ataxya/dockerwiki
1
0
Fork 0
Code Issues Pull Requests Actions Packages Projects Releases Wiki Activity

Initial commit

Browse Source
This commit is contained in:
Ataxya
2021-10-26 13:02:53 +02:00
commit 73843b66ce
4678 changed files with 319494 additions and 0 deletions
Download Patch File Download Diff File Expand all files Collapse all files

153
content/lib/plugins/authad/adLDAP/classes/adLDAPComputers.php Normal file
View File

@@ -0,0 +1,153 @@
<?php
/**
* PHP LDAP CLASS FOR MANIPULATING ACTIVE DIRECTORY
* Version 4.0.4
*
* PHP Version 5 with SSL and LDAP support
*
* Written by Scott Barnett, Richard Hyland
* email: scott@wiggumworld.com, adldap@richardhyland.com
* http://adldap.sourceforge.net/
*
* Copyright (c) 2006-2012 Scott Barnett, Richard Hyland
*
* We'd appreciate any improvements or additions to be submitted back
* to benefit the entire community :)
*
* This library is free software; you can redistribute it and/or
* modify it under the terms of the GNU Lesser General Public
* License as published by the Free Software Foundation; either
* version 2.1 of the License.
*
* This library is distributed in the hope that it will be useful,
* but WITHOUT ANY WARRANTY; without even the implied warranty of
* MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU
* Lesser General Public License for more details.
*
* @category ToolsAndUtilities
* @package adLDAP
* @subpackage Computers
* @author Scott Barnett, Richard Hyland
* @copyright (c) 2006-2012 Scott Barnett, Richard Hyland
* @license http://www.gnu.org/licenses/old-licenses/lgpl-2.1.html LGPLv2.1
* @revision $Revision: 97 $
* @version 4.0.4
* @link http://adldap.sourceforge.net/
*/
require_once(dirname(__FILE__) . '/../adLDAP.php');
require_once(dirname(__FILE__) . '/../collections/adLDAPComputerCollection.php');
/**
* COMPUTER MANAGEMENT FUNCTIONS
*/
class adLDAPComputers {
/**
* The current adLDAP connection via dependency injection
*
* @var adLDAP
*/
protected $adldap;
public function __construct(adLDAP $adldap) {
$this->adldap = $adldap;
}
/**
* Get information about a specific computer. Returned in a raw array format from AD
*
* @param string $computerName The name of the computer
* @param array $fields Attributes to return
* @return array
*/
public function info($computerName, $fields = NULL)
{
if ($computerName === NULL) { return false; }
if (!$this->adldap->getLdapBind()) { return false; }
$filter = "(&(objectClass=computer)(cn=" . $computerName . "))";
if ($fields === NULL) {
$fields = array("memberof","cn","displayname","dnshostname","distinguishedname","objectcategory","operatingsystem","operatingsystemservicepack","operatingsystemversion");
}
$sr = ldap_search($this->adldap->getLdapConnection(), $this->adldap->getBaseDn(), $filter, $fields);
$entries = ldap_get_entries($this->adldap->getLdapConnection(), $sr);
return $entries;
}
/**
* Find information about the computers. Returned in a raw array format from AD
*
* @param string $computerName The name of the computer
* @param array $fields Array of parameters to query
* @return mixed
*/
public function infoCollection($computerName, $fields = NULL)
{
if ($computerName === NULL) { return false; }
if (!$this->adldap->getLdapBind()) { return false; }
$info = $this->info($computerName, $fields);
if ($info !== false) {
$collection = new adLDAPComputerCollection($info, $this->adldap);
return $collection;
}
return false;
}
/**
* Check if a computer is in a group
*
* @param string $computerName The name of the computer
* @param string $group The group to check
* @param bool $recursive Whether to check recursively
* @return array
*/
public function inGroup($computerName, $group, $recursive = NULL)
{
if ($computerName === NULL) { return false; }
if ($group === NULL) { return false; }
if (!$this->adldap->getLdapBind()) { return false; }
if ($recursive === NULL) { $recursive = $this->adldap->getRecursiveGroups(); } // use the default option if they haven't set it
//get a list of the groups
$groups = $this->groups($computerName, array("memberof"), $recursive);
//return true if the specified group is in the group list
if (in_array($group, $groups)){
return true;
}
return false;
}
/**
* Get the groups a computer is in
*
* @param string $computerName The name of the computer
* @param bool $recursive Whether to check recursively
* @return array
*/
public function groups($computerName, $recursive = NULL)
{
if ($computerName === NULL) { return false; }
if ($recursive === NULL) { $recursive = $this->adldap->getRecursiveGroups(); } //use the default option if they haven't set it
if (!$this->adldap->getLdapBind()){ return false; }
//search the directory for their information
$info = @$this->info($computerName, array("memberof", "primarygroupid"));
$groups = $this->adldap->utilities()->niceNames($info[0]["memberof"]); //presuming the entry returned is our guy (unique usernames)
if ($recursive === true) {
foreach ($groups as $id => $groupName){
$extraGroups = $this->adldap->group()->recursiveGroups($groupName);
$groups = array_merge($groups, $extraGroups);
}
}
return $groups;
}
}
?>

294
content/lib/plugins/authad/adLDAP/classes/adLDAPContacts.php Normal file
View File

@@ -0,0 +1,294 @@
<?php
/**
* PHP LDAP CLASS FOR MANIPULATING ACTIVE DIRECTORY
* Version 4.0.4
*
* PHP Version 5 with SSL and LDAP support
*
* Written by Scott Barnett, Richard Hyland
* email: scott@wiggumworld.com, adldap@richardhyland.com
* http://adldap.sourceforge.net/
*
* Copyright (c) 2006-2012 Scott Barnett, Richard Hyland
*
* We'd appreciate any improvements or additions to be submitted back
* to benefit the entire community :)
*
* This library is free software; you can redistribute it and/or
* modify it under the terms of the GNU Lesser General Public
* License as published by the Free Software Foundation; either
* version 2.1 of the License.
*
* This library is distributed in the hope that it will be useful,
* but WITHOUT ANY WARRANTY; without even the implied warranty of
* MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU
* Lesser General Public License for more details.
*
* @category ToolsAndUtilities
* @package adLDAP
* @subpackage Contacts
* @author Scott Barnett, Richard Hyland
* @copyright (c) 2006-2012 Scott Barnett, Richard Hyland
* @license http://www.gnu.org/licenses/old-licenses/lgpl-2.1.html LGPLv2.1
* @revision $Revision: 97 $
* @version 4.0.4
* @link http://adldap.sourceforge.net/
*/
require_once(dirname(__FILE__) . '/../adLDAP.php');
require_once(dirname(__FILE__) . '/../collections/adLDAPContactCollection.php');
class adLDAPContacts {
/**
* The current adLDAP connection via dependency injection
*
* @var adLDAP
*/
protected $adldap;
public function __construct(adLDAP $adldap) {
$this->adldap = $adldap;
}
//*****************************************************************************************************************
// CONTACT FUNCTIONS
// * Still work to do in this area, and new functions to write
/**
* Create a contact
*
* @param array $attributes The attributes to set to the contact
* @return bool
*/
public function create($attributes)
{
// Check for compulsory fields
if (!array_key_exists("display_name", $attributes)) { return "Missing compulsory field [display_name]"; }
if (!array_key_exists("email", $attributes)) { return "Missing compulsory field [email]"; }
if (!array_key_exists("container", $attributes)) { return "Missing compulsory field [container]"; }
if (!is_array($attributes["container"])) { return "Container attribute must be an array."; }
// Translate the schema
$add = $this->adldap->adldap_schema($attributes);
// Additional stuff only used for adding contacts
$add["cn"][0] = $attributes["display_name"];
$add["objectclass"][0] = "top";
$add["objectclass"][1] = "person";
$add["objectclass"][2] = "organizationalPerson";
$add["objectclass"][3] = "contact";
if (!isset($attributes['exchange_hidefromlists'])) {
$add["msExchHideFromAddressLists"][0] = "TRUE";
}
// Determine the container
$attributes["container"] = array_reverse($attributes["container"]);
$container= "OU=" . implode(",OU=", $attributes["container"]);
// Add the entry
$result = @ldap_add($this->adldap->getLdapConnection(), "CN=" . $this->adldap->utilities()->escapeCharacters($add["cn"][0]) . ", " . $container . "," . $this->adldap->getBaseDn(), $add);
if ($result != true) {
return false;
}
return true;
}
/**
* Determine the list of groups a contact is a member of
*
* @param string $distinguisedname The full DN of a contact
* @param bool $recursive Recursively check groups
* @return array
*/
public function groups($distinguishedName, $recursive = NULL)
{
if ($distinguishedName === NULL) { return false; }
if ($recursive === NULL) { $recursive = $this->adldap->getRecursiveGroups(); } //use the default option if they haven't set it
if (!$this->adldap->getLdapBind()){ return false; }
// Search the directory for their information
$info = @$this->info($distinguishedName, array("memberof", "primarygroupid"));
$groups = $this->adldap->utilities()->niceNames($info[0]["memberof"]); //presuming the entry returned is our contact
if ($recursive === true){
foreach ($groups as $id => $groupName){
$extraGroups = $this->adldap->group()->recursiveGroups($groupName);
$groups = array_merge($groups, $extraGroups);
}
}
return $groups;
}
/**
* Get contact information. Returned in a raw array format from AD
*
* @param string $distinguisedname The full DN of a contact
* @param array $fields Attributes to be returned
* @return array
*/
public function info($distinguishedName, $fields = NULL)
{
if ($distinguishedName === NULL) { return false; }
if (!$this->adldap->getLdapBind()) { return false; }
$filter = "distinguishedName=" . $distinguishedName;
if ($fields === NULL) {
$fields = array("distinguishedname", "mail", "memberof", "department", "displayname", "telephonenumber", "primarygroupid", "objectsid");
}
$sr = ldap_search($this->adldap->getLdapConnection(), $this->adldap->getBaseDn(), $filter, $fields);
$entries = ldap_get_entries($this->adldap->getLdapConnection(), $sr);
if ($entries[0]['count'] >= 1) {
// AD does not return the primary group in the ldap query, we may need to fudge it
if ($this->adldap->getRealPrimaryGroup() && isset($entries[0]["primarygroupid"][0]) && isset($entries[0]["primarygroupid"][0])){
//$entries[0]["memberof"][]=$this->group_cn($entries[0]["primarygroupid"][0]);
$entries[0]["memberof"][] = $this->adldap->group()->getPrimaryGroup($entries[0]["primarygroupid"][0], $entries[0]["objectsid"][0]);
} else {
$entries[0]["memberof"][] = "CN=Domain Users,CN=Users," . $this->adldap->getBaseDn();
}
}
$entries[0]["memberof"]["count"]++;
return $entries;
}
/**
* Find information about the contacts. Returned in a raw array format from AD
*
* @param string $distinguishedName The full DN of a contact
* @param array $fields Array of parameters to query
* @return mixed
*/
public function infoCollection($distinguishedName, $fields = NULL)
{
if ($distinguishedName === NULL) { return false; }
if (!$this->adldap->getLdapBind()) { return false; }
$info = $this->info($distinguishedName, $fields);
if ($info !== false) {
$collection = new adLDAPContactCollection($info, $this->adldap);
return $collection;
}
return false;
}
/**
* Determine if a contact is a member of a group
*
* @param string $distinguisedName The full DN of a contact
* @param string $group The group name to query
* @param bool $recursive Recursively check groups
* @return bool
*/
public function inGroup($distinguisedName, $group, $recursive = NULL)
{
if ($distinguisedName === NULL) { return false; }
if ($group === NULL) { return false; }
if (!$this->adldap->getLdapBind()) { return false; }
if ($recursive === NULL) { $recursive = $this->adldap->getRecursiveGroups(); } //use the default option if they haven't set it
// Get a list of the groups
$groups = $this->groups($distinguisedName, array("memberof"), $recursive);
// Return true if the specified group is in the group list
if (in_array($group, $groups)){
return true;
}
return false;
}
/**
* Modify a contact
*
* @param string $distinguishedName The contact to query
* @param array $attributes The attributes to modify. Note if you set the enabled attribute you must not specify any other attributes
* @return bool
*/
public function modify($distinguishedName, $attributes) {
if ($distinguishedName === NULL) { return "Missing compulsory field [distinguishedname]"; }
// Translate the update to the LDAP schema
$mod = $this->adldap->adldap_schema($attributes);
// Check to see if this is an enabled status update
if (!$mod) {
return false;
}
// Do the update
$result = ldap_modify($this->adldap->getLdapConnection(), $distinguishedName, $mod);
if ($result == false) {
return false;
}
return true;
}
/**
* Delete a contact
*
* @param string $distinguishedName The contact dn to delete (please be careful here!)
* @return array
*/
public function delete($distinguishedName)
{
$result = $this->folder()->delete($distinguishedName);
if ($result != true) {
return false;
}
return true;
}
/**
* Return a list of all contacts
*
* @param bool $includeDescription Include a description of a contact
* @param string $search The search parameters
* @param bool $sorted Whether to sort the results
* @return array
*/
public function all($includeDescription = false, $search = "*", $sorted = true) {
if (!$this->adldap->getLdapBind()) { return false; }
// Perform the search and grab all their details
$filter = "(&(objectClass=contact)(cn=" . $search . "))";
$fields = array("displayname","distinguishedname");
$sr = ldap_search($this->adldap->getLdapConnection(), $this->adldap->getBaseDn(), $filter, $fields);
$entries = ldap_get_entries($this->adldap->getLdapConnection(), $sr);
$usersArray = array();
for ($i=0; $i<$entries["count"]; $i++){
if ($includeDescription && strlen($entries[$i]["displayname"][0])>0){
$usersArray[$entries[$i]["distinguishedname"][0]] = $entries[$i]["displayname"][0];
} elseif ($includeDescription){
$usersArray[$entries[$i]["distinguishedname"][0]] = $entries[$i]["distinguishedname"][0];
} else {
array_push($usersArray, $entries[$i]["distinguishedname"][0]);
}
}
if ($sorted) {
asort($usersArray);
}
return $usersArray;
}
/**
* Mail enable a contact
* Allows email to be sent to them through Exchange
*
* @param string $distinguishedname The contact to mail enable
* @param string $emailaddress The email address to allow emails to be sent through
* @param string $mailnickname The mailnickname for the contact in Exchange. If NULL this will be set to the display name
* @return bool
*/
public function contactMailEnable($distinguishedName, $emailAddress, $mailNickname = NULL){
return $this->adldap->exchange()->contactMailEnable($distinguishedName, $emailAddress, $mailNickname);
}
}
?>

390
content/lib/plugins/authad/adLDAP/classes/adLDAPExchange.php Normal file
View File

@@ -0,0 +1,390 @@
<?php
/**
* PHP LDAP CLASS FOR MANIPULATING ACTIVE DIRECTORY
* Version 4.0.4
*
* PHP Version 5 with SSL and LDAP support
*
* Written by Scott Barnett, Richard Hyland
* email: scott@wiggumworld.com, adldap@richardhyland.com
* http://adldap.sourceforge.net/
*
* Copyright (c) 2006-2012 Scott Barnett, Richard Hyland
*
* We'd appreciate any improvements or additions to be submitted back
* to benefit the entire community :)
*
* This library is free software; you can redistribute it and/or
* modify it under the terms of the GNU Lesser General Public
* License as published by the Free Software Foundation; either
* version 2.1 of the License.
*
* This library is distributed in the hope that it will be useful,
* but WITHOUT ANY WARRANTY; without even the implied warranty of
* MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU
* Lesser General Public License for more details.
*
* @category ToolsAndUtilities
* @package adLDAP
* @subpackage Exchange
* @author Scott Barnett, Richard Hyland
* @copyright (c) 2006-2012 Scott Barnett, Richard Hyland
* @license http://www.gnu.org/licenses/old-licenses/lgpl-2.1.html LGPLv2.1
* @revision $Revision: 97 $
* @version 4.0.4
* @link http://adldap.sourceforge.net/
*/
require_once(dirname(__FILE__) . '/../adLDAP.php');
/**
* MICROSOFT EXCHANGE FUNCTIONS
*/
class adLDAPExchange {
/**
* The current adLDAP connection via dependency injection
*
* @var adLDAP
*/
protected $adldap;
public function __construct(adLDAP $adldap) {
$this->adldap = $adldap;
}
/**
* Create an Exchange account
*
* @param string $username The username of the user to add the Exchange account to
* @param array $storageGroup The mailbox, Exchange Storage Group, for the user account, this must be a full CN
* If the storage group has a different base_dn to the adLDAP configuration, set it using $base_dn
* @param string $emailAddress The primary email address to add to this user
* @param string $mailNickname The mail nick name. If mail nickname is blank, the username will be used
* @param bool $mdbUseDefaults Indicates whether the store should use the default quota, rather than the per-mailbox quota.
* @param string $baseDn Specify an alternative base_dn for the Exchange storage group
* @param bool $isGUID Is the username passed a GUID or a samAccountName
* @return bool
*/
public function createMailbox($username, $storageGroup, $emailAddress, $mailNickname=NULL, $useDefaults=TRUE, $baseDn=NULL, $isGUID=false)
{
if ($username === NULL){ return "Missing compulsory field [username]"; }
if ($storageGroup === NULL) { return "Missing compulsory array [storagegroup]"; }
if (!is_array($storageGroup)) { return "[storagegroup] must be an array"; }
if ($emailAddress === NULL) { return "Missing compulsory field [emailAddress]"; }
if ($baseDn === NULL) {
$baseDn = $this->adldap->getBaseDn();
}
$container = "CN=" . implode(",CN=", $storageGroup);
if ($mailNickname === NULL) {
$mailNickname = $username;
}
$mdbUseDefaults = $this->adldap->utilities()->boolToString($useDefaults);
$attributes = array(
'exchange_homemdb'=>$container.",".$baseDn,
'exchange_proxyaddress'=>'SMTP:' . $emailAddress,
'exchange_mailnickname'=>$mailNickname,
'exchange_usedefaults'=>$mdbUseDefaults
);
$result = $this->adldap->user()->modify($username, $attributes, $isGUID);
if ($result == false) {
return false;
}
return true;
}
/**
* Add an X400 address to Exchange
* See http://tools.ietf.org/html/rfc1685 for more information.
* An X400 Address looks similar to this X400:c=US;a= ;p=Domain;o=Organization;s=Doe;g=John;
*
* @param string $username The username of the user to add the X400 to to
* @param string $country Country
* @param string $admd Administration Management Domain
* @param string $pdmd Private Management Domain (often your AD domain)
* @param string $org Organization
* @param string $surname Surname
* @param string $givenName Given name
* @param bool $isGUID Is the username passed a GUID or a samAccountName
* @return bool
*/
public function addX400($username, $country, $admd, $pdmd, $org, $surname, $givenName, $isGUID=false)
{
if ($username === NULL){ return "Missing compulsory field [username]"; }
$proxyValue = 'X400:';
// Find the dn of the user
$user = $this->adldap->user()->info($username, array("cn","proxyaddresses"), $isGUID);
if ($user[0]["dn"] === NULL) { return false; }
$userDn = $user[0]["dn"];
// We do not have to demote an email address from the default so we can just add the new proxy address
$attributes['exchange_proxyaddress'] = $proxyValue . 'c=' . $country . ';a=' . $admd . ';p=' . $pdmd . ';o=' . $org . ';s=' . $surname . ';g=' . $givenName . ';';
// Translate the update to the LDAP schema
$add = $this->adldap->adldap_schema($attributes);
if (!$add) { return false; }
// Do the update
// Take out the @ to see any errors, usually this error might occur because the address already
// exists in the list of proxyAddresses
$result = @ldap_mod_add($this->adldap->getLdapConnection(), $userDn, $add);
if ($result == false) {
return false;
}
return true;
}
/**
* Add an address to Exchange
*
* @param string $username The username of the user to add the Exchange account to
* @param string $emailAddress The email address to add to this user
* @param bool $default Make this email address the default address, this is a bit more intensive as we have to demote any existing default addresses
* @param bool $isGUID Is the username passed a GUID or a samAccountName
* @return bool
*/
public function addAddress($username, $emailAddress, $default = FALSE, $isGUID = false)
{
if ($username === NULL) { return "Missing compulsory field [username]"; }
if ($emailAddress === NULL) { return "Missing compulsory fields [emailAddress]"; }
$proxyValue = 'smtp:';
if ($default === true) {
$proxyValue = 'SMTP:';
}
// Find the dn of the user
$user = $this->adldap->user()->info($username, array("cn","proxyaddresses"), $isGUID);
if ($user[0]["dn"] === NULL){ return false; }
$userDn = $user[0]["dn"];
// We need to scan existing proxy addresses and demote the default one
if (is_array($user[0]["proxyaddresses"]) && $default === true) {
$modAddresses = array();
for ($i=0;$i<sizeof($user[0]['proxyaddresses']);$i++) {
if (strstr($user[0]['proxyaddresses'][$i], 'SMTP:') !== false) {
$user[0]['proxyaddresses'][$i] = str_replace('SMTP:', 'smtp:', $user[0]['proxyaddresses'][$i]);
}
if ($user[0]['proxyaddresses'][$i] != '') {
$modAddresses['proxyAddresses'][$i] = $user[0]['proxyaddresses'][$i];
}
}
$modAddresses['proxyAddresses'][(sizeof($user[0]['proxyaddresses'])-1)] = 'SMTP:' . $emailAddress;
$result = @ldap_mod_replace($this->adldap->getLdapConnection(), $userDn, $modAddresses);
if ($result == false) {
return false;
}
return true;
}
else {
// We do not have to demote an email address from the default so we can just add the new proxy address
$attributes['exchange_proxyaddress'] = $proxyValue . $emailAddress;
// Translate the update to the LDAP schema
$add = $this->adldap->adldap_schema($attributes);
if (!$add) {
return false;
}
// Do the update
// Take out the @ to see any errors, usually this error might occur because the address already
// exists in the list of proxyAddresses
$result = @ldap_mod_add($this->adldap->getLdapConnection(), $userDn,$add);
if ($result == false) {
return false;
}
return true;
}
}
/**
* Remove an address to Exchange
* If you remove a default address the account will no longer have a default,
* we recommend changing the default address first
*
* @param string $username The username of the user to add the Exchange account to
* @param string $emailAddress The email address to add to this user
* @param bool $isGUID Is the username passed a GUID or a samAccountName
* @return bool
*/
public function deleteAddress($username, $emailAddress, $isGUID=false)
{
if ($username === NULL) { return "Missing compulsory field [username]"; }
if ($emailAddress === NULL) { return "Missing compulsory fields [emailAddress]"; }
// Find the dn of the user
$user = $this->adldap->user()->info($username, array("cn","proxyaddresses"), $isGUID);
if ($user[0]["dn"] === NULL) { return false; }
$userDn = $user[0]["dn"];
if (is_array($user[0]["proxyaddresses"])) {
$mod = array();
for ($i=0;$i<sizeof($user[0]['proxyaddresses']);$i++) {
if (strstr($user[0]['proxyaddresses'][$i], 'SMTP:') !== false && $user[0]['proxyaddresses'][$i] == 'SMTP:' . $emailAddress) {
$mod['proxyAddresses'][0] = 'SMTP:' . $emailAddress;
}
elseif (strstr($user[0]['proxyaddresses'][$i], 'smtp:') !== false && $user[0]['proxyaddresses'][$i] == 'smtp:' . $emailAddress) {
$mod['proxyAddresses'][0] = 'smtp:' . $emailAddress;
}
}
$result = @ldap_mod_del($this->adldap->getLdapConnection(), $userDn,$mod);
if ($result == false) {
return false;
}
return true;
}
else {
return false;
}
}
/**
* Change the default address
*
* @param string $username The username of the user to add the Exchange account to
* @param string $emailAddress The email address to make default
* @param bool $isGUID Is the username passed a GUID or a samAccountName
* @return bool
*/
public function primaryAddress($username, $emailAddress, $isGUID = false)
{
if ($username === NULL) { return "Missing compulsory field [username]"; }
if ($emailAddress === NULL) { return "Missing compulsory fields [emailAddress]"; }
// Find the dn of the user
$user = $this->adldap->user()->info($username, array("cn","proxyaddresses"), $isGUID);
if ($user[0]["dn"] === NULL){ return false; }
$userDn = $user[0]["dn"];
if (is_array($user[0]["proxyaddresses"])) {
$modAddresses = array();
for ($i=0;$i<sizeof($user[0]['proxyaddresses']);$i++) {
if (strstr($user[0]['proxyaddresses'][$i], 'SMTP:') !== false) {
$user[0]['proxyaddresses'][$i] = str_replace('SMTP:', 'smtp:', $user[0]['proxyaddresses'][$i]);
}
if ($user[0]['proxyaddresses'][$i] == 'smtp:' . $emailAddress) {
$user[0]['proxyaddresses'][$i] = str_replace('smtp:', 'SMTP:', $user[0]['proxyaddresses'][$i]);
}
if ($user[0]['proxyaddresses'][$i] != '') {
$modAddresses['proxyAddresses'][$i] = $user[0]['proxyaddresses'][$i];
}
}
$result = @ldap_mod_replace($this->adldap->getLdapConnection(), $userDn, $modAddresses);
if ($result == false) {
return false;
}
return true;
}
}
/**
* Mail enable a contact
* Allows email to be sent to them through Exchange
*
* @param string $distinguishedName The contact to mail enable
* @param string $emailAddress The email address to allow emails to be sent through
* @param string $mailNickname The mailnickname for the contact in Exchange. If NULL this will be set to the display name
* @return bool
*/
public function contactMailEnable($distinguishedName, $emailAddress, $mailNickname = NULL)
{
if ($distinguishedName === NULL) { return "Missing compulsory field [distinguishedName]"; }
if ($emailAddress === NULL) { return "Missing compulsory field [emailAddress]"; }
if ($mailNickname !== NULL) {
// Find the dn of the user
$user = $this->adldap->contact()->info($distinguishedName, array("cn","displayname"));
if ($user[0]["displayname"] === NULL) { return false; }
$mailNickname = $user[0]['displayname'][0];
}
$attributes = array("email"=>$emailAddress,"contact_email"=>"SMTP:" . $emailAddress,"exchange_proxyaddress"=>"SMTP:" . $emailAddress,"exchange_mailnickname" => $mailNickname);
// Translate the update to the LDAP schema
$mod = $this->adldap->adldap_schema($attributes);
// Check to see if this is an enabled status update
if (!$mod) { return false; }
// Do the update
$result = ldap_modify($this->adldap->getLdapConnection(), $distinguishedName, $mod);
if ($result == false) { return false; }
return true;
}
/**
* Returns a list of Exchange Servers in the ConfigurationNamingContext of the domain
*
* @param array $attributes An array of the AD attributes you wish to return
* @return array
*/
public function servers($attributes = array('cn','distinguishedname','serialnumber'))
{
if (!$this->adldap->getLdapBind()){ return false; }
$configurationNamingContext = $this->adldap->getRootDse(array('configurationnamingcontext'));
$sr = @ldap_search($this->adldap->getLdapConnection(), $configurationNamingContext[0]['configurationnamingcontext'][0],'(&(objectCategory=msExchExchangeServer))', $attributes);
$entries = @ldap_get_entries($this->adldap->getLdapConnection(), $sr);
return $entries;
}
/**
* Returns a list of Storage Groups in Exchange for a given mail server
*
* @param string $exchangeServer The full DN of an Exchange server. You can use exchange_servers() to find the DN for your server
* @param array $attributes An array of the AD attributes you wish to return
* @param bool $recursive If enabled this will automatically query the databases within a storage group
* @return array
*/
public function storageGroups($exchangeServer, $attributes = array('cn','distinguishedname'), $recursive = NULL)
{
if (!$this->adldap->getLdapBind()){ return false; }
if ($exchangeServer === NULL) { return "Missing compulsory field [exchangeServer]"; }
if ($recursive === NULL) { $recursive = $this->adldap->getRecursiveGroups(); }
$filter = '(&(objectCategory=msExchStorageGroup))';
$sr = @ldap_search($this->adldap->getLdapConnection(), $exchangeServer, $filter, $attributes);
$entries = @ldap_get_entries($this->adldap->getLdapConnection(), $sr);
if ($recursive === true) {
for ($i=0; $i<$entries['count']; $i++) {
$entries[$i]['msexchprivatemdb'] = $this->storageDatabases($entries[$i]['distinguishedname'][0]);
}
}
return $entries;
}
/**
* Returns a list of Databases within any given storage group in Exchange for a given mail server
*
* @param string $storageGroup The full DN of an Storage Group. You can use exchange_storage_groups() to find the DN
* @param array $attributes An array of the AD attributes you wish to return
* @return array
*/
public function storageDatabases($storageGroup, $attributes = array('cn','distinguishedname','displayname')) {
if (!$this->adldap->getLdapBind()){ return false; }
if ($storageGroup === NULL) { return "Missing compulsory field [storageGroup]"; }
$filter = '(&(objectCategory=msExchPrivateMDB))';
$sr = @ldap_search($this->adldap->getLdapConnection(), $storageGroup, $filter, $attributes);
$entries = @ldap_get_entries($this->adldap->getLdapConnection(), $sr);
return $entries;
}
}
?>

179
content/lib/plugins/authad/adLDAP/classes/adLDAPFolders.php Normal file
View File

@@ -0,0 +1,179 @@
<?php
/**
* PHP LDAP CLASS FOR MANIPULATING ACTIVE DIRECTORY
* Version 4.0.4
*
* PHP Version 5 with SSL and LDAP support
*
* Written by Scott Barnett, Richard Hyland
* email: scott@wiggumworld.com, adldap@richardhyland.com
* http://adldap.sourceforge.net/
*
* Copyright (c) 2006-2012 Scott Barnett, Richard Hyland
*
* We'd appreciate any improvements or additions to be submitted back
* to benefit the entire community :)
*
* This library is free software; you can redistribute it and/or
* modify it under the terms of the GNU Lesser General Public
* License as published by the Free Software Foundation; either
* version 2.1 of the License.
*
* This library is distributed in the hope that it will be useful,
* but WITHOUT ANY WARRANTY; without even the implied warranty of
* MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU
* Lesser General Public License for more details.
*
* @category ToolsAndUtilities
* @package adLDAP
* @subpackage Folders
* @author Scott Barnett, Richard Hyland
* @copyright (c) 2006-2012 Scott Barnett, Richard Hyland
* @license http://www.gnu.org/licenses/old-licenses/lgpl-2.1.html LGPLv2.1
* @revision $Revision: 97 $
* @version 4.0.4
* @link http://adldap.sourceforge.net/
*/
require_once(dirname(__FILE__) . '/../adLDAP.php');
/**
* FOLDER / OU MANAGEMENT FUNCTIONS
*/
class adLDAPFolders {
/**
* The current adLDAP connection via dependency injection
*
* @var adLDAP
*/
protected $adldap;
public function __construct(adLDAP $adldap) {
$this->adldap = $adldap;
}
/**
* Delete a distinguished name from Active Directory
* You should never need to call this yourself, just use the wrapper functions user_delete and contact_delete
*
* @param string $dn The distinguished name to delete
* @return bool
*/
public function delete($dn){
$result = ldap_delete($this->adldap->getLdapConnection(), $dn);
if ($result != true) {
return false;
}
return true;
}
/**
* Returns a folder listing for a specific OU
* See http://adldap.sourceforge.net/wiki/doku.php?id=api_folder_functions
*
* @param array $folderName An array to the OU you wish to list.
* If set to NULL will list the root, strongly recommended to set
* $recursive to false in that instance!
* @param string $dnType The type of record to list. This can be ADLDAP_FOLDER or ADLDAP_CONTAINER.
* @param bool $recursive Recursively search sub folders
* @param bool $type Specify a type of object to search for
* @return array
*/
public function listing($folderName = NULL, $dnType = adLDAP::ADLDAP_FOLDER, $recursive = NULL, $type = NULL)
{
if ($recursive === NULL) { $recursive = $this->adldap->getRecursiveGroups(); } //use the default option if they haven't set it
if (!$this->adldap->getLdapBind()) { return false; }
$filter = '(&';
if ($type !== NULL) {
switch ($type) {
case 'contact':
$filter .= '(objectClass=contact)';
break;
case 'computer':
$filter .= '(objectClass=computer)';
break;
case 'group':
$filter .= '(objectClass=group)';
break;
case 'folder':
$filter .= '(objectClass=organizationalUnit)';
break;
case 'container':
$filter .= '(objectClass=container)';
break;
case 'domain':
$filter .= '(objectClass=builtinDomain)';
break;
default:
$filter .= '(objectClass=user)';
break;
}
}
else {
$filter .= '(objectClass=*)';
}
// If the folder name is null then we will search the root level of AD
// This requires us to not have an OU= part, just the base_dn
$searchOu = $this->adldap->getBaseDn();
if (is_array($folderName)) {
$ou = $dnType . "=" . implode("," . $dnType . "=", $folderName);
$filter .= '(!(distinguishedname=' . $ou . ',' . $this->adldap->getBaseDn() . ')))';
$searchOu = $ou . ',' . $this->adldap->getBaseDn();
}
else {
$filter .= '(!(distinguishedname=' . $this->adldap->getBaseDn() . ')))';
}
if ($recursive === true) {
$sr = ldap_search($this->adldap->getLdapConnection(), $searchOu, $filter, array('objectclass', 'distinguishedname', 'samaccountname'));
$entries = @ldap_get_entries($this->adldap->getLdapConnection(), $sr);
if (is_array($entries)) {
return $entries;
}
}
else {
$sr = ldap_list($this->adldap->getLdapConnection(), $searchOu, $filter, array('objectclass', 'distinguishedname', 'samaccountname'));
$entries = @ldap_get_entries($this->adldap->getLdapConnection(), $sr);
if (is_array($entries)) {
return $entries;
}
}
return false;
}
/**
* Create an organizational unit
*
* @param array $attributes Default attributes of the ou
* @return bool
*/
public function create($attributes)
{
if (!is_array($attributes)){ return "Attributes must be an array"; }
if (!is_array($attributes["container"])) { return "Container attribute must be an array."; }
if (!array_key_exists("ou_name",$attributes)) { return "Missing compulsory field [ou_name]"; }
if (!array_key_exists("container",$attributes)) { return "Missing compulsory field [container]"; }
$attributes["container"] = array_reverse($attributes["container"]);
$add=array();
$add["objectClass"] = "organizationalUnit";
$add["OU"] = $attributes['ou_name'];
$containers = "";
if (count($attributes['container']) > 0) {
$containers = "OU=" . implode(",OU=", $attributes["container"]) . ",";
}
$containers = "OU=" . implode(",OU=", $attributes["container"]);
$result = ldap_add($this->adldap->getLdapConnection(), "OU=" . $add["OU"] . ", " . $containers . $this->adldap->getBaseDn(), $add);
if ($result != true) {
return false;
}
return true;
}
}
?>

631
content/lib/plugins/authad/adLDAP/classes/adLDAPGroups.php Normal file
View File

@@ -0,0 +1,631 @@
<?php
/**
* PHP LDAP CLASS FOR MANIPULATING ACTIVE DIRECTORY
* Version 4.0.4
*
* PHP Version 5 with SSL and LDAP support
*
* Written by Scott Barnett, Richard Hyland
* email: scott@wiggumworld.com, adldap@richardhyland.com
* http://adldap.sourceforge.net/
*
* Copyright (c) 2006-2012 Scott Barnett, Richard Hyland
*
* We'd appreciate any improvements or additions to be submitted back
* to benefit the entire community :)
*
* This library is free software; you can redistribute it and/or
* modify it under the terms of the GNU Lesser General Public
* License as published by the Free Software Foundation; either
* version 2.1 of the License.
*
* This library is distributed in the hope that it will be useful,
* but WITHOUT ANY WARRANTY; without even the implied warranty of
* MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU
* Lesser General Public License for more details.
*
* @category ToolsAndUtilities
* @package adLDAP
* @subpackage Groups
* @author Scott Barnett, Richard Hyland
* @copyright (c) 2006-2012 Scott Barnett, Richard Hyland
* @license http://www.gnu.org/licenses/old-licenses/lgpl-2.1.html LGPLv2.1
* @revision $Revision: 97 $
* @version 4.0.4
* @link http://adldap.sourceforge.net/
*/
require_once(dirname(__FILE__) . '/../adLDAP.php');
require_once(dirname(__FILE__) . '/../collections/adLDAPGroupCollection.php');
/**
* GROUP FUNCTIONS
*/
class adLDAPGroups {
/**
* The current adLDAP connection via dependency injection
*
* @var adLDAP
*/
protected $adldap;
public function __construct(adLDAP $adldap) {
$this->adldap = $adldap;
}
/**
* Add a group to a group
*
* @param string $parent The parent group name
* @param string $child The child group name
* @return bool
*/
public function addGroup($parent,$child){
// Find the parent group's dn
$parentGroup = $this->ginfo($parent, array("cn"));
if ($parentGroup[0]["dn"] === NULL){
return false;
}
$parentDn = $parentGroup[0]["dn"];
// Find the child group's dn
$childGroup = $this->info($child, array("cn"));
if ($childGroup[0]["dn"] === NULL){
return false;
}
$childDn = $childGroup[0]["dn"];
$add = array();
$add["member"] = $childDn;
$result = @ldap_mod_add($this->adldap->getLdapConnection(), $parentDn, $add);
if ($result == false) {
return false;
}
return true;
}
/**
* Add a user to a group
*
* @param string $group The group to add the user to
* @param string $user The user to add to the group
* @param bool $isGUID Is the username passed a GUID or a samAccountName
* @return bool
*/
public function addUser($group, $user, $isGUID = false)
{
// Adding a user is a bit fiddly, we need to get the full DN of the user
// and add it using the full DN of the group
// Find the user's dn
$userDn = $this->adldap->user()->dn($user, $isGUID);
if ($userDn === false) {
return false;
}
// Find the group's dn
$groupInfo = $this->info($group, array("cn"));
if ($groupInfo[0]["dn"] === NULL) {
return false;
}
$groupDn = $groupInfo[0]["dn"];
$add = array();
$add["member"] = $userDn;
$result = @ldap_mod_add($this->adldap->getLdapConnection(), $groupDn, $add);
if ($result == false) {
return false;
}
return true;
}
/**
* Add a contact to a group
*
* @param string $group The group to add the contact to
* @param string $contactDn The DN of the contact to add
* @return bool
*/
public function addContact($group, $contactDn)
{
// To add a contact we take the contact's DN
// and add it using the full DN of the group
// Find the group's dn
$groupInfo = $this->info($group, array("cn"));
if ($groupInfo[0]["dn"] === NULL) {
return false;
}
$groupDn = $groupInfo[0]["dn"];
$add = array();
$add["member"] = $contactDn;
$result = @ldap_mod_add($this->adldap->getLdapConnection(), $groupDn, $add);
if ($result == false) {
return false;
}
return true;
}
/**
* Create a group
*
* @param array $attributes Default attributes of the group
* @return bool
*/
public function create($attributes)
{
if (!is_array($attributes)){ return "Attributes must be an array"; }
if (!array_key_exists("group_name", $attributes)){ return "Missing compulsory field [group_name]"; }
if (!array_key_exists("container", $attributes)){ return "Missing compulsory field [container]"; }
if (!array_key_exists("description", $attributes)){ return "Missing compulsory field [description]"; }
if (!is_array($attributes["container"])){ return "Container attribute must be an array."; }
$attributes["container"] = array_reverse($attributes["container"]);
//$member_array = array();
//$member_array[0] = "cn=user1,cn=Users,dc=yourdomain,dc=com";
//$member_array[1] = "cn=administrator,cn=Users,dc=yourdomain,dc=com";
$add = array();
$add["cn"] = $attributes["group_name"];
$add["samaccountname"] = $attributes["group_name"];
$add["objectClass"] = "Group";
$add["description"] = $attributes["description"];
//$add["member"] = $member_array; UNTESTED
$container = "OU=" . implode(",OU=", $attributes["container"]);
$result = ldap_add($this->adldap->getLdapConnection(), "CN=" . $add["cn"] . ", " . $container . "," . $this->adldap->getBaseDn(), $add);
if ($result != true) {
return false;
}
return true;
}
/**
* Delete a group account
*
* @param string $group The group to delete (please be careful here!)
*
* @return array
*/
public function delete($group) {
if (!$this->adldap->getLdapBind()){ return false; }
if ($group === null){ return "Missing compulsory field [group]"; }
$groupInfo = $this->info($group, array("*"));
$dn = $groupInfo[0]['distinguishedname'][0];
$result = $this->adldap->folder()->delete($dn);
if ($result !== true) {
return false;
} return true;
}
/**
* Remove a group from a group
*
* @param string $parent The parent group name
* @param string $child The child group name
* @return bool
*/
public function removeGroup($parent , $child)
{
// Find the parent dn
$parentGroup = $this->info($parent, array("cn"));
if ($parentGroup[0]["dn"] === NULL) {
return false;
}
$parentDn = $parentGroup[0]["dn"];
// Find the child dn
$childGroup = $this->info($child, array("cn"));
if ($childGroup[0]["dn"] === NULL) {
return false;
}
$childDn = $childGroup[0]["dn"];
$del = array();
$del["member"] = $childDn;
$result = @ldap_mod_del($this->adldap->getLdapConnection(), $parentDn, $del);
if ($result == false) {
return false;
}
return true;
}
/**
* Remove a user from a group
*
* @param string $group The group to remove a user from
* @param string $user The AD user to remove from the group
* @param bool $isGUID Is the username passed a GUID or a samAccountName
* @return bool
*/
public function removeUser($group, $user, $isGUID = false)
{
// Find the parent dn
$groupInfo = $this->info($group, array("cn"));
if ($groupInfo[0]["dn"] === NULL){
return false;
}
$groupDn = $groupInfo[0]["dn"];
// Find the users dn
$userDn = $this->adldap->user()->dn($user, $isGUID);
if ($userDn === false) {
return false;
}
$del = array();
$del["member"] = $userDn;
$result = @ldap_mod_del($this->adldap->getLdapConnection(), $groupDn, $del);
if ($result == false) {
return false;
}
return true;
}
/**
* Remove a contact from a group
*
* @param string $group The group to remove a user from
* @param string $contactDn The DN of a contact to remove from the group
* @return bool
*/
public function removeContact($group, $contactDn)
{
// Find the parent dn
$groupInfo = $this->info($group, array("cn"));
if ($groupInfo[0]["dn"] === NULL) {
return false;
}
$groupDn = $groupInfo[0]["dn"];
$del = array();
$del["member"] = $contactDn;
$result = @ldap_mod_del($this->adldap->getLdapConnection(), $groupDn, $del);
if ($result == false) {
return false;
}
return true;
}
/**
* Return a list of groups in a group
*
* @param string $group The group to query
* @param bool $recursive Recursively get groups
* @return array
*/
public function inGroup($group, $recursive = NULL)
{
if (!$this->adldap->getLdapBind()){ return false; }
if ($recursive === NULL){ $recursive = $this->adldap->getRecursiveGroups(); } // Use the default option if they haven't set it
// Search the directory for the members of a group
$info = $this->info($group, array("member","cn"));
$groups = $info[0]["member"];
if (!is_array($groups)) {
return false;
}
$groupArray = array();
for ($i=0; $i<$groups["count"]; $i++){
$filter = "(&(objectCategory=group)(distinguishedName=" . $this->adldap->utilities()->ldapSlashes($groups[$i]) . "))";
$fields = array("samaccountname", "distinguishedname", "objectClass");
$sr = ldap_search($this->adldap->getLdapConnection(), $this->adldap->getBaseDn(), $filter, $fields);
$entries = ldap_get_entries($this->adldap->getLdapConnection(), $sr);
// not a person, look for a group
if ($entries['count'] == 0 && $recursive == true) {
$filter = "(&(objectCategory=group)(distinguishedName=" . $this->adldap->utilities()->ldapSlashes($groups[$i]) . "))";
$fields = array("distinguishedname");
$sr = ldap_search($this->adldap->getLdapConnection(), $this->adldap->getBaseDn(), $filter, $fields);
$entries = ldap_get_entries($this->adldap->getLdapConnection(), $sr);
if (!isset($entries[0]['distinguishedname'][0])) {
continue;
}
$subGroups = $this->inGroup($entries[0]['distinguishedname'][0], $recursive);
if (is_array($subGroups)) {
$groupArray = array_merge($groupArray, $subGroups);
$groupArray = array_unique($groupArray);
}
continue;
}
$groupArray[] = $entries[0]['distinguishedname'][0];
}
return $groupArray;
}
/**
* Return a list of members in a group
*
* @param string $group The group to query
* @param bool $recursive Recursively get group members
* @return array
*/
public function members($group, $recursive = NULL)
{
if (!$this->adldap->getLdapBind()){ return false; }
if ($recursive === NULL){ $recursive = $this->adldap->getRecursiveGroups(); } // Use the default option if they haven't set it
// Search the directory for the members of a group
$info = $this->info($group, array("member","cn"));
$users = $info[0]["member"];
if (!is_array($users)) {
return false;
}
$userArray = array();
for ($i=0; $i<$users["count"]; $i++){
$filter = "(&(objectCategory=person)(distinguishedName=" . $this->adldap->utilities()->ldapSlashes($users[$i]) . "))";
$fields = array("samaccountname", "distinguishedname", "objectClass");
$sr = ldap_search($this->adldap->getLdapConnection(), $this->adldap->getBaseDn(), $filter, $fields);
$entries = ldap_get_entries($this->adldap->getLdapConnection(), $sr);
// not a person, look for a group
if ($entries['count'] == 0 && $recursive == true) {
$filter = "(&(objectCategory=group)(distinguishedName=" . $this->adldap->utilities()->ldapSlashes($users[$i]) . "))";
$fields = array("samaccountname");
$sr = ldap_search($this->adldap->getLdapConnection(), $this->adldap->getBaseDn(), $filter, $fields);
$entries = ldap_get_entries($this->adldap->getLdapConnection(), $sr);
if (!isset($entries[0]['samaccountname'][0])) {
continue;
}
$subUsers = $this->members($entries[0]['samaccountname'][0], $recursive);
if (is_array($subUsers)) {
$userArray = array_merge($userArray, $subUsers);
$userArray = array_unique($userArray);
}
continue;
}
else if ($entries['count'] == 0) {
continue;
}
if ((!isset($entries[0]['samaccountname'][0]) || $entries[0]['samaccountname'][0] === NULL) && $entries[0]['distinguishedname'][0] !== NULL) {
$userArray[] = $entries[0]['distinguishedname'][0];
}
else if ($entries[0]['samaccountname'][0] !== NULL) {
$userArray[] = $entries[0]['samaccountname'][0];
}
}
return $userArray;
}
/**
* Group Information. Returns an array of raw information about a group.
* The group name is case sensitive
*
* @param string $groupName The group name to retrieve info about
* @param array $fields Fields to retrieve
* @return array
*/
public function info($groupName, $fields = NULL)
{
if ($groupName === NULL) { return false; }
if (!$this->adldap->getLdapBind()) { return false; }
if (stristr($groupName, '+')) {
$groupName = stripslashes($groupName);
}
$filter = "(&(objectCategory=group)(name=" . $this->adldap->utilities()->ldapSlashes($groupName) . "))";
if ($fields === NULL) {
$fields = array("member","memberof","cn","description","distinguishedname","objectcategory","samaccountname");
}
$sr = ldap_search($this->adldap->getLdapConnection(), $this->adldap->getBaseDn(), $filter, $fields);
$entries = ldap_get_entries($this->adldap->getLdapConnection(), $sr);
return $entries;
}
/**
* Group Information. Returns an collection
* The group name is case sensitive
*
* @param string $groupName The group name to retrieve info about
* @param array $fields Fields to retrieve
* @return adLDAPGroupCollection
*/
public function infoCollection($groupName, $fields = NULL)
{
if ($groupName === NULL) { return false; }
if (!$this->adldap->getLdapBind()) { return false; }
$info = $this->info($groupName, $fields);
if ($info !== false) {
$collection = new adLDAPGroupCollection($info, $this->adldap);
return $collection;
}
return false;
}
/**
* Return a complete list of "groups in groups"
*
* @param string $group The group to get the list from
* @return array
*/
public function recursiveGroups($group)
{
if ($group === NULL) { return false; }
$stack = array();
$processed = array();
$retGroups = array();
array_push($stack, $group); // Initial Group to Start with
while (count($stack) > 0) {
$parent = array_pop($stack);
array_push($processed, $parent);
$info = $this->info($parent, array("memberof"));
if (isset($info[0]["memberof"]) && is_array($info[0]["memberof"])) {
$groups = $info[0]["memberof"];
if ($groups) {
$groupNames = $this->adldap->utilities()->niceNames($groups);
$retGroups = array_merge($retGroups, $groupNames); //final groups to return
foreach ($groupNames as $id => $groupName) {
if (!in_array($groupName, $processed)) {
array_push($stack, $groupName);
}
}
}
}
}
return $retGroups;
}
/**
* Returns a complete list of the groups in AD based on a SAM Account Type
*
* @param string $sAMAaccountType The account type to return
* @param bool $includeDescription Whether to return a description
* @param string $search Search parameters
* @param bool $sorted Whether to sort the results
* @return array
*/
public function search($sAMAaccountType = adLDAP::ADLDAP_SECURITY_GLOBAL_GROUP, $includeDescription = false, $search = "*", $sorted = true) {
if (!$this->adldap->getLdapBind()) { return false; }
$filter = '(&(objectCategory=group)';
if ($sAMAaccountType !== null) {
$filter .= '(samaccounttype='. $sAMAaccountType .')';
}
$filter .= '(cn=' . $search . '))';
// Perform the search and grab all their details
$fields = array("samaccountname", "description");
$sr = ldap_search($this->adldap->getLdapConnection(), $this->adldap->getBaseDn(), $filter, $fields);
$entries = ldap_get_entries($this->adldap->getLdapConnection(), $sr);
$groupsArray = array();
for ($i=0; $i<$entries["count"]; $i++){
if ($includeDescription && strlen($entries[$i]["description"][0]) > 0 ) {
$groupsArray[$entries[$i]["samaccountname"][0]] = $entries[$i]["description"][0];
}
else if ($includeDescription){
$groupsArray[$entries[$i]["samaccountname"][0]] = $entries[$i]["samaccountname"][0];
}
else {
array_push($groupsArray, $entries[$i]["samaccountname"][0]);
}
}
if ($sorted) {
asort($groupsArray);
}
return $groupsArray;
}
/**
* Returns a complete list of all groups in AD
*
* @param bool $includeDescription Whether to return a description
* @param string $search Search parameters
* @param bool $sorted Whether to sort the results
* @return array
*/
public function all($includeDescription = false, $search = "*", $sorted = true){
$groupsArray = $this->search(null, $includeDescription, $search, $sorted);
return $groupsArray;
}
/**
* Returns a complete list of security groups in AD
*
* @param bool $includeDescription Whether to return a description
* @param string $search Search parameters
* @param bool $sorted Whether to sort the results
* @return array
*/
public function allSecurity($includeDescription = false, $search = "*", $sorted = true){
$groupsArray = $this->search(adLDAP::ADLDAP_SECURITY_GLOBAL_GROUP, $includeDescription, $search, $sorted);
return $groupsArray;
}
/**
* Returns a complete list of distribution lists in AD
*
* @param bool $includeDescription Whether to return a description
* @param string $search Search parameters
* @param bool $sorted Whether to sort the results
* @return array
*/
public function allDistribution($includeDescription = false, $search = "*", $sorted = true){
$groupsArray = $this->search(adLDAP::ADLDAP_DISTRIBUTION_GROUP, $includeDescription, $search, $sorted);
return $groupsArray;
}
/**
* Coping with AD not returning the primary group
* http://support.microsoft.com/?kbid=321360
*
* This is a re-write based on code submitted by Bruce which prevents the
* need to search each security group to find the true primary group
*
* @param string $gid Group ID
* @param string $usersid User's Object SID
* @return mixed
*/
public function getPrimaryGroup($gid, $usersid)
{
if ($gid === NULL || $usersid === NULL) { return false; }
$sr = false;
$gsid = substr_replace($usersid, pack('V',$gid), strlen($usersid)-4,4);
$filter = '(objectsid=' . $this->adldap->utilities()->getTextSID($gsid).')';
$fields = array("samaccountname","distinguishedname");
$sr = ldap_search($this->adldap->getLdapConnection(), $this->adldap->getBaseDn(), $filter, $fields);
$entries = ldap_get_entries($this->adldap->getLdapConnection(), $sr);
if (isset($entries[0]['distinguishedname'][0])) {
return $entries[0]['distinguishedname'][0];
}
return false;
}
/**
* Coping with AD not returning the primary group
* http://support.microsoft.com/?kbid=321360
*
* For some reason it's not possible to search on primarygrouptoken=XXX
* If someone can show otherwise, I'd like to know about it :)
* this way is resource intensive and generally a pain in the @#%^
*
* @deprecated deprecated since version 3.1, see get get_primary_group
* @param string $gid Group ID
* @return string
*/
public function cn($gid){
if ($gid === NULL) { return false; }
$sr = false;
$r = '';
$filter = "(&(objectCategory=group)(samaccounttype=" . adLDAP::ADLDAP_SECURITY_GLOBAL_GROUP . "))";
$fields = array("primarygrouptoken", "samaccountname", "distinguishedname");
$sr = ldap_search($this->adldap->getLdapConnection(), $this->adldap->getBaseDn(), $filter, $fields);
$entries = ldap_get_entries($this->adldap->getLdapConnection(), $sr);
for ($i=0; $i<$entries["count"]; $i++){
if ($entries[$i]["primarygrouptoken"][0] == $gid) {
$r = $entries[$i]["distinguishedname"][0];
$i = $entries["count"];
}
}
return $r;
}
}
?>

682
content/lib/plugins/authad/adLDAP/classes/adLDAPUsers.php Normal file
View File

@@ -0,0 +1,682 @@
<?php
/**
* PHP LDAP CLASS FOR MANIPULATING ACTIVE DIRECTORY
* Version 4.0.4
*
* PHP Version 5 with SSL and LDAP support
*
* Written by Scott Barnett, Richard Hyland
* email: scott@wiggumworld.com, adldap@richardhyland.com
* http://adldap.sourceforge.net/
*
* Copyright (c) 2006-2012 Scott Barnett, Richard Hyland
*
* We'd appreciate any improvements or additions to be submitted back
* to benefit the entire community :)
*
* This library is free software; you can redistribute it and/or
* modify it under the terms of the GNU Lesser General Public
* License as published by the Free Software Foundation; either
* version 2.1 of the License.
*
* This library is distributed in the hope that it will be useful,
* but WITHOUT ANY WARRANTY; without even the implied warranty of
* MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU
* Lesser General Public License for more details.
*
* @category ToolsAndUtilities
* @package adLDAP
* @subpackage User
* @author Scott Barnett, Richard Hyland
* @copyright (c) 2006-2012 Scott Barnett, Richard Hyland
* @license http://www.gnu.org/licenses/old-licenses/lgpl-2.1.html LGPLv2.1
* @revision $Revision: 97 $
* @version 4.0.4
* @link http://adldap.sourceforge.net/
*/
require_once(dirname(__FILE__) . '/../adLDAP.php');
require_once(dirname(__FILE__) . '/../collections/adLDAPUserCollection.php');
/**
* USER FUNCTIONS
*/
class adLDAPUsers {
/**
* The current adLDAP connection via dependency injection
*
* @var adLDAP
*/
protected $adldap;
public function __construct(adLDAP $adldap) {
$this->adldap = $adldap;
}
/**
* Validate a user's login credentials
*
* @param string $username A user's AD username
* @param string $password A user's AD password
* @param bool optional $prevent_rebind
* @return bool
*/
public function authenticate($username, $password, $preventRebind = false) {
return $this->adldap->authenticate($username, $password, $preventRebind);
}
/**
* Create a user
*
* If you specify a password here, this can only be performed over SSL
*
* @param array $attributes The attributes to set to the user account
* @return bool
*/
public function create($attributes)
{
// Check for compulsory fields
if (!array_key_exists("username", $attributes)){ return "Missing compulsory field [username]"; }
if (!array_key_exists("firstname", $attributes)){ return "Missing compulsory field [firstname]"; }
if (!array_key_exists("surname", $attributes)){ return "Missing compulsory field [surname]"; }
if (!array_key_exists("email", $attributes)){ return "Missing compulsory field [email]"; }
if (!array_key_exists("container", $attributes)){ return "Missing compulsory field [container]"; }
if (!is_array($attributes["container"])){ return "Container attribute must be an array."; }
if (array_key_exists("password",$attributes) && (!$this->adldap->getUseSSL() && !$this->adldap->getUseTLS())){
throw new adLDAPException('SSL must be configured on your webserver and enabled in the class to set passwords.');
}
if (!array_key_exists("display_name", $attributes)) {
$attributes["display_name"] = $attributes["firstname"] . " " . $attributes["surname"];
}
// Translate the schema
$add = $this->adldap->adldap_schema($attributes);
// Additional stuff only used for adding accounts
$add["cn"][0] = $attributes["display_name"];
$add["samaccountname"][0] = $attributes["username"];
$add["objectclass"][0] = "top";
$add["objectclass"][1] = "person";
$add["objectclass"][2] = "organizationalPerson";
$add["objectclass"][3] = "user"; //person?
//$add["name"][0]=$attributes["firstname"]." ".$attributes["surname"];
// Set the account control attribute
$control_options = array("NORMAL_ACCOUNT");
if (!$attributes["enabled"]) {
$control_options[] = "ACCOUNTDISABLE";
}
$add["userAccountControl"][0] = $this->accountControl($control_options);
// Determine the container
$attributes["container"] = array_reverse($attributes["container"]);
$container = "OU=" . implode(", OU=",$attributes["container"]);
// Add the entry
$result = @ldap_add($this->adldap->getLdapConnection(), "CN=" . $add["cn"][0] . ", " . $container . "," . $this->adldap->getBaseDn(), $add);
if ($result != true) {
return false;
}
return true;
}
/**
* Account control options
*
* @param array $options The options to convert to int
* @return int
*/
protected function accountControl($options)
{
$val=0;
if (is_array($options)) {
if (in_array("SCRIPT",$options)){ $val=$val+1; }
if (in_array("ACCOUNTDISABLE",$options)){ $val=$val+2; }
if (in_array("HOMEDIR_REQUIRED",$options)){ $val=$val+8; }
if (in_array("LOCKOUT",$options)){ $val=$val+16; }
if (in_array("PASSWD_NOTREQD",$options)){ $val=$val+32; }
//PASSWD_CANT_CHANGE Note You cannot assign this permission by directly modifying the UserAccountControl attribute.
//For information about how to set the permission programmatically, see the "Property flag descriptions" section.
if (in_array("ENCRYPTED_TEXT_PWD_ALLOWED",$options)){ $val=$val+128; }
if (in_array("TEMP_DUPLICATE_ACCOUNT",$options)){ $val=$val+256; }
if (in_array("NORMAL_ACCOUNT",$options)){ $val=$val+512; }
if (in_array("INTERDOMAIN_TRUST_ACCOUNT",$options)){ $val=$val+2048; }
if (in_array("WORKSTATION_TRUST_ACCOUNT",$options)){ $val=$val+4096; }
if (in_array("SERVER_TRUST_ACCOUNT",$options)){ $val=$val+8192; }
if (in_array("DONT_EXPIRE_PASSWORD",$options)){ $val=$val+65536; }
if (in_array("MNS_LOGON_ACCOUNT",$options)){ $val=$val+131072; }
if (in_array("SMARTCARD_REQUIRED",$options)){ $val=$val+262144; }
if (in_array("TRUSTED_FOR_DELEGATION",$options)){ $val=$val+524288; }
if (in_array("NOT_DELEGATED",$options)){ $val=$val+1048576; }
if (in_array("USE_DES_KEY_ONLY",$options)){ $val=$val+2097152; }
if (in_array("DONT_REQ_PREAUTH",$options)){ $val=$val+4194304; }
if (in_array("PASSWORD_EXPIRED",$options)){ $val=$val+8388608; }
if (in_array("TRUSTED_TO_AUTH_FOR_DELEGATION",$options)){ $val=$val+16777216; }
}
return $val;
}
/**
* Delete a user account
*
* @param string $username The username to delete (please be careful here!)
* @param bool $isGUID Is the username a GUID or a samAccountName
* @return array
*/
public function delete($username, $isGUID = false)
{
$userinfo = $this->info($username, array("*"), $isGUID);
$dn = $userinfo[0]['distinguishedname'][0];
$result = $this->adldap->folder()->delete($dn);
if ($result != true) {
return false;
}
return true;
}
/**
* Groups the user is a member of
*
* @param string $username The username to query
* @param bool $recursive Recursive list of groups
* @param bool $isGUID Is the username passed a GUID or a samAccountName
* @return array
*/
public function groups($username, $recursive = NULL, $isGUID = false)
{
if ($username === NULL) { return false; }
if ($recursive === NULL) { $recursive = $this->adldap->getRecursiveGroups(); } // Use the default option if they haven't set it
if (!$this->adldap->getLdapBind()) { return false; }
// Search the directory for their information
$info = @$this->info($username, array("memberof", "primarygroupid"), $isGUID);
$groups = $this->adldap->utilities()->niceNames($info[0]["memberof"]); // Presuming the entry returned is our guy (unique usernames)
if ($recursive === true){
foreach ($groups as $id => $groupName){
$extraGroups = $this->adldap->group()->recursiveGroups($groupName);
$groups = array_merge($groups, $extraGroups);
}
}
return $groups;
}
/**
* Find information about the users. Returned in a raw array format from AD
*
* @param string $username The username to query
* @param array $fields Array of parameters to query
* @param bool $isGUID Is the username passed a GUID or a samAccountName
* @return array
*/
public function info($username, $fields = NULL, $isGUID = false)
{
if ($username === NULL) { return false; }
if (!$this->adldap->getLdapBind()) { return false; }
if ($isGUID === true) {
$username = $this->adldap->utilities()->strGuidToHex($username);
$filter = "objectguid=" . $username;
}
else if (strstr($username, "@")) {
$filter = "userPrincipalName=" . $username;
}
else {
$filter = "samaccountname=" . $username;
}
$filter = "(&(objectCategory=person)({$filter}))";
if ($fields === NULL) {
$fields = array("samaccountname","mail","memberof","department","displayname","telephonenumber","primarygroupid","objectsid");
}
if (!in_array("objectsid", $fields)) {
$fields[] = "objectsid";
}
$sr = ldap_search($this->adldap->getLdapConnection(), $this->adldap->getBaseDn(), $filter, $fields);
$entries = ldap_get_entries($this->adldap->getLdapConnection(), $sr);
if (isset($entries[0])) {
if ($entries[0]['count'] >= 1) {
if (in_array("memberof", $fields)) {
// AD does not return the primary group in the ldap query, we may need to fudge it
if ($this->adldap->getRealPrimaryGroup() && isset($entries[0]["primarygroupid"][0]) && isset($entries[0]["objectsid"][0])){
//$entries[0]["memberof"][]=$this->group_cn($entries[0]["primarygroupid"][0]);
$entries[0]["memberof"][] = $this->adldap->group()->getPrimaryGroup($entries[0]["primarygroupid"][0], $entries[0]["objectsid"][0]);
} else {
$entries[0]["memberof"][] = "CN=Domain Users,CN=Users," . $this->adldap->getBaseDn();
}
if (!isset($entries[0]["memberof"]["count"])) {
$entries[0]["memberof"]["count"] = 0;
}
$entries[0]["memberof"]["count"]++;
}
}
return $entries;
}
return false;
}
/**
* Find information about the users. Returned in a raw array format from AD
*
* @param string $username The username to query
* @param array $fields Array of parameters to query
* @param bool $isGUID Is the username passed a GUID or a samAccountName
* @return mixed
*/
public function infoCollection($username, $fields = NULL, $isGUID = false)
{
if ($username === NULL) { return false; }
if (!$this->adldap->getLdapBind()) { return false; }
$info = $this->info($username, $fields, $isGUID);
if ($info !== false) {
$collection = new adLDAPUserCollection($info, $this->adldap);
return $collection;
}
return false;
}
/**
* Determine if a user is in a specific group
*
* @param string $username The username to query
* @param string $group The name of the group to check against
* @param bool $recursive Check groups recursively
* @param bool $isGUID Is the username passed a GUID or a samAccountName
* @return bool
*/
public function inGroup($username, $group, $recursive = NULL, $isGUID = false)
{
if ($username === NULL) { return false; }
if ($group === NULL) { return false; }
if (!$this->adldap->getLdapBind()) { return false; }
if ($recursive === NULL) { $recursive = $this->adldap->getRecursiveGroups(); } // Use the default option if they haven't set it
// Get a list of the groups
$groups = $this->groups($username, $recursive, $isGUID);
// Return true if the specified group is in the group list
if (in_array($group, $groups)) {
return true;
}
return false;
}
/**
* Determine a user's password expiry date
*
* @param string $username The username to query
* @param book $isGUID Is the username passed a GUID or a samAccountName
* @requires bcmath http://php.net/manual/en/book.bc.php
* @return array
*/
public function passwordExpiry($username, $isGUID = false)
{
if ($username === NULL) { return "Missing compulsory field [username]"; }
if (!$this->adldap->getLdapBind()) { return false; }
if (!function_exists('bcmod')) { throw new adLDAPException("Missing function support [bcmod] http://php.net/manual/en/book.bc.php"); };
$userInfo = $this->info($username, array("pwdlastset", "useraccountcontrol"), $isGUID);
$pwdLastSet = $userInfo[0]['pwdlastset'][0];
$status = array();
if ($userInfo[0]['useraccountcontrol'][0] == '66048') {
// Password does not expire
return "Does not expire";
}
if ($pwdLastSet === '0') {
// Password has already expired
return "Password has expired";
}
// Password expiry in AD can be calculated from TWO values:
// - User's own pwdLastSet attribute: stores the last time the password was changed
// - Domain's maxPwdAge attribute: how long passwords last in the domain
//
// Although Microsoft chose to use a different base and unit for time measurements.
// This function will convert them to Unix timestamps
$sr = ldap_read($this->adldap->getLdapConnection(), $this->adldap->getBaseDn(), 'objectclass=*', array('maxPwdAge'));
if (!$sr) {
return false;
}
$info = ldap_get_entries($this->adldap->getLdapConnection(), $sr);
$maxPwdAge = $info[0]['maxpwdage'][0];
// See MSDN: http://msdn.microsoft.com/en-us/library/ms974598.aspx
//
// pwdLastSet contains the number of 100 nanosecond intervals since January 1, 1601 (UTC),
// stored in a 64 bit integer.
//
// The number of seconds between this date and Unix epoch is 11644473600.
//
// maxPwdAge is stored as a large integer that represents the number of 100 nanosecond
// intervals from the time the password was set before the password expires.
//
// We also need to scale this to seconds but also this value is a _negative_ quantity!
//
// If the low 32 bits of maxPwdAge are equal to 0 passwords do not expire
//
// Unfortunately the maths involved are too big for PHP integers, so I've had to require
// BCMath functions to work with arbitrary precision numbers.
if (bcmod($maxPwdAge, 4294967296) === '0') {
return "Domain does not expire passwords";
}
// Add maxpwdage and pwdlastset and we get password expiration time in Microsoft's
// time units. Because maxpwd age is negative we need to subtract it.
$pwdExpire = bcsub($pwdLastSet, $maxPwdAge);
// Convert MS's time to Unix time
$status['expiryts'] = bcsub(bcdiv($pwdExpire, '10000000'), '11644473600');
$status['expiryformat'] = date('Y-m-d H:i:s', bcsub(bcdiv($pwdExpire, '10000000'), '11644473600'));
return $status;
}
/**
* Modify a user
*
* @param string $username The username to query
* @param array $attributes The attributes to modify. Note if you set the enabled attribute you must not specify any other attributes
* @param bool $isGUID Is the username passed a GUID or a samAccountName
* @return bool
*/
public function modify($username, $attributes, $isGUID = false)
{
if ($username === NULL) { return "Missing compulsory field [username]"; }
if (array_key_exists("password", $attributes) && !$this->adldap->getUseSSL() && !$this->adldap->getUseTLS()) {
throw new adLDAPException('SSL/TLS must be configured on your webserver and enabled in the class to set passwords.');
}
// Find the dn of the user
$userDn = $this->dn($username, $isGUID);
if ($userDn === false) {
return false;
}
// Translate the update to the LDAP schema
$mod = $this->adldap->adldap_schema($attributes);
// Check to see if this is an enabled status update
if (!$mod && !array_key_exists("enabled", $attributes)){
return false;
}
// Set the account control attribute (only if specified)
if (array_key_exists("enabled", $attributes)){
if ($attributes["enabled"]){
$controlOptions = array("NORMAL_ACCOUNT");
}
else {
$controlOptions = array("NORMAL_ACCOUNT", "ACCOUNTDISABLE");
}
$mod["userAccountControl"][0] = $this->accountControl($controlOptions);
}
// Do the update
$result = @ldap_modify($this->adldap->getLdapConnection(), $userDn, $mod);
if ($result == false) {
return false;
}
return true;
}
/**
* Disable a user account
*
* @param string $username The username to disable
* @param bool $isGUID Is the username passed a GUID or a samAccountName
* @return bool
*/
public function disable($username, $isGUID = false)
{
if ($username === NULL) { return "Missing compulsory field [username]"; }
$attributes = array("enabled" => 0);
$result = $this->modify($username, $attributes, $isGUID);
if ($result == false) { return false; }
return true;
}
/**
* Enable a user account
*
* @param string $username The username to enable
* @param bool $isGUID Is the username passed a GUID or a samAccountName
* @return bool
*/
public function enable($username, $isGUID = false)
{
if ($username === NULL) { return "Missing compulsory field [username]"; }
$attributes = array("enabled" => 1);
$result = $this->modify($username, $attributes, $isGUID);
if ($result == false) { return false; }
return true;
}
/**
* Set the password of a user - This must be performed over SSL
*
* @param string $username The username to modify
* @param string $password The new password
* @param bool $isGUID Is the username passed a GUID or a samAccountName
* @return bool
*/
public function password($username, $password, $isGUID = false)
{
if ($username === NULL) { return false; }
if ($password === NULL) { return false; }
if (!$this->adldap->getLdapBind()) { return false; }
if (!$this->adldap->getUseSSL() && !$this->adldap->getUseTLS()) {
throw new adLDAPException('SSL must be configured on your webserver and enabled in the class to set passwords.');
}
$userDn = $this->dn($username, $isGUID);
if ($userDn === false) {
return false;
}
$add=array();
$add["unicodePwd"][0] = $this->encodePassword($password);
$result = @ldap_mod_replace($this->adldap->getLdapConnection(), $userDn, $add);
if ($result === false){
$err = ldap_errno($this->adldap->getLdapConnection());
if ($err) {
$msg = 'Error ' . $err . ': ' . ldap_err2str($err) . '.';
if($err == 53) {
$msg .= ' Your password might not match the password policy.';
}
throw new adLDAPException($msg);
}
else {
return false;
}
}
return true;
}
/**
* Encode a password for transmission over LDAP
*
* @param string $password The password to encode
* @return string
*/
public function encodePassword($password)
{
$password="\"".$password."\"";
$encoded="";
for ($i=0; $i <strlen($password); $i++){ $encoded.="{$password{$i}}\000"; }
return $encoded;
}
/**
* Obtain the user's distinguished name based on their userid
*
*
* @param string $username The username
* @param bool $isGUID Is the username passed a GUID or a samAccountName
* @return string
*/
public function dn($username, $isGUID=false)
{
$user = $this->info($username, array("cn"), $isGUID);
if ($user[0]["dn"] === NULL) {
return false;
}
$userDn = $user[0]["dn"];
return $userDn;
}
/**
* Return a list of all users in AD
*
* @param bool $includeDescription Return a description of the user
* @param string $search Search parameter
* @param bool $sorted Sort the user accounts
* @return array
*/
public function all($includeDescription = false, $search = "*", $sorted = true)
{
if (!$this->adldap->getLdapBind()) { return false; }
// Perform the search and grab all their details
$filter = "(&(objectClass=user)(samaccounttype=" . adLDAP::ADLDAP_NORMAL_ACCOUNT .")(objectCategory=person)(cn=" . $search . "))";
$fields = array("samaccountname","displayname");
$sr = ldap_search($this->adldap->getLdapConnection(), $this->adldap->getBaseDn(), $filter, $fields);
$entries = ldap_get_entries($this->adldap->getLdapConnection(), $sr);
$usersArray = array();
for ($i=0; $i<$entries["count"]; $i++){
if ($includeDescription && strlen($entries[$i]["displayname"][0])>0){
$usersArray[$entries[$i]["samaccountname"][0]] = $entries[$i]["displayname"][0];
} elseif ($includeDescription){
$usersArray[$entries[$i]["samaccountname"][0]] = $entries[$i]["samaccountname"][0];
} else {
array_push($usersArray, $entries[$i]["samaccountname"][0]);
}
}
if ($sorted) {
asort($usersArray);
}
return $usersArray;
}
/**
* Converts a username (samAccountName) to a GUID
*
* @param string $username The username to query
* @return string
*/
public function usernameToGuid($username)
{
if (!$this->adldap->getLdapBind()){ return false; }
if ($username === null){ return "Missing compulsory field [username]"; }
$filter = "samaccountname=" . $username;
$fields = array("objectGUID");
$sr = @ldap_search($this->adldap->getLdapConnection(), $this->adldap->getBaseDn(), $filter, $fields);
if (ldap_count_entries($this->adldap->getLdapConnection(), $sr) > 0) {
$entry = @ldap_first_entry($this->adldap->getLdapConnection(), $sr);
$guid = @ldap_get_values_len($this->adldap->getLdapConnection(), $entry, 'objectGUID');
$strGUID = $this->adldap->utilities()->binaryToText($guid[0]);
return $strGUID;
}
return false;
}
/**
* Return a list of all users in AD that have a specific value in a field
*
* @param bool $includeDescription Return a description of the user
* @param string $searchField Field to search search for
* @param string $searchFilter Value to search for in the specified field
* @param bool $sorted Sort the user accounts
* @return array
*/
public function find($includeDescription = false, $searchField = false, $searchFilter = false, $sorted = true){
if (!$this->adldap->getLdapBind()){ return false; }
// Perform the search and grab all their details
$searchParams = "";
if ($searchField) {
$searchParams = "(" . $searchField . "=" . $searchFilter . ")";
}
$filter = "(&(objectClass=user)(samaccounttype=" . adLDAP::ADLDAP_NORMAL_ACCOUNT .")(objectCategory=person)" . $searchParams . ")";
$fields = array("samaccountname","displayname");
$sr = ldap_search($this->adldap->getLdapConnection(), $this->adldap->getBaseDn(), $filter, $fields);
$entries = ldap_get_entries($this->adldap->getLdapConnection(), $sr);
$usersArray = array();
for ($i=0; $i < $entries["count"]; $i++) {
if ($includeDescription && strlen($entries[$i]["displayname"][0]) > 0) {
$usersArray[$entries[$i]["samaccountname"][0]] = $entries[$i]["displayname"][0];
}
else if ($includeDescription) {
$usersArray[$entries[$i]["samaccountname"][0]] = $entries[$i]["samaccountname"][0];
}
else {
array_push($usersArray, $entries[$i]["samaccountname"][0]);
}
}
if ($sorted){
asort($usersArray);
}
return ($usersArray);
}
/**
* Move a user account to a different OU
*
* @param string $username The username to move (please be careful here!)
* @param array $container The container or containers to move the user to (please be careful here!).
* accepts containers in 1. parent 2. child order
* @return array
*/
public function move($username, $container)
{
if (!$this->adldap->getLdapBind()) { return false; }
if ($username === null) { return "Missing compulsory field [username]"; }
if ($container === null) { return "Missing compulsory field [container]"; }
if (!is_array($container)) { return "Container must be an array"; }
$userInfo = $this->info($username, array("*"));
$dn = $userInfo[0]['distinguishedname'][0];
$newRDn = "cn=" . $username;
$container = array_reverse($container);
$newContainer = "ou=" . implode(",ou=",$container);
$newBaseDn = strtolower($newContainer) . "," . $this->adldap->getBaseDn();
$result = @ldap_rename($this->adldap->getLdapConnection(), $dn, $newRDn, $newBaseDn, true);
if ($result !== true) {
return false;
}
return true;
}
/**
* Get the last logon time of any user as a Unix timestamp
*
* @param string $username
* @return long $unixTimestamp
*/
public function getLastLogon($username) {
if (!$this->adldap->getLdapBind()) { return false; }
if ($username === null) { return "Missing compulsory field [username]"; }
$userInfo = $this->info($username, array("lastLogonTimestamp"));
$lastLogon = adLDAPUtils::convertWindowsTimeToUnixTime($userInfo[0]['lastLogonTimestamp'][0]);
return $lastLogon;
}
}
?>

268
content/lib/plugins/authad/adLDAP/classes/adLDAPUtils.php Normal file
View File

@@ -0,0 +1,268 @@
<?php
/**
* PHP LDAP CLASS FOR MANIPULATING ACTIVE DIRECTORY
* Version 4.0.4
*
* PHP Version 5 with SSL and LDAP support
*
* Written by Scott Barnett, Richard Hyland
* email: scott@wiggumworld.com, adldap@richardhyland.com
* http://adldap.sourceforge.net/
*
* Copyright (c) 2006-2012 Scott Barnett, Richard Hyland
*
* We'd appreciate any improvements or additions to be submitted back
* to benefit the entire community :)
*
* This library is free software; you can redistribute it and/or
* modify it under the terms of the GNU Lesser General Public
* License as published by the Free Software Foundation; either
* version 2.1 of the License.
*
* This library is distributed in the hope that it will be useful,
* but WITHOUT ANY WARRANTY; without even the implied warranty of
* MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU
* Lesser General Public License for more details.
*
* @category ToolsAndUtilities
* @package adLDAP
* @subpackage Utils
* @author Scott Barnett, Richard Hyland
* @copyright (c) 2006-2012 Scott Barnett, Richard Hyland
* @license http://www.gnu.org/licenses/old-licenses/lgpl-2.1.html LGPLv2.1
* @revision $Revision: 97 $
* @version 4.0.4
* @link http://adldap.sourceforge.net/
*/
require_once(dirname(__FILE__) . '/../adLDAP.php');
/**
* UTILITY FUNCTIONS
*/
class adLDAPUtils {
const ADLDAP_VERSION = '4.0.4';
/**
* The current adLDAP connection via dependency injection
*
* @var adLDAP
*/
protected $adldap;
public function __construct(adLDAP $adldap) {
$this->adldap = $adldap;
}
/**
* Take an LDAP query and return the nice names, without all the LDAP prefixes (eg. CN, DN)
*
* @param array $groups
* @return array
*/
public function niceNames($groups)
{
$groupArray = array();
for ($i=0; $i<$groups["count"]; $i++){ // For each group
$line = $groups[$i];
if (strlen($line)>0) {
// More presumptions, they're all prefixed with CN=
// so we ditch the first three characters and the group
// name goes up to the first comma
$bits=explode(",", $line);
$groupArray[] = substr($bits[0], 3, (strlen($bits[0])-3));
}
}
return $groupArray;
}
/**
* Escape characters for use in an ldap_create function
*
* @param string $str
* @return string
*/
public function escapeCharacters($str) {
$str = str_replace(",", "\,", $str);
return $str;
}
/**
* Escape strings for the use in LDAP filters
*
* DEVELOPERS SHOULD BE DOING PROPER FILTERING IF THEY'RE ACCEPTING USER INPUT
* Ported from Perl's Net::LDAP::Util escape_filter_value
*
* @param string $str The string the parse
* @author Port by Andreas Gohr <andi@splitbrain.org>
* @return string
*/
public function ldapSlashes($str) {
// see https://github.com/adldap/adLDAP/issues/22
return preg_replace_callback(
'/([\x00-\x1F\*\(\)\\\\])/',
function ($matches) {
return "\\".join("", unpack("H2", $matches[1]));
},
$str
);
}
/**
* Converts a string GUID to a hexdecimal value so it can be queried
*
* @param string $strGUID A string representation of a GUID
* @return string
*/
public function strGuidToHex($strGUID)
{
$strGUID = str_replace('-', '', $strGUID);
$octet_str = '\\' . substr($strGUID, 6, 2);
$octet_str .= '\\' . substr($strGUID, 4, 2);
$octet_str .= '\\' . substr($strGUID, 2, 2);
$octet_str .= '\\' . substr($strGUID, 0, 2);
$octet_str .= '\\' . substr($strGUID, 10, 2);
$octet_str .= '\\' . substr($strGUID, 8, 2);
$octet_str .= '\\' . substr($strGUID, 14, 2);
$octet_str .= '\\' . substr($strGUID, 12, 2);
//$octet_str .= '\\' . substr($strGUID, 16, strlen($strGUID));
for ($i=16; $i<=(strlen($strGUID)-2); $i++) {
if (($i % 2) == 0) {
$octet_str .= '\\' . substr($strGUID, $i, 2);
}
}
return $octet_str;
}
/**
* Convert a binary SID to a text SID
*
* @param string $binsid A Binary SID
* @return string
*/
public function getTextSID($binsid) {
$hex_sid = bin2hex($binsid);
$rev = hexdec(substr($hex_sid, 0, 2));
$subcount = hexdec(substr($hex_sid, 2, 2));
$auth = hexdec(substr($hex_sid, 4, 12));
$result = "$rev-$auth";
for ($x=0;$x < $subcount; $x++) {
$subauth[$x] =
hexdec($this->littleEndian(substr($hex_sid, 16 + ($x * 8), 8)));
$result .= "-" . $subauth[$x];
}
// Cheat by tacking on the S-
return 'S-' . $result;
}
/**
* Converts a little-endian hex number to one that hexdec() can convert
*
* @param string $hex A hex code
* @return string
*/
public function littleEndian($hex)
{
$result = '';
for ($x = strlen($hex) - 2; $x >= 0; $x = $x - 2) {
$result .= substr($hex, $x, 2);
}
return $result;
}
/**
* Converts a binary attribute to a string
*
* @param string $bin A binary LDAP attribute
* @return string
*/
public function binaryToText($bin)
{
$hex_guid = bin2hex($bin);
$hex_guid_to_guid_str = '';
for($k = 1; $k <= 4; ++$k) {
$hex_guid_to_guid_str .= substr($hex_guid, 8 - 2 * $k, 2);
}
$hex_guid_to_guid_str .= '-';
for($k = 1; $k <= 2; ++$k) {
$hex_guid_to_guid_str .= substr($hex_guid, 12 - 2 * $k, 2);
}
$hex_guid_to_guid_str .= '-';
for($k = 1; $k <= 2; ++$k) {
$hex_guid_to_guid_str .= substr($hex_guid, 16 - 2 * $k, 2);
}
$hex_guid_to_guid_str .= '-' . substr($hex_guid, 16, 4);
$hex_guid_to_guid_str .= '-' . substr($hex_guid, 20);
return strtoupper($hex_guid_to_guid_str);
}
/**
* Converts a binary GUID to a string GUID
*
* @param string $binaryGuid The binary GUID attribute to convert
* @return string
*/
public function decodeGuid($binaryGuid)
{
if ($binaryGuid === null){ return "Missing compulsory field [binaryGuid]"; }
$strGUID = $this->binaryToText($binaryGuid);
return $strGUID;
}
/**
* Convert a boolean value to a string
* You should never need to call this yourself
*
* @param bool $bool Boolean value
* @return string
*/
public function boolToStr($bool)
{
return ($bool) ? 'TRUE' : 'FALSE';
}
/**
* Convert 8bit characters e.g. accented characters to UTF8 encoded characters
*/
public function encode8Bit(&$item, $key) {
$encode = false;
if (is_string($item)) {
for ($i=0; $i<strlen($item); $i++) {
if (ord($item[$i]) >> 7) {
$encode = true;
}
}
}
if ($encode === true && $key != 'password') {
$item = utf8_encode($item);
}
}
/**
* Get the current class version number
*
* @return string
*/
public function getVersion() {
return self::ADLDAP_VERSION;
}
/**
* Round a Windows timestamp down to seconds and remove the seconds between 1601-01-01 and 1970-01-01
*
* @param long $windowsTime
* @return long $unixTime
*/
public static function convertWindowsTimeToUnixTime($windowsTime) {
$unixTime = round($windowsTime / 10000000) - 11644477200;
return $unixTime;
}
}
?>