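/**
  * Global static method which authenticates a user against an LDAP server
  * without further usage of the class.
  *
  * Empty credentials are rejected before any bind is attempted: a simple bind
  * with a DN and an empty password is an "unauthenticated" bind (RFC 4513,
  * section 5.1.2) which many servers accept, so passing it through to the
  * server could report success for a caller who supplied no password at all.
  * The connection is always closed, whether or not the bind succeeded.
  *
  * @param string $host
  * @param int $port
  * @param string $username The DN of the user.
  * @param string $password The password to the specified user.
  * @param int $protocolVersion
  *
  * @return bool true if connecting and binding succeeded, false otherwise.
  */
 public static function authenticateUser($host, $port, $username, $password, $protocolVersion = 3)
 {
     // Do not use empty(): '0' is a legitimate (if poor) password and must not be rejected here.
     if ($username === null || $username === '' || $password === null || $password === '') {
         return false;
     }
     $auth = new IF_AbstractLdapConnector();
     if (!$auth->connect($host, $port, $protocolVersion)) {
         return false;
     }
     // Release the connection on both outcomes; the original leaked it on a failed bind.
     $bound = $auth->bind($username, $password);
     $auth->close();
     return (bool) $bound;
 }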
     }
     break;
 case "SvnAdminExecutable":
     if (file_exists($pSvnAdminExecutable)) {
         if (is_executable($pSvnAdminExecutable)) {
             $msgOk = $appTR->tr("Test passed.");
         } else {
             $msgErr = $appTR->tr("The file exists but is not executable.");
         }
     } else {
         $msgErr = $appTR->tr("The file does not exist.");
     }
     break;
 case "LdapConnection":
     if (IF_AbstractLdapConnector::isLdapExtensionEnabled()) {
         $connector = new IF_AbstractLdapConnector();
         if ($connector->connect($pLdapHostAddress, 0, $pLdapProtocolVersion)) {
             if ($connector->bind($pLdapBindDN, $pLdapBindPassword)) {
                 $msgOk = tr("Test passed.");
             } else {
                 $msgErr = tr("Connection failed:") . " " . ldap_error($connector->connection);
             }
         } else {
             $msgErr = tr("Connection failed:") . " " . ldap_error($connector->connection);
         }
     } else {
         $msgErr = tr("PHP LDAP extension is not available.");
     }
     break;
 case "LdapUser":
     if (IF_AbstractLdapConnector::isLdapExtensionEnabled()) {
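 /**
  * Searches for a user-entry based on the member-id from the group.
  *
  * The member id is escaped with ldap_escape() before it is placed in the
  * search filter, so a value containing filter metacharacters ("*", "(",
  * ")", "\", NUL) cannot widen or alter the search (LDAP filter injection).
  *
  * @param string $memberId The member id which is associated to a group (mostly the DN).
  *
  * @return stdClass|null User-entry or NULL if no entry matched.
  */
 protected function p_resolveGroupMemberId($memberId)
 {
     // Build "(&(<attr>=<escaped id>)<users_search_filter>)"; users_search_filter
     // is expected to be a complete, parenthesised filter.
     $escapedId = ldap_escape((string) $memberId, '', LDAP_ESCAPE_FILTER);
     $filter = '(&(' . $this->groups_to_users_attribute_value . '=' . $escapedId . ')' . $this->users_search_filter . ')';
     // Execute search, limited to a single result.
     $found = parent::objectSearch($this->connection, $this->users_base_dn, $filter, $this->users_attributes, 1);
     if (!is_array($found) || count($found) <= 0) {
         error_log("Can not resolve member ID. member-id={$memberId}; filter={$filter};");
         return null;
     }
     return $found[0];
 }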
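 /**
  * Updates the SVNAuthFile with Users and Groups from LDAP server.
  *
  * Steps:
  *  1. Fetch all users and groups from the LDAP server. This happens before
  *     the SVNAuthFile is touched, so an unreachable server, a failed bind or
  *     a listing that is not an array aborts the update instead of emptying
  *     the file.
  *  2. Load the current SVNAuthFile and remove all of its groups.
  *  3. Re-create every LDAP group and associate its members.
  *  4. Save the new SVNAuthFile to disk.
  *  5. Compare with the previous file and revoke Access-Path permissions of
  *     groups and users which do not exist anymore.
  *
  * @param bool $autoRemoveUsers  Revoke direct Access-Path permissions of
  *                               users which no longer exist on the server.
  * @param bool $autoRemoveGroups Revoke Access-Path permissions of groups
  *                               which no longer exist on the server.
  *
  * @throws \Exception If the LDAP server can not be reached, the bind fails
  *                    or the user/group listing is not an array. Exceptions
  *                    of the SVNAuthFile/provider layer propagate unchanged.
  */
 public function updateSvnAuthFile($autoRemoveUsers = true, $autoRemoveGroups = true)
 {
     $this->init();
     $E = \svnadmin\core\Engine::getInstance();

     // Increase max_execution_time for big LDAP structures (0 means unlimited).
     $maxTime = (int) ini_get('max_execution_time');
     if ($maxTime !== 0 && $maxTime < 300) {
         ini_set('max_execution_time', 300);
     }

     // Check connection before doing the update (the probe connection is
     // closed again by the helper).
     $this->p_assertLdapReachable();

     // @todo Backup file.

     // Step 1
     // Get all users and groups from LDAP server.
     $users = $this->p_getUserEntries();
     $groups = $this->p_getGroupEntries(true);
     if (!is_array($users) || !is_array($groups)) {
         throw new \Exception("Can not read users or groups from LDAP server.");
     }

     // Step 2
     // Load the current SVNAuthFile twice: one instance is modified, the
     // other one stays untouched for the comparison in step 5. Then remove
     // all existing groups (in memory; nothing is written before step 4).
     $svnAuthFilePath = $E->getConfig()->getValue("Subversion", "SVNAuthFile");
     $svnAuthFile = new \IF_SVNAuthFileC($svnAuthFilePath);
     $svnAuthFileOld = new \IF_SVNAuthFileC($svnAuthFilePath);
     foreach ($svnAuthFile->groups() as $g) {
         $svnAuthFile->deleteGroup($g);
     }

     // Step 3
     // Iterate all groups which have been fetched from LDAP server, create
     // them in the SVNAuthFile and associate every user which is a member.
     //
     // @todo Add the Realname or DN of a user as Alias to the SVNAuthFile.
     $this->p_createGroupsWithMembers($E, $svnAuthFile, $users, $groups);

     // Step 4
     // Save new SVNAuthFile to disk.
     $svnAuthFile->save();

     // Step 5
     // Compare with previous file to revoke AccessPath permissions of
     // deleted groups and users.
     $this->p_revokePermissionsOfRemovedEntities($E, $svnAuthFileOld, $svnAuthFile, $autoRemoveUsers, $autoRemoveGroups);
 }

 /**
  * Opens a probe connection and binds with the configured credentials, so
  * that an unreachable server or wrong bind credentials abort the update
  * before the SVNAuthFile is modified. The probe connection is closed on
  * every path (the original left it open).
  *
  * @throws \Exception If the connection or the bind fails.
  */
 private function p_assertLdapReachable()
 {
     $connector = new \IF_AbstractLdapConnector();
     if (!$connector->connect($this->host_address, 0, $this->host_protocol_version)) {
         throw new \Exception("Can not connect.", 0);
     }
     if (!$connector->bind($this->bind_dn, $this->bind_password)) {
         $connector->close();
         throw new \Exception("Can not connect. Authentication failed.");
     }
     $connector->close();
 }

 /**
  * Creates every LDAP group in the SVNAuthFile and assigns its members.
  *
  * Groups without a name property are skipped; a failing createGroup() is
  * reported through the Engine and that group is skipped as well.
  *
  * @param \svnadmin\core\Engine $E
  * @param \IF_SVNAuthFileC $svnAuthFile
  * @param array $users  User-entries from LDAP (stdClass objects).
  * @param array $groups Group-entries from LDAP (stdClass objects).
  */
 private function p_createGroupsWithMembers($E, $svnAuthFile, array $users, array $groups)
 {
     // Property name of a Group-Entry which holds the group's name.
     $gp_name = strtolower($this->groups_attributes[0]);
     // Property name of a Group-Entry which holds the member-id (DN).
     $gp_member_id = strtolower($this->groups_to_users_attribute);
     // Property name of a User-Entry which holds the user's name.
     $up_name = strtolower($this->users_attributes[0]);
     // member-id => User-Entry, so each member costs one lookup instead of a
     // scan over all users per member.
     $usersByMemberId = $this->p_indexUsersByMemberId($users);

     foreach ($groups as $g) {
         if (!property_exists($g, $gp_name)) {
             // The group-name property doesn't exist.
             continue;
         }
         try {
             // Create group in SVNAuthFile. (throws Exception)
             $svnAuthFile->createGroup($g->{$gp_name});
         } catch (\Exception $except) {
             $E->addException($except);
             continue;
         }
         // @todo Should we delete empty groups from overview?
         foreach ($this->p_groupMemberIds($g, $gp_member_id) as $member_id) {
             if (isset($usersByMemberId[$member_id])) {
                 // Add user to SVNAuthFile-Group.
                 $svnAuthFile->addUserToGroup($g->{$gp_name}, $usersByMemberId[$member_id]->{$up_name});
             }
         }
     }
 }

 /**
  * Returns the member ids of a Group-Entry as a list of strings.
  *
  * A missing property means "no members"; a single string value is one
  * member; an array value holds multiple members (non-string elements are
  * dropped, they could never match a user id anyway).
  *
  * @param stdClass $group
  * @param string $memberIdProperty Lower-cased property name holding the member ids.
  *
  * @return string[]
  */
 private function p_groupMemberIds($group, $memberIdProperty)
 {
     if (!property_exists($group, $memberIdProperty)) {
         return array();
     }
     $value = $group->{$memberIdProperty};
     if (is_string($value)) {
         return array($value);
     }
     if (is_array($value)) {
         return array_values(array_filter($value, 'is_string'));
     }
     return array();
 }

 /**
  * Indexes the User-Entries by the attribute value which Group-Entries use
  * as member id (groups_to_users_attribute_value).
  *
  * Users without that property, or whose value is not a single string
  * (multi-valued attribute), are left out. The first user with a given id
  * wins, mirroring the former first-match linear scan. Matching is exact,
  * which for DNs/uids is equivalent to the former loose comparison.
  *
  * @param array $users User-entries from LDAP (stdClass objects).
  *
  * @return array<string, stdClass>
  */
 private function p_indexUsersByMemberId(array $users)
 {
     // Property name of a User-Entry which holds the value which is assigned in a Group-Entry as Member-ID.
     $up_id = strtolower($this->groups_to_users_attribute_value);
     $index = array();
     foreach ($users as $u) {
         if (!property_exists($u, $up_id) || !is_string($u->{$up_id})) {
             continue;
         }
         $key = $u->{$up_id};
         if (!isset($index[$key])) {
             $index[$key] = $u;
         }
     }
     return $index;
 }

 /**
  * Revokes Access-Path permissions of groups and users which exist in the
  * old SVNAuthFile or in an Access-Path but not on the LDAP server anymore,
  * then saves the Access-Path provider.
  *
  * @param \svnadmin\core\Engine $E
  * @param \IF_SVNAuthFileC $svnAuthFileOld The file as it was before the update.
  * @param \IF_SVNAuthFileC $svnAuthFile    The freshly saved file.
  * @param bool $autoRemoveUsers
  * @param bool $autoRemoveGroups
  */
 private function p_revokePermissionsOfRemovedEntities($E, $svnAuthFileOld, $svnAuthFile, $autoRemoveUsers, $autoRemoveGroups)
 {
     // Reset the Provider object, because it holds the SVNAuthFile and has
     // to be reloaded after the changes made above.
     $apEditProvider = $E->getProvider(PROVIDER_ACCESSPATH_EDIT);
     $apEditProvider->reset();

     // NOTE(review): $g, $u and $r below originate from LDAP / the auth file
     // and are embedded in HTML markup by the messages; confirm that tr() or
     // addMessage() escape them for the HTML context.

     // Groups which are in the old file but not in the new one have been
     // removed from LDAP: revoke all of their permissions.
     if ($autoRemoveGroups) {
         foreach ($svnAuthFileOld->groups() as $g) {
             if ($svnAuthFile->groupExists($g)) {
                 continue;
             }
             try {
                 $apEditProvider->removeGroupFromAllAccessPaths(new \svnadmin\core\entities\Group($g, $g));
                 $E->addMessage(tr("The group <b>%0</b> has been removed from LDAP. Removed all assigned permissions.", array($g)));
             } catch (\Exception $e) {
                 $E->addException($e);
             }
         }
     }

     // Users and groups with direct Access-Path permissions which do not
     // exist anymore.
     foreach ($svnAuthFile->repositories() as $r) {
         // Users. The LDAP lookup is skipped entirely when nothing would be revoked.
         foreach ($svnAuthFile->usersOfRepository($r) as $u) {
             if ($u === "*") {
                 // #87 Do not check for * user in LDAP.
                 continue;
             }
             if ($autoRemoveUsers && !$this->userExists(new \svnadmin\core\entities\User($u, $u))) {
                 // The user has direct AccessPath permissions but does not exist on LDAP server.
                 try {
                     $apEditProvider->removeUserFromAccessPath(new \svnadmin\core\entities\User($u, $u), new \svnadmin\core\entities\AccessPath($r));
                     $E->addMessage(tr("The user <b>%0</b> doesn't exist anymore. Removed direct Access-Path permission to <b>%1</b>", array($u, $r)));
                 } catch (\Exception $e) {
                     $E->addException($e);
                 }
             }
         }
         // Groups. Checked against the new SVNAuthFile, because its groups
         // have just been rebuilt from LDAP.
         foreach ($svnAuthFile->groupsOfRepository($r) as $g) {
             if ($autoRemoveGroups && !$svnAuthFile->groupExists($g)) {
                 try {
                     $apEditProvider->removeGroupFromAccessPath(new \svnadmin\core\entities\Group($g, $g), new \svnadmin\core\entities\AccessPath($r));
                     $E->addMessage(tr("The group <b>%0</b> doesn't exist anymore. Removed direct Access-Path permission to <b>%1</b>", array($g, $r)));
                 } catch (\Exception $e) {
                     $E->addException($e);
                 }
             }
         }
     }

     // Save changes made to "$apEditProvider".
     $apEditProvider->save();
 }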
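 /**
  * Searches for a user-entry based on the member-id from the group.
  *
  * In this variant the member id is used as the search base (it is expected
  * to be the DN of the user entry) and the configured users_search_filter
  * selects the entry; the search is limited to one result.
  *
  * @param string $memberId The member id which is associated to a group (mostly the DN).
  *
  * @return stdClass|null User-entry or NULL if no entry matched.
  */
 protected function p_resolveGroupMemberId($memberId)
 {
     // Keep the filter in a local so the failure log can report it; it used
     // to reference an undefined variable here.
     $filter = $this->users_search_filter;
     // Execute search with the member id as base DN.
     $found = parent::objectSearch($this->connection, $memberId, $filter, $this->users_attributes, 1);
     if (!is_array($found) || count($found) <= 0) {
         error_log("Can not resolve member ID. member-id={$memberId}; filter={$filter};");
         return null;
     }
     return $found[0];
 }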