ILIAS  release_5-3 Revision v5.3.23-19-g915713cf615
ConfigHelper.php
Go to the documentation of this file.
1<?php
2
12{
17 private $location;
18
19
23 private $hostname;
24
25
29 private $enableTLS;
30
31
37 private $debug;
38
39
45 private $timeout;
46
52 private $port;
53
57 private $referrals;
58
59
64
65
70
71
76
77
81 private $searchBase;
82
87
92
93
97 private $dnPattern;
98
99
103 private $attributes;
104
105
109 private $privRead;
110
111
116
117
122
123
130 public function __construct($config, $location)
131 {
132 assert('is_array($config)');
133 assert('is_string($location)');
134
135 $this->location = $location;
136
137 // Parse configuration
139
140 $this->hostname = $config->getString('hostname');
141 $this->enableTLS = $config->getBoolean('enable_tls', false);
142 $this->debug = $config->getBoolean('debug', false);
143 $this->timeout = $config->getInteger('timeout', 0);
144 $this->port = $config->getInteger('port', 389);
145 $this->referrals = $config->getBoolean('referrals', true);
146 $this->searchEnable = $config->getBoolean('search.enable', false);
147 $this->privRead = $config->getBoolean('priv.read', false);
148
149 if ($this->searchEnable) {
150 $this->searchUsername = $config->getString('search.username', null);
151 if ($this->searchUsername !== null) {
152 $this->searchPassword = $config->getString('search.password');
153 }
154
155 $this->searchBase = $config->getArrayizeString('search.base');
156 $this->searchFilter = $config->getString('search.filter', null);
157 $this->searchAttributes = $config->getArray('search.attributes');
158
159 } else {
160 $this->dnPattern = $config->getString('dnpattern');
161 }
162
163 // Are privs needed to get to the attributes?
164 if ($this->privRead) {
165 $this->privUsername = $config->getString('priv.username');
166 $this->privPassword = $config->getString('priv.password');
167 }
168
169 $this->attributes = $config->getArray('attributes', null);
170 }
171
172
184 public function login($username, $password, array $sasl_args = null)
185 {
186 assert('is_string($username)');
187 assert('is_string($password)');
188
189 if (empty($password)) {
190 SimpleSAML\Logger::info($this->location . ': Login with empty password disallowed.');
191 throw new SimpleSAML_Error_Error('WRONGUSERPASS');
192 }
193
194 $ldap = new SimpleSAML_Auth_LDAP($this->hostname, $this->enableTLS, $this->debug, $this->timeout, $this->port, $this->referrals);
195
196 if (!$this->searchEnable) {
197 $ldapusername = addcslashes($username, ',+"\\<>;*');
198 $dn = str_replace('%username%', $ldapusername, $this->dnPattern);
199 } else {
200 if ($this->searchUsername !== null) {
201 if (!$ldap->bind($this->searchUsername, $this->searchPassword)) {
202 throw new Exception('Error authenticating using search username & password.');
203 }
204 }
205
206 $dn = $ldap->searchfordn($this->searchBase, $this->searchAttributes, $username, true, $this->searchFilter);
207 if ($dn === null) {
208 /* User not found with search. */
209 SimpleSAML\Logger::info($this->location . ': Unable to find users DN. username=\'' . $username . '\'');
210 throw new SimpleSAML_Error_Error('WRONGUSERPASS');
211 }
212 }
213
214 if (!$ldap->bind($dn, $password, $sasl_args)) {
215 SimpleSAML\Logger::info($this->location . ': '. $username . ' failed to authenticate. DN=' . $dn);
216 throw new SimpleSAML_Error_Error('WRONGUSERPASS');
217 }
218
219 /* In case of SASL bind, authenticated and authorized DN may differ */
220 if (isset($sasl_args)) {
221 $dn = $ldap->whoami($this->searchBase, $this->searchAttributes);
222 }
223
224 /* Are privs needed to get the attributes? */
225 if ($this->privRead) {
226 /* Yes, rebind with privs */
227 if (!$ldap->bind($this->privUsername, $this->privPassword)) {
228 throw new Exception('Error authenticating using privileged DN & password.');
229 }
230 }
231
232 return $ldap->getAttributes($dn, $this->attributes);
233 }
234
235
258 public function searchfordn($attribute, $value, $allowZeroHits)
259 {
260 $ldap = new SimpleSAML_Auth_LDAP($this->hostname,
261 $this->enableTLS,
262 $this->debug,
263 $this->timeout,
264 $this->port,
265 $this->referrals);
266
267 if ($attribute == null) {
268 $attribute = $this->searchAttributes;
269 }
270
271 if ($this->searchUsername !== null) {
272 if (!$ldap->bind($this->searchUsername, $this->searchPassword)) {
273 throw new Exception('Error authenticating using search username & password.');
274 }
275 }
276
277 return $ldap->searchfordn($this->searchBase, $attribute,
278 $value, $allowZeroHits, $this->searchFilter);
279 }
280
281 public function getAttributes($dn, $attributes = null)
282 {
283 if ($attributes == null) {
285 }
286
287 $ldap = new SimpleSAML_Auth_LDAP($this->hostname,
288 $this->enableTLS,
289 $this->debug,
290 $this->timeout,
291 $this->port,
292 $this->referrals);
293
294 /* Are privs needed to get the attributes? */
295 if ($this->privRead) {
296 /* Yes, rebind with privs */
297 if (!$ldap->bind($this->privUsername, $this->privPassword)) {
298 throw new Exception('Error authenticating using privileged DN & password.');
299 }
300 }
301 return $ldap->getAttributes($dn, $attributes);
302 }
303
304}
An exception for terminatinating execution or to throw for unit testing.
static info($string)
Definition: Logger.php:201
static loadFromArray($config, $location='[ARRAY]', $instance=null)
Loads a configuration from the given array.
$privPassword
The password we should bind with before we can get the attributes.
$hostname
The hostname of the LDAP server.
__construct($config, $location)
Constructor for this configuration parser.
$referrals
Whether to follow referrals.
$searchAttributes
The attributes which should match the username.
$searchBase
Array with the base DN(s) for the search.
getAttributes($dn, $attributes=null)
$searchUsername
The username we should bind with before we can search for the user.
$privUsername
The DN we should bind with before we can get the attributes.
$privRead
The user cannot get all attributes, privileged reader required.
searchfordn($attribute, $value, $allowZeroHits)
Search for a DN.
$attributes
The attributes we should fetch.
login($username, $password, array $sasl_args=null)
Attempt to log in using the given username and password.
$enableTLS
Whether we should use TLS/SSL when contacting the LDAP server.
$dnPattern
The DN pattern we should use to create the DN from the username.
$searchFilter
Additional LDAP filter fields for the search.
$searchEnable
Whether we need to search for the users DN.
$location
String with the location of this configuration.
$searchPassword
The password we should bind with before we can search for the user.
$password
Definition: pwgen.php:17