/**
 * Asserts that creating new AFS users is functional.
 *
 * Looks up the test user's UID in LDAP, creates the AFS user with it, and
 * then points the CifAfs instance under test at that user's home directory.
 * On any exception the accumulated AFS log is echoed before the test fails,
 * so the failure output carries the AFS-side context.
 *
 * @depends test_cif_afs_authentication
 */
public function test_cif_afs_create_user()
{
    $afs = self::$afs;
    try {
        $uid = self::$ldap->get_user_attribute(self::$cifid, CifLdap::UID_FIELD);
        $afs->create_user(self::$cifid, $uid);
        // Subsequent AFS tests operate inside the test user's home directory
        $afs->set_working_directory(CifAfs::get_path_for(self::$cifid));
    } catch (Exception $failure) {
        echo "\n" . $afs->get_log();
        $this->fail($failure->getMessage());
    }
}
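/**
 * Creates a new CIF LDAP entry for the given attributes.
 * If the user already exists in CIF LDAP, this method does nothing.
 *
 * The steps run in a deliberate order: the entry is added in a disabled
 * state, given its real UID (which needs the directory-generated SID), added
 * to its class-year group, given its password, and only then enabled.
 *
 * @param array $attributes A CifLdap attributes array. See CifUser::parse_attributes().
 * @param string $password The user's password. It is handed to change_password()
 *                         and is never written to the log.
 * @throws Exception Presumably via log_and_except() when ldap_add() fails — confirm.
 */
public function create_user($attributes, $password)
{
    $cifid = $attributes[self::CIFID_FIELD];

    // Idempotent: an existing user is left untouched
    if ($this->user_exists($cifid)) {
        return;
    }

    // CIF LDAP has no class-year field, so the value is pulled out of the
    // entry here and only used for the group membership further down
    $class_year = $attributes[self::YEAR_FIELD];
    unset($attributes[self::YEAR_FIELD]);

    // Ensure that the user's loginshell value is a valid loginshell command
    $shell = array_key_exists(self::LOGINSHELL_FIELD, $attributes)
        ? $attributes[self::LOGINSHELL_FIELD]
        : null;
    $attributes[self::LOGINSHELL_FIELD] = CifShells::validate_shell($shell);

    // Generate the DN for the new user
    $dn = $this->get_user_dn($cifid);

    // The LDAP object's classes
    $attributes[self::OBJECT_CLASS_FIELD] = array('top', 'person', 'organizationalPerson', 'user', 'inetOrgPerson');

    // Set the user's home directory to their AFS space
    $attributes[self::HOME_DIR_FIELD] = CifAfs::get_path_for($cifid);

    // Alternate fields for their cifID
    $attributes[self::ACCOUNT_NAME_FIELD] = $cifid;
    $attributes[self::COMMON_NAME_FIELD] = $cifid;

    // Store the student ID in the form the card reader expects; the reader was
    // written against the output of encode_student_id(). Whether that is real
    // encryption or a reversible encoding is not visible here, so the value is
    // treated as sensitive below when logging.
    $sid = $attributes[self::STUDENT_ID_FIELD];
    $attributes[self::STUDENT_ID_FIELD] = $this->encode_student_id($sid);

    // Kerberos principal name
    $attributes[self::PRINCIPAL_FIELD] = CifKerberos::get_principal_for_user($cifid);

    // The account is created disabled; enable_account() at the end of this
    // method turns it on once the password has been set
    $attributes[self::UAC_FIELD] = ADS_UF_NORMAL_ACCOUNT | ADS_UF_ACCOUNTDISABLE;

    // Set the user's NIS domain (this might be picked up by Kerberos or AFS)
    $attributes[self::NIS_DOMAIN_FIELD] = 'cif';

    // Group id 1000 and a placeholder user id; the real UID is assigned
    // right after the entry exists (see update_user() below)
    $attributes[self::UID_FIELD] = -1;
    $attributes[self::GID_FIELD] = 1000;

    // Allows users to be secured under our User Sub-CA.
    // This may have been used for CIF wireless in the past where a user certificate was needed.
    $attributes[self::ALT_SECURITY_FIELD] = "X509:<I>C=US,S=New York,O=University of Rochester,";
    $attributes[self::ALT_SECURITY_FIELD] .= "OU=Computer Interest Floor,CN=CIF User Sub-CA<S>C=US,";
    $attributes[self::ALT_SECURITY_FIELD] .= "S=New York,L=Rochester,O=University of Rochester,";
    $attributes[self::ALT_SECURITY_FIELD] .= "OU=Computer Interest Floor,CN={$cifid}";

    // Log the request without the student ID: it is personal data, and the
    // encoding above may be reversible, so it must not land in log output
    $loggable = $attributes;
    $loggable[self::STUDENT_ID_FIELD] = '[redacted]';
    $this->log("Creating user `{$dn}` with attributes:\n" . print_r($loggable, true));

    if (!ldap_add(self::$connection, $dn, $attributes)) {
        $this->log_and_except("Unable to create LDAP user `{$dn}`");
    }

    // Give the user a unique UID for file permissions on Linux and UNIX systems
    // This must be done after the user is created because a unique SID will be generated by Active Directory for them
    $this->update_user($cifid, array(self::UID_FIELD => $this->generate_user_uid($cifid)));

    // Add the user to the appropriate class year group (must be done before enabling the account)
    $this->add_user_to_year_group($cifid, $class_year);

    // Set the user's password
    $this->change_password($cifid, $password);

    // The account must be enabled after the password is set
    $this->enable_account($cifid);
}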