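/**
  * Load this service group's LDAP entry into $this->groupInfo and set
  * $this->groupDN / $this->usersDN.
  *
  * The entry is cached in memcached for 24 hours under a key derived from the
  * group name; with $refreshCache the cached copy is dropped and LDAP queried.
  *
  * @param bool $refreshCache Discard the cached entry and re-query LDAP
  * @return void
  */
 function fetchGroupInfo($refreshCache = true)
 {
     global $wgAuth;
     global $wgOpenStackManagerLDAPServiceGroupBaseDN;
     global $wgMemc;

     $key = wfMemcKey('openstackmanager', 'servicegroup', $this->groupName);
     $groupInfo = null;
     if ($refreshCache) {
         $wgMemc->delete($key);
     } else {
         $groupInfo = $wgMemc->get($key);
     }

     if (is_array($groupInfo)) {
         $this->groupInfo = $groupInfo;
     } else {
         # Load service group entry
         # NOTE(review): groupName is interpolated into the filter unescaped,
         # whereas fetchHostInfo() runs its value through getLdapEscapedString().
         # Confirm groupName is validated upstream; otherwise escape it here too.
         $query = '(cn=' . $this->groupName . ')';
         $result = LdapAuthenticationPlugin::ldap_search($wgAuth->ldapconn, $wgOpenStackManagerLDAPServiceGroupBaseDN, $query);
         $this->groupInfo = LdapAuthenticationPlugin::ldap_get_entries($wgAuth->ldapconn, $result);
         $wgMemc->set($key, $this->groupInfo, 3600 * 24);
     }

     # A failed search leaves a non-array in groupInfo; only dereference the
     # first entry when the search actually returned one.
     if (is_array($this->groupInfo) && !empty($this->groupInfo['count'])) {
         $this->groupDN = $this->groupInfo[0]['dn'];
     }
     $this->usersDN = "ou=people" . "," . $wgOpenStackManagerLDAPServiceGroupBaseDN;
 }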
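 /**
  * Fetch the host from LDAP and initialize the object
  *
  * Looks up the instance entry whose dc equals $this->ip under the instance
  * base DN. On a match $this->hostInfo holds the search entries and
  * $this->hostDN the entry's DN; otherwise hostInfo is set to null.
  *
  * @return void
  */
 function fetchHostInfo()
 {
     global $wgAuth;
     global $wgOpenStackManagerLDAPInstanceBaseDN;

     # Escape into a local. The original overwrote $this->ip with the escaped
     # value, so a second fetch would escape the already-escaped string.
     $escapedIp = $wgAuth->getLdapEscapedString($this->ip);
     $result = LdapAuthenticationPlugin::ldap_search($wgAuth->ldapconn, $wgOpenStackManagerLDAPInstanceBaseDN, '(dc=' . $escapedIp . ')');
     $this->hostInfo = LdapAuthenticationPlugin::ldap_get_entries($wgAuth->ldapconn, $result);

     # A failed search (non-array) is treated the same as an empty one.
     if (!is_array($this->hostInfo) || empty($this->hostInfo["count"])) {
         $this->hostInfo = null;
     } else {
         $this->hostDN = $this->hostInfo[0]['dn'];
     }
 }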
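 /**
  * Fetch this role's LDAP entry from within its project and initialize the object.
  *
  * Does nothing when the project has no DN. Otherwise $this->roleInfo holds the
  * search entries and, if one matched, $this->roleDN its DN.
  *
  * @return void
  */
 function fetchRoleInfo()
 {
     global $wgAuth;

     $dn = $this->project->projectDN;
     if (!$dn) {
         return;
     }
     # NOTE(review): rolename goes into the filter unescaped. That is fine if
     # role names are fixed configuration values; otherwise pass it through
     # $wgAuth->getLdapEscapedString() as fetchHostInfo() does.
     $query = '(cn=' . $this->rolename . ')';
     $result = LdapAuthenticationPlugin::ldap_search($wgAuth->ldapconn, $dn, $query);
     $this->roleInfo = LdapAuthenticationPlugin::ldap_get_entries($wgAuth->ldapconn, $result);
     # Only dereference the first entry when the search actually returned one.
     if (is_array($this->roleInfo) && !empty($this->roleInfo['count'])) {
         $this->roleDN = $this->roleInfo[0]['dn'];
     }
 }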
 /**
  * Fetch the project group from LDAP and initialize the object
  *
  * Searches the project-group base DN for the groupofnames entry whose cn is
  * getProjectGroupName(). Sets $this->projectGroupInfo, $this->projectGroupDN
  * and $this->loaded. An already-loaded object is left untouched unless
  * $refresh is true.
  *
  * @param bool $refresh Re-query LDAP even when already loaded
  * @return void
  */
 function fetchProjectGroupInfo($refresh = true)
 {
     global $wgAuth;
     global $wgOpenStackManagerLDAPProjectGroupBaseDN;

     $alreadyLoaded = $this->loaded && !$refresh;
     if ($alreadyLoaded) {
         return;
     }

     $filter = '(&(cn=' . $this->getProjectGroupName() . ')(objectclass=groupofnames))';
     $searchResult = LdapAuthenticationPlugin::ldap_search(
         $wgAuth->ldapconn,
         $wgOpenStackManagerLDAPProjectGroupBaseDN,
         $filter
     );
     $this->projectGroupInfo = LdapAuthenticationPlugin::ldap_get_entries($wgAuth->ldapconn, $searchResult);

     # No first entry means the group does not exist (or the search failed).
     $found = isset($this->projectGroupInfo[0]);
     $this->loaded = $found;
     if ($found) {
         $this->projectGroupDN = $this->projectGroupInfo[0]['dn'];
     }
 }
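 /**
  * Fetch the host from LDAP and initialize the object
  *
  * Builds the instance FQDN as "<instancename>.<instanceproject>.<domain>"
  * and looks up the matching dc entry under the instance base DN. Sets
  * $this->hostInfo (null when there is no domain or nothing matched) and
  * $this->hostDN on success.
  *
  * @return void
  */
 function fetchHostInfo()
 {
     global $wgAuth;
     global $wgOpenStackManagerLDAPInstanceBaseDN;

     $domain = $this->getDomain();
     if (!$domain) {
         # No domain means no instance!
         $this->hostInfo = null;
         return;
     }
     $fqdn = $this->instancename . '.' . $this->instanceproject . '.' . $domain->getFullyQualifiedDomainName();
     # NOTE(review): the FQDN is built from instancename/instanceproject and used
     # unescaped in the filter; the sibling fetchHostInfo() escapes its value with
     # getLdapEscapedString(). Confirm these names are validated upstream.
     $result = LdapAuthenticationPlugin::ldap_search($wgAuth->ldapconn, $wgOpenStackManagerLDAPInstanceBaseDN, '(dc=' . $fqdn . ')');
     $this->hostInfo = LdapAuthenticationPlugin::ldap_get_entries($wgAuth->ldapconn, $result);

     # A failed search (non-array) is treated the same as an empty one.
     if (!is_array($this->hostInfo) || empty($this->hostInfo["count"])) {
         $this->hostInfo = null;
     } else {
         $this->hostDN = $this->hostInfo[0]['dn'];
     }
 }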
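 /**
  * Fetch this role's LDAP entry and initialize the object.
  *
  * Global roles are read from the DN configured for them in
  * $wgOpenStackManagerLDAPGlobalRoles; project roles are searched by cn under
  * the project's DN. Sets $this->roleInfo and, when an entry matched,
  * $this->roleDN.
  *
  * @return void
  */
 function fetchRoleInfo()
 {
     global $wgAuth;
     global $wgOpenStackManagerLDAPGlobalRoles;

     if ($this->global) {
         if (!isset($wgOpenStackManagerLDAPGlobalRoles[$this->rolename])) {
             # This condition would be a bug: a global role with no configured DN.
             # A search with an empty base DN cannot succeed, so bail out (as the
             # project-role variant does) instead of dereferencing a failed result.
             return;
         }
         $dn = $wgOpenStackManagerLDAPGlobalRoles[$this->rolename];
         $query = '(objectclass=groupofnames)';
     } else {
         $dn = $this->project->projectDN;
         $query = '(cn=' . $this->rolename . ')';
     }

     $result = LdapAuthenticationPlugin::ldap_search($wgAuth->ldapconn, $dn, $query);
     $this->roleInfo = LdapAuthenticationPlugin::ldap_get_entries($wgAuth->ldapconn, $result);
     # Only dereference the first entry when the search actually returned one.
     if (is_array($this->roleInfo) && !empty($this->roleInfo['count'])) {
         $this->roleDN = $this->roleInfo[0]['dn'];
     }
 }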
	/**
	 * Get all sudo policies
	 *
	 * Searches the sudoer base DN for every sudorole entry and wraps each
	 * entry's cn in an OpenStackNovaSudoer. Returns an empty array when the
	 * search yields nothing.
	 *
	 * @static
	 * @return array of OpenStackNovaSudoer
	 */
	static function getAllSudoers() {
		global $wgAuth, $wgOpenStackManagerLDAPSudoerBaseDN;

		OpenStackNovaLdapConnection::connect();

		$searchResult = LdapAuthenticationPlugin::ldap_search(
			$wgAuth->ldapconn,
			$wgOpenStackManagerLDAPSudoerBaseDN,
			'(&(cn=*)(objectclass=sudorole))'
		);
		if ( !$searchResult ) {
			return array();
		}

		$entries = LdapAuthenticationPlugin::ldap_get_entries( $wgAuth->ldapconn, $searchResult );
		if ( !$entries ) {
			return array();
		}

		# First entry is always a count
		array_shift( $entries );
		$sudoers = array();
		foreach ( $entries as $entry ) {
			$sudoers[] = new OpenStackNovaSudoer( $entry['cn'][0] );
		}

		return $sudoers;
	}
 /**
  * Get all sudo policies
  *
  * Lists the sudorole entries under the sudoers DN of the named project and
  * wraps each entry's cn in an OpenStackNovaSudoer bound to that project.
  *
  * @param $projectName
  * @return array of OpenStackNovaSudoer
  */
 static function getAllSudoersByProject($projectName)
 {
     global $wgAuth;

     OpenStackNovaLdapConnection::connect();
     # NOTE(review): getProjectByName() is assumed to return a project object;
     # a null return would fail on getSudoersDN() — confirm against the callee.
     $project = OpenStackNovaProject::getProjectByName($projectName);
     $searchResult = LdapAuthenticationPlugin::ldap_search(
         $wgAuth->ldapconn,
         $project->getSudoersDN(),
         '(&(cn=*)(objectclass=sudorole))'
     );
     if (!$searchResult) {
         return array();
     }
     $entries = LdapAuthenticationPlugin::ldap_get_entries($wgAuth->ldapconn, $searchResult);
     if (!$entries) {
         return array();
     }
     # First entry is always a count
     array_shift($entries);
     $toSudoer = function ($entry) use ($project) {
         return new OpenStackNovaSudoer($entry['cn'][0], $project);
     };
     return array_values(array_map($toSudoer, $entries));
 }
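 /**
  * Search groups for the supplied DN
  *
  * Returns the groups whose GroupAttribute contains $dn as two parallel lists:
  * "short" holds the lower-cased GroupNameAttribute values and "dn" the
  * lower-cased group DNs. Passing "*" lists every group. Because Active
  * Directory does not list a user's primary group among its memberships, that
  * group is resolved separately from the user's objectSid and primaryGroupID.
  *
  * @param string $dn User DN, or "*"
  * @return array array( "short" => string[], "dn" => string[] )
  */
 private function searchGroups($dn)
 {
     $this->printDebug("Entering searchGroups", NONSENSITIVE);
     $base = $this->getBaseDN(GROUPDN);
     $objectclass = $this->getConf('GroupObjectclass');
     $attribute = $this->getConf('GroupAttribute');
     $nameattribute = $this->getConf('GroupNameAttribute');
     // We actually want to search for * not \2a, ensure we don't escape *
     $value = $dn;
     if ($value != "*") {
         $value = $this->getLdapEscapedString($value);
     }
     $proxyagent = $this->getConf('ProxyAgent');
     if ($proxyagent) {
         // We'll try to bind as the proxyagent as the proxyagent should normally have more
         // rights than the user. If the proxyagent fails to bind, we will still be able
         // to search as the normal user (which is why we don't return on fail).
         $this->printDebug("Binding as the proxyagent", NONSENSITIVE);
         $this->bindAs($proxyagent, $this->getConf('ProxyAgentPassword'));
     }
     $groups = array("short" => array(), "dn" => array());
     // AD does not include the primary group in the list of groups, we have to find it ourselves.
     // TODO: find a way to only do this search for AD domains.
     if ($dn != "*") {
         $PGfilter = "(&(distinguishedName={$value})(objectclass=user))";
         $this->printDebug("User Filter: {$PGfilter}", SENSITIVE);
         $PGinfo = LdapAuthenticationPlugin::ldap_search($this->ldapconn, $base, $PGfilter);
         $PGentries = LdapAuthenticationPlugin::ldap_get_entries($this->ldapconn, $PGinfo);
         // An empty result is array('count' => 0), which is truthy, and non-AD user
         // entries carry no objectSid/primaryGroupID: only attempt the primary-group
         // lookup when both attributes are actually present. Previously a miss here
         // produced a garbage SID filter and could append an empty-string group.
         if (is_array($PGentries) && !empty($PGentries['count'])
             && isset($PGentries[0]['objectsid'][0], $PGentries[0]['primarygroupid'][0])
         ) {
             $Usid = $PGentries[0]['objectsid'][0];
             $PGrid = $PGentries[0]['primarygroupid'][0];
             // Hex-encode the user's binary SID as one 2-char cell per byte. This
             // assumes a 28-byte SID (56 hex chars); shorter SIDs yield empty cells.
             $PGsid = bin2hex($Usid);
             $PGSID = array();
             for ($i = 0; $i < 56; $i += 2) {
                 $PGSID[] = substr($PGsid, $i, 2);
             }
             // primaryGroupID as 4 big-endian hex bytes ...
             $dPGrid = dechex($PGrid);
             $dPGrid = str_pad($dPGrid, 8, '0', STR_PAD_LEFT);
             $PGRID = array();
             for ($i = 0; $i < 8; $i += 2) {
                 array_push($PGRID, substr($dPGrid, $i, 2));
             }
             // ... written lowest byte first over bytes 24-27 of the SID (array_pop
             // reverses the order), giving the primary group's SID.
             for ($i = 24; $i < 28; $i++) {
                 $PGSID[$i] = array_pop($PGRID);
             }
             // Render as an LDAP-escaped binary value: \xx per byte.
             $PGsid_string = '';
             foreach ($PGSID as $PGsid_bit) {
                 $PGsid_string .= "\\" . $PGsid_bit;
             }
             $PGfilter = "(&(objectSid={$PGsid_string})(objectclass={$objectclass}))";
             $this->printDebug("Primary Group Filter: {$PGfilter}", SENSITIVE);
             $info = LdapAuthenticationPlugin::ldap_search($this->ldapconn, $base, $PGfilter);
             $PGentries = LdapAuthenticationPlugin::ldap_get_entries($this->ldapconn, $info);
             if (is_array($PGentries)) {
                 // First element is the count
                 array_shift($PGentries);
             }
             // Skip when the primary group itself could not be found.
             if (isset($PGentries[0]['dn'])) {
                 $dnMember = strtolower($PGentries[0]['dn']);
                 $groups["dn"][] = $dnMember;
                 // Get short name of group: the value of the first RDN ("cn=name,...")
                 $memAttrs = explode(',', $dnMember);
                 $memAttrs = explode('=', $memAttrs[0]);
                 if (isset($memAttrs[1])) {
                     $groups["short"][] = strtolower($memAttrs[1]);
                 }
             }
         }
     }
     $filter = "(&({$attribute}={$value})(objectclass={$objectclass}))";
     $this->printDebug("Search string: {$filter}", SENSITIVE);
     $info = LdapAuthenticationPlugin::ldap_search($this->ldapconn, $base, $filter);
     if (!$info) {
         $this->printDebug("No entries returned from search.", SENSITIVE);
         // Return an array so that other functions
         // don't error out.
         return array("short" => array(), "dn" => array());
     }
     $entries = LdapAuthenticationPlugin::ldap_get_entries($this->ldapconn, $info);
     if ($entries) {
         // We need to shift because the first entry will be a count
         array_shift($entries);
         // Let's get a list of both full dn groups and shortname groups
         foreach ($entries as $entry) {
             $shortMember = strtolower($entry[$nameattribute][0]);
             $dnMember = strtolower($entry['dn']);
             $groups["short"][] = $shortMember;
             $groups["dn"][] = $dnMember;
         }
     }
     $this->printDebug("Returned groups:", SENSITIVE, $groups["dn"]);
     return $groups;
 }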
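	/**
	 * Hook to add objectclasses and attributes for users being created.
	 *
	 * Fills $values with the posix/nova attributes of a new account. The shell
	 * account name is read from the request ('shellaccountname'), validated
	 * against /^[a-z][a-z0-9\-_]*$/ and checked for uniqueness as a uid before
	 * it is used; optionally it also becomes the naming attribute of $userdn.
	 *
	 * @static
	 * @param  $auth      LdapAuthenticationPlugin
	 * @param  $username
	 * @param  $values    array of LDAP attributes, extended in place
	 * @param  $writeloc  DN under which the user entry will be written
	 * @param  $userdn    set to "uid=<name>,<writeloc>" when uid is the naming attribute
	 * @param  $result    hook result; assigned false on failure, left untouched otherwise
	 * @return bool
	 */
	static function LDAPSetCreationValues( $auth, $username, &$values, $writeloc, &$userdn, &$result ) {
		global $wgOpenStackManagerLDAPDefaultGid;
		global $wgOpenStackManagerLDAPDefaultShell;
		global $wgOpenStackManagerLDAPUseUidAsNamingAttribute;
		global $wgRequest;

		$values['objectclass'][] = 'person';
		$values['objectclass'][] = 'novauser';
		$values['objectclass'][] = 'ldappublickey';
		$values['objectclass'][] = 'posixaccount';
		$values['objectclass'][] = 'shadowaccount';
		$values['accesskey'] = OpenStackNovaUser::uuid4();
		$values['secretkey'] = OpenStackNovaUser::uuid4();
		$values['isnovaadmin'] = 'FALSE';
		$uidnumber = OpenStackNovaUser::getNextIdNumber( $auth, 'uidnumber' );
		if ( ! $uidnumber ) {
			$result = false;
			return false;
		}
		$values['cn'] = $username;
		if ( '' != $auth->realname ) {
			$values['displayname'] = $auth->realname;
		}
		$username = $wgRequest->getText( 'shellaccountname' );
		# The D modifier makes "$" match only at the very end of the string, so a
		# name with a trailing newline cannot pass and reach the filter/DN below.
		if ( ! preg_match( '/^[a-z][a-z0-9\-_]*$/D', $username ) ) {
			$result = false;
			return false;
		}
		$values['uid'] = $username;
		$base = $auth->getBaseDN( USERDN );
		# Though the LDAP plugin checks to see if the user account exists,
		# it does not check to see if the uid attribute is already used.
		# Keep the search handle in its own variable: $result is the hook's
		# out-parameter and must only ever receive the boolean outcome.
		# NOTE(review): this check and the later add are separate operations, so
		# two concurrent signups with the same name can both pass; a uniqueness
		# constraint on uid in the directory is the reliable guard.
		$searchResult = LdapAuthenticationPlugin::ldap_search( $auth->ldapconn, $base, "(uid=$username)" );
		if ( $searchResult ) {
			$entries = LdapAuthenticationPlugin::ldap_get_entries( $auth->ldapconn, $searchResult );
			if ( is_array( $entries ) && (int)$entries['count'] > 0 ) {
				$auth->printDebug( "User $username already exists.", NONSENSITIVE );
				# uid attribute is already in use, fail.
				$result = false;
				return false;
			}
		}
		$values['uidnumber'] = $uidnumber;
		$values['gidnumber'] = $wgOpenStackManagerLDAPDefaultGid;
		$values['homedirectory'] = '/home/' . $username;
		$values['loginshell'] = $wgOpenStackManagerLDAPDefaultShell;

		if ( $wgOpenStackManagerLDAPUseUidAsNamingAttribute ) {
			if ( $writeloc == '' ) {
				$auth->printDebug( "Trying to set the userdn, but write location isn't set.", NONSENSITIVE );
				return false;
			} else {
				$userdn = 'uid=' . $username . ',' . $writeloc;
				$auth->printDebug( "Using uid as the naming attribute, dn is: $userdn", NONSENSITIVE );
			}
		}
		$auth->printDebug( "User account's objectclasses: ", NONSENSITIVE, $values['objectclass'] );
		$auth->printDebug( "User account's attributes: ", HIGHLYSENSITIVE, $values );

		return true;
	}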
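 /**
  * AbortNewAccount hook: reject account creation when the requested shell
  * account name is malformed, already used as a uid in LDAP, or rejected by
  * TitleBlacklist.
  *
  * @param $user User being created (unused; the name is taken from the request)
  * @param $message set to the parsed failure message when false is returned
  * @return bool
  */
 static function AbortNewAccount($user, &$message)
 {
     global $wgRequest;
     global $wgAuth;
     global $wgUser;

     $shellaccountname = $wgRequest->getText('shellaccountname');
     # The D modifier makes "$" match only at the very end of the string, so a
     # trailing newline is rejected before the name reaches the LDAP filter below.
     if (!preg_match('/^[a-z][a-z0-9\-_]*$/D', $shellaccountname)) {
         $wgAuth->printDebug("Invalid shell name {$shellaccountname}", NONSENSITIVE);
         $message = wfMessage('openstackmanager-shellaccountvalidationfail')->parse();
         return false;
     }
     # USERDN is the selector passed to getBaseDN(), not a DN itself (the
     # LDAPSetCreationValues hook uses it the same way). Searching with the bare
     # constant as the base could never match, silently skipping this check.
     $base = $wgAuth->getBaseDN(USERDN);
     $result = LdapAuthenticationPlugin::ldap_search($wgAuth->ldapconn, $base, "(uid={$shellaccountname})");
     if ($result) {
         $entries = LdapAuthenticationPlugin::ldap_get_entries($wgAuth->ldapconn, $result);
         if (is_array($entries) && (int) $entries['count'] > 0) {
             $wgAuth->printDebug("User {$shellaccountname} already exists.", NONSENSITIVE);
             $message = wfMessage('openstackmanager-shellaccountexists')->parse();
             return false;
         }
     }
     if (class_exists('TitleBlacklist')) {
         # Positional arguments: $override = false, $log = true.
         return TitleBlacklistHooks::acceptNewUserName($shellaccountname, $wgUser, $message, false, true);
     }
     return true;
 }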
 /**
  * Pulls all projects from LDAP and adds them as MediaWiki namespaces. Also adds
  * associated talk namespaces. This function must be called from LocalSettings.
  *
  * Each project entry's gidnumber becomes the namespace id, gidnumber + 1 the
  * talk namespace id, and its cn (ucwords'd) the namespace name.
  *
  * @static
  * @return void
  */
 static function addNamespaces()
 {
     global $wgAuth;
     global $wgOpenStackManagerLDAPProjectBaseDN;
     global $wgExtraNamespaces;

     OpenStackNovaLdapConnection::connect();
     $searchResult = LdapAuthenticationPlugin::ldap_search($wgAuth->ldapconn, $wgOpenStackManagerLDAPProjectBaseDN, 'owner=*');
     $entries = LdapAuthenticationPlugin::ldap_get_entries($wgAuth->ldapconn, $searchResult);
     if (!$entries) {
         $wgAuth->printDebug("Failed to find projects", NONSENSITIVE);
         return;
     }

     # First element is the entry count.
     array_shift($entries);
     foreach ($entries as $entry) {
         $namespaceId = (int) $entry['gidnumber'][0];
         $namespaceName = ucwords($entry['cn'][0]);
         $wgAuth->printDebug("Adding namespace {$namespaceName}", NONSENSITIVE);
         $wgExtraNamespaces[$namespaceId] = $namespaceName;
         $wgExtraNamespaces[$namespaceId + 1] = $namespaceName . '_talk';
     }
 }
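 /**
  * Remove the legacy per-project service group/user subtrees from LDAP.
  *
  * For every project, deletes each groupofnames entry under
  * "ou=groups,<projectDN>" and each person entry under "ou=people,<projectDN>",
  * then the two OUs themselves. Progress is printed per entry and a summary
  * line at the end.
  *
  * @return bool true when every deletion succeeded
  */
 public function execute()
 {
     global $wgOpenStackManagerLDAPUsername;
     global $wgAuth;

     # Kept from the original: constructing the user may set up the LDAP session.
     $user = new OpenStackNovaUser($wgOpenStackManagerLDAPUsername);
     $projects = OpenStackNovaProject::getAllProjects();
     $attempt_count = 0;
     $synced_count = 0;
     $failed_count = 0;

     /**
      * @var $project OpenStackNovaProject
      */
     foreach ($projects as $project) {
         // actually load the project info from ldap
         // (getAllProjects() doesn't do this)
         $project->fetchProjectInfo();
         $oldServiceGroupOUDN = 'ou=groups,' . $project->getProjectDN();
         $oldServiceUserOUDN = 'ou=people,' . $project->getProjectDN();

         // Child entries first (a non-leaf entry cannot be deleted), then the OUs.
         // The original also reset $this->serviceGroups here; nothing in this
         // method read it, so that write is dropped.
         $targets = array();
         foreach ($this->childCnValues($oldServiceGroupOUDN, '(objectclass=groupofnames)') as $cn) {
             $targets[] = array("needs deleting: ", "cn=" . $cn . "," . $oldServiceGroupOUDN);
         }
         foreach ($this->childCnValues($oldServiceUserOUDN, '(objectclass=person)') as $cn) {
             // The RDN is built from the entry's cn, as in the original script.
             // NOTE(review): this assumes uid == cn for service users — confirm.
             $targets[] = array("user needs deleting: ", "uid=" . $cn . "," . $oldServiceUserOUDN);
         }
         $targets[] = array("ou needs deleting: ", $oldServiceGroupOUDN);
         $targets[] = array("ou needs deleting: ", $oldServiceUserOUDN);

         foreach ($targets as $target) {
             list($label, $deleteme) = $target;
             $attempt_count++;
             if ($this->deleteEntry($label, $deleteme)) {
                 $synced_count++;
             } else {
                 $failed_count++;
             }
         }
     }
     $this->output("{$attempt_count} items needed cleanup. {$synced_count} removed, {$failed_count} failed.\n");
     $this->output("Done.\n");
     return $failed_count == 0;
 }

 /**
  * Return the cn values of the entries matching $filter under $baseDn.
  *
  * @param string $baseDn
  * @param string $filter
  * @return array of string; empty when the search fails or returns nothing
  */
 private function childCnValues($baseDn, $filter)
 {
     global $wgAuth;

     $result = LdapAuthenticationPlugin::ldap_search($wgAuth->ldapconn, $baseDn, $filter);
     if (!$result) {
         return array();
     }
     $entries = LdapAuthenticationPlugin::ldap_get_entries($wgAuth->ldapconn, $result);
     // The original tested isset(), which is true even for a false return;
     // a non-array must not reach array_shift()/foreach.
     if (!is_array($entries)) {
         return array();
     }
     array_shift($entries); // first element is the count
     $values = array();
     foreach ($entries as $entry) {
         $values[] = $entry['cn'][0];
     }
     return $values;
 }

 /**
  * Delete one LDAP entry, printing progress as the original script did.
  *
  * @param string $label Prefix printed before the DN
  * @param string $dn Entry to delete
  * @return bool whether ldap_delete() reported success
  */
 private function deleteEntry($label, $dn)
 {
     global $wgAuth;

     print $label . $dn . "...";
     $success = LdapAuthenticationPlugin::ldap_delete($wgAuth->ldapconn, $dn);
     print $success ? "done.\n" : "FAILED\n";
     return (bool) $success;
 }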
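	/**
	 * Get a domain by an instance's ID. Return null if the instance ID entry
	 * does not exist.
	 *
	 * The instance's host entry is located by its associateddomain value
	 * "<instanceid>.<label>..."; the second dot-separated label is taken as
	 * the domain name and looked up as an OpenStackNovaDomain.
	 *
	 * @static
	 * @param  $instanceid
	 * @return null|OpenStackNovaDomain
	 */
	static function getDomainByInstanceId( $instanceid ) {
		global $wgAuth;
		global $wgOpenStackManagerLDAPInstanceBaseDN;

		OpenStackNovaLdapConnection::connect();

		# NOTE(review): $instanceid is placed in the filter unescaped (the trailing
		# ".*" wildcard is intentional). If ids can originate from a request, pass
		# the id through $wgAuth->getLdapEscapedString() first, as fetchHostInfo() does.
		$result = LdapAuthenticationPlugin::ldap_search( $wgAuth->ldapconn, $wgOpenStackManagerLDAPInstanceBaseDN,
								'(associateddomain=' . $instanceid . '.*)' );
		$hostInfo = LdapAuthenticationPlugin::ldap_get_entries( $wgAuth->ldapconn, $result );
		# A failed search (non-array) is treated like an empty one.
		if ( !is_array( $hostInfo ) || empty( $hostInfo['count'] ) ) {
			return null;
		}
		$fqdn = $hostInfo[0]['associateddomain'][0];
		$labels = explode( '.', $fqdn );
		# An fqdn without a second label has no domain name to look up.
		if ( !isset( $labels[1] ) ) {
			return null;
		}
		$domain = new OpenStackNovaDomain( $labels[1] );
		if ( $domain->domainInfo ) {
			return $domain;
		}
		return null;
	}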
	/**
	 * Get all host entries in the specified domain. Returns an empty array
	 * if no entries are found.
	 *
	 * Every entry with a dc attribute under the domain's DN becomes an
	 * OpenStackNovaHost bound to $domain.
	 *
	 * @static
	 * @param  $domain OpenStackNovaDomain
	 * @return array
	 */
	static function getAllHosts( $domain ) {
		global $wgAuth;

		OpenStackNovaLdapConnection::connect();

		$searchResult = LdapAuthenticationPlugin::ldap_search( $wgAuth->ldapconn, $domain->domainDN, '(dc=*)' );
		if ( !$searchResult ) {
			return array();
		}
		$entries = LdapAuthenticationPlugin::ldap_get_entries( $wgAuth->ldapconn, $searchResult );
		if ( !$entries ) {
			return array();
		}
		# First entry is always a count
		array_shift( $entries );

		$hosts = array();
		foreach ( $entries as $entry ) {
			$hosts[] = new OpenStackNovaHost( $entry['dc'][0], $domain );
		}
		return $hosts;
	}
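 /**
  * Populate $this->serviceGroups and $this->serviceUsers from LDAP.
  *
  * Every groupofnames entry under the service-group base DN and every person
  * entry under its "ou=people" subtree is scanned; those whose cn starts with
  * "<projectname>." belong to this project. Both lists are reset to empty
  * arrays first, so a failed search leaves them empty rather than stale.
  *
  * @return void
  */
 function fetchServiceGroups()
 {
     global $wgAuth;
     global $wgOpenStackManagerLDAPServiceGroupBaseDN;

     # cn prefix that marks an entry as belonging to this project.
     $matchstring = $this->projectname . ".";

     $this->serviceGroups = array();
     $result = LdapAuthenticationPlugin::ldap_search($wgAuth->ldapconn, $wgOpenStackManagerLDAPServiceGroupBaseDN, '(objectclass=groupofnames)');
     if ($result) {
         $groupList = LdapAuthenticationPlugin::ldap_get_entries($wgAuth->ldapconn, $result);
         # The original tested isset(), which is true even for a false return;
         # only an array may reach array_shift()/foreach.
         if (is_array($groupList)) {
             array_shift($groupList); # first element is the count
             foreach ($groupList as $groupEntry) {
                 # Now we have every group.  Check if this one belongs to us.
                 if (strpos($groupEntry['cn'][0], $matchstring) === 0) {
                     $this->serviceGroups[] = new OpenStackNovaServiceGroup($groupEntry['cn'][0], $this);
                 }
             }
         }
     }

     $serviceUserBaseDN = "ou=people" . "," . $wgOpenStackManagerLDAPServiceGroupBaseDN;
     $this->serviceUsers = array();
     $result = LdapAuthenticationPlugin::ldap_search($wgAuth->ldapconn, $serviceUserBaseDN, '(objectclass=person)');
     if ($result) {
         $userList = LdapAuthenticationPlugin::ldap_get_entries($wgAuth->ldapconn, $result);
         if (is_array($userList)) {
             array_shift($userList); # first element is the count
             foreach ($userList as $userEntry) {
                 # Now we have every user.  Check if this one belongs to us.
                 if (strpos($userEntry['cn'][0], $matchstring) === 0) {
                     $wgAuth->printDebug("adding " . $userEntry['cn'][0], NONSENSITIVE);
                     $this->serviceUsers[] = $userEntry['cn'][0];
                 }
             }
         }
     }
 }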