2018-06-01 17:10:45 +01:00
< ? php
$log_prefix = date ( 'Y-m-d H:i:s' ) . " - LDAP manager - $USER_ID - " ;
###################################
function open_ldap_connection () {
2018-06-04 15:20:53 +01:00
global $log_prefix , $LDAP , $LDAP_CONNECTION_WARNING ;
2018-06-01 17:10:45 +01:00
$ldap_connection = ldap_connect ( $LDAP [ 'uri' ]);
if ( ! $ldap_connection ) {
print " Problem: Can't connect to the LDAP server at ${ LDAP['uri'] } " ;
die ( " Can't connect to the LDAP server at ${ LDAP['uri'] } " );
exit ( 1 );
}
ldap_set_option ( $ldap_connection , LDAP_OPT_PROTOCOL_VERSION , 3 );
2018-06-04 15:20:53 +01:00
if ( ! preg_match ( " /^ldaps:/ " , $LDAP [ 'uri' ])) {
$tls_result = ldap_start_tls ( $ldap_connection );
if ( $tls_result != TRUE ) {
error_log ( " $log_prefix Failed to start STARTTLS connection to ${ LDAP['uri'] } " , 0 );
if ( $LDAP [ " require_starttls " ] == TRUE ) {
print " <div style='position: fixed;bottom: 0;width: 100%;' class='alert alert-danger'>Fatal: Couldn't create a secure connection to ${ LDAP['uri'] } and LDAP_REQUIRE_STARTTLS is TRUE.</div> " ;
exit ( 0 );
}
else {
print " <div style='position: fixed;bottom: 0;width: 100%;' class='alert alert-warning'>WARNING: Insecure LDAP connection to ${ LDAP['uri'] } </div> " ;
ldap_close ( $ldap_connection );
$ldap_connection = ldap_connect ( $LDAP [ 'uri' ]);
ldap_set_option ( $ldap_connection , LDAP_OPT_PROTOCOL_VERSION , 3 );
}
}
}
2018-06-01 17:10:45 +01:00
$bind_result = ldap_bind ( $ldap_connection , $LDAP [ 'admin_bind_dn' ], $LDAP [ 'admin_bind_pwd' ]);
if ( $bind_result != TRUE ) {
print " Problem: Failed to bind as ${ LDAP['admin_bind_dn'] } " ;
error_log ( " $log_prefix Failed to bind as ${ LDAP['admin_bind_dn'] } " , 0 );
exit ( 1 );
}
return $ldap_connection ;
}
###################################
function ldap_auth_username ( $ldap_connection , $username , $password ) {
# Search for the DN for the given username. If found, try binding with the DN and user's password.
# If the binding succeeds, return the DN.
global $log_prefix , $LDAP ;
$ldap_search = ldap_search ( $ldap_connection , $LDAP [ 'base_dn' ], " ${ LDAP['account_attribute']}=${username } " );
if ( ! $ldap_search ) {
error_log ( " $log_prefix Couldn't search for $username " , 0 );
return FALSE ;
}
$result = ldap_get_entries ( $ldap_connection , $ldap_search );
if ( $result [ " count " ] == 1 ) {
$auth_ldap_connection = open_ldap_connection ();
$can_bind = @ ldap_bind ( $auth_ldap_connection , $result [ 0 ][ 'dn' ], $password );
ldap_close ( $auth_ldap_connection );
if ( $can_bind ) {
preg_match ( " / { $LDAP [ 'account_attribute' ] } =(.*?),/ " , $result [ 0 ][ 'dn' ], $dn_match );
return $dn_match [ 1 ];
ldap_unbind ( $auth_ldap_connection );
}
else {
return FALSE ;
}
}
}
###################################
function ldap_setup_auth ( $ldap_connection , $password ) {
#For the initial setup we need to make sure that whoever's running it has the default admin user
#credentials as passed in ADMIN_BIND_*
global $log_prefix , $LDAP ;
$auth_ldap_connection = open_ldap_connection ();
$can_bind = @ ldap_bind ( $auth_ldap_connection , $LDAP [ 'admin_bind_dn' ], $password );
ldap_close ( $auth_ldap_connection );
if ( $can_bind ) { return TRUE ; } else { return FALSE ; }
}
##################################
function ldap_hashed_password ( $password ) {
$hashed_pwd = '{MD5}' . base64_encode ( md5 ( $password , TRUE ));
return $hashed_pwd ;
}
##################################
function ldap_get_user_list ( $ldap_connection , $start = 0 , $entries = NULL , $sort = " asc " , $sort_key = NULL , $filters = NULL , $fields = NULL ) {
global $log_prefix , $LDAP ;
if ( ! isset ( $fields )) { $fields = array ( " uid " , " givenname " , " sn " ); }
if ( ! isset ( $sort_key )) { $sort_key = $LDAP [ 'account_attribute' ]; }
$ldap_search = ldap_search ( $ldap_connection , " ${ LDAP['user_dn'] } " , " (&( ${ LDAP['account_attribute'] } =*) $filters ) " , $fields );
$result = ldap_get_entries ( $ldap_connection , $ldap_search );
$records = array ();
foreach ( $result as $record ) {
if ( isset ( $record [ $sort_key ][ 0 ])) {
$add_these = array ();
foreach ( $fields as $this_attr ) {
if ( $this_attr != $sort_key ) { $add_these [ $this_attr ] = $record [ $this_attr ][ 0 ]; }
}
$records [ $record [ $sort_key ][ 0 ]] = $add_these ;
}
}
if ( $sort == " asc " ) { ksort ( $records ); } else { krsort ( $records ); }
return ( array_slice ( $records , $start , $entries ));
}
##################################
function ldap_get_highest_id ( $ldap_connection , $type = " uid " ) {
global $log_prefix , $LDAP , $min_uid , $min_gid ;
if ( $type == " uid " ) {
$this_id = $min_uid ;
$record_base_dn = $LDAP [ 'user_dn' ];
$record_filter = " ( ${ LDAP['account_attribute'] } =*) " ;
$record_attribute = array ( " uidNumber " );
}
else {
$type = " gid " ;
$this_id = $min_gid ;
$record_base_dn = $LDAP [ 'group_dn' ];
$record_filter = " (objectClass=posixGroup) " ;
$record_attribute = array ( " gidNumber " );
}
$filter = " (&(objectclass=device)(cn=last ${ type } )) " ;
$ldap_search = ldap_search ( $ldap_connection , " ${ LDAP['base_dn'] } " , $filter , array ( 'serialNumber' ));
$result = ldap_get_entries ( $ldap_connection , $ldap_search );
$fetched_id = $result [ 0 ][ 'serialnumber' ][ 0 ];
if ( isset ( $fetched_id ) and is_numeric ( $fetched_id )){
$this_id = $fetched_id ;
}
else {
$ldap_search = ldap_search ( $ldap_connection , $record_base_dn , $record_filter , $record_attribute );
$result = ldap_get_entries ( $ldap_connection , $ldap_search );
foreach ( $result as $record ) {
if ( isset ( $record [ $record_attribute ][ 0 ])) {
if ( $record [ $record_attribute ][ 0 ] > $this_id ) { $this_id = $record [ $record_attribute ][ 0 ]; }
}
}
}
return ( $this_id );
}
##################################
function ldap_get_group_list ( $ldap_connection , $start = 0 , $entries = NULL , $sort = " asc " , $filters = NULL ) {
global $log_prefix , $LDAP ;
$ldap_search = ldap_search ( $ldap_connection , " ${ LDAP['group_dn'] } " , " (&(objectclass=*) $filters ) " );
$result = ldap_get_entries ( $ldap_connection , $ldap_search );
$records = array ();
foreach ( $result as $record ) {
if ( isset ( $record [ 'cn' ][ 0 ])) {
array_push ( $records , $record [ 'cn' ][ 0 ]);
}
}
if ( $sort == " asc " ) { sort ( $records ); } else { rsort ( $records ); }
return ( array_slice ( $records , $start , $entries ));
}
##################################
function ldap_get_group_members ( $ldap_connection , $group_name , $start = 0 , $entries = NULL , $sort = " asc " ) {
global $log_prefix , $LDAP ;
$ldap_search = ldap_search ( $ldap_connection , " ${ LDAP['group_dn'] } " , " (cn= $group_name ) " , array ( $LDAP [ 'group_membership_attribute' ]));
$result = ldap_get_entries ( $ldap_connection , $ldap_search );
$records = array ();
foreach ( $result [ 0 ][ $LDAP [ 'group_membership_attribute' ]] as $record => $value ) {
if ( $record != 'count' and isset ( $value )) {
array_push ( $records , $value );
}
}
if ( $sort == " asc " ) { sort ( $records ); } else { rsort ( $records ); }
return ( array_slice ( $records , $start , $entries ));
}
##################################
function ldap_is_group_member ( $ldap_connection , $group_name , $username ) {
global $log_prefix , $LDAP ;
$ldap_search = ldap_search ( $ldap_connection , " ${ LDAP['group_dn'] } " , " (cn= $group_name ) " );
$result = ldap_get_entries ( $ldap_connection , $ldap_search );
if ( $LDAP [ 'group_membership_uses_uid' ] == FALSE ) {
$username = " ${ LDAP['account_attribute']}=$username,${LDAP['user_dn'] } " ;
}
if ( preg_grep ( " /^ ${ username } $ /i " , $result [ 0 ][ $LDAP [ 'group_membership_attribute' ]])) {
return TRUE ;
}
else {
return FALSE ;
}
}
##################################
function ldap_new_group ( $ldap_connection , $group_name ) {
global $log_prefix , $LDAP ;
if ( isset ( $group_name )) {
$ldap_search = ldap_search ( $ldap_connection , " ${ LDAP['group_dn'] } " , " (cn= $group_name , ${ LDAP['group_dn'] } ) " );
$result = ldap_get_entries ( $ldap_connection , $ldap_search );
if ( $result [ 'count' ] == 0 ) {
$highest_gid = ldap_get_highest_id ( $ldap_connection , 'gid' );
$new_gid = $highest_gid + 1 ;
$add_group = ldap_add ( $ldap_connection ,
" cn= $group_name , ${ LDAP['group_dn'] } " ,
array ( 'objectClass' => array ( 'top' , 'groupOfUniqueNames' , 'posixGroup' ),
'cn' => $group_name ,
'gidNumber' => $new_gid ,
$LDAP [ 'group_membership_attribute' ] => ''
)
);
if ( $add_group ) {
error_log ( " $log_prefix Added new group $group_name " , 0 );
$update_gid = ldap_mod_replace ( $ldap_connection , " cn=lastGID, ${ LDAP['base_dn'] } " , array ( 'serialNumber' => $new_gid ));
if ( $update_gid ) {
error_log ( " $log_prefix Updated cn=lastGID with $new_gid " , 0 );
return TRUE ;
}
else {
error_log ( " $log_prefix Failed to update cn=lastGID " , 0 );
}
}
}
else {
error_log ( " $log_prefix Create group; group $group_name already exists. " , 0 );
}
}
else {
error_log ( " $log_prefix Create group; group name wasn't set. " , 0 );
}
return FALSE ;
}
##################################
function ldap_delete_group ( $ldap_connection , $group_name ) {
global $log_prefix , $LDAP ;
if ( isset ( $group_name )) {
$delete = ldap_delete ( $ldap_connection , " cn= $group_name , ${ LDAP['group_dn'] } " );
if ( $delete ) {
error_log ( " $log_prefix Deleted group $group_name " , 0 );
return TRUE ;
}
else {
error_log ( " $log_prefix Couldn't delete group $group_name " , 0 );
return FALSE ;
}
}
}
##################################
function ldap_get_gid_of_group ( $ldap_connection , $group_name ) {
global $log_prefix , $LDAP ;
if ( isset ( $group_name )) {
$ldap_search = ldap_search ( $ldap_connection , " ${ LDAP['group_dn'] } " , " (cn= $group_name ) " , array ( " gidNumber " ));
$result = ldap_get_entries ( $ldap_connection , $ldap_search );
if ( isset ( $result [ 0 ][ 'gidnumber' ][ 0 ]) and is_numeric ( $result [ 0 ][ 'gidnumber' ][ 0 ])) {
return $result [ 0 ][ 'gidnumber' ][ 0 ];
}
}
return FALSE ;
}
##################################
function ldap_new_account ( $ldap_connection , $first_name , $last_name , $username , $password ) {
global $log_prefix , $LDAP , $DEFAULT_USER_SHELL , $DEFAULT_USER_GROUP , $EMAIL_DOMAIN ;
if ( isset ( $first_name ) and isset ( $last_name ) and isset ( $username ) and isset ( $password )) {
$ldap_search = ldap_search ( $ldap_connection , " ${ LDAP['user_dn'] } " , " ( ${ LDAP['account_attribute']}=$username,${LDAP['user_dn'] } ) " );
$result = ldap_get_entries ( $ldap_connection , $ldap_search );
if ( $result [ 'count' ] == 0 ) {
$highest_uid = ldap_get_highest_id ( $ldap_connection , 'uid' );
$new_uid = $highest_uid + 1 ;
$default_gid = ldap_get_gid_of_group ( $ldap_connection , $DEFAULT_USER_GROUP );
if ( ! is_numeric ( $default_gid )) {
$group_add = ldap_new_group ( $ldap_connection , $username );
$gid = ldap_get_gid_of_group ( $ldap_connection , $username );
$add_to_group = $username ;
}
else {
$gid = $default_gid ;
$add_to_group = $DEFAULT_USER_GROUP ;
}
$hashed_pass = ldap_hashed_password ( $password );
$user_info = array ( 'objectClass' => array ( 'person' , 'inetOrgPerson' , 'posixAccount' ),
'uid' => $username ,
'givenName' => $first_name ,
'sn' => $last_name ,
'cn' => " $first_name $last_name " ,
'displayName' => " $first_name $last_name " ,
'uidNumber' => $new_uid ,
'gidNumber' => $gid ,
'loginShell' => $DEFAULT_USER_SHELL ,
'homeDirectory' => " /home/ $username " ,
'userPassword' => $hashed_pass
);
if ( isset ( $EMAIL_DOMAIN )) {
array_push ( $user_info , [ 'mail' => " $username @ $EMAIL_DOMAIN " ]);
}
$add_account = ldap_add ( $ldap_connection ,
" ${ LDAP['account_attribute']}=$username,${LDAP['user_dn'] } " ,
$user_info
);
if ( $add_account ) {
error_log ( " $log_prefix Created new account: $username " , 0 );
ldap_add_member_to_group ( $ldap_connection , $add_to_group , $username );
$update_uid = ldap_mod_replace ( $ldap_connection , " cn=lastUID, ${ LDAP['base_dn'] } " , array ( 'serialNumber' => $new_uid ));
if ( $update_uid ) {
error_log ( " $log_prefix Create account; Updated cn=lastUID with $new_uid " , 0 );
return TRUE ;
}
else {
error_log ( " $log_prefix Create account; Failed to update cn=lastUID " , 0 );
}
}
else {
error_log ( " $log_prefix Create account; couldn't create the account for $username " , 0 );
}
}
else {
error_log ( " $log_prefix Create account; Account for $username already exists " , 0 );
}
}
else {
error_log ( " $log_prefix Create account; missing parameters " , 0 );
}
return FALSE ;
}
##################################
function ldap_delete_account ( $ldap_connection , $username ) {
global $log_prefix , $LDAP ;
if ( isset ( $username )) {
$delete = ldap_delete ( $ldap_connection , " ${ LDAP['account_attribute']}=$username,${LDAP['user_dn'] } " );
if ( $delete ) {
error_log ( " $log_prefix Deleted account for $username " , 0 );
return TRUE ;
}
else {
error_log ( " $log_prefix Couldn't delete account for $username " , 0 );
return FALSE ;
}
}
}
##################################
function ldap_add_member_to_group ( $ldap_connection , $group_name , $username ) {
global $log_prefix , $LDAP ;
$group_dn = " cn= ${ group_name},${LDAP['group_dn'] } " ;
if ( $LDAP [ 'group_membership_uses_uid' ] == FALSE ) {
$username = " ${ LDAP['account_attribute']}=$username,${LDAP['user_dn'] } " ;
}
$group_update = array ( $LDAP [ 'group_membership_attribute' ] => $username );
$update = ldap_mod_add ( $ldap_connection , $group_dn , $group_update );
if ( $update ) {
error_log ( " $log_prefix Added $username to $group_name " , 0 );
return TRUE ;
}
else {
error_log ( " $log_prefix Couldn't add $username to $group_name " , 0 );
return FALSE ;
}
}
##################################
function ldap_delete_member_from_group ( $ldap_connection , $group_name , $username ) {
global $log_prefix , $LDAP ;
$group_dn = " cn= ${ group_name},${LDAP['group_dn'] } " ;
if ( $LDAP [ 'group_membership_uses_uid' ] == FALSE ) {
$username = " ${ LDAP['account_attribute']}=$username,${LDAP['user_dn'] } " ;
}
$group_update = array ( $LDAP [ 'group_membership_attribute' ] => $username );
$update = ldap_mod_del ( $ldap_connection , $group_dn , $group_update );
if ( $update ) {
error_log ( " $log_prefix Removed $username from $group_name " , 0 );
return TRUE ;
}
else {
error_log ( " $log_prefix Couldn't remove $username from $group_name " , 0 );
return FALSE ;
}
}
##################################
function ldap_change_password ( $ldap_connection , $username , $new_password ) {
global $log_prefix , $LDAP ;
#Find DN of user
$ldap_search = ldap_search ( $ldap_connection , $LDAP [ 'base_dn' ], " ${ LDAP['account_attribute']}=${username } " );
if ( $ldap_search ) {
$result = ldap_get_entries ( $ldap_connection , $ldap_search );
if ( $result [ " count " ] == 1 ) {
$this_dn = $result [ 0 ][ 'dn' ];
}
else {
error_log ( " $log_prefix Couldn't find the DN for user $username " );
return FALSE ;
}
}
else {
error_log ( " $log_prefix Couldn't perform an LDAP search for ${ LDAP['account_attribute']}=${username } " , 0 );
return FALSE ;
}
#Hash password
$hashed_pass = ldap_hashed_password ( $new_password );
$entries [ " userPassword " ] = $new_password ;
$update = ldap_mod_replace ( $ldap_connection , $this_dn , $entries );
if ( $update ) {
error_log ( " $log_prefix Updated the password for $username " );
return TRUE ;
}
else {
error_log ( " $log_prefix Couldn't update the password for $username " );
return TRUE ;
}
}
?>