1
|
|
|
<?php |
2
|
|
|
/* For licensing terms, see /license.txt */ |
3
|
|
|
/** |
4
|
|
|
* LDAP module functions. |
5
|
|
|
* |
6
|
|
|
* If the application uses LDAP, these functions are used |
7
|
|
|
* for logging in, searching user info, adding this info |
8
|
|
|
* to the Chamilo database... |
9
|
|
|
- function ldap_authentication_check() |
10
|
|
|
- function ldap_find_user_info() |
11
|
|
|
- function ldap_login() |
12
|
|
|
- function ldap_put_user_info_locally() |
13
|
|
|
- ldap_set_version() |
14
|
|
|
|
15
|
|
|
known bugs |
16
|
|
|
---------- |
17
|
|
|
- (fixed 18 june 2003) code has been internationalized |
18
|
|
|
- (fixed 07/05/2003) fixed some non-relative urls or includes |
19
|
|
|
- (fixed 28/04/2003) we now use global config.inc variables instead of local ones |
20
|
|
|
- (fixed 22/04/2003) the last name of a user was restricted to the first part |
21
|
|
|
- (fixed 11/04/2003) the user was never registered as a course manager |
22
|
|
|
|
23
|
|
|
version history |
24
|
|
|
--------------- |
25
|
|
|
This historial has been discontinued. Please use the Mercurial logs for more |
26
|
|
|
3.2 - updated to allow for specific term search for teachers identification |
27
|
|
|
3.1 - updated code to use database settings, to respect coding conventions |
28
|
|
|
* as much as possible (camel-case removed) and to allow for non-anonymous login |
29
|
|
|
- Patrick Cool: fixing security hole |
30
|
|
|
|
31
|
|
|
* @author Roan Embrechts |
32
|
|
|
* |
33
|
|
|
* @version 3.0 |
34
|
|
|
* |
35
|
|
|
* @package chamilo.auth.ldap |
36
|
|
|
* Note: |
37
|
|
|
* If you are using a firewall, you might need to check port 389 is open in |
38
|
|
|
* order for Chamilo to communicate with the LDAP server. |
39
|
|
|
* See http://support.chamilo.org/issues/4675 for details. |
40
|
|
|
*/ |
41
|
|
|
/** |
42
|
|
|
* Inclusions. |
43
|
|
|
*/ |
44
|
|
|
use ChamiloSession as Session; |
45
|
|
|
|
46
|
|
|
/** |
47
|
|
|
* Code. |
48
|
|
|
*/ |
49
|
|
|
require_once api_get_path(SYS_CODE_PATH).'auth/external_login/ldap.inc.php'; |
50
|
|
|
require 'ldap_var.inc.php'; |
51
|
|
|
/** |
52
|
|
|
* Check login and password with LDAP. |
53
|
|
|
* |
54
|
|
|
* @return bool when login & password both OK, false otherwise |
55
|
|
|
* |
56
|
|
|
* @author Roan Embrechts (based on code from Universit� Jean Monet) |
57
|
|
|
*/ |
58
|
|
|
function ldap_login($login, $password) |
59
|
|
|
{ |
60
|
|
|
//error_log('Entering ldap_login('.$login.','.$password.')',0); |
61
|
|
|
$res = ldap_authentication_check($login, $password); |
62
|
|
|
|
63
|
|
|
// res=-1 -> the user does not exist in the ldap database |
64
|
|
|
// res=1 -> invalid password (user does exist) |
65
|
|
|
|
66
|
|
|
if ($res == 1) { //WRONG PASSWORD |
67
|
|
|
//$errorMessage = "LDAP User or password incorrect, try again.<br />"; |
68
|
|
|
if (isset($log)) { |
|
|
|
|
69
|
|
|
unset($log); |
70
|
|
|
} |
71
|
|
|
if (isset($uid)) { |
|
|
|
|
72
|
|
|
unset($uid); |
73
|
|
|
} |
74
|
|
|
$loginLdapSucces = false; |
75
|
|
|
} |
76
|
|
|
if ($res == -1) { //WRONG USERNAME |
77
|
|
|
//$errorMessage = "LDAP User or password incorrect, try again.<br />"; |
78
|
|
|
$login_ldap_success = false; |
79
|
|
|
} |
80
|
|
|
if ($res == 0) { //LOGIN & PASSWORD OK - SUCCES |
81
|
|
|
//$errorMessage = "Successful login w/ LDAP.<br>"; |
82
|
|
|
$login_ldap_success = true; |
83
|
|
|
} |
84
|
|
|
|
85
|
|
|
//$result = "This is the result: $errorMessage"; |
86
|
|
|
$result = $login_ldap_success; |
|
|
|
|
87
|
|
|
|
88
|
|
|
return $result; |
89
|
|
|
} |
90
|
|
|
|
91
|
|
|
/** |
92
|
|
|
* Find user info in LDAP. |
93
|
|
|
* |
94
|
|
|
* @return array Array with indexes: "firstname", "name", "email", "employeenumber" |
95
|
|
|
* |
96
|
|
|
* @author Stefan De Wannemacker |
97
|
|
|
* @author Roan Embrechts |
98
|
|
|
*/ |
99
|
|
|
function ldap_find_user_info($login) |
100
|
|
|
{ |
101
|
|
|
//error_log('Entering ldap_find_user_info('.$login.')',0); |
102
|
|
|
global $ldap_host, $ldap_port, $ldap_basedn, $ldap_rdn, $ldap_pass, $ldap_search_dn; |
103
|
|
|
// basic sequence with LDAP is connect, bind, search, |
104
|
|
|
// interpret search result, close connection |
105
|
|
|
|
106
|
|
|
//echo "Connecting ..."; |
107
|
|
|
$ldap_connect = ldap_connect($ldap_host, $ldap_port); |
108
|
|
|
ldap_set_version($ldap_connect); |
109
|
|
|
if ($ldap_connect) { |
110
|
|
|
//echo " Connect to LDAP server successful "; |
111
|
|
|
//echo "Binding ..."; |
112
|
|
|
$ldap_bind = false; |
113
|
|
|
$ldap_bind_res = ldap_handle_bind($ldap_connect, $ldap_bind); |
114
|
|
|
if ($ldap_bind_res) { |
115
|
|
|
//echo " LDAP bind successful... "; |
116
|
|
|
//echo " Searching for uid... "; |
117
|
|
|
// Search surname entry |
118
|
|
|
//OLD: $sr=ldap_search($ldapconnect,"dc=rug, dc=ac, dc=be", "uid=$login"); |
119
|
|
|
//echo "<p> ldapDc = '$LDAPbasedn' </p>"; |
120
|
|
|
if (!empty($ldap_search_dn)) { |
121
|
|
|
$sr = ldap_search($ldap_connect, $ldap_search_dn, "uid=$login"); |
122
|
|
|
} else { |
123
|
|
|
$sr = ldap_search($ldap_connect, $ldap_basedn, "uid=$login"); |
124
|
|
|
} |
125
|
|
|
//echo " Search result is ".$sr; |
126
|
|
|
//echo " Number of entries returned is ".ldap_count_entries($ldapconnect,$sr); |
127
|
|
|
//echo " Getting entries ..."; |
128
|
|
|
$info = ldap_get_entries($ldap_connect, $sr); |
129
|
|
|
//echo "Data for ".$info["count"]." items returned:<p>"; |
130
|
|
|
} // else could echo "LDAP bind failed..."; |
131
|
|
|
//echo "Closing LDAP connection<hr>"; |
132
|
|
|
ldap_close($ldap_connect); |
133
|
|
|
} // else could echo "<h3>Unable to connect to LDAP server</h3>"; |
134
|
|
|
//DEBUG: $result["firstname"] = "Jan"; $result["name"] = "De Test"; $result["email"] = "[email protected]"; |
135
|
|
|
$result["firstname"] = $info[0]["cn"][0]; |
|
|
|
|
136
|
|
|
$result["name"] = $info[0]["sn"][0]; |
137
|
|
|
$result["email"] = $info[0]["mail"][0]; |
138
|
|
|
$tutor_field = api_get_setting('ldap_filled_tutor_field'); |
139
|
|
|
$result[$tutor_field] = $info[0][$tutor_field]; //employeenumber by default |
140
|
|
|
|
141
|
|
|
return $result; |
142
|
|
|
} |
143
|
|
|
|
144
|
|
|
/** |
145
|
|
|
* This function uses the data from ldap_find_user_info() |
146
|
|
|
* to add the userdata to Chamilo |
147
|
|
|
* "firstname", "name", "email", "isEmployee". |
148
|
|
|
* |
149
|
|
|
* @author Roan Embrechts |
150
|
|
|
*/ |
151
|
|
|
function ldap_put_user_info_locally($login, $info_array) |
152
|
|
|
{ |
153
|
|
|
//error_log('Entering ldap_put_user_info_locally('.$login.',info_array)',0); |
154
|
|
|
global $ldap_pass_placeholder; |
155
|
|
|
global $submitRegistration, $submit, $uname, $email, |
156
|
|
|
$nom, $prenom, $password, $password1, $status; |
157
|
|
|
global $platformLanguage; |
158
|
|
|
global $loginFailed, $uidReset, $_user; |
159
|
|
|
|
160
|
|
|
/*---------------------------------------------------------- |
161
|
|
|
1. set the necessary variables |
162
|
|
|
------------------------------------------------------------ */ |
163
|
|
|
$uname = $login; |
164
|
|
|
$email = $info_array["email"]; |
165
|
|
|
$nom = $info_array["name"]; |
166
|
|
|
$prenom = $info_array["firstname"]; |
167
|
|
|
$password = $ldap_pass_placeholder; |
168
|
|
|
$password1 = $ldap_pass_placeholder; |
169
|
|
|
$official_code = ''; |
170
|
|
|
|
171
|
|
|
define("STUDENT", 5); |
172
|
|
|
define("COURSEMANAGER", 1); |
173
|
|
|
|
174
|
|
|
$tutor_field = api_get_setting('ldap_filled_tutor_field'); |
175
|
|
|
$tutor_value = api_get_setting('ldap_filled_tutor_field_value'); |
176
|
|
|
if (empty($tutor_field)) { |
177
|
|
|
$status = STUDENT; |
178
|
|
|
} else { |
179
|
|
|
if (empty($tutor_value)) { |
180
|
|
|
//in this case, we are assuming that the admin didn't give a criteria |
181
|
|
|
// so that if the field is not empty, it is a tutor |
182
|
|
|
if (!empty($info_array[$tutor_field])) { |
183
|
|
|
$status = COURSEMANAGER; |
184
|
|
|
} else { |
185
|
|
|
$status = STUDENT; |
186
|
|
|
} |
187
|
|
|
} else { |
188
|
|
|
//the tutor_value is filled, so we need to check the contents of the LDAP field |
189
|
|
|
if (is_array($info_array[$tutor_field]) && in_array($tutor_value, $info_array[$tutor_field])) { |
190
|
|
|
$status = COURSEMANAGER; |
191
|
|
|
} else { |
192
|
|
|
$status = STUDENT; |
193
|
|
|
} |
194
|
|
|
} |
195
|
|
|
} |
196
|
|
|
//$official_code = xxx; //example: choose an attribute |
197
|
|
|
|
198
|
|
|
/*---------------------------------------------------------- |
199
|
|
|
2. add info to Chamilo |
200
|
|
|
------------------------------------------------------------ */ |
201
|
|
|
|
202
|
|
|
$language = api_get_setting('platformLanguage'); |
203
|
|
|
if (empty($language)) { |
204
|
|
|
$language = 'english'; |
205
|
|
|
} |
206
|
|
|
$_userId = UserManager::create_user( |
207
|
|
|
$prenom, |
208
|
|
|
$nom, |
209
|
|
|
$status, |
210
|
|
|
$email, |
211
|
|
|
$uname, |
212
|
|
|
$password, |
213
|
|
|
$official_code, |
214
|
|
|
$language, |
215
|
|
|
'', |
216
|
|
|
'', |
217
|
|
|
'ldap' |
218
|
|
|
); |
219
|
|
|
|
220
|
|
|
//echo "new user added to Chamilo, id = $_userId"; |
221
|
|
|
|
222
|
|
|
//user_id, username, password, auth_source |
223
|
|
|
|
224
|
|
|
/*---------------------------------------------------------- |
225
|
|
|
3. register session |
226
|
|
|
------------------------------------------------------------ */ |
227
|
|
|
|
228
|
|
|
$uData['user_id'] = $_userId; |
|
|
|
|
229
|
|
|
$uData['username'] = $uname; |
230
|
|
|
$uData['auth_source'] = "ldap"; |
231
|
|
|
|
232
|
|
|
$loginFailed = false; |
233
|
|
|
$uidReset = true; |
234
|
|
|
$_user['user_id'] = $uData['user_id']; |
235
|
|
|
Session::write('_uid', $_user['user_id']); |
236
|
|
|
} |
237
|
|
|
|
238
|
|
|
/** |
239
|
|
|
* The code of UGent uses these functions to authenticate. |
240
|
|
|
* function AuthVerifEnseignant ($uname, $passwd) |
241
|
|
|
* function AuthVerifEtudiant ($uname, $passwd) |
242
|
|
|
* function Authentif ($uname, $passwd). |
243
|
|
|
* |
244
|
|
|
* @todo translate the comments and code to english |
245
|
|
|
* @todo let these functions use the variables in config.inc instead of ldap_var.inc |
246
|
|
|
*/ |
247
|
|
|
/** |
248
|
|
|
* Checks the existence of a member in LDAP. |
249
|
|
|
* |
250
|
|
|
* @param string username input on keyboard |
251
|
|
|
* @param string password given by user |
252
|
|
|
* |
253
|
|
|
* @return int 0 if authentication succeeded, 1 if password was incorrect, -1 if it didn't belong to LDAP |
254
|
|
|
*/ |
255
|
|
|
function ldap_authentication_check($uname, $passwd) |
256
|
|
|
{ |
257
|
|
|
//error_log('Entering ldap_authentication_check('.$uname.','.$passwd.')',0); |
258
|
|
|
global $ldap_host, $ldap_port, $ldap_basedn, $ldap_host2, $ldap_port2, $ldap_rdn, $ldap_pass; |
259
|
|
|
//error_log('Entering ldap_authentication_check('.$uname.','.$passwd.')',0); |
260
|
|
|
// Establish anonymous connection with LDAP server |
261
|
|
|
// Etablissement de la connexion anonyme avec le serveur LDAP |
262
|
|
|
$ds = ldap_connect($ldap_host, $ldap_port); |
263
|
|
|
ldap_set_version($ds); |
264
|
|
|
|
265
|
|
|
$test_bind = false; |
266
|
|
|
$test_bind_res = ldap_handle_bind($ds, $test_bind); |
267
|
|
|
//if problem, use the replica |
268
|
|
|
if ($test_bind_res === false) { |
269
|
|
|
$ds = ldap_connect($ldap_host2, $ldap_port2); |
270
|
|
|
ldap_set_version($ds); |
271
|
|
|
} // else: error_log('Connected to server '.$ldap_host); |
272
|
|
|
if ($ds !== false) { |
273
|
|
|
//Creation of filter containing values input by the user |
274
|
|
|
// Here it might be necessary to use $filter="(samaccountName=$uname)"; - see http://support.chamilo.org/issues/4675 |
275
|
|
|
$filter = "(uid=$uname)"; |
276
|
|
|
// Open anonymous LDAP connection |
277
|
|
|
$result = false; |
278
|
|
|
$ldap_bind_res = ldap_handle_bind($ds, $result); |
279
|
|
|
// Executing the search with the $filter parametr |
280
|
|
|
//error_log('Searching for '.$filter.' on LDAP server',0); |
281
|
|
|
$sr = ldap_search($ds, $ldap_basedn, $filter); |
282
|
|
|
$info = ldap_get_entries($ds, $sr); |
283
|
|
|
$dn = ($info[0]["dn"]); |
284
|
|
|
// debug !! echo"<br> dn = $dn<br> pass = $passwd<br>"; |
285
|
|
|
// closing 1st connection |
286
|
|
|
ldap_close($ds); |
287
|
|
|
} |
288
|
|
|
|
289
|
|
|
// test the Distinguish Name from the 1st connection |
290
|
|
|
if ($dn == "") { |
|
|
|
|
291
|
|
|
return -1; // doesn't belong to the addressbook |
292
|
|
|
} |
293
|
|
|
//bug ldap.. if password empty, return 1! |
294
|
|
|
if ($passwd == "") { |
295
|
|
|
return 1; |
296
|
|
|
} |
297
|
|
|
// Opening 2nd LDAP connection : Connection user for password check |
298
|
|
|
$ds = ldap_connect($ldap_host, $ldap_port); |
299
|
|
|
ldap_set_version($ds); |
300
|
|
|
if (!$test_bind) { |
301
|
|
|
$ds = ldap_connect($ldap_host2, $ldap_port2); |
302
|
|
|
ldap_set_version($ds); |
303
|
|
|
} |
304
|
|
|
// return in case of wrong password connection error |
305
|
|
|
if (@ldap_bind($ds, $dn, $passwd) === false) { |
306
|
|
|
return 1; // invalid password |
307
|
|
|
} else {// connection successfull |
308
|
|
|
return 0; |
309
|
|
|
} |
310
|
|
|
} // end of check |
311
|
|
|
/** |
312
|
|
|
* Set the protocol version with version from config file (enables LDAP version 3). |
313
|
|
|
* |
314
|
|
|
* @param resource resource LDAP connexion resource, passed by reference |
315
|
|
|
*/ |
316
|
|
|
function ldap_set_version(&$resource) |
317
|
|
|
{ |
318
|
|
|
//error_log('Entering ldap_set_version(&$resource)',0); |
319
|
|
|
global $ldap_version; |
320
|
|
|
if ($ldap_version > 2) { |
321
|
|
|
ldap_set_option($resource, LDAP_OPT_PROTOCOL_VERSION, 3); |
322
|
|
|
//ok - don't do anything |
323
|
|
|
//failure - should switch back to version 2 by default |
324
|
|
|
} |
325
|
|
|
} |
326
|
|
|
/** |
327
|
|
|
* Handle bind (whether authenticated or not). |
328
|
|
|
* |
329
|
|
|
* @param resource The LDAP handler to which we are connecting (by reference) |
330
|
|
|
* @param resource The LDAP bind handler we will be modifying |
331
|
|
|
* @param bool $ldap_bind |
332
|
|
|
* |
333
|
|
|
* @return bool Status of the bind assignment. True for success, false for failure. |
334
|
|
|
*/ |
335
|
|
|
function ldap_handle_bind(&$ldap_handler, &$ldap_bind) |
336
|
|
|
{ |
337
|
|
|
//error_log('Entering ldap_handle_bind(&$ldap_handler,&$ldap_bind)',0); |
338
|
|
|
global $ldap_rdn, $ldap_pass, $extldap_config; |
339
|
|
|
$ldap_rdn = $extldap_config['admin_dn']; |
340
|
|
|
$ldap_pass = $extldap_config['admin_password']; |
341
|
|
|
if (!empty($ldap_rdn) and !empty($ldap_pass)) { |
342
|
|
|
//error_log('Trying authenticated login :'.$ldap_rdn.'/'.$ldap_pass,0); |
343
|
|
|
$ldap_bind = ldap_bind($ldap_handler, $ldap_rdn, $ldap_pass); |
344
|
|
|
if (!$ldap_bind) { |
345
|
|
|
//error_log('Authenticated login failed',0); |
346
|
|
|
//try in anonymous mode, you never know... |
347
|
|
|
$ldap_bind = ldap_bind($ldap_handler); |
348
|
|
|
} |
349
|
|
|
} else { |
350
|
|
|
// this is an "anonymous" bind, typically read-only access: |
351
|
|
|
$ldap_bind = ldap_bind($ldap_handler); |
352
|
|
|
} |
353
|
|
|
if (!$ldap_bind) { |
354
|
|
|
return false; |
355
|
|
|
} else { |
356
|
|
|
//error_log('Login finally OK',0); |
357
|
|
|
return true; |
358
|
|
|
} |
359
|
|
|
} |
360
|
|
|
/** |
361
|
|
|
* Get the total number of users on the platform. |
362
|
|
|
* |
363
|
|
|
* @see SortableTable#get_total_number_of_items() |
364
|
|
|
* |
365
|
|
|
* @author Mustapha Alouani |
366
|
|
|
*/ |
367
|
|
|
function ldap_get_users() |
368
|
|
|
{ |
369
|
|
|
global $ldap_basedn, $ldap_host, $ldap_port, $ldap_rdn, $ldap_pass, $ldap_search_dn, $extldap_user_correspondance; |
370
|
|
|
|
371
|
|
|
$keyword_firstname = isset($_GET['keyword_firstname']) ? trim(Database::escape_string($_GET['keyword_firstname'])) : ''; |
372
|
|
|
$keyword_lastname = isset($_GET['keyword_lastname']) ? trim(Database::escape_string($_GET['keyword_lastname'])) : ''; |
373
|
|
|
$keyword_username = isset($_GET['keyword_username']) ? trim(Database::escape_string($_GET['keyword_username'])) : ''; |
374
|
|
|
$keyword_type = isset($_GET['keyword_type']) ? Database::escape_string($_GET['keyword_type']) : ''; |
375
|
|
|
|
376
|
|
|
$ldap_query = []; |
377
|
|
|
|
378
|
|
|
if ($keyword_username != "") { |
379
|
|
|
$ldap_query[] = str_replace('%username%', $keyword_username, $ldap_search_dn); |
380
|
|
|
} else { |
381
|
|
|
if ($keyword_lastname != "") { |
382
|
|
|
$ldap_query[] = "(".$extldap_user_correspondance['lastname']."=".$keyword_lastname."*)"; |
383
|
|
|
} |
384
|
|
|
if ($keyword_firstname != "") { |
385
|
|
|
$ldap_query[] = "(".$extldap_user_correspondance['firstname']."=".$keyword_firstname."*)"; |
386
|
|
|
} |
387
|
|
|
} |
388
|
|
|
if ($keyword_type != "" && $keyword_type != "all") { |
389
|
|
|
$ldap_query[] = "(employeeType=".$keyword_type.")"; |
390
|
|
|
} |
391
|
|
|
|
392
|
|
|
if (count($ldap_query) > 1) { |
393
|
|
|
$str_query = "(& "; |
394
|
|
|
foreach ($ldap_query as $query) { |
395
|
|
|
$str_query .= " $query"; |
396
|
|
|
} |
397
|
|
|
$str_query .= " )"; |
398
|
|
|
} else { |
399
|
|
|
$str_query = count($ldap_query) > 0 ? $ldap_query[0] : null; |
400
|
|
|
} |
401
|
|
|
|
402
|
|
|
$ds = ldap_connect($ldap_host, $ldap_port); |
403
|
|
|
ldap_set_version($ds); |
404
|
|
|
if ($ds && count($ldap_query) > 0) { |
405
|
|
|
$r = false; |
406
|
|
|
$res = ldap_handle_bind($ds, $r); |
407
|
|
|
//$sr = ldap_search($ds, "ou=test-ou,$ldap_basedn", $str_query); |
408
|
|
|
$sr = ldap_search($ds, $ldap_basedn, $str_query); |
409
|
|
|
//echo "Le nombre de resultats est : ".ldap_count_entries($ds,$sr)."<p>"; |
410
|
|
|
$info = ldap_get_entries($ds, $sr); |
411
|
|
|
|
412
|
|
|
return $info; |
413
|
|
|
} else { |
414
|
|
|
if (count($ldap_query) != 0) { |
415
|
|
|
echo Display::return_message(get_lang('LDAPConnectionError'), 'error'); |
416
|
|
|
} |
417
|
|
|
|
418
|
|
|
return []; |
419
|
|
|
} |
420
|
|
|
} |
421
|
|
|
|
422
|
|
|
/** |
423
|
|
|
* Get the total number of users on the platform. |
424
|
|
|
* |
425
|
|
|
* @see SortableTable#get_total_number_of_items() |
426
|
|
|
* |
427
|
|
|
* @author Mustapha Alouani |
428
|
|
|
*/ |
429
|
|
|
function ldap_get_number_of_users() |
430
|
|
|
{ |
431
|
|
|
$info = ldap_get_users(); |
432
|
|
|
if (count($info) > 0) { |
433
|
|
|
return $info['count']; |
434
|
|
|
} else { |
435
|
|
|
return 0; |
436
|
|
|
} |
437
|
|
|
} |
438
|
|
|
|
439
|
|
|
/** |
440
|
|
|
* Get the users to display on the current page. |
441
|
|
|
* |
442
|
|
|
* @see SortableTable#get_table_data($from) |
443
|
|
|
* |
444
|
|
|
* @author Mustapha Alouani |
445
|
|
|
*/ |
446
|
|
|
function ldap_get_user_data($from, $number_of_items, $column, $direction) |
447
|
|
|
{ |
448
|
|
|
global $extldap_user_correspondance; |
449
|
|
|
|
450
|
|
|
$users = []; |
451
|
|
|
$is_western_name_order = api_is_western_name_order(); |
452
|
|
|
if (isset($_GET['submit'])) { |
453
|
|
|
$info = ldap_get_users(); |
454
|
|
|
if ($info['count'] > 0) { |
455
|
|
|
for ($key = 0; $key < $info["count"]; $key++) { |
456
|
|
|
$user = []; |
457
|
|
|
// Get uid from dn |
458
|
|
|
//YW: this might be a variation between LDAP 2 and LDAP 3, but in LDAP 3, the uid is in |
459
|
|
|
//the corresponding index of the array |
460
|
|
|
//$dn_array=ldap_explode_dn($info[$key]["dn"],1); |
461
|
|
|
//$user[] = $dn_array[0]; // uid is first key |
462
|
|
|
//$user[] = $dn_array[0]; // uid is first key |
463
|
|
|
$user[] = $info[$key][$extldap_user_correspondance['username']][0]; |
464
|
|
|
$user[] = $info[$key][$extldap_user_correspondance['username']][0]; |
465
|
|
|
if ($is_western_name_order) { |
466
|
|
|
$user[] = api_convert_encoding($info[$key][$extldap_user_correspondance['firstname']][0], api_get_system_encoding(), 'UTF-8'); |
467
|
|
|
$user[] = api_convert_encoding($info[$key][$extldap_user_correspondance['lastname']][0], api_get_system_encoding(), 'UTF-8'); |
468
|
|
|
} else { |
469
|
|
|
$user[] = api_convert_encoding($info[$key][$extldap_user_correspondance['firstname']][0], api_get_system_encoding(), 'UTF-8'); |
470
|
|
|
$user[] = api_convert_encoding($info[$key][$extldap_user_correspondance['lastname']][0], api_get_system_encoding(), 'UTF-8'); |
471
|
|
|
} |
472
|
|
|
$user[] = $info[$key]['mail'][0]; |
473
|
|
|
$user[] = $info[$key][$extldap_user_correspondance['username']][0]; |
474
|
|
|
$users[] = $user; |
475
|
|
|
} |
476
|
|
|
} else { |
477
|
|
|
echo Display::return_message(get_lang('NoUser'), 'error'); |
478
|
|
|
} |
479
|
|
|
} |
480
|
|
|
|
481
|
|
|
return $users; |
482
|
|
|
} |
483
|
|
|
|
484
|
|
|
/** |
485
|
|
|
* Build the modify-column of the table. |
486
|
|
|
* |
487
|
|
|
* @param int $user_id The user id |
488
|
|
|
* @param string $url_params |
489
|
|
|
* |
490
|
|
|
* @return string Some HTML-code with modify-buttons |
491
|
|
|
* |
492
|
|
|
* @author Mustapha Alouani |
493
|
|
|
*/ |
494
|
|
|
function modify_filter($user_id, $url_params, $row) |
495
|
|
|
{ |
496
|
|
|
$query_string = "id[]=".$row[0]; |
497
|
|
|
if (!empty($_GET['id_session'])) { |
498
|
|
|
$query_string .= '&id_session='.Security::remove_XSS($_GET['id_session']); |
499
|
|
|
} |
500
|
|
|
$icon = ''; |
501
|
|
|
if (UserManager::is_username_available($user_id)) { |
502
|
|
|
$icon = 'invitation_friend.png'; |
503
|
|
|
} else { |
504
|
|
|
$icon = 'reload.png'; |
505
|
|
|
} |
506
|
|
|
//$url_params_id="id=".$row[0]; |
507
|
|
|
$result = '<a href="ldap_users_list.php?action=add_user&user_id='.$user_id.'&'.$query_string.'&sec_token='.Security::getTokenFromSession().'" onclick="javascript:if(!confirm('."'".addslashes(api_htmlentities(get_lang("ConfirmYourChoice"), ENT_QUOTES, api_get_system_encoding()))."'".')) return false;">'.Display::return_icon($icon, get_lang('AddUsers')).'</a>'; |
508
|
|
|
|
509
|
|
|
return $result; |
510
|
|
|
} |
511
|
|
|
|
512
|
|
|
/** |
513
|
|
|
* Adds a user to the Chamilo database or updates its data. |
514
|
|
|
* |
515
|
|
|
* @param string username (and uid inside LDAP) |
516
|
|
|
* |
517
|
|
|
* @author Mustapha Alouani |
518
|
|
|
*/ |
519
|
|
|
function ldap_add_user($login) |
520
|
|
|
{ |
521
|
|
|
if ($ldap_user = extldap_authenticate($login, 'nopass', true)) { |
522
|
|
|
return extldap_add_user_by_array($ldap_user); |
523
|
|
|
} |
524
|
|
|
} |
525
|
|
|
|
526
|
|
|
function ldap_add_user_by_array($data, $update_if_exists = true) |
527
|
|
|
{ |
528
|
|
|
$lastname = api_convert_encoding($data['sn'][0], api_get_system_encoding(), 'UTF-8'); |
529
|
|
|
$firstname = api_convert_encoding($data['cn'][0], api_get_system_encoding(), 'UTF-8'); |
530
|
|
|
$email = $data['mail'][0]; |
531
|
|
|
// Get uid from dn |
532
|
|
|
$dn_array = ldap_explode_dn($data['dn'], 1); |
533
|
|
|
$username = $dn_array[0]; // uid is first key |
534
|
|
|
$outab[] = $data['edupersonprimaryaffiliation'][0]; // Here, "student" |
|
|
|
|
535
|
|
|
//$val = ldap_get_values_len($ds, $entry, "userPassword"); |
536
|
|
|
//$val = ldap_get_values_len($ds, $data, "userPassword"); |
537
|
|
|
//$password = $val[0]; |
538
|
|
|
// TODO the password, if encrypted at the source, will be encrypted twice, which makes it useless. Try to fix that. |
539
|
|
|
$password = $data['userPassword'][0]; |
540
|
|
|
$structure = $data['edupersonprimaryorgunitdn'][0]; |
541
|
|
|
$array_structure = explode(",", $structure); |
542
|
|
|
$array_val = explode("=", $array_structure[0]); |
543
|
|
|
$etape = $array_val[1]; |
544
|
|
|
$array_val = explode("=", $array_structure[1]); |
545
|
|
|
$annee = $array_val[1]; |
546
|
|
|
// To ease management, we add the step-year (etape-annee) code |
547
|
|
|
$official_code = $etape."-".$annee; |
548
|
|
|
$auth_source = 'ldap'; |
549
|
|
|
// No expiration date for students (recover from LDAP's shadow expiry) |
550
|
|
|
$expiration_date = ''; |
551
|
|
|
$active = 1; |
552
|
|
|
if (empty($status)) { |
|
|
|
|
553
|
|
|
$status = 5; |
554
|
|
|
} |
555
|
|
|
if (empty($phone)) { |
|
|
|
|
556
|
|
|
$phone = ''; |
557
|
|
|
} |
558
|
|
|
if (empty($picture_uri)) { |
|
|
|
|
559
|
|
|
$picture_uri = ''; |
560
|
|
|
} |
561
|
|
|
// Adding user |
562
|
|
|
$user_id = 0; |
563
|
|
|
if (UserManager::is_username_available($username)) { |
564
|
|
|
$user_id = UserManager::create_user( |
565
|
|
|
$firstname, |
566
|
|
|
$lastname, |
567
|
|
|
$status, |
568
|
|
|
$email, |
569
|
|
|
$username, |
570
|
|
|
$password, |
571
|
|
|
$official_code, |
572
|
|
|
api_get_setting('platformLanguage'), |
573
|
|
|
$phone, |
574
|
|
|
$picture_uri, |
575
|
|
|
$auth_source, |
576
|
|
|
$expiration_date, |
577
|
|
|
$active |
578
|
|
|
); |
579
|
|
|
} else { |
580
|
|
|
if ($update_if_exists) { |
581
|
|
|
$user = api_get_user_info($username); |
582
|
|
|
$user_id = $user['user_id']; |
583
|
|
|
UserManager::update_user( |
584
|
|
|
$user_id, |
585
|
|
|
$firstname, |
586
|
|
|
$lastname, |
587
|
|
|
$username, |
588
|
|
|
null, |
589
|
|
|
null, |
590
|
|
|
$email, |
591
|
|
|
$status, |
592
|
|
|
$official_code, |
593
|
|
|
$phone, |
594
|
|
|
$picture_uri, |
595
|
|
|
$expiration_date, |
596
|
|
|
$active |
597
|
|
|
); |
598
|
|
|
} |
599
|
|
|
} |
600
|
|
|
|
601
|
|
|
return $user_id; |
602
|
|
|
} |
603
|
|
|
|
604
|
|
|
/** |
605
|
|
|
* Adds a list of users to one session. |
606
|
|
|
* |
607
|
|
|
* @param array Array of user ids |
608
|
|
|
* @param string Course code |
609
|
|
|
*/ |
610
|
|
|
function ldap_add_user_to_session($UserList, $id_session) |
611
|
|
|
{ |
612
|
|
|
// Database Table Definitions |
613
|
|
|
$tbl_session_rel_course = Database::get_main_table(TABLE_MAIN_SESSION_COURSE); |
614
|
|
|
|
615
|
|
|
$id_session = (int) $id_session; |
616
|
|
|
// Once users are imported in the users base, we can assign them to the session |
617
|
|
|
$result = Database::query("SELECT c_id FROM $tbl_session_rel_course WHERE session_id ='$id_session'"); |
618
|
|
|
$CourseList = []; |
619
|
|
|
while ($row = Database::fetch_array($result)) { |
620
|
|
|
$CourseList[] = $row['c_id']; |
621
|
|
|
} |
622
|
|
|
|
623
|
|
|
SessionManager::insertUsersInCourses($UserList, $CourseList, $id_session); |
624
|
|
|
} |
625
|
|
|
|
626
|
|
|
/** |
627
|
|
|
* Synchronize users from the configured LDAP connection (in auth.conf.php). If |
628
|
|
|
* configured to disable old users,. |
629
|
|
|
* |
630
|
|
|
* @param bool $disableOldUsers Whether to disable users who have disappeared from LDAP (true) or just leave them be (default: false) |
631
|
|
|
* @param bool $deleteStudents Go one step further and delete completely students missing from LDAP |
632
|
|
|
* @param bool $deleteTeachers Go even one step further and also delete completely teachers missing from LDAP |
633
|
|
|
* |
634
|
|
|
* @return int Total number of users added (not counting possible removals) |
635
|
|
|
*/ |
636
|
|
|
function syncro_users( |
637
|
|
|
$disableOldUsers = false, |
638
|
|
|
$deleteStudents = false, |
639
|
|
|
$deleteTeachers = false |
640
|
|
|
) { |
641
|
|
|
global $ldap_basedn, $ldap_host, $ldap_port, $ldap_rdn, $ldap_pass, $ldap_search_dn, $debug; |
642
|
|
|
$i = 0; |
643
|
|
|
if ($debug) { |
644
|
|
|
error_log('Connecting... ('.__FUNCTION__.')'); |
645
|
|
|
} |
646
|
|
|
$ldapConnect = ldap_connect($ldap_host, $ldap_port); |
647
|
|
|
ldap_set_version($ldapConnect); |
648
|
|
|
if ($ldapConnect) { |
649
|
|
|
if ($debug) { |
650
|
|
|
error_log('Connected to LDAP server successfully! Binding... ('.__FUNCTION__.')'); |
651
|
|
|
} |
652
|
|
|
$ldapBind = false; |
653
|
|
|
$ldapBindRes = ldap_handle_bind($ldapConnect, $ldapBind); |
654
|
|
|
if ($ldapBindRes) { |
655
|
|
|
if ($debug) { |
656
|
|
|
error_log('Bind successful! Searching for uid in LDAP DC: '.$ldap_search_dn); |
657
|
|
|
} |
658
|
|
|
$allUserQuery = "uid=*"; |
659
|
|
|
if (!empty($ldap_search_dn)) { |
660
|
|
|
$sr = ldap_search($ldapConnect, $ldap_search_dn, $allUserQuery); |
661
|
|
|
} else { |
662
|
|
|
//OLD: $sr=ldap_search($ldapconnect,"dc=rug, dc=ac, dc=be", "uid=$login"); |
663
|
|
|
$sr = ldap_search($ldapConnect, $ldap_basedn, $allUserQuery); |
664
|
|
|
} |
665
|
|
|
if ($debug) { |
666
|
|
|
error_log('Entries returned: '.ldap_count_entries($ldapConnect, $sr)); |
667
|
|
|
} |
668
|
|
|
$info = ldap_get_entries($ldapConnect, $sr); |
669
|
|
|
for ($key = 0; $key < $info['count']; $key++) { |
670
|
|
|
$user_id = ldap_add_user_by_array($info[$key], false); |
671
|
|
|
if ($user_id) { |
|
|
|
|
672
|
|
|
if ($debug) { |
673
|
|
|
error_log('User #'.$user_id.' created from LDAP'); |
674
|
|
|
} |
675
|
|
|
$i++; |
676
|
|
|
} else { |
677
|
|
|
if ($debug) { |
678
|
|
|
error_log('User '.$info[$key]['sn'][0].' ('.$info[$key]['mail'][0].') could not be created'); |
679
|
|
|
} |
680
|
|
|
} |
681
|
|
|
} |
682
|
|
|
if ($disableOldUsers === true) { |
683
|
|
|
if ($debug) { |
684
|
|
|
error_log('Disable mode selected in '.__FUNCTION__); |
685
|
|
|
if ($deleteStudents) { |
686
|
|
|
error_log('...with complete deletion of users if disabled'); |
687
|
|
|
} |
688
|
|
|
} |
689
|
|
|
// Get a big array of all user IDs, usernames only if they are |
690
|
|
|
// registered as auth_source = 'ldap' |
691
|
|
|
// This array will take about 60 bytes per user in memory, so |
692
|
|
|
// having 100K users should only take a few (6?) MB and will |
693
|
|
|
// highly reduce the number of DB queries |
694
|
|
|
$usersDBShortList = []; |
695
|
|
|
$usersLDAPShortList = []; |
696
|
|
|
$sql = "SELECT id, username, status FROM user WHERE auth_source = 'ldap' ORDER BY username"; |
697
|
|
|
$res = Database::query($sql); |
698
|
|
|
if ($res !== false) { |
699
|
|
|
// First build a list of users present in LDAP |
700
|
|
|
for ($key = 0; $key < $info['count']; $key++) { |
701
|
|
|
$dn_array = ldap_explode_dn($info[$key]['dn'], 1); |
702
|
|
|
$usersLDAPShortList[$dn_array[0]] = 1; |
703
|
|
|
} |
704
|
|
|
// Go through all 'extldap' users. For any that cannot |
705
|
|
|
// be found in the LDAP list, disable |
706
|
|
|
while ($row = Database::fetch_assoc($res)) { |
707
|
|
|
$usersDBShortList[$row['username']] = $row['id']; |
708
|
|
|
// If any of those users is NOT in LDAP, disable or remove |
709
|
|
|
if (empty($usersLDAPShortList[$row['username']])) { |
710
|
|
|
if ($deleteStudents === true && $row['status'] == 5) { |
711
|
|
|
UserManager::delete_user($usersDBShortList[$row['username']]); |
712
|
|
|
if ($debug) { |
713
|
|
|
error_log('Student '.$row['username'].' removed from Chamilo'); |
714
|
|
|
} |
715
|
|
|
} elseif ($deleteTeachers === true && $row['status'] == 1) { |
716
|
|
|
UserManager::delete_user($usersDBShortList[$row['username']]); |
717
|
|
|
if ($debug) { |
718
|
|
|
error_log('Teacher '.$row['username'].' removed from Chamilo'); |
719
|
|
|
} |
720
|
|
|
} else { |
721
|
|
|
UserManager::disable($usersDBShortList[$row['username']]); |
722
|
|
|
if ($debug) { |
723
|
|
|
error_log('User '.$row['username'].' disabled in Chamilo'); |
724
|
|
|
} |
725
|
|
|
} |
726
|
|
|
} |
727
|
|
|
} |
728
|
|
|
} |
729
|
|
|
} |
730
|
|
|
if ($debug) { |
731
|
|
|
error_log('Data for '.$info['count'].' items processed'); |
732
|
|
|
} |
733
|
|
|
//echo "Data for ".$info["count"]." items returned:<p>"; |
734
|
|
|
} else { |
735
|
|
|
error_log('Could not bind to LDAP server'); |
736
|
|
|
} |
737
|
|
|
ldap_close($ldapConnect); |
738
|
|
|
} else { |
739
|
|
|
error_log('Could not connect to LDAP server'); |
740
|
|
|
} |
741
|
|
|
error_log('Ended execution of function '.__FUNCTION__); |
742
|
|
|
} |
743
|
|
|
|