-
Notifications
You must be signed in to change notification settings - Fork 4
/
ldap.php
216 lines (158 loc) · 7.58 KB
/
ldap.php
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
87
88
89
90
91
92
93
94
95
96
97
98
99
100
101
102
103
104
105
106
107
108
109
110
111
112
113
114
115
116
117
118
119
120
121
122
123
124
125
126
127
128
129
130
131
132
133
134
135
136
137
138
139
140
141
142
143
144
145
146
147
148
149
150
151
152
153
154
155
156
157
158
159
160
161
162
163
164
165
166
167
168
169
170
171
172
173
174
175
176
177
178
179
180
181
182
183
184
185
186
187
188
189
190
191
192
193
194
195
196
197
198
199
200
201
202
203
204
205
206
207
208
209
210
211
212
213
214
215
<?php
/*
* Codiad LDAP External Authentication Bridge
*
* Copyright (C) 2015 Matt Schultz (Korynkai) & QuantuMatriX Technologies (qmxtech.com)
*
* Permission is hereby granted, free of charge, to any person obtaining
* a copy of this software and associated documentation files (the
* "Software"), to deal in the Software without restriction, including
* without limitation the rights to use, copy, modify, merge, publish,
* distribute, sublicense, and/or sell copies of the Software, and to
* permit persons to whom the Software is furnished to do so, subject to
* the following conditions:
*
* The above copyright notice and this permission notice shall be
* included in all copies or substantial portions of the Software.
*
* THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND,
* EXPRESS OR IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF
* MERCHANTABILITY, FITNESS FOR A PARTICULAR PURPOSE AND
* NONINFRINGEMENT. IN NO EVENT SHALL THE AUTHORS OR COPYRIGHT HOLDERS BE
* LIABLE FOR ANY CLAIM, DAMAGES OR OTHER LIABILITY, WHETHER IN AN ACTION
* OF CONTRACT, TORT OR OTHERWISE, ARISING FROM, OUT OF OR IN CONNECTION
* WITH THE SOFTWARE OR THE USE OR OTHER DEALINGS IN THE SOFTWARE.
*/
///////////////////
// CONFIGURATION //
///////////////////
// The LDAP connection URI of the server.
$server = "ldap://ldap.example.com:389";
// The DN to search under on the server.
$basedn = "ou=people,dc=example,dc=com";
// Use anonymous bind
// This does not work by default on Active Directory, however this is the
// default method for most servers based on the LDAP standard.
// Optionally one can bind to a user for search on any LDAP server or
// enable anonymous binds for search on Active Directory, however this
// allows for any search option.
$anonbind = true;
// LDAP User for bind (if anonymous bind is set to "false").
$binddn = "cn=binduser,cn=Users,dc=example,dc=com";
$bindpass = "";
// The LDAP search filter. If you aren't sure what this is, the official
// IETF RFC definition (quite technical) is here:
// http://tools.ietf.org/search/rfc4515
// and you can find another good (easier to follow) reference here
// (shortened CentOS documentation link):
// http://goo.gl/FOdGp7
// The default will allow a CN or an email to log in (however, the user
// environments between the CN and email logins would differ).
// Default is: '(&(objectClass=*)(|(cn=$1)(email=$1)))'.
// A couple alternatives for simple set-ups:
// CN only: '(&(objectClass=*)(cn=$1))'
// email only: '(&(objectClass=*)(email=$1))'
$filter = "(&(objectClass=*)(|(cn=$1)(email=$1)))";
// Optionally create Codiad user if it doesn't already exist. This can be set
// to 'false' if the administrator would like to manually control access to
// Codiad from within Codiad itself, rather than let the search filter fully
// dictate user access control.
// Default is 'true'.
$createuser = true;
// The LDAP protocol version to use. Changing this is probably a very bad
// idea unless you're absolutely positive you are using some completely
// non-standard or obsolete (pre-2003) version of LDAP.
// Default is '3'. Developer heavily discourages changing this.
$version = 3;
/////////////////////////////////////////////////////////////////////////////
// DO NOT EDIT ANYTHING UNDER THIS LINE UNLESS YOU KNOW WHAT YOU'RE DOING! //
/////////////////////////////////////////////////////////////////////////////
// Ensure we have class.user.php so we may use this class.
require_once( COMPONENTS . "/user/class.user.php" );
// Check if our session is not logged in.
if ( !isset( $_SESSION['user'] ) ) {
// Check if a username and password were posted.
if ( isset( $_POST['username'] ) && isset( $_POST['password'] ) ) {
// Create user object.
$User = new User();
// Initialize values of user object.
$User->username = $_POST['username'];
$User->password = $_POST['password'];
// Replace user name token in search filter.
$tfilter = str_replace( "$1", $User->username, $filter );
// Create LDAP connection socket.
$socket = ldap_connect( $server );
// Set initial LDAP values.
ldap_set_option( $socket, LDAP_OPT_PROTOCOL_VERSION, $version );
ldap_set_option( $socket, LDAP_OPT_REFERRALS, 0 );
// Check if we are using anonymous bind.
if ( $anonbind == true ) {
// Set preauth flag to value of socket on anonymous bind.
$preauth = $socket;
} else {
// Set preauth flag using call to ldap_bind on authenticated bind.
$preauth = ldap_bind( $socket, $binddn, $bindpass );
}
// Check if LDAP pre-authentication (or socket creation) was a success.
if ( $preauth == true ) {
// Search through basedn based on the filter, and count entries.
$result = ldap_search( $socket, $basedn, $tfilter );
$count = ldap_count_entries( $socket, $result );
// Ensure count is definitely equal to 1
if ( $count === 1 ) {
// Get the entry from the search result, and bind using its DN.
$data = ldap_get_entries( $socket, $result );
$auth = ldap_bind( $socket, $data[0]['dn'], $User->password );
// Check the return value of the bind action.
if ( $auth === -1 ) {
// Deny login and send message, An LDAP error occurred.
die( formatJSEND( "error", "An LDAP error has occurred: " . ldap_error($socket) ) );
} elseif ( $auth == false ) {
// Invalid login.
die( formatJSEND( "error", "Invalid user name or password." ) );
} elseif ( $auth == true ) {
// Check if user already exists within users.php.
if ( $User->CheckDuplicate() ) {
// Check if we can create a user within users.php.
if ( $createuser == true ) {
// Save array back to JSON and set the session username.
$User->users[] = array( 'username' => $User->username, 'password' => null, 'project' => "" );
saveJSON( "users.php", $User->users );
$_SESSION['user'] = $User->username;
} else {
// Deny login and send message, the user doesn't exist within users.php.
die( formatJSEND( "error", "User " . $User->username . " does not exist within Codiad." ) );
}
} else {
// Set the session username.
$_SESSION['user'] = $User->username;
}
// Set the session language, if given, or set it to english as default.
if ( isset( $_POST['language'] ) ) {
$_SESSION['lang'] = $_POST['language'];
} else {
$_SESSION['lang'] = "en";
}
// Set the session theme and project.
$_SESSION['theme'] = $_POST['theme'];
$_SESSION['project'] = $_POST['project'];
// Respond by sending verification tokens on success.
echo formatJSEND( "success", array( 'username' => $User->username ) );
header( "Location: " . $_SERVER['PHP_SELF'] . "?action=verify" );
}
} elseif ( $count > 1 ) {
// We returned too many results. Error as such.
die( formatJSEND( "error", "A server error occurred: LDAP filter result is non-unique. Please ensure this is a unique identifier within its context.
If the problem persists, please contact the webmaster. If you are the webmaster, please check the LDAP filter used." ) );
} else {
// Invalid login.
die( formatJSEND( "error", "Incorrect user name or password." ) );
}
} else {
// The server is having issues connecting to the LDAP server. Error as such.
die( formatJSEND( "error", "An error occurred: Cannot connect to LDAP server. Please contact the webmaster.
If you are the webmaster, please contact your LDAP server administrator or check if your LDAP server is running." ) );
}
}
}
?>