コード例 #1
ファイル: ldap.inc.php プロジェクト: nicdev007/sitracker
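/**
 * Checks if a group exists in LDAP
 * @author Paul Heaney
 * @param string $dn the DN of the group to check it exists
 * @param string $mapping the LDAP name mapping to use
 * @return bool TRUE when exactly one entry matches, FALSE otherwise
 *              (including when the connection, the mapping constant or the
 *              search itself is unavailable)
 */
function ldapCheckGroupExists($dn, $mapping)
{
    $ldap_conn = ldapOpen();
    // NOTE(review): other callers of ldapOpen() compare its result against -1,
    // so both a falsy value and -1 are treated as "no connection" here.
    // Confirm against ldapOpen()'s actual contract.
    if (!$ldap_conn || $ldap_conn === -1) {
        return false;
    }

    // The object class comes from a project constant selected by $mapping, so
    // no caller-supplied text is placed inside the search filter itself.
    // constant() on an undefined name warns (and throws on PHP 8), so an
    // unknown mapping is reported as "group not found" instead.
    $constant_name = 'LDAP_' . strtoupper($mapping) . '_GRPOBJECTTYPE';
    if (!defined($constant_name)) {
        debug_log("LDAP group object type constant is not defined for the requested mapping", TRUE);
        return false;
    }
    $o = constant($constant_name);

    $filter = "(ObjectClass={$o})";
    debug_log("Filter: {$filter}", TRUE);
    debug_log("Object: {$dn}", TRUE);

    // NOTE(review): ldap_search() uses subtree scope, so matching entries
    // below $dn are counted as well; ldap_read() would restrict the check to
    // the DN itself. Confirm which is intended.
    $sr = ldap_search($ldap_conn, $dn, $filter);
    if ($sr === false) {
        // Search failed (for example the base DN does not exist); passing
        // false on to ldap_count_entries() would raise a further error.
        return false;
    }

    // Zero or multiple matches both count as "does not exist".
    return ldap_count_entries($ldap_conn, $sr) === 1;
}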
コード例 #2
ファイル: ajaxdata.php プロジェクト: sitracker/sitracker_old
        break;
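    case 'storedashboard':
        // Stores the dashboard layout string for the logged-in user.
        // Both request values are attacker-controllable: the id is forced to
        // an integer and the layout string is escaped before it reaches SQL.
        $id = isset($_REQUEST['id']) ? intval($_REQUEST['id']) : 0;
        $val = (isset($_REQUEST['val']) && is_string($_REQUEST['val'])) ? $_REQUEST['val'] : '';
        // Strict integer comparison: a user may only change their own row,
        // and a missing id or missing session can never match.
        if ($id > 0 && isset($_SESSION['userid']) && $id === intval($_SESSION['userid'])) {
            // NOTE(review): assumes magic_quotes_gpc is off; if it is on the
            // value would be escaped twice. Confirm for this deployment.
            $val = mysql_real_escape_string($val);
            $sql = "UPDATE `{$dbUsers}` SET dashboard = '{$val}' WHERE id = '{$id}'";
            $contactresult = mysql_query($sql);
            if (mysql_error()) {
                trigger_error("MySQL Query Error " . mysql_error(), E_USER_ERROR);
            }
        }
        // NOTE(review): this state change is accepted via $_REQUEST (GET
        // included) and no anti-CSRF token check is visible in this excerpt.
        break;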
    case 'checkldap':
        // Tries an LDAP connection with the settings supplied in the request
        // and prints "1", or "0" when ldapOpen() reports -1.
        // NOTE(review): this makes the server connect to a caller-chosen
        // host/port with caller-supplied bind credentials. No authorisation
        // check is visible in this excerpt; confirm the switch is only
        // reachable by an authenticated administrator.
        $ldap_host = cleanvar($_REQUEST['ldap_host']);
        $ldap_port = cleanvar($_REQUEST['ldap_port']);
        $ldap_protocol = cleanvar($_REQUEST['ldap_protocol']);
        $ldap_security = cleanvar($_REQUEST['ldap_security']);
        $ldap_user = cleanvar($_REQUEST['ldap_bind_user']);
        $ldap_password = cleanvar($_REQUEST['ldap_bind_pass']);
        $r = ldapOpen(
            $ldap_host,
            $ldap_port,
            $ldap_protocol,
            $ldap_security,
            $ldap_user,
            $ldap_password
        );
        // Loose comparison kept as in the original: only -1 is a failure.
        echo ($r == -1) ? "0" : "1";
        break;
    default:
        break;
}
コード例 #3
ファイル: auto.php プロジェクト: sitracker/sitracker_old
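/**
 * Perform the periodic sync of existing user and contact details from LDAP
 * @author Paul Heaney
 * @note This function does not create users or contacts it simply updates existing
 * @note details.
 * @note LDAP-sourced accounts in the SiT database that are not matched to a
 * @note member of the configured groups are disabled, but only when every
 * @note configured group could actually be read from the directory.
 * @return bool TRUE when LDAP is not in use; otherwise TRUE only when at
 *              least one user record was stored and no store call failed
 */
function saction_ldapSync()
{
    global $CONFIG;

    if (!$CONFIG['use_ldap']) {
        return TRUE;
    }

    $ldap_conn = ldapOpen();
    // NOTE(review): other callers of ldapOpen() compare its result against -1,
    // which is truthy, so it is rejected explicitly here. Confirm against
    // ldapOpen()'s actual contract.
    if (!$ldap_conn || $ldap_conn === -1) {
        return FALSE;
    }

    $success = FALSE;   // set once a user record has been stored
    $failed = FALSE;    // set once any store call fails; never cleared

    // NOTE TODO FIXME would be more optimal to pass the user type into the create as in the case where the group membership isn't stored its looked up again
    // Only want GROUPS
    $filter = "(objectClass={$CONFIG['ldap_grpobjecttype']})";
    $attributesToGet = array($CONFIG['ldap_grpattributegrp']);

    /** USERS */
    // Collect the unique members of every configured user group.
    $users = array();
    $user_groups_complete = TRUE;
    $userGrps = array($CONFIG['ldap_admin_group'], $CONFIG['ldap_manager_group'], $CONFIG['ldap_user_group']);
    foreach ($userGrps as $grp) {
        if (empty($grp)) {
            continue;
        }
        $members = ldapsync_group_members($ldap_conn, $grp, $filter, $attributesToGet);
        if ($members === FALSE) {
            trigger_error("Group {$grp} not found in LDAP");
            $user_groups_complete = FALSE;
            continue;
        }
        $users += $members;
    }

    // Populate an array with the LDAP users already in the SiT database
    $sit_db_users = array();
    $sql = "SELECT id, username, status FROM `{$GLOBALS['dbUsers']}` WHERE user_source = 'ldap'";
    $result = mysql_query($sql);
    if (mysql_error()) {
        trigger_error("MySQL Query Error" . mysql_error(), E_USER_WARNING);
    }
    if ($result && mysql_num_rows($result) > 0) {
        while ($obj = mysql_fetch_object($result)) {
            $user_obj = new User();
            $user_obj->id = $obj->id;
            $user_obj->username = $obj->username;
            $user_obj->status = $obj->status;
            $sit_db_users[$obj->username] = $user_obj;
        }
    }

    foreach ($users as $u) {
        $e = ldap_getDetails($u, FALSE, $ldap_conn);
        if (!$e) {
            debug_log("Failed to get details for {$u}");
            continue;
        }

        $user_attributes = ldap_get_attributes($ldap_conn, $e);
        // NOTE(review): these dumps write full directory attributes and the
        // whole SiT user list to the debug log on every iteration.
        debug_log("user attributes: " . print_r($user_attributes, true), TRUE);
        debug_log("db users: " . print_r($sit_db_users, true), TRUE);

        // The SiT record for this LDAP member, if one exists. Members with no
        // SiT record must not be dereferenced: calling ->disable() on a
        // missing entry is a fatal error.
        $username = ldapsync_first_value($user_attributes, $CONFIG['ldap_userattribute']);
        $known = NULL;
        if ($username !== NULL && isset($sit_db_users[$username])) {
            $known = $sit_db_users[$username];
        }

        // If the directory supports disabling of users
        if (!empty($CONFIG['ldap_logindisabledattribute']) && $known !== NULL) {
            $flag = ldapsync_first_value($user_attributes, $CONFIG['ldap_logindisabledattribute']);
            // Strict string comparison so numeric-looking values such as
            // "1e3" and "1000" are not treated as equal.
            $disabled_in_ldap = ($flag !== NULL
                && strtolower($flag) === strtolower($CONFIG['ldap_logindisabledvalue']));

            if ($known->status === USERSTATUS_ACCOUNT_DISABLED) {
                // User is disabled in the SIT db, check to see if we need to re-enable.
                // An absent attribute is not taken as proof the user is enabled.
                if ($flag !== NULL && !$disabled_in_ldap) {
                    debug_log("Re-enabling user '{$u}' in the SiT users database", TRUE);
                    $known->status = $CONFIG['ldap_default_user_status'];
                    $known->edit();
                }
            } elseif ($disabled_in_ldap) {
                // User is disabled in LDAP so we want to disable
                $known->disable();
            }
        }

        $userid = 0;
        if ($known !== NULL) {
            $userid = $known->id;
            // Matched records are removed so that what remains afterwards is
            // the set of SiT users no longer present in LDAP.
            unset($sit_db_users[$username]);
        }

        // NOTE(review): id 0 is passed for LDAP members with no SiT record;
        // what ldap_storeDetails() does in that case is not visible here.
        if (!ldap_storeDetails('', $userid, TRUE, TRUE, $ldap_conn, $user_attributes)) {
            trigger_error("Failed to store details for userid {$userid}", E_USER_WARNING);
            $failed = TRUE;
        } else {
            $success = TRUE;
        }
    }

    // Disable users we no longer know about
    // TODO reassign incidents?
    if ($user_groups_complete) {
        foreach ($sit_db_users as $u) {
            debug_log("Disabling {$u->username}");
            $u->disable();
        }
    } else {
        // A failed group lookup leaves the member list incomplete; disabling
        // on that basis would lock out every user of the unreadable group.
        trigger_error("LDAP group lookup incomplete, not disabling unmatched users", E_USER_WARNING);
    }

    /** CONTACTS */
    if (!empty($CONFIG["ldap_customer_group"])) {
        debug_log("CONTACTS");
        $contact_group_complete = TRUE;
        $contacts = ldapsync_group_members($ldap_conn, $CONFIG["ldap_customer_group"], $filter, $attributesToGet);
        if ($contacts === FALSE) {
            trigger_error("No contact group found in LDAP");
            $contact_group_complete = FALSE;
            $contacts = array();
        }

        $sit_db_contacts = array();
        $sql = "SELECT id, username, active FROM `{$GLOBALS['dbContacts']}` WHERE contact_source = 'ldap'";
        $result = mysql_query($sql);
        if (mysql_error()) {
            trigger_error("MySQL Query Error" . mysql_error(), E_USER_WARNING);
        }
        if ($result && mysql_num_rows($result) > 0) {
            while ($obj = mysql_fetch_object($result)) {
                $c = new Contact();
                $c->id = $obj->id;
                $c->username = $obj->username;
                $c->status = $obj->active;
                $sit_db_contacts[$c->username] = $c;
            }
        }

        foreach ($contacts as $c) {
            $e = ldap_getDetails($c, FALSE, $ldap_conn);
            if (!$e) {
                continue;
            }

            $contact_attributes = ldap_get_attributes($ldap_conn, $e);
            $username = ldapsync_first_value($contact_attributes, $CONFIG['ldap_userattribute']);
            $known = NULL;
            if ($username !== NULL && isset($sit_db_contacts[$username])) {
                $known = $sit_db_contacts[$username];
            }

            // Directory supports disabling (same test as for users above)
            if (!empty($CONFIG['ldap_logindisabledattribute']) && $known !== NULL) {
                $flag = ldapsync_first_value($contact_attributes, $CONFIG['ldap_logindisabledattribute']);
                $disabled_in_ldap = ($flag !== NULL
                    && strtolower($flag) === strtolower($CONFIG['ldap_logindisabledvalue']));

                // NOTE(review): the state is read from ->status but written
                // to ->active below, as in the original; confirm which
                // property Contact::edit() persists.
                if ($known->status == 'false') {
                    // Contact disabled in SiT, check if it needs re-enabling
                    if ($flag !== NULL && !$disabled_in_ldap) {
                        $known->active = 'true';
                        $known->edit();
                    }
                } elseif ($disabled_in_ldap) {
                    // Contact enabled in SiT but disabled in LDAP
                    $known->disable();
                }
            }

            $contactid = 0;
            if ($known !== NULL) {
                $contactid = $known->id;
                unset($sit_db_contacts[$username]);
            }

            if (!ldap_storeDetails('', $contactid, FALSE, TRUE, $ldap_conn, $contact_attributes)) {
                trigger_error("Failed to store details for userid {$contactid}", E_USER_WARNING);
                $failed = TRUE;
            }
        }

        // Disable contacts we no longer know about
        // TODO reassign incidents?
        if ($contact_group_complete) {
            foreach ($sit_db_contacts as $c) {
                debug_log("Disabling {$c->username}", TRUE);
                $c->disable();
            }
        } else {
            trigger_error("LDAP contact group lookup incomplete, not disabling unmatched contacts", E_USER_WARNING);
        }
    }

    // A later successful store must not hide an earlier failure.
    return $success && !$failed;
}

/**
 * Reads the members of one LDAP group entry for saction_ldapSync().
 * @param mixed $ldap_conn LDAP connection as returned by ldapOpen()
 * @param string $group_dn DN used as the search base
 * @param string $filter LDAP filter selecting group objects
 * @param array $attributesToGet attributes requested from the directory
 * @return array|bool members keyed by themselves, or FALSE when the search
 *                    fails or does not return exactly one entry
 */
function ldapsync_group_members($ldap_conn, $group_dn, $filter, $attributesToGet)
{
    global $CONFIG;

    $sr = ldap_search($ldap_conn, $group_dn, $filter, $attributesToGet);
    if ($sr === FALSE || ldap_count_entries($ldap_conn, $sr) != 1) {
        return FALSE;
    }

    $entry = ldap_first_entry($ldap_conn, $sr);
    $attributes = ldap_get_attributes($ldap_conn, $entry);
    $attr = $CONFIG['ldap_grpattributegrp'];

    $members = array();
    if (!isset($attributes[$attr]['count'])) {
        // Group entry carries no member attribute: an empty but valid group.
        return $members;
    }

    for ($i = 0; $i < $attributes[$attr]['count']; $i++) {
        $member = $attributes[$attr][$i];
        // When groups store full DNs, only members under the configured user
        // base are accepted; otherwise every member is taken.
        if (!$CONFIG['ldap_grpfulldn']
            || endsWith(strtolower($member), strtolower($CONFIG['ldap_user_base']))) {
            $members[$member] = $member;
        }
    }

    return $members;
}

/**
 * Returns the first value of an attribute from an ldap_get_attributes() array.
 * @param mixed $attributes result of ldap_get_attributes()
 * @param string $name attribute name to look up
 * @return mixed the first value, or NULL when the attribute is absent
 */
function ldapsync_first_value($attributes, $name)
{
    if (is_array($attributes) && isset($attributes[$name][0])) {
        return $attributes[$name][0];
    }

    return NULL;
}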