Du kannst nicht mehr als 25 Themen auswählen Themen müssen mit entweder einem Buchstaben oder einer Ziffer beginnen. Sie können Bindestriche („-“) enthalten und bis zu 35 Zeichen lang sein.

ldap_simple.php 7.4KB

123456789101112131415161718192021222324252627282930313233343536373839404142434445464748495051525354555657585960616263646566676869707172737475767778798081828384858687888990919293949596979899100101102103104105106107108109110111112113114115116117118119120121122123124125126127128129130131132133134135136137138139140141142143144145146147148149150151152153154155156157158159160161162163164165166167168169170171172173174175176177178179180181182183184185186187188189190191192193194195196197198199200201202203204205206207208209210211212213214215216217218219220221222223224225226227228229230231232233234235236237238239240241242243244245
  1. <?php
  2. /**
  3. * Simple LDAP Password Driver
  4. *
  5. * Driver for passwords stored in LDAP
  6. * This driver is based on Edouard's LDAP Password Driver, but does not
  7. * require PEAR's Net_LDAP2 to be installed
  8. *
  9. * @version 2.0
  10. * @author Wout Decre <wout@canodus.be>
  11. * @author Aleksander Machniak <machniak@kolabsys.com>
  12. *
  13. * Copyright (C) 2005-2014, The Roundcube Dev Team
  14. *
  15. * This program is free software: you can redistribute it and/or modify
  16. * it under the terms of the GNU General Public License as published by
  17. * the Free Software Foundation, either version 3 of the License, or
  18. * (at your option) any later version.
  19. *
  20. * This program is distributed in the hope that it will be useful,
  21. * but WITHOUT ANY WARRANTY; without even the implied warranty of
  22. * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
  23. * GNU General Public License for more details.
  24. *
  25. * You should have received a copy of the GNU General Public License
  26. * along with this program. If not, see http://www.gnu.org/licenses/.
  27. */
  28. class rcube_ldap_simple_password
  29. {
  30. private $debug = false;
  31. function save($curpass, $passwd)
  32. {
  33. $rcmail = rcmail::get_instance();
  34. $this->debug = $rcmail->config->get('ldap_debug');
  35. $ldap_host = $rcmail->config->get('password_ldap_host', 'localhost');
  36. $ldap_port = $rcmail->config->get('password_ldap_port', '389');
  37. $this->_debug("C: Connect to $ldap_host:$ldap_port");
  38. // Connect
  39. if (!$ds = ldap_connect($ldap_host, $ldap_port)) {
  40. $this->_debug("S: NOT OK");
  41. rcube::raise_error(array(
  42. 'code' => 100, 'type' => 'ldap',
  43. 'file' => __FILE__, 'line' => __LINE__,
  44. 'message' => "Could not connect to LDAP server"
  45. ),
  46. true);
  47. return PASSWORD_CONNECT_ERROR;
  48. }
  49. $this->_debug("S: OK");
  50. // Set protocol version
  51. ldap_set_option($ds, LDAP_OPT_PROTOCOL_VERSION,
  52. $rcmail->config->get('password_ldap_version', '3'));
  53. // Start TLS
  54. if ($rcmail->config->get('password_ldap_starttls')) {
  55. if (!ldap_start_tls($ds)) {
  56. ldap_unbind($ds);
  57. return PASSWORD_CONNECT_ERROR;
  58. }
  59. }
  60. // include 'ldap' driver, we share some static methods with it
  61. require_once INSTALL_PATH . 'plugins/password/drivers/ldap.php';
  62. // other plugins might want to modify user DN
  63. $plugin = $rcmail->plugins->exec_hook('password_ldap_bind', array(
  64. 'user_dn' => '', 'conn' => $ds));
  65. // Build user DN
  66. if (!empty($plugin['user_dn'])) {
  67. $user_dn = $plugin['user_dn'];
  68. }
  69. else if ($user_dn = $rcmail->config->get('password_ldap_userDN_mask')) {
  70. $user_dn = rcube_ldap_password::substitute_vars($user_dn);
  71. }
  72. else {
  73. $user_dn = $this->search_userdn($rcmail, $ds);
  74. }
  75. if (empty($user_dn)) {
  76. ldap_unbind($ds);
  77. return PASSWORD_CONNECT_ERROR;
  78. }
  79. // Connection method
  80. switch ($rcmail->config->get('password_ldap_method')) {
  81. case 'admin':
  82. $binddn = $rcmail->config->get('password_ldap_adminDN');
  83. $bindpw = $rcmail->config->get('password_ldap_adminPW');
  84. break;
  85. case 'user':
  86. default:
  87. $binddn = $user_dn;
  88. $bindpw = $curpass;
  89. break;
  90. }
  91. $lchattr = $rcmail->config->get('password_ldap_lchattr');
  92. $pwattr = $rcmail->config->get('password_ldap_pwattr', 'userPassword');
  93. $smbpwattr = $rcmail->config->get('password_ldap_samba_pwattr');
  94. $smblchattr = $rcmail->config->get('password_ldap_samba_lchattr');
  95. $samba = $rcmail->config->get('password_ldap_samba');
  96. $pass_mode = $rcmail->config->get('password_ldap_encodage', 'crypt');
  97. $crypted_pass = password::hash_password($passwd, $pass_mode);
  98. // Support password_ldap_samba option for backward compat.
  99. if ($samba && !$smbpwattr) {
  100. $smbpwattr = 'sambaNTPassword';
  101. $smblchattr = 'sambaPwdLastSet';
  102. }
  103. // Crypt new password
  104. if (!$crypted_pass) {
  105. return PASSWORD_CRYPT_ERROR;
  106. }
  107. // Crypt new Samba password
  108. if ($smbpwattr && !($samba_pass = password::hash_password($passwd, 'samba'))) {
  109. return PASSWORD_CRYPT_ERROR;
  110. }
  111. $this->_debug("C: Bind $binddn, pass: **** [" . strlen($bindpw) . "]");
  112. // Bind
  113. if (!ldap_bind($ds, $binddn, $bindpw)) {
  114. $this->_debug("S: ".ldap_error($ds));
  115. ldap_unbind($ds);
  116. return PASSWORD_CONNECT_ERROR;
  117. }
  118. $this->_debug("S: OK");
  119. $entry[$pwattr] = $crypted_pass;
  120. // Update PasswordLastChange Attribute if desired
  121. if ($lchattr) {
  122. $entry[$lchattr] = (int)(time() / 86400);
  123. }
  124. // Update Samba password
  125. if ($smbpwattr) {
  126. $entry[$smbpwattr] = $samba_pass;
  127. }
  128. // Update Samba password last change
  129. if ($smblchattr) {
  130. $entry[$smblchattr] = time();
  131. }
  132. $this->_debug("C: Modify $user_dn: " . print_r($entry, true));
  133. if (!ldap_modify($ds, $user_dn, $entry)) {
  134. $this->_debug("S: ".ldap_error($ds));
  135. $errno = ldap_errno($ds);
  136. ldap_unbind($ds);
  137. if ($errno == 0x13) { // LDAP_CONSTRAINT_VIOLATION
  138. return PASSWORD_CONSTRAINT_VIOLATION;
  139. }
  140. return PASSWORD_CONNECT_ERROR;
  141. }
  142. $this->_debug("S: OK");
  143. // All done, no error
  144. ldap_unbind($ds);
  145. return PASSWORD_SUCCESS;
  146. }
  147. /**
  148. * Bind with searchDN and searchPW and search for the user's DN
  149. * Use search_base and search_filter defined in config file
  150. * Return the found DN
  151. */
  152. function search_userdn($rcmail, $ds)
  153. {
  154. $search_user = $rcmail->config->get('password_ldap_searchDN');
  155. $search_pass = $rcmail->config->get('password_ldap_searchPW');
  156. $search_base = $rcmail->config->get('password_ldap_search_base');
  157. $search_filter = $rcmail->config->get('password_ldap_search_filter');
  158. if (empty($search_filter)) {
  159. return false;
  160. }
  161. $this->_debug("C: Bind " . ($search_user ? $search_user : '[anonymous]'));
  162. // Bind
  163. if (!ldap_bind($ds, $search_user, $search_pass)) {
  164. $this->_debug("S: ".ldap_error($ds));
  165. return false;
  166. }
  167. $this->_debug("S: OK");
  168. $search_base = rcube_ldap_password::substitute_vars($search_base);
  169. $search_filter = rcube_ldap_password::substitute_vars($search_filter);
  170. $this->_debug("C: Search $search_base for $search_filter");
  171. // Search for the DN
  172. if (!$sr = ldap_search($ds, $search_base, $search_filter)) {
  173. $this->_debug("S: ".ldap_error($ds));
  174. return false;
  175. }
  176. $found = ldap_count_entries($ds, $sr);
  177. $this->_debug("S: OK [found $found records]");
  178. // If no or more entries were found, return false
  179. if ($found != 1) {
  180. return false;
  181. }
  182. return ldap_get_dn($ds, ldap_first_entry($ds, $sr));
  183. }
  184. /**
  185. * Prints debug info to the log
  186. */
  187. private function _debug($str)
  188. {
  189. if ($this->debug) {
  190. rcube::write_log('ldap', $str);
  191. }
  192. }
  193. }