LDAPProvider.php 9.3 KB

123456789101112131415161718192021222324252627282930313233343536373839404142434445464748495051525354555657585960616263646566676869707172737475767778798081828384858687888990919293949596979899100101102103104105106107108109110111112113114115116117118119120121122123124125126127128129130131132133134135136137138139140141142143144145146147148149150151152153154155156157158159160161162163164165166167168169170171172173174175176177178179180181182183184185186187188189190191192193194195196197198199200201202203204205206207208209210211212213214215216217218219220221222223224225226227228229230231232233234235236237238239240241242243244245246247248249250251252253254255256257258259260261262263264265266267268269270271272273274275276277278279280281282283284285286287288289290291292293294295296297298299300301302303304305306307308309310
  1. <?php
  2. /**
  3. * @copyright Copyright (c) 2016, Roger Szabo (roger.szabo@web.de)
  4. *
  5. * @author Joas Schilling <coding@schilljs.com>
  6. * @author Roger Szabo <roger.szabo@web.de>
  7. * @author root <root@localhost.localdomain>
  8. * @author Vinicius Cubas Brand <vinicius@eita.org.br>
  9. *
  10. * @license GNU AGPL version 3 or any later version
  11. *
  12. * This program is free software: you can redistribute it and/or modify
  13. * it under the terms of the GNU Affero General Public License as
  14. * published by the Free Software Foundation, either version 3 of the
  15. * License, or (at your option) any later version.
  16. *
  17. * This program is distributed in the hope that it will be useful,
  18. * but WITHOUT ANY WARRANTY; without even the implied warranty of
  19. * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
  20. * GNU Affero General Public License for more details.
  21. *
  22. * You should have received a copy of the GNU Affero General Public License
  23. * along with this program. If not, see <http://www.gnu.org/licenses/>.
  24. *
  25. */
  26. namespace OCA\User_LDAP;
  27. use OCP\LDAP\ILDAPProvider;
  28. use OCP\LDAP\IDeletionFlagSupport;
  29. use OCP\IServerContainer;
  30. use OCA\User_LDAP\User\DeletedUsersIndex;
  31. /**
  32. * LDAP provider for pulic access to the LDAP backend.
  33. */
  34. class LDAPProvider implements ILDAPProvider, IDeletionFlagSupport {
  35. private $userBackend;
  36. private $groupBackend;
  37. private $logger;
  38. private $helper;
  39. private $deletedUsersIndex;
  40. /**
  41. * Create new LDAPProvider
  42. * @param \OCP\IServerContainer $serverContainer
  43. * @param Helper $helper
  44. * @param DeletedUsersIndex $deletedUsersIndex
  45. * @throws \Exception if user_ldap app was not enabled
  46. */
  47. public function __construct(IServerContainer $serverContainer, Helper $helper, DeletedUsersIndex $deletedUsersIndex) {
  48. $this->logger = $serverContainer->getLogger();
  49. $this->helper = $helper;
  50. $this->deletedUsersIndex = $deletedUsersIndex;
  51. $userBackendFound = false;
  52. $groupBackendFound = false;
  53. foreach ($serverContainer->getUserManager()->getBackends() as $backend){
  54. $this->logger->debug('instance '.get_class($backend).' user backend.', ['app' => 'user_ldap']);
  55. if ($backend instanceof IUserLDAP) {
  56. $this->userBackend = $backend;
  57. $userBackendFound = true;
  58. break;
  59. }
  60. }
  61. foreach ($serverContainer->getGroupManager()->getBackends() as $backend){
  62. $this->logger->debug('instance '.get_class($backend).' group backend.', ['app' => 'user_ldap']);
  63. if ($backend instanceof IGroupLDAP) {
  64. $this->groupBackend = $backend;
  65. $groupBackendFound = true;
  66. break;
  67. }
  68. }
  69. if (!$userBackendFound or !$groupBackendFound) {
  70. throw new \Exception('To use the LDAPProvider, user_ldap app must be enabled');
  71. }
  72. }
  73. /**
  74. * Translate an user id to LDAP DN
  75. * @param string $uid user id
  76. * @return string with the LDAP DN
  77. * @throws \Exception if translation was unsuccessful
  78. */
  79. public function getUserDN($uid) {
  80. if(!$this->userBackend->userExists($uid)){
  81. throw new \Exception('User id not found in LDAP');
  82. }
  83. $result = $this->userBackend->getLDAPAccess($uid)->username2dn($uid);
  84. if(!$result){
  85. throw new \Exception('Translation to LDAP DN unsuccessful');
  86. }
  87. return $result;
  88. }
  89. /**
  90. * Translate a group id to LDAP DN.
  91. * @param string $gid group id
  92. * @return string
  93. * @throws \Exception
  94. */
  95. public function getGroupDN($gid) {
  96. if(!$this->groupBackend->groupExists($gid)){
  97. throw new \Exception('Group id not found in LDAP');
  98. }
  99. $result = $this->groupBackend->getLDAPAccess($gid)->groupname2dn($gid);
  100. if(!$result){
  101. throw new \Exception('Translation to LDAP DN unsuccessful');
  102. }
  103. return $result;
  104. }
  105. /**
  106. * Translate a LDAP DN to an internal user name. If there is no mapping between
  107. * the DN and the user name, a new one will be created.
  108. * @param string $dn LDAP DN
  109. * @return string with the internal user name
  110. * @throws \Exception if translation was unsuccessful
  111. */
  112. public function getUserName($dn) {
  113. $result = $this->userBackend->dn2UserName($dn);
  114. if(!$result){
  115. throw new \Exception('Translation to internal user name unsuccessful');
  116. }
  117. return $result;
  118. }
  119. /**
  120. * Convert a stored DN so it can be used as base parameter for LDAP queries.
  121. * @param string $dn the DN in question
  122. * @return string
  123. */
  124. public function DNasBaseParameter($dn) {
  125. return $this->helper->DNasBaseParameter($dn);
  126. }
  127. /**
  128. * Sanitize a DN received from the LDAP server.
  129. * @param array $dn the DN in question
  130. * @return array the sanitized DN
  131. */
  132. public function sanitizeDN($dn) {
  133. return $this->helper->sanitizeDN($dn);
  134. }
  135. /**
  136. * Return a new LDAP connection resource for the specified user.
  137. * The connection must be closed manually.
  138. * @param string $uid user id
  139. * @return resource of the LDAP connection
  140. * @throws \Exception if user id was not found in LDAP
  141. */
  142. public function getLDAPConnection($uid) {
  143. if(!$this->userBackend->userExists($uid)){
  144. throw new \Exception('User id not found in LDAP');
  145. }
  146. return $this->userBackend->getNewLDAPConnection($uid);
  147. }
  148. /**
  149. * Return a new LDAP connection resource for the specified user.
  150. * The connection must be closed manually.
  151. * @param string $gid group id
  152. * @return resource of the LDAP connection
  153. * @throws \Exception if group id was not found in LDAP
  154. */
  155. public function getGroupLDAPConnection($gid) {
  156. if(!$this->groupBackend->groupExists($gid)){
  157. throw new \Exception('Group id not found in LDAP');
  158. }
  159. return $this->groupBackend->getNewLDAPConnection($gid);
  160. }
  161. /**
  162. * Get the LDAP base for users.
  163. * @param string $uid user id
  164. * @return string the base for users
  165. * @throws \Exception if user id was not found in LDAP
  166. */
  167. public function getLDAPBaseUsers($uid) {
  168. if(!$this->userBackend->userExists($uid)){
  169. throw new \Exception('User id not found in LDAP');
  170. }
  171. $access = $this->userBackend->getLDAPAccess($uid);
  172. $bases = $access->getConnection()->ldapBaseUsers;
  173. $dn = $this->getUserDN($uid);
  174. foreach ($bases as $base) {
  175. if($access->isDNPartOfBase($dn, [$base])) {
  176. return $base;
  177. }
  178. }
  179. // should not occur, because the user does not qualify to use NC in this case
  180. $this->logger->info(
  181. 'No matching user base found for user {dn}, available: {bases}.',
  182. [
  183. 'app' => 'user_ldap',
  184. 'dn' => $dn,
  185. 'bases' => $bases,
  186. ]
  187. );
  188. return array_shift($bases);
  189. }
  190. /**
  191. * Get the LDAP base for groups.
  192. * @param string $uid user id
  193. * @return string the base for groups
  194. * @throws \Exception if user id was not found in LDAP
  195. */
  196. public function getLDAPBaseGroups($uid) {
  197. if(!$this->userBackend->userExists($uid)){
  198. throw new \Exception('User id not found in LDAP');
  199. }
  200. $bases = $this->userBackend->getLDAPAccess($uid)->getConnection()->ldapBaseGroups;
  201. return array_shift($bases);
  202. }
  203. /**
  204. * Clear the cache if a cache is used, otherwise do nothing.
  205. * @param string $uid user id
  206. * @throws \Exception if user id was not found in LDAP
  207. */
  208. public function clearCache($uid) {
  209. if(!$this->userBackend->userExists($uid)){
  210. throw new \Exception('User id not found in LDAP');
  211. }
  212. $this->userBackend->getLDAPAccess($uid)->getConnection()->clearCache();
  213. }
  214. /**
  215. * Clear the cache if a cache is used, otherwise do nothing.
  216. * Acts on the LDAP connection of a group
  217. * @param string $gid group id
  218. * @throws \Exception if user id was not found in LDAP
  219. */
  220. public function clearGroupCache($gid) {
  221. if(!$this->groupBackend->groupExists($gid)){
  222. throw new \Exception('Group id not found in LDAP');
  223. }
  224. $this->groupBackend->getLDAPAccess($gid)->getConnection()->clearCache();
  225. }
  226. /**
  227. * Check whether a LDAP DN exists
  228. * @param string $dn LDAP DN
  229. * @return bool whether the DN exists
  230. */
  231. public function dnExists($dn) {
  232. $result = $this->userBackend->dn2UserName($dn);
  233. return !$result ? false : true;
  234. }
  235. /**
  236. * Flag record for deletion.
  237. * @param string $uid user id
  238. */
  239. public function flagRecord($uid) {
  240. $this->deletedUsersIndex->markUser($uid);
  241. }
  242. /**
  243. * Unflag record for deletion.
  244. * @param string $uid user id
  245. */
  246. public function unflagRecord($uid) {
  247. //do nothing
  248. }
  249. /**
  250. * Get the LDAP attribute name for the user's display name
  251. * @param string $uid user id
  252. * @return string the display name field
  253. * @throws \Exception if user id was not found in LDAP
  254. */
  255. public function getLDAPDisplayNameField($uid) {
  256. if(!$this->userBackend->userExists($uid)){
  257. throw new \Exception('User id not found in LDAP');
  258. }
  259. return $this->userBackend->getLDAPAccess($uid)->getConnection()->getConfiguration()['ldap_display_name'];
  260. }
  261. /**
  262. * Get the LDAP attribute name for the email
  263. * @param string $uid user id
  264. * @return string the email field
  265. * @throws \Exception if user id was not found in LDAP
  266. */
  267. public function getLDAPEmailField($uid) {
  268. if(!$this->userBackend->userExists($uid)){
  269. throw new \Exception('User id not found in LDAP');
  270. }
  271. return $this->userBackend->getLDAPAccess($uid)->getConnection()->getConfiguration()['ldap_email_attr'];
  272. }
  273. /**
  274. * Get the LDAP type of association between users and groups
  275. * @param string $gid group id
  276. * @return string the configuration, one of: 'memberUid', 'uniqueMember', 'member', 'gidNumber'
  277. * @throws \Exception if group id was not found in LDAP
  278. */
  279. public function getLDAPGroupMemberAssoc($gid) {
  280. if(!$this->groupBackend->groupExists($gid)){
  281. throw new \Exception('Group id not found in LDAP');
  282. }
  283. return $this->groupBackend->getLDAPAccess($gid)->getConnection()->getConfiguration()['ldap_group_member_assoc_attribute'];
  284. }
  285. }