
ActiveDirectory.php 5.3KB

  1. <?php
  2. /*
  3. * $Id: ActiveDirectory.php 501 2013-07-11 17:44:37Z imooreyahoo@gmail.com $
  4. * Experimental!
  5. */
  6. class phpvbAuthActiveDirectory implements phpvbAuth {
  7. var $capabilities = array(
  8. 'canChangePassword' => false,
  9. 'canLogout' => true
  10. );
  11. var $config = array(
  12. 'host' => '127.0.0.1',
  13. 'admin_group' => null,
  14. 'adminUser' => null,
  15. 'user_group' => null,
  16. 'container' => 'CN=Users',
  17. 'domain' => 'internal.local',
  18. 'filter' => '(&(objectclass=User)(objectCategory=Person))'
  19. );
  20. /**
  21. * Constructor
  22. * @param array $userConfig - user configuration for this module
  23. */
  24. function phpvbAuthActiveDirectory($userConfig = null) {
  25. // Merge user config
  26. if($userConfig) {
  27. $this->config = array_merge($this->config,$userConfig);
  28. }
  29. }
  30. /**
  31. * Test log in and set $_SESSION vars
  32. * @param string $username
  33. * @param string $password
  34. * @see phpvbAuth::login()
  35. */
  36. function login($username, $password)
  37. {
  38. global $_SESSION;
  39. /*
  40. * Check for LDAP functionality and provide some direction
  41. */
  42. if(!function_exists('ldap_connect')) {
  43. $ex = 'LDAP support is not enabled in your PHP configuration.';
  44. if(strtolower(substr(PHP_OS, 0, 3)) == 'win') {
  45. ob_start();
  46. phpinfo(INFO_GENERAL);
  47. $phpinfo = ob_get_contents();
  48. ob_end_clean();
  49. preg_match('/Loaded Configuration File <\/td><td.*?>(.*?)\s*</', $phpinfo, $phpinfo);
  50. $ex .= ' You probably just need to uncomment the line ;extension=php_ldap.dll in php.ini'.
  51. (count($phpinfo) > 1 ? ' (' .trim($phpinfo[1]).')' : '') . ' by removing the ";" and restart your web server.';
  52. } else if(strtolower(substr(PHP_OS, 0, 5)) == 'Linux') {
  53. $ex .= ' You probably need to install the php5-ldap (or similar depending on your distribution) package and restart your web server.';
  54. }
  55. throw new Exception($ex);
  56. }
  57. $_SESSION['valid'] = false;
  58. // Connect to server
  59. if(!($auth = ldap_connect($this->config['host']))) {
  60. throw new Exception('Active Directory error ('.ldap_errno($auth).') ' . ldap_error($auth));
  61. }
  62. // Set relevant LDAP options
  63. ldap_set_option($auth,LDAP_OPT_PROTOCOL_VERSION, 3);
  64. // Main login /bind
  65. if(!($bind = @ldap_bind($auth, $username . "@" .$this->config['domain'], $password))) {
  66. if(ldap_errno($auth) == 49) return false;
  67. throw new Exception('Active Directory error ('.ldap_errno($auth).') ' . ldap_error($auth));
  68. }
  69. // Get user information from AD
  70. ////////////////////////////////////
  71. // Set filter and sanitize username before sending it to AD
  72. $filter = "(sAMAccountName=" .
  73. str_replace(array(',','=','+','<','>',';','\\','"','#','(',')','*',chr(0)), '', $username) . ")";
  74. if($this->config['filter'] && false) {
  75. $filter = '(&'. $this->config['filter'] .' ('. $filter .'))';
  76. }
  77. $result = @ldap_search($auth,
  78. $this->config['container'] . ',DC=' . join(',DC=', explode('.', $this->config['domain'])),
  79. $filter, array("memberof","useraccountcontrol"));
  80. if(!result) throw new Exception ("Unable to search Active Directory server: " . ldap_error($auth));
  81. @list($entries) = @ldap_get_entries($auth, $result);
  82. @ldap_unbind($auth);
  83. if(!$entries) {
  84. throw new Exception("Permission denied");
  85. }
  86. // Check for disabled user
  87. if((intval($entries['useraccountcontrol'][0]) & 2)) {
  88. throw new Exception('This account is disabled in Active Directory.');
  89. }
  90. // check for valid admin group
  91. if($this->config['admin_group']) {
  92. foreach($entries['memberof'] as $group) {
  93. list($group) = explode(',', $group);
  94. if(strtolower($group) == strtolower('cn='.$this->config['admin_group'])) {
  95. $_SESSION['admin'] = $_SESSION['valid'] = true;
  96. break;
  97. }
  98. }
  99. }
  100. // Admin user explicitly set?
  101. if(!$_SESSION['admin'] && $this->config['adminUser']) {
  102. $_SESSION['admin'] = (strtolower($this->config['adminUser']) == strtolower($username));
  103. // Admin is ok
  104. $_SESSION['valid'] = ($_SESSION['admin'] || $_SESSION['valid']);
  105. }
  106. // check for valid user group
  107. if($this->config['user_group'] && !$_SESSION['valid']) {
  108. foreach($entries['memberof'] as $group) {
  109. list($group) = explode(',', $group);
  110. if(strtolower($group) == strtolower('cn='.$this->config['user_group'])) {
  111. $_SESSION['valid'] = true;
  112. break;
  113. }
  114. }
  115. } else {
  116. $_SESSION['valid'] = true;
  117. }
  118. if(!$_SESSION['valid'])
  119. throw new Exception("Permission denied");
  120. // Admin user explicitly set?
  121. if(!$_SESSION['admin'] && $this->config['adminUser']) {
  122. $_SESSION['admin'] = (strtolower($this->config['adminUser']) == strtolower($username));
  123. }
  124. // No admin information specified makes everyone an admin
  125. if(!$this->config['adminUser'] && !$this->config['admin_group'])
  126. $_SESSION['admin'] = true;
  127. // user has permission. establish session variables
  128. $_SESSION['user'] = $username;
  129. $_SESSION['authCheckHeartbeat'] = time();
  130. return true;
  131. }
  132. function heartbeat($vbox)
  133. {
  134. global $_SESSION;
  135. $_SESSION['valid'] = true;
  136. $_SESSION['authCheckHeartbeat'] = time();
  137. }
  138. function changePassword($old, $new)
  139. {
  140. }
  141. function logout(&$response)
  142. {
  143. global $_SESSION;
  144. if(function_exists('session_destroy')) session_destroy();
  145. else unset($_SESSION['valid']);
  146. $response['data']['result'] = 1;
  147. }
  148. function listUsers()
  149. {
  150. }
  151. function updateUser($vboxRequest, $skipExistCheck)
  152. {
  153. }
  154. function deleteUser($user)
  155. {
  156. }
  157. }