DAViCal
Loading...
Searching...
No Matches
drivers_ldap.php
1<?php
14require_once("auth-functions.php");
15
20{
29
38 function __construct($config)
39 {
40 global $c;
41 $host=$config['host'];
42 $port=$config['port'];
43 if(!function_exists('ldap_connect')){
44 $c->messages[] = i18n("drivers_ldap : function ldap_connect not defined, check your php_ldap module");
45 $this->valid=false;
46 return ;
47 }
48
49 //Set LDAP protocol version
50 if (isset($config['protocolVersion']))
51 ldap_set_option($this->connect, LDAP_OPT_PROTOCOL_VERSION, $config['protocolVersion']);
52 if (isset($config['optReferrals']))
53 ldap_set_option($this->connect, LDAP_OPT_REFERRALS, $config['optReferrals']);
54 if (isset($config['networkTimeout']))
55 ldap_set_option($this->connect, LDAP_OPT_NETWORK_TIMEOUT, $config['networkTimeout']);
56
57 if ($port)
58 $this->connect=ldap_connect($host, $port);
59 else
60 $this->connect=ldap_connect($host);
61
62 if (! $this->connect){
63 $c->messages[] = sprintf(translate( 'drivers_ldap : Unable to connect to LDAP with port %s on host %s'), $port, $host );
64 $this->valid=false;
65 return ;
66 }
67
68 dbg_error_log( "LDAP", "drivers_ldap : Connected to LDAP server %s",$host );
69
70 // Start TLS if desired (requires protocol version 3)
71 if (isset($config['startTLS'])) {
72 if (!ldap_set_option($this->connect, LDAP_OPT_PROTOCOL_VERSION, 3)) {
73 $c->messages[] = i18n('drivers_ldap : Failed to set LDAP to use protocol version 3, TLS not supported');
74 $this->valid=false;
75 return;
76 }
77 if (!ldap_start_tls($this->connect)) {
78 $c->messages[] = i18n('drivers_ldap : Could not start TLS: ldap_start_tls() failed');
79 $this->valid=false;
80 return;
81 }
82 }
83
84 //Set the search scope to be used, default to subtree. This sets the functions to be called later.
85 if (!isset($config['scope'])) $config['scope'] = 'subtree';
86 switch (strtolower($config['scope'])) {
87 case "base":
88 $this->ldap_query_one = 'ldap_read';
89 $this->ldap_query_all = 'ldap_read';
90 break;
91 case "onelevel":
92 $this->ldap_query_one = 'ldap_list';
93 $this->ldap_query_all = 'ldap_search';
94 break;
95 default:
96 $this->ldap_query_one = 'ldap_search';
97 $this->ldap_query_all = 'ldap_search';
98 break;
99 }
100
101 //connect as root
102 if (!ldap_bind($this->connect, (isset($config['bindDN']) ? $config['bindDN'] : null), (isset($config['passDN']) ? $config['passDN'] : null) ) ){
103 $bindDN = isset($config['bindDN']) ? $config['bindDN'] : 'anonymous';
104 $passDN = isset($config['passDN']) ? $config['passDN'] : 'anonymous';
105 dbg_error_log( "LDAP", i18n('drivers_ldap : Failed to bind to host %1$s on port %2$s with bindDN of %3$s'), $host, $port, $bindDN );
106 $c->messages[] = i18n( 'drivers_ldap : Unable to bind to LDAP - check your configuration for bindDN and passDN, and that your LDAP server is reachable');
107 $this->valid=false;
108 return ;
109 }
110 $this->valid = true;
111 //root to start search
112 $this->baseDNUsers = is_string($config['baseDNUsers']) ? array($config['baseDNUsers']) : $config['baseDNUsers'];
113 $this->filterUsers = (isset($config['filterUsers']) ? $config['filterUsers'] : null);
114 $this->baseDNGroups = (isset($config['baseDNGroups']) ? (is_string($config['baseDNGroups']) ? array($config['baseDNGroups']) : $config['baseDNGroups']) : null);
115 $this->filterGroups = (isset($config['filterGroups']) ? $config['filterGroups'] : null);
116 }
117
121 function getAllUsers($attributes){
122 global $c;
123
124 $query = $this->ldap_query_all;
125 $ret = array();
126
127 foreach($this->baseDNUsers as $baseDNUsers) {
128 $entry = $query($this->connect,$baseDNUsers,$this->filterUsers,$attributes);
129
130 if (!ldap_first_entry($this->connect,$entry)) {
131 $c->messages[] = sprintf(translate('Error NoUserFound with filter >%s<, attributes >%s< , dn >%s<'),
132 $this->filterUsers,
133 join(', ', $attributes),
134 $baseDNUsers);
135 }
136 $row = array();
137 for($i = ldap_first_entry($this->connect,$entry);
138 $i && $arr = ldap_get_attributes($this->connect,$i);
139 $i = ldap_next_entry($this->connect,$i) ) {
140 $row = array();
141 for ($j=0; $j < $arr['count']; $j++) {
142 $row[$arr[$j]] = $arr[$arr[$j]][0];
143 }
144 $ret[]=$row;
145 }
146 }
147 return $ret;
148 }
149
153 function getAllGroups($attributes){
154 global $c;
155
156 $query = $this->ldap_query_all;
157 $ret = array();
158
159 foreach($this->baseDNGroups as $baseDNGroups) {
160 $entry = $query($this->connect,$baseDNGroups,$this->filterGroups,$attributes);
161
162 if (!ldap_first_entry($this->connect,$entry)) {
163 $c->messages[] = sprintf(translate('Error NoGroupFound with filter >%s<, attributes >%s< , dn >%s<'),
164 $this->filterGroups,
165 join(', ', $attributes),
166 $baseDNGroups);
167 }
168 $row = array();
169 for($i = ldap_first_entry($this->connect,$entry);
170 $i && $arr = ldap_get_attributes($this->connect,$i);
171 $i = ldap_next_entry($this->connect,$i) ) {
172 for ($j=0; $j < $arr['count']; $j++) {
173 $row[$arr[$j]] = count($arr[$arr[$j]])>2?$arr[$arr[$j]]:$arr[$arr[$j]][0];
174 }
175 $ret[]=$row;
176 unset($row);
177 }
178 }
179 return $ret;
180 }
181
192 function requestUser( $filter, $attributes, $username, $passwd) {
193 global $c;
194
195 $entry=NULL;
196 // We get the DN of the USER
197 $query = $this->ldap_query_one;
198 # ldap_set_option(NULL, LDAP_OPT_DEBUG_LEVEL, 7);
199
200 foreach($this->baseDNUsers as $baseDNUsers) {
201 $entry = $query($this->connect, $baseDNUsers, $filter, $attributes);
202
203 if (ldap_first_entry($this->connect,$entry) )
204 break;
205
206 dbg_error_log( "LDAP", "drivers_ldap : Failed to find user with baseDN: %s", $baseDNUsers );
207 }
208
209 if ( !ldap_first_entry($this->connect, $entry) ){
210 dbg_error_log( "ERROR", "drivers_ldap : Unable to find the user with filter %s",$filter );
211 return false;
212 } else {
213 dbg_error_log( "LDAP", "drivers_ldap : Found a user using filter %s",$filter );
214 }
215
216 $dnUser = ldap_get_dn($this->connect, ldap_first_entry($this->connect,$entry));
217
218 if ( isset($c->authenticate_hook['config']['i_use_mode_kerberos']) && $c->authenticate_hook['config']['i_use_mode_kerberos'] == "i_know_what_i_am_doing") {
219 if (isset($_SERVER["REMOTE_USER"])) {
220 dbg_error_log( "LOG", "drivers_ldap : Skipping password Check for user %s which should be the same as %s",$username , $_SERVER["REMOTE_USER"]);
221 if ($username != $_SERVER["REMOTE_USER"]) {
222 return false;
223 }
224 } else {
225 dbg_error_log( "LOG", "drivers_ldap : Skipping password Check for user %s which should be the same as %s",$username , $_SERVER["REDIRECT_REMOTE_USER"]);
226 if ($username != $_SERVER["REDIRECT_REMOTE_USER"]) {
227 return false;
228 }
229 }
230 }
231 else if ( empty($passwd) || preg_match('/[\x00-\x19]/',$passwd) ) {
232 // See http://www.php.net/manual/en/function.ldap-bind.php#73718 for more background
233 dbg_error_log( 'LDAP', 'drivers_ldap : user %s supplied empty or invalid password: login rejected', $dnUser );
234 return false;
235 }
236 else {
237 if ( !@ldap_bind($this->connect, $dnUser, $passwd) ) {
238 dbg_error_log( "LDAP", "drivers_ldap : Failed to bind to user %s ", $dnUser );
239 return false;
240 }
241 }
242
243 dbg_error_log( "LDAP", "drivers_ldap : Bound to user %s using password %s", $dnUser,
244 (isset($c->dbg['password']) && $c->dbg['password'] ? $passwd : 'another delicious password for the debugging monster!') );
245
246 $i = ldap_first_entry($this->connect,$entry);
247 $arr = ldap_get_attributes($this->connect,$i);
248 for( $i=0; $i<$arr['count']; $i++ ) {
249 $ret[$arr[$i]]=$arr[$arr[$i]][0];
250 }
251 return $ret;
252
253 }
254}
255
256
260function getStaticLdap() {
261 global $c;
262 // Declare a static variable to hold the object instance
263 static $instance;
264
265 // If the instance is not there, create one
266 if(!isset($instance)) {
267 $ldapDriver = new ldapDriver($c->authenticate_hook['config']);
268
269 if ($ldapDriver->valid) {
270 $instance = $ldapDriver;
271 }
272 }
273 else {
274 $ldapDriver = $instance;
275 }
276 return $ldapDriver;
277}
278
279
284function sync_user_from_LDAP( Principal &$principal, $mapping, $ldap_values ) {
285 global $c;
286
287 dbg_error_log( "LDAP", "Going to sync the user from LDAP" );
288
289 $fields_to_set = array();
290 $updateable_fields = Principal::updateableFields();
291 foreach( $updateable_fields AS $field ) {
292 if ( isset($mapping[$field]) ) {
293 $tab_part_fields = explode(',',$mapping[$field]);
294 foreach( $tab_part_fields as $part_field ) {
295 if ( isset($ldap_values[$part_field]) ) {
296 if (isset($fields_to_set[$field]) ) {
297 $fields_to_set[$field] .= ' '.$ldap_values[$part_field];
298 }
299 else {
300 $fields_to_set[$field] = $ldap_values[$part_field];
301 }
302 }
303 }
304 dbg_error_log( "LDAP", "Setting usr->%s to %s from LDAP field %s", $field, $fields_to_set[$field], $mapping[$field] );
305 }
306 else if ( isset($c->authenticate_hook['config']['default_value']) && is_array($c->authenticate_hook['config']['default_value'])
307 && isset($c->authenticate_hook['config']['default_value'][$field] ) ) {
308 $fields_to_set[$field] = $c->authenticate_hook['config']['default_value'][$field];
309 dbg_error_log( "LDAP", "Setting usr->%s to %s from configured defaults", $field, $c->authenticate_hook['config']['default_value'][$field] );
310 }
311 }
312
313 if ( $principal->Exists() ) {
314 $principal->Update($fields_to_set);
315 }
316 else {
317 $principal->Create($fields_to_set);
318 CreateHomeCollections($principal->username());
319 CreateDefaultRelationships($principal->username());
320 }
321}
322
326function array_values_mapping($mapping){
327 $attributes=array();
328 foreach ( $mapping as $field ) {
329 $tab_part_field = explode(",",$field);
330 foreach( $tab_part_field as $part_field ) {
331 $attributes[] = $part_field;
332 }
333 }
334 return $attributes;
335}
336
340function LDAP_check($username, $password ){
341 global $c;
342
343 $ldapDriver = getStaticLdap();
344 if ( !$ldapDriver->valid ) {
345 sleep(1); // Sleep very briefly to try and survive intermittent issues
346 $ldapDriver = getStaticLdap();
347 if ( !$ldapDriver->valid ) {
348 dbg_error_log( "ERROR", "Couldn't contact LDAP server for authentication" );
349 foreach($c->messages as $msg) {
350 dbg_error_log( "ERROR", "-> ".$msg );
351 }
352 header( sprintf("HTTP/1.1 %d %s", 503, translate("Authentication server unavailable.")) );
353 exit(0);
354 }
355 }
356
357 $mapping = $c->authenticate_hook['config']['mapping_field'];
358 if ( isset($mapping['active']) && !isset($mapping['user_active']) ) {
359 // Backward compatibility: now 'user_active'
360 $mapping['user_active'] = $mapping['active'];
361 unset($mapping['active']);
362 }
363 if ( isset($mapping['updated']) && !isset($mapping['modified']) ) {
364 // Backward compatibility: now 'modified'
365 $mapping['modified'] = $mapping['updated'];
366 unset($mapping['updated']);
367 }
368 $attributes = array_values_mapping($mapping);
369
374 $filter_munge = "";
375 if ( preg_match( '/^\‍(/', $ldapDriver->filterUsers ) ) {
376 $filter_munge = $ldapDriver->filterUsers;
377 }
378 else if ( isset($ldapDriver->filterUsers) && $ldapDriver->filterUsers != '' ) {
379 $filter_munge = "($ldapDriver->filterUsers)";
380 }
381
382 $filter = "(&$filter_munge(".$mapping['username']."=$username))";
383 $valid = $ldapDriver->requestUser( $filter, $attributes, $username, $password );
384
385 // is a valid user or not
386 if ( !$valid ) {
387 dbg_error_log( "LDAP", "user %s is not a valid user",$username );
388 return false;
389 }
390
391 if ( $mapping['modified'] != "" && array_key_exists($mapping['modified'], $valid)) {
392 $ldap_timestamp = $valid[$mapping['modified']];
393 } else {
394 $ldap_timestamp = '19700101000000';
395 }
396
400 foreach($c->authenticate_hook['config']['format_updated'] as $k => $v)
401 $$k = substr($ldap_timestamp,$v[0],$v[1]);
402
403 $ldap_timestamp = "$Y"."$m"."$d"."$H"."$M"."$S";
404 if ($mapping['modified'] != "" && array_key_exists($mapping['modified'], $valid)) {
405 $valid[$mapping['modified']] = "$Y-$m-$d $H:$M:$S";
406 }
407
408 $principal = new Principal('username',$username);
409 if ( $principal->Exists() ) {
410 // should we update it ?
411 $db_timestamp = $principal->modified;
412 $db_timestamp = substr(strtr($db_timestamp, array(':' => '',' '=>'','-'=>'')),0,14);
413 if( $ldap_timestamp <= $db_timestamp ) {
414 return $principal; // no need to update
415 }
416 // we will need to update the user record
417 }
418 else {
419 dbg_error_log( "LDAP", "user %s doesn't exist in local DB, we need to create it",$username );
420 }
421 $principal->setUsername($username);
422
423 // The local cached user doesn't exist, or is older, so we create/update their details
424 sync_user_from_LDAP( $principal, $mapping, $valid );
425
426 return $principal;
427
428}
429
433function fix_unique_member($list) {
434 $fixed_list = array();
435 foreach ( $list as $member ){
436 array_unshift( $fixed_list, ldap_explode_dn($member,1)[0]);
437 }
438 return $fixed_list;
439}
440
444function sync_LDAP_groups(){
445 global $c;
446 $ldapDriver = getStaticLdap();
447 if ( ! $ldapDriver->valid ) return;
448
449 $mapping = $c->authenticate_hook['config']['group_mapping_field'];
450 //$attributes = array('cn','modifyTimestamp','memberUid');
451 $attributes = array_values_mapping($mapping);
452 $ldap_groups_tmp = $ldapDriver->getAllGroups($attributes);
453
454 if ( sizeof($ldap_groups_tmp) == 0 ) return;
455
456 $member_field = $mapping['members'];
457 $dnfix = isset($c->authenticate_hook['config']['group_member_dnfix']) && $c->authenticate_hook['config']['group_member_dnfix'];
458
459 foreach($ldap_groups_tmp as $key => $ldap_group){
460 $group_mapping = $ldap_group[$mapping['username']];
461 $ldap_groups_info[$group_mapping] = $ldap_group;
462 if ( is_array($ldap_groups_info[$group_mapping][$member_field]) ) {
463 unset( $ldap_groups_info[$group_mapping][$member_field]['count'] );
464 }
465 else {
466 $ldap_groups_info[$group_mapping][$member_field] = array($ldap_groups_info[$group_mapping][$member_field]);
467 }
468 unset($ldap_groups_tmp[$key]);
469 }
470 $db_groups = array();
471 $db_group_members = array();
472 $qry = new AwlQuery( "SELECT g.username AS group_name, member.username AS member_name FROM dav_principal g LEFT JOIN group_member ON (g.principal_id=group_member.group_id) LEFT JOIN dav_principal member ON (member.principal_id=group_member.member_id) WHERE g.type_id = 3");
473 $qry->Exec('sync_LDAP',__LINE__,__FILE__);
474 while($db_group = $qry->Fetch()) {
475 $db_groups[$db_group->group_name] = $db_group->group_name;
476 $db_group_members[$db_group->group_name][] = $db_group->member_name;
477 }
478
479 $ldap_groups = array_keys($ldap_groups_info);
480
481 // users only in ldap
482 $groups_to_create = array_diff($ldap_groups,$db_groups);
483
484 // users only in db
485 $groups_to_deactivate = array_diff($db_groups,$ldap_groups);
486
487 // users present in ldap and in the db
488 $groups_to_update = array_intersect($db_groups,$ldap_groups);
489
490 // groups where nothing was done
491 $groups_nothing_done[] = null;
492
493 if ( sizeof ( $groups_to_create ) ){
494 $validUserFields = awl_get_fields('usr');
495 foreach ( $groups_to_create as $k => $group ){
496 if ( isset($c->do_not_sync_group_from_ldap) && isset($c->do_not_sync_group_from_ldap[$group]) ){
497 unset($groups_to_create[$k]);
498 $groups_nothing_done[] = $group;
499 continue;
500 }
501
502 $user = (object) array();
503
504 if ( isset($c->authenticate_hook['config']['default_value']) && is_array($c->authenticate_hook['config']['default_value']) ) {
505 foreach ( $c->authenticate_hook['config']['default_value'] as $field => $value ) {
506 if ( isset($validUserFields[$field]) ) {
507 $user->{$field} = $value;
508 dbg_error_log( "LDAP", "Setting usr->%s to %s from configured defaults", $field, $value );
509 }
510 }
511 }
512 $user->user_no = 0;
513 $ldap_values = $ldap_groups_info[$group];
514 foreach ( $mapping as $field => $value ) {
515 dbg_error_log( "LDAP", "Considering copying %s", $field );
516 if ( isset($validUserFields[$field]) ) {
517 $user->{$field} = $ldap_values[$value];
518 dbg_error_log( "LDAP", "Setting usr->%s to %s from LDAP field %s", $field, $ldap_values[$value], $value );
519 }
520 }
521 if ($user->fullname=="") {
522 $user->fullname = $group;
523 }
524 if ($user->displayname=="") {
525 $user->displayname = $group;
526 }
527 $user->username = $group;
528 $user->updated = "now";
530 $principal = new Principal('username',$group);
531 if ( $principal->Exists() ) {
532 $principal->Update($user);
533 }
534 else {
535 $principal->Create($user);
536 }
537
538 $qry = new AwlQuery( "UPDATE dav_principal set type_id = 3 WHERE username=:group ",array(':group'=>$group) );
539 $qry->Exec('sync_LDAP',__LINE__,__FILE__);
540 Principal::cacheDelete('username', $group);
541 // mark group for updating, so users get synced
542 $groups_to_update[] = $group;
543 }
544 $c->messages[] = sprintf( i18n('- creating groups : %s'), join(', ',$groups_to_create) );
545 }
546
547 if ( sizeof ( $groups_to_update ) ){
548 $c->messages[] = sprintf(i18n('- updating groups : %s'),join(', ',$groups_to_update));
549 foreach ( $groups_to_update as $group ){
550 $db_members = array_values ( $db_group_members[$group] );
551 $ldap_members = array_values ( $ldap_groups_info[$group][$member_field] );
552 if ( $member_field == 'uniqueMember' || $dnfix ) {
553 $ldap_members = fix_unique_member( $ldap_members );
554 }
555 $add_users = array_diff ( $ldap_members, $db_members );
556 if ( sizeof ( $add_users ) ){
557 $c->messages[] = sprintf(i18n('- adding %s to group : %s'),join(', ', $add_users ), $group);
558 foreach ( $add_users as $member ){
559 $qry = new AwlQuery( "INSERT INTO group_member SELECT g.principal_id AS group_id,u.principal_id AS member_id FROM dav_principal g, dav_principal u WHERE g.username=:group AND u.username=:member",array (':group'=>$group,':member'=>$member) );
560 $qry->Exec('sync_LDAP_groups',__LINE__,__FILE__);
561 Principal::cacheDelete('username', $member);
562 }
563 }
564 $remove_users = @array_flip( @array_flip( array_diff( $db_members, $ldap_members ) ));
565 if ( sizeof ( $remove_users ) ){
566 $c->messages[] = sprintf(i18n('- removing %s from group : %s'),join(', ', $remove_users ), $group);
567 foreach ( $remove_users as $member ){
568 $qry = new AwlQuery( "DELETE FROM group_member USING dav_principal g,dav_principal m WHERE group_id=g.principal_id AND member_id=m.principal_id AND g.username=:group AND m.username=:member",array (':group'=>$group,':member'=>$member) );
569 $qry->Exec('sync_LDAP_groups',__LINE__,__FILE__);
570 Principal::cacheDelete('username', $member);
571 }
572 }
573 }
574 }
575
576 if ( sizeof ( $groups_to_deactivate ) ){
577 foreach ( $groups_to_deactivate as $k => $group ){
578 if ( isset($c->do_not_sync_group_from_ldap) && isset($c->do_not_sync_group_from_ldap[$group]) ){
579 unset($groups_to_deactivate[$k]);
580 $groups_nothing_done[] = $group;
581 } else {
582 $qry = new AwlQuery( 'UPDATE dav_principal SET user_active=FALSE WHERE username=:group AND type_id = 3',array(':group'=>$group) );
583 $qry->Exec('sync_LDAP',__LINE__,__FILE__);
584 Principal::cacheFlush('username=:group AND type_id = 3', array(':group'=>$group) );
585 }
586 }
587 if ( sizeof($groups_to_deactivate) )
588 $c->messages[] = sprintf(i18n('- deactivated groups : %s'), join(', ',$groups_to_deactivate));
589 }
590 if ( sizeof($groups_nothing_done) )
591 $c->messages[] = sprintf( i18n('- nothing done on : %s'), join(', ',$groups_nothing_done) );
592
593}
594
598function sync_LDAP(){
599 global $c;
600 $ldapDriver = getStaticLdap();
601 if ( ! $ldapDriver->valid ) return;
602
603 $mapping = $c->authenticate_hook['config']['mapping_field'];
604 $attributes = array_values_mapping($mapping);
605 $ldap_users_tmp = $ldapDriver->getAllUsers($attributes);
606
607 if ( sizeof($ldap_users_tmp) == 0 ) return;
608
609 foreach($ldap_users_tmp as $key => $ldap_user){
610 if(!isset($ldap_user[$mapping['username']])) continue;
611 $ldap_users_info[$ldap_user[$mapping['username']]] = $ldap_user;
612 unset($ldap_users_tmp[$key]);
613 }
614 $qry = new AwlQuery( "SELECT username, user_no, modified as updated , user_active FROM dav_principal where type_id=1");
615 $qry->Exec('sync_LDAP',__LINE__,__FILE__);
616 while($db_user = $qry->Fetch()) {
617 $db_users[] = $db_user->username;
618 $db_users_info[$db_user->username] = array('user_no' => $db_user->user_no, 'updated' => $db_user->updated, 'user_active' => $db_user->user_active);
619 }
620
621 // all users from ldap
622 $ldap_users = array_keys($ldap_users_info);
623 // users only in ldap
624 $users_to_create = array_diff($ldap_users,$db_users);
625 // users only in db
626 $users_to_deactivate = array_diff($db_users,$ldap_users);
627 // users present in ldap and in the db
628 $users_to_update = array_intersect($db_users,$ldap_users);
629
630 // creation of all users;
631 if ( sizeof($users_to_create) ) {
632 foreach( $users_to_create as $k => $username ) {
633 if ( isset($c->do_not_sync_from_ldap) && isset($c->do_not_sync_from_ldap[$username]) ) {
634 unset( $users_to_create[$k] );
635 $users_nothing_done[] = $username;
636 continue;
637 }
638 $principal = new Principal( 'username', $username );
639 $valid = $ldap_users_info[$username];
640 if ( $mapping['modified'] != "" && array_key_exists($mapping['modified'], $valid)) {
641 $ldap_timestamp = $valid[$mapping['modified']];
642 } else {
643 $ldap_timestamp = '19700101000000';
644 }
645
646 if ( !empty($c->authenticate_hook['config']['format_updated']) ) {
650 foreach($c->authenticate_hook['config']['format_updated'] as $k => $v)
651 $$k = substr($ldap_timestamp,$v[0],$v[1]);
652 $ldap_timestamp = $Y.$m.$d.$H.$M.$S;
653 }
654 else if ( preg_match('{^(\d{8})(\d{6})(Z)?$', $ldap_timestamp, $matches ) ) {
655 $ldap_timestamp = $matches[1].'T'.$matches[2].$matches[3];
656 }
657 else if ( empty($ldap_timestamp) ) {
658 $ldap_timestamp = date('c');
659 }
660 if ( $mapping['modified'] != "" && array_key_exists($mapping['modified'], $valid)) {
661 $valid[$mapping['modified']] = $ldap_timestamp;
662 }
663
664 sync_user_from_LDAP( $principal, $mapping, $valid );
665 }
666 $c->messages[] = sprintf( i18n('- creating record for users : %s'), join(', ',$users_to_create) );
667 }
668
669 // deactivating all users
670 $params = array();
671 $i = 0;
672 $paramstring = '';
673 foreach( $users_to_deactivate as $k => $v ) {
674 if ( isset($c->do_not_sync_from_ldap) && isset($c->do_not_sync_from_ldap[$v]) ) {
675 unset($users_to_deactivate[$k]);
676 $users_nothing_done[] = $v;
677 continue;
678 }
679 if ( $i > 0 ) $paramstring .= ',';
680 $paramstring .= ':u'.$i.'::text';
681 $params[':u'.$i++] = strtolower($v);
682 }
683 if ( count($params) > 0 ) {
684 $c->messages[] = sprintf(i18n('- deactivating users : %s'),join(', ',$users_to_deactivate));
685 $qry = new AwlQuery( 'UPDATE usr SET active = FALSE WHERE lower(username) IN ('.$paramstring.')', $params);
686 $qry->Exec('sync_LDAP',__LINE__,__FILE__);
687
688 Principal::cacheFlush('lower(username) IN ('.$paramstring.')', $params);
689 }
690
691 // updating all users
692 if ( sizeof($users_to_update) ) {
693 foreach ( $users_to_update as $key=> $username ) {
694 $principal = new Principal( 'username', $username );
695 $valid=$ldap_users_info[$username];
696 if ( $mapping['modified'] != "" && array_key_exists($mapping['modified'], $valid)) {
697 $ldap_timestamp = $valid[$mapping['modified']];
698 } else {
699 $ldap_timestamp = '19700101000000';
700 }
701
702 $valid['user_no'] = $db_users_info[$username]['user_no'];
703 $mapping['user_no'] = 'user_no';
704
708 foreach($c->authenticate_hook['config']['format_updated'] as $k => $v) {
709 $$k = substr($ldap_timestamp,$v[0],$v[1]);
710 }
711 $ldap_timestamp = $Y.$m.$d.$H.$M.$S;
712 $valid[$mapping['modified']] = "$Y-$m-$d $H:$M:$S";
713
714 $db_timestamp = substr(strtr($db_users_info[$username]['updated'], array(':' => '',' '=>'','-'=>'')),0,14);
715 if ( $ldap_timestamp > $db_timestamp || !$db_users_info[$username]['user_active']) {
716 $principal->user_active = true;
717 sync_user_from_LDAP($principal, $mapping, $valid);
718 }
719 else {
720 unset($users_to_update[$key]);
721 $users_nothing_done[] = $username;
722 }
723 }
724 if ( sizeof($users_to_update) )
725 $c->messages[] = sprintf(i18n('- updating user records : %s'),join(', ',$users_to_update));
726 }
727 if ( sizeof($users_nothing_done) )
728 $c->messages[] = sprintf( i18n('- nothing done on : %s'), join(', ',$users_nothing_done) );
729
730 // check for remaining admins
731 $admins = 0;
732 $qry = new AwlQuery( "SELECT count(*) AS admins FROM usr JOIN role_member USING ( user_no ) JOIN roles USING (role_no) WHERE usr.active=TRUE AND role_name='Admin'");
733 $qry->Exec('sync_LDAP',__LINE__,__FILE__);
734 while ( $db_user = $qry->Fetch() ) {
735 $admins = $db_user->admins;
736 }
737 if ( $admins == 0 ) {
738 $c->messages[] = sprintf(i18n('Warning: there are no active admin users! You should fix this before logging out. Consider using the $c->do_not_sync_from_ldap configuration setting.'));
739 }
740}
requestUser( $filter, $attributes, $username, $passwd)
getAllUsers($attributes)
getAllGroups($attributes)
__construct($config)