characters in an LDAP DN.
*
* @param String $dn DN
* @return String escaped DN
*/
function escapeDN($dn) {
return str_replace(
array(')', '(', ' ', '*'),
array('\\29', '\\28', '\\20', '\\2a'),
$dn
);
}
2018-05-20 06:22:51 +00:00
/**
* Escapes special characters in RDN part.
*
* @param string $rdn RDN
*/
function escapeRDN($rdn) {
return str_replace(
array(','),
array('\\2C'),
$rdn);
}
/**
* Converts the comma escaping from Windows to OpenLDAP style.
*
* @param string $dn DN
* @return string DN
*/
function convertCommaEscaping($dn) {
return str_replace(
array('\\,'),
array('\\2C'),
$dn);
}
2017-10-07 12:45:15 +00:00
/**
* Connects to an LDAP server using the given URL.
*
* @param string $serverURL URL
*/
function connectToLDAP($serverURL, $startTLS) {
$server = ldap_connect($serverURL);
if (!$server) {
return null;
}
2019-08-15 10:48:37 +00:00
if (defined('LDAP_OPT_X_TLS_CACERTFILE')) {
$cfgMain = new LAMCfgMain();
2020-01-24 17:42:34 +00:00
$certificates = $cfgMain->getSSLCaCertificates();
if (!empty($certificates)) {
2019-08-15 10:48:37 +00:00
ldap_set_option($server, LDAP_OPT_X_TLS_CACERTFILE, $cfgMain->getSSLCaCertPath());
}
}
2017-10-07 12:45:15 +00:00
// use LDAPv3
ldap_set_option($server, LDAP_OPT_PROTOCOL_VERSION, 3);
// start TLS if possible
if ($startTLS) {
ldap_start_tls($server);
if (ldap_errno($server) != 0) {
ldap_close($server);
logNewMessage(LOG_ERR, 'Unable to start TLS encryption. Please check if your server certificate is valid and if the LDAP server supports TLS at all.');
return null;
}
}
return $server;
}
/**
* This will search the given LDAP suffix for all entries which have the given attribute.
*
* @param String $name attribute name (may be null)
* @param String $value attribute value
* @param String $objectClass object class (may be null)
* @param array $attributes list of attributes to return
2010-02-06 11:52:48 +00:00
* @param array $scopes account types
* @return array list of found entries
*/
function searchLDAPByAttribute($name, $value, $objectClass, $attributes, $scopes) {
$return = array();
// build filter
$filter = '';
$filterParts = array();
if ($name != null) {
2020-04-21 18:01:35 +00:00
$filterParts[] = '(' . $name . '=' . ldap_escape($value, '*', LDAP_ESCAPE_FILTER) . ')';
}
if ($objectClass != null) {
$filterParts[] = '(objectClass=' . $objectClass . ')';
}
if (sizeof($filterParts) == 1) {
$filter = $filterParts[0];
}
elseif (sizeof($filterParts) > 1) {
$filter = '(& ' . implode(' ', $filterParts) . ')';
}
2017-01-07 18:10:12 +00:00
$typeManager = new \LAM\TYPES\TypeManager();
$activeTypes = $typeManager->getConfiguredTypes();
foreach ($activeTypes as $type) {
if (!in_array($type->getScope(), $scopes)) {
2014-01-18 09:55:56 +00:00
continue; // skip non-active account types
}
// search LDAP
2017-01-07 18:10:12 +00:00
$entries = searchLDAPPaged($_SESSION['ldap']->server(), escapeDN($type->getSuffix()),
2014-11-29 17:40:39 +00:00
$filter, $attributes, 0, $_SESSION['config']->get_searchLimit());
if (ldap_errno($_SESSION['ldap']->server()) == 4) {
logNewMessage(LOG_WARNING, 'LDAP size limit exeeded. Please increase the limit on your server.');
}
2014-11-29 17:40:39 +00:00
$return = array_merge($return, $entries);
2010-02-06 11:52:48 +00:00
}
return $return;
}
/**
* This will search the given LDAP suffix for all entries which match the given filter.
*
* @param String $filter
* @param array $attributes list of attributes to return
* @param array $scopes account types
2013-01-09 20:10:33 +00:00
* @param boolean $attrsOnly get only attributes but no values (default: false)
* @return array list of found entries
2010-02-06 11:52:48 +00:00
*/
2013-01-09 20:10:33 +00:00
function searchLDAPByFilter($filter, $attributes, $scopes, $attrsOnly = false) {
2010-02-06 11:52:48 +00:00
$return = array();
2013-01-09 20:10:33 +00:00
$readAttributesOnly = 0;
if ($attrsOnly) {
$readAttributesOnly = 1;
}
2017-01-07 18:14:29 +00:00
$typeManager = new \LAM\TYPES\TypeManager();
2017-03-21 17:47:05 +00:00
$types = $typeManager->getConfiguredTypesForScopes($scopes);
2017-01-07 18:14:29 +00:00
foreach ($types as $type) {
2010-02-06 11:52:48 +00:00
// search LDAP
2017-01-07 18:14:29 +00:00
$entries = searchLDAPPaged($_SESSION['ldap']->server(), escapeDN($type->getSuffix()),
2014-11-29 17:40:39 +00:00
$filter, $attributes, $readAttributesOnly, $_SESSION['config']->get_searchLimit());
if (ldap_errno($_SESSION['ldap']->server()) == 4) {
logNewMessage(LOG_WARNING, 'LDAP size limit exeeded. Please increase the limit on your server.');
}
2014-11-29 17:40:39 +00:00
$return = array_merge($return, $entries);
}
return $return;
}
/**
* Runs an LDAP search.
*
* @param String $suffix LDAP suffix
* @param String $filter filter
* @param array $attributes list of attributes to return
* @return array list of found entries
*/
function searchLDAP($suffix, $filter, $attributes) {
2017-05-25 09:00:58 +00:00
$limit = 0;
if (!empty($_SESSION['config'])) {
$limit = $_SESSION['config']->get_searchLimit();
}
$return = searchLDAPPaged(getLDAPServerHandle(), escapeDN($suffix), $filter, $attributes,
0, $limit);
if (ldap_errno(getLDAPServerHandle()) == 4) {
logNewMessage(LOG_WARNING, 'LDAP size limit exeeded. Please increase the limit on your server.');
}
2014-11-29 17:40:39 +00:00
return $return;
}
2017-05-25 09:00:58 +00:00
/**
* Returns the LDAP server handle.
*
* @return handle LDAP handle
*/
function getLDAPServerHandle() {
if (!empty($_SESSION['ldap'])) {
// admin pages
return $_SESSION['ldap']->server();
}
else {
// self service
return $_SESSION['ldapHandle'];
}
}
2014-11-29 17:40:39 +00:00
/**
* Runs an LDAP search and uses paging if configured.
2015-06-26 18:52:01 +00:00
*
2014-11-29 17:40:39 +00:00
* @param handle $server LDAP connection handle
* @param String $dn DN
* @param String $filter filter
* @param array $attributes attribute list
* @param boolean $attrsOnly return only attribute names
* @param int $limit size limit
*/
function searchLDAPPaged($server, $dn, $filter, $attributes, $attrsOnly, $limit) {
if (empty($_SESSION['config']) || ($_SESSION['config']->getPagedResults() !== 'true')) {
$sr = @ldap_search($server, $dn, $filter, $attributes, $attrsOnly, $limit, 0, LDAP_DEREF_NEVER);
if ($sr) {
$entries = ldap_get_entries($server, $sr);
if (!$entries) {
return array();
}
2011-05-21 10:58:22 +00:00
cleanLDAPResult($entries);
return $entries;
}
2014-11-29 17:40:39 +00:00
else {
return array();
}
}
2014-11-29 17:40:39 +00:00
$pageSize = 999;
$cookie = '';
$return = array();
do {
@ldap_control_paged_result($server, $pageSize, true, $cookie);
$sr = @ldap_search($server, $dn, $filter, $attributes, $attrsOnly, $limit, 0, LDAP_DEREF_NEVER);
if (!$sr) {
break;
}
$entries = ldap_get_entries($server, $sr);
if (!$entries) {
break;
}
$return = array_merge($return, $entries);
@ldap_control_paged_result_response($server, $sr, $cookie);
} while($cookie !== null && $cookie != '');
cleanLDAPResult($return);
return $return;
}
2011-04-25 17:56:06 +00:00
/**
* Returns the given DN.
2015-06-26 18:52:01 +00:00
*
2011-04-25 17:56:06 +00:00
* @param String $dn DN
* @param array $attributes list of attributes to fetch
2012-11-30 19:19:56 +00:00
* @param handle $handle LDAP handle (optional for admin interface pages)
2011-04-25 17:56:06 +00:00
* @return array attributes or null if not found
*/
2012-11-30 19:19:56 +00:00
function ldapGetDN($dn, $attributes = array('dn'), $handle = null) {
if ($handle == null) {
2019-08-11 07:39:47 +00:00
$handle = getLDAPServerHandle();
2012-11-30 19:19:56 +00:00
}
2011-04-25 17:56:06 +00:00
$return = null;
2014-12-11 18:22:35 +00:00
$sr = @ldap_read($handle, escapeDN($dn), 'objectClass=*', $attributes, 0, 0, 0, LDAP_DEREF_NEVER);
2011-04-25 17:56:06 +00:00
if ($sr) {
2015-03-01 19:20:29 +00:00
$entries = ldap_get_entries($handle, $sr);
2011-04-25 17:56:06 +00:00
if ($entries) {
2011-05-21 10:58:22 +00:00
cleanLDAPResult($entries);
$return = $entries[0];
2011-04-25 17:56:06 +00:00
}
@ldap_free_result($sr);
}
return $return;
}
2018-10-04 19:07:55 +00:00
/**
* Returns the DN and children of a given DN.
*
* @param String $dn DN
* @param String $filter LDAP filter
* @param array $attributes list of attributes to fetch
* @param handle $handle LDAP handle (optional for admin interface pages)
* @return array attributes or null if not found
*/
function ldapListDN($dn, $filter = '(objectclass=*)', $attributes = array('dn'), $handle = null) {
if ($handle == null) {
$handle = $_SESSION['ldap']->server();
}
$return = null;
$sr = @ldap_list($handle, escapeDN($dn), $filter, $attributes, 0, 0, 0, LDAP_DEREF_NEVER);
if ($sr) {
$entries = ldap_get_entries($handle, $sr);
if ($entries) {
cleanLDAPResult($entries);
$return = $entries;
}
@ldap_free_result($sr);
}
return $return;
}
/**
* Deletes a DN and all child entries.
*
* @param string $dn DN to delete
* @param boolean $recursive recursive delete also child entries
* @return array error messages
*/
function deleteDN($dn, $recursive) {
$errors = array();
if (($dn == null) || ($dn == '')) {
$errors[] = array('ERROR', _('Entry does not exist'));
return $errors;
}
if ($recursive) {
$sr = @ldap_list($_SESSION['ldap']->server(), $dn, 'objectClass=*', array('dn'), 0, 0, 0, LDAP_DEREF_NEVER);
if ($sr) {
$entries = ldap_get_entries($_SESSION['ldap']->server(), $sr);
cleanLDAPResult($entries);
for ($i = 0; $i < sizeof($entries); $i++) {
// delete recursively
$subErrors = deleteDN($entries[$i]['dn'], $recursive);
2018-12-24 11:44:09 +00:00
for ($e = 0; $e < sizeof($subErrors); $e++) {
$errors[] = $subErrors[$e];
}
}
}
else {
$errors[] = array ('ERROR', sprintf(_('Was unable to delete DN: %s.'), $dn), getDefaultLDAPErrorString($_SESSION['ldap']->server()));
return $errors;
}
}
// delete parent DN
$success = @ldap_delete($_SESSION['ldap']->server(), $dn);
if (!$success) {
2019-08-05 19:56:06 +00:00
logNewMessage(LOG_ERR, 'Unable to delete DN: ' . $dn . ' (' . ldap_error($_SESSION['ldap']->server()) . ').');
$errors[] = array ('ERROR', sprintf(_('Was unable to delete DN: %s.'), $dn), getDefaultLDAPErrorString($_SESSION['ldap']->server()));
}
else {
2019-08-05 19:56:06 +00:00
logNewMessage(LOG_NOTICE, 'Deleted DN: ' . $dn);
}
return $errors;
}
/**
2010-02-14 18:01:20 +00:00
* Returns the parameters for a StatusMessage of the last LDAP search.
*
2010-02-14 18:01:20 +00:00
* @return array parameters for StatusMessage or null if all was ok
*/
2010-02-14 18:01:20 +00:00
function getLastLDAPError() {
$errorNumber = ldap_errno($_SESSION["ldap"]->server());
switch ($errorNumber) {
// all ok
case 0:
return null;
break;
// size limit exceeded
case 4:
$error = array("WARN", _("LDAP sizelimit exceeded, not all entries are shown."));
if ($_SESSION['config']->get_searchLimit() == 0) {
// server limit exceeded
$error[] = _("See the manual for instructions to solve this problem.");
}
return $error;
break;
// other errors
default:
return array("ERROR", _("LDAP search failed! Please check your preferences."), ldap_error($_SESSION["ldap"]->server()));
break;
}
}
2010-02-06 11:52:48 +00:00
/**
* Cleans the result of an LDAP search.
* This will remove all 'count' entries and also all numeric array keys.
*
* @param array $entries LDAP entries in format $entries[entry number][attribute name][attribute values]
*/
2011-05-21 10:58:22 +00:00
function cleanLDAPResult(&$entries) {
if (isset($entries['count'])) {
unset($entries['count']);
}
// iterate over all results
2011-05-21 10:58:22 +00:00
$count = sizeof($entries);
for ($e = 0; $e < $count; $e++) {
// remove 'count' entries and numerical entries
for ($i = 0; $i < $entries[$e]['count']; $i++) {
if (isset($entries[$e][$i])) {
unset($entries[$e][$i]);
}
}
unset($entries[$e]['count']);
$attrNames = array_keys($entries[$e]);
2011-05-21 10:58:22 +00:00
$attrCount = sizeof($attrNames);
for ($i = 0; $i < $attrCount; $i++) {
if (is_array($entries[$e][$attrNames[$i]])) {
unset($entries[$e][$attrNames[$i]]['count']);
}
}
}
}
2010-05-28 18:49:59 +00:00
/**
* Transforms a DN into a more user friendly format.
* E.g. "dc=company,dc=de" is transformed to "company > de".
*
* @param String $dn DN
* @return String transformed DN
*/
function getAbstractDN($dn) {
if ($dn == '') {
2015-06-26 18:52:01 +00:00
return '';
2010-05-28 18:49:59 +00:00
}
$dn = str_replace('\\,', '\\2C', $dn);
2010-05-28 18:49:59 +00:00
$parts = explode(',', $dn);
for ($i = 0; $i < sizeof($parts); $i++) {
$subparts = explode('=', $parts[$i]);
if (sizeof($subparts) == 2) {
$parts[$i] = $subparts[1];
}
}
$abstractDn = implode(' > ', $parts);
return str_replace(array('\\2C', '\\,'), array(',', ','), $abstractDn);
2010-05-28 18:49:59 +00:00
}
2011-04-25 17:56:06 +00:00
/**
* Helper function to sort DNs.
*
* @param string $a first argument to compare
* @param string $b second argument to compare
* @return integer 0 if equal, 1 if $a is greater, -1 if $b is greater
*/
2013-10-27 15:54:36 +00:00
function compareDN(&$a, &$b) {
2011-04-25 17:56:06 +00:00
// split DNs
2013-10-27 15:54:36 +00:00
$array_a = explode(",", strtolower($a));
$array_b = explode(",", strtolower($b));
2011-04-25 17:56:06 +00:00
$len_a = sizeof($array_a);
$len_b = sizeof($array_b);
// check how many parts to compare
$len = min($len_a, $len_b);
// compare from last part on
for ($i = 0; $i < $len; $i++) {
// get parts to compare
2013-10-27 15:54:36 +00:00
$part_a = $array_a[$len_a - $i - 1];
$part_a = explode('=', $part_a);
2015-05-09 11:52:23 +00:00
$part_a = isset($part_a[1]) ? $part_a[1] : $part_a[0];
2013-10-27 15:54:36 +00:00
$part_b = $array_b[$len_b - $i - 1];
$part_b = explode('=', $part_b);
2015-05-09 11:52:23 +00:00
$part_b = isset($part_b[1]) ? $part_b[1] : $part_b[0];
2011-04-25 17:56:06 +00:00
// compare parts
if ($part_a == $part_b) { // part is identical
if ($i == ($len - 1)) {
2018-12-24 11:44:09 +00:00
if ($len_a > $len_b) {
return 1;
}
elseif ($len_a < $len_b) {
return -1;
}
else {
return 0; // DNs are identical
}
2011-04-25 17:56:06 +00:00
}
}
2013-03-12 20:05:41 +00:00
else {
return strnatcasecmp($part_a, $part_b);
}
2011-04-25 17:56:06 +00:00
}
return -1;
}
/**
* Formats an LDAP time string (e.g. from createTimestamp).
2015-06-26 18:52:01 +00:00
*
2012-07-15 12:05:47 +00:00
* @param String $time LDAP time value
2020-02-24 19:08:28 +00:00
* @return String formatted time
2011-04-25 17:56:06 +00:00
*/
function formatLDAPTimestamp($time) {
2015-11-07 08:09:49 +00:00
$dateTime = parseLDAPTimestamp($time);
return $dateTime->format('d.m.Y H:i:s');
}
/**
* Parses an LDAP time stamp and returns a DateTime in current time zone.
*
* @param String $time LDAP time value
* @return DateTime time
*/
function parseLDAPTimestamp($time) {
2015-11-01 10:20:39 +00:00
// Windows format: 20140118093807.0Z
// OpenLDAP format: 20140118093807Z
// cut off "Z"
$timeNumbers = substr($time, 0, -1);
2015-11-01 10:20:39 +00:00
// for Windows cut off ".0"
if (strpos($timeNumbers, '.') == (strlen($timeNumbers) - 2)) {
$timeNumbers = substr($timeNumbers, 0, -2);
}
$dateTime = DateTime::createFromFormat('YmdHis', $timeNumbers, new DateTimeZone('UTC'));
$dateTime->setTimezone(getTimeZone());
2015-11-07 08:09:49 +00:00
return $dateTime;
2011-04-25 17:56:06 +00:00
}
2011-07-23 15:01:20 +00:00
/**
* Simple function to obfuscate strings.
2015-06-26 18:52:01 +00:00
*
2011-07-23 15:01:20 +00:00
* @param String $text text to obfuscate
*/
function obfuscateText($text) {
if (($text == null) || ($text == '')) {
return $text;
}
return str_rot13(base64_encode('LAM_OBFUSCATE:'.$text));
}
/**
* Simple function to deobfuscate strings.
2015-06-26 18:52:01 +00:00
*
2011-07-23 15:01:20 +00:00
* @param String $text text to deobfuscate
*/
function deobfuscateText($text) {
if (($text == null) || ($text == '')) {
return $text;
}
2015-03-01 10:15:04 +00:00
if (!isObfuscatedText($text)) {
return $text;
}
2011-07-23 15:01:20 +00:00
return str_replace('LAM_OBFUSCATE:', '', base64_decode(str_rot13($text)));
}
/**
* Checks if the given text is obfuscated.
2015-06-26 18:52:01 +00:00
*
2011-07-23 15:01:20 +00:00
* @param String $text text to check
* @return boolean obfuscated or not
*/
function isObfuscatedText($text) {
if (($text == null) || ($text == '')) {
return false;
}
$deob = base64_decode(str_rot13($text));
2018-12-24 11:44:09 +00:00
return (strpos($deob, 'LAM_OBFUSCATE:') === 0);
2011-07-23 15:01:20 +00:00
}
/**
* Extracts the RDN attribute name from a given DN.
2015-06-26 18:52:01 +00:00
*
* @param String $dn DN
* @return String RDN attribute name
*/
function extractRDNAttribute($dn) {
2018-12-24 11:44:09 +00:00
if ($dn == null) {
return null;
}
$parts = explode("=", substr($dn, 0, strpos($dn, ',')));
return $parts[0];
}
2012-11-25 17:04:01 +00:00
/**
* Extracts the RDN attribute value from a given DN.
2015-06-26 18:52:01 +00:00
*
2012-11-25 17:04:01 +00:00
* @param String $dn DN
* @return String RDN attribute value
*/
function extractRDNValue($dn) {
2018-12-24 11:44:09 +00:00
if (empty($dn)) {
return null;
}
2018-01-06 17:17:50 +00:00
if (strpos($dn, '=') === false) {
return $dn;
}
$dnWork = $dn;
if (strpos($dnWork, ',') !== false) {
$dnWork = substr($dn, 0, strpos($dnWork, ','));
}
$parts = explode("=", $dnWork);
2012-11-25 17:04:01 +00:00
return $parts[1];
}
/**
* Extracts the DN suffix from a given DN.
* E.g. ou=people,dc=test,dc=com will result in dc=test,dc=com.
2015-06-26 18:52:01 +00:00
*
* @param String $dn DN
* @return String DN suffix
*/
function extractDNSuffix($dn) {
2018-12-24 11:44:09 +00:00
if ($dn == null) {
return null;
}
$dn = convertCommaEscaping($dn);
return substr($dn, strpos($dn, ',')+1);
}
/**
* Sends the password mail.
*
* @param String $pwd new password
* @param array $user LDAP attributes of user
* @param String $recipient recipient address (optional, $user['mail'][0] used by default)
* @return array list of arrays that can be used to create status messages
*/
function sendPasswordMail($pwd, $user, $recipient = null) {
$user = array_change_key_case($user, CASE_LOWER);
// read mail data
$mailTo = $user['mail'][0];
if (!empty($recipient)) {
$mailTo = $recipient;
}
2013-12-29 18:10:26 +00:00
if (empty($mailTo)) {
logNewMessage(LOG_ERR, 'Unable to send password mail, no TO address set.');
return array(
array('ERROR', _('Unable to send mail!'))
);
}
$mailFrom = $_SESSION['config']->getLamProMailFrom();
$mailReplyTo = $_SESSION['config']->getLamProMailReplyTo();
$mailSubject = $_SESSION['config']->getLamProMailSubject();
$mailText = $_SESSION['config']->getLamProMailText();
$mailIsHTML = $_SESSION['config']->getLamProMailIsHTML();
$subject = $mailSubject;
$body = $mailText;
$body = str_replace('@@newPassword@@', $pwd, $body);
$results = array();
$found = preg_match('/\@\@[^\@]+\@\@/', $body, $results);
while ($found == 1) {
$attr = str_replace('@', '', $results[0]);
$value = '';
if (isset($user[strtolower($attr)][0])) {
2013-04-28 10:20:54 +00:00
if (is_array($user[strtolower($attr)])) {
$value = $user[strtolower($attr)][0];
}
else {
$value = $user[strtolower($attr)];
}
}
$body = str_replace('@@' . $attr . '@@', $value, $body);
$found = preg_match('/\@\@[^\@]+\@\@/', $body, $results);
}
2020-03-10 20:08:20 +00:00
$success = sendEMail($mailTo, $subject, $body, $mailFrom, ($mailIsHTML == 'true'), $mailReplyTo);
if ($success) {
logNewMessage(LOG_DEBUG, 'Sent password mail to ' . $mailTo);
return array(
array('INFO', sprintf(_('Mail successfully sent to %s.'), htmlspecialchars($mailTo)))
);
}
else {
logNewMessage(LOG_ERR, 'Unable to send password mail to ' . htmlspecialchars($mailTo));
return array(
array('ERROR', _('Unable to send mail!'))
);
}
}
2013-10-16 16:48:59 +00:00
/**
* Sends out an email.
2015-06-26 18:52:01 +00:00
*
2013-10-16 16:48:59 +00:00
* @param String $to TO address
* @param String $subject email subject
* @param String $text mail body (with \r\n EOL)
2020-03-10 20:08:20 +00:00
* @param String $from FROM address
* @param bool $isHTML HTML format
* @param String $replyTo REPLY-TO address (optional)
* @param String $cc CC address (optional)
* @param String $bcc BCC address (optional)
2013-10-16 16:48:59 +00:00
*/
2020-03-10 20:08:20 +00:00
function sendEMail($to, $subject, $text, $from, $isHTML, $replyTo = null, $cc = null, $bcc = null) {
include_once __DIR__ . '/3rdParty/composer/autoload.php';
$returnPath = ($replyTo === null) ? $from : $replyTo;
$returnPathParsed = PHPMailer\PHPMailer\PHPMailer::parseAddresses($returnPath);
2014-12-01 19:18:50 +00:00
logNewMessage(LOG_DEBUG, "Send mail to $to\n" . $text);
2020-03-10 20:08:20 +00:00
$mailer = new PHPMailer\PHPMailer\PHPMailer(true);
try {
$cfgMain = $_SESSION['cfgMain'];
if (!empty($cfgMain->mailServer)) {
$mailer->isSMTP();
$serverParts = explode(':', $cfgMain->mailServer);
$mailer->Host = $serverParts[0];
$mailer->Port = $serverParts[1];
if (!empty($cfgMain->mailUser)) {
$mailer->SMTPAuth = true;
$mailer->Username = $cfgMain->mailUser;
$mailer->Password = $cfgMain->mailPassword;
$mailer->SMTPSecure = PHPMailer\PHPMailer\PHPMailer::ENCRYPTION_STARTTLS;
}
}
$mailer->CharSet = PHPMailer\PHPMailer\PHPMailer::CHARSET_UTF8;
$mailer->addAddress($to);
$mailer->Subject = $subject;
$mailer->Body = $text;
$mailer->Sender = $returnPathParsed[0]['address'];
$fromParsed = PHPMailer\PHPMailer\PHPMailer::parseAddresses($from);
$mailer->setFrom($fromParsed[0]['address'], $fromParsed[0]['name']);
$mailer->isHTML($isHTML);
if (!empty($replyTo)) {
$replyToParsed = PHPMailer\PHPMailer\PHPMailer::parseAddresses($replyTo);
$mailer->addReplyTo($replyToParsed[0]['address'], $replyToParsed[0]['name']);
}
if (!empty($cc)) {
$ccParsed = PHPMailer\PHPMailer\PHPMailer::parseAddresses($cc);
$mailer->addCC($ccParsed[0]['address'], $ccParsed[0]['name']);
}
if (!empty($bcc)) {
$bccParsed = PHPMailer\PHPMailer\PHPMailer::parseAddresses($bcc);
$mailer->addBCC($bccParsed[0]['address'], $bccParsed[0]['name']);
}
$mailer->XMailer = 'LDAP Account Manager';
$mailer->send();
return true;
}
catch (Exception $e) {
logNewMessage(LOG_ERR, 'Mail sending failed: ' . $e->getMessage());
return false;
2020-01-28 19:45:38 +00:00
}
}
/**
* Checks if an email address is safe for use on commandline
*
* @param $address email address
* @return bool is safe
*/
function isCommandlineSafeEmailAddress($address) {
$cmdEscaped = escapeshellcmd($address);
$argEscaped = escapeshellarg($address);
if (($address !== $cmdEscaped) || ("'$address'" !== $argEscaped)) {
return false;
}
$addressLength = strlen($address);
$allowedSpecialChars = array('@', '_', '-', '.');
for ($i = 0; $i < $addressLength; $i++) {
$char = $address[$i];
if (!ctype_alnum($char) && !in_array($char, $allowedSpecialChars)) {
return false;
}
}
return true;
2013-10-16 16:48:59 +00:00
}
2013-05-09 19:10:35 +00:00
/**
* Caches module objects.
* This improves performance if the same module does not need to be created multiple times (calling get_metaData() each time).
2015-06-26 18:52:01 +00:00
*
2013-05-09 19:10:35 +00:00
* @author Roland Gruber
*/
class moduleCache {
2015-06-26 18:52:01 +00:00
2013-05-09 19:10:35 +00:00
/** module cache ("name:scope" => module) */
private static $cache = array();
2015-06-26 18:52:01 +00:00
2013-05-09 19:10:35 +00:00
/**
* Returns a new/cached module with the given name and scope.
2015-06-26 18:52:01 +00:00
*
2013-05-09 19:10:35 +00:00
* @param String $name module name
* @param String $scope module scope (e.g. user)
*/
public static function getModule($name, $scope) {
2020-03-19 18:48:38 +00:00
if (isset(self::$cache[$name . ':' . $scope])) {
return self::$cache[$name . ':' . $scope];
2013-05-09 19:10:35 +00:00
}
else {
2020-03-19 18:48:38 +00:00
self::$cache[$name . ':' . $scope] = new $name($scope);
return self::$cache[$name . ':' . $scope];
2013-05-09 19:10:35 +00:00
}
}
2015-06-26 18:52:01 +00:00
2013-05-09 19:10:35 +00:00
}
2013-07-21 11:34:31 +00:00
/**
* Returns a random number.
2015-06-26 18:52:01 +00:00
*
2013-07-21 11:34:31 +00:00
* @return int random number
*/
function getRandomNumber() {
2013-07-21 11:47:49 +00:00
if (function_exists('openssl_random_pseudo_bytes')) {
2013-11-24 10:04:46 +00:00
return abs(hexdec(bin2hex(openssl_random_pseudo_bytes(5))));
2013-07-21 11:47:49 +00:00
}
2013-11-24 10:04:46 +00:00
return abs(mt_rand());
2013-07-21 11:34:31 +00:00
}
/**
* Connects to the LDAP server and extracts the certificates.
2015-06-26 18:52:01 +00:00
*
* @param String $server server name
* @param String $port server port
2015-06-26 18:52:01 +00:00
* @return mixed false on error and certificate if extracted successfully
*/
function getLDAPSSLCertificate($server, $port) {
$stream = @stream_context_create(array("ssl" => array("capture_peer_cert_chain" => true, "verify_peer" => false, "allow_self_signed" => true)));
if (!$stream) {
return false;
}
$client = @stream_socket_client('ssl://' . $server . ':' . $port, $errno, $errstr, 30, STREAM_CLIENT_CONNECT, $stream);
if (!$client) {
return false;
}
$context = stream_context_get_params($client);
if (!isset($context['options']['ssl']['peer_certificate_chain'])) {
return false;
}
$finalPEM = '';
for ($i = 0; $i < sizeof($context['options']['ssl']['peer_certificate_chain']); $i++) {
$cert = $context['options']['ssl']['peer_certificate_chain'][$i];
$pemData = null;
$pemResult = @openssl_x509_export($cert, $pemData);
if ($pemResult) {
$finalPEM .= $pemData;
}
else {
return false;
}
}
return $finalPEM;
}
2013-09-15 14:57:55 +00:00
/**
* Returns the extended LDAP error message if any.
2015-06-26 18:52:01 +00:00
*
2013-09-15 14:57:55 +00:00
* @param handle $server LDAP server handle
* @return String error message
*/
function getExtendedLDAPErrorMessage($server) {
$ldapMsg = null;
ldap_get_option($server, LDAP_OPT_ERROR_STRING, $ldapMsg);
if (empty($ldapMsg)) {
2018-08-29 16:19:17 +00:00
return ldap_error($server);
2013-09-15 14:57:55 +00:00
}
2013-10-16 17:37:17 +00:00
return $ldapMsg;
}
/**
* Returns the default error message to display on the web page.
* HTML special characters are already escaped.
2015-06-26 18:52:01 +00:00
*
2013-10-16 17:37:17 +00:00
* @param handle $server LDAP server handle
* @return String error message
*/
function getDefaultLDAPErrorString($server) {
2014-02-27 20:50:57 +00:00
$extError = htmlspecialchars(getExtendedLDAPErrorMessage($server));
// Active Directory message translations
if ((strpos($extError, 'DSID-031A120C') !== false) && (strpos($extError, '5003') !== false)) {
logNewMessage(LOG_DEBUG, 'Password change failed because of ' . $extError);
$extError = _('Your password does not meet the password strength qualifications. Please retry with another one.');
2014-02-27 20:50:57 +00:00
}
2020-06-17 09:28:05 +00:00
$genericErrorMessage = ldap_error($server);
$message = _('LDAP error, server says:') . ' ' . $genericErrorMessage;
if (!empty($extError) && ($genericErrorMessage != $extError)) {
2013-10-16 17:37:17 +00:00
$message .= ' - ' . $extError;
}
2014-02-27 20:50:57 +00:00
return $message;
2013-09-15 14:57:55 +00:00
}
2013-10-15 18:51:36 +00:00
/**
* Returns the URL under which the page was loaded.
* This includes any GET parameters set.
2015-06-26 18:52:01 +00:00
*
2019-03-09 10:10:42 +00:00
* @param $baseUrl base URL (e.g. http://www.example.com)
2013-10-15 18:51:36 +00:00
* @return String URL
*/
2019-03-09 10:10:42 +00:00
function getCallingURL($baseUrl = '') {
2013-10-15 18:51:36 +00:00
$url = null;
2019-03-09 10:10:42 +00:00
if (!empty($baseUrl) && !empty($_SERVER['REQUEST_URI'])) {
$url = $baseUrl . $_SERVER['REQUEST_URI'];
}
elseif (!empty($_SERVER['REQUEST_URI']) && !empty($_SERVER['HTTP_HOST'])) {
2013-10-15 18:51:36 +00:00
$proto = 'http://';
if (!empty($_SERVER['HTTPS']) && ($_SERVER['HTTPS'] != 'off')) {
$proto = 'https://';
}
$url = $proto . $_SERVER['HTTP_HOST'] . $_SERVER['REQUEST_URI'];
}
2014-01-12 19:52:14 +00:00
elseif (!empty($_SERVER['HTTP_REFERER'])) {
$url = $_SERVER['HTTP_REFERER'];
}
2013-10-15 18:51:36 +00:00
return $url;
}
/**
* Returns the offset in hours from configured time zone to GMT.
2015-06-26 18:52:01 +00:00
*
* @return int offset
*/
function getTimeZoneOffsetHours() {
2015-11-07 08:30:52 +00:00
$dtz = getTimeZone();
return round($dtz->getOffset(new DateTime('UTC')) / 3600);
}
/**
* Returns the configured time zone.
2015-06-26 18:52:01 +00:00
*
* @return DateTimeZone time zone
*/
function getTimeZone() {
2015-11-07 09:14:48 +00:00
$timeZoneName = 'UTC';
if (!empty($_SESSION['config'])) {
$timeZoneName = $_SESSION['config']->getTimeZone();
}
2015-11-07 09:14:48 +00:00
elseif (!empty($_SESSION['selfServiceProfile']->timeZone)) {
$timeZoneName = $_SESSION['selfServiceProfile']->timeZone;
}
return new DateTimeZone($timeZoneName);
}
2015-08-23 17:56:27 +00:00
/**
* Returns the current time in formatted form.
*
2015-09-02 16:34:00 +00:00
* @param unknown $format format to use (e.g. 'Y-m-d H:i:s')
2015-08-23 17:56:27 +00:00
*/
function getFormattedTime($format) {
$time = new DateTime(null, getTimeZone());
return $time->format($format);
}
2015-07-26 08:19:55 +00:00
/**
* Formats a number of seconds to a more human readable format with minutes, hours, etc.
* E.g. 70 seconds will return 1m10s.
*
* @param int $numSeconds number of seconds
2020-02-24 19:08:28 +00:00
* @return String formatted number
2015-07-26 08:19:55 +00:00
*/
function formatSecondsToShortFormat($numSeconds) {
if (empty($numSeconds)) {
return '';
}
$seconds = $numSeconds % 60;
$seconds = ($seconds == 0) ? '' : $seconds . 's';
$minutes = floor(($numSeconds % 3600) / 60);
$minutes = ($minutes == 0) ? '' : $minutes . 'm';
$hours = floor(($numSeconds % 86400) / 3600);
$hours = ($hours == 0) ? '' : $hours . 'h';
2018-11-14 19:13:31 +00:00
$days = floor(($numSeconds % 604800) / 86400);
2015-07-26 08:19:55 +00:00
$days = ($days == 0) ? '' : $days . 'd';
2018-11-14 19:13:31 +00:00
$weeks = floor($numSeconds / 604800);
$weeks = ($weeks == 0) ? '' : $weeks . 'w';
return $weeks . $days . $hours . $minutes . $seconds;
2015-07-26 08:19:55 +00:00
}
/**
* Unformats text like 1m10s back to number of seconds.
*
* @param String $text formatted text
* @return int number of seconds
*/
function unformatShortFormatToSeconds($text) {
if (empty($text)) {
return $text;
}
$matches = array();
2018-11-14 19:13:31 +00:00
if (preg_match('/^(([0-9]+)w)?(([0-9]+)d)?(([0-9]+)h)?(([0-9]+)m)?(([0-9]+)s)?$/', $text, $matches)) {
2015-07-26 08:19:55 +00:00
$newValue = 0;
if (!empty($matches[2])) {
2018-11-14 19:13:31 +00:00
$newValue += $matches[2] * 604800;
2015-07-26 08:19:55 +00:00
}
if (!empty($matches[4])) {
2018-11-14 19:13:31 +00:00
$newValue += $matches[4] * 86400;
2018-11-11 19:20:20 +00:00
}
if (!empty($matches[6])) {
2018-11-14 19:13:31 +00:00
$newValue += $matches[6] * 3600;
2018-11-11 19:20:20 +00:00
}
if (!empty($matches[8])) {
2018-11-14 19:13:31 +00:00
$newValue += $matches[8] * 60;
}
if (!empty($matches[10])) {
$newValue += $matches[10];
2015-07-26 08:19:55 +00:00
}
return $newValue;
}
return $text;
}
2016-04-02 11:30:06 +00:00
/**
* Validates the Google reCAPTCHA input.
*
* @param String $secretKey secret key
* @return boolean valid
*/
function validateReCAPTCHA($secretKey) {
$url = 'https://www.google.com/recaptcha/api/siteverify';
$vars = array('secret' => $secretKey, 'response' => $_POST['g-recaptcha-response']);
$options = array(
'http' => array(
'header' => "Content-type: application/x-www-form-urlencoded\r\n",
'method' => 'POST',
'content' => http_build_query($vars)
)
);
$context = stream_context_create($options);
$result = file_get_contents($url, false, $context);
if ($result === FALSE) {
logNewMessage(LOG_ERR, 'reCAPTCHA validation failed, invalid server response.');
return false;
}
$responseJSON = json_decode($result);
2018-02-11 09:27:23 +00:00
logNewMessage(LOG_DEBUG, "ReCAPTCHA result: " . $result);
2016-04-02 11:30:06 +00:00
return $responseJSON->{'success'} === true;
}
2017-02-11 16:11:37 +00:00
/**
* Checks if the user is logged in. Stops script execution if not.
*
* @param boolean $check2ndFactor check if the 2nd factor was provided if required
*/
function enforceUserIsLoggedIn($check2ndFactor = true) {
if ((!isset($_SESSION['loggedIn']) || ($_SESSION['loggedIn'] !== true)) && empty($_SESSION['selfService_clientPassword'])) {
2017-02-11 16:11:37 +00:00
logNewMessage(LOG_WARNING, 'Detected unauthorized access to page that requires login: ' . $_SERVER["SCRIPT_FILENAME"]);
die();
}
if ($check2ndFactor && isset($_SESSION['2factorRequired'])) {
logNewMessage(LOG_WARNING, 'Detected unauthorized access to page that requires login (2nd factor not provided): ' . $_SERVER["SCRIPT_FILENAME"]);
2019-11-21 21:02:38 +00:00
die();
2017-02-11 16:11:37 +00:00
}
}
2017-11-04 09:49:28 +00:00
/**
* Prints the content of the header part.
*
* @param string $title page title
* @param string $prefix prefix to LAM main folder (e.g. "..")
*/
function printHeaderContents($title, $prefix) {
echo '<meta name="viewport" content="width=device-width, initial-scale=1.0">';
echo '<title>';
echo $title;
echo '</title>';
2017-11-04 10:29:38 +00:00
// include responsive CSS
$cssDirName = dirname(__FILE__) . '/../style/responsive';
2017-11-04 09:49:28 +00:00
$cssDir = dir($cssDirName);
$cssFiles = array();
$cssEntry = $cssDir->read();
while ($cssEntry !== false) {
if (substr($cssEntry, strlen($cssEntry) - 4, 4) == '.css') {
$cssFiles[] = $cssEntry;
}
$cssEntry = $cssDir->read();
}
sort($cssFiles);
foreach ($cssFiles as $cssEntry) {
2017-11-04 10:29:38 +00:00
echo "<link rel=\"stylesheet\" type=\"text/css\" href=\"$prefix/style/responsive/$cssEntry\">";
2017-11-04 09:49:28 +00:00
}
2017-11-04 10:29:38 +00:00
// include all other CSS files
$cssDirName = dirname(__FILE__) . '/../style';
2017-11-04 09:49:28 +00:00
$cssDir = dir($cssDirName);
$cssFiles = array();
$cssEntry = $cssDir->read();
while ($cssEntry !== false) {
if (substr($cssEntry, strlen($cssEntry) - 4, 4) == '.css') {
$cssFiles[] = $cssEntry;
}
$cssEntry = $cssDir->read();
}
sort($cssFiles);
foreach ($cssFiles as $cssEntry) {
2017-11-04 10:29:38 +00:00
echo "<link rel=\"stylesheet\" type=\"text/css\" href=\"$prefix/style/$cssEntry\">";
2017-11-04 09:49:28 +00:00
}
echo '<link rel="shortcut icon" type="image/x-icon" href="' . $prefix . '/graphics/favicon.ico">';
echo '<link rel="icon" href="' . $prefix . '/graphics/logo136.png">';
}
/**
* Prints script tags for all LAM JS files.
*
* @param string $prefix prefix to LAM main folder (e.g. "..")
*/
function printJsIncludes($prefix) {
$jsDirName = dirname(__FILE__) . '/../templates/lib';
$jsDir = dir($jsDirName);
$jsFiles = array();
$jsEntry = $jsDir->read();
while ($jsEntry !== false) {
2017-12-15 15:52:56 +00:00
if ((substr($jsEntry, strlen($jsEntry) - 3, 3) == '.js') || (substr($jsEntry, strlen($jsEntry) - 4, 4) == '.php')) {
2017-11-04 09:49:28 +00:00
$jsFiles[] = $jsEntry;
}
$jsEntry = $jsDir->read();
}
sort($jsFiles);
foreach ($jsFiles as $jsEntry) {
echo "<script type=\"text/javascript\" src=\"$prefix/templates/lib/" . $jsEntry . "\"></script>\n";
}
}
2018-11-23 17:31:47 +00:00
/**
* Converts an UTF-8 string to UTF16LE.
*
* @param string $input UTF-8 value
*/
function convertUtf8ToUtf16Le($input) {
if (($input == null) || (strlen($input) == 0)) {
return $input;
}
$output = iconv('UTF-8', 'UTF-16LE', $input);
if (($output === false) || ($output == '')) {
$output = mb_convert_encoding($input, 'UTF-8', 'UTF-16LE');
}
return $output;
}
2019-05-12 07:50:23 +00:00
/**
* Returns the text with LAM and its version for header area.
*
* @return string LAM version text
*/
function getLAMVersionText() {
$text = 'LDAP Account Manager';
if (isLAMProVersion()) {
$text .= ' Pro';
}
return $text . ' - ' . LAMVersion();
}
2020-04-10 18:34:36 +00:00
/**
* Returns if the given release is a developer version.
*
* @param string version
* @return bool is developer version
*/
function isDeveloperVersion($version) {
return strpos($version, 'DEV') !== false;
}
2017-12-15 15:52:56 +00:00
/**
* LAM exception with title and message.
*
* @author Roland Gruber
*/
2017-01-03 19:02:29 +00:00
class LAMException extends Exception {
private $title;
/**
* Constructor.
*
* @param string $title title
* @param string $message message (optional)
* @param Exception $cause (optional)
*/
public function __construct($title, $message = null, $cause = null) {
parent::__construct($message, null, $cause);
$this->title = $title;
}
/**
* Returns the message title.
*
* @return string title
*/
public function getTitle() {
return $this->title;
}
}
?>