add_objectClass(\'sambaAccount\');'), E_USER_ERROR); $this->base = $base; // sambaAccount is only a valid objectClass for user and host if (!($_SESSION[$this->base]->get_type() == 'user') && !($_SESSION[$this->base]->get_type() == 'host')) trigger_error(_('sambaAccount can only be used for users or hosts.'), E_USER_WARNING); /* Check if ldap conatiner is in array and set type * users are using inetOrgPerson-, hosts account-container */ if (!isset($_SESSION[$this->base]->module['posixAccount'])) $_SESSION[$this->base]->add_objectClass('posixAccount'); // Add Array with all attributes and type $this->attributes = $_SESSION[$this->base]->get_module_attributes('sambaAccount'); $_SESSION[$this->base]->add_attributes ('sambaAccount'); $this->alias = _('sambaAccount'); // Make references to attributes which already esists in ldap $newattributes = array_keys($this->attributes); $module = array_keys($_SESSION[$this->base]->module); // fixme *** do we have to unset module sambaAccount itself for ($i=0; $ibase]->module[$module[$i]]->attributes[$attribute])) $this->attributes[$attribute] =& $_SESSION[$this->base]->module[$module[$i]]->attributes[$attribute]; } $this->orig = $this->attributes ; $this->attributes['objectClass'][0] = 'sambaAccount'; $this->useunixpwd=false; // List of well known rids $this->rids = array ( _('Domain Admins') => 512, _('Domain Users') => 513, _('Domain Guests') => 514, _('Domain Computers') => 515, _('Domain Controllers') => 516, _('Domain Certificate Admins') => 517, _('Domain Schema Admins') => 518, _('Domain Enterprise Admins') => 519, _('Domain Policy Admins') => 520 ); } // Variables // Alias Name. 
// This name is shown in the menu instead of sambaAccount
var $alias;
// name of the accountContainer in $_SESSION, so the other modules of this account can be reached
var $base;
// all sambaAccount attributes of this account (filled from get_module_attributes('sambaAccount'))
var $attributes;
/* Snapshot of $attributes taken when the account was loaded;
 * save_attributes() diffs the edited values against it. */
var $orig;
// use the unix password as samba password?
var $useunixpwd;
// well known RIDs, keyed by their (translated) group name
var $rids;

/* Returns the list of modules this module requires. */
function dependencies() {
    return array('posixAccount');
}

/* True once the account has a gidNumber, a uidNumber and a uid;
 * only then can a sambaAccount entry be built. */
function module_ready() {
    $posixAttrs = $_SESSION[$this->base]->module['posixAccount']->attributes;
    $missing = ($posixAttrs['gidNumber'][0] == '')
        || ($posixAttrs['uidNumber'][0] == '')
        || ($this->attributes['uid'][0] == '');
    return !$missing;
}

/* Accessor for the samba password kept in $attributes['lmPassword'].
 *
 * While the account is being edited the CLEAR-TEXT password is kept in the
 * session, encrypted with the key/IV the browser supplies in cookies; the
 * real LM/NT hashes are only produced in save_attributes().
 *
 * Called without an argument (or with a non-string): returns the decrypted
 * password, the unix password if $useunixpwd is set, or '' if none is stored.
 * Called with a string: encrypts and stores the new password, returns 0.
 *
 * SECURITY NOTE(review): key and IV are taken unverified from $_COOKIE, the
 * cipher runs in ECB mode (the IV is ignored and equal blocks produce equal
 * ciphertext) and there is no integrity check. mcrypt was also removed in
 * PHP 7.2. This is kept as-is here; a proper fix needs a coordinated change
 * with the other modules that share the same cookie-key scheme. */
function lmPassword($newpassword=false) {
    if (is_string($newpassword)) {
        // store a new password
        $iv = base64_decode($_COOKIE["IV"]);
        $key = base64_decode($_COOKIE["Key"]);
        $cipher = mcrypt_encrypt(MCRYPT_RIJNDAEL_256, $key, $newpassword, MCRYPT_MODE_ECB, $iv);
        $this->attributes['lmPassword'][0] = base64_encode($cipher);
        return 0;
    }
    if ($this->useunixpwd) {
        return $_SESSION[$this->base]->module['posixAccount']->userPassword();
    }
    if ($this->attributes['lmPassword'][0] == '') {
        return '';
    }
    // read back the stored password
    $iv = base64_decode($_COOKIE["IV"]);
    $key = base64_decode($_COOKIE["Key"]);
    $blob = base64_decode($this->attributes['lmPassword'][0]);
    $plain = mcrypt_decrypt(MCRYPT_RIJNDAEL_256, $key, $blob, MCRYPT_MODE_ECB, $iv);
    // mcrypt pads with NUL bytes; strip them (this also drops any NUL inside the password itself)
    return str_replace(chr(00), '', $plain);
}

/* Write variables into object and do some
regexp checks */ function proccess_attributes($post) { $this->attributes['domain'][0] = $post['form_sambaAccount_domain']; // Start character $flag = "["; if ($post['form_sambaAccount_acctFlagsD']) $flag .= "D"; if ($post['form_sambaAccount_acctFlagsX']) $flag .= "X"; if ($post['form_sambaAccount_acctFlagsN']) $flag .= "N"; if ($post['form_sambaAccount_acctFlagsS']) $flag .= "S"; if ($post['form_sambaAccount_acctFlagsH']) $flag .= "H"; if ($post['form_sambaAccount_acctFlagsW']) $flag .= "W"; if ($post['form_sambaAccount_acctFlagsU']) $flag .= "U"; // Expand string to fixed length $flag = str_pad($flag, 12); // End character $flag = $flag. "]"; $this->attributes['acctFlags'][0] = $flag; if ($_SESSION[$this->base]->type=='host') { $this->attributes['primaryGroupID'][0] = $this->rids[_('Domain Computers')]; if ($post['form_sambaAccount_ResetSambaPassword']) { // *** fixme. What is the default password? $this->lmPassword(''); $_SESSION[$this->base]->module['posixAccount']->userPassword(''); } } // Check values if ($_SESSION[$this->base]->type=='user') { $this->attributes['pwdCanChange'][0] = mktime($post['form_sambaAccount_pwdCanChange_h'], $post['form_sambaAccount_pwdCanChange_m'], $post['form_sambaAccount_pwdCanChange_s'], $post['form_sambaAccount_pwdCanChange_mon'], $post['form_sambaAccount_pwdCanChange_day'], $post['form_sambaAccount_pwdCanChange_yea']); $this->attributes['pwdMustChange'][0] = mktime($post['form_sambaAccount_pwdMustChange_h'], $post['form_sambaAccount_pwdMustChange_m'], $post['form_sambaAccount_pwdMustChange_s'], $post['form_sambaAccount_pwdMustChange_mon'], $post['form_sambaAccount_pwdMustChange_day'], $post['form_sambaAccount_pwdMustChange_yea']); $this->attributes['smbHome'][0] = stripslashes($post['form_sambaAccount_smbHome']); $this->attributes['homeDrive'][0] = $post['form_sambaAccount_homeDrive']; $this->attributes['scriptPath'][0] = stripslashes($post['form_sambaAccount_scriptPath']); $this->attributes['profilePath'][0] = 
stripslashes($post['form_sambaAccount_profilePath']); $rids = array_keys($this->rids); $wrid = false; for ($i=0; $iattributes['primaryGroupID'][0] = $this->rids[$rids[$i]]; } } if (!$wrid) $this->attributes['primaryGroupID'][0] = ($_SESSION[$this->base]->module['posixAccount']->attributes['gidNumber'][0]*2)+1001; if (isset($post['form_sambaAccount_lmPassword'])) { if ($post['form_sambaAccount_lmPassword'] != $post['form_sambaAccount_lmPassword2']) { $errors[] = array('ERROR', _('Password'), _('Please enter the same password in both password-fields.')); unset ($post['form_sambaAccount_lmPassword2']); } else $this->lmPassword($post['form_sambaAccount_lmPassword']); } if ($post['form_sambaAccount_useunixpwd']) $this->useunixpwd = true; else $this->useunixpwd = false; if ($post['form_sambaAccount_rid']== _('Administrator')) { $this->attributes['rid'][0] = "500"; // Do a check if an administrator already exists if ($_SESSION[$_SESSION[$this->base]->cache]->in_cache("500", 'rid', 'user')) $errors[] = array('ERROR', _('Special user'), _('There can be only one administrator per domain.')); } if ($post['form_sambaAccount_rid']== _('Guest')) { $this->attributes['rid'][0] = "501"; // Do a check if an administrator already exists if ($_SESSION[$_SESSION[$this->base]->cache]->in_cache("501", 'rid', 'user')) $errors[] = array('ERROR', _('Special user'), _('There can be only one guest per domain.')); } $this->attributes['smbHome'][0] = str_replace('$user', $_SESSION[$this->base]->module['inetOrgPerson']->attributes['uid'][0], $this->attributes['smbHome'][0]); $this->attributes['smbHome'][0] = str_replace('$group', $_SESSION[$this->base]->module['inetOrgPerson']->attributes['gid'][0], $this->attributes['smbHome'][0]); if ($this->attributes['smbHome'][0] != stripslashes($post['form_sambaAccount_smbHome'])) $errors[] = array('INFO', _('Home path'), _('Inserted user- or groupname in HomePath.')); $this->attributes['scriptPath'][0] = str_replace('$user', 
$_SESSION[$this->base]->module['inetOrgPerson']->attributes['uid'][0], $this->attributes['scriptPath'][0]); $this->attributes['scriptPath'][0] = str_replace('$group', $_SESSION[$this->base]->module['inetOrgPerson']->attributes['gid'][0], $this->attributes['scriptPath'][0]); if ($this->attributes['scriptPath'][0] != stripslashes($post['form_sambaAccount_scriptPath'])) $errors[] = array('INFO', _('Script path'), _('Inserted user- or groupname in scriptpath.')); $this->attributes['profilePath'][0] = str_replace('$user', $_SESSION[$this->base]->module['inetOrgPerson']->attributes['uid'][0], $this->attributes['profilePath'][0]); $this->attributes['profilePath'][0] = str_replace('$group', $_SESSION[$this->base]->module['inetOrgPerson']->attributes['gid'][0], $this->attributes['profilePath'][0]); if ($this->attributes['profiletPath'][0] != stripslashes($post['form_sambaAccount_profilePath'])) $errors[] = array('INFO', _('Profile path'), _('Inserted user- or groupname in profilepath.')); if ( (!$this->attributes['smbHome'][0]=='') && (!ereg('^[\][\]([a-z]|[A-Z]|[0-9]|[.]|[-]|[%])+([\]([a-z]|[A-Z]|[0-9]|[.]|[-]|[%]|[ä]|[Ä]|[ö]|[Ö]|[ü]|[Ü]|[ß])+)+$', $this->attributes['smbHome'][0]))) $errors[] = array('ERROR', _('Home path'), _('Home path is invalid.')); if ( !ereg('^([a-z]|[A-Z]|[0-9]|[\|]|[\#]|[\*]|[\,]|[\.]|[\;]|[\:]|[\_]|[\-]|[\+]|[\!]|[\%]|[\&]|[\/]|[\?]|[\{]|[\[]|[\(]|[\)]|[\]]|[\}])*$', $this->lmPassword())) $errors[] = array('ERROR', _('Password'), _('Password contains invalid characters. Valid characters are: a-z, A-Z, 0-9 and #*,.;:_-+!$%&/|?{[()]}= !')); if ( (!$this->attributes['scriptPath'][0]=='') && (!ereg('^([/])*([a-z]|[0-9]|[.]|[-]|[_]|[%]|[ä]|[Ä]|[ö]|[Ö]|[ü]|[Ü]|[ß])+([a-z]|[0-9]|[.]|[-]|[_]|[%]|[ä]|[Ä]|[ö]|[Ö]|[ü]|[Ü]|[ß])*'. 
'([/]([a-z]|[0-9]|[.]|[-]|[_]|[%]|[ä]|[Ä]|[ö]|[Ö]|[ü]|[Ü]|[ß])+([a-z]|[0-9]|[.]|[-]|[_]|[%]|[ä]|[Ä]|[ö]|[Ö]|[ü]|[Ü]|[ß])*)*(([.][b][a][t])|([.][c][m][d]))$', $this->attributes['scriptPath'][0]))) $errors[] = array('ERROR', _('Script path'), _('Script path is invalid!')); if ( (!$this->attributes['profilePath'][0]=='') && (!ereg('^[/][a-z]([a-z]|[0-9]|[.]|[-]|[_]|[%])*([/][a-z]([a-z]|[0-9]|[.]|[-]|[_]|[%])*)*$', $this->attributes['profilePath'][0])) && (!ereg('^[\][\]([a-z]|[A-Z]|[0-9]|[.]|[-]|[%])+([\]([a-z]|[A-Z]|[0-9]|[.]|[-]|[%])+)+$', $this->attributes['profilePath'][0]))) $errors[] = array('ERROR', _('Profile path'), _('Profile path is invalid!')); } if ((!$this->attributes['domain'][0]=='') && !ereg('^([a-z]|[A-Z]|[0-9]|[-])+$', $this->attributes['domain'][0])) $errors[] = array('ERROR', _('Domain name'), _('Domain name contains invalid characters. Valid characters are: a-z, A-Z, 0-9 and -.')); if (is_array($errors)) return $errors; if ($post['form_sambaAccount_userWorkstations']) return 'userWorkstations'; return 0; } /* Write variables into object and do some regexp checks */ function proccess_userWorkstations($post) { // Load attributes do { // X-Or, only one if() can be true if (isset($post['form_sambaAccount_availableUserWorkstations']) && isset($post['form_sambaAccount_userWorkstations_add'])) { // Add workstations to list $temp = str_replace(' ', '', $this->attributes['userWorkstations'][0]); $workstations = explode (',', $temp); for ($i=0; $iattributes['userWorkstations'][0] = $workstations[0]; for ($i=1; $iattributes['userWorkstations'][0] = $this->attributes['userWorkstations'][0] . "," . 
$workstations[$i]; } break; } if (isset($post['form_sambaAccount_userWorkstations']) && isset($post['form_sambaAccount_userWorkstations_remove'])) { // remove // Add workstations from list // Put all workstations in array $temp = str_replace(' ', '', $this->attributes['userWorkstations'][0]); $workstations = explode (',', $temp); for ($i=0; $iattributes['userWorkstations'][0] = $workstations[0]; for ($i=1; $iattributes['userWorkstations'][0] = $this->attributes['userWorkstations'][0] . "," . $workstations[$i]; } break; } } while(0); if ($post['form_sambaAccount_attributes']) return 'attributes'; return 0; } /* This function loads all attributes into the object * $attr is an array as it's retured from ldap_get_attributes */ function load_attributes($attr) { // Load attributes which are displayed // unset count entries unset ($attr['count']); $attributes = array_keys($attr); foreach ($attributes as $attribute) unset ($attr[$attribute]['count']); // unset double entries for ($i=0; $iattributes[$attribute])) { // decode as unicode $this->attributes[$attribute] = $attr[$attribute]; for ($i=0; $iattributes[$attribute]); $i++) $this->attributes[$attribute][$i] = utf8_decode ($this->attributes[$attribute][$i]); } } // Values are kept as copy so we can compare old attributes with new attributes $this->attributes['objectClass'][0] = 'sambaAccount'; $this->orig = $this->attributes; $this->lmPassword(''); // Remove old password so it won't displayed as hash return 0; } /* This function returns an array with 3 entries: * array( DN1 ('add' => array($attr), 'remove' => array($attr), 'modify' => array($attr)), DN2 .... ) * DN is the DN to change. It may be possible to change several DNs, * e.g. 
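* create a new user and add him to some groups via attribute memberUid
* add are attributes which have to be added to ldap entry
* remove are attributes which have to be removed from ldap entry
* modify are attributes which have to been modified in ldap entry */
function save_attributes() {
    /* Derive the samba RID here and not in load_attributes(): uidNumber may
     * have been changed in between. Administrator (500), Guest (501) and
     * Domain Computers (515) are fixed well-known RIDs and are left untouched. */
    $rid = $this->attributes['rid'][0];
    $special = ($rid == "500" || $rid == "501" || $rid == "515");
    if (!$special) {
        // Bug fix: this statement used '==' (a discarded comparison), so the RID was
        // never derived from uidNumber and a stale or empty rid was written to LDAP.
        $this->attributes['rid'][0] = $_SESSION[$this->base]->module['posixAccount']->attributes['uidNumber'][0]*2+1000;
    }
    $dn = $_SESSION[$this->base]->dn;
    $return = $_SESSION[$this->base]->save_module_attributes($this->attributes, $this->orig);
    /* $attributes['lmPassword'] holds the session-encrypted clear text (see
     * lmPassword()), never a hash. Drop whatever the generic diff produced for
     * the password attributes and compute the real LM/NT hashes below. */
    if (isset($return[$dn]['modify']['lmPassword'])) unset($return[$dn]['modify']['lmPassword']);
    if (isset($return[$dn]['modify']['ntPassword'])) unset($return[$dn]['modify']['ntPassword']);
    /* The hashes come from an external perl helper. escapeshellarg() prevents
     * shell injection, but the clear-text password is still passed on the command
     * line and is visible in the process list while the helper runs -
     * TODO confirm whether that is acceptable or the helper should read it from stdin. */
    $hasher = escapeshellarg($_SESSION['lampath'].'lib/createntlm.pl');
    $password = $this->lmPassword();
    // A newly created account (no password stored yet) always gets hashes, even for ''.
    if (!isset($this->orig['lmPassword'][0])) {
        $return[$dn]['modify']['lmPassword'][0] = exec($hasher." lm ".escapeshellarg($password));
        $return[$dn]['modify']['ntPassword'][0] = exec($hasher." nt ".escapeshellarg($password));
        $return[$dn]['modify']['pwdLastSet'][0] = time();
    }
    // An existing account only gets new hashes when a new password was entered.
    if ($password != '') {
        $return[$dn]['modify']['lmPassword'][0] = exec($hasher." lm ".escapeshellarg($password));
        $return[$dn]['modify']['ntPassword'][0] = exec($hasher." 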
nt ".escapeshellarg($this->lmPassword())); $return[$_SESSION[$this->base]->dn]['modify']['pwdLastSet'][0] = time(); } return $return; } /* This function returns all ldap attributes * which are part of sambaAccount and returns * also their values. */ function get_attributes() { return $this->attributes; } /* This function will create the html-page * to show a page with all attributes. * It will output a complete html-table */ function display_html_attributes($post) { if ($_SESSION[$this->base]->type=='user') { $canchangedate = getdate($this->attributes['pwdCanChange'][0]); $mustchangedate = getdate($this->attributes['pwdMustChange'][0]); echo ''. ''. ''. ''. ''. ''. ''; echo "\n\n"; echo "\n"; echo "\n"; echo "\n"; echo "\n"; echo "\n"; echo "\n"; echo "\n"; echo "\n"; echo "\n"; if ($_SESSION[$this->base]->module['posixAccount']->orig['userPassword'][0] != $_SESSION[$this->base]->module['posixAccount']->attributes['userPassword'][0]) { echo "\n"; echo "\n"; echo "\n"; echo ""; echo "\n"; } echo "\n"; echo "\n"; echo "\n"; echo "\n"; echo "\n"; echo "\n"; echo "\n"; echo "\n"; echo "\n"; echo "\n"; echo "\n"; echo "\n"; echo "\n"; echo "\n"; echo "\n"; echo "\n"; echo "\n"; echo "\n"; echo "\n"; echo "\n"; echo "\n"; echo "\n"; echo "\n"; echo "\n"; echo "\n"; echo "\n"; echo "\n"; echo "\n"; echo "\n"; echo "\n"; echo "\n"; echo "\n"; echo "\n"; echo "\n"; echo "\n"; echo "\n"; echo "\n"; echo "\n"; echo "\n"; echo "\n"; echo "\n"; echo "\n"; echo "\n"; echo "\n"; echo "\n"; echo "\n"; echo "\n"; echo "\n"; echo "\n"; echo "\n"; echo "\n"; echo "\n"; echo "\n"; echo "\n"; echo "\n"; echo "\n"; echo "\n"; echo "\n"; echo "\n"; echo "\n"; echo "\n"; echo "\n"; echo "\n"; echo "\n"; echo "\n"; echo "
" . _('Samba password') . "lmPassword() . "\">
" . _('Repeat password') . "lmPassword(); echo "\">
" . _('Use unix password') . "useunixpwd) echo " checked "; echo ">" . _('Help') . "
" . _('Use no password') . "attributes['acctFlags'][0], "N")) echo " checked "; echo ">" . _('Help' ) ."
" . _('Password does not expire') . "attributes['acctFlags'][0], "X")) echo " checked "; echo ">" . _('Help') . "
" . _('User can change password') . "" . _('Help') . "
" . _('User must change password') . "" . _('Help') . "
" . _('Account is deactivated') . "attributes['acctFlags'][0], "D")) echo " checked "; echo ">" . _('Help') . "
" . _('Home drive') . "" . _('Help') . "
" . _('Home path') . "attributes['smbHome'][0] . "\">" . _('Help') . "
" . _('Profile path') . "attributes['profilePath'][0] . "\">" . _('Help') . "
" . _('Script path') . "attributes['scriptPath'][0] . "\">" . _('Help') . "
" . _('Samba workstations') . "" . _('Help') . "
" . _('Windows group') . "" . _('Help') . "
" . _('Special user') . "" . _('Help-XX') . "
" . _('Domain') . "attributes['domain'][0] . "\">" . _('Help') . "
\n"; } if ($_SESSION[$this->base]->type=='host') { echo ''; echo "\n\n"; echo "\n"; echo "\n"; echo "\n"; echo "\n"; echo "\n"; echo "\n"; echo "\n"; echo "\n"; echo "\n"; echo "
" . _('Reset password') . "
" . _('Domain') . "attributes['domain'][0] . "\">" . _('Help') . "
\n"; } return 0; } /* This function will create the html-page * to show a page with all attributes. * It will output a complete html-table */ function display_html_userWorkstations($post) { // Get list of all hosts. $result = $_SESSION[$_SESSION[$this->base]->cache]->get_cache('uid', 'sambaAccount', 'host'); if (is_array($result)) { foreach ($result as $host) $availableUserWorkstations[] = str_replace("$", '', $host[0]); sort($availableUserWorkstations, SORT_STRING); $result = str_replace(' ', '', $this->attributes['userWorkstations'][0]); $userWorkstations = explode (',', $result); $availableUserWorkstations = array_delete($userWorkstations, $availableUserWorkstations); } echo "\n\n"; echo "\n"; echo "\n"; echo "\n"; echo "\n"; echo "\n"; echo "\n"; echo "\n"; echo "\n"; echo "\n"; echo "\n"; echo "
"; echo "
base]->type."edit-bright\">base]->type."edit-bright\">"; echo _("Allowed workstations"); echo "\n"; // display all workstations the user is allowed to login if (count($userWorkstations)!=0) { echo "\n"; } echo "
"; echo " "; echo "\">

"; echo ""._('Help')."
"; echo "
base]->type."edit-bright\">base]->type."edit-bright\">"; echo _('Available workstations'); echo "\n"; // Display all workstations without these the user is allowed to login if (count($availableUserWorkstations)!=0) { echo "\n"; } echo "
\n"; } } ?>