1: 2: 3: 4: 5: 6: 7: 8: 9: 10: 11: 12: 13: 14: 15: 16: 17: 18: 19: 20: 21: 22: 23: 24: 25: 26: 27: 28: 29: 30: 31: 32: 33: 34: 35: 36: 37: 38: 39: 40: 41: 42: 43: 44: 45: 46: 47: 48: 49: 50: 51: 52: 53: 54: 55: 56: 57: 58: 59: 60: 61: 62: 63: 64: 65: 66: 67: 68: 69: 70: 71: 72: 73: 74: 75: 76: 77: 78: 79: 80: 81: 82: 83: 84: 85: 86: 87: 88: 89: 90: 91: 92: 93: 94: 95: 96: 97: 98: 99: 100: 101: 102: 103: 104: 105: 106: 107: 108: 109: 110: 111: 112: 113: 114: 115: 116: 117: 118: 119: 120: 121: 122: 123: 124: 125: 126: 127: 128: 129: 130: 131: 132: 133: 134: 135: 136: 137: 138: 139: 140: 141: 142: 143: 144: 145: 146: 147: 148: 149: 150: 151: 152: 153: 154: 155: 156: 157: 158: 159: 160: 161: 162: 163: 164: 165: 166: 167: 168: 169: 170: 171: 172: 173: 174: 175: 176: 177: 178: 179: 180: 181: 182: 183: 184: 185: 186: 187: 188: 189: 190: 191: 192: 193: 194: 195: 196: 197: 198: 199: 200: 201: 202: 203: 204: 205: 206: 207: 208: 209: 210: 211: 212: 213: 214: 215: 216: 217: 218: 219: 220: 221: 222: 223: 224: 225: 226: 227: 228: 229: 230: 231: 232: 233: 234: 235: 236: 237: 238: 239: 240: 241: 242: 243: 244: 245: 246: 247: 248: 249: 250: 251: 252: 253: 254: 255: 256: 257: 258: 259: 260: 261: 262: 263: 264: 265: 266: 267: 268: 269: 270: 271: 272: 273: 274: 275: 276: 277: 278: 279: 280: 281: 282: 283: 284: 285: 286: 287: 288: 289: 290: 291: 292: 293: 294: 295: 296: 297: 298: 299: 300: 301: 302: 303: 304: 305: 306: 307: 308: 309: 310: 311: 312: 313: 314: 315: 316: 317: 318: 319: 320: 321: 322: 323: 324: 325: 326: 327: 328: 329: 330: 331: 332: 333: 334: 335: 336: 337: 338: 339: 340: 341: 342: 343: 344: 345: 346: 347: 348: 349: 350: 351: 352: 353: 354: 355: 356: 357: 358: 359: 360: 361: 362: 363: 364: 365: 366: 367: 368: 369: 370: 371: 372: 373: 374: 375: 376: 377: 378: 379: 380: 381: 382: 383: 384: 385: 386: 387: 388: 389: 390: 391: 392: 393: 394: 395: 396: 397: 398: 399: 400: 401: 402: 403: 404: 405: 406: 407: 408: 409: 410: 411: 412: 413: 414: 415: 416: 417: 418: 419: 420: 421: 422: 423: 424: 425: 426: 427: 428: 429: 430: 431: 432: 433: 434: 435: 436: 437: 438: 439: 440: 441: 442: 443: 444: 445: 446: 447: 448: 449: 450: 451: 452: 453: 454: 455: 456: 457: 458: 459: 460: 461: 462: 463: 464: 465: 466: 467: 468: 469: 470: 471: 472: 473: 474: 475: 476: 477: 478: 479: 480: 481: 482: 483: 484: 485: 486: 487: 488: 489: 490: 491: 492: 493: 494: 495: 496: 497: 498: 499: 500: 501: 502: 503: 504: 505: 506: 507: 508: 509: 510: 511: 512: 513: 514: 515: 516: 517: 518: 519: 520: 521: 522: 523: 524: 525: 526: 527: 528: 529: 530: 531: 532: 533: 534: 535: 536: 537: 538: 539: 540: 541: 542: 543: 544: 545: 546: 547: 548: 549: 550: 551: 552: 553: 554: 555: 556: 557: 558: 559: 560: 561: 562: 563: 564: 565: 566: 567: 568: 569: 570: 571: 572: 573: 574: 575: 576: 577: 578: 579: 580: 581: 582: 583: 584: 585: 586: 587: 588: 589: 590: 591: 592: 593: 594: 595: 596: 597: 598: 599: 600: 601: 602: 603: 604: 605: 606: 607: 608: 609: 610: 611: 612: 613: 614: 615: 616: 617: 618: 619: 620: 621: 622: 623: 624: 625: 626: 627: 628: 629: 630: 631: 632: 633: 634: 635: 636: 637: 638: 639: 640: 641: 642: 643: 644: 645: 646: 647: 648: 649: 650: 651: 652: 653: 654: 655: 656: 657: 658: 659: 660: 661: 662: 663: 664: 665: 666: 667: 668: 669: 670: 671: 672: 673: 674: 675: 676: 677: 678: 679: 680: 681: 682: 683: 684: 685: 686: 687: 688: 689: 690: 691: 692: 693: 694: 695: 696: 697: 698: 699: 700: 701: 702: 703: 704: 705: 706: 707: 708: 709: 710: 711: 712: 713: 714: 715: 716: 717:
<?php
require_once("auth-functions.php");
class ldapDriver
{
var $connect;
function __construct($config)
{
global $c;
$host=$config['host'];
$port=$config['port'];
if(!function_exists('ldap_connect')){
$c->messages[] = i18n("drivers_ldap : function ldap_connect not defined, check your php_ldap module");
$this->valid=false;
return ;
}
if (isset($config['protocolVersion']))
ldap_set_option($this->connect, LDAP_OPT_PROTOCOL_VERSION, $config['protocolVersion']);
if (isset($config['optReferrals']))
ldap_set_option($this->connect, LDAP_OPT_REFERRALS, $config['optReferrals']);
if (isset($config['networkTimeout']))
ldap_set_option($this->connect, LDAP_OPT_NETWORK_TIMEOUT, $config['networkTimeout']);
if ($port)
$this->connect=ldap_connect($host, $port);
else
$this->connect=ldap_connect($host);
if (! $this->connect){
$c->messages[] = sprintf(translate( 'drivers_ldap : Unable to connect to LDAP with port %s on host %s'), $port, $host );
$this->valid=false;
return ;
}
dbg_error_log( "LDAP", "drivers_ldap : Connected to LDAP server %s",$host );
if (isset($config['startTLS'])) {
if (!ldap_set_option($this->connect, LDAP_OPT_PROTOCOL_VERSION, 3)) {
$c->messages[] = i18n('drivers_ldap : Failed to set LDAP to use protocol version 3, TLS not supported');
$this->valid=false;
return;
}
if (!ldap_start_tls($this->connect)) {
$c->messages[] = i18n('drivers_ldap : Could not start TLS: ldap_start_tls() failed');
$this->valid=false;
return;
}
}
if (!isset($config['scope'])) $config['scope'] = 'subtree';
switch (strtolower($config['scope'])) {
case "base":
$this->ldap_query_one = 'ldap_read';
$this->ldap_query_all = 'ldap_read';
break;
case "onelevel":
$this->ldap_query_one = 'ldap_list';
$this->ldap_query_all = 'ldap_search';
break;
default:
$this->ldap_query_one = 'ldap_search';
$this->ldap_query_all = 'ldap_search';
break;
}
if (!ldap_bind($this->connect, (isset($config['bindDN']) ? $config['bindDN'] : null), (isset($config['passDN']) ? $config['passDN'] : null) ) ){
$bindDN = isset($config['bindDN']) ? $config['bindDN'] : 'anonymous';
$passDN = isset($config['passDN']) ? $config['passDN'] : 'anonymous';
dbg_error_log( "LDAP", i18n('drivers_ldap : Failed to bind to host %1$s on port %2$s with bindDN of %3$s'), $host, $port, $bindDN );
$c->messages[] = i18n( 'drivers_ldap : Unable to bind to LDAP - check your configuration for bindDN and passDN, and that your LDAP server is reachable');
$this->valid=false;
return ;
}
$this->valid = true;
$this->baseDNUsers = is_string($config['baseDNUsers']) ? array($config['baseDNUsers']) : $config['baseDNUsers'];
$this->filterUsers = (isset($config['filterUsers']) ? $config['filterUsers'] : null);
$this->baseDNGroups = is_string($config['baseDNGroups']) ? array($config['baseDNGroups']) : $config['baseDNGroups'];
$this->filterGroups = (isset($config['filterGroups']) ? $config['filterGroups'] : null);
}
function getAllUsers($attributes){
global $c;
$query = $this->ldap_query_all;
$ret = array();
foreach($this->baseDNUsers as $baseDNUsers) {
$entry = $query($this->connect,$baseDNUsers,$this->filterUsers,$attributes);
if (!ldap_first_entry($this->connect,$entry)) {
$c->messages[] = sprintf(translate('Error NoUserFound with filter >%s<, attributes >%s< , dn >%s<'),
$this->filterUsers,
join(', ', $attributes),
$baseDNUsers);
}
$row = array();
for($i = ldap_first_entry($this->connect,$entry);
$i && $arr = ldap_get_attributes($this->connect,$i);
$i = ldap_next_entry($this->connect,$i) ) {
$row = array();
for ($j=0; $j < $arr['count']; $j++) {
$row[$arr[$j]] = $arr[$arr[$j]][0];
}
$ret[]=$row;
}
}
return $ret;
}
function getAllGroups($attributes){
global $c;
$query = $this->ldap_query_all;
$ret = array();
foreach($this->baseDNGroups as $baseDNGroups) {
$entry = $query($this->connect,$baseDNGroups,$this->filterGroups,$attributes);
if (!ldap_first_entry($this->connect,$entry)) {
$c->messages[] = sprintf(translate('Error NoGroupFound with filter >%s<, attributes >%s< , dn >%s<'),
$this->filterGroups,
join(', ', $attributes),
$baseDNGroups);
}
$row = array();
for($i = ldap_first_entry($this->connect,$entry);
$i && $arr = ldap_get_attributes($this->connect,$i);
$i = ldap_next_entry($this->connect,$i) ) {
for ($j=0; $j < $arr['count']; $j++) {
$row[$arr[$j]] = count($arr[$arr[$j]])>2?$arr[$arr[$j]]:$arr[$arr[$j]][0];
}
$ret[]=$row;
unset($row);
}
}
return $ret;
}
function requestUser( $filter, $attributes=NULL, $username, $passwd) {
global $c;
$entry=NULL;
$query = $this->ldap_query_one;
foreach($this->baseDNUsers as $baseDNUsers) {
$entry = $query($this->connect, $baseDNUsers, $filter, $attributes);
if (ldap_first_entry($this->connect,$entry) )
break;
dbg_error_log( "LDAP", "drivers_ldap : Failed to find user with baseDN: %s", $baseDNUsers );
}
if ( !ldap_first_entry($this->connect, $entry) ){
dbg_error_log( "ERROR", "drivers_ldap : Unable to find the user with filter %s",$filter );
return false;
} else {
dbg_error_log( "LDAP", "drivers_ldap : Found a user using filter %s",$filter );
}
$dnUser = ldap_get_dn($this->connect, ldap_first_entry($this->connect,$entry));
if ( isset($c->authenticate_hook['config']['i_use_mode_kerberos']) && $c->authenticate_hook['config']['i_use_mode_kerberos'] == "i_know_what_i_am_doing") {
if (isset($_SERVER["REMOTE_USER"])) {
dbg_error_log( "LOG", "drivers_ldap : Skipping password Check for user %s which should be the same as %s",$username , $_SERVER["REMOTE_USER"]);
if ($username != $_SERVER["REMOTE_USER"]) {
return false;
}
} else {
dbg_error_log( "LOG", "drivers_ldap : Skipping password Check for user %s which should be the same as %s",$username , $_SERVER["REDIRECT_REMOTE_USER"]);
if ($username != $_SERVER["REDIRECT_REMOTE_USER"]) {
return false;
}
}
}
else if ( empty($passwd) || preg_match('/[\x00-\x19]/',$passwd) ) {
dbg_error_log( 'LDAP', 'drivers_ldap : user %s supplied empty or invalid password: login rejected', $dnUser );
return false;
}
else {
if ( !@ldap_bind($this->connect, $dnUser, $passwd) ) {
dbg_error_log( "LDAP", "drivers_ldap : Failed to bind to user %s ", $dnUser );
return false;
}
}
dbg_error_log( "LDAP", "drivers_ldap : Bound to user %s using password %s", $dnUser,
(isset($c->dbg['password']) && $c->dbg['password'] ? $passwd : 'another delicious password for the debugging monster!') );
$i = ldap_first_entry($this->connect,$entry);
$arr = ldap_get_attributes($this->connect,$i);
for( $i=0; $i<$arr['count']; $i++ ) {
$ret[$arr[$i]]=$arr[$arr[$i]][0];
}
return $ret;
}
}
function getStaticLdap() {
global $c;
static $instance;
if(!isset($instance)) {
$ldapDriver = new ldapDriver($c->authenticate_hook['config']);
if ($ldapDriver->valid) {
$instance = $ldapDriver;
}
}
else {
$ldapDriver = $instance;
}
return $ldapDriver;
}
function sync_user_from_LDAP( Principal &$principal, $mapping, $ldap_values ) {
global $c;
dbg_error_log( "LDAP", "Going to sync the user from LDAP" );
$fields_to_set = array();
$updateable_fields = Principal::updateableFields();
foreach( $updateable_fields AS $field ) {
if ( isset($mapping[$field]) ) {
$tab_part_fields = explode(',',$mapping[$field]);
foreach( $tab_part_fields as $part_field ) {
if ( isset($ldap_values[$part_field]) ) {
if (isset($fields_to_set[$field]) ) {
$fields_to_set[$field] .= ' '.$ldap_values[$part_field];
}
else {
$fields_to_set[$field] = $ldap_values[$part_field];
}
}
}
dbg_error_log( "LDAP", "Setting usr->%s to %s from LDAP field %s", $field, $fields_to_set[$field], $mapping[$field] );
}
else if ( isset($c->authenticate_hook['config']['default_value']) && is_array($c->authenticate_hook['config']['default_value'])
&& isset($c->authenticate_hook['config']['default_value'][$field] ) ) {
$fields_to_set[$field] = $c->authenticate_hook['config']['default_value'][$field];
dbg_error_log( "LDAP", "Setting usr->%s to %s from configured defaults", $field, $c->authenticate_hook['config']['default_value'][$field] );
}
}
if ( $principal->Exists() ) {
$principal->Update($fields_to_set);
}
else {
$principal->Create($fields_to_set);
CreateHomeCollections($principal->username(), $c->default_timezone);
CreateDefaultRelationships($principal->username());
}
}
function array_values_mapping($mapping){
$attributes=array();
foreach ( $mapping as $field ) {
$tab_part_field = explode(",",$field);
foreach( $tab_part_field as $part_field ) {
$attributes[] = $part_field;
}
}
return $attributes;
}
function LDAP_check($username, $password ){
global $c;
$ldapDriver = getStaticLdap();
if ( !$ldapDriver->valid ) {
sleep(1);
$ldapDriver = getStaticLdap();
if ( !$ldapDriver->valid ) {
dbg_error_log( "ERROR", "Couldn't contact LDAP server for authentication" );
foreach($c->messages as $msg) {
dbg_error_log( "ERROR", "-> ".$msg );
}
header( sprintf("HTTP/1.1 %d %s", 503, translate("Authentication server unavailable.")) );
exit(0);
}
}
$mapping = $c->authenticate_hook['config']['mapping_field'];
if ( isset($mapping['active']) && !isset($mapping['user_active']) ) {
$mapping['user_active'] = $mapping['active'];
unset($mapping['active']);
}
if ( isset($mapping['updated']) && !isset($mapping['modified']) ) {
$mapping['modified'] = $mapping['updated'];
unset($mapping['updated']);
}
$attributes = array_values_mapping($mapping);
$filter_munge = "";
if ( preg_match( '/^\(/', $ldapDriver->filterUsers ) ) {
$filter_munge = $ldapDriver->filterUsers;
}
else if ( isset($ldapDriver->filterUsers) && $ldapDriver->filterUsers != '' ) {
$filter_munge = "($ldapDriver->filterUsers)";
}
$filter = "(&$filter_munge(".$mapping['username']."=$username))";
$valid = $ldapDriver->requestUser( $filter, $attributes, $username, $password );
if ( !$valid ) {
dbg_error_log( "LDAP", "user %s is not a valid user",$username );
return false;
}
if ( $mapping['modified'] != "" && array_key_exists($mapping['modified'], $valid)) {
$ldap_timestamp = $valid[$mapping['modified']];
} else {
$ldap_timestamp = '19700101000000';
}
foreach($c->authenticate_hook['config']['format_updated'] as $k => $v)
$$k = substr($ldap_timestamp,$v[0],$v[1]);
$ldap_timestamp = "$Y"."$m"."$d"."$H"."$M"."$S";
if ($mapping['modified'] != "" && array_key_exists($mapping['modified'], $valid)) {
$valid[$mapping['modified']] = "$Y-$m-$d $H:$M:$S";
}
$principal = new Principal('username',$username);
if ( $principal->Exists() ) {
$db_timestamp = $principal->modified;
$db_timestamp = substr(strtr($db_timestamp, array(':' => '',' '=>'','-'=>'')),0,14);
if( $ldap_timestamp <= $db_timestamp ) {
return $principal;
}
}
else {
dbg_error_log( "LDAP", "user %s doesn't exist in local DB, we need to create it",$username );
}
$principal->setUsername($username);
sync_user_from_LDAP( $principal, $mapping, $valid );
return $principal;
}
function fix_unique_member($list) {
$fixed_list = array();
foreach ( $list as $member ){
list( $mem, $rest ) = explode(",", $member );
$member = str_replace( 'uid=', '', $mem );
array_unshift( $fixed_list, $member );
}
return $fixed_list;
}
function sync_LDAP_groups(){
global $c;
$ldapDriver = getStaticLdap();
if ( ! $ldapDriver->valid ) return;
$mapping = $c->authenticate_hook['config']['group_mapping_field'];
$attributes = array_values_mapping($mapping);
$ldap_groups_tmp = $ldapDriver->getAllGroups($attributes);
if ( sizeof($ldap_groups_tmp) == 0 ) return;
$member_field = $mapping['members'];
$dnfix = isset($c->authenticate_hook['config']['group_member_dnfix']) && $c->authenticate_hook['config']['group_member_dnfix'];
foreach($ldap_groups_tmp as $key => $ldap_group){
$group_mapping = $ldap_group[$mapping['username']];
$ldap_groups_info[$group_mapping] = $ldap_group;
if ( is_array($ldap_groups_info[$group_mapping][$member_field]) ) {
unset( $ldap_groups_info[$group_mapping][$member_field]['count'] );
}
else {
$ldap_groups_info[$group_mapping][$member_field] = array($ldap_groups_info[$group_mapping][$member_field]);
}
unset($ldap_groups_tmp[$key]);
}
$db_groups = array();
$db_group_members = array();
$qry = new AwlQuery( "SELECT g.username AS group_name, member.username AS member_name FROM dav_principal g LEFT JOIN group_member ON (g.principal_id=group_member.group_id) LEFT JOIN dav_principal member ON (member.principal_id=group_member.member_id) WHERE g.type_id = 3");
$qry->Exec('sync_LDAP',__LINE__,__FILE__);
while($db_group = $qry->Fetch()) {
$db_groups[$db_group->group_name] = $db_group->group_name;
$db_group_members[$db_group->group_name][] = $db_group->member_name;
}
$ldap_groups = array_keys($ldap_groups_info);
$groups_to_create = array_diff($ldap_groups,$db_groups);
$groups_to_deactivate = array_diff($db_groups,$ldap_groups);
$groups_to_update = array_intersect($db_groups,$ldap_groups);
if ( sizeof ( $groups_to_create ) ){
$c->messages[] = sprintf(i18n('- creating groups : %s'),join(', ',$groups_to_create));
$validUserFields = awl_get_fields('usr');
foreach ( $groups_to_create as $k => $group ){
$user = (object) array();
if ( isset($c->authenticate_hook['config']['default_value']) && is_array($c->authenticate_hook['config']['default_value']) ) {
foreach ( $c->authenticate_hook['config']['default_value'] as $field => $value ) {
if ( isset($validUserFields[$field]) ) {
$user->{$field} = $value;
dbg_error_log( "LDAP", "Setting usr->%s to %s from configured defaults", $field, $value );
}
}
}
$user->user_no = 0;
$ldap_values = $ldap_groups_info[$group];
foreach ( $mapping as $field => $value ) {
dbg_error_log( "LDAP", "Considering copying %s", $field );
if ( isset($validUserFields[$field]) ) {
$user->{$field} = $ldap_values[$value];
dbg_error_log( "LDAP", "Setting usr->%s to %s from LDAP field %s", $field, $ldap_values[$value], $value );
}
}
if ($user->fullname=="") {
$user->fullname = $group;
}
if ($user->displayname=="") {
$user->displayname = $group;
}
$user->username = $group;
$user->updated = "now";
$principal = new Principal('username',$group);
if ( $principal->Exists() ) {
$principal->Update($user);
}
else {
$principal->Create($user);
}
$qry = new AwlQuery( "UPDATE dav_principal set type_id = 3 WHERE username=:group ",array(':group'=>$group) );
$qry->Exec('sync_LDAP',__LINE__,__FILE__);
Principal::cacheDelete('username', $group);
$c->messages[] = sprintf(i18n('- adding users %s to group : %s'),join(',',$ldap_groups_info[$group][$mapping['members']]),$group);
foreach ( $ldap_groups_info[$group][$mapping['members']] as $member ){
if ( $member_field == 'uniqueMember' || $dnfix ) {
list( $mem, $rest ) = explode(",", $member );
$member = str_replace( 'uid=', '', $mem );
}
$qry = new AwlQuery( "INSERT INTO group_member SELECT g.principal_id AS group_id,u.principal_id AS member_id FROM dav_principal g, dav_principal u WHERE g.username=:group AND u.username=:member;",array (':group'=>$group,':member'=>$member) );
$qry->Exec('sync_LDAP_groups',__LINE__,__FILE__);
Principal::cacheDelete('username', $member);
}
}
}
if ( sizeof ( $groups_to_update ) ){
$c->messages[] = sprintf(i18n('- updating groups : %s'),join(', ',$groups_to_update));
foreach ( $groups_to_update as $group ){
$db_members = array_values ( $db_group_members[$group] );
$ldap_members = array_values ( $ldap_groups_info[$group][$member_field] );
if ( $member_field == 'uniqueMember' || $dnfix ) {
$ldap_members = fix_unique_member( $ldap_members );
}
$add_users = array_diff ( $ldap_members, $db_members );
if ( sizeof ( $add_users ) ){
$c->messages[] = sprintf(i18n('- adding %s to group : %s'),join(', ', $add_users ), $group);
foreach ( $add_users as $member ){
$qry = new AwlQuery( "INSERT INTO group_member SELECT g.principal_id AS group_id,u.principal_id AS member_id FROM dav_principal g, dav_principal u WHERE g.username=:group AND u.username=:member",array (':group'=>$group,':member'=>$member) );
$qry->Exec('sync_LDAP_groups',__LINE__,__FILE__);
Principal::cacheDelete('username', $member);
}
}
$remove_users = @array_flip( @array_flip( array_diff( $db_members, $ldap_members ) ));
if ( sizeof ( $remove_users ) ){
$c->messages[] = sprintf(i18n('- removing %s from group : %s'),join(', ', $remove_users ), $group);
foreach ( $remove_users as $member ){
$qry = new AwlQuery( "DELETE FROM group_member USING dav_principal g,dav_principal m WHERE group_id=g.principal_id AND member_id=m.principal_id AND g.username=:group AND m.username=:member",array (':group'=>$group,':member'=>$member) );
$qry->Exec('sync_LDAP_groups',__LINE__,__FILE__);
Principal::cacheDelete('username', $member);
}
}
}
}
if ( sizeof ( $groups_to_deactivate ) ){
$c->messages[] = sprintf(i18n('- deactivate groups : %s'),join(', ',$groups_to_deactivate));
foreach ( $groups_to_deactivate as $group ){
$qry = new AwlQuery( 'UPDATE dav_principal SET user_active=FALSE WHERE username=:group AND type_id = 3',array(':group'=>$group) );
$qry->Exec('sync_LDAP',__LINE__,__FILE__);
Principal::cacheFlush('username=:group AND type_id = 3', array(':group'=>$group) );
}
}
}
function sync_LDAP(){
global $c;
$ldapDriver = getStaticLdap();
if ( ! $ldapDriver->valid ) return;
$mapping = $c->authenticate_hook['config']['mapping_field'];
$attributes = array_values_mapping($mapping);
$ldap_users_tmp = $ldapDriver->getAllUsers($attributes);
if ( sizeof($ldap_users_tmp) == 0 ) return;
foreach($ldap_users_tmp as $key => $ldap_user){
$ldap_users_info[$ldap_user[$mapping['username']]] = $ldap_user;
unset($ldap_users_tmp[$key]);
}
$qry = new AwlQuery( "SELECT username, user_no, modified as updated FROM dav_principal where type_id=1");
$qry->Exec('sync_LDAP',__LINE__,__FILE__);
while($db_user = $qry->Fetch()) {
$db_users[] = $db_user->username;
$db_users_info[$db_user->username] = array('user_no' => $db_user->user_no, 'updated' => $db_user->updated);
}
$ldap_users = array_keys($ldap_users_info);
$users_to_create = array_diff($ldap_users,$db_users);
$users_to_deactivate = array_diff($db_users,$ldap_users);
$users_to_update = array_intersect($db_users,$ldap_users);
if ( sizeof($users_to_create) ) {
$c->messages[] = sprintf(i18n('- creating record for users : %s'),join(', ',$users_to_create));
foreach( $users_to_create as $username ) {
$principal = new Principal( 'username', $username );
$valid = $ldap_users_info[$username];
if ( $mapping['modified'] != "" && array_key_exists($mapping['modified'], $valid)) {
$ldap_timestamp = $valid[$mapping['modified']];
} else {
$ldap_timestamp = '19700101000000';
}
if ( !empty($c->authenticate_hook['config']['format_updated']) ) {
foreach($c->authenticate_hook['config']['format_updated'] as $k => $v)
$$k = substr($ldap_timestamp,$v[0],$v[1]);
$ldap_timestamp = $Y.$m.$d.$H.$M.$S;
}
else if ( preg_match('{^(\d{8})(\d{6})(Z)?$', $ldap_timestamp, $matches ) ) {
$ldap_timestamp = $matches[1].'T'.$matches[2].$matches[3];
}
else if ( empty($ldap_timestamp) ) {
$ldap_timestamp = date('c');
}
if ( $mapping['modified'] != "" && array_key_exists($mapping['modified'], $valid)) {
$valid[$mapping['modified']] = $ldap_timestamp;
}
sync_user_from_LDAP( $principal, $mapping, $valid );
}
}
$params = array();
$i = 0;
$paramstring = '';
foreach( $users_to_deactivate AS $v ) {
if ( isset($c->do_not_sync_from_ldap) && isset($c->do_not_sync_from_ldap[$v]) ) continue;
if ( $i > 0 ) $paramstring .= ',';
$paramstring .= ':u'.$i.'::text';
$params[':u'.$i++] = strtolower($v);
}
if ( count($params) > 0 ) {
$c->messages[] = sprintf(i18n('- deactivating users : %s'),join(', ',$users_to_deactivate));
$qry = new AwlQuery( 'UPDATE usr SET active = FALSE WHERE lower(username) IN ('.$paramstring.')', $params);
$qry->Exec('sync_LDAP',__LINE__,__FILE__);
Principal::cacheFlush('lower(username) IN ('.$paramstring.')', $params);
}
if ( sizeof($users_to_update) ) {
foreach ( $users_to_update as $key=> $username ) {
$principal = new Principal( 'username', $username );
$valid=$ldap_users_info[$username];
if ( $mapping['modified'] != "" && array_key_exists($mapping['modified'], $valid)) {
$ldap_timestamp = $valid[$mapping['modified']];
} else {
$ldap_timestamp = '19700101000000';
}
$valid['user_no'] = $db_users_info[$username]['user_no'];
$mapping['user_no'] = 'user_no';
foreach($c->authenticate_hook['config']['format_updated'] as $k => $v) {
$$k = substr($ldap_timestamp,$v[0],$v[1]);
}
$ldap_timestamp = $Y.$m.$d.$H.$M.$S;
$valid[$mapping['modified']] = "$Y-$m-$d $H:$M:$S";
$db_timestamp = substr(strtr($db_users_info[$username]['updated'], array(':' => '',' '=>'','-'=>'')),0,14);
if ( $ldap_timestamp > $db_timestamp ) {
sync_user_from_LDAP($principal, $mapping, $valid );
}
else {
unset($users_to_update[$key]);
$users_nothing_done[] = $username;
}
}
if ( sizeof($users_to_update) )
$c->messages[] = sprintf(i18n('- updating user records : %s'),join(', ',$users_to_update));
if ( sizeof($users_nothing_done) )
$c->messages[] = sprintf(i18n('- nothing done on : %s'),join(', ', $users_nothing_done));
}
$admins = 0;
$qry = new AwlQuery( "SELECT count(*) AS admins FROM usr JOIN role_member USING ( user_no ) JOIN roles USING (role_no) WHERE usr.active=TRUE AND role_name='Admin'");
$qry->Exec('sync_LDAP',__LINE__,__FILE__);
while ( $db_user = $qry->Fetch() ) {
$admins = $db_user->admins;
}
if ( $admins == 0 ) {
$c->messages[] = sprintf(i18n('Warning: there are no active admin users! You should fix this before logging out. Consider using the $c->do_not_sync_from_ldap configuration setting.'));
}
}