diff options
Diffstat (limited to 'inc/auth_ldap.php')
-rw-r--r-- | inc/auth_ldap.php | 137 |
1 files changed, 137 insertions, 0 deletions
diff --git a/inc/auth_ldap.php b/inc/auth_ldap.php new file mode 100644 index 000000000..2872e710f --- /dev/null +++ b/inc/auth_ldap.php @@ -0,0 +1,137 @@ +<?php +/** + * This is used to authenticate against an LDAP server + * + * tested with openldap 2.x on Debian only + * + * PHPs LDAP extension is needed + */ + +/** + * connects to the ldap server and holds the connection + * in global scope for multiple use + */ +function auth_ldap_connect(){ + global $LDAP_CONNECTION; + global $conf; + $cnf = $conf['auth']['ldap']; + + if(!$LDAP_CONNECTION){ + $LDAP_CONNECTION = @ldap_connect($cnf['server']); + if(!$LDAP_CONNECTION){ + msg("LDAP: couldn't connect to LDAP server",-1); + return false; + } + if($cnf['version']){ + if(!@ldap_set_option($LDAP_CONNECTION, + LDAP_OPT_PROTOCOL_VERSION, + $cnf['version'])){ + msg('Setting LDAP Protocol version '.$cnf['version'].' failed',-1); + } + } + } + return $LDAP_CONNECTION; +} + +/** + * required auth function + * + * Checks if the given user exists and the given + * plaintext password is correct + * + * It does so by trying to connect to the LDAP server + */ +function auth_checkPass($user,$pass){ + global $conf; + $cnf = $conf['auth']['ldap']; + + //connect to LDAP Server + $conn = auth_ldap_connect(); + if(!$conn) return false; + + //get dn for given user + $info = auth_getUserData($user); + $dn = $info['dn']; + if(!$dn) return false; + + //try to bind with dn + if(@ldap_bind($conn,$dn,$pass)){ + return true; + } + return false; +} + +/** + * Required auth function + * + * Returns info about the given user needs to contain + * at least these fields: + * + * name string full name of the user + * mail string email addres of the user + * grps array list of groups the user is in + * + * This LDAP specific function returns the following + * addional fields + * + * dn string distinguished name (DN) + * uid string Posix User ID + */ +function auth_getUserData($user){ + global $conf; + $cnf = $conf['auth']['ldap']; + + //connect to LDAP Server + $conn = auth_ldap_connect(); + if(!$conn) return false; + + //anonymous bind to lookup userdata + if(!@ldap_bind($conn)){ + msg("LDAP: can not bind anonymously",-1); + return false; + } + + //get info for given user + $filter = str_replace('%u',$user,$cnf['userfilter']); + $base = str_replace('%u',$user,$cnf['usertree']); + $sr = ldap_search($conn, $base, $filter);; + $result = ldap_get_entries($conn, $sr); + if($result['count'] != 1){ + return false; //user not found + } + + //general user info + $info['dn'] = $result[0]['dn']; + $info['mail']= $result[0]['mail'][0]; + $info['name']= $result[0]['cn'][0]; + $info['uid'] = $result[0]['uid'][0]; + + //primary group id + $gid = $result[0]['gidnumber'][0]; + + //get groups for given user + $filter = "(&(objectClass=posixGroup)(|(gidNumber=$gid)(memberUID=".$info['uid'].")))"; + $sr = @ldap_search($conn, $cnf['grouptree'], $filter); + if(!$sr){ + msg("LDAP: Reading group memberships failed",-1); + return false; + } + $result = ldap_get_entries($conn, $sr); + foreach($result as $grp){ + if(!empty($grp['cn'][0])) + $info['grps'][] = $grp['cn'][0]; + } + return $info; +} + +/** + * Required auth function + * + * Not implemented + */ +function auth_createUser($user,$name,$mail){ + msg("Sorry. Creating users is not supported by the LDAP backend",-1); + return null; +} + +?> |