2012-07-25 14:37:39 +04:00
|
|
|
<?php
|
|
|
|
/**
|
2016-07-21 17:49:16 +03:00
|
|
|
* @copyright Copyright (c) 2016, ownCloud, Inc.
|
|
|
|
*
|
2016-05-26 20:56:05 +03:00
|
|
|
* @author Arthur Schiwon <blizzz@arthur-schiwon.de>
|
2015-03-26 13:44:34 +03:00
|
|
|
* @author Bart Visscher <bartv@thisnet.nl>
|
2017-11-06 17:56:42 +03:00
|
|
|
* @author Brent Bloxam <brent.bloxam@gmail.com>
|
|
|
|
* @author Jarkko Lehtoranta <devel@jlranta.com>
|
2016-07-21 17:49:16 +03:00
|
|
|
* @author Joas Schilling <coding@schilljs.com>
|
2015-03-26 13:44:34 +03:00
|
|
|
* @author Jörn Friedrich Dreyer <jfd@butonic.de>
|
2016-05-26 20:56:05 +03:00
|
|
|
* @author Lukas Reschke <lukas@statuscode.ch>
|
2015-03-26 13:44:34 +03:00
|
|
|
* @author Lyonel Vincent <lyonel@ezix.org>
|
|
|
|
* @author Morris Jobke <hey@morrisjobke.de>
|
2016-07-21 19:13:36 +03:00
|
|
|
* @author Robin Appelman <robin@icewind.nl>
|
2016-01-12 17:02:16 +03:00
|
|
|
* @author Robin McCorkell <robin@mccorkell.me.uk>
|
2017-11-06 17:56:42 +03:00
|
|
|
* @author Roeland Jago Douma <roeland@famdouma.nl>
|
|
|
|
* @author root <root@localhost.localdomain>
|
|
|
|
* @author Victor Dubiniuk <dubiniuk@owncloud.com>
|
2017-03-18 09:56:24 +03:00
|
|
|
* @author Xuanwo <xuanwo@yunify.com>
|
2012-07-25 14:37:39 +04:00
|
|
|
*
|
2015-03-26 13:44:34 +03:00
|
|
|
* @license AGPL-3.0
|
2012-07-25 14:37:39 +04:00
|
|
|
*
|
2015-03-26 13:44:34 +03:00
|
|
|
* This code is free software: you can redistribute it and/or modify
|
|
|
|
* it under the terms of the GNU Affero General Public License, version 3,
|
|
|
|
* as published by the Free Software Foundation.
|
2012-07-25 14:37:39 +04:00
|
|
|
*
|
2015-03-26 13:44:34 +03:00
|
|
|
* This program is distributed in the hope that it will be useful,
|
2012-07-25 14:37:39 +04:00
|
|
|
* but WITHOUT ANY WARRANTY; without even the implied warranty of
|
2015-03-26 13:44:34 +03:00
|
|
|
* MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
|
|
|
|
* GNU Affero General Public License for more details.
|
2012-07-25 14:37:39 +04:00
|
|
|
*
|
2015-03-26 13:44:34 +03:00
|
|
|
* You should have received a copy of the GNU Affero General Public License, version 3,
|
|
|
|
* along with this program. If not, see <http://www.gnu.org/licenses/>
|
2012-07-25 14:37:39 +04:00
|
|
|
*
|
|
|
|
*/
|
2015-02-26 13:37:37 +03:00
|
|
|
|
2016-05-12 17:35:33 +03:00
|
|
|
namespace OCA\User_LDAP;
|
2012-07-25 14:37:39 +04:00
|
|
|
|
2015-04-01 18:12:28 +03:00
|
|
|
use OC\ServerNotAvailableException;
|
2018-04-25 16:22:28 +03:00
|
|
|
use OCP\ILogger;
|
2015-04-01 18:12:28 +03:00
|
|
|
|
2014-07-02 00:02:41 +04:00
|
|
|
/**
|
2015-04-09 15:03:30 +03:00
|
|
|
* magic properties (incomplete)
|
2014-07-02 00:02:41 +04:00
|
|
|
* responsible for LDAP connections in context with the provided configuration
|
2015-01-12 18:25:11 +03:00
|
|
|
*
|
2016-03-05 02:18:34 +03:00
|
|
|
* @property string ldapHost
|
|
|
|
* @property string ldapPort holds the port number
|
2014-07-02 00:02:41 +04:00
|
|
|
* @property string ldapUserFilter
|
|
|
|
* @property string ldapUserDisplayName
|
2016-02-03 15:16:55 +03:00
|
|
|
* @property string ldapUserDisplayName2
|
2018-07-04 01:10:43 +03:00
|
|
|
* @property string ldapUserAvatarRule
|
2016-11-23 21:58:43 +03:00
|
|
|
* @property boolean turnOnPasswordChange
|
2014-11-05 15:05:07 +03:00
|
|
|
* @property string[] ldapBaseUsers
|
2017-12-21 16:29:56 +03:00
|
|
|
* @property int|null ldapPagingSize holds an integer
|
2015-01-29 02:15:55 +03:00
|
|
|
* @property bool|mixed|void ldapGroupMemberAssocAttr
|
2017-02-17 14:05:51 +03:00
|
|
|
* @property string ldapUuidUserAttribute
|
|
|
|
* @property string ldapUuidGroupAttribute
|
2017-10-31 21:42:17 +03:00
|
|
|
* @property string ldapExpertUUIDUserAttr
|
|
|
|
* @property string ldapExpertUUIDGroupAttr
|
2018-06-28 02:11:36 +03:00
|
|
|
* @property string ldapQuotaAttribute
|
|
|
|
* @property string ldapQuotaDefault
|
|
|
|
* @property string ldapEmailAttribute
|
2019-02-13 02:14:56 +03:00
|
|
|
* @property string ldapExtStorageHomeAttribute
|
|
|
|
* @property string homeFolderNamingRule
|
2019-03-02 02:36:08 +03:00
|
|
|
* @property bool|string ldapNestedGroups
|
|
|
|
* @property string[] ldapBaseGroups
|
|
|
|
* @property string ldapGroupFilter
|
2015-01-12 18:25:11 +03:00
|
|
|
*/
|
2013-09-10 19:11:02 +04:00
|
|
|
class Connection extends LDAPUtility {
|
2012-07-25 14:37:39 +04:00
|
|
|
private $ldapConnectionRes = null;
|
2013-01-11 02:30:26 +04:00
|
|
|
private $configPrefix;
|
2012-07-25 14:37:39 +04:00
|
|
|
private $configID;
|
|
|
|
private $configured = false;
|
2016-07-22 11:46:29 +03:00
|
|
|
//whether connection should be kept on __destruct
|
|
|
|
private $dontDestruct = false;
|
2013-08-14 18:03:18 +04:00
|
|
|
|
2015-06-03 18:37:36 +03:00
|
|
|
/**
|
|
|
|
* @var bool runtime flag that indicates whether supported primary groups are available
|
|
|
|
*/
|
|
|
|
public $hasPrimaryGroups = true;
|
|
|
|
|
2017-03-18 09:56:24 +03:00
|
|
|
/**
|
|
|
|
* @var bool runtime flag that indicates whether supported POSIX gidNumber are available
|
|
|
|
*/
|
|
|
|
public $hasGidNumber = true;
|
|
|
|
|
2012-07-26 18:11:23 +04:00
|
|
|
//cache handler
|
|
|
|
protected $cache;
|
|
|
|
|
2015-04-02 16:05:37 +03:00
|
|
|
/** @var Configuration settings handler **/
|
2013-09-27 00:31:57 +04:00
|
|
|
protected $configuration;
|
2012-07-25 14:37:39 +04:00
|
|
|
|
2013-10-24 22:26:05 +04:00
|
|
|
protected $doNotValidate = false;
|
|
|
|
|
2014-06-11 15:35:35 +04:00
|
|
|
protected $ignoreValidation = false;
|
|
|
|
|
2018-02-22 14:45:28 +03:00
|
|
|
protected $bindResult = [];
|
|
|
|
|
2013-01-11 02:34:24 +04:00
|
|
|
/**
|
2014-05-19 19:50:53 +04:00
|
|
|
* Constructor
|
2014-05-11 17:17:27 +04:00
|
|
|
* @param ILDAPWrapper $ldap
|
|
|
|
* @param string $configPrefix a string with the prefix for the configkey column (appconfig table)
|
2014-06-11 15:35:35 +04:00
|
|
|
* @param string|null $configID a string with the value for the appid column (appconfig table) or null for on-the-fly connections
|
2013-01-11 02:34:24 +04:00
|
|
|
*/
|
2013-09-10 19:11:02 +04:00
|
|
|
public function __construct(ILDAPWrapper $ldap, $configPrefix = '', $configID = 'user_ldap') {
|
|
|
|
parent::__construct($ldap);
|
2013-01-11 02:30:26 +04:00
|
|
|
$this->configPrefix = $configPrefix;
|
2012-07-25 14:37:39 +04:00
|
|
|
$this->configID = $configID;
|
2013-12-13 21:01:42 +04:00
|
|
|
$this->configuration = new Configuration($configPrefix,
|
|
|
|
!is_null($configID));
|
2014-01-09 16:54:50 +04:00
|
|
|
$memcache = \OC::$server->getMemCacheFactory();
|
2013-08-17 19:22:54 +04:00
|
|
|
if($memcache->isAvailable()) {
|
2017-12-15 12:48:48 +03:00
|
|
|
$this->cache = $memcache->createDistributed();
|
2013-08-17 19:22:54 +04:00
|
|
|
}
|
2016-10-10 11:18:18 +03:00
|
|
|
$helper = new Helper(\OC::$server->getConfig());
|
2013-10-24 22:26:05 +04:00
|
|
|
$this->doNotValidate = !in_array($this->configPrefix,
|
2014-08-21 19:59:13 +04:00
|
|
|
$helper->getServerConfigurationPrefixes());
|
2012-07-25 14:37:39 +04:00
|
|
|
}
|
|
|
|
|
|
|
|
public function __destruct() {
|
2016-07-22 11:46:29 +03:00
|
|
|
if(!$this->dontDestruct && $this->ldap->isResource($this->ldapConnectionRes)) {
|
2013-08-18 15:33:59 +04:00
|
|
|
@$this->ldap->unbind($this->ldapConnectionRes);
|
2018-02-22 14:45:28 +03:00
|
|
|
$this->bindResult = [];
|
2018-01-27 01:46:40 +03:00
|
|
|
}
|
2012-07-25 14:37:39 +04:00
|
|
|
}
|
|
|
|
|
2013-08-14 18:03:18 +04:00
|
|
|
/**
|
2014-05-19 19:50:53 +04:00
|
|
|
* defines behaviour when the instance is cloned
|
2013-08-14 18:03:18 +04:00
|
|
|
*/
|
|
|
|
public function __clone() {
|
2014-03-21 18:27:51 +04:00
|
|
|
$this->configuration = new Configuration($this->configPrefix,
|
|
|
|
!is_null($this->configID));
|
2018-04-27 12:29:15 +03:00
|
|
|
if(count($this->bindResult) !== 0 && $this->bindResult['result'] === true) {
|
|
|
|
$this->bindResult = [];
|
|
|
|
}
|
2016-04-22 22:43:41 +03:00
|
|
|
$this->ldapConnectionRes = null;
|
2016-07-22 11:46:29 +03:00
|
|
|
$this->dontDestruct = true;
|
2013-08-14 18:03:18 +04:00
|
|
|
}
|
|
|
|
|
2014-05-11 17:17:27 +04:00
|
|
|
/**
|
2014-05-13 15:29:25 +04:00
|
|
|
* @param string $name
|
2017-10-25 18:23:42 +03:00
|
|
|
* @return bool|mixed
|
2014-05-11 17:17:27 +04:00
|
|
|
*/
|
2012-07-25 14:37:39 +04:00
|
|
|
public function __get($name) {
|
|
|
|
if(!$this->configured) {
|
|
|
|
$this->readConfiguration();
|
|
|
|
}
|
|
|
|
|
2013-09-27 00:31:57 +04:00
|
|
|
return $this->configuration->$name;
|
2012-07-25 14:37:39 +04:00
|
|
|
}
|
|
|
|
|
2014-05-11 17:17:27 +04:00
|
|
|
/**
|
2014-05-13 15:29:25 +04:00
|
|
|
* @param string $name
|
|
|
|
* @param mixed $value
|
2014-05-11 17:17:27 +04:00
|
|
|
*/
|
2012-08-23 20:29:43 +04:00
|
|
|
public function __set($name, $value) {
|
2013-10-24 22:26:05 +04:00
|
|
|
$this->doNotValidate = false;
|
2013-09-27 00:31:57 +04:00
|
|
|
$before = $this->configuration->$name;
|
|
|
|
$this->configuration->$name = $value;
|
|
|
|
$after = $this->configuration->$name;
|
|
|
|
if($before !== $after) {
|
2017-06-30 12:13:07 +03:00
|
|
|
if ($this->configID !== '' && $this->configID !== null) {
|
2013-09-27 00:31:57 +04:00
|
|
|
$this->configuration->saveConfiguration();
|
2012-08-23 20:29:43 +04:00
|
|
|
}
|
|
|
|
$this->validateConfiguration();
|
|
|
|
}
|
|
|
|
}
|
|
|
|
|
2018-07-04 01:10:43 +03:00
|
|
|
/**
|
|
|
|
* @param string $rule
|
|
|
|
* @return array
|
|
|
|
* @throws \RuntimeException
|
|
|
|
*/
|
|
|
|
public function resolveRule($rule) {
|
|
|
|
return $this->configuration->resolveRule($rule);
|
|
|
|
}
|
|
|
|
|
2014-06-11 15:35:35 +04:00
|
|
|
/**
|
|
|
|
* sets whether the result of the configuration validation shall
|
|
|
|
* be ignored when establishing the connection. Used by the Wizard
|
|
|
|
* in early configuration state.
|
|
|
|
* @param bool $state
|
|
|
|
*/
|
|
|
|
public function setIgnoreValidation($state) {
|
|
|
|
$this->ignoreValidation = (bool)$state;
|
|
|
|
}
|
|
|
|
|
2012-07-25 14:37:39 +04:00
|
|
|
/**
|
2014-05-19 19:50:53 +04:00
|
|
|
* initializes the LDAP backend
|
2014-05-11 17:17:27 +04:00
|
|
|
* @param bool $force read the config settings no matter what
|
2012-07-25 14:37:39 +04:00
|
|
|
*/
|
|
|
|
public function init($force = false) {
|
|
|
|
$this->readConfiguration($force);
|
|
|
|
$this->establishConnection();
|
|
|
|
}
|
|
|
|
|
|
|
|
/**
|
2014-05-19 19:50:53 +04:00
|
|
|
* Returns the LDAP handler
|
2012-07-25 14:37:39 +04:00
|
|
|
*/
|
|
|
|
public function getConnectionResource() {
|
|
|
|
if(!$this->ldapConnectionRes) {
|
|
|
|
$this->init();
|
2013-08-20 14:39:24 +04:00
|
|
|
} else if(!$this->ldap->isResource($this->ldapConnectionRes)) {
|
2012-08-22 17:22:52 +04:00
|
|
|
$this->ldapConnectionRes = null;
|
|
|
|
$this->establishConnection();
|
2012-07-25 14:37:39 +04:00
|
|
|
}
|
|
|
|
if(is_null($this->ldapConnectionRes)) {
|
2018-04-25 16:22:28 +03:00
|
|
|
\OCP\Util::writeLog('user_ldap', 'No LDAP Connection to server ' . $this->configuration->ldapHost, ILogger::ERROR);
|
2015-04-01 18:12:28 +03:00
|
|
|
throw new ServerNotAvailableException('Connection to LDAP server could not be established');
|
2012-07-25 14:37:39 +04:00
|
|
|
}
|
|
|
|
return $this->ldapConnectionRes;
|
|
|
|
}
|
|
|
|
|
2016-03-16 02:45:30 +03:00
|
|
|
/**
|
|
|
|
* resets the connection resource
|
|
|
|
*/
|
|
|
|
public function resetConnectionResource() {
|
|
|
|
if(!is_null($this->ldapConnectionRes)) {
|
|
|
|
@$this->ldap->unbind($this->ldapConnectionRes);
|
|
|
|
$this->ldapConnectionRes = null;
|
2018-02-22 14:45:28 +03:00
|
|
|
$this->bindResult = [];
|
2016-03-16 02:45:30 +03:00
|
|
|
}
|
|
|
|
}
|
|
|
|
|
2014-04-14 19:39:29 +04:00
|
|
|
/**
|
2014-05-13 15:29:25 +04:00
|
|
|
* @param string|null $key
|
2014-05-11 17:17:27 +04:00
|
|
|
* @return string
|
2014-04-14 19:39:29 +04:00
|
|
|
*/
|
2012-07-26 18:11:23 +04:00
|
|
|
private function getCacheKey($key) {
|
2013-01-11 02:30:26 +04:00
|
|
|
$prefix = 'LDAP-'.$this->configID.'-'.$this->configPrefix.'-';
|
2012-07-26 18:11:23 +04:00
|
|
|
if(is_null($key)) {
|
|
|
|
return $prefix;
|
|
|
|
}
|
2018-03-02 18:26:36 +03:00
|
|
|
return $prefix.hash('sha256', $key);
|
2012-07-26 18:11:23 +04:00
|
|
|
}
|
|
|
|
|
2014-02-06 19:30:58 +04:00
|
|
|
/**
|
2014-05-13 15:29:25 +04:00
|
|
|
* @param string $key
|
2014-05-11 17:17:27 +04:00
|
|
|
* @return mixed|null
|
2014-02-06 19:30:58 +04:00
|
|
|
*/
|
2012-07-26 18:11:23 +04:00
|
|
|
public function getFromCache($key) {
|
|
|
|
if(!$this->configured) {
|
|
|
|
$this->readConfiguration();
|
|
|
|
}
|
2015-05-07 15:52:44 +03:00
|
|
|
if(is_null($this->cache) || !$this->configuration->ldapCacheTTL) {
|
2012-07-26 18:11:23 +04:00
|
|
|
return null;
|
|
|
|
}
|
|
|
|
$key = $this->getCacheKey($key);
|
|
|
|
|
2016-01-29 09:51:16 +03:00
|
|
|
return json_decode(base64_decode($this->cache->get($key)), true);
|
2012-07-26 18:11:23 +04:00
|
|
|
}
|
|
|
|
|
2014-02-06 19:30:58 +04:00
|
|
|
/**
|
2014-05-13 15:29:25 +04:00
|
|
|
* @param string $key
|
|
|
|
* @param mixed $value
|
2015-05-07 15:52:44 +03:00
|
|
|
*
|
|
|
|
* @return string
|
2014-02-06 19:30:58 +04:00
|
|
|
*/
|
2012-07-26 18:11:23 +04:00
|
|
|
public function writeToCache($key, $value) {
|
|
|
|
if(!$this->configured) {
|
|
|
|
$this->readConfiguration();
|
|
|
|
}
|
2015-05-07 15:52:44 +03:00
|
|
|
if(is_null($this->cache)
|
|
|
|
|| !$this->configuration->ldapCacheTTL
|
2013-09-27 00:31:57 +04:00
|
|
|
|| !$this->configuration->ldapConfigurationActive) {
|
2012-07-26 18:11:23 +04:00
|
|
|
return null;
|
|
|
|
}
|
|
|
|
$key = $this->getCacheKey($key);
|
2015-09-02 13:12:31 +03:00
|
|
|
$value = base64_encode(json_encode($value));
|
2013-09-27 00:31:57 +04:00
|
|
|
$this->cache->set($key, $value, $this->configuration->ldapCacheTTL);
|
2012-07-26 18:11:23 +04:00
|
|
|
}
|
|
|
|
|
|
|
|
public function clearCache() {
|
2015-05-07 15:52:44 +03:00
|
|
|
if(!is_null($this->cache)) {
|
|
|
|
$this->cache->clear($this->getCacheKey(null));
|
|
|
|
}
|
2012-07-26 18:11:23 +04:00
|
|
|
}
|
|
|
|
|
2013-06-22 01:58:44 +04:00
|
|
|
/**
|
2014-05-19 19:50:53 +04:00
|
|
|
* Caches the general LDAP configuration.
|
2014-05-11 17:17:27 +04:00
|
|
|
* @param bool $force optional. true, if the re-read should be forced. defaults
|
2013-09-27 00:31:57 +04:00
|
|
|
* to false.
|
|
|
|
* @return null
|
2012-07-25 14:37:39 +04:00
|
|
|
*/
|
|
|
|
private function readConfiguration($force = false) {
|
|
|
|
if((!$this->configured || $force) && !is_null($this->configID)) {
|
2013-09-27 00:31:57 +04:00
|
|
|
$this->configuration->readConfiguration();
|
2012-07-25 14:37:39 +04:00
|
|
|
$this->configured = $this->validateConfiguration();
|
|
|
|
}
|
|
|
|
}
|
|
|
|
|
2013-01-30 06:44:11 +04:00
|
|
|
/**
|
2014-05-19 19:50:53 +04:00
|
|
|
* set LDAP configuration with values delivered by an array, not read from configuration
|
2014-05-13 15:29:25 +04:00
|
|
|
* @param array $config array that holds the config parameters in an associated array
|
2014-05-11 17:17:27 +04:00
|
|
|
* @param array &$setParameters optional; array where the set fields will be given to
|
2014-02-06 19:30:58 +04:00
|
|
|
* @return boolean true if config validates, false otherwise. Check with $setParameters for detailed success on single parameters
|
2012-07-25 14:37:39 +04:00
|
|
|
*/
|
|
|
|
public function setConfiguration($config, &$setParameters = null) {
|
2013-09-27 00:31:57 +04:00
|
|
|
if(is_null($setParameters)) {
|
|
|
|
$setParameters = array();
|
2012-07-25 14:37:39 +04:00
|
|
|
}
|
2013-10-24 22:26:05 +04:00
|
|
|
$this->doNotValidate = false;
|
2013-09-27 00:31:57 +04:00
|
|
|
$this->configuration->setConfiguration($config, $setParameters);
|
|
|
|
if(count($setParameters) > 0) {
|
|
|
|
$this->configured = $this->validateConfiguration();
|
2012-07-25 14:37:39 +04:00
|
|
|
}
|
|
|
|
|
2013-10-24 22:26:05 +04:00
|
|
|
|
2012-07-25 14:37:39 +04:00
|
|
|
return $this->configured;
|
|
|
|
}
|
|
|
|
|
2013-01-30 06:44:11 +04:00
|
|
|
/**
|
2014-05-19 19:50:53 +04:00
|
|
|
* saves the current Configuration in the database and empties the
|
2013-09-27 00:31:57 +04:00
|
|
|
* cache
|
|
|
|
* @return null
|
2013-01-30 06:44:11 +04:00
|
|
|
*/
|
2013-01-20 21:02:44 +04:00
|
|
|
public function saveConfiguration() {
|
2013-09-27 00:31:57 +04:00
|
|
|
$this->configuration->saveConfiguration();
|
2013-01-24 15:44:30 +04:00
|
|
|
$this->clearCache();
|
2013-01-20 21:02:44 +04:00
|
|
|
}
|
|
|
|
|
2013-01-18 16:53:26 +04:00
|
|
|
/**
|
2014-05-19 19:50:53 +04:00
|
|
|
* get the current LDAP configuration
|
2013-01-18 16:53:26 +04:00
|
|
|
* @return array
|
|
|
|
*/
|
|
|
|
public function getConfiguration() {
|
2013-01-24 02:40:21 +04:00
|
|
|
$this->readConfiguration();
|
2013-09-27 00:31:57 +04:00
|
|
|
$config = $this->configuration->getConfiguration();
|
|
|
|
$cta = $this->configuration->getConfigTranslationArray();
|
|
|
|
$result = array();
|
|
|
|
foreach($cta as $dbkey => $configkey) {
|
|
|
|
switch($configkey) {
|
|
|
|
case 'homeFolderNamingRule':
|
|
|
|
if(strpos($config[$configkey], 'attr:') === 0) {
|
|
|
|
$result[$dbkey] = substr($config[$configkey], 5);
|
|
|
|
} else {
|
|
|
|
$result[$dbkey] = '';
|
|
|
|
}
|
|
|
|
break;
|
|
|
|
case 'ldapBase':
|
|
|
|
case 'ldapBaseUsers':
|
|
|
|
case 'ldapBaseGroups':
|
|
|
|
case 'ldapAttributesForUserSearch':
|
|
|
|
case 'ldapAttributesForGroupSearch':
|
|
|
|
if(is_array($config[$configkey])) {
|
|
|
|
$result[$dbkey] = implode("\n", $config[$configkey]);
|
|
|
|
break;
|
|
|
|
} //else follows default
|
|
|
|
default:
|
|
|
|
$result[$dbkey] = $config[$configkey];
|
2013-01-24 02:40:21 +04:00
|
|
|
}
|
2013-01-20 21:02:44 +04:00
|
|
|
}
|
2013-09-27 00:31:57 +04:00
|
|
|
return $result;
|
2013-01-18 16:53:26 +04:00
|
|
|
}
|
|
|
|
|
2013-09-27 00:31:57 +04:00
|
|
|
private function doSoftValidation() {
|
|
|
|
//if User or Group Base are not set, take over Base DN setting
|
|
|
|
foreach(array('ldapBaseUsers', 'ldapBaseGroups') as $keyBase) {
|
2014-05-16 00:47:28 +04:00
|
|
|
$val = $this->configuration->$keyBase;
|
2013-09-27 00:31:57 +04:00
|
|
|
if(empty($val)) {
|
|
|
|
$this->configuration->$keyBase = $this->configuration->ldapBase;
|
|
|
|
}
|
2012-07-25 14:37:39 +04:00
|
|
|
}
|
2013-09-27 00:31:57 +04:00
|
|
|
|
2013-10-17 21:40:59 +04:00
|
|
|
foreach(array('ldapExpertUUIDUserAttr' => 'ldapUuidUserAttribute',
|
|
|
|
'ldapExpertUUIDGroupAttr' => 'ldapUuidGroupAttribute')
|
|
|
|
as $expertSetting => $effectiveSetting) {
|
|
|
|
$uuidOverride = $this->configuration->$expertSetting;
|
|
|
|
if(!empty($uuidOverride)) {
|
|
|
|
$this->configuration->$effectiveSetting = $uuidOverride;
|
|
|
|
} else {
|
2017-10-31 21:42:17 +03:00
|
|
|
$uuidAttributes = Access::UUID_ATTRIBUTES;
|
|
|
|
array_unshift($uuidAttributes, 'auto');
|
2013-10-17 21:40:59 +04:00
|
|
|
if(!in_array($this->configuration->$effectiveSetting,
|
|
|
|
$uuidAttributes)
|
|
|
|
&& (!is_null($this->configID))) {
|
|
|
|
$this->configuration->$effectiveSetting = 'auto';
|
|
|
|
$this->configuration->saveConfiguration();
|
|
|
|
\OCP\Util::writeLog('user_ldap',
|
|
|
|
'Illegal value for the '.
|
|
|
|
$effectiveSetting.', '.'reset to '.
|
2018-04-25 16:22:28 +03:00
|
|
|
'autodetect.', ILogger::INFO);
|
2013-10-17 21:40:59 +04:00
|
|
|
}
|
2013-09-27 00:31:57 +04:00
|
|
|
|
2013-10-17 21:40:59 +04:00
|
|
|
}
|
2012-08-23 20:29:43 +04:00
|
|
|
}
|
2013-09-13 21:01:40 +04:00
|
|
|
|
2018-01-26 01:06:53 +03:00
|
|
|
$backupPort = (int)$this->configuration->ldapBackupPort;
|
2016-09-23 01:30:57 +03:00
|
|
|
if ($backupPort <= 0) {
|
2013-09-27 00:31:57 +04:00
|
|
|
$this->configuration->backupPort = $this->configuration->ldapPort;
|
2013-01-17 16:56:37 +04:00
|
|
|
}
|
2013-09-27 00:31:57 +04:00
|
|
|
|
|
|
|
//make sure empty search attributes are saved as simple, empty array
|
2014-05-11 17:17:27 +04:00
|
|
|
$saKeys = array('ldapAttributesForUserSearch',
|
2013-09-27 00:31:57 +04:00
|
|
|
'ldapAttributesForGroupSearch');
|
2014-05-11 17:17:27 +04:00
|
|
|
foreach($saKeys as $key) {
|
2013-09-27 00:31:57 +04:00
|
|
|
$val = $this->configuration->$key;
|
|
|
|
if(is_array($val) && count($val) === 1 && empty($val[0])) {
|
|
|
|
$this->configuration->$key = array();
|
2013-01-31 04:46:34 +04:00
|
|
|
}
|
|
|
|
}
|
2013-09-27 00:31:57 +04:00
|
|
|
|
|
|
|
if((stripos($this->configuration->ldapHost, 'ldaps://') === 0)
|
|
|
|
&& $this->configuration->ldapTLS) {
|
|
|
|
$this->configuration->ldapTLS = false;
|
2018-04-25 16:22:28 +03:00
|
|
|
\OCP\Util::writeLog(
|
|
|
|
'user_ldap',
|
|
|
|
'LDAPS (already using secure connection) and TLS do not work together. Switched off TLS.',
|
|
|
|
ILogger::INFO
|
|
|
|
);
|
2013-02-06 17:30:17 +04:00
|
|
|
}
|
2013-09-27 00:31:57 +04:00
|
|
|
}
|
2013-01-31 04:46:34 +04:00
|
|
|
|
2014-05-11 17:17:27 +04:00
|
|
|
/**
|
|
|
|
* @return bool
|
|
|
|
*/
|
2013-09-27 00:31:57 +04:00
|
|
|
private function doCriticalValidation() {
|
2012-07-25 14:37:39 +04:00
|
|
|
$configurationOK = true;
|
2013-09-27 00:31:57 +04:00
|
|
|
$errorStr = 'Configuration Error (prefix '.
|
2018-01-26 01:06:53 +03:00
|
|
|
(string)$this->configPrefix .'): ';
|
2013-09-27 00:31:57 +04:00
|
|
|
|
|
|
|
//options that shall not be empty
|
|
|
|
$options = array('ldapHost', 'ldapPort', 'ldapUserDisplayName',
|
|
|
|
'ldapGroupDisplayName', 'ldapLoginFilter');
|
|
|
|
foreach($options as $key) {
|
|
|
|
$val = $this->configuration->$key;
|
|
|
|
if(empty($val)) {
|
|
|
|
switch($key) {
|
|
|
|
case 'ldapHost':
|
|
|
|
$subj = 'LDAP Host';
|
|
|
|
break;
|
|
|
|
case 'ldapPort':
|
|
|
|
$subj = 'LDAP Port';
|
|
|
|
break;
|
|
|
|
case 'ldapUserDisplayName':
|
|
|
|
$subj = 'LDAP User Display Name';
|
|
|
|
break;
|
|
|
|
case 'ldapGroupDisplayName':
|
|
|
|
$subj = 'LDAP Group Display Name';
|
|
|
|
break;
|
|
|
|
case 'ldapLoginFilter':
|
|
|
|
$subj = 'LDAP Login Filter';
|
|
|
|
break;
|
|
|
|
default:
|
|
|
|
$subj = $key;
|
|
|
|
break;
|
|
|
|
}
|
|
|
|
$configurationOK = false;
|
2018-04-25 16:22:28 +03:00
|
|
|
\OCP\Util::writeLog(
|
|
|
|
'user_ldap',
|
|
|
|
$errorStr.'No '.$subj.' given!',
|
|
|
|
ILogger::WARN
|
|
|
|
);
|
2013-09-27 00:31:57 +04:00
|
|
|
}
|
2012-07-25 14:37:39 +04:00
|
|
|
}
|
2013-09-27 00:31:57 +04:00
|
|
|
|
|
|
|
//combinations
|
|
|
|
$agent = $this->configuration->ldapAgentName;
|
|
|
|
$pwd = $this->configuration->ldapAgentPassword;
|
2016-09-23 01:30:57 +03:00
|
|
|
if (
|
|
|
|
($agent === '' && $pwd !== '')
|
|
|
|
|| ($agent !== '' && $pwd === '')
|
|
|
|
) {
|
2018-04-25 16:22:28 +03:00
|
|
|
\OCP\Util::writeLog(
|
|
|
|
'user_ldap',
|
|
|
|
$errorStr.'either no password is given for the user ' .
|
|
|
|
'agent or a password is given, but not an LDAP agent.',
|
|
|
|
ILogger::WARN);
|
2012-07-25 14:37:39 +04:00
|
|
|
$configurationOK = false;
|
|
|
|
}
|
2013-09-27 00:31:57 +04:00
|
|
|
|
|
|
|
$base = $this->configuration->ldapBase;
|
|
|
|
$baseUsers = $this->configuration->ldapBaseUsers;
|
|
|
|
$baseGroups = $this->configuration->ldapBaseGroups;
|
|
|
|
|
|
|
|
if(empty($base) && empty($baseUsers) && empty($baseGroups)) {
|
2018-04-25 16:22:28 +03:00
|
|
|
\OCP\Util::writeLog(
|
|
|
|
'user_ldap',
|
|
|
|
$errorStr.'Not a single Base DN given.',
|
|
|
|
ILogger::WARN
|
|
|
|
);
|
2012-07-25 14:37:39 +04:00
|
|
|
$configurationOK = false;
|
|
|
|
}
|
2013-09-27 00:31:57 +04:00
|
|
|
|
|
|
|
if(mb_strpos($this->configuration->ldapLoginFilter, '%uid', 0, 'UTF-8')
|
|
|
|
=== false) {
|
2018-04-25 16:22:28 +03:00
|
|
|
\OCP\Util::writeLog(
|
|
|
|
'user_ldap',
|
|
|
|
$errorStr.'login filter does not contain %uid place holder.',
|
|
|
|
ILogger::WARN
|
|
|
|
);
|
2012-07-25 14:37:39 +04:00
|
|
|
$configurationOK = false;
|
|
|
|
}
|
|
|
|
|
|
|
|
return $configurationOK;
|
|
|
|
}
|
|
|
|
|
2013-01-18 16:35:40 +04:00
|
|
|
/**
|
2014-05-19 19:50:53 +04:00
|
|
|
* Validates the user specified configuration
|
2014-05-11 18:29:59 +04:00
|
|
|
* @return bool true if configuration seems OK, false otherwise
|
2013-01-18 16:35:40 +04:00
|
|
|
*/
|
2013-09-27 00:31:57 +04:00
|
|
|
private function validateConfiguration() {
|
2013-10-24 22:26:05 +04:00
|
|
|
|
|
|
|
if($this->doNotValidate) {
|
|
|
|
//don't do a validation if it is a new configuration with pure
|
|
|
|
//default values. Will be allowed on changes via __set or
|
|
|
|
//setConfiguration
|
|
|
|
return false;
|
|
|
|
}
|
|
|
|
|
2013-09-27 00:31:57 +04:00
|
|
|
// first step: "soft" checks: settings that are not really
|
|
|
|
// necessary, but advisable. If left empty, give an info message
|
|
|
|
$this->doSoftValidation();
|
|
|
|
|
2014-05-11 17:17:27 +04:00
|
|
|
//second step: critical checks. If left empty or filled wrong, mark as
|
|
|
|
//not configured and give a warning.
|
2013-09-27 00:31:57 +04:00
|
|
|
return $this->doCriticalValidation();
|
2013-01-18 16:35:40 +04:00
|
|
|
}
|
|
|
|
|
2013-09-27 00:31:57 +04:00
|
|
|
|
2012-07-25 14:37:39 +04:00
|
|
|
/**
|
|
|
|
* Connects and Binds to LDAP
|
2018-06-28 00:09:44 +03:00
|
|
|
*
|
|
|
|
* @throws ServerNotAvailableException
|
2012-07-25 14:37:39 +04:00
|
|
|
*/
|
|
|
|
private function establishConnection() {
|
2013-09-27 00:31:57 +04:00
|
|
|
if(!$this->configuration->ldapConfigurationActive) {
|
2013-01-25 01:39:05 +04:00
|
|
|
return null;
|
|
|
|
}
|
2012-07-25 20:40:48 +04:00
|
|
|
static $phpLDAPinstalled = true;
|
|
|
|
if(!$phpLDAPinstalled) {
|
|
|
|
return false;
|
|
|
|
}
|
2014-06-11 15:35:35 +04:00
|
|
|
if(!$this->ignoreValidation && !$this->configured) {
|
2018-04-25 16:22:28 +03:00
|
|
|
\OCP\Util::writeLog(
|
|
|
|
'user_ldap',
|
|
|
|
'Configuration is invalid, cannot connect',
|
|
|
|
ILogger::WARN
|
|
|
|
);
|
2012-07-25 14:37:39 +04:00
|
|
|
return false;
|
|
|
|
}
|
|
|
|
if(!$this->ldapConnectionRes) {
|
2013-08-18 15:33:59 +04:00
|
|
|
if(!$this->ldap->areLDAPFunctionsAvailable()) {
|
2012-07-25 20:40:48 +04:00
|
|
|
$phpLDAPinstalled = false;
|
2018-04-25 16:22:28 +03:00
|
|
|
\OCP\Util::writeLog(
|
|
|
|
'user_ldap',
|
|
|
|
'function ldap_connect is not available. Make sure that the PHP ldap module is installed.',
|
|
|
|
ILogger::ERROR
|
|
|
|
);
|
2012-07-25 20:40:48 +04:00
|
|
|
|
|
|
|
return false;
|
|
|
|
}
|
2013-09-27 00:31:57 +04:00
|
|
|
if($this->configuration->turnOffCertCheck) {
|
2012-08-06 01:00:47 +04:00
|
|
|
if(putenv('LDAPTLS_REQCERT=never')) {
|
2013-02-15 01:16:48 +04:00
|
|
|
\OCP\Util::writeLog('user_ldap',
|
|
|
|
'Turned off SSL certificate validation successfully.',
|
2018-04-25 16:22:28 +03:00
|
|
|
ILogger::DEBUG);
|
2012-08-06 01:00:47 +04:00
|
|
|
} else {
|
2018-04-25 16:22:28 +03:00
|
|
|
\OCP\Util::writeLog(
|
|
|
|
'user_ldap',
|
|
|
|
'Could not turn off SSL certificate validation.',
|
|
|
|
ILogger::WARN
|
|
|
|
);
|
2012-08-06 01:00:47 +04:00
|
|
|
}
|
|
|
|
}
|
2015-11-03 19:17:00 +03:00
|
|
|
|
2017-07-23 14:46:25 +03:00
|
|
|
$isOverrideMainServer = ($this->configuration->ldapOverrideMainServer
|
|
|
|
|| $this->getFromCache('overrideMainServer'));
|
|
|
|
$isBackupHost = (trim($this->configuration->ldapBackupHost) !== "");
|
2015-11-03 19:17:00 +03:00
|
|
|
$bindStatus = false;
|
|
|
|
try {
|
2017-07-23 14:46:25 +03:00
|
|
|
if (!$isOverrideMainServer) {
|
2015-11-03 19:17:00 +03:00
|
|
|
$this->doConnect($this->configuration->ldapHost,
|
|
|
|
$this->configuration->ldapPort);
|
2018-07-13 09:25:02 +03:00
|
|
|
return $this->bind();
|
2015-11-03 19:17:00 +03:00
|
|
|
}
|
2017-07-16 13:05:48 +03:00
|
|
|
} catch (ServerNotAvailableException $e) {
|
2017-07-23 14:46:25 +03:00
|
|
|
if(!$isBackupHost) {
|
2015-11-03 19:17:00 +03:00
|
|
|
throw $e;
|
|
|
|
}
|
2013-01-17 16:31:14 +04:00
|
|
|
}
|
|
|
|
|
|
|
|
//if LDAP server is not reachable, try the Backup (Replica!) Server
|
2018-06-28 00:09:44 +03:00
|
|
|
if($isBackupHost || $isOverrideMainServer) {
|
2015-11-03 19:17:00 +03:00
|
|
|
$this->doConnect($this->configuration->ldapBackupHost,
|
|
|
|
$this->configuration->ldapBackupPort);
|
2018-02-22 14:45:28 +03:00
|
|
|
$this->bindResult = [];
|
2015-11-03 19:17:00 +03:00
|
|
|
$bindStatus = $this->bind();
|
2017-06-13 21:08:14 +03:00
|
|
|
$error = $this->ldap->isResource($this->ldapConnectionRes) ?
|
|
|
|
$this->ldap->errno($this->ldapConnectionRes) : -1;
|
|
|
|
if($bindStatus && $error === 0 && !$this->getFromCache('overrideMainServer')) {
|
2015-11-03 19:17:00 +03:00
|
|
|
//when bind to backup server succeeded and failed to main server,
|
|
|
|
//skip contacting him until next cache refresh
|
|
|
|
$this->writeToCache('overrideMainServer', true);
|
|
|
|
}
|
2012-07-25 14:37:39 +04:00
|
|
|
}
|
2017-06-13 21:08:14 +03:00
|
|
|
|
2013-01-17 16:31:14 +04:00
|
|
|
return $bindStatus;
|
|
|
|
}
|
2016-08-17 10:46:54 +03:00
|
|
|
return null;
|
2013-01-17 16:31:14 +04:00
|
|
|
}
|
2012-07-25 14:37:39 +04:00
|
|
|
|
2014-05-11 17:17:27 +04:00
|
|
|
/**
|
2014-05-13 15:29:25 +04:00
|
|
|
* @param string $host
|
|
|
|
* @param string $port
|
2016-08-29 21:20:17 +03:00
|
|
|
* @return bool
|
2015-12-05 02:43:38 +03:00
|
|
|
* @throws \OC\ServerNotAvailableException
|
2014-05-11 17:17:27 +04:00
|
|
|
*/
|
2013-01-17 16:31:14 +04:00
|
|
|
private function doConnect($host, $port) {
|
2016-09-23 01:30:57 +03:00
|
|
|
if ($host === '') {
|
2013-02-06 17:32:00 +04:00
|
|
|
return false;
|
|
|
|
}
|
2017-07-16 13:01:25 +03:00
|
|
|
|
2013-08-18 15:33:59 +04:00
|
|
|
$this->ldapConnectionRes = $this->ldap->connect($host, $port);
|
2017-07-16 13:01:25 +03:00
|
|
|
|
|
|
|
if(!$this->ldap->setOption($this->ldapConnectionRes, LDAP_OPT_PROTOCOL_VERSION, 3)) {
|
2017-07-16 13:05:48 +03:00
|
|
|
throw new ServerNotAvailableException('Could not set required LDAP Protocol version.');
|
2012-07-25 14:37:39 +04:00
|
|
|
}
|
2017-07-16 13:01:25 +03:00
|
|
|
|
|
|
|
if(!$this->ldap->setOption($this->ldapConnectionRes, LDAP_OPT_REFERRALS, 0)) {
|
2017-07-16 13:05:48 +03:00
|
|
|
throw new ServerNotAvailableException('Could not disable LDAP referrals.');
|
2017-07-16 13:01:25 +03:00
|
|
|
}
|
|
|
|
|
|
|
|
if($this->configuration->ldapTLS) {
|
|
|
|
if(!$this->ldap->startTls($this->ldapConnectionRes)) {
|
2017-07-16 13:05:48 +03:00
|
|
|
throw new ServerNotAvailableException('Start TLS failed, when connecting to LDAP host ' . $host . '.');
|
2017-07-16 13:01:25 +03:00
|
|
|
}
|
|
|
|
}
|
|
|
|
|
2016-08-17 10:46:54 +03:00
|
|
|
return true;
|
2012-07-25 14:37:39 +04:00
|
|
|
}
|
|
|
|
|
|
|
|
/**
|
|
|
|
* Binds to LDAP
|
|
|
|
*/
|
|
|
|
public function bind() {
|
2013-09-27 00:31:57 +04:00
|
|
|
if(!$this->configuration->ldapConfigurationActive) {
|
2013-01-25 01:39:05 +04:00
|
|
|
return false;
|
|
|
|
}
|
2018-02-22 14:45:28 +03:00
|
|
|
$cr = $this->ldapConnectionRes;
|
2013-08-20 14:39:24 +04:00
|
|
|
if(!$this->ldap->isResource($cr)) {
|
2018-02-22 14:45:28 +03:00
|
|
|
$cr = $this->getConnectionResource();
|
|
|
|
}
|
|
|
|
|
|
|
|
if(
|
|
|
|
count($this->bindResult) !== 0
|
|
|
|
&& $this->bindResult['dn'] === $this->configuration->ldapAgentName
|
|
|
|
&& \OC::$server->getHasher()->verify(
|
|
|
|
$this->configPrefix . $this->configuration->ldapAgentPassword,
|
|
|
|
$this->bindResult['hash']
|
|
|
|
)
|
|
|
|
) {
|
|
|
|
// don't attempt to bind again with the same data as before
|
|
|
|
// bind might have been invoked via getConnectionResource(),
|
|
|
|
// but we need results specifically for e.g. user login
|
|
|
|
return $this->bindResult['result'];
|
2013-02-06 17:32:00 +04:00
|
|
|
}
|
2018-02-22 14:45:28 +03:00
|
|
|
|
2013-09-11 21:42:08 +04:00
|
|
|
$ldapLogin = @$this->ldap->bind($cr,
|
2013-09-27 00:31:57 +04:00
|
|
|
$this->configuration->ldapAgentName,
|
|
|
|
$this->configuration->ldapAgentPassword);
|
2018-02-22 14:45:28 +03:00
|
|
|
|
|
|
|
$this->bindResult = [
|
|
|
|
'dn' => $this->configuration->ldapAgentName,
|
|
|
|
'hash' => \OC::$server->getHasher()->hash($this->configPrefix . $this->configuration->ldapAgentPassword),
|
|
|
|
'result' => $ldapLogin,
|
|
|
|
];
|
|
|
|
|
2012-07-25 14:37:39 +04:00
|
|
|
if(!$ldapLogin) {
|
2017-06-13 21:13:40 +03:00
|
|
|
$errno = $this->ldap->errno($cr);
|
|
|
|
|
2013-02-15 01:16:48 +04:00
|
|
|
\OCP\Util::writeLog('user_ldap',
|
2017-06-13 21:13:40 +03:00
|
|
|
'Bind failed: ' . $errno . ': ' . $this->ldap->error($cr),
|
2018-04-25 16:22:28 +03:00
|
|
|
ILogger::WARN);
|
2017-06-13 21:13:40 +03:00
|
|
|
|
|
|
|
// Set to failure mode, if LDAP error code is not LDAP_SUCCESS or LDAP_INVALID_CREDENTIALS
|
|
|
|
if($errno !== 0x00 && $errno !== 0x31) {
|
|
|
|
$this->ldapConnectionRes = null;
|
|
|
|
}
|
|
|
|
|
2012-07-25 14:37:39 +04:00
|
|
|
return false;
|
|
|
|
}
|
|
|
|
return true;
|
|
|
|
}
|
|
|
|
|
2012-09-19 17:35:50 +04:00
|
|
|
}
|