simplesamlphp
diff --git a/‎docs/ldap.md‎
Lines changed: 9 additions & 0 deletions b/‎docs/ldap.md‎
Lines changed: 9 additions & 0 deletions
diff --git a/‎lib/Auth/InvalidCredentialResult.php‎
Lines changed: 209 additions & 0 deletions b/‎lib/Auth/InvalidCredentialResult.php‎
Lines changed: 209 additions & 0 deletions
diff --git a/‎lib/Auth/Process/AttributeAddFromLDAP.php‎
Lines changed: 3 additions & 7 deletions b/‎lib/Auth/Process/AttributeAddFromLDAP.php‎
Lines changed: 3 additions & 7 deletions
diff --git a/‎lib/Auth/Process/AttributeAddUsersGroups.php‎
Lines changed: 7 additions & 11 deletions b/‎lib/Auth/Process/AttributeAddUsersGroups.php‎
Lines changed: 7 additions & 11 deletions
@@ -61,6 +61,15 @@ authentication source:
             'network_timeout' => 3,
         ],
 
+        /**
+         * The connector to use.
+         * Defaults to '\SimpleSAML\Module\ldap\Connector\Ldap', but can be set
+         * to '\SimpleSAML\Module\ldap\Connector\ActiveDirectory' when
+         * authenticating against Microsoft Active Directory. This will
+         * provide you with more specific error messages.
+         */
+        'connector' => '\SimpleSAML\Module\ldap\Connector\Ldap',
+
         /**
          * Which attributes should be retrieved from the LDAP server.
          * This can be an array of attribute names, or NULL, in which case
 
@@ -0,0 +1,209 @@
+<?php
+
+namespace SimpleSAML\Module\ldap\Auth;
+
+use function array_merge_recursive;
+use function explode;
+use function in_array;
+use function preg_match;
+use function strpos;
+use function str_replace;
+
+/**
+ * Class representing an InvalidCredential Result
+ *
+ * This is used for extended diagnostic information
+ *
+ * @package simplesamlphp/simplesamlphp-module-ldap
+ */
+class InvalidCredentialResult
+{
+    /**
+     * List of Active Directory Bind Error Short Description's
+     *
+     * @see https://ldapwiki.com/wiki/Common%20Active%20Directory%20Bind%20Errors
+     */
+    public const LDAP_NO_SUCH_OBJECT = '525';
+    public const ERROR_LOGON_FAILURE = '52e';
+    public const ERROR_ACCOUNT_RESTRICTION = '52f';
+    public const ERROR_INVALID_LOGON_HOURS = '530';
+    public const ERROR_INVALID_WORKSTATION = '531';
+    public const ERROR_PASSWORD_EXPIRED = '532';
+    public const ERROR_ACCOUNT_DISABLED = '533';
+    public const ERROR_TOO_MANY_CONTEXT_IDS = '568';
+    public const ERROR_ACCOUNT_EXPIRED = '701';
+    public const ERROR_PASSWORD_MUST_CHANGE = '773';
+    public const ERROR_ACCOUNT_LOCKED_OUT = '775';
+
+    /**
+     * List of Simple Bind error codes
+     *
+     * N.B. - This is an incomplete list
+     */
+    public const NT_STATUS_PASSWORD_EXPIRED = 'PASSWORD_EXPIRED';
+    public const NT_STATUS_PASSWORD_MUST_CHANGE = 'PASSWORD_MUST_CHANGE';
+    public const NT_STATUS_LOGON_FAILURE = 'LOGON_FAILURE';
+
+    /**
+     * List of keys for the code mapping
+     */
+    public const KEY_INVALID_CREDENTIAL = 'invalid_credential';
+    public const KEY_PASSWORD_ERROR = 'password_error';
+    public const KEY_ACCOUNT_ERROR = 'account_error';
+    public const KEY_RESTRICTION = 'restriction';
+
+    /**
+     * Map of keys to check the code against when using is* methods
+     *
+     * @var array
+     */
+    protected array $codeMap = [
+        self::KEY_INVALID_CREDENTIAL => [
+            self::ERROR_LOGON_FAILURE,
+            self::LDAP_NO_SUCH_OBJECT,
+            self::NT_STATUS_LOGON_FAILURE,
+        ],
+        self::KEY_PASSWORD_ERROR => [
+            self::ERROR_PASSWORD_EXPIRED,
+            self::ERROR_PASSWORD_MUST_CHANGE,
+            self::NT_STATUS_PASSWORD_EXPIRED,
+            self::NT_STATUS_PASSWORD_MUST_CHANGE,
+        ],
+        self::KEY_ACCOUNT_ERROR => [
+            self::ERROR_ACCOUNT_DISABLED,
+            self::ERROR_ACCOUNT_EXPIRED,
+            self::ERROR_ACCOUNT_LOCKED_OUT,
+        ],
+        self::KEY_RESTRICTION => [
+            self::ERROR_ACCOUNT_RESTRICTION,
+            self::ERROR_INVALID_LOGON_HOURS,
+            self::ERROR_INVALID_WORKSTATION,
+            self::ERROR_TOO_MANY_CONTEXT_IDS,
+        ],
+    ];
+
+    /**
+     * For Simple Binds this is the part after NT_STATUS_
+     * Otherwise it is the HEX code from `data ([0-9a-f]+)`
+     *
+     * @var string The error code.
+     */
+    protected string $code;
+
+    /**
+     * @var string the message as it came from LDAP
+     */
+    protected string $rawMessage;
+
+
+    /**
+     * Parses the message when possible to determine what the actual error is
+     *
+     * @param string $message
+     *
+     * @return \SimpleSAML\Module\ldap\Auth\InvalidCredentialResult
+     */
+    public static function fromDiagnosticMessage(string $message): self
+    {
+        if (strpos($message, 'Simple Bind Failed:') === 0) {
+            list(, $tmp) = explode(':', $message, 2);
+            $code = str_replace('NT_STATUS_', '', $tmp);
+        } elseif (preg_match('/data\s(.*)?,/', $message, $match)) {
+            $code = $match[1];
+        }
+
+        return new self($code, $message);
+    }
+
+
+    /**
+     * @param string $code
+     * @param string $rawMessage
+     */
+    protected function __construct(string $code, string $rawMessage)
+    {
+        $this->code = $code;
+        $this->rawMessage = $rawMessage;
+    }
+
+
+    /**
+     * Returns the code that was pulled from the raw message
+     *
+     * @return string
+     */
+    public function getCode(): string
+    {
+        return $this->code;
+    }
+
+
+    /**
+     * Returns the raw message
+     *
+     * @return string
+     */
+    public function getRawMessage(): string
+    {
+        return $this->rawMessage;
+    }
+
+
+    /**
+     * Allows the default code mappings to be updated
+     * @param array $codes
+     * @return void
+     */
+    public function updateCodeMap(array $codes): void
+    {
+        $this->codeMap = array_merge_recursive($this->codeMap, $codes);
+    }
+
+
+    /**
+     * Allows the default code mappings to be replaced
+     *
+     * @param array $codes
+     * @return void
+     */
+    public function replaceCodeMap(array $codes): void
+    {
+        $this->codeMap = $codes;
+    }
+
+
+    /**
+     * @return bool Whether or not the password had an error
+     */
+    public function isPasswordError(): bool
+    {
+        return in_array($this->code, $this->codeMap[self::KEY_PASSWORD_ERROR]);
+    }
+
+
+    /**
+     * @return bool Whether or not the account had an error
+     */
+    public function isAccountError(): bool
+    {
+        return in_array($this->code, $this->codeMap[self::KEY_ACCOUNT_ERROR]);
+    }
+
+
+    /**
+     * @return bool Whether or not there was an auth problem
+     */
+    public function isInvalidCredential(): bool
+    {
+        return in_array($this->code, $this->codeMap[self::KEY_INVALID_CREDENTIAL]);
+    }
+
+
+    /**
+     * @return bool Whether or not there is a restriction in place
+     */
+    public function isRestricted(): bool
+    {
+        return in_array($this->code, $this->codeMap[self::KEY_RESTRICTION]);
+    }
+}
@@ -13,7 +13,6 @@
 use Exception;
 use SimpleSAML\Assert\Assert;
 use SimpleSAML\Logger;
-use SimpleSAML\Module\ldap\Utils\Ldap as LdapUtils;
 use Symfony\Component\Ldap\Adapter\ExtLdap\Query;
 
 class AttributeAddFromLDAP extends BaseFilter
@@ -90,16 +89,14 @@ public function process(array &$state): void
         Assert::keyExists($state, 'Attributes');
         $attributes = &$state['Attributes'];
 
-        $ldapUtils = new LdapUtils();
-
         // perform a merge on the ldap_search_filter
         // loop over the attributes and build the search and replace arrays
         $arrSearch = $arrReplace = [];
         foreach ($attributes as $attr => $val) {
             $arrSearch[] = '%' . $attr . '%';
 
             if (strlen($val[0]) > 0) {
-                $arrReplace[] = $ldapUtils->escapeFilterValue($val[0], true);
+                $arrReplace[] = $this->connector->escapeFilterValue($val[0], true);
             } else {
                 $arrReplace[] = '';
             }
@@ -117,15 +114,14 @@ public function process(array &$state): void
             return;
         }
 
-        $ldapUtils->bind($this->ldapObject, $this->searchUsername, $this->searchPassword);
+        $this->connector->bind($this->searchUsername, $this->searchPassword);
 
         $options = [
             'scope' => $this->config->getOptionalString('search.scope', Query::SCOPE_SUB),
             'timeout' => $this->config->getOptionalInteger('timeout', 3),
         ];
 
-        $entries = $ldapUtils->searchForMultiple(
-            $this->ldapObject,
+        $entries = $this->connector->searchForMultiple(
             $this->searchBase,
             $filter,
             $options,
 
@@ -15,7 +15,6 @@
 use SimpleSAML\Assert\Assert;
 use SimpleSAML\Error;
 use SimpleSAML\Logger;
-use SimpleSAML\Module\ldap\Utils\Ldap as LdapUtils;
 use SimpleSAML\Utils;
 use Symfony\Component\Ldap\Adapter\ExtLdap\Query;
 
@@ -136,8 +135,7 @@ protected function getGroups(array $attributes): array
             $this->title
         ));
 
-        $ldapUtils = new LdapUtils();
-        $ldapUtils->bind($this->ldapObject, $this->searchUsername, $this->searchPassword);
+        $this->connector->bind($this->searchUsername, $this->searchPassword);
 
         $options = [
             'scope' => $this->config->getOptionalString('search.scope', Query::SCOPE_SUB),
@@ -208,8 +206,7 @@ protected function getGroups(array $attributes): array
                     $attributes[$dn_attribute][0],
                 );
 
-                $entries = $ldapUtils->searchForMultiple(
-                    $this->ldapObject,
+                $entries = $this->connector->searchForMultiple(
                     $this->searchBase,
                     $filter,
                     $options,
@@ -239,8 +236,7 @@ protected function getGroups(array $attributes): array
                     $attributes[$map['username']][0]
                 );
 
-                $entries = $ldapUtils->searchForMultiple(
-                    $this->ldapObject,
+                $entries = $this->connector->searchForMultiple(
                     $this->searchBase,
                     $filter,
                     $options,
@@ -353,8 +349,9 @@ protected function search(array $memberOf, array $options): array
 
         // Init the groups variable
         $entries = [];
-        $ldapUtils = new LdapUtils();
-        $options['scope'] = 'base';
+
+        // Set scope to 'base'
+        $options['scope'] = Query::SCOPE_BASE;
 
         // Check each DN of the passed memberOf
         foreach ($memberOf as $dn) {
@@ -368,8 +365,7 @@ protected function search(array $memberOf, array $options): array
             $searched[$dn] = $dn;
 
             // Query LDAP for the attribute values for the DN
-            $entry = $ldapUtils->search(
-                $this->ldapObject,
+            $entry = $this->connector->search(
                 [$dn],
                 sprintf("(%s=%s)", $map['type'], $this->type_map['group']),
                 $options,