123456789101112131415161718192021222324252627282930313233343536373839404142434445464748495051525354555657585960616263646566676869707172737475767778798081828384858687888990919293949596979899100101102103104105106107108109110111112113114115116117118119120121122123124125126127128129130131132133134135136137138139140141142143144145146147148149150151152153154155156157158159160161162163164165166167168169170171172173174175176177178179180181182183184185186187188189190191192193194195196197198199200201202203204205206207208209210211212213214215216217218219220221222223224225226227228229230231232233234235236237238239240241242243244245246247248249250251252253254255256257258259260261262263264265266267268269270271272273274275276277278279280281282283284285286287288289290291292293294295296297298299300301302303304305306307308309310311312313314315316317318319320321322323324325326327328329330 |
- <?php
- /**
- * SPDX-FileCopyrightText: 2016-2024 Nextcloud GmbH and Nextcloud contributors
- * SPDX-FileCopyrightText: 2016 Nextcloud GmbH and Nextcloud contributors
- * SPDX-License-Identifier: AGPL-3.0-or-later
- */
- namespace OCA\User_LDAP;
- use OCA\User_LDAP\User\DeletedUsersIndex;
- use OCP\IServerContainer;
- use OCP\LDAP\IDeletionFlagSupport;
- use OCP\LDAP\ILDAPProvider;
- use Psr\Log\LoggerInterface;
- /**
- * LDAP provider for public access to the LDAP backend.
- */
- class LDAPProvider implements ILDAPProvider, IDeletionFlagSupport {
- private $userBackend;
- private $groupBackend;
- private $logger;
- /**
- * Create new LDAPProvider
- * @param IServerContainer $serverContainer
- * @param Helper $helper
- * @param DeletedUsersIndex $deletedUsersIndex
- * @throws \Exception if user_ldap app was not enabled
- */
- public function __construct(
- IServerContainer $serverContainer,
- private Helper $helper,
- private DeletedUsersIndex $deletedUsersIndex,
- ) {
- $this->logger = $serverContainer->get(LoggerInterface::class);
- $userBackendFound = false;
- $groupBackendFound = false;
- foreach ($serverContainer->getUserManager()->getBackends() as $backend) {
- $this->logger->debug('instance ' . get_class($backend) . ' user backend.', ['app' => 'user_ldap']);
- if ($backend instanceof IUserLDAP) {
- $this->userBackend = $backend;
- $userBackendFound = true;
- break;
- }
- }
- foreach ($serverContainer->getGroupManager()->getBackends() as $backend) {
- $this->logger->debug('instance ' . get_class($backend) . ' group backend.', ['app' => 'user_ldap']);
- if ($backend instanceof IGroupLDAP) {
- $this->groupBackend = $backend;
- $groupBackendFound = true;
- break;
- }
- }
- if (!$userBackendFound or !$groupBackendFound) {
- throw new \Exception('To use the LDAPProvider, user_ldap app must be enabled');
- }
- }
- /**
- * Translate an user id to LDAP DN
- * @param string $uid user id
- * @return string with the LDAP DN
- * @throws \Exception if translation was unsuccessful
- */
- public function getUserDN($uid) {
- if (!$this->userBackend->userExists($uid)) {
- throw new \Exception('User id not found in LDAP');
- }
- $result = $this->userBackend->getLDAPAccess($uid)->username2dn($uid);
- if (!$result) {
- throw new \Exception('Translation to LDAP DN unsuccessful');
- }
- return $result;
- }
- /**
- * Translate a group id to LDAP DN.
- * @param string $gid group id
- * @return string
- * @throws \Exception
- */
- public function getGroupDN($gid) {
- if (!$this->groupBackend->groupExists($gid)) {
- throw new \Exception('Group id not found in LDAP');
- }
- $result = $this->groupBackend->getLDAPAccess($gid)->groupname2dn($gid);
- if (!$result) {
- throw new \Exception('Translation to LDAP DN unsuccessful');
- }
- return $result;
- }
- /**
- * Translate a LDAP DN to an internal user name. If there is no mapping between
- * the DN and the user name, a new one will be created.
- * @param string $dn LDAP DN
- * @return string with the internal user name
- * @throws \Exception if translation was unsuccessful
- */
- public function getUserName($dn) {
- $result = $this->userBackend->dn2UserName($dn);
- if (!$result) {
- throw new \Exception('Translation to internal user name unsuccessful');
- }
- return $result;
- }
- /**
- * Convert a stored DN so it can be used as base parameter for LDAP queries.
- * @param string $dn the DN in question
- * @return string
- */
- public function DNasBaseParameter($dn) {
- return $this->helper->DNasBaseParameter($dn);
- }
- /**
- * Sanitize a DN received from the LDAP server.
- * @param array|string $dn the DN in question
- * @return array|string the sanitized DN
- */
- public function sanitizeDN($dn) {
- return $this->helper->sanitizeDN($dn);
- }
- /**
- * Return a new LDAP connection resource for the specified user.
- * The connection must be closed manually.
- * @param string $uid user id
- * @return \LDAP\Connection The LDAP connection
- * @throws \Exception if user id was not found in LDAP
- */
- public function getLDAPConnection($uid) {
- if (!$this->userBackend->userExists($uid)) {
- throw new \Exception('User id not found in LDAP');
- }
- return $this->userBackend->getNewLDAPConnection($uid);
- }
- /**
- * Return a new LDAP connection resource for the specified user.
- * The connection must be closed manually.
- * @param string $gid group id
- * @return \LDAP\Connection The LDAP connection
- * @throws \Exception if group id was not found in LDAP
- */
- public function getGroupLDAPConnection($gid) {
- if (!$this->groupBackend->groupExists($gid)) {
- throw new \Exception('Group id not found in LDAP');
- }
- return $this->groupBackend->getNewLDAPConnection($gid);
- }
- /**
- * Get the LDAP base for users.
- * @param string $uid user id
- * @return string the base for users
- * @throws \Exception if user id was not found in LDAP
- */
- public function getLDAPBaseUsers($uid) {
- if (!$this->userBackend->userExists($uid)) {
- throw new \Exception('User id not found in LDAP');
- }
- $access = $this->userBackend->getLDAPAccess($uid);
- $bases = $access->getConnection()->ldapBaseUsers;
- $dn = $this->getUserDN($uid);
- foreach ($bases as $base) {
- if ($access->isDNPartOfBase($dn, [$base])) {
- return $base;
- }
- }
- // should not occur, because the user does not qualify to use NC in this case
- $this->logger->info(
- 'No matching user base found for user {dn}, available: {bases}.',
- [
- 'app' => 'user_ldap',
- 'dn' => $dn,
- 'bases' => $bases,
- ]
- );
- return array_shift($bases);
- }
- /**
- * Get the LDAP base for groups.
- * @param string $uid user id
- * @return string the base for groups
- * @throws \Exception if user id was not found in LDAP
- */
- public function getLDAPBaseGroups($uid) {
- if (!$this->userBackend->userExists($uid)) {
- throw new \Exception('User id not found in LDAP');
- }
- $bases = $this->userBackend->getLDAPAccess($uid)->getConnection()->ldapBaseGroups;
- return array_shift($bases);
- }
- /**
- * Clear the cache if a cache is used, otherwise do nothing.
- * @param string $uid user id
- * @throws \Exception if user id was not found in LDAP
- */
- public function clearCache($uid) {
- if (!$this->userBackend->userExists($uid)) {
- throw new \Exception('User id not found in LDAP');
- }
- $this->userBackend->getLDAPAccess($uid)->getConnection()->clearCache();
- }
- /**
- * Clear the cache if a cache is used, otherwise do nothing.
- * Acts on the LDAP connection of a group
- * @param string $gid group id
- * @throws \Exception if user id was not found in LDAP
- */
- public function clearGroupCache($gid) {
- if (!$this->groupBackend->groupExists($gid)) {
- throw new \Exception('Group id not found in LDAP');
- }
- $this->groupBackend->getLDAPAccess($gid)->getConnection()->clearCache();
- }
- /**
- * Check whether a LDAP DN exists
- * @param string $dn LDAP DN
- * @return bool whether the DN exists
- */
- public function dnExists($dn) {
- $result = $this->userBackend->dn2UserName($dn);
- return !$result ? false : true;
- }
- /**
- * Flag record for deletion.
- * @param string $uid user id
- */
- public function flagRecord($uid) {
- $this->deletedUsersIndex->markUser($uid);
- }
- /**
- * Unflag record for deletion.
- * @param string $uid user id
- */
- public function unflagRecord($uid) {
- //do nothing
- }
- /**
- * Get the LDAP attribute name for the user's display name
- * @param string $uid user id
- * @return string the display name field
- * @throws \Exception if user id was not found in LDAP
- */
- public function getLDAPDisplayNameField($uid) {
- if (!$this->userBackend->userExists($uid)) {
- throw new \Exception('User id not found in LDAP');
- }
- return $this->userBackend->getLDAPAccess($uid)->getConnection()->getConfiguration()['ldap_display_name'];
- }
- /**
- * Get the LDAP attribute name for the email
- * @param string $uid user id
- * @return string the email field
- * @throws \Exception if user id was not found in LDAP
- */
- public function getLDAPEmailField($uid) {
- if (!$this->userBackend->userExists($uid)) {
- throw new \Exception('User id not found in LDAP');
- }
- return $this->userBackend->getLDAPAccess($uid)->getConnection()->getConfiguration()['ldap_email_attr'];
- }
- /**
- * Get the LDAP type of association between users and groups
- * @param string $gid group id
- * @return string the configuration, one of: 'memberUid', 'uniqueMember', 'member', 'gidNumber', ''
- * @throws \Exception if group id was not found in LDAP
- */
- public function getLDAPGroupMemberAssoc($gid) {
- if (!$this->groupBackend->groupExists($gid)) {
- throw new \Exception('Group id not found in LDAP');
- }
- return $this->groupBackend->getLDAPAccess($gid)->getConnection()->getConfiguration()['ldap_group_member_assoc_attribute'];
- }
- /**
- * Get an LDAP attribute for a nextcloud user
- *
- * @throws \Exception if user id was not found in LDAP
- */
- public function getUserAttribute(string $uid, string $attribute): ?string {
- $values = $this->getMultiValueUserAttribute($uid, $attribute);
- if (count($values) === 0) {
- return null;
- }
- return current($values);
- }
- /**
- * Get a multi-value LDAP attribute for a nextcloud user
- *
- * @throws \Exception if user id was not found in LDAP
- */
- public function getMultiValueUserAttribute(string $uid, string $attribute): array {
- if (!$this->userBackend->userExists($uid)) {
- throw new \Exception('User id not found in LDAP');
- }
- $access = $this->userBackend->getLDAPAccess($uid);
- $connection = $access->getConnection();
- $key = $uid . '-' . $attribute;
- $cached = $connection->getFromCache($key);
- if (is_array($cached)) {
- return $cached;
- }
- $values = $access->readAttribute($access->username2dn($uid), $attribute);
- if ($values === false) {
- $values = [];
- }
- $connection->writeToCache($key, $values);
- return $values;
- }
- }
|