| 712 |
712 |
$ldapserver = $config['system']['webgui']['ldapserver'];
|
| 713 |
713 |
$ldapbindun = $config['system']['webgui']['ldapbindun'];
|
| 714 |
714 |
$ldapbindpw = $config['system']['webgui']['ldapbindpw'];
|
| 715 |
|
$ldapsearchbase = "{$config['system']['webgui']['ldapsearchbase']}";
|
|
715 |
$ldapsearchbase = "{$config['system']['webgui']['ldapsearchbase']}";
|
| 716 |
716 |
|
| 717 |
717 |
$ldapfilter = "(ou=*)";
|
| 718 |
718 |
|
| ... | ... | |
| 774 |
774 |
|
| 775 |
775 |
log_error("Getting LDAP groups for {$username}.");
|
| 776 |
776 |
|
| 777 |
|
$ldapserver = $config['system']['webgui']['ldapserver'];
|
| 778 |
|
$ldapbindun = $config['system']['webgui']['ldapbindun'];
|
| 779 |
|
$ldapbindpw = $config['system']['webgui']['ldapbindpw'];
|
| 780 |
|
$ldapfilter = $config['system']['webgui']['ldapfilter'];
|
| 781 |
|
$ldapsearchbase = "{$config['system']['webgui']['ldapsearchbase']}";
|
| 782 |
|
$ldapfilter = str_replace("\$username", $username, $ldapfilter);
|
| 783 |
|
$ldapauthcontainers = $config['system']['webgui']['ldapauthcontainers'];
|
|
777 |
$ldapserver = $config['system']['webgui']['ldapserver'];
|
|
778 |
$ldapbindun = $config['system']['webgui']['ldapbindun'];
|
|
779 |
$ldapbindpw = $config['system']['webgui']['ldapbindpw'];
|
|
780 |
$ldapfilter = $config['system']['webgui']['ldapfilter'];
|
|
781 |
$ldapfilter = str_replace("\$username", $username, $ldapfilter);
|
| 784 |
782 |
$ldapgroupattribute = $config['system']['webgui']['ldapgroupattribute'];
|
| 785 |
|
|
|
783 |
$ldapdn = $_SESSION['ldapdn'];
|
|
784 |
|
| 786 |
785 |
/*Convert attribute to lowercase. php ldap arrays put everything in lowercase */
|
| 787 |
786 |
$ldapgroupattribute = strtolower($ldapgroupattribute);
|
| 788 |
787 |
|
|
788 |
/* connect and see if server is up */
|
| 789 |
789 |
if (!($ldap = ldap_connect($ldapserver))) {
|
| 790 |
790 |
log_error("ERROR! ldap_get_groups() could not connect to server {$ldapserver}. Defaulting to built-in htpasswd_backed()");
|
| 791 |
791 |
$status = htpasswd_backed($username, $passwd);
|
| 792 |
792 |
return $status;
|
| 793 |
793 |
}
|
| 794 |
|
|
| 795 |
|
ldap_set_option($ldap, LDAP_OPT_REFERRALS, 0);
|
| 796 |
|
ldap_set_option($ldap, LDAP_OPT_PROTOCOL_VERSION, 3);
|
|
794 |
|
|
795 |
ldap_set_option($ldap, LDAP_OPT_REFERRALS, 0);
|
|
796 |
ldap_set_option($ldap, LDAP_OPT_PROTOCOL_VERSION, 3);
|
| 797 |
797 |
|
|
798 |
/* bind as user that has rights to read group attributes */
|
| 798 |
799 |
if (!($res = @ldap_bind($ldap, $ldapbindun, $ldapbindpw))) {
|
| 799 |
800 |
log_error("ERROR! ldap_get_groups() could not bind to {$ldapserver} - {$ldapfilter}. Defaulting to built-in htpasswd_backed()");
|
| 800 |
801 |
$status = htpasswd_backed($username, $passwd);
|
| 801 |
802 |
return $status;
|
| 802 |
803 |
}
|
| 803 |
804 |
|
| 804 |
|
/* user specified login containers */
|
| 805 |
|
$ldac_split = split(";", $ldapauthcontainers);
|
| 806 |
|
$search = ldap_search($ldap, $ldapsearchbase, $ldapfilter);
|
| 807 |
|
|
| 808 |
|
if(!$search) {
|
| 809 |
|
log_error("ERROR! Could not locate User group container for username {$username}.");
|
| 810 |
|
log_error(" Please ensure that the needed container is defined in the ldap auth containers setting feature.");
|
| 811 |
|
$status = htpasswd_backed($username, $passwd);
|
| 812 |
|
return $status;
|
| 813 |
|
}
|
| 814 |
|
|
| 815 |
|
$info = ldap_get_entries($ldap, $search);
|
| 816 |
|
|
| 817 |
|
/* find home container */
|
| 818 |
|
if($info) {
|
| 819 |
|
foreach($info as $inf) {
|
| 820 |
|
$inf_split = split(",", $inf['dn']);
|
| 821 |
|
$ou = $inf_split[1];
|
| 822 |
|
}
|
| 823 |
|
}
|
|
805 |
/* get groups from DN found */
|
|
806 |
/* use ldap_read instead of search so we don't have to do a bunch of extra work */
|
|
807 |
/* since we know the DN is in $_SESSION['ldapdn'] */
|
|
808 |
$search = ldap_read($ldap, $ldapdn, "(objectclass=*)", array($ldapgroupattribute));
|
|
809 |
$info = ldap_get_entries($ldap, $search);
|
| 824 |
810 |
|
| 825 |
|
if(!$ou) {
|
| 826 |
|
log_error("Could not resolve users home container for {$username}");
|
| 827 |
|
$status = htpasswd_backed($username, $passwd);
|
| 828 |
|
return $status;
|
| 829 |
|
}
|
| 830 |
|
|
| 831 |
|
log_error("LDAPGroupAttribute ===== {$ldapgroupattribute}");
|
| 832 |
|
$search = ldap_search($ldap, $ldapauthcontainers, $ldapfilter, array($ldapgroupattribute));
|
| 833 |
|
|
| 834 |
|
if($search) {
|
| 835 |
|
$info = ldap_get_entries($ldap, $search);
|
| 836 |
|
$countem = $info["count"];
|
| 837 |
|
}
|
| 838 |
|
$memberof = array();
|
|
811 |
$countem = $info["count"];
|
|
812 |
$memberof = array();
|
| 839 |
813 |
|
| 840 |
|
log_error("USER HAS {$countem} LDAP Groups it is {$info[0][$ldapgroupattribute][0]}");
|
| 841 |
|
|
| 842 |
814 |
if(is_array($info[0][$ldapgroupattribute])) {
|
|
815 |
|
|
816 |
/* Iterate through the groups and throw them into an array */
|
| 843 |
817 |
foreach($info[0][$ldapgroupattribute] as $member) {
|
| 844 |
|
//$member = strtoupper($member);
|
| 845 |
|
log_error("MEMBER===={$member}");
|
| 846 |
818 |
if(stristr($member, "CN=") !== false) {
|
| 847 |
819 |
$membersplit = split(",", $member);
|
| 848 |
820 |
$memberof[] = preg_replace("/CN=/i", "", $membersplit[0]);
|
| ... | ... | |
| 868 |
840 |
|
| 869 |
841 |
if(!function_exists("ldap_connect"))
|
| 870 |
842 |
return;
|
| 871 |
|
|
| 872 |
|
$ldapserver = $config['system']['webgui']['ldapserver'];
|
| 873 |
|
$ldapbindun = $config['system']['webgui']['ldapbindun'];
|
| 874 |
|
$ldapbindpw = $config['system']['webgui']['ldapbindpw'];
|
| 875 |
|
$ldapauthcont = $config['system']['webgui']['ldapauthcontainers'];
|
| 876 |
|
$ldapnameattribute = $config['system']['webgui']['ldapnameattribute'];
|
| 877 |
|
/* NEED TO FIGURE OUT LDAP TYPE */
|
| 878 |
|
$ldaptype = $config['system']['webgui']['backend'];
|
| 879 |
|
/********************************/
|
| 880 |
|
|
| 881 |
|
if(!$ldapserver) {
|
|
843 |
$adbindas = $username;
|
|
844 |
|
|
845 |
if(stristr($username, "@")) {
|
|
846 |
$username_split=split("\@", $username);
|
|
847 |
$username = $username_split[0];
|
|
848 |
}
|
|
849 |
$ldapserver = $config['system']['webgui']['ldapserver'];
|
|
850 |
$ldapbindun = $config['system']['webgui']['ldapbindun'];
|
|
851 |
$ldapbindpw = $config['system']['webgui']['ldapbindpw'];
|
|
852 |
$ldapauthcont = $config['system']['webgui']['ldapauthcontainers'];
|
|
853 |
$ldapnameattribute = $config['system']['webgui']['ldapnameattribute'];
|
|
854 |
$ldapfilter = $config['system']['webgui']['ldapfilter'];
|
|
855 |
$ldaptype = $config['system']['webgui']['backend'];
|
|
856 |
$ldapfilter = str_replace("\$username", $username, $ldapfilter);
|
|
857 |
|
|
858 |
/* first check if there is even an LDAP server populated */
|
|
859 |
if(!$ldapserver) {
|
| 882 |
860 |
log_error("ERROR! ldap_backed() backed selected with no LDAP authentication server defined. Defaulting to built-in htpasswd_backed(). Visit System -> User Manager -> Settings.");
|
| 883 |
861 |
$status = htpasswd_backed($username, $passwd);
|
| 884 |
862 |
return $status;
|
| 885 |
863 |
}
|
| 886 |
864 |
|
|
865 |
ldap_set_option($ldap, LDAP_OPT_REFERRALS, 0);
|
|
866 |
ldap_set_option($ldap, LDAP_OPT_PROTOCOL_VERSION, 3);
|
|
867 |
|
|
868 |
/* Make sure we can connect to LDAP */
|
| 887 |
869 |
if (!($ldap = ldap_connect($ldapserver))) {
|
| 888 |
870 |
log_error("ERROR! ldap_backed() could not connect to server {$ldapserver} - {$ldapfilter}. Defaulting to built-in htpasswd_backed(). Visit System -> User Manager -> Settings.");
|
| 889 |
|
$status = htpasswd_backed($username, $passwd);
|
|
871 |
$status = htpasswd_backed($username, $passwd);
|
| 890 |
872 |
return $status;
|
| 891 |
873 |
}
|
| 892 |
|
/* TAKE AD INTO ACCOUNT */
|
| 893 |
|
if ($ldaptype == 'ldap'){
|
| 894 |
|
$binduser = $username;
|
| 895 |
|
}
|
| 896 |
|
if ($ldaptype == 'ldapother'){
|
| 897 |
|
$binduser = $ldapnameattribute.'='.$username.','.$ldapauthcont;
|
| 898 |
|
}
|
| 899 |
|
log_error("BINDUSER ==== {$binduser}");
|
| 900 |
|
/************************/
|
| 901 |
|
|
| 902 |
|
if (!($res = @ldap_bind($ldap, $binduser, $passwd))) {
|
| 903 |
|
log_error("ERROR! ldap_backed() could not bind to {$ldapserver} - {$username} - {$passwd}. Defaulting to built-in htpasswd_backed(). Visit System -> User Manager -> Settings.");
|
|
874 |
/* ok, its up. now, lets bind as the bind user so we can search it */
|
|
875 |
if (!($res = ldap_bind($ldap, $ldapbindun, $ldapbindpw))) {
|
|
876 |
log_error("ERROR! ldap_get_groups() could not bind to {$ldapserver} - {$ldapfilter}. Defaulting to built-in htpasswd_backed()");
|
| 904 |
877 |
$status = htpasswd_backed($username, $passwd);
|
| 905 |
878 |
return $status;
|
| 906 |
879 |
}
|
| 907 |
|
|
|
880 |
|
|
881 |
/* Get LDAP Authcontainers and split em up. */
|
|
882 |
$ldac_split = split(";", $ldapauthcont);
|
|
883 |
|
|
884 |
/* now count how many there are */
|
|
885 |
$containers = count($ldac_split);
|
|
886 |
log_error("Number of Containers to search is {$containers}");
|
|
887 |
|
|
888 |
/* setup the usercount so we think we havn't found anyone yet */
|
|
889 |
$usercount = 0;
|
|
890 |
|
|
891 |
/******************************/
|
|
892 |
/* Currently LDAP Types are */
|
|
893 |
/* LDAP = Active Directory */
|
|
894 |
/* LDAPOTHER = eDir/Openldap */
|
|
895 |
/******************************/
|
|
896 |
|
|
897 |
/*****************************************************************/
|
|
898 |
/* Now Active Directory We keep this seperate for future addons. */
|
|
899 |
/*****************************************************************/
|
|
900 |
/* Now LDAP other. eDirectory or Netscape or Sunone or OpenLDAP */
|
|
901 |
/*****************************************************************/
|
|
902 |
/* We First find the user based on username and filter */
|
|
903 |
/* Then, once we find the first occurance of that person */
|
|
904 |
/* We set seesion variables to ponit to the OU and DN of the */
|
|
905 |
/* Person. To later be used by ldap_get_groups. */
|
|
906 |
/* that way we don't have to search twice. */
|
|
907 |
/*****************************************************************/
|
|
908 |
if ($ldaptype == 'ldap'){
|
|
909 |
log_error("Now Searching for {$username} in Active directory.");
|
|
910 |
/* Iterate through the user containers for search */
|
|
911 |
for ($i=0;$i<$containers;$i++){
|
|
912 |
/* Make sure we just use the first user we find */
|
|
913 |
log_error("Start searching in {$ldac_split[$i]} for {$ldapfilter}.");
|
|
914 |
$search = ldap_search($ldap,$ldac_split[$i],$ldapfilter);
|
|
915 |
$info = ldap_get_entries($ldap,$search);
|
|
916 |
$matches = $info['count'];
|
|
917 |
log_error("Matches Found = {$matches}");
|
|
918 |
if ($matches == 1){
|
|
919 |
$_SESSION['ldapdn'] = $info[0]['dn'];
|
|
920 |
$_SESSION['ldapou'] = $ldac_split[$i];
|
|
921 |
$ldapdn = $_SESSION['ldapdn'];
|
|
922 |
$userou = $_SESSION['ldapou'];
|
|
923 |
break;
|
|
924 |
}
|
|
925 |
}
|
|
926 |
if($matches = 1){
|
|
927 |
$binduser = $adbindas;
|
|
928 |
log_error("Going to login as {$username} - DN = {$_SESSION['ldapdn']} - OU is {$_SESSION['ldapou']}");
|
|
929 |
} else {
|
|
930 |
log_error("ERROR! Either LDAP search failed, or multiple users were found");
|
|
931 |
log_error("ERROR! {$matches} Users Found");
|
|
932 |
$status = htpasswd_backed($username, $passwd);
|
|
933 |
return $status;
|
|
934 |
}
|
|
935 |
}
|
|
936 |
|
|
937 |
/*****************************************************************/
|
|
938 |
/* Now LDAP other. eDirectory or Netscape or Sunone or OpenLDAP */
|
|
939 |
/*****************************************************************/
|
|
940 |
/* We First find the user based on username and filter */
|
|
941 |
/* Then, once we find the first occurance of that person */
|
|
942 |
/* We set seesion variables to ponit to the OU and DN of the */
|
|
943 |
/* Person. To later be used by ldap_get_groups. */
|
|
944 |
/* that way we don't have to search twice. */
|
|
945 |
/*****************************************************************/
|
|
946 |
if ($ldaptype == 'ldapother'){
|
|
947 |
log_error("Now Searching for {$username} in LDAP.");
|
|
948 |
/* Iterate through the user containers for search */
|
|
949 |
for ($i=0;$i<$containers;$i++){
|
|
950 |
/* Make sure we just use the first user we find */
|
|
951 |
log_error("Start searching in {$ldac_split[$i]} for {$ldapfilter}.");
|
|
952 |
$search = ldap_search($ldap,$ldac_split[$i],$ldapfilter);
|
|
953 |
$info = ldap_get_entries($ldap,$search);
|
|
954 |
$matches = $info['count'];
|
|
955 |
log_error("Matches Found = {$matches}.");
|
|
956 |
|
|
957 |
if ($matches == 1){
|
|
958 |
$_SESSION['ldapdn'] = $info[0]['dn'];
|
|
959 |
$_SESSION['ldapou'] = $ldac_split[$i];
|
|
960 |
$ldapdn = $_SESSION['ldapdn'];
|
|
961 |
$userou = $_SESSION['ldapou'];
|
|
962 |
break;
|
|
963 |
}
|
|
964 |
}
|
|
965 |
if($matches == 1){
|
|
966 |
$binduser = $ldapnameattribute."=".$username.",".$userou;
|
|
967 |
log_error("Going to attemp LDAP login as {$username} - DN = {$_SESSION['ldapdn']}");
|
|
968 |
} else {
|
|
969 |
log_error("ERROR! Either LDAP search failed, or multiple users were found");
|
|
970 |
log_error("ERROR! {$matches} Users Found");
|
|
971 |
$status = htpasswd_backed($username, $passwd);
|
|
972 |
return $status;
|
|
973 |
}
|
|
974 |
}
|
|
975 |
|
|
976 |
|
|
977 |
/* Now lets bind as the user we found */
|
|
978 |
if (!($res = @ldap_bind($ldap, $binduser, $passwd))) {
|
|
979 |
log_error("ERROR! ldap_backed() could not bind to {$ldapserver} - {$username} - {$passwd}. Defaulting to built-in htpasswd_backed(). Visit System -> User Manager -> Settings.");
|
|
980 |
$status = htpasswd_backed($username, $passwd);
|
|
981 |
return $status;
|
|
982 |
}
|
|
983 |
|
|
984 |
|
| 908 |
985 |
log_error("$username logged in via LDAP.");
|
| 909 |
986 |
log_error("$binduser ldap name logged in via LDAP.");
|
| 910 |
987 |
/* At this point we are binded to LDAP so the user was auth'd okay. */
|
| ... | ... | |
| 1007 |
1084 |
return ($userindex);
|
| 1008 |
1085 |
}
|
| 1009 |
1086 |
|
| 1010 |
|
?>
|
|
1087 |
?>
|
Latest LDAP changes from Mark Batchelor