Table of Contents

ldap.class.php


class imlldap

IML LDAP CONNECTOR

2022-02-22 ah added objGet(), sanitizeFilter() 2022-08-18 ah mask password (showing 4 chars only) 2022-08-22 ah mhash is deprecated 2022-08-26 ah fix verifyPassword 2024-07-11 ah php8 only: use variable types


private array $_aLdap = [ 'server' => false, 'port' => false, 'DnLdapUser' => false, // ldap rdn oder dn 'PwLdapUser' => false, 'DnUserNode' => false, // ou=People... 'DnAppNode' => false, // cn=AppGroup... 'protoVersion' => 3, 'debugLevel' => 0, ]


private object|bool $_ldapConn = false


private object|bool $_ldapBind = false

ldap bind object - bind was done?


var bool $bDebug = false

Flag if debug mode is on


public function __construct(array $aConfig = [])

constructor Parameters:

Var Type Desciption
$aConfig array optional set ldap connection

public function debugOn(): void

turn debug messages on; if this detail level is not enough, set a value with key debugLevel in ldap config array


public function debugOff(): void

turn debug messages off


private function _w(string $sText): bool

write debug message if denugOn() was fired.

Parameters:

Var Type Desciption
$sText string message text

Return:

boolean


private function _wLdaperror(string $sText = ''): bool

write last ldap error as debug

Parameters:

Var Type Desciption
$sText string message text

Return:

boolean


public function setConfig(array $aConfig = []): void

set a ldap config

        'server'       => 'ldaps://ldap.example.com',
        'port'         => 636,
        'DnLdapUser' => 'cn=Lookup,ou=ServiceAccounts,dc=org,dc=example.com',     // ldap rdn oder dn
        'PwLdapUser' => 'PasswordOfLookupUser',                                   // password
        'DnUserNode'   => 'ou=People,ou=ORG,dc=org,dc=example.com',
        'DnAppNode'    => '' optional dn ... if a user must be member of a given group
        'protoVersion' => 3
        'debugLevel'   => 0 // for debugging set higher 0 AND call debugOn()

Parameters:

Var Type Desciption
$aConfig array new config items

public function close(): void

close an existing ldap connection


public function connect(): void

connect to ldap


public function bind(string $sUser = '', string $sPw = ''): bool

ldap bind connects with a ldap user. If the ldap connection was not opened yet the connection will be established. If a binding exists it will be unbind

Parameters:

Var Type Desciption
$sUser string optional: username (overrides _aLdap[‘DnLdapUser’])
$sPw string optional: password (overrides _aLdap[‘PwLdapUser’])

public function unbind(): void

ldap unbind … if a bind exists


public function DnExists(string $sDn): bool

check if a DN already exists; return is true/ false Parameters:

Var Type Desciption
$sDn string DN to check

Return:

boolean


public function normalizeSearchentry(array $aRecord): bool|array

get simpler array from ldap_get_entries after ldap_search If the given array doesn’t contain the key “dn” it returns “false”

Parameters:

Var Type Desciption
$aRecord array single result item

Return:

array


static public function sanitizeFilter(string $s): string

sanitize value to put into a search filter WARNING: the implementation is incomplete! I replaces the first N ascii chars only

source: https://www.rfc-editor.org/rfc/rfc4515.txt

$sCn = ‘John Smith (john)’; $sSearchFilter = ‘(cn=’.$oLdap->sanitizeFilter($sCn).’)’; Parameters:

Var Type Desciption
$s string value to sanitize

Return:

string


public function searchDn(string $sDn, string $sSearchFilter = '(objectclass=*)', array $aAttributesToGet = ["*"], bool $bRecursive = true): bool|array

search in ldap directory and get result as array. It returns “false” on error: - no ldap connection - search failed

Parameters:

Var Type Desciption
$sDn string DN to search for
$sSearchFilter string filter in ldap filter syntax
$aAttributesToGet array flat array of attributes to fetch
$bRecursive boolean recusrive (uses ldap_search) or not (ldap_list)

Return:

boolean|array


public function searchUser(string $sSearchFilter = '', array $aAttributesToGet = ["*"], bool $bRecursive = true): bool|array

search for entries in in ldap user node and get result as array

Parameters:

Var Type Desciption
$sSearchFilter string filter in ldap filter syntax
$aAttributesToGet array flat array of attributes to fetch
$bRecursive bool flag: recursive search? default: true (=yes, recursive)

Return:

boolean|array


public function getUserInfo(string $sUser, array $aAttributesToGet = ["*"]): bool|array

search user by a given username or email address. It returns false if the user does not exist or is not member of the group ‘DnAppNode’ (if it was set).

Parameters:

Var Type Desciption
$sUser string user id (uid) or email (mail) to search
$aAttributesToGet array i.e. [“ou”, “sn”, “vorname”, “mail”, “uid”, “memberOf”]

Return:

boolean|array


public function getUserDn(string $sUser): bool|string

search for a DN entry with the lookup user by a given username or email address. It returns false if the user does not exist or is not member of the group ‘DnAppNode’ (if it was set).

Parameters:

Var Type Desciption
$sUser string %s

Return:

string


public function setPassword(string $sUser, string $sPW): bool

set a password for a given user; this requires a ldap bind with master/ admin account

Parameters:

Var Type Desciption
$sUser string username or email
$sPW string password

Return:

boolean


private function _getNTLMHash(string $Input): string

get NTLM hash from a string taken from https://secure.php.net/manual/en/ref.hash.php

Parameters:

Var Type Desciption
$Input string %s

Return:

string


public function setPasswordSamba(string $sUser, string $sPW): bool

set a password for a given user for Samba this requires a ldap bind with master/ admin account see https://msdn.microsoft.com/en-us/library/cc223248.aspx see http://php.net/ldap-modify-batch - last examle see https://secure.php.net/manual/en/ref.hash.php

Parameters:

Var Type Desciption
$sUser string username or email
$sPW string password

Return:

boolean


public function objAdd(string $sDn, array $aItem): bool

update an ldap object this requires a ldap bind with master/ admin account It returns true if the action was successful

Parameters:

Var Type Desciption
$sDn string dn to update
$aItem array array of new ldap properties

Return:

boolean


public function objAddAttr(string $sDn, array $aItem): bool

update an ldap attribute this requires a ldap bind with master/ admin account

Parameters:

Var Type Desciption
$sDn string dn to update
$aItem array array of new ldap properties

Return:

boolean


public function objGet(string $sDn, string $sSearchFilter = '(objectclass=*)', array $aAttributesToGet = ["*"]): bool|array

read attributes from ldap node with given DN (using ldap_read) It returns “false” if the action was not successful - no ldap connection - DN or filter didn’t match

Parameters:

Var Type Desciption
$sDn string DN to search for
$sSearchFilter string filter in ldap filter syntax
$aAttributesToGet array flat array of attributes to fetch

Return:

boolean|array


public function objUpdate(string $sDn, array $aItem): bool

update an ldap object with given key-value array if the attribute (key) does not exist it will be created. this requires a ldap bind with master/ admin account It returns “false” if the action failed

Parameters:

Var Type Desciption
$sDn string full DN where to update the item
$aItem array updated entry

Return:

boolean


public function objDelete(string $sDn): bool

delete an ldap object this requires a ldap bind with master/ admin account It returns “false” if the action failed

Parameters:

Var Type Desciption
$sDn string full DN to remove

Return:

boolean


public function objDeleteAttr(string $sDn, array $aItem): bool

delete attributes of an ldap object this requires a ldap bind with master/ admin account It returns “false” if the action failed

remove attribute “userPassword” of user $sUserDn: $oLdap->objDeleteAttr($sUserDn, [‘userPassword’=>[]] Parameters:

Var Type Desciption
$sDn string DN
$aItem array item to remove

Return:

boolean


public function objectAttributeExists(string $sDn, string $sAttribute): bool

check if an attribute exists in a DN

Parameters:

Var Type Desciption
$sDn string DN
$sAttribute string attribute name to check
$sAttrValue string value to check

Return:

boolean


public function objectAttributeAndValueExist(string $sDn, string $sAttribute, string $sAttrValue): bool

check if an attribute and value exist in a DN

Parameters:

Var Type Desciption
$sDn string DN
$sAttribute string attribute name to check
$sAttrValue string value to check

Return:

boolean


public function objectAttributeAndValueMustExist(string $sDn, string $sAttribute, string $sAttrValue): bool

check an attribute and value; it will be created if it does not exist this requires a ldap bind with master/ admin account

Parameters:

Var Type Desciption
$sDn string dn to update
$sAttribute string attribute name to check
$sAttrValue string value to check

Return:

boolean


public function userAdd(array $aItem, string $sDn = ""): bool

create a new user item this requires a ldap bind with master/ admin account

Parameters:

Var Type Desciption
$aItem array ldap properties
$sDn string optional DN where to create the user

Return:

boolean


public function userDelete(string $sUserDn): bool

delete a user this requires a ldap bind with master/ admin account

Parameters:

Var Type Desciption
$sUser string user to update
$sPW string new password to set

Return:

boolean


public function userUpdate(array $aItem): bool

update an ldap object this requires a ldap bind with master/ admin account

Parameters:

Var Type Desciption
$aItem array new user data to update

Return:

boolean


public function verifyPassword(string $sUser, string $sPW): bool

verify user and password Parameters:

Var Type Desciption
$sUser string username or email
$sPW string password

Return:

boolean