1
0

LDAPProvider.php 9.4 KB

123456789101112131415161718192021222324252627282930313233343536373839404142434445464748495051525354555657585960616263646566676869707172737475767778798081828384858687888990919293949596979899100101102103104105106107108109110111112113114115116117118119120121122123124125126127128129130131132133134135136137138139140141142143144145146147148149150151152153154155156157158159160161162163164165166167168169170171172173174175176177178179180181182183184185186187188189190191192193194195196197198199200201202203204205206207208209210211212213214215216217218219220221222223224225226227228229230231232233234235236237238239240241242243244245246247248249250251252253254255256257258259260261262263264265266267268269270271272273274275276277278279280281282283284285286287288289290291292293294295296297298299300301302303304305306307308309310311312
  1. <?php
  2. /**
  3. * @copyright Copyright (c) 2016, Roger Szabo (roger.szabo@web.de)
  4. *
  5. * @author Arthur Schiwon <blizzz@arthur-schiwon.de>
  6. * @author Joas Schilling <coding@schilljs.com>
  7. * @author Roeland Jago Douma <roeland@famdouma.nl>
  8. * @author Roger Szabo <roger.szabo@web.de>
  9. * @author root <root@localhost.localdomain>
  10. * @author Vinicius Cubas Brand <vinicius@eita.org.br>
  11. *
  12. * @license GNU AGPL version 3 or any later version
  13. *
  14. * This program is free software: you can redistribute it and/or modify
  15. * it under the terms of the GNU Affero General Public License as
  16. * published by the Free Software Foundation, either version 3 of the
  17. * License, or (at your option) any later version.
  18. *
  19. * This program is distributed in the hope that it will be useful,
  20. * but WITHOUT ANY WARRANTY; without even the implied warranty of
  21. * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
  22. * GNU Affero General Public License for more details.
  23. *
  24. * You should have received a copy of the GNU Affero General Public License
  25. * along with this program. If not, see <http://www.gnu.org/licenses/>.
  26. *
  27. */
  28. namespace OCA\User_LDAP;
  29. use OCA\User_LDAP\User\DeletedUsersIndex;
  30. use OCP\IServerContainer;
  31. use OCP\LDAP\IDeletionFlagSupport;
  32. use OCP\LDAP\ILDAPProvider;
  33. /**
  34. * LDAP provider for pulic access to the LDAP backend.
  35. */
  36. class LDAPProvider implements ILDAPProvider, IDeletionFlagSupport {
  37. private $userBackend;
  38. private $groupBackend;
  39. private $logger;
  40. private $helper;
  41. private $deletedUsersIndex;
  42. /**
  43. * Create new LDAPProvider
  44. * @param \OCP\IServerContainer $serverContainer
  45. * @param Helper $helper
  46. * @param DeletedUsersIndex $deletedUsersIndex
  47. * @throws \Exception if user_ldap app was not enabled
  48. */
  49. public function __construct(IServerContainer $serverContainer, Helper $helper, DeletedUsersIndex $deletedUsersIndex) {
  50. $this->logger = $serverContainer->getLogger();
  51. $this->helper = $helper;
  52. $this->deletedUsersIndex = $deletedUsersIndex;
  53. $userBackendFound = false;
  54. $groupBackendFound = false;
  55. foreach ($serverContainer->getUserManager()->getBackends() as $backend){
  56. $this->logger->debug('instance '.get_class($backend).' user backend.', ['app' => 'user_ldap']);
  57. if ($backend instanceof IUserLDAP) {
  58. $this->userBackend = $backend;
  59. $userBackendFound = true;
  60. break;
  61. }
  62. }
  63. foreach ($serverContainer->getGroupManager()->getBackends() as $backend){
  64. $this->logger->debug('instance '.get_class($backend).' group backend.', ['app' => 'user_ldap']);
  65. if ($backend instanceof IGroupLDAP) {
  66. $this->groupBackend = $backend;
  67. $groupBackendFound = true;
  68. break;
  69. }
  70. }
  71. if (!$userBackendFound or !$groupBackendFound) {
  72. throw new \Exception('To use the LDAPProvider, user_ldap app must be enabled');
  73. }
  74. }
  75. /**
  76. * Translate an user id to LDAP DN
  77. * @param string $uid user id
  78. * @return string with the LDAP DN
  79. * @throws \Exception if translation was unsuccessful
  80. */
  81. public function getUserDN($uid) {
  82. if(!$this->userBackend->userExists($uid)){
  83. throw new \Exception('User id not found in LDAP');
  84. }
  85. $result = $this->userBackend->getLDAPAccess($uid)->username2dn($uid);
  86. if(!$result){
  87. throw new \Exception('Translation to LDAP DN unsuccessful');
  88. }
  89. return $result;
  90. }
  91. /**
  92. * Translate a group id to LDAP DN.
  93. * @param string $gid group id
  94. * @return string
  95. * @throws \Exception
  96. */
  97. public function getGroupDN($gid) {
  98. if(!$this->groupBackend->groupExists($gid)){
  99. throw new \Exception('Group id not found in LDAP');
  100. }
  101. $result = $this->groupBackend->getLDAPAccess($gid)->groupname2dn($gid);
  102. if(!$result){
  103. throw new \Exception('Translation to LDAP DN unsuccessful');
  104. }
  105. return $result;
  106. }
  107. /**
  108. * Translate a LDAP DN to an internal user name. If there is no mapping between
  109. * the DN and the user name, a new one will be created.
  110. * @param string $dn LDAP DN
  111. * @return string with the internal user name
  112. * @throws \Exception if translation was unsuccessful
  113. */
  114. public function getUserName($dn) {
  115. $result = $this->userBackend->dn2UserName($dn);
  116. if(!$result){
  117. throw new \Exception('Translation to internal user name unsuccessful');
  118. }
  119. return $result;
  120. }
  121. /**
  122. * Convert a stored DN so it can be used as base parameter for LDAP queries.
  123. * @param string $dn the DN in question
  124. * @return string
  125. */
  126. public function DNasBaseParameter($dn) {
  127. return $this->helper->DNasBaseParameter($dn);
  128. }
  129. /**
  130. * Sanitize a DN received from the LDAP server.
  131. * @param array $dn the DN in question
  132. * @return array the sanitized DN
  133. */
  134. public function sanitizeDN($dn) {
  135. return $this->helper->sanitizeDN($dn);
  136. }
  137. /**
  138. * Return a new LDAP connection resource for the specified user.
  139. * The connection must be closed manually.
  140. * @param string $uid user id
  141. * @return resource of the LDAP connection
  142. * @throws \Exception if user id was not found in LDAP
  143. */
  144. public function getLDAPConnection($uid) {
  145. if(!$this->userBackend->userExists($uid)){
  146. throw new \Exception('User id not found in LDAP');
  147. }
  148. return $this->userBackend->getNewLDAPConnection($uid);
  149. }
  150. /**
  151. * Return a new LDAP connection resource for the specified user.
  152. * The connection must be closed manually.
  153. * @param string $gid group id
  154. * @return resource of the LDAP connection
  155. * @throws \Exception if group id was not found in LDAP
  156. */
  157. public function getGroupLDAPConnection($gid) {
  158. if(!$this->groupBackend->groupExists($gid)){
  159. throw new \Exception('Group id not found in LDAP');
  160. }
  161. return $this->groupBackend->getNewLDAPConnection($gid);
  162. }
  163. /**
  164. * Get the LDAP base for users.
  165. * @param string $uid user id
  166. * @return string the base for users
  167. * @throws \Exception if user id was not found in LDAP
  168. */
  169. public function getLDAPBaseUsers($uid) {
  170. if(!$this->userBackend->userExists($uid)){
  171. throw new \Exception('User id not found in LDAP');
  172. }
  173. $access = $this->userBackend->getLDAPAccess($uid);
  174. $bases = $access->getConnection()->ldapBaseUsers;
  175. $dn = $this->getUserDN($uid);
  176. foreach ($bases as $base) {
  177. if($access->isDNPartOfBase($dn, [$base])) {
  178. return $base;
  179. }
  180. }
  181. // should not occur, because the user does not qualify to use NC in this case
  182. $this->logger->info(
  183. 'No matching user base found for user {dn}, available: {bases}.',
  184. [
  185. 'app' => 'user_ldap',
  186. 'dn' => $dn,
  187. 'bases' => $bases,
  188. ]
  189. );
  190. return array_shift($bases);
  191. }
  192. /**
  193. * Get the LDAP base for groups.
  194. * @param string $uid user id
  195. * @return string the base for groups
  196. * @throws \Exception if user id was not found in LDAP
  197. */
  198. public function getLDAPBaseGroups($uid) {
  199. if(!$this->userBackend->userExists($uid)){
  200. throw new \Exception('User id not found in LDAP');
  201. }
  202. $bases = $this->userBackend->getLDAPAccess($uid)->getConnection()->ldapBaseGroups;
  203. return array_shift($bases);
  204. }
  205. /**
  206. * Clear the cache if a cache is used, otherwise do nothing.
  207. * @param string $uid user id
  208. * @throws \Exception if user id was not found in LDAP
  209. */
  210. public function clearCache($uid) {
  211. if(!$this->userBackend->userExists($uid)){
  212. throw new \Exception('User id not found in LDAP');
  213. }
  214. $this->userBackend->getLDAPAccess($uid)->getConnection()->clearCache();
  215. }
  216. /**
  217. * Clear the cache if a cache is used, otherwise do nothing.
  218. * Acts on the LDAP connection of a group
  219. * @param string $gid group id
  220. * @throws \Exception if user id was not found in LDAP
  221. */
  222. public function clearGroupCache($gid) {
  223. if(!$this->groupBackend->groupExists($gid)){
  224. throw new \Exception('Group id not found in LDAP');
  225. }
  226. $this->groupBackend->getLDAPAccess($gid)->getConnection()->clearCache();
  227. }
  228. /**
  229. * Check whether a LDAP DN exists
  230. * @param string $dn LDAP DN
  231. * @return bool whether the DN exists
  232. */
  233. public function dnExists($dn) {
  234. $result = $this->userBackend->dn2UserName($dn);
  235. return !$result ? false : true;
  236. }
  237. /**
  238. * Flag record for deletion.
  239. * @param string $uid user id
  240. */
  241. public function flagRecord($uid) {
  242. $this->deletedUsersIndex->markUser($uid);
  243. }
  244. /**
  245. * Unflag record for deletion.
  246. * @param string $uid user id
  247. */
  248. public function unflagRecord($uid) {
  249. //do nothing
  250. }
  251. /**
  252. * Get the LDAP attribute name for the user's display name
  253. * @param string $uid user id
  254. * @return string the display name field
  255. * @throws \Exception if user id was not found in LDAP
  256. */
  257. public function getLDAPDisplayNameField($uid) {
  258. if(!$this->userBackend->userExists($uid)){
  259. throw new \Exception('User id not found in LDAP');
  260. }
  261. return $this->userBackend->getLDAPAccess($uid)->getConnection()->getConfiguration()['ldap_display_name'];
  262. }
  263. /**
  264. * Get the LDAP attribute name for the email
  265. * @param string $uid user id
  266. * @return string the email field
  267. * @throws \Exception if user id was not found in LDAP
  268. */
  269. public function getLDAPEmailField($uid) {
  270. if(!$this->userBackend->userExists($uid)){
  271. throw new \Exception('User id not found in LDAP');
  272. }
  273. return $this->userBackend->getLDAPAccess($uid)->getConnection()->getConfiguration()['ldap_email_attr'];
  274. }
  275. /**
  276. * Get the LDAP type of association between users and groups
  277. * @param string $gid group id
  278. * @return string the configuration, one of: 'memberUid', 'uniqueMember', 'member', 'gidNumber', ''
  279. * @throws \Exception if group id was not found in LDAP
  280. */
  281. public function getLDAPGroupMemberAssoc($gid) {
  282. if(!$this->groupBackend->groupExists($gid)){
  283. throw new \Exception('Group id not found in LDAP');
  284. }
  285. return $this->groupBackend->getLDAPAccess($gid)->getConnection()->getConfiguration()['ldap_group_member_assoc_attribute'];
  286. }
  287. }