Diffstat (limited to 'lib/SimpleSAML/Auth/LDAP.php')
-rw-r--r-- | lib/SimpleSAML/Auth/LDAP.php | 115 |
1 files changed, 60 insertions, 55 deletions
diff --git a/lib/SimpleSAML/Auth/LDAP.php b/lib/SimpleSAML/Auth/LDAP.php index 3a3679d..f8a56eb 100644 --- a/lib/SimpleSAML/Auth/LDAP.php +++ b/lib/SimpleSAML/Auth/LDAP.php @@ -22,9 +22,8 @@ if (!defined('LDAP_OPT_DIAGNOSTIC_MESSAGE')) { * @author Anders Lund, UNINETT AS. <anders.lund@uninett.no> * @package SimpleSAMLphp */ -class SimpleSAML_Auth_LDAP { - - +class SimpleSAML_Auth_LDAP +{ /** * LDAP link identifier. * @@ -55,7 +54,8 @@ class SimpleSAML_Auth_LDAP { * @param bool $referrals */ // TODO: Flesh out documentation - public function __construct($hostname, $enable_tls = TRUE, $debug = FALSE, $timeout = 0, $port = 389, $referrals = TRUE) { + public function __construct($hostname, $enable_tls = true, $debug = false, $timeout = 0, $port = 389, $referrals = true) + { // Debug SimpleSAML\Logger::debug('Library - LDAP __construct(): Setup LDAP with ' . @@ -71,7 +71,7 @@ class SimpleSAML_Auth_LDAP { * * OpenLDAP 2.x.x or Netscape Directory SDK x.x needed for this option. */ - if ($debug && !ldap_set_option(NULL, LDAP_OPT_DEBUG_LEVEL, 7)) { + if ($debug && !ldap_set_option(null, LDAP_OPT_DEBUG_LEVEL, 7)) { SimpleSAML\Logger::warning('Library - LDAP __construct(): Unable to set debug level (LDAP_OPT_DEBUG_LEVEL) to 7'); } @@ -80,7 +80,7 @@ class SimpleSAML_Auth_LDAP { * doesn't actually connect to the server. */ $this->ldap = @ldap_connect($hostname, $port); - if ($this->ldap === FALSE) { + if ($this->ldap === false) { throw $this->makeException('Library - LDAP __construct(): Unable to connect to \'' . $hostname . '\'', ERR_INTERNAL); } @@ -107,7 +107,7 @@ class SimpleSAML_Auth_LDAP { } // Enable TLS, if needed - if (stripos($hostname, "ldaps:") === FALSE and $enable_tls) { + if (stripos($hostname, "ldaps:") === false and $enable_tls) { if (!@ldap_start_tls($this->ldap)) { throw $this->makeException('Library - LDAP __construct(): Unable to force TLS', ERR_INTERNAL); } 
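Review bot: The STARTTLS guard in the last hunk, `if (stripos($hostname, "ldaps:") === false and $enable_tls)`, keeps the low-precedence `and` while the rest of the commit normalises PHP keywords; `&&` is the conventional form inside a condition and avoids precedence surprises if the expression is ever assigned. The guard is also a substring test: "ldaps:" anywhere in $hostname disables ldap_start_tls() for the whole connection, so if callers can pass a whitespace-separated URI list (which the OpenLDAP client accepts) a list mixing ldap:// and ldaps:// entries would get no STARTTLS on the plain ones even with $enable_tls set; either a comment stating that $hostname is expected to be a single URI or a per-URI check would settle it. The constructor continues past this hunk.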
@@ -123,7 +123,8 @@ class SimpleSAML_Auth_LDAP { * The exception's description * @return Exception */ - private function makeException($description, $type = NULL) { + private function makeException($description, $type = null) + { $errNo = 0x00; // Log LDAP code and description, if possible @@ -200,21 +201,21 @@ class SimpleSAML_Auth_LDAP { * - Failed to get first entry from result * - Failed to get DN for entry * @throws SimpleSAML_Error_UserNotFound if: - * - Zero entries was found + * - Zero entries were found */ - private function search($base, $attribute, $value, $searchFilter=NULL) { - + private function search($base, $attribute, $value, $searchFilter = null) + { // Create the search filter - $attribute = self::escape_filter_value($attribute, FALSE); + $attribute = self::escape_filter_value($attribute, false); $value = self::escape_filter_value($value); $filter = ''; - foreach ($attribute AS $attr) { + foreach ($attribute as $attr) { $filter .= '(' . $attr . '=' . $value. ')'; } $filter = '(|' . $filter . ')'; // Append LDAP filters if defined - if ($searchFilter!=NULL) { + if ($searchFilter != null) { $filter = "(&".$filter."".$searchFilter.")"; } @@ -222,13 +223,13 @@ class SimpleSAML_Auth_LDAP { SimpleSAML\Logger::debug('Library - LDAP search(): Searching base \'' . $base . '\' for \'' . $filter . '\''); // TODO: Should aliases be dereferenced? $result = @ldap_search($this->ldap, $base, $filter, array(), 0, 0, $this->timeout); - if ($result === FALSE) { + if ($result === false) { throw $this->makeException('Library - LDAP search(): Failed search on base \'' . $base . '\' for \'' . $filter . '\''); } // Sanity checks on search results $count = @ldap_count_entries($this->ldap, $result); - if ($count === FALSE) { + if ($count === false) { throw $this->makeException('Library - LDAP search(): Failed to get number of entries returned'); } elseif ($count > 1) { // More than one entry is found. External error 
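Review bot: `if ($searchFilter != null)` in the search() hunk is a loose comparison, so an empty string or the string '0' is treated the same as null and the extra filter is silently dropped; with the `$searchFilter = null` default the intent reads as `if ($searchFilter !== null && $searchFilter !== '')`. The line beneath it, `$filter = "(&".$filter."".$searchFilter.")";`, concatenates an empty literal and can be `$filter = '(&' . $filter . $searchFilter . ')';`. $searchFilter is appended without escaping, unlike $attribute and $value, so that contract belongs in the docblock: `@param string|null $searchFilter Additional filter inserted verbatim; the caller must supply a valid, already-escaped LDAP filter`. search() continues past this hunk.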
@@ -241,11 +242,11 @@ class SimpleSAML_Auth_LDAP { // Resolve the DN from the search result $entry = @ldap_first_entry($this->ldap, $result); - if ($entry === FALSE) { + if ($entry === false) { throw $this->makeException('Library - LDAP search(): Unable to retrieve result after searching base \'' . $base . '\' for \'' . $filter . '\''); } $dn = @ldap_get_dn($this->ldap, $entry); - if ($dn === FALSE) { + if ($dn === false) { throw $this->makeException('Library - LDAP search(): Unable to get DN after searching base \'' . $base . '\' for \'' . $filter . '\''); } // FIXME: Are we now sure, if no excepton has been thrown, that we are returning a DN? @@ -273,15 +274,15 @@ class SimpleSAML_Auth_LDAP { * - LDAP search encounter some problems when searching cataloge * - Not able to connect to LDAP server * @throws SimpleSAML_Error_UserNotFound if: - * - $allowZeroHits er TRUE and no result is found + * - $allowZeroHits is FALSE and no result is found * */ - public function searchfordn($base, $attribute, $value, $allowZeroHits = FALSE, $searchFilter = NULL) { - + public function searchfordn($base, $attribute, $value, $allowZeroHits = false, $searchFilter = null) + { // Traverse all search bases, returning DN if found $bases = SimpleSAML\Utils\Arrays::arrayize($base); - $result = NULL; - foreach ($bases AS $current) { + $result = null; + foreach ($bases as $current) { try { // Single base search $result = $this->search($current, $attribute, $value, $searchFilter); @@ -299,7 +300,7 @@ class SimpleSAML_Auth_LDAP { SimpleSAML\Logger::debug('Library - LDAP searchfordn(): No entries found'); if ($allowZeroHits) { // Zero hits allowed - return NULL; + return null; } else { // Zero hits not allowed throw $this->makeException('Library - LDAP searchfordn(): LDAP search returned zero entries for filter \'(' . 
@@ -320,11 +321,11 @@ class SimpleSAML_Auth_LDAP { * @param bool $escape Weather to escape the filter values or not * @return array */ - public function searchformultiple($bases, $filters, $attributes = array(), $and = TRUE, $escape = TRUE) { - + public function searchformultiple($bases, $filters, $attributes = array(), $and = true, $escape = true) + { // Escape the filter values, if requested if ($escape) { - $filters = $this->escape_filter_value($filters, FALSE); + $filters = $this->escape_filter_value($filters, false); } // Build search filter @@ -352,16 +353,16 @@ class SimpleSAML_Auth_LDAP { } // Search each base until result is found - $result = FALSE; + $result = false; foreach ($bases as $base) { $result = @ldap_search($this->ldap, $base, $filter, $attributes, 0, 0, $this->timeout); - if ($result !== FALSE) { - break; + if ($result !== false) { + break; } } // Verify that a result was found in one of the bases - if ($result === FALSE) { + if ($result === false) { throw $this->makeException( 'ldap:LdapConnection->search_manual : Failed to search LDAP using base(s) [' . implode('; ', $bases) . '] with filter [' . $filter . ']. LDAP error [' . @@ -377,7 +378,7 @@ class SimpleSAML_Auth_LDAP { // Get all results $results = ldap_get_entries($this->ldap, $result); - if ($results === FALSE) { + if ($results === false) { throw $this->makeException( 'ldap:LdapConnection->search_manual : Unable to retrieve entries from search results' ); @@ -424,10 +425,11 @@ class SimpleSAML_Auth_LDAP { * LDAP_INAPPROPRIATE_AUTH, LDAP_INSUFFICIENT_ACCESS * @throws SimpleSAML_Error_Exception on other errors */ - public function bind($dn, $password, array $sasl_args = NULL) { + public function bind($dn, $password, array $sasl_args = null) + { $authz_id = null; - if ($sasl_args != NULL) { + if ($sasl_args != null) { if (!function_exists('ldap_sasl_bind')) { $ex_msg = 'Library - missing SASL support'; throw $this->makeException($ex_msg); 
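Review bot: The loop comment `// Search each base until result is found` in the @@ -352 hunk does not match the code under it: the loop breaks on the first base where ldap_search() returns a resource, and a search matching zero entries still returns a resource, so later bases are only consulted after an error, never because the first base had no hits. If that is intended the comment should say so, e.g. `// Stop at the first base where the search call succeeds (zero matches count); later bases are only tried after an error`; if not, the break needs to consult ldap_count_entries() as well. The @@ -320 hunk also calls the static helper as `$this->escape_filter_value($filters, false)` whereas search() uses `self::escape_filter_value(...)`; the static form keeps the two consistent. searchformultiple() continues outside these hunks.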
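Review bot: In the bind() hunk, `array $sasl_args = null` relies on an implicitly nullable parameter and `if ($sasl_args != null)` is a loose check under which an empty array compares equal to null and falls through to the plain ldap_bind() path. Declaring it `?array $sasl_args = null` (where the project's PHP baseline allows) and testing `if ($sasl_args !== null)` makes the SASL-versus-simple-bind choice explicit; whether an empty array should select SASL needs confirming against the branch body, which lies outside this hunk.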
@@ -447,26 +449,26 @@ class SimpleSAML_Auth_LDAP { $error = @ldap_bind($this->ldap, $dn, $password); } - if ($error === TRUE) { + if ($error === true) { // Good $this->authz_id = $authz_id; SimpleSAML\Logger::debug('Library - LDAP bind(): Bind successful with DN \'' . $dn . '\''); - return TRUE; + return true; } /* Handle errors * LDAP_INVALID_CREDENTIALS * LDAP_INSUFFICIENT_ACCESS */ - switch(ldap_errno($this->ldap)) { - case 32: // LDAP_NO_SUCH_OBJECT + switch (ldap_errno($this->ldap)) { + case 32: // LDAP_NO_SUCH_OBJECT // no break - case 47: // LDAP_X_PROXY_AUTHZ_FAILURE + case 47: // LDAP_X_PROXY_AUTHZ_FAILURE // no break - case 48: // LDAP_INAPPROPRIATE_AUTH + case 48: // LDAP_INAPPROPRIATE_AUTH // no break - case 49: // LDAP_INVALID_CREDENTIALS + case 49: // LDAP_INVALID_CREDENTIALS // no break - case 50: // LDAP_INSUFFICIENT_ACCESS + case 50: // LDAP_INSUFFICIENT_ACCESS return false; default: break; @@ -485,12 +487,12 @@ class SimpleSAML_Auth_LDAP { * @param $value * @return void */ - public function setOption($option, $value) { - + public function setOption($option, $value) + { // Attempt to set the LDAP option if (!@ldap_set_option($this->ldap, $option, $value)) { throw $this->makeException( - 'ldap:LdapConnection->setOption : Failed to set LDAP option [' . + 'ldap:LdapConnection->setOption : Failed to set LDAP option [' . $option . '] with the value [' . $value . '] error: ' . ldap_error($this->ldap), ERR_INTERNAL ); @@ -520,8 +522,8 @@ class SimpleSAML_Auth_LDAP { * The array of attributes and their values. * @see http://no.php.net/manual/en/function.ldap-read.php */ - public function getAttributes($dn, $attributes = NULL, $maxsize = NULL) { - + public function getAttributes($dn, $attributes = null, $maxsize = null) + { // Preparations, including a pretty debug message... $description = 'all attributes'; if (is_array($attributes)) { 
@@ -597,8 +599,8 @@ class SimpleSAML_Auth_LDAP { * @return array|bool */ // TODO: Documentation; only cleared up exception/log messages - public function validate($config, $username, $password = null) { - + public function validate($config, $username, $password = null) + { /* Escape any characters with a special meaning in LDAP. The following * characters have a special meaning (according to RFC 2253): * ',', '+', '"', '\', '<', '>', ';', '*' @@ -620,7 +622,7 @@ class SimpleSAML_Auth_LDAP { $password = addcslashes($password, ',+"\\<>;*'); if (!$this->bind($dn, $password)) { SimpleSAML\Logger::info('Library - LDAP validate(): Failed to authenticate \''. $username . '\' using DN \'' . $dn . '\''); - return FALSE; + return false; } } @@ -646,7 +648,8 @@ class SimpleSAML_Auth_LDAP { * @param array $values Array of values to escape * @return array Array $values, but escaped */ - public static function escape_filter_value($values = array(), $singleValue = TRUE) { + public static function escape_filter_value($values = array(), $singleValue = true) + { // Parameter validation if (!is_array($values)) { $values = array($values); @@ -685,7 +688,8 @@ class SimpleSAML_Auth_LDAP { * @static * @return string */ - public static function asc2hex32($string) { + public static function asc2hex32($string) + { for ($i = 0; $i < strlen($string); $i++) { $char = substr($string, $i, 1); if (ord($char) < 32) { @@ -702,7 +706,8 @@ class SimpleSAML_Auth_LDAP { /** * Convert SASL authz_id into a DN */ - private function authzid_to_dn($searchBase, $searchAttributes, $authz_id) { + private function authzid_to_dn($searchBase, $searchAttributes, $authz_id) + { if (preg_match("/^dn:/", $authz_id)) { return preg_replace("/^dn:/", "", $authz_id); } 
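Review bot: In the @@ -620 hunk the password is escaped with DN rules before binding, `$password = addcslashes($password, ',+"\\<>;*');`, and then handed to `$this->bind($dn, $password)`; a simple bind transmits the password as an opaque octet string, so this alters any credential containing those characters and the bind fails for a correct password (a denial of valid logins, not a bypass). Unless something earlier in validate() undoes the escaping, the fix is to drop that line and bind with the password as given; escaping $username for use in the DN is a separate concern. validate() starts in the earlier hunk and its body continues outside both.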
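Review bot: asc2hex32() in the @@ -685 hunk re-evaluates `strlen($string)` on every iteration and extracts each byte with `substr($string, $i, 1)`; hoisting the length once and indexing directly, `$char = $string[$i];`, reads more clearly. Byte-wise access is appropriate here since the loop tests `ord($char) < 32`, and a docblock line saying the function operates on bytes, not characters, would prevent a later "fix" to mb_* functions; what it substitutes for each control byte lies past the hunk's end.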
@@ -723,7 +728,8 @@ class SimpleSAML_Auth_LDAP { * And the patch against lastest PHP release: * http://cvsweb.netbsd.org/bsdweb.cgi/pkgsrc/databases/php-ldap/files/ldap-ctrl-exop.patch */ - public function whoami($searchBase, $searchAttributes) { + public function whoami($searchBase, $searchAttributes) + { $authz_id = ''; if (function_exists('ldap_exop_whoami')) { @@ -742,5 +748,4 @@ class SimpleSAML_Auth_LDAP { return $dn; } - } |