Merge pull request #1708 from owncloud/style-cleanup-user_ldap

Style cleanup user_ldap
Bernhard Posselt 2013-02-17 07:02:45 -08:00
commit 90939c8f12
9 changed files with 205 additions and 68 deletions


@ -32,10 +32,13 @@ $connection = new \OCA\user_ldap\lib\Connection('', null);
if($connection->setConfiguration($_POST)) { if($connection->setConfiguration($_POST)) {
//Configuration is okay //Configuration is okay
if($connection->bind()) { if($connection->bind()) {
OCP\JSON::success(array('message' => $l->t('The configuration is valid and the connection could be established!'))); OCP\JSON::success(array('message'
=> $l->t('The configuration is valid and the connection could be established!')));
} else { } else {
OCP\JSON::error(array('message' => $l->t('The configuration is valid, but the Bind failed. Please check the server settings and credentials.'))); OCP\JSON::error(array('message'
=> $l->t('The configuration is valid, but the Bind failed. Please check the server settings and credentials.')));
} }
} else { } else {
OCP\JSON::error(array('message' => $l->t('The configuration is invalid. Please look in the ownCloud log for further details.'))); OCP\JSON::error(array('message'
=> $l->t('The configuration is invalid. Please look in the ownCloud log for further details.')));
} }
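Review bot: This endpoint makes the server open a connection and attempt a bind against whatever host, port and credentials arrive in `$_POST` (the `setConfiguration($_POST)` call at the top of the hunk), so the admin and CSRF checks that must guard it sit above line 32 and cannot be confirmed from this hunk; please verify that `OCP\JSON::checkAdminUser()` and `OCP\JSON::callCheck()` precede it. A comment at the start of the hunk would make the requirement explicit for the next editor: `// Admin-only and CSRF-checked above: this probes arbitrary LDAP hosts with caller-supplied credentials.` On style, splitting `array('message'` from its `=> $l->t(...)` value across two lines reads worse than breaking after the opening parenthesis of `array(`. The enclosing script starts before the hunk.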


@ -51,5 +51,7 @@ $entry = array(
OCP\Backgroundjob::addRegularTask('OCA\user_ldap\lib\Jobs', 'updateGroups'); OCP\Backgroundjob::addRegularTask('OCA\user_ldap\lib\Jobs', 'updateGroups');
if(OCP\App::isEnabled('user_webdavauth')) { if(OCP\App::isEnabled('user_webdavauth')) {
OCP\Util::writeLog('user_ldap', 'user_ldap and user_webdavauth are incompatible. You may experience unexpected behaviour', OCP\Util::WARN); OCP\Util::writeLog('user_ldap',
'user_ldap and user_webdavauth are incompatible. You may experience unexpected behaviour',
OCP\Util::WARN);
} }


@ -58,7 +58,9 @@ foreach($objects as $object) {
try { try {
$updateQuery->execute(array($newDN, $uuid, $dn['ldap_dn'])); $updateQuery->execute(array($newDN, $uuid, $dn['ldap_dn']));
} catch(Exception $e) { } catch(Exception $e) {
\OCP\Util::writeLog('user_ldap', 'Could not update '.$object.' '.$dn['ldap_dn'].' in the mappings table. ', \OCP\Util::WARN); \OCP\Util::writeLog('user_ldap',
'Could not update '.$object.' '.$dn['ldap_dn'].' in the mappings table. ',
\OCP\Util::WARN);
} }
} }
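Review bot: The catch block discards the exception it catches: `$e` is never used, so the WARN entry says the mapping row could not be updated but not why (constraint violation, lost connection, bad SQL), which is exactly what an operator needs when an LDAP mapping migration half-fails. Append the reason to the message, `'Could not update '.$object.' '.$dn['ldap_dn'].' in the mappings table: '.$e->getMessage()`, and consider ERROR rather than WARN, since a row that keeps the old DN presumably means that object no longer resolves to its ownCloud account afterwards. The enclosing foreach starts before the hunk.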


@ -177,7 +177,8 @@ class GROUP_LDAP extends lib\Access implements \OCP\GroupInterface {
if($isMemberUid) { if($isMemberUid) {
//we got uids, need to get their DNs to 'tranlsate' them to usernames //we got uids, need to get their DNs to 'tranlsate' them to usernames
$filter = $this->combineFilterWithAnd(array( $filter = $this->combineFilterWithAnd(array(
\OCP\Util::mb_str_replace('%uid', $member, $this->connection>ldapLoginFilter, 'UTF-8'), \OCP\Util::mb_str_replace('%uid', $member,
$this->connection>ldapLoginFilter, 'UTF-8'),
$this->getFilterPartForUserSearch($search) $this->getFilterPartForUserSearch($search)
)); ));
$ldap_users = $this->fetchListOfUsers($filter, 'dn'); $ldap_users = $this->fetchListOfUsers($filter, 'dn');
@ -188,7 +189,9 @@ class GROUP_LDAP extends lib\Access implements \OCP\GroupInterface {
} else { } else {
//we got DNs, check if we need to filter by search or we can give back all of them //we got DNs, check if we need to filter by search or we can give back all of them
if(!empty($search)) { if(!empty($search)) {
if(!$this->readAttribute($member, $this->connection->ldapUserDisplayName, $this->getFilterPartForUserSearch($search))) { if(!$this->readAttribute($member,
$this->connection->ldapUserDisplayName,
$this->getFilterPartForUserSearch($search))) {
continue; continue;
} }
} }
@ -225,7 +228,8 @@ class GROUP_LDAP extends lib\Access implements \OCP\GroupInterface {
return $ldap_groups; return $ldap_groups;
} }
// if we'd pass -1 to LDAP search, we'd end up in a Protocol error. With a limit of 0, we get 0 results. So we pass null. // if we'd pass -1 to LDAP search, we'd end up in a Protocol
// error. With a limit of 0, we get 0 results. So we pass null.
if($limit <= 0) { if($limit <= 0) {
$limit = null; $limit = null;
} }
@ -234,7 +238,8 @@ class GROUP_LDAP extends lib\Access implements \OCP\GroupInterface {
$this->getFilterPartForGroupSearch($search) $this->getFilterPartForGroupSearch($search)
)); ));
\OCP\Util::writeLog('user_ldap', 'getGroups Filter '.$filter, \OCP\Util::DEBUG); \OCP\Util::writeLog('user_ldap', 'getGroups Filter '.$filter, \OCP\Util::DEBUG);
$ldap_groups = $this->fetchListOfGroups($filter, array($this->connection->ldapGroupDisplayName, 'dn'), $limit, $offset); $ldap_groups = $this->fetchListOfGroups($filter, array($this->connection->ldapGroupDisplayName, 'dn'),
$limit, $offset);
$ldap_groups = $this->ownCloudGroupNames($ldap_groups); $ldap_groups = $this->ownCloudGroupNames($ldap_groups);
$this->connection->writeToCache($cachekey, $ldap_groups); $this->connection->writeToCache($cachekey, $ldap_groups);
@ -282,7 +287,8 @@ class GROUP_LDAP extends lib\Access implements \OCP\GroupInterface {
* compared with OC_USER_BACKEND_CREATE_USER etc. * compared with OC_USER_BACKEND_CREATE_USER etc.
*/ */
public function implementsActions($actions) { public function implementsActions($actions) {
//always returns false, because possible actions are modifying actions. We do not write to LDAP, at least for now. //always returns false, because possible actions are modifying
// actions. We do not write to LDAP, at least for now.
return false; return false;
} }
} }
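Review bot: In the first hunk, `$member`, a value read from the group's member attribute in the directory, is substituted for `%uid` in the login filter with a plain `mb_str_replace`, so a memberUid containing `*`, `(`, `)` or `\` becomes filter syntax; unless it is escaped before reaching this point (not visible here), a crafted directory entry can widen the lookup to other users or break the query. Escape the value per RFC 4515 before substitution, e.g. `$safeMember = str_replace(array('\\', '*', '(', ')', "\0"), array('\5c', '\2a', '\28', '\29', '\00'), $member);` and pass `$safeMember` to the replace, and apply the same to `$search` if getFilterPartForUserSearch does not already do it. The same unescaped substitution pattern is worth checking wherever else `%uid` is filled in. The method containing the first hunk starts before it.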


@ -48,7 +48,9 @@ abstract class Access {
*/ */
public function readAttribute($dn, $attr, $filter = 'objectClass=*') { public function readAttribute($dn, $attr, $filter = 'objectClass=*') {
if(!$this->checkConnection()) { if(!$this->checkConnection()) {
\OCP\Util::writeLog('user_ldap', 'No LDAP Connector assigned, access impossible for readAttribute.', \OCP\Util::WARN); \OCP\Util::writeLog('user_ldap',
'No LDAP Connector assigned, access impossible for readAttribute.',
\OCP\Util::WARN);
return false; return false;
} }
$cr = $this->connection->getConnectionResource(); $cr = $this->connection->getConnectionResource();
@ -123,7 +125,8 @@ abstract class Access {
return $result; return $result;
} }
//OID sometimes gives back DNs with whitespace after the comma a la "uid=foo, cn=bar, dn=..." We need to tackle this! //OID sometimes gives back DNs with whitespace after the comma
// a la "uid=foo, cn=bar, dn=..." We need to tackle this!
$dn = preg_replace('/([^\\\]),(\s+)/u', '\1,', $dn); $dn = preg_replace('/([^\\\]),(\s+)/u', '\1,', $dn);
//make comparisons and everything work //make comparisons and everything work
@ -218,7 +221,8 @@ abstract class Access {
* @param $ldapname optional, the display name of the object * @param $ldapname optional, the display name of the object
* @returns string with with the name to use in ownCloud, false on DN outside of search DN * @returns string with with the name to use in ownCloud, false on DN outside of search DN
* *
* returns the internal ownCloud name for the given LDAP DN of the group, false on DN outside of search DN or failure * returns the internal ownCloud name for the given LDAP DN of the
* group, false on DN outside of search DN or failure
*/ */
public function dn2groupname($dn, $ldapname = null) { public function dn2groupname($dn, $ldapname = null) {
//To avoid bypassing the base DN settings under certain circumstances //To avoid bypassing the base DN settings under certain circumstances
@ -646,7 +650,9 @@ abstract class Access {
$sr = ldap_search($linkResources, $base, $filter, $attr); $sr = ldap_search($linkResources, $base, $filter, $attr);
$error = ldap_errno($link_resource); $error = ldap_errno($link_resource);
if(!is_array($sr) || $error > 0) { if(!is_array($sr) || $error > 0) {
\OCP\Util::writeLog('user_ldap', 'Error when searching: '.ldap_error($link_resource).' code '.ldap_errno($link_resource), \OCP\Util::ERROR); \OCP\Util::writeLog('user_ldap',
'Error when searching: '.ldap_error($link_resource).' code '.ldap_errno($link_resource),
\OCP\Util::ERROR);
\OCP\Util::writeLog('user_ldap', 'Attempt for Paging? '.print_r($pagedSearchOK, true), \OCP\Util::ERROR); \OCP\Util::writeLog('user_ldap', 'Attempt for Paging? '.print_r($pagedSearchOK, true), \OCP\Util::ERROR);
return array(); return array();
} }
@ -668,7 +674,9 @@ abstract class Access {
if($skipHandling) { if($skipHandling) {
return; return;
} }
//if count is bigger, then the server does not support paged search. Instead, he did a normal search. We set a flag here, so the callee knows how to deal with it. // if count is bigger, then the server does not support
// paged search. Instead, he did a normal search. We set a
// flag here, so the callee knows how to deal with it.
if($findings['count'] <= $limit) { if($findings['count'] <= $limit) {
$this->pagedSearchedSuccessful = true; $this->pagedSearchedSuccessful = true;
} }
@ -702,7 +710,9 @@ abstract class Access {
$key = mb_strtolower($key, 'UTF-8'); $key = mb_strtolower($key, 'UTF-8');
if(isset($item[$key])) { if(isset($item[$key])) {
if($key != 'dn') { if($key != 'dn') {
$selection[$i][$key] = $this->resemblesDN($key) ? $this->sanitizeDN($item[$key][0]) : $item[$key][0]; $selection[$i][$key] = $this->resemblesDN($key) ?
$this->sanitizeDN($item[$key][0])
: $item[$key][0];
} else { } else {
$selection[$i][$key] = $this->sanitizeDN($item[$key]); $selection[$i][$key] = $this->sanitizeDN($item[$key]);
} }
@ -806,7 +816,9 @@ abstract class Access {
* @return string the final filter part to use in LDAP searches * @return string the final filter part to use in LDAP searches
*/ */
public function getFilterPartForUserSearch($search) { public function getFilterPartForUserSearch($search) {
return $this->getFilterPartForSearch($search, $this->connection->ldapAttributesForUserSearch, $this->connection->ldapUserDisplayName); return $this->getFilterPartForSearch($search,
$this->connection->ldapAttributesForUserSearch,
$this->connection->ldapUserDisplayName);
} }
/** /**
@ -815,7 +827,9 @@ abstract class Access {
* @return string the final filter part to use in LDAP searches * @return string the final filter part to use in LDAP searches
*/ */
public function getFilterPartForGroupSearch($search) { public function getFilterPartForGroupSearch($search) {
return $this->getFilterPartForSearch($search, $this->connection->ldapAttributesForGroupSearch, $this->connection->ldapGroupDisplayName); return $this->getFilterPartForSearch($search,
$this->connection->ldapAttributesForGroupSearch,
$this->connection->ldapGroupDisplayName);
} }
/** /**
@ -874,13 +888,15 @@ abstract class Access {
foreach($testAttributes as $attribute) { foreach($testAttributes as $attribute) {
\OCP\Util::writeLog('user_ldap', 'Testing '.$attribute.' as UUID attr', \OCP\Util::DEBUG); \OCP\Util::writeLog('user_ldap', 'Testing '.$attribute.' as UUID attr', \OCP\Util::DEBUG);
$value = $this->readAttribute($dn, $attribute); $value = $this->readAttribute($dn, $attribute);
if(is_array($value) && isset($value[0]) && !empty($value[0])) { if(is_array($value) && isset($value[0]) && !empty($value[0])) {
\OCP\Util::writeLog('user_ldap', 'Setting '.$attribute.' as UUID attr', \OCP\Util::DEBUG); \OCP\Util::writeLog('user_ldap', 'Setting '.$attribute.' as UUID attr', \OCP\Util::DEBUG);
$this->connection->ldapUuidAttribute = $attribute; $this->connection->ldapUuidAttribute = $attribute;
return true; return true;
} }
\OCP\Util::writeLog('user_ldap', 'The looked for uuid attr is not '.$attribute.', result was '.print_r($value, true), \OCP\Util::DEBUG); \OCP\Util::writeLog('user_ldap',
'The looked for uuid attr is not '.$attribute.', result was '.print_r($value, true),
\OCP\Util::DEBUG);
} }
return false; return false;
@ -888,7 +904,9 @@ abstract class Access {
public function getUUID($dn) { public function getUUID($dn) {
if($this->detectUuidAttribute($dn)) { if($this->detectUuidAttribute($dn)) {
\OCP\Util::writeLog('user_ldap', 'UUID Checking \ UUID for '.$dn.' using '. $this->connection->ldapUuidAttribute, \OCP\Util::DEBUG); \OCP\Util::writeLog('user_ldap',
'UUID Checking \ UUID for '.$dn.' using '. $this->connection->ldapUuidAttribute,
\OCP\Util::DEBUG);
$uuid = $this->readAttribute($dn, $this->connection->ldapUuidAttribute); $uuid = $this->readAttribute($dn, $this->connection->ldapUuidAttribute);
if(!is_array($uuid) && $this->connection->ldapOverrideUuidAttribute) { if(!is_array($uuid) && $this->connection->ldapOverrideUuidAttribute) {
$this->detectUuidAttribute($dn, true); $this->detectUuidAttribute($dn, true);
@ -1027,13 +1045,18 @@ abstract class Access {
$pagedSearchOK = false; $pagedSearchOK = false;
if($this->connection->hasPagedResultSupport && !is_null($limit)) { if($this->connection->hasPagedResultSupport && !is_null($limit)) {
$offset = intval($offset); //can be null $offset = intval($offset); //can be null
\OCP\Util::writeLog('user_ldap', 'initializing paged search for Filter'.$filter.' base '.print_r($bases, true).' attr '.print_r($attr, true). ' limit ' .$limit.' offset '.$offset, \OCP\Util::INFO); \OCP\Util::writeLog('user_ldap',
'initializing paged search for Filter'.$filter.' base '.print_r($bases, true)
.' attr '.print_r($attr, true). ' limit ' .$limit.' offset '.$offset,
\OCP\Util::INFO);
//get the cookie from the search for the previous search, required by LDAP //get the cookie from the search for the previous search, required by LDAP
foreach($bases as $base) { foreach($bases as $base) {
$cookie = $this->getPagedResultCookie($base, $filter, $limit, $offset); $cookie = $this->getPagedResultCookie($base, $filter, $limit, $offset);
if(empty($cookie) && ($offset > 0)) { if(empty($cookie) && ($offset > 0)) {
//no cookie known, although the offset is not 0. Maybe cache run out. We need to start all over *sigh* (btw, Dear Reader, did you need LDAP paged searching was designed by MSFT?) // no cookie known, although the offset is not 0. Maybe cache run out. We need
// to start all over *sigh* (btw, Dear Reader, did you need LDAP paged
// searching was designed by MSFT?)
$reOffset = ($offset - $limit) < 0 ? 0 : $offset - $limit; $reOffset = ($offset - $limit) < 0 ? 0 : $offset - $limit;
//a bit recursive, $offset of 0 is the exit //a bit recursive, $offset of 0 is the exit
\OCP\Util::writeLog('user_ldap', 'Looking for cookie L/O '.$limit.'/'.$reOffset, \OCP\Util::INFO); \OCP\Util::writeLog('user_ldap', 'Looking for cookie L/O '.$limit.'/'.$reOffset, \OCP\Util::INFO);
@ -1049,13 +1072,16 @@ abstract class Access {
if($offset > 0) { if($offset > 0) {
\OCP\Util::writeLog('user_ldap', 'Cookie '.$cookie, \OCP\Util::INFO); \OCP\Util::writeLog('user_ldap', 'Cookie '.$cookie, \OCP\Util::INFO);
} }
$pagedSearchOK = ldap_control_paged_result($this->connection->getConnectionResource(), $limit, false, $cookie); $pagedSearchOK = ldap_control_paged_result($this->connection->getConnectionResource(),
$limit, false, $cookie);
if(!$pagedSearchOK) { if(!$pagedSearchOK) {
return false; return false;
} }
\OCP\Util::writeLog('user_ldap', 'Ready for a paged search', \OCP\Util::INFO); \OCP\Util::writeLog('user_ldap', 'Ready for a paged search', \OCP\Util::INFO);
} else { } else {
\OCP\Util::writeLog('user_ldap', 'No paged search for us, Cpt., Limit '.$limit.' Offset '.$offset, \OCP\Util::INFO); \OCP\Util::writeLog('user_ldap',
'No paged search for us, Cpt., Limit '.$limit.' Offset '.$offset,
\OCP\Util::INFO);
} }
} }
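Review bot: The paged-search path in the last two hunks logs at INFO on every search: the "initializing paged search" entry with the full filter, bases and attribute list, the "Looking for cookie" and "Cookie" entries, and the "Ready for a paged search" / "No paged search for us" status lines, all of which fire for each user or group lookup. The filter carries whatever search string or login name was substituted into it and the cookie is an opaque, often binary, server token, so a production log at INFO fills with per-request directory queries and unprintable bytes. Lower all of them to `\OCP\Util::DEBUG`, the level the rest of this file already uses for comparable traces (the getGroups filter log, the UUID probes). The comment `did you need LDAP paged searching was designed by MSFT` presumably means `did you know`. The enclosing method starts before the hunk and continues after it.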


@ -76,7 +76,8 @@ class Connection {
$this->configPrefix = $configPrefix; $this->configPrefix = $configPrefix;
$this->configID = $configID; $this->configID = $configID;
$this->cache = \OC_Cache::getGlobalCache(); $this->cache = \OC_Cache::getGlobalCache();
$this->config['hasPagedResultSupport'] = (function_exists('ldap_control_paged_result') && function_exists('ldap_control_paged_result_response')); $this->config['hasPagedResultSupport'] = (function_exists('ldap_control_paged_result')
&& function_exists('ldap_control_paged_result_response'));
} }
public function __destruct() { public function __destruct() {
@ -274,9 +275,36 @@ class Connection {
* @return returns an array that maps internal variable names to database fields * @return returns an array that maps internal variable names to database fields
*/ */
private function getConfigTranslationArray() { private function getConfigTranslationArray() {
static $array = array('ldap_host'=>'ldapHost', 'ldap_port'=>'ldapPort', 'ldap_backup_host'=>'ldapBackupHost', 'ldap_backup_port'=>'ldapBackupPort', 'ldap_override_main_server' => 'ldapOverrideMainServer', 'ldap_dn'=>'ldapAgentName', 'ldap_agent_password'=>'ldapAgentPassword', 'ldap_base'=>'ldapBase', 'ldap_base_users'=>'ldapBaseUsers', 'ldap_base_groups'=>'ldapBaseGroups', 'ldap_userlist_filter'=>'ldapUserFilter', 'ldap_login_filter'=>'ldapLoginFilter', 'ldap_group_filter'=>'ldapGroupFilter', 'ldap_display_name'=>'ldapUserDisplayName', 'ldap_group_display_name'=>'ldapGroupDisplayName', static $array = array(
'ldap_host'=>'ldapHost',
'ldap_port'=>'ldapPort',
'ldap_backup_host'=>'ldapBackupHost',
'ldap_backup_port'=>'ldapBackupPort',
'ldap_override_main_server' => 'ldapOverrideMainServer',
'ldap_dn'=>'ldapAgentName',
'ldap_agent_password'=>'ldapAgentPassword',
'ldap_base'=>'ldapBase',
'ldap_base_users'=>'ldapBaseUsers',
'ldap_base_groups'=>'ldapBaseGroups',
'ldap_userlist_filter'=>'ldapUserFilter',
'ldap_login_filter'=>'ldapLoginFilter',
'ldap_group_filter'=>'ldapGroupFilter',
'ldap_display_name'=>'ldapUserDisplayName',
'ldap_group_display_name'=>'ldapGroupDisplayName',
'ldap_tls'=>'ldapTLS', 'ldap_nocase'=>'ldapNoCase', 'ldap_quota_def'=>'ldapQuotaDefault', 'ldap_quota_attr'=>'ldapQuotaAttribute', 'ldap_email_attr'=>'ldapEmailAttribute', 'ldap_group_member_assoc_attribute'=>'ldapGroupMemberAssocAttr', 'ldap_cache_ttl'=>'ldapCacheTTL', 'home_folder_naming_rule' => 'homeFolderNamingRule', 'ldap_turn_off_cert_check' => 'turnOffCertCheck', 'ldap_configuration_active' => 'ldapConfigurationActive', 'ldap_attributes_for_user_search' => 'ldapAttributesForUserSearch', 'ldap_attributes_for_group_search' => 'ldapAttributesForGroupSearch'); 'ldap_tls'=>'ldapTLS',
'ldap_nocase'=>'ldapNoCase',
'ldap_quota_def'=>'ldapQuotaDefault',
'ldap_quota_attr'=>'ldapQuotaAttribute',
'ldap_email_attr'=>'ldapEmailAttribute',
'ldap_group_member_assoc_attribute'=>'ldapGroupMemberAssocAttr',
'ldap_cache_ttl'=>'ldapCacheTTL',
'home_folder_naming_rule' => 'homeFolderNamingRule',
'ldap_turn_off_cert_check' => 'turnOffCertCheck',
'ldap_configuration_active' => 'ldapConfigurationActive',
'ldap_attributes_for_user_search' => 'ldapAttributesForUserSearch',
'ldap_attributes_for_group_search' => 'ldapAttributesForGroupSearch'
);
return $array; return $array;
} }
@ -388,7 +416,8 @@ class Connection {
* @returns true if configuration seems OK, false otherwise * @returns true if configuration seems OK, false otherwise
*/ */
private function validateConfiguration() { private function validateConfiguration() {
//first step: "soft" checks: settings that are not really necessary, but advisable. If left empty, give an info message // first step: "soft" checks: settings that are not really
// necessary, but advisable. If left empty, give an info message
if(empty($this->config['ldapBaseUsers'])) { if(empty($this->config['ldapBaseUsers'])) {
\OCP\Util::writeLog('user_ldap', 'Base tree for Users is empty, using Base DN', \OCP\Util::INFO); \OCP\Util::writeLog('user_ldap', 'Base tree for Users is empty, using Base DN', \OCP\Util::INFO);
$this->config['ldapBaseUsers'] = $this->config['ldapBase']; $this->config['ldapBaseUsers'] = $this->config['ldapBase'];
@ -398,11 +427,16 @@ class Connection {
$this->config['ldapBaseGroups'] = $this->config['ldapBase']; $this->config['ldapBaseGroups'] = $this->config['ldapBase'];
} }
if(empty($this->config['ldapGroupFilter']) && empty($this->config['ldapGroupMemberAssocAttr'])) { if(empty($this->config['ldapGroupFilter']) && empty($this->config['ldapGroupMemberAssocAttr'])) {
\OCP\Util::writeLog('user_ldap', 'No group filter is specified, LDAP group feature will not be used.', \OCP\Util::INFO); \OCP\Util::writeLog('user_ldap',
'No group filter is specified, LDAP group feature will not be used.',
\OCP\Util::INFO);
} }
if(!in_array($this->config['ldapUuidAttribute'], array('auto', 'entryuuid', 'nsuniqueid', 'objectguid')) && (!is_null($this->configID))) { if(!in_array($this->config['ldapUuidAttribute'], array('auto', 'entryuuid', 'nsuniqueid', 'objectguid'))
&& (!is_null($this->configID))) {
\OCP\Config::setAppValue($this->configID, $this->configPrefix.'ldap_uuid_attribute', 'auto'); \OCP\Config::setAppValue($this->configID, $this->configPrefix.'ldap_uuid_attribute', 'auto');
\OCP\Util::writeLog('user_ldap', 'Illegal value for the UUID Attribute, reset to autodetect.', \OCP\Util::INFO); \OCP\Util::writeLog('user_ldap',
'Illegal value for the UUID Attribute, reset to autodetect.',
\OCP\Util::INFO);
} }
if(empty($this->config['ldapBackupPort'])) { if(empty($this->config['ldapBackupPort'])) {
//force default //force default
@ -418,7 +452,9 @@ class Connection {
if((strpos($this->config['ldapHost'], 'ldaps') === 0) if((strpos($this->config['ldapHost'], 'ldaps') === 0)
&& $this->config['ldapTLS']) { && $this->config['ldapTLS']) {
$this->config['ldapTLS'] = false; $this->config['ldapTLS'] = false;
\OCP\Util::writeLog('user_ldap', 'LDAPS (already using secure connection) and TLS do not work together. Switched off TLS.', \OCP\Util::INFO); \OCP\Util::writeLog('user_ldap',
'LDAPS (already using secure connection) and TLS do not work together. Switched off TLS.',
\OCP\Util::INFO);
} }
@ -435,20 +471,28 @@ class Connection {
} }
if((empty($this->config['ldapAgentName']) && !empty($this->config['ldapAgentPassword'])) if((empty($this->config['ldapAgentName']) && !empty($this->config['ldapAgentPassword']))
|| (!empty($this->config['ldapAgentName']) && empty($this->config['ldapAgentPassword']))) { || (!empty($this->config['ldapAgentName']) && empty($this->config['ldapAgentPassword']))) {
\OCP\Util::writeLog('user_ldap', 'Either no password given for the user agent or a password is given, but no LDAP agent; won`t connect.', \OCP\Util::WARN); \OCP\Util::writeLog('user_ldap',
'Either no password given for the user agent or a password is given, but no LDAP agent; won`t connect.',
\OCP\Util::WARN);
$configurationOK = false; $configurationOK = false;
} }
//TODO: check if ldapAgentName is in DN form //TODO: check if ldapAgentName is in DN form
if(empty($this->config['ldapBase']) && (empty($this->config['ldapBaseUsers']) && empty($this->config['ldapBaseGroups']))) { if(empty($this->config['ldapBase'])
&& (empty($this->config['ldapBaseUsers'])
&& empty($this->config['ldapBaseGroups']))) {
\OCP\Util::writeLog('user_ldap', 'No Base DN given, won`t connect.', \OCP\Util::WARN); \OCP\Util::writeLog('user_ldap', 'No Base DN given, won`t connect.', \OCP\Util::WARN);
$configurationOK = false; $configurationOK = false;
} }
if(empty($this->config['ldapUserDisplayName'])) { if(empty($this->config['ldapUserDisplayName'])) {
\OCP\Util::writeLog('user_ldap', 'No user display name attribute specified, won`t connect.', \OCP\Util::WARN); \OCP\Util::writeLog('user_ldap',
'No user display name attribute specified, won`t connect.',
\OCP\Util::WARN);
$configurationOK = false; $configurationOK = false;
} }
if(empty($this->config['ldapGroupDisplayName'])) { if(empty($this->config['ldapGroupDisplayName'])) {
\OCP\Util::writeLog('user_ldap', 'No group display name attribute specified, won`t connect.', \OCP\Util::WARN); \OCP\Util::writeLog('user_ldap',
'No group display name attribute specified, won`t connect.',
\OCP\Util::WARN);
$configurationOK = false; $configurationOK = false;
} }
if(empty($this->config['ldapLoginFilter'])) { if(empty($this->config['ldapLoginFilter'])) {
@ -456,7 +500,9 @@ class Connection {
$configurationOK = false; $configurationOK = false;
} }
if(mb_strpos($this->config['ldapLoginFilter'], '%uid', 0, 'UTF-8') === false) { if(mb_strpos($this->config['ldapLoginFilter'], '%uid', 0, 'UTF-8') === false) {
\OCP\Util::writeLog('user_ldap', 'Login filter does not contain %uid place holder, won`t connect.', \OCP\Util::WARN); \OCP\Util::writeLog('user_ldap',
'Login filter does not contain %uid place holder, won`t connect.',
\OCP\Util::WARN);
\OCP\Util::writeLog('user_ldap', 'Login filter was ' . $this->config['ldapLoginFilter'], \OCP\Util::DEBUG); \OCP\Util::writeLog('user_ldap', 'Login filter was ' . $this->config['ldapLoginFilter'], \OCP\Util::DEBUG);
$configurationOK = false; $configurationOK = false;
} }
@ -520,13 +566,17 @@ class Connection {
if(!$this->ldapConnectionRes) { if(!$this->ldapConnectionRes) {
if(!function_exists('ldap_connect')) { if(!function_exists('ldap_connect')) {
$phpLDAPinstalled = false; $phpLDAPinstalled = false;
\OCP\Util::writeLog('user_ldap', 'function ldap_connect is not available. Make sure that the PHP ldap module is installed.', \OCP\Util::ERROR); \OCP\Util::writeLog('user_ldap',
'function ldap_connect is not available. Make sure that the PHP ldap module is installed.',
\OCP\Util::ERROR);
return false; return false;
} }
if($this->config['turnOffCertCheck']) { if($this->config['turnOffCertCheck']) {
if(putenv('LDAPTLS_REQCERT=never')) { if(putenv('LDAPTLS_REQCERT=never')) {
\OCP\Util::writeLog('user_ldap', 'Turned off SSL certificate validation successfully.', \OCP\Util::WARN); \OCP\Util::writeLog('user_ldap',
'Turned off SSL certificate validation successfully.',
\OCP\Util::WARN);
} else { } else {
\OCP\Util::writeLog('user_ldap', 'Could not turn off SSL certificate validation.', \OCP\Util::WARN); \OCP\Util::writeLog('user_ldap', 'Could not turn off SSL certificate validation.', \OCP\Util::WARN);
} }
@ -584,7 +634,9 @@ class Connection {
} }
$ldapLogin = @ldap_bind($cr, $this->config['ldapAgentName'], $this->config['ldapAgentPassword']); $ldapLogin = @ldap_bind($cr, $this->config['ldapAgentName'], $this->config['ldapAgentPassword']);
if(!$ldapLogin) { if(!$ldapLogin) {
\OCP\Util::writeLog('user_ldap', 'Bind failed: ' . ldap_errno($cr) . ': ' . ldap_error($cr), \OCP\Util::ERROR); \OCP\Util::writeLog('user_ldap',
'Bind failed: ' . ldap_errno($cr) . ': ' . ldap_error($cr),
\OCP\Util::ERROR);
$this->ldapConnectionRes = null; $this->ldapConnectionRes = null;
return false; return false;
} }
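Review bot: The `turnOffCertCheck` branch in the hunk starting at new line 566 disables certificate validation with `putenv('LDAPTLS_REQCERT=never')`, which is a process-wide setting rather than a property of this connection: nothing sets it back, so in a long-lived PHP-FPM or mod_php worker it stays in effect for every LDAP configuration handled afterwards by that process, including ones whose admin expects validation, and a MITM on those connections would go unnoticed. As far as I know libldap also reads this variable only when it initialises its TLS options, so toggling it per request may not apply reliably in either direction. At minimum make the scope visible to operators, e.g. change the WARN text to `'Turned off SSL certificate validation (process-wide, not reverted for other configurations).'` and add `// NOTE: putenv() is global to this PHP process and is never undone` above the call; a per-connection `ldap_set_option` for the TLS requirement is the proper fix where the PHP version exposes it. The enclosing method starts before the hunk and continues after it.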


@ -42,7 +42,9 @@ class Jobs {
$actualGroups = self::getGroupBE()->getGroups(); $actualGroups = self::getGroupBE()->getGroups();
if(empty($actualGroups) && empty($knownGroups)) { if(empty($actualGroups) && empty($knownGroups)) {
\OCP\Util::writeLog('user_ldap', 'bgJ "updateGroups" groups do not seem to be configured properly, aborting.', \OCP\Util::INFO); \OCP\Util::writeLog('user_ldap',
'bgJ "updateGroups" groups do not seem to be configured properly, aborting.',
\OCP\Util::INFO);
\OCP\Config::setAppValue('user_ldap', 'bgjUpdateGroupsLastRun', time()); \OCP\Config::setAppValue('user_ldap', 'bgjUpdateGroupsLastRun', time());
return; return;
} }
@ -75,19 +77,25 @@ class Jobs {
$hasChanged = false; $hasChanged = false;
foreach(array_diff($knownUsers, $actualUsers) as $removedUser) { foreach(array_diff($knownUsers, $actualUsers) as $removedUser) {
\OCP\Util::emitHook('OC_User', 'post_removeFromGroup', array('uid' => $removedUser, 'gid' => $group)); \OCP\Util::emitHook('OC_User', 'post_removeFromGroup', array('uid' => $removedUser, 'gid' => $group));
\OCP\Util::writeLog('user_ldap', 'bgJ "updateGroups" "'.$removedUser.'" removed from "'.$group.'".', \OCP\Util::INFO); \OCP\Util::writeLog('user_ldap',
'bgJ "updateGroups" "'.$removedUser.'" removed from "'.$group.'".',
\OCP\Util::INFO);
$hasChanged = true; $hasChanged = true;
} }
foreach(array_diff($actualUsers, $knownUsers) as $addedUser) { foreach(array_diff($actualUsers, $knownUsers) as $addedUser) {
\OCP\Util::emitHook('OC_User', 'post_addFromGroup', array('uid' => $addedUser, 'gid' => $group)); \OCP\Util::emitHook('OC_User', 'post_addFromGroup', array('uid' => $addedUser, 'gid' => $group));
\OCP\Util::writeLog('user_ldap', 'bgJ "updateGroups" "'.$addedUser.'" added to "'.$group.'".', \OCP\Util::INFO); \OCP\Util::writeLog('user_ldap',
'bgJ "updateGroups" "'.$addedUser.'" added to "'.$group.'".',
\OCP\Util::INFO);
$hasChanged = true; $hasChanged = true;
} }
if($hasChanged) { if($hasChanged) {
$query->execute(array(serialize($actualUsers), $group)); $query->execute(array(serialize($actualUsers), $group));
} }
} }
\OCP\Util::writeLog('user_ldap', 'bgJ "updateGroups" FINISHED dealing with known Groups.', \OCP\Util::DEBUG); \OCP\Util::writeLog('user_ldap',
'bgJ "updateGroups" FINISHED dealing with known Groups.',
\OCP\Util::DEBUG);
} }
static private function handleCreatedGroups($createdGroups) { static private function handleCreatedGroups($createdGroups) {
@ -98,11 +106,15 @@ class Jobs {
VALUES (?, ?) VALUES (?, ?)
'); ');
foreach($createdGroups as $createdGroup) { foreach($createdGroups as $createdGroup) {
\OCP\Util::writeLog('user_ldap', 'bgJ "updateGroups" new group "'.$createdGroup.'" found.', \OCP\Util::INFO); \OCP\Util::writeLog('user_ldap',
'bgJ "updateGroups" new group "'.$createdGroup.'" found.',
\OCP\Util::INFO);
$users = serialize(self::getGroupBE()->usersInGroup($createdGroup)); $users = serialize(self::getGroupBE()->usersInGroup($createdGroup));
$query->execute(array($createdGroup, $users)); $query->execute(array($createdGroup, $users));
} }
\OCP\Util::writeLog('user_ldap', 'bgJ "updateGroups" FINISHED dealing with created Groups.', \OCP\Util::DEBUG); \OCP\Util::writeLog('user_ldap',
'bgJ "updateGroups" FINISHED dealing with created Groups.',
\OCP\Util::DEBUG);
} }
static private function handleRemovedGroups($removedGroups) { static private function handleRemovedGroups($removedGroups) {
@ -113,10 +125,14 @@ class Jobs {
WHERE `owncloudname` = ? WHERE `owncloudname` = ?
'); ');
foreach($removedGroups as $removedGroup) { foreach($removedGroups as $removedGroup) {
\OCP\Util::writeLog('user_ldap', 'bgJ "updateGroups" group "'.$removedGroup.'" was removed.', \OCP\Util::INFO); \OCP\Util::writeLog('user_ldap',
'bgJ "updateGroups" group "'.$removedGroup.'" was removed.',
\OCP\Util::INFO);
$query->execute(array($removedGroup)); $query->execute(array($removedGroup));
} }
\OCP\Util::writeLog('user_ldap', 'bgJ "updateGroups" FINISHED dealing with removed groups.', \OCP\Util::DEBUG); \OCP\Util::writeLog('user_ldap',
'bgJ "updateGroups" FINISHED dealing with removed groups.',
\OCP\Util::DEBUG);
} }
static private function getConnector() { static private function getConnector() {
@ -154,4 +170,4 @@ class Jobs {
return self::$groupsFromDB; return self::$groupsFromDB;
} }
} }
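Review bot: The hook emitted for added members in the hunk starting at new line 77 is named `post_addFromGroup`, while its counterpart a few lines earlier is `post_removeFromGroup`; if core's signal for additions is `post_addToGroup`, as that naming suggests, no listener ever learns about members the background job adds and only removals propagate. Please confirm against OC_User's hook names and, if so, change the call to `\OCP\Util::emitHook('OC_User', 'post_addToGroup', array('uid' => $addedUser, 'gid' => $group));`. Separately, the membership lists are persisted with `serialize()`; storing JSON would avoid an `unserialize()` on the read side, which is not in this diff. The enclosing methods start before their hunks.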


@ -12,19 +12,43 @@
} }
?> ?>
<fieldset id="ldapSettings-1"> <fieldset id="ldapSettings-1">
<p><label for="ldap_serverconfig_chooser"><?php echo $l->t('Server configuration');?></label><select id="ldap_serverconfig_chooser" name="ldap_serverconfig_chooser"> <p><label for="ldap_serverconfig_chooser"><?php echo $l->t('Server configuration');?></label>
<select id="ldap_serverconfig_chooser" name="ldap_serverconfig_chooser">
<?php echo $_['serverConfigurationOptions']; ?> <?php echo $_['serverConfigurationOptions']; ?>
<option value="NEW"><?php echo $l->t('Add Server Configuration');?></option> <option value="NEW"><?php echo $l->t('Add Server Configuration');?></option>
</select> </select>
<button id="ldap_action_delete_configuration" name="ldap_action_delete_configuration">Delete Configuration</button> <button id="ldap_action_delete_configuration"
name="ldap_action_delete_configuration">Delete Configuration</button>
</p> </p>
<p><label for="ldap_host"><?php echo $l->t('Host');?></label><input type="text" id="ldap_host" name="ldap_host" data-default="<?php echo $_['ldap_host_default']; ?>" title="<?php echo $l->t('You can omit the protocol, except you require SSL. Then start with ldaps://');?>"></p> <p><label for="ldap_host"><?php echo $l->t('Host');?></label>
<p><label for="ldap_base"><?php echo $l->t('Base DN');?></label><textarea id="ldap_base" name="ldap_base" placeholder="<?php echo $l->t('One Base DN per line');?>" title="<?php echo $l->t('You can specify Base DN for users and groups in the Advanced tab');?>" data-default="<?php echo $_['ldap_base_default']; ?>" ></textarea></p> <input type="text" id="ldap_host" name="ldap_host" data-default="<?php echo $_['ldap_host_default']; ?>"
<p><label for="ldap_dn"><?php echo $l->t('User DN');?></label><input type="text" id="ldap_dn" name="ldap_dn" data-default="<?php echo $_['ldap_dn_default']; ?>" title="<?php echo $l->t('The DN of the client user with which the bind shall be done, e.g. uid=agent,dc=example,dc=com. For anonymous access, leave DN and Password empty.');?>" /></p> title="<?php echo $l->t('You can omit the protocol, except you require SSL. Then start with ldaps://');?>"></p>
<p><label for="ldap_agent_password"><?php echo $l->t('Password');?></label><input type="password" id="ldap_agent_password" name="ldap_agent_password" data-default="<?php echo $_['ldap_agent_password_default']; ?>" title="<?php echo $l->t('For anonymous access, leave DN and Password empty.');?>" /></p> <p><label for="ldap_base"><?php echo $l->t('Base DN');?></label>
<p><label for="ldap_login_filter"><?php echo $l->t('User Login Filter');?></label><input type="text" id="ldap_login_filter" name="ldap_login_filter" data-default="<?php echo $_['ldap_login_filter_default']; ?>" title="<?php echo $l->t('Defines the filter to apply, when login is attempted. %%uid replaces the username in the login action.');?>" /><br /><small><?php echo $l->t('use %%uid placeholder, e.g. "uid=%%uid"');?></small></p> <textarea id="ldap_base" name="ldap_base" placeholder="<?php echo $l->t('One Base DN per line');?>"
<p><label for="ldap_userlist_filter"><?php echo $l->t('User List Filter');?></label><input type="text" id="ldap_userlist_filter" name="ldap_userlist_filter" data-default="<?php echo $_['ldap_userlist_filter_default']; ?>" title="<?php echo $l->t('Defines the filter to apply, when retrieving users.');?>" /><br /><small><?php echo $l->t('without any placeholder, e.g. "objectClass=person".');?></small></p> title="<?php echo $l->t('You can specify Base DN for users and groups in the Advanced tab');?>"
<p><label for="ldap_group_filter"><?php echo $l->t('Group Filter');?></label><input type="text" id="ldap_group_filter" name="ldap_group_filter" data-default="<?php echo $_['ldap_group_filter_default']; ?>" title="<?php echo $l->t('Defines the filter to apply, when retrieving groups.');?>" /><br /><small><?php echo $l->t('without any placeholder, e.g. "objectClass=posixGroup".');?></small></p> data-default="<?php echo $_['ldap_base_default']; ?>" ></textarea></p>
<p><label for="ldap_dn"><?php echo $l->t('User DN');?></label>
<input type="text" id="ldap_dn" name="ldap_dn" data-default="<?php echo $_['ldap_dn_default']; ?>"
title="<?php echo $l->t('The DN of the client user with which the bind shall be done, e.g. uid=agent,dc=example,dc=com. For anonymous access, leave DN and Password empty.');?>" /></p>
<p><label for="ldap_agent_password"><?php echo $l->t('Password');?></label>
<input type="password" id="ldap_agent_password" name="ldap_agent_password"
data-default="<?php echo $_['ldap_agent_password_default']; ?>"
title="<?php echo $l->t('For anonymous access, leave DN and Password empty.');?>" /></p>
<p><label for="ldap_login_filter"><?php echo $l->t('User Login Filter');?></label>
<input type="text" id="ldap_login_filter" name="ldap_login_filter"
data-default="<?php echo $_['ldap_login_filter_default']; ?>"
title="<?php echo $l->t('Defines the filter to apply, when login is attempted. %%uid replaces the username in the login action.');?>" />
<br /><small><?php echo $l->t('use %%uid placeholder, e.g. "uid=%%uid"');?></small></p>
<p><label for="ldap_userlist_filter"><?php echo $l->t('User List Filter');?></label>
<input type="text" id="ldap_userlist_filter" name="ldap_userlist_filter"
data-default="<?php echo $_['ldap_userlist_filter_default']; ?>"
title="<?php echo $l->t('Defines the filter to apply, when retrieving users.');?>" />
<br /><small><?php echo $l->t('without any placeholder, e.g. "objectClass=person".');?></small></p>
<p><label for="ldap_group_filter"><?php echo $l->t('Group Filter');?></label>
<input type="text" id="ldap_group_filter" name="ldap_group_filter"
data-default="<?php echo $_['ldap_group_filter_default']; ?>"
title="<?php echo $l->t('Defines the filter to apply, when retrieving groups.');?>" />
<br /><small><?php echo $l->t('without any placeholder, e.g. "objectClass=posixGroup".');?></small></p>
</fieldset> </fieldset>
<fieldset id="ldapSettings-2"> <fieldset id="ldapSettings-2">
<div id="ldapAdvancedAccordion"> <div id="ldapAdvancedAccordion">
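Review bot: The values interpolated into attributes on the new side — `data-default="<?php echo $_['ldap_host_default']; ?>"` and its siblings for `ldap_base`, `ldap_dn`, `ldap_agent_password` and the three filter fields — are still echoed without escaping after the reflow. They presumably come from stored server configuration rather than the request, so the exposure is limited to what an admin has saved, but a base DN or filter containing `"` or `<` breaks out of the attribute and corrupts the form; `data-default="<?php echo htmlspecialchars($_['ldap_host_default'], ENT_QUOTES); ?>"` (or whichever escaping helper the surrounding templates use) keeps the rendering intact. `<?php echo $_['serverConfigurationOptions']; ?>` is evidently pre-built `<option>` markup, so it cannot be escaped here and should be escaped where it is assembled. The `title` strings wrapped by this commit are translation output and unaffected.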


@ -112,7 +112,8 @@ class USER_LDAP extends lib\Access implements \OCP\UserInterface {
return $ldap_users; return $ldap_users;
} }
// if we'd pass -1 to LDAP search, we'd end up in a Protocol error. With a limit of 0, we get 0 results. So we pass null. // if we'd pass -1 to LDAP search, we'd end up in a Protocol
// error. With a limit of 0, we get 0 results. So we pass null.
if($limit <= 0) { if($limit <= 0) {
$limit = null; $limit = null;
} }
@ -121,9 +122,12 @@ class USER_LDAP extends lib\Access implements \OCP\UserInterface {
$this->getFilterPartForUserSearch($search) $this->getFilterPartForUserSearch($search)
)); ));
\OCP\Util::writeLog('user_ldap', 'getUsers: Options: search '.$search.' limit '.$limit.' offset '.$offset.' Filter: '.$filter, \OCP\Util::DEBUG); \OCP\Util::writeLog('user_ldap',
'getUsers: Options: search '.$search.' limit '.$limit.' offset '.$offset.' Filter: '.$filter,
\OCP\Util::DEBUG);
//do the search and translate results to owncloud names //do the search and translate results to owncloud names
$ldap_users = $this->fetchListOfUsers($filter, array($this->connection->ldapUserDisplayName, 'dn'), $limit, $offset); $ldap_users = $this->fetchListOfUsers($filter, array($this->connection->ldapUserDisplayName, 'dn'),
$limit, $offset);
$ldap_users = $this->ownCloudUserNames($ldap_users); $ldap_users = $this->ownCloudUserNames($ldap_users);
\OCP\Util::writeLog('user_ldap', 'getUsers: '.count($ldap_users). ' Users found', \OCP\Util::DEBUG); \OCP\Util::writeLog('user_ldap', 'getUsers: '.count($ldap_users). ' Users found', \OCP\Util::DEBUG);
@ -189,11 +193,13 @@ class USER_LDAP extends lib\Access implements \OCP\UserInterface {
//check for / at the beginning or pattern c:\ resp. c:/ //check for / at the beginning or pattern c:\ resp. c:/
if( if(
'/' == $path[0] '/' == $path[0]
|| (3 < strlen($path) && ctype_alpha($path[0]) && $path[1] == ':' && ('\\' == $path[2] || '/' == $path[2])) || (3 < strlen($path) && ctype_alpha($path[0])
&& $path[1] == ':' && ('\\' == $path[2] || '/' == $path[2]))
) { ) {
$homedir = $path; $homedir = $path;
} else { } else {
$homedir = \OCP\Config::getSystemValue('datadirectory', \OC::$SERVERROOT.'/data' ) . '/' . $homedir[0]; $homedir = \OCP\Config::getSystemValue('datadirectory',
\OC::$SERVERROOT.'/data' ) . '/' . $homedir[0];
} }
$this->connection->writeToCache($cacheKey, $homedir); $this->connection->writeToCache($cacheKey, $homedir);
return $homedir; return $homedir;
@ -270,4 +276,4 @@ class USER_LDAP extends lib\Access implements \OCP\UserInterface {
public function hasUserListings() { public function hasUserListings() {
return true; return true;
} }
} }
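Review bot: In the getHome hunk (`@ -189,11 +193,13 @@`) the reflowed condition still reads `$path[0]`, `$path[1]` and `$path[2]` before the string is known to be non-empty, so an empty `$path` produces an uninitialized-offset notice on the first operand; `3 < strlen($path)` guards only the second branch, and `$path !== '' && '/' == $path[0]` (or an early return above the hunk) closes that. The more important point is that when the value is absolute it is used verbatim as the home directory, `$homedir = $path;`, and `$path` presumably originates from an LDAP attribute read above the hunk; if that attribute is writable by directory users, the server-side data location is under their control, so a comment spelling out that trust assumption and, ideally, a check that the resolved directory lies beneath a configured base would be worth adding. The function starts outside the hunk.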