array( 'columns' => array( 'is_active desc', 'user_name' ) ) ); protected $groupOptions; /** * Normed attribute names based on known LDAP environments * * @var array */ protected $normedAttributes = array( 'uid' => 'uid', 'user' => 'user', 'inetorgperson' => 'inetOrgPerson', 'samaccountname' => 'sAMAccountName' ); /** * Set the base DN to use for a query * * @param string $baseDn * * @return $this */ public function setBaseDn($baseDn) { if (($baseDn = trim($baseDn))) { $this->baseDn = $baseDn; } return $this; } /** * Return the base DN to use for a query * * @return string */ public function getBaseDn() { return $this->baseDn; } /** * Set the objectClass where to look for users * * Sets also the base table name for the underlying repository. * * @param string $userClass * * @return $this */ public function setUserClass($userClass) { $this->baseTable = $this->userClass = $this->getNormedAttribute($userClass); return $this; } /** * Return the objectClass where to look for users * * @return string */ public function getUserClass() { return $this->userClass; } /** * Set the attribute name where to find a user's name * * @param string $userNameAttribute * * @return $this */ public function setUserNameAttribute($userNameAttribute) { $this->userNameAttribute = $this->getNormedAttribute($userNameAttribute); return $this; } /** * Return the attribute name where to find a user's name * * @return string */ public function getUserNameAttribute() { return $this->userNameAttribute; } /** * Set the custom LDAP filter to apply on search queries * * @param string $filter * * @return $this */ public function setFilter($filter) { if (($filter = trim($filter))) { $this->filter = $filter; } return $this; } /** * Return the custom LDAP filter to apply on search queries * * @return string */ public function getFilter() { return $this->filter; } public function setGroupOptions(array $options) { $this->groupOptions = $options; return $this; } public function getGroupOptions() { return $this->groupOptions; } /** * Return the given attribute name normed to known LDAP enviroments, if possible * * @param string $name * * @return string */ protected function getNormedAttribute($name) { $loweredName = strtolower($name); if (array_key_exists($loweredName, $this->normedAttributes)) { return $this->normedAttributes[$loweredName]; } return $name; } /** * Apply the given configuration to this backend * * @param ConfigObject $config * * @return $this */ public function setConfig(ConfigObject $config) { return $this ->setBaseDn($config->base_dn) ->setUserClass($config->user_class) ->setUserNameAttribute($config->user_name_attribute) ->setFilter($config->filter); } /** * Return a new query for the given columns * * @param array $columns The desired columns, if null all columns will be queried * * @return RepositoryQuery */ public function select(array $columns = null) { $query = parent::select($columns); $query->getQuery()->setBase($this->baseDn); if ($this->filter) { $query->getQuery()->where(new Expression($this->filter)); } return $query; } /** * Initialize this repository's query columns * * @return array * * @throws ProgrammingError In case either $this->userNameAttribute or $this->userClass has not been set yet */ protected function initializeQueryColumns() { if ($this->userClass === null) { throw new ProgrammingError('It is required to set the objectClass where to look for users first'); } if ($this->userNameAttribute === null) { throw new ProgrammingError('It is required to set a attribute name where to find a user\'s name first'); } if ($this->ds->getCapabilities()->hasAdOid()) { $isActiveAttribute = 'userAccountControl'; $createdAtAttribute = 'whenCreated'; $lastModifiedAttribute = 'whenChanged'; } else { $isActiveAttribute = 'unknown'; $createdAtAttribute = 'unknown'; $lastModifiedAttribute = 'unknown'; } return array( $this->userClass => array( 'user' => $this->userNameAttribute, 'user_name' => $this->userNameAttribute, 'is_active' => $isActiveAttribute, 'created_at' => $createdAtAttribute, 'last_modified' => $lastModifiedAttribute ) ); } /** * Initialize this repository's conversion rules * * @return array * * @throws ProgrammingError In case $this->userClass has not been set yet */ protected function initializeConversionRules() { if ($this->userClass === null) { throw new ProgrammingError('It is required to set the objectClass where to look for users first'); } if ($this->ds->getCapabilities()->hasAdOid()) { $stateConverter = 'user_account_control'; $timeConverter = 'generalized_time'; } else { $timeConverter = null; $stateConverter = null; } return array( $this->userClass => array( 'is_active' => $stateConverter, 'created_at' => $timeConverter, 'last_modified' => $timeConverter ) ); } /** * Return whether the given userAccountControl value defines that a user is permitted to login * * @param string|null $value * * @return bool */ protected function retrieveUserAccountControl($value) { if ($value === null) { return $value; } $ADS_UF_ACCOUNTDISABLE = 2; return ((int) $value & $ADS_UF_ACCOUNTDISABLE) === 0; } /** * Parse the given value based on the ASN.1 standard (GeneralizedTime) and return its timestamp representation * * @param string|null $value * * @return int */ protected function retrieveGeneralizedTime($value) { if ($value === null) { return $value; } if ( ($dateTime = DateTime::createFromFormat('YmdHis.uO', $value)) !== false || ($dateTime = DateTime::createFromFormat('YmdHis.uZ', $value)) !== false || ($dateTime = DateTime::createFromFormat('YmdHis.u', $value)) !== false ) { return $dateTime->getTimeStamp(); } else { Logger::debug(sprintf( 'Failed to parse "%s" based on the ASN.1 standard (GeneralizedTime) for user backend "%s".', $value, $this->getName() )); } } /** * Probe the backend to test if authentication is possible * * Try to bind to the backend and fetch a single user to check if: * * * @throws AuthenticationException When authentication is not possible */ public function assertAuthenticationPossible() { try { $result = $this->select()->fetchRow(); } catch (LdapException $e) { throw new AuthenticationException('Connection not possible.', $e); } if ($result === null) { throw new AuthenticationException( 'No objects with objectClass "%s" in DN "%s" found. (Filter: %s)', $this->userClass, $this->baseDn ?: $this->ds->getDn(), $this->filter ?: 'None' ); } if (! isset($result->user_name)) { throw new AuthenticationException( 'UserNameAttribute "%s" not existing in objectClass "%s"', $this->userNameAttribute, $this->userClass ); } } /** * Retrieve the user groups * * @TODO: Subject to change, see #7343 * * @param string $dn * * @return array */ public function getGroups($dn) { if (empty($this->groupOptions) || ! isset($this->groupOptions['group_base_dn'])) { return array(); } $result = $this->ds->select() ->setBase($this->groupOptions['group_base_dn']) ->from( $this->groupOptions['group_class'], array($this->groupOptions['group_attribute']) ) ->where( $this->groupOptions['group_member_attribute'], $dn ) ->fetchAll(); $groups = array(); foreach ($result as $group) { $groups[] = $group->{$this->groupOptions['group_attribute']}; } return $groups; } /** * Authenticate the given user * * @param User $user * @param string $password * * @return bool True on success, false on failure * * @throws AuthenticationException In case authentication is not possible due to an error */ public function authenticate(User $user, $password) { try { $userDn = $this ->select() ->where('user_name', str_replace('*', '', $user->getUsername())) ->getQuery() ->setUsePagedResults(false) ->fetchDn(); if ($userDn === null) { return false; } $authenticated = $this->ds->testCredentials($userDn, $password); if ($authenticated) { $groups = $this->getGroups($userDn); if ($groups !== null) { $user->setGroups($groups); } } return $authenticated; } catch (LdapException $e) { throw new AuthenticationException( 'Failed to authenticate user "%s" against backend "%s". An exception was thrown:', $user->getUsername(), $this->getName(), $e ); } } }