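0) { ldap_set_option ($ds, LDAP_OPT_PROTOCOL_VERSION, $config["auth"]["ldap_version"]); }
        if ($config["auth"]["ldap_start_tls"] && !@ldap_start_tls ($ds)) {
            $ldap_cache["error"] .= 'Could not start TLS for LDAP connection';
            return $ret;
        }
        if (ldap_search_user ($login)) {
            // NOTE(review): $login is concatenated into the bind DN without ldap_escape(..., LDAP_ESCAPE_DN),
            // and an empty $password turns ldap_bind() into an unauthenticated bind on servers that allow it;
            // confirm the caller rejects empty passwords before reaching this point.
            $r = @ldap_bind ($ds, $config["auth"]["ldap_login_attr"]."=".$login.",".$config["auth"]["ldap_base_dn"], $password);
            if (!$r) {
                $ldap_cache["error"] .= 'Invalid login';
                //$ldap_cache["error"] .= ': incorrect password'; // uncomment for debugging
            } else {
                $ret = true;
            }
        } else {
            $ldap_cache["error"] .= 'Invalid login';
            //$ldap_cache["error"] .= ': no such user';
        }
        @ldap_close ($ds);
    } else {
        $ldap_cache["error"] .= 'Error connecting to LDAP server';
    }
    return $ret;
}

/**
 * Load user information according to the PandoraFMS structure.
 * Error messages are appended to $ldap_cache["error"].
 *
 * @param string $login User login, exactly one LDAP entry must match it
 *
 * @return mixed Array with the user information, false in any other case
 */
function ldap_load_user ($login) {
    global $ldap_cache, $config;

    $ret = false;

    if (!ldap_connect_bind ()) {
        $ldap_cache["error"] .= 'Could not connect to LDAP server';
        return $ret;
    }

    $attrs = $config["auth"]["ldap_user_attr"];

    // $login comes from the login form: escape it as an LDAP filter value so that
    // '*', '(', ')', '\' and NUL cannot change the meaning of the filter (RFC 4515).
    // ldap_escape() exists since PHP 5.6; the str_replace branch is the same mapping.
    if (function_exists ('ldap_escape')) {
        $safe_login = ldap_escape ($login, '', LDAP_ESCAPE_FILTER);
    } else {
        $safe_login = str_replace (
            array ('\\', '*', '(', ')', "\0"),
            array ('\5c', '\2a', '\28', '\29', '\00'),
            $login
        );
    }
    $filter = "(&(".$config["auth"]["ldap_login_attr"]."=".$safe_login.")".$config["auth"]["ldap_user_filter"].")";

    $sr = @ldap_search ($ldap_cache["ds"], $config["auth"]["ldap_base_dn"], $filter, array_values ($attrs));
    if (!$sr) {
        $ldap_cache["error"] .= 'Error searching LDAP server (load_user): ' . ldap_error ($ldap_cache["ds"]);
    } else {
        $info = @ldap_get_entries ($ldap_cache["ds"], $sr);
        if (!is_array ($info) || $info['count'] !== 1) {
            // Zero matches or several matches are both reported as a failed login.
            $ldap_cache["error"] .= 'Invalid login';
            //$ldap_cache["error"] .= ', could not load user'; //Uncomment for debugging
        } else {
            $entry = $info[0];
            $ret = array ();
            // These three values do not depend on the attribute loop, so set them once.
            $ret["last_connect"] = get_system_time ();
            $ret["registered"] = get_system_time ();
            $ret["is_admin"] = is_user_admin ($entry[$attrs["id_user"]][0]);
            foreach ($attrs as $internal_key => $ldap_key) {
                // Only the first value of multi-valued attributes is used.
                $ret[$internal_key] = isset ($entry[$ldap_key]) ? $entry[$ldap_key][0] : '';
            }
        }
        @ldap_free_result ($sr);
    }

    @ldap_close ($ldap_cache["ds"]);
    // Forget the closed handle so the next ldap_connect_bind() opens a fresh one.
    $ldap_cache["ds"] = "";

    return $ret;
}

/**
 * Create a new user. We don't do LDAP admin in Pandora, so not implemented.
 *
 * @return bool false
 */
function create_user () {
    global $ldap_cache;

    $ldap_cache["error"] = 'Not yet supported.';
    return false;
}

/**
 * Update a user. We don't do LDAP admin in Pandora, so not implemented.
 *
 * @return bool false
 */
function process_user () {
    global $ldap_cache;

    $ldap_cache["error"] = 'Not yet supported.';
    return false;
}

/**
 * Update a user password. We don't do LDAP admin in Pandora, so not implemented.
 *
 * @param string $user         User whose password would change (unused)
 * @param string $password_old Current password (unused)
 * @param string $password_new New password (unused)
 *
 * @return bool false
 */
function process_user_password ($user, $password_old, $password_new) {
    global $ldap_cache;

    $ldap_cache["error"] = 'Not yet supported';
    return false;
}

/**
 * Delete a user (preferences etc.) from the pandora database (NOT from LDAP).
 * Not implemented for the LDAP backend.
 *
 * @param string $user User to delete (unused)
 *
 * @return bool True if successfully deleted, false otherwise (always false here)
 */
function delete_user ($user) {
    global $ldap_cache;

    $ldap_cache["error"] = 'Not yet supported';
    return false;
}

/**
 * Get all users (for LDAP this also includes the admin users which you have to get separate).
 * The result is cached in $ldap_cache["cached_users"] for the rest of the request.
 *
 * @param mixed $order Order; currently not done for LDAP (entries are sorted by the
 *                     configured "fullname" attribute instead)
 *
 * @return array Users keyed by the "id_user" attribute value, empty array on any failure
 */
function get_users ($order = false) {
    global $ldap_cache, $config;

    if (!empty ($ldap_cache["cached_users"])) {
        return $ldap_cache["cached_users"];
    }

    // Always an array: the original left $ret undefined on failure and returned null.
    $ret = array ();
    $ldap_cache["cached_users"] = $ret;

    if (!ldap_connect_bind ()) {
        return $ret;
    }

    $attrs = $config["auth"]["ldap_user_attr"];
    $id_attr = $attrs["id_user"];
    $fullname_attr = $attrs["fullname"];

    $sr = @ldap_search ($ldap_cache["ds"], $config["auth"]["ldap_base_dn"], $config["auth"]["ldap_user_filter"], array_values ($attrs));
    if (!$sr) {
        $ldap_cache["error"] .= 'Error searching LDAP server (get_users): ' . ldap_error ($ldap_cache["ds"]);
    } else {
        // ldap_sort() was deprecated in PHP 7.0 and removed in 8.0; keep it where it exists
        // (identical ordering to before) and sort client-side otherwise.
        $have_ldap_sort = function_exists ('ldap_sort');
        if ($have_ldap_sort) {
            @ldap_sort ($ldap_cache["ds"], $sr, $fullname_attr);
        }

        $info = @ldap_get_entries ($ldap_cache["ds"], $sr);
        $entries = array ();
        if (is_array ($info)) {
            for ($i = 0; $i < $info['count']; $i++) {
                $entries[] = $info[$i];
            }
        }

        if (!$have_ldap_sort && !empty ($entries)) {
            // Byte-wise string order on the first "fullname" value; entries without the
            // attribute sort first. Closest stdlib equivalent of ldap_sort(), not guaranteed identical.
            $sort_keys = array ();
            foreach ($entries as $entry) {
                $sort_keys[] = isset ($entry[$fullname_attr][0]) ? $entry[$fullname_attr][0] : '';
            }
            array_multisort ($sort_keys, SORT_ASC, SORT_STRING, $entries);
        }

        foreach ($entries as $entry) {
            if (!isset ($entry[$id_attr][0])) {
                // No usable user id: skip instead of collapsing such entries under an empty key.
                continue;
            }
            $id_user = $entry[$id_attr][0];

            $user = array ();
            $user["last_connect"] = get_system_time ();
            foreach ($attrs as $internal_key => $ldap_key) {
                $user[$internal_key] = isset ($entry[$ldap_key]) ? $entry[$ldap_key][0] : '';
            }
            // Admins can live in a separate LDAP branch, so the flag is resolved per user.
            $user["is_admin"] = is_user_admin ($id_user);

            $ret[$id_user] = $user;
        }

        @ldap_free_result ($sr);
    }

    @ldap_close ($ldap_cache["ds"]);
    // Forget the closed handle so the next ldap_connect_bind() opens a fresh one.
    $ldap_cache["ds"] = "";

    $ldap_cache["cached_users"] = $ret;
    return $ldap_cache["cached_users"];
}

/**
 * Strip everything but the username (uid) from a dn.
 * Only the first RDN is looked at; escaped ',' or '=' inside values are not handled.
 *
 * ex: stripdn('uid=jeffh,ou=people,dc=example,dc=com') returns 'jeffh'
 *
 * @param string $dn The dn you want to strip the uid from
 *
 * @return string User id, empty string when the first RDN has no '='
 */
function stripdn ($dn) {
    // explode() replaces split(), which was removed in PHP 7; the separators are
    // plain characters, so the result is the same.
    $rdn_parts = explode (',', $dn, 2);
    $rdn = explode ('=', $rdn_parts[0]);

    return isset ($rdn[1]) ? $rdn[1] : '';
}

/**
 * Connect and bind to the LDAP server, caching the handle in $ldap_cache["ds"].
 * Binds as $config["auth"]["ldap_admin_dn"] when it is set, anonymously otherwise.
 *
 * @return bool True when a bound connection is available in $ldap_cache["ds"], false otherwise
 *              (the reason is appended to $ldap_cache["error"])
 */
function ldap_connect_bind () {
    global $ldap_cache, $config;

    if (! function_exists ('ldap_connect')) {
        die ('Your installation of PHP does not support LDAP');
    }

    $ret = false;

    // Reuse a live handle. is_resource() is false for closed resources; on PHP 8.1+
    // ldap_connect() returns an object, so this check reconnects every time there.
    if (is_resource ($ldap_cache["ds"])) {
        return true;
    }

    if (!empty ($config["auth"]["ldap_port"])) {
        $ldap_cache["ds"] = @ldap_connect ($config["auth"]["ldap_server"], $config["auth"]["ldap_port"]);
    } else {
        $ldap_cache["ds"] = @ldap_connect ($config["auth"]["ldap_server"]);
    }

    if (!$ldap_cache["ds"]) {
        $ldap_cache["error"] .= 'Error connecting to LDAP server';
        $ldap_cache["ds"] = "";
        return $ret;
    }

    if (!empty ($config["auth"]["ldap_version"])) {
        ldap_set_option ($ldap_cache["ds"], LDAP_OPT_PROTOCOL_VERSION, (int) $config["auth"]["ldap_version"]);
    }

    if (!empty ($config["auth"]["ldap_start_tls"]) && !ldap_start_tls ($ldap_cache["ds"])) {
        $ldap_cache["error"] .= 'Could not start TLS for LDAP connection';
        // Drop the handle: leaving it cached would make the next call report success
        // on a connection that was never bound.
        @ldap_close ($ldap_cache["ds"]);
        $ldap_cache["ds"] = "";
        return $ret;
    }

    if (!empty ($config["auth"]["ldap_admin_dn"])) {
        // An empty ldap_admin_pwd makes this an unauthenticated bind on servers that allow it.
        $r = @ldap_bind ($ldap_cache["ds"], $config["auth"]["ldap_admin_dn"], $config["auth"]["ldap_admin_pwd"]);
    } else {
        // Anonymous bind: the server must allow anonymous searches of the user subtree.
        $r = @ldap_bind ($ldap_cache["ds"]);
    }

    if (!$r) {
        $ldap_cache["error"] .= 'Invalid bind login for LDAP Server or (in case of OpenLDAP 2.x) could not connect';
        // Same reason as above: never cache an unbound handle.
        @ldap_close ($ldap_cache["ds"]);
        $ldap_cache["ds"] = "";
        return $ret;
    }

    return true;
}

$ldap_cache = array ();
$ldap_cache["error"] = "";
$ldap_cache["ds"] = "";

// Every required key must be present in $config["auth"]; abort otherwise.
foreach ($req_keys as $key) {
    if (!isset ($config["auth"][$key])) {
        user_error ("Required key ".$key." not set", E_USER_ERROR);
    }
}

// Convert group settings to lower case so later comparisons are case-insensitive.
$config["auth"]["ldap_admin_group_attr"] = strtolower ($config["auth"]["ldap_admin_group_attr"]);
$config["auth"]["ldap_admin_group_type"] = strtolower ($config["auth"]["ldap_admin_group_type"]);

// Defaults for optional keys. `break` ends the switch; the original `continue` inside
// a switch behaves like `break` anyway and has warned since PHP 7.3.
foreach ($opt_keys as $key) {
    if (isset ($config["auth"][$key])) {
        continue;
    }
    switch ($key) {
        case "ldap_start_tls":
            $config["auth"][$key] = false;
            break;
        case "ldap_version":
            $config["auth"][$key] = 0;
            break;
        case "ldap_admin_dn":
        case "ldap_admin_pwd":
            $config["auth"][$key] = "";
            break;
        default:
            // Optional key without a default: leave it unset.
            break;
    }
}

// Reference the global auth error to the last LDAP error.
$config["auth_error"] = &$ldap_cache["error"];

unset ($req_keys, $opt_keys);
?>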