|
1
|
|
|
<?php |
|
2
|
|
|
/* For licensing terms, see /license.txt */ |
|
3
|
|
|
/** |
|
4
|
|
|
* LDAP module functions. |
|
5
|
|
|
* |
|
6
|
|
|
* If the application uses LDAP, these functions are used |
|
7
|
|
|
* for logging in, searching user info, adding this info |
|
8
|
|
|
* to the Chamilo database... |
|
9
|
|
|
- function ldap_authentication_check() |
|
10
|
|
|
- function ldap_find_user_info() |
|
11
|
|
|
- function ldap_login() |
|
12
|
|
|
- function ldap_put_user_info_locally() |
|
13
|
|
|
- ldap_set_version() |
|
14
|
|
|
|
|
15
|
|
|
known bugs |
|
16
|
|
|
---------- |
|
17
|
|
|
- (fixed 18 june 2003) code has been internationalized |
|
18
|
|
|
- (fixed 07/05/2003) fixed some non-relative urls or includes |
|
19
|
|
|
- (fixed 28/04/2003) we now use global config.inc variables instead of local ones |
|
20
|
|
|
- (fixed 22/04/2003) the last name of a user was restricted to the first part |
|
21
|
|
|
- (fixed 11/04/2003) the user was never registered as a course manager |
|
22
|
|
|
|
|
23
|
|
|
version history |
|
24
|
|
|
--------------- |
|
25
|
|
|
This historial has been discontinued. Please use the Mercurial logs for more |
|
26
|
|
|
3.2 - updated to allow for specific term search for teachers identification |
|
27
|
|
|
3.1 - updated code to use database settings, to respect coding conventions |
|
28
|
|
|
* as much as possible (camel-case removed) and to allow for non-anonymous login |
|
29
|
|
|
- Patrick Cool: fixing security hole |
|
30
|
|
|
|
|
31
|
|
|
* @author Roan Embrechts |
|
32
|
|
|
* |
|
33
|
|
|
* @version 3.0 |
|
34
|
|
|
* |
|
35
|
|
|
* @package chamilo.auth.ldap |
|
36
|
|
|
* Note: |
|
37
|
|
|
* If you are using a firewall, you might need to check port 389 is open in |
|
38
|
|
|
* order for Chamilo to communicate with the LDAP server. |
|
39
|
|
|
* See http://support.chamilo.org/issues/4675 for details. |
|
40
|
|
|
*/ |
|
41
|
|
|
/** |
|
42
|
|
|
* Inclusions. |
|
43
|
|
|
*/ |
|
44
|
|
|
use ChamiloSession as Session; |
|
45
|
|
|
|
|
46
|
|
|
/** |
|
47
|
|
|
* Code. |
|
48
|
|
|
*/ |
|
49
|
|
|
require_once api_get_path(SYS_CODE_PATH).'auth/external_login/ldap.inc.php'; |
|
50
|
|
|
require 'ldap_var.inc.php'; |
|
51
|
|
|
/** |
|
52
|
|
|
* Check login and password with LDAP. |
|
53
|
|
|
* |
|
54
|
|
|
* @return bool when login & password both OK, false otherwise |
|
55
|
|
|
* |
|
56
|
|
|
* @author Roan Embrechts (based on code from Universit� Jean Monet) |
|
57
|
|
|
*/ |
|
58
|
|
|
function ldap_login($login, $password) |
|
59
|
|
|
{ |
|
60
|
|
|
//error_log('Entering ldap_login('.$login.','.$password.')',0); |
|
61
|
|
|
$res = ldap_authentication_check($login, $password); |
|
62
|
|
|
|
|
63
|
|
|
// res=-1 -> the user does not exist in the ldap database |
|
64
|
|
|
// res=1 -> invalid password (user does exist) |
|
65
|
|
|
|
|
66
|
|
|
if ($res == 1) { //WRONG PASSWORD |
|
67
|
|
|
//$errorMessage = "LDAP User or password incorrect, try again.<br />"; |
|
68
|
|
|
if (isset($log)) { |
|
|
|
|
|
|
69
|
|
|
unset($log); |
|
70
|
|
|
} |
|
71
|
|
|
if (isset($uid)) { |
|
|
|
|
|
|
72
|
|
|
unset($uid); |
|
73
|
|
|
} |
|
74
|
|
|
$loginLdapSucces = false; |
|
75
|
|
|
} |
|
76
|
|
|
if ($res == -1) { //WRONG USERNAME |
|
77
|
|
|
//$errorMessage = "LDAP User or password incorrect, try again.<br />"; |
|
78
|
|
|
$login_ldap_success = false; |
|
79
|
|
|
} |
|
80
|
|
|
if ($res == 0) { //LOGIN & PASSWORD OK - SUCCES |
|
81
|
|
|
//$errorMessage = "Successful login w/ LDAP.<br>"; |
|
82
|
|
|
$login_ldap_success = true; |
|
83
|
|
|
} |
|
84
|
|
|
|
|
85
|
|
|
//$result = "This is the result: $errorMessage"; |
|
86
|
|
|
$result = $login_ldap_success; |
|
|
|
|
|
|
87
|
|
|
|
|
88
|
|
|
return $result; |
|
89
|
|
|
} |
|
90
|
|
|
|
|
91
|
|
|
/** |
|
92
|
|
|
* Find user info in LDAP. |
|
93
|
|
|
* |
|
94
|
|
|
* @return array Array with indexes: "firstname", "name", "email", "employeenumber" |
|
95
|
|
|
* |
|
96
|
|
|
* @author Stefan De Wannemacker |
|
97
|
|
|
* @author Roan Embrechts |
|
98
|
|
|
*/ |
|
99
|
|
|
function ldap_find_user_info($login) |
|
100
|
|
|
{ |
|
101
|
|
|
//error_log('Entering ldap_find_user_info('.$login.')',0); |
|
102
|
|
|
global $ldap_host, $ldap_port, $ldap_basedn, $ldap_rdn, $ldap_pass, $ldap_search_dn; |
|
103
|
|
|
// basic sequence with LDAP is connect, bind, search, |
|
104
|
|
|
// interpret search result, close connection |
|
105
|
|
|
|
|
106
|
|
|
//echo "Connecting ..."; |
|
107
|
|
|
$ldap_connect = ldap_connect($ldap_host, $ldap_port); |
|
108
|
|
|
ldap_set_version($ldap_connect); |
|
109
|
|
|
if ($ldap_connect) { |
|
110
|
|
|
//echo " Connect to LDAP server successful "; |
|
111
|
|
|
//echo "Binding ..."; |
|
112
|
|
|
$ldap_bind = false; |
|
113
|
|
|
$ldap_bind_res = ldap_handle_bind($ldap_connect, $ldap_bind); |
|
114
|
|
|
if ($ldap_bind_res) { |
|
115
|
|
|
//echo " LDAP bind successful... "; |
|
116
|
|
|
//echo " Searching for uid... "; |
|
117
|
|
|
// Search surname entry |
|
118
|
|
|
//OLD: $sr=ldap_search($ldapconnect,"dc=rug, dc=ac, dc=be", "uid=$login"); |
|
119
|
|
|
//echo "<p> ldapDc = '$LDAPbasedn' </p>"; |
|
120
|
|
|
if (!empty($ldap_search_dn)) { |
|
121
|
|
|
$sr = ldap_search($ldap_connect, $ldap_search_dn, "uid=$login"); |
|
122
|
|
|
} else { |
|
123
|
|
|
$sr = ldap_search($ldap_connect, $ldap_basedn, "uid=$login"); |
|
124
|
|
|
} |
|
125
|
|
|
//echo " Search result is ".$sr; |
|
126
|
|
|
//echo " Number of entries returned is ".ldap_count_entries($ldapconnect,$sr); |
|
127
|
|
|
//echo " Getting entries ..."; |
|
128
|
|
|
$info = ldap_get_entries($ldap_connect, $sr); |
|
129
|
|
|
//echo "Data for ".$info["count"]." items returned:<p>"; |
|
130
|
|
|
} // else could echo "LDAP bind failed..."; |
|
131
|
|
|
//echo "Closing LDAP connection<hr>"; |
|
132
|
|
|
ldap_close($ldap_connect); |
|
133
|
|
|
} // else could echo "<h3>Unable to connect to LDAP server</h3>"; |
|
134
|
|
|
//DEBUG: $result["firstname"] = "Jan"; $result["name"] = "De Test"; $result["email"] = "[email protected]"; |
|
135
|
|
|
$result["firstname"] = $info[0]["cn"][0]; |
|
|
|
|
|
|
136
|
|
|
$result["name"] = $info[0]["sn"][0]; |
|
137
|
|
|
$result["email"] = $info[0]["mail"][0]; |
|
138
|
|
|
$tutor_field = api_get_setting('ldap_filled_tutor_field'); |
|
139
|
|
|
$result[$tutor_field] = $info[0][$tutor_field]; //employeenumber by default |
|
140
|
|
|
|
|
141
|
|
|
return $result; |
|
142
|
|
|
} |
|
143
|
|
|
|
|
144
|
|
|
/** |
|
145
|
|
|
* This function uses the data from ldap_find_user_info() |
|
146
|
|
|
* to add the userdata to Chamilo |
|
147
|
|
|
* "firstname", "name", "email", "isEmployee". |
|
148
|
|
|
* |
|
149
|
|
|
* @author Roan Embrechts |
|
150
|
|
|
*/ |
|
151
|
|
|
function ldap_put_user_info_locally($login, $info_array) |
|
152
|
|
|
{ |
|
153
|
|
|
//error_log('Entering ldap_put_user_info_locally('.$login.',info_array)',0); |
|
154
|
|
|
global $ldap_pass_placeholder; |
|
155
|
|
|
global $submitRegistration, $submit, $uname, $email, |
|
156
|
|
|
$nom, $prenom, $password, $password1, $status; |
|
157
|
|
|
global $platformLanguage; |
|
158
|
|
|
global $loginFailed, $uidReset, $_user; |
|
159
|
|
|
|
|
160
|
|
|
/*---------------------------------------------------------- |
|
161
|
|
|
1. set the necessary variables |
|
162
|
|
|
------------------------------------------------------------ */ |
|
163
|
|
|
$uname = $login; |
|
164
|
|
|
$email = $info_array["email"]; |
|
165
|
|
|
$nom = $info_array["name"]; |
|
166
|
|
|
$prenom = $info_array["firstname"]; |
|
167
|
|
|
$password = $ldap_pass_placeholder; |
|
168
|
|
|
$password1 = $ldap_pass_placeholder; |
|
169
|
|
|
$official_code = ''; |
|
170
|
|
|
|
|
171
|
|
|
define("STUDENT", 5); |
|
172
|
|
|
define("COURSEMANAGER", 1); |
|
173
|
|
|
|
|
174
|
|
|
$tutor_field = api_get_setting('ldap_filled_tutor_field'); |
|
175
|
|
|
$tutor_value = api_get_setting('ldap_filled_tutor_field_value'); |
|
176
|
|
|
if (empty($tutor_field)) { |
|
177
|
|
|
$status = STUDENT; |
|
178
|
|
|
} else { |
|
179
|
|
|
if (empty($tutor_value)) { |
|
180
|
|
|
//in this case, we are assuming that the admin didn't give a criteria |
|
181
|
|
|
// so that if the field is not empty, it is a tutor |
|
182
|
|
|
if (!empty($info_array[$tutor_field])) { |
|
183
|
|
|
$status = COURSEMANAGER; |
|
184
|
|
|
} else { |
|
185
|
|
|
$status = STUDENT; |
|
186
|
|
|
} |
|
187
|
|
|
} else { |
|
188
|
|
|
//the tutor_value is filled, so we need to check the contents of the LDAP field |
|
189
|
|
|
if (is_array($info_array[$tutor_field]) && in_array($tutor_value, $info_array[$tutor_field])) { |
|
190
|
|
|
$status = COURSEMANAGER; |
|
191
|
|
|
} else { |
|
192
|
|
|
$status = STUDENT; |
|
193
|
|
|
} |
|
194
|
|
|
} |
|
195
|
|
|
} |
|
196
|
|
|
//$official_code = xxx; //example: choose an attribute |
|
197
|
|
|
|
|
198
|
|
|
/*---------------------------------------------------------- |
|
199
|
|
|
2. add info to Chamilo |
|
200
|
|
|
------------------------------------------------------------ */ |
|
201
|
|
|
|
|
202
|
|
|
$language = api_get_setting('platformLanguage'); |
|
203
|
|
|
if (empty($language)) { |
|
204
|
|
|
$language = 'english'; |
|
205
|
|
|
} |
|
206
|
|
|
$_userId = UserManager::create_user( |
|
207
|
|
|
$prenom, |
|
208
|
|
|
$nom, |
|
209
|
|
|
$status, |
|
210
|
|
|
$email, |
|
211
|
|
|
$uname, |
|
212
|
|
|
$password, |
|
213
|
|
|
$official_code, |
|
214
|
|
|
$language, |
|
215
|
|
|
'', |
|
216
|
|
|
'', |
|
217
|
|
|
'ldap' |
|
218
|
|
|
); |
|
219
|
|
|
|
|
220
|
|
|
//echo "new user added to Chamilo, id = $_userId"; |
|
221
|
|
|
|
|
222
|
|
|
//user_id, username, password, auth_source |
|
223
|
|
|
|
|
224
|
|
|
/*---------------------------------------------------------- |
|
225
|
|
|
3. register session |
|
226
|
|
|
------------------------------------------------------------ */ |
|
227
|
|
|
|
|
228
|
|
|
$uData['user_id'] = $_userId; |
|
|
|
|
|
|
229
|
|
|
$uData['username'] = $uname; |
|
230
|
|
|
$uData['auth_source'] = "ldap"; |
|
231
|
|
|
|
|
232
|
|
|
$loginFailed = false; |
|
233
|
|
|
$uidReset = true; |
|
234
|
|
|
$_user['user_id'] = $uData['user_id']; |
|
235
|
|
|
Session::write('_uid', $_user['user_id']); |
|
236
|
|
|
} |
|
237
|
|
|
|
|
238
|
|
|
/** |
|
239
|
|
|
* The code of UGent uses these functions to authenticate. |
|
240
|
|
|
* function AuthVerifEnseignant ($uname, $passwd) |
|
241
|
|
|
* function AuthVerifEtudiant ($uname, $passwd) |
|
242
|
|
|
* function Authentif ($uname, $passwd). |
|
243
|
|
|
* |
|
244
|
|
|
* @todo translate the comments and code to english |
|
245
|
|
|
* @todo let these functions use the variables in config.inc instead of ldap_var.inc |
|
246
|
|
|
*/ |
|
247
|
|
|
/** |
|
248
|
|
|
* Checks the existence of a member in LDAP. |
|
249
|
|
|
* |
|
250
|
|
|
* @param string username input on keyboard |
|
251
|
|
|
* @param string password given by user |
|
252
|
|
|
* |
|
253
|
|
|
* @return int 0 if authentication succeeded, 1 if password was incorrect, -1 if it didn't belong to LDAP |
|
254
|
|
|
*/ |
|
255
|
|
|
function ldap_authentication_check($uname, $passwd) |
|
256
|
|
|
{ |
|
257
|
|
|
//error_log('Entering ldap_authentication_check('.$uname.','.$passwd.')',0); |
|
258
|
|
|
global $ldap_host, $ldap_port, $ldap_basedn, $ldap_host2, $ldap_port2, $ldap_rdn, $ldap_pass; |
|
259
|
|
|
//error_log('Entering ldap_authentication_check('.$uname.','.$passwd.')',0); |
|
260
|
|
|
// Establish anonymous connection with LDAP server |
|
261
|
|
|
// Etablissement de la connexion anonyme avec le serveur LDAP |
|
262
|
|
|
$ds = ldap_connect($ldap_host, $ldap_port); |
|
263
|
|
|
ldap_set_version($ds); |
|
264
|
|
|
|
|
265
|
|
|
$test_bind = false; |
|
266
|
|
|
$test_bind_res = ldap_handle_bind($ds, $test_bind); |
|
267
|
|
|
//if problem, use the replica |
|
268
|
|
|
if ($test_bind_res === false) { |
|
269
|
|
|
$ds = ldap_connect($ldap_host2, $ldap_port2); |
|
270
|
|
|
ldap_set_version($ds); |
|
271
|
|
|
} // else: error_log('Connected to server '.$ldap_host); |
|
272
|
|
|
if ($ds !== false) { |
|
273
|
|
|
//Creation of filter containing values input by the user |
|
274
|
|
|
// Here it might be necessary to use $filter="(samaccountName=$uname)"; - see http://support.chamilo.org/issues/4675 |
|
275
|
|
|
$filter = "(uid=$uname)"; |
|
276
|
|
|
// Open anonymous LDAP connection |
|
277
|
|
|
$result = false; |
|
278
|
|
|
$ldap_bind_res = ldap_handle_bind($ds, $result); |
|
279
|
|
|
// Executing the search with the $filter parametr |
|
280
|
|
|
//error_log('Searching for '.$filter.' on LDAP server',0); |
|
281
|
|
|
$sr = ldap_search($ds, $ldap_basedn, $filter); |
|
282
|
|
|
$info = ldap_get_entries($ds, $sr); |
|
283
|
|
|
$dn = ($info[0]["dn"]); |
|
284
|
|
|
// debug !! echo"<br> dn = $dn<br> pass = $passwd<br>"; |
|
285
|
|
|
// closing 1st connection |
|
286
|
|
|
ldap_close($ds); |
|
287
|
|
|
} |
|
288
|
|
|
|
|
289
|
|
|
// test the Distinguish Name from the 1st connection |
|
290
|
|
|
if ($dn == "") { |
|
|
|
|
|
|
291
|
|
|
return -1; // doesn't belong to the addressbook |
|
292
|
|
|
} |
|
293
|
|
|
//bug ldap.. if password empty, return 1! |
|
294
|
|
|
if ($passwd == "") { |
|
295
|
|
|
return 1; |
|
296
|
|
|
} |
|
297
|
|
|
// Opening 2nd LDAP connection : Connection user for password check |
|
298
|
|
|
$ds = ldap_connect($ldap_host, $ldap_port); |
|
299
|
|
|
ldap_set_version($ds); |
|
300
|
|
|
if (!$test_bind) { |
|
301
|
|
|
$ds = ldap_connect($ldap_host2, $ldap_port2); |
|
302
|
|
|
ldap_set_version($ds); |
|
303
|
|
|
} |
|
304
|
|
|
// return in case of wrong password connection error |
|
305
|
|
|
if (@ldap_bind($ds, $dn, $passwd) === false) { |
|
306
|
|
|
return 1; // invalid password |
|
307
|
|
|
} else {// connection successfull |
|
308
|
|
|
return 0; |
|
309
|
|
|
} |
|
310
|
|
|
} // end of check |
|
311
|
|
|
/** |
|
312
|
|
|
* Set the protocol version with version from config file (enables LDAP version 3). |
|
313
|
|
|
* |
|
314
|
|
|
* @param resource resource LDAP connexion resource, passed by reference |
|
315
|
|
|
*/ |
|
316
|
|
|
function ldap_set_version(&$resource) |
|
317
|
|
|
{ |
|
318
|
|
|
//error_log('Entering ldap_set_version(&$resource)',0); |
|
319
|
|
|
global $ldap_version; |
|
320
|
|
|
if ($ldap_version > 2) { |
|
321
|
|
|
ldap_set_option($resource, LDAP_OPT_PROTOCOL_VERSION, 3); |
|
322
|
|
|
//ok - don't do anything |
|
323
|
|
|
//failure - should switch back to version 2 by default |
|
324
|
|
|
} |
|
325
|
|
|
} |
|
326
|
|
|
/** |
|
327
|
|
|
* Handle bind (whether authenticated or not). |
|
328
|
|
|
* |
|
329
|
|
|
* @param resource The LDAP handler to which we are connecting (by reference) |
|
330
|
|
|
* @param resource The LDAP bind handler we will be modifying |
|
331
|
|
|
* @param bool $ldap_bind |
|
332
|
|
|
* |
|
333
|
|
|
* @return bool Status of the bind assignment. True for success, false for failure. |
|
334
|
|
|
*/ |
|
335
|
|
|
function ldap_handle_bind(&$ldap_handler, &$ldap_bind) |
|
336
|
|
|
{ |
|
337
|
|
|
//error_log('Entering ldap_handle_bind(&$ldap_handler,&$ldap_bind)',0); |
|
338
|
|
|
global $ldap_rdn, $ldap_pass, $extldap_config; |
|
339
|
|
|
$ldap_rdn = $extldap_config['admin_dn']; |
|
340
|
|
|
$ldap_pass = $extldap_config['admin_password']; |
|
341
|
|
|
if (api_get_configuration_value('ldap_encrypt_admin_password')) { |
|
342
|
|
|
$ldap_pass = api_decrypt_ldap_password($extldap_config['admin_password']); |
|
343
|
|
|
} |
|
344
|
|
|
if (!empty($ldap_rdn) and !empty($ldap_pass)) { |
|
345
|
|
|
//error_log('Trying authenticated login :'.$ldap_rdn.'/'.$ldap_pass,0); |
|
346
|
|
|
$ldap_bind = ldap_bind($ldap_handler, $ldap_rdn, $ldap_pass); |
|
347
|
|
|
if (!$ldap_bind) { |
|
348
|
|
|
//error_log('Authenticated login failed',0); |
|
349
|
|
|
//try in anonymous mode, you never know... |
|
350
|
|
|
$ldap_bind = ldap_bind($ldap_handler); |
|
351
|
|
|
} |
|
352
|
|
|
} else { |
|
353
|
|
|
// this is an "anonymous" bind, typically read-only access: |
|
354
|
|
|
$ldap_bind = ldap_bind($ldap_handler); |
|
355
|
|
|
} |
|
356
|
|
|
if (!$ldap_bind) { |
|
357
|
|
|
return false; |
|
358
|
|
|
} else { |
|
359
|
|
|
//error_log('Login finally OK',0); |
|
360
|
|
|
return true; |
|
361
|
|
|
} |
|
362
|
|
|
} |
|
363
|
|
|
/** |
|
364
|
|
|
* Get the total number of users on the platform. |
|
365
|
|
|
* |
|
366
|
|
|
* @see SortableTable#get_total_number_of_items() |
|
367
|
|
|
* |
|
368
|
|
|
* @author Mustapha Alouani |
|
369
|
|
|
*/ |
|
370
|
|
|
function ldap_get_users() |
|
371
|
|
|
{ |
|
372
|
|
|
global $ldap_basedn, $ldap_host, $ldap_port, $ldap_rdn, $ldap_pass, $ldap_search_dn, $extldap_user_correspondance; |
|
373
|
|
|
|
|
374
|
|
|
$keyword_firstname = isset($_GET['keyword_firstname']) ? trim(Database::escape_string($_GET['keyword_firstname'])) : ''; |
|
375
|
|
|
$keyword_lastname = isset($_GET['keyword_lastname']) ? trim(Database::escape_string($_GET['keyword_lastname'])) : ''; |
|
376
|
|
|
$keyword_username = isset($_GET['keyword_username']) ? trim(Database::escape_string($_GET['keyword_username'])) : ''; |
|
377
|
|
|
$keyword_type = isset($_GET['keyword_type']) ? Database::escape_string($_GET['keyword_type']) : ''; |
|
378
|
|
|
|
|
379
|
|
|
$ldap_query = []; |
|
380
|
|
|
|
|
381
|
|
|
if ($keyword_username != "") { |
|
382
|
|
|
$ldap_query[] = str_replace('%username%', $keyword_username, $ldap_search_dn); |
|
383
|
|
|
} else { |
|
384
|
|
|
if ($keyword_lastname != "") { |
|
385
|
|
|
$ldap_query[] = "(".$extldap_user_correspondance['lastname']."=".$keyword_lastname."*)"; |
|
386
|
|
|
} |
|
387
|
|
|
if ($keyword_firstname != "") { |
|
388
|
|
|
$ldap_query[] = "(".$extldap_user_correspondance['firstname']."=".$keyword_firstname."*)"; |
|
389
|
|
|
} |
|
390
|
|
|
} |
|
391
|
|
|
if ($keyword_type != "" && $keyword_type != "all") { |
|
392
|
|
|
$ldap_query[] = "(employeeType=".$keyword_type.")"; |
|
393
|
|
|
} |
|
394
|
|
|
|
|
395
|
|
|
if (count($ldap_query) > 1) { |
|
396
|
|
|
$str_query = "(& "; |
|
397
|
|
|
foreach ($ldap_query as $query) { |
|
398
|
|
|
$str_query .= " $query"; |
|
399
|
|
|
} |
|
400
|
|
|
$str_query .= " )"; |
|
401
|
|
|
} else { |
|
402
|
|
|
$str_query = count($ldap_query) > 0 ? $ldap_query[0] : null; |
|
403
|
|
|
} |
|
404
|
|
|
|
|
405
|
|
|
$ds = ldap_connect($ldap_host, $ldap_port); |
|
406
|
|
|
ldap_set_version($ds); |
|
407
|
|
|
if ($ds && count($ldap_query) > 0) { |
|
408
|
|
|
$r = false; |
|
409
|
|
|
$res = ldap_handle_bind($ds, $r); |
|
410
|
|
|
//$sr = ldap_search($ds, "ou=test-ou,$ldap_basedn", $str_query); |
|
411
|
|
|
$sr = ldap_search($ds, $ldap_basedn, $str_query); |
|
412
|
|
|
//echo "Le nombre de resultats est : ".ldap_count_entries($ds,$sr)."<p>"; |
|
413
|
|
|
$info = ldap_get_entries($ds, $sr); |
|
414
|
|
|
|
|
415
|
|
|
return $info; |
|
416
|
|
|
} else { |
|
417
|
|
|
if (count($ldap_query) != 0) { |
|
418
|
|
|
echo Display::return_message(get_lang('LDAPConnectionError'), 'error'); |
|
419
|
|
|
} |
|
420
|
|
|
|
|
421
|
|
|
return []; |
|
422
|
|
|
} |
|
423
|
|
|
} |
|
424
|
|
|
|
|
425
|
|
|
/** |
|
426
|
|
|
* Get the total number of users on the platform. |
|
427
|
|
|
* |
|
428
|
|
|
* @see SortableTable#get_total_number_of_items() |
|
429
|
|
|
* |
|
430
|
|
|
* @author Mustapha Alouani |
|
431
|
|
|
*/ |
|
432
|
|
|
function ldap_get_number_of_users() |
|
433
|
|
|
{ |
|
434
|
|
|
$info = ldap_get_users(); |
|
435
|
|
|
if (count($info) > 0) { |
|
436
|
|
|
return $info['count']; |
|
437
|
|
|
} else { |
|
438
|
|
|
return 0; |
|
439
|
|
|
} |
|
440
|
|
|
} |
|
441
|
|
|
|
|
442
|
|
|
/** |
|
443
|
|
|
* Get the users to display on the current page. |
|
444
|
|
|
* |
|
445
|
|
|
* @see SortableTable#get_table_data($from) |
|
446
|
|
|
* |
|
447
|
|
|
* @author Mustapha Alouani |
|
448
|
|
|
*/ |
|
449
|
|
|
function ldap_get_user_data($from, $number_of_items, $column, $direction) |
|
450
|
|
|
{ |
|
451
|
|
|
global $extldap_user_correspondance; |
|
452
|
|
|
|
|
453
|
|
|
$users = []; |
|
454
|
|
|
$is_western_name_order = api_is_western_name_order(); |
|
455
|
|
|
if (isset($_GET['submit'])) { |
|
456
|
|
|
$info = ldap_get_users(); |
|
457
|
|
|
if ($info['count'] > 0) { |
|
458
|
|
|
for ($key = 0; $key < $info["count"]; $key++) { |
|
459
|
|
|
$user = []; |
|
460
|
|
|
// Get uid from dn |
|
461
|
|
|
//YW: this might be a variation between LDAP 2 and LDAP 3, but in LDAP 3, the uid is in |
|
462
|
|
|
//the corresponding index of the array |
|
463
|
|
|
//$dn_array=ldap_explode_dn($info[$key]["dn"],1); |
|
464
|
|
|
//$user[] = $dn_array[0]; // uid is first key |
|
465
|
|
|
//$user[] = $dn_array[0]; // uid is first key |
|
466
|
|
|
$user[] = $info[$key][$extldap_user_correspondance['username']][0]; |
|
467
|
|
|
$user[] = $info[$key][$extldap_user_correspondance['username']][0]; |
|
468
|
|
|
if ($is_western_name_order) { |
|
469
|
|
|
$user[] = api_convert_encoding($info[$key][$extldap_user_correspondance['firstname']][0], api_get_system_encoding(), 'UTF-8'); |
|
470
|
|
|
$user[] = api_convert_encoding($info[$key][$extldap_user_correspondance['lastname']][0], api_get_system_encoding(), 'UTF-8'); |
|
471
|
|
|
} else { |
|
472
|
|
|
$user[] = api_convert_encoding($info[$key][$extldap_user_correspondance['firstname']][0], api_get_system_encoding(), 'UTF-8'); |
|
473
|
|
|
$user[] = api_convert_encoding($info[$key][$extldap_user_correspondance['lastname']][0], api_get_system_encoding(), 'UTF-8'); |
|
474
|
|
|
} |
|
475
|
|
|
$user[] = $info[$key]['mail'][0]; |
|
476
|
|
|
$user[] = $info[$key][$extldap_user_correspondance['username']][0]; |
|
477
|
|
|
$users[] = $user; |
|
478
|
|
|
} |
|
479
|
|
|
} else { |
|
480
|
|
|
echo Display::return_message(get_lang('NoUser'), 'error'); |
|
481
|
|
|
} |
|
482
|
|
|
} |
|
483
|
|
|
|
|
484
|
|
|
return $users; |
|
485
|
|
|
} |
|
486
|
|
|
|
|
487
|
|
|
/** |
|
488
|
|
|
* Build the modify-column of the table. |
|
489
|
|
|
* |
|
490
|
|
|
* @param int $user_id The user id |
|
491
|
|
|
* @param string $url_params |
|
492
|
|
|
* |
|
493
|
|
|
* @return string Some HTML-code with modify-buttons |
|
494
|
|
|
* |
|
495
|
|
|
* @author Mustapha Alouani |
|
496
|
|
|
*/ |
|
497
|
|
|
function modify_filter($user_id, $url_params, $row) |
|
498
|
|
|
{ |
|
499
|
|
|
$query_string = "id[]=".$row[0]; |
|
500
|
|
|
if (!empty($_GET['id_session'])) { |
|
501
|
|
|
$query_string .= '&id_session='.Security::remove_XSS($_GET['id_session']); |
|
502
|
|
|
} |
|
503
|
|
|
$icon = ''; |
|
504
|
|
|
if (UserManager::is_username_available($user_id)) { |
|
505
|
|
|
$icon = 'invitation_friend.png'; |
|
506
|
|
|
} else { |
|
507
|
|
|
$icon = 'reload.png'; |
|
508
|
|
|
} |
|
509
|
|
|
//$url_params_id="id=".$row[0]; |
|
510
|
|
|
$result = '<a href="ldap_users_list.php?action=add_user&user_id='.$user_id.'&'.$query_string.'&sec_token='.Security::getTokenFromSession().'" onclick="javascript:if(!confirm('."'".addslashes(api_htmlentities(get_lang("ConfirmYourChoice"), ENT_QUOTES, api_get_system_encoding()))."'".')) return false;">'.Display::return_icon($icon, get_lang('AddUsers')).'</a>'; |
|
511
|
|
|
|
|
512
|
|
|
return $result; |
|
513
|
|
|
} |
|
514
|
|
|
|
|
515
|
|
|
/** |
|
516
|
|
|
* Adds a user to the Chamilo database or updates its data. |
|
517
|
|
|
* |
|
518
|
|
|
* @param string username (and uid inside LDAP) |
|
519
|
|
|
* |
|
520
|
|
|
* @author Mustapha Alouani |
|
521
|
|
|
*/ |
|
522
|
|
|
function ldap_add_user($login) |
|
523
|
|
|
{ |
|
524
|
|
|
if ($ldap_user = extldap_authenticate($login, 'nopass', true)) { |
|
525
|
|
|
return extldap_add_user_by_array($ldap_user); |
|
526
|
|
|
} |
|
527
|
|
|
} |
|
528
|
|
|
|
|
529
|
|
|
function ldap_add_user_by_array($data, $update_if_exists = true) |
|
530
|
|
|
{ |
|
531
|
|
|
$lastname = api_convert_encoding($data['sn'][0], api_get_system_encoding(), 'UTF-8'); |
|
532
|
|
|
$firstname = api_convert_encoding($data['cn'][0], api_get_system_encoding(), 'UTF-8'); |
|
533
|
|
|
$email = $data['mail'][0]; |
|
534
|
|
|
// Get uid from dn |
|
535
|
|
|
$dn_array = ldap_explode_dn($data['dn'], 1); |
|
536
|
|
|
$username = $dn_array[0]; // uid is first key |
|
537
|
|
|
$outab[] = $data['edupersonprimaryaffiliation'][0]; // Here, "student" |
|
|
|
|
|
|
538
|
|
|
//$val = ldap_get_values_len($ds, $entry, "userPassword"); |
|
539
|
|
|
//$val = ldap_get_values_len($ds, $data, "userPassword"); |
|
540
|
|
|
//$password = $val[0]; |
|
541
|
|
|
// TODO the password, if encrypted at the source, will be encrypted twice, which makes it useless. Try to fix that. |
|
542
|
|
|
$password = $data['userPassword'][0]; |
|
543
|
|
|
$structure = $data['edupersonprimaryorgunitdn'][0]; |
|
544
|
|
|
$array_structure = explode(",", $structure); |
|
545
|
|
|
$array_val = explode("=", $array_structure[0]); |
|
546
|
|
|
$etape = $array_val[1]; |
|
547
|
|
|
$array_val = explode("=", $array_structure[1]); |
|
548
|
|
|
$annee = $array_val[1]; |
|
549
|
|
|
// To ease management, we add the step-year (etape-annee) code |
|
550
|
|
|
$official_code = $etape."-".$annee; |
|
551
|
|
|
$auth_source = 'ldap'; |
|
552
|
|
|
// No expiration date for students (recover from LDAP's shadow expiry) |
|
553
|
|
|
$expiration_date = ''; |
|
554
|
|
|
$active = 1; |
|
555
|
|
|
if (empty($status)) { |
|
|
|
|
|
|
556
|
|
|
$status = 5; |
|
557
|
|
|
} |
|
558
|
|
|
if (empty($phone)) { |
|
|
|
|
|
|
559
|
|
|
$phone = ''; |
|
560
|
|
|
} |
|
561
|
|
|
if (empty($picture_uri)) { |
|
|
|
|
|
|
562
|
|
|
$picture_uri = ''; |
|
563
|
|
|
} |
|
564
|
|
|
// Adding user |
|
565
|
|
|
$user_id = 0; |
|
566
|
|
|
if (UserManager::is_username_available($username)) { |
|
567
|
|
|
$user_id = UserManager::create_user( |
|
568
|
|
|
$firstname, |
|
569
|
|
|
$lastname, |
|
570
|
|
|
$status, |
|
571
|
|
|
$email, |
|
572
|
|
|
$username, |
|
573
|
|
|
$password, |
|
574
|
|
|
$official_code, |
|
575
|
|
|
api_get_setting('platformLanguage'), |
|
576
|
|
|
$phone, |
|
577
|
|
|
$picture_uri, |
|
578
|
|
|
$auth_source, |
|
579
|
|
|
$expiration_date, |
|
580
|
|
|
$active |
|
581
|
|
|
); |
|
582
|
|
|
} else { |
|
583
|
|
|
if ($update_if_exists) { |
|
584
|
|
|
$user = api_get_user_info($username); |
|
585
|
|
|
$user_id = $user['user_id']; |
|
586
|
|
|
UserManager::update_user( |
|
587
|
|
|
$user_id, |
|
588
|
|
|
$firstname, |
|
589
|
|
|
$lastname, |
|
590
|
|
|
$username, |
|
591
|
|
|
null, |
|
592
|
|
|
null, |
|
593
|
|
|
$email, |
|
594
|
|
|
$status, |
|
595
|
|
|
$official_code, |
|
596
|
|
|
$phone, |
|
597
|
|
|
$picture_uri, |
|
598
|
|
|
$expiration_date, |
|
599
|
|
|
$active |
|
600
|
|
|
); |
|
601
|
|
|
} |
|
602
|
|
|
} |
|
603
|
|
|
|
|
604
|
|
|
return $user_id; |
|
605
|
|
|
} |
|
606
|
|
|
|
|
607
|
|
|
/** |
|
608
|
|
|
* Adds a list of users to one session. |
|
609
|
|
|
* |
|
610
|
|
|
* @param array Array of user ids |
|
611
|
|
|
* @param string Course code |
|
612
|
|
|
*/ |
|
613
|
|
|
function ldap_add_user_to_session($UserList, $id_session) |
|
614
|
|
|
{ |
|
615
|
|
|
// Database Table Definitions |
|
616
|
|
|
$tbl_session_rel_course = Database::get_main_table(TABLE_MAIN_SESSION_COURSE); |
|
617
|
|
|
|
|
618
|
|
|
$id_session = (int) $id_session; |
|
619
|
|
|
// Once users are imported in the users base, we can assign them to the session |
|
620
|
|
|
$result = Database::query("SELECT c_id FROM $tbl_session_rel_course WHERE session_id ='$id_session'"); |
|
621
|
|
|
$CourseList = []; |
|
622
|
|
|
while ($row = Database::fetch_array($result)) { |
|
623
|
|
|
$CourseList[] = $row['c_id']; |
|
624
|
|
|
} |
|
625
|
|
|
|
|
626
|
|
|
SessionManager::insertUsersInCourses($UserList, $CourseList, $id_session); |
|
627
|
|
|
} |
|
628
|
|
|
|
|
629
|
|
|
/** |
|
630
|
|
|
* Synchronize users from the configured LDAP connection (in auth.conf.php). If |
|
631
|
|
|
* configured to disable old users,. |
|
632
|
|
|
* |
|
633
|
|
|
* @param bool $disableOldUsers Whether to disable users who have disappeared from LDAP (true) or just leave them be (default: false) |
|
634
|
|
|
* @param bool $deleteStudents Go one step further and delete completely students missing from LDAP |
|
635
|
|
|
* @param bool $deleteTeachers Go even one step further and also delete completely teachers missing from LDAP |
|
636
|
|
|
* |
|
637
|
|
|
* @return int Total number of users added (not counting possible removals) |
|
638
|
|
|
*/ |
|
639
|
|
|
function syncro_users( |
|
640
|
|
|
$disableOldUsers = false, |
|
641
|
|
|
$deleteStudents = false, |
|
642
|
|
|
$deleteTeachers = false |
|
643
|
|
|
) { |
|
644
|
|
|
global $ldap_basedn, $ldap_host, $ldap_port, $ldap_rdn, $ldap_pass, $ldap_search_dn, $debug; |
|
645
|
|
|
$i = 0; |
|
646
|
|
|
if ($debug) { |
|
647
|
|
|
error_log('Connecting... ('.__FUNCTION__.')'); |
|
648
|
|
|
} |
|
649
|
|
|
$ldapConnect = ldap_connect($ldap_host, $ldap_port); |
|
650
|
|
|
ldap_set_version($ldapConnect); |
|
651
|
|
|
if ($ldapConnect) { |
|
652
|
|
|
if ($debug) { |
|
653
|
|
|
error_log('Connected to LDAP server successfully! Binding... ('.__FUNCTION__.')'); |
|
654
|
|
|
} |
|
655
|
|
|
$ldapBind = false; |
|
656
|
|
|
$ldapBindRes = ldap_handle_bind($ldapConnect, $ldapBind); |
|
657
|
|
|
if ($ldapBindRes) { |
|
658
|
|
|
if ($debug) { |
|
659
|
|
|
error_log('Bind successful! Searching for uid in LDAP DC: '.$ldap_search_dn); |
|
660
|
|
|
} |
|
661
|
|
|
$allUserQuery = "uid=*"; |
|
662
|
|
|
if (!empty($ldap_search_dn)) { |
|
663
|
|
|
$sr = ldap_search($ldapConnect, $ldap_search_dn, $allUserQuery); |
|
664
|
|
|
} else { |
|
665
|
|
|
//OLD: $sr=ldap_search($ldapconnect,"dc=rug, dc=ac, dc=be", "uid=$login"); |
|
666
|
|
|
$sr = ldap_search($ldapConnect, $ldap_basedn, $allUserQuery); |
|
667
|
|
|
} |
|
668
|
|
|
if ($debug) { |
|
669
|
|
|
error_log('Entries returned: '.ldap_count_entries($ldapConnect, $sr)); |
|
670
|
|
|
} |
|
671
|
|
|
$info = ldap_get_entries($ldapConnect, $sr); |
|
672
|
|
|
for ($key = 0; $key < $info['count']; $key++) { |
|
673
|
|
|
$user_id = ldap_add_user_by_array($info[$key], false); |
|
674
|
|
|
if ($user_id) { |
|
|
|
|
|
|
675
|
|
|
if ($debug) { |
|
676
|
|
|
error_log('User #'.$user_id.' created from LDAP'); |
|
677
|
|
|
} |
|
678
|
|
|
$i++; |
|
679
|
|
|
} else { |
|
680
|
|
|
if ($debug) { |
|
681
|
|
|
error_log('User '.$info[$key]['sn'][0].' ('.$info[$key]['mail'][0].') could not be created'); |
|
682
|
|
|
} |
|
683
|
|
|
} |
|
684
|
|
|
} |
|
685
|
|
|
if ($disableOldUsers === true) { |
|
686
|
|
|
if ($debug) { |
|
687
|
|
|
error_log('Disable mode selected in '.__FUNCTION__); |
|
688
|
|
|
if ($deleteStudents) { |
|
689
|
|
|
error_log('...with complete deletion of users if disabled'); |
|
690
|
|
|
} |
|
691
|
|
|
} |
|
692
|
|
|
// Get a big array of all user IDs, usernames only if they are |
|
693
|
|
|
// registered as auth_source = 'ldap' |
|
694
|
|
|
// This array will take about 60 bytes per user in memory, so |
|
695
|
|
|
// having 100K users should only take a few (6?) MB and will |
|
696
|
|
|
// highly reduce the number of DB queries |
|
697
|
|
|
$usersDBShortList = []; |
|
698
|
|
|
$usersLDAPShortList = []; |
|
699
|
|
|
$sql = "SELECT id, username, status FROM user WHERE auth_source = 'ldap' ORDER BY username"; |
|
700
|
|
|
$res = Database::query($sql); |
|
701
|
|
|
if ($res !== false) { |
|
702
|
|
|
// First build a list of users present in LDAP |
|
703
|
|
|
for ($key = 0; $key < $info['count']; $key++) { |
|
704
|
|
|
$dn_array = ldap_explode_dn($info[$key]['dn'], 1); |
|
705
|
|
|
$usersLDAPShortList[$dn_array[0]] = 1; |
|
706
|
|
|
} |
|
707
|
|
|
// Go through all 'extldap' users. For any that cannot |
|
708
|
|
|
// be found in the LDAP list, disable |
|
709
|
|
|
while ($row = Database::fetch_assoc($res)) { |
|
710
|
|
|
$usersDBShortList[$row['username']] = $row['id']; |
|
711
|
|
|
// If any of those users is NOT in LDAP, disable or remove |
|
712
|
|
|
if (empty($usersLDAPShortList[$row['username']])) { |
|
713
|
|
|
if ($deleteStudents === true && $row['status'] == 5) { |
|
714
|
|
|
UserManager::delete_user($usersDBShortList[$row['username']]); |
|
715
|
|
|
if ($debug) { |
|
716
|
|
|
error_log('Student '.$row['username'].' removed from Chamilo'); |
|
717
|
|
|
} |
|
718
|
|
|
} elseif ($deleteTeachers === true && $row['status'] == 1) { |
|
719
|
|
|
UserManager::delete_user($usersDBShortList[$row['username']]); |
|
720
|
|
|
if ($debug) { |
|
721
|
|
|
error_log('Teacher '.$row['username'].' removed from Chamilo'); |
|
722
|
|
|
} |
|
723
|
|
|
} else { |
|
724
|
|
|
UserManager::disable($usersDBShortList[$row['username']]); |
|
725
|
|
|
if ($debug) { |
|
726
|
|
|
error_log('User '.$row['username'].' disabled in Chamilo'); |
|
727
|
|
|
} |
|
728
|
|
|
} |
|
729
|
|
|
} |
|
730
|
|
|
} |
|
731
|
|
|
} |
|
732
|
|
|
} |
|
733
|
|
|
if ($debug) { |
|
734
|
|
|
error_log('Data for '.$info['count'].' items processed'); |
|
735
|
|
|
} |
|
736
|
|
|
//echo "Data for ".$info["count"]." items returned:<p>"; |
|
737
|
|
|
} else { |
|
738
|
|
|
error_log('Could not bind to LDAP server'); |
|
739
|
|
|
} |
|
740
|
|
|
ldap_close($ldapConnect); |
|
741
|
|
|
} else { |
|
742
|
|
|
error_log('Could not connect to LDAP server'); |
|
743
|
|
|
} |
|
744
|
|
|
error_log('Ended execution of function '.__FUNCTION__); |
|
745
|
|
|
} |
|
746
|
|
|
|
chamilo /
chamilo-lms
Yannick Warnier
Julio Montoya
Scrutinizer Auto-Fixer
Loading history...