From ccfec5606dae81e6524f6cfcdaca09d4cde7f111 Mon Sep 17 00:00:00 2001 From: Anika Henke Date: Sat, 7 Dec 2013 23:10:05 +0000 Subject: crlf 2 lf whitespace fixes --- .../authad/adLDAP/classes/adLDAPComputers.php | 304 ++--- .../authad/adLDAP/classes/adLDAPContacts.php | 588 ++++----- .../authad/adLDAP/classes/adLDAPExchange.php | 778 +++++------ .../authad/adLDAP/classes/adLDAPFolders.php | 356 ++--- lib/plugins/authad/adLDAP/classes/adLDAPGroups.php | 1262 +++++++++--------- lib/plugins/authad/adLDAP/classes/adLDAPUsers.php | 1364 ++++++++++---------- lib/plugins/authad/adLDAP/classes/adLDAPUtils.php | 526 ++++---- 7 files changed, 2589 insertions(+), 2589 deletions(-) (limited to 'lib/plugins/authad/adLDAP/classes') diff --git a/lib/plugins/authad/adLDAP/classes/adLDAPComputers.php b/lib/plugins/authad/adLDAP/classes/adLDAPComputers.php index 71b24a04f..aabd88fa5 100644 --- a/lib/plugins/authad/adLDAP/classes/adLDAPComputers.php +++ b/lib/plugins/authad/adLDAP/classes/adLDAPComputers.php @@ -1,153 +1,153 @@ -adldap = $adldap; - } - - /** - * Get information about a specific computer. Returned in a raw array format from AD - * - * @param string $computerName The name of the computer - * @param array $fields Attributes to return - * @return array - */ - public function info($computerName, $fields = NULL) - { - if ($computerName === NULL) { return false; } - if (!$this->adldap->getLdapBind()) { return false; } - - $filter = "(&(objectClass=computer)(cn=" . $computerName . "))"; - if ($fields === NULL) { - $fields = array("memberof","cn","displayname","dnshostname","distinguishedname","objectcategory","operatingsystem","operatingsystemservicepack","operatingsystemversion"); - } - $sr = ldap_search($this->adldap->getLdapConnection(), $this->adldap->getBaseDn(), $filter, $fields); - $entries = ldap_get_entries($this->adldap->getLdapConnection(), $sr); - - return $entries; - } - - /** - * Find information about the computers. Returned in a raw array format from AD - * - * @param string $computerName The name of the computer - * @param array $fields Array of parameters to query - * @return mixed - */ - public function infoCollection($computerName, $fields = NULL) - { - if ($computerName === NULL) { return false; } - if (!$this->adldap->getLdapBind()) { return false; } - - $info = $this->info($computerName, $fields); - - if ($info !== false) { - $collection = new adLDAPComputerCollection($info, $this->adldap); - return $collection; - } - return false; - } - - /** - * Check if a computer is in a group - * - * @param string $computerName The name of the computer - * @param string $group The group to check - * @param bool $recursive Whether to check recursively - * @return array - */ - public function inGroup($computerName, $group, $recursive = NULL) - { - if ($computerName === NULL) { return false; } - if ($group === NULL) { return false; } - if (!$this->adldap->getLdapBind()) { return false; } - if ($recursive === NULL) { $recursive = $this->adldap->getRecursiveGroups(); } // use the default option if they haven't set it - - //get a list of the groups - $groups = $this->groups($computerName, array("memberof"), $recursive); - - //return true if the specified group is in the group list - if (in_array($group, $groups)){ - return true; - } - - return false; - } - - /** - * Get the groups a computer is in - * - * @param string $computerName The name of the computer - * @param bool $recursive Whether to check recursively - * @return array - */ - public function groups($computerName, $recursive = NULL) - { - if ($computerName === NULL) { return false; } - if ($recursive === NULL) { $recursive = $this->adldap->getRecursiveGroups(); } //use the default option if they haven't set it - if (!$this->adldap->getLdapBind()){ return false; } - - //search the directory for their information - $info = @$this->info($computerName, array("memberof", "primarygroupid")); - $groups = $this->adldap->utilities()->niceNames($info[0]["memberof"]); //presuming the entry returned is our guy (unique usernames) - - if ($recursive === true) { - foreach ($groups as $id => $groupName){ - $extraGroups = $this->adldap->group()->recursiveGroups($groupName); - $groups = array_merge($groups, $extraGroups); - } - } - - return $groups; - } - -} +adldap = $adldap; + } + + /** + * Get information about a specific computer. Returned in a raw array format from AD + * + * @param string $computerName The name of the computer + * @param array $fields Attributes to return + * @return array + */ + public function info($computerName, $fields = NULL) + { + if ($computerName === NULL) { return false; } + if (!$this->adldap->getLdapBind()) { return false; } + + $filter = "(&(objectClass=computer)(cn=" . $computerName . "))"; + if ($fields === NULL) { + $fields = array("memberof","cn","displayname","dnshostname","distinguishedname","objectcategory","operatingsystem","operatingsystemservicepack","operatingsystemversion"); + } + $sr = ldap_search($this->adldap->getLdapConnection(), $this->adldap->getBaseDn(), $filter, $fields); + $entries = ldap_get_entries($this->adldap->getLdapConnection(), $sr); + + return $entries; + } + + /** + * Find information about the computers. Returned in a raw array format from AD + * + * @param string $computerName The name of the computer + * @param array $fields Array of parameters to query + * @return mixed + */ + public function infoCollection($computerName, $fields = NULL) + { + if ($computerName === NULL) { return false; } + if (!$this->adldap->getLdapBind()) { return false; } + + $info = $this->info($computerName, $fields); + + if ($info !== false) { + $collection = new adLDAPComputerCollection($info, $this->adldap); + return $collection; + } + return false; + } + + /** + * Check if a computer is in a group + * + * @param string $computerName The name of the computer + * @param string $group The group to check + * @param bool $recursive Whether to check recursively + * @return array + */ + public function inGroup($computerName, $group, $recursive = NULL) + { + if ($computerName === NULL) { return false; } + if ($group === NULL) { return false; } + if (!$this->adldap->getLdapBind()) { return false; } + if ($recursive === NULL) { $recursive = $this->adldap->getRecursiveGroups(); } // use the default option if they haven't set it + + //get a list of the groups + $groups = $this->groups($computerName, array("memberof"), $recursive); + + //return true if the specified group is in the group list + if (in_array($group, $groups)){ + return true; + } + + return false; + } + + /** + * Get the groups a computer is in + * + * @param string $computerName The name of the computer + * @param bool $recursive Whether to check recursively + * @return array + */ + public function groups($computerName, $recursive = NULL) + { + if ($computerName === NULL) { return false; } + if ($recursive === NULL) { $recursive = $this->adldap->getRecursiveGroups(); } //use the default option if they haven't set it + if (!$this->adldap->getLdapBind()){ return false; } + + //search the directory for their information + $info = @$this->info($computerName, array("memberof", "primarygroupid")); + $groups = $this->adldap->utilities()->niceNames($info[0]["memberof"]); //presuming the entry returned is our guy (unique usernames) + + if ($recursive === true) { + foreach ($groups as $id => $groupName){ + $extraGroups = $this->adldap->group()->recursiveGroups($groupName); + $groups = array_merge($groups, $extraGroups); + } + } + + return $groups; + } + +} ?> \ No newline at end of file diff --git a/lib/plugins/authad/adLDAP/classes/adLDAPContacts.php b/lib/plugins/authad/adLDAP/classes/adLDAPContacts.php index addd3e5f0..42a0d756b 100644 --- a/lib/plugins/authad/adLDAP/classes/adLDAPContacts.php +++ b/lib/plugins/authad/adLDAP/classes/adLDAPContacts.php @@ -1,294 +1,294 @@ -adldap = $adldap; - } - - //***************************************************************************************************************** - // CONTACT FUNCTIONS - // * Still work to do in this area, and new functions to write - - /** - * Create a contact - * - * @param array $attributes The attributes to set to the contact - * @return bool - */ - public function create($attributes) - { - // Check for compulsory fields - if (!array_key_exists("display_name", $attributes)) { return "Missing compulsory field [display_name]"; } - if (!array_key_exists("email", $attributes)) { return "Missing compulsory field [email]"; } - if (!array_key_exists("container", $attributes)) { return "Missing compulsory field [container]"; } - if (!is_array($attributes["container"])) { return "Container attribute must be an array."; } - - // Translate the schema - $add = $this->adldap->adldap_schema($attributes); - - // Additional stuff only used for adding contacts - $add["cn"][0] = $attributes["display_name"]; - $add["objectclass"][0] = "top"; - $add["objectclass"][1] = "person"; - $add["objectclass"][2] = "organizationalPerson"; - $add["objectclass"][3] = "contact"; - if (!isset($attributes['exchange_hidefromlists'])) { - $add["msExchHideFromAddressLists"][0] = "TRUE"; - } - - // Determine the container - $attributes["container"] = array_reverse($attributes["container"]); - $container= "OU=" . implode(",OU=", $attributes["container"]); - - // Add the entry - $result = @ldap_add($this->adldap->getLdapConnection(), "CN=" . $this->adldap->utilities()->escapeCharacters($add["cn"][0]) . ", " . $container . "," . $this->adldap->getBaseDn(), $add); - if ($result != true) { - return false; - } - - return true; - } - - /** - * Determine the list of groups a contact is a member of - * - * @param string $distinguisedname The full DN of a contact - * @param bool $recursive Recursively check groups - * @return array - */ - public function groups($distinguishedName, $recursive = NULL) - { - if ($distinguishedName === NULL) { return false; } - if ($recursive === NULL) { $recursive = $this->adldap->getRecursiveGroups(); } //use the default option if they haven't set it - if (!$this->adldap->getLdapBind()){ return false; } - - // Search the directory for their information - $info = @$this->info($distinguishedName, array("memberof", "primarygroupid")); - $groups = $this->adldap->utilities()->niceNames($info[0]["memberof"]); //presuming the entry returned is our contact - - if ($recursive === true){ - foreach ($groups as $id => $groupName){ - $extraGroups = $this->adldap->group()->recursiveGroups($groupName); - $groups = array_merge($groups, $extraGroups); - } - } - - return $groups; - } - - /** - * Get contact information. Returned in a raw array format from AD - * - * @param string $distinguisedname The full DN of a contact - * @param array $fields Attributes to be returned - * @return array - */ - public function info($distinguishedName, $fields = NULL) - { - if ($distinguishedName === NULL) { return false; } - if (!$this->adldap->getLdapBind()) { return false; } - - $filter = "distinguishedName=" . $distinguishedName; - if ($fields === NULL) { - $fields = array("distinguishedname", "mail", "memberof", "department", "displayname", "telephonenumber", "primarygroupid", "objectsid"); - } - $sr = ldap_search($this->adldap->getLdapConnection(), $this->adldap->getBaseDn(), $filter, $fields); - $entries = ldap_get_entries($this->adldap->getLdapConnection(), $sr); - - if ($entries[0]['count'] >= 1) { - // AD does not return the primary group in the ldap query, we may need to fudge it - if ($this->adldap->getRealPrimaryGroup() && isset($entries[0]["primarygroupid"][0]) && isset($entries[0]["primarygroupid"][0])){ - //$entries[0]["memberof"][]=$this->group_cn($entries[0]["primarygroupid"][0]); - $entries[0]["memberof"][] = $this->adldap->group()->getPrimaryGroup($entries[0]["primarygroupid"][0], $entries[0]["objectsid"][0]); - } else { - $entries[0]["memberof"][] = "CN=Domain Users,CN=Users," . $this->adldap->getBaseDn(); - } - } - - $entries[0]["memberof"]["count"]++; - return $entries; - } - - /** - * Find information about the contacts. Returned in a raw array format from AD - * - * @param string $distinguishedName The full DN of a contact - * @param array $fields Array of parameters to query - * @return mixed - */ - public function infoCollection($distinguishedName, $fields = NULL) - { - if ($distinguishedName === NULL) { return false; } - if (!$this->adldap->getLdapBind()) { return false; } - - $info = $this->info($distinguishedName, $fields); - - if ($info !== false) { - $collection = new adLDAPContactCollection($info, $this->adldap); - return $collection; - } - return false; - } - - /** - * Determine if a contact is a member of a group - * - * @param string $distinguisedName The full DN of a contact - * @param string $group The group name to query - * @param bool $recursive Recursively check groups - * @return bool - */ - public function inGroup($distinguisedName, $group, $recursive = NULL) - { - if ($distinguisedName === NULL) { return false; } - if ($group === NULL) { return false; } - if (!$this->adldap->getLdapBind()) { return false; } - if ($recursive === NULL) { $recursive = $this->adldap->getRecursiveGroups(); } //use the default option if they haven't set it - - // Get a list of the groups - $groups = $this->groups($distinguisedName, array("memberof"), $recursive); - - // Return true if the specified group is in the group list - if (in_array($group, $groups)){ - return true; - } - - return false; - } - - /** - * Modify a contact - * - * @param string $distinguishedName The contact to query - * @param array $attributes The attributes to modify. Note if you set the enabled attribute you must not specify any other attributes - * @return bool - */ - public function modify($distinguishedName, $attributes) { - if ($distinguishedName === NULL) { return "Missing compulsory field [distinguishedname]"; } - - // Translate the update to the LDAP schema - $mod = $this->adldap->adldap_schema($attributes); - - // Check to see if this is an enabled status update - if (!$mod) { - return false; - } - - // Do the update - $result = ldap_modify($this->adldap->getLdapConnection(), $distinguishedName, $mod); - if ($result == false) { - return false; - } - - return true; - } - - /** - * Delete a contact - * - * @param string $distinguishedName The contact dn to delete (please be careful here!) - * @return array - */ - public function delete($distinguishedName) - { - $result = $this->folder()->delete($distinguishedName); - if ($result != true) { - return false; - } - return true; - } - - /** - * Return a list of all contacts - * - * @param bool $includeDescription Include a description of a contact - * @param string $search The search parameters - * @param bool $sorted Whether to sort the results - * @return array - */ - public function all($includeDescription = false, $search = "*", $sorted = true) { - if (!$this->adldap->getLdapBind()) { return false; } - - // Perform the search and grab all their details - $filter = "(&(objectClass=contact)(cn=" . $search . "))"; - $fields = array("displayname","distinguishedname"); - $sr = ldap_search($this->adldap->getLdapConnection(), $this->adldap->getBaseDn(), $filter, $fields); - $entries = ldap_get_entries($this->adldap->getLdapConnection(), $sr); - - $usersArray = array(); - for ($i=0; $i<$entries["count"]; $i++){ - if ($includeDescription && strlen($entries[$i]["displayname"][0])>0){ - $usersArray[$entries[$i]["distinguishedname"][0]] = $entries[$i]["displayname"][0]; - } elseif ($includeDescription){ - $usersArray[$entries[$i]["distinguishedname"][0]] = $entries[$i]["distinguishedname"][0]; - } else { - array_push($usersArray, $entries[$i]["distinguishedname"][0]); - } - } - if ($sorted) { - asort($usersArray); - } - return $usersArray; - } - - /** - * Mail enable a contact - * Allows email to be sent to them through Exchange - * - * @param string $distinguishedname The contact to mail enable - * @param string $emailaddress The email address to allow emails to be sent through - * @param string $mailnickname The mailnickname for the contact in Exchange. If NULL this will be set to the display name - * @return bool - */ - public function contactMailEnable($distinguishedName, $emailAddress, $mailNickname = NULL){ - return $this->adldap->exchange()->contactMailEnable($distinguishedName, $emailAddress, $mailNickname); - } - - -} -?> +adldap = $adldap; + } + + //***************************************************************************************************************** + // CONTACT FUNCTIONS + // * Still work to do in this area, and new functions to write + + /** + * Create a contact + * + * @param array $attributes The attributes to set to the contact + * @return bool + */ + public function create($attributes) + { + // Check for compulsory fields + if (!array_key_exists("display_name", $attributes)) { return "Missing compulsory field [display_name]"; } + if (!array_key_exists("email", $attributes)) { return "Missing compulsory field [email]"; } + if (!array_key_exists("container", $attributes)) { return "Missing compulsory field [container]"; } + if (!is_array($attributes["container"])) { return "Container attribute must be an array."; } + + // Translate the schema + $add = $this->adldap->adldap_schema($attributes); + + // Additional stuff only used for adding contacts + $add["cn"][0] = $attributes["display_name"]; + $add["objectclass"][0] = "top"; + $add["objectclass"][1] = "person"; + $add["objectclass"][2] = "organizationalPerson"; + $add["objectclass"][3] = "contact"; + if (!isset($attributes['exchange_hidefromlists'])) { + $add["msExchHideFromAddressLists"][0] = "TRUE"; + } + + // Determine the container + $attributes["container"] = array_reverse($attributes["container"]); + $container= "OU=" . implode(",OU=", $attributes["container"]); + + // Add the entry + $result = @ldap_add($this->adldap->getLdapConnection(), "CN=" . $this->adldap->utilities()->escapeCharacters($add["cn"][0]) . ", " . $container . "," . $this->adldap->getBaseDn(), $add); + if ($result != true) { + return false; + } + + return true; + } + + /** + * Determine the list of groups a contact is a member of + * + * @param string $distinguisedname The full DN of a contact + * @param bool $recursive Recursively check groups + * @return array + */ + public function groups($distinguishedName, $recursive = NULL) + { + if ($distinguishedName === NULL) { return false; } + if ($recursive === NULL) { $recursive = $this->adldap->getRecursiveGroups(); } //use the default option if they haven't set it + if (!$this->adldap->getLdapBind()){ return false; } + + // Search the directory for their information + $info = @$this->info($distinguishedName, array("memberof", "primarygroupid")); + $groups = $this->adldap->utilities()->niceNames($info[0]["memberof"]); //presuming the entry returned is our contact + + if ($recursive === true){ + foreach ($groups as $id => $groupName){ + $extraGroups = $this->adldap->group()->recursiveGroups($groupName); + $groups = array_merge($groups, $extraGroups); + } + } + + return $groups; + } + + /** + * Get contact information. Returned in a raw array format from AD + * + * @param string $distinguisedname The full DN of a contact + * @param array $fields Attributes to be returned + * @return array + */ + public function info($distinguishedName, $fields = NULL) + { + if ($distinguishedName === NULL) { return false; } + if (!$this->adldap->getLdapBind()) { return false; } + + $filter = "distinguishedName=" . $distinguishedName; + if ($fields === NULL) { + $fields = array("distinguishedname", "mail", "memberof", "department", "displayname", "telephonenumber", "primarygroupid", "objectsid"); + } + $sr = ldap_search($this->adldap->getLdapConnection(), $this->adldap->getBaseDn(), $filter, $fields); + $entries = ldap_get_entries($this->adldap->getLdapConnection(), $sr); + + if ($entries[0]['count'] >= 1) { + // AD does not return the primary group in the ldap query, we may need to fudge it + if ($this->adldap->getRealPrimaryGroup() && isset($entries[0]["primarygroupid"][0]) && isset($entries[0]["primarygroupid"][0])){ + //$entries[0]["memberof"][]=$this->group_cn($entries[0]["primarygroupid"][0]); + $entries[0]["memberof"][] = $this->adldap->group()->getPrimaryGroup($entries[0]["primarygroupid"][0], $entries[0]["objectsid"][0]); + } else { + $entries[0]["memberof"][] = "CN=Domain Users,CN=Users," . $this->adldap->getBaseDn(); + } + } + + $entries[0]["memberof"]["count"]++; + return $entries; + } + + /** + * Find information about the contacts. Returned in a raw array format from AD + * + * @param string $distinguishedName The full DN of a contact + * @param array $fields Array of parameters to query + * @return mixed + */ + public function infoCollection($distinguishedName, $fields = NULL) + { + if ($distinguishedName === NULL) { return false; } + if (!$this->adldap->getLdapBind()) { return false; } + + $info = $this->info($distinguishedName, $fields); + + if ($info !== false) { + $collection = new adLDAPContactCollection($info, $this->adldap); + return $collection; + } + return false; + } + + /** + * Determine if a contact is a member of a group + * + * @param string $distinguisedName The full DN of a contact + * @param string $group The group name to query + * @param bool $recursive Recursively check groups + * @return bool + */ + public function inGroup($distinguisedName, $group, $recursive = NULL) + { + if ($distinguisedName === NULL) { return false; } + if ($group === NULL) { return false; } + if (!$this->adldap->getLdapBind()) { return false; } + if ($recursive === NULL) { $recursive = $this->adldap->getRecursiveGroups(); } //use the default option if they haven't set it + + // Get a list of the groups + $groups = $this->groups($distinguisedName, array("memberof"), $recursive); + + // Return true if the specified group is in the group list + if (in_array($group, $groups)){ + return true; + } + + return false; + } + + /** + * Modify a contact + * + * @param string $distinguishedName The contact to query + * @param array $attributes The attributes to modify. Note if you set the enabled attribute you must not specify any other attributes + * @return bool + */ + public function modify($distinguishedName, $attributes) { + if ($distinguishedName === NULL) { return "Missing compulsory field [distinguishedname]"; } + + // Translate the update to the LDAP schema + $mod = $this->adldap->adldap_schema($attributes); + + // Check to see if this is an enabled status update + if (!$mod) { + return false; + } + + // Do the update + $result = ldap_modify($this->adldap->getLdapConnection(), $distinguishedName, $mod); + if ($result == false) { + return false; + } + + return true; + } + + /** + * Delete a contact + * + * @param string $distinguishedName The contact dn to delete (please be careful here!) + * @return array + */ + public function delete($distinguishedName) + { + $result = $this->folder()->delete($distinguishedName); + if ($result != true) { + return false; + } + return true; + } + + /** + * Return a list of all contacts + * + * @param bool $includeDescription Include a description of a contact + * @param string $search The search parameters + * @param bool $sorted Whether to sort the results + * @return array + */ + public function all($includeDescription = false, $search = "*", $sorted = true) { + if (!$this->adldap->getLdapBind()) { return false; } + + // Perform the search and grab all their details + $filter = "(&(objectClass=contact)(cn=" . $search . "))"; + $fields = array("displayname","distinguishedname"); + $sr = ldap_search($this->adldap->getLdapConnection(), $this->adldap->getBaseDn(), $filter, $fields); + $entries = ldap_get_entries($this->adldap->getLdapConnection(), $sr); + + $usersArray = array(); + for ($i=0; $i<$entries["count"]; $i++){ + if ($includeDescription && strlen($entries[$i]["displayname"][0])>0){ + $usersArray[$entries[$i]["distinguishedname"][0]] = $entries[$i]["displayname"][0]; + } elseif ($includeDescription){ + $usersArray[$entries[$i]["distinguishedname"][0]] = $entries[$i]["distinguishedname"][0]; + } else { + array_push($usersArray, $entries[$i]["distinguishedname"][0]); + } + } + if ($sorted) { + asort($usersArray); + } + return $usersArray; + } + + /** + * Mail enable a contact + * Allows email to be sent to them through Exchange + * + * @param string $distinguishedname The contact to mail enable + * @param string $emailaddress The email address to allow emails to be sent through + * @param string $mailnickname The mailnickname for the contact in Exchange. If NULL this will be set to the display name + * @return bool + */ + public function contactMailEnable($distinguishedName, $emailAddress, $mailNickname = NULL){ + return $this->adldap->exchange()->contactMailEnable($distinguishedName, $emailAddress, $mailNickname); + } + + +} +?> diff --git a/lib/plugins/authad/adLDAP/classes/adLDAPExchange.php b/lib/plugins/authad/adLDAP/classes/adLDAPExchange.php index dd0c6de05..d70aac779 100644 --- a/lib/plugins/authad/adLDAP/classes/adLDAPExchange.php +++ b/lib/plugins/authad/adLDAP/classes/adLDAPExchange.php @@ -1,390 +1,390 @@ -adldap = $adldap; - } - - /** - * Create an Exchange account - * - * @param string $username The username of the user to add the Exchange account to - * @param array $storageGroup The mailbox, Exchange Storage Group, for the user account, this must be a full CN - * If the storage group has a different base_dn to the adLDAP configuration, set it using $base_dn - * @param string $emailAddress The primary email address to add to this user - * @param string $mailNickname The mail nick name. If mail nickname is blank, the username will be used - * @param bool $mdbUseDefaults Indicates whether the store should use the default quota, rather than the per-mailbox quota. - * @param string $baseDn Specify an alternative base_dn for the Exchange storage group - * @param bool $isGUID Is the username passed a GUID or a samAccountName - * @return bool - */ - public function createMailbox($username, $storageGroup, $emailAddress, $mailNickname=NULL, $useDefaults=TRUE, $baseDn=NULL, $isGUID=false) - { - if ($username === NULL){ return "Missing compulsory field [username]"; } - if ($storageGroup === NULL) { return "Missing compulsory array [storagegroup]"; } - if (!is_array($storageGroup)) { return "[storagegroup] must be an array"; } - if ($emailAddress === NULL) { return "Missing compulsory field [emailAddress]"; } - - if ($baseDn === NULL) { - $baseDn = $this->adldap->getBaseDn(); - } - - $container = "CN=" . implode(",CN=", $storageGroup); - - if ($mailNickname === NULL) { - $mailNickname = $username; - } - $mdbUseDefaults = $this->adldap->utilities()->boolToString($useDefaults); - - $attributes = array( - 'exchange_homemdb'=>$container.",".$baseDn, - 'exchange_proxyaddress'=>'SMTP:' . $emailAddress, - 'exchange_mailnickname'=>$mailNickname, - 'exchange_usedefaults'=>$mdbUseDefaults - ); - $result = $this->adldap->user()->modify($username, $attributes, $isGUID); - if ($result == false) { - return false; - } - return true; - } - - /** - * Add an X400 address to Exchange - * See http://tools.ietf.org/html/rfc1685 for more information. - * An X400 Address looks similar to this X400:c=US;a= ;p=Domain;o=Organization;s=Doe;g=John; - * - * @param string $username The username of the user to add the X400 to to - * @param string $country Country - * @param string $admd Administration Management Domain - * @param string $pdmd Private Management Domain (often your AD domain) - * @param string $org Organization - * @param string $surname Surname - * @param string $givenName Given name - * @param bool $isGUID Is the username passed a GUID or a samAccountName - * @return bool - */ - public function addX400($username, $country, $admd, $pdmd, $org, $surname, $givenName, $isGUID=false) - { - if ($username === NULL){ return "Missing compulsory field [username]"; } - - $proxyValue = 'X400:'; - - // Find the dn of the user - $user = $this->adldap->user()->info($username, array("cn","proxyaddresses"), $isGUID); - if ($user[0]["dn"] === NULL) { return false; } - $userDn = $user[0]["dn"]; - - // We do not have to demote an email address from the default so we can just add the new proxy address - $attributes['exchange_proxyaddress'] = $proxyValue . 'c=' . $country . ';a=' . $admd . ';p=' . $pdmd . ';o=' . $org . ';s=' . $surname . ';g=' . $givenName . ';'; - - // Translate the update to the LDAP schema - $add = $this->adldap->adldap_schema($attributes); - - if (!$add) { return false; } - - // Do the update - // Take out the @ to see any errors, usually this error might occur because the address already - // exists in the list of proxyAddresses - $result = @ldap_mod_add($this->adldap->getLdapConnection(), $userDn, $add); - if ($result == false) { - return false; - } - - return true; - } - - /** - * Add an address to Exchange - * - * @param string $username The username of the user to add the Exchange account to - * @param string $emailAddress The email address to add to this user - * @param bool $default Make this email address the default address, this is a bit more intensive as we have to demote any existing default addresses - * @param bool $isGUID Is the username passed a GUID or a samAccountName - * @return bool - */ - public function addAddress($username, $emailAddress, $default = FALSE, $isGUID = false) - { - if ($username === NULL) { return "Missing compulsory field [username]"; } - if ($emailAddress === NULL) { return "Missing compulsory fields [emailAddress]"; } - - $proxyValue = 'smtp:'; - if ($default === true) { - $proxyValue = 'SMTP:'; - } - - // Find the dn of the user - $user = $this->adldap->user()->info($username, array("cn","proxyaddresses"), $isGUID); - if ($user[0]["dn"] === NULL){ return false; } - $userDn = $user[0]["dn"]; - - // We need to scan existing proxy addresses and demote the default one - if (is_array($user[0]["proxyaddresses"]) && $default === true) { - $modAddresses = array(); - for ($i=0;$iadldap->getLdapConnection(), $userDn, $modAddresses); - if ($result == false) { - return false; - } - - return true; - } - else { - // We do not have to demote an email address from the default so we can just add the new proxy address - $attributes['exchange_proxyaddress'] = $proxyValue . $emailAddress; - - // Translate the update to the LDAP schema - $add = $this->adldap->adldap_schema($attributes); - - if (!$add) { - return false; - } - - // Do the update - // Take out the @ to see any errors, usually this error might occur because the address already - // exists in the list of proxyAddresses - $result = @ldap_mod_add($this->adldap->getLdapConnection(), $userDn,$add); - if ($result == false) { - return false; - } - - return true; - } - } - - /** - * Remove an address to Exchange - * If you remove a default address the account will no longer have a default, - * we recommend changing the default address first - * - * @param string $username The username of the user to add the Exchange account to - * @param string $emailAddress The email address to add to this user - * @param bool $isGUID Is the username passed a GUID or a samAccountName - * @return bool - */ - public function deleteAddress($username, $emailAddress, $isGUID=false) - { - if ($username === NULL) { return "Missing compulsory field [username]"; } - if ($emailAddress === NULL) { return "Missing compulsory fields [emailAddress]"; } - - // Find the dn of the user - $user = $this->adldap->user()->info($username, array("cn","proxyaddresses"), $isGUID); - if ($user[0]["dn"] === NULL) { return false; } - $userDn = $user[0]["dn"]; - - if (is_array($user[0]["proxyaddresses"])) { - $mod = array(); - for ($i=0;$iadldap->getLdapConnection(), $userDn,$mod); - if ($result == false) { - return false; - } - - return true; - } - else { - return false; - } - } - /** - * Change the default address - * - * @param string $username The username of the user to add the Exchange account to - * @param string $emailAddress The email address to make default - * @param bool $isGUID Is the username passed a GUID or a samAccountName - * @return bool - */ - public function primaryAddress($username, $emailAddress, $isGUID = false) - { - if ($username === NULL) { return "Missing compulsory field [username]"; } - if ($emailAddress === NULL) { return "Missing compulsory fields [emailAddress]"; } - - // Find the dn of the user - $user = $this->adldap->user()->info($username, array("cn","proxyaddresses"), $isGUID); - if ($user[0]["dn"] === NULL){ return false; } - $userDn = $user[0]["dn"]; - - if (is_array($user[0]["proxyaddresses"])) { - $modAddresses = array(); - for ($i=0;$iadldap->getLdapConnection(), $userDn, $modAddresses); - if ($result == false) { - return false; - } - - return true; - } - - } - - /** - * Mail enable a contact - * Allows email to be sent to them through Exchange - * - * @param string $distinguishedName The contact to mail enable - * @param string $emailAddress The email address to allow emails to be sent through - * @param string $mailNickname The mailnickname for the contact in Exchange. If NULL this will be set to the display name - * @return bool - */ - public function contactMailEnable($distinguishedName, $emailAddress, $mailNickname = NULL) - { - if ($distinguishedName === NULL) { return "Missing compulsory field [distinguishedName]"; } - if ($emailAddress === NULL) { return "Missing compulsory field [emailAddress]"; } - - if ($mailNickname !== NULL) { - // Find the dn of the user - $user = $this->adldap->contact()->info($distinguishedName, array("cn","displayname")); - if ($user[0]["displayname"] === NULL) { return false; } - $mailNickname = $user[0]['displayname'][0]; - } - - $attributes = array("email"=>$emailAddress,"contact_email"=>"SMTP:" . $emailAddress,"exchange_proxyaddress"=>"SMTP:" . $emailAddress,"exchange_mailnickname" => $mailNickname); - - // Translate the update to the LDAP schema - $mod = $this->adldap->adldap_schema($attributes); - - // Check to see if this is an enabled status update - if (!$mod) { return false; } - - // Do the update - $result = ldap_modify($this->adldap->getLdapConnection(), $distinguishedName, $mod); - if ($result == false) { return false; } - - return true; - } - - /** - * Returns a list of Exchange Servers in the ConfigurationNamingContext of the domain - * - * @param array $attributes An array of the AD attributes you wish to return - * @return array - */ - public function servers($attributes = array('cn','distinguishedname','serialnumber')) - { - if (!$this->adldap->getLdapBind()){ return false; } - - $configurationNamingContext = $this->adldap->getRootDse(array('configurationnamingcontext')); - $sr = @ldap_search($this->adldap->getLdapConnection(), $configurationNamingContext[0]['configurationnamingcontext'][0],'(&(objectCategory=msExchExchangeServer))', $attributes); - $entries = @ldap_get_entries($this->adldap->getLdapConnection(), $sr); - return $entries; - } - - /** - * Returns a list of Storage Groups in Exchange for a given mail server - * - * @param string $exchangeServer The full DN of an Exchange server. You can use exchange_servers() to find the DN for your server - * @param array $attributes An array of the AD attributes you wish to return - * @param bool $recursive If enabled this will automatically query the databases within a storage group - * @return array - */ - public function storageGroups($exchangeServer, $attributes = array('cn','distinguishedname'), $recursive = NULL) - { - if (!$this->adldap->getLdapBind()){ return false; } - if ($exchangeServer === NULL) { return "Missing compulsory field [exchangeServer]"; } - if ($recursive === NULL) { $recursive = $this->adldap->getRecursiveGroups(); } - - $filter = '(&(objectCategory=msExchStorageGroup))'; - $sr = @ldap_search($this->adldap->getLdapConnection(), $exchangeServer, $filter, $attributes); - $entries = @ldap_get_entries($this->adldap->getLdapConnection(), $sr); - - if ($recursive === true) { - for ($i=0; $i<$entries['count']; $i++) { - $entries[$i]['msexchprivatemdb'] = $this->storageDatabases($entries[$i]['distinguishedname'][0]); - } - } - - return $entries; - } - - /** - * Returns a list of Databases within any given storage group in Exchange for a given mail server - * - * @param string $storageGroup The full DN of an Storage Group. You can use exchange_storage_groups() to find the DN - * @param array $attributes An array of the AD attributes you wish to return - * @return array - */ - public function storageDatabases($storageGroup, $attributes = array('cn','distinguishedname','displayname')) { - if (!$this->adldap->getLdapBind()){ return false; } - if ($storageGroup === NULL) { return "Missing compulsory field [storageGroup]"; } - - $filter = '(&(objectCategory=msExchPrivateMDB))'; - $sr = @ldap_search($this->adldap->getLdapConnection(), $storageGroup, $filter, $attributes); - $entries = @ldap_get_entries($this->adldap->getLdapConnection(), $sr); - return $entries; - } -} +adldap = $adldap; + } + + /** + * Create an Exchange account + * + * @param string $username The username of the user to add the Exchange account to + * @param array $storageGroup The mailbox, Exchange Storage Group, for the user account, this must be a full CN + * If the storage group has a different base_dn to the adLDAP configuration, set it using $base_dn + * @param string $emailAddress The primary email address to add to this user + * @param string $mailNickname The mail nick name. If mail nickname is blank, the username will be used + * @param bool $mdbUseDefaults Indicates whether the store should use the default quota, rather than the per-mailbox quota. + * @param string $baseDn Specify an alternative base_dn for the Exchange storage group + * @param bool $isGUID Is the username passed a GUID or a samAccountName + * @return bool + */ + public function createMailbox($username, $storageGroup, $emailAddress, $mailNickname=NULL, $useDefaults=TRUE, $baseDn=NULL, $isGUID=false) + { + if ($username === NULL){ return "Missing compulsory field [username]"; } + if ($storageGroup === NULL) { return "Missing compulsory array [storagegroup]"; } + if (!is_array($storageGroup)) { return "[storagegroup] must be an array"; } + if ($emailAddress === NULL) { return "Missing compulsory field [emailAddress]"; } + + if ($baseDn === NULL) { + $baseDn = $this->adldap->getBaseDn(); + } + + $container = "CN=" . implode(",CN=", $storageGroup); + + if ($mailNickname === NULL) { + $mailNickname = $username; + } + $mdbUseDefaults = $this->adldap->utilities()->boolToString($useDefaults); + + $attributes = array( + 'exchange_homemdb'=>$container.",".$baseDn, + 'exchange_proxyaddress'=>'SMTP:' . $emailAddress, + 'exchange_mailnickname'=>$mailNickname, + 'exchange_usedefaults'=>$mdbUseDefaults + ); + $result = $this->adldap->user()->modify($username, $attributes, $isGUID); + if ($result == false) { + return false; + } + return true; + } + + /** + * Add an X400 address to Exchange + * See http://tools.ietf.org/html/rfc1685 for more information. + * An X400 Address looks similar to this X400:c=US;a= ;p=Domain;o=Organization;s=Doe;g=John; + * + * @param string $username The username of the user to add the X400 to to + * @param string $country Country + * @param string $admd Administration Management Domain + * @param string $pdmd Private Management Domain (often your AD domain) + * @param string $org Organization + * @param string $surname Surname + * @param string $givenName Given name + * @param bool $isGUID Is the username passed a GUID or a samAccountName + * @return bool + */ + public function addX400($username, $country, $admd, $pdmd, $org, $surname, $givenName, $isGUID=false) + { + if ($username === NULL){ return "Missing compulsory field [username]"; } + + $proxyValue = 'X400:'; + + // Find the dn of the user + $user = $this->adldap->user()->info($username, array("cn","proxyaddresses"), $isGUID); + if ($user[0]["dn"] === NULL) { return false; } + $userDn = $user[0]["dn"]; + + // We do not have to demote an email address from the default so we can just add the new proxy address + $attributes['exchange_proxyaddress'] = $proxyValue . 'c=' . $country . ';a=' . $admd . ';p=' . $pdmd . ';o=' . $org . ';s=' . $surname . ';g=' . $givenName . ';'; + + // Translate the update to the LDAP schema + $add = $this->adldap->adldap_schema($attributes); + + if (!$add) { return false; } + + // Do the update + // Take out the @ to see any errors, usually this error might occur because the address already + // exists in the list of proxyAddresses + $result = @ldap_mod_add($this->adldap->getLdapConnection(), $userDn, $add); + if ($result == false) { + return false; + } + + return true; + } + + /** + * Add an address to Exchange + * + * @param string $username The username of the user to add the Exchange account to + * @param string $emailAddress The email address to add to this user + * @param bool $default Make this email address the default address, this is a bit more intensive as we have to demote any existing default addresses + * @param bool $isGUID Is the username passed a GUID or a samAccountName + * @return bool + */ + public function addAddress($username, $emailAddress, $default = FALSE, $isGUID = false) + { + if ($username === NULL) { return "Missing compulsory field [username]"; } + if ($emailAddress === NULL) { return "Missing compulsory fields [emailAddress]"; } + + $proxyValue = 'smtp:'; + if ($default === true) { + $proxyValue = 'SMTP:'; + } + + // Find the dn of the user + $user = $this->adldap->user()->info($username, array("cn","proxyaddresses"), $isGUID); + if ($user[0]["dn"] === NULL){ return false; } + $userDn = $user[0]["dn"]; + + // We need to scan existing proxy addresses and demote the default one + if (is_array($user[0]["proxyaddresses"]) && $default === true) { + $modAddresses = array(); + for ($i=0;$iadldap->getLdapConnection(), $userDn, $modAddresses); + if ($result == false) { + return false; + } + + return true; + } + else { + // We do not have to demote an email address from the default so we can just add the new proxy address + $attributes['exchange_proxyaddress'] = $proxyValue . $emailAddress; + + // Translate the update to the LDAP schema + $add = $this->adldap->adldap_schema($attributes); + + if (!$add) { + return false; + } + + // Do the update + // Take out the @ to see any errors, usually this error might occur because the address already + // exists in the list of proxyAddresses + $result = @ldap_mod_add($this->adldap->getLdapConnection(), $userDn,$add); + if ($result == false) { + return false; + } + + return true; + } + } + + /** + * Remove an address to Exchange + * If you remove a default address the account will no longer have a default, + * we recommend changing the default address first + * + * @param string $username The username of the user to add the Exchange account to + * @param string $emailAddress The email address to add to this user + * @param bool $isGUID Is the username passed a GUID or a samAccountName + * @return bool + */ + public function deleteAddress($username, $emailAddress, $isGUID=false) + { + if ($username === NULL) { return "Missing compulsory field [username]"; } + if ($emailAddress === NULL) { return "Missing compulsory fields [emailAddress]"; } + + // Find the dn of the user + $user = $this->adldap->user()->info($username, array("cn","proxyaddresses"), $isGUID); + if ($user[0]["dn"] === NULL) { return false; } + $userDn = $user[0]["dn"]; + + if (is_array($user[0]["proxyaddresses"])) { + $mod = array(); + for ($i=0;$iadldap->getLdapConnection(), $userDn,$mod); + if ($result == false) { + return false; + } + + return true; + } + else { + return false; + } + } + /** + * Change the default address + * + * @param string $username The username of the user to add the Exchange account to + * @param string $emailAddress The email address to make default + * @param bool $isGUID Is the username passed a GUID or a samAccountName + * @return bool + */ + public function primaryAddress($username, $emailAddress, $isGUID = false) + { + if ($username === NULL) { return "Missing compulsory field [username]"; } + if ($emailAddress === NULL) { return "Missing compulsory fields [emailAddress]"; } + + // Find the dn of the user + $user = $this->adldap->user()->info($username, array("cn","proxyaddresses"), $isGUID); + if ($user[0]["dn"] === NULL){ return false; } + $userDn = $user[0]["dn"]; + + if (is_array($user[0]["proxyaddresses"])) { + $modAddresses = array(); + for ($i=0;$iadldap->getLdapConnection(), $userDn, $modAddresses); + if ($result == false) { + return false; + } + + return true; + } + + } + + /** + * Mail enable a contact + * Allows email to be sent to them through Exchange + * + * @param string $distinguishedName The contact to mail enable + * @param string $emailAddress The email address to allow emails to be sent through + * @param string $mailNickname The mailnickname for the contact in Exchange. If NULL this will be set to the display name + * @return bool + */ + public function contactMailEnable($distinguishedName, $emailAddress, $mailNickname = NULL) + { + if ($distinguishedName === NULL) { return "Missing compulsory field [distinguishedName]"; } + if ($emailAddress === NULL) { return "Missing compulsory field [emailAddress]"; } + + if ($mailNickname !== NULL) { + // Find the dn of the user + $user = $this->adldap->contact()->info($distinguishedName, array("cn","displayname")); + if ($user[0]["displayname"] === NULL) { return false; } + $mailNickname = $user[0]['displayname'][0]; + } + + $attributes = array("email"=>$emailAddress,"contact_email"=>"SMTP:" . $emailAddress,"exchange_proxyaddress"=>"SMTP:" . $emailAddress,"exchange_mailnickname" => $mailNickname); + + // Translate the update to the LDAP schema + $mod = $this->adldap->adldap_schema($attributes); + + // Check to see if this is an enabled status update + if (!$mod) { return false; } + + // Do the update + $result = ldap_modify($this->adldap->getLdapConnection(), $distinguishedName, $mod); + if ($result == false) { return false; } + + return true; + } + + /** + * Returns a list of Exchange Servers in the ConfigurationNamingContext of the domain + * + * @param array $attributes An array of the AD attributes you wish to return + * @return array + */ + public function servers($attributes = array('cn','distinguishedname','serialnumber')) + { + if (!$this->adldap->getLdapBind()){ return false; } + + $configurationNamingContext = $this->adldap->getRootDse(array('configurationnamingcontext')); + $sr = @ldap_search($this->adldap->getLdapConnection(), $configurationNamingContext[0]['configurationnamingcontext'][0],'(&(objectCategory=msExchExchangeServer))', $attributes); + $entries = @ldap_get_entries($this->adldap->getLdapConnection(), $sr); + return $entries; + } + + /** + * Returns a list of Storage Groups in Exchange for a given mail server + * + * @param string $exchangeServer The full DN of an Exchange server. You can use exchange_servers() to find the DN for your server + * @param array $attributes An array of the AD attributes you wish to return + * @param bool $recursive If enabled this will automatically query the databases within a storage group + * @return array + */ + public function storageGroups($exchangeServer, $attributes = array('cn','distinguishedname'), $recursive = NULL) + { + if (!$this->adldap->getLdapBind()){ return false; } + if ($exchangeServer === NULL) { return "Missing compulsory field [exchangeServer]"; } + if ($recursive === NULL) { $recursive = $this->adldap->getRecursiveGroups(); } + + $filter = '(&(objectCategory=msExchStorageGroup))'; + $sr = @ldap_search($this->adldap->getLdapConnection(), $exchangeServer, $filter, $attributes); + $entries = @ldap_get_entries($this->adldap->getLdapConnection(), $sr); + + if ($recursive === true) { + for ($i=0; $i<$entries['count']; $i++) { + $entries[$i]['msexchprivatemdb'] = $this->storageDatabases($entries[$i]['distinguishedname'][0]); + } + } + + return $entries; + } + + /** + * Returns a list of Databases within any given storage group in Exchange for a given mail server + * + * @param string $storageGroup The full DN of an Storage Group. You can use exchange_storage_groups() to find the DN + * @param array $attributes An array of the AD attributes you wish to return + * @return array + */ + public function storageDatabases($storageGroup, $attributes = array('cn','distinguishedname','displayname')) { + if (!$this->adldap->getLdapBind()){ return false; } + if ($storageGroup === NULL) { return "Missing compulsory field [storageGroup]"; } + + $filter = '(&(objectCategory=msExchPrivateMDB))'; + $sr = @ldap_search($this->adldap->getLdapConnection(), $storageGroup, $filter, $attributes); + $entries = @ldap_get_entries($this->adldap->getLdapConnection(), $sr); + return $entries; + } +} ?> \ No newline at end of file diff --git a/lib/plugins/authad/adLDAP/classes/adLDAPFolders.php b/lib/plugins/authad/adLDAP/classes/adLDAPFolders.php index 55120152d..67b1474db 100644 --- a/lib/plugins/authad/adLDAP/classes/adLDAPFolders.php +++ b/lib/plugins/authad/adLDAP/classes/adLDAPFolders.php @@ -1,179 +1,179 @@ -adldap = $adldap; - } - - /** - * Delete a distinguished name from Active Directory - * You should never need to call this yourself, just use the wrapper functions user_delete and contact_delete - * - * @param string $dn The distinguished name to delete - * @return bool - */ - public function delete($dn){ - $result = ldap_delete($this->adldap->getLdapConnection(), $dn); - if ($result != true) { - return false; - } - return true; - } - - /** - * Returns a folder listing for a specific OU - * See http://adldap.sourceforge.net/wiki/doku.php?id=api_folder_functions - * - * @param array $folderName An array to the OU you wish to list. - * If set to NULL will list the root, strongly recommended to set - * $recursive to false in that instance! - * @param string $dnType The type of record to list. This can be ADLDAP_FOLDER or ADLDAP_CONTAINER. - * @param bool $recursive Recursively search sub folders - * @param bool $type Specify a type of object to search for - * @return array - */ - public function listing($folderName = NULL, $dnType = adLDAP::ADLDAP_FOLDER, $recursive = NULL, $type = NULL) - { - if ($recursive === NULL) { $recursive = $this->adldap->getRecursiveGroups(); } //use the default option if they haven't set it - if (!$this->adldap->getLdapBind()) { return false; } - - $filter = '(&'; - if ($type !== NULL) { - switch ($type) { - case 'contact': - $filter .= '(objectClass=contact)'; - break; - case 'computer': - $filter .= '(objectClass=computer)'; - break; - case 'group': - $filter .= '(objectClass=group)'; - break; - case 'folder': - $filter .= '(objectClass=organizationalUnit)'; - break; - case 'container': - $filter .= '(objectClass=container)'; - break; - case 'domain': - $filter .= '(objectClass=builtinDomain)'; - break; - default: - $filter .= '(objectClass=user)'; - break; - } - } - else { - $filter .= '(objectClass=*)'; - } - // If the folder name is null then we will search the root level of AD - // This requires us to not have an OU= part, just the base_dn - $searchOu = $this->adldap->getBaseDn(); - if (is_array($folderName)) { - $ou = $dnType . "=" . implode("," . $dnType . "=", $folderName); - $filter .= '(!(distinguishedname=' . $ou . ',' . $this->adldap->getBaseDn() . ')))'; - $searchOu = $ou . ',' . $this->adldap->getBaseDn(); - } - else { - $filter .= '(!(distinguishedname=' . $this->adldap->getBaseDn() . ')))'; - } - - if ($recursive === true) { - $sr = ldap_search($this->adldap->getLdapConnection(), $searchOu, $filter, array('objectclass', 'distinguishedname', 'samaccountname')); - $entries = @ldap_get_entries($this->adldap->getLdapConnection(), $sr); - if (is_array($entries)) { - return $entries; - } - } - else { - $sr = ldap_list($this->adldap->getLdapConnection(), $searchOu, $filter, array('objectclass', 'distinguishedname', 'samaccountname')); - $entries = @ldap_get_entries($this->adldap->getLdapConnection(), $sr); - if (is_array($entries)) { - return $entries; - } - } - - return false; - } - - /** - * Create an organizational unit - * - * @param array $attributes Default attributes of the ou - * @return bool - */ - public function create($attributes) - { - if (!is_array($attributes)){ return "Attributes must be an array"; } - if (!is_array($attributes["container"])) { return "Container attribute must be an array."; } - if (!array_key_exists("ou_name",$attributes)) { return "Missing compulsory field [ou_name]"; } - if (!array_key_exists("container",$attributes)) { return "Missing compulsory field [container]"; } - - $attributes["container"] = array_reverse($attributes["container"]); - - $add=array(); - $add["objectClass"] = "organizationalUnit"; - $add["OU"] = $attributes['ou_name']; - $containers = ""; - if (count($attributes['container']) > 0) { - $containers = "OU=" . implode(",OU=", $attributes["container"]) . ","; - } - - $containers = "OU=" . implode(",OU=", $attributes["container"]); - $result = ldap_add($this->adldap->getLdapConnection(), "OU=" . $add["OU"] . ", " . $containers . $this->adldap->getBaseDn(), $add); - if ($result != true) { - return false; - } - - return true; - } - -} - +adldap = $adldap; + } + + /** + * Delete a distinguished name from Active Directory + * You should never need to call this yourself, just use the wrapper functions user_delete and contact_delete + * + * @param string $dn The distinguished name to delete + * @return bool + */ + public function delete($dn){ + $result = ldap_delete($this->adldap->getLdapConnection(), $dn); + if ($result != true) { + return false; + } + return true; + } + + /** + * Returns a folder listing for a specific OU + * See http://adldap.sourceforge.net/wiki/doku.php?id=api_folder_functions + * + * @param array $folderName An array to the OU you wish to list. + * If set to NULL will list the root, strongly recommended to set + * $recursive to false in that instance! + * @param string $dnType The type of record to list. This can be ADLDAP_FOLDER or ADLDAP_CONTAINER. + * @param bool $recursive Recursively search sub folders + * @param bool $type Specify a type of object to search for + * @return array + */ + public function listing($folderName = NULL, $dnType = adLDAP::ADLDAP_FOLDER, $recursive = NULL, $type = NULL) + { + if ($recursive === NULL) { $recursive = $this->adldap->getRecursiveGroups(); } //use the default option if they haven't set it + if (!$this->adldap->getLdapBind()) { return false; } + + $filter = '(&'; + if ($type !== NULL) { + switch ($type) { + case 'contact': + $filter .= '(objectClass=contact)'; + break; + case 'computer': + $filter .= '(objectClass=computer)'; + break; + case 'group': + $filter .= '(objectClass=group)'; + break; + case 'folder': + $filter .= '(objectClass=organizationalUnit)'; + break; + case 'container': + $filter .= '(objectClass=container)'; + break; + case 'domain': + $filter .= '(objectClass=builtinDomain)'; + break; + default: + $filter .= '(objectClass=user)'; + break; + } + } + else { + $filter .= '(objectClass=*)'; + } + // If the folder name is null then we will search the root level of AD + // This requires us to not have an OU= part, just the base_dn + $searchOu = $this->adldap->getBaseDn(); + if (is_array($folderName)) { + $ou = $dnType . "=" . implode("," . $dnType . "=", $folderName); + $filter .= '(!(distinguishedname=' . $ou . ',' . $this->adldap->getBaseDn() . ')))'; + $searchOu = $ou . ',' . $this->adldap->getBaseDn(); + } + else { + $filter .= '(!(distinguishedname=' . $this->adldap->getBaseDn() . ')))'; + } + + if ($recursive === true) { + $sr = ldap_search($this->adldap->getLdapConnection(), $searchOu, $filter, array('objectclass', 'distinguishedname', 'samaccountname')); + $entries = @ldap_get_entries($this->adldap->getLdapConnection(), $sr); + if (is_array($entries)) { + return $entries; + } + } + else { + $sr = ldap_list($this->adldap->getLdapConnection(), $searchOu, $filter, array('objectclass', 'distinguishedname', 'samaccountname')); + $entries = @ldap_get_entries($this->adldap->getLdapConnection(), $sr); + if (is_array($entries)) { + return $entries; + } + } + + return false; + } + + /** + * Create an organizational unit + * + * @param array $attributes Default attributes of the ou + * @return bool + */ + public function create($attributes) + { + if (!is_array($attributes)){ return "Attributes must be an array"; } + if (!is_array($attributes["container"])) { return "Container attribute must be an array."; } + if (!array_key_exists("ou_name",$attributes)) { return "Missing compulsory field [ou_name]"; } + if (!array_key_exists("container",$attributes)) { return "Missing compulsory field [container]"; } + + $attributes["container"] = array_reverse($attributes["container"]); + + $add=array(); + $add["objectClass"] = "organizationalUnit"; + $add["OU"] = $attributes['ou_name']; + $containers = ""; + if (count($attributes['container']) > 0) { + $containers = "OU=" . implode(",OU=", $attributes["container"]) . ","; + } + + $containers = "OU=" . implode(",OU=", $attributes["container"]); + $result = ldap_add($this->adldap->getLdapConnection(), "OU=" . $add["OU"] . ", " . $containers . $this->adldap->getBaseDn(), $add); + if ($result != true) { + return false; + } + + return true; + } + +} + ?> \ No newline at end of file diff --git a/lib/plugins/authad/adLDAP/classes/adLDAPGroups.php b/lib/plugins/authad/adLDAP/classes/adLDAPGroups.php index 05e4cc93b..94bc04853 100644 --- a/lib/plugins/authad/adLDAP/classes/adLDAPGroups.php +++ b/lib/plugins/authad/adLDAP/classes/adLDAPGroups.php @@ -1,631 +1,631 @@ -adldap = $adldap; - } - - /** - * Add a group to a group - * - * @param string $parent The parent group name - * @param string $child The child group name - * @return bool - */ - public function addGroup($parent,$child){ - - // Find the parent group's dn - $parentGroup = $this->ginfo($parent, array("cn")); - if ($parentGroup[0]["dn"] === NULL){ - return false; - } - $parentDn = $parentGroup[0]["dn"]; - - // Find the child group's dn - $childGroup = $this->info($child, array("cn")); - if ($childGroup[0]["dn"] === NULL){ - return false; - } - $childDn = $childGroup[0]["dn"]; - - $add = array(); - $add["member"] = $childDn; - - $result = @ldap_mod_add($this->adldap->getLdapConnection(), $parentDn, $add); - if ($result == false) { - return false; - } - return true; - } - - /** - * Add a user to a group - * - * @param string $group The group to add the user to - * @param string $user The user to add to the group - * @param bool $isGUID Is the username passed a GUID or a samAccountName - * @return bool - */ - public function addUser($group, $user, $isGUID = false) - { - // Adding a user is a bit fiddly, we need to get the full DN of the user - // and add it using the full DN of the group - - // Find the user's dn - $userDn = $this->adldap->user()->dn($user, $isGUID); - if ($userDn === false) { - return false; - } - - // Find the group's dn - $groupInfo = $this->info($group, array("cn")); - if ($groupInfo[0]["dn"] === NULL) { - return false; - } - $groupDn = $groupInfo[0]["dn"]; - - $add = array(); - $add["member"] = $userDn; - - $result = @ldap_mod_add($this->adldap->getLdapConnection(), $groupDn, $add); - if ($result == false) { - return false; - } - return true; - } - - /** - * Add a contact to a group - * - * @param string $group The group to add the contact to - * @param string $contactDn The DN of the contact to add - * @return bool - */ - public function addContact($group, $contactDn) - { - // To add a contact we take the contact's DN - // and add it using the full DN of the group - - // Find the group's dn - $groupInfo = $this->info($group, array("cn")); - if ($groupInfo[0]["dn"] === NULL) { - return false; - } - $groupDn = $groupInfo[0]["dn"]; - - $add = array(); - $add["member"] = $contactDn; - - $result = @ldap_mod_add($this->adldap->getLdapConnection(), $groupDn, $add); - if ($result == false) { - return false; - } - return true; - } - - /** - * Create a group - * - * @param array $attributes Default attributes of the group - * @return bool - */ - public function create($attributes) - { - if (!is_array($attributes)){ return "Attributes must be an array"; } - if (!array_key_exists("group_name", $attributes)){ return "Missing compulsory field [group_name]"; } - if (!array_key_exists("container", $attributes)){ return "Missing compulsory field [container]"; } - if (!array_key_exists("description", $attributes)){ return "Missing compulsory field [description]"; } - if (!is_array($attributes["container"])){ return "Container attribute must be an array."; } - $attributes["container"] = array_reverse($attributes["container"]); - - //$member_array = array(); - //$member_array[0] = "cn=user1,cn=Users,dc=yourdomain,dc=com"; - //$member_array[1] = "cn=administrator,cn=Users,dc=yourdomain,dc=com"; - - $add = array(); - $add["cn"] = $attributes["group_name"]; - $add["samaccountname"] = $attributes["group_name"]; - $add["objectClass"] = "Group"; - $add["description"] = $attributes["description"]; - //$add["member"] = $member_array; UNTESTED - - $container = "OU=" . implode(",OU=", $attributes["container"]); - $result = ldap_add($this->adldap->getLdapConnection(), "CN=" . $add["cn"] . ", " . $container . "," . $this->adldap->getBaseDn(), $add); - if ($result != true) { - return false; - } - return true; - } - - /** - * Delete a group account - * - * @param string $group The group to delete (please be careful here!) - * - * @return array - */ - public function delete($group) { - if (!$this->adldap->getLdapBind()){ return false; } - if ($group === null){ return "Missing compulsory field [group]"; } - - $groupInfo = $this->info($group, array("*")); - $dn = $groupInfo[0]['distinguishedname'][0]; - $result = $this->adldap->folder()->delete($dn); - if ($result !== true) { - return false; - } return true; - } - - /** - * Remove a group from a group - * - * @param string $parent The parent group name - * @param string $child The child group name - * @return bool - */ - public function removeGroup($parent , $child) - { - - // Find the parent dn - $parentGroup = $this->info($parent, array("cn")); - if ($parentGroup[0]["dn"] === NULL) { - return false; - } - $parentDn = $parentGroup[0]["dn"]; - - // Find the child dn - $childGroup = $this->info($child, array("cn")); - if ($childGroup[0]["dn"] === NULL) { - return false; - } - $childDn = $childGroup[0]["dn"]; - - $del = array(); - $del["member"] = $childDn; - - $result = @ldap_mod_del($this->adldap->getLdapConnection(), $parentDn, $del); - if ($result == false) { - return false; - } - return true; - } - - /** - * Remove a user from a group - * - * @param string $group The group to remove a user from - * @param string $user The AD user to remove from the group - * @param bool $isGUID Is the username passed a GUID or a samAccountName - * @return bool - */ - public function removeUser($group, $user, $isGUID = false) - { - - // Find the parent dn - $groupInfo = $this->info($group, array("cn")); - if ($groupInfo[0]["dn"] === NULL){ - return false; - } - $groupDn = $groupInfo[0]["dn"]; - - // Find the users dn - $userDn = $this->adldap->user()->dn($user, $isGUID); - if ($userDn === false) { - return false; - } - - $del = array(); - $del["member"] = $userDn; - - $result = @ldap_mod_del($this->adldap->getLdapConnection(), $groupDn, $del); - if ($result == false) { - return false; - } - return true; - } - - /** - * Remove a contact from a group - * - * @param string $group The group to remove a user from - * @param string $contactDn The DN of a contact to remove from the group - * @return bool - */ - public function removeContact($group, $contactDn) - { - - // Find the parent dn - $groupInfo = $this->info($group, array("cn")); - if ($groupInfo[0]["dn"] === NULL) { - return false; - } - $groupDn = $groupInfo[0]["dn"]; - - $del = array(); - $del["member"] = $contactDn; - - $result = @ldap_mod_del($this->adldap->getLdapConnection(), $groupDn, $del); - if ($result == false) { - return false; - } - return true; - } - - /** - * Return a list of groups in a group - * - * @param string $group The group to query - * @param bool $recursive Recursively get groups - * @return array - */ - public function inGroup($group, $recursive = NULL) - { - if (!$this->adldap->getLdapBind()){ return false; } - if ($recursive === NULL){ $recursive = $this->adldap->getRecursiveGroups(); } // Use the default option if they haven't set it - - // Search the directory for the members of a group - $info = $this->info($group, array("member","cn")); - $groups = $info[0]["member"]; - if (!is_array($groups)) { - return false; - } - - $groupArray = array(); - - for ($i=0; $i<$groups["count"]; $i++){ - $filter = "(&(objectCategory=group)(distinguishedName=" . $this->adldap->utilities()->ldapSlashes($groups[$i]) . "))"; - $fields = array("samaccountname", "distinguishedname", "objectClass"); - $sr = ldap_search($this->adldap->getLdapConnection(), $this->adldap->getBaseDn(), $filter, $fields); - $entries = ldap_get_entries($this->adldap->getLdapConnection(), $sr); - - // not a person, look for a group - if ($entries['count'] == 0 && $recursive == true) { - $filter = "(&(objectCategory=group)(distinguishedName=" . $this->adldap->utilities()->ldapSlashes($groups[$i]) . "))"; - $fields = array("distinguishedname"); - $sr = ldap_search($this->adldap->getLdapConnection(), $this->adldap->getBaseDn(), $filter, $fields); - $entries = ldap_get_entries($this->adldap->getLdapConnection(), $sr); - if (!isset($entries[0]['distinguishedname'][0])) { - continue; - } - $subGroups = $this->inGroup($entries[0]['distinguishedname'][0], $recursive); - if (is_array($subGroups)) { - $groupArray = array_merge($groupArray, $subGroups); - $groupArray = array_unique($groupArray); - } - continue; - } - - $groupArray[] = $entries[0]['distinguishedname'][0]; - } - return $groupArray; - } - - /** - * Return a list of members in a group - * - * @param string $group The group to query - * @param bool $recursive Recursively get group members - * @return array - */ - public function members($group, $recursive = NULL) - { - if (!$this->adldap->getLdapBind()){ return false; } - if ($recursive === NULL){ $recursive = $this->adldap->getRecursiveGroups(); } // Use the default option if they haven't set it - // Search the directory for the members of a group - $info = $this->info($group, array("member","cn")); - $users = $info[0]["member"]; - if (!is_array($users)) { - return false; - } - - $userArray = array(); - - for ($i=0; $i<$users["count"]; $i++){ - $filter = "(&(objectCategory=person)(distinguishedName=" . $this->adldap->utilities()->ldapSlashes($users[$i]) . "))"; - $fields = array("samaccountname", "distinguishedname", "objectClass"); - $sr = ldap_search($this->adldap->getLdapConnection(), $this->adldap->getBaseDn(), $filter, $fields); - $entries = ldap_get_entries($this->adldap->getLdapConnection(), $sr); - - // not a person, look for a group - if ($entries['count'] == 0 && $recursive == true) { - $filter = "(&(objectCategory=group)(distinguishedName=" . $this->adldap->utilities()->ldapSlashes($users[$i]) . "))"; - $fields = array("samaccountname"); - $sr = ldap_search($this->adldap->getLdapConnection(), $this->adldap->getBaseDn(), $filter, $fields); - $entries = ldap_get_entries($this->adldap->getLdapConnection(), $sr); - if (!isset($entries[0]['samaccountname'][0])) { - continue; - } - $subUsers = $this->members($entries[0]['samaccountname'][0], $recursive); - if (is_array($subUsers)) { - $userArray = array_merge($userArray, $subUsers); - $userArray = array_unique($userArray); - } - continue; - } - else if ($entries['count'] == 0) { - continue; - } - - if ((!isset($entries[0]['samaccountname'][0]) || $entries[0]['samaccountname'][0] === NULL) && $entries[0]['distinguishedname'][0] !== NULL) { - $userArray[] = $entries[0]['distinguishedname'][0]; - } - else if ($entries[0]['samaccountname'][0] !== NULL) { - $userArray[] = $entries[0]['samaccountname'][0]; - } - } - return $userArray; - } - - /** - * Group Information. Returns an array of raw information about a group. - * The group name is case sensitive - * - * @param string $groupName The group name to retrieve info about - * @param array $fields Fields to retrieve - * @return array - */ - public function info($groupName, $fields = NULL) - { - if ($groupName === NULL) { return false; } - if (!$this->adldap->getLdapBind()) { return false; } - - if (stristr($groupName, '+')) { - $groupName = stripslashes($groupName); - } - - $filter = "(&(objectCategory=group)(name=" . $this->adldap->utilities()->ldapSlashes($groupName) . "))"; - if ($fields === NULL) { - $fields = array("member","memberof","cn","description","distinguishedname","objectcategory","samaccountname"); - } - $sr = ldap_search($this->adldap->getLdapConnection(), $this->adldap->getBaseDn(), $filter, $fields); - $entries = ldap_get_entries($this->adldap->getLdapConnection(), $sr); - - return $entries; - } - - /** - * Group Information. Returns an collection - * The group name is case sensitive - * - * @param string $groupName The group name to retrieve info about - * @param array $fields Fields to retrieve - * @return adLDAPGroupCollection - */ - public function infoCollection($groupName, $fields = NULL) - { - if ($groupName === NULL) { return false; } - if (!$this->adldap->getLdapBind()) { return false; } - - $info = $this->info($groupName, $fields); - if ($info !== false) { - $collection = new adLDAPGroupCollection($info, $this->adldap); - return $collection; - } - return false; - } - - /** - * Return a complete list of "groups in groups" - * - * @param string $group The group to get the list from - * @return array - */ - public function recursiveGroups($group) - { - if ($group === NULL) { return false; } - - $stack = array(); - $processed = array(); - $retGroups = array(); - - array_push($stack, $group); // Initial Group to Start with - while (count($stack) > 0) { - $parent = array_pop($stack); - array_push($processed, $parent); - - $info = $this->info($parent, array("memberof")); - - if (isset($info[0]["memberof"]) && is_array($info[0]["memberof"])) { - $groups = $info[0]["memberof"]; - if ($groups) { - $groupNames = $this->adldap->utilities()->niceNames($groups); - $retGroups = array_merge($retGroups, $groupNames); //final groups to return - foreach ($groupNames as $id => $groupName) { - if (!in_array($groupName, $processed)) { - array_push($stack, $groupName); - } - } - } - } - } - - return $retGroups; - } - - /** - * Returns a complete list of the groups in AD based on a SAM Account Type - * - * @param string $sAMAaccountType The account type to return - * @param bool $includeDescription Whether to return a description - * @param string $search Search parameters - * @param bool $sorted Whether to sort the results - * @return array - */ - public function search($sAMAaccountType = adLDAP::ADLDAP_SECURITY_GLOBAL_GROUP, $includeDescription = false, $search = "*", $sorted = true) { - if (!$this->adldap->getLdapBind()) { return false; } - - $filter = '(&(objectCategory=group)'; - if ($sAMAaccountType !== null) { - $filter .= '(samaccounttype='. $sAMAaccountType .')'; - } - $filter .= '(cn=' . $search . '))'; - // Perform the search and grab all their details - $fields = array("samaccountname", "description"); - $sr = ldap_search($this->adldap->getLdapConnection(), $this->adldap->getBaseDn(), $filter, $fields); - $entries = ldap_get_entries($this->adldap->getLdapConnection(), $sr); - - $groupsArray = array(); - for ($i=0; $i<$entries["count"]; $i++){ - if ($includeDescription && strlen($entries[$i]["description"][0]) > 0 ) { - $groupsArray[$entries[$i]["samaccountname"][0]] = $entries[$i]["description"][0]; - } - else if ($includeDescription){ - $groupsArray[$entries[$i]["samaccountname"][0]] = $entries[$i]["samaccountname"][0]; - } - else { - array_push($groupsArray, $entries[$i]["samaccountname"][0]); - } - } - if ($sorted) { - asort($groupsArray); - } - return $groupsArray; - } - - /** - * Returns a complete list of all groups in AD - * - * @param bool $includeDescription Whether to return a description - * @param string $search Search parameters - * @param bool $sorted Whether to sort the results - * @return array - */ - public function all($includeDescription = false, $search = "*", $sorted = true){ - $groupsArray = $this->search(null, $includeDescription, $search, $sorted); - return $groupsArray; - } - - /** - * Returns a complete list of security groups in AD - * - * @param bool $includeDescription Whether to return a description - * @param string $search Search parameters - * @param bool $sorted Whether to sort the results - * @return array - */ - public function allSecurity($includeDescription = false, $search = "*", $sorted = true){ - $groupsArray = $this->search(adLDAP::ADLDAP_SECURITY_GLOBAL_GROUP, $includeDescription, $search, $sorted); - return $groupsArray; - } - - /** - * Returns a complete list of distribution lists in AD - * - * @param bool $includeDescription Whether to return a description - * @param string $search Search parameters - * @param bool $sorted Whether to sort the results - * @return array - */ - public function allDistribution($includeDescription = false, $search = "*", $sorted = true){ - $groupsArray = $this->search(adLDAP::ADLDAP_DISTRIBUTION_GROUP, $includeDescription, $search, $sorted); - return $groupsArray; - } - - /** - * Coping with AD not returning the primary group - * http://support.microsoft.com/?kbid=321360 - * - * This is a re-write based on code submitted by Bruce which prevents the - * need to search each security group to find the true primary group - * - * @param string $gid Group ID - * @param string $usersid User's Object SID - * @return mixed - */ - public function getPrimaryGroup($gid, $usersid) - { - if ($gid === NULL || $usersid === NULL) { return false; } - $sr = false; - - $gsid = substr_replace($usersid, pack('V',$gid), strlen($usersid)-4,4); - $filter = '(objectsid=' . $this->adldap->utilities()->getTextSID($gsid).')'; - $fields = array("samaccountname","distinguishedname"); - $sr = ldap_search($this->adldap->getLdapConnection(), $this->adldap->getBaseDn(), $filter, $fields); - $entries = ldap_get_entries($this->adldap->getLdapConnection(), $sr); - - if (isset($entries[0]['distinguishedname'][0])) { - return $entries[0]['distinguishedname'][0]; - } - return false; - } - - /** - * Coping with AD not returning the primary group - * http://support.microsoft.com/?kbid=321360 - * - * For some reason it's not possible to search on primarygrouptoken=XXX - * If someone can show otherwise, I'd like to know about it :) - * this way is resource intensive and generally a pain in the @#%^ - * - * @deprecated deprecated since version 3.1, see get get_primary_group - * @param string $gid Group ID - * @return string - */ - public function cn($gid){ - if ($gid === NULL) { return false; } - $sr = false; - $r = ''; - - $filter = "(&(objectCategory=group)(samaccounttype=" . adLDAP::ADLDAP_SECURITY_GLOBAL_GROUP . "))"; - $fields = array("primarygrouptoken", "samaccountname", "distinguishedname"); - $sr = ldap_search($this->adldap->getLdapConnection(), $this->adldap->getBaseDn(), $filter, $fields); - $entries = ldap_get_entries($this->adldap->getLdapConnection(), $sr); - - for ($i=0; $i<$entries["count"]; $i++){ - if ($entries[$i]["primarygrouptoken"][0] == $gid) { - $r = $entries[$i]["distinguishedname"][0]; - $i = $entries["count"]; - } - } - - return $r; - } -} -?> +adldap = $adldap; + } + + /** + * Add a group to a group + * + * @param string $parent The parent group name + * @param string $child The child group name + * @return bool + */ + public function addGroup($parent,$child){ + + // Find the parent group's dn + $parentGroup = $this->ginfo($parent, array("cn")); + if ($parentGroup[0]["dn"] === NULL){ + return false; + } + $parentDn = $parentGroup[0]["dn"]; + + // Find the child group's dn + $childGroup = $this->info($child, array("cn")); + if ($childGroup[0]["dn"] === NULL){ + return false; + } + $childDn = $childGroup[0]["dn"]; + + $add = array(); + $add["member"] = $childDn; + + $result = @ldap_mod_add($this->adldap->getLdapConnection(), $parentDn, $add); + if ($result == false) { + return false; + } + return true; + } + + /** + * Add a user to a group + * + * @param string $group The group to add the user to + * @param string $user The user to add to the group + * @param bool $isGUID Is the username passed a GUID or a samAccountName + * @return bool + */ + public function addUser($group, $user, $isGUID = false) + { + // Adding a user is a bit fiddly, we need to get the full DN of the user + // and add it using the full DN of the group + + // Find the user's dn + $userDn = $this->adldap->user()->dn($user, $isGUID); + if ($userDn === false) { + return false; + } + + // Find the group's dn + $groupInfo = $this->info($group, array("cn")); + if ($groupInfo[0]["dn"] === NULL) { + return false; + } + $groupDn = $groupInfo[0]["dn"]; + + $add = array(); + $add["member"] = $userDn; + + $result = @ldap_mod_add($this->adldap->getLdapConnection(), $groupDn, $add); + if ($result == false) { + return false; + } + return true; + } + + /** + * Add a contact to a group + * + * @param string $group The group to add the contact to + * @param string $contactDn The DN of the contact to add + * @return bool + */ + public function addContact($group, $contactDn) + { + // To add a contact we take the contact's DN + // and add it using the full DN of the group + + // Find the group's dn + $groupInfo = $this->info($group, array("cn")); + if ($groupInfo[0]["dn"] === NULL) { + return false; + } + $groupDn = $groupInfo[0]["dn"]; + + $add = array(); + $add["member"] = $contactDn; + + $result = @ldap_mod_add($this->adldap->getLdapConnection(), $groupDn, $add); + if ($result == false) { + return false; + } + return true; + } + + /** + * Create a group + * + * @param array $attributes Default attributes of the group + * @return bool + */ + public function create($attributes) + { + if (!is_array($attributes)){ return "Attributes must be an array"; } + if (!array_key_exists("group_name", $attributes)){ return "Missing compulsory field [group_name]"; } + if (!array_key_exists("container", $attributes)){ return "Missing compulsory field [container]"; } + if (!array_key_exists("description", $attributes)){ return "Missing compulsory field [description]"; } + if (!is_array($attributes["container"])){ return "Container attribute must be an array."; } + $attributes["container"] = array_reverse($attributes["container"]); + + //$member_array = array(); + //$member_array[0] = "cn=user1,cn=Users,dc=yourdomain,dc=com"; + //$member_array[1] = "cn=administrator,cn=Users,dc=yourdomain,dc=com"; + + $add = array(); + $add["cn"] = $attributes["group_name"]; + $add["samaccountname"] = $attributes["group_name"]; + $add["objectClass"] = "Group"; + $add["description"] = $attributes["description"]; + //$add["member"] = $member_array; UNTESTED + + $container = "OU=" . implode(",OU=", $attributes["container"]); + $result = ldap_add($this->adldap->getLdapConnection(), "CN=" . $add["cn"] . ", " . $container . "," . $this->adldap->getBaseDn(), $add); + if ($result != true) { + return false; + } + return true; + } + + /** + * Delete a group account + * + * @param string $group The group to delete (please be careful here!) + * + * @return array + */ + public function delete($group) { + if (!$this->adldap->getLdapBind()){ return false; } + if ($group === null){ return "Missing compulsory field [group]"; } + + $groupInfo = $this->info($group, array("*")); + $dn = $groupInfo[0]['distinguishedname'][0]; + $result = $this->adldap->folder()->delete($dn); + if ($result !== true) { + return false; + } return true; + } + + /** + * Remove a group from a group + * + * @param string $parent The parent group name + * @param string $child The child group name + * @return bool + */ + public function removeGroup($parent , $child) + { + + // Find the parent dn + $parentGroup = $this->info($parent, array("cn")); + if ($parentGroup[0]["dn"] === NULL) { + return false; + } + $parentDn = $parentGroup[0]["dn"]; + + // Find the child dn + $childGroup = $this->info($child, array("cn")); + if ($childGroup[0]["dn"] === NULL) { + return false; + } + $childDn = $childGroup[0]["dn"]; + + $del = array(); + $del["member"] = $childDn; + + $result = @ldap_mod_del($this->adldap->getLdapConnection(), $parentDn, $del); + if ($result == false) { + return false; + } + return true; + } + + /** + * Remove a user from a group + * + * @param string $group The group to remove a user from + * @param string $user The AD user to remove from the group + * @param bool $isGUID Is the username passed a GUID or a samAccountName + * @return bool + */ + public function removeUser($group, $user, $isGUID = false) + { + + // Find the parent dn + $groupInfo = $this->info($group, array("cn")); + if ($groupInfo[0]["dn"] === NULL){ + return false; + } + $groupDn = $groupInfo[0]["dn"]; + + // Find the users dn + $userDn = $this->adldap->user()->dn($user, $isGUID); + if ($userDn === false) { + return false; + } + + $del = array(); + $del["member"] = $userDn; + + $result = @ldap_mod_del($this->adldap->getLdapConnection(), $groupDn, $del); + if ($result == false) { + return false; + } + return true; + } + + /** + * Remove a contact from a group + * + * @param string $group The group to remove a user from + * @param string $contactDn The DN of a contact to remove from the group + * @return bool + */ + public function removeContact($group, $contactDn) + { + + // Find the parent dn + $groupInfo = $this->info($group, array("cn")); + if ($groupInfo[0]["dn"] === NULL) { + return false; + } + $groupDn = $groupInfo[0]["dn"]; + + $del = array(); + $del["member"] = $contactDn; + + $result = @ldap_mod_del($this->adldap->getLdapConnection(), $groupDn, $del); + if ($result == false) { + return false; + } + return true; + } + + /** + * Return a list of groups in a group + * + * @param string $group The group to query + * @param bool $recursive Recursively get groups + * @return array + */ + public function inGroup($group, $recursive = NULL) + { + if (!$this->adldap->getLdapBind()){ return false; } + if ($recursive === NULL){ $recursive = $this->adldap->getRecursiveGroups(); } // Use the default option if they haven't set it + + // Search the directory for the members of a group + $info = $this->info($group, array("member","cn")); + $groups = $info[0]["member"]; + if (!is_array($groups)) { + return false; + } + + $groupArray = array(); + + for ($i=0; $i<$groups["count"]; $i++){ + $filter = "(&(objectCategory=group)(distinguishedName=" . $this->adldap->utilities()->ldapSlashes($groups[$i]) . "))"; + $fields = array("samaccountname", "distinguishedname", "objectClass"); + $sr = ldap_search($this->adldap->getLdapConnection(), $this->adldap->getBaseDn(), $filter, $fields); + $entries = ldap_get_entries($this->adldap->getLdapConnection(), $sr); + + // not a person, look for a group + if ($entries['count'] == 0 && $recursive == true) { + $filter = "(&(objectCategory=group)(distinguishedName=" . $this->adldap->utilities()->ldapSlashes($groups[$i]) . "))"; + $fields = array("distinguishedname"); + $sr = ldap_search($this->adldap->getLdapConnection(), $this->adldap->getBaseDn(), $filter, $fields); + $entries = ldap_get_entries($this->adldap->getLdapConnection(), $sr); + if (!isset($entries[0]['distinguishedname'][0])) { + continue; + } + $subGroups = $this->inGroup($entries[0]['distinguishedname'][0], $recursive); + if (is_array($subGroups)) { + $groupArray = array_merge($groupArray, $subGroups); + $groupArray = array_unique($groupArray); + } + continue; + } + + $groupArray[] = $entries[0]['distinguishedname'][0]; + } + return $groupArray; + } + + /** + * Return a list of members in a group + * + * @param string $group The group to query + * @param bool $recursive Recursively get group members + * @return array + */ + public function members($group, $recursive = NULL) + { + if (!$this->adldap->getLdapBind()){ return false; } + if ($recursive === NULL){ $recursive = $this->adldap->getRecursiveGroups(); } // Use the default option if they haven't set it + // Search the directory for the members of a group + $info = $this->info($group, array("member","cn")); + $users = $info[0]["member"]; + if (!is_array($users)) { + return false; + } + + $userArray = array(); + + for ($i=0; $i<$users["count"]; $i++){ + $filter = "(&(objectCategory=person)(distinguishedName=" . $this->adldap->utilities()->ldapSlashes($users[$i]) . "))"; + $fields = array("samaccountname", "distinguishedname", "objectClass"); + $sr = ldap_search($this->adldap->getLdapConnection(), $this->adldap->getBaseDn(), $filter, $fields); + $entries = ldap_get_entries($this->adldap->getLdapConnection(), $sr); + + // not a person, look for a group + if ($entries['count'] == 0 && $recursive == true) { + $filter = "(&(objectCategory=group)(distinguishedName=" . $this->adldap->utilities()->ldapSlashes($users[$i]) . "))"; + $fields = array("samaccountname"); + $sr = ldap_search($this->adldap->getLdapConnection(), $this->adldap->getBaseDn(), $filter, $fields); + $entries = ldap_get_entries($this->adldap->getLdapConnection(), $sr); + if (!isset($entries[0]['samaccountname'][0])) { + continue; + } + $subUsers = $this->members($entries[0]['samaccountname'][0], $recursive); + if (is_array($subUsers)) { + $userArray = array_merge($userArray, $subUsers); + $userArray = array_unique($userArray); + } + continue; + } + else if ($entries['count'] == 0) { + continue; + } + + if ((!isset($entries[0]['samaccountname'][0]) || $entries[0]['samaccountname'][0] === NULL) && $entries[0]['distinguishedname'][0] !== NULL) { + $userArray[] = $entries[0]['distinguishedname'][0]; + } + else if ($entries[0]['samaccountname'][0] !== NULL) { + $userArray[] = $entries[0]['samaccountname'][0]; + } + } + return $userArray; + } + + /** + * Group Information. Returns an array of raw information about a group. + * The group name is case sensitive + * + * @param string $groupName The group name to retrieve info about + * @param array $fields Fields to retrieve + * @return array + */ + public function info($groupName, $fields = NULL) + { + if ($groupName === NULL) { return false; } + if (!$this->adldap->getLdapBind()) { return false; } + + if (stristr($groupName, '+')) { + $groupName = stripslashes($groupName); + } + + $filter = "(&(objectCategory=group)(name=" . $this->adldap->utilities()->ldapSlashes($groupName) . "))"; + if ($fields === NULL) { + $fields = array("member","memberof","cn","description","distinguishedname","objectcategory","samaccountname"); + } + $sr = ldap_search($this->adldap->getLdapConnection(), $this->adldap->getBaseDn(), $filter, $fields); + $entries = ldap_get_entries($this->adldap->getLdapConnection(), $sr); + + return $entries; + } + + /** + * Group Information. Returns an collection + * The group name is case sensitive + * + * @param string $groupName The group name to retrieve info about + * @param array $fields Fields to retrieve + * @return adLDAPGroupCollection + */ + public function infoCollection($groupName, $fields = NULL) + { + if ($groupName === NULL) { return false; } + if (!$this->adldap->getLdapBind()) { return false; } + + $info = $this->info($groupName, $fields); + if ($info !== false) { + $collection = new adLDAPGroupCollection($info, $this->adldap); + return $collection; + } + return false; + } + + /** + * Return a complete list of "groups in groups" + * + * @param string $group The group to get the list from + * @return array + */ + public function recursiveGroups($group) + { + if ($group === NULL) { return false; } + + $stack = array(); + $processed = array(); + $retGroups = array(); + + array_push($stack, $group); // Initial Group to Start with + while (count($stack) > 0) { + $parent = array_pop($stack); + array_push($processed, $parent); + + $info = $this->info($parent, array("memberof")); + + if (isset($info[0]["memberof"]) && is_array($info[0]["memberof"])) { + $groups = $info[0]["memberof"]; + if ($groups) { + $groupNames = $this->adldap->utilities()->niceNames($groups); + $retGroups = array_merge($retGroups, $groupNames); //final groups to return + foreach ($groupNames as $id => $groupName) { + if (!in_array($groupName, $processed)) { + array_push($stack, $groupName); + } + } + } + } + } + + return $retGroups; + } + + /** + * Returns a complete list of the groups in AD based on a SAM Account Type + * + * @param string $sAMAaccountType The account type to return + * @param bool $includeDescription Whether to return a description + * @param string $search Search parameters + * @param bool $sorted Whether to sort the results + * @return array + */ + public function search($sAMAaccountType = adLDAP::ADLDAP_SECURITY_GLOBAL_GROUP, $includeDescription = false, $search = "*", $sorted = true) { + if (!$this->adldap->getLdapBind()) { return false; } + + $filter = '(&(objectCategory=group)'; + if ($sAMAaccountType !== null) { + $filter .= '(samaccounttype='. $sAMAaccountType .')'; + } + $filter .= '(cn=' . $search . '))'; + // Perform the search and grab all their details + $fields = array("samaccountname", "description"); + $sr = ldap_search($this->adldap->getLdapConnection(), $this->adldap->getBaseDn(), $filter, $fields); + $entries = ldap_get_entries($this->adldap->getLdapConnection(), $sr); + + $groupsArray = array(); + for ($i=0; $i<$entries["count"]; $i++){ + if ($includeDescription && strlen($entries[$i]["description"][0]) > 0 ) { + $groupsArray[$entries[$i]["samaccountname"][0]] = $entries[$i]["description"][0]; + } + else if ($includeDescription){ + $groupsArray[$entries[$i]["samaccountname"][0]] = $entries[$i]["samaccountname"][0]; + } + else { + array_push($groupsArray, $entries[$i]["samaccountname"][0]); + } + } + if ($sorted) { + asort($groupsArray); + } + return $groupsArray; + } + + /** + * Returns a complete list of all groups in AD + * + * @param bool $includeDescription Whether to return a description + * @param string $search Search parameters + * @param bool $sorted Whether to sort the results + * @return array + */ + public function all($includeDescription = false, $search = "*", $sorted = true){ + $groupsArray = $this->search(null, $includeDescription, $search, $sorted); + return $groupsArray; + } + + /** + * Returns a complete list of security groups in AD + * + * @param bool $includeDescription Whether to return a description + * @param string $search Search parameters + * @param bool $sorted Whether to sort the results + * @return array + */ + public function allSecurity($includeDescription = false, $search = "*", $sorted = true){ + $groupsArray = $this->search(adLDAP::ADLDAP_SECURITY_GLOBAL_GROUP, $includeDescription, $search, $sorted); + return $groupsArray; + } + + /** + * Returns a complete list of distribution lists in AD + * + * @param bool $includeDescription Whether to return a description + * @param string $search Search parameters + * @param bool $sorted Whether to sort the results + * @return array + */ + public function allDistribution($includeDescription = false, $search = "*", $sorted = true){ + $groupsArray = $this->search(adLDAP::ADLDAP_DISTRIBUTION_GROUP, $includeDescription, $search, $sorted); + return $groupsArray; + } + + /** + * Coping with AD not returning the primary group + * http://support.microsoft.com/?kbid=321360 + * + * This is a re-write based on code submitted by Bruce which prevents the + * need to search each security group to find the true primary group + * + * @param string $gid Group ID + * @param string $usersid User's Object SID + * @return mixed + */ + public function getPrimaryGroup($gid, $usersid) + { + if ($gid === NULL || $usersid === NULL) { return false; } + $sr = false; + + $gsid = substr_replace($usersid, pack('V',$gid), strlen($usersid)-4,4); + $filter = '(objectsid=' . $this->adldap->utilities()->getTextSID($gsid).')'; + $fields = array("samaccountname","distinguishedname"); + $sr = ldap_search($this->adldap->getLdapConnection(), $this->adldap->getBaseDn(), $filter, $fields); + $entries = ldap_get_entries($this->adldap->getLdapConnection(), $sr); + + if (isset($entries[0]['distinguishedname'][0])) { + return $entries[0]['distinguishedname'][0]; + } + return false; + } + + /** + * Coping with AD not returning the primary group + * http://support.microsoft.com/?kbid=321360 + * + * For some reason it's not possible to search on primarygrouptoken=XXX + * If someone can show otherwise, I'd like to know about it :) + * this way is resource intensive and generally a pain in the @#%^ + * + * @deprecated deprecated since version 3.1, see get get_primary_group + * @param string $gid Group ID + * @return string + */ + public function cn($gid){ + if ($gid === NULL) { return false; } + $sr = false; + $r = ''; + + $filter = "(&(objectCategory=group)(samaccounttype=" . adLDAP::ADLDAP_SECURITY_GLOBAL_GROUP . "))"; + $fields = array("primarygrouptoken", "samaccountname", "distinguishedname"); + $sr = ldap_search($this->adldap->getLdapConnection(), $this->adldap->getBaseDn(), $filter, $fields); + $entries = ldap_get_entries($this->adldap->getLdapConnection(), $sr); + + for ($i=0; $i<$entries["count"]; $i++){ + if ($entries[$i]["primarygrouptoken"][0] == $gid) { + $r = $entries[$i]["distinguishedname"][0]; + $i = $entries["count"]; + } + } + + return $r; + } +} +?> diff --git a/lib/plugins/authad/adLDAP/classes/adLDAPUsers.php b/lib/plugins/authad/adLDAP/classes/adLDAPUsers.php index 96a93b512..839fd592d 100644 --- a/lib/plugins/authad/adLDAP/classes/adLDAPUsers.php +++ b/lib/plugins/authad/adLDAP/classes/adLDAPUsers.php @@ -1,682 +1,682 @@ -adldap = $adldap; - } - - /** - * Validate a user's login credentials - * - * @param string $username A user's AD username - * @param string $password A user's AD password - * @param bool optional $prevent_rebind - * @return bool - */ - public function authenticate($username, $password, $preventRebind = false) { - return $this->adldap->authenticate($username, $password, $preventRebind); - } - - /** - * Create a user - * - * If you specify a password here, this can only be performed over SSL - * - * @param array $attributes The attributes to set to the user account - * @return bool - */ - public function create($attributes) - { - // Check for compulsory fields - if (!array_key_exists("username", $attributes)){ return "Missing compulsory field [username]"; } - if (!array_key_exists("firstname", $attributes)){ return "Missing compulsory field [firstname]"; } - if (!array_key_exists("surname", $attributes)){ return "Missing compulsory field [surname]"; } - if (!array_key_exists("email", $attributes)){ return "Missing compulsory field [email]"; } - if (!array_key_exists("container", $attributes)){ return "Missing compulsory field [container]"; } - if (!is_array($attributes["container"])){ return "Container attribute must be an array."; } - - if (array_key_exists("password",$attributes) && (!$this->adldap->getUseSSL() && !$this->adldap->getUseTLS())){ - throw new adLDAPException('SSL must be configured on your webserver and enabled in the class to set passwords.'); - } - - if (!array_key_exists("display_name", $attributes)) { - $attributes["display_name"] = $attributes["firstname"] . " " . $attributes["surname"]; - } - - // Translate the schema - $add = $this->adldap->adldap_schema($attributes); - - // Additional stuff only used for adding accounts - $add["cn"][0] = $attributes["display_name"]; - $add["samaccountname"][0] = $attributes["username"]; - $add["objectclass"][0] = "top"; - $add["objectclass"][1] = "person"; - $add["objectclass"][2] = "organizationalPerson"; - $add["objectclass"][3] = "user"; //person? - //$add["name"][0]=$attributes["firstname"]." ".$attributes["surname"]; - - // Set the account control attribute - $control_options = array("NORMAL_ACCOUNT"); - if (!$attributes["enabled"]) { - $control_options[] = "ACCOUNTDISABLE"; - } - $add["userAccountControl"][0] = $this->accountControl($control_options); - - // Determine the container - $attributes["container"] = array_reverse($attributes["container"]); - $container = "OU=" . implode(", OU=",$attributes["container"]); - - // Add the entry - $result = @ldap_add($this->adldap->getLdapConnection(), "CN=" . $add["cn"][0] . ", " . $container . "," . $this->adldap->getBaseDn(), $add); - if ($result != true) { - return false; - } - - return true; - } - - /** - * Account control options - * - * @param array $options The options to convert to int - * @return int - */ - protected function accountControl($options) - { - $val=0; - - if (is_array($options)) { - if (in_array("SCRIPT",$options)){ $val=$val+1; } - if (in_array("ACCOUNTDISABLE",$options)){ $val=$val+2; } - if (in_array("HOMEDIR_REQUIRED",$options)){ $val=$val+8; } - if (in_array("LOCKOUT",$options)){ $val=$val+16; } - if (in_array("PASSWD_NOTREQD",$options)){ $val=$val+32; } - //PASSWD_CANT_CHANGE Note You cannot assign this permission by directly modifying the UserAccountControl attribute. - //For information about how to set the permission programmatically, see the "Property flag descriptions" section. - if (in_array("ENCRYPTED_TEXT_PWD_ALLOWED",$options)){ $val=$val+128; } - if (in_array("TEMP_DUPLICATE_ACCOUNT",$options)){ $val=$val+256; } - if (in_array("NORMAL_ACCOUNT",$options)){ $val=$val+512; } - if (in_array("INTERDOMAIN_TRUST_ACCOUNT",$options)){ $val=$val+2048; } - if (in_array("WORKSTATION_TRUST_ACCOUNT",$options)){ $val=$val+4096; } - if (in_array("SERVER_TRUST_ACCOUNT",$options)){ $val=$val+8192; } - if (in_array("DONT_EXPIRE_PASSWORD",$options)){ $val=$val+65536; } - if (in_array("MNS_LOGON_ACCOUNT",$options)){ $val=$val+131072; } - if (in_array("SMARTCARD_REQUIRED",$options)){ $val=$val+262144; } - if (in_array("TRUSTED_FOR_DELEGATION",$options)){ $val=$val+524288; } - if (in_array("NOT_DELEGATED",$options)){ $val=$val+1048576; } - if (in_array("USE_DES_KEY_ONLY",$options)){ $val=$val+2097152; } - if (in_array("DONT_REQ_PREAUTH",$options)){ $val=$val+4194304; } - if (in_array("PASSWORD_EXPIRED",$options)){ $val=$val+8388608; } - if (in_array("TRUSTED_TO_AUTH_FOR_DELEGATION",$options)){ $val=$val+16777216; } - } - return $val; - } - - /** - * Delete a user account - * - * @param string $username The username to delete (please be careful here!) - * @param bool $isGUID Is the username a GUID or a samAccountName - * @return array - */ - public function delete($username, $isGUID = false) - { - $userinfo = $this->info($username, array("*"), $isGUID); - $dn = $userinfo[0]['distinguishedname'][0]; - $result = $this->adldap->folder()->delete($dn); - if ($result != true) { - return false; - } - return true; - } - - /** - * Groups the user is a member of - * - * @param string $username The username to query - * @param bool $recursive Recursive list of groups - * @param bool $isGUID Is the username passed a GUID or a samAccountName - * @return array - */ - public function groups($username, $recursive = NULL, $isGUID = false) - { - if ($username === NULL) { return false; } - if ($recursive === NULL) { $recursive = $this->adldap->getRecursiveGroups(); } // Use the default option if they haven't set it - if (!$this->adldap->getLdapBind()) { return false; } - - // Search the directory for their information - $info = @$this->info($username, array("memberof", "primarygroupid"), $isGUID); - $groups = $this->adldap->utilities()->niceNames($info[0]["memberof"]); // Presuming the entry returned is our guy (unique usernames) - - if ($recursive === true){ - foreach ($groups as $id => $groupName){ - $extraGroups = $this->adldap->group()->recursiveGroups($groupName); - $groups = array_merge($groups, $extraGroups); - } - } - - return $groups; - } - - /** - * Find information about the users. Returned in a raw array format from AD - * - * @param string $username The username to query - * @param array $fields Array of parameters to query - * @param bool $isGUID Is the username passed a GUID or a samAccountName - * @return array - */ - public function info($username, $fields = NULL, $isGUID = false) - { - if ($username === NULL) { return false; } - if (!$this->adldap->getLdapBind()) { return false; } - - if ($isGUID === true) { - $username = $this->adldap->utilities()->strGuidToHex($username); - $filter = "objectguid=" . $username; - } - else if (strstr($username, "@")) { - $filter = "userPrincipalName=" . $username; - } - else { - $filter = "samaccountname=" . $username; - } - $filter = "(&(objectCategory=person)({$filter}))"; - if ($fields === NULL) { - $fields = array("samaccountname","mail","memberof","department","displayname","telephonenumber","primarygroupid","objectsid"); - } - if (!in_array("objectsid", $fields)) { - $fields[] = "objectsid"; - } - $sr = ldap_search($this->adldap->getLdapConnection(), $this->adldap->getBaseDn(), $filter, $fields); - $entries = ldap_get_entries($this->adldap->getLdapConnection(), $sr); - - if (isset($entries[0])) { - if ($entries[0]['count'] >= 1) { - if (in_array("memberof", $fields)) { - // AD does not return the primary group in the ldap query, we may need to fudge it - if ($this->adldap->getRealPrimaryGroup() && isset($entries[0]["primarygroupid"][0]) && isset($entries[0]["objectsid"][0])){ - //$entries[0]["memberof"][]=$this->group_cn($entries[0]["primarygroupid"][0]); - $entries[0]["memberof"][] = $this->adldap->group()->getPrimaryGroup($entries[0]["primarygroupid"][0], $entries[0]["objectsid"][0]); - } else { - $entries[0]["memberof"][] = "CN=Domain Users,CN=Users," . $this->adldap->getBaseDn(); - } - if (!isset($entries[0]["memberof"]["count"])) { - $entries[0]["memberof"]["count"] = 0; - } - $entries[0]["memberof"]["count"]++; - } - } - - return $entries; - } - return false; - } - - /** - * Find information about the users. Returned in a raw array format from AD - * - * @param string $username The username to query - * @param array $fields Array of parameters to query - * @param bool $isGUID Is the username passed a GUID or a samAccountName - * @return mixed - */ - public function infoCollection($username, $fields = NULL, $isGUID = false) - { - if ($username === NULL) { return false; } - if (!$this->adldap->getLdapBind()) { return false; } - - $info = $this->info($username, $fields, $isGUID); - - if ($info !== false) { - $collection = new adLDAPUserCollection($info, $this->adldap); - return $collection; - } - return false; - } - - /** - * Determine if a user is in a specific group - * - * @param string $username The username to query - * @param string $group The name of the group to check against - * @param bool $recursive Check groups recursively - * @param bool $isGUID Is the username passed a GUID or a samAccountName - * @return bool - */ - public function inGroup($username, $group, $recursive = NULL, $isGUID = false) - { - if ($username === NULL) { return false; } - if ($group === NULL) { return false; } - if (!$this->adldap->getLdapBind()) { return false; } - if ($recursive === NULL) { $recursive = $this->adldap->getRecursiveGroups(); } // Use the default option if they haven't set it - - // Get a list of the groups - $groups = $this->groups($username, $recursive, $isGUID); - - // Return true if the specified group is in the group list - if (in_array($group, $groups)) { - return true; - } - - return false; - } - - /** - * Determine a user's password expiry date - * - * @param string $username The username to query - * @param book $isGUID Is the username passed a GUID or a samAccountName - * @requires bcmath http://www.php.net/manual/en/book.bc.php - * @return array - */ - public function passwordExpiry($username, $isGUID = false) - { - if ($username === NULL) { return "Missing compulsory field [username]"; } - if (!$this->adldap->getLdapBind()) { return false; } - if (!function_exists('bcmod')) { throw new adLDAPException("Missing function support [bcmod] http://www.php.net/manual/en/book.bc.php"); }; - - $userInfo = $this->info($username, array("pwdlastset", "useraccountcontrol"), $isGUID); - $pwdLastSet = $userInfo[0]['pwdlastset'][0]; - $status = array(); - - if ($userInfo[0]['useraccountcontrol'][0] == '66048') { - // Password does not expire - return "Does not expire"; - } - if ($pwdLastSet === '0') { - // Password has already expired - return "Password has expired"; - } - - // Password expiry in AD can be calculated from TWO values: - // - User's own pwdLastSet attribute: stores the last time the password was changed - // - Domain's maxPwdAge attribute: how long passwords last in the domain - // - // Although Microsoft chose to use a different base and unit for time measurements. - // This function will convert them to Unix timestamps - $sr = ldap_read($this->adldap->getLdapConnection(), $this->adldap->getBaseDn(), 'objectclass=*', array('maxPwdAge')); - if (!$sr) { - return false; - } - $info = ldap_get_entries($this->adldap->getLdapConnection(), $sr); - $maxPwdAge = $info[0]['maxpwdage'][0]; - - - // See MSDN: http://msdn.microsoft.com/en-us/library/ms974598.aspx - // - // pwdLastSet contains the number of 100 nanosecond intervals since January 1, 1601 (UTC), - // stored in a 64 bit integer. - // - // The number of seconds between this date and Unix epoch is 11644473600. - // - // maxPwdAge is stored as a large integer that represents the number of 100 nanosecond - // intervals from the time the password was set before the password expires. - // - // We also need to scale this to seconds but also this value is a _negative_ quantity! - // - // If the low 32 bits of maxPwdAge are equal to 0 passwords do not expire - // - // Unfortunately the maths involved are too big for PHP integers, so I've had to require - // BCMath functions to work with arbitrary precision numbers. - if (bcmod($maxPwdAge, 4294967296) === '0') { - return "Domain does not expire passwords"; - } - - // Add maxpwdage and pwdlastset and we get password expiration time in Microsoft's - // time units. Because maxpwd age is negative we need to subtract it. - $pwdExpire = bcsub($pwdLastSet, $maxPwdAge); - - // Convert MS's time to Unix time - $status['expiryts'] = bcsub(bcdiv($pwdExpire, '10000000'), '11644473600'); - $status['expiryformat'] = date('Y-m-d H:i:s', bcsub(bcdiv($pwdExpire, '10000000'), '11644473600')); - - return $status; - } - - /** - * Modify a user - * - * @param string $username The username to query - * @param array $attributes The attributes to modify. Note if you set the enabled attribute you must not specify any other attributes - * @param bool $isGUID Is the username passed a GUID or a samAccountName - * @return bool - */ - public function modify($username, $attributes, $isGUID = false) - { - if ($username === NULL) { return "Missing compulsory field [username]"; } - if (array_key_exists("password", $attributes) && !$this->adldap->getUseSSL() && !$this->adldap->getUseTLS()) { - throw new adLDAPException('SSL/TLS must be configured on your webserver and enabled in the class to set passwords.'); - } - - // Find the dn of the user - $userDn = $this->dn($username, $isGUID); - if ($userDn === false) { - return false; - } - - // Translate the update to the LDAP schema - $mod = $this->adldap->adldap_schema($attributes); - - // Check to see if this is an enabled status update - if (!$mod && !array_key_exists("enabled", $attributes)){ - return false; - } - - // Set the account control attribute (only if specified) - if (array_key_exists("enabled", $attributes)){ - if ($attributes["enabled"]){ - $controlOptions = array("NORMAL_ACCOUNT"); - } - else { - $controlOptions = array("NORMAL_ACCOUNT", "ACCOUNTDISABLE"); - } - $mod["userAccountControl"][0] = $this->accountControl($controlOptions); - } - - // Do the update - $result = @ldap_modify($this->adldap->getLdapConnection(), $userDn, $mod); - if ($result == false) { - return false; - } - - return true; - } - - /** - * Disable a user account - * - * @param string $username The username to disable - * @param bool $isGUID Is the username passed a GUID or a samAccountName - * @return bool - */ - public function disable($username, $isGUID = false) - { - if ($username === NULL) { return "Missing compulsory field [username]"; } - $attributes = array("enabled" => 0); - $result = $this->modify($username, $attributes, $isGUID); - if ($result == false) { return false; } - - return true; - } - - /** - * Enable a user account - * - * @param string $username The username to enable - * @param bool $isGUID Is the username passed a GUID or a samAccountName - * @return bool - */ - public function enable($username, $isGUID = false) - { - if ($username === NULL) { return "Missing compulsory field [username]"; } - $attributes = array("enabled" => 1); - $result = $this->modify($username, $attributes, $isGUID); - if ($result == false) { return false; } - - return true; - } - - /** - * Set the password of a user - This must be performed over SSL - * - * @param string $username The username to modify - * @param string $password The new password - * @param bool $isGUID Is the username passed a GUID or a samAccountName - * @return bool - */ - public function password($username, $password, $isGUID = false) - { - if ($username === NULL) { return false; } - if ($password === NULL) { return false; } - if (!$this->adldap->getLdapBind()) { return false; } - if (!$this->adldap->getUseSSL() && !$this->adldap->getUseTLS()) { - throw new adLDAPException('SSL must be configured on your webserver and enabled in the class to set passwords.'); - } - - $userDn = $this->dn($username, $isGUID); - if ($userDn === false) { - return false; - } - - $add=array(); - $add["unicodePwd"][0] = $this->encodePassword($password); - - $result = @ldap_mod_replace($this->adldap->getLdapConnection(), $userDn, $add); - if ($result === false){ - $err = ldap_errno($this->adldap->getLdapConnection()); - if ($err) { - $msg = 'Error ' . $err . ': ' . ldap_err2str($err) . '.'; - if($err == 53) { - $msg .= ' Your password might not match the password policy.'; - } - throw new adLDAPException($msg); - } - else { - return false; - } - } - - return true; - } - - /** - * Encode a password for transmission over LDAP - * - * @param string $password The password to encode - * @return string - */ - public function encodePassword($password) - { - $password="\"".$password."\""; - $encoded=""; - for ($i=0; $i info($username, array("cn"), $isGUID); - if ($user[0]["dn"] === NULL) { - return false; - } - $userDn = $user[0]["dn"]; - return $userDn; - } - - /** - * Return a list of all users in AD - * - * @param bool $includeDescription Return a description of the user - * @param string $search Search parameter - * @param bool $sorted Sort the user accounts - * @return array - */ - public function all($includeDescription = false, $search = "*", $sorted = true) - { - if (!$this->adldap->getLdapBind()) { return false; } - - // Perform the search and grab all their details - $filter = "(&(objectClass=user)(samaccounttype=" . adLDAP::ADLDAP_NORMAL_ACCOUNT .")(objectCategory=person)(cn=" . $search . "))"; - $fields = array("samaccountname","displayname"); - $sr = ldap_search($this->adldap->getLdapConnection(), $this->adldap->getBaseDn(), $filter, $fields); - $entries = ldap_get_entries($this->adldap->getLdapConnection(), $sr); - - $usersArray = array(); - for ($i=0; $i<$entries["count"]; $i++){ - if ($includeDescription && strlen($entries[$i]["displayname"][0])>0){ - $usersArray[$entries[$i]["samaccountname"][0]] = $entries[$i]["displayname"][0]; - } elseif ($includeDescription){ - $usersArray[$entries[$i]["samaccountname"][0]] = $entries[$i]["samaccountname"][0]; - } else { - array_push($usersArray, $entries[$i]["samaccountname"][0]); - } - } - if ($sorted) { - asort($usersArray); - } - return $usersArray; - } - - /** - * Converts a username (samAccountName) to a GUID - * - * @param string $username The username to query - * @return string - */ - public function usernameToGuid($username) - { - if (!$this->adldap->getLdapBind()){ return false; } - if ($username === null){ return "Missing compulsory field [username]"; } - - $filter = "samaccountname=" . $username; - $fields = array("objectGUID"); - $sr = @ldap_search($this->adldap->getLdapConnection(), $this->adldap->getBaseDn(), $filter, $fields); - if (ldap_count_entries($this->adldap->getLdapConnection(), $sr) > 0) { - $entry = @ldap_first_entry($this->adldap->getLdapConnection(), $sr); - $guid = @ldap_get_values_len($this->adldap->getLdapConnection(), $entry, 'objectGUID'); - $strGUID = $this->adldap->utilities()->binaryToText($guid[0]); - return $strGUID; - } - return false; - } - - /** - * Return a list of all users in AD that have a specific value in a field - * - * @param bool $includeDescription Return a description of the user - * @param string $searchField Field to search search for - * @param string $searchFilter Value to search for in the specified field - * @param bool $sorted Sort the user accounts - * @return array - */ - public function find($includeDescription = false, $searchField = false, $searchFilter = false, $sorted = true){ - if (!$this->adldap->getLdapBind()){ return false; } - - // Perform the search and grab all their details - $searchParams = ""; - if ($searchField) { - $searchParams = "(" . $searchField . "=" . $searchFilter . ")"; - } - $filter = "(&(objectClass=user)(samaccounttype=" . adLDAP::ADLDAP_NORMAL_ACCOUNT .")(objectCategory=person)" . $searchParams . ")"; - $fields = array("samaccountname","displayname"); - $sr = ldap_search($this->adldap->getLdapConnection(), $this->adldap->getBaseDn(), $filter, $fields); - $entries = ldap_get_entries($this->adldap->getLdapConnection(), $sr); - - $usersArray = array(); - for ($i=0; $i < $entries["count"]; $i++) { - if ($includeDescription && strlen($entries[$i]["displayname"][0]) > 0) { - $usersArray[$entries[$i]["samaccountname"][0]] = $entries[$i]["displayname"][0]; - } - else if ($includeDescription) { - $usersArray[$entries[$i]["samaccountname"][0]] = $entries[$i]["samaccountname"][0]; - } - else { - array_push($usersArray, $entries[$i]["samaccountname"][0]); - } - } - if ($sorted){ - asort($usersArray); - } - return ($usersArray); - } - - /** - * Move a user account to a different OU - * - * @param string $username The username to move (please be careful here!) - * @param array $container The container or containers to move the user to (please be careful here!). - * accepts containers in 1. parent 2. child order - * @return array - */ - public function move($username, $container) - { - if (!$this->adldap->getLdapBind()) { return false; } - if ($username === null) { return "Missing compulsory field [username]"; } - if ($container === null) { return "Missing compulsory field [container]"; } - if (!is_array($container)) { return "Container must be an array"; } - - $userInfo = $this->info($username, array("*")); - $dn = $userInfo[0]['distinguishedname'][0]; - $newRDn = "cn=" . $username; - $container = array_reverse($container); - $newContainer = "ou=" . implode(",ou=",$container); - $newBaseDn = strtolower($newContainer) . "," . $this->adldap->getBaseDn(); - $result = @ldap_rename($this->adldap->getLdapConnection(), $dn, $newRDn, $newBaseDn, true); - if ($result !== true) { - return false; - } - return true; - } - - /** - * Get the last logon time of any user as a Unix timestamp - * - * @param string $username - * @return long $unixTimestamp - */ - public function getLastLogon($username) { - if (!$this->adldap->getLdapBind()) { return false; } - if ($username === null) { return "Missing compulsory field [username]"; } - $userInfo = $this->info($username, array("lastLogonTimestamp")); - $lastLogon = adLDAPUtils::convertWindowsTimeToUnixTime($userInfo[0]['lastLogonTimestamp'][0]); - return $lastLogon; - } - -} -?> +adldap = $adldap; + } + + /** + * Validate a user's login credentials + * + * @param string $username A user's AD username + * @param string $password A user's AD password + * @param bool optional $prevent_rebind + * @return bool + */ + public function authenticate($username, $password, $preventRebind = false) { + return $this->adldap->authenticate($username, $password, $preventRebind); + } + + /** + * Create a user + * + * If you specify a password here, this can only be performed over SSL + * + * @param array $attributes The attributes to set to the user account + * @return bool + */ + public function create($attributes) + { + // Check for compulsory fields + if (!array_key_exists("username", $attributes)){ return "Missing compulsory field [username]"; } + if (!array_key_exists("firstname", $attributes)){ return "Missing compulsory field [firstname]"; } + if (!array_key_exists("surname", $attributes)){ return "Missing compulsory field [surname]"; } + if (!array_key_exists("email", $attributes)){ return "Missing compulsory field [email]"; } + if (!array_key_exists("container", $attributes)){ return "Missing compulsory field [container]"; } + if (!is_array($attributes["container"])){ return "Container attribute must be an array."; } + + if (array_key_exists("password",$attributes) && (!$this->adldap->getUseSSL() && !$this->adldap->getUseTLS())){ + throw new adLDAPException('SSL must be configured on your webserver and enabled in the class to set passwords.'); + } + + if (!array_key_exists("display_name", $attributes)) { + $attributes["display_name"] = $attributes["firstname"] . " " . $attributes["surname"]; + } + + // Translate the schema + $add = $this->adldap->adldap_schema($attributes); + + // Additional stuff only used for adding accounts + $add["cn"][0] = $attributes["display_name"]; + $add["samaccountname"][0] = $attributes["username"]; + $add["objectclass"][0] = "top"; + $add["objectclass"][1] = "person"; + $add["objectclass"][2] = "organizationalPerson"; + $add["objectclass"][3] = "user"; //person? + //$add["name"][0]=$attributes["firstname"]." ".$attributes["surname"]; + + // Set the account control attribute + $control_options = array("NORMAL_ACCOUNT"); + if (!$attributes["enabled"]) { + $control_options[] = "ACCOUNTDISABLE"; + } + $add["userAccountControl"][0] = $this->accountControl($control_options); + + // Determine the container + $attributes["container"] = array_reverse($attributes["container"]); + $container = "OU=" . implode(", OU=",$attributes["container"]); + + // Add the entry + $result = @ldap_add($this->adldap->getLdapConnection(), "CN=" . $add["cn"][0] . ", " . $container . "," . $this->adldap->getBaseDn(), $add); + if ($result != true) { + return false; + } + + return true; + } + + /** + * Account control options + * + * @param array $options The options to convert to int + * @return int + */ + protected function accountControl($options) + { + $val=0; + + if (is_array($options)) { + if (in_array("SCRIPT",$options)){ $val=$val+1; } + if (in_array("ACCOUNTDISABLE",$options)){ $val=$val+2; } + if (in_array("HOMEDIR_REQUIRED",$options)){ $val=$val+8; } + if (in_array("LOCKOUT",$options)){ $val=$val+16; } + if (in_array("PASSWD_NOTREQD",$options)){ $val=$val+32; } + //PASSWD_CANT_CHANGE Note You cannot assign this permission by directly modifying the UserAccountControl attribute. + //For information about how to set the permission programmatically, see the "Property flag descriptions" section. + if (in_array("ENCRYPTED_TEXT_PWD_ALLOWED",$options)){ $val=$val+128; } + if (in_array("TEMP_DUPLICATE_ACCOUNT",$options)){ $val=$val+256; } + if (in_array("NORMAL_ACCOUNT",$options)){ $val=$val+512; } + if (in_array("INTERDOMAIN_TRUST_ACCOUNT",$options)){ $val=$val+2048; } + if (in_array("WORKSTATION_TRUST_ACCOUNT",$options)){ $val=$val+4096; } + if (in_array("SERVER_TRUST_ACCOUNT",$options)){ $val=$val+8192; } + if (in_array("DONT_EXPIRE_PASSWORD",$options)){ $val=$val+65536; } + if (in_array("MNS_LOGON_ACCOUNT",$options)){ $val=$val+131072; } + if (in_array("SMARTCARD_REQUIRED",$options)){ $val=$val+262144; } + if (in_array("TRUSTED_FOR_DELEGATION",$options)){ $val=$val+524288; } + if (in_array("NOT_DELEGATED",$options)){ $val=$val+1048576; } + if (in_array("USE_DES_KEY_ONLY",$options)){ $val=$val+2097152; } + if (in_array("DONT_REQ_PREAUTH",$options)){ $val=$val+4194304; } + if (in_array("PASSWORD_EXPIRED",$options)){ $val=$val+8388608; } + if (in_array("TRUSTED_TO_AUTH_FOR_DELEGATION",$options)){ $val=$val+16777216; } + } + return $val; + } + + /** + * Delete a user account + * + * @param string $username The username to delete (please be careful here!) + * @param bool $isGUID Is the username a GUID or a samAccountName + * @return array + */ + public function delete($username, $isGUID = false) + { + $userinfo = $this->info($username, array("*"), $isGUID); + $dn = $userinfo[0]['distinguishedname'][0]; + $result = $this->adldap->folder()->delete($dn); + if ($result != true) { + return false; + } + return true; + } + + /** + * Groups the user is a member of + * + * @param string $username The username to query + * @param bool $recursive Recursive list of groups + * @param bool $isGUID Is the username passed a GUID or a samAccountName + * @return array + */ + public function groups($username, $recursive = NULL, $isGUID = false) + { + if ($username === NULL) { return false; } + if ($recursive === NULL) { $recursive = $this->adldap->getRecursiveGroups(); } // Use the default option if they haven't set it + if (!$this->adldap->getLdapBind()) { return false; } + + // Search the directory for their information + $info = @$this->info($username, array("memberof", "primarygroupid"), $isGUID); + $groups = $this->adldap->utilities()->niceNames($info[0]["memberof"]); // Presuming the entry returned is our guy (unique usernames) + + if ($recursive === true){ + foreach ($groups as $id => $groupName){ + $extraGroups = $this->adldap->group()->recursiveGroups($groupName); + $groups = array_merge($groups, $extraGroups); + } + } + + return $groups; + } + + /** + * Find information about the users. Returned in a raw array format from AD + * + * @param string $username The username to query + * @param array $fields Array of parameters to query + * @param bool $isGUID Is the username passed a GUID or a samAccountName + * @return array + */ + public function info($username, $fields = NULL, $isGUID = false) + { + if ($username === NULL) { return false; } + if (!$this->adldap->getLdapBind()) { return false; } + + if ($isGUID === true) { + $username = $this->adldap->utilities()->strGuidToHex($username); + $filter = "objectguid=" . $username; + } + else if (strstr($username, "@")) { + $filter = "userPrincipalName=" . $username; + } + else { + $filter = "samaccountname=" . $username; + } + $filter = "(&(objectCategory=person)({$filter}))"; + if ($fields === NULL) { + $fields = array("samaccountname","mail","memberof","department","displayname","telephonenumber","primarygroupid","objectsid"); + } + if (!in_array("objectsid", $fields)) { + $fields[] = "objectsid"; + } + $sr = ldap_search($this->adldap->getLdapConnection(), $this->adldap->getBaseDn(), $filter, $fields); + $entries = ldap_get_entries($this->adldap->getLdapConnection(), $sr); + + if (isset($entries[0])) { + if ($entries[0]['count'] >= 1) { + if (in_array("memberof", $fields)) { + // AD does not return the primary group in the ldap query, we may need to fudge it + if ($this->adldap->getRealPrimaryGroup() && isset($entries[0]["primarygroupid"][0]) && isset($entries[0]["objectsid"][0])){ + //$entries[0]["memberof"][]=$this->group_cn($entries[0]["primarygroupid"][0]); + $entries[0]["memberof"][] = $this->adldap->group()->getPrimaryGroup($entries[0]["primarygroupid"][0], $entries[0]["objectsid"][0]); + } else { + $entries[0]["memberof"][] = "CN=Domain Users,CN=Users," . $this->adldap->getBaseDn(); + } + if (!isset($entries[0]["memberof"]["count"])) { + $entries[0]["memberof"]["count"] = 0; + } + $entries[0]["memberof"]["count"]++; + } + } + + return $entries; + } + return false; + } + + /** + * Find information about the users. Returned in a raw array format from AD + * + * @param string $username The username to query + * @param array $fields Array of parameters to query + * @param bool $isGUID Is the username passed a GUID or a samAccountName + * @return mixed + */ + public function infoCollection($username, $fields = NULL, $isGUID = false) + { + if ($username === NULL) { return false; } + if (!$this->adldap->getLdapBind()) { return false; } + + $info = $this->info($username, $fields, $isGUID); + + if ($info !== false) { + $collection = new adLDAPUserCollection($info, $this->adldap); + return $collection; + } + return false; + } + + /** + * Determine if a user is in a specific group + * + * @param string $username The username to query + * @param string $group The name of the group to check against + * @param bool $recursive Check groups recursively + * @param bool $isGUID Is the username passed a GUID or a samAccountName + * @return bool + */ + public function inGroup($username, $group, $recursive = NULL, $isGUID = false) + { + if ($username === NULL) { return false; } + if ($group === NULL) { return false; } + if (!$this->adldap->getLdapBind()) { return false; } + if ($recursive === NULL) { $recursive = $this->adldap->getRecursiveGroups(); } // Use the default option if they haven't set it + + // Get a list of the groups + $groups = $this->groups($username, $recursive, $isGUID); + + // Return true if the specified group is in the group list + if (in_array($group, $groups)) { + return true; + } + + return false; + } + + /** + * Determine a user's password expiry date + * + * @param string $username The username to query + * @param book $isGUID Is the username passed a GUID or a samAccountName + * @requires bcmath http://www.php.net/manual/en/book.bc.php + * @return array + */ + public function passwordExpiry($username, $isGUID = false) + { + if ($username === NULL) { return "Missing compulsory field [username]"; } + if (!$this->adldap->getLdapBind()) { return false; } + if (!function_exists('bcmod')) { throw new adLDAPException("Missing function support [bcmod] http://www.php.net/manual/en/book.bc.php"); }; + + $userInfo = $this->info($username, array("pwdlastset", "useraccountcontrol"), $isGUID); + $pwdLastSet = $userInfo[0]['pwdlastset'][0]; + $status = array(); + + if ($userInfo[0]['useraccountcontrol'][0] == '66048') { + // Password does not expire + return "Does not expire"; + } + if ($pwdLastSet === '0') { + // Password has already expired + return "Password has expired"; + } + + // Password expiry in AD can be calculated from TWO values: + // - User's own pwdLastSet attribute: stores the last time the password was changed + // - Domain's maxPwdAge attribute: how long passwords last in the domain + // + // Although Microsoft chose to use a different base and unit for time measurements. + // This function will convert them to Unix timestamps + $sr = ldap_read($this->adldap->getLdapConnection(), $this->adldap->getBaseDn(), 'objectclass=*', array('maxPwdAge')); + if (!$sr) { + return false; + } + $info = ldap_get_entries($this->adldap->getLdapConnection(), $sr); + $maxPwdAge = $info[0]['maxpwdage'][0]; + + + // See MSDN: http://msdn.microsoft.com/en-us/library/ms974598.aspx + // + // pwdLastSet contains the number of 100 nanosecond intervals since January 1, 1601 (UTC), + // stored in a 64 bit integer. + // + // The number of seconds between this date and Unix epoch is 11644473600. + // + // maxPwdAge is stored as a large integer that represents the number of 100 nanosecond + // intervals from the time the password was set before the password expires. + // + // We also need to scale this to seconds but also this value is a _negative_ quantity! + // + // If the low 32 bits of maxPwdAge are equal to 0 passwords do not expire + // + // Unfortunately the maths involved are too big for PHP integers, so I've had to require + // BCMath functions to work with arbitrary precision numbers. + if (bcmod($maxPwdAge, 4294967296) === '0') { + return "Domain does not expire passwords"; + } + + // Add maxpwdage and pwdlastset and we get password expiration time in Microsoft's + // time units. Because maxpwd age is negative we need to subtract it. + $pwdExpire = bcsub($pwdLastSet, $maxPwdAge); + + // Convert MS's time to Unix time + $status['expiryts'] = bcsub(bcdiv($pwdExpire, '10000000'), '11644473600'); + $status['expiryformat'] = date('Y-m-d H:i:s', bcsub(bcdiv($pwdExpire, '10000000'), '11644473600')); + + return $status; + } + + /** + * Modify a user + * + * @param string $username The username to query + * @param array $attributes The attributes to modify. Note if you set the enabled attribute you must not specify any other attributes + * @param bool $isGUID Is the username passed a GUID or a samAccountName + * @return bool + */ + public function modify($username, $attributes, $isGUID = false) + { + if ($username === NULL) { return "Missing compulsory field [username]"; } + if (array_key_exists("password", $attributes) && !$this->adldap->getUseSSL() && !$this->adldap->getUseTLS()) { + throw new adLDAPException('SSL/TLS must be configured on your webserver and enabled in the class to set passwords.'); + } + + // Find the dn of the user + $userDn = $this->dn($username, $isGUID); + if ($userDn === false) { + return false; + } + + // Translate the update to the LDAP schema + $mod = $this->adldap->adldap_schema($attributes); + + // Check to see if this is an enabled status update + if (!$mod && !array_key_exists("enabled", $attributes)){ + return false; + } + + // Set the account control attribute (only if specified) + if (array_key_exists("enabled", $attributes)){ + if ($attributes["enabled"]){ + $controlOptions = array("NORMAL_ACCOUNT"); + } + else { + $controlOptions = array("NORMAL_ACCOUNT", "ACCOUNTDISABLE"); + } + $mod["userAccountControl"][0] = $this->accountControl($controlOptions); + } + + // Do the update + $result = @ldap_modify($this->adldap->getLdapConnection(), $userDn, $mod); + if ($result == false) { + return false; + } + + return true; + } + + /** + * Disable a user account + * + * @param string $username The username to disable + * @param bool $isGUID Is the username passed a GUID or a samAccountName + * @return bool + */ + public function disable($username, $isGUID = false) + { + if ($username === NULL) { return "Missing compulsory field [username]"; } + $attributes = array("enabled" => 0); + $result = $this->modify($username, $attributes, $isGUID); + if ($result == false) { return false; } + + return true; + } + + /** + * Enable a user account + * + * @param string $username The username to enable + * @param bool $isGUID Is the username passed a GUID or a samAccountName + * @return bool + */ + public function enable($username, $isGUID = false) + { + if ($username === NULL) { return "Missing compulsory field [username]"; } + $attributes = array("enabled" => 1); + $result = $this->modify($username, $attributes, $isGUID); + if ($result == false) { return false; } + + return true; + } + + /** + * Set the password of a user - This must be performed over SSL + * + * @param string $username The username to modify + * @param string $password The new password + * @param bool $isGUID Is the username passed a GUID or a samAccountName + * @return bool + */ + public function password($username, $password, $isGUID = false) + { + if ($username === NULL) { return false; } + if ($password === NULL) { return false; } + if (!$this->adldap->getLdapBind()) { return false; } + if (!$this->adldap->getUseSSL() && !$this->adldap->getUseTLS()) { + throw new adLDAPException('SSL must be configured on your webserver and enabled in the class to set passwords.'); + } + + $userDn = $this->dn($username, $isGUID); + if ($userDn === false) { + return false; + } + + $add=array(); + $add["unicodePwd"][0] = $this->encodePassword($password); + + $result = @ldap_mod_replace($this->adldap->getLdapConnection(), $userDn, $add); + if ($result === false){ + $err = ldap_errno($this->adldap->getLdapConnection()); + if ($err) { + $msg = 'Error ' . $err . ': ' . ldap_err2str($err) . '.'; + if($err == 53) { + $msg .= ' Your password might not match the password policy.'; + } + throw new adLDAPException($msg); + } + else { + return false; + } + } + + return true; + } + + /** + * Encode a password for transmission over LDAP + * + * @param string $password The password to encode + * @return string + */ + public function encodePassword($password) + { + $password="\"".$password."\""; + $encoded=""; + for ($i=0; $i info($username, array("cn"), $isGUID); + if ($user[0]["dn"] === NULL) { + return false; + } + $userDn = $user[0]["dn"]; + return $userDn; + } + + /** + * Return a list of all users in AD + * + * @param bool $includeDescription Return a description of the user + * @param string $search Search parameter + * @param bool $sorted Sort the user accounts + * @return array + */ + public function all($includeDescription = false, $search = "*", $sorted = true) + { + if (!$this->adldap->getLdapBind()) { return false; } + + // Perform the search and grab all their details + $filter = "(&(objectClass=user)(samaccounttype=" . adLDAP::ADLDAP_NORMAL_ACCOUNT .")(objectCategory=person)(cn=" . $search . "))"; + $fields = array("samaccountname","displayname"); + $sr = ldap_search($this->adldap->getLdapConnection(), $this->adldap->getBaseDn(), $filter, $fields); + $entries = ldap_get_entries($this->adldap->getLdapConnection(), $sr); + + $usersArray = array(); + for ($i=0; $i<$entries["count"]; $i++){ + if ($includeDescription && strlen($entries[$i]["displayname"][0])>0){ + $usersArray[$entries[$i]["samaccountname"][0]] = $entries[$i]["displayname"][0]; + } elseif ($includeDescription){ + $usersArray[$entries[$i]["samaccountname"][0]] = $entries[$i]["samaccountname"][0]; + } else { + array_push($usersArray, $entries[$i]["samaccountname"][0]); + } + } + if ($sorted) { + asort($usersArray); + } + return $usersArray; + } + + /** + * Converts a username (samAccountName) to a GUID + * + * @param string $username The username to query + * @return string + */ + public function usernameToGuid($username) + { + if (!$this->adldap->getLdapBind()){ return false; } + if ($username === null){ return "Missing compulsory field [username]"; } + + $filter = "samaccountname=" . $username; + $fields = array("objectGUID"); + $sr = @ldap_search($this->adldap->getLdapConnection(), $this->adldap->getBaseDn(), $filter, $fields); + if (ldap_count_entries($this->adldap->getLdapConnection(), $sr) > 0) { + $entry = @ldap_first_entry($this->adldap->getLdapConnection(), $sr); + $guid = @ldap_get_values_len($this->adldap->getLdapConnection(), $entry, 'objectGUID'); + $strGUID = $this->adldap->utilities()->binaryToText($guid[0]); + return $strGUID; + } + return false; + } + + /** + * Return a list of all users in AD that have a specific value in a field + * + * @param bool $includeDescription Return a description of the user + * @param string $searchField Field to search search for + * @param string $searchFilter Value to search for in the specified field + * @param bool $sorted Sort the user accounts + * @return array + */ + public function find($includeDescription = false, $searchField = false, $searchFilter = false, $sorted = true){ + if (!$this->adldap->getLdapBind()){ return false; } + + // Perform the search and grab all their details + $searchParams = ""; + if ($searchField) { + $searchParams = "(" . $searchField . "=" . $searchFilter . ")"; + } + $filter = "(&(objectClass=user)(samaccounttype=" . adLDAP::ADLDAP_NORMAL_ACCOUNT .")(objectCategory=person)" . $searchParams . ")"; + $fields = array("samaccountname","displayname"); + $sr = ldap_search($this->adldap->getLdapConnection(), $this->adldap->getBaseDn(), $filter, $fields); + $entries = ldap_get_entries($this->adldap->getLdapConnection(), $sr); + + $usersArray = array(); + for ($i=0; $i < $entries["count"]; $i++) { + if ($includeDescription && strlen($entries[$i]["displayname"][0]) > 0) { + $usersArray[$entries[$i]["samaccountname"][0]] = $entries[$i]["displayname"][0]; + } + else if ($includeDescription) { + $usersArray[$entries[$i]["samaccountname"][0]] = $entries[$i]["samaccountname"][0]; + } + else { + array_push($usersArray, $entries[$i]["samaccountname"][0]); + } + } + if ($sorted){ + asort($usersArray); + } + return ($usersArray); + } + + /** + * Move a user account to a different OU + * + * @param string $username The username to move (please be careful here!) + * @param array $container The container or containers to move the user to (please be careful here!). + * accepts containers in 1. parent 2. child order + * @return array + */ + public function move($username, $container) + { + if (!$this->adldap->getLdapBind()) { return false; } + if ($username === null) { return "Missing compulsory field [username]"; } + if ($container === null) { return "Missing compulsory field [container]"; } + if (!is_array($container)) { return "Container must be an array"; } + + $userInfo = $this->info($username, array("*")); + $dn = $userInfo[0]['distinguishedname'][0]; + $newRDn = "cn=" . $username; + $container = array_reverse($container); + $newContainer = "ou=" . implode(",ou=",$container); + $newBaseDn = strtolower($newContainer) . "," . $this->adldap->getBaseDn(); + $result = @ldap_rename($this->adldap->getLdapConnection(), $dn, $newRDn, $newBaseDn, true); + if ($result !== true) { + return false; + } + return true; + } + + /** + * Get the last logon time of any user as a Unix timestamp + * + * @param string $username + * @return long $unixTimestamp + */ + public function getLastLogon($username) { + if (!$this->adldap->getLdapBind()) { return false; } + if ($username === null) { return "Missing compulsory field [username]"; } + $userInfo = $this->info($username, array("lastLogonTimestamp")); + $lastLogon = adLDAPUtils::convertWindowsTimeToUnixTime($userInfo[0]['lastLogonTimestamp'][0]); + return $lastLogon; + } + +} +?> diff --git a/lib/plugins/authad/adLDAP/classes/adLDAPUtils.php b/lib/plugins/authad/adLDAP/classes/adLDAPUtils.php index f039a4290..5e8644188 100644 --- a/lib/plugins/authad/adLDAP/classes/adLDAPUtils.php +++ b/lib/plugins/authad/adLDAP/classes/adLDAPUtils.php @@ -1,264 +1,264 @@ -adldap = $adldap; - } - - - /** - * Take an LDAP query and return the nice names, without all the LDAP prefixes (eg. CN, DN) - * - * @param array $groups - * @return array - */ - public function niceNames($groups) - { - - $groupArray = array(); - for ($i=0; $i<$groups["count"]; $i++){ // For each group - $line = $groups[$i]; - - if (strlen($line)>0) { - // More presumptions, they're all prefixed with CN= - // so we ditch the first three characters and the group - // name goes up to the first comma - $bits=explode(",", $line); - $groupArray[] = substr($bits[0], 3, (strlen($bits[0])-3)); - } - } - return $groupArray; - } - - /** - * Escape characters for use in an ldap_create function - * - * @param string $str - * @return string - */ - public function escapeCharacters($str) { - $str = str_replace(",", "\,", $str); - return $str; - } - - /** - * Escape strings for the use in LDAP filters - * - * DEVELOPERS SHOULD BE DOING PROPER FILTERING IF THEY'RE ACCEPTING USER INPUT - * Ported from Perl's Net::LDAP::Util escape_filter_value - * - * @param string $str The string the parse - * @author Port by Andreas Gohr - * @return string - */ - public function ldapSlashes($str){ - return preg_replace('/([\x00-\x1F\*\(\)\\\\])/e', - '"\\\\\".join("",unpack("H2","$1"))', - $str); - } - - /** - * Converts a string GUID to a hexdecimal value so it can be queried - * - * @param string $strGUID A string representation of a GUID - * @return string - */ - public function strGuidToHex($strGUID) - { - $strGUID = str_replace('-', '', $strGUID); - - $octet_str = '\\' . substr($strGUID, 6, 2); - $octet_str .= '\\' . substr($strGUID, 4, 2); - $octet_str .= '\\' . substr($strGUID, 2, 2); - $octet_str .= '\\' . substr($strGUID, 0, 2); - $octet_str .= '\\' . substr($strGUID, 10, 2); - $octet_str .= '\\' . substr($strGUID, 8, 2); - $octet_str .= '\\' . substr($strGUID, 14, 2); - $octet_str .= '\\' . substr($strGUID, 12, 2); - //$octet_str .= '\\' . substr($strGUID, 16, strlen($strGUID)); - for ($i=16; $i<=(strlen($strGUID)-2); $i++) { - if (($i % 2) == 0) { - $octet_str .= '\\' . substr($strGUID, $i, 2); - } - } - - return $octet_str; - } - - /** - * Convert a binary SID to a text SID - * - * @param string $binsid A Binary SID - * @return string - */ - public function getTextSID($binsid) { - $hex_sid = bin2hex($binsid); - $rev = hexdec(substr($hex_sid, 0, 2)); - $subcount = hexdec(substr($hex_sid, 2, 2)); - $auth = hexdec(substr($hex_sid, 4, 12)); - $result = "$rev-$auth"; - - for ($x=0;$x < $subcount; $x++) { - $subauth[$x] = - hexdec($this->littleEndian(substr($hex_sid, 16 + ($x * 8), 8))); - $result .= "-" . $subauth[$x]; - } - - // Cheat by tacking on the S- - return 'S-' . $result; - } - - /** - * Converts a little-endian hex number to one that hexdec() can convert - * - * @param string $hex A hex code - * @return string - */ - public function littleEndian($hex) - { - $result = ''; - for ($x = strlen($hex) - 2; $x >= 0; $x = $x - 2) { - $result .= substr($hex, $x, 2); - } - return $result; - } - - /** - * Converts a binary attribute to a string - * - * @param string $bin A binary LDAP attribute - * @return string - */ - public function binaryToText($bin) - { - $hex_guid = bin2hex($bin); - $hex_guid_to_guid_str = ''; - for($k = 1; $k <= 4; ++$k) { - $hex_guid_to_guid_str .= substr($hex_guid, 8 - 2 * $k, 2); - } - $hex_guid_to_guid_str .= '-'; - for($k = 1; $k <= 2; ++$k) { - $hex_guid_to_guid_str .= substr($hex_guid, 12 - 2 * $k, 2); - } - $hex_guid_to_guid_str .= '-'; - for($k = 1; $k <= 2; ++$k) { - $hex_guid_to_guid_str .= substr($hex_guid, 16 - 2 * $k, 2); - } - $hex_guid_to_guid_str .= '-' . substr($hex_guid, 16, 4); - $hex_guid_to_guid_str .= '-' . substr($hex_guid, 20); - return strtoupper($hex_guid_to_guid_str); - } - - /** - * Converts a binary GUID to a string GUID - * - * @param string $binaryGuid The binary GUID attribute to convert - * @return string - */ - public function decodeGuid($binaryGuid) - { - if ($binaryGuid === null){ return "Missing compulsory field [binaryGuid]"; } - - $strGUID = $this->binaryToText($binaryGuid); - return $strGUID; - } - - /** - * Convert a boolean value to a string - * You should never need to call this yourself - * - * @param bool $bool Boolean value - * @return string - */ - public function boolToStr($bool) - { - return ($bool) ? 'TRUE' : 'FALSE'; - } - - /** - * Convert 8bit characters e.g. accented characters to UTF8 encoded characters - */ - public function encode8Bit(&$item, $key) { - $encode = false; - if (is_string($item)) { - for ($i=0; $i> 7) { - $encode = true; - } - } - } - if ($encode === true && $key != 'password') { - $item = utf8_encode($item); - } - } - - /** - * Get the current class version number - * - * @return string - */ - public function getVersion() { - return self::ADLDAP_VERSION; - } - - /** - * Round a Windows timestamp down to seconds and remove the seconds between 1601-01-01 and 1970-01-01 - * - * @param long $windowsTime - * @return long $unixTime - */ - public static function convertWindowsTimeToUnixTime($windowsTime) { - $unixTime = round($windowsTime / 10000000) - 11644477200; - return $unixTime; - } -} - +adldap = $adldap; + } + + + /** + * Take an LDAP query and return the nice names, without all the LDAP prefixes (eg. CN, DN) + * + * @param array $groups + * @return array + */ + public function niceNames($groups) + { + + $groupArray = array(); + for ($i=0; $i<$groups["count"]; $i++){ // For each group + $line = $groups[$i]; + + if (strlen($line)>0) { + // More presumptions, they're all prefixed with CN= + // so we ditch the first three characters and the group + // name goes up to the first comma + $bits=explode(",", $line); + $groupArray[] = substr($bits[0], 3, (strlen($bits[0])-3)); + } + } + return $groupArray; + } + + /** + * Escape characters for use in an ldap_create function + * + * @param string $str + * @return string + */ + public function escapeCharacters($str) { + $str = str_replace(",", "\,", $str); + return $str; + } + + /** + * Escape strings for the use in LDAP filters + * + * DEVELOPERS SHOULD BE DOING PROPER FILTERING IF THEY'RE ACCEPTING USER INPUT + * Ported from Perl's Net::LDAP::Util escape_filter_value + * + * @param string $str The string the parse + * @author Port by Andreas Gohr + * @return string + */ + public function ldapSlashes($str){ + return preg_replace('/([\x00-\x1F\*\(\)\\\\])/e', + '"\\\\\".join("",unpack("H2","$1"))', + $str); + } + + /** + * Converts a string GUID to a hexdecimal value so it can be queried + * + * @param string $strGUID A string representation of a GUID + * @return string + */ + public function strGuidToHex($strGUID) + { + $strGUID = str_replace('-', '', $strGUID); + + $octet_str = '\\' . substr($strGUID, 6, 2); + $octet_str .= '\\' . substr($strGUID, 4, 2); + $octet_str .= '\\' . substr($strGUID, 2, 2); + $octet_str .= '\\' . substr($strGUID, 0, 2); + $octet_str .= '\\' . substr($strGUID, 10, 2); + $octet_str .= '\\' . substr($strGUID, 8, 2); + $octet_str .= '\\' . substr($strGUID, 14, 2); + $octet_str .= '\\' . substr($strGUID, 12, 2); + //$octet_str .= '\\' . substr($strGUID, 16, strlen($strGUID)); + for ($i=16; $i<=(strlen($strGUID)-2); $i++) { + if (($i % 2) == 0) { + $octet_str .= '\\' . substr($strGUID, $i, 2); + } + } + + return $octet_str; + } + + /** + * Convert a binary SID to a text SID + * + * @param string $binsid A Binary SID + * @return string + */ + public function getTextSID($binsid) { + $hex_sid = bin2hex($binsid); + $rev = hexdec(substr($hex_sid, 0, 2)); + $subcount = hexdec(substr($hex_sid, 2, 2)); + $auth = hexdec(substr($hex_sid, 4, 12)); + $result = "$rev-$auth"; + + for ($x=0;$x < $subcount; $x++) { + $subauth[$x] = + hexdec($this->littleEndian(substr($hex_sid, 16 + ($x * 8), 8))); + $result .= "-" . $subauth[$x]; + } + + // Cheat by tacking on the S- + return 'S-' . $result; + } + + /** + * Converts a little-endian hex number to one that hexdec() can convert + * + * @param string $hex A hex code + * @return string + */ + public function littleEndian($hex) + { + $result = ''; + for ($x = strlen($hex) - 2; $x >= 0; $x = $x - 2) { + $result .= substr($hex, $x, 2); + } + return $result; + } + + /** + * Converts a binary attribute to a string + * + * @param string $bin A binary LDAP attribute + * @return string + */ + public function binaryToText($bin) + { + $hex_guid = bin2hex($bin); + $hex_guid_to_guid_str = ''; + for($k = 1; $k <= 4; ++$k) { + $hex_guid_to_guid_str .= substr($hex_guid, 8 - 2 * $k, 2); + } + $hex_guid_to_guid_str .= '-'; + for($k = 1; $k <= 2; ++$k) { + $hex_guid_to_guid_str .= substr($hex_guid, 12 - 2 * $k, 2); + } + $hex_guid_to_guid_str .= '-'; + for($k = 1; $k <= 2; ++$k) { + $hex_guid_to_guid_str .= substr($hex_guid, 16 - 2 * $k, 2); + } + $hex_guid_to_guid_str .= '-' . substr($hex_guid, 16, 4); + $hex_guid_to_guid_str .= '-' . substr($hex_guid, 20); + return strtoupper($hex_guid_to_guid_str); + } + + /** + * Converts a binary GUID to a string GUID + * + * @param string $binaryGuid The binary GUID attribute to convert + * @return string + */ + public function decodeGuid($binaryGuid) + { + if ($binaryGuid === null){ return "Missing compulsory field [binaryGuid]"; } + + $strGUID = $this->binaryToText($binaryGuid); + return $strGUID; + } + + /** + * Convert a boolean value to a string + * You should never need to call this yourself + * + * @param bool $bool Boolean value + * @return string + */ + public function boolToStr($bool) + { + return ($bool) ? 'TRUE' : 'FALSE'; + } + + /** + * Convert 8bit characters e.g. accented characters to UTF8 encoded characters + */ + public function encode8Bit(&$item, $key) { + $encode = false; + if (is_string($item)) { + for ($i=0; $i> 7) { + $encode = true; + } + } + } + if ($encode === true && $key != 'password') { + $item = utf8_encode($item); + } + } + + /** + * Get the current class version number + * + * @return string + */ + public function getVersion() { + return self::ADLDAP_VERSION; + } + + /** + * Round a Windows timestamp down to seconds and remove the seconds between 1601-01-01 and 1970-01-01 + * + * @param long $windowsTime + * @return long $unixTime + */ + public static function convertWindowsTimeToUnixTime($windowsTime) { + $unixTime = round($windowsTime / 10000000) - 11644477200; + return $unixTime; + } +} + ?> \ No newline at end of file -- cgit v1.2.3