Overview

Packages

  • awl
    • caldav-client-v2
    • RRule
  • davical
    • authentication
      • drivers
    • caldav
    • DAViCalSession
    • DAVTicket
    • external-bind
    • feed
    • HTTPAuthSession
    • iSchedule
    • iSchedule-POST
    • logging
    • metrics
    • Principal
    • propfind
    • PublicSession
    • Request
    • Resource
    • tzservice
  • None

Classes

  • AtomEntry
  • AtomFeed
  • AtomXHTMLContent
  • CalDAVClient
  • CalDAVRequest
  • CalendarInfo
  • CheckResult
  • DAViCalSession
  • DAVPrincipal
  • DAVResource
  • DAVTicket
  • FakeSession
  • HTTPAuthSession
  • imapPamDriver
  • iSchedule
  • ldapDriver
  • Principal
  • PublicSession
  • pwauthPamDriver
  • RepeatRule
  • RepeatRuleDateRange
  • RepeatRuleDateTime
  • RepeatRuleTimeZone
  • Rfc5545Duration
  • rimapPamDriver
  • setupFakeSession
  • squidPamDriver
  • Tools
  • VCard
  • VTimezone
  • WritableCollection

Functions

  • access_ticket_browser
  • add_failure
  • add_proxy_response
  • array_values_mapping
  • auth_functions_deprecated
  • AuthExternalAWL
  • binding_row_editor
  • bindings_to_other_browser
  • bindings_to_us_browser
  • bits_to_privilege
  • build_dependencies_table
  • build_privileges_html
  • build_site_statistics
  • BuildSqlFilter
  • caldav_get_feed
  • calquery_apply_filter
  • cardquery_apply_filter
  • catch_setup_errors
  • check_awl_version
  • check_calendar
  • check_curl
  • check_database_connection
  • check_datetime
  • check_davical_version
  • check_for_expansion
  • check_gettext
  • check_iconv
  • check_ldap
  • check_magic_quotes_gpc
  • check_magic_quotes_runtime
  • check_pdo
  • check_pdo_pgsql
  • check_pgsql
  • check_real_php
  • check_schema_version
  • check_string
  • check_suhosin_server_strip
  • check_xml
  • checkiSchedule
  • collection_privilege_format_function
  • component_to_xml
  • confirm_delete_bind_in
  • confirm_delete_binding
  • confirm_delete_collection
  • confirm_delete_principal
  • confirm_delete_ticket
  • ConstructURL
  • controlRequestContainer
  • create_external
  • CreateDefaultRelationships
  • CreateHomeCalendar
  • CreateHomeCollections
  • DateToISODate
  • DeconstructURL
  • delete_collection
  • deliverItipCancel
  • display_status
  • do_error
  • do_scheduling_for_delete
  • do_scheduling_reply
  • do_scheduling_requests
  • doImipMessage
  • doItipAttendeeReply
  • doItipOrganizerCancel
  • early_catch_fatal_error
  • early_exception_handler
  • edit_binding_row
  • edit_grant_row_collection
  • edit_grant_row_principal
  • edit_group_row
  • edit_ticket_row
  • errorResponse
  • expand_event_instances
  • expand_properties
  • expand_timezone_onsets
  • export_iCalendar
  • fetch_external
  • fix_unique_member
  • generateKeys
  • get_address_properties
  • get_collection_contents
  • get_freebusy
  • get_href_containers
  • get_phpinfo
  • getComponentRange
  • GetItip
  • getPrincipalByID
  • getStaticLdap
  • getStatusMessage
  • GetTZID
  • getUserByEMail
  • getUserByID
  • getUserByName
  • getVCalendarRange
  • grant_row_editor
  • group_members_browser
  • group_memberships_browser
  • group_row_editor
  • handle_cancel_request
  • handle_freebusy_request
  • handle_schedule_reply
  • handle_schedule_request
  • handle_subaction
  • hyperlink
  • i18n
  • IMAP_PAM_check
  • import_addressbook_collection
  • import_calendar_collection
  • import_collection
  • ischedule_cancel
  • ischedule_freebusy_request
  • ischedule_get
  • ischedule_request
  • ISODateToHTTPDate
  • late_catch_fatal_error
  • LDAP_check
  • local_session_sql
  • log_caldav_action
  • log_setup_error
  • logRequestHeaders
  • make_help_link
  • obfuscated_event
  • olson_from_vtimezone
  • principal_collection_browser
  • principal_editor
  • principal_grants_browser
  • principal_privilege_format_function
  • print_metric
  • privilege_to_bits
  • privileges_to_XML
  • process_ace
  • processItipCancel
  • property_response
  • public_events_only
  • PWAUTH_PAM_check
  • rdate_expand
  • RIMAP_check
  • rollback
  • rollback_on_error
  • rrule_expand
  • send_dav_header
  • send_page_header
  • simple_write_resource
  • SqlFilterCardDAV
  • SqlFilterFragment
  • SQUID_PAM_check
  • SRVFormat
  • SRVOk
  • sync_LDAP
  • sync_LDAP_groups
  • sync_user_from_LDAP
  • ticket_row_editor
  • unicodeToUtf8
  • update_external
  • UpdateCollectionTimezones
  • UpdateUserFromExternal
  • utf8ToUnicode
  • write_alarms
  • write_attendees
  • write_resource
  • Overview
  • Package
  • Class
  • Tree
  • Deprecated
  • Todo
  1:   2:   3:   4:   5:   6:   7:   8:   9:  10:  11:  12:  13:  14:  15:  16:  17:  18:  19:  20:  21:  22:  23:  24:  25:  26:  27:  28:  29:  30:  31:  32:  33:  34:  35:  36:  37:  38:  39:  40:  41:  42:  43:  44:  45:  46:  47:  48:  49:  50:  51:  52:  53:  54:  55:  56:  57:  58:  59:  60:  61:  62:  63:  64:  65:  66:  67:  68:  69:  70:  71:  72:  73:  74:  75:  76:  77:  78:  79:  80:  81:  82:  83:  84:  85:  86:  87:  88:  89:  90:  91:  92:  93:  94:  95:  96:  97:  98:  99: 100: 101: 102: 103: 104: 105: 106: 107: 108: 109: 110: 111: 112: 113: 114: 115: 116: 117: 118: 119: 120: 121: 122: 123: 124: 125: 126: 127: 128: 129: 130: 131: 132: 133: 134: 135: 136: 137: 138: 139: 140: 141: 142: 143: 144: 145: 146: 147: 148: 149: 150: 151: 152: 153: 154: 155: 156: 157: 158: 159: 160: 161: 162: 163: 164: 165: 166: 167: 168: 169: 170: 171: 172: 173: 174: 175: 176: 177: 178: 179: 180: 181: 182: 183: 184: 185: 186: 187: 188: 189: 190: 191: 192: 193: 194: 195: 196: 197: 198: 199: 200: 201: 202: 203: 204: 205: 206: 207: 208: 209: 210: 211: 212: 213: 214: 215: 216: 217: 218: 219: 220: 221: 222: 223: 224: 225: 226: 227: 228: 229: 230: 231: 232: 233: 234: 235: 236: 237: 238: 239: 240: 241: 242: 243: 244: 245: 246: 247: 248: 249: 250: 251: 252: 253: 254: 255: 256: 257: 258: 259: 260: 261: 262: 263: 264: 265: 266: 267: 268: 269: 270: 271: 272: 273: 274: 275: 276: 277: 278: 279: 280: 281: 282: 283: 284: 285: 286: 287: 288: 289: 290: 291: 292: 293: 294: 295: 296: 297: 298: 299: 300: 301: 302: 303: 304: 305: 306: 307: 308: 309: 310: 311: 312: 313: 314: 315: 316: 317: 318: 319: 320: 321: 322: 323: 324: 325: 326: 327: 328: 329: 330: 331: 332: 333: 334: 335: 336: 337: 338: 339: 340: 341: 342: 343: 344: 345: 346: 347: 348: 349: 350: 351: 352: 353: 354: 355: 356: 357: 358: 359: 360: 361: 362: 363: 364: 365: 366: 367: 368: 369: 370: 371: 372: 373: 374: 375: 376: 377: 378: 379: 380: 381: 382: 383: 384: 385: 386: 387: 388: 389: 390: 391: 392: 393: 394: 395: 396: 397: 398: 399: 400: 401: 402: 403: 404: 405: 406: 407: 408: 409: 410: 411: 412: 413: 414: 415: 416: 417: 418: 419: 420: 421: 422: 423: 424: 425: 426: 427: 428: 429: 430: 431: 432: 433: 434: 435: 436: 437: 438: 439: 440: 441: 442: 443: 444: 445: 446: 447: 448: 449: 450: 451: 452: 453: 454: 455: 456: 457: 458: 459: 460: 461: 462: 463: 464: 465: 466: 467: 468: 469: 470: 471: 472: 473: 474: 475: 476: 477: 478: 479: 480: 481: 482: 483: 484: 485: 486: 487: 488: 489: 490: 491: 492: 493: 494: 495: 496: 497: 498: 499: 500: 501: 502: 503: 504: 505: 506: 507: 508: 509: 510: 511: 512: 513: 514: 515: 516: 517: 518: 519: 520: 521: 522: 523: 524: 525: 526: 527: 528: 529: 530: 531: 532: 533: 534: 535: 536: 537: 538: 539: 540: 541: 542: 543: 544: 545: 546: 547: 548: 549: 550: 551: 552: 553: 554: 555: 556: 557: 558: 559: 560: 561: 562: 563: 564: 565: 566: 567: 568: 569: 570: 571: 572: 573: 574: 575: 576: 577: 578: 579: 580: 581: 582: 583: 584: 585: 586: 587: 588: 589: 590: 591: 592: 593: 594: 595: 596: 597: 598: 599: 600: 601: 602: 603: 604: 605: 606: 607: 608: 609: 610: 611: 612: 613: 614: 615: 616: 617: 618: 619: 620: 621: 622: 623: 624: 625: 626: 627: 628: 629: 630: 631: 632: 633: 634: 635: 636: 637: 638: 639: 640: 641: 642: 643: 644: 645: 646: 647: 648: 649: 650: 651: 652: 653: 654: 655: 656: 657: 658: 659: 660: 661: 662: 663: 664: 665: 666: 667: 668: 669: 670: 671: 672: 673: 674: 675: 676: 677: 678: 679: 680: 681: 682: 683: 684: 685: 686: 687: 688: 689: 690: 691: 692: 693: 694: 695: 696: 697: 698: 699: 700: 701: 702: 703: 704: 705: 706: 707: 708: 709: 710: 711: 712: 713: 714: 715: 716: 717: 
<?php
/**
* Manages LDAP repository connection
*
* @package   davical
* @category  Technical
* @subpackage authentication/drivers
* @author    Maxime Delorme <mdelorme@tennaxia.net>,
*            Andrew McMillan <andrew@mcmillan.net.nz>
* @copyright Maxime Delorme
* @license   http://gnu.org/copyleft/gpl.html GNU GPL v2 or later
*/

require_once("auth-functions.php");

/**
 * Plugin to authenticate and sync with LDAP
 */
class ldapDriver
{
  /**#@+
  * @access private
  */

  /**
  * Holds the LDAP connection parameters
  */
  var $connect;

  /**#@-*/


  /**
  * Initializes the LDAP connection
  *
  * @param array $config The configuration data
  */
  function __construct($config)
  {
      global $c;
      $host=$config['host'];
      $port=$config['port'];
      if(!function_exists('ldap_connect')){
          $c->messages[] = i18n("drivers_ldap : function ldap_connect not defined, check your php_ldap module");
          $this->valid=false;
          return ;
      }

      //Set LDAP protocol version
      if (isset($config['protocolVersion']))
          ldap_set_option($this->connect, LDAP_OPT_PROTOCOL_VERSION, $config['protocolVersion']);
      if (isset($config['optReferrals']))
          ldap_set_option($this->connect, LDAP_OPT_REFERRALS, $config['optReferrals']);
      if (isset($config['networkTimeout']))
          ldap_set_option($this->connect, LDAP_OPT_NETWORK_TIMEOUT, $config['networkTimeout']);

      if ($port)
          $this->connect=ldap_connect($host, $port);
      else
          $this->connect=ldap_connect($host);

      if (! $this->connect){
          $c->messages[] = sprintf(translate( 'drivers_ldap : Unable to connect to LDAP with port %s on host %s'), $port, $host );
          $this->valid=false;
          return ;
      }

      dbg_error_log( "LDAP", "drivers_ldap : Connected to LDAP server %s",$host );

      // Start TLS if desired (requires protocol version 3)
      if (isset($config['startTLS'])) {
        if (!ldap_set_option($this->connect, LDAP_OPT_PROTOCOL_VERSION, 3)) {
          $c->messages[] = i18n('drivers_ldap : Failed to set LDAP to use protocol version 3, TLS not supported');
          $this->valid=false;
          return;
        }
        if (!ldap_start_tls($this->connect)) {
          $c->messages[] = i18n('drivers_ldap : Could not start TLS: ldap_start_tls() failed');
          $this->valid=false;
          return;
        }
      }

      //Set the search scope to be used, default to subtree.  This sets the functions to be called later.
      if (!isset($config['scope'])) $config['scope'] = 'subtree';
      switch (strtolower($config['scope'])) {
      case "base":
        $this->ldap_query_one = 'ldap_read';
        $this->ldap_query_all = 'ldap_read';
        break;
      case "onelevel":
        $this->ldap_query_one = 'ldap_list';
        $this->ldap_query_all = 'ldap_search';
        break;
      default:
        $this->ldap_query_one = 'ldap_search';
        $this->ldap_query_all = 'ldap_search';
        break;
      }

      //connect as root
      if (!ldap_bind($this->connect, (isset($config['bindDN']) ? $config['bindDN'] : null), (isset($config['passDN']) ? $config['passDN'] : null) ) ){
          $bindDN = isset($config['bindDN']) ? $config['bindDN'] : 'anonymous';
          $passDN = isset($config['passDN']) ? $config['passDN'] : 'anonymous';
          dbg_error_log( "LDAP", i18n('drivers_ldap : Failed to bind to host %1$s on port %2$s with bindDN of %3$s'), $host, $port, $bindDN );
          $c->messages[] = i18n( 'drivers_ldap : Unable to bind to LDAP - check your configuration for bindDN and passDN, and that your LDAP server is reachable');
          $this->valid=false;
          return ;
      }
      $this->valid = true;
      //root to start search
      $this->baseDNUsers  = is_string($config['baseDNUsers']) ? array($config['baseDNUsers']) : $config['baseDNUsers'];
      $this->filterUsers  = (isset($config['filterUsers'])  ? $config['filterUsers']  : null);
      $this->baseDNGroups = is_string($config['baseDNGroups']) ? array($config['baseDNGroups']) : $config['baseDNGroups'];
      $this->filterGroups = (isset($config['filterGroups']) ? $config['filterGroups'] : null);
  }

  /**
  * Retrieve all users from the LDAP directory
  */
  function getAllUsers($attributes){
    global $c;

    $query = $this->ldap_query_all;
    $ret = array();

    foreach($this->baseDNUsers as $baseDNUsers) {
      $entry = $query($this->connect,$baseDNUsers,$this->filterUsers,$attributes);

      if (!ldap_first_entry($this->connect,$entry)) {
        $c->messages[] = sprintf(translate('Error NoUserFound with filter >%s<, attributes >%s< , dn >%s<'),
                                 $this->filterUsers,
                                 join(', ', $attributes),
                                 $baseDNUsers);
      }
      $row = array();
      for($i = ldap_first_entry($this->connect,$entry);
          $i && $arr = ldap_get_attributes($this->connect,$i);
          $i = ldap_next_entry($this->connect,$i) ) {
        $row = array();
        for ($j=0; $j < $arr['count']; $j++) {
          $row[$arr[$j]] = $arr[$arr[$j]][0];
        }
        $ret[]=$row;
      }
    }
    return $ret;
  }

  /**
  * Retrieve all groups from the LDAP directory
  */
  function getAllGroups($attributes){
    global $c;

    $query = $this->ldap_query_all;
    $ret = array();

    foreach($this->baseDNGroups as $baseDNGroups) {
      $entry = $query($this->connect,$baseDNGroups,$this->filterGroups,$attributes);

      if (!ldap_first_entry($this->connect,$entry)) {
        $c->messages[] = sprintf(translate('Error NoGroupFound with filter >%s<, attributes >%s< , dn >%s<'),
                                 $this->filterGroups,
                                 join(', ', $attributes),
                                 $baseDNGroups);
      }
      $row = array();
      for($i = ldap_first_entry($this->connect,$entry);
          $i && $arr = ldap_get_attributes($this->connect,$i);
          $i = ldap_next_entry($this->connect,$i) ) {
        for ($j=0; $j < $arr['count']; $j++) {
          $row[$arr[$j]] = count($arr[$arr[$j]])>2?$arr[$arr[$j]]:$arr[$arr[$j]][0];
        }
        $ret[]=$row;
        unset($row);
      }
    }
    return $ret;
  }

  /**
    * Returns the result of the LDAP query
    *
    * @param string $filter The filter used to search entries
    * @param array $attributes Attributes to be returned
    * @param string $passwd password to check
    * @return array Contains selected attributes from all entries corresponding to the given filter
    */
  function requestUser( $filter, $attributes=NULL, $username, $passwd) {
    global $c;

    $entry=NULL;
    // We get the DN of the USER
    $query = $this->ldap_query_one;

    foreach($this->baseDNUsers as $baseDNUsers) {
      $entry = $query($this->connect, $baseDNUsers, $filter, $attributes);

      if (ldap_first_entry($this->connect,$entry) )
        break;

      dbg_error_log( "LDAP", "drivers_ldap : Failed to find user with baseDN: %s", $baseDNUsers );
    }

    if ( !ldap_first_entry($this->connect, $entry) ){
      dbg_error_log( "ERROR", "drivers_ldap : Unable to find the user with filter %s",$filter );
      return false;
    } else {
      dbg_error_log( "LDAP", "drivers_ldap : Found a user using filter %s",$filter );
    }

    $dnUser = ldap_get_dn($this->connect, ldap_first_entry($this->connect,$entry));

    if ( isset($c->authenticate_hook['config']['i_use_mode_kerberos']) && $c->authenticate_hook['config']['i_use_mode_kerberos'] == "i_know_what_i_am_doing") {
      if (isset($_SERVER["REMOTE_USER"])) {
        dbg_error_log( "LOG", "drivers_ldap : Skipping password Check for user %s which should be the same as %s",$username , $_SERVER["REMOTE_USER"]);
        if ($username != $_SERVER["REMOTE_USER"]) {
          return false;
        }
      } else {
        dbg_error_log( "LOG", "drivers_ldap : Skipping password Check for user %s which should be the same as %s",$username , $_SERVER["REDIRECT_REMOTE_USER"]);
        if ($username != $_SERVER["REDIRECT_REMOTE_USER"]) {
          return false;
        }
      }
    }
    else if ( empty($passwd) || preg_match('/[\x00-\x19]/',$passwd) ) {
      // See http://www.php.net/manual/en/function.ldap-bind.php#73718 for more background
      dbg_error_log( 'LDAP', 'drivers_ldap : user %s supplied empty or invalid password: login rejected', $dnUser );
      return false;
    }
    else {
      if ( !@ldap_bind($this->connect, $dnUser, $passwd) ) {
        dbg_error_log( "LDAP", "drivers_ldap : Failed to bind to user %s ", $dnUser );
        return false;
      }
    }

    dbg_error_log( "LDAP", "drivers_ldap : Bound to user %s using password %s", $dnUser,
          (isset($c->dbg['password']) && $c->dbg['password'] ? $passwd : 'another delicious password for the debugging monster!') );

    $i = ldap_first_entry($this->connect,$entry);
    $arr = ldap_get_attributes($this->connect,$i);
    for( $i=0; $i<$arr['count']; $i++ ) {
      $ret[$arr[$i]]=$arr[$arr[$i]][0];
    }
    return $ret;

  }
}


/**
* A generic function to create and fetch static objects
*/
function getStaticLdap() {
  global $c;
  // Declare a static variable to hold the object instance
  static $instance;

  // If the instance is not there, create one
  if(!isset($instance)) {
    $ldapDriver = new ldapDriver($c->authenticate_hook['config']);

    if ($ldapDriver->valid) {
        $instance = $ldapDriver;
    }
  }
  else {
      $ldapDriver = $instance;
  }
  return $ldapDriver;
}


/**
* Synchronise a cached user with one from LDAP
* @param object $principal A Principal object to be updated (or created)
*/
function sync_user_from_LDAP( Principal &$principal, $mapping, $ldap_values ) {
  global $c;

  dbg_error_log( "LDAP", "Going to sync the user from LDAP" );

  $fields_to_set = array();
  $updateable_fields = Principal::updateableFields();
  foreach( $updateable_fields AS $field ) {
    if ( isset($mapping[$field]) ) {
      $tab_part_fields = explode(',',$mapping[$field]);
      foreach( $tab_part_fields as $part_field ) {
        if ( isset($ldap_values[$part_field]) ) {
          if (isset($fields_to_set[$field]) ) {
            $fields_to_set[$field] .= ' '.$ldap_values[$part_field];
          }
          else {
            $fields_to_set[$field] = $ldap_values[$part_field];
          }
        }
      }
      dbg_error_log( "LDAP", "Setting usr->%s to %s from LDAP field %s", $field, $fields_to_set[$field], $mapping[$field] );
    }
    else if ( isset($c->authenticate_hook['config']['default_value']) && is_array($c->authenticate_hook['config']['default_value'])
              && isset($c->authenticate_hook['config']['default_value'][$field] ) ) {
      $fields_to_set[$field] = $c->authenticate_hook['config']['default_value'][$field];
      dbg_error_log( "LDAP", "Setting usr->%s to %s from configured defaults", $field, $c->authenticate_hook['config']['default_value'][$field] );
    }
  }

  if ( $principal->Exists() ) {
    $principal->Update($fields_to_set);
  }
  else {
    $principal->Create($fields_to_set);
    CreateHomeCollections($principal->username(), $c->default_timezone);
    CreateDefaultRelationships($principal->username());
  }
}

/**
* explode the multipart mapping
*/
function array_values_mapping($mapping){
  $attributes=array();
  foreach ( $mapping as $field ) {
    $tab_part_field = explode(",",$field);
    foreach( $tab_part_field as $part_field ) {
      $attributes[] = $part_field;
    }
  }
  return $attributes;
}

/**
* Check the username / password against the LDAP server
*/
function LDAP_check($username, $password ){
  global $c;

  $ldapDriver = getStaticLdap();
  if ( !$ldapDriver->valid ) {
    sleep(1);  // Sleep very briefly to try and survive intermittent issues
    $ldapDriver = getStaticLdap();
    if ( !$ldapDriver->valid ) {
      dbg_error_log( "ERROR", "Couldn't contact LDAP server for authentication" );
      foreach($c->messages as $msg) {
          dbg_error_log( "ERROR", "-> ".$msg );
      }
      header( sprintf("HTTP/1.1 %d %s", 503, translate("Authentication server unavailable.")) );
      exit(0);
    }
  }

  $mapping = $c->authenticate_hook['config']['mapping_field'];
  if ( isset($mapping['active']) && !isset($mapping['user_active']) ) {
    // Backward compatibility: now 'user_active'
    $mapping['user_active'] = $mapping['active'];
    unset($mapping['active']);
  }
  if ( isset($mapping['updated']) && !isset($mapping['modified']) ) {
    // Backward compatibility: now 'modified'
    $mapping['modified'] = $mapping['updated'];
    unset($mapping['updated']);
  }
  $attributes = array_values_mapping($mapping);

  /**
  * If the config contains a filter that starts with a ( then believe
  * them and don't modify it, otherwise wrap the filter.
  */
  $filter_munge = "";
  if ( preg_match( '/^\(/', $ldapDriver->filterUsers ) ) {
    $filter_munge = $ldapDriver->filterUsers;
  }
  else if ( isset($ldapDriver->filterUsers) && $ldapDriver->filterUsers != '' ) {
    $filter_munge = "($ldapDriver->filterUsers)";
  }

  $filter = "(&$filter_munge(".$mapping['username']."=$username))";
  $valid = $ldapDriver->requestUser( $filter, $attributes, $username, $password );

  // is a valid user or not
  if ( !$valid ) {
    dbg_error_log( "LDAP", "user %s is not a valid user",$username );
    return false;
  }

  if ( $mapping['modified'] != "" && array_key_exists($mapping['modified'], $valid)) {
    $ldap_timestamp = $valid[$mapping['modified']];
  } else {
    $ldap_timestamp = '19700101000000';
  }

  /**
  * This splits the LDAP timestamp apart and assigns values to $Y $m $d $H $M and $S
  */
  foreach($c->authenticate_hook['config']['format_updated'] as $k => $v)
    $$k = substr($ldap_timestamp,$v[0],$v[1]);

  $ldap_timestamp = "$Y"."$m"."$d"."$H"."$M"."$S";
  if ($mapping['modified'] != "" && array_key_exists($mapping['modified'], $valid)) {
    $valid[$mapping['modified']] = "$Y-$m-$d $H:$M:$S";
  }

  $principal = new Principal('username',$username);
  if ( $principal->Exists() ) {
    // should we update it ?
    $db_timestamp = $principal->modified;
    $db_timestamp = substr(strtr($db_timestamp, array(':' => '',' '=>'','-'=>'')),0,14);
    if( $ldap_timestamp <= $db_timestamp ) {
        return $principal; // no need to update
    }
    // we will need to update the user record
  }
  else {
    dbg_error_log( "LDAP", "user %s doesn't exist in local DB, we need to create it",$username );
  }
  $principal->setUsername($username);

  // The local cached user doesn't exist, or is older, so we create/update their details
  sync_user_from_LDAP( $principal, $mapping, $valid );

  return $principal;

}

/**
* turn a list of uniqueMember into member strings
*/
function fix_unique_member($list) {
  $fixed_list = array();
  foreach ( $list as $member ){
    list( $mem, $rest ) = explode(",", $member );
    $member = str_replace( 'uid=', '', $mem );
    array_unshift( $fixed_list, $member );
  }
  return $fixed_list;
}

/**
* sync LDAP Groups against the DB
*/
function sync_LDAP_groups(){
  global $c;
  $ldapDriver = getStaticLdap();
  if ( ! $ldapDriver->valid ) return;

  $mapping = $c->authenticate_hook['config']['group_mapping_field'];
  //$attributes = array('cn','modifyTimestamp','memberUid');
  $attributes = array_values_mapping($mapping);
  $ldap_groups_tmp = $ldapDriver->getAllGroups($attributes);

  if ( sizeof($ldap_groups_tmp) == 0 ) return;

  $member_field = $mapping['members'];
  $dnfix = isset($c->authenticate_hook['config']['group_member_dnfix']) && $c->authenticate_hook['config']['group_member_dnfix'];

  foreach($ldap_groups_tmp as $key => $ldap_group){
    $group_mapping = $ldap_group[$mapping['username']];
    $ldap_groups_info[$group_mapping] = $ldap_group;
    if ( is_array($ldap_groups_info[$group_mapping][$member_field]) ) {
      unset( $ldap_groups_info[$group_mapping][$member_field]['count'] );
    }
    else {
      $ldap_groups_info[$group_mapping][$member_field] = array($ldap_groups_info[$group_mapping][$member_field]);
    }
    unset($ldap_groups_tmp[$key]);
  }
  $db_groups = array();
  $db_group_members = array();
  $qry = new AwlQuery( "SELECT g.username AS group_name, member.username AS member_name FROM dav_principal g LEFT JOIN group_member ON (g.principal_id=group_member.group_id) LEFT JOIN dav_principal member  ON (member.principal_id=group_member.member_id) WHERE g.type_id = 3");
  $qry->Exec('sync_LDAP',__LINE__,__FILE__);
  while($db_group = $qry->Fetch()) {
    $db_groups[$db_group->group_name] = $db_group->group_name;
    $db_group_members[$db_group->group_name][] = $db_group->member_name;
  }

  $ldap_groups = array_keys($ldap_groups_info);
  // users only in ldap
  $groups_to_create = array_diff($ldap_groups,$db_groups);
  // users only in db
  $groups_to_deactivate = array_diff($db_groups,$ldap_groups);
  // users present in ldap and in the db
  $groups_to_update = array_intersect($db_groups,$ldap_groups);

  if ( sizeof ( $groups_to_create ) ){
    $c->messages[] = sprintf(i18n('- creating groups : %s'),join(', ',$groups_to_create));
    $validUserFields = awl_get_fields('usr');
    foreach ( $groups_to_create as $k => $group ){
      $user = (object) array();

      if ( isset($c->authenticate_hook['config']['default_value']) && is_array($c->authenticate_hook['config']['default_value']) ) {
        foreach ( $c->authenticate_hook['config']['default_value'] as $field => $value ) {
          if ( isset($validUserFields[$field]) ) {
            $user->{$field} =  $value;
            dbg_error_log( "LDAP", "Setting usr->%s to %s from configured defaults", $field, $value );
          }
        }
      }
      $user->user_no = 0;
      $ldap_values = $ldap_groups_info[$group];
      foreach ( $mapping as $field => $value ) {
        dbg_error_log( "LDAP", "Considering copying %s", $field );
        if ( isset($validUserFields[$field]) ) {
          $user->{$field} =  $ldap_values[$value];
          dbg_error_log( "LDAP", "Setting usr->%s to %s from LDAP field %s", $field, $ldap_values[$value], $value );
        }
      }
      if ($user->fullname=="") {
        $user->fullname = $group;
      }
      if ($user->displayname=="") {
        $user->displayname = $group;
      }
      $user->username = $group;
      $user->updated = "now";  /** @todo Use the 'updated' timestamp from LDAP for groups too */

      $principal = new Principal('username',$group);
      if ( $principal->Exists() ) {
        $principal->Update($user);
      }
      else {
        $principal->Create($user);
      }

      $qry = new AwlQuery( "UPDATE dav_principal set type_id = 3 WHERE username=:group ",array(':group'=>$group) );
      $qry->Exec('sync_LDAP',__LINE__,__FILE__);
      Principal::cacheDelete('username', $group);
      $c->messages[] = sprintf(i18n('- adding users %s to group : %s'),join(',',$ldap_groups_info[$group][$mapping['members']]),$group);
      foreach ( $ldap_groups_info[$group][$mapping['members']] as $member ){
        if ( $member_field == 'uniqueMember' || $dnfix ) {
          list( $mem, $rest ) = explode(",", $member );
          $member = str_replace( 'uid=', '', $mem );
        }
        $qry = new AwlQuery( "INSERT INTO group_member SELECT g.principal_id AS group_id,u.principal_id AS member_id FROM dav_principal g, dav_principal u WHERE g.username=:group AND u.username=:member;",array (':group'=>$group,':member'=>$member) );
        $qry->Exec('sync_LDAP_groups',__LINE__,__FILE__);
        Principal::cacheDelete('username', $member);
      }
    }
  }

  if ( sizeof ( $groups_to_update ) ){
    $c->messages[] = sprintf(i18n('- updating groups : %s'),join(', ',$groups_to_update));
    foreach ( $groups_to_update as $group ){
      $db_members = array_values ( $db_group_members[$group] );
      $ldap_members = array_values ( $ldap_groups_info[$group][$member_field] );
      if ( $member_field == 'uniqueMember' || $dnfix ) {
        $ldap_members = fix_unique_member( $ldap_members );
      }
      $add_users = array_diff ( $ldap_members, $db_members );
      if ( sizeof ( $add_users ) ){
        $c->messages[] = sprintf(i18n('- adding %s to group : %s'),join(', ', $add_users ), $group);
        foreach ( $add_users as $member ){
          $qry = new AwlQuery( "INSERT INTO group_member SELECT g.principal_id AS group_id,u.principal_id AS member_id FROM dav_principal g, dav_principal u WHERE g.username=:group AND u.username=:member",array (':group'=>$group,':member'=>$member) );
          $qry->Exec('sync_LDAP_groups',__LINE__,__FILE__);
          Principal::cacheDelete('username', $member);
        }
      }
      $remove_users = @array_flip( @array_flip( array_diff( $db_members, $ldap_members ) ));
      if ( sizeof ( $remove_users ) ){
        $c->messages[] = sprintf(i18n('- removing %s from group : %s'),join(', ', $remove_users ), $group);
        foreach ( $remove_users as $member ){
          $qry = new AwlQuery( "DELETE FROM group_member USING dav_principal g,dav_principal m WHERE group_id=g.principal_id AND member_id=m.principal_id AND g.username=:group AND m.username=:member",array (':group'=>$group,':member'=>$member) );
          $qry->Exec('sync_LDAP_groups',__LINE__,__FILE__);
          Principal::cacheDelete('username', $member);
        }
      }
    }
  }

  if ( sizeof ( $groups_to_deactivate ) ){
    $c->messages[] = sprintf(i18n('- deactivate groups : %s'),join(', ',$groups_to_deactivate));
    foreach ( $groups_to_deactivate as $group ){
      $qry = new AwlQuery( 'UPDATE dav_principal SET user_active=FALSE WHERE username=:group AND type_id = 3',array(':group'=>$group) );
      $qry->Exec('sync_LDAP',__LINE__,__FILE__);
      Principal::cacheFlush('username=:group AND type_id = 3', array(':group'=>$group) );
    }
  }

}

/**
* sync LDAP against the DB
*/
function sync_LDAP(){
  global $c;
  $ldapDriver = getStaticLdap();
  if ( ! $ldapDriver->valid ) return;

  $mapping = $c->authenticate_hook['config']['mapping_field'];
  $attributes = array_values_mapping($mapping);
  $ldap_users_tmp = $ldapDriver->getAllUsers($attributes);

  if ( sizeof($ldap_users_tmp) == 0 ) return;

  foreach($ldap_users_tmp as $key => $ldap_user){
    $ldap_users_info[$ldap_user[$mapping['username']]] = $ldap_user;
    unset($ldap_users_tmp[$key]);
  }
  $qry = new AwlQuery( "SELECT username, user_no, modified as updated FROM dav_principal where type_id=1");
  $qry->Exec('sync_LDAP',__LINE__,__FILE__);
  while($db_user = $qry->Fetch()) {
    $db_users[] = $db_user->username;
    $db_users_info[$db_user->username] = array('user_no' => $db_user->user_no, 'updated' => $db_user->updated);
  }

  // all users from ldap
  $ldap_users = array_keys($ldap_users_info);
  // users only in ldap
  $users_to_create = array_diff($ldap_users,$db_users);
  // users only in db
  $users_to_deactivate = array_diff($db_users,$ldap_users);
  // users present in ldap and in the db
  $users_to_update = array_intersect($db_users,$ldap_users);

  // creation of all users;
  if ( sizeof($users_to_create) ) {
    $c->messages[] = sprintf(i18n('- creating record for users :  %s'),join(', ',$users_to_create));

    foreach( $users_to_create as $username ) {
      $principal = new Principal( 'username', $username );
      $valid = $ldap_users_info[$username];
      if ( $mapping['modified'] != "" && array_key_exists($mapping['modified'], $valid)) {
        $ldap_timestamp = $valid[$mapping['modified']];
      } else {
        $ldap_timestamp = '19700101000000';
      }

      if ( !empty($c->authenticate_hook['config']['format_updated']) ) {
        /**
        * This splits the LDAP timestamp apart and assigns values to $Y $m $d $H $M and $S
        */
        foreach($c->authenticate_hook['config']['format_updated'] as $k => $v)
            $$k = substr($ldap_timestamp,$v[0],$v[1]);
        $ldap_timestamp = $Y.$m.$d.$H.$M.$S;
      }
      else if ( preg_match('{^(\d{8})(\d{6})(Z)?$', $ldap_timestamp, $matches ) ) {
        $ldap_timestamp = $matches[1].'T'.$matches[2].$matches[3];
      }
      else if ( empty($ldap_timestamp) ) {
        $ldap_timestamp = date('c');
      }
      if ( $mapping['modified'] != "" && array_key_exists($mapping['modified'], $valid)) {
        $valid[$mapping['modified']] = $ldap_timestamp;
      }

      sync_user_from_LDAP( $principal, $mapping, $valid );
    }
  }

  // deactivating all users
  $params = array();
  $i = 0;
  $paramstring = '';
  foreach( $users_to_deactivate AS $v ) {
    if ( isset($c->do_not_sync_from_ldap) && isset($c->do_not_sync_from_ldap[$v]) ) continue;
    if ( $i > 0 ) $paramstring .= ',';
    $paramstring .= ':u'.$i.'::text';
    $params[':u'.$i++] = strtolower($v);
  }
  if ( count($params) > 0 ) {
    $c->messages[] = sprintf(i18n('- deactivating users : %s'),join(', ',$users_to_deactivate));
    $qry = new AwlQuery( 'UPDATE usr SET active = FALSE WHERE lower(username) IN ('.$paramstring.')', $params);
    $qry->Exec('sync_LDAP',__LINE__,__FILE__);

    Principal::cacheFlush('lower(username) IN ('.$paramstring.')', $params);
  }

  // updating all users
  if ( sizeof($users_to_update) ) {
    foreach ( $users_to_update as $key=> $username ) {
      $principal = new Principal( 'username', $username );
      $valid=$ldap_users_info[$username];
      if ( $mapping['modified'] != "" && array_key_exists($mapping['modified'], $valid)) {
        $ldap_timestamp = $valid[$mapping['modified']];
      } else {
        $ldap_timestamp = '19700101000000';
      }

      $valid['user_no'] = $db_users_info[$username]['user_no'];
      $mapping['user_no'] = 'user_no';

      /**
      * This splits the LDAP timestamp apart and assigns values to $Y $m $d $H $M and $S
      */
      foreach($c->authenticate_hook['config']['format_updated'] as $k => $v) {
        $$k = substr($ldap_timestamp,$v[0],$v[1]);
      }
      $ldap_timestamp = $Y.$m.$d.$H.$M.$S;
      $valid[$mapping['modified']] = "$Y-$m-$d $H:$M:$S";

      $db_timestamp = substr(strtr($db_users_info[$username]['updated'], array(':' => '',' '=>'','-'=>'')),0,14);
      if ( $ldap_timestamp > $db_timestamp ) {
        sync_user_from_LDAP($principal, $mapping, $valid );
      }
      else {
        unset($users_to_update[$key]);
        $users_nothing_done[] = $username;
      }
    }
    if ( sizeof($users_to_update) )
      $c->messages[] = sprintf(i18n('- updating user records : %s'),join(', ',$users_to_update));
    if ( sizeof($users_nothing_done) )
      $c->messages[] = sprintf(i18n('- nothing done on : %s'),join(', ', $users_nothing_done));
  }

  $admins = 0;
  $qry = new AwlQuery( "SELECT count(*) AS admins FROM usr JOIN role_member USING ( user_no ) JOIN roles USING (role_no) WHERE usr.active=TRUE AND role_name='Admin'");
  $qry->Exec('sync_LDAP',__LINE__,__FILE__);
  while ( $db_user = $qry->Fetch() ) {
    $admins = $db_user->admins;
  }
  if ( $admins == 0 ) {
    $c->messages[] = sprintf(i18n('Warning: there are no active admin users! You should fix this before logging out.  Consider using the $c->do_not_sync_from_ldap configuration setting.'));
  }
}
DAViCal API documentation generated by ApiGen