plugins/password/drivers/ldap_simple.php

   1 <?php
   2
   3 /**
   4  * Simple LDAP Password Driver
   5  *
   6  * Driver for passwords stored in LDAP
   7  * This driver is based on Edouard's LDAP Password Driver, but does not
   8  * require PEAR's Net_LDAP2 to be installed
   9  *
  10  * @version 1.0 (2010-07-31)
  11  * @author Wout Decre <wout@canodus.be>
  12  */
  13 function password_save($curpass, $passwd)
  14 {
  15         $rcmail = rcmail::get_instance();
  16
  17         /* Connect */
  18         if (!$ds = ldap_connect($rcmail->config->get('password_ldap_host'), $rcmail->config->get('password_ldap_port'))) {
  19                 ldap_unbind($ds);
  20                 return PASSWORD_CONNECT_ERROR;
  21         }
  22
  23         /* Set protocol version */
  24         if (!ldap_set_option($ds, LDAP_OPT_PROTOCOL_VERSION, $rcmail->config->get('password_ldap_version'))) {
  25                 ldap_unbind($ds);
  26                 return PASSWORD_CONNECT_ERROR;
  27         }
  28
  29         /* Start TLS */
  30         if ($rcmail->config->get('password_ldap_starttls')) {
  31                 if (!ldap_start_tls($ds)) {
  32                         ldap_unbind($ds);
  33                         return PASSWORD_CONNECT_ERROR;
  34                 }
  35         }
  36
  37         /* Build user DN */
  38         if ($user_dn = $rcmail->config->get('password_ldap_userDN_mask')) {
  39                 $user_dn = ldap_simple_substitute_vars($user_dn);
  40         } else {
  41                 $user_dn = ldap_simple_search_userdn($rcmail, $ds);
  42         }
  43
  44         if (empty($user_dn)) {
  45                 ldap_unbind($ds);
  46                 return PASSWORD_CONNECT_ERROR;
  47         }
  48
  49         /* Connection method */
  50         switch ($rcmail->config->get('password_ldap_method')) {
  51                 case 'admin':
  52                         $binddn = $rcmail->config->get('password_ldap_adminDN');
  53                         $bindpw = $rcmail->config->get('password_ldap_adminPW');
  54                         break;
  55                 case 'user':
  56                 default:
  57                         $binddn = $user_dn;
  58                         $bindpw = $curpass;
  59                         break;
  60         }
  61
  62         /* Bind */
  63         if (!ldap_bind($ds, $binddn, $bindpw)) {
  64                 ldap_unbind($ds);
  65                 return PASSWORD_CONNECT_ERROR;
  66         }
  67
  68         /* Crypting new password */
  69         $crypted_pass = ldap_simple_hash_password($passwd, $rcmail->config->get('password_ldap_encodage'));
  70         if (!$crypted_pass) {
  71                 ldap_unbind($ds);
  72                 return PASSWORD_CRYPT_ERROR;
  73         }
  74
  75         $entree[$rcmail->config->get('password_ldap_pwattr')] = $crypted_pass;
  76
  77         /* Updating PasswordLastChange Attribute if desired */
  78         if ($lchattr = $rcmail->config->get('password_ldap_lchattr')) {
  79                 $entree[$lchattr] = (int)(time() / 86400);
  80         }
  81
  82     /* Update Samba password fields */
  83     if ($smbattr = $rcmail->config->get('password_ldap_samba')) {
  84         $sambaNTPassword = hash('md4', rcube_charset_convert($passwd, RCMAIL_CHARSET, 'UTF-16LE'));
  85         $entree['sambaNTPassword'] = $sambaNTPassword;
  86         $entree['sambaPwdLastSet'] = time();
  87     }
  88
  89         if (!ldap_modify($ds, $user_dn, $entree)) {
  90                 ldap_unbind($ds);
  91                 return PASSWORD_CONNECT_ERROR;
  92         }
  93
  94         /* All done, no error */
  95         ldap_unbind($ds);
  96         return PASSWORD_SUCCESS;
  97 }
  98
  99 /**
 100  * Bind with searchDN and searchPW and search for the user's DN
 101  * Use search_base and search_filter defined in config file
 102  * Return the found DN
 103  */
 104 function ldap_simple_search_userdn($rcmail, $ds)
 105 {
 106         /* Bind */
 107         if (!ldap_bind($ds, $rcmail->config->get('password_ldap_searchDN'), $rcmail->config->get('password_ldap_searchPW'))) {
 108                 return false;
 109         }
 110
 111         /* Search for the DN */
 112         if (!$sr = ldap_search($ds, $rcmail->config->get('password_ldap_search_base'), ldap_simple_substitute_vars($rcmail->config->get('password_ldap_search_filter')))) {
 113                 return false;
 114         }
 115
 116         /* If no or more entries were found, return false */
 117         if (ldap_count_entries($ds, $sr) != 1) {
 118                 return false;
 119         }
 120
 121         return ldap_get_dn($ds, ldap_first_entry($ds, $sr));
 122 }
 123
 124 /**
 125  * Substitute %login, %name, %domain, %dc in $str
 126  * See plugin config for details
 127  */
 128 function ldap_simple_substitute_vars($str)
 129 {
 130         $str = str_replace('%login', $_SESSION['username'], $str);
 131         $str = str_replace('%l', $_SESSION['username'], $str);
 132
 133         $parts = explode('@', $_SESSION['username']);
 134
 135         if (count($parts) == 2) {
 136         $dc = 'dc='.strtr($parts[1], array('.' => ',dc=')); // hierarchal domain string
 137
 138                 $str = str_replace('%name', $parts[0], $str);
 139         $str = str_replace('%n', $parts[0], $str);
 140         $str = str_replace('%dc', $dc, $str);
 141                 $str = str_replace('%domain', $parts[1], $str);
 142                 $str = str_replace('%d', $parts[1], $str);
 143         }
 144
 145         return $str;
 146 }
 147
 148 /**
 149  * Code originaly from the phpLDAPadmin development team
 150  * http://phpldapadmin.sourceforge.net/
 151  *
 152  * Hashes a password and returns the hash based on the specified enc_type
 153  */
 154 function ldap_simple_hash_password($password_clear, $encodage_type)
 155 {
 156         $encodage_type = strtolower($encodage_type);
 157         switch ($encodage_type) {
 158                 case 'crypt':
 159                         $crypted_password = '{CRYPT}' . crypt($password_clear, ldap_simple_random_salt(2));
 160                         break;
 161                 case 'ext_des':
 162                         /* Extended DES crypt. see OpenBSD crypt man page */
 163                         if (!defined('CRYPT_EXT_DES') || CRYPT_EXT_DES == 0) {
 164                                 /* Your system crypt library does not support extended DES encryption */
 165                                 return false;
 166                         }
 167                         $crypted_password = '{CRYPT}' . crypt($password_clear, '_' . ldap_simple_random_salt(8));
 168                         break;
 169                 case 'md5crypt':
 170                         if (!defined('CRYPT_MD5') || CRYPT_MD5 == 0) {
 171                                 /* Your system crypt library does not support md5crypt encryption */
 172                                 return false;
 173                         }
 174                         $crypted_password = '{CRYPT}' . crypt($password_clear, '$1$' . ldap_simple_random_salt(9));
 175                         break;
 176                 case 'blowfish':
 177                         if (!defined('CRYPT_BLOWFISH') || CRYPT_BLOWFISH == 0) {
 178                                 /* Your system crypt library does not support blowfish encryption */
 179                                 return false;
 180                         }
 181                         /* Hardcoded to second blowfish version and set number of rounds */
 182                         $crypted_password = '{CRYPT}' . crypt($password_clear, '$2a$12$' . ldap_simple_random_salt(13));
 183                         break;
 184                 case 'md5':
 185                         $crypted_password = '{MD5}' . base64_encode(pack('H*', md5($password_clear)));
 186                         break;
 187                 case 'sha':
 188                         if (function_exists('sha1')) {
 189                                 /* Use PHP 4.3.0+ sha1 function, if it is available */
 190                                 $crypted_password = '{SHA}' . base64_encode(pack('H*', sha1($password_clear)));
 191                         } else if (function_exists('mhash')) {
 192                                 $crypted_password = '{SHA}' . base64_encode(mhash(MHASH_SHA1, $password_clear));
 193                         } else {
 194                                 /* Your PHP install does not have the mhash() function */
 195                                 return false;
 196                         }
 197                         break;
 198                 case 'ssha':
 199                         if (function_exists('mhash') && function_exists('mhash_keygen_s2k')) {
 200                                 mt_srand((double) microtime() * 1000000 );
 201                                 $salt = mhash_keygen_s2k(MHASH_SHA1, $password_clear, substr(pack('h*', md5(mt_rand())), 0, 8), 4);
 202                                 $crypted_password = '{SSHA}' . base64_encode(mhash(MHASH_SHA1, $password_clear . $salt) . $salt);
 203                         } else {
 204                                 /* Your PHP install does not have the mhash() function */
 205                                 return false;
 206                         }
 207                         break;
 208                 case 'smd5':
 209                         if (function_exists('mhash') && function_exists('mhash_keygen_s2k')) {
 210                                 mt_srand((double) microtime() * 1000000 );
 211                                 $salt = mhash_keygen_s2k(MHASH_MD5, $password_clear, substr(pack('h*', md5(mt_rand())), 0, 8), 4);
 212                                 $crypted_password = '{SMD5}' . base64_encode(mhash(MHASH_MD5, $password_clear . $salt) . $salt);
 213                         } else {
 214                                 /* Your PHP install does not have the mhash() function */
 215                                 return false;
 216                         }
 217                         break;
 218                 case 'clear':
 219                 default:
 220                         $crypted_password = $password_clear;
 221         }
 222
 223         return $crypted_password;
 224 }
 225
 226 /**
 227  * Code originaly from the phpLDAPadmin development team
 228  * http://phpldapadmin.sourceforge.net/
 229  *
 230  * Used to generate a random salt for crypt-style passwords
 231  */
 232 function ldap_simple_random_salt($length)
 233 {
 234         $possible = '0123456789' . 'abcdefghijklmnopqrstuvwxyz' . 'ABCDEFGHIJKLMNOPQRSTUVWXYZ' . './';
 235         $str = '';
 236         // mt_srand((double)microtime() * 1000000);
 237         while (strlen($str) < $length) {
 238                 $str .= substr($possible, (rand() % strlen($possible)), 1);
 239         }
 240
 241         return $str;
 242 }