<?php/** * simple class for LDAP authentification *  Copyright (C) 2013 Petr PalasThis program is free software; you can redistribute it and/ormodify it under the terms of the GNU General Public Licenseas published by the Free Software Foundation; either version 2of the License, or (at your option) any later version.This program is distributed in the hope that it will be useful,but WITHOUT ANY WARRANTY; without even the implied warranty ofMERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See theGNU General Public License for more details.You should have received a copy of the GNU General Public Licensealong with this program; if not, write to the Free SoftwareFoundation, Inc., 59 Temple Place - Suite 330, Boston, MA  02111-1307, USA. * inspired by http://samjlevy.com/2010/09/php-login-script-using-ldap-verify-group-membership/ */ namespace LDAP;use Exception;class auth {    /**     * url or ip of ldap server     * @var type string     */    protected $ldap_host;    /**     * active directory DN     * @var type string     */    protected $ldap_dn;    /**     * target user group     * @var type string     */    protected $ldap_user_group;    /**     * manager group (shud contain users with management access)     * @var type string     */    protected $ldap_manager_group;    /**     * contains email domain like "@somedomain.com"     * @var type string     */    protected $ldap_usr_dom;        /**     * countains connection resource     * @var type resource     */    protected $ldap;        /**     * contains status text     * if exeption is thrown msg contains this string     * @var type string     */    public $status;    /**     * contains result array if ldap_search is succesfull     * @var type array     */    public $result;    /**     * contains auth state 0=unathrized 1=authorized     * @var type int     */    public $auth=0;    /**     * contains access level 0=none or unathorized 1=user 2=managment acc     * @var type int     */    public $access=0;        /**     * contains username after user init     * @var type string     */    public $user;        /**     * contain user password after user init     * @var type string     */    protected $password;        /**     * Exeptions code constants     */    const ERROR_WRONG_USER_GROUP=2;    const ERROR_CANT_AUTH=1;    const ERROR_CANT_SEARCH=3;    const ERROR_IMG_DECODE=4;    const ERROR_CANT_CONNECT=5;    /**     * loads passed configuration in case of the ldap_usr_dom it makes sure that this strings begins with ‘@‘      * @param type $ldap_host     * @param type $ldap_dn     * @param type $ldap_user_group     * @param type $ldap_manager_group     * @param type $ldap_usr_dom     */    function __construct($ldap_host,$ldap_dn,$ldap_user_group,$ldap_manager_group,$ldap_usr_dom) {        $this->ldap_host=$ldap_host;        $this->ldap_dn=$ldap_dn;        $this->ldap_user_group=$ldap_user_group;        $this->ldap_manager_group=$ldap_manager_group;        $this->ldap_usr_dom=  ‘@‘.trim($ldap_usr_dom,‘@‘);    }        /**     * well destructor :P     * just in case there is opened connection to LDAP while destructing this class     */    public function __destruct() {        @ldap_unbind($this->ldap);    }        /**     * dumps result array for debug enclosed in pre tag     * Wont terminate script!     */    public function dump_resut() {        echo ‘<pre>‘;        print_r($this->result,FALSE);        echo ‘</pre>‘;    }        /**     * Inits connection to LDAP server throws exeption on failure     * @return boolean     * @throws Exception     */    protected function init_connection(){        $this->ldap=ldap_connect($this->ldap_host,3268);        if($this->ldap){            $this->status=‘connected :)‘;            ldap_set_option($this->ldap, LDAP_OPT_PROTOCOL_VERSION,3);            ldap_set_option($this->ldap, LDAP_OPT_REFERRALS,0);        }        else {            //TODO: PHP actualy dont check if there is LDAP present on the other end nor it will fail if target host is unreachable. So I need some work around that :(            $this->status=‘Cant connect to LDAP‘;            throw new Exception($this->status,  self::ERROR_CANT_CONNECT);        }        return TRUE;    }        public function userInit($user,$password) {        $this->user=$user;        $this->password=$password;                return TRUE;    }        /**     * Converts Binary string (like thumbnail from LDAP to base64 datastring for display     * @param type $file     * @param type $mime     * @return type base64 datastring     */    protected function data_uri($file, $mime) {        $base64   = base64_encode($file);       return (‘data:‘ . $mime . ‘;base64,‘ . $base64);    }        /**     * Gets LDAP thumbnail img     * @param type $user     * @param type $password     * @param type $raw if TRUE method will return raw binary string instead of base64 encoded with mime     * @return type base64 datatring of the thumbnail     * @throws Exception     */    public function getLDAPimg($user=null,$password=null,$raw=FALSE) {        $this->refreshCredentials($user, $password);        //since conection is one off we need to get it        $this->init_connection();                $bind = @ldap_bind($this->ldap, $user . $this->ldap_usr_dom, $password);//ldap_bind($this->ldap, $this->ldap_dn, $password);                if($bind){            $filter = "(sAMAccountName=" . $user . ")";            $attr = array("thumbnailphoto");            $result = @ldap_search($this->ldap, $this->ldap_dn, $filter, $attr);            if($result==FALSE){                throw new Exception("Unable to search LDAP server. Reason: ".  ldap_error($this->ldap),  self::ERROR_CANT_SEARCH);            }              $entry= ldap_first_entry($this->ldap, $result);            if ($entry) {                $info = @ldap_get_values_len($this->ldap, $entry, "thumbnailphoto");                if(!$info){                   throw new Exception("Unable to decode thumbnail. Error: ".  ldap_error($this->ldap),  self::ERROR_IMG_DECODE);                }                //echo ‘<img src="http://www.mamicode.com/‘.$this->data_uri($info[0], ‘image/png‘).‘">‘;            }                                    if(!$raw){                return $this->data_uri($info[0], ‘image/png‘);            }            else{                return $info[0];            }        }        else {            // invalid name or password            $this->status=‘Cant authenticate for search on LDAP‘;            throw new Exception($this->status.‘ ‘.  ldap_error($this->ldap), self::ERROR_CANT_AUTH);        }        ldap_unbind($this->ldap);    }        /**     * Tries to authenticate suplied user with suplied pass     * @param type $user     * @param type $password     * @return boolean     * @throws Exception     */    public function authenticate($user=null, $password=null) {       $this->refreshCredentials($user, $password);        //since conection is one off we need to get it        $this->init_connection();                // verify user and password        $bind = @ldap_bind($this->ldap, $user . $this->ldap_usr_dom, $password);                if($bind) {            // valid            // check presence in groups            $filter = "(sAMAccountName=" . $user . ")";            $attr = array("memberof");            $result = @ldap_search($this->ldap, $this->ldap_dn, $filter, $attr);            if($result==FALSE){                 throw new Exception("Unable to search LDAP server. Reason: ".  ldap_error($this->ldap),  self::ERROR_CANT_SEARCH);            }              $entries = ldap_get_entries($this->ldap, $result);                        //save result for future use            $this->result=$entries;                                    $access = 0;                        // check groups            foreach($entries[0][‘memberof‘] as $grps) {                // is manager, break loop                if (strpos($grps, $this->ldap_manager_group)) { $access = 2; break; }                // is user                if (strpos($grps, $this->ldap_user_group)) $access = 1;            }            if ($access != 0) {                // establish result vars                                $this->status=‘Authenticated‘;                $this->access=$access;                $this->user= $user;                $this->auth=1;                return true;            } else {                // user has no rights                $this->access=$access;                $this->user= $user;                $this->auth=1;                $this->status=‘User exists but not part of the target group‘;                throw new Exception($this->status.‘ ‘.  ldap_error($this->ldap),  self::ERROR_WRONG_USER_GROUP);            }        } else {            // invalid name or password            $this->status=‘Cant authenticate for search on LDAP‘;            throw new Exception($this->status.‘ ‘.  ldap_error($this->ldap),  self::ERROR_CANT_AUTH);        }        ldap_unbind($this->ldap);    }        /**     * Saves new credentials if we got new or sets the old ones into referenced vars     * @param type $user Reference to var that shuld contain username or null     * @param type $password Reference to var that shuld contain password or null     */    private function refreshCredentials(&$user,&$password) {        $newCredentials=TRUE;        //since we cant set those in param def        if($password===null){$password=  $this->password;$newCredentials=FALSE;}        if($user===null){$user=  $this->user;$newCredentials=FALSE;}        //store user pass and name for future use        if($newCredentials){$this->userInit($user, $password);}    }}