/** * Authenticate against a different PostgreSQL database which contains a usr table in * the AWL format. * * Use this as in the following example config snippet: * * require_once('auth-functions.php'); * $c->authenticate_hook = array( * 'call' => 'AuthExternalAwl', * 'config' => array( * // A PgSQL database connection string for the database containing user records * 'connection[]' => 'dbname=wrms host=otherhost port=5433 user=general', * // Which columns should be fetched from the database * 'columns' => "user_no, active, email_ok, joined, last_update AS updated, last_used, username, password, fullname, email", * // a WHERE clause to limit the records returned. * 'where' => "active AND org_code=7" * ) * ); * */ function AuthExternalAWL($username, $password) { global $c; $persistent = isset($c->authenticate_hook['config']['use_persistent']) && $c->authenticate_hook['config']['use_persistent']; if (isset($c->authenticate_hook['config']['columns'])) { $cols = $c->authenticate_hook['config']['columns']; } else { $cols = '*'; } if (isset($c->authenticate_hook['config']['where'])) { $andwhere = ' AND ' . $c->authenticate_hook['config']['where']; } else { $andwhere = ''; } $qry = new AwlQuery('SELECT ' . $cols . ' FROM usr WHERE lower(username) = :username ' . $andwhere, array(':username' => strtolower($username))); $authconn = $qry->SetConnection($c->authenticate_hook['config']['connection'], $persistent ? array(PDO::ATTR_PERSISTENT => true) : null); if (!$authconn) { echo <<<EOERRMSG <html><head><title>Database Connection Failure</title></head><body> <h1>Database Error</h1> <h3>Could not connect to PostgreSQL database</h3> </body> </html> EOERRMSG; @ob_flush(); exit(1); } if ($qry->Exec('Login', __LINE__, __FILE__) && $qry->rows() == 1) { $usr = $qry->Fetch(); if (session_validate_password($password, $usr->password)) { $principal = new Principal('username', $username); if ($principal->Exists()) { if ($principal->modified <= $usr->updated) { $principal->Update($usr); } } else { $principal->Create($usr); CreateHomeCollections($username); } /** * We disallow login by inactive users _after_ we have updated the local copy */ if (isset($usr->active) && $usr->active == 'f') { return false; } return $principal; } } return false; }
/** * sync LDAP Groups against the DB */ function sync_LDAP_groups() { global $c; $ldapDriver = getStaticLdap(); if (!$ldapDriver->valid) { return; } $mapping = $c->authenticate_hook['config']['group_mapping_field']; //$attributes = array('cn','modifyTimestamp','memberUid'); $attributes = array_values_mapping($mapping); $ldap_groups_tmp = $ldapDriver->getAllGroups($attributes); if (sizeof($ldap_groups_tmp) == 0) { return; } $member_field = $mapping['members']; foreach ($ldap_groups_tmp as $key => $ldap_group) { $group_mapping = $ldap_group[$mapping['username']]; $ldap_groups_info[$group_mapping] = $ldap_group; if (is_array($ldap_groups_info[$group_mapping][$member_field])) { unset($ldap_groups_info[$group_mapping][$member_field]['count']); } else { $ldap_groups_info[$group_mapping][$member_field] = array($ldap_groups_info[$group_mapping][$member_field]); } unset($ldap_groups_tmp[$key]); } $db_groups = array(); $db_group_members = array(); $qry = new AwlQuery("SELECT g.username AS group_name, member.username AS member_name FROM dav_principal g LEFT JOIN group_member ON (g.principal_id=group_member.group_id) LEFT JOIN dav_principal member ON (member.principal_id=group_member.member_id) WHERE g.type_id = 3"); $qry->Exec('sync_LDAP', __LINE__, __FILE__); while ($db_group = $qry->Fetch()) { $db_groups[$db_group->group_name] = $db_group->group_name; $db_group_members[$db_group->group_name][] = $db_group->member_name; } $ldap_groups = array_keys($ldap_groups_info); // users only in ldap $groups_to_create = array_diff($ldap_groups, $db_groups); // users only in db $groups_to_deactivate = array_diff($db_groups, $ldap_groups); // users present in ldap and in the db $groups_to_update = array_intersect($db_groups, $ldap_groups); if (sizeof($groups_to_create)) { $c->messages[] = sprintf(i18n('- creating groups : %s'), join(', ', $groups_to_create)); $validUserFields = get_fields('usr'); foreach ($groups_to_create as $k => $group) { $user = (object) array(); if (isset($c->authenticate_hook['config']['default_value']) && is_array($c->authenticate_hook['config']['default_value'])) { foreach ($c->authenticate_hook['config']['default_value'] as $field => $value) { if (isset($validUserFields[$field])) { $user->{$field} = $value; dbg_error_log("LDAP", "Setting usr->%s to %s from configured defaults", $field, $value); } } } $user->user_no = 0; $ldap_values = $ldap_groups_info[$group]; foreach ($mapping as $field => $value) { dbg_error_log("LDAP", "Considering copying %s", $field); if (isset($validUserFields[$field])) { $user->{$field} = $ldap_values[$value]; dbg_error_log("LDAP", "Setting usr->%s to %s from LDAP field %s", $field, $ldap_values[$value], $value); } } if ($user->fullname == "") { $user->fullname = $group; } if ($user->displayname == "") { $user->displayname = $group; } $user->username = $group; $user->updated = "now"; /** @todo Use the 'updated' timestamp from LDAP for groups too */ $principal = new Principal('username', $group); if ($principal->Exists()) { $principal->Update($user); } else { $principal->Create($user); } $qry = new AwlQuery("UPDATE dav_principal set type_id = 3 WHERE username=:group ", array(':group' => $group)); $qry->Exec('sync_LDAP', __LINE__, __FILE__); Principal::cacheDelete('username', $group); $c->messages[] = sprintf(i18n('- adding users %s to group : %s'), join(',', $ldap_groups_info[$group][$mapping['members']]), $group); foreach ($ldap_groups_info[$group][$mapping['members']] as $member) { $qry = new AwlQuery("INSERT INTO group_member SELECT g.principal_id AS group_id,u.principal_id AS member_id FROM dav_principal g, dav_principal u WHERE g.username=:group AND u.username=:member;", array(':group' => $group, ':member' => $member)); $qry->Exec('sync_LDAP_groups', __LINE__, __FILE__); Principal::cacheDelete('username', $member); } } } if (sizeof($groups_to_update)) { $c->messages[] = sprintf(i18n('- updating groups : %s'), join(', ', $groups_to_update)); foreach ($groups_to_update as $group) { $db_members = array_values($db_group_members[$group]); $ldap_members = array_values($ldap_groups_info[$group][$member_field]); $add_users = array_diff($ldap_members, $db_members); if (sizeof($add_users)) { $c->messages[] = sprintf(i18n('- adding %s to group : %s'), join(', ', $add_users), $group); foreach ($add_users as $member) { $qry = new AwlQuery("INSERT INTO group_member SELECT g.principal_id AS group_id,u.principal_id AS member_id FROM dav_principal g, dav_principal u WHERE g.username=:group AND u.username=:member", array(':group' => $group, ':member' => $member)); $qry->Exec('sync_LDAP_groups', __LINE__, __FILE__); Principal::cacheDelete('username', $member); } } $remove_users = @array_flip(@array_flip(array_diff($db_members, $ldap_members))); if (sizeof($remove_users)) { $c->messages[] = sprintf(i18n('- removing %s from group : %s'), join(', ', $remove_users), $group); foreach ($remove_users as $member) { $qry = new AwlQuery("DELETE FROM group_member USING dav_principal g,dav_principal m WHERE group_id=g.principal_id AND member_id=m.principal_id AND g.username=:group AND m.username=:member", array(':group' => $group, ':member' => $member)); $qry->Exec('sync_LDAP_groups', __LINE__, __FILE__); Principal::cacheDelete('username', $member); } } } } if (sizeof($groups_to_deactivate)) { $c->messages[] = sprintf(i18n('- deactivate groups : %s'), join(', ', $groups_to_deactivate)); foreach ($groups_to_deactivate as $group) { $qry = new AwlQuery('UPDATE dav_principal SET user_active=FALSE WHERE username=:group AND type_id = 3', array(':group' => $group)); $qry->Exec('sync_LDAP', __LINE__, __FILE__); Principal::cacheFlush('username=:group AND type_id = 3', array(':group' => $group)); } } }