2013-06-03 17:02:08 +02:00
|
|
|
<?php
|
2013-10-22 14:25:56 +02:00
|
|
|
// {{{ICINGA_LICENSE_HEADER}}}
|
|
|
|
// {{{ICINGA_LICENSE_HEADER}}}
|
|
|
|
|
2013-06-03 17:02:08 +02:00
|
|
|
namespace Icinga\Protocol\Ldap;
|
2013-06-07 13:29:11 +02:00
|
|
|
|
2014-06-25 12:38:31 +02:00
|
|
|
use Icinga\Protocol\Ldap\Exception as LdapException;
|
2013-06-03 17:02:08 +02:00
|
|
|
use Icinga\Application\Platform;
|
2013-10-22 14:25:56 +02:00
|
|
|
use Icinga\Application\Config;
|
2014-10-31 10:27:17 +01:00
|
|
|
use Icinga\Application\Logger;
|
2014-11-18 13:11:52 +01:00
|
|
|
use Icinga\Data\ConfigObject;
|
2013-06-03 17:02:08 +02:00
|
|
|
|
|
|
|
/**
|
|
|
|
* Backend class managing all the LDAP stuff for you.
|
|
|
|
*
|
|
|
|
* Usage example:
|
|
|
|
*
|
|
|
|
* <code>
|
|
|
|
* $lconf = new Connection((object) array(
|
|
|
|
* 'hostname' => 'localhost',
|
|
|
|
* 'root_dn' => 'dc=monitoring,dc=...',
|
|
|
|
* 'bind_dn' => 'cn=Mangager,dc=monitoring,dc=...',
|
|
|
|
* 'bind_pw' => '***'
|
|
|
|
* ));
|
|
|
|
* </code>
|
|
|
|
*
|
|
|
|
* @copyright Copyright (c) 2013 Icinga-Web Team <info@icinga.org>
|
|
|
|
* @author Icinga-Web Team <info@icinga.org>
|
|
|
|
* @license http://www.gnu.org/copyleft/gpl.html GNU General Public License
|
|
|
|
*/
|
|
|
|
class Connection
|
|
|
|
{
|
2013-07-12 13:41:48 +02:00
|
|
|
const LDAP_NO_SUCH_OBJECT = 0x20;
|
2013-06-07 13:29:11 +02:00
|
|
|
|
2013-07-12 13:41:48 +02:00
|
|
|
protected $ds;
|
2013-06-03 17:02:08 +02:00
|
|
|
protected $hostname;
|
2013-07-12 13:41:48 +02:00
|
|
|
protected $port = 389;
|
2013-06-03 17:02:08 +02:00
|
|
|
protected $bind_dn;
|
|
|
|
protected $bind_pw;
|
|
|
|
protected $root_dn;
|
|
|
|
protected $count;
|
2014-06-06 17:57:50 +02:00
|
|
|
|
2013-06-03 17:02:08 +02:00
|
|
|
protected $ldap_extension = array(
|
2013-07-12 13:41:48 +02:00
|
|
|
'1.3.6.1.4.1.1466.20037' => 'STARTTLS',
|
2013-06-03 17:02:08 +02:00
|
|
|
// '1.3.6.1.4.1.4203.1.11.1' => '11.1', // PASSWORD_MODIFY
|
|
|
|
// '1.3.6.1.4.1.4203.1.11.3' => '11.3', // Whoami
|
|
|
|
// '1.3.6.1.1.8' => '8', // Cancel Extended Request
|
|
|
|
);
|
|
|
|
|
|
|
|
protected $ms_capability = array(
|
|
|
|
// Prefix LDAP_CAP_
|
|
|
|
// Source: http://msdn.microsoft.com/en-us/library/cc223359.aspx
|
|
|
|
|
|
|
|
// Running Active Directory as AD DS:
|
2013-07-12 13:41:48 +02:00
|
|
|
'1.2.840.113556.1.4.800' => 'ACTIVE_DIRECTORY_OID',
|
|
|
|
|
2013-06-03 17:02:08 +02:00
|
|
|
// Capable of signing and sealing on an NTLM authenticated connection
|
|
|
|
// and of performing subsequent binds on a signed or sealed connection.
|
|
|
|
'1.2.840.113556.1.4.1791' => 'ACTIVE_DIRECTORY_LDAP_INTEG_OID',
|
2013-07-12 13:41:48 +02:00
|
|
|
|
2013-06-03 17:02:08 +02:00
|
|
|
// If AD DS: running at least W2K3, if AD LDS running at least W2K8
|
|
|
|
'1.2.840.113556.1.4.1670' => 'ACTIVE_DIRECTORY_V51_OID',
|
2013-07-12 13:41:48 +02:00
|
|
|
|
2013-06-03 17:02:08 +02:00
|
|
|
// If AD LDS: accepts DIGEST-MD5 binds for AD LDSsecurity principals
|
|
|
|
'1.2.840.113556.1.4.1880' => 'ACTIVE_DIRECTORY_ADAM_DIGEST',
|
2013-07-12 13:41:48 +02:00
|
|
|
|
2013-06-03 17:02:08 +02:00
|
|
|
// Running Active Directory as AD LDS
|
|
|
|
'1.2.840.113556.1.4.1851' => 'ACTIVE_DIRECTORY_ADAM_OID',
|
2013-07-12 13:41:48 +02:00
|
|
|
|
2013-06-03 17:02:08 +02:00
|
|
|
// If AD DS: it's a Read Only DC (RODC)
|
|
|
|
'1.2.840.113556.1.4.1920' => 'ACTIVE_DIRECTORY_PARTIAL_SECRETS_OID',
|
2013-07-12 13:41:48 +02:00
|
|
|
|
2013-06-03 17:02:08 +02:00
|
|
|
// Running at least W2K8
|
|
|
|
'1.2.840.113556.1.4.1935' => 'ACTIVE_DIRECTORY_V60_OID',
|
2013-07-12 13:41:48 +02:00
|
|
|
|
2013-06-03 17:02:08 +02:00
|
|
|
// Running at least W2K8r2
|
|
|
|
'1.2.840.113556.1.4.2080' => 'ACTIVE_DIRECTORY_V61_R2_OID',
|
2013-07-12 13:41:48 +02:00
|
|
|
|
2013-06-03 17:02:08 +02:00
|
|
|
// Running at least W2K12
|
|
|
|
'1.2.840.113556.1.4.2237' => 'ACTIVE_DIRECTORY_W8_OID',
|
|
|
|
|
|
|
|
);
|
|
|
|
|
2014-06-16 14:16:18 +02:00
|
|
|
/**
|
|
|
|
* Whether the bind on this connection was already performed
|
|
|
|
*
|
|
|
|
* @var bool
|
|
|
|
*/
|
2014-06-25 12:38:31 +02:00
|
|
|
protected $bound = false;
|
2014-06-16 14:16:18 +02:00
|
|
|
|
2013-06-03 17:02:08 +02:00
|
|
|
protected $root;
|
|
|
|
|
2013-07-12 13:41:48 +02:00
|
|
|
protected $supports_v3 = false;
|
|
|
|
protected $supports_tls = false;
|
|
|
|
|
2014-06-06 17:57:50 +02:00
|
|
|
protected $capabilities;
|
2014-06-16 14:16:18 +02:00
|
|
|
protected $namingContexts;
|
2014-11-18 09:45:54 +01:00
|
|
|
protected $discoverySuccess = false;
|
2014-06-06 17:57:50 +02:00
|
|
|
|
2013-06-03 17:02:08 +02:00
|
|
|
/**
|
|
|
|
* Constructor
|
|
|
|
*
|
|
|
|
* TODO: Allow to pass port and SSL options
|
|
|
|
*
|
2014-11-18 13:11:52 +01:00
|
|
|
* @param ConfigObject $config
|
2013-06-03 17:02:08 +02:00
|
|
|
*/
|
2014-11-18 13:11:52 +01:00
|
|
|
public function __construct(ConfigObject $config)
|
2013-06-03 17:02:08 +02:00
|
|
|
{
|
|
|
|
$this->hostname = $config->hostname;
|
2013-07-12 13:41:48 +02:00
|
|
|
$this->bind_dn = $config->bind_dn;
|
|
|
|
$this->bind_pw = $config->bind_pw;
|
|
|
|
$this->root_dn = $config->root_dn;
|
2013-10-22 14:25:56 +02:00
|
|
|
$this->port = $config->get('port', $this->port);
|
2013-06-03 17:02:08 +02:00
|
|
|
}
|
|
|
|
|
2014-11-18 09:45:54 +01:00
|
|
|
public function getHostname()
|
|
|
|
{
|
|
|
|
return $this->hostname;
|
|
|
|
}
|
|
|
|
|
|
|
|
public function getPort()
|
|
|
|
{
|
|
|
|
return $this->port;
|
|
|
|
}
|
|
|
|
|
2013-06-03 17:02:08 +02:00
|
|
|
public function getDN()
|
|
|
|
{
|
|
|
|
return $this->root_dn;
|
|
|
|
}
|
|
|
|
|
|
|
|
public function root()
|
|
|
|
{
|
|
|
|
if ($this->root === null) {
|
|
|
|
$this->root = Root::forConnection($this);
|
|
|
|
}
|
|
|
|
return $this->root;
|
|
|
|
}
|
|
|
|
|
|
|
|
public function select()
|
|
|
|
{
|
|
|
|
return new Query($this);
|
|
|
|
}
|
|
|
|
|
|
|
|
public function fetchOne($query, $fields = array())
|
|
|
|
{
|
2013-07-12 13:41:48 +02:00
|
|
|
$row = (array) $this->fetchRow($query, $fields);
|
2013-06-03 17:02:08 +02:00
|
|
|
return array_shift($row);
|
|
|
|
}
|
2013-06-07 13:29:11 +02:00
|
|
|
|
2014-03-20 16:46:10 +01:00
|
|
|
public function hasDN($dn)
|
|
|
|
{
|
|
|
|
$this->connect();
|
2014-06-16 14:16:18 +02:00
|
|
|
$this->bind();
|
|
|
|
|
2014-03-20 16:46:10 +01:00
|
|
|
$result = ldap_read($this->ds, $dn, '(objectClass=*)', array('objectClass'));
|
|
|
|
return ldap_count_entries($this->ds, $result) > 0;
|
|
|
|
}
|
|
|
|
|
|
|
|
public function deleteRecursively($dn)
|
|
|
|
{
|
|
|
|
$this->connect();
|
2014-06-16 14:16:18 +02:00
|
|
|
$this->bind();
|
|
|
|
|
2014-03-20 16:46:10 +01:00
|
|
|
$result = @ldap_list($this->ds, $dn, '(objectClass=*)', array('objectClass'));
|
|
|
|
if ($result === false) {
|
|
|
|
if (ldap_errno($this->ds) === self::LDAP_NO_SUCH_OBJECT) {
|
|
|
|
return false;
|
|
|
|
}
|
2014-06-25 12:38:31 +02:00
|
|
|
throw new LdapException(
|
2014-03-20 16:46:10 +01:00
|
|
|
sprintf(
|
|
|
|
'LDAP list for "%s" failed: %s',
|
|
|
|
$dn,
|
|
|
|
ldap_error($this->ds)
|
|
|
|
)
|
|
|
|
);
|
|
|
|
}
|
|
|
|
$children = ldap_get_entries($this->ds, $result);
|
2014-06-16 14:16:18 +02:00
|
|
|
for ($i = 0; $i < $children['count']; $i++) {
|
2014-03-20 16:46:10 +01:00
|
|
|
$result = $this->deleteRecursively($children[$i]['dn']);
|
|
|
|
if (!$result) {
|
|
|
|
//return result code, if delete fails
|
2014-06-25 12:38:31 +02:00
|
|
|
throw new LdapException(sprintf('Recursively deleting "%s" failed', $dn));
|
2014-03-20 16:46:10 +01:00
|
|
|
}
|
|
|
|
}
|
|
|
|
return $this->deleteDN($dn);
|
|
|
|
}
|
|
|
|
|
|
|
|
public function deleteDN($dn)
|
|
|
|
{
|
|
|
|
$this->connect();
|
2014-06-16 14:16:18 +02:00
|
|
|
$this->bind();
|
2014-03-20 16:46:10 +01:00
|
|
|
|
|
|
|
$result = @ldap_delete($this->ds, $dn);
|
|
|
|
if ($result === false) {
|
|
|
|
if (ldap_errno($this->ds) === self::LDAP_NO_SUCH_OBJECT) {
|
|
|
|
return false;
|
|
|
|
}
|
2014-06-25 12:38:31 +02:00
|
|
|
throw new LdapException(
|
2014-03-20 16:46:10 +01:00
|
|
|
sprintf(
|
|
|
|
'LDAP delete for "%s" failed: %s',
|
|
|
|
$dn,
|
|
|
|
ldap_error($this->ds)
|
|
|
|
)
|
|
|
|
);
|
|
|
|
}
|
|
|
|
|
|
|
|
return true;
|
|
|
|
}
|
|
|
|
|
2014-06-11 13:14:05 +02:00
|
|
|
/**
|
|
|
|
* Fetch the distinguished name of the first result of the given query
|
|
|
|
*
|
2014-06-23 13:57:41 +02:00
|
|
|
* @param $query The query returning the result set
|
|
|
|
* @param array $fields The fields to fetch
|
2014-06-11 13:14:05 +02:00
|
|
|
*
|
2014-06-23 13:57:41 +02:00
|
|
|
* @return string Returns the distinguished name, or false when the given query yields no results
|
2014-06-25 12:38:31 +02:00
|
|
|
* @throws LdapException When the query result is empty and contains no DN to fetch
|
2014-06-11 13:14:05 +02:00
|
|
|
*/
|
2013-06-03 17:02:08 +02:00
|
|
|
public function fetchDN($query, $fields = array())
|
|
|
|
{
|
|
|
|
$rows = $this->fetchAll($query, $fields);
|
|
|
|
if (count($rows) !== 1) {
|
2014-06-25 12:38:31 +02:00
|
|
|
throw new LdapException(
|
2014-06-23 13:57:41 +02:00
|
|
|
sprintf(
|
|
|
|
'Cannot fetch single DN for %s',
|
|
|
|
$query
|
|
|
|
)
|
|
|
|
);
|
2013-06-03 17:02:08 +02:00
|
|
|
}
|
|
|
|
return key($rows);
|
|
|
|
}
|
|
|
|
|
2014-06-16 14:16:18 +02:00
|
|
|
/**
|
|
|
|
* @param $query
|
|
|
|
* @param array $fields
|
|
|
|
*
|
|
|
|
* @return mixed
|
|
|
|
*/
|
2013-06-03 17:02:08 +02:00
|
|
|
public function fetchRow($query, $fields = array())
|
|
|
|
{
|
|
|
|
// TODO: This is ugly, make it better!
|
|
|
|
$results = $this->fetchAll($query, $fields);
|
|
|
|
return array_shift($results);
|
|
|
|
}
|
|
|
|
|
2014-06-16 14:16:18 +02:00
|
|
|
/**
|
|
|
|
* @param Query $query
|
|
|
|
*
|
|
|
|
* @return int
|
|
|
|
*/
|
2013-06-03 17:02:08 +02:00
|
|
|
public function count(Query $query)
|
|
|
|
{
|
|
|
|
$results = $this->runQuery($query, '+');
|
2013-07-12 13:41:48 +02:00
|
|
|
if (! $results) {
|
|
|
|
return 0;
|
|
|
|
}
|
2013-06-03 17:02:08 +02:00
|
|
|
return ldap_count_entries($this->ds, $results);
|
|
|
|
}
|
|
|
|
|
|
|
|
public function fetchAll($query, $fields = array())
|
|
|
|
{
|
|
|
|
$offset = null;
|
|
|
|
$limit = null;
|
|
|
|
if ($query->hasLimit()) {
|
|
|
|
$offset = $query->getOffset();
|
2013-07-12 13:41:48 +02:00
|
|
|
$limit = $query->getLimit();
|
2013-06-03 17:02:08 +02:00
|
|
|
}
|
|
|
|
$entries = array();
|
|
|
|
$results = $this->runQuery($query, $fields);
|
2013-07-12 13:41:48 +02:00
|
|
|
if (! $results) {
|
|
|
|
return array();
|
|
|
|
}
|
2013-06-03 17:02:08 +02:00
|
|
|
$entry = ldap_first_entry($this->ds, $results);
|
|
|
|
$count = 0;
|
|
|
|
while ($entry) {
|
|
|
|
if (($offset === null || $offset <= $count)
|
|
|
|
&& ($limit === null || ($offset + $limit) >= $count)
|
|
|
|
) {
|
|
|
|
$attrs = ldap_get_attributes($this->ds, $entry);
|
2013-07-12 13:41:48 +02:00
|
|
|
$entries[ldap_get_dn($this->ds, $entry)]
|
|
|
|
= $this->cleanupAttributes($attrs);
|
2013-06-03 17:02:08 +02:00
|
|
|
}
|
|
|
|
$count++;
|
|
|
|
$entry = ldap_next_entry($this->ds, $entry);
|
|
|
|
}
|
|
|
|
ldap_free_result($results);
|
|
|
|
return $entries;
|
|
|
|
}
|
|
|
|
|
|
|
|
public function cleanupAttributes(& $attrs)
|
|
|
|
{
|
2013-07-12 13:41:48 +02:00
|
|
|
$clean = (object) array();
|
2013-06-03 17:02:08 +02:00
|
|
|
for ($i = 0; $i < $attrs['count']; $i++) {
|
|
|
|
$attr_name = $attrs[$i];
|
|
|
|
if ($attrs[$attr_name]['count'] === 1) {
|
|
|
|
$clean->$attr_name = $attrs[$attr_name][0];
|
|
|
|
} else {
|
|
|
|
for ($j = 0; $j < $attrs[$attr_name]['count']; $j++) {
|
|
|
|
$clean->{$attr_name}[] = $attrs[$attr_name][$j];
|
|
|
|
}
|
|
|
|
}
|
|
|
|
}
|
|
|
|
return $clean;
|
|
|
|
}
|
|
|
|
|
|
|
|
protected function runQuery($query, $fields)
|
|
|
|
{
|
|
|
|
$this->connect();
|
2014-06-16 14:16:18 +02:00
|
|
|
$this->bind();
|
2013-06-03 17:02:08 +02:00
|
|
|
if ($query instanceof Query) {
|
|
|
|
$fields = $query->listFields();
|
|
|
|
}
|
|
|
|
// WARNING:
|
|
|
|
// We do not support pagination right now, and there is no chance to
|
|
|
|
// do so for PHP < 5.4. Warnings about "Sizelimit exceeded" will
|
|
|
|
// therefore not be hidden right now.
|
2014-02-14 15:38:52 +01:00
|
|
|
$base = $query->hasBase() ? $query->getBase() : $this->root_dn;
|
2013-07-12 13:41:48 +02:00
|
|
|
$results = @ldap_search(
|
2013-06-03 17:02:08 +02:00
|
|
|
$this->ds,
|
2014-02-14 15:38:52 +01:00
|
|
|
$base,
|
2014-09-02 10:17:01 +02:00
|
|
|
$query->create(),
|
2013-06-03 17:02:08 +02:00
|
|
|
$fields,
|
|
|
|
0, // Attributes and values
|
2013-07-12 13:41:48 +02:00
|
|
|
0 // No limit - at least where possible
|
2013-06-03 17:02:08 +02:00
|
|
|
);
|
2013-07-12 13:41:48 +02:00
|
|
|
if ($results === false) {
|
|
|
|
if (ldap_errno($this->ds) === self::LDAP_NO_SUCH_OBJECT) {
|
|
|
|
return false;
|
|
|
|
}
|
2014-06-25 12:38:31 +02:00
|
|
|
throw new LdapException(
|
2013-06-07 13:29:11 +02:00
|
|
|
sprintf(
|
|
|
|
'LDAP query "%s" (root %s) failed: %s',
|
|
|
|
$query,
|
|
|
|
$this->root_dn,
|
|
|
|
ldap_error($this->ds)
|
|
|
|
)
|
|
|
|
);
|
2013-06-03 17:02:08 +02:00
|
|
|
}
|
|
|
|
$list = array();
|
|
|
|
if ($query instanceof Query) {
|
|
|
|
foreach ($query->getSortColumns() as $col) {
|
2013-06-07 13:29:11 +02:00
|
|
|
ldap_sort($this->ds, $results, $col[0]);
|
2013-06-03 17:02:08 +02:00
|
|
|
}
|
|
|
|
}
|
|
|
|
return $results;
|
|
|
|
}
|
|
|
|
|
|
|
|
public function testCredentials($username, $password)
|
|
|
|
{
|
2014-11-06 17:04:56 +01:00
|
|
|
$this->connect();
|
2013-07-12 13:41:48 +02:00
|
|
|
|
2014-11-06 17:04:56 +01:00
|
|
|
$r = @ldap_bind($this->ds, $username, $password);
|
2013-06-03 17:02:08 +02:00
|
|
|
if ($r) {
|
2014-02-26 11:19:52 +01:00
|
|
|
Logger::debug(
|
2013-07-12 13:41:48 +02:00
|
|
|
'Successfully tested LDAP credentials (%s / %s)',
|
|
|
|
$username,
|
|
|
|
'***'
|
|
|
|
);
|
2013-06-03 17:02:08 +02:00
|
|
|
return true;
|
|
|
|
} else {
|
2014-02-26 11:19:52 +01:00
|
|
|
Logger::debug(
|
2013-07-12 13:41:48 +02:00
|
|
|
'Testing LDAP credentials (%s / %s) failed: %s',
|
2013-06-03 17:02:08 +02:00
|
|
|
$username,
|
|
|
|
'***',
|
2014-11-06 17:04:56 +01:00
|
|
|
ldap_error($this->ds)
|
2013-06-07 13:29:11 +02:00
|
|
|
);
|
2013-06-03 17:02:08 +02:00
|
|
|
return false;
|
|
|
|
}
|
|
|
|
}
|
|
|
|
|
2014-06-16 14:16:18 +02:00
|
|
|
/**
|
|
|
|
* @param null $sub
|
|
|
|
*
|
|
|
|
* @return string
|
|
|
|
*/
|
2013-07-12 13:41:48 +02:00
|
|
|
protected function getConfigDir($sub = null)
|
2013-06-03 17:02:08 +02:00
|
|
|
{
|
2014-11-07 13:53:03 +01:00
|
|
|
$dir = Config::$configDir . '/ldap';
|
2013-07-12 13:41:48 +02:00
|
|
|
if ($sub !== null) {
|
|
|
|
$dir .= '/' . $sub;
|
|
|
|
}
|
|
|
|
return $dir;
|
2013-06-03 17:02:08 +02:00
|
|
|
}
|
|
|
|
|
2014-06-16 14:16:18 +02:00
|
|
|
/**
|
|
|
|
* Connect to the given ldap server and apply settings depending on the discovered capabilities
|
|
|
|
*
|
|
|
|
* @return resource A positive LDAP link identifier
|
2014-06-25 12:38:31 +02:00
|
|
|
* @throws LdapException When the connection is not possible
|
2014-06-16 14:16:18 +02:00
|
|
|
*/
|
2013-07-12 13:41:48 +02:00
|
|
|
protected function prepareNewConnection()
|
|
|
|
{
|
|
|
|
$use_tls = false;
|
|
|
|
$force_tls = true;
|
|
|
|
$force_tls = false;
|
|
|
|
|
|
|
|
if ($use_tls) {
|
|
|
|
$this->prepareTlsEnvironment();
|
|
|
|
}
|
|
|
|
|
|
|
|
$ds = ldap_connect($this->hostname, $this->port);
|
2014-11-06 17:04:56 +01:00
|
|
|
try {
|
|
|
|
$capabilities = $this->discoverCapabilities($ds);
|
|
|
|
list($cap, $namingContexts) = $capabilities;
|
2014-11-18 09:45:54 +01:00
|
|
|
$this->discoverySuccess = true;
|
2014-11-06 17:04:56 +01:00
|
|
|
} catch (LdapException $e) {
|
|
|
|
|
|
|
|
// discovery failed, guess defaults
|
|
|
|
$cap = (object) array(
|
|
|
|
'supports_ldapv3' => true,
|
|
|
|
'supports_starttls' => false,
|
|
|
|
'msCapabilities' => array()
|
|
|
|
);
|
|
|
|
$namingContexts = null;
|
|
|
|
}
|
2014-06-06 17:57:50 +02:00
|
|
|
$this->capabilities = $cap;
|
2014-06-16 14:16:18 +02:00
|
|
|
$this->namingContexts = $namingContexts;
|
2013-07-12 13:41:48 +02:00
|
|
|
|
|
|
|
if ($use_tls) {
|
2014-06-16 14:16:18 +02:00
|
|
|
if ($cap->supports_starttls) {
|
2013-07-12 13:41:48 +02:00
|
|
|
if (@ldap_start_tls($ds)) {
|
2014-02-26 11:19:52 +01:00
|
|
|
Logger::debug('LDAP STARTTLS succeeded');
|
2013-07-12 13:41:48 +02:00
|
|
|
} else {
|
2014-02-26 11:19:52 +01:00
|
|
|
Logger::debug('LDAP STARTTLS failed: %s', ldap_error($ds));
|
2014-06-25 12:38:31 +02:00
|
|
|
throw new LdapException(
|
2013-07-12 13:41:48 +02:00
|
|
|
sprintf(
|
|
|
|
'LDAP STARTTLS failed: %s',
|
|
|
|
ldap_error($ds)
|
|
|
|
)
|
|
|
|
);
|
|
|
|
}
|
|
|
|
} elseif ($force_tls) {
|
2014-06-25 12:38:31 +02:00
|
|
|
throw new LdapException(
|
2013-07-12 13:41:48 +02:00
|
|
|
sprintf(
|
|
|
|
'TLS is required but not announced by %s',
|
|
|
|
$this->host_name
|
|
|
|
)
|
|
|
|
);
|
|
|
|
} else {
|
|
|
|
// TODO: Log noticy -> TLS enabled but not announced
|
|
|
|
}
|
|
|
|
}
|
|
|
|
// ldap_rename requires LDAPv3:
|
2014-06-16 14:16:18 +02:00
|
|
|
if ($cap->supports_ldapv3) {
|
2013-07-12 13:41:48 +02:00
|
|
|
if (! ldap_set_option($ds, LDAP_OPT_PROTOCOL_VERSION, 3)) {
|
2014-06-25 12:38:31 +02:00
|
|
|
throw new LdapException('LDAPv3 is required');
|
2013-07-12 13:41:48 +02:00
|
|
|
}
|
|
|
|
} else {
|
|
|
|
|
|
|
|
// TODO: remove this -> FORCING v3 for now
|
|
|
|
ldap_set_option($ds, LDAP_OPT_PROTOCOL_VERSION, 3);
|
2014-03-17 17:18:33 +01:00
|
|
|
Logger::warning('No LDAPv3 support detected');
|
2013-07-12 13:41:48 +02:00
|
|
|
}
|
|
|
|
|
|
|
|
// Not setting this results in "Operations error" on AD when using the
|
|
|
|
// whole domain as search base:
|
|
|
|
ldap_set_option($ds, LDAP_OPT_REFERRALS, 0);
|
|
|
|
// ldap_set_option($ds, LDAP_OPT_DEREF, LDAP_DEREF_NEVER);
|
|
|
|
return $ds;
|
2013-06-03 17:02:08 +02:00
|
|
|
}
|
|
|
|
|
|
|
|
protected function prepareTlsEnvironment()
|
|
|
|
{
|
2013-07-12 13:41:48 +02:00
|
|
|
$strict_tls = true;
|
|
|
|
// TODO: allow variable known CA location (system VS Icinga)
|
2013-06-03 17:02:08 +02:00
|
|
|
if (Platform::isWindows()) {
|
2013-07-12 13:41:48 +02:00
|
|
|
// putenv('LDAP...')
|
2013-06-03 17:02:08 +02:00
|
|
|
} else {
|
|
|
|
if ($strict_tls) {
|
2013-07-12 13:41:48 +02:00
|
|
|
$ldap_conf = $this->getConfigDir('ldap_ca.conf');
|
2013-06-03 17:02:08 +02:00
|
|
|
} else {
|
2013-07-12 13:41:48 +02:00
|
|
|
$ldap_conf = $this->getConfigDir('ldap_nocert.conf');
|
|
|
|
}
|
|
|
|
putenv('LDAPRC=' . $ldap_conf);
|
|
|
|
if (getenv('LDAPRC') !== $ldap_conf) {
|
2014-06-25 12:38:31 +02:00
|
|
|
throw new LdapException('putenv failed');
|
2013-06-03 17:02:08 +02:00
|
|
|
}
|
|
|
|
}
|
|
|
|
}
|
|
|
|
|
2014-06-16 14:16:18 +02:00
|
|
|
/**
|
|
|
|
* Return if the capability object contains support for StartTLS
|
|
|
|
*
|
|
|
|
* @param $cap The object containing the capabilities
|
|
|
|
*
|
|
|
|
* @return bool Whether StartTLS is supported
|
|
|
|
*/
|
|
|
|
protected function hasCapabilityStartTLS($cap)
|
2014-06-06 17:57:50 +02:00
|
|
|
{
|
|
|
|
$cap = $this->getExtensionCapabilities($cap);
|
|
|
|
return isset($cap['1.3.6.1.4.1.1466.20037']);
|
|
|
|
}
|
|
|
|
|
2014-06-16 14:16:18 +02:00
|
|
|
/**
|
|
|
|
* Return if the capability objects contains support for LdapV3
|
|
|
|
*
|
|
|
|
* @param $cap
|
|
|
|
*
|
|
|
|
* @return bool
|
|
|
|
*/
|
2014-06-06 17:57:50 +02:00
|
|
|
protected function hasCapabilityLdapV3($cap)
|
|
|
|
{
|
|
|
|
if ((is_string($cap->supportedLDAPVersion)
|
|
|
|
&& (int) $cap->supportedLDAPVersion === 3)
|
|
|
|
|| (is_array($cap->supportedLDAPVersion)
|
|
|
|
&& in_array(3, $cap->supportedLDAPVersion)
|
|
|
|
)) {
|
|
|
|
return true;
|
|
|
|
}
|
|
|
|
return false;
|
|
|
|
}
|
|
|
|
|
2014-06-16 14:16:18 +02:00
|
|
|
/**
|
|
|
|
* Extract an array of all extension capabilities from the given ldap response
|
|
|
|
*
|
|
|
|
* @param $cap object The response returned by a ldap_search discovery query
|
|
|
|
*
|
|
|
|
* @return object The extracted capabilities.
|
|
|
|
*/
|
2014-06-06 17:57:50 +02:00
|
|
|
protected function getExtensionCapabilities($cap)
|
|
|
|
{
|
|
|
|
$extensions = array();
|
|
|
|
if (isset($cap->supportedExtension)) {
|
|
|
|
foreach ($cap->supportedExtension as $oid) {
|
|
|
|
if (array_key_exists($oid, $this->ldap_extension)) {
|
|
|
|
if ($this->ldap_extension[$oid] === 'STARTTLS') {
|
|
|
|
$extensions['1.3.6.1.4.1.1466.20037'] = $this->ldap_extension['1.3.6.1.4.1.1466.20037'];
|
|
|
|
}
|
|
|
|
}
|
|
|
|
}
|
|
|
|
}
|
|
|
|
return $extensions;
|
|
|
|
}
|
|
|
|
|
2014-06-16 14:16:18 +02:00
|
|
|
/**
|
|
|
|
* Extract an array of all MSAD capabilities from the given ldap response
|
|
|
|
*
|
|
|
|
* @param $cap object The response returned by a ldap_search discovery query
|
|
|
|
*
|
|
|
|
* @return object The extracted capabilities.
|
|
|
|
*/
|
2014-06-06 17:57:50 +02:00
|
|
|
protected function getMsCapabilities($cap)
|
|
|
|
{
|
|
|
|
$ms = array();
|
|
|
|
foreach ($this->ms_capability as $name) {
|
|
|
|
$ms[$this->convName($name)] = false;
|
|
|
|
}
|
|
|
|
|
|
|
|
if (isset($cap->supportedCapabilities)) {
|
|
|
|
foreach ($cap->supportedCapabilities as $oid) {
|
|
|
|
if (array_key_exists($oid, $this->ms_capability)) {
|
|
|
|
$ms[$this->convName($this->ms_capability[$oid])] = true;
|
|
|
|
}
|
|
|
|
}
|
|
|
|
}
|
|
|
|
return (object)$ms;
|
|
|
|
}
|
|
|
|
|
2014-06-16 14:16:18 +02:00
|
|
|
/**
|
|
|
|
* Convert a single capability name entry into camel-case
|
|
|
|
*
|
|
|
|
* @param $name string The name to convert
|
|
|
|
*
|
|
|
|
* @return string The name in camel-case
|
|
|
|
*/
|
2014-06-06 17:57:50 +02:00
|
|
|
private function convName($name)
|
|
|
|
{
|
|
|
|
$parts = explode('_', $name);
|
|
|
|
foreach ($parts as $i => $part) {
|
|
|
|
$parts[$i] = ucfirst(strtolower($part));
|
|
|
|
}
|
|
|
|
return implode('', $parts);
|
|
|
|
}
|
|
|
|
|
|
|
|
/**
|
|
|
|
* Get the capabilities of this ldap server
|
|
|
|
*
|
|
|
|
* @return stdClass An object, providing the flags 'ldapv3' and 'starttls' to indicate LdapV3 and StartTLS
|
|
|
|
* support and an additional property 'msCapabilities', containing all supported active directory capabilities.
|
|
|
|
*/
|
|
|
|
public function getCapabilities()
|
|
|
|
{
|
|
|
|
return $this->capabilities;
|
|
|
|
}
|
|
|
|
|
|
|
|
/**
|
|
|
|
* Get the default naming context of this ldap connection
|
|
|
|
*
|
2014-06-16 14:16:18 +02:00
|
|
|
* @return string|null the default naming context, or null when no contexts are available
|
2014-06-06 17:57:50 +02:00
|
|
|
*/
|
|
|
|
public function getDefaultNamingContext()
|
|
|
|
{
|
|
|
|
$cap = $this->capabilities;
|
|
|
|
if (isset($cap->defaultNamingContext)) {
|
|
|
|
return $cap->defaultNamingContext;
|
|
|
|
}
|
|
|
|
$namingContexts = $this->namingContexts($cap);
|
|
|
|
return empty($namingContexts) ? null : $namingContexts[0];
|
|
|
|
}
|
|
|
|
|
|
|
|
/**
|
|
|
|
* Fetch the namingContexts for this Ldap-Connection
|
|
|
|
*
|
|
|
|
* @return array the available naming contexts
|
|
|
|
*/
|
|
|
|
public function namingContexts()
|
|
|
|
{
|
2014-06-16 14:16:18 +02:00
|
|
|
if (!isset($this->namingContexts)) {
|
2014-06-06 17:57:50 +02:00
|
|
|
return array();
|
|
|
|
}
|
2014-06-16 14:16:18 +02:00
|
|
|
if (!is_array($this->namingContexts)) {
|
|
|
|
return array($this->namingContexts);
|
2014-06-06 17:57:50 +02:00
|
|
|
}
|
2014-06-16 14:16:18 +02:00
|
|
|
return $this->namingContexts;
|
2014-06-06 17:57:50 +02:00
|
|
|
}
|
|
|
|
|
2014-11-18 09:45:54 +01:00
|
|
|
/**
|
|
|
|
* Whether service discovery was successful
|
|
|
|
*
|
|
|
|
* @return boolean True when ldap settings were discovered, false when
|
|
|
|
* settings were guessed
|
|
|
|
*/
|
|
|
|
public function discoverySuccessful()
|
|
|
|
{
|
|
|
|
return $this->discoverySuccess;
|
|
|
|
}
|
|
|
|
|
2014-06-06 17:57:50 +02:00
|
|
|
/**
|
|
|
|
* Discover the capabilities of the given ldap-server
|
|
|
|
*
|
2014-06-16 14:16:18 +02:00
|
|
|
* @param resource $ds The link identifier of the current ldap connection
|
2014-06-06 17:57:50 +02:00
|
|
|
*
|
2014-06-16 14:16:18 +02:00
|
|
|
* @return array The capabilities and naming-contexts
|
2014-06-25 12:38:31 +02:00
|
|
|
* @throws LdapException When the capability query fails
|
2014-06-06 17:57:50 +02:00
|
|
|
*/
|
2013-07-12 13:41:48 +02:00
|
|
|
protected function discoverCapabilities($ds)
|
2013-06-03 17:02:08 +02:00
|
|
|
{
|
2013-07-12 13:41:48 +02:00
|
|
|
$query = $this->select()->from(
|
|
|
|
'*',
|
|
|
|
array(
|
|
|
|
'defaultNamingContext',
|
|
|
|
'namingContexts',
|
|
|
|
'vendorName',
|
|
|
|
'vendorVersion',
|
|
|
|
'supportedSaslMechanisms',
|
|
|
|
'dnsHostName',
|
|
|
|
'schemaNamingContext',
|
|
|
|
'supportedLDAPVersion', // => array(3, 2)
|
|
|
|
'supportedCapabilities',
|
|
|
|
'supportedExtension',
|
|
|
|
'+'
|
|
|
|
)
|
|
|
|
);
|
|
|
|
$result = @ldap_read(
|
|
|
|
$ds,
|
2013-06-03 17:02:08 +02:00
|
|
|
'',
|
2014-09-02 10:17:01 +02:00
|
|
|
$query->create(),
|
2013-07-12 13:41:48 +02:00
|
|
|
$query->listFields()
|
2013-06-03 17:02:08 +02:00
|
|
|
);
|
|
|
|
|
2013-07-12 13:41:48 +02:00
|
|
|
if (! $result) {
|
2014-06-25 12:38:31 +02:00
|
|
|
throw new LdapException(
|
2013-07-12 13:41:48 +02:00
|
|
|
sprintf(
|
2014-11-06 17:04:56 +01:00
|
|
|
'Capability query failed (%s:%d): %s. Check if hostname and port of the ldap resource are correct '
|
|
|
|
. ' and if anonymous access is permitted.',
|
2014-01-22 13:30:02 +01:00
|
|
|
$this->hostname,
|
|
|
|
$this->port,
|
2013-07-12 13:41:48 +02:00
|
|
|
ldap_error($ds)
|
|
|
|
)
|
|
|
|
);
|
|
|
|
}
|
|
|
|
$entry = ldap_first_entry($ds, $result);
|
2014-11-06 17:04:56 +01:00
|
|
|
if ($entry === false) {
|
|
|
|
throw new LdapException(
|
|
|
|
sprintf(
|
|
|
|
'Capabilities not available (%s:%d): %s. Discovery of root DSE probably not permitted.',
|
|
|
|
$this->hostname,
|
|
|
|
$this->port,
|
|
|
|
ldap_error($ds)
|
|
|
|
)
|
|
|
|
);
|
|
|
|
}
|
2013-07-12 13:41:48 +02:00
|
|
|
|
|
|
|
$cap = (object) array(
|
2014-06-16 14:16:18 +02:00
|
|
|
'supports_ldapv3' => false,
|
|
|
|
'supports_starttls' => false,
|
2014-06-06 17:57:50 +02:00
|
|
|
'msCapabilities' => array()
|
2013-07-12 13:41:48 +02:00
|
|
|
);
|
|
|
|
|
2013-07-26 15:29:13 +02:00
|
|
|
$ldapAttributes = ldap_get_attributes($ds, $entry);
|
2014-06-06 17:57:50 +02:00
|
|
|
$result = $this->cleanupAttributes($ldapAttributes);
|
2014-06-16 14:16:18 +02:00
|
|
|
$cap->supports_ldapv3 = $this->hasCapabilityLdapV3($result);
|
|
|
|
$cap->supports_starttls = $this->hasCapabilityStartTLS($result);
|
2014-06-06 17:57:50 +02:00
|
|
|
$cap->msCapabilities = $this->getMsCapabilities($result);
|
2013-07-12 13:41:48 +02:00
|
|
|
|
2014-06-16 14:16:18 +02:00
|
|
|
return array($cap, $result->namingContexts);
|
2013-06-03 17:02:08 +02:00
|
|
|
}
|
|
|
|
|
2014-06-16 14:16:18 +02:00
|
|
|
/**
|
|
|
|
* Try to connect to the given ldap server
|
|
|
|
*
|
2014-06-25 12:38:31 +02:00
|
|
|
* @throws LdapException When connecting is not possible
|
2014-06-16 14:16:18 +02:00
|
|
|
*/
|
|
|
|
public function connect()
|
2013-06-03 17:02:08 +02:00
|
|
|
{
|
2013-06-07 13:29:11 +02:00
|
|
|
if ($this->ds !== null) {
|
|
|
|
return;
|
|
|
|
}
|
2013-07-12 13:41:48 +02:00
|
|
|
$this->ds = $this->prepareNewConnection();
|
2014-06-16 14:16:18 +02:00
|
|
|
}
|
2013-06-07 13:29:11 +02:00
|
|
|
|
2014-06-16 14:16:18 +02:00
|
|
|
/**
|
|
|
|
* Try to bind to the current ldap domain using the provided bind_dn and bind_pw
|
|
|
|
*
|
2014-06-25 12:38:31 +02:00
|
|
|
* @throws LdapException When binding is not possible
|
2014-06-16 14:16:18 +02:00
|
|
|
*/
|
|
|
|
public function bind()
|
|
|
|
{
|
2014-06-25 12:38:31 +02:00
|
|
|
if ($this->bound) {
|
2014-06-16 14:16:18 +02:00
|
|
|
return;
|
2013-06-03 17:02:08 +02:00
|
|
|
}
|
2014-06-16 14:16:18 +02:00
|
|
|
|
|
|
|
$r = @ldap_bind($this->ds, $this->bind_dn, $this->bind_pw);
|
|
|
|
if (! $r) {
|
2014-06-25 12:38:31 +02:00
|
|
|
throw new LdapException(
|
2014-06-16 14:16:18 +02:00
|
|
|
sprintf(
|
|
|
|
'LDAP connection to %s:%s (%s / %s) failed: %s',
|
|
|
|
$this->hostname,
|
|
|
|
$this->port,
|
|
|
|
$this->bind_dn,
|
|
|
|
'***' /* $this->bind_pw */,
|
|
|
|
ldap_error($this->ds)
|
|
|
|
)
|
|
|
|
);
|
|
|
|
}
|
2014-06-25 12:38:31 +02:00
|
|
|
$this->bound = true;
|
2013-06-03 17:02:08 +02:00
|
|
|
}
|
2013-07-12 13:41:48 +02:00
|
|
|
|
2013-12-17 14:28:56 +01:00
|
|
|
/**
|
|
|
|
* Create an ldap entry
|
|
|
|
*
|
|
|
|
* @param string $dn DN to add
|
|
|
|
* @param array $entry Entry description
|
|
|
|
*
|
|
|
|
* @return bool True on success
|
|
|
|
*/
|
|
|
|
public function addEntry($dn, array $entry)
|
|
|
|
{
|
|
|
|
return ldap_add($this->ds, $dn, $entry);
|
|
|
|
}
|
|
|
|
|
|
|
|
/**
|
|
|
|
* Modify a ldap entry
|
|
|
|
*
|
2014-06-16 14:16:18 +02:00
|
|
|
* @param string $dn DN of the entry to change
|
|
|
|
* @param array $entry Change values
|
2013-12-17 14:28:56 +01:00
|
|
|
*
|
2014-06-16 14:16:18 +02:00
|
|
|
* @return bool True on success
|
2013-12-17 14:28:56 +01:00
|
|
|
*/
|
|
|
|
public function modifyEntry($dn, array $entry)
|
|
|
|
{
|
|
|
|
return ldap_modify($this->ds, $dn, $entry);
|
|
|
|
}
|
|
|
|
|
|
|
|
/**
|
|
|
|
* Move entry to a new DN
|
|
|
|
*
|
|
|
|
* @param string $dn DN of the object
|
|
|
|
* @param string $newRdn Relative DN identifier
|
|
|
|
* @param string $newParentDn Parent or superior entry
|
2014-06-25 12:38:31 +02:00
|
|
|
* @throws LdapException Thrown then rename failed
|
2013-12-17 14:28:56 +01:00
|
|
|
*
|
|
|
|
* @return bool True on success
|
|
|
|
*/
|
|
|
|
public function moveEntry($dn, $newRdn, $newParentDn)
|
|
|
|
{
|
|
|
|
$returnValue = ldap_rename($this->ds, $dn, $newRdn, $newParentDn, false);
|
|
|
|
|
|
|
|
if ($returnValue === false) {
|
2014-06-25 12:38:31 +02:00
|
|
|
throw new LdapException('Could not move entry: ' . ldap_error($this->ds));
|
2013-12-17 14:28:56 +01:00
|
|
|
}
|
|
|
|
|
|
|
|
return $returnValue;
|
|
|
|
}
|
|
|
|
|
2013-07-12 13:41:48 +02:00
|
|
|
public function __destruct()
|
|
|
|
{
|
|
|
|
putenv('LDAPRC');
|
|
|
|
}
|
2013-06-03 17:02:08 +02:00
|
|
|
}
|