A PHP LDAP library example
<?php
// error_reporting(E_ALL);
// Script prelude. The LDAP class below reads its settings from the global
// array $ldap_sadmin, which is not defined in this file — presumably it is
// populated by an earlier include (TODO confirm).
// $domain is a script-level variable; a class method only sees it if it
// declares `global $domain` explicitly.
// connect to ldap server
$domain = "example.com";
// PHP hoists a plain class declaration within a file, so constructing it
// before the `class LDAP` line works; the constructor validates the URI
// via ldap_connect() but does not contact the server yet.
$ldap = new LDAP();
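/**
 * Thin wrapper around ext/ldap for an Active Directory style directory.
 *
 * Configuration comes from the global array $ldap_sadmin, read once in the
 * constructor. Keys this class reads: ldapServer, domain, domainDN,
 * domainClientsDN, admin_group, username, password.
 *
 * Authentication state lives in $_SESSION: 'username', 'level' ("admin" or
 * "user") and the attributes returned by getLdapUserAttr().
 *
 * The connection is opened with plain ldap://. Active Directory refuses
 * unicodePwd modifications (see changePassword()) over an unencrypted
 * connection, so production deployments are expected to use ldaps:// or
 * STARTTLS on the configured server.
 */
class LDAP
{
    /** @var resource|\LDAP\Connection|string Connection handle; "" until the constructor runs. */
    public $ldapconn = "";

    /** @var array Copy of the global $ldap_sadmin configuration array. */
    public $ldap_sadmin;

    /**
     * Copies the global configuration and prepares the LDAP connection handle.
     *
     * @throws RuntimeException when $ldap_sadmin has no 'ldapServer' entry or
     *                          ldap_connect() rejects the resulting URI.
     */
    public function __construct()
    {
        global $ldap_sadmin;
        $this->ldap_sadmin = is_array($ldap_sadmin) ? $ldap_sadmin : array();

        if (empty($this->ldap_sadmin['ldapServer'])) {
            throw new RuntimeException('LDAP configuration ($ldap_sadmin) is missing the ldapServer entry.');
        }

        // ldap_connect() only validates the URI; the TCP session is opened lazily on the first bind.
        $conn = ldap_connect("ldap://" . $this->ldap_sadmin['ldapServer']);
        if (!$conn) {
            throw new RuntimeException("Could not connect to LDAP server.");
        }
        $this->ldapconn = $conn;

        // Protocol v3 is required by Active Directory; referral chasing is
        // disabled because AD returns referrals that an unbound client cannot follow.
        ldap_set_option($this->ldapconn, LDAP_OPT_PROTOCOL_VERSION, 3);
        ldap_set_option($this->ldapconn, LDAP_OPT_REFERRALS, 0);
    }

    /**
     * Authenticates a user by binding as <username>@<domain> and records the
     * session state ('username', user attributes, 'level').
     *
     * An empty password is rejected up front: ldap_bind() with an empty
     * credential performs an anonymous/unauthenticated bind, which Active
     * Directory accepts, so without this check any username would "log in".
     * The clear-text password is deliberately not stored in the session;
     * nothing in this class reads it back.
     *
     * @param string $username sAMAccountName without the domain suffix
     * @param string $password clear-text password
     * @return bool true when the bind succeeded, false otherwise
     */
    public function login($username, $password)
    {
        if (!is_string($username) || !is_string($password) || $username === '' || $password === '') {
            return false;
        }

        $bound = ldap_bind($this->ldapconn, $username . "@" . $this->ldap_sadmin['domain'], $password);
        if (!$bound) {
            return false;
        }

        // Rotate the session id on privilege change to defeat session fixation.
        if (function_exists('session_status') && session_status() === PHP_SESSION_ACTIVE) {
            session_regenerate_id(true);
        }

        $_SESSION['username'] = $username;

        $userAttr = $this->getLdapUserAttr($username);
        foreach ($userAttr as $attr => $value) {
            $_SESSION[$attr] = $value;
        }

        $isAdmin = isset($userAttr['groups']) && $this->checkGroup($userAttr['groups']);
        $_SESSION['level'] = $isAdmin ? "admin" : "user";
        return true;
    }

    /**
     * Changes a user's password via the AD unicodePwd attribute.
     *
     * A user may change their own password after re-authenticating with the
     * current one; an admin session may change any user's password. The
     * modification itself is done with the configured service account.
     *
     * @param string $username  sAMAccountName of the account to change
     * @param string $password  current password (only checked for self-service changes)
     * @param string $npassword new password
     * @return bool|string true on success, otherwise a human-readable error string
     */
    public function changePassword($username, $password, $npassword)
    {
        $sessionUser = isset($_SESSION['username']) ? $_SESSION['username'] : null;

        if ($username !== $sessionUser) {
            if (!$this->isAdmin()) {
                return "You don't have enough permissions to change another user password!";
            }
        } else {
            // Re-authenticate before a self-service change. An empty password
            // would turn this into an anonymous bind, so reject it explicitly.
            $upn = $username . "@" . $this->ldap_sadmin['domain'];
            if (!is_string($password) || $password === '' || !ldap_bind($this->ldapconn, $upn, $password)) {
                return "Wrong password";
            }
        }

        if (!is_string($npassword) || $npassword === '') {
            return "Error: the new password must not be empty";
        }

        $rootUpn = $this->ldap_sadmin['username'] . "@" . $this->ldap_sadmin['domain'];
        if (!ldap_bind($this->ldapconn, $rootUpn, $this->ldap_sadmin['password'])) {
            return $this->lastErrorMessage();
        }

        $userAttr = $this->getLdapUserAttr($username);
        if (empty($userAttr['distinguishedname'])) {
            return "Error: user '" . $username . "' not found";
        }

        $entry = array("unicodePwd" => self::encodeUnicodePwd($npassword));
        if (!ldap_mod_replace($this->ldapconn, $userAttr['distinguishedname'], $entry)) {
            return $this->lastErrorMessage();
        }
        return true;
    }

    /**
     * Encodes a password the way AD expects for the unicodePwd attribute:
     * the value wrapped in double quotes and transcoded to UTF-16LE.
     *
     * Uses mbstring when available; the fallback interleaves NUL bytes and is
     * therefore only correct for ASCII passwords.
     *
     * @param string $password clear-text password
     * @return string binary UTF-16LE encoded, quoted password
     */
    public static function encodeUnicodePwd($password)
    {
        $quoted = '"' . $password . '"';
        if (function_exists('mb_convert_encoding')) {
            return mb_convert_encoding($quoted, 'UTF-16LE', 'UTF-8');
        }
        $encoded = '';
        $len = strlen($quoted);
        for ($i = 0; $i < $len; $i++) {
            $encoded .= $quoted[$i] . "\0";
        }
        return $encoded;
    }

    /**
     * Looks up a user by sAMAccountName and returns a flat attribute map.
     *
     * Keys are lower-cased attribute names holding the first value; group
     * membership (memberOf) is returned as a list under 'groups'. The username
     * is filter-escaped, so a value like "*" or ")(" cannot widen the search.
     *
     * @param string $username sAMAccountName
     * @return array attribute map; empty when the search fails or finds nothing
     */
    public function getLdapUserAttr($username)
    {
        $attrs = array();

        $filter = "(sAMAccountName=" . ldap_escape((string) $username, '', LDAP_ESCAPE_FILTER) . ")";
        $wanted = array("displayName", "description", "cn", "distinguishedName", "givenName", "sn", "mail", "company", "memberof");

        $search = ldap_search($this->ldapconn, $this->ldap_sadmin['domainDN'], $filter, $wanted);
        if (!$search) {
            return $attrs;
        }
        $entries = ldap_get_entries($this->ldapconn, $search);
        if (!$entries || empty($entries['count'])) {
            return $attrs;
        }
        $entry = $entries[0];

        foreach ($wanted as $name) {
            // ldap_get_entries() lower-cases attribute names.
            $key = strtolower($name);
            if (!isset($entry[$key])) {
                continue;
            }
            if ($key === "memberof" && is_array($entry[$key])) {
                foreach ($entry[$key] as $idx => $groupDN) {
                    // Each multi-valued attribute carries a numeric 'count' element alongside the values.
                    if ($idx === 'count' || !is_string($groupDN)) {
                        continue;
                    }
                    $attrs['groups'][] = $groupDN;
                }
            } elseif (isset($entry[$key][0])) {
                $attrs[$key] = $entry[$key][0];
            }
        }
        return $attrs;
    }

    /**
     * Tells whether one of the given group DNs is the configured admin group.
     *
     * The configured 'admin_group' may be the full DN, a single RDN
     * ("CN=Admins") or a bare RDN value ("Admins"); comparison is exact and
     * case-insensitive per component, so "Admin" no longer matches
     * "CN=Administrators,..." the way a substring test would.
     *
     * @param array $userMemberOf list of group DNs (memberOf values)
     * @return bool
     */
    public function checkGroup($userMemberOf)
    {
        $adminGroup = isset($this->ldap_sadmin['admin_group']) ? trim((string) $this->ldap_sadmin['admin_group']) : '';
        if ($adminGroup === '' || !is_array($userMemberOf)) {
            return false;
        }
        foreach ($userMemberOf as $groupDN) {
            if (!is_string($groupDN)) {
                continue;
            }
            foreach (self::dnComponents($groupDN) as $candidate) {
                if (strcasecmp($candidate, $adminGroup) === 0) {
                    return true;
                }
            }
        }
        return false;
    }

    /**
     * Creates an organizationalUnit under domainClientsDN. Admin session required.
     *
     * @param string $orgFullName  currently unused (kept for callers)
     * @param string $orgShortName OU name; used as the RDN value
     * @return bool|string true/false from ldap_add(), or a permission error string
     */
    public function addOrganization($orgFullName, $orgShortName)
    {
        if (!$this->isAdmin()) {
            return "You have no enough permissions to perform this action!";
        }
        if (!is_string($orgShortName) || trim($orgShortName) === '') {
            return false;
        }

        // DN-escape the RDN value so a name containing ',' or '=' cannot alter the target location.
        $dn = "OU=" . ldap_escape($orgShortName, '', LDAP_ESCAPE_DN) . "," . $this->ldap_sadmin["domainClientsDN"];
        $entry = array(
            "objectClass" => array("top", "organizationalUnit"),
            "ou" => $orgShortName,
        );
        return (bool) ldap_add($this->ldapconn, $dn, $entry);
    }

    /**
     * Creates a user object inside an organization OU. Admin session required.
     *
     * @param array $arrNewUser keys: name, surname, mail, password, username, clOrganization
     * @return string "OK" on success, otherwise an "Error: ..." / permission message
     */
    public function addOrganizationUser($arrNewUser)
    {
        if (!$this->isAdmin()) {
            return "You have no enough permissions to perform this action!";
        }
        if (!is_array($arrNewUser)) {
            return "Error: user data must be an array";
        }
        foreach (array('name', 'surname', 'mail', 'password', 'username', 'clOrganization') as $field) {
            if (!isset($arrNewUser[$field]) || $arrNewUser[$field] === '') {
                return "Error: missing field '" . $field . "'";
            }
        }

        $cn = $arrNewUser['name'] . " " . $arrNewUser['surname'];
        $userinfo = array(
            'cn' => $cn,
            'sn' => $arrNewUser['surname'],
            'mail' => $arrNewUser['mail'],
            // The original self-assigned an undefined index here; AD's 'name'
            // attribute is the RDN value, which is the cn — TODO confirm.
            'name' => $cn,
            'givenName' => $arrNewUser['name'],
            'displayName' => $cn,
            'userpassword' => $arrNewUser['password'],
            'sAMAccountName' => $arrNewUser['username'],
            'UserPrincipalName' => $arrNewUser['mail'],
            // 65536 = DONT_EXPIRE_PASSWD, as in the original; whether AD also
            // needs NORMAL_ACCOUNT (512) OR-ed in is not verified here.
            'useraccountcontrol' => "65536",
            'objectclass' => array('top', 'person', 'organizationalPerson', 'user'),
        );

        $dn = "CN=" . ldap_escape($cn, '', LDAP_ESCAPE_DN)
            . ",OU=" . ldap_escape((string) $arrNewUser["clOrganization"], '', LDAP_ESCAPE_DN)
            . "," . $this->ldap_sadmin["domainClientsDN"];

        if (!ldap_add($this->ldapconn, $dn, $userinfo)) {
            return $this->lastErrorMessage();
        }
        return "OK";
    }

    /**
     * Lists the OU names directly under domainClientsDN, sorted by value
     * (asort(), so original keys are preserved).
     *
     * @return array OU names; empty when the listing fails
     */
    public function listOrganization()
    {
        $orgs = array();

        $result = ldap_list($this->ldapconn, $this->ldap_sadmin['domainClientsDN'], "ou=*", array("ou"));
        if (!$result) {
            return $orgs;
        }
        $entries = ldap_get_entries($this->ldapconn, $result);
        if (!$entries) {
            return $orgs;
        }

        $count = isset($entries["count"]) ? (int) $entries["count"] : 0;
        for ($i = 0; $i < $count; $i++) {
            if (isset($entries[$i]["ou"][0])) {
                $orgs[] = $entries[$i]["ou"][0];
            }
        }
        asort($orgs);
        return $orgs;
    }

    /**
     * @return bool true when the current session was granted the "admin" level by login().
     */
    private function isAdmin()
    {
        return isset($_SESSION['level']) && $_SESSION['level'] === 'admin';
    }

    /**
     * Formats the last LDAP error on the connection as "Error: (errno) - message".
     *
     * @return string
     */
    private function lastErrorMessage()
    {
        return "Error: (" . ldap_errno($this->ldapconn) . ") - " . ldap_error($this->ldapconn);
    }

    /**
     * Splits a DN into the comparison candidates used by checkGroup(): the
     * whole DN, each RDN ("CN=x") and each RDN value ("x"). Commas escaped
     * with a backslash (RFC 4514) do not split.
     *
     * @param string $dn distinguished name
     * @return array list of trimmed strings
     */
    private static function dnComponents($dn)
    {
        $names = array(trim($dn));
        $rdns = preg_split('/(?<!\\\\),/', $dn);
        if ($rdns === false) {
            return $names;
        }
        foreach ($rdns as $rdn) {
            $rdn = trim($rdn);
            $names[] = $rdn;
            $eq = strpos($rdn, '=');
            if ($eq !== false) {
                $names[] = trim(substr($rdn, $eq + 1));
            }
        }
        return $names;
    }
}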
// function addUser(ldapconn, $arrNewUser){
// if ($_SESSION['level'] != "admin")
// return "You have no enough permissions to perform this action!";
// $nuserDN = "CN=" . explode(" ", $arrNewUser)[0];
// $nuserDN .= ",CN=" . $arrNewUser["clOrganization"] . "," . $ldap_sadmin["domainDN"];
// $result = ldap_add(ldapconn, $nuserDN, $arrNewUser['attr']);
// if (!$result){
// return "Error: (" . ldap_errno(ldapconn) . ") - ". ldap_error(ldapconn);
// } else {
// return "OK";
// }
// }