예제 #1
	/**
	 * Check if the password is correct without logging in the user
	 *
	 * The login name is run through escapeFilterPart() before it is substituted
	 * into the configured ldapLoginFilter, so filter metacharacters typed as a
	 * user name cannot change the shape of the LDAP query. On success the login
	 * is recorded via markLogin() and the display name / LDAP user name found in
	 * the search result are stored on the user object.
	 *
	 * @param string $uid The username as entered at login
	 * @param string $password The password used for the bind
	 * @return false|string The internal user name on success; false when no
	 *                      entry matches, no user object exists for the DN,
	 *                      the object has no user name, or the bind fails
	 */
	public function checkPassword($uid, $password) {
		$escapedUid = $this->access->escapeFilterPart($uid);

		// resolve the login name to a DN through the configured login filter
		$wantedAttrs = array($this->access->connection->ldapUserDisplayName, 'dn',
			'uid', 'samaccountname');
		$loginFilter = \OCP\Util::mb_str_replace(
			'%uid', $escapedUid, $this->access->connection->ldapLoginFilter, 'UTF-8');
		$matches = $this->access->fetchListOfUsers($loginFilter, $wantedAttrs);
		if(count($matches) < 1) {
			return false;
		}

		$entry = $matches[0];
		$dn = $entry['dn'];
		$user = $this->access->userManager->get($dn);
		if(!$user instanceof User) {
			\OCP\Util::writeLog('user_ldap',
				'LDAP Login: Could not get user object for DN ' . $dn .
				'. Maybe the LDAP entry has no set display name attribute?',
				\OCP\Util::WARN);
			return false;
		}
		if($user->getUsername() === false) {
			return false;
		}

		// the bind with the supplied password decides whether the login is valid
		if(!$this->access->areCredentialsValid($dn, $password)) {
			return false;
		}

		$user->markLogin();
		$displayNameAttr = $this->access->connection->ldapUserDisplayName;
		if(isset($entry[$displayNameAttr])) {
			$user->storeDisplayName($entry[$displayNameAttr]);
		}
		if(isset($entry['uid'])) {
			$user->storeLDAPUserName($entry['uid']);
		} elseif(isset($entry['samaccountname'])) {
			$user->storeLDAPUserName($entry['samaccountname']);
		}

		return $user->getUsername();
	}
예제 #2
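 /**
  * @brief Check if the password is correct without logging in the user
  *
  * The login name is substituted into the configured ldapLoginFilter, so it
  * is escaped for the LDAP filter grammar first: characters such as `*`,
  * `(`, `)` or `\` in $uid would otherwise change the meaning of the search.
  * NOTE(review): if this class has its own filter-escaping helper, prefer it
  * so the escaping rules match the rest of the backend.
  *
  * @param string $uid The username
  * @param string $password The password
  * @return string|false The internal user name on success; false when no
  *                      entry matches, the bind fails, or no user name maps
  *                      to the DN
  */
 public function checkPassword($uid, $password)
 {
     // escape filter metacharacters before the login name enters the filter
     $escapedUid = ldap_escape($uid, '', LDAP_ESCAPE_FILTER);
     //find out dn of the user name
     $filter = \OCP\Util::mb_str_replace('%uid', $escapedUid, $this->connection->ldapLoginFilter, 'UTF-8');
     $ldap_users = $this->fetchListOfUsers($filter, 'dn');
     if (count($ldap_users) < 1) {
         return false;
     }
     $dn = $ldap_users[0];
     //are the credentials OK?
     if (!$this->areCredentialsValid($dn, $password)) {
         return false;
     }
     //do we have a username for him/her?
     $ocname = $this->dn2username($dn);
     if ($ocname) {
         //update some settings, if necessary
         $this->updateQuota($dn);
         $this->updateEmail($dn);
         //give back the internal user name
         return $ocname;
     }
     return false;
 }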
예제 #3
 /**
  * Makes an LDAP-derived name usable as an internal user name.
  *
  * When ldapIgnoreNamingRules is set the name is returned untouched.
  * Otherwise it is transliterated to ASCII, spaces become underscores and
  * every character outside [a-zA-Z0-9_.@-] is removed.
  *
  * @param string $name
  * @return bool|mixed|string The sanitized name; iconv() can return false and
  *                           preg_replace() null on failure, and that value is
  *                           passed through unchanged
  */
 public function sanitizeUsername($name)
 {
     if ($this->connection->ldapIgnoreNamingRules) {
         return $name;
     }
     // latin characters to their ASCII approximation
     // NOTE(review): //TRANSLIT output depends on the process locale — confirm
     $ascii = iconv('UTF-8', 'ASCII//TRANSLIT', $name);
     $withoutSpaces = \OCP\Util::mb_str_replace(' ', '_', $ascii, 'UTF-8');
     // drop whatever is still outside the allowed character set
     return preg_replace('/[^a-zA-Z0-9_.@-]/u', '', $withoutSpaces);
 }
예제 #4
 /**
  * counts the users in LDAP
  *
  * The login filter is turned into a wildcard filter by replacing '%uid'
  * with '*'; a count stored earlier under that filter is served from the
  * connection cache.
  *
  * @return int|bool the count, or whatever Access::countUsers() returned
  */
 public function countUsers()
 {
     $wildcardFilter = \OCP\Util::mb_str_replace('%uid', '*', $this->access->connection->ldapLoginFilter, 'UTF-8');
     $cacheKey = 'countUsers-' . $wildcardFilter;
     $cached = $this->access->connection->getFromCache($cacheKey);
     if ($cached !== null) {
         return $cached;
     }
     $count = $this->access->countUsers($wildcardFilter);
     $this->access->connection->writeToCache($cacheKey, $count);
     return $count;
 }
예제 #5
 /**
  * counts the users in LDAP
  *
  * Uses the login filter with '%uid' replaced by '*' as a wildcard filter.
  *
  * @return int|bool whatever Access::countUsers() returns for that filter
  */
 public function countUsers()
 {
     $loginFilter = $this->access->connection->ldapLoginFilter;
     $wildcardFilter = \OCP\Util::mb_str_replace('%uid', '*', $loginFilter, 'UTF-8');
     return $this->access->countUsers($wildcardFilter);
 }
예제 #6
 /**
  * Tries the configured login filter against a login name and reports how
  * many entries matched together with the effective filter string.
  *
  * @param string $loginName
  * @return bool|WizardResult false when a required setting is missing, the
  *                           WizardResult carrying the test outcome otherwise
  * @throws \Exception on a broken connection resource, a login filter without
  *                    the '%uid' placeholder, or an LDAP error after the search
  */
 public function testLoginName($loginName)
 {
     $required = array('ldapHost', 'ldapPort', 'ldapBase', 'ldapLoginFilter');
     if (!$this->checkRequirements($required)) {
         return false;
     }
     $resource = $this->access->connection->getConnectionResource();
     if (!$this->ldap->isResource($resource)) {
         throw new \Exception('connection error');
     }
     if (mb_strpos($this->access->connection->ldapLoginFilter, '%uid', 0, 'UTF-8') === false) {
         throw new \Exception('missing placeholder');
     }
     $matches = $this->access->fetchUsersByLoginName($loginName);
     if ($this->ldap->errno($resource) !== 0) {
         throw new \Exception($this->ldap->error($resource));
     }
     // the reported filter is built from the raw login name; whether
     // fetchUsersByLoginName() escapes it before searching is not visible here — confirm
     $effectiveFilter = \OCP\Util::mb_str_replace('%uid', $loginName, $this->access->connection->ldapLoginFilter, 'UTF-8');
     $this->result->addChange('ldap_test_loginname', count($matches));
     $this->result->addChange('ldap_test_effective_filter', $effectiveFilter);
     return $this->result;
 }
예제 #7
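 /**
  * @brief get a list of all users in a group
  *
  * Results are cached twice: under the exact query (gid, search, limit,
  * offset) and under the unpaged query (gid, search), so later pages of the
  * same search can be sliced from the unpaged entry without another lookup.
  *
  * @param string $gid the internal group name
  * @param string $search optional, a search string; empty means all members
  * @param int $limit maximum number of users to return, -1 for no limit
  * @param int $offset number of users to skip
  * @returns array with user ids
  */
 public function usersInGroup($gid, $search = '', $limit = -1, $offset = 0)
 {
     if (!$this->enabled) {
         return array();
     }
     $cachekey = 'usersInGroup-' . $gid . '-' . $search . '-' . $limit . '-' . $offset;
     // the unpaged entry is keyed on the caller's search string, which is what the
     // lookup below uses; it used to be written with the wildcard form ('*foo*',
     // or '*' for an empty search) and therefore never produced a cache hit
     $unpagedCacheKey = 'usersInGroup-' . $gid . '-' . $search;
     // -1 means "no limit"; normalise before any array_slice(), which would
     // otherwise read -1 as "drop the last element"
     if ($limit == -1) {
         $limit = null;
     }
     // check for cache of the exact query
     $groupUsers = $this->connection->getFromCache($cachekey);
     if (!is_null($groupUsers)) {
         return $groupUsers;
     }
     // check for cache of the query without limit and offset
     $groupUsers = $this->connection->getFromCache($unpagedCacheKey);
     if (!is_null($groupUsers)) {
         $groupUsers = array_slice($groupUsers, $offset, $limit);
         $this->connection->writeToCache($cachekey, $groupUsers);
         return $groupUsers;
     }
     $groupDN = $this->groupname2dn($gid);
     if (!$groupDN) {
         // group couldn't be found, return empty resultset
         $this->connection->writeToCache($cachekey, array());
         return array();
     }
     $members = $this->readAttribute($groupDN, $this->connection->ldapGroupMemberAssocAttr);
     if (!$members) {
         //in case users could not be retrieved, return empty resultset
         $this->connection->writeToCache($cachekey, array());
         return array();
     }
     // compare against '' rather than empty(): a search for "0" is a real search
     $searchPattern = ((string)$search === '') ? '*' : '*' . $search . '*';
     $groupUsers = array();
     $isMemberUid = strtolower($this->connection->ldapGroupMemberAssocAttr) === 'memberuid';
     foreach ($members as $member) {
         if ($isMemberUid) {
             //we got uids, need to get their DNs to 'translate' them to usernames
             // NOTE(review): $member is read from the directory and substituted into
             // the login filter verbatim; escaping it for the filter grammar would
             // harden this against crafted memberUid values — confirm whether an
             // escaping helper is available on this class
             $filter = $this->combineFilterWithAnd(array(
                 \OCP\Util::mb_str_replace('%uid', $member, $this->connection->ldapLoginFilter, 'UTF-8'),
                 $this->connection->ldapUserDisplayName . '=' . $searchPattern,
             ));
             $ldap_users = $this->fetchListOfUsers($filter, 'dn');
             if (count($ldap_users) < 1) {
                 continue;
             }
             $groupUsers[] = $this->dn2username($ldap_users[0]);
         } else {
             //we got DNs, check if we need to filter by search or we can give back all of them
             if ($searchPattern !== '*') {
                 if (!$this->readAttribute($member, $this->connection->ldapUserDisplayName, $this->connection->ldapUserDisplayName . '=' . $searchPattern)) {
                     continue;
                 }
             }
             // dn2username will also check if the users belong to the allowed base
             if ($ocname = $this->dn2username($member)) {
                 $groupUsers[] = $ocname;
             }
         }
     }
     natsort($groupUsers);
     $this->connection->writeToCache($unpagedCacheKey, $groupUsers);
     $groupUsers = array_slice($groupUsers, $offset, $limit);
     $this->connection->writeToCache($cachekey, $groupUsers);
     return $groupUsers;
 }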
예제 #8
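 /**
  * returns the number of users in a group, who match the search term
  *
  * Without a search term the count is the size of the group's member list
  * and is cached. With a search term every member is checked against the
  * user search filter and users having this group as primary group are
  * added; that count is not cached.
  *
  * @param string $gid the internal group name
  * @param string $search optional, a search string
  * @return int|bool the count, or false when the backend is disabled, the
  *                  group does not exist, or its members cannot be read
  */
 public function countUsersInGroup($gid, $search = '')
 {
     $cacheKey = 'countUsersInGroup-' . $gid . '-' . $search;
     if (!$this->enabled || !$this->groupExists($gid)) {
         return false;
     }
     $cached = $this->access->connection->getFromCache($cacheKey);
     if (!is_null($cached)) {
         return $cached;
     }
     $groupDN = $this->access->groupname2dn($gid);
     if (!$groupDN) {
         // group couldn't be found, return empty result set
         $this->access->connection->writeToCache($cacheKey, false);
         return false;
     }
     $members = array_keys($this->_groupMembers($groupDN));
     if (!$members) {
         //in case users could not be retrieved, return empty result set
         $this->access->connection->writeToCache($cacheKey, false);
         return false;
     }
     // compare against '' rather than empty(): a search for "0" is a real search
     if ((string)$search === '') {
         $memberCount = count($members);
         $this->access->connection->writeToCache($cacheKey, $memberCount);
         return $memberCount;
     }
     $isMemberUid = strtolower($this->access->connection->ldapGroupMemberAssocAttr) === 'memberuid';
     //we need to apply the search filter
     //alternatives that need to be checked:
     //a) get all users by search filter and array_intersect them
     //b) a, but only when less than 1k 10k ?k users like it is
     //c) put all DNs|uids in a LDAP filter, combine with the search string
     //   and let it count.
     //For now this is not important, because the only use of this method
     //does not supply a search string
     $searchFilterPart = $this->access->getFilterPartForUserSearch($search);
     $groupUsers = array();
     foreach ($members as $member) {
         if ($isMemberUid) {
             //we got uids, need to get their DNs to 'translate' them to user names
             // the uid comes from the directory; escape it before it enters the login filter
             $escapedMember = $this->access->escapeFilterPart($member);
             $filter = $this->access->combineFilterWithAnd(array(
                 \OCP\Util::mb_str_replace('%uid', $escapedMember, $this->access->connection->ldapLoginFilter, 'UTF-8'),
                 $searchFilterPart,
             ));
             $ldap_users = $this->access->fetchListOfUsers($filter, 'dn');
             if (count($ldap_users) < 1) {
                 continue;
             }
             $groupUsers[] = $this->access->dn2username($ldap_users[0]);
         } else {
             //we need to apply the search filter now
             if (!$this->access->readAttribute($member, $this->access->connection->ldapUserDisplayName, $searchFilterPart)) {
                 continue;
             }
             // dn2username will also check if the users belong to the allowed base
             if ($ocname = $this->access->dn2username($member)) {
                 $groupUsers[] = $ocname;
             }
         }
     }
     //and get users that have the group as primary
     $primaryUsers = $this->getUsersInPrimaryGroup($groupDN);
     $groupUsers = array_unique(array_merge($groupUsers, $primaryUsers));
     return count($groupUsers);
 }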
예제 #9
 /**
  * Looks a user up through the configured login filter and, when exactly one
  * entry matches, runs dn2ocname() on it (which creates the table entries
  * and folders for that user).
  *
  * @param string $uuid the value substituted for '%uid' in ldapLoginFilter;
  *                     it is escaped with escapeFilterPart() first
  * @return bool true when exactly one entry matched and was initialized,
  *              false otherwise or when the backend is disabled
  */
 public function initializeUser($uuid)
 {
     //check backend status
     if (!$this->enabled) {
         return false;
     }
     $this->connect();
     // escape filter metacharacters before the value enters the filter
     $escaped = $this->access->escapeFilterPart($uuid);
     $loginFilter = \OCP\Util::mb_str_replace('%uid', $escaped, $this->access->connection->ldapLoginFilter, 'UTF-8');
     $found = $this->getUsers($loginFilter, 'dn');
     $exactlyOne = count($found) === 1 && $found[0]['count'] === 1;
     if (!$exactlyOne) {
         return false;
     }
     //creates table entries and folders
     $this->ldap->dn2ocname($found[0][0]);
     return true;
 }
예제 #10
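 /**
  * @brief get a list of all users in a group
  *
  * The full, unfiltered member list is cached per group. The search term
  * (applied through groupMatchesFilter()) and limit/offset are applied on
  * top of either the cached or the freshly read list, in one place.
  *
  * @param string $gid the internal group name
  * @param string $search optional, a search string
  * @param int $limit maximum number of users to return, -1 for no limit
  * @param int $offset number of users to skip
  * @returns array with user ids
  */
 public function usersInGroup($gid, $search = '', $limit = -1, $offset = 0)
 {
     if (!$this->enabled) {
         return array();
     }
     // groupMatchesFilter() reads the search term from this property
     $this->groupSearch = $search;
     $cacheKey = 'usersInGroup' . $gid;
     if ($this->connection->isCached($cacheKey)) {
         $groupUsers = $this->connection->getFromCache($cacheKey);
     } else {
         $groupDN = $this->groupname2dn($gid);
         if (!$groupDN) {
             // group couldn't be found: cache and return an empty result set
             $this->connection->writeToCache($cacheKey, array());
             return array();
         }
         $members = $this->readAttribute($groupDN, $this->connection->ldapGroupMemberAssocAttr);
         if (!$members) {
             // members could not be read: cache and return an empty result set
             $this->connection->writeToCache($cacheKey, array());
             return array();
         }
         $isMemberUid = strtolower($this->connection->ldapGroupMemberAssocAttr) === 'memberuid';
         $result = array();
         foreach ($members as $member) {
             if ($isMemberUid) {
                 //we got uids, need to get their DNs to translate them to user names
                 // NOTE(review): $member is read from the directory and substituted into
                 // the login filter verbatim; escaping it for the filter grammar would
                 // harden this — confirm whether an escaping helper is available here
                 $filter = \OCP\Util::mb_str_replace('%uid', $member, $this->connection->ldapLoginFilter, 'UTF-8');
                 $ldap_users = $this->fetchListOfUsers($filter, 'dn');
                 if (count($ldap_users) < 1) {
                     continue;
                 }
                 $result[] = $this->dn2username($ldap_users[0]);
             } elseif ($ocname = $this->dn2username($member)) {
                 $result[] = $ocname;
             }
         }
         if (!$isMemberUid) {
             // keep only names that \OCP\User::getUsers() also lists
             $result = array_intersect($result, \OCP\User::getUsers());
         }
         $groupUsers = array_unique($result, SORT_LOCALE_STRING);
         $this->connection->writeToCache($cacheKey, $groupUsers);
     }
     if (!empty($this->groupSearch)) {
         $groupUsers = array_filter($groupUsers, array($this, 'groupMatchesFilter'));
     }
     // -1 means "no limit"; array_slice() would read it as "drop the last element"
     if ($limit == -1) {
         $limit = null;
     }
     return array_slice($groupUsers, $offset, $limit);
 }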