Mibew/mibew
1
0
Fork 0
mirror of https://github.com/Mibew/mibew.git synced 2025-06-06 09:06:15 +03:00
Code Issues Actions Packages Projects Releases Wiki Activity

add Active Directory LDAP auth for operators

Browse Source
This commit is contained in:
Silron88 2015-08-19 03:30:33 +03:00
parent 95427ae340
commit 900d24752e
18 changed files with 4320 additions and 1 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

15
src/mibew/configs/default_config.yml
View File

@ -1,6 +1,21 @@
# IMPORTANT: Before install mibew copy this file to config.yml and fill it with
# your own settings!
# Active Directory LDAP parameters
adldap:
### required
domain: "some.domain.com"
search_username: "username"
search_password: "password"
operator_group: "domain users"
admin_group: "domain admins"
### optional
# account_suffix: "@some.domain.com"
# base_dn: "DC=some,DC=domain,DC=com"
# domain_controllers: ["dc1.some.domain.com", "dc2.some.domain.com"]
# port: 389
# useSSL: false # strongly recommended use one of SSL or TLS
# useTLS: false # cannot be true simultaneously with SSL
# MySQL Database parameters
database:

993
src/mibew/libs/adldap/adLDAP.php Normal file
View File

@ -0,0 +1,993 @@
<?php
namespace adLDAP;
/**
* PHP LDAP CLASS FOR MANIPULATING ACTIVE DIRECTORY
* Version 5.0.0
*
* PHP Version 5 with SSL and LDAP support
*
* Written by Scott Barnett, Richard Hyland
* email: scott@wiggumworld.com, adldap@richardhyland.com
* http://github.com/adldap/adLDAP
*
* Copyright (c) 2006-2014 Scott Barnett, Richard Hyland
*
* We'd appreciate any improvements or additions to be submitted back
* to benefit the entire community :)
*
* This library is free software; you can redistribute it and/or
* modify it under the terms of the GNU Lesser General Public
* License as published by the Free Software Foundation; either
* version 2.1 of the License.
*
* This library is distributed in the hope that it will be useful,
* but WITHOUT ANY WARRANTY; without even the implied warranty of
* MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU
* Lesser General Public License for more details.
*
* @category ToolsAndUtilities
* @package adLDAP
* @author Scott Barnett, Richard Hyland
* @copyright (c) 2006-2014 Scott Barnett, Richard Hyland
* @license http://www.gnu.org/licenses/old-licenses/lgpl-2.1.html LGPLv2.1
* @version 5.0.0
* @link http://github.com/adldap/adLDAP
*/
/**
* Main adLDAP class
*
* Can be initialised using $adldap = new adLDAP();
*
* Something to keep in mind is that Active Directory is a permissions
* based directory. If you bind as a domain user, you can't fetch as
* much information on other users as you could as a domain admin.
*
* Before asking questions, please read the Documentation at
* http://adldap.sourceforge.net/wiki/doku.php?id=api
*/
require_once(dirname(__FILE__) . '/collections/adLDAPCollection.php');
require_once(dirname(__FILE__) . '/classes/adLDAPGroups.php');
require_once(dirname(__FILE__) . '/classes/adLDAPUsers.php');
require_once(dirname(__FILE__) . '/classes/adLDAPFolders.php');
require_once(dirname(__FILE__) . '/classes/adLDAPUtils.php');
require_once(dirname(__FILE__) . '/classes/adLDAPContacts.php');
require_once(dirname(__FILE__) . '/classes/adLDAPExchange.php');
require_once(dirname(__FILE__) . '/classes/adLDAPComputers.php');
class adLDAP {
/**
* Define the different types of account in AD
*/
const ADLDAP_NORMAL_ACCOUNT = 805306368;
const ADLDAP_WORKSTATION_TRUST = 805306369;
const ADLDAP_INTERDOMAIN_TRUST = 805306370;
const ADLDAP_SECURITY_GLOBAL_GROUP = 268435456;
const ADLDAP_DISTRIBUTION_GROUP = 268435457;
const ADLDAP_SECURITY_LOCAL_GROUP = 536870912;
const ADLDAP_DISTRIBUTION_LOCAL_GROUP = 536870913;
const ADLDAP_FOLDER = 'OU';
const ADLDAP_CONTAINER = 'CN';
/**
* The default port for LDAP non-SSL connections
*/
const ADLDAP_LDAP_PORT = '389';
/**
* The default port for LDAPS SSL connections
*/
const ADLDAP_LDAPS_PORT = '636';
/**
* The account suffix for your domain, can be set when the class is invoked
*
* @var string
*/
protected $accountSuffix = "@mydomain.local";
/**
* The base dn for your domain
*
* If this is set to null then adLDAP will attempt to obtain this automatically from the rootDSE
*
* @var string
*/
protected $baseDn = "DC=mydomain,DC=local";
/**
* Port used to talk to the domain controllers.
*
* @var int
*/
protected $adPort = self::ADLDAP_LDAP_PORT;
/**
* Array of domain controllers. Specifiy multiple controllers if you
* would like the class to balance the LDAP queries amongst multiple servers
*
* @var array
*/
protected $domainControllers = array("dc01.mydomain.local");
/**
* Optional account with higher privileges for searching
* This should be set to a domain admin account
*
* @var string
* @var string
*/
protected $adminUsername = NULL;
protected $adminPassword = NULL;
/**
* AD does not return the primary group. http://support.microsoft.com/?kbid=321360
* This tweak will resolve the real primary group.
* Setting to false will fudge "Domain Users" and is much faster. Keep in mind though that if
* someone's primary group is NOT domain users, this is obviously going to mess up the results
*
* @var bool
*/
protected $realPrimaryGroup = true;
/**
* Use SSL (LDAPS), your server needs to be setup, please see
* http://adldap.sourceforge.net/wiki/doku.php?id=ldap_over_ssl
*
* @var bool
*/
protected $useSSL = false;
/**
* Use TLS
* If you wish to use TLS you should ensure that $useSSL is set to false and vice-versa
*
* @var bool
*/
protected $useTLS = false;
/**
* Use SSO
* To indicate to adLDAP to reuse password set by the browser through NTLM or Kerberos
*
* @var bool
*/
protected $useSSO = false;
/**
* When querying group memberships, do it recursively
* eg. User Fred is a member of Group A, which is a member of Group B, which is a member of Group C
* user_ingroup("Fred","C") will returns true with this option turned on, false if turned off
*
* @var bool
*/
protected $recursiveGroups = true;
// You should not need to edit anything below this line
//******************************************************************************************
/**
* Connection and bind default variables
*
* @var mixed
* @var mixed
*/
protected $ldapConnection;
protected $ldapBind;
/**
* Get the active LDAP Connection
*
* @return resource
*/
public function getLdapConnection() {
if ($this->ldapConnection) {
return $this->ldapConnection;
}
return false;
}
/**
* Get the bind status
*
* @return bool
*/
public function getLdapBind() {
return $this->ldapBind;
}
/**
* Get the current base DN
*
* @return string
*/
public function getBaseDn() {
return $this->baseDn;
}
/**
* Set the current base DN
*
* @param string $baseDn
*/
public function setBaseDn($baseDn) {
$this->baseDn = $baseDn;
}
/**
* The group class
*
* @var \adLDAP\classes\adLDAPGroups
*/
protected $groupClass;
/**
* Get the group class interface
*
* @return \adLDAP\classes\adLDAPGroups
*/
public function group() {
if (!$this->groupClass) {
$this->groupClass = new \adLDAP\classes\adLDAPGroups($this);
}
return $this->groupClass;
}
/**
* The user class
*
* @var \adLDAP\classes\adLDAPUsers
*/
protected $userClass;
/**
* Get the userclass interface
*
* @return \adLDAP\classes\adLDAPUsers
*/
public function user() {
if (!$this->userClass) {
$this->userClass = new \adLDAP\classes\adLDAPUsers($this);
}
return $this->userClass;
}
/**
* The folders class
*
* @var \adLDAP\classes\adLDAPFolders
*/
protected $folderClass;
/**
* Get the folder class interface
*
* @return \adLDAP\classes\adLDAPFolders
*/
public function folder() {
if (!$this->folderClass) {
$this->folderClass = new \adLDAP\classes\adLDAPFolders($this);
}
return $this->folderClass;
}
/**
* The utils class
*
* @var \adLDAP\classes\adLDAPUtils
*/
protected $utilClass;
/**
* Get the utils class interface
*
* @return \adLDAP\classes\adLDAPUtils
*/
public function utilities() {
if (!$this->utilClass) {
$this->utilClass = new \adLDAP\classes\adLDAPUtils($this);
}
return $this->utilClass;
}
/**
* The contacts class
*
* @var \adLDAP\classes\adLDAPContacts
*/
protected $contactClass;
/**
* Get the contacts class interface
*
* @return \adLDAP\classes\adLDAPContacts
*/
public function contact() {
if (!$this->contactClass) {
$this->contactClass = new \adLDAP\classes\adLDAPContacts($this);
}
return $this->contactClass;
}
/**
* The exchange class
*
* @var \adLDAP\classes\adLDAPExchange
*/
protected $exchangeClass;
/**
* Get the exchange class interface
*
* @return \adLDAP\classes\adLDAPExchange
*/
public function exchange() {
if (!$this->exchangeClass) {
$this->exchangeClass = new \adLDAP\classes\adLDAPExchange($this);
}
return $this->exchangeClass;
}
/**
* The computers class
*
* @var \adLDAP\classes\adLDAPComputers
*/
protected $computersClass;
/**
* Get the computers class interface
*
* @return \adLDAP\classes\adLDAPComputers
*/
public function computer() {
if (!$this->computerClass) {
$this->computerClass = new \adLDAP\classes\adLDAPComputers($this);
}
return $this->computerClass;
}
/**
* Getters and Setters
*/
/**
* Set the account suffix
*
* @param string $accountSuffix
* @return void
*/
public function setAccountSuffix($accountSuffix) {
$this->accountSuffix = $accountSuffix;
}
/**
* Get the account suffix
*
* @return string
*/
public function getAccountSuffix() {
return $this->accountSuffix;
}
/**
* Set the domain controllers array
*
* @param array $domainControllers
* @return void
*/
public function setDomainControllers(array $domainControllers) {
$this->domainControllers = $domainControllers;
}
/**
* Get the list of domain controllers
*
* @return void
*/
public function getDomainControllers() {
return $this->domainControllers;
}
/**
* Sets the port number your domain controller communicates over
*
* @param int $adPort
*/
public function setPort($adPort) {
$this->adPort = $adPort;
}
/**
* Gets the port number your domain controller communicates over
*
* @return int
*/
public function getPort() {
return $this->adPort;
}
/**
* Set the username of an account with higher priviledges
*
* @param string $adminUsername
* @return void
*/
public function setAdminUsername($adminUsername) {
$this->adminUsername = $adminUsername;
}
/**
* Get the username of the account with higher priviledges
*
* This will throw an exception for security reasons
*/
public function getAdminUsername() {
throw new adLDAPException('For security reasons you cannot access the domain administrator account details');
}
/**
* Set the password of an account with higher priviledges
*
* @param string $adminPassword
* @return void
*/
public function setAdminPassword($adminPassword) {
$this->adminPassword = $adminPassword;
}
/**
* Get the password of the account with higher priviledges
*
* This will throw an exception for security reasons
*/
public function getAdminPassword() {
throw new adLDAPException('For security reasons you cannot access the domain administrator account details');
}
/**
* Set whether to detect the true primary group
*
* @param bool $realPrimaryGroup
* @return void
*/
public function setRealPrimaryGroup($realPrimaryGroup) {
$this->realPrimaryGroup = $realPrimaryGroup;
}
/**
* Get the real primary group setting
*
* @return bool
*/
public function getRealPrimaryGroup() {
return $this->realPrimaryGroup;
}
/**
* Set whether to use SSL
*
* @param bool $useSSL
* @return void
*/
public function setUseSSL($useSSL) {
$this->useSSL = $useSSL;
// Set the default port correctly
if($this->useSSL) {
$this->setPort(self::ADLDAP_LDAPS_PORT);
}
else {
$this->setPort(self::ADLDAP_LDAP_PORT);
}
}
/**
* Get the SSL setting
*
* @return bool
*/
public function getUseSSL() {
return $this->useSSL;
}
/**
* Set whether to use TLS
*
* @param bool $useTLS
* @return void
*/
public function setUseTLS($useTLS) {
$this->useTLS = $useTLS;
}
/**
* Get the TLS setting
*
* @return bool
*/
public function getUseTLS() {
return $this->useTLS;
}
/**
* Set whether to use SSO
* Requires ldap_sasl_bind support. Be sure --with-ldap-sasl is used when configuring PHP otherwise this function will be undefined.
*
* @param bool $useSSO
* @return void
*/
public function setUseSSO($useSSO) {
if ($useSSO === true && !$this->ldapSaslSupported()) {
throw new adLDAPException('No LDAP SASL support for PHP. See: http://www.php.net/ldap_sasl_bind');
}
$this->useSSO = $useSSO;
}
/**
* Get the SSO setting
*
* @return bool
*/
public function getUseSSO() {
return $this->useSSO;
}
/**
* Set whether to lookup recursive groups
*
* @param bool $recursiveGroups
* @return void
*/
public function setRecursiveGroups($recursiveGroups) {
$this->recursiveGroups = $recursiveGroups;
}
/**
* Get the recursive groups setting
*
* @return bool
*/
public function getRecursiveGroups() {
return $this->recursiveGroups;
}
/**
* Default Constructor
*
* Tries to bind to the AD domain over LDAP or LDAPs
*
* @param array $options Array of options to pass to the constructor
* @throws \Exception - if unable to bind to Domain Controller
* @return bool
*/
function __construct($options = array()) {
// You can specifically overide any of the default configuration options setup above
if (count($options)>0) {
if (array_key_exists("account_suffix",$options)) { $this->accountSuffix = $options["account_suffix"]; }
if (array_key_exists("base_dn",$options)) { $this->baseDn = $options["base_dn"]; }
if (array_key_exists("domain_controllers",$options)) {
if (!is_array($options["domain_controllers"])) {
throw new adLDAPException('[domain_controllers] option must be an array');
}
$this->domainControllers = $options["domain_controllers"];
}
if (array_key_exists("admin_username",$options)) { $this->adminUsername = $options["admin_username"]; }
if (array_key_exists("admin_password",$options)) { $this->adminPassword = $options["admin_password"]; }
if (array_key_exists("real_primarygroup",$options)) { $this->realPrimaryGroup = $options["real_primarygroup"]; }
if (array_key_exists("use_ssl",$options)) { $this->setUseSSL($options["use_ssl"]); }
if (array_key_exists("use_tls",$options)) { $this->useTLS = $options["use_tls"]; }
if (array_key_exists("recursive_groups",$options)) { $this->recursiveGroups = $options["recursive_groups"]; }
if (array_key_exists("ad_port",$options)) { $this->setPort($options["ad_port"]); }
if (array_key_exists("sso",$options)) {
$this->setUseSSO($options["sso"]);
if (!$this->ldapSaslSupported()) {
$this->setUseSSO(false);
}
}
}
if ($this->ldapSupported() === false) {
throw new adLDAPException('No LDAP support for PHP. See: http://www.php.net/ldap');
}
return $this->connect();
}
/**
* Default Destructor
*
* Closes the LDAP connection
*
* @return void
*/
function __destruct() {
$this->close();
}
/**
* Connects and Binds to the Domain Controller
*
* @return bool
*/
public function connect() {
// Connect to the AD/LDAP server as the username/password
$domainController = $this->randomController();
if ($this->useSSL) {
$this->ldapConnection = ldap_connect("ldaps://" . $domainController, $this->adPort);
} else {
$this->ldapConnection = ldap_connect($domainController, $this->adPort);
}
// Set some ldap options for talking to AD
ldap_set_option($this->ldapConnection, LDAP_OPT_PROTOCOL_VERSION, 3);
ldap_set_option($this->ldapConnection, LDAP_OPT_REFERRALS, 0);
if ($this->useTLS) {
ldap_start_tls($this->ldapConnection);
}
// Bind as a domain admin if they've set it up
if ($this->adminUsername !== NULL && $this->adminPassword !== NULL) {
$this->ldapBind = @ldap_bind($this->ldapConnection, $this->adminUsername . $this->accountSuffix, $this->adminPassword);
if (!$this->ldapBind) {
if ($this->useSSL && !$this->useTLS) {
// If you have problems troubleshooting, remove the @ character from the ldapldapBind command above to get the actual error message
throw new adLDAPException('Bind to Active Directory failed. Either the LDAPs connection failed or the login credentials are incorrect. AD said: ' . $this->getLastError());
}
else {
throw new adLDAPException('Bind to Active Directory failed. Check the login credentials and/or server details. AD said: ' . $this->getLastError());
}
}
}
if ($this->useSSO && $_SERVER['REMOTE_USER'] && $this->adminUsername === null && $_SERVER['KRB5CCNAME']) {
putenv("KRB5CCNAME=" . $_SERVER['KRB5CCNAME']);
$this->ldapBind = @ldap_sasl_bind($this->ldapConnection, NULL, NULL, "GSSAPI");
if (!$this->ldapBind) {
throw new adLDAPException('Rebind to Active Directory failed. AD said: ' . $this->getLastError());
}
else {
return true;
}
}
if ($this->baseDn == NULL) {
$this->baseDn = $this->findBaseDn();
}
return true;
}
/**
* Closes the LDAP connection
*
* @return void
*/
public function close() {
if ($this->ldapConnection) {
@ldap_close($this->ldapConnection);
}
}
/**
* Validate a user's login credentials
*
* @param string $username A user's AD username
* @param string $password A user's AD password
* @param bool optional $preventRebind
* @return bool
*/
public function authenticate($username, $password, $preventRebind = false) {
// Prevent null binding
if ($username === NULL || $password === NULL) { return false; }
if (empty($username) || empty($password)) { return false; }
// Allow binding over SSO for Kerberos
if ($this->useSSO && $_SERVER['REMOTE_USER'] && $_SERVER['REMOTE_USER'] == $username && $this->adminUsername === NULL && $_SERVER['KRB5CCNAME']) {
putenv("KRB5CCNAME=" . $_SERVER['KRB5CCNAME']);
$this->ldapBind = @ldap_sasl_bind($this->ldapConnection, NULL, NULL, "GSSAPI");
if (!$this->ldapBind) {
throw new adLDAPException('Rebind to Active Directory failed. AD said: ' . $this->getLastError());
}
else {
return true;
}
}
// Bind as the user
$ret = true;
$this->ldapBind = @ldap_bind($this->ldapConnection, $username . $this->accountSuffix, $password);
if (!$this->ldapBind) {
$ret = false;
}
// Cnce we've checked their details, kick back into admin mode if we have it
if ($this->adminUsername !== NULL && !$preventRebind) {
$this->ldapBind = @ldap_bind($this->ldapConnection, $this->adminUsername . $this->accountSuffix , $this->adminPassword);
if (!$this->ldapBind) {
// This should never happen in theory
throw new adLDAPException('Rebind to Active Directory failed. AD said: ' . $this->getLastError());
}
}
return $ret;
}
/**
* Return a list of all found objects (except computer) in AD
* $search has to match either cn, displayname, samaccountname or sn
*
* @param bool $includeDescription Return a description,cn, displayname and distinguishedname of the user
* @param string $search Search parameter
* @param bool $sorted Sort the user accounts
* @return array, if $includeDescription=true then a multi-dimensional array
*/
public function search($includeDescription = false, $search = "*", $sorted = true) {
if (!$this->getLdapBind()) { return false; }
// Perform the search and grab all their details
//$filter = "(|(cn=" . $search . ")(displayname=" . $search . ")(samaccountname=" . $search . "))";
$filter = "(&(!(objectClass=computer))(|(anr=" . $search . ")))";
$fields = array("cn","description","displayname","distinguishedname","samaccountname");
$sr = ldap_search($this->getLdapConnection(), $this->getBaseDn(), $filter, $fields);
$entries = ldap_get_entries($this->getLdapConnection(), $sr);
$objectArray = array();
for ($i=0; $i<$entries["count"]; $i++) {
if ($includeDescription && strlen($entries[$i]["description"][0])>0) {
$objectArray[$entries[$i]["samaccountname"][0]] = array($entries[$i]["cn"][0],$entries[$i]["description"][0],$entries[$i]["displayname"][0],$entries[$i]["distinguishedname"][0]);
} elseif ($includeDescription) {
// description is set to displayname if no description is present
$objectArray[$entries[$i]["samaccountname"][0]] = array($entries[$i]["cn"][0],$entries[$i]["displayname"][0],$entries[$i]["displayname"][0],$entries[$i]["distinguishedname"][0]);
} else {
if (in_array("samaccountname", $entries[$i], true)) {
array_push($objectArray, $entries[$i]["samaccountname"][0]);
}
}
}
if ($sorted) {
asort($objectArray);
}
return $objectArray;
}
/**
* Returns objectClass in an array
*
* @param string $distinguisedName The full DN of a contact
* @return array
*/
public function getObjectClass($distinguishedName) {
if ($distinguishedName === NULL) { return false; }
if (!$this->getLdapBind()) { return false; }
$filter = "distinguishedName=" . $this->utilities()->ldapSlashes($distinguishedName);
$fields = array("objectclass");
$sr = ldap_search($this->getLdapConnection(), $this->getBaseDn(), $filter, $fields);
$entries = ldap_get_entries($this->getLdapConnection(), $sr);
$objects = array();
for ($i=0; $i<$entries[0]["objectclass"]["count"]; $i++) {
array_push($objects, $entries[0]["objectclass"][$i]);
}
return $objects;
}
/**
* Find the Base DN of your domain controller
*
* @return string
*/
public function findBaseDn() {
$namingContext = $this->getRootDse(array('defaultnamingcontext'));
return $namingContext[0]['defaultnamingcontext'][0];
}
/**
* Get the RootDSE properties from a domain controller
*
* @param array $attributes The attributes you wish to query e.g. defaultnamingcontext
* @return array
*/
public function getRootDse($attributes = array("*", "+")) {
if (!$this->ldapBind) { return (false); }
$sr = @ldap_read($this->ldapConnection, NULL, 'objectClass=*', $attributes);
$entries = @ldap_get_entries($this->ldapConnection, $sr);
return $entries;
}
/**
* Get last error from Active Directory
*
* This function gets the last message from Active Directory
* This may indeed be a 'Success' message but if you get an unknown error
* it might be worth calling this function to see what errors were raised
*
* return string
*/
public function getLastError() {
return @ldap_error($this->ldapConnection);
}
/**
* Detect LDAP support in php
*
* @return bool
*/
protected function ldapSupported() {
if (!function_exists('ldap_connect')) {
return false;
}
return true;
}
/**
* Detect ldap_sasl_bind support in PHP
*
* @return bool
*/
protected function ldapSaslSupported() {
if (!function_exists('ldap_sasl_bind')) {
return false;
}
return true;
}
/**
* Schema
*
* @param array $attributes Attributes to be queried
* @return array
*/
public function adldap_schema($attributes) {
// LDAP doesn't like NULL attributes, only set them if they have values
// If you wish to remove an attribute you should set it to a space
// TO DO: Adapt user_modify to use ldap_mod_delete to remove a NULL attribute
$mod=array();
// Check every attribute to see if it contains 8bit characters and then UTF8 encode them
array_walk($attributes, array($this, 'encode8bit'));
if (isset($attributes["address_city"])){ $mod["l"][0]=$attributes["address_city"]; }
if (isset($attributes["address_code"])){ $mod["postalCode"][0]=$attributes["address_code"]; }
//if ($attributes["address_country"]){ $mod["countryCode"][0]=$attributes["address_country"]; } // use country codes?
if (isset($attributes["address_country"])){ $mod["c"][0]=$attributes["address_country"]; }
if (isset($attributes["address_pobox"])){ $mod["postOfficeBox"][0]=$attributes["address_pobox"]; }
if (isset($attributes["address_state"])){ $mod["st"][0]=$attributes["address_state"]; }
if (isset($attributes["address_street"])){ $mod["streetAddress"][0]=$attributes["address_street"]; }
if (isset($attributes["company"])){ $mod["company"][0]=$attributes["company"]; }
if (isset($attributes["change_password"])){ $mod["pwdLastSet"][0]=0; }
if (isset($attributes["department"])){ $mod["department"][0]=$attributes["department"]; }
if (isset($attributes["description"])){ $mod["description"][0]=$attributes["description"]; }
if (isset($attributes["display_name"])){ $mod["displayName"][0]=$attributes["display_name"]; }
if (isset($attributes["email"])){ $mod["mail"][0]=$attributes["email"]; }
if (isset($attributes["expires"])){ $mod["accountExpires"][0]=$attributes["expires"]; } //unix epoch format?
if (isset($attributes["firstname"])){ $mod["givenName"][0]=$attributes["firstname"]; }
if (isset($attributes["home_directory"])){ $mod["homeDirectory"][0]=$attributes["home_directory"]; }
if (isset($attributes["home_drive"])){ $mod["homeDrive"][0]=$attributes["home_drive"]; }
if (isset($attributes["initials"])){ $mod["initials"][0]=$attributes["initials"]; }
if (isset($attributes["logon_name"])){ $mod["userPrincipalName"][0]=$attributes["logon_name"]; }
if (isset($attributes["manager"])){ $mod["manager"][0]=$attributes["manager"]; } //UNTESTED ***Use DistinguishedName***
if (isset($attributes["office"])){ $mod["physicalDeliveryOfficeName"][0]=$attributes["office"]; }
if (isset($attributes["password"])){ $mod["unicodePwd"][0]=$this->user()->encodePassword($attributes["password"]); }
if (isset($attributes["profile_path"])){ $mod["profilepath"][0]=$attributes["profile_path"]; }
if (isset($attributes["script_path"])){ $mod["scriptPath"][0]=$attributes["script_path"]; }
if (isset($attributes["surname"])){ $mod["sn"][0]=$attributes["surname"]; }
if (isset($attributes["title"])){ $mod["title"][0]=$attributes["title"]; }
if (isset($attributes["telephone"])){ $mod["telephoneNumber"][0]=$attributes["telephone"]; }
if (isset($attributes["mobile"])){ $mod["mobile"][0]=$attributes["mobile"]; }
if (isset($attributes["pager"])){ $mod["pager"][0]=$attributes["pager"]; }
if (isset($attributes["ipphone"])){ $mod["ipphone"][0]=$attributes["ipphone"]; }
if (isset($attributes["web_page"])){ $mod["wWWHomePage"][0]=$attributes["web_page"]; }
if (isset($attributes["fax"])){ $mod["facsimileTelephoneNumber"][0]=$attributes["fax"]; }
if (isset($attributes["enabled"])){ $mod["userAccountControl"][0]=$attributes["enabled"]; }
if (isset($attributes["homephone"])){ $mod["homephone"][0]=$attributes["homephone"]; }
// Distribution List specific schema
if (isset($attributes["group_sendpermission"])){ $mod["dlMemSubmitPerms"][0]=$attributes["group_sendpermission"]; }
if (isset($attributes["group_rejectpermission"])){ $mod["dlMemRejectPerms"][0]=$attributes["group_rejectpermission"]; }
// Exchange Schema
if (isset($attributes["exchange_homemdb"])){ $mod["homeMDB"][0]=$attributes["exchange_homemdb"]; }
if (isset($attributes["exchange_mailnickname"])){ $mod["mailNickname"][0]=$attributes["exchange_mailnickname"]; }
if (isset($attributes["exchange_proxyaddress"])){ $mod["proxyAddresses"][0]=$attributes["exchange_proxyaddress"]; }
if (isset($attributes["exchange_usedefaults"])){ $mod["mDBUseDefaults"][0]=$attributes["exchange_usedefaults"]; }
if (isset($attributes["exchange_policyexclude"])){ $mod["msExchPoliciesExcluded"][0]=$attributes["exchange_policyexclude"]; }
if (isset($attributes["exchange_policyinclude"])){ $mod["msExchPoliciesIncluded"][0]=$attributes["exchange_policyinclude"]; }
if (isset($attributes["exchange_addressbook"])){ $mod["showInAddressBook"][0]=$attributes["exchange_addressbook"]; }
if (isset($attributes["exchange_altrecipient"])){ $mod["altRecipient"][0]=$attributes["exchange_altrecipient"]; }
if (isset($attributes["exchange_deliverandredirect"])){ $mod["deliverAndRedirect"][0]=$attributes["exchange_deliverandredirect"]; }
// This schema is designed for contacts
if (isset($attributes["exchange_hidefromlists"])){ $mod["msExchHideFromAddressLists"][0]=$attributes["exchange_hidefromlists"]; }
if (isset($attributes["contact_email"])){ $mod["targetAddress"][0]=$attributes["contact_email"]; }
//echo ("<pre>"); print_r($mod);
/*
// modifying a name is a bit fiddly
if ($attributes["firstname"] && $attributes["surname"]){
$mod["cn"][0]=$attributes["firstname"]." ".$attributes["surname"];
$mod["displayname"][0]=$attributes["firstname"]." ".$attributes["surname"];
$mod["name"][0]=$attributes["firstname"]." ".$attributes["surname"];
}
*/
if (count($mod)==0) { return (false); }
return ($mod);
}
/**
* Convert 8bit characters e.g. accented characters to UTF8 encoded characters
*/
protected function encode8Bit(&$item, $key) {
$encode = false;
if (is_string($item)) {
for ($i=0; $i<strlen($item); $i++) {
if (ord($item[$i]) >> 7) {
$encode = true;
}
}
}
if ($encode === true && $key != 'password') {
$item = utf8_encode($item);
}
}
/**
* Select a random domain controller from your domain controller array
*
* @return string
*/
protected function randomController() {
mt_srand(doubleval(microtime()) * 100000000); // For older PHP versions
/*if (sizeof($this->domainControllers) > 1) {
$adController = $this->domainControllers[array_rand($this->domainControllers)];
// Test if the controller is responding to pings
$ping = $this->pingController($adController);
if ($ping === false) {
// Find the current key in the domain controllers array
$key = array_search($adController, $this->domainControllers);
// Remove it so that we don't end up in a recursive loop
unset($this->domainControllers[$key]);
// Select a new controller
return $this->randomController();
}
else {
return ($adController);
}
} */
return $this->domainControllers[array_rand($this->domainControllers)];
}
/**
* Test basic connectivity to controller
*
* @return bool
*/
protected function pingController($host) {
$port = $this->adPort;
fsockopen($host, $port, $errno, $errstr, 10);
if ($errno > 0) {
return false;
}
return true;
}
}
/**
* adLDAP Exception Handler
*
* Exceptions of this type are thrown on bind failure or when SSL is required but not configured
* Example:
* try {
* $adldap = new adLDAP();
* }
* catch (adLDAPException $e) {
* echo $e;
* exit();
* }
*/
class adLDAPException extends \Exception {}
?>

147
src/mibew/libs/adldap/classes/adLDAPComputers.php Normal file
View File

@ -0,0 +1,147 @@
<?php
namespace adLDAP\classes;
use adLDAP\adLDAP;
/**
* PHP LDAP CLASS FOR MANIPULATING ACTIVE DIRECTORY
* Version 5.0.0
*
* PHP Version 5 with SSL and LDAP support
*
* Written by Scott Barnett, Richard Hyland
* email: scott@wiggumworld.com, adldap@richardhyland.com
* http://github.com/adldap/adLDAP
*
* Copyright (c) 2006-2014 Scott Barnett, Richard Hyland
*
* We'd appreciate any improvements or additions to be submitted back
* to benefit the entire community :)
*
* This library is free software; you can redistribute it and/or
* modify it under the terms of the GNU Lesser General Public
* License as published by the Free Software Foundation; either
* version 2.1 of the License.
*
* This library is distributed in the hope that it will be useful,
* but WITHOUT ANY WARRANTY; without even the implied warranty of
* MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU
* Lesser General Public License for more details.
*
* @category ToolsAndUtilities
* @package adLDAP
* @subpackage Computers
* @author Scott Barnett, Richard Hyland
* @copyright (c) 2006-2014 Scott Barnett, Richard Hyland
* @license http://www.gnu.org/licenses/old-licenses/lgpl-2.1.html LGPLv2.1
* @version 5.0.0
* @link http://github.com/adldap/adLDAP
*/
require_once(dirname(__FILE__) . '/../adLDAP.php');
require_once(dirname(__FILE__) . '/../collections/adLDAPComputerCollection.php');
/**
* COMPUTER MANAGEMENT FUNCTIONS
*/
class adLDAPComputers {
/**
* The current adLDAP connection via dependency injection
*
* @var adLDAP
*/
protected $adldap;
public function __construct(adLDAP $adldap) {
$this->adldap = $adldap;
}
/**
* Get information about a specific computer. Returned in a raw array format from AD
*
* @param string $computerName The name of the computer
* @param array $fields Attributes to return
* @return array
*/
public function info($computerName, $fields = NULL) {
if ($computerName === NULL) { return false; }
if (!$this->adldap->getLdapBind()) { return false; }
$filter = "(&(objectClass=computer)(cn=" . $computerName . "))";
if ($fields === NULL) {
$fields = array("memberof","cn","displayname","dnshostname","distinguishedname","objectcategory","operatingsystem","operatingsystemservicepack","operatingsystemversion");
}
$sr = ldap_search($this->adldap->getLdapConnection(), $this->adldap->getBaseDn(), $filter, $fields);
$entries = ldap_get_entries($this->adldap->getLdapConnection(), $sr);
return $entries;
}
/**
* Find information about the computers. Returned in a raw array format from AD
*
* @param string $computerName The name of the computer
* @param array $fields Array of parameters to query
* @return mixed
*/
public function infoCollection($computerName, $fields = NULL) {
if ($computerName === NULL) { return false; }
if (!$this->adldap->getLdapBind()) { return false; }
$info = $this->info($computerName, $fields);
if ($info !== false) {
$collection = new \adLDAP\collections\adLDAPComputerCollection($info, $this->adldap);
return $collection;
}
return false;
}
/**
* Check if a computer is in a group
*
* @param string $computerName The name of the computer
* @param string $group The group to check
* @param bool $recursive Whether to check recursively
* @return array
*/
public function inGroup($computerName, $group, $recursive = NULL) {
if ($computerName === NULL) { return false; }
if ($group === NULL) { return false; }
if (!$this->adldap->getLdapBind()) { return false; }
if ($recursive === NULL) { $recursive = $this->adldap->getRecursiveGroups(); } // use the default option if they haven't set it
//get a list of the groups
$groups = $this->groups($computerName, array("memberof"), $recursive);
//return true if the specified group is in the group list
if (in_array($group, $groups)) {
return true;
}
return false;
}
/**
* Get the groups a computer is in
*
* @param string $computerName The name of the computer
* @param bool $recursive Whether to check recursively
* @return array
*/
public function groups($computerName, $recursive = NULL) {
if ($computerName === NULL) { return false; }
if ($recursive === NULL) { $recursive = $this->adldap->getRecursiveGroups(); } //use the default option if they haven't set it
if (!$this->adldap->getLdapBind()){ return false; }
//search the directory for their information
$info = @$this->info($computerName, array("memberof", "primarygroupid"));
$groups = $this->adldap->utilities()->niceNames($info[0]["memberof"]); //presuming the entry returned is our guy (unique usernames)
if ($recursive === true) {
foreach ($groups as $id => $groupName){
$extraGroups = $this->adldap->group()->recursiveGroups($groupName);
$groups = array_merge($groups, $extraGroups);
}
}
return $groups;
}
}
?>

283
src/mibew/libs/adldap/classes/adLDAPContacts.php Normal file
View File

@ -0,0 +1,283 @@
<?php
namespace adLDAP\classes;
use adLDAP\adLDAP;
/**
* PHP LDAP CLASS FOR MANIPULATING ACTIVE DIRECTORY
* Version 5.0.0
*
* PHP Version 5 with SSL and LDAP support
*
* Written by Scott Barnett, Richard Hyland
* email: scott@wiggumworld.com, adldap@richardhyland.com
* http://github.com/adldap/adLDAP
*
* Copyright (c) 2006-2014 Scott Barnett, Richard Hyland
*
* We'd appreciate any improvements or additions to be submitted back
* to benefit the entire community :)
*
* This library is free software; you can redistribute it and/or
* modify it under the terms of the GNU Lesser General Public
* License as published by the Free Software Foundation; either
* version 2.1 of the License.
*
* This library is distributed in the hope that it will be useful,
* but WITHOUT ANY WARRANTY; without even the implied warranty of
* MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU
* Lesser General Public License for more details.
*
* @category ToolsAndUtilities
* @package adLDAP
* @subpackage Contacts
* @author Scott Barnett, Richard Hyland
* @copyright (c) 2006-2014 Scott Barnett, Richard Hyland
* @license http://www.gnu.org/licenses/old-licenses/lgpl-2.1.html LGPLv2.1
* @version 5.0.0
* @link http://github.com/adldap/adLDAP
*/
require_once(dirname(__FILE__) . '/../adLDAP.php');
require_once(dirname(__FILE__) . '/../collections/adLDAPContactCollection.php');
class adLDAPContacts {
/**
* The current adLDAP connection via dependency injection
*
* @var adLDAP
*/
protected $adldap;
public function __construct(adLDAP $adldap) {
$this->adldap = $adldap;
}
//*****************************************************************************************************************
// CONTACT FUNCTIONS
// * Still work to do in this area, and new functions to write
/**
* Create a contact
*
* @param array $attributes The attributes to set to the contact
* @return bool
*/
public function create($attributes) {
// Check for compulsory fields
if (!array_key_exists("display_name", $attributes)) { return "Missing compulsory field [display_name]"; }
if (!array_key_exists("email", $attributes)) { return "Missing compulsory field [email]"; }
if (!array_key_exists("container", $attributes)) { return "Missing compulsory field [container]"; }
if (!is_array($attributes["container"])) { return "Container attribute must be an array."; }
// Translate the schema
$add = $this->adldap->adldap_schema($attributes);
// Additional stuff only used for adding contacts
$add["cn"][0] = $attributes["display_name"];
$add["objectclass"][0] = "top";
$add["objectclass"][1] = "person";
$add["objectclass"][2] = "organizationalPerson";
$add["objectclass"][3] = "contact";
if (!isset($attributes['exchange_hidefromlists'])) {
$add["msExchHideFromAddressLists"][0] = "TRUE";
}
// Determine the container
$attributes["container"] = array_reverse($attributes["container"]);
$container= "OU=" . implode(",OU=", $attributes["container"]);
// Add the entry
$result = @ldap_add($this->adldap->getLdapConnection(), "CN=" . $this->adldap->utilities()->escapeCharacters($add["cn"][0]) . ", " . $container . "," . $this->adldap->getBaseDn(), $add);
if ($result != true) {
return false;
}
return true;
}
/**
* Determine the list of groups a contact is a member of
*
* @param string $distinguisedname The full DN of a contact
* @param bool $recursive Recursively check groups
* @return array
*/
public function groups($distinguishedName, $recursive = NULL) {
if ($distinguishedName === NULL) { return false; }
if ($recursive === NULL) { $recursive = $this->adldap->getRecursiveGroups(); } //use the default option if they haven't set it
if (!$this->adldap->getLdapBind()){ return false; }
// Search the directory for their information
$info = @$this->info($distinguishedName, array("memberof", "primarygroupid"));
$groups = $this->adldap->utilities()->niceNames($info[0]["memberof"]); //presuming the entry returned is our contact
if ($recursive === true) {
foreach ($groups as $id => $groupName) {
$extraGroups = $this->adldap->group()->recursiveGroups($groupName);
$groups = array_merge($groups, $extraGroups);
}
}
return $groups;
}
/**
* Get contact information. Returned in a raw array format from AD
*
* @param string $distinguisedname The full DN of a contact
* @param array $fields Attributes to be returned
* @return array
*/
public function info($distinguishedName, $fields = NULL)
{
if ($distinguishedName === NULL) { return false; }
if (!$this->adldap->getLdapBind()) { return false; }
$filter = "distinguishedName=" . $this->adldap->utilities()->ldapSlashes($distinguishedName);
if ($fields === NULL) {
$fields = array("distinguishedname", "mail", "memberof", "department", "displayname", "telephonenumber", "primarygroupid", "objectsid");
}
$sr = ldap_search($this->adldap->getLdapConnection(), $this->adldap->getBaseDn(), $filter, $fields);
$entries = ldap_get_entries($this->adldap->getLdapConnection(), $sr);
if ($entries[0]['count'] >= 1) {
// AD does not return the primary group in the ldap query, we may need to fudge it
if ($this->adldap->getRealPrimaryGroup() && isset($entries[0]["primarygroupid"][0]) && isset($entries[0]["primarygroupid"][0])) {
//$entries[0]["memberof"][]=$this->group_cn($entries[0]["primarygroupid"][0]);
$entries[0]["memberof"][] = $this->adldap->group()->getPrimaryGroup($entries[0]["primarygroupid"][0], $entries[0]["objectsid"][0]);
} else {
$entries[0]["memberof"][] = "CN=Domain Users,CN=Users," . $this->adldap->getBaseDn();
}
}
$entries[0]["memberof"]["count"]++;
return $entries;
}
/**
* Find information about the contacts. Returned in a raw array format from AD
*
* @param string $distinguishedName The full DN of a contact
* @param array $fields Array of parameters to query
* @return mixed
*/
public function infoCollection($distinguishedName, $fields = NULL) {
if ($distinguishedName === NULL) { return false; }
if (!$this->adldap->getLdapBind()) { return false; }
$info = $this->info($distinguishedName, $fields);
if ($info !== false) {
$collection = new \adLDAP\collections\adLDAPContactCollection($info, $this->adldap);
return $collection;
}
return false;
}
/**
* Determine if a contact is a member of a group
*
* @param string $distinguisedName The full DN of a contact
* @param string $group The group name to query
* @param bool $recursive Recursively check groups
* @return bool
*/
public function inGroup($distinguisedName, $group, $recursive = NULL) {
if ($distinguisedName === NULL) { return false; }
if ($group === NULL) { return false; }
if (!$this->adldap->getLdapBind()) { return false; }
if ($recursive === NULL) { $recursive = $this->adldap->getRecursiveGroups(); } //use the default option if they haven't set it
// Get a list of the groups
$groups = $this->groups($distinguisedName, array("memberof"), $recursive);
// Return true if the specified group is in the group list
if (in_array($group, $groups)) {
return true;
}
return false;
}
/**
* Modify a contact
*
* @param string $distinguishedName The contact to query
* @param array $attributes The attributes to modify. Note if you set the enabled attribute you must not specify any other attributes
* @return bool
*/
public function modify($distinguishedName, $attributes) {
if ($distinguishedName === NULL) { return "Missing compulsory field [distinguishedname]"; }
// Translate the update to the LDAP schema
$mod = $this->adldap->adldap_schema($attributes);
// Check to see if this is an enabled status update
if (!$mod) {
return false;
}
// Do the update
$result = ldap_modify($this->adldap->getLdapConnection(), $distinguishedName, $mod);
if ($result == false) {
return false;
}
return true;
}
/**
* Delete a contact
*
* @param string $distinguishedName The contact dn to delete (please be careful here!)
* @return array
*/
public function delete($distinguishedName) {
$result = $this->folder()->delete($distinguishedName);
if ($result != true) {
return false;
}
return true;
}
/**
* Return a list of all contacts
*
* @param bool $includeDescription Include a description of a contact
* @param string $search The search parameters
* @param bool $sorted Whether to sort the results
* @return array
*/
public function all($includeDescription = false, $search = "*", $sorted = true) {
if (!$this->adldap->getLdapBind()) { return false; }
// Perform the search and grab all their details
$filter = "(&(objectClass=contact)(cn=" . $search . "))";
$fields = array("displayname","distinguishedname");
$sr = ldap_search($this->adldap->getLdapConnection(), $this->adldap->getBaseDn(), $filter, $fields);
$entries = ldap_get_entries($this->adldap->getLdapConnection(), $sr);
$usersArray = array();
for ($i=0; $i<$entries["count"]; $i++) {
if ($includeDescription && strlen($entries[$i]["displayname"][0])>0){
$usersArray[$entries[$i]["distinguishedname"][0]] = $entries[$i]["displayname"][0];
} elseif ($includeDescription){
$usersArray[$entries[$i]["distinguishedname"][0]] = $entries[$i]["distinguishedname"][0];
} else {
array_push($usersArray, $entries[$i]["distinguishedname"][0]);
}
}
if ($sorted) {
asort($usersArray);
}
return $usersArray;
}
/**
* Mail enable a contact
* Allows email to be sent to them through Exchange
*
* @param string $distinguishedname The contact to mail enable
* @param string $emailaddress The email address to allow emails to be sent through
* @param string $mailnickname The mailnickname for the contact in Exchange. If NULL this will be set to the display name
* @return bool
*/
public function contactMailEnable($distinguishedName, $emailAddress, $mailNickname = NULL) {
return $this->adldap->exchange()->contactMailEnable($distinguishedName, $emailAddress, $mailNickname);
}
}
?>

376
src/mibew/libs/adldap/classes/adLDAPExchange.php Normal file
View File

@ -0,0 +1,376 @@
<?php
namespace adLDAP\classes;
use adLDAP\adLDAP;
/**
* PHP LDAP CLASS FOR MANIPULATING ACTIVE DIRECTORY
* Version 5.0.0
*
* PHP Version 5 with SSL and LDAP support
*
* Written by Scott Barnett, Richard Hyland
* email: scott@wiggumworld.com, adldap@richardhyland.com
* http://github.com/adldap/adLDAP
*
* Copyright (c) 2006-2014 Scott Barnett, Richard Hyland
*
* We'd appreciate any improvements or additions to be submitted back
* to benefit the entire community :)
*
* This library is free software; you can redistribute it and/or
* modify it under the terms of the GNU Lesser General Public
* License as published by the Free Software Foundation; either
* version 2.1 of the License.
*
* This library is distributed in the hope that it will be useful,
* but WITHOUT ANY WARRANTY; without even the implied warranty of
* MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU
* Lesser General Public License for more details.
*
* @category ToolsAndUtilities
* @package adLDAP
* @subpackage Exchange
* @author Scott Barnett, Richard Hyland
* @copyright (c) 2006-2014 Scott Barnett, Richard Hyland
* @license http://www.gnu.org/licenses/old-licenses/lgpl-2.1.html LGPLv2.1
* @version 5.0.0
* @link http://github.com/adldap/adLDAP
*/
require_once(dirname(__FILE__) . '/../adLDAP.php');
/**
* MICROSOFT EXCHANGE FUNCTIONS
*/
class adLDAPExchange {
/**
* The current adLDAP connection via dependency injection
*
* @var adLDAP
*/
protected $adldap;
public function __construct(adLDAP $adldap) {
$this->adldap = $adldap;
}
/**
* Create an Exchange account
*
* @param string $username The username of the user to add the Exchange account to
* @param array $storageGroup The mailbox, Exchange Storage Group, for the user account, this must be a full CN
* If the storage group has a different base_dn to the adLDAP configuration, set it using $base_dn
* @param string $emailAddress The primary email address to add to this user
* @param string $mailNickname The mail nick name. If mail nickname is blank, the username will be used
* @param bool $mdbUseDefaults Indicates whether the store should use the default quota, rather than the per-mailbox quota.
* @param string $baseDn Specify an alternative base_dn for the Exchange storage group
* @param bool $isGUID Is the username passed a GUID or a samAccountName
* @return bool
*/
public function createMailbox($username, $storageGroup, $emailAddress, $mailNickname=NULL, $useDefaults=TRUE, $baseDn=NULL, $isGUID=false) {
if ($username === NULL){ return "Missing compulsory field [username]"; }
if ($storageGroup === NULL) { return "Missing compulsory array [storagegroup]"; }
if (!is_array($storageGroup)) { return "[storagegroup] must be an array"; }
if ($emailAddress === NULL) { return "Missing compulsory field [emailAddress]"; }
if ($baseDn === NULL) {
$baseDn = $this->adldap->getBaseDn();
}
$container = "CN=" . implode(",CN=", $storageGroup);
if ($mailNickname === NULL) {
$mailNickname = $username;
}
$mdbUseDefaults = $this->adldap->utilities()->boolToString($useDefaults);
$attributes = array(
'exchange_homemdb'=>$container.",".$baseDn,
'exchange_proxyaddress'=>'SMTP:' . $emailAddress,
'exchange_mailnickname'=>$mailNickname,
'exchange_usedefaults'=>$mdbUseDefaults
);
$result = $this->adldap->user()->modify($username, $attributes, $isGUID);
if ($result == false) {
return false;
}
return true;
}
/**
* Add an X400 address to Exchange
* See http://tools.ietf.org/html/rfc1685 for more information.
* An X400 Address looks similar to this X400:c=US;a= ;p=Domain;o=Organization;s=Doe;g=John;
*
* @param string $username The username of the user to add the X400 to to
* @param string $country Country
* @param string $admd Administration Management Domain
* @param string $pdmd Private Management Domain (often your AD domain)
* @param string $org Organization
* @param string $surname Surname
* @param string $givenName Given name
* @param bool $isGUID Is the username passed a GUID or a samAccountName
* @return bool
*/
public function addX400($username, $country, $admd, $pdmd, $org, $surname, $givenName, $isGUID=false) {
if ($username === NULL) { return "Missing compulsory field [username]"; }
$proxyValue = 'X400:';
// Find the dn of the user
$user = $this->adldap->user()->info($username, array("cn","proxyaddresses"), $isGUID);
if ($user[0]["dn"] === NULL) { return false; }
$userDn = $user[0]["dn"];
// We do not have to demote an email address from the default so we can just add the new proxy address
$attributes['exchange_proxyaddress'] = $proxyValue . 'c=' . $country . ';a=' . $admd . ';p=' . $pdmd . ';o=' . $org . ';s=' . $surname . ';g=' . $givenName . ';';
// Translate the update to the LDAP schema
$add = $this->adldap->adldap_schema($attributes);
if (!$add) { return false; }
// Do the update
// Take out the @ to see any errors, usually this error might occur because the address already
// exists in the list of proxyAddresses
$result = @ldap_mod_add($this->adldap->getLdapConnection(), $userDn, $add);
if ($result == false) {
return false;
}
return true;
}
/**
* Add an address to Exchange
*
* @param string $username The username of the user to add the Exchange account to
* @param string $emailAddress The email address to add to this user
* @param bool $default Make this email address the default address, this is a bit more intensive as we have to demote any existing default addresses
* @param bool $isGUID Is the username passed a GUID or a samAccountName
* @return bool
*/
public function addAddress($username, $emailAddress, $default = FALSE, $isGUID = false) {
if ($username === NULL) { return "Missing compulsory field [username]"; }
if ($emailAddress === NULL) { return "Missing compulsory fields [emailAddress]"; }
$proxyValue = 'smtp:';
if ($default === true) {
$proxyValue = 'SMTP:';
}
// Find the dn of the user
$user = $this->adldap->user()->info($username, array("cn","proxyaddresses"), $isGUID);
if ($user[0]["dn"] === NULL){ return false; }
$userDn = $user[0]["dn"];
// We need to scan existing proxy addresses and demote the default one
if (is_array($user[0]["proxyaddresses"]) && $default === true) {
$modAddresses = array();
for ($i=0;$i<sizeof($user[0]['proxyaddresses']);$i++) {
if (strstr($user[0]['proxyaddresses'][$i], 'SMTP:') !== false) {
$user[0]['proxyaddresses'][$i] = str_replace('SMTP:', 'smtp:', $user[0]['proxyaddresses'][$i]);
}
if ($user[0]['proxyaddresses'][$i] != '') {
$modAddresses['proxyAddresses'][$i] = $user[0]['proxyaddresses'][$i];
}
}
$modAddresses['proxyAddresses'][(sizeof($user[0]['proxyaddresses'])-1)] = 'SMTP:' . $emailAddress;
$result = @ldap_mod_replace($this->adldap->getLdapConnection(), $userDn, $modAddresses);
if ($result == false) {
return false;
}
return true;
}
else {
// We do not have to demote an email address from the default so we can just add the new proxy address
$attributes['exchange_proxyaddress'] = $proxyValue . $emailAddress;
// Translate the update to the LDAP schema
$add = $this->adldap->adldap_schema($attributes);
if (!$add) {
return false;
}
// Do the update
// Take out the @ to see any errors, usually this error might occur because the address already
// exists in the list of proxyAddresses
$result = @ldap_mod_add($this->adldap->getLdapConnection(), $userDn,$add);
if ($result == false) {
return false;
}
return true;
}
}
/**
* Remove an address to Exchange
* If you remove a default address the account will no longer have a default,
* we recommend changing the default address first
*
* @param string $username The username of the user to add the Exchange account to
* @param string $emailAddress The email address to add to this user
* @param bool $isGUID Is the username passed a GUID or a samAccountName
* @return bool
*/
public function deleteAddress($username, $emailAddress, $isGUID=false) {
if ($username === NULL) { return "Missing compulsory field [username]"; }
if ($emailAddress === NULL) { return "Missing compulsory fields [emailAddress]"; }
// Find the dn of the user
$user = $this->adldap->user()->info($username, array("cn","proxyaddresses"), $isGUID);
if ($user[0]["dn"] === NULL) { return false; }
$userDn = $user[0]["dn"];
if (is_array($user[0]["proxyaddresses"])) {
$mod = array();
for ($i=0;$i<sizeof($user[0]['proxyaddresses']);$i++) {
if (strstr($user[0]['proxyaddresses'][$i], 'SMTP:') !== false && $user[0]['proxyaddresses'][$i] == 'SMTP:' . $emailAddress) {
$mod['proxyAddresses'][0] = 'SMTP:' . $emailAddress;
}
elseif (strstr($user[0]['proxyaddresses'][$i], 'smtp:') !== false && $user[0]['proxyaddresses'][$i] == 'smtp:' . $emailAddress) {
$mod['proxyAddresses'][0] = 'smtp:' . $emailAddress;
}
}
$result = @ldap_mod_del($this->adldap->getLdapConnection(), $userDn,$mod);
if ($result == false) {
return false;
}
return true;
}
else {
return false;
}
}
/**
* Change the default address
*
* @param string $username The username of the user to add the Exchange account to
* @param string $emailAddress The email address to make default
* @param bool $isGUID Is the username passed a GUID or a samAccountName
* @return bool
*/
public function primaryAddress($username, $emailAddress, $isGUID = false) {
if ($username === NULL) { return "Missing compulsory field [username]"; }
if ($emailAddress === NULL) { return "Missing compulsory fields [emailAddress]"; }
// Find the dn of the user
$user = $this->adldap->user()->info($username, array("cn","proxyaddresses"), $isGUID);
if ($user[0]["dn"] === NULL) { return false; }
$userDn = $user[0]["dn"];
if (is_array($user[0]["proxyaddresses"])) {
$modAddresses = array();
for ($i=0;$i<sizeof($user[0]['proxyaddresses']);$i++) {
if (strstr($user[0]['proxyaddresses'][$i], 'SMTP:') !== false) {
$user[0]['proxyaddresses'][$i] = str_replace('SMTP:', 'smtp:', $user[0]['proxyaddresses'][$i]);
}
if ($user[0]['proxyaddresses'][$i] == 'smtp:' . $emailAddress) {
$user[0]['proxyaddresses'][$i] = str_replace('smtp:', 'SMTP:', $user[0]['proxyaddresses'][$i]);
}
if ($user[0]['proxyaddresses'][$i] != '') {
$modAddresses['proxyAddresses'][$i] = $user[0]['proxyaddresses'][$i];
}
}
$result = @ldap_mod_replace($this->adldap->getLdapConnection(), $userDn, $modAddresses);
if ($result == false) {
return false;
}
return true;
}
}
/**
* Mail enable a contact
* Allows email to be sent to them through Exchange
*
* @param string $distinguishedName The contact to mail enable
* @param string $emailAddress The email address to allow emails to be sent through
* @param string $mailNickname The mailnickname for the contact in Exchange. If NULL this will be set to the display name
* @return bool
*/
public function contactMailEnable($distinguishedName, $emailAddress, $mailNickname = NULL) {
if ($distinguishedName === NULL) { return "Missing compulsory field [distinguishedName]"; }
if ($emailAddress === NULL) { return "Missing compulsory field [emailAddress]"; }
if ($mailNickname !== NULL) {
// Find the dn of the user
$user = $this->adldap->contact()->info($distinguishedName, array("cn","displayname"));
if ($user[0]["displayname"] === NULL) { return false; }
$mailNickname = $user[0]['displayname'][0];
}
$attributes = array("email"=>$emailAddress,"contact_email"=>"SMTP:" . $emailAddress,"exchange_proxyaddress"=>"SMTP:" . $emailAddress,"exchange_mailnickname" => $mailNickname);
// Translate the update to the LDAP schema
$mod = $this->adldap->adldap_schema($attributes);
// Check to see if this is an enabled status update
if (!$mod) { return false; }
// Do the update
$result = ldap_modify($this->adldap->getLdapConnection(), $distinguishedName, $mod);
if ($result == false) { return false; }
return true;
}
/**
* Returns a list of Exchange Servers in the ConfigurationNamingContext of the domain
*
* @param array $attributes An array of the AD attributes you wish to return
* @return array
*/
public function servers($attributes = array('cn','distinguishedname','serialnumber')) {
if (!$this->adldap->getLdapBind()) { return false; }
$configurationNamingContext = $this->adldap->getRootDse(array('configurationnamingcontext'));
$sr = @ldap_search($this->adldap->getLdapConnection(), $configurationNamingContext[0]['configurationnamingcontext'][0],'(&(objectCategory=msExchExchangeServer))', $attributes);
$entries = @ldap_get_entries($this->adldap->getLdapConnection(), $sr);
return $entries;
}
/**
* Returns a list of Storage Groups in Exchange for a given mail server
*
* @param string $exchangeServer The full DN of an Exchange server. You can use exchange_servers() to find the DN for your server
* @param array $attributes An array of the AD attributes you wish to return
* @param bool $recursive If enabled this will automatically query the databases within a storage group
* @return array
*/
public function storageGroups($exchangeServer, $attributes = array('cn','distinguishedname'), $recursive = NULL) {
if (!$this->adldap->getLdapBind()) { return false; }
if ($exchangeServer === NULL) { return "Missing compulsory field [exchangeServer]"; }
if ($recursive === NULL) { $recursive = $this->adldap->getRecursiveGroups(); }
$filter = '(&(objectCategory=msExchStorageGroup))';
$sr = @ldap_search($this->adldap->getLdapConnection(), $exchangeServer, $filter, $attributes);
$entries = @ldap_get_entries($this->adldap->getLdapConnection(), $sr);
if ($recursive === true) {
for ($i=0; $i<$entries['count']; $i++) {
$entries[$i]['msexchprivatemdb'] = $this->storageDatabases($entries[$i]['distinguishedname'][0]);
}
}
return $entries;
}
/**
* Returns a list of Databases within any given storage group in Exchange for a given mail server
*
* @param string $storageGroup The full DN of an Storage Group. You can use exchange_storage_groups() to find the DN
* @param array $attributes An array of the AD attributes you wish to return
* @return array
*/
public function storageDatabases($storageGroup, $attributes = array('cn','distinguishedname','displayname')) {
if (!$this->adldap->getLdapBind()) { return false; }
if ($storageGroup === NULL) { return "Missing compulsory field [storageGroup]"; }
$filter = '(&(objectCategory=msExchPrivateMDB))';
$sr = @ldap_search($this->adldap->getLdapConnection(), $storageGroup, $filter, $attributes);
$entries = @ldap_get_entries($this->adldap->getLdapConnection(), $sr);
return $entries;
}
}
?>

175
src/mibew/libs/adldap/classes/adLDAPFolders.php Normal file
View File

@ -0,0 +1,175 @@
<?php
namespace adLDAP\classes;
use adLDAP\adLDAP;
/**
* PHP LDAP CLASS FOR MANIPULATING ACTIVE DIRECTORY
* Version 5.0.0
*
* PHP Version 5 with SSL and LDAP support
*
* Written by Scott Barnett, Richard Hyland
* email: scott@wiggumworld.com, adldap@richardhyland.com
* http://github.com/adldap/adLDAP
*
* Copyright (c) 2006-2014 Scott Barnett, Richard Hyland
*
* We'd appreciate any improvements or additions to be submitted back
* to benefit the entire community :)
*
* This library is free software; you can redistribute it and/or
* modify it under the terms of the GNU Lesser General Public
* License as published by the Free Software Foundation; either
* version 2.1 of the License.
*
* This library is distributed in the hope that it will be useful,
* but WITHOUT ANY WARRANTY; without even the implied warranty of
* MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU
* Lesser General Public License for more details.
*
* @category ToolsAndUtilities
* @package adLDAP
* @subpackage Folders
* @author Scott Barnett, Richard Hyland
* @copyright (c) 2006-2014 Scott Barnett, Richard Hyland
* @license http://www.gnu.org/licenses/old-licenses/lgpl-2.1.html LGPLv2.1
* @version 5.0.0
* @link http://github.com/adldap/adLDAP
*/
require_once(dirname(__FILE__) . '/../adLDAP.php');
/**
* FOLDER / OU MANAGEMENT FUNCTIONS
*/
class adLDAPFolders {
/**
* The current adLDAP connection via dependency injection
*
* @var adLDAP
*/
protected $adldap;
public function __construct(adLDAP $adldap) {
$this->adldap = $adldap;
}
/**
* Delete a distinguished name from Active Directory
* You should never need to call this yourself, just use the wrapper functions user_delete and contact_delete
*
* @param string $dn The distinguished name to delete
* @return bool
*/
public function delete($dn) {
$result = ldap_delete($this->adldap->getLdapConnection(), $dn);
if ($result != true) {
return false;
}
return true;
}
/**
* Returns a folder listing for a specific OU
* See http://adldap.sourceforge.net/wiki/doku.php?id=api_folder_functions
*
* @param array $folderName An array to the OU you wish to list.
* If set to NULL will list the root, strongly recommended to set
* $recursive to false in that instance!
* @param string $dnType The type of record to list. This can be ADLDAP_FOLDER or ADLDAP_CONTAINER.
* @param bool $recursive Recursively search sub folders
* @param bool $type Specify a type of object to search for
* @return array
*/
public function listing($folderName = NULL, $dnType = adLDAP::ADLDAP_FOLDER, $recursive = NULL, $type = NULL) {
if ($recursive === NULL) { $recursive = $this->adldap->getRecursiveGroups(); } //use the default option if they haven't set it
if (!$this->adldap->getLdapBind()) { return false; }
$filter = '(&';
if ($type !== NULL) {
switch ($type) {
case 'contact':
$filter .= '(objectClass=contact)';
break;
case 'computer':
$filter .= '(objectClass=computer)';
break;
case 'group':
$filter .= '(objectClass=group)';
break;
case 'folder':
$filter .= '(objectClass=organizationalUnit)';
break;
case 'container':
$filter .= '(objectClass=container)';
break;
case 'domain':
$filter .= '(objectClass=builtinDomain)';
break;
default:
$filter .= '(objectClass=user)';
break;
}
}
else {
$filter .= '(objectClass=*)';
}
// If the folder name is null then we will search the root level of AD
// This requires us to not have an OU= part, just the base_dn
$searchOu = $this->adldap->getBaseDn();
if (is_array($folderName)) {
$ou = $dnType . "=" . implode("," . $dnType . "=", $folderName);
$filter .= '(!(distinguishedname=' . $ou . ',' . $this->adldap->getBaseDn() . ')))';
$searchOu = $ou . ',' . $this->adldap->getBaseDn();
}
else {
$filter .= '(!(distinguishedname=' . $this->adldap->getBaseDn() . ')))';
}
if ($recursive === true) {
$sr = ldap_search($this->adldap->getLdapConnection(), $searchOu, $filter, array('objectclass', 'distinguishedname', 'samaccountname'));
$entries = @ldap_get_entries($this->adldap->getLdapConnection(), $sr);
if (is_array($entries)) {
return $entries;
}
}
else {
$sr = ldap_list($this->adldap->getLdapConnection(), $searchOu, $filter, array('objectclass', 'distinguishedname', 'samaccountname'));
$entries = @ldap_get_entries($this->adldap->getLdapConnection(), $sr);
if (is_array($entries)) {
return $entries;
}
}
return false;
}
/**
* Create an organizational unit
*
* @param array $attributes Default attributes of the ou
* @return bool
*/
public function create($attributes) {
if (!is_array($attributes)) { return "Attributes must be an array"; }
if (!is_array($attributes["container"])) { return "Container attribute must be an array."; }
if (!array_key_exists("ou_name",$attributes)) { return "Missing compulsory field [ou_name]"; }
if (!array_key_exists("container",$attributes)) { return "Missing compulsory field [container]"; }
$attributes["container"] = array_reverse($attributes["container"]);
$add=array();
$add["objectClass"] = "organizationalUnit";
$add["OU"] = $attributes['ou_name'];
$containers = "";
if (count($attributes['container']) > 0) {
$containers = "OU=" . implode(",OU=", $attributes["container"]) . ",";
}
$containers = "OU=" . implode(",OU=", $attributes["container"]);
$result = ldap_add($this->adldap->getLdapConnection(), "OU=" . $add["OU"] . ", " . $containers . $this->adldap->getBaseDn(), $add);
if ($result != true) {
return false;
}
return true;
}
}
?>

656
src/mibew/libs/adldap/classes/adLDAPGroups.php Normal file
View File

@ -0,0 +1,656 @@
<?php
namespace adLDAP\classes;
use adLDAP\adLDAP;
/**
* PHP LDAP CLASS FOR MANIPULATING ACTIVE DIRECTORY
* Version 5.0.0
*
* PHP Version 5 with SSL and LDAP support
*
* Written by Scott Barnett, Richard Hyland
* email: scott@wiggumworld.com, adldap@richardhyland.com
* http://github.com/adldap/adLDAP
*
* Copyright (c) 2006-2014 Scott Barnett, Richard Hyland
*
* We'd appreciate any improvements or additions to be submitted back
* to benefit the entire community :)
*
* This library is free software; you can redistribute it and/or
* modify it under the terms of the GNU Lesser General Public
* License as published by the Free Software Foundation; either
* version 2.1 of the License.
*
* This library is distributed in the hope that it will be useful,
* but WITHOUT ANY WARRANTY; without even the implied warranty of
* MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU
* Lesser General Public License for more details.
*
* @category ToolsAndUtilities
* @package adLDAP
* @subpackage Groups
* @author Scott Barnett, Richard Hyland
* @copyright (c) 2006-2014 Scott Barnett, Richard Hyland
* @license http://www.gnu.org/licenses/old-licenses/lgpl-2.1.html LGPLv2.1
* @version 5.0.0
* @link http://github.com/adldap/adLDAP
*/
require_once(dirname(__FILE__) . '/../adLDAP.php');
require_once(dirname(__FILE__) . '/../collections/adLDAPGroupCollection.php');
/**
* GROUP FUNCTIONS
*/
class adLDAPGroups {
/**
* The current adLDAP connection via dependency injection
*
* @var adLDAP
*/
protected $adldap;
public function __construct(adLDAP $adldap) {
$this->adldap = $adldap;
}
/**
* Add a group to a group
*
* @param string $parent The parent group name
* @param string $child The child group name
* @return bool
*/
public function addGroup($parent,$child) {
// Find the parent group's dn
$parentGroup = $this->ginfo($parent, array("cn"));
if ($parentGroup[0]["dn"] === NULL) {
return false;
}
$parentDn = $parentGroup[0]["dn"];
// Find the child group's dn
$childGroup = $this->info($child, array("cn"));
if ($childGroup[0]["dn"] === NULL) {
return false;
}
$childDn = $childGroup[0]["dn"];
$add = array();
$add["member"] = $childDn;
$result = @ldap_mod_add($this->adldap->getLdapConnection(), $parentDn, $add);
if ($result == false) {
return false;
}
return true;
}
/**
* Add a user to a group
*
* @param string $group The group to add the user to
* @param string $user The user to add to the group
* @param bool $isGUID Is the username passed a GUID or a samAccountName
* @return bool
*/
public function addUser($group, $user, $isGUID = false) {
// Adding a user is a bit fiddly, we need to get the full DN of the user
// and add it using the full DN of the group
// Find the user's dn
$userDn = $this->adldap->user()->dn($user, $isGUID);
if ($userDn === false) {
return false;
}
// Find the group's dn
$groupInfo = $this->info($group, array("cn"));
if ($groupInfo[0]["dn"] === NULL) {
return false;
}
$groupDn = $groupInfo[0]["dn"];
$add = array();
$add["member"] = $userDn;
$result = @ldap_mod_add($this->adldap->getLdapConnection(), $groupDn, $add);
if ($result == false) {
return false;
}
return true;
}
/**
* Add a contact to a group
*
* @param string $group The group to add the contact to
* @param string $contactDn The DN of the contact to add
* @return bool
*/
public function addContact($group, $contactDn)
{
// To add a contact we take the contact's DN
// and add it using the full DN of the group
// Find the group's dn
$groupInfo = $this->info($group, array("cn"));
if ($groupInfo[0]["dn"] === NULL) {
return false;
}
$groupDn = $groupInfo[0]["dn"];
$add = array();
$add["member"] = $contactDn;
$result = @ldap_mod_add($this->adldap->getLdapConnection(), $groupDn, $add);
if ($result == false) {
return false;
}
return true;
}
/**
* Create a group
*
* @param array $attributes Default attributes of the group
* @return bool
*/
public function create($attributes) {
if (!is_array($attributes)) { return "Attributes must be an array"; }
if (!array_key_exists("group_name", $attributes)) { return "Missing compulsory field [group_name]"; }
if (!array_key_exists("container", $attributes)) { return "Missing compulsory field [container]"; }
if (!array_key_exists("description", $attributes)) { return "Missing compulsory field [description]"; }
if (!is_array($attributes["container"])) { return "Container attribute must be an array."; }
$attributes["container"] = array_reverse($attributes["container"]);
//$member_array = array();
//$member_array[0] = "cn=user1,cn=Users,dc=yourdomain,dc=com";
//$member_array[1] = "cn=administrator,cn=Users,dc=yourdomain,dc=com";
$add = array();
$add["cn"] = $attributes["group_name"];
$add["samaccountname"] = $attributes["group_name"];
$add["objectClass"] = "Group";
$add["description"] = $attributes["description"];
//$add["member"] = $member_array; UNTESTED
$container = "OU=" . implode(",OU=", $attributes["container"]);
$result = ldap_add($this->adldap->getLdapConnection(), "CN=" . $add["cn"] . ", " . $container . "," . $this->adldap->getBaseDn(), $add);
if ($result != true) {
return false;
}
return true;
}
/**
* Delete a group account
*
* @param string $group The group to delete (please be careful here!)
*
* @return array
*/
public function delete($group) {
if (!$this->adldap->getLdapBind()) { return false; }
if ($group === null) { return "Missing compulsory field [group]"; }
$groupInfo = $this->info($group, array("*"));
$dn = $groupInfo[0]['distinguishedname'][0];
$result = $this->adldap->folder()->delete($dn);
if ($result !== true) {
return false;
}
return true;
}
/**
* Remove a group from a group
*
* @param string $parent The parent group name
* @param string $child The child group name
* @return bool
*/
public function removeGroup($parent , $child) {
// Find the parent dn
$parentGroup = $this->info($parent, array("cn"));
if ($parentGroup[0]["dn"] === NULL) {
return false;
}
$parentDn = $parentGroup[0]["dn"];
// Find the child dn
$childGroup = $this->info($child, array("cn"));
if ($childGroup[0]["dn"] === NULL) {
return false;
}
$childDn = $childGroup[0]["dn"];
$del = array();
$del["member"] = $childDn;
$result = @ldap_mod_del($this->adldap->getLdapConnection(), $parentDn, $del);
if ($result == false) {
return false;
}
return true;
}
/**
* Remove a user from a group
*
* @param string $group The group to remove a user from
* @param string $user The AD user to remove from the group
* @param bool $isGUID Is the username passed a GUID or a samAccountName
* @return bool
*/
public function removeUser($group, $user, $isGUID = false) {
// Find the parent dn
$groupInfo = $this->info($group, array("cn"));
if ($groupInfo[0]["dn"] === NULL) {
return false;
}
$groupDn = $groupInfo[0]["dn"];
// Find the users dn
$userDn = $this->adldap->user()->dn($user, $isGUID);
if ($userDn === false) {
return false;
}
$del = array();
$del["member"] = $userDn;
$result = @ldap_mod_del($this->adldap->getLdapConnection(), $groupDn, $del);
if ($result == false) {
return false;
}
return true;
}
/**
* Remove a contact from a group
*
* @param string $group The group to remove a user from
* @param string $contactDn The DN of a contact to remove from the group
* @return bool
*/
public function removeContact($group, $contactDn) {
// Find the parent dn
$groupInfo = $this->info($group, array("cn"));
if ($groupInfo[0]["dn"] === NULL) {
return false;
}
$groupDn = $groupInfo[0]["dn"];
$del = array();
$del["member"] = $contactDn;
$result = @ldap_mod_del($this->adldap->getLdapConnection(), $groupDn, $del);
if ($result == false) {
return false;
}
return true;
}
/**
* Return a list of groups in a group
*
* @param string $group The group to query
* @param bool $recursive Recursively get groups
* @return array
*/
public function inGroup($group, $recursive = NULL) {
if (!$this->adldap->getLdapBind()){ return false; }
if ($recursive === NULL){ $recursive = $this->adldap->getRecursiveGroups(); } // Use the default option if they haven't set it
// Search the directory for the members of a group
$info = $this->info($group, array("member","cn"));
$groups = $info[0]["member"];
if (!is_array($groups)) {
return false;
}
$groupArray = array();
for ($i=0; $i<$groups["count"]; $i++) {
$filter = "(&(objectCategory=group)(distinguishedName=" . $this->adldap->utilities()->ldapSlashes($groups[$i]) . "))";
$fields = array("samaccountname", "distinguishedname", "objectClass");
$sr = ldap_search($this->adldap->getLdapConnection(), $this->adldap->getBaseDn(), $filter, $fields);
$entries = ldap_get_entries($this->adldap->getLdapConnection(), $sr);
// not a person, look for a group
if ($entries['count'] == 0 && $recursive == true) {
$filter = "(&(objectCategory=group)(distinguishedName=" . $this->adldap->utilities()->ldapSlashes($groups[$i]) . "))";
$fields = array("distinguishedname");
$sr = ldap_search($this->adldap->getLdapConnection(), $this->adldap->getBaseDn(), $filter, $fields);
$entries = ldap_get_entries($this->adldap->getLdapConnection(), $sr);
if (!isset($entries[0]['distinguishedname'][0])) {
continue;
}
$subGroups = $this->inGroup($entries[0]['distinguishedname'][0], $recursive);
if (is_array($subGroups)) {
$groupArray = array_merge($groupArray, $subGroups);
$groupArray = array_unique($groupArray);
}
continue;
}
$groupArray[] = $entries[0]['distinguishedname'][0];
}
return $groupArray;
}
/**
* Return a list of members in a group
*
* @param string $group The group to query
* @param bool $recursive Recursively get group members
* @return array
*/
public function members($group, $recursive = NULL) {
if (!$this->adldap->getLdapBind()) { return false; }
if ($recursive === NULL){ $recursive = $this->adldap->getRecursiveGroups(); } // Use the default option if they haven't set it
// Search the directory for the members of a group
$info = $this->info($group, array("member","cn"));
$users = $info[0]["member"];
if (!is_array($users)) {
return false;
}
$userArray = array();
for ($i=0; $i<$users["count"]; $i++) {
$filter = "(&(objectCategory=person)(distinguishedName=" . $this->adldap->utilities()->ldapSlashes($users[$i]) . "))";
$fields = array("samaccountname", "distinguishedname", "objectClass");
$sr = ldap_search($this->adldap->getLdapConnection(), $this->adldap->getBaseDn(), $filter, $fields);
$entries = ldap_get_entries($this->adldap->getLdapConnection(), $sr);
// not a person, look for a group
if ($entries['count'] == 0 && $recursive == true) {
$filter = "(&(objectCategory=group)(distinguishedName=" . $this->adldap->utilities()->ldapSlashes($users[$i]) . "))";
$fields = array("samaccountname");
$sr = ldap_search($this->adldap->getLdapConnection(), $this->adldap->getBaseDn(), $filter, $fields);
$entries = ldap_get_entries($this->adldap->getLdapConnection(), $sr);
if (!isset($entries[0]['samaccountname'][0])) {
continue;
}
$subUsers = $this->members($entries[0]['samaccountname'][0], $recursive);
if (is_array($subUsers)) {
$userArray = array_merge($userArray, $subUsers);
$userArray = array_unique($userArray);
}
continue;
}
else if ($entries['count'] == 0) {
continue;
}
if ((!isset($entries[0]['samaccountname'][0]) || $entries[0]['samaccountname'][0] === NULL) && $entries[0]['distinguishedname'][0] !== NULL) {
$userArray[] = $entries[0]['distinguishedname'][0];
}
else if ($entries[0]['samaccountname'][0] !== NULL) {
$userArray[] = $entries[0]['samaccountname'][0];
}
}
return $userArray;
}
/**
* Group Information. Returns an array of raw information about a group.
* The group name is case sensitive
*
* @param string $groupName The group name to retrieve info about
* @param array $fields Fields to retrieve
* @return array
*/
public function info($groupName, $fields = NULL) {
if ($groupName === NULL) { return false; }
if (!$this->adldap->getLdapBind()) { return false; }
if (stristr($groupName, '+')) {
$groupName = stripslashes($groupName);
}
$filter = "(&(objectCategory=group)(name=" . $this->adldap->utilities()->ldapSlashes($groupName) . "))";
if ($fields === NULL) {
$fields = array("member","memberof","cn","description","distinguishedname","objectcategory","samaccountname");
}
$sr = ldap_search($this->adldap->getLdapConnection(), $this->adldap->getBaseDn(), $filter, $fields);
$entries = ldap_get_entries($this->adldap->getLdapConnection(), $sr);
// Windows 2003: Returns up to 1500 values (Windows 2000 only 1000 is not supported).
if (isset($entries[0]['member;range=0-1499']) && $entries[0]['member;range=0-1499']['count'] == 1500) {
$entries[0]['member']['count'] = "0";
$rangestep = 1499; // Step site
$rangelow = 0; // Initial low range
$rangehigh = $rangelow + $rangestep; // Initial high range
// do until array_keys($members[0])[0] ends with a '*', e. g. member;range=1499-*. It indicates end of the range
do {
$sr = ldap_search($this->adldap->getLdapConnection(), $this->adldap->getBaseDn(), $filter, array("member;range=" . $rangelow . "-" . $rangehigh));
$members = ldap_get_entries($this->adldap->getLdapConnection(), $sr);
$memberrange = array_keys($members[0]);
$membercount = $members[0][$memberrange[0]]['count'];
// Copy range entries to member
for ($i = 0; $i <= $membercount -1; $i++) {
$entries[0]['member'][] = $members[0][$memberrange[0]][$i];
}
$entries[0]['member']['count'] += $membercount;
$rangelow += $rangestep +1;
$rangehigh += $rangestep +1;
} while (substr($memberrange[0], -1) != '*');
}
return $entries;
}
/**
* Group Information. Returns an collection
* The group name is case sensitive
*
* @param string $groupName The group name to retrieve info about
* @param array $fields Fields to retrieve
* @return \adLDAP\collections\adLDAPGroupCollection
*/
public function infoCollection($groupName, $fields = NULL) {
if ($groupName === NULL) { return false; }
if (!$this->adldap->getLdapBind()) { return false; }
$info = $this->info($groupName, $fields);
if ($info !== false) {
$collection = new \adLDAP\collections\adLDAPGroupCollection($info, $this->adldap);
return $collection;
}
return false;
}
/**
* Return a complete list of "groups in groups"
*
* @param string $group The group to get the list from
* @return array
*/
public function recursiveGroups($group) {
if ($group === NULL) { return false; }
$stack = array();
$processed = array();
$retGroups = array();
array_push($stack, $group); // Initial Group to Start with
while (count($stack) > 0) {
$parent = array_pop($stack);
array_push($processed, $parent);
$info = $this->info($parent, array("memberof"));
if (isset($info[0]["memberof"]) && is_array($info[0]["memberof"])) {
$groups = $info[0]["memberof"];
if ($groups) {
$groupNames = $this->adldap->utilities()->niceNames($groups);
$retGroups = array_merge($retGroups, $groupNames); //final groups to return
foreach ($groupNames as $id => $groupName) {
if (!in_array($groupName, $processed)) {
array_push($stack, $groupName);
}
}
}
}
}
return $retGroups;
}
/**
* Returns a complete list of the groups in AD based on a SAM Account Type
*
* @param string $sAMAaccountType The account type to return
* @param bool $includeDescription Whether to return a description
* @param string $search Search parameters
* @param bool $sorted Whether to sort the results
* @return array
*/
public function search($sAMAaccountType = adLDAP::ADLDAP_SECURITY_GLOBAL_GROUP, $includeDescription = false, $search = "*", $sorted = true) {
if (!$this->adldap->getLdapBind()) { return false; }
$filter = '(&(objectCategory=group)';
if ($sAMAaccountType !== null) {
$filter .= '(samaccounttype='. $sAMAaccountType .')';
}
$filter .= '(cn=' . $search . '))';
// Perform the search and grab all their details
$fields = array("samaccountname", "description");
$sr = ldap_search($this->adldap->getLdapConnection(), $this->adldap->getBaseDn(), $filter, $fields);
$entries = ldap_get_entries($this->adldap->getLdapConnection(), $sr);
$groupsArray = array();
for ($i=0; $i<$entries["count"]; $i++) {
if ($includeDescription && strlen($entries[$i]["description"][0]) > 0 ) {
$groupsArray[$entries[$i]["samaccountname"][0]] = $entries[$i]["description"][0];
}
else if ($includeDescription) {
$groupsArray[$entries[$i]["samaccountname"][0]] = $entries[$i]["samaccountname"][0];
}
else {
array_push($groupsArray, $entries[$i]["samaccountname"][0]);
}
}
if ($sorted) {
asort($groupsArray);
}
return $groupsArray;
}
/**
* Obtain the group's distinguished name based on their groupid
*
*
* @param string $groupname The groupname
* @return string
*/
public function dn($groupname) {
$group = $this->info($groupname, array("cn"));
if ($group[0]["dn"] === NULL) {
return false;
}
$groupDn = $group[0]["dn"];
return $groupDn;
}
/**
* Returns a complete list of all groups in AD
*
* @param bool $includeDescription Whether to return a description
* @param string $search Search parameters
* @param bool $sorted Whether to sort the results
* @return array
*/
public function all($includeDescription = false, $search = "*", $sorted = true) {
$groupsArray = $this->search(null, $includeDescription, $search, $sorted);
return $groupsArray;
}
/**
* Returns a complete list of security groups in AD
*
* @param bool $includeDescription Whether to return a description
* @param string $search Search parameters
* @param bool $sorted Whether to sort the results
* @return array
*/
public function allSecurity($includeDescription = false, $search = "*", $sorted = true) {
$groupsArray = $this->search(adLDAP::ADLDAP_SECURITY_GLOBAL_GROUP, $includeDescription, $search, $sorted);
return $groupsArray;
}
/**
* Returns a complete list of distribution lists in AD
*
* @param bool $includeDescription Whether to return a description
* @param string $search Search parameters
* @param bool $sorted Whether to sort the results
* @return array
*/
public function allDistribution($includeDescription = false, $search = "*", $sorted = true) {
$groupsArray = $this->search(adLDAP::ADLDAP_DISTRIBUTION_GROUP, $includeDescription, $search, $sorted);
return $groupsArray;
}
/**
* Coping with AD not returning the primary group
* http://support.microsoft.com/?kbid=321360
*
* This is a re-write based on code submitted by Bruce which prevents the
* need to search each security group to find the true primary group
*
* @param string $gid Group ID
* @param string $usersid User's Object SID
* @return mixed
*/
public function getPrimaryGroup($gid, $usersid) {
if ($gid === NULL || $usersid === NULL) { return false; }
$sr = false;
$gsid = substr_replace($usersid, pack('V',$gid), strlen($usersid)-4,4);
$filter = '(objectsid=' . $this->adldap->utilities()->getTextSID($gsid).')';
$fields = array("samaccountname","distinguishedname");
$sr = ldap_search($this->adldap->getLdapConnection(), $this->adldap->getBaseDn(), $filter, $fields);
$entries = ldap_get_entries($this->adldap->getLdapConnection(), $sr);
if (isset($entries[0]['distinguishedname'][0])) {
return $entries[0]['distinguishedname'][0];
}
return false;
}
/**
* Coping with AD not returning the primary group
* http://support.microsoft.com/?kbid=321360
*
* For some reason it's not possible to search on primarygrouptoken=XXX
* If someone can show otherwise, I'd like to know about it :)
* this way is resource intensive and generally a pain in the @#%^
*
* @deprecated deprecated since version 3.1, see get get_primary_group
* @param string $gid Group ID
* @return string
*/
public function cn($gid) {
if ($gid === NULL) { return false; }
$sr = false;
$r = '';
$filter = "(&(objectCategory=group)(samaccounttype=" . adLDAP::ADLDAP_SECURITY_GLOBAL_GROUP . "))";
$fields = array("primarygrouptoken", "samaccountname", "distinguishedname");
$sr = ldap_search($this->adldap->getLdapConnection(), $this->adldap->getBaseDn(), $filter, $fields);
$entries = ldap_get_entries($this->adldap->getLdapConnection(), $sr);
for ($i=0; $i<$entries["count"]; $i++) {
if ($entries[$i]["primarygrouptoken"][0] == $gid) {
$r = $entries[$i]["distinguishedname"][0];
$i = $entries["count"];
}
}
return $r;
}
}
?>

656
src/mibew/libs/adldap/classes/adLDAPUsers.php Normal file
View File

@ -0,0 +1,656 @@
<?php
namespace adLDAP\classes;
use adLDAP\adLDAP;
/**
* PHP LDAP CLASS FOR MANIPULATING ACTIVE DIRECTORY
* Version 5.0.0
*
* PHP Version 5 with SSL and LDAP support
*
* Written by Scott Barnett, Richard Hyland
* email: scott@wiggumworld.com, adldap@richardhyland.com
* http://github.com/adldap/adLDAP
*
* Copyright (c) 2006-2014 Scott Barnett, Richard Hyland
*
* We'd appreciate any improvements or additions to be submitted back
* to benefit the entire community :)
*
* This library is free software; you can redistribute it and/or
* modify it under the terms of the GNU Lesser General Public
* License as published by the Free Software Foundation; either
* version 2.1 of the License.
*
* This library is distributed in the hope that it will be useful,
* but WITHOUT ANY WARRANTY; without even the implied warranty of
* MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU
* Lesser General Public License for more details.
*
* @category ToolsAndUtilities
* @package adLDAP
* @subpackage Users
* @author Scott Barnett, Richard Hyland
* @copyright (c) 2006-2014 Scott Barnett, Richard Hyland
* @license http://www.gnu.org/licenses/old-licenses/lgpl-2.1.html LGPLv2.1
* @version 5.0.0
* @link http://github.com/adldap/adLDAP
*/
require_once(dirname(__FILE__) . '/../adLDAP.php');
require_once(dirname(__FILE__) . '/../collections/adLDAPUserCollection.php');
/**
* USER FUNCTIONS
*/
class adLDAPUsers {
/**
* The current adLDAP connection via dependency injection
*
* @var adLDAP
*/
protected $adldap;
public function __construct(adLDAP $adldap) {
$this->adldap = $adldap;
}
/**
* Validate a user's login credentials
*
* @param string $username A user's AD username
* @param string $password A user's AD password
* @param bool optional $prevent_rebind
* @return bool
*/
public function authenticate($username, $password, $preventRebind = false) {
return $this->adldap->authenticate($username, $password, $preventRebind);
}
/**
* Create a user
*
* If you specify a password here, this can only be performed over SSL
*
* @param array $attributes The attributes to set to the user account
* @return bool
*/
public function create($attributes) {
// Check for compulsory fields
if (!array_key_exists("username", $attributes)) { return "Missing compulsory field [username]"; }
if (!array_key_exists("firstname", $attributes)) { return "Missing compulsory field [firstname]"; }
if (!array_key_exists("surname", $attributes)) { return "Missing compulsory field [surname]"; }
if (!array_key_exists("email", $attributes)) { return "Missing compulsory field [email]"; }
if (!array_key_exists("container", $attributes)) { return "Missing compulsory field [container]"; }
if (!is_array($attributes["container"])) { return "Container attribute must be an array."; }
if (array_key_exists("password",$attributes) && (!$this->adldap->getUseSSL() && !$this->adldap->getUseTLS())) {
throw new \adLDAP\adLDAPException('SSL must be configured on your webserver and enabled in the class to set passwords.');
}
if (!array_key_exists("display_name", $attributes)) {
$attributes["display_name"] = $attributes["firstname"] . " " . $attributes["surname"];
}
// Translate the schema
$add = $this->adldap->adldap_schema($attributes);
// Additional stuff only used for adding accounts
$add["cn"][0] = $attributes["display_name"];
$add["samaccountname"][0] = $attributes["username"];
$add["objectclass"][0] = "top";
$add["objectclass"][1] = "person";
$add["objectclass"][2] = "organizationalPerson";
$add["objectclass"][3] = "user"; //person?
//$add["name"][0]=$attributes["firstname"]." ".$attributes["surname"];
// Set the account control attribute
$control_options = array("NORMAL_ACCOUNT");
if (!$attributes["enabled"]) {
$control_options[] = "ACCOUNTDISABLE";
}
$add["userAccountControl"][0] = $this->accountControl($control_options);
// Determine the container
$attributes["container"] = array_reverse($attributes["container"]);
$container = "OU=" . implode(", OU=",$attributes["container"]);
// Add the entry
$result = @ldap_add($this->adldap->getLdapConnection(), "CN=" . $add["cn"][0] . ", " . $container . "," . $this->adldap->getBaseDn(), $add);
if ($result != true) {
return false;
}
return true;
}
/**
* Account control options
*
* @param array $options The options to convert to int
* @return int
*/
protected function accountControl($options) {
$val=0;
if (is_array($options)) {
if (in_array("SCRIPT",$options)) { $val=$val+1; }
if (in_array("ACCOUNTDISABLE",$options)) { $val=$val+2; }
if (in_array("HOMEDIR_REQUIRED",$options)) { $val=$val+8; }
if (in_array("LOCKOUT",$options)) { $val=$val+16; }
if (in_array("PASSWD_NOTREQD",$options)) { $val=$val+32; }
//PASSWD_CANT_CHANGE Note You cannot assign this permission by directly modifying the UserAccountControl attribute.
//For information about how to set the permission programmatically, see the "Property flag descriptions" section.
if (in_array("ENCRYPTED_TEXT_PWD_ALLOWED",$options)) { $val=$val+128; }
if (in_array("TEMP_DUPLICATE_ACCOUNT",$options)) { $val=$val+256; }
if (in_array("NORMAL_ACCOUNT",$options)) { $val=$val+512; }
if (in_array("INTERDOMAIN_TRUST_ACCOUNT",$options)) { $val=$val+2048; }
if (in_array("WORKSTATION_TRUST_ACCOUNT",$options)) { $val=$val+4096; }
if (in_array("SERVER_TRUST_ACCOUNT",$options)) { $val=$val+8192; }
if (in_array("DONT_EXPIRE_PASSWORD",$options)){ $val=$val+65536; }
if (in_array("MNS_LOGON_ACCOUNT",$options)) { $val=$val+131072; }
if (in_array("SMARTCARD_REQUIRED",$options)) { $val=$val+262144; }
if (in_array("TRUSTED_FOR_DELEGATION",$options)) { $val=$val+524288; }
if (in_array("NOT_DELEGATED",$options)) { $val=$val+1048576; }
if (in_array("USE_DES_KEY_ONLY",$options)) { $val=$val+2097152; }
if (in_array("DONT_REQ_PREAUTH",$options)) { $val=$val+4194304; }
if (in_array("PASSWORD_EXPIRED",$options)) { $val=$val+8388608; }
if (in_array("TRUSTED_TO_AUTH_FOR_DELEGATION",$options)) { $val=$val+16777216; }
}
return $val;
}
/**
* Delete a user account
*
* @param string $username The username to delete (please be careful here!)
* @param bool $isGUID Is the username a GUID or a samAccountName
* @return array
*/
public function delete($username, $isGUID = false) {
$userinfo = $this->info($username, array("*"), $isGUID);
$dn = $userinfo[0]['distinguishedname'][0];
$result = $this->adldap->folder()->delete($dn);
if ($result != true) {
return false;
}
return true;
}
/**
* Groups the user is a member of
*
* @param string $username The username to query
* @param bool $recursive Recursive list of groups
* @param bool $isGUID Is the username passed a GUID or a samAccountName
* @return array
*/
public function groups($username, $recursive = NULL, $isGUID = false) {
if ($username === NULL) { return false; }
if ($recursive === NULL) { $recursive = $this->adldap->getRecursiveGroups(); } // Use the default option if they haven't set it
if (!$this->adldap->getLdapBind()) { return false; }
// Search the directory for their information
$info = @$this->info($username, array("memberof", "primarygroupid"), $isGUID);
$groups = $this->adldap->utilities()->niceNames($info[0]["memberof"]); // Presuming the entry returned is our guy (unique usernames)
if ($recursive === true) {
foreach ($groups as $id => $groupName) {
$extraGroups = $this->adldap->group()->recursiveGroups($groupName);
$groups = array_merge($groups, $extraGroups);
}
}
return $groups;
}
/**
* Find information about the users. Returned in a raw array format from AD
*
* @param string $username The username to query
* @param array $fields Array of parameters to query
* @param bool $isGUID Is the username passed a GUID or a samAccountName
* @return array
*/
public function info($username, $fields = NULL, $isGUID = false) {
if ($username === NULL) { return false; }
if (!$this->adldap->getLdapBind()) { return false; }
if ($isGUID === true) {
$username = $this->adldap->utilities()->strGuidToHex($username);
$filter = "objectguid=" . $username;
}
else if (strstr($username, "@")) {
$filter = "userPrincipalName=" . $username;
}
else {
$filter = "samaccountname=" . $username;
}
$filter = "(&(objectCategory=person)({$filter}))";
if ($fields === NULL) {
$fields = array("samaccountname","mail","memberof","department","displayname","telephonenumber","primarygroupid","objectsid");
}
if (!in_array("objectsid", $fields)) {
$fields[] = "objectsid";
}
$sr = ldap_search($this->adldap->getLdapConnection(), $this->adldap->getBaseDn(), $filter, $fields);
$entries = ldap_get_entries($this->adldap->getLdapConnection(), $sr);
if (isset($entries[0])) {
if ($entries[0]['count'] >= 1) {
if (in_array("memberof", $fields)) {
// AD does not return the primary group in the ldap query, we may need to fudge it
if ($this->adldap->getRealPrimaryGroup() && isset($entries[0]["primarygroupid"][0]) && isset($entries[0]["objectsid"][0])) {
//$entries[0]["memberof"][]=$this->group_cn($entries[0]["primarygroupid"][0]);
$entries[0]["memberof"][] = $this->adldap->group()->getPrimaryGroup($entries[0]["primarygroupid"][0], $entries[0]["objectsid"][0]);
} else {
$entries[0]["memberof"][] = "CN=Domain Users,CN=Users," . $this->adldap->getBaseDn();
}
if (!isset($entries[0]["memberof"]["count"])) {
$entries[0]["memberof"]["count"] = 0;
}
$entries[0]["memberof"]["count"]++;
}
}
return $entries;
}
return false;
}
/**
* Find information about the users. Returned in a raw array format from AD
*
* @param string $username The username to query
* @param array $fields Array of parameters to query
* @param bool $isGUID Is the username passed a GUID or a samAccountName
* @return mixed
*/
public function infoCollection($username, $fields = NULL, $isGUID = false) {
if ($username === NULL) { return false; }
if (!$this->adldap->getLdapBind()) { return false; }
$info = $this->info($username, $fields, $isGUID);
if ($info !== false) {
$collection = new \adLDAP\collections\adLDAPUserCollection($info, $this->adldap);
return $collection;
}
return false;
}
/**
* Determine if a user is in a specific group
*
* @param string $username The username to query
* @param string $group The name of the group to check against
* @param bool $recursive Check groups recursively
* @param bool $isGUID Is the username passed a GUID or a samAccountName
* @return bool
*/
public function inGroup($username, $group, $recursive = NULL, $isGUID = false) {
if ($username === NULL) { return false; }
if ($group === NULL) { return false; }
if (!$this->adldap->getLdapBind()) { return false; }
if ($recursive === NULL) { $recursive = $this->adldap->getRecursiveGroups(); } // Use the default option if they haven't set it
// Get a list of the groups
$groups = $this->groups($username, $recursive, $isGUID);
$search_array = array_combine(array_map('strtolower',$groups),$groups);
// Return true if the specified group is in the group list
return !is_null($search_array[strtolower($group)]);
}
/**
* Determine a user's password expiry date
*
* @param string $username The username to query
* @param book $isGUID Is the username passed a GUID or a samAccountName
* @requires bcmath http://www.php.net/manual/en/book.bc.php
* @return array
*/
public function passwordExpiry($username, $isGUID = false) {
if ($username === NULL) { return "Missing compulsory field [username]"; }
if (!$this->adldap->getLdapBind()) { return false; }
if (!function_exists('bcmod')) { throw new \adLDAP\adLDAPException("Missing function support [bcmod] http://www.php.net/manual/en/book.bc.php"); };
$userInfo = $this->info($username, array("pwdlastset", "useraccountcontrol"), $isGUID);
$pwdLastSet = $userInfo[0]['pwdlastset'][0];
$status = array();
if ($userInfo[0]['useraccountcontrol'][0] == '66048') {
// Password does not expire
return "Does not expire";
}
if ($pwdLastSet === '0') {
// Password has already expired
return "Password has expired";
}
// Password expiry in AD can be calculated from TWO values:
// - User's own pwdLastSet attribute: stores the last time the password was changed
// - Domain's maxPwdAge attribute: how long passwords last in the domain
//
// Although Microsoft chose to use a different base and unit for time measurements.
// This function will convert them to Unix timestamps
$sr = ldap_read($this->adldap->getLdapConnection(), $this->adldap->getBaseDn(), 'objectclass=*', array('maxPwdAge'));
if (!$sr) {
return false;
}
$info = ldap_get_entries($this->adldap->getLdapConnection(), $sr);
$maxPwdAge = $info[0]['maxpwdage'][0];
// See MSDN: http://msdn.microsoft.com/en-us/library/ms974598.aspx
//
// pwdLastSet contains the number of 100 nanosecond intervals since January 1, 1601 (UTC),
// stored in a 64 bit integer.
//
// The number of seconds between this date and Unix epoch is 11644473600.
//
// maxPwdAge is stored as a large integer that represents the number of 100 nanosecond
// intervals from the time the password was set before the password expires.
//
// We also need to scale this to seconds but also this value is a _negative_ quantity!
//
// If the low 32 bits of maxPwdAge are equal to 0 passwords do not expire
//
// Unfortunately the maths involved are too big for PHP integers, so I've had to require
// BCMath functions to work with arbitrary precision numbers.
if (bcmod($maxPwdAge, 4294967296) === '0') {
return "Domain does not expire passwords";
}
// Add maxpwdage and pwdlastset and we get password expiration time in Microsoft's
// time units. Because maxpwd age is negative we need to subtract it.
$pwdExpire = bcsub($pwdLastSet, $maxPwdAge);
// Convert MS's time to Unix time
$status['expiryts'] = bcsub(bcdiv($pwdExpire, '10000000'), '11644473600');
$status['expiryformat'] = date('Y-m-d H:i:s', bcsub(bcdiv($pwdExpire, '10000000'), '11644473600'));
return $status;
}
/**
* Modify a user
*
* @param string $username The username to query
* @param array $attributes The attributes to modify. Note if you set the enabled attribute you must not specify any other attributes
* @param bool $isGUID Is the username passed a GUID or a samAccountName
* @return bool
*/
public function modify($username, $attributes, $isGUID = false) {
if ($username === NULL) { return "Missing compulsory field [username]"; }
if (array_key_exists("password", $attributes) && !$this->adldap->getUseSSL() && !$this->adldap->getUseTLS()) {
throw new \adLDAP\adLDAPException('SSL/TLS must be configured on your webserver and enabled in the class to set passwords.');
}
// Find the dn of the user
$userDn = $this->dn($username, $isGUID);
if ($userDn === false) {
return false;
}
// Translate the update to the LDAP schema
$mod = $this->adldap->adldap_schema($attributes);
// Check to see if this is an enabled status update
if (!$mod && !array_key_exists("enabled", $attributes)) {
return false;
}
// Set the account control attribute (only if specified)
if (array_key_exists("enabled", $attributes)) {
if ($attributes["enabled"]) {
$controlOptions = array("NORMAL_ACCOUNT");
}
else {
$controlOptions = array("NORMAL_ACCOUNT", "ACCOUNTDISABLE");
}
$mod["userAccountControl"][0] = $this->accountControl($controlOptions);
}
// Do the update
$result = @ldap_modify($this->adldap->getLdapConnection(), $userDn, $mod);
if ($result == false) {
return false;
}
return true;
}
/**
* Disable a user account
*
* @param string $username The username to disable
* @param bool $isGUID Is the username passed a GUID or a samAccountName
* @return bool
*/
public function disable($username, $isGUID = false) {
if ($username === NULL) { return "Missing compulsory field [username]"; }
$attributes = array("enabled" => 0);
$result = $this->modify($username, $attributes, $isGUID);
if ($result == false) { return false; }
return true;
}
/**
* Enable a user account
*
* @param string $username The username to enable
* @param bool $isGUID Is the username passed a GUID or a samAccountName
* @return bool
*/
public function enable($username, $isGUID = false) {
if ($username === NULL) { return "Missing compulsory field [username]"; }
$attributes = array("enabled" => 1);
$result = $this->modify($username, $attributes, $isGUID);
if ($result == false) { return false; }
return true;
}
/**
* Set the password of a user - This must be performed over SSL
*
* @param string $username The username to modify
* @param string $password The new password
* @param bool $isGUID Is the username passed a GUID or a samAccountName
* @return bool
*/
public function password($username, $password, $isGUID = false) {
if ($username === NULL) { return false; }
if ($password === NULL) { return false; }
if (!$this->adldap->getLdapBind()) { return false; }
if (!$this->adldap->getUseSSL() && !$this->adldap->getUseTLS()) {
throw new \adLDAP\adLDAPException('SSL must be configured on your webserver and enabled in the class to set passwords.');
}
$userDn = $this->dn($username, $isGUID);
if ($userDn === false) {
return false;
}
$add=array();
$add["unicodePwd"][0] = $this->encodePassword($password);
$result = @ldap_mod_replace($this->adldap->getLdapConnection(), $userDn, $add);
if ($result === false) {
$err = ldap_errno($this->adldap->getLdapConnection());
if ($err) {
$msg = 'Error ' . $err . ': ' . ldap_err2str($err) . '.';
if($err == 53) {
$msg .= ' Your password might not match the password policy.';
}
throw new \adLDAP\adLDAPException($msg);
}
else {
return false;
}
}
return true;
}
/**
* Encode a password for transmission over LDAP
*
* @param string $password The password to encode
* @return string
*/
public function encodePassword($password) {
$password="\"".$password."\"";
$encoded="";
for ($i=0; $i <strlen($password); $i++) { $encoded.="{$password{$i}}\000"; }
return $encoded;
}
/**
* Obtain the user's distinguished name based on their userid
*
*
* @param string $username The username
* @param bool $isGUID Is the username passed a GUID or a samAccountName
* @return string
*/
public function dn($username, $isGUID=false) {
$user = $this->info($username, array("cn"), $isGUID);
if ($user[0]["dn"] === NULL) {
return false;
}
$userDn = $user[0]["dn"];
return $userDn;
}
/**
* Return a list of all users in AD
*
* @param bool $includeDescription Return a description of the user
* @param string $search Search parameter
* @param bool $sorted Sort the user accounts
* @return array
*/
public function all($includeDescription = false, $search = "*", $sorted = true) {
if (!$this->adldap->getLdapBind()) { return false; }
// Perform the search and grab all their details
$filter = "(&(objectClass=user)(samaccounttype=" . adLDAP::ADLDAP_NORMAL_ACCOUNT .")(objectCategory=person)(cn=" . $search . "))";
$fields = array("samaccountname","displayname");
$sr = ldap_search($this->adldap->getLdapConnection(), $this->adldap->getBaseDn(), $filter, $fields);
$entries = ldap_get_entries($this->adldap->getLdapConnection(), $sr);
$usersArray = array();
for ($i=0; $i<$entries["count"]; $i++) {
if ($includeDescription && strlen($entries[$i]["displayname"][0])>0) {
$usersArray[$entries[$i]["samaccountname"][0]] = $entries[$i]["displayname"][0];
} elseif ($includeDescription) {
$usersArray[$entries[$i]["samaccountname"][0]] = $entries[$i]["samaccountname"][0];
} else {
array_push($usersArray, $entries[$i]["samaccountname"][0]);
}
}
if ($sorted) {
asort($usersArray);
}
return $usersArray;
}
/**
* Converts a username (samAccountName) to a GUID
*
* @param string $username The username to query
* @return string
*/
public function usernameToGuid($username) {
if (!$this->adldap->getLdapBind()){ return false; }
if ($username === null){ return "Missing compulsory field [username]"; }
$filter = "samaccountname=" . $username;
$fields = array("objectGUID");
$sr = @ldap_search($this->adldap->getLdapConnection(), $this->adldap->getBaseDn(), $filter, $fields);
if (ldap_count_entries($this->adldap->getLdapConnection(), $sr) > 0) {
$entry = @ldap_first_entry($this->adldap->getLdapConnection(), $sr);
$guid = @ldap_get_values_len($this->adldap->getLdapConnection(), $entry, 'objectGUID');
$strGUID = $this->adldap->utilities()->binaryToText($guid[0]);
return $strGUID;
}
return false;
}
/**
* Return a list of all users in AD that have a specific value in a field
*
* @param bool $includeDescription Return a description of the user
* @param string $searchField Field to search search for
* @param string $searchFilter Value to search for in the specified field
* @param bool $sorted Sort the user accounts
* @return array
*/
public function find($includeDescription = false, $searchField = false, $searchFilter = false, $sorted = true) {
if (!$this->adldap->getLdapBind()) { return false; }
// Perform the search and grab all their details
$searchParams = "";
if ($searchField) {
$searchParams = "(" . $searchField . "=" . $searchFilter . ")";
}
$filter = "(&(objectClass=user)(samaccounttype=" . adLDAP::ADLDAP_NORMAL_ACCOUNT .")(objectCategory=person)" . $searchParams . ")";
$fields = array("samaccountname","displayname");
$sr = ldap_search($this->adldap->getLdapConnection(), $this->adldap->getBaseDn(), $filter, $fields);
$entries = ldap_get_entries($this->adldap->getLdapConnection(), $sr);
$usersArray = array();
for ($i=0; $i < $entries["count"]; $i++) {
if ($includeDescription && strlen($entries[$i]["displayname"][0]) > 0) {
$usersArray[$entries[$i]["samaccountname"][0]] = $entries[$i]["displayname"][0];
}
else if ($includeDescription) {
$usersArray[$entries[$i]["samaccountname"][0]] = $entries[$i]["samaccountname"][0];
}
else {
array_push($usersArray, $entries[$i]["samaccountname"][0]);
}
}
if ($sorted) {
asort($usersArray);
}
return ($usersArray);
}
/**
* Move a user account to a different OU
*
* @param string $username The username to move (please be careful here!)
* @param array $container The container or containers to move the user to (please be careful here!).
* accepts containers in 1. parent 2. child order
* @return array
*/
public function move($username, $container) {
if (!$this->adldap->getLdapBind()) { return false; }
if ($username === null) { return "Missing compulsory field [username]"; }
if ($container === null) { return "Missing compulsory field [container]"; }
if (!is_array($container)) { return "Container must be an array"; }
$userInfo = $this->info($username, array("*"));
$dn = $userInfo[0]['distinguishedname'][0];
$newRDn = "cn=" . $username;
$container = array_reverse($container);
$newContainer = "ou=" . implode(",ou=",$container);
$newBaseDn = strtolower($newContainer) . "," . $this->adldap->getBaseDn();
$result = @ldap_rename($this->adldap->getLdapConnection(), $dn, $newRDn, $newBaseDn, true);
if ($result !== true) {
return false;
}
return true;
}
/**
* Get the last logon time of any user as a Unix timestamp
*
* @param string $username
* @return long $unixTimestamp
*/
public function getLastLogon($username) {
if (!$this->adldap->getLdapBind()) { return false; }
if ($username === null) { return "Missing compulsory field [username]"; }
$userInfo = $this->info($username, array("lastLogonTimestamp"));
$lastLogon = adLDAPUtils::convertWindowsTimeToUnixTime($userInfo[0]['lastLogonTimestamp'][0]);
return $lastLogon;
}
}
?>

264
src/mibew/libs/adldap/classes/adLDAPUtils.php Normal file
View File

@ -0,0 +1,264 @@
<?php
namespace adLDAP\classes;
use adLDAP\adLDAP;
/**
* PHP LDAP CLASS FOR MANIPULATING ACTIVE DIRECTORY
* Version 5.0.0
*
* PHP Version 5 with SSL and LDAP support
*
* Written by Scott Barnett, Richard Hyland
* email: scott@wiggumworld.com, adldap@richardhyland.com
* http://github.com/adldap/adLDAP
*
* Copyright (c) 2006-2014 Scott Barnett, Richard Hyland
*
* We'd appreciate any improvements or additions to be submitted back
* to benefit the entire community :)
*
* This library is free software; you can redistribute it and/or
* modify it under the terms of the GNU Lesser General Public
* License as published by the Free Software Foundation; either
* version 2.1 of the License.
*
* This library is distributed in the hope that it will be useful,
* but WITHOUT ANY WARRANTY; without even the implied warranty of
* MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU
* Lesser General Public License for more details.
*
* @category ToolsAndUtilities
* @package adLDAP
* @subpackage Utils
* @author Scott Barnett, Richard Hyland
* @copyright (c) 2006-2014 Scott Barnett, Richard Hyland
* @license http://www.gnu.org/licenses/old-licenses/lgpl-2.1.html LGPLv2.1
* @version 5.0.0
* @link http://github.com/adldap/adLDAP
*/
require_once(dirname(__FILE__) . '/../adLDAP.php');
/**
* UTILITY FUNCTIONS
*/
class adLDAPUtils {
const ADLDAP_VERSION = '5.0.0';
/**
* The current adLDAP connection via dependency injection
*
* @var adLDAP
*/
protected $adldap;
public function __construct(adLDAP $adldap) {
$this->adldap = $adldap;
}
/**
* Take an LDAP query and return the nice names, without all the LDAP prefixes (eg. CN, DN)
*
* @param array $groups
* @return array
*/
public function niceNames($groups) {
$groupArray = array();
for ($i=0; $i<$groups["count"]; $i++) { // For each group
$line = $groups[$i];
if (strlen($line)>0) {
// More presumptions, they're all prefixed with CN=
// so we ditch the first three characters and the group
// name goes up to the first comma
$bits=explode(",", $line);
$groupArray[] = substr($bits[0], 3, (strlen($bits[0])-3));
}
}
return $groupArray;
}
/**
* Escape characters for use in an ldap_create function
*
* @param string $str
* @return string
*/
public function escapeCharacters($str) {
$str = str_replace(",", "\,", $str);
return $str;
}
/**
* Escape strings for the use in LDAP filters
*
* DEVELOPERS SHOULD BE DOING PROPER FILTERING IF THEY'RE ACCEPTING USER INPUT
* Ported from Perl's Net::LDAP::Util escape_filter_value
*
* @param string $str The string the parse
* @author Port by Andreas Gohr <andi@splitbrain.org>
* @author Modified for PHP55 by Esteban Santana Santana <MentalPower@GMail.com>
* @return string
*/
public function ldapSlashes($str) {
return preg_replace_callback(
'/([\x00-\x1F\*\(\)\\\\])/',
function ($matches) {
return "\\".join("", unpack("H2", $matches[1]));
},
$str
);
}
/**
* Converts a string GUID to a hexdecimal value so it can be queried
*
* @param string $strGUID A string representation of a GUID
* @return string
*/
public function strGuidToHex($strGUID) {
$strGUID = str_replace('-', '', $strGUID);
$octet_str = '\\' . substr($strGUID, 6, 2);
$octet_str .= '\\' . substr($strGUID, 4, 2);
$octet_str .= '\\' . substr($strGUID, 2, 2);
$octet_str .= '\\' . substr($strGUID, 0, 2);
$octet_str .= '\\' . substr($strGUID, 10, 2);
$octet_str .= '\\' . substr($strGUID, 8, 2);
$octet_str .= '\\' . substr($strGUID, 14, 2);
$octet_str .= '\\' . substr($strGUID, 12, 2);
//$octet_str .= '\\' . substr($strGUID, 16, strlen($strGUID));
for ($i=16; $i<=(strlen($strGUID)-2); $i++) {
if (($i % 2) == 0) {
$octet_str .= '\\' . substr($strGUID, $i, 2);
}
}
return $octet_str;
}
/**
* Convert a binary SID to a text SID
*
* @param string $binsid A Binary SID
* @return string
*/
public function getTextSID($binsid) {
$hex_sid = bin2hex($binsid);
$rev = hexdec(substr($hex_sid, 0, 2));
$subcount = hexdec(substr($hex_sid, 2, 2));
$auth = hexdec(substr($hex_sid, 4, 12));
$result = "$rev-$auth";
for ($x=0;$x < $subcount; $x++) {
$subauth[$x] =
hexdec($this->littleEndian(substr($hex_sid, 16 + ($x * 8), 8)));
$result .= "-" . $subauth[$x];
}
// Cheat by tacking on the S-
return 'S-' . $result;
}
/**
* Converts a little-endian hex number to one that hexdec() can convert
*
* @param string $hex A hex code
* @return string
*/
public function littleEndian($hex) {
$result = '';
for ($x = strlen($hex) - 2; $x >= 0; $x = $x - 2) {
$result .= substr($hex, $x, 2);
}
return $result;
}
/**
* Converts a binary attribute to a string
*
* @param string $bin A binary LDAP attribute
* @return string
*/
public function binaryToText($bin) {
$hex_guid = bin2hex($bin);
$hex_guid_to_guid_str = '';
for($k = 1; $k <= 4; ++$k) {
$hex_guid_to_guid_str .= substr($hex_guid, 8 - 2 * $k, 2);
}
$hex_guid_to_guid_str .= '-';
for($k = 1; $k <= 2; ++$k) {
$hex_guid_to_guid_str .= substr($hex_guid, 12 - 2 * $k, 2);
}
$hex_guid_to_guid_str .= '-';
for($k = 1; $k <= 2; ++$k) {
$hex_guid_to_guid_str .= substr($hex_guid, 16 - 2 * $k, 2);
}
$hex_guid_to_guid_str .= '-' . substr($hex_guid, 16, 4);
$hex_guid_to_guid_str .= '-' . substr($hex_guid, 20);
return strtoupper($hex_guid_to_guid_str);
}
/**
* Converts a binary GUID to a string GUID
*
* @param string $binaryGuid The binary GUID attribute to convert
* @return string
*/
public function decodeGuid($binaryGuid) {
if ($binaryGuid === null){ return "Missing compulsory field [binaryGuid]"; }
$strGUID = $this->binaryToText($binaryGuid);
return $strGUID;
}
/**
* Convert a boolean value to a string
* You should never need to call this yourself
*
* @param bool $bool Boolean value
* @return string
*/
public function boolToStr($bool) {
return ($bool) ? 'TRUE' : 'FALSE';
}
/**
* Convert 8bit characters e.g. accented characters to UTF8 encoded characters
*/
public function encode8Bit(&$item, $key) {
$encode = false;
if (is_string($item)) {
for ($i=0; $i<strlen($item); $i++) {
if (ord($item[$i]) >> 7) {
$encode = true;
}
}
}
if ($encode === true && $key != 'password') {
$item = utf8_encode($item);
}
}
/**
* Get the current class version number
*
* @return string
*/
public function getVersion() {
return self::ADLDAP_VERSION;
}
/**
* Round a Windows timestamp down to seconds and remove the seconds between 1601-01-01 and 1970-01-01
*
* @param long $windowsTime
* @return long $unixTime
*/
public static function convertWindowsTimeToUnixTime($windowsTime) {
$unixTime = round($windowsTime / 10000000) - 11644477200;
return $unixTime;
}
}
?>

134
src/mibew/libs/adldap/collections/adLDAPCollection.php Normal file
View File

@ -0,0 +1,134 @@
<?php
namespace adLDAP\collections;
use adLDAP\adLDAP;
/**
* PHP LDAP CLASS FOR MANIPULATING ACTIVE DIRECTORY
* Version 5.0.0
*
* PHP Version 5 with SSL and LDAP support
*
* Written by Scott Barnett, Richard Hyland
* email: scott@wiggumworld.com, adldap@richardhyland.com
* http://github.com/adldap/adLDAP
*
* Copyright (c) 2006-2014 Scott Barnett, Richard Hyland
*
* We'd appreciate any improvements or additions to be submitted back
* to benefit the entire community :)
*
* This library is free software; you can redistribute it and/or
* modify it under the terms of the GNU Lesser General Public
* License as published by the Free Software Foundation; either
* version 2.1 of the License.
*
* This library is distributed in the hope that it will be useful,
* but WITHOUT ANY WARRANTY; without even the implied warranty of
* MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU
* Lesser General Public License for more details.
*
* @category ToolsAndUtilities
* @package adLDAP
* @subpackage Collection
* @author Scott Barnett, Richard Hyland
* @copyright (c) 2006-2014 Scott Barnett, Richard Hyland
* @license http://www.gnu.org/licenses/old-licenses/lgpl-2.1.html LGPLv2.1
* @version 5.0.0
* @link http://github.com/adldap/adLDAP
*/
abstract class adLDAPCollection
{
/**
* The current adLDAP connection via dependency injection
*
* @var adLDAP
*/
protected $adldap;
/**
* The current object being modifed / called
*
* @var mixed
*/
protected $currentObject;
/**
* The raw info array from Active Directory
*
* @var array
*/
protected $info;
public function __construct($info, adLDAP $adldap) {
$this->setInfo($info);
$this->adldap = $adldap;
}
/**
* Set the raw info array from Active Directory
*
* @param array $info
*/
public function setInfo(array $info) {
if ($this->info && sizeof($info) >= 1) {
unset($this->info);
}
$this->info = $info;
}
/**
* Magic get method to retrieve data from the raw array in a formatted way
*
* @param string $attribute
* @return mixed
*/
public function __get($attribute) {
if (isset($this->info[0]) && is_array($this->info[0])) {
foreach ($this->info[0] as $keyAttr => $valueAttr) {
if (strtolower($keyAttr) == strtolower($attribute)) {
if ($this->info[0][strtolower($attribute)]['count'] == 1) {
return $this->info[0][strtolower($attribute)][0];
}
else {
$array = array();
foreach ($this->info[0][strtolower($attribute)] as $key => $value) {
if ((string)$key != 'count') {
$array[$key] = $value;
}
}
return $array;
}
}
}
}
else {
return NULL;
}
}
/**
* Magic set method to update an attribute
*
* @param string $attribute
* @param string $value
* @return bool
*/
abstract public function __set($attribute, $value);
/**
* Magic isset method to check for the existence of an attribute
*
* @param string $attribute
* @return bool
*/
public function __isset($attribute) {
if (isset($this->info[0]) && is_array($this->info[0])) {
foreach ($this->info[0] as $keyAttr => $valueAttr) {
if (strtolower($keyAttr) == strtolower($attribute)) {
return true;
}
}
}
return false;
}
}
?>

45
src/mibew/libs/adldap/collections/adLDAPComputerCollection.php Normal file
View File

@ -0,0 +1,45 @@
<?php
namespace adLDAP\collections;
use adLDAP\adLDAP;
/**
* PHP LDAP CLASS FOR MANIPULATING ACTIVE DIRECTORY
* Version 5.0.0
*
* PHP Version 5 with SSL and LDAP support
*
* Written by Scott Barnett, Richard Hyland
* email: scott@wiggumworld.com, adldap@richardhyland.com
* http://github.com/adldap/adLDAP
*
* Copyright (c) 2006-2014 Scott Barnett, Richard Hyland
*
* We'd appreciate any improvements or additions to be submitted back
* to benefit the entire community :)
*
* This library is free software; you can redistribute it and/or
* modify it under the terms of the GNU Lesser General Public
* License as published by the Free Software Foundation; either
* version 2.1 of the License.
*
* This library is distributed in the hope that it will be useful,
* but WITHOUT ANY WARRANTY; without even the implied warranty of
* MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU
* Lesser General Public License for more details.
*
* @category ToolsAndUtilities
* @package adLDAP
* @subpackage ComputerCollection
* @author Scott Barnett, Richard Hyland
* @copyright (c) 2006-2014 Scott Barnett, Richard Hyland
* @license http://www.gnu.org/licenses/old-licenses/lgpl-2.1.html LGPLv2.1
* @version 5.0.0
* @link http://github.com/adldap/adLDAP
*/
class adLDAPComputerCollection extends adLDAPCollection
{
public function __set($attribute, $value) {
}
}
?>

45
src/mibew/libs/adldap/collections/adLDAPContactCollection.php Normal file
View File

@ -0,0 +1,45 @@
<?php
namespace adLDAP\collections;
use adLDAP\adLDAP;
/**
* PHP LDAP CLASS FOR MANIPULATING ACTIVE DIRECTORY
* Version 5.0.0
*
* PHP Version 5 with SSL and LDAP support
*
* Written by Scott Barnett, Richard Hyland
* email: scott@wiggumworld.com, adldap@richardhyland.com
* http://github.com/adldap/adLDAP
*
* Copyright (c) 2006-2014 Scott Barnett, Richard Hyland
*
* We'd appreciate any improvements or additions to be submitted back
* to benefit the entire community :)
*
* This library is free software; you can redistribute it and/or
* modify it under the terms of the GNU Lesser General Public
* License as published by the Free Software Foundation; either
* version 2.1 of the License.
*
* This library is distributed in the hope that it will be useful,
* but WITHOUT ANY WARRANTY; without even the implied warranty of
* MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU
* Lesser General Public License for more details.
*
* @category ToolsAndUtilities
* @package adLDAP
* @subpackage ContactCollection
* @author Scott Barnett, Richard Hyland
* @copyright (c) 2006-2014 Scott Barnett, Richard Hyland
* @license http://www.gnu.org/licenses/old-licenses/lgpl-2.1.html LGPLv2.1
* @version 5.0.0
* @link http://github.com/adldap/adLDAP
*/
class adLDAPContactCollection extends adLDAPCollection
{
public function __set($attribute, $value) {
}
}
?>

45
src/mibew/libs/adldap/collections/adLDAPGroupCollection.php Normal file
View File

@ -0,0 +1,45 @@
<?php
namespace adLDAP\collections;
use adLDAP\adLDAP;
/**
* PHP LDAP CLASS FOR MANIPULATING ACTIVE DIRECTORY
* Version 5.0.0
*
* PHP Version 5 with SSL and LDAP support
*
* Written by Scott Barnett, Richard Hyland
* email: scott@wiggumworld.com, adldap@richardhyland.com
* http://github.com/adldap/adLDAP
*
* Copyright (c) 2006-2014 Scott Barnett, Richard Hyland
*
* We'd appreciate any improvements or additions to be submitted back
* to benefit the entire community :)
*
* This library is free software; you can redistribute it and/or
* modify it under the terms of the GNU Lesser General Public
* License as published by the Free Software Foundation; either
* version 2.1 of the License.
*
* This library is distributed in the hope that it will be useful,
* but WITHOUT ANY WARRANTY; without even the implied warranty of
* MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU
* Lesser General Public License for more details.
*
* @category ToolsAndUtilities
* @package adLDAP
* @subpackage GroupCollection
* @author Scott Barnett, Richard Hyland
* @copyright (c) 2006-2014 Scott Barnett, Richard Hyland
* @license http://www.gnu.org/licenses/old-licenses/lgpl-2.1.html LGPLv2.1
* @version 5.0.0
* @link http://github.com/adldap/adLDAP
*/
class adLDAPGroupCollection extends adLDAPCollection
{
public function __set($attribute, $value) {
}
}
?>

45
src/mibew/libs/adldap/collections/adLDAPUserCollection.php Normal file
View File

@ -0,0 +1,45 @@
<?php
namespace adLDAP\collections;
use adLDAP\adLDAP;
/**
* PHP LDAP CLASS FOR MANIPULATING ACTIVE DIRECTORY
* Version 5.0.0
*
* PHP Version 5 with SSL and LDAP support
*
* Written by Scott Barnett, Richard Hyland
* email: scott@wiggumworld.com, adldap@richardhyland.com
* http://github.com/adldap/adLDAP
*
* Copyright (c) 2006-2014 Scott Barnett, Richard Hyland
*
* We'd appreciate any improvements or additions to be submitted back
* to benefit the entire community :)
*
* This library is free software; you can redistribute it and/or
* modify it under the terms of the GNU Lesser General Public
* License as published by the Free Software Foundation; either
* version 2.1 of the License.
*
* This library is distributed in the hope that it will be useful,
* but WITHOUT ANY WARRANTY; without even the implied warranty of
* MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU
* Lesser General Public License for more details.
*
* @category ToolsAndUtilities
* @package adLDAP
* @subpackage UserCollection
* @author Scott Barnett, Richard Hyland
* @copyright (c) 2006-2014 Scott Barnett, Richard Hyland
* @license http://www.gnu.org/licenses/old-licenses/lgpl-2.1.html LGPLv2.1
* @version 5.0.0
* @link http://github.com/adldap/adLDAP
*/
class adLDAPUserCollection extends adLDAPCollection
{
public function __set($attribute, $value) {
}
}
?>

3
src/mibew/libs/classes/Mibew/Controller/LoginController.php
View File

@ -92,7 +92,8 @@ class LoginController extends AbstractController
$operator = operator_by_login($login);
$operator_can_login = $operator
&& isset($operator['vcpassword'])
&& check_password_hash($operator['vclogin'], $password, $operator['vcpassword'])
&& ( authenticate_operator_in_ad($operator['vclogin'], $password)
|| check_password_hash($operator['vclogin'], $password, $operator['vcpassword']) )
&& !operator_is_disabled($operator);
if ($operator_can_login) {

300
src/mibew/libs/classes/Mibew/Ldap.php Normal file
View File

@ -0,0 +1,300 @@
<?php
/**
* Date: 05.07.2015
* Time: 11:25
*/
namespace Mibew;
use adLDAP\adLDAP;
/**
* Encapsulates work with Active Directory by the LDAP. Implements singleton pattern to provide only
* one instance.
*/
class Ldap {
/**
* An instance of Ldap class
* @var Ldap
*/
protected static $instance = null;
/**
* Account suffix by default ("@mydomain.local")
* @var string
*/
protected $account_suffix = null;
/**
* Base DN ("DC=mydomain,DC=local")
* @var string
*/
protected $base_dn = null;
/**
* Array of domain controllers names (["dc1.mydomain.local"])
* @var Array
*/
protected $domain_controllers = null;
/**
* Name of AD group with operators
* @var string
*/
protected $operator_group = null;
/**
* Name of AD group with administrators
* @var string
*/
protected $admin_group = null;
/**
* User login for search
* @var string
*/
protected $admin_username = null;
/**
* User password for search
* @var string
*/
protected $admin_password = null;
/**
* Port for connect
* @var integer
*/
protected $port = null;
/**
* @var bool
*/
protected $useSSL = false;
/**
* @var bool
*/
protected $useTLS = false;
/**
* Object adLDAP
* @var adLDAP
*/
protected $adLDAP = null;
/**
* Controls if exception must be processed into class or thrown
* @var boolean
*/
protected $useExceptions = false;
/**
* Get instance of Ldap class.
*
* If no instance exists, creates new instance.
* Use Ldap::initialize() before try to get an instance. If LDAP
* was not initilized coorectly, triggers an error with E_USER_ERROR level.
*
* @return Ldap
* @see Ldap::initialize()
*/
public static function getInstance()
{
if (is_null(self::$instance)) {
trigger_error('LDAP was not initialized correctly', E_USER_ERROR);
}
return self::$instance;
}
/**
* Destroy internal Ldap object
*/
public static function destroy()
{
if (!is_null(self::$instance)) {
self::$instance->__destruct();
self::$instance = null;
}
}
/**
* Initialize Ldap
*
* Set internal LDAP connection and properties. Create Ldap object.
*
* @param string $account_suffix Account suffix by default ("@mydomain.local")
* @param string $base_dn Base DN ("DC=mydomain,DC=local")
* @param array $domain_controllers Array of domain controllers names (["dc1.mydomain.local"])
* @param string $operator_group Name of AD group, which belongs operators
* @param string $admin_group Name of AD group, which belongs administrators
* @param string $admin_username Name of admin user for search
* @param string $admin_password Password of admin user for search
* @param integer $port Port number to connect. Use default if null
* @param bool $useSSL
* @param bool $useTLS
*/
public static function initialize($domain, $account_suffix, $base_dn, $domain_controllers, $operator_group, $admin_group,
$admin_username, $admin_password, $port, $useSSL, $useTLS)
{
// Check if initialization
if (!is_null(self::$instance)) {
throw new \Exception('LDAP already initialized');
}
// Create LDAP instance
$instance = new Ldap();
// Set database and connection properties
$instance->account_suffix = $account_suffix ?: "@" . $domain;
$instance->domain_controllers = $domain_controllers ?: [$domain];
$instance->base_dn = $base_dn;
if (is_null($base_dn)) {
$arr = explode(".", $domain);
for($i = 0; $i < count($arr); $i++) {
$arr[$i] = "DC=" . $arr[$i];
}
$instance->base_dn = implode(",", $arr);
}
$instance->operator_group = $operator_group;
$instance->admin_group = $admin_group;
$instance->admin_username = $admin_username;
$instance->admin_password = $admin_password;
$instance->port = $port;
$instance->useSSL = $useSSL ?: false;
$instance->useTLS = $useTLS ?: false;
$ldap_params = [
"account_suffix" => $instance->account_suffix,
"base_dn" => $instance->base_dn,
"domain_controllers" => $instance->domain_controllers,
"admin_username" => $instance->admin_username,
"admin_password" => $instance->admin_password,
"use_ssl" => $instance->useSSL,
"use_tls" => $instance->useTLS
];
if (!is_null($port)) {
$ldap_params['ad_port'] = $port;
}
// Create adLDAP object
$instance->adLDAP = new adLDAP($ldap_params);
// Store instance
self::$instance = $instance;
// Check groups
if (is_null($operator_group)) {
throw new \Exception('Operator group is not specified');
}
if (is_null($admin_group)) {
throw new \Exception('Admin group is not specified');
}
if (!$instance->adLDAP->group()->info($operator_group,["name"])) {
throw new \Exception('Operator group ' . $operator_group . ' was not found in AD');
}
if (!$instance->adLDAP->group()->info($admin_group,["name"])) {
throw new \Exception('Admin group ' . $admin_group . ' was not found in AD');
}
}
/**
* Checks if the LDAP was initialized correctly.
*
* @return boolean True if the LDAP was initialized correctly and false
* otherwise.
*/
public static function isInitialized()
{
return !is_null(self::$instance);
}
/**
* Database class destructor.
*/
public function __destruct()
{
$this->adLDAP = null;
self::$instance = null;
}
/**
* Forbid external object creation
*/
protected function __construct()
{
}
/**
* Forbid clone objects
*/
final private function __clone()
{
}
/**
* Handles errors
* @param \Exception $e
*/
protected function handleError(\Exception $e)
{
if ($this->useExceptions) {
throw $e;
}
die($e->getMessage());
}
/**
* Authenticate user with password in the Active Direcory by the LDAP
*
* @param string $username login of user in AD
* @param string $password user password
* @return bool authenticate result
*/
public function authenticate($username, $password) {
try {
return $this->adLDAP->authenticate($username, $password);
} catch (\Exception $e) {
$this->handleError($e);
return null;
}
}
public function searchForOperator($username) {
$users = $this->adLDAP->search(false, $username);
foreach ($users as $userNameFound) {
if ( (strcasecmp($userNameFound, $username) == 0)
&& ( $this->adLDAP->user()->inGroup($userNameFound,$this->operator_group,true)
|| $this->adLDAP->user()->inGroup($userNameFound,$this->admin_group,true) )) {
return $userNameFound;
}
}
return false;
}
public function userIsAdmin($username) {
return $this->adLDAP->user()->inGroup($username,$this->admin_group,true);
}
public function getOperatorData($username) {
$infoList = $this->adLDAP->user()->info($username, ["samaccountname", "displayname", "mail", "thumbnailPhoto", "jpegPhoto"]);
if (!$infoList) return false;
if ($infoList['count'] < 1 ) return false;
foreach ($infoList as $idx => $info) {
if (strcasecmp($info['samaccountname'][0], $username) == 0) {
$commonname = in_array("displayname", $info, true) ? $info["displayname"][0] : null;
$email = in_array("mail", $info, true) ? $info["mail"][0] : null;
$avatar = in_array("jpegphoto", $info, true) ? $info["jpegphoto"][0] : null;
$avatar = is_null($avatar) && in_array("thumbnailphoto", $info, true) ? $info["thumbnailphoto"][0] : $avatar;
return array(
'commonname' => $commonname,
'email' => $email,
'avatar' => $avatar
);
}
}
return false;
}
}

17
src/mibew/libs/init.php
View File

@ -44,6 +44,9 @@ require_once(MIBEW_FS_ROOT . '/libs/common/request.php');
require_once(MIBEW_FS_ROOT . '/libs/common/response.php');
require_once(MIBEW_FS_ROOT . '/libs/common/string.php');
// Include adLDAP lib
require_once(MIBEW_FS_ROOT . '/libs/adldap/adLDAP.php');
// We need to get some info from the request. Use symfony wrapper because it's
// the simplest way.
$tmp_request = \Symfony\Component\HttpFoundation\Request::createFromGlobals();
@ -80,6 +83,20 @@ if (get_maintenance_mode() === false) {
$configs['database']['db'],
$configs['database']['tables_prefix']
);
// Initialize the LDAP
\Mibew\Ldap::initialize(
$configs['adldap']['domain'],
$configs['adldap']['account_suffix'],
$configs['adldap']['base_dn'],
$configs['adldap']['domain_controllers'],
$configs['adldap']['operator_group'],
$configs['adldap']['admin_group'],
$configs['adldap']['search_username'],
$configs['adldap']['search_password'],
$configs['adldap']['port'],
$configs['adldap']['useSSL'],
$configs['adldap']['useTLS']
);
}
// Load all other libraries

122
src/mibew/libs/operator.php
View File

@ -21,6 +21,7 @@
use Mibew\Database;
use Mibew\EventDispatcher\EventDispatcher;
use Mibew\EventDispatcher\Events;
use Mibew\Ldap;
use Mibew\Settings;
use Symfony\Component\Routing\Generator\UrlGeneratorInterface;
@ -99,6 +100,14 @@ function update_operator_permissions($operator_id, $perm)
}
function operator_by_login($login)
{
if (operator_can_login_by_ad($login)) {
auto_update_operator_from_ad($login);
}
return operator_by_login_from_db($login);
}
function operator_by_login_from_db($login)
{
$db = Database::getInstance();
@ -109,6 +118,119 @@ function operator_by_login($login)
);
}
function operator_can_login_by_ad($login)
{
$ldap = Ldap::getInstance();
return $ldap->searchForOperator($login);
}
function authenticate_operator_in_ad($login, $password) {
$ldap = Ldap::getInstance();
return $ldap->authenticate($login, $password);
}
function auto_update_operator_from_ad($login) {
$operatorDb = operator_by_login_from_db($login);
$ldap = Ldap::getInstance();
$operatorData = $ldap->getOperatorData($login);
$userperm = 6;
if ($ldap->userIsAdmin($login)) {
$userperm += 1;
}
if ($operatorDb) {
if ($operatorDb['vclocalename'] == null) {
$operatorDb['vclocalename'] = $operatorData['commonname'];
}
if ($operatorDb['vccommonname'] == null) {
$operatorDb['vccommonname'] = $operatorData['commonname'];
}
$operatorDb['vcemail'] = $operatorData['email'];
} else {
$operatorDb = create_operator($login, $operatorData['email'], generateStrongPassword(), $operatorData['commonname'],
$operatorData['commonname'], null, null);
}
if ($operatorDb['vclogin'] != 'admin') {
$operatorDb['iperm'] = $userperm;
}
$operatorDb = save_operator_avatar($operatorDb, $operatorData['avatar']);
update_operator($operatorDb);
return $operatorDb;
}
function save_operator_avatar($operator, $avatar_data) {
$avatar = $operator['vcavatar'];
if (!is_null($avatar_data)) {
$ext = "." . getImgType($avatar_data);
$new_avatar = 'files/avatar/' . intval($operator['operatorid']) . $ext;
$full_file_path = MIBEW_FS_ROOT . "/" . $new_avatar;
$file = fopen($full_file_path, "wb");
fwrite($file,$avatar_data);
fclose($file);
} else {
$new_avatar = null;
}
if (!is_null($avatar) && $avatar != $new_avatar) {
unlink(MIBEW_FS_ROOT . "/" . $avatar);
}
$operator['vcavatar'] = $new_avatar;
return $operator;
}
function getImgType($filedata) {
$types = array('jpeg' => "\xFF\xD8\xFF", 'gif' => 'GIF', 'png' => "\x89\x50\x4e\x47\x0d\x0a", 'bmp' => 'BM', 'psd' => '8BPS', 'swf' => 'FWS');
$bytes = substr($filedata, 0, 8);
$found = 'other';
foreach ($types as $type => $header) {
if (strpos($bytes, $header) === 0) {
$found = $type;
break;
}
}
return $found;
}
function generateStrongPassword($length = 9, $add_dashes = false, $available_sets = 'luds')
{
$sets = array();
if(strpos($available_sets, 'l') !== false)
$sets[] = 'abcdefghjkmnpqrstuvwxyz';
if(strpos($available_sets, 'u') !== false)
$sets[] = 'ABCDEFGHJKMNPQRSTUVWXYZ';
if(strpos($available_sets, 'd') !== false)
$sets[] = '23456789';
if(strpos($available_sets, 's') !== false)
$sets[] = '!@#$%&*?';
$all = '';
$password = '';
foreach($sets as $set)
{
$password .= $set[array_rand(str_split($set))];
$all .= $set;
}
$all = str_split($all);
for($i = 0; $i < $length - count($sets); $i++)
$password .= $all[array_rand($all)];
$password = str_shuffle($password);
if(!$add_dashes)
return $password;
$dash_len = floor(sqrt($length));
$dash_str = '';
while(strlen($password) > $dash_len)
{
$dash_str .= substr($password, 0, $dash_len) . '-';
$password = substr($password, $dash_len);
}
$dash_str .= $password;
return $dash_str;
}
function operator_by_email($mail)
{
$db = Database::getInstance();