inc/drivers_ldap.php

   1 <?php
   2 /**
   3 * Manages LDAP repository connection
   4 *
   5 * @package   davical
   6 * @category Technical
   7 * @subpackage   ldap
   8 * @author    Maxime Delorme <mdelorme@tennaxia.net>,
   9 *                Andrew McMillan <andrew@mcmillan.net.nz>
  10 * @copyright Maxime Delorme
  11 * @license   http://gnu.org/copyleft/gpl.html GNU GPL v2 or later
  12 */
  13
  14 require_once("auth-functions.php");
  15
  16 class ldapDrivers
  17 {
  18   /**#@+
  19   * @access private
  20   */
  21
  22   /**
  23   * Holds the LDAP connection parameters
  24   */
  25   var $connect;
  26
  27   /**#@-*/
  28
  29
  30   /**
  31   * Initializes the LDAP connection
  32   *
  33   * @param array $config The configuration data
  34   */
  35   function __construct($config)
  36   {
  37       global $c;
  38       $host=$config['host'];
  39       $port=$config['port'];
  40       if(!function_exists('ldap_connect')){
  41           $c->messages[] = i18n("drivers_ldap : function ldap_connect not defined, check your php_ldap module");
  42           $this->valid=false;
  43           return ;
  44       }
  45
  46       //Set LDAP protocol version
  47       if (isset($config['protocolVersion']))
  48           ldap_set_option($this->connect, LDAP_OPT_PROTOCOL_VERSION, $config['protocolVersion']);
  49       if (isset($config['optReferrals']))
  50           ldap_set_option($this->connect, LDAP_OPT_REFERRALS, $config['optReferrals']);
  51
  52       if ($port)
  53           $this->connect=ldap_connect($host, $port);
  54       else
  55           $this->connect=ldap_connect($host);
  56
  57       if (! $this->connect){
  58           $c->messages[] = sprintf(translate( 'drivers_ldap : Unable to connect to LDAP with port %s on host %s'), $port, $host );
  59           $this->valid=false;
  60           return ;
  61       }
  62
  63       dbg_error_log( "LDAP", "drivers_ldap : Connected to LDAP server %s",$host );
  64
  65       // Start TLS if desired (requires protocol version 3)
  66       if (isset($config['startTLS'])) {
  67         if (!ldap_set_option($this->connect, LDAP_OPT_PROTOCOL_VERSION, 3)) {
  68           $c->messages[] = i18n('drivers_ldap : Failed to set LDAP to use protocol version 3, TLS not supported');
  69           $this->valid=false;
  70           return;
  71         }
  72         if (!ldap_start_tls($this->connect)) {
  73           $c->messages[] = i18n('drivers_ldap : Could not start TLS: ldap_start_tls() failed');
  74           $this->valid=false;
  75           return;
  76         }
  77       }
  78
  79       //Set the search scope to be used, default to subtree.  This sets the functions to be called later.
  80       if (!isset($config['scope'])) $config['scope'] = 'subtree';
  81       switch (strtolower($config['scope'])) {
  82       case "base":
  83         $this->ldap_query_one = 'ldap_read';
  84         $this->ldap_query_all = 'ldap_read';
  85         break;
  86       case "onelevel":
  87         $this->ldap_query_one = 'ldap_list';
  88         $this->ldap_query_all = 'ldap_search';
  89         break;
  90       default:
  91         $this->ldap_query_one = 'ldap_search';
  92         $this->ldap_query_all = 'ldap_search';
  93         break;
  94       }
  95
  96       //connect as root
  97       if (!ldap_bind($this->connect, (isset($config['bindDN']) ? $config['bindDN'] : null), (isset($config['passDN']) ? $config['passDN'] : null) ) ){
  98           $bindDN = isset($config['bindDN']) ? $config['bindDN'] : 'anonymous';
  99           $passDN = isset($config['passDN']) ? $config['passDN'] : 'anonymous';
 100           dbg_error_log( "LDAP", i18n('drivers_ldap : Failed to bind to host %1$s on port %2$s with bindDN of %3$s'), $host, $port, $bindDN );
 101           $c->messages[] = i18n( 'drivers_ldap : Unable to bind to LDAP - check your configuration for bindDN and passDN, and that your LDAP server is reachable');
 102           $this->valid=false;
 103           return ;
 104       }
 105       $this->valid = true;
 106       //root to start search
 107       $this->baseDNUsers  = is_string($config['baseDNUsers']) ? array($config['baseDNUsers']) : $config['baseDNUsers'];
 108       $this->filterUsers  = (isset($config['filterUsers'])  ? $config['filterUsers']  : null);
 109       $this->baseDNGroups = is_string($config['baseDNGroups']) ? array($config['baseDNGroups']) : $config['baseDNGroups'];
 110       $this->filterGroups = (isset($config['filterGroups']) ? $config['filterGroups'] : null);
 111   }
 112
 113   /**
 114   * Retrieve all users from the LDAP directory
 115   */
 116   function getAllUsers($attributes){
 117     global $c;
 118
 119     $query = $this->ldap_query_all;
 120
 121     foreach($this->baseDNUsers as $baseDNUsers) {
 122       $entry = $query($this->connect,$baseDNUsers,$this->filterUsers,$attributes);
 123
 124       if (!ldap_first_entry($this->connect,$entry)) {
 125         $c->messages[] = sprintf(translate('Error NoUserFound with filter >%s<, attributes >%s< , dn >%s<'),
 126                                  $this->filterUsers,
 127                                  join(', ', $attributes),
 128                                  $baseDNUsers);
 129       }
 130       $row = array();
 131       for($i = ldap_first_entry($this->connect,$entry);
 132           $i && $arr = ldap_get_attributes($this->connect,$i);
 133           $i = ldap_next_entry($this->connect,$i) ) {
 134         $row = array();
 135         for ($j=0; $j < $arr['count']; $j++) {
 136           $row[$arr[$j]] = $arr[$arr[$j]][0];
 137         }
 138         $ret[]=$row;
 139       }
 140     }
 141     return $ret;
 142   }
 143
 144   /**
 145   * Retrieve all groups from the LDAP directory
 146   */
 147   function getAllGroups($attributes){
 148     global $c;
 149
 150     $query = $this->ldap_query_all;
 151
 152     foreach($this->baseDNGroups as $baseDNGroups) {
 153       $entry = $query($this->connect,$baseDNGroups,$this->filterGroups,$attributes);
 154
 155       if (!ldap_first_entry($this->connect,$entry)) {
 156         $c->messages[] = sprintf(translate('Error NoGroupFound with filter >%s<, attributes >%s< , dn >%s<'),
 157                                  $this->filterGroups,
 158                                  join(', ', $attributes),
 159                                  $baseDNGroups);
 160       }
 161       $row = array();
 162       for($i = ldap_first_entry($this->connect,$entry);
 163           $i && $arr = ldap_get_attributes($this->connect,$i);
 164           $i = ldap_next_entry($this->connect,$i) ) {
 165         for ($j=0; $j < $arr['count']; $j++) {
 166           $row[$arr[$j]] = count($arr[$arr[$j]])>2?$arr[$arr[$j]]:$arr[$arr[$j]][0];
 167         }
 168         $ret[]=$row;
 169       }
 170     }
 171     return $ret;
 172   }
 173
 174   /**
 175     * Returns the result of the LDAP query
 176     *
 177     * @param string $filter The filter used to search entries
 178     * @param array $attributes Attributes to be returned
 179     * @param string $passwd password to check
 180     * @return array Contains selected attributes from all entries corresponding to the given filter
 181     */
 182   function requestUser( $filter, $attributes=NULL, $username, $passwd) {
 183     global $c;
 184
 185     $entry=NULL;
 186     // We get the DN of the USER
 187     $query = $this->ldap_query_one;
 188
 189     foreach($this->baseDNUsers as $baseDNUsers) {
 190       $entry = $query($this->connect, $baseDNUsers, $filter, $attributes);
 191
 192       if (ldap_first_entry($this->connect,$entry) )
 193         break;
 194
 195       dbg_error_log( "LDAP", "drivers_ldap : Failed to find user with baseDN: %s", $baseDNUsers );
 196     }
 197
 198     if ( !ldap_first_entry($this->connect, $entry) ){
 199       dbg_error_log( "ERROR", "drivers_ldap : Unable to find the user with filter %s",$filter );
 200       return false;
 201     } else {
 202       dbg_error_log( "LDAP", "drivers_ldap : Found a user using filter %s",$filter );
 203     }
 204
 205     $dnUser = ldap_get_dn($this->connect, ldap_first_entry($this->connect,$entry));
 206
 207     if ( isset($c->authenticate_hook['config']['i_use_mode_kerberos']) && $c->authenticate_hook['config']['i_use_mode_kerberos'] == "i_know_what_i_am_doing") {
 208       if (isset($_SERVER["REMOTE_USER"])) {
 209         dbg_error_log( "LOG", "drivers_ldap : Skipping password Check for user %s which should be the same as %s",$username , $_SERVER["REMOTE_USER"]);
 210         if ($username != $_SERVER["REMOTE_USER"]) {
 211           return false;
 212         }
 213       } else {
 214         dbg_error_log( "LOG", "drivers_ldap : Skipping password Check for user %s which should be the same as %s",$username , $_SERVER["REDIRECT_REMOTE_USER"]);
 215         if ($username != $_SERVER["REDIRECT_REMOTE_USER"]) {
 216           return false;
 217         }
 218       }
 219     }
 220     else if ( empty($passwd) || preg_match('/[\x00-\x19]/',$passwd) ) {
 221       // See http://www.php.net/manual/en/function.ldap-bind.php#73718 for more background
 222       dbg_error_log( 'LDAP', 'drivers_ldap : user %s supplied empty or invalid password: login rejected', $dnUser );
 223       return false;
 224     }
 225     else {
 226       if ( !@ldap_bind($this->connect, $dnUser, $passwd) ) {
 227         dbg_error_log( "LDAP", "drivers_ldap : Failed to bind to user %s ", $dnUser );
 228         return false;
 229       }
 230     }
 231
 232     dbg_error_log( "LDAP", "drivers_ldap : Bound to user %s using password %s", $dnUser,
 233           (isset($c->dbg['password']) && $c->dbg['password'] ? $passwd : 'another delicious password for the debugging monster!') );
 234
 235     $i = ldap_first_entry($this->connect,$entry);
 236     $arr = ldap_get_attributes($this->connect,$i);
 237     for( $i=0; $i<$arr['count']; $i++ ) {
 238       $ret[$arr[$i]]=$arr[$arr[$i]][0];
 239     }
 240     return $ret;
 241
 242   }
 243 }
 244
 245
 246 /**
 247 * A generic function to create and fetch static objects
 248 */
 249 function getStaticLdap() {
 250   global $c;
 251   // Declare a static variable to hold the object instance
 252   static $instance;
 253
 254   // If the instance is not there, create one
 255   if(!isset($instance)) {
 256     $ldapDrivers = new ldapDrivers($c->authenticate_hook['config']);
 257
 258     if ($ldapDrivers->valid) {
 259         $instance = $ldapDrivers
 260     }
 261   }
 262   else {
 263       $ldapDrivers = $instance
 264   }
 265   return $ldapDrivers;
 266 }
 267
 268
 269 /**
 270 * Synchronise a cached user with one from LDAP
 271 * @param object $principal A Principal object to be updated (or created)
 272 */
 273 function sync_user_from_LDAP( Principal &$principal, $mapping, $ldap_values ) {
 274   global $c;
 275
 276   dbg_error_log( "LDAP", "Going to sync the user from LDAP" );
 277
 278   $fields_to_set = array();
 279   $updateable_fields = Principal::updateableFields();
 280   foreach( $updateable_fields AS $field ) {
 281     if ( isset($mapping[$field]) ) {
 282       $tab_part_fields = explode(',',$mapping[$field]);
 283       foreach( $tab_part_fields as $part_field ) {
 284         if ( isset($ldap_values[$part_field]) ) {
 285           if (isset($fields_to_set[$field]) ) {
 286             $fields_to_set[$field] .= ' '.$ldap_values[$part_field];
 287           }
 288           else {
 289             $fields_to_set[$field] = $ldap_values[$part_field];
 290           }
 291         }
 292       }
 293       dbg_error_log( "LDAP", "Setting usr->%s to %s from LDAP field %s", $field, $fields_to_set[$field], $mapping[$field] );
 294     }
 295     else if ( isset($c->authenticate_hook['config']['default_value']) && is_array($c->authenticate_hook['config']['default_value'])
 296               && isset($c->authenticate_hook['config']['default_value'][$field] ) ) {
 297       $fields_to_set[$field] = $c->authenticate_hook['config']['default_value'][$field];
 298       dbg_error_log( "LDAP", "Setting usr->%s to %s from configured defaults", $field, $c->authenticate_hook['config']['default_value'][$field] );
 299     }
 300   }
 301
 302   if ( $principal->Exists() ) {
 303     $principal->Update($fields_to_set);
 304   }
 305   else {
 306     $principal->Create($fields_to_set);
 307     CreateHomeCollections($principal->username());
 308     CreateDefaultRelationships($principal->username());
 309   }
 310 }
 311
 312 /*
 313 * explode the multipart mapping
 314 */
 315 function array_values_mapping($mapping){
 316   $attributes=array();
 317   foreach ( $mapping as $field ) {
 318     $tab_part_field = explode(",",$field);
 319     foreach( $tab_part_field as $part_field ) {
 320       $attributes[] = $part_field;
 321     }
 322   }
 323   return $attributes;
 324 }
 325
 326 /**
 327 * Check the username / password against the LDAP server
 328 */
 329 function LDAP_check($username, $password ){
 330   global $c;
 331
 332   $ldapDriver = getStaticLdap();
 333   if ( !$ldapDriver->valid ) {
 334     sleep(1);  // Sleep very briefly to try and survive intermittent issues
 335     $ldapDriver = getStaticLdap();
 336     if ( !$ldapDriver->valid ) {
 337       dbg_error_log( "ERROR", "Couldn't contact LDAP server for authentication" );
 338       foreach($c->messages as $msg) {
 339           dbg_error_log( "ERROR", "-> ".$msg );
 340       }
 341       header( sprintf("HTTP/1.1 %d %s", 503, translate("Authentication server unavailable.")) );
 342       exit(0);
 343     }
 344   }
 345
 346   $mapping = $c->authenticate_hook['config']['mapping_field'];
 347   if ( isset($mapping['active']) && !isset($mapping['user_active']) ) {
 348     // Backward compatibility: now 'user_active'
 349     $mapping['user_active'] = $mapping['active'];
 350     unset($mapping['active']);
 351   }
 352   if ( isset($mapping['updated']) && !isset($mapping['modified']) ) {
 353     // Backward compatibility: now 'modified'
 354     $mapping['modified'] = $mapping['updated'];
 355     unset($mapping['updated']);
 356   }
 357   $attributes = array_values_mapping($mapping);
 358
 359   /**
 360   * If the config contains a filter that starts with a ( then believe
 361   * them and don't modify it, otherwise wrap the filter.
 362   */
 363   $filter_munge = "";
 364   if ( preg_match( '/^\(/', $ldapDriver->filterUsers ) ) {
 365     $filter_munge = $ldapDriver->filterUsers;
 366   }
 367   else if ( isset($ldapDriver->filterUsers) && $ldapDriver->filterUsers != '' ) {
 368     $filter_munge = "($ldapDriver->filterUsers)";
 369   }
 370
 371   $filter = "(&$filter_munge(".$mapping['username']."=$username))";
 372   $valid = $ldapDriver->requestUser( $filter, $attributes, $username, $password );
 373
 374   // is a valid user or not
 375   if ( !$valid ) {
 376     dbg_error_log( "LDAP", "user %s is not a valid user",$username );
 377     return false;
 378   }
 379
 380   $ldap_timestamp = $valid[$mapping['modified']];
 381
 382   /**
 383   * This splits the LDAP timestamp apart and assigns values to $Y $m $d $H $M and $S
 384   */
 385   foreach($c->authenticate_hook['config']['format_updated'] as $k => $v)
 386     $$k = substr($ldap_timestamp,$v[0],$v[1]);
 387
 388   $ldap_timestamp = "$Y"."$m"."$d"."$H"."$M"."$S";
 389   $valid[$mapping['modified']] = "$Y-$m-$d $H:$M:$S";
 390
 391   $principal = new Principal('username',$username);
 392   if ( $principal->Exists() ) {
 393     // should we update it ?
 394     $db_timestamp = $principal->modified;
 395     $db_timestamp = substr(strtr($db_timestamp, array(':' => '',' '=>'','-'=>'')),0,14);
 396     if( $ldap_timestamp <= $db_timestamp ) {
 397         return $principal; // no need to update
 398     }
 399     // we will need to update the user record
 400   }
 401   else {
 402     dbg_error_log( "LDAP", "user %s doesn't exist in local DB, we need to create it",$username );
 403   }
 404   $principal->setUsername($username);
 405
 406   // The local cached user doesn't exist, or is older, so we create/update their details
 407   sync_user_from_LDAP( $principal, $mapping, $valid );
 408
 409   return $principal;
 410
 411 }
 412
 413 /**
 414 * sync LDAP Groups against the DB
 415 */
 416 function sync_LDAP_groups(){
 417   global $c;
 418   $ldapDriver = getStaticLdap();
 419   if ( ! $ldapDriver->valid ) return;
 420
 421   $mapping = $c->authenticate_hook['config']['group_mapping_field'];
 422   //$attributes = array('cn','modifyTimestamp','memberUid');
 423   $attributes = array_values_mapping($mapping);
 424   $ldap_groups_tmp = $ldapDriver->getAllGroups($attributes);
 425
 426   if ( sizeof($ldap_groups_tmp) == 0 ) return;
 427
 428   $member_field = $mapping['members'];
 429
 430   foreach($ldap_groups_tmp as $key => $ldap_group){
 431     $group_mapping = $ldap_group[$mapping['username']];
 432     $ldap_groups_info[$group_mapping] = $ldap_group;
 433     if ( is_array($ldap_groups_info[$group_mapping][$member_field]) ) {
 434       unset( $ldap_groups_info[$group_mapping][$member_field]['count'] );
 435     }
 436     else {
 437       $ldap_groups_info[$group_mapping][$member_field] = array($ldap_groups_info[$group_mapping][$member_field]);
 438     }
 439     unset($ldap_groups_tmp[$key]);
 440   }
 441   $db_groups = array();
 442   $db_group_members = array();
 443   $qry = new AwlQuery( "SELECT g.username AS group_name, member.username AS member_name FROM dav_principal g LEFT JOIN group_member ON (g.principal_id=group_member.group_id) LEFT JOIN dav_principal member  ON (member.principal_id=group_member.member_id) WHERE g.type_id = 3");
 444   $qry->Exec('sync_LDAP',__LINE__,__FILE__);
 445   while($db_group = $qry->Fetch()) {
 446     $db_groups[$db_group->group_name] = $db_group->group_name;
 447     $db_group_members[$db_group->group_name][] = $db_group->member_name;
 448   }
 449
 450   $ldap_groups = array_keys($ldap_groups_info);
 451   // users only in ldap
 452   $groups_to_create = array_diff($ldap_groups,$db_groups);
 453   // users only in db
 454   $groups_to_deactivate = array_diff($db_groups,$ldap_groups);
 455   // users present in ldap and in the db
 456   $groups_to_update = array_intersect($db_groups,$ldap_groups);
 457
 458   if ( sizeof ( $groups_to_create ) ){
 459     $c->messages[] = sprintf(i18n('- creating groups : %s'),join(', ',$groups_to_create));
 460     $validUserFields = get_fields('usr');
 461     foreach ( $groups_to_create as $k => $group ){
 462       $user = (object) array();
 463
 464       if ( isset($c->authenticate_hook['config']['default_value']) && is_array($c->authenticate_hook['config']['default_value']) ) {
 465         foreach ( $c->authenticate_hook['config']['default_value'] as $field => $value ) {
 466           if ( isset($validUserFields[$field]) ) {
 467             $user->{$field} =  $value;
 468             dbg_error_log( "LDAP", "Setting usr->%s to %s from configured defaults", $field, $value );
 469           }
 470         }
 471       }
 472       $user->user_no = 0;
 473       $ldap_values = $ldap_groups_info[$group];
 474       foreach ( $mapping as $field => $value ) {
 475         dbg_error_log( "LDAP", "Considering copying %s", $field );
 476         if ( isset($validUserFields[$field]) ) {
 477           $user->{$field} =  $ldap_values[$value];
 478           dbg_error_log( "LDAP", "Setting usr->%s to %s from LDAP field %s", $field, $ldap_values[$value], $value );
 479         }
 480       }
 481       if ($user->fullname=="") {
 482         $user->fullname = $group;
 483       }
 484       if ($user->displayname=="") {
 485         $user->displayname = $group;
 486       }
 487       $user->username = $group;
 488       $user->updated = "now";  /** @todo Use the 'updated' timestamp from LDAP for groups too */
 489
 490       $principal = new Principal('username',$group);
 491       if ( $principal->Exists() ) {
 492         $principal->Update($user);
 493       }
 494       else {
 495         $principal->Create($user);
 496       }
 497
 498       $qry = new AwlQuery( "UPDATE dav_principal set type_id = 3 WHERE username=:group ",array(':group'=>$group) );
 499       $qry->Exec('sync_LDAP',__LINE__,__FILE__);
 500       Principal::cacheDelete('username', $group);
 501       $c->messages[] = sprintf(i18n('- adding users %s to group : %s'),join(',',$ldap_groups_info[$group][$mapping['members']]),$group);
 502       foreach ( $ldap_groups_info[$group][$mapping['members']] as $member ){
 503         $qry = new AwlQuery( "INSERT INTO group_member SELECT g.principal_id AS group_id,u.principal_id AS member_id FROM dav_principal g, dav_principal u WHERE g.username=:group AND u.username=:member;",array (':group'=>$group,':member'=>$member) );
 504         $qry->Exec('sync_LDAP_groups',__LINE__,__FILE__);
 505         Principal::cacheDelete('username', $member);
 506       }
 507     }
 508   }
 509
 510   if ( sizeof ( $groups_to_update ) ){
 511     $c->messages[] = sprintf(i18n('- updating groups : %s'),join(', ',$groups_to_update));
 512     foreach ( $groups_to_update as $group ){
 513       $db_members = array_values ( $db_group_members[$group] );
 514       $ldap_members = array_values ( $ldap_groups_info[$group][$member_field] );
 515       $add_users = array_diff ( $ldap_members, $db_members );
 516       if ( sizeof ( $add_users ) ){
 517         $c->messages[] = sprintf(i18n('- adding %s to group : %s'),join(', ', $add_users ), $group);
 518         foreach ( $add_users as $member ){
 519           $qry = new AwlQuery( "INSERT INTO group_member SELECT g.principal_id AS group_id,u.principal_id AS member_id FROM dav_principal g, dav_principal u WHERE g.username=:group AND u.username=:member",array (':group'=>$group,':member'=>$member) );
 520           $qry->Exec('sync_LDAP_groups',__LINE__,__FILE__);
 521           Principal::cacheDelete('username', $member);
 522         }
 523       }
 524       $remove_users = @array_flip( @array_flip( array_diff( $db_members, $ldap_members ) ));
 525       if ( sizeof ( $remove_users ) ){
 526         $c->messages[] = sprintf(i18n('- removing %s from group : %s'),join(', ', $remove_users ), $group);
 527         foreach ( $remove_users as $member ){
 528           $qry = new AwlQuery( "DELETE FROM group_member USING dav_principal g,dav_principal m WHERE group_id=g.principal_id AND member_id=m.principal_id AND g.username=:group AND m.username=:member",array (':group'=>$group,':member'=>$member) );
 529           $qry->Exec('sync_LDAP_groups',__LINE__,__FILE__);
 530           Principal::cacheDelete('username', $member);
 531         }
 532       }
 533     }
 534   }
 535
 536   if ( sizeof ( $groups_to_deactivate ) ){
 537     $c->messages[] = sprintf(i18n('- deactivate groups : %s'),join(', ',$groups_to_deactivate));
 538     foreach ( $groups_to_deactivate as $group ){
 539       $qry = new AwlQuery( 'UPDATE dav_principal SET user_active=FALSE WHERE username=:group AND type_id = 3',array(':group'=>$group) );
 540       $qry->Exec('sync_LDAP',__LINE__,__FILE__);
 541       Principal::cacheFlush('username=:group AND type_id = 3', array(':group'=>$group) );
 542     }
 543   }
 544
 545 }
 546
 547 /**
 548 * sync LDAP against the DB
 549 */
 550 function sync_LDAP(){
 551   global $c;
 552   $ldapDriver = getStaticLdap();
 553   if ( ! $ldapDriver->valid ) return;
 554
 555   $mapping = $c->authenticate_hook['config']['mapping_field'];
 556   $attributes = array_values_mapping($mapping);
 557   $ldap_users_tmp = $ldapDriver->getAllUsers($attributes);
 558
 559   if ( sizeof($ldap_users_tmp) == 0 ) return;
 560
 561   foreach($ldap_users_tmp as $key => $ldap_user){
 562     $ldap_users_info[$ldap_user[$mapping['username']]] = $ldap_user;
 563     unset($ldap_users_tmp[$key]);
 564   }
 565   $qry = new AwlQuery( "SELECT username, user_no, modified as updated FROM dav_principal where type_id=1");
 566   $qry->Exec('sync_LDAP',__LINE__,__FILE__);
 567   while($db_user = $qry->Fetch()) {
 568     $db_users[] = $db_user->username;
 569     $db_users_info[$db_user->username] = array('user_no' => $db_user->user_no, 'updated' => $db_user->updated);
 570   }
 571
 572   // all users from ldap
 573   $ldap_users = array_keys($ldap_users_info);
 574   // users only in ldap
 575   $users_to_create = array_diff($ldap_users,$db_users);
 576   // users only in db
 577   $users_to_deactivate = array_diff($db_users,$ldap_users);
 578   // users present in ldap and in the db
 579   $users_to_update = array_intersect($db_users,$ldap_users);
 580
 581   // creation of all users;
 582   if ( sizeof($users_to_create) ) {
 583     $c->messages[] = sprintf(i18n('- creating record for users :  %s'),join(', ',$users_to_create));
 584
 585     foreach( $users_to_create as $username ) {
 586       $principal = new Principal( 'username', $username );
 587       $valid = $ldap_users_info[$username];
 588       $ldap_timestamp = $valid[$mapping['modified']];
 589
 590       if ( !empty($c->authenticate_hook['config']['format_updated']) ) {
 591         /**
 592         * This splits the LDAP timestamp apart and assigns values to $Y $m $d $H $M and $S
 593         */
 594         foreach($c->authenticate_hook['config']['format_updated'] as $k => $v)
 595             $$k = substr($ldap_timestamp,$v[0],$v[1]);
 596         $ldap_timestamp = $Y.$m.$d.$H.$M.$S;
 597       }
 598       else if ( preg_match('{^(\d{8})(\d{6})(Z)?$', $ldap_timestamp, $matches ) ) {
 599         $ldap_timestamp = $matches[1].'T'.$matches[2].$matches[3];
 600       }
 601       else if ( empty($ldap_timestamp) ) {
 602         $ldap_timestamp = date('c');
 603       }
 604       $valid[$mapping['modified']] = $ldap_timestamp;
 605
 606       sync_user_from_LDAP( $principal, $mapping, $valid );
 607     }
 608   }
 609
 610   // deactivating all users
 611   $params = array();
 612   $i = 0;
 613   $paramstring = '';
 614   foreach( $users_to_deactivate AS $v ) {
 615     if ( isset($c->do_not_sync_from_ldap) && isset($c->do_not_sync_from_ldap[$v]) ) continue;
 616     if ( $i > 0 ) $paramstring .= ',';
 617     $paramstring .= ':u'.$i.'::text';
 618     $params[':u'.$i++] = strtolower($v);
 619   }
 620   if ( count($params) > 0 ) {
 621     $c->messages[] = sprintf(i18n('- deactivating users : %s'),join(', ',$users_to_deactivate));
 622     $qry = new AwlQuery( 'UPDATE usr SET active = FALSE WHERE lower(username) IN ('.$paramstring.')', $params);
 623     $qry->Exec('sync_LDAP',__LINE__,__FILE__);
 624
 625     Principal::cacheFlush('lower(username) IN ('.$paramstring.')', $params);
 626   }
 627
 628   // updating all users
 629   if ( sizeof($users_to_update) ) {
 630     foreach ( $users_to_update as $key=> $username ) {
 631       $principal = new Principal( 'username', $username );
 632       $valid=$ldap_users_info[$username];
 633       $ldap_timestamp = $valid[$mapping['modified']];
 634
 635       $valid['user_no'] = $db_users_info[$username]['user_no'];
 636       $mapping['user_no'] = 'user_no';
 637
 638       /**
 639       * This splits the LDAP timestamp apart and assigns values to $Y $m $d $H $M and $S
 640       */
 641       foreach($c->authenticate_hook['config']['format_updated'] as $k => $v) {
 642         $$k = substr($ldap_timestamp,$v[0],$v[1]);
 643       }
 644       $ldap_timestamp = $Y.$m.$d.$H.$M.$S;
 645       $valid[$mapping['modified']] = "$Y-$m-$d $H:$M:$S";
 646
 647       $db_timestamp = substr(strtr($db_users_info[$username]['updated'], array(':' => '',' '=>'','-'=>'')),0,14);
 648       if ( $ldap_timestamp > $db_timestamp ) {
 649         sync_user_from_LDAP($principal, $mapping, $valid );
 650       }
 651       else {
 652         unset($users_to_update[$key]);
 653         $users_nothing_done[] = $username;
 654       }
 655     }
 656     if ( sizeof($users_to_update) )
 657       $c->messages[] = sprintf(i18n('- updating user records : %s'),join(', ',$users_to_update));
 658     if ( sizeof($users_nothing_done) )
 659       $c->messages[] = sprintf(i18n('- nothing done on : %s'),join(', ', $users_nothing_done));
 660   }
 661
 662   $admins = 0;
 663   $qry = new AwlQuery( "SELECT count(*) AS admins FROM usr JOIN role_member USING ( user_no ) JOIN roles USING (role_no) WHERE usr.active=TRUE AND role_name='Admin'");
 664   $qry->Exec('sync_LDAP',__LINE__,__FILE__);
 665   while ( $db_user = $qry->Fetch() ) {
 666     $admins = $db_user->admins;
 667   }
 668   if ( $admins == 0 ) {
 669     $c->messages[] = sprintf(i18n('Warning: there are no active admin users! You should fix this before logging out.  Consider using the $c->do_not_sync_from_ldap configuration setting.'));
 670   }
 671 }