sspmod_ldap_ConfigHelper Class Reference

Collaboration diagram for sspmod_ldap_ConfigHelper:

Public Member Functions
	__construct ($config, $location)
	Constructor for this configuration parser. More...
	login ($username, $password, array $sasl_args=null)
	Attempt to log in using the given username and password. More...
	searchfordn ($attribute, $value, $allowZeroHits)
	Search for a DN. More...
	getAttributes ($dn, $attributes=null)

Private Attributes
	$location
	String with the location of this configuration. More...
	$hostname
	The hostname of the LDAP server. More...
	$enableTLS
	Whether we should use TLS/SSL when contacting the LDAP server. More...
	$debug
	$timeout
	$port
	$referrals
	Whether to follow referrals. More...
	$searchEnable
	Whether we need to search for the users DN. More...
	$searchUsername
	The username we should bind with before we can search for the user. More...
	$searchPassword
	The password we should bind with before we can search for the user. More...
	$searchBase
	Array with the base DN(s) for the search. More...
	$searchFilter
	Additional LDAP filter fields for the search. More...
	$searchAttributes
	The attributes which should match the username. More...
	$dnPattern
	The DN pattern we should use to create the DN from the username. More...
	$attributes
	The attributes we should fetch. More...
	$privRead
	The user cannot get all attributes, privileged reader required. More...
	$privUsername
	The DN we should bind with before we can get the attributes. More...
	$privPassword
	The password we should bind with before we can get the attributes. More...

Detailed Description

Definition at line 11 of file ConfigHelper.php.

Constructor & Destructor Documentation

__construct()

sspmod_ldap_ConfigHelper::__construct	(		$config,
			$location
	)

Constructor for this configuration parser.

Parameters

array	$config	Configuration.
string	$location	The location of this configuration. Used for error reporting.

Definition at line 130 of file ConfigHelper.php.

References $config, $location, and SimpleSAML_Configuration\loadFromArray().

    {
        assert('is_array($config)');
        assert('is_string($location)');

        $this->location = $location;

        // Parse configuration
        $config = SimpleSAML_Configuration::loadFromArray($config, $location);

        $this->hostname = $config->getString('hostname');
        $this->enableTLS = $config->getBoolean('enable_tls', false);
        $this->debug = $config->getBoolean('debug', false);
        $this->timeout = $config->getInteger('timeout', 0);
        $this->port = $config->getInteger('port', 389);
        $this->referrals = $config->getBoolean('referrals', true);
        $this->searchEnable = $config->getBoolean('search.enable', false);
        $this->privRead = $config->getBoolean('priv.read', false);

        if ($this->searchEnable) {
            $this->searchUsername = $config->getString('search.username', null);
            if ($this->searchUsername !== null) {
                $this->searchPassword = $config->getString('search.password');
            }

            $this->searchBase = $config->getArrayizeString('search.base');
            $this->searchFilter = $config->getString('search.filter', null);
            $this->searchAttributes = $config->getArray('search.attributes');

        } else {
            $this->dnPattern = $config->getString('dnpattern');
        }

        // Are privs needed to get to the attributes?
        if ($this->privRead) {
            $this->privUsername = $config->getString('priv.username');
            $this->privPassword = $config->getString('priv.password');
        }

        $this->attributes = $config->getArray('attributes', null);
    }

Here is the call graph for this function:

Member Function Documentation

getAttributes()

sspmod_ldap_ConfigHelper::getAttributes	(		$dn,
			$attributes = null
	)

Definition at line 281 of file ConfigHelper.php.

References $attributes.

    {
        if ($attributes == null) {
            $attributes = $this->attributes;
        }

        $ldap = new SimpleSAML_Auth_LDAP($this->hostname,
            $this->enableTLS,
            $this->debug,
            $this->timeout,
            $this->port,
            $this->referrals);

        /* Are privs needed to get the attributes? */
        if ($this->privRead) {
            /* Yes, rebind with privs */
            if (!$ldap->bind($this->privUsername, $this->privPassword)) {
                throw new Exception('Error authenticating using privileged DN & password.');
            }
        }
        return $ldap->getAttributes($dn, $attributes);
    }

login()

sspmod_ldap_ConfigHelper::login	(		$username,
			$password,
		array	$sasl_args = null
	)

Attempt to log in using the given username and password.

Will throw a SimpleSAML_Error_Error('WRONGUSERPASS') if the username or password is wrong. If there is a configuration problem, an Exception will be thrown.

Parameters

string	$username	The username the user wrote.
string	$password	The password the user wrote.
arrray	$sasl_args	Array of SASL options for LDAP bind.

Returns

array Associative array with the users attributes.

Definition at line 184 of file ConfigHelper.php.

References $password, and SimpleSAML\Logger\info().

    {
        assert('is_string($username)');
        assert('is_string($password)');

        if (empty($password)) {
            SimpleSAML\Logger::info($this->location . ': Login with empty password disallowed.');
            throw new SimpleSAML_Error_Error('WRONGUSERPASS');
        }

        $ldap = new SimpleSAML_Auth_LDAP($this->hostname, $this->enableTLS, $this->debug, $this->timeout, $this->port, $this->referrals);

        if (!$this->searchEnable) {
            $ldapusername = addcslashes($username, ',+"\\<>;*');
            $dn = str_replace('%username%', $ldapusername, $this->dnPattern);
        } else {
            if ($this->searchUsername !== null) {
                if (!$ldap->bind($this->searchUsername, $this->searchPassword)) {
                    throw new Exception('Error authenticating using search username & password.');
                }
            }

            $dn = $ldap->searchfordn($this->searchBase, $this->searchAttributes, $username, true, $this->searchFilter);
            if ($dn === null) {
                /* User not found with search. */
                SimpleSAML\Logger::info($this->location . ': Unable to find users DN. username=\'' . $username . '\'');
                throw new SimpleSAML_Error_Error('WRONGUSERPASS');
            }
        }

        if (!$ldap->bind($dn, $password, $sasl_args)) {
            SimpleSAML\Logger::info($this->location . ': '. $username . ' failed to authenticate. DN=' . $dn);
            throw new SimpleSAML_Error_Error('WRONGUSERPASS');
        }

        /* In case of SASL bind, authenticated and authorized DN may differ */
        if (isset($sasl_args)) {
            $dn = $ldap->whoami($this->searchBase, $this->searchAttributes);
        }

        /* Are privs needed to get the attributes? */
        if ($this->privRead) {
            /* Yes, rebind with privs */
            if (!$ldap->bind($this->privUsername, $this->privPassword)) {
                throw new Exception('Error authenticating using privileged DN & password.');
            }
        }

        return $ldap->getAttributes($dn, $this->attributes);
    }

Here is the call graph for this function:

searchfordn()

sspmod_ldap_ConfigHelper::searchfordn	(		$attribute,
			$value,
			$allowZeroHits
	)

Search for a DN.

Parameters

string | array	$attribute	The attribute name(s) searched for. If set to NULL, values from configuration is used.
string	$value	The attribute value searched for.
bool	$allowZeroHits	Determines if the method will throw an exception if no hits are found. Defaults to FALSE.

Returns

string The DN of the matching element, if found. If no element was found and $allowZeroHits is set to FALSE, an exception will be thrown; otherwise NULL will be returned.

Exceptions

SimpleSAML_Error_AuthSource	if: LDAP search encounter some problems when searching cataloge Not able to connect to LDAP server
SimpleSAML_Error_UserNotFound	if: $allowZeroHits is FALSE and no result is found

Definition at line 258 of file ConfigHelper.php.

References $searchAttributes.

    {
        $ldap = new SimpleSAML_Auth_LDAP($this->hostname,
            $this->enableTLS,
            $this->debug,
            $this->timeout,
            $this->port,
            $this->referrals);

        if ($attribute == null) {
            $attribute = $this->searchAttributes;
        }

        if ($this->searchUsername !== null) {
            if (!$ldap->bind($this->searchUsername, $this->searchPassword)) {
                throw new Exception('Error authenticating using search username & password.');
            }
        }

        return $ldap->searchfordn($this->searchBase, $attribute,
            $value, $allowZeroHits, $this->searchFilter);
    }

Field Documentation

$attributes

sspmod_ldap_ConfigHelper::$attributes

private

The attributes we should fetch.

Can be NULL in which case we will fetch all attributes.

Definition at line 103 of file ConfigHelper.php.

Referenced by getAttributes().

$debug

sspmod_ldap_ConfigHelper::$debug

private

Definition at line 37 of file ConfigHelper.php.

$dnPattern

sspmod_ldap_ConfigHelper::$dnPattern

private

The DN pattern we should use to create the DN from the username.

Definition at line 97 of file ConfigHelper.php.

$enableTLS

sspmod_ldap_ConfigHelper::$enableTLS

private

Whether we should use TLS/SSL when contacting the LDAP server.

Definition at line 29 of file ConfigHelper.php.

$hostname

sspmod_ldap_ConfigHelper::$hostname

private

The hostname of the LDAP server.

Definition at line 23 of file ConfigHelper.php.

$location

sspmod_ldap_ConfigHelper::$location

private

String with the location of this configuration.

Used for error reporting.

Definition at line 17 of file ConfigHelper.php.

Referenced by __construct().

$port

sspmod_ldap_ConfigHelper::$port

private

Definition at line 52 of file ConfigHelper.php.

$privPassword

sspmod_ldap_ConfigHelper::$privPassword

private

The password we should bind with before we can get the attributes.

Definition at line 121 of file ConfigHelper.php.

$privRead

sspmod_ldap_ConfigHelper::$privRead

private

The user cannot get all attributes, privileged reader required.

Definition at line 109 of file ConfigHelper.php.

$privUsername

sspmod_ldap_ConfigHelper::$privUsername

private

The DN we should bind with before we can get the attributes.

Definition at line 115 of file ConfigHelper.php.

$referrals

sspmod_ldap_ConfigHelper::$referrals

private

Whether to follow referrals.

Definition at line 57 of file ConfigHelper.php.

$searchAttributes

sspmod_ldap_ConfigHelper::$searchAttributes

private

The attributes which should match the username.

Definition at line 91 of file ConfigHelper.php.

Referenced by searchfordn().

$searchBase

sspmod_ldap_ConfigHelper::$searchBase

private

Array with the base DN(s) for the search.

Definition at line 81 of file ConfigHelper.php.

$searchEnable

sspmod_ldap_ConfigHelper::$searchEnable

private

Whether we need to search for the users DN.

Definition at line 63 of file ConfigHelper.php.

$searchFilter

sspmod_ldap_ConfigHelper::$searchFilter

private

Additional LDAP filter fields for the search.

Definition at line 86 of file ConfigHelper.php.

$searchPassword

sspmod_ldap_ConfigHelper::$searchPassword

private

The password we should bind with before we can search for the user.

Definition at line 75 of file ConfigHelper.php.

$searchUsername

sspmod_ldap_ConfigHelper::$searchUsername

private

The username we should bind with before we can search for the user.

Definition at line 69 of file ConfigHelper.php.

$timeout

sspmod_ldap_ConfigHelper::$timeout

private

Definition at line 45 of file ConfigHelper.php.

---

The documentation for this class was generated from the following file:

• libs/composer/vendor/simplesamlphp/simplesamlphp/modules/ldap/lib/ConfigHelper.php