ConfigHelper.php

Go to the documentation of this file.

<?php
 
class sspmod_ldap_ConfigHelper
{
    private $location;
 
 
    private $hostname;
 
 
    private $enableTLS;
 
 
    private $debug;
 
 
    private $timeout;
 
    private $port;
 
    private $referrals;
 
    private $searchEnable;
 
    private $searchUsername;
 
    private $searchPassword;
 
    private $searchBase;
 
    private $searchScope;
 
    private $searchFilter;
 
    private $searchAttributes;
 
    private $dnPattern;
 
    private $attributes;
 
    private $privRead;
 
    private $privUsername;
 
    private $privPassword;
 
 
    public function __construct($config, $location)
    {
        assert(is_array($config));
        assert(is_string($location));
 
        $this->location = $location;
 
        // Parse configuration
        $config = SimpleSAML_Configuration::loadFromArray($config, $location);
 
        $this->hostname = $config->getString('hostname');
        $this->enableTLS = $config->getBoolean('enable_tls', false);
        $this->debug = $config->getBoolean('debug', false);
        $this->timeout = $config->getInteger('timeout', 0);
        $this->port = $config->getInteger('port', 389);
        $this->referrals = $config->getBoolean('referrals', true);
        $this->searchEnable = $config->getBoolean('search.enable', false);
        $this->privRead = $config->getBoolean('priv.read', false);
 
        if ($this->searchEnable) {
            $this->searchUsername = $config->getString('search.username', null);
            if ($this->searchUsername !== null) {
                $this->searchPassword = $config->getString('search.password');
            }
 
            $this->searchBase = $config->getArrayizeString('search.base');
            $this->searchScope = $config->getString('search.scope', 'subtree');
            $this->searchFilter = $config->getString('search.filter', null);
            $this->searchAttributes = $config->getArray('search.attributes');
 
        } else {
            $this->dnPattern = $config->getString('dnpattern');
        }
 
        // Are privs needed to get to the attributes?
        if ($this->privRead) {
            $this->privUsername = $config->getString('priv.username');
            $this->privPassword = $config->getString('priv.password');
        }
 
        $this->attributes = $config->getArray('attributes', null);
    }
 
 
    public function login($username, $password, array $sasl_args = null)
    {
        assert(is_string($username));
        assert(is_string($password));
 
        if (empty($password)) {
            SimpleSAML\Logger::info($this->location.': Login with empty password disallowed.');
            throw new SimpleSAML_Error_Error('WRONGUSERPASS');
        }
 
        $ldap = new SimpleSAML_Auth_LDAP($this->hostname, $this->enableTLS, $this->debug, $this->timeout, $this->port, $this->referrals);
 
        if (!$this->searchEnable) {
            $ldapusername = addcslashes($username, ',+"\\<>;*');
            $dn = str_replace('%username%', $ldapusername, $this->dnPattern);
        } else {
            if ($this->searchUsername !== null) {
                if (!$ldap->bind($this->searchUsername, $this->searchPassword)) {
                    throw new Exception('Error authenticating using search username & password.');
                }
            }
 
            $dn = $ldap->searchfordn($this->searchBase, $this->searchAttributes, $username, true, $this->searchFilter, $this->searchScope);
            if ($dn === null) {
                /* User not found with search. */
                SimpleSAML\Logger::info($this->location.': Unable to find users DN. username=\''.$username.'\'');
                throw new SimpleSAML_Error_Error('WRONGUSERPASS');
            }
        }
 
        if (!$ldap->bind($dn, $password, $sasl_args)) {
            SimpleSAML\Logger::info($this->location.': '.$username.' failed to authenticate. DN='.$dn);
            throw new SimpleSAML_Error_Error('WRONGUSERPASS');
        }
 
        /* In case of SASL bind, authenticated and authorized DN may differ */
        if (isset($sasl_args)) {
            $dn = $ldap->whoami($this->searchBase, $this->searchAttributes);
        }
 
        /* Are privs needed to get the attributes? */
        if ($this->privRead) {
            /* Yes, rebind with privs */
            if (!$ldap->bind($this->privUsername, $this->privPassword)) {
                throw new Exception('Error authenticating using privileged DN & password.');
            }
        }
 
        return $ldap->getAttributes($dn, $this->attributes);
    }
 
 
    public function searchfordn($attribute, $value, $allowZeroHits)
    {
        $ldap = new SimpleSAML_Auth_LDAP($this->hostname,
            $this->enableTLS,
            $this->debug,
            $this->timeout,
            $this->port,
            $this->referrals);
 
        if ($attribute == null) {
            $attribute = $this->searchAttributes;
        }
 
        if ($this->searchUsername !== null) {
            if (!$ldap->bind($this->searchUsername, $this->searchPassword)) {
                throw new Exception('Error authenticating using search username & password.');
            }
        }
 
        return $ldap->searchfordn($this->searchBase, $attribute,
            $value, $allowZeroHits, $this->searchFilter, $this->searchScope);
    }
 
    public function getAttributes($dn, $attributes = null)
    {
        if ($attributes == null) {
            $attributes = $this->attributes;
        }
 
        $ldap = new SimpleSAML_Auth_LDAP($this->hostname,
            $this->enableTLS,
            $this->debug,
            $this->timeout,
            $this->port,
            $this->referrals);
 
        /* Are privs needed to get the attributes? */
        if ($this->privRead) {
            /* Yes, rebind with privs */
            if (!$ldap->bind($this->privUsername, $this->privPassword)) {
                throw new Exception('Error authenticating using privileged DN & password.');
            }
        }
        return $ldap->getAttributes($dn, $attributes);
    }
 
}