Merge pull request #3302 from owncloud/ldap_configurable_username_n_uuid

Ldap configurable username n uuid
This commit is contained in:
blizzz 2013-05-16 05:40:31 -07:00
commit 2d51eefcb8
9 changed files with 143 additions and 4 deletions

View File

@ -0,0 +1,35 @@
<?php
/**
* ownCloud - user_ldap
*
* @author Arthur Schiwon
* @copyright 2013 Arthur Schiwon blizzz@owncloud.com
*
* This library is free software; you can redistribute it and/or
* modify it under the terms of the GNU AFFERO GENERAL PUBLIC LICENSE
* License as published by the Free Software Foundation; either
* version 3 of the License, or any later version.
*
* This library is distributed in the hope that it will be useful,
* but WITHOUT ANY WARRANTY; without even the implied warranty of
* MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
* GNU AFFERO GENERAL PUBLIC LICENSE for more details.
*
* You should have received a copy of the GNU Affero General Public
* License along with this library. If not, see <http://www.gnu.org/licenses/>.
*
*/
// Check user and app status
OCP\JSON::checkAdminUser();
OCP\JSON::checkAppEnabled('user_ldap');
OCP\JSON::callCheck();
$subject = $_POST['ldap_clear_mapping'];
if(\OCA\user_ldap\lib\Helper::clearMapping($subject)) {
OCP\JSON::success();
} else {
$l=OC_L10N::get('user_ldap');
OCP\JSON::error(array('message' => $l->t('Failed to clear the mappings.')));
}

View File

@ -11,6 +11,10 @@
display: inline-block; display: inline-block;
} }
.ldapIndent {
margin-left: 50px;
}
.ldapwarning { .ldapwarning {
margin-left: 1.4em; margin-left: 1.4em;
color: #FF3B3B; color: #FF3B3B;

View File

@ -99,6 +99,26 @@ var LdapConfiguration = {
} }
} }
); );
},
clearMappings: function(mappingSubject) {
$.post(
OC.filePath('user_ldap','ajax','clearMappings.php'),
'ldap_clear_mapping='+mappingSubject,
function(result) {
if(result.status == 'success') {
OC.dialogs.info(
t('user_ldap', 'mappings cleared'),
t('user_ldap', 'Success')
);
} else {
OC.dialogs.alert(
result.message,
t('user_ldap', 'Error')
);
}
}
);
} }
} }
@ -166,6 +186,16 @@ $(document).ready(function() {
); );
}); });
$('#ldap_action_clear_user_mappings').click(function(event) {
event.preventDefault();
LdapConfiguration.clearMappings('user');
});
$('#ldap_action_clear_group_mappings').click(function(event) {
event.preventDefault();
LdapConfiguration.clearMappings('group');
});
$('#ldap_serverconfig_chooser').change(function(event) { $('#ldap_serverconfig_chooser').change(function(event) {
value = $('#ldap_serverconfig_chooser option:selected:first').attr('value'); value = $('#ldap_serverconfig_chooser option:selected:first').attr('value');
if(value === 'NEW') { if(value === 'NEW') {

View File

@ -317,7 +317,19 @@ abstract class Access {
} }
$ldapname = $ldapname[0]; $ldapname = $ldapname[0];
} }
$intname = $isUser ? $this->sanitizeUsername($uuid) : $ldapname;
if($isUser) {
$usernameAttribute = $this->connection->ldapExpertUsernameAttr;
if(!emptY($usernameAttribute)) {
$username = $this->readAttribute($dn, $usernameAttribute);
$username = $username[0];
} else {
$username = $uuid;
}
$intname = $this->sanitizeUsername($username);
} else {
$intname = $ldapname;
}
//a new user/group! Add it only if it doesn't conflict with other backend's users or existing groups //a new user/group! Add it only if it doesn't conflict with other backend's users or existing groups
//disabling Cache is required to avoid that the new user is cached as not-existing in fooExists check //disabling Cache is required to avoid that the new user is cached as not-existing in fooExists check
@ -897,6 +909,12 @@ abstract class Access {
return true; return true;
} }
$fixedAttribute = $this->connection->ldapExpertUUIDAttr;
if(!empty($fixedAttribute)) {
$this->connection->ldapUuidAttribute = $fixedAttribute;
return true;
}
//for now, supported (known) attributes are entryUUID, nsuniqueid, objectGUID //for now, supported (known) attributes are entryUUID, nsuniqueid, objectGUID
$testAttributes = array('entryuuid', 'nsuniqueid', 'objectguid', 'guid'); $testAttributes = array('entryuuid', 'nsuniqueid', 'objectguid', 'guid');

View File

@ -65,6 +65,8 @@ class Connection {
'ldapAttributesForGroupSearch' => null, 'ldapAttributesForGroupSearch' => null,
'homeFolderNamingRule' => null, 'homeFolderNamingRule' => null,
'hasPagedResultSupport' => false, 'hasPagedResultSupport' => false,
'ldapExpertUsernameAttr' => null,
'ldapExpertUUIDAttr' => null,
); );
/** /**
@ -265,6 +267,10 @@ class Connection {
= preg_split('/\r\n|\r|\n/', $this->$v('ldap_attributes_for_user_search')); = preg_split('/\r\n|\r|\n/', $this->$v('ldap_attributes_for_user_search'));
$this->config['ldapAttributesForGroupSearch'] $this->config['ldapAttributesForGroupSearch']
= preg_split('/\r\n|\r|\n/', $this->$v('ldap_attributes_for_group_search')); = preg_split('/\r\n|\r|\n/', $this->$v('ldap_attributes_for_group_search'));
$this->config['ldapExpertUsernameAttr']
= $this->$v('ldap_expert_username_attr');
$this->config['ldapExpertUUIDAttr']
= $this->$v('ldap_expert_uuid_attr');
$this->configured = $this->validateConfiguration(); $this->configured = $this->validateConfiguration();
} }
@ -290,7 +296,6 @@ class Connection {
'ldap_group_filter'=>'ldapGroupFilter', 'ldap_group_filter'=>'ldapGroupFilter',
'ldap_display_name'=>'ldapUserDisplayName', 'ldap_display_name'=>'ldapUserDisplayName',
'ldap_group_display_name'=>'ldapGroupDisplayName', 'ldap_group_display_name'=>'ldapGroupDisplayName',
'ldap_tls'=>'ldapTLS', 'ldap_tls'=>'ldapTLS',
'ldap_nocase'=>'ldapNoCase', 'ldap_nocase'=>'ldapNoCase',
'ldap_quota_def'=>'ldapQuotaDefault', 'ldap_quota_def'=>'ldapQuotaDefault',
@ -302,7 +307,9 @@ class Connection {
'ldap_turn_off_cert_check' => 'turnOffCertCheck', 'ldap_turn_off_cert_check' => 'turnOffCertCheck',
'ldap_configuration_active' => 'ldapConfigurationActive', 'ldap_configuration_active' => 'ldapConfigurationActive',
'ldap_attributes_for_user_search' => 'ldapAttributesForUserSearch', 'ldap_attributes_for_user_search' => 'ldapAttributesForUserSearch',
'ldap_attributes_for_group_search' => 'ldapAttributesForGroupSearch' 'ldap_attributes_for_group_search' => 'ldapAttributesForGroupSearch',
'ldap_expert_username_attr' => 'ldapExpertUsernameAttr',
'ldap_expert_uuid_attr' => 'ldapExpertUUIDAttr',
); );
return $array; return $array;
} }
@ -505,6 +512,10 @@ class Connection {
$configurationOK = false; $configurationOK = false;
} }
if(!empty($this->config['ldapExpertUUIDAttr'])) {
$this->config['ldapUuidAttribute'] = $this->config['ldapExpertUUIDAttr'];
}
return $configurationOK; return $configurationOK;
} }
@ -543,6 +554,8 @@ class Connection {
'ldap_configuration_active' => 1, 'ldap_configuration_active' => 1,
'ldap_attributes_for_user_search' => '', 'ldap_attributes_for_user_search' => '',
'ldap_attributes_for_group_search' => '', 'ldap_attributes_for_group_search' => '',
'ldap_expert_username_attr' => '',
'ldap_expert_uuid_attr' => '',
); );
} }

View File

@ -102,4 +102,29 @@ class Helper {
return true; return true;
} }
/**
* Truncate's the given mapping table
*
* @param string $mapping either 'user' or 'group'
* @return boolean true on success, false otherwise
*/
static public function clearMapping($mapping) {
if($mapping === 'user') {
$table = '`*PREFIX*ldap_user_mapping`';
} else if ($mapping === 'group') {
$table = '`*PREFIX*ldap_group_mapping`';
} else {
return false;
}
$query = \OCP\DB::prepare('TRUNCATE '.$table);
$res = $query->execute();
if(\OCP\DB::isError($res)) {
return false;
}
return true;
}
} }

View File

@ -4,7 +4,9 @@
* ownCloud - user_ldap * ownCloud - user_ldap
* *
* @author Dominik Schmidt * @author Dominik Schmidt
* @author Arthur Schiwon
* @copyright 2011 Dominik Schmidt dev@dominik-schmidt.de * @copyright 2011 Dominik Schmidt dev@dominik-schmidt.de
* @copyright 2012-2013 Arthur Schiwon blizzz@owncloud.com
* *
* This library is free software; you can redistribute it and/or * This library is free software; you can redistribute it and/or
* modify it under the terms of the GNU AFFERO GENERAL PUBLIC LICENSE * modify it under the terms of the GNU AFFERO GENERAL PUBLIC LICENSE

View File

@ -3,6 +3,7 @@
<ul> <ul>
<li><a href="#ldapSettings-1">LDAP Basic</a></li> <li><a href="#ldapSettings-1">LDAP Basic</a></li>
<li><a href="#ldapSettings-2">Advanced</a></li> <li><a href="#ldapSettings-2">Advanced</a></li>
<li><a href="#ldapSettings-3">Expert</a></li>
</ul> </ul>
<?php if(OCP\App::isEnabled('user_webdavauth')) { <?php if(OCP\App::isEnabled('user_webdavauth')) {
print_unescaped('<p class="ldapwarning">'.$l->t('<b>Warning:</b> Apps user_ldap and user_webdavauth are incompatible. You may experience unexpected behaviour. Please ask your system administrator to disable one of them.').'</p>'); print_unescaped('<p class="ldapwarning">'.$l->t('<b>Warning:</b> Apps user_ldap and user_webdavauth are incompatible. You may experience unexpected behaviour. Please ask your system administrator to disable one of them.').'</p>');
@ -96,6 +97,17 @@
</div> </div>
</div> </div>
</fieldset> </fieldset>
<fieldset id="ldapSettings-3">
<p><strong><?php p($l->t('Internal Username'));?></strong></p>
<p class="ldapIndent"><?php p($l->t('By default the internal username will be created from the UUID attribute. It makes sure that the username is unique and characters do not need to be converted. The internal username has the restriction that only these characters are allowed: [ a-zA-Z0-9_.@- ]. Other characters are replaced with their ASCII correspondence or simply omitted. On collisions a number will be added/increased. The internal username is used to identify a user internally. It is also the default name for the user home folder in ownCloud. It is also a port of remote URLs, for instance for all *DAV services. With this setting, the default behaviour can be overriden. To achieve a similar behaviour as before ownCloud 5 enter the user display name attribute in the following field. Leave it empty for default behaviour. Changes will have effect only on newly mapped (added) LDAP users.'));?></p>
<p class="ldapIndent"><label for="ldap_expert_username_attr"><?php p($l->t('Internal Username Attribute:'));?></label><input type="text" id="ldap_expert_username_attr" name="ldap_expert_username_attr" data-default="<?php p($_['ldap_expert_username_attr_default']); ?>" /></p>
<p><strong><?php p($l->t('Override UUID detection'));?></strong></p>
<p class="ldapIndent"><?php p($l->t('By default, ownCloud autodetects the UUID attribute. The UUID attribute is used to doubtlessly identify LDAP users and groups. Also, the internal username will be created based on the UUID, if not specified otherwise above. You can override the setting and pass an attribute of your choice. You must make sure that the attribute of your choice can be fetched for both users and groups and it is unique. Leave it empty for default behaviour. Changes will have effect only on newly mapped (added) LDAP users and groups.'));?></p>
<p class="ldapIndent"><label for="ldap_expert_uuid_attr"><?php p($l->t('UUID Attribute:'));?></label><input type="text" id="ldap_expert_uuid_attr" name="ldap_expert_uuid_attr" data-default="<?php p($_['ldap_expert_uuid_attr_default']); ?>" /></p>
<p><strong><?php p($l->t('Username-LDAP User Mapping'));?></strong></p>
<p class="ldapIndent"><?php p($l->t('ownCloud uses usernames to store and assign (meta) data. In order to precisely identify and recognize users, each LDAP user will have a internal username. This requires a mapping from ownCloud username to LDAP user. The created username is mapped to the UUID of the LDAP user. Additionally the DN is cached as well to reduce LDAP interaction, but it is not used for identification. If the DN changes, the changes will be found by ownCloud. The internal ownCloud name is used all over in ownCloud. Clearing the Mappings will have leftovers everywhere. Clearing the Mappings is not configuration sensitive, it affects all LDAP configurations! Do never clear the mappings in a production environment. Only clear mappings in a testing or experimental stage.'));?></p>
<p class="ldapIndent"><button id="ldap_action_clear_user_mappings" name="ldap_action_clear_user_mappings"><?php p($l->t('Clear Username-LDAP User Mapping'));?></button><br/><button id="ldap_action_clear_group_mappings" name="ldap_action_clear_group_mappings"><?php p($l->t('Clear Groupname-LDAP Group Mapping'));?></button></p>
</fieldset>
<input id="ldap_submit" type="submit" value="Save" /> <button id="ldap_action_test_connection" name="ldap_action_test_connection"><?php p($l->t('Test Configuration'));?></button> <a href="http://doc.owncloud.org/server/5.0/admin_manual/auth_ldap.html" target="_blank"><img src="<?php print_unescaped(OCP\Util::imagePath('', 'actions/info.png')); ?>" style="height:1.75ex" /> <?php p($l->t('Help'));?></a> <input id="ldap_submit" type="submit" value="Save" /> <button id="ldap_action_test_connection" name="ldap_action_test_connection"><?php p($l->t('Test Configuration'));?></button> <a href="http://doc.owncloud.org/server/5.0/admin_manual/auth_ldap.html" target="_blank"><img src="<?php print_unescaped(OCP\Util::imagePath('', 'actions/info.png')); ?>" style="height:1.75ex" /> <?php p($l->t('Help'));?></a>
</div> </div>

View File

@ -174,7 +174,7 @@ class User_Proxy extends lib\Proxy implements \OCP\UserInterface {
foreach($this->backends as $backend) { foreach($this->backends as $backend) {
$backendUsers = $backend->getDisplayNames($search, $limit, $offset); $backendUsers = $backend->getDisplayNames($search, $limit, $offset);
if (is_array($backendUsers)) { if (is_array($backendUsers)) {
$users = array_merge($users, $backendUsers); $users = $users + $backendUsers;
} }
} }
return $users; return $users;