simple-LDAP-auth / ldap_auth.php

<?php
/**
 * simple class for LDAP authentification
 *
 Copyright (C) 2013 Petr Palas

This program is free software; you can redistribute it and/or
modify it under the terms of the GNU General Public License
as published by the Free Software Foundation; either version 2
of the License, or (at your option) any later version.

This program is distributed in the hope that it will be useful,
but WITHOUT ANY WARRANTY; without even the implied warranty of
MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the
GNU General Public License for more details.

You should have received a copy of the GNU General Public License
along with this program; if not, write to the Free Software
Foundation, Inc., 59 Temple Place - Suite 330, Boston, MA  02111-1307, USA.
 * inspired by http://samjlevy.com/2010/09/php-login-script-using-ldap-verify-group-membership/
 */ 

namespace LDAP;

use Exception;

class auth {
    /**
     * url or ip of ldap server
     * @var type string
     */
    protected $ldap_host;
    /**
     * active directory DN
     * @var type string
     */
    protected $ldap_dn;
    /**
     * target user group
     * @var type string
     */
    protected $ldap_user_group;
    /**
     * manager group (shud contain users with management access)
     * @var type string
     */
    protected $ldap_manager_group;
    /**
     * contains email domain like "@somedomain.com"
     * @var type string
     */
    protected $ldap_usr_dom;

    /**
     * countains connection resource
     * @var type resource
     */
    protected $ldap;

    /**
     * contains status text
     * if exeption is thrown msg contains this string
     * @var type string
     */
    public $status;
    /**
     * contains result array if ldap_search is succesfull
     * @var type array
     */
    public $result;
    /**
     * contains auth state 0=unathrized 1=authorized
     * @var type int
     */
    public $auth=0;
    /**
     * contains access level 0=none or unathorized 1=user 2=managment acc
     * @var type int
     */
    public $access=0;

    /**
     * contains username after user init
     * @var type string
     */
    public $user;

    /**
     * contain user password after user init
     * @var type string
     */
    protected $password;

    /**
     * Exeptions code constants
     */
    const ERROR_WRONG_USER_GROUP=2;
    const ERROR_CANT_AUTH=1;
    const ERROR_CANT_SEARCH=3;
    const ERROR_IMG_DECODE=4;
    const ERROR_CANT_CONNECT=5;

    /**
     * loads passed configuration in case of the ldap_usr_dom it makes sure that this strings begins with '@'
     * @param type $ldap_host
     * @param type $ldap_dn
     * @param type $ldap_user_group
     * @param type $ldap_manager_group
     * @param type $ldap_usr_dom
     */
    function __construct($ldap_host,$ldap_dn,$ldap_user_group,$ldap_manager_group,$ldap_usr_dom) {
        $this->ldap_host=$ldap_host;
        $this->ldap_dn=$ldap_dn;
        $this->ldap_user_group=$ldap_user_group;
        $this->ldap_manager_group=$ldap_manager_group;
        $this->ldap_usr_dom=  '@'.trim($ldap_usr_dom,'@');
    }

    /**
     * well destructor :P
     * just in case there is opened connection to LDAP while destructing this class
     */
    public function __destruct() {
        @ldap_unbind($this->ldap);
    }

    /**
     * dumps result array for debug enclosed in pre tag
     * Wont terminate script!
     */
    public function dump_resut() {
        echo '<pre>';
        print_r($this->result,FALSE);
        echo '</pre>';
    }

    /**
     * Inits connection to LDAP server throws exeption on failure
     * @return boolean
     * @throws Exception
     */
    protected function init_connection(){
        $this->ldap=ldap_connect($this->ldap_host,3268);
        if($this->ldap){
            $this->status='connected :)';
            ldap_set_option($this->ldap, LDAP_OPT_PROTOCOL_VERSION,3);
            ldap_set_option($this->ldap, LDAP_OPT_REFERRALS,0);
        }
        else {
            //TODO: PHP actualy dont check if there is LDAP present on the other end nor it will fail if target host is unreachable. So I need some work around that :(
            $this->status='Cant connect to LDAP';
            throw new Exception($this->status,  self::ERROR_CANT_CONNECT);
        }
        return TRUE;
    }

    public function userInit($user,$password) {
        $this->user=$user;
        $this->password=$password;

        return TRUE;
    }

    /**
     * Converts Binary string (like thumbnail from LDAP to base64 datastring for display
     * @param type $file
     * @param type $mime
     * @return type base64 datastring
     */
    protected function data_uri($file, $mime) {
      $base64   = base64_encode($file);
      return ('data:' . $mime . ';base64,' . $base64);
    }

    /**
     * Gets LDAP thumbnail img
     * @param type $user
     * @param type $password
     * @param type $raw if TRUE method will return raw binary string instead of base64 encoded with mime
     * @return type base64 datatring of the thumbnail
     * @throws Exception
     */
    public function getLDAPimg($user=null,$password=null,$raw=FALSE) {
        $this->refreshCredentials($user, $password);
        //since conection is one off we need to get it
        $this->init_connection();

        $bind = @ldap_bind($this->ldap, $user . $this->ldap_usr_dom, $password);//ldap_bind($this->ldap, $this->ldap_dn, $password);

        if($bind){
            $filter = "(sAMAccountName=" . $user . ")";
            $attr = array("thumbnailphoto");
            $result = @ldap_search($this->ldap, $this->ldap_dn, $filter, $attr);
            if($result==FALSE){
                throw new Exception("Unable to search LDAP server. Reason: ".  ldap_error($this->ldap),  self::ERROR_CANT_SEARCH);
            }
            $entry= ldap_first_entry($this->ldap, $result);

            if ($entry) {
                $info = @ldap_get_values_len($this->ldap, $entry, "thumbnailphoto");
                if(!$info){
                   throw new Exception("Unable to decode thumbnail. Error: ".  ldap_error($this->ldap),  self::ERROR_IMG_DECODE);
                }
                //echo '<img src="'.$this->data_uri($info[0], 'image/png').'">';
            }

            if(!$raw){
                return $this->data_uri($info[0], 'image/png');
            }
            else{
                return $info[0];
            }
        }
        else {
            // invalid name or password
            $this->status='Cant authenticate for search on LDAP';
            throw new Exception($this->status.' '.  ldap_error($this->ldap), self::ERROR_CANT_AUTH);
        }
        ldap_unbind($this->ldap);
    }

    /**
     * Tries to authenticate suplied user with suplied pass
     * @param type $user
     * @param type $password
     * @return boolean
     * @throws Exception
     */
    public function authenticate($user=null, $password=null) {
       $this->refreshCredentials($user, $password);
        //since conection is one off we need to get it
        $this->init_connection();

        // verify user and password
        $bind = @ldap_bind($this->ldap, $user . $this->ldap_usr_dom, $password);

        if($bind) {
            // valid
            // check presence in groups
            $filter = "(sAMAccountName=" . $user . ")";
            $attr = array("memberof");
            $result = @ldap_search($this->ldap, $this->ldap_dn, $filter, $attr);
            if($result==FALSE){
                 throw new Exception("Unable to search LDAP server. Reason: ".  ldap_error($this->ldap),  self::ERROR_CANT_SEARCH);
            }
            $entries = ldap_get_entries($this->ldap, $result);

            //save result for future use
            $this->result=$entries;

            $access = 0;

            // check groups
            foreach($entries[0]['memberof'] as $grps) {
                // is manager, break loop
                if (strpos($grps, $this->ldap_manager_group)) { $access = 2; break; }

                // is user
                if (strpos($grps, $this->ldap_user_group)) $access = 1;
            }

            if ($access != 0) {
                // establish result vars

                $this->status='Authenticated';
                $this->access=$access;
                $this->user= $user;
                $this->auth=1;
                return true;
            } else {
                // user has no rights
                $this->access=$access;
                $this->user= $user;
                $this->auth=1;
                $this->status='User exists but not part of the target group';
                throw new Exception($this->status.' '.  ldap_error($this->ldap),  self::ERROR_WRONG_USER_GROUP);
            }

        } else {
            // invalid name or password
            $this->status='Cant authenticate for search on LDAP';
            throw new Exception($this->status.' '.  ldap_error($this->ldap),  self::ERROR_CANT_AUTH);
        }
        ldap_unbind($this->ldap);
    }

    /**
     * Saves new credentials if we got new or sets the old ones into referenced vars
     * @param type $user Reference to var that shuld contain username or null
     * @param type $password Reference to var that shuld contain password or null
     */
    private function refreshCredentials(&$user,&$password) {
        $newCredentials=TRUE;
        //since we cant set those in param def
        if($password===null){$password=  $this->password;$newCredentials=FALSE;}
        if($user===null){$user=  $this->user;$newCredentials=FALSE;}
        //store user pass and name for future use
        if($newCredentials){$this->userInit($user, $password);}
    }

}