sabre-io · El-Virus · Jul 4, 2022 · Jul 19, 2022 · Jul 19, 2022 · Jul 20, 2022
diff --git a/Core/Frameworks/Baikal/Core/LDAP.php b/Core/Frameworks/Baikal/Core/LDAP.php
@@ -0,0 +1,229 @@
+<?php
+
+namespace Baikal\Core;
+
+use Baikal\Model\Principal\LDAP as Principal;
+
+#################################################################
+#  Copyright notice
+#
+#  (c) 2022      Aisha Tammy <[email protected]>
+#  (c) 2022-2025 El-Virus <[email protected]>
+#  All rights reserved
+#
+#  http://sabre.io/baikal
+#
+#  This script is part of the Baïkal Server project. The Baïkal
+#  Server project is free software; you can redistribute it
+#  and/or modify it under the terms of the GNU General Public
+#  License as published by the Free Software Foundation; either
+#  version 2 of the License, or (at your option) any later version.
+#
+#  The GNU General Public License can be found at
+#  http://www.gnu.org/copyleft/gpl.html.
+#
+#  This script is distributed in the hope that it will be useful,
+#  but WITHOUT ANY WARRANTY; without even the implied warranty of
+#  MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the
+#  GNU General Public License for more details.
+#
+#  This copyright notice MUST APPEAR in all copies of the script!
+#################################################################
+
+/**
+ * This is an authentication backend that uses ldap.
+ */
+class LDAP extends \Sabre\DAV\Auth\Backend\AbstractBasic {
+    /**
+     * Reference to PDO connection.
+     *
+     * @var PDO
+     */
+    protected $pdo;
+
+    /**
+     * PDO table name we'll be using.
+     *
+     * @var string
+     */
+    protected $table_name;
+
+    /**
+     * LDAP Config.
+     * LDAP Config Struct.
+     *
+     * @var \Baikal\Model\Structs\LDAPConfig
+     */
+    protected $ldap_config;
+
+    /**
+     * Replaces patterns for their assigned value using the
+     * given username, using cyrus-sasl style replacements.
+     *
+     * %u   - gets replaced by full username
+     * %U   - gets replaced by user part when the
+     *        username is an email address
+     * %d   - gets replaced by domain part when the
+     *        username is an email address
+     * %%   - gets replaced by %
+     * %1-9 - gets replaced by parts of the the domain
+     *        split by '.' in reverse order
+     *
+     * full example for [email protected]:
+     *        %u = [email protected]
+     *        %U = jane.doe
+     *        %d = mail.example.org
+     *        %1 = org
+     *        %2 = example
+     *        %3 = mail
+     *
+     * @param string $line
+     * @param string $username
+     *
+     * @return string
+     */
+    public static function patternReplace($line, $username) {
+        $user_split = [$username];
+        $user = $username;
+        $domain = '';
+        try {
+            $user_split = explode('@', $username, 2);
+            $user = $user_split[0];
+            if (2 == count($user_split)) {
+                $domain = $user_split[1];
+            }
+        } catch (\Exception $ignored) {
+        }
+        $domain_split = [];
+        try {
+            $domain_split = array_reverse(explode('.', $domain));
+        } catch (\Exception $ignored) {
+            $domain_split = [];
+        }
+
+        $parsed_line = '';
+        for ($i = 0; $i < strlen($line); ++$i) {
+            if ('%' == $line[$i]) {
+                ++$i;
+                $next_char = $line[$i];
+                if ('u' == $next_char) {
+                    $parsed_line .= $username;
+                } elseif ('U' == $next_char) {
+                    $parsed_line .= $user;
+                } elseif ('d' == $next_char) {
+                    $parsed_line .= $domain;
+                } elseif ('%' == $next_char) {
+                    $parsed_line .= '%';
+                } else {
+                    for ($j = 1; $j <= count($domain_split) && $j <= 9; ++$j) {
+                        if ($next_char == '' . $j) {
+                            $parsed_line .= $domain_split[$j - 1];
+                        }
+                    }
+                }
+            } else {
+                $parsed_line .= $line[$i];
+            }
+        }
+
+        return $parsed_line;
+    }
+
+    /**
+     * Checks if a user can bind with a password.
+     * If an error is produced, it will be logged.
+     *
+     * @param \LDAP\Connection &$conn
+     * @param string $dn
+     * @param string $password
+     *
+     * @return bool
+     */
+    public static function doesBind(&$conn, $dn, $password) {
+        try {
+            $bind = ldap_bind($conn, $dn, $password);
+            if ($bind) {
+                return true;
+            }
+        } catch (\ErrorException $e) {
+            error_log($e->getMessage());
+            error_log(ldap_error($conn));
+        }
+
+        return false;
+    }
+
+    /**
+     * Creates the backend object.
+     *
+     * @param \PD0 $pdo
+     * @param string $table_name
+     * @param \Baikal\Model\Structs\LDAPConfig $ldap_config
+     */
+    public function __construct(\PDO $pdo, $table_name, $ldap_config) {
+        $this->pdo          = $pdo;
+        $this->table_name   = $table_name;
+        $this->ldap_config  = $ldap_config;
+    }
+
+    /**
+     * Connects to an LDAP server and tries to authenticate.
+     *
+     * @param string $username
+     * @param string $password
+     *
+     * @return bool
+     */
+    protected function ldapOpen($username, $password) {
+        try {
+            $principal = new Principal($username, $this->ldap_config);
+        } catch (\Exception $ignored) {
+            return false;
+        }
+
+        $conn = ldap_connect($this->ldap_config->ldap_uri);
+        if (!$conn) {
+            return false;
+        }
+        if (!ldap_set_option($conn, LDAP_OPT_PROTOCOL_VERSION, 3)) {
+            return false;
+        }
+
+        $success = $this->doesBind($conn, $principal->dn, $password);
+
+        ldap_close($conn);
+
+        if ($success) {
+            $stmt = $this->pdo->prepare('SELECT 1 FROM ' . $this->table_name . ' WHERE username = ?');
+            $stmt->execute([$username]);
+            $result = $stmt->fetchAll();
+
+            if (empty($result)) {
+                $user = new \Baikal\Model\User();
+                $user->set('federation', 'LDAP');
+                $user->set('username', $username);
+                $user->persist();
+            }
+        }
+
+        return $success;
+    }
+
+    /**
+     * Validates a username and password by trying to authenticate against LDAP.
+     *
+     * @param string $username
+     * @param string $password
+     *
+     * @return bool
+     */
+    protected function validateUserPass($username, $password) {
+        if (!extension_loaded("ldap")) {
+            error_log('PHP LDAP extension not enabled');
+
+            return false;
+        }
+
+        return $this->ldapOpen($username, $password);
+    }
+}
diff --git a/Core/Frameworks/Baikal/Core/Server.php b/Core/Frameworks/Baikal/Core/Server.php
@@ -27,6 +27,7 @@
 
 namespace Baikal\Core;
 
+use Baikal\Model\Structs\LDAPConfig;
 use Symfony\Component\Yaml\Yaml;
 
 /**
@@ -134,6 +135,8 @@ protected function initServer() {
             $authBackend = new \Baikal\Core\PDOBasicAuth($this->pdo, $this->authRealm);
         } elseif ($this->authType === 'Apache') {
             $authBackend = new \Sabre\DAV\Auth\Backend\Apache();
+        } elseif ($this->authType === 'LDAP') {
+            $authBackend = new \Baikal\Core\LDAP($this->pdo, 'users', LDAPConfig::fromArray($config['system']));
         } else {
             $authBackend = new \Sabre\DAV\Auth\Backend\PDO($this->pdo);
             $authBackend->setRealm($this->authRealm);

diff --git a/Core/Frameworks/Baikal/Model/Config/Standard.php b/Core/Frameworks/Baikal/Model/Config/Standard.php
@@ -32,17 +32,28 @@
 class Standard extends \Baikal\Model\Config {
     # Default values
     protected $aData = [
-        "configured_version"    => BAIKAL_VERSION,
-        "timezone"              => "Europe/Paris",
-        "card_enabled"          => true,
-        "cal_enabled"           => true,
-        "dav_auth_type"         => "Digest",
-        "admin_passwordhash"    => "",
-        "failed_access_message" => "user %u authentication failure for Baikal",
+        "configured_version"     => BAIKAL_VERSION,
+        "timezone"               => "Europe/Paris",
+        "card_enabled"           => true,
+        "cal_enabled"            => true,
+        "admin_passwordhash"     => "",
+        "dav_auth_type"          => "Digest",
+        "ldap_mode"              => "None",
+        "ldap_uri"               => "ldap://127.0.0.1",
+        "ldap_bind_dn"           => "cn=baikal,ou=apps,dc=example,dc=com",
+        "ldap_bind_password"     => "",
+        "ldap_dn"                => "mail=%u",
+        "ldap_cn"                => "cn",
+        "ldap_mail"              => "mail",
+        "ldap_search_base"       => "ou=users,dc=example,dc=com",
+        "ldap_search_attribute"  => "uid=%U",
+        "ldap_search_filter"     => "(objectClass=*)",
+        "ldap_group"             => "cn=baikal,ou=groups,dc=example,dc=com",
+        "failed_access_message"  => "user %u authentication failure for Baikal",
         // While not editable as will change admin & any existing user passwords,
         // could be set to different value when migrating from legacy config
-        "auth_realm"            => "BaikalDAV",
-        "base_uri"              => "",
+        "auth_realm"             => "BaikalDAV",
+        "base_uri"               => "",
     ];
 
     function __construct() {
@@ -76,12 +87,6 @@ function formMorphologyForThisModelInstance() {
             "help"  => "Leave empty to disable sending invite emails",
         ]));
 
-        $oMorpho->add(new \Formal\Element\Listbox([
-            "prop"    => "dav_auth_type",
-            "label"   => "WebDAV authentication type",
-            "options" => ["Digest", "Basic", "Apache"],
-        ]));
-
         $oMorpho->add(new \Formal\Element\Password([
             "prop"  => "admin_passwordhash",
             "label" => "Admin password",
@@ -93,6 +98,72 @@ function formMorphologyForThisModelInstance() {
             "validation" => "sameas:admin_passwordhash",
         ]));
 
+        $oMorpho->add(new \Formal\Element\Listbox([
+            "prop"    => "dav_auth_type",
+            "label"   => "WebDAV authentication type",
+            "options" => ["Digest", "Basic", "Apache", "LDAP"],
+            "refreshonchange" => true,
+        ]));
+
+        $oMorpho->add(new \Formal\Element\Listbox([
+            "prop"    => "ldap_mode",
+            "label"   => "LDAP authentication mode",
+            "options" => ["DN", "Attribute", "Filter", "Group"],
+            "refreshonchange" => true,
+        ]));
+
+        $oMorpho->add(new \Formal\Element\Text([
+            "prop"    => "ldap_uri",
+            "label"   => "URI of the LDAP server",
+        ]));
+
+        $oMorpho->add(new \Formal\Element\Text([
+            "prop"    => "ldap_bind_dn",
+            "label"   => "DN which Baikal will use to bind to the LDAP server",
+        ]));
+
+        $oMorpho->add(new \Formal\Element\Password([
+            "prop"    => "ldap_bind_password",
+            "label"   => "Password of the bind DN user",
+        ]));
+
+        $oMorpho->add(new \Formal\Element\Text([
+            "prop"    => "ldap_dn",
+            "label"   => "User DN for bind",
+            "help"    => "Replacments: %u => username, %U => user part, %d => domain part of username, %1-9 parts of the domain in reverse order",
+        ]));
+
+        $oMorpho->add(new \Formal\Element\Text([
+            "prop"    => "ldap_cn",
+            "label"   => "LDAP-attribute for displayname",
+        ]));
+
+        $oMorpho->add(new \Formal\Element\Text([
+            "prop"    => "ldap_mail",
+            "label"   => "LDAP-attribute for email",
+        ]));
+
+        $oMorpho->add(new \Formal\Element\Text([
+            "prop"    => "ldap_search_base",
+            "label"   => "Base of the LDAP search",
+        ]));
+
+        $oMorpho->add(new \Formal\Element\Text([
+            "prop"    => "ldap_search_attribute",
+            "label"   => "Attribute to match the user with",
+            "help"    => "Replacments: %u => username, %U => user part, %d => domain part of username, %1-9 parts of the domain in reverse order",
+        ]));
+
+        $oMorpho->add(new \Formal\Element\Text([
+            "prop"    => "ldap_search_filter",
+            "label"   => "LDAP filter to be applied to the search",
+        ]));
+
+        $oMorpho->add(new \Formal\Element\Text([
+            "prop"    => "ldap_group",
+            "label"   => "Group DN that contains the member atribute of the user",
+        ]));
+
         try {
             $config = Yaml::parseFile(PROJECT_PATH_CONFIG . "baikal.yaml");
         } catch (\Exception $e) {
@@ -106,6 +177,7 @@ function formMorphologyForThisModelInstance() {
             $sNotice = "-- Leave empty to keep current password --";
             $oMorpho->element("admin_passwordhash")->setOption("placeholder", $sNotice);
             $oMorpho->element("admin_passwordhash_confirm")->setOption("placeholder", $sNotice);
+            $oMorpho->element("ldap_bind_password")->setOption("placeholder", "-- Not Shown --");
         }
 
         return $oMorpho;
@@ -129,11 +201,19 @@ function set($sProp, $sValue) {
             return $this;
         }
 
+        if ($sProp === "ldap_bind_password" && $sValue === "") {
+            return;
+        }
+
+        if (!isset($sValue)) {
+            return;
+        }
+
         parent::set($sProp, $sValue);
     }
 
     function get($sProp) {
-        if ($sProp === "admin_passwordhash" || $sProp === "admin_passwordhash_confirm") {
+        if ($sProp === "admin_passwordhash" || $sProp === "admin_passwordhash_confirm" || $sProp === "ldap_bind_password") {
             return "";
         }