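/**
 * Checks if a group exists in LDAP
 * @author Paul Heaney
 * @param string $dn the DN of the group to check it exists
 * @param string $mapping the LDAP name mapping to use (case-insensitive; a
 *        LDAP_<MAPPING>_GRPOBJECTTYPE constant must be defined for it)
 * @return bool TRUE when exactly one group object is found at $dn; FALSE when
 *         zero or several are found, when the mapping is unknown, or when the
 *         search itself fails
 */
function ldapCheckGroupExists($dn, $mapping)
{
    $ldap_conn = ldapOpen(); // Need to get an admin thread
    // NOTE(review): the connection is never unbound here; if ldapOpen() opens a
    // fresh connection per call this leaks one per check — confirm against ldapOpen()

    // The group object class comes from the per-directory constant, the same
    // source the $CONFIG['ldap_*'] settings are populated from
    $constName = 'LDAP_' . strtoupper($mapping) . '_GRPOBJECTTYPE';
    if (!defined($constName)) {
        // Previously this fell through to constant() with an unknown name and an
        // empty "(ObjectClass=)" filter; fail explicitly instead
        trigger_error("Unknown LDAP mapping '{$mapping}'", E_USER_WARNING);
        return FALSE;
    }
    $filter = "(ObjectClass=" . constant($constName) . ")";
    debug_log("Filter: {$filter}", TRUE);
    debug_log("Object: {$dn}", TRUE);

    // ldap_search() returns FALSE on error (e.g. a malformed DN); don't hand
    // that to ldap_count_entries()
    $sr = ldap_search($ldap_conn, $dn, $filter);
    if ($sr === FALSE) {
        return FALSE;
    }
    // Exactly one entry means the group exists; zero or several means it doesn't
    return ldap_count_entries($ldap_conn, $sr) == 1;
}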
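break;
case 'storedashboard':
    // A user may only change their own dashboard.  Both request values are
    // untrusted: the id is cast to int and compared strictly with the session
    // user, and the value is escaped before it is interpolated into the query
    // (previously both went into the SQL verbatim).
    $id = isset($_REQUEST['id']) ? intval($_REQUEST['id']) : 0;
    $val = isset($_REQUEST['val']) ? mysql_real_escape_string($_REQUEST['val']) : '';
    if ($id > 0 && isset($_SESSION['userid']) && $id === intval($_SESSION['userid'])) {
        $sql = "UPDATE `{$dbUsers}` SET dashboard = '{$val}' WHERE id = '{$id}'";
        mysql_query($sql);
        if (mysql_error()) {
            trigger_error("MySQL Query Error " . mysql_error(), E_USER_ERROR);
        }
    }
    break;
case 'checkldap':
    // Try the supplied LDAP settings by opening/binding a connection; prints 1 or 0.
    // NOTE(review): no permission check is visible in this span — confirm the
    // enclosing script limits this action to administrators, since it makes the
    // server connect to a caller-chosen host and port with caller-chosen credentials.
    $ldap_host = cleanvar($_REQUEST['ldap_host']);
    $ldap_port = cleanvar($_REQUEST['ldap_port']);
    $ldap_protocol = cleanvar($_REQUEST['ldap_protocol']);
    $ldap_security = cleanvar($_REQUEST['ldap_security']);
    $ldap_user = cleanvar($_REQUEST['ldap_bind_user']);
    $ldap_password = cleanvar($_REQUEST['ldap_bind_pass']);
    $r = ldapOpen($ldap_host, $ldap_port, $ldap_protocol, $ldap_security, $ldap_user, $ldap_password);
    // ldapOpen() signals a failed connection/bind with -1
    if ($r == -1) {
        echo "0";
    } else {
        echo "1"; // Success
    }
    break;
default:
    break;
}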
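/**
 * Look up the members of one LDAP group for the periodic sync
 *
 * Helper for saction_ldapSync().  Searches $grp for a single group object and
 * returns the values of its membership attribute ($CONFIG['ldap_grpattributegrp'])
 * keyed by themselves.  When $CONFIG['ldap_grpfulldn'] is set the members are
 * full DNs and only those ending in $CONFIG['ldap_user_base'] are kept;
 * otherwise every member value is kept unchanged.
 *
 * @param resource $ldap_conn Open LDAP connection (as returned by ldapOpen())
 * @param string $grp DN of the group to read
 * @param string $filter LDAP filter matching group objects
 * @param array $attributesToGet Attributes to request (the membership attribute)
 * @param string $notFoundMessage Message handed to trigger_error() when the group
 *        is not found (zero or several entries) or the search fails
 * @return array Member values keyed by member value; empty when the group was not found
 */
function ldapSyncGroupMembers($ldap_conn, $grp, $filter, $attributesToGet, $notFoundMessage)
{
    global $CONFIG;
    $members = array();
    $sr = ldap_search($ldap_conn, $grp, $filter, $attributesToGet);
    // ldap_search() returns FALSE on error; treat that as "not found" rather
    // than passing FALSE on to ldap_count_entries()
    if ($sr === FALSE || ldap_count_entries($ldap_conn, $sr) != 1) {
        trigger_error($notFoundMessage);
        return $members;
    }
    $entry = ldap_first_entry($ldap_conn, $sr);
    $attributes = ldap_get_attributes($ldap_conn, $entry);
    $memberAttr = $CONFIG['ldap_grpattributegrp'];
    for ($i = 0; $i < $attributes[$memberAttr]['count']; $i++) {
        $member = $attributes[$memberAttr][$i];
        if ($CONFIG['ldap_grpfulldn']) {
            // Members are full DNs: ignore anything outside the user tree
            if (endsWith(strtolower($member), strtolower($CONFIG['ldap_user_base']))) {
                $members[$member] = $member;
            }
        } else {
            $members[$member] = $member;
        }
    }
    return $members;
}

/**
 * Perform the periodic sync of existing user and contact details from LDAP
 * @author Paul Heaney
 * @note This function does not create users or contacts it simply updates existing
 * @note details.
 *
 * Members of the configured admin/manager/user groups are read from LDAP and
 * their details refreshed via ldap_storeDetails().  Where the directory exposes
 * a login-disabled attribute ($CONFIG['ldap_logindisabledattribute']), the SiT
 * account is disabled or re-enabled to match it.  LDAP-sourced users that are
 * no longer a member of any group are disabled.  The same is then done for the
 * contacts in $CONFIG['ldap_customer_group'].
 *
 * @return bool TRUE when LDAP is not in use, or when the connection opened and
 *         every ldap_storeDetails() call succeeded; FALSE when the connection
 *         could not be opened or any store failed.  (Previously the flag
 *         reflected only the last user processed, so a later success hid an
 *         earlier failure.)
 */
function saction_ldapSync()
{
    global $CONFIG;
    $success = FALSE;
    if ($CONFIG['use_ldap']) {
        $ldap_conn = ldapOpen();
        // ldapOpen() is reported to return -1 on failure (see the checkldap
        // action) and -1 is truthy, so check for it explicitly as well
        if ($ldap_conn && $ldap_conn !== -1) {
            // Sticky flag: any failure below turns this FALSE and nothing turns it back
            $success = TRUE;

            // NOTE TODO FIXME would be more optimal to pass the user type into the create as in the case where the group membership isn't stored its looked up again
            // Search for members of each group and then unique the members and loop through
            // Populate an array ($users) with a list of SIT users in LDAP
            // Only want GROUPS
            $filter = "(objectClass={$CONFIG['ldap_grpobjecttype']})";
            $attributesToGet = array($CONFIG['ldap_grpattributegrp']);
            $userAttr = $CONFIG['ldap_userattribute'];
            // Directory support for disabled logins is optional; an empty setting means "not supported"
            $disabledAttr = empty($CONFIG['ldap_logindisabledattribute']) ? '' : $CONFIG['ldap_logindisabledattribute'];
            $disabledValue = isset($CONFIG['ldap_logindisabledvalue']) ? strtolower($CONFIG['ldap_logindisabledvalue']) : '';

            // ----- USERS -----
            $users = array();
            $userGrps = array($CONFIG['ldap_admin_group'], $CONFIG['ldap_manager_group'], $CONFIG['ldap_user_group']);
            foreach ($userGrps as $grp) {
                if (!empty($grp)) {
                    // '+' keeps existing keys, which is fine: key and value are always the same member string
                    $users += ldapSyncGroupMembers($ldap_conn, $grp, $filter, $attributesToGet, "Group {$grp} not found in LDAP");
                }
            }

            // Populate an array with the LDAP users already in the SiT database
            $sit_db_users = array();
            $sql = "SELECT id, username, status FROM `{$GLOBALS['dbUsers']}` WHERE user_source = 'ldap'";
            $result = mysql_query($sql);
            if (mysql_error()) {
                trigger_error("MySQL Query Error" . mysql_error(), E_USER_WARNING);
            }
            if ($result && mysql_num_rows($result) > 0) {
                while ($obj = mysql_fetch_object($result)) {
                    $user_obj = new User();
                    $user_obj->id = $obj->id;
                    $user_obj->username = $obj->username;
                    $user_obj->status = $obj->status;
                    $sit_db_users[$obj->username] = $user_obj;
                }
            }

            foreach ($users as $u) {
                $e = ldap_getDetails($u, FALSE, $ldap_conn);
                if (!$e) {
                    debug_log("Failed to get details for {$u}");
                    continue;
                }
                $user_attributes = ldap_get_attributes($ldap_conn, $e);
                debug_log("user attributes: " . print_r($user_attributes, true), TRUE);
                debug_log("db users: " . print_r($sit_db_users, true), TRUE);
                $username = $user_attributes[$userAttr][0];
                // NULL when the LDAP user has no matching row in the SiT users table
                $dbUser = isset($sit_db_users[$username]) ? $sit_db_users[$username] : NULL;

                // If the directory supports disabling of users, reconcile the enabled
                // state — but only for users we already have a row for: the old code
                // dereferenced a missing entry here and died on ->disable()
                if ($disabledAttr != '' && $dbUser !== NULL) {
                    $hasDisabledAttr = !empty($user_attributes[$disabledAttr]);
                    // A missing attribute is not treated as "disabled" (same rule as the contacts branch)
                    $disabledInLdap = $hasDisabledAttr && strtolower($user_attributes[$disabledAttr][0]) == $disabledValue;
                    if ($dbUser->status === USERSTATUS_ACCOUNT_DISABLED) {
                        // User is disabled in the SiT db, check to see if we need to re-enable
                        if ($hasDisabledAttr && !$disabledInLdap) {
                            debug_log("Re-enabling user '{$u}' in the SiT users database", TRUE);
                            $dbUser->status = $CONFIG['ldap_default_user_status'];
                            $dbUser->edit();
                        }
                    } elseif ($disabledInLdap) {
                        // User is not disabled in the SiT database but is in LDAP, so disable
                        $dbUser->disable();
                    }
                }

                $userid = 0;
                if ($dbUser !== NULL) {
                    $userid = $dbUser->id;
                    // Whatever is left in $sit_db_users after the loop is no longer in any group
                    unset($sit_db_users[$username]);
                }
                if (!ldap_storeDetails('', $userid, TRUE, TRUE, $ldap_conn, $user_attributes)) {
                    trigger_error("Failed to store details for userid {$userid}", E_USER_WARNING);
                    $success = FALSE;
                }
            }

            // Disable users we no longer know about
            // TODO reassign incidents?
            // NOTE(review): if a group lookup above failed, its members are absent from
            // $users and get disabled here — confirm that is acceptable for transient LDAP errors
            foreach ($sit_db_users as $u) {
                debug_log("Disabling {$u->username}");
                $u->disable();
            }

            // ----- CONTACTS -----
            if (!empty($CONFIG["ldap_customer_group"])) {
                debug_log("CONTACTS");
                $contacts = ldapSyncGroupMembers($ldap_conn, $CONFIG["ldap_customer_group"], $filter, $attributesToGet, "No contact group found in LDAP");

                $sit_db_contacts = array();
                $sql = "SELECT id, username, active FROM `{$GLOBALS['dbContacts']}` WHERE contact_source = 'ldap'";
                $result = mysql_query($sql);
                if (mysql_error()) {
                    trigger_error("MySQL Query Error" . mysql_error(), E_USER_WARNING);
                }
                if ($result && mysql_num_rows($result) > 0) {
                    while ($obj = mysql_fetch_object($result)) {
                        $c = new Contact();
                        $c->id = $obj->id;
                        $c->username = $obj->username;
                        // NOTE(review): the 'active' column is held in ->status here but the
                        // re-enable path below writes ->active — confirm which property Contact::edit() saves
                        $c->status = $obj->active;
                        $sit_db_contacts[$c->username] = $c;
                    }
                }

                foreach ($contacts as $c) {
                    $e = ldap_getDetails($c, FALSE, $ldap_conn);
                    if (!$e) {
                        debug_log("Failed to get details for {$c}");
                        continue;
                    }
                    $contact_attributes = ldap_get_attributes($ldap_conn, $e);
                    $contactname = $contact_attributes[$userAttr][0];
                    $dbContact = isset($sit_db_contacts[$contactname]) ? $sit_db_contacts[$contactname] : NULL;

                    // Directory supports disabling: reconcile, for contacts we have a row for
                    if ($disabledAttr != '' && $dbContact !== NULL) {
                        $hasDisabledAttr = !empty($contact_attributes[$disabledAttr]);
                        $disabledInLdap = $hasDisabledAttr && strtolower($contact_attributes[$disabledAttr][0]) == $disabledValue;
                        if ($dbContact->status == 'false') {
                            // Contact disabled in SiT, check if it needs re-enabling
                            if ($hasDisabledAttr && !$disabledInLdap) {
                                $dbContact->active = 'true';
                                $dbContact->edit();
                            }
                        } elseif ($disabledInLdap) {
                            // Contact not disabled in SiT though the attribute says it should be
                            $dbContact->disable();
                        }
                    }

                    $contactid = 0;
                    if ($dbContact !== NULL) {
                        $contactid = $dbContact->id;
                        unset($sit_db_contacts[$contactname]);
                    }
                    if (!ldap_storeDetails('', $contactid, FALSE, TRUE, $ldap_conn, $contact_attributes)) {
                        trigger_error("Failed to store details for contactid {$contactid}", E_USER_WARNING);
                        $success = FALSE;
                    }
                }

                // Disable contacts we no longer know about
                // TODO reassign incidents?
                foreach ($sit_db_contacts as $c) {
                    debug_log("Disabling {$c->username}", TRUE);
                    $c->disable();
                }
            }
        }
    } else {
        // LDAP not in use: nothing to sync, so report success
        $success = TRUE;
    }
    return $success;
}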