Merge branch '1684-Autenticacion-por-LDAP-con-mas-de-1000-usuarios-dev' into 'develop'

Added ldapsearch system command

See merge request artica/pandorafms!1173
This commit is contained in:
vgilc 2017-12-12 14:20:22 +01:00
commit 6a0acb05f1
1 changed files with 158 additions and 84 deletions

View File

@ -709,35 +709,51 @@ function ldap_process_user_login ($login, $password) {
$filter="(" . $config['ldap_login_attr'] . "=" . io_safe_output($login) . ")";
$justthese = array("objectclass=group");
$sr = ldap_search($ds, $dc, $filter, $justthese);
$sr=local_ldap_search($config["ldap_server"], $config["ldap_port"], $config["ldap_version"], $dc, $config['ldap_login_attr'], io_safe_output($config['ldap_admin_login']), $config['ldap_admin_pass'], io_safe_output($login));
$memberof = ldap_get_entries($ds, $sr);
if (!$sr == false){
$user_dn=$sr["dn"];
if ($memberof["count"] == 0 && !isset($memberof[0]["memberof"])) {
$ldap_base_dn = !empty($config["ldap_base_dn"]) ? "," . io_safe_output($config["ldap_base_dn"]) : '';
$correct = false;
if(!empty($ldap_base_dn)) {
if (strlen($password) != 0 && @ldap_bind($ds, io_safe_output($user_dn), $password) ) {
$correct = true;
}
} else {
if (strlen($password) != 0 && @ldap_bind($ds, io_safe_output($login), $password) ) {
$correct = true;
}
}
@ldap_close ($ds);
return false;
}
else {
$memberof = $memberof[0];
}
unset($memberof["count"]);
} else {
$sr = ldap_search($ds, $dc, $filter, $justthese);
$ldap_base_dn = !empty($config["ldap_base_dn"]) ? "," . io_safe_output($config["ldap_base_dn"]) : '';
$memberof = ldap_get_entries($ds, $sr);
$correct = false;
if(!empty($ldap_base_dn)) {
if (strlen($password) != 0 && @ldap_bind($ds, io_safe_output($memberof['dn']), $password) ) {
$correct = true;
if ($memberof["count"] == 0 && !isset($memberof[0]["memberof"])) {
@ldap_close ($ds);
return false;
} else {
$memberof = $memberof[0];
}
}
else {
if (strlen($password) != 0 && @ldap_bind($ds, io_safe_output($login), $password) ) {
$correct = true;
}
}
unset($memberof["count"]);
@ldap_close ($ds);
$ldap_base_dn = !empty($config["ldap_base_dn"]) ? "," . io_safe_output($config["ldap_base_dn"]) : '';
$correct = false;
if(!empty($ldap_base_dn)) {
if (strlen($password) != 0 && @ldap_bind($ds, io_safe_output($memberof['dn']), $password) ) {
$correct = true;
}
} else {
if (strlen($password) != 0 && @ldap_bind($ds, io_safe_output($login), $password) ) {
$correct = true;
}
}
@ldap_close ($ds);
}
if ($correct) {
return true;
@ -802,21 +818,25 @@ function get_ldap_login_attr ($login) {
$filter="(" . $config['ldap_login_attr'] . "=" . io_safe_output($id_user) . ")";
$justthese = array("mail");
$sr = ldap_search($ds, $dc, $filter, $justthese);
$sr=local_ldap_search($config["ldap_server"], $config["ldap_port"], $config["ldap_version"], $dc, $config['ldap_login_attr'],io_safe_output($config['ldap_admin_login']), $config['ldap_admin_pass'], io_safe_output($login));
$info = ldap_get_entries($ds, $sr);
if ($info["count"] == 0 && !isset($info[0]["mail"])) {
if (!$sr == false){
$id_user=$sr["mail"];
@ldap_close ($ds);
return $id_user;
}
else {
$info = $info[0];
}
} else {
$sr = ldap_search($ds, $dc, $filter, $justthese, 0, 0 ,2);
$id_user = $info['mail'][0];
$info = ldap_get_entries($ds, $sr);
if ($info["count"] == 0 && !isset($info[0]["mail"])) {
@ldap_close ($ds);
return $id_user;
} else {
$info = $info[0];
}
@ldap_close ($ds);
$id_user = $info['mail'][0];
@ldap_close ($ds);
}
break;
}
@ -905,38 +925,57 @@ function prepare_permissions_groups_of_user_ldap ($id_user, $password,
$filter="(" . $config['ldap_login_attr'] . "=" . io_safe_output($id_user) . ")";
$justthese = array("objectclass=group");
$sr = ldap_search($ds, $dc, $filter, $justthese);
$sr=local_ldap_search($config["ldap_server"], $config["ldap_port"], $config["ldap_version"], $dc, $config['ldap_login_attr'], io_safe_output($config['ldap_admin_login']), $config['ldap_admin_pass'], io_safe_output($id_user));
$memberof = ldap_get_entries($ds, $sr);
if (!$sr == false) {
$user_dn=$sr["dn"];
$ldap_base_dn = !empty($config["ldap_base_dn"]) ? "," . io_safe_output($config["ldap_base_dn"]) : '';
if ($memberof["count"] == 0 && !isset($memberof[0]["memberof"])) {
@ldap_close ($ds);
return false;
}
else {
$memberof = $memberof[0];
}
unset($memberof["count"]);
$ldap_base_dn = !empty($config["ldap_base_dn"]) ? "," . io_safe_output($config["ldap_base_dn"]) : '';
$correct = false;
if(!empty($ldap_base_dn)) {
if (strlen($password) != 0 && @ldap_bind($ds, $memberof['dn'], $password) ) {
$correct = true;
$correct = false;
if(!empty($ldap_base_dn)) {
if (strlen($password) != 0 && @ldap_bind($ds, io_safe_output($user_dn), $password) ) {
$correct = true;
}
} else {
if (strlen($password) != 0 && @ldap_bind($ds, io_safe_output($login), $password) ) {
$correct = true;
}
}
}
else {
if (strlen($password) != 0 && @ldap_bind($ds, io_safe_output($login), $password) ) {
$correct = true;
if (!$correct) {
@ldap_close ($ds);
return false;
}
}
} else {
$sr = ldap_search($ds, $dc, $filter, $justthese, 0, 0, 2);
if (!$correct) {
@ldap_close ($ds);
$memberof = ldap_get_entries($ds, $sr);
return false;
if ($memberof["count"] == 0 && !isset($memberof[0]["memberof"])) {
@ldap_close ($ds);
return false;
} else {
$memberof = $memberof[0];
}
unset($memberof["count"]);
$ldap_base_dn = !empty($config["ldap_base_dn"]) ? "," . io_safe_output($config["ldap_base_dn"]) : '';
$correct = false;
if(!empty($ldap_base_dn)) {
if (strlen($password) != 0 && @ldap_bind($ds, $memberof['dn'], $password) ) {
$correct = true;
}
} else {
if (strlen($password) != 0 && @ldap_bind($ds, io_safe_output($login), $password) ) {
$correct = true;
}
}
if (!$correct) {
@ldap_close ($ds);
return false;
}
}
$permissions = array();
@ -1014,20 +1053,26 @@ function prepare_permissions_groups_of_user_ldap ($id_user, $password,
$filter="(" . $config['ldap_login_attr'] . "=" . io_safe_output($id_user) . ")";
$justthese = array("mail");
$sr = ldap_search($ds, $dc, $filter, $justthese);
$sr=local_ldap_search($config["ldap_server"], $config["ldap_port"], $config["ldap_version"], $dc, $config['ldap_login_attr'], io_safe_output($config['ldap_admin_login']), $config['ldap_admin_pass'], io_safe_output($id_user));
$info = ldap_get_entries($ds, $sr);
if (!$sr == false){
$id_user=$sr["mail"];
$user_info['fullname']=$sr["mail"];
} else {
$sr = ldap_search($ds, $dc, $filter, $justthese, 0, 0, 2);
$info = ldap_get_entries($ds, $sr);
if ($info["count"] == 0 && !isset($info[0]["mail"])) {
@ldap_close ($ds);
return false;
} else {
$info = $info[0];
}
$id_user = $info['mail'][0];
$user_info['fullname'] = $id_user;
if ($info["count"] == 0 && !isset($info[0]["mail"])) {
@ldap_close ($ds);
return false;
}
else {
$info = $info[0];
}
$id_user = $info['mail'][0];
$user_info['fullname'] = $id_user;
break;
}
@ -1341,6 +1386,35 @@ function delete_user_pass_ldap ($id_user) {
return;
}
function local_ldap_search($ldap_host, $ldap_port=389, $ldap_version=3, $dn, $access_attr, $ldap_admin_user, $ldap_admin_pass, $user) {
$filter="(" . $access_attr . "=" . $user . ")";
$shell_ldap_search = explode("\n", shell_exec('ldapsearch -LLL -o ldif-wrap=no -x -h ' . $ldap_host . ' -p ' . $ldap_port . ' -P ' . $ldap_version . ' -E pr=10000/noprompt -D "' . $ldap_admin_user . '" -w ' . $ldap_admin_pass . ' -b "' . $dn . '" -s sub "' . $filter . '" | grep -v "^#\|^$" | sed "s/:\+ /=>/g"'));
foreach($shell_ldap_search as $line) {
$values = explode("=>", $line);
if(!empty($values[0]) && !empty($values[1])) {
$user_attr[$values[0]] = $values[1];
}
}
if (empty($user_attr)) {
return false;
}
$user_dn = safe_output_accute(base64_decode($user_attr["dn"]));
if(strlen($user_dn) > 0) {
$user_attr["dn"]=$user_dn;
}
return $user_attr;
}
function safe_output_accute($string) {
$no_allowed= array ("á","é","í","ó","ú","Á","É","Í","Ó","Ú","ñ","Ñ");
$allowed= array ("a","e","i","o","u","A","E","I","O","U","n","N");
$result = str_replace($no_allowed, $allowed ,$string);
return $result;
}
//Reference the global use authorization error to last auth error.
$config["auth_error"] = &$mysql_cache["auth_error"];
?>