dolibarr 21.0.0-alpha
functions_ldap.php
Go to the documentation of this file.
1<?php
2/* Copyright (C) 2007-2011 Laurent Destailleur <eldy@users.sourceforge.net>
3 * Copyright (C) 2008-2021 Regis Houssin <regis.houssin@inodbox.com>
4 * Copyright (C) 2024 MDW <mdeweerd@users.noreply.github.com>
5 * Copyright (C) 2024 William Mead <william.mead@manchenumerique.fr>
6 *
7 * This program is free software; you can redistribute it and/or modify
8 * it under the terms of the GNU General Public License as published by
9 * the Free Software Foundation; either version 3 of the License, or
10 * (at your option) any later version.
11 *
12 * This program is distributed in the hope that it will be useful,
13 * but WITHOUT ANY WARRANTY; without even the implied warranty of
14 * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
15 * GNU General Public License for more details.
16 *
17 * You should have received a copy of the GNU General Public License
18 * along with this program. If not, see <https://www.gnu.org/licenses/>.
19 *
20 */
21
38function check_user_password_ldap($usertotest, $passwordtotest, $entitytotest)
39{
40 global $db, $conf, $langs;
41 global $dolibarr_main_auth_ldap_host, $dolibarr_main_auth_ldap_port;
42 global $dolibarr_main_auth_ldap_version, $dolibarr_main_auth_ldap_servertype;
43 global $dolibarr_main_auth_ldap_login_attribute, $dolibarr_main_auth_ldap_dn;
44 global $dolibarr_main_auth_ldap_admin_login, $dolibarr_main_auth_ldap_admin_pass;
45 global $dolibarr_main_auth_ldap_filter;
46 global $dolibarr_main_auth_ldap_debug;
47
48 // Force master entity in transversal mode
49 $entity = $entitytotest;
50 if (isModEnabled('multicompany') && getDolGlobalString('MULTICOMPANY_TRANSVERSE_MODE')) {
51 $entity = 1;
52 }
53
54 $login = '';
55 $resultFetchUser = '';
56
57 if (!function_exists("ldap_connect")) {
58 dol_syslog("functions_ldap::check_user_password_ldap Authentication KO failed to connect to LDAP. LDAP functions are disabled on this PHP", LOG_ERR);
59 sleep(1);
60
61 // Load translation files required by the page
62 $langs->loadLangs(array('main', 'other'));
63
64 $_SESSION["dol_loginmesg"] = $langs->transnoentitiesnoconv("ErrorLDAPFunctionsAreDisabledOnThisPHP").' '.$langs->transnoentitiesnoconv("TryAnotherConnectionMode");
65 return '';
66 }
67
68 if ($usertotest) {
69 dol_syslog("functions_ldap::check_user_password_ldap usertotest=".$usertotest." passwordtotest=".preg_replace('/./', '*', $passwordtotest)." entitytotest=".$entitytotest);
70
71 // If test username/password asked, we define $test=false and $login var if ok, set $_SESSION["dol_loginmesg"] if ko
72 $ldaphost = $dolibarr_main_auth_ldap_host;
73 $ldapport = $dolibarr_main_auth_ldap_port;
74 $ldapversion = $dolibarr_main_auth_ldap_version;
75 $ldapservertype = (empty($dolibarr_main_auth_ldap_servertype) ? 'openldap' : $dolibarr_main_auth_ldap_servertype);
76
77 $ldapuserattr = $dolibarr_main_auth_ldap_login_attribute;
78 $ldapdn = $dolibarr_main_auth_ldap_dn;
79 $ldapadminlogin = $dolibarr_main_auth_ldap_admin_login;
80 $ldapadminpass = $dolibarr_main_auth_ldap_admin_pass;
81 $ldapdebug = !(empty($dolibarr_main_auth_ldap_debug) || $dolibarr_main_auth_ldap_debug == "false");
82
83 if ($ldapdebug) {
84 print "DEBUG: Logging LDAP steps<br>\n";
85 }
86
87 require_once DOL_DOCUMENT_ROOT.'/core/class/ldap.class.php';
88 $ldap = new Ldap();
89 $ldap->server = explode(',', $ldaphost);
90 $ldap->serverPort = $ldapport;
91 $ldap->ldapProtocolVersion = $ldapversion;
92 $ldap->serverType = $ldapservertype;
93 $ldap->searchUser = $ldapadminlogin;
94 $ldap->searchPassword = $ldapadminpass;
95
96 if ($ldapdebug) {
97 dol_syslog("functions_ldap::check_user_password_ldap Server:".implode(',', $ldap->server).", Port:".$ldap->serverPort.", Protocol:".$ldap->ldapProtocolVersion.", Type:".$ldap->serverType);
98 dol_syslog("functions_ldap::check_user_password_ldap uid/samaccountname=".$ldapuserattr.", dn=".$ldapdn.", Admin:".$ldap->searchUser.", Pass:".dol_trunc($ldap->searchPassword, 3));
99 print "DEBUG: Server:".implode(',', $ldap->server).", Port:".$ldap->serverPort.", Protocol:".$ldap->ldapProtocolVersion.", Type:".$ldap->serverType."<br>\n";
100 print "DEBUG: uid/samaccountname=".$ldapuserattr.", dn=".$ldapdn.", Admin:".$ldap->searchUser.", Pass:".dol_trunc($ldap->searchPassword, 3)."<br>\n";
101 }
102
103 $resultFetchLdapUser = 0;
104
105 // Define $userSearchFilter
106 $userSearchFilter = "";
107 if (empty($dolibarr_main_auth_ldap_filter)) {
108 $userSearchFilter = "(".$ldapuserattr."=".$usertotest.")";
109 } else {
110 // @phan-suppress-next-line PhanPluginSuspiciousParamOrderInternal
111 $userSearchFilter = str_replace('%1%', $usertotest, $dolibarr_main_auth_ldap_filter);
112 }
113
114 // If admin login or ldap auth filter provided
115 // Code to get user in LDAP from an admin connection (may differ from user connection, done later)
116 if ($ldapadminlogin || $dolibarr_main_auth_ldap_filter) {
117 $result = $ldap->connectBind();
118 if ($result > 0) {
119 $resultFetchLdapUser = $ldap->fetch($usertotest, $userSearchFilter);
120 //dol_syslog('functions_ldap::check_user_password_ldap resultFetchLdapUser='.$resultFetchLdapUser);
121 if ($resultFetchLdapUser > 0 && $ldap->pwdlastset == 0) { // If ok but password need to be reset
122 dol_syslog('functions_ldap::check_user_password_ldap '.$usertotest.' must change password next logon');
123 if ($ldapdebug) {
124 print "DEBUG: User ".$usertotest." must change password<br>\n";
125 }
126 $ldap->unbind();
127 sleep(1); // Anti brut force protection. Must be same delay when user and password are not valid.
128 $langs->load('ldap');
129 $_SESSION["dol_loginmesg"] = $langs->transnoentitiesnoconv("YouMustChangePassNextLogon", $usertotest, $ldap->domainFQDN);
130 return '';
131 }
132 } else {
133 if ($ldapdebug) {
134 print "DEBUG: ".$ldap->error."<br>\n";
135 }
136 }
137 $ldap->unbind();
138 }
139
140 // Forge LDAP user and password to test with them
141 // If LDAP need a dn with login like "uid=jbloggs,ou=People,dc=foo,dc=com", default dn may work even if previous code with
142 // admin login no executed.
143 $ldap->searchUser = $ldapuserattr."=".$usertotest.",".$ldapdn; // Default dn (will work if LDAP accept a dn with login value inside)
144 // But if LDAP need a dn with name like "cn=Jhon Bloggs,ou=People,dc=foo,dc=com", previous part must have been executed to have
145 // dn detected into ldapUserDN.
146 if ($resultFetchLdapUser && !empty($ldap->ldapUserDN)) {
147 $ldap->searchUser = $ldap->ldapUserDN;
148 }
149 $ldap->searchPassword = $passwordtotest;
150
151 // Test with this->seachUser and this->searchPassword
152 //print $resultFetchLdapUser."-".$ldap->ldapUserDN."-".$ldap->searchUser.'-'.$ldap->searchPassword;exit;
153 $result = $ldap->connectBind();
154 if ($result > 0) {
155 if ($result == 2) { // Connection is ok for user/pass into LDAP
156 $login = $usertotest;
157 dol_syslog("functions_ldap::check_user_password_ldap $login authentication ok");
158 // For the case, we search the user id using a search key without the login (but using other fields like id),
159 // we need to get the real login to use in the ldap answer.
160 if (getDolGlobalString('LDAP_FIELD_LOGIN') && !empty($ldap->login)) {
161 $login = $ldap->login;
162 dol_syslog("functions_ldap::check_user_password_ldap login is now $login (LDAP_FIELD_LOGIN=".getDolGlobalString('LDAP_FIELD_LOGIN').")");
163 }
164
165 require_once DOL_DOCUMENT_ROOT.'/core/lib/date.lib.php';
166
167 // Note: Test on date validity is done later natively with isNotIntoValidityDateRange() by core after calling checkLoginPassEntity() that call this method
168
169 // ldap2dolibarr synchronisation
170 if ($login && !empty($conf->ldap->enabled) && getDolGlobalInt('LDAP_SYNCHRO_ACTIVE') == Ldap::SYNCHRO_LDAP_TO_DOLIBARR) { // ldap2dolibarr synchronization
171 dol_syslog("functions_ldap::check_user_password_ldap Sync ldap2dolibarr");
172
173 // On charge les attributes du user ldap
174 if ($ldapdebug) {
175 print "DEBUG: login ldap = ".$login."<br>\n";
176 }
177 $resultFetchLdapUser = $ldap->fetch($login, $userSearchFilter);
178
179 if ($ldapdebug) {
180 print "DEBUG: UACF = ".implode(',', $ldap->uacf)."<br>\n";
181 }
182 if ($ldapdebug) {
183 print "DEBUG: pwdLastSet = ".dol_print_date($ldap->pwdlastset, 'day')."<br>\n";
184 }
185 if ($ldapdebug) {
186 print "DEBUG: badPasswordTime = ".dol_print_date($ldap->badpwdtime, 'day')."<br>\n";
187 }
188
189 // On recherche le user dolibarr en fonction de son SID ldap (only for Active Directory)
190 $sid = null;
191 if (getDolGlobalString('LDAP_SERVER_TYPE') == "activedirectory") {
192 $sid = $ldap->getObjectSid($login);
193 if ($ldapdebug) {
194 print "DEBUG: sid = ".$sid."<br>\n";
195 }
196 }
197
198 $usertmp = new User($db);
199 $resultFetchUser = $usertmp->fetch(0, $login, $sid, 1, ($entitytotest > 0 ? $entitytotest : -1));
200 if ($resultFetchUser > 0) {
201 dol_syslog("functions_ldap::check_user_password_ldap Sync user found user id=".$usertmp->id);
202 // Verify if the login changed and update the Dolibarr attributes
203
204 if ($usertmp->login != $ldap->login && $ldap->login) {
205 $usertmp->login = $ldap->login;
206 $usertmp->update($usertmp);
207 // TODO What to do if the update fails because the login already exists for another account.
208 }
209
210 //$resultUpdate = $usertmp->update_ldap2dolibarr($ldap);
211 }
212
213 unset($usertmp);
214 }
215
216 if (isModEnabled('multicompany')) { // We must check entity (even if sync is not active)
217 global $mc;
218
219 $usertmp = new User($db);
220 $usertmp->fetch(0, $login);
221 if (is_object($mc)) {
222 $ret = $mc->checkRight($usertmp->id, $entitytotest);
223 if ($ret < 0) {
224 dol_syslog("functions_ldap::check_user_password_ldap Authentication KO entity '".$entitytotest."' not allowed for user id '".$usertmp->id."'", LOG_NOTICE);
225 $login = ''; // force authentication failure
226 }
227 unset($usertmp);
228 }
229 }
230 }
231 if ($result == 1) {
232 dol_syslog("functions_ldap::check_user_password_ldap Authentication KO bad user/password for '".$usertotest."'", LOG_NOTICE);
233 sleep(1); // Anti brut force protection. Must be same delay when user and password are not valid.
234
235 // Load translation files required by the page
236 $langs->loadLangs(array('main', 'other'));
237
238 $_SESSION["dol_loginmesg"] = $langs->transnoentitiesnoconv("ErrorBadLoginPassword");
239 }
240 } else {
241 /* Login failed. Return false, together with the error code and text from
242 ** the LDAP server. The common error codes and reasons are listed below :
243 ** (for iPlanet, other servers may differ)
244 ** 19 - Account locked out (too many invalid login attempts)
245 ** 32 - User does not exist
246 ** 49 - Wrong password
247 ** 53 - Account inactive (manually locked out by administrator)
248 */
249 dol_syslog("functions_ldap::check_user_password_ldap Authentication KO failed to connect to LDAP for '".$usertotest."'", LOG_NOTICE);
250 if (is_resource($ldap->connection) || is_object($ldap->connection)) { // If connection ok but bind ko
251 try {
252 // @phan-suppress-next-line PhanTypeMismatchArgumentInternal Expects LDAP\Connection, not 'resource'
253 $ldap->ldapErrorCode = ldap_errno($ldap->connection);
254 // @phan-suppress-next-line PhanTypeMismatchArgumentInternal Expects LDAP\Connection, not 'resource'
255 $ldap->ldapErrorText = ldap_error($ldap->connection);
256 dol_syslog("functions_ldap::check_user_password_ldap ".$ldap->ldapErrorCode." ".$ldap->ldapErrorText);
257 } catch (Throwable $exception) {
258 $ldap->ldapErrorCode = 0;
259 $ldap->ldapErrorText = '';
260 dol_syslog('functions_ldap::check_user_password_ldap '.$exception, LOG_WARNING);
261 }
262 }
263 sleep(1); // Anti brut force protection. Must be same delay when user and password are not valid.
264 // Load translation files required by the page
265 $langs->loadLangs(array('main', 'other', 'errors'));
266 $_SESSION["dol_loginmesg"] = ($ldap->error ? $ldap->error : $langs->transnoentitiesnoconv("ErrorBadLoginPassword"));
267 }
268 $ldap->unbind();
269 }
270
271 return $login;
272}
Class to manage LDAP features.
Class to manage Dolibarr users.
getDolGlobalInt($key, $default=0)
Return a Dolibarr global constant int value.
dol_trunc($string, $size=40, $trunc='right', $stringencoding='UTF-8', $nodot=0, $display=0)
Truncate a string to a particular length adding '…' if string larger than length.
getDolGlobalString($key, $default='')
Return a Dolibarr global constant string value.
dol_syslog($message, $level=LOG_INFO, $ident=0, $suffixinfilename='', $restricttologhandler='', $logcontext=null)
Write log message into outputs.
check_user_password_ldap($usertotest, $passwordtotest, $entitytotest)
Check validity of user/password/entity If test is ko, reason must be filled into $_SESSION["dol_login...