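/**
 * Registers winbindd with monit.
 *
 * Writes two wrapper scripts (/usr/sbin/winbindd-monit-start and
 * /usr/sbin/winbindd-monit-stop) that call /etc/init.d/winbind, then writes
 * /etc/monit/conf.d/winbindd.monitrc pointing at them and asks
 * artica-install to re-check monit in the background.
 *
 * Does nothing when the monitrc already exists or when the monit binary
 * cannot be found.
 */
function winbindd_monit()
{
    if (is_file("/etc/monit/conf.d/winbindd.monitrc")) {
        progress_logs(20, "{join_activedirectory_domain}", "winbindd monit: Already set");
        return;
    }
    $unix = new unix();
    $monit = $unix->find_program("monit");
    if (!is_file($monit)) {
        xsyslog("winbindd monit: no such binary");
        return;
    }
    $nohup = $unix->find_program("nohup");
    $searchPath = "PATH=/usr/local/sbin:/usr/local/bin:/usr/sbin:/usr/bin:/sbin:/bin:/usr/X11R6/bin";
    // Bug fix: the stop wrapper used to be written with the *start* script
    // body, so monit's "stop program" re-started winbind instead of stopping it.
    $wrappers = [
        "/usr/sbin/winbindd-monit-start" => ["#!/bin/sh", $searchPath, "/etc/init.d/winbind start", "exit 0\n"],
        "/usr/sbin/winbindd-monit-stop" => ["#!/bin/sh", $searchPath, "/etc/init.d/winbind stop", "exit 0\n"],
    ];
    foreach ($wrappers as $scriptPath => $scriptLines) {
        if (@file_put_contents($scriptPath, implode("\n", $scriptLines)) === false) {
            // A monitrc pointing at a missing wrapper is worse than no monitrc.
            xsyslog("winbindd monit: unable to write {$scriptPath}");
            return;
        }
        // monit executes these as root: 0755 keeps them executable while no
        // longer leaving them writable by every local account (was 0777).
        @chmod($scriptPath, 0755);
    }
    $monitrc = [
        "check process winbindd",
        "with pidfile /var/run/samba/winbindd.pid",
        "start program = \"/usr/sbin/winbindd-monit-start\"",
        "stop program =  \"/usr/sbin/winbindd-monit-stop\"",
        "if totalmem > 900 MB for 5 cycles then alert",
        "if cpu > 95% for 5 cycles then alert",
        "if 5 restarts within 5 cycles then timeout",
    ];
    progress_logs(20, "{join_activedirectory_domain}", "winbindd monit: creating winbindd.monitrc");
    @file_put_contents("/etc/monit/conf.d/winbindd.monitrc", implode("\n", $monitrc));
    progress_logs(20, "{join_activedirectory_domain}", "winbindd monit: restarting monit");
    shell_exec("{$nohup} /usr/share/artica-postfix/bin/artica-install --monit-check >/dev/null 2>&1 &");
}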
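/**
 * Tells whether a ufdbGuard log line is pure noise (startup banner,
 * configuration echo, ACL dump, REDIR trace) that Parseline() drops.
 *
 * The matching rule is kept exactly as it was: a needle only counts when it
 * is found at offset > 0 (strpos(...) > 0), so a line that *starts* with one
 * of these needles is not filtered here. NOTE(review): "Changing daemon
 * status", "configuration file", "{" and "}" are in this list and therefore
 * shadow some handlers in Parseline() for most lines; preserved as-is.
 *
 * @param string $buffer trimmed log line
 * @return bool
 */
function parseline_is_noise($buffer)
{
    $needles = [
        "] PASS ",
        "UFDBinitHTTPSchecker",
        "IP socket port",
        "listening on interface",
        "yielding",
        "system:",
        "URL verification threads and",
        "worker threads",
        "license status",
        "redirect-fatal-error",
        "using OpenSSL library",
        "CA certificates are",
        "Failure to load the CA database",
        "CA file is",
        "ufdbHandleAlarmForTimeEvents",
        "Changing daemon status",
        "UFDBchangeStatus",
        "url-lookup-delay-during-database-reload",
        "url-lookup-result-during-database-reload",
        "url-lookup-result-when-fatal-error",
        "no http-server",
        "upload-stats",
        "analyse-uncategorised-urls",
        "redirect-loading-database",
        "ufdb-expression-debug",
        "ufdb-debug-filter",
        "database status: up to date",
        "ufdbGenTable should be called with the",
        "is deprecated and ignored",
        "init domainlist",
        "is empty !",
        "init expressionlist",
        "is optimised to one expression",
        "be analysed since there is no proper database",
        "REDIRECT 302",
        "close fd",
        ": open fd ",
        "acl {",
        "URL verifications",
        "must be part of the security",
        "}",
        "finished retrieving",
        "loading URL table from",
        "]    option",
        "{",
        "] category \"",
        "]    domainlist     \"",
        "]       pass ",
        "] safe-search",
        "configuration file",
        "refreshdomainlist",
        "software suite is free and Open Source Software",
        "by URLfilterDB",
        "] configuration status",
        'expressionlist "',
        'is newer than',
        'source "',
        'youtube-edufilter-id',
        'max-logfile-size',
        'check-proxy-tunnels',
        'seconds to allow worker',
        '] loading URL category',
        'execdomainlist for',
        'dynamic_domainlist_updater_main',
    ];
    foreach ($needles as $needle) {
        if (strpos($buffer, $needle) > 0) {
            return true;
        }
    }
    return preg_match("#\\] REDIR\\s+#", $buffer) === 1;
}

/**
 * Dispatches one line of the ufdbGuard log.
 *
 * The line is trimmed and de-duplicated through $GLOBALS['MDBUFF'] (an md5
 * set flushed once it grows past 1000 entries), noise is dropped through
 * parseline_is_noise(), then the first matching handler runs and the function
 * returns. Handlers raise admin events (squid_admin_mysql, events,
 * events_ufdb_exec, ufdbguard_admin_events), repair files on disk, or fire a
 * detached shell command; some are rate-limited through IfFileTime() on a
 * marker file. BLOCK lines become influx records. Whatever is left is logged
 * as "Not filtered".
 *
 * @param string $buffer one raw log line
 * @return null callers only rely on the side effects
 */
function Parseline($buffer)
{
    $buffer = trim($buffer);
    if ($buffer === "") {
        return null;
    }
    // Drop exact repeats of a line seen recently; the set is bounded by flushing it.
    $mdbuff = md5($buffer);
    if (isset($GLOBALS['MDBUFF'][$mdbuff])) {
        return;
    }
    $GLOBALS['MDBUFF'][$mdbuff] = true;
    if (count($GLOBALS['MDBUFF']) > 1000) {
        $GLOBALS['MDBUFF'] = array();
    }
    if (parseline_is_noise($buffer)) {
        return;
    }
    if (preg_match("#FATAL ERROR: connection queue is full#", $buffer)) {
        // Rate-limited through the marker file so a burst of lines triggers one restart.
        $TimeFile = "/etc/artica-postfix/pids/webfiltering-connection.queue.full";
        if (!IfFileTime($TimeFile, 5)) {
            return;
        }
        $Threads = intval(@file_get_contents("/etc/artica-postfix/settings/Daemons/UfdbGuardThreads"));
        $ThreadNew = min($Threads + 5, 128);
        squid_admin_mysql(0, "Webfiltering Service connection queue is full increase Threads from {$Threads} to {$ThreadNew} [action=restart]", $buffer, __FILE__, __LINE__);
        @file_put_contents("/etc/artica-postfix/settings/Daemons/UfdbGuardThreads", $ThreadNew);
        shell_exec("{$GLOBALS["nohup"]} /etc/init.d/ufdb restart --force >/dev/null 2>&1 &");
        return;
    }
    // The leading space lets these matches also hit a phrase at offset 0.
    if (stripos(" {$buffer}", "HUP signal received to reload the configuration") > 0) {
        squid_admin_mysql(1, "Webfiltering Service was reloaded - reloading databases [action=notify]", $buffer, __FILE__, __LINE__);
        events_ufdb_exec("Webfiltering Service was reloaded, wait 15 seconds");
        return;
    }
    if (stripos(" {$buffer}", "ufdbGuard daemon stopped") > 0) {
        squid_admin_mysql(1, "Webfiltering Service was stopped [action=notify]", $buffer, __FILE__, __LINE__);
        events_ufdb_exec("Webfiltering Service was stopped, wait 15 seconds");
        return;
    }
    if (stripos(" {$buffer}", 'Changing daemon status to "started"') > 0) {
        squid_admin_mysql(1, "Webfiltering Service was started [action=notify]", $buffer, __FILE__, __LINE__);
        events_ufdb_exec("Webfiltering Service was started, wait 15 seconds");
        return;
    }
    if (preg_match("#thread socket-handler caught signal 11#", $buffer)) {
        $TimeFile = "/etc/artica-postfix/pids/webfiltering-emergency";
        if (!IfFileTime($TimeFile, 5)) {
            return;
        }
        squid_admin_mysql(0, "Webfiltering crash [action=Webfiltering Emergency]", $buffer, __FILE__, __LINE__);
        shell_exec("{$GLOBALS["nohup"]} {$GLOBALS["PHP5_BIN"]} /usr/share/artica-postfix/exec.squid.urgency.remove.php --ufdb-on >/dev/null 2>&1 &");
        return;
    }
    if (preg_match("#Changing daemon status to \"error\"#", $buffer)) {
        $TimeFile = "/etc/artica-postfix/pids/webfiltering-emergency";
        if (!IfFileTime($TimeFile, 5)) {
            return;
        }
        squid_admin_mysql(0, "Webfiltering service error [action=Webfiltering Emergency]", $buffer, __FILE__, __LINE__);
        shell_exec("{$GLOBALS["nohup"]} {$GLOBALS["PHP5_BIN"]} /usr/share/artica-postfix/exec.ufdb.emergency.php --ufdb-on >/dev/null 2>&1 &");
        return;
    }
    if (preg_match("#FATAL ERROR: cannot open configuration file\\s+\\/etc\\/squid3\\/ufdbGuard\\.conf#i", $buffer)) {
        squid_admin_mysql(0, "Webfiltering error, Open Configuration File failed [action=restart service]", $buffer, __FILE__, __LINE__);
        shell_exec("{$GLOBALS["nohup"]} {$GLOBALS["PHP5_BIN"]} /usr/share/artica-postfix/exec.ufdb.php --restart --force --ufdbtail --fatal-error >/dev/null 2>&1 &");
        return;
    }
    if (preg_match("#FATAL.*?read failed on \"(.+?)\".*?Bad address#i", $buffer, $re)) {
        squid_admin_mysql(0, "Webfiltering service error on database: {$re[1]}  [action=Webfiltering Emergency]", $buffer, __FILE__, __LINE__);
        shell_exec("{$GLOBALS["nohup"]} {$GLOBALS["PHP5_BIN"]} /usr/share/artica-postfix/exec.ufdb.emergency.php --ufdb-on >/dev/null 2>&1 &");
        return;
    }
    if (preg_match("#FATAL ERROR: cannot read from.*?No such file or directory#", $buffer)) {
        squid_admin_mysql(0, "Webfiltering error: a database is missing [action=reconfigure]", $buffer, __FILE__, __LINE__);
        shell_exec("{$GLOBALS["nohup"]} {$GLOBALS["PHP5_BIN"]} /usr/share/artica-postfix/exec.squidguard.php --build --force >/dev/null 2>&1 &");
        return;
    }
    if (preg_match("#There are no sources and there is no default ACL#i", $buffer)) {
        events("Seems not to be defined -> build compilation.");
        xsyslog("{reconfigure} ufdb service...");
        shell_exec("{$GLOBALS["nohup"]} {$GLOBALS["PHP5_BIN"]} /usr/share/artica-postfix/exec.squidguard.php --build --force >/dev/null 2>&1 &");
        return;
    }
    if (preg_match("#ERROR: cannot write to PID file\\s+(.+)#i", $buffer, $re)) {
        xsyslog("Apply permissions on {$re[1]}");
        $pidpath = dirname($re[1]);
        @mkdir($pidpath, 0755, true);
        @chown($pidpath, "squid");
        @chmod($pidpath, 0755);
        return;
    }
    if (preg_match("#\\] Changing daemon status to.*?error#", $buffer)) {
        squid_admin_mysql(0, "Fatal! Webfilter daemon is turned to error", $buffer, __FILE__, __LINE__);
        return;
    }
    if (preg_match("#\\] Changing daemon status to.*?terminated#", $buffer)) {
        squid_admin_mysql(1, "Webfilter daemon is turned to OFF", $buffer, __FILE__, __LINE__);
        return;
    }
    if (preg_match("#can't execute command of execdomainlist.*?popen failed: Cannot allocate memory#", $buffer)) {
        @file_put_contents("/etc/artica-postfix/settings/Daemons/UfdbExecDomainList", 0);
        squid_admin_mysql(0, "Not Enough memory to use execdomainlist feature [action=reconfigure]", "{$buffer}\nexecdomainlist feature will be disabled..", __FILE__, __LINE__);
        shell_exec("{$GLOBALS["nohup"]} {$GLOBALS["PHP5_BIN"]} /usr/share/artica-postfix/exec.squidguard.php --build --force >/dev/null 2>&1 &");
        return;
    }
    if (preg_match('#FATAL ERROR: table "(.+?)"\\s+could not be parsed.*?error code = [0-9]+#', $buffer, $re)) {
        $direname = dirname($re[1]);
        squid_admin_mysql(0, "Database {$direname} corrupted", $buffer . "\nReconfigure ufdb service after removing {$direname}...", __FILE__, __LINE__);
        events("Webfiltering engine error on {$direname}");
        if (!is_dir($direname)) {
            return;
        }
        // The path is taken from the log line; quote it so rm sees one argument.
        shell_exec("{$GLOBALS["SBIN_RM"]} -rf " . escapeshellarg($direname) . " >/dev/null 2>&1");
        xsyslog("{reconfigure} ufdb service after removing {$direname}...");
        shell_exec("{$GLOBALS["nohup"]} {$GLOBALS["PHP5_BIN"]} /usr/share/artica-postfix/exec.squidguard.php --build --force >/dev/null 2>&1 &");
        return;
    }
    if (preg_match("#BLOCK-FATAL\\s+#", $buffer)) {
        $TimeFile = "/etc/artica-postfix/pids/UFDB_BLOCK_FATAL";
        if (!IfFileTime($TimeFile, 10)) {
            return;
        }
        events("Webfiltering engine error, reload service");
        events_ufdb_exec("service was restarted, {$buffer}");
        squid_admin_mysql(0, "Fatal, Web filtering engine error", $buffer . "\nThe service will be reloaded", __FILE__, __LINE__);
        xsyslog("Reloading ufdb service...");
        shell_exec("{$GLOBALS["nohup"]} /etc/init.d/ufdb reload >/dev/null 2>&1 &");
        return;
    }
    // A second "connection queue is full" handler (UFDB_QUEUE_IS_FULL marker,
    // +1 thread up to 140) was unreachable: the handler at the top of this
    // function matches the same regex and always returns. It has been removed.
    if (preg_match('#FATAL\\*\\s+table\\s+"(.+?)"\\s+could not be parsed.+?14#', $buffer, $re)) {
        events("Table on {$re[1]} crashed");
        squid_admin_mysql(0, "Database {$re[1]} corrupted", $buffer, __FILE__, __LINE__);
        ufdbguard_admin_events("Table on {$re[1]} crashed\n{$buffer}", __FUNCTION__, __FILE__, __LINE__, "ufdbguard-service");
        events_ufdb_exec("{$buffer}");
        $GLOBALS["CLASS_UNIX"]->send_email_events("ufdbguard: {$re[1]} could not be parsed", "Ufdbguard claim: {$buffer}\n\n\t\tYou need to compile this database", "proxy");
        return;
    }
    if (preg_match("#FATAL ERROR: cannot bind daemon socket: Address already in use#", $buffer)) {
        events_ufdb_exec("ERROR DETECTED : {$buffer} `cannot bind daemon socket`");
        squid_admin_mysql(1, "Fatal ERROR: cannot bind daemon socket: Address already in use [action=restart]", $buffer, __FILE__, __LINE__);
        ufdbguard_admin_events("Fatal ERROR: cannot bind daemon socket: Address already in use", __FUNCTION__, __FILE__, __LINE__, "ufdbguard-service");
        xsyslog("Restarting ufdb service...");
        shell_exec("{$GLOBALS["nohup"]} /etc/init.d/ufdb restart >/dev/null 2>&1 &");
        return;
    }
    // NOTE(review): lines matching this regex also match the broader
    // "FATAL ERROR: cannot read from.*?No such file or directory" handler
    // above, which returns first; kept for fidelity, looks unreachable.
    if (preg_match('#\\] FATAL ERROR: cannot read from "(.+?)".*?No such file or directory#', $buffer, $re)) {
        squid_admin_mysql(0, "Database {$re[1]} missing", $buffer, __FILE__, __LINE__);
        events("cannot read '{$re[1]}' -> \"{$buffer}\"");
        squid_admin_mysql(2, "Web filtering issue on {$re[1]}", "Launch recover_a_database()", __FILE__, __LINE__);
        recover_a_database($re[1]);
        return;
    }
    if (preg_match('#\\*FATAL.+? cannot read from "(.+?)".+?: No such file or directory#', $buffer, $re)) {
        squid_admin_mysql(0, "Database {$re[1]} missing", $buffer, __FILE__, __LINE__);
        events("cannot read '{$re[1]}' -> \"{$buffer}\"");
        squid_admin_mysql(2, "Web filtering issue on {$re[1]}", "Launch recover_a_database()", __FILE__, __LINE__);
        recover_a_database($re[1]);
        return;
    }
    if (preg_match('#\\*FATAL\\*\\s+cannot read from\\s+"(.+?)"#', $buffer, $re)) {
        squid_admin_mysql(0, "Database {$re[1]} missing", $buffer, __FILE__, __LINE__);
        events("Problem on {$re[1]}");
        events_ufdb_exec("{$buffer}");
        squid_admin_mysql(2, "Web filtering issue on {$re[1]}", "Launch recover_a_database()", __FILE__, __LINE__);
        recover_a_database($re[1]);
        $GLOBALS["CLASS_UNIX"]->send_email_events("ufdbguard: {$re[1]} Not compiled..", "Ufdbguard claim: {$buffer}\nYou need to compile your databases");
        return;
    }
    // NOTE(review): the generic '*FATAL* cannot read from "..."' handler just
    // above matches every line this one does, so this branch looks unreachable.
    if (preg_match("#\\*FATAL\\*\\s+cannot read from\\s+\"(.+?)\\.ufdb\".+?No such file or directory#", $buffer, $re)) {
        squid_admin_mysql(0, "Database {$re[1]} missing", $buffer . "\n Problem on {$re[1]}\n\nYou need to compile your databases", __FILE__, __LINE__);
        events("UFDB database missing : Problem on {$re[1]}");
        if (!is_file($re[1])) {
            // Was mkdir(..., 666, ...): decimal 666 is octal 01232, not a sane mode.
            @mkdir(dirname($re[1]), 0755, true);
            // touch() in-process instead of passing a log-derived path to /bin/sh.
            @touch($re[1]);
        }
        $GLOBALS["CLASS_UNIX"]->send_email_events("ufdbguard: {$re[1]} Not compiled..", "Ufdbguard claim: {$buffer}\nYou need to compile your databases", "ufdbguard-service");
        return;
    }
    if (preg_match("#thread worker-[0-1]+.+?caught signal\\s+[0-1]+#", $buffer)) {
        squid_admin_mysql(0, "Webfiltering Daemon as crashed - Start a new one", $buffer, __FILE__, __LINE__);
        $GLOBALS["CLASS_UNIX"]->send_email_events("ufdbguard: crashed", "Ufdbguard claim: {$buffer}\n", "proxy");
        shell_exec("/etc/init.d/ufdb start &");
        // Every other handler returns; this one used to fall through to the
        // remaining checks and end in the "Not filtered" log line.
        return;
    }
    if (preg_match("#\\*FATAL\\*\\s+expression list\\s+(.+?): Permission denied#", $buffer, $re)) {
        squid_admin_mysql(0, "Database {$re[1]} permission denied", $buffer . "\nProblem on '{$re[1]}' -> chown squid:squid", __FILE__, __LINE__);
        events("UFDB expression permission issue : Problem on '{$re[1]}' -> chown squid:squid");
        // Log-derived path: quote it so chown receives exactly one target.
        shell_exec("{$GLOBALS["chown"]} -R squid:squid " . escapeshellarg(dirname($re[1])));
        return;
    }
    if (preg_match("#\\*FATAL.+?expression list\\s+(.+?):\\s+No such file or directory#", $buffer, $re)) {
        squid_admin_mysql(0, "Database {$re[1]} missing", $buffer . "\nProblem on '{$re[1]}' -> Try to repair", __FILE__, __LINE__);
        events("Expression list: Problem on {$re[1]} -> \"{$buffer}\"");
        events("Creating directory " . dirname($re[1]));
        @mkdir(dirname($re[1]), 0755, true);
        events("Creating empty file '" . $re[1] . "'");
        @file_put_contents($re[1], "\n");
        events("ufdbguard tail: Service will be reloaded");
        $GLOBALS["CLASS_UNIX"]->send_email_events(basename(__FILE__) . ":Service ufdb will be reloaded ", "Cause:{$buffer}", "ufdbguard-service");
        squid_admin_mysql(2, "Ask to reload the Web filtering service", "Cause:{$buffer}");
        ufdbguard_admin_events("ufdbguard tail: Service will be reloaded", __FUNCTION__, __FILE__, __LINE__, "watchdog");
        shell_exec("{$GLOBALS["RELOADCMD"]} --function==" . __FUNCTION__ . " --line=" . __LINE__ . " " . "--filename=" . basename(__FILE__) . " >/dev/null 2>&1 &");
        return;
    }
    // Empty domain tables are known and deliberately not reported.
    if (preg_match("#database table \\/var\\/lib\\/squidguard\\/(.+?)\\/domains\\s+is empty#", $buffer)) {
        return;
    }
    if (preg_match("#the new configuration and database are loaded for ufdbguardd ([0-9\\.]+)#", $buffer, $re)) {
        squid_admin_mysql(2, "Web Filtering engine service v{$re[1]} has reloaded new configuration and databases", "");
        $GLOBALS["CLASS_UNIX"]->send_email_events("UfdbGuard v{$re[1]} has reloaded new configuration and databases", null, "ufdbguard-service");
        return;
    }
    // Statistics lines are consumed without action (the old code parsed the
    // "blocked N times" counter but never used it).
    if (preg_match("#statistics:#", $buffer)) {
        return;
    }
    if (preg_match("#BLOCK (.*?)\\s+(.+?)\\s+(.+?)\\s+(.+?)\\s+(|http|https|ftp|ftps)://(.+?)myip=(.+)\$#", $buffer, $re)) {
        $user = trim($re[1]);
        $local_ip = $re[2];
        $rulename = $re[3];
        $category = $re[4];
        $www = $re[6];
        $public_ip = $re[7];
        if (strpos($www, "/") > 0) {
            $tb = explode("/", $www);
            $www = $tb[0];
        }
        if (preg_match("#^www\\.(.+)#", $www, $ri)) {
            $www = $ri[1];
        }
        // Bug fix: this match used no capture array and then read the stale
        // $re[1] (the user name) as the numeric address.
        if (preg_match("#([0-9]+)\\.addr#", $www, $ra)) {
            $www = long2ip((int) $ra[1]);
        }
        if (preg_match("#^([0-9\\.]+)#", $local_ip, $ri)) {
            $local_ip = $ri[1];
        }
        $category = CategoryCodeToCatName($category);
        if ($user == "-") {
            $user = null;
        }
        $time = time();
        if (preg_match("#^[0-9]+\\.[0-9]+\\.[0-9]+\\.[0-9]+\$#", $www)) {
            $public_ip = $www;
            $www = $GLOBALS["CLASS_UNIX"]->IpToHostname($www);
        }
        $Clienthostname = $GLOBALS["CLASS_UNIX"]->IpToHostname($local_ip);
        if ($Clienthostname == null) {
            $Clienthostname = $local_ip;
        }
        paranoidmode($local_ip, $www);
        $q = new influx();
        if ($GLOBALS["UfdbguardSMTPNotifs"]["BLOCK_NOTIFS"] == 1) {
            events("Write notif");
            $line_notif = date("H:i:s") . " [{$www}]: blocked domain: User: {$user}/{$local_ip}/{$Clienthostname}, Category: {$category}, Rule: {$rulename}";
            $q->insert_ufdb_notif($line_notif);
        }
        if ($GLOBALS["SQUID_PERFORMANCE"] > 2) {
            return;
        }
        $line = "{$time}:::{$user}:::{$category}:::{$rulename}:::{$public_ip}:::blocked domain:::blocked domain:::{$Clienthostname}:::{$www}:::{$local_ip}";
        $q->insert_ufdb($line);
        return;
    }
    if (preg_match("#BLOCK\\s+(.*?)\\s+(.+?)\\s+(.*?)\\s+(.+?)\\s+(.+?)\\s+[A-Z]+#", $buffer, $re)) {
        $user = trim($re[1]);
        $local_ip = $re[2];
        $rulename = $re[3];
        $category = $re[4];
        $uri = $re[5];
        if (preg_match("#^([0-9\\.]+)#", $local_ip, $ri)) {
            $local_ip = $ri[1];
        }
        $time = time();
        $array = parse_url($uri);
        // parse_url() may return false or omit "host"; avoid an undefined-index notice.
        $www = isset($array["host"]) ? $array["host"] : null;
        if (strpos($www, ":") > 0) {
            $t = explode(":", $www);
            $www = $t[0];
        }
        // Same stale-$re[1] bug as in the handler above; capture explicitly.
        if (preg_match("#([0-9]+)\\.addr#", $www, $ra)) {
            $www = long2ip((int) $ra[1]);
        }
        $category = CategoryCodeToCatName($category);
        if (preg_match("#^[0-9]+\\.[0-9]+\\.[0-9]+\\.[0-9]+\$#", $www)) {
            $public_ip = $www;
            $www = $GLOBALS["CLASS_UNIX"]->IpToHostname($www);
        } else {
            $public_ip = HostnameToIp($www);
        }
        if (preg_match("#^www\\.(.+)#", $www, $ri)) {
            $www = $ri[1];
        }
        $Clienthostname = $GLOBALS["CLASS_UNIX"]->IpToHostname($local_ip);
        if ($Clienthostname == null) {
            $Clienthostname = $local_ip;
        }
        if ($user == "-") {
            $user = null;
        }
        CreateCounter($www, $local_ip, $user, $category);
        paranoidmode($local_ip, $www);
        $q = new influx();
        if ($GLOBALS["UfdbguardSMTPNotifs"]["BLOCK_NOTIFS"] == 1) {
            $line_notif = date("H:i:s") . " [{$www}]: blocked domain: User: {$user}/{$local_ip}/{$Clienthostname}, Category: {$category}, Rule: {$rulename}";
            $q->insert_ufdb_notif($line_notif);
        }
        if ($GLOBALS["SQUID_PERFORMANCE"] > 2) {
            return;
        }
        $line = "{$time}:::{$user}:::{$category}:::{$rulename}:::{$public_ip}:::blocked domain:::blocked domain:::{$Clienthostname}:::{$www}:::{$local_ip}";
        $q->insert_ufdb($line);
        return;
    }
    events("Not filtered: {$buffer}");
}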
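/**
 * Makes sure the root filesystem is mounted with the "acl" option (plus
 * "user_xattr") so the winbindd privileged directories can carry ACLs.
 *
 * When winbindd_set_acls_is_xattr() already succeeds only
 * winbindd_set_acls_is_xattr_var() runs. Otherwise the "/" entry of
 * /etc/fstab is inspected: if its options lack "acl", the entry is rewritten
 * with "acl,user_xattr" appended, fstab is saved (blank lines dropped) and "/"
 * is remounted. Bails out when setfacl or mount cannot be found.
 *
 * each() was removed in PHP 8; the loops are now foreach. The original
 * stopped scanning fstab right after rewriting the first "/" entry (its inner
 * scan exhausted the array pointer), which the explicit break preserves.
 */
function winbindd_set_acls_mainpart()
{
    if (winbindd_set_acls_is_xattr()) {
        if ($GLOBALS["VERBOSE"]) {
            progress_logs(20, "{join_activedirectory_domain}", "winbindd_set_acls_is_xattr() -> winbindd_set_acls_is_xattr_var()");
        }
        winbindd_set_acls_is_xattr_var();
        return;
    }
    $unix = new unix();
    $setfacl = $unix->find_program("setfacl");
    $mount = $unix->find_program("mount");
    if (!is_file($setfacl)) {
        xsyslog("winbindd_priv setfacl no such binary");
        return;
    }
    if (!is_file($mount)) {
        xsyslog("winbindd_priv mount no such binary");
        return;
    }
    $fstabLines = explode("\n", @file_get_contents("/etc/fstab"));
    foreach ($fstabLines as $num => $ligne) {
        if (!preg_match("#^(.*?)\\s+\\/\\s+(.*?)\\s+(.*?)\\s+([0-9]+)\\s+([0-9]+)#", $ligne, $re)) {
            continue;
        }
        $options = explode(",", $re[3]);
        $present = array();
        foreach ($options as $option) {
            $option = trim(strtolower($option));
            if ($option === "") {
                continue;
            }
            progress_logs(20, "{join_activedirectory_domain}", "winbindd_priv found main partition {$re[1]} with option `{$option}`");
            $present[$option] = true;
        }
        if (isset($present["acl"])) {
            progress_logs(20, "{join_activedirectory_domain}", "winbindd_priv found main partition {$re[1]} ACL user_xattr,acl");
            continue;
        }
        $options[] = "acl";
        $options[] = "user_xattr";
        progress_logs(20, "{join_activedirectory_domain}", "winbindd_priv found main partition {$re[1]} Add ACL user_xattr options was " . implode(";", $options));
        $fstabLines[$num] = "{$re[1]}\t/\t{$re[2]}\t" . implode(",", $options) . "\t{$re[4]}\t{$re[5]}";
        $kept = array();
        foreach ($fstabLines as $line) {
            if (trim($line) === "") {
                continue;
            }
            $kept[] = $line;
        }
        // Refuse to write back a file that would contain only the one entry.
        if (count($kept) > 1) {
            @file_put_contents("/etc/fstab", implode("\n", $kept) . "\n");
            xsyslog("winbindd_priv remount system partition...");
            shell_exec("{$mount} -o remount /");
        }
        break;
    }
    if ($GLOBALS["VERBOSE"]) {
        progress_logs(20, "{join_activedirectory_domain}", "winbindd_set_acls_is_xattr() -> winbindd_set_acls_is_xattr_var()");
    }
    winbindd_set_acls_is_xattr_var();
}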
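/**
 * Stops the OpenLDAP daemon (slapd) and waits for it to go away.
 *
 * Refused when $GLOBALS["MONIT"] is set. Unless $aspid is true, a PID file
 * guards against concurrent runs: an older instance (PROCCESS_TIME_MIN > 10)
 * is force-killed, a younger one makes this call die. Zarafa is stopped first
 * when installed. slapd is signalled through the PID from its PID file
 * (fallback: PIDOF), polled up to ten times with one-second sleeps, then
 * force-killed if still alive, including stragglers found through pgrep.
 * Progress is reported through restart_ldap_progress().
 *
 * Fixes: the pgrep regex had no delimiters (preg_match returned false and no
 * straggler was ever killed), each() is gone in PHP 8, and the unused
 * sockets/kill/ldaps locals plus a duplicated get_pid_from_file() are dropped.
 *
 * @param bool $aspid true when the caller already owns the PID-file guard
 */
function stop_ldap($aspid = false)
{
    if ($GLOBALS["MONIT"]) {
        xsyslog("Not accept a stop order from MONIT process");
        return;
    }
    $users = new usersMenus();
    $unix = new unix();
    $slapd = $unix->find_program("slapd");
    $pgrep = $unix->find_program("pgrep");
    $SLAPD_PID_FILE = $unix->SLAPD_PID_PATH();
    $MYPID_FILE = "/etc/artica-postfix/pids/stop_ldap.pid";
    if ($users->ZARAFA_INSTALLED) {
        stop_zarafa();
    }
    if (!$aspid) {
        $pid = $unix->get_pid_from_file($MYPID_FILE);
        if ($unix->process_exists($pid, basename(__FILE__))) {
            $pidtime = $unix->PROCCESS_TIME_MIN($pid);
            echo "slapd: [INFO] Artica task already running pid {$pid} since {$pidtime}mn\n";
            if ($pidtime > 10) {
                echo "slapd: [INFO] Killing this Artica task...\n";
                unix_system_kill_force($pid);
            } else {
                die;
            }
        }
        @unlink($MYPID_FILE);
        @file_put_contents($MYPID_FILE, getmypid());
    }
    $pid = $unix->get_pid_from_file($SLAPD_PID_FILE);
    if ($unix->process_exists($pid)) {
        $timeDaemon = $unix->PROCESS_TTL($pid);
        $unix->ToSyslog("Stopping the OpenLDAP daemon running since {$timeDaemon}Mn", false, basename(__FILE__));
        echo "slapd: [INFO] slapd shutdown ldap server PID:{$pid}...\n";
        unix_system_kill($pid);
    } else {
        $pid = $unix->PIDOF($slapd);
        if ($unix->process_exists($pid)) {
            echo "slapd: [INFO] slapd shutdown ldap server PID:{$pid}...\n";
            unix_system_kill($pid);
        }
    }
    // Give the daemon up to ~10 seconds to exit on its own.
    for ($attempt = 0; $attempt < 10; $attempt++) {
        $pid = intval($unix->get_pid_from_file($SLAPD_PID_FILE));
        if ($pid == 0) {
            break;
        }
        restart_ldap_progress("{stopping_service} stop PID:{$pid}", 20);
        if ($unix->process_exists($pid)) {
            echo "slapd: [INFO] slapd waiting the server to stop PID:{$pid}...\n";
            sleep(1);
            continue;
        }
        $pid = $unix->PIDOF($slapd);
        if ($unix->process_exists($pid)) {
            echo "slapd: [INFO] slapd waiting the server to stop PID:{$pid}...\n";
            sleep(1);
            continue;
        }
    }
    $pid = $unix->get_pid_from_file($SLAPD_PID_FILE);
    if ($unix->process_exists($pid)) {
        echo "slapd: [INFO] slapd PID:{$pid} still exists, kill it...\n";
        unix_system_kill_force($pid);
    }
    $pid = $unix->get_pid_from_file($SLAPD_PID_FILE);
    if ($unix->process_exists($pid)) {
        echo "slapd: [INFO] slapd PID:{$pid} still exists, start the force kill procedure...\n";
    }
    restart_ldap_progress("{stopping_service} Checking {$slapd}", 25);
    $pid = $unix->PIDOF($slapd);
    if ($unix->process_exists($pid)) {
        echo "slapd: [INFO] slapd PID:{$pid} still exists, kill it...\n";
        unix_system_kill_force($pid);
        return;
    }
    restart_ldap_progress("{stopping_service} Checking {$slapd}", 28);
    $results = array();
    exec("{$pgrep} -l -f {$slapd} 2>&1", $results);
    foreach ($results as $line) {
        // pgrep -f lists itself; skip that entry.
        if (preg_match("#pgrep#", $line)) {
            continue;
        }
        if (preg_match("#^([0-9]+)\\s+#", $line, $re)) {
            echo "slapd: [INFO] slapd PID:{$re[1]} still exists, kill it\n";
            unix_system_kill_force($re[1]);
        }
    }
    restart_ldap_progress("{stopping_service} {success}", 30);
    echo "slapd: [INFO] slapd stopped, success...\n";
}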
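/**
 * Generate the pam_ldap / nss_ldap client configuration for this host.
 *
 * Reads the one-value-per-file settings under /etc/artica-postfix/ldap_settings/,
 * falls back to the local slapd (ldapi socket) when the configured remote
 * server does not answer a TCP probe, then writes:
 *   - /etc/pam_ldap.conf and /etc/nss_ldap.conf (shared directive set),
 *   - /usr/share/libnss-ldap/ldap.conf and /etc/openldap/ldap.conf when those
 *     directories exist,
 *   - /etc/libnss-ldap.conf (shared directive set + the annotated template),
 *   - /etc/ldap.secret and /etc/libnss-ldap.secret (bind password, mode 0600).
 *
 * Also snapshots ldap_GET_CONFS() into ressources/local_ldap.php.
 *
 * @param bool $aspid true when the caller already guarantees a single running
 *                    instance, so the PID-file check is skipped.
 * @return void Exits the process (die) if another instance is still running.
 */
function ldap_conf($aspid = false)
{
    $unix = new unix();
    $MYPID_FILE = "/etc/artica-postfix/pids/" . basename(__FILE__) . "." . __FUNCTION__ . ".pid";
    if (!$aspid) {
        _ldap_conf_single_instance($unix, $MYPID_FILE);
    }
    @unlink($MYPID_FILE);
    @file_put_contents($MYPID_FILE, getmypid());

    // The settings files hold one value each; a trailing newline would
    // otherwise be interpolated into the generated directives (e.g. a broken
    // "binddn cn=admin\n,dc=..."). The password is deliberately left untouched
    // because it is copied verbatim into the secret files.
    $admin = trim((string) @file_get_contents("/etc/artica-postfix/ldap_settings/admin"));
    $password = @file_get_contents("/etc/artica-postfix/ldap_settings/password");
    $port = trim((string) @file_get_contents("/etc/artica-postfix/ldap_settings/port"));
    $server = trim((string) @file_get_contents("/etc/artica-postfix/ldap_settings/server"));
    $suffix = trim((string) @file_get_contents("/etc/artica-postfix/ldap_settings/suffix"));

    if ($server === "" || $server === "localhost") {
        $server = "127.0.0.1";
    }
    if (!is_numeric($port)) {
        $port = 389;
    }
    $binddn = "cn={$admin},{$suffix}";
    echo "Starting......: " . date("H:i:s") . " pam.d LDAP slapd set system to {$server}:{$port}/{$suffix}\n";
    echo "Starting......: " . date("H:i:s") . " pam.d LDAP slapd set root DN {$binddn}\n";

    $ARRAY = $unix->ldap_GET_CONFS();
    // NOTE(review): $ARRAY carries the local root credentials ("PWD" is read
    // from it below) and is persisted serialized in a 0755, i.e. world-readable,
    // PHP file. The consumer of MAIN_LOCAL_LDAP_SETTINGS is not visible here;
    // confirm which user actually includes it and restrict the mode to that
    // owner/group.
    @file_put_contents("/usr/share/artica-postfix/ressources/local_ldap.php", "<?php \$GLOBALS[\"MAIN_LOCAL_LDAP_SETTINGS\"]=\"" . base64_encode(serialize($ARRAY)) . "\";?>");
    @chmod("/usr/share/artica-postfix/ressources/local_ldap.php", 0755);

    if ($server != "127.0.0.1") {
        // Cheap reachability probe (2 s) before committing the host to the
        // client configuration; an unreachable remote falls back to local slapd.
        $fp = @fsockopen($server, (int) $port, $errno, $errstr, 2);
        if (!$fp) {
            xsyslog("{$errno} {$errstr} Return to local ldap server");
            echo "Starting......: " . date("H:i:s") . " pam.d LDAP {$errno} {$errstr}\n";
            echo "Starting......: " . date("H:i:s") . " pam.d LDAP Return to local ldap server\n";
            $server = "127.0.0.1";
            $port = 389;
            $binddn = $ARRAY["DN"];
            $password = $ARRAY["PWD"];
            $suffix = $ARRAY["SUFFIX"];
            echo "Starting......: " . date("H:i:s") . " pam.d LDAP set system to {$server}:{$port}/{$suffix}\n";
            echo "Starting......: " . date("H:i:s") . " pam.d LDAP set root DN {$binddn}\n";
        } else {
            // The probe only checks connectivity; release the socket right away.
            fclose($fp);
        }
    }

    $ASLOCAL = ($server == "127.0.0.1");
    // Local: talk to slapd over its Unix socket (no network exposure).
    // Remote: plain ldap:// — NOTE(review): the bind password then crosses the
    // network in clear unless the server enforces StartTLS; consider ldaps://
    // or "ssl start_tls" for remote deployments.
    $ldap_uri = $ASLOCAL
        ? "ldapi://" . urlencode("/var/run/slapd/slapd.sock")
        : "ldap://{$server}:{$port}/";

    $f = _ldap_conf_client_lines($ASLOCAL, $server, $port, $ldap_uri, $binddn, $password, $suffix);

    // The rootbinddn secret files must never be world-readable, not even for
    // the instant between creation and chmod(); the helper writes them under a
    // restrictive umask instead of chmod-after-write.
    _ldap_conf_write_secret("/etc/ldap.secret", $password);
    _ldap_conf_write_secret("/etc/libnss-ldap.secret", $password);
    echo "Starting......: " . date("H:i:s") . " pam.d LDAP /etc/ldap.secret, success...\n";

    // NOTE(review): the same password is also emitted as "bindpw" in the
    // config files below, which are left at the default (typically
    // world-readable) mode. nss_ldap needs these files readable by every
    // process, so the exposure can only be removed by dropping bindpw in favour
    // of anonymous lookups + rootbinddn — a deployment decision, not changed here.
    $body = implode("\n", $f);
    @file_put_contents("/etc/pam_ldap.conf", $body);
    @file_put_contents("/etc/nss_ldap.conf", $body);
    echo "Starting......: " . date("H:i:s") . " pam.d LDAP /etc/pam_ldap.conf, success...\n";
    echo "Starting......: " . date("H:i:s") . " pam.d LDAP /etc/nss_ldap.conf, success...\n";
    if (is_dir('/usr/share/libnss-ldap')) {
        @file_put_contents("/usr/share/libnss-ldap/ldap.conf", $body);
        echo "Starting......: " . date("H:i:s") . " pam.d LDAP /usr/share/libnss-ldap/ldap.conf, success...\n";
    }
    if (is_dir('/etc/openldap')) {
        @file_put_contents("/etc/openldap/ldap.conf", $body);
        echo "Starting......: " . date("H:i:s") . " pam.d LDAP /etc/openldap/ldap.conf, success...\n";
    }
    echo "Starting......: " . date("H:i:s") . " pam.d LDAP Suffix....: {$suffix}\n";

    // /etc/libnss-ldap.conf = the shared directives followed by the annotated
    // upstream template (some directives therefore appear twice, with the same
    // value; nss_ldap tolerates that).
    $libnss = array_merge(
        $f,
        _ldap_conf_template_lines($ASLOCAL, $server, $port, $ldap_uri, $binddn, $password, $suffix)
    );
    @file_put_contents("/etc/libnss-ldap.conf", implode("\n", $libnss));
    echo "Starting......: " . date("H:i:s") . " pam.d /etc/libnss-ldap.conf done\n";
}

/**
 * Abort, or evict a stale run, when another ldap_conf() task is still alive.
 *
 * A previous run older than 10 minutes is assumed hung and is force-killed;
 * a younger one keeps the lock and this process exits.
 *
 * @param unix   $unix     helper used for PID lookups
 * @param string $pid_file path of this task's PID file
 * @return void Calls die when a recent instance is running.
 */
function _ldap_conf_single_instance($unix, $pid_file)
{
    $pid = $unix->get_pid_from_file($pid_file);
    if (!$unix->process_exists($pid, basename(__FILE__))) {
        return;
    }
    $pidtime = $unix->PROCCESS_TIME_MIN($pid);
    echo "slapd: [INFO] Artica task already running pid {$pid} since {$pidtime}mn\n";
    if ($pidtime > 10) {
        echo "slapd: [INFO] Killing this Artica task...\n";
        unix_system_kill_force($pid);
        return;
    }
    die;
}

/**
 * Write a rootbinddn secret file so that it is owner-only (0600) from the
 * moment it exists.
 *
 * @param string $path     destination file
 * @param string $password content, written verbatim
 * @return void
 */
function _ldap_conf_write_secret($path, $password)
{
    // umask governs the mode of a *newly created* file; chmod() afterwards
    // covers the case where the file already existed with a looser mode.
    $previous = umask(077);
    @file_put_contents($path, "{$password}");
    umask($previous);
    @chmod($path, 0600);
}

/**
 * Directive set shared by every pam_ldap / nss_ldap file written by ldap_conf().
 *
 * @param bool       $aslocal  true when talking to the local slapd via ldapi
 * @param string     $server   LDAP host (only emitted when not local)
 * @param int|string $port     LDAP port (only emitted when not local)
 * @param string     $ldap_uri full ldap:// or ldapi:// URI
 * @param string     $binddn   DN used for binddn and rootbinddn
 * @param string     $password bind password (emitted in clear as bindpw)
 * @param string     $suffix   search base
 * @return list<string> one directive per element, ending with an empty line
 */
function _ldap_conf_client_lines($aslocal, $server, $port, $ldap_uri, $binddn, $password, $suffix)
{
    $f = [];
    if (!$aslocal) {
        $f[] = "host {$server}";
        $f[] = "port {$port}";
    }
    $f[] = "uri {$ldap_uri}";
    $f[] = "ldap_version 3";
    $f[] = "binddn {$binddn}";
    $f[] = "rootbinddn {$binddn}";
    $f[] = "bindpw {$password}";
    $f[] = "bind_policy soft";
    $f[] = "scope sub";
    $f[] = "base {$suffix}";
    $f[] = "pam_password clear";
    $f[] = "pam_lookup_policy yes";
    $f[] = "pam_filter objectclass=posixAccount";
    $f[] = "pam_login_attribute uid";
    $f[] = "nss_reconnect_maxconntries 5";
    $f[] = "idle_timelimit 3600";
    $f[] = "nss_base_group {$suffix}?sub";
    $f[] = "nss_base_passwd {$suffix}?sub";
    $f[] = "nss_base_shadow {$suffix}?sub";
    $f[] = "";
    return $f;
}

/**
 * The annotated nss_ldap template appended to /etc/libnss-ldap.conf.
 *
 * Mostly commented-out documentation lines from the upstream sample file,
 * with the live host/base/uri/bind directives filled in. Same parameters as
 * _ldap_conf_client_lines().
 *
 * @return list<string>
 */
function _ldap_conf_template_lines($aslocal, $server, $port, $ldap_uri, $binddn, $password, $suffix)
{
    $f = [];
    $f[] = "## Your LDAP server. Must be resolvable without using LDAP.";
    $f[] = "# Multiple hosts may be specified, each separated by a ";
    $f[] = "# space. How long nss_ldap takes to failover depends on";
    $f[] = "# whether your LDAP client library supports configurable";
    $f[] = "# network or connect timeouts (see bind_timelimit).";
    if (!$aslocal) {
        $f[] = "host {$server}";
        $f[] = "port {$port}";
    }
    $f[] = "base {$suffix}";
    $f[] = "";
    $f[] = "# Another way to specify your LDAP server is to provide an";
    $f[] = "#uri ldap://127.0.0.1/";
    $f[] = "# Unix Domain Sockets to connect to a local LDAP Server.";
    $f[] = "#uri ldap://127.0.0.1/";
    $f[] = "#uri ldaps://127.0.0.1/   ";
    $f[] = "uri {$ldap_uri}";
    $f[] = "# Note: %2f encodes the '/' used as directory separator";
    $f[] = "";
    $f[] = "# The LDAP version to use (defaults to 3";
    $f[] = "# if supported by client library)";
    $f[] = "ldap_version 3";
    $f[] = "";
    $f[] = "# The distinguished name to bind to the server with.";
    $f[] = "# Optional: default is to bind anonymously.";
    $f[] = "# Please do not put double quotes around it as they";
    $f[] = "# would be included literally.";
    $f[] = "binddn {$binddn}";
    $f[] = "";
    $f[] = "# The credentials to bind with. ";
    $f[] = "# Optional: default is no credential.";
    $f[] = "bindpw {$password}";
    $f[] = "";
    $f[] = "# The distinguished name to bind to the server with";
    $f[] = "# if the effective user ID is root. Password is";
    $f[] = "# stored in /etc/libnss-ldap.secret (mode 600)";
    $f[] = "# Use 'echo -n \"mypassword\" > /etc/libnss-ldap.secret' instead";
    $f[] = "# of an editor to create the file.";
    $f[] = "rootbinddn {$binddn}";
    $f[] = "";
    $f[] = "";
    $f[] = "# The search scope.";
    $f[] = "scope sub";
    $f[] = "#scope one";
    $f[] = "#scope base";
    $f[] = "";
    $f[] = "# Search timelimit";
    $f[] = "#timelimit 30";
    $f[] = "";
    $f[] = "# Bind/connect timelimit";
    $f[] = "#bind_timelimit 30";
    $f[] = "";
    $f[] = "# Reconnect policy:";
    $f[] = "#  hard_open: reconnect to DSA with exponential backoff if";
    $f[] = "#             opening connection failed";
    $f[] = "#  hard_init: reconnect to DSA with exponential backoff if";
    $f[] = "#             initializing connection failed";
    $f[] = "#  hard:      alias for hard_open";
    $f[] = "#  soft:      return immediately on server failure";
    $f[] = "#bind_policy hard";
    $f[] = "";
    $f[] = "# Connection policy:";
    $f[] = "#  persist:   DSA connections are kept open (default)";
    $f[] = "#  oneshot:   DSA connections destroyed after request";
    $f[] = "#nss_connect_policy persist";
    $f[] = "";
    $f[] = "# Idle timelimit; client will close connections";
    $f[] = "# (nss_ldap only) if the server has not been contacted";
    $f[] = "# for the number of seconds specified below.";
    $f[] = "#idle_timelimit 3600";
    $f[] = "";
    $f[] = "# Use paged rseults";
    $f[] = "#nss_paged_results yes";
    $f[] = "";
    $f[] = "# Pagesize: when paged results enable, used to set the";
    $f[] = "# pagesize to a custom value";
    $f[] = "#pagesize 1000";
    $f[] = "";
    $f[] = "# Filter to AND with uid=%s";
    $f[] = "pam_filter objectclass=posixAccount";
    $f[] = "";
    $f[] = "# The user ID attribute (defaults to uid)";
    $f[] = "pam_login_attribute uid";
    $f[] = "";
    $f[] = "# Search the root DSE for the password policy (works";
    $f[] = "# with Netscape Directory Server)";
    $f[] = "#pam_lookup_policy yes";
    $f[] = "";
    $f[] = "# Check the 'host' attribute for access control";
    $f[] = "# Default is no; if set to yes, and user has no";
    $f[] = "# value for the host attribute, and pam_ldap is";
    $f[] = "# configured for account management (authorization)";
    $f[] = "# then the user will not be allowed to login.";
    $f[] = "#pam_check_host_attr yes";
    $f[] = "";
    $f[] = "# Check the 'authorizedService' attribute for access";
    $f[] = "# control";
    $f[] = "# Default is no; if set to yes, and the user has no";
    $f[] = "# value for the authorizedService attribute, and";
    $f[] = "# pam_ldap is configured for account management";
    $f[] = "# (authorization) then the user will not be allowed";
    $f[] = "# to login.";
    $f[] = "#pam_check_service_attr yes";
    $f[] = "";
    $f[] = "# Group to enforce membership of";
    $f[] = "#pam_groupdn cn=PAM,ou=Groups,dc=padl,dc=com";
    $f[] = "";
    $f[] = "# Group member attribute";
    $f[] = "#pam_member_attribute uniquemember";
    $f[] = "";
    $f[] = "# Specify a minium or maximum UID number allowed";
    $f[] = "pam_min_uid 1";
    $f[] = "#pam_max_uid 0";
    $f[] = "";
    $f[] = "# Template login attribute, default template user";
    $f[] = "# (can be overriden by value of former attribute";
    $f[] = "# in user's entry)";
    $f[] = "#pam_login_attribute userPrincipalName";
    $f[] = "pam_template_login_attribute uid";
    $f[] = "#pam_template_login nobody";
    $f[] = "";
    $f[] = "# HEADS UP: the pam_crypt, pam_nds_passwd,";
    $f[] = "# and pam_ad_passwd options are no";
    $f[] = "# longer supported.";
    $f[] = "#";
    $f[] = "# Do not hash the password at all; presume";
    $f[] = "# the directory server will do it, if";
    $f[] = "# necessary. This is the default.";
    $f[] = "#pam_password clear";
    $f[] = "";
    $f[] = "# Hash password locally; required for University of";
    $f[] = "# Michigan LDAP server, and works with Netscape";
    $f[] = "# Directory Server if you're using the UNIX-Crypt";
    $f[] = "# hash mechanism and not using the NT Synchronization";
    $f[] = "# service. ";
    $f[] = "#pam_password crypt";
    $f[] = "";
    $f[] = "# Remove old password first, then update in";
    $f[] = "# cleartext. Necessary for use with Novell";
    $f[] = "# Directory Services (NDS)";
    $f[] = "#pam_password nds";
    $f[] = "";
    $f[] = "# RACF is an alias for the above. For use with";
    $f[] = "# IBM RACF";
    $f[] = "#pam_password racf";
    $f[] = "";
    $f[] = "# Update Active Directory password, by";
    $f[] = "# creating Unicode password and updating";
    $f[] = "# unicodePwd attribute.";
    $f[] = "#pam_password ad";
    $f[] = "";
    $f[] = "# Use the OpenLDAP password change";
    $f[] = "# extended operation to update the password.";
    $f[] = "#pam_password exop";
    $f[] = "";
    $f[] = "# Redirect users to a URL or somesuch on password";
    $f[] = "# changes.";
    $f[] = "#pam_password_prohibit_message Please visit http://internal to change your password.";
    $f[] = "";
    $f[] = "# Use backlinks for answering initgroups()";
    $f[] = "#nss_initgroups backlink";
    $f[] = "";
    $f[] = "# Enable support for RFC2307bis (distinguished names in group";
    $f[] = "# members)";
    $f[] = "#nss_schema rfc2307bis";
    $f[] = "";
    $f[] = "# RFC2307bis naming contexts";
    $f[] = "# Syntax:";
    $f[] = "# nss_base_XXX\t\tbase?scope?filter";
    $f[] = "# where scope is {base,one,sub}";
    $f[] = "# and filter is a filter to be &'d with the";
    $f[] = "# default filter.";
    $f[] = "# You can omit the suffix eg:";
    $f[] = "# nss_base_passwd\tou=People,";
    $f[] = "# to append the default base DN but this";
    $f[] = "# may incur a small performance impact.";
    $f[] = "#nss_base_passwd\tou=People,dc=padl,dc=com?one";
    $f[] = "#nss_base_shadow\tou=People,dc=padl,dc=com?one";
    $f[] = "#nss_base_group\t\tou=Group,dc=padl,dc=com?one";
    $f[] = "#nss_base_hosts\t\tou=Hosts,dc=padl,dc=com?one";
    $f[] = "#nss_base_services\tou=Services,dc=padl,dc=com?one";
    $f[] = "#nss_base_networks\tou=Networks,dc=padl,dc=com?one";
    $f[] = "#nss_base_protocols\tou=Protocols,dc=padl,dc=com?one";
    $f[] = "#nss_base_rpc\t\tou=Rpc,dc=padl,dc=com?one";
    $f[] = "#nss_base_ethers\tou=Ethers,dc=padl,dc=com?one";
    $f[] = "#nss_base_netmasks\tou=Networks,dc=padl,dc=com?ne";
    $f[] = "#nss_base_bootparams\tou=Ethers,dc=padl,dc=com?one";
    $f[] = "#nss_base_aliases\tou=Aliases,dc=padl,dc=com?one";
    $f[] = "#nss_base_netgroup\tou=Netgroup,dc=padl,dc=com?one";
    $f[] = "";
    $f[] = "# attribute/objectclass mapping";
    $f[] = "# Syntax:";
    $f[] = "#nss_map_attribute\trfc2307attribute\tmapped_attribute";
    $f[] = "#nss_map_objectclass\trfc2307objectclass\tmapped_objectclass";
    $f[] = "";
    $f[] = "# configure --enable-nds is no longer supported.";
    $f[] = "# NDS mappings";
    $f[] = "#nss_map_attribute uniqueMember member";
    $f[] = "";
    $f[] = "# Services for UNIX 3.5 mappings";
    $f[] = "#nss_map_objectclass posixAccount User";
    $f[] = "#nss_map_objectclass shadowAccount User";
    $f[] = "#nss_map_attribute uid msSFU30Name";
    $f[] = "#nss_map_attribute uniqueMember msSFU30PosixMember";
    $f[] = "#nss_map_attribute userPassword msSFU30Password";
    $f[] = "#nss_map_attribute homeDirectory msSFU30HomeDirectory";
    $f[] = "#nss_map_attribute homeDirectory msSFUHomeDirectory";
    $f[] = "#nss_map_objectclass posixGroup Group";
    $f[] = "#pam_login_attribute msSFU30Name";
    $f[] = "#pam_filter objectclass=User";
    $f[] = "#pam_password ad";
    $f[] = "";
    $f[] = "# configure --enable-mssfu-schema is no longer supported.";
    $f[] = "# Services for UNIX 2.0 mappings";
    $f[] = "#nss_map_objectclass posixAccount User";
    $f[] = "#nss_map_objectclass shadowAccount user";
    $f[] = "#nss_map_attribute uid msSFUName";
    $f[] = "#nss_map_attribute uniqueMember posixMember";
    $f[] = "#nss_map_attribute userPassword msSFUPassword";
    $f[] = "#nss_map_attribute homeDirectory msSFUHomeDirectory";
    $f[] = "#nss_map_attribute shadowLastChange pwdLastSet";
    $f[] = "#nss_map_objectclass posixGroup Group";
    $f[] = "#nss_map_attribute cn msSFUName";
    $f[] = "#pam_login_attribute msSFUName";
    $f[] = "#pam_filter objectclass=User";
    $f[] = "#pam_password ad";
    $f[] = "";
    $f[] = "# RFC 2307 (AD) mappings";
    $f[] = "#nss_map_objectclass posixAccount user";
    $f[] = "#nss_map_objectclass shadowAccount user";
    $f[] = "#nss_map_attribute uid sAMAccountName";
    $f[] = "#nss_map_attribute homeDirectory unixHomeDirectory";
    $f[] = "#nss_map_attribute shadowLastChange pwdLastSet";
    $f[] = "#nss_map_objectclass posixGroup group";
    $f[] = "#nss_map_attribute uniqueMember member";
    $f[] = "#pam_login_attribute sAMAccountName";
    $f[] = "#pam_filter objectclass=User";
    $f[] = "#pam_password ad";
    $f[] = "";
    $f[] = "# configure --enable-authpassword is no longer supported";
    $f[] = "# AuthPassword mappings";
    $f[] = "#nss_map_attribute userPassword authPassword";
    $f[] = "";
    $f[] = "# AIX SecureWay mappings";
    $f[] = "#nss_map_objectclass posixAccount aixAccount";
    $f[] = "#nss_base_passwd ou=aixaccount,?one";
    $f[] = "#nss_map_attribute uid userName";
    $f[] = "#nss_map_attribute gidNumber gid";
    $f[] = "#nss_map_attribute uidNumber uid";
    $f[] = "#nss_map_attribute userPassword passwordChar";
    $f[] = "#nss_map_objectclass posixGroup aixAccessGroup";
    $f[] = "#nss_base_group ou=aixgroup,?one";
    $f[] = "#nss_map_attribute cn groupName";
    $f[] = "#nss_map_attribute uniqueMember member";
    $f[] = "#pam_login_attribute userName";
    $f[] = "#pam_filter objectclass=aixAccount";
    $f[] = "#pam_password clear";
    $f[] = "";
    $f[] = "# For pre-RFC2307bis automount schema";
    $f[] = "#nss_map_objectclass automountMap nisMap";
    $f[] = "#nss_map_attribute automountMapName nisMapName";
    $f[] = "#nss_map_objectclass automount nisObject";
    $f[] = "#nss_map_attribute automountKey cn";
    $f[] = "#nss_map_attribute automountInformation nisMapEntry";
    $f[] = "";
    $f[] = "# Netscape SDK LDAPS";
    $f[] = "#ssl on";
    $f[] = "";
    $f[] = "# Netscape SDK SSL options";
    $f[] = "#sslpath /etc/ssl/certs";
    $f[] = "";
    $f[] = "# OpenLDAP SSL mechanism";
    $f[] = "# start_tls mechanism uses the normal LDAP port, LDAPS typically 636";
    $f[] = "#ssl start_tls";
    $f[] = "#ssl on";
    $f[] = "";
    $f[] = "# OpenLDAP SSL options";
    $f[] = "# Require and verify server certificate (yes/no)";
    $f[] = "# Default is to use libldap's default behavior, which can be configured in";
    $f[] = "# /etc/openldap/ldap.conf using the TLS_REQCERT setting.  The default for";
    $f[] = "# OpenLDAP 2.0 and earlier is \"no\", for 2.1 and later is \"yes\".";
    $f[] = "#tls_checkpeer yes";
    $f[] = "";
    $f[] = "# CA certificates for server certificate verification";
    $f[] = "# At least one of these are required if tls_checkpeer is \"yes\"";
    $f[] = "#tls_cacertfile /etc/ssl/ca.cert";
    $f[] = "#tls_cacertdir /etc/ssl/certs";
    $f[] = "";
    $f[] = "# Seed the PRNG if /dev/urandom is not provided";
    $f[] = "#tls_randfile /var/run/egd-pool";
    $f[] = "";
    $f[] = "# SSL cipher suite";
    $f[] = "# See man ciphers for syntax";
    $f[] = "#tls_ciphers TLSv1";
    $f[] = "";
    $f[] = "# Client certificate and key";
    $f[] = "# Use these, if your server requires client authentication.";
    $f[] = "#tls_cert";
    $f[] = "#tls_key";
    $f[] = "";
    $f[] = "# Disable SASL security layers. This is needed for AD.";
    $f[] = "#sasl_secprops maxssf=0";
    $f[] = "";
    $f[] = "# Override the default Kerberos ticket cache location.";
    $f[] = "#krb5_ccname FILE:/etc/.ldapcache";
    $f[] = "";
    return $f;
}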