librenms-librenms/html/includes/authentication/active_directory.inc.php

<?php

// easier to rewrite for Active Directory than to bash it into existing LDAP implementation

// disable certificate checking before connect if required
if (isset($config['auth_ad_check_certificates']) &&
          $config['auth_ad_check_certificates'] == 0) {
    putenv('LDAPTLS_REQCERT=never');
};

$ds = @ldap_connect($config['auth_ad_url']);

// disable referrals and force ldap version to 3

ldap_set_option($ds, LDAP_OPT_REFERRALS, 0);
ldap_set_option($ds, LDAP_OPT_PROTOCOL_VERSION, 3);

function authenticate($username, $password) {
    global $config, $ds;

    if ($username && $ds) {
        // bind with sAMAccountName instead of full LDAP DN
        if (ldap_bind($ds, "{$username}@{$config['auth_ad_domain']}", $password)) {
            // group membership in one of the configured groups is required
            if (isset($config['auth_ad_require_groupmembership']) &&
                $config['auth_ad_require_groupmembership'] > 0) {
                $search = ldap_search($ds, $config['auth_ad_base_dn'],
                                      "(samaccountname={$username})", array('memberOf'));
                $entries = ldap_get_entries($ds, $search);

                $user_authenticated = 0; 
                
                foreach ($entries[0]['memberof'] as $entry) {
                    $group_cn = get_cn($entry);
                    if (isset($config['auth_ad_groups'][$group_cn]['level'])) {
                        // user is in one of the defined groups
                        $user_authenticated = 1;
                        adduser($username);
                    } 
                }

                return $user_authenticated;
                
            }
            else {
                // group membership is not required and user is valid
                adduser($username);
                return 1;
            }
        }
        else {
            return 0;
        }
    }
    else {
        echo ldap_error($ds);
    }

    return 0;
}

function reauthenticate() {
    // not supported so return 0
    return 0;
}


function passwordscanchange() {
    // not supported so return 0
    return 0;
}


function changepassword() {
    // not supported so return 0
    return 0;
}


function auth_usermanagement() {
    // not supported so return 0
    return 0;
}


function adduser($username) {
    // Check to see if user is already added in the database
    if (!user_exists_in_db($username)) {
        $userid = dbInsert(array('username' => $username, 'user_id' => get_userid($username), 'level' => "0", 'can_modify_passwd' => 0, 'twofactor' => 0), 'users');
        if ($userid == false) {
            return false;
        }
        else {
            foreach (dbFetchRows('select notifications.* from notifications where not exists( select 1 from notifications_attribs where notifications.notifications_id = notifications_attribs.notifications_id and notifications_attribs.user_id = ?) order by notifications.notifications_id desc',array($userid)) as $notif) {
                dbInsert(array('notifications_id'=>$notif['notifications_id'],'user_id'=>$userid,'key'=>'read','value'=>1),'notifications_attribs');
            }
        }
        return $userid;
    }
    else {
        return false;
    }
}

function user_exists_in_db($username) {
    $return = dbFetchCell('SELECT COUNT(*) FROM users WHERE username = ?', array($username), true);
    return $return;
}

function user_exists($username) {
    global $config, $ds;

    $search = ldap_search($ds, $config['auth_ad_base_dn'],
                          "(samaccountname={$username})",array('samaccountname'));
    $entries = ldap_get_entries($ds, $search);


    if ($entries['count']) {
        return 1;
    }

    return 0;
}


function get_userlevel($username) {
    global $config, $ds;

    $userlevel = 0;

    // Find all defined groups $username is in
    $search = ldap_search($ds, $config['auth_ad_base_dn'],
                          "(samaccountname={$username})", array('memberOf'));
    $entries = ldap_get_entries($ds, $search);
    
    // Loop the list and find the highest level
    foreach ($entries[0]['memberof'] as $entry) {
        $group_cn = get_cn($entry);
        if ($config['auth_ad_groups'][$group_cn]['level'] > $userlevel) {
            $userlevel = $config['auth_ad_groups'][$group_cn]['level'];
        }
    }

    return $userlevel;
}


function get_userid($username) {
    global $config, $ds;

    $attributes = array('objectsid');
    $search = ldap_search($ds, $config['auth_ad_base_dn'],
                          "(samaccountname={$username})", $attributes);    
    $entries = ldap_get_entries($ds, $search);

    if ($entries['count']) {
        return preg_replace('/.*-(\d+)$/','$1',sid_from_ldap($entries[0]['objectsid'][0]));
    }

    return -1;
}


function deluser() {
    // not supported so return 0 
    return 0;
}


function get_userlist() {
    global $config, $ds;
    $userlist = array();
    $userhash = array();

    $ldap_groups = get_group_list();

    foreach($ldap_groups as $ldap_group) {
        $group_cn = get_cn($ldap_group);
        $search = ldap_search($ds, $config['auth_ad_base_dn'], "(cn={$group_cn})", array('member'));
        $entries = ldap_get_entries($ds, $search);
        
        foreach($entries[0]['member'] as $member) {
            $member_cn = get_cn($member);
            $search = ldap_search($ds, $config['auth_ad_base_dn'], "(cn={$member_cn})",
                                  array('sAMAccountname', 'displayName', 'objectSID', 'mail'));
            $results = ldap_get_entries($ds, $search);
            foreach($results as $result) {
                if(isset($result['samaccountname'][0])) {
                    $userid = preg_replace('/.*-(\d+)$/','$1',
                                           sid_from_ldap($result['objectsid'][0]));

                    // don't make duplicates, user may be member of more than one group
                    $userhash[$result['samaccountname'][0]] = array(
                        'realname' => $result['displayName'][0],
                        'user_id'  => $userid,
                        'email'    => $result['mail'][0]
                    );
                }
            }
        }
    }

    foreach(array_keys($userhash) as $key) {
        $userlist[] = array(
            'username' => $key,
            'realname' => $userhash[$key]['realname'],
            'user_id'  => $userhash[$key]['user_id'],
            'email'    => $userhash[$key]['email']
        );
    }
    
    return $userlist;
}


function can_update_users() {
    // not supported so return 0
    return 0;
}


function get_user($user_id) {
    // not supported so return 0
    return 0;
}


function update_user($user_id, $realname, $level, $can_modify_passwd, $email) {
    // not supported so return 0 
    return 0;

}


function get_fullname($username) {
    global $config, $ds;

    $attributes = array('name');
    $result = ldap_search($ds, $config['auth_ad_base_dn'],
                          "(samaccountname={$username})", $attributes);
    $entries = ldap_get_entries($ds, $result);
    if ($entries['count'] > 0) {
        $membername = $entries[0]['name'][0];
    }
    else {
        $membername = $username;
    }

    return $membername;
}


function get_group_list() {
    global $config;

    $ldap_groups   = array();

    // show all Active Directory Users by default
    $default_group = 'Users';

    if (isset($config['auth_ad_group'])) {
        if ($config['auth_ad_group'] !== $default_group) {
            $ldap_groups[] = $config['auth_ad_group'];
        }
    }

    if (!isset($config['auth_ad_groups']) && !isset($config['auth_ad_group'])) {
        $ldap_groups[] = get_dn($default_group);
    }

    foreach ($config['auth_ad_groups'] as $key => $value) {
        $ldap_groups[] = get_dn($key);
    }

    return $ldap_groups;

}

function get_dn($samaccountname) {
    global $config, $ds;


    $attributes = array('dn');
    $result = ldap_search($ds, $config['auth_ad_base_dn'],
                          "(samaccountname={$samaccountname})", $attributes);
    $entries = ldap_get_entries($ds, $result);
    if ($entries['count'] > 0) {
        return $entries[0]['dn'];
    }
    else {
        return '';
    }
}

function get_cn($dn) {
    preg_match('/[^,]*/', $dn, $matches, PREG_OFFSET_CAPTURE, 3);
    return $matches[0][0];
}

function sid_from_ldap($sid)
{
        $sidHex = unpack('H*hex', $sid);
        $subAuths = unpack('H2/H2/n/N/V*', $sid);        
        $revLevel = hexdec(substr($sidHex, 0, 2));
        $authIdent = hexdec(substr($sidHex, 4, 12));      
        return 'S-'.$revLevel.'-'.$authIdent.'-'.implode('-', $subAuths);
}
Initial commit 2015-10-16 09:40:17 +02:00			`<?php`

			`// easier to rewrite for Active Directory than to bash it into existing LDAP implementation`

Fix AD auth with untrusted certificates. LDAPTLS_REQCERT=never must be set before ldap_connect. 2015-11-13 11:05:05 -06:00			`// disable certificate checking before connect if required`
Moved auth_ad_dont_check_certificates to auth_ad_check_certificates 2015-11-16 10:24:16 +01:00			`if (isset($config['auth_ad_check_certificates']) &&`
			`$config['auth_ad_check_certificates'] == 0) {`
Fix AD auth with untrusted certificates. LDAPTLS_REQCERT=never must be set before ldap_connect. 2015-11-13 11:05:05 -06:00			`putenv('LDAPTLS_REQCERT=never');`
			`};`

Initial commit 2015-10-16 09:40:17 +02:00			`$ds = @ldap_connect($config['auth_ad_url']);`

			`// disable referrals and force ldap version to 3`

			`ldap_set_option($ds, LDAP_OPT_REFERRALS, 0);`
			`ldap_set_option($ds, LDAP_OPT_PROTOCOL_VERSION, 3);`

			`function authenticate($username, $password) {`
			`global $config, $ds;`

			`if ($username && $ds) {`
			`// bind with sAMAccountName instead of full LDAP DN`
			`if (ldap_bind($ds, "{$username}@{$config['auth_ad_domain']}", $password)) {`
Checking for groups now 2015-10-30 17:17:55 +01:00			`// group membership in one of the configured groups is required`
			`if (isset($config['auth_ad_require_groupmembership']) &&`
			`$config['auth_ad_require_groupmembership'] > 0) {`
			`$search = ldap_search($ds, $config['auth_ad_base_dn'],`
			`"(samaccountname={$username})", array('memberOf'));`
			`$entries = ldap_get_entries($ds, $search);`

			`$user_authenticated = 0;`

			`foreach ($entries[0]['memberof'] as $entry) {`
			`$group_cn = get_cn($entry);`
			`if (isset($config['auth_ad_groups'][$group_cn]['level'])) {`
			`// user is in one of the defined groups`
			`$user_authenticated = 1;`
Functionality added: adduser(), user_exists_in_db() 2015-11-16 13:37:12 +01:00			`adduser($username);`
Checking for groups now 2015-10-30 17:17:55 +01:00			`}`
			`}`

			`return $user_authenticated;`

Removed unused variables and updated coding style 2015-11-10 10:38:42 +01:00			`}`
			`else {`
Checking for groups now 2015-10-30 17:17:55 +01:00			`// group membership is not required and user is valid`
Functionality added: adduser(), user_exists_in_db() 2015-11-16 13:37:12 +01:00			`adduser($username);`
Checking for groups now 2015-10-30 17:17:55 +01:00			`return 1;`
Coding style 2015-11-10 10:39:42 +01:00			`}`
Removed unused variables and updated coding style 2015-11-10 10:38:42 +01:00			`}`
			`else {`
Initial commit 2015-10-16 09:40:17 +02:00			`return 0;`
			`}`
Removed unused variables and updated coding style 2015-11-10 10:38:42 +01:00			`}`
			`else {`
Initial commit 2015-10-16 09:40:17 +02:00			`echo ldap_error($ds);`
			`}`

			`return 0;`
			`}`

Removed unused variables and updated coding style 2015-11-10 10:38:42 +01:00			`function reauthenticate() {`
Authenticate against active directory 2015-10-22 09:16:20 +02:00			`// not supported so return 0`
Initial commit 2015-10-16 09:40:17 +02:00			`return 0;`
			`}`


Removed unused variables and updated coding style 2015-11-10 10:38:42 +01:00			`function passwordscanchange() {`
Authenticate against active directory 2015-10-22 09:16:20 +02:00			`// not supported so return 0`
Initial commit 2015-10-16 09:40:17 +02:00			`return 0;`
			`}`


Removed unused variables and updated coding style 2015-11-10 10:38:42 +01:00			`function changepassword() {`
Authenticate against active directory 2015-10-22 09:16:20 +02:00			`// not supported so return 0`
Initial commit 2015-10-16 09:40:17 +02:00			`return 0;`
			`}`


			`function auth_usermanagement() {`
Authenticate against active directory 2015-10-22 09:16:20 +02:00			`// not supported so return 0`
Initial commit 2015-10-16 09:40:17 +02:00			`return 0;`
			`}`


Functionality added: adduser(), user_exists_in_db() 2015-11-16 13:37:12 +01:00			`function adduser($username) {`
			`// Check to see if user is already added in the database`
			`if (!user_exists_in_db($username)) {`
fix rest of the authmodules 2015-11-21 12:25:34 +00:00			`$userid = dbInsert(array('username' => $username, 'user_id' => get_userid($username), 'level' => "0", 'can_modify_passwd' => 0, 'twofactor' => 0), 'users');`
			`if ($userid == false) {`
			`return false;`
			`}`
			`else {`
			`foreach (dbFetchRows('select notifications.* from notifications where not exists( select 1 from notifications_attribs where notifications.notifications_id = notifications_attribs.notifications_id and notifications_attribs.user_id = ?) order by notifications.notifications_id desc',array($userid)) as $notif) {`
			`dbInsert(array('notifications_id'=>$notif['notifications_id'],'user_id'=>$userid,'key'=>'read','value'=>1),'notifications_attribs');`
			`}`
			`}`
			`return $userid;`
Functionality added: adduser(), user_exists_in_db() 2015-11-16 13:37:12 +01:00			`}`
			`else {`
			`return false;`
			`}`
Initial commit 2015-10-16 09:40:17 +02:00			`}`

Functionality added: adduser(), user_exists_in_db() 2015-11-16 13:37:12 +01:00			`function user_exists_in_db($username) {`
Update active_directory.inc.php 2015-11-17 12:28:28 +01:00			`$return = dbFetchCell('SELECT COUNT(*) FROM users WHERE username = ?', array($username), true);`
Functionality added: adduser(), user_exists_in_db() 2015-11-16 13:37:12 +01:00			`return $return;`
			`}`
Initial commit 2015-10-16 09:40:17 +02:00
			`function user_exists($username) {`
			`global $config, $ds;`

			`$search = ldap_search($ds, $config['auth_ad_base_dn'],`
			`"(samaccountname={$username})",array('samaccountname'));`
			`$entries = ldap_get_entries($ds, $search);`


			`if ($entries['count']) {`
			`return 1;`
			`}`

			`return 0;`
			`}`


			`function get_userlevel($username) {`
			`global $config, $ds;`

			`$userlevel = 0;`

			`// Find all defined groups $username is in`
			`$search = ldap_search($ds, $config['auth_ad_base_dn'],`
			`"(samaccountname={$username})", array('memberOf'));`
			`$entries = ldap_get_entries($ds, $search);`

			`// Loop the list and find the highest level`
			`foreach ($entries[0]['memberof'] as $entry) {`
			`$group_cn = get_cn($entry);`
			`if ($config['auth_ad_groups'][$group_cn]['level'] > $userlevel) {`
			`$userlevel = $config['auth_ad_groups'][$group_cn]['level'];`
			`}`
			`}`

			`return $userlevel;`
			`}`


			`function get_userid($username) {`
			`global $config, $ds;`

			`$attributes = array('objectsid');`
Fixed a bug from scrutinizer 2015-11-10 10:03:47 +01:00			`$search = ldap_search($ds, $config['auth_ad_base_dn'],`
Initial commit 2015-10-16 09:40:17 +02:00			`"(samaccountname={$username})", $attributes);`
			`$entries = ldap_get_entries($ds, $search);`

			`if ($entries['count']) {`
			`return preg_replace('/.*-(\d+)$/','$1',sid_from_ldap($entries[0]['objectsid'][0]));`
			`}`

			`return -1;`
			`}`


Removed unused variables 2015-11-10 10:47:50 +01:00			`function deluser() {`
Authenticate against active directory 2015-10-22 09:16:20 +02:00			`// not supported so return 0`
Initial commit 2015-10-16 09:40:17 +02:00			`return 0;`
			`}`


			`function get_userlist() {`
			`global $config, $ds;`
			`$userlist = array();`
Fixed a bug from scrutinizer 2015-11-10 10:03:47 +01:00			`$userhash = array();`
Initial commit 2015-10-16 09:40:17 +02:00
			`$ldap_groups = get_group_list();`

			`foreach($ldap_groups as $ldap_group) {`
			`$group_cn = get_cn($ldap_group);`
			`$search = ldap_search($ds, $config['auth_ad_base_dn'], "(cn={$group_cn})", array('member'));`
			`$entries = ldap_get_entries($ds, $search);`

			`foreach($entries[0]['member'] as $member) {`
			`$member_cn = get_cn($member);`
			`$search = ldap_search($ds, $config['auth_ad_base_dn'], "(cn={$member_cn})",`
			`array('sAMAccountname', 'displayName', 'objectSID', 'mail'));`
			`$results = ldap_get_entries($ds, $search);`
			`foreach($results as $result) {`
			`if(isset($result['samaccountname'][0])) {`
			`$userid = preg_replace('/.*-(\d+)$/','$1',`
Authenticate against active directory 2015-10-22 09:16:20 +02:00			`sid_from_ldap($result['objectsid'][0]));`
Initial commit 2015-10-16 09:40:17 +02:00
			`// don't make duplicates, user may be member of more than one group`
Authenticate against active directory 2015-10-22 09:16:20 +02:00			`$userhash[$result['samaccountname'][0]] = array(`
Initial commit 2015-10-16 09:40:17 +02:00			`'realname' => $result['displayName'][0],`
			`'user_id' => $userid,`
			`'email' => $result['mail'][0]`
			`);`
			`}`
			`}`
			`}`
			`}`

Authenticate against active directory 2015-10-22 09:16:20 +02:00			`foreach(array_keys($userhash) as $key) {`
Initial commit 2015-10-16 09:40:17 +02:00			`$userlist[] = array(`
			`'username' => $key,`
			`'realname' => $userhash[$key]['realname'],`
			`'user_id' => $userhash[$key]['user_id'],`
			`'email' => $userhash[$key]['email']`
			`);`
			`}`

			`return $userlist;`
			`}`


			`function can_update_users() {`
			`// not supported so return 0`
			`return 0;`
			`}`


			`function get_user($user_id) {`
			`// not supported so return 0`
			`return 0;`
			`}`


			`function update_user($user_id, $realname, $level, $can_modify_passwd, $email) {`
			`// not supported so return 0`
			`return 0;`

			`}`


			`function get_fullname($username) {`
			`global $config, $ds;`

			`$attributes = array('name');`
			`$result = ldap_search($ds, $config['auth_ad_base_dn'],`
			`"(samaccountname={$username})", $attributes);`
			`$entries = ldap_get_entries($ds, $result);`
			`if ($entries['count'] > 0) {`
			`$membername = $entries[0]['name'][0];`
Removed unused variables and updated coding style 2015-11-10 10:38:42 +01:00			`}`
			`else {`
Initial commit 2015-10-16 09:40:17 +02:00			`$membername = $username;`
			`}`

			`return $membername;`
			`}`


			`function get_group_list() {`
			`global $config;`

			`$ldap_groups = array();`

			`// show all Active Directory Users by default`
			`$default_group = 'Users';`

			`if (isset($config['auth_ad_group'])) {`
			`if ($config['auth_ad_group'] !== $default_group) {`
			`$ldap_groups[] = $config['auth_ad_group'];`
			`}`
			`}`

			`if (!isset($config['auth_ad_groups']) && !isset($config['auth_ad_group'])) {`
			`$ldap_groups[] = get_dn($default_group);`
			`}`

			`foreach ($config['auth_ad_groups'] as $key => $value) {`
			`$ldap_groups[] = get_dn($key);`
			`}`

			`return $ldap_groups;`

			`}`

			`function get_dn($samaccountname) {`
			`global $config, $ds;`


			`$attributes = array('dn');`
			`$result = ldap_search($ds, $config['auth_ad_base_dn'],`
			`"(samaccountname={$samaccountname})", $attributes);`
			`$entries = ldap_get_entries($ds, $result);`
			`if ($entries['count'] > 0) {`
			`return $entries[0]['dn'];`
Removed unused variables and updated coding style 2015-11-10 10:38:42 +01:00			`}`
			`else {`
Initial commit 2015-10-16 09:40:17 +02:00			`return '';`
			`}`
			`}`

			`function get_cn($dn) {`
			`preg_match('/[^,]*/', $dn, $matches, PREG_OFFSET_CAPTURE, 3);`
			`return $matches[0][0];`
			`}`

			`function sid_from_ldap($sid)`
			`{`
Authenticate against active directory 2015-10-22 09:16:20 +02:00			`$sidHex = unpack('H*hex', $sid);`
Initial commit 2015-10-16 09:40:17 +02:00			`$subAuths = unpack('H2/H2/n/N/V*', $sid);`
			`$revLevel = hexdec(substr($sidHex, 0, 2));`
			`$authIdent = hexdec(substr($sidHex, 4, 12));`
			`return 'S-'.$revLevel.'-'.$authIdent.'-'.implode('-', $subAuths);`
			`}`