the user does not exist in the ldap database // res=1 -> invalid password (user does exist) if ($res == 1) { //WRONG PASSWORD //$errorMessage = "LDAP User or password incorrect, try again.
"; if (isset($log)) { unset($log); } if (isset($uid)) { unset($uid); } $loginLdapSucces = false; } if ($res == -1) { //WRONG USERNAME //$errorMessage = "LDAP User or password incorrect, try again.
"; $login_ldap_success = false; } if ($res == 0) { //LOGIN & PASSWORD OK - SUCCES //$errorMessage = "Successful login w/ LDAP.
"; $login_ldap_success = true; } //$result = "This is the result: $errorMessage"; $result = $login_ldap_success; return $result; } /** * Find user info in LDAP. * * @return array Array with indexes: "firstname", "name", "email", "employeenumber" * * @author Stefan De Wannemacker * @author Roan Embrechts */ function ldap_find_user_info($login) { //error_log('Entering ldap_find_user_info('.$login.')',0); global $ldap_host, $ldap_port, $ldap_basedn, $ldap_rdn, $ldap_pass, $ldap_search_dn; // basic sequence with LDAP is connect, bind, search, // interpret search result, close connection //echo "Connecting ..."; $ldap_connect = ldap_connect($ldap_host, $ldap_port); ldap_set_version($ldap_connect); if ($ldap_connect) { //echo " Connect to LDAP server successful "; //echo "Binding ..."; $ldap_bind = false; $ldap_bind_res = ldap_handle_bind($ldap_connect, $ldap_bind); if ($ldap_bind_res) { //echo " LDAP bind successful... "; //echo " Searching for uid... "; // Search surname entry //OLD: $sr=ldap_search($ldapconnect,"dc=rug, dc=ac, dc=be", "uid=$login"); //echo "

ldapDc = '$LDAPbasedn'

"; if (!empty($ldap_search_dn)) { $sr = ldap_search($ldap_connect, $ldap_search_dn, "uid=$login"); } else { $sr = ldap_search($ldap_connect, $ldap_basedn, "uid=$login"); } //echo " Search result is ".$sr; //echo " Number of entries returned is ".ldap_count_entries($ldapconnect,$sr); //echo " Getting entries ..."; $info = ldap_get_entries($ldap_connect, $sr); //echo "Data for ".$info["count"]." items returned:

"; } // else could echo "LDAP bind failed..."; //echo "Closing LDAP connection

"; ldap_close($ldap_connect); } // else could echo "

Unable to connect to LDAP server

"; //DEBUG: $result["firstname"] = "Jan"; $result["name"] = "De Test"; $result["email"] = "email@ugent.be"; $result["firstname"] = $info[0]["cn"][0]; $result["name"] = $info[0]["sn"][0]; $result["email"] = $info[0]["mail"][0]; $tutor_field = api_get_setting('ldap_filled_tutor_field'); $result[$tutor_field] = $info[0][$tutor_field]; //employeenumber by default return $result; } /** * This function uses the data from ldap_find_user_info() * to add the userdata to Chamilo * "firstname", "name", "email", "isEmployee". * * @author Roan Embrechts */ function ldap_put_user_info_locally($login, $info_array) { //error_log('Entering ldap_put_user_info_locally('.$login.',info_array)',0); global $ldap_pass_placeholder; global $submitRegistration, $submit, $uname, $email, $nom, $prenom, $password, $password1, $status; global $platformLanguage; global $loginFailed, $uidReset, $_user; /*---------------------------------------------------------- 1. set the necessary variables ------------------------------------------------------------ */ $uname = $login; $email = $info_array["email"]; $nom = $info_array["name"]; $prenom = $info_array["firstname"]; $password = $ldap_pass_placeholder; $password1 = $ldap_pass_placeholder; $official_code = ''; define("STUDENT", 5); define("COURSEMANAGER", 1); $tutor_field = api_get_setting('ldap_filled_tutor_field'); $tutor_value = api_get_setting('ldap_filled_tutor_field_value'); if (empty($tutor_field)) { $status = STUDENT; } else { if (empty($tutor_value)) { //in this case, we are assuming that the admin didn't give a criteria // so that if the field is not empty, it is a tutor if (!empty($info_array[$tutor_field])) { $status = COURSEMANAGER; } else { $status = STUDENT; } } else { //the tutor_value is filled, so we need to check the contents of the LDAP field if (is_array($info_array[$tutor_field]) && in_array($tutor_value, $info_array[$tutor_field])) { $status = COURSEMANAGER; } else { $status = STUDENT; } } } //$official_code = xxx; //example: choose an attribute /*---------------------------------------------------------- 2. add info to Chamilo ------------------------------------------------------------ */ $language = api_get_setting('platformLanguage'); if (empty($language)) { $language = 'english'; } $_userId = UserManager::create_user( $prenom, $nom, $status, $email, $uname, $password, $official_code, $language, '', '', 'ldap' ); //echo "new user added to Chamilo, id = $_userId"; //user_id, username, password, auth_source /*---------------------------------------------------------- 3. register session ------------------------------------------------------------ */ $uData['user_id'] = $_userId; $uData['username'] = $uname; $uData['auth_source'] = "ldap"; $loginFailed = false; $uidReset = true; $_user['user_id'] = $uData['user_id']; Session::write('_uid', $_user['user_id']); } /** * The code of UGent uses these functions to authenticate. * function AuthVerifEnseignant ($uname, $passwd) * function AuthVerifEtudiant ($uname, $passwd) * function Authentif ($uname, $passwd). * * @todo translate the comments and code to english * @todo let these functions use the variables in config.inc instead of ldap_var.inc */ /** * Checks the existence of a member in LDAP. * * @param string username input on keyboard * @param string password given by user * * @return int 0 if authentication succeeded, 1 if password was incorrect, -1 if it didn't belong to LDAP */ function ldap_authentication_check($uname, $passwd) { //error_log('Entering ldap_authentication_check('.$uname.','.$passwd.')',0); global $ldap_host, $ldap_port, $ldap_basedn, $ldap_host2, $ldap_port2, $ldap_rdn, $ldap_pass; //error_log('Entering ldap_authentication_check('.$uname.','.$passwd.')',0); // Establish anonymous connection with LDAP server // Etablissement de la connexion anonyme avec le serveur LDAP $ds = ldap_connect($ldap_host, $ldap_port); ldap_set_version($ds); $test_bind = false; $test_bind_res = ldap_handle_bind($ds, $test_bind); //if problem, use the replica if ($test_bind_res === false) { $ds = ldap_connect($ldap_host2, $ldap_port2); ldap_set_version($ds); } // else: error_log('Connected to server '.$ldap_host); if ($ds !== false) { //Creation of filter containing values input by the user // Here it might be necessary to use $filter="(samaccountName=$uname)"; - see http://support.chamilo.org/issues/4675 $filter = "(uid=$uname)"; // Open anonymous LDAP connection $result = false; $ldap_bind_res = ldap_handle_bind($ds, $result); // Executing the search with the $filter parametr //error_log('Searching for '.$filter.' on LDAP server',0); $sr = ldap_search($ds, $ldap_basedn, $filter); $info = ldap_get_entries($ds, $sr); $dn = ($info[0]["dn"]); // debug !! echo"
dn = $dn
pass = $passwd
"; // closing 1st connection ldap_close($ds); } // test the Distinguish Name from the 1st connection if ($dn == "") { return -1; // doesn't belong to the addressbook } //bug ldap.. if password empty, return 1! if ($passwd == "") { return 1; } // Opening 2nd LDAP connection : Connection user for password check $ds = ldap_connect($ldap_host, $ldap_port); ldap_set_version($ds); if (!$test_bind) { $ds = ldap_connect($ldap_host2, $ldap_port2); ldap_set_version($ds); } // return in case of wrong password connection error if (@ldap_bind($ds, $dn, $passwd) === false) { return 1; // invalid password } else {// connection successfull return 0; } } // end of check /** * Set the protocol version with version from config file (enables LDAP version 3). * * @param resource resource LDAP connexion resource, passed by reference */ function ldap_set_version(&$resource) { //error_log('Entering ldap_set_version(&$resource)',0); global $ldap_version; if ($ldap_version > 2) { ldap_set_option($resource, LDAP_OPT_PROTOCOL_VERSION, 3); //ok - don't do anything //failure - should switch back to version 2 by default } } /** * Handle bind (whether authenticated or not). * * @param resource The LDAP handler to which we are connecting (by reference) * @param resource The LDAP bind handler we will be modifying * @param bool $ldap_bind * * @return bool Status of the bind assignment. True for success, false for failure. */ function ldap_handle_bind(&$ldap_handler, &$ldap_bind) { //error_log('Entering ldap_handle_bind(&$ldap_handler,&$ldap_bind)',0); global $ldap_rdn, $ldap_pass, $extldap_config; $ldap_rdn = $extldap_config['admin_dn']; $ldap_pass = $extldap_config['admin_password']; if (!empty($ldap_rdn) and !empty($ldap_pass)) { //error_log('Trying authenticated login :'.$ldap_rdn.'/'.$ldap_pass,0); $ldap_bind = ldap_bind($ldap_handler, $ldap_rdn, $ldap_pass); if (!$ldap_bind) { //error_log('Authenticated login failed',0); //try in anonymous mode, you never know... $ldap_bind = ldap_bind($ldap_handler); } } else { // this is an "anonymous" bind, typically read-only access: $ldap_bind = ldap_bind($ldap_handler); } if (!$ldap_bind) { return false; } else { //error_log('Login finally OK',0); return true; } } /** * Get the total number of users on the platform. * * @see SortableTable#get_total_number_of_items() * * @author Mustapha Alouani */ function ldap_get_users() { global $ldap_basedn, $ldap_host, $ldap_port, $ldap_rdn, $ldap_pass, $ldap_search_dn, $extldap_user_correspondance; $keyword_firstname = isset($_GET['keyword_firstname']) ? trim(Database::escape_string($_GET['keyword_firstname'])) : ''; $keyword_lastname = isset($_GET['keyword_lastname']) ? trim(Database::escape_string($_GET['keyword_lastname'])) : ''; $keyword_username = isset($_GET['keyword_username']) ? trim(Database::escape_string($_GET['keyword_username'])) : ''; $keyword_type = isset($_GET['keyword_type']) ? Database::escape_string($_GET['keyword_type']) : ''; $ldap_query = []; if ($keyword_username != "") { $ldap_query[] = str_replace('%username%', $keyword_username, $ldap_search_dn); } else { if ($keyword_lastname != "") { $ldap_query[] = "(".$extldap_user_correspondance['lastname']."=".$keyword_lastname."*)"; } if ($keyword_firstname != "") { $ldap_query[] = "(".$extldap_user_correspondance['firstname']."=".$keyword_firstname."*)"; } } if ($keyword_type != "" && $keyword_type != "all") { $ldap_query[] = "(employeeType=".$keyword_type.")"; } if (count($ldap_query) > 1) { $str_query = "(& "; foreach ($ldap_query as $query) { $str_query .= " $query"; } $str_query .= " )"; } else { $str_query = count($ldap_query) > 0 ? $ldap_query[0] : null; } $ds = ldap_connect($ldap_host, $ldap_port); ldap_set_version($ds); if ($ds && count($ldap_query) > 0) { $r = false; $res = ldap_handle_bind($ds, $r); //$sr = ldap_search($ds, "ou=test-ou,$ldap_basedn", $str_query); $sr = ldap_search($ds, $ldap_basedn, $str_query); //echo "Le nombre de resultats est : ".ldap_count_entries($ds,$sr)."

"; $info = ldap_get_entries($ds, $sr); return $info; } else { if (count($ldap_query) != 0) { echo Display::return_message(get_lang('LDAPConnectionError'), 'error'); } return []; } } /** * Get the total number of users on the platform. * * @see SortableTable#get_total_number_of_items() * * @author Mustapha Alouani */ function ldap_get_number_of_users() { $info = ldap_get_users(); if (count($info) > 0) { return $info['count']; } else { return 0; } } /** * Get the users to display on the current page. * * @see SortableTable#get_table_data($from) * * @author Mustapha Alouani */ function ldap_get_user_data($from, $number_of_items, $column, $direction) { global $extldap_user_correspondance; $users = []; $is_western_name_order = api_is_western_name_order(); if (isset($_GET['submit'])) { $info = ldap_get_users(); if ($info['count'] > 0) { for ($key = 0; $key < $info["count"]; $key++) { $user = []; // Get uid from dn //YW: this might be a variation between LDAP 2 and LDAP 3, but in LDAP 3, the uid is in //the corresponding index of the array //$dn_array=ldap_explode_dn($info[$key]["dn"],1); //$user[] = $dn_array[0]; // uid is first key //$user[] = $dn_array[0]; // uid is first key $user[] = $info[$key][$extldap_user_correspondance['username']][0]; $user[] = $info[$key][$extldap_user_correspondance['username']][0]; if ($is_western_name_order) { $user[] = api_convert_encoding($info[$key][$extldap_user_correspondance['firstname']][0], api_get_system_encoding(), 'UTF-8'); $user[] = api_convert_encoding($info[$key][$extldap_user_correspondance['lastname']][0], api_get_system_encoding(), 'UTF-8'); } else { $user[] = api_convert_encoding($info[$key][$extldap_user_correspondance['firstname']][0], api_get_system_encoding(), 'UTF-8'); $user[] = api_convert_encoding($info[$key][$extldap_user_correspondance['lastname']][0], api_get_system_encoding(), 'UTF-8'); } $user[] = $info[$key]['mail'][0]; $user[] = $info[$key][$extldap_user_correspondance['username']][0]; $users[] = $user; } } else { echo Display::return_message(get_lang('NoUser'), 'error'); } } return $users; } /** * Build the modify-column of the table. * * @param int $user_id The user id * @param string $url_params * * @return string Some HTML-code with modify-buttons * * @author Mustapha Alouani */ function modify_filter($user_id, $url_params, $row) { $query_string = "id[]=".$row[0]; if (!empty($_GET['id_session'])) { $query_string .= '&id_session='.Security::remove_XSS($_GET['id_session']); } $icon = ''; if (UserManager::is_username_available($user_id)) { $icon = 'invitation_friend.png'; } else { $icon = 'reload.png'; } //$url_params_id="id=".$row[0]; $result = ''.Display::return_icon($icon, get_lang('AddUsers')).''; return $result; } /** * Adds a user to the Chamilo database or updates its data. * * @param string username (and uid inside LDAP) * * @author Mustapha Alouani */ function ldap_add_user($login) { if ($ldap_user = extldap_authenticate($login, 'nopass', true)) { return extldap_add_user_by_array($ldap_user); } } function ldap_add_user_by_array($data, $update_if_exists = true) { $lastname = api_convert_encoding($data['sn'][0], api_get_system_encoding(), 'UTF-8'); $firstname = api_convert_encoding($data['cn'][0], api_get_system_encoding(), 'UTF-8'); $email = $data['mail'][0]; // Get uid from dn $dn_array = ldap_explode_dn($data['dn'], 1); $username = $dn_array[0]; // uid is first key $outab[] = $data['edupersonprimaryaffiliation'][0]; // Here, "student" //$val = ldap_get_values_len($ds, $entry, "userPassword"); //$val = ldap_get_values_len($ds, $data, "userPassword"); //$password = $val[0]; // TODO the password, if encrypted at the source, will be encrypted twice, which makes it useless. Try to fix that. $password = $data['userPassword'][0]; $structure = $data['edupersonprimaryorgunitdn'][0]; $array_structure = explode(",", $structure); $array_val = explode("=", $array_structure[0]); $etape = $array_val[1]; $array_val = explode("=", $array_structure[1]); $annee = $array_val[1]; // To ease management, we add the step-year (etape-annee) code $official_code = $etape."-".$annee; $auth_source = 'ldap'; // No expiration date for students (recover from LDAP's shadow expiry) $expiration_date = ''; $active = 1; if (empty($status)) { $status = 5; } if (empty($phone)) { $phone = ''; } if (empty($picture_uri)) { $picture_uri = ''; } // Adding user $user_id = 0; if (UserManager::is_username_available($username)) { $user_id = UserManager::create_user( $firstname, $lastname, $status, $email, $username, $password, $official_code, api_get_setting('platformLanguage'), $phone, $picture_uri, $auth_source, $expiration_date, $active ); } else { if ($update_if_exists) { $user = api_get_user_info($username); $user_id = $user['user_id']; UserManager::update_user( $user_id, $firstname, $lastname, $username, null, null, $email, $status, $official_code, $phone, $picture_uri, $expiration_date, $active ); } } return $user_id; } /** * Adds a list of users to one session. * * @param array Array of user ids * @param string Course code */ function ldap_add_user_to_session($UserList, $id_session) { // Database Table Definitions $tbl_session = Database::get_main_table(TABLE_MAIN_SESSION); $tbl_session_rel_class = Database::get_main_table(TABLE_MAIN_SESSION_CLASS); $tbl_session_rel_course = Database::get_main_table(TABLE_MAIN_SESSION_COURSE); $tbl_session_rel_course_rel_user = Database::get_main_table(TABLE_MAIN_SESSION_COURSE_USER); $tbl_course = Database::get_main_table(TABLE_MAIN_COURSE); $tbl_user = Database::get_main_table(TABLE_MAIN_USER); $tbl_session_rel_user = Database::get_main_table(TABLE_MAIN_SESSION_USER); $tbl_class = Database::get_main_table(TABLE_MAIN_CLASS); $tbl_class_user = Database::get_main_table(TABLE_MAIN_CLASS_USER); $id_session = (int) $id_session; // Once users are imported in the users base, we can assign them to the session $result = Database::query("SELECT c_id FROM $tbl_session_rel_course WHERE session_id ='$id_session'"); $CourseList = []; while ($row = Database::fetch_array($result)) { $CourseList[] = $row['c_id']; } foreach ($CourseList as $enreg_course) { foreach ($UserList as $enreg_user) { $enreg_user = (int) $enreg_user; Database::query("INSERT IGNORE ". " INTO $tbl_session_rel_course_rel_user ". "(session_id,c_id,user_id) VALUES ". "('$id_session','$enreg_course','$enreg_user')"); } $sql = "SELECT COUNT(user_id) as nbUsers ". " FROM $tbl_session_rel_course_rel_user ". " WHERE session_id='$id_session' ". " AND c_id='$enreg_course'"; $rs = Database::query($sql); list($nbr_users) = Database::fetch_array($rs); Database::query("UPDATE $tbl_session_rel_course ". " SET nbr_users=$nbr_users ". " WHERE session_id='$id_session' ". " AND c_id='$enreg_course'"); } foreach ($UserList as $enreg_user) { $enreg_user = (int) $enreg_user; Database::query("INSERT IGNORE INTO $tbl_session_rel_user ". " (session_id, user_id, registered_at) ". " VALUES('$id_session','$enreg_user', '".api_get_utc_datetime()."')"); } // We update the number of users in the session $sql = "SELECT COUNT(user_id) as nbUsers FROM $tbl_session_rel_user ". " WHERE session_id='$id_session' ". " AND relation_type<>".SESSION_RELATION_TYPE_RRHH." "; $rs = Database::query($sql); list($nbr_users) = Database::fetch_array($rs); Database::query("UPDATE $tbl_session SET nbr_users=$nbr_users ". " WHERE id='$id_session'"); } /** * Synchronize users from the configured LDAP connection (in auth.conf.php). If * configured to disable old users,. * * @param bool $disableOldUsers Whether to disable users who have disappeared from LDAP (true) or just leave them be (default: false) * @param bool $deleteStudents Go one step further and delete completely students missing from LDAP * @param bool $deleteTeachers Go even one step further and also delete completely teachers missing from LDAP * * @return int Total number of users added (not counting possible removals) */ function syncro_users( $disableOldUsers = false, $deleteStudents = false, $deleteTeachers = false ) { global $ldap_basedn, $ldap_host, $ldap_port, $ldap_rdn, $ldap_pass, $ldap_search_dn, $debug; $i = 0; if ($debug) { error_log('Connecting... ('.__FUNCTION__.')'); } $ldapConnect = ldap_connect($ldap_host, $ldap_port); ldap_set_version($ldapConnect); if ($ldapConnect) { if ($debug) { error_log('Connected to LDAP server successfully! Binding... ('.__FUNCTION__.')'); } $ldapBind = false; $ldapBindRes = ldap_handle_bind($ldapConnect, $ldapBind); if ($ldapBindRes) { if ($debug) { error_log('Bind successful! Searching for uid in LDAP DC: '.$ldap_search_dn); } $allUserQuery = "uid=*"; if (!empty($ldap_search_dn)) { $sr = ldap_search($ldapConnect, $ldap_search_dn, $allUserQuery); } else { //OLD: $sr=ldap_search($ldapconnect,"dc=rug, dc=ac, dc=be", "uid=$login"); $sr = ldap_search($ldapConnect, $ldap_basedn, $allUserQuery); } if ($debug) { error_log('Entries returned: '.ldap_count_entries($ldapConnect, $sr)); } $info = ldap_get_entries($ldapConnect, $sr); for ($key = 0; $key < $info['count']; $key++) { $user_id = ldap_add_user_by_array($info[$key], false); if ($user_id) { if ($debug) { error_log('User #'.$user_id.' created from LDAP'); } $i++; } else { if ($debug) { error_log('User '.$info[$key]['sn'][0].' ('.$info[$key]['mail'][0].') could not be created'); } } } if ($disableOldUsers === true) { if ($debug) { error_log('Disable mode selected in '.__FUNCTION__); if ($deleteStudents) { error_log('...with complete deletion of users if disabled'); } } // Get a big array of all user IDs, usernames only if they are // registered as auth_source = 'ldap' // This array will take about 60 bytes per user in memory, so // having 100K users should only take a few (6?) MB and will // highly reduce the number of DB queries $usersDBShortList = []; $usersLDAPShortList = []; $sql = "SELECT id, username, status FROM user WHERE auth_source = 'ldap' ORDER BY username"; $res = Database::query($sql); if ($res !== false) { // First build a list of users present in LDAP for ($key = 0; $key < $info['count']; $key++) { $dn_array = ldap_explode_dn($info[$key]['dn'], 1); $usersLDAPShortList[$dn_array[0]] = 1; } // Go through all 'extldap' users. For any that cannot // be found in the LDAP list, disable while ($row = Database::fetch_assoc($res)) { $usersDBShortList[$row['username']] = $row['id']; // If any of those users is NOT in LDAP, disable or remove if (empty($usersLDAPShortList[$row['username']])) { if ($deleteStudents === true && $row['status'] == 5) { UserManager::delete_user($usersDBShortList[$row['username']]); if ($debug) { error_log('Student '.$row['username'].' removed from Chamilo'); } } elseif ($deleteTeachers === true && $row['status'] == 1) { UserManager::delete_user($usersDBShortList[$row['username']]); if ($debug) { error_log('Teacher '.$row['username'].' removed from Chamilo'); } } else { UserManager::disable($usersDBShortList[$row['username']]); if ($debug) { error_log('User '.$row['username'].' disabled in Chamilo'); } } } } } } if ($debug) { error_log('Data for '.$info['count'].' items processed'); } //echo "Data for ".$info["count"]." items returned:

"; } else { error_log('Could not bind to LDAP server'); } ldap_close($ldapConnect); } else { error_log('Could not connect to LDAP server'); } error_log('Ended execution of function '.__FUNCTION__); }