2022-01-05 11:20:22 +01:00
|
|
|
<?php
|
|
|
|
|
|
|
|
/**
|
|
|
|
* Tiny Tiny RSS plugin for LDAP authentication
|
|
|
|
* @author tsmgeek (tsmgeek@gmail.com)
|
|
|
|
* @author hydrian (ben.tyger@tygerclan.net)
|
|
|
|
* @copyright GPL2
|
|
|
|
* Requires php-ldap
|
|
|
|
* @version 2.00
|
|
|
|
*/
|
|
|
|
/**
|
|
|
|
* Configuration
|
|
|
|
* Put the following options in config.php and customize them for your environment
|
|
|
|
*
|
2022-02-23 16:04:01 +01:00
|
|
|
* define('LDAP_AUTH_SERVER_URI', 'ldaps://LDAPServerHostname:port/');
|
|
|
|
* define('LDAP_AUTH_USETLS', FALSE); // Enable TLS Support for ldaps://
|
|
|
|
* define('LDAP_AUTH_ALLOW_UNTRUSTED_CERT', TRUE); // Allows untrusted certificate
|
|
|
|
* define('LDAP_AUTH_BASEDN', 'dc=example,dc=com');
|
|
|
|
* define('LDAP_AUTH_ANONYMOUSBEFOREBIND', FALSE);
|
|
|
|
* // ??? will be replaced with the entered username(escaped) at login
|
|
|
|
* define('LDAP_AUTH_SEARCHFILTER', '(&(objectClass=person)(uid=???))');
|
|
|
|
* // Optional configuration
|
2022-01-05 11:20:22 +01:00
|
|
|
* define('LDAP_AUTH_BINDDN', 'cn=serviceaccount,dc=example,dc=com');
|
|
|
|
* define('LDAP_AUTH_BINDPW', 'ServiceAccountsPassword');
|
|
|
|
* define('LDAP_AUTH_LOGIN_ATTRIB', 'uid');
|
|
|
|
* define('LDAP_AUTH_LOG_ATTEMPTS', FALSE);
|
|
|
|
* Enable Debug Logging
|
|
|
|
* define('LDAP_AUTH_DEBUG', FALSE);
|
|
|
|
*
|
|
|
|
*
|
|
|
|
*
|
|
|
|
*/
|
|
|
|
|
|
|
|
/**
|
2022-02-23 16:04:01 +01:00
|
|
|
* Notes -
|
|
|
|
* LDAP search does not support follow ldap referals. Referals are disabled to
|
|
|
|
* allow proper login. This is particular to Active Directory.
|
2022-01-05 11:20:22 +01:00
|
|
|
*
|
2022-02-23 16:04:01 +01:00
|
|
|
* Also group membership can be supported if the user object contains the
|
|
|
|
* the group membership via attributes. The following LDAP servers can
|
|
|
|
* support this.
|
|
|
|
* * Active Directory
|
2022-01-05 11:20:22 +01:00
|
|
|
* * OpenLDAP support with MemberOf Overlay
|
|
|
|
*
|
|
|
|
*/
|
2022-02-23 16:04:01 +01:00
|
|
|
class Auth_Ldap extends Auth_Base {
|
2022-01-05 11:20:22 +01:00
|
|
|
|
|
|
|
private $link;
|
|
|
|
private $host;
|
|
|
|
private $base;
|
|
|
|
private $logClass;
|
|
|
|
private $ldapObj = NULL;
|
|
|
|
private $_debugMode;
|
|
|
|
private $_serviceBindDN;
|
|
|
|
private $_serviceBindPass;
|
|
|
|
private $_baseDN;
|
|
|
|
private $_useTLS;
|
|
|
|
private $_host;
|
|
|
|
private $_port;
|
|
|
|
private $_scheme;
|
|
|
|
private $_schemaCacheEnabled;
|
|
|
|
private $_anonBeforeBind;
|
|
|
|
private $_allowUntrustedCerts;
|
|
|
|
private $_ldapLoginAttrib;
|
|
|
|
|
|
|
|
function about() {
|
|
|
|
return array(0.05,
|
|
|
|
"Authenticates against an LDAP server (configured in config.php)",
|
|
|
|
"hydrian",
|
|
|
|
true);
|
|
|
|
}
|
|
|
|
|
|
|
|
function init($host) {
|
|
|
|
$this->link = $host->get_link();
|
|
|
|
$this->host = $host;
|
2022-02-23 16:04:01 +01:00
|
|
|
//$this->base = new Auth_Base($this->link);
|
2022-01-05 11:20:22 +01:00
|
|
|
|
|
|
|
$host->add_hook($host::HOOK_AUTH_USER, $this);
|
|
|
|
}
|
|
|
|
|
|
|
|
private function _log($msg, $level = E_USER_NOTICE, $file = '', $line = 0, $context = '') {
|
|
|
|
$loggerFunction = Logger::get();
|
|
|
|
if (is_object($loggerFunction)) {
|
|
|
|
$loggerFunction->log_error($level, $msg, $file, $line, $context);
|
|
|
|
} else {
|
|
|
|
trigger_error($msg, $level);
|
|
|
|
}
|
|
|
|
}
|
|
|
|
|
|
|
|
/**
|
|
|
|
* Logs login attempts
|
|
|
|
* @param string $username Given username that attempts to log in to TTRSS
|
|
|
|
* @param string $result "Logging message for type of result. (Success / Fail)"
|
|
|
|
* @return boolean
|
|
|
|
* @deprecated
|
|
|
|
*
|
|
|
|
* Now that _log support syslog and log levels and graceful fallback user.
|
|
|
|
*/
|
|
|
|
private function _logAttempt($username, $result) {
|
|
|
|
|
|
|
|
|
|
|
|
return trigger_error('TT-RSS Login Attempt: user ' . (string) $username .
|
|
|
|
' attempted to login (' . (string) $result . ') from ' . (string) $ip, E_USER_NOTICE
|
|
|
|
);
|
|
|
|
}
|
|
|
|
|
|
|
|
/**
|
|
|
|
* @param string $subject The subject string
|
|
|
|
* @param string $ignore Set of characters to leave untouched
|
|
|
|
* @param int $flags Any combination of LDAP_ESCAPE_* flags to indicate the
|
|
|
|
* set(s) of characters to escape.
|
|
|
|
* @return string
|
|
|
|
**/
|
|
|
|
function ldap_escape($subject, $ignore = '', $flags = 0)
|
|
|
|
{
|
|
|
|
if (!function_exists('ldap_escape')) {
|
|
|
|
define('LDAP_ESCAPE_FILTER', 0x01);
|
|
|
|
define('LDAP_ESCAPE_DN', 0x02);
|
|
|
|
|
|
|
|
static $charMaps = array(
|
|
|
|
LDAP_ESCAPE_FILTER => array('\\', '*', '(', ')', "\x00"),
|
|
|
|
LDAP_ESCAPE_DN => array('\\', ',', '=', '+', '<', '>', ';', '"', '#'),
|
|
|
|
);
|
|
|
|
|
|
|
|
// Pre-process the char maps on first call
|
|
|
|
if (!isset($charMaps[0])) {
|
|
|
|
$charMaps[0] = array();
|
|
|
|
for ($i = 0; $i < 256; $i++) {
|
|
|
|
$charMaps[0][chr($i)] = sprintf('\\%02x', $i);;
|
|
|
|
}
|
|
|
|
|
|
|
|
for ($i = 0, $l = count($charMaps[LDAP_ESCAPE_FILTER]); $i < $l; $i++) {
|
|
|
|
$chr = $charMaps[LDAP_ESCAPE_FILTER][$i];
|
|
|
|
unset($charMaps[LDAP_ESCAPE_FILTER][$i]);
|
|
|
|
$charMaps[LDAP_ESCAPE_FILTER][$chr] = $charMaps[0][$chr];
|
|
|
|
}
|
|
|
|
|
|
|
|
for ($i = 0, $l = count($charMaps[LDAP_ESCAPE_DN]); $i < $l; $i++) {
|
|
|
|
$chr = $charMaps[LDAP_ESCAPE_DN][$i];
|
|
|
|
unset($charMaps[LDAP_ESCAPE_DN][$i]);
|
|
|
|
$charMaps[LDAP_ESCAPE_DN][$chr] = $charMaps[0][$chr];
|
|
|
|
}
|
|
|
|
}
|
|
|
|
|
|
|
|
// Create the base char map to escape
|
|
|
|
$flags = (int)$flags;
|
|
|
|
$charMap = array();
|
|
|
|
if ($flags & LDAP_ESCAPE_FILTER) {
|
|
|
|
$charMap += $charMaps[LDAP_ESCAPE_FILTER];
|
|
|
|
}
|
|
|
|
if ($flags & LDAP_ESCAPE_DN) {
|
|
|
|
$charMap += $charMaps[LDAP_ESCAPE_DN];
|
|
|
|
}
|
|
|
|
if (!$charMap) {
|
|
|
|
$charMap = $charMaps[0];
|
|
|
|
}
|
|
|
|
|
|
|
|
// Remove any chars to ignore from the list
|
|
|
|
$ignore = (string)$ignore;
|
|
|
|
for ($i = 0, $l = strlen($ignore); $i < $l; $i++) {
|
|
|
|
unset($charMap[$ignore[$i]]);
|
|
|
|
}
|
|
|
|
|
|
|
|
// Do the main replacement
|
|
|
|
$result = strtr($subject, $charMap);
|
|
|
|
|
|
|
|
// Encode leading/trailing spaces if LDAP_ESCAPE_DN is passed
|
|
|
|
if ($flags & LDAP_ESCAPE_DN) {
|
|
|
|
if ($result[0] === ' ') {
|
|
|
|
$result = '\\20' . substr($result, 1);
|
|
|
|
}
|
|
|
|
if ($result[strlen($result) - 1] === ' ') {
|
|
|
|
$result = substr($result, 0, -1) . '\\20';
|
|
|
|
}
|
|
|
|
}
|
|
|
|
|
|
|
|
return $result;
|
|
|
|
}else{
|
|
|
|
return ldap_escape($subject, $ignore, $flags);
|
|
|
|
}
|
|
|
|
}
|
|
|
|
|
|
|
|
/**
|
|
|
|
* Finds client's IP address
|
|
|
|
* @return string
|
|
|
|
*/
|
|
|
|
private function _getClientIP() {
|
|
|
|
if (!empty($_SERVER['HTTP_CLIENT_IP'])) {
|
|
|
|
//check ip from share internet
|
|
|
|
|
|
|
|
$ip = $_SERVER['HTTP_CLIENT_IP'];
|
|
|
|
} elseif (!empty($_SERVER['HTTP_X_FORWARDED_FOR'])) {
|
|
|
|
//to check ip is pass from proxy
|
|
|
|
$ip = $_SERVER['HTTP_X_FORWARDED_FOR'];
|
|
|
|
} else {
|
|
|
|
$ip = $_SERVER['REMOTE_ADDR'];
|
|
|
|
}
|
|
|
|
|
|
|
|
return $ip;
|
|
|
|
}
|
|
|
|
|
|
|
|
private function _getBindDNWord() {
|
|
|
|
return (strlen($this->_serviceBindDN) > 0 ) ? $this->_serviceBindDN : 'anonymous DN';
|
|
|
|
}
|
|
|
|
|
|
|
|
private function _getTempDir() {
|
|
|
|
if (!sys_get_temp_dir()) {
|
|
|
|
$tmpFile = tempnam();
|
|
|
|
$tmpDir = dirname($tmpFile);
|
|
|
|
unlink($tmpFile);
|
|
|
|
unset($tmpFile);
|
|
|
|
return $tmpDir;
|
|
|
|
} else {
|
|
|
|
return sys_get_temp_dir();
|
|
|
|
}
|
|
|
|
}
|
|
|
|
|
|
|
|
/**
|
|
|
|
* Main Authentication method
|
|
|
|
* Required for plugin interface
|
|
|
|
* @param string $login User's username
|
|
|
|
* @param string $password User's password
|
|
|
|
* @return boolean
|
|
|
|
*/
|
2022-02-23 16:00:22 +01:00
|
|
|
function authenticate($login, $password, $service='') {
|
2022-01-05 11:20:22 +01:00
|
|
|
if ($login && $password) {
|
|
|
|
|
|
|
|
if (!function_exists('ldap_connect')) {
|
|
|
|
trigger_error('auth_ldap requires PHP\'s PECL LDAP package installed.');
|
|
|
|
return FALSE;
|
|
|
|
}
|
|
|
|
|
|
|
|
//Loading configuration
|
|
|
|
$this->_debugMode = defined('LDAP_AUTH_DEBUG') ?
|
|
|
|
LDAP_AUTH_DEBUG : FALSE;
|
|
|
|
|
|
|
|
$this->_anonBeforeBind = defined('LDAP_AUTH_ANONYMOUSBEFOREBIND') ?
|
|
|
|
LDAP_AUTH_ANONYMOUSBEFOREBIND : FALSE;
|
|
|
|
|
|
|
|
$this->_serviceBindDN = defined('LDAP_AUTH_BINDDN') ? LDAP_AUTH_BINDDN : null;
|
|
|
|
$this->_serviceBindPass = defined('LDAP_AUTH_BINDPW') ? LDAP_AUTH_BINDPW : null;
|
|
|
|
$this->_baseDN = defined('LDAP_AUTH_BASEDN') ? LDAP_AUTH_BASEDN : null;
|
|
|
|
if (!defined('LDAP_AUTH_BASEDN')) {
|
|
|
|
$this->_log('LDAP_AUTH_BASEDN is required and not defined.', E_USER_ERROR);
|
|
|
|
return FALSE;
|
|
|
|
} else {
|
|
|
|
$this->_baseDN = LDAP_AUTH_BASEDN;
|
|
|
|
}
|
|
|
|
|
|
|
|
$parsedURI = parse_url(LDAP_AUTH_SERVER_URI);
|
|
|
|
if ($parsedURI === FALSE) {
|
|
|
|
$this->_log('Could not parse LDAP_AUTH_SERVER_URI in config.php', E_USER_ERROR);
|
|
|
|
return FALSE;
|
|
|
|
}
|
|
|
|
$this->_host = $parsedURI['host'];
|
|
|
|
$this->_scheme = $parsedURI['scheme'];
|
|
|
|
|
|
|
|
if (is_int($parsedURI['port'])) {
|
|
|
|
$this->_port = $parsedURI['port'];
|
|
|
|
} else {
|
|
|
|
$this->_port = ($this->_scheme === 'ldaps') ? 636 : 389;
|
|
|
|
}
|
|
|
|
|
|
|
|
$this->_useTLS = defined('LDAP_AUTH_USETLS') ? LDAP_AUTH_USETLS : FALSE;
|
|
|
|
|
|
|
|
$this->_logAttempts = defined('LDAP_AUTH_LOG_ATTEMPTS') ?
|
|
|
|
LDAP_AUTH_LOG_ATTEMPTS : FALSE;
|
|
|
|
|
|
|
|
$this->_ldapLoginAttrib = defined('LDAP_AUTH_LOGIN_ATTRIB') ?
|
|
|
|
LDAP_AUTH_LOGIN_ATTRIB : null;
|
|
|
|
|
|
|
|
|
|
|
|
/**
|
|
|
|
Building LDAP connection
|
|
|
|
* */
|
|
|
|
$ldapConnParams = array(
|
|
|
|
'host' => $this->_host,
|
|
|
|
'basedn' => $this->_baseDN,
|
|
|
|
'port' => $this->_port,
|
|
|
|
'starttls' => $this->_useTLS
|
|
|
|
);
|
|
|
|
|
|
|
|
if ($this->_debugMode)
|
|
|
|
$this->_log(print_r($ldapConnParams, TRUE), E_USER_NOTICE);
|
|
|
|
$ldapConn = @ldap_connect($this->_host, $this->_port);
|
|
|
|
if ($ldapConn === FALSE) {
|
|
|
|
$this->_log('Could not connect to LDAP Server: \'' . $this->_host . '\'', E_USER_ERROR);
|
|
|
|
return false;
|
|
|
|
}
|
|
|
|
|
|
|
|
/* Enable LDAP protocol version 3. */
|
|
|
|
if (!@ldap_set_option($ldapConn, LDAP_OPT_PROTOCOL_VERSION, 3)) {
|
|
|
|
$this->_log('Failed to set LDAP Protocol version (LDAP_OPT_PROTOCOL_VERSION) to 3', E_USER_ERROR);
|
|
|
|
return false;
|
|
|
|
}
|
|
|
|
|
|
|
|
/* Set referral option */
|
|
|
|
if (!@ldap_set_option($ldapConn, LDAP_OPT_REFERRALS, FALSE)) {
|
|
|
|
$this->_log('Failed to set LDAP Referrals (LDAP_OPT_REFERRALS) to TRUE', E_USER_ERROR);
|
|
|
|
return false;
|
|
|
|
}
|
|
|
|
|
|
|
|
if (stripos($this->_host, "ldaps:") === FALSE and $this->_useTLS) {
|
|
|
|
if (!@ldap_start_tls($ldapConn)) {
|
|
|
|
$this->_log('Unable to force TLS', E_USER_ERROR);
|
|
|
|
return false;
|
|
|
|
}
|
|
|
|
}
|
|
|
|
$error = @ldap_bind($ldapConn, $this->_serviceBindDN, $this->_serviceBindPass);
|
|
|
|
if ($error === FALSE) {
|
|
|
|
$this->_log(
|
|
|
|
'LDAP bind(): Bind failed (' . $error . ')with DN ' . $this->_serviceBindDN, E_USER_ERROR
|
|
|
|
);
|
|
|
|
return FALSE;
|
|
|
|
} else {
|
|
|
|
$this->_log(
|
|
|
|
'Connected to LDAP Server: ' . LDAP_AUTH_SERVER_URI . ' with ' . $this->_getBindDNWord());
|
|
|
|
}
|
|
|
|
|
|
|
|
// Bind with service account if orignal connexion was anonymous
|
|
|
|
/* if (($this->_anonBeforeBind) && (strlen($this->_bindDN > 0))) {
|
|
|
|
$binding=$this->ldapObj->bind($this->_serviceBindDN, $this->_serviceBindPass);
|
|
|
|
if (get_class($binding) !== 'Net_LDAP2') {
|
|
|
|
$this->_log(
|
|
|
|
'Cound not bind service account: '.$binding->getMessage(),E_USER_ERROR);
|
|
|
|
return FALSE;
|
|
|
|
} else {
|
|
|
|
$this->_log('Bind with '.$this->_serviceBindDN.' successful.',E_USER_NOTICE);
|
|
|
|
}
|
|
|
|
} */
|
|
|
|
|
|
|
|
//Searching for user
|
|
|
|
$filterObj = str_replace('???', $this->ldap_escape($login), LDAP_AUTH_SEARCHFILTER);
|
|
|
|
$searchResults = @ldap_search($ldapConn, $this->_baseDN, $filterObj, array('displayName', 'title', 'sAMAccountName', $this->_ldapLoginAttrib), 0, 0, 0);
|
|
|
|
if ($searchResults === FALSE) {
|
|
|
|
$this->_log('LDAP Search Failed on base \'' . $this->_baseDN . '\' for \'' . $filterObj . '\'', E_USER_ERROR);
|
|
|
|
return FALSE;
|
|
|
|
}
|
|
|
|
$count = @ldap_count_entries($ldapConn, $searchResults);
|
|
|
|
if ($count === FALSE) {
|
|
|
|
|
|
|
|
} elseif ($count > 1) {
|
|
|
|
$this->_log('Multiple DNs found for username ' . (string) $login, E_USER_WARNING);
|
|
|
|
return FALSE;
|
|
|
|
} elseif ($count === 0) {
|
|
|
|
$this->_log('Unknown User ' . (string) $login, E_USER_NOTICE);
|
|
|
|
return FALSE;
|
|
|
|
}
|
|
|
|
|
|
|
|
//Getting user's DN from search
|
|
|
|
$userEntry = @ldap_first_entry($ldapConn, $searchResults);
|
|
|
|
if ($userEntry === FALSE) {
|
|
|
|
$this->_log('LDAP search(): Unable to retrieve result after searching base \'' . $this->_baseDN . '\' for \'' . $filterObj . '\'', E_USER_WARNING);
|
|
|
|
return false;
|
|
|
|
}
|
|
|
|
$userAttributes = @ldap_get_attributes($ldapConn, $userEntry);
|
|
|
|
$userDN = @ldap_get_dn($ldapConn, $userEntry);
|
|
|
|
if ($userDN == FALSE) {
|
|
|
|
$this->_log('LDAP search(): Unable to get DN after searching base \'' . $this->_baseDN . '\' for \'' . $filterObj . '\'', E_USER_WARNING);
|
|
|
|
return false;
|
|
|
|
}
|
|
|
|
//Binding with user's DN.
|
|
|
|
if ($this->_debugMode)
|
|
|
|
$this->_log('Try to bind with user\'s DN: ' . $userDN);
|
|
|
|
$loginAttempt = @ldap_bind($ldapConn, $userDN, $password);
|
|
|
|
if ($loginAttempt === TRUE) {
|
|
|
|
$this->_log('User: ' . (string) $login . ' authentication successful');
|
|
|
|
if (strlen($this->_ldapLoginAttrib) > 0) {
|
|
|
|
if ($this->_debugMode)
|
|
|
|
$this->_log('Looking up TT-RSS username attribute in ' . $this->_ldapLoginAttrib);
|
|
|
|
$ttrssUsername = $userAttributes[$this->_ldapLoginAttrib][0];
|
|
|
|
;
|
|
|
|
@ldap_close($ldapConn);
|
|
|
|
if (!is_string($ttrssUsername)) {
|
|
|
|
$this->_log('Could not find user name attribute ' . $this->_ldapLoginAttrib . ' in LDAP entry', E_USER_WARNING);
|
|
|
|
return FALSE;
|
|
|
|
}
|
2022-02-23 16:04:01 +01:00
|
|
|
return $this->auto_create_user($ttrssUsername);
|
2022-01-05 11:20:22 +01:00
|
|
|
} else {
|
|
|
|
@ldap_close($ldapConn);
|
2022-02-23 16:04:01 +01:00
|
|
|
return $this->auto_create_user($login);
|
2022-01-05 11:20:22 +01:00
|
|
|
}
|
|
|
|
} else {
|
|
|
|
@ldap_close($ldapConn);
|
|
|
|
$this->_log('User: ' . (string) $login . ' authentication failed');
|
|
|
|
return FALSE;
|
|
|
|
}
|
|
|
|
}
|
|
|
|
return false;
|
|
|
|
}
|
|
|
|
|
|
|
|
/**
|
|
|
|
* Returns plugin API version
|
|
|
|
* Required for plugin interface
|
|
|
|
* @return number
|
|
|
|
*/
|
|
|
|
function api_version() {
|
|
|
|
return 2;
|
|
|
|
}
|
|
|
|
|
|
|
|
}
|
|
|
|
|
|
|
|
?>
|