diff options
Diffstat (limited to 'platform/www/lib/plugins/authad')
20 files changed, 4819 insertions, 0 deletions
diff --git a/platform/www/lib/plugins/authad/action.php b/platform/www/lib/plugins/authad/action.php new file mode 100644 index 0000000..a9fc01c --- /dev/null +++ b/platform/www/lib/plugins/authad/action.php @@ -0,0 +1,90 @@ +<?php +/** + * DokuWiki Plugin addomain (Action Component) + * + * @license GPL 2 http://www.gnu.org/licenses/gpl-2.0.html + * @author Andreas Gohr <gohr@cosmocode.de> + */ + +/** + * Class action_plugin_addomain + */ +class action_plugin_authad extends DokuWiki_Action_Plugin +{ + + /** + * Registers a callback function for a given event + */ + public function register(Doku_Event_Handler $controller) + { + + $controller->register_hook('AUTH_LOGIN_CHECK', 'BEFORE', $this, 'handleAuthLoginCheck'); + $controller->register_hook('HTML_LOGINFORM_OUTPUT', 'BEFORE', $this, 'handleHtmlLoginformOutput'); + } + + /** + * Adds the selected domain as user postfix when attempting a login + * + * @param Doku_Event $event + * @param array $param + */ + public function handleAuthLoginCheck(Doku_Event $event, $param) + { + global $INPUT; + + /** @var auth_plugin_authad $auth */ + global $auth; + if (!is_a($auth, 'auth_plugin_authad')) return; // AD not even used + + if ($INPUT->str('dom')) { + $usr = $auth->cleanUser($event->data['user']); + $dom = $auth->getUserDomain($usr); + if (!$dom) { + $usr = "$usr@".$INPUT->str('dom'); + } + $INPUT->post->set('u', $usr); + $event->data['user'] = $usr; + } + } + + /** + * Shows a domain selection in the login form when more than one domain is configured + * + * @param Doku_Event $event + * @param array $param + */ + public function handleHtmlLoginformOutput(Doku_Event $event, $param) + { + global $INPUT; + /** @var auth_plugin_authad $auth */ + global $auth; + if (!is_a($auth, 'auth_plugin_authad')) return; // AD not even used + $domains = $auth->getConfiguredDomains(); + if (count($domains) <= 1) return; // no choice at all + + /** @var Doku_Form $form */ + $form =& $event->data; + + // any default? + $dom = ''; + if ($INPUT->has('u')) { + $usr = $auth->cleanUser($INPUT->str('u')); + $dom = $auth->getUserDomain($usr); + + // update user field value + if ($dom) { + $usr = $auth->getUserName($usr); + $pos = $form->findElementByAttribute('name', 'u'); + $ele =& $form->getElementAt($pos); + $ele['value'] = $usr; + } + } + + // add select box + $element = form_makeListboxField('dom', $domains, $dom, $this->getLang('domain'), '', 'block'); + $pos = $form->findElementByAttribute('name', 'p'); + $form->insertElement($pos + 1, $element); + } +} + +// vim:ts=4:sw=4:et: diff --git a/platform/www/lib/plugins/authad/adLDAP/adLDAP.php b/platform/www/lib/plugins/authad/adLDAP/adLDAP.php new file mode 100644 index 0000000..c84a4f4 --- /dev/null +++ b/platform/www/lib/plugins/authad/adLDAP/adLDAP.php @@ -0,0 +1,949 @@ +<?php +/** + * PHP LDAP CLASS FOR MANIPULATING ACTIVE DIRECTORY + * Version 4.0.4 + * + * PHP Version 5 with SSL and LDAP support + * + * Written by Scott Barnett, Richard Hyland + * email: scott@wiggumworld.com, adldap@richardhyland.com + * http://adldap.sourceforge.net/ + * + * Copyright (c) 2006-2012 Scott Barnett, Richard Hyland + * + * We'd appreciate any improvements or additions to be submitted back + * to benefit the entire community :) + * + * This library is free software; you can redistribute it and/or + * modify it under the terms of the GNU Lesser General Public + * License as published by the Free Software Foundation; either + * version 2.1 of the License. + * + * This library is distributed in the hope that it will be useful, + * but WITHOUT ANY WARRANTY; without even the implied warranty of + * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU + * Lesser General Public License for more details. + * + * @category ToolsAndUtilities + * @package adLDAP + * @author Scott Barnett, Richard Hyland + * @copyright (c) 2006-2012 Scott Barnett, Richard Hyland + * @license http://www.gnu.org/licenses/old-licenses/lgpl-2.1.html LGPLv2.1 + * @revision $Revision: 169 $ + * @version 4.0.4 + * @link http://adldap.sourceforge.net/ + */ + +/** +* Main adLDAP class +* +* Can be initialised using $adldap = new adLDAP(); +* +* Something to keep in mind is that Active Directory is a permissions +* based directory. If you bind as a domain user, you can't fetch as +* much information on other users as you could as a domain admin. +* +* Before asking questions, please read the Documentation at +* http://adldap.sourceforge.net/wiki/doku.php?id=api +*/ +require_once(dirname(__FILE__) . '/collections/adLDAPCollection.php'); +require_once(dirname(__FILE__) . '/classes/adLDAPGroups.php'); +require_once(dirname(__FILE__) . '/classes/adLDAPUsers.php'); +require_once(dirname(__FILE__) . '/classes/adLDAPFolders.php'); +require_once(dirname(__FILE__) . '/classes/adLDAPUtils.php'); +require_once(dirname(__FILE__) . '/classes/adLDAPContacts.php'); +require_once(dirname(__FILE__) . '/classes/adLDAPExchange.php'); +require_once(dirname(__FILE__) . '/classes/adLDAPComputers.php'); + +class adLDAP { + + /** + * Define the different types of account in AD + */ + const ADLDAP_NORMAL_ACCOUNT = 805306368; + const ADLDAP_WORKSTATION_TRUST = 805306369; + const ADLDAP_INTERDOMAIN_TRUST = 805306370; + const ADLDAP_SECURITY_GLOBAL_GROUP = 268435456; + const ADLDAP_DISTRIBUTION_GROUP = 268435457; + const ADLDAP_SECURITY_LOCAL_GROUP = 536870912; + const ADLDAP_DISTRIBUTION_LOCAL_GROUP = 536870913; + const ADLDAP_FOLDER = 'OU'; + const ADLDAP_CONTAINER = 'CN'; + + /** + * The default port for LDAP non-SSL connections + */ + const ADLDAP_LDAP_PORT = '389'; + /** + * The default port for LDAPS SSL connections + */ + const ADLDAP_LDAPS_PORT = '636'; + + /** + * The account suffix for your domain, can be set when the class is invoked + * + * @var string + */ + protected $accountSuffix = "@mydomain.local"; + + /** + * The base dn for your domain + * + * If this is set to null then adLDAP will attempt to obtain this automatically from the rootDSE + * + * @var string + */ + protected $baseDn = "DC=mydomain,DC=local"; + + /** + * Port used to talk to the domain controllers. + * + * @var int + */ + protected $adPort = self::ADLDAP_LDAP_PORT; + + /** + * Array of domain controllers. Specifiy multiple controllers if you + * would like the class to balance the LDAP queries amongst multiple servers + * + * @var array + */ + protected $domainControllers = array("dc01.mydomain.local"); + + /** + * Optional account with higher privileges for searching + * This should be set to a domain admin account + * + * @var string + * @var string + */ + protected $adminUsername = NULL; + protected $adminPassword = NULL; + + /** + * AD does not return the primary group. http://support.microsoft.com/?kbid=321360 + * This tweak will resolve the real primary group. + * Setting to false will fudge "Domain Users" and is much faster. Keep in mind though that if + * someone's primary group is NOT domain users, this is obviously going to mess up the results + * + * @var bool + */ + protected $realPrimaryGroup = true; + + /** + * Use SSL (LDAPS), your server needs to be setup, please see + * http://adldap.sourceforge.net/wiki/doku.php?id=ldap_over_ssl + * + * @var bool + */ + protected $useSSL = false; + + /** + * Use TLS + * If you wish to use TLS you should ensure that $useSSL is set to false and vice-versa + * + * @var bool + */ + protected $useTLS = false; + + /** + * Use SSO + * To indicate to adLDAP to reuse password set by the brower through NTLM or Kerberos + * + * @var bool + */ + protected $useSSO = false; + + /** + * When querying group memberships, do it recursively + * eg. User Fred is a member of Group A, which is a member of Group B, which is a member of Group C + * user_ingroup("Fred","C") will returns true with this option turned on, false if turned off + * + * @var bool + */ + protected $recursiveGroups = true; + + // You should not need to edit anything below this line + //****************************************************************************************** + + /** + * Connection and bind default variables + * + * @var mixed + * @var mixed + */ + protected $ldapConnection; + protected $ldapBind; + + /** + * Get the active LDAP Connection + * + * @return resource + */ + public function getLdapConnection() { + if ($this->ldapConnection) { + return $this->ldapConnection; + } + return false; + } + + /** + * Get the bind status + * + * @return bool + */ + public function getLdapBind() { + return $this->ldapBind; + } + + /** + * Get the current base DN + * + * @return string + */ + public function getBaseDn() { + return $this->baseDn; + } + + /** + * The group class + * + * @var adLDAPGroups + */ + protected $groupClass; + + /** + * Get the group class interface + * + * @return adLDAPGroups + */ + public function group() { + if (!$this->groupClass) { + $this->groupClass = new adLDAPGroups($this); + } + return $this->groupClass; + } + + /** + * The user class + * + * @var adLDAPUsers + */ + protected $userClass; + + /** + * Get the userclass interface + * + * @return adLDAPUsers + */ + public function user() { + if (!$this->userClass) { + $this->userClass = new adLDAPUsers($this); + } + return $this->userClass; + } + + /** + * The folders class + * + * @var adLDAPFolders + */ + protected $folderClass; + + /** + * Get the folder class interface + * + * @return adLDAPFolders + */ + public function folder() { + if (!$this->folderClass) { + $this->folderClass = new adLDAPFolders($this); + } + return $this->folderClass; + } + + /** + * The utils class + * + * @var adLDAPUtils + */ + protected $utilClass; + + /** + * Get the utils class interface + * + * @return adLDAPUtils + */ + public function utilities() { + if (!$this->utilClass) { + $this->utilClass = new adLDAPUtils($this); + } + return $this->utilClass; + } + + /** + * The contacts class + * + * @var adLDAPContacts + */ + protected $contactClass; + + /** + * Get the contacts class interface + * + * @return adLDAPContacts + */ + public function contact() { + if (!$this->contactClass) { + $this->contactClass = new adLDAPContacts($this); + } + return $this->contactClass; + } + + /** + * The exchange class + * + * @var adLDAPExchange + */ + protected $exchangeClass; + + /** + * Get the exchange class interface + * + * @return adLDAPExchange + */ + public function exchange() { + if (!$this->exchangeClass) { + $this->exchangeClass = new adLDAPExchange($this); + } + return $this->exchangeClass; + } + + /** + * The computers class + * + * @var adLDAPComputers + */ + protected $computersClass; + + /** + * Get the computers class interface + * + * @return adLDAPComputers + */ + public function computer() { + if (!$this->computerClass) { + $this->computerClass = new adLDAPComputers($this); + } + return $this->computerClass; + } + + /** + * Getters and Setters + */ + + /** + * Set the account suffix + * + * @param string $accountSuffix + * @return void + */ + public function setAccountSuffix($accountSuffix) + { + $this->accountSuffix = $accountSuffix; + } + + /** + * Get the account suffix + * + * @return string + */ + public function getAccountSuffix() + { + return $this->accountSuffix; + } + + /** + * Set the domain controllers array + * + * @param array $domainControllers + * @return void + */ + public function setDomainControllers(array $domainControllers) + { + $this->domainControllers = $domainControllers; + } + + /** + * Get the list of domain controllers + * + * @return void + */ + public function getDomainControllers() + { + return $this->domainControllers; + } + + /** + * Sets the port number your domain controller communicates over + * + * @param int $adPort + */ + public function setPort($adPort) + { + $this->adPort = $adPort; + } + + /** + * Gets the port number your domain controller communicates over + * + * @return int + */ + public function getPort() + { + return $this->adPort; + } + + /** + * Set the username of an account with higher priviledges + * + * @param string $adminUsername + * @return void + */ + public function setAdminUsername($adminUsername) + { + $this->adminUsername = $adminUsername; + } + + /** + * Get the username of the account with higher priviledges + * + * This will throw an exception for security reasons + */ + public function getAdminUsername() + { + throw new adLDAPException('For security reasons you cannot access the domain administrator account details'); + } + + /** + * Set the password of an account with higher priviledges + * + * @param string $adminPassword + * @return void + */ + public function setAdminPassword($adminPassword) + { + $this->adminPassword = $adminPassword; + } + + /** + * Get the password of the account with higher priviledges + * + * This will throw an exception for security reasons + */ + public function getAdminPassword() + { + throw new adLDAPException('For security reasons you cannot access the domain administrator account details'); + } + + /** + * Set whether to detect the true primary group + * + * @param bool $realPrimaryGroup + * @return void + */ + public function setRealPrimaryGroup($realPrimaryGroup) + { + $this->realPrimaryGroup = $realPrimaryGroup; + } + + /** + * Get the real primary group setting + * + * @return bool + */ + public function getRealPrimaryGroup() + { + return $this->realPrimaryGroup; + } + + /** + * Set whether to use SSL + * + * @param bool $useSSL + * @return void + */ + public function setUseSSL($useSSL) + { + $this->useSSL = $useSSL; + // Set the default port correctly + if($this->useSSL) { + $this->setPort(self::ADLDAP_LDAPS_PORT); + } + else { + $this->setPort(self::ADLDAP_LDAP_PORT); + } + } + + /** + * Get the SSL setting + * + * @return bool + */ + public function getUseSSL() + { + return $this->useSSL; + } + + /** + * Set whether to use TLS + * + * @param bool $useTLS + * @return void + */ + public function setUseTLS($useTLS) + { + $this->useTLS = $useTLS; + } + + /** + * Get the TLS setting + * + * @return bool + */ + public function getUseTLS() + { + return $this->useTLS; + } + + /** + * Set whether to use SSO + * Requires ldap_sasl_bind support. Be sure --with-ldap-sasl is used when configuring PHP otherwise this function will be undefined. + * + * @param bool $useSSO + * @return void + */ + public function setUseSSO($useSSO) + { + if ($useSSO === true && !$this->ldapSaslSupported()) { + throw new adLDAPException('No LDAP SASL support for PHP. See: http://php.net/ldap_sasl_bind'); + } + $this->useSSO = $useSSO; + } + + /** + * Get the SSO setting + * + * @return bool + */ + public function getUseSSO() + { + return $this->useSSO; + } + + /** + * Set whether to lookup recursive groups + * + * @param bool $recursiveGroups + * @return void + */ + public function setRecursiveGroups($recursiveGroups) + { + $this->recursiveGroups = $recursiveGroups; + } + + /** + * Get the recursive groups setting + * + * @return bool + */ + public function getRecursiveGroups() + { + return $this->recursiveGroups; + } + + /** + * Default Constructor + * + * Tries to bind to the AD domain over LDAP or LDAPs + * + * @param array $options Array of options to pass to the constructor + * @throws Exception - if unable to bind to Domain Controller + * @return bool + */ + function __construct($options = array()) { + // You can specifically overide any of the default configuration options setup above + if (count($options) > 0) { + if (array_key_exists("account_suffix",$options)){ $this->accountSuffix = $options["account_suffix"]; } + if (array_key_exists("base_dn",$options)){ $this->baseDn = $options["base_dn"]; } + if (array_key_exists("domain_controllers",$options)){ + if (!is_array($options["domain_controllers"])) { + throw new adLDAPException('[domain_controllers] option must be an array'); + } + $this->domainControllers = $options["domain_controllers"]; + } + if (array_key_exists("admin_username",$options)){ $this->adminUsername = $options["admin_username"]; } + if (array_key_exists("admin_password",$options)){ $this->adminPassword = $options["admin_password"]; } + if (array_key_exists("real_primarygroup",$options)){ $this->realPrimaryGroup = $options["real_primarygroup"]; } + if (array_key_exists("use_ssl",$options)){ $this->setUseSSL($options["use_ssl"]); } + if (array_key_exists("use_tls",$options)){ $this->useTLS = $options["use_tls"]; } + if (array_key_exists("recursive_groups",$options)){ $this->recursiveGroups = $options["recursive_groups"]; } + if (array_key_exists("ad_port",$options)){ $this->setPort($options["ad_port"]); } + if (array_key_exists("sso",$options)) { + $this->setUseSSO($options["sso"]); + if (!$this->ldapSaslSupported()) { + $this->setUseSSO(false); + } + } + } + + if ($this->ldapSupported() === false) { + throw new adLDAPException('No LDAP support for PHP. See: http://php.net/ldap'); + } + + return $this->connect(); + } + + /** + * Default Destructor + * + * Closes the LDAP connection + * + * @return void + */ + function __destruct() { + $this->close(); + } + + /** + * Connects and Binds to the Domain Controller + * + * @return bool + */ + public function connect() + { + // Connect to the AD/LDAP server as the username/password + $domainController = $this->randomController(); + if ($this->useSSL) { + $this->ldapConnection = ldap_connect("ldaps://" . $domainController, $this->adPort); + } else { + $this->ldapConnection = ldap_connect($domainController, $this->adPort); + } + + // Set some ldap options for talking to AD + ldap_set_option($this->ldapConnection, LDAP_OPT_PROTOCOL_VERSION, 3); + ldap_set_option($this->ldapConnection, LDAP_OPT_REFERRALS, 0); + + if ($this->useTLS) { + ldap_start_tls($this->ldapConnection); + } + + // Bind as a domain admin if they've set it up + if ($this->adminUsername !== NULL && $this->adminPassword !== NULL) { + $this->ldapBind = @ldap_bind($this->ldapConnection, $this->adminUsername . $this->accountSuffix, $this->adminPassword); + if (!$this->ldapBind) { + if ($this->useSSL && !$this->useTLS) { + // If you have problems troubleshooting, remove the @ character from the ldapldapBind command above to get the actual error message + throw new adLDAPException('Bind to Active Directory failed. Either the LDAPs connection failed or the login credentials are incorrect. AD said: ' . $this->getLastError()); + } + else { + throw new adLDAPException('Bind to Active Directory failed. Check the login credentials and/or server details. AD said: ' . $this->getLastError()); + } + } + } + if ($this->useSSO && $_SERVER['REMOTE_USER'] && $this->adminUsername === null && $_SERVER['KRB5CCNAME']) { + putenv("KRB5CCNAME=" . $_SERVER['KRB5CCNAME']); + $this->ldapBind = @ldap_sasl_bind($this->ldapConnection, NULL, NULL, "GSSAPI"); + if (!$this->ldapBind){ + throw new adLDAPException('Rebind to Active Directory failed. AD said: ' . $this->getLastError()); + } + else { + return true; + } + } + + + if ($this->baseDn == NULL) { + $this->baseDn = $this->findBaseDn(); + } + + return true; + } + + /** + * Closes the LDAP connection + * + * @return void + */ + public function close() { + if ($this->ldapConnection) { + @ldap_close($this->ldapConnection); + } + } + + /** + * Validate a user's login credentials + * + * @param string $username A user's AD username + * @param string $password A user's AD password + * @param bool optional $preventRebind + * @return bool + */ + public function authenticate($username, $password, $preventRebind = false) { + // Prevent null binding + if ($username === NULL || $password === NULL) { return false; } + if (empty($username) || empty($password)) { return false; } + + // Allow binding over SSO for Kerberos + if ($this->useSSO && $_SERVER['REMOTE_USER'] && $_SERVER['REMOTE_USER'] == $username && $this->adminUsername === NULL && $_SERVER['KRB5CCNAME']) { + putenv("KRB5CCNAME=" . $_SERVER['KRB5CCNAME']); + $this->ldapBind = @ldap_sasl_bind($this->ldapConnection, NULL, NULL, "GSSAPI"); + if (!$this->ldapBind) { + throw new adLDAPException('Rebind to Active Directory failed. AD said: ' . $this->getLastError()); + } + else { + return true; + } + } + + // Bind as the user + $ret = true; + $this->ldapBind = @ldap_bind($this->ldapConnection, $username . $this->accountSuffix, $password); + if (!$this->ldapBind){ + $ret = false; + } + + // Cnce we've checked their details, kick back into admin mode if we have it + if ($this->adminUsername !== NULL && !$preventRebind) { + $this->ldapBind = @ldap_bind($this->ldapConnection, $this->adminUsername . $this->accountSuffix , $this->adminPassword); + if (!$this->ldapBind){ + // This should never happen in theory + throw new adLDAPException('Rebind to Active Directory failed. AD said: ' . $this->getLastError()); + } + } + + return $ret; + } + + /** + * Find the Base DN of your domain controller + * + * @return string + */ + public function findBaseDn() + { + $namingContext = $this->getRootDse(array('defaultnamingcontext')); + return $namingContext[0]['defaultnamingcontext'][0]; + } + + /** + * Get the RootDSE properties from a domain controller + * + * @param array $attributes The attributes you wish to query e.g. defaultnamingcontext + * @return array + */ + public function getRootDse($attributes = array("*", "+")) { + if (!$this->ldapBind){ return (false); } + + $sr = @ldap_read($this->ldapConnection, NULL, 'objectClass=*', $attributes); + $entries = @ldap_get_entries($this->ldapConnection, $sr); + return $entries; + } + + /** + * Get last error from Active Directory + * + * This function gets the last message from Active Directory + * This may indeed be a 'Success' message but if you get an unknown error + * it might be worth calling this function to see what errors were raised + * + * return string + */ + public function getLastError() { + return @ldap_error($this->ldapConnection); + } + + /** + * Detect LDAP support in php + * + * @return bool + */ + protected function ldapSupported() + { + if (!function_exists('ldap_connect')) { + return false; + } + return true; + } + + /** + * Detect ldap_sasl_bind support in PHP + * + * @return bool + */ + protected function ldapSaslSupported() + { + if (!function_exists('ldap_sasl_bind')) { + return false; + } + return true; + } + + /** + * Schema + * + * @param array $attributes Attributes to be queried + * @return array + */ + public function adldap_schema($attributes){ + + // LDAP doesn't like NULL attributes, only set them if they have values + // If you wish to remove an attribute you should set it to a space + // TO DO: Adapt user_modify to use ldap_mod_delete to remove a NULL attribute + $mod=array(); + + // Check every attribute to see if it contains 8bit characters and then UTF8 encode them + array_walk($attributes, array($this, 'encode8bit')); + + if ($attributes["address_city"]){ $mod["l"][0]=$attributes["address_city"]; } + if ($attributes["address_code"]){ $mod["postalCode"][0]=$attributes["address_code"]; } + //if ($attributes["address_country"]){ $mod["countryCode"][0]=$attributes["address_country"]; } // use country codes? + if ($attributes["address_country"]){ $mod["c"][0]=$attributes["address_country"]; } + if ($attributes["address_pobox"]){ $mod["postOfficeBox"][0]=$attributes["address_pobox"]; } + if ($attributes["address_state"]){ $mod["st"][0]=$attributes["address_state"]; } + if ($attributes["address_street"]){ $mod["streetAddress"][0]=$attributes["address_street"]; } + if ($attributes["company"]){ $mod["company"][0]=$attributes["company"]; } + if ($attributes["change_password"]){ $mod["pwdLastSet"][0]=0; } + if ($attributes["department"]){ $mod["department"][0]=$attributes["department"]; } + if ($attributes["description"]){ $mod["description"][0]=$attributes["description"]; } + if ($attributes["display_name"]){ $mod["displayName"][0]=$attributes["display_name"]; } + if ($attributes["email"]){ $mod["mail"][0]=$attributes["email"]; } + if ($attributes["expires"]){ $mod["accountExpires"][0]=$attributes["expires"]; } //unix epoch format? + if ($attributes["firstname"]){ $mod["givenName"][0]=$attributes["firstname"]; } + if ($attributes["home_directory"]){ $mod["homeDirectory"][0]=$attributes["home_directory"]; } + if ($attributes["home_drive"]){ $mod["homeDrive"][0]=$attributes["home_drive"]; } + if ($attributes["initials"]){ $mod["initials"][0]=$attributes["initials"]; } + if ($attributes["logon_name"]){ $mod["userPrincipalName"][0]=$attributes["logon_name"]; } + if ($attributes["manager"]){ $mod["manager"][0]=$attributes["manager"]; } //UNTESTED ***Use DistinguishedName*** + if ($attributes["office"]){ $mod["physicalDeliveryOfficeName"][0]=$attributes["office"]; } + if ($attributes["password"]){ $mod["unicodePwd"][0]=$this->user()->encodePassword($attributes["password"]); } + if ($attributes["profile_path"]){ $mod["profilepath"][0]=$attributes["profile_path"]; } + if ($attributes["script_path"]){ $mod["scriptPath"][0]=$attributes["script_path"]; } + if ($attributes["surname"]){ $mod["sn"][0]=$attributes["surname"]; } + if ($attributes["title"]){ $mod["title"][0]=$attributes["title"]; } + if ($attributes["telephone"]){ $mod["telephoneNumber"][0]=$attributes["telephone"]; } + if ($attributes["mobile"]){ $mod["mobile"][0]=$attributes["mobile"]; } + if ($attributes["pager"]){ $mod["pager"][0]=$attributes["pager"]; } + if ($attributes["ipphone"]){ $mod["ipphone"][0]=$attributes["ipphone"]; } + if ($attributes["web_page"]){ $mod["wWWHomePage"][0]=$attributes["web_page"]; } + if ($attributes["fax"]){ $mod["facsimileTelephoneNumber"][0]=$attributes["fax"]; } + if ($attributes["enabled"]){ $mod["userAccountControl"][0]=$attributes["enabled"]; } + if ($attributes["homephone"]){ $mod["homephone"][0]=$attributes["homephone"]; } + + // Distribution List specific schema + if ($attributes["group_sendpermission"]){ $mod["dlMemSubmitPerms"][0]=$attributes["group_sendpermission"]; } + if ($attributes["group_rejectpermission"]){ $mod["dlMemRejectPerms"][0]=$attributes["group_rejectpermission"]; } + + // Exchange Schema + if ($attributes["exchange_homemdb"]){ $mod["homeMDB"][0]=$attributes["exchange_homemdb"]; } + if ($attributes["exchange_mailnickname"]){ $mod["mailNickname"][0]=$attributes["exchange_mailnickname"]; } + if ($attributes["exchange_proxyaddress"]){ $mod["proxyAddresses"][0]=$attributes["exchange_proxyaddress"]; } + if ($attributes["exchange_usedefaults"]){ $mod["mDBUseDefaults"][0]=$attributes["exchange_usedefaults"]; } + if ($attributes["exchange_policyexclude"]){ $mod["msExchPoliciesExcluded"][0]=$attributes["exchange_policyexclude"]; } + if ($attributes["exchange_policyinclude"]){ $mod["msExchPoliciesIncluded"][0]=$attributes["exchange_policyinclude"]; } + if ($attributes["exchange_addressbook"]){ $mod["showInAddressBook"][0]=$attributes["exchange_addressbook"]; } + if ($attributes["exchange_altrecipient"]){ $mod["altRecipient"][0]=$attributes["exchange_altrecipient"]; } + if ($attributes["exchange_deliverandredirect"]){ $mod["deliverAndRedirect"][0]=$attributes["exchange_deliverandredirect"]; } + + // This schema is designed for contacts + if ($attributes["exchange_hidefromlists"]){ $mod["msExchHideFromAddressLists"][0]=$attributes["exchange_hidefromlists"]; } + if ($attributes["contact_email"]){ $mod["targetAddress"][0]=$attributes["contact_email"]; } + + //echo ("<pre>"); print_r($mod); + /* + // modifying a name is a bit fiddly + if ($attributes["firstname"] && $attributes["surname"]){ + $mod["cn"][0]=$attributes["firstname"]." ".$attributes["surname"]; + $mod["displayname"][0]=$attributes["firstname"]." ".$attributes["surname"]; + $mod["name"][0]=$attributes["firstname"]." ".$attributes["surname"]; + } + */ + + if (count($mod)==0){ return (false); } + return ($mod); + } + + /** + * Convert 8bit characters e.g. accented characters to UTF8 encoded characters + */ + protected function encode8Bit(&$item, $key) { + $encode = false; + if (is_string($item)) { + for ($i=0; $i<strlen($item); $i++) { + if (ord($item[$i]) >> 7) { + $encode = true; + } + } + } + if ($encode === true && $key != 'password') { + $item = utf8_encode($item); + } + } + + /** + * Select a random domain controller from your domain controller array + * + * @return string + */ + protected function randomController() + { + mt_srand(doubleval(microtime()) * 100000000); // For older PHP versions + /*if (sizeof($this->domainControllers) > 1) { + $adController = $this->domainControllers[array_rand($this->domainControllers)]; + // Test if the controller is responding to pings + $ping = $this->pingController($adController); + if ($ping === false) { + // Find the current key in the domain controllers array + $key = array_search($adController, $this->domainControllers); + // Remove it so that we don't end up in a recursive loop + unset($this->domainControllers[$key]); + // Select a new controller + return $this->randomController(); + } + else { + return ($adController); + } + } */ + return $this->domainControllers[array_rand($this->domainControllers)]; + } + + /** + * Test basic connectivity to controller + * + * @return bool + */ + protected function pingController($host) { + $port = $this->adPort; + fsockopen($host, $port, $errno, $errstr, 10); + if ($errno > 0) { + return false; + } + return true; + } + +} + +/** +* adLDAP Exception Handler +* +* Exceptions of this type are thrown on bind failure or when SSL is required but not configured +* Example: +* try { +* $adldap = new adLDAP(); +* } +* catch (adLDAPException $e) { +* echo $e; +* exit(); +* } +*/ +class adLDAPException extends Exception {} diff --git a/platform/www/lib/plugins/authad/adLDAP/classes/adLDAPComputers.php b/platform/www/lib/plugins/authad/adLDAP/classes/adLDAPComputers.php new file mode 100644 index 0000000..aabd88f --- /dev/null +++ b/platform/www/lib/plugins/authad/adLDAP/classes/adLDAPComputers.php @@ -0,0 +1,153 @@ +<?php +/** + * PHP LDAP CLASS FOR MANIPULATING ACTIVE DIRECTORY + * Version 4.0.4 + * + * PHP Version 5 with SSL and LDAP support + * + * Written by Scott Barnett, Richard Hyland + * email: scott@wiggumworld.com, adldap@richardhyland.com + * http://adldap.sourceforge.net/ + * + * Copyright (c) 2006-2012 Scott Barnett, Richard Hyland + * + * We'd appreciate any improvements or additions to be submitted back + * to benefit the entire community :) + * + * This library is free software; you can redistribute it and/or + * modify it under the terms of the GNU Lesser General Public + * License as published by the Free Software Foundation; either + * version 2.1 of the License. + * + * This library is distributed in the hope that it will be useful, + * but WITHOUT ANY WARRANTY; without even the implied warranty of + * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU + * Lesser General Public License for more details. + * + * @category ToolsAndUtilities + * @package adLDAP + * @subpackage Computers + * @author Scott Barnett, Richard Hyland + * @copyright (c) 2006-2012 Scott Barnett, Richard Hyland + * @license http://www.gnu.org/licenses/old-licenses/lgpl-2.1.html LGPLv2.1 + * @revision $Revision: 97 $ + * @version 4.0.4 + * @link http://adldap.sourceforge.net/ + */ +require_once(dirname(__FILE__) . '/../adLDAP.php'); +require_once(dirname(__FILE__) . '/../collections/adLDAPComputerCollection.php'); + +/** +* COMPUTER MANAGEMENT FUNCTIONS +*/ +class adLDAPComputers { + + /** + * The current adLDAP connection via dependency injection + * + * @var adLDAP + */ + protected $adldap; + + public function __construct(adLDAP $adldap) { + $this->adldap = $adldap; + } + + /** + * Get information about a specific computer. Returned in a raw array format from AD + * + * @param string $computerName The name of the computer + * @param array $fields Attributes to return + * @return array + */ + public function info($computerName, $fields = NULL) + { + if ($computerName === NULL) { return false; } + if (!$this->adldap->getLdapBind()) { return false; } + + $filter = "(&(objectClass=computer)(cn=" . $computerName . "))"; + if ($fields === NULL) { + $fields = array("memberof","cn","displayname","dnshostname","distinguishedname","objectcategory","operatingsystem","operatingsystemservicepack","operatingsystemversion"); + } + $sr = ldap_search($this->adldap->getLdapConnection(), $this->adldap->getBaseDn(), $filter, $fields); + $entries = ldap_get_entries($this->adldap->getLdapConnection(), $sr); + + return $entries; + } + + /** + * Find information about the computers. Returned in a raw array format from AD + * + * @param string $computerName The name of the computer + * @param array $fields Array of parameters to query + * @return mixed + */ + public function infoCollection($computerName, $fields = NULL) + { + if ($computerName === NULL) { return false; } + if (!$this->adldap->getLdapBind()) { return false; } + + $info = $this->info($computerName, $fields); + + if ($info !== false) { + $collection = new adLDAPComputerCollection($info, $this->adldap); + return $collection; + } + return false; + } + + /** + * Check if a computer is in a group + * + * @param string $computerName The name of the computer + * @param string $group The group to check + * @param bool $recursive Whether to check recursively + * @return array + */ + public function inGroup($computerName, $group, $recursive = NULL) + { + if ($computerName === NULL) { return false; } + if ($group === NULL) { return false; } + if (!$this->adldap->getLdapBind()) { return false; } + if ($recursive === NULL) { $recursive = $this->adldap->getRecursiveGroups(); } // use the default option if they haven't set it + + //get a list of the groups + $groups = $this->groups($computerName, array("memberof"), $recursive); + + //return true if the specified group is in the group list + if (in_array($group, $groups)){ + return true; + } + + return false; + } + + /** + * Get the groups a computer is in + * + * @param string $computerName The name of the computer + * @param bool $recursive Whether to check recursively + * @return array + */ + public function groups($computerName, $recursive = NULL) + { + if ($computerName === NULL) { return false; } + if ($recursive === NULL) { $recursive = $this->adldap->getRecursiveGroups(); } //use the default option if they haven't set it + if (!$this->adldap->getLdapBind()){ return false; } + + //search the directory for their information + $info = @$this->info($computerName, array("memberof", "primarygroupid")); + $groups = $this->adldap->utilities()->niceNames($info[0]["memberof"]); //presuming the entry returned is our guy (unique usernames) + + if ($recursive === true) { + foreach ($groups as $id => $groupName){ + $extraGroups = $this->adldap->group()->recursiveGroups($groupName); + $groups = array_merge($groups, $extraGroups); + } + } + + return $groups; + } + +} +?>
\ No newline at end of file diff --git a/platform/www/lib/plugins/authad/adLDAP/classes/adLDAPContacts.php b/platform/www/lib/plugins/authad/adLDAP/classes/adLDAPContacts.php new file mode 100644 index 0000000..42a0d75 --- /dev/null +++ b/platform/www/lib/plugins/authad/adLDAP/classes/adLDAPContacts.php @@ -0,0 +1,294 @@ +<?php +/** + * PHP LDAP CLASS FOR MANIPULATING ACTIVE DIRECTORY + * Version 4.0.4 + * + * PHP Version 5 with SSL and LDAP support + * + * Written by Scott Barnett, Richard Hyland + * email: scott@wiggumworld.com, adldap@richardhyland.com + * http://adldap.sourceforge.net/ + * + * Copyright (c) 2006-2012 Scott Barnett, Richard Hyland + * + * We'd appreciate any improvements or additions to be submitted back + * to benefit the entire community :) + * + * This library is free software; you can redistribute it and/or + * modify it under the terms of the GNU Lesser General Public + * License as published by the Free Software Foundation; either + * version 2.1 of the License. + * + * This library is distributed in the hope that it will be useful, + * but WITHOUT ANY WARRANTY; without even the implied warranty of + * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU + * Lesser General Public License for more details. + * + * @category ToolsAndUtilities + * @package adLDAP + * @subpackage Contacts + * @author Scott Barnett, Richard Hyland + * @copyright (c) 2006-2012 Scott Barnett, Richard Hyland + * @license http://www.gnu.org/licenses/old-licenses/lgpl-2.1.html LGPLv2.1 + * @revision $Revision: 97 $ + * @version 4.0.4 + * @link http://adldap.sourceforge.net/ + */ + +require_once(dirname(__FILE__) . '/../adLDAP.php'); +require_once(dirname(__FILE__) . '/../collections/adLDAPContactCollection.php'); + +class adLDAPContacts { + /** + * The current adLDAP connection via dependency injection + * + * @var adLDAP + */ + protected $adldap; + + public function __construct(adLDAP $adldap) { + $this->adldap = $adldap; + } + + //***************************************************************************************************************** + // CONTACT FUNCTIONS + // * Still work to do in this area, and new functions to write + + /** + * Create a contact + * + * @param array $attributes The attributes to set to the contact + * @return bool + */ + public function create($attributes) + { + // Check for compulsory fields + if (!array_key_exists("display_name", $attributes)) { return "Missing compulsory field [display_name]"; } + if (!array_key_exists("email", $attributes)) { return "Missing compulsory field [email]"; } + if (!array_key_exists("container", $attributes)) { return "Missing compulsory field [container]"; } + if (!is_array($attributes["container"])) { return "Container attribute must be an array."; } + + // Translate the schema + $add = $this->adldap->adldap_schema($attributes); + + // Additional stuff only used for adding contacts + $add["cn"][0] = $attributes["display_name"]; + $add["objectclass"][0] = "top"; + $add["objectclass"][1] = "person"; + $add["objectclass"][2] = "organizationalPerson"; + $add["objectclass"][3] = "contact"; + if (!isset($attributes['exchange_hidefromlists'])) { + $add["msExchHideFromAddressLists"][0] = "TRUE"; + } + + // Determine the container + $attributes["container"] = array_reverse($attributes["container"]); + $container= "OU=" . implode(",OU=", $attributes["container"]); + + // Add the entry + $result = @ldap_add($this->adldap->getLdapConnection(), "CN=" . $this->adldap->utilities()->escapeCharacters($add["cn"][0]) . ", " . $container . "," . $this->adldap->getBaseDn(), $add); + if ($result != true) { + return false; + } + + return true; + } + + /** + * Determine the list of groups a contact is a member of + * + * @param string $distinguisedname The full DN of a contact + * @param bool $recursive Recursively check groups + * @return array + */ + public function groups($distinguishedName, $recursive = NULL) + { + if ($distinguishedName === NULL) { return false; } + if ($recursive === NULL) { $recursive = $this->adldap->getRecursiveGroups(); } //use the default option if they haven't set it + if (!$this->adldap->getLdapBind()){ return false; } + + // Search the directory for their information + $info = @$this->info($distinguishedName, array("memberof", "primarygroupid")); + $groups = $this->adldap->utilities()->niceNames($info[0]["memberof"]); //presuming the entry returned is our contact + + if ($recursive === true){ + foreach ($groups as $id => $groupName){ + $extraGroups = $this->adldap->group()->recursiveGroups($groupName); + $groups = array_merge($groups, $extraGroups); + } + } + + return $groups; + } + + /** + * Get contact information. Returned in a raw array format from AD + * + * @param string $distinguisedname The full DN of a contact + * @param array $fields Attributes to be returned + * @return array + */ + public function info($distinguishedName, $fields = NULL) + { + if ($distinguishedName === NULL) { return false; } + if (!$this->adldap->getLdapBind()) { return false; } + + $filter = "distinguishedName=" . $distinguishedName; + if ($fields === NULL) { + $fields = array("distinguishedname", "mail", "memberof", "department", "displayname", "telephonenumber", "primarygroupid", "objectsid"); + } + $sr = ldap_search($this->adldap->getLdapConnection(), $this->adldap->getBaseDn(), $filter, $fields); + $entries = ldap_get_entries($this->adldap->getLdapConnection(), $sr); + + if ($entries[0]['count'] >= 1) { + // AD does not return the primary group in the ldap query, we may need to fudge it + if ($this->adldap->getRealPrimaryGroup() && isset($entries[0]["primarygroupid"][0]) && isset($entries[0]["primarygroupid"][0])){ + //$entries[0]["memberof"][]=$this->group_cn($entries[0]["primarygroupid"][0]); + $entries[0]["memberof"][] = $this->adldap->group()->getPrimaryGroup($entries[0]["primarygroupid"][0], $entries[0]["objectsid"][0]); + } else { + $entries[0]["memberof"][] = "CN=Domain Users,CN=Users," . $this->adldap->getBaseDn(); + } + } + + $entries[0]["memberof"]["count"]++; + return $entries; + } + + /** + * Find information about the contacts. Returned in a raw array format from AD + * + * @param string $distinguishedName The full DN of a contact + * @param array $fields Array of parameters to query + * @return mixed + */ + public function infoCollection($distinguishedName, $fields = NULL) + { + if ($distinguishedName === NULL) { return false; } + if (!$this->adldap->getLdapBind()) { return false; } + + $info = $this->info($distinguishedName, $fields); + + if ($info !== false) { + $collection = new adLDAPContactCollection($info, $this->adldap); + return $collection; + } + return false; + } + + /** + * Determine if a contact is a member of a group + * + * @param string $distinguisedName The full DN of a contact + * @param string $group The group name to query + * @param bool $recursive Recursively check groups + * @return bool + */ + public function inGroup($distinguisedName, $group, $recursive = NULL) + { + if ($distinguisedName === NULL) { return false; } + if ($group === NULL) { return false; } + if (!$this->adldap->getLdapBind()) { return false; } + if ($recursive === NULL) { $recursive = $this->adldap->getRecursiveGroups(); } //use the default option if they haven't set it + + // Get a list of the groups + $groups = $this->groups($distinguisedName, array("memberof"), $recursive); + + // Return true if the specified group is in the group list + if (in_array($group, $groups)){ + return true; + } + + return false; + } + + /** + * Modify a contact + * + * @param string $distinguishedName The contact to query + * @param array $attributes The attributes to modify. Note if you set the enabled attribute you must not specify any other attributes + * @return bool + */ + public function modify($distinguishedName, $attributes) { + if ($distinguishedName === NULL) { return "Missing compulsory field [distinguishedname]"; } + + // Translate the update to the LDAP schema + $mod = $this->adldap->adldap_schema($attributes); + + // Check to see if this is an enabled status update + if (!$mod) { + return false; + } + + // Do the update + $result = ldap_modify($this->adldap->getLdapConnection(), $distinguishedName, $mod); + if ($result == false) { + return false; + } + + return true; + } + + /** + * Delete a contact + * + * @param string $distinguishedName The contact dn to delete (please be careful here!) + * @return array + */ + public function delete($distinguishedName) + { + $result = $this->folder()->delete($distinguishedName); + if ($result != true) { + return false; + } + return true; + } + + /** + * Return a list of all contacts + * + * @param bool $includeDescription Include a description of a contact + * @param string $search The search parameters + * @param bool $sorted Whether to sort the results + * @return array + */ + public function all($includeDescription = false, $search = "*", $sorted = true) { + if (!$this->adldap->getLdapBind()) { return false; } + + // Perform the search and grab all their details + $filter = "(&(objectClass=contact)(cn=" . $search . "))"; + $fields = array("displayname","distinguishedname"); + $sr = ldap_search($this->adldap->getLdapConnection(), $this->adldap->getBaseDn(), $filter, $fields); + $entries = ldap_get_entries($this->adldap->getLdapConnection(), $sr); + + $usersArray = array(); + for ($i=0; $i<$entries["count"]; $i++){ + if ($includeDescription && strlen($entries[$i]["displayname"][0])>0){ + $usersArray[$entries[$i]["distinguishedname"][0]] = $entries[$i]["displayname"][0]; + } elseif ($includeDescription){ + $usersArray[$entries[$i]["distinguishedname"][0]] = $entries[$i]["distinguishedname"][0]; + } else { + array_push($usersArray, $entries[$i]["distinguishedname"][0]); + } + } + if ($sorted) { + asort($usersArray); + } + return $usersArray; + } + + /** + * Mail enable a contact + * Allows email to be sent to them through Exchange + * + * @param string $distinguishedname The contact to mail enable + * @param string $emailaddress The email address to allow emails to be sent through + * @param string $mailnickname The mailnickname for the contact in Exchange. If NULL this will be set to the display name + * @return bool + */ + public function contactMailEnable($distinguishedName, $emailAddress, $mailNickname = NULL){ + return $this->adldap->exchange()->contactMailEnable($distinguishedName, $emailAddress, $mailNickname); + } + + +} +?> diff --git a/platform/www/lib/plugins/authad/adLDAP/classes/adLDAPExchange.php b/platform/www/lib/plugins/authad/adLDAP/classes/adLDAPExchange.php new file mode 100644 index 0000000..d70aac7 --- /dev/null +++ b/platform/www/lib/plugins/authad/adLDAP/classes/adLDAPExchange.php @@ -0,0 +1,390 @@ +<?php +/** + * PHP LDAP CLASS FOR MANIPULATING ACTIVE DIRECTORY + * Version 4.0.4 + * + * PHP Version 5 with SSL and LDAP support + * + * Written by Scott Barnett, Richard Hyland + * email: scott@wiggumworld.com, adldap@richardhyland.com + * http://adldap.sourceforge.net/ + * + * Copyright (c) 2006-2012 Scott Barnett, Richard Hyland + * + * We'd appreciate any improvements or additions to be submitted back + * to benefit the entire community :) + * + * This library is free software; you can redistribute it and/or + * modify it under the terms of the GNU Lesser General Public + * License as published by the Free Software Foundation; either + * version 2.1 of the License. + * + * This library is distributed in the hope that it will be useful, + * but WITHOUT ANY WARRANTY; without even the implied warranty of + * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU + * Lesser General Public License for more details. + * + * @category ToolsAndUtilities + * @package adLDAP + * @subpackage Exchange + * @author Scott Barnett, Richard Hyland + * @copyright (c) 2006-2012 Scott Barnett, Richard Hyland + * @license http://www.gnu.org/licenses/old-licenses/lgpl-2.1.html LGPLv2.1 + * @revision $Revision: 97 $ + * @version 4.0.4 + * @link http://adldap.sourceforge.net/ + */ +require_once(dirname(__FILE__) . '/../adLDAP.php'); + +/** +* MICROSOFT EXCHANGE FUNCTIONS +*/ +class adLDAPExchange { + /** + * The current adLDAP connection via dependency injection + * + * @var adLDAP + */ + protected $adldap; + + public function __construct(adLDAP $adldap) { + $this->adldap = $adldap; + } + + /** + * Create an Exchange account + * + * @param string $username The username of the user to add the Exchange account to + * @param array $storageGroup The mailbox, Exchange Storage Group, for the user account, this must be a full CN + * If the storage group has a different base_dn to the adLDAP configuration, set it using $base_dn + * @param string $emailAddress The primary email address to add to this user + * @param string $mailNickname The mail nick name. If mail nickname is blank, the username will be used + * @param bool $mdbUseDefaults Indicates whether the store should use the default quota, rather than the per-mailbox quota. + * @param string $baseDn Specify an alternative base_dn for the Exchange storage group + * @param bool $isGUID Is the username passed a GUID or a samAccountName + * @return bool + */ + public function createMailbox($username, $storageGroup, $emailAddress, $mailNickname=NULL, $useDefaults=TRUE, $baseDn=NULL, $isGUID=false) + { + if ($username === NULL){ return "Missing compulsory field [username]"; } + if ($storageGroup === NULL) { return "Missing compulsory array [storagegroup]"; } + if (!is_array($storageGroup)) { return "[storagegroup] must be an array"; } + if ($emailAddress === NULL) { return "Missing compulsory field [emailAddress]"; } + + if ($baseDn === NULL) { + $baseDn = $this->adldap->getBaseDn(); + } + + $container = "CN=" . implode(",CN=", $storageGroup); + + if ($mailNickname === NULL) { + $mailNickname = $username; + } + $mdbUseDefaults = $this->adldap->utilities()->boolToString($useDefaults); + + $attributes = array( + 'exchange_homemdb'=>$container.",".$baseDn, + 'exchange_proxyaddress'=>'SMTP:' . $emailAddress, + 'exchange_mailnickname'=>$mailNickname, + 'exchange_usedefaults'=>$mdbUseDefaults + ); + $result = $this->adldap->user()->modify($username, $attributes, $isGUID); + if ($result == false) { + return false; + } + return true; + } + + /** + * Add an X400 address to Exchange + * See http://tools.ietf.org/html/rfc1685 for more information. + * An X400 Address looks similar to this X400:c=US;a= ;p=Domain;o=Organization;s=Doe;g=John; + * + * @param string $username The username of the user to add the X400 to to + * @param string $country Country + * @param string $admd Administration Management Domain + * @param string $pdmd Private Management Domain (often your AD domain) + * @param string $org Organization + * @param string $surname Surname + * @param string $givenName Given name + * @param bool $isGUID Is the username passed a GUID or a samAccountName + * @return bool + */ + public function addX400($username, $country, $admd, $pdmd, $org, $surname, $givenName, $isGUID=false) + { + if ($username === NULL){ return "Missing compulsory field [username]"; } + + $proxyValue = 'X400:'; + + // Find the dn of the user + $user = $this->adldap->user()->info($username, array("cn","proxyaddresses"), $isGUID); + if ($user[0]["dn"] === NULL) { return false; } + $userDn = $user[0]["dn"]; + + // We do not have to demote an email address from the default so we can just add the new proxy address + $attributes['exchange_proxyaddress'] = $proxyValue . 'c=' . $country . ';a=' . $admd . ';p=' . $pdmd . ';o=' . $org . ';s=' . $surname . ';g=' . $givenName . ';'; + + // Translate the update to the LDAP schema + $add = $this->adldap->adldap_schema($attributes); + + if (!$add) { return false; } + + // Do the update + // Take out the @ to see any errors, usually this error might occur because the address already + // exists in the list of proxyAddresses + $result = @ldap_mod_add($this->adldap->getLdapConnection(), $userDn, $add); + if ($result == false) { + return false; + } + + return true; + } + + /** + * Add an address to Exchange + * + * @param string $username The username of the user to add the Exchange account to + * @param string $emailAddress The email address to add to this user + * @param bool $default Make this email address the default address, this is a bit more intensive as we have to demote any existing default addresses + * @param bool $isGUID Is the username passed a GUID or a samAccountName + * @return bool + */ + public function addAddress($username, $emailAddress, $default = FALSE, $isGUID = false) + { + if ($username === NULL) { return "Missing compulsory field [username]"; } + if ($emailAddress === NULL) { return "Missing compulsory fields [emailAddress]"; } + + $proxyValue = 'smtp:'; + if ($default === true) { + $proxyValue = 'SMTP:'; + } + + // Find the dn of the user + $user = $this->adldap->user()->info($username, array("cn","proxyaddresses"), $isGUID); + if ($user[0]["dn"] === NULL){ return false; } + $userDn = $user[0]["dn"]; + + // We need to scan existing proxy addresses and demote the default one + if (is_array($user[0]["proxyaddresses"]) && $default === true) { + $modAddresses = array(); + for ($i=0;$i<sizeof($user[0]['proxyaddresses']);$i++) { + if (strstr($user[0]['proxyaddresses'][$i], 'SMTP:') !== false) { + $user[0]['proxyaddresses'][$i] = str_replace('SMTP:', 'smtp:', $user[0]['proxyaddresses'][$i]); + } + if ($user[0]['proxyaddresses'][$i] != '') { + $modAddresses['proxyAddresses'][$i] = $user[0]['proxyaddresses'][$i]; + } + } + $modAddresses['proxyAddresses'][(sizeof($user[0]['proxyaddresses'])-1)] = 'SMTP:' . $emailAddress; + + $result = @ldap_mod_replace($this->adldap->getLdapConnection(), $userDn, $modAddresses); + if ($result == false) { + return false; + } + + return true; + } + else { + // We do not have to demote an email address from the default so we can just add the new proxy address + $attributes['exchange_proxyaddress'] = $proxyValue . $emailAddress; + + // Translate the update to the LDAP schema + $add = $this->adldap->adldap_schema($attributes); + + if (!$add) { + return false; + } + + // Do the update + // Take out the @ to see any errors, usually this error might occur because the address already + // exists in the list of proxyAddresses + $result = @ldap_mod_add($this->adldap->getLdapConnection(), $userDn,$add); + if ($result == false) { + return false; + } + + return true; + } + } + + /** + * Remove an address to Exchange + * If you remove a default address the account will no longer have a default, + * we recommend changing the default address first + * + * @param string $username The username of the user to add the Exchange account to + * @param string $emailAddress The email address to add to this user + * @param bool $isGUID Is the username passed a GUID or a samAccountName + * @return bool + */ + public function deleteAddress($username, $emailAddress, $isGUID=false) + { + if ($username === NULL) { return "Missing compulsory field [username]"; } + if ($emailAddress === NULL) { return "Missing compulsory fields [emailAddress]"; } + + // Find the dn of the user + $user = $this->adldap->user()->info($username, array("cn","proxyaddresses"), $isGUID); + if ($user[0]["dn"] === NULL) { return false; } + $userDn = $user[0]["dn"]; + + if (is_array($user[0]["proxyaddresses"])) { + $mod = array(); + for ($i=0;$i<sizeof($user[0]['proxyaddresses']);$i++) { + if (strstr($user[0]['proxyaddresses'][$i], 'SMTP:') !== false && $user[0]['proxyaddresses'][$i] == 'SMTP:' . $emailAddress) { + $mod['proxyAddresses'][0] = 'SMTP:' . $emailAddress; + } + elseif (strstr($user[0]['proxyaddresses'][$i], 'smtp:') !== false && $user[0]['proxyaddresses'][$i] == 'smtp:' . $emailAddress) { + $mod['proxyAddresses'][0] = 'smtp:' . $emailAddress; + } + } + + $result = @ldap_mod_del($this->adldap->getLdapConnection(), $userDn,$mod); + if ($result == false) { + return false; + } + + return true; + } + else { + return false; + } + } + /** + * Change the default address + * + * @param string $username The username of the user to add the Exchange account to + * @param string $emailAddress The email address to make default + * @param bool $isGUID Is the username passed a GUID or a samAccountName + * @return bool + */ + public function primaryAddress($username, $emailAddress, $isGUID = false) + { + if ($username === NULL) { return "Missing compulsory field [username]"; } + if ($emailAddress === NULL) { return "Missing compulsory fields [emailAddress]"; } + + // Find the dn of the user + $user = $this->adldap->user()->info($username, array("cn","proxyaddresses"), $isGUID); + if ($user[0]["dn"] === NULL){ return false; } + $userDn = $user[0]["dn"]; + + if (is_array($user[0]["proxyaddresses"])) { + $modAddresses = array(); + for ($i=0;$i<sizeof($user[0]['proxyaddresses']);$i++) { + if (strstr($user[0]['proxyaddresses'][$i], 'SMTP:') !== false) { + $user[0]['proxyaddresses'][$i] = str_replace('SMTP:', 'smtp:', $user[0]['proxyaddresses'][$i]); + } + if ($user[0]['proxyaddresses'][$i] == 'smtp:' . $emailAddress) { + $user[0]['proxyaddresses'][$i] = str_replace('smtp:', 'SMTP:', $user[0]['proxyaddresses'][$i]); + } + if ($user[0]['proxyaddresses'][$i] != '') { + $modAddresses['proxyAddresses'][$i] = $user[0]['proxyaddresses'][$i]; + } + } + + $result = @ldap_mod_replace($this->adldap->getLdapConnection(), $userDn, $modAddresses); + if ($result == false) { + return false; + } + + return true; + } + + } + + /** + * Mail enable a contact + * Allows email to be sent to them through Exchange + * + * @param string $distinguishedName The contact to mail enable + * @param string $emailAddress The email address to allow emails to be sent through + * @param string $mailNickname The mailnickname for the contact in Exchange. If NULL this will be set to the display name + * @return bool + */ + public function contactMailEnable($distinguishedName, $emailAddress, $mailNickname = NULL) + { + if ($distinguishedName === NULL) { return "Missing compulsory field [distinguishedName]"; } + if ($emailAddress === NULL) { return "Missing compulsory field [emailAddress]"; } + + if ($mailNickname !== NULL) { + // Find the dn of the user + $user = $this->adldap->contact()->info($distinguishedName, array("cn","displayname")); + if ($user[0]["displayname"] === NULL) { return false; } + $mailNickname = $user[0]['displayname'][0]; + } + + $attributes = array("email"=>$emailAddress,"contact_email"=>"SMTP:" . $emailAddress,"exchange_proxyaddress"=>"SMTP:" . $emailAddress,"exchange_mailnickname" => $mailNickname); + + // Translate the update to the LDAP schema + $mod = $this->adldap->adldap_schema($attributes); + + // Check to see if this is an enabled status update + if (!$mod) { return false; } + + // Do the update + $result = ldap_modify($this->adldap->getLdapConnection(), $distinguishedName, $mod); + if ($result == false) { return false; } + + return true; + } + + /** + * Returns a list of Exchange Servers in the ConfigurationNamingContext of the domain + * + * @param array $attributes An array of the AD attributes you wish to return + * @return array + */ + public function servers($attributes = array('cn','distinguishedname','serialnumber')) + { + if (!$this->adldap->getLdapBind()){ return false; } + + $configurationNamingContext = $this->adldap->getRootDse(array('configurationnamingcontext')); + $sr = @ldap_search($this->adldap->getLdapConnection(), $configurationNamingContext[0]['configurationnamingcontext'][0],'(&(objectCategory=msExchExchangeServer))', $attributes); + $entries = @ldap_get_entries($this->adldap->getLdapConnection(), $sr); + return $entries; + } + + /** + * Returns a list of Storage Groups in Exchange for a given mail server + * + * @param string $exchangeServer The full DN of an Exchange server. You can use exchange_servers() to find the DN for your server + * @param array $attributes An array of the AD attributes you wish to return + * @param bool $recursive If enabled this will automatically query the databases within a storage group + * @return array + */ + public function storageGroups($exchangeServer, $attributes = array('cn','distinguishedname'), $recursive = NULL) + { + if (!$this->adldap->getLdapBind()){ return false; } + if ($exchangeServer === NULL) { return "Missing compulsory field [exchangeServer]"; } + if ($recursive === NULL) { $recursive = $this->adldap->getRecursiveGroups(); } + + $filter = '(&(objectCategory=msExchStorageGroup))'; + $sr = @ldap_search($this->adldap->getLdapConnection(), $exchangeServer, $filter, $attributes); + $entries = @ldap_get_entries($this->adldap->getLdapConnection(), $sr); + + if ($recursive === true) { + for ($i=0; $i<$entries['count']; $i++) { + $entries[$i]['msexchprivatemdb'] = $this->storageDatabases($entries[$i]['distinguishedname'][0]); + } + } + + return $entries; + } + + /** + * Returns a list of Databases within any given storage group in Exchange for a given mail server + * + * @param string $storageGroup The full DN of an Storage Group. You can use exchange_storage_groups() to find the DN + * @param array $attributes An array of the AD attributes you wish to return + * @return array + */ + public function storageDatabases($storageGroup, $attributes = array('cn','distinguishedname','displayname')) { + if (!$this->adldap->getLdapBind()){ return false; } + if ($storageGroup === NULL) { return "Missing compulsory field [storageGroup]"; } + + $filter = '(&(objectCategory=msExchPrivateMDB))'; + $sr = @ldap_search($this->adldap->getLdapConnection(), $storageGroup, $filter, $attributes); + $entries = @ldap_get_entries($this->adldap->getLdapConnection(), $sr); + return $entries; + } +} +?>
\ No newline at end of file diff --git a/platform/www/lib/plugins/authad/adLDAP/classes/adLDAPFolders.php b/platform/www/lib/plugins/authad/adLDAP/classes/adLDAPFolders.php new file mode 100644 index 0000000..67b1474 --- /dev/null +++ b/platform/www/lib/plugins/authad/adLDAP/classes/adLDAPFolders.php @@ -0,0 +1,179 @@ +<?php +/** + * PHP LDAP CLASS FOR MANIPULATING ACTIVE DIRECTORY + * Version 4.0.4 + * + * PHP Version 5 with SSL and LDAP support + * + * Written by Scott Barnett, Richard Hyland + * email: scott@wiggumworld.com, adldap@richardhyland.com + * http://adldap.sourceforge.net/ + * + * Copyright (c) 2006-2012 Scott Barnett, Richard Hyland + * + * We'd appreciate any improvements or additions to be submitted back + * to benefit the entire community :) + * + * This library is free software; you can redistribute it and/or + * modify it under the terms of the GNU Lesser General Public + * License as published by the Free Software Foundation; either + * version 2.1 of the License. + * + * This library is distributed in the hope that it will be useful, + * but WITHOUT ANY WARRANTY; without even the implied warranty of + * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU + * Lesser General Public License for more details. + * + * @category ToolsAndUtilities + * @package adLDAP + * @subpackage Folders + * @author Scott Barnett, Richard Hyland + * @copyright (c) 2006-2012 Scott Barnett, Richard Hyland + * @license http://www.gnu.org/licenses/old-licenses/lgpl-2.1.html LGPLv2.1 + * @revision $Revision: 97 $ + * @version 4.0.4 + * @link http://adldap.sourceforge.net/ + */ +require_once(dirname(__FILE__) . '/../adLDAP.php'); + +/** +* FOLDER / OU MANAGEMENT FUNCTIONS +*/ +class adLDAPFolders { + /** + * The current adLDAP connection via dependency injection + * + * @var adLDAP + */ + protected $adldap; + + public function __construct(adLDAP $adldap) { + $this->adldap = $adldap; + } + + /** + * Delete a distinguished name from Active Directory + * You should never need to call this yourself, just use the wrapper functions user_delete and contact_delete + * + * @param string $dn The distinguished name to delete + * @return bool + */ + public function delete($dn){ + $result = ldap_delete($this->adldap->getLdapConnection(), $dn); + if ($result != true) { + return false; + } + return true; + } + + /** + * Returns a folder listing for a specific OU + * See http://adldap.sourceforge.net/wiki/doku.php?id=api_folder_functions + * + * @param array $folderName An array to the OU you wish to list. + * If set to NULL will list the root, strongly recommended to set + * $recursive to false in that instance! + * @param string $dnType The type of record to list. This can be ADLDAP_FOLDER or ADLDAP_CONTAINER. + * @param bool $recursive Recursively search sub folders + * @param bool $type Specify a type of object to search for + * @return array + */ + public function listing($folderName = NULL, $dnType = adLDAP::ADLDAP_FOLDER, $recursive = NULL, $type = NULL) + { + if ($recursive === NULL) { $recursive = $this->adldap->getRecursiveGroups(); } //use the default option if they haven't set it + if (!$this->adldap->getLdapBind()) { return false; } + + $filter = '(&'; + if ($type !== NULL) { + switch ($type) { + case 'contact': + $filter .= '(objectClass=contact)'; + break; + case 'computer': + $filter .= '(objectClass=computer)'; + break; + case 'group': + $filter .= '(objectClass=group)'; + break; + case 'folder': + $filter .= '(objectClass=organizationalUnit)'; + break; + case 'container': + $filter .= '(objectClass=container)'; + break; + case 'domain': + $filter .= '(objectClass=builtinDomain)'; + break; + default: + $filter .= '(objectClass=user)'; + break; + } + } + else { + $filter .= '(objectClass=*)'; + } + // If the folder name is null then we will search the root level of AD + // This requires us to not have an OU= part, just the base_dn + $searchOu = $this->adldap->getBaseDn(); + if (is_array($folderName)) { + $ou = $dnType . "=" . implode("," . $dnType . "=", $folderName); + $filter .= '(!(distinguishedname=' . $ou . ',' . $this->adldap->getBaseDn() . ')))'; + $searchOu = $ou . ',' . $this->adldap->getBaseDn(); + } + else { + $filter .= '(!(distinguishedname=' . $this->adldap->getBaseDn() . ')))'; + } + + if ($recursive === true) { + $sr = ldap_search($this->adldap->getLdapConnection(), $searchOu, $filter, array('objectclass', 'distinguishedname', 'samaccountname')); + $entries = @ldap_get_entries($this->adldap->getLdapConnection(), $sr); + if (is_array($entries)) { + return $entries; + } + } + else { + $sr = ldap_list($this->adldap->getLdapConnection(), $searchOu, $filter, array('objectclass', 'distinguishedname', 'samaccountname')); + $entries = @ldap_get_entries($this->adldap->getLdapConnection(), $sr); + if (is_array($entries)) { + return $entries; + } + } + + return false; + } + + /** + * Create an organizational unit + * + * @param array $attributes Default attributes of the ou + * @return bool + */ + public function create($attributes) + { + if (!is_array($attributes)){ return "Attributes must be an array"; } + if (!is_array($attributes["container"])) { return "Container attribute must be an array."; } + if (!array_key_exists("ou_name",$attributes)) { return "Missing compulsory field [ou_name]"; } + if (!array_key_exists("container",$attributes)) { return "Missing compulsory field [container]"; } + + $attributes["container"] = array_reverse($attributes["container"]); + + $add=array(); + $add["objectClass"] = "organizationalUnit"; + $add["OU"] = $attributes['ou_name']; + $containers = ""; + if (count($attributes['container']) > 0) { + $containers = "OU=" . implode(",OU=", $attributes["container"]) . ","; + } + + $containers = "OU=" . implode(",OU=", $attributes["container"]); + $result = ldap_add($this->adldap->getLdapConnection(), "OU=" . $add["OU"] . ", " . $containers . $this->adldap->getBaseDn(), $add); + if ($result != true) { + return false; + } + + return true; + } + +} + +?>
\ No newline at end of file diff --git a/platform/www/lib/plugins/authad/adLDAP/classes/adLDAPGroups.php b/platform/www/lib/plugins/authad/adLDAP/classes/adLDAPGroups.php new file mode 100644 index 0000000..94bc048 --- /dev/null +++ b/platform/www/lib/plugins/authad/adLDAP/classes/adLDAPGroups.php @@ -0,0 +1,631 @@ +<?php +/** + * PHP LDAP CLASS FOR MANIPULATING ACTIVE DIRECTORY + * Version 4.0.4 + * + * PHP Version 5 with SSL and LDAP support + * + * Written by Scott Barnett, Richard Hyland + * email: scott@wiggumworld.com, adldap@richardhyland.com + * http://adldap.sourceforge.net/ + * + * Copyright (c) 2006-2012 Scott Barnett, Richard Hyland + * + * We'd appreciate any improvements or additions to be submitted back + * to benefit the entire community :) + * + * This library is free software; you can redistribute it and/or + * modify it under the terms of the GNU Lesser General Public + * License as published by the Free Software Foundation; either + * version 2.1 of the License. + * + * This library is distributed in the hope that it will be useful, + * but WITHOUT ANY WARRANTY; without even the implied warranty of + * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU + * Lesser General Public License for more details. + * + * @category ToolsAndUtilities + * @package adLDAP + * @subpackage Groups + * @author Scott Barnett, Richard Hyland + * @copyright (c) 2006-2012 Scott Barnett, Richard Hyland + * @license http://www.gnu.org/licenses/old-licenses/lgpl-2.1.html LGPLv2.1 + * @revision $Revision: 97 $ + * @version 4.0.4 + * @link http://adldap.sourceforge.net/ + */ +require_once(dirname(__FILE__) . '/../adLDAP.php'); +require_once(dirname(__FILE__) . '/../collections/adLDAPGroupCollection.php'); + +/** +* GROUP FUNCTIONS +*/ +class adLDAPGroups { + /** + * The current adLDAP connection via dependency injection + * + * @var adLDAP + */ + protected $adldap; + + public function __construct(adLDAP $adldap) { + $this->adldap = $adldap; + } + + /** + * Add a group to a group + * + * @param string $parent The parent group name + * @param string $child The child group name + * @return bool + */ + public function addGroup($parent,$child){ + + // Find the parent group's dn + $parentGroup = $this->ginfo($parent, array("cn")); + if ($parentGroup[0]["dn"] === NULL){ + return false; + } + $parentDn = $parentGroup[0]["dn"]; + + // Find the child group's dn + $childGroup = $this->info($child, array("cn")); + if ($childGroup[0]["dn"] === NULL){ + return false; + } + $childDn = $childGroup[0]["dn"]; + + $add = array(); + $add["member"] = $childDn; + + $result = @ldap_mod_add($this->adldap->getLdapConnection(), $parentDn, $add); + if ($result == false) { + return false; + } + return true; + } + + /** + * Add a user to a group + * + * @param string $group The group to add the user to + * @param string $user The user to add to the group + * @param bool $isGUID Is the username passed a GUID or a samAccountName + * @return bool + */ + public function addUser($group, $user, $isGUID = false) + { + // Adding a user is a bit fiddly, we need to get the full DN of the user + // and add it using the full DN of the group + + // Find the user's dn + $userDn = $this->adldap->user()->dn($user, $isGUID); + if ($userDn === false) { + return false; + } + + // Find the group's dn + $groupInfo = $this->info($group, array("cn")); + if ($groupInfo[0]["dn"] === NULL) { + return false; + } + $groupDn = $groupInfo[0]["dn"]; + + $add = array(); + $add["member"] = $userDn; + + $result = @ldap_mod_add($this->adldap->getLdapConnection(), $groupDn, $add); + if ($result == false) { + return false; + } + return true; + } + + /** + * Add a contact to a group + * + * @param string $group The group to add the contact to + * @param string $contactDn The DN of the contact to add + * @return bool + */ + public function addContact($group, $contactDn) + { + // To add a contact we take the contact's DN + // and add it using the full DN of the group + + // Find the group's dn + $groupInfo = $this->info($group, array("cn")); + if ($groupInfo[0]["dn"] === NULL) { + return false; + } + $groupDn = $groupInfo[0]["dn"]; + + $add = array(); + $add["member"] = $contactDn; + + $result = @ldap_mod_add($this->adldap->getLdapConnection(), $groupDn, $add); + if ($result == false) { + return false; + } + return true; + } + + /** + * Create a group + * + * @param array $attributes Default attributes of the group + * @return bool + */ + public function create($attributes) + { + if (!is_array($attributes)){ return "Attributes must be an array"; } + if (!array_key_exists("group_name", $attributes)){ return "Missing compulsory field [group_name]"; } + if (!array_key_exists("container", $attributes)){ return "Missing compulsory field [container]"; } + if (!array_key_exists("description", $attributes)){ return "Missing compulsory field [description]"; } + if (!is_array($attributes["container"])){ return "Container attribute must be an array."; } + $attributes["container"] = array_reverse($attributes["container"]); + + //$member_array = array(); + //$member_array[0] = "cn=user1,cn=Users,dc=yourdomain,dc=com"; + //$member_array[1] = "cn=administrator,cn=Users,dc=yourdomain,dc=com"; + + $add = array(); + $add["cn"] = $attributes["group_name"]; + $add["samaccountname"] = $attributes["group_name"]; + $add["objectClass"] = "Group"; + $add["description"] = $attributes["description"]; + //$add["member"] = $member_array; UNTESTED + + $container = "OU=" . implode(",OU=", $attributes["container"]); + $result = ldap_add($this->adldap->getLdapConnection(), "CN=" . $add["cn"] . ", " . $container . "," . $this->adldap->getBaseDn(), $add); + if ($result != true) { + return false; + } + return true; + } + + /** + * Delete a group account + * + * @param string $group The group to delete (please be careful here!) + * + * @return array + */ + public function delete($group) { + if (!$this->adldap->getLdapBind()){ return false; } + if ($group === null){ return "Missing compulsory field [group]"; } + + $groupInfo = $this->info($group, array("*")); + $dn = $groupInfo[0]['distinguishedname'][0]; + $result = $this->adldap->folder()->delete($dn); + if ($result !== true) { + return false; + } return true; + } + + /** + * Remove a group from a group + * + * @param string $parent The parent group name + * @param string $child The child group name + * @return bool + */ + public function removeGroup($parent , $child) + { + + // Find the parent dn + $parentGroup = $this->info($parent, array("cn")); + if ($parentGroup[0]["dn"] === NULL) { + return false; + } + $parentDn = $parentGroup[0]["dn"]; + + // Find the child dn + $childGroup = $this->info($child, array("cn")); + if ($childGroup[0]["dn"] === NULL) { + return false; + } + $childDn = $childGroup[0]["dn"]; + + $del = array(); + $del["member"] = $childDn; + + $result = @ldap_mod_del($this->adldap->getLdapConnection(), $parentDn, $del); + if ($result == false) { + return false; + } + return true; + } + + /** + * Remove a user from a group + * + * @param string $group The group to remove a user from + * @param string $user The AD user to remove from the group + * @param bool $isGUID Is the username passed a GUID or a samAccountName + * @return bool + */ + public function removeUser($group, $user, $isGUID = false) + { + + // Find the parent dn + $groupInfo = $this->info($group, array("cn")); + if ($groupInfo[0]["dn"] === NULL){ + return false; + } + $groupDn = $groupInfo[0]["dn"]; + + // Find the users dn + $userDn = $this->adldap->user()->dn($user, $isGUID); + if ($userDn === false) { + return false; + } + + $del = array(); + $del["member"] = $userDn; + + $result = @ldap_mod_del($this->adldap->getLdapConnection(), $groupDn, $del); + if ($result == false) { + return false; + } + return true; + } + + /** + * Remove a contact from a group + * + * @param string $group The group to remove a user from + * @param string $contactDn The DN of a contact to remove from the group + * @return bool + */ + public function removeContact($group, $contactDn) + { + + // Find the parent dn + $groupInfo = $this->info($group, array("cn")); + if ($groupInfo[0]["dn"] === NULL) { + return false; + } + $groupDn = $groupInfo[0]["dn"]; + + $del = array(); + $del["member"] = $contactDn; + + $result = @ldap_mod_del($this->adldap->getLdapConnection(), $groupDn, $del); + if ($result == false) { + return false; + } + return true; + } + + /** + * Return a list of groups in a group + * + * @param string $group The group to query + * @param bool $recursive Recursively get groups + * @return array + */ + public function inGroup($group, $recursive = NULL) + { + if (!$this->adldap->getLdapBind()){ return false; } + if ($recursive === NULL){ $recursive = $this->adldap->getRecursiveGroups(); } // Use the default option if they haven't set it + + // Search the directory for the members of a group + $info = $this->info($group, array("member","cn")); + $groups = $info[0]["member"]; + if (!is_array($groups)) { + return false; + } + + $groupArray = array(); + + for ($i=0; $i<$groups["count"]; $i++){ + $filter = "(&(objectCategory=group)(distinguishedName=" . $this->adldap->utilities()->ldapSlashes($groups[$i]) . "))"; + $fields = array("samaccountname", "distinguishedname", "objectClass"); + $sr = ldap_search($this->adldap->getLdapConnection(), $this->adldap->getBaseDn(), $filter, $fields); + $entries = ldap_get_entries($this->adldap->getLdapConnection(), $sr); + + // not a person, look for a group + if ($entries['count'] == 0 && $recursive == true) { + $filter = "(&(objectCategory=group)(distinguishedName=" . $this->adldap->utilities()->ldapSlashes($groups[$i]) . "))"; + $fields = array("distinguishedname"); + $sr = ldap_search($this->adldap->getLdapConnection(), $this->adldap->getBaseDn(), $filter, $fields); + $entries = ldap_get_entries($this->adldap->getLdapConnection(), $sr); + if (!isset($entries[0]['distinguishedname'][0])) { + continue; + } + $subGroups = $this->inGroup($entries[0]['distinguishedname'][0], $recursive); + if (is_array($subGroups)) { + $groupArray = array_merge($groupArray, $subGroups); + $groupArray = array_unique($groupArray); + } + continue; + } + + $groupArray[] = $entries[0]['distinguishedname'][0]; + } + return $groupArray; + } + + /** + * Return a list of members in a group + * + * @param string $group The group to query + * @param bool $recursive Recursively get group members + * @return array + */ + public function members($group, $recursive = NULL) + { + if (!$this->adldap->getLdapBind()){ return false; } + if ($recursive === NULL){ $recursive = $this->adldap->getRecursiveGroups(); } // Use the default option if they haven't set it + // Search the directory for the members of a group + $info = $this->info($group, array("member","cn")); + $users = $info[0]["member"]; + if (!is_array($users)) { + return false; + } + + $userArray = array(); + + for ($i=0; $i<$users["count"]; $i++){ + $filter = "(&(objectCategory=person)(distinguishedName=" . $this->adldap->utilities()->ldapSlashes($users[$i]) . "))"; + $fields = array("samaccountname", "distinguishedname", "objectClass"); + $sr = ldap_search($this->adldap->getLdapConnection(), $this->adldap->getBaseDn(), $filter, $fields); + $entries = ldap_get_entries($this->adldap->getLdapConnection(), $sr); + + // not a person, look for a group + if ($entries['count'] == 0 && $recursive == true) { + $filter = "(&(objectCategory=group)(distinguishedName=" . $this->adldap->utilities()->ldapSlashes($users[$i]) . "))"; + $fields = array("samaccountname"); + $sr = ldap_search($this->adldap->getLdapConnection(), $this->adldap->getBaseDn(), $filter, $fields); + $entries = ldap_get_entries($this->adldap->getLdapConnection(), $sr); + if (!isset($entries[0]['samaccountname'][0])) { + continue; + } + $subUsers = $this->members($entries[0]['samaccountname'][0], $recursive); + if (is_array($subUsers)) { + $userArray = array_merge($userArray, $subUsers); + $userArray = array_unique($userArray); + } + continue; + } + else if ($entries['count'] == 0) { + continue; + } + + if ((!isset($entries[0]['samaccountname'][0]) || $entries[0]['samaccountname'][0] === NULL) && $entries[0]['distinguishedname'][0] !== NULL) { + $userArray[] = $entries[0]['distinguishedname'][0]; + } + else if ($entries[0]['samaccountname'][0] !== NULL) { + $userArray[] = $entries[0]['samaccountname'][0]; + } + } + return $userArray; + } + + /** + * Group Information. Returns an array of raw information about a group. + * The group name is case sensitive + * + * @param string $groupName The group name to retrieve info about + * @param array $fields Fields to retrieve + * @return array + */ + public function info($groupName, $fields = NULL) + { + if ($groupName === NULL) { return false; } + if (!$this->adldap->getLdapBind()) { return false; } + + if (stristr($groupName, '+')) { + $groupName = stripslashes($groupName); + } + + $filter = "(&(objectCategory=group)(name=" . $this->adldap->utilities()->ldapSlashes($groupName) . "))"; + if ($fields === NULL) { + $fields = array("member","memberof","cn","description","distinguishedname","objectcategory","samaccountname"); + } + $sr = ldap_search($this->adldap->getLdapConnection(), $this->adldap->getBaseDn(), $filter, $fields); + $entries = ldap_get_entries($this->adldap->getLdapConnection(), $sr); + + return $entries; + } + + /** + * Group Information. Returns an collection + * The group name is case sensitive + * + * @param string $groupName The group name to retrieve info about + * @param array $fields Fields to retrieve + * @return adLDAPGroupCollection + */ + public function infoCollection($groupName, $fields = NULL) + { + if ($groupName === NULL) { return false; } + if (!$this->adldap->getLdapBind()) { return false; } + + $info = $this->info($groupName, $fields); + if ($info !== false) { + $collection = new adLDAPGroupCollection($info, $this->adldap); + return $collection; + } + return false; + } + + /** + * Return a complete list of "groups in groups" + * + * @param string $group The group to get the list from + * @return array + */ + public function recursiveGroups($group) + { + if ($group === NULL) { return false; } + + $stack = array(); + $processed = array(); + $retGroups = array(); + + array_push($stack, $group); // Initial Group to Start with + while (count($stack) > 0) { + $parent = array_pop($stack); + array_push($processed, $parent); + + $info = $this->info($parent, array("memberof")); + + if (isset($info[0]["memberof"]) && is_array($info[0]["memberof"])) { + $groups = $info[0]["memberof"]; + if ($groups) { + $groupNames = $this->adldap->utilities()->niceNames($groups); + $retGroups = array_merge($retGroups, $groupNames); //final groups to return + foreach ($groupNames as $id => $groupName) { + if (!in_array($groupName, $processed)) { + array_push($stack, $groupName); + } + } + } + } + } + + return $retGroups; + } + + /** + * Returns a complete list of the groups in AD based on a SAM Account Type + * + * @param string $sAMAaccountType The account type to return + * @param bool $includeDescription Whether to return a description + * @param string $search Search parameters + * @param bool $sorted Whether to sort the results + * @return array + */ + public function search($sAMAaccountType = adLDAP::ADLDAP_SECURITY_GLOBAL_GROUP, $includeDescription = false, $search = "*", $sorted = true) { + if (!$this->adldap->getLdapBind()) { return false; } + + $filter = '(&(objectCategory=group)'; + if ($sAMAaccountType !== null) { + $filter .= '(samaccounttype='. $sAMAaccountType .')'; + } + $filter .= '(cn=' . $search . '))'; + // Perform the search and grab all their details + $fields = array("samaccountname", "description"); + $sr = ldap_search($this->adldap->getLdapConnection(), $this->adldap->getBaseDn(), $filter, $fields); + $entries = ldap_get_entries($this->adldap->getLdapConnection(), $sr); + + $groupsArray = array(); + for ($i=0; $i<$entries["count"]; $i++){ + if ($includeDescription && strlen($entries[$i]["description"][0]) > 0 ) { + $groupsArray[$entries[$i]["samaccountname"][0]] = $entries[$i]["description"][0]; + } + else if ($includeDescription){ + $groupsArray[$entries[$i]["samaccountname"][0]] = $entries[$i]["samaccountname"][0]; + } + else { + array_push($groupsArray, $entries[$i]["samaccountname"][0]); + } + } + if ($sorted) { + asort($groupsArray); + } + return $groupsArray; + } + + /** + * Returns a complete list of all groups in AD + * + * @param bool $includeDescription Whether to return a description + * @param string $search Search parameters + * @param bool $sorted Whether to sort the results + * @return array + */ + public function all($includeDescription = false, $search = "*", $sorted = true){ + $groupsArray = $this->search(null, $includeDescription, $search, $sorted); + return $groupsArray; + } + + /** + * Returns a complete list of security groups in AD + * + * @param bool $includeDescription Whether to return a description + * @param string $search Search parameters + * @param bool $sorted Whether to sort the results + * @return array + */ + public function allSecurity($includeDescription = false, $search = "*", $sorted = true){ + $groupsArray = $this->search(adLDAP::ADLDAP_SECURITY_GLOBAL_GROUP, $includeDescription, $search, $sorted); + return $groupsArray; + } + + /** + * Returns a complete list of distribution lists in AD + * + * @param bool $includeDescription Whether to return a description + * @param string $search Search parameters + * @param bool $sorted Whether to sort the results + * @return array + */ + public function allDistribution($includeDescription = false, $search = "*", $sorted = true){ + $groupsArray = $this->search(adLDAP::ADLDAP_DISTRIBUTION_GROUP, $includeDescription, $search, $sorted); + return $groupsArray; + } + + /** + * Coping with AD not returning the primary group + * http://support.microsoft.com/?kbid=321360 + * + * This is a re-write based on code submitted by Bruce which prevents the + * need to search each security group to find the true primary group + * + * @param string $gid Group ID + * @param string $usersid User's Object SID + * @return mixed + */ + public function getPrimaryGroup($gid, $usersid) + { + if ($gid === NULL || $usersid === NULL) { return false; } + $sr = false; + + $gsid = substr_replace($usersid, pack('V',$gid), strlen($usersid)-4,4); + $filter = '(objectsid=' . $this->adldap->utilities()->getTextSID($gsid).')'; + $fields = array("samaccountname","distinguishedname"); + $sr = ldap_search($this->adldap->getLdapConnection(), $this->adldap->getBaseDn(), $filter, $fields); + $entries = ldap_get_entries($this->adldap->getLdapConnection(), $sr); + + if (isset($entries[0]['distinguishedname'][0])) { + return $entries[0]['distinguishedname'][0]; + } + return false; + } + + /** + * Coping with AD not returning the primary group + * http://support.microsoft.com/?kbid=321360 + * + * For some reason it's not possible to search on primarygrouptoken=XXX + * If someone can show otherwise, I'd like to know about it :) + * this way is resource intensive and generally a pain in the @#%^ + * + * @deprecated deprecated since version 3.1, see get get_primary_group + * @param string $gid Group ID + * @return string + */ + public function cn($gid){ + if ($gid === NULL) { return false; } + $sr = false; + $r = ''; + + $filter = "(&(objectCategory=group)(samaccounttype=" . adLDAP::ADLDAP_SECURITY_GLOBAL_GROUP . "))"; + $fields = array("primarygrouptoken", "samaccountname", "distinguishedname"); + $sr = ldap_search($this->adldap->getLdapConnection(), $this->adldap->getBaseDn(), $filter, $fields); + $entries = ldap_get_entries($this->adldap->getLdapConnection(), $sr); + + for ($i=0; $i<$entries["count"]; $i++){ + if ($entries[$i]["primarygrouptoken"][0] == $gid) { + $r = $entries[$i]["distinguishedname"][0]; + $i = $entries["count"]; + } + } + + return $r; + } +} +?> diff --git a/platform/www/lib/plugins/authad/adLDAP/classes/adLDAPUsers.php b/platform/www/lib/plugins/authad/adLDAP/classes/adLDAPUsers.php new file mode 100644 index 0000000..dc3ebd7 --- /dev/null +++ b/platform/www/lib/plugins/authad/adLDAP/classes/adLDAPUsers.php @@ -0,0 +1,682 @@ +<?php +/** + * PHP LDAP CLASS FOR MANIPULATING ACTIVE DIRECTORY + * Version 4.0.4 + * + * PHP Version 5 with SSL and LDAP support + * + * Written by Scott Barnett, Richard Hyland + * email: scott@wiggumworld.com, adldap@richardhyland.com + * http://adldap.sourceforge.net/ + * + * Copyright (c) 2006-2012 Scott Barnett, Richard Hyland + * + * We'd appreciate any improvements or additions to be submitted back + * to benefit the entire community :) + * + * This library is free software; you can redistribute it and/or + * modify it under the terms of the GNU Lesser General Public + * License as published by the Free Software Foundation; either + * version 2.1 of the License. + * + * This library is distributed in the hope that it will be useful, + * but WITHOUT ANY WARRANTY; without even the implied warranty of + * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU + * Lesser General Public License for more details. + * + * @category ToolsAndUtilities + * @package adLDAP + * @subpackage User + * @author Scott Barnett, Richard Hyland + * @copyright (c) 2006-2012 Scott Barnett, Richard Hyland + * @license http://www.gnu.org/licenses/old-licenses/lgpl-2.1.html LGPLv2.1 + * @revision $Revision: 97 $ + * @version 4.0.4 + * @link http://adldap.sourceforge.net/ + */ +require_once(dirname(__FILE__) . '/../adLDAP.php'); +require_once(dirname(__FILE__) . '/../collections/adLDAPUserCollection.php'); + +/** +* USER FUNCTIONS +*/ +class adLDAPUsers { + /** + * The current adLDAP connection via dependency injection + * + * @var adLDAP + */ + protected $adldap; + + public function __construct(adLDAP $adldap) { + $this->adldap = $adldap; + } + + /** + * Validate a user's login credentials + * + * @param string $username A user's AD username + * @param string $password A user's AD password + * @param bool optional $prevent_rebind + * @return bool + */ + public function authenticate($username, $password, $preventRebind = false) { + return $this->adldap->authenticate($username, $password, $preventRebind); + } + + /** + * Create a user + * + * If you specify a password here, this can only be performed over SSL + * + * @param array $attributes The attributes to set to the user account + * @return bool + */ + public function create($attributes) + { + // Check for compulsory fields + if (!array_key_exists("username", $attributes)){ return "Missing compulsory field [username]"; } + if (!array_key_exists("firstname", $attributes)){ return "Missing compulsory field [firstname]"; } + if (!array_key_exists("surname", $attributes)){ return "Missing compulsory field [surname]"; } + if (!array_key_exists("email", $attributes)){ return "Missing compulsory field [email]"; } + if (!array_key_exists("container", $attributes)){ return "Missing compulsory field [container]"; } + if (!is_array($attributes["container"])){ return "Container attribute must be an array."; } + + if (array_key_exists("password",$attributes) && (!$this->adldap->getUseSSL() && !$this->adldap->getUseTLS())){ + throw new adLDAPException('SSL must be configured on your webserver and enabled in the class to set passwords.'); + } + + if (!array_key_exists("display_name", $attributes)) { + $attributes["display_name"] = $attributes["firstname"] . " " . $attributes["surname"]; + } + + // Translate the schema + $add = $this->adldap->adldap_schema($attributes); + + // Additional stuff only used for adding accounts + $add["cn"][0] = $attributes["display_name"]; + $add["samaccountname"][0] = $attributes["username"]; + $add["objectclass"][0] = "top"; + $add["objectclass"][1] = "person"; + $add["objectclass"][2] = "organizationalPerson"; + $add["objectclass"][3] = "user"; //person? + //$add["name"][0]=$attributes["firstname"]." ".$attributes["surname"]; + + // Set the account control attribute + $control_options = array("NORMAL_ACCOUNT"); + if (!$attributes["enabled"]) { + $control_options[] = "ACCOUNTDISABLE"; + } + $add["userAccountControl"][0] = $this->accountControl($control_options); + + // Determine the container + $attributes["container"] = array_reverse($attributes["container"]); + $container = "OU=" . implode(", OU=",$attributes["container"]); + + // Add the entry + $result = @ldap_add($this->adldap->getLdapConnection(), "CN=" . $add["cn"][0] . ", " . $container . "," . $this->adldap->getBaseDn(), $add); + if ($result != true) { + return false; + } + + return true; + } + + /** + * Account control options + * + * @param array $options The options to convert to int + * @return int + */ + protected function accountControl($options) + { + $val=0; + + if (is_array($options)) { + if (in_array("SCRIPT",$options)){ $val=$val+1; } + if (in_array("ACCOUNTDISABLE",$options)){ $val=$val+2; } + if (in_array("HOMEDIR_REQUIRED",$options)){ $val=$val+8; } + if (in_array("LOCKOUT",$options)){ $val=$val+16; } + if (in_array("PASSWD_NOTREQD",$options)){ $val=$val+32; } + //PASSWD_CANT_CHANGE Note You cannot assign this permission by directly modifying the UserAccountControl attribute. + //For information about how to set the permission programmatically, see the "Property flag descriptions" section. + if (in_array("ENCRYPTED_TEXT_PWD_ALLOWED",$options)){ $val=$val+128; } + if (in_array("TEMP_DUPLICATE_ACCOUNT",$options)){ $val=$val+256; } + if (in_array("NORMAL_ACCOUNT",$options)){ $val=$val+512; } + if (in_array("INTERDOMAIN_TRUST_ACCOUNT",$options)){ $val=$val+2048; } + if (in_array("WORKSTATION_TRUST_ACCOUNT",$options)){ $val=$val+4096; } + if (in_array("SERVER_TRUST_ACCOUNT",$options)){ $val=$val+8192; } + if (in_array("DONT_EXPIRE_PASSWORD",$options)){ $val=$val+65536; } + if (in_array("MNS_LOGON_ACCOUNT",$options)){ $val=$val+131072; } + if (in_array("SMARTCARD_REQUIRED",$options)){ $val=$val+262144; } + if (in_array("TRUSTED_FOR_DELEGATION",$options)){ $val=$val+524288; } + if (in_array("NOT_DELEGATED",$options)){ $val=$val+1048576; } + if (in_array("USE_DES_KEY_ONLY",$options)){ $val=$val+2097152; } + if (in_array("DONT_REQ_PREAUTH",$options)){ $val=$val+4194304; } + if (in_array("PASSWORD_EXPIRED",$options)){ $val=$val+8388608; } + if (in_array("TRUSTED_TO_AUTH_FOR_DELEGATION",$options)){ $val=$val+16777216; } + } + return $val; + } + + /** + * Delete a user account + * + * @param string $username The username to delete (please be careful here!) + * @param bool $isGUID Is the username a GUID or a samAccountName + * @return array + */ + public function delete($username, $isGUID = false) + { + $userinfo = $this->info($username, array("*"), $isGUID); + $dn = $userinfo[0]['distinguishedname'][0]; + $result = $this->adldap->folder()->delete($dn); + if ($result != true) { + return false; + } + return true; + } + + /** + * Groups the user is a member of + * + * @param string $username The username to query + * @param bool $recursive Recursive list of groups + * @param bool $isGUID Is the username passed a GUID or a samAccountName + * @return array + */ + public function groups($username, $recursive = NULL, $isGUID = false) + { + if ($username === NULL) { return false; } + if ($recursive === NULL) { $recursive = $this->adldap->getRecursiveGroups(); } // Use the default option if they haven't set it + if (!$this->adldap->getLdapBind()) { return false; } + + // Search the directory for their information + $info = @$this->info($username, array("memberof", "primarygroupid"), $isGUID); + $groups = $this->adldap->utilities()->niceNames($info[0]["memberof"]); // Presuming the entry returned is our guy (unique usernames) + + if ($recursive === true){ + foreach ($groups as $id => $groupName){ + $extraGroups = $this->adldap->group()->recursiveGroups($groupName); + $groups = array_merge($groups, $extraGroups); + } + } + + return $groups; + } + + /** + * Find information about the users. Returned in a raw array format from AD + * + * @param string $username The username to query + * @param array $fields Array of parameters to query + * @param bool $isGUID Is the username passed a GUID or a samAccountName + * @return array + */ + public function info($username, $fields = NULL, $isGUID = false) + { + if ($username === NULL) { return false; } + if (!$this->adldap->getLdapBind()) { return false; } + + if ($isGUID === true) { + $username = $this->adldap->utilities()->strGuidToHex($username); + $filter = "objectguid=" . $username; + } + else if (strstr($username, "@")) { + $filter = "userPrincipalName=" . $username; + } + else { + $filter = "samaccountname=" . $username; + } + $filter = "(&(objectCategory=person)({$filter}))"; + if ($fields === NULL) { + $fields = array("samaccountname","mail","memberof","department","displayname","telephonenumber","primarygroupid","objectsid"); + } + if (!in_array("objectsid", $fields)) { + $fields[] = "objectsid"; + } + $sr = ldap_search($this->adldap->getLdapConnection(), $this->adldap->getBaseDn(), $filter, $fields); + $entries = ldap_get_entries($this->adldap->getLdapConnection(), $sr); + + if (isset($entries[0])) { + if ($entries[0]['count'] >= 1) { + if (in_array("memberof", $fields)) { + // AD does not return the primary group in the ldap query, we may need to fudge it + if ($this->adldap->getRealPrimaryGroup() && isset($entries[0]["primarygroupid"][0]) && isset($entries[0]["objectsid"][0])){ + //$entries[0]["memberof"][]=$this->group_cn($entries[0]["primarygroupid"][0]); + $entries[0]["memberof"][] = $this->adldap->group()->getPrimaryGroup($entries[0]["primarygroupid"][0], $entries[0]["objectsid"][0]); + } else { + $entries[0]["memberof"][] = "CN=Domain Users,CN=Users," . $this->adldap->getBaseDn(); + } + if (!isset($entries[0]["memberof"]["count"])) { + $entries[0]["memberof"]["count"] = 0; + } + $entries[0]["memberof"]["count"]++; + } + } + + return $entries; + } + return false; + } + + /** + * Find information about the users. Returned in a raw array format from AD + * + * @param string $username The username to query + * @param array $fields Array of parameters to query + * @param bool $isGUID Is the username passed a GUID or a samAccountName + * @return mixed + */ + public function infoCollection($username, $fields = NULL, $isGUID = false) + { + if ($username === NULL) { return false; } + if (!$this->adldap->getLdapBind()) { return false; } + + $info = $this->info($username, $fields, $isGUID); + + if ($info !== false) { + $collection = new adLDAPUserCollection($info, $this->adldap); + return $collection; + } + return false; + } + + /** + * Determine if a user is in a specific group + * + * @param string $username The username to query + * @param string $group The name of the group to check against + * @param bool $recursive Check groups recursively + * @param bool $isGUID Is the username passed a GUID or a samAccountName + * @return bool + */ + public function inGroup($username, $group, $recursive = NULL, $isGUID = false) + { + if ($username === NULL) { return false; } + if ($group === NULL) { return false; } + if (!$this->adldap->getLdapBind()) { return false; } + if ($recursive === NULL) { $recursive = $this->adldap->getRecursiveGroups(); } // Use the default option if they haven't set it + + // Get a list of the groups + $groups = $this->groups($username, $recursive, $isGUID); + + // Return true if the specified group is in the group list + if (in_array($group, $groups)) { + return true; + } + + return false; + } + + /** + * Determine a user's password expiry date + * + * @param string $username The username to query + * @param book $isGUID Is the username passed a GUID or a samAccountName + * @requires bcmath http://php.net/manual/en/book.bc.php + * @return array + */ + public function passwordExpiry($username, $isGUID = false) + { + if ($username === NULL) { return "Missing compulsory field [username]"; } + if (!$this->adldap->getLdapBind()) { return false; } + if (!function_exists('bcmod')) { throw new adLDAPException("Missing function support [bcmod] http://php.net/manual/en/book.bc.php"); }; + + $userInfo = $this->info($username, array("pwdlastset", "useraccountcontrol"), $isGUID); + $pwdLastSet = $userInfo[0]['pwdlastset'][0]; + $status = array(); + + if ($userInfo[0]['useraccountcontrol'][0] == '66048') { + // Password does not expire + return "Does not expire"; + } + if ($pwdLastSet === '0') { + // Password has already expired + return "Password has expired"; + } + + // Password expiry in AD can be calculated from TWO values: + // - User's own pwdLastSet attribute: stores the last time the password was changed + // - Domain's maxPwdAge attribute: how long passwords last in the domain + // + // Although Microsoft chose to use a different base and unit for time measurements. + // This function will convert them to Unix timestamps + $sr = ldap_read($this->adldap->getLdapConnection(), $this->adldap->getBaseDn(), 'objectclass=*', array('maxPwdAge')); + if (!$sr) { + return false; + } + $info = ldap_get_entries($this->adldap->getLdapConnection(), $sr); + $maxPwdAge = $info[0]['maxpwdage'][0]; + + + // See MSDN: http://msdn.microsoft.com/en-us/library/ms974598.aspx + // + // pwdLastSet contains the number of 100 nanosecond intervals since January 1, 1601 (UTC), + // stored in a 64 bit integer. + // + // The number of seconds between this date and Unix epoch is 11644473600. + // + // maxPwdAge is stored as a large integer that represents the number of 100 nanosecond + // intervals from the time the password was set before the password expires. + // + // We also need to scale this to seconds but also this value is a _negative_ quantity! + // + // If the low 32 bits of maxPwdAge are equal to 0 passwords do not expire + // + // Unfortunately the maths involved are too big for PHP integers, so I've had to require + // BCMath functions to work with arbitrary precision numbers. + if (bcmod($maxPwdAge, 4294967296) === '0') { + return "Domain does not expire passwords"; + } + + // Add maxpwdage and pwdlastset and we get password expiration time in Microsoft's + // time units. Because maxpwd age is negative we need to subtract it. + $pwdExpire = bcsub($pwdLastSet, $maxPwdAge); + + // Convert MS's time to Unix time + $status['expiryts'] = bcsub(bcdiv($pwdExpire, '10000000'), '11644473600'); + $status['expiryformat'] = date('Y-m-d H:i:s', bcsub(bcdiv($pwdExpire, '10000000'), '11644473600')); + + return $status; + } + + /** + * Modify a user + * + * @param string $username The username to query + * @param array $attributes The attributes to modify. Note if you set the enabled attribute you must not specify any other attributes + * @param bool $isGUID Is the username passed a GUID or a samAccountName + * @return bool + */ + public function modify($username, $attributes, $isGUID = false) + { + if ($username === NULL) { return "Missing compulsory field [username]"; } + if (array_key_exists("password", $attributes) && !$this->adldap->getUseSSL() && !$this->adldap->getUseTLS()) { + throw new adLDAPException('SSL/TLS must be configured on your webserver and enabled in the class to set passwords.'); + } + + // Find the dn of the user + $userDn = $this->dn($username, $isGUID); + if ($userDn === false) { + return false; + } + + // Translate the update to the LDAP schema + $mod = $this->adldap->adldap_schema($attributes); + + // Check to see if this is an enabled status update + if (!$mod && !array_key_exists("enabled", $attributes)){ + return false; + } + + // Set the account control attribute (only if specified) + if (array_key_exists("enabled", $attributes)){ + if ($attributes["enabled"]){ + $controlOptions = array("NORMAL_ACCOUNT"); + } + else { + $controlOptions = array("NORMAL_ACCOUNT", "ACCOUNTDISABLE"); + } + $mod["userAccountControl"][0] = $this->accountControl($controlOptions); + } + + // Do the update + $result = @ldap_modify($this->adldap->getLdapConnection(), $userDn, $mod); + if ($result == false) { + return false; + } + + return true; + } + + /** + * Disable a user account + * + * @param string $username The username to disable + * @param bool $isGUID Is the username passed a GUID or a samAccountName + * @return bool + */ + public function disable($username, $isGUID = false) + { + if ($username === NULL) { return "Missing compulsory field [username]"; } + $attributes = array("enabled" => 0); + $result = $this->modify($username, $attributes, $isGUID); + if ($result == false) { return false; } + + return true; + } + + /** + * Enable a user account + * + * @param string $username The username to enable + * @param bool $isGUID Is the username passed a GUID or a samAccountName + * @return bool + */ + public function enable($username, $isGUID = false) + { + if ($username === NULL) { return "Missing compulsory field [username]"; } + $attributes = array("enabled" => 1); + $result = $this->modify($username, $attributes, $isGUID); + if ($result == false) { return false; } + + return true; + } + + /** + * Set the password of a user - This must be performed over SSL + * + * @param string $username The username to modify + * @param string $password The new password + * @param bool $isGUID Is the username passed a GUID or a samAccountName + * @return bool + */ + public function password($username, $password, $isGUID = false) + { + if ($username === NULL) { return false; } + if ($password === NULL) { return false; } + if (!$this->adldap->getLdapBind()) { return false; } + if (!$this->adldap->getUseSSL() && !$this->adldap->getUseTLS()) { + throw new adLDAPException('SSL must be configured on your webserver and enabled in the class to set passwords.'); + } + + $userDn = $this->dn($username, $isGUID); + if ($userDn === false) { + return false; + } + + $add=array(); + $add["unicodePwd"][0] = $this->encodePassword($password); + + $result = @ldap_mod_replace($this->adldap->getLdapConnection(), $userDn, $add); + if ($result === false){ + $err = ldap_errno($this->adldap->getLdapConnection()); + if ($err) { + $msg = 'Error ' . $err . ': ' . ldap_err2str($err) . '.'; + if($err == 53) { + $msg .= ' Your password might not match the password policy.'; + } + throw new adLDAPException($msg); + } + else { + return false; + } + } + + return true; + } + + /** + * Encode a password for transmission over LDAP + * + * @param string $password The password to encode + * @return string + */ + public function encodePassword($password) + { + $password="\"".$password."\""; + $encoded=""; + for ($i=0; $i <strlen($password); $i++){ $encoded.="{$password{$i}}\000"; } + return $encoded; + } + + /** + * Obtain the user's distinguished name based on their userid + * + * + * @param string $username The username + * @param bool $isGUID Is the username passed a GUID or a samAccountName + * @return string + */ + public function dn($username, $isGUID=false) + { + $user = $this->info($username, array("cn"), $isGUID); + if ($user[0]["dn"] === NULL) { + return false; + } + $userDn = $user[0]["dn"]; + return $userDn; + } + + /** + * Return a list of all users in AD + * + * @param bool $includeDescription Return a description of the user + * @param string $search Search parameter + * @param bool $sorted Sort the user accounts + * @return array + */ + public function all($includeDescription = false, $search = "*", $sorted = true) + { + if (!$this->adldap->getLdapBind()) { return false; } + + // Perform the search and grab all their details + $filter = "(&(objectClass=user)(samaccounttype=" . adLDAP::ADLDAP_NORMAL_ACCOUNT .")(objectCategory=person)(cn=" . $search . "))"; + $fields = array("samaccountname","displayname"); + $sr = ldap_search($this->adldap->getLdapConnection(), $this->adldap->getBaseDn(), $filter, $fields); + $entries = ldap_get_entries($this->adldap->getLdapConnection(), $sr); + + $usersArray = array(); + for ($i=0; $i<$entries["count"]; $i++){ + if ($includeDescription && strlen($entries[$i]["displayname"][0])>0){ + $usersArray[$entries[$i]["samaccountname"][0]] = $entries[$i]["displayname"][0]; + } elseif ($includeDescription){ + $usersArray[$entries[$i]["samaccountname"][0]] = $entries[$i]["samaccountname"][0]; + } else { + array_push($usersArray, $entries[$i]["samaccountname"][0]); + } + } + if ($sorted) { + asort($usersArray); + } + return $usersArray; + } + + /** + * Converts a username (samAccountName) to a GUID + * + * @param string $username The username to query + * @return string + */ + public function usernameToGuid($username) + { + if (!$this->adldap->getLdapBind()){ return false; } + if ($username === null){ return "Missing compulsory field [username]"; } + + $filter = "samaccountname=" . $username; + $fields = array("objectGUID"); + $sr = @ldap_search($this->adldap->getLdapConnection(), $this->adldap->getBaseDn(), $filter, $fields); + if (ldap_count_entries($this->adldap->getLdapConnection(), $sr) > 0) { + $entry = @ldap_first_entry($this->adldap->getLdapConnection(), $sr); + $guid = @ldap_get_values_len($this->adldap->getLdapConnection(), $entry, 'objectGUID'); + $strGUID = $this->adldap->utilities()->binaryToText($guid[0]); + return $strGUID; + } + return false; + } + + /** + * Return a list of all users in AD that have a specific value in a field + * + * @param bool $includeDescription Return a description of the user + * @param string $searchField Field to search search for + * @param string $searchFilter Value to search for in the specified field + * @param bool $sorted Sort the user accounts + * @return array + */ + public function find($includeDescription = false, $searchField = false, $searchFilter = false, $sorted = true){ + if (!$this->adldap->getLdapBind()){ return false; } + + // Perform the search and grab all their details + $searchParams = ""; + if ($searchField) { + $searchParams = "(" . $searchField . "=" . $searchFilter . ")"; + } + $filter = "(&(objectClass=user)(samaccounttype=" . adLDAP::ADLDAP_NORMAL_ACCOUNT .")(objectCategory=person)" . $searchParams . ")"; + $fields = array("samaccountname","displayname"); + $sr = ldap_search($this->adldap->getLdapConnection(), $this->adldap->getBaseDn(), $filter, $fields); + $entries = ldap_get_entries($this->adldap->getLdapConnection(), $sr); + + $usersArray = array(); + for ($i=0; $i < $entries["count"]; $i++) { + if ($includeDescription && strlen($entries[$i]["displayname"][0]) > 0) { + $usersArray[$entries[$i]["samaccountname"][0]] = $entries[$i]["displayname"][0]; + } + else if ($includeDescription) { + $usersArray[$entries[$i]["samaccountname"][0]] = $entries[$i]["samaccountname"][0]; + } + else { + array_push($usersArray, $entries[$i]["samaccountname"][0]); + } + } + if ($sorted){ + asort($usersArray); + } + return ($usersArray); + } + + /** + * Move a user account to a different OU + * + * @param string $username The username to move (please be careful here!) + * @param array $container The container or containers to move the user to (please be careful here!). + * accepts containers in 1. parent 2. child order + * @return array + */ + public function move($username, $container) + { + if (!$this->adldap->getLdapBind()) { return false; } + if ($username === null) { return "Missing compulsory field [username]"; } + if ($container === null) { return "Missing compulsory field [container]"; } + if (!is_array($container)) { return "Container must be an array"; } + + $userInfo = $this->info($username, array("*")); + $dn = $userInfo[0]['distinguishedname'][0]; + $newRDn = "cn=" . $username; + $container = array_reverse($container); + $newContainer = "ou=" . implode(",ou=",$container); + $newBaseDn = strtolower($newContainer) . "," . $this->adldap->getBaseDn(); + $result = @ldap_rename($this->adldap->getLdapConnection(), $dn, $newRDn, $newBaseDn, true); + if ($result !== true) { + return false; + } + return true; + } + + /** + * Get the last logon time of any user as a Unix timestamp + * + * @param string $username + * @return long $unixTimestamp + */ + public function getLastLogon($username) { + if (!$this->adldap->getLdapBind()) { return false; } + if ($username === null) { return "Missing compulsory field [username]"; } + $userInfo = $this->info($username, array("lastLogonTimestamp")); + $lastLogon = adLDAPUtils::convertWindowsTimeToUnixTime($userInfo[0]['lastLogonTimestamp'][0]); + return $lastLogon; + } + +} +?> diff --git a/platform/www/lib/plugins/authad/adLDAP/classes/adLDAPUtils.php b/platform/www/lib/plugins/authad/adLDAP/classes/adLDAPUtils.php new file mode 100644 index 0000000..6f94fe2 --- /dev/null +++ b/platform/www/lib/plugins/authad/adLDAP/classes/adLDAPUtils.php @@ -0,0 +1,268 @@ +<?php +/** + * PHP LDAP CLASS FOR MANIPULATING ACTIVE DIRECTORY + * Version 4.0.4 + * + * PHP Version 5 with SSL and LDAP support + * + * Written by Scott Barnett, Richard Hyland + * email: scott@wiggumworld.com, adldap@richardhyland.com + * http://adldap.sourceforge.net/ + * + * Copyright (c) 2006-2012 Scott Barnett, Richard Hyland + * + * We'd appreciate any improvements or additions to be submitted back + * to benefit the entire community :) + * + * This library is free software; you can redistribute it and/or + * modify it under the terms of the GNU Lesser General Public + * License as published by the Free Software Foundation; either + * version 2.1 of the License. + * + * This library is distributed in the hope that it will be useful, + * but WITHOUT ANY WARRANTY; without even the implied warranty of + * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU + * Lesser General Public License for more details. + * + * @category ToolsAndUtilities + * @package adLDAP + * @subpackage Utils + * @author Scott Barnett, Richard Hyland + * @copyright (c) 2006-2012 Scott Barnett, Richard Hyland + * @license http://www.gnu.org/licenses/old-licenses/lgpl-2.1.html LGPLv2.1 + * @revision $Revision: 97 $ + * @version 4.0.4 + * @link http://adldap.sourceforge.net/ + */ +require_once(dirname(__FILE__) . '/../adLDAP.php'); + +/** +* UTILITY FUNCTIONS +*/ +class adLDAPUtils { + const ADLDAP_VERSION = '4.0.4'; + + /** + * The current adLDAP connection via dependency injection + * + * @var adLDAP + */ + protected $adldap; + + public function __construct(adLDAP $adldap) { + $this->adldap = $adldap; + } + + + /** + * Take an LDAP query and return the nice names, without all the LDAP prefixes (eg. CN, DN) + * + * @param array $groups + * @return array + */ + public function niceNames($groups) + { + + $groupArray = array(); + for ($i=0; $i<$groups["count"]; $i++){ // For each group + $line = $groups[$i]; + + if (strlen($line)>0) { + // More presumptions, they're all prefixed with CN= + // so we ditch the first three characters and the group + // name goes up to the first comma + $bits=explode(",", $line); + $groupArray[] = substr($bits[0], 3, (strlen($bits[0])-3)); + } + } + return $groupArray; + } + + /** + * Escape characters for use in an ldap_create function + * + * @param string $str + * @return string + */ + public function escapeCharacters($str) { + $str = str_replace(",", "\,", $str); + return $str; + } + + /** + * Escape strings for the use in LDAP filters + * + * DEVELOPERS SHOULD BE DOING PROPER FILTERING IF THEY'RE ACCEPTING USER INPUT + * Ported from Perl's Net::LDAP::Util escape_filter_value + * + * @param string $str The string the parse + * @author Port by Andreas Gohr <andi@splitbrain.org> + * @return string + */ + public function ldapSlashes($str) { + // see https://github.com/adldap/adLDAP/issues/22 + return preg_replace_callback( + '/([\x00-\x1F\*\(\)\\\\])/', + function ($matches) { + return "\\".join("", unpack("H2", $matches[1])); + }, + $str + ); + } + /** + * Converts a string GUID to a hexdecimal value so it can be queried + * + * @param string $strGUID A string representation of a GUID + * @return string + */ + public function strGuidToHex($strGUID) + { + $strGUID = str_replace('-', '', $strGUID); + + $octet_str = '\\' . substr($strGUID, 6, 2); + $octet_str .= '\\' . substr($strGUID, 4, 2); + $octet_str .= '\\' . substr($strGUID, 2, 2); + $octet_str .= '\\' . substr($strGUID, 0, 2); + $octet_str .= '\\' . substr($strGUID, 10, 2); + $octet_str .= '\\' . substr($strGUID, 8, 2); + $octet_str .= '\\' . substr($strGUID, 14, 2); + $octet_str .= '\\' . substr($strGUID, 12, 2); + //$octet_str .= '\\' . substr($strGUID, 16, strlen($strGUID)); + for ($i=16; $i<=(strlen($strGUID)-2); $i++) { + if (($i % 2) == 0) { + $octet_str .= '\\' . substr($strGUID, $i, 2); + } + } + + return $octet_str; + } + + /** + * Convert a binary SID to a text SID + * + * @param string $binsid A Binary SID + * @return string + */ + public function getTextSID($binsid) { + $hex_sid = bin2hex($binsid); + $rev = hexdec(substr($hex_sid, 0, 2)); + $subcount = hexdec(substr($hex_sid, 2, 2)); + $auth = hexdec(substr($hex_sid, 4, 12)); + $result = "$rev-$auth"; + + for ($x=0;$x < $subcount; $x++) { + $subauth[$x] = + hexdec($this->littleEndian(substr($hex_sid, 16 + ($x * 8), 8))); + $result .= "-" . $subauth[$x]; + } + + // Cheat by tacking on the S- + return 'S-' . $result; + } + + /** + * Converts a little-endian hex number to one that hexdec() can convert + * + * @param string $hex A hex code + * @return string + */ + public function littleEndian($hex) + { + $result = ''; + for ($x = strlen($hex) - 2; $x >= 0; $x = $x - 2) { + $result .= substr($hex, $x, 2); + } + return $result; + } + + /** + * Converts a binary attribute to a string + * + * @param string $bin A binary LDAP attribute + * @return string + */ + public function binaryToText($bin) + { + $hex_guid = bin2hex($bin); + $hex_guid_to_guid_str = ''; + for($k = 1; $k <= 4; ++$k) { + $hex_guid_to_guid_str .= substr($hex_guid, 8 - 2 * $k, 2); + } + $hex_guid_to_guid_str .= '-'; + for($k = 1; $k <= 2; ++$k) { + $hex_guid_to_guid_str .= substr($hex_guid, 12 - 2 * $k, 2); + } + $hex_guid_to_guid_str .= '-'; + for($k = 1; $k <= 2; ++$k) { + $hex_guid_to_guid_str .= substr($hex_guid, 16 - 2 * $k, 2); + } + $hex_guid_to_guid_str .= '-' . substr($hex_guid, 16, 4); + $hex_guid_to_guid_str .= '-' . substr($hex_guid, 20); + return strtoupper($hex_guid_to_guid_str); + } + + /** + * Converts a binary GUID to a string GUID + * + * @param string $binaryGuid The binary GUID attribute to convert + * @return string + */ + public function decodeGuid($binaryGuid) + { + if ($binaryGuid === null){ return "Missing compulsory field [binaryGuid]"; } + + $strGUID = $this->binaryToText($binaryGuid); + return $strGUID; + } + + /** + * Convert a boolean value to a string + * You should never need to call this yourself + * + * @param bool $bool Boolean value + * @return string + */ + public function boolToStr($bool) + { + return ($bool) ? 'TRUE' : 'FALSE'; + } + + /** + * Convert 8bit characters e.g. accented characters to UTF8 encoded characters + */ + public function encode8Bit(&$item, $key) { + $encode = false; + if (is_string($item)) { + for ($i=0; $i<strlen($item); $i++) { + if (ord($item[$i]) >> 7) { + $encode = true; + } + } + } + if ($encode === true && $key != 'password') { + $item = utf8_encode($item); + } + } + + /** + * Get the current class version number + * + * @return string + */ + public function getVersion() { + return self::ADLDAP_VERSION; + } + + /** + * Round a Windows timestamp down to seconds and remove the seconds between 1601-01-01 and 1970-01-01 + * + * @param long $windowsTime + * @return long $unixTime + */ + public static function convertWindowsTimeToUnixTime($windowsTime) { + $unixTime = round($windowsTime / 10000000) - 11644477200; + return $unixTime; + } +} + +?> diff --git a/platform/www/lib/plugins/authad/adLDAP/collections/adLDAPCollection.php b/platform/www/lib/plugins/authad/adLDAP/collections/adLDAPCollection.php new file mode 100644 index 0000000..433d39f --- /dev/null +++ b/platform/www/lib/plugins/authad/adLDAP/collections/adLDAPCollection.php @@ -0,0 +1,137 @@ +<?php +/** + * PHP LDAP CLASS FOR MANIPULATING ACTIVE DIRECTORY + * Version 4.0.4 + * + * PHP Version 5 with SSL and LDAP support + * + * Written by Scott Barnett, Richard Hyland + * email: scott@wiggumworld.com, adldap@richardhyland.com + * http://adldap.sourceforge.net/ + * + * Copyright (c) 2006-2012 Scott Barnett, Richard Hyland + * + * We'd appreciate any improvements or additions to be submitted back + * to benefit the entire community :) + * + * This library is free software; you can redistribute it and/or + * modify it under the terms of the GNU Lesser General Public + * License as published by the Free Software Foundation; either + * version 2.1 of the License. + * + * This library is distributed in the hope that it will be useful, + * but WITHOUT ANY WARRANTY; without even the implied warranty of + * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU + * Lesser General Public License for more details. + * + * @category ToolsAndUtilities + * @package adLDAP + * @subpackage Collection + * @author Scott Barnett, Richard Hyland + * @copyright (c) 2006-2012 Scott Barnett, Richard Hyland + * @license http://www.gnu.org/licenses/old-licenses/lgpl-2.1.html LGPLv2.1 + * @revision $Revision: 97 $ + * @version 4.0.4 + * @link http://adldap.sourceforge.net/ +*/ + +abstract class adLDAPCollection +{ + /** + * The current adLDAP connection via dependency injection + * + * @var adLDAP + */ + protected $adldap; + + /** + * The current object being modifed / called + * + * @var mixed + */ + protected $currentObject; + + /** + * The raw info array from Active Directory + * + * @var array + */ + protected $info; + + public function __construct($info, adLDAP $adldap) + { + $this->setInfo($info); + $this->adldap = $adldap; + } + + /** + * Set the raw info array from Active Directory + * + * @param array $info + */ + public function setInfo(array $info) + { + if ($this->info && sizeof($info) >= 1) { + unset($this->info); + } + $this->info = $info; + } + + /** + * Magic get method to retrieve data from the raw array in a formatted way + * + * @param string $attribute + * @return mixed + */ + public function __get($attribute) + { + if (isset($this->info[0]) && is_array($this->info[0])) { + foreach ($this->info[0] as $keyAttr => $valueAttr) { + if (strtolower($keyAttr) == strtolower($attribute)) { + if ($this->info[0][strtolower($attribute)]['count'] == 1) { + return $this->info[0][strtolower($attribute)][0]; + } + else { + $array = array(); + foreach ($this->info[0][strtolower($attribute)] as $key => $value) { + if ((string)$key != 'count') { + $array[$key] = $value; + } + } + return $array; + } + } + } + } + else { + return NULL; + } + } + + /** + * Magic set method to update an attribute + * + * @param string $attribute + * @param string $value + * @return bool + */ + abstract public function __set($attribute, $value); + + /** + * Magic isset method to check for the existence of an attribute + * + * @param string $attribute + * @return bool + */ + public function __isset($attribute) { + if (isset($this->info[0]) && is_array($this->info[0])) { + foreach ($this->info[0] as $keyAttr => $valueAttr) { + if (strtolower($keyAttr) == strtolower($attribute)) { + return true; + } + } + } + return false; + } +} +?> diff --git a/platform/www/lib/plugins/authad/adLDAP/collections/adLDAPComputerCollection.php b/platform/www/lib/plugins/authad/adLDAP/collections/adLDAPComputerCollection.php new file mode 100644 index 0000000..09f82ca --- /dev/null +++ b/platform/www/lib/plugins/authad/adLDAP/collections/adLDAPComputerCollection.php @@ -0,0 +1,46 @@ +<?php +/** + * PHP LDAP CLASS FOR MANIPULATING ACTIVE DIRECTORY + * Version 4.0.4 + * + * PHP Version 5 with SSL and LDAP support + * + * Written by Scott Barnett, Richard Hyland + * email: scott@wiggumworld.com, adldap@richardhyland.com + * http://adldap.sourceforge.net/ + * + * Copyright (c) 2006-2012 Scott Barnett, Richard Hyland + * + * We'd appreciate any improvements or additions to be submitted back + * to benefit the entire community :) + * + * This library is free software; you can redistribute it and/or + * modify it under the terms of the GNU Lesser General Public + * License as published by the Free Software Foundation; either + * version 2.1 of the License. + * + * This library is distributed in the hope that it will be useful, + * but WITHOUT ANY WARRANTY; without even the implied warranty of + * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU + * Lesser General Public License for more details. + * + * @category ToolsAndUtilities + * @package adLDAP + * @subpackage ComputerCollection + * @author Scott Barnett, Richard Hyland + * @copyright (c) 2006-2012 Scott Barnett, Richard Hyland + * @license http://www.gnu.org/licenses/old-licenses/lgpl-2.1.html LGPLv2.1 + * @revision $Revision: 97 $ + * @version 4.0.4 + * @link http://adldap.sourceforge.net/ +*/ + +class adLDAPComputerCollection extends adLDAPCollection +{ + + public function __set($attribute, $value) + { + + } +} +?> diff --git a/platform/www/lib/plugins/authad/adLDAP/collections/adLDAPContactCollection.php b/platform/www/lib/plugins/authad/adLDAP/collections/adLDAPContactCollection.php new file mode 100644 index 0000000..a9efad5 --- /dev/null +++ b/platform/www/lib/plugins/authad/adLDAP/collections/adLDAPContactCollection.php @@ -0,0 +1,46 @@ +<?php +/** + * PHP LDAP CLASS FOR MANIPULATING ACTIVE DIRECTORY + * Version 4.0.4 + * + * PHP Version 5 with SSL and LDAP support + * + * Written by Scott Barnett, Richard Hyland + * email: scott@wiggumworld.com, adldap@richardhyland.com + * http://adldap.sourceforge.net/ + * + * Copyright (c) 2006-2012 Scott Barnett, Richard Hyland + * + * We'd appreciate any improvements or additions to be submitted back + * to benefit the entire community :) + * + * This library is free software; you can redistribute it and/or + * modify it under the terms of the GNU Lesser General Public + * License as published by the Free Software Foundation; either + * version 2.1 of the License. + * + * This library is distributed in the hope that it will be useful, + * but WITHOUT ANY WARRANTY; without even the implied warranty of + * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU + * Lesser General Public License for more details. + * + * @category ToolsAndUtilities + * @package adLDAP + * @subpackage ContactCollection + * @author Scott Barnett, Richard Hyland + * @copyright (c) 2006-2012 Scott Barnett, Richard Hyland + * @license http://www.gnu.org/licenses/old-licenses/lgpl-2.1.html LGPLv2.1 + * @revision $Revision: 97 $ + * @version 4.0.4 + * @link http://adldap.sourceforge.net/ +*/ + +class adLDAPContactCollection extends adLDAPCollection +{ + + public function __set($attribute, $value) + { + + } +} +?> diff --git a/platform/www/lib/plugins/authad/adLDAP/collections/adLDAPGroupCollection.php b/platform/www/lib/plugins/authad/adLDAP/collections/adLDAPGroupCollection.php new file mode 100644 index 0000000..ef4af8d --- /dev/null +++ b/platform/www/lib/plugins/authad/adLDAP/collections/adLDAPGroupCollection.php @@ -0,0 +1,46 @@ +<?php +/** + * PHP LDAP CLASS FOR MANIPULATING ACTIVE DIRECTORY + * Version 4.0.4 + * + * PHP Version 5 with SSL and LDAP support + * + * Written by Scott Barnett, Richard Hyland + * email: scott@wiggumworld.com, adldap@richardhyland.com + * http://adldap.sourceforge.net/ + * + * Copyright (c) 2006-2012 Scott Barnett, Richard Hyland + * + * We'd appreciate any improvements or additions to be submitted back + * to benefit the entire community :) + * + * This library is free software; you can redistribute it and/or + * modify it under the terms of the GNU Lesser General Public + * License as published by the Free Software Foundation; either + * version 2.1 of the License. + * + * This library is distributed in the hope that it will be useful, + * but WITHOUT ANY WARRANTY; without even the implied warranty of + * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU + * Lesser General Public License for more details. + * + * @category ToolsAndUtilities + * @package adLDAP + * @subpackage GroupCollection + * @author Scott Barnett, Richard Hyland + * @copyright (c) 2006-2012 Scott Barnett, Richard Hyland + * @license http://www.gnu.org/licenses/old-licenses/lgpl-2.1.html LGPLv2.1 + * @revision $Revision: 97 $ + * @version 4.0.4 + * @link http://adldap.sourceforge.net/ +*/ + +class adLDAPGroupCollection extends adLDAPCollection +{ + + public function __set($attribute, $value) + { + + } +} +?> diff --git a/platform/www/lib/plugins/authad/adLDAP/collections/adLDAPUserCollection.php b/platform/www/lib/plugins/authad/adLDAP/collections/adLDAPUserCollection.php new file mode 100644 index 0000000..63fce5f --- /dev/null +++ b/platform/www/lib/plugins/authad/adLDAP/collections/adLDAPUserCollection.php @@ -0,0 +1,46 @@ +<?php +/** + * PHP LDAP CLASS FOR MANIPULATING ACTIVE DIRECTORY + * Version 4.0.4 + * + * PHP Version 5 with SSL and LDAP support + * + * Written by Scott Barnett, Richard Hyland + * email: scott@wiggumworld.com, adldap@richardhyland.com + * http://adldap.sourceforge.net/ + * + * Copyright (c) 2006-2012 Scott Barnett, Richard Hyland + * + * We'd appreciate any improvements or additions to be submitted back + * to benefit the entire community :) + * + * This library is free software; you can redistribute it and/or + * modify it under the terms of the GNU Lesser General Public + * License as published by the Free Software Foundation; either + * version 2.1 of the License. + * + * This library is distributed in the hope that it will be useful, + * but WITHOUT ANY WARRANTY; without even the implied warranty of + * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU + * Lesser General Public License for more details. + * + * @category ToolsAndUtilities + * @package adLDAP + * @subpackage UserCollection + * @author Scott Barnett, Richard Hyland + * @copyright (c) 2006-2012 Scott Barnett, Richard Hyland + * @license http://www.gnu.org/licenses/old-licenses/lgpl-2.1.html LGPLv2.1 + * @revision $Revision: 97 $ + * @version 4.0.4 + * @link http://adldap.sourceforge.net/ +*/ + +class adLDAPUserCollection extends adLDAPCollection +{ + + public function __set($attribute, $value) + { + + } +} +?> diff --git a/platform/www/lib/plugins/authad/auth.php b/platform/www/lib/plugins/authad/auth.php new file mode 100644 index 0000000..27a6b22 --- /dev/null +++ b/platform/www/lib/plugins/authad/auth.php @@ -0,0 +1,786 @@ +<?php + +/** + * Active Directory authentication backend for DokuWiki + * + * This makes authentication with a Active Directory server much easier + * than when using the normal LDAP backend by utilizing the adLDAP library + * + * Usage: + * Set DokuWiki's local.protected.php auth setting to read + * + * $conf['authtype'] = 'authad'; + * + * $conf['plugin']['authad']['account_suffix'] = '@my.domain.org'; + * $conf['plugin']['authad']['base_dn'] = 'DC=my,DC=domain,DC=org'; + * $conf['plugin']['authad']['domain_controllers'] = 'srv1.domain.org,srv2.domain.org'; + * + * //optional: + * $conf['plugin']['authad']['sso'] = 1; + * $conf['plugin']['authad']['admin_username'] = 'root'; + * $conf['plugin']['authad']['admin_password'] = 'pass'; + * $conf['plugin']['authad']['real_primarygroup'] = 1; + * $conf['plugin']['authad']['use_ssl'] = 1; + * $conf['plugin']['authad']['use_tls'] = 1; + * $conf['plugin']['authad']['debug'] = 1; + * // warn user about expiring password this many days in advance: + * $conf['plugin']['authad']['expirywarn'] = 5; + * + * // get additional information to the userinfo array + * // add a list of comma separated ldap contact fields. + * $conf['plugin']['authad']['additional'] = 'field1,field2'; + * + * @license GPL 2 (http://www.gnu.org/licenses/gpl.html) + * @author James Van Lommel <jamesvl@gmail.com> + * @link http://www.nosq.com/blog/2005/08/ldap-activedirectory-and-dokuwiki/ + * @author Andreas Gohr <andi@splitbrain.org> + * @author Jan Schumann <js@schumann-it.com> + */ +class auth_plugin_authad extends DokuWiki_Auth_Plugin +{ + + /** + * @var array hold connection data for a specific AD domain + */ + protected $opts = array(); + + /** + * @var array open connections for each AD domain, as adLDAP objects + */ + protected $adldap = array(); + + /** + * @var bool message state + */ + protected $msgshown = false; + + /** + * @var array user listing cache + */ + protected $users = array(); + + /** + * @var array filter patterns for listing users + */ + protected $pattern = array(); + + protected $grpsusers = array(); + + /** + * Constructor + */ + public function __construct() + { + global $INPUT; + parent::__construct(); + + require_once(DOKU_PLUGIN.'authad/adLDAP/adLDAP.php'); + require_once(DOKU_PLUGIN.'authad/adLDAP/classes/adLDAPUtils.php'); + + // we load the config early to modify it a bit here + $this->loadConfig(); + + // additional information fields + if (isset($this->conf['additional'])) { + $this->conf['additional'] = str_replace(' ', '', $this->conf['additional']); + $this->conf['additional'] = explode(',', $this->conf['additional']); + } else $this->conf['additional'] = array(); + + // ldap extension is needed + if (!function_exists('ldap_connect')) { + if ($this->conf['debug']) + msg("AD Auth: PHP LDAP extension not found.", -1); + $this->success = false; + return; + } + + // Prepare SSO + if (!empty($_SERVER['REMOTE_USER'])) { + // make sure the right encoding is used + if ($this->getConf('sso_charset')) { + $_SERVER['REMOTE_USER'] = iconv($this->getConf('sso_charset'), 'UTF-8', $_SERVER['REMOTE_USER']); + } elseif (!\dokuwiki\Utf8\Clean::isUtf8($_SERVER['REMOTE_USER'])) { + $_SERVER['REMOTE_USER'] = utf8_encode($_SERVER['REMOTE_USER']); + } + + // trust the incoming user + if ($this->conf['sso']) { + $_SERVER['REMOTE_USER'] = $this->cleanUser($_SERVER['REMOTE_USER']); + + // we need to simulate a login + if (empty($_COOKIE[DOKU_COOKIE])) { + $INPUT->set('u', $_SERVER['REMOTE_USER']); + $INPUT->set('p', 'sso_only'); + } + } + } + + // other can do's are changed in $this->_loadServerConfig() base on domain setup + $this->cando['modName'] = (bool)$this->conf['update_name']; + $this->cando['modMail'] = (bool)$this->conf['update_mail']; + $this->cando['getUserCount'] = true; + } + + /** + * Load domain config on capability check + * + * @param string $cap + * @return bool + */ + public function canDo($cap) + { + //capabilities depend on config, which may change depending on domain + $domain = $this->getUserDomain($_SERVER['REMOTE_USER']); + $this->loadServerConfig($domain); + return parent::canDo($cap); + } + + /** + * Check user+password [required auth function] + * + * Checks if the given user exists and the given + * plaintext password is correct by trying to bind + * to the LDAP server + * + * @author James Van Lommel <james@nosq.com> + * @param string $user + * @param string $pass + * @return bool + */ + public function checkPass($user, $pass) + { + if ($_SERVER['REMOTE_USER'] && + $_SERVER['REMOTE_USER'] == $user && + $this->conf['sso'] + ) return true; + + $adldap = $this->initAdLdap($this->getUserDomain($user)); + if (!$adldap) return false; + + try { + return $adldap->authenticate($this->getUserName($user), $pass); + } catch (adLDAPException $e) { + // shouldn't really happen + return false; + } + } + + /** + * Return user info [required auth function] + * + * Returns info about the given user needs to contain + * at least these fields: + * + * name string full name of the user + * mail string email address of the user + * grps array list of groups the user is in + * + * This AD specific function returns the following + * addional fields: + * + * dn string distinguished name (DN) + * uid string samaccountname + * lastpwd int timestamp of the date when the password was set + * expires true if the password expires + * expiresin int seconds until the password expires + * any fields specified in the 'additional' config option + * + * @author James Van Lommel <james@nosq.com> + * @param string $user + * @param bool $requireGroups (optional) - ignored, groups are always supplied by this plugin + * @return array + */ + public function getUserData($user, $requireGroups = true) + { + global $conf; + global $lang; + global $ID; + $adldap = $this->initAdLdap($this->getUserDomain($user)); + if (!$adldap) return array(); + + if ($user == '') return array(); + + $fields = array('mail', 'displayname', 'samaccountname', 'lastpwd', 'pwdlastset', 'useraccountcontrol'); + + // add additional fields to read + $fields = array_merge($fields, $this->conf['additional']); + $fields = array_unique($fields); + $fields = array_filter($fields); + + //get info for given user + $result = $adldap->user()->info($this->getUserName($user), $fields); + if ($result == false) { + return array(); + } + + //general user info + $info = array(); + $info['name'] = $result[0]['displayname'][0]; + $info['mail'] = $result[0]['mail'][0]; + $info['uid'] = $result[0]['samaccountname'][0]; + $info['dn'] = $result[0]['dn']; + //last password set (Windows counts from January 1st 1601) + $info['lastpwd'] = $result[0]['pwdlastset'][0] / 10000000 - 11644473600; + //will it expire? + $info['expires'] = !($result[0]['useraccountcontrol'][0] & 0x10000); //ADS_UF_DONT_EXPIRE_PASSWD + + // additional information + foreach ($this->conf['additional'] as $field) { + if (isset($result[0][strtolower($field)])) { + $info[$field] = $result[0][strtolower($field)][0]; + } + } + + // handle ActiveDirectory memberOf + $info['grps'] = $adldap->user()->groups($this->getUserName($user), (bool) $this->opts['recursive_groups']); + + if (is_array($info['grps'])) { + foreach ($info['grps'] as $ndx => $group) { + $info['grps'][$ndx] = $this->cleanGroup($group); + } + } + + // always add the default group to the list of groups + if (!is_array($info['grps']) || !in_array($conf['defaultgroup'], $info['grps'])) { + $info['grps'][] = $conf['defaultgroup']; + } + + // add the user's domain to the groups + $domain = $this->getUserDomain($user); + if ($domain && !in_array("domain-$domain", (array) $info['grps'])) { + $info['grps'][] = $this->cleanGroup("domain-$domain"); + } + + // check expiry time + if ($info['expires'] && $this->conf['expirywarn']) { + try { + $expiry = $adldap->user()->passwordExpiry($user); + if (is_array($expiry)) { + $info['expiresat'] = $expiry['expiryts']; + $info['expiresin'] = round(($info['expiresat'] - time())/(24*60*60)); + + // if this is the current user, warn him (once per request only) + if (($_SERVER['REMOTE_USER'] == $user) && + ($info['expiresin'] <= $this->conf['expirywarn']) && + !$this->msgshown + ) { + $msg = sprintf($this->getLang('authpwdexpire'), $info['expiresin']); + if ($this->canDo('modPass')) { + $url = wl($ID, array('do'=> 'profile')); + $msg .= ' <a href="'.$url.'">'.$lang['btn_profile'].'</a>'; + } + msg($msg); + $this->msgshown = true; + } + } + } catch (adLDAPException $e) { + // ignore. should usually not happen + } + } + + return $info; + } + + /** + * Make AD group names usable by DokuWiki. + * + * Removes backslashes ('\'), pound signs ('#'), and converts spaces to underscores. + * + * @author James Van Lommel (jamesvl@gmail.com) + * @param string $group + * @return string + */ + public function cleanGroup($group) + { + $group = str_replace('\\', '', $group); + $group = str_replace('#', '', $group); + $group = preg_replace('[\s]', '_', $group); + $group = \dokuwiki\Utf8\PhpString::strtolower(trim($group)); + return $group; + } + + /** + * Sanitize user names + * + * Normalizes domain parts, does not modify the user name itself (unlike cleanGroup) + * + * @author Andreas Gohr <gohr@cosmocode.de> + * @param string $user + * @return string + */ + public function cleanUser($user) + { + $domain = ''; + + // get NTLM or Kerberos domain part + list($dom, $user) = explode('\\', $user, 2); + if (!$user) $user = $dom; + if ($dom) $domain = $dom; + list($user, $dom) = explode('@', $user, 2); + if ($dom) $domain = $dom; + + // clean up both + $domain = \dokuwiki\Utf8\PhpString::strtolower(trim($domain)); + $user = \dokuwiki\Utf8\PhpString::strtolower(trim($user)); + + // is this a known, valid domain or do we work without account suffix? if not discard + if (!is_array($this->conf[$domain]) && $this->conf['account_suffix'] !== '') { + $domain = ''; + } + + // reattach domain + if ($domain) $user = "$user@$domain"; + return $user; + } + + /** + * Most values in LDAP are case-insensitive + * + * @return bool + */ + public function isCaseSensitive() + { + return false; + } + + /** + * Create a Search-String useable by adLDAPUsers::all($includeDescription = false, $search = "*", $sorted = true) + * + * @param array $filter + * @return string + */ + protected function constructSearchString($filter) + { + if (!$filter) { + return '*'; + } + $adldapUtils = new adLDAPUtils($this->initAdLdap(null)); + $result = '*'; + if (isset($filter['name'])) { + $result .= ')(displayname=*' . $adldapUtils->ldapSlashes($filter['name']) . '*'; + unset($filter['name']); + } + + if (isset($filter['user'])) { + $result .= ')(samAccountName=*' . $adldapUtils->ldapSlashes($filter['user']) . '*'; + unset($filter['user']); + } + + if (isset($filter['mail'])) { + $result .= ')(mail=*' . $adldapUtils->ldapSlashes($filter['mail']) . '*'; + unset($filter['mail']); + } + return $result; + } + + /** + * Return a count of the number of user which meet $filter criteria + * + * @param array $filter $filter array of field/pattern pairs, empty array for no filter + * @return int number of users + */ + public function getUserCount($filter = array()) + { + $adldap = $this->initAdLdap(null); + if (!$adldap) { + dbglog("authad/auth.php getUserCount(): _adldap not set."); + return -1; + } + if ($filter == array()) { + $result = $adldap->user()->all(); + } else { + $searchString = $this->constructSearchString($filter); + $result = $adldap->user()->all(false, $searchString); + if (isset($filter['grps'])) { + $this->users = array_fill_keys($result, false); + /** @var admin_plugin_usermanager $usermanager */ + $usermanager = plugin_load("admin", "usermanager", false); + $usermanager->setLastdisabled(true); + if (!isset($this->grpsusers[$this->filterToString($filter)])) { + $this->fillGroupUserArray($filter, $usermanager->getStart() + 3*$usermanager->getPagesize()); + } elseif (count($this->grpsusers[$this->filterToString($filter)]) < + $usermanager->getStart() + 3*$usermanager->getPagesize() + ) { + $this->fillGroupUserArray( + $filter, + $usermanager->getStart() + + 3*$usermanager->getPagesize() - + count($this->grpsusers[$this->filterToString($filter)]) + ); + } + $result = $this->grpsusers[$this->filterToString($filter)]; + } else { + /** @var admin_plugin_usermanager $usermanager */ + $usermanager = plugin_load("admin", "usermanager", false); + $usermanager->setLastdisabled(false); + } + } + + if (!$result) { + return 0; + } + return count($result); + } + + /** + * + * create a unique string for each filter used with a group + * + * @param array $filter + * @return string + */ + protected function filterToString($filter) + { + $result = ''; + if (isset($filter['user'])) { + $result .= 'user-' . $filter['user']; + } + if (isset($filter['name'])) { + $result .= 'name-' . $filter['name']; + } + if (isset($filter['mail'])) { + $result .= 'mail-' . $filter['mail']; + } + if (isset($filter['grps'])) { + $result .= 'grps-' . $filter['grps']; + } + return $result; + } + + /** + * Create an array of $numberOfAdds users passing a certain $filter, including belonging + * to a certain group and save them to a object-wide array. If the array + * already exists try to add $numberOfAdds further users to it. + * + * @param array $filter + * @param int $numberOfAdds additional number of users requested + * @return int number of Users actually add to Array + */ + protected function fillGroupUserArray($filter, $numberOfAdds) + { + if (isset($this->grpsusers[$this->filterToString($filter)])) { + $actualstart = count($this->grpsusers[$this->filterToString($filter)]); + } else { + $this->grpsusers[$this->filterToString($filter)] = []; + $actualstart = 0; + } + + $i=0; + $count = 0; + $this->constructPattern($filter); + foreach ($this->users as $user => &$info) { + if ($i++ < $actualstart) { + continue; + } + if ($info === false) { + $info = $this->getUserData($user); + } + if ($this->filter($user, $info)) { + $this->grpsusers[$this->filterToString($filter)][$user] = $info; + if (($numberOfAdds > 0) && (++$count >= $numberOfAdds)) break; + } + } + return $count; + } + + /** + * Bulk retrieval of user data + * + * @author Dominik Eckelmann <dokuwiki@cosmocode.de> + * + * @param int $start index of first user to be returned + * @param int $limit max number of users to be returned + * @param array $filter array of field/pattern pairs, null for no filter + * @return array userinfo (refer getUserData for internal userinfo details) + */ + public function retrieveUsers($start = 0, $limit = 0, $filter = array()) + { + $adldap = $this->initAdLdap(null); + if (!$adldap) return array(); + + //if (!$this->users) { + //get info for given user + $result = $adldap->user()->all(false, $this->constructSearchString($filter)); + if (!$result) return array(); + $this->users = array_fill_keys($result, false); + //} + + $i = 0; + $count = 0; + $result = array(); + + if (!isset($filter['grps'])) { + /** @var admin_plugin_usermanager $usermanager */ + $usermanager = plugin_load("admin", "usermanager", false); + $usermanager->setLastdisabled(false); + $this->constructPattern($filter); + foreach ($this->users as $user => &$info) { + if ($i++ < $start) { + continue; + } + if ($info === false) { + $info = $this->getUserData($user); + } + $result[$user] = $info; + if (($limit > 0) && (++$count >= $limit)) break; + } + } else { + /** @var admin_plugin_usermanager $usermanager */ + $usermanager = plugin_load("admin", "usermanager", false); + $usermanager->setLastdisabled(true); + if (!isset($this->grpsusers[$this->filterToString($filter)]) || + count($this->grpsusers[$this->filterToString($filter)]) < ($start+$limit) + ) { + if(!isset($this->grpsusers[$this->filterToString($filter)])) { + $this->grpsusers[$this->filterToString($filter)] = []; + } + + $this->fillGroupUserArray( + $filter, + $start+$limit - count($this->grpsusers[$this->filterToString($filter)]) +1 + ); + } + if (!$this->grpsusers[$this->filterToString($filter)]) return array(); + foreach ($this->grpsusers[$this->filterToString($filter)] as $user => &$info) { + if ($i++ < $start) { + continue; + } + $result[$user] = $info; + if (($limit > 0) && (++$count >= $limit)) break; + } + } + return $result; + } + + /** + * Modify user data + * + * @param string $user nick of the user to be changed + * @param array $changes array of field/value pairs to be changed + * @return bool + */ + public function modifyUser($user, $changes) + { + $return = true; + $adldap = $this->initAdLdap($this->getUserDomain($user)); + if (!$adldap) { + msg($this->getLang('connectfail'), -1); + return false; + } + + // password changing + if (isset($changes['pass'])) { + try { + $return = $adldap->user()->password($this->getUserName($user), $changes['pass']); + } catch (adLDAPException $e) { + if ($this->conf['debug']) msg('AD Auth: '.$e->getMessage(), -1); + $return = false; + } + if (!$return) msg($this->getLang('passchangefail'), -1); + } + + // changing user data + $adchanges = array(); + if (isset($changes['name'])) { + // get first and last name + $parts = explode(' ', $changes['name']); + $adchanges['surname'] = array_pop($parts); + $adchanges['firstname'] = join(' ', $parts); + $adchanges['display_name'] = $changes['name']; + } + if (isset($changes['mail'])) { + $adchanges['email'] = $changes['mail']; + } + if (count($adchanges)) { + try { + $return = $return & $adldap->user()->modify($this->getUserName($user), $adchanges); + } catch (adLDAPException $e) { + if ($this->conf['debug']) msg('AD Auth: '.$e->getMessage(), -1); + $return = false; + } + if (!$return) msg($this->getLang('userchangefail'), -1); + } + + return $return; + } + + /** + * Initialize the AdLDAP library and connect to the server + * + * When you pass null as domain, it will reuse any existing domain. + * Eg. the one of the logged in user. It falls back to the default + * domain if no current one is available. + * + * @param string|null $domain The AD domain to use + * @return adLDAP|bool true if a connection was established + */ + protected function initAdLdap($domain) + { + if (is_null($domain) && is_array($this->opts)) { + $domain = $this->opts['domain']; + } + + $this->opts = $this->loadServerConfig((string) $domain); + if (isset($this->adldap[$domain])) return $this->adldap[$domain]; + + // connect + try { + $this->adldap[$domain] = new adLDAP($this->opts); + return $this->adldap[$domain]; + } catch (Exception $e) { + if ($this->conf['debug']) { + msg('AD Auth: '.$e->getMessage(), -1); + } + $this->success = false; + $this->adldap[$domain] = null; + } + return false; + } + + /** + * Get the domain part from a user + * + * @param string $user + * @return string + */ + public function getUserDomain($user) + { + list(, $domain) = explode('@', $user, 2); + return $domain; + } + + /** + * Get the user part from a user + * + * When an account suffix is set, we strip the domain part from the user + * + * @param string $user + * @return string + */ + public function getUserName($user) + { + if ($this->conf['account_suffix'] !== '') { + list($user) = explode('@', $user, 2); + } + return $user; + } + + /** + * Fetch the configuration for the given AD domain + * + * @param string $domain current AD domain + * @return array + */ + protected function loadServerConfig($domain) + { + // prepare adLDAP standard configuration + $opts = $this->conf; + + $opts['domain'] = $domain; + + // add possible domain specific configuration + if ($domain && is_array($this->conf[$domain])) foreach ($this->conf[$domain] as $key => $val) { + $opts[$key] = $val; + } + + // handle multiple AD servers + $opts['domain_controllers'] = explode(',', $opts['domain_controllers']); + $opts['domain_controllers'] = array_map('trim', $opts['domain_controllers']); + $opts['domain_controllers'] = array_filter($opts['domain_controllers']); + + // compatibility with old option name + if (empty($opts['admin_username']) && !empty($opts['ad_username'])) { + $opts['admin_username'] = $opts['ad_username']; + } + if (empty($opts['admin_password']) && !empty($opts['ad_password'])) { + $opts['admin_password'] = $opts['ad_password']; + } + $opts['admin_password'] = conf_decodeString($opts['admin_password']); // deobfuscate + + // we can change the password if SSL is set + if ($opts['use_ssl'] || $opts['use_tls']) { + $this->cando['modPass'] = true; + } else { + $this->cando['modPass'] = false; + } + + // adLDAP expects empty user/pass as NULL, we're less strict FS#2781 + if (empty($opts['admin_username'])) $opts['admin_username'] = null; + if (empty($opts['admin_password'])) $opts['admin_password'] = null; + + // user listing needs admin priviledges + if (!empty($opts['admin_username']) && !empty($opts['admin_password'])) { + $this->cando['getUsers'] = true; + } else { + $this->cando['getUsers'] = false; + } + + return $opts; + } + + /** + * Returns a list of configured domains + * + * The default domain has an empty string as key + * + * @return array associative array(key => domain) + */ + public function getConfiguredDomains() + { + $domains = array(); + if (empty($this->conf['account_suffix'])) return $domains; // not configured yet + + // add default domain, using the name from account suffix + $domains[''] = ltrim($this->conf['account_suffix'], '@'); + + // find additional domains + foreach ($this->conf as $key => $val) { + if (is_array($val) && isset($val['account_suffix'])) { + $domains[$key] = ltrim($val['account_suffix'], '@'); + } + } + ksort($domains); + + return $domains; + } + + /** + * Check provided user and userinfo for matching patterns + * + * The patterns are set up with $this->_constructPattern() + * + * @author Chris Smith <chris@jalakai.co.uk> + * + * @param string $user + * @param array $info + * @return bool + */ + protected function filter($user, $info) + { + foreach ($this->pattern as $item => $pattern) { + if ($item == 'user') { + if (!preg_match($pattern, $user)) return false; + } elseif ($item == 'grps') { + if (!count(preg_grep($pattern, $info['grps']))) return false; + } else { + if (!preg_match($pattern, $info[$item])) return false; + } + } + return true; + } + + /** + * Create a pattern for $this->_filter() + * + * @author Chris Smith <chris@jalakai.co.uk> + * + * @param array $filter + */ + protected function constructPattern($filter) + { + $this->pattern = array(); + foreach ($filter as $item => $pattern) { + $this->pattern[$item] = '/'.str_replace('/', '\/', $pattern).'/i'; // allow regex characters + } + } +} diff --git a/platform/www/lib/plugins/authad/conf/default.php b/platform/www/lib/plugins/authad/conf/default.php new file mode 100644 index 0000000..84094cc --- /dev/null +++ b/platform/www/lib/plugins/authad/conf/default.php @@ -0,0 +1,18 @@ +<?php + +$conf['account_suffix'] = ''; +$conf['base_dn'] = ''; +$conf['domain_controllers'] = ''; +$conf['sso'] = 0; +$conf['sso_charset'] = ''; +$conf['admin_username'] = ''; +$conf['admin_password'] = ''; +$conf['real_primarygroup'] = 0; +$conf['use_ssl'] = 0; +$conf['use_tls'] = 0; +$conf['debug'] = 0; +$conf['expirywarn'] = 0; +$conf['additional'] = ''; +$conf['update_name'] = 0; +$conf['update_mail'] = 0; +$conf['recursive_groups'] = 0; diff --git a/platform/www/lib/plugins/authad/conf/metadata.php b/platform/www/lib/plugins/authad/conf/metadata.php new file mode 100644 index 0000000..945474c --- /dev/null +++ b/platform/www/lib/plugins/authad/conf/metadata.php @@ -0,0 +1,18 @@ +<?php + +$meta['account_suffix'] = array('string','_caution' => 'danger'); +$meta['base_dn'] = array('string','_caution' => 'danger'); +$meta['domain_controllers'] = array('string','_caution' => 'danger'); +$meta['sso'] = array('onoff','_caution' => 'danger'); +$meta['sso_charset'] = array('string','_caution' => 'danger'); +$meta['admin_username'] = array('string','_caution' => 'danger'); +$meta['admin_password'] = array('password','_caution' => 'danger','_code' => 'base64'); +$meta['real_primarygroup'] = array('onoff','_caution' => 'danger'); +$meta['use_ssl'] = array('onoff','_caution' => 'danger'); +$meta['use_tls'] = array('onoff','_caution' => 'danger'); +$meta['debug'] = array('onoff','_caution' => 'security'); +$meta['expirywarn'] = array('numeric', '_min'=>0,'_caution' => 'danger'); +$meta['additional'] = array('string','_caution' => 'danger'); +$meta['update_name'] = array('onoff','_caution' => 'danger'); +$meta['update_mail'] = array('onoff','_caution' => 'danger'); +$meta['recursive_groups'] = array('onoff','_caution' => 'danger'); diff --git a/platform/www/lib/plugins/authad/lang/en/lang.php b/platform/www/lib/plugins/authad/lang/en/lang.php new file mode 100644 index 0000000..3e8a9e2 --- /dev/null +++ b/platform/www/lib/plugins/authad/lang/en/lang.php @@ -0,0 +1,15 @@ +<?php +/** + * English language file for addomain plugin + * @license GPL 2 (http://www.gnu.org/licenses/gpl.html) + * + * @author Andreas Gohr <gohr@cosmocode.de> + */ + +$lang['domain'] = 'Logon Domain'; +$lang['authpwdexpire'] = 'Your password will expire in %d days, you should change it soon.'; +$lang['passchangefail'] = 'Failed to change the password. Maybe the password policy was not met?'; +$lang['userchangefail'] = 'Failed to change user attributes. Maybe your account does not have permissions to make changes?'; +$lang['connectfail'] = 'Failed to connect to Active Directory server.'; + +//Setup VIM: ex: et ts=4 : diff --git a/platform/www/lib/plugins/authad/lang/en/settings.php b/platform/www/lib/plugins/authad/lang/en/settings.php new file mode 100644 index 0000000..3de9a72 --- /dev/null +++ b/platform/www/lib/plugins/authad/lang/en/settings.php @@ -0,0 +1,18 @@ +<?php + +$lang['account_suffix'] = 'Your account suffix. Eg. <code>@my.domain.org</code>'; +$lang['base_dn'] = 'Your base DN. Eg. <code>DC=my,DC=domain,DC=org</code>'; +$lang['domain_controllers'] = 'A comma separated list of Domain controllers. Eg. <code>srv1.domain.org,srv2.domain.org</code>'; +$lang['admin_username'] = 'A privileged Active Directory user with access to all other user\'s data. Optional, but needed for certain actions like sending subscription mails.'; +$lang['admin_password'] = 'The password of the above user.'; +$lang['sso'] = 'Should Single-Sign-On via Kerberos or NTLM be used?'; +$lang['sso_charset'] = 'The charset your webserver will pass the Kerberos or NTLM username in. Empty for UTF-8 or latin-1. Requires the iconv extension.'; +$lang['real_primarygroup'] = 'Should the real primary group be resolved instead of assuming "Domain Users" (slower).'; +$lang['use_ssl'] = 'Use SSL connection? If used, do not enable TLS below.'; +$lang['use_tls'] = 'Use TLS connection? If used, do not enable SSL above.'; +$lang['debug'] = 'Display additional debugging output on errors?'; +$lang['expirywarn'] = 'Days in advance to warn user about expiring password. 0 to disable.'; +$lang['additional'] = 'A comma separated list of additional AD attributes to fetch from user data. Used by some plugins.'; +$lang['update_name'] = 'Allow users to update their AD display name?'; +$lang['update_mail'] = 'Allow users to update their email address?'; +$lang['recursive_groups'] = 'Resolve nested groups to their respective members (slower).'; diff --git a/platform/www/lib/plugins/authad/plugin.info.txt b/platform/www/lib/plugins/authad/plugin.info.txt new file mode 100644 index 0000000..57e1387 --- /dev/null +++ b/platform/www/lib/plugins/authad/plugin.info.txt @@ -0,0 +1,7 @@ +base authad +author Andreas Gohr +email andi@splitbrain.org +date 2015-07-13 +name Active Directory Auth Plugin +desc Provides user authentication against a Microsoft Active Directory +url http://www.dokuwiki.org/plugin:authad |