plugins/password/drivers/ldap_simple.php

   1 <?php
   2
   3 /**
   4  * Simple LDAP Password Driver
   5  *
   6  * Driver for passwords stored in LDAP
   7  * This driver is based on Edouard's LDAP Password Driver, but does not
   8  * require PEAR's Net_LDAP2 to be installed
   9  *
  10  * @version 1.0 (2010-07-31)
  11  * @author Wout Decre <wout@canodus.be>
  12  */
  13 function password_save($curpass, $passwd)
  14 {
  15         $rcmail = rcmail::get_instance();
  16
  17         // Connect
  18         if (!$ds = ldap_connect($rcmail->config->get('password_ldap_host'), $rcmail->config->get('password_ldap_port'))) {
  19                 ldap_unbind($ds);
  20                 return PASSWORD_CONNECT_ERROR;
  21         }
  22
  23         // Set protocol version
  24         if (!ldap_set_option($ds, LDAP_OPT_PROTOCOL_VERSION, $rcmail->config->get('password_ldap_version'))) {
  25                 ldap_unbind($ds);
  26                 return PASSWORD_CONNECT_ERROR;
  27         }
  28
  29         // Start TLS
  30         if ($rcmail->config->get('password_ldap_starttls')) {
  31                 if (!ldap_start_tls($ds)) {
  32                         ldap_unbind($ds);
  33                         return PASSWORD_CONNECT_ERROR;
  34                 }
  35         }
  36
  37         // Build user DN
  38         if ($user_dn = $rcmail->config->get('password_ldap_userDN_mask')) {
  39                 $user_dn = ldap_simple_substitute_vars($user_dn);
  40         } else {
  41                 $user_dn = ldap_simple_search_userdn($rcmail, $ds);
  42         }
  43
  44         if (empty($user_dn)) {
  45                 ldap_unbind($ds);
  46                 return PASSWORD_CONNECT_ERROR;
  47         }
  48
  49         // Connection method
  50         switch ($rcmail->config->get('password_ldap_method')) {
  51                 case 'admin':
  52                         $binddn = $rcmail->config->get('password_ldap_adminDN');
  53                         $bindpw = $rcmail->config->get('password_ldap_adminPW');
  54                         break;
  55                 case 'user':
  56                 default:
  57                         $binddn = $user_dn;
  58                         $bindpw = $curpass;
  59                         break;
  60         }
  61
  62
  63         $crypted_pass = ldap_simple_hash_password($passwd, $rcmail->config->get('password_ldap_encodage'));
  64         $lchattr      = $rcmail->config->get('password_ldap_lchattr');
  65         $pwattr       = $rcmail->config->get('password_ldap_pwattr');
  66     $smbpwattr    = $rcmail->config->get('password_ldap_samba_pwattr');
  67     $smblchattr   = $rcmail->config->get('password_ldap_samba_lchattr');
  68     $samba        = $rcmail->config->get('password_ldap_samba');
  69
  70     // Support password_ldap_samba option for backward compat.
  71     if ($samba && !$smbpwattr) {
  72         $smbpwattr  = 'sambaNTPassword';
  73         $smblchattr = 'sambaPwdLastSet';
  74     }
  75
  76         // Crypt new password
  77         if (!$crypted_pass) {
  78                 return PASSWORD_CRYPT_ERROR;
  79         }
  80
  81     // Crypt new Samba password
  82     if ($smbpwattr && !($samba_pass = ldap_simple_hash_password($passwd, 'samba'))) {
  83             return PASSWORD_CRYPT_ERROR;
  84     }
  85
  86         // Bind
  87         if (!ldap_bind($ds, $binddn, $bindpw)) {
  88                 ldap_unbind($ds);
  89                 return PASSWORD_CONNECT_ERROR;
  90         }
  91
  92         $entree[$pwattr] = $crypted_pass;
  93
  94         // Update PasswordLastChange Attribute if desired
  95         if ($lchattr) {
  96                 $entree[$lchattr] = (int)(time() / 86400);
  97         }
  98
  99     // Update Samba password
 100     if ($smbpwattr) {
 101         $entree[$smbpwattr] = $samba_pass;
 102     }
 103
 104     // Update Samba password last change
 105     if ($smblchattr) {
 106         $entree[$smblchattr] = time();
 107     }
 108
 109         if (!ldap_modify($ds, $user_dn, $entree)) {
 110                 ldap_unbind($ds);
 111                 return PASSWORD_CONNECT_ERROR;
 112         }
 113
 114         // All done, no error
 115         ldap_unbind($ds);
 116         return PASSWORD_SUCCESS;
 117 }
 118
 119 /**
 120  * Bind with searchDN and searchPW and search for the user's DN
 121  * Use search_base and search_filter defined in config file
 122  * Return the found DN
 123  */
 124 function ldap_simple_search_userdn($rcmail, $ds)
 125 {
 126         /* Bind */
 127         if (!ldap_bind($ds, $rcmail->config->get('password_ldap_searchDN'), $rcmail->config->get('password_ldap_searchPW'))) {
 128                 return false;
 129         }
 130
 131         /* Search for the DN */
 132         if (!$sr = ldap_search($ds, $rcmail->config->get('password_ldap_search_base'), ldap_simple_substitute_vars($rcmail->config->get('password_ldap_search_filter')))) {
 133                 return false;
 134         }
 135
 136         /* If no or more entries were found, return false */
 137         if (ldap_count_entries($ds, $sr) != 1) {
 138                 return false;
 139         }
 140
 141         return ldap_get_dn($ds, ldap_first_entry($ds, $sr));
 142 }
 143
 144 /**
 145  * Substitute %login, %name, %domain, %dc in $str
 146  * See plugin config for details
 147  */
 148 function ldap_simple_substitute_vars($str)
 149 {
 150         $str = str_replace('%login', $_SESSION['username'], $str);
 151         $str = str_replace('%l', $_SESSION['username'], $str);
 152
 153         $parts = explode('@', $_SESSION['username']);
 154
 155         if (count($parts) == 2) {
 156         $dc = 'dc='.strtr($parts[1], array('.' => ',dc=')); // hierarchal domain string
 157
 158                 $str = str_replace('%name', $parts[0], $str);
 159         $str = str_replace('%n', $parts[0], $str);
 160         $str = str_replace('%dc', $dc, $str);
 161                 $str = str_replace('%domain', $parts[1], $str);
 162                 $str = str_replace('%d', $parts[1], $str);
 163         }
 164
 165         return $str;
 166 }
 167
 168 /**
 169  * Code originaly from the phpLDAPadmin development team
 170  * http://phpldapadmin.sourceforge.net/
 171  *
 172  * Hashes a password and returns the hash based on the specified enc_type
 173  */
 174 function ldap_simple_hash_password($password_clear, $encodage_type)
 175 {
 176         $encodage_type = strtolower($encodage_type);
 177         switch ($encodage_type) {
 178                 case 'crypt':
 179                         $crypted_password = '{CRYPT}' . crypt($password_clear, ldap_simple_random_salt(2));
 180                         break;
 181                 case 'ext_des':
 182                         /* Extended DES crypt. see OpenBSD crypt man page */
 183                         if (!defined('CRYPT_EXT_DES') || CRYPT_EXT_DES == 0) {
 184                                 /* Your system crypt library does not support extended DES encryption */
 185                                 return false;
 186                         }
 187                         $crypted_password = '{CRYPT}' . crypt($password_clear, '_' . ldap_simple_random_salt(8));
 188                         break;
 189                 case 'md5crypt':
 190                         if (!defined('CRYPT_MD5') || CRYPT_MD5 == 0) {
 191                                 /* Your system crypt library does not support md5crypt encryption */
 192                                 return false;
 193                         }
 194                         $crypted_password = '{CRYPT}' . crypt($password_clear, '$1$' . ldap_simple_random_salt(9));
 195                         break;
 196                 case 'blowfish':
 197                         if (!defined('CRYPT_BLOWFISH') || CRYPT_BLOWFISH == 0) {
 198                                 /* Your system crypt library does not support blowfish encryption */
 199                                 return false;
 200                         }
 201                         /* Hardcoded to second blowfish version and set number of rounds */
 202                         $crypted_password = '{CRYPT}' . crypt($password_clear, '$2a$12$' . ldap_simple_random_salt(13));
 203                         break;
 204                 case 'md5':
 205                         $crypted_password = '{MD5}' . base64_encode(pack('H*', md5($password_clear)));
 206                         break;
 207                 case 'sha':
 208                         if (function_exists('sha1')) {
 209                                 /* Use PHP 4.3.0+ sha1 function, if it is available */
 210                                 $crypted_password = '{SHA}' . base64_encode(pack('H*', sha1($password_clear)));
 211                         } else if (function_exists('mhash')) {
 212                                 $crypted_password = '{SHA}' . base64_encode(mhash(MHASH_SHA1, $password_clear));
 213                         } else {
 214                                 /* Your PHP install does not have the mhash() function */
 215                                 return false;
 216                         }
 217                         break;
 218                 case 'ssha':
 219                         if (function_exists('mhash') && function_exists('mhash_keygen_s2k')) {
 220                                 mt_srand((double) microtime() * 1000000 );
 221                                 $salt = mhash_keygen_s2k(MHASH_SHA1, $password_clear, substr(pack('h*', md5(mt_rand())), 0, 8), 4);
 222                                 $crypted_password = '{SSHA}' . base64_encode(mhash(MHASH_SHA1, $password_clear . $salt) . $salt);
 223                         } else {
 224                                 /* Your PHP install does not have the mhash() function */
 225                                 return false;
 226                         }
 227                         break;
 228                 case 'smd5':
 229                         if (function_exists('mhash') && function_exists('mhash_keygen_s2k')) {
 230                                 mt_srand((double) microtime() * 1000000 );
 231                                 $salt = mhash_keygen_s2k(MHASH_MD5, $password_clear, substr(pack('h*', md5(mt_rand())), 0, 8), 4);
 232                                 $crypted_password = '{SMD5}' . base64_encode(mhash(MHASH_MD5, $password_clear . $salt) . $salt);
 233                         } else {
 234                                 /* Your PHP install does not have the mhash() function */
 235                                 return false;
 236                         }
 237                         break;
 238         case 'samba':
 239             if (function_exists('hash')) {
 240                 $crypted_password = hash('md4', rcube_charset_convert($password_clear, RCMAIL_CHARSET, 'UTF-16LE'));
 241                 $crypted_password = strtoupper($crypted_password);
 242             } else {
 243                                 /* Your PHP install does not have the hash() function */
 244                                 return false;
 245             }
 246             break;
 247                 case 'clear':
 248                 default:
 249                         $crypted_password = $password_clear;
 250         }
 251
 252         return $crypted_password;
 253 }
 254
 255 /**
 256  * Code originaly from the phpLDAPadmin development team
 257  * http://phpldapadmin.sourceforge.net/
 258  *
 259  * Used to generate a random salt for crypt-style passwords
 260  */
 261 function ldap_simple_random_salt($length)
 262 {
 263         $possible = '0123456789' . 'abcdefghijklmnopqrstuvwxyz' . 'ABCDEFGHIJKLMNOPQRSTUVWXYZ' . './';
 264         $str = '';
 265         // mt_srand((double)microtime() * 1000000);
 266         while (strlen($str) < $length) {
 267                 $str .= substr($possible, (rand() % strlen($possible)), 1);
 268         }
 269
 270         return $str;
 271 }