ldapbaseauthenticationprovider.inc.php

        $this->sLdapServer = $aConfig['servername'];
        $this->iLdapPort = $aConfig['serverport'];
        $this->sBaseDN = $aConfig['basedn'];
        $this->sSearchUser = $aConfig['searchuser'];
        $this->sSearchPassword = $aConfig['searchpassword'];
        $this->aObjectClasses = KTUtil::arrayGet($aConfig, 'objectclasses');
        if (empty($this->aObjectClasses)) {
            $this->aObjectClasses = array('user', 'inetOrgPerson', 'posixAccount');
        }
        $this->aSearchAttributes = KTUtil::arrayGet($aConfig, 'searchattributes');
        if (empty($this->aSearchAttributes)) {
            $this->aSearchAttributes = array('cn', 'samaccountname');
        }
        $this->bTls = KTUtil::arrayGet($aConfig, 'tls', false);

        if ($this->iLdapPort + 0 == 0) $this->iLdapPort=389; // some basic validation in case port is blank or 0

        require_once('Net/LDAP.php');
        $config = array(
            'dn' => $this->sSearchUser,
            'password' => $this->sSearchPassword,
            'host' => $this->sLdapServer,
            'base' => $this->sBaseDN,
            'options' => array('LDAP_OPT_REFERRALS' => 0),
            'tls' => $this->bTls,
            'port'=> $this->iLdapPort
        );

        $this->oLdap =& Net_LDAP::connect($config);
        if (PEAR::isError($this->oLdap)) {
            return $this->oLdap;
        }
    }

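    /**
     * Authenticate the user against the LDAP directory by binding as that user.
     *
     * The DN stored in the user's authentication details is tried first. When
     * that bind fails, authenticateOnLDAPUsername() looks the account up by its
     * second authentication detail and retries the bind with the DN it finds.
     *
     * An empty password is refused before any connection is opened: a simple
     * bind with a DN and an empty password is an "unauthenticated" bind
     * (RFC 4513 section 5.1.2), which many directories treat as anonymous and
     * report as success, so forwarding it would log anyone in as any user.
     *
     * @param object $oUser the user to authenticate; must provide
     *                      getAuthenticationDetails() (the bind DN)
     * @param string $sPassword the password to check
     * @return mixed true when the bind succeeds; false when the password is
     *               empty or the fallback lookup finds no matching account;
     *               a PEAR_Error when the DN is missing or the connection or
     *               bind fails
     */
    function checkPassword($oUser, $sPassword) {
        $dn = $oUser->getAuthenticationDetails();
        if (is_null($dn))
        {
            return new PEAR_Error(_kt('Please consult your system administrator. The authentication parameters are corrupt. (authentication_detail_s1 is null)'));
        }
        // Refuse empty credentials (see the docblock). Compared as a string,
        // not with empty(), so that a legitimate password of "0" is still tried.
        if ((string)$sPassword === '') {
            return false;
        }
        // A fresh connection without the search account's credentials: the bind
        // below must be made with the user's own password.
        $config = array(
            'host' => $this->sLdapServer,
            'base' => $this->sBaseDN,
            'tls' => $this->bTls,
            'port'=> $this->iLdapPort
        );
        $this->oLdap =& Net_LDAP::connect($config);
        if (PEAR::isError($this->oLdap)) {
            return $this->oLdap;
        }
        $res = $this->oLdap->reBind($dn, $sPassword);

        if (PEAR::isError($res)) {
            // The stored DN may be stale (account moved or renamed): fall back
            // to locating the account by its account name and binding with the
            // DN found, which also refreshes the stored DN on success.
            $res = $this->authenticateOnLDAPUsername($oUser, $sPassword);
        }
        return $res;
    }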

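    /**
     * Look the user up by account name and authenticate with the DN found.
     *
     * Used as a fallback by checkPassword() when the stored DN no longer binds.
     * Reconnects with the configured search account, searches for the user's
     * second authentication detail, binds with the matching entry's DN and, on
     * success, stores that DN as the user's authentication detail.
     *
     * An empty password is refused before any bind: a DN plus an empty
     * password is an unauthenticated bind (RFC 4513 section 5.1.2) that many
     * directories accept, which would authenticate without a credential.
     *
     * @param object $oUser the user to authenticate; must provide
     *                      getAuthenticationDetails2() (the account name) and
     *                      setAuthenticationDetails()/update() to persist the DN
     * @param string $sPassword the password to check
     * @return mixed true when the bind succeeds; false when the password or the
     *               account name is empty or no entry matches; a PEAR_Error
     *               when the connection, search or bind fails
     */
    function authenticateOnLDAPUsername($oUser, $sPassword){
        if ((string)$sPassword === '') {
            return false;
        }

        // Reconnect as the configured search account for the lookup.
        $config = array(
            'dn' => $this->sSearchUser,
            'password' => $this->sSearchPassword,
            'host' => $this->sLdapServer,
            'base' => $this->sBaseDN,
            'options' => array('LDAP_OPT_REFERRALS' => 0),
            'tls' => $this->bTls,
            'port'=> $this->iLdapPort
        );

        $this->oLdap =& Net_LDAP::connect($config);
        if (PEAR::isError($this->oLdap)) {
            // Was `return $res;` with $res undefined, which hid the error as null.
            return $this->oLdap;
        }

        // Get the user's account name (sAMAccountName) and search LDAP for it.
        $sName = $oUser->getAuthenticationDetails2();
        if (empty($sName)) {
            return false;
        }
        $aResults = $this->searchUsers($sName);
        if (PEAR::isError($aResults)) {
            return $aResults;
        }
        if (empty($aResults)) {
            return false;
        }
        // searchUsers() does a substring match, so pick the entry whose account
        // name equals the stored one. NOTE(review): the key is read as
        // 'sAMAccountName' although the search asks for 'samaccountname';
        // whether Net_LDAP preserves the server's attribute-name case is not
        // visible here - confirm against the directory in use.
        $newDn = null;
        foreach ($aResults as $aEntry) {
            if (!isset($aEntry['sAMAccountName'])) {
                continue;
            }
            if (strcasecmp($aEntry['sAMAccountName'], $sName) == 0) {
                $newDn = $aEntry['dn'];
                break;
            }
        }
        if (empty($newDn)) {
            return false;
        }

        $res = $this->oLdap->reBind($newDn, $sPassword);

        if (!PEAR::isError($res) && $res) {
            // Bind succeeded: remember the current DN for the next login.
            $oUser->setAuthenticationDetails($newDn);
            $oUser->update();
        }
        return $res;
    }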

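    /**
     * Verify a username/password pair for self-registration (signup).
     *
     * Finds the directory entry whose search attribute exactly matches the
     * username, requires exactly one match, then binds with that entry's DN
     * and the supplied password.
     *
     * Empty credentials are refused up front: a bind with a DN and an empty
     * password is an unauthenticated bind (RFC 4513 section 5.1.2) that many
     * directories accept, so it must never reach the server. The checks
     * compare as strings rather than with empty(), so a username or password
     * of "0" is not wrongly rejected.
     *
     * @param string $sUsername the account name to look up
     * @param string $sPassword the password to check
     * @return mixed the entry's DN when the bind succeeds; false when either
     *               value is empty, when no entry or more than one entry
     *               matches, or when the lookup fails; a PEAR_Error when the
     *               connection or bind fails
     */
    function checkSignupPassword($sUsername, $sPassword) {
        if ((string)$sPassword === '' || (string)$sUsername === '') {
            return false;
        }

        $aUsers = $this->findUser($sUsername);
        if (PEAR::isError($aUsers) || empty($aUsers)) {
            return false;
        }
        // Exactly one entry must match; an ambiguous name would otherwise be
        // resolved to whichever entry the server happened to list first.
        if (count($aUsers) !== 1) {
            return false;
        }
        $dn = $aUsers[0]['dn'];
        // Fresh connection without the search account's credentials so the
        // bind below is made as the signing-up user.
        $config = array(
            'host' => $this->sLdapServer,
            'base' => $this->sBaseDN,
            'tls' => $this->bTls,
            'port'=> $this->iLdapPort
        );
        $this->oLdap =& Net_LDAP::connect($config);
        if (PEAR::isError($this->oLdap)) {
            return $this->oLdap;
        }
        $res = $this->oLdap->reBind($dn, $sPassword);
        if ($res === true) {
            return $dn;
        }
        return $res;
    }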

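    /**
     * Return the groups a directory entry belongs to, from its memberOf attribute.
     *
     * Uses the provider's current connection ($this->oLdap), so it must be
     * called after a successful connect.
     *
     * @param string $dn distinguished name of the entry to inspect
     * @return mixed the memberOf value(s) as returned by Net_LDAP
     *               (NOTE(review): presumably an array of group DNs, but a
     *               single membership may come back as a plain string, as
     *               synchroniseGroup() allows for with 'member' - verify);
     *               null when the entry has no memberOf attribute; or a
     *               PEAR_Error when the connection or lookup failed
     */
    function getGroups($dn) {
        if (PEAR::isError($this->oLdap)) {
            return $this->oLdap;
        }

        $oEntry = $this->oLdap->getEntry($dn, array('memberOf'));
        if (PEAR::isError($oEntry)) {
            return $oEntry;
        }
        $aAttr = $oEntry->attributes();
        // An entry with no group membership has no memberOf attribute at all;
        // return null explicitly instead of raising an undefined-index notice.
        return isset($aAttr['memberOf']) ? $aAttr['memberOf'] : null;
    }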


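    /**
     * Fetch a single directory entry by DN and flatten its attributes.
     *
     * Reads the attributes listed in $this->aAttributes (not assigned anywhere
     * in this part of the file; presumably set by the constructor or a
     * subclass - verify), lower-cases every attribute name and keeps only the
     * first value of multi-valued attributes.
     *
     * NOTE(review): every attribute value is written to the log at info level.
     * Should $this->aAttributes ever include sensitive attributes, their values
     * end up in the log; consider logging attribute names only, or at debug.
     *
     * @param string $dn distinguished name of the entry to fetch
     * @return mixed array of lower-cased attribute name => first value, with
     *               'dn' included; or a PEAR_Error when the connection or
     *               lookup failed
     */
    function getUser($dn) {
        if (PEAR::isError($this->oLdap)) {
            return $this->oLdap;
        }

        $oEntry = $this->oLdap->getEntry($dn, $this->aAttributes);
        if (PEAR::isError($oEntry)) {
            return $oEntry;
        }
        $aAttr = $oEntry->attributes();
        $aAttr['dn'] = $oEntry->dn();

        global $default;
        $aRet = array();
        foreach ($aAttr as $k => $v) {
            $default->log->info(sprintf("LDAP: For DN %s, attribute %s value is %s", $dn, $k, print_r($v, true)));
            if (is_array($v)) {
                // Multi-valued attribute: keep the first value only.
                $v = array_shift($v);
            }
            $aRet[strtolower($k)] = $v;
        }
        return $aRet;
    }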

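    /**
     * Search the directory for user entries whose search attributes contain
     * the given string.
     *
     * Builds the filter (&(|(objectClass=..)..)(|(attr=*value*)..)) from the
     * configured object classes and search attributes. The search value is
     * escaped per RFC 4515 before it is placed in the filter, so a value such
     * as "*)(objectClass=*" cannot change the filter's structure (LDAP filter
     * injection). Object class and attribute names come from admin
     * configuration and are used as-is.
     *
     * When the search string is empty no filter is passed and Net_LDAP applies
     * its own default (presumably matching every entry under the base DN -
     * verify; callers should expect the whole subtree in that case).
     *
     * @param string $sSearch substring to look for in the search attributes
     * @return mixed array of attribute arrays (cn and samaccountname as
     *               returned by the server, plus 'dn'), one per entry; or a
     *               PEAR_Error when the connection or search failed
     */
    function searchUsers($sSearch) {
        global $default;
        if (PEAR::isError($this->oLdap)) {
            return $this->oLdap;
        }

        $aParams = array(
            'scope' => 'sub',
            'attributes' => array('cn', 'dn', 'samaccountname'),
        );
        $rootDn = $this->sBaseDN;
        if (is_array($rootDn)) {
            $rootDn = join(",", $rootDn);
        }
        $sObjectClasses = "|";
        foreach ($this->aObjectClasses as $sObjectClass) {
            $sObjectClasses .= sprintf('(objectClass=%s)', trim($sObjectClass));
        }
        // RFC 4515 escaping of the caller-supplied value. Backslash is replaced
        // first so the escapes introduced for the other characters survive.
        $sEscaped = str_replace(
            array('\\', '*', '(', ')', "\0"),
            array('\5c', '\2a', '\28', '\29', '\00'),
            (string)$sSearch
        );
        $sSearchAttributes = "|";
        foreach ($this->aSearchAttributes as $sSearchAttribute) {
            $sSearchAttributes .= sprintf('(%s=*%s*)', trim($sSearchAttribute), $sEscaped);
        }
        // Compared as a string rather than with empty() so that a search for
        // "0" does not silently become an unfiltered search.
        $sFilter = ((string)$sSearch !== '') ? sprintf('(&(%s)(%s))', $sObjectClasses, $sSearchAttributes) : null;
        $default->log->debug("Search filter is: " . $sFilter);

        $oResult = $this->oLdap->search($rootDn, $sFilter, $aParams);
        if (PEAR::isError($oResult)) {
            return $oResult;
        }
        $aRet = array();
        foreach ($oResult->entries() as $oEntry) {
            $aAttr = $oEntry->attributes();
            $aAttr['dn'] = $oEntry->dn();
            $aRet[] = $aAttr;
        }
        return $aRet;
    }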

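    /**
     * Search the directory for user entries whose search attribute exactly
     * equals the given username.
     *
     * Builds the filter (&(|(objectClass=..)..)(|(attr=value)..)) from the
     * configured object classes and search attributes. The username is escaped
     * per RFC 4515 before it is placed in the filter, so a value containing
     * "*", "(", ")" or "\" cannot turn the exact match into a wildcard or
     * rewrite the filter (LDAP filter injection). This matters because
     * checkSignupPassword() feeds it the name typed on the signup form.
     *
     * @param string $sUsername the account name to match exactly
     * @return mixed array of attribute arrays (cn and samaccountname as
     *               returned by the server, plus 'dn'), one per entry; or a
     *               PEAR_Error when the connection or search failed
     */
    function findUser($sUsername) {
        global $default;
        if (PEAR::isError($this->oLdap)) {
            return $this->oLdap;
        }

        $aParams = array(
            'scope' => 'sub',
            'attributes' => array('cn', 'dn', 'samaccountname'),
        );
        $rootDn = $this->sBaseDN;
        if (is_array($rootDn)) {
            $rootDn = join(",", $rootDn);
        }
        $sObjectClasses = "|";
        foreach ($this->aObjectClasses as $sObjectClass) {
            $sObjectClasses .= sprintf('(objectClass=%s)', trim($sObjectClass));
        }
        // RFC 4515 escaping of the caller-supplied value. Backslash is replaced
        // first so the escapes introduced for the other characters survive.
        $sEscaped = str_replace(
            array('\\', '*', '(', ')', "\0"),
            array('\5c', '\2a', '\28', '\29', '\00'),
            (string)$sUsername
        );
        $sSearchAttributes = "|";
        foreach ($this->aSearchAttributes as $sSearchAttribute) {
            $sSearchAttributes .= sprintf('(%s=%s)', trim($sSearchAttribute), $sEscaped);
        }
        $sFilter = sprintf('(&(%s)(%s))', $sObjectClasses, $sSearchAttributes);
        $default->log->debug("Search filter is: " . $sFilter);
        $oResult = $this->oLdap->search($rootDn, $sFilter, $aParams);
        if (PEAR::isError($oResult)) {
            return $oResult;
        }
        $aRet = array();
        foreach ($oResult->entries() as $oEntry) {
            $aAttr = $oEntry->attributes();
            $aAttr['dn'] = $oEntry->dn();
            $aRet[] = $aAttr;
        }
        return $aRet;
    }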

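    /**
     * Search the directory for group entries whose cn contains the given string.
     *
     * The search value is escaped per RFC 4515 before it is placed in the
     * filter so it cannot change the filter's structure (LDAP filter injection).
     *
     * @param string $sSearch substring to look for in the group cn
     * @return mixed array of attribute arrays (cn and displayName as returned
     *               by the server, plus 'dn'), one per group; or a PEAR_Error
     *               when the connection or search failed
     */
    function searchGroups($sSearch) {
        if (PEAR::isError($this->oLdap)) {
            return $this->oLdap;
        }

        $aParams = array(
            'scope' => 'sub',
            'attributes' => array('cn', 'dn', 'displayName'),
        );
        // Was read from an undefined $oAuthenticator, which left the search
        // base null; use this provider's configured base DN like the other
        // search methods do.
        $rootDn = $this->sBaseDN;
        if (is_array($rootDn)) {
            $rootDn = join(",", $rootDn);
        }
        // RFC 4515 escaping of the caller-supplied value. Backslash is replaced
        // first so the escapes introduced for the other characters survive.
        $sEscaped = str_replace(
            array('\\', '*', '(', ')', "\0"),
            array('\5c', '\2a', '\28', '\29', '\00'),
            (string)$sSearch
        );
        $sFilter = sprintf('(&(objectClass=group)(cn=*%s*))', $sEscaped);
        $oResults = $this->oLdap->search($rootDn, $sFilter, $aParams);

        if (PEAR::isError($oResults)) {
            return $oResults;
        }

        $aRet = array();
        foreach ($oResults->entries() as $oEntry) {
            $aAttr = $oEntry->attributes();
            $aAttr['dn'] = $oEntry->dn();
            $aRet[] = $aAttr;
        }
        return $aRet;
    }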

    /**
     * Fetch a single group entry by DN.
     *
     * @param string $dn distinguished name of the group
     * @param array $aAttributes attribute names to read; when empty or omitted
     *                           only 'cn' is read
     * @return mixed the entry's attributes as returned by Net_LDAP with 'dn'
     *               added, or a PEAR_Error when the connection or lookup failed
     */
    function getGroup($dn, $aAttributes = null) {
        if (PEAR::isError($this->oLdap)) {
            return $this->oLdap;
        }
        $aWanted = empty($aAttributes) ? array('cn') : $aAttributes;

        $oEntry = $this->oLdap->getEntry($dn, $aWanted);
        if (PEAR::isError($oEntry)) {
            return $oEntry;
        }
        $aResult = $oEntry->attributes();
        $aResult['dn'] = $oEntry->dn();
        return $aResult;
    }

    /**
     * Replace a local group's membership with the members of its LDAP group.
     *
     * Resolves the group object, reads the 'member' attribute of the directory
     * entry named by the group's authentication details, maps each member DN to
     * a local user id via User::getByAuthenticationSourceAndDetails() (members
     * that do not resolve are skipped) and sets the group's members to that list.
     *
     * @param mixed $oGroup a Group object, or whatever KTUtil::getObject('Group', ...)
     *                      accepts to resolve one
     * @return mixed a PEAR_Error when the directory lookup failed; otherwise
     *               nothing (the result of setMembers() is not returned)
     */
    function synchroniseGroup($oGroup) {
        $oGroup =& KTUtil::getObject('Group', $oGroup);
        $sGroupDn = $oGroup->getAuthenticationDetails();
        $aEntry = $this->getGroup($sGroupDn, array('member'));
        if (PEAR::isError($aEntry)) {
            return $aEntry;
        }
        // The attribute may arrive as a single scalar; normalise to a list.
        $mMembers = KTUtil::arrayGet($aEntry, 'member', array());
        $aMemberDns = is_array($mMembers) ? $mMembers : array($mMembers);

        $aUserIds = array();
        foreach ($aMemberDns as $sMemberDn) {
            $mUserId = User::getByAuthenticationSourceAndDetails($this->oSource, $sMemberDn, array('ids' => true));
            if (!PEAR::isError($mUserId)) {
                $aUserIds[] = $mUserId;
            }
        }
        $oGroup->setMembers($aUserIds);
    }
}

?>
