dolibarr  7.0.0-beta
functions_ldap.php
Go to the documentation of this file.
1 <?php
2 /* Copyright (C) 2007-2011 Laurent Destailleur <eldy@users.sourceforge.net>
3  *
4  * This program is free software; you can redistribute it and/or modify
5  * it under the terms of the GNU General Public License as published by
6  * the Free Software Foundation; either version 3 of the License, or
7  * (at your option) any later version.
8  *
9  * This program is distributed in the hope that it will be useful,
10  * but WITHOUT ANY WARRANTY; without even the implied warranty of
11  * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
12  * GNU General Public License for more details.
13  *
14  * You should have received a copy of the GNU General Public License
15  * along with this program. If not, see <http://www.gnu.org/licenses/>.
16  *
17  */
18 
35 function check_user_password_ldap($usertotest,$passwordtotest,$entitytotest)
36 {
37  global $db,$conf,$langs;
38  global $_POST;
39  global $dolibarr_main_auth_ldap_host,$dolibarr_main_auth_ldap_port;
40  global $dolibarr_main_auth_ldap_version,$dolibarr_main_auth_ldap_servertype;
41  global $dolibarr_main_auth_ldap_login_attribute,$dolibarr_main_auth_ldap_dn;
42  global $dolibarr_main_auth_ldap_admin_login,$dolibarr_main_auth_ldap_admin_pass;
43  global $dolibarr_main_auth_ldap_filter;
44  global $dolibarr_main_auth_ldap_debug;
45 
46  // Force master entity in transversal mode
47  $entity=$entitytotest;
48  if (! empty($conf->multicompany->enabled) && ! empty($conf->global->MULTICOMPANY_TRANSVERSE_MODE)) $entity=1;
49 
50  $login='';
51  $resultFetchUser='';
52 
53  if (! function_exists("ldap_connect"))
54  {
55  dol_syslog("functions_ldap::check_user_password_ldap Authentification ko failed to connect to LDAP. LDAP functions are disabled on this PHP");
56  sleep(1);
57  $langs->load('main');
58  $langs->load('other');
59  $_SESSION["dol_loginmesg"]=$langs->trans("ErrorLDAPFunctionsAreDisabledOnThisPHP").' '.$langs->trans("TryAnotherConnectionMode");
60  return;
61  }
62 
63  if ($usertotest)
64  {
65  dol_syslog("functions_ldap::check_user_password_ldap usertotest=".$usertotest." passwordtotest=".preg_replace('/./','*',$passwordtotest)." entitytotest=".$entitytotest);
66 
67  // If test username/password asked, we define $test=false and $login var if ok, set $_SESSION["dol_loginmesg"] if ko
68  $ldaphost=$dolibarr_main_auth_ldap_host;
69  $ldapport=$dolibarr_main_auth_ldap_port;
70  $ldapversion=$dolibarr_main_auth_ldap_version;
71  $ldapservertype=(empty($dolibarr_main_auth_ldap_servertype) ? 'openldap' : $dolibarr_main_auth_ldap_servertype);
72 
73  $ldapuserattr=$dolibarr_main_auth_ldap_login_attribute;
74  $ldapdn=$dolibarr_main_auth_ldap_dn;
75  $ldapadminlogin=$dolibarr_main_auth_ldap_admin_login;
76  $ldapadminpass=$dolibarr_main_auth_ldap_admin_pass;
77  $ldapdebug=(empty($dolibarr_main_auth_ldap_debug) || $dolibarr_main_auth_ldap_debug=="false" ? false : true);
78 
79  if ($ldapdebug) print "DEBUG: Logging LDAP steps<br>\n";
80 
81  require_once DOL_DOCUMENT_ROOT.'/core/class/ldap.class.php';
82  $ldap=new Ldap();
83  $ldap->server=explode(',',$ldaphost);
84  $ldap->serverPort=$ldapport;
85  $ldap->ldapProtocolVersion=$ldapversion;
86  $ldap->serverType=$ldapservertype;
87  $ldap->searchUser=$ldapadminlogin;
88  $ldap->searchPassword=$ldapadminpass;
89 
90  if ($ldapdebug)
91  {
92  dol_syslog("functions_ldap::check_user_password_ldap Server:".join(',',$ldap->server).", Port:".$ldap->serverPort.", Protocol:".$ldap->ldapProtocolVersion.", Type:".$ldap->serverType);
93  dol_syslog("functions_ldap::check_user_password_ldap uid/samacountname=".$ldapuserattr.", dn=".$ldapdn.", Admin:".$ldap->searchUser.", Pass:".$ldap->searchPassword);
94  print "DEBUG: Server:".join(',',$ldap->server).", Port:".$ldap->serverPort.", Protocol:".$ldap->ldapProtocolVersion.", Type:".$ldap->serverType."<br>\n";
95  print "DEBUG: uid/samacountname=".$ldapuserattr.", dn=".$ldapdn.", Admin:".$ldap->searchUser.", Pass:".$ldap->searchPassword."<br>\n";
96  }
97 
98  $resultFetchLdapUser=0;
99 
100  // Define $userSearchFilter
101  $userSearchFilter = "";
102  if (empty($dolibarr_main_auth_ldap_filter)) {
103  $userSearchFilter = "(" . $ldapuserattr . "=" . $usertotest . ")";
104  } else {
105  $userSearchFilter = str_replace('%1%', $usertotest, $dolibarr_main_auth_ldap_filter);
106  }
107 
108  // If admin login provided
109  // Code to get user in LDAP from an admin connection (may differ from user connection, done later)
110  if ($ldapadminlogin)
111  {
112  $result=$ldap->connect_bind();
113  if ($result > 0)
114  {
115  $resultFetchLdapUser = $ldap->fetch($usertotest,$userSearchFilter);
116  //dol_syslog('functions_ldap::check_user_password_ldap resultFetchLdapUser='.$resultFetchLdapUser);
117  if ($resultFetchLdapUser > 0 && $ldap->pwdlastset == 0) // If ok but password need to be reset
118  {
119  dol_syslog('functions_ldap::check_user_password_ldap '.$usertotest.' must change password next logon');
120  if ($ldapdebug) print "DEBUG: User ".$usertotest." must change password<br>\n";
121  $ldap->close();
122  sleep(1);
123  $langs->load('ldap');
124  $_SESSION["dol_loginmesg"]=$langs->trans("YouMustChangePassNextLogon",$usertotest,$ldap->domainFQDN);
125  return '';
126  }
127  }
128  else
129  {
130  if ($ldapdebug) print "DEBUG: ".$ldap->error."<br>\n";
131  }
132  $ldap->close();
133  }
134 
135  // Forge LDAP user and password to test with them
136  // If LDAP need a dn with login like "uid=jbloggs,ou=People,dc=foo,dc=com", default dn may work even if previous code with
137  // admin login no exectued.
138  $ldap->searchUser=$ldapuserattr."=".$usertotest.",".$ldapdn; // Default dn (will work if LDAP accept a dn with login value inside)
139  // But if LDAP need a dn with name like "cn=Jhon Bloggs,ou=People,dc=foo,dc=com", previous part must have been executed to have
140  // dn detected into ldapUserDN.
141  if ($resultFetchLdapUser && !empty($ldap->ldapUserDN)) $ldap->searchUser = $ldap->ldapUserDN;
142  $ldap->searchPassword=$passwordtotest;
143 
144  // Test with this->seachUser and this->searchPassword
145  //print $resultFetchLdapUser."-".$ldap->ldapUserDN."-".$ldap->searchUser.'-'.$ldap->searchPassword;exit;
146  $result=$ldap->connect_bind();
147  if ($result > 0)
148  {
149  if ($result == 2) // Connection is ok for user/pass into LDAP
150  {
151  dol_syslog("functions_ldap::check_user_password_ldap Authentification ok");
152  $login=$usertotest;
153 
154  // ldap2dolibarr synchronisation
155  if ($login && ! empty($conf->ldap->enabled) && $conf->global->LDAP_SYNCHRO_ACTIVE == 'ldap2dolibarr') // ldap2dolibarr synchronisation
156  {
157  dol_syslog("functions_ldap::check_user_password_ldap Sync ldap2dolibarr");
158 
159  // On charge les attributs du user ldap
160  if ($ldapdebug) print "DEBUG: login ldap = ".$login."<br>\n";
161  $resultFetchLdapUser = $ldap->fetch($login,$userSearchFilter);
162 
163  if ($ldapdebug) print "DEBUG: UACF = ".join(',',$ldap->uacf)."<br>\n";
164  if ($ldapdebug) print "DEBUG: pwdLastSet = ".dol_print_date($ldap->pwdlastset,'day')."<br>\n";
165  if ($ldapdebug) print "DEBUG: badPasswordTime = ".dol_print_date($ldap->badpwdtime,'day')."<br>\n";
166 
167  // On recherche le user dolibarr en fonction de son SID ldap
168  $sid = $ldap->getObjectSid($login);
169  if ($ldapdebug) print "DEBUG: sid = ".$sid."<br>\n";
170 
171  $usertmp=new User($db);
172  $resultFetchUser=$usertmp->fetch('',$login,$sid);
173  if ($resultFetchUser > 0)
174  {
175  dol_syslog("functions_ldap::check_user_password_ldap Sync user found user id=".$usertmp->id);
176  // On verifie si le login a change et on met a jour les attributs dolibarr
177 
178  if ($usertmp->login != $ldap->login && $ldap->login)
179  {
180  $usertmp->login = $ldap->login;
181  $usertmp->update($usertmp);
182  // TODO Que faire si update echoue car on update avec un login deja existant.
183  }
184 
185  //$resultUpdate = $usertmp->update_ldap2dolibarr($ldap);
186  }
187  unset($usertmp);
188  }
189 
190  if (! empty($conf->multicompany->enabled)) // We must check entity (even if sync is not active)
191  {
192  global $mc;
193 
194  $usertmp=new User($db);
195  $usertmp->fetch('',$login);
196  $ret=$mc->checkRight($usertmp->id, $entitytotest);
197  if ($ret < 0)
198  {
199  dol_syslog("functions_ldap::check_user_password_ldap Authentification ko entity '".$entitytotest."' not allowed for user '".$usertmp->id."'");
200  $login=''; // force authentication failure
201  }
202  unset($usertmp);
203  }
204 
205  }
206  if ($result == 1)
207  {
208  dol_syslog("functions_ldap::check_user_password_ldap Authentification ko bad user/password for '".$usertotest."'");
209  sleep(1);
210  $langs->load('main');
211  $langs->load('other');
212  $_SESSION["dol_loginmesg"]=$langs->trans("ErrorBadLoginPassword");
213  }
214  }
215  else
216  {
217  /* Login failed. Return false, together with the error code and text from
218  ** the LDAP server. The common error codes and reasons are listed below :
219  ** (for iPlanet, other servers may differ)
220  ** 19 - Account locked out (too many invalid login attempts)
221  ** 32 - User does not exist
222  ** 49 - Wrong password
223  ** 53 - Account inactive (manually locked out by administrator)
224  */
225  dol_syslog("functions_ldap::check_user_password_ldap Authentification ko failed to connect to LDAP for '".$usertotest."'");
226  if (is_resource($ldap->connection)) // If connection ok but bind ko
227  {
228  $ldap->ldapErrorCode = ldap_errno($ldap->connection);
229  $ldap->ldapErrorText = ldap_error($ldap->connection);
230  dol_syslog("functions_ldap::check_user_password_ldap ".$ldap->ldapErrorCode." ".$ldap->ldapErrorText);
231  }
232  sleep(2); // Anti brut force protection
233  $langs->load('main');
234  $langs->load('other');
235  $langs->load('errors');
236  $_SESSION["dol_loginmesg"]=($ldap->error?$ldap->error:$langs->trans("ErrorBadLoginPassword"));
237  }
238 
239  $ldap->close();
240  }
241 
242  return $login;
243 }
244 
check_user_password_ldap($usertotest, $passwordtotest, $entitytotest)
Check validity of user/password/entity If test is ko, reason must be filled into $_SESSION["dol_login...
Class to manage Dolibarr users.
Definition: user.class.php:39
dol_syslog($message, $level=LOG_INFO, $ident=0, $suffixinfilename='', $restricttologhandler='')
Write log message into outputs.
Class to manage LDAP features.
Definition: ldap.class.php:30
print
Draft customers invoices.
Definition: index.php:91