|
1
|
<?php
|
|
2
|
|
|
3
|
|
|
4
|
|
|
5
|
|
|
6
|
|
|
7
|
|
|
8
|
|
|
9
|
|
|
10
|
|
|
11
|
|
|
12
|
|
|
13
|
|
|
14
|
|
|
15
|
function pretty_print_ldap_entry($ldap_entry) {
|
|
16
|
$m = array();
|
|
17
|
for ($i = 0; $i < $ldap_entry['count']; $i++) {
|
|
18
|
$k = $ldap_entry[$i];
|
|
19
|
$v = $ldap_entry[$k];
|
|
20
|
if(is_array($v)) {
|
|
21
|
$m2 = array();
|
|
22
|
$max = $v['count'] > 3 ? 3 : $v['count'];
|
|
23
|
for ($j = 0; $j < $max; $j++) {
|
|
24
|
$m2[] = $v[$j];
|
|
25
|
}
|
|
26
|
$v = "(".join(", ", $m2).")";
|
|
27
|
}
|
|
28
|
$m[] = $k . ": " . $v;
|
|
29
|
}
|
|
30
|
return join(", ", $m);
|
|
31
|
}
|
|
32
|
|
|
33
|
|
|
34
|
|
|
35
|
|
|
36
|
|
|
37
|
|
|
38
|
|
|
39
|
|
|
40
|
|
|
41
|
class LdapServer {
|
|
42
|
|
|
43
|
|
|
44
|
const LDAP_CONNECT_ERROR = 0x5b;
|
|
45
|
const LDAP_SUCCESS = 0x00;
|
|
46
|
const LDAP_OPERATIONS_ERROR = 0x01;
|
|
47
|
const LDAP_PROTOCOL_ERROR = 0x02;
|
|
48
|
|
|
49
|
public $sid;
|
|
50
|
public $numericSid;
|
|
51
|
public $name;
|
|
52
|
public $status;
|
|
53
|
public $ldap_type;
|
|
54
|
public $address;
|
|
55
|
public $port = 389;
|
|
56
|
public $tls = FALSE;
|
|
57
|
public $followrefs = FALSE;
|
|
58
|
public $bind_method = 0;
|
|
59
|
public $basedn = array();
|
|
60
|
public $binddn = FALSE;
|
|
61
|
public $bindpw = FALSE;
|
|
62
|
public $user_dn_expression;
|
|
63
|
public $user_attr;
|
|
64
|
public $account_name_attr;
|
|
65
|
public $mail_attr;
|
|
66
|
public $mail_template;
|
|
67
|
public $picture_attr;
|
|
68
|
public $unique_persistent_attr;
|
|
69
|
public $unique_persistent_attr_binary = FALSE;
|
|
70
|
public $ldapToDrupalUserPhp;
|
|
71
|
public $testingDrupalUsername;
|
|
72
|
public $testingDrupalUserDn;
|
|
73
|
public $detailed_watchdog_log;
|
|
74
|
public $editPath;
|
|
75
|
public $queriableWithoutUserCredentials = FALSE;
|
|
76
|
public $userAttributeNeededCache = array();
|
|
77
|
|
|
78
|
public $groupFunctionalityUnused = 0;
|
|
79
|
public $groupObjectClass;
|
|
80
|
public $groupNested = 0;
|
|
81
|
public $groupDeriveFromDn = FALSE;
|
|
82
|
public $groupDeriveFromDnAttr = NULL;
|
|
83
|
public $groupUserMembershipsAttrExists = FALSE;
|
|
84
|
public $groupUserMembershipsAttr = NULL;
|
|
85
|
public $groupUserMembershipsConfigured = FALSE;
|
|
86
|
|
|
87
|
public $groupMembershipsAttr = NULL;
|
|
88
|
public $groupMembershipsAttrMatchingUserAttr = NULL;
|
|
89
|
public $groupGroupEntryMembershipsConfigured = FALSE;
|
|
90
|
|
|
91
|
public $groupTestGroupDn = NULL;
|
|
92
|
public $groupTestGroupDnWriteable = NULL;
|
|
93
|
|
|
94
|
private $group_properties = array(
|
|
95
|
'groupObjectClass', 'groupNested', 'groupDeriveFromDn', 'groupDeriveFromDnAttr', 'groupUserMembershipsAttrExists',
|
|
96
|
'groupUserMembershipsAttr', 'groupMembershipsAttrMatchingUserAttr', 'groupTestGroupDn', 'groupTestGroupDnWriteable'
|
|
97
|
);
|
|
98
|
|
|
99
|
public $paginationEnabled = FALSE;
|
|
100
|
public $searchPagination = FALSE;
|
|
101
|
public $searchPageSize = 1000;
|
|
102
|
public $searchPageStart = 0;
|
|
103
|
public $searchPageEnd = NULL;
|
|
104
|
|
|
105
|
public $inDatabase = FALSE;
|
|
106
|
public $connection;
|
|
107
|
|
|
108
|
|
|
109
|
|
|
110
|
|
|
111
|
|
|
112
|
|
|
113
|
|
|
114
|
public static function field_to_properties_map() {
|
|
115
|
return array(
|
|
116
|
'sid' => 'sid',
|
|
117
|
'numeric_sid' => 'numericSid',
|
|
118
|
'name' => 'name' ,
|
|
119
|
'status' => 'status',
|
|
120
|
'ldap_type' => 'ldap_type',
|
|
121
|
'address' => 'address',
|
|
122
|
'port' => 'port',
|
|
123
|
'tls' => 'tls',
|
|
124
|
'followrefs' => 'followrefs',
|
|
125
|
'bind_method' => 'bind_method',
|
|
126
|
'basedn' => 'basedn',
|
|
127
|
'binddn' => 'binddn',
|
|
128
|
'user_dn_expression' => 'user_dn_expression',
|
|
129
|
'user_attr' => 'user_attr',
|
|
130
|
'account_name_attr' => 'account_name_attr',
|
|
131
|
'mail_attr' => 'mail_attr',
|
|
132
|
'mail_template' => 'mail_template',
|
|
133
|
'picture_attr' => 'picture_attr',
|
|
134
|
'unique_persistent_attr' => 'unique_persistent_attr',
|
|
135
|
'unique_persistent_attr_binary' => 'unique_persistent_attr_binary',
|
|
136
|
'ldap_to_drupal_user' => 'ldapToDrupalUserPhp',
|
|
137
|
'testing_drupal_username' => 'testingDrupalUsername',
|
|
138
|
'testing_drupal_user_dn' => 'testingDrupalUserDn',
|
|
139
|
|
|
140
|
'grp_unused' => 'groupFunctionalityUnused',
|
|
141
|
'grp_object_cat' => 'groupObjectClass',
|
|
142
|
'grp_nested' => 'groupNested',
|
|
143
|
'grp_user_memb_attr_exists' => 'groupUserMembershipsAttrExists',
|
|
144
|
'grp_user_memb_attr' => 'groupUserMembershipsAttr',
|
|
145
|
'grp_memb_attr' => 'groupMembershipsAttr',
|
|
146
|
'grp_memb_attr_match_user_attr' => 'groupMembershipsAttrMatchingUserAttr',
|
|
147
|
'grp_derive_from_dn' => 'groupDeriveFromDn',
|
|
148
|
'grp_derive_from_dn_attr' => 'groupDeriveFromDnAttr',
|
|
149
|
'grp_test_grp_dn' => 'groupTestGroupDn',
|
|
150
|
'grp_test_grp_dn_writeable' => 'groupTestGroupDnWriteable',
|
|
151
|
|
|
152
|
'search_pagination' => 'searchPagination',
|
|
153
|
'search_page_size' => 'searchPageSize',
|
|
154
|
|
|
155
|
);
|
|
156
|
|
|
157
|
}
|
|
158
|
|
|
159
|
|
|
160
|
|
|
161
|
|
|
162
|
|
|
163
|
|
|
164
|
public function __construct($sid) {
|
|
165
|
if (!is_scalar($sid)) {
|
|
166
|
return;
|
|
167
|
}
|
|
168
|
$this->detailed_watchdog_log = variable_get('ldap_help_watchdog_detail', 0);
|
|
169
|
$server_record = FALSE;
|
|
170
|
if (module_exists('ctools')) {
|
|
171
|
ctools_include('export');
|
|
172
|
$result = ctools_export_load_object('ldap_servers', 'names', array($sid));
|
|
173
|
if (isset($result[$sid])) {
|
|
174
|
$server_record = new stdClass();
|
|
175
|
foreach ($result[$sid] as $db_field_name => $value) {
|
|
176
|
$server_record->{$db_field_name} = $value;
|
|
177
|
}
|
|
178
|
}
|
|
179
|
}
|
|
180
|
else {
|
|
181
|
$select = db_select('ldap_servers')
|
|
182
|
->fields('ldap_servers')
|
|
183
|
->condition('ldap_servers.sid', $sid)
|
|
184
|
->execute();
|
|
185
|
foreach ($select as $record) {
|
|
186
|
if ($record->sid == $sid) {
|
|
187
|
$server_record = $record;
|
|
188
|
}
|
|
189
|
}
|
|
190
|
}
|
|
191
|
|
|
192
|
$server_record_bindpw = NULL;
|
|
193
|
if (!$server_record) {
|
|
194
|
$this->inDatabase = FALSE;
|
|
195
|
}
|
|
196
|
else {
|
|
197
|
$this->inDatabase = TRUE;
|
|
198
|
$this->sid = $sid;
|
|
199
|
$this->detailedWatchdogLog = variable_get('ldap_help_watchdog_detail', 0);
|
|
200
|
foreach ($this->field_to_properties_map() as $db_field_name => $property_name ) {
|
|
201
|
if (isset($server_record->$db_field_name)) {
|
|
202
|
$this->{$property_name} = $server_record->$db_field_name;
|
|
203
|
}
|
|
204
|
}
|
|
205
|
$server_record_bindpw = property_exists($server_record, 'bindpw') ? $server_record->bindpw : '';
|
|
206
|
}
|
|
207
|
$this->initDerivedProperties($server_record_bindpw);
|
|
208
|
}
|
|
209
|
|
|
210
|
|
|
211
|
|
|
212
|
|
|
213
|
|
|
214
|
|
|
215
|
|
|
216
|
|
|
217
|
protected function initDerivedProperties($bindpw) {
|
|
218
|
|
|
219
|
|
|
220
|
if (!$this->basedn) {
|
|
221
|
$this->basedn = array();
|
|
222
|
}
|
|
223
|
elseif (is_array($this->basedn)) {
|
|
224
|
}
|
|
225
|
else {
|
|
226
|
$basedn_unserialized = @unserialize($this->basedn);
|
|
227
|
if (is_array($basedn_unserialized)) {
|
|
228
|
$this->basedn = $basedn_unserialized;
|
|
229
|
}
|
|
230
|
else {
|
|
231
|
$this->basedn = array();
|
|
232
|
$token = is_scalar($basedn_unserialized) ? $basedn_unserialized : print_r($basedn_unserialized, TRUE);
|
|
233
|
debug("basednb desearialization error". $token);
|
|
234
|
watchdog('ldap_servers', 'Failed to deserialize LdapServer::basedn of !basedn', array('!basedn' => $token), WATCHDOG_ERROR);
|
|
235
|
}
|
|
236
|
|
|
237
|
}
|
|
238
|
|
|
239
|
if ($this->followrefs && !function_exists('ldap_set_rebind_proc')) {
|
|
240
|
$this->followrefs = FALSE;
|
|
241
|
}
|
|
242
|
|
|
243
|
if ($bindpw) {
|
|
244
|
$this->bindpw = ($bindpw == '') ? '' : ldap_servers_decrypt($bindpw);
|
|
245
|
}
|
|
246
|
|
|
247
|
$bind_overrides = variable_get('ldap_servers_overrides', []);
|
|
248
|
if (isset($bind_overrides[$this->sid])) {
|
|
249
|
if (isset($bind_overrides[$this->sid]['binddn'])) {
|
|
250
|
$this->binddn = $bind_overrides[$this->sid]['binddn'];
|
|
251
|
}
|
|
252
|
if (isset($bind_overrides[$this->sid]['bindpw'])) {
|
|
253
|
$this->bindpw = $bind_overrides[$this->sid]['bindpw'];
|
|
254
|
}
|
|
255
|
}
|
|
256
|
|
|
257
|
$this->paginationEnabled = (boolean)(ldap_servers_php_supports_pagination() && $this->searchPagination);
|
|
258
|
|
|
259
|
$this->queriableWithoutUserCredentials = (boolean)(
|
|
260
|
$this->bind_method == LDAP_SERVERS_BIND_METHOD_SERVICE_ACCT ||
|
|
261
|
$this->bind_method == LDAP_SERVERS_BIND_METHOD_ANON_USER
|
|
262
|
);
|
|
263
|
$this->editPath = (!$this->sid) ? '' : 'admin/config/people/ldap/servers/edit/' . $this->sid;
|
|
264
|
|
|
265
|
$this->groupGroupEntryMembershipsConfigured = ($this->groupMembershipsAttrMatchingUserAttr && $this->groupMembershipsAttr);
|
|
266
|
$this->groupUserMembershipsConfigured = ($this->groupUserMembershipsAttrExists && $this->groupUserMembershipsAttr);
|
|
267
|
}
|
|
268
|
|
|
269
|
|
|
270
|
|
|
271
|
|
|
272
|
public function __destruct() {
|
|
273
|
|
|
274
|
$this->disconnect();
|
|
275
|
}
|
|
276
|
|
|
277
|
|
|
278
|
|
|
279
|
|
|
280
|
public function __invoke() {
|
|
281
|
$this->connect();
|
|
282
|
$this->bind();
|
|
283
|
}
|
|
284
|
|
|
285
|
|
|
286
|
|
|
287
|
|
|
288
|
public function connect() {
|
|
289
|
if (!function_exists('ldap_connect')) {
|
|
290
|
watchdog('ldap_servers', 'PHP LDAP extension not found, aborting.');
|
|
291
|
return LDAP_NOT_SUPPORTED;
|
|
292
|
}
|
|
293
|
|
|
294
|
if (!$con = ldap_connect($this->address, $this->port)) {
|
|
295
|
watchdog('ldap_servers', 'LDAP Connect failure to ' . $this->address . ':' . $this->port);
|
|
296
|
return LDAP_CONNECT_ERROR;
|
|
297
|
}
|
|
298
|
|
|
299
|
ldap_set_option($con, LDAP_OPT_PROTOCOL_VERSION, 3);
|
|
300
|
ldap_set_option($con, LDAP_OPT_REFERRALS, (int)$this->followrefs);
|
|
301
|
|
|
302
|
|
|
303
|
if ($this->tls) {
|
|
304
|
ldap_get_option($con, LDAP_OPT_PROTOCOL_VERSION, $vers);
|
|
305
|
if ($vers == -1) {
|
|
306
|
watchdog('ldap_servers', 'Could not get LDAP protocol version.');
|
|
307
|
return LDAP_PROTOCOL_ERROR;
|
|
308
|
}
|
|
309
|
if ($vers != 3) {
|
|
310
|
watchdog('ldap_servers', 'Could not start TLS, only supported by LDAP v3.');
|
|
311
|
return LDAP_CONNECT_ERROR;
|
|
312
|
}
|
|
313
|
elseif (!function_exists('ldap_start_tls')) {
|
|
314
|
watchdog('ldap_servers', 'Could not start TLS. It does not seem to be supported by this PHP setup.');
|
|
315
|
return LDAP_CONNECT_ERROR;
|
|
316
|
}
|
|
317
|
elseif (!ldap_start_tls($con)) {
|
|
318
|
$msg = t("Could not start TLS. (Error %errno: %error).", array('%errno' => ldap_errno($con), '%error' => ldap_error($con)));
|
|
319
|
watchdog('ldap_servers', $msg);
|
|
320
|
return LDAP_CONNECT_ERROR;
|
|
321
|
}
|
|
322
|
}
|
|
323
|
|
|
324
|
|
|
325
|
$this->connection = $con;
|
|
326
|
return LDAP_SUCCESS;
|
|
327
|
}
|
|
328
|
|
|
329
|
|
|
330
|
|
|
331
|
|
|
332
|
|
|
333
|
|
|
334
|
|
|
335
|
|
|
336
|
|
|
337
|
|
|
338
|
|
|
339
|
|
|
340
|
|
|
341
|
public function bind($userdn = NULL, $pass = NULL, $anon_bind = FALSE) {
|
|
342
|
|
|
343
|
|
|
344
|
if (!$this->connection) {
|
|
345
|
watchdog('ldap_servers', "LDAP bind failure for user %user. Not connected to LDAP server.", array('%user' => $userdn));
|
|
346
|
return LDAP_CONNECT_ERROR;
|
|
347
|
}
|
|
348
|
|
|
349
|
if ($anon_bind === FALSE && $userdn === NULL && $pass === NULL && $this->bind_method == LDAP_SERVERS_BIND_METHOD_ANON) {
|
|
350
|
$anon_bind = TRUE;
|
|
351
|
}
|
|
352
|
if ($anon_bind === TRUE) {
|
|
353
|
if (@!ldap_bind($this->connection)) {
|
|
354
|
if ($this->detailedWatchdogLog) {
|
|
355
|
watchdog('ldap_servers', "LDAP anonymous bind error. Error %errno: %error", array('%errno' => ldap_errno($this->connection), '%error' => ldap_error($this->connection)));
|
|
356
|
}
|
|
357
|
return ldap_errno($this->connection);
|
|
358
|
}
|
|
359
|
}
|
|
360
|
else {
|
|
361
|
$userdn = ($userdn != NULL) ? $userdn : $this->binddn;
|
|
362
|
$pass = ($pass != NULL) ? $pass : $this->bindpw;
|
|
363
|
|
|
364
|
if ($this->followrefs) {
|
|
365
|
$rebHandler = new LdapServersRebindHandler($userdn, $pass);
|
|
366
|
ldap_set_rebind_proc($this->connection, array($rebHandler, 'rebind_callback'));
|
|
367
|
}
|
|
368
|
|
|
369
|
if (drupal_strlen($pass) == 0 || drupal_strlen($userdn) == 0) {
|
|
370
|
watchdog('ldap_servers', "LDAP bind failure for user userdn=%userdn, pass=%pass.", array('%userdn' => $userdn, '%pass' => $pass));
|
|
371
|
return LDAP_LOCAL_ERROR;
|
|
372
|
}
|
|
373
|
if (@!ldap_bind($this->connection, $userdn, $pass)) {
|
|
374
|
if ($this->detailedWatchdogLog) {
|
|
375
|
watchdog('ldap_servers', "LDAP bind failure for user %user. Error %errno: %error", array('%user' => $userdn, '%errno' => ldap_errno($this->connection), '%error' => ldap_error($this->connection)));
|
|
376
|
}
|
|
377
|
return ldap_errno($this->connection);
|
|
378
|
}
|
|
379
|
}
|
|
380
|
|
|
381
|
return LDAP_SUCCESS;
|
|
382
|
}
|
|
383
|
|
|
384
|
|
|
385
|
|
|
386
|
|
|
387
|
public function disconnect() {
|
|
388
|
if (!$this->connection) {
|
|
389
|
|
|
390
|
|
|
391
|
}
|
|
392
|
else {
|
|
393
|
ldap_unbind($this->connection);
|
|
394
|
$this->connection = NULL;
|
|
395
|
}
|
|
396
|
}
|
|
397
|
|
|
398
|
|
|
399
|
|
|
400
|
|
|
401
|
public function connectAndBindIfNotAlready() {
|
|
402
|
if (! $this->connection) {
|
|
403
|
$this->connect();
|
|
404
|
$this->bind();
|
|
405
|
}
|
|
406
|
}
|
|
407
|
|
|
408
|
|
|
409
|
|
|
410
|
|
|
411
|
|
|
412
|
|
|
413
|
|
|
414
|
|
|
415
|
|
|
416
|
|
|
417
|
|
|
418
|
public function dnExists($dn, $return = 'boolean', $attributes = NULL) {
|
|
419
|
|
|
420
|
$params = array(
|
|
421
|
'base_dn' => $dn,
|
|
422
|
'attributes' => $attributes,
|
|
423
|
'attrsonly' => FALSE,
|
|
424
|
'filter' => '(objectclass=*)',
|
|
425
|
'sizelimit' => 0,
|
|
426
|
'timelimit' => 0,
|
|
427
|
'deref' => NULL,
|
|
428
|
);
|
|
429
|
|
|
430
|
if ($return == 'boolean' || !is_array($attributes)) {
|
|
431
|
$params['attributes'] = array('objectclass');
|
|
432
|
}
|
|
433
|
else {
|
|
434
|
$params['attributes'] = $attributes;
|
|
435
|
}
|
|
436
|
|
|
437
|
$result = $this->ldapQuery(LDAP_SCOPE_BASE, $params);
|
|
438
|
if ($result !== FALSE) {
|
|
439
|
$entries = @ldap_get_entries($this->connection, $result);
|
|
440
|
if ($entries !== FALSE && $entries['count'] > 0) {
|
|
441
|
return ($return == 'boolean') ? TRUE : $entries[0];
|
|
442
|
}
|
|
443
|
}
|
|
444
|
|
|
445
|
return FALSE;
|
|
446
|
|
|
447
|
}
|
|
448
|
|
|
449
|
|
|
450
|
|
|
451
|
|
|
452
|
|
|
453
|
|
|
454
|
|
|
455
|
public function countEntries($ldap_result) {
|
|
456
|
return ldap_count_entries($this->connection, $ldap_result);
|
|
457
|
}
|
|
458
|
|
|
459
|
|
|
460
|
|
|
461
|
|
|
462
|
|
|
463
|
|
|
464
|
|
|
465
|
|
|
466
|
|
|
467
|
|
|
468
|
|
|
469
|
public function createLdapEntry($attributes, $dn = NULL) {
|
|
470
|
|
|
471
|
if (!$this->connection) {
|
|
472
|
$this->connect();
|
|
473
|
$this->bind();
|
|
474
|
}
|
|
475
|
if (isset($attributes['dn'])) {
|
|
476
|
$dn = $attributes['dn'];
|
|
477
|
unset($attributes['dn']);
|
|
478
|
}
|
|
479
|
elseif (!$dn) {
|
|
480
|
return FALSE;
|
|
481
|
}
|
|
482
|
|
|
483
|
if (!empty($attributes['unicodePwd']) && ($this->ldap_type == 'ad')) {
|
|
484
|
$attributes['unicodePwd'] = ldap_servers_convert_password_for_active_directory_unicodePwd($attributes['unicodePwd']);
|
|
485
|
}
|
|
486
|
|
|
487
|
$result = @ldap_add($this->connection, $dn, $attributes);
|
|
488
|
if (!$result) {
|
|
489
|
$error = "LDAP Server ldap_add(%dn) Error Server ID = %sid, LDAP Err No: %ldap_errno LDAP Err Message: %ldap_err2str ";
|
|
490
|
$tokens = array('%dn' => $dn, '%sid' => $this->sid, '%ldap_errno' => ldap_errno($this->connection), '%ldap_err2str' => ldap_err2str(ldap_errno($this->connection)));
|
|
491
|
watchdog('ldap_servers', $error, $tokens, WATCHDOG_ERROR);
|
|
492
|
}
|
|
493
|
|
|
494
|
return $result;
|
|
495
|
}
|
|
496
|
|
|
497
|
|
|
498
|
|
|
499
|
|
|
500
|
|
|
501
|
|
|
502
|
|
|
503
|
|
|
504
|
|
|
505
|
|
|
506
|
|
|
507
|
|
|
508
|
|
|
509
|
|
|
510
|
|
|
511
|
|
|
512
|
|
|
513
|
|
|
514
|
|
|
515
|
public static function removeUnchangedAttributes($new_entry, $old_entry) {
|
|
516
|
|
|
517
|
foreach ($new_entry as $key => $new_val) {
|
|
518
|
$old_value = FALSE;
|
|
519
|
$old_value_is_scalar = FALSE;
|
|
520
|
$key_lcase = drupal_strtolower($key);
|
|
521
|
if (isset($old_entry[$key_lcase])) {
|
|
522
|
if ($old_entry[$key_lcase]['count'] == 1) {
|
|
523
|
$old_value = $old_entry[$key_lcase][0];
|
|
524
|
$old_value_is_scalar = TRUE;
|
|
525
|
}
|
|
526
|
else {
|
|
527
|
unset($old_entry[$key_lcase]['count']);
|
|
528
|
$old_value = $old_entry[$key_lcase];
|
|
529
|
$old_value_is_scalar = FALSE;
|
|
530
|
}
|
|
531
|
}
|
|
532
|
|
|
533
|
|
|
534
|
if (is_array($new_val) && is_array($old_value) && count(array_diff($new_val, $old_value)) == 0) {
|
|
535
|
unset($new_entry[$key]);
|
|
536
|
}
|
|
537
|
elseif ($old_value_is_scalar && !is_array($new_val) && drupal_strtolower($old_value) == drupal_strtolower($new_val)) {
|
|
538
|
unset($new_entry[$key]);
|
|
539
|
}
|
|
540
|
}
|
|
541
|
|
|
542
|
return $new_entry;
|
|
543
|
}
|
|
544
|
|
|
545
|
|
|
546
|
|
|
547
|
|
|
548
|
|
|
549
|
|
|
550
|
|
|
551
|
|
|
552
|
|
|
553
|
|
|
554
|
|
|
555
|
|
|
556
|
|
|
557
|
public function modifyLdapEntry($dn, $attributes = array(), $old_attributes = FALSE) {
|
|
558
|
|
|
559
|
$this->connectAndBindIfNotAlready();
|
|
560
|
|
|
561
|
if (!$old_attributes) {
|
|
562
|
$result = @ldap_read($this->connection, $dn, 'objectClass=*');
|
|
563
|
if (!$result) {
|
|
564
|
$error = "LDAP Server ldap_read(%dn) in LdapServer::modifyLdapEntry() Error Server ID = %sid, LDAP Err No: %ldap_errno LDAP Err Message: %ldap_err2str ";
|
|
565
|
$tokens = array('%dn' => $dn, '%sid' => $this->sid, '%ldap_errno' => ldap_errno($this->connection), '%ldap_err2str' => ldap_err2str(ldap_errno($this->connection)));
|
|
566
|
watchdog('ldap_servers', $error, $tokens, WATCHDOG_ERROR);
|
|
567
|
return FALSE;
|
|
568
|
}
|
|
569
|
|
|
570
|
$entries = ldap_get_entries($this->connection, $result);
|
|
571
|
if (is_array($entries) && $entries['count'] == 1) {
|
|
572
|
$old_attributes = $entries[0];
|
|
573
|
}
|
|
574
|
}
|
|
575
|
|
|
576
|
if (!empty($attributes['unicodePwd']) && ($this->ldap_type == 'ad')) {
|
|
577
|
$attributes['unicodePwd'] = ldap_servers_convert_password_for_active_directory_unicodePwd($attributes['unicodePwd']);
|
|
578
|
}
|
|
579
|
|
|
580
|
$attributes = $this->removeUnchangedAttributes($attributes, $old_attributes);
|
|
581
|
|
|
582
|
foreach ($attributes as $key => $cur_val) {
|
|
583
|
$old_value = FALSE;
|
|
584
|
$key_lcase = drupal_strtolower($key);
|
|
585
|
if (isset($old_attributes[$key_lcase])) {
|
|
586
|
if ($old_attributes[$key_lcase]['count'] == 1) {
|
|
587
|
$old_value = $old_attributes[$key_lcase][0];
|
|
588
|
}
|
|
589
|
else {
|
|
590
|
unset($old_attributes[$key_lcase]['count']);
|
|
591
|
$old_value = $old_attributes[$key_lcase];
|
|
592
|
}
|
|
593
|
}
|
|
594
|
|
|
595
|
if ($cur_val == '' && $old_value != '') {
|
|
596
|
unset($attributes[$key]);
|
|
597
|
$result = @ldap_mod_del($this->connection, $dn, array($key_lcase => $old_value));
|
|
598
|
if (!$result) {
|
|
599
|
$error = "LDAP Server ldap_mod_del(%dn) in LdapServer::modifyLdapEntry() Error Server ID = %sid, LDAP Err No: %ldap_errno LDAP Err Message: %ldap_err2str ";
|
|
600
|
$tokens = array('%dn' => $dn, '%sid' => $this->sid, '%ldap_errno' => ldap_errno($this->connection), '%ldap_err2str' => ldap_err2str(ldap_errno($this->connection)));
|
|
601
|
watchdog('ldap_servers', $error, $tokens, WATCHDOG_ERROR);
|
|
602
|
return FALSE;
|
|
603
|
}
|
|
604
|
}
|
|
605
|
elseif (is_array($cur_val)) {
|
|
606
|
foreach ($cur_val as $mv_key => $mv_cur_val) {
|
|
607
|
if ($mv_cur_val == '') {
|
|
608
|
unset($attributes[$key][$mv_key]);
|
|
609
|
}
|
|
610
|
else {
|
|
611
|
$attributes[$key][$mv_key] = $mv_cur_val;
|
|
612
|
}
|
|
613
|
}
|
|
614
|
}
|
|
615
|
}
|
|
616
|
|
|
617
|
if (count($attributes) > 0) {
|
|
618
|
$result = @ldap_modify($this->connection, $dn, $attributes);
|
|
619
|
if (!$result) {
|
|
620
|
$error = "LDAP Server ldap_modify(%dn) in LdapServer::modifyLdapEntry() Error Server ID = %sid, LDAP Err No: %ldap_errno LDAP Err Message: %ldap_err2str ";
|
|
621
|
$tokens = array('%dn' => $dn, '%sid' => $this->sid, '%ldap_errno' => ldap_errno($this->connection), '%ldap_err2str' => ldap_err2str(ldap_errno($this->connection)));
|
|
622
|
watchdog('ldap_servers', $error, $tokens, WATCHDOG_ERROR);
|
|
623
|
return FALSE;
|
|
624
|
}
|
|
625
|
}
|
|
626
|
|
|
627
|
return TRUE;
|
|
628
|
|
|
629
|
}
|
|
630
|
|
|
631
|
|
|
632
|
|
|
633
|
|
|
634
|
|
|
635
|
|
|
636
|
|
|
637
|
|
|
638
|
public function delete($dn) {
|
|
639
|
if (!$this->connection) {
|
|
640
|
$this->connect();
|
|
641
|
$this->bind();
|
|
642
|
}
|
|
643
|
$result = @ldap_delete($this->connection, $dn);
|
|
644
|
if (!$result) {
|
|
645
|
$error = "LDAP Server delete(%dn) in LdapServer::delete() Error Server ID = %sid, LDAP Err No: %ldap_errno LDAP Err Message: %ldap_err2str ";
|
|
646
|
$tokens = array('%dn' => $dn, '%sid' => $this->sid, '%ldap_errno' => ldap_errno($this->connection), '%ldap_err2str' => ldap_err2str(ldap_errno($this->connection)));
|
|
647
|
watchdog('ldap_servers', $error, $tokens, WATCHDOG_ERROR);
|
|
648
|
}
|
|
649
|
return $result;
|
|
650
|
}
|
|
651
|
|
|
652
|
|
|
653
|
|
|
654
|
|
|
655
|
|
|
656
|
|
|
657
|
|
|
658
|
|
|
659
|
|
|
660
|
|
|
661
|
|
|
662
|
|
|
663
|
|
|
664
|
|
|
665
|
|
|
666
|
|
|
667
|
public function searchAllBaseDns(
|
|
668
|
$filter,
|
|
669
|
$attributes = array(),
|
|
670
|
$attrsonly = 0,
|
|
671
|
$sizelimit = 0,
|
|
672
|
$timelimit = 0,
|
|
673
|
$deref = NULL,
|
|
674
|
$scope = LDAP_SCOPE_SUBTREE
|
|
675
|
) {
|
|
676
|
$all_entries = array();
|
|
677
|
foreach ($this->basedn as $base_dn) {
|
|
678
|
$entries = $this->search($base_dn, $filter, $attributes, $attrsonly, $sizelimit, $timelimit, $deref, $scope);
|
|
679
|
if ($entries === FALSE) {
|
|
680
|
return FALSE;
|
|
681
|
}
|
|
682
|
if (count($all_entries) == 0) {
|
|
683
|
$all_entries = $entries;
|
|
684
|
unset($all_entries['count']);
|
|
685
|
}
|
|
686
|
else {
|
|
687
|
$existing_count = count($all_entries);
|
|
688
|
unset($entries['count']);
|
|
689
|
foreach ($entries as $i => $entry) {
|
|
690
|
$all_entries[$existing_count + $i] = $entry;
|
|
691
|
}
|
|
692
|
}
|
|
693
|
}
|
|
694
|
$all_entries['count'] = count($all_entries);
|
|
695
|
return $all_entries;
|
|
696
|
|
|
697
|
}
|
|
698
|
|
|
699
|
|
|
700
|
|
|
701
|
|
|
702
|
|
|
703
|
|
|
704
|
|
|
705
|
|
|
706
|
|
|
707
|
|
|
708
|
|
|
709
|
|
|
710
|
|
|
711
|
|
|
712
|
|
|
713
|
|
|
714
|
|
|
715
|
|
|
716
|
|
|
717
|
|
|
718
|
public function search($base_dn = NULL, $filter, $attributes = array(),
|
|
719
|
$attrsonly = 0, $sizelimit = 0, $timelimit = 0, $deref = NULL, $scope = LDAP_SCOPE_SUBTREE) {
|
|
720
|
|
|
721
|
|
|
722
|
|
|
723
|
|
|
724
|
|
|
725
|
|
|
726
|
|
|
727
|
|
|
728
|
if ($base_dn == NULL) {
|
|
729
|
if (count($this->basedn) == 1) {
|
|
730
|
$base_dn = $this->basedn[0];
|
|
731
|
}
|
|
732
|
else {
|
|
733
|
return FALSE;
|
|
734
|
}
|
|
735
|
}
|
|
736
|
|
|
737
|
$attr_display = is_array($attributes) ? join(',', $attributes) : 'none';
|
|
738
|
$query = 'ldap_search() call: ' . join(",\n", array(
|
|
739
|
'base_dn: ' . $base_dn,
|
|
740
|
'filter = ' . $filter,
|
|
741
|
'attributes: ' . $attr_display,
|
|
742
|
'attrsonly = ' . $attrsonly,
|
|
743
|
'sizelimit = ' . $sizelimit,
|
|
744
|
'timelimit = ' . $timelimit,
|
|
745
|
'deref = ' . $deref,
|
|
746
|
'scope = ' . $scope,
|
|
747
|
)
|
|
748
|
);
|
|
749
|
if ($this->detailed_watchdog_log) {
|
|
750
|
watchdog('ldap_servers', $query, array());
|
|
751
|
}
|
|
752
|
|
|
753
|
|
|
754
|
if (! $this->connection) {
|
|
755
|
$this->connect();
|
|
756
|
$this->bind();
|
|
757
|
}
|
|
758
|
|
|
759
|
$ldap_query_params = array(
|
|
760
|
'connection' => $this->connection,
|
|
761
|
'base_dn' => $base_dn,
|
|
762
|
'filter' => $filter,
|
|
763
|
'attributes' => $attributes,
|
|
764
|
'attrsonly' => $attrsonly,
|
|
765
|
'sizelimit' => $sizelimit,
|
|
766
|
'timelimit' => $timelimit,
|
|
767
|
'deref' => $deref,
|
|
768
|
'query_display' => $query,
|
|
769
|
'scope' => $scope,
|
|
770
|
);
|
|
771
|
|
|
772
|
if ($this->searchPagination && $this->paginationEnabled) {
|
|
773
|
$aggregated_entries = $this->pagedLdapQuery($ldap_query_params);
|
|
774
|
return $aggregated_entries;
|
|
775
|
}
|
|
776
|
else {
|
|
777
|
$result = $this->ldapQuery($scope, $ldap_query_params);
|
|
778
|
if ($result && ($this->countEntries($result) !== FALSE) ) {
|
|
779
|
$entries = ldap_get_entries($this->connection, $result);
|
|
780
|
drupal_alter('ldap_server_search_results', $entries, $ldap_query_params);
|
|
781
|
return (is_array($entries)) ? $entries : FALSE;
|
|
782
|
}
|
|
783
|
elseif ($this->ldapErrorNumber()) {
|
|
784
|
$watchdog_tokens = array('%basedn' => $ldap_query_params['base_dn'], '%filter' => $ldap_query_params['filter'],
|
|
785
|
'%attributes' => print_r($ldap_query_params['attributes'], TRUE), '%errmsg' => $this->errorMsg('ldap'),
|
|
786
|
'%errno' => $this->ldapErrorNumber());
|
|
787
|
watchdog('ldap_servers', "LDAP ldap_search error. basedn: %basedn| filter: %filter| attributes:
|
|
788
|
%attributes| errmsg: %errmsg| ldap err no: %errno|", $watchdog_tokens);
|
|
789
|
return FALSE;
|
|
790
|
}
|
|
791
|
else {
|
|
792
|
return FALSE;
|
|
793
|
}
|
|
794
|
}
|
|
795
|
}
|
|
796
|
|
|
797
|
|
|
798
|
|
|
799
|
|
|
800
|
|
|
801
|
|
|
802
|
|
|
803
|
|
|
804
|
|
|
805
|
|
|
806
|
|
|
807
|
|
|
808
|
|
|
809
|
|
|
810
|
|
|
811
|
|
|
812
|
|
|
813
|
|
|
814
|
|
|
815
|
|
|
816
|
|
|
817
|
|
|
818
|
public function pagedLdapQuery($ldap_query_params) {
|
|
819
|
|
|
820
|
if (!($this->searchPagination && $this->paginationEnabled)) {
|
|
821
|
watchdog('ldap_servers', "LDAP server pagedLdapQuery() called when functionality not available in php install or
|
|
822
|
not enabled in ldap server configuration. error. basedn: %basedn| filter: %filter| attributes:
|
|
823
|
%attributes| errmsg: %errmsg| ldap err no: %errno|", $watchdog_tokens);
|
|
824
|
RETURN FALSE;
|
|
825
|
}
|
|
826
|
|
|
827
|
$page_token = '';
|
|
828
|
$page = 0;
|
|
829
|
$estimated_entries = 0;
|
|
830
|
$aggregated_entries = array();
|
|
831
|
$aggregated_entries_count = 0;
|
|
832
|
$has_page_results = FALSE;
|
|
833
|
|
|
834
|
do {
|
|
835
|
ldap_control_paged_result($this->connection, $this->searchPageSize, TRUE, $page_token);
|
|
836
|
$result = $this->ldapQuery($ldap_query_params['scope'], $ldap_query_params);
|
|
837
|
|
|
838
|
if ($page >= $this->searchPageStart) {
|
|
839
|
$skipped_page = FALSE;
|
|
840
|
if ($result && ($this->countEntries($result) !== FALSE) ) {
|
|
841
|
$page_entries = ldap_get_entries($this->connection, $result);
|
|
842
|
unset($page_entries['count']);
|
|
843
|
$has_page_results = (is_array($page_entries) && count($page_entries) > 0);
|
|
844
|
$aggregated_entries = array_merge($aggregated_entries, $page_entries);
|
|
845
|
$aggregated_entries_count = count($aggregated_entries);
|
|
846
|
}
|
|
847
|
elseif ($this->ldapErrorNumber()) {
|
|
848
|
$watchdog_tokens = array('%basedn' => $ldap_query_params['base_dn'], '%filter' => $ldap_query_params['filter'],
|
|
849
|
'%attributes' => print_r($ldap_query_params['attributes'], TRUE), '%errmsg' => $this->errorMsg('ldap'),
|
|
850
|
'%errno' => $this->ldapErrorNumber());
|
|
851
|
watchdog('ldap_servers', "LDAP ldap_search error. basedn: %basedn| filter: %filter| attributes:
|
|
852
|
%attributes| errmsg: %errmsg| ldap err no: %errno|", $watchdog_tokens);
|
|
853
|
RETURN FALSE;
|
|
854
|
}
|
|
855
|
else {
|
|
856
|
return FALSE;
|
|
857
|
}
|
|
858
|
}
|
|
859
|
else {
|
|
860
|
$skipped_page = TRUE;
|
|
861
|
}
|
|
862
|
@ldap_control_paged_result_response($this->connection, $result, $page_token, $estimated_entries);
|
|
863
|
if ($ldap_query_params['sizelimit'] && $this->ldapErrorNumber() == LDAP_SIZELIMIT_EXCEEDED) {
|
|
864
|
|
|
865
|
}
|
|
866
|
elseif ($this->hasError()) {
|
|
867
|
watchdog('ldap_servers', 'ldap_control_paged_result_response() function error. LDAP Error: %message, ldap_list() parameters: %query',
|
|
868
|
array('%message' => $this->errorMsg('ldap'), '%query' => $ldap_query_params['query_display']),
|
|
869
|
WATCHDOG_ERROR);
|
|
870
|
}
|
|
871
|
|
|
872
|
if (isset($ldap_query_params['sizelimit']) && $ldap_query_params['sizelimit'] && $aggregated_entries_count >= $ldap_query_params['sizelimit']) {
|
|
873
|
$discarded_entries = array_splice($aggregated_entries, $ldap_query_params['sizelimit']);
|
|
874
|
break;
|
|
875
|
}
|
|
876
|
elseif ($this->searchPageEnd !== NULL && $page >= $this->searchPageEnd) {
|
|
877
|
break;
|
|
878
|
}
|
|
879
|
elseif ($page_token === NULL || $page_token == '') {
|
|
880
|
break;
|
|
881
|
}
|
|
882
|
$page++;
|
|
883
|
} while ($skipped_page || $has_page_results);
|
|
884
|
|
|
885
|
$aggregated_entries['count'] = count($aggregated_entries);
|
|
886
|
return $aggregated_entries;
|
|
887
|
}
|
|
888
|
|
|
889
|
|
|
890
|
|
|
891
|
|
|
892
|
|
|
893
|
|
|
894
|
|
|
895
|
|
|
896
|
|
|
897
|
public function ldapQuery($scope, $params) {
|
|
898
|
|
|
899
|
$this->connectAndBindIfNotAlready();
|
|
900
|
|
|
901
|
switch ($scope) {
|
|
902
|
case LDAP_SCOPE_SUBTREE:
|
|
903
|
$result = @ldap_search($this->connection, $params['base_dn'], $params['filter'], $params['attributes'], $params['attrsonly'],
|
|
904
|
$params['sizelimit'], $params['timelimit'], $params['deref']);
|
|
905
|
if ($params['sizelimit'] && $this->ldapErrorNumber() == LDAP_SIZELIMIT_EXCEEDED) {
|
|
906
|
|
|
907
|
}
|
|
908
|
elseif ($this->hasError()) {
|
|
909
|
watchdog('ldap_servers', 'ldap_search() function error. LDAP Error: %message, ldap_search() parameters: %query',
|
|
910
|
array('%message' => $this->errorMsg('ldap'), '%query' => $params['query_display']),
|
|
911
|
WATCHDOG_ERROR);
|
|
912
|
}
|
|
913
|
break;
|
|
914
|
|
|
915
|
case LDAP_SCOPE_BASE:
|
|
916
|
$result = @ldap_read($this->connection, $params['base_dn'], $params['filter'], $params['attributes'], $params['attrsonly'],
|
|
917
|
$params['sizelimit'], $params['timelimit'], $params['deref']);
|
|
918
|
if ($params['sizelimit'] && $this->ldapErrorNumber() == LDAP_SIZELIMIT_EXCEEDED) {
|
|
919
|
|
|
920
|
}
|
|
921
|
elseif ($this->hasError()) {
|
|
922
|
watchdog('ldap_servers', 'ldap_read() function error. LDAP Error: %message, ldap_read() parameters: %query',
|
|
923
|
array('%message' => $this->errorMsg('ldap'), '%query' => @$params['query_display']),
|
|
924
|
WATCHDOG_ERROR);
|
|
925
|
}
|
|
926
|
break;
|
|
927
|
|
|
928
|
case LDAP_SCOPE_ONELEVEL:
|
|
929
|
$result = @ldap_list($this->connection, $params['base_dn'], $params['filter'], $params['attributes'], $params['attrsonly'],
|
|
930
|
$params['sizelimit'], $params['timelimit'], $params['deref']);
|
|
931
|
if ($params['sizelimit'] && $this->ldapErrorNumber() == LDAP_SIZELIMIT_EXCEEDED) {
|
|
932
|
|
|
933
|
}
|
|
934
|
elseif ($this->hasError()) {
|
|
935
|
watchdog('ldap_servers', 'ldap_list() function error. LDAP Error: %message, ldap_list() parameters: %query',
|
|
936
|
array('%message' => $this->errorMsg('ldap'), '%query' => $params['query_display']),
|
|
937
|
WATCHDOG_ERROR);
|
|
938
|
}
|
|
939
|
break;
|
|
940
|
}
|
|
941
|
return $result;
|
|
942
|
}
|
|
943
|
|
|
944
|
|
|
945
|
|
|
946
|
|
|
947
|
|
|
948
|
public function dnArrayToLowerCase($dns) {
|
|
949
|
return array_keys(array_change_key_case(array_flip($dns), CASE_LOWER));
|
|
950
|
}
|
|
951
|
|
|
952
|
|
|
953
|
|
|
954
|
|
|
955
|
|
|
956
|
|
|
957
|
|
|
958
|
|
|
959
|
|
|
960
|
public function userUserEntityFromPuid($puid) {
|
|
961
|
|
|
962
|
$query = new EntityFieldQuery();
|
|
963
|
$query->entityCondition('entity_type', 'user')
|
|
964
|
->fieldCondition('ldap_user_puid_sid', 'value', $this->sid, '=')
|
|
965
|
->fieldCondition('ldap_user_puid', 'value', $puid, '=')
|
|
966
|
->fieldCondition('ldap_user_puid_property', 'value', $this->unique_persistent_attr, '=')
|
|
967
|
->addMetaData('account', user_load(1));
|
|
968
|
|
|
969
|
$result = $query->execute();
|
|
970
|
|
|
971
|
if (isset($result['user'])) {
|
|
972
|
$uids = array_keys($result['user']);
|
|
973
|
if (count($uids) == 1) {
|
|
974
|
$user = entity_load('user', array_keys($result['user']));
|
|
975
|
return $user[$uids[0]];
|
|
976
|
}
|
|
977
|
else {
|
|
978
|
$uids = join(',', $uids);
|
|
979
|
$tokens = array('%uids' => $uids, '%puid' => $puid, '%sid' => $this->sid, '%ldap_user_puid_property' => $this->unique_persistent_attr);
|
|
980
|
watchdog('ldap_servers', 'multiple users (uids: %uids) with same puid (puid=%puid, sid=%sid, ldap_user_puid_property=%ldap_user_puid_property)', $tokens, WATCHDOG_ERROR);
|
|
981
|
return FALSE;
|
|
982
|
}
|
|
983
|
}
|
|
984
|
else {
|
|
985
|
return FALSE;
|
|
986
|
}
|
|
987
|
|
|
988
|
}
|
|
989
|
|
|
990
|
|
|
991
|
|
|
992
|
|
|
993
|
|
|
994
|
|
|
995
|
|
|
996
|
public function userUsernameToLdapNameTransform($drupal_username, &$watchdog_tokens) {
|
|
997
|
if ($this->ldapToDrupalUserPhp && module_exists('php')) {
|
|
998
|
global $name;
|
|
999
|
$old_name_value = $name;
|
|
1000
|
$name = $drupal_username;
|
|
1001
|
$code = "<?php global \$name; \n" . $this->ldapToDrupalUserPhp . "; \n ?>";
|
|
1002
|
$watchdog_tokens['%code'] = $this->ldapToDrupalUserPhp;
|
|
1003
|
$code_result = php_eval($code);
|
|
1004
|
$watchdog_tokens['%code_result'] = $code_result;
|
|
1005
|
$ldap_username = $code_result;
|
|
1006
|
$watchdog_tokens['%ldap_username'] = $ldap_username;
|
|
1007
|
$name = $old_name_value;
|
|
1008
|
if ($this->detailedWatchdogLog) {
|
|
1009
|
watchdog('ldap_servers', '%drupal_user_name tansformed to %ldap_username by applying code <code>%code</code>', $watchdog_tokens, WATCHDOG_DEBUG);
|
|
1010
|
}
|
|
1011
|
}
|
|
1012
|
else {
|
|
1013
|
$ldap_username = $drupal_username;
|
|
1014
|
}
|
|
1015
|
|
|
1016
|
|
|
1017
|
$context = array(
|
|
1018
|
'ldap_server' => $this,
|
|
1019
|
);
|
|
1020
|
drupal_alter('ldap_servers_username_to_ldapname', $ldap_username, $drupal_username, $context);
|
|
1021
|
|
|
1022
|
return $ldap_username;
|
|
1023
|
|
|
1024
|
}
|
|
1025
|
|
|
1026
|
|
|
1027
|
|
|
1028
|
|
|
1029
|
|
|
1030
|
|
|
1031
|
|
|
1032
|
|
|
1033
|
|
|
1034
|
|
|
1035
|
public function userUsernameFromLdapEntry($ldap_entry) {
|
|
1036
|
|
|
1037
|
|
|
1038
|
if ($this->account_name_attr) {
|
|
1039
|
$accountname = (empty($ldap_entry[$this->account_name_attr][0])) ? FALSE : $ldap_entry[$this->account_name_attr][0];
|
|
1040
|
}
|
|
1041
|
elseif ($this->user_attr) {
|
|
1042
|
$accountname = (empty($ldap_entry[$this->user_attr][0])) ? FALSE : $ldap_entry[$this->user_attr][0];
|
|
1043
|
}
|
|
1044
|
else {
|
|
1045
|
$accountname = FALSE;
|
|
1046
|
}
|
|
1047
|
|
|
1048
|
return $accountname;
|
|
1049
|
}
|
|
1050
|
|
|
1051
|
|
|
1052
|
|
|
1053
|
|
|
1054
|
|
|
1055
|
|
|
1056
|
|
|
1057
|
|
|
1058
|
|
|
1059
|
public function userUsernameFromDn($dn) {
|
|
1060
|
|
|
1061
|
$ldap_entry = @$this->dnExists($dn, 'ldap_entry', array());
|
|
1062
|
if (!$ldap_entry || !is_array($ldap_entry)) {
|
|
1063
|
return FALSE;
|
|
1064
|
}
|
|
1065
|
else {
|
|
1066
|
return $this->userUsernameFromLdapEntry($ldap_entry);
|
|
1067
|
}
|
|
1068
|
|
|
1069
|
}
|
|
1070
|
|
|
1071
|
|
|
1072
|
|
|
1073
|
|
|
1074
|
|
|
1075
|
|
|
1076
|
public function userEmailFromLdapEntry($ldap_entry) {
|
|
1077
|
|
|
1078
|
if ($ldap_entry && $this->mail_attr) {
|
|
1079
|
$mail = isset($ldap_entry[$this->mail_attr][0]) ? $ldap_entry[$this->mail_attr][0] : FALSE;
|
|
1080
|
return $mail;
|
|
1081
|
}
|
|
1082
|
elseif ($ldap_entry && $this->mail_template) {
|
|
1083
|
ldap_servers_module_load_include('inc', 'ldap_servers', 'ldap_servers.functions');
|
|
1084
|
return ldap_servers_token_replace($ldap_entry, $this->mail_template, 'ldap_entry');
|
|
1085
|
}
|
|
1086
|
else {
|
|
1087
|
return FALSE;
|
|
1088
|
}
|
|
1089
|
}
|
|
1090
|
|
|
1091
|
|
|
1092
|
|
|
1093
|
|
|
1094
|
|
|
1095
|
|
|
1096
|
|
|
1097
|
|
|
1098
|
public function userPictureFromLdapEntry($ldap_entry, $drupal_username = FALSE) {
|
|
1099
|
if ($ldap_entry && $this->picture_attr) {
|
|
1100
|
|
|
1101
|
|
|
1102
|
$image_data = isset($ldap_entry[$this->picture_attr][0]) ? $ldap_entry[$this->picture_attr][0] : FALSE;
|
|
1103
|
if (!$image_data) {
|
|
1104
|
return FALSE;
|
|
1105
|
}
|
|
1106
|
|
|
1107
|
$md5thumb = md5($image_data);
|
|
1108
|
|
|
1109
|
|
|
1110
|
|
|
1111
|
|
|
1112
|
|
|
1113
|
|
|
1114
|
if ($drupal_username && $account = user_load_by_name($drupal_username)) {
|
|
1115
|
if ($account->uid == 0 || $account->uid == 1) {
|
|
1116
|
return FALSE;
|
|
1117
|
}
|
|
1118
|
if (isset($account->picture)) {
|
|
1119
|
|
|
1120
|
if (isset($account->data['ldap_user']['init']['thumb5md']) && $md5thumb === $account->data['ldap_user']['init']['thumb5md']) {
|
|
1121
|
|
|
1122
|
$account->picture->md5Sum = $md5thumb;
|
|
1123
|
return $account->picture;
|
|
1124
|
}
|
|
1125
|
else {
|
|
1126
|
|
|
1127
|
if (is_object($account->picture)) {
|
|
1128
|
file_delete($account->picture, TRUE);
|
|
1129
|
}
|
|
1130
|
elseif (is_string($account->picture)) {
|
|
1131
|
$file = file_load(intval($account->picture));
|
|
1132
|
file_delete($file, TRUE);
|
|
1133
|
}
|
|
1134
|
}
|
|
1135
|
}
|
|
1136
|
elseif (isset($account->data['ldap_user']['init']['thumb5md'])) {
|
|
1137
|
watchdog('ldap_servers', "Some error happened during thumbnailPhoto sync.");
|
|
1138
|
return FALSE;
|
|
1139
|
}
|
|
1140
|
}
|
|
1141
|
return $this->savePictureData($image_data, $md5thumb);
|
|
1142
|
}
|
|
1143
|
return FALSE;
|
|
1144
|
}
|
|
1145
|
|
|
1146
|
|
|
1147
|
|
|
1148
|
|
|
1149
|
|
|
1150
|
|
|
1151
|
private function savePictureData($image_data, $md5thumb) {
|
|
1152
|
|
|
1153
|
$filename = uniqid();
|
|
1154
|
$fileuri = file_directory_temp() . '/' . $filename;
|
|
1155
|
$size = file_put_contents($fileuri, $image_data);
|
|
1156
|
$info = image_get_info($fileuri);
|
|
1157
|
unlink($fileuri);
|
|
1158
|
|
|
1159
|
$file = file_save_data($image_data, file_default_scheme() . '://' . variable_get('user_picture_path') . '/' . $filename . '.' . $info['extension']);
|
|
1160
|
$file->md5Sum = $md5thumb;
|
|
1161
|
|
|
1162
|
$validators = [
|
|
1163
|
'file_validate_is_image' => [],
|
|
1164
|
'file_validate_image_resolution' => [variable_get('user_picture_dimensions', '85x85')],
|
|
1165
|
'file_validate_size' => [variable_get('user_picture_file_size', '30') * 1024],
|
|
1166
|
];
|
|
1167
|
$errors = file_validate($file, $validators);
|
|
1168
|
if (empty($errors)) {
|
|
1169
|
return $file;
|
|
1170
|
}
|
|
1171
|
else {
|
|
1172
|
foreach ($errors as $err => $err_val) {
|
|
1173
|
watchdog('ldap_servers', "Error storing picture: %error", ["%error" => $err_val], WATCHDOG_ERROR);
|
|
1174
|
}
|
|
1175
|
return FALSE;
|
|
1176
|
}
|
|
1177
|
}
|
|
1178
|
|
|
1179
|
|
|
1180
|
|
|
1181
|
|
|
1182
|
|
|
1183
|
|
|
1184
|
|
|
1185
|
public function userPuidFromLdapEntry($ldap_entry) {
|
|
1186
|
|
|
1187
|
if ($this->unique_persistent_attr
|
|
1188
|
&& isset($ldap_entry[$this->unique_persistent_attr][0])
|
|
1189
|
&& is_scalar($ldap_entry[$this->unique_persistent_attr][0])
|
|
1190
|
) {
|
|
1191
|
if (is_array($ldap_entry[$this->unique_persistent_attr])) {
|
|
1192
|
$puid = $ldap_entry[$this->unique_persistent_attr][0];
|
|
1193
|
}
|
|
1194
|
else {
|
|
1195
|
$puid = $ldap_entry[$this->unique_persistent_attr];
|
|
1196
|
}
|
|
1197
|
return ($this->unique_persistent_attr_binary) ? ldap_servers_binary($puid) : $puid;
|
|
1198
|
}
|
|
1199
|
else {
|
|
1200
|
return FALSE;
|
|
1201
|
}
|
|
1202
|
}
|
|
1203
|
|
|
1204
|
|
|
1205
|
|
|
1206
|
|
|
1207
|
|
|
1208
|
|
|
1209
|
|
|
1210
|
|
|
1211
|
|
|
1212
|
|
|
1213
|
public function user_lookup($user) {
|
|
1214
|
return $this->userUserToExistingLdapEntry($user);
|
|
1215
|
}
|
|
1216
|
public function userUserToExistingLdapEntry($user) {
|
|
1217
|
|
|
1218
|
if (is_object($user)) {
|
|
1219
|
$user_ldap_entry = $this->userUserNameToExistingLdapEntry($user->name);
|
|
1220
|
}
|
|
1221
|
elseif (is_array($user)) {
|
|
1222
|
$user_ldap_entry = $user;
|
|
1223
|
}
|
|
1224
|
elseif (is_scalar($user)) {
|
|
1225
|
if (strpos($user, '=') === FALSE) {
|
|
1226
|
$user_ldap_entry = $this->userUserNameToExistingLdapEntry($user);
|
|
1227
|
}
|
|
1228
|
else {
|
|
1229
|
$user_ldap_entry = $this->dnExists($user, 'ldap_entry');
|
|
1230
|
}
|
|
1231
|
}
|
|
1232
|
return $user_ldap_entry;
|
|
1233
|
}
|
|
1234
|
|
|
1235
|
|
|
1236
|
|
|
1237
|
|
|
1238
|
|
|
1239
|
|
|
1240
|
|
|
1241
|
|
|
1242
|
|
|
1243
|
|
|
1244
|
|
|
1245
|
|
|
1246
|
|
|
1247
|
|
|
1248
|
|
|
1249
|
|
|
1250
|
|
|
1251
|
public function userUserNameToExistingLdapEntry($drupal_user_name, $ldap_context = NULL) {
|
|
1252
|
|
|
1253
|
$watchdog_tokens = array('%drupal_user_name' => $drupal_user_name);
|
|
1254
|
$ldap_username = $this->userUsernameToLdapNameTransform($drupal_user_name, $watchdog_tokens);
|
|
1255
|
if (!$ldap_username) {
|
|
1256
|
return FALSE;
|
|
1257
|
}
|
|
1258
|
if (!$ldap_context) {
|
|
1259
|
$attributes = array();
|
|
1260
|
}
|
|
1261
|
else {
|
|
1262
|
$attribute_maps = ldap_servers_attributes_needed($this->sid, $ldap_context);
|
|
1263
|
$attributes = array_keys($attribute_maps);
|
|
1264
|
}
|
|
1265
|
|
|
1266
|
foreach ($this->basedn as $basedn) {
|
|
1267
|
if (empty($basedn)) continue;
|
|
1268
|
$filter = '(' . $this->user_attr . '=' . ldap_server_massage_text($ldap_username, 'attr_value', LDAP_SERVER_MASSAGE_QUERY_LDAP) . ')';
|
|
1269
|
$result = $this->search($basedn, $filter, $attributes);
|
|
1270
|
if (!$result || !isset($result['count']) || !$result['count']) continue;
|
|
1271
|
|
|
1272
|
|
|
1273
|
|
|
1274
|
if ($result['count'] != 1) {
|
|
1275
|
$count = $result['count'];
|
|
1276
|
watchdog('ldap_servers', "Error: !count users found with $filter under $basedn.", array('!count' => $count), WATCHDOG_ERROR);
|
|
1277
|
continue;
|
|
1278
|
}
|
|
1279
|
$match = $result[0];
|
|
1280
|
|
|
1281
|
|
|
1282
|
|
|
1283
|
|
|
1284
|
|
|
1285
|
$name_attr = $this->user_attr;
|
|
1286
|
|
|
1287
|
if (isset($match[$name_attr][0])) {
|
|
1288
|
|
|
1289
|
}
|
|
1290
|
elseif (isset($match[drupal_strtolower($name_attr)][0])) {
|
|
1291
|
$name_attr = drupal_strtolower($name_attr);
|
|
1292
|
|
|
1293
|
}
|
|
1294
|
else {
|
|
1295
|
if ($this->bind_method == LDAP_SERVERS_BIND_METHOD_ANON_USER) {
|
|
1296
|
$result = array(
|
|
1297
|
'dn' => $match['dn'],
|
|
1298
|
'mail' => $this->userEmailFromLdapEntry($match),
|
|
1299
|
'attr' => $match,
|
|
1300
|
'sid' => $this->sid,
|
|
1301
|
);
|
|
1302
|
return $result;
|
|
1303
|
}
|
|
1304
|
else {
|
|
1305
|
continue;
|
|
1306
|
}
|
|
1307
|
}
|
|
1308
|
|
|
1309
|
|
|
1310
|
|
|
1311
|
|
|
1312
|
|
|
1313
|
|
|
1314
|
|
|
1315
|
|
|
1316
|
|
|
1317
|
foreach ($match[$name_attr] as $value) {
|
|
1318
|
if (drupal_strtolower(trim($value)) == drupal_strtolower($ldap_username)) {
|
|
1319
|
$result = array(
|
|
1320
|
'dn' => $match['dn'],
|
|
1321
|
'mail' => $this->userEmailFromLdapEntry($match),
|
|
1322
|
'attr' => $match,
|
|
1323
|
'sid' => $this->sid,
|
|
1324
|
);
|
|
1325
|
return $result;
|
|
1326
|
}
|
|
1327
|
}
|
|
1328
|
}
|
|
1329
|
}
|
|
1330
|
|
|
1331
|
|
|
1332
|
|
|
1333
|
|
|
1334
|
|
|
1335
|
|
|
1336
|
|
|
1337
|
|
|
1338
|
|
|
1339
|
|
|
1340
|
|
|
1341
|
|
|
1342
|
public function groupIsMember($group_dn, $user, $nested = NULL) {
|
|
1343
|
|
|
1344
|
$nested = ($nested === TRUE || $nested === FALSE) ? $nested : $this->groupNested;
|
|
1345
|
$group_dns = $this->groupMembershipsFromUser($user, 'group_dns', $nested);
|
|
1346
|
|
|
1347
|
|
|
1348
|
return (is_array($group_dns) && in_array(drupal_strtolower($group_dn), $this->dnArrayToLowerCase($group_dns)));
|
|
1349
|
}
|
|
1350
|
|
|
1351
|
|
|
1352
|
|
|
1353
|
|
|
1354
|
|
|
1355
|
|
|
1356
|
|
|
1357
|
|
|
1358
|
|
|
1359
|
|
|
1360
|
|
|
1361
|
|
|
1362
|
|
|
1363
|
public function groupAddGroup($group_dn, $attributes = array()) {
|
|
1364
|
|
|
1365
|
if ($this->dnExists($group_dn, 'boolean')) {
|
|
1366
|
return FALSE;
|
|
1367
|
}
|
|
1368
|
|
|
1369
|
$attributes = array_change_key_case($attributes, CASE_LOWER);
|
|
1370
|
$objectclass = (empty($attributes['objectclass'])) ? $this->groupObjectClass : $attributes['objectclass'];
|
|
1371
|
$attributes['objectclass'] = $objectclass;
|
|
1372
|
|
|
1373
|
|
|
1374
|
|
|
1375
|
|
|
1376
|
$context = array(
|
|
1377
|
'action' => 'add',
|
|
1378
|
'corresponding_drupal_data' => array($group_dn => $attributes),
|
|
1379
|
'corresponding_drupal_data_type' => 'group',
|
|
1380
|
);
|
|
1381
|
$ldap_entries = array($group_dn => $attributes);
|
|
1382
|
drupal_alter('ldap_entry_pre_provision', $ldap_entries, $this, $context);
|
|
1383
|
$attributes = $ldap_entries[$group_dn];
|
|
1384
|
|
|
1385
|
|
|
1386
|
|
|
1387
|
|
|
1388
|
|
|
1389
|
|
|
1390
|
$ldap_entry_created = $this->createLdapEntry($attributes, $group_dn);
|
|
1391
|
|
|
1392
|
|
|
1393
|
|
|
1394
|
|
|
1395
|
|
|
1396
|
|
|
1397
|
if ($ldap_entry_created) {
|
|
1398
|
module_invoke_all('ldap_entry_post_provision', $ldap_entries, $this, $context);
|
|
1399
|
return TRUE;
|
|
1400
|
}
|
|
1401
|
else {
|
|
1402
|
return FALSE;
|
|
1403
|
}
|
|
1404
|
|
|
1405
|
}
|
|
1406
|
|
|
1407
|
|
|
1408
|
|
|
1409
|
|
|
1410
|
|
|
1411
|
|
|
1412
|
|
|
1413
|
|
|
1414
|
|
|
1415
|
|
|
1416
|
public function groupRemoveGroup($group_dn, $only_if_group_empty = TRUE) {
|
|
1417
|
|
|
1418
|
if ($only_if_group_empty) {
|
|
1419
|
$members = $this->groupAllMembers($group_dn);
|
|
1420
|
if (is_array($members) && count($members) > 0) {
|
|
1421
|
return FALSE;
|
|
1422
|
}
|
|
1423
|
}
|
|
1424
|
|
|
1425
|
return $this->delete($group_dn);
|
|
1426
|
|
|
1427
|
}
|
|
1428
|
|
|
1429
|
|
|
1430
|
|
|
1431
|
|
|
1432
|
|
|
1433
|
|
|
1434
|
|
|
1435
|
|
|
1436
|
|
|
1437
|
|
|
1438
|
|
|
1439
|
|
|
1440
|
public function groupAddMember($group_dn, $user) {
|
|
1441
|
|
|
1442
|
$user_ldap_entry = $this->userUserToExistingLdapEntry($user);
|
|
1443
|
$result = FALSE;
|
|
1444
|
if ($user_ldap_entry && $this->groupGroupEntryMembershipsConfigured) {
|
|
1445
|
$add = array();
|
|
1446
|
$add[$this->groupMembershipsAttr] = $user_ldap_entry['dn'];
|
|
1447
|
$this->connectAndBindIfNotAlready();
|
|
1448
|
$result = @ldap_mod_add($this->connection, $group_dn, $add);
|
|
1449
|
}
|
|
1450
|
|
|
1451
|
return $result;
|
|
1452
|
}
|
|
1453
|
|
|
1454
|
|
|
1455
|
|
|
1456
|
|
|
1457
|
|
|
1458
|
|
|
1459
|
|
|
1460
|
|
|
1461
|
|
|
1462
|
|
|
1463
|
|
|
1464
|
|
|
1465
|
public function groupRemoveMember($group_dn, $user) {
|
|
1466
|
|
|
1467
|
$user_ldap_entry = $this->userUserToExistingLdapEntry($user);
|
|
1468
|
$result = FALSE;
|
|
1469
|
if ($user_ldap_entry && $this->groupGroupEntryMembershipsConfigured) {
|
|
1470
|
$del = array();
|
|
1471
|
$del[$this->groupMembershipsAttr] = $user_ldap_entry['dn'];
|
|
1472
|
$this->connectAndBindIfNotAlready();
|
|
1473
|
$result = @ldap_mod_del($this->connection, $group_dn, $del);
|
|
1474
|
}
|
|
1475
|
return $result;
|
|
1476
|
}
|
|
1477
|
|
|
1478
|
|
|
1479
|
|
|
1480
|
|
|
1481
|
|
|
1482
|
|
|
1483
|
|
|
1484
|
|
|
1485
|
|
|
1486
|
|
|
1487
|
|
|
1488
|
|
|
1489
|
public function groupAllMembers($group_dn) {
|
|
1490
|
if (!$this->groupGroupEntryMembershipsConfigured) {
|
|
1491
|
return FALSE;
|
|
1492
|
}
|
|
1493
|
$attributes = array($this->groupMembershipsAttr, 'cn');
|
|
1494
|
$group_entry = $this->dnExists($group_dn, 'ldap_entry', $attributes);
|
|
1495
|
if (!$group_entry) {
|
|
1496
|
return FALSE;
|
|
1497
|
}
|
|
1498
|
else {
|
|
1499
|
if (empty($group_entry['cn'])) {
|
|
1500
|
return FALSE;
|
|
1501
|
}
|
|
1502
|
if (empty($group_entry[$this->groupMembershipsAttr])) {
|
|
1503
|
return array();
|
|
1504
|
}
|
|
1505
|
$members = $group_entry[$this->groupMembershipsAttr];
|
|
1506
|
if (isset($members['count'])) {
|
|
1507
|
unset($members['count']);
|
|
1508
|
}
|
|
1509
|
return $members;
|
|
1510
|
}
|
|
1511
|
|
|
1512
|
$this->groupMembersResursive($current_group_entries, $all_group_dns, $tested_group_ids, 0, $max_levels, $object_classes);
|
|
1513
|
|
|
1514
|
return $all_group_dns;
|
|
1515
|
|
|
1516
|
}
|
|
1517
|
|
|
1518
|
|
|
1519
|
|
|
1520
|
|
|
1521
|
|
|
1522
|
|
|
1523
|
|
|
1524
|
|
|
1525
|
|
|
1526
|
|
|
1527
|
|
|
1528
|
|
|
1529
|
|
|
1530
|
|
|
1531
|
public function groupMembersResursive($current_member_entries, &$all_member_dns, &$tested_group_ids, $level, $max_levels, $object_classes = FALSE) {
|
|
1532
|
|
|
1533
|
if (!$this->groupGroupEntryMembershipsConfigured || !is_array($current_member_entries) || count($current_member_entries) == 0) {
|
|
1534
|
return FALSE;
|
|
1535
|
}
|
|
1536
|
if (isset($current_member_entries['count'])) {
|
|
1537
|
unset($current_member_entries['count']);
|
|
1538
|
};
|
|
1539
|
|
|
1540
|
foreach ($current_member_entries as $i => $member_entry) {
|
|
1541
|
|
|
1542
|
$objectClassMatch = (!$object_classes || (count(array_intersect(array_values($member_entry['objectclass']), $object_classes)) > 0));
|
|
1543
|
$objectIsGroup = in_array($this->groupObjectClass, array_values($member_entry['objectclass']));
|
|
1544
|
if ($objectClassMatch && !in_array($member_entry['dn'], $all_member_dns)) {
|
|
1545
|
$all_member_dns[] = $member_entry['dn'];
|
|
1546
|
}
|
|
1547
|
|
|
1548
|
|
|
1549
|
if ($objectIsGroup && $level < $max_levels) {
|
|
1550
|
if ($this->groupMembershipsAttrMatchingUserAttr == 'dn') {
|
|
1551
|
$group_id = $member_entry['dn'];
|
|
1552
|
}
|
|
1553
|
else {
|
|
1554
|
$group_id = $member_entry[$this->groupMembershipsAttrMatchingUserAttr][0];
|
|
1555
|
}
|
|
1556
|
|
|
1557
|
if (!in_array($group_id, $tested_group_ids)) {
|
|
1558
|
$tested_group_ids[] = $group_id;
|
|
1559
|
$member_ids = $member_entry[$this->groupMembershipsAttr];
|
|
1560
|
if (isset($member_ids['count'])) {
|
|
1561
|
unset($member_ids['count']);
|
|
1562
|
};
|
|
1563
|
$ors = array();
|
|
1564
|
foreach ($member_ids as $i => $member_id) {
|
|
1565
|
$ors[] = $this->groupMembershipsAttr . '=' . ldap_pear_escape_filter_value($member_id);
|
|
1566
|
}
|
|
1567
|
|
|
1568
|
if (count($ors)) {
|
|
1569
|
$query_for_child_members = '(|(' . join(")(", $ors) . '))';
|
|
1570
|
if (count($object_classes)) {
|
|
1571
|
$object_classes_ors = array('(objectClass=' . $this->groupObjectClass . ')');
|
|
1572
|
foreach ($object_classes as $object_class) {
|
|
1573
|
$object_classes_ors[] = '(objectClass=' . $object_class . ')';
|
|
1574
|
}
|
|
1575
|
$query_for_child_members = '&(|' . join($object_classes_ors) . ')(' . $query_for_child_members . ')';
|
|
1576
|
}
|
|
1577
|
foreach ($this->basedn as $base_dn) {
|
|
1578
|
$child_member_entries = $this->search($base_dn, $query_for_child_members, array('objectclass', $this->groupMembershipsAttr, $this->groupMembershipsAttrMatchingUserAttr));
|
|
1579
|
if ($child_member_entries !== FALSE) {
|
|
1580
|
$this->groupMembersResursive($child_member_entries, $all_member_dns, $tested_group_ids, $level + 1, $max_levels, $object_classes);
|
|
1581
|
}
|
|
1582
|
}
|
|
1583
|
}
|
|
1584
|
}
|
|
1585
|
}
|
|
1586
|
}
|
|
1587
|
}
|
|
1588
|
|
|
1589
|
|
|
1590
|
|
|
1591
|
|
|
1592
|
|
|
1593
|
|
|
1594
|
|
|
1595
|
|
|
1596
|
|
|
1597
|
|
|
1598
|
|
|
1599
|
|
|
1600
|
|
|
1601
|
|
|
1602
|
|
|
1603
|
|
|
1604
|
|
|
1605
|
|
|
1606
|
|
|
1607
|
|
|
1608
|
|
|
1609
|
|
|
1610
|
public function groupMembershipsFromUser($user, $return = 'group_dns', $nested = NULL) {
|
|
1611
|
|
|
1612
|
$group_dns = FALSE;
|
|
1613
|
$user_ldap_entry = @$this->userUserToExistingLdapEntry($user);
|
|
1614
|
if (!$user_ldap_entry || $this->groupFunctionalityUnused) {
|
|
1615
|
return FALSE;
|
|
1616
|
}
|
|
1617
|
if ($nested === NULL) {
|
|
1618
|
$nested = $this->groupNested;
|
|
1619
|
}
|
|
1620
|
|
|
1621
|
if ($this->groupUserMembershipsConfigured) {
|
|
1622
|
$group_dns = $this->groupUserMembershipsFromUserAttr($user_ldap_entry, $nested);
|
|
1623
|
}
|
|
1624
|
elseif ($this->groupGroupEntryMembershipsConfigured) {
|
|
1625
|
$group_dns = $this->groupUserMembershipsFromEntry($user_ldap_entry, $nested);
|
|
1626
|
}
|
|
1627
|
else {
|
|
1628
|
watchdog('ldap_servers', 'groupMembershipsFromUser: Group memberships for server have not been configured.', array(), WATCHDOG_WARNING);
|
|
1629
|
return FALSE;
|
|
1630
|
}
|
|
1631
|
if ($return == 'group_dns') {
|
|
1632
|
return $group_dns;
|
|
1633
|
}
|
|
1634
|
|
|
1635
|
}
|
|
1636
|
|
|
1637
|
|
|
1638
|
|
|
1639
|
|
|
1640
|
|
|
1641
|
|
|
1642
|
|
|
1643
|
|
|
1644
|
|
|
1645
|
|
|
1646
|
|
|
1647
|
|
|
1648
|
|
|
1649
|
|
|
1650
|
|
|
1651
|
|
|
1652
|
|
|
1653
|
|
|
1654
|
|
|
1655
|
|
|
1656
|
|
|
1657
|
|
|
1658
|
public function groupUserMembershipsFromUserAttr($user, $nested = NULL) {
|
|
1659
|
|
|
1660
|
if (!$this->groupUserMembershipsConfigured) {
|
|
1661
|
return FALSE;
|
|
1662
|
}
|
|
1663
|
if ($nested === NULL) {
|
|
1664
|
$nested = $this->groupNested;
|
|
1665
|
}
|
|
1666
|
|
|
1667
|
$not_user_ldap_entry = empty($user['attr'][$this->groupUserMembershipsAttr]);
|
|
1668
|
if ($not_user_ldap_entry) {
|
|
1669
|
$user = $this->userUserToExistingLdapEntry($user);
|
|
1670
|
$not_user_ldap_entry = empty($user['attr'][$this->groupUserMembershipsAttr]);
|
|
1671
|
if ($not_user_ldap_entry) {
|
|
1672
|
return FALSE;
|
|
1673
|
}
|
|
1674
|
}
|
|
1675
|
|
|
1676
|
$user_ldap_entry = $user;
|
|
1677
|
$all_group_dns = array();
|
|
1678
|
$tested_group_ids = array();
|
|
1679
|
$level = 0;
|
|
1680
|
|
|
1681
|
$member_group_dns = $user_ldap_entry['attr'][$this->groupUserMembershipsAttr];
|
|
1682
|
if (isset($member_group_dns['count'])) {
|
|
1683
|
unset($member_group_dns['count']);
|
|
1684
|
}
|
|
1685
|
$ors = array();
|
|
1686
|
foreach ($member_group_dns as $i => $member_group_dn) {
|
|
1687
|
$all_group_dns[] = $member_group_dn;
|
|
1688
|
if ($nested) {
|
|
1689
|
if ($this->groupMembershipsAttrMatchingUserAttr == 'dn') {
|
|
1690
|
$member_value = $member_group_dn;
|
|
1691
|
}
|
|
1692
|
else {
|
|
1693
|
$member_value = ldap_servers_get_first_rdn_value_from_dn($member_group_dn, $this->groupMembershipsAttrMatchingUserAttr);
|
|
1694
|
}
|
|
1695
|
$ors[] = $this->groupMembershipsAttr . '=' . ldap_pear_escape_filter_value($member_value);
|
|
1696
|
}
|
|
1697
|
}
|
|
1698
|
|
|
1699
|
if ($nested && count($ors)) {
|
|
1700
|
$count = count($ors);
|
|
1701
|
for ($i = 0; $i < $count; $i = $i + LDAP_SERVER_LDAP_QUERY_CHUNK) {
|
|
1702
|
$current_ors = array_slice($ors, $i, LDAP_SERVER_LDAP_QUERY_CHUNK);
|
|
1703
|
$or = '(|(' . join(")(", $current_ors) . '))';
|
|
1704
|
$query_for_parent_groups = '(&(objectClass=' . $this->groupObjectClass . ')' . $or . ')';
|
|
1705
|
|
|
1706
|
foreach ($this->basedn as $base_dn) {
|
|
1707
|
$group_entries = $this->search($base_dn, $query_for_parent_groups);
|
|
1708
|
if ($group_entries !== FALSE && $level < LDAP_SERVER_LDAP_QUERY_RECURSION_LIMIT) {
|
|
1709
|
$this->groupMembershipsFromEntryRecursive($group_entries, $all_group_dns, $tested_group_ids, $level + 1, LDAP_SERVER_LDAP_QUERY_RECURSION_LIMIT);
|
|
1710
|
}
|
|
1711
|
}
|
|
1712
|
}
|
|
1713
|
}
|
|
1714
|
|
|
1715
|
return $all_group_dns;
|
|
1716
|
}
|
|
1717
|
|
|
1718
|
|
|
1719
|
|
|
1720
|
|
|
1721
|
|
|
1722
|
|
|
1723
|
|
|
1724
|
|
|
1725
|
|
|
1726
|
|
|
1727
|
|
|
1728
|
|
|
1729
|
|
|
1730
|
|
|
1731
|
|
|
1732
|
|
|
1733
|
|
|
1734
|
|
|
1735
|
|
|
1736
|
|
|
1737
|
|
|
1738
|
|
|
1739
|
public function groupUserMembershipsFromEntry($user, $nested = NULL) {
|
|
1740
|
|
|
1741
|
if (!$this->groupGroupEntryMembershipsConfigured) {
|
|
1742
|
return FALSE;
|
|
1743
|
}
|
|
1744
|
if ($nested === NULL) {
|
|
1745
|
$nested = $this->groupNested;
|
|
1746
|
}
|
|
1747
|
|
|
1748
|
$user_ldap_entry = $this->userUserToExistingLdapEntry($user);
|
|
1749
|
|
|
1750
|
$all_group_dns = array();
|
|
1751
|
$tested_group_ids = array();
|
|
1752
|
$level = 0;
|
|
1753
|
|
|
1754
|
if ($this->groupMembershipsAttrMatchingUserAttr == 'dn') {
|
|
1755
|
$member_value = $user_ldap_entry['dn'];
|
|
1756
|
}
|
|
1757
|
else {
|
|
1758
|
$member_value = $user_ldap_entry['attr'][$this->groupMembershipsAttrMatchingUserAttr][0];
|
|
1759
|
}
|
|
1760
|
$member_value = ldap_pear_escape_filter_value($member_value);
|
|
1761
|
if ($this->groupObjectClass == '') {
|
|
1762
|
$group_query = '(' . $this->groupMembershipsAttr . "=$member_value)";
|
|
1763
|
}
|
|
1764
|
else {
|
|
1765
|
$group_query = '(&(objectClass=' . $this->groupObjectClass . ')(' . $this->groupMembershipsAttr . "=$member_value))";
|
|
1766
|
}
|
|
1767
|
|
|
1768
|
foreach ($this->basedn as $base_dn) {
|
|
1769
|
$group_entries = $this->search($base_dn, $group_query, array());
|
|
1770
|
if ($group_entries !== FALSE) {
|
|
1771
|
$max_levels = ($nested) ? LDAP_SERVER_LDAP_QUERY_RECURSION_LIMIT : 0;
|
|
1772
|
$this->groupMembershipsFromEntryRecursive($group_entries, $all_group_dns, $tested_group_ids, $level, $max_levels);
|
|
1773
|
}
|
|
1774
|
}
|
|
1775
|
|
|
1776
|
return $all_group_dns;
|
|
1777
|
}
|
|
1778
|
|
|
1779
|
|
|
1780
|
|
|
1781
|
|
|
1782
|
|
|
1783
|
|
|
1784
|
|
|
1785
|
|
|
1786
|
|
|
1787
|
|
|
1788
|
|
|
1789
|
|
|
1790
|
|
|
1791
|
|
|
1792
|
|
|
1793
|
|
|
1794
|
|
|
1795
|
|
|
1796
|
|
|
1797
|
public function groupMembershipsFromEntryRecursive($current_group_entries, &$all_group_dns, &$tested_group_ids, $level, $max_levels) {
|
|
1798
|
|
|
1799
|
if (!$this->groupGroupEntryMembershipsConfigured || !is_array($current_group_entries) || count($current_group_entries) == 0) {
|
|
1800
|
return FALSE;
|
|
1801
|
}
|
|
1802
|
if (isset($current_group_entries['count'])) {
|
|
1803
|
unset($current_group_entries['count']);
|
|
1804
|
};
|
|
1805
|
|
|
1806
|
$ors = array();
|
|
1807
|
foreach ($current_group_entries as $i => $group_entry) {
|
|
1808
|
if ($this->groupMembershipsAttrMatchingUserAttr == 'dn') {
|
|
1809
|
$member_id = $group_entry['dn'];
|
|
1810
|
}
|
|
1811
|
else {
|
|
1812
|
$member_id = ldap_servers_get_first_rdn_value_from_dn($group_entry['dn'], $this->groupMembershipsAttrMatchingUserAttr);
|
|
1813
|
if(!$member_id) {
|
|
1814
|
if ($this->detailed_watchdog_log) {
|
|
1815
|
watchdog('ldap_servers', 'group_entry: %ge', array('%ge' => pretty_print_ldap_entry($group_entry)));
|
|
1816
|
}
|
|
1817
|
|
|
1818
|
|
|
1819
|
|
|
1820
|
$goc = $group_entry['objectclass'];
|
|
1821
|
if(is_array($goc)) {
|
|
1822
|
foreach($goc as $g) {
|
|
1823
|
$g = drupal_strtolower($g);
|
|
1824
|
if($g == $this->groupObjectClass) {
|
|
1825
|
|
|
1826
|
if ($this->detailed_watchdog_log) {
|
|
1827
|
watchdog('ldap_servers', 'adding %mi', array('%mi' => $member_id));
|
|
1828
|
}
|
|
1829
|
$member_id = $group_entry['dn'];
|
|
1830
|
break;
|
|
1831
|
}
|
|
1832
|
}
|
|
1833
|
}
|
|
1834
|
}
|
|
1835
|
}
|
|
1836
|
|
|
1837
|
if ($member_id && !in_array($member_id, $tested_group_ids)) {
|
|
1838
|
$tested_group_ids[] = $member_id;
|
|
1839
|
$all_group_dns[] = $group_entry['dn'];
|
|
1840
|
|
|
1841
|
$ors[] = $this->groupMembershipsAttr . '=' . ldap_pear_escape_filter_value($member_id);
|
|
1842
|
}
|
|
1843
|
}
|
|
1844
|
|
|
1845
|
if ($level < $max_levels && count($ors)) {
|
|
1846
|
$count = count($ors);
|
|
1847
|
for ($i = 0; $i < $count; $i = $i + LDAP_SERVER_LDAP_QUERY_CHUNK) {
|
|
1848
|
$current_ors = array_slice($ors, $i, LDAP_SERVER_LDAP_QUERY_CHUNK);
|
|
1849
|
$or = '(|(' . join(")(", $current_ors) . '))';
|
|
1850
|
$query_for_parent_groups = '(&(objectClass=' . $this->groupObjectClass . ')' . $or . ')';
|
|
1851
|
|
|
1852
|
foreach ($this->basedn as $base_dn) {
|
|
1853
|
$group_entries = $this->search($base_dn, $query_for_parent_groups);
|
|
1854
|
if ($group_entries !== FALSE) {
|
|
1855
|
$this->groupMembershipsFromEntryRecursive($group_entries, $all_group_dns, $tested_group_ids, $level + 1, $max_levels);
|
|
1856
|
}
|
|
1857
|
}
|
|
1858
|
}
|
|
1859
|
}
|
|
1860
|
|
|
1861
|
return TRUE;
|
|
1862
|
}
|
|
1863
|
|
|
1864
|
|
|
1865
|
|
|
1866
|
|
|
1867
|
|
|
1868
|
|
|
1869
|
|
|
1870
|
|
|
1871
|
|
|
1872
|
|
|
1873
|
|
|
1874
|
|
|
1875
|
|
|
1876
|
public function groupUserMembershipsFromDn($user) {
|
|
1877
|
|
|
1878
|
if (!$this->groupDeriveFromDn || !$this->groupDeriveFromDnAttr) {
|
|
1879
|
return FALSE;
|
|
1880
|
}
|
|
1881
|
elseif ($user_ldap_entry = $this->userUserToExistingLdapEntry($user)) {
|
|
1882
|
return ldap_servers_get_all_rdn_values_from_dn($user_ldap_entry['dn'], $this->groupDeriveFromDnAttr);
|
|
1883
|
}
|
|
1884
|
else {
|
|
1885
|
return FALSE;
|
|
1886
|
}
|
|
1887
|
|
|
1888
|
}
|
|
1889
|
|
|
1890
|
|
|
1891
|
|
|
1892
|
|
|
1893
|
public $detailedWatchdogLog = FALSE;
|
|
1894
|
protected $_errorMsg = NULL;
|
|
1895
|
protected $_hasError = FALSE;
|
|
1896
|
protected $_errorName = NULL;
|
|
1897
|
|
|
1898
|
public function setError($_errorName, $_errorMsgText = NULL) {
|
|
1899
|
$this->_errorMsgText = $_errorMsgText;
|
|
1900
|
$this->_errorName = $_errorName;
|
|
1901
|
$this->_hasError = TRUE;
|
|
1902
|
}
|
|
1903
|
|
|
1904
|
public function clearError() {
|
|
1905
|
$this->_hasError = FALSE;
|
|
1906
|
$this->_errorMsg = NULL;
|
|
1907
|
$this->_errorName = NULL;
|
|
1908
|
}
|
|
1909
|
|
|
1910
|
public function hasError() {
|
|
1911
|
return ($this->_hasError || $this->ldapErrorNumber());
|
|
1912
|
}
|
|
1913
|
|
|
1914
|
public function errorMsg($type = NULL) {
|
|
1915
|
if ($type == 'ldap' && $this->connection) {
|
|
1916
|
return ldap_err2str(ldap_errno($this->connection));
|
|
1917
|
}
|
|
1918
|
elseif ($type == NULL) {
|
|
1919
|
return $this->_errorMsg;
|
|
1920
|
}
|
|
1921
|
else {
|
|
1922
|
return NULL;
|
|
1923
|
}
|
|
1924
|
}
|
|
1925
|
|
|
1926
|
public function errorName($type = NULL) {
|
|
1927
|
if ($type == 'ldap' && $this->connection) {
|
|
1928
|
return "LDAP Error: " . ldap_error($this->connection);
|
|
1929
|
}
|
|
1930
|
elseif ($type == NULL) {
|
|
1931
|
return $this->_errorName;
|
|
1932
|
}
|
|
1933
|
else {
|
|
1934
|
return NULL;
|
|
1935
|
}
|
|
1936
|
}
|
|
1937
|
|
|
1938
|
public function ldapErrorNumber() {
|
|
1939
|
if ($this->connection && ldap_errno($this->connection)) {
|
|
1940
|
return ldap_errno($this->connection);
|
|
1941
|
}
|
|
1942
|
else {
|
|
1943
|
return FALSE;
|
|
1944
|
}
|
|
1945
|
}
|
|
1946
|
|
|
1947
|
}
|
|
1948
|
|
|
1949
|
|
|
1950
|
|
|
1951
|
|
|
1952
|
class LdapServersRebindHandler {
|
|
1953
|
|
|
1954
|
private $bind_dn = 'Anonymous';
|
|
1955
|
private $bind_passwd = '';
|
|
1956
|
|
|
1957
|
public function __construct($bind_user_dn, $bind_user_passwd){
|
|
1958
|
$this->bind_dn = $bind_user_dn;
|
|
1959
|
$this->bind_passwd = $bind_user_passwd;
|
|
1960
|
}
|
|
1961
|
|
|
1962
|
public function rebind_callback($ldap, $referral){
|
|
1963
|
|
|
1964
|
ldap_set_option($ldap, LDAP_OPT_PROTOCOL_VERSION, 3);
|
|
1965
|
ldap_set_option($ldap, LDAP_OPT_REFERRALS, 1);
|
|
1966
|
ldap_set_rebind_proc($ldap, array($this, 'rebind_callback'));
|
|
1967
|
|
|
1968
|
|
|
1969
|
if (!ldap_bind($ldap, $this->bind_dn, $this->bind_passwd)) {
|
|
1970
|
echo "Could not bind to referral server: $referral";
|
|
1971
|
return 1;
|
|
1972
|
}
|
|
1973
|
return 0;
|
|
1974
|
}
|
|
1975
|
}
|
