0){
if (array_key_exists("account_suffix",$options)){ $this->_account_suffix=$options["account_suffix"]; }
if (array_key_exists("base_dn",$options)){ $this->_base_dn=$options["base_dn"]; }
if (array_key_exists("domain_controllers",$options)){ $this->_domain_controllers=$options["domain_controllers"]; }
if (array_key_exists("ad_username",$options)){ $this->_ad_username=$options["ad_username"]; }
if (array_key_exists("ad_password",$options)){ $this->_ad_password=$options["ad_password"]; }
if (array_key_exists("real_primarygroup",$options)){ $this->_real_primarygroup=$options["real_primarygroup"]; }
if (array_key_exists("use_ssl",$options)){ $this->_use_ssl=$options["use_ssl"]; }
if (array_key_exists("recursive_groups",$options)){ $this->_recursive_groups=$options["recursive_groups"]; }
}
//connect to the LDAP server as the username/password
$dc=$this->random_controller();
if ($this->_use_ssl){
$this->_conn = ldap_connect("ldaps://".$dc);
} else {
$this->_conn = ldap_connect($dc);
}
//set some ldap options for talking to AD
ldap_set_option($this->_conn, LDAP_OPT_PROTOCOL_VERSION, 3);
ldap_set_option($this->_conn, LDAP_OPT_REFERRALS, 0);
//bind as a domain admin if they've set it up
if ($this->_ad_username!=NULL && $this->_ad_password!=NULL){
$this->_bind = @ldap_bind($this->_conn,$this->_ad_username.$this->_account_suffix,$this->_ad_password);
if (!$this->_bind){
if ($this->_use_ssl){
//if you have problems troubleshooting, remove the @ character from the ldap_bind command above to get the actual error message
echo ("FATAL: AD bind failed. Either the LDAPS connection failed or the login credentials are incorrect."); exit();
} else {
echo ("FATAL: AD bind failed. Check the login credentials."); exit();
}
}
}
return (true);
}
// default destructor
function __destruct(){ ldap_close ($this->_conn); }
//validate a users login credentials
function authenticate($username,$password,$prevent_rebind=false){
if ($username==NULL || $password==NULL){ return (false); } //prevent null binding
//bind as the user
$this->_bind = @ldap_bind($this->_conn,$username.$this->_account_suffix,$password);
if (!$this->_bind){ return (false); }
//once we've checked their details, kick back into admin mode if we have it
if ($this->_ad_username!=NULL && !$prevent_rebind){
$this->_bind = @ldap_bind($this->_conn,$this->_ad_username.$this->_account_suffix,$this->_ad_password);
if (!$this->_bind){ echo ("FATAL: AD rebind failed."); exit(); } //this should never happen in theory
}
return (true);
}
//*****************************************************************************************************************
// GROUP FUNCTIONS
// Add a group to a group
function group_add_group($parent,$child){
//find the parent group's dn
$parent_group=$this->group_info($parent,array("cn"));
if ($parent_group[0]["dn"]==NULL){ return (false); }
$parent_dn=$parent_group[0]["dn"];
//find the child group's dn
$child_group=$this->group_info($child,array("cn"));
if ($child_group[0]["dn"]==NULL){ return (false); }
$child_dn=$child_group[0]["dn"];
$add=array();
$add["member"] = $child_dn;
$result=@ldap_mod_add($this->_conn,$parent_dn,$add);
if ($result==false){ return (false); }
return (true);
}
// Add a user to a group
function group_add_user($group,$user){
//adding a user is a bit fiddly, we need to get the full DN of the user
//and add it using the full DN of the group
//find the user's dn
$user_info=$this->user_info($user,array("cn"));
if ($user_info[0]["dn"]==NULL){ return (false); }
$user_dn=$user_info[0]["dn"];
//find the group's dn
$group_info=$this->group_info($group,array("cn"));
if ($group_info[0]["dn"]==NULL){ return (false); }
$group_dn=$group_info[0]["dn"];
$add=array();
$add["member"] = $user_dn;
$result=@ldap_mod_add($this->_conn,$group_dn,$add);
if ($result==false){ return (false); }
return (true);
}
// Create a group
function group_create($attributes){
if (!is_array($attributes)){ return ("Attributes must be an array"); }
if (!array_key_exists("group_name",$attributes)){ return ("Missing compulsory field [group_name]"); }
if (!array_key_exists("container",$attributes)){ return ("Missing compulsory field [container]"); }
if (!array_key_exists("description",$attributes)){ return ("Missing compulsory field [description]"); }
if (!is_array($attributes["container"])){ return ("Container attribute must be an array."); }
$attributes["container"]=array_reverse($attributes["container"]);
//$member_array = array();
//$member_array[0] = "cn=user1,cn=Users,dc=yourdomain,dc=com";
//$member_array[1] = "cn=administrator,cn=Users,dc=yourdomain,dc=com";
$add=array();
$add["cn"] = $attributes["group_name"];
$add["samaccountname"] = $attributes["group_name"];
$add["objectClass"] = "Group";
$add["description"] = $attributes["description"];
//$add["member"] = $member_array; UNTESTED
$container="OU=".implode(",OU=",$attributes["container"]);
$result=ldap_add($this->_conn,"CN=".$add["cn"].", ".$container.",".$this->_base_dn,$add);
if ($result!=true){ return (false); }
return (true);
}
// Remove a group from a group
function group_del_group($parent,$child){
//find the parent dn
$parent_group=$this->group_info($parent,array("cn"));
if ($parent_group[0]["dn"]==NULL){ return (false); }
$parent_dn=$parent_group[0]["dn"];
//find the child dn
$child_group=$this->group_info($child,array("cn"));
if ($child_group[0]["dn"]==NULL){ return (false); }
$child_dn=$child_group[0]["dn"];
$del=array();
$del["member"] = $child_dn;
$result=@ldap_mod_del($this->_conn,$parent_dn,$del);
if ($result==false){ return (false); }
return (true);
}
// Remove a user from a group
function group_del_user($group,$user){
//find the parent dn
$group_info=$this->group_info($group,array("cn"));
if ($group_info[0]["dn"]==NULL){ return (false); }
$group_dn=$group_info[0]["dn"];
//find the child dn
$user_info=$this->user_info($user,array("cn"));
if ($user_info[0]["dn"]==NULL){ return (false); }
$user_dn=$user_info[0]["dn"];
$del=array();
$del["member"] = $user_dn;
$result=@ldap_mod_del($this->_conn,$group_dn,$del);
if ($result==false){ return (false); }
return (true);
}
// Returns an array of information for a specified group
function group_info($group_name,$fields=NULL){
if ($group_name==NULL){ return (false); }
if (!$this->_bind){ return (false); }
$filter="(&(objectCategory=group)(name=".$this->ldap_slashes($group_name)."))";
//echo ($filter."!!!
");
if ($fields==NULL){ $fields=array("member","memberof","cn","description","distinguishedname","objectcategory","samaccountname"); }
$sr=ldap_search($this->_conn,$this->_base_dn,$filter,$fields);
$entries = ldap_get_entries($this->_conn, $sr);
//print_r($entries);
return ($entries);
}
// Retun a complete list of "groups in groups"
function recursive_groups($group){
if ($group==NULL){ return (false); }
$ret_groups=array();
$groups=$this->group_info($group,array("memberof"));
$groups=$groups[0]["memberof"];
if ($groups){
$group_names=$this->nice_names($groups);
$ret_groups=array_merge($ret_groups,$group_names); //final groups to return
foreach ($group_names as $id => $group_name){
$child_groups=$this->recursive_groups($group_name);
$ret_groups=array_merge($ret_groups,$child_groups);
}
}
return ($ret_groups);
}
//*****************************************************************************************************************
// USER FUNCTIONS
//create a user
function user_create($attributes){
//check for compulsory fields
if (!array_key_exists("username",$attributes)){ return ("Missing compulsory field [username]"); }
if (!array_key_exists("firstname",$attributes)){ return ("Missing compulsory field [firstname]"); }
if (!array_key_exists("surname",$attributes)){ return ("Missing compulsory field [surname]"); }
if (!array_key_exists("email",$attributes)){ return ("Missing compulsory field [email]"); }
if (!array_key_exists("container",$attributes)){ return ("Missing compulsory field [container]"); }
if (!is_array($attributes["container"])){ return ("Container attribute must be an array."); }
if (array_key_exists("password",$attributes) && !$this->_use_ssl){ echo ("FATAL: SSL must be configured on your webserver and enabled in the class to set passwords."); exit(); }
if (!array_key_exists("display_name",$attributes)){ $attributes["display_name"]=$attributes["firstname"]." ".$attributes["surname"]; }
//translate the schema
$add=$this->adldap_schema($attributes);
//additional stuff only used for adding accounts
$add["cn"][0]=$attributes["display_name"];
$add["samaccountname"][0]=$attributes["username"];
$add["objectclass"][0]="top";
$add["objectclass"][1]="person";
$add["objectclass"][2]="organizationalPerson";
$add["objectclass"][3]="user"; //person?
//$add["name"][0]=$attributes["firstname"]." ".$attributes["surname"];
//set the account control attribute
$control_options=array("NORMAL_ACCOUNT");
if (!$attributes["enabled"]){ $control_options[]="ACCOUNTDISABLE"; }
$add["userAccountControl"][0]=$this->account_control($control_options);
//echo (""); print_r($add);
//determine the container
$attributes["container"]=array_reverse($attributes["container"]);
$container="OU=".implode(",OU=",$attributes["container"]);
//add the entry
$result=@ldap_add($this->_conn, "CN=".$add["cn"][0].", ".$container.",".$this->_base_dn, $add);
if ($result!=true){ return (false); }
return (true);
}
// user_groups($user)
// Returns an array of groups that a user is a member off
function user_groups($username,$recursive=NULL){
if ($username==NULL){ return (false); }
if ($recursive==NULL){ $recursive=$this->_recursive_groups; } //use the default option if they haven't set it
if (!$this->_bind){ return (false); }
//search the directory for their information
$info=@$this->user_info($username,array("memberof","primarygroupid"));
$groups=$this->nice_names($info[0]["memberof"]); //presuming the entry returned is our guy (unique usernames)
if ($recursive){
foreach ($groups as $id => $group_name){
$extra_groups=$this->recursive_groups($group_name);
$groups=array_merge($groups,$extra_groups);
}
}
return ($groups);
}
// Returns an array of information for a specific user
function user_info($username,$fields=NULL){
if ($username==NULL){ return (false); }
if (!$this->_bind){ return (false); }
$filter="samaccountname=".$username;
if ($fields==NULL){ $fields=array("samaccountname","mail","memberof","department","displayname","telephonenumber","primarygroupid"); }
$sr=ldap_search($this->_conn,$this->_base_dn,$filter,$fields);
$entries = ldap_get_entries($this->_conn, $sr);
// AD does not return the primary group in the ldap query, we may need to fudge it
if ($this->_real_primarygroup){
$entries[0]["memberof"][]=$this->group_cn($entries[0]["primarygroupid"][0]);
} else {
$entries[0]["memberof"][]="CN=Domain Users,CN=Users,".$this->_base_dn;
}
$entries[0]["memberof"]["count"]++;
return ($entries);
}
// Returns true if the user is a member of the group
function user_ingroup($username,$group,$recursive=NULL){
if ($username==NULL){ return (false); }
if ($group==NULL){ return (false); }
if (!$this->_bind){ return (false); }
if ($recursive==NULL){ $recursive=$this->_recursive_groups; } //use the default option if they haven't set it
//get a list of the groups
$groups=$this->user_groups($username,array("memberof"),$recursive);
//return true if the specified group is in the group list
if (in_array($group,$groups)){ return (true); }
return (false);
}
//modify a user
function user_modify($username,$attributes){
if ($username==NULL){ return ("Missing compulsory field [username]"); }
if (array_key_exists("password",$attributes) && !$this->_use_ssl){ echo ("FATAL: SSL must be configured on your webserver and enabled in the class to set passwords."); exit(); }
//if (array_key_exists("container",$attributes)){
//if (!is_array($attributes["container"])){ return ("Container attribute must be an array."); }
//$attributes["container"]=array_reverse($attributes["container"]);
//}
//find the dn of the user
$user=$this->user_info($username,array("cn"));
if ($user[0]["dn"]==NULL){ return (false); }
$user_dn=$user[0]["dn"];
//translate the update to the LDAP schema
$mod=$this->adldap_schema($attributes);
if (!$mod){ return (false); }
//set the account control attribute (only if specified)
if (array_key_exists("enabled",$attributes)){
if ($attributes["enabled"]){ $control_options=array("NORMAL_ACCOUNT"); }
else { $control_options=array("NORMAL_ACCOUNT","ACCOUNTDISABLE"); }
$mod["userAccountControl"][0]=$this->account_control($control_options);
}
//do the update
$result=ldap_modify($this->_conn,$user_dn,$mod);
if ($result==false){ return (false); }
return (true);
}
// Set the password of a user
function user_password($username,$password){
if ($username==NULL){ return (false); }
if ($password==NULL){ return (false); }
if (!$this->_bind){ return (false); }
if (!$this->_use_ssl){ echo ("FATAL: SSL must be configured on your webserver and enabled in the class to set passwords."); exit(); }
$user=$this->user_info($username,array("cn"));
if ($user[0]["dn"]==NULL){ return (false); }
$user_dn=$user[0]["dn"];
$add=array();
$add["unicodePwd"][0]=$this->encode_password($password);
$result=ldap_mod_replace($this->_conn,$user_dn,$add);
if ($result==false){ return (false); }
return (true);
}
//*****************************************************************************************************************
// COMPUTER FUNCTIONS
// Returns an array of information for a specific computer
function computer_info($computer_name,$fields=NULL){
if ($computer_name==NULL){ return (false); }
if (!$this->_bind){ return (false); }
$filter="(&(objectClass=computer)(cn=".$computer_name."))";
if ($fields==NULL){ $fields=array("memberof","cn","displayname","dnshostname","distinguishedname","objectcategory","operatingsystem","operatingsystemservicepack","operatingsystemversion"); }
$sr=ldap_search($this->_conn,$this->_base_dn,$filter,$fields);
$entries = ldap_get_entries($this->_conn, $sr);
return ($entries);
}
// Returns all AD users
function all_users($include_desc = false, $search = "*", $sorted = true){
if (!$this->_bind){ return (false); }
//perform the search and grab all their details
$filter = "(&(objectClass=user)(samaccounttype=". ADLDAP_NORMAL_ACCOUNT .")(objectCategory=person)(cn=".$search."))";
$fields=array("samaccountname","displayname");
$sr=ldap_search($this->_conn,$this->_base_dn,$filter,$fields);
$entries = ldap_get_entries($this->_conn, $sr);
$users_array = array();
for ($i=0; $i<$entries["count"]; $i++){
if ($include_desc && strlen($entries[$i]["displayname"][0])>0){
$users_array[ $entries[$i]["samaccountname"][0] ] = $entries[$i]["displayname"][0];
} elseif ($include_desc){
$users_array[ $entries[$i]["samaccountname"][0] ] = $entries[$i]["samaccountname"][0];
} else {
array_push($users_array, $entries[$i]["samaccountname"][0]);
}
}
if ($sorted){ asort($users_array); }
return ($users_array);
}
// Returns a complete list of the groups in AD
function all_groups($include_desc = false, $search = "*", $sorted = true){
if (!$this->_bind){ return (false); }
//perform the search and grab all their details
$filter = "(&(objectCategory=group)(samaccounttype=". ADLDAP_SECURITY_GLOBAL_GROUP .")(cn=".$search."))";
$fields=array("samaccountname","description");
$sr=ldap_search($this->_conn,$this->_base_dn,$filter,$fields);
$entries = ldap_get_entries($this->_conn, $sr);
$groups_array = array();
for ($i=0; $i<$entries["count"]; $i++){
if ($include_desc && strlen($entries[$i]["description"][0]) > 0 ){
$groups_array[ $entries[$i]["samaccountname"][0] ] = $entries[$i]["description"][0];
} elseif ($include_desc){
$groups_array[ $entries[$i]["samaccountname"][0] ] = $entries[$i]["samaccountname"][0];
} else {
array_push($groups_array, $entries[$i]["samaccountname"][0]);
}
}
if( $sorted ){ asort($groups_array); }
return ($groups_array);
}
//************************************************************************************************************
// UTILITY FUNCTIONS (not intended to be called directly but I spose you could?)
function adldap_schema($attributes){
//ldap doesn't like NULL attributes, only set them if they have values
// I'd like to know how to set an LDAP attribute to NULL though, at the moment I set it to a space
$mod=array();
if ($attributes["address_city"]){ $mod["l"][0]=$attributes["address_city"]; }
if ($attributes["address_code"]){ $mod["postalCode"][0]=$attributes["address_code"]; }
//if ($attributes["address_country"]){ $mod["countryCode"][0]=$attributes["address_country"]; } // use country codes?
if ($attributes["address_pobox"]){ $mod["postOfficeBox"][0]=$attributes["address_pobox"]; }
if ($attributes["address_state"]){ $mod["st"][0]=$attributes["address_state"]; }
if ($attributes["address_street"]){ $mod["streetAddress"][0]=$attributes["address_street"]; }
if ($attributes["company"]){ $mod["company"][0]=$attributes["company"]; }
if ($attributes["change_password"]){ $mod["pwdLastSet"][0]=0; }
if ($attributes["company"]){ $mod["company"][0]=$attributes["company"]; }
if ($attributes["department"]){ $mod["department"][0]=$attributes["department"]; }
if ($attributes["description"]){ $mod["description"][0]=$attributes["description"]; }
if ($attributes["display_name"]){ $mod["displayName"][0]=$attributes["display_name"]; }
if ($attributes["email"]){ $mod["mail"][0]=$attributes["email"]; }
if ($attributes["expires"]){ $mod["accountExpires"][0]=$attributes["expires"]; } //unix epoch format?
if ($attributes["firstname"]){ $mod["givenName"][0]=$attributes["firstname"]; }
if ($attributes["home_directory"]){ $mod["homeDirectory"][0]=$attributes["home_directory"]; }
if ($attributes["home_drive"]){ $mod["homeDrive"][0]=$attributes["home_drive"]; }
if ($attributes["initials"]){ $mod["initials"][0]=$attributes["initials"]; }
if ($attributes["logon_name"]){ $mod["userPrincipalName"][0]=$attributes["logon_name"]; }
if ($attributes["manager"]){ $mod["manager"][0]=$attributes["manager"]; } //UNTESTED ***Use DistinguishedName***
if ($attributes["office"]){ $mod["physicalDeliveryOfficeName"][0]=$attributes["office"]; }
if ($attributes["password"]){ $mod["unicodePwd"][0]=$this->encode_password($attributes["password"]); }
if ($attributes["profile_path"]){ $mod["profilepath"][0]=$attributes["profile_path"]; }
if ($attributes["script_path"]){ $mod["scriptPath"][0]=$attributes["script_path"]; }
if ($attributes["surname"]){ $mod["sn"][0]=$attributes["surname"]; }
if ($attributes["title"]){ $mod["title"][0]=$attributes["title"]; }
if ($attributes["telephone"]){ $mod["telephoneNumber"][0]=$attributes["telephone"]; }
if ($attributes["web_page"]){ $mod["wWWHomePage"][0]=$attributes["web_page"]; }
//echo (""); print_r($mod);
/*
// modifying a name is a bit fiddly
if ($attributes["firstname"] && $attributes["surname"]){
$mod["cn"][0]=$attributes["firstname"]." ".$attributes["surname"];
$mod["displayname"][0]=$attributes["firstname"]." ".$attributes["surname"];
$mod["name"][0]=$attributes["firstname"]." ".$attributes["surname"];
}
*/
if (count($mod)==0){ return (false); }
return ($mod);
}
function group_cn($gid){
// coping with AD not returning the primary group
// http://support.microsoft.com/?kbid=321360
// for some reason it's not possible to search on primarygrouptoken=XXX
// if someone can show otherwise, I'd like to know about it :)
// this way is resource intensive and generally a pain in the @#%^
if ($gid==NULL){ return (false); }
$r=false;
$filter="(&(objectCategory=group)(samaccounttype=". ADLDAP_SECURITY_GLOBAL_GROUP ."))";
$fields=array("primarygrouptoken","samaccountname","distinguishedname");
$sr=ldap_search($this->_conn,$this->_base_dn,$filter,$fields);
$entries = ldap_get_entries($this->_conn, $sr);
for ($i=0; $i<$entries["count"]; $i++){
if ($entries[$i]["primarygrouptoken"][0]==$gid){
$r=$entries[$i]["distinguishedname"][0];
$i=$entries["count"];
}
}
return ($r);
}
// Encode a password for transmission over LDAP
function encode_password($password){
$password="\"".$password."\"";
$encoded="";
for ($i=0; $i $char){ $legal[$id]="\\".$char; } //make up the array of legal chars
$str=str_replace($illegal,$legal,$str); //replace them
return ($str);
}
// Return a random controller
function random_controller(){
//select a random domain controller
mt_srand(doubleval(microtime()) * 100000000); // for older php versions
return ($this->_domain_controllers[array_rand($this->_domain_controllers)]);
}
function account_control($options){
$val=0;
if (is_array($options)){
if (in_array("SCRIPT",$options)){ $val=$val+1; }
if (in_array("ACCOUNTDISABLE",$options)){ $val=$val+2; }
if (in_array("HOMEDIR_REQUIRED",$options)){ $val=$val+8; }
if (in_array("LOCKOUT",$options)){ $val=$val+16; }
if (in_array("PASSWD_NOTREQD",$options)){ $val=$val+32; }
//PASSWD_CANT_CHANGE Note You cannot assign this permission by directly modifying the UserAccountControl attribute.
//For information about how to set the permission programmatically, see the "Property flag descriptions" section.
if (in_array("ENCRYPTED_TEXT_PWD_ALLOWED",$options)){ $val=$val+128; }
if (in_array("TEMP_DUPLICATE_ACCOUNT",$options)){ $val=$val+256; }
if (in_array("NORMAL_ACCOUNT",$options)){ $val=$val+512; }
if (in_array("INTERDOMAIN_TRUST_ACCOUNT",$options)){ $val=$val+2048; }
if (in_array("WORKSTATION_TRUST_ACCOUNT",$options)){ $val=$val+4096; }
if (in_array("SERVER_TRUST_ACCOUNT",$options)){ $val=$val+8192; }
if (in_array("DONT_EXPIRE_PASSWORD",$options)){ $val=$val+65536; }
if (in_array("MNS_LOGON_ACCOUNT",$options)){ $val=$val+131072; }
if (in_array("SMARTCARD_REQUIRED",$options)){ $val=$val+262144; }
if (in_array("TRUSTED_FOR_DELEGATION",$options)){ $val=$val+524288; }
if (in_array("NOT_DELEGATED",$options)){ $val=$val+1048576; }
if (in_array("USE_DES_KEY_ONLY",$options)){ $val=$val+2097152; }
if (in_array("DONT_REQ_PREAUTH",$options)){ $val=$val+4194304; }
if (in_array("PASSWORD_EXPIRED",$options)){ $val=$val+8388608; }
if (in_array("TRUSTED_TO_AUTH_FOR_DELEGATION",$options)){ $val=$val+16777216; }
}
return ($val);
}
// Take an ldap query and return the nice names, without all the LDAP prefixes (eg. CN, DN)
function nice_names($groups){
$group_array=array();
for ($i=0; $i<$groups["count"]; $i++){ //for each group
$line=$groups[$i];
if (strlen($line)>0){
//more presumptions, they're all prefixed with CN=
//so we ditch the first three characters and the group
//name goes up to the first comma
$bits=explode(",",$line);
$group_array[]=substr($bits[0],3,(strlen($bits[0])-3));
}
}
return ($group_array);
}
// Returns an array of information for a specific user
function user_dump($dn){
if ($dn==NULL){ return (false); }
if (!$this->_bind){ return (false); }
$filter = "(objectclass=*)";
$sr=ldap_read($this->_conn,$dn,$filter);
$entries = ldap_get_entries($this->_conn, $sr);
return ($entries);
}
} // End class
?>