LDAPAccountManager/lam/lib/ldap.inc

<?php
/*

  This code is part of LDAP Account Manager (http://www.ldap-account-manager.org/)
  Copyright (C) 2003 - 2020  Roland Gruber

  This program is free software; you can redistribute it and/or modify
  it under the terms of the GNU General Public License as published by
  the Free Software Foundation; either version 2 of the License, or
  (at your option) any later version.

  This program is distributed in the hope that it will be useful,
  but WITHOUT ANY WARRANTY; without even the implied warranty of
  MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the
  GNU General Public License for more details.

  You should have received a copy of the GNU General Public License
  along with this program; if not, write to the Free Software
  Foundation, Inc., 59 Temple Place, Suite 330, Boston, MA  02111-1307  USA

*/

/**
* ldap.inc provides basic functions to connect to the OpenLDAP server.
*
* @package LDAP
* @author Roland Gruber
*/

/** Access to configuration data */
include_once(__DIR__ . "/config.inc");

/**
* Ldap manages connection to LDAP and includes several helper functions.
*
* @package LDAP
*/
class Ldap{

	/** Object of Config to access preferences */
	private $conf;

	/** Server handle */
	private $server;

	/** LDAP connection established */
	private $is_connected = false;

	/** LDAP username used for bind */
	private $username;
	/** LDAP password used for bind */
	private $password;

	/**
	* Creates a new LDAP object.
	*
	* @param object $config an object of class Config
	*/
	public function __construct($config) {
		if (is_object($config)) {
			$this->conf = $config;
		}
		else {
			return false;
		}
		return true;
	}

	/**
	 * Connects to the server using the given username and password
	 *
	 * @param string $user user name
	 * @param string $passwd password
	 * @param boolean $allowAnonymous specifies if anonymous binds are allowed
	 * @throws LAMException unable to connect
	 */
	public function connect($user, $passwd, $allowAnonymous=false) {
		// close any prior connection
		@$this->close();
		// do not allow anonymous bind
		if (!$allowAnonymous && ((!$user)||($user == "")||(!$passwd))) {
			throw new LAMException(_("Cannot connect to specified LDAP server. Please try again."));
		}
		// save password und username encrypted
		$this->encrypt_login($user, $passwd);
		$startTLS = $this->conf->getUseTLS();
		$startTLS = ($startTLS === 'yes');
		$this->server = connectToLDAP($this->conf->get_ServerURL(), $startTLS);
		if ($this->server != null) {
			// referral following
			$followReferrals = ($this->conf->getFollowReferrals() === 'true') ? 1 : 0;
			ldap_set_option($this->server,LDAP_OPT_REFERRALS, $followReferrals);
			$bind = @ldap_bind($this->server, $user, $passwd);
			if ($bind) {
				$return = ldap_errno($this->server);
				$this->is_connected = true;
				return;
			}
			// return error number
			$errorNumber = ldap_errno($this->server);
			$clientSource = empty($_SERVER['REMOTE_ADDR']) ? '' : $_SERVER['REMOTE_ADDR'];
			if (($errorNumber === False)
				|| ($errorNumber == 81)) {
				// connection failed
				logNewMessage(LOG_ERR, 'User ' . $user . ' (' . $clientSource . ') failed to log in (LDAP error: ' . getDefaultLDAPErrorString($this->server) . ').');
				throw new LAMException(_("Cannot connect to specified LDAP server. Please try again."));
			}
			elseif ($errorNumber == 49) {
				// user name/password invalid. Return to login page.
				logNewMessage(LOG_ERR, 'User ' . $user . ' (' . $clientSource . ') failed to log in (wrong password). ' . getDefaultLDAPErrorString($this->server));
				throw new LAMException(_("Wrong password/user name combination. Please try again."), getDefaultLDAPErrorString($this->server));
			}
			else {
				// other errors
				logNewMessage(LOG_ERR, 'User ' . $user . ' (' . $clientSource . ') failed to log in (LDAP error: ' . getDefaultLDAPErrorString($this->server) . ').');
				throw new LAMException(_("LDAP error, server says:"),  "($errorNumber) " . getDefaultLDAPErrorString($this->server));
			}
		}
		throw new LAMException(_("Cannot connect to specified LDAP server. Please try again."));
	}

	/** Closes connection to server */
	public function close() {
		if ($this->server != null) {
			@ldap_close($this->server);
		}
	}

	/**
	* Returns the LDAP connection handle
	*
	* @return object connection handle
	*/
	public function server() {
		if (!$this->is_connected) {
			try {
				$this->connect($this->getUserName(), $this->getPassword());
				$this->is_connected = true;
			}
			catch (LAMException $e) {
				logNewMessage(LOG_ERR, $e->getTitle() . ' ' . $e->getMessage());
			}
		}
		return $this->server;
	}

	/** Closes connection to LDAP server before serialization */
	public function __sleep() {
		$this->close();
		// define which attributes to save
		return array("conf", "username", "password");
	}

	/** Reconnects to LDAP server when deserialized */
	public function __wakeup() {
		$this->is_connected = false;
		// delete PDF files and images which are older than 15 min
		$tmpDir = dirname(__FILE__) . '/../tmp/';
		$time = time();
		$dir = @opendir($tmpDir);
		$file = @readdir($dir);
		while ($file) {
			$path = $tmpDir . $file;
			if ((substr($file, 0, 1) != '.')
				&& !is_dir($path)
				&& ($time - filemtime($path) > 900)) {
				@unlink($path);
			}
			$file = @readdir($dir);
		}
		@closedir($dir);
		// clean internal files that are older than 24 hours
		$tmpDir = dirname(__FILE__) . '/../tmp/internal/';
		$time = time();
		$dir = @opendir($tmpDir);
		$file = @readdir($dir);
		while ($file) {
			if (substr($file, -4) == '.tmp') {
				$path = $tmpDir . $file;
				if ($time - filemtime($path) > (3600 * 24)) {
					@unlink($path);
				}
			}
			$file = @readdir($dir);
		}
		@closedir($dir);
	}

	/**
	* Encrypts username and password
	*
	* @param string $username LDAP user name
	* @param string $password LDAP password
	*/
	public function encrypt_login($username, $password) {
		// encrypt username and password
		$this->username = base64_encode(lamEncrypt($username));
		$this->password = base64_encode(lamEncrypt($password));
	}

	/**
	 * Returns the LDAP user name.
	 *
	 * @return string user name
	 */
	public function getUserName() {
		return lamDecrypt(base64_decode($this->username));
	}

	/**
	 * Returns the LDAP password.
	 *
	 * @return string password
	 */
	public function getPassword() {
		return lamDecrypt(base64_decode($this->password));
	}

	/** Closes connection to LDAP server and deletes encrypted username/password */
	public function destroy() {
		$this->close();
		$this->username="xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx";
		$this->password="xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx";
	}


}

?>
ldap.php: initial release, just interface, no implementation config/*: minor changes 2003-03-05 16:05:23 +00:00			`<?php`
			`/*`

new homepage 2009-10-27 18:47:12 +00:00			`This code is part of LDAP Account Manager (http://www.ldap-account-manager.org/)`
refactoring 2020-03-19 19:42:36 +00:00			`Copyright (C) 2003 - 2020 Roland Gruber`
ldap.php: initial release, just interface, no implementation config/*: minor changes 2003-03-05 16:05:23 +00:00
			`This program is free software; you can redistribute it and/or modify`
			`it under the terms of the GNU General Public License as published by`
			`the Free Software Foundation; either version 2 of the License, or`
			`(at your option) any later version.`
fixed search_units() if no OUs are in the suffix 2003-06-28 08:05:58 +00:00
ldap.php: initial release, just interface, no implementation config/*: minor changes 2003-03-05 16:05:23 +00:00			`This program is distributed in the hope that it will be useful,`
			`but WITHOUT ANY WARRANTY; without even the implied warranty of`
			`MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the`
			`GNU General Public License for more details.`
fixed search_units() if no OUs are in the suffix 2003-06-28 08:05:58 +00:00
ldap.php: initial release, just interface, no implementation config/*: minor changes 2003-03-05 16:05:23 +00:00			`You should have received a copy of the GNU General Public License`
			`along with this program; if not, write to the Free Software`
			`Foundation, Inc., 59 Temple Place, Suite 330, Boston, MA 02111-1307 USA`

			`*/`

documentation update 2004-05-31 14:04:00 +00:00			`/**`
			`* ldap.inc provides basic functions to connect to the OpenLDAP server.`
			`*`
			`* @package LDAP`
			`* @author Roland Gruber`
			`*/`
removed deprecated functions 2003-04-27 16:29:53 +00:00
documentation update 2004-05-31 14:04:00 +00:00			`/** Access to configuration data */`
refactoring 2018-12-23 16:52:56 +00:00			`include_once(__DIR__ . "/config.inc");`
ldap.php: initial release, just interface, no implementation config/*: minor changes 2003-03-05 16:05:23 +00:00
documentation update 2004-05-31 14:04:00 +00:00			`/**`
			`* Ldap manages connection to LDAP and includes several helper functions.`
			`*`
			`* @package LDAP`
			`*/`
ldap.php: initial release, just interface, no implementation config/*: minor changes 2003-03-05 16:05:23 +00:00			`class Ldap{`

documentation update 2004-05-31 14:04:00 +00:00			`/** Object of Config to access preferences */`
private variables 2007-07-08 11:33:31 +00:00			`private $conf;`
translation update, minor fixes 2003-07-30 20:46:07 +00:00
documentation update 2004-05-31 14:04:00 +00:00			`/** Server handle */`
private variables 2007-07-08 11:33:31 +00:00			`private $server;`
formatting 2015-06-24 17:40:20 +00:00
PHPDoc update 2012-07-15 12:05:47 +00:00			`/** LDAP connection established */`
reduced LDAP connects 2007-07-21 08:27:13 +00:00			`private $is_connected = false;`
translation update, minor fixes 2003-07-30 20:46:07 +00:00
documentation update 2004-05-31 14:04:00 +00:00			`/** LDAP username used for bind */`
private variables 2007-07-08 11:33:31 +00:00			`private $username;`
documentation update 2004-05-31 14:04:00 +00:00			`/** LDAP password used for bind */`
private variables 2007-07-08 11:33:31 +00:00			`private $password;`
translation update, minor fixes 2003-07-30 20:46:07 +00:00
documentation update 2004-05-31 14:04:00 +00:00			`/**`
PHPDoc update 2012-07-15 12:05:47 +00:00			`* Creates a new LDAP object.`
formatting 2015-06-24 17:40:20 +00:00			`*`
documentation update 2004-05-31 14:04:00 +00:00			`* @param object $config an object of class Config`
			`*/`
refactoring 2018-12-29 20:06:27 +00:00			`public function __construct($config) {`
use new random number function 2013-07-21 11:34:31 +00:00			`if (is_object($config)) {`
			`$this->conf = $config;`
			`}`
			`else {`
			`return false;`
			`}`
translation update, minor fixes 2003-07-30 20:46:07 +00:00			`return true;`
			`}`

documentation update 2004-05-31 14:04:00 +00:00			`/**`
better error messages on login 2020-06-17 09:28:05 +00:00			`* Connects to the server using the given username and password`
			`*`
			`* @param string $user user name`
			`* @param string $passwd password`
			`* @param boolean $allowAnonymous specifies if anonymous binds are allowed`
			`* @throws LAMException unable to connect`
			`*/`
refactoring 2018-12-29 20:06:27 +00:00			`public function connect($user, $passwd, $allowAnonymous=false) {`
translation update, minor fixes 2003-07-30 20:46:07 +00:00			`// close any prior connection`
			`@$this->close();`
			`// do not allow anonymous bind`
optionally alllow anonymous login 2009-03-07 18:15:27 +00:00			`if (!$allowAnonymous && ((!$user)\|\|($user == "")\|\|(!$passwd))) {`
better error messages on login 2020-06-17 09:28:05 +00:00			`throw new LAMException(_("Cannot connect to specified LDAP server. Please try again."));`
translation update, minor fixes 2003-07-30 20:46:07 +00:00			`}`
			`// save password und username encrypted`
Blowfish update 2004-01-10 11:08:10 +00:00			`$this->encrypt_login($user, $passwd);`
central function for LDAP connect 2017-10-07 12:45:15 +00:00			`$startTLS = $this->conf->getUseTLS();`
			`$startTLS = ($startTLS === 'yes');`
			`$this->server = connectToLDAP($this->conf->get_ServerURL(), $startTLS);`
			`if ($this->server != null) {`
added option if referrals should be followed 2014-01-12 10:18:35 +00:00			`// referral following`
			`$followReferrals = ($this->conf->getFollowReferrals() === 'true') ? 1 : 0;`
			`ldap_set_option($this->server,LDAP_OPT_REFERRALS, $followReferrals);`
translation update, minor fixes 2003-07-30 20:46:07 +00:00			`$bind = @ldap_bind($this->server, $user, $passwd);`
			`if ($bind) {`
fixed login problems for AD servers 2006-02-02 19:56:41 +00:00			`$return = ldap_errno($this->server);`
fixed LDAP search login method 2009-11-03 20:57:53 +00:00			`$this->is_connected = true;`
better error messages on login 2020-06-17 09:28:05 +00:00			`return;`
translation update, minor fixes 2003-07-30 20:46:07 +00:00			`}`
better error handling at login 2003-12-03 23:03:10 +00:00			`// return error number`
better error messages on login 2020-06-17 09:28:05 +00:00			`$errorNumber = ldap_errno($this->server);`
			`$clientSource = empty($_SERVER['REMOTE_ADDR']) ? '' : $_SERVER['REMOTE_ADDR'];`
			`if (($errorNumber === False)`
			`\|\| ($errorNumber == 81)) {`
			`// connection failed`
			`logNewMessage(LOG_ERR, 'User ' . $user . ' (' . $clientSource . ') failed to log in (LDAP error: ' . getDefaultLDAPErrorString($this->server) . ').');`
			`throw new LAMException(_("Cannot connect to specified LDAP server. Please try again."));`
			`}`
			`elseif ($errorNumber == 49) {`
			`// user name/password invalid. Return to login page.`
			`logNewMessage(LOG_ERR, 'User ' . $user . ' (' . $clientSource . ') failed to log in (wrong password). ' . getDefaultLDAPErrorString($this->server));`
			`throw new LAMException(_("Wrong password/user name combination. Please try again."), getDefaultLDAPErrorString($this->server));`
			`}`
removed decrypt_login() 2019-08-05 19:56:06 +00:00			`else {`
better error messages on login 2020-06-17 09:28:05 +00:00			`// other errors`
			`logNewMessage(LOG_ERR, 'User ' . $user . ' (' . $clientSource . ') failed to log in (LDAP error: ' . getDefaultLDAPErrorString($this->server) . ').');`
			`throw new LAMException(_("LDAP error, server says:"), "($errorNumber) " . getDefaultLDAPErrorString($this->server));`
removed decrypt_login() 2019-08-05 19:56:06 +00:00			`}`
			`}`
better error messages on login 2020-06-17 09:28:05 +00:00			`throw new LAMException(_("Cannot connect to specified LDAP server. Please try again."));`
translation update, minor fixes 2003-07-30 20:46:07 +00:00			`}`
ldap.php: initial release, just interface, no implementation config/*: minor changes 2003-03-05 16:05:23 +00:00
documentation update 2004-05-31 14:04:00 +00:00			`/** Closes connection to server */`
refactoring 2018-12-29 20:06:27 +00:00			`public function close() {`
allow to create PDF file on upload 2012-02-05 10:38:59 +00:00			`if ($this->server != null) {`
			`@ldap_close($this->server);`
			`}`
prepare Samba 3 support 2003-06-08 18:58:01 +00:00			`}`
added search_domains() function 2003-07-26 12:37:31 +00:00
documentation update 2004-05-31 14:04:00 +00:00			`/**`
			`* Returns the LDAP connection handle`
			`*`
			`* @return object connection handle`
			`*/`
refactoring 2018-12-29 20:06:27 +00:00			`public function server() {`
reduced LDAP connects 2007-07-21 08:27:13 +00:00			`if (!$this->is_connected) {`
better error messages on login 2020-06-17 09:28:05 +00:00			`try {`
			`$this->connect($this->getUserName(), $this->getPassword());`
			`$this->is_connected = true;`
			`}`
			`catch (LAMException $e) {`
			`logNewMessage(LOG_ERR, $e->getTitle() . ' ' . $e->getMessage());`
			`}`
reduced LDAP connects 2007-07-21 08:27:13 +00:00			`}`
added search_domains() function 2003-07-26 12:37:31 +00:00			`return $this->server;`
			`}`
fixed search_units() if no OUs are in the suffix 2003-06-28 08:05:58 +00:00
documentation update 2004-05-31 14:04:00 +00:00			`/** Closes connection to LDAP server before serialization */`
refactoring 2018-12-29 20:06:27 +00:00			`public function __sleep() {`
added search_domains() function 2003-07-26 12:37:31 +00:00			`$this->close();`
			`// define which attributes to save`
use new random number function 2013-07-21 11:34:31 +00:00			`return array("conf", "username", "password");`
added search_domains() function 2003-07-26 12:37:31 +00:00			`}`
fixed search_units() if no OUs are in the suffix 2003-06-28 08:05:58 +00:00
documentation update 2004-05-31 14:04:00 +00:00			`/** Reconnects to LDAP server when deserialized */`
refactoring 2018-12-29 20:06:27 +00:00			`public function __wakeup() {`
reduced LDAP connects 2007-07-21 08:27:13 +00:00			`$this->is_connected = false;`
clean all temporary files after 15min 2013-01-28 21:14:26 +00:00			`// delete PDF files and images which are older than 15 min`
removed lampath session variable 2010-04-01 18:12:07 +00:00			`$tmpDir = dirname(__FILE__) . '/../tmp/';`
			`$time = time();`
			`$dir = @opendir($tmpDir);`
			`$file = @readdir($dir);`
			`while ($file) {`
clean all temporary files after 15min 2013-01-28 21:14:26 +00:00			`$path = $tmpDir . $file;`
refactoring 2020-03-19 19:42:36 +00:00			`if ((substr($file, 0, 1) != '.')`
			`&& !is_dir($path)`
			`&& ($time - filemtime($path) > 900)) {`
			`@unlink($path);`
delete PDF files which are older than 10 min 2003-11-03 14:32:27 +00:00			`}`
removed lampath session variable 2010-04-01 18:12:07 +00:00			`$file = @readdir($dir);`
delete PDF files which are older than 10 min 2003-11-03 14:32:27 +00:00			`}`
removed lampath session variable 2010-04-01 18:12:07 +00:00			`@closedir($dir);`
delete internal files after 24h 2012-01-26 20:02:38 +00:00			`// clean internal files that are older than 24 hours`
			`$tmpDir = dirname(__FILE__) . '/../tmp/internal/';`
			`$time = time();`
			`$dir = @opendir($tmpDir);`
			`$file = @readdir($dir);`
			`while ($file) {`
refactoring 2018-12-28 10:19:15 +00:00			`if (substr($file, -4) == '.tmp') {`
delete internal files after 24h 2012-01-26 20:02:38 +00:00			`$path = $tmpDir . $file;`
			`if ($time - filemtime($path) > (3600 * 24)) {`
			`@unlink($path);`
			`}`
			`}`
			`$file = @readdir($dir);`
			`}`
			`@closedir($dir);`
added search_domains() function 2003-07-26 12:37:31 +00:00			`}`
fixed search_units() if no OUs are in the suffix 2003-06-28 08:05:58 +00:00
documentation update 2004-05-31 14:04:00 +00:00			`/**`
			`* Encrypts username and password`
			`*`
			`* @param string $username LDAP user name`
			`* @param string $password LDAP password`
			`*/`
refactoring 2018-12-29 20:06:27 +00:00			`public function encrypt_login($username, $password) {`
sort entries from search_units() 2003-07-02 17:58:55 +00:00			`// encrypt username and password`
moved encryption functions to security.inc 2016-08-07 08:40:36 +00:00			`$this->username = base64_encode(lamEncrypt($username));`
			`$this->password = base64_encode(lamEncrypt($password));`
sort entries from search_units() 2003-07-02 17:58:55 +00:00			`}`
ldap is now correctly (de)serialized username and password are not encrypted at the moment 2003-03-19 18:39:09 +00:00
refactoring 2018-12-29 20:06:27 +00:00			`/**`
			`* Returns the LDAP user name.`
			`*`
			`* @return string user name`
			`*/`
			`public function getUserName() {`
			`return lamDecrypt(base64_decode($this->username));`
			`}`

			`/**`
			`* Returns the LDAP password.`
			`*`
			`* @return string password`
			`*/`
			`public function getPassword() {`
			`return lamDecrypt(base64_decode($this->password));`
			`}`

documentation update 2004-05-31 14:04:00 +00:00			`/** Closes connection to LDAP server and deletes encrypted username/password */`
refactoring 2018-12-29 20:06:27 +00:00			`public function destroy() {`
sort entries from search_units() 2003-07-02 17:58:55 +00:00			`$this->close();`
			`$this->username="xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx";`
			`$this->password="xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx";`
			`}`
ldap is now correctly (de)serialized username and password are not encrypted at the moment 2003-03-19 18:39:09 +00:00
added arrays with known LDAP attributes 2003-04-01 14:17:32 +00:00
added search_domains() function 2003-07-26 12:37:31 +00:00			`}`
ldap.php: initial release, just interface, no implementation config/*: minor changes 2003-03-05 16:05:23 +00:00
added arrays with known LDAP attributes 2003-04-01 14:17:32 +00:00			`?>`