Table of Contents
-
ldap.class.php
- class imlldap
- private array $_aLdap = [ 'server' => false, 'port' => false, 'DnLdapUser' => false, // ldap rdn or dn 'PwLdapUser' => false, 'DnUserNode' => false, // ou=People... 'DnAppNode' => false, // cn=AppGroup... 'protoVersion' => 3, 'debugLevel' => 0, ]
- private object|bool $_ldapConn = false
- private object|bool $_ldapBind = false
- var bool $bDebug = false
- public function __construct(array $aConfig = [])
- public function debugOn(): void
- public function debugOff(): void
- private function _w(string $sText): bool
- private function _wLdaperror(string $sText = ''): bool
- public function setConfig(array $aConfig = []): void
- public function close(): void
- public function connect(): void
- public function bind(string $sUser = '', string $sPw = ''): bool
- public function unbind(): void
- public function DnExists(string $sDn): bool
- public function normalizeSearchentry(array $aRecord): bool|array
- static public function sanitizeFilter(string $s): string
- public function searchDn(string $sDn, string $sSearchFilter = '(objectclass=*)', array $aAttributesToGet = ["*"], bool $bRecursive = true): bool|array
- public function searchUser(string $sSearchFilter = '', array $aAttributesToGet = ["*"], bool $bRecursive = true): bool|array
- public function getUserInfo(string $sUser, array $aAttributesToGet = ["*"]): bool|array
- public function getUserDn(string $sUser): bool|string
- public function setPassword(string $sUser, string $sPW): bool
- private function _getNTLMHash(string $Input): string
- public function setPasswordSamba(string $sUser, string $sPW): bool
- public function objAdd(string $sDn, array $aItem): bool
- public function objAddAttr(string $sDn, array $aItem): bool
- public function objGet(string $sDn, string $sSearchFilter = '(objectclass=*)', array $aAttributesToGet = ["*"]): bool|array
- public function objUpdate(string $sDn, array $aItem): bool
- public function objDelete(string $sDn): bool
- public function objDeleteAttr(string $sDn, array $aItem): bool
- public function objectAttributeExists(string $sDn, string $sAttribute): bool
- public function objectAttributeAndValueExist(string $sDn, string $sAttribute, string $sAttrValue): bool
- public function objectAttributeAndValueMustExist(string $sDn, string $sAttribute, string $sAttrValue): bool
- public function userAdd(array $aItem, string $sDn = ""): bool
- public function userDelete(string $sUserDn): bool
- public function userUpdate(array $aItem): bool
- public function verifyPassword(string $sUser, string $sPW): bool
ldap.class.php
class imlldap
IML LDAP CONNECTOR
- 2022-02-22 ah added objGet(), sanitizeFilter()
- 2022-08-18 ah mask password (showing 4 chars only)
- 2022-08-22 ah mhash is deprecated
- 2022-08-26 ah fix verifyPassword
- 2024-07-11 ah php8 only: use variable types
```php
private array $_aLdap = [
    'server'       => false,
    'port'         => false,
    'DnLdapUser'   => false, // ldap rdn or dn
    'PwLdapUser'   => false,
    'DnUserNode'   => false, // ou=People...
    'DnAppNode'    => false, // cn=AppGroup...
    'protoVersion' => 3,
    'debugLevel'   => 0,
]
```
private object|bool $_ldapConn = false
private object|bool $_ldapBind = false
ldap bind object - bind was done?
var bool $bDebug = false
Flag if debug mode is on
public function __construct(array $aConfig = [])
constructor
Parameters:
Var | Type | Description |
---|---|---|
$aConfig | array | optional set ldap connection |
public function debugOn(): void
turn debug messages on; if this detail level is not enough, set a value with key debugLevel in ldap config array
public function debugOff(): void
turn debug messages off
private function _w(string $sText): bool
write a debug message if debugOn() was called.
Parameters:
Var | Type | Description |
---|---|---|
$sText | string | message text |
Return:
boolean
private function _wLdaperror(string $sText = ''): bool
write the last ldap error as a debug message
Parameters:
Var | Type | Description |
---|---|---|
$sText | string | message text |
Return:
boolean
public function setConfig(array $aConfig = []): void
set an ldap config. Example:

```php
'server'       => 'ldaps://ldap.example.com',
'port'         => 636,
'DnLdapUser'   => 'cn=Lookup,ou=ServiceAccounts,dc=org,dc=example.com', // ldap rdn or dn
'PwLdapUser'   => 'PasswordOfLookupUser', // password
'DnUserNode'   => 'ou=People,ou=ORG,dc=org,dc=example.com',
'DnAppNode'    => '', // optional dn ... if a user must be member of a given group
'protoVersion' => 3,
'debugLevel'   => 0, // for debugging set a value higher than 0 AND call debugOn()
```
Parameters:
Var | Type | Description |
---|---|---|
$aConfig | array | new config items |
public function close(): void
close an existing ldap connection
public function connect(): void
connect to ldap
public function bind(string $sUser = '', string $sPw = ''): bool
ldap bind connects with an ldap user. If the ldap connection was not opened yet, the connection will be established. If a binding already exists it will be unbound first.
Parameters:
Var | Type | Description |
---|---|---|
$sUser | string | optional: username (overrides _aLdap[‘DnLdapUser’]) |
$sPw | string | optional: password (overrides _aLdap[‘PwLdapUser’]) |
public function unbind(): void
ldap unbind … if a bind exists
public function DnExists(string $sDn): bool
check if a DN already exists; returns true/false
Parameters:
Var | Type | Description |
---|---|---|
$sDn | string | DN to check |
Return:
boolean
public function normalizeSearchentry(array $aRecord): bool|array
get a simpler array from an ldap_get_entries result after ldap_search. If the given array doesn't contain the key "dn" it returns false.
Parameters:
Var | Type | Description |
---|---|---|
$aRecord | array | single result item |
Return:
array
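The layout ldap_get_entries() returns (a `count` key, attribute names under numeric keys, each attribute as a list with its own `count`) is awkward to consume directly. The following is an added example of the flattening normalizeSearchentry() is described as doing; it is not the class's own code, and the entry below is a constructed sample in that layout, not a real directory result:

```php
<?php
// Flatten one entry from ldap_get_entries() into ['dn' => ..., 'attr' => value|list].
// Returns false when the record carries no "dn" key (e.g. the top-level result array).
function normalizeEntry(array $aRecord): bool|array
{
    if (!isset($aRecord['dn'])) {
        return false;
    }
    $aOut   = ['dn' => $aRecord['dn']];
    $iAttrs = $aRecord['count'] ?? 0;
    for ($i = 0; $i < $iAttrs; $i++) {
        $sAttr   = $aRecord[$i];          // attribute names are listed under numeric keys, lower-cased
        $aValues = $aRecord[$sAttr];
        unset($aValues['count']);         // drop the per-attribute count, keep the values
        $aValues = array_values($aValues);
        // single-valued attributes become a scalar, multi-valued attributes stay a list
        $aOut[$sAttr] = count($aValues) === 1 ? $aValues[0] : $aValues;
    }
    return $aOut;
}

// Flatten a whole result: the top-level array has 'count' and one entry per numeric key.
function normalizeEntries(array $aEntries): array
{
    $aOut = [];
    for ($i = 0; $i < ($aEntries['count'] ?? 0); $i++) {
        $aEntry = normalizeEntry($aEntries[$i]);
        if ($aEntry !== false) {
            $aOut[] = $aEntry;
        }
    }
    return $aOut;
}

// Constructed sample in the ldap_get_entries() layout (one entry with three attributes)
$aSampleResult = [
    'count' => 1,
    0 => [
        'count' => 3,
        0 => 'uid',      'uid'      => ['count' => 1, 0 => 'jsmith'],
        1 => 'mail',     'mail'     => ['count' => 1, 0 => 'jsmith@example.com'],
        2 => 'memberof', 'memberof' => [
            'count' => 2,
            0 => 'cn=AppGroup,ou=Groups,dc=org,dc=example.com',
            1 => 'cn=Staff,ou=Groups,dc=org,dc=example.com',
        ],
        'dn' => 'uid=jsmith,ou=People,ou=ORG,dc=org,dc=example.com',
    ],
];

print_r(normalizeEntries($aSampleResult));
```

Attribute names come back lower-cased from ext/ldap, so callers should look up `memberof`, not `memberOf`, in the flattened array.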
static public function sanitizeFilter(string $s): string
sanitize a value to put into a search filter. WARNING: the implementation is incomplete! It replaces the first N ASCII chars only.
source: https://www.rfc-editor.org/rfc/rfc4515.txt
Example:

```php
$sCn = 'John Smith (john)';
$sSearchFilter = '(cn=' . $oLdap->sanitizeFilter($sCn) . ')';
```
Parameters:
Var | Type | Description |
---|---|---|
$s | string | value to sanitize |
Return:
string
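Because sanitizeFilter() is documented as incomplete, here is the complete RFC 4515 section 3 escaping for filter values, as an added example that is not the class's own code. The function and filter-builder names are assumptions; the comparison with ext/ldap's ldap_escape() only runs when that extension is loaded:

```php
<?php
// Escape a value for use inside an LDAP search filter (RFC 4515 section 3).
// The five characters with meaning in a filter become a backslash plus their hex code.
function escapeFilterValue(string $sValue): string
{
    // strtr() with an array does a single pass, so inserted backslashes are not escaped twice
    return strtr($sValue, [
        '\\' => '\5c',
        '*'  => '\2a',
        '('  => '\28',
        ')'  => '\29',
        "\0" => '\00',
    ]);
}

// Build an exact-match cn filter from a value that may come from untrusted input
function cnFilter(string $sCn): string
{
    return '(cn=' . escapeFilterValue($sCn) . ')';
}

// The page's own sample value: unescaped parentheses would unbalance the filter
echo cnFilter('John Smith (john)'), PHP_EOL;

// A trailing "*" would turn the equality match into a substring match unless escaped
echo cnFilter('John*'), PHP_EOL;

// ext/ldap ships the same escaping; when it is loaded the two results must agree
if (function_exists('ldap_escape')) {
    $sProbe = 'John Smith (john)*\\';
    assert(ldap_escape($sProbe, '', LDAP_ESCAPE_FILTER) === escapeFilterValue($sProbe));
}
```

This escaping is for filter values only; a value placed into a DN component follows RFC 4514 instead (ldap_escape() with LDAP_ESCAPE_DN), so the two must not be mixed up.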
public function searchDn(string $sDn, string $sSearchFilter = '(objectclass=*)', array $aAttributesToGet = ["*"], bool $bRecursive = true): bool|array
search in the ldap directory and get the result as an array. It returns false on error:
- no ldap connection
- search failed
Parameters:
Var | Type | Description |
---|---|---|
$sDn | string | DN to search for |
$sSearchFilter | string | filter in ldap filter syntax |
$aAttributesToGet | array | flat array of attributes to fetch |
$bRecursive | boolean | recursive (uses ldap_search) or not (ldap_list) |
Return:
boolean|array
public function searchUser(string $sSearchFilter = '', array $aAttributesToGet = ["*"], bool $bRecursive = true): bool|array
search for entries in the ldap user node and get the result as an array
Parameters:
Var | Type | Description |
---|---|---|
$sSearchFilter | string | filter in ldap filter syntax |
$aAttributesToGet | array | flat array of attributes to fetch |
$bRecursive | bool | flag: recursive search? default: true (=yes, recursive) |
Return:
boolean|array
public function getUserInfo(string $sUser, array $aAttributesToGet = ["*"]): bool|array
search user by a given username or email address. It returns false if the user does not exist or is not member of the group ‘DnAppNode’ (if it was set).
Parameters:
Var | Type | Description |
---|---|---|
$sUser | string | user id (uid) or email (mail) to search |
$aAttributesToGet | array | e.g. ["ou", "sn", "vorname", "mail", "uid", "memberOf"] |
Return:
boolean|array
public function getUserDn(string $sUser): bool|string
search for a DN entry with the lookup user by a given username or email address. It returns false if the user does not exist or is not member of the group ‘DnAppNode’ (if it was set).
Parameters:
Var | Type | Description |
---|---|---|
$sUser | string | username or email address |
Return:
string
public function setPassword(string $sUser, string $sPW): bool
set a password for a given user; this requires an ldap bind with the master/admin account
Parameters:
Var | Type | Description |
---|---|---|
$sUser | string | username or email |
$sPW | string | password |
Return:
boolean
private function _getNTLMHash(string $Input): string
get the NTLM hash of a string; taken from https://secure.php.net/manual/en/ref.hash.php
Parameters:
Var | Type | Description |
---|---|---|
$Input | string | string to hash |
Return:
string
public function setPasswordSamba(string $sUser, string $sPW): bool
set a password for a given user for Samba; this requires an ldap bind with the master/admin account.
See:
- https://msdn.microsoft.com/en-us/library/cc223248.aspx
- http://php.net/ldap-modify-batch (last example)
- https://secure.php.net/manual/en/ref.hash.php
Parameters:
Var | Type | Description |
---|---|---|
$sUser | string | username or email |
$sPW | string | password |
Return:
boolean
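The two building blocks behind setPasswordSamba(), the NT hash and the ldap_modify_batch() modification list, shown as an added example rather than the class's own code. It assumes the target entry carries the Samba schema attributes sambaNTPassword and sambaPwdLastSet, and that the connection handle passed in is already bound with an account allowed to write them; the function names are assumptions:

```php
<?php
// Fallback so the modification list can be built and inspected without ext/ldap loaded
// (value taken from ext/ldap, which defines the constant itself when it is loaded).
if (!defined('LDAP_MODIFY_BATCH_REPLACE')) {
    define('LDAP_MODIFY_BATCH_REPLACE', 3);
}

// NT hash: MD4 over the UTF-16LE encoding of the password, as upper-case hex
function ntlmHash(string $sPassword): string
{
    $sUtf16le = mb_convert_encoding($sPassword, 'UTF-16LE', 'UTF-8');
    return strtoupper(hash('md4', $sUtf16le));
}

// Modification list in the shape ldap_modify_batch() expects: one entry per attribute,
// each with 'attrib', 'modtype' and 'values'.
function buildSambaPasswordMods(string $sPassword): array
{
    return [
        [
            'attrib'  => 'sambaNTPassword',
            'modtype' => LDAP_MODIFY_BATCH_REPLACE,
            'values'  => [ntlmHash($sPassword)],
        ],
        [
            // time the password was set, as seconds since the epoch
            'attrib'  => 'sambaPwdLastSet',
            'modtype' => LDAP_MODIFY_BATCH_REPLACE,
            'values'  => [(string) time()],
        ],
        // sambaLMPassword is deliberately not written: the LM hash is obsolete and weak
    ];
}

// $ldap: connection already bound with an account permitted to write the samba* attributes
function applySambaPassword($ldap, string $sUserDn, string $sPassword): bool
{
    if ($sPassword === '') {
        return false;     // never store the hash of an empty password
    }
    return ldap_modify_batch($ldap, $sUserDn, buildSambaPasswordMods($sPassword));
}

// Offline inspection of the generated modification list (no server involved)
print_r(buildSambaPasswordMods('sample-password'));
```

Replacing both attributes in one ldap_modify_batch() call keeps the change atomic on the server side, so a failure leaves the entry with its previous password and timestamp rather than a half-updated state.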
public function objAdd(string $sDn, array $aItem): bool
create a new ldap object with the given DN and attributes; this requires an ldap bind with the master/admin account. It returns true if the action was successful
Parameters:
Var | Type | Description |
---|---|---|
$sDn | string | dn to update |
$aItem | array | array of new ldap properties |
Return:
boolean
public function objAddAttr(string $sDn, array $aItem): bool
add attributes to an ldap object; this requires an ldap bind with the master/admin account
Parameters:
Var | Type | Description |
---|---|---|
$sDn | string | dn to update |
$aItem | array | array of new ldap properties |
Return:
boolean
public function objGet(string $sDn, string $sSearchFilter = '(objectclass=*)', array $aAttributesToGet = ["*"]): bool|array
read attributes from the ldap node with the given DN (using ldap_read). It returns false if the action was not successful:
- no ldap connection
- DN or filter didn't match
Parameters:
Var | Type | Description |
---|---|---|
$sDn | string | DN to search for |
$sSearchFilter | string | filter in ldap filter syntax |
$aAttributesToGet | array | flat array of attributes to fetch |
Return:
boolean|array
public function objUpdate(string $sDn, array $aItem): bool
update an ldap object with the given key-value array; if an attribute (key) does not exist it will be created. This requires an ldap bind with the master/admin account. It returns false if the action failed
Parameters:
Var | Type | Description |
---|---|---|
$sDn | string | full DN where to update the item |
$aItem | array | updated entry |
Return:
boolean
public function objDelete(string $sDn): bool
delete an ldap object; this requires an ldap bind with the master/admin account. It returns false if the action failed
Parameters:
Var | Type | Description |
---|---|---|
$sDn | string | full DN to remove |
Return:
boolean
public function objDeleteAttr(string $sDn, array $aItem): bool
delete attributes of an ldap object; this requires an ldap bind with the master/admin account. It returns false if the action failed
Example: remove the attribute "userPassword" of user $sUserDn:

```php
$oLdap->objDeleteAttr($sUserDn, ['userPassword' => []]);
```
Parameters:
Var | Type | Description |
---|---|---|
$sDn | string | DN |
$aItem | array | item to remove |
Return:
boolean
public function objectAttributeExists(string $sDn, string $sAttribute): bool
check if an attribute exists in a DN
Parameters:
Var | Type | Description |
---|---|---|
$sDn | string | DN |
$sAttribute | string | attribute name to check |
Return:
boolean
public function objectAttributeAndValueExist(string $sDn, string $sAttribute, string $sAttrValue): bool
check if an attribute and value exist in a DN
Parameters:
Var | Type | Description |
---|---|---|
$sDn | string | DN |
$sAttribute | string | attribute name to check |
$sAttrValue | string | value to check |
Return:
boolean
public function objectAttributeAndValueMustExist(string $sDn, string $sAttribute, string $sAttrValue): bool
check an attribute and value; the value will be created if it does not exist. This requires an ldap bind with the master/admin account
Parameters:
Var | Type | Description |
---|---|---|
$sDn | string | dn to update |
$sAttribute | string | attribute name to check |
$sAttrValue | string | value to check |
Return:
boolean
public function userAdd(array $aItem, string $sDn = ""): bool
create a new user item; this requires an ldap bind with the master/admin account
Parameters:
Var | Type | Description |
---|---|---|
$aItem | array | ldap properties |
$sDn | string | optional DN where to create the user |
Return:
boolean
public function userDelete(string $sUserDn): bool
delete a user; this requires an ldap bind with the master/admin account
Parameters:
Var | Type | Description |
---|---|---|
$sUserDn | string | DN of the user to delete |
Return:
boolean
public function userUpdate(array $aItem): bool
update an existing user object; this requires an ldap bind with the master/admin account
Parameters:
Var | Type | Description |
---|---|---|
$aItem | array | new user data to update |
Return:
boolean
public function verifyPassword(string $sUser, string $sPW): bool
verify user and password
Parameters:
Var | Type | Description |
---|---|---|
$sUser | string | username or email |
$sPW | string | password |
Return:
boolean
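Putting the documented calls together into a login check, as an added example that is not part of the class. It assumes ldap.class.php is on the include path, takes the config values from the setConfig() example (the group DN under DnAppNode and the LDAP_LOOKUP_PW environment variable are assumptions), and wraps verifyPassword() with the two checks a caller should make before any bind:

```php
<?php
require_once 'ldap.class.php';   // assumed location of the class file

// Config values follow the setConfig() example; group DN and env variable are assumed
$oLdap = new imlldap([
    'server'       => 'ldaps://ldap.example.com',
    'port'         => 636,
    'DnLdapUser'   => 'cn=Lookup,ou=ServiceAccounts,dc=org,dc=example.com',
    'PwLdapUser'   => getenv('LDAP_LOOKUP_PW') ?: '',
    'DnUserNode'   => 'ou=People,ou=ORG,dc=org,dc=example.com',
    'DnAppNode'    => 'cn=AppGroup,ou=Groups,dc=org,dc=example.com',
    'protoVersion' => 3,
]);

function ldapLogin(imlldap $oLdap, string $sUser, string $sPassword): bool
{
    // RFC 4513 lets a server treat a bind with an empty password as an unauthenticated
    // (anonymous) bind that succeeds, so an empty password must be rejected before any bind.
    if (trim($sPassword) === '') {
        return false;
    }
    // Filter metacharacters have no place in a login name; refuse them rather than letting
    // them reach the search filter that getUserDn() builds from the name.
    if (preg_match('/[\\\\*()\0]/', $sUser) === 1) {
        return false;
    }
    // The lookup account resolves the user's DN and, with DnAppNode set, the group membership
    if (!$oLdap->bind()) {
        return false;
    }
    if ($oLdap->getUserDn($sUser) === false) {
        return false;     // unknown user or not a member of the application group
    }
    $bOk = $oLdap->verifyPassword($sUser, $sPassword);
    // Re-establish the lookup binding so later lookups never run with the end user's rights
    // (whether verifyPassword() restores it itself is not described on this page)
    $oLdap->bind();
    return $bOk;
}

$bLoggedIn = ldapLogin($oLdap, 'jsmith', 'sample-password');   // constructed credentials
echo $bLoggedIn ? "login ok\n" : "login failed\n";
$oLdap->close();
```

Returning the same `false` for an unknown user, a user outside DnAppNode and a wrong password keeps the caller from leaking which of the three applied; log the distinction server-side if it is needed for detection.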