<?php

 /**

  * simple class for LDAP authentification

  *

  Copyright (C) 2013 Petr Palas

 This program is free software; you can redistribute it and/or

 modify it under the terms of the GNU General Public License

 as published by the Free Software Foundation; either version 2

 of the License, or (at your option) any later version.

 This program is distributed in the hope that it will be useful,

 but WITHOUT ANY WARRANTY; without even the implied warranty of

 MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the

 GNU General Public License for more details.

 You should have received a copy of the GNU General Public License

 along with this program; if not, write to the Free Software

 Foundation, Inc., 59 Temple Place - Suite 330, Boston, MA  02111-1307, USA.

  * inspired by http://samjlevy.com/2010/09/php-login-script-using-ldap-verify-group-membership/

  */ 

 namespace LDAP;

 use Exception;

 class auth {

     /**

      * url or ip of ldap server

      * @var type string

      */

     protected $ldap_host;

     /**

      * active directory DN

      * @var type string

      */

     protected $ldap_dn;

     /**

      * target user group

      * @var type string

      */

     protected $ldap_user_group;

     /**

      * manager group (shud contain users with management access)

      * @var type string

      */

     protected $ldap_manager_group;

     /**

      * contains email domain like "@somedomain.com"

      * @var type string

      */

     protected $ldap_usr_dom;

     /**

      * countains connection resource

      * @var type resource

      */

     protected $ldap;

     /**

      * contains status text

      * if exeption is thrown msg contains this string

      * @var type string

      */

     public $status;

     /**

      * contains result array if ldap_search is succesfull

      * @var type array

      */

     public $result;

     /**

      * contains auth state 0=unathrized 1=authorized

      * @var type int

      */

     public $auth=0;

     /**

      * contains access level 0=none or unathorized 1=user 2=managment acc

      * @var type int

      */

     public $access=0;

     /**

      * contains username after user init

      * @var type string

      */

     public $user;

     /**

      * contain user password after user init

      * @var type string

      */

     protected $password;

     /**

      * Exeptions code constants

      */

     const ERROR_WRONG_USER_GROUP=2;

     const ERROR_CANT_AUTH=1;

     const ERROR_CANT_SEARCH=3;

     const ERROR_IMG_DECODE=4;

     const ERROR_CANT_CONNECT=5;

     /**

      * loads passed configuration in case of the ldap_usr_dom it makes sure that this strings begins with '@'

      * @param type $ldap_host

      * @param type $ldap_dn

      * @param type $ldap_user_group

      * @param type $ldap_manager_group

      * @param type $ldap_usr_dom

      */

     function __construct($ldap_host,$ldap_dn,$ldap_user_group,$ldap_manager_group,$ldap_usr_dom) {

         $this->ldap_host=$ldap_host;

         $this->ldap_dn=$ldap_dn;

         $this->ldap_user_group=$ldap_user_group;

         $this->ldap_manager_group=$ldap_manager_group;

         $this->ldap_usr_dom=  '@'.trim($ldap_usr_dom,'@');

     }

     /**

      * well destructor :P

      * just in case there is opened connection to LDAP while destructing this class

      */

     public function __destruct() {

         @ldap_unbind($this->ldap);

     }

     /**

      * dumps result array for debug enclosed in pre tag

      * Wont terminate script!

      */

     public function dump_resut() {

         echo '<pre>';

         print_r($this->result,FALSE);

         echo '</pre>';

     }

     /**

      * Inits connection to LDAP server throws exeption on failure

      * @return boolean

      * @throws Exception

      */

     protected function init_connection(){

         $this->ldap=ldap_connect($this->ldap_host,3268);

         if($this->ldap){

             $this->status='connected :)';

             ldap_set_option($this->ldap, LDAP_OPT_PROTOCOL_VERSION,3);

             ldap_set_option($this->ldap, LDAP_OPT_REFERRALS,0);

         }

         else {

             //TODO: PHP actualy dont check if there is LDAP present on the other end nor it will fail if target host is unreachable. So I need some work around that :(

             $this->status='Cant connect to LDAP';

             throw new Exception($this->status,  self::ERROR_CANT_CONNECT);

         }

         return TRUE;

     }

     public function userInit($user,$password) {

         $this->user=$user;

         $this->password=$password;

         return TRUE;

     }

     /**

      * Converts Binary string (like thumbnail from LDAP to base64 datastring for display

      * @param type $file

      * @param type $mime

      * @return type base64 datastring

      */

     protected function data_uri($file, $mime) {

       $base64   = base64_encode($file);

       return ('data:' . $mime . ';base64,' . $base64);

     }

     /**

      * Gets LDAP thumbnail img

      * @param type $user

      * @param type $password

      * @param type $raw if TRUE method will return raw binary string instead of base64 encoded with mime

      * @return type base64 datatring of the thumbnail

      * @throws Exception

      */

     public function getLDAPimg($user=null,$password=null,$raw=FALSE) {

         $this->refreshCredentials($user, $password);

         //since conection is one off we need to get it

         $this->init_connection();

         $bind = @ldap_bind($this->ldap, $user . $this->ldap_usr_dom, $password);//ldap_bind($this->ldap, $this->ldap_dn, $password);

         if($bind){

             $filter = "(sAMAccountName=" . $user . ")";

             $attr = array("thumbnailphoto");

             $result = @ldap_search($this->ldap, $this->ldap_dn, $filter, $attr);

             if($result==FALSE){

                 throw new Exception("Unable to search LDAP server. Reason: ".  ldap_error($this->ldap),  self::ERROR_CANT_SEARCH);

             }

             $entry= ldap_first_entry($this->ldap, $result);

             if ($entry) {

                 $info = @ldap_get_values_len($this->ldap, $entry, "thumbnailphoto");

                 if(!$info){

                    throw new Exception("Unable to decode thumbnail. Error: ".  ldap_error($this->ldap),  self::ERROR_IMG_DECODE);

                 }

                 //echo '<img src="'.$this->data_uri($info[0], 'image/png').'">';

             }

             if(!$raw){

                 return $this->data_uri($info[0], 'image/png');

             }

             else{

                 return $info[0];

             }

         }

         else {

             // invalid name or password

             $this->status='Cant authenticate for search on LDAP';

             throw new Exception($this->status.' '.  ldap_error($this->ldap), self::ERROR_CANT_AUTH);

         }

         ldap_unbind($this->ldap);

     }

     /**

      * Tries to authenticate suplied user with suplied pass

      * @param type $user

      * @param type $password

      * @return boolean

      * @throws Exception

      */

     public function authenticate($user=null, $password=null) {

        $this->refreshCredentials($user, $password);

         //since conection is one off we need to get it

         $this->init_connection();

         // verify user and password

         $bind = @ldap_bind($this->ldap, $user . $this->ldap_usr_dom, $password);

         if($bind) {

             // valid

             // check presence in groups

             $filter = "(sAMAccountName=" . $user . ")";

             $attr = array("memberof");

             $result = @ldap_search($this->ldap, $this->ldap_dn, $filter, $attr);

             if($result==FALSE){

                  throw new Exception("Unable to search LDAP server. Reason: ".  ldap_error($this->ldap),  self::ERROR_CANT_SEARCH);

             }

             $entries = ldap_get_entries($this->ldap, $result);

             //save result for future use

             $this->result=$entries;

             $access = 0;

             // check groups

             foreach($entries[0]['memberof'] as $grps) {

                 // is manager, break loop

                 if (strpos($grps, $this->ldap_manager_group)) { $access = 2; break; }

                 // is user

                 if (strpos($grps, $this->ldap_user_group)) $access = 1;

             }

             if ($access != 0) {

                 // establish result vars

                 $this->status='Authenticated';

                 $this->access=$access;

                 $this->user= $user;

                 $this->auth=1;

                 return true;

             } else {

                 // user has no rights

                 $this->access=$access;

                 $this->user= $user;

                 $this->auth=1;

                 $this->status='User exists but not part of the target group';

                 throw new Exception($this->status.' '.  ldap_error($this->ldap),  self::ERROR_WRONG_USER_GROUP);

             }

         } else {

             // invalid name or password

             $this->status='Cant authenticate for search on LDAP';

             throw new Exception($this->status.' '.  ldap_error($this->ldap),  self::ERROR_CANT_AUTH);

         }

         ldap_unbind($this->ldap);

     }

     /**

      * Saves new credentials if we got new or sets the old ones into referenced vars

      * @param type $user Reference to var that shuld contain username or null

      * @param type $password Reference to var that shuld contain password or null

      */

     private function refreshCredentials(&$user,&$password) {

         $newCredentials=TRUE;

         //since we cant set those in param def

         if($password===null){$password=  $this->password;$newCredentials=FALSE;}

         if($user===null){$user=  $this->user;$newCredentials=FALSE;}

         //store user pass and name for future use

         if($newCredentials){$this->userInit($user, $password);}

     }

 }

simple-LDAP-auth的更多相关文章

  1. opennebula extend(expending) auth module ldap

    LDAP Authentication addon permits users to have the same credentials as in LDAP, so effectively cent ...

  2. LDAP Authentication for openNebula3.2

    LDAP Authentication 3.2 The LDAP Authentication addon permits users to have the same credentials as ...

  3. 《Linux菜鸟入门2》Ldap

    ldap网络帐号1.ldap是什么ldap目录服务认证,和windows活动目录类似,就是记录数据的一种方式 2.ldap客户端所需软件yum install sssd krb-workstation ...

  4. ldap集成grafana

    grafana版本: 5.0.3 grafana通过k8s方式安装,所以需将配置文件挂载过去. cat grafana-configmap.yaml apiVersion: v1 kind: Conf ...

  5. LDAP落地实战(二):SVN集成OpenLDAP认证

    上一篇文章我们介绍了LDAP的部署以及管理维护,那么如何接入LDAP实现账号统一认证呢?这篇文章将带你完成svn的接入验证 subversion集成OpenLDAP认证 系统环境:debian8.4 ...

  6. Mantis集成 LDAP 认证

    mantis的用户认证函数Authentication中相关有 $g_login_method MD5 LDAP PLAIN CRYPT CRYPT_FULL_SALT BASIC_AUTH Some ...

  7. LDAP方式连接AD获取用户信息

    LDAP资料介绍可以参考:http://wenku.baidu.com/view/262742f9f705cc17552709f9.html ldap访问AD域的的错误一般会如下格式: Ldap lo ...

  8. python实现ldap接入

    需要提前安装python-ldap模块 python接入ldap其实分了几个步骤: 1.使用一个管理员账户登陆到ldap 2.使用一个字段值是唯一的字段,去搜索到要验证用户的DN值(ldap搜索到的单 ...

  9. JAVA中使用LDAP登录的三种方式

    搜索中关于java 登录ldap,大部分会采用  cn=xxx,ou=xxx,dc=xxx的方式,此处的cn是用户的Display Name,而不是account,而且如果ou有多层,比如我们的OU就 ...

  10. linux 利用LDAP身份集中认证

    碰巧所在的公司用到了ldap 集中身份认证,所有打算研究下这套架构,但是看遍了网络上的很多教程,要么不完整,要么就是照着根本弄不出来,十月一研究了三天,结合八方资源终于弄出来了,真是不容易,哎,特此记 ...

随机推荐

  1. css中元素居中总结

    很多时候,我们需要让元素居中显示:1. 一段文本的水平居中,2. 一张图片的水平居中,3. 一个块级元素的水平居中:4. 单行文本的竖直居中,5. 不确定高度的一段文本竖直居中,6. 确定高度的块级元 ...

  2. ASP.NET URL伪静态重写实现方法

    ASP.NET URL伪静态重写实现方法 首先说下,ASP.NET URL伪静态只是将~/a_1.html指向到了~/a.aspx?ID=1,但a.aspx还是真实存在的,你不用./a_1.html来 ...

  3. select2取值报错,Failed to read the 'selectionDirection' property from 'HTMLInputElement': The input element's type ('hidden') does not support selection.

    用到了 select2 组件来多选收件人,用搜狗浏览器(6.2版高速模式)在执行到如下这句时报错(Uncaught InvalidStateError: Failed to read the 'sel ...

  4. 第20章 DLL高级技术(2)

    20.3 延迟载入DLL 20.3.1延迟载入的目的 (1)如果应用程序使用了多个DLL,那么它的初始化可能比慢,因为加载程序要将所有必需的DLL映射到进程的地址空间.→利用延迟加载可将载入过程延伸到 ...

  5. [Unity2D]2D Mobile Joystick

    效果预览 操作步骤 1.下载素材 http://pan.bai du.com/s/1gdkQz8v 2.新建一个GUITexture(Joystick)及一个Sprite(Nyan)   3.添加背景 ...

  6. Jenkins学习六:修改Jenkins用户的密码

    很多时候在使用jenkins的时候忘记密码了,遇到这种情况,可以看看下面的讲解. Jenkins专有用户的数据存放在JENKINS_HOME/users目录.users目录的结构你一看就懂.users ...

  7. IO流的练习4 —— 键盘录入学生成绩信息,进行排序后存入文本中

    需求: 键盘录入5个学生信息(姓名,语文成绩,数学成绩,英语成绩),按照总分从高到低存入文本文件 分析: A:创建学生类 B:创建集合对象 TreeSet<Student> C:键盘录入学 ...

  8. linux下正向代理/反向代理/透明代理使用说明

    代理服务技术对于网站架构部署时非常重要的,一般实现代理技术的方式就是在服务器上安装代理服务软件,让其成为一个代理服务器,从而实现代理技术.常用的代理技术分为正向代理.反向代理和透明代理.以下就是针对这 ...

  9. 哎呀,发现自己不会用模块的方式用kprobe啊,弱爆了

    在内核外面编译模块,会报warning函数名undefined的错误,解决方法是把函数给export出来:EXPORT_SYMBOL 一直以来,用kprobe比较多的是kprobe event的用法, ...

  10. Install MySQL on Mac OS X——MAC安装MySQL

    很多关于如何安装MySQL的教程已经过时了,或者比必须的步骤复杂得多.这篇教程将展示如何安装MySQL,启动MySQL,以root用户进入MySQL,以及创建删除退出数据库. Step 1: 下载My ...