2013-06-03 17:02:08 +02:00
|
|
|
<?php
|
2015-02-04 10:46:36 +01:00
|
|
|
/* Icinga Web 2 | (c) 2013-2015 Icinga Development Team | GPLv2+ */
|
2013-10-22 14:25:56 +02:00
|
|
|
|
2013-06-03 17:02:08 +02:00
|
|
|
namespace Icinga\Protocol\Ldap;
|
2013-06-07 13:29:11 +02:00
|
|
|
|
2015-07-14 12:30:16 +02:00
|
|
|
use Exception;
|
2015-05-18 16:01:58 +02:00
|
|
|
use ArrayIterator;
|
2013-10-22 14:25:56 +02:00
|
|
|
use Icinga\Application\Config;
|
2014-10-31 10:27:17 +01:00
|
|
|
use Icinga\Application\Logger;
|
2015-05-04 11:15:20 +02:00
|
|
|
use Icinga\Application\Platform;
|
2014-11-18 13:11:52 +01:00
|
|
|
use Icinga\Data\ConfigObject;
|
2015-07-14 12:30:16 +02:00
|
|
|
use Icinga\Data\Inspectable;
|
2015-07-15 17:30:39 +02:00
|
|
|
use Icinga\Data\Inspection;
|
2015-05-04 11:15:20 +02:00
|
|
|
use Icinga\Data\Selectable;
|
2015-06-03 14:22:38 +02:00
|
|
|
use Icinga\Data\Sortable;
|
2015-07-15 17:30:39 +02:00
|
|
|
use Icinga\Exception\InspectionException;
|
2015-05-04 11:15:20 +02:00
|
|
|
use Icinga\Exception\ProgrammingError;
|
2015-06-24 09:19:41 +02:00
|
|
|
use Icinga\Protocol\Ldap\LdapException;
|
2013-06-03 17:02:08 +02:00
|
|
|
|
|
|
|
|
/**
|
2015-06-23 17:12:24 +02:00
|
|
|
* Encapsulate LDAP connections and query creation
|
2013-06-03 17:02:08 +02:00
|
|
|
*/
|
2015-07-14 12:30:16 +02:00
|
|
|
class LdapConnection implements Selectable, Inspectable
|
2013-06-03 17:02:08 +02:00
|
|
|
{
|
2015-06-23 17:06:35 +02:00
|
|
|
/**
|
|
|
|
|
* Indicates that the target object cannot be found
|
|
|
|
|
*
|
|
|
|
|
* @var int
|
|
|
|
|
*/
|
2015-02-04 10:50:17 +01:00
|
|
|
const LDAP_NO_SUCH_OBJECT = 32;
|
2015-06-23 17:06:35 +02:00
|
|
|
|
|
|
|
|
/**
|
|
|
|
|
* Indicates that in a search operation, the size limit specified by the client or the server has been exceeded
|
|
|
|
|
*
|
|
|
|
|
* @var int
|
|
|
|
|
*/
|
2015-02-04 10:50:17 +01:00
|
|
|
const LDAP_SIZELIMIT_EXCEEDED = 4;
|
2015-06-23 17:06:35 +02:00
|
|
|
|
|
|
|
|
/**
|
|
|
|
|
* Indicates that an LDAP server limit set by an administrative authority has been exceeded
|
|
|
|
|
*
|
|
|
|
|
* @var int
|
|
|
|
|
*/
|
2015-02-06 16:37:35 +01:00
|
|
|
const LDAP_ADMINLIMIT_EXCEEDED = 11;
|
2015-06-23 17:06:35 +02:00
|
|
|
|
|
|
|
|
/**
|
|
|
|
|
* Indicates that during a bind operation one of the following occurred: The client passed either an incorrect DN
|
|
|
|
|
* or password, or the password is incorrect because it has expired, intruder detection has locked the account, or
|
|
|
|
|
* another similar reason.
|
|
|
|
|
*
|
|
|
|
|
* @var int
|
|
|
|
|
*/
|
2015-06-23 14:12:01 +02:00
|
|
|
const LDAP_INVALID_CREDENTIALS = 49;
|
2015-06-23 17:06:35 +02:00
|
|
|
|
|
|
|
|
/**
|
|
|
|
|
* The default page size to use for paged queries
|
|
|
|
|
*
|
|
|
|
|
* @var int
|
|
|
|
|
*/
|
2015-02-06 16:37:35 +01:00
|
|
|
const PAGE_SIZE = 1000;
|
2015-03-12 23:35:38 +01:00
|
|
|
|
|
|
|
|
/**
|
|
|
|
|
* Encrypt connection using STARTTLS (upgrading a plain text connection)
|
|
|
|
|
*
|
|
|
|
|
* @var string
|
|
|
|
|
*/
|
2015-03-12 23:54:05 +01:00
|
|
|
const STARTTLS = 'starttls';
|
2015-03-12 23:35:38 +01:00
|
|
|
|
|
|
|
|
/**
|
|
|
|
|
* Encrypt connection using LDAP over SSL (using a separate port)
|
|
|
|
|
*
|
|
|
|
|
* @var string
|
|
|
|
|
*/
|
2015-03-12 23:54:05 +01:00
|
|
|
const LDAPS = 'ldaps';
|
2013-06-07 13:29:11 +02:00
|
|
|
|
2015-04-02 10:41:25 +02:00
|
|
|
/**
|
|
|
|
|
* Encryption for the connection if any
|
|
|
|
|
*
|
2015-06-23 17:12:24 +02:00
|
|
|
* @var string
|
2015-04-02 10:41:25 +02:00
|
|
|
*/
|
|
|
|
|
protected $encryption;
|
|
|
|
|
|
2015-06-23 17:06:35 +02:00
|
|
|
/**
|
|
|
|
|
* The LDAP link identifier being used
|
|
|
|
|
*
|
|
|
|
|
* @var resource
|
|
|
|
|
*/
|
2013-07-12 13:41:48 +02:00
|
|
|
protected $ds;
|
2015-06-23 17:06:35 +02:00
|
|
|
|
|
|
|
|
/**
|
|
|
|
|
* The ip address, hostname or ldap URI being used to connect with the LDAP server
|
|
|
|
|
*
|
|
|
|
|
* @var string
|
|
|
|
|
*/
|
2013-06-03 17:02:08 +02:00
|
|
|
protected $hostname;
|
2015-06-23 17:23:47 +02:00
|
|
|
|
|
|
|
|
/**
|
|
|
|
|
* The port being used to connect with the LDAP server
|
|
|
|
|
*
|
|
|
|
|
* @var int
|
|
|
|
|
*/
|
2015-06-23 17:22:26 +02:00
|
|
|
protected $port;
|
2015-06-23 17:23:47 +02:00
|
|
|
|
|
|
|
|
/**
|
|
|
|
|
* The distinguished name being used to bind to the LDAP server
|
|
|
|
|
*
|
|
|
|
|
* @var string
|
|
|
|
|
*/
|
2015-06-23 17:22:26 +02:00
|
|
|
protected $bindDn;
|
2015-06-23 17:23:47 +02:00
|
|
|
|
|
|
|
|
/**
|
|
|
|
|
* The password being used to bind to the LDAP server
|
|
|
|
|
*
|
|
|
|
|
* @var string
|
|
|
|
|
*/
|
2015-06-23 17:22:26 +02:00
|
|
|
protected $bindPw;
|
2015-06-23 17:23:47 +02:00
|
|
|
|
|
|
|
|
/**
|
|
|
|
|
* The distinguished name being used as the base path for queries which do not provide one theirselves
|
|
|
|
|
*
|
|
|
|
|
* @var string
|
|
|
|
|
*/
|
2015-06-23 17:22:26 +02:00
|
|
|
protected $rootDn;
|
2015-06-23 17:23:47 +02:00
|
|
|
|
2014-06-16 14:16:18 +02:00
|
|
|
/**
|
2015-06-23 17:12:24 +02:00
|
|
|
* Whether the bind on this connection has already been performed
|
2014-06-16 14:16:18 +02:00
|
|
|
*
|
|
|
|
|
* @var bool
|
|
|
|
|
*/
|
2015-06-23 17:22:26 +02:00
|
|
|
protected $bound;
|
2014-06-16 14:16:18 +02:00
|
|
|
|
2015-06-23 17:06:35 +02:00
|
|
|
/**
|
|
|
|
|
* The current connection's root node
|
|
|
|
|
*
|
|
|
|
|
* @var Root
|
|
|
|
|
*/
|
2013-06-03 17:02:08 +02:00
|
|
|
protected $root;
|
|
|
|
|
|
2015-02-27 09:51:44 +01:00
|
|
|
/**
|
2015-06-23 17:06:35 +02:00
|
|
|
* The properties and capabilities of the LDAP server
|
|
|
|
|
*
|
2015-07-14 12:30:16 +02:00
|
|
|
* @var LdapCapabilities
|
2015-02-27 09:51:44 +01:00
|
|
|
*/
|
2014-06-06 17:57:50 +02:00
|
|
|
protected $capabilities;
|
2015-02-27 09:51:44 +01:00
|
|
|
|
|
|
|
|
/**
|
2015-07-10 09:51:39 +02:00
|
|
|
* Whether discovery was successful
|
2015-06-23 17:06:35 +02:00
|
|
|
*
|
2015-02-27 09:51:44 +01:00
|
|
|
* @var bool
|
|
|
|
|
*/
|
2015-06-23 17:22:26 +02:00
|
|
|
protected $discoverySuccess;
|
2014-06-06 17:57:50 +02:00
|
|
|
|
2015-07-10 10:45:10 +02:00
|
|
|
/**
|
|
|
|
|
* Whether the current connection is encrypted
|
|
|
|
|
*
|
|
|
|
|
* @var bool
|
|
|
|
|
*/
|
2015-07-15 11:46:22 +02:00
|
|
|
protected $encrypted = null;
|
2015-07-10 10:45:10 +02:00
|
|
|
|
2013-06-03 17:02:08 +02:00
|
|
|
/**
|
2015-06-23 17:12:24 +02:00
|
|
|
* Create a new connection object
|
2013-06-03 17:02:08 +02:00
|
|
|
*
|
2015-06-23 17:12:24 +02:00
|
|
|
* @param ConfigObject $config
|
2013-06-03 17:02:08 +02:00
|
|
|
*/
|
2014-11-18 13:11:52 +01:00
|
|
|
public function __construct(ConfigObject $config)
|
2013-06-03 17:02:08 +02:00
|
|
|
{
|
|
|
|
|
$this->hostname = $config->hostname;
|
2015-06-23 17:22:26 +02:00
|
|
|
$this->bindDn = $config->bind_dn;
|
|
|
|
|
$this->bindPw = $config->bind_pw;
|
|
|
|
|
$this->rootDn = $config->root_dn;
|
|
|
|
|
$this->port = $config->get('port', 389);
|
|
|
|
|
|
|
|
|
|
$this->encryption = $config->encryption;
|
2015-04-02 10:41:25 +02:00
|
|
|
if ($this->encryption !== null) {
|
|
|
|
|
$this->encryption = strtolower($this->encryption);
|
|
|
|
|
}
|
2013-06-03 17:02:08 +02:00
|
|
|
}
|
|
|
|
|
|
2015-06-23 17:06:35 +02:00
|
|
|
/**
|
|
|
|
|
* Return the ip address, hostname or ldap URI being used to connect with the LDAP server
|
|
|
|
|
*
|
|
|
|
|
* @return string
|
|
|
|
|
*/
|
2014-11-18 09:45:54 +01:00
|
|
|
public function getHostname()
|
|
|
|
|
{
|
|
|
|
|
return $this->hostname;
|
|
|
|
|
}
|
|
|
|
|
|
2015-06-23 17:06:35 +02:00
|
|
|
/**
|
|
|
|
|
* Return the port being used to connect with the LDAP server
|
|
|
|
|
*
|
|
|
|
|
* @return int
|
|
|
|
|
*/
|
2014-11-18 09:45:54 +01:00
|
|
|
public function getPort()
|
|
|
|
|
{
|
|
|
|
|
return $this->port;
|
|
|
|
|
}
|
|
|
|
|
|
2015-06-23 17:06:35 +02:00
|
|
|
/**
|
|
|
|
|
* Return the distinguished name being used as the base path for queries which do not provide one theirselves
|
|
|
|
|
*
|
|
|
|
|
* @return string
|
|
|
|
|
*/
|
2015-06-23 15:16:53 +02:00
|
|
|
public function getDn()
|
2013-06-03 17:02:08 +02:00
|
|
|
{
|
2015-06-23 17:22:26 +02:00
|
|
|
return $this->rootDn;
|
2013-06-03 17:02:08 +02:00
|
|
|
}
|
|
|
|
|
|
2015-06-23 17:06:35 +02:00
|
|
|
/**
|
|
|
|
|
* Return the root node for this connection
|
|
|
|
|
*
|
|
|
|
|
* @return Root
|
|
|
|
|
*/
|
2013-06-03 17:02:08 +02:00
|
|
|
public function root()
|
|
|
|
|
{
|
|
|
|
|
if ($this->root === null) {
|
|
|
|
|
$this->root = Root::forConnection($this);
|
|
|
|
|
}
|
2015-06-23 17:27:30 +02:00
|
|
|
|
2013-06-03 17:02:08 +02:00
|
|
|
return $this->root;
|
|
|
|
|
}
|
|
|
|
|
|
2015-07-10 09:51:39 +02:00
|
|
|
/**
|
|
|
|
|
* Return the LDAP link identifier being used
|
|
|
|
|
*
|
|
|
|
|
* Establishes a connection if necessary.
|
|
|
|
|
*
|
|
|
|
|
* @return resource
|
|
|
|
|
*/
|
|
|
|
|
public function getConnection()
|
|
|
|
|
{
|
|
|
|
|
if ($this->ds === null) {
|
|
|
|
|
$this->ds = $this->prepareNewConnection();
|
|
|
|
|
}
|
|
|
|
|
|
|
|
|
|
return $this->ds;
|
|
|
|
|
}
|
|
|
|
|
|
2015-06-23 17:37:10 +02:00
|
|
|
/**
|
|
|
|
|
* Return the capabilities of the current connection
|
|
|
|
|
*
|
2015-07-14 12:30:16 +02:00
|
|
|
* @return LdapCapabilities
|
2015-06-23 17:37:10 +02:00
|
|
|
*/
|
|
|
|
|
public function getCapabilities()
|
|
|
|
|
{
|
|
|
|
|
if ($this->capabilities === null) {
|
2015-07-10 10:45:10 +02:00
|
|
|
try {
|
2015-07-15 15:34:11 +02:00
|
|
|
$this->capabilities = LdapCapabilities::discoverCapabilities($this);
|
2015-07-10 10:45:10 +02:00
|
|
|
$this->discoverySuccess = true;
|
|
|
|
|
} catch (LdapException $e) {
|
|
|
|
|
Logger::debug($e);
|
|
|
|
|
Logger::warning('LADP discovery failed, assuming default LDAP capabilities.');
|
2015-07-14 12:30:16 +02:00
|
|
|
$this->capabilities = new LdapCapabilities(); // create empty default capabilities
|
2015-07-10 10:45:10 +02:00
|
|
|
$this->discoverySuccess = false;
|
|
|
|
|
}
|
2015-06-23 17:37:10 +02:00
|
|
|
}
|
|
|
|
|
|
|
|
|
|
return $this->capabilities;
|
|
|
|
|
}
|
|
|
|
|
|
|
|
|
|
/**
|
2015-07-10 09:51:39 +02:00
|
|
|
* Return whether discovery was successful
|
2015-06-23 17:37:10 +02:00
|
|
|
*
|
|
|
|
|
* @return bool true if the capabilities were successfully determined, false if the capabilities were guessed
|
|
|
|
|
*/
|
|
|
|
|
public function discoverySuccessful()
|
|
|
|
|
{
|
2015-07-10 09:51:39 +02:00
|
|
|
if ($this->discoverySuccess === null) {
|
|
|
|
|
$this->getCapabilities(); // Initializes self::$discoverySuccess
|
|
|
|
|
}
|
|
|
|
|
|
2015-06-23 17:37:10 +02:00
|
|
|
return $this->discoverySuccess;
|
|
|
|
|
}
|
|
|
|
|
|
2015-07-10 10:45:10 +02:00
|
|
|
/**
|
|
|
|
|
* Return whether the current connection is encrypted
|
|
|
|
|
*
|
|
|
|
|
* @return bool
|
|
|
|
|
*/
|
|
|
|
|
public function isEncrypted()
|
|
|
|
|
{
|
2015-07-15 11:46:22 +02:00
|
|
|
if ($this->encrypted === null) {
|
2015-07-10 10:45:10 +02:00
|
|
|
return false;
|
|
|
|
|
}
|
|
|
|
|
|
2015-07-15 11:46:22 +02:00
|
|
|
return $this->encrypted;
|
2015-07-10 10:45:10 +02:00
|
|
|
}
|
|
|
|
|
|
2015-06-23 17:37:10 +02:00
|
|
|
/**
|
|
|
|
|
* Establish a connection
|
|
|
|
|
*
|
|
|
|
|
* @throws LdapException In case the connection could not be established
|
2015-07-10 09:51:39 +02:00
|
|
|
*
|
|
|
|
|
* @deprecated The connection is established lazily now
|
2015-06-23 17:37:10 +02:00
|
|
|
*/
|
|
|
|
|
public function connect()
|
|
|
|
|
{
|
2015-07-10 09:51:39 +02:00
|
|
|
$this->getConnection();
|
2015-06-23 17:37:10 +02:00
|
|
|
}
|
|
|
|
|
|
|
|
|
|
/**
|
|
|
|
|
* Perform a LDAP bind on the current connection
|
|
|
|
|
*
|
2015-07-10 10:45:10 +02:00
|
|
|
* @throws LdapException In case the LDAP bind was unsuccessful or insecure
|
2015-06-23 17:37:10 +02:00
|
|
|
*/
|
|
|
|
|
public function bind()
|
|
|
|
|
{
|
|
|
|
|
if ($this->bound) {
|
2015-07-23 17:34:09 +02:00
|
|
|
return $this;
|
2015-06-23 17:37:10 +02:00
|
|
|
}
|
|
|
|
|
|
2015-07-10 09:51:39 +02:00
|
|
|
$ds = $this->getConnection();
|
|
|
|
|
|
|
|
|
|
$success = @ldap_bind($ds, $this->bindDn, $this->bindPw);
|
2015-06-23 17:37:10 +02:00
|
|
|
if (! $success) {
|
|
|
|
|
throw new LdapException(
|
|
|
|
|
'LDAP connection to %s:%s (%s / %s) failed: %s',
|
|
|
|
|
$this->hostname,
|
|
|
|
|
$this->port,
|
|
|
|
|
$this->bindDn,
|
|
|
|
|
'***' /* $this->bindPw */,
|
2015-07-10 09:51:39 +02:00
|
|
|
ldap_error($ds)
|
2015-06-23 17:37:10 +02:00
|
|
|
);
|
|
|
|
|
}
|
|
|
|
|
|
|
|
|
|
$this->bound = true;
|
2015-07-23 17:34:09 +02:00
|
|
|
return $this;
|
2015-06-23 17:37:10 +02:00
|
|
|
}
|
|
|
|
|
|
2015-05-04 11:15:20 +02:00
|
|
|
/**
|
|
|
|
|
* Provide a query on this connection
|
|
|
|
|
*
|
2015-06-24 09:14:25 +02:00
|
|
|
* @return LdapQuery
|
2015-05-04 11:15:20 +02:00
|
|
|
*/
|
2013-06-03 17:02:08 +02:00
|
|
|
public function select()
|
|
|
|
|
{
|
2015-06-24 09:14:25 +02:00
|
|
|
return new LdapQuery($this);
|
2013-06-03 17:02:08 +02:00
|
|
|
}
|
|
|
|
|
|
2015-06-23 17:06:35 +02:00
|
|
|
/**
|
|
|
|
|
* Fetch and return all rows of the given query's result set using an iterator
|
|
|
|
|
*
|
2015-06-24 09:14:25 +02:00
|
|
|
* @param LdapQuery $query The query returning the result set
|
2015-06-23 17:06:35 +02:00
|
|
|
*
|
|
|
|
|
* @return ArrayIterator
|
|
|
|
|
*/
|
2015-06-24 09:14:25 +02:00
|
|
|
public function query(LdapQuery $query)
|
2015-05-18 16:01:58 +02:00
|
|
|
{
|
|
|
|
|
return new ArrayIterator($this->fetchAll($query));
|
|
|
|
|
}
|
|
|
|
|
|
2015-06-23 17:37:10 +02:00
|
|
|
/**
|
|
|
|
|
* Count all rows of the given query's result set
|
|
|
|
|
*
|
2015-06-24 09:14:25 +02:00
|
|
|
* @param LdapQuery $query The query returning the result set
|
2015-06-23 17:37:10 +02:00
|
|
|
*
|
|
|
|
|
* @return int
|
|
|
|
|
*/
|
2015-06-24 09:14:25 +02:00
|
|
|
public function count(LdapQuery $query)
|
2013-06-03 17:02:08 +02:00
|
|
|
{
|
2015-06-23 17:37:10 +02:00
|
|
|
$this->bind();
|
|
|
|
|
|
|
|
|
|
$res = $this->runQuery($query, array());
|
|
|
|
|
return count($res);
|
|
|
|
|
}
|
|
|
|
|
|
|
|
|
|
/**
|
|
|
|
|
* Retrieve an array containing all rows of the result set
|
|
|
|
|
*
|
2015-06-24 09:14:25 +02:00
|
|
|
* @param LdapQuery $query The query returning the result set
|
|
|
|
|
* @param array $fields Request these attributes instead of the ones registered in the given query
|
2015-06-23 17:37:10 +02:00
|
|
|
*
|
|
|
|
|
* @return array
|
|
|
|
|
*/
|
2015-06-24 09:14:25 +02:00
|
|
|
public function fetchAll(LdapQuery $query, array $fields = null)
|
2015-06-23 17:37:10 +02:00
|
|
|
{
|
|
|
|
|
$this->bind();
|
|
|
|
|
|
2015-07-15 10:32:54 +02:00
|
|
|
if ($query->getUsePagedResults()
|
2015-06-23 17:37:10 +02:00
|
|
|
&& version_compare(PHP_VERSION, '5.4.0') >= 0
|
|
|
|
|
&& $this->getCapabilities()->hasPagedResult()
|
|
|
|
|
) {
|
|
|
|
|
return $this->runPagedQuery($query, $fields);
|
|
|
|
|
} else {
|
|
|
|
|
return $this->runQuery($query, $fields);
|
|
|
|
|
}
|
|
|
|
|
}
|
|
|
|
|
|
|
|
|
|
/**
|
|
|
|
|
* Fetch the first row of the result set
|
|
|
|
|
*
|
2015-06-24 09:14:25 +02:00
|
|
|
* @param LdapQuery $query The query returning the result set
|
|
|
|
|
* @param array $fields Request these attributes instead of the ones registered in the given query
|
2015-06-23 17:37:10 +02:00
|
|
|
*
|
|
|
|
|
* @return mixed
|
|
|
|
|
*/
|
2015-06-24 09:14:25 +02:00
|
|
|
public function fetchRow(LdapQuery $query, array $fields = null)
|
2015-06-23 17:37:10 +02:00
|
|
|
{
|
|
|
|
|
$clonedQuery = clone $query;
|
|
|
|
|
$clonedQuery->limit(1);
|
|
|
|
|
$clonedQuery->setUsePagedResults(false);
|
|
|
|
|
$results = $this->fetchAll($clonedQuery, $fields);
|
|
|
|
|
return array_shift($results) ?: false;
|
2013-06-03 17:02:08 +02:00
|
|
|
}
|
2013-06-07 13:29:11 +02:00
|
|
|
|
2015-06-23 17:23:47 +02:00
|
|
|
/**
|
|
|
|
|
* Fetch the first column of all rows of the result set as an array
|
|
|
|
|
*
|
2015-06-24 09:14:25 +02:00
|
|
|
* @param LdapQuery $query The query returning the result set
|
|
|
|
|
* @param array $fields Request these attributes instead of the ones registered in the given query
|
2015-06-23 17:23:47 +02:00
|
|
|
*
|
|
|
|
|
* @return array
|
|
|
|
|
*
|
2015-06-24 09:14:25 +02:00
|
|
|
* @throws ProgrammingError In case no attribute is being requested
|
2015-06-23 17:23:47 +02:00
|
|
|
*/
|
2015-06-24 09:14:25 +02:00
|
|
|
public function fetchColumn(LdapQuery $query, array $fields = null)
|
2015-06-23 15:05:03 +02:00
|
|
|
{
|
|
|
|
|
if ($fields === null) {
|
|
|
|
|
$fields = $query->getColumns();
|
|
|
|
|
}
|
|
|
|
|
|
2015-06-25 15:50:15 +02:00
|
|
|
if (empty($fields)) {
|
2015-06-23 15:05:03 +02:00
|
|
|
throw new ProgrammingError('You must request at least one attribute when fetching a single column');
|
|
|
|
|
}
|
|
|
|
|
|
2015-06-25 15:50:15 +02:00
|
|
|
$alias = key($fields);
|
|
|
|
|
$results = $this->fetchAll($query, array($alias => current($fields)));
|
|
|
|
|
$column = is_int($alias) ? current($fields) : $alias;
|
2015-06-23 15:05:03 +02:00
|
|
|
$values = array();
|
|
|
|
|
foreach ($results as $row) {
|
|
|
|
|
if (isset($row->$column)) {
|
|
|
|
|
$values[] = $row->$column;
|
|
|
|
|
}
|
|
|
|
|
}
|
|
|
|
|
|
|
|
|
|
return $values;
|
|
|
|
|
}
|
|
|
|
|
|
2015-06-23 17:37:10 +02:00
|
|
|
/**
|
|
|
|
|
* Fetch the first column of the first row of the result set
|
|
|
|
|
*
|
2015-06-24 09:14:25 +02:00
|
|
|
* @param LdapQuery $query The query returning the result set
|
|
|
|
|
* @param array $fields Request these attributes instead of the ones registered in the given query
|
2015-06-23 17:37:10 +02:00
|
|
|
*
|
|
|
|
|
* @return string
|
|
|
|
|
*/
|
2015-06-24 09:14:25 +02:00
|
|
|
public function fetchOne(LdapQuery $query, array $fields = null)
|
2015-06-23 17:37:10 +02:00
|
|
|
{
|
|
|
|
|
$row = (array) $this->fetchRow($query, $fields);
|
|
|
|
|
return array_shift($row) ?: false;
|
|
|
|
|
}
|
|
|
|
|
|
2015-06-23 17:23:47 +02:00
|
|
|
/**
|
|
|
|
|
* Fetch all rows of the result set as an array of key-value pairs
|
|
|
|
|
*
|
|
|
|
|
* The first column is the key, the second column is the value.
|
|
|
|
|
*
|
2015-06-24 09:14:25 +02:00
|
|
|
* @param LdapQuery $query The query returning the result set
|
|
|
|
|
* @param array $fields Request these attributes instead of the ones registered in the given query
|
2015-06-23 17:23:47 +02:00
|
|
|
*
|
|
|
|
|
* @return array
|
|
|
|
|
*
|
2015-06-24 09:14:25 +02:00
|
|
|
* @throws ProgrammingError In case there are less than two attributes being requested
|
2015-06-23 17:23:47 +02:00
|
|
|
*/
|
2015-06-24 09:14:25 +02:00
|
|
|
public function fetchPairs(LdapQuery $query, array $fields = null)
|
2015-06-23 15:05:47 +02:00
|
|
|
{
|
|
|
|
|
if ($fields === null) {
|
|
|
|
|
$fields = $query->getColumns();
|
|
|
|
|
}
|
|
|
|
|
|
|
|
|
|
if (count($fields) < 2) {
|
|
|
|
|
throw new ProgrammingError('You are required to request at least two attributes');
|
|
|
|
|
}
|
|
|
|
|
|
|
|
|
|
$columns = $desiredColumnNames = array();
|
|
|
|
|
foreach ($fields as $alias => $column) {
|
|
|
|
|
if (is_int($alias)) {
|
|
|
|
|
$columns[] = $column;
|
|
|
|
|
$desiredColumnNames[] = $column;
|
|
|
|
|
} else {
|
|
|
|
|
$columns[$alias] = $column;
|
|
|
|
|
$desiredColumnNames[] = $alias;
|
|
|
|
|
}
|
|
|
|
|
|
|
|
|
|
if (count($desiredColumnNames) === 2) {
|
|
|
|
|
break;
|
|
|
|
|
}
|
|
|
|
|
}
|
|
|
|
|
|
|
|
|
|
$results = $this->fetchAll($query, $columns);
|
|
|
|
|
$pairs = array();
|
|
|
|
|
foreach ($results as $row) {
|
|
|
|
|
$colOne = $desiredColumnNames[0];
|
|
|
|
|
$colTwo = $desiredColumnNames[1];
|
|
|
|
|
$pairs[$row->$colOne] = $row->$colTwo;
|
|
|
|
|
}
|
|
|
|
|
|
|
|
|
|
return $pairs;
|
|
|
|
|
}
|
|
|
|
|
|
2015-06-23 17:37:10 +02:00
|
|
|
/**
|
|
|
|
|
* Test the given LDAP credentials by establishing a connection and attempting a LDAP bind
|
|
|
|
|
*
|
|
|
|
|
* @param string $bindDn
|
|
|
|
|
* @param string $bindPw
|
|
|
|
|
*
|
|
|
|
|
* @return bool Whether the given credentials are valid
|
|
|
|
|
*
|
|
|
|
|
* @throws LdapException In case an error occured while establishing the connection or attempting the bind
|
|
|
|
|
*/
|
|
|
|
|
public function testCredentials($bindDn, $bindPw)
|
|
|
|
|
{
|
2015-07-10 09:51:39 +02:00
|
|
|
$ds = $this->getConnection();
|
|
|
|
|
$success = @ldap_bind($ds, $bindDn, $bindPw);
|
2015-06-23 17:37:10 +02:00
|
|
|
if (! $success) {
|
2015-07-10 09:51:39 +02:00
|
|
|
if (ldap_errno($ds) === self::LDAP_INVALID_CREDENTIALS) {
|
2015-06-23 17:37:10 +02:00
|
|
|
Logger::debug(
|
|
|
|
|
'Testing LDAP credentials (%s / %s) failed: %s',
|
|
|
|
|
$bindDn,
|
|
|
|
|
'***',
|
2015-07-10 09:51:39 +02:00
|
|
|
ldap_error($ds)
|
2015-06-23 17:37:10 +02:00
|
|
|
);
|
|
|
|
|
return false;
|
|
|
|
|
}
|
|
|
|
|
|
2015-07-10 09:51:39 +02:00
|
|
|
throw new LdapException(ldap_error($ds));
|
2015-06-23 17:37:10 +02:00
|
|
|
}
|
|
|
|
|
|
|
|
|
|
return true;
|
|
|
|
|
}
|
|
|
|
|
|
2015-06-23 17:06:35 +02:00
|
|
|
/**
|
|
|
|
|
* Return whether an entry identified by the given distinguished name exists
|
|
|
|
|
*
|
|
|
|
|
* @param string $dn
|
|
|
|
|
*
|
|
|
|
|
* @return bool
|
|
|
|
|
*/
|
2015-06-23 15:11:11 +02:00
|
|
|
public function hasDn($dn)
|
2014-03-20 16:46:10 +01:00
|
|
|
{
|
2015-09-03 17:11:56 +02:00
|
|
|
$ds = $this->getConnection();
|
2014-06-16 14:16:18 +02:00
|
|
|
$this->bind();
|
|
|
|
|
|
2015-07-10 09:51:39 +02:00
|
|
|
$result = ldap_read($ds, $dn, '(objectClass=*)', array('objectClass'));
|
|
|
|
|
return ldap_count_entries($ds, $result) > 0;
|
2014-03-20 16:46:10 +01:00
|
|
|
}
|
|
|
|
|
|
2015-06-23 17:06:35 +02:00
|
|
|
/**
|
|
|
|
|
* Delete a root entry and all of its children identified by the given distinguished name
|
|
|
|
|
*
|
|
|
|
|
* @param string $dn
|
|
|
|
|
*
|
|
|
|
|
* @return bool
|
|
|
|
|
*
|
|
|
|
|
* @throws LdapException In case an error occured while deleting an entry
|
|
|
|
|
*/
|
2014-03-20 16:46:10 +01:00
|
|
|
public function deleteRecursively($dn)
|
|
|
|
|
{
|
2015-09-03 17:11:56 +02:00
|
|
|
$ds = $this->getConnection();
|
2014-06-16 14:16:18 +02:00
|
|
|
$this->bind();
|
|
|
|
|
|
2015-07-10 09:51:39 +02:00
|
|
|
$result = @ldap_list($ds, $dn, '(objectClass=*)', array('objectClass'));
|
2014-03-20 16:46:10 +01:00
|
|
|
if ($result === false) {
|
2015-07-10 09:51:39 +02:00
|
|
|
if (ldap_errno($ds) === self::LDAP_NO_SUCH_OBJECT) {
|
2014-03-20 16:46:10 +01:00
|
|
|
return false;
|
|
|
|
|
}
|
2015-06-23 17:27:30 +02:00
|
|
|
|
2015-07-10 09:51:39 +02:00
|
|
|
throw new LdapException('LDAP list for "%s" failed: %s', $dn, ldap_error($ds));
|
2014-03-20 16:46:10 +01:00
|
|
|
}
|
2015-06-23 17:27:30 +02:00
|
|
|
|
2015-07-10 09:51:39 +02:00
|
|
|
$children = ldap_get_entries($ds, $result);
|
2014-06-16 14:16:18 +02:00
|
|
|
for ($i = 0; $i < $children['count']; $i++) {
|
2014-03-20 16:46:10 +01:00
|
|
|
$result = $this->deleteRecursively($children[$i]['dn']);
|
2015-06-23 17:27:30 +02:00
|
|
|
if (! $result) {
|
|
|
|
|
// TODO: return result code, if delete fails
|
2015-02-06 16:31:03 +01:00
|
|
|
throw new LdapException('Recursively deleting "%s" failed', $dn);
|
2014-03-20 16:46:10 +01:00
|
|
|
}
|
|
|
|
|
}
|
2015-06-23 17:27:30 +02:00
|
|
|
|
2015-06-23 15:21:32 +02:00
|
|
|
return $this->deleteDn($dn);
|
2014-03-20 16:46:10 +01:00
|
|
|
}
|
|
|
|
|
|
2015-06-23 17:06:35 +02:00
|
|
|
/**
|
|
|
|
|
* Delete a single entry identified by the given distinguished name
|
|
|
|
|
*
|
|
|
|
|
* @param string $dn
|
|
|
|
|
*
|
|
|
|
|
* @return bool
|
|
|
|
|
*
|
|
|
|
|
* @throws LdapException In case an error occured while deleting the entry
|
|
|
|
|
*/
|
2015-06-23 15:21:32 +02:00
|
|
|
public function deleteDn($dn)
|
2014-03-20 16:46:10 +01:00
|
|
|
{
|
2015-09-03 17:11:56 +02:00
|
|
|
$ds = $this->getConnection();
|
2014-06-16 14:16:18 +02:00
|
|
|
$this->bind();
|
2014-03-20 16:46:10 +01:00
|
|
|
|
2015-07-10 09:51:39 +02:00
|
|
|
$result = @ldap_delete($ds, $dn);
|
2014-03-20 16:46:10 +01:00
|
|
|
if ($result === false) {
|
2015-07-10 09:51:39 +02:00
|
|
|
if (ldap_errno($ds) === self::LDAP_NO_SUCH_OBJECT) {
|
2015-06-23 17:27:30 +02:00
|
|
|
return false; // TODO: Isn't it a success if something i'd like to remove is not existing at all???
|
2014-03-20 16:46:10 +01:00
|
|
|
}
|
2015-06-23 17:27:30 +02:00
|
|
|
|
2015-07-10 09:51:39 +02:00
|
|
|
throw new LdapException('LDAP delete for "%s" failed: %s', $dn, ldap_error($ds));
|
2014-03-20 16:46:10 +01:00
|
|
|
}
|
|
|
|
|
|
|
|
|
|
return true;
|
|
|
|
|
}
|
|
|
|
|
|
2014-06-11 13:14:05 +02:00
|
|
|
/**
|
2015-06-23 17:12:24 +02:00
|
|
|
* Fetch the distinguished name of the result of the given query
|
|
|
|
|
*
|
2015-06-24 09:14:25 +02:00
|
|
|
* @param LdapQuery $query The query returning the result set
|
2014-06-11 13:14:05 +02:00
|
|
|
*
|
2015-06-24 09:14:25 +02:00
|
|
|
* @return string The distinguished name, or false when the given query yields no results
|
2014-06-11 13:14:05 +02:00
|
|
|
*
|
2015-06-24 09:14:25 +02:00
|
|
|
* @throws LdapException In case the query yields multiple results
|
2014-06-11 13:14:05 +02:00
|
|
|
*/
|
2015-06-24 09:14:25 +02:00
|
|
|
public function fetchDn(LdapQuery $query)
|
2013-06-03 17:02:08 +02:00
|
|
|
{
|
2015-06-23 15:56:29 +02:00
|
|
|
$rows = $this->fetchAll($query, array());
|
2015-04-21 13:15:40 +02:00
|
|
|
if (count($rows) > 1) {
|
2015-06-23 17:27:30 +02:00
|
|
|
throw new LdapException('Cannot fetch single DN for %s', $query);
|
2013-06-03 17:02:08 +02:00
|
|
|
}
|
|
|
|
|
|
2015-06-23 17:37:10 +02:00
|
|
|
return key($rows);
|
2013-06-03 17:02:08 +02:00
|
|
|
}
|
|
|
|
|
|
2014-06-16 14:16:18 +02:00
|
|
|
/**
|
2015-06-23 17:38:19 +02:00
|
|
|
* Run the given LDAP query and return the resulting entries
|
2014-06-16 14:16:18 +02:00
|
|
|
*
|
2015-06-24 09:14:25 +02:00
|
|
|
* @param LdapQuery $query The query to fetch results with
|
|
|
|
|
* @param array $fields Request these attributes instead of the ones registered in the given query
|
2015-02-24 12:22:29 +01:00
|
|
|
*
|
2015-06-23 17:38:19 +02:00
|
|
|
* @return array
|
2015-02-24 12:22:29 +01:00
|
|
|
*
|
2015-06-24 09:14:25 +02:00
|
|
|
* @throws LdapException In case an error occured while fetching the results
|
2015-02-24 12:22:29 +01:00
|
|
|
*/
|
2015-06-24 09:14:25 +02:00
|
|
|
protected function runQuery(LdapQuery $query, array $fields = null)
|
2015-02-06 16:37:35 +01:00
|
|
|
{
|
|
|
|
|
$limit = $query->getLimit();
|
|
|
|
|
$offset = $query->hasOffset() ? $query->getOffset() - 1 : 0;
|
|
|
|
|
|
2015-06-23 17:27:30 +02:00
|
|
|
if ($fields === null) {
|
2015-05-04 11:26:27 +02:00
|
|
|
$fields = $query->getColumns();
|
|
|
|
|
}
|
|
|
|
|
|
2015-07-10 09:51:39 +02:00
|
|
|
$ds = $this->getConnection();
|
|
|
|
|
|
2015-09-03 17:48:53 +02:00
|
|
|
$serverSorting = $this->capabilities->hasOid(LdapCapabilities::LDAP_SERVER_SORT_OID);
|
2015-06-03 14:22:38 +02:00
|
|
|
if ($serverSorting && $query->hasOrder()) {
|
2015-07-10 09:51:39 +02:00
|
|
|
ldap_set_option($ds, LDAP_OPT_SERVER_CONTROLS, array(
|
2015-06-03 14:22:38 +02:00
|
|
|
array(
|
2015-07-14 12:30:16 +02:00
|
|
|
'oid' => LdapCapabilities::LDAP_SERVER_SORT_OID,
|
2015-06-23 17:27:30 +02:00
|
|
|
'value' => $this->encodeSortRules($query->getOrder())
|
2015-06-03 14:22:38 +02:00
|
|
|
)
|
|
|
|
|
));
|
2015-06-25 15:51:19 +02:00
|
|
|
} elseif ($query->hasOrder()) {
|
|
|
|
|
foreach ($query->getOrder() as $rule) {
|
|
|
|
|
if (! in_array($rule[0], $fields)) {
|
|
|
|
|
$fields[] = $rule[0];
|
|
|
|
|
}
|
|
|
|
|
}
|
2015-06-03 14:22:38 +02:00
|
|
|
}
|
|
|
|
|
|
2015-02-06 16:37:35 +01:00
|
|
|
$results = @ldap_search(
|
2015-07-10 09:51:39 +02:00
|
|
|
$ds,
|
2015-06-23 17:22:26 +02:00
|
|
|
$query->getBase() ?: $this->rootDn,
|
2015-05-04 11:26:27 +02:00
|
|
|
(string) $query,
|
|
|
|
|
array_values($fields),
|
2015-02-06 16:37:35 +01:00
|
|
|
0, // Attributes and values
|
2015-06-03 14:22:38 +02:00
|
|
|
$serverSorting && $limit ? $offset + $limit : 0
|
2015-02-06 16:37:35 +01:00
|
|
|
);
|
|
|
|
|
if ($results === false) {
|
2015-07-10 09:51:39 +02:00
|
|
|
if (ldap_errno($ds) === self::LDAP_NO_SUCH_OBJECT) {
|
2015-02-06 16:37:35 +01:00
|
|
|
return array();
|
|
|
|
|
}
|
|
|
|
|
|
|
|
|
|
throw new LdapException(
|
|
|
|
|
'LDAP query "%s" (base %s) failed. Error: %s',
|
2015-05-04 11:26:27 +02:00
|
|
|
$query,
|
2015-06-23 17:22:26 +02:00
|
|
|
$query->getBase() ?: $this->rootDn,
|
2015-07-10 09:51:39 +02:00
|
|
|
ldap_error($ds)
|
2015-02-06 16:37:35 +01:00
|
|
|
);
|
2015-07-10 09:51:39 +02:00
|
|
|
} elseif (ldap_count_entries($ds, $results) === 0) {
|
2015-02-06 16:37:35 +01:00
|
|
|
return array();
|
|
|
|
|
}
|
|
|
|
|
|
2015-01-29 15:53:15 +01:00
|
|
|
$count = 0;
|
2013-06-03 17:02:08 +02:00
|
|
|
$entries = array();
|
2015-07-10 09:51:39 +02:00
|
|
|
$entry = ldap_first_entry($ds, $results);
|
2015-02-06 16:37:35 +01:00
|
|
|
do {
|
|
|
|
|
$count += 1;
|
2015-06-03 14:22:38 +02:00
|
|
|
if (! $serverSorting || $offset === 0 || $offset < $count) {
|
2015-07-10 09:51:39 +02:00
|
|
|
$entries[ldap_get_dn($ds, $entry)] = $this->cleanupAttributes(
|
2015-07-15 10:32:54 +02:00
|
|
|
ldap_get_attributes($ds, $entry),
|
|
|
|
|
array_flip($fields)
|
2015-02-06 16:37:35 +01:00
|
|
|
);
|
|
|
|
|
}
|
2015-07-16 13:51:35 +02:00
|
|
|
} while ((! $serverSorting || $limit === 0 || $limit !== count($entries))
|
2015-07-10 09:51:39 +02:00
|
|
|
&& ($entry = ldap_next_entry($ds, $entry))
|
2015-06-03 14:22:38 +02:00
|
|
|
);
|
2015-02-06 16:37:35 +01:00
|
|
|
|
2015-06-03 14:22:38 +02:00
|
|
|
if (! $serverSorting && $query->hasOrder()) {
|
2015-05-04 11:36:38 +02:00
|
|
|
uasort($entries, array($query, 'compare'));
|
2015-06-03 14:22:38 +02:00
|
|
|
if ($limit && $count > $limit) {
|
|
|
|
|
$entries = array_splice($entries, $query->hasOffset() ? $query->getOffset() : 0, $limit);
|
|
|
|
|
}
|
2015-05-04 11:36:38 +02:00
|
|
|
}
|
|
|
|
|
|
2015-02-06 16:37:35 +01:00
|
|
|
ldap_free_result($results);
|
|
|
|
|
return $entries;
|
|
|
|
|
}
|
|
|
|
|
|
2015-02-24 12:22:29 +01:00
|
|
|
/**
|
2015-06-23 17:12:24 +02:00
|
|
|
* Run the given LDAP query and return the resulting entries
|
2015-02-24 12:22:29 +01:00
|
|
|
*
|
2015-06-23 17:12:24 +02:00
|
|
|
* This utilizes paged search requests as defined in RFC 2696.
|
2015-02-24 12:22:29 +01:00
|
|
|
*
|
2015-06-24 09:14:25 +02:00
|
|
|
* @param LdapQuery $query The query to fetch results with
|
|
|
|
|
* @param array $fields Request these attributes instead of the ones registered in the given query
|
|
|
|
|
* @param int $pageSize The maximum page size, defaults to self::PAGE_SIZE
|
2015-06-23 17:12:24 +02:00
|
|
|
*
|
|
|
|
|
* @return array
|
|
|
|
|
*
|
2015-06-24 09:14:25 +02:00
|
|
|
* @throws LdapException In case an error occured while fetching the results
|
2015-02-24 12:22:29 +01:00
|
|
|
*/
|
2015-06-24 09:14:25 +02:00
|
|
|
protected function runPagedQuery(LdapQuery $query, array $fields = null, $pageSize = null)
|
2015-02-06 16:37:35 +01:00
|
|
|
{
|
2015-06-23 17:27:30 +02:00
|
|
|
if ($pageSize === null) {
|
2015-02-24 12:22:29 +01:00
|
|
|
$pageSize = static::PAGE_SIZE;
|
|
|
|
|
}
|
|
|
|
|
|
2015-02-06 16:37:35 +01:00
|
|
|
$limit = $query->getLimit();
|
|
|
|
|
$offset = $query->hasOffset() ? $query->getOffset() - 1 : 0;
|
2015-05-04 11:26:27 +02:00
|
|
|
$queryString = (string) $query;
|
2015-06-23 17:22:26 +02:00
|
|
|
$base = $query->getBase() ?: $this->rootDn;
|
2015-02-06 16:37:35 +01:00
|
|
|
|
2015-06-23 17:27:30 +02:00
|
|
|
if ($fields === null) {
|
2015-05-04 11:26:27 +02:00
|
|
|
$fields = $query->getColumns();
|
2015-02-06 16:37:35 +01:00
|
|
|
}
|
|
|
|
|
|
2015-07-10 09:51:39 +02:00
|
|
|
$ds = $this->getConnection();
|
|
|
|
|
|
2015-09-03 17:48:53 +02:00
|
|
|
$serverSorting = $this->capabilities->hasOid(LdapCapabilities::LDAP_SERVER_SORT_OID);
|
2015-09-03 17:50:24 +02:00
|
|
|
if (! $serverSorting && $query->hasOrder()) {
|
2015-06-25 15:51:19 +02:00
|
|
|
foreach ($query->getOrder() as $rule) {
|
|
|
|
|
if (! in_array($rule[0], $fields)) {
|
|
|
|
|
$fields[] = $rule[0];
|
|
|
|
|
}
|
|
|
|
|
}
|
2015-06-03 14:22:38 +02:00
|
|
|
}
|
|
|
|
|
|
2015-02-06 16:37:35 +01:00
|
|
|
$count = 0;
|
|
|
|
|
$cookie = '';
|
|
|
|
|
$entries = array();
|
|
|
|
|
do {
|
2015-06-23 17:27:30 +02:00
|
|
|
// Do not request the pagination control as a critical extension, as we want the
|
|
|
|
|
// server to return results even if the paged search request cannot be satisfied
|
2015-07-10 09:51:39 +02:00
|
|
|
ldap_control_paged_result($ds, $pageSize, false, $cookie);
|
2015-02-24 12:22:29 +01:00
|
|
|
|
2015-09-03 17:50:24 +02:00
|
|
|
if ($serverSorting) {
|
|
|
|
|
ldap_set_option($ds, LDAP_OPT_SERVER_CONTROLS, array(
|
|
|
|
|
array(
|
|
|
|
|
'oid' => LdapCapabilities::LDAP_SERVER_SORT_OID,
|
|
|
|
|
'value' => $this->encodeSortRules($query->getOrder())
|
|
|
|
|
)
|
|
|
|
|
));
|
|
|
|
|
}
|
|
|
|
|
|
2015-05-04 11:26:27 +02:00
|
|
|
$results = @ldap_search(
|
2015-07-10 09:51:39 +02:00
|
|
|
$ds,
|
2015-05-04 11:26:27 +02:00
|
|
|
$base,
|
|
|
|
|
$queryString,
|
|
|
|
|
array_values($fields),
|
|
|
|
|
0, // Attributes and values
|
2015-06-03 14:22:38 +02:00
|
|
|
$serverSorting && $limit ? $offset + $limit : 0
|
2015-05-04 11:26:27 +02:00
|
|
|
);
|
2015-02-06 16:37:35 +01:00
|
|
|
if ($results === false) {
|
2015-07-10 09:51:39 +02:00
|
|
|
if (ldap_errno($ds) === self::LDAP_NO_SUCH_OBJECT) {
|
2015-02-06 16:37:35 +01:00
|
|
|
break;
|
|
|
|
|
}
|
|
|
|
|
|
|
|
|
|
throw new LdapException(
|
|
|
|
|
'LDAP query "%s" (base %s) failed. Error: %s',
|
|
|
|
|
$queryString,
|
|
|
|
|
$base,
|
2015-07-10 09:51:39 +02:00
|
|
|
ldap_error($ds)
|
2015-02-06 16:37:35 +01:00
|
|
|
);
|
2015-07-10 09:51:39 +02:00
|
|
|
} elseif (ldap_count_entries($ds, $results) === 0) {
|
2015-02-06 16:37:35 +01:00
|
|
|
if (in_array(
|
2015-07-10 09:51:39 +02:00
|
|
|
ldap_errno($ds),
|
2015-02-06 16:37:35 +01:00
|
|
|
array(static::LDAP_SIZELIMIT_EXCEEDED, static::LDAP_ADMINLIMIT_EXCEEDED)
|
|
|
|
|
)) {
|
|
|
|
|
Logger::warning(
|
|
|
|
|
'Unable to request more than %u results. Does the server allow paged search requests? (%s)',
|
|
|
|
|
$count,
|
2015-07-10 09:51:39 +02:00
|
|
|
ldap_error($ds)
|
2015-02-06 16:37:35 +01:00
|
|
|
);
|
|
|
|
|
}
|
|
|
|
|
|
|
|
|
|
break;
|
|
|
|
|
}
|
|
|
|
|
|
2015-07-10 09:51:39 +02:00
|
|
|
$entry = ldap_first_entry($ds, $results);
|
2015-02-06 16:37:35 +01:00
|
|
|
do {
|
|
|
|
|
$count += 1;
|
2015-06-03 14:22:38 +02:00
|
|
|
if (! $serverSorting || $offset === 0 || $offset < $count) {
|
2015-07-10 09:51:39 +02:00
|
|
|
$entries[ldap_get_dn($ds, $entry)] = $this->cleanupAttributes(
|
2015-07-15 10:32:54 +02:00
|
|
|
ldap_get_attributes($ds, $entry),
|
|
|
|
|
array_flip($fields)
|
2015-01-29 15:53:15 +01:00
|
|
|
);
|
|
|
|
|
}
|
2015-06-03 14:22:38 +02:00
|
|
|
} while (
|
|
|
|
|
(! $serverSorting || $limit === 0 || $limit !== count($entries))
|
2015-07-10 09:51:39 +02:00
|
|
|
&& ($entry = ldap_next_entry($ds, $entry))
|
2015-06-03 14:22:38 +02:00
|
|
|
);
|
2015-02-06 16:37:35 +01:00
|
|
|
|
2015-07-10 09:51:39 +02:00
|
|
|
if (false === @ldap_control_paged_result_response($ds, $results, $cookie)) {
|
2015-02-06 16:37:35 +01:00
|
|
|
// If the page size is greater than or equal to the sizeLimit value, the server should ignore the
|
|
|
|
|
// control as the request can be satisfied in a single page: https://www.ietf.org/rfc/rfc2696.txt
|
|
|
|
|
// This applies no matter whether paged search requests are permitted or not. You're done once you
|
|
|
|
|
// got everything you were out for.
|
2015-06-03 14:22:38 +02:00
|
|
|
if ($serverSorting && count($entries) !== $limit) {
|
2015-02-24 12:22:29 +01:00
|
|
|
// The server does not support pagination, but still returned a response by ignoring the
|
|
|
|
|
// pagedResultsControl. We output a warning to indicate that the pagination control was ignored.
|
2015-06-23 17:27:30 +02:00
|
|
|
Logger::warning(
|
|
|
|
|
'Unable to request paged LDAP results. Does the server allow paged search requests?'
|
|
|
|
|
);
|
2015-02-06 16:37:35 +01:00
|
|
|
}
|
2013-06-03 17:02:08 +02:00
|
|
|
}
|
2015-01-29 15:53:15 +01:00
|
|
|
|
2015-02-06 16:37:35 +01:00
|
|
|
ldap_free_result($results);
|
2015-06-03 14:22:38 +02:00
|
|
|
} while ($cookie && (! $serverSorting || $limit === 0 || count($entries) < $limit));
|
2015-02-06 16:37:35 +01:00
|
|
|
|
|
|
|
|
if ($cookie) {
|
|
|
|
|
// A sequence of paged search requests is abandoned by the client sending a search request containing a
|
|
|
|
|
// pagedResultsControl with the size set to zero (0) and the cookie set to the last cookie returned by
|
|
|
|
|
// the server: https://www.ietf.org/rfc/rfc2696.txt
|
2015-07-10 09:51:39 +02:00
|
|
|
ldap_control_paged_result($ds, 0, false, $cookie);
|
|
|
|
|
ldap_search($ds, $base, $queryString); // Returns no entries, due to the page size
|
2015-02-06 16:37:35 +01:00
|
|
|
} else {
|
|
|
|
|
// Reset the paged search request so that subsequent requests succeed
|
2015-07-10 09:51:39 +02:00
|
|
|
ldap_control_paged_result($ds, 0);
|
2013-06-03 17:02:08 +02:00
|
|
|
}
|
2015-01-29 15:53:15 +01:00
|
|
|
|
2015-06-03 14:22:38 +02:00
|
|
|
if (! $serverSorting && $query->hasOrder()) {
|
2015-05-04 11:36:38 +02:00
|
|
|
uasort($entries, array($query, 'compare'));
|
2015-06-03 14:22:38 +02:00
|
|
|
if ($limit && $count > $limit) {
|
|
|
|
|
$entries = array_splice($entries, $query->hasOffset() ? $query->getOffset() : 0, $limit);
|
|
|
|
|
}
|
2015-05-04 11:36:38 +02:00
|
|
|
}
|
|
|
|
|
|
|
|
|
|
return $entries;
|
2013-06-03 17:02:08 +02:00
|
|
|
}
|
|
|
|
|
|
2015-06-23 17:06:35 +02:00
|
|
|
/**
|
|
|
|
|
* Clean up the given attributes and return them as simple object
|
|
|
|
|
*
|
|
|
|
|
* Applies column aliases, aggregates multi-value attributes as array and sets null for each missing attribute.
|
|
|
|
|
*
|
|
|
|
|
* @param array $attributes
|
|
|
|
|
* @param array $requestedFields
|
|
|
|
|
*
|
|
|
|
|
* @return object
|
|
|
|
|
*/
|
2015-07-14 18:32:44 +02:00
|
|
|
public function cleanupAttributes($attributes, array $requestedFields)
|
2013-06-03 17:02:08 +02:00
|
|
|
{
|
2015-05-04 11:32:03 +02:00
|
|
|
// In case the result contains attributes with a differing case than the requested fields, it is
|
|
|
|
|
// necessary to create another array to map attributes case insensitively to their requested counterparts.
|
|
|
|
|
// This does also apply the virtual alias handling. (Since an LDAP server does not handle such)
|
|
|
|
|
$loweredFieldMap = array();
|
|
|
|
|
foreach ($requestedFields as $name => $alias) {
|
|
|
|
|
$loweredFieldMap[strtolower($name)] = is_string($alias) ? $alias : $name;
|
|
|
|
|
}
|
|
|
|
|
|
|
|
|
|
$cleanedAttributes = array();
|
|
|
|
|
for ($i = 0; $i < $attributes['count']; $i++) {
|
|
|
|
|
$attribute_name = $attributes[$i];
|
|
|
|
|
if ($attributes[$attribute_name]['count'] === 1) {
|
|
|
|
|
$attribute_value = $attributes[$attribute_name][0];
|
2013-06-03 17:02:08 +02:00
|
|
|
} else {
|
2015-05-04 11:32:03 +02:00
|
|
|
$attribute_value = array();
|
|
|
|
|
for ($j = 0; $j < $attributes[$attribute_name]['count']; $j++) {
|
|
|
|
|
$attribute_value[] = $attributes[$attribute_name][$j];
|
2013-06-03 17:02:08 +02:00
|
|
|
}
|
|
|
|
|
}
|
2015-05-04 11:32:03 +02:00
|
|
|
|
|
|
|
|
$requestedAttributeName = isset($loweredFieldMap[strtolower($attribute_name)])
|
|
|
|
|
? $loweredFieldMap[strtolower($attribute_name)]
|
|
|
|
|
: $attribute_name;
|
|
|
|
|
$cleanedAttributes[$requestedAttributeName] = $attribute_value;
|
2013-06-03 17:02:08 +02:00
|
|
|
}
|
2015-05-04 11:32:03 +02:00
|
|
|
|
|
|
|
|
// The result may not contain all requested fields, so populate the cleaned
|
|
|
|
|
// result with the missing fields and their value being set to null
|
|
|
|
|
foreach ($requestedFields as $name => $alias) {
|
|
|
|
|
if (! is_string($alias)) {
|
|
|
|
|
$alias = $name;
|
|
|
|
|
}
|
|
|
|
|
|
|
|
|
|
if (! array_key_exists($alias, $cleanedAttributes)) {
|
|
|
|
|
$cleanedAttributes[$alias] = null;
|
|
|
|
|
Logger::debug('LDAP query result does not provide the requested field "%s"', $name);
|
|
|
|
|
}
|
|
|
|
|
}
|
|
|
|
|
|
|
|
|
|
return (object) $cleanedAttributes;
|
2013-06-03 17:02:08 +02:00
|
|
|
}
|
|
|
|
|
|
2015-06-03 14:22:38 +02:00
|
|
|
/**
|
|
|
|
|
* Encode the given array of sort rules as ASN.1 octet stream according to RFC 2891
|
|
|
|
|
*
|
|
|
|
|
* @param array $sortRules
|
|
|
|
|
*
|
2015-09-03 17:47:54 +02:00
|
|
|
* @return string Binary representation of the octet stream
|
2015-06-03 14:22:38 +02:00
|
|
|
*/
|
|
|
|
|
protected function encodeSortRules(array $sortRules)
|
|
|
|
|
{
|
2015-09-03 17:47:54 +02:00
|
|
|
// TODO(el): Indefinite form of length octet
|
|
|
|
|
$sequenceOf = '';
|
2015-06-03 14:22:38 +02:00
|
|
|
|
|
|
|
|
foreach ($sortRules as $rule) {
|
2015-09-03 17:47:54 +02:00
|
|
|
$reversed = '0101' . ($rule[1] === Sortable::SORT_DESC ? 'ff' : '00');
|
|
|
|
|
|
|
|
|
|
$attributeType = unpack('H*', $rule[0]);
|
|
|
|
|
$attributeType = $attributeType[1];
|
|
|
|
|
$attributeType = '04' . str_pad(dechex(strlen($attributeType) / 2), 2, '0', STR_PAD_LEFT) . $attributeType;
|
|
|
|
|
$sequence = '30'
|
|
|
|
|
. str_pad(dechex(strlen($attributeType . $reversed) / 2), 2, '0', STR_PAD_LEFT)
|
|
|
|
|
. $attributeType
|
|
|
|
|
. $reversed;
|
|
|
|
|
$sequenceOf .= $sequence;
|
|
|
|
|
}
|
|
|
|
|
$sequenceOf = '30'
|
|
|
|
|
. str_pad(dechex(strlen($sequenceOf) / 2), 2, '0', STR_PAD_LEFT)
|
|
|
|
|
. $sequenceOf;
|
|
|
|
|
return hex2bin($sequenceOf);
|
2015-06-03 14:22:38 +02:00
|
|
|
}
|
|
|
|
|
|
2014-06-16 14:16:18 +02:00
|
|
|
/**
|
2015-06-23 17:38:19 +02:00
|
|
|
* Prepare and establish a connection with the LDAP server
|
2014-06-16 14:16:18 +02:00
|
|
|
*
|
2015-07-15 19:32:12 +02:00
|
|
|
* @param Inspection $info Optional inspection to fill with diagnostic info
|
2015-07-15 17:30:39 +02:00
|
|
|
*
|
|
|
|
|
* @return resource A LDAP link identifier
|
2014-06-16 14:16:18 +02:00
|
|
|
*
|
2015-07-15 17:30:39 +02:00
|
|
|
* @throws LdapException In case the connection is not possible
|
2014-06-16 14:16:18 +02:00
|
|
|
*/
|
2015-07-15 17:30:39 +02:00
|
|
|
protected function prepareNewConnection(Inspection $info = null)
|
2013-07-12 13:41:48 +02:00
|
|
|
{
|
2015-07-15 17:30:39 +02:00
|
|
|
if (! isset($info)) {
|
|
|
|
|
$info = new Inspection('');
|
|
|
|
|
}
|
|
|
|
|
|
2015-03-12 15:17:19 +01:00
|
|
|
$hostname = $this->hostname;
|
2015-04-02 10:41:25 +02:00
|
|
|
if ($this->encryption === static::LDAPS) {
|
2015-07-15 17:30:39 +02:00
|
|
|
$info->write('Connect using LDAPS');
|
2015-03-12 15:17:19 +01:00
|
|
|
$hostname = 'ldaps://' . $hostname;
|
|
|
|
|
}
|
|
|
|
|
|
|
|
|
|
$ds = ldap_connect($hostname, $this->port);
|
2015-06-23 17:27:30 +02:00
|
|
|
|
2015-07-10 10:45:10 +02:00
|
|
|
// Usage of ldap_rename, setting LDAP_OPT_REFERRALS to 0 or using STARTTLS requires LDAPv3.
|
|
|
|
|
// If this does not work we're probably not in a PHP 5.3+ environment as it is VERY
|
|
|
|
|
// unlikely that the server complains about it by itself prior to a bind request
|
|
|
|
|
ldap_set_option($ds, LDAP_OPT_PROTOCOL_VERSION, 3);
|
|
|
|
|
|
|
|
|
|
// Not setting this results in "Operations error" on AD when using the whole domain as search base
|
|
|
|
|
ldap_set_option($ds, LDAP_OPT_REFERRALS, 0);
|
2015-06-23 17:27:30 +02:00
|
|
|
|
2015-04-02 10:41:25 +02:00
|
|
|
if ($this->encryption === static::STARTTLS) {
|
2015-07-14 18:29:58 +02:00
|
|
|
$this->encrypted = true;
|
2015-07-15 17:30:39 +02:00
|
|
|
$info->write('Connect using STARTTLS');
|
2015-07-15 11:14:59 +02:00
|
|
|
if (! ldap_start_tls($ds)) {
|
2015-07-14 18:29:58 +02:00
|
|
|
throw new LdapException('LDAP STARTTLS failed: %s', ldap_error($ds));
|
2013-07-12 13:41:48 +02:00
|
|
|
}
|
2015-07-14 18:29:58 +02:00
|
|
|
|
|
|
|
|
} elseif ($this->encryption !== static::LDAPS) {
|
|
|
|
|
$this->encrypted = false;
|
2015-07-15 17:30:39 +02:00
|
|
|
$info->write('Connect without encryption');
|
2013-07-12 13:41:48 +02:00
|
|
|
}
|
|
|
|
|
|
|
|
|
|
return $ds;
|
2013-06-03 17:02:08 +02:00
|
|
|
}
|
|
|
|
|
|
2014-06-16 14:16:18 +02:00
|
|
|
/**
|
2015-06-23 17:37:10 +02:00
|
|
|
* Create an LDAP entry
|
2014-06-16 14:16:18 +02:00
|
|
|
*
|
2015-06-23 17:37:10 +02:00
|
|
|
* @param string $dn The distinguished name to use
|
|
|
|
|
* @param array $attributes The entry's attributes
|
2014-06-16 14:16:18 +02:00
|
|
|
*
|
2015-06-23 17:37:10 +02:00
|
|
|
* @return bool Whether the operation was successful
|
2014-06-16 14:16:18 +02:00
|
|
|
*/
|
2015-06-23 17:37:10 +02:00
|
|
|
public function addEntry($dn, array $attributes)
|
2014-06-16 14:16:18 +02:00
|
|
|
{
|
2015-07-10 09:51:39 +02:00
|
|
|
return ldap_add($this->getConnection(), $dn, $attributes);
|
2013-06-03 17:02:08 +02:00
|
|
|
}
|
2013-07-12 13:41:48 +02:00
|
|
|
|
2013-12-17 14:28:56 +01:00
|
|
|
/**
|
2015-06-23 17:37:10 +02:00
|
|
|
* Modify an LDAP entry
|
2013-12-17 14:28:56 +01:00
|
|
|
*
|
2015-06-23 17:37:10 +02:00
|
|
|
* @param string $dn The distinguished name to use
|
|
|
|
|
* @param array $attributes The attributes to update the entry with
|
2013-12-17 14:28:56 +01:00
|
|
|
*
|
2015-06-23 17:37:10 +02:00
|
|
|
* @return bool Whether the operation was successful
|
2013-12-17 14:28:56 +01:00
|
|
|
*/
|
2015-06-23 17:37:10 +02:00
|
|
|
public function modifyEntry($dn, array $attributes)
|
2013-12-17 14:28:56 +01:00
|
|
|
{
|
2015-07-10 09:51:39 +02:00
|
|
|
return ldap_modify($this->getConnection(), $dn, $attributes);
|
2013-12-17 14:28:56 +01:00
|
|
|
}
|
|
|
|
|
|
|
|
|
|
/**
|
2015-06-23 17:37:10 +02:00
|
|
|
* Change the distinguished name of an LDAP entry
|
2013-12-17 14:28:56 +01:00
|
|
|
*
|
2015-06-23 17:37:10 +02:00
|
|
|
* @param string $dn The entry's current distinguished name
|
|
|
|
|
* @param string $newRdn The new relative distinguished name
|
|
|
|
|
* @param string $newParentDn The new parent or superior entry's distinguished name
|
2013-12-17 14:28:56 +01:00
|
|
|
*
|
2015-06-23 17:37:10 +02:00
|
|
|
* @return resource The resulting search result identifier
|
|
|
|
|
*
|
|
|
|
|
* @throws LdapException In case an error occured
|
2013-12-17 14:28:56 +01:00
|
|
|
*/
|
2015-06-23 17:37:10 +02:00
|
|
|
public function moveEntry($dn, $newRdn, $newParentDn)
|
2013-12-17 14:28:56 +01:00
|
|
|
{
|
2015-07-10 09:51:39 +02:00
|
|
|
$ds = $this->getConnection();
|
|
|
|
|
$result = ldap_rename($ds, $dn, $newRdn, $newParentDn, false);
|
2015-06-23 17:37:10 +02:00
|
|
|
if ($result === false) {
|
2015-07-10 09:51:39 +02:00
|
|
|
throw new LdapException('Could not move entry "%s" to "%s": %s', $dn, $newRdn, ldap_error($ds));
|
2015-06-23 17:37:10 +02:00
|
|
|
}
|
|
|
|
|
|
|
|
|
|
return $result;
|
2013-12-17 14:28:56 +01:00
|
|
|
}
|
|
|
|
|
|
|
|
|
|
/**
|
2015-06-23 17:37:10 +02:00
|
|
|
* Return the LDAP specific configuration directory with the given relative path being appended
|
2013-12-17 14:28:56 +01:00
|
|
|
*
|
2015-06-23 17:37:10 +02:00
|
|
|
* @param string $sub
|
2013-12-17 14:28:56 +01:00
|
|
|
*
|
2015-06-23 17:37:10 +02:00
|
|
|
* @return string
|
2013-12-17 14:28:56 +01:00
|
|
|
*/
|
2015-06-23 17:37:10 +02:00
|
|
|
protected function getConfigDir($sub = null)
|
2013-12-17 14:28:56 +01:00
|
|
|
{
|
2015-06-23 17:37:10 +02:00
|
|
|
$dir = Config::$configDir . '/ldap';
|
|
|
|
|
if ($sub !== null) {
|
|
|
|
|
$dir .= '/' . $sub;
|
2013-12-17 14:28:56 +01:00
|
|
|
}
|
|
|
|
|
|
2015-06-23 17:37:10 +02:00
|
|
|
return $dir;
|
2013-12-17 14:28:56 +01:00
|
|
|
}
|
|
|
|
|
|
2015-07-14 12:30:16 +02:00
|
|
|
/**
|
2015-07-15 18:36:19 +02:00
|
|
|
* Inspect if this LDAP Connection is working as expected
|
2015-07-15 17:30:39 +02:00
|
|
|
*
|
2015-07-15 19:32:12 +02:00
|
|
|
* Check if connection, bind and encryption is working as expected and get additional
|
|
|
|
|
* information about the used
|
|
|
|
|
*
|
2015-07-15 18:36:19 +02:00
|
|
|
* @return Inspection Inspection result
|
2015-07-14 12:30:16 +02:00
|
|
|
*/
|
2015-07-15 17:30:39 +02:00
|
|
|
public function inspect()
|
2015-07-14 12:30:16 +02:00
|
|
|
{
|
2015-07-15 17:30:39 +02:00
|
|
|
$insp = new Inspection('Ldap Connection');
|
|
|
|
|
|
|
|
|
|
// Try to connect to the server with the given connection parameters
|
|
|
|
|
try {
|
|
|
|
|
$ds = $this->prepareNewConnection($insp);
|
|
|
|
|
} catch (Exception $e) {
|
2015-08-19 16:09:42 +02:00
|
|
|
if ($this->encryption === 'starttls') {
|
|
|
|
|
// The Exception does not return any proper error messages in case of certificate errors. Connecting
|
|
|
|
|
// by STARTTLS will usually fail at this point when the certificate is unknown,
|
|
|
|
|
// so at least try to give some hints.
|
|
|
|
|
$insp->write('NOTE: There might be an issue with the chosen encryption. Ensure that the LDAP-Server ' .
|
|
|
|
|
'supports STARTTLS and that the LDAP-Client is configured to accept its certificate.');
|
|
|
|
|
}
|
2015-07-15 18:36:19 +02:00
|
|
|
return $insp->error($e->getMessage());
|
2015-07-14 12:30:16 +02:00
|
|
|
}
|
|
|
|
|
|
2015-07-15 17:30:39 +02:00
|
|
|
// Try a bind-command with the given user credentials, this must not fail
|
|
|
|
|
$success = @ldap_bind($ds, $this->bindDn, $this->bindPw);
|
|
|
|
|
$msg = sprintf(
|
|
|
|
|
'LDAP bind to %s:%s (%s / %s)',
|
|
|
|
|
$this->hostname,
|
|
|
|
|
$this->port,
|
|
|
|
|
$this->bindDn,
|
|
|
|
|
'***' /* $this->bindPw */
|
|
|
|
|
);
|
|
|
|
|
if (! $success) {
|
2015-08-19 16:09:42 +02:00
|
|
|
// ldap_error does not return any proper error messages in case of certificate errors. Connecting
|
|
|
|
|
// by LDAPS will usually fail at this point when the certificate is unknown, so at least try to give
|
|
|
|
|
// some hints.
|
|
|
|
|
if ($this->encryption === 'ldaps') {
|
|
|
|
|
$insp->write('NOTE: There might be an issue with the chosen encryption. Ensure that the LDAP-Server ' .
|
|
|
|
|
' supports LDAPS and that the LDAP-Client is configured to accept its certificate.');
|
|
|
|
|
}
|
2015-07-15 18:36:19 +02:00
|
|
|
return $insp->error(sprintf('%s failed: %s', $msg, ldap_error($ds)));
|
2015-07-15 17:30:39 +02:00
|
|
|
}
|
|
|
|
|
$insp->write(sprintf($msg . ' successful'));
|
|
|
|
|
|
|
|
|
|
// Try to execute a schema discovery this may fail if schema discovery is not supported
|
|
|
|
|
try {
|
|
|
|
|
$cap = LdapCapabilities::discoverCapabilities($this);
|
|
|
|
|
$discovery = new Inspection('Discovery Results');
|
|
|
|
|
$discovery->write($cap->getVendor());
|
|
|
|
|
$version = $cap->getVersion();
|
|
|
|
|
if (isset($version)) {
|
|
|
|
|
$discovery->write($version);
|
2015-07-14 12:30:16 +02:00
|
|
|
}
|
2015-07-15 17:30:39 +02:00
|
|
|
$discovery->write('Supports STARTTLS: ' . ($cap->hasStartTls() ? 'True' : 'False'));
|
|
|
|
|
$discovery->write('Default naming context: ' . $cap->getDefaultNamingContext());
|
|
|
|
|
$insp->write($discovery);
|
|
|
|
|
} catch (Exception $e) {
|
|
|
|
|
$insp->write('Schema discovery not possible: ' . $e->getMessage());
|
2015-07-14 12:30:16 +02:00
|
|
|
}
|
2015-07-15 17:30:39 +02:00
|
|
|
return $insp;
|
2015-07-14 12:30:16 +02:00
|
|
|
}
|
2013-06-03 17:02:08 +02:00
|
|
|
}
|
