summaryrefslogtreecommitdiff
path: root/lib/plugins/authad/auth.php
diff options
context:
space:
mode:
Diffstat (limited to 'lib/plugins/authad/auth.php')
-rw-r--r--lib/plugins/authad/auth.php459
1 files changed, 312 insertions, 147 deletions
diff --git a/lib/plugins/authad/auth.php b/lib/plugins/authad/auth.php
index 70d3cfb8c..35c19f471 100644
--- a/lib/plugins/authad/auth.php
+++ b/lib/plugins/authad/auth.php
@@ -1,10 +1,4 @@
<?php
-/**
- * Plugin auth provider
- *
- * @license GPL 2 (http://www.gnu.org/licenses/gpl.html)
- * @author Jan Schumann <js@schumann-it.com>
- */
// must be run within Dokuwiki
if(!defined('DOKU_INC')) die();
@@ -25,94 +19,101 @@ require_once(DOKU_INC.'inc/adLDAP.php');
* $conf['authtype'] = 'authad';
* $conf['passcrypt'] = 'ssha';
*
- * $conf['plugin']['authad']['account_suffix'] = '@my.domain.org';
- * $conf['plugin']['authad']['base_dn'] = 'DC=my,DC=domain,DC=org';
- * $conf['plugin']['authad']['domain_controllers'] = 'srv1.domain.org,srv2.domain.org';
+ * $conf['auth']['ad']['account_suffix'] = '
+ *
+ * @my.domain.org';
+ * $conf['auth']['ad']['base_dn'] = 'DC=my,DC=domain,DC=org';
+ * $conf['auth']['ad']['domain_controllers'] = 'srv1.domain.org,srv2.domain.org';
*
* //optional:
- * $conf['plugin']['authad']['sso'] = 1;
- * $conf['plugin']['authad']['ad_username'] = 'root';
- * $conf['plugin']['authad']['ad_password'] = 'pass';
- * $conf['plugin']['authad']['real_primarygroup'] = 1;
- * $conf['plugin']['authad']['use_ssl'] = 1;
- * $conf['plugin']['authad']['use_tls'] = 1;
- * $conf['plugin']['authad']['debug'] = 1;
+ * $conf['auth']['ad']['sso'] = 1;
+ * $conf['auth']['ad']['ad_username'] = 'root';
+ * $conf['auth']['ad']['ad_password'] = 'pass';
+ * $conf['auth']['ad']['real_primarygroup'] = 1;
+ * $conf['auth']['ad']['use_ssl'] = 1;
+ * $conf['auth']['ad']['use_tls'] = 1;
+ * $conf['auth']['ad']['debug'] = 1;
+ * // warn user about expiring password this many days in advance:
+ * $conf['auth']['ad']['expirywarn'] = 5;
*
* // get additional information to the userinfo array
* // add a list of comma separated ldap contact fields.
* $conf['plugin']['authad']['additional'] = 'field1,field2';
*
- * @license GPL 2 (http://www.gnu.org/licenses/gpl.html)
- * @author James Van Lommel <jamesvl@gmail.com>
- * @link http://www.nosq.com/blog/2005/08/ldap-activedirectory-and-dokuwiki/
- * @author Andreas Gohr <andi@splitbrain.org>
- * @author Jan Schumann <js@schumann-it.com>
+ * @license GPL 2 (http://www.gnu.org/licenses/gpl.html)
+ * @author James Van Lommel <jamesvl@gmail.com>
+ * @link http://www.nosq.com/blog/2005/08/ldap-activedirectory-and-dokuwiki/
+ * @author Andreas Gohr <andi@splitbrain.org>
+ * @author Jan Schumann <js@schumann-it.com>
*/
-class auth_plugin_authad extends DokuWiki_Auth_Plugin
-{
- var $cnf = null;
- var $opts = null;
- var $adldap = null;
- var $users = null;
+
+require_once(DOKU_INC.'inc/adLDAP/adLDAP.php');
+
+class auth_plugin_authad extends DokuWiki_Auth_Plugin {
+ /**
+ * @var array copy of the auth backend configuration
+ */
+ protected $cnf = array();
+ /**
+ * @var array hold connection data for a specific AD domain
+ */
+ protected $opts = array();
+ /**
+ * @var array open connections for each AD domain, as adLDAP objects
+ */
+ protected $adldap = array();
+
+ /**
+ * @var bool message state
+ */
+ protected $msgshown = false;
+
+ /**
+ * @var array user listing cache
+ */
+ protected $users = array();
+
+ /**
+ * @var array filter patterns for listing users
+ */
+ protected $_pattern = array();
/**
* Constructor
*/
- function auth_plugin_authad() {
+ public function __construct() {
global $conf;
$this->cnf = $conf['auth']['ad'];
-
// additional information fields
- if (isset($this->cnf['additional'])) {
+ if(isset($this->cnf['additional'])) {
$this->cnf['additional'] = str_replace(' ', '', $this->cnf['additional']);
$this->cnf['additional'] = explode(',', $this->cnf['additional']);
} else $this->cnf['additional'] = array();
// ldap extension is needed
- if (!function_exists('ldap_connect')) {
- if ($this->cnf['debug'])
- msg("AD Auth: PHP LDAP extension not found.",-1);
+ if(!function_exists('ldap_connect')) {
+ if($this->cnf['debug'])
+ msg("AD Auth: PHP LDAP extension not found.", -1);
$this->success = false;
return;
}
// Prepare SSO
- if($_SERVER['REMOTE_USER'] && $this->cnf['sso']){
- // remove possible NTLM domain
- list($dom,$usr) = explode('\\',$_SERVER['REMOTE_USER'],2);
- if(!$usr) $usr = $dom;
-
- // remove possible Kerberos domain
- list($usr,$dom) = explode('@',$usr);
-
- $dom = strtolower($dom);
- $_SERVER['REMOTE_USER'] = $usr;
-
- // we need to simulate a login
- if(empty($_COOKIE[DOKU_COOKIE])){
- $_REQUEST['u'] = $_SERVER['REMOTE_USER'];
- $_REQUEST['p'] = 'sso_only';
- }
+ if(!utf8_check($_SERVER['REMOTE_USER'])) {
+ $_SERVER['REMOTE_USER'] = utf8_encode($_SERVER['REMOTE_USER']);
}
+ if($_SERVER['REMOTE_USER'] && $this->cnf['sso']) {
+ $_SERVER['REMOTE_USER'] = $this->cleanUser($_SERVER['REMOTE_USER']);
- // prepare adLDAP standard configuration
- $this->opts = $this->cnf;
-
- // add possible domain specific configuration
- if($dom && is_array($this->cnf[$dom])) foreach($this->cnf[$dom] as $key => $val){
- $this->opts[$key] = $val;
+ // we need to simulate a login
+ if(empty($_COOKIE[DOKU_COOKIE])) {
+ $_REQUEST['u'] = $_SERVER['REMOTE_USER'];
+ $_REQUEST['p'] = 'sso_only';
+ }
}
- // handle multiple AD servers
- $this->opts['domain_controllers'] = explode(',',$this->opts['domain_controllers']);
- $this->opts['domain_controllers'] = array_map('trim',$this->opts['domain_controllers']);
- $this->opts['domain_controllers'] = array_filter($this->opts['domain_controllers']);
-
- // we can change the password if SSL is set
- if($this->opts['use_ssl'] || $this->opts['use_tls']){
- $this->cando['modPass'] = true;
- }
+ // other can do's are changed in $this->_loadServerConfig() base on domain setup
$this->cando['modName'] = true;
$this->cando['modMail'] = true;
}
@@ -125,15 +126,20 @@ class auth_plugin_authad extends DokuWiki_Auth_Plugin
* to the LDAP server
*
* @author James Van Lommel <james@nosq.com>
+ * @param string $user
+ * @param string $pass
* @return bool
*/
- function checkPass($user, $pass){
+ public function checkPass($user, $pass) {
if($_SERVER['REMOTE_USER'] &&
- $_SERVER['REMOTE_USER'] == $user &&
- $this->cnf['sso']) return true;
+ $_SERVER['REMOTE_USER'] == $user &&
+ $this->cnf['sso']
+ ) return true;
- if(!$this->_init()) return false;
- return $this->adldap->authenticate($user, $pass);
+ $adldap = $this->_adldap($this->_userDomain($user));
+ if(!$adldap) return false;
+
+ return $adldap->authenticate($this->_userName($user), $pass);
}
/**
@@ -142,57 +148,103 @@ class auth_plugin_authad extends DokuWiki_Auth_Plugin
* Returns info about the given user needs to contain
* at least these fields:
*
- * name string full name of the user
- * mail string email address of the user
- * grps array list of groups the user is in
+ * name string full name of the user
+ * mail string email address of the user
+ * grps array list of groups the user is in
*
- * This LDAP specific function returns the following
+ * This AD specific function returns the following
* addional fields:
*
- * dn string distinguished name (DN)
- * uid string Posix User ID
+ * dn string distinguished name (DN)
+ * uid string samaccountname
+ * lastpwd int timestamp of the date when the password was set
+ * expires true if the password expires
+ * expiresin int seconds until the password expires
+ * any fields specified in the 'additional' config option
*
* @author James Van Lommel <james@nosq.com>
+ * @param string $user
+ * @return array
*/
- function getUserData($user){
+ public function getUserData($user) {
global $conf;
- if(!$this->_init()) return false;
+ global $lang;
+ global $ID;
+ $adldap = $this->_adldap($this->_userDomain($user));
+ if(!$adldap) return false;
+
+ if($user == '') return array();
- $fields = array('mail','displayname','samaccountname');
+ $fields = array('mail', 'displayname', 'samaccountname', 'lastpwd', 'pwdlastset', 'useraccountcontrol');
// add additional fields to read
$fields = array_merge($fields, $this->cnf['additional']);
$fields = array_unique($fields);
//get info for given user
- $result = $this->adldap->user_info($user, $fields);
+ $result = $this->adldap->user()->info($this->_userName($user), $fields);
+ if($result == false){
+ return array();
+ }
+
//general user info
$info['name'] = $result[0]['displayname'][0];
$info['mail'] = $result[0]['mail'][0];
$info['uid'] = $result[0]['samaccountname'][0];
$info['dn'] = $result[0]['dn'];
+ //last password set (Windows counts from January 1st 1601)
+ $info['lastpwd'] = $result[0]['pwdlastset'][0] / 10000000 - 11644473600;
+ //will it expire?
+ $info['expires'] = !($result[0]['useraccountcontrol'][0] & 0x10000); //ADS_UF_DONT_EXPIRE_PASSWD
// additional information
- foreach ($this->cnf['additional'] as $field) {
- if (isset($result[0][strtolower($field)])) {
+ foreach($this->cnf['additional'] as $field) {
+ if(isset($result[0][strtolower($field)])) {
$info[$field] = $result[0][strtolower($field)][0];
}
}
// handle ActiveDirectory memberOf
- $info['grps'] = $this->adldap->user_groups($user,(bool) $this->opts['recursive_groups']);
+ $info['grps'] = $this->adldap->user()->groups($this->_userName($user),(bool) $this->opts['recursive_groups']);
- if (is_array($info['grps'])) {
- foreach ($info['grps'] as $ndx => $group) {
+ if(is_array($info['grps'])) {
+ foreach($info['grps'] as $ndx => $group) {
$info['grps'][$ndx] = $this->cleanGroup($group);
}
}
// always add the default group to the list of groups
- if(!is_array($info['grps']) || !in_array($conf['defaultgroup'],$info['grps'])){
+ if(!is_array($info['grps']) || !in_array($conf['defaultgroup'], $info['grps'])) {
$info['grps'][] = $conf['defaultgroup'];
}
+ // add the user's domain to the groups
+ $domain = $this->_userDomain($user);
+ if($domain && !in_array("domain-$domain", (array) $info['grps'])) {
+ $info['grps'][] = $this->cleanGroup("domain-$domain");
+ }
+
+ // check expiry time
+ if($info['expires'] && $this->cnf['expirywarn']){
+ $timeleft = $this->adldap->user()->passwordExpiry($user); // returns unixtime
+ $timeleft = round($timeleft/(24*60*60));
+ $info['expiresin'] = $timeleft;
+
+ // if this is the current user, warn him (once per request only)
+ if(($_SERVER['REMOTE_USER'] == $user) &&
+ ($timeleft <= $this->cnf['expirywarn']) &&
+ !$this->msgshown
+ ) {
+ $msg = sprintf($lang['authpwdexpire'], $timeleft);
+ if($this->canDo('modPass')) {
+ $url = wl($ID, array('do'=> 'profile'));
+ $msg .= ' <a href="'.$url.'">'.$lang['btn_profile'].'</a>';
+ }
+ msg($msg);
+ $this->msgshown = true;
+ }
+ }
+
return $info;
}
@@ -202,25 +254,56 @@ class auth_plugin_authad extends DokuWiki_Auth_Plugin
* Removes backslashes ('\'), pound signs ('#'), and converts spaces to underscores.
*
* @author James Van Lommel (jamesvl@gmail.com)
+ * @param string $group
+ * @return string
*/
- function cleanGroup($name) {
- $sName = str_replace('\\', '', $name);
- $sName = str_replace('#', '', $sName);
- $sName = preg_replace('[\s]', '_', $sName);
- return $sName;
+ public function cleanGroup($group) {
+ $group = str_replace('\\', '', $group);
+ $group = str_replace('#', '', $group);
+ $group = preg_replace('[\s]', '_', $group);
+ $group = utf8_strtolower(trim($group));
+ return $group;
}
/**
* Sanitize user names
+ *
+ * Normalizes domain parts, does not modify the user name itself (unlike cleanGroup)
+ *
+ * @author Andreas Gohr <gohr@cosmocode.de>
+ * @param string $user
+ * @return string
*/
- function cleanUser($name) {
- return $this->cleanGroup($name);
+ public function cleanUser($user) {
+ $domain = '';
+
+ // get NTLM or Kerberos domain part
+ list($dom, $user) = explode('\\', $user, 2);
+ if(!$user) $user = $dom;
+ if($dom) $domain = $dom;
+ list($user, $dom) = explode('@', $user, 2);
+ if($dom) $domain = $dom;
+
+ // clean up both
+ $domain = utf8_strtolower(trim($domain));
+ $user = utf8_strtolower(trim($user));
+
+ // is this a known, valid domain? if not discard
+ if(!is_array($this->cnf[$domain])) {
+ $domain = '';
+ }
+
+ // reattach domain
+ if($domain) $user = "$user@$domain";
+ return $user;
}
/**
* Most values in LDAP are case-insensitive
+ *
+ * @return bool
*/
- function isCaseSensitive(){
+ public function isCaseSensitive() {
return false;
}
@@ -228,36 +311,37 @@ class auth_plugin_authad extends DokuWiki_Auth_Plugin
* Bulk retrieval of user data
*
* @author Dominik Eckelmann <dokuwiki@cosmocode.de>
- * @param start index of first user to be returned
- * @param limit max number of users to be returned
- * @param filter array of field/pattern pairs, null for no filter
- * @return array of userinfo (refer getUserData for internal userinfo details)
+ * @param int $start index of first user to be returned
+ * @param int $limit max number of users to be returned
+ * @param array $filter array of field/pattern pairs, null for no filter
+ * @return array userinfo (refer getUserData for internal userinfo details)
*/
- function retrieveUsers($start=0,$limit=-1,$filter=array()) {
- if(!$this->_init()) return false;
+ public function retrieveUsers($start = 0, $limit = -1, $filter = array()) {
+ $adldap = $this->_adldap(null);
+ if(!$adldap) return false;
- if ($this->users === null) {
+ if($this->users === null) {
//get info for given user
- $result = $this->adldap->all_users();
+ $result = $this->adldap->user()->all();
if (!$result) return array();
$this->users = array_fill_keys($result, false);
}
- $i = 0;
+ $i = 0;
$count = 0;
$this->_constructPattern($filter);
$result = array();
- foreach ($this->users as $user => &$info) {
- if ($i++ < $start) {
+ foreach($this->users as $user => &$info) {
+ if($i++ < $start) {
continue;
}
- if ($info === false) {
+ if($info === false) {
$info = $this->getUserData($user);
}
- if ($this->_filter($user, $info)) {
+ if($this->_filter($user, $info)) {
$result[$user] = $info;
- if (($limit >= 0) && (++$count >= $limit)) break;
+ if(($limit >= 0) && (++$count >= $limit)) break;
}
}
return $result;
@@ -266,39 +350,41 @@ class auth_plugin_authad extends DokuWiki_Auth_Plugin
/**
* Modify user data
*
- * @param $user nick of the user to be changed
- * @param $changes array of field/value pairs to be changed
+ * @param string $user nick of the user to be changed
+ * @param array $changes array of field/value pairs to be changed
* @return bool
- */
- function modifyUser($user, $changes) {
+ */
+ public function modifyUser($user, $changes) {
$return = true;
+ $adldap = $this->_adldap($this->_userDomain($user));
+ if(!$adldap) return false;
// password changing
- if(isset($changes['pass'])){
+ if(isset($changes['pass'])) {
try {
- $return = $this->adldap->user_password($user,$changes['pass']);
+ $return = $this->adldap->user()->password($this->_userName($user),$changes['pass']);
} catch (adLDAPException $e) {
if ($this->cnf['debug']) msg('AD Auth: '.$e->getMessage(), -1);
$return = false;
}
- if(!$return) msg('AD Auth: failed to change the password. Maybe the password policy was not met?',-1);
+ if(!$return) msg('AD Auth: failed to change the password. Maybe the password policy was not met?', -1);
}
// changing user data
$adchanges = array();
- if(isset($changes['name'])){
+ if(isset($changes['name'])) {
// get first and last name
- $parts = explode(' ',$changes['name']);
- $adchanges['surname'] = array_pop($parts);
- $adchanges['firstname'] = join(' ',$parts);
+ $parts = explode(' ', $changes['name']);
+ $adchanges['surname'] = array_pop($parts);
+ $adchanges['firstname'] = join(' ', $parts);
$adchanges['display_name'] = $changes['name'];
}
- if(isset($changes['mail'])){
+ if(isset($changes['mail'])) {
$adchanges['email'] = $changes['mail'];
}
- if(count($adchanges)){
+ if(count($adchanges)) {
try {
- $return = $return & $this->adldap->user_modify($user,$adchanges);
+ $return = $return & $this->adldap->user()->modify($this->_userName($user),$adchanges);
} catch (adLDAPException $e) {
if ($this->cnf['debug']) msg('AD Auth: '.$e->getMessage(), -1);
$return = false;
@@ -310,50 +396,129 @@ class auth_plugin_authad extends DokuWiki_Auth_Plugin
/**
* Initialize the AdLDAP library and connect to the server
+ *
+ * When you pass null as domain, it will reuse any existing domain.
+ * Eg. the one of the logged in user. It falls back to the default
+ * domain if no current one is available.
+ *
+ * @param string|null $domain The AD domain to use
+ * @return adLDAP|bool true if a connection was established
*/
- function _init(){
- if(!is_null($this->adldap)) return true;
+ protected function _adldap($domain) {
+ if(is_null($domain) && is_array($this->opts)) {
+ $domain = $this->opts['domain'];
+ }
+
+ $this->opts = $this->_loadServerConfig((string) $domain);
+ if(isset($this->adldap[$domain])) return $this->adldap[$domain];
// connect
try {
- $this->adldap = new adLDAP($this->opts);
- if (isset($this->opts['ad_username']) && isset($this->opts['ad_password'])) {
- $this->canDo['getUsers'] = true;
- }
- return true;
- } catch (adLDAPException $e) {
- if ($this->cnf['debug']) {
+ $this->adldap[$domain] = new adLDAP($this->opts);
+ return $this->adldap[$domain];
+ } catch(adLDAPException $e) {
+ if($this->cnf['debug']) {
msg('AD Auth: '.$e->getMessage(), -1);
}
- $this->success = false;
- $this->adldap = null;
+ $this->success = false;
+ $this->adldap[$domain] = null;
}
return false;
}
/**
- * return 1 if $user + $info match $filter criteria, 0 otherwise
+ * Get the domain part from a user
+ *
+ * @param $user
+ * @return string
+ */
+ public function _userDomain($user) {
+ list(, $domain) = explode('@', $user, 2);
+ return $domain;
+ }
+
+ /**
+ * Get the user part from a user
+ *
+ * @param $user
+ * @return string
+ */
+ public function _userName($user) {
+ list($name) = explode('@', $user, 2);
+ return $name;
+ }
+
+ /**
+ * Fetch the configuration for the given AD domain
+ *
+ * @param string $domain current AD domain
+ * @return array
+ */
+ protected function _loadServerConfig($domain) {
+ // prepare adLDAP standard configuration
+ $opts = $this->cnf;
+
+ $opts['domain'] = $domain;
+
+ // add possible domain specific configuration
+ if($domain && is_array($this->cnf[$domain])) foreach($this->cnf[$domain] as $key => $val) {
+ $opts[$key] = $val;
+ }
+
+ // handle multiple AD servers
+ $opts['domain_controllers'] = explode(',', $opts['domain_controllers']);
+ $opts['domain_controllers'] = array_map('trim', $opts['domain_controllers']);
+ $opts['domain_controllers'] = array_filter($opts['domain_controllers']);
+
+ // we can change the password if SSL is set
+ if($opts['use_ssl'] || $opts['use_tls']) {
+ $this->cando['modPass'] = true;
+ } else {
+ $this->cando['modPass'] = false;
+ }
+
+ if(isset($opts['ad_username']) && isset($opts['ad_password'])) {
+ $this->cando['getUsers'] = true;
+ } else {
+ $this->cando['getUsers'] = true;
+ }
+
+ return $opts;
+ }
+
+ /**
+ * Check provided user and userinfo for matching patterns
+ *
+ * The patterns are set up with $this->_constructPattern()
*
- * @author Chris Smith <chris@jalakai.co.uk>
+ * @author Chris Smith <chris@jalakai.co.uk>
+ * @param string $user
+ * @param array $info
+ * @return bool
*/
- function _filter($user, $info) {
- foreach ($this->_pattern as $item => $pattern) {
- if ($item == 'user') {
- if (!preg_match($pattern, $user)) return 0;
- } else if ($item == 'grps') {
- if (!count(preg_grep($pattern, $info['grps']))) return 0;
+ protected function _filter($user, $info) {
+ foreach($this->_pattern as $item => $pattern) {
+ if($item == 'user') {
+ if(!preg_match($pattern, $user)) return false;
+ } else if($item == 'grps') {
+ if(!count(preg_grep($pattern, $info['grps']))) return false;
} else {
- if (!preg_match($pattern, $info[$item])) return 0;
+ if(!preg_match($pattern, $info[$item])) return false;
}
}
- return 1;
+ return true;
}
- function _constructPattern($filter) {
+ /**
+ * Create a pattern for $this->_filter()
+ *
+ * @author Chris Smith <chris@jalakai.co.uk>
+ * @param array $filter
+ */
+ protected function _constructPattern($filter) {
$this->_pattern = array();
- foreach ($filter as $item => $pattern) {
-// $this->_pattern[$item] = '/'.preg_quote($pattern,"/").'/i'; // don't allow regex characters
- $this->_pattern[$item] = '/'.str_replace('/','\/',$pattern).'/i'; // allow regex characters
+ foreach($filter as $item => $pattern) {
+ $this->_pattern[$item] = '/'.str_replace('/', '\/', $pattern).'/i'; // allow regex characters
}
}
-} \ No newline at end of file
+}
generated by cgit v1.2.3 (git 2.25.1) at 2025-05-10 08:49:57 +0000