diff options
Diffstat (limited to 'mayor-orig/www/include/backend')
44 files changed, 7811 insertions, 0 deletions
diff --git a/mayor-orig/www/include/backend/ads/auth/login.php b/mayor-orig/www/include/backend/ads/auth/login.php new file mode 100644 index 00000000..59cbf3e5 --- /dev/null +++ b/mayor-orig/www/include/backend/ads/auth/login.php @@ -0,0 +1,358 @@ +<?php +/* + Auth-ADS + + A név-jelszó pár ellenőrzése Active Directory adatbázis alapján +*/ + +/* -------------------------------------------------------------- + + Felhasználók azonosítása az AD-ban tárolt person (konfigurálható) + osztályok alapján történik. + + A függvény az előre definiált _AUTH_SUCCESS, _AUTH_EXPIRED, _AUTH_FAILURE + konstansok valamelyikével tér vissza. (include/modules/auth/base/config.php) + + Sikeres hitelesítés esetén + az egyéb account információkat (minimálisan a 'cn', azaz 'common name' + attribútumot) a cím szerint átadott $accountInformation tömbbe helyezi el. + + Sikertelen azonosítás esetén a globális $_SESSION['alert'] változóban jelzi az + elutasítás okát. + +-------------------------------------------------------------- */ + +###################################################################### +# Az LDAP protocol version 3 kötelező, +# referals=0 nélkül használhatatlanul lassú +###################################################################### + + ldap_set_option(NULL, LDAP_OPT_PROTOCOL_VERSION, 3); + ldap_set_option(NULL, LDAP_OPT_REFERRALS, 0); + + /** + * A userAccountControl pár fontos flag-e: + * + * Forrás: http://msdn.microsoft.com/en-us/library/windows/desktop/ms680832%28v=vs.85%29.aspx + * + * 512 Enabled Account + * 514 Disabled Account + * 544 Enabled, Password Not Required + * 546 Disabled, Password Not Required + * 66048 Enabled, Password Doesn't Expire + * 66050 Disabled, Password Doesn't Expire + * 66080 Enabled, Password Doesn't Expire & Not Required + * 66082 Disabled, Password Doesn't Expire & Not Required + * 590336 Enabled, User Cannot Change Password, Password Never Expires + * + * Ha pwdLastSet=0 és UF_DONT_EXPIRE_PASSWD=0, akkor következő bejelentkezéskor jelszót _kell_ változtatni. + **/ + define('ADS_UF_ACCOUNTDISABLE',0x00000002); // The user account is disabled. + define('ADS_UF_PASSWD_NOTREQD',0x00000020); // No password is required. + define('ADS_UF_PASSWD_CANT_CHANGE',0x00000040); // The user cannot change the password. + define('ADS_UF_ENCRYPTED_TEXT_PASSWORD_ALLOWED',0x00000080); // The user can send an encrypted password. + define('ADS_UF_NORMAL_ACCOUNT',0x00000200); // This is a default account type that represents a typical user. + define('ADS_UF_DONT_EXPIRE_PASSWD',0x00010000); // The password for this account will never expire. + define('ADS_UF_PASSWORD_EXPIRED',0x00800000); // The user password has expired. + + /** + * Ha az accountExpires = 0 or 0x7FFFFFFFFFFFFFFF (9223372036854775807), akkor az account sose jár le. (nem a jelszó! az account.) + **/ + define('ADS_ACCOUNTEXPIRES_NEVER','9223372036854775807'); + + /** + * Forrás: http://msdn.microsoft.com/en-us/library/windows/desktop/ms724284%28v=VS.85%29.aspx + * - unixDays - Az eltelt napok száma 1970-01-01-től + * - unixTimestamp - Az eltelt másodpercek száma 1970-01-01 00:00:00-től + * - msFileTime - A 1601-01-01 00:00:00-tól elteltt 100 nanosecundum-os intervallumok száma (1/10000000 sec) + **/ + function msFileTime2unixDays($pwdLastSet) { + return floor((($pwdLastSet / 10000000) - 11644406783) / 86400); + } + function msFileTime2unixTimestamp($pwdLastSet) { + return bcsub(bcdiv($pwdLastSet, '10000000'), '11644473600'); + } + + function getAccountStatus($userAccount, $toPolicy, $userinfo, $ds) { + + /** + * Meghatározza a felhasználói jelszó lejárati dátumát és az account egyéb fontos jellemzőit + * + * @params: $userAccount - a lekérdezendő account + * @params: $userinfo - A user adatait tartalmazó korábbi LDAP lekérdezés eredménye (useraccountcontrol, pwdlastchange) + * @params: $ds - LDAP csatlakozás azonosító + * @requires: bcmath http://www.php.net/manual/en/book.bc.php + * MSDN: http://msdn.microsoft.com/en-us/library/ms974598.aspx - a pwdLastSet 64 bites integer + * @return: array + * @param book $isGUID Is the username passed a GUID or a samAccountName + **/ + global $AUTH; + + if ($toPolicy == '') $toPolicy = _POLICY; + if (!function_exists('bcmod')) { + $_SESSION['alert'][] = 'message:system_error:Nem támogatott függvényhívás [bcmod]! http://www.php.net/manual/en/book.bc.php'; + return false; + }; + + if (!$ds) { + $closeLDAP = true; + // Csatlakozzunk az LDAP kiszolgálóhoz! + // Kapcsolódás a szerverhez + $ds = ldap_connect($AUTH[$toPolicy]['adsHostname']); + if (!$ds) { + $_SESSION['alert'][] = 'alert:ldap_connect_failure'; + return false; + } + + // Csatlakozás a szerverhez + $r = @ldap_bind($ds,$AUTH[$toPolicy]['adsUser'],$AUTH[$toPolicy]['adsPw']); + if (!$r) { + $_SESSION['alert'][] = 'message:ldap_bind_failure'; + return false; + } + } + + if (!is_array($userinfo)) { + // Kérdezzük le az account adatait! + $filter="(&(sAMAccountName=$userAccount)(objectClass=".$AUTH[$toPolicy]['adsUserObjectClass']."))"; + $justthese = array("sn","cn",$AUTH[$toPolicy]['adsStudyIdAttr'],"shadowexpire","shadowwarning","shadowinactive","shadowlastchange","shadowmax","pwdlastset","accountexpires","useraccountcontrol"); + $sr = ldap_search($ds, $AUTH[$toPolicy]['adsBaseDn'], $filter, $justthese); + if (!$sr) { + $_SESSION['alert'][] = "message:ldap_search_failure"; + if ($closeLDAP) ldap_close($ds); + return false; + } + $userinfo = ldap_get_entries($ds,$sr); + if ( $userinfo['count'] === 0 || is_null($userinfo)) { // http://bugs.php.net/50185 ha nincs megfelelő elem, akkor - hibásan - null-al tér vissza! (~ PHP 5.2.10) + // Nincs ilyen userAccount (uid) + $_SESSION['alert'][] = "message:no_account:$userAccount"; + if ($closeLDAP) ldap_close($ds); + return false; + } + if ( $userinfo['count'] > 1 ) { + // Több ilyen uid is van + $_SESSION['alert'][] = "message:multi_uid"; + if ($closeLDAP) ldap_close($ds); + return false; + } + } + $pwdlastset = $userinfo[0]['pwdlastset'][0]; + $userAccountControl = $userinfo[0]['useraccountcontrol'][0]; + + $status = array(); + + $status['pwdLastSet'] = $pwdlastset; + $status['pwdLastSetDt'] = date('Y-m-d H:i:s',msFileTime2unixTimestamp($pwdlastset)); + $status['accountExpires'] = $userinfo[0]['accountexpires'][0]; + $status['accountNeverExpires'] = (ADS_ACCOUNTEXPIRES_NEVER==$userinfo[0]['accountexpires'][0]) || ($userinfo[0]['accountexpires'][0] == 0); + if (!$status['accountNeverExpires']) { + $status['accountExpiresDt'] = date('Y-m-d H:i:s',msFileTime2unixTimestamp($userinfo[0]['accountexpires'][0])); + $status['accountExpiresTimestamp'] = msFileTime2unixTimestamp($userinfo[0]['accountexpires'][0]); + } + $status['accountDisabled'] = (bool)($userAccountControl & ADS_UF_ACCOUNTDISABLE); + $status['noPasswordRequired'] = (bool)($userAccountControl & ADS_UF_PASSWD_NOTREQD); + $status['cannotChangePassword'] = (bool)($userAccountControl & ADS_UF_PASSWD_CANT_CHANGE); + $status['normalAccount'] = (bool)($userAccountControl & ADS_UF_NORMAL_ACCOUNT); + $status['passwordNeverExpire'] = (bool)($userAccountControl & ADS_UF_DONT_EXPIRE_PASSWD); + $status['passwordExpired'] = (bool)($userAccountControl & ADS_UF_PASSWORD_EXPIRED); // Ez mintha nem működne... + $status['mustChangePassword'] = ($pwdlastset === '0' && $status['passwordNeverExpire']); + + // A jelszó lejárati dátum az AD-ben két értékből számítható ki: + // - A felhasználó saját pwdLastSet atribútuma: ez tárolja a jelszó utolsó módosításának időpontját + // - A tartomány maxPwdAge atribútuma: milyen hosszú ideig lehet érvényes a jelszó a tartományban + // + // A Microsoft persze saját kiindulási időpontot és lépési egységet használ az idő tárolására. + // Ez a függvény konvertálja ezt az értéket Unix időbélyeggé + + // Kérdezzük le a tartomány maxPwdAge attribútumát! + $sr = ldap_read($ds, $AUTH[$toPolicy]['adsBaseDn'], 'objectclass=domain', array('maxPwdAge')); + if (!$sr) { + $_SESSION['alert'][] = "message:ldap_search_failure:getAccountStatus (ads backend)"; + if ($closeLDAP) ldap_close($ds); + return false; + } + $info = ldap_get_entries($ds, $sr); + $maxpwdage = $info[0]['maxpwdage'][0]; + + // Lásd MSDN: http://msdn.microsoft.com/en-us/library/ms974598.aspx + // + // pwdLastSet tartalmazza az 1601 (UTC) január 1 óta eltelt 100 nanoszekundumos időintervallumok számát + // 64 bit-es integer típusú értékként + // + // Ettől az időponttól a Unix időszámítás kezdetéig eltelt másodpercek száma 11644473600. + // + // maxPwdAge szintén large integer, ami a jelszóváltoztatás és a jelszó lejárat közötti 100 nanoszekundumos időintervallumok számát tárolja + + $status['maxPwdAgeInDays'] = bcdiv(bcsub(0,$maxpwdage),'36000000000')/24; + + // Ezt az étéket át kell váltanunk másodpercekre, de ez egy negatív mennyiség! + // + // Ha a maxPwdAge alsó 32 bites része 0, akkor a jelszavak nem járnak le + // + // Sajnos ezek a számok túl nagyok a PHP integer típusához, ezért kell a BCMath függvényeit használnunk + + $status['passwordsDoNotExpireInDomain'] = (bcmod($maxpwdage, 4294967296) === '0'); + + // Adjuk össze a pwdlastset és maxpwdage értékeket (pontosabban az utóbbi negatív értéket + // vonjuk ki az előbbiből), így megkapjuk a jelszó lejáratának időpontját a Microsoft féle + // egységekben. + $pwdexpire = bcsub($pwdlastset, $maxpwdage); + + // Konvertáljuk az MS féle időt unix időre + $status['expiryTimestamp'] = bcsub(bcdiv($pwdexpire, '10000000'), '11644473600'); + $status['expiryDate'] = date('Y-m-d H:i:s', bcsub(bcdiv($pwdexpire, '10000000'), '11644473600')); + + if ($closeLDAP) ldap_close($ds); + + $status['userAccount'] = $userAccount; + $status['usetAccountControl'] = $userAccountControl; + $status['shadowLastChange'] = $userinfo[0]['shadowlastchange'][0]; + $status['shadowWarning'] = $userinfo[0]['shadowwarning'][0]; + $status['shadowInactive'] = $userinfo[0]['shadowinactive'][0]; + return array_merge($status); + + + } + + function adsUserAuthentication($userAccount, $userPassword, &$accountInformation, $toPolicy) { + + global $AUTH; + + if ($toPolicy == '') { + if ($accountInformation['policy'] != '') $toPolicy = $accountInformation['policy']; +// elseif ($_REQUEST['toPolicy'] != '') $toPolicy = $_REQUEST['toPolicy']; + else $toPolicy = _POLICY; + } + + // Kapcsolódás a szerverhez + $ds = ldap_connect($AUTH[$toPolicy]['adsHostname']); + if (!$ds) { + $_SESSION['alert'][] = 'alert:ldap_connect_failure'; + return _AUTH_FAILURE; + } + + // Csatlakozás a szerverhez + $r = @ldap_bind($ds,$AUTH[$toPolicy]['adsUser'],$AUTH[$toPolicy]['adsPw']); + if (!$r) { + $_SESSION['alert'][] = 'message:ldap_bind_failure'; + return _AUTH_FAILURE; + } + + // Van-e adott azonosítójú felhasználó? + $filter="(&(sAMAccountName=$userAccount)(objectClass=".$AUTH[$toPolicy]['adsUserObjectClass']."))"; + $justthese = array("sn","cn",$AUTH[$toPolicy]['adsStudyIdAttr'],"shadowexpire","shadowwarning","shadowinactive","shadowlastchange","shadowmax","pwdlastset","accountexpires","useraccountcontrol"); + $sr = ldap_search($ds, $AUTH[$toPolicy]['adsBaseDn'], $filter, $justthese); + if (!$sr) { + $_SESSION['alert'][] = "message:ldap_search_failure"; + ldap_close($ds); + return _AUTH_FAILURE; + } + $info = ldap_get_entries($ds,$sr); + if ( $info['count'] === 0 || is_null($info)) { // http://bugs.php.net/50185 ha nincs megfelelő elem, akkor - hibásan - null-al tér vissza! (~ PHP 5.2.10) + // Nincs ilyen userAccount (uid) + $_SESSION['alert'][] = "message:no_account:$userAccount"; + ldap_close($ds); + return _AUTH_FAILURE_1; + } + + if ( $info['count'] > 1 ) { + // Több ilyen uid is van + $_SESSION['alert'][] = "message:multi_uid"; + ldap_close($ds); + return _AUTH_FAILURE_2; + } + + if ($info['count']==1) { // Van - egy - ilyen felhasználó + + $status = getAccountStatus($userAccount, $toPolicy, $info, $ds); + // Lejárt-e + // A lejárat ideje a shadowExpire és shadowLastChange+shadowMax kötül a kisebbik + // Esetünkben + if ($info[0]['pwdlastset'][0] != '') { // A pwdLastSet és shadowLastChange közül a kisebbiket használjuk + $info[0]['shadowlastchange'][0] = msFileTime2unixDays($info[0]['pwdlastset'][0]); + } + + // A globális beállítással kikényszeríthető a nagyobb warning időszak + $shadowWarning = ($status['shadowWarning']<$AUTH[$toPolicy]['shadowWarning']) ? $AUTH[$toPolicy]['shadowWarning'] : $status['shadowWarning']; + + + $disabled = ( // Ha az jelszavak lejárhatnak a domain-ben és a user jellszava is lejárhat és le is járt... + !$status['passwordNeverExpire'] + && !$status['passwordsDoNotExpireInDomain'] + && $status['expiryTimestamp'] < time() + ) || ( // vagy az account lejárhat és le is járt + !$status['accountNeverExpires'] + && $status['accountExpiresTimestamp']<time() + ); // Akkor már nem lehet belépni/jelszót változtatni... + $expired = ( // Ha a jelszavak lejárhatnak és a user jelszava is lejárhat, és shadowwarning-on belül le fog járni a jelszó + !$status['passwordNeverExpire'] + && !$status['passwordsDoNotExpireInDomain'] + && $status['expiryTimestamp'] - ($shadowWarning*24*60*60) < time() + ) || ( // Ha az account lejárhat és shadow warning-on belül le is fog járni az account + !$status['accountNeverExpires'] + && $status['accountExpiresTimestamp'] - ($shadowWarning*24*60*60) < time() + ); // ... + + /** + * Más backend-ben csak $AUTH[$toPolicy]['onDisabled'] == 'refuse' esetén utasítanánk el, de itt nincs más lehetőség... + **/ + if ($disabled) { + $_SESSION['alert'][] = 'message:account_disabled'; + ldap_close($ds); + return _AUTH_FAILURE_4; + } + + $accountInformation['cn'] = $info[0]['cn'][0]; + $accountInformation['studyId'] = $info[0][ $AUTH[$toPolicy]['adsStudyIdAttr'] ][0]; + $accountInformation['dn'] = $info[0]['dn']; + $accountInformation['account'] = $userAccount; + // Jelszó ellenőrzés - lehet-e csatlakozni + if (!@ldap_bind($ds, $accountInformation['dn'], $userPassword)) { + $_SESSION['alert'][] = 'message:bad_pw'; + return _AUTH_FAILURE_3; + } + + ldap_close($ds); + if (!$expired || $AUTH[$toPolicy]['onExpired'] == 'none') { + return _AUTH_SUCCESS; + } else { + $pwLejar = floor(($status['expiryTimestamp'] - time()) / 86400); + $_SESSION['alert'][] = 'info:account_warning:'.$pwLejar; + $_SESSION['alert'][] = 'info:warn_account_disable:'.$pwLejar; // más backend esetén csak onDisable=refuse esetén szoktuk... + if ($AUTH[$toPolicy]['onExpired'] == 'warning') { + return _AUTH_SUCCESS; + } elseif ($AUTH[$toPolicy]['onExpired'] == 'force update') { + return _AUTH_EXPIRED; + } else { + return _AUTH_FAILURE; + } + } + +/* + // Lejárt-e az azonosító + if ($AUTH[$toPolicy]['onExpired'] != 'none' && isset($expireTimestamp)) { // onExpired: none | warning | force update + // Lejárt-e + $pwLejar = $expireTimestamp - floor(time()/(60*60*24)); + if (0 < $pwLejar && $pwLejar < $info[0]['shadowwarning'][0]) { + $_SESSION['alert'][] = 'info:account_warning:'.$pwLejar; + return _AUTH_SUCCESS; + } elseif ($pwLejar <= 0) { + $_SESSION['alert'][] = 'info:account_expired:'.abs($pwLejar); + if ($AUTH[$toPolicy]['onDisabled'] == 'refuse') $_SESSION['alert'][] = 'info:warn_account_disable:'.($info[0]['shadowinactive'][0]+$pwLejar); + if ($AUTH[$toPolicy]['onExpired'] == 'warning') { + return _AUTH_SUCCESS; + } elseif ($AUTH[$toPolicy]['onExpired'] == 'force update') { + return _AUTH_EXPIRED; + } else { + return _AUTH_FAILURE; + } + } + } // onExpired + // Ha idáig eljut, akkor minden rendben. + return _AUTH_SUCCESS; +*/ + } // count == 1 + + } + +?> diff --git a/mayor-orig/www/include/backend/ads/base/attrs.php b/mayor-orig/www/include/backend/ads/base/attrs.php new file mode 100644 index 00000000..e01aa00c --- /dev/null +++ b/mayor-orig/www/include/backend/ads/base/attrs.php @@ -0,0 +1,160 @@ +<?php +/* + Module: useradmin +*/ + + if (file_exists('lang/'._LANG.'/backend/ads/attrs.php')) { + require('lang/'._LANG.'/backend/ads/attrs.php'); + } elseif (file_exists('lang/'._DEFAULT_LANG.'/backend/ads/attrs.php')) { + require('lang/'._DEFAULT_LANG.'/backend/ads/attrs.php'); + } + +###################################################### +# Alapértelmezett jogosultságok +# +# w - Írható/olvasható +# r - olvasható +# - - egyik sem +# +# Három karakter: admin, self, other jogai +###################################################### + + define('_DEFAULT_ADS_RIGHTS','wr-'); + +###################################################### +# Az LDAP account attribútumok +###################################################### + + global $adsAccountAttrs; + $adsAccountAttrs = array( + 'cn', + 'sn', + 'serialnumber', + 'givenname', + 'displayname', + 'name', + 'padpwdcount', + 'badpasswordtime', + 'lastlogon', + 'pwdlastset', // ~ shadowLastChane + 'accountexpires', // != shadowExpired - henme mi? 1601.01.01-től (60*60*24*1000*1000*10)*napok száma + 'samaccountname', + 'userprincipalname', + 'useraccountcontrol', + 'objectcategory', + 'uid', + 'mssfu30name', + 'uidnumber', + 'gidnumber', + 'unixhomedirectory', + 'loginshell', + + 'shadowlastchange', + 'shadowexpire', + 'shadowwarning', + 'shadowmin', + 'shadowmax', + 'shadowinactive', + +/* + 'gecos', + 'mail', + 'telephonenumber', + 'mobile', + 'l', + 'street', + 'postaladdress', + 'postalcode', + 'homedirectory', +*/ + ); + + global $adsGroupAttrs; + $adsGroupAttrs = array( + 'cn', + 'description', + 'member', + 'name', + 'samaccountname', + 'objectcategory', + 'gidnumber', // ennek kellene lennie - mitől lesz? +/* 'memberuid' */ + ); + + global $accountAttrToADS; // Kis és nagybetű számít!!! + $accountAttrToADS = array( + 'userAccount' => 'sAMAccountName', + 'userCn' => 'displayName', + 'mail' => 'mail', + 'studyId' => 'serialNumber', // Ez konfig-ban külön van állítva, az itteni érték irreleváns + 'shadowLastChange' => 'shadowLastChange', + 'shadowWarning' => 'shadowWarning', + 'shadowMin' => 'shadowMin', + 'shadowMax' => 'shadowMax', + 'shadowExpire' => 'shadowExpire', + 'shadowInactive' => 'shadowInactive', + ); + + global $groupAttrToADS; + $groupAttrToADS = array( + 'groupCn' => 'cn', + 'groupDesc' => 'description', + 'member' => 'member', + ); + + global $adsAccountAttrDef; + $adsAccountAttrDef = array( + 'dn' => array('desc' => _ADSDN, 'type' => 'text', 'rights' => 'rrr'), + 'cn' => array('desc' => _ADSCN, 'type' => 'text', 'rights' => 'rrr'), + 'sn' => array('desc' => _ADSSN, 'type' => 'text', 'rights' => 'wrr'), + 'givenname' => array('desc' => _ADSGIVENNAME, 'type' => 'text'), + 'serialnumber' => array('desc' => _ADSSERIALNUMBER, 'type' => 'int', 'rights' => 'wrr'), + 'displayname' => array('desc' => _ADSCN, 'type' => 'text', 'rights' => 'wrr'), + 'name' => array('desc' => _ADSNAME, 'type' => 'text', 'rights' => 'r--'), + 'padpwdcount' => array('desc' => _ADSBADPWDCOUNT, 'type' => 'int', 'rights' => 'wrr'), + 'badpasswordtime' => array('desc' => _ADSBADPASSWORDTIME, 'type' => 'int', 'rights' => 'r--'), + 'lastlogon' => array('desc' => _ADSLASTLOGON, 'type' => 'int', 'rights' => 'r--'), + 'pwdlastset' => array('desc' => _ADSPWDLASTSET, 'type' => 'int', 'rights' => 'r--'), + 'accountexpires' => array('desc' => _ADSACCOUNTEXPIRES, 'type' => 'int', 'rights' => 'wrr'), + 'samaccountname' => array('desc' => _ADSSAMACCOUNTNAME, 'type' => 'text', 'rights' => 'wrr'), + 'useraccountcontrol' => array('desc' => _USERACCOUNTCONTROL, 'type' => 'text', 'rights' => 'wrr'), + 'userprincipalname' => array('desc' => _ADSUSERPRINCIPALNAME, 'type' => 'text', 'rights' => 'wrr'), + 'objectcategory' => array('desc' => _ADSOBJECTCATEGORY, 'type' => 'text', 'rights' => 'r--'), + 'uid' => array('desc' => _ADSUID, 'type' => 'text', 'rights' => 'rrr'), + 'uidnumber' => array('desc' => _ADSUIDNUMBER, 'type' => 'int', 'rights' => 'w--'), + 'gidnumber' => array('desc' => _ADSGIDNUMBER, 'type' => 'int', 'rights' => 'w--'), + 'mssfu30name' => array('desc' => _ADSUID, 'type' => 'text', 'rights' => 'r--'), + 'unixhomedirectory' => array('desc' => _ADSUNIXHOMEDIRECTORY, 'type' => 'text', 'rights' => 'wrr'), + 'loginshell' => array('desc' => _ADSLOGINSHELL, 'type' => 'text', 'rights' => 'wrr'), + 'shadowlastchange' => array('desc' => _ADSSHADOWLASTCHANGE, 'type' => 'text', 'rights' => 'wrr'), + 'shadowexpire' => array('desc' => _ADSSHADOWEXPIRE, 'type' => 'text', 'rights' => 'wrr'), + 'shadowwarning' => array('desc' => _ADSSHADOWWARNING, 'type' => 'text', 'rights' => 'wrr'), + 'shadowmin' => array('desc' => _ADSSHADOWMIN, 'type' => 'text', 'rights' => 'wrr'), + 'shadowmax' => array('desc' => _ADSSHADOWMAX, 'type' => 'text', 'rights' => 'wrr'), + 'shadowinactive' => array('desc' => _ADSSHADOWINACTICE, 'type' => 'text', 'rights' => 'wrr'), +/* + 'gecos' => array('desc' => _ADSGECOS, 'type' => 'text', 'rights' => 'w--'), + 'mail' => array('desc' => _ADSMAIL, 'type' => 'text', 'rights' => 'wwr'), + 'telephonenumber' => array('desc' => _ADSTELEPHONENUMBER, 'type' => 'text', 'rights' => 'ww-'), + 'mobile' => array('desc' => _ADSMOBILE, 'type' => 'text', 'rights' => 'ww-'), + 'l' => array('desc' => _ADSL, 'type' => 'text'), + 'street' => array('desc' => _ADSSTREET, 'type' => 'text'), + 'postaladdress' => array('desc' => _ADSPOSTALADDRESS, 'type' => 'text'), + 'postalcode' => array('desc' => _ADSPOSTALCODE, 'type' => 'text'), +*/ + ); + + global $adsGroupAttrDef; + $adsGroupAttrDef = array( + 'cn' => array('desc' => _ADSCN, 'type' => 'text','rights' => 'rrr'), + 'name' => array('desc' => _ADSNAME, 'type' => 'text','rights' => 'rrr'), + 'samaccountname' => array('desc' => _ADSSAMACCOUNTNAME, 'type' => 'text','rights' => 'wrr'), + 'description' => array('desc' => _ADSDESCRIPTION, 'type' => 'text'), + 'gidnumber' => array('desc' => _ADSGIDNUMBER, 'type' => 'int','rights' => 'w--'), + 'member' => array('desc' => _ADSMEMBER, 'type' => 'select'), + 'objectcategory' => array('desc' => _ADSOBJECTCATEGORY, 'type' => 'text','rights' => 'rrr'), + + 'memberuid' => array('desc' => _ADSMEMBERUID, 'type' => 'select'), + ); + +?> diff --git a/mayor-orig/www/include/backend/ads/password/changePassword.php b/mayor-orig/www/include/backend/ads/password/changePassword.php new file mode 100644 index 00000000..6d686b34 --- /dev/null +++ b/mayor-orig/www/include/backend/ads/password/changePassword.php @@ -0,0 +1,165 @@ +<?php +/* + + Module: base/password + + Active Directory-ban csak ldaps-sel lehet megváltoztatni a jelszót! + Az AD a shadow attribútumokat nem kezeli, helyettük más attribútumokat állít automatikusan. + De azért beállítjuk őket, abból baj nem lehet... + + function changeMyPassword($userAccount, $userPassword, $newPassword, $verification) + A függvény nem vizsgálja, hogy jogosultak vagyunk-e a jelszó megváltoztatására. + Ennek eldöntése a függvényt hívó program feladata +*/ + +############################################################################ +# Jelszó kódolása az Active Directory számára +############################################################################ + +function ADSEncodePassword($password) { + + return mb_convert_encoding("\"".$password."\"", "UTF-16LE", "UTF-8"); + +} + +############################################################################ +# Saját jelszó megváltoztatása +############################################################################ + +/* ************************************************************************* + A leírások szerint a felhasználó maga is megváltoztathatja jelszavát. + Ennek módja az unicodePw attribútum törlése (a régi jelszó értéke szerint), + és felvétele új értékkel - mindenz elvileg egy lépésben. + + A PHP ldap_mod* függvények ezt az egy lépésben kétféle módosítást nem + támogatják. De a helyzet az, hogy a módosítás perl-ből és parancssorból + sem működik... +************************************************************************* */ + +function changeMyPassword($userAccount, $userPassword, $newPassword, $toPolicy = '') { + + global $AUTH; + + if ($toPolicy == '') $toPolicy = $_REQUEST['toPolicy']; + $userDn = ADSuserAccountToDn($userAccount, $toPolicy); + + // Csatlakozzás az AD kiszolgálóhoz (SSL szükséges!) + $ds = ldap_connect($AUTH[$toPolicy]['adsHostname']); + if (!$ds) { + // nem sikerült csatlakozni + $_SESSION['alert'][] = 'message:ldap_failure'; + return false; + } + + // Az eredeti jelszó ellenőrzése - csatlakozással + $b_ok = ldap_bind($ds,$userDn,$userPassword); + if (!$b_ok) { + // Talán a régi jelszót elgépelte, vagy le van tiltva... + $_SESSION['alert'][] = 'message:ldap_bind_failure:'.$userDn.':changeMyPassword - hibás a régi jelszó?'; + ldap_close($ds); + return false; + } + + // A régi és új jelszavak átkódolása + $newUnicodePwd = base64_encode(ADSEncodePassword($newPassword)); + $oldUnicodePwd = base64_encode(ADSEncodePassword($userPassword)); + // A php ldap_mod* függvényei nem tudnak egy lépésben többféle módosítást elküldeni + // ezért a parancssoros ldapmodify-t kell meghívnunk... + $ldif=<<<EOT +dn: $userDn +changetype: modify +delete: unicodePwd +unicodePwd:: $oldUnicodePwd +- +add: unicodePwd +unicodePwd:: $newUnicodePwd +- +EOT; + $cmd = sprintf("/usr/bin/ldapmodify -H %s -D '%s' -x -w %s", $AUTH[$toPolicy]['adsHostname'], $userDn, $userPassword); + // KHM! + if (($fh = popen($cmd, 'w')) === false ) { + // Nem sikerült megnyitni a csatornát - mikor is lehet ilyen? Ha nincs ldapmodify? + $_SESSION['alert'][] = 'message:popen_failure'; + return false; + } + fwrite($fh, "$ldif\n"); + pclose($fh); + + // Sikeres volt-e a jelszóváltoztatás? Próbáljunk újra csatlakozni az új jelszóval! + if (!@ldap_bind($ds, $userDn, $newPassword)) { + $_SESSION['alert'][] = 'message:bad_pw'; + return false; + } + + // Shadow attribútumok beállítása + // Ezekre nincs jogosultsága a felhasználónak, így csak AccountOperator-ként módosítható + // Ráadásul Windoes alatt változtatva a jelszót ezek nem változnak, így nem lehet számítani rájuk... + if (isset($AUTH[$toPolicy]['adsAccountOperatorUser'])) { + $shadowLastChange = floor(time()/(60*60*24)); + $info['shadowLastChange'][0] = $shadowLastChange; + if (isset($AUTH[$toPolicy]['shadowExpire']) and $AUTH[$toPolicy]['shadowExpire'] != '') { + $info['shadowExpire'][0] = $AUTH[$toPolicy]['shadowExpire']; + } elseif (isset($AUTH[$toPolicy]['shadowMax']) and $AUTH[$toPolicy]['shadowMax'] != '') { + $info['shadowExpire'][0] = $shadowLastChange + intval($AUTH[$toPolicy]['shadowMax']); + } + + $b_ok = ldap_bind($ds,$AUTH[$toPolicy]['adsAccountOperatorUser'],$AUTH[$toPolicy]['adsAccountOperatorPw']); + if (!$b_ok) { $_SESSION['alert'][] = 'message:ldap_bind_failure'; return false; } + $r = @ldap_mod_replace($ds, $userDn, $info); + if (!$r) { + $_SESSION['alert'][] = 'message:ldap_modify_failure:changeMyPassword'; + return false; + } + } + ldap_close($ds); + $_SESSION['alert'][] = 'info:pw_change_success'; + return true; + +} + +############################################################################ +# Adminisztrátori jelszó változtatás +############################################################################ + +function changePassword($userAccount, $newPassword, $toPolicy = '') { + + global $AUTH; + + if ($toPolicy == '') $toPolicy = _POLICY; + $userDn = ADSuserAccountToDn($userAccount, $toPolicy); + $shadowLastChange = floor(time()/(60*60*24)); + + $ds = ldap_connect($AUTH[$toPolicy]['adsHostname']); + if ($ds) { + $b_ok = ldap_bind($ds,BACKEND_CONNECT_DN,BACKEND_CONNECT_PASSWORD); + if ($b_ok) { + $info['unicodePwd'][0] = ADSEncodePassword($newPassword); + // Ezekre nincs jogosultsága a felhasználónak, nem változnak: + // _SHADOWMIN, _SHADOWMAX, _SHADOWWARNING, _SHADOWINACTIVE + $info['shadowLastChange'][0] = $shadowLastChange; + if (isset($AUTH[$toPolicy]['shadowExpire']) and $AUTH[$toPolicy]['shadowExpire'] != '') { + $info['shadowExpire'][0] = $AUTH[$toPolicy]['shadowExpire']; + } elseif (isset($AUTH[$toPolicy]['shadowMax']) and $AUTH[$toPolicy]['shadowMax'] != '') { + $info['shadowExpire'][0] = $shadowLastChange + intval($AUTH[$toPolicy]['shadowMax']); + } + $r = @ldap_mod_replace($ds,$userDn,$info); + ldap_close($ds); + if ($r) { + $_SESSION['alert'][] = 'info:pw_change_success'; + return true; + } else { + $_SESSION['alert'][] = 'message:ldap_modify_failure:changePassword'; + return false; + } + } else { + $_SESSION['alert'][] = 'message:ldap_bind_failure:'._USERDN.':changePassword'; + ldap_close($ds); + return false; + } + } else { + $_SESSION['alert'][] = 'message:ldap_failure'; + return false; + } +} + +?> diff --git a/mayor-orig/www/include/backend/ads/session/accountInfo.php b/mayor-orig/www/include/backend/ads/session/accountInfo.php new file mode 100644 index 00000000..eef90fd4 --- /dev/null +++ b/mayor-orig/www/include/backend/ads/session/accountInfo.php @@ -0,0 +1,416 @@ +<?php +/* + Module: base/auth-ads + Backend: ads + + function getADSInfo($userDn, $attrList=array('cn'), $toPolicy = '') + function adsGetAccountInfo($userAccount, $toPolicy = _POLICY) + function adsGetUserInfo($userAccount, $toPolicy = _POLICY) + function adsChangeAccountInfo($userAccount, $toPolicy = _POLICY) + function adsGetGroupInfo($groupCn, $toPolicy = _POLICY) + +*/ + +###################################################### +# getADSInfo - általános ADS lekérdezés +###################################################### + + + function getADSInfo($userDn, $attrList=array('cn'), $toPolicy = _POLICY) { + + global $AUTH; + + // Kapcsolódás az ADS szerverhez + $ds = @ldap_connect($AUTH[$toPolicy]['adsHostname']); + if (!$ds) { + $_SESSION['alert'][] = 'alert:ldap_connect_failure'; + return false; + } + + // Csatlakozás a szerverhez + $r = @ldap_bind($ds, BACKEND_CONNECT_DN,BACKEND_CONNECT_PASSWORD); + if (!$r) { + $_SESSION['alert'][] = 'message:ldap_bind_failure'; + ldap_close($ds); + return false; + } + + // Keresés + $filter = '(objectclass=*)'; + $sr = @ldap_search($ds, $userDn, $filter, $attrList); + if (!$sr) { + $_SESSION['alert'][] = "message:ldap_search_failure:".$userDn; + ldap_close($ds); + return false; + } + + $info = @ldap_get_entries($ds,$sr); + ldap_close($ds); + + return $info; + + } + +########################################################### +# adsGetAccountInfo - felhasználói információk (backend) +########################################################### + + function adsGetAccountInfo($userAccount, $toPolicy = _POLICY) { + + global $backendAttrs, $backendAttrDef; + + if (!isset($backendAttrs)) list($backendAttrs, $backendAttrDef) = getBackendAttrs('Account', $toPolicy); + + $userDn = ADSuserAccountToDn($userAccount, $toPolicy); + + $result = getADSInfo($userDn, $backendAttrs, $toPolicy); + if ($result === false) { + return false; + } else { + + // ADS schema --> mayor schema konverzió + for ($i = 0; $i < $result['count']; $i++) { + // Egységes szerkezetre alakítjuk, azaz a dn is indexelt + foreach ($backendAttrDef as $attr => $def) { + // Egységes szerkezetre alakítjuk, azaz a dn is indexelt + if ($attr == 'dn') $return[$i]['dn'] = array('count' => 1, 0 => $result[$i]['dn']); + elseif (isset($result[$i][$attr])) $return[$i][$attr] = $result[$i][$attr]; + else $return[$i][$attr] = array('count' => 0); + } + } + return $return[0]; + + } + + } + +############################################################# +# adsGetUserInfo - felhasználói információk (keretrendszer) +############################################################# + + function adsGetUserInfo($userAccount, $toPolicy = _POLICY) { + + global $accountAttrToADS, $adsAttrDef; + $userDn = ADSuserAccountToDn($userAccount, $toPolicy); + + $result = getADSInfo($userDn, array_values($accountAttrToADS), $toPolicy); + if ($result === false) { + return false; + } else { + + $result[0]['dn'] = array('count' => 1, 0 => $result[0]['dn']); + // Egységes szerkezetre alakítjuk, azaz a dn is indexelt + ADS --> MaYoR schema + foreach ($accountAttrToADS as $attr => $adsAttr) { + $adsAttr = kisbetus($adsAttr); + if (isset($result[0][$adsAttr])) $return[$attr] = $result[0][$adsAttr]; + else $return[$attr] = array('count' => 0); + } + return $return; + + } + + } + +############################################################### +# adsChangeAccountInfo - felhasználói információk módosítása +############################################################### + + function adsChangeAccountInfo($userAccount, $toPolicy = _POLICY) { + + global $AUTH, $backendAttrs, $backendAttrDef; + $userDn = ADSuserAccountToDn($userAccount, $toPolicy); + + // Kapcsolódás az ADS szerverhez + $ds = @ldap_connect($AUTH[$toPolicy]['adsHostname']); + if (!$ds) { + $_SESSION['alert'][] = 'alert:ldap_connect_failure'; + return false; + } + + // Csatlakozás a szerverhez + $r = @ldap_bind($ds, BACKEND_CONNECT_DN,BACKEND_CONNECT_PASSWORD); + if (!$r) { + $_SESSION['alert'][] = 'message:ldap_bind_failure'; + ldap_close($ds); + return false; + } + + $emptyAttrs = explode(':',$_POST['emptyAttrs']); + $_alert = array(); + + // Attribútumonként módosítunk + foreach ($backendAttrs as $attr) { + + if ($backendAttrDef[$attr]['rights'] == '') $rigths = _DEFAULT_ADS_RIGHTS; + else $rights = $backendAttrDef[$attr]['rights']; + + if ($rights[_ACCESS_AS] == 'w') { + $mod_info = $add_info = $del_info = Array(); + $values = array(); + + if ($backendAttrDef[$attr]['type'] == 'image') { + $file = $_FILES[$attr]['tmp_name']; + if (file_exists($file)) { + $fd = fopen($file,'r'); + $values[0]=fread($fd,filesize($file)); + fclose($fd); + } else { + // Sose töröljük! + $emptyAttrs[] = $attr; + } + } elseif ($backendAttrDef[$attr]['type'] == 'timestamp') { + if ($_POST[$attr][0] != '' and $_POST[$attr][1] != '' and $_POST[$attr][2] != '') { + $values[0] = $_POST[$attr][0].$_POST[$attr][1].$_POST[$attr][2].'010101Z'; + } + } else { + if ($backendAttrDef[$attr]['type'] != '' ) $values[0] = $_POST[$attr]; + } + + if ($backendAttrDef[$attr]['type'] == 'select') { + if ($_POST['new-'.$attr][0] != '') $add_info[$attr] = $_POST['new-'.$attr]; + if ($_POST['del-'.$attr][0] != '') $del_info[$attr] = $_POST['del-'.$attr]; + } elseif (in_array($attr,$emptyAttrs)) { + if ($values[0] != '') $add_info[$attr] = $values; + } else { + if ($values[0] != '') { + $mod_info[$attr] = $values; + } else { + $del_info[$attr] = Array(); + } + } + + if (count($add_info)!=0) { + if (!@ldap_mod_add($ds,$userDn,$add_info)) { + $_alert[] = 'message:insufficient_access:add:'.$attr; + } + } + if (count($mod_info)!=0) { + if (!@$r = ldap_mod_replace($ds,$userDn,$mod_info)) { + $_alert[] = 'message:insufficient_access:mod:'.$attr; + } + } + if (count($del_info)!=0) { + if (!@ldap_mod_del($ds,$userDn,$del_info)) { + $_alert[] = 'message:insufficient_access:del:'.$attr; + } + } + + } else { +// $_alert[] = 'message:insufficient_access:'.$attr; + } + } // foreach + + ldap_close($ds); + if (count($_alert) == 0) $_SESSION['alert'][] = 'info:change_success'; + else for ($i = 0;$i < count($_alert);$i++) $_SESSION['alert'][] = $_alert[$i]; + + } + +########################################################### +# adsGetGroupInfo - csoport információk (backend) +########################################################### + + function adsGetGroupInfo($groupCn, $toPolicy = _POLICY, $SET = array()) { + + global $backendAttrs, $backendAttrDef; + + + if (!isset($backendAttrs)) list($backendAttrs, $backendAttrDef) = getBackendAttrs('Group', $toPolicy); + + $groupDn = ADSgroupCnToDn($groupCn, $toPolicy); + + $result = getADSInfo($groupDn, $backendAttrs, $toPolicy); + if ($result === false) { + return false; + } else { + + // Accountok lekérdezése + $info = getADSaccounts($toPolicy); + for ($i = 0; $i < $info['count']; $i++) { + $accountUid[] = array( + 'value' => $info[$i]['uid'][0], + 'txt' => $info[$i]['displayname'][0] + ); + $accountDn[] = array( + 'value' => $info[$i]['dn'], + 'txt' => $info[$i]['displayname'][0] + ); + $DN2CN[$info[$i]['dn']] = $info[$i]['displayname'][0]; + } + + // ADS schema --> mayor schema konverzió + for ($i = 0; $i < $result['count']; $i++) { + // Egységes szerkezetre alakítjuk, azaz a dn is indexelt + foreach ($backendAttrDef as $attr => $def) { + // Egységes szerkezetre alakítjuk, azaz a dn is indexelt + if ($attr == 'dn') $return[$i]['dn'] = array('count' => 1, 0 => $result[$i]['dn']); + elseif($attr == 'member') { + $_TMP = array(); + for ($j=0; $j<$result[$i][$attr]['count']; $j++) { + $_dn = $result[$i][$attr][$j]; + $_TMP[] = array( + 'type'=>'member', + 'value'=>$_dn, + 'txt'=>($DN2CN[$_dn]==''?str_replace(',',' ',$_dn):$DN2CN[$_dn]) + ); + } + $return[$i][$attr] = $_TMP; + } + + elseif (isset($result[$i][$attr])) $return[$i][$attr] = $result[$i][$attr]; + else $return[$i][$attr] = array('count' => 0); + } + + if ($SET['withNewAccounts']===true) { + $return[$i]['member']['new'] = $accountDn; + $return[$i]['memberuid']['new'] = $accountUid; + } + } + + return $return[0]; + + } + + } + +############################################################### +# adsChangeGroupInfo - csoport információk módosítása +############################################################### + + function adsChangeGroupInfo($groupCn, $toPolicy = _POLICY) { + +// !!!! A memberuid / member szinkronjára nem figyel!! + + global $AUTH, $backendAttrs, $backendAttrDef; + $groupDn = ADSgroupCnToDn($groupCn, $toPolicy); + + // Kapcsolódás az ADS szerverhez + $ds = @ldap_connect($AUTH[$toPolicy]['adsHostname']); + if (!$ds) { + $_SESSION['alert'][] = 'alert:ldap_connect_failure'; + return false; + } + + // Csatlakozás a szerverhez + $r = @ldap_bind($ds, BACKEND_CONNECT_DN,BACKEND_CONNECT_PASSWORD); + + if (!$r) { + $_SESSION['alert'][] = 'message:ldap_bind_failure'; + ldap_close($ds); + return false; + } + + $emptyAttrs = explode(':',$_POST['emptyAttrs']); + $_alert = array(); + + // Attribútumonként módosítunk + foreach ($backendAttrs as $attr) { + + if ($backendAttrDef[$attr]['rights'] == '') $rigths = _DEFAULT_ADS_RIGHTS; + else $rights = $backendAttrDef[$attr]['rights']; + + if ($rights[_ACCESS_AS] == 'w') { + + $mod_info = $add_info = $del_info = Array(); + $values = array(); + + if ($backendAttrDef[$attr]['type'] == 'image') { + $file = $_FILES[$attr]['tmp_name']; + if (file_exists($file)) { + $fd = fopen($file,'r'); + $values[0]=fread($fd,filesize($file)); + fclose($fd); + } else { + // Sose töröljük! + $emptyAttrs[] = $attr; + } + } elseif ($backendAttrDef[$attr]['type'] == 'timestamp') { + if ($_POST[$attr][0] != '' and $_POST[$attr][1] != '' and $_POST[$attr][2] != '') { + $values[0] = $_POST[$attr][0].$_POST[$attr][1].$_POST[$attr][2].'010101Z'; + } + } else { + if ($backendAttrDef[$attr]['type'] != '') + if (isset($_POST[$attr])) $values[0] = $_POST[$attr]; + else $values[0] = ''; + } + + if ($backendAttrDef[$attr]['type'] == 'select') { + if (isset($_POST['new-'.$attr][0]) && $_POST['new-'.$attr][0] != '') $add_info[$attr] = $_POST['new-'.$attr]; + if (isset($_POST['del-'.$attr][0]) && $_POST['del-'.$attr][0] != '') $del_info[$attr] = $_POST['del-'.$attr]; + } elseif (in_array($attr,$emptyAttrs)) { + if ($values[0] != '') $add_info[$attr] = $values; + } else { + if ($values[0] != '') { + $mod_info[$attr] = $values; + } else { + $del_info[$attr] = Array(); + } + + } + + if (count($add_info)!=0) { + if (!@ldap_mod_add($ds,$groupDn,$add_info)) { + $_alert[] = 'message:insufficient_access:add:'.$attr; + } + } + if (count($mod_info)!=0) { + if (!@ldap_mod_replace($ds,$groupDn,$mod_info)) { + $_alert[] = 'message:insufficient_access:mod:'.$attr; + } + } + if (count($del_info)!=0) { + if (!@ldap_mod_del($ds,$groupDn,$del_info)) { + $_alert[] = 'message:insufficient_access:del:'.$attr; + } + } + + } else { +// $_alert[] = 'message:insufficient_access:'.$attr; + } + } // foreach + + ldap_close($ds); + if (count($_alert) == 0) $_SESSION['alert'][] = 'info:change_success'; + else for ($i=0;$i<count($_alert);$i++) $_SESSION['alert'][] = $_alert[$i]; + + } + + function getADSaccounts($toPolicy = _POLICY) { + + global $AUTH; + + // Kapcsolódás az ADS szerverhez + $ds = @ldap_connect($AUTH[$toPolicy]['adsHostname']); + if (!$ds) { + $_SESSION['alert'][] = 'alert:ldap_connect_failure'; + return false; + } + + // Csatlakozás a szerverhez + $r = @ldap_bind($ds, BACKEND_CONNECT_DN,BACKEND_CONNECT_PASSWORD); + if (!$r) { + $_SESSION['alert'][] = 'message:ldap_bind_failure'; + ldap_close($ds); + return false; + } + + // Keresés + $attrList = array('cn','uid','displayName','samaccountname'); + $filter = '(&(objectclass=person)(!(objectclass=computer)))'; + $sr = @ldap_search($ds, $AUTH[$toPolicy]['adsBaseDn'], $filter, $attrList); + if (!$sr) { + $_SESSION['alert'][] = "message:ldap_search_failure:".$userDn; + ldap_close($ds); + return false; + } + + ldap_sort($ds, $sr, 'displayname'); + $info = @ldap_get_entries($ds,$sr); + ldap_close($ds); + + return $info; + + } + + +?> diff --git a/mayor-orig/www/include/backend/ads/session/base.php b/mayor-orig/www/include/backend/ads/session/base.php new file mode 100644 index 00000000..3a727c3b --- /dev/null +++ b/mayor-orig/www/include/backend/ads/session/base.php @@ -0,0 +1,188 @@ +<?php +/* + Module: base/session + Backend: ads (for Active Directory) + + function ADSuserAccountToDn($userAccount = _USERACCOUNT, $toPolicy = _POLICY) + function adsMemberOf($userAccount, $group, $toPolicy = _POLICY) + +*/ + + require('include/backend/ads/base/attrs.php'); + + ldap_set_option(NULL, LDAP_OPT_PROTOCOL_VERSION, 3); + ldap_set_option(NULL, LDAP_OPT_REFERRALS, 0); + + if ($AUTH[_POLICY]['backend'] == 'ads') { + /* why not put into session cache */ + if ($AUTH[_POLICY]['cacheable']=='yes') { + $userDn = _queryCache('RDN',_POLICY,'value'); + } + if (!isset($userDn)) $userDn = ADSuserAccountToDn(); + define('_USERDN', $userDn); // --TODO DEPRECATED + define('BACKEND_CONNECT_DN', $AUTH[_POLICY]['adsUser']); + define('BACKEND_CONNECT_PASSWORD', $AUTH[_POLICY]['adsPw']); + if ($AUTH[_POLICY]['cacheable']=='yes') _registerToCache('RDN',$userDn,_POLICY); + unset($userDn); + } + +###################################################### +# A _USERACCOUNT(uid)-hoz tartozó dn lekérdezése +###################################################### + + function ADSuserAccountToDn($userAccount = _USERACCOUNT, $toPolicy = _POLICY) { + + global $AUTH; + + // Kapcsolódás a szerverhez + $ds = @ldap_connect($AUTH[$toPolicy]['adsHostname']); + if (!$ds) { + $_SESSION['alert'][] = 'alert:ldap_connect_failure'; + return false; + } + + // Csatlakozás a szerverhez + $r = @ldap_bind($ds,$AUTH[$toPolicy]['adsUser'],$AUTH[$toPolicy]['adsPw']); + if (!$r) { + $_SESSION['alert'][] = 'message:ldap_bind_failure'; + return false; + } + + // Van-e adott azonosítójú felhasználó? + $filter="(&(sAMAccountName=$userAccount)(objectClass=".$AUTH[$toPolicy]['adsUserObjectClass']."))"; + $justthese=array('cn','sn','givenName'); + $sr = ldap_search($ds, $AUTH[$toPolicy]['adsBaseDn'], $filter, $justthese); + if (!$sr) { + $_SESSION['alert'][] = "message:ldap_search_failure"; + ldap_close($ds); + return false; + } + $info=ldap_get_entries($ds,$sr); + ldap_close($ds); + + if ( $info['count'] === 0 ) { + // Nincs ilyen userAccount (uid) + $_SESSION['alert'][] = "message:no_account:$userAccount"; + return false; + } elseif ( $info['count'] > 1 ) { + // Több ilyen uid is van + $_SESSION['alert'][] = "message:multi_uid:$userAccount"; + return false; + } + + if ($info['count']==1) { // Van - egy - ilyen felhasználó + return $info[0]['dn']; + } + + } + + +###################################################### +# A groupCn(cn)-hez tartozó dn lekérdezése +###################################################### + + function ADSgroupCnToDn($groupCn, $toPolicy = _POLICY) { + + global $AUTH; + + // Kapcsolódás a szerverhez + $ds = @ldap_connect($AUTH[$toPolicy]['adsHostname']); + if (!$ds) { + $_SESSION['alert'][] = 'alert:ldap_connect_failure'; + return false; + } + + // Csatlakozás a szerverhez + $r = @ldap_bind($ds,$AUTH[$toPolicy]['adsUser'],$AUTH[$toPolicy]['adsPw']); + if (!$r) { + $_SESSION['alert'][] = 'message:ldap_bind_failure'; + return false; + } + + // Van-e ilyen csoport? + $filter="(&(cn=$groupCn)(objectClass=".$AUTH[$toPolicy]['adsGroupObjectClass']."))"; + $justthese=array('cn'); + $sr = ldap_search($ds, $AUTH[$toPolicy]['adsBaseDn'], $filter, $justthese); + if (!$sr) { + $_SESSION['alert'][] = "message:ldap_search_failure"; + ldap_close($ds); + return false; + } + $info=ldap_get_entries($ds,$sr); + ldap_close($ds); + + if ( $info['count'] === 0 ) { + // Nincs ilyen groupCn (cn) - hibaüzenet csak akkor, ha nem kategóriáról van szó... + if (!in_array($groupCn, array_map('ekezettelen', $AUTH[$toPolicy]['categories']))) $_SESSION['alert'][] = "message:no_group:$groupCn"; + return false; + } elseif ( $info['count'] > 1 ) { + // Több ilyen cn is van + $_SESSION['alert'][] = "message:multi_gid:$groupCn"; + return false; + } + + if ($info['count']==1) { // Van - egy - ilyen csoport + return $info[0]['dn']; + } + + } + +###################################################### +# memberOf - csoport tag-e +###################################################### + + function adsMemberOf($userAccount, $group, $toPolicy = _POLICY) { + + global $AUTH; + //global $ADS2Mayor; + + $userDn = ADSuserAccountToDn($userAccount, $toPolicy); + if (in_array($group, $AUTH[$toPolicy]['categories'])) { + if (strpos($userDn, ',ou='.ekezettelen($group).',') !== false) return true; +# Ha nincs megfelelő ou-ban, akkor nézzük a csoport tagságot - így berakható időszakosan akárki pl a titkárság kategóriába... +# else return false; + } + + if (substr($group,0,3) != 'cn=') { + $groupDn = ADSgroupCnToDn(ekezettelen($group)); + if (!$groupDn) return false; // Ha nincs ilyen csoport az ADS fában + } else { + $groupDn = $group; + } + + // Kapcsolódás az ADS szerverhez + $ds = @ldap_connect($AUTH[$toPolicy]['adsHostname']); + if (!$ds) { + $_SESSION['alert'][] = 'alert:ldap_connect_failure'; + return false; + } + + // Csatlakozás a szerverhez + $r = @ldap_bind($ds,$AUTH[$toPolicy]['adsUser'],$AUTH[$toPolicy]['adsPw']); + if (!$r) { + $_SESSION['alert'][] = 'message:ldap_bind_failure'; + ldap_close($ds); + return false; + } + + $justthese = array('cn'); // valamit le kell kérdezni... + $filter = "(&(objectClass=".$AUTH[$toPolicy]['adsGroupObjectClass'].")(member=$userDn))"; + $sr = @ldap_search($ds, $groupDn, $filter, $justthese); + if (!$sr) { + $_SESSION['alert'][] = "message:ldap_search_failure:".$filter; + ldap_close($ds); + return false; + } + + $info = ldap_get_entries($ds, $sr); + ldap_close($ds); + + if ($info['count'] > 0) { + return true; + } else { + return false; + } + + } + +?> diff --git a/mayor-orig/www/include/backend/ads/session/createAccount.php b/mayor-orig/www/include/backend/ads/session/createAccount.php new file mode 100644 index 00000000..02809f07 --- /dev/null +++ b/mayor-orig/www/include/backend/ads/session/createAccount.php @@ -0,0 +1,157 @@ +<?php +/* + Modules: base/session +*/ + + require_once('include/backend/ads/password/changePassword.php'); + + /* + $SET = array( + container => a konténer elem - ha nincs, akkor CN=Users alá rakja + category => tanár, diák... egy kiemelt fontosságú csoport tagság + groups => egyéb csoportok + policyAttrs => policy függő attribútumok + ) + */ + function adsCreateAccount( + $userCn, $userAccount, $userPassword, $toPolicy, $SET + ) { + + global $AUTH; + + $shadowLastChange = floor(time() / (60*60*24)); + + // $toPolicy --> ads backend - ellenőrzés! + if ($AUTH[$toPolicy]['backend'] != 'ads') { + $_SESSION['alert'][] = 'page:wrong_backend:'.$AUTH[$toPolicy]['backend']; + return false; + } + + // Kapcsolódás az LDAP szerverhez + $ds = @ldap_connect($AUTH[$toPolicy]['adsHostname']); + if (!$ds) { + $_SESSION['alert'][] = 'alert:ldap_connect_failure'; + return false; + } + + // Csatlakozás a szerverhez + $r = @ldap_bind($ds, BACKEND_CONNECT_DN,BACKEND_CONNECT_PASSWORD); + if (!$r) { + $_SESSION['alert'][] = 'message:ldap_bind_failure'; + ldap_close($ds); + return false; + } + + $info = $ginfo = Array(); + + // uid ütközés ellenőrzése + $filter = "(sAMAccountName=$userAccount)"; + $justthese = array('sAMAccountName'); + $sr = ldap_search($ds, $AUTH[$toPolicy]['adsBaseDn'], $filter, $justthese); + $uinfo = ldap_get_entries($ds, $sr); + $uidCount = $uinfo['count']; + ldap_free_result($sr); + if ($uidCount > 0) { + $_SESSION['alert'][] = 'message:multi_uid:'.$userAccount; + return false; + } + + // Az következő uidNumber megállapítása + $filter = "(&(objectclass=".$AUTH[$toPolicy]['adsUserObjectClass'].")(uidNumber=*))"; + $justthese = array('uidNumber', 'msSFU30UidNumber'); + $sr = ldap_search($ds,$AUTH[$toPolicy]['adsBaseDn'], $filter, $justthese); + ldap_sort($ds, $sr, 'uidNumber'); + $uinfo = ldap_get_entries($ds, $sr); + ldap_free_result($sr); + if (isset($uinfo['count']) && $uinfo['count'] > 0) $info['uidNumber'] = array($uinfo[ $uinfo['count']-1 ]['uidnumber'][0]+1); + else $info['uidNumber'] = array(1001); + + // shadow attributumok... + // A shadowLastChange a mai nap // if (isset($AUTH[$toPolicy]['shadowlastchange']) && $AUTH[$toPolicy]['shadowlastchange'] != '') + $info['shadowLastChange'] = array($shadowLastChange); + if (isset($AUTH[$toPolicy]['shadowMin']) && $AUTH[$toPolicy]['shadowMin'] != '') $info['shadowMin'] = array($AUTH[$toPolicy]['shadowMin']); + if (isset($AUTH[$toPolicy]['shadowMax']) && $AUTH[$toPolicy]['shadowMax'] != '') $info['shadowMax'] = array($AUTH[$toPolicy]['shadowMax']); + if (isset($AUTH[$toPolicy]['shadowWarning']) && $AUTH[$toPolicy]['shadowWarning'] != '') $info['shadowWarning'] = array($AUTH[$toPolicy]['shadowWarning']); + if (isset($AUTH[$toPolicy]['shadowInactive']) && $AUTH[$toPolicy]['shadowInactive'] != '') $info['shadowInactive'] = array($AUTH[$toPolicy]['shadowInactive']); + if (isset($AUTH[$toPolicy]['shadowExpire']) && $AUTH[$toPolicy]['shadowWxpire'] != '') $info['shadowExpire'] = array($AUTH[$toPolicy]['shadowExpire']); + + // A szokásos attribútumok + $Name = explode(' ',$userCn); + $Dn = ldap_explode_dn($AUTH[$toPolicy]['adsBaseDn'], 1); unset($Dn['count']); + $info['userPrincipalName'] = array( $userAccount.'@'.implode('.', $Dn)); + $info['msSFU30Name'] = $info['sAMAccountName'] = $info['cn'] = array($userAccount); + $info['displayName'] = array($userCn); + $info['sn'] = array($Name[0]); + $info['givenName'] = array($Name[ count($Name)-1 ]); + $info['unixUserPassword'] = array('ABCD!efgh12345$67890'); + $info['unixHomeDirectory'] = array(ekezettelen("/home/$userAccount")); + $info['loginShell'] = array('/bin/bash'); + $info['objectClass'] = array($AUTH[$toPolicy]['adsUserObjectClass'], 'user'); + + $policyAccountAttrs = $SET['policyAttrs']; + if (isset($policyAccountAttrs['studyId'])) $info[ $AUTH[$toPolicy]['adsStudyIdAttr'] ] = array($policyAccountAttrs['studyId']); + foreach ($policyAccountAttrs as $attr => $value) + if ($attr != 'studyId' && isset($accountAttrToADS[$attr])) + $info[ $accountAttrToADS[$attr] ] = array($value); + + if (isset($SET['container'])) $dn = "CN=$userAccount,".$SET['container']; + else $dn = "CN=$userAccount,CN=Users,".$AUTH[$toPolicy]['adsBaseDn']; + + // user felvétel + $_r1 = @ldap_add($ds,$dn,$info); + if (!$_r1) { + $_SESSION['alert'][] = 'message:ldap_error:Add user:'.ldap_error($ds); + //echo $dn.'<pre>'; var_dump($info); echo '</pre>'; + return false; + } + + // Jelszó beállítás + if (!changePassword($userAccount, $userPassword, $toPolicy)) $_SESSION['alert'][] = 'message:ldap_error:changePassword failed:'.$userAccount; + + // Engedélyezés + $einfo = array('userAccountControl' => array(512)); /* Normal account = 512 */ + $_r1 = @ldap_mod_replace($ds,$dn,$einfo); + if (!$_r1) { + $_SESSION['alert'][] = 'message:ldap_error:Enable user:'.ldap_error($ds); + //echo $dn.'<pre>'; var_dump($info); echo '</pre>'; + return false; + } + + // Kategória csoportba és egyéb csoportokba rakás + if (isset($SET['category'])) { + if (is_array($SET['groups'])) array_unshift($SET['groups'], $SET['category']); + else $SET['groups'] = array($SET['category']); + + $ginfo['member'] = $dn; + + for ($i = 0; $i < count($SET['groups']); $i++) { + $groupDn = ADSgroupCnToDn($SET['groups'][$i], $toPolicy); + if ($groupDn !== false) { + $_r3 = @ldap_mod_add($ds, $groupDn, $ginfo); + if (!$_r3) { + $_SESSION['alert'][] = 'message:ldap_error:Add to group '.$SET['groups'][$i].':'.ldap_error($ds); + //echo $SET['groups'][$i].'<pre>'; var_dump($ginfo); echo '</pre>'; + } + } + } + } + + ldap_close($ds); + + if (defined('_DATADIR') + && isset($AUTH[$toPolicy]['createAccountScript']) + && file_exists(_DATADIR) + ) { + $sfp = fopen(_DATADIR.'/'.$AUTH[$toPolicy]['createAccountScript'],'a+'); + if ($sfp) { + fwrite($sfp,"\n# $userAccount létrehozása: userAccount uidNumber homeDirectory\n"); + fwrite($sfp,"createAccount.sh '$userAccount' '".$info['uidNumber'][0]."' '".$info['unixHomeDirectory'][0]."'\n"); + fclose($sfp); + } + } + $_SESSION['alert'][] = 'info:create_uid_success:'.$dn; + return true; + + } + +?> diff --git a/mayor-orig/www/include/backend/ads/session/createGroup.php b/mayor-orig/www/include/backend/ads/session/createGroup.php new file mode 100644 index 00000000..0a0a8c1d --- /dev/null +++ b/mayor-orig/www/include/backend/ads/session/createGroup.php @@ -0,0 +1,82 @@ +<?php +/* + Modules: base/session +*/ + + + function adsCreateGroup($groupCn, $groupDesc, $toPolicy = _POLICY, $SET = array()) { + + global $AUTH; + $category = ekezettelen($SET['category']); + + // $toPolicy --> ads backend - ellenőrzés! + if ($AUTH[$toPolicy]['backend'] != 'ads') { + $_SESSION['alert'][] = 'page:wrong_backend:'.$AUTH[$toPolicy]['backend']; + return false; + } + + // Kapcsolódás az LDAP szerverhez + $ds = @ldap_connect($AUTH[$toPolicy]['adsHostname']); + if (!$ds) { + $_SESSION['alert'][] = 'alert:ldap_connect_failure'; + return false; + } + + // Csatlakozás a szerverhez + $r = @ldap_bind($ds, BACKEND_CONNECT_DN,BACKEND_CONNECT_PASSWORD); + if (!$r) { + $_SESSION['alert'][] = 'message:ldap_bind_failure'; + ldap_close($ds); + return false; + } + + $info = $ginfo = Array(); + + // cn ütközés ellenőrzése + $filter = "(&(objectclass=".$AUTH[$toPolicy]['adsGroupObjectClass'].")(cn=$groupCn))"; + $justthese = array('cn'); + $sr = ldap_search($ds, $AUTH[$toPolicy]['adsBaseDn'], $filter, $justthese); + $ginfo = ldap_get_entries($ds, $sr); + $gCount = $ginfo['count']; + ldap_free_result($sr); + if ($gCount > 0) { + $_SESSION['alert'][] = 'message:multi_uid:'.$groupCn; + return false; + } + + // Az következő gidNumber megállapítása + $filter = "(&(objectclass=".$AUTH[$toPolicy]['adsGroupObjectClass'].")(gidNumber=*))"; + $justthese = array('gidNumber', 'msSFU30GidNumber'); + $sr = ldap_search($ds,$AUTH[$toPolicy]['adsBaseDn'], $filter, $justthese); + ldap_sort($ds, $sr, 'gidNumber'); + $ginfo = ldap_get_entries($ds, $sr); + ldap_free_result($sr); + if (isset($ginfo['count']) && $ginfo['count'] > 0) $info['gidNumber'] = array($ginfo[ $ginfo['count']-1 ]['gidnumber'][0]+1); + else $info['gidNumber'] = array(1001); + + // A szokásos attribútumok + $info['sAMAccountName'] = $info['cn'] = array($groupCn); + $info['description'] = array($groupDesc); + + // A kategória függő attribútumok + if (isset($SET['container'])) $dn = "CN=$groupCn,".$SET['container']; + else $dn = "CN=$groupCn,OU=$category,".$AUTH[$toPolicy]['adsBaseDn']; + + // objectum osztályok + $info['objectClass'] = array($AUTH[$toPolicy]['adsGroupObjectClass']); + + // csoport felvétel + $_r1 = ldap_add($ds,$dn,$info); + if (!$_r1) { + printf("ADS-Error: %s<br>\n", ldap_error($ds)); + var_dump($info); + } + + ldap_close($ds); + + $_SESSION['alert'][] = 'info:create_group_success:'.$dn; + return true; + + } + +?> diff --git a/mayor-orig/www/include/backend/ads/session/search/searchAccount.php b/mayor-orig/www/include/backend/ads/session/search/searchAccount.php new file mode 100644 index 00000000..01298382 --- /dev/null +++ b/mayor-orig/www/include/backend/ads/session/search/searchAccount.php @@ -0,0 +1,277 @@ +<?php +/* + Module: base/session + Backend: ads + + ! -- Csak publikus mezőkre lehet keresni! -- ! + function ADSSearch($attr, $pattern, $searchAttrs=array('cn'), $filter='(objectclass=*)') + function adsSearchAccount($attr, $pattern, $searchAttrs = array('userCn')) + function adsSearchGroup($attr, $pattern, $searchAttrs = array('groupCn, groupDesc'), $toPolicy = '') { + +*/ + +###################################################### +# Általános ADS kereső függvény +###################################################### + + function ADSSearch($attr, $pattern, $searchAttrs=array('cn'), $filter='(objectclass=*)', $toPolicy = _POLICY) { + + global $AUTH; + + if ($pattern == '') { + $_SESSION['alert'][] = 'message:empty_field'; + return false; + } + + // Kapcsolódás az ADS szerverhez + $ds = @ldap_connect($AUTH[$toPolicy]['adsHostname']); + if (!$ds) { + $_SESSION['alert'][] = 'alert:ldap_connect_failure'; + return false; + } + + // Csatlakozás a szerverhez + $r = @ldap_bind($ds, BACKEND_CONNECT_DN,BACKEND_CONNECT_PASSWORD); + + if (!$r) { + $_SESSION['alert'][] = 'message:ldap_bind_failure:ADSSearch'; + ldap_close($ds); + return false; + } + + // Keresés + if ( + strpos(kisbetus($attr),'number') !== false + && $attr != 'serialNumber' + ) $filter = "(&$filter($attr=$pattern))"; + else $filter = "(&$filter($attr=*$pattern*))"; + + $filter = "(&$filter($attr=*$pattern*))"; + $sr = @ldap_search($ds, $AUTH[$toPolicy]['adsBaseDn'], $filter, $searchAttrs); + if (!$sr) { + $_SESSION['alert'][] = "message:ldap_search_failure:".$filter; + ldap_close($ds); + return false; + } + + $info = @ldap_get_entries($ds,$sr); + ldap_close($ds); + + return $info; + + } + +###################################################### +# adsSearchAccount - felhasználó kereső függvény +###################################################### + + function adsSearchAccount($attr, $pattern, $searchAttrs = array('userCn'), $toPolicy = _POLICY) { + + global $accountAttrToADS; + + // A keresendő attribútum konvertálása ADS attribútummá + if ($accountAttrToADS[ $attr ] != '') $attrADS = $accountAttrToADS[ $attr ]; + else $attrADS = $attr; + if ($attrADS == 'dn') $attrADS = 'uid'; // dn-re nem megy a keresés!! + + // A lekérendő attribútumok konvertálása ADS attribútummá + for ($i = 0; $i < count($searchAttrs); $i++) { + if ($accountAttrToADS[ $searchAttrs[$i] ] != '') $searchAttrsADS[$i] = $accountAttrToADS[ $searchAttrs[$i] ]; + else $searchAttrsADS[$i] = $searchAttrs[$i]; + } + $result = ADSSearch($attrADS, $pattern, $searchAttrsADS, '(&(objectclass=person)(!(objectclass=computer)))', $toPolicy); + if ($result === false) { + return false; + } else { + + // ADS schema --> mayor schema konverzió + for ($i = 0; $i < $result['count']; $i++) { + // Egységes szerkezetre alakítjuk, azaz a dn is indexelt + $result[$i]['dn'] = $return[$i]['userAccount'] = array('count' => 1, 0 => $result[$i]['dn']); + for ($j = 0; $j < count($searchAttrs); $j++) { + $a = $searchAttrs[$j]; + if (isset($result[$i][ kisbetus($accountAttrToADS[$a]) ])) { + if ($accountAttrToADS[$a] != '') $return[$i][$a] = $result[$i][ kisbetus($accountAttrToADS[$a]) ]; + else $return[$i][$a] = $result[$i][$a]; + } else { + $return[$i][$a] = array('count' => 0) ; + } + } + $return[$i]['category'] = getAccountCategories($return[$i]['userAccount'][0], $toPolicy); + $return[$i]['category']['count'] = count($return[$i]['category']); + } + $return['count'] = $result['count']; + + return $return; + + } + + } + +###################################################### +# adsSearchGroup - csoport kereső függvény +###################################################### + + function adsSearchGroup($attr, $pattern, $searchAttrs = array('groupCn, groupDesc'), $toPolicy = _POLICY) { + + global $groupAttrToADS; + + // A keresendő attribútum konvertálása ADS attribútummá + if ($groupAttrToADS[ $attr ] != '') $attrADS = $groupAttrToADS[ $attr ]; + else $attrADS = $attr; + if ($attrADS == 'dn') $attrADS = 'cn'; // dn-re nem megy a keresés!! + + // A lekérendő adtibútumok konvertálása ADS attribútummá + for ($i = 0; $i < count($searchAttrs); $i++) { + if ($groupAttrToADS[ $searchAttrs[$i] ] != '') $searchAttrsADS[$i] = $groupAttrToADS[ $searchAttrs[$i] ]; + else $searchAttrsADS[$i] = $searchAttrs[$i]; + } + + $result = ADSSearch($attrADS, $pattern, $searchAttrsADS, '(objectclass=group)', $toPolicy); + if ($result === false) { + return false; + } else { + + // ADS schema --> mayor schema konverzió + for ($i = 0; $i < $result['count']; $i++) { + // Egységes szerkezetre alakítjuk, azaz a dn is indexelt + $result[$i]['dn'] = $return[$i]['groupCn'] = array('count' => 1, 0 => $result[$i]['dn']); + for ($j = 0; $j < count($searchAttrs); $j++) { + $a = $searchAttrs[$j]; + if (!isset($groupAttrToADS[$a]) || $groupAttrToADS[$a] != '') { + if (isset($result[$i][ $groupAttrToADS[$a] ])) $return[$i][$a] = $result[$i][ $groupAttrToADS[$a] ]; + else $return[$i][$a] = ''; + } else { + $return[$i][$a] = $result[$i][$a]; + } + } + } + $return['count'] = $result['count']; + + return $return; + + } + + } + +###################################################### +# adsDeleteAccount - account törlése +###################################################### + + function adsDeleteAccount($userAccount, $toPolicy = _POLICY) { + + global $AUTH; + + // $toPolicy --> ads backend - ellenőrzés + if ($AUTH[$toPolicy]['backend'] != 'ads') { + $_SESSION['alert'][] = 'page:wrong_backend:ads!='.$AUTH[$toPolicy]['backend']; + return false; + } + + $userDn = ADSuserAccountToDn($userAccount, $toPolicy); + if ($userDn === false) return false; + + // Kapcsolódás az ADS szerverhez + $ds = @ldap_connect($AUTH[$toPolicy]['adsHostname']); + if (!$ds) { + $_SESSION['alert'][] = 'alert:ldap_connect_failure'; + return false; + } + + // Csatlakozás a szerverhez + $r = @ldap_bind($ds, BACKEND_CONNECT_DN,BACKEND_CONNECT_PASSWORD); + if (!$r) { + $_SESSION['alert'][] = 'message:ldap_bind_failure'; + ldap_close($ds); + return false; + } + + // Az uidNumber, a unixHomeDirectory lekerdezése + $filter = "(&(objectclass=".$AUTH[$toPolicy]['adsUserObjectClass'].")(!(objectclass=computer)))"; + $justthese = array('uidNumber','unixHomedirectory'); + $sr = @ldap_search($ds,$userDn,$filter,$justthese); + if (!$sr) { + $_SESSION['alert'][] = "message:ldap_search_failure:".$userDn; + ldap_close($ds); + return false; + } ; + + $info = @ldap_get_entries($ds,$sr); + $uidNumber = $info[0]['uidnumber'][0]; + $homeDirectory = $info[0]['unixhomedirectory'][0]; + $uid=$userAccount; + + // user törlése + if (!@ldap_delete($ds,$userDn)) { + $_SESSION['alert'][] = 'message:ldap_delete_failure:user:'.$userAccount; + } + + ldap_close($ds); + + /* + Ha van megadva deleteAccountScript paraméter, akkor abba bejegyzi a törölt felhasználó adatait. + A meghívott deleteAccount.sh nincs definiálva, testreszabható, megkötés egyedül a paraméter + lista: userAccount, uidNumber, homeDirectory + */ + if (defined('_DATADIR') + && isset($AUTH[$toPolicy]['deleteAccountScript']) + && file_exists(_DATADIR) + ) { + $sfp = fopen(_DATADIR.'/'.$AUTH[$toPolicy]['deleteAccountScript'],'a+'); + if ($sfp) { + fwrite($sfp,"\n# $userAccount törlése: userAccount uidNumber homeDirectory\n"); + fwrite($sfp,"deleteAccount.sh '$userAccount' '$uidNumber' '$homeDirectory'\n"); + fclose($sfp); + } + } + + $_SESSION['alert'][] = 'info:delete_uid_success:'.$userDn; + return true; + + } + +###################################################### +# adsDeleteGroup - account törlése +###################################################### + + function adsDeleteGroup($groupCn, $toPolicy = _POLICY) { + + global $AUTH; + + // $toPolicy --> ads backend - ellenőrzés + if ($AUTH[$toPolicy]['backend'] != 'ads') { + $_SESSION['alert'][] = 'page:wrong_backend:ads!='.$AUTH[$toPolicy]['backend']; + return false; + } + + $groupDn = ADSgroupCnToDn($groupCn, $toPolicy); + if ($groupDn === false) return false; + + // Kapcsolódás az ADS szerverhez + $ds = @ldap_connect($AUTH[$toPolicy]['adsHostname']); + if (!$ds) { + $_SESSION['alert'][] = 'alert:ldap_connect_failure'; + return false; + } + + // Csatlakozás a szerverhez + $r = @ldap_bind($ds, BACKEND_CONNECT_DN,BACKEND_CONNECT_PASSWORD); + if (!$r) { + $_SESSION['alert'][] = 'message:ldap_bind_failure'; + ldap_close($ds); + return false; + } + + if (!@ldap_delete($ds, $groupDn)) { + $_SESSION['alert'][] = 'message:ldap_delete_failure:group:'.$groupCn; + } + + ldap_close($ds); + + $_SESSION['alert'][] = 'info:delete_group_success:'.$groupCn; + return true; + + } + + +?> diff --git a/mayor-orig/www/include/backend/file/auth/login.php b/mayor-orig/www/include/backend/file/auth/login.php new file mode 100644 index 00000000..bc77f9f7 --- /dev/null +++ b/mayor-orig/www/include/backend/file/auth/login.php @@ -0,0 +1,121 @@ +<?php +/* + Auth-File + + A név-jelszó pár ellenőrzése file-ból történik +*/ + +/* -------------------------------------------------------------- + + Felhasználók azonosítása egyszerű szöveges file-ból + + A file szerkezete: + Soronként egy account adatai, egymástól kettősponttal elválasztott mezők: + azonosító:név:jelszó:oktAzon:shadowLastChange:shadowMin:shadowMax:shadowWarning:shadowInactive:shadowExpire + + A függvény az előre definiált _AUTH_SUCCESS, _AUTH_EXPIRED, _AUTH_FAILURE + konstansok valamelyikével tér vissza. + + Sikeres hitelesítés esetén + az egyéb account információkat (minimálisan a 'cn', azaz 'teljes név' + attribútumot) a cím szerint átadott $accountInformation tömbbe helyezi el. + + Sikertelen azonosítás esetén a globális $_SESSION['alert'] változóban jelzi az + elutasítás okát. + +-------------------------------------------------------------- */ + function fileUserAuthentication($userAccount, $userPassword, &$accountInformation) { + + global $AUTH; + + $toPolicy = $accountInformation['policy']; + $fp = @fopen($AUTH[$toPolicy]['file account file'],'r'); + if (!$fp) { + // nem lehet megnyitni a file-t + $_SESSION['alert'][] = 'message:file_open_failure:'.$AUTH[$toPolicy]['file account file']; + return _AUTH_FAILURE; + } + + $valid = false; + while (!$valid and $sor = chop(fgets($fp, 1024))) { + + list( + $_userAccount, + $_userCn, + $_userPassword, + $_studyId, + $shadowLastChange, + $shadowMin, + $shadowMax, + $shadowWarning, + $shadowInactive, + $shadowExpire + ) = explode(':',$sor); + $valid = ($_userAccount == $userAccount and $_userPassword == $userPassword); // itt lehetne a kódolt jelszót eltárolni és azzal hasonlítani + + } + + fclose($fp); + + if ($valid) { + + $accountInformation['cn'] = $_userCn; + $accountInformation['studyId'] = $_studyId; + + if ( // onDisabled: none | refuse + $AUTH[$toPolicy]['onDisabled'] == 'refuse' && + ( + ( + $shadowExpire != '' && + $shadowExpire <= floor(time()/(60*60*24)) + ) || + ( + $shadowLastChange != '' && + $shadowMax != '' && + $shadowInactive != '' && + ( $shadowLastChange + + $shadowMax + + $shadowInactive ) <= floor(time()/(60*60*24)) + ) + ) + ) { + // Le van tiltva + $_SESSION['alert'][] = 'message:account_disabled'; + return _AUTH_FAILURE_4; + } // onDisabled + + // Lejárt-e az azonosító + if ( + $AUTH[$toPolicy]['onExpired'] != 'none' && // onExpired: none | warning | force update + $shadowLastChange != '' && + $shadowMax != '' + ) { + // Lejárt-e + $pwLejar = ($shadowLastChange + $shadowMax) - floor(time()/(60*60*24)); + if (0 < $pwLejar && $shadowWarning != '' && $pwLejar < $shadowWarning) { + $_SESSION['alert'][] = 'info:account_warning:'.$pwLejar; + return _AUTH_SUCCESS; + } elseif ($pwLejar <= 0) { + $_SESSION['alert'][] = 'info:account_expired:'.abs($pwLejar); + if ($AUTH[$toPolicy]['onDisabled'] == 'refuse') + $_SESSION['alert'][] = 'info:warn_account_disable:'.($shadowInactive+$pwLejar); + if ($AUTH[$toPolicy]['onExpired'] == 'warning') { + return _AUTH_SUCCESS; + } elseif ($AUTH[$toPolicy]['onExpired'] == 'force update') { + return _AUTH_EXPIRED; + } + } + } // onExpired + + return _AUTH_SUCCESS; + + } else { + + $_SESSION['alert'][] = 'message:bad_pw'; + return _AUTH_FAILURE_3; + + } + + } + +?> diff --git a/mayor-orig/www/include/backend/file/session/base.php b/mayor-orig/www/include/backend/file/session/base.php new file mode 100644 index 00000000..4902e9c8 --- /dev/null +++ b/mayor-orig/www/include/backend/file/session/base.php @@ -0,0 +1,6 @@ +<?php + + function fileMemberOf() { + return false; + } +?> diff --git a/mayor-orig/www/include/backend/ldap-ng/auth/login.php b/mayor-orig/www/include/backend/ldap-ng/auth/login.php new file mode 100644 index 00000000..3eb9854e --- /dev/null +++ b/mayor-orig/www/include/backend/ldap-ng/auth/login.php @@ -0,0 +1,163 @@ +<?php +/* + Auth-LDAP-NG + + A név-jelszó pár ellenőrzése LDAP adatbázis alapján +*/ + +/* -------------------------------------------------------------- + + Felhasználók azonosítása az LDAP-ban tárolt konfigurálható + osztályok alapján történik. + + A függvény az előre definiált _AUTH_SUCCESS, _AUTH_EXPIRED, _AUTH_FAILURE + konstansok valamelyikével tér vissza. (include/modules/auth/base/config.php) + + Sikeres hitelesítés esetén + az egyéb account információkat (minimálisan a 'cn', azaz 'common name' + attribútumot) a cím szerint átadott $accountInformation tömbbe helyezi el. + + Sikertelen azonosítás esetén a globális $_SESSION['alert'] változóban jelzi az + elutasítás okát (ldap_connect_failure, ldap_bind_failure, ldap_search_failure, no_account, multi_uid, + account_disabled, bad_pw, account_warning, account_expired, warn_account_disable. + +-------------------------------------------------------------- */ + +###################################################################### +# Az LDAP protocol version 3 kötelező, +# referals=0 nélkül használhatatlanul lassú +###################################################################### + + ldap_set_option(NULL, LDAP_OPT_PROTOCOL_VERSION, 3); + ldap_set_option(NULL, LDAP_OPT_REFERRALS, 0); + + + function ldap_ngUserAuthentication($userAccount, $userPassword, &$accountInformation, $toPolicy) { + + global $AUTH; + + if ($toPolicy == '') { + if ($accountInformation['policy'] != '') $toPolicy = $accountInformation['policy']; +// elseif ($_REQUEST['toPolicy'] != '') $toPolicy = $_REQUEST['toPolicy']; + else $toPolicy = _POLICY; + } + + // Kapcsolódás a szerverhez + $ds = ldap_connect($AUTH[$toPolicy]['ldapHostname']); + if (!$ds) { + $_SESSION['alert'][] = 'alert:ldap_connect_failure'; + return _AUTH_FAILURE; + } + + // Csatlakozás a szerverhez + $r = @ldap_bind($ds,$AUTH[$toPolicy]['ldapUser'],$AUTH[$toPolicy]['ldapPw']); + if (!$r) { + $_SESSION['alert'][] = 'message:ldap_bind_failure'; + return _AUTH_FAILURE; + } + + // Van-e adott azonosítójú felhasználó? + $filter="(&(".$AUTH[$toPolicy]['ldapUserAccountAttr']."=$userAccount)(objectClass=".$AUTH[$toPolicy]['ldapUserObjectClass']."))"; + $justthese = array("sn",$AUTH[$toPolicy]['ldapCnAttr'],$AUTH[$toPolicy]['ldapStudyIdAttr'],"shadowexpire","shadowwarning","shadowinactive","shadowlastchange","shadowmax"); + $sr = ldap_search($ds, $AUTH[$toPolicy]['ldapBaseDn'], $filter, $justthese); + if (!$sr) { + $_SESSION['alert'][] = "message:ldap_search_failure"; + ldap_close($ds); + return _AUTH_FAILURE; + } + $info = ldap_get_entries($ds,$sr); + + if ( $info['count'] === 0 || is_null($info)) { // http://bugs.php.net/50185 ha nincs megfelelő elem, akkor - hibásan - null-al tér vissza! (~ PHP 5.2.10) + // Nincs ilyen userAccount (uid) + $_SESSION['alert'][] = "message:no_account:$userAccount"; + ldap_close($ds); + return _AUTH_FAILURE_1; + } + + if ( $info['count'] > 1 ) { + // Több ilyen uid is van + $_SESSION['alert'][] = "message:multi_uid"; + ldap_close($ds); + return _AUTH_FAILURE_2; + } + + if ($info['count']==1) { // Van - egy - ilyen felhasználó + + + $accountInformation['cn'] = $info[0][ $AUTH[$toPolicy]['ldapCnAttr'] ][0]; + $accountInformation['studyId'] = $info[0][ $AUTH[$toPolicy]['ldapStudyIdAttr'] ][0]; + + $accountInformation['dn'] = $info[0]['dn']; + $accountInformation['account'] = $userAccount; + // Lejárt-e + // A lejárat ideje a shadowExpire és shadowLastChange+shadowMax kötül a kisebbik + if ($info[0]['pwdlastset'][0] != '') { // A pwdLastSet és shadowLastChange közül a kisebbiket használjuk +// if ($info[0]['shadowlastchange'][0] != '') +// $info[0]['shadowlastchange'][0] = min(pwdLastSet2shadowLastChange($info[0]['pwdlastset'][0]), $info[0]['shadowlastchange'][0]); +// else + $info[0]['shadowlastchange'][0] = pwdLastSet2shadowLastChange($info[0]['pwdlastset'][0]); + } + if ($info[0]['accountexpires'][0] != '') { // Az accountExpires és a shadowExpire közül a kisebbiket használjuk +// if ($info[0]['shadowexpire'][0] != '') +// $info[0]['shadowexpire'][0] = min(pwdLastSet2shadowLastChange($info[0]['accountexpires'][0]), $info[0]['shadowexpire'][0]); +// else + $info[0]['shadowexpire'][0] = pwdLastSet2shadowLastChange($info[0]['accountexpires'][0]); + } + if ($info[0]['shadowexpire'][0] != '') $expireTimestamp = $info[0]['shadowexpire'][0]; + if ( + $info[0]['shadowmax'][0] != '' && + ( + !isset($expireTimestamp) || + $expireTimestamp > $info[0]['shadowlastchange'][0] + $info[0]['shadowmax'][0] + ) + ) $expireTimestamp = $info[0]['shadowlastchange'][0] + $info[0]['shadowmax'][0]; + // lejárt, ha lejárat ideje már elmúlt + $accountExpired = (isset($expireTimestamp) && ($expireTimestamp <= floor(time()/(60*60*24)))); + + // Le van-e tiltva + // Ha több mint shadowInactive napja lejárt + if ( // onDisabled: none | refuse + $AUTH[$toPolicy]['onDisabled'] == 'refuse' && + isset($expireTimestamp) && + $expireTimestamp + $info[0]['shadowinactive'][0] <= floor(time()/(60*60*24)) + ) { + // Le van tiltva + $_SESSION['alert'][] = 'message:account_disabled'; + ldap_close($ds); + return _AUTH_FAILURE_4; + } // onDisabled + + // Jelszó ellenőrzés - lehet-e csatlakozni + if (!@ldap_bind($ds, $accountInformation['dn'], $userPassword)) { + $_SESSION['alert'][] = 'message:bad_pw'; + return _AUTH_FAILURE_3; + } + + ldap_close($ds); + // Lejárt-e az azonosító + if ($AUTH[$toPolicy]['onExpired'] != 'none' && isset($expireTimestamp)) { // onExpired: none | warning | force update + // Lejárt-e + $pwLejar = $expireTimestamp - floor(time()/(60*60*24)); + if (0 < $pwLejar && $pwLejar < $info[0]['shadowwarning'][0]) { + $_SESSION['alert'][] = 'info:account_warning:'.$pwLejar; + return _AUTH_SUCCESS; + } elseif ($pwLejar <= 0) { + $_SESSION['alert'][] = 'info:account_expired:'.abs($pwLejar); + if ($AUTH[$toPolicy]['onDisabled'] == 'refuse') $_SESSION['alert'][] = 'info:warn_account_disable:'.($info[0]['shadowinactive'][0]+$pwLejar); + if ($AUTH[$toPolicy]['onExpired'] == 'warning') { + return _AUTH_SUCCESS; + } elseif ($AUTH[$toPolicy]['onExpired'] == 'force update') { + return _AUTH_EXPIRED; + } else { + return _AUTH_FAILURE; + } + } + } // onExpired + // Ha idáig eljut, akkor minden rendben. + return _AUTH_SUCCESS; + + } // count == 1 + + } + +?> diff --git a/mayor-orig/www/include/backend/ldap-ng/base/attrs.php b/mayor-orig/www/include/backend/ldap-ng/base/attrs.php new file mode 100644 index 00000000..2a2f327a --- /dev/null +++ b/mayor-orig/www/include/backend/ldap-ng/base/attrs.php @@ -0,0 +1,146 @@ +<?php +/* + Module: useradmin +*/ + + if (file_exists('lang/'._LANG.'/backend/ldap-ng/attrs.php')) { + require('lang/'._LANG.'/backend/ldap-ng/attrs.php'); + } elseif (file_exists('lang/'._DEFAULT_LANG.'/backend/ldap-ng/attrs.php')) { + require('lang/'._DEFAULT_LANG.'/backend/ldap-ng/attrs.php'); + } + +###################################################### +# Alapértelmezett jogosultságok +# +# w - Írható/olvasható +# r - olvasható +# - - egyik sem +# +# Három karakter: admin, self, other jogai +###################################################### + + define('_DEFAULT_LDAP_RIGHTS','wr-'); + +###################################################### +# Az LDAP account attribútumok +###################################################### + + global $ldapAccountAttrs; + $ldapAccountAttrs = array( + 'cn', + 'serialnumber', + 'uid', + 'uidnumber', + 'gidnumber', + 'unixhomedirectory', + 'loginshell', + + 'shadowlastchange', + 'shadowexpire', + 'shadowwarning', + 'shadowmin', + 'shadowmax', + 'shadowinactive', + +/* + 'gecos', + 'mail', + 'telephonenumber', + 'mobile', + 'l', + 'street', + 'postaladdress', + 'postalcode', + 'homedirectory', +*/ + ); + + global $ldapGroupAttrs; + $ldapGroupAttrs = array( + 'cn', + 'description', + 'member', + 'name', + 'samaccountname', + 'objectcategory', + 'gidnumber', // ennek kellene lennie - mitől lesz? +/* 'memberuid' */ + ); + + global $accountAttrToLDAP; // Kis és nagybetű számít!!! + $accountAttrToLDAP = array( + 'userAccount' => 'sAMAccountName', + 'userCn' => 'displayName', + 'mail' => 'mail', + 'studyId' => 'serialNumber', // Ez konfig-ban külön van állítva, az itteni érték irreleváns + 'shadowLastChange' => 'shadowLastChange', + 'shadowWarning' => 'shadowWarning', + 'shadowMin' => 'shadowMin', + 'shadowMax' => 'shadowMax', + 'shadowExpire' => 'shadowExpire', + 'shadowInactive' => 'shadowInactive', + ); + + global $groupAttrToLDAP; + $groupAttrToLDAP = array( + 'groupCn' => 'cn', + 'groupDesc' => 'description', + 'member' => 'member', + ); + + global $ldapAccountAttrDef; + $ldapAccountAttrDef = array( + 'dn' => array('desc' => _LDAPDN, 'type' => 'text', 'rights' => 'rrr'), + 'cn' => array('desc' => _LDAPCN, 'type' => 'text', 'rights' => 'rrr'), + 'sn' => array('desc' => _LDAPSN, 'type' => 'text', 'rights' => 'wrr'), + 'givenname' => array('desc' => _LDAPGIVENNAME, 'type' => 'text'), + 'serialnumber' => array('desc' => _LDAPSERIALNUMBER, 'type' => 'int', 'rights' => 'wrr'), + 'displayname' => array('desc' => _LDAPCN, 'type' => 'text', 'rights' => 'wrr'), + 'name' => array('desc' => _LDAPNAME, 'type' => 'text', 'rights' => 'r--'), + 'padpwdcount' => array('desc' => _LDAPBADPWDCOUNT, 'type' => 'int', 'rights' => 'wrr'), + 'badpasswordtime' => array('desc' => _LDAPBADPASSWORDTIME, 'type' => 'int', 'rights' => 'r--'), + 'lastlogon' => array('desc' => _LDAPLASTLOGON, 'type' => 'int', 'rights' => 'r--'), + 'pwdlastset' => array('desc' => _LDAPPWDLASTSET, 'type' => 'int', 'rights' => 'r--'), + 'accountexpires' => array('desc' => _LDAPACCOUNTEXPIRES, 'type' => 'int', 'rights' => 'wrr'), + 'samaccountname' => array('desc' => _LDAPSAMACCOUNTNAME, 'type' => 'text', 'rights' => 'wrr'), + 'useraccountcontrol' => array('desc' => _USERACCOUNTCONTROL, 'type' => 'text', 'rights' => 'wrr'), + 'userprincipalname' => array('desc' => _LDAPUSERPRINCIPALNAME, 'type' => 'text', 'rights' => 'wrr'), + 'objectcategory' => array('desc' => _LDAPOBJECTCATEGORY, 'type' => 'text', 'rights' => 'r--'), + 'uid' => array('desc' => _LDAPUID, 'type' => 'text', 'rights' => 'rrr'), + 'uidnumber' => array('desc' => _LDAPUIDNUMBER, 'type' => 'int', 'rights' => 'w--'), + 'gidnumber' => array('desc' => _LDAPGIDNUMBER, 'type' => 'int', 'rights' => 'w--'), + 'mssfu30name' => array('desc' => _LDAPUID, 'type' => 'text', 'rights' => 'r--'), + 'unixhomedirectory' => array('desc' => _LDAPUNIXHOMEDIRECTORY, 'type' => 'text', 'rights' => 'wrr'), + 'loginshell' => array('desc' => _LDAPLOGINSHELL, 'type' => 'text', 'rights' => 'wrr'), + 'shadowlastchange' => array('desc' => _LDAPSHADOWLASTCHANGE, 'type' => 'text', 'rights' => 'wrr'), + 'shadowexpire' => array('desc' => _LDAPSHADOWEXPIRE, 'type' => 'text', 'rights' => 'wrr'), + 'shadowwarning' => array('desc' => _LDAPSHADOWWARNING, 'type' => 'text', 'rights' => 'wrr'), + 'shadowmin' => array('desc' => _LDAPSHADOWMIN, 'type' => 'text', 'rights' => 'wrr'), + 'shadowmax' => array('desc' => _LDAPSHADOWMAX, 'type' => 'text', 'rights' => 'wrr'), + 'shadowinactive' => array('desc' => _LDAPSHADOWINACTICE, 'type' => 'text', 'rights' => 'wrr'), +/* + 'gecos' => array('desc' => _LDAPGECOS, 'type' => 'text', 'rights' => 'w--'), + 'mail' => array('desc' => _LDAPMAIL, 'type' => 'text', 'rights' => 'wwr'), + 'telephonenumber' => array('desc' => _LDAPTELEPHONENUMBER, 'type' => 'text', 'rights' => 'ww-'), + 'mobile' => array('desc' => _LDAPMOBILE, 'type' => 'text', 'rights' => 'ww-'), + 'l' => array('desc' => _LDAPL, 'type' => 'text'), + 'street' => array('desc' => _LDAPSTREET, 'type' => 'text'), + 'postaladdress' => array('desc' => _LDAPPOSTALADDRESS, 'type' => 'text'), + 'postalcode' => array('desc' => _LDAPPOSTALCODE, 'type' => 'text'), +*/ + ); + + global $ldapGroupAttrDef; + $ldapGroupAttrDef = array( + 'cn' => array('desc' => _LDAPCN, 'type' => 'text','rights' => 'rrr'), + 'name' => array('desc' => _LDAPNAME, 'type' => 'text','rights' => 'rrr'), + 'samaccountname' => array('desc' => _LDAPSAMACCOUNTNAME, 'type' => 'text','rights' => 'wrr'), + 'description' => array('desc' => _LDAPDESCRIPTION, 'type' => 'text'), + 'gidnumber' => array('desc' => _LDAPGIDNUMBER, 'type' => 'int','rights' => 'w--'), + 'member' => array('desc' => _LDAPMEMBER, 'type' => 'select'), + 'objectcategory' => array('desc' => _LDAPOBJECTCATEGORY, 'type' => 'text','rights' => 'rrr'), + + 'memberuid' => array('desc' => _LDAPMEMBERUID, 'type' => 'select'), + ); + +?> diff --git a/mayor-orig/www/include/backend/ldap-ng/password/changePassword.php b/mayor-orig/www/include/backend/ldap-ng/password/changePassword.php new file mode 100644 index 00000000..aa4cd91d --- /dev/null +++ b/mayor-orig/www/include/backend/ldap-ng/password/changePassword.php @@ -0,0 +1,161 @@ +<?php +/* + + Module: base/password + + function changeMyPassword($userAccount, $userPassword, $newPassword, $verification) + A függvény nem vizsgálja, hogy jogosultak vagyunk-e a jelszó megváltoztatására. + Ennek eldöntése a függvényt hívó program feladata +*/ + +############################################################################ +# Jelszó kódolása (az Active Directory ezt használja....) +############################################################################ + +function LDAPEncodePassword($password) { + + return mb_convert_encoding("\"".$password."\"", "UTF-16LE", "UTF-8"); + +} + +############################################################################ +# Saját jelszó megváltoztatása +############################################################################ + +/* ************************************************************************* + A leírások szerint a felhasználó maga is megváltoztathatja jelszavát. + Ennek módja az unicodePw attribútum törlése (a régi jelszó értéke szerint), + és felvétele új értékkel - mindenz elvileg egy lépésben. + + A PHP ldap_mod* függvények ezt az egy lépésben kétféle módosítást nem + támogatják. De a helyzet az, hogy a módosítás perl-ből és parancssorból + sem működik... +************************************************************************* */ + +function changeMyPassword($userAccount, $userPassword, $newPassword, $toPolicy = '') { + + global $AUTH; + + if ($toPolicy == '') $toPolicy = $_REQUEST['toPolicy']; + $userDn = LDAPuserAccountToDn($userAccount, $toPolicy); + + // Csatlakozzás az AD kiszolgálóhoz (SSL szükséges!) + $ds = ldap_connect($AUTH[$toPolicy]['ldapHostname']); + if (!$ds) { + // nem sikerült csatlakozni + $_SESSION['alert'][] = 'message:ldap_failure'; + return false; + } + + // Az eredeti jelszó ellenőrzése - csatlakozással + $b_ok = ldap_bind($ds,$userDn,$userPassword); + if (!$b_ok) { + // Talán a régi jelszót elgépelte, vagy le van tiltva... + $_SESSION['alert'][] = 'message:ldap_bind_failure:'.$userDn.':changeMyPassword - hibás a régi jelszó?'; + ldap_close($ds); + return false; + } + + // A régi és új jelszavak átkódolása + $newUnicodePwd = base64_encode(LDAPEncodePassword($newPassword)); + $oldUnicodePwd = base64_encode(LDAPEncodePassword($userPassword)); + // A php ldap_mod* függvényei nem tudnak egy lépésben többféle módosítást elküldeni + // ezért a parancssoros ldapmodify-t kell meghívnunk... + $ldif=<<<EOT +dn: $userDn +changetype: modify +delete: unicodePwd +unicodePwd:: $oldUnicodePwd +- +add: unicodePwd +unicodePwd:: $newUnicodePwd +- +EOT; + $cmd = sprintf("/usr/bin/ldapmodify -H %s -D '%s' -x -w %s", $AUTH[$toPolicy]['ldapHostname'], $userDn, $userPassword); + + if (($fh = popen($cmd, 'w')) === false ) { + // Nem sikerült megnyitni a csatornát - mikor is lehet ilyen? Ha nincs ldapmodify? + $_SESSION['alert'][] = 'message:popen_failure'; + return false; + } + fwrite($fh, "$ldif\n"); + pclose($fh); + + // Sikeres volt-e a jelszóváltoztatás? Próbáljunk újra csatlakozni az új jelszóval! + if (!@ldap_bind($ds, $userDn, $newPassword)) { + $_SESSION['alert'][] = 'message:bad_pw'; + return false; + } + + // Shadow attribútumok beállítása + // Ezekre nincs jogosultsága a felhasználónak, így csak AccountOperator-ként módosítható + // Ráadásul Windoes alatt változtatva a jelszót ezek nem változnak, így nem lehet számítani rájuk... + if (isset($AUTH[$toPolicy]['ldapAccountOperatorUser'])) { + $shadowLastChange = floor(time()/(60*60*24)); + $info['shadowLastChange'][0] = $shadowLastChange; + if (isset($AUTH[$toPolicy]['shadowExpire']) and $AUTH[$toPolicy]['shadowExpire'] != '') { + $info['shadowExpire'][0] = $AUTH[$toPolicy]['shadowExpire']; + } elseif (isset($AUTH[$toPolicy]['shadowMax']) and $AUTH[$toPolicy]['shadowMax'] != '') { + $info['shadowExpire'][0] = $shadowLastChange + intval($AUTH[$toPolicy]['shadowMax']); + } + + $b_ok = ldap_bind($ds,$AUTH[$toPolicy]['ldapAccountOperatorUser'],$AUTH[$toPolicy]['ldapAccountOperatorPw']); + if (!$b_ok) { $_SESSION['alert'][] = 'message:ldap_bind_failure'; return false; } + $r = @ldap_mod_replace($ds, $userDn, $info); + if (!$r) { + $_SESSION['alert'][] = 'message:ldap_modify_failure:changeMyPassword'; + return false; + } + } + ldap_close($ds); + $_SESSION['alert'][] = 'info:pw_change_success'; + return true; + +} + +############################################################################ +# Adminisztrátori jelszó változtatás +############################################################################ + +function changePassword($userAccount, $newPassword, $toPolicy = '') { + + global $AUTH; + + if ($toPolicy == '') $toPolicy = _POLICY; + $userDn = LDAPuserAccountToDn($userAccount, $toPolicy); + $shadowLastChange = floor(time()/(60*60*24)); + + $ds = ldap_connect($AUTH[$toPolicy]['ldapHostname']); + if ($ds) { + $b_ok = ldap_bind($ds,_USERDN,_USERPASSWORD); + if ($b_ok) { + $info['unicodePwd'][0] = LDAPEncodePassword($newPassword); + // Ezekre nincs jogosultsága a felhasználónak, nem változnak: + // _SHADOWMIN, _SHADOWMAX, _SHADOWWARNING, _SHADOWINACTIVE + $info['shadowLastChange'][0] = $shadowLastChange; + if (isset($AUTH[$toPolicy]['shadowExpire']) and $AUTH[$toPolicy]['shadowExpire'] != '') { + $info['shadowExpire'][0] = $AUTH[$toPolicy]['shadowExpire']; + } elseif (isset($AUTH[$toPolicy]['shadowMax']) and $AUTH[$toPolicy]['shadowMax'] != '') { + $info['shadowExpire'][0] = $shadowLastChange + intval($AUTH[$toPolicy]['shadowMax']); + } + $r = @ldap_mod_replace($ds,$userDn,$info); + ldap_close($ds); + if ($r) { + $_SESSION['alert'][] = 'info:pw_change_success'; + return true; + } else { + $_SESSION['alert'][] = 'message:ldap_modify_failure:changePassword'; + return false; + } + } else { + $_SESSION['alert'][] = 'message:ldap_bind_failure:'._USERDN.':changePassword'; + ldap_close($ds); + return false; + } + } else { + $_SESSION['alert'][] = 'message:ldap_failure'; + return false; + } +} + +?> diff --git a/mayor-orig/www/include/backend/ldap-ng/session/accountInfo.php b/mayor-orig/www/include/backend/ldap-ng/session/accountInfo.php new file mode 100644 index 00000000..d3733ba2 --- /dev/null +++ b/mayor-orig/www/include/backend/ldap-ng/session/accountInfo.php @@ -0,0 +1,401 @@ +<?php +/* + Module: base/auth-ldap-ng + Backend: ldap-ng + + function getLDAPInfo($userDn, $attrList=array('cn'), $toPolicy = '') + function ldapGetAccountInfo($userAccount, $toPolicy = _POLICY) + function ldapGetUserInfo($userAccount, $toPolicy = _POLICY) + function ldapChangeAccountInfo($userAccount, $toPolicy = _POLICY) + function ldapGetGroupInfo($groupCn, $toPolicy = _POLICY) + +*/ + +###################################################### +# getLDAPInfo - általános LDAP lekérdezés +###################################################### + + + function getLDAPInfo($Dn, $attrList=array('cn'), $toPolicy = _POLICY) { + + global $AUTH; + + // Kapcsolódás az LDAP szerverhez + $ds = @ldap_connect($AUTH[$toPolicy]['ldapHostname']); + if (!$ds) { + $_SESSION['alert'][] = 'alert:ldap_connect_failure'; + return false; + } + + // Csatlakozás a szerverhez + $r = @ldap_bind($ds, _USERDN, _USERPASSWORD); + if (!$r) { + $_SESSION['alert'][] = 'message:ldap_bind_failure'; + ldap_close($ds); + return false; + } + + // Keresés + $filter = '(objectclass=*)'; + $sr = @ldap_search($ds, $Dn, $filter, $attrList); + if (!$sr) { + $_SESSION['alert'][] = "message:ldap_search_failure:".$Dn; + ldap_close($ds); + return false; + } + + $info = @ldap_get_entries($ds,$sr); + ldap_close($ds); + + return $info; + + } + +########################################################### +# ldapGetAccountInfo - felhasználói információk (backend) +########################################################### + + function ldapGetAccountInfo($userAccount, $toPolicy = _POLICY) { + + global $backendAttrs, $backendAttrDef; + + if (!isset($backendAttrs)) list($backendAttrs, $backendAttrDef) = getBackendAttrs('Account', $toPolicy); + + $userDn = LDAPuserAccountToDn($userAccount, $toPolicy); + + $result = getLDAPInfo($userDn, $backendAttrs, $toPolicy); + if ($result === false) { + return false; + } else { + + // LDAP schema --> mayor schema konverzió + for ($i = 0; $i < $result['count']; $i++) { + // Egységes szerkezetre alakítjuk, azaz a dn is indexelt + foreach ($backendAttrDef as $attr => $def) { + // Egységes szerkezetre alakítjuk, azaz a dn is indexelt + if ($attr == 'dn') $return[$i]['dn'] = array('count' => 1, 0 => $result[$i]['dn']); + elseif (isset($result[$i][$attr])) $return[$i][$attr] = $result[$i][$attr]; + else $return[$i][$attr] = array('count' => 0); + } + } + return $return[0]; + + } + + } + +############################################################# +# ldapGetUserInfo - felhasználói információk (keretrendszer) +############################################################# + + function ldapGetUserInfo($userAccount, $toPolicy = _POLICY) { + + global $accountAttrToLDAP, $ldapAttrDef; + $userDn = LDAPuserAccountToDn($userAccount, $toPolicy); + + $result = getLDAPInfo($userDn, array_values($accountAttrToLDAP), $toPolicy); + if ($result === false) { + return false; + } else { + + $result[0]['dn'] = array('count' => 1, 0 => $result[0]['dn']); + // Egységes szerkezetre alakítjuk, azaz a dn is indexelt + LDAP --> MaYoR schema + foreach ($accountAttrToLDAP as $attr => $ldapAttr) { + $ldapAttr = kisbetus($ldapAttr); + if (isset($result[0][$ldapAttr])) $return[$attr] = $result[0][$ldapAttr]; + else $return[$attr] = array('count' => 0); + } + return $return; + + } + + } + +############################################################### +# ldapChangeAccountInfo - felhasználói információk módosítása +############################################################### + + function ldapChangeAccountInfo($userAccount, $toPolicy = _POLICY) { + + global $AUTH, $backendAttrs, $backendAttrDef; + + $userDn = LDAPuserAccountToDn($userAccount, $toPolicy); + + // Kapcsolódás az LDAP szerverhez + $ds = @ldap_connect($AUTH[$toPolicy]['ldapHostname']); + if (!$ds) { + $_SESSION['alert'][] = 'alert:ldap_connect_failure'; + return false; + } + + // Csatlakozás a szerverhez + $r = @ldap_bind($ds, _USERDN, _USERPASSWORD); + if (!$r) { + $_SESSION['alert'][] = 'message:ldap_bind_failure'; + ldap_close($ds); + return false; + } + + $emptyAttrs = explode(':',$_POST['emptyAttrs']); + $_alert = array(); + + // Attribútumonként módosítunk + foreach ($backendAttrs as $attr) { + + if ($backendAttrDef[$attr]['rights'] == '') $rigths = _DEFAULT_LDAP_RIGHTS; + else $rights = $backendAttrDef[$attr]['rights']; + + if ($rights[_ACCESS_AS] == 'w') { + $mod_info = $add_info = $del_info = Array(); + $values = array(); + + if ($backendAttrDef[$attr]['type'] == 'image') { + $file = $_FILES[$attr]['tmp_name']; + if (file_exists($file)) { + $fd = fopen($file,'r'); + $values[0]=fread($fd,filesize($file)); + fclose($fd); + } else { + // Sose töröljük! + $emptyAttrs[] = $attr; + } + } elseif ($backendAttrDef[$attr]['type'] == 'timestamp') { + if ($_POST[$attr][0] != '' and $_POST[$attr][1] != '' and $_POST[$attr][2] != '') { + $values[0] = $_POST[$attr][0].$_POST[$attr][1].$_POST[$attr][2].'010101Z'; + } + } else { + if ($backendAttrDef[$attr]['type'] != '' ) $values[0] = $_POST[$attr]; + } + + if ($backendAttrDef[$attr]['type'] == 'select') { + if ($_POST['new-'.$attr][0] != '') $add_info[$attr] = $_POST['new-'.$attr]; + if ($_POST['del-'.$attr][0] != '') $del_info[$attr] = $_POST['del-'.$attr]; + } elseif (in_array($attr,$emptyAttrs)) { + if ($values[0] != '') $add_info[$attr] = $values; + } else { + if ($values[0] != '') { + $mod_info[$attr] = $values; + } else { + $del_info[$attr] = Array(); + } + } + + if (count($add_info)!=0) { + if (!@ldap_mod_add($ds,$userDn,$add_info)) { + $_alert[] = 'message:insufficient_access:add:'.$attr; + } + } + if (count($mod_info)!=0) { + if (!@$r = ldap_mod_replace($ds,$userDn,$mod_info)) { + $_alert[] = 'message:insufficient_access:mod:'.$attr; + } + } + if (count($del_info)!=0) { + if (!@ldap_mod_del($ds,$userDn,$del_info)) { + $_alert[] = 'message:insufficient_access:del:'.$attr; + } + } + + } else { +// $_alert[] = 'message:insufficient_access:'.$attr; + } + } // foreach + + ldap_close($ds); + if (count($_alert) == 0) $_SESSION['alert'][] = 'info:change_success'; + else for ($i = 0;$i < count($_alert);$i++) $_SESSION['alert'][] = $_alert[$i]; + + } + +########################################################### +# ldapGetGroupInfo - csoport információk (backend) +########################################################### + + function ldapGetGroupInfo($groupCn, $toPolicy = _POLICY) { + + global $backendAttrs, $backendAttrDef; + + + if (!isset($backendAttrs)) list($backendAttrs, $backendAttrDef) = getBackendAttrs('Group', $toPolicy); + + $groupDn = LDAPgroupCnToDn($groupCn, $toPolicy); + + $result = getLDAPInfo($groupDn, $backendAttrs, $toPolicy); + if ($result === false) { + return false; + } else { + + // Accountok lekérdezése + $info = getLDAPaccounts($toPolicy); + for ($i = 0; $i < $info['count']; $i++) { + $accountUid[] = array( + 'value' => $info[$i]['uid'][0], + 'txt' => $info[$i]['displayname'][0] + ); + $accountDn[] = array( + 'value' => $info[$i]['dn'], + 'txt' => $info[$i]['displayname'][0] + ); + } + + // LDAP schema --> mayor schema konverzió + for ($i = 0; $i < $result['count']; $i++) { + // Egységes szerkezetre alakítjuk, azaz a dn is indexelt + foreach ($backendAttrDef as $attr => $def) { + // Egységes szerkezetre alakítjuk, azaz a dn is indexelt + if ($attr == 'dn') $return[$i]['dn'] = array('count' => 1, 0 => $result[$i]['dn']); + elseif (isset($result[$i][$attr])) $return[$i][$attr] = $result[$i][$attr]; + else $return[$i][$attr] = array('count' => 0); + } + $return[$i]['member']['new'] = $accountDn; + $return[$i]['memberuid']['new'] = $accountUid; + } + + return $return[0]; + + } + + } + +############################################################### +# ldapChangeGroupInfo - csoport információk módosítása +############################################################### + + function ldapChangeGroupInfo($groupCn, $toPolicy = _POLICY) { + +// !!!! A memberuid / member szinkronjára nem figyel!! + + global $AUTH, $backendAttrs, $backendAttrDef; + + $groupDn = LDAPgroupCnToDn($groupCn, $toPolicy); + + // Kapcsolódás az LDAP szerverhez + $ds = @ldap_connect($AUTH[$toPolicy]['ldapHostname']); + if (!$ds) { + $_SESSION['alert'][] = 'alert:ldap_connect_failure'; + return false; + } + + // Csatlakozás a szerverhez + $r = @ldap_bind($ds, _USERDN, _USERPASSWORD); + + if (!$r) { + $_SESSION['alert'][] = 'message:ldap_bind_failure'; + ldap_close($ds); + return false; + } + + $emptyAttrs = explode(':',$_POST['emptyAttrs']); + $_alert = array(); + + // Attribútumonként módosítunk + foreach ($backendAttrs as $attr) { + + if ($backendAttrDef[$attr]['rights'] == '') $rigths = _DEFAULT_LDAP_RIGHTS; + else $rights = $backendAttrDef[$attr]['rights']; + + if ($rights[_ACCESS_AS] == 'w') { + + $mod_info = $add_info = $del_info = Array(); + $values = array(); + + if ($backendAttrDef[$attr]['type'] == 'image') { + $file = $_FILES[$attr]['tmp_name']; + if (file_exists($file)) { + $fd = fopen($file,'r'); + $values[0]=fread($fd,filesize($file)); + fclose($fd); + } else { + // Sose töröljük! + $emptyAttrs[] = $attr; + } + } elseif ($backendAttrDef[$attr]['type'] == 'timestamp') { + if ($_POST[$attr][0] != '' and $_POST[$attr][1] != '' and $_POST[$attr][2] != '') { + $values[0] = $_POST[$attr][0].$_POST[$attr][1].$_POST[$attr][2].'010101Z'; + } + } else { + if ($backendAttrDef[$attr]['type'] != '') + if (isset($_POST[$attr])) $values[0] = $_POST[$attr]; + else $values[0] = ''; + } + + if ($backendAttrDef[$attr]['type'] == 'select') { + if (isset($_POST['new-'.$attr][0]) && $_POST['new-'.$attr][0] != '') $add_info[$attr] = $_POST['new-'.$attr]; + if (isset($_POST['del-'.$attr][0]) && $_POST['del-'.$attr][0] != '') $del_info[$attr] = $_POST['del-'.$attr]; + } elseif (in_array($attr,$emptyAttrs)) { + if ($values[0] != '') $add_info[$attr] = $values; + } else { + if ($values[0] != '') { + $mod_info[$attr] = $values; + } else { + $del_info[$attr] = Array(); + } + + } + + if (count($add_info)!=0) { + if (!@ldap_mod_add($ds,$groupDn,$add_info)) { + $_alert[] = 'message:insufficient_access:add:'.$attr; + } + } + if (count($mod_info)!=0) { + if (!@ldap_mod_replace($ds,$groupDn,$mod_info)) { + $_alert[] = 'message:insufficient_access:mod:'.$attr; + } + } + if (count($del_info)!=0) { + if (!@ldap_mod_del($ds,$groupDn,$del_info)) { + $_alert[] = 'message:insufficient_access:del:'.$attr; + } + } + + } else { +// $_alert[] = 'message:insufficient_access:'.$attr; + } + } // foreach + + ldap_close($ds); + if (count($_alert) == 0) $_SESSION['alert'][] = 'info:change_success'; + else for ($i=0;$i<count($_alert);$i++) $_SESSION['alert'][] = $_alert[$i]; + + } + + function getLDAPaccounts($toPolicy = _POLICY) { + + global $AUTH; + + // Kapcsolódás az LDAP szerverhez + $ds = @ldap_connect($AUTH[$toPolicy]['ldapHostname']); + if (!$ds) { + $_SESSION['alert'][] = 'alert:ldap_connect_failure'; + return false; + } + + // Csatlakozás a szerverhez + $r = @ldap_bind($ds, _USERDN, _USERPASSWORD); + if (!$r) { + $_SESSION['alert'][] = 'message:ldap_bind_failure'; + ldap_close($ds); + return false; + } + + // Keresés + $attrList = array('cn','uid','displayName','samaccountname'); + $filter = '(&(objectclass=person)(!(objectclass=computer)))'; + $sr = @ldap_search($ds, $AUTH[$toPolicy]['ldapBaseDn'], $filter, $attrList); + if (!$sr) { + $_SESSION['alert'][] = "message:ldap_search_failure:".$userDn; + ldap_close($ds); + return false; + } + + ldap_sort($ds, $sr, 'displayname'); + $info = @ldap_get_entries($ds,$sr); + ldap_close($ds); + + return $info; + + } + + +?> diff --git a/mayor-orig/www/include/backend/ldap-ng/session/base.php b/mayor-orig/www/include/backend/ldap-ng/session/base.php new file mode 100644 index 00000000..196e431c --- /dev/null +++ b/mayor-orig/www/include/backend/ldap-ng/session/base.php @@ -0,0 +1,184 @@ +<?php +/* + Module: base/session + Backend: ldap-ng + + function LDAPuserAccountToDn($userAccount = _USERACCOUNT, $toPolicy = _POLICY) + function ldapMemberOf($userAccount, $group, $toPolicy = _POLICY) + +*/ + + require('include/backend/ldap-ng/base/attrs.php'); + + ldap_set_option(NULL, LDAP_OPT_PROTOCOL_VERSION, 3); + ldap_set_option(NULL, LDAP_OPT_REFERRALS, 0); + + if ($AUTH[_POLICY]['backend'] == 'ldap-ng') { + /* why not put into session cache */ + if ($AUTH[_POLICY]['cacheable']=='yes') { + $userDn = _queryCache('RDN',_POLICY,'value'); + } + if (!isset($userDn)) $userDn = LDAPuserAccountToDn(); + define('_USERDN', $userDn); + if ($AUTH[_POLICY]['cacheable']=='yes') _registerToCache('RDN',$userDn,_POLICY); + unset($userDn); + } + +###################################################### +# A _USERACCOUNT(uid)-hoz tartozó dn lekérdezése +###################################################### + + function LDAPuserAccountToDn($userAccount = _USERACCOUNT, $toPolicy = _POLICY) { + + global $AUTH; + + // Kapcsolódás a szerverhez + $ds = @ldap_connect($AUTH[$toPolicy]['ldapHostname']); + if (!$ds) { + $_SESSION['alert'][] = 'alert:ldap_connect_failure'; + return false; + } + + // Csatlakozás a szerverhez + $r = @ldap_bind($ds,$AUTH[$toPolicy]['ldapUser'],$AUTH[$toPolicy]['ldapPw']); + if (!$r) { + $_SESSION['alert'][] = 'message:ldap_bind_failure'; + return false; + } + + // Van-e adott azonosítójú felhasználó? + $filter="(&(".$AUTH[$toPolicy]['ldapUserAccountAttr']."=$userAccount)(objectClass=".$AUTH[$toPolicy]['ldapUserObjectClass']."))"; + $justthese=array($AUTH[$toPolicy]['ldapCnAttr']); + $sr = ldap_search($ds, $AUTH[$toPolicy]['ldapBaseDn'], $filter, $justthese); + if (!$sr) { + $_SESSION['alert'][] = "message:ldap_search_failure"; + ldap_close($ds); + return false; + } + $info=ldap_get_entries($ds,$sr); + ldap_close($ds); + + if ( $info['count'] === 0 ) { + // Nincs ilyen userAccount (uid) + $_SESSION['alert'][] = "message:no_account:$userAccount"; + return false; + } elseif ( $info['count'] > 1 ) { + // Több ilyen uid is van + $_SESSION['alert'][] = "message:multi_uid:$userAccount"; + return false; + } + + if ($info['count']==1) { // Van - egy - ilyen felhasználó + return $info[0]['dn']; + } + + } + + +###################################################### +# A groupCn(cn)-hez tartozó dn lekérdezése +###################################################### + + function LDAPgroupCnToDn($groupCn, $toPolicy = _POLICY) { + + global $AUTH; + + // Kapcsolódás a szerverhez + $ds = @ldap_connect($AUTH[$toPolicy]['ldapHostname']); + if (!$ds) { + $_SESSION['alert'][] = 'alert:ldap_connect_failure'; + return false; + } + + // Csatlakozás a szerverhez + $r = @ldap_bind($ds,$AUTH[$toPolicy]['ldapUser'],$AUTH[$toPolicy]['ldapPw']); + if (!$r) { + $_SESSION['alert'][] = 'message:ldap_bind_failure'; + return false; + } + + // Van-e ilyen csoport? + $filter="(&(".$AUTH[$toPolicy]['ldapGroupCnAttr']."=$groupCn)(objectClass=".$AUTH[$toPolicy]['ldapGroupObjectClass']."))"; + $justthese=array($AUTH[$toPolicy]['ldapGroupCnAttr']); + $sr = ldap_search($ds, $AUTH[$toPolicy]['ldapBaseDn'], $filter, $justthese); + if (!$sr) { + $_SESSION['alert'][] = "message:ldap_search_failure"; + ldap_close($ds); + return false; + } + $info=ldap_get_entries($ds,$sr); + ldap_close($ds); + + if ( $info['count'] === 0 ) { + // Nincs ilyen groupCn (cn) - hibaüzenet csak akkor, ha nem kategóriáról van szó... + if (!in_array($groupCn, array_map('ekezettelen', $AUTH[$toPolicy]['categories']))) $_SESSION['alert'][] = "message:no_group:$groupCn"; + return false; + } elseif ( $info['count'] > 1 ) { + // Több ilyen cn is van + $_SESSION['alert'][] = "message:multi_gid:$groupCn"; + return false; + } + + if ($info['count']==1) { // Van - egy - ilyen csoport + return $info[0]['dn']; + } + + } + +###################################################### +# memberOf - csoport tag-e +###################################################### + + function ldapMemberOf($userAccount, $group, $toPolicy = _POLICY) { + + global $AUTH; + + $userDn = LDAPuserAccountToDn($userAccount, $toPolicy); + /* Kis hack: csoport-tagság helyett vizsgáljuk előbb a megfelelő szervezeti egységet... de ezt nem biztos, hogy érdemes... */ + if (in_array($group, $AUTH[$toPolicy]['categories'])) { + if (strpos($userDn, ',ou='.ekezettelen($group).',') !== false) return true; + } + + if (substr($group,0,3) != 'cn=') { + $groupDn = LDAPgroupCnToDn(ekezettelen($group)); + if (!$groupDn) return false; // Ha nincs ilyen csoport az LDAP fában + } else { + $groupDn = $group; + } + + // Kapcsolódás az LDAP szerverhez + $ds = @ldap_connect($AUTH[$toPolicy]['ldapHostname']); + if (!$ds) { + $_SESSION['alert'][] = 'alert:ldap_connect_failure'; + return false; + } + + // Csatlakozás a szerverhez + $r = @ldap_bind($ds,$AUTH[$toPolicy]['ldapUser'],$AUTH[$toPolicy]['ldapPw']); + if (!$r) { + $_SESSION['alert'][] = 'message:ldap_bind_failure'; + ldap_close($ds); + return false; + } + + $justthese = array('cn'); // valamit le kell kérdezni... + $filter = "(&(objectClass=".$AUTH[$toPolicy]['ldapGroupObjectClass'].")(member=$userDn))"; + $sr = @ldap_search($ds, $groupDn, $filter, $justthese); + if (!$sr) { + $_SESSION['alert'][] = "message:ldap_search_failure:".$filter; + ldap_close($ds); + return false; + } + + $info = ldap_get_entries($ds, $sr); + ldap_close($ds); + + if ($info['count'] > 0) { + return true; + } else { + return false; + } + + } + +?> diff --git a/mayor-orig/www/include/backend/ldap-ng/session/createAccount.php b/mayor-orig/www/include/backend/ldap-ng/session/createAccount.php new file mode 100644 index 00000000..db62a348 --- /dev/null +++ b/mayor-orig/www/include/backend/ldap-ng/session/createAccount.php @@ -0,0 +1,157 @@ +<?php +/* + Modules: base/session +*/ + + require_once('include/backend/ldap-ng/password/changePassword.php'); + + /* + $SET = array( + container => a konténer elem - ha nincs, akkor CN=Users alá rakja + category => tanár, diák... egy kiemelt fontosságú csoport tagság + groups => egyéb csoportok + policyAttrs => policy függő attribútumok + ) + */ + function ldapCreateAccount( + $userCn, $userAccount, $userPassword, $toPolicy, $SET + ) { + + global $AUTH; + + $shadowLastChange = floor(time() / (60*60*24)); + + // $toPolicy --> ldap backend - ellenőrzés! + if ($AUTH[$toPolicy]['backend'] != 'ldap-ng') { + $_SESSION['alert'][] = 'page:wrong_backend:'.$AUTH[$toPolicy]['backend']; + return false; + } + + // Kapcsolódás az LDAP szerverhez + $ds = @ldap_connect($AUTH[$toPolicy]['ldapHostname']); + if (!$ds) { + $_SESSION['alert'][] = 'alert:ldap_connect_failure'; + return false; + } + + // Csatlakozás a szerverhez + $r = @ldap_bind($ds, _USERDN, _USERPASSWORD); + if (!$r) { + $_SESSION['alert'][] = 'message:ldap_bind_failure'; + ldap_close($ds); + return false; + } + + $info = $ginfo = Array(); + + // uid ütközés ellenőrzése + $filter = "(sAMAccountName=$userAccount)"; + $justthese = array('sAMAccountName'); + $sr = ldap_search($ds, $AUTH[$toPolicy]['ldapBaseDn'], $filter, $justthese); + $uinfo = ldap_get_entries($ds, $sr); + $uidCount = $uinfo['count']; + ldap_free_result($sr); + if ($uidCount > 0) { + $_SESSION['alert'][] = 'message:multi_uid:'.$userAccount; + return false; + } + + // Az következő uidNumber megállapítása + $filter = "(&(objectclass=".$AUTH[$toPolicy]['ldapUserObjectClass'].")(uidNumber=*))"; + $justthese = array('uidNumber', 'msSFU30UidNumber'); + $sr = ldap_search($ds,$AUTH[$toPolicy]['ldapBaseDn'], $filter, $justthese); + ldap_sort($ds, $sr, 'uidNumber'); + $uinfo = ldap_get_entries($ds, $sr); + ldap_free_result($sr); + if (isset($uinfo['count']) && $uinfo['count'] > 0) $info['uidNumber'] = array($uinfo[ $uinfo['count']-1 ]['uidnumber'][0]+1); + else $info['uidNumber'] = array(1001); + + // shadow attributumok... + // A shadowLastChange a mai nap // if (isset($AUTH[$toPolicy]['shadowlastchange']) && $AUTH[$toPolicy]['shadowlastchange'] != '') + $info['shadowLastChange'] = array($shadowLastChange); + if (isset($AUTH[$toPolicy]['shadowMin']) && $AUTH[$toPolicy]['shadowMin'] != '') $info['shadowMin'] = array($AUTH[$toPolicy]['shadowMin']); + if (isset($AUTH[$toPolicy]['shadowMax']) && $AUTH[$toPolicy]['shadowMax'] != '') $info['shadowMax'] = array($AUTH[$toPolicy]['shadowMax']); + if (isset($AUTH[$toPolicy]['shadowWarning']) && $AUTH[$toPolicy]['shadowWarning'] != '') $info['shadowWarning'] = array($AUTH[$toPolicy]['shadowWarning']); + if (isset($AUTH[$toPolicy]['shadowInactive']) && $AUTH[$toPolicy]['shadowInactive'] != '') $info['shadowInactive'] = array($AUTH[$toPolicy]['shadowInactive']); + if (isset($AUTH[$toPolicy]['shadowExpire']) && $AUTH[$toPolicy]['shadowWxpire'] != '') $info['shadowExpire'] = array($AUTH[$toPolicy]['shadowExpire']); + + // A szokásos attribútumok + $Name = explode(' ',$userCn); + $Dn = ldap_explode_dn($AUTH[$toPolicy]['ldapBaseDn'], 1); unset($Dn['count']); + $info['userPrincipalName'] = array( $userAccount.'@'.implode('.', $Dn)); + $info['msSFU30Name'] = $info['sAMAccountName'] = $info['cn'] = array($userAccount); + $info['displayName'] = array($userCn); + $info['sn'] = array($Name[0]); + $info['givenName'] = array($Name[ count($Name)-1 ]); + $info['unixUserPassword'] = array('ABCD!efgh12345$67890'); + $info['unixHomeDirectory'] = array(ekezettelen("/home/$userAccount")); + $info['loginShell'] = array('/bin/bash'); + $info['objectClass'] = array($AUTH[$toPolicy]['ldapUserObjectClass'], 'user'); + + $policyAccountAttrs = $SET['policyAttrs']; + if (isset($policyAccountAttrs['studyId'])) $info[ $AUTH[$toPolicy]['ldapStudyIdAttr'] ] = array($policyAccountAttrs['studyId']); + foreach ($policyAccountAttrs as $attr => $value) + if ($attr != 'studyId' && isset($accountAttrToLDAP[$attr])) + $info[ $accountAttrToLDAP[$attr] ] = array($value); + + if (isset($SET['container'])) $dn = "CN=$userAccount,".$SET['container']; + else $dn = "CN=$userAccount,CN=Users,".$AUTH[$toPolicy]['ldapBaseDn']; + + // user felvétel + $_r1 = @ldap_add($ds,$dn,$info); + if (!$_r1) { + $_SESSION['alert'][] = 'message:ldap_error:Add user:'.ldap_error($ds); + //echo $dn.'<pre>'; var_dump($info); echo '</pre>'; + return false; + } + + // Jelszó beállítás + if (!changePassword($userAccount, $userPassword, $toPolicy)) $_SESSION['alert'][] = 'message:ldap_error:changePassword failed:'.$userAccount; + + // Engedélyezés + $einfo = array('userAccountControl' => array(512)); /* Normal account = 512 */ + $_r1 = @ldap_mod_replace($ds,$dn,$einfo); + if (!$_r1) { + $_SESSION['alert'][] = 'message:ldap_error:Enable user:'.ldap_error($ds); + //echo $dn.'<pre>'; var_dump($info); echo '</pre>'; + return false; + } + + // Kategória csoportba és egyéb csoportokba rakás + if (isset($SET['category'])) { + if (is_array($SET['groups'])) array_unshift($SET['groups'], $SET['category']); + else $SET['groups'] = array($SET['category']); + + $ginfo['member'] = $dn; + + for ($i = 0; $i < count($SET['groups']); $i++) { + $groupDn = LDAPgroupCnToDn($SET['groups'][$i], $toPolicy); + if ($groupDn !== false) { + $_r3 = @ldap_mod_add($ds, $groupDn, $ginfo); + if (!$_r3) { + $_SESSION['alert'][] = 'message:ldap_error:Add to group '.$SET['groups'][$i].':'.ldap_error($ds); + //echo $SET['groups'][$i].'<pre>'; var_dump($ginfo); echo '</pre>'; + } + } + } + } + + ldap_close($ds); + + if (defined('_DATADIR') + && isset($AUTH[$toPolicy]['createAccountScript']) + && file_exists(_DATADIR) + ) { + $sfp = fopen(_DATADIR.'/'.$AUTH[$toPolicy]['createAccountScript'],'a+'); + if ($sfp) { + fwrite($sfp,"\n# $userAccount létrehozása: userAccount uidNumber homeDirectory\n"); + fwrite($sfp,"createAccount.sh '$userAccount' '".$info['uidNumber'][0]."' '".$info['unixHomeDirectory'][0]."'\n"); + fclose($sfp); + } + } + $_SESSION['alert'][] = 'info:create_uid_success:'.$dn; + return true; + + } + +?> diff --git a/mayor-orig/www/include/backend/ldap-ng/session/createGroup.php b/mayor-orig/www/include/backend/ldap-ng/session/createGroup.php new file mode 100644 index 00000000..59c77c92 --- /dev/null +++ b/mayor-orig/www/include/backend/ldap-ng/session/createGroup.php @@ -0,0 +1,82 @@ +<?php +/* + Modules: base/session +*/ + + + function ldapCreateGroup($groupCn, $groupDesc, $toPolicy = _POLICY, $SET = array()) { + + global $AUTH; + $category = ekezettelen($SET['category']); + + // $toPolicy --> ldap backend - ellenőrzés! + if ($AUTH[$toPolicy]['backend'] != 'ldap-ng') { + $_SESSION['alert'][] = 'page:wrong_backend:'.$AUTH[$toPolicy]['backend']; + return false; + } + + // Kapcsolódás az LDAP szerverhez + $ds = @ldap_connect($AUTH[$toPolicy]['ldapHostname']); + if (!$ds) { + $_SESSION['alert'][] = 'alert:ldap_connect_failure'; + return false; + } + + // Csatlakozás a szerverhez + $r = @ldap_bind($ds, _USERDN, _USERPASSWORD); + if (!$r) { + $_SESSION['alert'][] = 'message:ldap_bind_failure'; + ldap_close($ds); + return false; + } + + $info = $ginfo = Array(); + + // cn ütközés ellenőrzése + $filter = "(&(objectclass=".$AUTH[$toPolicy]['ldapGroupObjectClass'].")(cn=$groupCn))"; + $justthese = array('cn'); + $sr = ldap_search($ds, $AUTH[$toPolicy]['ldapBaseDn'], $filter, $justthese); + $ginfo = ldap_get_entries($ds, $sr); + $gCount = $ginfo['count']; + ldap_free_result($sr); + if ($gCount > 0) { + $_SESSION['alert'][] = 'message:multi_uid:'.$groupCn; + return false; + } + + // Az következő gidNumber megállapítása + $filter = "(&(objectclass=".$AUTH[$toPolicy]['ldapGroupObjectClass'].")(gidNumber=*))"; + $justthese = array('gidNumber', 'msSFU30GidNumber'); + $sr = ldap_search($ds,$AUTH[$toPolicy]['ldapBaseDn'], $filter, $justthese); + ldap_sort($ds, $sr, 'gidNumber'); + $ginfo = ldap_get_entries($ds, $sr); + ldap_free_result($sr); + if (isset($ginfo['count']) && $ginfo['count'] > 0) $info['gidNumber'] = array($ginfo[ $ginfo['count']-1 ]['gidnumber'][0]+1); + else $info['gidNumber'] = array(1001); + + // A szokásos attribútumok + $info['sAMAccountName'] = $info['cn'] = array($groupCn); + $info['description'] = array($groupDesc); + + // A kategória függő attribútumok + if (isset($SET['container'])) $dn = "CN=$groupCn,".$SET['container']; + else $dn = "CN=$groupCn,OU=$category,".$AUTH[$toPolicy]['ldapBaseDn']; + + // objectum osztályok + $info['objectClass'] = array($AUTH[$toPolicy]['ldapGroupObjectClass']); + + // csoport felvétel + $_r1 = ldap_add($ds,$dn,$info); + if (!$_r1) { + printf("LDAP-Error: %s<br>\n", ldap_error($ds)); + var_dump($info); + } + + ldap_close($ds); + + $_SESSION['alert'][] = 'info:create_group_success:'.$dn; + return true; + + } + +?> diff --git a/mayor-orig/www/include/backend/ldap-ng/session/search/searchAccount.php b/mayor-orig/www/include/backend/ldap-ng/session/search/searchAccount.php new file mode 100644 index 00000000..70be6ed5 --- /dev/null +++ b/mayor-orig/www/include/backend/ldap-ng/session/search/searchAccount.php @@ -0,0 +1,271 @@ +<?php +/* + Module: base/session + Backend: ldap-ng + + ! -- Csak publikus mezőkre lehet keresni! -- ! + function LDAPSearch($attr, $pattern, $searchAttrs=array('cn'), $filter='(objectclass=*)') + function ldapSearchAccount($attr, $pattern, $searchAttrs = array('userCn')) + function ldapSearchGroup($attr, $pattern, $searchAttrs = array('groupCn, groupDesc'), $toPolicy = '') { + +*/ + +###################################################### +# Általános LDAP kereső függvény +###################################################### + + function LDAPSearch($attr, $pattern, $searchAttrs=array('cn'), $filter='(objectclass=*)', $toPolicy = _POLICY) { + + global $AUTH; + + if ($pattern == '') { + $_SESSION['alert'][] = 'message:empty_field'; + return false; + } + + // Kapcsolódás az LDAP szerverhez + $ds = @ldap_connect($AUTH[$toPolicy]['ldapHostname']); + if (!$ds) { + $_SESSION['alert'][] = 'alert:ldap_connect_failure'; + return false; + } + + // Csatlakozás a szerverhez + $r = @ldap_bind($ds, _USERDN, _USERPASSWORD); + + if (!$r) { + $_SESSION['alert'][] = 'message:ldap_bind_failure'; + ldap_close($ds); + return false; + } + + // Keresés + $filter = "(&$filter($attr=*$pattern*))"; + $sr = @ldap_search($ds, $AUTH[$toPolicy]['ldapBaseDn'], $filter, $searchAttrs); + if (!$sr) { + $_SESSION['alert'][] = "message:ldap_search_failure:".$filter; + ldap_close($ds); + return false; + } + + $info = @ldap_get_entries($ds,$sr); + ldap_close($ds); + + return $info; + + } + +###################################################### +# ldapSearchAccount - felhasználó kereső függvény +###################################################### + + function ldapSearchAccount($attr, $pattern, $searchAttrs = array('userCn'), $toPolicy = _POLICY) { + + global $accountAttrToLDAP; + + // A keresendő attribútum konvertálása LDAP attribútummá + if ($accountAttrToLDAP[ $attr ] != '') $attrLDAP = $accountAttrToLDAP[ $attr ]; + else $attrLDAP = $attr; + if ($attrLDAP == 'dn') $attrLDAP = 'uid'; // dn-re nem megy a keresés!! + + // A lekérendő attribútumok konvertálása LDAP attribútummá + for ($i = 0; $i < count($searchAttrs); $i++) { + if ($accountAttrToLDAP[ $searchAttrs[$i] ] != '') $searchAttrsLDAP[$i] = $accountAttrToLDAP[ $searchAttrs[$i] ]; + else $searchAttrsLDAP[$i] = $searchAttrs[$i]; + } + $result = LDAPSearch($attrLDAP, $pattern, $searchAttrsLDAP, '(&(objectclass=person)(!(objectclass=computer)))', $toPolicy); + if ($result === false) { + return false; + } else { + + // LDAP schema --> mayor schema konverzió + for ($i = 0; $i < $result['count']; $i++) { + // Egységes szerkezetre alakítjuk, azaz a dn is indexelt + $result[$i]['dn'] = $return[$i]['userAccount'] = array('count' => 1, 0 => $result[$i]['dn']); + for ($j = 0; $j < count($searchAttrs); $j++) { + $a = $searchAttrs[$j]; + if (isset($result[$i][ kisbetus($accountAttrToLDAP[$a]) ])) { + if ($accountAttrToLDAP[$a] != '') $return[$i][$a] = $result[$i][ kisbetus($accountAttrToLDAP[$a]) ]; + else $return[$i][$a] = $result[$i][$a]; + } else { + $return[$i][$a] = array('count' => 0) ; + } + } + $return[$i]['category'] = getAccountCategories($return[$i]['userAccount'][0], $toPolicy); + $return[$i]['category']['count'] = count($return[$i]['category']); + } + $return['count'] = $result['count']; + + return $return; + + } + + } + +###################################################### +# ldapSearchGroup - csoport kereső függvény +###################################################### + + function ldapSearchGroup($attr, $pattern, $searchAttrs = array('groupCn, groupDesc'), $toPolicy = _POLICY) { + + global $groupAttrToLDAP; + + // A keresendő attribútum konvertálása LDAP attribútummá + if ($groupAttrToLDAP[ $attr ] != '') $attrLDAP = $groupAttrToLDAP[ $attr ]; + else $attrLDAP = $attr; + if ($attrLDAP == 'dn') $attrLDAP = 'cn'; // dn-re nem megy a keresés!! + + // A lekérendő adtibútumok konvertálása LDAP attribútummá + for ($i = 0; $i < count($searchAttrs); $i++) { + if ($groupAttrToLDAP[ $searchAttrs[$i] ] != '') $searchAttrsLDAP[$i] = $groupAttrToLDAP[ $searchAttrs[$i] ]; + else $searchAttrsLDAP[$i] = $searchAttrs[$i]; + } + + $result = LDAPSearch($attrLDAP, $pattern, $searchAttrsLDAP, '(objectclass=group)', $toPolicy); + if ($result === false) { + return false; + } else { + + // LDAP schema --> mayor schema konverzió + for ($i = 0; $i < $result['count']; $i++) { + // Egységes szerkezetre alakítjuk, azaz a dn is indexelt + $result[$i]['dn'] = $return[$i]['groupCn'] = array('count' => 1, 0 => $result[$i]['dn']); + for ($j = 0; $j < count($searchAttrs); $j++) { + $a = $searchAttrs[$j]; + if (!isset($groupAttrToLDAP[$a]) || $groupAttrToLDAP[$a] != '') { + if (isset($result[$i][ $groupAttrToLDAP[$a] ])) $return[$i][$a] = $result[$i][ $groupAttrToLDAP[$a] ]; + else $return[$i][$a] = ''; + } else { + $return[$i][$a] = $result[$i][$a]; + } + } + } + $return['count'] = $result['count']; + + return $return; + + } + + } + +###################################################### +# ldapDeleteAccount - account törlése +###################################################### + + function ldapDeleteAccount($userAccount, $toPolicy = _POLICY) { + + global $AUTH; + + // $toPolicy --> ldap-ng backend - ellenőrzés + if ($AUTH[$toPolicy]['backend'] != 'ldap-ng') { + $_SESSION['alert'][] = 'page:wrong_backend:ldap-ng!='.$AUTH[$toPolicy]['backend']; + return false; + } + + $userDn = LDAPuserAccountToDn($userAccount, $toPolicy); + if ($userDn === false) return false; + + // Kapcsolódás az LDAP szerverhez + $ds = @ldap_connect($AUTH[$toPolicy]['ldapHostname']); + if (!$ds) { + $_SESSION['alert'][] = 'alert:ldap_connect_failure'; + return false; + } + + // Csatlakozás a szerverhez + $r = @ldap_bind($ds, _USERDN, _USERPASSWORD); + if (!$r) { + $_SESSION['alert'][] = 'message:ldap_bind_failure'; + ldap_close($ds); + return false; + } + + // Az uidNumber, a unixHomeDirectory lekerdezése + $filter = "(&(objectclass=".$AUTH[$toPolicy]['ldapUserObjectClass'].")(!(objectclass=computer)))"; + $justthese = array('uidNumber','unixHomedirectory'); + $sr = @ldap_search($ds,$userDn,$filter,$justthese); + if (!$sr) { + $_SESSION['alert'][] = "message:ldap_search_failure:".$userDn; + ldap_close($ds); + return false; + } ; + + $info = @ldap_get_entries($ds,$sr); + $uidNumber = $info[0]['uidnumber'][0]; + $homeDirectory = $info[0]['unixhomedirectory'][0]; + $uid=$userAccount; + + // user törlése + if (!@ldap_delete($ds,$userDn)) { + $_SESSION['alert'][] = 'message:ldap_delete_failure:user:'.$userAccount; + } + + ldap_close($ds); + + /* + Ha van megadva deleteAccountScript paraméter, akkor abba bejegyzi a törölt felhasználó adatait. + A meghívott deleteAccount.sh nincs definiálva, testreszabható, megkötés egyedül a paraméter + lista: userAccount, uidNumber, homeDirectory + */ + if (defined('_DATADIR') + && isset($AUTH[$toPolicy]['deleteAccountScript']) + && file_exists(_DATADIR) + ) { + $sfp = fopen(_DATADIR.'/'.$AUTH[$toPolicy]['deleteAccountScript'],'a+'); + if ($sfp) { + fwrite($sfp,"\n# $userAccount törlése: userAccount uidNumber homeDirectory\n"); + fwrite($sfp,"deleteAccount.sh '$userAccount' '$uidNumber' '$homeDirectory'\n"); + fclose($sfp); + } + } + + $_SESSION['alert'][] = 'info:delete_uid_success:'.$userDn; + return true; + + } + +###################################################### +# ldapDeleteGroup - account törlése +###################################################### + + function ldapDeleteGroup($groupCn, $toPolicy = _POLICY) { + + global $AUTH; + + // $toPolicy --> ldap-ng backend - ellenőrzés + if ($AUTH[$toPolicy]['backend'] != 'ldap-ng') { + $_SESSION['alert'][] = 'page:wrong_backend:ldap-ng!='.$AUTH[$toPolicy]['backend']; + return false; + } + + $groupDn = LDAPgroupCnToDn($groupCn, $toPolicy); + if ($groupDn === false) return false; + + // Kapcsolódás az LDAP szerverhez + $ds = @ldap_connect($AUTH[$toPolicy]['ldapHostname']); + if (!$ds) { + $_SESSION['alert'][] = 'alert:ldap_connect_failure'; + return false; + } + + // Csatlakozás a szerverhez + $r = @ldap_bind($ds, _USERDN, _USERPASSWORD); + if (!$r) { + $_SESSION['alert'][] = 'message:ldap_bind_failure'; + ldap_close($ds); + return false; + } + + if (!@ldap_delete($ds, $groupDn)) { + $_SESSION['alert'][] = 'message:ldap_delete_failure:group:'.$groupCn; + } + + ldap_close($ds); + + $_SESSION['alert'][] = 'info:delete_group_success:'.$groupCn; + return true; + + } + + +?> diff --git a/mayor-orig/www/include/backend/ldap/auth/login.php b/mayor-orig/www/include/backend/ldap/auth/login.php new file mode 100644 index 00000000..2165371d --- /dev/null +++ b/mayor-orig/www/include/backend/ldap/auth/login.php @@ -0,0 +1,144 @@ +<?php +/* + Auth-LDAP + + A név-jelszó pár ellenőrzése LDAP adatbázis alapján +*/ + +/* -------------------------------------------------------------- + + Felhasználók azonosítása LDAP-ban tárolt posixAccount + osztályok alapján történik. + + A függvény az előre definiált _AUTH_SUCCESS, _AUTH_EXPIRED, _AUTH_FAILURE + konstansok valamelyikével tér vissza. (include/modules/auth/base/config.php) + + Sikeres hitelesítés esetén + az egyéb account információkat (minimálisan a 'cn', azaz 'teljes név' + attribútumot) a cím szerint átadott $accountInformation tömbbe helyezi el. + + Sikertelen azonosítás esetén a globális $_SESSION['alert'] változóban jelzi az + elutasítás okát. + +-------------------------------------------------------------- */ + +###################################################################### +# Az LDAP protocol version szerinti csatlakozás +###################################################################### + ldap_set_option(NULL, LDAP_OPT_PROTOCOL_VERSION, 3); + + function ldapUserAuthentication($userAccount, $userPassword, &$accountInformation, $toPolicy) { + + global $AUTH; + + if ($toPolicy == '') { + if ($accountInformation['policy'] != '') $toPolicy = $accountInformation['policy']; +// elseif ($_REQUEST['toPolicy'] != '') $toPolicy = $_REQUEST['toPolicy']; + else $toPolicy = _POLICY; + } + + // Kapcsolódás a szerverhez + $ds = ldap_connect($AUTH[$toPolicy]['ldap hostname']); + if (!$ds) { + $_SESSION['alert'][] = 'alert:ldap_connect_failure'; + return _AUTH_FAILURE; + } + + // Csatlakozás a szerverhez + $r = ldap_bind($ds); + if (!$r) { + $_SESSION['alert'][] = 'message:ldap_bind_failure'; + return _AUTH_FAILURE; + } + + // Van-e adott azonosítójú felhasználó? + $filter="(&(uid=$userAccount)(objectClass=posixAccount))"; + $justthese = array("sn","cn","studyId","shadowexpire","shadowwarning","shadowinactive","shadowlastchange","shadowmax"); + $sr = ldap_search($ds, $AUTH[$toPolicy]['ldap base dn'], $filter, $justthese); + if (!$sr) { + $_SESSION['alert'][] = "message:ldap_search_failure"; + ldap_close($ds); + return _AUTH_FAILURE; + } + $info=ldap_get_entries($ds,$sr); + + if ( $info['count'] === 0 ) { + // Nincs ilyen userAccount (uid) + $_SESSION['alert'][] = "message:no_account:$userAccount"; + ldap_close($ds); + return _AUTH_FAILURE_1; + } + + if ( $info['count'] > 1 ) { + // Több ilyen uid is van + $_SESSION['alert'][] = "message:multi_uid"; + ldap_close($ds); + return _AUTH_FAILURE_2; + } + + if ($info['count']==1) { // Van - egy - ilyen felhasználó + + $accountInformation['cn'] = $info[0]['cn'][0]; + $accountInformation['studyId'] = $info[0]['studyid'][0]; + $accountInformation['dn'] = $info[0]['dn']; + $accountInformation['account'] = $userAccount; + // Lejárt-e + // A lejárat ideje a shadowExpire és shadowLastChange+shadowMax kötül a kisebbik + if ($info[0]['shadowexpire'][0] != '') $expireTimestamp = $info[0]['shadowexpire'][0]; + if ( + $info[0]['shadowmax'][0] != '' && + ( + !isset($expireTimestamp) || + $expireTimestamp > $info[0]['shadowlastchange'][0] + $info[0]['shadowmax'][0] + ) + ) $expireTimestamp = $info[0]['shadowlastchange'][0] + $info[0]['shadowmax'][0]; + // lejárt, ha lejárat ideje már elmúlt + $accountExpired = (isset($expireTimestamp) && ($expireTimestamp <= floor(time()/(60*60*24)))); + + // Le van-e tiltva + // Ha több mint shadowInactive napja lejárt + if ( // onDisabled: none | refuse + $AUTH[$toPolicy]['onDisabled'] == 'refuse' && + isset($expireTimestamp) && + $expireTimestamp + $info[0]['shadowinactive'][0] <= floor(time()/(60*60*24)) + ) { + // Le van tiltva + $_SESSION['alert'][] = 'message:account_disabled'; + ldap_close($ds); + return _AUTH_FAILURE_4; + } // onDisabled + + // Jelszó ellenőrzés - lehet-e csatlakozni + if (!@ldap_bind($ds, $accountInformation['dn'], $userPassword)) { + $_SESSION['alert'][] = 'message:bad_pw'; + return _AUTH_FAILURE_3; + } + + ldap_close($ds); + // Lejárt-e az azonosító + if ($AUTH[$toPolicy]['onExpired'] != 'none' && isset($expireTimestamp)) { // onExpired: none | warning | force update + // Lejárt-e + $pwLejar = $expireTimestamp - floor(time()/(60*60*24)); + if (0 < $pwLejar && $pwLejar < $info[0]['shadowwarning'][0]) { + $_SESSION['alert'][] = 'info:account_warning:'.$pwLejar; + return _AUTH_SUCCESS; + } elseif ($pwLejar <= 0) { + $_SESSION['alert'][] = 'info:account_expired:'.abs($pwLejar); + if ($AUTH[$toPolicy]['onDisabled'] == 'refuse') + $_SESSION['alert'][] = 'info:warn_account_disable:'.($info[0]['shadowinactive'][0]+$pwLejar); + if ($AUTH[$toPolicy]['onExpired'] == 'warning') { + return _AUTH_SUCCESS; + } elseif ($AUTH[$toPolicy]['onExpired'] == 'force update') { + return _AUTH_EXPIRED; + } + } + } // onExpired + + // Ha idáig eljut, akkor minden rendben. + return _AUTH_SUCCESS; + + } // count == 1 + + } + +?> diff --git a/mayor-orig/www/include/backend/ldap/base/attrs.php b/mayor-orig/www/include/backend/ldap/base/attrs.php new file mode 100644 index 00000000..bf86d0d2 --- /dev/null +++ b/mayor-orig/www/include/backend/ldap/base/attrs.php @@ -0,0 +1,120 @@ +<?php +/* + Module: useradmin +*/ + + if (file_exists('lang/'._LANG.'/backend/ldap/attrs.php')) { + require('lang/'._LANG.'/backend/ldap/attrs.php'); + } elseif (file_exists('lang/'._DEFAULT_LANG.'/backend/ldap/attrs.php')) { + require('lang/'._DEFAULT_LANG.'/backend/ldap/attrs.php'); + } + +###################################################### +# Alapértelmezett jogosultságok +# +# w - Írható/olvasható +# r - olvasható +# - - egyik sem +# +# Három karakter: admin, self, other jogai +###################################################### + + define('_DEFAULT_LDAP_RIGHTS','wr-'); + +###################################################### +# Az LDAP account attribútumok +###################################################### + + global $ldapAccountAttrs; + $ldapAccountAttrs = array( + 'uid', + 'uidnumber', + 'gidnumber', + 'gecos', + 'cn', + 'studyid', + 'sn', + 'givenname', + 'mail', + 'telephonenumber', + 'mobile', + 'l', + 'street', + 'postaladdress', + 'postalcode', + 'homedirectory', + 'shadowlastchange', + 'shadowexpire', + 'shadowwarning', + 'shadowmin', + 'shadowmax', + 'shadowinactive', + ); + + global $ldapGroupAttrs; + $ldapGroupAttrs = array( + 'gidnumber', + 'cn', + 'description', + 'member', + 'memberuid' + ); + + global $accountAttrToLDAP; + $accountAttrToLDAP = array( + 'userAccount' => 'uid', + 'userCn' => 'cn', + 'mail' => 'mail', + 'studyId' => 'studyId', + 'shadowLastChange' => 'shadowLastChange', + 'shadowWarning' => 'shadowWarning', + 'shadowMin' => 'shadowMin', + 'shadowMax' => 'shadowMax', + 'shadowExpire' => 'shadowExpire', + 'shadowInactive' => 'shadowInactive', + ); + + global $groupAttrToLDAP; + $groupAttrToLDAP = array( + 'groupCn' => 'cn', + 'groupDesc' => 'description', + 'member' => 'member' + ); + + global $ldapAccountAttrDef; + $ldapAccountAttrDef = array( + 'dn' => array('desc' => _LDAPDN, 'type' => 'text', 'rights' => 'rrr'), + 'uid' => array('desc' => _LDAPUID, 'type' => 'text', 'rights' => 'rrr'), + 'uidnumber' => array('desc' => _LDAPUIDNUMBER, 'type' => 'int', 'rights' => 'w--'), + 'gidnumber' => array('desc' => _LDAPGIDNUMBER, 'type' => 'int', 'rights' => 'w--'), + 'gecos' => array('desc' => _LDAPGECOS, 'type' => 'text', 'rights' => 'w--'), + 'cn' => array('desc' => _LDAPCN, 'type' => 'text', 'rights' => 'wrr'), + 'studyid' => array('desc' => _LDAPSTUDYID, 'type' => 'int', 'rights' => 'wrr'), + 'sn' => array('desc' => _LDAPSN, 'type' => 'text'), + 'givenname' => array('desc' => _LDAPGIVENNAME, 'type' => 'text'), + 'mail' => array('desc' => _LDAPMAIL, 'type' => 'text', 'rights' => 'wwr'), + 'telephonenumber' => array('desc' => _LDAPTELEPHONENUMBER, 'type' => 'text', 'rights' => 'ww-'), + 'mobile' => array('desc' => _LDAPMOBILE, 'type' => 'text', 'rights' => 'ww-'), + 'l' => array('desc' => _LDAPL, 'type' => 'text'), + 'street' => array('desc' => _LDAPSTREET, 'type' => 'text'), + 'postaladdress' => array('desc' => _LDAPPOSTALADDRESS, 'type' => 'text'), + 'postalcode' => array('desc' => _LDAPPOSTALCODE, 'type' => 'text'), + 'homedirectory' => array('desc' => _LDAPHOMEDIRECTORY, 'type' => 'text'), + 'shadowlastchange' => array('desc' => _LDAPSHADOWLASTCHANGE, 'type' => 'text'), + 'shadowexpire' => array('desc' => _LDAPSHADOWEXPIRE, 'type' => 'text'), + 'shadowwarning' => array('desc' => _LDAPSHADOWWARNING, 'type' => 'text'), + 'shadowmin' => array('desc' => _LDAPSHADOWMIN, 'type' => 'text'), + 'shadowmax' => array('desc' => _LDAPSHADOWMAX, 'type' => 'text'), + 'shadowinactive' => array('desc' => _LDAPSHADOWINACTICE, 'type' => 'text'), + ); + + global $ldapGroupAttrDef; + $ldapGroupAttrDef = array( + 'cn' => array('desc' => _LDAPCN, 'type' => 'text','rights' => 'wrr'), + 'description' => array('desc' => _LDAPDESCRIPTION, 'type' => 'text'), + 'gidnumber' => array('desc' => _LDAPGIDNUMBER, 'type' => 'int','rights' => 'w--'), + 'memberuid' => array('desc' => _LDAPMEMBERUID, 'type' => 'select'), + 'member' => array('desc' => _LDAPMEMBER, 'type' => 'select'), + ); + +?> diff --git a/mayor-orig/www/include/backend/ldap/base/attrs.php.orig b/mayor-orig/www/include/backend/ldap/base/attrs.php.orig new file mode 100644 index 00000000..658dfa1c --- /dev/null +++ b/mayor-orig/www/include/backend/ldap/base/attrs.php.orig @@ -0,0 +1,175 @@ +<?php +/* + Module: useradmin +*/ + + if (file_exists('lang/'._LANG.'/backend/ldap/attrs.php')) { + require('lang/'._LANG.'/backend/ldap/attrs.php'); + } elseif (file_exists('lang/'._DEFAULT_LANG.'/backend/ldap/attrs.php')) { + require('lang/'._DEFAULT_LANG.'/backend/ldap/attrs.php'); + } + +###################################################### +# Alapértelmezett jogosultságok +# +# w - Írható/olvasható +# r - olvasható +# - - egyik sem +# +# Három karakter: admin, self, other jogai +###################################################### + + define('_DEFAULT_LDAP_RIGHTS','wr-'); + +###################################################### +# Az LDAP account attribútumok +###################################################### + + global $ldapAccountAttrs; + $ldapAccountAttrs = array( + 'uid', + 'uidnumber', + 'gidnumber', + 'gecos', + 'cn', + 'sn', + 'givenname', + 'mail', + 'homepage', + 'url', + 'telephonenumber', + 'mobile', + 'year', + 'class', + 'l', + 'street', + 'postaladdress', + 'postalcode', + 'homedirectory', + 'owner', + 'leader', + 'description', + 'roomnumber', + 'registertimestamp', + 'primaryschoolomcode', + 'classtimestamp', + 'studentcardnumber', + 'studentcardtimestamp', + 'taxid', + 'birthtimestamp', + 'birthlocality', + 'registernumber', + 'diarynumber', + 'sex', + 'guardiancn', + 'mothercn', + 'localitytimestamp', + 'tajnumber', + 'member', + 'studentmember', + 'exemptmember', + 'examermember', + 'memberuid', + 'shadowlastchange', + 'shadowexpire', + 'shadowwarning', + 'shadowmin', + 'shadowmax', + 'shadowinactive', + 'parentpassword' + ); + + global $ldapGroupAttrs; + $ldapGroupAttrs = array( + 'gidnumber', + 'cn', + 'description', + 'owner', + 'member', + 'memberuid' + ); + + global $accountAttrToLDAP; + $accountAttrToLDAP = array( + 'userAccount' => 'uid', + 'userCn' => 'cn', + 'mail' => 'mail', + 'studyId' => 'studyId', + 'shadowLastChange' => 'shadowLastChange', + 'shadowWarning' => 'shadowWarning', + 'shadowMin' => 'shadowMin', + 'shadowMax' => 'shadowMax', + 'shadowExpire' => 'shadowExpire', + 'shadowInactive' => 'shadowInactive', + ); + + global $groupAttrToLDAP; + $groupAttrToLDAP = array( + 'groupId' => 'cn', + 'groupName' => 'description', +// 'leader' => 'leader', + 'owner' => 'owner', + 'member' => 'member' + ); + + global $ldapAccountAttrDef; + $ldapAccountAttrDef = array( + 'dn' => array('desc' => _LDAPDN, 'type' => 'text','rights' => 'rrr'), + 'uid' => array('desc' => _LDAPUID, 'type' => 'text','rights' => 'rrr'), + 'uidnumber' => array('desc' => _LDAPUIDNUMBER, 'type' => 'int','rights' => 'w--'), + 'gidnumber' => array('desc' => _LDAPGIDNUMBER, 'type' => 'int','rights' => 'w--'), + 'gecos' => array('desc' => _LDAPGECOS, 'type' => 'text','rights' => 'w--'), + 'cn' => array('desc' => _LDAPCN, 'type' => 'text','rights' => 'wrr'), + 'sn' => array('desc' => _LDAPSN, 'type' => 'text'), + 'givenname' => array('desc' => _LDAPGIVENNAME, 'type' => 'text'), + 'mail' => array('desc' => _LDAPMAIL, 'type' => 'text','rights' => 'wwr'), + 'homepage' => array('desc' => _LDAPHOMEPAGE, 'type' => 'text','rights' => 'wwr'), + 'url' => array('desc' => _LDAPURL, 'type' => 'text'), + 'telephonenumber' => array('desc' => _LDAPTELEPHONENUMBER, 'type' => 'text','rights' => 'ww-'), + 'mobile' => array('desc' => _LDAPMOBILE, 'type' => 'text','rights' => 'ww-'), + 'year' => array('desc' => _LDAPYEAR, 'type' => 'int'), + 'class' => array('desc' => _LDAPCLASS, 'type' => 'text'), + 'l' => array('desc' => _LDAPL, 'type' => 'text'), + 'street' => array('desc' => _LDAPSTREET, 'type' => 'text'), + 'postaladdress' => array('desc' => _LDAPPOSTALADDRESS, 'type' => 'text'), + 'postalcode' => array('desc' => _LDAPPOSTALCODE, 'type' => 'text'), + 'homedirectory' => array('desc' => _LDAPHOMEDIRECTORY, 'type' => 'text'), + 'roomnumber' => array('desc' => _LDAPROOMNUMBER, 'type' => 'int'), + 'registertimestamp' => array('desc' => _LDAPREGISTERTIMESTAMP, 'type' => 'timestamp'), + 'primaryschoolomcode' => array('desc' => _LDAPPRIMARYSCHOOLOMCODE, 'type' => 'text'), + 'classtimestamp' => array('desc' => _LDAPCLASSTIMESTAMP, 'type' => 'timestamp'), + 'studentcardnumber' => array('desc' => _LDAPSTUDENTCARDNUMBER, 'type' => 'text'), + 'studentcardtimestamp' => array('desc' => _LDAPSTUDENTCARDTIMESTAMP, 'type' => 'timestamp'), + 'taxid' => array('desc' => _LDAPTAXID, 'type' => 'text'), + 'birthtimestamp' => array('desc' => _LDAPBIRTHTIMESTAMP, 'type' => 'timestamp'), + 'birthlocality' => array('desc' => _LDAPBIRTHLOCALITY, 'type' => 'text'), + 'registernumber' => array('desc' => _LDAPREGISTERNUMBER, 'type' => 'text'), + 'diarynumber' => array('desc' => _LDAPDIARYNUMBER, 'type' => 'text'), + 'sex' => array('desc' => _LDAPSEX, 'type' => 'radio', 'options' => array(_FIU, _LANY)), + 'guardiancn' => array('desc' => _LDAPGUARDIANCN, 'type' => 'text'), + 'mothercn' => array('desc' => _LDAPMOTHERCN, 'type' => 'text'), + 'localitytimestamp' => array('desc' => _LDAPLOCALITYTIMESTAMP, 'type' => 'timestamp'), + 'tajnumber' => array('desc' => _LDAPTAJNUMBER, 'type' => 'text'), + 'shadowlastchange' => array('desc' => _LDAPSHADOWLASTCHANGE, 'type' => 'text'), + 'shadowexpire' => array('desc' => _LDAPSHADOWEXPIRE, 'type' => 'text'), + 'shadowwarning' => array('desc' => _LDAPSHADOWWARNING, 'type' => 'text'), + 'shadowmin' => array('desc' => _LDAPSHADOWMIN, 'type' => 'text'), + 'shadowmax' => array('desc' => _LDAPSHADOWMAX, 'type' => 'text'), + 'shadowinactive' => array('desc' => _LDAPSHADOWINACTICE, 'type' => 'text'), + ); + + global $ldapGroupAttrDef; + $ldapGroupAttrDef = array( + 'cn' => array('desc' => _LDAPCN, 'type' => 'text','rights' => 'wrr'), + 'description' => array('desc' => _LDAPDESCRIPTION, 'type' => 'text'), + 'gidnumber' => array('desc' => _LDAPGIDNUMBER, 'type' => 'int','rights' => 'w--'), + 'memberuid' => array('desc' => _LDAPMEMBERUID, 'type' => 'select'), + 'member' => array('desc' => _LDAPMEMBER, 'type' => 'select'), + 'owner' => array('desc' => _LDAPOWNER, 'type' => 'select'), +// 'studentmember' => array('desc' => _LDAPSTUDENTMEMBER, 'type' => 'text'), +// 'exemptmember' => array('desc' => _LDAPEXEMPTMEMBER, 'type' => 'text'), +// 'examermember' => array('desc' => _LDAPEXAMERMEMBER, 'type' => 'text'), +// 'leader' => array('desc' => _LDAPLEADER, 'type' => 'text'), + ); + +?>
\ No newline at end of file diff --git a/mayor-orig/www/include/backend/ldap/base/str.php b/mayor-orig/www/include/backend/ldap/base/str.php new file mode 100644 index 00000000..2ef3ad1c --- /dev/null +++ b/mayor-orig/www/include/backend/ldap/base/str.php @@ -0,0 +1,53 @@ +<?php +/* + Module: useradmin + + function date2timestamp($date) + function timestamp2date($stamp) + !! -- function ldap_cn_cmp($a,$b) -- !! Kell ez? + !! -- function tanar_cn_cmp($a,$b) -- !! Használjuk ezt? + + // - fuggoseg - // require_once('include/share/ldap/attrs.php'); + +*/ + +// ------------------------------------- +// Date2Timestamp +// ------------------------------------- + + function date2timestamp($date) { + $date = str_replace('-','',$date); + $date = str_replace('.','',$date).'010101Z'; + if (strlen($date) == 15) return $date; + else return ''; + } + +// ------------------------------------- +// Timestamp2Date +// ------------------------------------- + + function timestamp2date($stamp) { + $date = substr($stamp,0,4).'-'.substr($stamp,4,2).'-'.substr($stamp,6,2); + if (strlen($date) == 10) return $date; + else return ''; + } + +/* +// --------------------------------------------------------------------------- +// LDAP eredmény elemeinek összehasonlítása cn-alapján (Már latin2-es kódolású!!!) +// --------------------------------------------------------------------------- + + function ldap_cn_cmp($a,$b) { + return str_cmp($a['cn'][0],$b['cn'][0]); + } + +// --------------------------------------------------------------------------- +// $TANAROK tömb rendezéséhez (include/naplo/helyettesít.php) (Már latin2-es kódolású!!!) +// --------------------------------------------------------------------------- + + function tanar_cn_cmp($a,$b) { + return str_cmp($a['cn'],$b['cn']); + } +*/ + +?> diff --git a/mayor-orig/www/include/backend/ldap/password/changePassword.php b/mayor-orig/www/include/backend/ldap/password/changePassword.php new file mode 100644 index 00000000..22ace5ca --- /dev/null +++ b/mayor-orig/www/include/backend/ldap/password/changePassword.php @@ -0,0 +1,102 @@ +<?php +/* + Module: base/password + + function changeMyPassword($userAccount, $userPassword, $newPassword, $verification) + A függvény nem vizsgálja, hogy jogosultak vagyunk-e a jelszó megváltoztatására. + Ennek eldöntése a függvényt hívó program feladata + */ + +############################################################################ +# Saját jelszó megváltoztatása +############################################################################ + +function changeMyPassword($userAccount, $userPassword, $newPassword, $toPolicy = '') { + + global $AUTH; + + if ($toPolicy == '') $toPolicy = $_REQUEST['toPolicy']; + $userDn = LDAPuserAccountToDn($userAccount, $toPolicy); + $shadowLastChange = floor(time()/(60*60*24)); + + $ds = ldap_connect($AUTH[$toPolicy]['ldap hostname']); + if ($ds) { + $b_ok = ldap_bind($ds,$userDn,$userPassword); + if ($b_ok) { + $info['userPassword'][0] = '{crypt}' . crypt($newPassword); + // Ezekre nincs jogosultsága a felhasználónak, nem változnak: + // _SHADOWMIN, _SHADOWMAX, _SHADOWWARNING, _SHADOWINACTIVE + $info['shadowlastchange'][0] = $shadowLastChange; + if (isset($AUTH[$toPolicy]['shadowExpire']) and $AUTH[$toPolicy]['shadowExpire'] != '') { + $info['shadowexpire'][0] = $AUTH[$toPolicy]['shadowExpire']; + } elseif (isset($AUTH[$toPolicy]['shadowMax']) and $AUTH[$toPolicy]['shadowMax'] != '') { + $info['shadowexpire'][0] = $shadowLastChange + intval($AUTH[$toPolicy]['shadowMax']); + } + $r = ldap_mod_replace($ds,$userDn,$info); + ldap_close($ds); + if ($r) { + $_SESSION['alert'][] = 'info:pw_change_success'; + return true; + } else { + $_SESSION['alert'][] = 'message:ldap_modify_failure'; + return false; + } + } else { + $_SESSION['alert'][] = 'message:ldap_bind_failure:'.$userDn; + ldap_close($ds); + return false; + } + } else { + $_SESSION['alert'][] = 'message:ldap_failure'; + return false; + } + +} + +############################################################################ +# Adminisztrátori jelszó változtatás +############################################################################ + +function changePassword($userAccount, $newPassword, $toPolicy = '') { + + global $AUTH; + + if ($toPolicy == '') $toPolicy = _POLICY; + $userDn = LDAPuserAccountToDn($userAccount, $toPolicy); + $shadowLastChange = floor(time()/(60*60*24)); + + $ds = ldap_connect($AUTH[$toPolicy]['ldap hostname']); + if ($ds) { + $b_ok = ldap_bind($ds,_USERDN,_USERPASSWORD); + if ($b_ok) { + $info['userPassword'][0] = '{crypt}' . crypt($newPassword); + // Ezekre nincs jogosultsága a felhasználónak, nem változnak: + // _SHADOWMIN, _SHADOWMAX, _SHADOWWARNING, _SHADOWINACTIVE + $info['shadowlastchange'][0] = $shadowLastChange; + if (isset($AUTH[$toPolicy]['shadowExpire']) and $AUTH[$toPolicy]['shadowExpire'] != '') { + $info['shadowexpire'][0] = $AUTH[$toPolicy]['shadowExpire']; + } elseif (isset($AUTH[$toPolicy]['shadowMax']) and $AUTH[$toPolicy]['shadowMax'] != '') { + $info['shadowexpire'][0] = $shadowLastChange + intval($AUTH[$toPolicy]['shadowMax']); + } + $r = @ldap_mod_replace($ds,$userDn,$info); + ldap_close($ds); + if ($r) { + $_SESSION['alert'][] = 'info:pw_change_success'; + return true; + } else { + $_SESSION['alert'][] = 'message:ldap_modify_failure'; + return false; + } + } else { + $_SESSION['alert'][] = 'message:ldap_bind_failure:'._USERDN; + ldap_close($ds); + return false; + } + } else { + $_SESSION['alert'][] = 'message:ldap_failure'; + return false; + } + +} + +?> diff --git a/mayor-orig/www/include/backend/ldap/session/accountInfo.php b/mayor-orig/www/include/backend/ldap/session/accountInfo.php new file mode 100644 index 00000000..24f5234b --- /dev/null +++ b/mayor-orig/www/include/backend/ldap/session/accountInfo.php @@ -0,0 +1,401 @@ +<?php +/* + Module: base/auth-ldap + Backend: ldap + + function getLDAPInfo($userDn, $attrList=array('cn'), $toPolicy = '') + function ldapGetAccountInfo($userAccount, $toPolicy = _POLICY) + function ldapGetUserInfo($userAccount, $toPolicy = _POLICY) + function ldapChangeAccountInfo($userAccount, $toPolicy = _POLICY) + function ldapGetGroupInfo($groupCn, $toPolicy = _POLICY) + +*/ + +###################################################### +# getLDAPInfo - általános LDAP lekérdezés +###################################################### + + function getLDAPInfo($userDn, $attrList=array('cn'), $toPolicy = _POLICY) { + + global $AUTH; + + // Kapcsolódás az LDAP szerverhez + $ds = @ldap_connect($AUTH[$toPolicy]['ldap hostname']); + if (!$ds) { + $_SESSION['alert'][] = 'alert:ldap_connect_failure'; + return false; + } + + // Csatlakozás a szerverhez + $r = @ldap_bind($ds, _USERDN, _USERPASSWORD); + if (!$r) { + $_SESSION['alert'][] = 'message:ldap_bind_failure'; + ldap_close($ds); + return false; + } + + // Keresés + $filter = '(objectclass=*)'; + $sr = @ldap_search($ds, $userDn, $filter, $attrList); + if (!$sr) { + $_SESSION['alert'][] = "message:ldap_search_failure:".$userDn; + ldap_close($ds); + return false; + } + + $info = @ldap_get_entries($ds,$sr); + ldap_close($ds); + + return $info; + + } + +########################################################### +# ldapGetAccountInfo - felhasználói információk (backend) +########################################################### + + function ldapGetAccountInfo($userAccount, $toPolicy = _POLICY) { + + global $AUTH, $backendAttrs, $backendAttrDef; + + if (!isset($backendAttrs)) list($backendAttrs, $backendAttrDef) = getBackendAttrs('Account', $toPolicy); + + $userDn = LDAPuserAccountToDn($userAccount, $toPolicy); + + $result = getLDAPInfo($userDn, $backendAttrs, $toPolicy); + if ($result === false) { + return false; + } else { + + // LDAP schema --> mayor schema konverzió + for ($i = 0; $i < $result['count']; $i++) { + // Egységes szerkezetre alakítjuk, azaz a dn is indexelt + foreach ($backendAttrDef as $attr => $def) { + // Egységes szerkezetre alakítjuk, azaz a dn is indexelt + if ($attr == 'dn') $return[$i]['dn'] = array('count' => 1, 0 => $result[$i]['dn']); + elseif (isset($result[$i][$attr])) $return[$i][$attr] = $result[$i][$attr]; + else $return[$i][$attr] = array('count' => 0); + } + } + + return $return[0]; + + } + + } + +############################################################# +# ldapGetUserInfo - felhasználói információk (keretrendszer) +############################################################# + + function ldapGetUserInfo($userAccount, $toPolicy = _POLICY) { + + global $AUTH, $accountAttrToLDAP, $ldapAttrDef; + $userDn = LDAPuserAccountToDn($userAccount, $toPolicy); + + $result = getLDAPInfo($userDn, array_values($accountAttrToLDAP), $toPolicy); + if ($result === false) { + return false; + } else { + + $result[0]['dn'] = array('count' => 1, 0 => $result[0]['dn']); + // Egységes szerkezetre alakítjuk, azaz a dn is indexelt + foreach ($accountAttrToLDAP as $attr => $ldapAttr) { + if (isset($result[0][$ldapAttr])) $return[$attr] = $result[0][$ldapAttr]; + else $return[$attr] = array('count' => 0); + } + + return $return; + + } + + } + +############################################################### +# ldapChangeAccountInfo - felhasználói információk módosítása +############################################################### + + function ldapChangeAccountInfo($userAccount, $toPolicy = _POLICY) { + + global $AUTH, $backendAttrs, $backendAttrDef; + + $userDn = LDAPuserAccountToDn($userAccount, $toPolicy); + + // Kapcsolódás az LDAP szerverhez + $ds = @ldap_connect($AUTH[$toPolicy]['ldap hostname']); + if (!$ds) { + $_SESSION['alert'][] = 'alert:ldap_connect_failure'; + return false; + } + + // Csatlakozás a szerverhez + $r = @ldap_bind($ds, _USERDN, _USERPASSWORD); + if (!$r) { + $_SESSION['alert'][] = 'message:ldap_bind_failure'; + ldap_close($ds); + return false; + } + + $emptyAttrs = explode(':',$_POST['emptyAttrs']); + + // Attribútumonként módosítunk + foreach ($backendAttrs as $attr) { + + if ($backendAttrDef[$attr]['rights'] == '') $rigths = _DEFAULT_LDAP_RIGHTS; + else $rights = $backendAttrDef[$attr]['rights']; + + if ($rights[_ACCESS_AS] == 'w') { + + $mod_info = $add_info = $del_info = Array(); + $values = array(); + + if ($backendAttrDef[$attr]['type'] == 'image') { + $file = $_FILES[$attr]['tmp_name']; + if (file_exists($file)) { + $fd = fopen($file,'r'); + $values[0]=fread($fd,filesize($file)); + fclose($fd); + } else { + // Sose töröljük! + $emptyAttrs[] = $attr; + } + } elseif ($backendAttrDef[$attr]['type'] == 'timestamp') { + if ($_POST[$attr][0] != '' and $_POST[$attr][1] != '' and $_POST[$attr][2] != '') { + $values[0] = $_POST[$attr][0].$_POST[$attr][1].$_POST[$attr][2].'010101Z'; + } + } else { + if ($backendAttrDef[$attr]['type'] != '' ) $values[0] = $_POST[$attr]; + } + + if ($backendAttrDef[$attr]['type'] == 'select') { + if ($_POST['new-'.$attr][0] != '') $add_info[$attr] = $_POST['new-'.$attr]; + if ($_POST['del-'.$attr][0] != '') $del_info[$attr] = $_POST['del-'.$attr]; + } elseif (in_array($attr,$emptyAttrs)) { + if ($values[0] != '') $add_info[$attr] = $values; + } else { + if ($values[0] != '') { + $mod_info[$attr] = $values; + } else { + $del_info[$attr] = Array(); + } + } + + $_alert = array(); + if (count($add_info)!=0) { + if (!@ldap_mod_add($ds,$userDn,$add_info)) { + $_alert[] = 'message:insufficient_access:add:'.$attr; + } + } + if (count($mod_info)!=0) { + if (!@ldap_mod_replace($ds,$userDn,$mod_info)) { + $_alert[] = 'message:insufficient_access:mod:'.$attr; + } + } + if (count($del_info)!=0) { + if (!@ldap_mod_del($ds,$userDn,$del_info)) { + $_alert[] = 'message:insufficient_access:del:'.$attr; + } + } + + } else { +// $_alert[] = 'message:insufficient_access:'.$attr; + } + } // foreach + + ldap_close($ds); + if (count($_alert) == 0) $_SESSION['alert'][] = 'info:change_success'; + else for ($i = 0;$i < count($_alert);$i++) $_SESSION['alert'][] = $_alert[$i]; + + } + +########################################################### +# ldapGetGroupInfo - csoport információk (backend) +########################################################### + + function ldapGetGroupInfo($groupCn, $toPolicy = _POLICY) { + + global $AUTH, $backendAttrs, $backendAttrDef; + + + if (!isset($backendAttrs)) list($backendAttrs, $backendAttrDef) = getBackendAttrs('Group', $toPolicy); + + $groupDn = LDAPgroupCnToDn($groupCn, $toPolicy); + + $result = getLDAPInfo($groupDn, $backendAttrs, $toPolicy); + if ($result === false) { + return false; + } else { + + // Accountok lekérdezése + $info = getLDAPaccounts($toPolicy); + for ($i = 0; $i < $info['count']; $i++) { + $accountUid[] = array( + 'value' => $info[$i]['uid'][0], + 'txt' => $info[$i]['cn'][0] + ); + $accountDn[] = array( + 'value' => $info[$i]['dn'], + 'txt' => $info[$i]['cn'][0] + ); + } + + // LDAP schema --> mayor schema konverzió + for ($i = 0; $i < $result['count']; $i++) { + // Egységes szerkezetre alakítjuk, azaz a dn is indexelt + foreach ($backendAttrDef as $attr => $def) { + // Egységes szerkezetre alakítjuk, azaz a dn is indexelt + if ($attr == 'dn') $return[$i]['dn'] = array('count' => 1, 0 => $result[$i]['dn']); + elseif (isset($result[$i][$attr])) $return[$i][$attr] = $result[$i][$attr]; + else $return[$i][$attr] = array('count' => 0); + } + $return[$i]['member']['new'] = $accountDn; + $return[$i]['memberuid']['new'] = $accountUid; + } + + return $return[0]; + + } + + } + +############################################################### +# ldapChangeGroupInfo - csoport információk módosítása +############################################################### + + function ldapChangeGroupInfo($groupCn, $toPolicy = _POLICY) { + +// !!!! A memberuid / member szinkronjára nem figyel!! + + global $AUTH, $backendAttrs, $backendAttrDef; + + $groupDn = LDAPgroupCnToDn($groupCn, $toPolicy); + + // Kapcsolódás az LDAP szerverhez + $ds = @ldap_connect($AUTH[$toPolicy]['ldap hostname']); + if (!$ds) { + $_SESSION['alert'][] = 'alert:ldap_connect_failure'; + return false; + } + + // Csatlakozás a szerverhez + $r = @ldap_bind($ds, _USERDN, _USERPASSWORD); + if (!$r) { + $_SESSION['alert'][] = 'message:ldap_bind_failure'; + ldap_close($ds); + return false; + } + + $emptyAttrs = explode(':',$_POST['emptyAttrs']); + + // Attribútumonként módosítunk + foreach ($backendAttrs as $attr) { + + if ($backendAttrDef[$attr]['rights'] == '') $rigths = _DEFAULT_LDAP_RIGHTS; + else $rights = $backendAttrDef[$attr]['rights']; + + if ($rights[_ACCESS_AS] == 'w') { + + $mod_info = $add_info = $del_info = Array(); + $values = array(); + + if ($backendAttrDef[$attr]['type'] == 'image') { + $file = $_FILES[$attr]['tmp_name']; + if (file_exists($file)) { + $fd = fopen($file,'r'); + $values[0]=fread($fd,filesize($file)); + fclose($fd); + } else { + // Sose töröljük! + $emptyAttrs[] = $attr; + } + } elseif ($backendAttrDef[$attr]['type'] == 'timestamp') { + if ($_POST[$attr][0] != '' and $_POST[$attr][1] != '' and $_POST[$attr][2] != '') { + $values[0] = $_POST[$attr][0].$_POST[$attr][1].$_POST[$attr][2].'010101Z'; + } + } else { + if ($backendAttrDef[$attr]['type'] != '') + if (isset($_POST[$attr])) $values[0] = $_POST[$attr]; + else $values[0] = ''; + } + + if ($backendAttrDef[$attr]['type'] == 'select') { + if (isset($_POST['new-'.$attr][0]) && $_POST['new-'.$attr][0] != '') $add_info[$attr] = $_POST['new-'.$attr]; + if (isset($_POST['del-'.$attr][0]) && $_POST['del-'.$attr][0] != '') $del_info[$attr] = $_POST['del-'.$attr]; + } elseif (in_array($attr,$emptyAttrs)) { + if ($values[0] != '') $add_info[$attr] = $values; + } else { + if ($values[0] != '') { + $mod_info[$attr] = $values; + } else { + $del_info[$attr] = Array(); + } + } + + $_alert = array(); + if (count($add_info)!=0) { + if (!@ldap_mod_add($ds,$groupDn,$add_info)) { + $_alert[] = 'message:insufficient_access:add:'.$attr; + } + } + if (count($mod_info)!=0) { + if (!@ldap_mod_replace($ds,$groupDn,$mod_info)) { + $_alert[] = 'message:insufficient_access:mod:'.$attr; + } + } + if (count($del_info)!=0) { + if (!@ldap_mod_del($ds,$groupDn,$del_info)) { + $_alert[] = 'message:insufficient_access:del:'.$attr; + } + } + + } else { +// $_alert[] = 'message:insufficient_access:'.$attr; + } + } // foreach + + ldap_close($ds); + if (count($_alert) == 0) $_SESSION['alert'][] = 'info:change_success'; + else for ($i=0;$i<count($_alert);$i++) $_SESSION['alert'][] = $_alert[$i]; + + } + + function getLDAPaccounts($toPolicy = _POLICY) { + + global $AUTH; + + // Kapcsolódás az LDAP szerverhez + $ds = @ldap_connect($AUTH[$toPolicy]['ldap hostname']); + if (!$ds) { + $_SESSION['alert'][] = 'alert:ldap_connect_failure'; + return false; + } + + // Csatlakozás a szerverhez + $r = @ldap_bind($ds, _USERDN, _USERPASSWORD); + if (!$r) { + $_SESSION['alert'][] = 'message:ldap_bind_failure'; + ldap_close($ds); + return false; + } + + // Keresés + $attrList = array('cn','uid'); +// $filter = '(objectclass=mayorPerson)'; + $filter = '(objectclass=posixAccount)'; + $sr = @ldap_search($ds, $AUTH[$toPolicy]['ldap base dn'], $filter, $attrList); + if (!$sr) { + $_SESSION['alert'][] = "message:ldap_search_failure:".$userDn; + ldap_close($ds); + return false; + } + + ldap_sort($ds, $sr, 'cn'); + $info = @ldap_get_entries($ds,$sr); + ldap_close($ds); + + return $info; + + } + + +?> diff --git a/mayor-orig/www/include/backend/ldap/session/base.php b/mayor-orig/www/include/backend/ldap/session/base.php new file mode 100644 index 00000000..b8529cc2 --- /dev/null +++ b/mayor-orig/www/include/backend/ldap/session/base.php @@ -0,0 +1,255 @@ +<?php +/* + Module: base/session + Backend: ldap + + function LDAPuserAccountToDn($userAccount = _USERACCOUNT, $toPolicy = _POLICY) + function ldapMemberOf($userAccount, $group, $toPolicy = _POLICY) + +*/ + + require('include/backend/ldap/base/attrs.php'); + require('include/backend/ldap/base/str.php'); + + ldap_set_option(NULL, LDAP_OPT_PROTOCOL_VERSION, 3); + + if ($AUTH[_POLICY]['backend'] == 'ldap') { + /* why not put into session cache */ + if ($AUTH[_POLICY]['cacheable']=='yes') { + $userDn = _queryCache('RDN',_POLICY,'value'); + } + if (!isset($userDn)) $userDn = LDAPuserAccountToDn(); + define('_USERDN', $userDn); + if ($AUTH[_POLICY]['cacheable']=='yes') _registerToCache('RDN',$userDn,_POLICY); + unset($userDn); + } + +###################################################### +# A _USERACCOUNT(uid)-hoz tartozó dn lekérdezése +###################################################### + + function LDAPuserAccountToDn($userAccount = _USERACCOUNT, $toPolicy = _POLICY) { + + global $AUTH; + + // Kapcsolódás a szerverhez + $ds = @ldap_connect($AUTH[$toPolicy]['ldap hostname']); + if (!$ds) { + $_SESSION['alert'][] = 'alert:ldap_connect_failure'; + return false; + } + + // Csatlakozás a szerverhez + $r = @ldap_bind($ds); + if (!$r) { + $_SESSION['alert'][] = 'message:ldap_bind_failure'; + return false; + } + + // Van-e adott azonosítójú felhasználó? + $filter="(&(uid=$userAccount)(objectClass=posixAccount))"; + $justthese=array('cn'); + $sr = ldap_search($ds, $AUTH[$toPolicy]['ldap base dn'], $filter, $justthese); + if (!$sr) { + $_SESSION['alert'][] = "message:ldap_search_failure"; + ldap_close($ds); + return false; + } + $info=ldap_get_entries($ds,$sr); + ldap_close($ds); + + if ( $info['count'] === 0 ) { + // Nincs ilyen userAccount (uid) + $_SESSION['alert'][] = "message:no_account:$userAccount"; + return false; + } elseif ( $info['count'] > 1 ) { + // Több ilyen uid is van + $_SESSION['alert'][] = "message:multi_uid:$userAccount"; + return false; + } + + if ($info['count']==1) { // Van - egy - ilyen felhasználó + return $info[0]['dn']; + } + + } + + +###################################################### +# A groupCn(cn)-hez tartozó dn lekérdezése +###################################################### + + function LDAPgroupCnToDn($groupCn, $toPolicy = _POLICY) { + + global $AUTH; + + // Kapcsolódás a szerverhez + $ds = @ldap_connect($AUTH[$toPolicy]['ldap hostname']); + if (!$ds) { + $_SESSION['alert'][] = 'alert:ldap_connect_failure'; + return false; + } + + // Csatlakozás a szerverhez + $r = @ldap_bind($ds); + if (!$r) { + $_SESSION['alert'][] = 'message:ldap_bind_failure'; + return false; + } + + // Van-e adott azonosítójú felhasználó? + $filter="(&(cn=$groupCn)(objectClass=posixGroup))"; + $justthese=array('cn'); + $sr = ldap_search($ds, $AUTH[$toPolicy]['ldap base dn'], $filter, $justthese); + if (!$sr) { + $_SESSION['alert'][] = "message:ldap_search_failure"; + ldap_close($ds); + return false; + } + $info=ldap_get_entries($ds,$sr); + ldap_close($ds); + + if ( $info['count'] === 0 ) { + // Nincs ilyen groupCn (cn) - hibaüzenet csak akkor, ha nem kategóriáról van szó... + if (!in_array($groupCn, array_map('ekezettelen', $AUTH[$toPolicy]['categories']))) $_SESSION['alert'][] = "message:no_group:$groupCn"; + return false; + } elseif ( $info['count'] > 1 ) { + // Több ilyen cn is van + $_SESSION['alert'][] = "message:multi_gid:$groupCn"; + return false; + } + + if ($info['count']==1) { // Van - egy - ilyen csoport + return $info[0]['dn']; + } + + } + + + +###################################################### +# memberOf - csoport tag-e +###################################################### + + function ldapMemberOf($userAccount, $group, $toPolicy = _POLICY) { + + global $AUTH, $LDAP2Mayor; + + $userDn = LDAPuserAccountToDn($userAccount, $toPolicy); + if (in_array($group, $AUTH[$toPolicy]['categories'])) { + if (strpos($userDn, ',ou='.ekezettelen($group).',') !== false) return true; +# Ha nincs megfelelő ou-ban, akkor nézzük a csoport tagságot - így berakható időszakosan akárki pl a titkárság kategóriába... +# else return false; + } + + if (substr($group,0,3) != 'cn=') { + $groupDn = LDAPgroupCnToDn(ekezettelen($group)); + if (!$groupDn) return false; // Ha nincs ilyen csoport az LDAP fában + } else { + $groupDn = $group; + } + + // Kapcsolódás az LDAP szerverhez + $ds = @ldap_connect($AUTH[$toPolicy]['ldap hostname']); + if (!$ds) { + $_SESSION['alert'][] = 'alert:ldap_connect_failure'; + return false; + } + + // Csatlakozás a szerverhez + $r = @ldap_bind($ds); + if (!$r) { + $_SESSION['alert'][] = 'message:ldap_bind_failure'; + ldap_close($ds); + return false; + } + + $justthese = array('cn'); // valamit le kell kérdezni... +/* $filter = "(& (objectClass=mayorGroup) + (member=$userDn) + )"; +*/ + $filter = "(& (objectClass=posixGroup) + (memberUid=$userAccount) + )"; + $sr = @ldap_search($ds, $groupDn, $filter, $justthese); + if (!$sr) { + $_SESSION['alert'][] = "message:ldap_search_failure:".$filter; + ldap_close($ds); + return false; + } + + $info = ldap_get_entries($ds, $sr); + ldap_close($ds); + + if ($info['count'] > 0) { + return true; + } else { + return false; + } + + } + +###################################################### +# LDAPcreateContainer - tároló létrehozása +###################################################### + + function LDAPcreateContainer($containerDn, $toPolicy) { + + global $AUTH; + + $pos = strpos($containerDn, ',ou='); + $container = substr($containerDn, 3, $pos-3); + $rdn = substr($containerDn, $pos+1); + $cat = substr($containerDn, 3, strlen($containerDn)-4-strlen($AUTH[$toPolicy]['ldap base dn'])); + + error_reporting(1); + + // Kapcsolódás a szerverhez + $ds = @ldap_connect($AUTH[$toPolicy]['ldap hostname']); + if (!$ds) { + $_SESSION['alert'][] = 'alert:ldap_connect_failure'; + return false; + } + + // Csatlakozás a szerverhez + $r = @ldap_bind($ds, _USERDN, _USERPASSWORD); + if (!$r) { + $_SESSION['alert'][] = 'message:ldap_bind_failure'; + return false; + } + + // OU létrehozása + $info['ou'][0] = $container; + $info['objectclass'][0] = 'organizationalUnit'; + $info['description'][0] = $container; + + $_r1 = ldap_add($ds, $containerDn, $info); + if (!$_r1) { +// $_SESSION['alert'][] = 'message:ldap_add_failure:'.$containerDn; + return false; +// printf("LDAP-Error: %s<br>\n", ldap_error($ds)); +// echo '<pre>'; var_dump($info); echo '</pre>'; + } + + // az OU-hoz tartozó csoportok OU-ja + $info['ou'][0] = 'Groups'; + $info['objectclass'][0] = 'organizationalUnit'; + $info['description'][0] = "$container csoportjai"; + + $containerDn = "ou=Groups,$containerDn"; + $_r1 = ldap_add($ds, $containerDn, $info); + if (!$_r1) { + printf("LDAP-Error: %s<br>\n", ldap_error($ds)); + echo '<pre>'; var_dump($info); echo '</pre>'; + } + + // Az osztály csoport létrehozása + require_once('include/modules/session/createGroup.php'); + createGroup($container, "$container csoport", "$cat", $toPolicy); + + ldap_close($ds); + + } + +?> diff --git a/mayor-orig/www/include/backend/ldap/session/createAccount.php b/mayor-orig/www/include/backend/ldap/session/createAccount.php new file mode 100644 index 00000000..79f40530 --- /dev/null +++ b/mayor-orig/www/include/backend/ldap/session/createAccount.php @@ -0,0 +1,204 @@ +<?php +/* + Modules: base/session + + UNTESTED!!!! +*/ + + function ldapCreateAccount( + $userCn, $userAccount, $userPassword, $toPolicy, $SET + ) { + + global $AUTH; + + $category = ekezettelen($SET['category']); + $shadowLastChange = floor(time() / (60*60*24)); + + // $toPolicy --> ldap backend - ellenőrzés! + if ($AUTH[$toPolicy]['backend'] != 'ldap') { + $_SESSION['alert'][] = 'page:wrong_backend:'.$AUTH[$toPolicy]['backend']; + return false; + } + + // Kapcsolódás az LDAP szerverhez + $ds = @ldap_connect($AUTH[$toPolicy]['ldap hostname']); + if (!$ds) { + $_SESSION['alert'][] = 'alert:ldap_connect_failure'; + return false; + } + + // Csatlakozás a szerverhez + $r = @ldap_bind($ds, _USERDN, _USERPASSWORD); + if (!$r) { + $_SESSION['alert'][] = 'message:ldap_bind_failure'; + ldap_close($ds); + return false; + } + + $info = $groupinfo = $oinfo = Array(); + + // uid ütközés ellenőrzése + $filter = "(uid=$userAccount)"; + $justthese = array('uid'); + $sr = ldap_search($ds, $AUTH[$toPolicy]['ldap base dn'], $filter, $justthese); + $uinfo = ldap_get_entries($ds, $sr); + $uidCount = $uinfo['count']; + ldap_free_result($sr); + if ($uidCount > 0) { + $_SESSION['alert'][] = 'message:multi_uid:'.$userAccount; + return false; + } + + // Az következő uidNumber megállapítása + $filter = '(objectClass=mayorOrganization)'; + $justthese = array('nextuid', 'freeuid'); + $sr = ldap_search($ds,$AUTH[$toPolicy]['ldap base dn'], $filter, $justthese); + $uidinfo = ldap_get_entries($ds,$sr); + ldap_free_result($sr); + if (isset($uidinfo[0]['freeuid']['count'])) $freeUidCount = $uidinfo[0]['freeuid']['count']; + else $freeUidCount = 0; + if ($freeUidCount == 0) { + $info['uidnumber'] = array($uidinfo[0]['nextuid'][0]); + $info['gidnumber'] = $info['uidnumber']; + $oinfo['nextuid'] = $info['uidnumber'][0]+1; + } else { + $info['uidnumber'] = array($uidinfo[0]['freeuid'][$freeUidCount-1]); + $info['gidnumber'] = $info['uidnumber']; + $oinfo['freeuid'] = $uidinfo[0]['freeuid'][$freeUidCount-1]; + } + + // shadow attributumok... + // A shadowLastChange a mai nap // if (isset($AUTH[$toPolicy]['shadowlastchange']) && $AUTH[$toPolicy]['shadowlastchange'] != '') + $info['shadowlastchange'] = $shadowLastChange; + if (isset($AUTH[$toPolicy]['shadowmin']) && $AUTH[$toPolicy]['shadowmin'] != '') $info['shadowmin'] = $AUTH[$toPolicy]['shadowmin']; + if (isset($AUTH[$toPolicy]['shadowmax']) && $AUTH[$toPolicy]['shadowmax'] != '') $info['shadowmax'] = $AUTH[$toPolicy]['shadowmax']; + if (isset($AUTH[$toPolicy]['shadowwarning']) && $AUTH[$toPolicy]['shadowwarning'] != '') $info['shadowwarning'] = $AUTH[$toPolicy]['shadowwarning']; + if (isset($AUTH[$toPolicy]['shadowinactive']) && $AUTH[$toPolicy]['shadowinactive'] != '') $info['shadowinactive'] = $AUTH[$toPolicy]['shadowinactive']; + if (isset($AUTH[$toPolicy]['shadowexpire']) && $AUTH[$toPolicy]['shadowexpire'] != '') $info['shadowexpire'] = $AUTH[$toPolicy]['shadowexpire']; + + // A szokásos attribútumok + $info['uid'] = array($userAccount); + $info['cn'] = array($userCn); + $info['sn'] = array('-'); + $info['userpassword'] = array('{crypt}' . crypt($userPassword)); + if (is_array($SET['policyAttrs'])) foreach ($SET['policyAttrs'] as $attr => $value) $info[kisbetus($attr)] = $value; + if (($pos = strpos($category,',')) !== false) + $info['homedirectory'] = "/home/diak/".substr($category,0,$pos)."/$userAccount"; + else + $info['homedirectory'] = "/home/$category/$userAccount"; + + // A kategória függő attribútumok + if (isset($SET['container']) && $SET['container'] != '') { + $dn = "uid=$userAccount,".$SET['container']; + $group = "cn=$userAccount,ou=Groups,".$SET['container']; + $ouDn = $SET['container']; + } else { + $dn = "uid=$userAccount,ou=".$category.','.$AUTH[$toPolicy]['ldap base dn']; + $group = "cn=$userAccount,ou=Groups,ou=".$category.','.$AUTH[$toPolicy]['ldap base dn']; + $ouDn = "ou=".$category.",".$AUTH[$toPolicy]['ldap base dn']; + } + + if ($SET['createContainer']) { // Létrehozza a tároló elemet, benne az OU=Groups tárolót, benne a megfelelő csoportot + LDAPcreateContainer($ouDn, $toPolicy); + } + // objectum osztályok + // a mayorPerson a posixAccount és shadowAccount leszármazottja, + // de kell egy structural object is - ez a person - aminek kötelező paramétere az sn! + $info['objectclass'] = array('person', 'mayorPerson'); + + // user felvétel + $info['homedirectory'] = ekezettelen($info['homedirectory']); // Nem lehet ékezetes :o( + + $_r1 = ldap_add($ds,$dn,$info); + if (!$_r1) { + printf("LDAP-Error: %s<br>\n", ldap_error($ds)); + echo $dn.'<pre>'; var_dump($info); echo '</pre>'; + return false; + } + + // user csoportja + $groupinfo['cn'] = $userAccount; + $groupinfo['gidnumber'] = $info['uidnumber']; + $groupinfo['memberuid'] = ekezettelen($userAccount); // Nem lehet ékezetes :o( + $groupinfo['description'] = 'A felhasználó saját csoportja'; + $groupinfo['objectclass'] = 'posixGroup'; + $_r2 = ldap_add($ds, $group, $groupinfo); + if (!$_r2) { + printf("LDAP-Error (userGroup): %s<br>\n", ldap_error($ds)); + echo $group.'<pre>'; var_dump($groupinfo); echo '</pre>'; + return false; + } + + // Kategória csoportba rakás vagy tanár csoportba rakás ugye... + // És nincs diák csoport! + $ginfo['memberuid'] = ekezettelen($userAccount); // Nem lehet ékezetes :o( + $ginfo['member'] = $dn; + + // Kategória csoportba és egyéb csoportokba rakás + if (isset($SET['category'])) { + if (is_array($SET['groups'])) array_unshift($SET['groups'], $category); + else $SET['groups'] = array($category); + + for ($i = 0; $i < count($SET['groups']); $i++) { + + $filter = "(&(objectClass=mayorGroup)(cn=".$SET['groups'][$i]."))"; + $justthese = array('cn'); + $sr = ldap_search($ds, $AUTH[$toPolicy]['ldap base dn'], $filter, $justthese); + if (ldap_count_entries($ds, $sr)) { + $grpInfo = ldap_get_entries($ds, $sr); + $groupDn = $grpInfo[0]['dn']; + $_r3 = ldap_mod_add($ds, $groupDn, $ginfo); + if (!$_r3) { + printf("LDAP-Error (category): %s<br>\n", ldap_error($ds)); + echo $groupDn.'<pre>'; var_dump($ginfo); echo '</pre>'; + } + } + + } + + } + + + // nextuid növelés + if ($freeUidCount == 0) { + $_r4 = ldap_mod_replace($ds,$AUTH[$toPolicy]['ldap base dn'],$oinfo); + } else { + $_r4 = ldap_mod_del($ds,$AUTH[$toPolicy]['ldap base dn'],$oinfo); + } + if (!$_r4) { + printf("LDAP-Error (freeUid): %s<br>\n", ldap_error($ds)); + return false; + } + + ldap_close($ds); + + if (defined('_DATADIR') + && isset($AUTH[$toPolicy]['createAccountScript']) + && file_exists(_DATADIR) + ) { + $sfp = fopen(_DATADIR.'/'.$AUTH[$toPolicy]['createAccountScript'],'a+'); + if ($sfp) { + fwrite($sfp,"\n# $userAccount l.trehoz.sa\n"); + fwrite($sfp,'/bin/mkdir -p '.$info['homedirectory']."\n"); + fwrite($sfp,'/bin/chmod 2755 '.$info['homedirectory']."\n"); + fwrite($sfp,"/bin/chown $userAccount.$userAccount ".$info['homedirectory']."\n"); + + fwrite($sfp,'/bin/mkdir '.$info['homedirectory']."/private\n"); + fwrite($sfp,"/bin/chown $userAccount.$userAccount ".$info['homedirectory']."/private\n"); + fwrite($sfp,'/bin/chmod 0770 '.$info['homedirectory']."/private\n"); + + fwrite($sfp,'/bin/mkdir '.$info['homedirectory']."/public_html\n"); + fwrite($sfp,"/bin/chown $userAccount.$userAccount ".$info['homedirectory']."/public_html\n"); + fwrite($sfp,'/bin/chmod 0755 '.$info['homedirectory']."/public_html\n"); + + fwrite($sfp,'/bin/ln -s '.$info['homedirectory']." /home\n"); +// chmod($scriptFile,0770); + fclose($sfp); + } + } + $_SESSION['alert'][] = 'info:create_uid_success:'.$dn; + return true; + + } + +?> diff --git a/mayor-orig/www/include/backend/ldap/session/createGroup.php b/mayor-orig/www/include/backend/ldap/session/createGroup.php new file mode 100644 index 00000000..df2de812 --- /dev/null +++ b/mayor-orig/www/include/backend/ldap/session/createGroup.php @@ -0,0 +1,103 @@ +<?php +/* + Modules: base/session +*/ + + function ldapCreateGroup($groupCn, $groupDesc, $toPolicy = _POLICY, $SET) { + + global $AUTH; + $category = ekezettelen($SET['category']); + + // $toPolicy --> ldap backend - ellenőrzés! + if ($AUTH[$toPolicy]['backend'] != 'ldap') { + $_SESSION['alert'][] = 'page:wrong_backend:'.$AUTH[$toPolicy]['backend']; + return false; + } + + // Kapcsolódás az LDAP szerverhez + $ds = @ldap_connect($AUTH[$toPolicy]['ldap hostname']); + if (!$ds) { + $_SESSION['alert'][] = 'alert:ldap_connect_failure'; + return false; + } + + // Csatlakozás a szerverhez + $r = @ldap_bind($ds, _USERDN, _USERPASSWORD); + if (!$r) { + $_SESSION['alert'][] = 'message:ldap_bind_failure'; + ldap_close($ds); + return false; + } + + $info = $groupinfo = $oinfo = Array(); + + // cn ütközés ellenőrzése + $filter = "(&(objectclass=posixgroup)(cn=$groupCn))"; + $justthese = array('cn'); + $sr = ldap_search($ds, $AUTH[$toPolicy]['ldap base dn'], $filter, $justthese); + $ginfo = ldap_get_entries($ds, $sr); + $gCount = $ginfo['count']; + ldap_free_result($sr); + if ($gCount > 0) { + $_SESSION['alert'][] = 'message:multi_uid:'.$groupCn; + return false; + } + + // Az következő gidNumber megállapítása + $filter = '(objectClass=mayorOrganization)'; + $justthese = array('nextgid', 'freegid'); + $sr = ldap_search($ds,$AUTH[$toPolicy]['ldap base dn'], $filter, $justthese); + $ginfo = ldap_get_entries($ds,$sr); + ldap_free_result($sr); + if (isset($ginfo[0]['freegid']['count'])) $freeGidCount = $ginfo[0]['freegid']['count']; + else $freeGidCount = 0; + if ($freeGidCount == 0) { + $info['gidnumber'] = array($ginfo[0]['nextgid'][0]); + $oinfo['nextgid'] = $info['gidnumber'][0]+1; + } else { + $info['gidnumber'] = array($ginfo[0]['freegid'][$freeGidCount-1]); + $oinfo['freegid'] = $ginfo[0]['freegid'][$freeGidCount-1]; + } + + // A szokásos attribútumok + $info['cn'] = array($groupCn); + $info['description'] = array($groupDesc); + + // A kategória függő attribútumok + if (isset($SET['container'])) $dn = "cn=$groupCn,".$SET['container']; + else $dn = "cn=$groupCn,ou=Groups,ou=$category,".$AUTH[$toPolicy]['ldap base dn']; + + // objectum osztályok + $info['objectclass'] = array('posixGroup', 'mayorGroup'); + + // Policy függő attribútumok - LDAP esetén pl a member kötelező + if (is_array($SET['policyAttrs'])) foreach ($SET['policyAttrs'] as $attr => $value) $info[kisbetus($attr)] = $value; + + // csoport felvétel + $_r1 = ldap_add($ds,$dn,$info); + if (!$_r1) { + printf("LDAP-Error: %s<br>\n", ldap_error($ds)); + echo $dn.'<hr>'; + var_dump($info); + echo '<hr>'; + var_dump($SET); + } + + // nextuid növelés + if ($freeGidCount == 0) { + $_r4 = ldap_mod_replace($ds,$AUTH[$toPolicy]['ldap base dn'],$oinfo); + } else { + $_r4 = ldap_mod_del($ds,$AUTH[$toPolicy]['ldap base dn'],$oinfo); + } +// if (!$_r4) { +// printf("LDAP-Error: %s<br>\n", ldap_error($_r4)); +// } + + ldap_close($ds); + + $_SESSION['alert'][] = 'info:create_group_success:'.$dn; + return true; + + } + +?> diff --git a/mayor-orig/www/include/backend/ldap/session/search/searchAccount.php b/mayor-orig/www/include/backend/ldap/session/search/searchAccount.php new file mode 100644 index 00000000..62e19c5f --- /dev/null +++ b/mayor-orig/www/include/backend/ldap/session/search/searchAccount.php @@ -0,0 +1,311 @@ +<?php +/* + Module: base/session + Backend: ldap + + ! -- Csak publikus mezőkre lehet keresni! -- ! + function LDAPSearch($attr, $pattern, $searchAttrs=array('cn'), $filter='(objectclass=*)') + function ldapSearchAccount($attr, $pattern, $searchAttrs = array('userCn')) + function ldapSearchGroup($attr, $pattern, $searchAttrs = array('groupCn, groupDesc'), $toPolicy = '') { + +*/ + +###################################################### +# Általános LDAP kereső függvény +###################################################### + + function LDAPSearch($attr, $pattern, $searchAttrs=array('cn'), $filter='(objectclass=*)', $toPolicy = _POLICY) { + + global $AUTH; + + if ($pattern == '') { + $_SESSION['alert'][] = 'message:empty_field'; + return false; + } + + // Kapcsolódás az LDAP szerverhez + $ds = @ldap_connect($AUTH[$toPolicy]['ldap hostname']); + if (!$ds) { + $_SESSION['alert'][] = 'alert:ldap_connect_failure'; + return false; + } + + // Csatlakozás a szerverhez + $r = @ldap_bind($ds); + if (!$r) { + $_SESSION['alert'][] = 'message:ldap_bind_failure'; + ldap_close($ds); + return false; + } + + // Keresés + $filter = "(&$filter($attr=*$pattern*))"; + $sr = @ldap_search($ds, $AUTH[$toPolicy]['ldap base dn'], $filter, $searchAttrs); + if (!$sr) { + $_SESSION['alert'][] = "message:ldap_search_failure:".$filter; + ldap_close($ds); + return false; + } + + $info = @ldap_get_entries($ds,$sr); + ldap_close($ds); + + return $info; + + } + +###################################################### +# ldapSearchAccount - felhasználó kereső függvény +###################################################### + + function ldapSearchAccount($attr, $pattern, $searchAttrs = array('userCn'), $toPolicy = _POLICY) { + + global $accountAttrToLDAP; + + // A keresendő attribútum konvertálása LDAP attribútummá + if ($accountAttrToLDAP[ $attr ] != '') $attrLDAP = $accountAttrToLDAP[ $attr ]; + else $attrLDAP = $attr; + if ($attrLDAP == 'dn') $attrLDAP = 'uid'; // dn-re nem megy a keresés!! + + // A lekérendő attribútumok konvertálása LDAP attribútummá + for ($i = 0; $i < count($searchAttrs); $i++) { + if ($accountAttrToLDAP[ $searchAttrs[$i] ] != '') $searchAttrsLDAP[$i] = $accountAttrToLDAP[ $searchAttrs[$i] ]; + else $searchAttrsLDAP[$i] = $searchAttrs[$i]; + } + + $result = LDAPSearch($attrLDAP, $pattern, $searchAttrsLDAP, '(objectclass=posixaccount)', $toPolicy); + if ($result === false) { + return false; + } else { + + // LDAP schema --> mayor schema konverzió + for ($i = 0; $i < $result['count']; $i++) { + // Egységes szerkezetre alakítjuk, azaz a dn is indexelt + $result[$i]['dn'] = $return[$i]['userAccount'] = array('count' => 1, 0 => $result[$i]['dn']); + for ($j = 0; $j < count($searchAttrs); $j++) { + $a = $searchAttrs[$j]; + if (isset($result[$i][ $accountAttrToLDAP[$a] ])) { + if ($accountAttrToLDAP[$a] != '') $return[$i][$a] = $result[$i][ $accountAttrToLDAP[$a] ]; + else $return[$i][$a] = $result[$i][$a]; + } else { + $return[$i][$a] = array('count' => 0) ; + } + } + $return[$i]['category'] = getAccountCategories($result[$i]['uid'][0], $toPolicy); + $return[$i]['category']['count'] = count($return[$i]['category']); + } + $return['count'] = $result['count']; + + return $return; + + } + + } + +###################################################### +# ldapSearchGroup - csoport kereső függvény +###################################################### + + function ldapSearchGroup($attr, $pattern, $searchAttrs = array('groupCn, groupDesc'), $toPolicy = _POLICY) { + + global $groupAttrToLDAP; + + // A keresendő attribútum konvertálása LDAP attribútummá + if ($groupAttrToLDAP[ $attr ] != '') $attrLDAP = $groupAttrToLDAP[ $attr ]; + else $attrLDAP = $attr; + if ($attrLDAP == 'dn') $attrLDAP = 'cn'; // dn-re nem megy a keresés!! + + // A lekérendő adtibútumok konvertálása LDAP attribútummá + for ($i = 0; $i < count($searchAttrs); $i++) { + if ($groupAttrToLDAP[ $searchAttrs[$i] ] != '') $searchAttrsLDAP[$i] = $groupAttrToLDAP[ $searchAttrs[$i] ]; + else $searchAttrsLDAP[$i] = $searchAttrs[$i]; + } + + $result = LDAPSearch($attrLDAP, $pattern, $searchAttrsLDAP, '(objectclass=posixgroup)', $toPolicy); + if ($result === false) { + return false; + } else { + + // LDAP schema --> mayor schema konverzió + for ($i = 0; $i < $result['count']; $i++) { + // Egységes szerkezetre alakítjuk, azaz a dn is indexelt + $result[$i]['dn'] = $return[$i]['groupCn'] = array('count' => 1, 0 => $result[$i]['dn']); + for ($j = 0; $j < count($searchAttrs); $j++) { + $a = $searchAttrs[$j]; + if (!isset($groupAttrToLDAP[$a]) || $groupAttrToLDAP[$a] != '') { + if (isset($result[$i][ $groupAttrToLDAP[$a] ])) $return[$i][$a] = $result[$i][ $groupAttrToLDAP[$a] ]; + else $return[$i][$a] = ''; + } else { + $return[$i][$a] = $result[$i][$a]; + } + } + } + $return['count'] = $result['count']; + + return $return; + + } + + } + +###################################################### +# ldapDeleteAccount - account törlése +###################################################### + + function ldapDeleteAccount($userAccount, $toPolicy = _POLICY) { + + global $AUTH; + + $userDn = LDAPuserAccountToDn($userAccount, $toPolicy); + + // $toPolicy --> ldap backend - ellenőrzés + if ($AUTH[$toPolicy]['backend'] != 'ldap') { + $_SESSION['alert'][] = 'page:wrong_backend:'.$AUTH[$toPolicy]['backend']; + return false; + } + + // Kapcsolódás az LDAP szerverhez + $ds = @ldap_connect($AUTH[$toPolicy]['ldap hostname']); + if (!$ds) { + $_SESSION['alert'][] = 'alert:ldap_connect_failure'; + return false; + } + + // Csatlakozás a szerverhez + $r = @ldap_bind($ds, _USERDN, _USERPASSWORD); + if (!$r) { + $_SESSION['alert'][] = 'message:ldap_bind_failure'; + ldap_close($ds); + return false; + } + + // Az uidNumber, a homeDirectory lekerdezése + $filter = "(objectclass=posixAccount)"; + $justthese = array('uidNumber','homedirectory'); + $sr = @ldap_search($ds,$userDn,$filter,$justthese); + if (!$sr) { + $_SESSION['alert'][] = "message:ldap_search_failure:".$userDn; + ldap_close($ds); + return false; + } ; + + $uidinfo = @ldap_get_entries($ds,$sr); + $uidNumber = $uidinfo[0]['uidnumber'][0]; + if (isset($uidinfo[0]['homedirectory'][0])) $homeDirectory = $uidinfo[0]['homedirectory'][0]; + else $homeDirectory = ''; + $uid=$userAccount; + + // GroupDn, freeuid + $groupDn = "cn=$uid,ou=Groups".strstr($userDn,','); + $oinfo['freeuid'] = $uidNumber; + + // user törlése + if (!@ldap_delete($ds,$userDn)) { + $_SESSION['alert'][] = 'message:ldap_delete_failure:user:'.$userAccount; + } + + // freeuid felvétele + if (!@ldap_mod_add($ds,$AUTH[$toPolicy]['ldap base dn'],$oinfo)) { + $_SESSION['alert'][] = 'message:ldap_modify_failure:freeuid:'.$oinfo['freeuid']; + } + + // csoport törlése + if (!@ldap_delete($ds,$groupDn)) { + $_SESSION['alert'][] = 'message:ldap_delete_failure:group:'.$groupDn; + } + + // törlés a csoportból + $filter = "(memberuid=$uid)"; + $justthese = array('cn','objectclass','member'); + $sr = @ldap_search($ds,$AUTH[$toPolicy]['ldap base dn'],$filter,$justthese); + if (!$sr) { + $_SESSION['alert'][] = "message:ldap_search_failure:groups:".$userAccount; + ldap_close($ds); + return false; + } ; + + $groupinfo = ldap_get_entries($ds,$sr); + + for ($i = 0; $i < $groupinfo['count']; $i++) { + $grpinfo = array('memberuid' => $uid); + if (@in_array($userDn,$groupinfo[$i]['member'])) { + $grpinfo['member']=$userDn; + } + if (!@ldap_mod_del($ds,$groupinfo[$i]['dn'],$grpinfo)) { + $_SESSION['alert'][] = 'message:ldap_delete_failure:member:'.$groupinfo[$i]['dn']; + } + } + + ldap_close($ds); + + $_SESSION['alert'][] = 'info:delete_uid_success:'.$userDn; + return true; + + } + +###################################################### +# ldapDeleteGroup - account törlése +###################################################### + + function ldapDeleteGroup($groupCn, $toPolicy = _POLICY) { + + global $AUTH; + + $groupDn = LDAPgroupCnToDn($groupCn, $toPolicy); + + // $toPolicy --> ldap backend - ellenőrzés + if ($AUTH[$toPolicy]['backend'] != 'ldap') { + $_SESSION['alert'][] = 'page:wrong_backend:'.$AUTH[$toPolicy]['backend']; + return false; + } + + // Kapcsolódás az LDAP szerverhez + $ds = @ldap_connect($AUTH[$toPolicy]['ldap hostname']); + if (!$ds) { + $_SESSION['alert'][] = 'alert:ldap_connect_failure'; + return false; + } + + // Csatlakozás a szerverhez + $r = @ldap_bind($ds, _USERDN, _USERPASSWORD); + if (!$r) { + $_SESSION['alert'][] = 'message:ldap_bind_failure'; + ldap_close($ds); + return false; + } + + // Az uidNumber, a homeDirectory lekerdezése + $filter = '(objectclass=posixGroup)'; + $justthese = array('gidNumber'); + $sr = @ldap_search($ds, $groupDn, $filter, $justthese); + if (!$sr) { + $_SESSION['alert'][] = 'message:ldap_search_failure:'.$userDn; + ldap_close($ds); + return false; + } ; + + $gidinfo = ldap_get_entries($ds, $sr); + $gidNumber = $gidinfo[0]['gidnumber'][0]; + + // freeGid + $oinfo['freegid'] = $gidNumber; + + if (!@ldap_delete($ds, $groupDn)) { + $_SESSION['alert'][] = 'message:ldap_delete_failure:group:'.$groupCn; + } + + // freeuid felvétele + if (!@ldap_mod_add($ds, $AUTH[$toPolicy]['ldap base dn'], $oinfo)) { + $_SESSION['alert'][] = 'message:ldap_modify_failure:freeGid:'.$oinfo['freegid']; + } + + ldap_close($ds); + + $_SESSION['alert'][] = 'info:delete_group_success:'.$groupCn; + return true; + + } + + + +?> diff --git a/mayor-orig/www/include/backend/ldapng/auth/login.php b/mayor-orig/www/include/backend/ldapng/auth/login.php new file mode 100644 index 00000000..b24b4b96 --- /dev/null +++ b/mayor-orig/www/include/backend/ldapng/auth/login.php @@ -0,0 +1,163 @@ +<?php +/* + Auth-ldapng + + A név-jelszó pár ellenőrzése LDAP adatbázis alapján +*/ + +/* -------------------------------------------------------------- + + Felhasználók azonosítása az LDAP-ban tárolt konfigurálható + osztályok alapján történik. + + A függvény az előre definiált _AUTH_SUCCESS, _AUTH_EXPIRED, _AUTH_FAILURE + konstansok valamelyikével tér vissza. (include/modules/auth/base/config.php) + + Sikeres hitelesítés esetén + az egyéb account információkat (minimálisan a 'cn', azaz 'common name' + attribútumot) a cím szerint átadott $accountInformation tömbbe helyezi el. + + Sikertelen azonosítás esetén a globális $_SESSION['alert'] változóban jelzi az + elutasítás okát (ldap_connect_failure, ldap_bind_failure, ldap_search_failure, no_account, multi_uid, + account_disabled, bad_pw, account_warning, account_expired, warn_account_disable. + +-------------------------------------------------------------- */ + +###################################################################### +# Az LDAP protocol version 3 kötelező, +# referals=0 nélkül használhatatlanul lassú +###################################################################### + + ldap_set_option(NULL, LDAP_OPT_PROTOCOL_VERSION, 3); + ldap_set_option(NULL, LDAP_OPT_REFERRALS, 0); + + + function ldapngUserAuthentication($userAccount, $userPassword, &$accountInformation, $toPolicy) { + + global $AUTH; + + if ($toPolicy == '') { + if ($accountInformation['policy'] != '') $toPolicy = $accountInformation['policy']; +// elseif ($_REQUEST['toPolicy'] != '') $toPolicy = $_REQUEST['toPolicy']; + else $toPolicy = _POLICY; + } + + // Kapcsolódás a szerverhez + $ds = ldap_connect($AUTH[$toPolicy]['ldapHostname']); + if (!$ds) { + $_SESSION['alert'][] = 'alert:ldap_connect_failure'; + return _AUTH_FAILURE; + } + + // Csatlakozás a szerverhez + $r = @ldap_bind($ds,$AUTH[$toPolicy]['ldapUser'],$AUTH[$toPolicy]['ldapPw']); + if (!$r) { + $_SESSION['alert'][] = 'message:ldap_bind_failure:userAuthentication:'.$AUTH[$toPolicy]['ldapUser']; + return _AUTH_FAILURE; + } + + // Van-e adott azonosítójú felhasználó? + $filter="(&(".$AUTH[$toPolicy]['ldapUserAccountAttr']."=$userAccount)(objectClass=".$AUTH[$toPolicy]['ldapUserObjectClass']."))"; + $justthese = array("sn",$AUTH[$toPolicy]['ldapCnAttr'],$AUTH[$toPolicy]['ldapStudyIdAttr'],"shadowexpire","shadowwarning","shadowinactive","shadowlastchange","shadowmax"); + $sr = ldap_search($ds, $AUTH[$toPolicy]['ldapBaseDn'], $filter, $justthese); + if (!$sr) { + $_SESSION['alert'][] = "message:ldap_search_failure"; + ldap_close($ds); + return _AUTH_FAILURE; + } + $info = ldap_get_entries($ds,$sr); + + if ( $info['count'] === 0 || is_null($info)) { // http://bugs.php.net/50185 ha nincs megfelelő elem, akkor - hibásan - null-al tér vissza! (~ PHP 5.2.10) + // Nincs ilyen userAccount (uid) + $_SESSION['alert'][] = "message:no_account:$userAccount"; + ldap_close($ds); + return _AUTH_FAILURE_1; + } + + if ( $info['count'] > 1 ) { + // Több ilyen uid is van + $_SESSION['alert'][] = "message:multi_uid"; + ldap_close($ds); + return _AUTH_FAILURE_2; + } + + if ($info['count']==1) { // Van - egy - ilyen felhasználó + + + $accountInformation['cn'] = $info[0][ $AUTH[$toPolicy]['ldapCnAttr'] ][0]; + $accountInformation['studyId'] = $info[0][ $AUTH[$toPolicy]['ldapStudyIdAttr'] ][0]; + + $accountInformation['dn'] = $info[0]['dn']; + $accountInformation['account'] = $userAccount; + // Lejárt-e + // A lejárat ideje a shadowExpire és shadowLastChange+shadowMax kötül a kisebbik + if ($info[0]['pwdlastset'][0] != '') { // A pwdLastSet és shadowLastChange közül a kisebbiket használjuk +// if ($info[0]['shadowlastchange'][0] != '') +// $info[0]['shadowlastchange'][0] = min(pwdLastSet2shadowLastChange($info[0]['pwdlastset'][0]), $info[0]['shadowlastchange'][0]); +// else + $info[0]['shadowlastchange'][0] = pwdLastSet2shadowLastChange($info[0]['pwdlastset'][0]); + } + if ($info[0]['accountexpires'][0] != '') { // Az accountExpires és a shadowExpire közül a kisebbiket használjuk +// if ($info[0]['shadowexpire'][0] != '') +// $info[0]['shadowexpire'][0] = min(pwdLastSet2shadowLastChange($info[0]['accountexpires'][0]), $info[0]['shadowexpire'][0]); +// else + $info[0]['shadowexpire'][0] = pwdLastSet2shadowLastChange($info[0]['accountexpires'][0]); + } + if ($info[0]['shadowexpire'][0] != '') $expireTimestamp = $info[0]['shadowexpire'][0]; + if ( + $info[0]['shadowmax'][0] != '' && + ( + !isset($expireTimestamp) || + $expireTimestamp > $info[0]['shadowlastchange'][0] + $info[0]['shadowmax'][0] + ) + ) $expireTimestamp = $info[0]['shadowlastchange'][0] + $info[0]['shadowmax'][0]; + // lejárt, ha lejárat ideje már elmúlt + $accountExpired = (isset($expireTimestamp) && ($expireTimestamp <= floor(time()/(60*60*24)))); + + // Le van-e tiltva + // Ha több mint shadowInactive napja lejárt + if ( // onDisabled: none | refuse + $AUTH[$toPolicy]['onDisabled'] == 'refuse' && + isset($expireTimestamp) && + $expireTimestamp + $info[0]['shadowinactive'][0] <= floor(time()/(60*60*24)) + ) { + // Le van tiltva + $_SESSION['alert'][] = 'message:account_disabled'; + ldap_close($ds); + return _AUTH_FAILURE_4; + } // onDisabled + + // Jelszó ellenőrzés - lehet-e csatlakozni + if (!@ldap_bind($ds, $accountInformation['dn'], $userPassword)) { + $_SESSION['alert'][] = 'message:bad_pw'; + return _AUTH_FAILURE_3; + } + + ldap_close($ds); + // Lejárt-e az azonosító + if ($AUTH[$toPolicy]['onExpired'] != 'none' && isset($expireTimestamp)) { // onExpired: none | warning | force update + // Lejárt-e + $pwLejar = $expireTimestamp - floor(time()/(60*60*24)); + if (0 < $pwLejar && $pwLejar < $info[0]['shadowwarning'][0]) { + $_SESSION['alert'][] = 'info:account_warning:'.$pwLejar; + return _AUTH_SUCCESS; + } elseif ($pwLejar <= 0) { + $_SESSION['alert'][] = 'info:account_expired:'.abs($pwLejar); + if ($AUTH[$toPolicy]['onDisabled'] == 'refuse') $_SESSION['alert'][] = 'info:warn_account_disable:'.($info[0]['shadowinactive'][0]+$pwLejar); + if ($AUTH[$toPolicy]['onExpired'] == 'warning') { + return _AUTH_SUCCESS; + } elseif ($AUTH[$toPolicy]['onExpired'] == 'force update') { + return _AUTH_EXPIRED; + } else { + return _AUTH_FAILURE; + } + } + } // onExpired + // Ha idáig eljut, akkor minden rendben. + return _AUTH_SUCCESS; + + } // count == 1 + + } + +?> diff --git a/mayor-orig/www/include/backend/ldapng/base/attrs.php b/mayor-orig/www/include/backend/ldapng/base/attrs.php new file mode 100644 index 00000000..2ea07778 --- /dev/null +++ b/mayor-orig/www/include/backend/ldapng/base/attrs.php @@ -0,0 +1,137 @@ +<?php +/* + Module: useradmin +*/ + + if (file_exists('lang/'._LANG.'/backend/ldapng/attrs.php')) { + require('lang/'._LANG.'/backend/ldapng/attrs.php'); + } elseif (file_exists('lang/'._DEFAULT_LANG.'/backend/ldapng/attrs.php')) { + require('lang/'._DEFAULT_LANG.'/backend/ldapng/attrs.php'); + } + +###################################################### +# Alapértelmezett jogosultságok +# +# w - Írható/olvasható +# r - olvasható +# - - egyik sem +# +# Három karakter: admin, self, other jogai +###################################################### + + define('_DEFAULT_LDAP_RIGHTS','wr-'); + +###################################################### +# Az LDAP account attribútumok +###################################################### + + global $ldapngAccountAttrs; + $ldapngAccountAttrs = array( + 'cn', + 'serialnumber', + 'uid', + 'uidnumber', + 'gidnumber', + 'unixhomedirectory', + 'loginshell', + + 'shadowlastchange', + 'shadowexpire', + 'shadowwarning', + 'shadowmin', + 'shadowmax', + 'shadowinactive', + +/* + 'gecos', + 'mail', + 'telephonenumber', + 'mobile', + 'l', + 'street', + 'postaladdress', + 'postalcode', + 'homedirectory', +*/ + ); + + global $ldapngGroupAttrs; + $ldapngGroupAttrs = array( + 'cn', + 'description', + 'member', + 'name', + 'samaccountname', + 'objectcategory', + 'gidnumber', // ennek kellene lennie - mitől lesz? +/* 'memberuid' */ + ); + + global $accountAttrToLDAP; // Kis és nagybetű számít!!! + $accountAttrToLDAP = array( + 'userAccount' => 'uid', + 'userCn' => 'displayName', + 'mail' => 'mail', + 'studyId' => 'employeeNumber', // Ez konfig-ban külön van állítva, az itteni érték irreleváns + 'shadowLastChange' => 'shadowLastChange', + 'shadowWarning' => 'shadowWarning', + 'shadowMin' => 'shadowMin', + 'shadowMax' => 'shadowMax', + 'shadowExpire' => 'shadowExpire', + 'shadowInactive' => 'shadowInactive', + ); + + global $groupAttrToLDAP; + $groupAttrToLDAP = array( + 'groupCn' => 'cn', + 'groupDesc' => 'description', + 'member' => 'member', + ); + + global $ldapngAccountAttrDef; + $ldapngAccountAttrDef = array( + 'dn' => array('desc' => _LDAPDN, 'type' => 'text', 'rights' => 'rrr'), + 'cn' => array('desc' => _LDAPCN, 'type' => 'text', 'rights' => 'rrr'), + 'sn' => array('desc' => _LDAPSN, 'type' => 'text', 'rights' => 'wrr'), + 'givenname' => array('desc' => _LDAPGIVENNAME, 'type' => 'text'), + 'employeenumber' => array('desc' => _LDAPEMPLOYEENUMBER, 'type' => 'int', 'rights' => 'wrr'), + 'displayname' => array('desc' => _LDAPCN, 'type' => 'text', 'rights' => 'wrr'), + 'name' => array('desc' => _LDAPNAME, 'type' => 'text', 'rights' => 'r--'), + 'uid' => array('desc' => _LDAPUID, 'type' => 'text', 'rights' => 'rrr'), + 'uidnumber' => array('desc' => _LDAPUIDNUMBER, 'type' => 'int', 'rights' => 'w--'), + 'gidnumber' => array('desc' => _LDAPGIDNUMBER, 'type' => 'int', 'rights' => 'w--'), + 'mssfu30name' => array('desc' => _LDAPUID, 'type' => 'text', 'rights' => 'r--'), + 'unixhomedirectory' => array('desc' => _LDAPUNIXHOMEDIRECTORY, 'type' => 'text', 'rights' => 'wrr'), + 'loginshell' => array('desc' => _LDAPLOGINSHELL, 'type' => 'text', 'rights' => 'wrr'), + 'shadowlastchange' => array('desc' => _LDAPSHADOWLASTCHANGE, 'type' => 'text', 'rights' => 'wrr'), + 'shadowexpire' => array('desc' => _LDAPSHADOWEXPIRE, 'type' => 'text', 'rights' => 'wrr'), + 'shadowwarning' => array('desc' => _LDAPSHADOWWARNING, 'type' => 'text', 'rights' => 'wrr'), + 'shadowmin' => array('desc' => _LDAPSHADOWMIN, 'type' => 'text', 'rights' => 'wrr'), + 'shadowmax' => array('desc' => _LDAPSHADOWMAX, 'type' => 'text', 'rights' => 'wrr'), + 'shadowinactive' => array('desc' => _LDAPSHADOWINACTICE, 'type' => 'text', 'rights' => 'wrr'), +/* + 'gecos' => array('desc' => _LDAPGECOS, 'type' => 'text', 'rights' => 'w--'), + 'mail' => array('desc' => _LDAPMAIL, 'type' => 'text', 'rights' => 'wwr'), + 'telephonenumber' => array('desc' => _LDAPTELEPHONENUMBER, 'type' => 'text', 'rights' => 'ww-'), + 'mobile' => array('desc' => _LDAPMOBILE, 'type' => 'text', 'rights' => 'ww-'), + 'l' => array('desc' => _LDAPL, 'type' => 'text'), + 'street' => array('desc' => _LDAPSTREET, 'type' => 'text'), + 'postaladdress' => array('desc' => _LDAPPOSTALADDRESS, 'type' => 'text'), + 'postalcode' => array('desc' => _LDAPPOSTALCODE, 'type' => 'text'), +*/ + ); + + global $ldapngGroupAttrDef; + $ldapngGroupAttrDef = array( + 'cn' => array('desc' => _LDAPCN, 'type' => 'text','rights' => 'rrr'), + 'name' => array('desc' => _LDAPNAME, 'type' => 'text','rights' => 'rrr'), + 'samaccountname' => array('desc' => _LDAPSAMACCOUNTNAME, 'type' => 'text','rights' => 'wrr'), + 'description' => array('desc' => _LDAPDESCRIPTION, 'type' => 'text'), + 'gidnumber' => array('desc' => _LDAPGIDNUMBER, 'type' => 'int','rights' => 'w--'), + 'member' => array('desc' => _LDAPMEMBER, 'type' => 'select'), + 'objectcategory' => array('desc' => _LDAPOBJECTCATEGORY, 'type' => 'text','rights' => 'rrr'), + + 'memberuid' => array('desc' => _LDAPMEMBERUID, 'type' => 'select'), + ); + +?> diff --git a/mayor-orig/www/include/backend/ldapng/password/changePassword.php b/mayor-orig/www/include/backend/ldapng/password/changePassword.php new file mode 100644 index 00000000..039dda5d --- /dev/null +++ b/mayor-orig/www/include/backend/ldapng/password/changePassword.php @@ -0,0 +1,160 @@ +<?php +/* + + Module: base/password + + function changeMyPassword($userAccount, $userPassword, $newPassword, $verification) + A függvény nem vizsgálja, hogy jogosultak vagyunk-e a jelszó megváltoztatására. + Ennek eldöntése a függvényt hívó program feladata +*/ + +############################################################################ +# Jelszó kódolása (az Active Directory ezt használja....) +############################################################################ + +function LDAPEncodePassword($password) { + + return mb_convert_encoding("\"".$password."\"", "UTF-16LE", "UTF-8"); + +} + +############################################################################ +# Saját jelszó megváltoztatása +############################################################################ + +/* ************************************************************************* + A leírások szerint a felhasználó maga is megváltoztathatja jelszavát. + Ennek módja az unicodePw attribútum törlése (a régi jelszó értéke szerint), + és felvétele új értékkel - mindenz elvileg egy lépésben. + + A PHP ldap_mod* függvények ezt az egy lépésben kétféle módosítást nem + támogatják. De a helyzet az, hogy a módosítás perl-ből és parancssorból + sem működik... +************************************************************************* */ + +function changeMyPassword($userAccount, $userPassword, $newPassword, $toPolicy = '') { + + global $AUTH; + + if ($toPolicy == '') $toPolicy = $_REQUEST['toPolicy']; + $userDn = LDAPuserAccountToDn($userAccount, $toPolicy); + $shadowLastChange = floor(time()/(60*60*24)); + + // Csatlakozzás az AD kiszolgálóhoz (SSL szükséges!) + $ds = ldap_connect($AUTH[$toPolicy]['ldapHostname']); + if (!$ds) { + // nem sikerült csatlakozni + $_SESSION['alert'][] = 'message:ldap_failure'; + return false; + } + + // Az eredeti jelszó ellenőrzése - csatlakozással + $b_ok = ldap_bind($ds,$userDn,$userPassword); + if (!$b_ok) { + // Talán a régi jelszót elgépelte, vagy le van tiltva... + $_SESSION['alert'][] = 'message:ldap_bind_failure:'.$userDn.':changeMyPassword - hibás a régi jelszó?'; + ldap_close($ds); + return false; + } + $salt = generateSalt(8); + $info['userPassword'][0] = "{smd5}".base64_encode(md5($newPassword.$salt, true).$salt); // Az LDAP ezt majd még egyszer base64 encod-olja... + // Ezekre nincs jogosultsága a felhasználónak, nem változnak: + // _SHADOWMIN, _SHADOWMAX, _SHADOWWARNING, _SHADOWINACTIVE + $info['shadowlastchange'][0] = $shadowLastChange; + if (isset($AUTH[$toPolicy]['shadowExpire']) and $AUTH[$toPolicy]['shadowExpire'] != '') { + $info['shadowexpire'][0] = $AUTH[$toPolicy]['shadowExpire']; + } elseif (isset($AUTH[$toPolicy]['shadowMax']) and $AUTH[$toPolicy]['shadowMax'] != '') { + $info['shadowexpire'][0] = $shadowLastChange + intval($AUTH[$toPolicy]['shadowMax']); + } + + $r = ldap_mod_replace($ds,$userDn,$info); + ldap_close($ds); + if ($r) { + $_SESSION['alert'][] = 'info:pw_change_success'; + return true; + } else { + $_SESSION['alert'][] = 'message:ldap_modify_failure'; + return false; + } +} + +############################################################################ +# Adminisztrátori jelszó változtatás +############################################################################ + +function generateSalt($len=8) { +// https://github.com/splitbrain/dokuwiki/blob/master/inc/PassHash.class.php +// Ez adja vissza a salt-ot (ha nincs benne sortörés...): +// echo e3NtZDV9U3lNbnNGQ05OUHV6L2J4dHovekpzVVpFUVZGQw== | base64 -d | sed s/{smd5}// | base64 -d | cut -f 15- + $salt = ''; + //$chars = 'abcdefghijklmnopqrstuvwxyzABCDEFGHIJKLMNOPQRSTUVWXYZ0123456789'; + //for($i=0;$i<$len;$i++) $salt .= $chars[mt_rand(0,61)]; + $chars = 'ABCDEFGHIJKLMNOPQRSTUVWXYZ'; + for($i=0;$i<$len;$i++) $salt .= $chars[mt_rand(0,25)]; + return $salt; +} + +function changePassword($userAccount, $newPassword, $toPolicy = '') { + + global $AUTH; + + if ($toPolicy == '') $toPolicy = _POLICY; + $userDn = LDAPuserAccountToDn($userAccount, $toPolicy); + $shadowLastChange = floor(time()/(60*60*24)); + + $ds = ldap_connect($AUTH[$toPolicy]['ldapHostname']); + if ($ds) { + $b_ok = ldap_bind($ds,_USERDN,_USERPASSWORD); + if ($b_ok) { + $salt = generateSalt(8); + $info['userPassword'][0] = "{smd5}".base64_encode(md5($newPassword.$salt, true).$salt); // Az LDAP ezt majd még egyszer base64 encod-olja... + // Ezekre nincs jogosultsága a felhasználónak, nem változnak: + // _SHADOWMIN, _SHADOWMAX, _SHADOWWARNING, _SHADOWINACTIVE + $info['shadowlastchange'][0] = $shadowLastChange; + if (isset($AUTH[$toPolicy]['shadowExpire']) and $AUTH[$toPolicy]['shadowExpire'] != '') { + $info['shadowexpire'][0] = $AUTH[$toPolicy]['shadowExpire']; + } elseif (isset($AUTH[$toPolicy]['shadowMax']) and $AUTH[$toPolicy]['shadowMax'] != '') { + $info['shadowexpire'][0] = $shadowLastChange + intval($AUTH[$toPolicy]['shadowMax']); + } + $r = @ldap_mod_replace($ds,$userDn,$info); + ldap_close($ds); + if ($r) { + $_SESSION['alert'][] = 'info:pw_change_success'; + return true; + } else { + $_SESSION['alert'][] = 'message:ldap_modify_failure'; + return false; + } + + /* *************** */ +/* $info['unicodePwd'][0] = LDAPEncodePassword($newPassword); + // Ezekre nincs jogosultsága a felhasználónak, nem változnak: + // _SHADOWMIN, _SHADOWMAX, _SHADOWWARNING, _SHADOWINACTIVE + $info['shadowLastChange'][0] = $shadowLastChange; + if (isset($AUTH[$toPolicy]['shadowExpire']) and $AUTH[$toPolicy]['shadowExpire'] != '') { + $info['shadowExpire'][0] = $AUTH[$toPolicy]['shadowExpire']; + } elseif (isset($AUTH[$toPolicy]['shadowMax']) and $AUTH[$toPolicy]['shadowMax'] != '') { + $info['shadowExpire'][0] = $shadowLastChange + intval($AUTH[$toPolicy]['shadowMax']); + } + $r = @ldap_mod_replace($ds,$userDn,$info); + ldap_close($ds); + if ($r) { + $_SESSION['alert'][] = 'info:pw_change_success'; + return true; + } else { + $_SESSION['alert'][] = 'message:ldap_modify_failure:changePassword'; + return false; + } +*/ + } else { + $_SESSION['alert'][] = 'message:ldap_bind_failure:'._USERDN.':changePassword'; + ldap_close($ds); + return false; + } + } else { + $_SESSION['alert'][] = 'message:ldap_failure'; + return false; + } +} + +?> diff --git a/mayor-orig/www/include/backend/ldapng/session/accountInfo.php b/mayor-orig/www/include/backend/ldapng/session/accountInfo.php new file mode 100644 index 00000000..03761dca --- /dev/null +++ b/mayor-orig/www/include/backend/ldapng/session/accountInfo.php @@ -0,0 +1,399 @@ +<?php +/* + Module: base/auth-ldapng + Backend: ldapng + + function getLDAPInfo($userDn, $attrList=array('cn'), $toPolicy = '') + function ldapGetAccountInfo($userAccount, $toPolicy = _POLICY) + function ldapGetUserInfo($userAccount, $toPolicy = _POLICY) + function ldapChangeAccountInfo($userAccount, $toPolicy = _POLICY) + function ldapGetGroupInfo($groupCn, $toPolicy = _POLICY) + +*/ + +###################################################### +# getLDAPInfo - általános LDAP lekérdezés +###################################################### + + + function getLDAPInfo($Dn, $attrList=array('cn'), $toPolicy = _POLICY) { + + global $AUTH; + + // Kapcsolódás az LDAP szerverhez + $ds = @ldap_connect($AUTH[$toPolicy]['ldapHostname']); + if (!$ds) { + $_SESSION['alert'][] = 'alert:ldap_connect_failure'; + return false; + } + + // Csatlakozás a szerverhez + $r = @ldap_bind($ds, _USERDN, _USERPASSWORD); + if (!$r) { + $_SESSION['alert'][] = 'message:ldap_bind_failure'; + ldap_close($ds); + return false; + } + + // Keresés + $filter = '(objectclass=*)'; + $sr = @ldap_search($ds, $Dn, $filter, $attrList); + if (!$sr) { + $_SESSION['alert'][] = "message:ldap_search_failure:".$Dn; + ldap_close($ds); + return false; + } + + $info = @ldap_get_entries($ds,$sr); + ldap_close($ds); + + return $info; + + } + +########################################################### +# ldapGetAccountInfo - felhasználói információk (backend) +########################################################### + + function ldapngGetAccountInfo($userAccount, $toPolicy = _POLICY) { + + global $backendAttrs, $backendAttrDef; + + if (!isset($backendAttrs)) list($backendAttrs, $backendAttrDef) = getBackendAttrs('Account', $toPolicy); + + $userDn = LDAPuserAccountToDn($userAccount, $toPolicy); + + $result = getLDAPInfo($userDn, $backendAttrs, $toPolicy); + if ($result === false) { + return false; + } else { + + // LDAP schema --> mayor schema konverzió + for ($i = 0; $i < $result['count']; $i++) { + // Egységes szerkezetre alakítjuk, azaz a dn is indexelt + foreach ($backendAttrDef as $attr => $def) { + // Egységes szerkezetre alakítjuk, azaz a dn is indexelt + if ($attr == 'dn') $return[$i]['dn'] = array('count' => 1, 0 => $result[$i]['dn']); + elseif (isset($result[$i][$attr])) $return[$i][$attr] = $result[$i][$attr]; + else $return[$i][$attr] = array('count' => 0); + } + } + return $return[0]; + + } + + } + +############################################################# +# ldapGetUserInfo - felhasználói információk (keretrendszer) +############################################################# + + function ldapngGetUserInfo($userAccount, $toPolicy = _POLICY) { + + global $accountAttrToLDAP, $ldapAttrDef; + $userDn = LDAPuserAccountToDn($userAccount, $toPolicy); + + $result = getLDAPInfo($userDn, array_values($accountAttrToLDAP), $toPolicy); + if ($result === false) { + return false; + } else { + + $result[0]['dn'] = array('count' => 1, 0 => $result[0]['dn']); + // Egységes szerkezetre alakítjuk, azaz a dn is indexelt + LDAP --> MaYoR schema + foreach ($accountAttrToLDAP as $attr => $ldapAttr) { + $ldapAttr = kisbetus($ldapAttr); + if (isset($result[0][$ldapAttr])) $return[$attr] = $result[0][$ldapAttr]; + else $return[$attr] = array('count' => 0); + } + return $return; + + } + + } + +############################################################### +# ldapChangeAccountInfo - felhasználói információk módosítása +############################################################### + + function ldapngChangeAccountInfo($userAccount, $toPolicy = _POLICY) { + + global $AUTH, $backendAttrs, $backendAttrDef; + $userDn = LDAPuserAccountToDn($userAccount, $toPolicy); + + // Kapcsolódás az LDAP szerverhez + $ds = @ldap_connect($AUTH[$toPolicy]['ldapHostname']); + if (!$ds) { + $_SESSION['alert'][] = 'alert:ldap_connect_failure'; + return false; + } + + // Csatlakozás a szerverhez + $r = @ldap_bind($ds, _USERDN, _USERPASSWORD); + if (!$r) { + $_SESSION['alert'][] = 'message:ldap_bind_failure'; + ldap_close($ds); + return false; + } + + $emptyAttrs = explode(':',$_POST['emptyAttrs']); + $_alert = array(); + + // Attribútumonként módosítunk + foreach ($backendAttrs as $attr) { + + if ($backendAttrDef[$attr]['rights'] == '') $rigths = _DEFAULT_LDAP_RIGHTS; + else $rights = $backendAttrDef[$attr]['rights']; + + if ($rights[_ACCESS_AS] == 'w') { + $mod_info = $add_info = $del_info = Array(); + $values = array(); + + if ($backendAttrDef[$attr]['type'] == 'image') { + $file = $_FILES[$attr]['tmp_name']; + if (file_exists($file)) { + $fd = fopen($file,'r'); + $values[0]=fread($fd,filesize($file)); + fclose($fd); + } else { + // Sose töröljük! + $emptyAttrs[] = $attr; + } + } elseif ($backendAttrDef[$attr]['type'] == 'timestamp') { + if ($_POST[$attr][0] != '' and $_POST[$attr][1] != '' and $_POST[$attr][2] != '') { + $values[0] = $_POST[$attr][0].$_POST[$attr][1].$_POST[$attr][2].'010101Z'; + } + } else { + if ($backendAttrDef[$attr]['type'] != '' ) $values[0] = $_POST[$attr]; + } + + if ($backendAttrDef[$attr]['type'] == 'select') { + if ($_POST['new-'.$attr][0] != '') $add_info[$attr] = $_POST['new-'.$attr]; + if ($_POST['del-'.$attr][0] != '') $del_info[$attr] = $_POST['del-'.$attr]; + } elseif (in_array($attr,$emptyAttrs)) { + if ($values[0] != '') $add_info[$attr] = $values; + } else { + if ($values[0] != '') { + $mod_info[$attr] = $values; + } else { + $del_info[$attr] = Array(); + } + } + + if (count($add_info)!=0) { + if (!@ldap_mod_add($ds,$userDn,$add_info)) { + $_alert[] = 'message:insufficient_access:add:'.$attr; + } + } + if (count($mod_info)!=0) { + if (!@$r = ldap_mod_replace($ds,$userDn,$mod_info)) { + $_alert[] = 'message:insufficient_access:mod:'.$attr; + } + } + if (count($del_info)!=0) { + if (!@ldap_mod_del($ds,$userDn,$del_info)) { + $_alert[] = 'message:insufficient_access:del:'.$attr; + } + } + + } else { +// $_alert[] = 'message:insufficient_access:'.$attr; + } + } // foreach + + ldap_close($ds); + if (count($_alert) == 0) $_SESSION['alert'][] = 'info:change_success'; + else for ($i = 0;$i < count($_alert);$i++) $_SESSION['alert'][] = $_alert[$i]; + + } + +########################################################### +# ldapGetGroupInfo - csoport információk (backend) +########################################################### + + function ldapngGetGroupInfo($groupCn, $toPolicy = _POLICY) { + + global $backendAttrs, $backendAttrDef; + + + if (!isset($backendAttrs)) list($backendAttrs, $backendAttrDef) = getBackendAttrs('Group', $toPolicy); + + $groupDn = LDAPgroupCnToDn($groupCn, $toPolicy); + + $result = getLDAPInfo($groupDn, $backendAttrs, $toPolicy); + if ($result === false) { + return false; + } else { + + // Accountok lekérdezése + $info = getLDAPaccounts($toPolicy); + for ($i = 0; $i < $info['count']; $i++) { + $accountUid[] = array( + 'value' => $info[$i]['uid'][0], + 'txt' => $info[$i]['displayname'][0] + ); + $accountDn[] = array( + 'value' => $info[$i]['dn'], + 'txt' => $info[$i]['displayname'][0] + ); + } + + // LDAP schema --> mayor schema konverzió + for ($i = 0; $i < $result['count']; $i++) { + // Egységes szerkezetre alakítjuk, azaz a dn is indexelt + foreach ($backendAttrDef as $attr => $def) { + // Egységes szerkezetre alakítjuk, azaz a dn is indexelt + if ($attr == 'dn') $return[$i]['dn'] = array('count' => 1, 0 => $result[$i]['dn']); + elseif (isset($result[$i][$attr])) $return[$i][$attr] = $result[$i][$attr]; + else $return[$i][$attr] = array('count' => 0); + } + $return[$i]['member']['new'] = $accountDn; + $return[$i]['memberuid']['new'] = $accountUid; + } + + return $return[0]; + + } + + } + +############################################################### +# ldapChangeGroupInfo - csoport információk módosítása +############################################################### + + function ldapngChangeGroupInfo($groupCn, $toPolicy = _POLICY) { + +// !!!! A memberuid / member szinkronjára nem figyel!! + + global $AUTH, $backendAttrs, $backendAttrDef; + $groupDn = LDAPgroupCnToDn($groupCn, $toPolicy); + + // Kapcsolódás az LDAP szerverhez + $ds = @ldap_connect($AUTH[$toPolicy]['ldapHostname']); + if (!$ds) { + $_SESSION['alert'][] = 'alert:ldap_connect_failure'; + return false; + } + + // Csatlakozás a szerverhez + $r = @ldap_bind($ds, _USERDN, _USERPASSWORD); + + if (!$r) { + $_SESSION['alert'][] = 'message:ldap_bind_failure'; + ldap_close($ds); + return false; + } + + $emptyAttrs = explode(':',$_POST['emptyAttrs']); + $_alert = array(); + + // Attribútumonként módosítunk + foreach ($backendAttrs as $attr) { + + if ($backendAttrDef[$attr]['rights'] == '') $rigths = _DEFAULT_LDAP_RIGHTS; + else $rights = $backendAttrDef[$attr]['rights']; + + if ($rights[_ACCESS_AS] == 'w') { + + $mod_info = $add_info = $del_info = Array(); + $values = array(); + + if ($backendAttrDef[$attr]['type'] == 'image') { + $file = $_FILES[$attr]['tmp_name']; + if (file_exists($file)) { + $fd = fopen($file,'r'); + $values[0]=fread($fd,filesize($file)); + fclose($fd); + } else { + // Sose töröljük! + $emptyAttrs[] = $attr; + } + } elseif ($backendAttrDef[$attr]['type'] == 'timestamp') { + if ($_POST[$attr][0] != '' and $_POST[$attr][1] != '' and $_POST[$attr][2] != '') { + $values[0] = $_POST[$attr][0].$_POST[$attr][1].$_POST[$attr][2].'010101Z'; + } + } else { + if ($backendAttrDef[$attr]['type'] != '') + if (isset($_POST[$attr])) $values[0] = $_POST[$attr]; + else $values[0] = ''; + } + + if ($backendAttrDef[$attr]['type'] == 'select') { + if (isset($_POST['new-'.$attr][0]) && $_POST['new-'.$attr][0] != '') $add_info[$attr] = $_POST['new-'.$attr]; + if (isset($_POST['del-'.$attr][0]) && $_POST['del-'.$attr][0] != '') $del_info[$attr] = $_POST['del-'.$attr]; + } elseif (in_array($attr,$emptyAttrs)) { + if ($values[0] != '') $add_info[$attr] = $values; + } else { + if ($values[0] != '') { + $mod_info[$attr] = $values; + } else { + $del_info[$attr] = Array(); + } + + } + + if (count($add_info)!=0) { + if (!@ldap_mod_add($ds,$groupDn,$add_info)) { + $_alert[] = 'message:insufficient_access:add:'.$attr; + } + } + if (count($mod_info)!=0) { + if (!@ldap_mod_replace($ds,$groupDn,$mod_info)) { + $_alert[] = 'message:insufficient_access:mod:'.$attr; + } + } + if (count($del_info)!=0) { + if (!@ldap_mod_del($ds,$groupDn,$del_info)) { + $_alert[] = 'message:insufficient_access:del:'.$attr; + } + } + + } else { +// $_alert[] = 'message:insufficient_access:'.$attr; + } + } // foreach + + ldap_close($ds); + if (count($_alert) == 0) $_SESSION['alert'][] = 'info:change_success'; + else for ($i=0;$i<count($_alert);$i++) $_SESSION['alert'][] = $_alert[$i]; + + } + + function getLDAPaccounts($toPolicy = _POLICY) { + + global $AUTH; + + // Kapcsolódás az LDAP szerverhez + $ds = @ldap_connect($AUTH[$toPolicy]['ldapHostname']); + if (!$ds) { + $_SESSION['alert'][] = 'alert:ldap_connect_failure'; + return false; + } + + // Csatlakozás a szerverhez + $r = @ldap_bind($ds, _USERDN, _USERPASSWORD); + if (!$r) { + $_SESSION['alert'][] = 'message:ldap_bind_failure'; + ldap_close($ds); + return false; + } + + // Keresés + $attrList = array('cn','uid','displayName','samaccountname'); + $filter = '(&(objectclass=person)(!(objectclass=computer)))'; + $sr = @ldap_search($ds, $AUTH[$toPolicy]['ldapBaseDn'], $filter, $attrList); + if (!$sr) { + $_SESSION['alert'][] = "message:ldap_search_failure:".$userDn; + ldap_close($ds); + return false; + } + + ldap_sort($ds, $sr, 'displayname'); + $info = @ldap_get_entries($ds,$sr); + ldap_close($ds); + + return $info; + + } + + +?> diff --git a/mayor-orig/www/include/backend/ldapng/session/base.php b/mayor-orig/www/include/backend/ldapng/session/base.php new file mode 100644 index 00000000..a4eff43d --- /dev/null +++ b/mayor-orig/www/include/backend/ldapng/session/base.php @@ -0,0 +1,190 @@ +<?php +/* + Module: base/session + Backend: ldapng + + function LDAPuserAccountToDn($userAccount = _USERACCOUNT, $toPolicy = _POLICY) + function ldapMemberOf($userAccount, $group, $toPolicy = _POLICY) + +*/ + + require('include/backend/ldapng/base/attrs.php'); + + ldap_set_option(NULL, LDAP_OPT_PROTOCOL_VERSION, 3); + ldap_set_option(NULL, LDAP_OPT_REFERRALS, 0); + + if ($AUTH[_POLICY]['backend'] == 'ldapng') { + /* why not put into session cache */ + if ($AUTH[_POLICY]['cacheable']=='yes') { + $userDn = _queryCache('RDN',_POLICY,'value'); + } + if (!isset($userDn)) $userDn = LDAPuserAccountToDn(); + define('_USERDN', $userDn); + if ($AUTH[_POLICY]['cacheable']=='yes') _registerToCache('RDN',$userDn,_POLICY); + unset($userDn); + } + +###################################################### +# A _USERACCOUNT(uid)-hoz tartozó dn lekérdezése +###################################################### + + function LDAPuserAccountToDn($userAccount = _USERACCOUNT, $toPolicy = _POLICY) { + + global $AUTH; + + // Kapcsolódás a szerverhez + $ds = @ldap_connect($AUTH[$toPolicy]['ldapHostname']); + if (!$ds) { + $_SESSION['alert'][] = 'alert:ldap_connect_failure'; + return false; + } + + // Csatlakozás a szerverhez + $r = @ldap_bind($ds,$AUTH[$toPolicy]['ldapUser'],$AUTH[$toPolicy]['ldapPw']); + if (!$r) { + $_SESSION['alert'][] = 'message:ldap_bind_failure'; + return false; + } + + // Van-e adott azonosítójú felhasználó? + $filter="(&(".$AUTH[$toPolicy]['ldapUserAccountAttr']."=$userAccount)(objectClass=".$AUTH[$toPolicy]['ldapUserObjectClass']."))"; + $justthese=array($AUTH[$toPolicy]['ldapCnAttr']); + $sr = ldap_search($ds, $AUTH[$toPolicy]['ldapBaseDn'], $filter, $justthese); + if (!$sr) { + $_SESSION['alert'][] = "message:ldap_search_failure"; + ldap_close($ds); + return false; + } + $info=ldap_get_entries($ds,$sr); + ldap_close($ds); + + if ( $info['count'] === 0 ) { + // Nincs ilyen userAccount (uid) + $_SESSION['alert'][] = "message:no_account:$userAccount"; + return false; + } elseif ( $info['count'] > 1 ) { + // Több ilyen uid is van + $_SESSION['alert'][] = "message:multi_uid:$userAccount"; + return false; + } + + if ($info['count']==1) { // Van - egy - ilyen felhasználó + return $info[0]['dn']; + } + + } + + +###################################################### +# A groupCn(cn)-hez tartozó dn lekérdezése +###################################################### + + function LDAPgroupCnToDn($groupCn, $toPolicy = _POLICY) { + + global $AUTH; + + // Nézzük, hogy van-e át"map"-elt csoport! + if (isset($AUTH[$toPolicy]['categoryMap'][ekezettelen($groupCn)])) { + return $AUTH[$toPolicy]['categoryMap'][ekezettelen($groupCn)]; + } + + // Kapcsolódás a szerverhez + $ds = @ldap_connect($AUTH[$toPolicy]['ldapHostname']); + if (!$ds) { + $_SESSION['alert'][] = 'alert:ldap_connect_failure'; + return false; + } + + // Csatlakozás a szerverhez + $r = @ldap_bind($ds,$AUTH[$toPolicy]['ldapUser'],$AUTH[$toPolicy]['ldapPw']); + if (!$r) { + $_SESSION['alert'][] = 'message:ldap_bind_failure'; + return false; + } + + // Van-e ilyen csoport? + $filter="(&(".$AUTH[$toPolicy]['ldapGroupCnAttr']."=$groupCn)(objectClass=".$AUTH[$toPolicy]['ldapGroupObjectClass']."))"; + $justthese=array($AUTH[$toPolicy]['ldapGroupCnAttr']); + $sr = ldap_search($ds, $AUTH[$toPolicy]['ldapBaseDn'], $filter, $justthese); + if (!$sr) { + $_SESSION['alert'][] = "message:ldap_search_failure"; + ldap_close($ds); + return false; + } + $info=ldap_get_entries($ds,$sr); + ldap_close($ds); + + if ( $info['count'] === 0 ) { + // Nincs ilyen groupCn (cn) - hibaüzenet csak akkor, ha nem kategóriáról van szó... + if (!in_array($groupCn, array_map('ekezettelen', $AUTH[$toPolicy]['categories']))) $_SESSION['alert'][] = "message:no_group:$groupCn"; + return false; + } elseif ( $info['count'] > 1 ) { + // Több ilyen cn is van + $_SESSION['alert'][] = "message:multi_gid:$groupCn"; + return false; + } + + if ($info['count']==1) { // Van - egy - ilyen csoport + return $info[0]['dn']; + } + + } + +###################################################### +# memberOf - csoport tag-e +###################################################### + + function ldapngMemberOf($userAccount, $group, $toPolicy = _POLICY) { + + global $AUTH; + + $userDn = LDAPuserAccountToDn($userAccount, $toPolicy); + /* Kis hack: csoport-tagság helyett vizsgáljuk előbb a megfelelő szervezeti egységet... de ezt nem biztos, hogy érdemes... */ + if (in_array($group, $AUTH[$toPolicy]['categories'])) { + if (strpos($userDn, ',ou='.ekezettelen($group).',') !== false) return true; + } + + if (substr($group,0,3) != 'cn=') { + $groupDn = LDAPgroupCnToDn(ekezettelen($group)); + if (!$groupDn) return false; // Ha nincs ilyen csoport az LDAP fában + } else { + $groupDn = $group; + } + + // Kapcsolódás az LDAP szerverhez + $ds = @ldap_connect($AUTH[$toPolicy]['ldapHostname']); + if (!$ds) { + $_SESSION['alert'][] = 'alert:ldap_connect_failure'; + return false; + } + + // Csatlakozás a szerverhez + $r = @ldap_bind($ds,$AUTH[$toPolicy]['ldapUser'],$AUTH[$toPolicy]['ldapPw']); + if (!$r) { + $_SESSION['alert'][] = 'message:ldap_bind_failure'; + ldap_close($ds); + return false; + } + + $justthese = array('cn'); // valamit le kell kérdezni... + // OpenLDAP a tagok azonosítóját tárolja el (memberUid), más rendszerek a dn-t (member) + $filter = "(&(objectClass=".$AUTH[$toPolicy]['ldapGroupObjectClass'].")(|(member=$userDn)(memberUid=$userAccount)))"; + $sr = @ldap_search($ds, $groupDn, $filter, $justthese); + if (!$sr) { + $_SESSION['alert'][] = "message:ldap_search_failure:group=$group; filter=".$filter; + ldap_close($ds); + return false; + } + + $info = ldap_get_entries($ds, $sr); + ldap_close($ds); + + if ($info['count'] > 0) { + return true; + } else { + return false; + } + + } + +?> diff --git a/mayor-orig/www/include/backend/ldapng/session/createAccount.php b/mayor-orig/www/include/backend/ldapng/session/createAccount.php new file mode 100644 index 00000000..96a5b557 --- /dev/null +++ b/mayor-orig/www/include/backend/ldapng/session/createAccount.php @@ -0,0 +1,157 @@ +<?php +/* + Modules: base/session +*/ + + require_once('include/backend/ldapng/password/changePassword.php'); + + /* + $SET = array( + container => a konténer elem - ha nincs, akkor CN=Users alá rakja + category => tanár, diák... egy kiemelt fontosságú csoport tagság + groups => egyéb csoportok + policyAttrs => policy függő attribútumok + ) + */ + function ldapngCreateAccount( + $userCn, $userAccount, $userPassword, $toPolicy, $SET + ) { + + global $AUTH; + + $shadowLastChange = floor(time() / (60*60*24)); + + // $toPolicy --> ldap backend - ellenőrzés! + if ($AUTH[$toPolicy]['backend'] != 'ldapng') { + $_SESSION['alert'][] = 'page:wrong_backend:'.$AUTH[$toPolicy]['backend']; + return false; + } + + // Kapcsolódás az LDAP szerverhez + $ds = @ldap_connect($AUTH[$toPolicy]['ldapHostname']); + if (!$ds) { + $_SESSION['alert'][] = 'alert:ldap_connect_failure'; + return false; + } + + // Csatlakozás a szerverhez + $r = @ldap_bind($ds, _USERDN, _USERPASSWORD); + if (!$r) { + $_SESSION['alert'][] = 'message:ldap_bind_failure'; + ldap_close($ds); + return false; + } + + $info = $ginfo = Array(); + + // uid ütközés ellenőrzése + $filter = "(sAMAccountName=$userAccount)"; + $justthese = array('sAMAccountName'); + $sr = ldap_search($ds, $AUTH[$toPolicy]['ldapBaseDn'], $filter, $justthese); + $uinfo = ldap_get_entries($ds, $sr); + $uidCount = $uinfo['count']; + ldap_free_result($sr); + if ($uidCount > 0) { + $_SESSION['alert'][] = 'message:multi_uid:'.$userAccount; + return false; + } + + // Az következő uidNumber megállapítása + $filter = "(&(objectclass=".$AUTH[$toPolicy]['ldapUserObjectClass'].")(uidNumber=*))"; + $justthese = array('uidNumber', 'msSFU30UidNumber'); + $sr = ldap_search($ds,$AUTH[$toPolicy]['ldapBaseDn'], $filter, $justthese); + ldap_sort($ds, $sr, 'uidNumber'); + $uinfo = ldap_get_entries($ds, $sr); + ldap_free_result($sr); + if (isset($uinfo['count']) && $uinfo['count'] > 0) $info['uidNumber'] = array($uinfo[ $uinfo['count']-1 ]['uidnumber'][0]+1); + else $info['uidNumber'] = array(1001); + + // shadow attributumok... + // A shadowLastChange a mai nap // if (isset($AUTH[$toPolicy]['shadowlastchange']) && $AUTH[$toPolicy]['shadowlastchange'] != '') + $info['shadowLastChange'] = array($shadowLastChange); + if (isset($AUTH[$toPolicy]['shadowMin']) && $AUTH[$toPolicy]['shadowMin'] != '') $info['shadowMin'] = array($AUTH[$toPolicy]['shadowMin']); + if (isset($AUTH[$toPolicy]['shadowMax']) && $AUTH[$toPolicy]['shadowMax'] != '') $info['shadowMax'] = array($AUTH[$toPolicy]['shadowMax']); + if (isset($AUTH[$toPolicy]['shadowWarning']) && $AUTH[$toPolicy]['shadowWarning'] != '') $info['shadowWarning'] = array($AUTH[$toPolicy]['shadowWarning']); + if (isset($AUTH[$toPolicy]['shadowInactive']) && $AUTH[$toPolicy]['shadowInactive'] != '') $info['shadowInactive'] = array($AUTH[$toPolicy]['shadowInactive']); + if (isset($AUTH[$toPolicy]['shadowExpire']) && $AUTH[$toPolicy]['shadowWxpire'] != '') $info['shadowExpire'] = array($AUTH[$toPolicy]['shadowExpire']); + + // A szokásos attribútumok + $Name = explode(' ',$userCn); + $Dn = ldap_explode_dn($AUTH[$toPolicy]['ldapBaseDn'], 1); unset($Dn['count']); + $info['userPrincipalName'] = array( $userAccount.'@'.implode('.', $Dn)); + $info['msSFU30Name'] = $info['sAMAccountName'] = $info['cn'] = array($userAccount); + $info['displayName'] = array($userCn); + $info['sn'] = array($Name[0]); + $info['givenName'] = array($Name[ count($Name)-1 ]); + $info['unixUserPassword'] = array('ABCD!efgh12345$67890'); + $info['unixHomeDirectory'] = array(ekezettelen("/home/$userAccount")); + $info['loginShell'] = array('/bin/bash'); + $info['objectClass'] = array($AUTH[$toPolicy]['ldapUserObjectClass'], 'user'); + + $policyAccountAttrs = $SET['policyAttrs']; + if (isset($policyAccountAttrs['studyId'])) $info[ $AUTH[$toPolicy]['ldapStudyIdAttr'] ] = array($policyAccountAttrs['studyId']); + foreach ($policyAccountAttrs as $attr => $value) + if ($attr != 'studyId' && isset($accountAttrToLDAP[$attr])) + $info[ $accountAttrToLDAP[$attr] ] = array($value); + + if (isset($SET['container'])) $dn = "CN=$userAccount,".$SET['container']; + else $dn = "CN=$userAccount,CN=Users,".$AUTH[$toPolicy]['ldapBaseDn']; + + // user felvétel + $_r1 = @ldap_add($ds,$dn,$info); + if (!$_r1) { + $_SESSION['alert'][] = 'message:ldap_error:Add user:'.ldap_error($ds); + //echo $dn.'<pre>'; var_dump($info); echo '</pre>'; + return false; + } + + // Jelszó beállítás + if (!changePassword($userAccount, $userPassword, $toPolicy)) $_SESSION['alert'][] = 'message:ldap_error:changePassword failed:'.$userAccount; + + // Engedélyezés + $einfo = array('userAccountControl' => array(512)); /* Normal account = 512 */ + $_r1 = @ldap_mod_replace($ds,$dn,$einfo); + if (!$_r1) { + $_SESSION['alert'][] = 'message:ldap_error:Enable user:'.ldap_error($ds); + //echo $dn.'<pre>'; var_dump($info); echo '</pre>'; + return false; + } + + // Kategória csoportba és egyéb csoportokba rakás + if (isset($SET['category'])) { + if (is_array($SET['groups'])) array_unshift($SET['groups'], $SET['category']); + else $SET['groups'] = array($SET['category']); + + $ginfo['member'] = $dn; + + for ($i = 0; $i < count($SET['groups']); $i++) { + $groupDn = LDAPgroupCnToDn($SET['groups'][$i], $toPolicy); + if ($groupDn !== false) { + $_r3 = @ldap_mod_add($ds, $groupDn, $ginfo); + if (!$_r3) { + $_SESSION['alert'][] = 'message:ldap_error:Add to group '.$SET['groups'][$i].':'.ldap_error($ds); + //echo $SET['groups'][$i].'<pre>'; var_dump($ginfo); echo '</pre>'; + } + } + } + } + + ldap_close($ds); + + if (defined('_DATADIR') + && isset($AUTH[$toPolicy]['createAccountScript']) + && file_exists(_DATADIR) + ) { + $sfp = fopen(_DATADIR.'/'.$AUTH[$toPolicy]['createAccountScript'],'a+'); + if ($sfp) { + fwrite($sfp,"\n# $userAccount létrehozása: userAccount uidNumber homeDirectory\n"); + fwrite($sfp,"createAccount.sh '$userAccount' '".$info['uidNumber'][0]."' '".$info['unixHomeDirectory'][0]."'\n"); + fclose($sfp); + } + } + $_SESSION['alert'][] = 'info:create_uid_success:'.$dn; + return true; + + } + +?> diff --git a/mayor-orig/www/include/backend/ldapng/session/createGroup.php b/mayor-orig/www/include/backend/ldapng/session/createGroup.php new file mode 100644 index 00000000..78def54d --- /dev/null +++ b/mayor-orig/www/include/backend/ldapng/session/createGroup.php @@ -0,0 +1,82 @@ +<?php +/* + Modules: base/session +*/ + + + function ldapngCreateGroup($groupCn, $groupDesc, $toPolicy = _POLICY, $SET = array()) { + + global $AUTH; + $category = ekezettelen($SET['category']); + + // $toPolicy --> ldap backend - ellenőrzés! + if ($AUTH[$toPolicy]['backend'] != 'ldapng') { + $_SESSION['alert'][] = 'page:wrong_backend:'.$AUTH[$toPolicy]['backend']; + return false; + } + + // Kapcsolódás az LDAP szerverhez + $ds = @ldap_connect($AUTH[$toPolicy]['ldapHostname']); + if (!$ds) { + $_SESSION['alert'][] = 'alert:ldap_connect_failure'; + return false; + } + + // Csatlakozás a szerverhez + $r = @ldap_bind($ds, _USERDN, _USERPASSWORD); + if (!$r) { + $_SESSION['alert'][] = 'message:ldap_bind_failure'; + ldap_close($ds); + return false; + } + + $info = $ginfo = Array(); + + // cn ütközés ellenőrzése + $filter = "(&(objectclass=".$AUTH[$toPolicy]['ldapGroupObjectClass'].")(cn=$groupCn))"; + $justthese = array('cn'); + $sr = ldap_search($ds, $AUTH[$toPolicy]['ldapBaseDn'], $filter, $justthese); + $ginfo = ldap_get_entries($ds, $sr); + $gCount = $ginfo['count']; + ldap_free_result($sr); + if ($gCount > 0) { + $_SESSION['alert'][] = 'message:multi_uid:'.$groupCn; + return false; + } + + // Az következő gidNumber megállapítása + $filter = "(&(objectclass=".$AUTH[$toPolicy]['ldapGroupObjectClass'].")(gidNumber=*))"; + $justthese = array('gidNumber', 'msSFU30GidNumber'); + $sr = ldap_search($ds,$AUTH[$toPolicy]['ldapBaseDn'], $filter, $justthese); + ldap_sort($ds, $sr, 'gidNumber'); + $ginfo = ldap_get_entries($ds, $sr); + ldap_free_result($sr); + if (isset($ginfo['count']) && $ginfo['count'] > 0) $info['gidNumber'] = array($ginfo[ $ginfo['count']-1 ]['gidnumber'][0]+1); + else $info['gidNumber'] = array(1001); + + // A szokásos attribútumok + $info['sAMAccountName'] = $info['cn'] = array($groupCn); + $info['description'] = array($groupDesc); + + // A kategória függő attribútumok + if (isset($SET['container'])) $dn = "CN=$groupCn,".$SET['container']; + else $dn = "CN=$groupCn,OU=$category,".$AUTH[$toPolicy]['ldapBaseDn']; + + // objectum osztályok + $info['objectClass'] = array($AUTH[$toPolicy]['ldapGroupObjectClass']); + + // csoport felvétel + $_r1 = ldap_add($ds,$dn,$info); + if (!$_r1) { + printf("LDAP-Error: %s<br>\n", ldap_error($ds)); + var_dump($info); + } + + ldap_close($ds); + + $_SESSION['alert'][] = 'info:create_group_success:'.$dn; + return true; + + } + +?> diff --git a/mayor-orig/www/include/backend/ldapng/session/search/searchAccount.php b/mayor-orig/www/include/backend/ldapng/session/search/searchAccount.php new file mode 100644 index 00000000..74d285e6 --- /dev/null +++ b/mayor-orig/www/include/backend/ldapng/session/search/searchAccount.php @@ -0,0 +1,271 @@ +<?php +/* + Module: base/session + Backend: ldapng + + ! -- Csak publikus mezőkre lehet keresni! -- ! + function LDAPSearch($attr, $pattern, $searchAttrs=array('cn'), $filter='(objectclass=*)') + function ldapSearchAccount($attr, $pattern, $searchAttrs = array('userCn')) + function ldapSearchGroup($attr, $pattern, $searchAttrs = array('groupCn, groupDesc'), $toPolicy = '') { + +*/ + +###################################################### +# Általános LDAP kereső függvény +###################################################### + + function LDAPSearch($attr, $pattern, $searchAttrs=array('cn'), $filter='(objectclass=*)', $toPolicy = _POLICY) { + + global $AUTH; + + if ($pattern == '') { + $_SESSION['alert'][] = 'message:empty_field'; + return false; + } + + // Kapcsolódás az LDAP szerverhez + $ds = @ldap_connect($AUTH[$toPolicy]['ldapHostname']); + if (!$ds) { + $_SESSION['alert'][] = 'alert:ldap_connect_failure'; + return false; + } + + // Csatlakozás a szerverhez + $r = @ldap_bind($ds, _USERDN, _USERPASSWORD); + if (!$r) { + $_SESSION['alert'][] = 'message:ldap_bind_failure:LDAPSearch'; + ldap_close($ds); + return false; + } + + // Keresés + $filter = "(&$filter($attr=*$pattern*))"; + $sr = @ldap_search($ds, $AUTH[$toPolicy]['ldapBaseDn'], $filter, $searchAttrs); + if (!$sr) { + $_SESSION['alert'][] = "message:ldap_search_failure:".$filter; + ldap_close($ds); + return false; + } + + $info = @ldap_get_entries($ds,$sr); + + ldap_close($ds); + + return $info; + + } + +###################################################### +# ldapSearchAccount - felhasználó kereső függvény +###################################################### + + function ldapngSearchAccount($attr, $pattern, $searchAttrs = array('userCn'), $toPolicy = _POLICY) { + + global $accountAttrToLDAP, $AUTH; + + // A keresendő attribútum konvertálása LDAP attribútummá + if ($accountAttrToLDAP[ $attr ] != '') $attrLDAP = $accountAttrToLDAP[ $attr ]; + else $attrLDAP = $attr; + if ($attrLDAP == 'dn') $attrLDAP = 'uid'; // dn-re nem megy a keresés!! + + // A lekérendő attribútumok konvertálása LDAP attribútummá + for ($i = 0; $i < count($searchAttrs); $i++) { + if ($accountAttrToLDAP[ $searchAttrs[$i] ] != '') $searchAttrsLDAP[$i] = $accountAttrToLDAP[ $searchAttrs[$i] ]; + else $searchAttrsLDAP[$i] = $searchAttrs[$i]; + } + $result = LDAPSearch($attrLDAP, $pattern, $searchAttrsLDAP, '(objectclass='.$AUTH[$toPolicy]['ldapUserObjectClass'].')', $toPolicy); + if ($result === false) { + return false; + } else { + + // LDAP schema --> mayor schema konverzió + for ($i = 0; $i < $result['count']; $i++) { + // Egységes szerkezetre alakítjuk, azaz a dn is indexelt + $result[$i]['dn'] = $return[$i]['userAccount'] = array('count' => 1, 0 => $result[$i]['dn']); + for ($j = 0; $j < count($searchAttrs); $j++) { + $a = $searchAttrs[$j]; + if (isset($result[$i][ kisbetus($accountAttrToLDAP[$a]) ])) { + if ($accountAttrToLDAP[$a] != '') $return[$i][$a] = $result[$i][ kisbetus($accountAttrToLDAP[$a]) ]; + else $return[$i][$a] = $result[$i][$a]; + } else { + $return[$i][$a] = array('count' => 0) ; + } + } + $return[$i]['category'] = getAccountCategories($return[$i]['userAccount'][0], $toPolicy); + $return[$i]['category']['count'] = count($return[$i]['category']); + } + $return['count'] = $result['count']; + + return $return; + + } + + } + +###################################################### +# ldapSearchGroup - csoport kereső függvény +###################################################### + + function ldapngSearchGroup($attr, $pattern, $searchAttrs = array('groupCn, groupDesc'), $toPolicy = _POLICY) { + + global $groupAttrToLDAP, $AUTH; + + // A keresendő attribútum konvertálása LDAP attribútummá + if ($groupAttrToLDAP[ $attr ] != '') $attrLDAP = $groupAttrToLDAP[ $attr ]; + else $attrLDAP = $attr; + if ($attrLDAP == 'dn') $attrLDAP = 'cn'; // dn-re nem megy a keresés!! + + // A lekérendő adtibútumok konvertálása LDAP attribútummá + for ($i = 0; $i < count($searchAttrs); $i++) { + if ($groupAttrToLDAP[ $searchAttrs[$i] ] != '') $searchAttrsLDAP[$i] = $groupAttrToLDAP[ $searchAttrs[$i] ]; + else $searchAttrsLDAP[$i] = $searchAttrs[$i]; + } + + $result = LDAPSearch($attrLDAP, $pattern, $searchAttrsLDAP, '(objectclass='.$AUTH[$toPolicy]['ldapGroupObjectClass'].')', $toPolicy); + if ($result === false) { + return false; + } else { + + // LDAP schema --> mayor schema konverzió + for ($i = 0; $i < $result['count']; $i++) { + // Egységes szerkezetre alakítjuk, azaz a dn is indexelt + $result[$i]['dn'] = $return[$i]['groupCn'] = array('count' => 1, 0 => $result[$i]['dn']); + for ($j = 0; $j < count($searchAttrs); $j++) { + $a = $searchAttrs[$j]; + if (!isset($groupAttrToLDAP[$a]) || $groupAttrToLDAP[$a] != '') { + if (isset($result[$i][ $groupAttrToLDAP[$a] ])) $return[$i][$a] = $result[$i][ $groupAttrToLDAP[$a] ]; + else $return[$i][$a] = ''; + } else { + $return[$i][$a] = $result[$i][$a]; + } + } + } + $return['count'] = $result['count']; + + return $return; + + } + + } + +###################################################### +# ldapDeleteAccount - account törlése +###################################################### + + function ldapngDeleteAccount($userAccount, $toPolicy = _POLICY) { + + global $AUTH; + + // $toPolicy --> ldapng backend - ellenőrzés + if ($AUTH[$toPolicy]['backend'] != 'ldapng') { + $_SESSION['alert'][] = 'page:wrong_backend:ldapng!='.$AUTH[$toPolicy]['backend']; + return false; + } + + $userDn = LDAPuserAccountToDn($userAccount, $toPolicy); + if ($userDn === false) return false; + + // Kapcsolódás az LDAP szerverhez + $ds = @ldap_connect($AUTH[$toPolicy]['ldapHostname']); + if (!$ds) { + $_SESSION['alert'][] = 'alert:ldap_connect_failure'; + return false; + } + + // Csatlakozás a szerverhez + $r = @ldap_bind($ds, _USERDN, _USERPASSWORD); + if (!$r) { + $_SESSION['alert'][] = 'message:ldap_bind_failure'; + ldap_close($ds); + return false; + } + + // Az uidNumber, a unixHomeDirectory lekerdezése + $filter = "(&(objectclass=".$AUTH[$toPolicy]['ldapUserObjectClass'].")(!(objectclass=computer)))"; + $justthese = array('uidNumber','unixHomedirectory'); + $sr = @ldap_search($ds,$userDn,$filter,$justthese); + if (!$sr) { + $_SESSION['alert'][] = "message:ldap_search_failure:".$userDn; + ldap_close($ds); + return false; + } ; + + $info = @ldap_get_entries($ds,$sr); + $uidNumber = $info[0]['uidnumber'][0]; + $homeDirectory = $info[0]['unixhomedirectory'][0]; + $uid=$userAccount; + + // user törlése + if (!@ldap_delete($ds,$userDn)) { + $_SESSION['alert'][] = 'message:ldap_delete_failure:user:'.$userAccount; + } + + ldap_close($ds); + + /* + Ha van megadva deleteAccountScript paraméter, akkor abba bejegyzi a törölt felhasználó adatait. + A meghívott deleteAccount.sh nincs definiálva, testreszabható, megkötés egyedül a paraméter + lista: userAccount, uidNumber, homeDirectory + */ + if (defined('_DATADIR') + && isset($AUTH[$toPolicy]['deleteAccountScript']) + && file_exists(_DATADIR) + ) { + $sfp = fopen(_DATADIR.'/'.$AUTH[$toPolicy]['deleteAccountScript'],'a+'); + if ($sfp) { + fwrite($sfp,"\n# $userAccount törlése: userAccount uidNumber homeDirectory\n"); + fwrite($sfp,"deleteAccount.sh '$userAccount' '$uidNumber' '$homeDirectory'\n"); + fclose($sfp); + } + } + + $_SESSION['alert'][] = 'info:delete_uid_success:'.$userDn; + return true; + + } + +###################################################### +# ldapDeleteGroup - account törlése +###################################################### + + function ldapngDeleteGroup($groupCn, $toPolicy = _POLICY) { + + global $AUTH; + + // $toPolicy --> ldapng backend - ellenőrzés + if ($AUTH[$toPolicy]['backend'] != 'ldapng') { + $_SESSION['alert'][] = 'page:wrong_backend:ldapng!='.$AUTH[$toPolicy]['backend']; + return false; + } + + $groupDn = LDAPgroupCnToDn($groupCn, $toPolicy); + if ($groupDn === false) return false; + + // Kapcsolódás az LDAP szerverhez + $ds = @ldap_connect($AUTH[$toPolicy]['ldapHostname']); + if (!$ds) { + $_SESSION['alert'][] = 'alert:ldap_connect_failure'; + return false; + } + + // Csatlakozás a szerverhez + $r = @ldap_bind($ds, _USERDN, _USERPASSWORD); + if (!$r) { + $_SESSION['alert'][] = 'message:ldap_bind_failure'; + ldap_close($ds); + return false; + } + + if (!@ldap_delete($ds, $groupDn)) { + $_SESSION['alert'][] = 'message:ldap_delete_failure:group:'.$groupCn; + } + + ldap_close($ds); + + $_SESSION['alert'][] = 'info:delete_group_success:'.$groupCn; + return true; + + } + + +?> diff --git a/mayor-orig/www/include/backend/mysql/auth/login.php b/mayor-orig/www/include/backend/mysql/auth/login.php new file mode 100644 index 00000000..caa7929d --- /dev/null +++ b/mayor-orig/www/include/backend/mysql/auth/login.php @@ -0,0 +1,144 @@ +<?php +/* + Auth-MySQL + + A név-jelszó pár ellenőrzése MySQL adattábla alapján + */ + +/* -------------------------------------------------------------- + +Az adattábla szerkezete: + +create table userAccounts ( +userId int unsigned primary key auto_increment not null, +userAccount varchar(32), +policy varchar(10), +userPassword varchar(32), +userCn varchar(64) +); + +A függvény az előre definiált _AUTH_SUCCESS, _AUTH_EXPIRED, _AUTH_FAILURE +konstansok valamelyikével tér vissza. + +Sikeres hitelesítés esetén +az egyéb account információkat (minimálisan a 'cn', azaz 'teljes név +attribútumot) a cím szerint átadott $accountInformation tömbbe helyezi el. + +Sikertelen azonosítás esetén a globális $_SESSION['alert'] változóban jelzi az +elutasítás okát. + +Shadow attribútumok: + +Login name +Encrypted password +shadowLastChanged +1970. január 1-étől az utolsó jelszó módosításig eltelt napok száma +Days since Jan 1, 1970 that password was last changed +shadowMin +Jelszóváltoztatás után ennyi napig nem lehet ismét jelszót változtatni +Days before password may be changed +shadowMax +Jelszóváltoztatás után ennyi nappal már kötelező a jelszóváltoztatás +Days after which password must be changed +shadowWarning +A jelszó érvényességének lejártát ennyi nappal előbb jelezi a rendsze +Days before password is to expire that user is warned +shadowInactive +A jelszó érvényességének lejárta után ennyi nappal az felhasználói fiók letiltásra kerül +Days after password expires that account is disabled +shadowExpire +Az előzőektől függetlenül a felhasználói fiók letiltásra kerül 1970. január 1-étől számított ennyiedik napo +Days since Jan 1, 1970 that account is disabled + +-------------------------------------------------------------- */ + +function mysqlUserAuthentication($userAccount, $userPassword, &$accountInformation, $toPolicy = _POLICY) { + + global $AUTH; + + $modul = "$toPolicy auth"; + $lr = db_connect($modul, array('fv' => 'userAuthentication/sql')); + if (!$lr) return _AUTH_FAILURE; + + // Van-e ilyen azonosító + $q = "SELECT COUNT(*) FROM accounts WHERE userAccount='%s' AND policy='%s'"; + $num = db_query($q, array('fv' => 'userAuthentication', 'modul' => $modul, 'result' => 'value', 'values' => array($userAccount, $toPolicy)), $lr); + if ($num == 0) { + // Nincs ilyen azonosító + $_SESSION['alert'][] = 'message:no_account:'."$userAccount:$toPolicy"; + db_close($lr); + return _AUTH_FAILURE_1; + } elseif ($num > 1) { + // Több ilyen azonosító is va + $_SESSION['alert'][] = 'message:multy_uid'; + db_close($lr); + return _AUTH_FAILURE_2; + } + + // Ha csak egy van, akkor jó-e a jelszava + $q = "SELECT userCn, studyId, shadowLastChange, shadowMin, shadowMax, shadowWarning, shadowInactive, shadowExpire + FROM accounts WHERE userAccount='%s' AND userPassword=sha('%s') AND policy='%s'"; + $ret = db_query($q, array('fv' => 'userAuthentication', 'modul' => 'login', 'result' => 'record', 'values' => array($userAccount, $userPassword, $toPolicy)), $lr); + db_close($lr); + if (!is_array($ret) || count($ret) == 0) { + // Nincs ilyen rekord => rossz a jelszó + $_SESSION['alert'][] = 'message:bad_pw'; + return _AUTH_FAILURE_3; + } else { + // Ha van, akkor csak egy ilyen sor lehet + $accountInformation['cn'] = $ret['userCn']; + $accountInformation['studyId'] = $ret['studyId']; + $shadowLastChange = $ret['shadowLastChange']; + $shadowMin = $ret['shadowMin']; + $shadowMax = $ret['shadowMax']; + $shadowWarning = $ret['shadowWarning']; + $shadowInactive = $ret['shadowInactive']; + $shadowExpire = $ret['shadowExpire']; + + // A lejárat ideje a shadowExpire és shadowLastChange+shadowMax kötül a kisebbik + if (intval($shadowExpire) != 0) $expireTimestamp = $shadowExpire; + if ( + intval($shadowMax) != 0 && + ( + !isset($expireTimestamp) || + $expireTimestamp > $shadowLastChange + $shadowMax + ) + ) $expireTimestamp = $shadowLastChange + $shadowMax; + // lejárt, ha lejárat ideje már elmúlt + $accountExpired = (isset($expireTimestamp) && ($expireTimestamp <= floor(time()/(60*60*24)))); + + // Le van-e tiltva + if ( // onDisabled: none | refuse + $AUTH[$toPolicy]['onDisabled'] == 'refuse' && + isset($expireTimestamp) && + $expireTimestamp + $shadowInactive <= floor(time()/(60*60*24)) + ) { + // Le van tiltva + $_SESSION['alert'][] = 'message:account_disabled:'.strval(floor(time()/(60*60*24))); + return _AUTH_FAILURE_4; + } // onDisabled + + // Lejárt-e az azonosító + if ($AUTH[$toPolicy]['onExpired'] != 'none' && isset($expireTimestamp)) { // onExpired: none | warning | force update + // Lejárt-e + $pwLejar = $expireTimestamp - floor(time()/(60*60*24)); + if (0 < $pwLejar && $pwLejar < $shadowWarning) { + $_SESSION['alert'][] = 'info:account_warning:'.$pwLejar; + return _AUTH_SUCCESS; + } elseif ($pwLejar <= 0) { + $_SESSION['alert'][] = 'info:account_expired:'.abs($pwLejar); + if ($AUTH[$toPolicy]['onDisabled'] == 'refuse') + $_SESSION['alert'][] = 'info:warn_account_disable:'.($shadowInactive+$pwLejar); + if ($AUTH[$toPolicy]['onExpired'] == 'warning') { + return _AUTH_SUCCESS; + } elseif ($AUTH[$toPolicy]['onExpired'] == 'force update') { + return _AUTH_EXPIRED; + } + } + } // onExpired + return _AUTH_SUCCESS; + + } +} + +?> diff --git a/mayor-orig/www/include/backend/mysql/base/attrs.php b/mayor-orig/www/include/backend/mysql/base/attrs.php new file mode 100644 index 00000000..b945d764 --- /dev/null +++ b/mayor-orig/www/include/backend/mysql/base/attrs.php @@ -0,0 +1,48 @@ +<?php + + if (file_exists('lang/'._LANG.'/backend/mysql/attrs.php')) { + require('lang/'._LANG.'/backend/mysql/attrs.php'); + } elseif (file_exists('lang/'._DEFAULT_LANG.'/backend/mysql/attrs.php')) { + require('lang/'._DEFAULT_LANG.'/backend/mysql/attrs.php'); + } + +###################################################### +# Alapértelmezett jogosultságok +# +# w - Írható/olvasható +# r - olvasható +# - - egyik sem +# +# Három karakter: admin, self, other jogai +###################################################### + + define('_DEFAULT_MYSQL_RIGHTS','wr-'); + + global $mysqlAccountAttrDef; + $mysqlAccountAttrDef = array( + 'uid' => array('desc' => _MYSQLUID, 'type' => 'text', 'rights' => 'rrr'), + 'policy' => array('desc' => _MYSQLPOLICY, 'type' => 'text', 'rights' => 'r--'), + 'useraccount' => array('desc' => _MYSQLUIDNUMBER, 'type' => 'text','rights' => 'r--'), + 'userCn' => array('desc' => _MYSQLCN, 'type' => 'text', 'rights' => 'wrr'), + 'studyId' => array('desc' => _MYSQLSTUDYID, 'type' => 'int', 'rights' => 'wrr'), + 'mail' => array('desc' => _MYSQLMAIL, 'type' => 'text', 'rights' => 'wwr'), + 'telephoneNumber' => array('desc' => _MYSQLTELEPHONENUMBER, 'type' => 'text', 'rights' => 'ww-'), +// 'userPassword' => array('desc' => _MYSQLUSERPASSWORD, 'type' => 'text', 'rights' => 'r--'), + 'shadowLastChange' => array('desc' => _MYSQLSHADOWLASTCHANGE, 'type' => 'text', 'rights' => 'wrr'), + 'shadowExpire' => array('desc' => _MYSQLSHADOWEXPIRE, 'type' => 'text', 'rights' => 'wrr'), + 'shadowWarning' => array('desc' => _MYSQLSHADOWWARNING, 'type' => 'text', 'rights' => 'wrr'), + 'shadowMin' => array('desc' => _MYSQLSHADOWMIN, 'type' => 'text', 'rights' => 'wrr'), + 'shadowMax' => array('desc' => _MYSQLSHADOWMAX, 'type' => 'text', 'rights' => 'wrr'), + 'shadowInactive' => array('desc' => _MYSQLSHADOWINACTICE, 'type' => 'text', 'rights' => 'wrr'), + ); + + global $mysqlGroupAttrDef; + $mysqlGroupAttrDef = array( + 'gid' => array('desc' => _MYSQLGID, 'type' => 'text', 'rights' => 'rrr'), + 'groupDesc' => array('desc' => _MYSQLGROUPDESC, 'type' => 'text', 'rights' => 'wrr'), + 'policy' => array('desc' => _MYSQLPOLICY, 'type' => 'int', 'rights' => 'r--'), + 'member' => array('desc' => _MYSQLMEMBER, 'type' => 'select', 'rights' => 'w--'), + ); + + +?> diff --git a/mayor-orig/www/include/backend/mysql/password/changePassword.php b/mayor-orig/www/include/backend/mysql/password/changePassword.php new file mode 100644 index 00000000..2875bace --- /dev/null +++ b/mayor-orig/www/include/backend/mysql/password/changePassword.php @@ -0,0 +1,75 @@ +<?php +/* + Module: base/password + + function changeMyPassword($userAccount, $userPassword, $newPassword, $verification) + A függvény nem vizsgálja, hogy jogosultak vagyunk-e a jelszó megváltoztatására. + Ennek eldöntése a függvényt hívó program feladata + */ + +############################################################################ +# Saját jelszó megváltoztatása +############################################################################ + +function changeMyPassword($userAccount, $userPassword, $newPassword, $toPolicy = '') { + + global $AUTH; + + if ($toPolicy == '') $toPolicy = $_REQUEST['toPolicy']; + $shadowLastChange = floor(time()/(60*60*24)); + + $modul = "$toPolicy auth"; + $lr = db_connect($modul, array('fv' => 'changeMyPassword')); + + if (!$lr) return false; + + // Stimmel-e az azonosító/jelszó/policy hármas + $q = "SELECT COUNT(*) FROM accounts WHERE userAccount='%s' AND userPassword=sha('%s') AND policy='%s'"; + $num = db_query($q, array('fv' => 'changeMyPassword', 'modul' => $modul, 'result' => 'value', 'values' => array($userAccount, $userPassword, $toPolicy)), $lr); + if ($num != 1) { + $_SESSION['alert'][] = 'message:bad_pw:changeMyPassword'; + db_close($lr); + return false; + } + + if (isset($AUTH[$toPolicy]['shadowExpire']) and $AUTH[$toPolicy]['shadowExpire'] != '') { + $shadowExpire = $AUTH[$toPolicy]['shadowExpire']; + } elseif (isset($AUTH[$toPolicy]['shadowMax']) and $AUTH[$toPolicy]['shadowMax'] != '') { + $shadowExpire = $shadowLastChange + intval($AUTH[$toPolicy]['shadowMax']); + } + $q = "UPDATE accounts SET userPassword=sha('%s'), shadowLastChange=%u, shadowExpire=%u + WHERE userAccount='%s' and policy='%s'"; + $v = array($newPassword, $shadowLastChange, $shadowExpire, $userAccount, $toPolicy); + $r = db_query($q, array('fv' => 'changeMyPassword', 'modul' => $modul, 'values' => $v), $lr); + db_close($lr); + if ($r) $_SESSION['alert'][] = 'info:pw_change_success'; + return $r; + +} + +############################################################################ +# Adminisztrátori jelszó változtatás +############################################################################ + +function changePassword($userAccount, $newPassword, $toPolicy = '') { + + global $AUTH; + + if ($toPolicy == '') $toPolicy = _POLICY; + $shadowLastChange = floor(time()/(60*60*24)); + if (isset($AUTH[$toPolicy]['shadowExpire']) and $AUTH[$toPolicy]['shadowExpire'] != '') { + $shadowExpire = $AUTH[$toPolicy]['shadowExpire']; + } elseif (isset($AUTH[$toPolicy]['shadowMax']) and $AUTH[$toPolicy]['shadowMax'] != '') { + $shadowExpire = $shadowLastChange + intval($AUTH[$toPolicy]['shadowMax']); + } + $shadowExpire = intval($shadowExpire); + $q = "UPDATE accounts SET userPassword=sha('%s'), shadowLastChange=%u, shadowExpire=%u + WHERE userAccount='%s' and policy='%s'"; + $v = array($newPassword, $shadowLastChange, $shadowExpire, $userAccount, $toPolicy); + $r = db_query($q, array('fv' => 'changePassword', 'modul' => "$toPolicy auth", 'values' => $v)); + if ($r) $_SESSION['alert'][] = 'info:pw_change_success'; + return $r; + +} + +?> diff --git a/mayor-orig/www/include/backend/mysql/session/accountInfo.php b/mayor-orig/www/include/backend/mysql/session/accountInfo.php new file mode 100644 index 00000000..113e380b --- /dev/null +++ b/mayor-orig/www/include/backend/mysql/session/accountInfo.php @@ -0,0 +1,258 @@ +<?php +/* + Module: base/auth-mysql + Backend: mysql + + function mysqlGetAccountInfo($userAccount, $toPolicy = _POLICY) + function mysqlGetUserInfo($userAccount, $toPolicy = _POLICY) + function mysqlChangeAccountInfo($userAccount, $toPolicy = _POLICY) + function mysqlGetGroupInfo($groupCn, $toPolicy = _POLICY) + +*/ + +########################################################### +# mysqlGetAccountInfo - felhasználói információk (backend) +########################################################### + + function mysqlGetAccountInfo($userAccount, $toPolicy = _POLICY, $SET = array()) { + + global $AUTH, $backendAttrs, $backendAttrDef; + + // Keresés + if (is_array($SET['justThese']) && count($SET['justThese']) > 0) { + $_THESE = '`'.implode('`,`', array_fill(0, count($SET['justThese']), '%s')).'`'; + $v = $SET['justThese']; + } else { + $_THESE = '*'; + $v = array(); + } + $q = "SELECT $_THESE FROM accounts WHERE userAccount='%s' AND policy='%s'"; + array_push($v, $userAccount, $toPolicy); + $A = db_query($q, array('fv' => 'mysqlGetAccountInfo', 'modul' => "$toPolicy auth", 'result' => 'record', 'values' => $v), $lr); + if (!is_array($A) || count($A) == 0) return false; + + $data = array(); + foreach ($A as $attr => $value) $data[$attr][] = $value; + foreach ($data as $attr => $array) $data[$attr]['count'] = count($array); + + return $data; + + } + +############################################################# +# mysqlGetUserInfo - felhasználói információk (keretrendszer) +############################################################# + + function mysqlGetUserInfo($userAccount, $toPolicy = _POLICY) { + + global $AUTH, $backendAttrs, $backendAttrDef; + + if (!isset($backendAttrs)) list($backendAttrs, $backendAttrDef) = getBackendAttrs('Account', $toPolicy); + + // Keresés + $q = "SELECT userAccount,userCn FROM accounts WHERE userAccount='%s' AND policy='%s'"; + $A = db_query($q, array('fv' => 'mysqlGetUserInfo', 'modul' => "$toPolicy auth", 'result' => 'record', 'values' => array($userAccount, $toPolicy))); + if (!is_array($A) || count($A) == 0) return false; + $ret = array(); + foreach ($A as $attr => $value) $ret[$attr][] = $value; + return $ret; + + } + +############################################################### +# mysqlChangeAccountInfo - felhasználói információk módosítása +############################################################### + + function mysqlChangeAccountInfo($userAccount, $toPolicy = _POLICY) { + + global $AUTH, $backendAttrs, $backendAttrDef; + + // Kapcsolódás az MySQL szerverhez + $modul = "$toPolicy auth"; + $lr = db_connect($modul, array('fv' => 'mysqlChangeAccountInfo')); + if (!$lr) return false; + + $emptyAttrs = explode(':',$_POST['emptyAttrs']); + + // Attribútumonként módosítunk + foreach ($backendAttrs as $attr) { + + if ($backendAttrDef[$attr]['rights'] == '') $rigths = _DEFAULT_MYSQL_RIGHTS; + else $rights = $backendAttrDef[$attr]['rights']; + + if ($rights[_ACCESS_AS] == 'w') { + + $value = ''; + + if ($backendAttrDef[$attr]['type'] == 'int') { + if ($backendAttrDef[$attr]['type'] != '' ) $value = readVariable($_POST[$attr], 'number'); + } else { + if ($backendAttrDef[$attr]['type'] != '' ) $value = readVariable($_POST[$attr], 'string'); // html túl erős: pl email címben a @ fent akad... + } + + if (in_array($attr,$emptyAttrs)) { + if ($value != '') { + $q = "UPDATE accounts SET `%s`='%s' WHERE userAccount='%s' AND policy='%s'"; + $v = array($attr, $value, $userAccount, $toPolicy); + } + } else { + if ($value != '') { + $q = "UPDATE accounts SET `%s`='%s' WHERE userAccount='%s' AND policy='%s'"; + $v = array($attr, $value, $userAccount, $toPolicy); + } else { + $q = "UPDATE accounts SET `%s`=NULL WHERE userAccount='%s' AND policy='%s'"; + $v = array($attr, $userAccount, $toPolicy); + } + } + db_query($q, array('fv' => 'mysqlChangeAccountInfo', 'modul' => $modul, 'values' => $v), $lr); + + } else { + // $_alert[] = 'message:insufficient_access:'.$attr; + } + } // foreach + + db_close($lr); + if (count($_alert) == 0) $_SESSION['alert'][] = 'info:change_success'; + else for ($i = 0; $i < count($_alert); $i++) $_SESSION['alert'][] = $_alert[$i]; + + } + +########################################################### +# mysqlGetGroupInfo - csoport információk (backend) +########################################################### + + function mysqlGetGroupInfo($groupCn, $toPolicy = _POLICY, $SET = array()) { + + global $AUTH, $backendAttrs, $backendAttrDef; + + if (!isset($backendAttrs)) list($backendAttrs, $backendAttrDef) = getBackendAttrs('Group', $toPolicy); + + // Kapcsolódás az MySQL szerverhez + $modul = "$toPolicy auth"; + $lr = db_connect($modul, array('fv' => 'mysqlGetGroupInfo')); + if (!$lr) return false; + + // Keresés + if (is_array($SET['justThese']) && count($SET['justThese']) > 0) { + $_THESE = '`'.implode('`,`', array_fill(0, count($SET['justThese']), '%s')).'`'; + $v = $SET['justThese']; + } else { + $_THESE = '*'; + $v = array(); + } + $q = "SELECT $_THESE FROM groups WHERE groupCn='%s' AND policy='%s'"; + + array_push($v, $groupCn, $toPolicy); + $A = db_query($q, array('fv' => 'mysqlGetGroupInfo', 'modul' => $modul, 'result' => 'record', 'values' => $v), $lr); + if (!is_array($A) || count($A) == 0) { db_close($lr); return false; } + // Megfelelő formátum kialakítása + foreach ($A as $attr => $value) $data[$attr][] = $value; + foreach ($data as $attr => $array) $data[$attr]['count'] = count($array); + + // tagok lekérdezése + $q = "SELECT 'member' AS type, uid AS value, userCn AS txt FROM members LEFT JOIN accounts USING (uid) WHERE gid = '%s'"; + $v = array($A['gid']); + $data2 = db_query($q, array('fv' => 'mysqlGetGroupInfo', 'modul' => $modul, 'result' => 'multiassoc', 'keyfield' => 'type', 'values' => $v), $lr); + if ($data2 === false) { db_close($lr); return false; } + $data = array_merge($data, $data2); + + // Lehetséges tagok + if ($SET['withNewAccounts']===true) { + $q = "SELECT userCn AS txt, uid AS value FROM accounts WHERE policy='%s' ORDER BY userCn"; + $data['member']['new'] = db_query($q, array( + 'fv' => 'mysqlGetGroupInfo', 'modul' => $modul, 'result' => 'indexed', 'values' => array($toPolicy) + ), $lr); + } + + db_close($lr); + return $data; + + } + + +############################################################### +# mysqlChangeGroupInfo - csoport információk módosítása +############################################################### + + function mysqlChangeGroupInfo($groupCn, $toPolicy = _POLICY) { + +// !!!! A memberuid / member szinkronjára nem figyel!! + + global $AUTH, $backendAttrs, $backendAttrDef; + + // Kapcsolódás az MySQL szerverhez + $modul = "$toPolicy auth"; + $lr = db_connect($modul, array('fv' => 'mysqlChangeGroupInfo')); + if (!$lr) return false; + + $q = "SELECT gid FROM groups WHERE groupCn='%s' AND policy='%s'"; + $v = array($groupCn, $toPolicy); + $gid = db_query($q, array('fv' => 'mysqlChangeGroupInfo', 'modul' => $modul, 'result' => 'value', 'values' => $v), $lr); + if ($gid === false) { db_close($lr); return false; } + + $emptyAttrs = explode(':', $_POST['emptyAttrs']); + + // Attribútumonként módosítunk + foreach ($backendAttrs as $attr) { + + if ($backendAttrDef[$attr]['rights'] == '') $rigths = _DEFAULT_LDAP_RIGHTS; + else $rights = $backendAttrDef[$attr]['rights']; + + if ($rights[_ACCESS_AS] == 'w') { + + $Mod = $Add = $Del = $V = $v = array(); + $values = array(); + + if ($backendAttrDef[$attr]['type'] != '') + if (isset($_POST[$attr])) $values[0] = readVariable($_POST[$attr],'html'); + else $values[0] = ''; + + if ($backendAttrDef[$attr]['type'] == 'select') { + if ($attr == 'member') { + if (isset($_POST['new-'.$attr][0]) && $_POST['new-'.$attr][0] != '') { + for ($i = 0; $i < count($_POST['new-'.$attr]); $i++) { + $V[] = "(%u, %u)"; + array_push($v, $_POST['new-'.$attr][$i], $gid); + } + $q = "INSERT INTO members (uid, gid) VALUES ".implode(',', $V); + db_query($q, array('fv' => 'mysqlChangeGroupInfo', 'modul' => $modul, 'values' => $v), $lr); + } + if (isset($_POST['del-'.$attr][0]) && $_POST['del-'.$attr][0] != '') { + $q = "DELETE FROM members WHERE gid=%u + AND uid IN (".implode(',', array_fill(0, count($_POST['del-'.$attr]), '%u')).")"; + $v = array_merge(array($gid), $_POST['del-'.$attr]); + $r = db_query($q, array('fv' => 'mysqlChangeGroupInfo', 'modul' => $modul, 'values' => $v), $lr); + } + } else { + $_SESSION['alert'][] = 'message:invalid_type:select:'.$attr; + } + } else { + if (in_array($attr, $emptyAttrs)) { + if ($values[0] != '') { + $W = "`%s`='%s'"; + $v = array($attr, $values[0]); + } + } else { + if ($values[0] != '') { + $W = "`%s`='%s'"; + $v = array($attr, $values[0]); + } else { + $W = "`%s`=NULL"; + $v = array($attr); + } + } + $q = "UPDATE groups SET $W WHERE groupCn='%s' AND policy='%s'"; + array_push($v, $groupCn, $toPolicy); + db_query($q, array('fv' => 'mysqlChangeGroupInfo', 'modul' => $modul, 'values' => $v), $lr); + } + } else { + $_alert[] = 'message:insufficient_access:'.$attr; + } + } // foreach + + db_close($lr); + return true; + + } + +?> diff --git a/mayor-orig/www/include/backend/mysql/session/base.php b/mayor-orig/www/include/backend/mysql/session/base.php new file mode 100644 index 00000000..35272ff8 --- /dev/null +++ b/mayor-orig/www/include/backend/mysql/session/base.php @@ -0,0 +1,52 @@ +<?php +/* + Module: base/session + Backend: mysql + + function mysqlMemberOf($userAccount, $groupCn, $toPolicy = _POLICY) +*/ + + require_once('include/backend/mysql/base/attrs.php'); + + + function mysqlMemberOf($userAccount, $groupCn, $toPolicy = _POLICY) { + + global $AUTH; + + $modul = "$toPolicy auth"; + $lr = db_connect($modul, array('fv' => 'mysqlMemberOf')); + if (!$lr) return _AUTH_FAILURE; + + // Az uid lekérdezése + if (!defined(('__'.$toPolicy.'_UID')) || _USERACCOUNT != $userAccount) { // egy policy-hez csak egy uid tartozik + $q = "SELECT uid FROM accounts WHERE userAccount = '%s' AND policy = '%s'"; + $v = array($userAccount, $toPolicy); + $uid = db_query($q, array('fv' => 'mysqlMemberOf', 'modul' => $modul, 'result' => 'value', 'values' => $v), $lr); + if ($uid === false) { + $_SESSION['alert'][] = 'message:no_account:'."$userAccount:$toPolicy"; + db_close($lr); return false; + } + if (!defined('__'.$toPolicy.'_UID')) define('__'.$toPolicy.'_UID',$uid); + } else { + $uid=constant('__'.$toPolicy.'_UID'); + } + + // Az gid lekérdezése + $q = "SELECT gid FROM groups WHERE groupCn = '%s' AND policy = '%s'"; + $v = array($groupCn, $toPolicy); + $gid = db_query($q, array('fv' => 'mysqlMemberOf', 'modul' => $modul, 'result' => 'value', 'values' => $v), $lr); + if ($gid === false) { + $_SESSION['alert'][] = 'message:no_group:'."$groupCn:$toPolicy"; + db_close($lr); return false; + } + + // Benne van-e a csoportban + $q = "SELECT COUNT(*) FROM members WHERE uid = %u AND gid = %u"; + $v = array($uid, $gid); + $num = db_query($q, array('fv' => 'mysqlMemberOf', 'modul' => $modul, 'result' => 'value', 'values' => $v), $lr); + db_close($lr); + return ($num > 0); + + } + +?> diff --git a/mayor-orig/www/include/backend/mysql/session/createAccount.php b/mayor-orig/www/include/backend/mysql/session/createAccount.php new file mode 100644 index 00000000..25ff9132 --- /dev/null +++ b/mayor-orig/www/include/backend/mysql/session/createAccount.php @@ -0,0 +1,106 @@ +<?php +/* + Module: base/session + Backend: mysql + + function mysqlCreateAccount($userCn, $userAccount, $studyId, $userPassword, $category, $toPolicy = _POLICY) { + +*/ + + /* + $SET = array( + container => a konténer elem - MySQL backend esetén nincs értelme + category => tanár, diák... egy kiemelt fontosságú csoport tagság + groups => egyéb csoportok + policyAttrs => policy függő attribútumok + createGroup => létrehozza az adott nevű csoportokat, ha nincsenek + ) + + */ + function mysqlCreateAccount( + $userCn, $userAccount, $userPassword, $toPolicy, $SET + ) { + + global $AUTH; + + $shadowlastchange = floor(time() / (60*60*24)); + $modul = "$toPolicy auth"; + $lr = db_connect($modul, array('fv' => 'mysqlCreateAccount')); + if (!$lr) return _AUTH_FAILURE; + + // ütközés ellenőrzése + $q = "SELECT COUNT(userCn) FROM accounts WHERE userAccount = '%s' AND policy = '%s'"; + $v = array($userAccount, $toPolicy); + $num = db_query($q, array('fv' => 'mysqlCreateAccount', 'modul' => $modul, 'result' => 'value', 'values' => $v), $lr); + if ($num > 0) { + db_close($lr); + $_SESSION['alert'][] = 'message:multi_uid'.":$userAccount:$toPolicy"; + return false; + } + + // A shadowLastChange a mai nap // if (isset($AUTH[$toPolicy]['shadowlastchange']) && $AUTH[$toPolicy]['shadowlastchange'] != '') $shadowlastchange = $AUTH[$toPolicy]['shadowlastchange']; + $shadowmin = readVariable($AUTH[$toPolicy]['shadowmin'], 'numeric unsigned', 'null'); // null szöveg + $shadowmax = readVariable($AUTH[$toPolicy]['shadowmax'], 'numeric unsigned', 'null'); // null szöveg + $shadowwarning = readVariable($AUTH[$toPolicy]['shadowwarning'], 'numeric unsigned', 'null'); // null szöveg + $shadowinactive = readVariable($AUTH[$toPolicy]['shadowinactive'], 'numeric unsigned', 'null'); // null szöveg + $shadowexpire = readVariable($AUTH[$toPolicy]['shadowexpire'], 'numeric unsigned', 'null'); // null szöveg + + // A $SET['policyAttrs'] feldolgozása + $attrList = array_keys($SET['policyAttrs']); + $valueList = array_values($SET['policyAttrs']); + + // user felvétele + if (count($attrList) > 0) { + $q = "INSERT INTO accounts ( + policy, userAccount, userCn, userPassword, shadowLastChange, shadowMin, shadowMax, shadowWarning, shadowInactive, shadowExpire, + `".implode('`, `', array_fill(0, count($attrList), '%s'))."` + ) VALUES ( + '%s', '%s', '%s', sha('%s'), %u, %u, %u, %u, %u, %u, '".implode("', '", array_fill(0, count($valueList), '%s'))."' + )"; + } else{ + $q = "INSERT INTO accounts ( + policy, userAccount, userCn, userPassword, shadowLastChange, shadowMin, shadowMax, shadowWarning, shadowInactive, shadowExpire + ) VALUES ('%s', '%s', '%s', sha('%s'), %u, %u, %u, %u, %u, %u)"; + } + $v = array_merge( + $attrList, + array($toPolicy, $userAccount, $userCn, $userPassword, $shadowlastchange, $shadowmin, $shadowmax, $shadowwarning, $shadowinactive, $shadowexpire), + $valueList + ); + $uid = db_query($q, array('fv' => 'mysqlCreateAccount', 'modul' => $modul, 'result' => 'insert', 'values' => $v), $lr); + if ($uid === false) { db_close($lr); return false; } + // user berakása a kategóriájának megfelelő csoportokba + + if (isset($SET['category'])) { + if (is_array($SET['groups'])) array_unshift($SET['groups'], $SET['category']); + else $SET['groups'] = array($SET['category']); + + for ($i = 0; $i < count($SET['groups']); $i++) { + $category = $SET['groups'][$i]; + $groupCn = kisbetus(ekezettelen($category)); + if ($category == '') continue; + $q = "SELECT gid FROM groups WHERE groupCn='%s'"; + $gid = db_query($q, array('fv' => 'mysqlCreateAccount', 'modul' => $modul, 'result' => 'value', 'values' => array($groupCn)), $lr); + if ($gid === false || is_null($gid)) { // --FIXME -- ez jó így BENCE radyx + if ($SET['createGroup']) { + require_once('include/modules/session/createGroup.php'); + //createGroup($groupCn, "$category csoport", $category, $toPolicy = _POLICY); + createGroup($groupCn, "$category csoport", $toPolicy = _POLICY, array('category'=>$category)); + $gid = db_query($q, array('fv' => 'mysqlCreateAccount', 'modul' => $modul, 'result' => 'value', 'values' => array($groupCn)), $lr); + } else { + $_SESSION['alert'][] = 'message:wrong_data:mysqlCreateAccount - nincsmegadva/hibás kategória:'.$category.':'.$groupCn; + db_close($lr); return false; + } + } + $q = "INSERT INTO members (uid,gid) VALUES (%u, %u)"; + $r = db_query($q, array('fv' => 'mysqlCreateAccount', 'modul' => $modul, 'values' => array($uid, $gid)), $lr); + if (!$r) { db_close($lr); return false; } + } + } + $_SESSION['alert'][] = 'info:create_account_success:'.$userAccount; + db_close($lr); + return true; + + } + +?> diff --git a/mayor-orig/www/include/backend/mysql/session/createGroup.php b/mayor-orig/www/include/backend/mysql/session/createGroup.php new file mode 100644 index 00000000..d1bc4f7b --- /dev/null +++ b/mayor-orig/www/include/backend/mysql/session/createGroup.php @@ -0,0 +1,37 @@ +<?php + + function mysqlCreateGroup($groupCn, $groupDesc, $toPolicy = _POLICY, $SET = null) { + + global $AUTH; + + // $toPolicy --> backend - ellenőrzés! + if ($AUTH[$toPolicy]['backend'] != 'mysql') { + $_SESSION['alert'][] = 'page:wrong_backend:'.$AUTH[$toPolicy]['backend']; + return false; + } + + // Kapcsolódás az MySQL szerverhez + $modul = "$toPolicy auth"; + $lr = @db_connect($modul, array('fv' => 'mysqlCreateGroup')); + if (!$lr) return false; + + // cn ütközés ellenőrzése + $q = "SELECT COUNT(*) FROM groups WHERE policy='%s' AND groupCn='%s'"; + $v = array($toPolicy, $groupCn); + $num = db_query($q, array('fv' => 'mysqlCreateGroup', 'modul' => $modul, 'result' => 'value', 'values' => $v), $lr); + if ($num === false) { db_close($lr); return false; } + if ($num > 0) { $_SESSION['alert'][] = 'message:multi_uid:'.$groupCn; db_close($lr); return false; } + + // csoport felvétel + $q = "INSERT INTO groups (groupCn, groupDesc, policy) VALUES ('%s', '%s','%s')"; + $v = array($groupCn, $groupDesc, $toPolicy); + $gid = db_query($q, array('fv' => 'mysqlCreateGroup', 'modul' => $modul, 'result' => 'insert', 'values' => $v), $lr); + if ($gid === false) { db_close($lr); return false; } + + $_SESSION['alert'][] = 'info:create_group_success:'.$dn; + db_close($lr); + return true; + + } + +?> diff --git a/mayor-orig/www/include/backend/mysql/session/search/searchAccount.php b/mayor-orig/www/include/backend/mysql/session/search/searchAccount.php new file mode 100644 index 00000000..fa4584b0 --- /dev/null +++ b/mayor-orig/www/include/backend/mysql/session/search/searchAccount.php @@ -0,0 +1,169 @@ +<?php +/* + Module: base/session + Backend: mysql + +*/ + +###################################################### +# MySQL account kereső függvény +###################################################### + + function mysqlSearchAccount($attr, $pattern, $searchAttrs = array('userCn'), $toPolicy = _POLICY) { + + global $AUTH; + + if ($pattern == '') { + $_SESSION['alert'][] = 'message:empty_field:mysqlSerachAccount, pattern'; + return false; + } + + // Kapcsolódás az MySQL szerverhez + $modul = "$toPolicy auth"; + $lr = @db_connect($modul, array('fv' => 'mysqlSearchAccount')); + if (!$lr) return false; + + // Keresés + $q = "SELECT `".implode('`,`', array_fill(0, count($searchAttrs), '%s'))."` FROM accounts WHERE `%s` LIKE '%%%s%%' AND policy='%s'"; + $v = array_merge($searchAttrs, array($attr, $pattern, $toPolicy)); + $r = db_query($q, array('fv' => 'mysqlSearchAccount', 'modul' => $modul, 'result' => 'indexed', 'values' => $v), $lr); + db_close($lr); + if ($r === false) return false; + $ret = array('count' => count($r)); + foreach ($r as $key => $A) { + $data = array(); + foreach ($A as $attr => $value) { + $data[$attr] = array($value); + $data[$attr]['count']++; + } + $data['category'] = getAccountCategories($data['userAccount'][0], $toPolicy); + $data['category']['count'] = count($data['category']); + $ret[] = $data; + } + + return $ret; + + } + +###################################################### +# MySQL group kereső függvény +###################################################### + + function mysqlSearchGroup($attr, $pattern, $searchAttrs = array('userCn'), $toPolicy = _POLICY) { + + global $AUTH; + + if ($pattern == '') { + $_SESSION['alert'][] = 'message:empty_field:mysqlSearchGroup, pattern'; + return false; + } + + // Kapcsolódás az MySQL szerverhez + $modul = "$toPolicy auth"; + $lr = db_connect($modul, array('fv' => 'mysqlSearchGroup')); + if (!$lr) return false; + // Keresés + if ($attr == 'member') { + $q = "SELECT `".implode('`,`', array_fill(0, count($searchAttrs), '%s'))."` FROM groups LEFT JOIN members + ON members.gid=groups.gid + LEFT JOIN accounts USING (uid) + WHERE gid IN + (SELECT DISTINCT gid FROM accounts LEFT JOIN members USING(uid) WHERE userAccount LIKE '%%%s%%' AND policy='%s') + AND groups.policy='%s'"; + $v = array_merge($searchAttrs, array($pattern, $toPolicy, $toPolicy)); + } else { + $q = "SELECT DISTINCT `".implode('`,`', array_fill(0, count($searchAttrs), '%s'))."` FROM groups LEFT JOIN members + ON members.gid=groups.gid + LEFT JOIN accounts USING (uid) + WHERE `%s` LIKE '%%%s%%' AND groups.policy='%s'"; + $v = array_merge($searchAttrs, array($attr, $pattern, $toPolicy)); + } + $r = db_query($q, array('fv' => 'mysqlSearchGroup', 'modul' => $modul, 'result' => 'indexed', 'values' => $v), $lr); + db_close($lr); + if ($r === false) return false; + $ret = array('count' => count($r)); + foreach ($r as $key => $A) { + $data = array(); + foreach ($A as $attr => $value) { + $data[$attr] = array($value); + } + $ret[] = $data; + } + + return $ret; + + } + +###################################################### +# mysqlDeleteAccount - account törlése +###################################################### + + function mysqlDeleteAccount($userAccount, $toPolicy = _POLICY) { + + global $AUTH; + + // $toPolicy --> mysql backend - ellenőrzés + if ($AUTH[$toPolicy]['backend'] != 'mysql') { + $_SESSION['alert'][] = 'page:wrong_backend:'.$AUTH[$toPolicy]['backend']; + return false; + } + + // Kapcsolódás az MySQL szerverhez + $modul = "$toPolicy auth"; + $lr = @db_connect($modul, array('fv' => 'mysqlDeleteAccount')); + if (!$lr) return false; + + // Az uidNumber, a homeDirectory lekerdezése - és mire használjuk, ha szabad kérdeznem??? + if ($AUTH[$toPolicy]['createHomeDir']) { + $q = "SELECT homeDirectory, uid FROM accounts WHERE policy='%s' AND userAccount='%s'"; + $v = array($toPolicy, $userAccount); + $ret = db_query($q, array('fv' => 'mysqlDeleteAccount', 'modul' => $modul, 'result' => 'record', 'values' => $v), $lr); + if ($ret === false) { db_close($lr); return false; } + + $homeDirectory = $ret['homeDirectory']; // de nem használjuk semmire... + // A user csoport törlése + $q = "DELETE FROM groups WHERE gid=%u"; + $v = array($ret['uid']); + $r = db_query($q, array('fv' => 'mysqlDeleteAccount', 'modul' => $modul, 'values' => $v), $lr); + if (!$r) { db_close($lr); return false; } + } + + // user törlése + $q = "DELETE FROM accounts WHERE policy='%s' AND userAccount='%s'"; + $v = array($toPolicy, $userAccount); + $r = db_query($q, array('fv' => 'mysqlDeleteAccount', 'modul' => $modul, 'values' => $v), $lr); + db_close($lr); + // törlés a csoportból - Ha innoDb - akkor nincs ezzel tennivaló!! + if ($r) $_SESSION['alert'][] = 'info:delete_uid_success:'.$userDn; + + return $r; + + } + +###################################################### +# mysqlDeleteGroup - group törlése +###################################################### + + function mysqlDeleteGroup($groupCn, $toPolicy = _POLICY) { + + global $AUTH; + + // $toPolicy --> mysql backend - ellenőrzés + if ($AUTH[$toPolicy]['backend'] != 'mysql') { + $_SESSION['alert'][] = 'page:wrong_backend:'.$AUTH[$toPolicy]['backend']; + return false; + } + + // csoport törlése + $q = "DELETE FROM groups WHERE policy='%s' AND groupCn='%s'"; + $v = array($toPolicy, $groupCn); + $r = db_query($q, array('fv' => 'mysqlDeleteGroup', 'modul' => "$toPolicy auth", 'values' => $v)); + + if ($r) $_SESSION['alert'][] = 'info:delete_uid_success:'.$userDn; + + // tagok törlése a csoportból - Ha innoDb - akkor nincs ezzel tennivaló!! + return $r; + + } + +?> |