dolibarr  13.0.2
functions_ldap.php
Go to the documentation of this file.
1 <?php
2 /* Copyright (C) 2007-2011 Laurent Destailleur <eldy@users.sourceforge.net>
3  *
4  * This program is free software; you can redistribute it and/or modify
5  * it under the terms of the GNU General Public License as published by
6  * the Free Software Foundation; either version 3 of the License, or
7  * (at your option) any later version.
8  *
9  * This program is distributed in the hope that it will be useful,
10  * but WITHOUT ANY WARRANTY; without even the implied warranty of
11  * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
12  * GNU General Public License for more details.
13  *
14  * You should have received a copy of the GNU General Public License
15  * along with this program. If not, see <https://www.gnu.org/licenses/>.
16  *
17  */
18 
35 function check_user_password_ldap($usertotest, $passwordtotest, $entitytotest)
36 {
37  global $db, $conf, $langs;
38  global $_POST;
39  global $dolibarr_main_auth_ldap_host, $dolibarr_main_auth_ldap_port;
40  global $dolibarr_main_auth_ldap_version, $dolibarr_main_auth_ldap_servertype;
41  global $dolibarr_main_auth_ldap_login_attribute, $dolibarr_main_auth_ldap_dn;
42  global $dolibarr_main_auth_ldap_admin_login, $dolibarr_main_auth_ldap_admin_pass;
43  global $dolibarr_main_auth_ldap_filter;
44  global $dolibarr_main_auth_ldap_debug;
45 
46  // Force master entity in transversal mode
47  $entity = $entitytotest;
48  if (!empty($conf->multicompany->enabled) && !empty($conf->global->MULTICOMPANY_TRANSVERSE_MODE)) $entity = 1;
49 
50  $login = '';
51  $resultFetchUser = '';
52 
53  if (!function_exists("ldap_connect"))
54  {
55  dol_syslog("functions_ldap::check_user_password_ldap Authentication KO failed to connect to LDAP. LDAP functions are disabled on this PHP", LOG_ERR);
56  sleep(1);
57 
58  // Load translation files required by the page
59  $langs->loadLangs(array('main', 'other'));
60 
61  $_SESSION["dol_loginmesg"] = $langs->trans("ErrorLDAPFunctionsAreDisabledOnThisPHP").' '.$langs->trans("TryAnotherConnectionMode");
62  return;
63  }
64 
65  if ($usertotest)
66  {
67  dol_syslog("functions_ldap::check_user_password_ldap usertotest=".$usertotest." passwordtotest=".preg_replace('/./', '*', $passwordtotest)." entitytotest=".$entitytotest);
68 
69  // If test username/password asked, we define $test=false and $login var if ok, set $_SESSION["dol_loginmesg"] if ko
70  $ldaphost = $dolibarr_main_auth_ldap_host;
71  $ldapport = $dolibarr_main_auth_ldap_port;
72  $ldapversion = $dolibarr_main_auth_ldap_version;
73  $ldapservertype = (empty($dolibarr_main_auth_ldap_servertype) ? 'openldap' : $dolibarr_main_auth_ldap_servertype);
74 
75  $ldapuserattr = $dolibarr_main_auth_ldap_login_attribute;
76  $ldapdn = $dolibarr_main_auth_ldap_dn;
77  $ldapadminlogin = $dolibarr_main_auth_ldap_admin_login;
78  $ldapadminpass = $dolibarr_main_auth_ldap_admin_pass;
79  $ldapdebug = (empty($dolibarr_main_auth_ldap_debug) || $dolibarr_main_auth_ldap_debug == "false" ? false : true);
80 
81  if ($ldapdebug) print "DEBUG: Logging LDAP steps<br>\n";
82 
83  require_once DOL_DOCUMENT_ROOT.'/core/class/ldap.class.php';
84  $ldap = new Ldap();
85  $ldap->server = explode(',', $ldaphost);
86  $ldap->serverPort = $ldapport;
87  $ldap->ldapProtocolVersion = $ldapversion;
88  $ldap->serverType = $ldapservertype;
89  $ldap->searchUser = $ldapadminlogin;
90  $ldap->searchPassword = $ldapadminpass;
91 
92  if ($ldapdebug)
93  {
94  dol_syslog("functions_ldap::check_user_password_ldap Server:".join(',', $ldap->server).", Port:".$ldap->serverPort.", Protocol:".$ldap->ldapProtocolVersion.", Type:".$ldap->serverType);
95  dol_syslog("functions_ldap::check_user_password_ldap uid/samacountname=".$ldapuserattr.", dn=".$ldapdn.", Admin:".$ldap->searchUser.", Pass:".$ldap->searchPassword);
96  print "DEBUG: Server:".join(',', $ldap->server).", Port:".$ldap->serverPort.", Protocol:".$ldap->ldapProtocolVersion.", Type:".$ldap->serverType."<br>\n";
97  print "DEBUG: uid/samacountname=".$ldapuserattr.", dn=".$ldapdn.", Admin:".$ldap->searchUser.", Pass:".$ldap->searchPassword."<br>\n";
98  }
99 
100  $resultFetchLdapUser = 0;
101 
102  // Define $userSearchFilter
103  $userSearchFilter = "";
104  if (empty($dolibarr_main_auth_ldap_filter)) {
105  $userSearchFilter = "(".$ldapuserattr."=".$usertotest.")";
106  } else {
107  $userSearchFilter = str_replace('%1%', $usertotest, $dolibarr_main_auth_ldap_filter);
108  }
109 
110  // If admin login provided
111  // Code to get user in LDAP from an admin connection (may differ from user connection, done later)
112  if ($ldapadminlogin)
113  {
114  $result = $ldap->connect_bind();
115  if ($result > 0)
116  {
117  $resultFetchLdapUser = $ldap->fetch($usertotest, $userSearchFilter);
118  //dol_syslog('functions_ldap::check_user_password_ldap resultFetchLdapUser='.$resultFetchLdapUser);
119  if ($resultFetchLdapUser > 0 && $ldap->pwdlastset == 0) // If ok but password need to be reset
120  {
121  dol_syslog('functions_ldap::check_user_password_ldap '.$usertotest.' must change password next logon');
122  if ($ldapdebug) print "DEBUG: User ".$usertotest." must change password<br>\n";
123  $ldap->close();
124  sleep(1);
125  $langs->load('ldap');
126  $_SESSION["dol_loginmesg"] = $langs->trans("YouMustChangePassNextLogon", $usertotest, $ldap->domainFQDN);
127  return '';
128  }
129  } else {
130  if ($ldapdebug) print "DEBUG: ".$ldap->error."<br>\n";
131  }
132  $ldap->close();
133  }
134 
135  // Forge LDAP user and password to test with them
136  // If LDAP need a dn with login like "uid=jbloggs,ou=People,dc=foo,dc=com", default dn may work even if previous code with
137  // admin login no exectued.
138  $ldap->searchUser = $ldapuserattr."=".$usertotest.",".$ldapdn; // Default dn (will work if LDAP accept a dn with login value inside)
139  // But if LDAP need a dn with name like "cn=Jhon Bloggs,ou=People,dc=foo,dc=com", previous part must have been executed to have
140  // dn detected into ldapUserDN.
141  if ($resultFetchLdapUser && !empty($ldap->ldapUserDN)) $ldap->searchUser = $ldap->ldapUserDN;
142  $ldap->searchPassword = $passwordtotest;
143 
144  // Test with this->seachUser and this->searchPassword
145  //print $resultFetchLdapUser."-".$ldap->ldapUserDN."-".$ldap->searchUser.'-'.$ldap->searchPassword;exit;
146  $result = $ldap->connect_bind();
147  if ($result > 0)
148  {
149  if ($result == 2) // Connection is ok for user/pass into LDAP
150  {
151  dol_syslog("functions_ldap::check_user_password_ldap Authentification ok");
152  $login = $usertotest;
153 
154  require_once DOL_DOCUMENT_ROOT.'/core/lib/date.lib.php';
155 
156  $tmpuser = new User($db);
157  $tmpuser->fetch('', $login, '', 1, ($entitytotest > 0 ? $entitytotest : -1));
158 
159  $now = dol_now();
160  if ($tmpuser->datestartvalidity && $db->jdate($tmpuser->datestartvalidity) >= $now) {
161  $ldap->close();
162  // Load translation files required by the page
163  $langs->loadLangs(array('main', 'errors'));
164  $_SESSION["dol_loginmesg"] = $langs->trans("ErrorLoginDateValidity");
165  return '--bad-login-validity--';
166  }
167  if ($tmpuser->dateendvalidity && $db->jdate($tmpuser->dateendvalidity) <= dol_get_first_hour($now)) {
168  $ldap->close();
169  // Load translation files required by the page
170  $langs->loadLangs(array('main', 'errors'));
171  $_SESSION["dol_loginmesg"] = $langs->trans("ErrorLoginDateValidity");
172  return '--bad-login-validity--';
173  }
174 
175  // ldap2dolibarr synchronisation
176  if ($login && !empty($conf->ldap->enabled) && $conf->global->LDAP_SYNCHRO_ACTIVE == 'ldap2dolibarr') // ldap2dolibarr synchronisation
177  {
178  dol_syslog("functions_ldap::check_user_password_ldap Sync ldap2dolibarr");
179 
180  // On charge les attributs du user ldap
181  if ($ldapdebug) print "DEBUG: login ldap = ".$login."<br>\n";
182  $resultFetchLdapUser = $ldap->fetch($login, $userSearchFilter);
183 
184  if ($ldapdebug) print "DEBUG: UACF = ".join(',', $ldap->uacf)."<br>\n";
185  if ($ldapdebug) print "DEBUG: pwdLastSet = ".dol_print_date($ldap->pwdlastset, 'day')."<br>\n";
186  if ($ldapdebug) print "DEBUG: badPasswordTime = ".dol_print_date($ldap->badpwdtime, 'day')."<br>\n";
187 
188  // On recherche le user dolibarr en fonction de son SID ldap (only for Active Directory)
189  $sid = null;
190  if ($conf->global->LDAP_SERVER_TYPE == "activedirectory")
191  {
192  $sid = $ldap->getObjectSid($login);
193  if ($ldapdebug) print "DEBUG: sid = ".$sid."<br>\n";
194  }
195 
196  $usertmp = new User($db);
197  $resultFetchUser = $usertmp->fetch('', $login, $sid);
198  if ($resultFetchUser > 0)
199  {
200  dol_syslog("functions_ldap::check_user_password_ldap Sync user found user id=".$usertmp->id);
201  // On verifie si le login a change et on met a jour les attributs dolibarr
202 
203  if ($usertmp->login != $ldap->login && $ldap->login)
204  {
205  $usertmp->login = $ldap->login;
206  $usertmp->update($usertmp);
207  // TODO Que faire si update echoue car on update avec un login deja existant.
208  }
209 
210  //$resultUpdate = $usertmp->update_ldap2dolibarr($ldap);
211  }
212 
213  unset($usertmp);
214  }
215 
216  if (!empty($conf->multicompany->enabled)) // We must check entity (even if sync is not active)
217  {
218  global $mc;
219 
220  $usertmp = new User($db);
221  $usertmp->fetch('', $login);
222  $ret = $mc->checkRight($usertmp->id, $entitytotest);
223  if ($ret < 0)
224  {
225  dol_syslog("functions_ldap::check_user_password_ldap Authentication KO entity '".$entitytotest."' not allowed for user '".$usertmp->id."'", LOG_NOTICE);
226  $login = ''; // force authentication failure
227  }
228  unset($usertmp);
229  }
230  }
231  if ($result == 1)
232  {
233  dol_syslog("functions_ldap::check_user_password_ldap Authentication KO bad user/password for '".$usertotest."'", LOG_NOTICE);
234  sleep(1);
235 
236  // Load translation files required by the page
237  $langs->loadLangs(array('main', 'other'));
238 
239  $_SESSION["dol_loginmesg"] = $langs->trans("ErrorBadLoginPassword");
240  }
241  } else {
242  /* Login failed. Return false, together with the error code and text from
243  ** the LDAP server. The common error codes and reasons are listed below :
244  ** (for iPlanet, other servers may differ)
245  ** 19 - Account locked out (too many invalid login attempts)
246  ** 32 - User does not exist
247  ** 49 - Wrong password
248  ** 53 - Account inactive (manually locked out by administrator)
249  */
250  dol_syslog("functions_ldap::check_user_password_ldap Authentication KO failed to connect to LDAP for '".$usertotest."'", LOG_NOTICE);
251  if (is_resource($ldap->connection)) // If connection ok but bind ko
252  {
253  $ldap->ldapErrorCode = ldap_errno($ldap->connection);
254  $ldap->ldapErrorText = ldap_error($ldap->connection);
255  dol_syslog("functions_ldap::check_user_password_ldap ".$ldap->ldapErrorCode." ".$ldap->ldapErrorText);
256  }
257  sleep(2); // Anti brut force protection
258 
259  // Load translation files required by the page
260  $langs->loadLangs(array('main', 'other', 'errors'));
261  $_SESSION["dol_loginmesg"] = ($ldap->error ? $ldap->error : $langs->trans("ErrorBadLoginPassword"));
262  }
263 
264  $ldap->close();
265  }
266 
267  return $login;
268 }
check_user_password_ldap
check_user_password_ldap($usertotest, $passwordtotest, $entitytotest)
Check validity of user/password/entity If test is ko, reason must be filled into $_SESSION[&quot;dol_login...
Definition: functions_ldap.php:35
dol_now
dol_now($mode= 'auto')
Return date for now.
Definition: functions.lib.php:2288
User
Class to manage Dolibarr users.
Definition: user.class.php:44
dol_syslog
dol_syslog($message, $level=LOG_INFO, $ident=0, $suffixinfilename= '', $restricttologhandler= '', $logcontext=null)
Write log message into outputs.
Definition: functions.lib.php:1208
dol_get_first_hour
dol_get_first_hour($date, $gm= 'tzserver')
Return GMT time for first hour of a given GMT date (it removes hours, min and second part) ...
Definition: date.lib.php:538
Ldap
Class to manage LDAP features.
Definition: ldap.class.php:30
print
print
Draft customers invoices.
Definition: index.php:89
Generated on Sat Aug 23 2025 13:17:21 for dolibarr by Doxygen 1.8.5