1
0
Fork 0
mirror of https://github.com/YunoHost-Apps/hubzilla_ynh.git synced 2024-09-03 19:26:21 +02:00
hubzilla_ynh/sources/addon/ldapauth/ldapauth.php
2016-04-17 22:42:29 +05:30

182 lines
5.8 KiB
PHP
Executable file

<?php
/**
* Name: LDAP Authenticate
* Description: Authenticate an account against an LDAP directory
* Version: 1.0
* Author: Mike Macgirvin <zot:mike@zothub.com>
* Maintainer: Mike Macgirvin <mike@macgirvin.com>
*/
/**
*
* Module: LDAP Authenticate
*
* Authenticate a user against an LDAP directory
* Useful for Windows Active Directory and other LDAP-based organisations
* to maintain a single password across the organisation.
*
* Optionally authenticates only if a member of a given group in the directory.
*
* The person must have registered with Friendica using the normal registration
* procedures in order to have a Friendica user record, contact, and profile.
*
* Note when using with Windows Active Directory: you may need to set TLS_CACERT in your site
* ldap.conf file to the signing cert for your LDAP server.
*
* The required configuration options for this module may be set in the .htconfig.php file
* e.g.:
*
* App::$config['ldapauth']['ldap_server'] = 'host.example.com';
*
* Parameters:
* ldap_server = DNS hostname of LDAP service, or URL e.g. ldaps://example.com
* ldap_binddn = LDAP DN of an account to bind with to search LDAP
* ldap_bindpw = password for LDAP bind DN
* ldap_searchdn = base DN for the search root of the LDAP directory
* ldap_userattr = the name of the attribute containing the username, e.g. SAMAccountName
* ldap_group = (optional) DN of group to check membership
* create_account = (optional) 1 or 0 (default), automatically create Hubzilla accounts based on the LDAP 'mail' attribute
*
*/
function ldapauth_load() {
register_hook('authenticate', 'addon/ldapauth/ldapauth.php', 'ldapauth_hook_authenticate');
}
function ldapauth_unload() {
unregister_hook('authenticate', 'addon/ldapauth/ldapauth.php', 'ldapauth_hook_authenticate');
}
function ldapauth_hook_authenticate($a,&$b) {
$mail = '';
if(ldapauth_authenticate($b['username'],$b['password'],$mail)) {
$results = q("SELECT * FROM account where account_email = '%s' OR account_email = '%s' AND account_flags in (0,1) limit 1",
dbesc($b['username']), dbesc($mail)
);
if((! $results) && ($mail) && intval(get_config('ldapauth','create_account')) == 1) {
require_once('include/account.php');
$acct = create_account(array('email' => $mail, 'password' => random_string()));
if($acct['success']) {
logger('ldapauth: Created account for ' . $b['username'] . ' using ' . $mail);
info(t('An account has been created for you.'));
$b['user_record'] = $acct['account'];
$b['authenticated'] = 1;
}
} elseif(intval(get_config('ldapauth','create_account')) != 1 && (! $results)) {
logger('ldapauth: User '.$b['username'].' authenticated but no db-record and. Rejecting auth.');
notice( t('Authentication successful but rejected: account creation is disabled.'));
return;
}
if($results) {
logger('ldapauth: Login success for ' . $b['username']);
$b['user_record'] = $results[0];
$b['authenticated'] = 1;
}
}
return;
}
function ldapauth_authenticate($username,$password,&$mail) {
logger('ldapauth: Searching user '.$username.'.');
$ldap_server = get_config('ldapauth','ldap_server');
$ldap_binddn = get_config('ldapauth','ldap_binddn');
$ldap_bindpw = get_config('ldapauth','ldap_bindpw');
$ldap_searchdn = get_config('ldapauth','ldap_searchdn');
$ldap_userattr = get_config('ldapauth','ldap_userattr');
$ldap_group = get_config('ldapauth','ldap_group');
if(empty($password)) {
logger('ldapauth: Empty Password not allowed.');
return false;
}
if(!function_exists('ldap_connect')
|| empty($ldap_server)) {
logger('ldapauth: PHP-LDAP fail or no server set.');
return false;
}
$connect = @ldap_connect($ldap_server);
if(! $connect) {
logger('ldapauth: Unable to connect to server');
return false;
}
@ldap_set_option($connect, LDAP_OPT_PROTOCOL_VERSION,3);
@ldap_set_option($connect, LDAP_OPT_REFERRALS, 0);
if((@ldap_bind($connect,$ldap_binddn,$ldap_bindpw)) === false) {
logger('ldapauth: Unable to bind to server. Check credentials of binddn.');
return false;
}
$res = @ldap_search($connect,$ldap_searchdn, $ldap_userattr . '=' . $username, array('mail'));
if(! $res) {
logger('ldapauth: User '.$username.' not found.');
return false;
}
$id = @ldap_first_entry($connect,$res);
if(! $id) {
logger('ldapauth: User '.$username.' found but unable to load data.');
return false;
}
// get primary email
$mail = '';
$attrs = @ldap_get_attributes($connect,$id);
if($attrs['count'] && $attrs['mail']) {
if(is_array($attrs['mail']))
$mail = $attrs['mail'][0];
else
$mail = $attrs['mail'];
}
$dn = @ldap_get_dn($connect,$id);
if(! @ldap_bind($connect,$dn,$password)) {
logger('ldapauth: User '.$username.' provided wrong credentials.');
return false;
}
if(empty($ldap_group)) {
logger('ldapauth: User '.$username.' authenticated.');
return true;
}
$r = @ldap_compare($connect,$ldap_group,'member',$dn);
if ($r === -1) {
$err = @ldap_error($connect);
$eno = @ldap_errno($connect);
@ldap_close($connect);
if ($eno === 32) {
logger('ldapauth: access control group Does Not Exist');
return false;
}
elseif ($eno === 16) {
logger('ldapauth: membership attribute does not exist in access control group');
return false;
}
else {
logger('ldapauth: error: ' . $err);
return false;
}
}
elseif ($r === false) {
logger('ldapauth: User '.$username.' is not in the allowed group.');
@ldap_close($connect);
return false;
}
// logger('ldapauth: User '.$username.' authenticated and in allowed group.');
return true;
}