. * */ namespace OCA\user_ldap\lib; class Connection extends LDAPUtility { private $ldapConnectionRes = null; private $configPrefix; private $configID; private $configured = false; //whether connection should be kept on __destruct private $dontDestruct = false; private $hasPagedResultSupport = true; //cache handler protected $cache; //settings handler protected $configuration; protected $doNotValidate = false; /** * @brief Constructor * @param $configPrefix a string with the prefix for the configkey column (appconfig table) * @param $configID a string with the value for the appid column (appconfig table) or null for on-the-fly connections */ public function __construct(ILDAPWrapper $ldap, $configPrefix = '', $configID = 'user_ldap') { parent::__construct($ldap); $this->configPrefix = $configPrefix; $this->configID = $configID; $this->configuration = new Configuration($configPrefix, !is_null($configID)); $memcache = \OC::$server->getMemCacheFactory(); if($memcache->isAvailable()) { $this->cache = $memcache->create(); } else { $this->cache = \OC_Cache::getGlobalCache(); } $this->hasPagedResultSupport = $this->ldap->hasPagedResultSupport(); $this->doNotValidate = !in_array($this->configPrefix, Helper::getServerConfigurationPrefixes()); } public function __destruct() { if(!$this->dontDestruct && $this->ldap->isResource($this->ldapConnectionRes)) { @$this->ldap->unbind($this->ldapConnectionRes); }; } /** * @brief defines behaviour when the instance is cloned */ public function __clone() { //a cloned instance inherits the connection resource. It may use it, //but it may not disconnect it $this->dontDestruct = true; } public function __get($name) { if(!$this->configured) { $this->readConfiguration(); } if($name === 'hasPagedResultSupport') { return $this->hasPagedResultSupport; } return $this->configuration->$name; } public function __set($name, $value) { $this->doNotValidate = false; $before = $this->configuration->$name; $this->configuration->$name = $value; $after = $this->configuration->$name; if($before !== $after) { if(!empty($this->configID)) { $this->configuration->saveConfiguration(); } $this->validateConfiguration(); } } /** * @brief initializes the LDAP backend * @param $force read the config settings no matter what * * initializes the LDAP backend */ public function init($force = false) { $this->readConfiguration($force); $this->establishConnection(); } /** * Returns the LDAP handler */ public function getConnectionResource() { if(!$this->ldapConnectionRes) { $this->init(); } else if(!$this->ldap->isResource($this->ldapConnectionRes)) { $this->ldapConnectionRes = null; $this->establishConnection(); } if(is_null($this->ldapConnectionRes)) { \OCP\Util::writeLog('user_ldap', 'Connection could not be established', \OCP\Util::ERROR); } return $this->ldapConnectionRes; } private function getCacheKey($key) { $prefix = 'LDAP-'.$this->configID.'-'.$this->configPrefix.'-'; if(is_null($key)) { return $prefix; } return $prefix.md5($key); } public function getFromCache($key) { if(!$this->configured) { $this->readConfiguration(); } if(!$this->configuration->ldapCacheTTL) { return null; } if(!$this->isCached($key)) { return null; } $key = $this->getCacheKey($key); return unserialize(base64_decode($this->cache->get($key))); } public function isCached($key) { if(!$this->configured) { $this->readConfiguration(); } if(!$this->configuration->ldapCacheTTL) { return false; } $key = $this->getCacheKey($key); return $this->cache->hasKey($key); } public function writeToCache($key, $value) { if(!$this->configured) { $this->readConfiguration(); } if(!$this->configuration->ldapCacheTTL || !$this->configuration->ldapConfigurationActive) { return null; } $key = $this->getCacheKey($key); $value = base64_encode(serialize($value)); $this->cache->set($key, $value, $this->configuration->ldapCacheTTL); } public function clearCache() { $this->cache->clear($this->getCacheKey(null)); } /** * @brief Caches the general LDAP configuration. * @param $force optional. true, if the re-read should be forced. defaults * to false. * @return null */ private function readConfiguration($force = false) { if((!$this->configured || $force) && !is_null($this->configID)) { $this->configuration->readConfiguration(); $this->configured = $this->validateConfiguration(); } } /** * @brief set LDAP configuration with values delivered by an array, not read from configuration * @param $config array that holds the config parameters in an associated array * @param &$setParameters optional; array where the set fields will be given to * @return true if config validates, false otherwise. Check with $setParameters for detailed success on single parameters */ public function setConfiguration($config, &$setParameters = null) { if(is_null($setParameters)) { $setParameters = array(); } $this->doNotValidate = false; $this->configuration->setConfiguration($config, $setParameters); if(count($setParameters) > 0) { $this->configured = $this->validateConfiguration(); } return $this->configured; } /** * @brief saves the current Configuration in the database and empties the * cache * @return null */ public function saveConfiguration() { $this->configuration->saveConfiguration(); $this->clearCache(); } /** * @brief get the current LDAP configuration * @return array */ public function getConfiguration() { $this->readConfiguration(); $config = $this->configuration->getConfiguration(); $cta = $this->configuration->getConfigTranslationArray(); $result = array(); foreach($cta as $dbkey => $configkey) { switch($configkey) { case 'homeFolderNamingRule': if(strpos($config[$configkey], 'attr:') === 0) { $result[$dbkey] = substr($config[$configkey], 5); } else { $result[$dbkey] = ''; } break; case 'ldapBase': case 'ldapBaseUsers': case 'ldapBaseGroups': case 'ldapAttributesForUserSearch': case 'ldapAttributesForGroupSearch': if(is_array($config[$configkey])) { $result[$dbkey] = implode("\n", $config[$configkey]); break; } //else follows default default: $result[$dbkey] = $config[$configkey]; } } return $result; } private function doSoftValidation() { //if User or Group Base are not set, take over Base DN setting foreach(array('ldapBaseUsers', 'ldapBaseGroups') as $keyBase) { $val = $this->configuration->$keyBase; if(empty($val)) { $obj = strpos('Users', $keyBase) !== false ? 'Users' : 'Groups'; \OCP\Util::writeLog('user_ldap', 'Base tree for '.$obj. ' is empty, using Base DN', \OCP\Util::INFO); $this->configuration->$keyBase = $this->configuration->ldapBase; } } $groupFilter = $this->configuration->ldapGroupFilter; if(empty($groupFilter)) { \OCP\Util::writeLog('user_ldap', 'No group filter is specified, LDAP group '. 'feature will not be used.', \OCP\Util::INFO); } foreach(array('ldapExpertUUIDUserAttr' => 'ldapUuidUserAttribute', 'ldapExpertUUIDGroupAttr' => 'ldapUuidGroupAttribute') as $expertSetting => $effectiveSetting) { $uuidOverride = $this->configuration->$expertSetting; if(!empty($uuidOverride)) { $this->configuration->$effectiveSetting = $uuidOverride; } else { $uuidAttributes = array('auto', 'entryuuid', 'nsuniqueid', 'objectguid', 'guid'); if(!in_array($this->configuration->$effectiveSetting, $uuidAttributes) && (!is_null($this->configID))) { $this->configuration->$effectiveSetting = 'auto'; $this->configuration->saveConfiguration(); \OCP\Util::writeLog('user_ldap', 'Illegal value for the '. $effectiveSetting.', '.'reset to '. 'autodetect.', \OCP\Util::INFO); } } } $backupPort = $this->configuration->ldapBackupPort; if(empty($backupPort)) { $this->configuration->backupPort = $this->configuration->ldapPort; } //make sure empty search attributes are saved as simple, empty array $sakeys = array('ldapAttributesForUserSearch', 'ldapAttributesForGroupSearch'); foreach($sakeys as $key) { $val = $this->configuration->$key; if(is_array($val) && count($val) === 1 && empty($val[0])) { $this->configuration->$key = array(); } } if((stripos($this->configuration->ldapHost, 'ldaps://') === 0) && $this->configuration->ldapTLS) { $this->configuration->ldapTLS = false; \OCP\Util::writeLog('user_ldap', 'LDAPS (already using secure connection) and '. 'TLS do not work together. Switched off TLS.', \OCP\Util::INFO); } } private function doCriticalValidation() { $configurationOK = true; $errorStr = 'Configuration Error (prefix '. strval($this->configPrefix).'): '; //options that shall not be empty $options = array('ldapHost', 'ldapPort', 'ldapUserDisplayName', 'ldapGroupDisplayName', 'ldapLoginFilter'); foreach($options as $key) { $val = $this->configuration->$key; if(empty($val)) { switch($key) { case 'ldapHost': $subj = 'LDAP Host'; break; case 'ldapPort': $subj = 'LDAP Port'; break; case 'ldapUserDisplayName': $subj = 'LDAP User Display Name'; break; case 'ldapGroupDisplayName': $subj = 'LDAP Group Display Name'; break; case 'ldapLoginFilter': $subj = 'LDAP Login Filter'; break; default: $subj = $key; break; } $configurationOK = false; \OCP\Util::writeLog('user_ldap', $errorStr.'No '.$subj.' given!', \OCP\Util::WARN); } } //combinations $agent = $this->configuration->ldapAgentName; $pwd = $this->configuration->ldapAgentPassword; if((empty($agent) && !empty($pwd)) || (!empty($agent) && empty($pwd))) { \OCP\Util::writeLog('user_ldap', $errorStr.'either no password is given for the'. 'user agent or a password is given, but not an'. 'LDAP agent.', \OCP\Util::WARN); $configurationOK = false; } $base = $this->configuration->ldapBase; $baseUsers = $this->configuration->ldapBaseUsers; $baseGroups = $this->configuration->ldapBaseGroups; if(empty($base) && empty($baseUsers) && empty($baseGroups)) { \OCP\Util::writeLog('user_ldap', $errorStr.'Not a single Base DN given.', \OCP\Util::WARN); $configurationOK = false; } if(mb_strpos($this->configuration->ldapLoginFilter, '%uid', 0, 'UTF-8') === false) { \OCP\Util::writeLog('user_ldap', $errorStr.'login filter does not contain %uid '. 'place holder.', \OCP\Util::WARN); $configurationOK = false; } return $configurationOK; } /** * @brief Validates the user specified configuration * @returns true if configuration seems OK, false otherwise */ private function validateConfiguration() { if($this->doNotValidate) { //don't do a validation if it is a new configuration with pure //default values. Will be allowed on changes via __set or //setConfiguration return false; } // first step: "soft" checks: settings that are not really // necessary, but advisable. If left empty, give an info message $this->doSoftValidation(); //second step: critical checks. If left empty or filled wrong, set as //unconfigured and give a warning. return $this->doCriticalValidation(); } /** * Connects and Binds to LDAP */ private function establishConnection() { if(!$this->configuration->ldapConfigurationActive) { return null; } static $phpLDAPinstalled = true; if(!$phpLDAPinstalled) { return false; } if(!$this->configured) { \OCP\Util::writeLog('user_ldap', 'Configuration is invalid, cannot connect', \OCP\Util::WARN); return false; } if(!$this->ldapConnectionRes) { if(!$this->ldap->areLDAPFunctionsAvailable()) { $phpLDAPinstalled = false; \OCP\Util::writeLog('user_ldap', 'function ldap_connect is not available. Make '. 'sure that the PHP ldap module is installed.', \OCP\Util::ERROR); return false; } if($this->configuration->turnOffCertCheck) { if(putenv('LDAPTLS_REQCERT=never')) { \OCP\Util::writeLog('user_ldap', 'Turned off SSL certificate validation successfully.', \OCP\Util::WARN); } else { \OCP\Util::writeLog('user_ldap', 'Could not turn off SSL certificate validation.', \OCP\Util::WARN); } } if(!$this->configuration->ldapOverrideMainServer && !$this->getFromCache('overrideMainServer')) { $this->doConnect($this->configuration->ldapHost, $this->configuration->ldapPort); $bindStatus = $this->bind(); $error = $this->ldap->isResource($this->ldapConnectionRes) ? $this->ldap->errno($this->ldapConnectionRes) : -1; } else { $bindStatus = false; $error = null; } //if LDAP server is not reachable, try the Backup (Replica!) Server if((!$bindStatus && ($error !== 0)) || $this->configuration->ldapOverrideMainServer || $this->getFromCache('overrideMainServer')) { $this->doConnect($this->configuration->ldapBackupHost, $this->configuration->ldapBackupPort); $bindStatus = $this->bind(); if(!$bindStatus && $error === -1) { //when bind to backup server succeeded and failed to main server, //skip contacting him until next cache refresh $this->writeToCache('overrideMainServer', true); } } return $bindStatus; } } private function doConnect($host, $port) { if(empty($host)) { return false; } if(strpos($host, '://') !== false) { //ldap_connect ignores port paramater when URLs are passed $host .= ':' . $port; } $this->ldapConnectionRes = $this->ldap->connect($host, $port); if($this->ldap->setOption($this->ldapConnectionRes, LDAP_OPT_PROTOCOL_VERSION, 3)) { if($this->ldap->setOption($this->ldapConnectionRes, LDAP_OPT_REFERRALS, 0)) { if($this->configuration->ldapTLS) { $this->ldap->startTls($this->ldapConnectionRes); } } } } /** * Binds to LDAP */ public function bind() { static $getConnectionResourceAttempt = false; if(!$this->configuration->ldapConfigurationActive) { return false; } if($getConnectionResourceAttempt) { $getConnectionResourceAttempt = false; return false; } $getConnectionResourceAttempt = true; $cr = $this->getConnectionResource(); $getConnectionResourceAttempt = false; if(!$this->ldap->isResource($cr)) { return false; } $ldapLogin = @$this->ldap->bind($cr, $this->configuration->ldapAgentName, $this->configuration->ldapAgentPassword); if(!$ldapLogin) { \OCP\Util::writeLog('user_ldap', 'Bind failed: ' . $this->ldap->errno($cr) . ': ' . $this->ldap->error($cr), \OCP\Util::ERROR); $this->ldapConnectionRes = null; return false; } return true; } }