<?php
/*
** Copyright (C) 2001-2025 Zabbix SIA
**
** This program is free software: you can redistribute it and/or modify it under the terms of
** the GNU Affero General Public License as published by the Free Software Foundation, version 3.
**
** This program is distributed in the hope that it will be useful, but WITHOUT ANY WARRANTY;
** without even the implied warranty of MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.
** See the GNU Affero General Public License for more details.
**
** You should have received a copy of the GNU Affero General Public License along with this program.
** If not, see <https://www.gnu.org/licenses/>.
**/
class CLdap {
const BIND_NONE = 0;
const BIND_ANONYMOUS = 1;
const BIND_CONFIG_CREDENTIALS = 2;
const BIND_DNSTRING = 3;
const ERR_NONE = 0;
const ERR_PHP_EXTENSION = 1;
const ERR_SERVER_UNAVAILABLE = 2;
const ERR_BIND_FAILED = 3;
const ERR_BIND_ANON_FAILED = 4;
const ERR_USER_NOT_FOUND = 5;
const ERR_OPT_PROTOCOL_FAILED = 10;
const ERR_OPT_TLS_FAILED = 11;
const ERR_OPT_REFERRALS_FAILED = 12;
const ERR_OPT_DEREF_FAILED = 13;
const ERR_BIND_DNSTRING_UNAVAILABLE = 14;
const ERR_QUERY_FAILED = 15;
const DEFAULT_FILTER_USER = '(%{attr}=%{user})';
const DEFAULT_FILTER_GROUP = '(%{groupattr}=%{user})';
const DEFAULT_MEMBERSHIP_ATTRIBUTE = 'memberOf';
/**
* Type of binding made to LDAP server. One of static::BIND_ constant value.
*
* @var int
*/
public $bound;
/**
* @var int
*/
public $error;
/**
* Bind type to use when searching in LDAP tree. One of static::BIND_ constant value.
*
* @var int
*/
public $bind_type;
/**
* Bind DN string, may contain placeholders when BIND_TYPE_DNSTRING is detected.
*
* @var string
*/
protected $bind_dn;
/**
* @var array $cnf LDAP connection settings.
*/
protected $cnf = [
'host' => '',
'port' => '',
'bind_dn' => '',
'bind_password' => '',
'base_dn' => '',
'search_attribute' => '',
'search_filter' => '',
'group_basedn' => '',
'group_name' => '',
'group_member' => '',
'group_filter' => '',
'group_membership' => '',
'referrals' => 0,
'version' => 3,
'start_tls' => ZBX_AUTH_START_TLS_OFF,
'deref' => null
];
/**
* Placeholders with value used for building bind or search filter query.
* Key is placeholder name, %{attr} and value is placeholder value to replace to.
*
* @var array
*/
protected $placeholders = [];
/**
* Established LDAP connection resource, for PHP8.1.0+ LDAP\Connection class instance.
*
* @var bool|resource|LDAP\Connection
*/
protected $ds;
public function __construct(array $config = []) {
$this->ds = false;
$this->bound = static::BIND_NONE;
$this->error = static::ERR_NONE;
$this->cnf = zbx_array_merge($this->cnf, $config);
if ($this->cnf['search_filter'] === '') {
$this->cnf['search_filter'] = static::DEFAULT_FILTER_USER;
}
if ($this->cnf['group_filter'] === '') {
$this->cnf['group_filter'] = static::DEFAULT_FILTER_GROUP;
}
if ($this->cnf['group_membership'] === '') {
$this->cnf['group_membership'] = static::DEFAULT_MEMBERSHIP_ATTRIBUTE;
}
$this->initBindAttributes();
$this->error = $this->moduleEnabled() ? static::ERR_NONE : static::ERR_PHP_EXTENSION;
}
/**
* Check is the PHP extension enabled.
*
* @return bool
*/
public function moduleEnabled(): bool {
return function_exists('ldap_connect') && function_exists('ldap_set_option') && function_exists('ldap_bind')
&& function_exists('ldap_search') && function_exists('ldap_get_entries')
&& function_exists('ldap_free_result') && function_exists('ldap_start_tls');
}
/**
* Initialize connection to LDAP server. Set LDAP connection options defined in configuration when required.
* Return true on success.
*
* @return bool
*/
public function connect(): bool {
$this->error = static::ERR_NONE;
if ($this->ds !== false) {
return true;
}
$this->bound = static::BIND_NONE;
if (!$this->ds = @ldap_connect($this->cnf['host'], $this->cnf['port'])) {
$this->error = static::ERR_SERVER_UNAVAILABLE;
return false;
}
// Set protocol version and dependent options.
if ($this->cnf['version']) {
if (!@ldap_set_option($this->ds, LDAP_OPT_PROTOCOL_VERSION, $this->cnf['version'])) {
$this->error = static::ERR_OPT_PROTOCOL_FAILED;
}
elseif ($this->cnf['version'] == 3) {
if ($this->cnf['start_tls'] && !@ldap_start_tls($this->ds)) {
$this->error = static::ERR_OPT_TLS_FAILED;
}
if (!$this->cnf['referrals']
&& !@ldap_set_option($this->ds, LDAP_OPT_REFERRALS, $this->cnf['referrals'])) {
$this->error = static::ERR_OPT_REFERRALS_FAILED;
}
}
}
if (isset($this->cnf['deref']) && !@ldap_set_option($this->ds, LDAP_OPT_DEREF, $this->cnf['deref'])) {
$this->error = static::ERR_OPT_DEREF_FAILED;
}
return $this->error == static::ERR_NONE;
}
/**
* Bind to LDAP server. Set $this->bound to type of successful binding.
* Arguments $user and $password are required when bind type BIND_DNSTRING is set.
*
* Bind types:
* BIND_CONFIG_CREDENTIALS - Special configuration user is used to bind and search.
* BIND_ANONYMOUS - Anonymous user is used to bind and search.
* BIND_DNSTRING - Logging in user is used to bind and search.
*
* Both arguments $user and $password are required for bind type BIND_DNSTRING only.
*
* @param string $user User name value.
* @param string $password Password value.
*
* @return bool
*/
public function bind($user = null, $password = null): bool {
$this->bound = static::BIND_NONE;
if ($this->bind_type == static::BIND_ANONYMOUS) {
if (!@ldap_bind($this->ds)) {
$this->error = static::ERR_BIND_ANON_FAILED;
return false;
}
$this->bound = static::BIND_ANONYMOUS;
return true;
}
$dn = $this->bind_dn;
$dn_password = $this->cnf['bind_password'];
if ($this->bind_type == static::BIND_DNSTRING) {
if ($user === null || $password === null) {
$this->error = static::ERR_BIND_DNSTRING_UNAVAILABLE;
return false;
}
$dn = $this->makeFilter($this->bind_dn, ['%{user}' => $user], LDAP_ESCAPE_DN);
$dn_password = $password;
}
if (!@ldap_bind($this->ds, $dn, $dn_password)) {
$this->error = static::ERR_BIND_FAILED;
return false;
}
$this->bound = $this->bind_type;
return true;
}
/**
* Check validity of user credentials. Do not allow to check credentials when password is empty.
*
* @param string $user User name attribute value.
* @param string $pass User password attribute value.
*
* @return bool
*/
public function checkCredentials(string $user, string $pass): bool {
if (!$pass) {
$this->error = static::ERR_USER_NOT_FOUND;
return false;
}
if (!$this->connect() || !$this->bind($user, $pass)) {
return false;
}
if (!$this->bind($user, $pass)) {
if ($this->bind_type == static::BIND_DNSTRING) {
$this->error = static::ERR_USER_NOT_FOUND;
}
return false;
}
if ($this->bound == static::BIND_ANONYMOUS || $this->bound == static::BIND_CONFIG_CREDENTIALS) {
// No need for user default attributes, only 'dn'.
$users = $this->search($this->cnf['base_dn'], $this->cnf['search_filter'], ['%{user}' => $user], ['dn']);
if ($users['count'] != 1) {
// Multiple users matched criteria.
$this->error = static::ERR_USER_NOT_FOUND;
return false;
}
if (!array_key_exists('dn', $users[0]) || !@ldap_bind($this->ds, $users[0]['dn'], $pass)) {
$this->error = static::ERR_USER_NOT_FOUND;
return false;
}
}
return true;
}
/**
* Get array of user groups. Is not available for bind type BIND_DNSTRING if password is not supplied.
*
* @param array $attributes Array of group attributes to return for every group.
* @param string $user User username value.
* @param string $password User password value, is required only for BIND_DNSTRING.
*
* @return array Array of arrays of matched group.
*/
public function getGroupAttributes(array $attributes, string $user, $password = null): array {
if ($attributes == [] || !$this->connect() || !$this->bind($user, $password)) {
return [];
}
$placeholders = [
'%{user}' => $user,
'%{groupattr}' => $this->cnf['group_member']
];
$results = $this->search($this->cnf['group_basedn'], $this->cnf['group_filter'], $placeholders, $attributes);
$groups = [];
if ($results['count'] == 0) {
return $groups;
}
$attributes = array_flip(array_map('strtolower', $attributes));
for ($j = 0; $j < $results['count']; $j++) {
$result = $results[$j];
$result_attributes = array_intersect_key($result, $attributes);
if (!$result_attributes) {
continue;
}
foreach ($result_attributes as &$value) {
$value = $value[0];
}
unset($value);
$groups[] = $result_attributes;
}
return $groups;
}
/**
* Get user data with specified attributes. Not available for bind type BIND_DNSTRING if password is not supplied.
* Mapped attribute names will be set to lower case.
*
* @param array $attributes Array of LDAP tree attributes names to be returned.
* @param string $user User to search attributes for.
* @param string $password (optional) User password, required only for BIND_DNSTRING.
*
* @return array Associative array of user attributes.
*/
public function getUserAttributes(array $attributes, string $user, $password = null): array {
if ($attributes == [] || !$this->connect() || !$this->bind($user, $password)) {
return [];
}
$placeholders = ['%{user}' => $user];
$results = $this->search($this->cnf['base_dn'], $this->cnf['search_filter'], $placeholders, $attributes);
$user = [];
if ($results['count'] == 0) {
return $user;
}
$results = $results[0];
if ($results['count'] == 0) {
return $user;
}
$group_key = strtolower($this->cnf['group_membership']);
$group_name_key = strtolower($this->cnf['group_name']);
for ($i = 0; $i < $results['count']; $i++) {
$key = $results[$i];
$user[$key] = $results[$i] === $group_key
? $this->getGroupPatternsFromDns($group_name_key, $results[$key])
: $results[$key][0];
}
return $user;
}
/**
* Extract the group pattern from given DN strings.
* For DN string "cn=zabbix-admins,ou=Group,dc=example,dc=org" and the "Group name attribute" set to "cn",
* the string "zabbix-admins" will be stored to the $groups array.
*
* @param string $group_name_key Lower case group name attribute for which to extract value from RDN.
* @param array $group_dns Array of DN strings.
*
* @return array Strings with the extracted groups, if any.
*/
public function getGroupPatternsFromDns(string $group_name_key, array $group_dns): array {
$groups = [];
foreach ($group_dns as $group_dn) {
$rdns = ldap_explode_dn($group_dn, 0);
if (!is_array($rdns)) {
continue;
}
foreach ($rdns as $rdn) {
if (strpos($rdn, '=') === false) {
continue;
}
/*
* For multi-value RDNs $rdn_key will be set to key of first key-value pair, the rest of string as value.
* For example for RDN "cn=John Doe+mail=jdoe@example.com" $rdn_value is "John Doe+mail=jdoe@example.com".
*/
[$rdn_key, $rdn_value] = explode('=', $rdn, 2);
if (strtolower($rdn_key) !== $group_name_key) {
continue;
}
// Convert escaped charcodes, f.e. 'Universit\C4\81te' => 'Universitāte'.
$groups[] = preg_replace_callback('/\\\\([0-9A-F]{2})/i', function (array $match): string {
return chr(hexdec($match[1]));
}, $rdn_value);
}
}
return $groups;
}
/**
* Setter for additional placeholders supported in bind or search query.
*
* @param array $placeholders Associative array where key is placeholder in form %{name}.
*/
public function setQueryPlaceholders(array $placeholders) {
$this->placeholders = $placeholders;
}
/**
* Return user data with medias, groups, roleid and user attributes matched from LDAP user data according
* provisioning options. All attributes are matched in case insensitive way.
*
* @param CProvisioning $provisioning Provisioning class instance.
* @param string $username Username of user to get provisioned data for.
*
* @return array
*/
public function getProvisionedData(CProvisioning $provisioning, string $username): array {
$ldap_groups = [];
$user = [
'medias' => [],
'usrgrps' => [],
'roleid' => 0
];
$config = $provisioning->getIdpConfig();
$user_attributes = $provisioning->getUserIdpAttributes();
$idp_user = $this->getUserAttributes($user_attributes, $username);
$user = $provisioning->getUserAttributes($idp_user, false);
$user['medias'] = $provisioning->getUserMedias($idp_user, false);
if ($config['group_membership'] !== '') {
$group_key = strtolower($config['group_membership']);
if (array_key_exists($group_key, $idp_user) && is_array($idp_user[$group_key])) {
$ldap_groups = $idp_user[$group_key];
}
}
else if ($config['group_filter'] !== '') {
$user_ref_attr = strtolower($config['user_ref_attr']);
if ($user_ref_attr !== '' && array_key_exists($user_ref_attr, $idp_user)) {
$this->setQueryPlaceholders(['%{ref}' => $idp_user[$user_ref_attr]]);
}
$group_attributes = $provisioning->getGroupIdpAttributes();
$ldap_groups = $this->getGroupAttributes($group_attributes, $username);
$ldap_groups = array_column($ldap_groups, strtolower($config['group_name']));
}
$user = array_merge($user, $provisioning->getUserGroupsAndRole($ldap_groups));
return $user;
}
/**
* Setup bind attributes according LDAP configuration.
*/
protected function initBindAttributes() {
$this->bind_type = static::BIND_ANONYMOUS;
if ($this->cnf['bind_dn'] !== '' && $this->cnf['bind_password'] !== '') {
$this->bind_type = static::BIND_CONFIG_CREDENTIALS;
$this->bind_dn = $this->cnf['bind_dn'];
}
elseif ($this->cnf['bind_dn'] !== '' && $this->cnf['search_filter'] !== static::DEFAULT_FILTER_USER) {
$this->bind_type = static::BIND_DNSTRING;
$this->bind_dn = $this->cnf['bind_dn'];
}
elseif (strpos($this->cnf['base_dn'], '%{user}') !== false) {
$this->bind_type = static::BIND_DNSTRING;
$this->bind_dn = $this->cnf['base_dn'];
}
}
/**
* Replaces placeholders found in string with their data.
*
* @param string $filter Filter string where to replace placeholders.
* @param array $placeholders Associative array for replacement in $filter string.
* Placeholders %{attr}, %{host} will be added by default,
* array key should be in form %{placeholder_key_value}.
* @param int escape_context Resulting string usage context:
* LDAP_ESCAPE_FILTER - use result string as filter argument of ldap_search.
* LDAP_ESCAPE_DN - use result string as base dn.
*
* @return string Filter string with replaced placeholders in it.
*/
protected function makeFilter(string $filter, array $placeholders, $escape_context): string {
$replace_pairs = $placeholders + [
'%{attr}' => $this->cnf['search_attribute'],
'%{host}' => $this->cnf['host']
];
foreach ($replace_pairs as &$value) {
$value = ldap_escape($value, '', $escape_context);
}
unset($value);
return strtr($filter, $replace_pairs);
}
/**
* Search for entry in LDAP tree for specified $dn and $filter.
* Requested attributes in resulting array, will be set in lowercase.
*
* @param string $dn DN string value, supports placeholders.
* @param string $filter Filter string, supports placeholders.
* @param array $placeholders Associative array of placeholders for creating base and filter for ldap_search.
* @param array $attributes List of attributes to be returned.
*
* @return array Array of ldap_get_entries.
*/
protected function search(string $dn, string $filter, array $placeholders, array $attributes): array {
$this->error = static::ERR_NONE;
$base = $this->makeFilter($dn, $placeholders, LDAP_ESCAPE_DN);
$filter = $this->makeFilter($filter, $placeholders + $this->placeholders, LDAP_ESCAPE_FILTER);
$resource = @ldap_search($this->ds, $base, $filter, $attributes);
$results = false;
if ($resource !== false) {
$results = @ldap_get_entries($this->ds, $resource);
ldap_free_result($resource);
}
if ($resource === false || $results === false) {
$this->error = static::ERR_QUERY_FAILED;
return ['count' => 0];
}
return $results;
}
}