/** * Prune users from users table who aren't in LDAP * * @param TBGRequest $request */ public function runPruneUsers(TBGRequest $request) { $validgroups = TBGContext::getModule('auth_ldap')->getSetting('groups'); $base_dn = TBGContext::getModule('auth_ldap')->getSetting('b_dn'); $dn_attr = TBGContext::getModule('auth_ldap')->getSetting('dn_attr'); $username_attr = TBGContext::getModule('auth_ldap')->getSetting('u_attr'); $fullname_attr = TBGContext::getModule('auth_ldap')->getSetting('f_attr'); $email_attr = TBGContext::getModule('auth_ldap')->getSetting('e_attr'); $groups_members_attr = TBGContext::getModule('auth_ldap')->getSetting('g_attr'); $user_class = TBGContext::getModule('auth_ldap')->getSetting('u_type'); $group_class = TBGContext::getModule('auth_ldap')->getSetting('g_type'); $users = TBGUser::getAll(); $deletecount = 0; try { $connection = TBGContext::getModule('auth_ldap')->connect(); TBGContext::getModule('auth_ldap')->bind($connection, TBGContext::getModule('auth_ldap')->getSetting('control_user'), TBGContext::getModule('auth_ldap')->getSetting('control_pass')); $default = TBGSettings::getDefaultUserID(); foreach ($users as $user) { if ($user->getID() == $default) { continue; } $username = $user->getUsername(); $fields = array($fullname_attr, $email_attr, 'cn', $dn_attr); $filter = '(&(objectClass=' . TBGLDAPAuthentication::getModule()->escape($user_class) . ')(' . $username_attr . '=' . TBGLDAPAuthentication::getModule()->escape($username) . '))'; $results = ldap_search($connection, $base_dn, $filter, $fields); if (!$results) { TBGLogging::log('failed to search for user: '******'ldap', TBGLogging::LEVEL_FATAL); throw new Exception(TBGContext::geti18n()->__('Search failed: ') . ldap_error($connection)); } $data = ldap_get_entries($connection, $results); /* * If a user is not found, delete it */ if ($data['count'] != 1) { $user->delete(); $deletecount++; continue; } if ($validgroups != '') { if (strstr($validgroups, ',')) { $groups = explode(',', $validgroups); } else { $groups = array(); $groups[] = $validgroups; } $allowed = false; foreach ($groups as $group) { $fields2 = array($groups_members_attr); $filter2 = '(&(objectClass=' . TBGLDAPAuthentication::getModule()->escape($group_class) . ')(cn=' . TBGLDAPAuthentication::getModule()->escape($group) . '))'; $results2 = ldap_search($connection, $base_dn, $filter2, $fields2); if (!$results2) { TBGLogging::log('failed to search for user: '******'ldap', TBGLogging::LEVEL_FATAL); throw new Exception(TBGContext::geti18n()->__('Search failed: ') . ldap_error($connection)); } $data2 = ldap_get_entries($connection, $results2); if ($data2['count'] != 1) { continue; } foreach ($data2[0][$groups_members_attr] as $member) { $member = preg_replace('/(?<=,) +(?=[a-zA-Z])/', '', $member); $user_dn = preg_replace('/(?<=,) +(?=[a-zA-Z])/', '', $data[0][strtolower($dn_attr)][0]); if (!is_numeric($member) && strtolower($member) == strtolower($user_dn)) { $allowed = true; } } } /* * If a user is not allowed access, delete it */ if ($allowed == false) { $user->delete(); $deletecount++; continue; } } } } catch (Exception $e) { ldap_unbind($connection); TBGContext::setMessage('module_error', TBGContext::getI18n()->__('Pruning failed')); TBGContext::setMessage('module_error_details', $e->getMessage()); $this->forward(TBGContext::getRouting()->generate('configure_module', array('config_module' => 'auth_ldap'))); } ldap_unbind($connection); TBGContext::setMessage('module_message', TBGContext::getI18n()->__('Pruning successful! %del users deleted', array('%del' => $deletecount))); $this->forward(TBGContext::getRouting()->generate('configure_module', array('config_module' => 'auth_ldap'))); }