chamilo
/
chamilo-lms
mirror of https://github.com/chamilo/chamilo-lms/tree/1.11.x
2
0
Fork 0
Code Issues Projects Releases Wiki Activity
Chamilo is a learning management system focused on ease of use and accessibility
You can not select more than 25 topics Topics must start with a letter or number, can include dashes ('-') and can be up to 35 characters long.
54464 Commits
17 Branches
107 Tags
940 MiB
 
 
 
 
 
 
Tag: Branch: Tree: a528ca1375
Branches Tags
${ item.name }
Create tag ${ searchTerm }
Create branch ${ searchTerm }
from 'a528ca1375'
${ noResults }
chamilo-lms/main/auth/external_login/ldap.inc.php

522 lines
16 KiB
Raw Blame History

<?php
/* For licensing terms, see /license.txt */
/**
* This files is included by newUser.ldap.php and login.ldap.php
* It implements the functions nedded by both files.
* */
require_once __DIR__.'/../../inc/global.inc.php';
$debug = false;
/**
* Returns a transcoded and trimmed string.
*
* @param string
*
* @return string
*
* @author ndiechburg <noel@cblue.be>
* */
function extldap_purify_string($string)
{
global $extldap_config;
if (isset($extldap_config['encoding'])) {
return trim(api_to_system_encoding($string, $extldap_config['encoding']));
} else {
return trim($string);
}
}
/**
* Establishes a connection to the LDAP server and sets the protocol version.
*
* @return resource|bool ldap link identifier or false
*
* @author ndiechburg <noel@cblue.be>
* */
function extldap_connect()
{
global $extldap_config, $debug;
if (!is_array($extldap_config['host'])) {
$extldap_config['host'] = [$extldap_config['host']];
}
foreach ($extldap_config['host'] as $host) {
//Trying to connect
if (isset($extldap_config['port'])) {
$ds = ldap_connect($host, $extldap_config['port']);
} else {
$ds = ldap_connect($host);
}
if (!$ds) {
$port = isset($extldap_config['port']) ? $extldap_config['port'] : 389;
if ($debug) {
error_log(
'EXTLDAP ERROR : cannot connect to '.$extldap_config['host'].':'.$port
);
}
} else {
break;
}
}
if (!$ds) {
if ($debug) {
error_log('EXTLDAP ERROR : no valid server found');
}
return false;
}
// Setting protocol version
if (isset($extldap_config['protocol_version'])) {
if (!ldap_set_option($ds, LDAP_OPT_PROTOCOL_VERSION, $extldap_config['protocol_version'])) {
ldap_set_option($ds, LDAP_OPT_PROTOCOL_VERSION, 2);
}
}
// Setting protocol version
if (isset($extldap_config['referrals'])) {
if (!ldap_set_option($ds, LDAP_OPT_REFERRALS, $extldap_config['referrals'])) {
ldap_set_option($ds, LDAP_OPT_REFERRALS, $extldap_config['referrals']);
}
}
return $ds;
}
/**
* Authenticate user on external ldap server and return user ldap entry if that succeeds.
*
* @param string $password
*
* @return mixed false if user cannot authenticate on ldap, user ldap entry if tha succeeds
*
* @author ndiechburg <noel@cblue.be>
* Modified by hubert.borderiou@grenet.fr
* Add possibility to get user info from LDAP without check password (if CAS auth and LDAP profil update)
*
* */
function extldap_authenticate($username, $password, $in_auth_with_no_password = false)
{
global $extldap_config, $debug;
if (empty($username) || empty($password)) {
return false;
}
$ds = extldap_connect();
if (!$ds) {
return false;
}
// Connection as admin to search dn of user
if (api_get_configuration_value('ldap_encrypt_admin_password') {
$ldap_pass = api_decrypt_ldap_password($extldap_config['admin_password']);
} else {
$ldap_pass = $extldap_config['admin_password'];
}
$ldapbind = @ldap_bind($ds, $extldap_config['admin_dn'], $ldap_pass);
if ($ldapbind === false) {
if ($debug) {
error_log(
'EXTLDAP ERROR : cannot connect with admin login/password'
);
}
return false;
}
$user_search = extldap_get_user_search_string($username);
// Search distinguish name of user
$sr = ldap_search($ds, $extldap_config['base_dn'], $user_search);
if (!$sr) {
if ($debug) {
error_log(
'EXTLDAP ERROR : ldap_search('.$ds.', '.$extldap_config['base_dn'].", $user_search) failed"
);
}
return false;
}
$entries_count = ldap_count_entries($ds, $sr);
if ($entries_count > 1) {
if ($debug) {
error_log(
'EXTLDAP ERROR : more than one entry for that user ( ldap_search(ds, '.$extldap_config['base_dn'].", $user_search) )"
);
}
return false;
}
if ($entries_count < 1) {
if ($debug) {
error_log(
'EXTLDAP ERROR : No entry for that user ( ldap_search(ds, '.$extldap_config['base_dn'].", $user_search) )"
);
}
return false;
}
$users = ldap_get_entries($ds, $sr);
$user = $users[0];
// If we just want to have user info from LDAP and not to check password
if ($in_auth_with_no_password) {
return $user;
}
// now we try to autenthicate the user in the ldap
$ubind = @ldap_bind($ds, $user['dn'], $password);
if ($ubind !== false) {
return $user;
} else {
if ($debug) {
error_log('EXTLDAP : Wrong password for '.$user['dn']);
}
return false;
}
}
/**
* Return an array with userinfo compatible with chamilo using $extldap_user_correspondance
* configuration array declared in ldap.conf.php file.
*
* @param array ldap user
* @param array correspondance array (if not set use extldap_user_correspondance declared in auth.conf.php
*
* @return array userinfo array
*
* @author ndiechburg <noel@cblue.be>
* */
function extldap_get_chamilo_user($ldap_user, $cor = null)
{
global $extldap_user_correspondance, $debug;
if (is_null($cor)) {
$cor = $extldap_user_correspondance;
}
$chamilo_user = [];
foreach ($cor as $chamilo_field => $ldap_field) {
if (is_array($ldap_field)) {
$chamilo_user[$chamilo_field] = extldap_get_chamilo_user($ldap_user, $ldap_field);
continue;
}
switch ($ldap_field) {
case 'func':
$func = "extldap_get_$chamilo_field";
if (function_exists($func)) {
$chamilo_user[$chamilo_field] = extldap_purify_string($func($ldap_user));
} else {
if ($debug) {
error_log(
"EXTLDAP WARNING : You forgot to declare $func"
);
}
}
break;
default:
//if string begins with "!", then this is a constant
if ($ldap_field[0] === '!') {
$chamilo_user[$chamilo_field] = trim($ldap_field, "!\t\n\r\0");
break;
}
if (!array_key_exists($ldap_field, $ldap_user)) {
$lowerCaseFieldName = strtolower($ldap_field);
if (array_key_exists($lowerCaseFieldName, $ldap_user)) {
$ldap_field = $lowerCaseFieldName;
}
}
if (isset($ldap_user[$ldap_field][0])) {
$chamilo_user[$chamilo_field] = extldap_purify_string($ldap_user[$ldap_field][0]);
} else {
if ($debug) {
error_log(
'EXTLDAP WARNING : '.$ldap_field.'[0] field is not set in ldap array'
);
}
}
break;
}
}
return $chamilo_user;
}
/**
* Please declare here all the function you use in extldap_user_correspondance
* All these functions must have an $ldap_user parameter. This parameter is the
* array returned by the ldap for the user.
* */
function extldap_get_status($ldap_user)
{
return STUDENT;
}
function extldap_get_admin($ldap_user)
{
return false;
}
/**
* return the string used to search a user in ldap.
*
* @param string username
*
* @return string the serach string
*
* @author ndiechburg <noel@cblue.be>
* */
function extldap_get_user_search_string($username)
{
global $extldap_config;
// init
$filter = '('.$extldap_config['user_search'].')';
// replacing %username% by the actual username
$filter = str_replace('%username%', $username, $filter);
// append a global filter if needed
if (isset($extldap_config['filter']) && $extldap_config['filter'] != "") {
$filter = '(&'.$filter.'('.$extldap_config['filter'].'))';
}
return $filter;
}
/**
* Imports all LDAP users into Chamilo.
*
* @return false|null false on error, true otherwise
*/
function extldap_import_all_users()
{
global $extldap_config, $debug;
//echo "Connecting...\n";
$ds = extldap_connect();
if (!$ds) {
return false;
}
//echo "Binding...\n";
$ldapbind = false;
//Connection as admin to search dn of user
if (api_get_configuration_value('ldap_encrypt_admin_password') {
$ldap_pass = api_decrypt_ldap_password($extldap_config['admin_password']);
} else {
$ldap_pass = $extldap_config['admin_password'];
}
$ldapbind = @ldap_bind($ds, $extldap_config['admin_dn'], $ldap_pass);
if ($ldapbind === false) {
if ($debug) {
error_log(
'EXTLDAP ERROR : cannot connect with admin login/password'
);
}
return false;
}
//browse ASCII values from a to z to avoid 1000 results limit of LDAP
$count = 0;
$alphanum = ['0', '1', '2', '3', '4', '5', '6', '7', '8', '9'];
for ($a = 97; $a <= 122; $a++) {
$alphanum[] = chr($a);
}
foreach ($alphanum as $char1) {
foreach ($alphanum as $char2) {
$user_search = $extldap_config['user_search_import_all_users'];
//Search distinguish name of user
$sr = ldap_search($ds, $extldap_config['base_dn'], $user_search);
if (!$sr) {
if ($debug) {
error_log(
'EXTLDAP ERROR : ldap_search('.$ds.', '.$extldap_config['base_dn'].", $user_search) failed"
);
}
return false;
}
//echo "Getting entries\n";
$users = ldap_get_entries($ds, $sr);
//echo "Entries: ".$users['count']."\n";
for ($key = 0; $key < $users['count']; $key++) {
$user_id = extldap_add_user_by_array($users[$key], true);
$count++;
}
}
}
//echo "Found $count users in total\n";
@ldap_close($ds);
}
/**
* Insert users from an array of user fields.
*/
function extldap_add_user_by_array($data, $update_if_exists = true)
{
global $extldap_user_correspondance;
$lastname = api_convert_encoding($data[$extldap_user_correspondance['lastname']][0], api_get_system_encoding(), 'UTF-8');
$firstname = api_convert_encoding($data[$extldap_user_correspondance['firstname']][0], api_get_system_encoding(), 'UTF-8');
$email = $data[$extldap_user_correspondance['email']][0];
$username = $data[$extldap_user_correspondance['username']][0];
// TODO the password, if encrypted at the source, will be encrypted twice, which makes it useless. Try to fix that.
$passwordKey = isset($extldap_user_correspondance['password']) ? $extldap_user_correspondance['password'] : 'userPassword';
$password = $data[$passwordKey][0];
// To ease management, we add the step-year (etape-annee) code
//$official_code = $etape."-".$annee;
$official_code = api_convert_encoding($data[$extldap_user_correspondance['official_code']][0], api_get_system_encoding(), 'UTF-8');
$auth_source = 'ldap';
// No expiration date for students (recover from LDAP's shadow expiry)
$expiration_date = '';
$active = 1;
$status = 5;
$phone = '';
$picture_uri = '';
// Adding user
$user_id = 0;
if (UserManager::is_username_available($username)) {
//echo "$username\n";
$user_id = UserManager::create_user(
$firstname,
$lastname,
$status,
$email,
$username,
$password,
$official_code,
api_get_setting('platformLanguage'),
$phone,
$picture_uri,
$auth_source,
$expiration_date,
$active
);
} else {
if ($update_if_exists) {
$user = api_get_user_info($username);
$user_id = $user['user_id'];
//echo "$username\n";
UserManager::update_user(
$user_id,
$firstname,
$lastname,
$username,
null,
null,
$email,
$status,
$official_code,
$phone,
$picture_uri,
$expiration_date,
$active
);
}
}
return $user_id;
}
/**
* Get one user's single attribute value.
* User is identified by filter.
* $extldap_config['filter'] is also applied in complement, if defined.
*
* @param $filter string LDAP entry filter, such as '(uid=10000)'
* @param $attribute string name of the LDAP attribute to read the value from
*
* @throws Exception if more than one entries matched or on internal error
*
* @return string|bool the single matching user entry's single attribute value or false if not found
*/
function extldapGetUserAttributeValue($filter, $attribute)
{
global $extldap_config;
if (array_key_exists('filter', $extldap_config) && !empty($extldap_config['filter'])) {
$filter = '(&'.$filter.'('.$extldap_config['filter'].'))';
}
$ldap = extldap_connect();
if (false === $ldap) {
throw new Exception(get_lang('LDAPConnectFailed'));
}
if (api_get_configuration_value('ldap_encrypt_admin_password') {
$ldap_pass = api_decrypt_ldap_password($extldap_config['admin_password']);
} else {
$ldap_pass = $extldap_config['admin_password'];
}
if (false === ldap_bind($ldap, $extldap_config['admin_dn'], $ldap_pass)) {
throw new Exception(get_lang('LDAPBindFailed'));
}
$searchResult = ldap_search($ldap, $extldap_config['base_dn'], $filter, [$attribute]);
if (false === $searchResult) {
throw new Exception(get_lang('LDAPSearchFailed'));
}
switch (ldap_count_entries($ldap, $searchResult)) {
case 0:
return false;
case 1:
$entry = ldap_first_entry($ldap, $searchResult);
if (false === $entry) {
throw new Exception(get_lang('LDAPFirstEntryFailed'));
}
$values = ldap_get_values($ldap, $entry, $attribute);
if (false == $values) {
throw new Exception(get_lang('LDAPGetValuesFailed'));
}
if ($values['count'] == 1) {
return $values[0];
}
throw new Exception(get_lang('MoreThanOneAttributeValueFound'));
default:
throw new Exception(get_lang('MoreThanOneUserMatched'));
}
}
/**
* Get the username from the CAS-supplied user identifier.
*
* searches in attribute $extldap_user_correspondance['extra']['cas_user'] or 'uid' by default
* reads value from attribute $extldap_user_correspondance['username'] or 'uid' by default
*
* @param $casUser string code returned from the CAS server to identify the user
*
* @throws Exception on error
*
* @return string|bool user login name, false if not found
*/
function extldapCasUserLogin($casUser)
{
global $extldap_user_correspondance;
// which LDAP attribute is the cas user identifier stored in ?
$attributeToFilterOn = 'uid';
if (is_array($extldap_user_correspondance) && array_key_exists('extra', $extldap_user_correspondance)) {
$extra = $extldap_user_correspondance['extra'];
if (is_array($extra) && array_key_exists('cas_user', $extra) && !empty($extra['cas_user'])) {
$attributeToFilterOn = $extra['cas_user'];
}
}
// which LDAP attribute is the username ?
$attributeToRead = 'uid';
if (is_array($extldap_user_correspondance)
&& array_key_exists('username', $extldap_user_correspondance)
&& !empty($extldap_user_correspondance['username'])
) {
$attributeToRead = $extldap_user_correspondance['username'];
}
// return the value
return extldapGetUserAttributeValue("($attributeToFilterOn=$casUser)", $attributeToRead);
}