Esempio n. 1
 /**
  * Checks the group membership of the bound user.
  *
  * When no group is configured the check is skipped and counts as passed.
  * Otherwise an AND filter of "groupAttr = group" and "memberAttr = user" is
  * built, optionally AND-ed with the configured groupFilter, and the number of
  * matches below groupDn is taken; exactly one match counts as membership.
  *
  * The result is either boolean true or a non-empty message string. Callers
  * have to test it with "=== true": a plain truthiness test would treat the
  * failure message as success.
  *
  * @param  Zend_Ldap $ldap            connection used for the count query
  * @param  string    $canonicalName   used as member value when memberIsDn is false
  * @param  string    $dn              used as member value otherwise
  * @param  array     $adapterOptions  reads group, memberIsDn, groupAttr, memberAttr,
  *                                    groupFilter, groupDn and groupScope
  * @return string|true  true on success, otherwise a diagnostic message
  */
 protected function _checkGroupMembership(Zend_Ldap $ldap, $canonicalName, $dn, array $adapterOptions)
 {
     // No group configured: nothing to verify.
     if ($adapterOptions['group'] === null) {
         return true;
     }

     // Only a strict boolean false selects the canonical name; every other
     // value falls back to the DN.
     $member = ($adapterOptions['memberIsDn'] === false) ? $canonicalName : $dn;

     /**
      * @see Zend_Ldap_Filter
      */
     require_once 'Zend/Ldap/Filter.php';

     // Group and member values are passed to the filter builder as values
     // rather than concatenated into a filter string.
     $filter = Zend_Ldap_Filter::andFilter(
         Zend_Ldap_Filter::equals($adapterOptions['groupAttr'], $adapterOptions['group']),
         Zend_Ldap_Filter::equals($adapterOptions['memberAttr'], $member)
     );

     // groupFilter is appended as given.
     // NOTE(review): presumably this comes from static configuration only;
     // confirm it never carries request data.
     $extraFilter = $adapterOptions['groupFilter'];
     if (!empty($extraFilter)) {
         $filter = $filter->addAnd($extraFilter);
     }

     $matches = $ldap->count($filter, $adapterOptions['groupDn'], $adapterOptions['groupScope']);
     if ($matches !== 1) {
         // The message embeds the complete filter (group and member values):
         // suitable for logs, not for text shown to the person logging in.
         return 'Failed to verify group membership with ' . $filter->toString();
     }

     return true;
 }
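 /**
  * Returns the gidnumber of the group identified by the given UUID.
  *
  * The group is searched below groupsDn using the group base filter AND-ed
  * with an equality match on the group UUID attribute.
  *
  * @param  string $_uuid  group id; passed through _encodeGroupId() before matching
  * @return string|null    gidnumber of the first match, or null when the search
  *                        returned no entry or the entry has no gidnumber value
  */
 public function resolveGidNumber($_uuid)
 {
     $filter = Zend_Ldap_Filter::andFilter(
         Zend_Ldap_Filter::string($this->_groupBaseFilter),
         Zend_Ldap_Filter::equals($this->_groupUUIDAttribute, $this->_encodeGroupId($_uuid))
     );

     $groupData = $this->getLdap()
         ->search($filter, $this->_options['groupsDn'], $this->_groupSearchScope, array('gidnumber'))
         ->getFirst();

     // A lookup without a usable result is reported as null explicitly instead
     // of indexing into a missing entry (which raises a PHP warning on the way
     // to the same null).
     if (!isset($groupData['gidnumber'][0])) {
         return null;
     }

     return $groupData['gidnumber'][0];
 }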
Esempio n. 3
 /**
  * An AND of two OR groups must serialise to the nested "(&(|..)(|..))" string.
  */
 public function testRealFilterString()
 {
     $surnameFilter = Zend_Ldap_Filter::orFilter(
         Zend_Ldap_Filter::equals('sn', 'Gehrig'),
         Zend_Ldap_Filter::equals('sn', 'Goerke')
     );
     $givenNameFilter = Zend_Ldap_Filter::orFilter(
         Zend_Ldap_Filter::equals('givenName', 'Stefan'),
         Zend_Ldap_Filter::equals('givenName', 'Ingo')
     );

     $combined = Zend_Ldap_Filter::andFilter($surnameFilter, $givenNameFilter);
     $expected = '(&(|(sn=Gehrig)(sn=Goerke))(|(givenName=Stefan)(givenName=Ingo)))';

     $this->assertEquals($expected, $combined->toString());
 }
 /**
  * Returns the LDAP entry of a single user.
  *
  * @param  string $_property  key into _rowNameMapping naming the attribute to match on
  * @param  mixed  $_userId    value to look up; for 'accountId' it is converted with
  *                            Tinebase_Model_User::convertUserIdToInt() and then encoded
  * @return array              the only matching entry
  * @throws Tinebase_Exception_NotFound  unless exactly one entry matches
  */
 protected function _getLdapEntry($_property, $_userId)
 {
     // Loose comparison on purpose: it mirrors switch/case matching.
     if ($_property == 'accountId') {
         $value = $this->_encodeAccountId(Tinebase_Model_User::convertUserIdToInt($_userId));
     } else {
         // NOTE(review): Zend_Ldap_Filter::equals() is understood to escape its
         // value as well; if so, special characters get encoded twice here and
         // such ids would not match. Confirm against the Zend_Ldap version in use.
         $value = Zend_Ldap::filterEscape($_userId);
     }

     // NOTE(review): a $_property that is not a key of _rowNameMapping yields an
     // empty attribute name in the filter; presumably callers pass known keys only.
     $filter = Zend_Ldap_Filter::andFilter(
         Zend_Ldap_Filter::string($this->_userBaseFilter),
         Zend_Ldap_Filter::equals($this->_rowNameMapping[$_property], $value)
     );

     // Mapped attributes first, then whatever each plugin asks for.
     $attributes = array_values($this->_rowNameMapping);
     foreach ($this->_ldapPlugins as $plugin) {
         $attributes = array_merge($attributes, $plugin->getSupportedAttributes());
     }
     // shadowmax (days after which the password must be changed) is needed for
     // account status handling.
     array_push($attributes, 'objectclass', 'uidnumber', 'useraccountcontrol', 'shadowmax');

     if (Tinebase_Core::isLogLevel(Zend_Log::DEBUG)) {
         Tinebase_Core::getLogger()->debug(__METHOD__ . '::' . __LINE__ . ' filter ' . $filter);
     }
     if (Tinebase_Core::isLogLevel(Zend_Log::TRACE)) {
         Tinebase_Core::getLogger()->trace(__METHOD__ . '::' . __LINE__ . ' requested attributes ' . print_r($attributes, true));
     }

     $accounts = $this->_ldap->search($filter, $this->_baseDn, $this->_userSearchScope, $attributes);

     // Zero matches and several matches are both rejected, so an ambiguous
     // filter never resolves to an arbitrary account.
     if (count($accounts) !== 1) {
         throw new Tinebase_Exception_NotFound('User with ' . $_property . ' =  ' . $value . ' not found.');
     }

     $entry = $accounts->getFirst();

     // TRACE output contains the complete entry, including every attribute the
     // plugins requested; treat that log as sensitive.
     if (Tinebase_Core::isLogLevel(Zend_Log::TRACE)) {
         Tinebase_Core::getLogger()->trace(__METHOD__ . '::' . __LINE__ . ' current ldap values ' . print_r($entry, true));
     }

     return $entry;
 }
Esempio n. 5
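 /**
  * Builds the mapping between Tine groups and LDAP groups.
  *
  * Reads the LDAP groups matching the group base filter, translates each cn
  * through the optional groupNameMapping config entry, looks the resulting name
  * up in the Tine group backend and records "Tine group id => LDAP entryuuid".
  * LDAP groups without a Tine counterpart are logged and left out.
  *
  * @return array  Tine group id => LDAP entryuuid
  */
 protected function _getGroupMapping()
 {
     $this->_logger->info(__METHOD__ . '::' . __LINE__ . ' Fetching group mapping ...');
     $filter = Zend_Ldap_Filter::andFilter(Zend_Ldap_Filter::string($this->_groupBaseFilter));
     $mapping = array();
     $groupNameMapping = $this->_config->groupNameMapping ? $this->_config->groupNameMapping->toArray() : array();
     $this->_logger->debug(__METHOD__ . '::' . __LINE__ . ' Group name mapping: ' . print_r($groupNameMapping, TRUE));

     // '*' and '+' request all user and all operational attributes, although
     // only cn and entryuuid are read below.
     // NOTE(review): consider narrowing the list once it is confirmed that no
     // other attribute is needed; it keeps unrelated directory data out of memory.
     $ldapGroups = $this->_ldap->search($filter, $this->_config->ldap->baseDn, $this->_groupSearchScope, array('*', '+'));

     foreach ($ldapGroups as $group) {
         // An entry lacking either value cannot be mapped; skip it rather than
         // store a null UUID under a Tine group id.
         if (!isset($group['cn'][0], $group['entryuuid'][0])) {
             $this->_logger->debug(__METHOD__ . '::' . __LINE__ . ' Skipping LDAP group entry without cn or entryuuid');
             continue;
         }

         $ldapName = $group['cn'][0];
         $ldapUuid = $group['entryuuid'][0];
         $groupname = isset($groupNameMapping[$ldapName]) ? $groupNameMapping[$ldapName] : $ldapName;

         try {
             $tineGroup = $this->_tineGroupBackend->getGroupByName($groupname);
             $this->_logger->debug(__METHOD__ . '::' . __LINE__ . ' Group ' . $groupname . ' (' . $ldapName . '): ' . $tineGroup->getId() . ' -> ' . $ldapUuid);
             $mapping[$tineGroup->getId()] = $ldapUuid;
         } catch (Tinebase_Exception_Record_NotDefined $tenf) {
             // @todo should be: Tinebase_Exception_NotFound
             $this->_logger->debug(__METHOD__ . '::' . __LINE__ . ' Group ' . $groupname . ' (' . $ldapName . '): ' . $tenf->getMessage());
         }
     }

     $this->_logger->info(__METHOD__ . '::' . __LINE__ . ' Found ' . count($mapping) . ' groups for the mapping.');
     $this->_logger->debug(__METHOD__ . '::' . __LINE__ . ' ' . print_r($mapping, TRUE));

     return $mapping;
 }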
Esempio n. 6
 /**
  * Checks the group membership of the bound user.
  *
  * Skipped (counts as passed) when no group is configured. Otherwise the
  * connection is re-bound, an AND filter of "groupAttr = group" and
  * "memberAttr = user" (plus the optional groupFilter) is counted below
  * groupDn, and exactly one match counts as membership.
  *
  * The result is either boolean true or a non-empty message string, so callers
  * have to test it with "=== true"; a truthiness test would accept the failure
  * message as success.
  *
  * @param  Zend_Ldap $ldap            connection used for the bind and the count query
  * @param  string    $canonicalName   used as member value when memberIsDn is false
  * @param  string    $dn              used as member value otherwise
  * @param  array     $adapterOptions  reads group, memberIsDn, groupAttr, memberAttr,
  *                                    groupFilter, groupDn and groupScope
  * @return string|true  true on success, otherwise a diagnostic message
  */
 protected function _checkGroupMembership(Zend_Ldap $ldap, $canonicalName, $dn, array $adapterOptions)
 {
     // No group configured: nothing to verify.
     if ($adapterOptions['group'] === null) {
         return true;
     }

     // Only a strict boolean false selects the canonical name.
     $member = ($adapterOptions['memberIsDn'] === false) ? $canonicalName : $dn;

     // Zend_Ldap_Filter is expected to be loaded already; this variant does not
     // require the file itself.
     $filter = Zend_Ldap_Filter::andFilter(
         Zend_Ldap_Filter::equals($adapterOptions['groupAttr'], $adapterOptions['group']),
         Zend_Ldap_Filter::equals($adapterOptions['memberAttr'], $member)
     );

     // groupFilter is appended as given.
     // NOTE(review): presumably static configuration; confirm it never carries
     // request data.
     $extraFilter = $adapterOptions['groupFilter'];
     if (!empty($extraFilter)) {
         $filter = $filter->addAnd($extraFilter);
     }

     /*
      * The authenticated user may not be allowed to read group-membership
      * information, so the lookup is done after bind() without arguments. This
      * requires that the account given by "username" and "password" in the
      * Zend_Ldap options can read the required entries.
      * NOTE(review): the handle presumably stays bound as that configured
      * account afterwards; confirm nothing later on the same connection expects
      * the end user's rights, and keep that account limited to reading groups.
      */
     $ldap->bind();

     $matches = $ldap->count($filter, $adapterOptions['groupDn'], $adapterOptions['groupScope']);
     if ($matches !== 1) {
         // The message embeds the complete filter (group and member values):
         // suitable for logs, not for text shown to the person logging in.
         return 'Failed to verify group membership with ' . $filter->toString();
     }

     return true;
 }
Esempio n. 7
 /**
  * Returns the group memberships of a user as known to the sync backend.
  *
  * Groups are matched below groupsDn when they satisfy the group base filter and
  * list the user either by uid (memberuid) or by DN (member).
  *
  * @param   Tinebase_Model_User|string  $_userId
  * @return  array  list of group ids (values of the group UUID attribute)
  */
 public function getGroupMembershipsFromSyncBackend($_userId)
 {
     $metaData = $this->_getUserMetaData($_userId);

     $baseFilter = Zend_Ldap_Filter::string($this->_groupBaseFilter);
     // NOTE(review): Zend_Ldap_Filter::equals() is understood to escape its value
     // as well; if so, uids or DNs containing filter special characters are
     // encoded twice and their groups would be missed. Confirm against the
     // Zend_Ldap version in use.
     $memberFilter = Zend_Ldap_Filter::orFilter(
         Zend_Ldap_Filter::equals('memberuid', Zend_Ldap::filterEscape($metaData['uid'][0])),
         Zend_Ldap_Filter::equals('member', Zend_Ldap::filterEscape($metaData['dn']))
     );
     $filter = Zend_Ldap_Filter::andFilter($baseFilter, $memberFilter);

     if (Tinebase_Core::isLogLevel(Zend_Log::TRACE)) {
         Tinebase_Core::getLogger()->trace(__METHOD__ . '::' . __LINE__ . ' ldap search filter: ' . $filter);
     }

     $requested = array('cn', 'description', $this->_groupUUIDAttribute);
     $groups = $this->_ldap->search($filter, $this->_options['groupsDn'], $this->_groupSearchScope, $requested);

     // Keep only the first value of the UUID attribute of every matching group.
     $memberships = array();
     foreach ($groups as $entry) {
         $memberships[] = $entry[$this->_groupUUIDAttribute][0];
     }

     if (Tinebase_Core::isLogLevel(Zend_Log::TRACE)) {
         Tinebase_Core::getLogger()->trace(__METHOD__ . '::' . __LINE__ . ' group memberships: ' . print_r($memberships, TRUE));
     }

     return $memberships;
 }
Esempio n. 8
File: AD.php Progetto: dafik/dfi
 /**
  * Looks up a directory user by login name.
  *
  * The filter requires samaccountname to equal $login and objectCategory to
  * equal both 'person' and 'user'.
  *
  * @param  string $login  value matched against samaccountname
  * @return mixed          whatever getFirst() yields for the search result
  */
 public function getUserByLogin($login)
 {
     $personCategory = Zend_Ldap_Filter::equals('objectCategory', 'person');
     $userCategory = Zend_Ldap_Filter::equals('objectCategory', 'user');
     // $login is handed to the filter builder as a value, not spliced into a
     // filter string.
     $loginMatch = Zend_Ldap_Filter::equals('samaccountname', $login);
     $filter = Zend_Ldap_Filter::andFilter(
         $loginMatch,
         Zend_Ldap_Filter::andFilter($personCategory, $userCategory)
     );

     $attributes = array(
         'displayname',
         'dn',
         'givenname',
         'name',
         'samaccountname',
         'sn',
         'whencreated',
         'useraccountcontrol',
         'memberof',
         'telephoneNumber',
         'objectguid',
     );

     // Base DN and scope are passed as null, leaving both to the connection's
     // defaults.
     // NOTE(review): only the first entry is returned and more than one match is
     // not reported; confirm the default search base keeps samaccountname unique
     // before this result is used for an access decision.
     return $this->getLdap()->search($filter, null, null, $attributes)->getFirst();
 }