1 | <?php
|
---|
2 | /**
|
---|
3 | * PHP LDAP CLASS FOR MANIPULATING ACTIVE DIRECTORY
|
---|
4 | * Version 3.3.2
|
---|
5 | *
|
---|
6 | * PHP Version 5 with SSL and LDAP support
|
---|
7 | *
|
---|
8 | * Written by Scott Barnett, Richard Hyland
|
---|
9 | * email: [email protected], [email protected]
|
---|
10 | * http://adldap.sourceforge.net/
|
---|
11 | *
|
---|
12 | * Copyright (c) 2006-2010 Scott Barnett, Richard Hyland
|
---|
13 | *
|
---|
14 | * We'd appreciate any improvements or additions to be submitted back
|
---|
15 | * to benefit the entire community :)
|
---|
16 | *
|
---|
17 | * This library is free software; you can redistribute it and/or
|
---|
18 | * modify it under the terms of the GNU Lesser General Public
|
---|
19 | * License as published by the Free Software Foundation; either
|
---|
20 | * version 2.1 of the License.
|
---|
21 | *
|
---|
22 | * This library is distributed in the hope that it will be useful,
|
---|
23 | * but WITHOUT ANY WARRANTY; without even the implied warranty of
|
---|
24 | * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU
|
---|
25 | * Lesser General Public License for more details.
|
---|
26 | *
|
---|
27 | * @category ToolsAndUtilities
|
---|
28 | * @package adLDAP
|
---|
29 | * @author Scott Barnett, Richard Hyland
|
---|
30 | * @copyright (c) 2006-2010 Scott Barnett, Richard Hyland
|
---|
31 | * @license http://www.gnu.org/licenses/old-licenses/lgpl-2.1.html LGPLv2.1
|
---|
32 | * @revision $Revision: 91 $
|
---|
33 | * @version 3.3.2
|
---|
34 | * @link http://adldap.sourceforge.net/
|
---|
35 | */
|
---|
36 |
|
---|
37 | /**
|
---|
38 | * Define the different types of account in AD
|
---|
39 | */
|
---|
40 | define ('ADLDAP_NORMAL_ACCOUNT', 805306368);
|
---|
41 | define ('ADLDAP_WORKSTATION_TRUST', 805306369);
|
---|
42 | define ('ADLDAP_INTERDOMAIN_TRUST', 805306370);
|
---|
43 | define ('ADLDAP_SECURITY_GLOBAL_GROUP', 268435456);
|
---|
44 | define ('ADLDAP_DISTRIBUTION_GROUP', 268435457);
|
---|
45 | define ('ADLDAP_SECURITY_LOCAL_GROUP', 536870912);
|
---|
46 | define ('ADLDAP_DISTRIBUTION_LOCAL_GROUP', 536870913);
|
---|
47 | define ('ADLDAP_FOLDER', 'OU');
|
---|
48 | define ('ADLDAP_CONTAINER', 'CN');
|
---|
49 |
|
---|
50 | /**
|
---|
51 | * Main adLDAP class
|
---|
52 | *
|
---|
53 | * Can be initialised using $adldap = new adLDAP();
|
---|
54 | *
|
---|
55 | * Something to keep in mind is that Active Directory is a permissions
|
---|
56 | * based directory. If you bind as a domain user, you can't fetch as
|
---|
57 | * much information on other users as you could as a domain admin.
|
---|
58 | *
|
---|
59 | * Before asking questions, please read the Documentation at
|
---|
60 | * http://adldap.sourceforge.net/wiki/doku.php?id=api
|
---|
61 | */
|
---|
62 | class adLDAP {
|
---|
63 | /**
|
---|
64 | * The account suffix for your domain, can be set when the class is invoked
|
---|
65 | *
|
---|
66 | * @var string
|
---|
67 | */
|
---|
68 | protected $_account_suffix = "@mydomain.local";
|
---|
69 |
|
---|
70 | /**
|
---|
71 | * The base dn for your domain
|
---|
72 | *
|
---|
73 | * @var string
|
---|
74 | */
|
---|
75 | protected $_base_dn = "DC=mydomain,DC=local";
|
---|
76 |
|
---|
77 | /**
|
---|
78 | * Array of domain controllers. Specifiy multiple controllers if you
|
---|
79 | * would like the class to balance the LDAP queries amongst multiple servers
|
---|
80 | *
|
---|
81 | * @var array
|
---|
82 | */
|
---|
83 | protected $_domain_controllers = array ("dc01.mydomain.local");
|
---|
84 |
|
---|
85 | /**
|
---|
86 | * Optional account with higher privileges for searching
|
---|
87 | * This should be set to a domain admin account
|
---|
88 | *
|
---|
89 | * @var string
|
---|
90 | * @var string
|
---|
91 | */
|
---|
92 | protected $_ad_username=NULL;
|
---|
93 | protected $_ad_password=NULL;
|
---|
94 |
|
---|
95 | /**
|
---|
96 | * AD does not return the primary group. http://support.microsoft.com/?kbid=321360
|
---|
97 | * This tweak will resolve the real primary group.
|
---|
98 | * Setting to false will fudge "Domain Users" and is much faster. Keep in mind though that if
|
---|
99 | * someone's primary group is NOT domain users, this is obviously going to mess up the results
|
---|
100 | *
|
---|
101 | * @var bool
|
---|
102 | */
|
---|
103 | protected $_real_primarygroup=true;
|
---|
104 |
|
---|
105 | /**
|
---|
106 | * Use SSL (LDAPS), your server needs to be setup, please see
|
---|
107 | * http://adldap.sourceforge.net/wiki/doku.php?id=ldap_over_ssl
|
---|
108 | *
|
---|
109 | * @var bool
|
---|
110 | */
|
---|
111 | protected $_use_ssl=false;
|
---|
112 |
|
---|
113 | /**
|
---|
114 | * Use TLS
|
---|
115 | * If you wish to use TLS you should ensure that $_use_ssl is set to false and vice-versa
|
---|
116 | *
|
---|
117 | * @var bool
|
---|
118 | */
|
---|
119 | protected $_use_tls=false;
|
---|
120 |
|
---|
121 | /**
|
---|
122 | * When querying group memberships, do it recursively
|
---|
123 | * eg. User Fred is a member of Group A, which is a member of Group B, which is a member of Group C
|
---|
124 | * user_ingroup("Fred","C") will returns true with this option turned on, false if turned off
|
---|
125 | *
|
---|
126 | * @var bool
|
---|
127 | */
|
---|
128 | protected $_recursive_groups=true;
|
---|
129 |
|
---|
130 | // You should not need to edit anything below this line
|
---|
131 | //******************************************************************************************
|
---|
132 |
|
---|
133 | /**
|
---|
134 | * Connection and bind default variables
|
---|
135 | *
|
---|
136 | * @var mixed
|
---|
137 | * @var mixed
|
---|
138 | */
|
---|
139 | protected $_conn;
|
---|
140 | protected $_bind;
|
---|
141 |
|
---|
142 | /**
|
---|
143 | * Getters and Setters
|
---|
144 | */
|
---|
145 |
|
---|
146 | /**
|
---|
147 | * Set the account suffix
|
---|
148 | *
|
---|
149 | * @param string $_account_suffix
|
---|
150 | * @return void
|
---|
151 | */
|
---|
152 | public function set_account_suffix($_account_suffix)
|
---|
153 | {
|
---|
154 | $this->_account_suffix = $_account_suffix;
|
---|
155 | }
|
---|
156 |
|
---|
157 | /**
|
---|
158 | * Get the account suffix
|
---|
159 | *
|
---|
160 | * @return string
|
---|
161 | */
|
---|
162 | public function get_account_suffix()
|
---|
163 | {
|
---|
164 | return $this->_account_suffix;
|
---|
165 | }
|
---|
166 |
|
---|
167 | /**
|
---|
168 | * Set the domain controllers array
|
---|
169 | *
|
---|
170 | * @param array $_domain_controllers
|
---|
171 | * @return void
|
---|
172 | */
|
---|
173 | public function set_domain_controllers(array $_domain_controllers)
|
---|
174 | {
|
---|
175 | $this->_domain_controllers = $_domain_controllers;
|
---|
176 | }
|
---|
177 |
|
---|
178 | /**
|
---|
179 | * Get the list of domain controllers
|
---|
180 | *
|
---|
181 | * @return void
|
---|
182 | */
|
---|
183 | public function get_domain_controllers()
|
---|
184 | {
|
---|
185 | return $this->_domain_controllers;
|
---|
186 | }
|
---|
187 |
|
---|
188 | /**
|
---|
189 | * Set the username of an account with higher priviledges
|
---|
190 | *
|
---|
191 | * @param string $_ad_username
|
---|
192 | * @return void
|
---|
193 | */
|
---|
194 | public function set_ad_username($_ad_username)
|
---|
195 | {
|
---|
196 | $this->_ad_username = $_ad_username;
|
---|
197 | }
|
---|
198 |
|
---|
199 | /**
|
---|
200 | * Get the username of the account with higher priviledges
|
---|
201 | *
|
---|
202 | * This will throw an exception for security reasons
|
---|
203 | */
|
---|
204 | public function get_ad_username()
|
---|
205 | {
|
---|
206 | throw new adLDAPException('For security reasons you cannot access the domain administrator account details');
|
---|
207 | }
|
---|
208 |
|
---|
209 | /**
|
---|
210 | * Set the password of an account with higher priviledges
|
---|
211 | *
|
---|
212 | * @param string $_ad_password
|
---|
213 | * @return void
|
---|
214 | */
|
---|
215 | public function set_ad_password($_ad_password)
|
---|
216 | {
|
---|
217 | $this->_ad_password = $_ad_password;
|
---|
218 | }
|
---|
219 |
|
---|
220 | /**
|
---|
221 | * Get the password of the account with higher priviledges
|
---|
222 | *
|
---|
223 | * This will throw an exception for security reasons
|
---|
224 | */
|
---|
225 | public function get_ad_password()
|
---|
226 | {
|
---|
227 | throw new adLDAPException('For security reasons you cannot access the domain administrator account details');
|
---|
228 | }
|
---|
229 |
|
---|
230 | /**
|
---|
231 | * Set whether to detect the true primary group
|
---|
232 | *
|
---|
233 | * @param bool $_real_primary_group
|
---|
234 | * @return void
|
---|
235 | */
|
---|
236 | public function set_real_primarygroup($_real_primarygroup)
|
---|
237 | {
|
---|
238 | $this->_real_primarygroup = $_real_primarygroup;
|
---|
239 | }
|
---|
240 |
|
---|
241 | /**
|
---|
242 | * Get the real primary group setting
|
---|
243 | *
|
---|
244 | * @return bool
|
---|
245 | */
|
---|
246 | public function get_real_primarygroup()
|
---|
247 | {
|
---|
248 | return $this->_real_primarygroup;
|
---|
249 | }
|
---|
250 |
|
---|
251 | /**
|
---|
252 | * Set whether to use SSL
|
---|
253 | *
|
---|
254 | * @param bool $_use_ssl
|
---|
255 | * @return void
|
---|
256 | */
|
---|
257 | public function set_use_ssl($_use_ssl)
|
---|
258 | {
|
---|
259 | $this->_use_ssl = $_use_ssl;
|
---|
260 | }
|
---|
261 |
|
---|
262 | /**
|
---|
263 | * Get the SSL setting
|
---|
264 | *
|
---|
265 | * @return bool
|
---|
266 | */
|
---|
267 | public function get_use_ssl()
|
---|
268 | {
|
---|
269 | return $this->_use_ssl;
|
---|
270 | }
|
---|
271 |
|
---|
272 | /**
|
---|
273 | * Set whether to use TLS
|
---|
274 | *
|
---|
275 | * @param bool $_use_tls
|
---|
276 | * @return void
|
---|
277 | */
|
---|
278 | public function set_use_tls($_use_tls)
|
---|
279 | {
|
---|
280 | $this->_use_tls = $_use_tls;
|
---|
281 | }
|
---|
282 |
|
---|
283 | /**
|
---|
284 | * Get the TLS setting
|
---|
285 | *
|
---|
286 | * @return bool
|
---|
287 | */
|
---|
288 | public function get_use_tls()
|
---|
289 | {
|
---|
290 | return $this->_use_tls;
|
---|
291 | }
|
---|
292 |
|
---|
293 | /**
|
---|
294 | * Set whether to lookup recursive groups
|
---|
295 | *
|
---|
296 | * @param bool $_recursive_groups
|
---|
297 | * @return void
|
---|
298 | */
|
---|
299 | public function set_recursive_groups($_recursive_groups)
|
---|
300 | {
|
---|
301 | $this->_recursive_groups = $_recursive_groups;
|
---|
302 | }
|
---|
303 |
|
---|
304 | /**
|
---|
305 | * Get the recursive groups setting
|
---|
306 | *
|
---|
307 | * @return bool
|
---|
308 | */
|
---|
309 | public function get_recursive_groups()
|
---|
310 | {
|
---|
311 | return $this->_recursive_groups;
|
---|
312 | }
|
---|
313 |
|
---|
314 | /**
|
---|
315 | * Default Constructor
|
---|
316 | *
|
---|
317 | * Tries to bind to the AD domain over LDAP or LDAPs
|
---|
318 | *
|
---|
319 | * @param array $options Array of options to pass to the constructor
|
---|
320 | * @throws Exception - if unable to bind to Domain Controller
|
---|
321 | * @return bool
|
---|
322 | */
|
---|
323 | function __construct($options=array()){
|
---|
324 | // You can specifically overide any of the default configuration options setup above
|
---|
325 | if (count($options)>0){
|
---|
326 | if (array_key_exists("account_suffix",$options)){ $this->_account_suffix=$options["account_suffix"]; }
|
---|
327 | if (array_key_exists("base_dn",$options)){ $this->_base_dn=$options["base_dn"]; }
|
---|
328 | if (array_key_exists("domain_controllers",$options)){ $this->_domain_controllers=$options["domain_controllers"]; }
|
---|
329 | if (array_key_exists("ad_username",$options)){ $this->_ad_username=$options["ad_username"]; }
|
---|
330 | if (array_key_exists("ad_password",$options)){ $this->_ad_password=$options["ad_password"]; }
|
---|
331 | if (array_key_exists("real_primarygroup",$options)){ $this->_real_primarygroup=$options["real_primarygroup"]; }
|
---|
332 | if (array_key_exists("use_ssl",$options)){ $this->_use_ssl=$options["use_ssl"]; }
|
---|
333 | if (array_key_exists("use_tls",$options)){ $this->_use_tls=$options["use_tls"]; }
|
---|
334 | if (array_key_exists("recursive_groups",$options)){ $this->_recursive_groups=$options["recursive_groups"]; }
|
---|
335 | }
|
---|
336 |
|
---|
337 | if ($this->ldap_supported() === false) {
|
---|
338 | throw new adLDAPException('No LDAP support for PHP. See: http://www.php.net/ldap');
|
---|
339 | }
|
---|
340 |
|
---|
341 | return $this->connect();
|
---|
342 | }
|
---|
343 |
|
---|
344 | /**
|
---|
345 | * Default Destructor
|
---|
346 | *
|
---|
347 | * Closes the LDAP connection
|
---|
348 | *
|
---|
349 | * @return void
|
---|
350 | */
|
---|
351 | function __destruct(){ $this->close(); }
|
---|
352 |
|
---|
353 | /**
|
---|
354 | * Connects and Binds to the Domain Controller
|
---|
355 | *
|
---|
356 | * @return bool
|
---|
357 | */
|
---|
358 | public function connect() {
|
---|
359 | // Connect to the AD/LDAP server as the username/password
|
---|
360 | $dc=$this->random_controller();
|
---|
361 | if ($this->_use_ssl){
|
---|
362 | $this->_conn = ldap_connect("ldaps://".$dc, 636);
|
---|
363 | } else {
|
---|
364 | $this->_conn = ldap_connect($dc);
|
---|
365 | }
|
---|
366 |
|
---|
367 | // Set some ldap options for talking to AD
|
---|
368 | ldap_set_option($this->_conn, LDAP_OPT_PROTOCOL_VERSION, 3);
|
---|
369 | ldap_set_option($this->_conn, LDAP_OPT_REFERRALS, 0);
|
---|
370 |
|
---|
371 | if ($this->_use_tls) {
|
---|
372 | ldap_start_tls($this->_conn);
|
---|
373 | }
|
---|
374 |
|
---|
375 | // Bind as a domain admin if they've set it up
|
---|
376 | if ($this->_ad_username!=NULL && $this->_ad_password!=NULL){
|
---|
377 | $this->_bind = @ldap_bind($this->_conn,$this->_ad_username.$this->_account_suffix,$this->_ad_password);
|
---|
378 | if (!$this->_bind){
|
---|
379 | if ($this->_use_ssl && !$this->_use_tls){
|
---|
380 | // If you have problems troubleshooting, remove the @ character from the ldap_bind command above to get the actual error message
|
---|
381 | throw new adLDAPException('Bind to Active Directory failed. Either the LDAPs connection failed or the login credentials are incorrect. AD said: ' . $this->get_last_error());
|
---|
382 | } else {
|
---|
383 | throw new adLDAPException('Bind to Active Directory failed. Check the login credentials and/or server details. AD said: ' . $this->get_last_error());
|
---|
384 | }
|
---|
385 | }
|
---|
386 | }
|
---|
387 |
|
---|
388 | if ($this->_base_dn == NULL) {
|
---|
389 | $this->_base_dn = $this->find_base_dn();
|
---|
390 | }
|
---|
391 |
|
---|
392 | return (true);
|
---|
393 | }
|
---|
394 |
|
---|
395 | /**
|
---|
396 | * Closes the LDAP connection
|
---|
397 | *
|
---|
398 | * @return void
|
---|
399 | */
|
---|
400 | public function close() {
|
---|
401 | ldap_close ($this->_conn);
|
---|
402 | }
|
---|
403 |
|
---|
404 | /**
|
---|
405 | * Validate a user's login credentials
|
---|
406 | *
|
---|
407 | * @param string $username A user's AD username
|
---|
408 | * @param string $password A user's AD password
|
---|
409 | * @param bool optional $prevent_rebind
|
---|
410 | * @return bool
|
---|
411 | */
|
---|
412 | public function authenticate($username, $password, $prevent_rebind = false) {
|
---|
413 | // Prevent null binding
|
---|
414 | if ($username === NULL || $password === NULL) { return false; }
|
---|
415 | if (empty($username) || empty($password)) { return false; }
|
---|
416 |
|
---|
417 | // Bind as the user
|
---|
418 | $ret = true;
|
---|
419 | $this->_bind = @ldap_bind($this->_conn, $username . $this->_account_suffix, $password);
|
---|
420 | if (!$this->_bind){ $ret = false; }
|
---|
421 |
|
---|
422 | // Cnce we've checked their details, kick back into admin mode if we have it
|
---|
423 | if ($this->_ad_username !== NULL && !$prevent_rebind) {
|
---|
424 | $this->_bind = @ldap_bind($this->_conn, $this->_ad_username . $this->_account_suffix , $this->_ad_password);
|
---|
425 | if (!$this->_bind){
|
---|
426 | // This should never happen in theory
|
---|
427 | throw new adLDAPException('Rebind to Active Directory failed. AD said: ' . $this->get_last_error());
|
---|
428 | }
|
---|
429 | }
|
---|
430 |
|
---|
431 | return $ret;
|
---|
432 | }
|
---|
433 |
|
---|
434 | //*****************************************************************************************************************
|
---|
435 | // GROUP FUNCTIONS
|
---|
436 |
|
---|
437 | /**
|
---|
438 | * Add a group to a group
|
---|
439 | *
|
---|
440 | * @param string $parent The parent group name
|
---|
441 | * @param string $child The child group name
|
---|
442 | * @return bool
|
---|
443 | */
|
---|
444 | public function group_add_group($parent,$child){
|
---|
445 |
|
---|
446 | // Find the parent group's dn
|
---|
447 | $parent_group=$this->group_info($parent,array("cn"));
|
---|
448 | if ($parent_group[0]["dn"]===NULL){ return (false); }
|
---|
449 | $parent_dn=$parent_group[0]["dn"];
|
---|
450 |
|
---|
451 | // Find the child group's dn
|
---|
452 | $child_group=$this->group_info($child,array("cn"));
|
---|
453 | if ($child_group[0]["dn"]===NULL){ return (false); }
|
---|
454 | $child_dn=$child_group[0]["dn"];
|
---|
455 |
|
---|
456 | $add=array();
|
---|
457 | $add["member"] = $child_dn;
|
---|
458 |
|
---|
459 | $result=@ldap_mod_add($this->_conn,$parent_dn,$add);
|
---|
460 | if ($result==false){ return (false); }
|
---|
461 | return (true);
|
---|
462 | }
|
---|
463 |
|
---|
464 | /**
|
---|
465 | * Add a user to a group
|
---|
466 | *
|
---|
467 | * @param string $group The group to add the user to
|
---|
468 | * @param string $user The user to add to the group
|
---|
469 | * @param bool $isGUID Is the username passed a GUID or a samAccountName
|
---|
470 | * @return bool
|
---|
471 | */
|
---|
472 | public function group_add_user($group,$user,$isGUID=false){
|
---|
473 | // Adding a user is a bit fiddly, we need to get the full DN of the user
|
---|
474 | // and add it using the full DN of the group
|
---|
475 |
|
---|
476 | // Find the user's dn
|
---|
477 | $user_dn=$this->user_dn($user,$isGUID);
|
---|
478 | if ($user_dn===false){ return (false); }
|
---|
479 |
|
---|
480 | // Find the group's dn
|
---|
481 | $group_info=$this->group_info($group,array("cn"));
|
---|
482 | if ($group_info[0]["dn"]===NULL){ return (false); }
|
---|
483 | $group_dn=$group_info[0]["dn"];
|
---|
484 |
|
---|
485 | $add=array();
|
---|
486 | $add["member"] = $user_dn;
|
---|
487 |
|
---|
488 | $result=@ldap_mod_add($this->_conn,$group_dn,$add);
|
---|
489 | if ($result==false){ return (false); }
|
---|
490 | return (true);
|
---|
491 | }
|
---|
492 |
|
---|
493 | /**
|
---|
494 | * Add a contact to a group
|
---|
495 | *
|
---|
496 | * @param string $group The group to add the contact to
|
---|
497 | * @param string $contact_dn The DN of the contact to add
|
---|
498 | * @return bool
|
---|
499 | */
|
---|
500 | public function group_add_contact($group,$contact_dn){
|
---|
501 | // To add a contact we take the contact's DN
|
---|
502 | // and add it using the full DN of the group
|
---|
503 |
|
---|
504 | // Find the group's dn
|
---|
505 | $group_info=$this->group_info($group,array("cn"));
|
---|
506 | if ($group_info[0]["dn"]===NULL){ return (false); }
|
---|
507 | $group_dn=$group_info[0]["dn"];
|
---|
508 |
|
---|
509 | $add=array();
|
---|
510 | $add["member"] = $contact_dn;
|
---|
511 |
|
---|
512 | $result=@ldap_mod_add($this->_conn,$group_dn,$add);
|
---|
513 | if ($result==false){ return (false); }
|
---|
514 | return (true);
|
---|
515 | }
|
---|
516 |
|
---|
517 | /**
|
---|
518 | * Create a group
|
---|
519 | *
|
---|
520 | * @param array $attributes Default attributes of the group
|
---|
521 | * @return bool
|
---|
522 | */
|
---|
523 | public function group_create($attributes){
|
---|
524 | if (!is_array($attributes)){ return ("Attributes must be an array"); }
|
---|
525 | if (!array_key_exists("group_name",$attributes)){ return ("Missing compulsory field [group_name]"); }
|
---|
526 | if (!array_key_exists("container",$attributes)){ return ("Missing compulsory field [container]"); }
|
---|
527 | if (!array_key_exists("description",$attributes)){ return ("Missing compulsory field [description]"); }
|
---|
528 | if (!is_array($attributes["container"])){ return ("Container attribute must be an array."); }
|
---|
529 | $attributes["container"]=array_reverse($attributes["container"]);
|
---|
530 |
|
---|
531 | //$member_array = array();
|
---|
532 | //$member_array[0] = "cn=user1,cn=Users,dc=yourdomain,dc=com";
|
---|
533 | //$member_array[1] = "cn=administrator,cn=Users,dc=yourdomain,dc=com";
|
---|
534 |
|
---|
535 | $add=array();
|
---|
536 | $add["cn"] = $attributes["group_name"];
|
---|
537 | $add["samaccountname"] = $attributes["group_name"];
|
---|
538 | $add["objectClass"] = "Group";
|
---|
539 | $add["description"] = $attributes["description"];
|
---|
540 | //$add["member"] = $member_array; UNTESTED
|
---|
541 |
|
---|
542 | $container="OU=".implode(",OU=",$attributes["container"]);
|
---|
543 | $result=ldap_add($this->_conn,"CN=".$add["cn"].", ".$container.",".$this->_base_dn,$add);
|
---|
544 | if ($result!=true){ return (false); }
|
---|
545 |
|
---|
546 | return (true);
|
---|
547 | }
|
---|
548 |
|
---|
549 | /**
|
---|
550 | * Remove a group from a group
|
---|
551 | *
|
---|
552 | * @param string $parent The parent group name
|
---|
553 | * @param string $child The child group name
|
---|
554 | * @return bool
|
---|
555 | */
|
---|
556 | public function group_del_group($parent,$child){
|
---|
557 |
|
---|
558 | // Find the parent dn
|
---|
559 | $parent_group=$this->group_info($parent,array("cn"));
|
---|
560 | if ($parent_group[0]["dn"]===NULL){ return (false); }
|
---|
561 | $parent_dn=$parent_group[0]["dn"];
|
---|
562 |
|
---|
563 | // Find the child dn
|
---|
564 | $child_group=$this->group_info($child,array("cn"));
|
---|
565 | if ($child_group[0]["dn"]===NULL){ return (false); }
|
---|
566 | $child_dn=$child_group[0]["dn"];
|
---|
567 |
|
---|
568 | $del=array();
|
---|
569 | $del["member"] = $child_dn;
|
---|
570 |
|
---|
571 | $result=@ldap_mod_del($this->_conn,$parent_dn,$del);
|
---|
572 | if ($result==false){ return (false); }
|
---|
573 | return (true);
|
---|
574 | }
|
---|
575 |
|
---|
576 | /**
|
---|
577 | * Remove a user from a group
|
---|
578 | *
|
---|
579 | * @param string $group The group to remove a user from
|
---|
580 | * @param string $user The AD user to remove from the group
|
---|
581 | * @param bool $isGUID Is the username passed a GUID or a samAccountName
|
---|
582 | * @return bool
|
---|
583 | */
|
---|
584 | public function group_del_user($group,$user,$isGUID=false){
|
---|
585 |
|
---|
586 | // Find the parent dn
|
---|
587 | $group_info=$this->group_info($group,array("cn"));
|
---|
588 | if ($group_info[0]["dn"]===NULL){ return (false); }
|
---|
589 | $group_dn=$group_info[0]["dn"];
|
---|
590 |
|
---|
591 | // Find the users dn
|
---|
592 | $user_dn=$this->user_dn($user,$isGUID);
|
---|
593 | if ($user_dn===false){ return (false); }
|
---|
594 |
|
---|
595 | $del=array();
|
---|
596 | $del["member"] = $user_dn;
|
---|
597 |
|
---|
598 | $result=@ldap_mod_del($this->_conn,$group_dn,$del);
|
---|
599 | if ($result==false){ return (false); }
|
---|
600 | return (true);
|
---|
601 | }
|
---|
602 |
|
---|
603 | /**
|
---|
604 | * Remove a contact from a group
|
---|
605 | *
|
---|
606 | * @param string $group The group to remove a user from
|
---|
607 | * @param string $contact_dn The DN of a contact to remove from the group
|
---|
608 | * @return bool
|
---|
609 | */
|
---|
610 | public function group_del_contact($group,$contact_dn){
|
---|
611 |
|
---|
612 | // Find the parent dn
|
---|
613 | $group_info=$this->group_info($group,array("cn"));
|
---|
614 | if ($group_info[0]["dn"]===NULL){ return (false); }
|
---|
615 | $group_dn=$group_info[0]["dn"];
|
---|
616 |
|
---|
617 | $del=array();
|
---|
618 | $del["member"] = $contact_dn;
|
---|
619 |
|
---|
620 | $result=@ldap_mod_del($this->_conn,$group_dn,$del);
|
---|
621 | if ($result==false){ return (false); }
|
---|
622 | return (true);
|
---|
623 | }
|
---|
624 |
|
---|
625 | /**
|
---|
626 | * Return a list of groups in a group
|
---|
627 | *
|
---|
628 | * @param string $group The group to query
|
---|
629 | * @param bool $recursive Recursively get groups
|
---|
630 | * @return array
|
---|
631 | */
|
---|
632 | public function groups_in_group($group, $recursive = NULL){
|
---|
633 | if (!$this->_bind){ return (false); }
|
---|
634 | if ($recursive===NULL){ $recursive=$this->_recursive_groups; } // Use the default option if they haven't set it
|
---|
635 |
|
---|
636 | // Search the directory for the members of a group
|
---|
637 | $info=$this->group_info($group,array("member","cn"));
|
---|
638 | $groups=$info[0]["member"];
|
---|
639 | if (!is_array($groups)) {
|
---|
640 | return (false);
|
---|
641 | }
|
---|
642 |
|
---|
643 | $group_array=array();
|
---|
644 |
|
---|
645 | for ($i=0; $i<$groups["count"]; $i++){
|
---|
646 | $filter="(&(objectCategory=group)(distinguishedName=".$this->ldap_slashes($groups[$i])."))";
|
---|
647 | $fields = array("samaccountname", "distinguishedname", "objectClass");
|
---|
648 | $sr=ldap_search($this->_conn,$this->_base_dn,$filter,$fields);
|
---|
649 | $entries = ldap_get_entries($this->_conn, $sr);
|
---|
650 |
|
---|
651 | // not a person, look for a group
|
---|
652 | if ($entries['count'] == 0 && $recursive == true) {
|
---|
653 | $filter="(&(objectCategory=group)(distinguishedName=".$this->ldap_slashes($groups[$i])."))";
|
---|
654 | $fields = array("distinguishedname");
|
---|
655 | $sr=ldap_search($this->_conn,$this->_base_dn,$filter,$fields);
|
---|
656 | $entries = ldap_get_entries($this->_conn, $sr);
|
---|
657 | if (!isset($entries[0]['distinguishedname'][0])) {
|
---|
658 | continue;
|
---|
659 | }
|
---|
660 | $sub_groups = $this->groups_in_group($entries[0]['distinguishedname'][0], $recursive);
|
---|
661 | if (is_array($sub_groups)) {
|
---|
662 | $group_array = array_merge($group_array, $sub_groups);
|
---|
663 | $group_array = array_unique($group_array);
|
---|
664 | }
|
---|
665 | continue;
|
---|
666 | }
|
---|
667 |
|
---|
668 | $group_array[] = $entries[0]['distinguishedname'][0];
|
---|
669 | }
|
---|
670 | return ($group_array);
|
---|
671 | }
|
---|
672 |
|
---|
673 | /**
|
---|
674 | * Return a list of members in a group
|
---|
675 | *
|
---|
676 | * @param string $group The group to query
|
---|
677 | * @param bool $recursive Recursively get group members
|
---|
678 | * @return array
|
---|
679 | */
|
---|
680 | public function group_members($group, $recursive = NULL){
|
---|
681 | if (!$this->_bind){ return (false); }
|
---|
682 | if ($recursive===NULL){ $recursive=$this->_recursive_groups; } // Use the default option if they haven't set it
|
---|
683 | // Search the directory for the members of a group
|
---|
684 | $info=$this->group_info($group,array("member","cn"));
|
---|
685 | $users=$info[0]["member"];
|
---|
686 | if (!is_array($users)) {
|
---|
687 | return (false);
|
---|
688 | }
|
---|
689 |
|
---|
690 | $user_array=array();
|
---|
691 |
|
---|
692 | for ($i=0; $i<$users["count"]; $i++){
|
---|
693 | $filter="(&(objectCategory=person)(distinguishedName=".$this->ldap_slashes($users[$i])."))";
|
---|
694 | $fields = array("samaccountname", "distinguishedname", "objectClass");
|
---|
695 | $sr=ldap_search($this->_conn,$this->_base_dn,$filter,$fields);
|
---|
696 | $entries = ldap_get_entries($this->_conn, $sr);
|
---|
697 |
|
---|
698 | // not a person, look for a group
|
---|
699 | if ($entries['count'] == 0 && $recursive == true) {
|
---|
700 | $filter="(&(objectCategory=group)(distinguishedName=".$this->ldap_slashes($users[$i])."))";
|
---|
701 | $fields = array("samaccountname");
|
---|
702 | $sr=ldap_search($this->_conn,$this->_base_dn,$filter,$fields);
|
---|
703 | $entries = ldap_get_entries($this->_conn, $sr);
|
---|
704 | if (!isset($entries[0]['samaccountname'][0])) {
|
---|
705 | continue;
|
---|
706 | }
|
---|
707 | $sub_users = $this->group_members($entries[0]['samaccountname'][0], $recursive);
|
---|
708 | if (is_array($sub_users)) {
|
---|
709 | $user_array = array_merge($user_array, $sub_users);
|
---|
710 | $user_array = array_unique($user_array);
|
---|
711 | }
|
---|
712 | continue;
|
---|
713 | }
|
---|
714 |
|
---|
715 | if ($entries[0]['samaccountname'][0] === NULL && $entries[0]['distinguishedname'][0] !== NULL) {
|
---|
716 | $user_array[] = $entries[0]['distinguishedname'][0];
|
---|
717 | }
|
---|
718 | elseif ($entries[0]['samaccountname'][0] !== NULL) {
|
---|
719 | $user_array[] = $entries[0]['samaccountname'][0];
|
---|
720 | }
|
---|
721 | }
|
---|
722 | return ($user_array);
|
---|
723 | }
|
---|
724 |
|
---|
725 | /**
|
---|
726 | * Group Information. Returns an array of information about a group.
|
---|
727 | * The group name is case sensitive
|
---|
728 | *
|
---|
729 | * @param string $group_name The group name to retrieve info about
|
---|
730 | * @param array $fields Fields to retrieve
|
---|
731 | * @return array
|
---|
732 | */
|
---|
733 | public function group_info($group_name,$fields=NULL){
|
---|
734 | if ($group_name===NULL){ return (false); }
|
---|
735 | if (!$this->_bind){ return (false); }
|
---|
736 |
|
---|
737 | if (stristr($group_name, '+')) {
|
---|
738 | $group_name=stripslashes($group_name);
|
---|
739 | }
|
---|
740 |
|
---|
741 | $filter="(&(objectCategory=group)(name=".$this->ldap_slashes($group_name)."))";
|
---|
742 | //echo ($filter."!!!<br>");
|
---|
743 | if ($fields===NULL){ $fields=array("member","memberof","cn","description","distinguishedname","objectcategory","samaccountname"); }
|
---|
744 | $sr=ldap_search($this->_conn,$this->_base_dn,$filter,$fields);
|
---|
745 | $entries = ldap_get_entries($this->_conn, $sr);
|
---|
746 | //print_r($entries);
|
---|
747 | return ($entries);
|
---|
748 | }
|
---|
749 |
|
---|
750 | /**
|
---|
751 | * Return a complete list of "groups in groups"
|
---|
752 | *
|
---|
753 | * @param string $group The group to get the list from
|
---|
754 | * @return array
|
---|
755 | */
|
---|
756 | public function recursive_groups($group){
|
---|
757 | if ($group===NULL){ return (false); }
|
---|
758 |
|
---|
759 | $ret_groups=array();
|
---|
760 |
|
---|
761 | $groups=$this->group_info($group,array("memberof"));
|
---|
762 | if (isset($groups[0]["memberof"]) && is_array($groups[0]["memberof"])) {
|
---|
763 | $groups=$groups[0]["memberof"];
|
---|
764 |
|
---|
765 | if ($groups){
|
---|
766 | $group_names=$this->nice_names($groups);
|
---|
767 | $ret_groups=array_merge($ret_groups,$group_names); //final groups to return
|
---|
768 |
|
---|
769 | foreach ($group_names as $id => $group_name){
|
---|
770 | $child_groups=$this->recursive_groups($group_name);
|
---|
771 | $ret_groups=array_merge($ret_groups,$child_groups);
|
---|
772 | }
|
---|
773 | }
|
---|
774 | }
|
---|
775 |
|
---|
776 | return ($ret_groups);
|
---|
777 | }
|
---|
778 |
|
---|
779 | /**
|
---|
780 | * Returns a complete list of the groups in AD based on a SAM Account Type
|
---|
781 | *
|
---|
782 | * @param string $samaccounttype The account type to return
|
---|
783 | * @param bool $include_desc Whether to return a description
|
---|
784 | * @param string $search Search parameters
|
---|
785 | * @param bool $sorted Whether to sort the results
|
---|
786 | * @return array
|
---|
787 | */
|
---|
788 | public function search_groups($samaccounttype = ADLDAP_SECURITY_GLOBAL_GROUP, $include_desc = false, $search = "*", $sorted = true) {
|
---|
789 | if (!$this->_bind){ return (false); }
|
---|
790 |
|
---|
791 | $filter = '(&(objectCategory=group)';
|
---|
792 | if ($samaccounttype !== null) {
|
---|
793 | $filter .= '(samaccounttype='. $samaccounttype .')';
|
---|
794 | }
|
---|
795 | $filter .= '(cn='.$search.'))';
|
---|
796 | // Perform the search and grab all their details
|
---|
797 | $fields=array("samaccountname","description");
|
---|
798 | $sr=ldap_search($this->_conn,$this->_base_dn,$filter,$fields);
|
---|
799 | $entries = ldap_get_entries($this->_conn, $sr);
|
---|
800 |
|
---|
801 | $groups_array = array();
|
---|
802 | for ($i=0; $i<$entries["count"]; $i++){
|
---|
803 | if ($include_desc && strlen($entries[$i]["description"][0]) > 0 ){
|
---|
804 | $groups_array[ $entries[$i]["samaccountname"][0] ] = $entries[$i]["description"][0];
|
---|
805 | } elseif ($include_desc){
|
---|
806 | $groups_array[ $entries[$i]["samaccountname"][0] ] = $entries[$i]["samaccountname"][0];
|
---|
807 | } else {
|
---|
808 | array_push($groups_array, $entries[$i]["samaccountname"][0]);
|
---|
809 | }
|
---|
810 | }
|
---|
811 | if( $sorted ){ asort($groups_array); }
|
---|
812 | return ($groups_array);
|
---|
813 | }
|
---|
814 |
|
---|
815 | /**
|
---|
816 | * Returns a complete list of all groups in AD
|
---|
817 | *
|
---|
818 | * @param bool $include_desc Whether to return a description
|
---|
819 | * @param string $search Search parameters
|
---|
820 | * @param bool $sorted Whether to sort the results
|
---|
821 | * @return array
|
---|
822 | */
|
---|
823 | public function all_groups($include_desc = false, $search = "*", $sorted = true){
|
---|
824 | $groups_array = $this->search_groups(null, $include_desc, $search, $sorted);
|
---|
825 | return ($groups_array);
|
---|
826 | }
|
---|
827 |
|
---|
828 | /**
|
---|
829 | * Returns a complete list of security groups in AD
|
---|
830 | *
|
---|
831 | * @param bool $include_desc Whether to return a description
|
---|
832 | * @param string $search Search parameters
|
---|
833 | * @param bool $sorted Whether to sort the results
|
---|
834 | * @return array
|
---|
835 | */
|
---|
836 | public function all_security_groups($include_desc = false, $search = "*", $sorted = true){
|
---|
837 | $groups_array = $this->search_groups(ADLDAP_SECURITY_GLOBAL_GROUP, $include_desc, $search, $sorted);
|
---|
838 | return ($groups_array);
|
---|
839 | }
|
---|
840 |
|
---|
841 | /**
|
---|
842 | * Returns a complete list of distribution lists in AD
|
---|
843 | *
|
---|
844 | * @param bool $include_desc Whether to return a description
|
---|
845 | * @param string $search Search parameters
|
---|
846 | * @param bool $sorted Whether to sort the results
|
---|
847 | * @return array
|
---|
848 | */
|
---|
849 | public function all_distribution_groups($include_desc = false, $search = "*", $sorted = true){
|
---|
850 | $groups_array = $this->search_groups(ADLDAP_DISTRIBUTION_GROUP, $include_desc, $search, $sorted);
|
---|
851 | return ($groups_array);
|
---|
852 | }
|
---|
853 |
|
---|
854 | //*****************************************************************************************************************
|
---|
855 | // USER FUNCTIONS
|
---|
856 |
|
---|
857 | /**
|
---|
858 | * Create a user
|
---|
859 | *
|
---|
860 | * If you specify a password here, this can only be performed over SSL
|
---|
861 | *
|
---|
862 | * @param array $attributes The attributes to set to the user account
|
---|
863 | * @return bool
|
---|
864 | */
|
---|
865 | public function user_create($attributes){
|
---|
866 | // Check for compulsory fields
|
---|
867 | if (!array_key_exists("username",$attributes)){ return ("Missing compulsory field [username]"); }
|
---|
868 | if (!array_key_exists("firstname",$attributes)){ return ("Missing compulsory field [firstname]"); }
|
---|
869 | if (!array_key_exists("surname",$attributes)){ return ("Missing compulsory field [surname]"); }
|
---|
870 | if (!array_key_exists("email",$attributes)){ return ("Missing compulsory field [email]"); }
|
---|
871 | if (!array_key_exists("container",$attributes)){ return ("Missing compulsory field [container]"); }
|
---|
872 | if (!is_array($attributes["container"])){ return ("Container attribute must be an array."); }
|
---|
873 |
|
---|
874 | if (array_key_exists("password",$attributes) && (!$this->_use_ssl && !$this->_use_tls)){
|
---|
875 | throw new adLDAPException('SSL must be configured on your webserver and enabled in the class to set passwords.');
|
---|
876 | }
|
---|
877 |
|
---|
878 | if (!array_key_exists("display_name",$attributes)){ $attributes["display_name"]=$attributes["firstname"]." ".$attributes["surname"]; }
|
---|
879 |
|
---|
880 | // Translate the schema
|
---|
881 | $add=$this->adldap_schema($attributes);
|
---|
882 |
|
---|
883 | // Additional stuff only used for adding accounts
|
---|
884 | $add["cn"][0]=$attributes["display_name"];
|
---|
885 | $add["samaccountname"][0]=$attributes["username"];
|
---|
886 | $add["objectclass"][0]="top";
|
---|
887 | $add["objectclass"][1]="person";
|
---|
888 | $add["objectclass"][2]="organizationalPerson";
|
---|
889 | $add["objectclass"][3]="user"; //person?
|
---|
890 | //$add["name"][0]=$attributes["firstname"]." ".$attributes["surname"];
|
---|
891 |
|
---|
892 | // Set the account control attribute
|
---|
893 | $control_options=array("NORMAL_ACCOUNT");
|
---|
894 | if (!$attributes["enabled"]){ $control_options[]="ACCOUNTDISABLE"; }
|
---|
895 | $add["userAccountControl"][0]=$this->account_control($control_options);
|
---|
896 | //echo ("<pre>"); print_r($add);
|
---|
897 |
|
---|
898 | // Determine the container
|
---|
899 | $attributes["container"]=array_reverse($attributes["container"]);
|
---|
900 | $container="OU=".implode(",OU=",$attributes["container"]);
|
---|
901 |
|
---|
902 | // Add the entry
|
---|
903 | $result=@ldap_add($this->_conn, "CN=".$add["cn"][0].", ".$container.",".$this->_base_dn, $add);
|
---|
904 | if ($result!=true){ return (false); }
|
---|
905 |
|
---|
906 | return (true);
|
---|
907 | }
|
---|
908 |
|
---|
909 | /**
|
---|
910 | * Delete a user account
|
---|
911 | *
|
---|
912 | * @param string $username The username to delete (please be careful here!)
|
---|
913 | * @param bool $isGUID Is the username a GUID or a samAccountName
|
---|
914 | * @return array
|
---|
915 | */
|
---|
916 | public function user_delete($username,$isGUID=false) {
|
---|
917 | $userinfo = $this->user_info($username, array("*"),$isGUID);
|
---|
918 | $dn = $userinfo[0]['distinguishedname'][0];
|
---|
919 | $result=$this->dn_delete($dn);
|
---|
920 | if ($result!=true){ return (false); }
|
---|
921 | return (true);
|
---|
922 | }
|
---|
923 |
|
---|
924 | /**
|
---|
925 | * Groups the user is a member of
|
---|
926 | *
|
---|
927 | * @param string $username The username to query
|
---|
928 | * @param bool $recursive Recursive list of groups
|
---|
929 | * @param bool $isGUID Is the username passed a GUID or a samAccountName
|
---|
930 | * @return array
|
---|
931 | */
|
---|
932 | public function user_groups($username,$recursive=NULL,$isGUID=false){
|
---|
933 | if ($username===NULL){ return (false); }
|
---|
934 | if ($recursive===NULL){ $recursive=$this->_recursive_groups; } // Use the default option if they haven't set it
|
---|
935 | if (!$this->_bind){ return (false); }
|
---|
936 |
|
---|
937 | // Search the directory for their information
|
---|
938 | $info=@$this->user_info($username,array("memberof","primarygroupid"),$isGUID);
|
---|
939 | $groups=$this->nice_names($info[0]["memberof"]); // Presuming the entry returned is our guy (unique usernames)
|
---|
940 |
|
---|
941 | if ($recursive === true){
|
---|
942 | foreach ($groups as $id => $group_name){
|
---|
943 | $extra_groups=$this->recursive_groups($group_name);
|
---|
944 | $groups=array_merge($groups,$extra_groups);
|
---|
945 | }
|
---|
946 | }
|
---|
947 |
|
---|
948 | return ($groups);
|
---|
949 | }
|
---|
950 |
|
---|
951 | /**
|
---|
952 | * Find information about the users
|
---|
953 | *
|
---|
954 | * @param string $username The username to query
|
---|
955 | * @param array $fields Array of parameters to query
|
---|
956 | * @param bool $isGUID Is the username passed a GUID or a samAccountName
|
---|
957 | * @return array
|
---|
958 | */
|
---|
959 | public function user_info($username,$fields=NULL,$isGUID=false){
|
---|
960 | if ($username===NULL){ return (false); }
|
---|
961 | if (!$this->_bind){ return (false); }
|
---|
962 |
|
---|
963 | if ($isGUID === true) {
|
---|
964 | $username = $this->strguid2hex($username);
|
---|
965 | $filter="objectguid=".$username;
|
---|
966 | }
|
---|
967 | else if (strstr($username, "@")) {
|
---|
968 | $filter="userPrincipalName=".$username;
|
---|
969 | }
|
---|
970 | else {
|
---|
971 | $filter="samaccountname=".$username;
|
---|
972 | }
|
---|
973 | $filter = "(&(objectCategory=person)({$filter}))";
|
---|
974 | if ($fields===NULL){ $fields=array("samaccountname","mail","memberof","department","displayname","telephonenumber","primarygroupid","objectsid"); }
|
---|
975 | if (!in_array("objectsid",$fields)){
|
---|
976 | $fields[] = "objectsid";
|
---|
977 | }
|
---|
978 | $sr=ldap_search($this->_conn,$this->_base_dn,$filter,$fields);
|
---|
979 | $entries = ldap_get_entries($this->_conn, $sr);
|
---|
980 |
|
---|
981 | if (isset($entries[0])) {
|
---|
982 | if ($entries[0]['count'] >= 1) {
|
---|
983 | if (in_array("memberof", $fields)) {
|
---|
984 | // AD does not return the primary group in the ldap query, we may need to fudge it
|
---|
985 | if ($this->_real_primarygroup && isset($entries[0]["primarygroupid"][0]) && isset($entries[0]["objectsid"][0])){
|
---|
986 | //$entries[0]["memberof"][]=$this->group_cn($entries[0]["primarygroupid"][0]);
|
---|
987 | $entries[0]["memberof"][]=$this->get_primary_group($entries[0]["primarygroupid"][0], $entries[0]["objectsid"][0]);
|
---|
988 | } else {
|
---|
989 | $entries[0]["memberof"][]="CN=Domain Users,CN=Users,".$this->_base_dn;
|
---|
990 | }
|
---|
991 | $entries[0]["memberof"]["count"]++;
|
---|
992 | }
|
---|
993 | }
|
---|
994 | return $entries;
|
---|
995 | }
|
---|
996 | return false;
|
---|
997 | }
|
---|
998 |
|
---|
999 | /**
|
---|
1000 | * Determine if a user is in a specific group
|
---|
1001 | *
|
---|
1002 | * @param string $username The username to query
|
---|
1003 | * @param string $group The name of the group to check against
|
---|
1004 | * @param bool $recursive Check groups recursively
|
---|
1005 | * @param bool $isGUID Is the username passed a GUID or a samAccountName
|
---|
1006 | * @return bool
|
---|
1007 | */
|
---|
1008 | public function user_ingroup($username,$group,$recursive=NULL,$isGUID=false){
|
---|
1009 | if ($username===NULL){ return (false); }
|
---|
1010 | if ($group===NULL){ return (false); }
|
---|
1011 | if (!$this->_bind){ return (false); }
|
---|
1012 | if ($recursive===NULL){ $recursive=$this->_recursive_groups; } // Use the default option if they haven't set it
|
---|
1013 |
|
---|
1014 | // Get a list of the groups
|
---|
1015 | $groups=$this->user_groups($username,$recursive,$isGUID);
|
---|
1016 |
|
---|
1017 | // Return true if the specified group is in the group list
|
---|
1018 | if (in_array($group,$groups)){ return (true); }
|
---|
1019 |
|
---|
1020 | return (false);
|
---|
1021 | }
|
---|
1022 |
|
---|
1023 | /**
|
---|
1024 | * Determine a user's password expiry date
|
---|
1025 | *
|
---|
1026 | * @param string $username The username to query
|
---|
1027 | * @param book $isGUID Is the username passed a GUID or a samAccountName
|
---|
1028 | * @requires bcmath http://www.php.net/manual/en/book.bc.php
|
---|
1029 | * @return array
|
---|
1030 | */
|
---|
1031 | public function user_password_expiry($username,$isGUID=false) {
|
---|
1032 | if ($username===NULL){ return ("Missing compulsory field [username]"); }
|
---|
1033 | if (!$this->_bind){ return (false); }
|
---|
1034 | if (!function_exists('bcmod')) { return ("Missing function support [bcmod] http://www.php.net/manual/en/book.bc.php"); };
|
---|
1035 |
|
---|
1036 | $userinfo = $this->user_info($username, array("pwdlastset", "useraccountcontrol"), $isGUID);
|
---|
1037 | $pwdlastset = $userinfo[0]['pwdlastset'][0];
|
---|
1038 | $status = array();
|
---|
1039 |
|
---|
1040 | if ($userinfo[0]['useraccountcontrol'][0] == '66048') {
|
---|
1041 | // Password does not expire
|
---|
1042 | return "Does not expire";
|
---|
1043 | }
|
---|
1044 | if ($pwdlastset === '0') {
|
---|
1045 | // Password has already expired
|
---|
1046 | return "Password has expired";
|
---|
1047 | }
|
---|
1048 |
|
---|
1049 | // Password expiry in AD can be calculated from TWO values:
|
---|
1050 | // - User's own pwdLastSet attribute: stores the last time the password was changed
|
---|
1051 | // - Domain's maxPwdAge attribute: how long passwords last in the domain
|
---|
1052 | //
|
---|
1053 | // Although Microsoft chose to use a different base and unit for time measurements.
|
---|
1054 | // This function will convert them to Unix timestamps
|
---|
1055 | $sr = ldap_read($this->_conn, $this->_base_dn, 'objectclass=*', array('maxPwdAge'));
|
---|
1056 | if (!$sr) {
|
---|
1057 | return false;
|
---|
1058 | }
|
---|
1059 | $info = ldap_get_entries($this->_conn, $sr);
|
---|
1060 | $maxpwdage = $info[0]['maxpwdage'][0];
|
---|
1061 |
|
---|
1062 |
|
---|
1063 | // See MSDN: http://msdn.microsoft.com/en-us/library/ms974598.aspx
|
---|
1064 | //
|
---|
1065 | // pwdLastSet contains the number of 100 nanosecond intervals since January 1, 1601 (UTC),
|
---|
1066 | // stored in a 64 bit integer.
|
---|
1067 | //
|
---|
1068 | // The number of seconds between this date and Unix epoch is 11644473600.
|
---|
1069 | //
|
---|
1070 | // maxPwdAge is stored as a large integer that represents the number of 100 nanosecond
|
---|
1071 | // intervals from the time the password was set before the password expires.
|
---|
1072 | //
|
---|
1073 | // We also need to scale this to seconds but also this value is a _negative_ quantity!
|
---|
1074 | //
|
---|
1075 | // If the low 32 bits of maxPwdAge are equal to 0 passwords do not expire
|
---|
1076 | //
|
---|
1077 | // Unfortunately the maths involved are too big for PHP integers, so I've had to require
|
---|
1078 | // BCMath functions to work with arbitrary precision numbers.
|
---|
1079 | if (bcmod($maxpwdage, 4294967296) === '0') {
|
---|
1080 | return "Domain does not expire passwords";
|
---|
1081 | }
|
---|
1082 |
|
---|
1083 | // Add maxpwdage and pwdlastset and we get password expiration time in Microsoft's
|
---|
1084 | // time units. Because maxpwd age is negative we need to subtract it.
|
---|
1085 | $pwdexpire = bcsub($pwdlastset, $maxpwdage);
|
---|
1086 |
|
---|
1087 | // Convert MS's time to Unix time
|
---|
1088 | $status['expiryts'] = bcsub(bcdiv($pwdexpire, '10000000'), '11644473600');
|
---|
1089 | $status['expiryformat'] = date('Y-m-d H:i:s', bcsub(bcdiv($pwdexpire, '10000000'), '11644473600'));
|
---|
1090 |
|
---|
1091 | return $status;
|
---|
1092 | }
|
---|
1093 |
|
---|
1094 | /**
|
---|
1095 | * Modify a user
|
---|
1096 | *
|
---|
1097 | * @param string $username The username to query
|
---|
1098 | * @param array $attributes The attributes to modify. Note if you set the enabled attribute you must not specify any other attributes
|
---|
1099 | * @param bool $isGUID Is the username passed a GUID or a samAccountName
|
---|
1100 | * @return bool
|
---|
1101 | */
|
---|
1102 | public function user_modify($username,$attributes,$isGUID=false){
|
---|
1103 | if ($username===NULL){ return ("Missing compulsory field [username]"); }
|
---|
1104 | if (array_key_exists("password",$attributes) && !$this->_use_ssl){
|
---|
1105 | throw new adLDAPException('SSL must be configured on your webserver and enabled in the class to set passwords.');
|
---|
1106 | }
|
---|
1107 |
|
---|
1108 | // Find the dn of the user
|
---|
1109 | $user_dn=$this->user_dn($username,$isGUID);
|
---|
1110 | if ($user_dn===false){ return (false); }
|
---|
1111 |
|
---|
1112 | // Translate the update to the LDAP schema
|
---|
1113 | $mod=$this->adldap_schema($attributes);
|
---|
1114 |
|
---|
1115 | // Check to see if this is an enabled status update
|
---|
1116 | if (!$mod && !array_key_exists("enabled", $attributes)){ return (false); }
|
---|
1117 |
|
---|
1118 | // Set the account control attribute (only if specified)
|
---|
1119 | if (array_key_exists("enabled",$attributes)){
|
---|
1120 | if ($attributes["enabled"]){ $control_options=array("NORMAL_ACCOUNT"); }
|
---|
1121 | else { $control_options=array("NORMAL_ACCOUNT","ACCOUNTDISABLE"); }
|
---|
1122 | $mod["userAccountControl"][0]=$this->account_control($control_options);
|
---|
1123 | }
|
---|
1124 |
|
---|
1125 | // Do the update
|
---|
1126 | $result=@ldap_modify($this->_conn,$user_dn,$mod);
|
---|
1127 | if ($result==false){ return (false); }
|
---|
1128 |
|
---|
1129 | return (true);
|
---|
1130 | }
|
---|
1131 |
|
---|
1132 | /**
|
---|
1133 | * Disable a user account
|
---|
1134 | *
|
---|
1135 | * @param string $username The username to disable
|
---|
1136 | * @param bool $isGUID Is the username passed a GUID or a samAccountName
|
---|
1137 | * @return bool
|
---|
1138 | */
|
---|
1139 | public function user_disable($username,$isGUID=false){
|
---|
1140 | if ($username===NULL){ return ("Missing compulsory field [username]"); }
|
---|
1141 | $attributes=array("enabled"=>0);
|
---|
1142 | $result = $this->user_modify($username, $attributes, $isGUID);
|
---|
1143 | if ($result==false){ return (false); }
|
---|
1144 |
|
---|
1145 | return (true);
|
---|
1146 | }
|
---|
1147 |
|
---|
1148 | /**
|
---|
1149 | * Enable a user account
|
---|
1150 | *
|
---|
1151 | * @param string $username The username to enable
|
---|
1152 | * @param bool $isGUID Is the username passed a GUID or a samAccountName
|
---|
1153 | * @return bool
|
---|
1154 | */
|
---|
1155 | public function user_enable($username,$isGUID=false){
|
---|
1156 | if ($username===NULL){ return ("Missing compulsory field [username]"); }
|
---|
1157 | $attributes=array("enabled"=>1);
|
---|
1158 | $result = $this->user_modify($username, $attributes, $isGUID);
|
---|
1159 | if ($result==false){ return (false); }
|
---|
1160 |
|
---|
1161 | return (true);
|
---|
1162 | }
|
---|
1163 |
|
---|
1164 | /**
|
---|
1165 | * Set the password of a user - This must be performed over SSL
|
---|
1166 | *
|
---|
1167 | * @param string $username The username to modify
|
---|
1168 | * @param string $password The new password
|
---|
1169 | * @param bool $isGUID Is the username passed a GUID or a samAccountName
|
---|
1170 | * @return bool
|
---|
1171 | */
|
---|
1172 | public function user_password($username,$password,$isGUID=false){
|
---|
1173 | if ($username===NULL){ return (false); }
|
---|
1174 | if ($password===NULL){ return (false); }
|
---|
1175 | if (!$this->_bind){ return (false); }
|
---|
1176 | if (!$this->_use_ssl && !$this->_use_tls){
|
---|
1177 | throw new adLDAPException('SSL must be configured on your webserver and enabled in the class to set passwords.');
|
---|
1178 | }
|
---|
1179 |
|
---|
1180 | $user_dn=$this->user_dn($username,$isGUID);
|
---|
1181 | if ($user_dn===false){ return (false); }
|
---|
1182 |
|
---|
1183 | $add=array();
|
---|
1184 | $add["unicodePwd"][0]=$this->encode_password($password);
|
---|
1185 |
|
---|
1186 | $result=@ldap_mod_replace($this->_conn,$user_dn,$add);
|
---|
1187 | if ($result==false){
|
---|
1188 | $err = ldap_errno($this->_conn);
|
---|
1189 | if($err){
|
---|
1190 | $msg = 'Error '.$err.': '.ldap_err2str($err).'.';
|
---|
1191 | if($err == 53) $msg .= ' Your password might not match the password policy.';
|
---|
1192 | throw new adLDAPException($msg);
|
---|
1193 | }else{
|
---|
1194 | return false;
|
---|
1195 | }
|
---|
1196 | }
|
---|
1197 |
|
---|
1198 | return (true);
|
---|
1199 | }
|
---|
1200 |
|
---|
1201 | /**
|
---|
1202 | * Return a list of all users in AD
|
---|
1203 | *
|
---|
1204 | * @param bool $include_desc Return a description of the user
|
---|
1205 | * @param string $search Search parameter
|
---|
1206 | * @param bool $sorted Sort the user accounts
|
---|
1207 | * @return array
|
---|
1208 | */
|
---|
1209 | public function all_users($include_desc = false, $search = "*", $sorted = true){
|
---|
1210 | if (!$this->_bind){ return (false); }
|
---|
1211 |
|
---|
1212 | // Perform the search and grab all their details
|
---|
1213 | $filter = "(&(objectClass=user)(samaccounttype=". ADLDAP_NORMAL_ACCOUNT .")(objectCategory=person)(cn=".$search."))";
|
---|
1214 | $fields=array("samaccountname","displayname");
|
---|
1215 | $sr=ldap_search($this->_conn,$this->_base_dn,$filter,$fields);
|
---|
1216 | $entries = ldap_get_entries($this->_conn, $sr);
|
---|
1217 |
|
---|
1218 | $users_array = array();
|
---|
1219 | for ($i=0; $i<$entries["count"]; $i++){
|
---|
1220 | if ($include_desc && strlen($entries[$i]["displayname"][0])>0){
|
---|
1221 | $users_array[ $entries[$i]["samaccountname"][0] ] = $entries[$i]["displayname"][0];
|
---|
1222 | } elseif ($include_desc){
|
---|
1223 | $users_array[ $entries[$i]["samaccountname"][0] ] = $entries[$i]["samaccountname"][0];
|
---|
1224 | } else {
|
---|
1225 | array_push($users_array, $entries[$i]["samaccountname"][0]);
|
---|
1226 | }
|
---|
1227 | }
|
---|
1228 | if ($sorted){ asort($users_array); }
|
---|
1229 | return ($users_array);
|
---|
1230 | }
|
---|
1231 |
|
---|
1232 | /**
|
---|
1233 | * Converts a username (samAccountName) to a GUID
|
---|
1234 | *
|
---|
1235 | * @param string $username The username to query
|
---|
1236 | * @return string
|
---|
1237 | */
|
---|
1238 | public function username2guid($username) {
|
---|
1239 | if (!$this->_bind){ return (false); }
|
---|
1240 | if ($username === null){ return ("Missing compulsory field [username]"); }
|
---|
1241 |
|
---|
1242 | $filter = "samaccountname=" . $username;
|
---|
1243 | $fields = array("objectGUID");
|
---|
1244 | $sr = @ldap_search($this->_conn, $this->_base_dn, $filter, $fields);
|
---|
1245 | if (ldap_count_entries($this->_conn, $sr) > 0) {
|
---|
1246 | $entry = @ldap_first_entry($this->_conn, $sr);
|
---|
1247 | $guid = @ldap_get_values_len($this->_conn, $entry, 'objectGUID');
|
---|
1248 | $strGUID = $this->binary2text($guid[0]);
|
---|
1249 | return ($strGUID);
|
---|
1250 | }
|
---|
1251 | else {
|
---|
1252 | return (false);
|
---|
1253 | }
|
---|
1254 | }
|
---|
1255 |
|
---|
1256 | /**
|
---|
1257 | * Move a user account to a different OU
|
---|
1258 | *
|
---|
1259 | * @param string $username The username to move (please be careful here!)
|
---|
1260 | * @param array $container The container or containers to move the user to (please be careful here!).
|
---|
1261 | * accepts containers in 1. parent 2. child order
|
---|
1262 | * @return array
|
---|
1263 | */
|
---|
1264 | public function user_move($username, $container) {
|
---|
1265 | if (!$this->_bind){ return (false); }
|
---|
1266 | if ($username === null){ return ("Missing compulsory field [username]"); }
|
---|
1267 | if ($container === null){ return ("Missing compulsory field [container]"); }
|
---|
1268 | if (!is_array($container)){ return ("Container must be an array"); }
|
---|
1269 |
|
---|
1270 | $userinfo = $this->user_info($username, array("*"));
|
---|
1271 | $dn = $userinfo[0]['distinguishedname'][0];
|
---|
1272 | $newrdn = "cn=" . $username;
|
---|
1273 | $container = array_reverse($container);
|
---|
1274 | $newcontainer = "ou=" . implode(",ou=",$container);
|
---|
1275 | $newbasedn = strtolower($newcontainer) . "," . $this->_base_dn;
|
---|
1276 | $result=@ldap_rename($this->_conn,$dn,$newrdn,$newbasedn,true);
|
---|
1277 | if ($result !== true) {
|
---|
1278 | return (false);
|
---|
1279 | }
|
---|
1280 | return (true);
|
---|
1281 | }
|
---|
1282 |
|
---|
1283 | //*****************************************************************************************************************
|
---|
1284 | // CONTACT FUNCTIONS
|
---|
1285 | // * Still work to do in this area, and new functions to write
|
---|
1286 |
|
---|
1287 | /**
|
---|
1288 | * Create a contact
|
---|
1289 | *
|
---|
1290 | * @param array $attributes The attributes to set to the contact
|
---|
1291 | * @return bool
|
---|
1292 | */
|
---|
1293 | public function contact_create($attributes){
|
---|
1294 | // Check for compulsory fields
|
---|
1295 | if (!array_key_exists("display_name",$attributes)){ return ("Missing compulsory field [display_name]"); }
|
---|
1296 | if (!array_key_exists("email",$attributes)){ return ("Missing compulsory field [email]"); }
|
---|
1297 | if (!array_key_exists("container",$attributes)){ return ("Missing compulsory field [container]"); }
|
---|
1298 | if (!is_array($attributes["container"])){ return ("Container attribute must be an array."); }
|
---|
1299 |
|
---|
1300 | // Translate the schema
|
---|
1301 | $add=$this->adldap_schema($attributes);
|
---|
1302 |
|
---|
1303 | // Additional stuff only used for adding contacts
|
---|
1304 | $add["cn"][0]=$attributes["display_name"];
|
---|
1305 | $add["objectclass"][0]="top";
|
---|
1306 | $add["objectclass"][1]="person";
|
---|
1307 | $add["objectclass"][2]="organizationalPerson";
|
---|
1308 | $add["objectclass"][3]="contact";
|
---|
1309 | if (!isset($attributes['exchange_hidefromlists'])) {
|
---|
1310 | $add["msExchHideFromAddressLists"][0]="TRUE";
|
---|
1311 | }
|
---|
1312 |
|
---|
1313 | // Determine the container
|
---|
1314 | $attributes["container"]=array_reverse($attributes["container"]);
|
---|
1315 | $container="OU=".implode(",OU=",$attributes["container"]);
|
---|
1316 |
|
---|
1317 | // Add the entry
|
---|
1318 | $result=@ldap_add($this->_conn, "CN=".$add["cn"][0].", ".$container.",".$this->_base_dn, $add);
|
---|
1319 | if ($result!=true){ return (false); }
|
---|
1320 |
|
---|
1321 | return (true);
|
---|
1322 | }
|
---|
1323 |
|
---|
1324 | /**
|
---|
1325 | * Determine the list of groups a contact is a member of
|
---|
1326 | *
|
---|
1327 | * @param string $distinguisedname The full DN of a contact
|
---|
1328 | * @param bool $recursive Recursively check groups
|
---|
1329 | * @return array
|
---|
1330 | */
|
---|
1331 | public function contact_groups($distinguishedname,$recursive=NULL){
|
---|
1332 | if ($distinguishedname===NULL){ return (false); }
|
---|
1333 | if ($recursive===NULL){ $recursive=$this->_recursive_groups; } //use the default option if they haven't set it
|
---|
1334 | if (!$this->_bind){ return (false); }
|
---|
1335 |
|
---|
1336 | // Search the directory for their information
|
---|
1337 | $info=@$this->contact_info($distinguishedname,array("memberof","primarygroupid"));
|
---|
1338 | $groups=$this->nice_names($info[0]["memberof"]); //presuming the entry returned is our contact
|
---|
1339 |
|
---|
1340 | if ($recursive === true){
|
---|
1341 | foreach ($groups as $id => $group_name){
|
---|
1342 | $extra_groups=$this->recursive_groups($group_name);
|
---|
1343 | $groups=array_merge($groups,$extra_groups);
|
---|
1344 | }
|
---|
1345 | }
|
---|
1346 |
|
---|
1347 | return ($groups);
|
---|
1348 | }
|
---|
1349 |
|
---|
1350 | /**
|
---|
1351 | * Get contact information
|
---|
1352 | *
|
---|
1353 | * @param string $distinguisedname The full DN of a contact
|
---|
1354 | * @param array $fields Attributes to be returned
|
---|
1355 | * @return array
|
---|
1356 | */
|
---|
1357 | public function contact_info($distinguishedname,$fields=NULL){
|
---|
1358 | if ($distinguishedname===NULL){ return (false); }
|
---|
1359 | if (!$this->_bind){ return (false); }
|
---|
1360 |
|
---|
1361 | $filter="distinguishedName=".$distinguishedname;
|
---|
1362 | if ($fields===NULL){ $fields=array("distinguishedname","mail","memberof","department","displayname","telephonenumber","primarygroupid","objectsid"); }
|
---|
1363 | $sr=ldap_search($this->_conn,$this->_base_dn,$filter,$fields);
|
---|
1364 | $entries = ldap_get_entries($this->_conn, $sr);
|
---|
1365 |
|
---|
1366 | if ($entries[0]['count'] >= 1) {
|
---|
1367 | // AD does not return the primary group in the ldap query, we may need to fudge it
|
---|
1368 | if ($this->_real_primarygroup && isset($entries[0]["primarygroupid"][0]) && isset($entries[0]["primarygroupid"][0])){
|
---|
1369 | //$entries[0]["memberof"][]=$this->group_cn($entries[0]["primarygroupid"][0]);
|
---|
1370 | $entries[0]["memberof"][]=$this->get_primary_group($entries[0]["primarygroupid"][0], $entries[0]["objectsid"][0]);
|
---|
1371 | } else {
|
---|
1372 | $entries[0]["memberof"][]="CN=Domain Users,CN=Users,".$this->_base_dn;
|
---|
1373 | }
|
---|
1374 | }
|
---|
1375 |
|
---|
1376 | $entries[0]["memberof"]["count"]++;
|
---|
1377 | return ($entries);
|
---|
1378 | }
|
---|
1379 |
|
---|
1380 | /**
|
---|
1381 | * Determine if a contact is a member of a group
|
---|
1382 | *
|
---|
1383 | * @param string $distinguisedname The full DN of a contact
|
---|
1384 | * @param string $group The group name to query
|
---|
1385 | * @param bool $recursive Recursively check groups
|
---|
1386 | * @return bool
|
---|
1387 | */
|
---|
1388 | public function contact_ingroup($distinguisedname,$group,$recursive=NULL){
|
---|
1389 | if ($distinguisedname===NULL){ return (false); }
|
---|
1390 | if ($group===NULL){ return (false); }
|
---|
1391 | if (!$this->_bind){ return (false); }
|
---|
1392 | if ($recursive===NULL){ $recursive=$this->_recursive_groups; } //use the default option if they haven't set it
|
---|
1393 |
|
---|
1394 | // Get a list of the groups
|
---|
1395 | $groups=$this->contact_groups($distinguisedname,array("memberof"),$recursive);
|
---|
1396 |
|
---|
1397 | // Return true if the specified group is in the group list
|
---|
1398 | if (in_array($group,$groups)){ return (true); }
|
---|
1399 |
|
---|
1400 | return (false);
|
---|
1401 | }
|
---|
1402 |
|
---|
1403 | /**
|
---|
1404 | * Modify a contact
|
---|
1405 | *
|
---|
1406 | * @param string $distinguishedname The contact to query
|
---|
1407 | * @param array $attributes The attributes to modify. Note if you set the enabled attribute you must not specify any other attributes
|
---|
1408 | * @return bool
|
---|
1409 | */
|
---|
1410 | public function contact_modify($distinguishedname,$attributes){
|
---|
1411 | if ($distinguishedname===NULL){ return ("Missing compulsory field [distinguishedname]"); }
|
---|
1412 |
|
---|
1413 | // Translate the update to the LDAP schema
|
---|
1414 | $mod=$this->adldap_schema($attributes);
|
---|
1415 |
|
---|
1416 | // Check to see if this is an enabled status update
|
---|
1417 | if (!$mod){ return (false); }
|
---|
1418 |
|
---|
1419 | // Do the update
|
---|
1420 | $result=ldap_modify($this->_conn,$distinguishedname,$mod);
|
---|
1421 | if ($result==false){ return (false); }
|
---|
1422 |
|
---|
1423 | return (true);
|
---|
1424 | }
|
---|
1425 |
|
---|
1426 | /**
|
---|
1427 | * Delete a contact
|
---|
1428 | *
|
---|
1429 | * @param string $distinguishedname The contact dn to delete (please be careful here!)
|
---|
1430 | * @return array
|
---|
1431 | */
|
---|
1432 | public function contact_delete($distinguishedname) {
|
---|
1433 | $result = $this->dn_delete($distinguishedname);
|
---|
1434 | if ($result!=true){ return (false); }
|
---|
1435 | return (true);
|
---|
1436 | }
|
---|
1437 |
|
---|
1438 | /**
|
---|
1439 | * Return a list of all contacts
|
---|
1440 | *
|
---|
1441 | * @param bool $include_desc Include a description of a contact
|
---|
1442 | * @param string $search The search parameters
|
---|
1443 | * @param bool $sorted Whether to sort the results
|
---|
1444 | * @return array
|
---|
1445 | */
|
---|
1446 | public function all_contacts($include_desc = false, $search = "*", $sorted = true){
|
---|
1447 | if (!$this->_bind){ return (false); }
|
---|
1448 |
|
---|
1449 | // Perform the search and grab all their details
|
---|
1450 | $filter = "(&(objectClass=contact)(cn=".$search."))";
|
---|
1451 | $fields=array("displayname","distinguishedname");
|
---|
1452 | $sr=ldap_search($this->_conn,$this->_base_dn,$filter,$fields);
|
---|
1453 | $entries = ldap_get_entries($this->_conn, $sr);
|
---|
1454 |
|
---|
1455 | $users_array = array();
|
---|
1456 | for ($i=0; $i<$entries["count"]; $i++){
|
---|
1457 | if ($include_desc && strlen($entries[$i]["displayname"][0])>0){
|
---|
1458 | $users_array[ $entries[$i]["distinguishedname"][0] ] = $entries[$i]["displayname"][0];
|
---|
1459 | } elseif ($include_desc){
|
---|
1460 | $users_array[ $entries[$i]["distinguishedname"][0] ] = $entries[$i]["distinguishedname"][0];
|
---|
1461 | } else {
|
---|
1462 | array_push($users_array, $entries[$i]["distinguishedname"][0]);
|
---|
1463 | }
|
---|
1464 | }
|
---|
1465 | if ($sorted){ asort($users_array); }
|
---|
1466 | return ($users_array);
|
---|
1467 | }
|
---|
1468 |
|
---|
1469 | //*****************************************************************************************************************
|
---|
1470 | // FOLDER FUNCTIONS
|
---|
1471 |
|
---|
1472 | /**
|
---|
1473 | * Returns a folder listing for a specific OU
|
---|
1474 | * See http://adldap.sourceforge.net/wiki/doku.php?id=api_folder_functions
|
---|
1475 | *
|
---|
1476 | * @param array $folder_name An array to the OU you wish to list.
|
---|
1477 | * If set to NULL will list the root, strongly recommended to set
|
---|
1478 | * $recursive to false in that instance!
|
---|
1479 | * @param string $dn_type The type of record to list. This can be ADLDAP_FOLDER or ADLDAP_CONTAINER.
|
---|
1480 | * @param bool $recursive Recursively search sub folders
|
---|
1481 | * @param bool $type Specify a type of object to search for
|
---|
1482 | * @return array
|
---|
1483 | */
|
---|
1484 | public function folder_list($folder_name = NULL, $dn_type = ADLDAP_FOLDER, $recursive = NULL, $type = NULL) {
|
---|
1485 | if ($recursive===NULL){ $recursive=$this->_recursive_groups; } //use the default option if they haven't set it
|
---|
1486 | if (!$this->_bind){ return (false); }
|
---|
1487 |
|
---|
1488 | $filter = '(&';
|
---|
1489 | if ($type !== NULL) {
|
---|
1490 | switch ($type) {
|
---|
1491 | case 'contact':
|
---|
1492 | $filter .= '(objectClass=contact)';
|
---|
1493 | break;
|
---|
1494 | case 'computer':
|
---|
1495 | $filter .= '(objectClass=computer)';
|
---|
1496 | break;
|
---|
1497 | case 'group':
|
---|
1498 | $filter .= '(objectClass=group)';
|
---|
1499 | break;
|
---|
1500 | case 'folder':
|
---|
1501 | $filter .= '(objectClass=organizationalUnit)';
|
---|
1502 | break;
|
---|
1503 | case 'container':
|
---|
1504 | $filter .= '(objectClass=container)';
|
---|
1505 | break;
|
---|
1506 | case 'domain':
|
---|
1507 | $filter .= '(objectClass=builtinDomain)';
|
---|
1508 | break;
|
---|
1509 | default:
|
---|
1510 | $filter .= '(objectClass=user)';
|
---|
1511 | break;
|
---|
1512 | }
|
---|
1513 | }
|
---|
1514 | else {
|
---|
1515 | $filter .= '(objectClass=*)';
|
---|
1516 | }
|
---|
1517 | // If the folder name is null then we will search the root level of AD
|
---|
1518 | // This requires us to not have an OU= part, just the base_dn
|
---|
1519 | $searchou = $this->_base_dn;
|
---|
1520 | if (is_array($folder_name)) {
|
---|
1521 | $ou = $dn_type . "=".implode("," . $dn_type . "=",$folder_name);
|
---|
1522 | $filter .= '(!(distinguishedname=' . $ou . ',' . $this->_base_dn . ')))';
|
---|
1523 | $searchou = $ou . ',' . $this->_base_dn;
|
---|
1524 | }
|
---|
1525 | else {
|
---|
1526 | $filter .= '(!(distinguishedname=' . $this->_base_dn . ')))';
|
---|
1527 | }
|
---|
1528 |
|
---|
1529 | if ($recursive === true) {
|
---|
1530 | $sr=ldap_search($this->_conn, $searchou, $filter, array('objectclass', 'distinguishedname', 'samaccountname'));
|
---|
1531 | $entries = @ldap_get_entries($this->_conn, $sr);
|
---|
1532 | if (is_array($entries)) {
|
---|
1533 | return $entries;
|
---|
1534 | }
|
---|
1535 | }
|
---|
1536 | else {
|
---|
1537 | $sr=ldap_list($this->_conn, $searchou, $filter, array('objectclass', 'distinguishedname', 'samaccountname'));
|
---|
1538 | $entries = @ldap_get_entries($this->_conn, $sr);
|
---|
1539 | if (is_array($entries)) {
|
---|
1540 | return $entries;
|
---|
1541 | }
|
---|
1542 | }
|
---|
1543 |
|
---|
1544 | return false;
|
---|
1545 | }
|
---|
1546 |
|
---|
1547 | //*****************************************************************************************************************
|
---|
1548 | // COMPUTER FUNCTIONS
|
---|
1549 |
|
---|
1550 | /**
|
---|
1551 | * Get information about a specific computer
|
---|
1552 | *
|
---|
1553 | * @param string $computer_name The name of the computer
|
---|
1554 | * @param array $fields Attributes to return
|
---|
1555 | * @return array
|
---|
1556 | */
|
---|
1557 | public function computer_info($computer_name,$fields=NULL){
|
---|
1558 | if ($computer_name===NULL){ return (false); }
|
---|
1559 | if (!$this->_bind){ return (false); }
|
---|
1560 |
|
---|
1561 | $filter="(&(objectClass=computer)(cn=".$computer_name."))";
|
---|
1562 | if ($fields===NULL){ $fields=array("memberof","cn","displayname","dnshostname","distinguishedname","objectcategory","operatingsystem","operatingsystemservicepack","operatingsystemversion"); }
|
---|
1563 | $sr=ldap_search($this->_conn,$this->_base_dn,$filter,$fields);
|
---|
1564 | $entries = ldap_get_entries($this->_conn, $sr);
|
---|
1565 |
|
---|
1566 | return ($entries);
|
---|
1567 | }
|
---|
1568 |
|
---|
1569 | /**
|
---|
1570 | * Check if a computer is in a group
|
---|
1571 | *
|
---|
1572 | * @param string $computer_name The name of the computer
|
---|
1573 | * @param string $group The group to check
|
---|
1574 | * @param bool $recursive Whether to check recursively
|
---|
1575 | * @return array
|
---|
1576 | */
|
---|
1577 | public function computer_ingroup($computer_name,$group,$recursive=NULL){
|
---|
1578 | if ($computer_name===NULL){ return (false); }
|
---|
1579 | if ($group===NULL){ return (false); }
|
---|
1580 | if (!$this->_bind){ return (false); }
|
---|
1581 | if ($recursive===NULL){ $recursive=$this->_recursive_groups; } // use the default option if they haven't set it
|
---|
1582 |
|
---|
1583 | //get a list of the groups
|
---|
1584 | $groups=$this->computer_groups($computer_name,array("memberof"),$recursive);
|
---|
1585 |
|
---|
1586 | //return true if the specified group is in the group list
|
---|
1587 | if (in_array($group,$groups)){ return (true); }
|
---|
1588 |
|
---|
1589 | return (false);
|
---|
1590 | }
|
---|
1591 |
|
---|
1592 | /**
|
---|
1593 | * Get the groups a computer is in
|
---|
1594 | *
|
---|
1595 | * @param string $computer_name The name of the computer
|
---|
1596 | * @param bool $recursive Whether to check recursively
|
---|
1597 | * @return array
|
---|
1598 | */
|
---|
1599 | public function computer_groups($computer_name,$recursive=NULL){
|
---|
1600 | if ($computer_name===NULL){ return (false); }
|
---|
1601 | if ($recursive===NULL){ $recursive=$this->_recursive_groups; } //use the default option if they haven't set it
|
---|
1602 | if (!$this->_bind){ return (false); }
|
---|
1603 |
|
---|
1604 | //search the directory for their information
|
---|
1605 | $info=@$this->computer_info($computer_name,array("memberof","primarygroupid"));
|
---|
1606 | $groups=$this->nice_names($info[0]["memberof"]); //presuming the entry returned is our guy (unique usernames)
|
---|
1607 |
|
---|
1608 | if ($recursive === true){
|
---|
1609 | foreach ($groups as $id => $group_name){
|
---|
1610 | $extra_groups=$this->recursive_groups($group_name);
|
---|
1611 | $groups=array_merge($groups,$extra_groups);
|
---|
1612 | }
|
---|
1613 | }
|
---|
1614 |
|
---|
1615 | return ($groups);
|
---|
1616 | }
|
---|
1617 |
|
---|
1618 | //************************************************************************************************************
|
---|
1619 | // ORGANIZATIONAL UNIT FUNCTIONS
|
---|
1620 |
|
---|
1621 | /**
|
---|
1622 | * Create an organizational unit
|
---|
1623 | *
|
---|
1624 | * @param array $attributes Default attributes of the ou
|
---|
1625 | * @return bool
|
---|
1626 | */
|
---|
1627 | public function ou_create($attributes){
|
---|
1628 | if (!is_array($attributes)){ return ("Attributes must be an array"); }
|
---|
1629 | if (!array_key_exists("ou_name",$attributes)){ return ("Missing compulsory field [ou_name]"); }
|
---|
1630 | if (!array_key_exists("container",$attributes)){ return ("Missing compulsory field [container]"); }
|
---|
1631 | if (!is_array($attributes["container"])){ return ("Container attribute must be an array."); }
|
---|
1632 | $attributes["container"]=array_reverse($attributes["container"]);
|
---|
1633 |
|
---|
1634 | $add=array();
|
---|
1635 | $add["objectClass"] = "organizationalUnit";
|
---|
1636 |
|
---|
1637 | $container="OU=".implode(",OU=",$attributes["container"]);
|
---|
1638 | $result=ldap_add($this->_conn,"CN=".$add["cn"].", ".$container.",".$this->_base_dn,$add);
|
---|
1639 | if ($result!=true){ return (false); }
|
---|
1640 |
|
---|
1641 | return (true);
|
---|
1642 | }
|
---|
1643 |
|
---|
1644 | //************************************************************************************************************
|
---|
1645 | // EXCHANGE FUNCTIONS
|
---|
1646 |
|
---|
1647 | /**
|
---|
1648 | * Create an Exchange account
|
---|
1649 | *
|
---|
1650 | * @param string $username The username of the user to add the Exchange account to
|
---|
1651 | * @param array $storagegroup The mailbox, Exchange Storage Group, for the user account, this must be a full CN
|
---|
1652 | * If the storage group has a different base_dn to the adLDAP configuration, set it using $base_dn
|
---|
1653 | * @param string $emailaddress The primary email address to add to this user
|
---|
1654 | * @param string $mailnickname The mail nick name. If mail nickname is blank, the username will be used
|
---|
1655 | * @param bool $usedefaults Indicates whether the store should use the default quota, rather than the per-mailbox quota.
|
---|
1656 | * @param string $base_dn Specify an alternative base_dn for the Exchange storage group
|
---|
1657 | * @param bool $isGUID Is the username passed a GUID or a samAccountName
|
---|
1658 | * @return bool
|
---|
1659 | */
|
---|
1660 | public function exchange_create_mailbox($username, $storagegroup, $emailaddress, $mailnickname=NULL, $usedefaults=TRUE, $base_dn=NULL, $isGUID=false){
|
---|
1661 | if ($username===NULL){ return ("Missing compulsory field [username]"); }
|
---|
1662 | if ($storagegroup===NULL){ return ("Missing compulsory array [storagegroup]"); }
|
---|
1663 | if (!is_array($storagegroup)){ return ("[storagegroup] must be an array"); }
|
---|
1664 | if ($emailaddress===NULL){ return ("Missing compulsory field [emailaddress]"); }
|
---|
1665 |
|
---|
1666 | if ($base_dn===NULL) {
|
---|
1667 | $base_dn = $this->_base_dn;
|
---|
1668 | }
|
---|
1669 |
|
---|
1670 | $container="CN=".implode(",CN=",$storagegroup);
|
---|
1671 |
|
---|
1672 | if ($mailnickname===NULL) { $mailnickname=$username; }
|
---|
1673 | $mdbUseDefaults = $this->bool2str($usedefaults);
|
---|
1674 |
|
---|
1675 | $attributes = array(
|
---|
1676 | 'exchange_homemdb'=>$container.",".$base_dn,
|
---|
1677 | 'exchange_proxyaddress'=>'SMTP:' . $emailaddress,
|
---|
1678 | 'exchange_mailnickname'=>$mailnickname,
|
---|
1679 | 'exchange_usedefaults'=>$mdbUseDefaults
|
---|
1680 | );
|
---|
1681 | $result = $this->user_modify($username,$attributes,$isGUID);
|
---|
1682 | if ($result==false){ return (false); }
|
---|
1683 | return (true);
|
---|
1684 | }
|
---|
1685 |
|
---|
1686 | /**
|
---|
1687 | * Add an X400 address to Exchange
|
---|
1688 | * See http://tools.ietf.org/html/rfc1685 for more information.
|
---|
1689 | * An X400 Address looks similar to this X400:c=US;a= ;p=Domain;o=Organization;s=Doe;g=John;
|
---|
1690 | *
|
---|
1691 | * @param string $username The username of the user to add the X400 to to
|
---|
1692 | * @param string $country Country
|
---|
1693 | * @param string $admd Administration Management Domain
|
---|
1694 | * @param string $pdmd Private Management Domain (often your AD domain)
|
---|
1695 | * @param string $org Organization
|
---|
1696 | * @param string $surname Surname
|
---|
1697 | * @param string $givenName Given name
|
---|
1698 | * @param bool $isGUID Is the username passed a GUID or a samAccountName
|
---|
1699 | * @return bool
|
---|
1700 | */
|
---|
1701 | public function exchange_add_X400($username, $country, $admd, $pdmd, $org, $surname, $givenname, $isGUID=false) {
|
---|
1702 | if ($username===NULL){ return ("Missing compulsory field [username]"); }
|
---|
1703 |
|
---|
1704 | $proxyvalue = 'X400:';
|
---|
1705 |
|
---|
1706 | // Find the dn of the user
|
---|
1707 | $user=$this->user_info($username,array("cn","proxyaddresses"), $isGUID);
|
---|
1708 | if ($user[0]["dn"]===NULL){ return (false); }
|
---|
1709 | $user_dn=$user[0]["dn"];
|
---|
1710 |
|
---|
1711 | // We do not have to demote an email address from the default so we can just add the new proxy address
|
---|
1712 | $attributes['exchange_proxyaddress'] = $proxyvalue . 'c=' . $country . ';a=' . $admd . ';p=' . $pdmd . ';o=' . $org . ';s=' . $surname . ';g=' . $givenname . ';';
|
---|
1713 |
|
---|
1714 | // Translate the update to the LDAP schema
|
---|
1715 | $add=$this->adldap_schema($attributes);
|
---|
1716 |
|
---|
1717 | if (!$add){ return (false); }
|
---|
1718 |
|
---|
1719 | // Do the update
|
---|
1720 | // Take out the @ to see any errors, usually this error might occur because the address already
|
---|
1721 | // exists in the list of proxyAddresses
|
---|
1722 | $result=@ldap_mod_add($this->_conn,$user_dn,$add);
|
---|
1723 | if ($result==false){ return (false); }
|
---|
1724 |
|
---|
1725 | return (true);
|
---|
1726 | }
|
---|
1727 |
|
---|
1728 | /**
|
---|
1729 | * Add an address to Exchange
|
---|
1730 | *
|
---|
1731 | * @param string $username The username of the user to add the Exchange account to
|
---|
1732 | * @param string $emailaddress The email address to add to this user
|
---|
1733 | * @param bool $default Make this email address the default address, this is a bit more intensive as we have to demote any existing default addresses
|
---|
1734 | * @param bool $isGUID Is the username passed a GUID or a samAccountName
|
---|
1735 | * @return bool
|
---|
1736 | */
|
---|
1737 | public function exchange_add_address($username, $emailaddress, $default=FALSE, $isGUID=false) {
|
---|
1738 | if ($username===NULL){ return ("Missing compulsory field [username]"); }
|
---|
1739 | if ($emailaddress===NULL) { return ("Missing compulsory fields [emailaddress]"); }
|
---|
1740 |
|
---|
1741 | $proxyvalue = 'smtp:';
|
---|
1742 | if ($default === true) {
|
---|
1743 | $proxyvalue = 'SMTP:';
|
---|
1744 | }
|
---|
1745 |
|
---|
1746 | // Find the dn of the user
|
---|
1747 | $user=$this->user_info($username,array("cn","proxyaddresses"),$isGUID);
|
---|
1748 | if ($user[0]["dn"]===NULL){ return (false); }
|
---|
1749 | $user_dn=$user[0]["dn"];
|
---|
1750 |
|
---|
1751 | // We need to scan existing proxy addresses and demote the default one
|
---|
1752 | if (is_array($user[0]["proxyaddresses"]) && $default===true) {
|
---|
1753 | $modaddresses = array();
|
---|
1754 | for ($i=0;$i<sizeof($user[0]['proxyaddresses']);$i++) {
|
---|
1755 | if (strstr($user[0]['proxyaddresses'][$i], 'SMTP:') !== false) {
|
---|
1756 | $user[0]['proxyaddresses'][$i] = str_replace('SMTP:', 'smtp:', $user[0]['proxyaddresses'][$i]);
|
---|
1757 | }
|
---|
1758 | if ($user[0]['proxyaddresses'][$i] != '') {
|
---|
1759 | $modaddresses['proxyAddresses'][$i] = $user[0]['proxyaddresses'][$i];
|
---|
1760 | }
|
---|
1761 | }
|
---|
1762 | $modaddresses['proxyAddresses'][(sizeof($user[0]['proxyaddresses'])-1)] = 'SMTP:' . $emailaddress;
|
---|
1763 |
|
---|
1764 | $result=@ldap_mod_replace($this->_conn,$user_dn,$modaddresses);
|
---|
1765 | if ($result==false){ return (false); }
|
---|
1766 |
|
---|
1767 | return (true);
|
---|
1768 | }
|
---|
1769 | else {
|
---|
1770 | // We do not have to demote an email address from the default so we can just add the new proxy address
|
---|
1771 | $attributes['exchange_proxyaddress'] = $proxyvalue . $emailaddress;
|
---|
1772 |
|
---|
1773 | // Translate the update to the LDAP schema
|
---|
1774 | $add=$this->adldap_schema($attributes);
|
---|
1775 |
|
---|
1776 | if (!$add){ return (false); }
|
---|
1777 |
|
---|
1778 | // Do the update
|
---|
1779 | // Take out the @ to see any errors, usually this error might occur because the address already
|
---|
1780 | // exists in the list of proxyAddresses
|
---|
1781 | $result=@ldap_mod_add($this->_conn,$user_dn,$add);
|
---|
1782 | if ($result==false){ return (false); }
|
---|
1783 |
|
---|
1784 | return (true);
|
---|
1785 | }
|
---|
1786 | }
|
---|
1787 |
|
---|
1788 | /**
|
---|
1789 | * Remove an address to Exchange
|
---|
1790 | * If you remove a default address the account will no longer have a default,
|
---|
1791 | * we recommend changing the default address first
|
---|
1792 | *
|
---|
1793 | * @param string $username The username of the user to add the Exchange account to
|
---|
1794 | * @param string $emailaddress The email address to add to this user
|
---|
1795 | * @param bool $isGUID Is the username passed a GUID or a samAccountName
|
---|
1796 | * @return bool
|
---|
1797 | */
|
---|
1798 | public function exchange_del_address($username, $emailaddress, $isGUID=false) {
|
---|
1799 | if ($username===NULL){ return ("Missing compulsory field [username]"); }
|
---|
1800 | if ($emailaddress===NULL) { return ("Missing compulsory fields [emailaddress]"); }
|
---|
1801 |
|
---|
1802 | // Find the dn of the user
|
---|
1803 | $user=$this->user_info($username,array("cn","proxyaddresses"),$isGUID);
|
---|
1804 | if ($user[0]["dn"]===NULL){ return (false); }
|
---|
1805 | $user_dn=$user[0]["dn"];
|
---|
1806 |
|
---|
1807 | if (is_array($user[0]["proxyaddresses"])) {
|
---|
1808 | $mod = array();
|
---|
1809 | for ($i=0;$i<sizeof($user[0]['proxyaddresses']);$i++) {
|
---|
1810 | if (strstr($user[0]['proxyaddresses'][$i], 'SMTP:') !== false && $user[0]['proxyaddresses'][$i] == 'SMTP:' . $emailaddress) {
|
---|
1811 | $mod['proxyAddresses'][0] = 'SMTP:' . $emailaddress;
|
---|
1812 | }
|
---|
1813 | elseif (strstr($user[0]['proxyaddresses'][$i], 'smtp:') !== false && $user[0]['proxyaddresses'][$i] == 'smtp:' . $emailaddress) {
|
---|
1814 | $mod['proxyAddresses'][0] = 'smtp:' . $emailaddress;
|
---|
1815 | }
|
---|
1816 | }
|
---|
1817 |
|
---|
1818 | $result=@ldap_mod_del($this->_conn,$user_dn,$mod);
|
---|
1819 | if ($result==false){ return (false); }
|
---|
1820 |
|
---|
1821 | return (true);
|
---|
1822 | }
|
---|
1823 | else {
|
---|
1824 | return (false);
|
---|
1825 | }
|
---|
1826 | }
|
---|
1827 | /**
|
---|
1828 | * Change the default address
|
---|
1829 | *
|
---|
1830 | * @param string $username The username of the user to add the Exchange account to
|
---|
1831 | * @param string $emailaddress The email address to make default
|
---|
1832 | * @param bool $isGUID Is the username passed a GUID or a samAccountName
|
---|
1833 | * @return bool
|
---|
1834 | */
|
---|
1835 | public function exchange_primary_address($username, $emailaddress, $isGUID=false) {
|
---|
1836 | if ($username===NULL){ return ("Missing compulsory field [username]"); }
|
---|
1837 | if ($emailaddress===NULL) { return ("Missing compulsory fields [emailaddress]"); }
|
---|
1838 |
|
---|
1839 | // Find the dn of the user
|
---|
1840 | $user=$this->user_info($username,array("cn","proxyaddresses"), $isGUID);
|
---|
1841 | if ($user[0]["dn"]===NULL){ return (false); }
|
---|
1842 | $user_dn=$user[0]["dn"];
|
---|
1843 |
|
---|
1844 | if (is_array($user[0]["proxyaddresses"])) {
|
---|
1845 | $modaddresses = array();
|
---|
1846 | for ($i=0;$i<sizeof($user[0]['proxyaddresses']);$i++) {
|
---|
1847 | if (strstr($user[0]['proxyaddresses'][$i], 'SMTP:') !== false) {
|
---|
1848 | $user[0]['proxyaddresses'][$i] = str_replace('SMTP:', 'smtp:', $user[0]['proxyaddresses'][$i]);
|
---|
1849 | }
|
---|
1850 | if ($user[0]['proxyaddresses'][$i] == 'smtp:' . $emailaddress) {
|
---|
1851 | $user[0]['proxyaddresses'][$i] = str_replace('smtp:', 'SMTP:', $user[0]['proxyaddresses'][$i]);
|
---|
1852 | }
|
---|
1853 | if ($user[0]['proxyaddresses'][$i] != '') {
|
---|
1854 | $modaddresses['proxyAddresses'][$i] = $user[0]['proxyaddresses'][$i];
|
---|
1855 | }
|
---|
1856 | }
|
---|
1857 |
|
---|
1858 | $result=@ldap_mod_replace($this->_conn,$user_dn,$modaddresses);
|
---|
1859 | if ($result==false){ return (false); }
|
---|
1860 |
|
---|
1861 | return (true);
|
---|
1862 | }
|
---|
1863 |
|
---|
1864 | }
|
---|
1865 |
|
---|
1866 | /**
|
---|
1867 | * Mail enable a contact
|
---|
1868 | * Allows email to be sent to them through Exchange
|
---|
1869 | *
|
---|
1870 | * @param string $distinguishedname The contact to mail enable
|
---|
1871 | * @param string $emailaddress The email address to allow emails to be sent through
|
---|
1872 | * @param string $mailnickname The mailnickname for the contact in Exchange. If NULL this will be set to the display name
|
---|
1873 | * @return bool
|
---|
1874 | */
|
---|
1875 | public function exchange_contact_mailenable($distinguishedname, $emailaddress, $mailnickname=NULL){
|
---|
1876 | if ($distinguishedname===NULL){ return ("Missing compulsory field [distinguishedname]"); }
|
---|
1877 | if ($emailaddress===NULL){ return ("Missing compulsory field [emailaddress]"); }
|
---|
1878 |
|
---|
1879 | if ($mailnickname !== NULL) {
|
---|
1880 | // Find the dn of the user
|
---|
1881 | $user=$this->contact_info($distinguishedname,array("cn","displayname"));
|
---|
1882 | if ($user[0]["displayname"]===NULL){ return (false); }
|
---|
1883 | $mailnickname = $user[0]['displayname'][0];
|
---|
1884 | }
|
---|
1885 |
|
---|
1886 | $attributes = array("email"=>$emailaddress,"contact_email"=>"SMTP:" . $emailaddress,"exchange_proxyaddress"=>"SMTP:" . $emailaddress,"exchange_mailnickname"=>$mailnickname);
|
---|
1887 |
|
---|
1888 | // Translate the update to the LDAP schema
|
---|
1889 | $mod=$this->adldap_schema($attributes);
|
---|
1890 |
|
---|
1891 | // Check to see if this is an enabled status update
|
---|
1892 | if (!$mod){ return (false); }
|
---|
1893 |
|
---|
1894 | // Do the update
|
---|
1895 | $result=ldap_modify($this->_conn,$distinguishedname,$mod);
|
---|
1896 | if ($result==false){ return (false); }
|
---|
1897 |
|
---|
1898 | return (true);
|
---|
1899 | }
|
---|
1900 |
|
---|
1901 | /**
|
---|
1902 | * Returns a list of Exchange Servers in the ConfigurationNamingContext of the domain
|
---|
1903 | *
|
---|
1904 | * @param array $attributes An array of the AD attributes you wish to return
|
---|
1905 | * @return array
|
---|
1906 | */
|
---|
1907 | public function exchange_servers($attributes = array('cn','distinguishedname','serialnumber')) {
|
---|
1908 | if (!$this->_bind){ return (false); }
|
---|
1909 |
|
---|
1910 | $configurationNamingContext = $this->get_root_dse(array('configurationnamingcontext'));
|
---|
1911 | $sr = @ldap_search($this->_conn,$configurationNamingContext[0]['configurationnamingcontext'][0],'(&(objectCategory=msExchExchangeServer))',$attributes);
|
---|
1912 | $entries = @ldap_get_entries($this->_conn, $sr);
|
---|
1913 | return $entries;
|
---|
1914 | }
|
---|
1915 |
|
---|
1916 | /**
|
---|
1917 | * Returns a list of Storage Groups in Exchange for a given mail server
|
---|
1918 | *
|
---|
1919 | * @param string $exchangeServer The full DN of an Exchange server. You can use exchange_servers() to find the DN for your server
|
---|
1920 | * @param array $attributes An array of the AD attributes you wish to return
|
---|
1921 | * @param bool $recursive If enabled this will automatically query the databases within a storage group
|
---|
1922 | * @return array
|
---|
1923 | */
|
---|
1924 | public function exchange_storage_groups($exchangeServer, $attributes = array('cn','distinguishedname'), $recursive = NULL) {
|
---|
1925 | if (!$this->_bind){ return (false); }
|
---|
1926 | if ($exchangeServer===NULL){ return ("Missing compulsory field [exchangeServer]"); }
|
---|
1927 | if ($recursive===NULL){ $recursive=$this->_recursive_groups; }
|
---|
1928 |
|
---|
1929 | $filter = '(&(objectCategory=msExchStorageGroup))';
|
---|
1930 | $sr=@ldap_search($this->_conn, $exchangeServer, $filter, $attributes);
|
---|
1931 | $entries = @ldap_get_entries($this->_conn, $sr);
|
---|
1932 |
|
---|
1933 | if ($recursive === true) {
|
---|
1934 | for ($i=0; $i<$entries['count']; $i++) {
|
---|
1935 | $entries[$i]['msexchprivatemdb'] = $this->exchange_storage_databases($entries[$i]['distinguishedname'][0]);
|
---|
1936 | }
|
---|
1937 | }
|
---|
1938 |
|
---|
1939 | return $entries;
|
---|
1940 | }
|
---|
1941 |
|
---|
1942 | /**
|
---|
1943 | * Returns a list of Databases within any given storage group in Exchange for a given mail server
|
---|
1944 | *
|
---|
1945 | * @param string $storageGroup The full DN of an Storage Group. You can use exchange_storage_groups() to find the DN
|
---|
1946 | * @param array $attributes An array of the AD attributes you wish to return
|
---|
1947 | * @return array
|
---|
1948 | */
|
---|
1949 | public function exchange_storage_databases($storageGroup, $attributes = array('cn','distinguishedname','displayname')) {
|
---|
1950 | if (!$this->_bind){ return (false); }
|
---|
1951 | if ($storageGroup===NULL){ return ("Missing compulsory field [storageGroup]"); }
|
---|
1952 |
|
---|
1953 | $filter = '(&(objectCategory=msExchPrivateMDB))';
|
---|
1954 | $sr=@ldap_search($this->_conn, $storageGroup, $filter, $attributes);
|
---|
1955 | $entries = @ldap_get_entries($this->_conn, $sr);
|
---|
1956 | return $entries;
|
---|
1957 | }
|
---|
1958 |
|
---|
1959 | //************************************************************************************************************
|
---|
1960 | // SERVER FUNCTIONS
|
---|
1961 |
|
---|
1962 | /**
|
---|
1963 | * Find the Base DN of your domain controller
|
---|
1964 | *
|
---|
1965 | * @return string
|
---|
1966 | */
|
---|
1967 | public function find_base_dn() {
|
---|
1968 | $namingContext = $this->get_root_dse(array('defaultnamingcontext'));
|
---|
1969 | return $namingContext[0]['defaultnamingcontext'][0];
|
---|
1970 | }
|
---|
1971 |
|
---|
1972 | /**
|
---|
1973 | * Get the RootDSE properties from a domain controller
|
---|
1974 | *
|
---|
1975 | * @param array $attributes The attributes you wish to query e.g. defaultnamingcontext
|
---|
1976 | * @return array
|
---|
1977 | */
|
---|
1978 | public function get_root_dse($attributes = array("*", "+")) {
|
---|
1979 | if (!$this->_bind){ return (false); }
|
---|
1980 |
|
---|
1981 | $sr = @ldap_read($this->_conn, NULL, 'objectClass=*', $attributes);
|
---|
1982 | $entries = @ldap_get_entries($this->_conn, $sr);
|
---|
1983 | return $entries;
|
---|
1984 | }
|
---|
1985 |
|
---|
1986 | //************************************************************************************************************
|
---|
1987 | // UTILITY FUNCTIONS (Many of these functions are protected and can only be called from within the class)
|
---|
1988 |
|
---|
1989 | /**
|
---|
1990 | * Get last error from Active Directory
|
---|
1991 | *
|
---|
1992 | * This function gets the last message from Active Directory
|
---|
1993 | * This may indeed be a 'Success' message but if you get an unknown error
|
---|
1994 | * it might be worth calling this function to see what errors were raised
|
---|
1995 | *
|
---|
1996 | * return string
|
---|
1997 | */
|
---|
1998 | public function get_last_error() {
|
---|
1999 | return @ldap_error($this->_conn);
|
---|
2000 | }
|
---|
2001 |
|
---|
2002 | /**
|
---|
2003 | * Detect LDAP support in php
|
---|
2004 | *
|
---|
2005 | * @return bool
|
---|
2006 | */
|
---|
2007 | protected function ldap_supported() {
|
---|
2008 | if (!function_exists('ldap_connect')) {
|
---|
2009 | return (false);
|
---|
2010 | }
|
---|
2011 | return (true);
|
---|
2012 | }
|
---|
2013 |
|
---|
2014 | /**
|
---|
2015 | * Schema
|
---|
2016 | *
|
---|
2017 | * @param array $attributes Attributes to be queried
|
---|
2018 | * @return array
|
---|
2019 | */
|
---|
2020 | protected function adldap_schema($attributes){
|
---|
2021 |
|
---|
2022 | // LDAP doesn't like NULL attributes, only set them if they have values
|
---|
2023 | // If you wish to remove an attribute you should set it to a space
|
---|
2024 | // TO DO: Adapt user_modify to use ldap_mod_delete to remove a NULL attribute
|
---|
2025 | $mod=array();
|
---|
2026 |
|
---|
2027 | // Check every attribute to see if it contains 8bit characters and then UTF8 encode them
|
---|
2028 | array_walk($attributes, array($this, 'encode8bit'));
|
---|
2029 |
|
---|
2030 | if ($attributes["address_city"]){ $mod["l"][0]=$attributes["address_city"]; }
|
---|
2031 | if ($attributes["address_code"]){ $mod["postalCode"][0]=$attributes["address_code"]; }
|
---|
2032 | //if ($attributes["address_country"]){ $mod["countryCode"][0]=$attributes["address_country"]; } // use country codes?
|
---|
2033 | if ($attributes["address_country"]){ $mod["c"][0]=$attributes["address_country"]; }
|
---|
2034 | if ($attributes["address_pobox"]){ $mod["postOfficeBox"][0]=$attributes["address_pobox"]; }
|
---|
2035 | if ($attributes["address_state"]){ $mod["st"][0]=$attributes["address_state"]; }
|
---|
2036 | if ($attributes["address_street"]){ $mod["streetAddress"][0]=$attributes["address_street"]; }
|
---|
2037 | if ($attributes["company"]){ $mod["company"][0]=$attributes["company"]; }
|
---|
2038 | if ($attributes["change_password"]){ $mod["pwdLastSet"][0]=0; }
|
---|
2039 | if ($attributes["department"]){ $mod["department"][0]=$attributes["department"]; }
|
---|
2040 | if ($attributes["description"]){ $mod["description"][0]=$attributes["description"]; }
|
---|
2041 | if ($attributes["display_name"]){ $mod["displayName"][0]=$attributes["display_name"]; }
|
---|
2042 | if ($attributes["email"]){ $mod["mail"][0]=$attributes["email"]; }
|
---|
2043 | if ($attributes["expires"]){ $mod["accountExpires"][0]=$attributes["expires"]; } //unix epoch format?
|
---|
2044 | if ($attributes["firstname"]){ $mod["givenName"][0]=$attributes["firstname"]; }
|
---|
2045 | if ($attributes["home_directory"]){ $mod["homeDirectory"][0]=$attributes["home_directory"]; }
|
---|
2046 | if ($attributes["home_drive"]){ $mod["homeDrive"][0]=$attributes["home_drive"]; }
|
---|
2047 | if ($attributes["initials"]){ $mod["initials"][0]=$attributes["initials"]; }
|
---|
2048 | if ($attributes["logon_name"]){ $mod["userPrincipalName"][0]=$attributes["logon_name"]; }
|
---|
2049 | if ($attributes["manager"]){ $mod["manager"][0]=$attributes["manager"]; } //UNTESTED ***Use DistinguishedName***
|
---|
2050 | if ($attributes["office"]){ $mod["physicalDeliveryOfficeName"][0]=$attributes["office"]; }
|
---|
2051 | if ($attributes["password"]){ $mod["unicodePwd"][0]=$this->encode_password($attributes["password"]); }
|
---|
2052 | if ($attributes["profile_path"]){ $mod["profilepath"][0]=$attributes["profile_path"]; }
|
---|
2053 | if ($attributes["script_path"]){ $mod["scriptPath"][0]=$attributes["script_path"]; }
|
---|
2054 | if ($attributes["surname"]){ $mod["sn"][0]=$attributes["surname"]; }
|
---|
2055 | if ($attributes["title"]){ $mod["title"][0]=$attributes["title"]; }
|
---|
2056 | if ($attributes["telephone"]){ $mod["telephoneNumber"][0]=$attributes["telephone"]; }
|
---|
2057 | if ($attributes["mobile"]){ $mod["mobile"][0]=$attributes["mobile"]; }
|
---|
2058 | if ($attributes["pager"]){ $mod["pager"][0]=$attributes["pager"]; }
|
---|
2059 | if ($attributes["ipphone"]){ $mod["ipphone"][0]=$attributes["ipphone"]; }
|
---|
2060 | if ($attributes["web_page"]){ $mod["wWWHomePage"][0]=$attributes["web_page"]; }
|
---|
2061 | if ($attributes["fax"]){ $mod["facsimileTelephoneNumber"][0]=$attributes["fax"]; }
|
---|
2062 | if ($attributes["enabled"]){ $mod["userAccountControl"][0]=$attributes["enabled"]; }
|
---|
2063 |
|
---|
2064 | // Distribution List specific schema
|
---|
2065 | if ($attributes["group_sendpermission"]){ $mod["dlMemSubmitPerms"][0]=$attributes["group_sendpermission"]; }
|
---|
2066 | if ($attributes["group_rejectpermission"]){ $mod["dlMemRejectPerms"][0]=$attributes["group_rejectpermission"]; }
|
---|
2067 |
|
---|
2068 | // Exchange Schema
|
---|
2069 | if ($attributes["exchange_homemdb"]){ $mod["homeMDB"][0]=$attributes["exchange_homemdb"]; }
|
---|
2070 | if ($attributes["exchange_mailnickname"]){ $mod["mailNickname"][0]=$attributes["exchange_mailnickname"]; }
|
---|
2071 | if ($attributes["exchange_proxyaddress"]){ $mod["proxyAddresses"][0]=$attributes["exchange_proxyaddress"]; }
|
---|
2072 | if ($attributes["exchange_usedefaults"]){ $mod["mDBUseDefaults"][0]=$attributes["exchange_usedefaults"]; }
|
---|
2073 | if ($attributes["exchange_policyexclude"]){ $mod["msExchPoliciesExcluded"][0]=$attributes["exchange_policyexclude"]; }
|
---|
2074 | if ($attributes["exchange_policyinclude"]){ $mod["msExchPoliciesIncluded"][0]=$attributes["exchange_policyinclude"]; }
|
---|
2075 | if ($attributes["exchange_addressbook"]){ $mod["showInAddressBook"][0]=$attributes["exchange_addressbook"]; }
|
---|
2076 |
|
---|
2077 | // This schema is designed for contacts
|
---|
2078 | if ($attributes["exchange_hidefromlists"]){ $mod["msExchHideFromAddressLists"][0]=$attributes["exchange_hidefromlists"]; }
|
---|
2079 | if ($attributes["contact_email"]){ $mod["targetAddress"][0]=$attributes["contact_email"]; }
|
---|
2080 |
|
---|
2081 | //echo ("<pre>"); print_r($mod);
|
---|
2082 | /*
|
---|
2083 | // modifying a name is a bit fiddly
|
---|
2084 | if ($attributes["firstname"] && $attributes["surname"]){
|
---|
2085 | $mod["cn"][0]=$attributes["firstname"]." ".$attributes["surname"];
|
---|
2086 | $mod["displayname"][0]=$attributes["firstname"]." ".$attributes["surname"];
|
---|
2087 | $mod["name"][0]=$attributes["firstname"]." ".$attributes["surname"];
|
---|
2088 | }
|
---|
2089 | */
|
---|
2090 |
|
---|
2091 | if (count($mod)==0){ return (false); }
|
---|
2092 | return ($mod);
|
---|
2093 | }
|
---|
2094 |
|
---|
2095 | /**
|
---|
2096 | * Coping with AD not returning the primary group
|
---|
2097 | * http://support.microsoft.com/?kbid=321360
|
---|
2098 | *
|
---|
2099 | * For some reason it's not possible to search on primarygrouptoken=XXX
|
---|
2100 | * If someone can show otherwise, I'd like to know about it :)
|
---|
2101 | * this way is resource intensive and generally a pain in the @#%^
|
---|
2102 | *
|
---|
2103 | * @deprecated deprecated since version 3.1, see get get_primary_group
|
---|
2104 | * @param string $gid Group ID
|
---|
2105 | * @return string
|
---|
2106 | */
|
---|
2107 | protected function group_cn($gid){
|
---|
2108 | if ($gid===NULL){ return (false); }
|
---|
2109 | $r=false;
|
---|
2110 |
|
---|
2111 | $filter="(&(objectCategory=group)(samaccounttype=". ADLDAP_SECURITY_GLOBAL_GROUP ."))";
|
---|
2112 | $fields=array("primarygrouptoken","samaccountname","distinguishedname");
|
---|
2113 | $sr=ldap_search($this->_conn,$this->_base_dn,$filter,$fields);
|
---|
2114 | $entries = ldap_get_entries($this->_conn, $sr);
|
---|
2115 |
|
---|
2116 | for ($i=0; $i<$entries["count"]; $i++){
|
---|
2117 | if ($entries[$i]["primarygrouptoken"][0]==$gid){
|
---|
2118 | $r=$entries[$i]["distinguishedname"][0];
|
---|
2119 | $i=$entries["count"];
|
---|
2120 | }
|
---|
2121 | }
|
---|
2122 |
|
---|
2123 | return ($r);
|
---|
2124 | }
|
---|
2125 |
|
---|
2126 | /**
|
---|
2127 | * Coping with AD not returning the primary group
|
---|
2128 | * http://support.microsoft.com/?kbid=321360
|
---|
2129 | *
|
---|
2130 | * This is a re-write based on code submitted by Bruce which prevents the
|
---|
2131 | * need to search each security group to find the true primary group
|
---|
2132 | *
|
---|
2133 | * @param string $gid Group ID
|
---|
2134 | * @param string $usersid User's Object SID
|
---|
2135 | * @return string
|
---|
2136 | */
|
---|
2137 | protected function get_primary_group($gid, $usersid){
|
---|
2138 | if ($gid===NULL || $usersid===NULL){ return (false); }
|
---|
2139 | $r=false;
|
---|
2140 |
|
---|
2141 | $gsid = substr_replace($usersid,pack('V',$gid),strlen($usersid)-4,4);
|
---|
2142 | $filter='(objectsid='.$this->getTextSID($gsid).')';
|
---|
2143 | $fields=array("samaccountname","distinguishedname");
|
---|
2144 | $sr=ldap_search($this->_conn,$this->_base_dn,$filter,$fields);
|
---|
2145 | $entries = ldap_get_entries($this->_conn, $sr);
|
---|
2146 |
|
---|
2147 | return $entries[0]['distinguishedname'][0];
|
---|
2148 | }
|
---|
2149 |
|
---|
2150 | /**
|
---|
2151 | * Convert a binary SID to a text SID
|
---|
2152 | *
|
---|
2153 | * @param string $binsid A Binary SID
|
---|
2154 | * @return string
|
---|
2155 | */
|
---|
2156 | protected function getTextSID($binsid) {
|
---|
2157 | $hex_sid = bin2hex($binsid);
|
---|
2158 | $rev = hexdec(substr($hex_sid, 0, 2));
|
---|
2159 | $subcount = hexdec(substr($hex_sid, 2, 2));
|
---|
2160 | $auth = hexdec(substr($hex_sid, 4, 12));
|
---|
2161 | $result = "$rev-$auth";
|
---|
2162 |
|
---|
2163 | for ($x=0;$x < $subcount; $x++) {
|
---|
2164 | $subauth[$x] =
|
---|
2165 | hexdec($this->little_endian(substr($hex_sid, 16 + ($x * 8), 8)));
|
---|
2166 | $result .= "-" . $subauth[$x];
|
---|
2167 | }
|
---|
2168 |
|
---|
2169 | // Cheat by tacking on the S-
|
---|
2170 | return 'S-' . $result;
|
---|
2171 | }
|
---|
2172 |
|
---|
2173 | /**
|
---|
2174 | * Converts a little-endian hex number to one that hexdec() can convert
|
---|
2175 | *
|
---|
2176 | * @param string $hex A hex code
|
---|
2177 | * @return string
|
---|
2178 | */
|
---|
2179 | protected function little_endian($hex) {
|
---|
2180 | $result = '';
|
---|
2181 | for ($x = strlen($hex) - 2; $x >= 0; $x = $x - 2) {
|
---|
2182 | $result .= substr($hex, $x, 2);
|
---|
2183 | }
|
---|
2184 | return $result;
|
---|
2185 | }
|
---|
2186 |
|
---|
2187 | /**
|
---|
2188 | * Converts a binary attribute to a string
|
---|
2189 | *
|
---|
2190 | * @param string $bin A binary LDAP attribute
|
---|
2191 | * @return string
|
---|
2192 | */
|
---|
2193 | protected function binary2text($bin) {
|
---|
2194 | $hex_guid = bin2hex($bin);
|
---|
2195 | $hex_guid_to_guid_str = '';
|
---|
2196 | for($k = 1; $k <= 4; ++$k) {
|
---|
2197 | $hex_guid_to_guid_str .= substr($hex_guid, 8 - 2 * $k, 2);
|
---|
2198 | }
|
---|
2199 | $hex_guid_to_guid_str .= '-';
|
---|
2200 | for($k = 1; $k <= 2; ++$k) {
|
---|
2201 | $hex_guid_to_guid_str .= substr($hex_guid, 12 - 2 * $k, 2);
|
---|
2202 | }
|
---|
2203 | $hex_guid_to_guid_str .= '-';
|
---|
2204 | for($k = 1; $k <= 2; ++$k) {
|
---|
2205 | $hex_guid_to_guid_str .= substr($hex_guid, 16 - 2 * $k, 2);
|
---|
2206 | }
|
---|
2207 | $hex_guid_to_guid_str .= '-' . substr($hex_guid, 16, 4);
|
---|
2208 | $hex_guid_to_guid_str .= '-' . substr($hex_guid, 20);
|
---|
2209 | return strtoupper($hex_guid_to_guid_str);
|
---|
2210 | }
|
---|
2211 |
|
---|
2212 | /**
|
---|
2213 | * Converts a binary GUID to a string GUID
|
---|
2214 | *
|
---|
2215 | * @param string $binaryGuid The binary GUID attribute to convert
|
---|
2216 | * @return string
|
---|
2217 | */
|
---|
2218 | public function decodeGuid($binaryGuid) {
|
---|
2219 | if ($binaryGuid === null){ return ("Missing compulsory field [binaryGuid]"); }
|
---|
2220 |
|
---|
2221 | $strGUID = $this->binary2text($binaryGuid);
|
---|
2222 | return ($strGUID);
|
---|
2223 | }
|
---|
2224 |
|
---|
2225 | /**
|
---|
2226 | * Converts a string GUID to a hexdecimal value so it can be queried
|
---|
2227 | *
|
---|
2228 | * @param string $strGUID A string representation of a GUID
|
---|
2229 | * @return string
|
---|
2230 | */
|
---|
2231 | protected function strguid2hex($strGUID) {
|
---|
2232 | $strGUID = str_replace('-', '', $strGUID);
|
---|
2233 |
|
---|
2234 | $octet_str = '\\' . substr($strGUID, 6, 2);
|
---|
2235 | $octet_str .= '\\' . substr($strGUID, 4, 2);
|
---|
2236 | $octet_str .= '\\' . substr($strGUID, 2, 2);
|
---|
2237 | $octet_str .= '\\' . substr($strGUID, 0, 2);
|
---|
2238 | $octet_str .= '\\' . substr($strGUID, 10, 2);
|
---|
2239 | $octet_str .= '\\' . substr($strGUID, 8, 2);
|
---|
2240 | $octet_str .= '\\' . substr($strGUID, 14, 2);
|
---|
2241 | $octet_str .= '\\' . substr($strGUID, 12, 2);
|
---|
2242 | //$octet_str .= '\\' . substr($strGUID, 16, strlen($strGUID));
|
---|
2243 | for ($i=16; $i<=(strlen($strGUID)-2); $i++) {
|
---|
2244 | if (($i % 2) == 0) {
|
---|
2245 | $octet_str .= '\\' . substr($strGUID, $i, 2);
|
---|
2246 | }
|
---|
2247 | }
|
---|
2248 |
|
---|
2249 | return $octet_str;
|
---|
2250 | }
|
---|
2251 |
|
---|
2252 | /**
|
---|
2253 | * Obtain the user's distinguished name based on their userid
|
---|
2254 | *
|
---|
2255 | *
|
---|
2256 | * @param string $username The username
|
---|
2257 | * @param bool $isGUID Is the username passed a GUID or a samAccountName
|
---|
2258 | * @return string
|
---|
2259 | */
|
---|
2260 | protected function user_dn($username,$isGUID=false){
|
---|
2261 | $user=$this->user_info($username,array("cn"),$isGUID);
|
---|
2262 | if ($user[0]["dn"]===NULL){ return (false); }
|
---|
2263 | $user_dn=$user[0]["dn"];
|
---|
2264 | return ($user_dn);
|
---|
2265 | }
|
---|
2266 |
|
---|
2267 | /**
|
---|
2268 | * Encode a password for transmission over LDAP
|
---|
2269 | *
|
---|
2270 | * @param string $password The password to encode
|
---|
2271 | * @return string
|
---|
2272 | */
|
---|
2273 | protected function encode_password($password){
|
---|
2274 | $password="\"".$password."\"";
|
---|
2275 | $encoded="";
|
---|
2276 | for ($i=0; $i <strlen($password); $i++){ $encoded.="{$password{$i}}\000"; }
|
---|
2277 | return ($encoded);
|
---|
2278 | }
|
---|
2279 |
|
---|
2280 | /**
|
---|
2281 | * Escape strings for the use in LDAP filters
|
---|
2282 | *
|
---|
2283 | * DEVELOPERS SHOULD BE DOING PROPER FILTERING IF THEY'RE ACCEPTING USER INPUT
|
---|
2284 | * Ported from Perl's Net::LDAP::Util escape_filter_value
|
---|
2285 | *
|
---|
2286 | * @param string $str The string the parse
|
---|
2287 | * @author Port by Andreas Gohr <[email protected]>
|
---|
2288 | * @return string
|
---|
2289 | */
|
---|
2290 | protected function ldap_slashes($str){
|
---|
2291 | return preg_replace('/([\x00-\x1F\*\(\)\\\\])/e',
|
---|
2292 | '"\\\\\".join("",unpack("H2","$1"))',
|
---|
2293 | $str);
|
---|
2294 | }
|
---|
2295 |
|
---|
2296 | /**
|
---|
2297 | * Select a random domain controller from your domain controller array
|
---|
2298 | *
|
---|
2299 | * @return string
|
---|
2300 | */
|
---|
2301 | protected function random_controller(){
|
---|
2302 | mt_srand(doubleval(microtime()) * 100000000); // For older PHP versions
|
---|
2303 | return ($this->_domain_controllers[array_rand($this->_domain_controllers)]);
|
---|
2304 | }
|
---|
2305 |
|
---|
2306 | /**
|
---|
2307 | * Account control options
|
---|
2308 | *
|
---|
2309 | * @param array $options The options to convert to int
|
---|
2310 | * @return int
|
---|
2311 | */
|
---|
2312 | protected function account_control($options){
|
---|
2313 | $val=0;
|
---|
2314 |
|
---|
2315 | if (is_array($options)){
|
---|
2316 | if (in_array("SCRIPT",$options)){ $val=$val+1; }
|
---|
2317 | if (in_array("ACCOUNTDISABLE",$options)){ $val=$val+2; }
|
---|
2318 | if (in_array("HOMEDIR_REQUIRED",$options)){ $val=$val+8; }
|
---|
2319 | if (in_array("LOCKOUT",$options)){ $val=$val+16; }
|
---|
2320 | if (in_array("PASSWD_NOTREQD",$options)){ $val=$val+32; }
|
---|
2321 | //PASSWD_CANT_CHANGE Note You cannot assign this permission by directly modifying the UserAccountControl attribute.
|
---|
2322 | //For information about how to set the permission programmatically, see the "Property flag descriptions" section.
|
---|
2323 | if (in_array("ENCRYPTED_TEXT_PWD_ALLOWED",$options)){ $val=$val+128; }
|
---|
2324 | if (in_array("TEMP_DUPLICATE_ACCOUNT",$options)){ $val=$val+256; }
|
---|
2325 | if (in_array("NORMAL_ACCOUNT",$options)){ $val=$val+512; }
|
---|
2326 | if (in_array("INTERDOMAIN_TRUST_ACCOUNT",$options)){ $val=$val+2048; }
|
---|
2327 | if (in_array("WORKSTATION_TRUST_ACCOUNT",$options)){ $val=$val+4096; }
|
---|
2328 | if (in_array("SERVER_TRUST_ACCOUNT",$options)){ $val=$val+8192; }
|
---|
2329 | if (in_array("DONT_EXPIRE_PASSWORD",$options)){ $val=$val+65536; }
|
---|
2330 | if (in_array("MNS_LOGON_ACCOUNT",$options)){ $val=$val+131072; }
|
---|
2331 | if (in_array("SMARTCARD_REQUIRED",$options)){ $val=$val+262144; }
|
---|
2332 | if (in_array("TRUSTED_FOR_DELEGATION",$options)){ $val=$val+524288; }
|
---|
2333 | if (in_array("NOT_DELEGATED",$options)){ $val=$val+1048576; }
|
---|
2334 | if (in_array("USE_DES_KEY_ONLY",$options)){ $val=$val+2097152; }
|
---|
2335 | if (in_array("DONT_REQ_PREAUTH",$options)){ $val=$val+4194304; }
|
---|
2336 | if (in_array("PASSWORD_EXPIRED",$options)){ $val=$val+8388608; }
|
---|
2337 | if (in_array("TRUSTED_TO_AUTH_FOR_DELEGATION",$options)){ $val=$val+16777216; }
|
---|
2338 | }
|
---|
2339 | return ($val);
|
---|
2340 | }
|
---|
2341 |
|
---|
2342 | /**
|
---|
2343 | * Take an LDAP query and return the nice names, without all the LDAP prefixes (eg. CN, DN)
|
---|
2344 | *
|
---|
2345 | * @param array $groups
|
---|
2346 | * @return array
|
---|
2347 | */
|
---|
2348 | protected function nice_names($groups){
|
---|
2349 |
|
---|
2350 | $group_array=array();
|
---|
2351 | for ($i=0; $i<$groups["count"]; $i++){ // For each group
|
---|
2352 | $line=$groups[$i];
|
---|
2353 |
|
---|
2354 | if (strlen($line)>0){
|
---|
2355 | // More presumptions, they're all prefixed with CN=
|
---|
2356 | // so we ditch the first three characters and the group
|
---|
2357 | // name goes up to the first comma
|
---|
2358 | $bits=explode(",",$line);
|
---|
2359 | $group_array[]=substr($bits[0],3,(strlen($bits[0])-3));
|
---|
2360 | }
|
---|
2361 | }
|
---|
2362 | return ($group_array);
|
---|
2363 | }
|
---|
2364 |
|
---|
2365 | /**
|
---|
2366 | * Delete a distinguished name from Active Directory
|
---|
2367 | * You should never need to call this yourself, just use the wrapper functions user_delete and contact_delete
|
---|
2368 | *
|
---|
2369 | * @param string $dn The distinguished name to delete
|
---|
2370 | * @return bool
|
---|
2371 | */
|
---|
2372 | protected function dn_delete($dn){
|
---|
2373 | $result=ldap_delete($this->_conn, $dn);
|
---|
2374 | if ($result!=true){ return (false); }
|
---|
2375 | return (true);
|
---|
2376 | }
|
---|
2377 |
|
---|
2378 | /**
|
---|
2379 | * Convert a boolean value to a string
|
---|
2380 | * You should never need to call this yourself
|
---|
2381 | *
|
---|
2382 | * @param bool $bool Boolean value
|
---|
2383 | * @return string
|
---|
2384 | */
|
---|
2385 | protected function bool2str($bool) {
|
---|
2386 | return ($bool) ? 'TRUE' : 'FALSE';
|
---|
2387 | }
|
---|
2388 |
|
---|
2389 | /**
|
---|
2390 | * Convert 8bit characters e.g. accented characters to UTF8 encoded characters
|
---|
2391 | */
|
---|
2392 | protected function encode8bit(&$item, $key) {
|
---|
2393 | $encode = false;
|
---|
2394 | if (is_string($item)) {
|
---|
2395 | for ($i=0; $i<strlen($item); $i++) {
|
---|
2396 | if (ord($item[$i]) >> 7) {
|
---|
2397 | $encode = true;
|
---|
2398 | }
|
---|
2399 | }
|
---|
2400 | }
|
---|
2401 | if ($encode === true && $key != 'password') {
|
---|
2402 | $item = utf8_encode($item);
|
---|
2403 | }
|
---|
2404 | }
|
---|
2405 | }
|
---|
2406 |
|
---|
2407 | /**
|
---|
2408 | * adLDAP Exception Handler
|
---|
2409 | *
|
---|
2410 | * Exceptions of this type are thrown on bind failure or when SSL is required but not configured
|
---|
2411 | * Example:
|
---|
2412 | * try {
|
---|
2413 | * $adldap = new adLDAP();
|
---|
2414 | * }
|
---|
2415 | * catch (adLDAPException $e) {
|
---|
2416 | * echo $e;
|
---|
2417 | * exit();
|
---|
2418 | * }
|
---|
2419 | */
|
---|
2420 | class adLDAPException extends Exception {}
|
---|
2421 |
|
---|
2422 | ?>
|
---|