allow to disable Unix group membership management

lam/HISTORY

@@ -1,3 +1,7 @@
+June 2014 4.6
+  - Unix groups: allow to disable membership management
+
+
 18.03.2014 4.5
   - IMAP: allow dynamic admin user names by replacing wildcards with LDAP attributes
   - Personal: allow to set fields read-only

lam/docs/manual-sources/howto.xml

@@ -3229,10 +3229,23 @@ Have fun!
 
         <para>This module is used to manage Unix group entries. This is the
         default module to manage Unix groups and uses the nis.schema. Suse
-        users who use the rfc2307bis.schema need to use LAM Pro.</para>
+        users who use the <link
+        linkend="rfc2307bisPosixGroup">rfc2307bis.schema</link> need to use
+        LAM Pro.</para>
 
         <para><emphasis role="bold">Configuration</emphasis></para>
 
+        <para>Please add the account type "Groups" and then select account
+        module "Unix (posixGroup)".</para>
+
+        <screenshot>
+          <mediaobject>
+            <imageobject>
+              <imagedata fileref="images/mod_unixGroupConfig1.png" />
+            </imageobject>
+          </mediaobject>
+        </screenshot>
+
         <para>GID generator: LAM will suggest GID numbers for your accounts.
         Please note that it may happen that there are duplicate IDs assigned
         if users create groups at the same time. Use an <ulink
@@ -3255,6 +3268,12 @@ Have fun!
             note that this requires that you install the Samba schema and
             create an LDAP entry of object class "sambaUnixIdPool".</para>
           </listitem>
+
+          <listitem>
+            <para>Disable membership management: Disables group membership
+            management. This is useful if memberships are e.g. managed via
+            group of names.</para>
+          </listitem>
         </itemizedlist>
 
         <screenshot>
@@ -3286,7 +3305,7 @@ Have fun!
         </screenshot>
       </section>
 
-      <section>
+      <section id="rfc2307bisPosixGroup">
         <title>Unix groups with rfc2307bis schema (LAM Pro)</title>
 
         <para>Some applications (e.g. Suse Linux) use the rfc2307bis schema

lam/lib/modules/posixGroup.inc

@@ -102,7 +102,7 @@ class posixGroup extends baseModule implements passwordService {
 				}
 			}
 			// group members
-			if ($rawAccounts[$i][$ids['posixGroup_members']] != "") {
+			if (!$this->isBooleanConfigOptionSet('posixGroup_hidememberUid') && ($rawAccounts[$i][$ids['posixGroup_members']] != "")) {
 				if (get_preg($rawAccounts[$i][$ids['posixGroup_members']], 'usernameList')) {
 					$partialAccounts[$i]['memberUid'] = explode(",", $rawAccounts[$i][$ids['posixGroup_members']]);
 				}
@@ -218,26 +218,28 @@ class posixGroup extends baseModule implements passwordService {
 				$return->addElement(new htmlTableExtendedInputCheckbox('changegids', $this->changegids, _('Change GID number of users and hosts'), 'changegids'), true);
 			}
 			// group members
-			$return->addElement(new htmlOutputText(_("Group members")));
-			$return->addElement(new htmlAccountPageButton(get_class($this), 'user', 'open', _('Edit members')));
-			$return->addElement(new htmlHelpLink('members'), true);
-			$return->addElement(new htmlOutputText(''));
-			$users = $this->getUsers();
-			$members = array();
-			if (isset($this->attributes['memberUid'][0])) {
-				foreach ($this->attributes['memberUid'] as $uid) {
-					if (isset($users[$uid]) && isset($users[$uid]['cn'])) {
-						$members[] = $uid . ' (' . $users[$uid]['cn'] . ')';
-					}
-					else {
-						$members[] = $uid;
+			if (!$this->isBooleanConfigOptionSet('posixGroup_hidememberUid')) {
+				$return->addElement(new htmlOutputText(_("Group members")));
+				$return->addElement(new htmlAccountPageButton(get_class($this), 'user', 'open', _('Edit members')));
+				$return->addElement(new htmlHelpLink('members'), true);
+				$return->addElement(new htmlOutputText(''));
+				$users = $this->getUsers();
+				$members = array();
+				if (isset($this->attributes['memberUid'][0])) {
+					foreach ($this->attributes['memberUid'] as $uid) {
+						if (isset($users[$uid]) && isset($users[$uid]['cn'])) {
+							$members[] = $uid . ' (' . $users[$uid]['cn'] . ')';
+						}
+						else {
+							$members[] = $uid;
+						}
 					}
 				}
+				$members = array_unique($members);
+				natcasesort($members);
+				$members = array_map('htmlspecialchars', $members);
+				$return->addElement(new htmlOutputText(implode('<br>', $members), false), true);
 			}
-			$members = array_unique($members);
-			natcasesort($members);
-			$members = array_map('htmlspecialchars', $members);
-			$return->addElement(new htmlOutputText(implode('<br>', $members), false), true);
 			// remove button
 			if (!$this->autoAddObjectClasses) {
 				$return->addElement(new htmlSpacer(null, '20px'), true);
@@ -371,7 +373,10 @@ class posixGroup extends baseModule implements passwordService {
 		// LDAP aliases
 		$return['LDAPaliases'] = array('commonName' => 'cn');
 		// managed attributes
-		$return['attributes'] = array('gidNumber', $this->passwordAttrName, 'memberUid');
+		$return['attributes'] = array('gidNumber', $this->passwordAttrName);
+		if (!$this->isBooleanConfigOptionSet('posixGroup_hidememberUid')) {
+			$return['attributes'][] = 'memberUid';
+		}
 		if ($this->manageCnAttribute) {
 			$return['attributes'][] = 'cn';
 		}
@@ -402,12 +407,15 @@ class posixGroup extends baseModule implements passwordService {
 		$gidGeneratorDN->setRequired(true);
 		$configContainer->addElement($gidGeneratorDN, true);
 		$configContainer->addElement(new htmlTableExtendedInputField(_('Suffix for GID/group name check'), 'posixGroup_gidCheckSuffix', '', 'gidCheckSuffix'), true);
+		$configContainer->addElement(new htmlTableExtendedInputCheckbox('posixGroup_hidememberUid', false, _('Disable membership management'), 'hidememberUid'), true);
 		$return['config_options']['group'] = $configContainer;
 		// available PDF fields
 		$return['PDF_fields'] = array(
 			'gidNumber' => _('GID number'),
-			'memberUid' => _('Group members')
 		);
+		if (!$this->isBooleanConfigOptionSet('posixGroup_hidememberUid')) {
+			$return['PDF_fields']['memberUid'] = _('Group members');
+		}
 		if ($this->manageCnAttribute) {
 			$return['PDF_fields']['cn'] = _('Group name');
 		}
@@ -422,12 +430,6 @@ class posixGroup extends baseModule implements passwordService {
 			'help' => 'gidNumber',
 			'example' => '2034'
 		),
-		array(
-			'name' => 'posixGroup_members',
-			'description' => _('Group members'),
-			'help' => 'upload_members',
-			'example' => _('user01,user02,user03')
-		),
 		array(
 			'name' => 'posixGroup_password',
 			'description' => _('Group password'),
@@ -435,6 +437,14 @@ class posixGroup extends baseModule implements passwordService {
 			'example' => _('secret')
 		)
 		);
+		if (!$this->isBooleanConfigOptionSet('posixGroup_hidememberUid')) {
+			$return['upload_columns'][] = array(
+				'name' => 'posixGroup_members',
+				'description' => _('Group members'),
+				'help' => 'upload_members',
+				'example' => _('user01,user02,user03')
+			);
+		}
 		if ($this->manageCnAttribute) {
 			array_unshift($return['upload_columns'], 
 				array(
@@ -512,6 +522,10 @@ class posixGroup extends baseModule implements passwordService {
 				"Text" => _("Here you can enter a filter value. Only entries which contain the filter text will be shown.")
 					. ' ' . _('Possible wildcards are: "*" = any character, "^" = line start, "$" = line end')
 			),
+			'hidememberUid' => array(
+				"Headline" => _('Disable membership management'), 'attr' => 'memberUid',
+				"Text" => _('Disables the group membership management.')
+			),
 			'autoAdd' => array(
 				"Headline" => _("Automatically add this extension"),
 				"Text" => _("This will enable the extension automatically if this profile is loaded.")