<?php

/**

 * simple class for LDAP authentification

 *

 Copyright (C) 2013 Petr Palas

This program is free software; you can redistribute it and/or

modify it under the terms of the GNU General Public License

as published by the Free Software Foundation; either version 2

of the License, or (at your option) any later version.

This program is distributed in the hope that it will be useful,

but WITHOUT ANY WARRANTY; without even the implied warranty of

MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the

GNU General Public License for more details.

You should have received a copy of the GNU General Public License

along with this program; if not, write to the Free Software

Foundation, Inc., 59 Temple Place - Suite 330, Boston, MA  02111-1307, USA.

 * inspired by http://samjlevy.com/2010/09/php-login-script-using-ldap-verify-group-membership/

 */ 

namespace LDAP;

use Exception;

class auth {

    /**

     * url or ip of ldap server

     * @var type string

     */

    protected $ldap_host;

    /**

     * active directory DN

     * @var type string

     */

    protected $ldap_dn;

    /**

     * target user group

     * @var type string

     */

    protected $ldap_user_group;

    /**

     * manager group (shud contain users with management access)

     * @var type string

     */

    protected $ldap_manager_group;

    /**

     * contains email domain like "@somedomain.com"

     * @var type string

     */

    protected $ldap_usr_dom;

    /**

     * countains connection resource

     * @var type resource

     */

    protected $ldap;

    /**

     * contains status text

     * if exeption is thrown msg contains this string

     * @var type string

     */

    public $status;

    /**

     * contains result array if ldap_search is succesfull

     * @var type array

     */

    public $result;

    /**

     * contains auth state 0=unathrized 1=authorized

     * @var type int

     */

    public $auth=0;

    /**

     * contains access level 0=none or unathorized 1=user 2=managment acc

     * @var type int

     */

    public $access=0;

    /**

     * contains username after user init

     * @var type string

     */

    public $user;

    /**

     * contain user password after user init

     * @var type string

     */

    protected $password;

    /**

     * Exeptions code constants

     */

    const ERROR_WRONG_USER_GROUP=2;

    const ERROR_CANT_AUTH=1;

    const ERROR_CANT_SEARCH=3;

    const ERROR_IMG_DECODE=4;

    const ERROR_CANT_CONNECT=5;

    /**

     * loads passed configuration in case of the ldap_usr_dom it makes sure that this strings begins with '@'

     * @param type $ldap_host

     * @param type $ldap_dn

     * @param type $ldap_user_group

     * @param type $ldap_manager_group

     * @param type $ldap_usr_dom

     */

    function __construct($ldap_host,$ldap_dn,$ldap_user_group,$ldap_manager_group,$ldap_usr_dom) {

        $this->ldap_host=$ldap_host;

        $this->ldap_dn=$ldap_dn;

        $this->ldap_user_group=$ldap_user_group;

        $this->ldap_manager_group=$ldap_manager_group;

        $this->ldap_usr_dom=  '@'.trim($ldap_usr_dom,'@');

    }

    /**

     * well destructor :P

     * just in case there is opened connection to LDAP while destructing this class

     */

    public function __destruct() {

        @ldap_unbind($this->ldap);

    }

    /**

     * dumps result array for debug enclosed in pre tag

     * Wont terminate script!

     */

    public function dump_resut() {

        echo '<pre>';

        print_r($this->result,FALSE);

        echo '</pre>';

    }

    /**

     * Inits connection to LDAP server throws exeption on failure

     * @return boolean

     * @throws Exception

     */

    protected function init_connection(){

        $this->ldap=ldap_connect($this->ldap_host,3268);

        if($this->ldap){

            $this->status='connected :)';

            ldap_set_option($this->ldap, LDAP_OPT_PROTOCOL_VERSION,3);

            ldap_set_option($this->ldap, LDAP_OPT_REFERRALS,0);

        }

        else {

            //TODO: PHP actualy dont check if there is LDAP present on the other end nor it will fail if target host is unreachable. So I need some work around that :(

            $this->status='Cant connect to LDAP';

            throw new Exception($this->status,  self::ERROR_CANT_CONNECT);

        }

        return TRUE;

    }

    public function userInit($user,$password) {

        $this->user=$user;

        $this->password=$password;

        return TRUE;

    }

    /**

     * Converts Binary string (like thumbnail from LDAP to base64 datastring for display

     * @param type $file

     * @param type $mime

     * @return type base64 datastring

     */

    protected function data_uri($file, $mime) {

      $base64   = base64_encode($file);

      return ('data:' . $mime . ';base64,' . $base64);

    }

    /**

     * Gets LDAP thumbnail img

     * @param type $user

     * @param type $password

     * @param type $raw if TRUE method will return raw binary string instead of base64 encoded with mime

     * @return type base64 datatring of the thumbnail

     * @throws Exception

     */

    public function getLDAPimg($user=null,$password=null,$raw=FALSE) {

        $this->refreshCredentials($user, $password);

        //since conection is one off we need to get it

        $this->init_connection();

        $bind = @ldap_bind($this->ldap, $user . $this->ldap_usr_dom, $password);//ldap_bind($this->ldap, $this->ldap_dn, $password);

        if($bind){

            $filter = "(sAMAccountName=" . $user . ")";

            $attr = array("thumbnailphoto");

            $result = @ldap_search($this->ldap, $this->ldap_dn, $filter, $attr);

            if($result==FALSE){

                throw new Exception("Unable to search LDAP server. Reason: ".  ldap_error($this->ldap),  self::ERROR_CANT_SEARCH);

            }

            $entry= ldap_first_entry($this->ldap, $result);

            if ($entry) {

                $info = @ldap_get_values_len($this->ldap, $entry, "thumbnailphoto");

                if(!$info){

                   throw new Exception("Unable to decode thumbnail. Error: ".  ldap_error($this->ldap),  self::ERROR_IMG_DECODE);

                }

                //echo '<img src="'.$this->data_uri($info[0], 'image/png').'">';

            }

            if(!$raw){

                return $this->data_uri($info[0], 'image/png');

            }

            else{

                return $info[0];

            }

        }

        else {

            // invalid name or password

            $this->status='Cant authenticate for search on LDAP';

            throw new Exception($this->status.' '.  ldap_error($this->ldap), self::ERROR_CANT_AUTH);

        }

        ldap_unbind($this->ldap);

    }

    /**

     * Tries to authenticate suplied user with suplied pass

     * @param type $user

     * @param type $password

     * @return boolean

     * @throws Exception

     */

    public function authenticate($user=null, $password=null) {

       $this->refreshCredentials($user, $password);

        //since conection is one off we need to get it

        $this->init_connection();

        // verify user and password

        $bind = @ldap_bind($this->ldap, $user . $this->ldap_usr_dom, $password);

        if($bind) {

            // valid

            // check presence in groups

            $filter = "(sAMAccountName=" . $user . ")";

            $attr = array("memberof");

            $result = @ldap_search($this->ldap, $this->ldap_dn, $filter, $attr);

            if($result==FALSE){

                 throw new Exception("Unable to search LDAP server. Reason: ".  ldap_error($this->ldap),  self::ERROR_CANT_SEARCH);

            }

            $entries = ldap_get_entries($this->ldap, $result);

            //save result for future use

            $this->result=$entries;

            $access = 0;

            // check groups

            foreach($entries[0]['memberof'] as $grps) {

                // is manager, break loop

                if (strpos($grps, $this->ldap_manager_group)) { $access = 2; break; }

                // is user

                if (strpos($grps, $this->ldap_user_group)) $access = 1;

            }

            if ($access != 0) {

                // establish result vars

                $this->status='Authenticated';

                $this->access=$access;

                $this->user= $user;

                $this->auth=1;

                return true;

            } else {

                // user has no rights

                $this->access=$access;

                $this->user= $user;

                $this->auth=1;

                $this->status='User exists but not part of the target group';

                throw new Exception($this->status.' '.  ldap_error($this->ldap),  self::ERROR_WRONG_USER_GROUP);

            }

        } else {

            // invalid name or password

            $this->status='Cant authenticate for search on LDAP';

            throw new Exception($this->status.' '.  ldap_error($this->ldap),  self::ERROR_CANT_AUTH);

        }

        ldap_unbind($this->ldap);

    }

    /**

     * Saves new credentials if we got new or sets the old ones into referenced vars

     * @param type $user Reference to var that shuld contain username or null

     * @param type $password Reference to var that shuld contain password or null

     */

    private function refreshCredentials(&$user,&$password) {

        $newCredentials=TRUE;

        //since we cant set those in param def

        if($password===null){$password=  $this->password;$newCredentials=FALSE;}

        if($user===null){$user=  $this->user;$newCredentials=FALSE;}

        //store user pass and name for future use

        if($newCredentials){$this->userInit($user, $password);}

    }

}

simple-LDAP-auth / ldap_auth.php的更多相关文章

  1. opennebula extend(expending) auth module ldap

    LDAP Authentication addon permits users to have the same credentials as in LDAP, so effectively cent ...

  2. LDAP Authentication for openNebula3.2

    LDAP Authentication 3.2 The LDAP Authentication addon permits users to have the same credentials as ...

  3. 《Linux菜鸟入门2》Ldap

    ldap网络帐号1.ldap是什么ldap目录服务认证,和windows活动目录类似,就是记录数据的一种方式 2.ldap客户端所需软件yum install sssd krb-workstation ...

  4. ldap 集成harbor

    harbor: 1.6 默认配置文件在harbor.cfg,我们可以先不添加配置,直接在harbor web界面进行配置(harbor 1.6 如果db 启动失败提示postgresql 数据目录已存 ...

  5. ldap集成grafana

    grafana版本: 5.0.3 grafana通过k8s方式安装,所以需将配置文件挂载过去. cat grafana-configmap.yaml apiVersion: v1 kind: Conf ...

  6. LDAP落地实战(二):SVN集成OpenLDAP认证

    上一篇文章我们介绍了LDAP的部署以及管理维护,那么如何接入LDAP实现账号统一认证呢?这篇文章将带你完成svn的接入验证 subversion集成OpenLDAP认证 系统环境:debian8.4 ...

  7. Mantis集成 LDAP 认证

    mantis的用户认证函数Authentication中相关有 $g_login_method MD5 LDAP PLAIN CRYPT CRYPT_FULL_SALT BASIC_AUTH Some ...

  8. LDAP方式连接AD获取用户信息

    LDAP资料介绍可以参考:http://wenku.baidu.com/view/262742f9f705cc17552709f9.html ldap访问AD域的的错误一般会如下格式: Ldap lo ...

  9. python实现ldap接入

    需要提前安装python-ldap模块 python接入ldap其实分了几个步骤: 1.使用一个管理员账户登陆到ldap 2.使用一个字段值是唯一的字段,去搜索到要验证用户的DN值(ldap搜索到的单 ...

  10. JAVA中使用LDAP登录的三种方式

    搜索中关于java 登录ldap,大部分会采用  cn=xxx,ou=xxx,dc=xxx的方式,此处的cn是用户的Display Name,而不是account,而且如果ou有多层,比如我们的OU就 ...

随机推荐

  1. EntityFramework6 快速入门教程

    EntityFramework6 快速入门教程 不得不说EF在国内实在是太小众,相关的技术文章真实屈指可数,而且很多文章都很旧了,里面使用的版本跟如今的EF6差别还是比较大.我刚开始弄这个的时候真是绕 ...

  2. 如何用ZBrush快速雕刻LOL中的Lissandra

    话说<魔兽>还有1天就上映了,热爱这款游戏的你想必早已按耐不住了吧,别急,再耐心等一下.不过今天我们要讲的,不是魔兽,而是另一款很多人为 之疯狂的游戏—英雄联盟,也就是你们熟悉的LOL啦, ...

  3. PHP基本知识

    PHP是以一种嵌入在HTML代码中的脚本语言,它由服务器负责解释,可以用于管理动态内容.支持数据库.处理会话跟踪.甚至构建整个电子商务站点. PHP支持许多流行.非流行的数据库,包括MySQL.Pos ...

  4. Flash Builder 找不到所需的 Adobe Flash Player

    经测试该方法可用! http://bbs.9ria.com/thread-108472-1-1.html 最近重装了系统,flash开发工具也由flex换成了flash builder.调试时就出现了 ...

  5. C# 延迟处理类 Lazy

    using System; using System.Collections.Generic; using System.Linq; using System.Text; namespace Lazy ...

  6. &10 基本数据结构——指针和对象的实现,有根树的表示

    #1,指针和对象的实现 如果所用的语言或者环境不支持指针和对象,那我们该怎么用数组来将其转化呢?实质上可以将这个问题的本质转化为数组和链表这两种数据结构的转换,准确来说,是将链表表示的数据用数组表示. ...

  7. LINUX SSH显示中文乱码

    ssh登陆后,执行: export LANG=zh_CN.gb2312就可以显示中文了.编辑/etc/sysconfig/i18n 将LANG="zh_CN.UTF-8" 改为 L ...

  8. 北京联想招聘-IOS高级 加入qq 群:220486180 或者直接在此 留言咨询

    ios 高级开发 Job ID #: 47980 Position Title: 高级iOS development engineer Location: CHN-Beijing Functional ...

  9. 从0开始学Java——JSP&Servlet——如何部署web应用程序

    web容器要求应用程序部署时,需要像下面这样组织其目录结构: 手动去创建这样的目录结构还是挺麻烦的,所幸我们有开发工具,所以可以像下面这样来部署一个web项目. 1)确认程序代码已经完成: 2)在ec ...

  10. Jenkins进阶系列之——05FTP publisher plugin插件

    说明:这个插件可以将构建的产物(例如:Jar)发布到FTP中去. 官方说明:FTP publisher plugin 安装步骤: 系统管理→管理插件→可选插件→Artifact Uploaders→F ...