Home Explore Help
Sign In
ShariX_Open
/
sharix-open-wiki
5
0
Fork 0
Files Issues 0 Pull Requests 0 Wiki
Tree: 2abb002708
Branches Tags
sharix-open-wik...
/
lib
/
plugins
/
authad
/
auth.php

auth.php 27 KB
History Raw

123456789101112131415161718192021222324252627282930313233343536373839404142434445464748495051525354555657585960616263646566676869707172737475767778798081828384858687888990919293949596979899100101102103104105106107108109110111112113114115116117118119120121122123124125126127128129130131132133134135136137138139140141142143144145146147148149150151152153154155156157158159160161162163164165166167168169170171172173174175176177178179180181182183184185186187188189190191192193194195196197198199200201202203204205206207208209210211212213214215216217218219220221222223224225226227228229230231232233234235236237238239240241242243244245246247248249250251252253254255256257258259260261262263264265266267268269270271272273274275276277278279280281282283284285286287288289290291292293294295296297298299300301302303304305306307308309310311312313314315316317318319320321322323324325326327328329330331332333334335336337338339340341342343344345346347348349350351352353354355356357358359360361362363364365366367368369370371372373374375376377378379380381382383384385386387388389390391392393394395396397398399400401402403404405406407408409410411412413414415416417418419420421422423424425426427428429430431432433434435436437438439440441442443444445446447448449450451452453454455456457458459460461462463464465466467468469470471472473474475476477478479480481482483484485486487488489490491492493494495496497498499500501502503504505506507508509510511512513514515516517518519520521522523524525526527528529530531532533534535536537538539540541542543544545546547548549550551552553554555556557558559560561562563564565566567568569570571572573574575576577578579580581582583584585586587588589590591592593594595596597598599600601602603604605606607608609610611612613614615616617618619620621622623624625626627628629630631632633634635636637638639640641642643644645646647648649650651652653654655656657658659660661662663664665666667668669670671672673674675676677678679680681682683684685686687688689690691692693694695696697698699700701702703704705706707708709710711712713714715716717718719720721722723724725726727728729730731732733734735736737738739740741742743744745746747748749750751752753754755756757758759760761762763764765766767768769770771772773774775776777778779780781782783784785786787788789790791792 
  1. <?php
    2. 

  2. use dokuwiki\Utf8\Sort;
    3. 

  3. use dokuwiki\Logger;
    4. 

  4. 

  5. /**
    6. 

  6.  * Active Directory authentication backend for DokuWiki
    7. 

  7.  *
    8. 

  8.  * This makes authentication with a Active Directory server much easier
    9. 

  9.  * than when using the normal LDAP backend by utilizing the adLDAP library
    10. 

  10.  *
    11. 

  11.  * Usage:
    12. 

  12.  *   Set DokuWiki's local.protected.php auth setting to read
    13. 

  13.  *
    14. 

  14.  *   $conf['authtype']       = 'authad';
    15. 

  15.  *
    16. 

  16.  *   $conf['plugin']['authad']['account_suffix']     = '@my.domain.org';
    17. 

  17.  *   $conf['plugin']['authad']['base_dn']            = 'DC=my,DC=domain,DC=org';
    18. 

  18.  *   $conf['plugin']['authad']['domain_controllers'] = 'srv1.domain.org,srv2.domain.org';
    19. 

  19.  *
    20. 

  20.  *   //optional:
    21. 

  21.  *   $conf['plugin']['authad']['sso']                = 1;
    22. 

  22.  *   $conf['plugin']['authad']['admin_username']     = 'root';
    23. 

  23.  *   $conf['plugin']['authad']['admin_password']     = 'pass';
    24. 

  24.  *   $conf['plugin']['authad']['real_primarygroup']  = 1;
    25. 

  25.  *   $conf['plugin']['authad']['use_ssl']            = 1;
    26. 

  26.  *   $conf['plugin']['authad']['use_tls']            = 1;
    27. 

  27.  *   $conf['plugin']['authad']['debug']              = 1;
    28. 

  28.  *   // warn user about expiring password this many days in advance:
    29. 

  29.  *   $conf['plugin']['authad']['expirywarn']         = 5;
    30. 

  30.  *
    31. 

  31.  *   // get additional information to the userinfo array
    32. 

  32.  *   // add a list of comma separated ldap contact fields.
    33. 

  33.  *   $conf['plugin']['authad']['additional'] = 'field1,field2';
    34. 

  34.  *
    35. 

  35.  * @license GPL 2 (http://www.gnu.org/licenses/gpl.html)
    36. 

  36.  * @author  James Van Lommel <jamesvl@gmail.com>
    37. 

  37.  * @link    http://www.nosq.com/blog/2005/08/ldap-activedirectory-and-dokuwiki/
    38. 

  38.  * @author  Andreas Gohr <andi@splitbrain.org>
    39. 

  39.  * @author  Jan Schumann <js@schumann-it.com>
    40. 

  40.  */
    41. 

  41. class auth_plugin_authad extends DokuWiki_Auth_Plugin
    42. 

  42. {
    43. 

  43. 

  44.     /**
    45. 

  45.      * @var array hold connection data for a specific AD domain
    46. 

  46.      */
    47. 

  47.     protected $opts = array();
    48. 

  48. 

  49.     /**
    50. 

  50.      * @var array open connections for each AD domain, as adLDAP objects
    51. 

  51.      */
    52. 

  52.     protected $adldap = array();
    53. 

  53. 

  54.     /**
    55. 

  55.      * @var bool message state
    56. 

  56.      */
    57. 

  57.     protected $msgshown = false;
    58. 

  58. 

  59.     /**
    60. 

  60.      * @var array user listing cache
    61. 

  61.      */
    62. 

  62.     protected $users = array();
    63. 

  63. 

  64.     /**
    65. 

  65.      * @var array filter patterns for listing users
    66. 

  66.      */
    67. 

  67.     protected $pattern = array();
    68. 

  68. 

  69.     protected $grpsusers = array();
    70. 

  70. 

  71.     /**
    72. 

  72.      * Constructor
    73. 

  73.      */
    74. 

  74.     public function __construct()
    75. 

  75.     {
    76. 

  76.         global $INPUT;
    77. 

  77.         parent::__construct();
    78. 

  78. 

  79.         require_once(DOKU_PLUGIN.'authad/adLDAP/adLDAP.php');
    80. 

  80.         require_once(DOKU_PLUGIN.'authad/adLDAP/classes/adLDAPUtils.php');
    81. 

  81. 

  82.         // we load the config early to modify it a bit here
    83. 

  83.         $this->loadConfig();
    84. 

  84. 

  85.         // additional information fields
    86. 

  86.         if (isset($this->conf['additional'])) {
    87. 

  87.             $this->conf['additional'] = str_replace(' ', '', $this->conf['additional']);
    88. 

  88.             $this->conf['additional'] = explode(',', $this->conf['additional']);
    89. 

  89.         } else $this->conf['additional'] = array();
    90. 

  90. 

  91.         // ldap extension is needed
    92. 

  92.         if (!function_exists('ldap_connect')) {
    93. 

  93.             if ($this->conf['debug'])
    94. 

  94.                 msg("AD Auth: PHP LDAP extension not found.", -1);
    95. 

  95.             $this->success = false;
    96. 

  96.             return;
    97. 

  97.         }
    98. 

  98. 

  99.         // Prepare SSO
    100. 

  100.         if (!empty($INPUT->server->str('REMOTE_USER'))) {
    101. 

  101.             // make sure the right encoding is used
    102. 

  102.             if ($this->getConf('sso_charset')) {
    103. 

  103.                 $INPUT->server->set('REMOTE_USER',
    104. 

  104.                     iconv($this->getConf('sso_charset'), 'UTF-8', $INPUT->server->str('REMOTE_USER')));
    105. 

  105.             } elseif (!\dokuwiki\Utf8\Clean::isUtf8($INPUT->server->str('REMOTE_USER'))) {
    106. 

  106.                 $INPUT->server->set('REMOTE_USER', utf8_encode($INPUT->server->str('REMOTE_USER')));
    107. 

  107.             }
    108. 

  108. 

  109.             // trust the incoming user
    110. 

  110.             if ($this->conf['sso']) {
    111. 

  111.                 $INPUT->server->set('REMOTE_USER', $this->cleanUser($INPUT->server->str('REMOTE_USER')));
    112. 

  112. 

  113.                 // we need to simulate a login
    114. 

  114.                 if (empty($_COOKIE[DOKU_COOKIE])) {
    115. 

  115.                     $INPUT->set('u', $INPUT->server->str('REMOTE_USER'));
    116. 

  116.                     $INPUT->set('p', 'sso_only');
    117. 

  117.                 }
    118. 

  118.             }
    119. 

  119.         }
    120. 

  120. 

  121.         // other can do's are changed in $this->_loadServerConfig() base on domain setup
    122. 

  122.         $this->cando['modName'] = (bool)$this->conf['update_name'];
    123. 

  123.         $this->cando['modMail'] = (bool)$this->conf['update_mail'];
    124. 

  124.         $this->cando['getUserCount'] = true;
    125. 

  125.     }
    126. 

  126. 

  127.     /**
    128. 

  128.      * Load domain config on capability check
    129. 

  129.      *
    130. 

  130.      * @param string $cap
    131. 

  131.      * @return bool
    132. 

  132.      */
    133. 

  133.     public function canDo($cap)
    134. 

  134.     {
    135. 

  135.         global $INPUT;
    136. 

  136.         //capabilities depend on config, which may change depending on domain
    137. 

  137.         $domain = $this->getUserDomain($INPUT->server->str('REMOTE_USER'));
    138. 

  138.         $this->loadServerConfig($domain);
    139. 

  139.         return parent::canDo($cap);
    140. 

  140.     }
    141. 

  141. 

  142.     /**
    143. 

  143.      * Check user+password [required auth function]
    144. 

  144.      *
    145. 

  145.      * Checks if the given user exists and the given
    146. 

  146.      * plaintext password is correct by trying to bind
    147. 

  147.      * to the LDAP server
    148. 

  148.      *
    149. 

  149.      * @author  James Van Lommel <james@nosq.com>
    150. 

  150.      * @param string $user
    151. 

  151.      * @param string $pass
    152. 

  152.      * @return  bool
    153. 

  153.      */
    154. 

  154.     public function checkPass($user, $pass)
    155. 

  155.     {
    156. 

  156.         global $INPUT;
    157. 

  157.         if ($INPUT->server->str('REMOTE_USER') == $user &&
    158. 

  158.             $this->conf['sso']
    159. 

  159.         ) return true;
    160. 

  160. 

  161.         $adldap = $this->initAdLdap($this->getUserDomain($user));
    162. 

  162.         if (!$adldap) return false;
    163. 

  163. 

  164.         try {
    165. 

  165.             return $adldap->authenticate($this->getUserName($user), $pass);
    166. 

  166.         } catch (adLDAPException $e) {
    167. 

  167.             // shouldn't really happen
    168. 

  168.             return false;
    169. 

  169.         }
    170. 

  170.     }
    171. 

  171. 

  172.     /**
    173. 

  173.      * Return user info [required auth function]
    174. 

  174.      *
    175. 

  175.      * Returns info about the given user needs to contain
    176. 

  176.      * at least these fields:
    177. 

  177.      *
    178. 

  178.      * name    string  full name of the user
    179. 

  179.      * mail    string  email address of the user
    180. 

  180.      * grps    array   list of groups the user is in
    181. 

  181.      *
    182. 

  182.      * This AD specific function returns the following
    183. 

  183.      * addional fields:
    184. 

  184.      *
    185. 

  185.      * dn         string    distinguished name (DN)
    186. 

  186.      * uid        string    samaccountname
    187. 

  187.      * lastpwd    int       timestamp of the date when the password was set
    188. 

  188.      * expires    true      if the password expires
    189. 

  189.      * expiresin  int       seconds until the password expires
    190. 

  190.      * any fields specified in the 'additional' config option
    191. 

  191.      *
    192. 

  192.      * @author  James Van Lommel <james@nosq.com>
    193. 

  193.      * @param string $user
    194. 

  194.      * @param bool $requireGroups (optional) - ignored, groups are always supplied by this plugin
    195. 

  195.      * @return array
    196. 

  196.      */
    197. 

  197.     public function getUserData($user, $requireGroups = true)
    198. 

  198.     {
    199. 

  199.         global $conf;
    200. 

  200.         global $lang;
    201. 

  201.         global $ID;
    202. 

  202.         global $INPUT;
    203. 

  203.         $adldap = $this->initAdLdap($this->getUserDomain($user));
    204. 

  204.         if (!$adldap) return array();
    205. 

  205. 

  206.         if ($user == '') return array();
    207. 

  207. 

  208.         $fields = array('mail', 'displayname', 'samaccountname', 'lastpwd', 'pwdlastset', 'useraccountcontrol');
    209. 

  209. 

  210.         // add additional fields to read
    211. 

  211.         $fields = array_merge($fields, $this->conf['additional']);
    212. 

  212.         $fields = array_unique($fields);
    213. 

  213.         $fields = array_filter($fields);
    214. 

  214. 

  215.         //get info for given user
    216. 

  216.         $result = $adldap->user()->info($this->getUserName($user), $fields);
    217. 

  217.         if ($result == false) {
    218. 

  218.             return array();
    219. 

  219.         }
    220. 

  220. 

  221.         //general user info
    222. 

  222.         $info = array();
    223. 

  223.         $info['name'] = $result[0]['displayname'][0];
    224. 

  224.         $info['mail'] = $result[0]['mail'][0];
    225. 

  225.         $info['uid']  = $result[0]['samaccountname'][0];
    226. 

  226.         $info['dn']   = $result[0]['dn'];
    227. 

  227.         //last password set (Windows counts from January 1st 1601)
    228. 

  228.         $info['lastpwd'] = $result[0]['pwdlastset'][0] / 10000000 - 11644473600;
    229. 

  229.         //will it expire?
    230. 

  230.         $info['expires'] = !($result[0]['useraccountcontrol'][0] & 0x10000); //ADS_UF_DONT_EXPIRE_PASSWD
    231. 

  231. 

  232.         // additional information
    233. 

  233.         foreach ($this->conf['additional'] as $field) {
    234. 

  234.             if (isset($result[0][strtolower($field)])) {
    235. 

  235.                 $info[$field] = $result[0][strtolower($field)][0];
    236. 

  236.             }
    237. 

  237.         }
    238. 

  238. 

  239.         // handle ActiveDirectory memberOf
    240. 

  240.         $info['grps'] = $adldap->user()->groups($this->getUserName($user), (bool) $this->opts['recursive_groups']);
    241. 

  241. 

  242.         if (is_array($info['grps'])) {
    243. 

  243.             foreach ($info['grps'] as $ndx => $group) {
    244. 

  244.                 $info['grps'][$ndx] = $this->cleanGroup($group);
    245. 

  245.             }
    246. 

  246.         }
    247. 

  247. 

  248.         // always add the default group to the list of groups
    249. 

  249.         if (!is_array($info['grps']) || !in_array($conf['defaultgroup'], $info['grps'])) {
    250. 

  250.             $info['grps'][] = $conf['defaultgroup'];
    251. 

  251.         }
    252. 

  252. 

  253.         // add the user's domain to the groups
    254. 

  254.         $domain = $this->getUserDomain($user);
    255. 

  255.         if ($domain && !in_array("domain-$domain", (array) $info['grps'])) {
    256. 

  256.             $info['grps'][] = $this->cleanGroup("domain-$domain");
    257. 

  257.         }
    258. 

  258. 

  259.         // check expiry time
    260. 

  260.         if ($info['expires'] && $this->conf['expirywarn']) {
    261. 

  261.             try {
    262. 

  262.                 $expiry = $adldap->user()->passwordExpiry($user);
    263. 

  263.                 if (is_array($expiry)) {
    264. 

  264.                     $info['expiresat'] = $expiry['expiryts'];
    265. 

  265.                     $info['expiresin'] = round(($info['expiresat'] - time())/(24*60*60));
    266. 

  266. 

  267.                     // if this is the current user, warn him (once per request only)
    268. 

  268.                     if (($INPUT->server->str('REMOTE_USER') == $user) &&
    269. 

  269.                         ($info['expiresin'] <= $this->conf['expirywarn']) &&
    270. 

  270.                         !$this->msgshown
    271. 

  271.                     ) {
    272. 

  272.                         $msg = sprintf($this->getLang('authpwdexpire'), $info['expiresin']);
    273. 

  273.                         if ($this->canDo('modPass')) {
    274. 

  274.                             $url = wl($ID, array('do'=> 'profile'));
    275. 

  275.                             $msg .= ' <a href="'.$url.'">'.$lang['btn_profile'].'</a>';
    276. 

  276.                         }
    277. 

  277.                         msg($msg);
    278. 

  278.                         $this->msgshown = true;
    279. 

  279.                     }
    280. 

  280.                 }
    281. 

  281.             } catch (adLDAPException $e) {
    282. 

  282.                 // ignore. should usually not happen
    283. 

  283.             }
    284. 

  284.         }
    285. 

  285. 

  286.         return $info;
    287. 

  287.     }
    288. 

  288. 

  289.     /**
    290. 

  290.      * Make AD group names usable by DokuWiki.
    291. 

  291.      *
    292. 

  292.      * Removes backslashes ('\'), pound signs ('#'), and converts spaces to underscores.
    293. 

  293.      *
    294. 

  294.      * @author  James Van Lommel (jamesvl@gmail.com)
    295. 

  295.      * @param string $group
    296. 

  296.      * @return string
    297. 

  297.      */
    298. 

  298.     public function cleanGroup($group)
    299. 

  299.     {
    300. 

  300.         $group = str_replace('\\', '', $group);
    301. 

  301.         $group = str_replace('#', '', $group);
    302. 

  302.         $group = preg_replace('[\s]', '_', $group);
    303. 

  303.         $group = \dokuwiki\Utf8\PhpString::strtolower(trim($group));
    304. 

  304.         return $group;
    305. 

  305.     }
    306. 

  306. 

  307.     /**
    308. 

  308.      * Sanitize user names
    309. 

  309.      *
    310. 

  310.      * Normalizes domain parts, does not modify the user name itself (unlike cleanGroup)
    311. 

  311.      *
    312. 

  312.      * @author Andreas Gohr <gohr@cosmocode.de>
    313. 

  313.      * @param string $user
    314. 

  314.      * @return string
    315. 

  315.      */
    316. 

  316.     public function cleanUser($user)
    317. 

  317.     {
    318. 

  318.         $domain = '';
    319. 

  319. 

  320.         // get NTLM or Kerberos domain part
    321. 

  321.         list($dom, $user) = sexplode('\\', $user, 2, '');
    322. 

  322.         if (!$user) $user = $dom;
    323. 

  323.         if ($dom) $domain = $dom;
    324. 

  324.         list($user, $dom) = sexplode('@', $user, 2, '');
    325. 

  325.         if ($dom) $domain = $dom;
    326. 

  326. 

  327.         // clean up both
    328. 

  328.         $domain = \dokuwiki\Utf8\PhpString::strtolower(trim($domain));
    329. 

  329.         $user   = \dokuwiki\Utf8\PhpString::strtolower(trim($user));
    330. 

  330. 

  331.         // is this a known, valid domain or do we work without account suffix? if not discard
    332. 

  332.         if ((!isset($this->conf[$domain]) || !is_array($this->conf[$domain])) &&
    333. 

  333.             $this->conf['account_suffix'] !== '') {
    334. 

  334.             $domain = '';
    335. 

  335.         }
    336. 

  336. 

  337.         // reattach domain
    338. 

  338.         if ($domain) $user = "$user@$domain";
    339. 

  339.         return $user;
    340. 

  340.     }
    341. 

  341. 

  342.     /**
    343. 

  343.      * Most values in LDAP are case-insensitive
    344. 

  344.      *
    345. 

  345.      * @return bool
    346. 

  346.      */
    347. 

  347.     public function isCaseSensitive()
    348. 

  348.     {
    349. 

  349.         return false;
    350. 

  350.     }
    351. 

  351. 

  352.     /**
    353. 

  353.      * Create a Search-String useable by adLDAPUsers::all($includeDescription = false, $search = "*", $sorted = true)
    354. 

  354.      *
    355. 

  355.      * @param array $filter
    356. 

  356.      * @return string
    357. 

  357.      */
    358. 

  358.     protected function constructSearchString($filter)
    359. 

  359.     {
    360. 

  360.         if (!$filter) {
    361. 

  361.             return '*';
    362. 

  362.         }
    363. 

  363.         $adldapUtils = new adLDAPUtils($this->initAdLdap(null));
    364. 

  364.         $result = '*';
    365. 

  365.         if (isset($filter['name'])) {
    366. 

  366.             $result .= ')(displayname=*' . $adldapUtils->ldapSlashes($filter['name']) . '*';
    367. 

  367.             unset($filter['name']);
    368. 

  368.         }
    369. 

  369. 

  370.         if (isset($filter['user'])) {
    371. 

  371.             $result .= ')(samAccountName=*' . $adldapUtils->ldapSlashes($filter['user']) . '*';
    372. 

  372.             unset($filter['user']);
    373. 

  373.         }
    374. 

  374. 

  375.         if (isset($filter['mail'])) {
    376. 

  376.             $result .= ')(mail=*' . $adldapUtils->ldapSlashes($filter['mail']) . '*';
    377. 

  377.             unset($filter['mail']);
    378. 

  378.         }
    379. 

  379.         return $result;
    380. 

  380.     }
    381. 

  381. 

  382.     /**
    383. 

  383.      * Return a count of the number of user which meet $filter criteria
    384. 

  384.      *
    385. 

  385.      * @param array $filter  $filter array of field/pattern pairs, empty array for no filter
    386. 

  386.      * @return int number of users
    387. 

  387.      */
    388. 

  388.     public function getUserCount($filter = array())
    389. 

  389.     {
    390. 

  390.         $adldap = $this->initAdLdap(null);
    391. 

  391.         if (!$adldap) {
    392. 

  392.             Logger::debug("authad/auth.php getUserCount(): _adldap not set.");
    393. 

  393.             return -1;
    394. 

  394.         }
    395. 

  395.         if ($filter == array()) {
    396. 

  396.             $result = $adldap->user()->all();
    397. 

  397.         } else {
    398. 

  398.             $searchString = $this->constructSearchString($filter);
    399. 

  399.             $result = $adldap->user()->all(false, $searchString);
    400. 

  400.             if (isset($filter['grps'])) {
    401. 

  401.                 $this->users = array_fill_keys($result, false);
    402. 

  402.                 /** @var admin_plugin_usermanager $usermanager */
    403. 

  403.                 $usermanager = plugin_load("admin", "usermanager", false);
    404. 

  404.                 $usermanager->setLastdisabled(true);
    405. 

  405.                 if (!isset($this->grpsusers[$this->filterToString($filter)])) {
    406. 

  406.                     $this->fillGroupUserArray($filter, $usermanager->getStart() + 3*$usermanager->getPagesize());
    407. 

  407.                 } elseif (count($this->grpsusers[$this->filterToString($filter)]) <
    408. 

  408.                     $usermanager->getStart() + 3*$usermanager->getPagesize()
    409. 

  409.                 ) {
    410. 

  410.                     $this->fillGroupUserArray(
    411. 

  411.                         $filter,
    412. 

  412.                         $usermanager->getStart() +
    413. 

  413.                         3*$usermanager->getPagesize() -
    414. 

  414.                         count($this->grpsusers[$this->filterToString($filter)])
    415. 

  415.                     );
    416. 

  416.                 }
    417. 

  417.                 $result = $this->grpsusers[$this->filterToString($filter)];
    418. 

  418.             } else {
    419. 

  419.                 /** @var admin_plugin_usermanager $usermanager */
    420. 

  420.                 $usermanager = plugin_load("admin", "usermanager", false);
    421. 

  421.                 $usermanager->setLastdisabled(false);
    422. 

  422.             }
    423. 

  423.         }
    424. 

  424. 

  425.         if (!$result) {
    426. 

  426.             return 0;
    427. 

  427.         }
    428. 

  428.         return count($result);
    429. 

  429.     }
    430. 

  430. 

  431.     /**
    432. 

  432.      *
    433. 

  433.      * create a unique string for each filter used with a group
    434. 

  434.      *
    435. 

  435.      * @param array $filter
    436. 

  436.      * @return string
    437. 

  437.      */
    438. 

  438.     protected function filterToString($filter)
    439. 

  439.     {
    440. 

  440.         $result = '';
    441. 

  441.         if (isset($filter['user'])) {
    442. 

  442.             $result .= 'user-' . $filter['user'];
    443. 

  443.         }
    444. 

  444.         if (isset($filter['name'])) {
    445. 

  445.             $result .= 'name-' . $filter['name'];
    446. 

  446.         }
    447. 

  447.         if (isset($filter['mail'])) {
    448. 

  448.             $result .= 'mail-' . $filter['mail'];
    449. 

  449.         }
    450. 

  450.         if (isset($filter['grps'])) {
    451. 

  451.             $result .= 'grps-' . $filter['grps'];
    452. 

  452.         }
    453. 

  453.         return $result;
    454. 

  454.     }
    455. 

  455. 

  456.     /**
    457. 

  457.      * Create an array of $numberOfAdds users passing a certain $filter, including belonging
    458. 

  458.      * to a certain group and save them to a object-wide array. If the array
    459. 

  459.      * already exists try to add $numberOfAdds further users to it.
    460. 

  460.      *
    461. 

  461.      * @param array $filter
    462. 

  462.      * @param int $numberOfAdds additional number of users requested
    463. 

  463.      * @return int number of Users actually add to Array
    464. 

  464.      */
    465. 

  465.     protected function fillGroupUserArray($filter, $numberOfAdds)
    466. 

  466.     {
    467. 

  467.         if (isset($this->grpsusers[$this->filterToString($filter)])) {
    468. 

  468.             $actualstart = count($this->grpsusers[$this->filterToString($filter)]);
    469. 

  469.         } else {
    470. 

  470.             $this->grpsusers[$this->filterToString($filter)] = [];
    471. 

  471.             $actualstart = 0;
    472. 

  472.         }
    473. 

  473. 

  474.         $i=0;
    475. 

  475.         $count = 0;
    476. 

  476.         $this->constructPattern($filter);
    477. 

  477.         foreach ($this->users as $user => &$info) {
    478. 

  478.             if ($i++ < $actualstart) {
    479. 

  479.                 continue;
    480. 

  480.             }
    481. 

  481.             if ($info === false) {
    482. 

  482.                 $info = $this->getUserData($user);
    483. 

  483.             }
    484. 

  484.             if ($this->filter($user, $info)) {
    485. 

  485.                 $this->grpsusers[$this->filterToString($filter)][$user] = $info;
    486. 

  486.                 if (($numberOfAdds > 0) && (++$count >= $numberOfAdds)) break;
    487. 

  487.             }
    488. 

  488.         }
    489. 

  489.         return $count;
    490. 

  490.     }
    491. 

  491. 

  492.     /**
    493. 

  493.      * Bulk retrieval of user data
    494. 

  494.      *
    495. 

  495.      * @author  Dominik Eckelmann <dokuwiki@cosmocode.de>
    496. 

  496.      *
    497. 

  497.      * @param   int $start index of first user to be returned
    498. 

  498.      * @param   int $limit max number of users to be returned
    499. 

  499.      * @param   array $filter array of field/pattern pairs, null for no filter
    500. 

  500.      * @return array userinfo (refer getUserData for internal userinfo details)
    501. 

  501.      */
    502. 

  502.     public function retrieveUsers($start = 0, $limit = 0, $filter = array())
    503. 

  503.     {
    504. 

  504.         $adldap = $this->initAdLdap(null);
    505. 

  505.         if (!$adldap) return array();
    506. 

  506. 

  507.         //if (!$this->users) {
    508. 

  508.             //get info for given user
    509. 

  509.             $result = $adldap->user()->all(false, $this->constructSearchString($filter));
    510. 

  510.             if (!$result) return array();
    511. 

  511.             $this->users = array_fill_keys($result, false);
    512. 

  512.         //}
    513. 

  513. 

  514.         $i     = 0;
    515. 

  515.         $count = 0;
    516. 

  516.         $result = array();
    517. 

  517. 

  518.         if (!isset($filter['grps'])) {
    519. 

  519.             /** @var admin_plugin_usermanager $usermanager */
    520. 

  520.             $usermanager = plugin_load("admin", "usermanager", false);
    521. 

  521.             $usermanager->setLastdisabled(false);
    522. 

  522.             $this->constructPattern($filter);
    523. 

  523.             foreach ($this->users as $user => &$info) {
    524. 

  524.                 if ($i++ < $start) {
    525. 

  525.                     continue;
    526. 

  526.                 }
    527. 

  527.                 if ($info === false) {
    528. 

  528.                     $info = $this->getUserData($user);
    529. 

  529.                 }
    530. 

  530.                 $result[$user] = $info;
    531. 

  531.                 if (($limit > 0) && (++$count >= $limit)) break;
    532. 

  532.             }
    533. 

  533.         } else {
    534. 

  534.             /** @var admin_plugin_usermanager $usermanager */
    535. 

  535.             $usermanager = plugin_load("admin", "usermanager", false);
    536. 

  536.             $usermanager->setLastdisabled(true);
    537. 

  537.             if (!isset($this->grpsusers[$this->filterToString($filter)]) ||
    538. 

  538.                 count($this->grpsusers[$this->filterToString($filter)]) < ($start+$limit)
    539. 

  539.             ) {
    540. 

  540.                 if(!isset($this->grpsusers[$this->filterToString($filter)])) {
    541. 

  541.                     $this->grpsusers[$this->filterToString($filter)] = [];
    542. 

  542.                 }
    543. 

  543. 

  544.                 $this->fillGroupUserArray(
    545. 

  545.                     $filter,
    546. 

  546.                     $start+$limit - count($this->grpsusers[$this->filterToString($filter)]) +1
    547. 

  547.                 );
    548. 

  548.             }
    549. 

  549.             if (!$this->grpsusers[$this->filterToString($filter)]) return array();
    550. 

  550.             foreach ($this->grpsusers[$this->filterToString($filter)] as $user => &$info) {
    551. 

  551.                 if ($i++ < $start) {
    552. 

  552.                     continue;
    553. 

  553.                 }
    554. 

  554.                 $result[$user] = $info;
    555. 

  555.                 if (($limit > 0) && (++$count >= $limit)) break;
    556. 

  556.             }
    557. 

  557.         }
    558. 

  558.         return $result;
    559. 

  559.     }
    560. 

  560. 

  561.     /**
    562. 

  562.      * Modify user data
    563. 

  563.      *
    564. 

  564.      * @param   string $user      nick of the user to be changed
    565. 

  565.      * @param   array  $changes   array of field/value pairs to be changed
    566. 

  566.      * @return  bool
    567. 

  567.      */
    568. 

  568.     public function modifyUser($user, $changes)
    569. 

  569.     {
    570. 

  570.         $return = true;
    571. 

  571.         $adldap = $this->initAdLdap($this->getUserDomain($user));
    572. 

  572.         if (!$adldap) {
    573. 

  573.             msg($this->getLang('connectfail'), -1);
    574. 

  574.             return false;
    575. 

  575.         }
    576. 

  576. 

  577.         // password changing
    578. 

  578.         if (isset($changes['pass'])) {
    579. 

  579.             try {
    580. 

  580.                 $return = $adldap->user()->password($this->getUserName($user), $changes['pass']);
    581. 

  581.             } catch (adLDAPException $e) {
    582. 

  582.                 if ($this->conf['debug']) msg('AD Auth: '.$e->getMessage(), -1);
    583. 

  583.                 $return = false;
    584. 

  584.             }
    585. 

  585.             if (!$return) msg($this->getLang('passchangefail'), -1);
    586. 

  586.         }
    587. 

  587. 

  588.         // changing user data
    589. 

  589.         $adchanges = array();
    590. 

  590.         if (isset($changes['name'])) {
    591. 

  591.             // get first and last name
    592. 

  592.             $parts                     = explode(' ', $changes['name']);
    593. 

  593.             $adchanges['surname']      = array_pop($parts);
    594. 

  594.             $adchanges['firstname']    = join(' ', $parts);
    595. 

  595.             $adchanges['display_name'] = $changes['name'];
    596. 

  596.         }
    597. 

  597.         if (isset($changes['mail'])) {
    598. 

  598.             $adchanges['email'] = $changes['mail'];
    599. 

  599.         }
    600. 

  600.         if (count($adchanges)) {
    601. 

  601.             try {
    602. 

  602.                 $return = $return & $adldap->user()->modify($this->getUserName($user), $adchanges);
    603. 

  603.             } catch (adLDAPException $e) {
    604. 

  604.                 if ($this->conf['debug']) msg('AD Auth: '.$e->getMessage(), -1);
    605. 

  605.                 $return = false;
    606. 

  606.             }
    607. 

  607.             if (!$return) msg($this->getLang('userchangefail'), -1);
    608. 

  608.         }
    609. 

  609. 

  610.         return $return;
    611. 

  611.     }
    612. 

  612. 

  613.     /**
    614. 

  614.      * Initialize the AdLDAP library and connect to the server
    615. 

  615.      *
    616. 

  616.      * When you pass null as domain, it will reuse any existing domain.
    617. 

  617.      * Eg. the one of the logged in user. It falls back to the default
    618. 

  618.      * domain if no current one is available.
    619. 

  619.      *
    620. 

  620.      * @param string|null $domain The AD domain to use
    621. 

  621.      * @return adLDAP|bool true if a connection was established
    622. 

  622.      */
    623. 

  623.     protected function initAdLdap($domain)
    624. 

  624.     {
    625. 

  625.         if (is_null($domain) && is_array($this->opts)) {
    626. 

  626.             $domain = $this->opts['domain'];
    627. 

  627.         }
    628. 

  628. 

  629.         $this->opts = $this->loadServerConfig((string) $domain);
    630. 

  630.         if (isset($this->adldap[$domain])) return $this->adldap[$domain];
    631. 

  631. 

  632.         // connect
    633. 

  633.         try {
    634. 

  634.             $this->adldap[$domain] = new adLDAP($this->opts);
    635. 

  635.             return $this->adldap[$domain];
    636. 

  636.         } catch (Exception $e) {
    637. 

  637.             if ($this->conf['debug']) {
    638. 

  638.                 msg('AD Auth: '.$e->getMessage(), -1);
    639. 

  639.             }
    640. 

  640.             $this->success         = false;
    641. 

  641.             $this->adldap[$domain] = null;
    642. 

  642.         }
    643. 

  643.         return false;
    644. 

  644.     }
    645. 

  645. 

  646.     /**
    647. 

  647.      * Get the domain part from a user
    648. 

  648.      *
    649. 

  649.      * @param string $user
    650. 

  650.      * @return string
    651. 

  651.      */
    652. 

  652.     public function getUserDomain($user)
    653. 

  653.     {
    654. 

  654.         list(, $domain) = sexplode('@', $user, 2, '');
    655. 

  655.         return $domain;
    656. 

  656.     }
    657. 

  657. 

  658.     /**
    659. 

  659.      * Get the user part from a user
    660. 

  660.      *
    661. 

  661.      * When an account suffix is set, we strip the domain part from the user
    662. 

  662.      *
    663. 

  663.      * @param string $user
    664. 

  664.      * @return string
    665. 

  665.      */
    666. 

  666.     public function getUserName($user)
    667. 

  667.     {
    668. 

  668.         if ($this->conf['account_suffix'] !== '') {
    669. 

  669.             list($user) = explode('@', $user, 2);
    670. 

  670.         }
    671. 

  671.         return $user;
    672. 

  672.     }
    673. 

  673. 

  674.     /**
    675. 

  675.      * Fetch the configuration for the given AD domain
    676. 

  676.      *
    677. 

  677.      * @param string $domain current AD domain
    678. 

  678.      * @return array
    679. 

  679.      */
    680. 

  680.     protected function loadServerConfig($domain)
    681. 

  681.     {
    682. 

  682.         // prepare adLDAP standard configuration
    683. 

  683.         $opts = $this->conf;
    684. 

  684. 

  685.         $opts['domain'] = $domain;
    686. 

  686. 

  687.         // add possible domain specific configuration
    688. 

  688.         if ($domain && is_array($this->conf[$domain])) foreach ($this->conf[$domain] as $key => $val) {
    689. 

  689.             $opts[$key] = $val;
    690. 

  690.         }
    691. 

  691. 

  692.         // handle multiple AD servers
    693. 

  693.         $opts['domain_controllers'] = explode(',', $opts['domain_controllers']);
    694. 

  694.         $opts['domain_controllers'] = array_map('trim', $opts['domain_controllers']);
    695. 

  695.         $opts['domain_controllers'] = array_filter($opts['domain_controllers']);
    696. 

  696. 

  697.         // compatibility with old option name
    698. 

  698.         if (empty($opts['admin_username']) && !empty($opts['ad_username'])) {
    699. 

  699.             $opts['admin_username'] = $opts['ad_username'];
    700. 

  700.         }
    701. 

  701.         if (empty($opts['admin_password']) && !empty($opts['ad_password'])) {
    702. 

  702.             $opts['admin_password'] = $opts['ad_password'];
    703. 

  703.         }
    704. 

  704.         $opts['admin_password'] = conf_decodeString($opts['admin_password']); // deobfuscate
    705. 

  705. 

  706.         // we can change the password if SSL is set
    707. 

  707.         if ($opts['update_pass'] && ($opts['use_ssl'] || $opts['use_tls'])) {
    708. 

  708.             $this->cando['modPass'] = true;
    709. 

  709.         } else {
    710. 

  710.             $this->cando['modPass'] = false;
    711. 

  711.         }
    712. 

  712. 

  713.         // adLDAP expects empty user/pass as NULL, we're less strict FS#2781
    714. 

  714.         if (empty($opts['admin_username'])) $opts['admin_username'] = null;
    715. 

  715.         if (empty($opts['admin_password'])) $opts['admin_password'] = null;
    716. 

  716. 

  717.         // user listing needs admin priviledges
    718. 

  718.         if (!empty($opts['admin_username']) && !empty($opts['admin_password'])) {
    719. 

  719.             $this->cando['getUsers'] = true;
    720. 

  720.         } else {
    721. 

  721.             $this->cando['getUsers'] = false;
    722. 

  722.         }
    723. 

  723. 

  724.         return $opts;
    725. 

  725.     }
    726. 

  726. 

  727.     /**
    728. 

  728.      * Returns a list of configured domains
    729. 

  729.      *
    730. 

  730.      * The default domain has an empty string as key
    731. 

  731.      *
    732. 

  732.      * @return array associative array(key => domain)
    733. 

  733.      */
    734. 

  734.     public function getConfiguredDomains()
    735. 

  735.     {
    736. 

  736.         $domains = array();
    737. 

  737.         if (empty($this->conf['account_suffix'])) return $domains; // not configured yet
    738. 

  738. 

  739.         // add default domain, using the name from account suffix
    740. 

  740.         $domains[''] = ltrim($this->conf['account_suffix'], '@');
    741. 

  741. 

  742.         // find additional domains
    743. 

  743.         foreach ($this->conf as $key => $val) {
    744. 

  744.             if (is_array($val) && isset($val['account_suffix'])) {
    745. 

  745.                 $domains[$key] = ltrim($val['account_suffix'], '@');
    746. 

  746.             }
    747. 

  747.         }
    748. 

  748.         Sort::ksort($domains);
    749. 

  749. 

  750.         return $domains;
    751. 

  751.     }
    752. 

  752. 

  753.     /**
    754. 

  754.      * Check provided user and userinfo for matching patterns
    755. 

  755.      *
    756. 

  756.      * The patterns are set up with $this->_constructPattern()
    757. 

  757.      *
    758. 

  758.      * @author Chris Smith <chris@jalakai.co.uk>
    759. 

  759.      *
    760. 

  760.      * @param string $user
    761. 

  761.      * @param array  $info
    762. 

  762.      * @return bool
    763. 

  763.      */
    764. 

  764.     protected function filter($user, $info)
    765. 

  765.     {
    766. 

  766.         foreach ($this->pattern as $item => $pattern) {
    767. 

  767.             if ($item == 'user') {
    768. 

  768.                 if (!preg_match($pattern, $user)) return false;
    769. 

  769.             } elseif ($item == 'grps') {
    770. 

  770.                 if (!count(preg_grep($pattern, $info['grps']))) return false;
    771. 

  771.             } else {
    772. 

  772.                 if (!preg_match($pattern, $info[$item])) return false;
    773. 

  773.             }
    774. 

  774.         }
    775. 

  775.         return true;
    776. 

  776.     }
    777. 

  777. 

  778.     /**
    779. 

  779.      * Create a pattern for $this->_filter()
    780. 

  780.      *
    781. 

  781.      * @author Chris Smith <chris@jalakai.co.uk>
    782. 

  782.      *
    783. 

  783.      * @param array $filter
    784. 

  784.      */
    785. 

  785.     protected function constructPattern($filter)
    786. 

  786.     {
    787. 

  787.         $this->pattern = array();
    788. 

  788.         foreach ($filter as $item => $pattern) {
    789. 

  789.             $this->pattern[$item] = '/'.str_replace('/', '\/', $pattern).'/i'; // allow regex characters
    790. 

  790.         }
    791. 

  791.     }
    792. 

  792. }
    793.