plugins/LdapAuthorization/LdapAuthorizationPlugin.php

   1 <?php
   2 /**
   3  * StatusNet, the distributed open-source microblogging tool
   4  *
   5  * Plugin to enable LDAP Authorization
   6  *
   7  * PHP version 5
   8  *
   9  * LICENCE: This program is free software: you can redistribute it and/or modify
  10  * it under the terms of the GNU Affero General Public License as published by
  11  * the Free Software Foundation, either version 3 of the License, or
  12  * (at your option) any later version.
  13  *
  14  * This program is distributed in the hope that it will be useful,
  15  * but WITHOUT ANY WARRANTY; without even the implied warranty of
  16  * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the
  17  * GNU Affero General Public License for more details.
  18  *
  19  * You should have received a copy of the GNU Affero General Public License
  20  * along with this program.  If not, see <http://www.gnu.org/licenses/>.
  21  *
  22  * @category  Plugin
  23  * @package   StatusNet
  24  * @author    Craig Andrews <candrews@integralblue.com>
  25  * @copyright 2009 Craig Andrews http://candrews.integralblue.com
  26  * @license   http://www.fsf.org/licensing/licenses/agpl-3.0.html GNU Affero General Public License version 3.0
  27  * @link      http://status.net/
  28  */
  29
  30 if (!defined('STATUSNET') && !defined('LACONICA')) {
  31     exit(1);
  32 }
  33
  34 require_once 'Net/LDAP2.php';
  35
  36 class LdapAuthorizationPlugin extends AuthorizationPlugin
  37 {
  38     public $host=null;
  39     public $port=null;
  40     public $version=null;
  41     public $starttls=null;
  42     public $binddn=null;
  43     public $bindpw=null;
  44     public $basedn=null;
  45     public $options=null;
  46     public $filter=null;
  47     public $scope=null;
  48     public $provider_name = null;
  49     public $uniqueMember_attribute = null;
  50     public $roles_to_groups = array();
  51     public $login_group = null;
  52     public $attributes = array();
  53
  54     function onInitializePlugin(){
  55         if(!isset($this->host)){
  56             throw new Exception("must specify a host");
  57         }
  58         if(!isset($this->basedn)){
  59             throw new Exception("must specify a basedn");
  60         }
  61         if(!isset($this->provider_name)){
  62             throw new Exception("provider_name must be set. Use the provider_name from the LDAP Authentication plugin.");
  63         }
  64         if(!isset($this->uniqueMember_attribute)){
  65             throw new Exception("uniqueMember_attribute must be set.");
  66         }
  67         if(!isset($this->attributes['username'])){
  68             throw new Exception("username attribute must be set.");
  69         }
  70     }
  71
  72     //---interface implementation---//
  73     function loginAllowed($user) {
  74         $user_username = new User_username();
  75         $user_username->user_id=$user->id;
  76         $user_username->provider_name=$this->provider_name;
  77         if($user_username->find() && $user_username->fetch()){
  78             $entry = $this->ldap_get_user($user_username->username);
  79             if($entry){
  80                 if(isset($this->login_group)){
  81                     if(is_array($this->login_group)){
  82                         foreach($this->login_group as $group){
  83                             if($this->ldap_is_dn_member_of_group($entry->dn(),$group)){
  84                                 return true;
  85                             }
  86                         }
  87                     }else{
  88                         if($this->ldap_is_dn_member_of_group($entry->dn(),$this->login_group)){
  89                             return true;
  90                         }
  91                     }
  92                     return null;
  93                 }else{
  94                     //if a user exists, we can assume he's allowed to login
  95                     return true;
  96                 }
  97             }else{
  98                 return null;
  99             }
 100         }else{
 101             return null;
 102         }
 103     }
 104
 105     function hasRole($profile, $name) {
 106         $user_username = new User_username();
 107         $user_username->user_id=$profile->id;
 108         $user_username->provider_name=$this->provider_name;
 109         if($user_username->find() && $user_username->fetch()){
 110             $entry = $this->ldap_get_user($user_username->username);
 111             if($entry){
 112                 if(isset($this->roles_to_groups[$name])){
 113                     if(is_array($this->roles_to_groups[$name])){
 114                         foreach($this->roles_to_groups[$name] as $group){
 115                             if($this->ldap_is_dn_member_of_group($entry->dn(),$group)){
 116                                 return true;
 117                             }
 118                         }
 119                     }else{
 120                         if($this->ldap_is_dn_member_of_group($entry->dn(),$this->roles_to_groups[$name])){
 121                             return true;
 122                         }
 123                     }
 124                 }
 125             }
 126         }
 127         return false;
 128     }
 129
 130     function ldap_is_dn_member_of_group($userDn, $groupDn)
 131     {
 132         $ldap = $this->ldap_get_connection();
 133         $link = $ldap->getLink();
 134         $r = @ldap_compare($link, $groupDn, $this->uniqueMember_attribute, $userDn);
 135         if ($r === true){
 136             return true;
 137         }else if($r === false){
 138             return false;
 139         }else{
 140             common_log(LOG_ERR, "LDAP error determining if userDn=$userDn is a member of groupDn=groupDn using uniqueMember_attribute=$this->uniqueMember_attribute error: ".ldap_error($link));
 141             return false;
 142         }
 143     }
 144
 145     function ldap_get_config(){
 146         $config = array();
 147         $keys = array('host','port','version','starttls','binddn','bindpw','basedn','options','filter','scope');
 148         foreach($keys as $key){
 149             $value = $this->$key;
 150             if($value!==null){
 151                 $config[$key]=$value;
 152             }
 153         }
 154         return $config;
 155     }
 156
 157     //-----the below function were copied from LDAPAuthenticationPlugin. They will be moved to a utility class soon.----\\
 158     function ldap_get_connection($config = null){
 159         if($config == null && isset($this->default_ldap)){
 160             return $this->default_ldap;
 161         }
 162
 163         //cannot use Net_LDAP2::connect() as StatusNet uses
 164         //PEAR::setErrorHandling(PEAR_ERROR_CALLBACK, 'handleError');
 165         //PEAR handling can be overridden on instance objects, so we do that.
 166         $ldap = new Net_LDAP2(isset($config)?$config:$this->ldap_get_config());
 167         $ldap->setErrorHandling(PEAR_ERROR_RETURN);
 168         $err=$ldap->bind();
 169         if (Net_LDAP2::isError($err)) {
 170             // if we were called with a config, assume caller will handle
 171             // incorrect username/password (LDAP_INVALID_CREDENTIALS)
 172             if (isset($config) && $err->getCode() == 0x31) {
 173                 return null;
 174             }
 175             throw new Exception('Could not connect to LDAP server: '.$err->getMessage());
 176             return false;
 177         }
 178         if($config == null) $this->default_ldap=$ldap;
 179         return $ldap;
 180     }
 181
 182     /**
 183      * get an LDAP entry for a user with a given username
 184      *
 185      * @param string $username
 186      * $param array $attributes LDAP attributes to retrieve
 187      * @return string DN
 188      */
 189     function ldap_get_user($username,$attributes=array(),$ldap=null){
 190         if($ldap==null) {
 191             $ldap = $this->ldap_get_connection();
 192         }
 193         if(! $ldap) {
 194             throw new Exception("Could not connect to LDAP");
 195         }
 196         $filter = Net_LDAP2_Filter::create($this->attributes['username'], 'equals',  $username);
 197         $options = array(
 198             'attributes' => $attributes
 199         );
 200         $search = $ldap->search(null,$filter,$options);
 201
 202         if (PEAR::isError($search)) {
 203             common_log(LOG_WARNING, 'Error while getting DN for user: '.$search->getMessage());
 204             return false;
 205         }
 206
 207         if($search->count()==0){
 208             return false;
 209         }else if($search->count()==1){
 210             $entry = $search->shiftEntry();
 211             return $entry;
 212         }else{
 213             common_log(LOG_WARNING, 'Found ' . $search->count() . ' ldap user with the username: ' . $username);
 214             return false;
 215         }
 216     }
 217
 218     function onPluginVersion(&$versions)
 219     {
 220         $versions[] = array('name' => 'LDAP Authorization',
 221                             'version' => STATUSNET_VERSION,
 222                             'author' => 'Craig Andrews',
 223                             'homepage' => 'http://status.net/wiki/Plugin:LdapAuthorization',
 224                             'rawdescription' =>
 225                             _m('The LDAP Authorization plugin allows for StatusNet to handle authorization through LDAP.'));
 226         return true;
 227     }
 228 }