diff options
-rw-r--r-- | .gitignore | 1 | ||||
-rw-r--r-- | Simple-LDAP-Login-Admin.php | 251 | ||||
-rw-r--r-- | Simple-LDAP-Login.php | 315 | ||||
-rw-r--r-- | Simple-UM-Login-Admin.php | 190 | ||||
-rw-r--r-- | Simple-UM-Login.php | 166 | ||||
-rw-r--r-- | adLDAP.php | 2413 | ||||
-rw-r--r-- | readme.txt | 310 | ||||
-rw-r--r-- | umClient.php | 40 |
8 files changed, 552 insertions, 3134 deletions
diff --git a/.gitignore b/.gitignore new file mode 100644 index 0000000..a9a5aec --- /dev/null +++ b/.gitignore @@ -0,0 +1 @@ +tmp diff --git a/Simple-LDAP-Login-Admin.php b/Simple-LDAP-Login-Admin.php deleted file mode 100644 index 873c973..0000000 --- a/Simple-LDAP-Login-Admin.php +++ /dev/null @@ -1,251 +0,0 @@ -<html>
-<head>
-<style>
-div.container{
- width: 950px;
-}
-div.simpleldap_style{
- padding: 5px;
- background: #EBEBEB;
- margin: 10px;
- width:450px;
- height:375px;
- font-family: Calibri,Helvetica,Arial,sans-serif;
- float: left;
-}
-div.simpleldap_style_test{
- padding: 5px;
- margin: 0px 10px 10px 10px;
- background: #EBEBEB;
- width: 450px;
- height: 280px;
- font-family: Calibri,Helvetica,Arial,sans-serif;
- float: left;
-}
-div.information_pane{
- height:280px;
- width: 450px;
- padding: 5px;
- background: #EBEBEB;
- margin: 0px 10px 10px 0;
- font-family: Calibri,Helvetica,Arial,sans-serif;
- float:left;
-}
-div.advanced{
- padding: 5px;
- background: #EBEBEB;
- margin: 10px 10px 10px 0px;
- width:450px;
- height:375px;
- font-family: Calibri,Helvetica,Arial,sans-serif;
- float: left;
-}
-div.banner{
- padding 5px;
- margin-left: 10px;
- margin-top: 15px;
- font-family: Calibri,Helvetica,Arial,sans-serif;
-}
-h1{
- margin: 0;
-}
-h2{
- margin: 0;
-}
-h3{
- margin: 0;
-}
-h4{
- margin: 0;
-}
-p{
- margin-bottom: 0;
-}
-</style>
-</head>
-<?php
-//Debug
-$debug = "false";
-
-//Where are we?
-$this_page = $_SERVER['PHP_SELF'].'?page='.$_GET['page'];
-
-//If this is a test, we will use this variable
-$bool_test = 0;
-
-//If admin options updated (uses hidden field)
-if ($_POST['stage'] == 'process')
-{
- update_option('simpleldap_account_suffix', $_POST['account_suffix']);
- update_option('simpleldap_base_dn', $_POST['base_dn']);
- update_option('simpleldap_domain_controllers', $_POST['domain_controller']);
-
- //Version 1.3
- update_option('simpleldap_directory_type',$_POST['LDAP']);
- update_option('simpleldap_login_mode',$_POST['mode']);
- update_option('simpleldap_group',$_POST['group_name']);
- update_option('simpleldap_account_type',$_POST['create_type']);
-
- //Version 1.3.0.2
- update_option('simpleldap_security_mode',$_POST['security_mode']);
-
- //Version 1.4
- update_option('simpleldap_ol_login', $_POST['ol_login']);
-
- if(isset($_POST['use_tls']))
- {
- update_option("simpleldap_use_tls", $_POST['use_tls']);
- }
- else
- {
- update_option("simpleldap_use_tls", "no");
- }
-
-}
-//Test credentials
-elseif ($_POST['stage'] == 'test')
-{
- global $bool_test;
-
- //Temporarily change security mode for test. Store old setting.
- $temp_holder = get_option("simpleldap_security_mode");
- update_option("simpleldap_security_mode", "security_high");
-
- $test_user = wp_authenticate($_POST['test_username'],$_POST['test_password']);
-
- //Restore security mode setting.
- update_option("simpleldap_security_mode", $temp_holder);
-
- if ($test_user->ID > 0)
- {
- $bool_test = 1;
- }
- else
- {
- $bool_test = 2;
- }
-}
-//Load settings, etc
-$simpleldap_account_suffix = get_option("simpleldap_account_suffix");
-$simpleldap_base_dn = get_option("simpleldap_base_dn");
-$simpleldap_domain_controllers = get_option("simpleldap_domain_controllers");
-
-//Version 1.3
-$simpleldap_directory_type = get_option("simpleldap_directory_type");
-$simpleldap_login_mode = get_option("simpleldap_login_mode");
-$simpleldap_group = get_option("simpleldap_group");
-$simpleldap_account_type = get_option("simpleldap_account_type");
-
-//Version 1.3.0.2
-$simpleldap_security_mode = get_option("simpleldap_security_mode");
-
-//Version 1.4
-$simpleldap_ol_login = get_option("simpleldap_ol_login");
-$simpleldap_use_tls = get_option("simpleldap_use_tls");
-
-?>
-<body>
-<div class="container">
-<div class="banner"><h1>Simple LDAP Login 1.4.0.5.1</h1></div>
-<form style="display::inline;" method="post" action="<?php echo str_replace( '%7E', '~', $_SERVER['REQUEST_URI']); ?>&updated=true">
-<div class="simpleldap_style">
-<h2>Settings</h2>
-<h3>These are rather important.</h3>
-<p><strong>LDAP Directory:</strong><br/>
-<input name="LDAP" type="radio" value="directory_ad" onClick="enable('advanced');" <?php if($simpleldap_directory_type=="directory_ad"){echo "checked";}?>> <label for="directory_ad">Active Directory. (default)</label><br/>
-<input name="LDAP" type="radio" value="directory_ol" onClick="disable('advanced');"<?php if($simpleldap_directory_type=="directory_ol"){echo "checked";}?>> <label for="directory_ol">OpenLDAP (BETA, may support other LDAP directories)</label><br/>
-</p>
-<div style="float: left; width: 235px;"><p><strong>Account Suffix:</strong><br />
-<input name="account_suffix" type="text" value="<?php echo $simpleldap_account_suffix; ?>" size="20" /><br />
-*Probably the suffix of your e-mail addresses. Example: @domain.com
- </p></div>
-<div style="float:left; width: 200px;"><p><strong>LDAP Login Attribute (OpenLDAP only):</strong><br />
-<input name="ol_login" type="text" value="<?php echo $simpleldap_ol_login; ?>" size="15" /><br />
-*In case your installation uses something other than <em>uid</em>.
- </p></div>
-<p><strong>Base DN:</strong><br />
-<input name="base_dn" type="text" value="<?php echo $simpleldap_base_dn; ?>" size="35" /><br />
-*Example: For subdomain.domain.sufix use DC=subdomain,DC=domain,DC=suffix
- </p>
- <p><strong>Domain Controller(s):</strong><br />
-<input name="domain_controller" type="text" value="<?php echo $simpleldap_domain_controllers; ?>" size="50" /><br />
-*Separate with semi-colons.
- </p>
-<input type="hidden" name="stage" value="process" />
-<input type="submit" name="button_submit" value="<?php _e('Update Options', 'simple-ldap-login') ?> »" />
-</div>
-<div class="advanced">
-<h2>Advanced</h2>
-<h3>For the intrepid and daring among you.</h3>
-<p style="margin-bottom:0px;"><strong>Login mode:</strong><br>
-<input name="mode" type="radio" value="mode_normal" <?php if($simpleldap_login_mode=="mode_normal"){echo "checked";}?> > <label for="mode_normal">Authenticate Wordpress users against LDAP. I will create the accounts in wordpress myself. (default)</label><br/>
-<input name="mode" type="radio" value="mode_create_all" <?php if($simpleldap_login_mode=="mode_create_all"){echo "checked";}?> > <label for="mode_create_all">Create Wordpress account for anyone who successfully authenticates against LDAP.</label><br/>
-<input name="mode" type="radio" value="mode_create_group" <?php if($simpleldap_login_mode=="mode_create_group"){echo "checked";}?>> <label for="mode_create_group">Create Wordpress account for users in specified AD group:</label> <input name="group_name" type="text" value="<?php echo $simpleldap_group; ?>" size="12"/></p>
-<p style="margin-left:15px; margin-top:0px;"><strong>For latter two options, create account as:</strong><br/>
-<select name="create_type">
-<option value="Administrator" <?php if($simpleldap_account_type=="Administrator"){echo 'selected="selected"';}?> >Administrator</option>
-<option value="Editor" <?php if($simpleldap_account_type=="Editor"){echo 'selected="selected"';}?> >Editor</option>
-<option value="Author" <?php if($simpleldap_account_type=="Author"){echo 'selected="selected"';}?> >Author</option>
-<option value="Contributor" <?php if($simpleldap_account_type=="Contributor"){echo 'selected="selected"';}?> >Contributor</option>
-<option value="Subscriber" <?php if($simpleldap_account_type=="Subscriber"){echo 'selected="selected"';}?> >Subscriber</option>
-</select>
-</p>
-<p>
-<strong>Security mode:</strong><br>
-<input name="security_mode" type="radio" id="security_low" value="security_low" <?php if($simpleldap_security_mode=="security_low"){echo "checked";}?> > <label for="security_low"><strong>Low.</strong> Default mode. First attempts to login with LDAP password, failing that, it attempts to login using the local wordpress password. If you intend to use a mixture of local and LDAP accounts, leave this mode enabled.</label><br/>
-<input name="security_mode" type="radio" id="security_high" value="security_high" <?php if($simpleldap_security_mode=="security_high"){echo "checked";}?> > <label for="security_high"><strong>High.</strong> Restrict login to only LDAP passwords. If a wordpress username fails to authenticate against LDAP, login will fail. More secure.</label><br/>
-</p>
-<p>
-<strong>TLS:</strong><br />
-<input name="use_tls" type="checkbox" value="yes" id="use_tls" <?php if($simpleldap_use_tls=="yes"){echo "checked";}?>> <label for="use_tls">Use TLS? (Beta. Very beta.)</label>
-</p>
-</div>
-</form>
-<div class="simpleldap_style_test">
-<h2>Test Settings</h2>
-<h3>Use this form as a limited test for those settings you saved.* This <em>will</em> test user creation and group membership. If settings don't work, use another browser to try actually logging in. (unless you'd rather get locked out)</h3>
-<h4>*You did save them, right?</h4>
-<form method="post" action="<?php echo str_replace( '%7E', '~', $_SERVER['REQUEST_URI']); ?>">
- <p>Username:<br />
-<input name="test_username" type="text" size="35" />
- </p><p>Password:<br />
-<input name="test_password" type="password" size="35" />
- </p>
-<input type="hidden" name="stage" value="test" />
-<input type="submit" name="button_submit" value="<?php _e('Test Settings', 'simple-ldap-login') ?> »" />
-</form>
-<p>
-<h4>Test Results:</h4>
-<?php
-if($bool_test == 0)
-{
- echo "Nothing to report yet, Mr. Fahrenheit.";
-}
-if($bool_test == 1)
-{
- echo "Congratulations! The test succeeded. This account is able to login.";
-}
-elseif($bool_test == 2)
-{
- echo "Failure. Your settings do not seem to work yet or the credentials are either wrong or have insufficient group membership.";
-}
-?>
-</p>
-</div>
-<div class="information_pane">
-<? echo "<iframe src =\"http://clifgriffin.com/plugins/simple-ldap-login/news.htm\" width=\"98%\" height=\"280px\" border=\"0\"><p>Oddly, your version of PHP doesn't allow file_get_contents to use URLs. But even more oddly, your browser doesn't allow frames! I think it's time for you to consider leaving 1998 in the past.</p></iframe>"; ?>
-</div>
-</div>
-<?php
-//Echo settings
-if($debug == "true")
-{
-echo "<p style=\"clear:both;\">Debug Info:<br/>";
-echo "simpleldap_directory_type: ".get_option("simpleldap_directory_type")."/".$_POST['LDAP']."<br/>";
-echo "simpleldap_login_mode: ".get_option("simpleldap_login_mode")."/".$_POST['mode']."<br/>";
-echo "simpleldap_group: ".get_option("simpleldap_group")."/".$_POST['group_name']."<br/>";
-echo "simpleldap_account_type: ".get_option("simpleldap_account_type")."/".$_POST['create_type']."<br/></p>";
-}
-?>
-</body>
-</html>
\ No newline at end of file diff --git a/Simple-LDAP-Login.php b/Simple-LDAP-Login.php deleted file mode 100644 index fc62473..0000000 --- a/Simple-LDAP-Login.php +++ /dev/null @@ -1,315 +0,0 @@ -<?php -/* -Plugin Name: Simple LDAP Login -Plugin URI: http://clifgriffin.com/2009/05/13/simple-ldap-login-13-for-wordpress/ -Description: Authenticates Wordpress usernames against LDAP. -Version: 1.4.0.5.1 -Author: Clifton H. Griffin II -Author URI: http://clifgriffin.com -*/ -require_once( WP_PLUGIN_DIR."/simple-ldap-login/adLDAP.php"); -require_once( ABSPATH . WPINC . '/registration.php'); - -//Admin -function simpleldap_menu() -{ - include 'Simple-LDAP-Login-Admin.php'; -} - -function simpleldap_admin_actions() -{ - add_options_page("Simple LDAP Login", "Simple LDAP Login", 10, "simple-ldap-login", "simpleldap_menu"); -} -function simpleldap_activation_hook() -{ - //Store settings - add_option("simpleldap_account_suffix", "@mydomain.local"); - add_option("simpleldap_base_dn", "DC=mydomain,DC=local"); - add_option("simpleldap_domain_controllers", "dc01.mydomain.local"); - - //Version 1.3 - add_option("simpleldap_directory_type", "directory_ad"); - add_option("simpleldap_login_mode", "mode_normal"); - add_option("simpleldap_group", ""); - add_option("simpleldap_account_type", "Contributor"); - - //Version 1.3.0.2 - add_option("simpleldap_security_mode", "security_low"); - - //Version 1.4 - add_option("simpleldap_ol_login", "uid"); - add_option("simpleldap_use_tls", "no"); -} - -//For adLDAP -$sll_use_tls = false; -if(get_option("simpleldap_use_tls") == "yes") { - $sll_use_tls = true; -} -$sll_options=array( - "account_suffix"=>get_option("simpleldap_account_suffix"), - "use_tls"=>$sll_use_tls, - "base_dn"=>get_option("simpleldap_base_dn"), - "domain_controllers"=>explode(";",get_option("simpleldap_domain_controllers")), -); - -//For OpenLDAP -$ar_ldaphosts = explode(";",get_option("simpleldap_domain_controllers")); -$ldaphosts = ""; //string to hold each host separated by space -$ldap = null; -$adldap = new adLDAP($sll_options); -foreach ($ar_ldaphosts as $host) -{ - $ldaphosts .= $host." "; -} -define ('LDAP_HOST', $ldaphosts); -define ('LDAP_PORT', 389); -define ('LDAP_VERSION', 3); -define ('BASE_DN', get_option('simpleldap_base_dn')); -define ('LOGIN', get_option("simpleldap_ol_login")); - -//Add the menu -add_action('admin_menu', 'simpleldap_admin_actions'); - -//Add filter -add_filter('authenticate', 'sll_authenticate', 1, 3); - -//Authenticate function -function sll_authenticate($user, $username, $password) { - if ( is_a($user, 'WP_User') ) { return $user; } - - //Failed, should we let it continue to lower priority authenticate methods? - if(get_option("simpleldap_security_mode") == "security_high") - { - remove_filter('authenticate', 'wp_authenticate_username_password', 20, 3); - } - - if ( empty($username) || empty($password) ) { - $error = new WP_Error(); - - if ( empty($username) ) - $error->add('empty_username', __('<strong>ERROR</strong>: The username field is empty.')); - - if ( empty($password) ) - $error->add('empty_password', __('<strong>ERROR</strong>: The password field is empty.')); - - return $error; - } - - $auth_result = sll_can_authenticate($username, $password); - if($auth_result == true && !is_a($auth_result, 'WP_Error')) - { - $user = get_userdatabylogin($username); - - if ( !$user || (strtolower($user->user_login) != strtolower($username)) ) - { - //No user, can we create? - switch(get_option('simpleldap_login_mode')) - { - case "mode_create_all": - $new_user_id = sll_create_wp_user($username); - if(!is_a($new_user_id, 'WP_Error')) - { - //It worked - return new WP_User($new_user_id); - } - else - { - do_action( 'wp_login_failed', $username ); - return new WP_Error('invalid_username', __('<strong>Simple LDAP Login Error</strong>: LDAP credentials are correct and user creation is allowed but an error occurred creating the user in Wordpress. Actual WordPress error: '.$new_user_id->get_error_message())); - } - break; - - case "mode_create_group": - if(sll_is_in_group($username)) - { - $new_user_id = sll_create_wp_user($username); - if(!is_a($new_user_id, 'WP_Error')) - { - //It worked - return new WP_User($new_user_id); - } - else - { - do_action( 'wp_login_failed', $username ); - return new WP_Error('invalid_username', __('<strong>Simple LDAP Login Error</strong>: LDAP credentials are correct and user creation is allowed and you are in the correct group but an error occurred creating the user in Wordpress. Actual WordPress error: '.$new_user_id->get_error_message())); - } - } - else - { - do_action( 'wp_login_failed', $username ); - return new WP_Error('invalid_username', __('<strong>Simple LDAP Login Error</strong>: LDAP Login credentials are correct and user creation is allowed but LDAP user was not in correct LDAP group.')); - } - break; - - default: - do_action( 'wp_login_failed', $username ); - return new WP_Error('invalid_username', __('<strong>Simple LDAP Login Error</strong>: Simple LDAP Login mode does not permit account creation.')); - } - } - else - { - //Wordpress user exists, should we check group membership? - if(get_option('simpleldap_login_mode') == "mode_create_group") - { - if(sll_is_in_group($username)) - { - return new WP_User($user->ID); - } - else - { - do_action( 'wp_login_failed', $username ); - return new WP_Error('invalid_username', __('<strong>Simple LDAP Login Error</strong>: LDAP credentials were correct but user is not in the correct group.')); - } - } - else - { - //Otherwise, we're ready to return the user - return new WP_User($user->ID); - } - } - } - else - { - if(is_a($auth_result, 'WP_Error')) - { - return $auth_result; - } - else - { - return new WP_Error('invalid_username', __('<strong>Simple LDAP Login Error</strong>: Simple LDAP Login could not authenticate your credentials. The security settings do not permit trying the Wordpress user database as a fallback.')); - } - } -} - -function sll_can_authenticate($username, $password) -{ - global $ldap, $adldap; - - $result = false; - switch(get_option('simpleldap_directory_type')) - { - case "directory_ad": - $result = $adldap->authenticate($username,$password); - if($result == false) - { - return new WP_Error('adldap_error', __('<strong>Simple LDAP Login Error</strong>: adLDAP may have errored. Message: '.$adldap->get_last_error())); - } - break; - - case "directory_ol": - $ldap = ldap_connect(LDAP_HOST, LDAP_PORT) or die("Can't connect to LDAP server."); - ldap_set_option($ldap, LDAP_OPT_PROTOCOL_VERSION, LDAP_VERSION); - if (get_option("simpleldap_use_tls") == "yes") { - ldap_start_tls($ldap); - } - $ldapbind = @ldap_bind($ldap, LOGIN .'=' . $username . ',' . BASE_DN, $password); - $result = $ldapbind; - break; - } - - return $result; -} -function sll_is_in_group($username) -{ - global $ldap, $adldap; - $result = false; - - switch(get_option('simpleldap_directory_type')) - { - case "directory_ad": - $result = $adldap->user_ingroup($username,get_option('simpleldap_group')); - break; - - case "directory_ol": - if($ldap == null) {return false;} - $result = ldap_search($ldap, BASE_DN, '(' . LOGIN . '=' . $username . ')', array('cn')); - $ldapgroups = ldap_get_entries($ldap, $result); - - //Ok, we should have the user, all the info, including which groups he is a member of. - //Now let's make sure he's in the right group before proceeding. - $groups = array(); - for ($i=0; $i<$ldapgroups['count']; $i++) { - $groups[] .= $ldapgroups[$i]['cn'][0]; - } - $result = in_array(get_option('simpleldap_group'),$groups); - break; - } - return $result; -} -function sll_create_wp_user($username) -{ - global $ldap, $adldap; - $result = 0; - - switch(get_option('simpleldap_directory_type')) - { - case "directory_ad": - $userinfo = $adldap->user_info($username, array("samaccountname","givenname","sn","mail")); - //Create WP account - $userData = array( - 'user_pass' => microtime(), - 'user_login' => $userinfo[0][samaccountname][0], - 'user_nicename' => sanitize_title($userinfo[0][givenname][0] .' '.$userinfo[0][sn][0]), - 'user_email' => $userinfo[0][mail][0], - 'display_name' => $userinfo[0][givenname][0] .' '.$userinfo[0][sn][0], - 'first_name' => $userinfo[0][givenname][0], - 'last_name' => $userinfo[0][sn][0], - 'role' => strtolower(get_option('simpleldap_account_type')) - ); - - $result = wp_insert_user($userData); - break; - - case "directory_ol": - if($ldap == null) {return false;} - $result = ldap_search($ldap, BASE_DN, '(' . LOGIN . '=' . $username . ')', array(LOGIN, 'sn', 'givenname', 'mail')); - $ldapuser = ldap_get_entries($ldap, $result); - - if ($ldapuser['count'] == 1) { - //Create user using wp standard include - $userData = array( - 'user_pass' => microtime(), - 'user_login' => $ldapuser[0][LOGIN][0], - 'user_nicename' => sanitize_title($ldapuser[0]['givenname'][0].' '.$ldapuser[0]['sn'][0]), - 'user_email' => $ldapuser[0]['mail'][0], - 'display_name' => $ldapuser[0]['givenname'][0].' '.$ldapuser[0]['sn'][0], - 'first_name' => $ldapuser[0]['givenname'][0], - 'last_name' => $ldapuser[0]['sn'][0], - 'role' => strtolower(get_option('simpleldap_account_type')) - ); - - //Get ID of new user - - $result = wp_insert_user($userData); - } - break; - } - - return $result; -} - -//Temporary fix for e-mail exists bug -if ( !function_exists('get_user_by_email') ) : -/** - * Retrieve user info by email. - * - * @since 2.5 - * - * @param string $email User's email address - * @return bool|object False on failure, User DB row object - */ -function get_user_by_email($email) { - if(strlen($email) == 0 || empty($email) || $email == "" || strpos($email, "@") == false) - { - return false; - } - else - { - return get_user_by('email', $email); - } -} -endif; - -register_activation_hook( __FILE__, 'simpleldap_activation_hook' ); -?> diff --git a/Simple-UM-Login-Admin.php b/Simple-UM-Login-Admin.php new file mode 100644 index 0000000..4ca94dd --- /dev/null +++ b/Simple-UM-Login-Admin.php @@ -0,0 +1,190 @@ +<html> +<head> +<style> +div.simpleum_style { + padding: 5px; + background: #EBEBEB; + margin: 10px; + font-family: Calibri,Helvetica,Arial,sans-serif; + float: left; +} +div.simpleum_style_test { + padding: 5px; + margin: 0px 10px 10px 10px; + background: #EBEBEB; + font-family: Calibri,Helvetica,Arial,sans-serif; + float: left; +} +h1.banner { + padding 5px; + margin-left: 10px; + margin-top: 15px; + font-family: Calibri,Helvetica,Arial,sans-serif; +} +h2, h3, h4 { + margin: 0; +} +p { + margin-bottom: 0; +} +</style> +</head> +<?php +//Debug +$debug = false; + +//Where are we? +$this_page = $_SERVER['PHP_SELF'].'?page='.$_GET['page']; + +//If this is a test, we will use this variable +$bool_test = 0; + +//If admin options updated (uses hidden field) +if ($_POST['stage'] == 'process') { + // Store settings + update_option('simpleum_url', $_POST['um_url']); + + // Version 1.3 + update_option('simpleum_login_mode',$_POST['mode']); + update_option('simpleum_group',$_POST['group_name']); + update_option('simpleum_account_type',$_POST['create_type']); + + // Version 1.3.0.2 + update_option('simpleum_security_mode',$_POST['security_mode']); +} +// Test credentials +if ($_POST['stage'] == 'test') { + //Temporarily change security mode for test. Store old setting. + $temp_holder = get_option("simpleum_security_mode"); + update_option("simpleum_security_mode", "security_high"); + + $test_user = wp_authenticate($_POST['test_username'],$_POST['test_password']); + + // Restore security mode setting. + update_option("simpleum_security_mode", $temp_holder); + + if ($test_user->ID > 0) { + $bool_test = 1; + } else { + $bool_test = 2; + } +} +// Load settings, etc +$simpleum_url = get_option("simpleum_url"); + +// Version 1.3 +$simpleum_login_mode = get_option("simpleum_login_mode"); +$simpleum_group = get_option("simpleum_group"); +$simpleum_account_type = get_option("simpleum_account_type"); + +// Version 1.3.0.2 +$simpleum_security_mode = get_option("simpleum_security_mode"); + +?> +<body> + <div class="container"> + <div class="banner"><h1 class="banner">Simple UM Login 1.4.0.5.1</h1></div> + <form method="post" action="<?php echo str_replace( '%7E', '~', $_SERVER['REQUEST_URI']); ?>&updated=true"> + <div class="simpleum_style"> + <h2>Settings</h2> + <h3>These are rather important.</h3> + <label for="um_url">URL of UM installation:</label> + <input name="um_url" id="um_url" type="text" value="<?php echo $simpleum_url; ?>" /> + <br /> + <h2>Advanced</h2> + <h3>For the intrepid and daring among you.</h3> + <h4>Login mode:</h4> + <ul> + <li> + <input name="mode" type="radio" value="mode_normal" <?php if($simpleum_login_mode=="mode_normal"){echo "checked";}?> /> + <label for="mode_normal">Authenticate Wordpress users against UM. I will create the accounts in wordpress myself. (default)</label> + </li> + <li> + <input name="mode" type="radio" value="mode_create_all" <?php if($simpleum_login_mode=="mode_create_all"){echo "checked";}?> /> + <label for="mode_create_all">Create Wordpress account for anyone who successfully authenticates against UM.</label> + </li> + <li> + <input name="mode" type="radio" value="mode_create_group" <?php if($simpleul_login_mode=="mode_create_group"){echo "checked";}?> /> + <label for="mode_create_group">Create Wordpress account for users in specified UM group:</label> + <input name="group_name" type="text" value="<?php echo $simpleum_group; ?>" /> + </li> + </ul> + <h4>For latter two options, create account as:</h4> + <select name="create_type"> + <option value="Administrator" <?php if($simpleum_account_type=="Administrator"){echo 'selected="selected"';}?> >Administrator</option> + <option value="Editor" <?php if($simpleum_account_type=="Editor"){echo 'selected="selected"';}?> >Editor</option> + <option value="Author" <?php if($simpleum_account_type=="Author"){echo 'selected="selected"';}?> >Author</option> + <option value="Contributor" <?php if($simpleum_account_type=="Contributor"){echo 'selected="selected"';}?> >Contributor</option> + <option value="Subscriber" <?php if($simpleum_account_type=="Subscriber"){echo 'selected="selected"';}?> >Subscriber</option> + </select> + <h4>Security mode:</h4> + <ul> + <li> + <input name="security_mode" type="radio" id="security_low" value="security_low" <?php if($simpleum_security_mode=="security_low"){echo "checked";}?> /> + <label for="security_low"><strong>Low.</strong> Default mode. First attempts to login with UM password, failing that, it attempts to login using the local wordpress password. If you intend to use a mixture of local and UM accounts, leave this mode enabled.</label> + </li> + <li> + <input name="security_mode" type="radio" id="security_high" value="security_high" <?php if($simpleum_security_mode=="security_high"){echo "checked";}?> /> + <label for="security_high"><strong>High.</strong>Restrict login to only UM passwords. If a wordpress username fails to authenticate against UM, login will fail. More secure.</label> + </li> + </ul> + <input type="hidden" name="stage" value="process" /> + <input type="submit" name="button_submit" value="<?php _e('Update Options', 'simple-um-login') ?> »" /> + </div> + </form> + <div class="simpleum_style_test"> + <h2>Test Settings</h2> + <h3>Use this form as a limited test for those settings you saved.* This <em>will</em> test user creation and group membership. If settings don't work, use another browser to try actually logging in. (unless you'd rather get locked out)</h3> + <h4>*You did save them, right?</h4> + <form method="post" action="<?php echo str_replace( '%7E', '~', $_SERVER['REQUEST_URI']); ?>"> + <ul> + <li> + <label for="test_username">Username:</label> + <input name="test_username" id="test_username"type="text" /> + </li> + <li> + <label for="test_password">Password:</label> + <input name="test_password" id="test_password" type="password" /> + </li> + </ul> + <input type="hidden" name="stage" value="test" /> + <input type="submit" name="button_submit" value="<?php _e('Test Settings', 'simple-um-login') ?> »" /> + </form> + <div> + <h4>Test Results:</h4> + <p><?php +if ($bool_test == 0) { + echo "Nothing to report yet, Mr. Fahrenheit."; +} if ($bool_test == 1) { + echo "Congratulations! The test succeeded. This account is able to login."; +} elseif ($bool_test == 2) { + echo "Failure. Your settings do not seem to work yet or the credentials are either wrong or have insufficient group membership."; + if (is_a($test_user, 'WP_Error')) { + echo '</p><p>'.$test_user->get_error_message(); + } +} +?></p> + </div> + </div> + </div> +<?php +//Echo settings +if($debug) { ?> + <div> + <h4>Debug Info:</h4> + <ul> + <li>simpleum_login_mode: + <?php echo get_option("simpleum_login_mode")."/".$_POST['mode']; ?> + </li> + <li>simpleum_group: + <?php echo get_option("simpleum_group")."/".$_POST['group_name']; ?> + </li> + <li>simpleum_account_type: + <?php echo get_option("simpleum_account_type")."/".$_POST['create_type']; ?> + </li> + </ul> + </div> +<?php } +?> +</body> +</html> diff --git a/Simple-UM-Login.php b/Simple-UM-Login.php new file mode 100644 index 0000000..bd73711 --- /dev/null +++ b/Simple-UM-Login.php @@ -0,0 +1,166 @@ +<?php +/* Plugin Name: Simple UM Login + * Plugin URI: http://mckenzierobotics.org + * Description: Authenticates Wordpress usernames against UM. + * Version: 1.4.0.5.1 + * Author: Luke Shumaker, based on work by Clifton H. Griffin II + * Author URI: http://lukeshu.ath.cx + */ +require_once(dirname(__FILE__).'/umClient.php'); +require_once( ABSPATH . WPINC . '/registration.php'); + +// Admin +function simpleum_menu() { + include 'Simple-UM-Login-Admin.php'; +} + +function simpleum_admin_actions() { + add_options_page("Simple UM Login", "Simple UM Login", 10, "simple-um-login", "simpleum_menu"); +} + +function simpleum_activation_hook() { + // Store settings + add_option("simpleum_url", "http://um.mydomain.local"); + + // Version 1.3 + add_option("simpleum_login_mode", "mode_normal"); + add_option("simpleum_group", ""); + add_option("simpleum_account_type", "Contributor"); + + // Version 1.3.0.2 + add_option("simpleum_security_mode", "security_low"); +} + +// Add the menu +add_action('admin_menu', 'simpleum_admin_actions'); + +// Add filter +add_filter('authenticate', 'sul_authenticate', 1, 3); + +// Authenticate function +function sul_authenticate($user, $username, $password) { + if ( is_a($user, 'WP_User') ) { return $user; } + + // Failed, should we let it continue to lower priority authenticate methods? + if(get_option("simpleum_security_mode") == "security_high") { + remove_filter('authenticate', 'wp_authenticate_username_password', 20, 3); + } + + if ( empty($username) || empty($password) ) { + $error = new WP_Error(); + + if ( empty($username) ) + $error->add('empty_username', __('<strong>ERROR</strong>: The username field is empty.')); + + if ( empty($password) ) + $error->add('empty_password', __('<strong>ERROR</strong>: The password field is empty.')); + + return $error; + } + + $uminfo = sul_get_user($username, $password); + if (is_array($uminfo)) { + $user = get_userdatabylogin($username); + if ( !$user || (strtolower($user->user_login) != strtolower($username)) ) { + // No existing WP user, can we create? + switch(get_option('simpleum_login_mode')) { + case "mode_create_all": + $new_user_id = sul_create_wp_user($uminfo); + if (!is_a($new_user_id, 'WP_Error')) { + //It worked + return new WP_User($new_user_id); + } else { + do_action( 'wp_login_failed', $username ); + return new WP_Error('invalid_username', __('<strong>Simple UM Login Error</strong>: UM credentials are correct and user creation is allowed but an error occurred creating the user in Wordpress. Actual WordPress error: '.$new_user_id->get_error_message())); + } + break; + case "mode_create_group": + if (sul_is_in_group($uminfo)) { + $new_user_id = sul_create_wp_user($uminfo); + if(!is_a($new_user_id, 'WP_Error')) { + //It worked + return new WP_User($new_user_id); + } else { + do_action( 'wp_login_failed', $username ); + return new WP_Error('invalid_username', __('<strong>Simple UM Login Error</strong>: UM credentials are correct and user creation is allowed and you are in the correct group but an error occurred creating the user in Wordpress. Actual WordPress error: '.$new_user_id->get_error_message())); + } + } else { + do_action( 'wp_login_failed', $username ); + return new WP_Error('invalid_username', __('<strong>Simple UM Login Error</strong>: UM Login credentials are correct and user creation is allowed but UM user was not in correct UM group.')); + } + break; + default: + do_action( 'wp_login_failed', $username ); + return new WP_Error('invalid_username', __('<strong>Simple UM Login Error</strong>: Simple UM Login mode does not permit account creation.')); + } + } else { + // Wordpress user exists, should we check group membership? + if (get_option('simpleum_login_mode') == "mode_create_group") { + if (sul_is_in_group($uminfo)) { + return new WP_User($user->ID); + } else { + do_action( 'wp_login_failed', $username ); + return new WP_Error('invalid_username', __('<strong>Simple UM Login Error</strong>: UM credentials were correct but user is not in the correct group.')); + } + } else { + // Otherwise, we're ready to return the user + return new WP_User($user->ID); + } + } + } else { + return new WP_Error('invalid_username', __('<strong>Simple UM Login Error</strong>: Simple UM Login could not authenticate your credentials. The security settings do not permit trying the Wordpress user database as a fallback.')); + } +} + +function sul_get_user($username, $password) { + $cookiejar = tempnam(dirname(__FILE__).'/tmp', 'jar'); + $umclient = new umClient(get_option('simpleum_url'), $cookiejar); + $result = $umclient->get_userinfo($username, $password); + unlink($cookiejar); + return $result; +} + +function sul_is_in_group($userinfo) { + // TODO + return true; +} + +function sul_create_wp_user($userinfo) { + $result = 0; + + $userData = array( + 'user_pass' => microtime(), + 'user_login' => $userinfo['username'], + 'user_nicename' => sanitize_title($userinfo['firstname'].' '.$userinfo['lastname']), + 'user_email' => $userinfo['email'], + 'display_name' => $userinfo['firstname'].' '.$userinfo['lastname'], + 'first_name' => $userinfo['firstname'], + 'last_name' => $userinfo['lastname'], + 'role' => strtolower(get_option('simpleum_account_type')) + ); + + $result = wp_insert_user($userData); + return $result; +} + +//Temporary fix for e-mail exists bug +if ( !function_exists('get_user_by_email') ) : +/** + * Retrieve user info by email. + * + * @since 2.5 + * + * @param string $email User's email address + * @return bool|object False on failure, User DB row object + */ +function get_user_by_email($email) { + if(strlen($email) == 0 || empty($email) || $email == "" || strpos($email, "@") == false) { + return false; + } else { + return get_user_by('email', $email); + } +} +endif; + +register_activation_hook( __FILE__, 'simpleum_activation_hook' ); +?> diff --git a/adLDAP.php b/adLDAP.php deleted file mode 100644 index 1485a0f..0000000 --- a/adLDAP.php +++ /dev/null @@ -1,2413 +0,0 @@ -<?php
-/**
- * PHP LDAP CLASS FOR MANIPULATING ACTIVE DIRECTORY
- * Version 3.3.2
- *
- * PHP Version 5 with SSL and LDAP support
- *
- * Written by Scott Barnett, Richard Hyland
- * email: scott@wiggumworld.com, adldap@richardhyland.com
- * http://adldap.sourceforge.net/
- *
- * Copyright (c) 2006-2010 Scott Barnett, Richard Hyland
- *
- * We'd appreciate any improvements or additions to be submitted back
- * to benefit the entire community :)
- *
- * This library is free software; you can redistribute it and/or
- * modify it under the terms of the GNU Lesser General Public
- * License as published by the Free Software Foundation; either
- * version 2.1 of the License.
- *
- * This library is distributed in the hope that it will be useful,
- * but WITHOUT ANY WARRANTY; without even the implied warranty of
- * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU
- * Lesser General Public License for more details.
- *
- * @category ToolsAndUtilities
- * @package adLDAP
- * @author Scott Barnett, Richard Hyland
- * @copyright (c) 2006-2010 Scott Barnett, Richard Hyland
- * @license http://www.gnu.org/licenses/old-licenses/lgpl-2.1.html LGPLv2.1
- * @revision $Revision: 91 $
- * @version 3.3.2
- * @link http://adldap.sourceforge.net/
- */
-
-/**
- * Define the different types of account in AD
- */
-define ('ADLDAP_NORMAL_ACCOUNT', 805306368);
-define ('ADLDAP_WORKSTATION_TRUST', 805306369);
-define ('ADLDAP_INTERDOMAIN_TRUST', 805306370);
-define ('ADLDAP_SECURITY_GLOBAL_GROUP', 268435456);
-define ('ADLDAP_DISTRIBUTION_GROUP', 268435457);
-define ('ADLDAP_SECURITY_LOCAL_GROUP', 536870912);
-define ('ADLDAP_DISTRIBUTION_LOCAL_GROUP', 536870913);
-define ('ADLDAP_FOLDER', 'OU');
-define ('ADLDAP_CONTAINER', 'CN');
-
-/**
-* Main adLDAP class
-*
-* Can be initialised using $adldap = new adLDAP();
-*
-* Something to keep in mind is that Active Directory is a permissions
-* based directory. If you bind as a domain user, you can't fetch as
-* much information on other users as you could as a domain admin.
-*
-* Before asking questions, please read the Documentation at
-* http://adldap.sourceforge.net/wiki/doku.php?id=api
-*/
-class adLDAP {
- /**
- * The account suffix for your domain, can be set when the class is invoked
- *
- * @var string
- */
- protected $_account_suffix = "@mydomain.local";
-
- /**
- * The base dn for your domain
- *
- * @var string
- */
- protected $_base_dn = "DC=mydomain,DC=local";
-
- /**
- * Array of domain controllers. Specifiy multiple controllers if you
- * would like the class to balance the LDAP queries amongst multiple servers
- *
- * @var array
- */
- protected $_domain_controllers = array ("dc01.mydomain.local");
-
- /**
- * Optional account with higher privileges for searching
- * This should be set to a domain admin account
- *
- * @var string
- * @var string
- */
- protected $_ad_username=NULL;
- protected $_ad_password=NULL;
-
- /**
- * AD does not return the primary group. http://support.microsoft.com/?kbid=321360
- * This tweak will resolve the real primary group.
- * Setting to false will fudge "Domain Users" and is much faster. Keep in mind though that if
- * someone's primary group is NOT domain users, this is obviously going to mess up the results
- *
- * @var bool
- */
- protected $_real_primarygroup=true;
-
- /**
- * Use SSL (LDAPS), your server needs to be setup, please see
- * http://adldap.sourceforge.net/wiki/doku.php?id=ldap_over_ssl
- *
- * @var bool
- */
- protected $_use_ssl=false;
-
- /**
- * Use TLS
- * If you wish to use TLS you should ensure that $_use_ssl is set to false and vice-versa
- *
- * @var bool
- */
- protected $_use_tls=false;
-
- /**
- * When querying group memberships, do it recursively
- * eg. User Fred is a member of Group A, which is a member of Group B, which is a member of Group C
- * user_ingroup("Fred","C") will returns true with this option turned on, false if turned off
- *
- * @var bool
- */
- protected $_recursive_groups=true;
-
- // You should not need to edit anything below this line
- //******************************************************************************************
-
- /**
- * Connection and bind default variables
- *
- * @var mixed
- * @var mixed
- */
- protected $_conn;
- protected $_bind;
-
- /**
- * Getters and Setters
- */
-
- /**
- * Set the account suffix
- *
- * @param string $_account_suffix
- * @return void
- */
- public function set_account_suffix($_account_suffix)
- {
- $this->_account_suffix = $_account_suffix;
- }
-
- /**
- * Get the account suffix
- *
- * @return string
- */
- public function get_account_suffix()
- {
- return $this->_account_suffix;
- }
-
- /**
- * Set the domain controllers array
- *
- * @param array $_domain_controllers
- * @return void
- */
- public function set_domain_controllers(array $_domain_controllers)
- {
- $this->_domain_controllers = $_domain_controllers;
- }
-
- /**
- * Get the list of domain controllers
- *
- * @return void
- */
- public function get_domain_controllers()
- {
- return $this->_domain_controllers;
- }
-
- /**
- * Set the username of an account with higher priviledges
- *
- * @param string $_ad_username
- * @return void
- */
- public function set_ad_username($_ad_username)
- {
- $this->_ad_username = $_ad_username;
- }
-
- /**
- * Get the username of the account with higher priviledges
- *
- * This will throw an exception for security reasons
- */
- public function get_ad_username()
- {
- throw new adLDAPException('For security reasons you cannot access the domain administrator account details');
- }
-
- /**
- * Set the password of an account with higher priviledges
- *
- * @param string $_ad_password
- * @return void
- */
- public function set_ad_password($_ad_password)
- {
- $this->_ad_password = $_ad_password;
- }
-
- /**
- * Get the password of the account with higher priviledges
- *
- * This will throw an exception for security reasons
- */
- public function get_ad_password()
- {
- throw new adLDAPException('For security reasons you cannot access the domain administrator account details');
- }
-
- /**
- * Set whether to detect the true primary group
- *
- * @param bool $_real_primary_group
- * @return void
- */
- public function set_real_primarygroup($_real_primarygroup)
- {
- $this->_real_primarygroup = $_real_primarygroup;
- }
-
- /**
- * Get the real primary group setting
- *
- * @return bool
- */
- public function get_real_primarygroup()
- {
- return $this->_real_primarygroup;
- }
-
- /**
- * Set whether to use SSL
- *
- * @param bool $_use_ssl
- * @return void
- */
- public function set_use_ssl($_use_ssl)
- {
- $this->_use_ssl = $_use_ssl;
- }
-
- /**
- * Get the SSL setting
- *
- * @return bool
- */
- public function get_use_ssl()
- {
- return $this->_use_ssl;
- }
-
- /**
- * Set whether to use TLS
- *
- * @param bool $_use_tls
- * @return void
- */
- public function set_use_tls($_use_tls)
- {
- $this->_use_tls = $_use_tls;
- }
-
- /**
- * Get the TLS setting
- *
- * @return bool
- */
- public function get_use_tls()
- {
- return $this->_use_tls;
- }
-
- /**
- * Set whether to lookup recursive groups
- *
- * @param bool $_recursive_groups
- * @return void
- */
- public function set_recursive_groups($_recursive_groups)
- {
- $this->_recursive_groups = $_recursive_groups;
- }
-
- /**
- * Get the recursive groups setting
- *
- * @return bool
- */
- public function get_recursive_groups()
- {
- return $this->_recursive_groups;
- }
-
- /**
- * Default Constructor
- *
- * Tries to bind to the AD domain over LDAP or LDAPs
- *
- * @param array $options Array of options to pass to the constructor
- * @throws Exception - if unable to bind to Domain Controller
- * @return bool
- */
- function __construct($options=array()){
- // You can specifically overide any of the default configuration options setup above
- if (count($options)>0){
- if (array_key_exists("account_suffix",$options)){ $this->_account_suffix=$options["account_suffix"]; }
- if (array_key_exists("base_dn",$options)){ $this->_base_dn=$options["base_dn"]; }
- if (array_key_exists("domain_controllers",$options)){ $this->_domain_controllers=$options["domain_controllers"]; }
- if (array_key_exists("ad_username",$options)){ $this->_ad_username=$options["ad_username"]; }
- if (array_key_exists("ad_password",$options)){ $this->_ad_password=$options["ad_password"]; }
- if (array_key_exists("real_primarygroup",$options)){ $this->_real_primarygroup=$options["real_primarygroup"]; }
- if (array_key_exists("use_ssl",$options)){ $this->_use_ssl=$options["use_ssl"]; }
- if (array_key_exists("use_tls",$options)){ $this->_use_tls=$options["use_tls"]; }
- if (array_key_exists("recursive_groups",$options)){ $this->_recursive_groups=$options["recursive_groups"]; }
- }
-
- if ($this->ldap_supported() === false) {
- throw new adLDAPException('No LDAP support for PHP. See: http://www.php.net/ldap');
- }
-
- return $this->connect();
- }
-
- /**
- * Default Destructor
- *
- * Closes the LDAP connection
- *
- * @return void
- */
- function __destruct(){ $this->close(); }
-
- /**
- * Connects and Binds to the Domain Controller
- *
- * @return bool
- */
- public function connect() {
- // Connect to the AD/LDAP server as the username/password
- $dc=$this->random_controller();
- if ($this->_use_ssl){
- $this->_conn = ldap_connect("ldaps://".$dc, 636);
- } else {
- $this->_conn = ldap_connect($dc);
- }
-
- // Set some ldap options for talking to AD
- ldap_set_option($this->_conn, LDAP_OPT_PROTOCOL_VERSION, 3);
- ldap_set_option($this->_conn, LDAP_OPT_REFERRALS, 0);
-
- if ($this->_use_tls) {
- ldap_start_tls($this->_conn);
- }
-
- // Bind as a domain admin if they've set it up
- if ($this->_ad_username!=NULL && $this->_ad_password!=NULL){
- $this->_bind = @ldap_bind($this->_conn,$this->_ad_username.$this->_account_suffix,$this->_ad_password);
- if (!$this->_bind){
- if ($this->_use_ssl && !$this->_use_tls){
- // If you have problems troubleshooting, remove the @ character from the ldap_bind command above to get the actual error message
- throw new adLDAPException('Bind to Active Directory failed. Either the LDAPs connection failed or the login credentials are incorrect. AD said: ' . $this->get_last_error());
- } else {
- throw new adLDAPException('Bind to Active Directory failed. Check the login credentials and/or server details. AD said: ' . $this->get_last_error());
- }
- }
- }
-
- if ($this->_base_dn == NULL) {
- $this->_base_dn = $this->find_base_dn();
- }
-
- return (true);
- }
-
- /**
- * Closes the LDAP connection
- *
- * @return void
- */
- public function close() {
- ldap_close ($this->_conn);
- }
-
- /**
- * Validate a user's login credentials
- *
- * @param string $username A user's AD username
- * @param string $password A user's AD password
- * @param bool optional $prevent_rebind
- * @return bool
- */
- public function authenticate($username, $password, $prevent_rebind = false) {
- // Prevent null binding
- if ($username === NULL || $password === NULL) { return false; }
- if (empty($username) || empty($password)) { return false; }
-
- // Bind as the user
- $ret = true;
- $this->_bind = @ldap_bind($this->_conn, $username . $this->_account_suffix, $password);
- if (!$this->_bind){ $ret = false; }
-
- // Cnce we've checked their details, kick back into admin mode if we have it
- if ($this->_ad_username !== NULL && !$prevent_rebind) {
- $this->_bind = @ldap_bind($this->_conn, $this->_ad_username . $this->_account_suffix , $this->_ad_password);
- if (!$this->_bind){
- // This should never happen in theory
- throw new adLDAPException('Rebind to Active Directory failed. AD said: ' . $this->get_last_error());
- }
- }
-
- return $ret;
- }
-
- //*****************************************************************************************************************
- // GROUP FUNCTIONS
-
- /**
- * Add a group to a group
- *
- * @param string $parent The parent group name
- * @param string $child The child group name
- * @return bool
- */
- public function group_add_group($parent,$child){
-
- // Find the parent group's dn
- $parent_group=$this->group_info($parent,array("cn"));
- if ($parent_group[0]["dn"]===NULL){ return (false); }
- $parent_dn=$parent_group[0]["dn"];
-
- // Find the child group's dn
- $child_group=$this->group_info($child,array("cn"));
- if ($child_group[0]["dn"]===NULL){ return (false); }
- $child_dn=$child_group[0]["dn"];
-
- $add=array();
- $add["member"] = $child_dn;
-
- $result=@ldap_mod_add($this->_conn,$parent_dn,$add);
- if ($result==false){ return (false); }
- return (true);
- }
-
- /**
- * Add a user to a group
- *
- * @param string $group The group to add the user to
- * @param string $user The user to add to the group
- * @param bool $isGUID Is the username passed a GUID or a samAccountName
- * @return bool
- */
- public function group_add_user($group,$user,$isGUID=false){
- // Adding a user is a bit fiddly, we need to get the full DN of the user
- // and add it using the full DN of the group
-
- // Find the user's dn
- $user_dn=$this->user_dn($user,$isGUID);
- if ($user_dn===false){ return (false); }
-
- // Find the group's dn
- $group_info=$this->group_info($group,array("cn"));
- if ($group_info[0]["dn"]===NULL){ return (false); }
- $group_dn=$group_info[0]["dn"];
-
- $add=array();
- $add["member"] = $user_dn;
-
- $result=@ldap_mod_add($this->_conn,$group_dn,$add);
- if ($result==false){ return (false); }
- return (true);
- }
-
- /**
- * Add a contact to a group
- *
- * @param string $group The group to add the contact to
- * @param string $contact_dn The DN of the contact to add
- * @return bool
- */
- public function group_add_contact($group,$contact_dn){
- // To add a contact we take the contact's DN
- // and add it using the full DN of the group
-
- // Find the group's dn
- $group_info=$this->group_info($group,array("cn"));
- if ($group_info[0]["dn"]===NULL){ return (false); }
- $group_dn=$group_info[0]["dn"];
-
- $add=array();
- $add["member"] = $contact_dn;
-
- $result=@ldap_mod_add($this->_conn,$group_dn,$add);
- if ($result==false){ return (false); }
- return (true);
- }
-
- /**
- * Create a group
- *
- * @param array $attributes Default attributes of the group
- * @return bool
- */
- public function group_create($attributes){
- if (!is_array($attributes)){ return ("Attributes must be an array"); }
- if (!array_key_exists("group_name",$attributes)){ return ("Missing compulsory field [group_name]"); }
- if (!array_key_exists("container",$attributes)){ return ("Missing compulsory field [container]"); }
- if (!array_key_exists("description",$attributes)){ return ("Missing compulsory field [description]"); }
- if (!is_array($attributes["container"])){ return ("Container attribute must be an array."); }
- $attributes["container"]=array_reverse($attributes["container"]);
-
- //$member_array = array();
- //$member_array[0] = "cn=user1,cn=Users,dc=yourdomain,dc=com";
- //$member_array[1] = "cn=administrator,cn=Users,dc=yourdomain,dc=com";
-
- $add=array();
- $add["cn"] = $attributes["group_name"];
- $add["samaccountname"] = $attributes["group_name"];
- $add["objectClass"] = "Group";
- $add["description"] = $attributes["description"];
- //$add["member"] = $member_array; UNTESTED
-
- $container="OU=".implode(",OU=",$attributes["container"]);
- $result=ldap_add($this->_conn,"CN=".$add["cn"].", ".$container.",".$this->_base_dn,$add);
- if ($result!=true){ return (false); }
-
- return (true);
- }
-
- /**
- * Remove a group from a group
- *
- * @param string $parent The parent group name
- * @param string $child The child group name
- * @return bool
- */
- public function group_del_group($parent,$child){
-
- // Find the parent dn
- $parent_group=$this->group_info($parent,array("cn"));
- if ($parent_group[0]["dn"]===NULL){ return (false); }
- $parent_dn=$parent_group[0]["dn"];
-
- // Find the child dn
- $child_group=$this->group_info($child,array("cn"));
- if ($child_group[0]["dn"]===NULL){ return (false); }
- $child_dn=$child_group[0]["dn"];
-
- $del=array();
- $del["member"] = $child_dn;
-
- $result=@ldap_mod_del($this->_conn,$parent_dn,$del);
- if ($result==false){ return (false); }
- return (true);
- }
-
- /**
- * Remove a user from a group
- *
- * @param string $group The group to remove a user from
- * @param string $user The AD user to remove from the group
- * @param bool $isGUID Is the username passed a GUID or a samAccountName
- * @return bool
- */
- public function group_del_user($group,$user,$isGUID=false){
-
- // Find the parent dn
- $group_info=$this->group_info($group,array("cn"));
- if ($group_info[0]["dn"]===NULL){ return (false); }
- $group_dn=$group_info[0]["dn"];
-
- // Find the users dn
- $user_dn=$this->user_dn($user,$isGUID);
- if ($user_dn===false){ return (false); }
-
- $del=array();
- $del["member"] = $user_dn;
-
- $result=@ldap_mod_del($this->_conn,$group_dn,$del);
- if ($result==false){ return (false); }
- return (true);
- }
-
- /**
- * Remove a contact from a group
- *
- * @param string $group The group to remove a user from
- * @param string $contact_dn The DN of a contact to remove from the group
- * @return bool
- */
- public function group_del_contact($group,$contact_dn){
-
- // Find the parent dn
- $group_info=$this->group_info($group,array("cn"));
- if ($group_info[0]["dn"]===NULL){ return (false); }
- $group_dn=$group_info[0]["dn"];
-
- $del=array();
- $del["member"] = $contact_dn;
-
- $result=@ldap_mod_del($this->_conn,$group_dn,$del);
- if ($result==false){ return (false); }
- return (true);
- }
-
- /**
- * Return a list of groups in a group
- *
- * @param string $group The group to query
- * @param bool $recursive Recursively get groups
- * @return array
- */
- public function groups_in_group($group, $recursive = NULL){
- if (!$this->_bind){ return (false); }
- if ($recursive===NULL){ $recursive=$this->_recursive_groups; } // Use the default option if they haven't set it
-
- // Search the directory for the members of a group
- $info=$this->group_info($group,array("member","cn"));
- $groups=$info[0]["member"];
- if (!is_array($groups)) {
- return (false);
- }
-
- $group_array=array();
-
- for ($i=0; $i<$groups["count"]; $i++){
- $filter="(&(objectCategory=group)(distinguishedName=".$this->ldap_slashes($groups[$i])."))";
- $fields = array("samaccountname", "distinguishedname", "objectClass");
- $sr=ldap_search($this->_conn,$this->_base_dn,$filter,$fields);
- $entries = ldap_get_entries($this->_conn, $sr);
-
- // not a person, look for a group
- if ($entries['count'] == 0 && $recursive == true) {
- $filter="(&(objectCategory=group)(distinguishedName=".$this->ldap_slashes($groups[$i])."))";
- $fields = array("distinguishedname");
- $sr=ldap_search($this->_conn,$this->_base_dn,$filter,$fields);
- $entries = ldap_get_entries($this->_conn, $sr);
- if (!isset($entries[0]['distinguishedname'][0])) {
- continue;
- }
- $sub_groups = $this->groups_in_group($entries[0]['distinguishedname'][0], $recursive);
- if (is_array($sub_groups)) {
- $group_array = array_merge($group_array, $sub_groups);
- $group_array = array_unique($group_array);
- }
- continue;
- }
-
- $group_array[] = $entries[0]['distinguishedname'][0];
- }
- return ($group_array);
- }
-
- /**
- * Return a list of members in a group
- *
- * @param string $group The group to query
- * @param bool $recursive Recursively get group members
- * @return array
- */
- public function group_members($group, $recursive = NULL){
- if (!$this->_bind){ return (false); }
- if ($recursive===NULL){ $recursive=$this->_recursive_groups; } // Use the default option if they haven't set it
- // Search the directory for the members of a group
- $info=$this->group_info($group,array("member","cn"));
- $users=$info[0]["member"];
- if (!is_array($users)) {
- return (false);
- }
-
- $user_array=array();
-
- for ($i=0; $i<$users["count"]; $i++){
- $filter="(&(objectCategory=person)(distinguishedName=".$this->ldap_slashes($users[$i])."))";
- $fields = array("samaccountname", "distinguishedname", "objectClass");
- $sr=ldap_search($this->_conn,$this->_base_dn,$filter,$fields);
- $entries = ldap_get_entries($this->_conn, $sr);
-
- // not a person, look for a group
- if ($entries['count'] == 0 && $recursive == true) {
- $filter="(&(objectCategory=group)(distinguishedName=".$this->ldap_slashes($users[$i])."))";
- $fields = array("samaccountname");
- $sr=ldap_search($this->_conn,$this->_base_dn,$filter,$fields);
- $entries = ldap_get_entries($this->_conn, $sr);
- if (!isset($entries[0]['samaccountname'][0])) {
- continue;
- }
- $sub_users = $this->group_members($entries[0]['samaccountname'][0], $recursive);
- if (is_array($sub_users)) {
- $user_array = array_merge($user_array, $sub_users);
- $user_array = array_unique($user_array);
- }
- continue;
- }
-
- if ($entries[0]['samaccountname'][0] === NULL && $entries[0]['distinguishedname'][0] !== NULL) {
- $user_array[] = $entries[0]['distinguishedname'][0];
- }
- elseif ($entries[0]['samaccountname'][0] !== NULL) {
- $user_array[] = $entries[0]['samaccountname'][0];
- }
- }
- return ($user_array);
- }
-
- /**
- * Group Information. Returns an array of information about a group.
- * The group name is case sensitive
- *
- * @param string $group_name The group name to retrieve info about
- * @param array $fields Fields to retrieve
- * @return array
- */
- public function group_info($group_name,$fields=NULL){
- if ($group_name===NULL){ return (false); }
- if (!$this->_bind){ return (false); }
-
- if (stristr($group_name, '+')) {
- $group_name=stripslashes($group_name);
- }
-
- $filter="(&(objectCategory=group)(name=".$this->ldap_slashes($group_name)."))";
- //echo ($filter."!!!<br>");
- if ($fields===NULL){ $fields=array("member","memberof","cn","description","distinguishedname","objectcategory","samaccountname"); }
- $sr=ldap_search($this->_conn,$this->_base_dn,$filter,$fields);
- $entries = ldap_get_entries($this->_conn, $sr);
- //print_r($entries);
- return ($entries);
- }
-
- /**
- * Return a complete list of "groups in groups"
- *
- * @param string $group The group to get the list from
- * @return array
- */
- public function recursive_groups($group){
- if ($group===NULL){ return (false); }
-
- $ret_groups=array();
-
- $groups=$this->group_info($group,array("memberof"));
- if (isset($groups[0]["memberof"]) && is_array($groups[0]["memberof"])) {
- $groups=$groups[0]["memberof"];
-
- if ($groups){
- $group_names=$this->nice_names($groups);
- $ret_groups=array_merge($ret_groups,$group_names); //final groups to return
-
- foreach ($group_names as $id => $group_name){
- $child_groups=$this->recursive_groups($group_name);
- $ret_groups=array_merge($ret_groups,$child_groups);
- }
- }
- }
-
- return ($ret_groups);
- }
-
- /**
- * Returns a complete list of the groups in AD based on a SAM Account Type
- *
- * @param string $samaccounttype The account type to return
- * @param bool $include_desc Whether to return a description
- * @param string $search Search parameters
- * @param bool $sorted Whether to sort the results
- * @return array
- */
- public function search_groups($samaccounttype = ADLDAP_SECURITY_GLOBAL_GROUP, $include_desc = false, $search = "*", $sorted = true) {
- if (!$this->_bind){ return (false); }
-
- $filter = '(&(objectCategory=group)';
- if ($samaccounttype !== null) {
- $filter .= '(samaccounttype='. $samaccounttype .')';
- }
- $filter .= '(cn='.$search.'))';
- // Perform the search and grab all their details
- $fields=array("samaccountname","description");
- $sr=ldap_search($this->_conn,$this->_base_dn,$filter,$fields);
- $entries = ldap_get_entries($this->_conn, $sr);
-
- $groups_array = array();
- for ($i=0; $i<$entries["count"]; $i++){
- if ($include_desc && strlen($entries[$i]["description"][0]) > 0 ){
- $groups_array[ $entries[$i]["samaccountname"][0] ] = $entries[$i]["description"][0];
- } elseif ($include_desc){
- $groups_array[ $entries[$i]["samaccountname"][0] ] = $entries[$i]["samaccountname"][0];
- } else {
- array_push($groups_array, $entries[$i]["samaccountname"][0]);
- }
- }
- if( $sorted ){ asort($groups_array); }
- return ($groups_array);
- }
-
- /**
- * Returns a complete list of all groups in AD
- *
- * @param bool $include_desc Whether to return a description
- * @param string $search Search parameters
- * @param bool $sorted Whether to sort the results
- * @return array
- */
- public function all_groups($include_desc = false, $search = "*", $sorted = true){
- $groups_array = $this->search_groups(null, $include_desc, $search, $sorted);
- return ($groups_array);
- }
-
- /**
- * Returns a complete list of security groups in AD
- *
- * @param bool $include_desc Whether to return a description
- * @param string $search Search parameters
- * @param bool $sorted Whether to sort the results
- * @return array
- */
- public function all_security_groups($include_desc = false, $search = "*", $sorted = true){
- $groups_array = $this->search_groups(ADLDAP_SECURITY_GLOBAL_GROUP, $include_desc, $search, $sorted);
- return ($groups_array);
- }
-
- /**
- * Returns a complete list of distribution lists in AD
- *
- * @param bool $include_desc Whether to return a description
- * @param string $search Search parameters
- * @param bool $sorted Whether to sort the results
- * @return array
- */
- public function all_distribution_groups($include_desc = false, $search = "*", $sorted = true){
- $groups_array = $this->search_groups(ADLDAP_DISTRIBUTION_GROUP, $include_desc, $search, $sorted);
- return ($groups_array);
- }
-
- //*****************************************************************************************************************
- // USER FUNCTIONS
-
- /**
- * Create a user
- *
- * If you specify a password here, this can only be performed over SSL
- *
- * @param array $attributes The attributes to set to the user account
- * @return bool
- */
- public function user_create($attributes){
- // Check for compulsory fields
- if (!array_key_exists("username",$attributes)){ return ("Missing compulsory field [username]"); }
- if (!array_key_exists("firstname",$attributes)){ return ("Missing compulsory field [firstname]"); }
- if (!array_key_exists("surname",$attributes)){ return ("Missing compulsory field [surname]"); }
- if (!array_key_exists("email",$attributes)){ return ("Missing compulsory field [email]"); }
- if (!array_key_exists("container",$attributes)){ return ("Missing compulsory field [container]"); }
- if (!is_array($attributes["container"])){ return ("Container attribute must be an array."); }
-
- if (array_key_exists("password",$attributes) && (!$this->_use_ssl && !$this->_use_tls)){
- throw new adLDAPException('SSL must be configured on your webserver and enabled in the class to set passwords.');
- }
-
- if (!array_key_exists("display_name",$attributes)){ $attributes["display_name"]=$attributes["firstname"]." ".$attributes["surname"]; }
-
- // Translate the schema
- $add=$this->adldap_schema($attributes);
-
- // Additional stuff only used for adding accounts
- $add["cn"][0]=$attributes["display_name"];
- $add["samaccountname"][0]=$attributes["username"];
- $add["objectclass"][0]="top";
- $add["objectclass"][1]="person";
- $add["objectclass"][2]="organizationalPerson";
- $add["objectclass"][3]="user"; //person?
- //$add["name"][0]=$attributes["firstname"]." ".$attributes["surname"];
-
- // Set the account control attribute
- $control_options=array("NORMAL_ACCOUNT");
- if (!$attributes["enabled"]){ $control_options[]="ACCOUNTDISABLE"; }
- $add["userAccountControl"][0]=$this->account_control($control_options);
- //echo ("<pre>"); print_r($add);
-
- // Determine the container
- $attributes["container"]=array_reverse($attributes["container"]);
- $container="OU=".implode(",OU=",$attributes["container"]);
-
- // Add the entry
- $result=@ldap_add($this->_conn, "CN=".$add["cn"][0].", ".$container.",".$this->_base_dn, $add);
- if ($result!=true){ return (false); }
-
- return (true);
- }
-
- /**
- * Delete a user account
- *
- * @param string $username The username to delete (please be careful here!)
- * @param bool $isGUID Is the username a GUID or a samAccountName
- * @return array
- */
- public function user_delete($username,$isGUID=false) {
- $userinfo = $this->user_info($username, array("*"),$isGUID);
- $dn = $userinfo[0]['distinguishedname'][0];
- $result=$this->dn_delete($dn);
- if ($result!=true){ return (false); }
- return (true);
- }
-
- /**
- * Groups the user is a member of
- *
- * @param string $username The username to query
- * @param bool $recursive Recursive list of groups
- * @param bool $isGUID Is the username passed a GUID or a samAccountName
- * @return array
- */
- public function user_groups($username,$recursive=NULL,$isGUID=false){
- if ($username===NULL){ return (false); }
- if ($recursive===NULL){ $recursive=$this->_recursive_groups; } // Use the default option if they haven't set it
- if (!$this->_bind){ return (false); }
-
- // Search the directory for their information
- $info=@$this->user_info($username,array("memberof","primarygroupid"),$isGUID);
- $groups=$this->nice_names($info[0]["memberof"]); // Presuming the entry returned is our guy (unique usernames)
-
- if ($recursive === true){
- foreach ($groups as $id => $group_name){
- $extra_groups=$this->recursive_groups($group_name);
- $groups=array_merge($groups,$extra_groups);
- }
- }
-
- return ($groups);
- }
-
- /**
- * Find information about the users
- *
- * @param string $username The username to query
- * @param array $fields Array of parameters to query
- * @param bool $isGUID Is the username passed a GUID or a samAccountName
- * @return array
- */
- public function user_info($username,$fields=NULL,$isGUID=false){
- if ($username===NULL){ return (false); }
- if (!$this->_bind){ return (false); }
-
- if ($isGUID === true) {
- $username = $this->strguid2hex($username);
- $filter="objectguid=".$username;
- }
- else if (strstr($username, "@")) {
- $filter="userPrincipalName=".$username;
- }
- else {
- $filter="samaccountname=".$username;
- }
- $filter = "(&(objectCategory=person)({$filter}))";
- if ($fields===NULL){ $fields=array("samaccountname","mail","memberof","department","displayname","telephonenumber","primarygroupid","objectsid"); }
- if (!in_array("objectsid",$fields)){
- $fields[] = "objectsid";
- }
- $sr=ldap_search($this->_conn,$this->_base_dn,$filter,$fields);
- $entries = ldap_get_entries($this->_conn, $sr);
-
- if (isset($entries[0])) {
- if ($entries[0]['count'] >= 1) {
- if (in_array("memberof", $fields)) {
- // AD does not return the primary group in the ldap query, we may need to fudge it
- if ($this->_real_primarygroup && isset($entries[0]["primarygroupid"][0]) && isset($entries[0]["objectsid"][0])){
- //$entries[0]["memberof"][]=$this->group_cn($entries[0]["primarygroupid"][0]);
- $entries[0]["memberof"][]=$this->get_primary_group($entries[0]["primarygroupid"][0], $entries[0]["objectsid"][0]);
- } else {
- $entries[0]["memberof"][]="CN=Domain Users,CN=Users,".$this->_base_dn;
- }
- $entries[0]["memberof"]["count"]++;
- }
- }
- return $entries;
- }
- return false;
- }
-
- /**
- * Determine if a user is in a specific group
- *
- * @param string $username The username to query
- * @param string $group The name of the group to check against
- * @param bool $recursive Check groups recursively
- * @param bool $isGUID Is the username passed a GUID or a samAccountName
- * @return bool
- */
- public function user_ingroup($username,$group,$recursive=NULL,$isGUID=false){
- if ($username===NULL){ return (false); }
- if ($group===NULL){ return (false); }
- if (!$this->_bind){ return (false); }
- if ($recursive===NULL){ $recursive=$this->_recursive_groups; } // Use the default option if they haven't set it
-
- // Get a list of the groups
- $groups=$this->user_groups($username,$recursive,$isGUID);
-
- // Return true if the specified group is in the group list
- if (in_array($group,$groups)){ return (true); }
-
- return (false);
- }
-
- /**
- * Determine a user's password expiry date
- *
- * @param string $username The username to query
- * @param book $isGUID Is the username passed a GUID or a samAccountName
- * @requires bcmath http://www.php.net/manual/en/book.bc.php
- * @return array
- */
- public function user_password_expiry($username,$isGUID=false) {
- if ($username===NULL){ return ("Missing compulsory field [username]"); }
- if (!$this->_bind){ return (false); }
- if (!function_exists('bcmod')) { return ("Missing function support [bcmod] http://www.php.net/manual/en/book.bc.php"); };
-
- $userinfo = $this->user_info($username, array("pwdlastset", "useraccountcontrol"), $isGUID);
- $pwdlastset = $userinfo[0]['pwdlastset'][0];
- $status = array();
-
- if ($userinfo[0]['useraccountcontrol'][0] == '66048') {
- // Password does not expire
- return "Does not expire";
- }
- if ($pwdlastset === '0') {
- // Password has already expired
- return "Password has expired";
- }
-
- // Password expiry in AD can be calculated from TWO values:
- // - User's own pwdLastSet attribute: stores the last time the password was changed
- // - Domain's maxPwdAge attribute: how long passwords last in the domain
- //
- // Although Microsoft chose to use a different base and unit for time measurements.
- // This function will convert them to Unix timestamps
- $sr = ldap_read($this->_conn, $this->_base_dn, 'objectclass=*', array('maxPwdAge'));
- if (!$sr) {
- return false;
- }
- $info = ldap_get_entries($this->_conn, $sr);
- $maxpwdage = $info[0]['maxpwdage'][0];
-
-
- // See MSDN: http://msdn.microsoft.com/en-us/library/ms974598.aspx
- //
- // pwdLastSet contains the number of 100 nanosecond intervals since January 1, 1601 (UTC),
- // stored in a 64 bit integer.
- //
- // The number of seconds between this date and Unix epoch is 11644473600.
- //
- // maxPwdAge is stored as a large integer that represents the number of 100 nanosecond
- // intervals from the time the password was set before the password expires.
- //
- // We also need to scale this to seconds but also this value is a _negative_ quantity!
- //
- // If the low 32 bits of maxPwdAge are equal to 0 passwords do not expire
- //
- // Unfortunately the maths involved are too big for PHP integers, so I've had to require
- // BCMath functions to work with arbitrary precision numbers.
- if (bcmod($maxpwdage, 4294967296) === '0') {
- return "Domain does not expire passwords";
- }
-
- // Add maxpwdage and pwdlastset and we get password expiration time in Microsoft's
- // time units. Because maxpwd age is negative we need to subtract it.
- $pwdexpire = bcsub($pwdlastset, $maxpwdage);
-
- // Convert MS's time to Unix time
- $status['expiryts'] = bcsub(bcdiv($pwdexpire, '10000000'), '11644473600');
- $status['expiryformat'] = date('Y-m-d H:i:s', bcsub(bcdiv($pwdexpire, '10000000'), '11644473600'));
-
- return $status;
- }
-
- /**
- * Modify a user
- *
- * @param string $username The username to query
- * @param array $attributes The attributes to modify. Note if you set the enabled attribute you must not specify any other attributes
- * @param bool $isGUID Is the username passed a GUID or a samAccountName
- * @return bool
- */
- public function user_modify($username,$attributes,$isGUID=false){
- if ($username===NULL){ return ("Missing compulsory field [username]"); }
- if (array_key_exists("password",$attributes) && !$this->_use_ssl){
- throw new adLDAPException('SSL must be configured on your webserver and enabled in the class to set passwords.');
- }
-
- // Find the dn of the user
- $user_dn=$this->user_dn($username,$isGUID);
- if ($user_dn===false){ return (false); }
-
- // Translate the update to the LDAP schema
- $mod=$this->adldap_schema($attributes);
-
- // Check to see if this is an enabled status update
- if (!$mod && !array_key_exists("enabled", $attributes)){ return (false); }
-
- // Set the account control attribute (only if specified)
- if (array_key_exists("enabled",$attributes)){
- if ($attributes["enabled"]){ $control_options=array("NORMAL_ACCOUNT"); }
- else { $control_options=array("NORMAL_ACCOUNT","ACCOUNTDISABLE"); }
- $mod["userAccountControl"][0]=$this->account_control($control_options);
- }
-
- // Do the update
- $result=@ldap_modify($this->_conn,$user_dn,$mod);
- if ($result==false){ return (false); }
-
- return (true);
- }
-
- /**
- * Disable a user account
- *
- * @param string $username The username to disable
- * @param bool $isGUID Is the username passed a GUID or a samAccountName
- * @return bool
- */
- public function user_disable($username,$isGUID=false){
- if ($username===NULL){ return ("Missing compulsory field [username]"); }
- $attributes=array("enabled"=>0);
- $result = $this->user_modify($username, $attributes, $isGUID);
- if ($result==false){ return (false); }
-
- return (true);
- }
-
- /**
- * Enable a user account
- *
- * @param string $username The username to enable
- * @param bool $isGUID Is the username passed a GUID or a samAccountName
- * @return bool
- */
- public function user_enable($username,$isGUID=false){
- if ($username===NULL){ return ("Missing compulsory field [username]"); }
- $attributes=array("enabled"=>1);
- $result = $this->user_modify($username, $attributes, $isGUID);
- if ($result==false){ return (false); }
-
- return (true);
- }
-
- /**
- * Set the password of a user - This must be performed over SSL
- *
- * @param string $username The username to modify
- * @param string $password The new password
- * @param bool $isGUID Is the username passed a GUID or a samAccountName
- * @return bool
- */
- public function user_password($username,$password,$isGUID=false){
- if ($username===NULL){ return (false); }
- if ($password===NULL){ return (false); }
- if (!$this->_bind){ return (false); }
- if (!$this->_use_ssl && !$this->_use_tls){
- throw new adLDAPException('SSL must be configured on your webserver and enabled in the class to set passwords.');
- }
-
- $user_dn=$this->user_dn($username,$isGUID);
- if ($user_dn===false){ return (false); }
-
- $add=array();
- $add["unicodePwd"][0]=$this->encode_password($password);
-
- $result=ldap_mod_replace($this->_conn,$user_dn,$add);
- if ($result==false){ return (false); }
-
- return (true);
- }
-
- /**
- * Return a list of all users in AD
- *
- * @param bool $include_desc Return a description of the user
- * @param string $search Search parameter
- * @param bool $sorted Sort the user accounts
- * @return array
- */
- public function all_users($include_desc = false, $search = "*", $sorted = true){
- if (!$this->_bind){ return (false); }
-
- // Perform the search and grab all their details
- $filter = "(&(objectClass=user)(samaccounttype=". ADLDAP_NORMAL_ACCOUNT .")(objectCategory=person)(cn=".$search."))";
- $fields=array("samaccountname","displayname");
- $sr=ldap_search($this->_conn,$this->_base_dn,$filter,$fields);
- $entries = ldap_get_entries($this->_conn, $sr);
-
- $users_array = array();
- for ($i=0; $i<$entries["count"]; $i++){
- if ($include_desc && strlen($entries[$i]["displayname"][0])>0){
- $users_array[ $entries[$i]["samaccountname"][0] ] = $entries[$i]["displayname"][0];
- } elseif ($include_desc){
- $users_array[ $entries[$i]["samaccountname"][0] ] = $entries[$i]["samaccountname"][0];
- } else {
- array_push($users_array, $entries[$i]["samaccountname"][0]);
- }
- }
- if ($sorted){ asort($users_array); }
- return ($users_array);
- }
-
- /**
- * Converts a username (samAccountName) to a GUID
- *
- * @param string $username The username to query
- * @return string
- */
- public function username2guid($username) {
- if (!$this->_bind){ return (false); }
- if ($username === null){ return ("Missing compulsory field [username]"); }
-
- $filter = "samaccountname=" . $username;
- $fields = array("objectGUID");
- $sr = @ldap_search($this->_conn, $this->_base_dn, $filter, $fields);
- if (ldap_count_entries($this->_conn, $sr) > 0) {
- $entry = @ldap_first_entry($this->_conn, $sr);
- $guid = @ldap_get_values_len($this->_conn, $entry, 'objectGUID');
- $strGUID = $this->binary2text($guid[0]);
- return ($strGUID);
- }
- else {
- return (false);
- }
- }
-
- /**
- * Move a user account to a different OU
- *
- * @param string $username The username to move (please be careful here!)
- * @param array $container The container or containers to move the user to (please be careful here!).
- * accepts containers in 1. parent 2. child order
- * @return array
- */
- public function user_move($username, $container) {
- if (!$this->_bind){ return (false); }
- if ($username === null){ return ("Missing compulsory field [username]"); }
- if ($container === null){ return ("Missing compulsory field [container]"); }
- if (!is_array($container)){ return ("Container must be an array"); }
-
- $userinfo = $this->user_info($username, array("*"));
- $dn = $userinfo[0]['distinguishedname'][0];
- $newrdn = "cn=" . $username;
- $container = array_reverse($container);
- $newcontainer = "ou=" . implode(",ou=",$container);
- $newbasedn = strtolower($newcontainer) . "," . $this->_base_dn;
- $result=@ldap_rename($this->_conn,$dn,$newrdn,$newbasedn,true);
- if ($result !== true) {
- return (false);
- }
- return (true);
- }
-
- //*****************************************************************************************************************
- // CONTACT FUNCTIONS
- // * Still work to do in this area, and new functions to write
-
- /**
- * Create a contact
- *
- * @param array $attributes The attributes to set to the contact
- * @return bool
- */
- public function contact_create($attributes){
- // Check for compulsory fields
- if (!array_key_exists("display_name",$attributes)){ return ("Missing compulsory field [display_name]"); }
- if (!array_key_exists("email",$attributes)){ return ("Missing compulsory field [email]"); }
- if (!array_key_exists("container",$attributes)){ return ("Missing compulsory field [container]"); }
- if (!is_array($attributes["container"])){ return ("Container attribute must be an array."); }
-
- // Translate the schema
- $add=$this->adldap_schema($attributes);
-
- // Additional stuff only used for adding contacts
- $add["cn"][0]=$attributes["display_name"];
- $add["objectclass"][0]="top";
- $add["objectclass"][1]="person";
- $add["objectclass"][2]="organizationalPerson";
- $add["objectclass"][3]="contact";
- if (!isset($attributes['exchange_hidefromlists'])) {
- $add["msExchHideFromAddressLists"][0]="TRUE";
- }
-
- // Determine the container
- $attributes["container"]=array_reverse($attributes["container"]);
- $container="OU=".implode(",OU=",$attributes["container"]);
-
- // Add the entry
- $result=@ldap_add($this->_conn, "CN=".$add["cn"][0].", ".$container.",".$this->_base_dn, $add);
- if ($result!=true){ return (false); }
-
- return (true);
- }
-
- /**
- * Determine the list of groups a contact is a member of
- *
- * @param string $distinguisedname The full DN of a contact
- * @param bool $recursive Recursively check groups
- * @return array
- */
- public function contact_groups($distinguishedname,$recursive=NULL){
- if ($distinguishedname===NULL){ return (false); }
- if ($recursive===NULL){ $recursive=$this->_recursive_groups; } //use the default option if they haven't set it
- if (!$this->_bind){ return (false); }
-
- // Search the directory for their information
- $info=@$this->contact_info($distinguishedname,array("memberof","primarygroupid"));
- $groups=$this->nice_names($info[0]["memberof"]); //presuming the entry returned is our contact
-
- if ($recursive === true){
- foreach ($groups as $id => $group_name){
- $extra_groups=$this->recursive_groups($group_name);
- $groups=array_merge($groups,$extra_groups);
- }
- }
-
- return ($groups);
- }
-
- /**
- * Get contact information
- *
- * @param string $distinguisedname The full DN of a contact
- * @param array $fields Attributes to be returned
- * @return array
- */
- public function contact_info($distinguishedname,$fields=NULL){
- if ($distinguishedname===NULL){ return (false); }
- if (!$this->_bind){ return (false); }
-
- $filter="distinguishedName=".$distinguishedname;
- if ($fields===NULL){ $fields=array("distinguishedname","mail","memberof","department","displayname","telephonenumber","primarygroupid","objectsid"); }
- $sr=ldap_search($this->_conn,$this->_base_dn,$filter,$fields);
- $entries = ldap_get_entries($this->_conn, $sr);
-
- if ($entries[0]['count'] >= 1) {
- // AD does not return the primary group in the ldap query, we may need to fudge it
- if ($this->_real_primarygroup && isset($entries[0]["primarygroupid"][0]) && isset($entries[0]["primarygroupid"][0])){
- //$entries[0]["memberof"][]=$this->group_cn($entries[0]["primarygroupid"][0]);
- $entries[0]["memberof"][]=$this->get_primary_group($entries[0]["primarygroupid"][0], $entries[0]["objectsid"][0]);
- } else {
- $entries[0]["memberof"][]="CN=Domain Users,CN=Users,".$this->_base_dn;
- }
- }
-
- $entries[0]["memberof"]["count"]++;
- return ($entries);
- }
-
- /**
- * Determine if a contact is a member of a group
- *
- * @param string $distinguisedname The full DN of a contact
- * @param string $group The group name to query
- * @param bool $recursive Recursively check groups
- * @return bool
- */
- public function contact_ingroup($distinguisedname,$group,$recursive=NULL){
- if ($distinguisedname===NULL){ return (false); }
- if ($group===NULL){ return (false); }
- if (!$this->_bind){ return (false); }
- if ($recursive===NULL){ $recursive=$this->_recursive_groups; } //use the default option if they haven't set it
-
- // Get a list of the groups
- $groups=$this->contact_groups($distinguisedname,array("memberof"),$recursive);
-
- // Return true if the specified group is in the group list
- if (in_array($group,$groups)){ return (true); }
-
- return (false);
- }
-
- /**
- * Modify a contact
- *
- * @param string $distinguishedname The contact to query
- * @param array $attributes The attributes to modify. Note if you set the enabled attribute you must not specify any other attributes
- * @return bool
- */
- public function contact_modify($distinguishedname,$attributes){
- if ($distinguishedname===NULL){ return ("Missing compulsory field [distinguishedname]"); }
-
- // Translate the update to the LDAP schema
- $mod=$this->adldap_schema($attributes);
-
- // Check to see if this is an enabled status update
- if (!$mod){ return (false); }
-
- // Do the update
- $result=ldap_modify($this->_conn,$distinguishedname,$mod);
- if ($result==false){ return (false); }
-
- return (true);
- }
-
- /**
- * Delete a contact
- *
- * @param string $distinguishedname The contact dn to delete (please be careful here!)
- * @return array
- */
- public function contact_delete($distinguishedname) {
- $result = $this->dn_delete($distinguishedname);
- if ($result!=true){ return (false); }
- return (true);
- }
-
- /**
- * Return a list of all contacts
- *
- * @param bool $include_desc Include a description of a contact
- * @param string $search The search parameters
- * @param bool $sorted Whether to sort the results
- * @return array
- */
- public function all_contacts($include_desc = false, $search = "*", $sorted = true){
- if (!$this->_bind){ return (false); }
-
- // Perform the search and grab all their details
- $filter = "(&(objectClass=contact)(cn=".$search."))";
- $fields=array("displayname","distinguishedname");
- $sr=ldap_search($this->_conn,$this->_base_dn,$filter,$fields);
- $entries = ldap_get_entries($this->_conn, $sr);
-
- $users_array = array();
- for ($i=0; $i<$entries["count"]; $i++){
- if ($include_desc && strlen($entries[$i]["displayname"][0])>0){
- $users_array[ $entries[$i]["distinguishedname"][0] ] = $entries[$i]["displayname"][0];
- } elseif ($include_desc){
- $users_array[ $entries[$i]["distinguishedname"][0] ] = $entries[$i]["distinguishedname"][0];
- } else {
- array_push($users_array, $entries[$i]["distinguishedname"][0]);
- }
- }
- if ($sorted){ asort($users_array); }
- return ($users_array);
- }
-
- //*****************************************************************************************************************
- // FOLDER FUNCTIONS
-
- /**
- * Returns a folder listing for a specific OU
- * See http://adldap.sourceforge.net/wiki/doku.php?id=api_folder_functions
- *
- * @param array $folder_name An array to the OU you wish to list.
- * If set to NULL will list the root, strongly recommended to set
- * $recursive to false in that instance!
- * @param string $dn_type The type of record to list. This can be ADLDAP_FOLDER or ADLDAP_CONTAINER.
- * @param bool $recursive Recursively search sub folders
- * @param bool $type Specify a type of object to search for
- * @return array
- */
- public function folder_list($folder_name = NULL, $dn_type = ADLDAP_FOLDER, $recursive = NULL, $type = NULL) {
- if ($recursive===NULL){ $recursive=$this->_recursive_groups; } //use the default option if they haven't set it
- if (!$this->_bind){ return (false); }
-
- $filter = '(&';
- if ($type !== NULL) {
- switch ($type) {
- case 'contact':
- $filter .= '(objectClass=contact)';
- break;
- case 'computer':
- $filter .= '(objectClass=computer)';
- break;
- case 'group':
- $filter .= '(objectClass=group)';
- break;
- case 'folder':
- $filter .= '(objectClass=organizationalUnit)';
- break;
- case 'container':
- $filter .= '(objectClass=container)';
- break;
- case 'domain':
- $filter .= '(objectClass=builtinDomain)';
- break;
- default:
- $filter .= '(objectClass=user)';
- break;
- }
- }
- else {
- $filter .= '(objectClass=*)';
- }
- // If the folder name is null then we will search the root level of AD
- // This requires us to not have an OU= part, just the base_dn
- $searchou = $this->_base_dn;
- if (is_array($folder_name)) {
- $ou = $dn_type . "=".implode("," . $dn_type . "=",$folder_name);
- $filter .= '(!(distinguishedname=' . $ou . ',' . $this->_base_dn . ')))';
- $searchou = $ou . ',' . $this->_base_dn;
- }
- else {
- $filter .= '(!(distinguishedname=' . $this->_base_dn . ')))';
- }
-
- if ($recursive === true) {
- $sr=ldap_search($this->_conn, $searchou, $filter, array('objectclass', 'distinguishedname', 'samaccountname'));
- $entries = @ldap_get_entries($this->_conn, $sr);
- if (is_array($entries)) {
- return $entries;
- }
- }
- else {
- $sr=ldap_list($this->_conn, $searchou, $filter, array('objectclass', 'distinguishedname', 'samaccountname'));
- $entries = @ldap_get_entries($this->_conn, $sr);
- if (is_array($entries)) {
- return $entries;
- }
- }
-
- return false;
- }
-
- //*****************************************************************************************************************
- // COMPUTER FUNCTIONS
-
- /**
- * Get information about a specific computer
- *
- * @param string $computer_name The name of the computer
- * @param array $fields Attributes to return
- * @return array
- */
- public function computer_info($computer_name,$fields=NULL){
- if ($computer_name===NULL){ return (false); }
- if (!$this->_bind){ return (false); }
-
- $filter="(&(objectClass=computer)(cn=".$computer_name."))";
- if ($fields===NULL){ $fields=array("memberof","cn","displayname","dnshostname","distinguishedname","objectcategory","operatingsystem","operatingsystemservicepack","operatingsystemversion"); }
- $sr=ldap_search($this->_conn,$this->_base_dn,$filter,$fields);
- $entries = ldap_get_entries($this->_conn, $sr);
-
- return ($entries);
- }
-
- /**
- * Check if a computer is in a group
- *
- * @param string $computer_name The name of the computer
- * @param string $group The group to check
- * @param bool $recursive Whether to check recursively
- * @return array
- */
- public function computer_ingroup($computer_name,$group,$recursive=NULL){
- if ($computer_name===NULL){ return (false); }
- if ($group===NULL){ return (false); }
- if (!$this->_bind){ return (false); }
- if ($recursive===NULL){ $recursive=$this->_recursive_groups; } // use the default option if they haven't set it
-
- //get a list of the groups
- $groups=$this->computer_groups($computer_name,array("memberof"),$recursive);
-
- //return true if the specified group is in the group list
- if (in_array($group,$groups)){ return (true); }
-
- return (false);
- }
-
- /**
- * Get the groups a computer is in
- *
- * @param string $computer_name The name of the computer
- * @param bool $recursive Whether to check recursively
- * @return array
- */
- public function computer_groups($computer_name,$recursive=NULL){
- if ($computer_name===NULL){ return (false); }
- if ($recursive===NULL){ $recursive=$this->_recursive_groups; } //use the default option if they haven't set it
- if (!$this->_bind){ return (false); }
-
- //search the directory for their information
- $info=@$this->computer_info($computer_name,array("memberof","primarygroupid"));
- $groups=$this->nice_names($info[0]["memberof"]); //presuming the entry returned is our guy (unique usernames)
-
- if ($recursive === true){
- foreach ($groups as $id => $group_name){
- $extra_groups=$this->recursive_groups($group_name);
- $groups=array_merge($groups,$extra_groups);
- }
- }
-
- return ($groups);
- }
-
- //************************************************************************************************************
- // ORGANIZATIONAL UNIT FUNCTIONS
-
- /**
- * Create an organizational unit
- *
- * @param array $attributes Default attributes of the ou
- * @return bool
- */
- public function ou_create($attributes){
- if (!is_array($attributes)){ return ("Attributes must be an array"); }
- if (!array_key_exists("ou_name",$attributes)){ return ("Missing compulsory field [ou_name]"); }
- if (!array_key_exists("container",$attributes)){ return ("Missing compulsory field [container]"); }
- if (!is_array($attributes["container"])){ return ("Container attribute must be an array."); }
- $attributes["container"]=array_reverse($attributes["container"]);
-
- $add=array();
- $add["objectClass"] = "organizationalUnit";
-
- $container="OU=".implode(",OU=",$attributes["container"]);
- $result=ldap_add($this->_conn,"CN=".$add["cn"].", ".$container.",".$this->_base_dn,$add);
- if ($result!=true){ return (false); }
-
- return (true);
- }
-
- //************************************************************************************************************
- // EXCHANGE FUNCTIONS
-
- /**
- * Create an Exchange account
- *
- * @param string $username The username of the user to add the Exchange account to
- * @param array $storagegroup The mailbox, Exchange Storage Group, for the user account, this must be a full CN
- * If the storage group has a different base_dn to the adLDAP configuration, set it using $base_dn
- * @param string $emailaddress The primary email address to add to this user
- * @param string $mailnickname The mail nick name. If mail nickname is blank, the username will be used
- * @param bool $usedefaults Indicates whether the store should use the default quota, rather than the per-mailbox quota.
- * @param string $base_dn Specify an alternative base_dn for the Exchange storage group
- * @param bool $isGUID Is the username passed a GUID or a samAccountName
- * @return bool
- */
- public function exchange_create_mailbox($username, $storagegroup, $emailaddress, $mailnickname=NULL, $usedefaults=TRUE, $base_dn=NULL, $isGUID=false){
- if ($username===NULL){ return ("Missing compulsory field [username]"); }
- if ($storagegroup===NULL){ return ("Missing compulsory array [storagegroup]"); }
- if (!is_array($storagegroup)){ return ("[storagegroup] must be an array"); }
- if ($emailaddress===NULL){ return ("Missing compulsory field [emailaddress]"); }
-
- if ($base_dn===NULL) {
- $base_dn = $this->_base_dn;
- }
-
- $container="CN=".implode(",CN=",$storagegroup);
-
- if ($mailnickname===NULL) { $mailnickname=$username; }
- $mdbUseDefaults = $this->bool2str($usedefaults);
-
- $attributes = array(
- 'exchange_homemdb'=>$container.",".$base_dn,
- 'exchange_proxyaddress'=>'SMTP:' . $emailaddress,
- 'exchange_mailnickname'=>$mailnickname,
- 'exchange_usedefaults'=>$mdbUseDefaults
- );
- $result = $this->user_modify($username,$attributes,$isGUID);
- if ($result==false){ return (false); }
- return (true);
- }
-
- /**
- * Add an X400 address to Exchange
- * See http://tools.ietf.org/html/rfc1685 for more information.
- * An X400 Address looks similar to this X400:c=US;a= ;p=Domain;o=Organization;s=Doe;g=John;
- *
- * @param string $username The username of the user to add the X400 to to
- * @param string $country Country
- * @param string $admd Administration Management Domain
- * @param string $pdmd Private Management Domain (often your AD domain)
- * @param string $org Organization
- * @param string $surname Surname
- * @param string $givenName Given name
- * @param bool $isGUID Is the username passed a GUID or a samAccountName
- * @return bool
- */
- public function exchange_add_X400($username, $country, $admd, $pdmd, $org, $surname, $givenname, $isGUID=false) {
- if ($username===NULL){ return ("Missing compulsory field [username]"); }
-
- $proxyvalue = 'X400:';
-
- // Find the dn of the user
- $user=$this->user_info($username,array("cn","proxyaddresses"), $isGUID);
- if ($user[0]["dn"]===NULL){ return (false); }
- $user_dn=$user[0]["dn"];
-
- // We do not have to demote an email address from the default so we can just add the new proxy address
- $attributes['exchange_proxyaddress'] = $proxyvalue . 'c=' . $country . ';a=' . $admd . ';p=' . $pdmd . ';o=' . $org . ';s=' . $surname . ';g=' . $givenname . ';';
-
- // Translate the update to the LDAP schema
- $add=$this->adldap_schema($attributes);
-
- if (!$add){ return (false); }
-
- // Do the update
- // Take out the @ to see any errors, usually this error might occur because the address already
- // exists in the list of proxyAddresses
- $result=@ldap_mod_add($this->_conn,$user_dn,$add);
- if ($result==false){ return (false); }
-
- return (true);
- }
-
- /**
- * Add an address to Exchange
- *
- * @param string $username The username of the user to add the Exchange account to
- * @param string $emailaddress The email address to add to this user
- * @param bool $default Make this email address the default address, this is a bit more intensive as we have to demote any existing default addresses
- * @param bool $isGUID Is the username passed a GUID or a samAccountName
- * @return bool
- */
- public function exchange_add_address($username, $emailaddress, $default=FALSE, $isGUID=false) {
- if ($username===NULL){ return ("Missing compulsory field [username]"); }
- if ($emailaddress===NULL) { return ("Missing compulsory fields [emailaddress]"); }
-
- $proxyvalue = 'smtp:';
- if ($default === true) {
- $proxyvalue = 'SMTP:';
- }
-
- // Find the dn of the user
- $user=$this->user_info($username,array("cn","proxyaddresses"),$isGUID);
- if ($user[0]["dn"]===NULL){ return (false); }
- $user_dn=$user[0]["dn"];
-
- // We need to scan existing proxy addresses and demote the default one
- if (is_array($user[0]["proxyaddresses"]) && $default===true) {
- $modaddresses = array();
- for ($i=0;$i<sizeof($user[0]['proxyaddresses']);$i++) {
- if (strstr($user[0]['proxyaddresses'][$i], 'SMTP:') !== false) {
- $user[0]['proxyaddresses'][$i] = str_replace('SMTP:', 'smtp:', $user[0]['proxyaddresses'][$i]);
- }
- if ($user[0]['proxyaddresses'][$i] != '') {
- $modaddresses['proxyAddresses'][$i] = $user[0]['proxyaddresses'][$i];
- }
- }
- $modaddresses['proxyAddresses'][(sizeof($user[0]['proxyaddresses'])-1)] = 'SMTP:' . $emailaddress;
-
- $result=@ldap_mod_replace($this->_conn,$user_dn,$modaddresses);
- if ($result==false){ return (false); }
-
- return (true);
- }
- else {
- // We do not have to demote an email address from the default so we can just add the new proxy address
- $attributes['exchange_proxyaddress'] = $proxyvalue . $emailaddress;
-
- // Translate the update to the LDAP schema
- $add=$this->adldap_schema($attributes);
-
- if (!$add){ return (false); }
-
- // Do the update
- // Take out the @ to see any errors, usually this error might occur because the address already
- // exists in the list of proxyAddresses
- $result=@ldap_mod_add($this->_conn,$user_dn,$add);
- if ($result==false){ return (false); }
-
- return (true);
- }
- }
-
- /**
- * Remove an address to Exchange
- * If you remove a default address the account will no longer have a default,
- * we recommend changing the default address first
- *
- * @param string $username The username of the user to add the Exchange account to
- * @param string $emailaddress The email address to add to this user
- * @param bool $isGUID Is the username passed a GUID or a samAccountName
- * @return bool
- */
- public function exchange_del_address($username, $emailaddress, $isGUID=false) {
- if ($username===NULL){ return ("Missing compulsory field [username]"); }
- if ($emailaddress===NULL) { return ("Missing compulsory fields [emailaddress]"); }
-
- // Find the dn of the user
- $user=$this->user_info($username,array("cn","proxyaddresses"),$isGUID);
- if ($user[0]["dn"]===NULL){ return (false); }
- $user_dn=$user[0]["dn"];
-
- if (is_array($user[0]["proxyaddresses"])) {
- $mod = array();
- for ($i=0;$i<sizeof($user[0]['proxyaddresses']);$i++) {
- if (strstr($user[0]['proxyaddresses'][$i], 'SMTP:') !== false && $user[0]['proxyaddresses'][$i] == 'SMTP:' . $emailaddress) {
- $mod['proxyAddresses'][0] = 'SMTP:' . $emailaddress;
- }
- elseif (strstr($user[0]['proxyaddresses'][$i], 'smtp:') !== false && $user[0]['proxyaddresses'][$i] == 'smtp:' . $emailaddress) {
- $mod['proxyAddresses'][0] = 'smtp:' . $emailaddress;
- }
- }
-
- $result=@ldap_mod_del($this->_conn,$user_dn,$mod);
- if ($result==false){ return (false); }
-
- return (true);
- }
- else {
- return (false);
- }
- }
- /**
- * Change the default address
- *
- * @param string $username The username of the user to add the Exchange account to
- * @param string $emailaddress The email address to make default
- * @param bool $isGUID Is the username passed a GUID or a samAccountName
- * @return bool
- */
- public function exchange_primary_address($username, $emailaddress, $isGUID=false) {
- if ($username===NULL){ return ("Missing compulsory field [username]"); }
- if ($emailaddress===NULL) { return ("Missing compulsory fields [emailaddress]"); }
-
- // Find the dn of the user
- $user=$this->user_info($username,array("cn","proxyaddresses"), $isGUID);
- if ($user[0]["dn"]===NULL){ return (false); }
- $user_dn=$user[0]["dn"];
-
- if (is_array($user[0]["proxyaddresses"])) {
- $modaddresses = array();
- for ($i=0;$i<sizeof($user[0]['proxyaddresses']);$i++) {
- if (strstr($user[0]['proxyaddresses'][$i], 'SMTP:') !== false) {
- $user[0]['proxyaddresses'][$i] = str_replace('SMTP:', 'smtp:', $user[0]['proxyaddresses'][$i]);
- }
- if ($user[0]['proxyaddresses'][$i] == 'smtp:' . $emailaddress) {
- $user[0]['proxyaddresses'][$i] = str_replace('smtp:', 'SMTP:', $user[0]['proxyaddresses'][$i]);
- }
- if ($user[0]['proxyaddresses'][$i] != '') {
- $modaddresses['proxyAddresses'][$i] = $user[0]['proxyaddresses'][$i];
- }
- }
-
- $result=@ldap_mod_replace($this->_conn,$user_dn,$modaddresses);
- if ($result==false){ return (false); }
-
- return (true);
- }
-
- }
-
- /**
- * Mail enable a contact
- * Allows email to be sent to them through Exchange
- *
- * @param string $distinguishedname The contact to mail enable
- * @param string $emailaddress The email address to allow emails to be sent through
- * @param string $mailnickname The mailnickname for the contact in Exchange. If NULL this will be set to the display name
- * @return bool
- */
- public function exchange_contact_mailenable($distinguishedname, $emailaddress, $mailnickname=NULL){
- if ($distinguishedname===NULL){ return ("Missing compulsory field [distinguishedname]"); }
- if ($emailaddress===NULL){ return ("Missing compulsory field [emailaddress]"); }
-
- if ($mailnickname !== NULL) {
- // Find the dn of the user
- $user=$this->contact_info($distinguishedname,array("cn","displayname"));
- if ($user[0]["displayname"]===NULL){ return (false); }
- $mailnickname = $user[0]['displayname'][0];
- }
-
- $attributes = array("email"=>$emailaddress,"contact_email"=>"SMTP:" . $emailaddress,"exchange_proxyaddress"=>"SMTP:" . $emailaddress,"exchange_mailnickname"=>$mailnickname);
-
- // Translate the update to the LDAP schema
- $mod=$this->adldap_schema($attributes);
-
- // Check to see if this is an enabled status update
- if (!$mod){ return (false); }
-
- // Do the update
- $result=ldap_modify($this->_conn,$distinguishedname,$mod);
- if ($result==false){ return (false); }
-
- return (true);
- }
-
- /**
- * Returns a list of Exchange Servers in the ConfigurationNamingContext of the domain
- *
- * @param array $attributes An array of the AD attributes you wish to return
- * @return array
- */
- public function exchange_servers($attributes = array('cn','distinguishedname','serialnumber')) {
- if (!$this->_bind){ return (false); }
-
- $configurationNamingContext = $this->get_root_dse(array('configurationnamingcontext'));
- $sr = @ldap_search($this->_conn,$configurationNamingContext[0]['configurationnamingcontext'][0],'(&(objectCategory=msExchExchangeServer))',$attributes);
- $entries = @ldap_get_entries($this->_conn, $sr);
- return $entries;
- }
-
- /**
- * Returns a list of Storage Groups in Exchange for a given mail server
- *
- * @param string $exchangeServer The full DN of an Exchange server. You can use exchange_servers() to find the DN for your server
- * @param array $attributes An array of the AD attributes you wish to return
- * @param bool $recursive If enabled this will automatically query the databases within a storage group
- * @return array
- */
- public function exchange_storage_groups($exchangeServer, $attributes = array('cn','distinguishedname'), $recursive = NULL) {
- if (!$this->_bind){ return (false); }
- if ($exchangeServer===NULL){ return ("Missing compulsory field [exchangeServer]"); }
- if ($recursive===NULL){ $recursive=$this->_recursive_groups; }
-
- $filter = '(&(objectCategory=msExchStorageGroup))';
- $sr=@ldap_search($this->_conn, $exchangeServer, $filter, $attributes);
- $entries = @ldap_get_entries($this->_conn, $sr);
-
- if ($recursive === true) {
- for ($i=0; $i<$entries['count']; $i++) {
- $entries[$i]['msexchprivatemdb'] = $this->exchange_storage_databases($entries[$i]['distinguishedname'][0]);
- }
- }
-
- return $entries;
- }
-
- /**
- * Returns a list of Databases within any given storage group in Exchange for a given mail server
- *
- * @param string $storageGroup The full DN of an Storage Group. You can use exchange_storage_groups() to find the DN
- * @param array $attributes An array of the AD attributes you wish to return
- * @return array
- */
- public function exchange_storage_databases($storageGroup, $attributes = array('cn','distinguishedname','displayname')) {
- if (!$this->_bind){ return (false); }
- if ($storageGroup===NULL){ return ("Missing compulsory field [storageGroup]"); }
-
- $filter = '(&(objectCategory=msExchPrivateMDB))';
- $sr=@ldap_search($this->_conn, $storageGroup, $filter, $attributes);
- $entries = @ldap_get_entries($this->_conn, $sr);
- return $entries;
- }
-
- //************************************************************************************************************
- // SERVER FUNCTIONS
-
- /**
- * Find the Base DN of your domain controller
- *
- * @return string
- */
- public function find_base_dn() {
- $namingContext = $this->get_root_dse(array('defaultnamingcontext'));
- return $namingContext[0]['defaultnamingcontext'][0];
- }
-
- /**
- * Get the RootDSE properties from a domain controller
- *
- * @param array $attributes The attributes you wish to query e.g. defaultnamingcontext
- * @return array
- */
- public function get_root_dse($attributes = array("*", "+")) {
- if (!$this->_bind){ return (false); }
-
- $sr = @ldap_read($this->_conn, NULL, 'objectClass=*', $attributes);
- $entries = @ldap_get_entries($this->_conn, $sr);
- return $entries;
- }
-
- //************************************************************************************************************
- // UTILITY FUNCTIONS (Many of these functions are protected and can only be called from within the class)
-
- /**
- * Get last error from Active Directory
- *
- * This function gets the last message from Active Directory
- * This may indeed be a 'Success' message but if you get an unknown error
- * it might be worth calling this function to see what errors were raised
- *
- * return string
- */
- public function get_last_error() {
- return @ldap_error($this->_conn);
- }
-
- /**
- * Detect LDAP support in php
- *
- * @return bool
- */
- protected function ldap_supported() {
- if (!function_exists('ldap_connect')) {
- return (false);
- }
- return (true);
- }
-
- /**
- * Schema
- *
- * @param array $attributes Attributes to be queried
- * @return array
- */
- protected function adldap_schema($attributes){
-
- // LDAP doesn't like NULL attributes, only set them if they have values
- // If you wish to remove an attribute you should set it to a space
- // TO DO: Adapt user_modify to use ldap_mod_delete to remove a NULL attribute
- $mod=array();
-
- // Check every attribute to see if it contains 8bit characters and then UTF8 encode them
- array_walk($attributes, array($this, 'encode8bit'));
-
- if ($attributes["address_city"]){ $mod["l"][0]=$attributes["address_city"]; }
- if ($attributes["address_code"]){ $mod["postalCode"][0]=$attributes["address_code"]; }
- //if ($attributes["address_country"]){ $mod["countryCode"][0]=$attributes["address_country"]; } // use country codes?
- if ($attributes["address_country"]){ $mod["c"][0]=$attributes["address_country"]; }
- if ($attributes["address_pobox"]){ $mod["postOfficeBox"][0]=$attributes["address_pobox"]; }
- if ($attributes["address_state"]){ $mod["st"][0]=$attributes["address_state"]; }
- if ($attributes["address_street"]){ $mod["streetAddress"][0]=$attributes["address_street"]; }
- if ($attributes["company"]){ $mod["company"][0]=$attributes["company"]; }
- if ($attributes["change_password"]){ $mod["pwdLastSet"][0]=0; }
- if ($attributes["department"]){ $mod["department"][0]=$attributes["department"]; }
- if ($attributes["description"]){ $mod["description"][0]=$attributes["description"]; }
- if ($attributes["display_name"]){ $mod["displayName"][0]=$attributes["display_name"]; }
- if ($attributes["email"]){ $mod["mail"][0]=$attributes["email"]; }
- if ($attributes["expires"]){ $mod["accountExpires"][0]=$attributes["expires"]; } //unix epoch format?
- if ($attributes["firstname"]){ $mod["givenName"][0]=$attributes["firstname"]; }
- if ($attributes["home_directory"]){ $mod["homeDirectory"][0]=$attributes["home_directory"]; }
- if ($attributes["home_drive"]){ $mod["homeDrive"][0]=$attributes["home_drive"]; }
- if ($attributes["initials"]){ $mod["initials"][0]=$attributes["initials"]; }
- if ($attributes["logon_name"]){ $mod["userPrincipalName"][0]=$attributes["logon_name"]; }
- if ($attributes["manager"]){ $mod["manager"][0]=$attributes["manager"]; } //UNTESTED ***Use DistinguishedName***
- if ($attributes["office"]){ $mod["physicalDeliveryOfficeName"][0]=$attributes["office"]; }
- if ($attributes["password"]){ $mod["unicodePwd"][0]=$this->encode_password($attributes["password"]); }
- if ($attributes["profile_path"]){ $mod["profilepath"][0]=$attributes["profile_path"]; }
- if ($attributes["script_path"]){ $mod["scriptPath"][0]=$attributes["script_path"]; }
- if ($attributes["surname"]){ $mod["sn"][0]=$attributes["surname"]; }
- if ($attributes["title"]){ $mod["title"][0]=$attributes["title"]; }
- if ($attributes["telephone"]){ $mod["telephoneNumber"][0]=$attributes["telephone"]; }
- if ($attributes["mobile"]){ $mod["mobile"][0]=$attributes["mobile"]; }
- if ($attributes["pager"]){ $mod["pager"][0]=$attributes["pager"]; }
- if ($attributes["ipphone"]){ $mod["ipphone"][0]=$attributes["ipphone"]; }
- if ($attributes["web_page"]){ $mod["wWWHomePage"][0]=$attributes["web_page"]; }
- if ($attributes["fax"]){ $mod["facsimileTelephoneNumber"][0]=$attributes["fax"]; }
- if ($attributes["enabled"]){ $mod["userAccountControl"][0]=$attributes["enabled"]; }
-
- // Distribution List specific schema
- if ($attributes["group_sendpermission"]){ $mod["dlMemSubmitPerms"][0]=$attributes["group_sendpermission"]; }
- if ($attributes["group_rejectpermission"]){ $mod["dlMemRejectPerms"][0]=$attributes["group_rejectpermission"]; }
-
- // Exchange Schema
- if ($attributes["exchange_homemdb"]){ $mod["homeMDB"][0]=$attributes["exchange_homemdb"]; }
- if ($attributes["exchange_mailnickname"]){ $mod["mailNickname"][0]=$attributes["exchange_mailnickname"]; }
- if ($attributes["exchange_proxyaddress"]){ $mod["proxyAddresses"][0]=$attributes["exchange_proxyaddress"]; }
- if ($attributes["exchange_usedefaults"]){ $mod["mDBUseDefaults"][0]=$attributes["exchange_usedefaults"]; }
- if ($attributes["exchange_policyexclude"]){ $mod["msExchPoliciesExcluded"][0]=$attributes["exchange_policyexclude"]; }
- if ($attributes["exchange_policyinclude"]){ $mod["msExchPoliciesIncluded"][0]=$attributes["exchange_policyinclude"]; }
- if ($attributes["exchange_addressbook"]){ $mod["showInAddressBook"][0]=$attributes["exchange_addressbook"]; }
-
- // This schema is designed for contacts
- if ($attributes["exchange_hidefromlists"]){ $mod["msExchHideFromAddressLists"][0]=$attributes["exchange_hidefromlists"]; }
- if ($attributes["contact_email"]){ $mod["targetAddress"][0]=$attributes["contact_email"]; }
-
- //echo ("<pre>"); print_r($mod);
- /*
- // modifying a name is a bit fiddly
- if ($attributes["firstname"] && $attributes["surname"]){
- $mod["cn"][0]=$attributes["firstname"]." ".$attributes["surname"];
- $mod["displayname"][0]=$attributes["firstname"]." ".$attributes["surname"];
- $mod["name"][0]=$attributes["firstname"]." ".$attributes["surname"];
- }
- */
-
- if (count($mod)==0){ return (false); }
- return ($mod);
- }
-
- /**
- * Coping with AD not returning the primary group
- * http://support.microsoft.com/?kbid=321360
- *
- * For some reason it's not possible to search on primarygrouptoken=XXX
- * If someone can show otherwise, I'd like to know about it :)
- * this way is resource intensive and generally a pain in the @#%^
- *
- * @deprecated deprecated since version 3.1, see get get_primary_group
- * @param string $gid Group ID
- * @return string
- */
- protected function group_cn($gid){
- if ($gid===NULL){ return (false); }
- $r=false;
-
- $filter="(&(objectCategory=group)(samaccounttype=". ADLDAP_SECURITY_GLOBAL_GROUP ."))";
- $fields=array("primarygrouptoken","samaccountname","distinguishedname");
- $sr=ldap_search($this->_conn,$this->_base_dn,$filter,$fields);
- $entries = ldap_get_entries($this->_conn, $sr);
-
- for ($i=0; $i<$entries["count"]; $i++){
- if ($entries[$i]["primarygrouptoken"][0]==$gid){
- $r=$entries[$i]["distinguishedname"][0];
- $i=$entries["count"];
- }
- }
-
- return ($r);
- }
-
- /**
- * Coping with AD not returning the primary group
- * http://support.microsoft.com/?kbid=321360
- *
- * This is a re-write based on code submitted by Bruce which prevents the
- * need to search each security group to find the true primary group
- *
- * @param string $gid Group ID
- * @param string $usersid User's Object SID
- * @return string
- */
- protected function get_primary_group($gid, $usersid){
- if ($gid===NULL || $usersid===NULL){ return (false); }
- $r=false;
-
- $gsid = substr_replace($usersid,pack('V',$gid),strlen($usersid)-4,4);
- $filter='(objectsid='.$this->getTextSID($gsid).')';
- $fields=array("samaccountname","distinguishedname");
- $sr=ldap_search($this->_conn,$this->_base_dn,$filter,$fields);
- $entries = ldap_get_entries($this->_conn, $sr);
-
- return $entries[0]['distinguishedname'][0];
- }
-
- /**
- * Convert a binary SID to a text SID
- *
- * @param string $binsid A Binary SID
- * @return string
- */
- protected function getTextSID($binsid) {
- $hex_sid = bin2hex($binsid);
- $rev = hexdec(substr($hex_sid, 0, 2));
- $subcount = hexdec(substr($hex_sid, 2, 2));
- $auth = hexdec(substr($hex_sid, 4, 12));
- $result = "$rev-$auth";
-
- for ($x=0;$x < $subcount; $x++) {
- $subauth[$x] =
- hexdec($this->little_endian(substr($hex_sid, 16 + ($x * 8), 8)));
- $result .= "-" . $subauth[$x];
- }
-
- // Cheat by tacking on the S-
- return 'S-' . $result;
- }
-
- /**
- * Converts a little-endian hex number to one that hexdec() can convert
- *
- * @param string $hex A hex code
- * @return string
- */
- protected function little_endian($hex) {
- $result = '';
- for ($x = strlen($hex) - 2; $x >= 0; $x = $x - 2) {
- $result .= substr($hex, $x, 2);
- }
- return $result;
- }
-
- /**
- * Converts a binary attribute to a string
- *
- * @param string $bin A binary LDAP attribute
- * @return string
- */
- protected function binary2text($bin) {
- $hex_guid = bin2hex($bin);
- $hex_guid_to_guid_str = '';
- for($k = 1; $k <= 4; ++$k) {
- $hex_guid_to_guid_str .= substr($hex_guid, 8 - 2 * $k, 2);
- }
- $hex_guid_to_guid_str .= '-';
- for($k = 1; $k <= 2; ++$k) {
- $hex_guid_to_guid_str .= substr($hex_guid, 12 - 2 * $k, 2);
- }
- $hex_guid_to_guid_str .= '-';
- for($k = 1; $k <= 2; ++$k) {
- $hex_guid_to_guid_str .= substr($hex_guid, 16 - 2 * $k, 2);
- }
- $hex_guid_to_guid_str .= '-' . substr($hex_guid, 16, 4);
- $hex_guid_to_guid_str .= '-' . substr($hex_guid, 20);
- return strtoupper($hex_guid_to_guid_str);
- }
-
- /**
- * Converts a binary GUID to a string GUID
- *
- * @param string $binaryGuid The binary GUID attribute to convert
- * @return string
- */
- public function decodeGuid($binaryGuid) {
- if ($binaryGuid === null){ return ("Missing compulsory field [binaryGuid]"); }
-
- $strGUID = $this->binary2text($binaryGuid);
- return ($strGUID);
- }
-
- /**
- * Converts a string GUID to a hexdecimal value so it can be queried
- *
- * @param string $strGUID A string representation of a GUID
- * @return string
- */
- protected function strguid2hex($strGUID) {
- $strGUID = str_replace('-', '', $strGUID);
-
- $octet_str = '\\' . substr($strGUID, 6, 2);
- $octet_str .= '\\' . substr($strGUID, 4, 2);
- $octet_str .= '\\' . substr($strGUID, 2, 2);
- $octet_str .= '\\' . substr($strGUID, 0, 2);
- $octet_str .= '\\' . substr($strGUID, 10, 2);
- $octet_str .= '\\' . substr($strGUID, 8, 2);
- $octet_str .= '\\' . substr($strGUID, 14, 2);
- $octet_str .= '\\' . substr($strGUID, 12, 2);
- //$octet_str .= '\\' . substr($strGUID, 16, strlen($strGUID));
- for ($i=16; $i<=(strlen($strGUID)-2); $i++) {
- if (($i % 2) == 0) {
- $octet_str .= '\\' . substr($strGUID, $i, 2);
- }
- }
-
- return $octet_str;
- }
-
- /**
- * Obtain the user's distinguished name based on their userid
- *
- *
- * @param string $username The username
- * @param bool $isGUID Is the username passed a GUID or a samAccountName
- * @return string
- */
- protected function user_dn($username,$isGUID=false){
- $user=$this->user_info($username,array("cn"),$isGUID);
- if ($user[0]["dn"]===NULL){ return (false); }
- $user_dn=$user[0]["dn"];
- return ($user_dn);
- }
-
- /**
- * Encode a password for transmission over LDAP
- *
- * @param string $password The password to encode
- * @return string
- */
- protected function encode_password($password){
- $password="\"".$password."\"";
- $encoded="";
- for ($i=0; $i <strlen($password); $i++){ $encoded.="{$password{$i}}\000"; }
- return ($encoded);
- }
-
- /**
- * Escape strings for the use in LDAP filters
- *
- * DEVELOPERS SHOULD BE DOING PROPER FILTERING IF THEY'RE ACCEPTING USER INPUT
- * Ported from Perl's Net::LDAP::Util escape_filter_value
- *
- * @param string $str The string the parse
- * @author Port by Andreas Gohr <andi@splitbrain.org>
- * @return string
- */
- protected function ldap_slashes($str){
- return preg_replace('/([\x00-\x1F\*\(\)\\\\])/e',
- '"\\\\\".join("",unpack("H2","$1"))',
- $str);
- }
-
- /**
- * Select a random domain controller from your domain controller array
- *
- * @return string
- */
- protected function random_controller(){
- mt_srand(doubleval(microtime()) * 100000000); // For older PHP versions
- return ($this->_domain_controllers[array_rand($this->_domain_controllers)]);
- }
-
- /**
- * Account control options
- *
- * @param array $options The options to convert to int
- * @return int
- */
- protected function account_control($options){
- $val=0;
-
- if (is_array($options)){
- if (in_array("SCRIPT",$options)){ $val=$val+1; }
- if (in_array("ACCOUNTDISABLE",$options)){ $val=$val+2; }
- if (in_array("HOMEDIR_REQUIRED",$options)){ $val=$val+8; }
- if (in_array("LOCKOUT",$options)){ $val=$val+16; }
- if (in_array("PASSWD_NOTREQD",$options)){ $val=$val+32; }
- //PASSWD_CANT_CHANGE Note You cannot assign this permission by directly modifying the UserAccountControl attribute.
- //For information about how to set the permission programmatically, see the "Property flag descriptions" section.
- if (in_array("ENCRYPTED_TEXT_PWD_ALLOWED",$options)){ $val=$val+128; }
- if (in_array("TEMP_DUPLICATE_ACCOUNT",$options)){ $val=$val+256; }
- if (in_array("NORMAL_ACCOUNT",$options)){ $val=$val+512; }
- if (in_array("INTERDOMAIN_TRUST_ACCOUNT",$options)){ $val=$val+2048; }
- if (in_array("WORKSTATION_TRUST_ACCOUNT",$options)){ $val=$val+4096; }
- if (in_array("SERVER_TRUST_ACCOUNT",$options)){ $val=$val+8192; }
- if (in_array("DONT_EXPIRE_PASSWORD",$options)){ $val=$val+65536; }
- if (in_array("MNS_LOGON_ACCOUNT",$options)){ $val=$val+131072; }
- if (in_array("SMARTCARD_REQUIRED",$options)){ $val=$val+262144; }
- if (in_array("TRUSTED_FOR_DELEGATION",$options)){ $val=$val+524288; }
- if (in_array("NOT_DELEGATED",$options)){ $val=$val+1048576; }
- if (in_array("USE_DES_KEY_ONLY",$options)){ $val=$val+2097152; }
- if (in_array("DONT_REQ_PREAUTH",$options)){ $val=$val+4194304; }
- if (in_array("PASSWORD_EXPIRED",$options)){ $val=$val+8388608; }
- if (in_array("TRUSTED_TO_AUTH_FOR_DELEGATION",$options)){ $val=$val+16777216; }
- }
- return ($val);
- }
-
- /**
- * Take an LDAP query and return the nice names, without all the LDAP prefixes (eg. CN, DN)
- *
- * @param array $groups
- * @return array
- */
- protected function nice_names($groups){
-
- $group_array=array();
- for ($i=0; $i<$groups["count"]; $i++){ // For each group
- $line=$groups[$i];
-
- if (strlen($line)>0){
- // More presumptions, they're all prefixed with CN=
- // so we ditch the first three characters and the group
- // name goes up to the first comma
- $bits=explode(",",$line);
- $group_array[]=substr($bits[0],3,(strlen($bits[0])-3));
- }
- }
- return ($group_array);
- }
-
- /**
- * Delete a distinguished name from Active Directory
- * You should never need to call this yourself, just use the wrapper functions user_delete and contact_delete
- *
- * @param string $dn The distinguished name to delete
- * @return bool
- */
- protected function dn_delete($dn){
- $result=ldap_delete($this->_conn, $dn);
- if ($result!=true){ return (false); }
- return (true);
- }
-
- /**
- * Convert a boolean value to a string
- * You should never need to call this yourself
- *
- * @param bool $bool Boolean value
- * @return string
- */
- protected function bool2str($bool) {
- return ($bool) ? 'TRUE' : 'FALSE';
- }
-
- /**
- * Convert 8bit characters e.g. accented characters to UTF8 encoded characters
- */
- protected function encode8bit(&$item, $key) {
- $encode = false;
- if (is_string($item)) {
- for ($i=0; $i<strlen($item); $i++) {
- if (ord($item[$i]) >> 7) {
- $encode = true;
- }
- }
- }
- if ($encode === true && $key != 'password') {
- $item = utf8_encode($item);
- }
- }
-}
-
-/**
-* adLDAP Exception Handler
-*
-* Exceptions of this type are thrown on bind failure or when SSL is required but not configured
-* Example:
-* try {
-* $adldap = new adLDAP();
-* }
-* catch (adLDAPException $e) {
-* echo $e;
-* exit();
-* }
-*/
-class adLDAPException extends Exception {}
-
-?>
\ No newline at end of file @@ -1,171 +1,171 @@ -=== Plugin Name ===
-Contributors: clifgriffin
-Donate link: http://clifgriffin.com/donate/
-Tags: LDAP, authentication, login, active directory, adLDAP
-Requires at least: 2.8
-Tested up to: 3.2.1
-Stable tag: 1.4.0.5.1
-
-Integrating Wordpress with LDAP shouldn't be difficult. Now it isn't. Simple LDAP Login provides all of the features, none of the hassles.
-
-== Description ==
-Having a single login for every service is a must in large organizations. This plugin allows you to integrate Wordpress with LDAP quickly and easily. Like, really really easy.
-
-**Donate?**
-
-If you use this plugin, and find that it serves your organization's needs, please consider a donation. I have spent many unpaid hours supporting and updating this plugin. A plugin like this would easily retail for $200 or more. I offer it for free, with only the request that you consider giving back if you are financially capable of doing so.
-
-**Support**
-
-If you need support, I recommend you leave a comment on the appropriate post on my blog:
-http://clifgriffin.com/2009/05/13/simple-ldap-login-13-for-wordpress/
-
-**Special Requests**
-
-If you need a customization or change specific to your install, I am available for hire. Shoot me an e-mail: clifgriffin[at]gmail.com
-
-= Features =
-
+=== Plugin Name === +Contributors: clifgriffin +Donate link: http://clifgriffin.com/donate/ +Tags: LDAP, authentication, login, active directory, adLDAP +Requires at least: 2.8 +Tested up to: 3.2.1 +Stable tag: 1.4.0.5.1 + +Integrating Wordpress with LDAP shouldn't be difficult. Now it isn't. Simple LDAP Login provides all of the features, none of the hassles. + +== Description == +Having a single login for every service is a must in large organizations. This plugin allows you to integrate Wordpress with LDAP quickly and easily. Like, really really easy. + +**Donate?** + +If you use this plugin, and find that it serves your organization's needs, please consider a donation. I have spent many unpaid hours supporting and updating this plugin. A plugin like this would easily retail for $200 or more. I offer it for free, with only the request that you consider giving back if you are financially capable of doing so. + +**Support** + +If you need support, I recommend you leave a comment on the appropriate post on my blog: +http://clifgriffin.com/2009/05/13/simple-ldap-login-13-for-wordpress/ + +**Special Requests** + +If you need a customization or change specific to your install, I am available for hire. Shoot me an e-mail: clifgriffin[at]gmail.com + += Features = + * Supports Active Directory and OpenLDAP (and other directory systems which comply to the LDAP standard, such as OpenDS) * Supports TLS -* Uses up-to-date methods for Wordpress authentication routines.
-* Includes three login modes:
-* * Normal Mode: Authenticates existing wordpress usernames against LDAP. This requires you to create all Wordpress accounts manually using the same user names as those in your LDAP directory.
-* * Account Creation Mode 1: Creates Wordpress accounts automatically for any LDAP user.
-* * Account Creation Mode 2: Creates Wordpress accounts automatically for LDAP users in a specific Group you specify.
-* Intuitive control panel.
-
-= Architecture =
-Simple LDAP Login adds an authentication filter to Wordpress that authentication requests must pass. In doing so, it makes several decisions.
-
-* Can the provided credentials be authenticated against LDAP?
-* * If so, is the username a valid WP username?
-* * * If not, can we create a WP user?
-* * * * If we can, does the user belong to the right (if any) group?
-* * * * * If the user does, create the Wordpress user and log the user in.
-* * If the username is already valid wordpress user, are they in the right group?
-* * * Is so, log the user in.
-
-This is simply a high level overview. The actual logic the plugin employs is more complex, but hopefully this gives you an idea, philosophically, about how the plugin accomplishes what it does. If the plugin is unable to authenticate the user, it passes it down the chain to Wordpress. (Unless security mode is set to high, which will disable this functionality.)
-
+* Uses up-to-date methods for Wordpress authentication routines. +* Includes three login modes: +* * Normal Mode: Authenticates existing wordpress usernames against LDAP. This requires you to create all Wordpress accounts manually using the same user names as those in your LDAP directory. +* * Account Creation Mode 1: Creates Wordpress accounts automatically for any LDAP user. +* * Account Creation Mode 2: Creates Wordpress accounts automatically for LDAP users in a specific Group you specify. +* Intuitive control panel. + += Architecture = +Simple LDAP Login adds an authentication filter to Wordpress that authentication requests must pass. In doing so, it makes several decisions. + +* Can the provided credentials be authenticated against LDAP? +* * If so, is the username a valid WP username? +* * * If not, can we create a WP user? +* * * * If we can, does the user belong to the right (if any) group? +* * * * * If the user does, create the Wordpress user and log the user in. +* * If the username is already valid wordpress user, are they in the right group? +* * * Is so, log the user in. + +This is simply a high level overview. The actual logic the plugin employs is more complex, but hopefully this gives you an idea, philosophically, about how the plugin accomplishes what it does. If the plugin is unable to authenticate the user, it passes it down the chain to Wordpress. (Unless security mode is set to high, which will disable this functionality.) + == Changelog == -**Version 1.4.0.5.1** +**Version 1.4.0.5.1** * I broke it. Sorry guys! :( -* Downgraded adLDAP as some referenced functions no longer exist. +* Downgraded adLDAP as some referenced functions no longer exist. **Version 1.4.0.5** * Updated adLDAP to version 4.x * Fixed error in OpenLDAP group membership check -* As always TEST this first. Don't assume it worksÉI don't have a testing environment to ensure it will work correctly. +* As always TEST this first. Don't assume it worksÉI don't have a testing environment to ensure it will work correctly. -**Version 1.4.0.4**
+**Version 1.4.0.4** * Fixes nickname bug accidentally put back in in last version. (My bad!) -
-**Version 1.4.0.3**
-* Reverts bug introduced in 1.4.0.2
-* If you installed 1.4.0.2 and use OpenLDAP, please update as soon as possible and verify users cannot login with incorrect passwords (and vice versa).
-
-**Version 1.4.0.2 - Patches submitted by Jonas Genannt and Ilya Kozlov**
-* Updates adLDAP to 3.3.2
-* Fixes issue with users in recursive OUs not being found.
-* Fixes issues with different Base DN formats.
-* NOTE: Please be catious in updating. As I don't have an OpenLDAP install, I am unable to independently confirm these fix the problems. If you have issues, revert to 1.4.0.1 and e-mail me: clifgriffin[at]gmail.com. Likewise, If you can confirm these changes are effective, also let me know. :)
-
-**Version 1.4.0.1**
-
-* Fix for e-mail exists issue with WP 3.0+ for LDAP installations that don't populate the e-mail address attribute.
+ +**Version 1.4.0.3** +* Reverts bug introduced in 1.4.0.2 +* If you installed 1.4.0.2 and use OpenLDAP, please update as soon as possible and verify users cannot login with incorrect passwords (and vice versa). + +**Version 1.4.0.2 - Patches submitted by Jonas Genannt and Ilya Kozlov** +* Updates adLDAP to 3.3.2 +* Fixes issue with users in recursive OUs not being found. +* Fixes issues with different Base DN formats. +* NOTE: Please be catious in updating. As I don't have an OpenLDAP install, I am unable to independently confirm these fix the problems. If you have issues, revert to 1.4.0.1 and e-mail me: clifgriffin[at]gmail.com. Likewise, If you can confirm these changes are effective, also let me know. :) + +**Version 1.4.0.1** + +* Fix for e-mail exists issue with WP 3.0+ for LDAP installations that don't populate the e-mail address attribute. * Shows actual error message from Wordpress upon failure. -
+ **Version 1.4** -* First update in about a year. Thanks for your patience. +* First update in about a year. Thanks for your patience. * Completely rewritten to support changes in Wordpress 2.8+. Now fully supports Wordpress 3.0. * Much more manageable and efficient code structure. Less code repetition. -* Includes TLS support. +* Includes TLS support. * Allows OpenLDAP users to specify an alternate LDAP attribute to use for logins for those not using UID. -
-**Version 1.3.0.3**
-
-* Test form now implements wp_authenticate and uses the same routines as the actual login. This also means account creation and group membership are tested.
-* Implemented stripslashes() to correct issue with some special characters such as a single quote and backslash.
-* Wordpress account "admin" is now allowed to login using local password even when security mode is set to high. For safety.
-* Made some minor wording changes to the admin panel.
-
-**Version 1.3.0.2.1**
-
-* Fixed case sensitivity issue that could result in multiple accounts. There may be lingering case insensitivity issues due to the get_userdatabylogin function being case-sensitive. We'll figure this out in due time.
-* Sorry for posting two updates on the same day!
-
-**Version 1.3.0.2**
-
-* Fixes several tickets including role assignment, case sensitivity, and potential compatibility issues with other themes/plugins.
-* Added security mode setting to allow security to be tightened.
-* Changed auto created accounts to use a random password rather than the LDAP password given.
-* Fixed error with the way announcements are displayed in the admin panel.
-* More code clean up.
-
-**Version 1.3.0.1**
-
-* Never officially released.
-* Contained code cleanup and some attempted fixes.
-
-**Version 1.3 Beta**
-
-* Support for both Active Directory and OpenLDAP.
-* The ability to create wordpress users automatically upon login based on LDAP group membership OR by LDAP authentication alone.
-* The ability to test domain settings straight from admin panel.
-* Announcements pane that allows me to update you with fixes, cautions, new beta versions, or other important information.
-
-**Version 1.2.0.1**
-
-* Changed required user level for admin page to 10, Administrators only.
-
-**Version 1.2**
-
-* Implemented multiple domain controllers.
-* Changed field sizes on admin page to be more user friendly.
-
-**Version 1.1**
-
-* Moved settings to administration pages under settings.
-* Upgraded to latest version of adLDAP 2.1.
-* Got rid of credentials. (They are not neccessary for the authenticate function in adLDAP!)
-* Plugin is now upgrade proof. Settings are stored using Wordpress's setting functions.
-
-**Version 1.0**
-
-* Original release.
-
-== Installation ==
-
-1. Use the WordPress plugin directory to install the plugin or upload the directory “simple-ldap-login” to the `/wp-content/plugins/` directory.
-1. Activate the plugin through the 'Plugins' menu in WordPress
-1. Immediately update the settings to those that best match your environment by going to Settings -> Simple LDAP Login
-1. If you don’t get the settings right the first time…don’t fret! Just use your wordpress credentials…they will always work in low security mode.
-1. Once you have the settings correct, you can change the security mode to High Security (if you so desire).
-1. To make your life easier, consider using two different browsers (e.g., IE and Firefox) to do testing. Change settings in one. Test in the other. This will prevent any chance of being locked out.
-
-== Frequently Asked Questions ==
-
-= Other than Wordpress, what does my system require? =
-
-If you are using Active Directory, you will probably need PHP 5. This is because I'm using adLDAP 3.0 to do my Active Directory integration. As far as I know, the rest of the code should work with PHP 4. If you are unable to upgrade to PHP 5, find an older version of adLDAP (on sourceforge) and replace adLDAP.php with it. This should bypass the PHP 5 requirement. - -Additionally, PHP must be configured/compiled with ldap support!
-
-= How do I know what the correct settings are? =
-
-I have tried to make the settings as self-explanatory as possible. If you are struggling figuring them out, you may need to speak with your LDAP administrator. I realize this is an obnoxious response, but there is no good, fail proof way to help you discover these settings. A good place to start, if you're feeling daring, might be to use ADSIEdit for Windows and Active Directory, or GQ for Linux and OpenLDAP.
-
-= It's still not working, what other things can I try? =
-
-If you are confident your settings are correct and it still does not work, it may be time to check for port or firewall issues. If your LDAP server is running on a non-standard port or an obsolete version of the LDAP protocol you are going to have issues. Port 389 is the port this plugin, and nearly every other LDAP enabled software expects. They are also expecting protocol version 3. If you are using an old version of LDAP or running a non-standard port you may need to modify the code that the plugin runs or update your LDAP installation.
-
-Unfortunately I can't be relied upon to assist with these types of requests. I chose not to support these scenarios because they are infrequent and because they confuse everyone else.
-
-= It's still not working! How can I get help? =
-There are two ways. You can post a comment on my blog (http://clifgriffin.com/2009/05/13/simple-ldap-login-13-for-wordpress/) or you can e-mail me: me[at]clifgriffin.com. I'll do my best to get you up and running!
-
-== Screenshots ==
-
-1. Easy to use admin panel.
\ No newline at end of file + +**Version 1.3.0.3** + +* Test form now implements wp_authenticate and uses the same routines as the actual login. This also means account creation and group membership are tested. +* Implemented stripslashes() to correct issue with some special characters such as a single quote and backslash. +* Wordpress account "admin" is now allowed to login using local password even when security mode is set to high. For safety. +* Made some minor wording changes to the admin panel. + +**Version 1.3.0.2.1** + +* Fixed case sensitivity issue that could result in multiple accounts. There may be lingering case insensitivity issues due to the get_userdatabylogin function being case-sensitive. We'll figure this out in due time. +* Sorry for posting two updates on the same day! + +**Version 1.3.0.2** + +* Fixes several tickets including role assignment, case sensitivity, and potential compatibility issues with other themes/plugins. +* Added security mode setting to allow security to be tightened. +* Changed auto created accounts to use a random password rather than the LDAP password given. +* Fixed error with the way announcements are displayed in the admin panel. +* More code clean up. + +**Version 1.3.0.1** + +* Never officially released. +* Contained code cleanup and some attempted fixes. + +**Version 1.3 Beta** + +* Support for both Active Directory and OpenLDAP. +* The ability to create wordpress users automatically upon login based on LDAP group membership OR by LDAP authentication alone. +* The ability to test domain settings straight from admin panel. +* Announcements pane that allows me to update you with fixes, cautions, new beta versions, or other important information. + +**Version 1.2.0.1** + +* Changed required user level for admin page to 10, Administrators only. + +**Version 1.2** + +* Implemented multiple domain controllers. +* Changed field sizes on admin page to be more user friendly. + +**Version 1.1** + +* Moved settings to administration pages under settings. +* Upgraded to latest version of adLDAP 2.1. +* Got rid of credentials. (They are not neccessary for the authenticate function in adLDAP!) +* Plugin is now upgrade proof. Settings are stored using Wordpress's setting functions. + +**Version 1.0** + +* Original release. + +== Installation == + +1. Use the WordPress plugin directory to install the plugin or upload the directory “simple-ldap-login” to the `/wp-content/plugins/` directory. +1. Activate the plugin through the 'Plugins' menu in WordPress +1. Immediately update the settings to those that best match your environment by going to Settings -> Simple LDAP Login +1. If you don’t get the settings right the first time…don’t fret! Just use your wordpress credentials…they will always work in low security mode. +1. Once you have the settings correct, you can change the security mode to High Security (if you so desire). +1. To make your life easier, consider using two different browsers (e.g., IE and Firefox) to do testing. Change settings in one. Test in the other. This will prevent any chance of being locked out. + +== Frequently Asked Questions == + += Other than Wordpress, what does my system require? = + +If you are using Active Directory, you will probably need PHP 5. This is because I'm using adLDAP 3.0 to do my Active Directory integration. As far as I know, the rest of the code should work with PHP 4. If you are unable to upgrade to PHP 5, find an older version of adLDAP (on sourceforge) and replace adLDAP.php with it. This should bypass the PHP 5 requirement. + +Additionally, PHP must be configured/compiled with ldap support! + += How do I know what the correct settings are? = + +I have tried to make the settings as self-explanatory as possible. If you are struggling figuring them out, you may need to speak with your LDAP administrator. I realize this is an obnoxious response, but there is no good, fail proof way to help you discover these settings. A good place to start, if you're feeling daring, might be to use ADSIEdit for Windows and Active Directory, or GQ for Linux and OpenLDAP. + += It's still not working, what other things can I try? = + +If you are confident your settings are correct and it still does not work, it may be time to check for port or firewall issues. If your LDAP server is running on a non-standard port or an obsolete version of the LDAP protocol you are going to have issues. Port 389 is the port this plugin, and nearly every other LDAP enabled software expects. They are also expecting protocol version 3. If you are using an old version of LDAP or running a non-standard port you may need to modify the code that the plugin runs or update your LDAP installation. + +Unfortunately I can't be relied upon to assist with these types of requests. I chose not to support these scenarios because they are infrequent and because they confuse everyone else. + += It's still not working! How can I get help? = +There are two ways. You can post a comment on my blog (http://clifgriffin.com/2009/05/13/simple-ldap-login-13-for-wordpress/) or you can e-mail me: me[at]clifgriffin.com. I'll do my best to get you up and running! + +== Screenshots == + +1. Easy to use admin panel.
\ No newline at end of file diff --git a/umClient.php b/umClient.php new file mode 100644 index 0000000..c94ed94 --- /dev/null +++ b/umClient.php @@ -0,0 +1,40 @@ +<?php + +class umClient { + private $um_url = ''; + private $cookiejar = ''; + + public function __construct($um_url, $cookiejar) { + $this->um_url = $um_url; + $this->cookiejar = $cookiejar; + } + + public function get_userinfo($username, $password) { + $ch = curl_init(); + curl_setopt($ch, CURLOPT_URL, $this->um_url.'/auth'); + curl_setopt($ch, CURLOPT_RETURNTRANSFER, true); + curl_setopt($ch, CURLOPT_COOKIEJAR, $this->cookiejar); + curl_setopt($ch, CURLOPT_POST, true); + curl_setopt($ch, CURLOPT_POSTFIELDS, array( + 'action'=>'login', + 'username'=>$username, + 'password'=>$password)); + curl_exec($ch); + $auth_status=curl_getinfo($ch, CURLINFO_HTTP_CODE); + curl_close($ch); + + if ($auth_status!==200) { + // couldn't log in + return $auth_status; + } + + $ch = curl_init(); + curl_setopt($ch, CURLOPT_URL, $this->um_url.'/users/'.$username.'.json'); + curl_setopt($ch, CURLOPT_RETURNTRANSFER, true); + curl_setopt($ch, CURLOPT_COOKIEJAR, $this->cookiejar); + curl_setopt($ch, CURLOPT_COOKIEFILE, $this->cookiejar); + $json_str = curl_exec($ch); + $json_arr = json_decode($json_str, true); + return $json_arr[0]; + } +} |