Ticket #547: ldap_v2.patch

lib/jelix-scripts/commands/createapp.cmd.php

@@ -7 +7 @@
-* @contributor Gildas Givaja (bug #83)
-* @contributor Christophe Thiriot
-* @contributor Bastien Jaillot
-7
+8
-* @link        http://www.jelix.org
-* @licence     GNU General Public Licence see LICENCE file or http://www.gnu.org/licenses/gpl.html
-*/
@@ -90 +90 @@
-       $this->createFile(JELIX_APP_PATH.'project.xml','project.xml.tpl',$param);
-       $this->createFile(JELIX_APP_CONFIG_PATH.'defaultconfig.ini.php','var/config/defaultconfig.ini.php.tpl',$param);
-       $this->createFile(JELIX_APP_CONFIG_PATH.'dbprofils.ini.php','var/config/dbprofils.ini.php.tpl',$param);
+       $this->createFile(JELIX_APP_CONFIG_PATH.'ldapprofils.ini.php','var/config/ldapprofils.ini.php.tpl',$param);
-       $this->createFile(JELIX_APP_CONFIG_PATH.'index/config.ini.php','var/config/index/config.ini.php.tpl',$param);
-
-       $this->createFile(JELIX_APP_PATH.'responses/myHtmlResponse.class.php','myHtmlResponse.class.php.tpl',$param);
@@ -139 +140 @@
-    }
-}
-
-?>

lib/jelix-scripts/templates/var/config/ldapprofils.ini.php.tpl

@@ +1 @@
+;<?php die(''); ?>
+;for security reasons, don't remove or modify the first line
+
+; name of the default profil to use for any connection
+default = ldap
+
+; each section correspond to a connection
+; the name of the section is the name of the connection, to use as an argument
+; for jLdap methods
+
+[ldap]
+server = "127.0.0.1"
+port = "389"
+base_dn = "dc=cnw,dc=local"
+mail_base = "dc=Mails,dc=Services,dc=cnw,dc=local"

lib/jelix/plugins/acl/ldap/ldap.acl.php

@@ +1 @@
+<?php
+/**
+* @package     jelix
+* @subpackage  acl_driver
+* @author      Lissyx
+* @contributor  Laurent Jouanneau
+* @copyright   2008 Lissyx, 2008  Laurent Jouanneau
+* @link        http://www.jelix.org
+* @licence     http://www.gnu.org/licenses/lgpl.html GNU Lesser General Public Licence, see LICENCE file
+*/
+
+/**
+ * driver for jAcl based on a LDAP Server
+ * @package jelix
+ * @subpackage acl_driver
+ * @experimental
+ * @since 1.1
+ * @see jAcl
+ */
+class ldapAclDriver implements jIAclDriver {
+
+    private $params = array();
+
+    private $ldap = null;
+
+    /**
+     * 
+     */
+    function __construct ($params) {
+        $this->params = array_merge($params;
+        $this->ldap = jLdap::getConnection();
+    }
+
+
+    protected static $aclres = array();
+
+    protected static $acl = array();
+
+    /**
+     * return the value of the right on the given subject (and on the optional resource)
+     * @param string $subject the key of the subject
+     * @param string $resource the id of a resource
+     * @return array list of values corresponding to the right
+     */
+    public function getRight($subject, $resource=null){
+
+        if(!jAuth::isConnected()) // not authificated = no rights
+            return array();
+
+        $session = jAuth::getUserSession();
+
+        if ( false !== ($attrs = $this->ldap->searchFirst($session->login, "(" . $this->params["ldapAttributeRight"] . "=*)"))) {
+
+            $values= array();
+
+            foreach ($attrs[$this->params["ldapAttributeRight"]] as $obj) {
+                switch($subject) {
+                    case "domaines":
+                    case "accounts":
+                        switch($obj) {
+                            case $this->params["ldapRightUser"]:
+                                $values[] = "LIST";
+                                $values[] = "READ";
+                            break;
+
+                            case $this->params["ldapRightAdmin"]:
+                                $values[] = "LIST";
+                                $values[] = "UPDATE";
+                                $values[] = "CREATE";
+                                $values[] = "READ";
+                                $values[] = "DELETE";
+                            break;
+                        }
+                        break;
+                }
+            }
+        }
+
+        return $values;
+    }
+
+    /**
+     * clear right cache
+     * @since 1.0b2
+     */
+    public function clearCache(){
+        self::$acl = array();
+        self::$aclres = array();
+    }
+
+}
+
+

lib/jelix/plugins/auth/ldap/ldap.auth.php

@@ +1 @@
+<?php
+/**
+* @package    jelix
+* @subpackage auth_driver
+* @author     Lissyx
+* @contributor Laurent Jouanneau
+* @copyright  2008 Laurent Jouanneau, 2008 Lissyx
+* @licence  http://www.gnu.org/licenses/lgpl.html GNU Lesser General Public Licence, see LICENCE file
+*/
+
+/**
+ * object which represent a user
+ *
+ * @package    jelix
+ * @subpackage auth_driver
+ * @since 1.1
+ */
+class jAuthUserLDAP extends jAuthUser {
+}
+
+/**
+ * authentification driver, which communicate with a LDAP server
+ * @package    jelix
+ * @subpackage auth_driver
+ * @see jAuth
+ * @since 1.1
+ * @experimental
+ */
+class ldapAuthDriver implements jIAuthDriver {
+
+    protected $_params;
+
+    protected $ldap;
+
+    function __construct($params){
+        $this->_params = $params;
+        $this->ldap =  jLdap::getConnection();
+    }
+
+    /**
+     * No write !
+     */
+    public function saveNewUser($user){
+        throw new Exception("Not implemented");
+        return true;
+    }
+
+    /**
+     * No write !
+     */
+    public function removeUser($login){
+        throw new Exception("Not implemented");
+        return true;
+    }
+
+    /**
+     * No write !
+     */
+    public function updateUser($user){
+        throw new Exception("Not implemented");
+        return true;
+    }
+
+    public function getUser($login){
+        throw new Exception("Not implemented");
+        return null;
+    }
+
+    /**
+     * No write !
+     */
+    public function createUserObject($login,$password){
+        throw new Exception("Not implemented");
+        return $user;
+    }
+
+    public function getUserList($pattern){
+        throw new Exception("Not implemented");
+    }
+
+    /**
+     * No write !
+     */
+    public function changePassword($login, $newpassword){
+        throw new Exception("Not implemented");
+
+    }
+
+    public function verifyPassword($login, $password) {
+        $this->ldap->bindServer($login, $password,  $this->params["mail_search"], $this->_params["mail_filter"], "mail");
+
+        if ($res["res"]) {
+            $user = new jAuthUserLDAP();
+            $user->login = $res["DN"];
+            $user->password = $res["password"];
+            return $user;
+        } else
+            return false;
+    }
+}

lib/jelix/core/defaultconfig.ini.php

@@ -16 +16 @@
-modulesPath = lib:jelix-modules/,app:modules/
-
-dbProfils = dbprofils.ini.php
+ldapProfils = ldapprofils.ini.php
-
-theme = default
-use_error_handler = on
@@ -210 +211 @@
-driver = db
-enableAcl2DbEventListener = off
-
+ldapAttributeRight = 
+ldapRightUser = 
+ldapRightAdmin = 
-
-[sessions]
-; to disable sessions, set the following parameter to 0

lib/jelix/init.php

@@ -159 +159 @@
-    if(file_exists($f)){
-        require_once($f);
-    }else{
-
+ ($f)
-    }
-#endif
-}

lib/jelix/core-modules/jelix/locales/fr_FR/ldap.UTF-8.properties

@@ +1 @@
+error.profil.unknow=(400)Le profil de connexion "%s" pour jLdap est inconnu
+error.database.unknow=(401)La base %s est inconnue
+error.connection=(402)Impossible de se connecter sur %s (mauvais host, login ou mot de passe ?)
+error.query.bad=(403)Erreur dans la requête (%s)
+error.feature.unsupported=(404)JLdap : le driver %s ne prend pas en charge la fonctionnalité "%s"
+error.nofunction=(405)jLdap : l'extension %s n'est pas installée dans php pour le driver jLdap configuré
+error.profil.type.unknow=(406)Le type de profil de connexion "%s" pour jLdap est inconnu
+error.default.profil.unknow=(407)Pas de profil de connexion par défaut pour jLdap
+error.driver.notfound=(408)Le driver "%s" pour jLdap est introuvable
+error.connection.closed=(409) La connection sur la base de donnée n'est plus valide : timeout, deconnection... (profil %s)

lib/jelix/utils/jLdap.class.php

@@ +1 @@
+<?php
+
+/**
+* @package    jelix
+* @subpackage utils
+* @author     Lissyx
+* @contributor Laurent Jouanneau
+* @copyright  2008 Lissyx, 2008 Laurent Jouanneau
+* @link       http://www.jelix.org
+* @licence    GNU Lesser General Public Licence see LICENCE file or http://www.gnu.org/licenses/lgpl.html
+*/
+
+/**
+ * Ldap class to connect to a LDAP
+ * @experimental
+ * @since 1.1
+ */
+class jLdap {
+
+    /**
+    * Connect to LDAP server if not connected
+    * @param string $name LDAP profile
+    * @return resource LDAP connection resource.
+    */
+    public static function getConnection( $name = null ) {
+        static $cnxPool = array();
+
+        $profil = self::getProfil($name);
+        if (!isset ($cnxPool[$name])){
+            $cnxPool[$name] = self::_ldapConnect ($profil);
+        }
+
+        return $cnxPool[$name];
+    }
+
+    /**
+    * Computes SSHA.
+    * @param string $pass The password to cipher.
+    * @return string The SSHA, including "{SSHA}".
+    */
+    /*public static function SSHA($pass) {
+        mt_srand((double)microtime()*1000000);
+                $salt = pack("CCCC", mt_rand(), mt_rand(), mt_rand(), mt_rand());
+                $hash = "{SSHA}" . base64_encode(pack("H*", sha1($pass . $salt)) . $salt);
+        return $hash;
+    }*/
+
+    /**
+    * load properties of a connector profil
+    *
+    * a profil is a section in the dbprofils.ini.php file
+    *
+    * with getProfil('myprofil') (or getProfil('myprofil', false)), you get the profil which
+    * has the name "myprofil". this name should correspond to a section name in the ini file
+    *
+    * with getProfil('myprofiltype',true), it will search a parameter named 'myprofiltype' in the ini file.
+    * This parameter should contains a profil name, and the corresponding profil will be loaded.
+    *
+    * with getProfil(), it will load the default profil, (so the profil of "default" type)
+    *
+    * @param string   $name  profil name or profil type to load. if empty, use the default one
+    * @param boolean  $nameIsProfilType  says if the name is a profil name or a profil type. this parameter exists since 1.0b2
+    * @return array  properties
+    */
+    public static function getProfil ($name='', $nameIsProfilType=false) {
+        static $profils = null;
+        global $gJConfig;
+        if($profils === null){
+            $profils = parse_ini_file(JELIX_APP_CONFIG_PATH.$gJConfig->ldapProfils , true);
+        }
+
+        if ($name == '') {
+            if(isset($profils['default']))
+                $name=$profils['default'];
+            else
+                throw new jException('jelix~ldap.error.default.profil.unknow');
+
+        } elseif ($nameIsProfilType) {
+            if (isset($profils[$name]) && is_string($profils[$name])) {
+                $name = $profils[$name];
+            } else {
+                throw new jException('jelix~ldap.error.profil.type.unknow',$name);
+            }
+        }
+
+        if(isset($profils[$name]) && is_array($profils[$name])){
+            $profils[$name]['name'] = $name;
+            return $profils[$name];
+        } else {
+            throw new jException('jelix~ldap.error.profil.unknow',$name);
+        }
+    }
+
+    private static function _ldapConnect($profil) {
+        $cnx = ldap_connect($profil["server"], $profil["port"]);
+        if (!$cnx) {
+            throw new Exception('jelix~ldap.error.connect');
+        } else {
+            if (ldap_set_option($cnx, LDAP_OPT_PROTOCOL_VERSION, 3) === false) {
+                throw new Exception('jelix~ldap.error.set_option');
+            }
+        }
+
+        return new jLdapConnection($cnx, $profil);
+    }
+
+}
+
+/**
+ * Ldap class to query a LDAP. This object is given by jLdap.
+ *
+ * @experimental
+ * @since 1.1
+ */
+class jLdapConnection {
+
+    /**
+     * ldap ressource connection
+     */
+    protected $conn = null
+
+    protected $profile;
+
+    function __construct( $conn, $profile) {
+        $this->conn = $conn;
+        $this->profile = $profile;
+    }
+
+    /**
+    * Get LDAP parameter stored in the profile of the connection
+    * @param string $paramName parameter name
+    * @return string the value
+    */
+    public function getParam($paramName) {
+        if (isset($this->profile[$paramName]))
+            return $this->profile[$paramName];
+        else
+            return null;
+    }
+
+    /**
+    * Bind to server. Handle either login as a DN or email address.
+    * If an email is passed, resolves to a DN and use it after.
+    *
+    * @param string $login Login as a DN or email address.
+    * @param string $password The password to bind with ...
+    * @param string $mailSearch a string definings how to search for email address in LDAP directory.
+    *               Scope is subtree. You can use #USER# and #DOMAIN# for them to be replaced with
+    *               the username and domainame of the email address. Base DN is added to the string.
+    * @param string $mailFilter Which filter to use (e.g. "(objectClass=CourierMailAccount)")
+    * @param string $mailAttrib Which attributes defines the email address ...
+    * @return array Informations array("res" => true/false, "DN" => ..., "password" => ... )
+    */
+    public function bindServer($login, $password, $mailSearch, $mailFilter, $mailAttrib) {
+        $filtre = new jFilter();
+        if ($filtre->isEmail($login)) {
+            $mail = explode("@", $login);
+            // Search an associated mail account to have the DN, to bind
+            $search = str_replace(array("#USER#", "#DOMAIN#"), array($mail[0], $mail[1]), $mailSearch) . "," . $this->getParam('mail_base');
+            if (($result = ldap_search($this->conn, $search, $mailFilter, array($mailAttrib) )) !== false) {
+                $data = ldap_get_entries($this->conn, $result);
+                $DN = $data[0]["dn"];
+            } else {
+                throw new Exception("LDAP search failed !");
+            }
+        } else if ($filtre->isDN($login)) {
+            // we already have a DN... 
+            $DN = $login;
+        } else {
+            throw new Exception("No valid account.");
+        }
+
+        $res = false;
+
+        if (ldap_bind($this->conn, $DN, $password) === false) {
+            throw new Exception("Cannot bind LDAP server.");
+        } else {
+            // Bind OK
+            $res = true;
+        }
+
+        return array("res" => $res, "DN" => $DN, "password" => $password);
+    }
+
+    /**
+    * Add values to the LDAP directory.
+    * @param string $target The DN to play with ...
+    * @param array $valeurs Associative array of attrib => values to put in.
+    */
+    public function add($target, $valeurs) {
+        return ldap_add($this->conn, $target, $valeurs);
+    }
+
+    /**
+    * Modify values of the LDAP directory.
+    * @param string $target The DN to play with ...
+    * @param array $valeurs Associative array of attrib => values to put in.
+    */
+    public function modify($target, $valeurs) {
+        return ldap_modify($this->conn, $target, $valeurs);
+    }
+
+    /**
+    * List in the LDAP directory.
+    * Uses the ldap_list() function ...
+    * @param string $target The DN to list from
+    * @param string $filter The filter to use
+    * @param array $attrib Attributes to get back.
+    * @return array Array of values found.
+    */
+    public function getAll($target, $filter, $attrib) {
+        $list = ldap_list($this->conn, $target, $filter, $attrib);
+        if(!$list)
+            return $list;
+        return ldap_get_entries($this->conn, $list );
+    }
+
+    /**
+    * Search in the LDAP directory.
+    * Uses the ldap_search() function ...
+    * @param string $target The DN to list from
+    * @param string $filter The filter to use
+    * @param array $attrib Attributes to get back.
+    * @return array Array of values found.
+    */
+    public function searchAll( $target, $filter, $attrib) {
+        $list = ldap_search($this->conn, $target, $filter, $attrib);
+        if(!$list)
+            return $list;
+        return ldap_get_entries($this->conn, $list);
+    }
+
+    /**
+    * Search in the LDAP directory. and return only the first entry
+    * Uses the ldap_search() function ...
+    * @param string $target The DN to list from
+    * @param string $filter The filter to use
+    * @param array $attrib Attributes to get back.
+    * @return array found value
+    */
+    public function searchFirst( $target, $filter, $attrib) {
+        $list = ldap_search($this->conn, $target, $filter, $attrib);
+        if(!$list)
+            return $list;
+        $first = ldap_first_entry($this->conn, $list);
+        if(!$first)
+            return $first;
+        return ldap_get_attributes($this->conn, $first);
+    }
+
+
+    /**
+    * Delete from the LDAP directory.
+    * Uses the ldap_delete() function ...
+    * @param string $target The DN to list from
+    * @return boolean Does it worked ? 
+    */
+    public function delete($target) {
+        return ldap_delete($this->conn, $target);
+    }
+
+    /**
+    * Makes a BIND !
+    * @return boolean true or false, wether the bind was successfull or not.
+    */
+    public function reBind()  {
+        $auth = jAuth::getUserSession();
+        $res = $this->bindServer($auth->login, $auth->password, null, null, null);
+        return $res["res"];
+    }
+
+}
+
+
+
+
+
+

lib/jelix/utils/jFilter.class.php

@@ -79 +79 @@
-        return in_array($val, array('true','false','1','0','TRUE', 'FALSE','on','off'));
-    }
-
+    /**
+     * check if the given value looks like a valid Distinguished Name
+     * @param string $val the value
+     * @return boolean true if it looks like a vali DN
+     */
+    static public function isDN($val) {
+        $reg = "/^[a-zA-Z]+=[\.\w\d\s]+(,[a-zA-Z]+=[\.\w\d\s]+)*$/";
+        // echo "Testing $val against $reg.\n<br />";
+        return filter_var($val, FILTER_VALIDATE_REGEXP, array("options" => array("regexp" => $reg)));
+    }
-
-    /**
-     * check if the given value is a float