This abstract class provides the basic variables and methods for LDAP datastores

package phpLDAPadmin
subpackage DataStore

 Methods

Returns an array of MatchingRule objects for the specified server.

MatchingRules($method, $dn) 

The key of each entry is the OID of the matching rule.

Parameters

$method

$dn

Gets an associative array of AttributeType objects for the specified server.

SchemaAttributes($method, string $dn) : array

Each array entry's key is the name of the attributeType in lower-case and the value is an AttributeType object.

Parameters

$method

$dn

string

(optional) It is easier to fetch schema if a DN is provided which defines the subschemaSubEntry attribute (all entries should).

Returns

array

An array of AttributeType objects.

Gets an associative array of ObjectClass objects for the specified server.

SchemaObjectClasses($method, string $dn) : array

Each array entry's key is the name of the objectClass in lower-case and the value is an ObjectClass object.

see \global\ObjectClass
see \global\getSchemaObjectClass

Parameters

$method

$dn

string

(optional) It is easier to fetch schema if a DN is provided which defines the subschemaSubEntry attribute (all entries should).

Returns

array

An array of ObjectClass objects.

Returns an array of Syntax objects that this LDAP server uses mapped to their descriptions.

SchemaSyntaxes($method, $dn) 

The key of each entry is the OID of the Syntax.

Parameters

$method

$dn

__construct()

__construct($index) 

Parameters

$index

Gets whether an entry exists based on its DN.

dnExists(string $dn, string $method) : boolean

If the entry exists, returns true. Otherwise returns false.

Parameters

$dn

string

The DN of the entry of interest.

$method

string

Which connection method resource to use

Returns

boolean

Return the authentication type for this object

getAuthType() 
Inherited

inherited_from \DS::getAuthType()

Gets the root DN of the specified LDAPServer, or null if it can't find it (i.e., the server won't give it to us, or it isn't specified in the configuration file).

getBaseDN(string $method) : array

Tested with OpenLDAP 2.0, Netscape iPlanet, and Novell eDirectory 8.7 (nldap.com). Please report any and all bugs!

Please note: On FC systems, it seems that php_ldap uses /etc/openldap/ldap.conf in the search base if it is blank - so edit that file and comment out the BASE line.

todo Sort the entries, so that they are in the correct DN order.

Parameters

$method

string

Which connection method resource to use

Returns

array

dn|null The root DN of the server on success (string) or null on error.

Given a DN string, this returns the parent container portion of the string.

getContainer(string $dn) : string

For example, given 'cn=Manager,dc=example,dc=com', this function returns 'dc=example,dc=com'.

Parameters

$dn

string

The DN whose container string to return.

Returns

string

The container
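An added example, not phpLDAPadmin's own implementation: a DN value may contain an escaped comma, so splitting on every ',' returns the wrong container. The function names split_dn_rdns() and parent_container() are hypothetical, the sample DNs are constructed, and only backslash escaping is handled (the legacy quoted-value form is not).

```php
<?php
// Added illustration; not phpLDAPadmin code. Function names are hypothetical.

/** Split a DN into RDNs on unescaped commas (backslash escaping only). */
function split_dn_rdns(string $dn): array
{
    $rdns = [];
    $current = '';
    $len = strlen($dn);

    for ($i = 0; $i < $len; $i++) {
        $ch = $dn[$i];
        if ($ch === '\\' && $i + 1 < $len) {
            // Keep the escape pair intact so the RDN can be reused as-is.
            $current .= $ch . $dn[++$i];
        } elseif ($ch === ',') {
            // Strip only leading spaces; a trailing space may be escaped data.
            $rdns[] = ltrim($current, ' ');
            $current = '';
        } else {
            $current .= $ch;
        }
    }
    if ($dn !== '') {
        $rdns[] = ltrim($current, ' ');
    }
    return $rdns;
}

/** Return the parent container of a DN ('' for a single-RDN or empty DN). */
function parent_container(string $dn): string
{
    $rdns = split_dn_rdns($dn);
    array_shift($rdns); // drop the leaf RDN
    return implode(',', $rdns);
}

// Constructed sample DNs; the second has an escaped comma in the cn value.
$samples = [
    'cn=Manager,dc=example,dc=com',
    'cn=Smith\\, John,ou=People,dc=example,dc=com',
];

foreach ($samples as $dn) {
    // Naive approach: treat every comma as an RDN separator.
    $naive = implode(',', array_slice(explode(',', $dn), 1));
    printf("%s\n  naive:        %s\n  escape-aware: %s\n", $dn, $naive, parent_container($dn));
}
```

For the second DN the naive split leaves part of the cn value at the front of the result, while the escape-aware version returns the ou=People container.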

Gets a list of child entries for an entry.

getContainerContents(string $dn, string $method, int $size_limit, string $filter, \constant $deref) : array

Given a DN, this function fetches the list of DNs of child entries one level beneath the parent. For example, for the following tree:

dc=example,dc=com
    ou=People
        cn=Dave
        cn=Fred
        cn=Joe
        ou=More People
            cn=Mark
            cn=Bob

Calling

getContainerContents("ou=people,dc=example,dc=com")

would return the following list:

cn=Dave
cn=Fred
cn=Joe
ou=More People

Parameters

$dn

string

The DN of the entry whose children to return.

$method

string

Which connection method resource to use

$size_limit

int

(optional) The maximum number of entries to return. If unspecified, no limit is applied to the number of entries returned.

$filter

string

(optional) An LDAP filter to apply when fetching children, example: "(objectClass=inetOrgPerson)"

$deref

\constant

(optional) The LDAP deref setting to use in the query

Returns

array

An array of DN strings listing the immediate children of the specified entry.
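An added example, not phpLDAPadmin's own code: when part of the $filter string comes from user input, the value is escaped per RFC 4515 before it is placed in the filter, so characters such as '(' and '*' are matched literally. The helper names escape_filter_value() and child_filter() are hypothetical and the input is constructed; with the PHP ldap extension loaded, ldap_escape($value, '', LDAP_ESCAPE_FILTER) is the built-in equivalent.

```php
<?php
// Added illustration; not phpLDAPadmin code. Function names are hypothetical.

/** Escape a value for use inside an LDAP search filter (RFC 4515). */
function escape_filter_value(string $value): string
{
    // strtr() with an array replaces in a single pass, so the backslashes
    // it inserts are never escaped a second time.
    return strtr($value, [
        '\\' => '\5c',
        '*'  => '\2a',
        '('  => '\28',
        ')'  => '\29',
        "\0" => '\00',
    ]);
}

/** Build an equality filter restricted to one objectClass. */
function child_filter(string $objectClass, string $attr, string $value): string
{
    // objectClass and attribute names are identifiers, not values: accept
    // only letters, digits and hyphens (an assumption made for this example)
    // rather than trying to escape them.
    foreach ([$objectClass, $attr] as $name) {
        if (!preg_match('/^[A-Za-z][A-Za-z0-9-]*$/', $name)) {
            throw new InvalidArgumentException("invalid name: $name");
        }
    }
    return sprintf(
        '(&(objectClass=%s)(%s=%s))',
        $objectClass,
        $attr,
        escape_filter_value($value)
    );
}

// Constructed input containing filter metacharacters.
$value = 'Smith (Contractor)*';

// Unescaped concatenation: the parentheses and '*' become filter syntax.
echo "(&(objectClass=inetOrgPerson)(cn=$value))", "\n";

// Escaped: the same characters are matched as literal data.
echo child_filter('inetOrgPerson', 'cn', $value), "\n";
```

The string returned by child_filter() is what would be passed as the $filter argument.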

Given a DN string and a path-like syntax, this returns the parent container portion of the string.

getContainerPath(string $dn, string $path) : string

Parameters

$dn

string

The DN whose container string to return.

$path

string

Either '/', '.' or something like '../../'

Returns

string

The container

Given a DN string, this returns the top container portion of the string.

getContainerTop(string $dn) : string

Parameters

$dn

string

The DN whose container string to return.

Returns

string

The container

Much like getDNAttrValues(), but only returns the values for one attribute of an object.

getDNAttrValue(string $dn, string $attr, string $method, \constant $deref) : array

Example calls:

print_r(getDNAttrValue('cn=Bob,ou=people,dc=example,dc=com','sn'));
Array (
    [0] => Smith
)

print_r(getDNAttrValue('cn=Bob,ou=people,dc=example,dc=com','objectClass'));
Array (
    [0] => top
    [1] => person
)

see \global\getDNAttrValues
todo Caching these values may be problematic with multiple calls and different deref values.

Parameters

$dn

string

The distinguished name (DN) of the entry whose attributes/values to fetch.

$attr

string

The attribute whose value(s) to return (e.g., "objectClass", "cn", "userPassword")

$method

string

Which connection method resource to use

$deref

\constant

For aliases and referrals, this parameter specifies whether to follow references to the referenced DN or to fetch the attributes for the referencing DN. See http://php.net/ldap_search for the 4 valid options.

Returns

array

Gets the attributes/values of an entry.

getDNAttrValues(string $dn, string $method, \constant $deref, $attrs) : array

Returns an associative array whose keys are attribute names and whose values are arrays of values for said attribute.

Optionally, callers may specify true for the parameter $lower_case_attr_names to force all keys in the associative array (attribute names) to be lower case.

Example of its usage:

print_r(getDNAttrValues('cn=Bob,ou=pepole,dc=example,dc=com'));
Array (
    [objectClass] => Array (
        [0] => person
        [1] => top
    )
    [cn] => Array (
        [0] => Bob
    )
    [sn] => Array (
        [0] => Jones
    )
    [dn] => Array (
        [0] => cn=Bob,ou=pepole,dc=example,dc=com
    )
)

see \global\getDNSysAttrs
see \global\getDNAttrValue

Parameters

$dn

string

The distinguished name (DN) of the entry whose attributes/values to fetch.

$method

string

Which connection method resource to use

$deref

\constant

For aliases and referrals, this parameter specifies whether to follow references to the referenced DN or to fetch the attributes for the referencing DN. See http://php.net/ldap_search for the 4 valid options.

$attrs

Returns

array

Get the last error string

getErrorMessage(string $method) 

Parameters

$method

string

Which connection method resource to use

Get the last error number

getErrorNum(string $method) 

Parameters

$method

string

Which connection method resource to use

getIndex()

getIndex() 
Inherited

inherited_from \DS::getIndex()

Get the login name of the user logged into this datastore's connection method. If this returns null, we are not logged in.

getLogin($method) 
Inherited

If this returns '', we are logged in anonymously.

inherited_from \DS::getLogin()

Parameters

$method

Get a user ID

getLoginID(string $user, $method) 

Parameters

$user

string

Which connection method resource to use

$method

Get the name of this datastore

getName() 
Inherited

inherited_from \DS::getName()

getRootDSE()

getRootDSE($method) 

Parameters

$method

Gets a single AttributeType object specified by name.

getSchemaAttribute($attr_name, $method, string $dn) : \AttributeType

see \global\AttributeType
see \global\SchemaAttributes

Parameters

$attr_name

$method

$dn

string

(optional) It is easier to fetch schema if a DN is provided which defines the subschemaSubEntry attribute (all entries should).

Returns

\AttributeType

The specified AttributeType object or false on error.

Gets a single ObjectClass object specified by name.

getSchemaObjectClass(string $oclass_name, $method, string $dn) : \ObjectClass

see \global\ObjectClass
see \global\SchemaObjectClasses

Parameters

$oclass_name

string

The name of the objectClass to fetch.

$method

$dn

string

(optional) It is easier to fetch schema if a DN is provided which defines the subschemaSubEntry attribute (all entries should).

Returns

\ObjectClass

The specified ObjectClass object or false on error.

Return a configuration value

getValue($key, $setting, $fatal) 
Inherited

inherited_from \DS::getValue()

Parameters

$key

$setting

$fatal

Return the time left in seconds until this connection times out.

inactivityTime() 
Inherited

If there is no timeout, this function will return null.

inherited_from \DS::inactivityTime()

Return if anonymous bind is allowed in the configuration

isAnonBindAllowed() 

Given an attribute name and server ID number, this function returns whether the attribute may contain binary data.

isAttrBinary(string $attr_name) : boolean

This is useful for developers who wish to display the contents of an arbitrary attribute but don't want to dump binary data on the page.

see \global\isJpegPhoto

Parameters

$attr_name

string

The name of the attribute to test.

Returns

boolean

Given an attribute name and server ID number, this function returns whether the attribute contains boolean data.

isAttrBoolean(string $attr_name) : boolean

This is useful for developers who wish to display the contents of a boolean attribute with a drop-down.

Parameters

$attr_name

string

The name of the attribute to test.

Returns

boolean

Returns true if the attribute specified is required to take as input a DN.

isDNAttr(string $attr_name, $method) : boolean

Some examples include 'distinguishedName', 'member' and 'uniqueMember'.

Parameters

$attr_name

string

The name of the attribute of interest (case insensitive)

$method

Returns

boolean

isDefaultKey()

isDefaultKey($key) 
Inherited

inherited_from \DS::isDefaultKey()

Parameters

$key

isDefaultSetting()

isDefaultSetting($key, $setting) 
Inherited

inherited_from \DS::isDefaultSetting()

Parameters

$key

$setting

This function determines if the specified attribute is contained in the force_may list as configured in config.php.

isForceMay($attr_name) : boolean

Parameters

$attr_name

Returns

boolean

True if the specified attribute is in the $force_may list and false otherwise.

Used to determine if the specified attribute is indeed a jpegPhoto.

isJpegPhoto(string $attr_name) : boolean

If the specified attribute is one that houses jpeg data, true is returned. Otherwise this function returns false.

see \global\draw_jpeg_photo

Parameters

$attr_name

string

The name of the attribute to test.

Returns

boolean

Return if this datastore's connection method has been logged into

isLoggedIn($method) 
Inherited

inherited_from \DS::isLoggedIn()

Parameters

$method

isReadOnly()

isReadOnly() 
Inherited

inherited_from \DS::isReadOnly()

This method should be overridden in application specific ds files

isSessionValid() 
Inherited

inherited_from \DS::isSessionValid()

Functions that return the condition of the datasource

isVisible() 
Inherited

inherited_from \DS::isVisible()

Logout of this datastore's connection method

logout($method) 
Inherited

inherited_from \DS::logout()

Parameters

$method

Modify attributes of a DN

modify($dn, $attrs, $method) 

Parameters

$dn

$attrs

$method

Perform a query to the Database

query(string $query, string $method, string $index, boolean $debug) : array | null

Parameters

$query

string

Query to perform:
$query['base']
$query['filter']
$query['scope']
$query['attrs'] = array();
$query['deref']

$method

string

Which connection method resource to use

$index

string

Index items according to this key

$debug

boolean

Enable debugging output

Returns

array | null

Results of query.

Functions that set and verify object configuration details

setDefaults($defaults) 
Inherited

inherited_from \DS::setDefaults()

Parameters

$defaults

Set a configuration value

setValue($key, $setting, $value) 
Inherited

inherited_from \DS::setValue()

Parameters

$key

$setting

$value

Return the untested config items

untested() 
Inherited

inherited_from \DS::untested()

This function will test if a user is a member of a group.

userIsMember(string $user, \dn $group) : bool

Inputs:

Parameters

$user

string

membership value that is being checked

$group

\dn

DN to see if user is a member

Returns

bool

true|false

Connect and Bind to the Database

connect(string $method, $debug, $new) : resource | null

Parameters

$method

string

Which connection method resource to use

$debug

$new

Returns

resource | null

Connection resource if successful, null if not.

Parse a DN and escape any special characters

escapeDN($dn) 

Parameters

$dn

Work out which connection method to use.

getMethod(int $method) : string
Inherited

If a method is passed, then it will be passed back. If no method is passed, then we'll check to see if the user is logged in. If they are, then 'user' is used, otherwise 'anon' is used.

inherited_from \DS::getMethod()

Parameters

$method

int

Server ID

Returns

string

Connection Method

Get the login password of the user logged into this datastore's connection method

getPassword($method) 
Inherited

inherited_from \DS::getPassword()

Parameters

$method

Set the login details of the user logged into this datastore's connection method

setLogin($user, $pass, $method) 
Inherited

inherited_from \DS::setLogin()

Parameters

$user

$pass

$method

This function will determine if the user is allowed to login based on a filter

userIsAllowedLogin($dn) 

Parameters

$dn

Explode a DN into an array of its RDN parts.

explodeDN(string $dn, int $with_attributes) : array

Parameters

$dn

string

The DN to explode.

$with_attributes

int

(optional) Whether to include attribute names (see http://php.net/ldap_explode_dn for details)

Returns

array

An array of RDN parts of this format:

Array (
    [0] => uid=ppratt
    [1] => ou=People
    [2] => dc=example
    [3] => dc=com
)

NOTE: When a multivalue RDN is passed to ldap_explode_dn, the result is returned with 'value + value'.

Return the login base DNs. If no login base DNs are defined, then the LDAP server Base DNs are used.

getLoginBaseDN() 

Return the login classes that a user must have to login

getLoginClass() 

Fetches the raw schema array for the subschemaSubentry of the server.

getRawSchema(string $method, string $schema_to_fetch, \dn $dn) : array

Note, this function has grown many hairs to accommodate more LDAP servers. It is needfully complicated as it now supports many popular LDAP servers that don't necessarily expose their schema "the right way".

Please note: On FC systems, it seems that php_ldap uses /etc/openldap/ldap.conf in the search base if it is blank - so edit that file and comment out the BASE line.

Parameters

$method

string

Which connection method resource to use

$schema_to_fetch

string

A string indicating which type of schema to fetch. Five valid values: 'objectclasses', 'attributetypes', 'ldapsyntaxes', 'matchingruleuse', or 'matchingrules'. Case insensitive.

$dn

\dn

(optional) This parameter is the DN of the entry whose schema you would like to fetch. Entries have the option of specifying their own subschemaSubentry that points to the DN of the system schema entry which applies to this attribute. If unspecified, this will try to retrieve the schema from the RootDSE subschemaSubentry. Failing that, we use some commonly known schema DNs. Default value is the Root DSE DN (zero-length string).

Returns

array

An array of strings of this form:

Array (
    [0] => "(1.3.6.1.4.1.7165.1.2.2.4 NAME 'gidPool' DESC 'Pool ...
    [1] => "(1.3.6.1.4.1.7165.2.2.3 NAME 'sambaAccount' DESC 'Sa ...
    etc.

This function will query the ldap server and request the subSchemaSubEntry which should be the Schema DN.

getSchemaDN(string $method, \dn $dn) : array | false

If we can't connect to the LDAP server, we'll return false. If we can connect but can't get the entry, then we'll return null.

Parameters

$method

string

Which connection method resource to use

$dn

\dn

The DN to use to obtain the schema

Returns

array | false

Schema if available, null if it's not, or false if we can't connect.

Fetches whether PROXY AUTH has been configured for use with a certain server.

isProxyEnabled() : boolean

Users may configure phpLDAPadmin to use PROXY AUTH in config.php thus:

$servers->setValue('login','auth_type','proxy');

Returns

boolean

Fetches whether SASL has been configured for use with a certain server.

isSASLEnabled() : boolean

Users may configure phpLDAPadmin to use SASL in config.php thus:

$servers->setValue('server','sasl',true|false);

Returns

boolean

Fetches whether TLS has been configured for use with a certain server.

isTLSEnabled() : boolean

Users may configure phpLDAPadmin to use TLS in config.php thus:

$servers->setValue('server','tls',true|false);

Returns

boolean

If PROXY AUTH is configured, then start it

startProxy($resource, $method) 

Parameters

$resource

$method

If SASL is configured, then start it. To be able to use SASL, PHP should have been compiled with --with-ldap-sasl=DIR.

startSASL($resource, $method) 

todo This has not been tested, please let the developers know if this function works as expected.

Parameters

$resource

$method

If TLS is configured, then start it

startTLS($resource) 

Parameters

$resource

Parse a DN and unescape any special characters

unescapeDN($dn) 

Parameters

$dn

 Properties

 

$custom

$custom 
Inherited

inherited_from \DS::$$custom
 

$default

$default 
Inherited

inherited_from \DS::$$default
 

$index

$index 
Inherited

inherited_from \DS::$$index
 

$type

$type 
Inherited

inherited_from \DS::$$type
 

$_schemaDN

$_schemaDN 

 

$_schema_entries

$_schema_entries 

 

$force_may

$force_may 

 

$noconnect

$noconnect