- <?php
- class ActiveDirectory{
- const FORBIDDEN_CHARS = "/\\[]:;|=,+*?<>@";
- const USER_SEARCH_DEFAULT_FILTER = "(&(objectClass=user)(objectCategory=person))";
-
- const USER_SEARCH_DEFAULT_ATTRIBUTES = "sn,givenname,mail,telephonenumber,mobile,title,samaccountname,department,thumbnailphoto,jpegphoto,accountexpires,memberof,manager,userprincipalname,whencreated";
- public $server,$port,$login,$password,$userRoot,$groupRoot,$domain,$datasource,$protocolVersion;
-
-
-
- public function connect($login=false,$password=false){
- putenv('LDAPTLS_REQCERT=never');
- if($this->server==null || $this->port==null || $this->userRoot==null) throw new Exception('Paramètres de connexion manquants',400);
- $this->datasource = ldap_connect($this->server,$this->port);
- if(!$this->datasource) throw new Exception('Connexion échouée', 400);
- ldap_set_option($this->datasource,LDAP_OPT_PROTOCOL_VERSION,$this->protocolVersion);
- ldap_set_option($this->datasource, LDAP_OPT_REFERRALS, 0);
- if(@ldap_bind($this->datasource,$login,$password) == false) throw new Exception('Identifiant ou mot de passe incorrect', 401);
- }
-
-
- public function userFromCn($cn){
- $entries = $this->search($this->userRoot,'(distinguishedname='.$cn.')');
- return $entries;
- }
-
- public function cnFromLogin($login,$attribute){
- $entries= $this->search($this->userRoot,$this->authentification_filter($login,$attribute));
- return (isset($entries[0])) ? $entries[0]['dn'] : false;
- }
-
- function recursiveGroups(&$groups,$groupCN){
- $entries = $this->search($this->groupRoot,"(member=".$groupCN.")",'name');
- if(count($entries)!=0 && $entries['count']!=0) {
- if(isset($entries[0])){
- $groups[] = $entries[0]['name'][0];
- $parentCN = $entries[0]['dn'][0];
- $this->recursiveGroups($groups,$parentCN);
- }
- }
- }
-
-
- public function search($dn, $filter=null, $attributes=null){
- if(is_null($filter)) $filter = self::USER_SEARCH_DEFAULT_FILTER;
- if(is_null($attributes)) $attributes = self::USER_SEARCH_DEFAULT_ATTRIBUTES;
- $attributes = explode(',',$attributes);
- $dns = (substr_count($dn, ';') > 0) ? explode(';', $dn) : array($dn);
- $dataSources = array();
-
- foreach($dns as $dn)
- $dataSources[] = $this->datasource;
- $searches = ldap_search($dataSources, $dns, $filter, $attributes);
- $infos = array();
- foreach($searches as $search){
- if($search === false) continue;
- $info = ldap_get_entries($this->datasource, $search);
-
- for($i=0; $i<$info['count']; $i++)
- $infos[] = $info[$i];
- }
- return $infos;
- }
- public function set($dn,$entry,$value){
- putenv('LDAPTLS_REQCERT=never');
- if($value != ''){
- $attributes[$entry][0] = $value;
- return ldap_modify($this->datasource,$dn,$attributes);
- }else{
-
- $attributes[$entry] ='0';
- ldap_modify($this->datasource,$dn,$attributes);
- $attributes[$entry] = array();
- return ldap_mod_del($this->datasource,$dn,$attributes);
- }
- }
- public function change_password($userDn, $newPassword){
- if (!ldap_mod_replace($this->datasource, $userDn , self::encrypt_password($newPassword))) throw new Exception("Impossible de modifier le mot de passe : ".ldap_error($this->datasource));
- }
- public static function encrypt_password($newPassword){
- $newPassword = "\"" . $newPassword . "\"";
- $len = strlen( $newPassword );
- $newPassw = "";
- for ( $i = 0; $i < $len; $i++ ){
- $newPassw .= "{".$newPassword[$i]."}\000";
- }
- return array("unicodePwd" => $newPassw);
- }
-
- public function authentification_filter($login,$attribute){
- $attributeName = self::authentification_attribute($attribute);
- switch($attributeName){
- case 'samaccountname':
- $authentification = "(".$attributeName."=".$login.")";
- break;
- case 'userprincipalname':
- $authentification = "(".$attributeName."=".$login.$this->domain.")";
- break;
- default:
- $authentification = "(".$attributeName."=".$login.$this->domain.")";
- break;
- }
- return '(&'.$authentification.'(objectClass=user)(objectCategory=person))';
- }
- public static function authentification_attribute($attribute){
- return $attribute == '' ? $GLOBALS['setting']['activedirectory']['activedirectory_authentification']['default'] : $attribute;
- }
- public function attribute_to_login($attribute){
- return str_replace(mb_strtolower($this->domain), '', $attribute);
- }
-
- public function disconnect(){
- if($this->datasource!=null){
- @ldap_close($this->datasource);
- }
- }
- }
- ?>