2 rcs_id('$Id: LDAP.php,v 1.7 2007-05-30 21:56:17 rurban Exp $');
3 /* Copyright (C) 2004 $ThePhpWikiProgrammingTeam
4 * This file is part of PhpWiki. Terms and Conditions see LICENSE. (GPL2)
10 * Define the vars LDAP_AUTH_HOST and LDAP_BASE_DN in config/config.ini
12 * Preferences are handled in _PassUser
16 if ($this->_ldap = ldap_connect(LDAP_AUTH_HOST)) { // must be a valid LDAP server!
17 global $LDAP_SET_OPTION;
18 if (!empty($LDAP_SET_OPTION)) {
19 foreach ($LDAP_SET_OPTION as $key => $value) {
20 //if (is_string($key) and defined($key))
21 // $key = constant($key);
22 ldap_set_option($this->_ldap, $key, $value);
26 if (LDAP_AUTH_PASSWORD)
27 // Windows Active Directory Server is strict
28 $r = ldap_bind($this->_ldap, LDAP_AUTH_USER, LDAP_AUTH_PASSWORD);
30 $r = ldap_bind($this->_ldap, LDAP_AUTH_USER);
32 $r = true; // anonymous bind allowed
35 trigger_error(sprintf(_("Unable to bind LDAP server %s using %s %s"),
36 LDAP_AUTH_HOST, LDAP_AUTH_USER, LDAP_AUTH_PASSWORD),
47 if (isset($this->_sr) and is_resource($this->_sr)) ldap_free_result($this->_sr);
48 if (isset($this->_ldap) and is_resource($this->_ldap)) ldap_close($this->_ldap);
53 function checkPass($submitted_password) {
55 $this->_authmethod = 'LDAP';
56 $userid = $this->_userid;
57 if (!$this->isValidName()) {
58 trigger_error(_("Invalid username."), E_USER_WARNING);
59 return $this->_tryNextPass($submitted_password);
61 if (!$this->_checkPassLength($submitted_password)) {
62 return WIKIAUTH_FORBIDDEN;
64 if (strstr($userid,'*')) {
65 trigger_error(fmt("Invalid username '%s' for LDAP Auth", $userid),
67 return WIKIAUTH_FORBIDDEN;
70 if ($ldap = $this->_init()) {
71 // Need to set the right root search information. See config/config.ini
72 $st_search = LDAP_SEARCH_FIELD
73 ? LDAP_SEARCH_FIELD."=$userid"
75 if (!$this->_sr = ldap_search($ldap, LDAP_BASE_DN, $st_search)) {
77 return $this->_tryNextPass($submitted_password);
79 $info = ldap_get_entries($ldap, $this->_sr);
80 if (empty($info["count"])) {
82 return $this->_tryNextPass($submitted_password);
84 // There may be more hits with this userid.
85 // Of course it would be better to narrow down the BASE_DN
86 for ($i = 0; $i < $info["count"]; $i++) {
87 $dn = $info[$i]["dn"];
88 // The password is still plain text.
89 // LDAP allows all chars but *, (, ), \, NUL
90 // Quoting is done by \xx (two-digit hexcode). * <=> \2a
91 // Handling '?' is unspecified
92 $password = preg_replace(array("/\*/","/\(/","/\)/","/\\/","/\0/"),
93 array('\2a', '\28','\29', '\5c', '\00'),
95 // On wrong password the ldap server will return:
96 // "Unable to bind to server: Server is unwilling to perform"
97 // The @ catches this error message.
98 if ($r = @ldap_bind($ldap, $dn, $password)) {
99 // ldap_bind will return TRUE if everything matches
100 // Get the mail from ldap
101 if (!empty($info[$i]["mail"][0])) {
102 $this->_prefs->_prefs['email']->default_value = $info[$i]["mail"][0];
105 $this->_level = WIKIAUTH_USER;
106 return $this->_level;
112 return $this->_tryNextPass($submitted_password);
116 function isValidName ($userid = false) {
117 if (!$userid) $userid = $this->_userid;
118 // LDAP allows all chars but *, (, ), \, NUL
119 // Quoting is done by \xx (two-digit hexcode). * <=> \2a
120 // We are more restrictive here, but must allow explitly utf-8
121 return preg_match("/^[\-\w_\.@ ]+$/u", $userid) and strlen($userid) < 64;
124 function userExists() {
125 $userid = $this->_userid;
126 if (strstr($userid, '*')) {
127 trigger_error(fmt("Invalid username '%s' for LDAP Auth", $userid),
131 if ($ldap = $this->_init()) {
132 // Need to set the right root search information. see ../index.php
133 $st_search = LDAP_SEARCH_FIELD
134 ? LDAP_SEARCH_FIELD."=$userid"
136 if (!$this->_sr = ldap_search($ldap, LDAP_BASE_DN, $st_search)) {
138 return $this->_tryNextUser();
140 $info = ldap_get_entries($ldap, $this->_sr);
142 if ($info["count"] > 0) {
148 return $this->_tryNextUser();
151 function mayChangePass() {
157 // $Log: not supported by cvs2svn $
158 // Revision 1.6 2007/05/29 16:56:15 rurban
159 // Allow more password und userid chars. uid => cn: default for certain testusers
161 // Revision 1.5 2005/10/10 19:43:49 rurban
162 // add DBAUTH_PREF_INSERT: self-creating users. by John Stevens
164 // Revision 1.4 2004/12/26 17:11:17 rurban
167 // Revision 1.3 2004/12/20 16:05:01 rurban
168 // gettext msg unification
170 // Revision 1.2 2004/12/19 00:58:02 rurban
171 // Enforce PASSWORD_LENGTH_MINIMUM in almost all PassUser checks,
172 // Provide an errormessage if so. Just PersonalPage and BogoLogin not.
173 // Simplify httpauth logout handling and set sessions for all methods.
174 // fix main.php unknown index "x" getLevelDescription() warning.
176 // Revision 1.1 2004/11/01 10:43:58 rurban
177 // seperate PassUser methods into seperate dir (memory usage)
178 // fix WikiUser (old) overlarge data session
179 // remove wikidb arg from various page class methods, use global ->_dbi instead
187 // c-hanging-comment-ender-p: nil
188 // indent-tabs-mode: nil