dolibarr  x.y.z
functions_ldap.php
Go to the documentation of this file.
1 <?php
2 /* Copyright (C) 2007-2011 Laurent Destailleur <eldy@users.sourceforge.net>
3  * Copyright (C) 2008-2021 Regis Houssin <regis.houssin@inodbox.com>
4  *
5  * This program is free software; you can redistribute it and/or modify
6  * it under the terms of the GNU General Public License as published by
7  * the Free Software Foundation; either version 3 of the License, or
8  * (at your option) any later version.
9  *
10  * This program is distributed in the hope that it will be useful,
11  * but WITHOUT ANY WARRANTY; without even the implied warranty of
12  * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
13  * GNU General Public License for more details.
14  *
15  * You should have received a copy of the GNU General Public License
16  * along with this program. If not, see <https://www.gnu.org/licenses/>.
17  *
18  */
19 
36 function check_user_password_ldap($usertotest, $passwordtotest, $entitytotest)
37 {
38  global $db, $conf, $langs;
39  global $_POST;
40  global $dolibarr_main_auth_ldap_host, $dolibarr_main_auth_ldap_port;
41  global $dolibarr_main_auth_ldap_version, $dolibarr_main_auth_ldap_servertype;
42  global $dolibarr_main_auth_ldap_login_attribute, $dolibarr_main_auth_ldap_dn;
43  global $dolibarr_main_auth_ldap_admin_login, $dolibarr_main_auth_ldap_admin_pass;
44  global $dolibarr_main_auth_ldap_filter;
45  global $dolibarr_main_auth_ldap_debug;
46 
47  // Force master entity in transversal mode
48  $entity = $entitytotest;
49  if (isModEnabled('multicompany') && !empty($conf->global->MULTICOMPANY_TRANSVERSE_MODE)) {
50  $entity = 1;
51  }
52 
53  $login = '';
54  $resultFetchUser = '';
55 
56  if (!function_exists("ldap_connect")) {
57  dol_syslog("functions_ldap::check_user_password_ldap Authentication KO failed to connect to LDAP. LDAP functions are disabled on this PHP", LOG_ERR);
58  sleep(1);
59 
60  // Load translation files required by the page
61  $langs->loadLangs(array('main', 'other'));
62 
63  $_SESSION["dol_loginmesg"] = $langs->transnoentitiesnoconv("ErrorLDAPFunctionsAreDisabledOnThisPHP").' '.$langs->transnoentitiesnoconv("TryAnotherConnectionMode");
64  return;
65  }
66 
67  if ($usertotest) {
68  dol_syslog("functions_ldap::check_user_password_ldap usertotest=".$usertotest." passwordtotest=".preg_replace('/./', '*', $passwordtotest)." entitytotest=".$entitytotest);
69 
70  // If test username/password asked, we define $test=false and $login var if ok, set $_SESSION["dol_loginmesg"] if ko
71  $ldaphost = $dolibarr_main_auth_ldap_host;
72  $ldapport = $dolibarr_main_auth_ldap_port;
73  $ldapversion = $dolibarr_main_auth_ldap_version;
74  $ldapservertype = (empty($dolibarr_main_auth_ldap_servertype) ? 'openldap' : $dolibarr_main_auth_ldap_servertype);
75 
76  $ldapuserattr = $dolibarr_main_auth_ldap_login_attribute;
77  $ldapdn = $dolibarr_main_auth_ldap_dn;
78  $ldapadminlogin = $dolibarr_main_auth_ldap_admin_login;
79  $ldapadminpass = $dolibarr_main_auth_ldap_admin_pass;
80  $ldapdebug = ((empty($dolibarr_main_auth_ldap_debug) || $dolibarr_main_auth_ldap_debug == "false") ? false : true);
81 
82  if ($ldapdebug) {
83  print "DEBUG: Logging LDAP steps<br>\n";
84  }
85 
86  require_once DOL_DOCUMENT_ROOT.'/core/class/ldap.class.php';
87  $ldap = new Ldap();
88  $ldap->server = explode(',', $ldaphost);
89  $ldap->serverPort = $ldapport;
90  $ldap->ldapProtocolVersion = $ldapversion;
91  $ldap->serverType = $ldapservertype;
92  $ldap->searchUser = $ldapadminlogin;
93  $ldap->searchPassword = $ldapadminpass;
94 
95  if ($ldapdebug) {
96  dol_syslog("functions_ldap::check_user_password_ldap Server:".join(',', $ldap->server).", Port:".$ldap->serverPort.", Protocol:".$ldap->ldapProtocolVersion.", Type:".$ldap->serverType);
97  dol_syslog("functions_ldap::check_user_password_ldap uid/samaccountname=".$ldapuserattr.", dn=".$ldapdn.", Admin:".$ldap->searchUser.", Pass:".dol_trunc($ldap->searchPassword, 3));
98  print "DEBUG: Server:".join(',', $ldap->server).", Port:".$ldap->serverPort.", Protocol:".$ldap->ldapProtocolVersion.", Type:".$ldap->serverType."<br>\n";
99  print "DEBUG: uid/samaccountname=".$ldapuserattr.", dn=".$ldapdn.", Admin:".$ldap->searchUser.", Pass:".dol_trunc($ldap->searchPassword, 3)."<br>\n";
100  }
101 
102  $resultFetchLdapUser = 0;
103 
104  // Define $userSearchFilter
105  $userSearchFilter = "";
106  if (empty($dolibarr_main_auth_ldap_filter)) {
107  $userSearchFilter = "(".$ldapuserattr."=".$usertotest.")";
108  } else {
109  $userSearchFilter = str_replace('%1%', $usertotest, $dolibarr_main_auth_ldap_filter);
110  }
111 
112  // If admin login or ldap auth filter provided
113  // Code to get user in LDAP from an admin connection (may differ from user connection, done later)
114  if ($ldapadminlogin || $dolibarr_main_auth_ldap_filter) {
115  $result = $ldap->connect_bind();
116  if ($result > 0) {
117  $resultFetchLdapUser = $ldap->fetch($usertotest, $userSearchFilter);
118  //dol_syslog('functions_ldap::check_user_password_ldap resultFetchLdapUser='.$resultFetchLdapUser);
119  if ($resultFetchLdapUser > 0 && $ldap->pwdlastset == 0) { // If ok but password need to be reset
120  dol_syslog('functions_ldap::check_user_password_ldap '.$usertotest.' must change password next logon');
121  if ($ldapdebug) {
122  print "DEBUG: User ".$usertotest." must change password<br>\n";
123  }
124  $ldap->unbind();
125  sleep(1); // Anti brut force protection. Must be same delay when user and password are not valid.
126  $langs->load('ldap');
127  $_SESSION["dol_loginmesg"] = $langs->transnoentitiesnoconv("YouMustChangePassNextLogon", $usertotest, $ldap->domainFQDN);
128  return '';
129  }
130  } else {
131  if ($ldapdebug) {
132  print "DEBUG: ".$ldap->error."<br>\n";
133  }
134  }
135  $ldap->unbind();
136  }
137 
138  // Forge LDAP user and password to test with them
139  // If LDAP need a dn with login like "uid=jbloggs,ou=People,dc=foo,dc=com", default dn may work even if previous code with
140  // admin login no exectued.
141  $ldap->searchUser = $ldapuserattr."=".$usertotest.",".$ldapdn; // Default dn (will work if LDAP accept a dn with login value inside)
142  // But if LDAP need a dn with name like "cn=Jhon Bloggs,ou=People,dc=foo,dc=com", previous part must have been executed to have
143  // dn detected into ldapUserDN.
144  if ($resultFetchLdapUser && !empty($ldap->ldapUserDN)) {
145  $ldap->searchUser = $ldap->ldapUserDN;
146  }
147  $ldap->searchPassword = $passwordtotest;
148 
149  // Test with this->seachUser and this->searchPassword
150  //print $resultFetchLdapUser."-".$ldap->ldapUserDN."-".$ldap->searchUser.'-'.$ldap->searchPassword;exit;
151  $result = $ldap->connect_bind();
152  if ($result > 0) {
153  if ($result == 2) { // Connection is ok for user/pass into LDAP
154  $login = $usertotest;
155  dol_syslog("functions_ldap::check_user_password_ldap $login authentication ok");
156  // For the case, we search the user id using a search key without the login (but using other fields like id),
157  // we need to get the real login to use in the ldap answer.
158  if (!empty($conf->global->LDAP_FIELD_LOGIN) && !empty($ldap->login)) {
159  $login = $ldap->login;
160  dol_syslog("functions_ldap::check_user_password_ldap login is now $login (LDAP_FIELD_LOGIN=".getDolGlobalString('LDAP_FIELD_LOGIN').")");
161  }
162 
163  require_once DOL_DOCUMENT_ROOT.'/core/lib/date.lib.php';
164 
165  $tmpuser = new User($db);
166  $tmpuser->fetch('', $login, '', 1, ($entitytotest > 0 ? $entitytotest : -1));
167 
168  $now = dol_now();
169  if ($tmpuser->datestartvalidity && $db->jdate($tmpuser->datestartvalidity) >= $now) {
170  $ldap->unbind();
171  // Load translation files required by the page
172  $langs->loadLangs(array('main', 'errors'));
173  $_SESSION["dol_loginmesg"] = $langs->transnoentitiesnoconv("ErrorLoginDateValidity");
174  return '--bad-login-validity--';
175  }
176  if ($tmpuser->dateendvalidity && $db->jdate($tmpuser->dateendvalidity) <= dol_get_first_hour($now)) {
177  $ldap->unbind();
178  // Load translation files required by the page
179  $langs->loadLangs(array('main', 'errors'));
180  $_SESSION["dol_loginmesg"] = $langs->transnoentitiesnoconv("ErrorLoginDateValidity");
181  return '--bad-login-validity--';
182  }
183 
184  // ldap2dolibarr synchronisation
185  if ($login && !empty($conf->ldap->enabled) && getDolGlobalInt('LDAP_SYNCHRO_ACTIVE') == Ldap::SYNCHRO_LDAP_TO_DOLIBARR) { // ldap2dolibarr synchronization
186  dol_syslog("functions_ldap::check_user_password_ldap Sync ldap2dolibarr");
187 
188  // On charge les attributs du user ldap
189  if ($ldapdebug) {
190  print "DEBUG: login ldap = ".$login."<br>\n";
191  }
192  $resultFetchLdapUser = $ldap->fetch($login, $userSearchFilter);
193 
194  if ($ldapdebug) {
195  print "DEBUG: UACF = ".join(',', $ldap->uacf)."<br>\n";
196  }
197  if ($ldapdebug) {
198  print "DEBUG: pwdLastSet = ".dol_print_date($ldap->pwdlastset, 'day')."<br>\n";
199  }
200  if ($ldapdebug) {
201  print "DEBUG: badPasswordTime = ".dol_print_date($ldap->badpwdtime, 'day')."<br>\n";
202  }
203 
204  // On recherche le user dolibarr en fonction de son SID ldap (only for Active Directory)
205  $sid = null;
206  if ($conf->global->LDAP_SERVER_TYPE == "activedirectory") {
207  $sid = $ldap->getObjectSid($login);
208  if ($ldapdebug) {
209  print "DEBUG: sid = ".$sid."<br>\n";
210  }
211  }
212 
213  $usertmp = new User($db);
214  $resultFetchUser = $usertmp->fetch('', $login, $sid, 1, ($entitytotest > 0 ? $entitytotest : -1));
215  if ($resultFetchUser > 0) {
216  dol_syslog("functions_ldap::check_user_password_ldap Sync user found user id=".$usertmp->id);
217  // On verifie si le login a change et on met a jour les attributs dolibarr
218 
219  if ($usertmp->login != $ldap->login && $ldap->login) {
220  $usertmp->login = $ldap->login;
221  $usertmp->update($usertmp);
222  // TODO Que faire si update echoue car on update avec un login deja existant pour un autre compte.
223  }
224 
225  //$resultUpdate = $usertmp->update_ldap2dolibarr($ldap);
226  }
227 
228  unset($usertmp);
229  }
230 
231  if (isModEnabled('multicompany')) { // We must check entity (even if sync is not active)
232  global $mc;
233 
234  $usertmp = new User($db);
235  $usertmp->fetch('', $login);
236  if (is_object($mc)) {
237  $ret = $mc->checkRight($usertmp->id, $entitytotest);
238  if ($ret < 0) {
239  dol_syslog("functions_ldap::check_user_password_ldap Authentication KO entity '".$entitytotest."' not allowed for user id '".$usertmp->id."'", LOG_NOTICE);
240  $login = ''; // force authentication failure
241  }
242  unset($usertmp);
243  }
244  }
245  }
246  if ($result == 1) {
247  dol_syslog("functions_ldap::check_user_password_ldap Authentication KO bad user/password for '".$usertotest."'", LOG_NOTICE);
248  sleep(1); // Anti brut force protection. Must be same delay when user and password are not valid.
249 
250  // Load translation files required by the page
251  $langs->loadLangs(array('main', 'other'));
252 
253  $_SESSION["dol_loginmesg"] = $langs->transnoentitiesnoconv("ErrorBadLoginPassword");
254  }
255  } else {
256  /* Login failed. Return false, together with the error code and text from
257  ** the LDAP server. The common error codes and reasons are listed below :
258  ** (for iPlanet, other servers may differ)
259  ** 19 - Account locked out (too many invalid login attempts)
260  ** 32 - User does not exist
261  ** 49 - Wrong password
262  ** 53 - Account inactive (manually locked out by administrator)
263  */
264  dol_syslog("functions_ldap::check_user_password_ldap Authentication KO failed to connect to LDAP for '".$usertotest."'", LOG_NOTICE);
265  if (is_resource($ldap->connection) || is_object($ldap->connection)) { // If connection ok but bind ko
266  $ldap->ldapErrorCode = ldap_errno($ldap->connection);
267  $ldap->ldapErrorText = ldap_error($ldap->connection);
268  dol_syslog("functions_ldap::check_user_password_ldap ".$ldap->ldapErrorCode." ".$ldap->ldapErrorText);
269  }
270  sleep(1); // Anti brut force protection. Must be same delay when user and password are not valid.
271 
272  // Load translation files required by the page
273  $langs->loadLangs(array('main', 'other', 'errors'));
274  $_SESSION["dol_loginmesg"] = ($ldap->error ? $ldap->error : $langs->transnoentitiesnoconv("ErrorBadLoginPassword"));
275  }
276 
277  $ldap->unbind();
278  }
279 
280  return $login;
281 }
Ldap
Class to manage LDAP features.
Definition: ldap.class.php:35
Ldap\SYNCHRO_LDAP_TO_DOLIBARR
const SYNCHRO_LDAP_TO_DOLIBARR
Ldap to Dolibarr synchronization.
Definition: ldap.class.php:138
User
Class to manage Dolibarr users.
Definition: user.class.php:45
dol_get_first_hour
dol_get_first_hour($date, $gm='tzserver')
Return GMT time for first hour of a given GMT date (it removes hours, min and second part)
Definition: date.lib.php:635
dol_now
dol_now($mode='auto')
Return date for now.
Definition: functions.lib.php:2916
getDolGlobalInt
getDolGlobalInt($key, $default=0)
Return dolibarr global constant int value.
Definition: functions.lib.php:96
getDolGlobalString
if(!function_exists('utf8_encode')) if(!function_exists('utf8_decode')) getDolGlobalString($key, $default='')
Return dolibarr global constant string value.
Definition: functions.lib.php:82
dol_trunc
dol_trunc($string, $size=40, $trunc='right', $stringencoding='UTF-8', $nodot=0, $display=0)
Truncate a string to a particular length adding '…' if string larger than length.
Definition: functions.lib.php:3914
isModEnabled
isModEnabled($module)
Is Dolibarr module enabled.
Definition: functions.lib.php:137
dol_syslog
dol_syslog($message, $level=LOG_INFO, $ident=0, $suffixinfilename='', $restricttologhandler='', $logcontext=null)
Write log message into outputs.
Definition: functions.lib.php:1611
check_user_password_ldap
check_user_password_ldap($usertotest, $passwordtotest, $entitytotest)
Check validity of user/password/entity If test is ko, reason must be filled into $_SESSION["dol_login...
Definition: functions_ldap.php:36
Generated on Wed Jan 4 2023 18:05:22 for dolibarr by Doxygen 1.9.1