robin.thoni
/
docker-roundcube-server
Watch 1
Star 0
Fork 0
Code Issues 0 Pull Requests 0 Releases 10 Wiki Activity
You can not select more than 25 topics Topics must start with a letter or number, can include dashes ('-') and can be up to 35 characters long.
24 Commits
2 Branches
Tree: ad3f0fe5b1
Branches Tags
${ item.name }
Create branch ${ searchTerm }
from 'ad3f0fe5b1'
${ noResults }
docker-roundcube-server/roundcube/roundcubemail-1.3.6/plugins/password/drivers/ldap_simple.php

ldap_simple.php 7.4KB
History Raw

123456789101112131415161718192021222324252627282930313233343536373839404142434445464748495051525354555657585960616263646566676869707172737475767778798081828384858687888990919293949596979899100101102103104105106107108109110111112113114115116117118119120121122123124125126127128129130131132133134135136137138139140141142143144145146147148149150151152153154155156157158159160161162163164165166167168169170171172173174175176177178179180181182183184185186187188189190191192193194195196197198199200201202203204205206207208209210211212213214215216217218219220221222223224225226227228229230231232233234235236237238239240241242243244245 
  1. <?php

  2. 

  3. /**

  4.  * Simple LDAP Password Driver

  5.  *

  6.  * Driver for passwords stored in LDAP

  7.  * This driver is based on Edouard's LDAP Password Driver, but does not

  8.  * require PEAR's Net_LDAP2 to be installed

  9.  *

  10.  * @version 2.0

  11.  * @author Wout Decre <wout@canodus.be>

  12.  * @author Aleksander Machniak <machniak@kolabsys.com>

  13.  *

  14.  * Copyright (C) 2005-2014, The Roundcube Dev Team

  15.  *

  16.  * This program is free software: you can redistribute it and/or modify

  17.  * it under the terms of the GNU General Public License as published by

  18.  * the Free Software Foundation, either version 3 of the License, or

  19.  * (at your option) any later version.

  20.  *

  21.  * This program is distributed in the hope that it will be useful,

  22.  * but WITHOUT ANY WARRANTY; without even the implied warranty of

  23.  * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the

  24.  * GNU General Public License for more details.

  25.  *

  26.  * You should have received a copy of the GNU General Public License

  27.  * along with this program. If not, see http://www.gnu.org/licenses/.

  28.  */

  29. 

  30. class rcube_ldap_simple_password

  31. {

  32.     private $debug = false;

  33. 

  34.     function save($curpass, $passwd)

  35.     {

  36.         $rcmail = rcmail::get_instance();

  37. 

  38.         $this->debug = $rcmail->config->get('ldap_debug');

  39. 

  40.         $ldap_host = $rcmail->config->get('password_ldap_host', 'localhost');

  41.         $ldap_port = $rcmail->config->get('password_ldap_port', '389');

  42. 

  43.         $this->_debug("C: Connect to $ldap_host:$ldap_port");

  44. 

  45.         // Connect

  46.         if (!$ds = ldap_connect($ldap_host, $ldap_port)) {

  47.             $this->_debug("S: NOT OK");

  48. 

  49.             rcube::raise_error(array(

  50.                     'code' => 100, 'type' => 'ldap',

  51.                     'file' => __FILE__, 'line' => __LINE__,

  52.                     'message' => "Could not connect to LDAP server"

  53.                 ),

  54.                 true);

  55. 

  56.             return PASSWORD_CONNECT_ERROR;

  57.         }

  58. 

  59.         $this->_debug("S: OK");

  60. 

  61.         // Set protocol version

  62.         ldap_set_option($ds, LDAP_OPT_PROTOCOL_VERSION,

  63.             $rcmail->config->get('password_ldap_version', '3'));

  64. 

  65.         // Start TLS

  66.         if ($rcmail->config->get('password_ldap_starttls')) {

  67.             if (!ldap_start_tls($ds)) {

  68.                 ldap_unbind($ds);

  69.                 return PASSWORD_CONNECT_ERROR;

  70.             }

  71.         }

  72. 

  73.         // include 'ldap' driver, we share some static methods with it

  74.         require_once INSTALL_PATH . 'plugins/password/drivers/ldap.php';

  75. 

  76.         // other plugins might want to modify user DN

  77.         $plugin = $rcmail->plugins->exec_hook('password_ldap_bind', array(

  78.             'user_dn' => '', 'conn' => $ds));

  79. 

  80.         // Build user DN

  81.         if (!empty($plugin['user_dn'])) {

  82.             $user_dn = $plugin['user_dn'];

  83.         }

  84.         else if ($user_dn = $rcmail->config->get('password_ldap_userDN_mask')) {

  85.             $user_dn = rcube_ldap_password::substitute_vars($user_dn);

  86.         }

  87.         else {

  88.             $user_dn = $this->search_userdn($rcmail, $ds);

  89.         }

  90. 

  91.         if (empty($user_dn)) {

  92.             ldap_unbind($ds);

  93.             return PASSWORD_CONNECT_ERROR;

  94.         }

  95. 

  96.         // Connection method

  97.         switch ($rcmail->config->get('password_ldap_method')) {

  98.         case 'admin':

  99.             $binddn = $rcmail->config->get('password_ldap_adminDN');

  100.             $bindpw = $rcmail->config->get('password_ldap_adminPW');

  101.             break;

  102.         case 'user':

  103.         default:

  104.             $binddn = $user_dn;

  105.             $bindpw = $curpass;

  106.             break;

  107.         }

  108. 

  109.         $lchattr      = $rcmail->config->get('password_ldap_lchattr');

  110.         $pwattr       = $rcmail->config->get('password_ldap_pwattr', 'userPassword');

  111.         $smbpwattr    = $rcmail->config->get('password_ldap_samba_pwattr');

  112.         $smblchattr   = $rcmail->config->get('password_ldap_samba_lchattr');

  113.         $samba        = $rcmail->config->get('password_ldap_samba');

  114.         $pass_mode    = $rcmail->config->get('password_ldap_encodage', 'crypt');

  115.         $crypted_pass = password::hash_password($passwd, $pass_mode);

  116. 

  117.         // Support password_ldap_samba option for backward compat.

  118.         if ($samba && !$smbpwattr) {

  119.             $smbpwattr  = 'sambaNTPassword';

  120.             $smblchattr = 'sambaPwdLastSet';

  121.         }

  122. 

  123.         // Crypt new password

  124.         if (!$crypted_pass) {

  125.             return PASSWORD_CRYPT_ERROR;

  126.         }

  127. 

  128.         // Crypt new Samba password

  129.         if ($smbpwattr && !($samba_pass = password::hash_password($passwd, 'samba'))) {

  130.             return PASSWORD_CRYPT_ERROR;

  131.         }

  132. 

  133.         $this->_debug("C: Bind $binddn, pass: **** [" . strlen($bindpw) . "]");

  134. 

  135.         // Bind

  136.         if (!ldap_bind($ds, $binddn, $bindpw)) {

  137.             $this->_debug("S: ".ldap_error($ds));

  138. 

  139.             ldap_unbind($ds);

  140. 

  141.             return PASSWORD_CONNECT_ERROR;

  142.         }

  143. 

  144.         $this->_debug("S: OK");

  145. 

  146.         $entry[$pwattr] = $crypted_pass;

  147. 

  148.         // Update PasswordLastChange Attribute if desired

  149.         if ($lchattr) {

  150.             $entry[$lchattr] = (int)(time() / 86400);

  151.         }

  152. 

  153.         // Update Samba password

  154.         if ($smbpwattr) {

  155.             $entry[$smbpwattr] = $samba_pass;

  156.         }

  157. 

  158.         // Update Samba password last change

  159.         if ($smblchattr) {

  160.             $entry[$smblchattr] = time();

  161.         }

  162. 

  163.         $this->_debug("C: Modify $user_dn: " . print_r($entry, true));

  164. 

  165.         if (!ldap_modify($ds, $user_dn, $entry)) {

  166.             $this->_debug("S: ".ldap_error($ds));

  167. 

  168.             $errno = ldap_errno($ds);

  169. 

  170.             ldap_unbind($ds);

  171. 

  172.             if ($errno == 0x13) {   // LDAP_CONSTRAINT_VIOLATION

  173.                 return PASSWORD_CONSTRAINT_VIOLATION;

  174.             }

  175. 

  176.             return PASSWORD_CONNECT_ERROR;

  177.         }

  178. 

  179.         $this->_debug("S: OK");

  180. 

  181.         // All done, no error

  182.         ldap_unbind($ds);

  183. 

  184.         return PASSWORD_SUCCESS;

  185.     }

  186. 

  187.     /**

  188.      * Bind with searchDN and searchPW and search for the user's DN

  189.      * Use search_base and search_filter defined in config file

  190.      * Return the found DN

  191.      */

  192.     function search_userdn($rcmail, $ds)

  193.     {

  194.         $search_user   = $rcmail->config->get('password_ldap_searchDN');

  195.         $search_pass   = $rcmail->config->get('password_ldap_searchPW');

  196.         $search_base   = $rcmail->config->get('password_ldap_search_base');

  197.         $search_filter = $rcmail->config->get('password_ldap_search_filter');

  198. 

  199.         if (empty($search_filter)) {

  200.             return false;

  201.         }

  202. 

  203.         $this->_debug("C: Bind " . ($search_user ? $search_user : '[anonymous]'));

  204. 

  205.         // Bind

  206.         if (!ldap_bind($ds, $search_user, $search_pass)) {

  207.             $this->_debug("S: ".ldap_error($ds));

  208.             return false;

  209.         }

  210. 

  211.         $this->_debug("S: OK");

  212. 

  213.         $search_base   = rcube_ldap_password::substitute_vars($search_base);

  214.         $search_filter = rcube_ldap_password::substitute_vars($search_filter);

  215. 

  216.         $this->_debug("C: Search $search_base for $search_filter");

  217. 

  218.         // Search for the DN

  219.         if (!$sr = ldap_search($ds, $search_base, $search_filter)) {

  220.             $this->_debug("S: ".ldap_error($ds));

  221.             return false;

  222.         }

  223. 

  224.         $found = ldap_count_entries($ds, $sr);

  225. 

  226.         $this->_debug("S: OK [found $found records]");

  227. 

  228.         // If no or more entries were found, return false

  229.         if ($found != 1) {

  230.             return false;

  231.         }

  232. 

  233.         return ldap_get_dn($ds, ldap_first_entry($ds, $sr));

  234.     }

  235. 

  236.     /**

  237.      * Prints debug info to the log

  238.      */

  239.     private function _debug($str)

  240.     {

  241.         if ($this->debug) {

  242.             rcube::write_log('ldap', $str);

  243.         }

  244.     }

  245. }