<? |
/*
Document manager handling for users in LDAP
Created by Will LaSala (will@dahome.org)
February 10th, 2002
Belenos INC
For use with the DocMgr PHP scripts

Rewritten by Benjamin Baez on May 7, 2003 of platinasystems.com

Arguments required in the docman.conf file are:
$ldapServer='x.x.x.x'; IP address in dotted notation or a DNS fully qualified host name
$ldapServerPort='389'; This is the default port and doesn't need to be changed
$basedn='o=CompanyName'; Branch of the tree that the user search will start on

Use the following if you want docman to search LDAP for the user's DN to
use in binding:

$bind="cn=Manager, o=CompanyName"; Login for searching the DN in LDAP
$bindpw=""; Password for the above account. Note that this password and every
user's password are sent to the server in simple binds, i.e. in cleartext,
unless the server is reached over ldaps:// or TLS.

uid is assumed for the RDN of the user; it may be cn in some cases

The LDAP search must return the user's full name and e-mail address; the
password is never read back from the directory, it is verified by binding
to the server as the user.
In order to do this it is possible that you may need to
modify a section of the code below,
however this is highly unlikely and usually only a person
that has in-depth knowledge of their LDAP tree structure will
even know if they do have to make changes.
The items that may need to be changed are:
$entries[0]['cn'][0]; This should return the Full Name
$entries[0]['mail'][0]; This should return the Email

This file is included early in docman.php and it should return:
$gblUserName descriptive username (the entry's cn)
$secHash md5 hash of the login concatenated with the plaintext password
$gblEmail e-mail address of the user (the entry's mail attribute)

An @ was placed in front of the key ldap functions that would send output
before php could send out the HTTP_AUTH headers, causing an inability
to relogin

*/
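// The isset() check is what makes the browser's Basic-auth dialog appear:
// docman.php sends the HTTP_AUTH headers when no credentials are present yet,
// so this file must do nothing at all on that first request.
if (isset($_SERVER['PHP_AUTH_PW'])) {
    $authUser = $_SERVER['PHP_AUTH_USER'];
    $authPw   = $_SERVER['PHP_AUTH_PW'];

    if (isset($bind)) {
        // Service-account mode: look the user's DN up first, then bind as the user.
        $ds = ldap_connect_search($bind, $bindpw, $ldapServer, $ldapServerPort);
    } else {
        // Direct mode: the user's DN is assumed to be uid=<login>,<basedn>.
        $ds = ldap_connect_bind($authUser, $authPw, $ldapServer, $ldapServerPort, $basedn);
    }

    if ($ds) {
        // The login comes straight from the Authorization header, so it must be
        // escaped before it is spliced into the search filter. Unescaped, a login
        // such as "*" or "x)(uid=*" rewrites the filter and, in service-account
        // mode, lets the caller choose which directory entry gets bound as.
        // ldap_escape() needs PHP >= 5.6.
        $filter = 'uid=' . ldap_escape($authUser, '', LDAP_ESCAPE_FILTER);
        $sres = ldap_search($ds, $basedn, $filter, array('cn', 'mail'));

        if ($sres && isset($bind)) {
            // Check the match count BEFORE touching the first entry: with no match
            // ldap_first_entry() returns false and the old code went on to bind
            // with a false DN. (Several matches still use the first one, as before.)
            $count = ldap_count_entries($ds, $sres);
            if ($count > 0) {
                $entry    = ldap_first_entry($ds, $sres);
                $entry_dn = @ldap_get_dn($ds, $entry);
                // ldap_verify_bindpw() replaces an empty password with a bogus one,
                // so an empty password can never become an unauthenticated bind
                // that the server would accept as anonymous.
                $password = ldap_verify_bindpw($authPw);
                if ($entry_dn && @ldap_bind($ds, $entry_dn, $password)) {
                    ldap_return_values($ds, $sres);
                }
            }
        } else if ($sres) {
            // Direct mode already proved the password by binding as the user.
            ldap_return_values($ds, $sres);
        } else {
            Error('Not Found', 'LDAP Search returned false');
        }
        ldap_close($ds);
    }
}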
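/**
 * Return a password that is safe to hand to ldap_bind().
 *
 * A simple bind with a DN and an EMPTY password is an "unauthenticated" bind,
 * which many servers (and directories with anonymous search enabled) answer with
 * success, treating the session as anonymous. A blank password would therefore
 * "authenticate" the user without proving anything. To close that hole an empty
 * password is replaced by a random throw-away string, so the bind becomes a real
 * simple bind that the server rejects.
 *
 * @param string|null $password  password as supplied by the browser
 * @return string                the same password, or a non-empty bogus value
 *                               when it was empty
 */
function ldap_verify_bindpw($password) {
    // Only a genuinely empty password is replaced. The previous `!$password`
    // test also threw away the legitimate password "0".
    if ($password === null || $password === '') {
        // Any non-empty value will do -- the bind is meant to fail -- but it must
        // not be predictable. crypt() without a salt, as used before, raises an
        // error on PHP 8, so a plain random string is generated instead.
        if (function_exists('random_bytes')) {
            $password = bin2hex(random_bytes(16));
        } else {
            $password = md5(uniqid(mt_rand(), true));
        }
    }
    return $password;
}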
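/**
 * Publish the authenticated user's details to docman.php.
 *
 * Reads the first entry of the search result $sres and sets the globals the
 * rest of docman expects:
 *   $gblUserName  the entry's cn (full name)
 *   $gblEmail     the entry's mail attribute
 *   $secHash      md5(login . password), docman's session token
 *
 * Must only be called after the caller has verified the password by binding as
 * the user; this function does no authentication of its own.
 *
 * @param resource $ds    bound LDAP link
 * @param resource $sres  result of the uid search for this user
 */
function ldap_return_values($ds, $sres) {
    GLOBAL $gblUserName, $gblEmail, $secHash;

    $entries = ldap_get_entries($ds, $sres);

    // Use isset() instead of indexing blindly: an entry without a mail attribute
    // (or an empty result) would otherwise emit an "undefined index" notice, and
    // any output here arrives before the HTTP_AUTH headers and breaks re-login
    // (see the file header). Missing attributes stay null, as before.
    $first = (isset($entries[0]) && is_array($entries[0])) ? $entries[0] : array();
    $gblUserName = isset($first['cn'][0])   ? $first['cn'][0]   : null;
    $gblEmail    = isset($first['mail'][0]) ? $first['mail'][0] : null;

    // NOTE(review): this token is an unsalted md5 over login + plaintext password
    // with no separator, so "ab"+"c" and "a"+"bc" collide, and anyone who obtains
    // the token can brute-force the password offline. docman.php consumes
    // $secHash, so its format is left unchanged here.
    $secHash = md5($_SERVER['PHP_AUTH_USER'] . $_SERVER['PHP_AUTH_PW']);
}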
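/**
 * Open a connection and bind with the service account used for DN lookups.
 *
 * @param string     $bindRDN         DN of the search account (e.g. "cn=Manager,o=CompanyName")
 * @param string     $bindpass        its password
 * @param string     $ldapServer      host name, IP address or ldap(s):// URI
 * @param string|int $ldapServerPort  TCP port, normally 389
 * @return resource|int  bound LDAP link, or 0 after reporting the failure via Error()
 */
function ldap_connect_search($bindRDN, $bindpass, $ldapServer, $ldapServerPort) {
    $linkid = ldap_connect($ldapServer, $ldapServerPort);
    if (!$linkid) {
        Error('LDAP CONNECT', 'Unable to connect to LDAP server!');
        return 0;
    }

    // The client library speaks LDAPv2 unless told otherwise, and most current
    // servers refuse v2 binds with "Protocol error".
    ldap_set_option($linkid, LDAP_OPT_PROTOCOL_VERSION, 3);

    // NOTE(review): this is a plain simple bind, so the service-account password
    // crosses the wire in cleartext unless the connection is wrapped in TLS
    // (ldaps:// in $ldapServer, or ldap_start_tls() before binding). An empty
    // $bindpass is an unauthenticated bind that the server may accept as
    // anonymous; the later search then only works if anonymous reads are allowed.
    if (@ldap_bind($linkid, $bindRDN, $bindpass)) {
        return $linkid;
    }

    Error('LDAP BIND', 'Unable to bind to LDAP server with RDN!');
    return 0;
}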
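/**
 * Open a connection and bind directly as the user (no service account).
 *
 * The user's DN is built as uid=<login>,<basedn>; the file header notes that
 * some trees use cn instead.
 *
 * @param string     $user            login from the Authorization header (untrusted)
 * @param string     $password        password from the Authorization header
 * @param string     $ldapServer      host name, IP address or ldap(s):// URI
 * @param string|int $ldapServerPort  TCP port
 * @param string     $basedn          branch the user entries live under
 * @return resource|int  bound LDAP link, or 0 (a failed bind is silent, a failed
 *                       connect is reported via Error())
 */
function ldap_connect_bind($user, $password, $ldapServer, $ldapServerPort, $basedn) {
    $linkid = ldap_connect($ldapServer, $ldapServerPort);
    if (!$linkid) {
        Error('LDAP CONNECT', 'Unable to connect to LDAP server!');
        return 0;
    }

    // $user is attacker-controlled. Escape the DN special characters so a login
    // such as "x,ou=admins" cannot rewrite the DN and move the bind to another
    // part of the tree. ldap_escape() needs PHP >= 5.6.
    $UserDN = 'uid=' . ldap_escape($user, '', LDAP_ESCAPE_DN) . ',' . $basedn;

    // The client library speaks LDAPv2 unless told otherwise, and most current
    // servers refuse v2 binds with "Protocol error".
    ldap_set_option($linkid, LDAP_OPT_PROTOCOL_VERSION, 3);

    // An empty password would be an unauthenticated bind, which servers may
    // accept as anonymous; ldap_verify_bindpw() swaps it for a bogus value so the
    // bind fails instead.
    $password = ldap_verify_bindpw($password);
    if (@ldap_bind($linkid, $UserDN, $password)) {
        return $linkid;
    }
    return 0;
}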
?> |