<?php
// error_reporting(E_ALL);

// Bootstrap: build the directory client that the including pages use as $ldap.
// NOTE(review): $ldap_sadmin (server, domain, base DNs, service-account credentials,
// admin_group) is not defined in this file; the LDAP constructor reads it as a global,
// so a configuration include must run before this line.
// The LDAP class never declares `global $domain`, so this value is not visible to its
// methods; login() takes the UPN suffix from $ldap_sadmin['domain'] instead.
$domain = 'example.com';
$ldap = new LDAP();
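/**
 * Thin Active Directory helper for the admin pages: authenticates users with a simple
 * bind, reads their attributes into $_SESSION, and (for "admin" sessions) creates OUs and
 * users and resets passwords.
 *
 * Configuration comes from the global $ldap_sadmin array (or the array given to the
 * constructor). Keys read here: ldapServer, domain, domainDN, domainClientsDN,
 * username, password (the service account) and admin_group.
 */
class LDAP
{
    /** @var resource|\LDAP\Connection|string connection handle ('' until the constructor ran) */
    public $ldapconn = "";

    /** @var array directory configuration, see the class comment */
    public $ldap_sadmin;

    /**
     * Connect to the directory (no bind yet).
     *
     * @param array|null $config configuration array; when null the global $ldap_sadmin is
     *                           used, which is what the original call sites rely on
     * @throws RuntimeException when no server is configured or ldap_connect() fails
     *                          (replaces the former die())
     */
    public function __construct(?array $config = null)
    {
        if ($config === null) {
            // Legacy behaviour: the configuration is a global set by an earlier include.
            global $ldap_sadmin;
            $config = is_array($ldap_sadmin) ? $ldap_sadmin : [];
        }
        $this->ldap_sadmin = $config;

        $server = isset($config['ldapServer']) ? trim((string) $config['ldapServer']) : '';
        if ($server === '') {
            throw new RuntimeException('LDAP configuration is missing "ldapServer".');
        }
        // A full URI (e.g. "ldaps://host") is used as-is; a bare host keeps the historical
        // ldap:// prefix. NOTE(review): plain ldap:// carries the simple-bind credentials and the
        // password attributes written below in clear text; prefer ldaps:// or ldap_start_tls()
        // after connecting — confirm what the directory supports.
        $uri = preg_match('#^ldaps?://#i', $server) === 1 ? $server : 'ldap://' . $server;
        $conn = ldap_connect($uri);
        if ($conn === false) {
            throw new RuntimeException('Could not connect to LDAP server.');
        }
        $this->ldapconn = $conn;
        // Protocol v3 is required by AD; referral chasing is switched off as in the original.
        ldap_set_option($this->ldapconn, LDAP_OPT_PROTOCOL_VERSION, 3);
        ldap_set_option($this->ldapconn, LDAP_OPT_REFERRALS, 0);
    }

    /**
     * Authenticate $username with a simple bind as "username@domain" and fill $_SESSION.
     *
     * On success the user's attributes (see getLdapUserAttr()) are copied into $_SESSION and
     * $_SESSION['level'] becomes "admin" when the user is in the configured admin group,
     * otherwise "user".
     *
     * @return bool true when the bind succeeded
     */
    public function login(string $username, string $password): bool
    {
        // ldap_bind() with an empty password is an unauthenticated bind, which AD accepts by
        // default — it would "log in" any known username without a password. Refuse it here
        // instead of relying on the server.
        if ($username === '' || $password === '') {
            return false;
        }
        $bindUser = $username . '@' . $this->configValue('domain');
        if (!ldap_bind($this->ldapconn, $bindUser, $password)) {
            return false;
        }

        $_SESSION['username'] = $username;
        // SECURITY(review): the clear-text password is kept in the session (presumably for a
        // change-password page). That is a credential at rest in session storage; drop this
        // line once no page reads $_SESSION['password'] — confirm against the callers.
        $_SESSION['password'] = $password;

        $userAttr = $this->getLdapUserAttr($username);
        foreach ($userAttr as $attr => $value) {
            $_SESSION[$attr] = $value;
        }

        $isAdmin = isset($userAttr['groups']) && $this->checkGroup($userAttr['groups']);
        $_SESSION['level'] = $isAdmin ? 'admin' : 'user';
        return true;
    }

    /**
     * Set a new password for $username through AD's unicodePwd attribute.
     *
     * A user may change their own password after re-proving the current one ($password);
     * an "admin" session may change anyone's. The write itself is done with the service
     * account from the configuration ("username"/"password").
     *
     * NOTE(review): AD accepts unicodePwd writes only over an encrypted connection (LDAPS or
     * StartTLS); with a plain ldap:// ldapServer this is expected to fail — verify.
     *
     * @return string|true true on success, otherwise a human-readable error message
     */
    public function changePassword(string $username, string $password, string $npassword)
    {
        $sessionUser = isset($_SESSION['username']) ? (string) $_SESSION['username'] : '';
        $domain = $this->configValue('domain');

        if ($username !== $sessionUser) {
            if (!$this->sessionIsAdmin()) {
                return "You don't have enough permissions to change another user password!";
            }
        } elseif ($password === '' || !ldap_bind($this->ldapconn, $username . '@' . $domain, $password)) {
            // Same rule as login(): an empty password would be an anonymous bind, not a check.
            // Returning the message keeps the method's "string on failure" contract instead of die().
            return 'Wrong password';
        }
        if ($npassword === '') {
            return 'New password must not be empty';
        }

        // The original ignored the result of the service-account bind; a failed bind would
        // only surface later as a confusing modify error.
        $rootUser = $this->configValue('username');
        $rootPass = $this->configValue('password');
        if ($rootUser === '' || $rootPass === ''
            || !ldap_bind($this->ldapconn, $rootUser . '@' . $domain, $rootPass)) {
            return 'Error (' . ldap_errno($this->ldapconn) . '): could not bind with the service account';
        }

        $userAttr = $this->getLdapUserAttr($username);
        if (empty($userAttr['distinguishedname'])) {
            return 'User not found';
        }
        $userdata = ['unicodePwd' => self::encodeUnicodePwd($npassword)];
        // The original test was inverted (a successful modify with errno 0 returned "Error",
        // a failed one returned true).
        if (!ldap_mod_replace($this->ldapconn, $userAttr['distinguishedname'], $userdata)) {
            return 'Error (' . ldap_errno($this->ldapconn) . '): ' . ldap_error($this->ldapconn);
        }
        return true;
    }

    /**
     * Encode a password as AD's unicodePwd expects it: wrapped in double quotes, UTF-16LE.
     *
     * The former byte-interleaving loop was only correct for ASCII and used the "$s{$i}"
     * offset syntax that PHP 8 removed; it remains as the fallback when mbstring is absent.
     */
    private static function encodeUnicodePwd(string $password): string
    {
        $quoted = '"' . $password . '"';
        if (function_exists('mb_convert_encoding')) {
            return mb_convert_encoding($quoted, 'UTF-16LE', 'UTF-8');
        }
        $out = '';
        $len = strlen($quoted);
        for ($i = 0; $i < $len; $i++) {
            $out .= $quoted[$i] . "\000";
        }
        return $out;
    }

    /**
     * Look up $username (sAMAccountName) below domainDN and return a flat attribute map.
     *
     * Keys are lower-cased attribute names holding the first value; "memberof" is collected
     * into $attr['groups'] as a list of group DNs. Returns [] when the user is not found.
     *
     * @return array<string, mixed>
     * @throws RuntimeException when the search fails (replaces the former die())
     */
    public function getLdapUserAttr(string $username): array
    {
        // $username comes from the login form; escape it so it cannot change the filter
        // (a "*" or an injected ")(" would otherwise widen the search).
        $searchFilter = '(sAMAccountName=' . ldap_escape($username, '', LDAP_ESCAPE_FILTER) . ')';
        $searchAttr = [
            'displayName', 'description', 'cn', 'distinguishedName', 'givenName',
            'sn', 'mail', 'company', 'memberof',
        ];
        $result = ldap_search($this->ldapconn, $this->configValue('domainDN'), $searchFilter, $searchAttr);
        if ($result === false) {
            throw new RuntimeException('Error in search query');
        }
        $entries = ldap_get_entries($this->ldapconn, $result);
        if (!is_array($entries) || !isset($entries[0]) || !is_array($entries[0])) {
            return [];
        }
        $entry = $entries[0];

        $ldap_user_attr = [];
        foreach ($searchAttr as $attrName) {
            $key = strtolower($attrName);
            if (!isset($entry[$key])) {
                continue;
            }
            if ($key === 'memberof' && is_array($entry[$key])) {
                foreach ($entry[$key] as $idx => $groupDN) {
                    // ldap_get_entries() adds a "count" element to every value list.
                    if ($idx !== 'count') {
                        $ldap_user_attr['groups'][] = $groupDN;
                    }
                }
            } elseif (isset($entry[$key][0])) {
                $ldap_user_attr[$key] = $entry[$key][0];
            }
        }
        return $ldap_user_attr;
    }

    /**
     * Decide whether one of the user's group DNs is the configured admin group.
     *
     * admin_group may be the group's CN ("Admins", "CN=Admins") or its full DN. The former
     * strpos() test matched any substring (so "Admins" also matched "CN=Not Admins,...") and
     * skipped a match at offset 0; the group name must now be a complete first RDN, or the
     * whole DN must match, both compared case-insensitively as DNs are.
     *
     * @param mixed $userMemberOf list of group DNs (anything else yields false)
     */
    public function checkGroup($userMemberOf): bool
    {
        $adminGroup = trim($this->configValue('admin_group'));
        if ($adminGroup === '' || !is_array($userMemberOf)) {
            return false;
        }
        foreach ($userMemberOf as $groupDN) {
            if (self::isGroupDn((string) $groupDN, $adminGroup)) {
                return true;
            }
        }
        return false;
    }

    /** True when $groupDN is $adminGroup's DN, or its first RDN is CN=$adminGroup (CN optional in the setting). */
    private static function isGroupDn(string $groupDN, string $adminGroup): bool
    {
        if (strcasecmp(trim($groupDN), $adminGroup) === 0) {
            return true;
        }
        $name = preg_replace('/^\s*cn=/i', '', $adminGroup);
        $pattern = '/^\s*cn=' . preg_quote($name, '/') . '\s*(,|$)/i';
        return preg_match($pattern, $groupDN) === 1;
    }

    /**
     * Create OU=$orgShortName under domainClientsDN (admin sessions only).
     *
     * @param mixed  $orgFullName  unused; kept for existing callers
     * @return bool|string true/false from ldap_add(), or an error message without admin rights
     */
    public function addOrganization($orgFullName, string $orgShortName)
    {
        if (!$this->sessionIsAdmin()) {
            return "You have no enough permissions to perform this action!";
        }
        if ($orgShortName === '') {
            return false;
        }
        // Escape the RDN value so characters such as "," or "=" cannot rewrite the DN.
        $nOrgDN = 'OU=' . ldap_escape($orgShortName, '', LDAP_ESCAPE_DN)
            . ',' . $this->configValue('domainClientsDN');
        $newou = [
            'objectClass' => ['top', 'organizationalUnit'],
            'ou' => $orgShortName,
        ];
        return ldap_add($this->ldapconn, $nOrgDN, $newou) ? true : false;
    }

    /**
     * Create a user object under OU=<clOrganization>,<domainClientsDN> (admin sessions only).
     *
     * Expected $arrNewUser keys: name, surname, mail, password, username, clOrganization.
     *
     * @return string "OK" on success, otherwise an error message
     */
    public function addOrganizationUser(array $arrNewUser): string
    {
        if (!$this->sessionIsAdmin()) {
            return "You have no enough permissions to perform this action!";
        }
        $name = isset($arrNewUser['name']) ? (string) $arrNewUser['name'] : '';
        $surname = isset($arrNewUser['surname']) ? (string) $arrNewUser['surname'] : '';
        $mail = isset($arrNewUser['mail']) ? (string) $arrNewUser['mail'] : '';
        $password = isset($arrNewUser['password']) ? (string) $arrNewUser['password'] : '';
        $username = isset($arrNewUser['username']) ? (string) $arrNewUser['username'] : '';
        $org = isset($arrNewUser['clOrganization']) ? (string) $arrNewUser['clOrganization'] : '';
        if ($name === '' || $surname === '' || $username === '' || $org === '') {
            return 'Error: name, surname, username and clOrganization are required';
        }
        $cn = $name . ' ' . $surname;

        $userinfo = [
            'cn' => $cn,
            'sn' => $surname,
            'mail' => $mail,
            // The original assigned $userinfo['name'] to itself (undefined). In AD "name" is
            // the RDN value, i.e. the same string as cn.
            'name' => $cn,
            'givenName' => $name,
            'displayName' => $cn,
            // NOTE(review): userPassword travels in clear text over a plain ldap:// connection
            // and AD commonly ignores it on object creation; verify the password is really set,
            // otherwise write unicodePwd over LDAPS as changePassword() does.
            'userpassword' => $password,
            'sAMAccountName' => $username,
            'UserPrincipalName' => $mail,
            // 65536 = ADS_UF_DONT_EXPIRE_PASSWD. The 512 (ADS_UF_NORMAL_ACCOUNT) line was
            // commented out in the original; confirm on the server that the account is enabled.
            'useraccountcontrol' => '65536',
            'objectclass' => ['top', 'person', 'organizationalPerson', 'user'],
        ];
        // Both RDN values come from the form: escape them for DN context.
        $nuserDN = 'CN=' . ldap_escape($cn, '', LDAP_ESCAPE_DN)
            . ',OU=' . ldap_escape($org, '', LDAP_ESCAPE_DN)
            . ',' . $this->configValue('domainClientsDN');
        if (!ldap_add($this->ldapconn, $nuserDN, $userinfo)) {
            return "Error: (" . ldap_errno($this->ldapconn) . ") - " . ldap_error($this->ldapconn);
        }
        return "OK";
    }

    /**
     * Return the "ou" names of the OUs directly below domainClientsDN.
     *
     * Sorted with asort() as before (keys are preserved, so the result is not necessarily
     * a list). Returns [] when the listing fails.
     *
     * @return array<int, string>
     */
    public function listOrganization(): array
    {
        $searchOU = ldap_list($this->ldapconn, $this->configValue('domainClientsDN'), 'ou=*', ['ou']);
        if ($searchOU === false) {
            return [];
        }
        $OUs = ldap_get_entries($this->ldapconn, $searchOU);
        if (!is_array($OUs) || !isset($OUs['count'])) {
            return [];
        }
        $arrOrganizations = [];
        for ($i = 0; $i < $OUs['count']; $i++) {
            if (isset($OUs[$i]['ou'][0])) {
                $arrOrganizations[] = $OUs[$i]['ou'][0];
            }
        }
        asort($arrOrganizations);
        return $arrOrganizations;
    }

    /** True when login() marked the current PHP session as "admin". */
    private function sessionIsAdmin(): bool
    {
        return isset($_SESSION['level']) && $_SESSION['level'] === 'admin';
    }

    /** Read one string setting from the configuration array ('' when absent). */
    private function configValue(string $key): string
    {
        return isset($this->ldap_sadmin[$key]) ? (string) $this->ldap_sadmin[$key] : '';
    }
}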
- // function addUser(ldapconn, $arrNewUser){
- // if ($_SESSION['level'] != "admin")
- // return "You have no enough permissions to perform this action!";
- // $nuserDN = "CN=" . explode(" ", $arrNewUser)[0];
- // $nuserDN .= ",CN=" . $arrNewUser["clOrganization"] . "," . $ldap_sadmin["domainDN"];
- // $result = ldap_add(ldapconn, $nuserDN, $arrNewUser['attr']);
- // if (!$result){
- // return "Error: (" . ldap_errno(ldapconn) . ") - ". ldap_error(ldapconn);
- // } else {
- // return "OK";
- // }
- // }