/** * @return void */ function fetchGroupInfo($refreshCache = true) { global $wgAuth; global $wgOpenStackManagerLDAPServiceGroupBaseDN; global $wgMemc; # Load service group entry $dn = $wgOpenStackManagerLDAPServiceGroupBaseDN; $query = '(cn=' . $this->groupName . ')'; $key = wfMemcKey('openstackmanager', 'servicegroup', $this->groupName); if ($refreshCache) { $wgMemc->delete($key); $groupInfo = null; } else { $groupInfo = $wgMemc->get($key); } if (is_array($groupInfo)) { $this->groupInfo = $groupInfo; } else { $result = LdapAuthenticationPlugin::ldap_search($wgAuth->ldapconn, $dn, $query); $this->groupInfo = LdapAuthenticationPlugin::ldap_get_entries($wgAuth->ldapconn, $result); $wgMemc->set($key, $this->groupInfo, 3600 * 24); } if ($this->groupInfo['count'] != "0") { $this->groupDN = $this->groupInfo[0]['dn']; } $this->usersDN = "ou=people" . "," . $wgOpenStackManagerLDAPServiceGroupBaseDN; }
/** * Fetch the host from LDAP and initialize the object * * @return void */ function fetchHostInfo() { global $wgAuth; global $wgOpenStackManagerLDAPInstanceBaseDN; $this->ip = $wgAuth->getLdapEscapedString($this->ip); $result = LdapAuthenticationPlugin::ldap_search($wgAuth->ldapconn, $wgOpenStackManagerLDAPInstanceBaseDN, '(dc=' . $this->ip . ')'); $this->hostInfo = LdapAuthenticationPlugin::ldap_get_entries($wgAuth->ldapconn, $result); if ($this->hostInfo["count"] == "0") { $this->hostInfo = null; } else { $this->hostDN = $this->hostInfo[0]['dn']; } }
/** * @return void */ function fetchRoleInfo() { global $wgAuth; $dn = $this->project->projectDN; if (!$dn) { return; } $query = '(cn=' . $this->rolename . ')'; $result = LdapAuthenticationPlugin::ldap_search($wgAuth->ldapconn, $dn, $query); $this->roleInfo = LdapAuthenticationPlugin::ldap_get_entries($wgAuth->ldapconn, $result); if ($this->roleInfo['count'] != "0") { $this->roleDN = $this->roleInfo[0]['dn']; } }
/** * Fetch the project group from LDAP and initialize the object * @return void */ function fetchProjectGroupInfo($refresh = true) { global $wgAuth; global $wgOpenStackManagerLDAPProjectGroupBaseDN; if ($this->loaded and !$refresh) { return; } $result = LdapAuthenticationPlugin::ldap_search($wgAuth->ldapconn, $wgOpenStackManagerLDAPProjectGroupBaseDN, '(&(cn=' . $this->getProjectGroupName() . ')(objectclass=groupofnames))'); $this->projectGroupInfo = LdapAuthenticationPlugin::ldap_get_entries($wgAuth->ldapconn, $result); if (!isset($this->projectGroupInfo[0])) { $this->loaded = false; return; } $this->projectGroupDN = $this->projectGroupInfo[0]['dn']; $this->loaded = true; }
/** * Fetch the host from LDAP and initialize the object * * @return void */ function fetchHostInfo() { global $wgAuth; global $wgOpenStackManagerLDAPInstanceBaseDN; if ($this->getDomain()) { $fqdn = $this->instancename . '.' . $this->instanceproject . '.' . $this->getDomain()->getFullyQualifiedDomainName(); } else { # No domain means no instance! $this->hostInfo = null; return; } $result = LdapAuthenticationPlugin::ldap_search($wgAuth->ldapconn, $wgOpenStackManagerLDAPInstanceBaseDN, '(dc=' . $fqdn . ')'); $this->hostInfo = LdapAuthenticationPlugin::ldap_get_entries($wgAuth->ldapconn, $result); if ($this->hostInfo["count"] == "0") { $this->hostInfo = null; } else { $this->hostDN = $this->hostInfo[0]['dn']; } }
/** * @return void */ function fetchRoleInfo() { global $wgAuth; global $wgOpenStackManagerLDAPGlobalRoles; $query = ''; if ($this->global) { if (isset($wgOpenStackManagerLDAPGlobalRoles["{$this->rolename}"])) { $dn = $wgOpenStackManagerLDAPGlobalRoles["{$this->rolename}"]; $query = '(objectclass=groupofnames)'; } else { # This condition would be a bug... $dn = ''; } } else { $dn = $this->project->projectDN; $query = '(cn=' . $this->rolename . ')'; } $result = LdapAuthenticationPlugin::ldap_search($wgAuth->ldapconn, $dn, $query); $this->roleInfo = LdapAuthenticationPlugin::ldap_get_entries($wgAuth->ldapconn, $result); if ($this->roleInfo['count'] != "0") { $this->roleDN = $this->roleInfo[0]['dn']; } }
/** * Get all sudo policies * * @static * @return array of OpenStackNovaSudoer */ static function getAllSudoers() { global $wgAuth, $wgOpenStackManagerLDAPSudoerBaseDN; OpenStackNovaLdapConnection::connect(); $sudoers = array(); $result = LdapAuthenticationPlugin::ldap_search( $wgAuth->ldapconn, $wgOpenStackManagerLDAPSudoerBaseDN, '(&(cn=*)(objectclass=sudorole))' ); if ( $result ) { $entries = LdapAuthenticationPlugin::ldap_get_entries( $wgAuth->ldapconn, $result ); if ( $entries ) { # First entry is always a count array_shift( $entries ); foreach ( $entries as $entry ) { $sudoer = new OpenStackNovaSudoer( $entry['cn'][0] ); array_push( $sudoers, $sudoer ); } } } return $sudoers; }
/** * Get all sudo policies * * @param $projectName * @return array of OpenStackNovaSudoer */ static function getAllSudoersByProject($projectName) { global $wgAuth; OpenStackNovaLdapConnection::connect(); $sudoers = array(); $project = OpenStackNovaProject::getProjectByName($projectName); $result = LdapAuthenticationPlugin::ldap_search($wgAuth->ldapconn, $project->getSudoersDN(), '(&(cn=*)(objectclass=sudorole))'); if ($result) { $entries = LdapAuthenticationPlugin::ldap_get_entries($wgAuth->ldapconn, $result); if ($entries) { # First entry is always a count array_shift($entries); foreach ($entries as $entry) { $sudoer = new OpenStackNovaSudoer($entry['cn'][0], $project); $sudoers[] = $sudoer; } } } return $sudoers; }
/** * Search groups for the supplied DN * * @param string $dn * @return array */ private function searchGroups($dn) { $this->printDebug("Entering searchGroups", NONSENSITIVE); $base = $this->getBaseDN(GROUPDN); $objectclass = $this->getConf('GroupObjectclass'); $attribute = $this->getConf('GroupAttribute'); $nameattribute = $this->getConf('GroupNameAttribute'); // We actually want to search for * not \2a, ensure we don't escape * $value = $dn; if ($value != "*") { $value = $this->getLdapEscapedString($value); } $proxyagent = $this->getConf('ProxyAgent'); if ($proxyagent) { // We'll try to bind as the proxyagent as the proxyagent should normally have more // rights than the user. If the proxyagent fails to bind, we will still be able // to search as the normal user (which is why we don't return on fail). $this->printDebug("Binding as the proxyagent", NONSENSITIVE); $this->bindAs($proxyagent, $this->getConf('ProxyAgentPassword')); } $groups = array("short" => array(), "dn" => array()); // AD does not include the primary group in the list of groups, we have to find it ourselves. // TODO: find a way to only do this search for AD domains. if ($dn != "*") { $PGfilter = "(&(distinguishedName={$value})(objectclass=user))"; $this->printDebug("User Filter: {$PGfilter}", SENSITIVE); $PGinfo = LdapAuthenticationPlugin::ldap_search($this->ldapconn, $base, $PGfilter); $PGentries = LdapAuthenticationPlugin::ldap_get_entries($this->ldapconn, $PGinfo); if ($PGentries) { $Usid = $PGentries[0]['objectsid'][0]; $PGrid = $PGentries[0]['primarygroupid'][0]; $PGsid = bin2hex($Usid); $PGSID = array(); for ($i = 0; $i < 56; $i += 2) { $PGSID[] = substr($PGsid, $i, 2); } $dPGrid = dechex($PGrid); $dPGrid = str_pad($dPGrid, 8, '0', STR_PAD_LEFT); $PGRID = array(); for ($i = 0; $i < 8; $i += 2) { array_push($PGRID, substr($dPGrid, $i, 2)); } for ($i = 24; $i < 28; $i++) { $PGSID[$i] = array_pop($PGRID); } $PGsid_string = ''; foreach ($PGSID as $PGsid_bit) { $PGsid_string .= "\\" . $PGsid_bit; } $PGfilter = "(&(objectSid={$PGsid_string})(objectclass={$objectclass}))"; $this->printDebug("Primary Group Filter: {$PGfilter}", SENSITIVE); $info = LdapAuthenticationPlugin::ldap_search($this->ldapconn, $base, $PGfilter); $PGentries = LdapAuthenticationPlugin::ldap_get_entries($this->ldapconn, $info); array_shift($PGentries); $dnMember = strtolower($PGentries[0]['dn']); $groups["dn"][] = $dnMember; // Get short name of group $memAttrs = explode(',', strtolower($dnMember)); if (isset($memAttrs[0])) { $memAttrs = explode('=', $memAttrs[0]); if (isset($memAttrs[0])) { $groups["short"][] = strtolower($memAttrs[1]); } } } } $filter = "(&({$attribute}={$value})(objectclass={$objectclass}))"; $this->printDebug("Search string: {$filter}", SENSITIVE); $info = LdapAuthenticationPlugin::ldap_search($this->ldapconn, $base, $filter); if (!$info) { $this->printDebug("No entries returned from search.", SENSITIVE); // Return an array so that other functions // don't error out. return array("short" => array(), "dn" => array()); } $entries = LdapAuthenticationPlugin::ldap_get_entries($this->ldapconn, $info); if ($entries) { // We need to shift because the first entry will be a count array_shift($entries); // Let's get a list of both full dn groups and shortname groups foreach ($entries as $entry) { $shortMember = strtolower($entry[$nameattribute][0]); $dnMember = strtolower($entry['dn']); $groups["short"][] = $shortMember; $groups["dn"][] = $dnMember; } } $this->printDebug("Returned groups:", SENSITIVE, $groups["dn"]); return $groups; }
/** * Hook to add objectclasses and attributes for users being created. * * @static * @param $auth * @param $username * @param $values * @param $writeloc * @param $userdn * @param $result * @return bool */ static function LDAPSetCreationValues( $auth, $username, &$values, $writeloc, &$userdn, &$result ) { global $wgOpenStackManagerLDAPDefaultGid; global $wgOpenStackManagerLDAPDefaultShell; global $wgOpenStackManagerLDAPUseUidAsNamingAttribute; global $wgRequest; $values['objectclass'][] = 'person'; $values['objectclass'][] = 'novauser'; $values['objectclass'][] = 'ldappublickey'; $values['objectclass'][] = 'posixaccount'; $values['objectclass'][] = 'shadowaccount'; $values['accesskey'] = OpenStackNovaUser::uuid4(); $values['secretkey'] = OpenStackNovaUser::uuid4(); $values['isnovaadmin'] = 'FALSE'; $uidnumber = OpenStackNovaUser::getNextIdNumber( $auth, 'uidnumber' ); if ( ! $uidnumber ) { $result = false; return false; } $values['cn'] = $username; if ( '' != $auth->realname ) { $values['displayname'] = $auth->realname; } $username = $wgRequest->getText( 'shellaccountname' ); if ( ! preg_match( "/^[a-z][a-z0-9\-_]*$/", $username ) ) { $result = false; return false; } $values['uid'] = $username; $base = $auth->getBaseDN( USERDN ); # Though the LDAP plugin checks to see if the user account exists, # it does not check to see if the uid attribute is already used. $result = LdapAuthenticationPlugin::ldap_search( $auth->ldapconn, $base, "(uid=$username)" ); if ( $result ) { $entries = LdapAuthenticationPlugin::ldap_get_entries( $auth->ldapconn, $result ); if ( (int)$entries['count'] > 0 ) { $auth->printDebug( "User $username already exists.", NONSENSITIVE ); # uid attribute is already in use, fail. $result = false; return false; } } $values['uidnumber'] = $uidnumber; $values['gidnumber'] = $wgOpenStackManagerLDAPDefaultGid; $values['homedirectory'] = '/home/' . $username; $values['loginshell'] = $wgOpenStackManagerLDAPDefaultShell; if ( $wgOpenStackManagerLDAPUseUidAsNamingAttribute ) { if ( $writeloc == '' ) { $auth->printDebug( "Trying to set the userdn, but write location isn't set.", NONSENSITIVE ); return false; } else { $userdn = 'uid=' . $username . ',' . $writeloc; $auth->printDebug( "Using uid as the naming attribute, dn is: $userdn", NONSENSITIVE ); } } $auth->printDebug( "User account's objectclasses: ", NONSENSITIVE, $values['objectclass'] ); $auth->printDebug( "User account's attributes: ", HIGHLYSENSITIVE, $values ); return true; }
static function AbortNewAccount($user, &$message) { global $wgRequest; global $wgAuth; global $wgUser; $shellaccountname = $wgRequest->getText('shellaccountname'); if (!preg_match("/^[a-z][a-z0-9\\-_]*\$/", $shellaccountname)) { $wgAuth->printDebug("Invalid shell name {$shellaccountname}", NONSENSITIVE); $message = wfMessage('openstackmanager-shellaccountvalidationfail')->parse(); return false; } $base = USERDN; $result = LdapAuthenticationPlugin::ldap_search($wgAuth->ldapconn, $base, "(uid={$shellaccountname})"); if ($result) { $entries = LdapAuthenticationPlugin::ldap_get_entries($wgAuth->ldapconn, $result); if ((int) $entries['count'] > 0) { $wgAuth->printDebug("User {$shellaccountname} already exists.", NONSENSITIVE); $message = wfMessage('openstackmanager-shellaccountexists')->parse(); return false; } } if (class_exists('TitleBlacklist')) { return TitleBlacklistHooks::acceptNewUserName($shellaccountname, $wgUser, $message, $override = false, $log = true); } else { return true; } }
/** * Pulls all projects from LDAP and adds them as MediaWiki namespaces. Also adds * associated talk namespaces. This function must be called from LocalSettings. * * @static * @return void */ static function addNamespaces() { global $wgAuth; global $wgOpenStackManagerLDAPProjectBaseDN; global $wgExtraNamespaces; OpenStackNovaLdapConnection::connect(); $result = LdapAuthenticationPlugin::ldap_search($wgAuth->ldapconn, $wgOpenStackManagerLDAPProjectBaseDN, 'owner=*'); $entries = LdapAuthenticationPlugin::ldap_get_entries($wgAuth->ldapconn, $result); if ($entries) { array_shift($entries); foreach ($entries as $entry) { $id = (int) $entry['gidnumber'][0]; $talkid = $id + 1; $name = ucwords($entry['cn'][0]); $wgAuth->printDebug("Adding namespace {$name}", NONSENSITIVE); $wgExtraNamespaces[$id] = $name; $wgExtraNamespaces[$talkid] = $name . '_talk'; } } else { $wgAuth->printDebug("Failed to find projects", NONSENSITIVE); } }
public function execute() { global $wgOpenStackManagerLDAPUsername; global $wgAuth; $user = new OpenStackNovaUser($wgOpenStackManagerLDAPUsername); $projects = OpenStackNovaProject::getAllProjects(); $failedSync = false; $attempt_count = 0; $synced_count = 0; $failed_count = 0; /** * @var $project OpenStackNovaProject */ foreach ($projects as $project) { // actually load the project info from ldap // (getAllProjects() doesn't do this) $project->fetchProjectInfo(); $projectName = $project->getProjectName(); $oldServiceGroupOUDN = 'ou=groups,' . $project->getProjectDN(); $oldServiceUserOUDN = 'ou=people,' . $project->getProjectDN(); $result = LdapAuthenticationPlugin::ldap_search($wgAuth->ldapconn, $oldServiceGroupOUDN, '(objectclass=groupofnames)'); if ($result) { $this->serviceGroups = array(); $groupList = LdapAuthenticationPlugin::ldap_get_entries($wgAuth->ldapconn, $result); if (isset($groupList)) { array_shift($groupList); foreach ($groupList as $groupEntry) { $deleteme = "cn=" . $groupEntry['cn'][0] . "," . $oldServiceGroupOUDN; print "needs deleting: " . $deleteme . "..."; $attempt_count++; $success = LdapAuthenticationPlugin::ldap_delete($wgAuth->ldapconn, $deleteme); if ($success) { $synced_count++; print "done.\n"; } else { $failed_count++; print "FAILED\n"; } } } } $result = LdapAuthenticationPlugin::ldap_search($wgAuth->ldapconn, $oldServiceUserOUDN, '(objectclass=person)'); if ($result) { $this->serviceGroups = array(); $groupList = LdapAuthenticationPlugin::ldap_get_entries($wgAuth->ldapconn, $result); if (isset($groupList)) { array_shift($groupList); foreach ($groupList as $groupEntry) { $deleteme = "uid=" . $groupEntry['cn'][0] . "," . $oldServiceUserOUDN; print "user needs deleting: " . $deleteme . "..."; $attempt_count++; $success = LdapAuthenticationPlugin::ldap_delete($wgAuth->ldapconn, $deleteme); if ($success) { $synced_count++; print "done.\n"; } else { $failed_count++; print "FAILED\n"; } } } } $deleteme = $oldServiceGroupOUDN; print "ou needs deleting: " . $deleteme . "..."; $attempt_count++; $success = LdapAuthenticationPlugin::ldap_delete($wgAuth->ldapconn, $deleteme); if ($success) { $synced_count++; print "done.\n"; } else { $failed_count++; print "FAILED\n"; } $deleteme = $oldServiceUserOUDN; print "ou needs deleting: " . $deleteme . "..."; $attempt_count++; $success = LdapAuthenticationPlugin::ldap_delete($wgAuth->ldapconn, $deleteme); if ($success) { $synced_count++; print "done.\n"; } else { $failed_count++; print "FAILED\n"; } } $this->output("{$attempt_count} items needed cleanup. {$synced_count} removed, {$failed_count} failed.\n"); $this->output("Done.\n"); return $failed_count == 0; }
/** * Get a domain by an instance's ID. Return null if the instance ID entry * does not exist. * * @static * @param $instanceid * @return null|OpenStackNovaDomain */ static function getDomainByInstanceId( $instanceid ) { global $wgAuth; global $wgOpenStackManagerLDAPInstanceBaseDN; OpenStackNovaLdapConnection::connect(); $result = LdapAuthenticationPlugin::ldap_search( $wgAuth->ldapconn, $wgOpenStackManagerLDAPInstanceBaseDN, '(associateddomain=' . $instanceid . '.*)' ); $hostInfo = LdapAuthenticationPlugin::ldap_get_entries( $wgAuth->ldapconn, $result ); if ( $hostInfo['count'] == "0" ) { return null; } $fqdn = $hostInfo[0]['associateddomain'][0]; $domainname = explode( '.', $fqdn ); $domainname = $domainname[1]; $domain = new OpenStackNovaDomain( $domainname ); if ( $domain->domainInfo ) { return $domain; } else { return null; } }
/** * Get all host entries in the specified domain. Returns an empty array * if no entries are found. * * @static * @param $domain OpenStackNovaDomain * @return array */ static function getAllHosts( $domain ) { global $wgAuth; OpenStackNovaLdapConnection::connect(); $hosts = array(); $result = LdapAuthenticationPlugin::ldap_search( $wgAuth->ldapconn, $domain->domainDN, '(dc=*)' ); if ( $result ) { $entries = LdapAuthenticationPlugin::ldap_get_entries( $wgAuth->ldapconn, $result ); if ( $entries ) { # First entry is always a count array_shift( $entries ); foreach ( $entries as $entry ) { $hosts[] = new OpenStackNovaHost( $entry['dc'][0], $domain ); } } } return $hosts; }
function fetchServiceGroups() { global $wgAuth; global $wgOpenStackManagerLDAPServiceGroupBaseDN; $result = LdapAuthenticationPlugin::ldap_search($wgAuth->ldapconn, $wgOpenStackManagerLDAPServiceGroupBaseDN, '(objectclass=groupofnames)'); if ($result) { $this->serviceGroups = array(); $groupList = LdapAuthenticationPlugin::ldap_get_entries($wgAuth->ldapconn, $result); if (isset($groupList)) { array_shift($groupList); foreach ($groupList as $groupEntry) { # Now we have every group. Check if this one belongs to us. $matchstring = $this->projectname . "."; if (strpos($groupEntry['cn'][0], $matchstring) === 0) { $this->serviceGroups[] = new OpenStackNovaServiceGroup($groupEntry['cn'][0], $this); } } } } else { $this->serviceGroups = array(); } $serviceUserBaseDN = "ou=people" . "," . $wgOpenStackManagerLDAPServiceGroupBaseDN; $result = LdapAuthenticationPlugin::ldap_search($wgAuth->ldapconn, $serviceUserBaseDN, '(objectclass=person)'); if ($result) { $this->serviceUsers = array(); $userList = LdapAuthenticationPlugin::ldap_get_entries($wgAuth->ldapconn, $result); if (isset($userList)) { array_shift($userList); foreach ($userList as $userEntry) { # Now we have every user. Check if this one belongs to us. $matchstring = $this->projectname . "."; if (strpos($userEntry['cn'][0], $matchstring) === 0) { $wgAuth->printDebug("adding " . $userEntry['cn'][0], NONSENSITIVE); $this->serviceUsers[] = $userEntry['cn'][0]; } } } } else { $this->serviceUsers = array(); } }