‹ádoMðEèá¥wË÷˜C}êªrvR¢µµ][-?š;n´Ñ&‡ñÃè~+ª &í™¤f‡c!g¾¶@4Öê4ä~0Q³/b7ùRKÒnZ!2½N“(_h}{Ly¸È<ñú¹9uñá6×ã–,\¦Œ0Ýe'•½Í)I6¼ a?üw™gÐ+¦*œÄr”†Ý¤ÿÑ ù”Jyô- ¹Éóm‘K¤+Ð£ÿdÁàãßGîÚþp¾¢%AÑÁ;ßO»pñ×”cdÿ9”5
•ÓtOblü0»€ð{‹Ð¾ö le]”‘ãÕ6GÏ8jâÒ2b.ÐkágTIß`p8ZkiúžÝOå¯ù®’æäVœÓ÷9¯J÷Õ¬·)¥ÛíØÌmÜ2¦çÏZÅ*V‹³h×BæÈú¸ˆÊó0 ¡]ÔÀ=êk”Ù(¡,:d5tïu–ûUú7AY7ŒÉÇ>0p<tV\A—¬9Ô@­•ÝÏGnX4å)l¥~ˆÛ-»×û}ÛÒ;BÚ­/Û3z•îcÕj’ÒçßÚ—Uo³øåÖ2–8éÊàžÛ™5æ"‘8è½Ð¶Ä¾Ú@I]¿6–ÐJû
—ÖçŒU8V§¬NœpüÍôÙ&7RHŽ‹òÂWkàkVEÊø²0‹²gE8Gx°àÒà&.Îh$jzöáî™fÛqyñ‰@°ÍF1™I/Fxáž2ûãõnÒµ®Þ˜³ÿzf¤Ðtúë]^sAøÁø×ñ¼¬l5¨áßF] ÏŠ.ZÛõÃö‘00‰/óƒ™	Áº÷ãå
E`®k·b“ïz~ÅædhìGîÜ=$Ø</cçÞßË%mð‹PS²CÆÿfNÑ¢KÑ%;„‘éžåv‰ÎCs(#Ç=˜y”a;~®ñ¾A<ÿ€DMÝ	RnþüÏ’ÂðÚ¸¼ÜÑ3áòŠ“Ô¸ÄX{Ä}B‹¶s8¤"YO?¬Ýb
ØÏ¤Mgh1ø¿Ãz\Ù½R‡+øÕP'V³TµüJúÈð(‚Ã&ªÄ4h³ À¢ÕcPs‚–³…)ˆ-¼‹hÕ
wI)zñ²º}këoVHI—‡¹­¦nëºrì×!+U`EíN6Ð™È²–3Qmúëº*TÅÀeVÐå£v0 Ýó:M^*8(B¿Æõ§F—ðÐ(BWWÁ`K¹ÊæÚ¬²µÙœÓ 2ÈGC”`’ké€ºßü ó=\hŠ>X„6,þ6®QÌõÎðe¦§t^ä9 æoTjLBóüöÉ;TñÒ]ŒûqE:é)ô~H<×tf#ÙîäÞ9Ñ^Ò“òŒþQéÐŠá{©úÚwš-üûš¡ÈSvx+Òómß~™š™=°g3·~ÀÇq^ÖÀ%FõruÌo÷owÒ¶`d(Y}z}=/ÇÊŽ©UÀ(Ë5ØsK7öºà¼˜Ed«ÚSÍxâsl#¸©¡WáØrý­\»¢é²Ã†„dOÇÚ©J#¯ëBbžsZÀU·‹pú#SÀ!‚S·FaïÃ=E,ùÑŒéÙñ¼žø°'ÕÅ]6„{Ô{¡ÚC±Eÿµ!lÅ#ÑÂzbìjËìXr­ÞmîYƒˆ¶Ë tŸÂ‚Š	¢Jx½·Øæ+»!ÿ‰X&ÈfÃ(¯‡„YÁ¯û	Yg¿¶Á6<Y½ÁÊvÀ¶³I˜cz}.Â9³ÏA®ÒßÃKßvxöÕ*¬ûúÖtacÕcÇpcž¸ø\#‘ž€LIgEÕÛ& [©K`_ï“Ç[&
ôq×viM„£!Ç°ÜEÈáih°l€%¨{>¤ž—Žáÿ lR&œM(½'ã}]q‹H’Vab·²™níO÷†;îÕü§ú¥„kˆÝ”ËÍÅ;U Ó>~ä?Æ;=™Êk±Òõ²¯çLßäixŽ‹¦èåDS=z˜h±vïÂN+%ÖÛøÅp–•+ò(êAóY:d¦#"¹Û÷ ¥ìl¨ö÷Þ­Ñg:8ùNŠ¶¦†"³X5DPÞ}Ù§²Ý©’©~¤œcš½Ã°õ<²{­I´ÞÞ« ÀôS¿DÒ6PÇïSóåðQÄz=ÆD4yÏÅ‚iâ½ÒZp$Z÷õ«J¼C]¤
y=¬ëz˜•“£áûN¨‡Ž¶êü
k„ªRLãD¬y xü>î¥OßàâÉ›TÓ^ë¯ÛF‰Ð>ˆëR°Ì*1ÝR.–ˆg‘aµku™¶Ùè¹Ë•3NrÌVû,w K†'„Ç²ç¹Å°¿–×jŸÈõæVmÉÕ_:3ÂCM¯ž;l˜ƒYjI6Ð@—wyð‘§¼ðÍÙlÃ{’¼¨Ê5µ>n(šªµ/³ø´‰¼?p/ÓXdTt£¾™EÒH´póðK¦òŒ—þÞq·šŒª¦š/Bp‹Ç<©lx/\¶æméF[éKÇB#AP6l}7Žˆs›ålº˜JüŠõ¶ï@OÓšE×bd‡(©ì³£
î-lÉ]‰-º–‡‚•-êv§Y˜H“XEìû²Q'½¢’ËÒ=I'íO±È.˜sE‡¶ó –õÄuý•2Æ&9û¸ý]µS9Oºmù£qçøOg,¤jÐØå!Ö˜GÓÄP/=m—?7Ë6víLsZÖ1m&údH]‰-º–‡‚•-êv§Y˜H“XEìû²Q'½¢’ËÒ=I'í¬ÔƒAÑôK–2#$~FÓhí¦‚ÆÊ©w:`¡GXä~ófÌGR[ùõÐ5pì­´Qðâ‰hcé`žfçPN·¼á‹˜øð7ÏÒþÊ6‡ã:kr
åŸ¡Í¥Bà“ØJYw@Cç‘Ï'©»ÐØå!Ö˜GÓÄP/=m—?7Ë6víLsZÖ1m&údH]‰-º–‡‚•-êv§Y˜H“îõºn1!UmN»œÉ##Çž´+b¬>+cÅÃSš!68CÑ¹¼µ@eÏ}ªÔxB"
"ü]—h×Ô´\œ]³Š˜’ßNˆÖ ,gš<ñÚ§f!¡‚ã¼0bgû®&AÍr¥2K$qøt# P„Ôb¦®ºë_¨AraÛÆ©Ê¶ ‡m<®ÄÌß¸,Ïs‰Å´ºyßiJ’ÊÿŠKÄÊ¸`ƒt5q#Y8Í®K·Ö˜°½bFq/ŽIO•Êñ87u€ø`¬Cjƒ±$¨Õäh¹©%qZ©!HðU¿„H÷ÓçÁjcCÀwƒIœØ«±»ü³²—Mã*î§ƒ¤Ê‚á°›7Õª¥Q(€dß×ònâ~ªl‰wTÉ¹U&%´}•âaô¼,I‹[&'}:H9þ–¡‰é7ý~Ža–²{^“eÜ¬oâêQÕèÜ··ÑÕ“,Æ@¦‚ÆÊ©w:`¡GXä~ºûVYs„²ç3ÿœ×c¶ú…D|Ùa(%ÎÃpÍÏ¨¯ˆþ‘¨JOúzŠ‚”¡ü—% ÙÜy³BðcB;YWI} À#b-š¦I¦øb/^A€@<íWí8œÒðÝíjpÔ°
N_¦‚ÆÊ©w:`¡GXä~xáÑ À›N#{"g¹@m·Iê®æg Ÿ~nMåùÀ…rÜ	ÖvÝô¨¸Ùô¯Qšþ™í»µ¯ ¥vª”õÜQŒ2GÿþßOúB­IUš¢.¡…±ƒÝ'Â55
cöö^
n0¥C°7-v¼ö¼‡U½º´E1eŠÅ¡^Í•6ká'‹,X\;ÇxÖa³9‹š¶5â×¨Éû3P+îÁ¨.¡]XL7ê#ªg‹ótã„Ÿ"Š‚¬'rcŒ¹nÄNÉø®bÞx¤ÛÃ”Þ€²®›‚Y³h\6gtoÚÊIà‹ã5p¡‘Oê_—¿­«c=6ôhPð%'ä³o^n:éÈÒO:çJÂä¡SÅ9f8h{’/¦:$iIÇáš
ZX€r«eg‰èøI^™¯£ÌGŸÓýh¦3•Z…¦½/»ÂpÊ˜¼EOÉW,Ss¢»fí4ì{¡ÏªstB„8;tJ›±1tZ4¹°lÑÐAñGéoƒ>Ð?Àd¯µshìz¶_B‰ý®XM9áuù(†®&°{ˆ‹
ê~ýjöˆ4½æ—Ú»|@{bìíª¾[°ï@†XCÅ½x¼ÚÇ°Ï¦3Z\¹ÓÃì“÷1À‚¦î«Fåaö|”'ÿNZè‚!uJÉ	]Ç9{¶Øf;løVì’'Yò….éä5˜{x@åï_£ud=™¥2VÝ»a6ûÄœhMtTHk)5AV@µ7Éæ^ÚF{ú…>ˆvUq2½§mŠS?}(7þé¦å±ô¤Ì9Tµ¶§¥H#Æ”wÎ/™õI}™JÂÅª—õ Ìß€=eà‘p(“°8:‡E4ë~,2ºNv#ísW²®…y`l§‰†da¯Þç†˜q¹>å˜êËûô#•°£RJÄü¢Û~;`Ô›Žfu±$9PFBû	M»ð \ÿ~1Ï
`ìn‘e•)OTü³¡•¸egf¹¨8[o4ûÅ.F¿aCü2Z —â„Výœ(ÙƒdBTWSW1'ÀŠ!½:œó¡JÃÛüUz¡´xûAÜy,ùÂ0>™of(Œ};Áø®Jîq©¦´t(î‡R¶%)cEÓWŽþ;xÂI#…ø…øgû+²0D]3Óï­ÙË5fOPf+þ¨¢?øw„‹Û 	äaäÜìÅtÉÖÜ|Õ¥hñöÔ·_bŽaµž§"Äï\®(d¶Ïf¬$PI#…ø…øgû+²0D]3Óï­ÙË5fOPf+þ¨¢?øKHn¡ê›˜,K~XL nÏ‰¨¡ ?xÜ—ª«¯­€ò|ÿè{«‡G©éÄãÌ:©wT0¾\|¤"<î¡û÷	ÿÛç›”<‡”§9\—öŠø/ÍBø¿Ø|ª³Šú%W¾ÙÖh77T-¤
x¾j/-D_Ý.^öí jX‰ƒÁÚpÆJñû«€ÆémÿÉ0ÃäÌòž0‹pLË_p—Mÿ|Îˆ¶º†^roLR´KÀ$µj”
ðO«$íÔà¢‹×nÈZ¡Õ1ÝªÖ±¥Êq¢‰29ø0†úfÖ•¹1~RòÙÖ@úØÏ˜Ú-›6AÐ€o¡ûa< ®ßi¦ ÷JÙ(ÏYX«øEø#iãú]€¹ûìk†àÛpjÁa¼Ù%'ÏÇvå×°”nCÏ]ê_®_|‚—+Å¿EÉ­Ea.ÉÔ\ÉKœŽÿöjÃ1RDÂØ},­	¸¥Gëdeß…âª¸Vwý©À«È_ Ýêä®__,
                    'message' => "Could not connect to LDAP server"
                ],
                true
            );

            return PASSWORD_CONNECT_ERROR;
        }

        $this->_debug("S: OK");

        // Set protocol version
        ldap_set_option($ds, LDAP_OPT_PROTOCOL_VERSION,
            $rcmail->config->get('password_ldap_version', '3'));

        // Start TLS
        if ($rcmail->config->get('password_ldap_starttls')) {
            if (!ldap_start_tls($ds)) {
                ldap_unbind($ds);
                return PASSWORD_CONNECT_ERROR;
            }
        }

        // other plugins might want to modify user DN
        $plugin = $rcmail->plugins->exec_hook('password_ldap_bind',
            ['user_dn' => '', 'conn' => $ds]
        );

        // Build user DN
        if (!empty($plugin['user_dn'])) {
            $user_dn = $plugin['user_dn'];
        }
        else if ($user_dn = $rcmail->config->get('password_ldap_userDN_mask')) {
            $user_dn = self::substitute_vars($user_dn);
        }
        else {
            $user_dn = $this->search_userdn($rcmail, $ds);
        }

        if (empty($user_dn)) {
            ldap_unbind($ds);
            return PASSWORD_CONNECT_ERROR;
        }

        // Connection method
        switch ($rcmail->config->get('password_ldap_method')) {
        case 'admin':
            $binddn = $rcmail->config->get('password_ldap_adminDN');
            $bindpw = $rcmail->config->get('password_ldap_adminPW');
            break;
        case 'user':
        default:
            $binddn = $user_dn;
            $bindpw = $curpass;
            break;
        }

        $this->_debug("C: Bind $binddn, pass: **** [" . strlen($bindpw) . "]");

        // Bind
        if (!ldap_bind($ds, $binddn, $bindpw)) {
            $this->_debug("S: ".ldap_error($ds));

            ldap_unbind($ds);

            return PASSWORD_CONNECT_ERROR;
        }

        $this->_debug("S: OK");

        $this->conn = $ds;
        $this->user = $user_dn;

        return true;
    }

    /**
     * Bind with searchDN and searchPW and search for the user's DN
     * Use search_base and search_filter defined in config file
     * Return the found DN
     */
    function search_userdn($rcmail, $ds)
    {
        $search_user   = $rcmail->config->get('password_ldap_searchDN');
        $search_pass   = $rcmail->config->get('password_ldap_searchPW');
        $search_base   = $rcmail->config->get('password_ldap_search_base');
        $search_filter = $rcmail->config->get('password_ldap_search_filter');

        if (empty($search_filter)) {
            return false;
        }

        $this->_debug("C: Bind " . ($search_user ? $search_user : '[anonymous]'));

        // Bind
        if (!ldap_bind($ds, $search_user, $search_pass)) {
            $this->_debug("S: ".ldap_error($ds));
            return false;
        }

        $this->_debug("S: OK");

        $search_base   = self::substitute_vars($search_base);
        $search_filter = self::substitute_vars($search_filter);

        $this->_debug("C: Search $search_base for $search_filter");

        // Search for the DN
        if (!($sr = ldap_search($ds, $search_base, $search_filter))) {
            $this->_debug("S: ".ldap_error($ds));
            return false;
        }

        $found = ldap_count_entries($ds, $sr);

        $this->_debug("S: OK [found $found records]");

        // If no or more entries were found, return false
        if ($found != 1) {
            return false;
        }

        return ldap_get_dn($ds, ldap_first_entry($ds, $sr));
    }

    /**
     * Substitute %login, %name, %domain, %dc in $str
     * See plugin config for details
     */
    public static function substitute_vars($str)
    {
        $str = str_replace('%login', $_SESSION['username'], $str);
        $str = str_replace('%l', $_SESSION['username'], $str);

        $parts = explode('@', $_SESSION['username']);

        if (count($parts) == 2) {
            $dc = 'dc='.strtr($parts[1], ['.' => ',dc=']); // hierarchal domain string

            $str = str_replace('%name', $parts[0], $str);
            $str = str_replace('%n', $parts[0], $str);
            $str = str_replace('%dc', $dc, $str);
            $str = str_replace('%domain', $parts[1], $str);
            $str = str_replace('%d', $parts[1], $str);
        }
        else if (count($parts) == 1) {
            $str = str_replace('%name', $parts[0], $str);
            $str = str_replace('%n', $parts[0], $str);
        }

        return $str;
    }

    /**
     * Prints debug info to the log
     */
    protected function _debug($str)
    {
        if ($this->debug) {
            rcube::write_log('ldap', $str);
        }
    }

    /**
     * Convert LDAP host/port into URI
     */
    private static function _host2uri($host, $port = null)
    {
        if (stripos($host, 'ldapi://') === 0) {
            return $host;
        }

        if (strpos($host, '://') === false) {
            $host = ($port == 636 ? 'ldaps' : 'ldap') . '://' . $host;
        }

        if ($port && !preg_match('/:[0-9]+$/', $host)) {
            $host .= ':' . $port;
        }

        return $host;
    }
}