~fkooman/vpn-user-portal

ref: 2.3.10 vpn-user-portal/src/LdapClient.php -rw-r--r-- 3.3 KiB
e0bd9cc0François Kooman prepare for release 1 year, 18 days ago
                                                                                
<?php

/*
 * eduVPN - End-user friendly VPN.
 *
 * Copyright: 2016-2019, The Commons Conservancy eduVPN Programme
 * SPDX-License-Identifier: AGPL-3.0+
 */

namespace LC\Portal;

use LC\Portal\Exception\LdapClientException;
use RuntimeException;

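/**
 * Thin wrapper around PHP's "ldap" extension that turns failure return values
 * into exceptions.
 *
 * Security notes for callers:
 * - This class never calls ldap_start_tls(); whether bind credentials travel
 *   encrypted depends entirely on the URI handed to the constructor (e.g.
 *   "ldaps://"). With a plain "ldap://" URI the bind DN and password are sent
 *   in the clear.
 * - DNs and search filters are passed to the server verbatim. Any user input
 *   placed in them MUST first go through escapeDn() or escapeFilter(), using
 *   the helper that matches the context.
 */
class LdapClient
{
    /** @var resource */
    private $ldapResource;

    /**
     * Prepare an LDAP handle for the given server URI.
     *
     * @param string $ldapUri
     *
     * @throws RuntimeException    when the "ldap" PHP extension is not loaded
     * @throws LdapClientException when the URI is rejected or an option cannot be set
     */
    public function __construct($ldapUri)
    {
        if (false === \extension_loaded('ldap')) {
            throw new RuntimeException('"ldap" PHP extension not available');
        }
        $this->ldapResource = ldap_connect($ldapUri);
        if (false === $this->ldapResource) {
            // only with very old OpenLDAP will it ever return false...
            throw new LdapClientException(sprintf('unacceptable LDAP URI "%s"', $ldapUri));
        }
        if (false === ldap_set_option($this->ldapResource, LDAP_OPT_PROTOCOL_VERSION, 3)) {
            throw new LdapClientException('unable to set LDAP option');
        }
        // do not let the library follow referrals handed out by the server
        if (false === ldap_set_option($this->ldapResource, LDAP_OPT_REFERRALS, 0)) {
            throw new LdapClientException('unable to set LDAP option');
        }
    }

    /**
     * Bind to an LDAP server.
     *
     * Calling this without arguments performs an anonymous bind. A bind that
     * names a DN but carries no password is refused before it reaches the
     * server: LDAP treats that combination as an "unauthenticated bind"
     * (RFC 4513, section 5.1.2), which a server may accept as successful
     * without verifying anything. When bind() is used to check a user's
     * credentials, that would let an empty password pass as a valid login.
     *
     * @param string|null $bindUser you MUST use LdapClient::escapeDn on any user input used to construct the DN!
     * @param string|null $bindPass
     *
     * @throws LdapClientException when the bind is refused locally or fails on the server
     *
     * @return void
     */
    public function bind($bindUser = null, $bindPass = null)
    {
        $hasBindUser = null !== $bindUser && '' !== $bindUser;
        $hasBindPass = null !== $bindPass && '' !== $bindPass;
        if ($hasBindUser && !$hasBindPass) {
            throw new LdapClientException('LDAP error: bind with a DN and an empty password is not allowed');
        }

        if (false === ldap_bind($this->ldapResource, $bindUser, $bindPass)) {
            throw new LdapClientException(sprintf('LDAP error: (%d) %s', ldap_errno($this->ldapResource), ldap_error($this->ldapResource)));
        }
    }

    /**
     * Escape a value for use inside a distinguished name.
     *
     * Not interchangeable with escapeFilter(): DN and filter contexts have
     * different special characters.
     *
     * @param string $str
     *
     * @return string
     */
    public static function escapeDn($str)
    {
        // ldap_escape in PHP >= 5.6 (or symfony/polyfill-php56)
        return ldap_escape($str, '', LDAP_ESCAPE_DN);
    }

    /**
     * Escape a value for use inside a search filter.
     *
     * Not interchangeable with escapeDn(): DN and filter contexts have
     * different special characters.
     *
     * @param string $str
     *
     * @return string
     */
    public static function escapeFilter($str)
    {
        // ldap_escape in PHP >= 5.6 (or symfony/polyfill-php56)
        return ldap_escape($str, '', LDAP_ESCAPE_FILTER);
    }

    /**
     * Run a search below $baseDn and return all matching entries.
     *
     * Neither $baseDn nor $searchFilter is escaped here; user input placed in
     * them MUST have been passed through escapeDn() / escapeFilter() by the
     * caller.
     *
     * @param string        $baseDn
     * @param string        $searchFilter
     * @param array<string> $attributeList attributes to request, empty for the server default
     *
     * @throws LdapClientException when the search or the retrieval of its entries fails
     *
     * @return array the entries in the format produced by ldap_get_entries()
     */
    public function search($baseDn, $searchFilter, array $attributeList = [])
    {
        $searchResource = ldap_search(
            $this->ldapResource,    // link_identifier
            $baseDn,                // base_dn
            $searchFilter,          // filter
            $attributeList,         // attributes (dn is always returned...)
            0,                      // attrsonly
            0,                      // sizelimit (0: no client-side limit requested)
            10                      // timelimit (seconds)
        );
        if (false === $searchResource) {
            throw new LdapClientException(sprintf('LDAP error: (%d) %s', ldap_errno($this->ldapResource), ldap_error($this->ldapResource)));
        }

        $ldapEntries = ldap_get_entries($this->ldapResource, $searchResource);
        if (false === $ldapEntries) {
            throw new LdapClientException(sprintf('LDAP error: (%d) %s', ldap_errno($this->ldapResource), ldap_error($this->ldapResource)));
        }

        return $ldapEntries;
    }
}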