Root/pluf/src/Pluf/Auth/LdapBackend.php

1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
87
88
89
90
91
92
93
94
95
96
97
98
99
100
101
102
103
104
105
106
107
108
109
110
111
112
113
114
115
116
117
118
119
120
121
122
123
124
125
126
127
128
129
130
131
132
133
134
135
136
137
138
<?php
/* -*- tab-width: 4; indent-tabs-mode: nil; c-basic-offset: 4 -*- */
/*
# ***** BEGIN LICENSE BLOCK *****
# This file is part of Plume Framework, a simple PHP Application Framework.
# Copyright (C) 2001-2007 Loic d'Anterroches and contributors.
#
# Plume Framework is free software; you can redistribute it and/or modify
# it under the terms of the GNU Lesser General Public License as published by
# the Free Software Foundation; either version 2.1 of the License, or
# (at your option) any later version.
#
# Plume Framework is distributed in the hope that it will be useful,
# but WITHOUT ANY WARRANTY; without even the implied warranty of
# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the
# GNU Lesser General Public License for more details.
#
# You should have received a copy of the GNU Lesser General Public License
# along with this program; if not, write to the Free Software
# Foundation, Inc., 51 Franklin St, Fifth Floor, Boston, MA  02110-1301  USA
#
# ***** END LICENSE BLOCK ***** */
 
/**
 * Backend to authenticate against a LDAP server.
 *
 * Configuration is done with the 'auth_ldap_*' keys.
 */
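class Pluf_Auth_LdapBackend
{
    /**
     * Given a user id (the login), retrieve the matching local user.
     *
     * The lookup is done against the model database, not against LDAP.
     * The login goes through Pluf_SQL as a placeholder value instead of
     * being concatenated into the SQL string.
     *
     * @param string $user_id Login of the user.
     * @return mixed Whatever getOne() returns; authenticate() treats a
     *               falsy result as "no such local user yet".
     */
    public static function getUser($user_id)
    {
        $user_model = Pluf::f('pluf_custom_user', 'Pluf_User');
        $sql = new Pluf_SQL('login=%s', array($user_id));
        return Pluf::factory($user_model)->getOne($sql->gen());
    }

    /**
     * Given an array with the authentication data, auth the user and return it.
     *
     * Flow: validate the submitted login and password, bind to the server
     * with the service credentials, search for exactly one entry matching
     * the login, then verify the password either against a crypt() hash
     * stored in the entry (when 'auth_ldap_password_key' is set) or by
     * binding as the found DN. On success the local user is returned,
     * created from the LDAP attributes when it does not exist yet.
     *
     * @param array $auth_data Must contain the 'login' and 'password' keys.
     * @return mixed The user object on success, false on any failure.
     */
    public static function authenticate($auth_data)
    {
        // Both keys are mandatory scalars; anything else is a failed
        // authentication, not a notice or a stringified array.
        if (!isset($auth_data['login'], $auth_data['password'])
            || !is_scalar($auth_data['login'])
            || !is_scalar($auth_data['password'])) {
            return false;
        }
        $password = (string) $auth_data['password'];
        $login = (string) $auth_data['login'];

        // The login is interpolated into the LDAP search filter below, so
        // this conservative alphabet is what prevents filter injection
        // ('*', '(', ')', '\' and NUL are all rejected here).
        if ($login === '' || preg_match('/[^A-Za-z0-9\-\_]/', $login)) {
            return false;
        }
        // An empty password must never reach ldap_bind(): a bind with an
        // empty credential is an unauthenticated bind, which a server may
        // accept without proving anything about the user.
        if ($password === '') {
            return false;
        }

        $ldap_dn = Pluf::f('auth_ldap_dn', 'ou=users,dc=example,dc=com');
        // Service credentials for the search bind; null/null results in an
        // anonymous bind, which is a deployment choice rather than an error.
        $ldap_user = Pluf::f('auth_ldap_user', null);
        $ldap_password = Pluf::f('auth_ldap_password', null);
        $ldap_version = Pluf::f('auth_ldap_version', 3);
        $ldap_user_key = Pluf::f('auth_ldap_user_key', 'uid');
        // If auth_ldap_password_key is set, the password is checked against
        // a crypt hash stored in that attribute; otherwise a bind as the
        // user's own DN is attempted.
        $ldap_password_key = Pluf::f('auth_ldap_password_key', null);
        $ldap_surname_key = Pluf::f('auth_ldap_surname_key', 'sn');
        $ldap_givenname_key = Pluf::f('auth_ldap_givenname_key', 'cn');
        $ldap_email_key = Pluf::f('auth_ldap_email_key', 'mail');

        // ldap_connect() only validates its parameters; the network
        // connection itself is established by the first bind below.
        $ldap = ldap_connect(Pluf::f('auth_ldap_host', 'localhost'));
        if ($ldap === false) {
            Pluf_Log::warn('Cannot initialise the ldap connection, check auth_ldap_host');
            return false;
        }
        ldap_set_option($ldap, LDAP_OPT_PROTOCOL_VERSION, $ldap_version);
        if (!ldap_bind($ldap, $ldap_user, $ldap_password)) {
            Pluf_Log::warn(sprintf('Cannot bind to the ldap server, user:%s, password:***', $ldap_user));
            ldap_close($ldap);
            return false;
        }

        // Search for the login; exactly one entry must match, otherwise we
        // cannot know which DN to authenticate against.
        $search = ldap_search($ldap, $ldap_dn,
                              '('.$ldap_user_key.'='.$login.')',
                              array($ldap_user_key, $ldap_surname_key,
                                    $ldap_givenname_key, $ldap_email_key));
        $entries = ($search === false) ? false : ldap_get_entries($ldap, $search);
        if ($entries === false || $entries['count'] !== 1) {
            ldap_close($ldap);
            return false;
        }
        $entry = ldap_first_entry($ldap, $search);
        if ($entry === false) {
            ldap_close($ldap);
            return false;
        }

        // Read the profile attributes before the credential check: binding
        // as the user would force a second search to get an $entry handle
        // for these values.
        $family_name = self::firstValue($ldap, $entry, $ldap_surname_key);
        $first_name = self::firstValue($ldap, $entry, $ldap_givenname_key);
        $email = self::firstValue($ldap, $entry, $ldap_email_key);
        $user_dn = ldap_get_dn($ldap, $entry);

        if ($ldap_password_key) {
            // Password authentication against the stored crypt hash.
            $stored_hash = self::firstValue($ldap, $entry, $ldap_password_key);
            $authenticated = self::checkCryptHash($password, $stored_hash);
        } else {
            // Bind authentication. A rejected bind raises a PHP warning,
            // which is an expected outcome here, hence the @.
            $authenticated = ($user_dn !== false)
                && @ldap_bind($ldap, $user_dn, $password);
        }
        // Nothing else is needed from the directory from this point on.
        ldap_close($ldap);
        if (!$authenticated) {
            return false;
        }

        // Return the local user, creating it from the LDAP attributes when
        // it does not exist yet.
        $user = self::getUser($login);
        if ($user) {
            return $user;
        }
        $user_model = Pluf::f('pluf_custom_user', 'Pluf_User');
        $user = new $user_model();
        $user->active = true;
        $user->login = $login;
        // NOTE(review): the submitted clear-text password is handed to the
        // model as-is; whether it is hashed before storage depends on the
        // user model's handling of this property — confirm.
        $user->password = $password;
        $user->last_name = $family_name;
        $user->first_name = $first_name;
        $user->email = $email;
        $user->create();
        return $user;
    }

    /**
     * First value of an attribute of an LDAP entry, or null when absent.
     *
     * ldap_get_values() warns when the attribute is not present on the
     * entry, which is a normal situation for optional profile attributes,
     * hence the @.
     *
     * @param resource|object $ldap LDAP link.
     * @param resource|object $entry Entry handle from ldap_first_entry().
     * @param string $attribute Attribute name.
     * @return string|null
     */
    private static function firstValue($ldap, $entry, $attribute)
    {
        $values = @ldap_get_values($ldap, $entry, $attribute);
        if (!is_array($values) || !isset($values[0])) {
            return null;
        }
        return $values[0];
    }

    /**
     * Verify $password against a '{CRYPT}...' value read from the directory.
     *
     * The stored value is expected as a 7-character '{CRYPT}' prefix
     * followed by a crypt() hash whose first 12 characters are the salt
     * (the '$1$' + 8 characters + '$' MD5-crypt layout); schemes with a
     * different salt length are not handled by this check.
     *
     * @param string $password Clear-text password submitted by the user.
     * @param string|null $stored Attribute value, null when not present.
     * @return bool True when the recomputed hash matches the stored one.
     */
    private static function checkCryptHash($password, $stored)
    {
        if ($stored === null) {
            return false;
        }
        // Drop the '{CRYPT}' prefix; the cast covers PHP < 8 returning
        // false for an out-of-range offset.
        $ldap_hash = (string) substr($stored, 7);
        if (strlen($ldap_hash) <= 12) {
            // No hash material after the salt: crypt() must not be fed a
            // truncated or empty salt.
            return false;
        }
        $salt = substr($ldap_hash, 0, 12);
        $hash = crypt($password, $salt);
        return self::constantTimeEquals($ldap_hash, $hash);
    }

    /**
     * Compare two strings without leaking where they first differ.
     *
     * Uses hash_equals() where available, with a fallback that always
     * walks the full length of the known string.
     *
     * @param string $known Reference value (the stored hash).
     * @param string $user Value derived from user input.
     * @return bool
     */
    private static function constantTimeEquals($known, $user)
    {
        if (function_exists('hash_equals')) {
            return hash_equals($known, $user);
        }
        $len = strlen($known);
        if ($len !== strlen($user)) {
            return false;
        }
        $diff = 0;
        for ($i = 0; $i < $len; $i++) {
            $diff |= ord($known[$i]) ^ ord($user[$i]);
        }
        return $diff === 0;
    }
}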
