plugins/LdapAuthorization/LdapAuthorizationPlugin.php

   1 <?php
   2 /**
   3  * StatusNet, the distributed open-source microblogging tool
   4  *
   5  * Plugin to enable LDAP Authorization
   6  *
   7  * PHP version 5
   8  *
   9  * LICENCE: This program is free software: you can redistribute it and/or modify
  10  * it under the terms of the GNU Affero General Public License as published by
  11  * the Free Software Foundation, either version 3 of the License, or
  12  * (at your option) any later version.
  13  *
  14  * This program is distributed in the hope that it will be useful,
  15  * but WITHOUT ANY WARRANTY; without even the implied warranty of
  16  * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the
  17  * GNU Affero General Public License for more details.
  18  *
  19  * You should have received a copy of the GNU Affero General Public License
  20  * along with this program.  If not, see <http://www.gnu.org/licenses/>.
  21  *
  22  * @category  Plugin
  23  * @package   StatusNet
  24  * @author    Craig Andrews <candrews@integralblue.com>
  25  * @copyright 2009 Craig Andrews http://candrews.integralblue.com
  26  * @license   http://www.fsf.org/licensing/licenses/agpl-3.0.html GNU Affero General Public License version 3.0
  27  * @link      http://status.net/
  28  */
  29
  30 if (!defined('STATUSNET') && !defined('LACONICA')) {
  31     exit(1);
  32 }
  33
  34 require_once INSTALLDIR.'/plugins/Authorization/AuthorizationPlugin.php';
  35 require_once 'Net/LDAP2.php';
  36
  37 class LdapAuthorizationPlugin extends AuthorizationPlugin
  38 {
  39     public $host=null;
  40     public $port=null;
  41     public $version=null;
  42     public $starttls=null;
  43     public $binddn=null;
  44     public $bindpw=null;
  45     public $basedn=null;
  46     public $options=null;
  47     public $filter=null;
  48     public $scope=null;
  49     public $provider_name = null;
  50     public $uniqueMember_attribute = null;
  51     public $roles_to_groups = null;
  52     public $login_group = null;
  53
  54     function onInitializePlugin(){
  55         parent::onInitializePlugin();
  56         if(!isset($this->host)){
  57             throw new Exception("must specify a host");
  58         }
  59         if(!isset($this->basedn)){
  60             throw new Exception("must specify a basedn");
  61         }
  62         if(!isset($this->provider_name)){
  63             throw new Exception("provider_name must be set. Use the provider_name from the LDAP Authentication plugin.");
  64         }
  65         if(!isset($this->uniqueMember_attribute)){
  66             throw new Exception("uniqueMember_attribute must be set.");
  67         }
  68         if(!isset($this->roles_to_groups)){
  69             throw new Exception("roles_to_groups must be set.");
  70         }
  71     }
  72
  73     //---interface implementation---//
  74     function loginAllowed($user) {
  75         $user_username = new User_username();
  76         $user_username->user_id=$user->id;
  77         $user_username->provider_name=$this->provider_name;
  78         if($user_username->find() && $user_username->fetch()){
  79             $entry = $this->ldap_get_user($user_username->username);
  80             if($entry){
  81                 if(isset($this->login_group)){
  82                     if(is_array($this->login_group)){
  83                         foreach($this->login_group as $group){
  84                             if($this->isMemberOfGroup($entry->dn(),$group)){
  85                                 return true;
  86                             }
  87                         }
  88                     }else{
  89                         if($this->isMemberOfGroup($entry->dn(),login_group)){
  90                             return true;
  91                         }
  92                     }
  93                     return null;
  94                 }else{
  95                     //if a user exists, we can assume he's allowed to login
  96                     return true;
  97                 }
  98             }else{
  99                 return null;
 100             }
 101         }else{
 102             return null;
 103         }
 104     }
 105
 106     function hasRole($profile, $name) {
 107         $user_username = new User_username();
 108         $user_username->user_id=$profile->id;
 109         $user_username->provider_name=$this->provider_name;
 110         if($user_username->find() && $user_username->fetch()){
 111             $entry = $this->ldap_get_user($user_username->username);
 112             if($entry){
 113                 if(isset($this->roles_to_groups[$name])){
 114                     if(is_array($this->roles_to_groups[$name])){
 115                         foreach($this->roles_to_groups[$name] as $group){
 116                             if($this->isMemberOfGroup($entry->dn(),$group)){
 117                                 return true;
 118                             }
 119                         }
 120                     }else{
 121                         if($this->isMemberOfGroup($entry->dn(),$this->roles_to_groups[$name])){
 122                             return true;
 123                         }
 124                     }
 125                 }
 126             }
 127         }
 128         return false;
 129     }
 130
 131     function isMemberOfGroup($userDn, $groupDn)
 132     {
 133         $ldap = ldap_get_connection();
 134         $link = $ldap->getLink();
 135         $r = ldap_compare($link, $groupDn, $this->uniqueMember_attribute, $userDn);
 136         if ($r === true){
 137             return true;
 138         }else if($r === false){
 139             return false;
 140         }else{
 141             common_log(LOG_ERR, ldap_error($r));
 142             return false;
 143         }
 144     }
 145 }