Skip to content

Jeff Balicki / st_joseph

Go to a project
Toggle navigation
Toggle navigation pinning
Switch branch/tag
Ldap.php 4.4 KB
1 2 3 4 5 6 7 8 9 10 11 12 13 14 15 16 17 18 19 20 21 22 23 24 25 26 27 28 29 30 31 32 33 34 35 36 37 38 39 40 41 42 43 44 45 46 47 48 49 50 51 52 53 54 55 56 57 58 59 60 61 62 63 64 65 66 67 68 69 70 71 72 73 74 75 76 77 78 79 80 81 82 83 84 85 86 87 88 89 90 91 92 93 94 95 96 97 98 99 100 101 102 103 104 105 106 107 108 109 110 111 112 113 114 115 116 117 118 119 120 121 122 123 124 125 126 127 128 129 130 131 132 133 134 135 136 137 138 139 140 141 142 143 144 145 146 147 148 149 150 151 152 153 154 155 156 157 158 159 160 161 162 163 164 
<?php

/**
 * $Id: ldap.php 381646 2011-05-06 09:37:31Z heiglandreas $
 *
 * authLdap - Authenticate Wordpress against an LDAP-Backend.
 * Copyright (c) 2008 Andreas Heigl<andreas@heigl.org>
 *
 * This program is free software; you can redistribute it and/or
 * modify it under the terms of the GNU General Public License
 * as published by the Free Software Foundation; either version 2
 * of the License, or (at your option) any later version.
 *
 * This program is distributed in the hope that it will be useful,
 * but WITHOUT ANY WARRANTY; without even the implied warranty of
 * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the
 * GNU General Public License for more details.
 *
 * You should have received a copy of the GNU General Public License
 * along with this program; if not, write to the Free Software
 * Foundation, Inc., 51 Franklin Street, Fifth Floor, Boston, MA  02110-1301, USA.
 *
 * This file handles the basic LDAP-Tasks
 *
 * @author Andreas Heigl<andreas@heigl.org>
 * @package authLdap
 * @category authLdap
 * @since 2008
 */

namespace Org_Heigl\AuthLdap\Manager;

use Org_Heigl\AuthLdap\Exception\Error;
use Org_Heigl\AuthLdap\Exception\MissingValidLdapConnection;
use Org_Heigl\AuthLdap\LdapUri;
use Org_Heigl\AuthLdap\Wrapper\LdapFactory;
use Org_Heigl\AuthLdap\Wrapper\LdapInterface;

class Ldap
{
	/**
	 * This property contains the connection handle to the ldap-server
	 *
	 * @var LdapInterface|null
	 */
	private ?LdapInterface $connection;

	private LdapUri $uri;

	private LdapFactory $factory;

	private $starttls;

	public function __construct(LdapFactory $factory, LdapUri $uri, $starttls = false)
	{
		$this->starttls = $starttls;
		$this->uri = $uri;
		$this->factory = $factory;
		$this->connection = null;
	}

	/**
	 * Connect to the given LDAP-Server
	 */
	public function connect(): self
	{
		$this->disconnect();

		$this->connection = $this->factory->createFromLdapUri($this->uri->toString());
		$this->connection->setOption(LDAP_OPT_PROTOCOL_VERSION, 3);
		$this->connection->setOption(LDAP_OPT_REFERRALS, 0);
		//if configured try to upgrade encryption to tls for ldap connections
		if ($this->starttls) {
			$this->connection->startTls();
		}
		return $this;
	}

	/**
	 * Disconnect from a resource if one is available
	 */
	public function disconnect(): self
	{
		if (null !== $this->connection) {
			$this->connection->unbind();
		}
		$this->connection = null;
		return $this;
	}

	/**
	 * Bind to an LDAP-Server with the given credentials
	 *
	 * @throws Error
	 */
	public function bind(): self
	{
		if (!$this->connection) {
			$this->connect();
		}
		if (null === $this->connection) {
			throw MissingValidLdapConnection::get();
		}
		if ($this->uri->isAnonymous()) {
			$bind = $this->connection->bind();
		} else {
			$bind = $this->connection->bind($this->uri->getUsername(), $this->uri->getPassword());
		}
		if (!$bind) {
			throw new Error('bind was not successfull: ' . $this->connection->error());
		}
		return $this;
	}

	/**
	 * This method does the actual ldap-serch.
	 *
	 * This is using the filter <var>$filter</var> for retrieving the attributes
	 * <var>$attributes</var>
	 *
	 * @return array<string|int, mixed>
	 * @throws Error
	 */
	public function search(string $filter, array $attributes = ['uid'], ?string $base = ''): array
	{
		if (null === $this->connection) {
			throw new Error('No resource handle available');
		}
		if (!$base) {
			$base = $this->uri->getBaseDn();
		}
		$result = $this->connection->search($base, $filter, $attributes);
		if ($result === false) {
			throw new Error('no result found');
		}
		$info = $this->connection->getEntries($result);
		if ($info === false) {
			throw new Error('invalid results found');
		}
		return $info;
	}

	/**
	 * This method authenticates the user <var>$username</var> using the
	 * password <var>$password</var>
	 *
	 * @param string $filter OPTIONAL This parameter defines the Filter to be used
	 * when searchin for the username. This MUST contain the string '%s' which
	 * will be replaced by the vaue given in <var>$username</var>
	 * @throws Error
	 */
	public function authenticate(string $username, string $password, string $filter = '(uid=%s)'): bool
	{
		$this->connect();
		$this->bind();
		$res = $this->search(sprintf($filter, $this->factory->escape($username, '', LDAP_ESCAPE_FILTER)));
		if ($res ['count'] !== 1) {
			return false;
		}

		$dn = $res[0]['dn'];
		return $username && $password && $this->connection->bind($dn, $password);
	}
}