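/**
 * Global static method which authenticates a user against an LDAP server
 * without further usage of the class.
 *
 * The connection opened for the check is released again in every case,
 * whether the bind succeeded or not.
 *
 * @param string $host            LDAP server host.
 * @param int    $port            LDAP server port.
 * @param string $username        The DN of the user.
 * @param string $password        The password to the specified user.
 * @param int    $protocolVersion LDAP protocol version (default 3).
 *
 * @return bool true if the user could be authenticated, false otherwise.
 */
public static function authenticateUser($host, $port, $username, $password, $protocolVersion = 3)
{
    // An empty DN or password makes an LDAP bind anonymous/unauthenticated,
    // which a server may accept although no credential was checked. Reject
    // such input here regardless of whether bind() guards against it too
    // (NOTE(review): bind() is not visible from here — confirm).
    if ((string) $username === '' || (string) $password === '') {
        return false;
    }

    $auth = new IF_AbstractLdapConnector();
    if (!$auth->connect($host, $port, $protocolVersion)) {
        return false;
    }

    $authenticated = $auth->bind($username, $password);

    // Release the connection in both the success and the failure case so
    // that a failed bind does not leave the link open.
    $auth->close();

    return (bool) $authenticated;
}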
case "SvnAdminExecutable": if (file_exists($pSvnAdminExecutable)) { if (is_executable($pSvnAdminExecutable)) { $msgOk = $appTR->tr("Test passed."); } else { $msgErr = $appTR->tr("The file exists but is not executable."); } } else { $msgErr = $appTR->tr("The file does not exist."); } break; case "LdapConnection": if (IF_AbstractLdapConnector::isLdapExtensionEnabled()) { $connector = new IF_AbstractLdapConnector(); if ($connector->connect($pLdapHostAddress, 0, $pLdapProtocolVersion)) { if ($connector->bind($pLdapBindDN, $pLdapBindPassword)) { $msgOk = tr("Test passed."); } else { $msgErr = tr("Connection failed:") . " " . ldap_error($connector->connection); } } else { $msgErr = tr("Connection failed:") . " " . ldap_error($connector->connection); } } else { $msgErr = tr("PHP LDAP extension is not available."); } break; case "LdapUser": if (IF_AbstractLdapConnector::isLdapExtensionEnabled()) { include_once "./classes/providers/ldap/LdapUserViewProvider.class.php"; $up = new \svnadmin\providers\ldap\LdapUserViewProvider();
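/**
 * Updates the SVNAuthFile with users and groups from the LDAP server.
 *
 * Steps: verify that the LDAP server is reachable and the bind works, drop
 * all groups from the SVNAuthFile, re-create them from the LDAP group
 * entries together with their members, save the file, and finally revoke
 * the Access-Path permissions of groups and users that no longer exist.
 *
 * Group membership is resolved by an exact (type-strict) match between the
 * member-id stored in the group entry and the id attribute of a user entry;
 * a loose comparison could associate the wrong user with a group.
 *
 * NOTE(review): group and user names taken from LDAP are placed into HTML
 * messages ("<b>%0</b>") — confirm that tr()/addMessage() escape them.
 *
 * @param bool $autoRemoveUsers  Revoke direct Access-Path permissions of
 *                               users that do not exist on the LDAP server.
 * @param bool $autoRemoveGroups Revoke Access-Path permissions of groups
 *                               that do not exist on the LDAP server.
 *
 * @throws \Exception If the LDAP server cannot be reached or the bind fails,
 *                    or on any error while rewriting the SVNAuthFile.
 */
public function updateSvnAuthFile($autoRemoveUsers = true, $autoRemoveGroups = true)
{
    // The return value of init() is ignored on purpose: the explicit
    // connection check below throws with a meaningful message instead.
    $this->init();
    $E = \svnadmin\core\Engine::getInstance();

    // Increase max_execution_time for big LDAP structures.
    $maxTime = intval(ini_get('max_execution_time'));
    if ($maxTime !== 0 && $maxTime < 300) {
        ini_set('max_execution_time', 300);
    }

    // Check the connection before doing the update.
    $connector = new \IF_AbstractLdapConnector();
    if (!$connector->connect($this->host_address, 0, $this->host_protocol_version)) {
        throw new \Exception("Can not connect.", 0);
    }
    if (!$connector->bind($this->bind_dn, $this->bind_password)) {
        throw new \Exception("Can not connect. Authentication failed.");
    }
    // The check-connection is not used any further; release it.
    $connector->close();

    // @todo Backup file.

    // Step 1
    // Load the current SVNAuthFile and remove all existing groups. A second,
    // untouched copy is kept to detect removed groups in step 5.
    $svnAuthFilePath = $E->getConfig()->getValue("Subversion", "SVNAuthFile");
    $svnAuthFile = new \IF_SVNAuthFileC($svnAuthFilePath);
    $svnAuthFileOld = new \IF_SVNAuthFileC($svnAuthFilePath);

    $svnAuthFileGroups = $svnAuthFile->groups();
    foreach ($svnAuthFileGroups as $g) {
        $svnAuthFile->deleteGroup($g);
    }

    // Step 2
    // Get all users and groups from the LDAP server.
    $users = $this->p_getUserEntries();
    $groups = $this->p_getGroupEntries(true);

    // Step 3
    // Create every group fetched from LDAP in the SVNAuthFile and associate
    // the users which are listed as its members.
    //
    // @todo Add the Realname or DN of a user as Alias to the SVNAuthFile.

    // Property name of a Group-Entry which holds the group's name.
    $gp_name = strtolower($this->groups_attributes[0]);
    // Property name of a Group-Entry which holds the member-id (DN).
    $gp_member_id = strtolower($this->groups_to_users_attribute);
    // Property name of a User-Entry which holds the user's name.
    $up_name = strtolower($this->users_attributes[0]);
    // Property name of a User-Entry which holds the value which is assigned
    // in a Group-Entry as Member-ID.
    $up_id = strtolower($this->groups_to_users_attribute_value);

    // Index the users once instead of scanning the user list for every
    // member of every group.
    $userNameByMemberId = $this->p_indexUsersByMemberId($users, $up_id, $up_name);

    foreach ($groups as $g) {
        if (!property_exists($g, $gp_name)) {
            continue; // The group-name property doesn't exist.
        }
        $groupName = $g->{$gp_name};

        try {
            // Create group in SVNAuthFile. (throws Exception)
            $svnAuthFile->createGroup($groupName);
        } catch (\Exception $except) {
            $E->addException($except);
            continue;
        }

        if (!property_exists($g, $gp_member_id)) {
            // No members.
            // @todo Should we delete empty groups from overview?
            continue;
        }

        // A single member arrives as a string, several members as an array.
        $memberIds = $g->{$gp_member_id};
        if (is_string($memberIds)) {
            $memberIds = array($memberIds);
        } elseif (!is_array($memberIds)) {
            continue;
        }

        foreach ($memberIds as $member_id) {
            if (!is_string($member_id) && !is_int($member_id)) {
                continue;
            }
            if (array_key_exists($member_id, $userNameByMemberId)) {
                // Add user to SVNAuthFile-Group.
                $svnAuthFile->addUserToGroup($groupName, $userNameByMemberId[$member_id]);
            }
        }
    } // foreach($groups)

    // Step 4
    // Save new SVNAuthFile to disk.
    $svnAuthFile->save();

    // Step 5
    // Compare with the previous file to revoke AccessPath permissions of
    // deleted groups and users.
    //
    // The provider object is reset, because it holds the SVNAuthFile and
    // must be reloaded after the changes above.
    $apEditProvider = $E->getProvider(PROVIDER_ACCESSPATH_EDIT);
    $apEditProvider->reset();

    // Groups which are in the old file but not in the new one were removed
    // from LDAP: revoke their permissions on all Access-Paths.
    if ($autoRemoveGroups) {
        foreach ($svnAuthFileOld->groups() as $g) {
            if ($svnAuthFile->groupExists($g)) {
                continue;
            }
            try {
                $apEditProvider->removeGroupFromAllAccessPaths(new \svnadmin\core\entities\Group($g, $g));
                $E->addMessage(tr("The group <b>%0</b> has been removed from LDAP. Removed all assigned permissions.", array($g)));
            } catch (\Exception $e) {
                $E->addException($e);
            }
        }
    }

    // Users and groups with direct Access-Path permissions that no longer
    // exist: revoke those permissions. The LDAP lookups are skipped entirely
    // when nothing would be removed anyway.
    foreach ($svnAuthFile->repositories() as $r) {
        $accessPath = new \svnadmin\core\entities\AccessPath($r);

        // Users.
        if ($autoRemoveUsers) {
            foreach ($svnAuthFile->usersOfRepository($r) as $u) {
                if ($u === "*") {
                    continue; // #87 Do not check for the "*" user in LDAP.
                }
                if ($this->userExists(new \svnadmin\core\entities\User($u, $u))) {
                    continue;
                }
                // The user has direct AccessPath permissions but does not
                // exist on the LDAP server: revoke them.
                try {
                    $apEditProvider->removeUserFromAccessPath(new \svnadmin\core\entities\User($u, $u), $accessPath);
                    $E->addMessage(tr("The user <b>%0</b> doesn't exist anymore. Removed direct Access-Path permission to <b>%1</b>", array($u, $r)));
                } catch (\Exception $e) {
                    $E->addException($e);
                }
            } // foreach (users)
        }

        // Groups.
        if ($autoRemoveGroups) {
            foreach ($svnAuthFile->groupsOfRepository($r) as $g) {
                // Checking against the new SVNAuthFile is sufficient, because
                // its groups have just been rebuilt from LDAP.
                if ($svnAuthFile->groupExists($g)) {
                    continue;
                }
                try {
                    $apEditProvider->removeGroupFromAccessPath(new \svnadmin\core\entities\Group($g, $g), $accessPath);
                    $E->addMessage(tr("The group <b>%0</b> doesn't exist anymore. Removed direct Access-Path permission to <b>%1</b>", array($g, $r)));
                } catch (\Exception $e) {
                    $E->addException($e);
                }
            } // foreach (groups)
        }
    } // foreach (repositories)

    // Save changes made to "$apEditProvider".
    $apEditProvider->save();
}

/**
 * Builds a lookup table member-id => user name from the LDAP user entries.
 *
 * The first user carrying a given member-id wins. Users without the id or
 * the name attribute are skipped. Only string/int ids are indexed, and a
 * lookup only matches an identical value (no loose comparison).
 *
 * @param iterable $users   User entries as returned by p_getUserEntries().
 * @param string   $up_id   Lower-cased name of the user attribute holding the member-id.
 * @param string   $up_name Lower-cased name of the user attribute holding the user name.
 *
 * @return array member-id => user name
 */
private function p_indexUsersByMemberId($users, $up_id, $up_name)
{
    $index = array();
    foreach ($users as $u) {
        if (!property_exists($u, $up_id) || !property_exists($u, $up_name)) {
            continue;
        }
        // The id attribute may be single- or multi-valued.
        $ids = $u->{$up_id};
        if (!is_array($ids)) {
            $ids = array($ids);
        }
        foreach ($ids as $id) {
            if (!is_string($id) && !is_int($id)) {
                continue;
            }
            if (!array_key_exists($id, $index)) {
                $index[$id] = $u->{$up_name};
            }
        }
    }
    return $index;
}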
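/**
 * (non-PHPdoc)
 * @see svnadmin\core\interfaces.IProvider::init()
 *
 * Connects and binds to the configured LDAP server once; later calls return
 * true immediately. A failed connect or bind is not remembered as "done",
 * so a later call retries instead of reporting success for a connection
 * that was never established.
 *
 * @return bool true if the provider is connected and bound, false otherwise.
 */
public function init()
{
    if ($this->m_init_done) {
        return true;
    }
    if (parent::connect($this->host_address, $this->host_port, $this->host_protocol_version) === false) {
        return false;
    }
    if (parent::bind($this->bind_dn, $this->bind_password) === false) {
        return false;
    }
    // Mark as initialised only after both steps succeeded.
    $this->m_init_done = true;
    return true;
}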