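 /**
  * Asserts that valid login shell commands are accepted as valid.
  *
  * CifShells::validate_shell() is expected to hand a recognised shell back
  * unchanged, so each assertion compares the return value with its input.
  */
 public function test_valid_shells()
 {
     $good_shells = array('/bin/bash', '/bin/sh');
     // Loop through each shell, asserting that the shell is returned unchanged.
     // PHPUnit's argument order is (expected, actual); keeping it that way makes
     // a failure read "expected /bin/bash, got ..." rather than the reverse.
     foreach ($good_shells as $shell) {
         $this->assertSame($shell, CifShells::validate_shell($shell));
     }
 }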
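 /**
  * Creates a new CIF LDAP entry for the given attributes.
  * If the user already exists in CIF LDAP, this method does nothing.
  *
  * The entry is written with ADS_UF_ACCOUNTDISABLE set and is only enabled by
  * enable_account() at the very end, after its UID, class year group and
  * password have been set, so a half-provisioned account is never usable.
  *
  * @param array $attributes A CifLdap attributes array. See CifUser::parse_attributes().
  *                          Must contain CIFID_FIELD, YEAR_FIELD and STUDENT_ID_FIELD.
  * @param string $password The user's password. It is handed to change_password()
  *                         only and is never written to the log.
  */
 public function create_user($attributes, $password)
 {
     // Fail early on a malformed attribute array instead of building a DN from a
     // missing cifid. log_and_except() is assumed to throw: the ldap_add() failure
     // path below already relies on that, since it does not return afterwards.
     $required_fields = array(self::CIFID_FIELD, self::YEAR_FIELD, self::STUDENT_ID_FIELD);
     foreach ($required_fields as $required) {
         if (!array_key_exists($required, $attributes)) {
             $this->log_and_except("Unable to create LDAP user: missing required attribute `{$required}`");
         }
     }
     $cifid = $attributes[self::CIFID_FIELD];
     // Do nothing because the user exists
     if ($this->user_exists($cifid)) {
         return;
     }
     // Get the user's class year and unset it from the LDAP attributes
     // This is because CIF LDAP doesn't have a class year field
     $class_year = $attributes[self::YEAR_FIELD];
     unset($attributes[self::YEAR_FIELD]);
     // Ensure that the user's loginshell value is a valid loginshell command
     // (a missing value is passed through as null so validate_shell() can fall back)
     $shell = array_key_exists(self::LOGINSHELL_FIELD, $attributes) ? $attributes[self::LOGINSHELL_FIELD] : null;
     $attributes[self::LOGINSHELL_FIELD] = CifShells::validate_shell($shell);
     // Generate the DN for the new user
     // NOTE(review): $cifid is interpolated unescaped into the DN and into the
     // X.509 subject below; this assumes it was validated upstream — confirm.
     $dn = $this->get_user_dn($cifid);
     // The LDAP object's classes
     $attributes[self::OBJECT_CLASS_FIELD] = array('top', 'person', 'organizationalPerson', 'user', 'inetOrgPerson');
     // Set the user's home directory to their AFS space
     $attributes[self::HOME_DIR_FIELD] = CifAfs::get_path_for($cifid);
     // Alternate fields for their cifID
     $attributes[self::ACCOUNT_NAME_FIELD] = $cifid;
     $attributes[self::COMMON_NAME_FIELD] = $cifid;
     // Encrypt their student ID for storage
     // This is necessary because the card reader
     // was written to expect the student ID to be encrypted
     $sid = $attributes[self::STUDENT_ID_FIELD];
     $attributes[self::STUDENT_ID_FIELD] = $this->encode_student_id($sid);
     // Kerberos principal name
     $attributes[self::PRINCIPAL_FIELD] = CifKerberos::get_principal_for_user($cifid);
     // The account starts disabled; enable_account() flips this once provisioning is complete
     $attributes[self::UAC_FIELD] = ADS_UF_NORMAL_ACCOUNT | ADS_UF_ACCOUNTDISABLE;
     // Set the user's NIS domain (this might be picked up by Kerberos or AFS)
     $attributes[self::NIS_DOMAIN_FIELD] = 'cif';
     // Set the user's group id to 1000 and user id to a temporary value (it will be set once their account is created)
     $attributes[self::UID_FIELD] = -1;
     $attributes[self::GID_FIELD] = 1000;
     // Allows users to be secured under our User Sub-CA.
     // This may have been used for CIF wireless in the past where a user certificate was needed.
     $attributes[self::ALT_SECURITY_FIELD] =
         "X509:<I>C=US,S=New York,O=University of Rochester,"
         . "OU=Computer Interest Floor,CN=CIF User Sub-CA<S>C=US,"
         . "S=New York,L=Rochester,O=University of Rochester,"
         . "OU=Computer Interest Floor,CN={$cifid}";
     // Log the entry about to be created with the student ID redacted: even in
     // its encoded form it is personal data that does not belong in the log.
     $logged_attributes = $attributes;
     $logged_attributes[self::STUDENT_ID_FIELD] = '[redacted]';
     $this->log("Creating user `{$dn}` with attributes:\n" . print_r($logged_attributes, true));
     if (!ldap_add(self::$connection, $dn, $attributes)) {
         $this->log_and_except("Unable to create LDAP user `{$dn}`");
     }
     // Give the user a unique UID for file permissions on Linux and UNIX systems
     // This must be done after the user is created because a unique SID will be generated by Active Directory for them
     $this->update_user($cifid, array(self::UID_FIELD => $this->generate_user_uid($cifid)));
     // Add the user to the appropriate class year group (must be done before enabling the account)
     $this->add_user_to_year_group($cifid, $class_year);
     // Set the user's password
     $this->change_password($cifid, $password);
     // The account must be enabled after the password is set
     $this->enable_account($cifid);
 }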