"LDAP settings",
"page_callback" => "fp_render_form",
"page_arguments" => array("ldap_settings_form", "system_settings"),
"access_arguments" => array("administer_ldap"),
"page_settings" => array(
"page_has_search" => FALSE,
"page_banner_is_link" => TRUE,
"page_hide_report_error" => TRUE,
"menu_links" => array(
0 => array(
"text" => "Back to main menu",
"path" => "admin-tools/admin",
),
),
),
"type" => MENU_TYPE_NORMAL_ITEM,
"tab_parent" => "admin-tools/admin",
);
return $items;
}
/**
 * Declare the permissions this module defines.
 *
 * The only permission is "administer_ldap", which is the one the
 * settings page above requires in its access_arguments.
 *
 * @return array
 *   Permission machine name => array with "title" and "description".
 */
function ldap_perm() {
  $perms = array();

  $perms["administer_ldap"] = array(
    "title" => t("Administer LDAP"),
    "description" => t("Configure LDAP settings."),
  );

  return $perms;
}
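/**
 * Authenticate the user with the ldap server.
 *
 * Binds with the configured search DN, looks the username up under each
 * configured base DN, and then binds again as the user's own DN with the
 * supplied password. The user's entry is only returned when that second
 * bind succeeds.
 *
 * @param string $username
 *   The login name typed by the user. It is untrusted and is escaped
 *   before being placed in the LDAP search filter.
 * @param string $password
 *   The password typed by the user. An empty password is refused before
 *   any bind is attempted: ldap_bind() with an empty password is an
 *   unauthenticated bind, which many servers accept for any DN, so it
 *   must never be mistaken for a successful login.
 *
 * @return array|FALSE
 *   The user's LDAP entry (the first entry from ldap_get_entries()) when
 *   the user bind succeeded; FALSE when the connection, the search bind,
 *   the lookup or the user bind failed.
 */
function ldap_auth_connect($username, $password) {
  $rtn = FALSE;

  // Refuse empty credentials up front (see the docblock for why an empty
  // password is dangerous here).
  if ((string) $username === "" || (string) $password === "") {
    return FALSE;
  }

  // Work out which server to talk to.
  $server = variable_get("ldap_server_ip", "");
  $server2 = variable_get("ldap_server_ip2", "");
  // With a second server configured, pick one of the two at random
  // (simple load balancing).
  if (trim($server2) != "") {
    if (rand(1, 2) == 2) {
      $server = $server2;
    }
  }

  $port = variable_get("ldap_server_port", "389");
  if (in_array("yes", variable_get("ldap_connect_secure", array()))) {
    // This should be a secure connection.
    $server = "ldaps://" . $server;
  }

  $ldapconn = ldap_connect($server, $port);
  if (!$ldapconn) {
    fp_add_message(t("Could not connect to ldap server at %server. Please
consult with your system administrator.", array("%server" => "$server:$port")));
    return FALSE;
  }

  // Bind with the search DN so we can look the user up.
  $search_dn = variable_get("ldap_search_dn", "");
  $search_password = variable_get("ldap_search_password", "");
  if (!ldap_bind($ldapconn, $search_dn, $search_password)) {
    watchdog("ldap", "Could not bind to search DN, using the search DN and password.");
    fp_add_message(t("Could not authenticate to LDAP server for a non-anonymous search. Please inform your
technical support, as this may indicate a configuration error."), "error");
    // Release the handle on this early exit as well.
    ldap_close($ldapconn);
    return FALSE;
  }

  $uid_attr = variable_get("ldap_uid_attr", "uid");
  // The username comes from the login form; escape it so characters such as
  // "*", "(" and ")" cannot change the meaning of the filter.
  $filter = "$uid_attr=" . ldap_escape($username, "", LDAP_ESCAPE_FILTER);
  // Name of the attribute holding the user's full DN (configured on the settings form).
  $user_dn_field = variable_get("ldap_user_dn_field_name", "dn");

  $lines = explode("\n", variable_get("ldap_base_dns", ""));
  foreach ($lines as $base_dn) {
    // Try out all of our base_dns; the textarea commonly ends with a blank line.
    $base_dn = trim($base_dn);
    if ($base_dn === "") {
      continue;
    }

    $r = ldap_search($ldapconn, $base_dn, $filter);
    if (!$r) {
      continue;
    }

    $result = ldap_get_entries($ldapconn, $r);
    if (!is_array($result) || intval($result["count"]) < 1) {
      continue;
    }
    $entry = $result[0];

    // We need this individual user's DN so we can bind as them.
    // NOTE(review): assumes ldap_get_field_value_from_result() returns the
    // attribute as a string - confirm against its definition.
    $user_base_dn = ldap_get_field_value_from_result($user_dn_field, $entry);
    if (!is_string($user_base_dn) || trim($user_base_dn) === "") {
      // Binding with an empty DN would be an anonymous bind, not a login.
      watchdog("ldap", "User entry found but its DN field is empty; cannot authenticate.");
      continue;
    }

    // Bind as the user with the supplied password. Bind failures emit a
    // warning, which is expected for a wrong password, so it is suppressed.
    if (@ldap_bind($ldapconn, $user_base_dn, $password)) {
      // Only a successful user bind counts as authentication: the entry is
      // stored here, not when it was merely found by the search.
      $rtn = $entry;
      break;
    }
  }

  // Tidy up...
  ldap_close($ldapconn);

  // If we were never able to authenticate, $rtn is still FALSE.
  return $rtn;
}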
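/**
 * Previous implementation of ldap_auth_connect().
 *
 * Nothing on this page calls it. It binds directly as
 * "<uid_attr>=<username>,<base dn>" for each configured base DN and, once a
 * bind succeeds, re-binds with the search DN to fetch the user's entry.
 *
 * @deprecated Use ldap_auth_connect() instead.
 *
 * @param string $username
 *   Untrusted login name; escaped separately for the DN and for the filter.
 * @param string $password
 *   Untrusted password; an empty value is refused because it would turn the
 *   user bind into an unauthenticated bind.
 *
 * @return array|FALSE
 *   The user's LDAP entry on success, FALSE otherwise.
 */
function z__old__ldap_auth_connect($username, $password) {
  $rtn = FALSE;

  // An empty password makes ldap_bind() an unauthenticated bind, which many
  // servers accept for any DN; never treat that as a login.
  if ((string) $username === "" || (string) $password === "") {
    return FALSE;
  }

  $server = variable_get("ldap_server_ip", "");
  $server2 = variable_get("ldap_server_ip2", "");
  // With a second server configured, pick one of the two at random
  // (simple load balancing).
  if (trim($server2) != "") {
    if (rand(1, 2) == 2) {
      $server = $server2;
    }
  }

  $port = variable_get("ldap_server_port", "389");
  if (in_array("yes", variable_get("ldap_connect_secure", array()))) {
    // This should be a secure connection.
    $server = "ldaps://" . $server;
  }

  $ldapconn = ldap_connect($server, $port);
  if (!$ldapconn) {
    fp_add_message(t("Could not connect to ldap server at %server. Please
consult with your system administrator.", array("%server" => "$server:$port")));
    // Return FALSE (not NULL) so the documented contract holds.
    return FALSE;
  }

  $uid_attr = variable_get("ldap_uid_attr", "uid");
  // The DN and the filter have different special characters, so the
  // username is escaped once for each context.
  $dn_username = ldap_escape($username, "", LDAP_ESCAPE_DN);
  $filter = "$uid_attr=" . ldap_escape($username, "", LDAP_ESCAPE_FILTER);

  // Attempt to authenticate against each base DN in turn.
  $lines = explode("\n", variable_get("ldap_base_dns", ""));
  $bind_successful = FALSE;
  $base_dn = "";
  foreach ($lines as $candidate) {
    $candidate = trim($candidate);
    if ($candidate === "") {
      continue;
    }
    // Keep the base DN of the successful bind for the search below.
    $base_dn = $candidate;
    // A failed bind emits a warning, which is expected for every base DN
    // that does not hold this user, so it is suppressed.
    $bind_successful = @ldap_bind($ldapconn, "$uid_attr=$dn_username,$base_dn", $password);
    if ($bind_successful) {
      break;
    }
  }

  // A successful bind means the username and password were valid. Now bind
  // with the search DN to read more information about the user.
  if ($bind_successful) {
    $search_dn = variable_get("ldap_search_dn", "");
    $search_password = variable_get("ldap_search_password", "");
    if (!ldap_bind($ldapconn, $search_dn, $search_password)) {
      watchdog("ldap", "Could not bind to search DN, using the search DN and password.");
    }

    $r = ldap_search($ldapconn, $base_dn, $filter);
    if ($r) {
      $result = ldap_get_entries($ldapconn, $r);
      // An empty result set has no [0] element, so check the count first.
      if (is_array($result) && intval($result["count"]) > 0) {
        $rtn = $result[0];
      }
    }
  }

  ldap_close($ldapconn);
  return $rtn;
}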
/**
* This is the config form for the ldap module.
*
*/
function ldap_settings_form() {
$form = array();
fp_add_css(fp_get_module_path("ldap") . "/css/ldap.css");
$form["ldap_server_ip"] = array(
"label" => t("Primary LDAP server name or IP address:"),
"type" => "text",
"value" => variable_get("ldap_server_ip", ""),
"description" => t("Ex: 192.168.5.73 or ldap.example.com"),
);
$form["ldap_server_ip2"] = array(
"label" => t("(Optional) Secondary LDAP server name or IP address:"),
"type" => "text",
"value" => variable_get("ldap_server_ip2", ""),
"description" => t("This is for the purposes of load balancing ONLY! If you have enter a second
LDAP server address, this module will randomly select between your two
addresses when a user logs on. If you do not have a second LDAP
server, or are unsure what to do, then LEAVE THIS FIELD BLANK."),
);
$form["ldap_server_port"] = array(
"label" => t("LDAP server port:"),
"type" => "text",
"size" => 10,
"value" => variable_get("ldap_server_port", "389"),
"description" => t("Ex: 389"),
);
$form["ldap_connect_secure"] = array(
"label" => t("Security:"),
"type" => "checkboxes",
"options" => array("yes" => t("Connect to LDAP server securely")),
"value" => variable_get("ldap_connect_secure", array()),
"description" => t("If checked, the LDAP connection will
be conducted securely, using the ldaps:// protocol.
If your LDAP server does not use a security certificate,
or if you have problems, leave this unchecked."),
);
$form["ldap_search_dn"] = array(
"label" => t("DN for non-anonymous search:"),
"type" => "text",
"value" => variable_get("ldap_search_dn", ""),
"description" => t("Ex: cn=ldapFPuser,ou=profile,dc=example,dc=edu"),
);
$form["ldap_search_password"] = array(
"label" => t("Password for non-anonymous search:"),
"type" => "password",
"value" => variable_get("ldap_search_password", ""),
);
$form["ldap_base_dns"] = array(
"label" => t("Base DNs for LDAP user entries:"),
"type" => "textarea",
"value" => variable_get("ldap_base_dns", ""),
"description" => t("Enter one DN per line.
Ex: ou=Students,ou=People,dc=example,dc=edu
ou=Employees,ou=People,dc=example,dc=edu"),
);
$form["ldap_uid_attr"] = array(
"label" => t("Username attribute:"),
"type" => "text",
"size" => 20,
"value" => variable_get("ldap_uid_attr", "uid"),
"description" => t("Ex: uid or cn, etc.") . "
" . t("Note that your field names may need to be all-lowercase, regardless
of how it is represented in LDAP.") . "",
);
$form["ldap_user_dn_field"] = array(
"label" => t("User base DN field name in LDAP entry:"),
"type" => "text",
"size" => 20,
"value" => variable_get("ldap_user_dn_field_name", "dn"),
"description" => t("Ex: dn. This is the field name, returned by LDAP, which contains the user's full DN. In most cases,
it is simply dn, though it might be name or something similar, depending on your set up. If you
are not sure what to do, leave this as dn.") . "
" . t("Note that your field names may need to be all-lowercase, regardless
of how it is represented in LDAP.") . "",
);
$form["ldap_no_cwid_msg"] = array(
"label" => t("Message to display if the CWID cannot be found:"),
"type" => "textarea",
"rows" => 2,
"value" => variable_get("ldap_no_cwid_msg", t("The user's CWID cannot be found in the LDAP result. Please consult the system administrator.")),
"description" => t("Ex: This user's CWID cannot be found in the LDAP result. Please consult the system administrator."),
);
///////////////////
$form["ldap_cwid_field"] = array(
"label" => t("User CWID field:"),
"type" => "text",
"size" => 30,
"prefix" => "
" . t("How to determine if the user is a student:") . "
" . t("If field name:") . " ", ); $form["ldap_is_student_op"] = array( "type" => "select", "options" => $op_options, "no_please_select" => TRUE, "value" => variable_get("ldap_is_student_op", array()), ); $form["ldap_is_student_op_value"] = array( "type" => "text", "size" => 15, "value" => variable_get("ldap_is_student_op_value", "student"), "prefix" => " " . t("value:"), "description" => t("This will determine if the user logging in should have their is_student flag set in the database." . t("How to determine if the user is a faculty:") . "
" . t("If field name:") . " ", ); $form["ldap_is_faculty_op"] = array( "type" => "select", "options" => $op_options, "no_please_select" => TRUE, "value" => variable_get("ldap_is_faculty_op", array()), ); $form["ldap_is_faculty_op_value"] = array( "type" => "text", "size" => 15, "value" => variable_get("ldap_is_faculty_op_value", "faculty"), "prefix" => " " . t("value:"), "description" => t("This will determine if the user logging in should have their is_faculty flag set in the database.