Loading...
Helix SwarmHelix Swarm
Loading...

Ldap.php

  • //
  • guest/
  • thomas_gray/
  • jambox/
  • main/
  • swarm/
  • library/
  • Zend/
  • Authentication/
  • Adapter/
  • Ldap.php #1
  • View
  • Commits
  • Open Download .zip Download (15 KB) 
  1. <?php
  2. /**
  3.  * Zend Framework (http://framework.zend.com/)
  4.  *
  5.  * @link      http://github.com/zendframework/zf2 for the canonical source repository
  6.  * @copyright Copyright (c) 2005-2014 Zend Technologies USA Inc. (http://www.zend.com)
  7.  * @license   http://framework.zend.com/license/new-bsd New BSD License
  8.  */
  9.  
  10. namespace Zend\Authentication\Adapter;
  11.  
  12. use stdClass;
  13. use Zend\Authentication\Result as AuthenticationResult;
  14. use Zend\Ldap as ZendLdap;
  15. use Zend\Ldap\Exception\LdapException;
  16.  
  17. class Ldap extends AbstractAdapter
  18. {
  19.  
  20.     /**
  21.      * The Zend\Ldap\Ldap context.
  22.      *
  23.      * @var ZendLdap\Ldap
  24.      */
  25.     protected $ldap = null;
  26.  
  27.     /**
  28.      * The array of arrays of Zend\Ldap\Ldap options passed to the constructor.
  29.      *
  30.      * @var array
  31.      */
  32.     protected $options = null;
  33.  
  34.     /**
  35.      * The DN of the authenticated account. Used to retrieve the account entry on request.
  36.      *
  37.      * @var string
  38.      */
  39.     protected $authenticatedDn = null;
  40.  
  41.     /**
  42.      * Constructor
  43.      *
  44.      * @param  array  $options    An array of arrays of Zend\Ldap\Ldap options
  45.      * @param  string $identity   The username of the account being authenticated
  46.      * @param  string $credential The password of the account being authenticated
  47.      */
  48.     public function __construct(array $options = array(), $identity = null, $credential = null)
  49.     {
  50.         $this->setOptions($options);
  51.         if ($identity !== null) {
  52.             $this->setIdentity($identity);
  53.         }
  54.         if ($credential !== null) {
  55.             $this->setCredential($credential);
  56.         }
  57.     }
  58.  
  59.     /**
  60.      * Returns the array of arrays of Zend\Ldap\Ldap options of this adapter.
  61.      *
  62.      * @return array|null
  63.      */
  64.     public function getOptions()
  65.     {
  66.         return $this->options;
  67.     }
  68.  
  69.     /**
  70.      * Sets the array of arrays of Zend\Ldap\Ldap options to be used by
  71.      * this adapter.
  72.      *
  73.      * @param  array $options The array of arrays of Zend\Ldap\Ldap options
  74.      * @return Ldap Provides a fluent interface
  75.      */
  76.     public function setOptions($options)
  77.     {
  78.         $this->options = is_array($options) ? $options : array();
  79.         if (array_key_exists('identity', $this->options)) {
  80.             $this->options['username'] = $this->options['identity'];
  81.         }
  82.         if (array_key_exists('credential', $this->options)) {
  83.             $this->options['password'] = $this->options['credential'];
  84.         }
  85.         return $this;
  86.     }
  87.  
  88.     /**
  89.      * Returns the username of the account being authenticated, or
  90.      * NULL if none is set.
  91.      *
  92.      * @return string|null
  93.      */
  94.     public function getUsername()
  95.     {
  96.         return $this->getIdentity();
  97.     }
  98.  
  99.     /**
  100.      * Sets the username for binding
  101.      *
  102.      * @param  string $username The username for binding
  103.      * @return Ldap Provides a fluent interface
  104.      */
  105.     public function setUsername($username)
  106.     {
  107.         return $this->setIdentity($username);
  108.     }
  109.  
  110.     /**
  111.      * Returns the password of the account being authenticated, or
  112.      * NULL if none is set.
  113.      *
  114.      * @return string|null
  115.      */
  116.     public function getPassword()
  117.     {
  118.         return $this->getCredential();
  119.     }
  120.  
  121.     /**
  122.      * Sets the password for the account
  123.      *
  124.      * @param  string $password The password of the account being authenticated
  125.      * @return Ldap Provides a fluent interface
  126.      */
  127.     public function setPassword($password)
  128.     {
  129.         return $this->setCredential($password);
  130.     }
  131.  
  132.     /**
  133.      * Returns the LDAP Object
  134.      *
  135.      * @return ZendLdap\Ldap The Zend\Ldap\Ldap object used to authenticate the credentials
  136.      */
  137.     public function getLdap()
  138.     {
  139.         if ($this->ldap === null) {
  140.             $this->ldap = new ZendLdap\Ldap();
  141.         }
  142.  
  143.         return $this->ldap;
  144.     }
  145.  
  146.     /**
  147.      * Set an Ldap connection
  148.      *
  149.      * @param  ZendLdap\Ldap $ldap An existing Ldap object
  150.      * @return Ldap Provides a fluent interface
  151.      */
  152.     public function setLdap(ZendLdap\Ldap $ldap)
  153.     {
  154.         $this->ldap = $ldap;
  155.  
  156.         $this->setOptions(array($ldap->getOptions()));
  157.  
  158.         return $this;
  159.     }
  160.  
  161.     /**
  162.      * Returns a domain name for the current LDAP options. This is used
  163.      * for skipping redundant operations (e.g. authentications).
  164.      *
  165.      * @return string
  166.      */
  167.     protected function getAuthorityName()
  168.     {
  169.         $options = $this->getLdap()->getOptions();
  170.         $name = $options['accountDomainName'];
  171.         if (!$name)
  172.             $name = $options['accountDomainNameShort'];
  173.         return $name ? $name : '';
  174.     }
  175.  
  176.     /**
  177.      * Authenticate the user
  178.      *
  179.      * @return AuthenticationResult
  180.      * @throws Exception\ExceptionInterface
  181.      */
  182.     public function authenticate()
  183.     {
  184.         $messages = array();
  185.         $messages[0] = ''; // reserved
  186.         $messages[1] = ''; // reserved
  187.  
  188.         $username = $this->identity;
  189.         $password = $this->credential;
  190.  
  191.         if (!$username) {
  192.             $code = AuthenticationResult::FAILURE_IDENTITY_NOT_FOUND;
  193.             $messages[0] = 'A username is required';
  194.             return new AuthenticationResult($code, '', $messages);
  195.         }
  196.         if (!$password) {
  197.             /* A password is required because some servers will
  198.              * treat an empty password as an anonymous bind.
  199.              */
  200.             $code = AuthenticationResult::FAILURE_CREDENTIAL_INVALID;
  201.             $messages[0] = 'A password is required';
  202.             return new AuthenticationResult($code, '', $messages);
  203.         }
  204.  
  205.         $ldap = $this->getLdap();
  206.  
  207.         $code = AuthenticationResult::FAILURE;
  208.         $messages[0] = "Authority not found: $username";
  209.         $failedAuthorities = array();
  210.  
  211.         /* Iterate through each server and try to authenticate the supplied
  212.          * credentials against it.
  213.          */
  214.         foreach ($this->options as $options) {
  215.  
  216.             if (!is_array($options)) {
  217.                 throw new Exception\InvalidArgumentException('Adapter options array not an array');
  218.             }
  219.             $adapterOptions = $this->prepareOptions($ldap, $options);
  220.             $dname = '';
  221.  
  222.             try {
  223.                 if ($messages[1])
  224.                     $messages[] = $messages[1];
  225.                 $messages[1] = '';
  226.                 $messages[] = $this->optionsToString($options);
  227.  
  228.                 $dname = $this->getAuthorityName();
  229.                 if (isset($failedAuthorities[$dname])) {
  230.                     /* If multiple sets of server options for the same domain
  231.                      * are supplied, we want to skip redundant authentications
  232.                      * where the identity or credentials where found to be
  233.                      * invalid with another server for the same domain. The
  234.                      * $failedAuthorities array tracks this condition (and also
  235.                      * serves to supply the original error message).
  236.                      * This fixes issue ZF-4093.
  237.                      */
  238.                     $messages[1] = $failedAuthorities[$dname];
  239.                     $messages[] = "Skipping previously failed authority: $dname";
  240.                     continue;
  241.                 }
  242.  
  243.                 $canonicalName = $ldap->getCanonicalAccountName($username);
  244.                 $ldap->bind($canonicalName, $password);
  245.                 /*
  246.                  * Fixes problem when authenticated user is not allowed to retrieve
  247.                  * group-membership information or own account.
  248.                  * This requires that the user specified with "username" and optionally
  249.                  * "password" in the Zend\Ldap\Ldap options is able to retrieve the required
  250.                  * information.
  251.                  */
  252.                 $requireRebind = false;
  253.                 if (isset($options['username'])) {
  254.                     $ldap->bind();
  255.                     $requireRebind = true;
  256.                 }
  257.                 $dn = $ldap->getCanonicalAccountName($canonicalName, ZendLdap\Ldap::ACCTNAME_FORM_DN);
  258.  
  259.                 $groupResult = $this->checkGroupMembership($ldap, $canonicalName, $dn, $adapterOptions);
  260.                 if ($groupResult === true) {
  261.                     $this->authenticatedDn = $dn;
  262.                     $messages[0] = '';
  263.                     $messages[1] = '';
  264.                     $messages[] = "$canonicalName authentication successful";
  265.                     if ($requireRebind === true) {
  266.                         // rebinding with authenticated user
  267.                         $ldap->bind($dn, $password);
  268.                     }
  269.                     return new AuthenticationResult(AuthenticationResult::SUCCESS, $canonicalName, $messages);
  270.                 } else {
  271.                     $messages[0] = 'Account is not a member of the specified group';
  272.                     $messages[1] = $groupResult;
  273.                     $failedAuthorities[$dname] = $groupResult;
  274.                 }
  275.             } catch (LdapException $zle) {
  276.  
  277.                 /* LDAP based authentication is notoriously difficult to diagnose. Therefore
  278.                  * we bend over backwards to capture and record every possible bit of
  279.                  * information when something goes wrong.
  280.                  */
  281.  
  282.                 $err = $zle->getCode();
  283.  
  284.                 if ($err == LdapException::LDAP_X_DOMAIN_MISMATCH) {
  285.                     /* This error indicates that the domain supplied in the
  286.                      * username did not match the domains in the server options
  287.                      * and therefore we should just skip to the next set of
  288.                      * server options.
  289.                      */
  290.                     continue;
  291.                 } elseif ($err == LdapException::LDAP_NO_SUCH_OBJECT) {
  292.                     $code = AuthenticationResult::FAILURE_IDENTITY_NOT_FOUND;
  293.                     $messages[0] = "Account not found: $username";
  294.                     $failedAuthorities[$dname] = $zle->getMessage();
  295.                 } elseif ($err == LdapException::LDAP_INVALID_CREDENTIALS) {
  296.                     $code = AuthenticationResult::FAILURE_CREDENTIAL_INVALID;
  297.                     $messages[0] = 'Invalid credentials';
  298.                     $failedAuthorities[$dname] = $zle->getMessage();
  299.                 } else {
  300.                     $line = $zle->getLine();
  301.                     $messages[] = $zle->getFile() . "($line): " . $zle->getMessage();
  302.                     $messages[] = preg_replace(
  303.                         '/\b'.preg_quote(substr($password, 0, 15), '/').'\b/',
  304.                         '*****',
  305.                         $zle->getTraceAsString()
  306.                     );
  307.                     $messages[0] = 'An unexpected failure occurred';
  308.                 }
  309.                 $messages[1] = $zle->getMessage();
  310.             }
  311.         }
  312.  
  313.         $msg = isset($messages[1]) ? $messages[1] : $messages[0];
  314.         $messages[] = "$username authentication failed: $msg";
  315.  
  316.         return new AuthenticationResult($code, $username, $messages);
  317.     }
  318.  
  319.     /**
  320.      * Sets the LDAP specific options on the Zend\Ldap\Ldap instance
  321.      *
  322.      * @param  ZendLdap\Ldap $ldap
  323.      * @param  array         $options
  324.      * @return array of auth-adapter specific options
  325.      */
  326.     protected function prepareOptions(ZendLdap\Ldap $ldap, array $options)
  327.     {
  328.         $adapterOptions = array(
  329.             'group'       => null,
  330.             'groupDn'     => $ldap->getBaseDn(),
  331.             'groupScope'  => ZendLdap\Ldap::SEARCH_SCOPE_SUB,
  332.             'groupAttr'   => 'cn',
  333.             'groupFilter' => 'objectClass=groupOfUniqueNames',
  334.             'memberAttr'  => 'uniqueMember',
  335.             'memberIsDn'  => true
  336.         );
  337.         foreach ($adapterOptions as $key => $value) {
  338.             if (array_key_exists($key, $options)) {
  339.                 $value = $options[$key];
  340.                 unset($options[$key]);
  341.                 switch ($key) {
  342.                     case 'groupScope':
  343.                         $value = (int) $value;
  344.                         if (in_array($value, array(ZendLdap\Ldap::SEARCH_SCOPE_BASE,
  345.                                 ZendLdap\Ldap::SEARCH_SCOPE_ONE, ZendLdap\Ldap::SEARCH_SCOPE_SUB), true)) {
  346.                            $adapterOptions[$key] = $value;
  347.                         }
  348.                         break;
  349.                     case 'memberIsDn':
  350.                         $adapterOptions[$key] = ($value === true ||
  351.                                 $value === '1' || strcasecmp($value, 'true') == 0);
  352.                         break;
  353.                     default:
  354.                         $adapterOptions[$key] = trim($value);
  355.                         break;
  356.                 }
  357.             }
  358.         }
  359.         $ldap->setOptions($options);
  360.         return $adapterOptions;
  361.     }
  362.  
  363.     /**
  364.      * Checks the group membership of the bound user
  365.      *
  366.      * @param  ZendLdap\Ldap $ldap
  367.      * @param  string        $canonicalName
  368.      * @param  string        $dn
  369.      * @param  array         $adapterOptions
  370.      * @return string|true
  371.      */
  372.     protected function checkGroupMembership(ZendLdap\Ldap $ldap, $canonicalName, $dn, array $adapterOptions)
  373.     {
  374.         if ($adapterOptions['group'] === null) {
  375.             return true;
  376.         }
  377.  
  378.         if ($adapterOptions['memberIsDn'] === false) {
  379.             $user = $canonicalName;
  380.         } else {
  381.             $user = $dn;
  382.         }
  383.  
  384.         $groupName   = ZendLdap\Filter::equals($adapterOptions['groupAttr'], $adapterOptions['group']);
  385.         $membership  = ZendLdap\Filter::equals($adapterOptions['memberAttr'], $user);
  386.         $group       = ZendLdap\Filter::andFilter($groupName, $membership);
  387.         $groupFilter = $adapterOptions['groupFilter'];
  388.         if (!empty($groupFilter)) {
  389.             $group = $group->addAnd($groupFilter);
  390.         }
  391.  
  392.         $result = $ldap->count($group, $adapterOptions['groupDn'], $adapterOptions['groupScope']);
  393.  
  394.         if ($result === 1) {
  395.             return true;
  396.         }
  397.  
  398.         return 'Failed to verify group membership with ' . $group->toString();
  399.     }
  400.  
  401.     /**
  402.      * getAccountObject() - Returns the result entry as a stdClass object
  403.      *
  404.      * This resembles the feature {@see Zend\Authentication\Adapter\DbTable::getResultRowObject()}.
  405.      * Closes ZF-6813
  406.      *
  407.      * @param  array $returnAttribs
  408.      * @param  array $omitAttribs
  409.      * @return stdClass|bool
  410.      */
  411.     public function getAccountObject(array $returnAttribs = array(), array $omitAttribs = array())
  412.     {
  413.         if (!$this->authenticatedDn) {
  414.             return false;
  415.         }
  416.  
  417.         $returnObject = new stdClass();
  418.  
  419.         $returnAttribs = array_map('strtolower', $returnAttribs);
  420.         $omitAttribs   = array_map('strtolower', $omitAttribs);
  421.         $returnAttribs = array_diff($returnAttribs, $omitAttribs);
  422.  
  423.         $entry = $this->getLdap()->getEntry($this->authenticatedDn, $returnAttribs, true);
  424.         foreach ($entry as $attr => $value) {
  425.             if (in_array($attr, $omitAttribs)) {
  426.                 // skip attributes marked to be omitted
  427.                 continue;
  428.             }
  429.             if (is_array($value)) {
  430.                 $returnObject->$attr = (count($value) > 1) ? $value : $value[0];
  431.             } else {
  432.                 $returnObject->$attr = $value;
  433.             }
  434.         }
  435.         return $returnObject;
  436.     }
  437.  
  438.     /**
  439.      * Converts options to string
  440.      *
  441.      * @param  array $options
  442.      * @return string
  443.      */
  444.     private function optionsToString(array $options)
  445.     {
  446.         $str = '';
  447.         foreach ($options as $key => $val) {
  448.             if ($key === 'password' || $key === 'credential') {
  449.                 $val = '*****';
  450.             }
  451.             if ($str) {
  452.                 $str .= ',';
  453.             }
  454.             $str .= $key . '=' . $val;
  455.         }
  456.         return $str;
  457.     }
  458. }
# Change User Description Committed
#1 18334 Liz Lam initial add of jambox 9 years ago