egroupware_official/emailadmin/doc/dovecot_checkpassword_ads.php

331 lines
11 KiB
PHP
Raw Normal View History

2015-01-21 20:49:09 +01:00
#!/usr/bin/php -Cq
<?php
/**
* EGroupware -checkpasswd for Dovecot and Active Directory
*
* Quota is stored with "quota:" prefix in multivalued proxyAddresses attribute.
* Group-memberships are passed to Dovecot to use them in ACL.
*
* Reads descriptor 3 through end of file and then closes descriptor 3.
* There must be at most 512 bytes of data before end of file.
*
* The information supplied on descriptor 3 is a login name terminated by \0, a password terminated by \0,
* a timestamp terminated by \0, and possibly more data.
* There are no other restrictions on the form of the login name, password, and timestamp.
*
* If the password is unacceptable, checkpassword exits 1. If checkpassword is misused, it may instead exit 2.
* If user is not found, checkpassword exits 3.
* If there is a temporary problem checking the password, checkpassword exits 111.
*
* If the password is acceptable, checkpassword runs prog. prog consists of one or more arguments.
*
* Following enviroment variables are used by Dovecot:
* - SERVICE: contains eg. imap, pop3 or smtp
* - TCPLOCALIP and TCPREMOTEIP: Client socket's IP addresses if available
* Following is document, but does NOT work:
* - MASTER_USER: If master login is attempted. This means that the password contains the master user's password and the normal username contains the user who master wants to log in as.
* Found working:
* - AUTH_LOGIN_USER: If master login is attempted. This means that username/password are from master, AUTH_LOGIN_USER is user master wants to log in as.
*
* Following enviroment variables are used on return:
* - USER: modified user name
* - HOME: mail_home
* - EXTRA: userdb extra fields eg. "system_groups_user=... userdb_quota_rule=*:storage=10000"
*
* @author rb(at)stylite.de
* @copyright (c) 2012-13 by rb(at)stylite.de
* @package emailadmin
* @link http://wiki2.dovecot.org/AuthDatabase/CheckPassword
* @link http://cr.yp.to/checkpwd/interface.html
* @version $Id$
*/
// protect from being called via HTTP
if (php_sapi_name() !== 'cli') die('This is a command line only script!');
// uncomment to write to log-file, otherwise errors go to stderr
//$log = '/var/log/dovecot_checkpassword.log';
//$log_verbose = true; // error's are always logged, set to true to log auth failures and success too
// ldap server settings
$ldap_uri = 'ldaps://10.7.102.13/';
$ldap_base = 'CN=Users,DC=gruene,DC=intern';
$bind_dn = "CN=Administrator,$ldap_base";
//$bind_dn = "Administrator@gruene.intern";
//$bind_pw = 'secret';
$version = 3;
$use_tls = false;
$search_base = $ldap_base;//'o=%d,dc=egroupware';
$passdb_filter = $userdb_filter = '(&(objectCategory=person)(sAMAccountName=%s))';
// %d for domain and %s for username given by Dovecot is set automatic
$user_attrs = array(
'%u' => 'samaccountname', // do NOT remove!
// '%n' => 'uidnumber',
// '%h' => 'mailmessagestore',
'%q' => '{quota:}proxyaddresses',
'%x' => 'dn',
);
$user_name = '%u'; // '%u@%d';
$user_home = '/var/dovecot/imap/gruene/%u'; //'/var/dovecot/imap/%d/%u'; // mailbox location
$extra = array(
'userdb_quota_rule' => '*:bytes=%q',
/* only for director
'proxy' => 'Y',
'nologin' => 'Y',
'nopassword' => 'Y',
*/
);
// get host by not set l attribute
/* only for director
$host_filter = 'o=%d';
$host_base = 'dc=egroupware';
$host_attr = 'l';
$host_default = '10.40.8.200';
*/
// to return Dovecot extra system_groups_user
$group_base = $ldap_base;
$group_filter = '(&(objectCategory=group)(member=%x))';
$group_attr = 'cn';
$group_append = ''; //'@%d';
$master_dn = $bind_dn; //"cn=admin,dc=egroupware";
//$domain_master_dn = "cn=admin,o=%d,dc=egroupware";
ini_set('display_errors',false);
error_reporting(E_ALL & ~E_NOTICE);
if ($log) ini_set('error_log',$log);
if ($_SERVER['argc'] < 2)
{
fwrite(STDERR,"\nUsage: {$_SERVER['argv'][0]} prog-to-exec\n\n");
fwrite(STDERR,"To test run:\n");
fwrite(STDERR,"echo -en 'username\\0000''password\\0000' | {$_SERVER['argv'][0]} env 3<&0 ; echo $?\n");
fwrite(STDERR,"echo -en 'username\\0000' | AUTHORIZED=1 {$_SERVER['argv'][0]} env 3<&0 ; echo $?\n");
fwrite(STDERR,"echo -en '(dovecode-admin@domain|dovecot|cyrus)\\0000''master-password\\0000' | AUTH_LOGIN_USER=username {$_SERVER['argv'][0]} env 3<&0 ; echo $?\n\n");
exit(2);
}
list($username,$password) = explode("\0",file_get_contents('php://fd/3'));
if (isset($_SERVER['AUTH_LOGIN_USER']))
{
$master = $username;
$username = $_SERVER['AUTH_LOGIN_USER'];
}
//error_log("dovecot_checkpassword '{$_SERVER['argv'][1]}': username='$username', password='$password', master='$master'");
$ds = ldap_connect($ldap_uri);
if ($version) ldap_set_option($ds, LDAP_OPT_PROTOCOL_VERSION, $version);
if ($use_tls) ldap_start_tls($ds);
if (!@ldap_bind($ds, $bind_dn, $bind_pw))
{
error_log("Can't connect to LDAP server $ldap_uri!");
exit(111); // 111 = temporary problem
}
list(,$domain) = explode('@',$username);
if (preg_match('/^(.*)\.imapc$/',$domain,$matches))
{
$domain = $matches[1];
$username = explode('.', $username);
array_pop($username);
$username = implode('.',$username);
$user_home = '/var/tmp/imapc-%d/%s';
$extra = array(
'userdb_mail' => 'imapc:/var/tmp/imapc-'.$domain.'/'.$username,
//'userdb_imapc_password' => $password,
//'userdb_imapc_host' => 'hugo.de',
);
}
$replace = array(
'%d' => $domain,
'%s' => $username,
);
$base = strtr($search_base, $replace);
if (($passdb_query = !isset($_SERVER['AUTHORIZED']) || $_SERVER['AUTHORIZED'] != 1))
{
$filter = $passdb_filter;
// authenticate with master user/password
// master user name is hardcoded "dovecot", "cyrus" or "dovecot-admin@domain" and mapped currently to cn=admin,[o=domain,]dc=egroupware
if (isset($master))
{
list($n,$d) = explode('@', $master);
if (!($n === 'dovecot-admin' && $d === $domain || in_array($master,array('dovecot','cyrus'))))
{
// no valid master-user for given domain
exit(1);
}
$dn = $d ? strtr($domain_master_dn,array('%d'=>$domain)) : $master_dn;
if (!@ldap_bind($ds, $dn, $password))
{
if ($log_verbose) error_log("Can't bind as '$dn' with password '$password'! Authentication as master '$master' for user '$username' failed!");
exit(111); // 111 = temporary problem
}
if ($log_verbose) error_log("Authentication as master '$master' for user '$username' succeeded!");
$passdb_query = false;
$filter = $userdb_filter;
}
}
else
{
$filter = $userdb_filter;
putenv('AUTHORIZED=2');
}
$filter = strtr($filter, quote($replace));
// remove prefixes eg. "{quota:}proxyaddresses"
$attrs = $user_attrs;
foreach($attrs as &$a) if ($a[0] == '{') list(,$a) = explode('}', $a);
if (!($sr = ldap_search($ds, $base, $filter, array_values($attrs))))
{
error_log("Error ldap_search(\$ds, '$base', '$filter')!");
exit(111); // 111 = temporary problem
}
$entries = ldap_get_entries($ds, $sr);
if (!$entries['count'])
{
if ($log_verbose) error_log("User '$username' NOT found!");
exit(3);
}
if ($entries['count'] > 1)
{
// should not happen for passdb, but could happen for aliases ...
error_log("Error ldap_search(\$ds, '$base', '$filter') returned more then one user!");
exit(111); // 111 = temporary problem
}
//print_r($entries);
if ($passdb_query)
{
// now authenticate user by trying to bind to found dn with given password
if (!@ldap_bind($ds, $entries[0]['dn'], $password))
{
if ($log_verbose) error_log("Can't bind as '{$entries[0]['dn']}' with password '$password'! Authentication for user '$username' failed!");
exit(1);
}
if ($log_verbose) error_log("Successfull authentication user '$username' dn='{$entries[0]['dn']}'.");
}
else // user-db query, no authentication
{
if ($log_verbose) error_log("User-db query for user '$username' dn='{$entries[0]['dn']}'.");
}
// add additional placeholders from $user_attrs
foreach($user_attrs as $placeholder => $attr)
{
if ($attr[0] == '{') // prefix given --> ignore all values without and remove it
{
list($prefix, $attr) = explode('}', substr($attr, 1));
foreach($entries[0][$attr] as $key => $value)
{
if ($key === 'count') continue;
if (strpos($value, $prefix) !== 0) continue;
$replace[$placeholder] = substr($value, strlen($prefix));
break;
}
}
else
{
$replace[$placeholder] = is_array($entries[0][$attr]) ? $entries[0][$attr][0] : $entries[0][$attr];
}
}
// search memberships
if (isset($group_base) && $group_filter && $group_attr)
{
$base = strtr($group_base, $replace);
$filter = strtr($group_filter, quote($replace));
$append = strtr($group_append, $replace);
if (($sr = ldap_search($ds, $base, $filter, array($group_attr))) &&
($groups = ldap_get_entries($ds, $sr)) && $groups['count'])
{
//print_r($groups);
$system_groups_user = array();
foreach($groups as $key => $group)
{
if ($key === 'count') continue;
$system_groups_user[] = $group[$group_attr][0].$append;
}
$extra['system_groups_user'] = implode(',', $system_groups_user); // todo: check separator
}
else
{
error_log("Error searching for memberships ldap_search(\$ds, '$base', '$filter')!");
}
}
// set host attribute for director to old imap
if (isset($host_base) && isset($host_filter))
{
if (!($sr = ldap_search($ds, $host_base, $filter=strtr($host_filter, quote($replace)), array($host_attr))))
{
error_log("Error ldap_search(\$ds, '$host_base', '$filter')!");
exit(111); // 111 = temporary problem
}
$entries = ldap_get_entries($ds, $sr);
if ($entries['count'] && !isset($entries[0][$host_attr]))
{
$extra['host'] = $host_default;
}
}
// close ldap connection
ldap_unbind($ds);
// build command to run
array_shift($_SERVER['argv']);
$cmd = array_shift($_SERVER['argv']);
foreach($_SERVER['argv'] as $arg)
{
$cmd .= ' '.escapeshellarg($arg);
}
// setting USER, HOME, EXTRA
putenv('USER='.strtr($user_name, $replace));
if ($user_home) putenv('HOME='.strtr($user_home, $replace));
if ($extra)
{
foreach($extra as $name => $value)
{
if (($pos = strpos($value,'%')) !== false)
{
// check if replacement is set, otherwise skip whole extra-value
if (!isset($replace[substr($value,$pos,2)]))
{
unset($extra[$name]);
continue;
}
$value = strtr($value,$replace);
}
putenv($name.'='.$value);
}
putenv('EXTRA='.implode(' ', array_keys($extra)));
}
// call given command and exit with it's exit-status
passthru($cmd, $ret);
exit($ret);
/**
* escapes a string for use in searchfilters meant for ldap_search.
*
* Escaped Characters are: '*', '(', ')', ' ', '\', NUL
* It's actually a PHP-Bug, that we have to escape space.
* For all other Characters, refer to RFC2254.
*
* @param string|array $string either a string to be escaped, or an array of values to be escaped
* @return string
*/
function quote($string)
{
return str_replace(array('\\','*','(',')','\0',' '),array('\\\\','\*','\(','\)','\\0','\20'),$string);
}