- <?php
-
- /**
- * Zend Framework
- *
- * LICENSE
- *
- * This source file is subject to the new BSD license that is bundled
- * with this package in the file LICENSE.txt.
- * It is also available through the world-wide-web at this URL:
- * http://framework.zend.com/license/new-bsd
- * If you did not receive a copy of the license and are unable to
- * obtain it through the world-wide-web, please send an email
- * to license@zend.com so we can send you a copy immediately.
- *
- * @category Zend
- * @package Zend_Ldap
- * @copyright Copyright (c) 2005-2012 Zend Technologies USA Inc. (http://www.zend.com)
- * @license http://framework.zend.com/license/new-bsd New BSD License
- * @version $Id: Ldap.php 24594 2012-01-05 21:27:01Z matthew $
- */
-
- /**
- * @category Zend
- * @package Zend_Ldap
- * @copyright Copyright (c) 2005-2012 Zend Technologies USA Inc. (http://www.zend.com)
- * @license http://framework.zend.com/license/new-bsd New BSD License
- */
- class Zend_Ldap
- {
- const SEARCH_SCOPE_SUB = 1;
- const SEARCH_SCOPE_ONE = 2;
- const SEARCH_SCOPE_BASE = 3;
-
- const ACCTNAME_FORM_DN = 1;
- const ACCTNAME_FORM_USERNAME = 2;
- const ACCTNAME_FORM_BACKSLASH = 3;
- const ACCTNAME_FORM_PRINCIPAL = 4;
-
- /**
- * String used with ldap_connect for error handling purposes.
- *
- * @var string
- */
- private $_connectString;
-
- /**
- * The options used in connecting, binding, etc.
- *
- * @var array
- */
- protected $_options = null;
-
- /**
- * The raw LDAP extension resource.
- *
- * @var resource
- */
- protected $_resource = null;
-
- /**
- * FALSE if no user is bound to the LDAP resource
- * NULL if there has been an anonymous bind
- * username of the currently bound user
- *
- * @var boolean|null|string
- */
- protected $_boundUser = false;
-
- /**
- * Caches the RootDSE
- *
- * @var Zend_Ldap_Node
- */
- protected $_rootDse = null;
-
- /**
- * Caches the schema
- *
- * @var Zend_Ldap_Node
- */
- protected $_schema = null;
-
- /**
- * @deprecated will be removed, use {@see Zend_Ldap_Filter_Abstract::escapeValue()}
- * @param string $str The string to escape.
- * @return string The escaped string
- */
- public static function filterEscape($str)
- {
- /**
- * @see Zend_Ldap_Filter_Abstract
- */
- require_once 'Zend/Ldap/Filter/Abstract.php';
- return Zend_Ldap_Filter_Abstract::escapeValue($str);
- }
-
- /**
- * @deprecated will be removed, use {@see Zend_Ldap_Dn::checkDn()}
- * @param string $dn The DN to parse
- * @param array $keys An optional array to receive DN keys (e.g. CN, OU, DC, ...)
- * @param array $vals An optional array to receive DN values
- * @return boolean True if the DN was successfully parsed or false if the string is
- * not a valid DN.
- */
- public static function explodeDn($dn, array &$keys = null, array &$vals = null)
- {
- /**
- * @see Zend_Ldap_Dn
- */
- require_once 'Zend/Ldap/Dn.php';
- return Zend_Ldap_Dn::checkDn($dn, $keys, $vals);
- }
-
- /**
- * Constructor.
- *
- * @param array|Zend_Config $options Options used in connecting, binding, etc.
- * @return void
- * @throws Zend_Ldap_Exception if ext/ldap is not installed
- */
- public function __construct($options = array())
- {
- if (!extension_loaded('ldap')) {
- /**
- * @see Zend_Ldap_Exception
- */
- require_once 'Zend/Ldap/Exception.php';
- throw new Zend_Ldap_Exception(null, 'LDAP extension not loaded',
- Zend_Ldap_Exception::LDAP_X_EXTENSION_NOT_LOADED);
- }
- $this->setOptions($options);
- }
-
- /**
- * Destructor.
- *
- * @return void
- */
- public function __destruct()
- {
- $this->disconnect();
- }
-
- /**
- * @return resource The raw LDAP extension resource.
- */
- public function getResource()
- {
- if (!is_resource($this->_resource) || $this->_boundUser === false) {
- $this->bind();
- }
- return $this->_resource;
- }
-
- /**
- * Return the LDAP error number of the last LDAP command
- *
- * @return int
- */
- public function getLastErrorCode()
- {
- $ret = @ldap_get_option($this->_resource, LDAP_OPT_ERROR_NUMBER, $err);
- if ($ret === true) {
- if ($err <= -1 && $err >= -17) {
- /**
- * @see Zend_Ldap_Exception
- */
- require_once 'Zend/Ldap/Exception.php';
- /* For some reason draft-ietf-ldapext-ldap-c-api-xx.txt error
- * codes in OpenLDAP are negative values from -1 to -17.
- */
- $err = Zend_Ldap_Exception::LDAP_SERVER_DOWN + (-$err - 1);
- }
- return $err;
- }
- return 0;
- }
-
- /**
- * Return the LDAP error message of the last LDAP command
- *
- * @param int $errorCode
- * @param array $errorMessages
- * @return string
- */
- public function getLastError(&$errorCode = null, array &$errorMessages = null)
- {
- $errorCode = $this->getLastErrorCode();
- $errorMessages = array();
-
- /* The various error retrieval functions can return
- * different things so we just try to collect what we
- * can and eliminate dupes.
- */
- $estr1 = @ldap_error($this->_resource);
- if ($errorCode !== 0 && $estr1 === 'Success') {
- $estr1 = @ldap_err2str($errorCode);
- }
- if (!empty($estr1)) {
- $errorMessages[] = $estr1;
- }
-
- @ldap_get_option($this->_resource, LDAP_OPT_ERROR_STRING, $estr2);
- if (!empty($estr2) && !in_array($estr2, $errorMessages)) {
- $errorMessages[] = $estr2;
- }
-
- $message = '';
- if ($errorCode > 0) {
- $message = '0x' . dechex($errorCode) . ' ';
- } else {
- $message = '';
- }
- if (count($errorMessages) > 0) {
- $message .= '(' . implode('; ', $errorMessages) . ')';
- } else {
- $message .= '(no error message from LDAP)';
- }
- return $message;
- }
-
- /**
- * Get the currently bound user
- *
- * FALSE if no user is bound to the LDAP resource
- * NULL if there has been an anonymous bind
- * username of the currently bound user
- *
- * @return false|null|string
- */
- public function getBoundUser()
- {
- return $this->_boundUser;
- }
-
- /**
- * Sets the options used in connecting, binding, etc.
- *
- * Valid option keys:
- * host
- * port
- * useSsl
- * username
- * password
- * bindRequiresDn
- * baseDn
- * accountCanonicalForm
- * accountDomainName
- * accountDomainNameShort
- * accountFilterFormat
- * allowEmptyPassword
- * useStartTls
- * optRefferals
- * tryUsernameSplit
- *
- * @param array|Zend_Config $options Options used in connecting, binding, etc.
- * @return Zend_Ldap Provides a fluent interface
- * @throws Zend_Ldap_Exception
- */
- public function setOptions($options)
- {
- if ($options instanceof Zend_Config) {
- $options = $options->toArray();
- }
-
- $permittedOptions = array(
- 'host' => null,
- 'port' => 0,
- 'useSsl' => false,
- 'username' => null,
- 'password' => null,
- 'bindRequiresDn' => false,
- 'baseDn' => null,
- 'accountCanonicalForm' => null,
- 'accountDomainName' => null,
- 'accountDomainNameShort' => null,
- 'accountFilterFormat' => null,
- 'allowEmptyPassword' => false,
- 'useStartTls' => false,
- 'optReferrals' => false,
- 'tryUsernameSplit' => true,
- );
-
- foreach ($permittedOptions as $key => $val) {
- if (array_key_exists($key, $options)) {
- $val = $options[$key];
- unset($options[$key]);
- /* Enforce typing. This eliminates issues like Zend_Config_Ini
- * returning '1' as a string (ZF-3163).
- */
- switch ($key) {
- case 'port':
- case 'accountCanonicalForm':
- $permittedOptions[$key] = (int)$val;
- break;
- case 'useSsl':
- case 'bindRequiresDn':
- case 'allowEmptyPassword':
- case 'useStartTls':
- case 'optReferrals':
- case 'tryUsernameSplit':
- $permittedOptions[$key] = ($val === true ||
- $val === '1' || strcasecmp($val, 'true') == 0);
- break;
- default:
- $permittedOptions[$key] = trim($val);
- break;
- }
- }
- }
- if (count($options) > 0) {
- $key = key($options);
- /**
- * @see Zend_Ldap_Exception
- */
- require_once 'Zend/Ldap/Exception.php';
- throw new Zend_Ldap_Exception(null, "Unknown Zend_Ldap option: $key");
- }
- $this->_options = $permittedOptions;
- return $this;
- }
-
- /**
- * @return array The current options.
- */
- public function getOptions()
- {
- return $this->_options;
- }
-
- /**
- * @return string The hostname of the LDAP server being used to authenticate accounts
- */
- protected function _getHost()
- {
- return $this->_options['host'];
- }
-
- /**
- * @return int The port of the LDAP server or 0 to indicate that no port value is set
- */
- protected function _getPort()
- {
- return $this->_options['port'];
- }
-
- /**
- * @return boolean The default SSL / TLS encrypted transport control
- */
- protected function _getUseSsl()
- {
- return $this->_options['useSsl'];
- }
-
- /**
- * @return string The default acctname for binding
- */
- protected function _getUsername()
- {
- return $this->_options['username'];
- }
-
- /**
- * @return string The default password for binding
- */
- protected function _getPassword()
- {
- return $this->_options['password'];
- }
-
- /**
- * @return boolean Bind requires DN
- */
- protected function _getBindRequiresDn()
- {
- return $this->_options['bindRequiresDn'];
- }
-
- /**
- * Gets the base DN under which objects of interest are located
- *
- * @return string
- */
- public function getBaseDn()
- {
- return $this->_options['baseDn'];
- }
-
- /**
- * @return integer Either ACCTNAME_FORM_BACKSLASH, ACCTNAME_FORM_PRINCIPAL or
- * ACCTNAME_FORM_USERNAME indicating the form usernames should be canonicalized to.
- */
- protected function _getAccountCanonicalForm()
- {
- /* Account names should always be qualified with a domain. In some scenarios
- * using non-qualified account names can lead to security vulnerabilities. If
- * no account canonical form is specified, we guess based in what domain
- * names have been supplied.
- */
-
- $accountCanonicalForm = $this->_options['accountCanonicalForm'];
- if (!$accountCanonicalForm) {
- $accountDomainName = $this->_getAccountDomainName();
- $accountDomainNameShort = $this->_getAccountDomainNameShort();
- if ($accountDomainNameShort) {
- $accountCanonicalForm = Zend_Ldap::ACCTNAME_FORM_BACKSLASH;
- } else if ($accountDomainName) {
- $accountCanonicalForm = Zend_Ldap::ACCTNAME_FORM_PRINCIPAL;
- } else {
- $accountCanonicalForm = Zend_Ldap::ACCTNAME_FORM_USERNAME;
- }
- }
-
- return $accountCanonicalForm;
- }
-
- /**
- * @return string The account domain name
- */
- protected function _getAccountDomainName()
- {
- return $this->_options['accountDomainName'];
- }
-
- /**
- * @return string The short account domain name
- */
- protected function _getAccountDomainNameShort()
- {
- return $this->_options['accountDomainNameShort'];
- }
-
- /**
- * @return string A format string for building an LDAP search filter to match
- * an account
- */
- protected function _getAccountFilterFormat()
- {
- return $this->_options['accountFilterFormat'];
- }
-
- /**
- * @return boolean Allow empty passwords
- */
- protected function _getAllowEmptyPassword()
- {
- return $this->_options['allowEmptyPassword'];
- }
-
- /**
- * @return boolean The default SSL / TLS encrypted transport control
- */
- protected function _getUseStartTls()
- {
- return $this->_options['useStartTls'];
- }
-
- /**
- * @return boolean Opt. Referrals
- */
- protected function _getOptReferrals()
- {
- return $this->_options['optReferrals'];
- }
-
- /**
- * @return boolean Try splitting the username into username and domain
- */
- protected function _getTryUsernameSplit()
- {
- return $this->_options['tryUsernameSplit'];
- }
-
- /**
- * @return string The LDAP search filter for matching directory accounts
- */
- protected function _getAccountFilter($acctname)
- {
- /**
- * @see Zend_Ldap_Filter_Abstract
- */
- require_once 'Zend/Ldap/Filter/Abstract.php';
- $this->_splitName($acctname, $dname, $aname);
- $accountFilterFormat = $this->_getAccountFilterFormat();
- $aname = Zend_Ldap_Filter_Abstract::escapeValue($aname);
- if ($accountFilterFormat) {
- return sprintf($accountFilterFormat, $aname);
- }
- if (!$this->_getBindRequiresDn()) {
- // is there a better way to detect this?
- return sprintf("(&(objectClass=user)(sAMAccountName=%s))", $aname);
- }
- return sprintf("(&(objectClass=posixAccount)(uid=%s))", $aname);
- }
-
- /**
- * @param string $name The name to split
- * @param string $dname The resulting domain name (this is an out parameter)
- * @param string $aname The resulting account name (this is an out parameter)
- * @return void
- */
- protected function _splitName($name, &$dname, &$aname)
- {
- $dname = null;
- $aname = $name;
-
- if (!$this->_getTryUsernameSplit()) {
- return;
- }
-
- $pos = strpos($name, '@');
- if ($pos) {
- $dname = substr($name, $pos + 1);
- $aname = substr($name, 0, $pos);
- } else {
- $pos = strpos($name, '\\');
- if ($pos) {
- $dname = substr($name, 0, $pos);
- $aname = substr($name, $pos + 1);
- }
- }
- }
-
- /**
- * @param string $acctname The name of the account
- * @return string The DN of the specified account
- * @throws Zend_Ldap_Exception
- */
- protected function _getAccountDn($acctname)
- {
- /**
- * @see Zend_Ldap_Dn
- */
- require_once 'Zend/Ldap/Dn.php';
- if (Zend_Ldap_Dn::checkDn($acctname)) return $acctname;
- $acctname = $this->getCanonicalAccountName($acctname, Zend_Ldap::ACCTNAME_FORM_USERNAME);
- $acct = $this->_getAccount($acctname, array('dn'));
- return $acct['dn'];
- }
-
- /**
- * @param string $dname The domain name to check
- * @return boolean
- */
- protected function _isPossibleAuthority($dname)
- {
- if ($dname === null) {
- return true;
- }
- $accountDomainName = $this->_getAccountDomainName();
- $accountDomainNameShort = $this->_getAccountDomainNameShort();
- if ($accountDomainName === null && $accountDomainNameShort === null) {
- return true;
- }
- if (strcasecmp($dname, $accountDomainName) == 0) {
- return true;
- }
- if (strcasecmp($dname, $accountDomainNameShort) == 0) {
- return true;
- }
- return false;
- }
-
- /**
- * @param string $acctname The name to canonicalize
- * @param int $type The desired form of canonicalization
- * @return string The canonicalized name in the desired form
- * @throws Zend_Ldap_Exception
- */
- public function getCanonicalAccountName($acctname, $form = 0)
- {
- $this->_splitName($acctname, $dname, $uname);
-
- if (!$this->_isPossibleAuthority($dname)) {
- /**
- * @see Zend_Ldap_Exception
- */
- require_once 'Zend/Ldap/Exception.php';
- throw new Zend_Ldap_Exception(null,
- "Binding domain is not an authority for user: $acctname",
- Zend_Ldap_Exception::LDAP_X_DOMAIN_MISMATCH);
- }
-
- if (!$uname) {
- /**
- * @see Zend_Ldap_Exception
- */
- require_once 'Zend/Ldap/Exception.php';
- throw new Zend_Ldap_Exception(null, "Invalid account name syntax: $acctname");
- }
-
- if (function_exists('mb_strtolower')) {
- $uname = mb_strtolower($uname, 'UTF-8');
- } else {
- $uname = strtolower($uname);
- }
-
- if ($form === 0) {
- $form = $this->_getAccountCanonicalForm();
- }
-
- switch ($form) {
- case Zend_Ldap::ACCTNAME_FORM_DN:
- return $this->_getAccountDn($acctname);
- case Zend_Ldap::ACCTNAME_FORM_USERNAME:
- return $uname;
- case Zend_Ldap::ACCTNAME_FORM_BACKSLASH:
- $accountDomainNameShort = $this->_getAccountDomainNameShort();
- if (!$accountDomainNameShort) {
- /**
- * @see Zend_Ldap_Exception
- */
- require_once 'Zend/Ldap/Exception.php';
- throw new Zend_Ldap_Exception(null, 'Option required: accountDomainNameShort');
- }
- return "$accountDomainNameShort\\$uname";
- case Zend_Ldap::ACCTNAME_FORM_PRINCIPAL:
- $accountDomainName = $this->_getAccountDomainName();
- if (!$accountDomainName) {
- /**
- * @see Zend_Ldap_Exception
- */
- require_once 'Zend/Ldap/Exception.php';
- throw new Zend_Ldap_Exception(null, 'Option required: accountDomainName');
- }
- return "$uname@$accountDomainName";
- default:
- /**
- * @see Zend_Ldap_Exception
- */
- require_once 'Zend/Ldap/Exception.php';
- throw new Zend_Ldap_Exception(null, "Unknown canonical name form: $form");
- }
- }
-
- /**
- * @param array $attrs An array of names of desired attributes
- * @return array An array of the attributes representing the account
- * @throws Zend_Ldap_Exception
- */
- protected function _getAccount($acctname, array $attrs = null)
- {
- $baseDn = $this->getBaseDn();
- if (!$baseDn) {
- /**
- * @see Zend_Ldap_Exception
- */
- require_once 'Zend/Ldap/Exception.php';
- throw new Zend_Ldap_Exception(null, 'Base DN not set');
- }
-
- $accountFilter = $this->_getAccountFilter($acctname);
- if (!$accountFilter) {
- /**
- * @see Zend_Ldap_Exception
- */
- require_once 'Zend/Ldap/Exception.php';
- throw new Zend_Ldap_Exception(null, 'Invalid account filter');
- }
-
- if (!is_resource($this->getResource())) {
- $this->bind();
- }
-
- $accounts = $this->search($accountFilter, $baseDn, self::SEARCH_SCOPE_SUB, $attrs);
- $count = $accounts->count();
- if ($count === 1) {
- $acct = $accounts->getFirst();
- $accounts->close();
- return $acct;
- } else if ($count === 0) {
- /**
- * @see Zend_Ldap_Exception
- */
- require_once 'Zend/Ldap/Exception.php';
- $code = Zend_Ldap_Exception::LDAP_NO_SUCH_OBJECT;
- $str = "No object found for: $accountFilter";
- } else {
- /**
- * @see Zend_Ldap_Exception
- */
- require_once 'Zend/Ldap/Exception.php';
- $code = Zend_Ldap_Exception::LDAP_OPERATIONS_ERROR;
- $str = "Unexpected result count ($count) for: $accountFilter";
- }
- $accounts->close();
- /**
- * @see Zend_Ldap_Exception
- */
- require_once 'Zend/Ldap/Exception.php';
- throw new Zend_Ldap_Exception($this, $str, $code);
- }
-
- /**
- * @return Zend_Ldap Provides a fluent interface
- */
- public function disconnect()
- {
- if (is_resource($this->_resource)) {
- @ldap_unbind($this->_resource);
- }
- $this->_resource = null;
- $this->_boundUser = false;
- return $this;
- }
-
- /**
- * To connect using SSL it seems the client tries to verify the server
- * certificate by default. One way to disable this behavior is to set
- * 'TLS_REQCERT never' in OpenLDAP's ldap.conf and restarting Apache. Or,
- * if you really care about the server's cert you can put a cert on the
- * web server.
- *
- * @param string $host The hostname of the LDAP server to connect to
- * @param int $port The port number of the LDAP server to connect to
- * @param boolean $useSsl Use SSL
- * @param boolean $useStartTls Use STARTTLS
- * @return Zend_Ldap Provides a fluent interface
- * @throws Zend_Ldap_Exception
- */
- public function connect($host = null, $port = null, $useSsl = null, $useStartTls = null)
- {
- if ($host === null) {
- $host = $this->_getHost();
- }
- if ($port === null) {
- $port = $this->_getPort();
- } else {
- $port = (int)$port;
- }
- if ($useSsl === null) {
- $useSsl = $this->_getUseSsl();
- } else {
- $useSsl = (bool)$useSsl;
- }
- if ($useStartTls === null) {
- $useStartTls = $this->_getUseStartTls();
- } else {
- $useStartTls = (bool)$useStartTls;
- }
-
- if (!$host) {
- /**
- * @see Zend_Ldap_Exception
- */
- require_once 'Zend/Ldap/Exception.php';
- throw new Zend_Ldap_Exception(null, 'A host parameter is required');
- }
-
- $useUri = false;
- /* Because ldap_connect doesn't really try to connect, any connect error
- * will actually occur during the ldap_bind call. Therefore, we save the
- * connect string here for reporting it in error handling in bind().
- */
- $hosts = array();
- if (preg_match_all('~ldap(?:i|s)?://~', $host, $hosts, PREG_SET_ORDER) > 0) {
- $this->_connectString = $host;
- $useUri = true;
- $useSsl = false;
- } else {
- if ($useSsl) {
- $this->_connectString = 'ldaps://' . $host;
- $useUri = true;
- } else {
- $this->_connectString = 'ldap://' . $host;
- }
- if ($port) {
- $this->_connectString .= ':' . $port;
- }
- }
-
- $this->disconnect();
-
- /* Only OpenLDAP 2.2 + supports URLs so if SSL is not requested, just
- * use the old form.
- */
- $resource = ($useUri) ? @ldap_connect($this->_connectString) : @ldap_connect($host, $port);
-
- if (is_resource($resource) === true) {
- $this->_resource = $resource;
- $this->_boundUser = false;
-
- $optReferrals = ($this->_getOptReferrals()) ? 1 : 0;
- if (@ldap_set_option($resource, LDAP_OPT_PROTOCOL_VERSION, 3) &&
- @ldap_set_option($resource, LDAP_OPT_REFERRALS, $optReferrals)) {
- if ($useSsl || !$useStartTls || @ldap_start_tls($resource)) {
- return $this;
- }
- }
-
- /**
- * @see Zend_Ldap_Exception
- */
- require_once 'Zend/Ldap/Exception.php';
- $zle = new Zend_Ldap_Exception($this, "$host:$port");
- $this->disconnect();
- throw $zle;
- }
- /**
- * @see Zend_Ldap_Exception
- */
- require_once 'Zend/Ldap/Exception.php';
- throw new Zend_Ldap_Exception(null, "Failed to connect to LDAP server: $host:$port");
- }
-
- /**
- * @param string $username The username for authenticating the bind
- * @param string $password The password for authenticating the bind
- * @return Zend_Ldap Provides a fluent interface
- * @throws Zend_Ldap_Exception
- */
- public function bind($username = null, $password = null)
- {
- $moreCreds = true;
-
- if ($username === null) {
- $username = $this->_getUsername();
- $password = $this->_getPassword();
- $moreCreds = false;
- }
-
- if (empty($username)) {
- /* Perform anonymous bind
- */
- $username = null;
- $password = null;
- } else {
- /* Check to make sure the username is in DN form.
- */
- /**
- * @see Zend_Ldap_Dn
- */
- require_once 'Zend/Ldap/Dn.php';
- if (!Zend_Ldap_Dn::checkDn($username)) {
- if ($this->_getBindRequiresDn()) {
- /* moreCreds stops an infinite loop if _getUsername does not
- * return a DN and the bind requires it
- */
- if ($moreCreds) {
- try {
- $username = $this->_getAccountDn($username);
- } catch (Zend_Ldap_Exception $zle) {
- switch ($zle->getCode()) {
- case Zend_Ldap_Exception::LDAP_NO_SUCH_OBJECT:
- case Zend_Ldap_Exception::LDAP_X_DOMAIN_MISMATCH:
- case Zend_Ldap_Exception::LDAP_X_EXTENSION_NOT_LOADED:
- throw $zle;
- }
- throw new Zend_Ldap_Exception(null,
- 'Failed to retrieve DN for account: ' . $username .
- ' [' . $zle->getMessage() . ']',
- Zend_Ldap_Exception::LDAP_OPERATIONS_ERROR);
- }
- } else {
- /**
- * @see Zend_Ldap_Exception
- */
- require_once 'Zend/Ldap/Exception.php';
- throw new Zend_Ldap_Exception(null, 'Binding requires username in DN form');
- }
- } else {
- $username = $this->getCanonicalAccountName($username,
- $this->_getAccountCanonicalForm());
- }
- }
- }
-
- if (!is_resource($this->_resource)) {
- $this->connect();
- }
-
- if ($username !== null && $password === '' && $this->_getAllowEmptyPassword() !== true) {
- /**
- * @see Zend_Ldap_Exception
- */
- require_once 'Zend/Ldap/Exception.php';
- $zle = new Zend_Ldap_Exception(null,
- 'Empty password not allowed - see allowEmptyPassword option.');
- } else {
- if (@ldap_bind($this->_resource, $username, $password)) {
- $this->_boundUser = $username;
- return $this;
- }
-
- $message = ($username === null) ? $this->_connectString : $username;
- /**
- * @see Zend_Ldap_Exception
- */
- require_once 'Zend/Ldap/Exception.php';
- switch ($this->getLastErrorCode()) {
- case Zend_Ldap_Exception::LDAP_SERVER_DOWN:
- /* If the error is related to establishing a connection rather than binding,
- * the connect string is more informative than the username.
- */
- $message = $this->_connectString;
- }
-
- $zle = new Zend_Ldap_Exception($this, $message);
- }
- $this->disconnect();
- throw $zle;
- }
-
- /**
- * A global LDAP search routine for finding information.
- *
- * Options can be either passed as single parameters according to the
- * method signature or as an array with one or more of the following keys
- * - filter
- * - baseDn
- * - scope
- * - attributes
- * - sort
- * - collectionClass
- * - sizelimit
- * - timelimit
- *
- * @param string|Zend_Ldap_Filter_Abstract|array $filter
- * @param string|Zend_Ldap_Dn|null $basedn
- * @param integer $scope
- * @param array $attributes
- * @param string|null $sort
- * @param string|null $collectionClass
- * @param integer $sizelimit
- * @param integer $timelimit
- * @return Zend_Ldap_Collection
- * @throws Zend_Ldap_Exception
- */
- public function search($filter, $basedn = null, $scope = self::SEARCH_SCOPE_SUB, array $attributes = array(),
- $sort = null, $collectionClass = null, $sizelimit = 0, $timelimit = 0)
- {
- if (is_array($filter)) {
- $options = array_change_key_case($filter, CASE_LOWER);
- foreach ($options as $key => $value) {
- switch ($key) {
- case 'filter':
- case 'basedn':
- case 'scope':
- case 'sort':
- $$key = $value;
- break;
- case 'attributes':
- if (is_array($value)) {
- $attributes = $value;
- }
- break;
- case 'collectionclass':
- $collectionClass = $value;
- break;
- case 'sizelimit':
- case 'timelimit':
- $$key = (int)$value;
- }
- }
- }
-
- if ($basedn === null) {
- $basedn = $this->getBaseDn();
- }
- else if ($basedn instanceof Zend_Ldap_Dn) {
- $basedn = $basedn->toString();
- }
-
- if ($filter instanceof Zend_Ldap_Filter_Abstract) {
- $filter = $filter->toString();
- }
-
- switch ($scope) {
- case self::SEARCH_SCOPE_ONE:
- $search = @ldap_list($this->getResource(), $basedn, $filter, $attributes, 0, $sizelimit, $timelimit);
- break;
- case self::SEARCH_SCOPE_BASE:
- $search = @ldap_read($this->getResource(), $basedn, $filter, $attributes, 0, $sizelimit, $timelimit);
- break;
- case self::SEARCH_SCOPE_SUB:
- default:
- $search = @ldap_search($this->getResource(), $basedn, $filter, $attributes, 0, $sizelimit, $timelimit);
- break;
- }
-
- if($search === false) {
- /**
- * @see Zend_Ldap_Exception
- */
- require_once 'Zend/Ldap/Exception.php';
- throw new Zend_Ldap_Exception($this, 'searching: ' . $filter);
- }
- if ($sort !== null && is_string($sort)) {
- $isSorted = @ldap_sort($this->getResource(), $search, $sort);
- if($isSorted === false) {
- /**
- * @see Zend_Ldap_Exception
- */
- require_once 'Zend/Ldap/Exception.php';
- throw new Zend_Ldap_Exception($this, 'sorting: ' . $sort);
- }
- }
-
- /**
- * Zend_Ldap_Collection_Iterator_Default
- */
- require_once 'Zend/Ldap/Collection/Iterator/Default.php';
- $iterator = new Zend_Ldap_Collection_Iterator_Default($this, $search);
- return $this->_createCollection($iterator, $collectionClass);
- }
-
- /**
- * Extension point for collection creation
- *
- * @param Zend_Ldap_Collection_Iterator_Default $iterator
- * @param string|null $collectionClass
- * @return Zend_Ldap_Collection
- * @throws Zend_Ldap_Exception
- */
- protected function _createCollection(Zend_Ldap_Collection_Iterator_Default $iterator, $collectionClass)
- {
- if ($collectionClass === null) {
- /**
- * Zend_Ldap_Collection
- */
- require_once 'Zend/Ldap/Collection.php';
- return new Zend_Ldap_Collection($iterator);
- } else {
- $collectionClass = (string)$collectionClass;
- if (!class_exists($collectionClass)) {
- /**
- * @see Zend_Ldap_Exception
- */
- require_once 'Zend/Ldap/Exception.php';
- throw new Zend_Ldap_Exception(null,
- "Class '$collectionClass' can not be found");
- }
- if (!is_subclass_of($collectionClass, 'Zend_Ldap_Collection')) {
- /**
- * @see Zend_Ldap_Exception
- */
- require_once 'Zend/Ldap/Exception.php';
- throw new Zend_Ldap_Exception(null,
- "Class '$collectionClass' must subclass 'Zend_Ldap_Collection'");
- }
- return new $collectionClass($iterator);
- }
- }
-
- /**
- * Count items found by given filter.
- *
- * @param string|Zend_Ldap_Filter_Abstract $filter
- * @param string|Zend_Ldap_Dn|null $basedn
- * @param integer $scope
- * @return integer
- * @throws Zend_Ldap_Exception
- */
- public function count($filter, $basedn = null, $scope = self::SEARCH_SCOPE_SUB)
- {
- try {
- $result = $this->search($filter, $basedn, $scope, array('dn'), null);
- } catch (Zend_Ldap_Exception $e) {
- if ($e->getCode() === Zend_Ldap_Exception::LDAP_NO_SUCH_OBJECT) return 0;
- else throw $e;
- }
- return $result->count();
- }
-
- /**
- * Count children for a given DN.
- *
- * @param string|Zend_Ldap_Dn $dn
- * @return integer
- * @throws Zend_Ldap_Exception
- */
- public function countChildren($dn)
- {
- return $this->count('(objectClass=*)', $dn, self::SEARCH_SCOPE_ONE);
- }
-
- /**
- * Check if a given DN exists.
- *
- * @param string|Zend_Ldap_Dn $dn
- * @return boolean
- * @throws Zend_Ldap_Exception
- */
- public function exists($dn)
- {
- return ($this->count('(objectClass=*)', $dn, self::SEARCH_SCOPE_BASE) == 1);
- }
-
- /**
- * Search LDAP registry for entries matching filter and optional attributes
- *
- * Options can be either passed as single parameters according to the
- * method signature or as an array with one or more of the following keys
- * - filter
- * - baseDn
- * - scope
- * - attributes
- * - sort
- * - reverseSort
- * - sizelimit
- * - timelimit
- *
- * @param string|Zend_Ldap_Filter_Abstract|array $filter
- * @param string|Zend_Ldap_Dn|null $basedn
- * @param integer $scope
- * @param array $attributes
- * @param string|null $sort
- * @param boolean $reverseSort
- * @param integer $sizelimit
- * @param integer $timelimit
- * @return array
- * @throws Zend_Ldap_Exception
- */
- public function searchEntries($filter, $basedn = null, $scope = self::SEARCH_SCOPE_SUB,
- array $attributes = array(), $sort = null, $reverseSort = false, $sizelimit = 0, $timelimit = 0)
- {
- if (is_array($filter)) {
- $filter = array_change_key_case($filter, CASE_LOWER);
- if (isset($filter['collectionclass'])) {
- unset($filter['collectionclass']);
- }
- if (isset($filter['reversesort'])) {
- $reverseSort = $filter['reversesort'];
- unset($filter['reversesort']);
- }
- }
- $result = $this->search($filter, $basedn, $scope, $attributes, $sort, null, $sizelimit, $timelimit);
- $items = $result->toArray();
- if ((bool)$reverseSort === true) {
- $items = array_reverse($items, false);
- }
- return $items;
- }
-
- /**
- * Get LDAP entry by DN
- *
- * @param string|Zend_Ldap_Dn $dn
- * @param array $attributes
- * @param boolean $throwOnNotFound
- * @return array
- * @throws Zend_Ldap_Exception
- */
- public function getEntry($dn, array $attributes = array(), $throwOnNotFound = false)
- {
- try {
- $result = $this->search("(objectClass=*)", $dn, self::SEARCH_SCOPE_BASE,
- $attributes, null);
- return $result->getFirst();
- } catch (Zend_Ldap_Exception $e){
- if ($throwOnNotFound !== false) throw $e;
- }
- return null;
- }
-
- /**
- * Prepares an ldap data entry array for insert/update operation
- *
- * @param array $entry
- * @return void
- * @throws InvalidArgumentException
- */
- public static function prepareLdapEntryArray(array &$entry)
- {
- if (array_key_exists('dn', $entry)) unset($entry['dn']);
- foreach ($entry as $key => $value) {
- if (is_array($value)) {
- foreach ($value as $i => $v) {
- if ($v === null) unset($value[$i]);
- else if (!is_scalar($v)) {
- throw new InvalidArgumentException('Only scalar values allowed in LDAP data');
- } else {
- $v = (string)$v;
- if (strlen($v) == 0) {
- unset($value[$i]);
- } else {
- $value[$i] = $v;
- }
- }
- }
- $entry[$key] = array_values($value);
- } else {
- if ($value === null) $entry[$key] = array();
- else if (!is_scalar($value)) {
- throw new InvalidArgumentException('Only scalar values allowed in LDAP data');
- } else {
- $value = (string)$value;
- if (strlen($value) == 0) {
- $entry[$key] = array();
- } else {
- $entry[$key] = array($value);
- }
- }
- }
- }
- $entry = array_change_key_case($entry, CASE_LOWER);
- }
-
- /**
- * Add new information to the LDAP repository
- *
- * @param string|Zend_Ldap_Dn $dn
- * @param array $entry
- * @return Zend_Ldap Provides a fluid interface
- * @throws Zend_Ldap_Exception
- */
- public function add($dn, array $entry)
- {
- if (!($dn instanceof Zend_Ldap_Dn)) {
- $dn = Zend_Ldap_Dn::factory($dn, null);
- }
- self::prepareLdapEntryArray($entry);
- foreach ($entry as $key => $value) {
- if (is_array($value) && count($value) === 0) {
- unset($entry[$key]);
- }
- }
-
- $rdnParts = $dn->getRdn(Zend_Ldap_Dn::ATTR_CASEFOLD_LOWER);
- foreach ($rdnParts as $key => $value) {
- $value = Zend_Ldap_Dn::unescapeValue($value);
- if (!array_key_exists($key, $entry)) {
- $entry[$key] = array($value);
- } else if (!in_array($value, $entry[$key])) {
- $entry[$key] = array_merge(array($value), $entry[$key]);
- }
- }
- $adAttributes = array('distinguishedname', 'instancetype', 'name', 'objectcategory',
- 'objectguid', 'usnchanged', 'usncreated', 'whenchanged', 'whencreated');
- foreach ($adAttributes as $attr) {
- if (array_key_exists($attr, $entry)) {
- unset($entry[$attr]);
- }
- }
-
- $isAdded = @ldap_add($this->getResource(), $dn->toString(), $entry);
- if($isAdded === false) {
- /**
- * @see Zend_Ldap_Exception
- */
- require_once 'Zend/Ldap/Exception.php';
- throw new Zend_Ldap_Exception($this, 'adding: ' . $dn->toString());
- }
- return $this;
- }
-
- /**
- * Update LDAP registry
- *
- * @param string|Zend_Ldap_Dn $dn
- * @param array $entry
- * @return Zend_Ldap Provides a fluid interface
- * @throws Zend_Ldap_Exception
- */
- public function update($dn, array $entry)
- {
- if (!($dn instanceof Zend_Ldap_Dn)) {
- $dn = Zend_Ldap_Dn::factory($dn, null);
- }
- self::prepareLdapEntryArray($entry);
-
- $rdnParts = $dn->getRdn(Zend_Ldap_Dn::ATTR_CASEFOLD_LOWER);
- foreach ($rdnParts as $key => $value) {
- $value = Zend_Ldap_Dn::unescapeValue($value);
- if (array_key_exists($key, $entry) && !in_array($value, $entry[$key])) {
- $entry[$key] = array_merge(array($value), $entry[$key]);
- }
- }
-
- $adAttributes = array('distinguishedname', 'instancetype', 'name', 'objectcategory',
- 'objectguid', 'usnchanged', 'usncreated', 'whenchanged', 'whencreated');
- foreach ($adAttributes as $attr) {
- if (array_key_exists($attr, $entry)) {
- unset($entry[$attr]);
- }
- }
-
- if (count($entry) > 0) {
- $isModified = @ldap_modify($this->getResource(), $dn->toString(), $entry);
- if($isModified === false) {
- /**
- * @see Zend_Ldap_Exception
- */
- require_once 'Zend/Ldap/Exception.php';
- throw new Zend_Ldap_Exception($this, 'updating: ' . $dn->toString());
- }
- }
- return $this;
- }
-
- /**
- * Save entry to LDAP registry.
- *
- * Internally decides if entry will be updated to added by calling
- * {@link exists()}.
- *
- * @param string|Zend_Ldap_Dn $dn
- * @param array $entry
- * @return Zend_Ldap Provides a fluid interface
- * @throws Zend_Ldap_Exception
- */
- public function save($dn, array $entry)
- {
- if ($dn instanceof Zend_Ldap_Dn) {
- $dn = $dn->toString();
- }
- if ($this->exists($dn)) $this->update($dn, $entry);
- else $this->add($dn, $entry);
- return $this;
- }
-
- /**
- * Delete an LDAP entry
- *
- * @param string|Zend_Ldap_Dn $dn
- * @param boolean $recursively
- * @return Zend_Ldap Provides a fluid interface
- * @throws Zend_Ldap_Exception
- */
- public function delete($dn, $recursively = false)
- {
- if ($dn instanceof Zend_Ldap_Dn) {
- $dn = $dn->toString();
- }
- if ($recursively === true) {
- if ($this->countChildren($dn)>0) {
- $children = $this->_getChildrenDns($dn);
- foreach ($children as $c) {
- $this->delete($c, true);
- }
- }
- }
- $isDeleted = @ldap_delete($this->getResource(), $dn);
- if($isDeleted === false) {
- /**
- * @see Zend_Ldap_Exception
- */
- require_once 'Zend/Ldap/Exception.php';
- throw new Zend_Ldap_Exception($this, 'deleting: ' . $dn);
- }
- return $this;
- }
-
- /**
- * Retrieve the immediate children DNs of the given $parentDn
- *
- * This method is used in recursive methods like {@see delete()}
- * or {@see copy()}
- *
- * @param string|Zend_Ldap_Dn $parentDn
- * @return array of DNs
- */
- protected function _getChildrenDns($parentDn)
- {
- if ($parentDn instanceof Zend_Ldap_Dn) {
- $parentDn = $parentDn->toString();
- }
- $children = array();
- $search = @ldap_list($this->getResource(), $parentDn, '(objectClass=*)', array('dn'));
- for ($entry = @ldap_first_entry($this->getResource(), $search);
- $entry !== false;
- $entry = @ldap_next_entry($this->getResource(), $entry)) {
- $childDn = @ldap_get_dn($this->getResource(), $entry);
- if ($childDn === false) {
- /**
- * @see Zend_Ldap_Exception
- */
- require_once 'Zend/Ldap/Exception.php';
- throw new Zend_Ldap_Exception($this, 'getting dn');
- }
- $children[] = $childDn;
- }
- @ldap_free_result($search);
- return $children;
- }
-
- /**
- * Moves a LDAP entry from one DN to another subtree.
- *
- * @param string|Zend_Ldap_Dn $from
- * @param string|Zend_Ldap_Dn $to
- * @param boolean $recursively
- * @param boolean $alwaysEmulate
- * @return Zend_Ldap Provides a fluid interface
- * @throws Zend_Ldap_Exception
- */
- public function moveToSubtree($from, $to, $recursively = false, $alwaysEmulate = false)
- {
- if ($from instanceof Zend_Ldap_Dn) {
- $orgDnParts = $from->toArray();
- } else {
- $orgDnParts = Zend_Ldap_Dn::explodeDn($from);
- }
-
- if ($to instanceof Zend_Ldap_Dn) {
- $newParentDnParts = $to->toArray();
- } else {
- $newParentDnParts = Zend_Ldap_Dn::explodeDn($to);
- }
-
- $newDnParts = array_merge(array(array_shift($orgDnParts)), $newParentDnParts);
- $newDn = Zend_Ldap_Dn::fromArray($newDnParts);
- return $this->rename($from, $newDn, $recursively, $alwaysEmulate);
- }
-
- /**
- * Moves a LDAP entry from one DN to another DN.
- *
- * This is an alias for {@link rename()}
- *
- * @param string|Zend_Ldap_Dn $from
- * @param string|Zend_Ldap_Dn $to
- * @param boolean $recursively
- * @param boolean $alwaysEmulate
- * @return Zend_Ldap Provides a fluid interface
- * @throws Zend_Ldap_Exception
- */
- public function move($from, $to, $recursively = false, $alwaysEmulate = false)
- {
- return $this->rename($from, $to, $recursively, $alwaysEmulate);
- }
-
- /**
- * Renames a LDAP entry from one DN to another DN.
- *
- * This method implicitely moves the entry to another location within the tree.
- *
- * @param string|Zend_Ldap_Dn $from
- * @param string|Zend_Ldap_Dn $to
- * @param boolean $recursively
- * @param boolean $alwaysEmulate
- * @return Zend_Ldap Provides a fluid interface
- * @throws Zend_Ldap_Exception
- */
- public function rename($from, $to, $recursively = false, $alwaysEmulate = false)
- {
- $emulate = (bool)$alwaysEmulate;
- if (!function_exists('ldap_rename')) $emulate = true;
- else if ($recursively) $emulate = true;
-
- if ($emulate === false) {
- if ($from instanceof Zend_Ldap_Dn) {
- $from = $from->toString();
- }
-
- if ($to instanceof Zend_Ldap_Dn) {
- $newDnParts = $to->toArray();
- } else {
- $newDnParts = Zend_Ldap_Dn::explodeDn($to);
- }
-
- $newRdn = Zend_Ldap_Dn::implodeRdn(array_shift($newDnParts));
- $newParent = Zend_Ldap_Dn::implodeDn($newDnParts);
- $isOK = @ldap_rename($this->getResource(), $from, $newRdn, $newParent, true);
- if($isOK === false) {
- /**
- * @see Zend_Ldap_Exception
- */
- require_once 'Zend/Ldap/Exception.php';
- throw new Zend_Ldap_Exception($this, 'renaming ' . $from . ' to ' . $to);
- }
- else if (!$this->exists($to)) $emulate = true;
- }
- if ($emulate) {
- $this->copy($from, $to, $recursively);
- $this->delete($from, $recursively);
- }
- return $this;
- }
-
- /**
- * Copies a LDAP entry from one DN to another subtree.
- *
- * @param string|Zend_Ldap_Dn $from
- * @param string|Zend_Ldap_Dn $to
- * @param boolean $recursively
- * @return Zend_Ldap Provides a fluid interface
- * @throws Zend_Ldap_Exception
- */
- public function copyToSubtree($from, $to, $recursively = false)
- {
- if ($from instanceof Zend_Ldap_Dn) {
- $orgDnParts = $from->toArray();
- } else {
- $orgDnParts = Zend_Ldap_Dn::explodeDn($from);
- }
-
- if ($to instanceof Zend_Ldap_Dn) {
- $newParentDnParts = $to->toArray();
- } else {
- $newParentDnParts = Zend_Ldap_Dn::explodeDn($to);
- }
-
- $newDnParts = array_merge(array(array_shift($orgDnParts)), $newParentDnParts);
- $newDn = Zend_Ldap_Dn::fromArray($newDnParts);
- return $this->copy($from, $newDn, $recursively);
- }
-
- /**
- * Copies a LDAP entry from one DN to another DN.
- *
- * @param string|Zend_Ldap_Dn $from
- * @param string|Zend_Ldap_Dn $to
- * @param boolean $recursively
- * @return Zend_Ldap Provides a fluid interface
- * @throws Zend_Ldap_Exception
- */
- public function copy($from, $to, $recursively = false)
- {
- $entry = $this->getEntry($from, array(), true);
-
- if ($to instanceof Zend_Ldap_Dn) {
- $toDnParts = $to->toArray();
- } else {
- $toDnParts = Zend_Ldap_Dn::explodeDn($to);
- }
- $this->add($to, $entry);
-
- if ($recursively === true && $this->countChildren($from)>0) {
- $children = $this->_getChildrenDns($from);
- foreach ($children as $c) {
- $cDnParts = Zend_Ldap_Dn::explodeDn($c);
- $newChildParts = array_merge(array(array_shift($cDnParts)), $toDnParts);
- $newChild = Zend_Ldap_Dn::implodeDn($newChildParts);
- $this->copy($c, $newChild, true);
- }
- }
- return $this;
- }
-
- /**
- * Returns the specified DN as a Zend_Ldap_Node
- *
- * @param string|Zend_Ldap_Dn $dn
- * @return Zend_Ldap_Node|null
- * @throws Zend_Ldap_Exception
- */
- public function getNode($dn)
- {
- /**
- * Zend_Ldap_Node
- */
- require_once 'Zend/Ldap/Node.php';
- return Zend_Ldap_Node::fromLdap($dn, $this);
- }
-
- /**
- * Returns the base node as a Zend_Ldap_Node
- *
- * @return Zend_Ldap_Node
- * @throws Zend_Ldap_Exception
- */
- public function getBaseNode()
- {
- return $this->getNode($this->getBaseDn(), $this);
- }
-
- /**
- * Returns the RootDSE
- *
- * @return Zend_Ldap_Node_RootDse
- * @throws Zend_Ldap_Exception
- */
- public function getRootDse()
- {
- if ($this->_rootDse === null) {
- /**
- * @see Zend_Ldap_Node_Schema
- */
- require_once 'Zend/Ldap/Node/RootDse.php';
- $this->_rootDse = Zend_Ldap_Node_RootDse::create($this);
- }
- return $this->_rootDse;
- }
-
- /**
- * Returns the schema
- *
- * @return Zend_Ldap_Node_Schema
- * @throws Zend_Ldap_Exception
- */
- public function getSchema()
- {
- if ($this->_schema === null) {
- /**
- * @see Zend_Ldap_Node_Schema
- */
- require_once 'Zend/Ldap/Node/Schema.php';
- $this->_schema = Zend_Ldap_Node_Schema::create($this);
- }
- return $this->_schema;
- }
- }