6 * Module: LDAP Authenticate
8 * Authenticate a user against an LDAP directory
9 * Useful for Windows Active Directory and other LDAP-based organisations
10 * to maintain a single password across the organisation.
12 * Optionally authenticates only if the user is a member of a given group in the directory.
14 * The person must have registered with Friendika using the normal registration
15 * procedures in order to have a Friendika user record, contact, and profile.
17 * Note when using Windows Active Directory: you may need to set TLS_CACERT in your site's
18 * ldap.conf file to the certificate that signed your LDAP server's certificate.
20 * The required configuration options for this module may be set in the .htconfig.php file
23 * $a->config['ldapauth']['ldap_server'] = 'host.example.com';
/**
 * Addon install: registers ldapauth_hook_authenticate for the 'authenticate' hook.
 * Arguments to register_hook are (hook name, addon file, callback function).
 */
30 function ldapauth_install() {
31 register_hook('authenticate', 'addon/ldapauth/ldapauth.php', 'ldapauth_hook_authenticate');
/**
 * Addon uninstall: removes the 'authenticate' hook registration made by
 * ldapauth_install (same hook name, file and callback, so the two stay paired).
 */
35 function ldapauth_uninstall() {
36 unregister_hook('authenticate', 'addon/ldapauth/ldapauth.php', 'ldapauth_hook_authenticate');
/**
 * 'authenticate' hook: accepts the login only if the directory accepts the
 * credentials AND a matching local user row exists.
 *
 * @param object $a  application object (not read here)
 * @param array  $b  by reference; reads 'username' and 'password', and on
 *                   success sets 'user_record' and 'authenticated'
 */
40 function ldapauth_hook_authenticate($a,&$b) {
// NOTE(review): $b['username'] is handed over unescaped and is concatenated
// into the LDAP search filter in ldapauth_authenticate
// ($ldap_userattr . '=' . $username). It should be escaped with
// ldap_escape($username, '', LDAP_ESCAPE_FILTER) before it reaches the filter,
// otherwise a crafted username can change which entry the search matches.
// NOTE(review): the password is sent to the directory in cleartext unless
// ldap_server is an ldaps:// URI; no ldap_start_tls() call is visible in
// ldapauth_authenticate. The strlen($password) guard there matters: an empty
// password bind is typically treated by LDAP servers as an anonymous bind.
41 if(ldapauth_authenticate($b['username'],$b['password'])) {
// Only an unblocked, verified local user with this nickname may log in.
// The '%s' placeholder must receive the escaped username; the argument
// line(s) of this q() call are not shown in this listing — confirm.
42 $results = q("SELECT * FROM `user` WHERE `nickname` = '%s' AND `blocked` = 0 AND `verified` = 1 LIMIT 1",
// presumably guarded by a non-empty $results check on lines not shown here —
// confirm; otherwise an empty result would set 'authenticated' with an empty
// 'user_record'.
46 $b['user_record'] = $results[0];
47 $b['authenticated'] = 1;
54 function ldapauth_authenticate($username,$password) {
56 $ldap_server = get_config('ldapauth','ldap_server');
57 $ldap_binddn = get_config('ldapauth','ldap_binddn');
58 $ldap_bindpw = get_config('ldapauth','ldap_bindpw');
59 $ldap_searchdn = get_config('ldapauth','ldap_searchdn');
60 $ldap_userattr = get_config('ldapauth','ldap_userattr');
61 $ldap_group = get_config('ldapauth','ldap_group');
63 if(! ((strlen($password))
64 && (function_exists('ldap_connect'))
65 && (strlen($ldap_server))))
68 $connect = @ldap_connect($ldap_server);
73 @ldap_set_option($connect, LDAP_OPT_PROTOCOL_VERSION,3);
74 @ldap_set_option($connect, LDAP_OPT_REFERRALS, 0);
75 if((@ldap_bind($connect,$ldap_binddn,$ldap_bindpw)) === false) {
79 $res = @ldap_search($connect,$ldap_searchdn, $ldap_userattr . '=' . $username);
85 $id = @ldap_first_entry($connect,$res);
91 $dn = @ldap_get_dn($connect,$id);
93 if(! @ldap_bind($connect,$dn,$password))
96 if(! strlen($ldap_group))
99 $r = @ldap_compare($connect,$ldap_group,'member',$dn);
101 $err = @ldap_error($connect);
102 $eno = @ldap_errno($connect);
103 @ldap_close($connect);
106 logger("ldapauth: access control group Does Not Exist");
109 elseif ($eno === 16) {
110 logger('ldapauth: membership attribute does not exist in access control group');
114 logger('ldapauth: error: ' . $err);
118 elseif ($r === false) {
119 @ldap_close($connect);