<?php
/*
 * Copyright 2005-2016 OCSInventory-NG/OCSInventory-ocsreports contributors.
 * See the Contributors file for more details about them.
 *
 * This file is part of OCSInventory-NG/OCSInventory-ocsreports.
 *
 * OCSInventory-NG/OCSInventory-ocsreports is free software: you can redistribute
 * it and/or modify it under the terms of the GNU General Public License as
 * published by the Free Software Foundation, either version 2 of the License,
 * or (at your option) any later version.
 *
 * OCSInventory-NG/OCSInventory-ocsreports is distributed in the hope that it
 * will be useful, but WITHOUT ANY WARRANTY; without even the implied warranty
 * of MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the
 * GNU General Public License for more details.
 *
 * You should have received a copy of the GNU General Public License
 * along with OCSInventory-NG/OCSInventory-ocsreports. if not, write to the
 * Free Software Foundation, Inc., 51 Franklin Street, Fifth Floor, Boston,
 * MA 02110-1301, USA.
 */
/*
 * LDAP custom authentication module
 *
 * This module will check and report if a LDAP user is valid based on the configuration supplied.
 * Adapted by Erico Mendonca <emendonca@novell.com> from original OCS code.
 *
 * I'm fetching a few LDAP attributes to fill in the user record, namely sn,cn,givenname and mail.
 * */

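connexion_local_read();
// Load the directory-related settings from the config table. The first six characters
// of NAME are stripped (presumably a "CONEX_"-style prefix) so the remaining key is the
// bare setting name used below (LDAP_SERVEUR, LDAP_PORT, DN_BASE_LDAP, ...).
$sql = "select substr(NAME,7) as NAME,TVALUE from config where NAME like '%s'";
$arg = array('%CONEX%');
$res = mysql2_query_secure($sql, $_SESSION['OCS']["readServer"], $arg);

// initialise explicitly: an empty result set must not leave $config undefined
$config = array();
while ($item = mysqli_fetch_object($res)) {
    $config[$item->NAME] = $item->TVALUE;
    // the ldap_* helpers read these settings as constants; skip a redefinition
    // (which would only raise a warning and keep the first value anyway)
    if (!defined($item->NAME)) {
        define($item->NAME, $item->TVALUE);
    }
}

// copies the config values to the session area
$_SESSION['OCS']['config'] = $config;

// $login / $mdp are expected to be set by the including script (not visible here)
$login_successful = verif_pw_ldap($login, $mdp);
$cnx_origine = "LDAP";
$user_group = "LDAP";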

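/**
 * Authenticate a user against the directory.
 *
 * Looks the login up with search_on_loginnt() and, when exactly one entry
 * matches, tries a bind with that entry's DN and the supplied password.
 *
 * @param string $login login value searched in LOGIN_FIELD
 * @param string $pw    clear-text password to bind with
 * @return string "OK" on success, otherwise "BAD LOGIN OR PASSWORD"
 */
function verif_pw_ldap($login, $pw) {
    $info = search_on_loginnt($login);
    // exactly one entry must match: zero means unknown login, more than one is ambiguous
    // (strict comparison: nbResultats is the int from ldap_count_entries)
    if (!isset($info["nbResultats"]) || $info["nbResultats"] !== 1 || empty($info[0]["dn"])) {
        return ("BAD LOGIN OR PASSWORD");
    }
    return (ldap_test_pw($info[0]["dn"], $pw) ? "OK" : "BAD LOGIN OR PASSWORD");
}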

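/**
 * Search the directory for the entry whose LOGIN_FIELD equals $login.
 *
 * Side effect: fills $_SESSION['OCS']['details'] with givenname, sn, cn, mail,
 * title and, when configured, the two extra attributes LDAP_CHECK_FIELD1_NAME /
 * LDAP_CHECK_FIELD2_NAME (a 'memberof' attribute is stored as the whole value list).
 *
 * @param string $login login value to search for; escaped for the filter grammar
 * @return array ldap_get_entries() result plus a "nbResultats" key holding the
 *               number of matching entries (0 when the connection or search failed)
 */
function search_on_loginnt($login) {
    $conf = isset($_SESSION['OCS']['config']) ? $_SESSION['OCS']['config'] : array();
    $f1_name = isset($conf['LDAP_CHECK_FIELD1_NAME']) ? $conf['LDAP_CHECK_FIELD1_NAME'] : '';
    $f2_name = isset($conf['LDAP_CHECK_FIELD2_NAME']) ? $conf['LDAP_CHECK_FIELD2_NAME'] : '';

    // default attributes for query
    $attributs = array("dn", "cn", "givenname", "sn", "mail", "title");

    // request the custom user-level attributes as well if they're configured
    foreach (array($f1_name, $f2_name) as $name) {
        if ($name !== '') {
            $attributs[] = strtolower($name);
        }
    }

    $info = array("nbResultats" => 0);

    $ds = ldap_connection();
    if (!$ds) {
        // service bind failed: report "no match" rather than searching on a bad handle
        return $info;
    }

    // The login is untrusted input: escape it for the filter grammar so that filter
    // metacharacters (e.g. '*' or parentheses) cannot widen or rewrite the search.
    $filtre = "(" . LOGIN_FIELD . "=" . ldap_escape($login, '', LDAP_ESCAPE_FILTER) . ")";
    $sr = ldap_search($ds, DN_BASE_LDAP, $filtre, $attributs);
    if ($sr === false) {
        ldap_close($ds);
        return $info;
    }
    $lce = ldap_count_entries($ds, $sr);
    $entries = ldap_get_entries($ds, $sr);
    ldap_close($ds);

    if (is_array($entries)) {
        $info = $entries;
    }
    $info["nbResultats"] = $lce;

    // first matching entry, or an empty array so lookups below degrade to null
    $entry = ($lce > 0 && isset($info[0]) && is_array($info[0])) ? $info[0] : array();

    // save user fields in session (null when the entry does not carry the attribute)
    foreach (array('givenname', 'sn', 'cn', 'mail', 'title') as $attr) {
        $_SESSION['OCS']['details'][$attr] = isset($entry[$attr][0]) ? $entry[$attr][0] : null;
    }

    // Extra attributes: ldap_get_entries() returns attribute names in lower case, so the
    // lookup key is always lower-cased while the session key keeps the configured name.
    // 'memberof' (group membership) keeps the entire value list instead of the first value.
    foreach (array($f1_name, $f2_name) as $name) {
        if ($name === '') {
            continue;
        }
        $key = strtolower($name);
        if (!isset($entry[$key][0]) || $entry[$key][0] === '') {
            continue;
        }
        if ($key === "memberof") {
            $_SESSION['OCS']['details'][$name] = $entry[$key];
        } else {
            $_SESSION['OCS']['details'][$name] = $entry[$key][0];
        }
    }
    return $info;
}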

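/**
 * Check a password by binding to the directory as the given DN.
 *
 * @param string $dn distinguished name of the user entry
 * @param string $pw clear-text password
 * @return bool true when the bind succeeded, false otherwise (including empty
 *              DN or password, or when no connection could be obtained)
 */
function ldap_test_pw($dn, $pw) {
    // Refuse empty credentials before touching the directory: a bind with an empty
    // password is an anonymous/unauthenticated bind that some servers accept, which
    // would make any known login pass. Compared with === so a password of "0" is
    // not rejected by PHP truthiness.
    if ($dn === null || $dn === '' || $pw === null || $pw === '') {
        return false;
    }
    // with ldap 2.x.x ldap_connect() always succeeds; the connection is only opened at bind time
    $ds = ldap_connection();
    if (!$ds) {
        return false;
    }
    ldap_set_option($ds, LDAP_OPT_PROTOCOL_VERSION, LDAP_PROTOCOL_VERSION);
    $r = ldap_bind($ds, $dn, $pw);
    ldap_close($ds);
    return $r;
}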

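/**
 * Open a directory connection bound with the service account (ROOT_DN / ROOT_PW)
 * or anonymously when no ROOT_DN is configured.
 *
 * @return resource|false bound LDAP link, or false when connect or bind failed
 */
function ldap_connection() {
    $ds = ldap_connect(LDAP_SERVEUR, LDAP_PORT);
    if (!$ds) {
        return false;
    }
    // Set the LDAP version
    // add by acop http://forums.ocsinventory-ng.org/viewtopic.php?pid=35261
    ldap_set_option($ds, LDAP_OPT_PROTOCOL_VERSION, LDAP_PROTOCOL_VERSION);
    // do not follow referrals with the service credentials
    ldap_set_option($ds, LDAP_OPT_REFERRALS, 0);
    // NOTE(review): no STARTTLS is negotiated here, so bind credentials travel in clear
    // text unless LDAP_SERVEUR is an ldaps:// URI — confirm against the deployment.
    // defined() must be tested before ROOT_DN is read: reading an undefined constant
    // is a warning (PHP 7) or an Error (PHP 8) instead of the intended anonymous fallback.
    if (defined('ROOT_DN') && ROOT_DN != '') {
        $b = ldap_bind($ds, ROOT_DN, ROOT_PW);
    } else { //Anonymous bind
        $b = ldap_bind($ds);
    }
    return $b ? $ds : false;
}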

?>