<?php /** * @package Joomla.Plugin * @subpackage Authentication.ldap * * @copyright (C) 2006 Open Source Matters, Inc. <https://www.joomla.org> * @license GNU General Public License version 2 or later; see LICENSE.txt * @phpcs:disable PSR1.Classes.ClassDeclaration.MissingNamespace */ use Joomla\CMS\Authentication\Authentication; use Joomla\CMS\Language\Text; use Joomla\CMS\Plugin\CMSPlugin; use Symfony\Component\Ldap\Entry; use Symfony\Component\Ldap\Exception\ConnectionException; use Symfony\Component\Ldap\Exception\LdapException; use Symfony\Component\Ldap\Ldap; // phpcs:disable PSR1.Files.SideEffects \defined('_JEXEC') or die; // phpcs:enable PSR1.Files.SideEffects /** * LDAP Authentication Plugin * * @since 1.5 */ class PlgAuthenticationLdap extends CMSPlugin { /** * This method should handle any authentication and report back to the subject * * @param array $credentials Array holding the user credentials * @param array $options Array of extra options * @param object &$response Authentication response object * * @return boolean * * @since 1.5 */ public function onUserAuthenticate($credentials, $options, &$response) { // If LDAP not correctly configured then bail early. if (!$this->params->get('host')) { return false; } // For JLog $response->type = 'LDAP'; // Strip null bytes from the password $credentials['password'] = str_replace(chr(0), '', $credentials['password']); // LDAP does not like Blank passwords (tries to Anon Bind which is bad) if (empty($credentials['password'])) { $response->status = Authentication::STATUS_FAILURE; $response->error_message = Text::_('JGLOBAL_AUTH_EMPTY_PASS_NOT_ALLOWED'); return false; } // Load plugin params info $ldap_email = $this->params->get('ldap_email'); $ldap_fullname = $this->params->get('ldap_fullname'); $ldap_uid = $this->params->get('ldap_uid'); $auth_method = $this->params->get('auth_method'); $ldap = Ldap::create( 'ext_ldap', [ 'host' => $this->params->get('host'), 'port' => (int) $this->params->get('port'), 'version' => $this->params->get('use_ldapV3', '0') == '1' ? 3 : 2, 'referrals' => (bool) $this->params->get('no_referrals', '0'), 'encryption' => $this->params->get('negotiate_tls', '0') == '1' ? 'tls' : 'none', ] ); switch ($auth_method) { case 'search': try { $dn = str_replace('[username]', $this->params->get('username', ''), $this->params->get('users_dn', '')); $ldap->bind($dn, $this->params->get('password', '')); } catch (ConnectionException | LdapException $exception) { $response->status = Authentication::STATUS_FAILURE; $response->error_message = Text::_('JGLOBAL_AUTH_NOT_CONNECT'); return; } // Search for users DN try { $entry = $this->searchByString( str_replace( '[search]', str_replace(';', '\3b', $ldap->escape($credentials['username'], '', LDAP_ESCAPE_FILTER)), $this->params->get('search_string') ), $ldap ); } catch (LdapException $exception) { $response->status = Authentication::STATUS_FAILURE; $response->error_message = Text::_('JGLOBAL_AUTH_UNKNOWN_ACCESS_DENIED'); return; } if (!$entry) { $response->status = Authentication::STATUS_FAILURE; $response->error_message = Text::_('JGLOBAL_AUTH_NOT_CONNECT'); return; } try { // Verify Users Credentials $ldap->bind($entry->getDn(), $credentials['password']); } catch (ConnectionException $exception) { $response->status = Authentication::STATUS_FAILURE; $response->error_message = Text::_('JGLOBAL_AUTH_INVALID_PASS'); return; } break; case 'bind': // We just accept the result here try { $ldap->bind($ldap->escape($credentials['username'], '', LDAP_ESCAPE_DN), $credentials['password']); } catch (ConnectionException | LdapException $exception) { $response->status = Authentication::STATUS_FAILURE; $response->error_message = Text::_('JGLOBAL_AUTH_INVALID_PASS'); return; } try { $entry = $this->searchByString( str_replace( '[search]', str_replace(';', '\3b', $ldap->escape($credentials['username'], '', LDAP_ESCAPE_FILTER)), $this->params->get('search_string') ), $ldap ); } catch (LdapException $exception) { $response->status = Authentication::STATUS_FAILURE; $response->error_message = Text::_('JGLOBAL_AUTH_UNKNOWN_ACCESS_DENIED'); return; } break; default: // Unsupported configuration $response->status = Authentication::STATUS_FAILURE; $response->error_message = Text::_('JGLOBAL_AUTH_UNKNOWN_ACCESS_DENIED'); return; } // Grab some details from LDAP and return them $response->username = $entry->getAttribute($ldap_uid)[0] ?? false; $response->email = $entry->getAttribute($ldap_email)[0] ?? false; $response->fullname = $entry->getAttribute($ldap_fullname)[0] ?? trim($entry->getAttribute($ldap_fullname)[0]) ?: $credentials['username']; // Were good - So say so. $response->status = Authentication::STATUS_SUCCESS; $response->error_message = ''; // The connection is no longer needed, destroy the object to close it unset($ldap); } /** * Shortcut method to perform a LDAP search based on a semicolon separated string * * Note that this method requires that semicolons which should be part of the search term to be escaped * to correctly split the search string into separate lookups * * @param string $search search string of search values * @param Ldap $ldap The LDAP client * * @return Entry|null The search result entry if a matching record was found * * @since 3.8.2 */ private function searchByString($search, Ldap $ldap) { $dn = $this->params->get('base_dn'); // We return the first entry from the first search result which contains data foreach (explode(';', $search) as $key => $result) { $results = $ldap->query($dn, '(' . str_replace('\3b', ';', $result) . ')')->execute(); if (count($results)) { return $results[0]; } } } }
