From a73103a576de1847de614341731290b6c70798da Mon Sep 17 00:00:00 2001 From: Benjamin Renard Date: Tue, 18 Nov 2014 13:16:38 +0100 Subject: [PATCH] LSsession : Add useUserCredentials parameter --- doc/conf/srv-ldap.docbook | 15 +++++++ public_html/includes/class/class.LSauth.php | 13 ++++++ .../includes/class/class.LSauthMethod.php | 20 ++++++++- public_html/includes/class/class.LSldap.php | 40 +++++++++++++++--- .../includes/class/class.LSsession.php | 42 +++++++++++++++---- 5 files changed, 117 insertions(+), 13 deletions(-) diff --git a/doc/conf/srv-ldap.docbook b/doc/conf/srv-ldap.docbook index 558edb93..8890317d 100644 --- a/doc/conf/srv-ldap.docbook +++ b/doc/conf/srv-ldap.docbook @@ -16,6 +16,7 @@ serveur LDAP. 'ldap_config'=> array( // Définition des paramètres de connexion à l'annuaire ), + 'useUserCredentials' => [boolean], 'LSauth' => array ( 'method' => [LSauth method] ), @@ -71,6 +72,20 @@ serveur LDAP. + + useUserCredentials + + Booléen définissant si il faut utiliser les identifiants de l'utilisateur pour + se connecter à l'annuaire (false par défaut). Si cette option est + activée, la connexion à l'annuaire LDAP sera établie avec la configuration fournie dans + le paramètre ldap_config en écrasant les informations de connexion + (binddn et bindpwd) par ceux de l'utilisateur. + Si l'utilisateur n'est pas encore connecté, la connexion sera étalie sans modifier la + configuration fournie. + + + + LSprofiles diff --git a/public_html/includes/class/class.LSauth.php b/public_html/includes/class/class.LSauth.php index dd16be5b..4bfd735f 100644 --- a/public_html/includes/class/class.LSauth.php +++ b/public_html/includes/class/class.LSauth.php 
@@ -85,6 +85,19 @@ class LSauth { return; } + /** + * Get LDAP credentials + * + * Return LDAP credentials or false + * + * @params[in] $user The LSldapObject of the user authificated + * + * @retval Array|false Array of LDAP credentials array('dn','pwd') or False + **/ + public function getLDAPcredentials($user) { + return self :: $provider -> getLDAPcredentials($user); + } + /** * Logout * diff --git a/public_html/includes/class/class.LSauthMethod.php b/public_html/includes/class/class.LSauthMethod.php index 8c0ac211..745be780 100644 --- a/public_html/includes/class/class.LSauthMethod.php +++ b/public_html/includes/class/class.LSauthMethod.php @@ -93,7 +93,25 @@ class LSauthMethod { // Do nothing in the standard LSauthMethod class return true; } - + + /** + * Get LDAP credentials + * + * Return LDAP credentials or false + * + * @params[in] $user The LSldapObject of the user authificated + * + * @retval Array|false Array of LDAP credentials array('dn','pwd') or False + **/ + public function getLDAPcredentials($user) { + if (isset($this -> authData['password'])) { + return array( + 'dn' => $user -> getDn(), + 'pwd' => $this -> authData['password'] + ); + } + return false; + } } ?> diff --git a/public_html/includes/class/class.LSldap.php b/public_html/includes/class/class.LSldap.php index 45247a85..8b3de809 100644 --- a/public_html/includes/class/class.LSldap.php +++ b/public_html/includes/class/class.LSldap.php @@ -39,7 +39,7 @@ class LSldap { * * @author Benjamin Renard * - * @param[in] $config array Tableau de configuration au formar Net_LDAP2 + * @param[in] $config array Tableau de configuration au format Net_LDAP2 * * @retval void */ 
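Review bot: The docblock of the new `getLDAPcredentials()` wrapper uses `@params[in]` and "authificated", while the LSldap docblocks in the same patch use `@param[in]`; the same two slips are in class.LSauthMethod.php. I would write `@param[in] $user The LSldapObject of the authenticated user`. Since the wrapper returns whatever `self :: $provider -> getLDAPcredentials($user)` yields without checking it, the docblock should say the value (array with 'dn' and 'pwd', or false) comes straight from the configured auth method and is not validated by LSauth.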
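Review bot: The contract of the base `getLDAPcredentials()` for subclasses is not stated: it returns credentials only when `$this -> authData['password']` is set, so an auth method that authenticates without keeping a password in `authData` returns false, which the new code in class.LSsession.php (hunk at -584) turns into error LSsession_14 when `useUserCredentials` is enabled. I would add to the docblock `Auth methods that do not keep the user's password in $this -> authData must override this method to support the useUserCredentials option.` The 'pwd' element is the user's cleartext login password; stating that in the docblock lets callers that store the array (LSsession does, in the session data) see what they are persisting.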
@@ -48,15 +48,15 @@ class LSldap { } /** - * Connection + * Connect to LDAP server * - * Cette methode établie la connexion à l'annuaire Ldap + * This method establish connection to LDAP server * * @author Benjamin Renard * - * @param[in] $config array Tableau de configuration au formar Net_LDAP2 + * @param[in] $config array LDAP configuration array in format of Net_LDAP2 * - * @retval boolean true si la connection est établie, false sinon + * @retval boolean true if connected, false instead */ public static function connect($config = null) { if ($config) { @@ -71,6 +71,36 @@ class LSldap { return true; } + /** + * Reconnect (or connect) with other credentials + * + * @author Benjamin Renard + * + * @param[in] $dn string Bind DN + * @param[in] $pwd array Bind password + * @param[in] $config array LDAP configuration array in format of Net_LDAP2 + * + * @retval boolean true if connected, false instead + */ + public static function reconnectAs($dn,$pwd,$config) { + if ($config) { + self :: setConfig($config); + } + if (self :: $cnx) { + self :: $cnx -> done(); + } + $config=self :: $config; + $config['binddn']=$dn; + $config['bindpw']=$pwd; + self :: $cnx = Net_LDAP2::connect($config); + if (Net_LDAP2::isError(self :: $cnx)) { + LSerror :: addErrorCode('LSldap_01',self :: $cnx -> getMessage()); + self :: $cnx = NULL; + return; + } + return true; + } + /** * Déconnection * diff --git a/public_html/includes/class/class.LSsession.php b/public_html/includes/class/class.LSsession.php index d581f572..2e0fe94f 100644 --- a/public_html/includes/class/class.LSsession.php +++ b/public_html/includes/class/class.LSsession.php @@ -84,6 +84,9 @@ class LSsession { // The LSauht object of the session private static $LSauthObject = false; + // User LDAP credentials + private static $userLDAPcreds = false; + /** * Include un fichier PHP * 
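Review bot: `reconnectAs($dn,$pwd,$config)` declares `$config` as required, but the call added in class.LSsession.php (hunk at -584), `LSldap :: reconnectAs(self :: $userLDAPcreds['dn'],self :: $userLDAPcreds['pwd'])`, passes only two arguments; PHP reports a missing argument for that call (a warning on PHP 5, an ArgumentCountError on 7.1 and later). Give it the same default as `connect()`: `public static function reconnectAs($dn,$pwd,$config=null) {`, which the `if ($config)` guard already handles. The docblock also types the password as `array`; it is a string, `@param[in] $pwd string Bind password`. The error path does `return;` (null) although `@retval boolean` is documented, so either `return false;` or document the null.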
@@ -475,11 +478,12 @@ class LSsession { if(isset($_SESSION['LSsession']['dn']) && !isset($_GET['LSsession_recoverPassword'])) { LSdebug('LSsession : Session existente'); // --------------------- Session existante --------------------- // - self :: $topDn = $_SESSION['LSsession']['topDn']; - self :: $dn = $_SESSION['LSsession']['dn']; - self :: $rdn = $_SESSION['LSsession']['rdn']; - self :: $ldapServerId = $_SESSION['LSsession']['ldapServerId']; - self :: $tmp_file = $_SESSION['LSsession']['tmp_file']; + self :: $topDn = $_SESSION['LSsession']['topDn']; + self :: $dn = $_SESSION['LSsession']['dn']; + self :: $rdn = $_SESSION['LSsession']['rdn']; + self :: $ldapServerId = $_SESSION['LSsession']['ldapServerId']; + self :: $tmp_file = $_SESSION['LSsession']['tmp_file']; + self :: $userLDAPcreds = $_SESSION['LSsession']['userLDAPcreds']; if ( self :: cacheLSprofiles() && !isset($_REQUEST['LSsession_refresh']) ) { self :: setLdapServer(self :: $ldapServerId); @@ -584,6 +588,18 @@ class LSsession { self :: $LSuserObject = $LSuserObject; self :: $dn = $LSuserObject->getValue('dn'); self :: $rdn = $LSuserObject->getValue('rdn'); + if (isset(self :: $ldapServer['useUserCredentials']) && self :: $ldapServer['useUserCredentials']) { + self :: $userLDAPcreds = LSauth :: getLDAPcredentials($LSuserObject); + if (!is_array(self :: $userLDAPcreds)) { + LSerror :: addErrorCode('LSsession_14'); + self :: $userLDAPcreds = false; + return; + } + if (!LSldap :: reconnectAs(self :: $userLDAPcreds['dn'],self :: $userLDAPcreds['pwd'])) { + LSerror :: addErrorCode('LSsession_15'); + return; + } + } self :: loadLSprofiles(); self :: loadLSaccess(); LStemplate :: assign('LSsession_username',self :: getLSuserObject() -> getDisplayName()); 
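Review bot: `self :: $userLDAPcreds = $_SESSION['LSsession']['userLDAPcreds'];` reads the key unconditionally, but a session saved before this change has no such entry, so restoring it raises an undefined-index notice and leaves the property null instead of its documented false. Guard it like the other restored fields should be: `self :: $userLDAPcreds = (isset($_SESSION['LSsession']['userLDAPcreds']) ? $_SESSION['LSsession']['userLDAPcreds'] : false);`. The method this runs in starts before the hunk, so I cannot see whether an earlier check already validates the session array.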
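Review bot: When `LSldap :: reconnectAs()` fails, the new branch records LSsession_15 and returns but leaves `self :: $userLDAPcreds` populated, whereas the LSsession_14 branch just above resets it to false; a later session save (the hunk at -851 stores `userLDAPcreds`) would then persist a password that did not bind. Add `self :: $userLDAPcreds = false;` before the `return;` in that branch. The same call passes two arguments to `reconnectAs`, whose definition in class.LSldap.php requires three (see the note on that hunk). The enclosing method starts outside the hunk, so whether a bare `return;` is what its callers expect cannot be checked here.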
@@ -851,6 +867,7 @@ class LSsession { 'topDn' => self :: $topDn, 'dn' => self :: $dn, 'rdn' => self :: $rdn, + 'userLDAPcreds' => self :: $userLDAPcreds, 'ldapServerId' => self :: $ldapServerId, 'ldapServer' => self :: $ldapServer, 'LSprofiles' => self :: $LSprofiles, @@ -955,7 +972,12 @@ class LSsession { if (!self :: loadLSclass('LSldap')) { return; } - LSldap :: connect(self :: $ldapServer['ldap_config']); + if (self :: $dn && isset(self :: $ldapServer['useUserCredentials']) && self :: $ldapServer['useUserCredentials']) { + LSldap :: reconnectAs(self :: $userLDAPcreds['dn'], self :: $userLDAPcreds['pwd'],self :: $ldapServer['ldap_config']); + } + else { + LSldap :: connect(self :: $ldapServer['ldap_config']); + } if (LSldap :: isConnected()) { return true; } @@ -2223,7 +2245,13 @@ class LSsession { LSerror :: defineError('LSsession_13', _("LSsession : The function of the custom action %{name} does not exists or is not configured.") ); - // 14 -> 16 : not yet used + LSerror :: defineError('LSsession_14', + _("LSsession : Fail to retreive user's LDAP credentials from LSauth.") + ); + LSerror :: defineError('LSsession_15', + _("LSsession : Fail to reconnect to LDAP server with user's LDAP credentials.") + ); + // 16 : not yet used LSerror :: defineError('LSsession_17', _("LSsession : Error during creation of list of levels. Contact administrators. (Code : %{code})") );
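Review bot: Storing `'userLDAPcreds' => self :: $userLDAPcreds` puts the user's cleartext LDAP bind password (the 'pwd' element returned by LSauthMethod::getLDAPcredentials) into `$_SESSION`, so it now lives for the whole session in the session backend (by default files under session.save_path) and in any copy or backup of it. That is presumably needed for `useUserCredentials` to work across requests, but it should be stated next to the option in doc/conf/srv-ldap.docbook and at the property declaration, e.g. `// User LDAP credentials: array('dn','pwd') with the cleartext bind password, persisted in $_SESSION`, so operators know to protect the session store. Whether the logout path clears this entry is not visible in this patch and is worth confirming.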
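Review bot: The new condition tests `self :: $dn` and `useUserCredentials` but not that `self :: $userLDAPcreds` is an array; it is initialised to false and the hunk at -584 resets it to false on failure, and in that state `self :: $userLDAPcreds['dn']` and `['pwd']` evaluate to null, so `reconnectAs` is called with empty bind credentials rather than failing or falling back. Add `is_array(self :: $userLDAPcreds)` to the condition, e.g. `if (self :: $dn && is_array(self :: $userLDAPcreds) && isset(self :: $ldapServer['useUserCredentials']) && self :: $ldapServer['useUserCredentials']) {`, and decide explicitly whether the missing case should error or use `connect()`.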
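Review bot: The LSsession_14 message contains the typo "retreive", which will be frozen into the translation catalogue once the string is extracted; `_("LSsession : Failed to retrieve user's LDAP credentials from LSauth.")`, and likewise "Failed to reconnect" for LSsession_15. Fixing the wording before the strings ship avoids a later catalogue churn.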