diff options
author | Hugues Hiegel <root@paranoid> | 2015-04-21 12:49:44 +0200 |
---|---|---|
committer | Hugues Hiegel <root@paranoid> | 2015-04-21 12:49:44 +0200 |
commit | 733f8e8d0ce6217d906d06dc4fb08e36d48ed794 (patch) | |
tree | cff28366ff63ea6596f8026e1698090bd0b9405c /plugins/password/drivers/ldap_simple.php | |
parent | ef2e7b3f9d264ec146d4dae257b1e295ab3b462a (diff) | |
parent | a4ba3df54834ee90fb2c9930669f1229dc80261a (diff) |
Conflicts:
composer.json-dist
config/defaults.inc.php
plugins
plugins/acl/acl.js
plugins/acl/acl.php
plugins/acl/skins/classic/templates/table.html
plugins/acl/skins/larry/templates/table.html
plugins/enigma/README
plugins/enigma/config.inc.php.dist
plugins/enigma/enigma.js
plugins/enigma/enigma.php
plugins/enigma/lib/enigma_driver.php
plugins/enigma/lib/enigma_driver_gnupg.php
plugins/enigma/lib/enigma_driver_phpssl.php
plugins/enigma/lib/enigma_engine.php
plugins/enigma/lib/enigma_error.php
plugins/enigma/lib/enigma_key.php
plugins/enigma/lib/enigma_signature.php
plugins/enigma/lib/enigma_subkey.php
plugins/enigma/lib/enigma_ui.php
plugins/enigma/lib/enigma_userid.php
plugins/enigma/localization/en_US.inc
plugins/enigma/localization/ja_JP.inc
plugins/enigma/localization/ru_RU.inc
plugins/enigma/skins/classic/enigma.css
plugins/enigma/skins/classic/templates/keys.html
plugins/help/config.inc.php.dist
plugins/help/help.php
plugins/help/localization/en_US.inc
plugins/jqueryui/jqueryui.php
plugins/managesieve/Changelog
plugins/managesieve/composer.json
plugins/managesieve/config.inc.php.dist
plugins/managesieve/lib/Roundcube/rcube_sieve.php
plugins/managesieve/lib/Roundcube/rcube_sieve_engine.php
plugins/managesieve/lib/Roundcube/rcube_sieve_vacation.php
plugins/managesieve/localization/en_US.inc
plugins/managesieve/managesieve.js
plugins/managesieve/skins/classic/managesieve.css
plugins/managesieve/skins/larry/managesieve.css
plugins/password/README
plugins/password/config.inc.php.dist
plugins/password/drivers/ldap.php
plugins/password/drivers/poppassd.php
plugins/password/drivers/vpopmaild.php
plugins/vcard_attachments/vcardattach.js
plugins/zipdownload/zipdownload.php
Diffstat (limited to 'plugins/password/drivers/ldap_simple.php')
-rw-r--r-- | plugins/password/drivers/ldap_simple.php | 238 |
1 files changed, 238 insertions, 0 deletions
diff --git a/plugins/password/drivers/ldap_simple.php b/plugins/password/drivers/ldap_simple.php new file mode 100644 index 000000000..9123ea81f --- /dev/null +++ b/plugins/password/drivers/ldap_simple.php @@ -0,0 +1,238 @@ +<?php + +/** + * Simple LDAP Password Driver + * + * Driver for passwords stored in LDAP + * This driver is based on Edouard's LDAP Password Driver, but does not + * require PEAR's Net_LDAP2 to be installed + * + * @version 2.0 + * @author Wout Decre <wout@canodus.be> + * @author Aleksander Machniak <machniak@kolabsys.com> + * + * Copyright (C) 2005-2014, The Roundcube Dev Team + * + * This program is free software: you can redistribute it and/or modify + * it under the terms of the GNU General Public License as published by + * the Free Software Foundation, either version 3 of the License, or + * (at your option) any later version. + * + * This program is distributed in the hope that it will be useful, + * but WITHOUT ANY WARRANTY; without even the implied warranty of + * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the + * GNU General Public License for more details. + * + * You should have received a copy of the GNU General Public License + * along with this program. If not, see http://www.gnu.org/licenses/. + */ + +class rcube_ldap_simple_password +{ + private $debug = false; + + function save($curpass, $passwd) + { + $rcmail = rcmail::get_instance(); + + $this->debug = $rcmail->config->get('ldap_debug'); + + $ldap_host = $rcmail->config->get('password_ldap_host'); + $ldap_port = $rcmail->config->get('password_ldap_port'); + + $this->_debug("C: Connect to $ldap_host:$ldap_port"); + + // Connect + if (!$ds = ldap_connect($ldap_host, $ldap_port)) { + $this->_debug("S: NOT OK"); + + rcube::raise_error(array( + 'code' => 100, 'type' => 'ldap', + 'file' => __FILE__, 'line' => __LINE__, + 'message' => "Could not connect to LDAP server" + ), + true); + + return PASSWORD_CONNECT_ERROR; + } + + $this->_debug("S: OK"); + + // Set protocol version + ldap_set_option($ds, LDAP_OPT_PROTOCOL_VERSION, $rcmail->config->get('password_ldap_version')); + + // Start TLS + if ($rcmail->config->get('password_ldap_starttls')) { + if (!ldap_start_tls($ds)) { + ldap_unbind($ds); + return PASSWORD_CONNECT_ERROR; + } + } + + // include 'ldap' driver, we share some static methods with it + require_once INSTALL_PATH . 'plugins/password/drivers/ldap.php'; + + // other plugins might want to modify user DN + $plugin = $rcmail->plugins->exec_hook('password_ldap_bind', array( + 'user_dn' => '', 'conn' => $ds)); + + // Build user DN + if (!empty($plugin['user_dn'])) { + $user_dn = $plugin['user_dn']; + } + else if ($user_dn = $rcmail->config->get('password_ldap_userDN_mask')) { + $user_dn = rcube_ldap_password::substitute_vars($user_dn); + } + else { + $user_dn = $this->search_userdn($rcmail, $ds); + } + + if (empty($user_dn)) { + ldap_unbind($ds); + return PASSWORD_CONNECT_ERROR; + } + + // Connection method + switch ($rcmail->config->get('password_ldap_method')) { + case 'admin': + $binddn = $rcmail->config->get('password_ldap_adminDN'); + $bindpw = $rcmail->config->get('password_ldap_adminPW'); + break; + case 'user': + default: + $binddn = $user_dn; + $bindpw = $curpass; + break; + } + + $lchattr = $rcmail->config->get('password_ldap_lchattr'); + $pwattr = $rcmail->config->get('password_ldap_pwattr'); + $smbpwattr = $rcmail->config->get('password_ldap_samba_pwattr'); + $smblchattr = $rcmail->config->get('password_ldap_samba_lchattr'); + $samba = $rcmail->config->get('password_ldap_samba'); + $pass_mode = $rcmail->config->get('password_ldap_encodage'); + $crypted_pass = rcube_ldap_password::hash_password($passwd, $pass_mode); + + // Support password_ldap_samba option for backward compat. + if ($samba && !$smbpwattr) { + $smbpwattr = 'sambaNTPassword'; + $smblchattr = 'sambaPwdLastSet'; + } + + // Crypt new password + if (!$crypted_pass) { + return PASSWORD_CRYPT_ERROR; + } + + // Crypt new Samba password + if ($smbpwattr && !($samba_pass = rcube_ldap_password::hash_password($passwd, 'samba'))) { + return PASSWORD_CRYPT_ERROR; + } + + $this->_debug("C: Bind $binddn, pass: **** [" . strlen($bindpw) . "]"); + + // Bind + if (!ldap_bind($ds, $binddn, $bindpw)) { + $this->_debug("S: ".ldap_error($ds)); + + ldap_unbind($ds); + + return PASSWORD_CONNECT_ERROR; + } + + $this->_debug("S: OK"); + + $entry[$pwattr] = $crypted_pass; + + // Update PasswordLastChange Attribute if desired + if ($lchattr) { + $entry[$lchattr] = (int)(time() / 86400); + } + + // Update Samba password + if ($smbpwattr) { + $entry[$smbpwattr] = $samba_pass; + } + + // Update Samba password last change + if ($smblchattr) { + $entry[$smblchattr] = time(); + } + + $this->_debug("C: Modify $user_dn: " . print_r($entry, true)); + + if (!ldap_modify($ds, $user_dn, $entry)) { + $this->_debug("S: ".ldap_error($ds)); + + ldap_unbind($ds); + + return PASSWORD_CONNECT_ERROR; + } + + $this->_debug("S: OK"); + + // All done, no error + ldap_unbind($ds); + + return PASSWORD_SUCCESS; + } + + /** + * Bind with searchDN and searchPW and search for the user's DN + * Use search_base and search_filter defined in config file + * Return the found DN + */ + function search_userdn($rcmail, $ds) + { + $search_user = $rcmail->config->get('password_ldap_searchDN'); + $search_pass = $rcmail->config->get('password_ldap_searchPW'); + $search_base = $rcmail->config->get('password_ldap_search_base'); + $search_filter = $rcmail->config->get('password_ldap_search_filter'); + + if (empty($search_filter)) { + return false; + } + + $this->_debug("C: Bind " . ($search_user ? $search_user : '[anonymous]')); + + // Bind + if (!ldap_bind($ds, $search_user, $search_pass)) { + $this->_debug("S: ".ldap_error($ds)); + return false; + } + + $this->_debug("S: OK"); + + $search_base = rcube_ldap_password::substitute_vars($search_base); + $search_filter = rcube_ldap_password::substitute_vars($search_filter); + + $this->_debug("C: Search $search_base for $search_filter"); + + // Search for the DN + if (!$sr = ldap_search($ds, $search_base, $search_filter)) { + $this->_debug("S: ".ldap_error($ds)); + return false; + } + + $found = ldap_count_entries($ds, $sr); + + $this->_debug("S: OK [found $found records]"); + + // If no or more entries were found, return false + if ($found != 1) { + return false; + } + + return ldap_get_dn($ds, ldap_first_entry($ds, $sr)); + } + + /** + * Prints debug info to the log + */ + private function _debug($str) + { + if ($this->debug) { + rcube::write_log('ldap', $str); + } + } +} |