add_objectClass(\'sambaSamAccount\');'), E_USER_ERROR); $this->base = $base; // sambaSamAccount is only a valid objectClass for user and host if (!($_SESSION[$this->base]->get_type() == 'user') && !($_SESSION[$this->base]->get_type() == 'host')) trigger_error(_('sambaSamAccount can only be used for users or hosts.'), E_USER_WARNING); /* Check if ldap conatiner is in array and set type * users are using inetOrgPerson-, hosts account-container */ if (!isset($_SESSION[$this->base]->module['posixAccount'])) $_SESSION[$this->base]->add_objectClass('posixAccount'); // Add Array with all attributes and type $this->attributes = $_SESSION[$this->base]->get_module_attributes('sambaSamAccount'); $_SESSION[$this->base]->add_attributes ('sambaSamAccount'); $this->alias = _('sambaSamAccount'); // Make references to attributes which already esists in ldap $newattributes = array_keys($this->attributes); $module = array_keys($_SESSION[$this->base]->module); // fixme *** do we have to unset module sambaSamAccount itself for ($i=0; $ibase]->module[$module[$i]]->attributes[$attribute])) $this->attributes[$attribute] =& $_SESSION[$this->base]->module[$module[$i]]->attributes[$attribute]; } $this->orig = $this->attributes ; $this->attributes['objectClass'][0] = 'sambaSamAccount'; $this->useunixpwd=false; // List of well known rids $this->rids = array ( _('Domain Admins') => 512, _('Domain Users') => 513, _('Domain Guests') => 514, _('Domain Computers') => 515, _('Domain Controllers') => 516, _('Domain Certificate Admins') => 517, _('Domain Schema Admins') => 518, _('Domain Enterprise Admins') => 519, _('Domain Policy Admins') => 520 ); } // Variables // Alias Name. 
This name is shown in the menu instead of sambaSamAccount var $alias; // name of accountContainer so we can read other classes in accuontArray var $base; // This variable contains all inetOrgPerson attributes var $attributes; /* If an account was loaded all attributes are kept in this array * to compare it with new changed attributes */ var $orig; // use unix password as samba password? var $useunixpwd; // Array of well known rids var $rids; /* This function returns a list with all required modules */ /* Returns the names of the modules this one depends on; the constructor above also adds posixAccount itself when it is missing. */function dependencies() { return array('posixAccount'); } /* Readiness check: gidNumber and uidNumber of the posixAccount module and this module's uid must all be non-empty (loose == comparison, so an unset value counts as empty too). Returns true only when all three are present. */function module_ready() { if ($_SESSION[$this->base]->module['posixAccount']->attributes['gidNumber'][0]=='') return false; if ($_SESSION[$this->base]->module['posixAccount']->attributes['uidNumber'][0]=='') return false; if ($this->attributes['uid'][0]=='') return false; return true; } /* $attribute['sambaLMPassword'] and sambaNTPassword can't accessed directly because it's enrcypted * To read / write password function userPassword is needed * This function will return the unencrypted password when * called without a variable * If it's called with a new password, the * new password will be stored encrypted */ /* Called with a string: encrypts it into attributes['sambaLMPassword'][0] and returns 0. Called with anything else (default false): returns the cleartext, or '' when nothing is stored. NOTE(review): the key and IV are taken from the client-supplied cookies "Key" and "IV", so whoever controls those cookies controls the cipher; MCRYPT_MODE_ECB ignores the IV, gives no integrity protection and lets equal blocks be recognised; the mcrypt extension is no longer bundled since PHP 7.2. What is kept here is a base64 ciphertext of the cleartext password held in the session, not the LM hash - save_attributes() below replaces it with the real hashes before writing to LDAP. With useunixpwd set the read path returns the posixAccount module's password instead of the stored value. */function sambaLMPassword($newpassword=false) { if (is_string($newpassword)) { // Write new password $iv = base64_decode($_COOKIE["IV"]); $key = base64_decode($_COOKIE["Key"]); $this->attributes['sambaLMPassword'][0] = base64_encode(mcrypt_encrypt(MCRYPT_RIJNDAEL_256, $key, $newpassword, MCRYPT_MODE_ECB, $iv)); return 0; } else { if ($this->useunixpwd) return $_SESSION[$this->base]->module['posixAccount']->userPassword(); if ($this->attributes['sambaLMPassword'][0]!='') { // Read existing password if set $iv = base64_decode($_COOKIE["IV"]); $key = base64_decode($_COOKIE["Key"]); $password = mcrypt_decrypt(MCRYPT_RIJNDAEL_256, $key, base64_decode($this->attributes['sambaLMPassword'][0]), MCRYPT_MODE_ECB, $iv); /* removes every NUL byte - presumably the zero padding mcrypt adds up to the block size, but also any NUL inside the password itself */$password = str_replace(chr(00), '', $password); return $password; } else return ''; } } /* Write 
variables into object and do some regexp checks */ /* Entry point for the submitted attribute form ($post): copies the form fields into $this->attributes, builds the sambaAcctFlags string, sets sambaPrimaryGroupSID and, for users, the password-change times, home/profile/script paths and the special-user SIDs, then validates with ereg(). Returns the $errors array (entries of the form array(level, title, text)) when any check added a message, the string 'sambaUserWorkstations' when that sub-page was requested, else 0. NOTE(review): in this copy every for-loop header reads "$iattributes" - the text between the less-than and greater-than signs appears to have been stripped on extraction, so loop conditions and body openers are missing here. $SID is only assigned when a domain matches sambaDomainName, and $RIDbase is never assigned anywhere in this function, so the fallback primary group SID below is built from undefined values. The raw $post values are copied in without per-field validation; only the paths and the password are checked further down. */function proccess_attributes($post) { // Load attributes $this->attributes['sambaDomainName'][0] = $post['form_sambaSamAccount_sambaDomainName']; // Get Domain SID from name $sambaDomains = $_SESSION[$_SESSION[$this->base]->ldap]->search_domains($_SESSION[$_SESSION[$this->base]->config]->get_domainSuffix()); for ($i=0; $iattributes['sambaDomainName'][0] == $sambaDomains[$i]->name) { $SID = $sambaDomains[$i]->SID; } /* sambaAcctFlags: "[" + the selected flag letters, space-padded to 12 characters, + "]" */$flag = "["; if ($post['form_sambaSamAccount_sambaAcctFlagsD']) $flag .= "D"; if ($post['form_sambaSamAccount_sambaAcctFlagsX']) $flag .= "X"; if ($post['form_sambaSamAccount_sambaAcctFlagsN']) $flag .= "N"; if ($post['form_sambaSamAccount_sambaAcctFlagsS']) $flag .= "S"; if ($post['form_sambaSamAccount_sambaAcctFlagsH']) $flag .= "H"; if ($post['form_sambaSamAccount_sambaAcctFlagsW']) $flag .= "W"; if ($post['form_sambaSamAccount_sambaAcctFlagsU']) $flag .= "U"; // Expand string to fixed length $flag = str_pad($flag, 12); // End character $flag = $flag. "]"; $this->attributes['sambaAcctFlags'][0] = $flag; /* hosts always get "Domain Computers" (RID 515 in $this->rids) as their primary group */if ($_SESSION[$this->base]->type=='host') { $this->attributes['sambaPrimaryGroupSID'][0] = $SID."-".$this->rids[_('Domain Computers')]; if ($post['form_sambaSamAccount_ResetSambaPassword']) { // *** fixme. What is the default password? 
/* "reset" stores the empty string as both the samba and the unix password */$this->sambaLMPassword(''); $_SESSION[$this->base]->module['posixAccount']->userPassword(''); } } if ($_SESSION[$this->base]->type=='user') { /* the password-change window is assembled from the posted h/m/s/mon/day/yea fields and stored as unix timestamps */$this->attributes['sambaPwdCanChange'][0] = mktime($post['form_sambaSamAccount_sambaPwdCanChange_h'], $post['form_sambaSamAccount_sambaPwdCanChange_m'], $post['form_sambaSamAccount_sambaPwdCanChange_s'], $post['form_sambaSamAccount_sambaPwdCanChange_mon'], $post['form_sambaSamAccount_sambaPwdCanChange_day'], $post['form_sambaSamAccount_sambaPwdCanChange_yea']); $this->attributes['sambaPwdMustChange'][0] = mktime($post['form_sambaSamAccount_sambaPwdMustChange_h'], $post['form_sambaSamAccount_sambaPwdMustChange_m'], $post['form_sambaSamAccount_sambaPwdMustChange_s'], $post['form_sambaSamAccount_sambaPwdMustChange_mon'], $post['form_sambaSamAccount_sambaPwdMustChange_day'], $post['form_sambaSamAccount_sambaPwdMustChange_yea']); $this->attributes['sambaHomePath'][0] = stripslashes($post['form_sambaSamAccount_sambaHomePath']); $this->attributes['sambaHomeDrive'][0] = $post['form_sambaSamAccount_sambaHomeDrive']; $this->attributes['sambaLogonScript'][0] = stripslashes($post['form_sambaSamAccount_sambaLogonScript']); $this->attributes['sambaProfilePath'][0] = stripslashes($post['form_sambaSamAccount_sambaProfilePath']); /* primary group: apparently a well-known RID from $this->rids when the posted group name matches one of its keys, otherwise derived from gidNumber below */$rids = array_keys($this->rids); $wrid = false; for ($i=0; $iattributes['sambaPrimaryGroupSID'][0] = $SID."-".$this->rids[$rids[$i]]; } } /* NOTE(review): "." and "+" had equal, left-associative precedence before PHP 8, so this adds $RIDbase+1 to the already concatenated string instead of to the RID; presumably $SID."-".(gidNumber*2+$RIDbase+1) was meant (the same expression recurs in save_attributes()). $RIDbase is undefined in this function. */if (!$wrid) $this->attributes['sambaPrimaryGroupSID'][0] = $SID."-".($_SESSION[$this->base]->module['posixAccount']->attributes['gidNumber'][0]*2)+$RIDbase+1; /* the password is only taken over when both fields agree; a mismatch is reported as ERROR and the repeat field dropped */if (isset($post['form_sambaSamAccount_sambaLMPassword'])) { if ($post['form_sambaSamAccount_sambaLMPassword'] != $post['form_sambaSamAccount_sambaLMPassword2']) { $errors[] = array('ERROR', _('Password'), _('Please enter the same password in both password-fields.')); unset ($post['form_sambaSamAccount_sambaLMPassword2']); } else $this->sambaLMPassword($post['form_sambaSamAccount_sambaLMPassword']); } if 
($post['form_sambaSamAccount_useunixpwd']) $this->useunixpwd = true; else $this->useunixpwd = false; /* Special users are picked by comparing the posted value with the translated labels, so the match depends on the active locale. RID 500 is the administrator, 501 the guest; the cache lookup reports an error when some other entry (anything but dn_orig) already carries that sambaSID. */if ($post['form_sambaSamAccount_sambaSID']== _('Administrator')) { $this->attributes['sambaSID'][0] = $SID."-500"; // Do a check if an administrator already exists if ($_SESSION[$_SESSION[$this->base]->cache]->in_cache($SID."-500", 'sambaSID', 'user')!=$_SESSION[$this->base]->dn_orig) $errors[] = array('ERROR', _('Special user'), _('There can be only one administrator per domain.')); } if ($post['form_sambaSamAccount_sambaSID']== _('Guest')) { $this->attributes['sambaSID'][0] = $SID."-501"; // Do a check if an administrator already exists if ($_SESSION[$_SESSION[$this->base]->cache]->in_cache($SID."-501", 'sambaSID', 'user')!=$_SESSION[$this->base]->dn_orig) $errors[] = array('ERROR', _('Special user'), _('There can be only one guest per domain.')); } /* The placeholders $user and $group in home path, logon script and profile path are replaced with the uid and gid values of the inetOrgPerson module; an INFO message is added whenever a replacement changed the posted value. */// Check values $this->attributes['sambaHomePath'][0] = str_replace('$user', $_SESSION[$this->base]->module['inetOrgPerson']->attributes['uid'][0], $this->attributes['sambaHomePath'][0]); $this->attributes['sambaHomePath'][0] = str_replace('$group', $_SESSION[$this->base]->module['inetOrgPerson']->attributes['gid'][0], $this->attributes['sambaHomePath'][0]); if ($this->attributes['sambaHomePath'][0] != stripslashes($post['form_sambaSamAccount_sambaHomePath'])) $errors[] = array('INFO', _('Home path'), _('Inserted user- or groupname in HomePath.')); $this->attributes['sambaLogonScript'][0] = str_replace('$user', $_SESSION[$this->base]->module['inetOrgPerson']->attributes['uid'][0], $this->attributes['sambaLogonScript'][0]); $this->attributes['sambaLogonScript'][0] = str_replace('$group', $_SESSION[$this->base]->module['inetOrgPerson']->attributes['gid'][0], $this->attributes['sambaLogonScript'][0]); if ($this->attributes['sambaLogonScript'][0] != stripslashes($post['form_sambaSamAccount_sambaLogonScript'])) $errors[] = array('INFO', _('Logon script'), _('Inserted user- or groupname in logon script.')); 
$this->attributes['sambaProfilePath'][0] = str_replace('$user', $_SESSION[$this->base]->module['inetOrgPerson']->attributes['uid'][0], $this->attributes['sambaProfilePath'][0]); $this->attributes['sambaProfilePath'][0] = str_replace('$group', $_SESSION[$this->base]->module['inetOrgPerson']->attributes['gid'][0], $this->attributes['sambaProfilePath'][0]); /* NOTE(review): 'sambaProfiletPath' looks like a typo for 'sambaProfilePath'; that index is never assigned, so this INFO message appears whenever a non-empty profile path was posted. */if ($this->attributes['sambaProfiletPath'][0] != stripslashes($post['form_sambaSamAccount_sambaProfilePath'])) $errors[] = array('INFO', _('Profile path'), _('Inserted user- or groupname in profilepath.')); /* NOTE(review): "!" binds tighter than "==", so (!$x=='') is (!$x)=='' - true exactly when $x is truthy, which matches the intended "not empty" but $x != '' would say so directly (same form below for the logon script and the profile path). ereg() was removed in PHP 7, and the runs of "[?]" alternatives look like non-ASCII characters lost in this copy. */if ( (!$this->attributes['sambaHomePath'][0]=='') && (!ereg('^[\][\]([a-z]|[A-Z]|[0-9]|[.]|[-]|[%])+([\]([a-z]|[A-Z]|[0-9]|[.]|[-]|[%]|[?]|[?]|[?]|[?]|[?]|[?]|[?])+)+$', $this->attributes['sambaHomePath'][0]))) $errors[] = array('ERROR', _('Home path'), _('Home path is invalid.')); /* the allowed-character check runs on the cleartext returned by sambaLMPassword(), i.e. on the unix password when useunixpwd is set */if ( !ereg('^([a-z]|[A-Z]|[0-9]|[\|]|[\#]|[\*]|[\,]|[\.]|[\;]|[\:]|[\_]|[\-]|[\+]|[\!]|[\%]|[\&]|[\/]|[\?]|[\{]|[\[]|[\(]|[\)]|[\]]|[\}])*$', $this->sambaLMPassword())) $errors[] = array('ERROR', _('Password'), _('Password contains invalid characters. Valid characters are: a-z, A-Z, 0-9 and #*,.;:_-+!$%&/|?{[()]}= !')); if ( (!$this->attributes['sambaLogonScript'][0]=='') && (!ereg('^([/])*([a-z]|[0-9]|[.]|[-]|[_]|[%]|[?]|[?]|[?]|[?]|[?]|[?]|[?])+([a-z]|[0-9]|[.]|[-]|[_]|[%]|[?]|[?]|[?]|[?]|[?]|[?]|[?])*'. 
'([/]([a-z]|[0-9]|[.]|[-]|[_]|[%]|[?]|[?]|[?]|[?]|[?]|[?]|[?])+([a-z]|[0-9]|[.]|[-]|[_]|[%]|[?]|[?]|[?]|[?]|[?]|[?]|[?])*)*(([.][b][a][t])|([.][c][m][d]))$', $this->attributes['sambaLogonScript'][0]))) $errors[] = array('ERROR', _('Script path'), _('Script path is invalid!')); /* the profile path is accepted either as a lower-case /local/path or, apparently, as a backslash-separated server\share style path */if ( (!$this->attributes['sambaProfilePath'][0]=='') && (!ereg('^[/][a-z]([a-z]|[0-9]|[.]|[-]|[_]|[%])*([/][a-z]([a-z]|[0-9]|[.]|[-]|[_]|[%])*)*$', $this->attributes['sambaProfilePath'][0])) && (!ereg('^[\][\]([a-z]|[A-Z]|[0-9]|[.]|[-]|[%])+([\]([a-z]|[A-Z]|[0-9]|[.]|[-]|[%])+)+$', $this->attributes['sambaProfilePath'][0]))) $errors[] = array('ERROR', _('Profile path'), _('Profile path is invalid!')); } /* $errors is only ever appended to, so is_array() doubles as "at least one message was added" */if (is_array($errors)) return $errors; if ($post['form_sambaSamAccount_sambaUserWorkstations']) return 'sambaUserWorkstations'; return 0; } /* Write variables into object and do some regexp checks */ /* Workstation sub-page handler: adds the selected available workstations to, or removes the selected ones from, the comma separated sambaUserWorkstations value (spaces are stripped first, the list is rebuilt from element 0 onwards). The do { } while(0) exists so that "break" ends processing after the first matching button. Returns 'attributes' when form_sambaSamAccount_attributes was posted, else 0. NOTE(review): as above, the for-loop headers are truncated in this copy. */function proccess_sambaUserWorkstations($post) { // Load attributes do { // X-Or, only one if() can be true if (isset($post['form_sambaSamAccount_availableSambaUserWorkstations']) && isset($post['form_sambaSamAccount_sambaUserWorkstations_add'])) { // Add workstations to list $temp = str_replace(' ', '', $this->attributes['sambaUserWorkstations'][0]); $workstations = explode (',', $temp); for ($i=0; $iattributes['sambaUserWorkstations'][0] = $workstations[0]; for ($i=1; $iattributes['sambaUserWorkstations'][0] = $this->attributes['sambaUserWorkstations'][0] . "," . $workstations[$i]; } break; } if (isset($post['form_sambaSamAccount_sambaUserWorkstations']) && isset($post['form_sambaSamAccount_sambaUserWorkstations_remove'])) { // remove // Add workstations from list // Put all workstations in array $temp = str_replace(' ', '', $this->attributes['sambaUserWorkstations'][0]); $workstations = explode (',', $temp); for ($i=0; $iattributes['sambaUserWorkstations'][0] = $workstations[0]; for ($i=1; $iattributes['sambaUserWorkstations'][0] = $this->attributes['sambaUserWorkstations'][0] . "," . 
$workstations[$i]; } break; } } while(0); if ($post['form_sambaSamAccount_attributes']) return 'attributes'; return 0; } /* This function loads all attributes into the object * $attr is an array as it's retured from ldap_get_attributes */ /* Drops the 'count' entries that ldap_get_attributes() adds, copies the attributes this module knows (apparently those already present in $this->attributes) with utf8_decode() applied to each value, forces objectClass, and snapshots the result into $this->orig for the later diff. Finally sambaLMPassword('') overwrites the hash read from LDAP with the encryption of an empty string, so the hash is never handed to the form; $this->orig, taken just before, still holds it, which save_attributes() relies on through isset($this->orig['sambaLMPassword'][0]). NOTE(review): utf8_decode() is deprecated since PHP 8.2 and only maps to Latin-1. Returns 0. */function load_attributes($attr) { // Load attributes which are displayed // unset count entries unset ($attr['count']); $attributes = array_keys($attr); foreach ($attributes as $attribute) unset ($attr[$attribute]['count']); // unset double entries for ($i=0; $iattributes[$attribute])) { // decode as unicode $this->attributes[$attribute] = $attr[$attribute]; for ($i=0; $iattributes[$attribute]); $i++) $this->attributes[$attribute][$i] = utf8_decode ($this->attributes[$attribute][$i]); } } // Values are kept as copy so we can compare old attributes with new attributes $this->attributes['objectClass'][0] = 'sambaSamAccount'; $this->orig = $this->attributes; /* must stay after the $this->orig snapshot: save_attributes() uses orig to tell a loaded hash from a new entry */$this->sambaLMPassword(''); // Remove old password so it won't displayed as hash return 0; } /* This function returns an array with 3 entries: * array( DN1 ('add' => array($attr), 'remove' => array($attr), 'modify' => array($attr)), DN2 .... ) * DN is the DN to change. It may be possible to change several DNs, * e.g. create a new user and add him to some groups via attribute memberUid * add are attributes which have to be added to ldap entry * remove are attributes which have to be removed from ldap entry * modify are attributes which have to been modified in ldap entry */ /* Computes sambaSID and sambaPrimaryGroupSID from the domain SID, diffs $this->attributes against $this->orig via save_module_attributes(), then replaces the encrypted password placeholder in the modify list with LM/NT hashes produced by lib/createntlm.pl. Returns the per-DN add/remove/modify array described above. Several defects are marked NOTE(review) inline. */function save_attributes() { /* Create sambaSID. 
Can't create it while loading attributes because * it's psssible uidNumber has changed */ // Get Domain SID from name $sambaDomains = $_SESSION[$_SESSION[$this->base]->ldap]->search_domains($_SESSION[$_SESSION[$this->base]->config]->get_domainSuffix()); for ($i=0; $iattributes['sambaDomainName'][0] == $sambaDomains[$i]->name) { $SID = $sambaDomains[$i]->SID; /* NOTE(review): $sambaDomain (singular) is not the $sambaDomains array looked up above, so $RIDbase stays unset here */$RIDbase = $sambaDomain[$i]->RIDbase; } $special = false; if ($this->attributes['sambaSID'][0] == $SID."-500") $special = true; if ($this->attributes['sambaSID'][0] == $SID."-501") $special = true; /* NOTE(review): "==" where an assignment was apparently intended - the comparison result is discarded, so a non-special account never gets its sambaSID set here */if (!$special) $this->attributes['sambaSID'][0] == $SID."-".($_SESSION[$this->base]->module['posixAccount']->attributes['uidNumber'][0]*2+$RIDbase); /* NOTE(review): $rids holds the group names (array_keys of $this->rids), so this compares against e.g. "SID-Domain Users" rather than the numeric RID; proccess_attributes() uses $this->rids[$rids[$i]] for the same purpose. The fallback that follows has the "." versus "+" precedence problem noted in proccess_attributes(). */$rids = array_keys($this->rids); $wrid = false; for ($i=0; $iattributes['sambaPrimaryGroupSID'][0] == $SID . "-" . $rids[$i]) $wrid = true; if (!$wrid) $this->attributes['sambaPrimaryGroupSID'][0] = $SID."-".($_SESSION[$this->base]->module['posixAccount']->attributes['gidNumber'][0]*2)+$RIDbase+1; $return = $_SESSION[$this->base]->save_module_attributes($this->attributes, $this->orig); /* the encrypted placeholder that the diff put into the modify list is dropped and replaced by the real LM/NT hashes */// Set password if (isset($return[$_SESSION[$this->base]->dn]['modify']['sambaLMPassword'])) unset($return[$_SESSION[$this->base]->dn]['modify']['sambaLMPassword']); if (isset($return[$_SESSION[$this->base]->dn]['modify']['sambaNTPassword'])) unset($return[$_SESSION[$this->base]->dn]['modify']['sambaNTPassword']); /* NOTE(review): hashes are produced by running lib/createntlm.pl once for "lm" and once for "nt". escapeshellarg() prevents shell injection, but the cleartext password (the unix password when useunixpwd is set) travels as a command-line argument and is readable in the process list by other local users while the helper runs; handing it over on stdin would avoid that. This first branch runs for entries that had no hash when loaded, the second one (next line) whenever a cleartext password is present, so a new entry with a password does the work twice. */if (!isset($this->orig['sambaLMPassword'][0])) { $return[$_SESSION[$this->base]->dn]['modify']['sambaLMPassword'][0] = exec(escapeshellarg($_SESSION['lampath'].'lib/createntlm.pl')." lm ".escapeshellarg($this->sambaLMPassword())); $return[$_SESSION[$this->base]->dn]['modify']['sambaNTPassword'][0] = exec(escapeshellarg($_SESSION['lampath'].'lib/createntlm.pl')." 
nt ".escapeshellarg($this->sambaLMPassword())); $return[$_SESSION[$this->base]->dn]['modify']['sambaPwdLastSet'][0] = time(); } if ($this->sambaLMPassword()!='') { $return[$_SESSION[$this->base]->dn]['modify']['sambaLMPassword'][0] = exec(escapeshellarg($_SESSION['lampath'].'lib/createntlm.pl')." lm ".escapeshellarg($this->sambaLMPassword())); $return[$_SESSION[$this->base]->dn]['modify']['sambaNTPassword'][0] = exec(escapeshellarg($_SESSION['lampath'].'lib/createntlm.pl')." nt ".escapeshellarg($this->sambaLMPassword())); $return[$_SESSION[$this->base]->dn]['modify']['sambaPwdLastSet'][0] = time(); } return $return; } /* This function returns all ldap attributes * which are part of sambaSamAccount and returns * also their values. */ /* Returns the module's attribute array as is, encrypted password placeholder included. */function get_attributes() { return $this->attributes; } /* This function will create the html-page * to show a page with all attributes. * It will output a complete html-table */ /* Prints the attribute form for users or hosts (the HTML markup itself is missing from this copy; only the PHP expressions survived). NOTE(review): further down, attribute values such as sambaHomePath, sambaProfilePath and sambaLogonScript appear to be concatenated into input value attributes without htmlspecialchars(), so a value containing a quote breaks the markup and an LDAP value that an attacker can influence becomes stored XSS; and the cleartext result of sambaLMPassword() is written back into both password fields, so the password round-trips to the browser on every render. */function display_html_attributes($post) { // Get Domain SID from name $sambaDomains = $_SESSION[$_SESSION[$this->base]->ldap]->search_domains($_SESSION[$_SESSION[$this->base]->config]->get_domainSuffix()); for ($i=0; $iname; if ($this->attributes['sambaDomainName'][0] == $sambaDomains[$i]->name) $SID = $sambaDomains[$i]->SID; } if ($_SESSION[$this->base]->type=='user') { $canchangedate = getdate($this->attributes['sambaPwdCanChange'][0]); $mustchangedate = getdate($this->attributes['sambaPwdMustChange'][0]); echo ''. ''. ''. ''. ''. ''. 
''; echo "\n\n"; echo "\n"; echo "\n"; echo "\n"; echo "\n"; echo "\n"; echo "\n"; echo "\n"; echo "\n"; echo "\n"; if ($_SESSION[$this->base]->module['posixAccount']->orig['userPassword'][0] != $_SESSION[$this->base]->module['posixAccount']->attributes['userPassword'][0]) { echo "\n"; echo "\n"; echo "\n"; echo ""; echo "\n"; } echo "\n"; echo "\n"; echo "\n"; echo "\n"; echo "\n"; echo "\n"; echo "\n"; echo "\n"; echo "\n"; echo "\n"; echo "\n"; echo "\n"; echo "\n"; echo "\n"; echo "\n"; echo "\n"; echo "\n"; echo "\n"; echo "\n"; echo "\n"; echo "\n"; echo "\n"; echo "\n"; echo "\n"; echo "\n"; echo "\n"; echo "\n"; echo "\n"; echo "\n"; echo "\n"; echo "\n"; echo "\n"; echo "\n"; echo "\n"; echo "\n"; echo "\n"; echo "\n"; echo "\n"; echo "\n"; echo "\n"; echo "\n"; echo "\n"; echo "\n"; echo "\n"; echo "\n"; echo "\n"; echo "\n"; echo "\n"; echo "\n"; echo "\n"; echo "\n"; echo "\n"; echo "\n"; echo "\n"; echo "\n"; echo "\n"; echo "\n"; echo "\n"; echo "\n"; echo "\n"; echo "\n"; echo "\n"; echo "\n"; echo "\n"; echo "\n"; echo "
" . _('Samba password') . "sambaLMPassword() . "\">
" . _('Repeat password') . "sambaLMPassword(); echo "\">
" . _('Use unix password') . "useunixpwd) echo " checked "; echo ">" . _('Help') . "
" . _('Use no password') . "attributes['sambaAcctFlags'][0], "N")) echo " checked "; echo ">" . _('Help' ) ."
" . _('Password does not expire') . "attributes['sambaAcctFlags'][0], "X")) echo " checked "; echo ">" . _('Help') . "
" . _('User can change password') . "" . _('Help') . "
" . _('User must change password') . "" . _('Help') . "
" . _('Account is deactivated') . "attributes['sambaAcctFlags'][0], "D")) echo " checked "; echo ">" . _('Help') . "
" . _('Home drive') . "" . _('Help') . "
" . _('Home path') . "attributes['sambaHomePath'][0] . "\">" . _('Help') . "
" . _('Profile path') . "attributes['sambaProfilePath'][0] . "\">" . _('Help') . "
" . _('Logon script') . "attributes['sambaLogonScript'][0] . "\">" . _('Help') . "
" . _('Samba workstations') . "" . _('Help') . "
" . _('Windows group') . "" . _('Help') . "
" . _('Special user') . "" . _('Help-XX') . "
" . _('Domain') . "" . _('Help') . "
\n"; } if ($_SESSION[$this->base]->type=='host') { echo ''; echo "\n\n"; echo "\n"; echo "\n"; echo "\n"; echo "\n"; echo "\n"; echo "\n"; echo "\n"; echo "\n"; echo "\n"; echo "
" . _('Reset password') . "
" . _('Domain') . "" . _('Help') . "
\n"; } return 0; } /* This function will create the html-page * to show a page with all attributes. * It will output a complete html-table */ function display_html_sambaUserWorkstations($post) { // Get list of all hosts. $result = $_SESSION[$_SESSION[$this->base]->cache]->get_cache('uid', 'sambaSamAccount', 'host'); if (is_array($result)) { foreach ($result as $host) $availableUserWorkstations[] = str_replace("$", '', $host[0]); sort($availableUserWorkstations, SORT_STRING); $result = str_replace(' ', '', $this->attributes['sambaUserWorkstations'][0]); $userWorkstations = explode (',', $result); $availableUserWorkstations = array_delete($userWorkstations, $availableUserWorkstations); } echo "\n\n"; echo "\n"; echo "\n"; echo "\n"; echo "\n"; echo "\n"; echo "\n"; echo "\n"; echo "\n"; echo "\n"; echo "\n"; echo "
"; echo "
base]->type."edit-bright\">base]->type."edit-bright\">"; echo _("Allowed workstations"); echo "\n"; // display all workstations the user is allowed to login if (count($userWorkstations)!=0) { echo "\n"; } echo "
"; echo " "; echo "\">

"; echo ""._('Help')."
"; echo "
base]->type."edit-bright\">base]->type."edit-bright\">"; echo _('Available workstations'); echo "\n"; // Display all workstations without these the user is allowed to login if (count($availableUserWorkstations)!=0) { echo "\n"; } echo "
\n"; } } ?>