config =& $_SESSION['config']; $this->ldap =& $_SESSION['ldap']; $this->time = 0; $this->attributes = array(); } var $ldapcache; // This variable contains the cache var $attributes; // This variable contains a list and their scope of attributes which should be cached var $config; // This is a reference to the config class in session var $ldap; // This is a reference to the ldap class in session var $time; // This is the laste timestamp ldap cache has been refreshed /* This function adds attributes to cache * syntax of $attributes is array( scope1 => array ( attributes ), scope2 => array ( attributes ), ...) */ function add_cache($attributes) { // Check input variable $allowed_types = array ( 'user', 'group', 'host', 'domain', '*' ); if (!is_array($attributes)) trigger_error(_('Argument of add_cache must be : array ( scope => array(attribute1(string), attribute2(string), ..), scope => ... ).'), E_USER_ERROR); foreach ($attributes as $attribute) { if (!is_array($attribute)) trigger_error(_('Argument of add_cache must be : array ( scope => array(attribute1(string), attribute2(string), ..), scope => ... ).'), E_USER_ERROR); foreach ($attribute as $singleattribute) { if (!is_string($singleattribute)) trigger_error(_('Argument of add_cache must be : array ( scope => array(attribute1(string), attribute2(string), ..), scope => ... ).'), E_USER_ERROR); } } $scopes = array_keys($attributes); foreach ($scopes as $scope) { if (!@in_array($scope, $allowed_types)) trigger_error(sprintf(_('Invalid scope. Valid scopes are %s.'), implode(" ", $allowed_types)), E_USER_ERROR); } // Everything seems to be OK, start processing data foreach ($scopes as $scope) { for ($i=0; $iattributes[$scope])) $this->attributes[$scope][] = $attributes[$scope][$i]; } } // Rebuild cache $this->refresh_cache(true); } /* This function returns an array ( dn1 => array(uidnumber1), dn2 => array(uidnumber2), ... ) * */ function get_cache($attribute, $objectClass, $singlescope) { $this->refresh_cache(); // Check input variables $allowed_types = array ( 'user', 'group', 'host', 'domain', '*' ); if (!in_array($singlescope, $allowed_types)) trigger_error(sprintf(_('Invalid scope. Valid scopes are %s.'), implode(" ", $allowed_types)), E_USER_ERROR); $line=-1; for ($i=0; $iobjectClasses) || $i==-1; $i++) { if (strpos($_SESSION['ldap']->objectClasses[$i], "NAME '$objectClass'")) $line = $i; } // Return error if objectClass isn't found if ($line==-1) trigger_error (sprintf(_("objectClass %s required but not defined in ldap."), $objectClass), E_USER_WARNING); // Create list of all allowed attributes for ($i=0; $ildap->objectClasses); $i++ ) { if (strpos($this->ldap->objectClasses[$i], 'MUST (')) { $string_withtail = substr($this->ldap->objectClasses[$i], strpos($this->ldap->objectClasses[$i], 'MUST (')+6); // Now we have a string with all must-attributes $string = substr($string_withtail, 0, strpos($string_withtail, ')')); $string = trim($string); $allowed_attributes = array_merge($allowed_attributes, explode(" $ ", $string)); } // create array with may-attributes // Get startposition in string if (strpos($this->ldap->objectClasses[$i], 'MAY (')) { $string_withtail = substr($this->ldap->objectClasses[$i], strpos($this->ldap->objectClasses[$i], 'MAY (')+5); // Now we have a string with all must-attributes $string = substr($string_withtail, 0, strpos($string_withtail, ')')); $string = trim($string); $allowed_attributes = array_merge($allowed_attributes, explode(" $ ", $string)); } } $allowed_attributes = array_unique($allowed_attributes); if (!in_array($attribute, $allowed_attributes)) trigger_error(_('Attribute not defined in LDAP.'), E_USER_WARNING); // Everything seems to be OK, start processing data $this->refresh_cache(); if ($singlescope == '*') $scopes = $allowed_types; else $scopes = array ( $singlescope ); // Add cache entry dynamic foreach ($scopes as $scope) { if (!@in_array($attribute ,$this->attributes[$scope])) $add[$scope][] = $attribute; } if (count($add)!=0) $this->add_cache($add); foreach ($scopes as $scope) { if (isset($this->ldapcache[$scope])) { $DNs = array_keys($this->ldapcache[$scope]); foreach ($DNs as $dn) { if (isset($this->ldapcache[$scope][$dn][$attribute]) && in_array($objectClass, $this->ldapcache[$scope][$dn]['objectClass'])) { // return string if only attribute exists only once if (count($this->ldapcache[$scope][$dn][$attribute])==1) $return[$dn][] = $this->ldapcache[$scope][$dn][$attribute][0]; else { // else return array with all attributes $return[$dn] = $this->ldapcache[$scope][$dn][$attribute]; } } } } } return $return; } /* This functions returns the dn if a dn with $attribute=$value is found * $values is the value $attribute is set to * $scope is the scope where to search */ function in_cache($value, $attribute, $singlescope) { $this->refresh_cache(); // Check input variables $allowed_types = array ( 'user', 'group', 'host', 'domain', '*' ); if (!in_array($singlescope, $allowed_types)) trigger_error(sprintf(_('Invalid scope. Valid scopes are %s.'), implode(" ", $allowed_types)), E_USER_ERROR); // Create list of all allowed attributes for ($i=0; $ildap->objectClasses); $i++ ) { if (strpos($this->ldap->objectClasses[$i], 'MUST (')) { $string_withtail = substr($this->ldap->objectClasses[$i], strpos($this->ldap->objectClasses[$i], 'MUST (')+6); // Now we have a string with all must-attributes $string = substr($string_withtail, 0, strpos($string_withtail, ')')); $string = trim($string); $allowed_attributes = array_merge($allowed_attributes, explode(" $ ", $string)); } // create array with may-attributes // Get startposition in string if (strpos($this->ldap->objectClasses[$i], 'MAY (')) { $string_withtail = substr($this->ldap->objectClasses[$i], strpos($this->ldap->objectClasses[$i], 'MAY (')+5); // Now we have a string with all must-attributes $string = substr($string_withtail, 0, strpos($string_withtail, ')')); $string = trim($string); $allowed_attributes = array_merge($allowed_attributes, explode(" $ ", $string)); } } $allowed_attributes = array_unique($allowed_attributes); if (!in_array($attribute, $allowed_attributes)) trigger_error(_('Attribute not defined in LDAP.'), E_USER_WARNING); // Everything seems to be OK, start processing data $this->refresh_cache(); if ($singlescope == '*') $scopes = $allowed_types; else $scopes = array ( $singlescope ); // Add cache entry dynamic foreach ($scopes as $scope) { if (!@in_array($attribute ,$this->attributes[$scope])) $add[$scope][] = $attribute; } if (count($add)!=0) $this->add_cache($add); foreach ($scopes as $scope) { if (isset($this->ldapcache[$scope])) { $DNs = array_keys($this->ldapcache[$scope]); foreach ($DNs as $dn) { if (is_array($this->ldapcache[$scope][$dn][$attribute])) { if (in_array($value, $this->ldapcache[$scope][$dn][$attribute])) { // Return value if value was found return $dn; } } } } } // Return false if value wasn't found return false; } /* This functions refreshs the cache */ function refresh_cache($rebuild=false) { if ($time + $this->config->get_cacheTimeoutSec() < time() || $rebuild) { // unset old cache unset ($this->ldapcache); $scopes = array_keys($this->attributes); foreach ($scopes as $scope) { // Get Scope $function = '$suffix = $this->config->get_'.ucfirst($scope).'Suffix();'; If ($scope != '*') eval($function); else $suffix = ''; // Get Data from ldap $search = $this->attributes[$scope]; $search[] = 'objectClass'; $result = @ldap_search($this->ldap->server(), $suffix, 'objectClass=*', $search, 0); // Write search result in array $entry = @ldap_first_entry($this->ldap->server(), $result); while ($entry) { $dn = (ldap_get_dn($this->ldap->server(), $entry)); $attr = ldap_get_attributes($this->ldap->server(), $entry); // unset every count entry unset ($attr['count']); $attributes = array_keys($attr); foreach ($attributes as $attribute) unset ($attr[$attribute]['count']); // unset double entries for ($i=0; $ildapcache[$scope][$dn] = $attr; $entry = ldap_next_entry($this->ldap->server(), $entry); } } $this->time = time(); } } /* This function update the cache when changes were * made without refrehing the complete cache */ function update_cache($dn, $mode, $attributes=false) { $allowed_modes = array ( 'add', 'remove', 'modify', 'delete_dn' ); $allowed_types = array ( 'user', 'group', 'host', '*' ); for ($i=0; $i"; // *** fixme, where is get_DomainSuffix If ($scope != '*') eval($function); else $suffix = ''; if (substr($suffix, $dn)) $singlescope = $allowed_types[$i]; } } if (!in_array($singlescope, $allowed_types)) trigger_error(sprintf(_('Invalid scope. Valid scopes are %s.'), implode(" ", $allowed_types)), E_USER_ERROR); if (!in_array($mode, $allowed_modes)) trigger_error(sprintf(_('Invalid mode. Valid modes are %s.'), implode(" ", $allowed_modes)), E_USER_ERROR); // Everything seems to be OK, start processing data // Get Scope foreach ($allowed_types as $scope) { $function = '$suffix = $this->config->get_'.ucfirst($scope).'Suffix();'; eval($function); if (strpos($dn, $suffix)) $singlescope = $scope; } if (!isset($singlescope)) trigger_error(sprintf(_('Invalid dn: %s. DN not covered by any suffix.'), $dn), E_USER_WARN); // Refresh Cache $this->refresh_cache(); if (is_array($attributes)) switch ($mode) { case 'add': $list = array_keys($attributes); for ($i=0; $ildapcache[$singlescope][$dn][$list[$i]][] = $attributes[$list[$i]]; break; case 'remove': $list = array_keys($attributes); for ($i=0; $ildapcache[$singlescope][$dn][$list[$i]][$attributes[$list[$i]]])) unset($this->ldapcache[$singlescope][$dn][$list[$i]][$attributes[$list[$i]]]); break; case 'modify': $list = array_keys($attributes); for ($i=0; $ildapcache[$singlescope][$dn][$list[$i]])) unset($this->ldapcache[$singlescope][$dn][$list[$i]]); foreach ($attributes[$list[$i]] as $attribute) $this->ldapcache[$singlescope][$dn][$list[$i]][] = $attributes[$list[$i]]; } } else { if ($mode=='delete_dn') if (isset($this->ldapcache[$singlescope][$dn])) unset($this->ldapcache[$singlescope][$dn]); } } /* This function will return the gidNumber to an existing groupname * gidNumbers are taken from cache-array */ function getgid($groupname) { $dn_groups = $_SESSION['cache']->get_cache('gidNumber', 'posixGroup', 'group'); $DNs = array_keys($dn_groups); foreach ($DNs as $DN) { if (strpos($DN, $groupname)) return $dn_groups[$DN][0]; } } /* This function will return an array with all groupnames * found in ldap. Groupnames are taken from cache-array. */ function findgroups() { $dn_groups = $_SESSION['cache']->get_cache('cn', 'posixGroup', 'group'); $DNs = array_keys($dn_groups); foreach ($DNs as $DN) $return[] = $dn_groups[$DN][0]; return $return; } /* This function will return the groupname to an existing gidNumber * groupnames are taken from cache-array */ function getgrnam($gidNumber) { $dn_groups = $_SESSION['cache']->get_cache('gidNumber', 'posixGroup', 'group'); $DNs = array_keys($dn_groups); foreach ($DNs as $DN) { if ($dn_groups[$DN][0]==$gidNumber) $return = substr($DN, 3, strpos($DN, ',')-3); } return $return; } } class accountContainer { // Constructor function accountContainer($type, $base) { /* Set the type of account. Valid * types are: user, group, host */ // Check input variable if (!is_string($type)) trigger_error(_('Argument of accountContainer must be string.'), E_USER_ERROR); if (!is_string($base)) trigger_error(_('Argument of accountContainer must be string.'), E_USER_ERROR); // *** fixme use global variable to determine allowed types $allowed_types = array ( 'user', 'group', 'host', 'domain' ); if (!in_array($type, $allowed_types)) trigger_error(_('Account type not recognized.'), E_USER_ERROR); $this->type = $type; $this->base = $base; // Name of variables in session $this->ldap = 'ldap'; $this->config = 'config'; $this->cache = 'cache'; $this->header2 = 'header'; $this->module['main'] = new main($this->base); return 0; } /* Array of all used attributes * Syntax is attribute => array ( objectClass => MUST or MAY, ...) */ var $attributes; /* This variale stores the type * of account. Current unix, group, host are supported */ var $type; var $ldap; // This is a reference to the ldap class in session var $config; // This is a reference to the config class in session // Localized part of HTML-Header var $header2; var $module; // This is an array with all module objects // DN of the account var $dn; var $dn_orig; // this are stores the module order var $order; // name of accountContainer so we can read other classes in accuontArray var $base; /* Get the type of account. Valid * types are: user, group, host */ function get_type() { return $this->type; } /* This function asks $this->module['main'] * what to do next */ function continue_main($post) { if ($this->module['main']->subpage=='') $this->module['main']->subpage='attributes'; if ($post['form_main_reset']) { $this->load_account($this->dn_orig); } else { $function = '$result = $this->module[$this->order[$this->module[\'main\']->current_page]]->proccess_'.$this->module['main']->subpage.'($post);'; eval ($function); } if (is_string($result)) $this->module['main']->subpage = $result; if (is_int($result)) for ($i=0; $iorder); $i++ ) if ($post['form_main_'.$this->order[$i]]) { $this->module['main']->current_page = $i; $this->module['main']->subpage='attributes'; } // Write HTML-Code echo $_SESSION[$this->header2]; echo ""; if ($this->dn_orig!='') echo _("Modify Account"); else echo _("Create new Account"); echo "\n"; echo "\n"; echo "\n"; echo "
type."edit.php\" method=\"post\">\n"; // Display errir-messages if (is_array($result)) for ($i=0; $i\n"; echo ""; echo "\n"; echo "
type."edit-dark\">type."edit-bright\">"; echo _('Please select page:'); echo "\n"; // Loop for module for ($i=0; $iorder); $i++ ) { if ($this->order[$i]==$this->order[$this->module['main']->current_page] || !$this->module[$this->order[$i]]->module_ready() ) { // print disabled button echo "order[$i]."\" type=\"submit\" value=\""; echo $this->module[$this->order[$i]]->get_alias(); echo "\" disabled>\n
"; } else { // print normal button echo "order[$i]."\" type=\"submit\" value=\""; echo $this->module[$this->order[$i]]->get_alias(); echo "\">\n
"; } } if ($this->dn_orig!='') echo "
\n"; echo "
\n"; echo "
type."edit-dark\">type."edit-bright\">"; echo $this->module[$this->order[$this->module['main']->current_page]]->get_alias(); echo "\n"; // display html-code from mdule $function = '$result = $this->module[$this->order[$this->module[\'main\']->current_page]]->display_html_'.$this->module['main']->subpage.'($post);'; eval ($function); echo "\n"; $this->parse_html($this->order[$this->module['main']->current_page], $result); echo "
\n"; // Display rest of html-page echo "
\n"; echo "\n"; echo "\n"; echo "\n"; echo "\n"; return 0; } function parse_html($module, $input) { if (is_array($input)) { for ($i=0; $i\n"; for ($j=0; $j\n"; echo $input[$i][$j]['text'] . "\n"; break; case 'input': echo "\n"; $output = "\n"; echo "
\n"; if ($input[$i][$j]['legend']!='') echo "" . $input[$i][$j]['legend'] . "\n"; echo "\n"; $this->parse_html($module, $input[$i][$j]['value']); echo "
\n"; echo "
\n"; break; case 'select': echo "\n"; echo "\n"; break; case 'table': echo "\n"; echo "\n"; $this->parse_html($module, $input[$i][$j]['value']); echo "
\n"; echo "\n"; break; case 'help': echo "\n"; echo "" . _('Help') . "\n"; break; default: echo "Unrecognized type: " . $input[$i][$j]['kind'] . "\n"; break; } } echo "\n"; } } } /* Add attributes to variable. Syntax is array( attribute = array ( objectClass1 => MUST|MAX, objectClass2 => MUST|MAY ), ... ) */ function add_attributes($objectClass) { // loop through every existing objectlass and select current objectClass $line=-1; for ($i=0; $ildap]->objectClasses) || $i==-1; $i++) { if (strpos($_SESSION[$this->ldap]->objectClasses[$i], "NAME '$objectClass'")) $line = $i; } // Return error if objectClass isn't found if ($line==-1) trigger_error (sprintf(_("objectClass %s required but not defined in ldap."), $objectClass), E_USER_WARNING); // create array with must-attributes // Get startposition in string if (strpos($_SESSION[$this->ldap]->objectClasses[$line], 'MUST (')) { $string_withtail = substr($_SESSION[$this->ldap]->objectClasses[$line], strpos($_SESSION[$this->ldap]->objectClasses[$line], 'MUST (')+6); // Now we have a string with all must-attributes $string = substr($string_withtail, 0, strpos($string_withtail, ')')); $string = trim($string); $must = explode(" $ ", $string); // Ad must foreach ($must as $attribute) { if (!isset($this->attributes[$attribute])) $this->attributes[$attribute][$objectClass] = 'MUST'; else $this->attributes[$attribute][$objectClass] = 'MUST'; } } // create array with may-attributes // Get startposition in string if (strpos($_SESSION[$this->ldap]->objectClasses[$line], 'MAY (')) { $string_withtail = substr($_SESSION[$this->ldap]->objectClasses[$line], strpos($_SESSION[$this->ldap]->objectClasses[$line], 'MAY (')+5); // Now we have a string with all must-attributes $string = substr($string_withtail, 0, strpos($string_withtail, ')')); $string = trim($string); $may = explode(" $ ", $string); // Ad may foreach ($may as $attribute) { if (!isset($this->attributes[$attribute])) $this->attributes[$attribute][$objectClass] = 'MAY'; else $this->attributes[$attribute][$objectClass] = 'MAY'; } } // Get attributes of subclasses while (strpos($_SESSION[$this->ldap]->objectClasses[$line], "SUP ")) { $string_withtail = substr($_SESSION[$this->ldap]->objectClasses[$line], strpos($_SESSION[$this->ldap]->objectClasses[$line], 'SUP ')+4); $subclass = substr($string_withtail, 0, strpos($string_withtail, ' ')); // Add account type to object for ($i=0; $ildap]->objectClasses) || $i==-1; $i++) { if (strpos($_SESSION[$this->ldap]->objectClasses[$i], "NAME '$subclass'")) $line = $i; } // Return error if objectClass isn't found if ($line==-1) trigger_error (sprintf(_("objectClass %s required but not defined in ldap."), $objectClass), E_USER_WARNING); // create array with must-attributes // Get startposition in string if (strpos($_SESSION[$this->ldap]->objectClasses[$line], 'MUST (')) { $string_withtail = substr($_SESSION[$this->ldap]->objectClasses[$line], strpos($_SESSION[$this->ldap]->objectClasses[$line], 'MUST (')+6); // Now we have a string with all must-attributes $string = substr($string_withtail, 0, strpos($string_withtail, ')')); $string = trim($string); $must = explode(" $ ", $string); // Ad must foreach ($must as $attribute) { if (!isset($this->attributes[$attribute])) $this->attributes[$attribute][$objectClass] = 'MUST'; else $this->attributes[$attribute][$objectClass] = 'MUST'; } } // create array with may-attributes // Get startposition in string if (strpos($_SESSION[$this->ldap]->objectClasses[$line], 'MAY (')) { $string_withtail = substr($_SESSION[$this->ldap]->objectClasses[$line], strpos($_SESSION[$this->ldap]->objectClasses[$line], 'MAY (')+5); // Now we have a string with all must-attributes $string = substr($string_withtail, 0, strpos($string_withtail, ')')); $string = trim($string); $may = explode(" $ ", $string); // Ad may foreach ($may as $attribute) { if (!isset($this->attributes[$attribute])) $this->attributes[$attribute][$objectClass] = 'MAY'; else $this->attributes[$attribute][$objectClass] = 'MAY'; } } } } /* This function return ldap attributes * Syntax is get_attributes($value, $scope) * $scope = 'objectClass', $value = objectClass return value are all attributes of objectClass * $scope = 'attribute', $value = attribute returns alle objectClasses which are using the attribute */ function get_attributes($value, $scope) { if ($scope=='attribute' && isset($this->attributes[$value])) return $this->attributes[$value]; if ($scope=='objectClass') { $keys = array_keys($this->attributes); foreach ($keys as $attribute) { if (isset($this->attributes[$attribute][$value])) $return[$attribute] = $this->attributes[$attribute][$value]; } return $return; } return 0; } /* This function return ldap attributes which are uses by $objectClass * Syntax is get_attributes($objectClass) * Return is an array with all allowed attributes */ function get_module_attributes($objectClass) { // Add account type to object $line=-1; for ($i=0; $ildap]->objectClasses) || $i==-1; $i++) { if (strpos($_SESSION[$this->ldap]->objectClasses[$i], "NAME '$objectClass'")) $line = $i; } // Return error if objectClass isn't found if ($line==-1) trigger_error (sprintf(_("ObjectClass %s required but not defined in ldap."), $objectClass), E_USER_WARNING); if (strpos($_SESSION[$this->ldap]->objectClasses[$line], 'MUST (')) { $string_withtail = substr($_SESSION[$this->ldap]->objectClasses[$line], strpos($_SESSION[$this->ldap]->objectClasses[$line], 'MUST (')+6); // Now we have a string with all must-attributes $string = substr($string_withtail, 0, strpos($string_withtail, ')')); $string = trim($string); // Ad must foreach (explode(" $ ", $string) as $attribute) { $return[$attribute] = ''; } } // create array with may-attributes // Get startposition in string if (strpos($_SESSION[$this->ldap]->objectClasses[$line], 'MAY (')) { $string_withtail = substr($_SESSION[$this->ldap]->objectClasses[$line], strpos($_SESSION[$this->ldap]->objectClasses[$line], 'MAY (')+5); // Now we have a string with all must-attributes $string = substr($string_withtail, 0, strpos($string_withtail, ')')); $string = trim($string); // Ad may foreach (explode(" $ ", $string) as $attribute) { $return[$attribute] = ''; } } // Get attributes of subclasses while (strpos($_SESSION[$this->ldap]->objectClasses[$line], "SUP ")) { $string_withtail = substr($_SESSION[$this->ldap]->objectClasses[$line], strpos($_SESSION[$this->ldap]->objectClasses[$line], 'SUP ')+4); $subclass = substr($string_withtail, 0, strpos($string_withtail, ' ')); // Add account type to object for ($i=0; $ildap]->objectClasses) || $i==-1; $i++) { if (strpos($_SESSION[$this->ldap]->objectClasses[$i], "NAME '$subclass'")) $line = $i; } // Return error if objectClass isn't found if ($line==-1) trigger_error (sprintf(_("ObjectClass %s required but not defined in ldap."), $subclass), E_USER_WARNING); // create array with must-attributes // Get startposition in string if (strpos($_SESSION[$this->ldap]->objectClasses[$line], 'MUST (')) { $string_withtail = substr($_SESSION[$this->ldap]->objectClasses[$line], strpos($_SESSION[$this->ldap]->objectClasses[$line], 'MUST (')+6); // Now we have a string with all must-attributes $string = substr($string_withtail, 0, strpos($string_withtail, ')')); $string = trim($string); // Ad must foreach (explode(" $ ", $string) as $attribute) { $return[$attribute] = ''; } } // create array with may-attributes // Get startposition in string if (strpos($_SESSION[$this->ldap]->objectClasses[$line], 'MAY (')) { $string_withtail = substr($_SESSION[$this->ldap]->objectClasses[$line], strpos($_SESSION[$this->ldap]->objectClasses[$line], 'MAY (')+5); // Now we have a string with all must-attributes $string = substr($string_withtail, 0, strpos($string_withtail, ')')); $string = trim($string); // Ad may foreach (explode(" $ ", $string) as $attribute) { $return[$attribute] = ''; } } } $this->add_attributes($objectClass); return $return; } /* This function return ldap attributes which are uses by $objectClass * Syntax is get_attributes($attributes, $orig) * Return is an array as needed for $this->saveAccount() */ function save_module_attributes($attributes, $orig) { // Get list of all "easy" attributes $attr_names = array_keys($attributes); // Get attributes which should be added for ($i=0; $idn]['add'] = $toadd; if (count($torem)!=0) $return[$this->dn]['remove'] = $torem; if (count($tomodify)!=0) $return[$this->dn]['modify'] = $tomodify; if (count($notchanged)!=0) $return[$this->dn]['notchanged'] = $notchanged; return $return; } /* This function checks if all MUST-attribtues are set. * If not it will return an array with all modules * which have to be set first */ function check_attributes() { $return = array(); // get named list of attributes $attributes = array_keys($this->attributes); for ($i=0; $iattributes[$attributes[$i]]); for ($j=0; $jattributes[$attributes[$i]][$singleattribute[$j]]=='MUST') { // Check if attribute is set if ($this->module[$singleattribute[$j]]->attributes[$attributes[$i]]=='') if (!in_array($singleattribute[$j], $return)) $return[] = $singleattribute[$j]; } } } return $return; } /* This function adds an objectClass class (module) to accountContainer */ function add_objectClass($objectClass) { $line=-1; for ($i=0; $iobjectClasses) || $i==-1; $i++) { if (strpos($_SESSION['ldap']->objectClasses[$i], "NAME '$objectClass'")) $line = $i; } // Return error if objectClass isn't found if ($line==-1) trigger_error (_("objectClass $objectClass required but not defined in ldap."), E_USER_WARNING); else { // Add module if it exists if (class_exists($objectClass)) { $this->module[$objectClass] = new $objectClass($this->base); } else trigger_error (_("objectClass $objectClass required but no module found."), E_USER_WARNING); } return 0; } /* This function will load an account. * $dn is the dn of the account which should be loaded */ function load_account($dn) { $search = substr($dn, 0, strpos($dn, ',')); $result = ldap_search($_SESSION[$this->ldap]->server(), $dn, $search); $entry = ldap_first_entry($_SESSION[$this->ldap]->server(), $result); $this->dn = substr($dn, strpos($dn, ',')+1); $this->dn_orig = $dn; $attr = ldap_get_attributes($_SESSION[$this->ldap]->server(), $entry); if (isset($attr['objectClass']['count'])) unset($attr['objectClass']['count']); // load attributes foreach ($attr['objectClass'] as $objectClass) { $this->add_objectClass($objectClass); if (isset($this->module[$objectClass])) $this->module[$objectClass]->load_attributes($attr); } $this->module['quota'] = new quota($this->base); $this->module['quota']->load_attributes($attr); // sortm modules and make all active because all required attributes should be set $module = array_keys ($this->module); $modulelist = array(); // *** fixme add modules from config which should be used but not yet in loaded account // *** fixme how to handle non ldap modules? // loop until all modules are in order. // We don't want to loop forever $remain = count($module) * count($module); $order = array(); while ( (count($module) != count($modulelist)) && ($remain!=0) ) { $remain--; foreach ($module as $moduleitem) { $required = $this->module[$moduleitem]->get_dependencies($this->type); $everything_found = true; if (is_array($required['require'])) { foreach ($required['require'] as $requireditem) if (!in_array($reuquireditem, $modulelist)) $everthing_found = false; } if ($everything_found && !in_array($moduleitem, $order) ) $order[] = $moduleitem; } } // Write Module-Order in variable $this->order = $order; return 0; } /* This function will prepare the object * for a new account */ function new_account() { $modulelist = array('posixAccount', 'shadowAccount', 'sambaAccount'); // *** fixme add modules from config which should be used but not yet in loaded account foreach ($modulelist as $objectClass) $this->add_objectClass($objectClass); $module = array_keys ($this->module); // loop until all modules are in order. // We don't want to loop forever $remain = count($module) * count($module); $order = array(); while ( (count($module) != count($modulelist)) && ($remain!=0) ) { $remain--; foreach ($module as $moduleitem) { $required = $this->module[$moduleitem]->get_dependencies($this->type); $everything_found = true; if (is_array($required['require'])) { foreach ($required['require'] as $requireditem) if (!in_array($reuquireditem, $modulelist)) $everthing_found = false; } if ($everything_found && !in_array($moduleitem, $order) ) $order[] = $moduleitem; } } // Write Module-Order in variable $this->order = $order; // *** fixme load*Profile must return array in the same way ldap_get_attributes does. $function = '$newattributes = load'.ucfirst($this->type).'Profile(\'default\');'; eval($function); // pass newattributes to each module //foreach ($module as $module2) // $this->module[$module2]->load_attributes($newattributes); return 0; } /* This function will load an account. */ function save_account() { $module = array_keys ($this->module); $attributes = array(); // load attributes foreach ($module as $singlemodule) { // load changes $temp = $this->module[$singlemodule]->save_attributes(); // merge changes $DNs = array_keys($temp); // *** fixme don't include references $attributes = array_merge_recursive($temp, $attributes); for ($i=0; $itype=='group') $search = 'cn'; else $search = 'uid'; $added = false; foreach ($attributes as $DN) { if (isset($DN['modify'][$search][0]) && !$added) { $attributes[$search.'='.$DN['modify'][$search][0].','.$this->dn] = $attributes[$this->dn]; unset ($attributes[$this->dn]); $this->dn = $search.'='.$DN['modify'][$search][0].','.$this->dn; $added = true; } if (isset($DN['add'][$search][0]) && !$added) { $attributes[$search.'='.$DN['add'][$search][0].','.$this->dn] = $attributes[$this->dn]; unset ($attributes[$this->dn]); $this->dn = $search.'='.$DN['add'][$search][0].','.$this->dn; $added = true; } if (isset($DN['notchanged'][$search][0]) && !$added) { $attributes[$search.'='.$DN['notchanged'][$search][0].','.$this->dn] = $attributes[$this->dn]; unset ($attributes[$this->dn]); $this->dn = $search.'='.$DN['notchanged'][$search][0].','.$this->dn; $added = true; } } // Add old dn if dn hasn't changed if (!$added) { $attributes[$this->dn_orig] = $attributes[$this->dn]; unset ($attributes[$this->dn]); $this->dn = $this->dn_orig; } // Set to true if an real error has happened $stopprocessing = false; // Add new DN if (isset($attributes[$DNs[$i]]['errors'])) { foreach ($attributes[$DNs[$i]]['errors'] as $singleerror) { $errors[] = $singleerror; if ($singleerror[0] = 'ERROR') $stopprocessing = true; } } // fixme *** ad update_cache after every ldap-change if (!$stopprocessing) { if ($this->dn != $this->dn_orig) { // move existing DN if ($this->dn_orig!='') { // merge attributes together $attr = array_merge_recursive($attributes[$this->dn]['add'], $attributes[$this->dn]['notchanged'], $attributes[$this->dn]['modify']); $success = @ldap_add($_SESSION[$this->ldap]->server(), $this->dn, $attr); if ($success) { $_SESSION[$this->cache]->update_cache($this->$dn, 'add', $attr); $success = @ldap_delete($_SESSION[$this->ldap]->server(), $this->dn_orig); if (!$success) { $errors[] = array('ERROR', 'LDAP', sprintf(_('Was unable to delete dn: %s.'), $this->dn_orig)); $stopprocessing = true; } if ($success) $_SESSION[$this->cache]->update_cache($this->$dn, 'delete_dn'); } if (!$success) { $errors[] = array('ERROR', 'LDAP', sprintf(_('Was unable to create dn: %s. This is possible a bug. Please check your ldap logs and send a bug report if it is a possible bug.'), $this->dn)); $stopprocessing = true; } } // create complete new dn else { $attr = array_merge_recursive($attributes[$this->dn]['add'], $attributes[$this->dn]['notchanged'], $attributes[$this->dn]['modify']); $success = @ldap_add($_SESSION[$this->ldap]->server(), $this->dn, $attributes[$this->dn]['add']); if (!$success) { $errors[] = array('ERROR', 'LDAP', sprintf(_('Was unable to create dn: %s. This is possible a bug. Please check your ldap logs and send a bug report if it is a possible bug.'), $this->dn)); $stopprocessing = true; } else $_SESSION[$this->cache]->update_cache($this->$dn, 'add', $attributes[$this->dn]['add']); } unset($attributes[$this->dn]); } } $DNs = array_keys($attributes); for ($i=0; $ildap]->server(), $DNs[$i], $attributes[$DNs[$i]]['modify']); if (!$success) { $errors[] = array('ERROR', 'LDAP', sprintf(_('Was unable to modify attribtues from dn: %s. This is possible a bug. Please check your ldap logs and send a bug report if it is a possible bug.'), $DNs[$i])); $stopprocessing = true; } else $_SESSION[$this->cache]->update_cache($this->$dn, 'modify', $attributes[$this->dn]['modify']); } // add attributes if (isset($attributes[$DNs[$i]]['add']) && !$stopprocessing) { $success = @ldap_mod_add($_SESSION[$this->ldap]->server(), $DNs[$i], $attributes[$DNs[$i]]['add']); if (!$success) { $errors[] = array('ERROR', 'LDAP', sprintf(_('Was unable to add attribtues to dn: %s. This is possible a bug. Please check your ldap logs and send a bug report if it is a possible bug.'), $DNs[$i])); $stopprocessing = true; } else $_SESSION[$this->cache]->update_cache($this->$dn, 'add', $attributes[$this->dn]['add']); } // removce attributes if (isset($attributes[$DNs[$i]]['remove']) && !$stopprocessing) { $success = @ldap_mod_del($_SESSION[$this->ldap]->server(), $DNs[$i], $attributes[$DNs[$i]]['remove']); if (!$success) { $errors[] = array('ERROR', 'LDAP', sprintf(_('Was unable to remove attribtues from dn: %s. This is possible a bug. Please check your ldap logs and send a bug report if it is a possible bug.'), $DNs[$i])); $stopprocessing = true; } else $_SESSION[$this->cache]->update_cache($this->$dn, 'remove', $attributes[$this->dn]['remove']); } } } if (!$stopprocessing) { foreach ($attributes as $DN) { if (is_array($DN['lamdaemon']['command'])) $result = $this->lamdaemon($DN['lamdaemon']['command']); // Error somewhere in lamdaemon foreach ($result as $singleresult) { if (is_array($singleresult)) { if ($singleresult[0] = 'ERROR') $stopprocessing = true; $temparray[0] = $singleresult[0]; $temparray[1] = _($singleresult[1]); $temparray[2] = _($singleresult[2]); } } } } if (count($errors)!=0) return $errors; return 0; } function lamdaemon($commands) { // get username and password of the current lam-admin $ldap_q = $_SESSION[$this->ldap]->decrypt_login(); /* $towrite has the following syntax: * admin-username, admin-password, owner of homedir, 'home', operation='add' * use escapeshellarg to make exec() shell-safe */ $towrite = escapeshellarg($_SESSION[$this->config]->scriptServer)." ".escapeshellarg($_SESSION[$this->config]->scriptPath)." ". escapeshellarg($ldap_q[0]).' '.escapeshellarg($ldap_q[1]); $userstring = implode ("\n", $commands); if (function_exists(proc_open)) { // New Code, requires PHP 4.3 $descriptorspec = array( 0 => array("pipe", "r"), // stdin 1 => array("pipe", "w"), // stout 2 => array("file", "/dev/null", "a") // sterr ); $process = proc_open(escapeshellarg($_SESSION['lampath']."lib/lamdaemon.pl")." ".$towrite, $descriptorspec, $pipes); if (is_resource($process)) { /* perl-script is running * $pipes[0] is writeable handle to child stdin * $pipes[1] is readable handle to child stdout * any error is send to /dev/null */ // Write to stdin fwrite($pipes[0], $userstring); } fclose($pipes[0]); while (!feof($pipes[1])) { $output = fgets($pipes[1], 1024); if ($output!='') $output_array[] = $output; } fclose($pipes[1]); proc_close($process); } else { // PHP 4.3> $command = escapeshellarg($_SESSION['lampath']."lib/lamdaemon.pl")." ".$towrite; $pipe = popen("echo \"$userstring\"|$command" , 'r'); while(!feof($pipe)) { //$output .= fread($pipe, 1024); $output = fgets($pipe, 1024); if ($output!='') $output_array[] = $output; } pclose($pipe); } return $output_array; } } /* Return a list of all shells listed in ../config/shells * Normally ../config/shells is a symbolic link to /etc/shells */ function getshells() { // Load shells from file $shells = file($_SESSION['lampath'].'config/shells'); $i=0; while (count($shells) > $i) { // remove whitespaces trim($shells[$i]); // remove lineend $shells[$i] = substr($shells[$i], 0, strpos($shells[$i], "\n")); // remove comments if ($shells[$i]{0}=='#') unset ($shells[$i]); else $i++; } // $shells is array with all valid shells return $shells; } /* This function will replace umlates with ascci-chars * fixme *** * In order to map all non-ascii characters this function should be changed */ function replace_umlaut($text) { $aTranslate = array("ä"=>"ae", "Ä"=>"Ae", "ö"=>"oe", "Ö"=>"Oe", "ü"=>"ue", "Ü"=>"Ue", "ß"=>"ss" ); return strtr($text, $aTranslate); } /* This function will return all values from $array without values of $values * $values, $array and $return are arrays */ function array_delete($values, $array) { // Loop for every entry and check if it should be removed if (is_array($array)) { $return = array(); foreach ($array as $array_value) if (!@in_array($array_value, $values)) $return[] = $array_value; return $return; } else return array(); } // This function will return a password with max. 8 characters function genpasswd() { // Allowed Characters to generate passwords // I'Ve removed characters like l and 1 because they are too similar $LCase = 'abcdefghjkmnpqrstuvwxyz'; $UCase = 'ABCDEFGHJKMNPQRSTUVWXYZ'; $Integer = '23456789'; // DEFINE CONSTANTS FOR ALGORTTHM define("LEN", '1'); $a = RndInt('letter'); $b = RndInt('letter'); $c = RndInt('letter'); $d = RndInt('letter'); $e = RndInt('number'); $f = RndInt('number'); $g = RndInt('letter'); $h = RndInt('letter'); // EXTRACT 8 CHARACTERS RANDOMLY FROM TH // E DEFINITION STRINGS $L1 = substr($LCase, $a, LEN); $L2 = substr($LCase, $b, LEN); $L3 = substr($LCase, $h, LEN); $U1 = substr($UCase, $c, LEN); $U2 = substr($UCase, $d, LEN); $U3 = substr($UCase, $g, LEN); $I1 = substr($Integer, $e, LEN); $I2 = substr($Integer, $f, LEN); // COMBINE THE CHARACTERS AND DISPLAY TH // E NEW PASSWORD $PW = $L1 . $U2 . $I1 . $L2 . $I2 . $U1 . $U3 . $L3; return $PW; } /* THIS FUNCTION GENERATES A RANDOM NUMBER THAT WILL BE USED TO * RANDOMLY SELECT CHARACTERS FROM THE STRINGS ABOVE */ function RndInt($Format){ switch ($Format){ case 'letter': $Rnd = rand(0,23); if ($Rnd > 23){ $Rnd = $Rnd - 1; } break; case 'number': $Rnd = rand(2,9); if ($Rnd > 8){ $Rnd = $Rnd - 1; } break; } return $Rnd; } // END RndInt() FUNCTION /* This function maintains the ldap-cache which is used to reduce ldap requests * If the array is older than $_SESSION['config']->get_cacheTimeoutSec() it will * be recreated * * $type can be user|group|host. * * $_SESSION['xxxxDN'] contains all attributes which are needed very often from * more than one function * $_SESSION['xxxx'DN'][0] contains the creation time of the array as unix timestamp. * All other entries have the following syntax: * $_SESSION['xxxx'DN'][$dn][$attributes] * $dn = DN of cached entry * $attributes = All cached attributes of DN * The cache contains the following attributes: * user: cn, uidNumber * group: cn, gidNumber * host: cn, uidNumber */ function ldapreload($type) { switch ($type) { case 'user': // Do we have to recreate array? if ((!isset($_SESSION['userDN'])) || ($_SESSION['userDN'][0] < time()-$_SESSION['config']->get_cacheTimeoutSec())) { // Remove old array if (isset($_SESSION['userDN'])) unset($_SESSION['userDN']); // insert timestamp in array $_SESSION['userDN'][0] = time(); // Search 4 values which should be cached $result = @ldap_search($_SESSION['ldap']->server(), $_SESSION['config']->get_UserSuffix(), '(&(objectClass=posixAccount)(!(uid=*$)))', array('cn', 'uidNumber'), 0); // Write search result in array $entry = @ldap_first_entry($_SESSION['ldap']->server(), $result); while ($entry) { $dn = (ldap_get_dn($_SESSION['ldap']->server(), $entry)); $attr = ldap_get_attributes($_SESSION['ldap']->server(), $entry); if (isset($attr['cn'][0])) $_SESSION['userDN'][$dn]['cn'] = $attr['cn'][0]; if (isset($attr['uidNumber'][0])) $_SESSION['userDN'][$dn]['uidNumber'] = $attr['uidNumber'][0]; $entry = ldap_next_entry($_SESSION['ldap']->server(), $entry); } } break; case 'group': // Do we have to recreate array? if ((!isset($_SESSION['groupDN'])) || ($_SESSION['groupDN'][0] < time()-$_SESSION['config']->get_cacheTimeoutSec())) { // Remove old array if (isset($_SESSION['groupDN'])) unset($_SESSION['groupDN']); // insert timestamp in array $_SESSION['groupDN'][0] = time(); // Search 4 values which should be cached $result = @ldap_search($_SESSION['ldap']->server(), $_SESSION['config']->get_GroupSuffix(), 'objectClass=posixGroup', array('gidNumber', 'cn', 'memberUid', 'sambaSID'), 0); // Write search result in array $entry = @ldap_first_entry($_SESSION['ldap']->server(), $result); while ($entry) { $dn = (ldap_get_dn($_SESSION['ldap']->server(), $entry)); $attr = ldap_get_attributes($_SESSION['ldap']->server(), $entry); if (isset($attr['gidNumber'][0])) $_SESSION['groupDN'][$dn]['uidNumber'] = $attr['gidNumber'][0]; if (isset($attr['cn'][0])) $_SESSION['groupDN'][$dn]['cn'] = $attr['cn'][0]; if (isset($attr['sambaSID'][0])) $_SESSION['groupDN'][$dn]['sambaSID'] = $attr['sambaSID'][0]; $i=0; while (isset($attr['memberUid'][$i])) { $_SESSION['groupDN'][$dn]['memberUid'][$i] = $attr['memberUid'][$i]; $i++; } $entry = ldap_next_entry($_SESSION['ldap']->server(), $entry); } } break; case 'host': // Do we have to recreate array? if ((!isset($_SESSION['hostDN'])) || ($_SESSION['hostDN'][0] < time()-$_SESSION['config']->get_cacheTimeoutSec())) { // Remove old array if (isset($_SESSION['hostDN'])) unset($_SESSION['hostDN']); // insert timestamp in array $_SESSION['hostDN'][0] = time(); // Search 4 values which should be cached $result = @ldap_search($_SESSION['ldap']->server(), $_SESSION['config']->get_HostSuffix(), '(&(objectClass=posixAccount)(uid=*$))', array('cn', 'uidNumber'), 0); // Write search result in array $entry = @ldap_first_entry($_SESSION['ldap']->server(), $result); while ($entry) { $dn = (ldap_get_dn($_SESSION['ldap']->server(), $entry)); $attr = ldap_get_attributes($_SESSION['ldap']->server(), $entry); if (isset($attr['cn'][0])) $_SESSION['hostDN'][$dn]['cn'] = $attr['cn'][0]; if (isset($attr['uidNumber'][0])) $_SESSION['hostDN'][$dn]['uidNumber'] = $attr['uidNumber'][0]; $entry = ldap_next_entry($_SESSION['ldap']->server(), $entry); } } break; } return 0; } /* This function will search in cache if the DN already exists * $values is an account-object * $values_old is an account-object * $values_old is needed because we don't want to raise * an error if the DN allredy exists but is the original DN */ function ldapexists($values, $values_old=false) { switch ($values->type) { case 'user': // Validate cache-array ldapreload('user'); // Entry which we search in ldap ',' is needed to ensure the complete username is checked $search = 'uid='.$values->general_username.','; // Get copy of cache-array $keys = array_keys($_SESSION['userDN']); break; case 'group': // Validate cache-array ldapreload('group'); // Entry which we search in ldap ',' is needed to ensure the complete username is checked $search = 'cn='.$values->general_username.','; // Get copy of cache-array and $keys = array_keys($_SESSION['groupDN']); break; case 'host': // Validate cache-array ldapreload('host'); // Entry which we search in ldap ',' is needed to ensure the complete username is checked $search = 'uid='.$values->general_username.','; // Get copy of cache-array $keys = array_keys($_SESSION['hostDN']); break; } // Remove timestamp stored in [0] unset ($keys[0]); $keys = array_values($keys); if (!$values_old) { // Create new account // Check if entry allready exists foreach ($keys as $key) if (strstr($key, $search)) return sprintf (_('%s already exists!'), $values->type); } // edit existing account and don't create a new one else if ($values_old->general_username != $values->general_username) { foreach ($keys as $key) if (strstr($key, $search)) return sprintf (_('%s already exists!'), $values->type); } return 0; } /* This function will return an array with all groupnames * found in ldap. Groupnames are taken from cache-array. */ function findgroups() { // Validate cache-array ldapreload('group'); // Get copy of cache-array $groups = $_SESSION['groupDN']; // Remove timestamp stored in [0] unset ($groups[0]); // Create and sort array foreach ($groups as $group) { $return[] = $group['cn']; } if (is_array($return)) sort ($return, SORT_STRING); return $return; } /* This function will return the gidNumber to an existing groupname * gidNumbers are taken from cache-array */ function getgid($groupname) { // Validate cache-array ldapreload('group'); // Get copy of cache-array $keys = $_SESSION['groupDN']; // Remove timestamp stored in [0] unset ($keys[0]); // Return gidNumber as soon as it's found foreach ($keys as $key) { if ($key['cn']==$groupname) return $key['uidNumber']; } // return -1 if groupname isn't found return -1; } /* This function will return the groupname to an existing gidNumber * groupnames are taken from cache-array */ function getgrnam($gidNumber) { // Validate cache-array ldapreload('group'); // Get copy of cache-array $groupDN_local = $_SESSION['groupDN']; // Remove timestamp stored in [0] unset ($groupDN_local[0]); // Now we only have an array with DNs $groupDN_local = array_keys($groupDN_local); $i=0; // Loop until we've found the right uidNumber while (!isset($return) && isset($_SESSION['groupDN'][$groupDN_local[$i]]['uidNumber'])) { if ($_SESSION['groupDN'][$groupDN_local[$i]]['uidNumber'] == $gidNumber) { // We've found the correct entry. Now we need the groupname $return = $_SESSION['groupDN'][$groupDN_local[$i]]['cn']; } // Increase loop-variable if entry wasn't found else $i++; } // Set $return to -1 if no group was found if (!isset($return)) $return = -1; return $return; } /* This function will return an unuesed id-number if $values->general_uidNumber is not set and $values_old is false * If values_old is true and $values->general_uidNumber is not set the original id-number is returned * If $values->general_uidNumber is set id-number is checked. If it's allready in use an error will be reported * id-numbers are taken from cache-array * $values and $values_old are account objects * Return-Values is an integer id-number or an string-error */ function checkid($values, $values_old=false) { switch ($values->type) { case 'group': // Validate cache-array ldapreload('group'); // Load all needed variables from session $minID = intval($_SESSION['config']->get_MinGID()); $maxID = intval($_SESSION['config']->get_MaxGID()); // Get copy of cache-array $temp = $_SESSION['groupDN']; break; case 'user': /* Validate cache-array * Because users and hosts are using the same id-numbers we have to merge * both cache-arrays */ ldapreload('user'); ldapreload('host'); // Load all needed variables from session $minID = intval($_SESSION['config']->get_minUID()); $maxID = intval($_SESSION['config']->get_maxUID()); // load and merge arrays $temp = $_SESSION['userDN']; // Remove timestamp stored in [0] unset ($temp[0]); // put only uidNumbers in array foreach ($temp as $key) $uids[] = $key['uidNumber']; $temp = $_SESSION['hostDN']; break; case 'host': /* Validate cache-array * Because users and hosts are using the same id-numbers we have to merge * both cache-arrays */ ldapreload('user'); ldapreload('host'); // Load all needed variables from session $minID = intval($_SESSION['config']->get_minMachine()); $maxID = intval($_SESSION['config']->get_maxMachine()); // load and merge arrays $temp = $_SESSION['userDN']; // Remove timestamp stored in [0] unset ($temp[0]); // put only uidNumbers in array foreach ($temp as $key) $uids[] = $key['uidNumber']; $temp = $_SESSION['hostDN']; break; } // Remove timestamp stored in [0] unset ($temp[0]); // put only uidNumbers in array. Put only uids in array witch are smaller than maxID foreach ($temp as $key) if ($key['uidNumber'] < $maxID) $uids[] = $key['uidNumber']; // sort array with uids if(is_array($uids)) sort ($uids, SORT_NUMERIC); if ($values->general_uidNumber=='') { // No id-number given if (!isset($values_old->general_uidNumber)) { // new account -> we have to find a free id-number if (count($uids)!=0) { // There are some uids // Store highest id-number $id = $uids[count($uids)-1]; // Return minimum allowed id-number if all found id-numbers are too low if ($id < $minID) return implode(':', array($minID, '')); // Return higesht used id-number + 1 if it's still in valid range if ($id < $maxID) return implode(':', array( $id+1, '')); /* If this function is still running we have to fid a free id-number between * the used id-numbers */ $i = intval($minID); while (in_array($i, $uids)) $i++; if ($i>$maxID) return implode(':', array($values->general_uidNumber , implode(';', array('ERROR', _('ID-Number'), _('No free ID-Number!'))))); else return implode(':', array($i, implode(';', array('WARN', _('ID-Number'), _('It is possible that this ID-number is reused. This can cause several problems because files with old permissions might still exist. To avoid this warning set maxUID to a higher value.'))))); } else return implode(':', array($minID, '')); // return minimum allowed id-number if no id-numbers are found } else return implode(':', array($values_old->general_uidNumber, '')); // old account -> return id-number which has been used } else { // Check manual ID // id-number is out of valid range if ( $values->general_uidNumber < $minID || $values->general_uidNumber > $maxID) return implode(':', array($values->general_uidNumber, implode(';', array('ERROR', _('ID-Number'), sprintf(_('Please enter a value between %s and %s!'), $minID, $maxID))))); // $uids is allways an array but not if no entries were found if (is_array($uids)) { // id-number is in use and account is a new account if ((in_array($values->general_uidNumber, $uids)) && !$values_old) return implode(':', array($values->general_uidNumber, implode(';', array('ERROR', _('ID-Number'), _('ID is already in use'))))); // id-number is in use, account is existing account and id-number is not used by itself if ((in_array($values->general_uidNumber, $uids)) && $values_old && ($values_old->general_uidNumber != $values->general_uidNumber) ) return implode(':', array($values_old->general_uidNumber, implode(';', array('ERROR', _('ID-Number'), _('ID is already in use'))))); } // return id-number if everything is OK return implode(':', array($values->general_uidNumber, '')); } } // This function will return the days from 1.1.1970 until now function getdays() { $days = time() / 86400; settype($days, 'integer'); return $days; } /* This function creates all attributes stored in attrFlags. It's the same * syntax used in smbpasswd * $values is an array of samba flags as defined in account object * Return value is a string */ function smbflag($input) { // Start character $flag = "["; // Add Options if ($input['W']) $flag .= "W"; else $flag .= "U"; if ($input['D']) $flag .= "D"; if ($input['X']) $flag .= "X"; if ($input['N']) $flag .= "N"; if ($input['S']) $flag .= "S"; if ($input['H']) $flag .= "H"; // Expand string to fixed length $flag = str_pad($flag, 12); // End character $flag = $flag. "]"; return $flag; } /* This function will load all needed values from an existing user account * $dns is an array of dns(string) of the users which should be loaded * return-value is an array of account-objects * $dns can also be an string. Then return-value is a single string too */ function loaduser($dns) { // Load userattributes from ldap //$result = ldap_search($_SESSION['ldap']->server(), $dn, "objectclass=PosixAccount"); // Get uid=$user from DN // Put ldapsearch together if (is_array($dns)) { foreach ($dns as $dn) $uids[] = substr($dn, 0, strpos($dn, ',')); $search = "(|"; foreach ($uids as $uid) $search .= "($uid)"; $search .= ")"; } else $search = substr($dns, 0, strpos($dns, ',')); /* if string is langer then 1024 characters we have to search for all users and * output only the selcted users because searchfilter would be too big */ if (strlen($search)<1024) $result = ldap_search($_SESSION['ldap']->server(), $_SESSION['config']->get_UserSuffix(), $search); else $result = ldap_search($_SESSION['ldap']->server(), $_SESSION['config']->get_UserSuffix(), "uid=*"); $entry = ldap_first_entry($_SESSION['ldap']->server(), $result); // store smb_domain as samba3domain-Object if ($_SESSION['config']->is_samba3()) $samba3domains = $_SESSION['ldap']->search_domains($_SESSION[config]->get_domainSuffix()); // loop for every found user $i=0; while ($entry) { // Only load user if it should be loaded if (is_array($dns)) { if (in_array(ldap_get_dn($_SESSION['ldap']->server(), $entry), $dns)) $continue=true; else $continue=false; } else $continue=true; if ($continue) { // Create new object $return[$i] = new account(); // Set type of account $return[$i]->type='user'; // Set user samba flag $return[$i]->smb_flags['W'] = false; $return[$i]->general_dn = ldap_get_dn($_SESSION['ldap']->server(), $entry); $attr = ldap_get_attributes($_SESSION['ldap']->server(), $entry); /* Write attributes into $return. * Some values don't have to be set. These are only loaded if they are set */ $return[$i]->general_username = $attr['uid'][0]; $return[$i]->general_uidNumber = $attr['uidNumber'][0]; $return[$i]->general_homedir = $attr['homeDirectory'][0]; if (isset($attr['shadowLastChange'][0])) $return[$i]->unix_shadowLastChange = $attr['shadowLastChange'][0]; if (isset($attr['loginShell'][0])) $return[$i]->general_shell = $attr['loginShell'][0]; if (isset($attr['gecos'][0])) $return[$i]->general_gecos = utf8_decode($attr['gecos'][0]); // get groupname $return[$i]->general_group = getgrnam($attr['gidNumber'][0]); // get all additional groupmemberships // Load groups in cache ldapreload('group'); foreach ($_SESSION['groupDN'] as $group) { if (is_array($group['memberUid'])) if (in_array($return[$i]->general_username, $group['memberUid'])) $return[$i]->general_groupadd[] = $group['cn']; } /* Write attributes into $return. * Some values don't have to be set. These are only loaded if they are set */ if (isset($attr['shadowMin'][0])) $return[$i]->unix_pwdminage = $attr['shadowMin'][0]; if (isset($attr['shadowMax'][0])) $return[$i]->unix_pwdmaxage = $attr['shadowMax'][0]; if (isset($attr['shadowWarning'][0])) $return[$i]->unix_pwdwarn = $attr['shadowWarning'][0]; if (isset($attr['shadowInactive'][0])) $return[$i]->unix_pwdallowlogin = $attr['shadowInactive'][0]; if (isset($attr['shadowExpire'][0])) $return[$i]->unix_pwdexpire = $attr['shadowExpire'][0]*86400; // load hosts attributes if set $j=0; while (isset($attr['host'][$j])) { if ($j==0) $return[$i]->unix_host = $attr['host'][$j]; else $return[$i]->unix_host = $return[$i]->unix_host . ', ' . $attr['host'][$j]; $j++; } // load objectclasses $j=0; while (isset($attr['objectClass'][$j])) { $return[$i]->general_objectClass[$j] = $attr['objectClass'][$j]; $j++; } // load personal settings if (isset($attr['givenName'][0])) $return[$i]->general_givenname = utf8_decode($attr['givenName'][0]); if (isset($attr['sn'][0])) $return[$i]->general_surname = utf8_decode($attr['sn'][0]); if (isset($attr['title'][0])) $return[$i]->personal_title = utf8_decode($attr['title'][0]); if (isset($attr['mail'][0])) $return[$i]->personal_mail = utf8_decode($attr['mail'][0]); if (isset($attr['telephoneNumber'][0])) $return[$i]->personal_telephoneNumber = utf8_decode($attr['telephoneNumber'][0]); if (isset($attr['mobileTelephoneNumber'][0])) $return[$i]->personal_mobileTelephoneNumber = utf8_decode($attr['mobileTelephoneNumber'][0]); else if (isset($attr['mobile'][0])) $return[$i]->personal_mobileTelephoneNumber = utf8_decode($attr['mobile'][0]); if (isset($attr['facsimileTelephoneNumber'][0])) $return[$i]->personal_facsimileTelephoneNumber = utf8_decode($attr['facsimileTelephoneNumber'][0]); if (isset($attr['street'][0])) $return[$i]->personal_street = utf8_decode($attr['street'][0]); if (isset($attr['postalCode'][0])) $return[$i]->personal_postalCode = utf8_decode($attr['postalCode'][0]); if (isset($attr['postalAddress'][0])) $return[$i]->personal_postalAddress = utf8_decode($attr['postalAddress'][0]); if (isset($attr['employeeType'][0])) $return[$i]->personal_employeeType = utf8_decode($attr['employeeType'][0]); if (isset($attr['userPassword'][0])) { $return[$i]->unix_password = $attr['userPassword'][0]; $return[$i]->unix_deactivated=!pwd_is_enabled($attr['userPassword'][0]); } if (isset($attr['displayName'][0])) $return[$i]->smb_displayName = utf8_decode($attr['displayName'][0]); // sambaSamAccount (Samba3) is used. if (in_array('sambaSamAccount', $attr['objectClass'])) { /* Write attributes into $return. * Some values don't have to be set. These are only loaded if they are set */ if (isset($attr['sambaAcctFlags'][0])) { if (strrpos($attr['sambaAcctFlags'][0], 'D')) $return[$i]->smb_flags['D']=true; if (strrpos($attr['sambaAcctFlags'][0], 'X')) $return[$i]->smb_flags['X']=true; if (strrpos($attr['sambaAcctFlags'][0], 'N')) $return[$i]->smb_flags['N']=true; if (strrpos($attr['sambaAcctFlags'][0], 'S')) $return[$i]->smb_flags['S']=true; if (strrpos($attr['sambaAcctFlags'][0], 'H')) $return[$i]->smb_flags['H']=true; } if (isset($attr['sambaPwdCanChange'][0])) $return[$i]->smb_pwdcanchange = $attr['sambaPwdCanChange'][0]; if (isset($attr['sambaPwdMustChange'][0])) $return[$i]->smb_pwdmustchange = $attr['sambaPwdMustChange'][0]; if (isset($attr['sambaHomePath'][0])) $return[$i]->smb_smbhome = utf8_decode($attr['sambaHomePath'][0]); if (isset($attr['sambaHomeDrive'][0])) $return[$i]->smb_homedrive = $attr['sambaHomeDrive'][0]; if (isset($attr['sambaLogonScript'][0])) $return[$i]->smb_scriptPath = utf8_decode($attr['sambaLogonScript'][0]); if (isset($attr['sambaProfilePath'][0])) $return[$i]->smb_profilePath = $attr['sambaProfilePath'][0]; if (isset($attr['sambaUserWorkstations'][0])) $return[$i]->smb_smbuserworkstations = $attr['sambaUserWorkstations'][0]; if (isset($attr['sambaNTPassword'][0])) $return[$i]->smb_password = $attr['sambaNTPassword'][0]; if (isset($attr['sambaDomainName'][0])) { if ($_SESSION['config']->is_samba3()) { $j=0; while (!isset($return[$i]->smb_domain) && (count($samba3domains)>$j)) { if ($attr['sambaDomainName'][0] == $samba3domains[$j]->name) $return[$i]->smb_domain = $samba3domains[$j]; else $j++; } } // store smb_domain as string if (!isset($return[$i]->smb_domain)) $return[$i]->smb_domain = $attr['sambaDomainName']; } if (isset($attr['sambaPrimaryGroupSID'][0])) { if ($_SESSION['config']->is_samba3()) // store "real" SID if we want to save user as samba3 entry $return[$i]->smb_mapgroup = $attr['sambaPrimaryGroupSID'][0]; // store "calculated" id if we want to save user as samba2.2 entry else $return[$i]->smb_mapgroup = 2*$attr['gidNumber'][0]+1001; } } // sambaSamAccount (Samba2.2) is used. // second argument should prevent samba3 settings to be overwritten from samba 2.2 settings if ( (in_array('sambaAccount', $attr['objectClass'])) && (!$_SESSION['config']->is_samba3() || !isset($return[$i]->smb_domain))) { if (isset($attr['acctFlags'][0])) { if (strrpos($attr['acctFlags'][0], 'D')) $return[$i]->smb_flags['D']=true; if (strrpos($attr['acctFlags'][0], 'X')) $return[$i]->smb_flags['X']=true; if (strrpos($attr['acctFlags'][0], 'N')) $return[$i]->smb_flags['N']=true; if (strrpos($attr['acctFlags'][0], 'S')) $return[$i]->smb_flags['S']=true; if (strrpos($attr['acctFlags'][0], 'H')) $return[$i]->smb_flags['H']=true; } if (isset($attr['ntPassword'][0])) $return[$i]->smb_password = $attr['ntPassword'][0]; if (isset($attr['smbHome'][0])) $return[$i]->smb_smbhome = utf8_decode($attr['smbHome'][0]); if (isset($attr['pwdCanChange'][0])) $return[$i]->smb_pwdcanchange = $attr['pwdCanChange'][0]; if (isset($attr['pwdMustChange'][0])) $return[$i]->smb_pwdmustchange = $attr['pwdMustChange'][0]; if (isset($attr['homeDrive'][0])) $return[$i]->smb_homedrive = $attr['homeDrive'][0]; if (isset($attr['scriptPath'][0])) $return[$i]->smb_scriptPath = utf8_decode($attr['scriptPath'][0]); if (isset($attr['profilePath'][0])) $return[$i]->smb_profilePath = $attr['profilePath'][0]; if (isset($attr['userWorkstations'][0])) $return[$i]->smb_smbuserworkstations = $attr['userWorkstations'][0]; if (isset($attr['domain'][0])) { if ($_SESSION['config']->is_samba3()) { $j=0; while (!isset($return[$i]->smb_domain) && (count($samba3domains)>$j)) { if ($attr['domain'][0] == $samba3domains[$j]->name) $return[$i]->smb_domain = $samba3domains[$j]; else $j++; } } // store smb_domain as string if (!isset($return[$i]->smb_domain)) $return[$i]->smb_domain = $attr['domain']; } if (isset($attr['primaryGroupID'][0])) { if ($_SESSION['config']->is_samba3()) // store "real" SID if we want to save user as samba3 entry $return[$i]->smb_mapgroup = $return[$i]->smb_domain->SID. '-' . (2*$attr['primaryGroupID'][0]+1); // store "calculated" id if we want to save user as samba2.2 entry else $return[$i]->smb_mapgroup = $attr['primaryGroupID'][0]; } } } $i++; $entry = ldap_next_entry($_SESSION['ldap']->server(), $entry); } // Return array if $dns is an array // else return string if (is_array($dns)) return $return; else return $return[0]; } /* This function will load all needed values from an existing host account * $dn is the dn(string) of the host which should be loaded * return-value is an account-object */ function loadhost($dn) { // Create new object $return = new account(); // Set type of account $return->type='host'; // Load hostattributes from ldap $result = ldap_search($_SESSION['ldap']->server(), $dn, "objectclass=PosixAccount"); $entry = ldap_first_entry($_SESSION['ldap']->server(), $result); $return->general_dn = (ldap_get_dn($_SESSION['ldap']->server(), $entry)); $attr = ldap_get_attributes($_SESSION['ldap']->server(), $entry); // Set host samba flags $return->smb_flags['W'] = true; $return->smb_flags['X'] = true; // load objectclasses $i=0; while (isset($attr['objectClass'][$i])) { $return->general_objectClass[$i] = $attr['objectClass'][$i]; $i++; } $return->general_username = $attr['uid'][0]; $return->general_uidNumber = $attr['uidNumber'][0]; if (isset($attr['gecos'][0])) $return->general_gecos = utf8_decode($attr['gecos'][0]); // Get Groupname $return->general_group = getgrnam($attr['gidNumber'][0]); // sambaSamAccount (Samba3) is used. if (in_array('sambaSamAccount', $attr['objectClass'])) { /* Write attributes into $return. * Some values don't have to be set. These are only loaded if they are set */ if (isset($attr['sambaAcctFlags'][0])) { // we load a workstation $return->smb_flags['W']=true; if (strrpos($attr['sambaAcctFlags'][0], 'X')) $return->smb_flags['X']=true; // Because the "D"-Flag is ignored for hosts it has been removed } if (isset($attr['sambaDomainName'][0])) { if ($_SESSION['config']->is_samba3()) { // store smb_domain as samba3domain-Object $samba3domains = $_SESSION['ldap']->search_domains($_SESSION[config]->get_domainSuffix()); $i=0; while (!isset($return->smb_domain) && (count($samba3domains)>$i)) { if ($attr['sambaDomainName'][0] == $samba3domains[$i]->name) $return->smb_domain = $samba3domains[$i]; else $i++; } } // store smb_domain as string if (!isset($return->smb_domain)) $return->smb_domain = $attr['sambaDomainName']; } if (isset($attr['sambaPrimaryGroupSID'][0])) { if ($_SESSION['config']->is_samba3()) // store "real" SID if we want to save user as samba3 entry $return->smb_mapgroup = $attr['sambaPrimaryGroupSID'][0]; // store "calculated" id if we want to save user as samba2.2 entry else $return->smb_mapgroup = 2*$attr['gidNumber'][0]+1001; } // return value to prevent loaded values to be overwritten from old samba 2.2 attributes if ($_SESSION['config']->is_samba3()) return $return; } // sambaSamAccount (Samba2.2) is used. if (in_array('sambaAccount', $attr['objectClass'])) { if (isset($attr['acctFlags'][0])) { // we load a workstation $return->smb_flags['W']=true; if (strrpos($attr['acctFlags'][0], 'X')) $return->smb_flags['X']=true; // Because the "D"-Flag is ignored for hosts it has been removed } if (isset($attr['domain'][0])) { if ($_SESSION['config']->is_samba3()) { // store smb_domain as samba3domain-Object $samba3domains = $_SESSION['ldap']->search_domains($_SESSION[config]->get_domainSuffix()); $i=0; while (!isset($return->smb_domain) && (count($samba3domains)>$i)) { if ($attr['domain'][0] == $samba3domains[$i]->name) $return->smb_domain = $samba3domains[$i]; else $i++; } } // store smb_domain as string if (!isset($return->smb_domain)) $return->smb_domain = $attr['domain']; } if (isset($attr['primaryGroupID'][0])) { if ($_SESSION['config']->is_samba3()) // store "real" SID if we want to save user as samba3 entry $return->smb_mapgroup = $return->smb_domain->SID. '-' . (2*$attr['primaryGroupID'][0]+1); // store "calculated" id if we want to save user as samba2.2 entry else $return->smb_mapgroup = $attr['primaryGroupID'][0]; } } return $return; } /* This function will load all needed values from an existing group account * $dn is the dn(string) of the group which should be loaded * return-value is an account-object */ function loadgroup($dn) { // Create new object $return = new account(); // Set type of account $return->type='group'; // Load userattributes from ldap $result = ldap_search($_SESSION['ldap']->server(), $dn, "objectclass=PosixGroup"); $entry = ldap_first_entry($_SESSION['ldap']->server(), $result); $return->general_dn = (ldap_get_dn($_SESSION['ldap']->server(), $entry)); $attr = ldap_get_attributes($_SESSION['ldap']->server(), $entry); /* Write attributes into $return. * Some values don't have to be set. These are only loaded if they are set */ // load objectclasses $i=0; while (isset($attr['objectClass'][$i])) { $return->general_objectClass[$i] = $attr['objectClass'][$i]; $i++; } // Load Users which are also members of group $i=0; while (isset($attr['memberUid'][$i])) { $return->unix_memberUid[$i] = $attr['memberUid'][$i]; $i++; } $return->general_uidNumber = $attr['gidNumber'][0]; $return->general_username = $attr['cn'][0]; if (isset($attr['description'][0])) $return->general_gecos = utf8_decode($attr['description'][0]); if (isset($attr['sambaSID'][0])) { // Samba3 Samba 2.2 don't have any objects for groups $return->smb_mapgroup = $attr['sambaSID'][0]; if (isset($attr['displayName'][0])) $return->smb_displayName = utf8_decode($attr['displayName'][0]); // extract SID from sambaSID to find domain $temp = explode('-', $attr['sambaSID'][0]); $SID = $temp[0].'-'.$temp[1].'-'.$temp[2].'-'.$temp[3].'-'.$temp[4].'-'.$temp[5].'-'.$temp[6]; $samba3domains = $_SESSION['ldap']->search_domains($_SESSION[config]->get_domainSuffix()); $i=0; while (!isset($return->smb_domain) && (count($samba3domains)>$i)) { if ($SID == $samba3domains[$i]->SID) $return->smb_domain = $samba3domains[$i]; else $i++; } } return $return; } /* This function will create a new user acconut in ldap * $values is an account-object with all attributes of the user * if lamdaemon.pl is false no quotas are set. Usefull for massupload and deletion * return-value is an integer * 1 == Account has been created * 2 == Account already exists at different location * 4 == Error while creating Account */ function createuser($values, $uselamdaemon=true) { // These Objectclasses are needed for an user account $attr['objectClass'][0] = 'posixAccount'; $attr['objectClass'][1] = 'shadowAccount'; $attr['objectClass'][2] = 'inetOrgPerson'; // Create DN for new user account $values->general_dn = 'uid=' . $values->general_username . ',' . $values->general_dn; // decrypt password because we don't want to store them unencrypted in session if ($values->unix_password != '') { $values->unix_password = $_SESSION['ldap']->decrypt(base64_decode($values->unix_password)); } if ($values->smb_password != '') { $values->smb_password = $_SESSION['ldap']->decrypt(base64_decode($values->smb_password)); } // Attributes which are required $attr['cn'] = $values->general_username; $attr['uid'] = $values->general_username; $attr['uidNumber'] = $values->general_uidNumber; $attr['gidNumber'] = getgid($values->general_group); $attr['homeDirectory'] = $values->general_homedir; $attr['givenName'] = utf8_encode($values->general_givenname); $attr['sn'] = utf8_encode($values->general_surname); // values stored in shadowExpire, days since 1.1.1970 if (isset($values->unix_pwdexpire)) $attr['shadowExpire'] = intval($values->unix_pwdexpire / 86400) ; /* Write unix attributes into $attr array * Some values don't have to be set. These are only loaded if they are set */ $attr['loginShell'] = $values->general_shell; // posixAccount_may $attr['gecos'] = utf8_encode(replace_umlaut($values->general_gecos)); // posixAccount_may $attr['description'] = utf8_encode($values->general_gecos); // posixAccount_may sambaAccount_may if ($values->unix_pwdminage!='') $attr['shadowMin'] = $values->unix_pwdminage; // shadowAccount_may if ($values->unix_pwdmaxage!='') $attr['shadowMax'] = $values->unix_pwdmaxage; // shadowAccount_may if ($values->unix_pwdwarn!='') $attr['shadowWarning'] = $values->unix_pwdwarn; // shadowAccount_may if ($values->unix_pwdallowlogin!='') $attr['shadowInactive'] = $values->unix_pwdallowlogin; // shadowAccount_may // Set unix password $attr['shadowLastChange'] = getdays(); // shadowAccount_may if ($values->unix_password_no) $values->unix_password = ''; if ($values->unix_deactivated) $attr['userPassword'] = pwd_hash($values->unix_password, false); else $attr['userPassword'] = pwd_hash($values->unix_password); // explode host-string and save every allowed host as separate attribute $values->unix_host = str_replace(' ', '', $values->unix_host); $hosts = explode (',', $values->unix_host); $i=0; while(isset($hosts[$i])) { if ($hosts[$i]!='') $attr['host'][$i] = $hosts[$i]; $i++; } // Samba attributes if ($_SESSION['config']->is_samba3()) { // Add all attributes as samba3 objectclass $attr['objectClass'][3] = 'sambaSamAccount'; if ($values->smb_flags['N']) { // Don't set samba-passwords $attr['sambaNTPassword'] = 'NO PASSWORD*****'; $attr['sambaLMPassword'] = 'NO PASSWORD*****'; } else { // use escapeshellarg() to make command shell-secure // Set samba-passwords with external perl-script $attr['sambaNTPassword'] = exec(escapeshellarg($_SESSION['lampath'].'lib/createntlm.pl')." nt ".escapeshellarg($values->smb_password)); $attr['sambaLMPassword'] = exec(escapeshellarg($_SESSION['lampath'].'lib/createntlm.pl')." lm ".escapeshellarg($values->smb_password)); } $attr['sambaPwdLastSet'] = time(); // Generate SID $attr['sambaSID'] = $values->smb_domain->SID . "-" . (2 * $values->general_uidNumber + $values->smb_domain->RIDbase); // sambaAccount_may //if ($values->smb_mapgroup!='') $attr['sambaPrimaryGroupSID'] = $values->smb_mapgroup; // sambaAccount_req ldapreload('group'); foreach ($_SESSION['groupDN'] as $groupname) { if ($groupname['cn'] == $values->general_group) $attr['sambaPrimaryGroupSID'] = $groupname['sambaSID']; } if ($values->smb_pwdcanchange!='') $attr['sambaPwdCanChange'] = $values->smb_pwdcanchange; // sambaAccount_may else $attr['sambaPwdCanChange'] = time(); // sambaAccount_may if ($values->smb_pwdmustchange!='') $attr['sambaPwdMustChange'] = $values->smb_pwdmustchange; // sambaAccount_may else $attr['sambaPwdMustChange'] = time() + 1000000000; // sambaAccount_may $attr['sambaAcctFlags'] = smbflag($values->smb_flags); // sambaAccount_may $attr['displayName'] = $values->general_gecos; // sambaAccount_may if ($values->smb_smbhome!='') $attr['sambaHomePath'] = utf8_encode($values->smb_smbhome); // sambaAccount_may if ($values->smb_homedrive!='') $attr['sambaHomeDrive'] = $values->smb_homedrive; // sambaAccount_may if ($values->smb_scriptPath!='') $attr['sambaLogonScript'] = utf8_encode($values->smb_scriptPath); // sambaAccount_may if ($values->smb_profilePath!='') $attr['sambaProfilePath'] = $values->smb_profilePath; // sambaAccount_may if ($values->smb_smbuserworkstations!='') $attr['sambaUserWorkstations'] = $values->smb_smbuserworkstations; // sambaAccount_may if ($values->smb_domain!='') $attr['sambaDomainName'] = $values->smb_domain->name; // sambaAccount_may } else { // Add all attributes as samba2.2 objectclass $attr['objectClass'][3] = 'sambaAccount'; if ($values->smb_flags['N']) { // Don't set samba-passwords $attr['ntPassword'] = 'NO PASSWORD*****'; $attr['lmPassword'] = 'NO PASSWORD*****'; } else { // use escapeshellarg() to make command shell-secure // Set samba-passwords with external perl-script $attr['ntPassword'] = exec(escapeshellarg($_SESSION['lampath'].'lib/createntlm.pl')." nt ".escapeshellarg($values->smb_password)); $attr['lmPassword'] = exec(escapeshellarg($_SESSION['lampath'].'lib/createntlm.pl')." lm ".escapeshellarg($values->smb_password)); } $attr['pwdLastSet'] = time(); // Generate pseudo SID $attr['rid'] = (2 * $values->general_uidNumber + 1000); // sambaAccount_may $attr['primaryGroupID'] = $values->smb_mapgroup; // sambaAccount_req if ($values->smb_pwdcanchange!='') $attr['pwdCanChange'] = $values->smb_pwdcanchange; // sambaAccount_may else $attr['pwdCanChange'] = time(); // sambaAccount_may if ($values->smb_pwdmustchange!='') $attr['pwdMustChange'] = $values->smb_pwdmustchange; // sambaAccount_may else $attr['pwdMustChange'] = time() + 1000000000; // sambaAccount_may $attr['pwdMustChange'] = $values->smb_pwdmustchange; // sambaAccount_may $attr['acctFlags'] = smbflag($values->smbflags); // sambaAccount_may $attr['displayName'] = $values->general_gecos; // sambaAccount_may if ($values->smb_smbhome!='') $attr['smbHome'] = utf8_encode($values->smb_smbhome); // sambaAccount_may if ($values->smb_homedrive!='') $attr['homeDrive'] = $values->smb_homedrive; // sambaAccount_may if ($values->smb_scriptPath!='') $attr['scriptPath'] = utf8_encode($values->smb_scriptPath); // sambaAccount_may if ($values->smb_profilePath!='') $attr['profilePath'] = $values->smb_profilePath; // sambaAccount_may if ($values->smb_smbuserworkstations!='') $attr['userWorkstations'] = $values->smb_smbuserworkstations; // sambaAccount_may if ($values->smb_domain!='') $attr['domain'] = $values->smb_domain; // sambaAccount_may } $attr['displayName'] = utf8_encode($values->smb_displayName); // sambaAccount_may // personal attributes if ($values->personal_title!='') $attr['title'] = utf8_encode($values->personal_title); if ($values->personal_mail!='') $attr['mail'] = utf8_encode($values->personal_mail); if ($values->personal_telephoneNumber!='') $attr['telephoneNumber'] = utf8_encode($values->personal_telephoneNumber); if ($values->personal_mobileTelephoneNumber!='') $attr['mobileTelephoneNumber'] = utf8_encode($values->personal_mobileTelephoneNumber); if ($values->personal_facsimileTelephoneNumber!='') $attr['facsimileTelephoneNumber'] = utf8_encode($values->personal_facsimileTelephoneNumber); if ($values->personal_street!='') $attr['street'] = utf8_encode($values->personal_street); if ($values->personal_postalCode!='') $attr['postalCode'] = utf8_encode($values->personal_postalCode); if ($values->personal_postalAddress!='') $attr['postalAddress'] = utf8_encode($values->personal_postalAddress); if ($values->personal_employeeType!='') $attr['employeeType'] = utf8_encode($values->personal_employeeType); // Create LDAP user account $success = ldap_add($_SESSION['ldap']->server(),$values->general_dn, $attr); // Continue if now error did ocour if (!$success) return 4; if ($_SESSION['config']->scriptServer && $uselamdaemon) { // lamdaemon.pl should be used // Set quotas if quotas are used if (is_array($values->quota)) setquotas(array($values)); // Create Homedirectory addhomedir(array($values->general_username)); } // Add User to Additional Groups if (isset($values->general_groupadd[0])) // Loop for every group foreach ($values->general_groupadd as $group2) { // Search for group in LDAP $result = ldap_search($_SESSION['ldap']->server(), $_SESSION['config']->get_GroupSuffix(), "(&(objectclass=posixGroup)(cn=$group2))", array('')); $entry = ldap_first_entry($_SESSION['ldap']->server(), $result); // Get DN $dn = (ldap_get_dn($_SESSION['ldap']->server(), $entry)); // Add user to group $success = ldap_mod_add($_SESSION['ldap']->server(), $dn, array('memberUid' => $values->general_username)); if (!$success) return 4; // Add new memberUid to cache-array ldapreload('group'); $_SESSION['groupDN'][$dn]['memberUid'][] = $values->general_username; } // Add new user to cache-array if ((isset($_SESSION['userDN']))) { $_SESSION['userDN'][$values->general_dn]['cn'] = $values->general_username; $_SESSION['userDN'][$values->general_dn]['uidNumber'] = $values->general_uidNumber; } // Everything is OK, return 1 return 1; } /* This function will modify a user acconut in ldap * $values and $values_old are an account-object with all * attributes of the user. * if lamdaemon.pl is false no quotas are set. Usefull for massupload and deletion * Only attributes which have changed will be written * return-value is an integer * 2 == Account already exists at different location * 3 == Account has been modified * 5 == Error while modifying Account */ function modifyuser($values,$values_old,$uselamdaemon=true) { // Will modify the LDAP-Account // Add missing objectclasses to user if (!in_array('posixAccount', $values->general_objectClass)) { $attr['objectClass'] = $values->general_objectClass; $attr['objectClass'][] = 'posixAccount'; } if (!in_array('shadowAccount', $values->general_objectClass)) { if (!isset($attr['objectClass'])) $attr['objectClass'] = $values->general_objectClass; $attr['objectClass'][] = 'shadowAccount'; } // Create DN for new user account $values->general_dn = 'uid=' . $values->general_username . ',' . $values->general_dn; // decrypt password because we don't want to store them unencrypted in session if ($values->unix_password != '') { $values->unix_password = $_SESSION['ldap']->decrypt(base64_decode($values->unix_password)); } if ($values->smb_password != '') { $values->smb_password = $_SESSION['ldap']->decrypt(base64_decode($values->smb_password)); } // Attributes which are required if ($values->general_username != $values_old->general_username) { $attr['cn'] = $values->general_username; $attr['uid'] = $values->general_username; } if ($values->general_uidNumber != $values_old->general_uidNumber) { $attr['uidNumber'] = $values->general_uidNumber; // Because sambaSid(rid) is related to uidNumber we have to change it if uidNumbaer has changed if ($_SESSION['config']->is_samba3()) $attr['sambaSid'] = $values->smb_domain->SID . "-" . (2 * $values->general_uidNumber + $values->smb_domain->RIDbase); else $attr['rid'] = (2 * $values->general_uidNumber + 1000); } if ($values->general_group != $values_old->general_group) { $attr['gidNumber'] = getgid($values->general_group); // Because primaryGroup(S)ID is related to gidNumber we have to change it if gidNumber has changed if ($_SESSION['config']->is_samba3()) { // We use samba 3 schema // Change SID only if we don't use a well known SID ldapreload('group'); foreach ($_SESSION['groupDN'] as $groupname) { if ($groupname['cn'] == $values->general_group) $attr['sambaPrimaryGroupSID'] = $groupname['sambaSID']; } } else { // We use old samba 2.2 schema // Change SID only if we don't use a well known SID if ($values->smb_mapgroup== '512') $found=true; if ($values->smb_mapgroup== '513') $found=true; if ($values->smb_mapgroup== '514') $found=true; if (!$found) $attr['primaryGroupID'] = (2 * getgid($values->general_group) + 1001); } } if ($values->general_homedir != $values_old->general_homedir) $attr['homeDirectory'] = $values->general_homedir; if ($values->general_givenname!=$values_old->general_givenname) $attr['givenName'] = utf8_encode($values->general_givenname); if ($values->general_surname!=$values_old->general_surname) $attr['sn'] = utf8_encode($values->general_surname); /* Write unix attributes into $attr array * Some values don't have to be set. These are only loaded if they are set */ if ($values->general_shell != $values_old->general_shell) $attr['loginShell'] = $values->general_shell; if ($values->general_gecos != $values_old->general_gecos) { $attr['gecos'] = utf8_encode(replace_umlaut($values->general_gecos)); $attr['description'] = utf8_encode($values->general_gecos); } if (($values->unix_pwdminage != $values_old->unix_pwdminage) && ($values->unix_pwdminage !='')) $attr['shadowMin'] = $values->unix_pwdminage; // shadowAccount_may if (($values->unix_pwdminage != $values_old->unix_pwdminage) && ($values->unix_pwdminage =='')) $attr_rem['shadowMin'] = $values_old->unix_pwdminage; // shadowAccount_may if (($values->unix_pwdmaxage != $values_old->unix_pwdmaxage) && ($values->unix_pwdmaxage !='')) $attr['shadowMax'] = $values->unix_pwdmaxage; // shadowAccount_may if (($values->unix_pwdmaxage != $values_old->unix_pwdmaxage) && ($values->unix_pwdmaxage =='')) $attr_rem['shadowMax'] = $values_old->unix_pwdmaxage; // shadowAccount_may if (($values->unix_pwdwarn != $values_old->unix_pwdwarn) && ($values->unix_pwdwarn !='')) $attr['shadowWarning'] = $values->unix_pwdwarn; // shadowAccount_may if (($values->unix_pwdwarn != $values_old->unix_pwdwarn) && ($values->unix_pwdwarn =='')) $attr_rem['shadowWarning'] = $values_old->unix_pwdwarn; // shadowAccount_may if (($values->unix_pwdallowlogin != $values_old->unix_pwdallowlogin) && ($values->unix_pwdallowlogin !='')) $attr['shadowInactive'] = $values->unix_pwdallowlogin; // shadowAccount_may if (($values->unix_pwdallowlogin != $values_old->unix_pwdallowlogin) && ($values->unix_pwdallowlogin =='')) $attr_rem['shadowInactive'] = $values_old->unix_pwdallowlogin; // shadowAccount_may // Check if shadow expire has changed if ($values->unix_pwdexpire != $values_old->unix_pwdexpire) $attr['shadowExpire'] = intval($values->unix_pwdexpire / 86400) ; // Set unix password if ($values->unix_password=='') { // $values->unix_password=='' means use old password if ($values->unix_deactivated != $values_old->unix_deactivated) { // (de)activate password // Split old password hash in {CRYPT} and password-hash $i = 0; while ($values_old->unix_password{$i} != '}') $i++; $passwd = substr($values_old->unix_password, $i+1 ); $crypt = substr($values_old->unix_password, 0, $i+1 ); // remove trailing ! from password hash if ($passwd{0} == '!') $passwd = substr($passwd, 1); // Write new password if ($values->unix_deactivated) $attr['userPassword'] = $crypt.'!'.$passwd; else $attr['userPassword'] = $crypt.$passwd; } if ($values->unix_password_no) { // use no password if ($values->unix_deactivated) $attr['userPassword'] = pwd_hash('', false); else $attr['userPassword'] = pwd_hash(''); $attr['shadowLastChange'] = getdays(); // shadowAccount_may } } else { // Set new password if ($values->unix_password_no) $values->unix_password = ''; if ($values->unix_deactivated) $attr['userPassword'] = pwd_hash($values->unix_password, false); else $attr['userPassword'] = pwd_hash($values->unix_password); $attr['shadowLastChange'] = getdays(); // shadowAccount_may } // explode host-string and save every allowed host as separate attribute if (($values->unix_host != $values_old->unix_host)) { $values->unix_host = str_replace(' ', '', $values->unix_host); $host = explode (',', $values->unix_host); $values_old->unix_host = str_replace(' ', '', $values_old->unix_host); $host_old = explode (',', $values_old->unix_host); if ($host[0]=='') $attr_rem['host'] = $host_old; else if ($host[0]!='') $attr['host'] = $host; } // Samba attributes if ($_SESSION['config']->is_samba3()) { if (!in_array('sambaSamAccount', $values->general_objectClass)) { // We have to convert sambaAccount Objectclass to sambaSamAccount objectclass if (!isset($attr['objectClass'])) $attr['objectClass'] = $values->general_objectClass; $attr['objectClass'][] = 'sambaSamAccount'; // unset old sambaAccount objectClass for ($i=0; $iserver(), $values_old->general_dn, "objectclass=PosixAccount"); $entry = ldap_first_entry($_SESSION['ldap']->server(), $result); $attr_old = ldap_get_attributes($_SESSION['ldap']->server(), $entry); // Add new attributed if (isset($attr_old['lmPassword'][0])) $attr['sambaLMPassword'] = $attr_old['lmPassword'][0]; if (isset($attr_old['ntPassword'][0])) $attr['sambaNTPassword'] = $attr_old['ntPassword'][0]; if (isset($attr_old['pwdLastSet'][0])) $attr['sambaPwdLastSet'] = $attr_old['pwdLastSet'][0]; if (isset($attr_old['logonTime'][0])) $attr['sambaLogonTime'] = $attr_old['logonTime'][0]; if (isset($attr_old['logoffTime'][0])) $attr['sambaLogoffTime'] = $attr_old['logoffTime'][0]; if (isset($attr_old['kickoffTime'][0])) $attr['sambaKickoffTime'] = $attr_old['kickoffTime'][0]; if (isset($attr_old['pwdCanChange'][0])) $attr['sambaPwdCanChange'] = $attr_old['pwdCanChange'][0]; if (isset($attr_old['pwdMustChange'][0])) $attr['sambaPwdMustChange'] = $attr_old['pwdMustChange'][0]; if (isset($attr_old['smbHome'][0])) $attr['sambaHomePath'] = $attr_old['smbHome'][0]; if (isset($attr_old['homeDrive'][0])) $attr['sambaHomeDrive'] = $attr_old['homeDrive'][0]; if (isset($attr_old['scriptPath'][0])) $attr['sambaLogonScript'] = $attr_old['scriptPath'][0]; if (isset($attr_old['profilePath'][0])) $attr['sambaProfilePath'] = $attr_old['profilePath'][0]; if (isset($attr_old['userWorkstations'][0])) $attr['sambaUserWorkstations'] = $attr_old['userWorkstations'][0]; // Values used from account object $attr['displayName'] = utf8_encode($values->smb_displayName); // sambaAccount_may $attr['sambaAcctFlags'] = smbflag($values->flags); // sambaAccount_may $attr['sambaDomainName'] = $values->smb_domain->name; // sambaAccount_may $attr['sambaSid'] = $values->smb_domain->SID . "-" . (2 * $values->general_uidNumber + $values->smb_domain->RIDbase); // sambaAccount_may $attr['sambaPrimaryGroupSID'] = $values->smb_mapgroup; // sambaAccount_req // remove old attributes if (in_array('sambaAccount', $attr_old['objectClass'])) $attr_rem['objectClass'] = 'sambaAccount'; if (isset($attr_old['lmPassword'][0])) $attr_rem['lmPassword'] = $attr_old['lmPassword'][0]; if (isset($attr_old['ntPassword'][0])) $attr_rem['ntPassword'] = $attr_old['ntPassword'][0]; if (isset($attr_old['pwdLastSet'][0])) $attr_rem['pwdLastSet'] = $attr_old['pwdLastSet'][0]; if (isset($attr_old['logonTime'][0])) $attr_rem['logonTime'] = $attr_old['logonTime'][0]; if (isset($attr_old['kickoffTime'][0])) $attr_rem['kickoffTime'] = $attr_old['kickoffTime'][0]; if (isset($attr_old['pwdCanChange'][0])) $attr_rem['pwdCanChange'] = $attr_old['pwdCanChange'][0]; if (isset($attr_old['pwdMustChange'][0])) $attr_rem['pwdMustChange'] = $attr_old['pwdMustChange'][0]; if (isset($attr_old['smbHome'][0])) $attr_rem['smbHome'] = $attr_old['smbHome'][0]; if (isset($attr_old['acctFlags'][0])) $attr_rem['acctFlags'] = $attr_old['acctFlags'][0]; if (isset($attr_old['homeDrive'][0])) $attr_rem['homeDrive'] = $attr_old['homeDrive'][0]; if (isset($attr_old['scriptPath'][0])) $attr_rem['scriptPath'] = $attr_old['scriptPath'][0]; if (isset($attr_old['profilePath'][0])) $attr_rem['profilePath'] = $attr_old['profilePath'][0]; if (isset($attr_old['userWorkstations'][0])) $attr_rem['userWorkstations'] = $attr_old['userWorkstations'][0]; if (isset($attr_old['primaryGroupID'][0])) $attr_rem['primaryGroupID'] = $attr_old['primaryGroupID'][0]; if (isset($attr_old['domain'][0])) $attr_rem['domain'] = $attr_old['domain'][0]; if (isset($attr_old['rid'][0])) $attr_rem['rid'] = $attr_old['rid'][0]; } // Set all changed values if ($values->smb_flags['N']) { // use no samba Password $attr['sambaNTPassword'] = 'NO PASSWORD*****'; $attr['sambaLMPassword'] = 'NO PASSWORD*****'; $attr['sambaPwdLastSet'] = time(); // sambaAccount_may } else if ($values->smb_password!='') { // use escapeshellarg() to make command shell-secure // Set samba-passwords with external perl-script $attr['sambaNTPassword'] = exec(escapeshellarg($_SESSION['lampath'].'lib/createntlm.pl')." nt ".escapeshellarg($values->smb_password)); $attr['sambaLMPassword'] = exec(escapeshellarg($_SESSION['lampath'].'lib/createntlm.pl')." lm ".escapeshellarg($values->smb_password)); $attr['sambaPwdLastSet'] = time(); // sambaAccount_may } // Check which Samba-Attributes have changed if ($values->smb_pwdcanchange != $values_old->smb_pwdcanchange) $attr['sambaPwdCanChange'] = $values->smb_pwdcanchange; // sambaAccount_may if ($values->smb_pwdmustchange != $values_old->smb_pwdmustchange) $attr['sambaPwdMustChange'] = $values->smb_pwdmustchange; // sambaAccount_may if (smbflag($values->smb_flags) != smbflag($values_old->smb_flags)) $attr['sambaAcctFlags'] = smbflag($values->smb_flags); // sambaAccount_may if (($values->smb_smbhome!='') && ($values->smb_smbhome!=$values_old->smb_smbhome)) $attr['sambaHomePath'] = utf8_encode($values->smb_smbhome); // sambaAccount_may if (($values->smb_smbhome=='') && ($values->smb_smbhome!=$values_old->smb_smbhome)) $attr_rem['sambaHomePath'] = utf8_encode($values_old->smb_smbhome); // sambaAccount_may if (($values->smb_homedrive!='') && ($values->smb_homedrive!=$values_old->smb_homedrive)) $attr['sambaHomeDrive'] = $values->smb_homedrive; // sambaAccount_may if (($values->smb_homedrive=='') && ($values->smb_homedrive!=$values_old->smb_homedrive)) $attr_rem['sambaHomeDrive'] = $values_old->smb_homedrive; // sambaAccount_may if (($values->smb_scriptPath!='') && ($values->smb_scriptPath!=$values_old->smb_scriptPath)) $attr['sambaLogonScript'] = utf8_encode($values->smb_scriptPath); // sambaAccount_may if (($values->smb_scriptPath=='') && ($values->smb_scriptPath!=$values_old->smb_scriptPath)) $attr_rem['sambaLogonScript'] = utf8_encode($values_old->smb_scriptPath); // sambaAccount_may if (($values->smb_profilePath!='') && ($values->smb_profilePath!=$values_old->smb_profilePath)) $attr['sambaProfilePath'] = $values->smb_profilePath; // sambaAccount_may if (($values->smb_profilePath=='') && ($values->smb_profilePath!=$values_old->smb_profilePath)) $attr_rem['sambaProfilePath'] = $values_old->smb_profilePath; // sambaAccount_may if (($values->smb_smbuserworkstations!='') && ($values->smb_smbuserworkstations!=$values_old->smb_smbuserworkstations))$attr['sambaUserWorkstations'] = $values->smb_smbuserworkstations; // sambaAccount_may if (($values->smb_smbuserworkstations=='') && ($values->smb_smbuserworkstations!=$values_old->smb_smbuserworkstations))$attr_rem['sambaUserWorkstations'] = $values_old->smb_smbuserworkstations; // sambaAccount_may if ($values->smb_domain->name!=$values_old->smb_domain->name) { $attr['sambaDomainName'] = $values->smb_domain->name; // sambaAccount_may $attr['sambaSid'] = $values->smb_domain->SID . "-" . (2 * $values->general_uidNumber + $values->smb_domain->RIDbase); $attr['sambaPrimaryGroupSID'] = $values->smb_domain->SID . "-". (2 * getgid($values->general_group) + $values->smb_domain->RIDbase+1); } if (($values->smb_mapgroup!='') && ($values->smb_mapgroup!=$values_old->smb_mapgroup)) { ldapreload('group'); foreach ($_SESSION['groupDN'] as $groupname) { if ($groupname['cn'] == $values->general_group) $attr['sambaPrimaryGroupSID'] = $groupname['sambaSID']; } } if ($values->smb_displayName != $values_old->smb_displayName) $attr['displayName'] = utf8_encode($values->smb_displayName); // sambaAccount_may } else { // use old samba 2.2 objectclass if (!in_array('sambaAccount', $values->general_objectClass)) { // Add or convert samba attributes & object to samba 2.2 if (!isset($attr['objectClass'])) $attr['objectClass'] = $values->general_objectClass; $attr['objectClass'][] = 'sambaAccount'; // unset old sambaAccount objectClass for ($i=0; $iserver(), $values_old->general_dn, "objectclass=PosixAccount"); $entry = ldap_first_entry($_SESSION['ldap']->server(), $result); $attr_old = ldap_get_attributes($_SESSION['ldap']->server(), $entry); if (isset($attr_old['sambaLMPassword'][0])) $attr['lmPassword'] = $attr_old['sambaLMPassword'][0]; if (isset($attr_old['sambaNTPassword'][0])) $attr['ntPassword'] = $attr_old['sambaNTPassword'][0]; if (isset($attr_old['sambaPwdLastSet'][0])) $attr['pwdLastSet'] = $attr_old['sambaPwdLastSet'][0]; if (isset($attr_old['sambaLogonTime'][0])) $attr['logonTime'] = $attr_old['sambaLogonTime'][0]; if (isset($attr_old['sambaLogoffTime'][0])) $attr['logoffTime'] = $attr_old['sambaLogoffTime'][0]; if (isset($attr_old['sambaKickoffTime'][0])) $attr['kickoffTime'] = $attr_old['sambaKickoffTime'][0]; if (isset($attr_old['sambaPwdCanChange'][0])) $attr['pwdCanChange'] = $attr_old['sambaPwdCanChange'][0]; if (isset($attr_old['sambaPwdMustChange'][0])) $attr['pwdMustChange'] = $attr_old['sambaPwdMustChange'][0]; if (isset($attr_old['sambaHomePath'][0])) $attr['smbHome'] = $attr_old['sambaHomePath'][0]; if (isset($attr_old['sambaHomeDrive'][0])) $attr['homeDrive'] = $attr_old['sambaHomeDrive'][0]; if (isset($attr_old['sambaLogonScript'][0])) $attr['scriptPath'] = $attr_old['sambaLogonScript'][0]; if (isset($attr_old['sambaProfilePath'][0])) $attr['profilePath'] = $attr_old['sambaProfilePath'][0]; if (isset($attr_old['sambaUserWorkstations'][0])) $attr['userWorkstations'] = $attr_old['sambaUserWorkstations'][0]; // Values used from account object $attr['displayName'] = utf8_encode($values->smb_displayName); // sambaAccount_may $attr['acctFlags'] = smbflag($values->smb_flags); // sambaAccount_may if ($values->smb_domain!='') $attr['domain'] = $values->smb_domain; // sambaAccount_may $attr['primaryGroupID'] = $values->smb_mapgroup; // sambaAccount_req $attr['rid'] = (2 * $values->general_uidNumber + 1000); // sambaAccount_may // remove old attributes if (in_array('sambaSamAccount', $attr_old['objectClass'])) $attr_rem['objectClass'] = 'sambaSamAccount'; if (isset($attr_old['sambaLMPassword'][0])) $attr_rem['sambaLMPassword'] = $attr_old['sambaLMPassword'][0]; if (isset($attr_old['sambaNTPassword'][0])) $attr_rem['sambaNTPassword'] = $attr_old['sambaNTPassword'][0]; if (isset($attr_old['sambaPwdLastSet'][0])) $attr_rem['sambaPwdLastSet'] = $attr_old['sambaPwdLastSet'][0]; if (isset($attr_old['sambaLogonTime'][0])) $attr_rem['sambaLogonTime'] = $attr_old['sambaLogonTime'][0]; if (isset($attr_old['sambaKickoffTime'][0])) $attr_rem['sambaKickoffTime'] = $attr_old['sambaKickoffTime'][0]; if (isset($attr_old['sambaPwdCanChange'][0])) $attr_rem['sambaPwdCanChange'] = $attr_old['sambaPwdCanChange'][0]; if (isset($attr_old['sambaPwdMustChange'][0])) $attr_rem['sambaPwdMustChange'] = $attr_old['sambaPwdMustChange'][0]; if (isset($attr_old['sambaHomePath'][0])) $attr_rem['sambaHomePath'] = $attr_old['sambaHomePAth'][0]; if (isset($attr_old['sambaAcctFlags'][0])) $attr_rem['sambaAcctFlags'] = $attr_old['sambaAcctFlags'][0]; if (isset($attr_old['sambaHomeDrive'][0])) $attr_rem['sambaHomeDrive'] = $attr_old['sambaHomeDrive'][0]; if (isset($attr_old['sambaLogonScript'][0])) $attr_rem['sambaLogonScript'] = $attr_old['sambaLogonScript'][0]; if (isset($attr_old['sambaProfilePath'][0])) $attr_rem['sambaProfilePath'] = $attr_old['sambaProfilePath'][0]; if (isset($attr_old['sambaUserWorkstations'][0])) $attr_rem['sambaUserWorkstations'] = $attr_old['sambaUserWorkstations'][0]; if (isset($attr_old['sambaPrimaryGroupID'][0])) $attr_rem['sambaPrimaryGroupID'] = $attr_old['sambaPrimaryGroupID'][0]; if (isset($attr_old['sambaDomainName'][0])) $attr_rem['sambaDomainName'] = $attr_old['sambaDomainName'][0]; if (isset($attr_old['sambaSID'][0])) $attr_rem['sambaSID'] = $attr_old['sambaSID'][0]; } // Set all changed values if ($values->smb_flags['N']) { // use no samba Password $attr['ntPassword'] = 'NO PASSWORD*****'; $attr['lmPassword'] = 'NO PASSWORD*****'; $attr['pwdLastSet'] = time(); } else if ($values->smb_password!='') { // use escapeshellarg() to make command shell-secure // Set samba-passwords with external perl-script $attr['ntPassword'] = exec(escapeshellarg($_SESSION['lampath'].'lib/createntlm.pl')." nt ".escapeshellarg($values->smb_password)); $attr['lmPassword'] = exec(escapeshellarg($_SESSION['lampath'].'lib/createntlm.pl')." lm ".escapeshellarg($values->smb_password)); $attr['pwdLastSet'] = time(); // sambaAccount_may } // Check which Samba-Attributes have changed if ($values->smb_pwdcanchange != $values_old->smb_pwdcanchange) $attr['pwdCanChange'] = $values->smb_pwdcanchange; // sambaAccount_may if ($values->smb_pwdmustchange != $values_old->smb_pwdmustchange) $attr['pwdMustChange'] = $values->smb_pwdmustchange; // sambaAccount_may if (smbflag($values->smb_flags) != smbflag($values_old->smb_flags)) $attr['acctFlags'] = smbflag($values->smb_flags); // sambaAccount_may if (($values->smb_smbhome!='') && ($values->smb_smbhome!=$values_old->smb_smbhome)) $attr['smbHome'] = utf8_encode($values->smb_smbhome); // sambaAccount_may if (($values->smb_smbhome=='') && ($values->smb_smbhome!=$values_old->smb_smbhome)) $attr_rem['smbHome'] = utf8_encode($values_old->smb_smbhome); // sambaAccount_may if (($values->smb_homedrive!='') && ($values->smb_homedrive!=$values_old->smb_homedrive)) $attr['homeDrive'] = $values->smb_homedrive; // sambaAccount_may if (($values->smb_homedrive=='') && ($values->smb_homedrive!=$values_old->smb_homedrive)) $attr_rem['homeDrive'] = $values_old->smb_homedrive; // sambaAccount_may if (($values->smb_scriptPath!='') && ($values->smb_scriptPath!=$values_old->smb_scriptPath)) $attr['scriptPath'] = utf8_encode($values->smb_scriptPath); // sambaAccount_may if (($values->smb_scriptPath=='') && ($values->smb_scriptPath!=$values_old->smb_scriptPath)) $attr_rem['scriptPath'] = utf8_encode($values_old->smb_scriptPath); // sambaAccount_may if (($values->smb_profilePath!='') && ($values->smb_profilePath!=$values_old->smb_profilePath)) $attr['profilePath'] = $values->smb_profilePath; // sambaAccount_may if (($values->smb_profilePath=='') && ($values->smb_profilePath!=$values_old->smb_profilePath)) $attr_rem['profilePath'] = $values_old->smb_profilePath; // sambaAccount_may if (($values->smb_smbuserworkstations!='') && ($values->smb_smbuserworkstations!=$values_old->smb_smbuserworkstations))$attr['userWorkstations'] = $values->smb_smbuserworkstations; // sambaAccount_may if (($values->smb_smbuserworkstations=='') && ($values->smb_smbuserworkstations!=$values_old->smb_smbuserworkstations))$attr_rem['userWorkstations'] = $values_old->smb_smbuserworkstations; // sambaAccount_may if (($values->smb_domain!='') && ($values->smb_domain!=$values_old->smb_domain)) $attr['domain'] = $values->smb_domain; // sambaAccount_may if (($values->smb_domain=='') && ($values->smb_domain!=$values_old->smb_domain)) $attr_rem['domain'] = $values_old->smb_domain; // sambaAccount_may if (($values->smb_mapgroup!='') && ($values->smb_mapgroup!=$values_old->smb_mapgroup)) $attr['primaryGroupID'] = $values->smb_mapgroup; // sambaAccount_may if (($values->smb_mapgroup=='') && ($values->smb_mapgroup!=$values_old->smb_mapgroup)) $attr_rem['primaryGroupID'] = $values_old->smb_mapgroup; if ($values->smb_displayName != $values_old->smb_displayName) $attr['displayName'] = utf8_encode($values->smb_displayName); // sambaAccount_may } // Check which personal attributes have changed if (($values->personal_title != $values_old->personal_title) && ($values->personal_title != '')) $attr['title'] = utf8_encode($values->personal_title); if (($values->personal_title != $values_old->personal_title) && ($values->personal_title == '')) $attr_rem['title'] = utf8_encode($values_old->personal_title); if (($values->personal_mail != $values_old->personal_mail) && ($values->personal_mail != '')) $attr['mail'] = utf8_encode($values->personal_mail); if (($values->personal_mail != $values_old->personal_mail) && ($values->personal_mail == '')) $attr_rem['mail'] = utf8_encode($values_old->personal_mail); if (($values->personal_telephoneNumber != $values_old->personal_telephoneNumber) && ($values->personal_telephoneNumber !='')) $attr['telephoneNumber'] = utf8_encode($values->personal_telephoneNumber); if (($values->personal_telephoneNumber != $values_old->personal_telephoneNumber) && ($values->personal_telephoneNumber =='')) $attr_rem['telephoneNumber'] = utf8_encode($values_old->personal_telephoneNumber); if (($values->personal_mobileTelephoneNumber != $values_old->personal_mobileTelephoneNumber) && ($values->personal_mobileTelephoneNumber!='')) $attr['mobileTelephoneNumber'] = utf8_encode($values->personal_mobileTelephoneNumber); if (($values->personal_mobileTelephoneNumber != $values_old->personal_mobileTelephoneNumber) && ($values->personal_mobileTelephoneNumber=='')) $attr_rem['mobileTelephoneNumber'] = utf8_encode($values_old->personal_mobileTelephoneNumber); if (($values->personal_facsimileTelephoneNumber != $values_old->personal_facsimileTelephoneNumber) && ($values->personal_facsimileTelephoneNumber!='')) $attr['facsimileTelephoneNumber'] = utf8_encode($values->personal_facsimileTelephoneNumber); if (($values->personal_facsimileTelephoneNumber != $values_old->personal_facsimileTelephoneNumber) && ($values->personal_facsimileTelephoneNumber=='')) $attr_rem['facsimileTelephoneNumber'] = utf8_encode($values_old->personal_facsimileTelephoneNumber); if (($values->personal_street != $values_old->personal_street) && ($values->personal_street!='')) $attr['street'] = utf8_encode($values->personal_street); if (($values->personal_street != $values_old->personal_street) && ($values->personal_street=='')) $attr_rem['street'] = utf8_encode($values_old->personal_street); if (($values->personal_street != $values_old->personal_street) && ($values->personal_street!='')) $attr['postalCode'] = utf8_encode($values->personal_street); if (($values->personal_street != $values_old->personal_street) && ($values->personal_street=='')) $attr_rem['postalCode'] = utf8_encode($values_old->personal_street); if (($values->personal_postalAddress != $values_old->personal_postalAddress) && ($values->personal_postalAddress!='')) $attr['postalAddress'] = utf8_encode($values->personal_postalAddress); if (($values->personal_postalAddress != $values_old->personal_postalAddress) && ($values->personal_postalAddress=='')) $attr_rem['postalAddress'] = utf8_encode($values_old->personal_postalAddress); if (($values->personal_employeeType != $values_old->personal_employeeType) && ($values->personal_employeeType!='')) $attr['employeeType'] = utf8_encode($values->personal_employeeType); if (($values->personal_employeeType != $values_old->personal_employeeType) && ($values->personal_employeeType=='')) $attr_rem['employeeType'] = utf8_encode($values_old->personal_employeeType); if (($values->general_uidNumber != $values_old->general_uidNumber) && $_SESSION['config']->scriptServer) { // Remove old quotas remquotas(array($values_old->general_username), "user"); // Remove quotas from $values_old because we have to rewrite them all unset ($values_old->quota); } if ($values->general_dn != $values_old->general_dn) { // Account should be moved to a new location // Load old account $result = ldap_search($_SESSION['ldap']->server(), $values_old->general_dn, "objectclass=PosixAccount"); $entry = ldap_first_entry($_SESSION['ldap']->server(), $result); $attr_old = ldap_get_attributes($_SESSION['ldap']->server(), $entry); // remove "count" from array unset($attr_old['count']); for ($i=0; $i < sizeof($attr_old); $i++) unset($attr_old[$i]); $keys = array_keys($attr_old); for ($i=0; $i < sizeof($keys); $i++) unset($attr_old[$keys[$i]]['count']); // Change uid to new uid. Else ldap won't create the new entry //$attr_old['uid'][0] = $values->general_username; $attr_rem_keys = @array_keys($attr_rem); for ($i=0; $iserver(),$values->general_dn, $attr_old); // remove old account if ($success) $success = ldap_delete($_SESSION['ldap']->server(),$values_old->general_dn); if (!$success) return 5; // Remove all memberUid entries. The new entries will be added again // Search for groups which have memberUid set to username $result = ldap_search($_SESSION['ldap']->server(), $_SESSION['config']->get_GroupSuffix(), "(&(objectClass=PosixGroup)(memberUid=$values_old->general_username))", array('')); $entry = ldap_first_entry($_SESSION['ldap']->server(), $result); // loop for every found group and remove membership while ($entry) { $dn = ldap_get_dn($_SESSION['ldap']->server(), $entry); $success = ldap_mod_del($_SESSION['ldap']->server(), $dn , array('memberUid' => $values_old->general_username)); // *** fixme add error-message if memberUid couldn't be deleted // Remove old memberUid to cache-array if ((isset($_SESSION['groupDN']))) { if (!in_array($values->general_username, $_SESSION['groupDN'][$dn]['memberUid'])) { $i=0; for ($i=0; $igeneral_username) unset ($_SESSION['groupDN'][$dn]['memberUid'][$i]); $_SESSION['groupDN'][$dn]['memberUid'][$i] = array_values($_SESSION['groupDN'][$dn]['memberUid'][$i]); } } } $entry = ldap_next_entry($_SESSION['ldap']->server(), $entry); } } else { // Just modify, not recreate if ($attr) { // Change or add new attributes $success = ldap_modify($_SESSION['ldap']->server(),$values->general_dn, $attr); if (!$success) return 5; } if ($attr_rem) { // Remove old attributes which are no longer in use $success = ldap_mod_del($_SESSION['ldap']->server(),$values->general_dn, $attr_rem); if (!$success) return 5; } } // Write additional groupmemberchips // Get a list with all groups $result = ldap_search($_SESSION['ldap']->server(), $_SESSION['config']->get_GroupSuffix(), 'objectClass=PosixGroup', array('memberUid', 'cn')); $entry = ldap_first_entry($_SESSION['ldap']->server(), $result); while ($entry) { $modifygroup=0; $attr2 = ldap_get_attributes($_SESSION['ldap']->server(), $entry); // Remove "count" from array if (is_array($attr2['memberUid'])) array_shift($attr2['memberUid']); array_shift($attr2['cn']); if ($attr2['memberUid']) { // Remove user from groups he's not member anymore if (@in_array($values->general_username, $attr2['memberUid']) && !@in_array($attr2['cn'][0],$values->general_groupadd)) { $dn = ldap_get_dn($_SESSION['ldap']->server(), $entry); $success = ldap_mod_del($_SESSION['ldap']->server(), $dn ,array('memberUid' => $values->general_username)); if (!$success) return 5; // Remove old memberUid to cache-array ldapreload('group'); if ((isset($_SESSION['groupDN']))) { for ($i=0; $igeneral_username==$_SESSION['groupDN'][$dn]['memberUid'][$i]) { unset($_SESSION['groupDN'][$dn]['memberUid'][$i]); $_SESSION['groupDN'][$dn]['memberUid'] = array_values($_SESSION['groupDN'][$dn]['memberUid']); } } } } // Add user to groups if (!@in_array($values->general_username, $attr2['memberUid']) && @in_array($attr2['cn'][0],$values->general_groupadd)) { $dn = ldap_get_dn($_SESSION['ldap']->server(), $entry); $success = ldap_mod_add($_SESSION['ldap']->server(), $dn ,array('memberUid' => $values->general_username)); if (!$success) return 5; // Add new memberUid to cache-array ldapreload('group'); if ((isset($_SESSION['groupDN']))) { if (is_array($_SESSION['groupDN'][$dn]['memberUid'])) { if (!in_array($values->general_username, $_SESSION['groupDN'][$dn]['memberUid'])) $_SESSION['groupDN'][$dn]['memberUid'][] = $values->general_username; } else $_SESSION['groupDN'][$dn]['memberUid'][] = $values->general_username; } } } else { // Add user to groups if (@in_array($attr2['cn'][0],$values->general_groupadd)) { $dn = ldap_get_dn($_SESSION['ldap']->server(), $entry); $success = ldap_mod_add($_SESSION['ldap']->server(), $dn ,array('memberUid' => $values->general_username)); if (!$success) return 5; // Add new memberUid to cache-array ldapreload('group'); if ((isset($_SESSION['groupDN']))) { if (is_array($_SESSION['groupDN'][$dn]['memberUid'])) { if (!in_array($values->general_username, $_SESSION['groupDN'][$dn]['memberUid'])) $_SESSION['groupDN'][$dn]['memberUid'][] = $values->general_username; } else $_SESSION['groupDN'][$dn]['memberUid'][] = $values->general_username; } } } $entry = ldap_next_entry($_SESSION['ldap']->server(), $entry); } // Change quotas if quotas are set and lamdaemon.pl should be used if ($_SESSION['config']->scriptServer && is_array($values->quota) && $uselamdaemon && ($values->quota != $values_old->quota)) setquotas(array($values)); //make required changes in cache-array if ((isset($_SESSION['userDN']))) { if ($values->general_dn != $values_old->general_dn) { unset ($_SESSION['userDN'][$values_old->general_dn]); } $_SESSION['userDN'][$values->general_dn]['cn'] = $values->general_username; $_SESSION['userDN'][$values->general_dn]['uidNumber'] = $values->general_uidNumber; } // Return 3 if everything has worked fine return 3; } /* This function will create a new host acconut in ldap * $values is an account-object with all attributes of the host * return-value is an integer * 1 == Account has been created * 2 == Account already exists at different location * 4 == Error while creating Account */ function createhost($values) { // These Objectclasses are needed for an host account $attr['objectClass'][0] = 'posixAccount'; $attr['objectClass'][1] = 'shadowAccount'; $attr['objectClass'][2] = 'account'; // Create DN for new host account $values->general_dn = 'uid=' . $values->general_username . ',' . $values->general_dn; // Attributes which are required $attr['cn'] = $values->general_username; $attr['uid'] = $values->general_username; $attr['uidNumber'] = $values->general_uidNumber; $attr['gidNumber'] = getgid($values->general_group); $attr['homeDirectory'] = "/dev/null"; /* Write unix attributes into $attr array * Some values don't have to be set. These are only loaded if they are set */ $attr['loginShell'] = "/bin/false"; $attr['gecos'] = utf8_encode(replace_umlaut($values->general_gecos)); $attr['description'] = utf8_encode($values->general_gecos); // Set unix password // Samba attributes if ($_SESSION['config']->is_samba3()) { // Add all attributes as samba3 objectclass $attr['objectClass'][3] = 'sambaSamAccount'; // "Standard" password for new hosts $attr['sambaNTPassword'] = '0CB6948805F797BF2A82807973B89537'; $attr['sambaLMPassword'] = '01FC5A6BE7BC6929AAD3B435B51404EE'; $attr['sambaPwdLastSet'] = time(); // sambaAccount_may $attr['sambaSID'] = $values->smb_domain->SID . "-" . (2 * $values->general_uidNumber + $values->smb_domain->RIDbase); // sambaAccount_may $attr['sambaPrimaryGroupSID'] = $values->smb_domain->SID . "-515"; // sambaAccount_req $attr['sambaPwdCanChange'] = time(); // sambaAccount_may $attr['sambaPwdMustChange'] = "1893452400"; // sambaAccount_may // anywhere in year 2030 $attr['sambaAcctFlags'] = smbflag($values->smb_flags); // sambaAccount_may $attr['sambaDomainName'] = $values->smb_domain->name; // sambaAccount_may } else { // Add all attributes as samba2.2 objectclass $attr['objectClass'][3] = 'sambaAccount'; // "Standard" password for new hosts $attr['ntPassword'] = '0CB6948805F797BF2A82807973B89537'; $attr['lmPassword'] = '01FC5A6BE7BC6929AAD3B435B51404EE'; $attr['pwdLastSet'] = time(); // sambaAccount_may $attr['rid'] = (2 * $values->general_uidNumber + 1000); // sambaAccount_may $attr['primaryGroupID'] = (2 * getgid($values->general_group) + 1001); // sambaAccount_req $attr['pwdCanChange'] = time(); // sambaAccount_may $attr['pwdMustChange'] = "1893452400"; // sambaAccount_may // anywhere in 2030 $attr['acctFlags'] = smbflag($values->smb_flags); // sambaAccount_may if ($values->smb_domain!='') $attr['domain'] = $values->smb_domain; // sambaAccount_may } // Create LDAP user account $success = ldap_add($_SESSION['ldap']->server(),$values->general_dn, $attr); // Continue if now error did ocour if (!$success) return 4; // Add new host to cache-array if ((isset($_SESSION['hostDN']))) { $_SESSION['hostDN'][$values->general_dn]['cn'] = $values->general_username; $_SESSION['hostDN'][$values->general_dn]['uidNumber'] = $values->general_uidNumber; } return 1; } /* This function will modify a host acconut in ldap * $values and $values_old are an account-object with all * attributes of the host. * Only attributes which have changed will be written * return-value is an integer * 2 == Account already exists at different location * 3 == Account has been modified * 5 == Error while modifying Account */ function modifyhost($values,$values_old) { // Add missing objectclasses to host if (!in_array('posixAccount', $values->general_objectClass)) { $attr['objectClass'] = $values->general_objectClass; $attr['objectClass'][] = 'posixAccount'; } if (!in_array('shadowAccount', $values->general_objectClass)) { if (!isset($attr['objectClass'])) $attr['objectClass'] = $values->general_objectClass; $attr['objectClass'][] = 'shadowAccount'; } // Create DN for new host account $values->general_dn = 'uid=' . $values->general_username . ',' . $values->general_dn; // Attributes which are required if ($values->general_username != $values_old->general_username) { $attr['cn'] = $values->general_username; // posixAccount_req shadowAccount_req sambaAccount_may $attr['uid'] = $values->general_username; // posixAccount_req } if ($values->general_uidNumber != $values_old->general_uidNumber) { $attr['uidNumber'] = $values->general_uidNumber; // Because sambaSid(rid) is related to uidNumber we have to change it if uidNumbaer has changed if ($_SESSION['config']->is_samba3()) $attr['sambaSid'] = $values->smb_domain->SID . "-" . (2 * $values->general_uidNumber + $values->smb_domain->RIDbase); else $attr['rid'] = (2 * $values->general_uidNumber + 1000); } if ($values->general_group != $values_old->general_group) { $attr['gidNumber'] = getgid($values->general_group); // Because primaryGroup(S)ID is related to gidNumber we have to change it if gidNumber has changed if ($_SESSION['config']->is_samba3()) // We use samba 3 schema $attr['sambaPrimaryGroupSID'] = $values->smb_domain->SID . "-". (2 * getgid($values->general_group) + $values->smb_domain->RIDbase+1); else // We use old samba 2.2 schema $attr['primaryGroupID'] = (2 * getgid($values->general_group) + 1001); } /* Write unix attributes into $attr array * Some values don't have to be set. These are only loaded if they are set */ if ($values->general_gecos != $values_old->general_gecos) { $attr['gecos'] = utf8_encode(replace_umlaut($values->general_gecos)); // posixAccount_may $attr['description'] = utf8_encode($values->general_gecos); // posixAccount_may sambaAccount_may } // Samba attributes if ($_SESSION['config']->is_samba3()) { if (!in_array('sambaSamAccount', $values->general_objectClass)) { // We have to convert sambaAccount Objectclass to sambaSamAccount objectclass if (!isset($attr['objectClass'])) $attr['objectClass'] = $values->general_objectClass; $attr['objectClass'][] = 'sambaSamAccount'; // unset old sambaAccount objectClass for ($i=0; $iserver(), $values_old->general_dn, "objectclass=PosixAccount"); $entry = ldap_first_entry($_SESSION['ldap']->server(), $result); $return->general_dn = (ldap_get_dn($_SESSION['ldap']->server(), $entry)); $attr_old = ldap_get_attributes($_SESSION['ldap']->server(), $entry); if (isset($attr_old['lmPassword'][0])) $attr['sambaLMPassword'] = $attr_old['lmPassword'][0]; if (isset($attr_old['ntPassword'][0])) $attr['sambaNTPassword'] = $attr_old['ntPassword'][0]; if (isset($attr_old['pwdLastSet'][0])) $attr['sambaPwdLastSet'] = $attr_old['pwdLastSet'][0]; if (isset($attr_old['logonTime'][0])) $attr['sambaLogonTime'] = $attr_old['logonTime'][0]; if (isset($attr_old['logoffTime'][0])) $attr['sambaLogoffTime'] = $attr_old['logoffTime'][0]; if (isset($attr_old['kickoffTime'][0])) $attr['sambaKickoffTime'] = $attr_old['kickoffTime'][0]; if (isset($attr_old['pwdCanChange'][0])) $attr['sambaPwdCanChange'] = $attr_old['pwdCanChange'][0]; if (isset($attr_old['pwdMustChange'][0])) $attr['sambaPwdMustChange'] = $attr_old['pwdMustChange'][0]; if (isset($attr_old['smbHome'][0])) $attr['sambaHomePath'] = $attr_old['smbHome'][0]; if (isset($attr_old['homeDrive'][0])) $attr['sambaHomeDrive'] = $attr_old['homeDrive'][0]; if (isset($attr_old['scriptPath'][0])) $attr['sambaLogonScript'] = $attr_old['scriptPath'][0]; if (isset($attr_old['profilePath'][0])) $attr['sambaProfilePath'] = $attr_old['profilePath'][0]; if (isset($attr_old['userWorkstations'][0])) $attr['sambaUserWorkstations'] = $attr_old['userWorkstations'][0]; // Values used from account object $attr['displayName'] = utf8_encode($values->smb_displayName); // sambaAccount_may $attr['sambaAcctFlags'] = smbflag($values->smb_flags); // sambaAccount_may $attr['sambaDomainName'] = $values->smb_domain->name; // sambaAccount_may $attr['sambaSid'] = $values->smb_domain->SID . "-" . (2 * $values->general_uidNumber + $values->smb_domain->RIDbase); // sambaAccount_may $attr['sambaPrimaryGroupSID'] = $values->smb_domain->SID . "-" . (2 * getgid($values->general_group) + $values->smb_domain->RIDbase +1); // sambaAccount_req // remove old attributes if (in_array('sambaAccount', $attr_old['objectClass'])) $attr_rem['objectClass'] = 'sambaAccount'; if (isset($attr_old['lmPassword'][0])) $attr_rem['lmPassword'] = $attr_old['lmPassword'][0]; if (isset($attr_old['ntPassword'][0])) $attr_rem['ntPassword'] = $attr_old['ntPassword'][0]; if (isset($attr_old['pwdLastSet'][0])) $attr_rem['pwdLastSet'] = $attr_old['pwdLastSet'][0]; if (isset($attr_old['logonTime'][0])) $attr_rem['logonTime'] = $attr_old['logonTime'][0]; if (isset($attr_old['kickoffTime'][0])) $attr_rem['kickoffTime'] = $attr_old['kickoffTime'][0]; if (isset($attr_old['pwdCanChange'][0])) $attr_rem['pwdCanChange'] = $attr_old['pwdCanChange'][0]; if (isset($attr_old['pwdMustChange'][0])) $attr_rem['pwdMustChange'] = $attr_old['pwdMustChange'][0]; if (isset($attr_old['smbHome'][0])) $attr_rem['smbHome'] = $attr_old['smbHome'][0]; if (isset($attr_old['acctFlags'][0])) $attr_rem['acctFlags'] = $attr_old['acctFlags'][0]; if (isset($attr_old['homeDrive'][0])) $attr_rem['homeDrive'] = $attr_old['homeDrive'][0]; if (isset($attr_old['scriptPath'][0])) $attr_rem['scriptPath'] = $attr_old['scriptPath'][0]; if (isset($attr_old['profilePath'][0])) $attr_rem['profilePath'] = $attr_old['profilePath'][0]; if (isset($attr_old['userWorkstations'][0])) $attr_rem['userWorkstations'] = $attr_old['userWorkstations'][0]; if (isset($attr_old['primaryGroupID'][0])) $attr_rem['primaryGroupID'] = $attr_old['primaryGroupID'][0]; if (isset($attr_old['domain'][0])) $attr_rem['domain'] = $attr_old['domain'][0]; if (isset($attr_old['rid'][0])) $attr_rem['rid'] = $attr_old['rid'][0]; } // Reset password if ($values->smb_flags['N']) { // "Standard" password for new hosts $attr['sambaNTPassword'] = '0CB6948805F797BF2A82807973B89537'; $attr['sambaLMPassword'] = '01FC5A6BE7BC6929AAD3B435B51404EE'; $attr['sambaPwdLastSet'] = time(); // sambaAccount_may } if ($values->smb_domain->name!=$values_old->smb_domain->name) { $attr['sambaDomainName'] = $values->smb_domain->name; // sambaAccount_may $attr['sambaSid'] = $values->smb_domain->SID . "-" . (2 * $values->general_uidNumber + $values->smb_domain->RIDbase); $attr['sambaPrimaryGroupSID'] = $values->smb_domain->SID . "-". (2 * getgid($values->general_group) + $values->smb_domain->RIDbase+1); } } else { // use old samba 2.2 objectclass if (!in_array('sambaAccount', $values->general_objectClass)) { // Add or convert samba attributes & object to samba 2.2 if (!isset($attr['objectClass'])) $attr['objectClass'] = $values->general_objectClass; $attr['objectClass'][] = 'sambaAccount'; // unset old sambaAccount objectClass for ($i=0; $iserver(), $values_old->general_dn, "objectclass=PosixAccount"); $entry = ldap_first_entry($_SESSION['ldap']->server(), $result); $return->general_dn = (ldap_get_dn($_SESSION['ldap']->server(), $entry)); $attr_old = ldap_get_attributes($_SESSION['ldap']->server(), $entry); if (isset($attr_old['sambaLMPassword'][0])) $attr['lmPassword'] = $attr_old['sambaLMPassword'][0]; if (isset($attr_old['sambaNTPassword'][0])) $attr['ntPassword'] = $attr_old['sambaNTPassword'][0]; if (isset($attr_old['sambaPwdLastSet'][0])) $attr['pwdLastSet'] = $attr_old['sambaPwdLastSet'][0]; if (isset($attr_old['sambaLogonTime'][0])) $attr['logonTime'] = $attr_old['sambaLogonTime'][0]; if (isset($attr_old['sambaLogoffTime'][0])) $attr['logoffTime'] = $attr_old['sambaLogoffTime'][0]; if (isset($attr_old['sambaKickoffTime'][0])) $attr['kickoffTime'] = $attr_old['sambaKickoffTime'][0]; if (isset($attr_old['sambaPwdCanChange'][0])) $attr['pwdCanChange'] = $attr_old['sambaPwdCanChange'][0]; if (isset($attr_old['sambaPwdMustChange'][0])) $attr['pwdMustChange'] = $attr_old['sambaPwdMustChange'][0]; if (isset($attr_old['sambaHomePath'][0])) $attr['smbHome'] = $attr_old['sambaHomePath'][0]; if (isset($attr_old['sambaHomeDrive'][0])) $attr['homeDrive'] = $attr_old['sambaHomeDrive'][0]; if (isset($attr_old['sambaLogonScript'][0])) $attr['scriptPath'] = $attr_old['sambaLogonScript'][0]; if (isset($attr_old['sambaProfilePath'][0])) $attr['profilePath'] = $attr_old['sambaProfilePath'][0]; if (isset($attr_old['sambaUserWorkstations'][0])) $attr['userWorkstations'] = $attr_old['sambaUserWorkstations'][0]; // Values used from account object $attr['displayName'] = utf8_encode($values->smb_displayName); // sambaAccount_may $attr['acctFlags'] = smbflag($values->smb_flags); // sambaAccount_may if ($values->smb_domain!='') $attr['domain'] = $values->smb_domain; // sambaAccount_may $attr['primaryGroupID'] = (2 * getgid($values->general_group) + 1001); // sambaAccount_req $attr['rid'] = (2 * $values->general_uidNumber + 1000); // sambaAccount_may // remove old attributes if (in_array('sambaSamAccount', $attr_old['objectClass'])) $attr_rem['objectClass'] = 'sambaSamAccount'; if (isset($attr_old['sambaLMPassword'][0])) $attr_rem['sambaLMPassword'] = $attr_old['sambaLMPassword'][0]; if (isset($attr_old['sambaNTPassword'][0])) $attr_rem['sambaNTPassword'] = $attr_old['sambaNTPassword'][0]; if (isset($attr_old['sambaPwdLastSet'][0])) $attr_rem['sambaPwdLastSet'] = $attr_old['sambaPwdLastSet'][0]; if (isset($attr_old['sambaLogonTime'][0])) $attr_rem['sambaLogonTime'] = $attr_old['sambaLogonTime'][0]; if (isset($attr_old['sambaKickoffTime'][0])) $attr_rem['sambaKickoffTime'] = $attr_old['sambaKickoffTime'][0]; if (isset($attr_old['sambaPwdCanChange'][0])) $attr_rem['sambaPwdCanChange'] = $attr_old['sambaPwdCanChange'][0]; if (isset($attr_old['sambaPwdMustChange'][0])) $attr_rem['sambaPwdMustChange'] = $attr_old['sambaPwdMustChange'][0]; if (isset($attr_old['sambaHomePath'][0])) $attr_rem['sambaHomePath'] = $attr_old['sambaHomePAth'][0]; if (isset($attr_old['sambaAcctFlags'][0])) $attr_rem['sambaAcctFlags'] = $attr_old['sambaAcctFlags'][0]; if (isset($attr_old['sambaHomeDrive'][0])) $attr_rem['sambaHomeDrive'] = $attr_old['sambaHomeDrive'][0]; if (isset($attr_old['sambaLogonScript'][0])) $attr_rem['sambaLogonScript'] = $attr_old['sambaLogonScript'][0]; if (isset($attr_old['sambaProfilePath'][0])) $attr_rem['sambaProfilePath'] = $attr_old['sambaProfilePath'][0]; if (isset($attr_old['sambaUserWorkstations'][0])) $attr_rem['sambaUserWorkstations'] = $attr_old['sambaUserWorkstations'][0]; if (isset($attr_old['sambaPrimaryGroupID'][0])) $attr_rem['sambaPrimaryGroupID'] = $attr_old['sambaPrimaryGroupID'][0]; if (isset($attr_old['sambaDomainName'][0])) $attr_rem['sambaDomainName'] = $attr_old['sambaDomainName'][0]; if (isset($attr_old['sambaSID'][0])) $attr_rem['sambaSID'] = $attr_old['sambaSID'][0]; } if ($values->smb_flags['N']) { // "Standard" password for new hosts $attr['ntPassword'] = '0CB6948805F797BF2A82807973B89537'; $attr['lmPassword'] = '01FC5A6BE7BC6929AAD3B435B51404EE'; $attr['pwdLastSet'] = time(); // sambaAccount_may } if (isset($attr_old['sambaSID'][0])) $attr_rem['sambaSID'] = $attr_old['sambaSID'][0]; if (($values->smb_domain!='') && ($values->smb_domain!=$values_old->smb_domain)) $attr['domain'] = $values->smb_domain; // sambaAccount_may if (($values->smb_domain=='') && ($values->smb_domain!=$values_old->smb_domain)) $attr_rem['domain'] = $values_old->smb_domain; // sambaAccount_may } if ($values->general_dn != $values_old->general_dn) { // Account should be moved to a new location // Load old account $result = ldap_search($_SESSION['ldap']->server(), $values_old->general_dn, "objectclass=PosixAccount"); $entry = ldap_first_entry($_SESSION['ldap']->server(), $result); $attr_old = ldap_get_attributes($_SESSION['ldap']->server(), $entry); // remove "count" from array unset($attr_old['count']); for ($i=0; $i < sizeof($attr_old); $i++) unset($attr_old[$i]); $keys = array_keys($attr_old); for ($i=0; $i < sizeof($keys); $i++) unset($attr_old[$keys[$i]]['count']); // Change uid to new uid. Else ldap won't create the new entry //$attr_old['uid'][0] = $values->general_username; $attr_rem_keys = @array_keys($attr_rem); for ($i=0; $iserver(),$values->general_dn, $attr_old); // remove old account if ($success) $success = ldap_delete($_SESSION['ldap']->server(),$values_old->general_dn); if (!$success) return 5; } else { // Just modify, not recreate if ($attr) { // Change or add new attributes $success = ldap_modify($_SESSION['ldap']->server(),$values->general_dn, $attr); if (!$success) return 5; } if ($attr_rem) { // Remove old attributes which are no longer in use $success = ldap_mod_del($_SESSION['ldap']->server(),$values->general_dn, $attr_rem); if (!$success) return 5; } } //make required changes in cache-array if ((isset($_SESSION['hostDN']))) { if ($values->general_dn != $values_old->general_dn) { unset ($_SESSION['hostDN'][$values_old->general_dn]); } $_SESSION['hostDN'][$values->general_dn]['cn'] = $values->general_username; $_SESSION['hostDN'][$values->general_dn]['uidNumber'] = $values->general_uidNumber; } // Return 3 if everything has worked fine return 3; } /* This function will create a new group acconut in ldap * $values is an account-object with all attributes of the group * if lamdaemon.pl is false no quotas are set. Usefull for massupload and deletion * return-value is an integer * 1 == Account has been created * 2 == Account already exists at different location * 4 == Error while creating Account */ function creategroup($values, $uselamdaemon=true) { // These Objectclasses are needed for an user account $attr['objectClass'][0] = 'posixGroup'; // Create DN for new user account $values->general_dn = 'cn=' . $values->general_username . ',' . $values->general_dn; // Attributes which are required $attr['cn'] = $values->general_username; $attr['gidNumber'] = $values->general_uidNumber; /* Write unix attributes into $attr array * Some values don't have to be set. These are only loaded if they are set */ if ($values->general_gecos) $attr['description'] = utf8_encode($values->general_gecos); // Samba 3 attributes // $values->smb_mapgroup is not set if creategroup is called from masscreate.php if ($_SESSION['config']->is_samba3() && isset($values->smb_mapgroup)) { $attr['sambaSID'] = $values->smb_mapgroup; $attr['objectClass'][1] = 'sambaGroupMapping'; $attr['sambaGroupType'] = '2'; if ($values->smb_displayName) $attr['displayName'] = utf8_encode($values->smb_displayName); } // Write additional group members if (is_array($values->unix_memberUid)) $attr['memberUid'] = $values->unix_memberUid; // Create LDAP group account $success = ldap_add($_SESSION['ldap']->server(),$values->general_dn, $attr); // Continue if now error did ocour if (!$success) return 4; // lamdaemon.pl should be used. Set quotas if quotas are used if ($_SESSION['config']->scriptServer && is_array($values->quota) && $uselamdaemon) setquotas(array($values)); // Add new group to cache-array if ((isset($_SESSION['groupDN']))) { $_SESSION['groupDN'][$values->general_dn]['memberUid'] = $values->unix_memberUid; $_SESSION['groupDN'][$values->general_dn]['cn'] = $values->general_username; $_SESSION['groupDN'][$values->general_dn]['uidNumber'] = $values->general_uidNumber; if ($_SESSION['config']->is_samba3() && isset($values->smb_mapgroup)) $_SESSION['groupDN'][$values->general_dn]['sambaSID'] = $values->smb_mapgroup; } return 1; } /* This function will modify a group acconut in ldap * $values and $values_old are an account-object with all * attributes of the group. * if lamdaemon.pl is false no quotas are set. Usefull for massupload and deletion * Only attributes which have changed will be written * return-value is an integer * 2 == Account already exists at different location * 3 == Account has been modified * 5 == Error while modifying Account */ function modifygroup($values,$values_old, $uselamdaemon=true) { // Add missing objectclasses to group if (!in_array('posixGroup', $values->general_objectClass)) { $attr['objectClass'] = $values->general_objectClass; $attr['objectClass'][] = 'posixGroup'; } if (($_SESSION['config']->is_samba3()) && (!in_array('sambaGroupMapping', $values->general_objectClass))) { if (!isset($attr['objectClass'])) $attr['objectClass'] = $values->general_objectClass; $attr['objectClass'][] = 'sambaGroupMapping'; $attr['sambaGroupType'] = '2'; } // Create DN for new group account $values->general_dn = 'cn=' . $values->general_username . ',' . $values->general_dn; // Attributes which are required if ($values->general_username != $values_old->general_username) $attr['cn'] = $values->general_username; if ($values->general_uidNumber != $values_old->general_uidNumber) { $attr['gidNumber'] = $values->general_uidNumber; // Set correct SID if UID was changed if ($_SESSION['config']->is_samba3()) $attr['sambaSid'] = $values->smb_domain->SID . "-" . (2 * $values->general_uidNumber + $values->smb_domain->RIDbase +1); } if ($values->general_gecos != $values_old->general_gecos) $attr['description'] = utf8_encode($values->general_gecos); if ($values->smb_displayName != $values_old->smb_displayName) $attr['displayName'] = utf8_encode($values->smb_displayName); // Samba 3.0 attributes if ($_SESSION['config']->is_samba3()) { if ($values->smb_mapgroup != $values_old->smb_mapgroup) $attr['sambaSID'] = $values->smb_mapgroup; } // Write Additional group members if (($values->unix_memberUid != $values_old->unix_memberUid)) { if (count($values->unix_memberUid)==0) $attr_rem['memberUid'] = $values_old->unix_memberUid; else $attr['memberUid'] = $values->unix_memberUid; } // Rewrite quotas if uidnumbers has changed if ($values->general_uidNumber != $values_old->general_uidNumber && $_SESSION['config']->scriptServer) { // Remove old quotas remquotas(array($values_old->general_username), "user"); // Remove quotas from $values_old because we have to rewrite them all unset ($values_old->quota); } if ($values->general_dn != $values_old->general_dn) { // Account should be moved to a new location // Load old account $result = ldap_search($_SESSION['ldap']->server(), $values_old->general_dn, "objectclass=PosixGroup"); $entry = ldap_first_entry($_SESSION['ldap']->server(), $result); $attr_old = ldap_get_attributes($_SESSION['ldap']->server(), $entry); // remove "count" from array unset($attr_old['count']); for ($i=0; $i < sizeof($attr_old); $i++) unset($attr_old[$i]); $keys = @array_keys($attr_old); for ($i=0; $i < sizeof($keys); $i++) unset($attr_old[$keys[$i]]['count']); // Change cn to new cn. Else ldap won't create the new entry //$attr_old['cn'][0] = $values->general_username; $attr_rem_keys = @array_keys($attr_rem); for ($i=0; $iserver(),$values->general_dn, $attr_old); // remove old account if ($success) $success = ldap_delete($_SESSION['ldap']->server(),$values_old->general_dn); if (!$success) return 5; } else { // Just modify, not recreate if ($attr) { // Change or add new attributes $success = ldap_modify($_SESSION['ldap']->server(),$values->general_dn, $attr); if (!$success) return 5; } if ($attr_rem) { // Remove old attributes which are no longer in use $success = ldap_mod_del($_SESSION['ldap']->server(),$values->general_dn, $attr_rem); if (!$success) return 5; } } // Chnage GIDs of all users which are member of group if ( $_SESSION['final_changegids']==true ) { $result = ldap_search($_SESSION['ldap']->server(), $_SESSION['config']->get_UserSuffix(), 'gidNumber=' . $values_old->general_uidNumber, array('')); $entry = ldap_first_entry($_SESSION['ldap']->server(), $result); while ($entry) { $user['gidNumber'][0] = $values->general_uidNumber; $success =ldap_modify($_SESSION['ldap']->server(), ldap_get_dn($_SESSION['ldap']->server(), $entry), $user); if (!$success) return 5; $entry = ldap_next_entry($_SESSION['ldap']->server(), $entry); } } // Change quotas if quotas are set and lamdaemon.pl should be used if ($_SESSION['config']->scriptServer && is_array($values->quota) && $uselamdaemon && ($values->quota != $values_old->quota)) setquotas(array($values)); //make required changes in cache-array if ((isset($_SESSION['groupDN']))) { if ($values->general_dn != $values_old->general_dn) { unset ($_SESSION['groupDN'][$values_old->general_dn]); } if (is_array($values->unix_memberUid)) $_SESSION['groupDN'][$values->general_dn]['memberUid'] = $values->unix_memberUid; $_SESSION['groupDN'][$values->general_dn]['cn'] = $values->general_username; $_SESSION['groupDN'][$values->general_dn]['uidNumber'] = $values->general_uidNumber; if ($values->smb_mapgroup != $values_old->smb_mapgroup) $_SESSION['groupDN'][$values->general_dn]['sambaSID'] = $values->smb_mapgroup; } // Return 3 if everything has worked fine return 3; } ?>