2016-07-22 11:46:29 +03:00
|
|
|
<?php
|
|
|
|
/**
|
2016-07-28 10:13:00 +03:00
|
|
|
* @copyright Copyright (c) 2016, Roger Szabo (roger.szabo@web.de)
|
2016-07-22 11:46:29 +03:00
|
|
|
*
|
2019-12-03 21:57:53 +03:00
|
|
|
* @author Arthur Schiwon <blizzz@arthur-schiwon.de>
|
2017-11-06 17:56:42 +03:00
|
|
|
* @author Joas Schilling <coding@schilljs.com>
|
2019-12-03 21:57:53 +03:00
|
|
|
* @author Roeland Jago Douma <roeland@famdouma.nl>
|
2017-11-02 15:40:38 +03:00
|
|
|
* @author Roger Szabo <roger.szabo@web.de>
|
2017-11-06 17:56:42 +03:00
|
|
|
* @author root <root@localhost.localdomain>
|
|
|
|
* @author Vinicius Cubas Brand <vinicius@eita.org.br>
|
2017-11-02 15:40:38 +03:00
|
|
|
*
|
2016-07-28 10:13:00 +03:00
|
|
|
* @license GNU AGPL version 3 or any later version
|
|
|
|
*
|
|
|
|
* This program is free software: you can redistribute it and/or modify
|
|
|
|
* it under the terms of the GNU Affero General Public License as
|
|
|
|
* published by the Free Software Foundation, either version 3 of the
|
|
|
|
* License, or (at your option) any later version.
|
2016-07-22 11:46:29 +03:00
|
|
|
*
|
|
|
|
* This program is distributed in the hope that it will be useful,
|
|
|
|
* but WITHOUT ANY WARRANTY; without even the implied warranty of
|
2016-07-28 10:13:00 +03:00
|
|
|
* MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
|
2016-07-22 11:46:29 +03:00
|
|
|
* GNU Affero General Public License for more details.
|
|
|
|
*
|
2016-07-28 10:13:00 +03:00
|
|
|
* You should have received a copy of the GNU Affero General Public License
|
2019-12-03 21:57:53 +03:00
|
|
|
* along with this program. If not, see <http://www.gnu.org/licenses/>.
|
2016-07-22 11:46:29 +03:00
|
|
|
*
|
|
|
|
*/
|
|
|
|
|
|
|
|
namespace OCA\User_LDAP;
|
|
|
|
|
|
|
|
use OCA\User_LDAP\User\DeletedUsersIndex;
|
2019-11-22 22:52:10 +03:00
|
|
|
use OCP\IServerContainer;
|
|
|
|
use OCP\LDAP\IDeletionFlagSupport;
|
|
|
|
use OCP\LDAP\ILDAPProvider;
|
2016-07-22 11:46:29 +03:00
|
|
|
|
|
|
|
/**
|
|
|
|
* LDAP provider for pulic access to the LDAP backend.
|
|
|
|
*/
|
|
|
|
class LDAPProvider implements ILDAPProvider, IDeletionFlagSupport {
|
|
|
|
|
2017-11-02 15:40:38 +03:00
|
|
|
private $userBackend;
|
|
|
|
private $groupBackend;
|
2016-07-22 11:46:29 +03:00
|
|
|
private $logger;
|
|
|
|
private $helper;
|
|
|
|
private $deletedUsersIndex;
|
|
|
|
|
|
|
|
/**
|
|
|
|
* Create new LDAPProvider
|
|
|
|
* @param \OCP\IServerContainer $serverContainer
|
2017-11-03 01:19:03 +03:00
|
|
|
* @param Helper $helper
|
|
|
|
* @param DeletedUsersIndex $deletedUsersIndex
|
2016-07-22 11:46:29 +03:00
|
|
|
* @throws \Exception if user_ldap app was not enabled
|
|
|
|
*/
|
|
|
|
public function __construct(IServerContainer $serverContainer, Helper $helper, DeletedUsersIndex $deletedUsersIndex) {
|
|
|
|
$this->logger = $serverContainer->getLogger();
|
|
|
|
$this->helper = $helper;
|
|
|
|
$this->deletedUsersIndex = $deletedUsersIndex;
|
2017-11-02 15:40:38 +03:00
|
|
|
$userBackendFound = false;
|
|
|
|
$groupBackendFound = false;
|
2016-07-22 11:46:29 +03:00
|
|
|
foreach ($serverContainer->getUserManager()->getBackends() as $backend){
|
2017-11-02 15:40:38 +03:00
|
|
|
$this->logger->debug('instance '.get_class($backend).' user backend.', ['app' => 'user_ldap']);
|
2016-07-22 11:46:29 +03:00
|
|
|
if ($backend instanceof IUserLDAP) {
|
2017-11-02 15:40:38 +03:00
|
|
|
$this->userBackend = $backend;
|
|
|
|
$userBackendFound = true;
|
|
|
|
break;
|
2016-07-22 11:46:29 +03:00
|
|
|
}
|
2020-04-09 10:22:29 +03:00
|
|
|
}
|
2017-11-02 15:40:38 +03:00
|
|
|
foreach ($serverContainer->getGroupManager()->getBackends() as $backend){
|
|
|
|
$this->logger->debug('instance '.get_class($backend).' group backend.', ['app' => 'user_ldap']);
|
|
|
|
if ($backend instanceof IGroupLDAP) {
|
|
|
|
$this->groupBackend = $backend;
|
|
|
|
$groupBackendFound = true;
|
|
|
|
break;
|
|
|
|
}
|
|
|
|
}
|
|
|
|
|
2020-04-09 10:22:29 +03:00
|
|
|
if (!$userBackendFound or !$groupBackendFound) {
|
2017-11-02 15:40:38 +03:00
|
|
|
throw new \Exception('To use the LDAPProvider, user_ldap app must be enabled');
|
|
|
|
}
|
2016-07-22 11:46:29 +03:00
|
|
|
}
|
|
|
|
|
|
|
|
/**
|
2016-07-27 10:10:35 +03:00
|
|
|
* Translate an user id to LDAP DN
|
|
|
|
* @param string $uid user id
|
2016-07-22 11:46:29 +03:00
|
|
|
* @return string with the LDAP DN
|
|
|
|
* @throws \Exception if translation was unsuccessful
|
|
|
|
*/
|
|
|
|
public function getUserDN($uid) {
|
2017-11-02 15:40:38 +03:00
|
|
|
if(!$this->userBackend->userExists($uid)){
|
2016-07-22 11:46:29 +03:00
|
|
|
throw new \Exception('User id not found in LDAP');
|
|
|
|
}
|
2017-11-02 15:40:38 +03:00
|
|
|
$result = $this->userBackend->getLDAPAccess($uid)->username2dn($uid);
|
2016-07-22 11:46:29 +03:00
|
|
|
if(!$result){
|
|
|
|
throw new \Exception('Translation to LDAP DN unsuccessful');
|
|
|
|
}
|
|
|
|
return $result;
|
|
|
|
}
|
2017-11-02 15:40:38 +03:00
|
|
|
|
|
|
|
/**
|
|
|
|
* Translate a group id to LDAP DN.
|
|
|
|
* @param string $gid group id
|
|
|
|
* @return string
|
|
|
|
* @throws \Exception
|
|
|
|
*/
|
|
|
|
public function getGroupDN($gid) {
|
|
|
|
if(!$this->groupBackend->groupExists($gid)){
|
|
|
|
throw new \Exception('Group id not found in LDAP');
|
|
|
|
}
|
|
|
|
$result = $this->groupBackend->getLDAPAccess($gid)->groupname2dn($gid);
|
|
|
|
if(!$result){
|
|
|
|
throw new \Exception('Translation to LDAP DN unsuccessful');
|
|
|
|
}
|
|
|
|
return $result;
|
|
|
|
}
|
|
|
|
|
2016-07-22 11:46:29 +03:00
|
|
|
/**
|
2016-07-27 10:10:35 +03:00
|
|
|
* Translate a LDAP DN to an internal user name. If there is no mapping between
|
2016-07-22 11:46:29 +03:00
|
|
|
* the DN and the user name, a new one will be created.
|
|
|
|
* @param string $dn LDAP DN
|
2016-07-27 10:10:35 +03:00
|
|
|
* @return string with the internal user name
|
2016-07-22 11:46:29 +03:00
|
|
|
* @throws \Exception if translation was unsuccessful
|
|
|
|
*/
|
|
|
|
public function getUserName($dn) {
|
2017-11-02 15:40:38 +03:00
|
|
|
$result = $this->userBackend->dn2UserName($dn);
|
2016-07-22 11:46:29 +03:00
|
|
|
if(!$result){
|
2016-07-27 10:10:35 +03:00
|
|
|
throw new \Exception('Translation to internal user name unsuccessful');
|
2016-07-22 11:46:29 +03:00
|
|
|
}
|
|
|
|
return $result;
|
|
|
|
}
|
|
|
|
|
|
|
|
/**
|
|
|
|
* Convert a stored DN so it can be used as base parameter for LDAP queries.
|
|
|
|
* @param string $dn the DN in question
|
|
|
|
* @return string
|
|
|
|
*/
|
|
|
|
public function DNasBaseParameter($dn) {
|
|
|
|
return $this->helper->DNasBaseParameter($dn);
|
|
|
|
}
|
|
|
|
|
|
|
|
/**
|
|
|
|
* Sanitize a DN received from the LDAP server.
|
|
|
|
* @param array $dn the DN in question
|
|
|
|
* @return array the sanitized DN
|
|
|
|
*/
|
|
|
|
public function sanitizeDN($dn) {
|
|
|
|
return $this->helper->sanitizeDN($dn);
|
|
|
|
}
|
|
|
|
|
|
|
|
/**
|
|
|
|
* Return a new LDAP connection resource for the specified user.
|
|
|
|
* The connection must be closed manually.
|
2016-07-27 10:10:35 +03:00
|
|
|
* @param string $uid user id
|
2016-07-22 11:46:29 +03:00
|
|
|
* @return resource of the LDAP connection
|
|
|
|
* @throws \Exception if user id was not found in LDAP
|
|
|
|
*/
|
|
|
|
public function getLDAPConnection($uid) {
|
2017-11-02 15:40:38 +03:00
|
|
|
if(!$this->userBackend->userExists($uid)){
|
2016-07-22 11:46:29 +03:00
|
|
|
throw new \Exception('User id not found in LDAP');
|
|
|
|
}
|
2017-11-02 15:40:38 +03:00
|
|
|
return $this->userBackend->getNewLDAPConnection($uid);
|
|
|
|
}
|
|
|
|
|
|
|
|
/**
|
|
|
|
* Return a new LDAP connection resource for the specified user.
|
|
|
|
* The connection must be closed manually.
|
|
|
|
* @param string $gid group id
|
|
|
|
* @return resource of the LDAP connection
|
|
|
|
* @throws \Exception if group id was not found in LDAP
|
|
|
|
*/
|
|
|
|
public function getGroupLDAPConnection($gid) {
|
|
|
|
if(!$this->groupBackend->groupExists($gid)){
|
|
|
|
throw new \Exception('Group id not found in LDAP');
|
|
|
|
}
|
|
|
|
return $this->groupBackend->getNewLDAPConnection($gid);
|
2016-07-22 11:46:29 +03:00
|
|
|
}
|
|
|
|
|
|
|
|
/**
|
|
|
|
* Get the LDAP base for users.
|
2016-07-27 10:10:35 +03:00
|
|
|
* @param string $uid user id
|
2016-07-22 11:46:29 +03:00
|
|
|
* @return string the base for users
|
|
|
|
* @throws \Exception if user id was not found in LDAP
|
|
|
|
*/
|
|
|
|
public function getLDAPBaseUsers($uid) {
|
2017-11-02 15:40:38 +03:00
|
|
|
if(!$this->userBackend->userExists($uid)){
|
2016-07-22 11:46:29 +03:00
|
|
|
throw new \Exception('User id not found in LDAP');
|
2019-06-19 14:39:15 +03:00
|
|
|
}
|
|
|
|
$access = $this->userBackend->getLDAPAccess($uid);
|
|
|
|
$bases = $access->getConnection()->ldapBaseUsers;
|
|
|
|
$dn = $this->getUserDN($uid);
|
|
|
|
foreach ($bases as $base) {
|
|
|
|
if($access->isDNPartOfBase($dn, [$base])) {
|
|
|
|
return $base;
|
|
|
|
}
|
|
|
|
}
|
|
|
|
// should not occur, because the user does not qualify to use NC in this case
|
|
|
|
$this->logger->info(
|
|
|
|
'No matching user base found for user {dn}, available: {bases}.',
|
|
|
|
[
|
|
|
|
'app' => 'user_ldap',
|
|
|
|
'dn' => $dn,
|
|
|
|
'bases' => $bases,
|
|
|
|
]
|
|
|
|
);
|
|
|
|
return array_shift($bases);
|
2016-07-22 11:46:29 +03:00
|
|
|
}
|
|
|
|
|
|
|
|
/**
|
|
|
|
* Get the LDAP base for groups.
|
2016-07-27 10:10:35 +03:00
|
|
|
* @param string $uid user id
|
2016-07-22 11:46:29 +03:00
|
|
|
* @return string the base for groups
|
|
|
|
* @throws \Exception if user id was not found in LDAP
|
|
|
|
*/
|
|
|
|
public function getLDAPBaseGroups($uid) {
|
2017-11-02 15:40:38 +03:00
|
|
|
if(!$this->userBackend->userExists($uid)){
|
2016-07-22 11:46:29 +03:00
|
|
|
throw new \Exception('User id not found in LDAP');
|
|
|
|
}
|
2019-06-19 14:39:15 +03:00
|
|
|
$bases = $this->userBackend->getLDAPAccess($uid)->getConnection()->ldapBaseGroups;
|
|
|
|
return array_shift($bases);
|
2016-07-22 11:46:29 +03:00
|
|
|
}
|
|
|
|
|
|
|
|
/**
|
|
|
|
* Clear the cache if a cache is used, otherwise do nothing.
|
2016-07-27 10:10:35 +03:00
|
|
|
* @param string $uid user id
|
2016-07-22 11:46:29 +03:00
|
|
|
* @throws \Exception if user id was not found in LDAP
|
|
|
|
*/
|
|
|
|
public function clearCache($uid) {
|
2017-11-02 15:40:38 +03:00
|
|
|
if(!$this->userBackend->userExists($uid)){
|
2016-07-22 11:46:29 +03:00
|
|
|
throw new \Exception('User id not found in LDAP');
|
|
|
|
}
|
2017-11-02 15:40:38 +03:00
|
|
|
$this->userBackend->getLDAPAccess($uid)->getConnection()->clearCache();
|
|
|
|
}
|
|
|
|
|
|
|
|
/**
|
|
|
|
* Clear the cache if a cache is used, otherwise do nothing.
|
|
|
|
* Acts on the LDAP connection of a group
|
|
|
|
* @param string $gid group id
|
|
|
|
* @throws \Exception if user id was not found in LDAP
|
|
|
|
*/
|
|
|
|
public function clearGroupCache($gid) {
|
|
|
|
if(!$this->groupBackend->groupExists($gid)){
|
|
|
|
throw new \Exception('Group id not found in LDAP');
|
|
|
|
}
|
|
|
|
$this->groupBackend->getLDAPAccess($gid)->getConnection()->clearCache();
|
2016-07-22 11:46:29 +03:00
|
|
|
}
|
|
|
|
|
|
|
|
/**
|
|
|
|
* Check whether a LDAP DN exists
|
|
|
|
* @param string $dn LDAP DN
|
|
|
|
* @return bool whether the DN exists
|
|
|
|
*/
|
|
|
|
public function dnExists($dn) {
|
2017-11-02 15:40:38 +03:00
|
|
|
$result = $this->userBackend->dn2UserName($dn);
|
2016-07-22 11:46:29 +03:00
|
|
|
return !$result ? false : true;
|
|
|
|
}
|
|
|
|
|
|
|
|
/**
|
|
|
|
* Flag record for deletion.
|
2016-07-27 10:10:35 +03:00
|
|
|
* @param string $uid user id
|
2016-07-22 11:46:29 +03:00
|
|
|
*/
|
|
|
|
public function flagRecord($uid) {
|
|
|
|
$this->deletedUsersIndex->markUser($uid);
|
|
|
|
}
|
|
|
|
|
|
|
|
/**
|
|
|
|
* Unflag record for deletion.
|
2016-07-27 10:10:35 +03:00
|
|
|
* @param string $uid user id
|
2016-07-22 11:46:29 +03:00
|
|
|
*/
|
|
|
|
public function unflagRecord($uid) {
|
|
|
|
//do nothing
|
|
|
|
}
|
2017-11-02 15:40:38 +03:00
|
|
|
|
|
|
|
/**
|
|
|
|
* Get the LDAP attribute name for the user's display name
|
|
|
|
* @param string $uid user id
|
|
|
|
* @return string the display name field
|
|
|
|
* @throws \Exception if user id was not found in LDAP
|
|
|
|
*/
|
|
|
|
public function getLDAPDisplayNameField($uid) {
|
|
|
|
if(!$this->userBackend->userExists($uid)){
|
|
|
|
throw new \Exception('User id not found in LDAP');
|
|
|
|
}
|
|
|
|
return $this->userBackend->getLDAPAccess($uid)->getConnection()->getConfiguration()['ldap_display_name'];
|
|
|
|
}
|
|
|
|
|
|
|
|
/**
|
|
|
|
* Get the LDAP attribute name for the email
|
|
|
|
* @param string $uid user id
|
|
|
|
* @return string the email field
|
|
|
|
* @throws \Exception if user id was not found in LDAP
|
|
|
|
*/
|
|
|
|
public function getLDAPEmailField($uid) {
|
|
|
|
if(!$this->userBackend->userExists($uid)){
|
|
|
|
throw new \Exception('User id not found in LDAP');
|
|
|
|
}
|
|
|
|
return $this->userBackend->getLDAPAccess($uid)->getConnection()->getConfiguration()['ldap_email_attr'];
|
|
|
|
}
|
|
|
|
|
|
|
|
/**
|
|
|
|
* Get the LDAP type of association between users and groups
|
|
|
|
* @param string $gid group id
|
2019-05-17 17:19:23 +03:00
|
|
|
* @return string the configuration, one of: 'memberUid', 'uniqueMember', 'member', 'gidNumber', ''
|
2017-11-02 15:40:38 +03:00
|
|
|
* @throws \Exception if group id was not found in LDAP
|
|
|
|
*/
|
|
|
|
public function getLDAPGroupMemberAssoc($gid) {
|
|
|
|
if(!$this->groupBackend->groupExists($gid)){
|
|
|
|
throw new \Exception('Group id not found in LDAP');
|
|
|
|
}
|
|
|
|
return $this->groupBackend->getLDAPAccess($gid)->getConnection()->getConfiguration()['ldap_group_member_assoc_attribute'];
|
|
|
|
}
|
|
|
|
|
2016-07-22 11:46:29 +03:00
|
|
|
}
|