From 43de9af71f7f4ca5731b94a06d688ae8412ba427 Mon Sep 17 00:00:00 2001 From: M.Gergo Date: Fri, 6 Jul 2018 11:14:41 +0200 Subject: 2018/Feb/28 -i állapot hozzáadva, mint a módosítások kiindulási állapota --- .../www/include/backend/ldap-ng/auth/login.php | 163 +++++++++ .../www/include/backend/ldap-ng/base/attrs.php | 146 ++++++++ .../backend/ldap-ng/password/changePassword.php | 161 +++++++++ .../backend/ldap-ng/session/accountInfo.php | 401 +++++++++++++++++++++ .../www/include/backend/ldap-ng/session/base.php | 184 ++++++++++ .../backend/ldap-ng/session/createAccount.php | 157 ++++++++ .../backend/ldap-ng/session/createGroup.php | 82 +++++ .../ldap-ng/session/search/searchAccount.php | 271 ++++++++++++++ 8 files changed, 1565 insertions(+) create mode 100644 mayor-orig/www/include/backend/ldap-ng/auth/login.php create mode 100644 mayor-orig/www/include/backend/ldap-ng/base/attrs.php create mode 100644 mayor-orig/www/include/backend/ldap-ng/password/changePassword.php create mode 100644 mayor-orig/www/include/backend/ldap-ng/session/accountInfo.php create mode 100644 mayor-orig/www/include/backend/ldap-ng/session/base.php create mode 100644 mayor-orig/www/include/backend/ldap-ng/session/createAccount.php create mode 100644 mayor-orig/www/include/backend/ldap-ng/session/createGroup.php create mode 100644 mayor-orig/www/include/backend/ldap-ng/session/search/searchAccount.php (limited to 'mayor-orig/www/include/backend/ldap-ng') diff --git a/mayor-orig/www/include/backend/ldap-ng/auth/login.php b/mayor-orig/www/include/backend/ldap-ng/auth/login.php new file mode 100644 index 00000000..3eb9854e --- /dev/null +++ b/mayor-orig/www/include/backend/ldap-ng/auth/login.php @@ -0,0 +1,163 @@ + 1 ) { + // Több ilyen uid is van + $_SESSION['alert'][] = "message:multi_uid"; + ldap_close($ds); + return _AUTH_FAILURE_2; + } + + if ($info['count']==1) { // Van - egy - ilyen felhasználó + + + $accountInformation['cn'] = $info[0][ $AUTH[$toPolicy]['ldapCnAttr'] ][0]; + $accountInformation['studyId'] = $info[0][ $AUTH[$toPolicy]['ldapStudyIdAttr'] ][0]; + + $accountInformation['dn'] = $info[0]['dn']; + $accountInformation['account'] = $userAccount; + // Lejárt-e + // A lejárat ideje a shadowExpire és shadowLastChange+shadowMax kötül a kisebbik + if ($info[0]['pwdlastset'][0] != '') { // A pwdLastSet és shadowLastChange közül a kisebbiket használjuk +// if ($info[0]['shadowlastchange'][0] != '') +// $info[0]['shadowlastchange'][0] = min(pwdLastSet2shadowLastChange($info[0]['pwdlastset'][0]), $info[0]['shadowlastchange'][0]); +// else + $info[0]['shadowlastchange'][0] = pwdLastSet2shadowLastChange($info[0]['pwdlastset'][0]); + } + if ($info[0]['accountexpires'][0] != '') { // Az accountExpires és a shadowExpire közül a kisebbiket használjuk +// if ($info[0]['shadowexpire'][0] != '') +// $info[0]['shadowexpire'][0] = min(pwdLastSet2shadowLastChange($info[0]['accountexpires'][0]), $info[0]['shadowexpire'][0]); +// else + $info[0]['shadowexpire'][0] = pwdLastSet2shadowLastChange($info[0]['accountexpires'][0]); + } + if ($info[0]['shadowexpire'][0] != '') $expireTimestamp = $info[0]['shadowexpire'][0]; + if ( + $info[0]['shadowmax'][0] != '' && + ( + !isset($expireTimestamp) || + $expireTimestamp > $info[0]['shadowlastchange'][0] + $info[0]['shadowmax'][0] + ) + ) $expireTimestamp = $info[0]['shadowlastchange'][0] + $info[0]['shadowmax'][0]; + // lejárt, ha lejárat ideje már elmúlt + $accountExpired = (isset($expireTimestamp) && ($expireTimestamp <= floor(time()/(60*60*24)))); + + // Le van-e tiltva + // Ha több mint shadowInactive napja lejárt + if ( // onDisabled: none | refuse + $AUTH[$toPolicy]['onDisabled'] == 'refuse' && + isset($expireTimestamp) && + $expireTimestamp + $info[0]['shadowinactive'][0] <= floor(time()/(60*60*24)) + ) { + // Le van tiltva + $_SESSION['alert'][] = 'message:account_disabled'; + ldap_close($ds); + return _AUTH_FAILURE_4; + } // onDisabled + + // Jelszó ellenőrzés - lehet-e csatlakozni + if (!@ldap_bind($ds, $accountInformation['dn'], $userPassword)) { + $_SESSION['alert'][] = 'message:bad_pw'; + return _AUTH_FAILURE_3; + } + + ldap_close($ds); + // Lejárt-e az azonosító + if ($AUTH[$toPolicy]['onExpired'] != 'none' && isset($expireTimestamp)) { // onExpired: none | warning | force update + // Lejárt-e + $pwLejar = $expireTimestamp - floor(time()/(60*60*24)); + if (0 < $pwLejar && $pwLejar < $info[0]['shadowwarning'][0]) { + $_SESSION['alert'][] = 'info:account_warning:'.$pwLejar; + return _AUTH_SUCCESS; + } elseif ($pwLejar <= 0) { + $_SESSION['alert'][] = 'info:account_expired:'.abs($pwLejar); + if ($AUTH[$toPolicy]['onDisabled'] == 'refuse') $_SESSION['alert'][] = 'info:warn_account_disable:'.($info[0]['shadowinactive'][0]+$pwLejar); + if ($AUTH[$toPolicy]['onExpired'] == 'warning') { + return _AUTH_SUCCESS; + } elseif ($AUTH[$toPolicy]['onExpired'] == 'force update') { + return _AUTH_EXPIRED; + } else { + return _AUTH_FAILURE; + } + } + } // onExpired + // Ha idáig eljut, akkor minden rendben. + return _AUTH_SUCCESS; + + } // count == 1 + + } + +?> diff --git a/mayor-orig/www/include/backend/ldap-ng/base/attrs.php b/mayor-orig/www/include/backend/ldap-ng/base/attrs.php new file mode 100644 index 00000000..2a2f327a --- /dev/null +++ b/mayor-orig/www/include/backend/ldap-ng/base/attrs.php @@ -0,0 +1,146 @@ + 'sAMAccountName', + 'userCn' => 'displayName', + 'mail' => 'mail', + 'studyId' => 'serialNumber', // Ez konfig-ban külön van állítva, az itteni érték irreleváns + 'shadowLastChange' => 'shadowLastChange', + 'shadowWarning' => 'shadowWarning', + 'shadowMin' => 'shadowMin', + 'shadowMax' => 'shadowMax', + 'shadowExpire' => 'shadowExpire', + 'shadowInactive' => 'shadowInactive', + ); + + global $groupAttrToLDAP; + $groupAttrToLDAP = array( + 'groupCn' => 'cn', + 'groupDesc' => 'description', + 'member' => 'member', + ); + + global $ldapAccountAttrDef; + $ldapAccountAttrDef = array( + 'dn' => array('desc' => _LDAPDN, 'type' => 'text', 'rights' => 'rrr'), + 'cn' => array('desc' => _LDAPCN, 'type' => 'text', 'rights' => 'rrr'), + 'sn' => array('desc' => _LDAPSN, 'type' => 'text', 'rights' => 'wrr'), + 'givenname' => array('desc' => _LDAPGIVENNAME, 'type' => 'text'), + 'serialnumber' => array('desc' => _LDAPSERIALNUMBER, 'type' => 'int', 'rights' => 'wrr'), + 'displayname' => array('desc' => _LDAPCN, 'type' => 'text', 'rights' => 'wrr'), + 'name' => array('desc' => _LDAPNAME, 'type' => 'text', 'rights' => 'r--'), + 'padpwdcount' => array('desc' => _LDAPBADPWDCOUNT, 'type' => 'int', 'rights' => 'wrr'), + 'badpasswordtime' => array('desc' => _LDAPBADPASSWORDTIME, 'type' => 'int', 'rights' => 'r--'), + 'lastlogon' => array('desc' => _LDAPLASTLOGON, 'type' => 'int', 'rights' => 'r--'), + 'pwdlastset' => array('desc' => _LDAPPWDLASTSET, 'type' => 'int', 'rights' => 'r--'), + 'accountexpires' => array('desc' => _LDAPACCOUNTEXPIRES, 'type' => 'int', 'rights' => 'wrr'), + 'samaccountname' => array('desc' => _LDAPSAMACCOUNTNAME, 'type' => 'text', 'rights' => 'wrr'), + 'useraccountcontrol' => array('desc' => _USERACCOUNTCONTROL, 'type' => 'text', 'rights' => 'wrr'), + 'userprincipalname' => array('desc' => _LDAPUSERPRINCIPALNAME, 'type' => 'text', 'rights' => 'wrr'), + 'objectcategory' => array('desc' => _LDAPOBJECTCATEGORY, 'type' => 'text', 'rights' => 'r--'), + 'uid' => array('desc' => _LDAPUID, 'type' => 'text', 'rights' => 'rrr'), + 'uidnumber' => array('desc' => _LDAPUIDNUMBER, 'type' => 'int', 'rights' => 'w--'), + 'gidnumber' => array('desc' => _LDAPGIDNUMBER, 'type' => 'int', 'rights' => 'w--'), + 'mssfu30name' => array('desc' => _LDAPUID, 'type' => 'text', 'rights' => 'r--'), + 'unixhomedirectory' => array('desc' => _LDAPUNIXHOMEDIRECTORY, 'type' => 'text', 'rights' => 'wrr'), + 'loginshell' => array('desc' => _LDAPLOGINSHELL, 'type' => 'text', 'rights' => 'wrr'), + 'shadowlastchange' => array('desc' => _LDAPSHADOWLASTCHANGE, 'type' => 'text', 'rights' => 'wrr'), + 'shadowexpire' => array('desc' => _LDAPSHADOWEXPIRE, 'type' => 'text', 'rights' => 'wrr'), + 'shadowwarning' => array('desc' => _LDAPSHADOWWARNING, 'type' => 'text', 'rights' => 'wrr'), + 'shadowmin' => array('desc' => _LDAPSHADOWMIN, 'type' => 'text', 'rights' => 'wrr'), + 'shadowmax' => array('desc' => _LDAPSHADOWMAX, 'type' => 'text', 'rights' => 'wrr'), + 'shadowinactive' => array('desc' => _LDAPSHADOWINACTICE, 'type' => 'text', 'rights' => 'wrr'), +/* + 'gecos' => array('desc' => _LDAPGECOS, 'type' => 'text', 'rights' => 'w--'), + 'mail' => array('desc' => _LDAPMAIL, 'type' => 'text', 'rights' => 'wwr'), + 'telephonenumber' => array('desc' => _LDAPTELEPHONENUMBER, 'type' => 'text', 'rights' => 'ww-'), + 'mobile' => array('desc' => _LDAPMOBILE, 'type' => 'text', 'rights' => 'ww-'), + 'l' => array('desc' => _LDAPL, 'type' => 'text'), + 'street' => array('desc' => _LDAPSTREET, 'type' => 'text'), + 'postaladdress' => array('desc' => _LDAPPOSTALADDRESS, 'type' => 'text'), + 'postalcode' => array('desc' => _LDAPPOSTALCODE, 'type' => 'text'), +*/ + ); + + global $ldapGroupAttrDef; + $ldapGroupAttrDef = array( + 'cn' => array('desc' => _LDAPCN, 'type' => 'text','rights' => 'rrr'), + 'name' => array('desc' => _LDAPNAME, 'type' => 'text','rights' => 'rrr'), + 'samaccountname' => array('desc' => _LDAPSAMACCOUNTNAME, 'type' => 'text','rights' => 'wrr'), + 'description' => array('desc' => _LDAPDESCRIPTION, 'type' => 'text'), + 'gidnumber' => array('desc' => _LDAPGIDNUMBER, 'type' => 'int','rights' => 'w--'), + 'member' => array('desc' => _LDAPMEMBER, 'type' => 'select'), + 'objectcategory' => array('desc' => _LDAPOBJECTCATEGORY, 'type' => 'text','rights' => 'rrr'), + + 'memberuid' => array('desc' => _LDAPMEMBERUID, 'type' => 'select'), + ); + +?> diff --git a/mayor-orig/www/include/backend/ldap-ng/password/changePassword.php b/mayor-orig/www/include/backend/ldap-ng/password/changePassword.php new file mode 100644 index 00000000..aa4cd91d --- /dev/null +++ b/mayor-orig/www/include/backend/ldap-ng/password/changePassword.php @@ -0,0 +1,161 @@ + diff --git a/mayor-orig/www/include/backend/ldap-ng/session/accountInfo.php b/mayor-orig/www/include/backend/ldap-ng/session/accountInfo.php new file mode 100644 index 00000000..d3733ba2 --- /dev/null +++ b/mayor-orig/www/include/backend/ldap-ng/session/accountInfo.php @@ -0,0 +1,401 @@ + mayor schema konverzió + for ($i = 0; $i < $result['count']; $i++) { + // Egységes szerkezetre alakítjuk, azaz a dn is indexelt + foreach ($backendAttrDef as $attr => $def) { + // Egységes szerkezetre alakítjuk, azaz a dn is indexelt + if ($attr == 'dn') $return[$i]['dn'] = array('count' => 1, 0 => $result[$i]['dn']); + elseif (isset($result[$i][$attr])) $return[$i][$attr] = $result[$i][$attr]; + else $return[$i][$attr] = array('count' => 0); + } + } + return $return[0]; + + } + + } + +############################################################# +# ldapGetUserInfo - felhasználói információk (keretrendszer) +############################################################# + + function ldapGetUserInfo($userAccount, $toPolicy = _POLICY) { + + global $accountAttrToLDAP, $ldapAttrDef; + $userDn = LDAPuserAccountToDn($userAccount, $toPolicy); + + $result = getLDAPInfo($userDn, array_values($accountAttrToLDAP), $toPolicy); + if ($result === false) { + return false; + } else { + + $result[0]['dn'] = array('count' => 1, 0 => $result[0]['dn']); + // Egységes szerkezetre alakítjuk, azaz a dn is indexelt + LDAP --> MaYoR schema + foreach ($accountAttrToLDAP as $attr => $ldapAttr) { + $ldapAttr = kisbetus($ldapAttr); + if (isset($result[0][$ldapAttr])) $return[$attr] = $result[0][$ldapAttr]; + else $return[$attr] = array('count' => 0); + } + return $return; + + } + + } + +############################################################### +# ldapChangeAccountInfo - felhasználói információk módosítása +############################################################### + + function ldapChangeAccountInfo($userAccount, $toPolicy = _POLICY) { + + global $AUTH, $backendAttrs, $backendAttrDef; + + $userDn = LDAPuserAccountToDn($userAccount, $toPolicy); + + // Kapcsolódás az LDAP szerverhez + $ds = @ldap_connect($AUTH[$toPolicy]['ldapHostname']); + if (!$ds) { + $_SESSION['alert'][] = 'alert:ldap_connect_failure'; + return false; + } + + // Csatlakozás a szerverhez + $r = @ldap_bind($ds, _USERDN, _USERPASSWORD); + if (!$r) { + $_SESSION['alert'][] = 'message:ldap_bind_failure'; + ldap_close($ds); + return false; + } + + $emptyAttrs = explode(':',$_POST['emptyAttrs']); + $_alert = array(); + + // Attribútumonként módosítunk + foreach ($backendAttrs as $attr) { + + if ($backendAttrDef[$attr]['rights'] == '') $rigths = _DEFAULT_LDAP_RIGHTS; + else $rights = $backendAttrDef[$attr]['rights']; + + if ($rights[_ACCESS_AS] == 'w') { + $mod_info = $add_info = $del_info = Array(); + $values = array(); + + if ($backendAttrDef[$attr]['type'] == 'image') { + $file = $_FILES[$attr]['tmp_name']; + if (file_exists($file)) { + $fd = fopen($file,'r'); + $values[0]=fread($fd,filesize($file)); + fclose($fd); + } else { + // Sose töröljük! + $emptyAttrs[] = $attr; + } + } elseif ($backendAttrDef[$attr]['type'] == 'timestamp') { + if ($_POST[$attr][0] != '' and $_POST[$attr][1] != '' and $_POST[$attr][2] != '') { + $values[0] = $_POST[$attr][0].$_POST[$attr][1].$_POST[$attr][2].'010101Z'; + } + } else { + if ($backendAttrDef[$attr]['type'] != '' ) $values[0] = $_POST[$attr]; + } + + if ($backendAttrDef[$attr]['type'] == 'select') { + if ($_POST['new-'.$attr][0] != '') $add_info[$attr] = $_POST['new-'.$attr]; + if ($_POST['del-'.$attr][0] != '') $del_info[$attr] = $_POST['del-'.$attr]; + } elseif (in_array($attr,$emptyAttrs)) { + if ($values[0] != '') $add_info[$attr] = $values; + } else { + if ($values[0] != '') { + $mod_info[$attr] = $values; + } else { + $del_info[$attr] = Array(); + } + } + + if (count($add_info)!=0) { + if (!@ldap_mod_add($ds,$userDn,$add_info)) { + $_alert[] = 'message:insufficient_access:add:'.$attr; + } + } + if (count($mod_info)!=0) { + if (!@$r = ldap_mod_replace($ds,$userDn,$mod_info)) { + $_alert[] = 'message:insufficient_access:mod:'.$attr; + } + } + if (count($del_info)!=0) { + if (!@ldap_mod_del($ds,$userDn,$del_info)) { + $_alert[] = 'message:insufficient_access:del:'.$attr; + } + } + + } else { +// $_alert[] = 'message:insufficient_access:'.$attr; + } + } // foreach + + ldap_close($ds); + if (count($_alert) == 0) $_SESSION['alert'][] = 'info:change_success'; + else for ($i = 0;$i < count($_alert);$i++) $_SESSION['alert'][] = $_alert[$i]; + + } + +########################################################### +# ldapGetGroupInfo - csoport információk (backend) +########################################################### + + function ldapGetGroupInfo($groupCn, $toPolicy = _POLICY) { + + global $backendAttrs, $backendAttrDef; + + + if (!isset($backendAttrs)) list($backendAttrs, $backendAttrDef) = getBackendAttrs('Group', $toPolicy); + + $groupDn = LDAPgroupCnToDn($groupCn, $toPolicy); + + $result = getLDAPInfo($groupDn, $backendAttrs, $toPolicy); + if ($result === false) { + return false; + } else { + + // Accountok lekérdezése + $info = getLDAPaccounts($toPolicy); + for ($i = 0; $i < $info['count']; $i++) { + $accountUid[] = array( + 'value' => $info[$i]['uid'][0], + 'txt' => $info[$i]['displayname'][0] + ); + $accountDn[] = array( + 'value' => $info[$i]['dn'], + 'txt' => $info[$i]['displayname'][0] + ); + } + + // LDAP schema --> mayor schema konverzió + for ($i = 0; $i < $result['count']; $i++) { + // Egységes szerkezetre alakítjuk, azaz a dn is indexelt + foreach ($backendAttrDef as $attr => $def) { + // Egységes szerkezetre alakítjuk, azaz a dn is indexelt + if ($attr == 'dn') $return[$i]['dn'] = array('count' => 1, 0 => $result[$i]['dn']); + elseif (isset($result[$i][$attr])) $return[$i][$attr] = $result[$i][$attr]; + else $return[$i][$attr] = array('count' => 0); + } + $return[$i]['member']['new'] = $accountDn; + $return[$i]['memberuid']['new'] = $accountUid; + } + + return $return[0]; + + } + + } + +############################################################### +# ldapChangeGroupInfo - csoport információk módosítása +############################################################### + + function ldapChangeGroupInfo($groupCn, $toPolicy = _POLICY) { + +// !!!! A memberuid / member szinkronjára nem figyel!! + + global $AUTH, $backendAttrs, $backendAttrDef; + + $groupDn = LDAPgroupCnToDn($groupCn, $toPolicy); + + // Kapcsolódás az LDAP szerverhez + $ds = @ldap_connect($AUTH[$toPolicy]['ldapHostname']); + if (!$ds) { + $_SESSION['alert'][] = 'alert:ldap_connect_failure'; + return false; + } + + // Csatlakozás a szerverhez + $r = @ldap_bind($ds, _USERDN, _USERPASSWORD); + + if (!$r) { + $_SESSION['alert'][] = 'message:ldap_bind_failure'; + ldap_close($ds); + return false; + } + + $emptyAttrs = explode(':',$_POST['emptyAttrs']); + $_alert = array(); + + // Attribútumonként módosítunk + foreach ($backendAttrs as $attr) { + + if ($backendAttrDef[$attr]['rights'] == '') $rigths = _DEFAULT_LDAP_RIGHTS; + else $rights = $backendAttrDef[$attr]['rights']; + + if ($rights[_ACCESS_AS] == 'w') { + + $mod_info = $add_info = $del_info = Array(); + $values = array(); + + if ($backendAttrDef[$attr]['type'] == 'image') { + $file = $_FILES[$attr]['tmp_name']; + if (file_exists($file)) { + $fd = fopen($file,'r'); + $values[0]=fread($fd,filesize($file)); + fclose($fd); + } else { + // Sose töröljük! + $emptyAttrs[] = $attr; + } + } elseif ($backendAttrDef[$attr]['type'] == 'timestamp') { + if ($_POST[$attr][0] != '' and $_POST[$attr][1] != '' and $_POST[$attr][2] != '') { + $values[0] = $_POST[$attr][0].$_POST[$attr][1].$_POST[$attr][2].'010101Z'; + } + } else { + if ($backendAttrDef[$attr]['type'] != '') + if (isset($_POST[$attr])) $values[0] = $_POST[$attr]; + else $values[0] = ''; + } + + if ($backendAttrDef[$attr]['type'] == 'select') { + if (isset($_POST['new-'.$attr][0]) && $_POST['new-'.$attr][0] != '') $add_info[$attr] = $_POST['new-'.$attr]; + if (isset($_POST['del-'.$attr][0]) && $_POST['del-'.$attr][0] != '') $del_info[$attr] = $_POST['del-'.$attr]; + } elseif (in_array($attr,$emptyAttrs)) { + if ($values[0] != '') $add_info[$attr] = $values; + } else { + if ($values[0] != '') { + $mod_info[$attr] = $values; + } else { + $del_info[$attr] = Array(); + } + + } + + if (count($add_info)!=0) { + if (!@ldap_mod_add($ds,$groupDn,$add_info)) { + $_alert[] = 'message:insufficient_access:add:'.$attr; + } + } + if (count($mod_info)!=0) { + if (!@ldap_mod_replace($ds,$groupDn,$mod_info)) { + $_alert[] = 'message:insufficient_access:mod:'.$attr; + } + } + if (count($del_info)!=0) { + if (!@ldap_mod_del($ds,$groupDn,$del_info)) { + $_alert[] = 'message:insufficient_access:del:'.$attr; + } + } + + } else { +// $_alert[] = 'message:insufficient_access:'.$attr; + } + } // foreach + + ldap_close($ds); + if (count($_alert) == 0) $_SESSION['alert'][] = 'info:change_success'; + else for ($i=0;$i diff --git a/mayor-orig/www/include/backend/ldap-ng/session/base.php b/mayor-orig/www/include/backend/ldap-ng/session/base.php new file mode 100644 index 00000000..196e431c --- /dev/null +++ b/mayor-orig/www/include/backend/ldap-ng/session/base.php @@ -0,0 +1,184 @@ + 1 ) { + // Több ilyen uid is van + $_SESSION['alert'][] = "message:multi_uid:$userAccount"; + return false; + } + + if ($info['count']==1) { // Van - egy - ilyen felhasználó + return $info[0]['dn']; + } + + } + + +###################################################### +# A groupCn(cn)-hez tartozó dn lekérdezése +###################################################### + + function LDAPgroupCnToDn($groupCn, $toPolicy = _POLICY) { + + global $AUTH; + + // Kapcsolódás a szerverhez + $ds = @ldap_connect($AUTH[$toPolicy]['ldapHostname']); + if (!$ds) { + $_SESSION['alert'][] = 'alert:ldap_connect_failure'; + return false; + } + + // Csatlakozás a szerverhez + $r = @ldap_bind($ds,$AUTH[$toPolicy]['ldapUser'],$AUTH[$toPolicy]['ldapPw']); + if (!$r) { + $_SESSION['alert'][] = 'message:ldap_bind_failure'; + return false; + } + + // Van-e ilyen csoport? + $filter="(&(".$AUTH[$toPolicy]['ldapGroupCnAttr']."=$groupCn)(objectClass=".$AUTH[$toPolicy]['ldapGroupObjectClass']."))"; + $justthese=array($AUTH[$toPolicy]['ldapGroupCnAttr']); + $sr = ldap_search($ds, $AUTH[$toPolicy]['ldapBaseDn'], $filter, $justthese); + if (!$sr) { + $_SESSION['alert'][] = "message:ldap_search_failure"; + ldap_close($ds); + return false; + } + $info=ldap_get_entries($ds,$sr); + ldap_close($ds); + + if ( $info['count'] === 0 ) { + // Nincs ilyen groupCn (cn) - hibaüzenet csak akkor, ha nem kategóriáról van szó... + if (!in_array($groupCn, array_map('ekezettelen', $AUTH[$toPolicy]['categories']))) $_SESSION['alert'][] = "message:no_group:$groupCn"; + return false; + } elseif ( $info['count'] > 1 ) { + // Több ilyen cn is van + $_SESSION['alert'][] = "message:multi_gid:$groupCn"; + return false; + } + + if ($info['count']==1) { // Van - egy - ilyen csoport + return $info[0]['dn']; + } + + } + +###################################################### +# memberOf - csoport tag-e +###################################################### + + function ldapMemberOf($userAccount, $group, $toPolicy = _POLICY) { + + global $AUTH; + + $userDn = LDAPuserAccountToDn($userAccount, $toPolicy); + /* Kis hack: csoport-tagság helyett vizsgáljuk előbb a megfelelő szervezeti egységet... de ezt nem biztos, hogy érdemes... */ + if (in_array($group, $AUTH[$toPolicy]['categories'])) { + if (strpos($userDn, ',ou='.ekezettelen($group).',') !== false) return true; + } + + if (substr($group,0,3) != 'cn=') { + $groupDn = LDAPgroupCnToDn(ekezettelen($group)); + if (!$groupDn) return false; // Ha nincs ilyen csoport az LDAP fában + } else { + $groupDn = $group; + } + + // Kapcsolódás az LDAP szerverhez + $ds = @ldap_connect($AUTH[$toPolicy]['ldapHostname']); + if (!$ds) { + $_SESSION['alert'][] = 'alert:ldap_connect_failure'; + return false; + } + + // Csatlakozás a szerverhez + $r = @ldap_bind($ds,$AUTH[$toPolicy]['ldapUser'],$AUTH[$toPolicy]['ldapPw']); + if (!$r) { + $_SESSION['alert'][] = 'message:ldap_bind_failure'; + ldap_close($ds); + return false; + } + + $justthese = array('cn'); // valamit le kell kérdezni... + $filter = "(&(objectClass=".$AUTH[$toPolicy]['ldapGroupObjectClass'].")(member=$userDn))"; + $sr = @ldap_search($ds, $groupDn, $filter, $justthese); + if (!$sr) { + $_SESSION['alert'][] = "message:ldap_search_failure:".$filter; + ldap_close($ds); + return false; + } + + $info = ldap_get_entries($ds, $sr); + ldap_close($ds); + + if ($info['count'] > 0) { + return true; + } else { + return false; + } + + } + +?> diff --git a/mayor-orig/www/include/backend/ldap-ng/session/createAccount.php b/mayor-orig/www/include/backend/ldap-ng/session/createAccount.php new file mode 100644 index 00000000..db62a348 --- /dev/null +++ b/mayor-orig/www/include/backend/ldap-ng/session/createAccount.php @@ -0,0 +1,157 @@ + a konténer elem - ha nincs, akkor CN=Users alá rakja + category => tanár, diák... egy kiemelt fontosságú csoport tagság + groups => egyéb csoportok + policyAttrs => policy függő attribútumok + ) + */ + function ldapCreateAccount( + $userCn, $userAccount, $userPassword, $toPolicy, $SET + ) { + + global $AUTH; + + $shadowLastChange = floor(time() / (60*60*24)); + + // $toPolicy --> ldap backend - ellenőrzés! + if ($AUTH[$toPolicy]['backend'] != 'ldap-ng') { + $_SESSION['alert'][] = 'page:wrong_backend:'.$AUTH[$toPolicy]['backend']; + return false; + } + + // Kapcsolódás az LDAP szerverhez + $ds = @ldap_connect($AUTH[$toPolicy]['ldapHostname']); + if (!$ds) { + $_SESSION['alert'][] = 'alert:ldap_connect_failure'; + return false; + } + + // Csatlakozás a szerverhez + $r = @ldap_bind($ds, _USERDN, _USERPASSWORD); + if (!$r) { + $_SESSION['alert'][] = 'message:ldap_bind_failure'; + ldap_close($ds); + return false; + } + + $info = $ginfo = Array(); + + // uid ütközés ellenőrzése + $filter = "(sAMAccountName=$userAccount)"; + $justthese = array('sAMAccountName'); + $sr = ldap_search($ds, $AUTH[$toPolicy]['ldapBaseDn'], $filter, $justthese); + $uinfo = ldap_get_entries($ds, $sr); + $uidCount = $uinfo['count']; + ldap_free_result($sr); + if ($uidCount > 0) { + $_SESSION['alert'][] = 'message:multi_uid:'.$userAccount; + return false; + } + + // Az következő uidNumber megállapítása + $filter = "(&(objectclass=".$AUTH[$toPolicy]['ldapUserObjectClass'].")(uidNumber=*))"; + $justthese = array('uidNumber', 'msSFU30UidNumber'); + $sr = ldap_search($ds,$AUTH[$toPolicy]['ldapBaseDn'], $filter, $justthese); + ldap_sort($ds, $sr, 'uidNumber'); + $uinfo = ldap_get_entries($ds, $sr); + ldap_free_result($sr); + if (isset($uinfo['count']) && $uinfo['count'] > 0) $info['uidNumber'] = array($uinfo[ $uinfo['count']-1 ]['uidnumber'][0]+1); + else $info['uidNumber'] = array(1001); + + // shadow attributumok... + // A shadowLastChange a mai nap // if (isset($AUTH[$toPolicy]['shadowlastchange']) && $AUTH[$toPolicy]['shadowlastchange'] != '') + $info['shadowLastChange'] = array($shadowLastChange); + if (isset($AUTH[$toPolicy]['shadowMin']) && $AUTH[$toPolicy]['shadowMin'] != '') $info['shadowMin'] = array($AUTH[$toPolicy]['shadowMin']); + if (isset($AUTH[$toPolicy]['shadowMax']) && $AUTH[$toPolicy]['shadowMax'] != '') $info['shadowMax'] = array($AUTH[$toPolicy]['shadowMax']); + if (isset($AUTH[$toPolicy]['shadowWarning']) && $AUTH[$toPolicy]['shadowWarning'] != '') $info['shadowWarning'] = array($AUTH[$toPolicy]['shadowWarning']); + if (isset($AUTH[$toPolicy]['shadowInactive']) && $AUTH[$toPolicy]['shadowInactive'] != '') $info['shadowInactive'] = array($AUTH[$toPolicy]['shadowInactive']); + if (isset($AUTH[$toPolicy]['shadowExpire']) && $AUTH[$toPolicy]['shadowWxpire'] != '') $info['shadowExpire'] = array($AUTH[$toPolicy]['shadowExpire']); + + // A szokásos attribútumok + $Name = explode(' ',$userCn); + $Dn = ldap_explode_dn($AUTH[$toPolicy]['ldapBaseDn'], 1); unset($Dn['count']); + $info['userPrincipalName'] = array( $userAccount.'@'.implode('.', $Dn)); + $info['msSFU30Name'] = $info['sAMAccountName'] = $info['cn'] = array($userAccount); + $info['displayName'] = array($userCn); + $info['sn'] = array($Name[0]); + $info['givenName'] = array($Name[ count($Name)-1 ]); + $info['unixUserPassword'] = array('ABCD!efgh12345$67890'); + $info['unixHomeDirectory'] = array(ekezettelen("/home/$userAccount")); + $info['loginShell'] = array('/bin/bash'); + $info['objectClass'] = array($AUTH[$toPolicy]['ldapUserObjectClass'], 'user'); + + $policyAccountAttrs = $SET['policyAttrs']; + if (isset($policyAccountAttrs['studyId'])) $info[ $AUTH[$toPolicy]['ldapStudyIdAttr'] ] = array($policyAccountAttrs['studyId']); + foreach ($policyAccountAttrs as $attr => $value) + if ($attr != 'studyId' && isset($accountAttrToLDAP[$attr])) + $info[ $accountAttrToLDAP[$attr] ] = array($value); + + if (isset($SET['container'])) $dn = "CN=$userAccount,".$SET['container']; + else $dn = "CN=$userAccount,CN=Users,".$AUTH[$toPolicy]['ldapBaseDn']; + + // user felvétel + $_r1 = @ldap_add($ds,$dn,$info); + if (!$_r1) { + $_SESSION['alert'][] = 'message:ldap_error:Add user:'.ldap_error($ds); + //echo $dn.'
'; var_dump($info); echo '
'; + return false; + } + + // Jelszó beállítás + if (!changePassword($userAccount, $userPassword, $toPolicy)) $_SESSION['alert'][] = 'message:ldap_error:changePassword failed:'.$userAccount; + + // Engedélyezés + $einfo = array('userAccountControl' => array(512)); /* Normal account = 512 */ + $_r1 = @ldap_mod_replace($ds,$dn,$einfo); + if (!$_r1) { + $_SESSION['alert'][] = 'message:ldap_error:Enable user:'.ldap_error($ds); + //echo $dn.'
'; var_dump($info); echo '
'; + return false; + } + + // Kategória csoportba és egyéb csoportokba rakás + if (isset($SET['category'])) { + if (is_array($SET['groups'])) array_unshift($SET['groups'], $SET['category']); + else $SET['groups'] = array($SET['category']); + + $ginfo['member'] = $dn; + + for ($i = 0; $i < count($SET['groups']); $i++) { + $groupDn = LDAPgroupCnToDn($SET['groups'][$i], $toPolicy); + if ($groupDn !== false) { + $_r3 = @ldap_mod_add($ds, $groupDn, $ginfo); + if (!$_r3) { + $_SESSION['alert'][] = 'message:ldap_error:Add to group '.$SET['groups'][$i].':'.ldap_error($ds); + //echo $SET['groups'][$i].'
'; var_dump($ginfo); echo '
'; + } + } + } + } + + ldap_close($ds); + + if (defined('_DATADIR') + && isset($AUTH[$toPolicy]['createAccountScript']) + && file_exists(_DATADIR) + ) { + $sfp = fopen(_DATADIR.'/'.$AUTH[$toPolicy]['createAccountScript'],'a+'); + if ($sfp) { + fwrite($sfp,"\n# $userAccount létrehozása: userAccount uidNumber homeDirectory\n"); + fwrite($sfp,"createAccount.sh '$userAccount' '".$info['uidNumber'][0]."' '".$info['unixHomeDirectory'][0]."'\n"); + fclose($sfp); + } + } + $_SESSION['alert'][] = 'info:create_uid_success:'.$dn; + return true; + + } + +?> diff --git a/mayor-orig/www/include/backend/ldap-ng/session/createGroup.php b/mayor-orig/www/include/backend/ldap-ng/session/createGroup.php new file mode 100644 index 00000000..59c77c92 --- /dev/null +++ b/mayor-orig/www/include/backend/ldap-ng/session/createGroup.php @@ -0,0 +1,82 @@ + ldap backend - ellenőrzés! + if ($AUTH[$toPolicy]['backend'] != 'ldap-ng') { + $_SESSION['alert'][] = 'page:wrong_backend:'.$AUTH[$toPolicy]['backend']; + return false; + } + + // Kapcsolódás az LDAP szerverhez + $ds = @ldap_connect($AUTH[$toPolicy]['ldapHostname']); + if (!$ds) { + $_SESSION['alert'][] = 'alert:ldap_connect_failure'; + return false; + } + + // Csatlakozás a szerverhez + $r = @ldap_bind($ds, _USERDN, _USERPASSWORD); + if (!$r) { + $_SESSION['alert'][] = 'message:ldap_bind_failure'; + ldap_close($ds); + return false; + } + + $info = $ginfo = Array(); + + // cn ütközés ellenőrzése + $filter = "(&(objectclass=".$AUTH[$toPolicy]['ldapGroupObjectClass'].")(cn=$groupCn))"; + $justthese = array('cn'); + $sr = ldap_search($ds, $AUTH[$toPolicy]['ldapBaseDn'], $filter, $justthese); + $ginfo = ldap_get_entries($ds, $sr); + $gCount = $ginfo['count']; + ldap_free_result($sr); + if ($gCount > 0) { + $_SESSION['alert'][] = 'message:multi_uid:'.$groupCn; + return false; + } + + // Az következő gidNumber megállapítása + $filter = "(&(objectclass=".$AUTH[$toPolicy]['ldapGroupObjectClass'].")(gidNumber=*))"; + $justthese = array('gidNumber', 'msSFU30GidNumber'); + $sr = ldap_search($ds,$AUTH[$toPolicy]['ldapBaseDn'], $filter, $justthese); + ldap_sort($ds, $sr, 'gidNumber'); + $ginfo = ldap_get_entries($ds, $sr); + ldap_free_result($sr); + if (isset($ginfo['count']) && $ginfo['count'] > 0) $info['gidNumber'] = array($ginfo[ $ginfo['count']-1 ]['gidnumber'][0]+1); + else $info['gidNumber'] = array(1001); + + // A szokásos attribútumok + $info['sAMAccountName'] = $info['cn'] = array($groupCn); + $info['description'] = array($groupDesc); + + // A kategória függő attribútumok + if (isset($SET['container'])) $dn = "CN=$groupCn,".$SET['container']; + else $dn = "CN=$groupCn,OU=$category,".$AUTH[$toPolicy]['ldapBaseDn']; + + // objectum osztályok + $info['objectClass'] = array($AUTH[$toPolicy]['ldapGroupObjectClass']); + + // csoport felvétel + $_r1 = ldap_add($ds,$dn,$info); + if (!$_r1) { + printf("LDAP-Error: %s
\n", ldap_error($ds)); + var_dump($info); + } + + ldap_close($ds); + + $_SESSION['alert'][] = 'info:create_group_success:'.$dn; + return true; + + } + +?> diff --git a/mayor-orig/www/include/backend/ldap-ng/session/search/searchAccount.php b/mayor-orig/www/include/backend/ldap-ng/session/search/searchAccount.php new file mode 100644 index 00000000..70be6ed5 --- /dev/null +++ b/mayor-orig/www/include/backend/ldap-ng/session/search/searchAccount.php @@ -0,0 +1,271 @@ + mayor schema konverzió + for ($i = 0; $i < $result['count']; $i++) { + // Egységes szerkezetre alakítjuk, azaz a dn is indexelt + $result[$i]['dn'] = $return[$i]['userAccount'] = array('count' => 1, 0 => $result[$i]['dn']); + for ($j = 0; $j < count($searchAttrs); $j++) { + $a = $searchAttrs[$j]; + if (isset($result[$i][ kisbetus($accountAttrToLDAP[$a]) ])) { + if ($accountAttrToLDAP[$a] != '') $return[$i][$a] = $result[$i][ kisbetus($accountAttrToLDAP[$a]) ]; + else $return[$i][$a] = $result[$i][$a]; + } else { + $return[$i][$a] = array('count' => 0) ; + } + } + $return[$i]['category'] = getAccountCategories($return[$i]['userAccount'][0], $toPolicy); + $return[$i]['category']['count'] = count($return[$i]['category']); + } + $return['count'] = $result['count']; + + return $return; + + } + + } + +###################################################### +# ldapSearchGroup - csoport kereső függvény +###################################################### + + function ldapSearchGroup($attr, $pattern, $searchAttrs = array('groupCn, groupDesc'), $toPolicy = _POLICY) { + + global $groupAttrToLDAP; + + // A keresendő attribútum konvertálása LDAP attribútummá + if ($groupAttrToLDAP[ $attr ] != '') $attrLDAP = $groupAttrToLDAP[ $attr ]; + else $attrLDAP = $attr; + if ($attrLDAP == 'dn') $attrLDAP = 'cn'; // dn-re nem megy a keresés!! + + // A lekérendő adtibútumok konvertálása LDAP attribútummá + for ($i = 0; $i < count($searchAttrs); $i++) { + if ($groupAttrToLDAP[ $searchAttrs[$i] ] != '') $searchAttrsLDAP[$i] = $groupAttrToLDAP[ $searchAttrs[$i] ]; + else $searchAttrsLDAP[$i] = $searchAttrs[$i]; + } + + $result = LDAPSearch($attrLDAP, $pattern, $searchAttrsLDAP, '(objectclass=group)', $toPolicy); + if ($result === false) { + return false; + } else { + + // LDAP schema --> mayor schema konverzió + for ($i = 0; $i < $result['count']; $i++) { + // Egységes szerkezetre alakítjuk, azaz a dn is indexelt + $result[$i]['dn'] = $return[$i]['groupCn'] = array('count' => 1, 0 => $result[$i]['dn']); + for ($j = 0; $j < count($searchAttrs); $j++) { + $a = $searchAttrs[$j]; + if (!isset($groupAttrToLDAP[$a]) || $groupAttrToLDAP[$a] != '') { + if (isset($result[$i][ $groupAttrToLDAP[$a] ])) $return[$i][$a] = $result[$i][ $groupAttrToLDAP[$a] ]; + else $return[$i][$a] = ''; + } else { + $return[$i][$a] = $result[$i][$a]; + } + } + } + $return['count'] = $result['count']; + + return $return; + + } + + } + +###################################################### +# ldapDeleteAccount - account törlése +###################################################### + + function ldapDeleteAccount($userAccount, $toPolicy = _POLICY) { + + global $AUTH; + + // $toPolicy --> ldap-ng backend - ellenőrzés + if ($AUTH[$toPolicy]['backend'] != 'ldap-ng') { + $_SESSION['alert'][] = 'page:wrong_backend:ldap-ng!='.$AUTH[$toPolicy]['backend']; + return false; + } + + $userDn = LDAPuserAccountToDn($userAccount, $toPolicy); + if ($userDn === false) return false; + + // Kapcsolódás az LDAP szerverhez + $ds = @ldap_connect($AUTH[$toPolicy]['ldapHostname']); + if (!$ds) { + $_SESSION['alert'][] = 'alert:ldap_connect_failure'; + return false; + } + + // Csatlakozás a szerverhez + $r = @ldap_bind($ds, _USERDN, _USERPASSWORD); + if (!$r) { + $_SESSION['alert'][] = 'message:ldap_bind_failure'; + ldap_close($ds); + return false; + } + + // Az uidNumber, a unixHomeDirectory lekerdezése + $filter = "(&(objectclass=".$AUTH[$toPolicy]['ldapUserObjectClass'].")(!(objectclass=computer)))"; + $justthese = array('uidNumber','unixHomedirectory'); + $sr = @ldap_search($ds,$userDn,$filter,$justthese); + if (!$sr) { + $_SESSION['alert'][] = "message:ldap_search_failure:".$userDn; + ldap_close($ds); + return false; + } ; + + $info = @ldap_get_entries($ds,$sr); + $uidNumber = $info[0]['uidnumber'][0]; + $homeDirectory = $info[0]['unixhomedirectory'][0]; + $uid=$userAccount; + + // user törlése + if (!@ldap_delete($ds,$userDn)) { + $_SESSION['alert'][] = 'message:ldap_delete_failure:user:'.$userAccount; + } + + ldap_close($ds); + + /* + Ha van megadva deleteAccountScript paraméter, akkor abba bejegyzi a törölt felhasználó adatait. + A meghívott deleteAccount.sh nincs definiálva, testreszabható, megkötés egyedül a paraméter + lista: userAccount, uidNumber, homeDirectory + */ + if (defined('_DATADIR') + && isset($AUTH[$toPolicy]['deleteAccountScript']) + && file_exists(_DATADIR) + ) { + $sfp = fopen(_DATADIR.'/'.$AUTH[$toPolicy]['deleteAccountScript'],'a+'); + if ($sfp) { + fwrite($sfp,"\n# $userAccount törlése: userAccount uidNumber homeDirectory\n"); + fwrite($sfp,"deleteAccount.sh '$userAccount' '$uidNumber' '$homeDirectory'\n"); + fclose($sfp); + } + } + + $_SESSION['alert'][] = 'info:delete_uid_success:'.$userDn; + return true; + + } + +###################################################### +# ldapDeleteGroup - account törlése +###################################################### + + function ldapDeleteGroup($groupCn, $toPolicy = _POLICY) { + + global $AUTH; + + // $toPolicy --> ldap-ng backend - ellenőrzés + if ($AUTH[$toPolicy]['backend'] != 'ldap-ng') { + $_SESSION['alert'][] = 'page:wrong_backend:ldap-ng!='.$AUTH[$toPolicy]['backend']; + return false; + } + + $groupDn = LDAPgroupCnToDn($groupCn, $toPolicy); + if ($groupDn === false) return false; + + // Kapcsolódás az LDAP szerverhez + $ds = @ldap_connect($AUTH[$toPolicy]['ldapHostname']); + if (!$ds) { + $_SESSION['alert'][] = 'alert:ldap_connect_failure'; + return false; + } + + // Csatlakozás a szerverhez + $r = @ldap_bind($ds, _USERDN, _USERPASSWORD); + if (!$r) { + $_SESSION['alert'][] = 'message:ldap_bind_failure'; + ldap_close($ds); + return false; + } + + if (!@ldap_delete($ds, $groupDn)) { + $_SESSION['alert'][] = 'message:ldap_delete_failure:group:'.$groupCn; + } + + ldap_close($ds); + + $_SESSION['alert'][] = 'info:delete_group_success:'.$groupCn; + return true; + + } + + +?> -- cgit v1.2.3