Merged in bugfix/HOR-4203 (pull request #6242)
Bugfix/HOR-4203 Approved-by: Julio Cesar Laura Avendaño <contact@julio-laura.com>
This commit is contained in:
committed by
Julio Cesar Laura Avendaño
commit
4c63633189
@@ -1,62 +1,31 @@
|
|||||||
<?php
|
<?php
|
||||||
/**
|
|
||||||
* class.ldap.php
|
|
||||||
*
|
|
||||||
* ProcessMaker Open Source Edition
|
|
||||||
* Copyright (C) 2004 - 2008 Colosa Inc.
|
|
||||||
*
|
|
||||||
* This program is free software: you can redistribute it and/or modify
|
|
||||||
* it under the terms of the GNU Affero General Public License as
|
|
||||||
* published by the Free Software Foundation, either version 3 of the
|
|
||||||
* License, or (at your option) any later version.
|
|
||||||
*
|
|
||||||
* This program is distributed in the hope that it will be useful,
|
|
||||||
* but WITHOUT ANY WARRANTY; without even the implied warranty of
|
|
||||||
* MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
|
|
||||||
* GNU Affero General Public License for more details.
|
|
||||||
*
|
|
||||||
* You should have received a copy of the GNU Affero General Public License
|
|
||||||
* along with this program. If not, see <http://www.gnu.org/licenses/>.
|
|
||||||
*
|
|
||||||
* For more information, contact Colosa Inc, 2566 Le Jeune Rd.,
|
|
||||||
* Coral Gables, FL, 33134, USA, or email info@colosa.com.
|
|
||||||
*
|
|
||||||
*/
|
|
||||||
/**
|
|
||||||
*
|
|
||||||
* LDAP plugin for RBAC class
|
|
||||||
*
|
|
||||||
* @author Fernando Ontiveros
|
|
||||||
* @package rbac-classes-model
|
|
||||||
* @access public
|
|
||||||
|
|
||||||
*/
|
|
||||||
|
|
||||||
class LDAP
|
class LDAP
|
||||||
{
|
{
|
||||||
var $sAuthSource = '';
|
public $sAuthSource = '';
|
||||||
|
public $aUserInfo = array();
|
||||||
|
public $sSystem = '';
|
||||||
|
public $sLdapLog = '';
|
||||||
|
private static $instance = null;
|
||||||
|
|
||||||
var $aUserInfo = array();
|
public function __construct()
|
||||||
var $sSystem = '';
|
{
|
||||||
var $sLdapLog = '';
|
|
||||||
|
|
||||||
static private $instance = NULL;
|
|
||||||
|
|
||||||
function __construct() {
|
|
||||||
}
|
}
|
||||||
|
|
||||||
function &getSingleton() {
|
public function &getSingleton()
|
||||||
if (self::$instance == NULL) {
|
{
|
||||||
|
if (self::$instance == null) {
|
||||||
self::$instance = new RBAC();
|
self::$instance = new RBAC();
|
||||||
}
|
}
|
||||||
return self::$instance;
|
return self::$instance;
|
||||||
}
|
}
|
||||||
|
|
||||||
function log ( $_link , $text ) {
|
public function log($_link, $text)
|
||||||
$this->sLdapLog .= $text . ": ". @ldap_errno($_link) . ','. @ldap_error($_link) . "\n";
|
{
|
||||||
|
$this->sLdapLog .= $text . ": " . @ldap_errno($_link) . ',' . @ldap_error($_link) . "\n";
|
||||||
}
|
}
|
||||||
|
|
||||||
|
|
||||||
/**
|
/**
|
||||||
* Autentificacion de un usuario a traves de la clase RBAC_user
|
* Autentificacion de un usuario a traves de la clase RBAC_user
|
||||||
*
|
*
|
||||||
@@ -74,11 +43,14 @@ class LDAP
|
|||||||
* -4: usuario vencido
|
* -4: usuario vencido
|
||||||
* n : uid de usuario
|
* n : uid de usuario
|
||||||
*/
|
*/
|
||||||
function VerifyLogin( $strUser, $strPass) {
|
public function VerifyLogin($strUser, $strPass)
|
||||||
|
{
|
||||||
//get the AuthSource properties
|
//get the AuthSource properties
|
||||||
if ( strlen($strPass) == 0) return -2;
|
if (strlen($strPass) == 0) {
|
||||||
|
return -2;
|
||||||
|
}
|
||||||
$RBAC = RBAC::getSingleton();
|
$RBAC = RBAC::getSingleton();
|
||||||
$aAuthSource = $RBAC->authSourcesObj->load($this->sAuthSource );
|
$aAuthSource = $RBAC->authSourcesObj->load($this->sAuthSource);
|
||||||
|
|
||||||
$sAuthHost = $aAuthSource['AUTH_SOURCE_SERVER_NAME'];
|
$sAuthHost = $aAuthSource['AUTH_SOURCE_SERVER_NAME'];
|
||||||
$sAuthPort = $aAuthSource['AUTH_SOURCE_PORT'];
|
$sAuthPort = $aAuthSource['AUTH_SOURCE_PORT'];
|
||||||
@@ -87,102 +59,115 @@ class LDAP
|
|||||||
$sAuthFilter = $aAuthSource['AUTH_SOURCE_OBJECT_CLASSES'];
|
$sAuthFilter = $aAuthSource['AUTH_SOURCE_OBJECT_CLASSES'];
|
||||||
$sAuthType = 'AD';
|
$sAuthType = 'AD';
|
||||||
$sAuthVersion = $aAuthSource['AUTH_SOURCE_VERSION'];
|
$sAuthVersion = $aAuthSource['AUTH_SOURCE_VERSION'];
|
||||||
$aAttributes = $aAuthSource['AUTH_SOURCE_ATTRIBUTES'];//array ('dn',"cn", "samaccountname", "givenname", "sn", "mail");
|
$aAttributes = $aAuthSource['AUTH_SOURCE_ATTRIBUTES']; //array ('dn',"cn", "samaccountname", "givenname", "sn", "mail");
|
||||||
$sAuthUser = $aAuthSource['AUTH_SOURCE_SEARCH_USER'];
|
$sAuthUser = $aAuthSource['AUTH_SOURCE_SEARCH_USER'];
|
||||||
$sAuthPass = $aAuthSource['AUTH_SOURCE_PASSWORD'];
|
$sAuthPass = $aAuthSource['AUTH_SOURCE_PASSWORD'];
|
||||||
|
|
||||||
$_link = @ldap_connect( $sAuthHost, $sAuthPort );
|
$_link = @ldap_connect($sAuthHost, $sAuthPort);
|
||||||
$this->log ( $_link, "ldap connect" );
|
$this->log($_link, "ldap connect");
|
||||||
|
|
||||||
ldap_set_option($_link, LDAP_OPT_PROTOCOL_VERSION, $sAuthVersion);
|
ldap_set_option($_link, LDAP_OPT_PROTOCOL_VERSION, $sAuthVersion);
|
||||||
$this->log ( $_link, "ldap set Protocol Version $sAuthVersion" );
|
$this->log($_link, "ldap set Protocol Version $sAuthVersion");
|
||||||
|
|
||||||
ldap_set_option($_link, LDAP_OPT_REFERRALS, 0);
|
ldap_set_option($_link, LDAP_OPT_REFERRALS, 0);
|
||||||
$this->log ( $_link, "ldap set option Referrals" );
|
$this->log($_link, "ldap set option Referrals");
|
||||||
|
|
||||||
if ( isset($sAuthTls) && $sAuthTls ) {
|
if (isset($sAuthTls) && $sAuthTls) {
|
||||||
@ldap_start_tls($_link);
|
@ldap_start_tls($_link);
|
||||||
$this->log ( $_link, "start tls" );
|
$this->log($_link, "start tls");
|
||||||
}
|
}
|
||||||
|
|
||||||
$bind = @ldap_bind($_link);
|
$bind = @ldap_bind($_link);
|
||||||
$this->log ( $_link, "ldap bind anonymous" );
|
$this->log($_link, "ldap bind anonymous");
|
||||||
|
|
||||||
$validUserPass = @ldap_bind($_link, $strUser,$strPass );
|
$validUserPass = @ldap_bind($_link, $strUser, $strPass);
|
||||||
$this->log ( $_link, "ldap binding with user $strUser" );
|
$this->log($_link, "ldap binding with user $strUser");
|
||||||
|
|
||||||
return $validUserPass ;
|
return $validUserPass;
|
||||||
}
|
}
|
||||||
|
|
||||||
function searchUsers($sKeyword) {
|
public function searchUsers($sKeyword)
|
||||||
|
{
|
||||||
$sKeyword = trim($sKeyword);
|
$sKeyword = trim($sKeyword);
|
||||||
$RBAC = RBAC::getSingleton();
|
$RBAC = RBAC::getSingleton();
|
||||||
$aAuthSource = $RBAC->authSourcesObj->load($this->sAuthSource);
|
$aAuthSource = $RBAC->authSourcesObj->load($this->sAuthSource);
|
||||||
$pass =explode("_",$aAuthSource['AUTH_SOURCE_PASSWORD']);
|
$pass = explode("_", $aAuthSource['AUTH_SOURCE_PASSWORD']);
|
||||||
foreach($pass as $index => $value) {
|
foreach ($pass as $index => $value) {
|
||||||
if($value == '2NnV3ujj3w'){
|
if ($value == '2NnV3ujj3w') {
|
||||||
$aAuthSource['AUTH_SOURCE_PASSWORD'] = G::decrypt($pass[0],$aAuthSource['AUTH_SOURCE_SERVER_NAME']);
|
$aAuthSource['AUTH_SOURCE_PASSWORD'] = G::decrypt($pass[0],
|
||||||
|
$aAuthSource['AUTH_SOURCE_SERVER_NAME']);
|
||||||
}
|
}
|
||||||
}
|
}
|
||||||
$oLink = @ldap_connect($aAuthSource['AUTH_SOURCE_SERVER_NAME'], $aAuthSource['AUTH_SOURCE_PORT']);
|
$oLink = @ldap_connect($aAuthSource['AUTH_SOURCE_SERVER_NAME'],
|
||||||
@ldap_set_option($oLink, LDAP_OPT_PROTOCOL_VERSION, $aAuthSource['AUTH_SOURCE_VERSION']);
|
$aAuthSource['AUTH_SOURCE_PORT']);
|
||||||
|
@ldap_set_option($oLink, LDAP_OPT_PROTOCOL_VERSION,
|
||||||
|
$aAuthSource['AUTH_SOURCE_VERSION']);
|
||||||
@ldap_set_option($oLink, LDAP_OPT_REFERRALS, 0);
|
@ldap_set_option($oLink, LDAP_OPT_REFERRALS, 0);
|
||||||
if (isset($aAuthSource['AUTH_SOURCE_ENABLED_TLS']) && $aAuthSource['AUTH_SOURCE_ENABLED_TLS']) {
|
if (isset($aAuthSource['AUTH_SOURCE_ENABLED_TLS']) && $aAuthSource['AUTH_SOURCE_ENABLED_TLS']) {
|
||||||
@ldap_start_tls($oLink);
|
@ldap_start_tls($oLink);
|
||||||
}
|
}
|
||||||
if ($aAuthSource['AUTH_ANONYMOUS'] == '1') {
|
if ($aAuthSource['AUTH_ANONYMOUS'] == '1') {
|
||||||
$bBind = @ldap_bind($oLink);
|
$bBind = @ldap_bind($oLink);
|
||||||
|
} else {
|
||||||
|
$bBind = @ldap_bind($oLink, $aAuthSource['AUTH_SOURCE_SEARCH_USER'],
|
||||||
|
$aAuthSource['AUTH_SOURCE_PASSWORD']);
|
||||||
}
|
}
|
||||||
else {
|
if (!$bBind) {
|
||||||
$bBind = @ldap_bind($oLink, $aAuthSource['AUTH_SOURCE_SEARCH_USER'], $aAuthSource['AUTH_SOURCE_PASSWORD']);
|
|
||||||
}
|
|
||||||
if ( !$bBind ) {
|
|
||||||
throw new Exception('Unable to bind to server : ' . $aAuthSource['AUTH_SOURCE_SERVER_NAME'] . ' in port ' . $aAuthSource['AUTH_SOURCE_PORT']);
|
throw new Exception('Unable to bind to server : ' . $aAuthSource['AUTH_SOURCE_SERVER_NAME'] . ' in port ' . $aAuthSource['AUTH_SOURCE_PORT']);
|
||||||
}
|
}
|
||||||
if (substr($sKeyword , -1) != '*') {
|
if (substr($sKeyword, -1) != '*') {
|
||||||
if ($sKeyword != '') {
|
if ($sKeyword != '') {
|
||||||
$sKeyword = '*' . $sKeyword . '*';
|
$sKeyword = '*' . $sKeyword . '*';
|
||||||
}
|
} else {
|
||||||
else {
|
|
||||||
$sKeyword .= '*';
|
$sKeyword .= '*';
|
||||||
}
|
}
|
||||||
}
|
}
|
||||||
|
|
||||||
$additionalFilter = isset($aAuthSource['AUTH_SOURCE_DATA']['AUTH_SOURCE_ADDITIONAL_FILTER']) ? trim($aAuthSource['AUTH_SOURCE_DATA']['AUTH_SOURCE_ADDITIONAL_FILTER']) : '';
|
$additionalFilter = isset($aAuthSource['AUTH_SOURCE_DATA']['AUTH_SOURCE_ADDITIONAL_FILTER'])
|
||||||
|
? trim($aAuthSource['AUTH_SOURCE_DATA']['AUTH_SOURCE_ADDITIONAL_FILTER'])
|
||||||
|
: '';
|
||||||
|
|
||||||
$sFilter = '(&(|(objectClass=*))';
|
$sFilter = '(&(|(objectClass=*))';
|
||||||
|
|
||||||
if ( isset( $aAuthSource['AUTH_SOURCE_DATA']['LDAP_TYPE']) && $aAuthSource['AUTH_SOURCE_DATA']['LDAP_TYPE'] == 'ad' ) {
|
if (isset($aAuthSource['AUTH_SOURCE_DATA']['LDAP_TYPE']) && $aAuthSource['AUTH_SOURCE_DATA']['LDAP_TYPE']
|
||||||
|
== 'ad') {
|
||||||
$sFilter = "(&(|(objectClass=*))(|(samaccountname=$sKeyword)(userprincipalname=$sKeyword))$additionalFilter)";
|
$sFilter = "(&(|(objectClass=*))(|(samaccountname=$sKeyword)(userprincipalname=$sKeyword))$additionalFilter)";
|
||||||
}
|
} else {
|
||||||
else
|
|
||||||
$sFilter = "(&(|(objectClass=*))(|(uid=$sKeyword)(cn=$sKeyword))$additionalFilter)";
|
$sFilter = "(&(|(objectClass=*))(|(uid=$sKeyword)(cn=$sKeyword))$additionalFilter)";
|
||||||
|
}
|
||||||
|
|
||||||
//G::pr($sFilter);
|
|
||||||
$aUsers = array();
|
$aUsers = array();
|
||||||
$oSearch = @ldap_search($oLink, $aAuthSource['AUTH_SOURCE_BASE_DN'], $sFilter, array('dn','uid','samaccountname', 'cn','givenname','sn','mail','userprincipalname','objectcategory', 'manager'));
|
$oSearch = @ldap_search($oLink, $aAuthSource['AUTH_SOURCE_BASE_DN'],
|
||||||
|
$sFilter,
|
||||||
|
array('dn', 'uid', 'samaccountname', 'cn', 'givenname',
|
||||||
|
'sn', 'mail', 'userprincipalname', 'objectcategory', 'manager'));
|
||||||
|
|
||||||
if ($oError = @ldap_errno($oLink)) {
|
if ($oError = @ldap_errno($oLink)) {
|
||||||
return $aUsers;
|
return $aUsers;
|
||||||
}
|
} else {
|
||||||
else {
|
|
||||||
if ($oSearch) {
|
if ($oSearch) {
|
||||||
if (@ldap_count_entries($oLink, $oSearch) > 0) {
|
if (@ldap_count_entries($oLink, $oSearch) > 0) {
|
||||||
$sUsername = '';
|
$sUsername = '';
|
||||||
$oEntry = @ldap_first_entry($oLink, $oSearch);
|
$oEntry = @ldap_first_entry($oLink, $oSearch);
|
||||||
$uidUser = isset ( $aAuthSource['AUTH_SOURCE_DATA']['AUTH_SOURCE_IDENTIFIER_FOR_USER'] ) ? $aAuthSource['AUTH_SOURCE_DATA']['AUTH_SOURCE_IDENTIFIER_FOR_USER'] : 'uid';
|
$uidUser = isset($aAuthSource['AUTH_SOURCE_DATA']['AUTH_SOURCE_IDENTIFIER_FOR_USER'])
|
||||||
|
? $aAuthSource['AUTH_SOURCE_DATA']['AUTH_SOURCE_IDENTIFIER_FOR_USER']
|
||||||
|
: 'uid';
|
||||||
do {
|
do {
|
||||||
$aAttr = $this->getLdapAttributes ( $oLink, $oEntry );
|
$aAttr = $this->getLdapAttributes($oLink, $oEntry);
|
||||||
$sUsername = isset($aAttr[ $uidUser ]) ? $aAttr[ $uidUser ] : '';
|
$sUsername = isset($aAttr[$uidUser]) ? $aAttr[$uidUser] : '';
|
||||||
if ($sUsername != '') {
|
if ($sUsername != '') {
|
||||||
// note added by gustavo cruz gustavo-at-colosa.com
|
// note added by gustavo cruz gustavo-at-colosa.com
|
||||||
// assign the givenname and sn fields if these are set
|
// assign the givenname and sn fields if these are set
|
||||||
$aUsers[] = array('sUsername' => $sUsername,
|
$aUsers[] = [
|
||||||
'sFullname' => $aAttr['cn'],
|
'sUsername' => $sUsername,
|
||||||
|
'sFullname' => isset($aAttr['cn']) ? $aAttr['cn'] : '',
|
||||||
'sFirstname' => isset($aAttr['givenname']) ? $aAttr['givenname'] : '',
|
'sFirstname' => isset($aAttr['givenname']) ? $aAttr['givenname'] : '',
|
||||||
'sLastname' => isset($aAttr['sn']) ? $aAttr['sn'] : '',
|
'sLastname' => isset($aAttr['sn']) ? $aAttr['sn'] : '',
|
||||||
'sEmail' => isset($aAttr['mail']) ? $aAttr['mail'] : ( isset($aAttr['userprincipalname'])?$aAttr['userprincipalname'] : '') ,
|
'sEmail' => isset($aAttr['mail'])
|
||||||
'sDN' => $aAttr['dn'] );
|
? $aAttr['mail']
|
||||||
|
: (isset($aAttr['userprincipalname']) ? $aAttr['userprincipalname'] : ''),
|
||||||
|
'sDN' => $aAttr['dn']
|
||||||
|
];
|
||||||
}
|
}
|
||||||
} while ($oEntry = @ldap_next_entry($oLink, $oEntry));
|
} while ($oEntry = @ldap_next_entry($oLink, $oEntry));
|
||||||
}
|
}
|
||||||
@@ -191,18 +176,19 @@ class LDAP
|
|||||||
}
|
}
|
||||||
}
|
}
|
||||||
|
|
||||||
function getLdapAttributes ( $oLink, $oEntry ) {
|
public function getLdapAttributes($oLink, $oEntry)
|
||||||
|
{
|
||||||
$aAttrib['dn'] = @ldap_get_dn($oLink, $oEntry);
|
$aAttrib['dn'] = @ldap_get_dn($oLink, $oEntry);
|
||||||
$aAttr = @ldap_get_attributes($oLink, $oEntry);
|
$aAttr = @ldap_get_attributes($oLink, $oEntry);
|
||||||
for ( $iAtt = 0 ; $iAtt < $aAttr['count']; $iAtt++ ) {
|
for ($iAtt = 0; $iAtt < $aAttr['count']; $iAtt++) {
|
||||||
switch ( $aAttr[ $aAttr[$iAtt] ]['count'] ) {
|
switch ($aAttr[$aAttr[$iAtt]]['count']) {
|
||||||
case 0: $aAttrib[ strtolower($aAttr[$iAtt]) ]= '';
|
case 0: $aAttrib[strtolower($aAttr[$iAtt])] = '';
|
||||||
break;
|
break;
|
||||||
case 1: $aAttrib[ strtolower($aAttr[$iAtt]) ]= $aAttr[ $aAttr[$iAtt] ][0];
|
case 1: $aAttrib[strtolower($aAttr[$iAtt])] = $aAttr[$aAttr[$iAtt]][0];
|
||||||
break;
|
break;
|
||||||
default:
|
default:
|
||||||
$aAttrib[ strtolower($aAttr[$iAtt]) ]= $aAttr[ $aAttr[$iAtt] ];
|
$aAttrib[strtolower($aAttr[$iAtt])] = $aAttr[$aAttr[$iAtt]];
|
||||||
unset( $aAttrib[ $aAttr[$iAtt] ]['count'] );
|
unset($aAttrib[$aAttr[$iAtt]]['count']);
|
||||||
break;
|
break;
|
||||||
}
|
}
|
||||||
}
|
}
|
||||||
|
|||||||
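Review bot: In VerifyLogin (hunk `@@ -87,102 +59,115 @@`; its signature sits in the preceding hunk) the StartTLS branch can never execute, because `$sAuthTls` is tested with `isset($sAuthTls) && $sAuthTls` but is never assigned from `$aAuthSource` — searchUsers reads `AUTH_SOURCE_ENABLED_TLS` for the same purpose — so the end-user password passed to `ldap_bind($_link, $strUser, $strPass)` goes over the wire in cleartext unless the configured server name happens to be an ldaps:// URL. Both functions also discard the return value of `@ldap_start_tls()`, which lets a failed TLS negotiation fall through silently to a plaintext bind with the search-user or end-user credentials. Separately, searchUsers interpolates `$sKeyword` into the LDAP filter unescaped; assuming the target PHP provides it, the keyword should pass through `ldap_escape($sKeyword, '', LDAP_ESCAPE_FILTER)` before the `*` wildcards are appended (the existing trailing-`*` check would then need to strip and re-add that character explicitly rather than rely on the raw input). The sketch below reads the TLS flag from the auth source and aborts the login when StartTLS fails; returning `false` mirrors the existing bind-failure path, which returns the bool from ldap_bind.
```php
// … unchanged: $aAuthSource load and the other AUTH_SOURCE_* fields …
$sAuthTls = isset($aAuthSource['AUTH_SOURCE_ENABLED_TLS']) ? $aAuthSource['AUTH_SOURCE_ENABLED_TLS'] : false;

// … unchanged: ldap_connect, protocol version and referrals options …

if ($sAuthTls) {
    if (!@ldap_start_tls($_link)) {
        // TLS was requested: never fall back to a cleartext bind of the user's password.
        $this->log($_link, "start tls failed");
        return false;
    }
    $this->log($_link, "start tls");
}
// … unchanged: anonymous bind, user bind and return …
```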