diff --git a/lam/docs/manual-sources/howto.xml b/lam/docs/manual-sources/howto.xml
index a8eede58..fea6e699 100644
--- a/lam/docs/manual-sources/howto.xml
+++ b/lam/docs/manual-sources/howto.xml
@@ -601,6 +601,20 @@ Have fun!
Version specific upgrade instructions
+
+ 3.0.0 -> 3.1.0
+
+ LAM supported to set a list of valid workstations on the
+ "Personal" page. This required to change the LDAP schema. Since
+ 3.1.0 this is replaced by the new "Hosts" module for users.
+
+
+
+ 2.3.0 -> 3.0.0
+
+ No changes.
+
+
2.2.0 -> 2.3.0
@@ -1157,6 +1171,26 @@ Have fun!
+
+ Hosts
+
+ You can specify a list of valid host names where the user may
+ login. If you add the value "*" then the user may login to any host.
+ This can be further restricted by adding explicit deny entries which
+ are prefixed with "!" (e.g. "!hr_server").
+
+ Please note that your PAM settings need to support host
+ restrictions.
+
+
+
+
+
+
+
+
+
+
Samba 3 @@ -2335,11 +2369,13 @@ Have fun! Unix accounts - posixAccount, shadowAccount, posixGroup + posixAccount, shadowAccount, hostObject, posixGroup - nis.schema, rfc2307bis.schema + nis.schema, rfc2307bis.schema, ldapns.schema + (hostObject) - Part of OpenLDAP installation + Part of OpenLDAP installation, part of libpam-ldap + (ldapns.schema) The rfc2307bis.schema is only supported by LAM Pro. Use the nis.schema if you do not want to upgrade to LAM Pro. @@ -3089,34 +3125,4 @@ Have fun! all required packages.
-
-
- InetOrgPerson and the host attribute
-
- The attribute "host" is only in objectclass account. Unfortunatly
- "account" conflicts with "inetorgperson". so there's no perfect way to use
- both.
-
- In order to get attribute host working you have to modify
- schema/inetorgperson and include host:
-
- # inetOrgPerson
-# The inetOrgPerson represents people who are associated with an
-# organization in some way. It is a structural class and is derived
-# from the organizationalPerson which is defined in X.521 [X521].
-objectclass ( 2.16.840.1.113730.3.2.2
- NAME 'inetOrgPerson'
- DESC 'RFC2798: Internet Organizational Person'
- SUP organizationalPerson
- STRUCTURAL
- MAY (
- audio $ businessCategory $ carLicense $ departmentNumber $
- displayName $ employeeNumber $ employeeType $ givenName $
- homePhone $ homePostalAddress $ initials $ jpegPhoto $
- labeledURI $ mail $ manager $ mobile $ o $ pager $
- photo $ roomNumber $ secretary $ uid $ userCertificate $
- x500uniqueIdentifier $ preferredLanguage $
- userSMIMECertificate $ userPKCS12 $ host )
- )
-
diff --git a/lam/docs/manual-sources/images/hostObject.png b/lam/docs/manual-sources/images/hostObject.png
new file mode 100644
index 00000000..f43d9c8b
Binary files /dev/null and b/lam/docs/manual-sources/images/hostObject.png differ
diff --git a/lam/lib/modules/inetOrgPerson.inc b/lam/lib/modules/inetOrgPerson.inc
index ab7f23fe..0babfb63 100644
--- a/lam/lib/modules/inetOrgPerson.inc
+++ b/lam/lib/modules/inetOrgPerson.inc
@@ -37,39 +37,10 @@ $Id$ */ class inetOrgPerson extends baseModule implements passwordService { - private static $unix_hosts_supported = 'unknown'; - - /** - * Returns if the host attribute is supported by the schema. - * - * @return boolean true if supported - */ - private function supportUnixHosts() { - if (inetOrgPerson::$unix_hosts_supported === 'unknown') { - inetOrgPerson::$unix_hosts_supported = 'no'; - get_schema_objectclasses(); - $classes = get_cached_schema('objectclasses'); - if (isset($classes['inetorgperson'])) { - $mayAttrs = $classes['inetorgperson']->getMayAttrs(); - if (is_array($mayAttrs)) { - for ($i = 0; $i < sizeof($mayAttrs); $i++) { - if ($mayAttrs[$i]->getName() === 'host') { - inetOrgPerson::$unix_hosts_supported = 'yes'; - break; - } - } - } - } - } - return (inetOrgPerson::$unix_hosts_supported === 'yes'); - } - /** * This function fills the message array. **/ function load_Messages() { - $this->messages['host'][0] = array('ERROR', _('Unix workstations'), _('Unix workstations are invalid!')); - $this->messages['host'][1] = array('ERROR', _('Account %s:') . ' inetOrgPerson_hosts', _('Unix workstations are invalid!')); $this->messages['givenName'][0] = array('ERROR', _('First name'), _('First name contains invalid characters!')); $this->messages['givenName'][1] = array('ERROR', _('Account %s:') . ' inetOrgPerson_lastName', _('First name contains invalid characters!')); $this->messages['lastname'][0] = array('ERROR', _('Last name'), _('Last name contains invalid characters or is empty!')); 
@@ -139,9 +110,6 @@ class inetOrgPerson extends baseModule implements passwordService { 'title', 'telephoneNumber', 'facsimileTelephoneNumber', 'street', 'postOfficeBox', 'postalCode', 'postalAddress', 'sn', 'userPassword', 'description', 'homePhone', 'roomNumber', 'businessCategory', 'l', 'st', 'physicalDeliveryOfficeName', 'carLicense', 'departmentNumber'); - if (isset($_SESSION['loggedIn']) && ($_SESSION['loggedIn'] === true) && $this->supportUnixHosts()) { - $return['attributes'][] = 'host'; - } // self service search attributes $return['selfServiceSearchAttributes'] = array('uid', 'mail', 'cn', 'surname', 'givenName'); // self service field settings @@ -472,20 +440,8 @@ class inetOrgPerson extends baseModule implements passwordService { 'example' => _('YourCompany, Human Resources') ); } - // Unix workstations for upload - if (isset($_SESSION['loggedIn']) && ($_SESSION['loggedIn'] === true)) { - if ($this->supportUnixHosts()) { - $return['upload_columns'][] = array( - 'name' => 'inetOrgPerson_hosts', - 'description' => _('Unix workstations'), - 'help' => 'workstations', - 'example' => _('pc01,pc02') - ); - } - } // available PDF fields $return['PDF_fields'] = array( - 'host', 'givenName', 'sn' ); 
@@ -623,10 +579,6 @@ class inetOrgPerson extends baseModule implements passwordService { "Headline" => _("User name"), "Text" => _("User name of the user who should be created. Valid characters are: a-z,A-Z,0-9, .-_. If user name is already used user name will be expanded with a number. The next free number will be used. Warning: Older systems have problems with user names longer than 8 characters. You can not log in to Windows if user name is longer than 16 characters.") ), - 'workstations' => array ( - "Headline" => _("Unix workstations"), - "Text" => _("Please enter a comma separated list of host names where this user is allowed to log in. If you enable host restrictions for your servers then \"*\" means every host and an empty field means no host.") - ), 'photoUpload' => array( "Headline" => _("Add photo"), "Text" => _("Please select an image file to upload. It must be in JPG format (.jpg/.jpeg).") @@ -878,20 +830,6 @@ class inetOrgPerson extends baseModule implements passwordService { } } - // handle host-attribute in on epice because it's not set by default - if ($this->supportUnixHosts()) { - $host = $_POST['host']; - if (!get_preg($host,'unixhost')) { - $errors[] = $this->messages['host'][0]; - } - $hosts = explode(",", $host); - $this->attributes['host'] = array(); - for ($i = 0; $i < sizeof($hosts); $i++) { - if ($hosts[$i] != "") { - $this->attributes['host'][] = $hosts[$i]; - } - } - } if (isset($_POST['delPhoto'])) { $this->attributes['jpegPhoto'] = array(); } 
@@ -1116,17 +1054,6 @@ class inetOrgPerson extends baseModule implements passwordService { 'maxlength' => '255', 'value' => $departmentNumber), array('kind' => 'help', 'value' => 'departmentNumber')); } - if ($this->supportUnixHosts()) { - $hostvalue = ""; - if (isset($this->attributes['host']) && is_array($this->attributes['host'])) { - $hostvalue .= implode(",", $this->attributes['host']); - } - $return[] = array( - array('kind' => 'text', 'text' => _('Unix workstations')), - array('kind' => 'input', 'name' => 'host', 'type' => 'text', 'size' => '30', - 'maxlength' => '255', 'value' => $hostvalue ), - array('kind' => 'help', 'value' => 'workstations')); - } if (!$this->isBooleanConfigOptionSet('inetOrgPerson_hideManager')) { // get list of existing users for manager attribute $dnUsers = $_SESSION['cache']->get_cache('uid', 'inetOrgPerson', 'user'); @@ -1218,7 +1145,6 @@ class inetOrgPerson extends baseModule implements passwordService { function get_pdfEntries() { $return = array( get_class($this) . '_description' => array('' . _('Description') . '' . $this->attributes['description'][0] . ''), - get_class($this) . '_host' => array('' . _('Unix workstations') . '' . $this->attributes['host'][0] . ''), get_class($this) . '_title' => array('' . _('Job title') . '' . $this->attributes['title'][0] . ''), get_class($this) . '_givenName' => array('' . _('First name') . '' . $this->attributes['givenName'][0] . ''), get_class($this) . '_sn' => array('' . _('Last name') . '' . $this->attributes['sn'][0] . ''), 
@@ -1511,17 +1437,6 @@ class inetOrgPerson extends baseModule implements passwordService { $errors[] = $errMsg; } } - // Unix workstations - if ($rawAccounts[$i][$ids['inetOrgPerson_hosts']] != "") { - if (get_preg($rawAccounts[$i][$ids['inetOrgPerson_hosts']], 'unixhost')) { - $partialAccounts[$i]['host'] = explode(",", $rawAccounts[$i][$ids['inetOrgPerson_hosts']]); - } - else { - $errMsg = $this->messages['host'][1]; - array_push($errMsg, array($i)); - $errors[] = $errMsg; - } - } if (!in_array('posixAccount', $selectedModules)) { // cn if ($rawAccounts[$i][$ids['inetOrgPerson_cn']] != "") {