inc/drivers_ldap.php

   1 <?php
   2 /**
   3 * Manages LDAP repository connection
   4 *
   5 * @package   davical
   6 * @category Technical
   7 * @subpackage   ldap
   8 * @author    Maxime Delorme <mdelorme@tennaxia.net>,
   9 *                Andrew McMillan <andrew@mcmillan.net.nz>
  10 * @copyright Maxime Delorme
  11 * @license   http://gnu.org/copyleft/gpl.html GNU GPL v2 or later
  12 */
  13
  14 require_once("auth-functions.php");
  15
  16 class ldapDrivers
  17 {
  18   /**#@+
  19   * @access private
  20   */
  21
  22   /**
  23   * Holds the LDAP connection parameters
  24   */
  25   var $connect;
  26
  27   /**#@-*/
  28
  29
  30   /**
  31   * Initializes the LDAP connection
  32   *
  33   * @param array $config The configuration data
  34   */
  35   function __construct($config)
  36   {
  37       global $c;
  38       $host=$config['host'];
  39       $port=$config['port'];
  40       if(!function_exists('ldap_connect')){
  41           $c->messages[] = i18n("drivers_ldap : function ldap_connect not defined, check your php_ldap module");
  42           $this->valid=false;
  43           return ;
  44       }
  45
  46       //Set LDAP protocol version
  47       if (isset($config['protocolVersion']))
  48           ldap_set_option($this->connect, LDAP_OPT_PROTOCOL_VERSION, $config['protocolVersion']);
  49       if (isset($config['optReferrals']))
  50           ldap_set_option($this->connect, LDAP_OPT_REFERRALS, $config['optReferrals']);
  51
  52       if ($port)
  53           $this->connect=ldap_connect($host, $port);
  54       else
  55           $this->connect=ldap_connect($host);
  56
  57       if (! $this->connect){
  58           $c->messages[] = sprintf(translate( 'drivers_ldap : Unable to connect to LDAP with port %s on host %s'), $port, $host );
  59           $this->valid=false;
  60           return ;
  61       }
  62
  63       dbg_error_log( "LDAP", "drivers_ldap : Connected to LDAP server %s",$host );
  64
  65       // Start TLS if desired (requires protocol version 3)
  66       if (isset($config['startTLS'])) {
  67         if (!ldap_set_option($this->connect, LDAP_OPT_PROTOCOL_VERSION, 3)) {
  68           $c->messages[] = i18n('drivers_ldap : Failed to set LDAP to use protocol version 3, TLS not supported');
  69           $this->valid=false;
  70           return;
  71         }
  72         if (!ldap_start_tls($this->connect)) {
  73           $c->messages[] = i18n('drivers_ldap : Could not start TLS: ldap_start_tls() failed');
  74           $this->valid=false;
  75           return;
  76         }
  77       }
  78
  79       //Set the search scope to be used, default to subtree.  This sets the functions to be called later.
  80       if (!isset($config['scope'])) $config['scope'] = 'subtree';
  81       switch (strtolower($config['scope'])) {
  82       case "base":
  83         $this->ldap_query_one = 'ldap_read';
  84         $this->ldap_query_all = 'ldap_read';
  85         break;
  86       case "onelevel":
  87         $this->ldap_query_one = 'ldap_list';
  88         $this->ldap_query_all = 'ldap_search';
  89         break;
  90       default:
  91         $this->ldap_query_one = 'ldap_search';
  92         $this->ldap_query_all = 'ldap_search';
  93         break;
  94       }
  95
  96       //connect as root
  97       if (!ldap_bind($this->connect, (isset($config['bindDN']) ? $config['bindDN'] : null), (isset($config['passDN']) ? $config['passDN'] : null) ) ){
  98           $bindDN = isset($config['bindDN']) ? $config['bindDN'] : 'anonymous';
  99           $passDN = isset($config['passDN']) ? $config['passDN'] : 'anonymous';
 100           dbg_error_log( "LDAP", i18n('drivers_ldap : Failed to bind to host %1$s on port %2$s with bindDN of %3$s'), $host, $port, $bindDN );
 101           $c->messages[] = i18n( 'drivers_ldap : Unable to bind to LDAP - check your configuration for bindDN and passDN, and that your LDAP server is reachable');
 102           $this->valid=false;
 103           return ;
 104       }
 105       $this->valid = true;
 106       //root to start search
 107       $this->baseDNUsers  = is_string($config['baseDNUsers']) ? array($config['baseDNUsers']) : $config['baseDNUsers'];
 108       $this->filterUsers  = (isset($config['filterUsers'])  ? $config['filterUsers']  : null);
 109       $this->baseDNGroups = is_string($config['baseDNGroups']) ? array($config['baseDNGroups']) : $config['baseDNGroups'];
 110       $this->filterGroups = (isset($config['filterGroups']) ? $config['filterGroups'] : null);
 111   }
 112
 113   /**
 114   * Retrieve all users from the LDAP directory
 115   */
 116   function getAllUsers($attributes){
 117     global $c;
 118
 119     $query = $this->ldap_query_all;
 120
 121     foreach($this->baseDNUsers as $baseDNUsers) {
 122       $entry = $query($this->connect,$baseDNUsers,$this->filterUsers,$attributes);
 123
 124       if (!ldap_first_entry($this->connect,$entry)) {
 125         $c->messages[] = sprintf(translate('Error NoUserFound with filter >%s<, attributes >%s< , dn >%s<'),
 126                                  $this->filterUsers,
 127                                  join(', ', $attributes),
 128                                  $baseDNUsers);
 129       }
 130       $row = array();
 131       for($i = ldap_first_entry($this->connect,$entry);
 132           $i && $arr = ldap_get_attributes($this->connect,$i);
 133           $i = ldap_next_entry($this->connect,$i) ) {
 134         $row = array();
 135         for ($j=0; $j < $arr['count']; $j++) {
 136           $row[$arr[$j]] = $arr[$arr[$j]][0];
 137         }
 138         $ret[]=$row;
 139       }
 140     }
 141     return $ret;
 142   }
 143
 144   /**
 145   * Retrieve all groups from the LDAP directory
 146   */
 147   function getAllGroups($attributes){
 148     global $c;
 149
 150     $query = $this->ldap_query_all;
 151
 152     foreach($this->baseDNGroups as $baseDNGroups) {
 153       $entry = $query($this->connect,$baseDNGroups,$this->filterGroups,$attributes);
 154
 155       if (!ldap_first_entry($this->connect,$entry)) {
 156         $c->messages[] = sprintf(translate('Error NoGroupFound with filter >%s<, attributes >%s< , dn >%s<'),
 157                                  $this->filterGroups,
 158                                  join(', ', $attributes),
 159                                  $baseDNGroups);
 160       }
 161       $row = array();
 162       for($i = ldap_first_entry($this->connect,$entry);
 163           $i && $arr = ldap_get_attributes($this->connect,$i);
 164           $i = ldap_next_entry($this->connect,$i) ) {
 165         for ($j=0; $j < $arr['count']; $j++) {
 166           $row[$arr[$j]] = count($arr[$arr[$j]])>2?$arr[$arr[$j]]:$arr[$arr[$j]][0];
 167         }
 168         $ret[]=$row;
 169       }
 170     }
 171     return $ret;
 172   }
 173
 174   /**
 175     * Returns the result of the LDAP query
 176     *
 177     * @param string $filter The filter used to search entries
 178     * @param array $attributes Attributes to be returned
 179     * @param string $passwd password to check
 180     * @return array Contains selected attributes from all entries corresponding to the given filter
 181     */
 182   function requestUser( $filter, $attributes=NULL, $username, $passwd) {
 183     global $c;
 184
 185     $entry=NULL;
 186     // We get the DN of the USER
 187     $query = $this->ldap_query_one;
 188
 189     foreach($this->baseDNUsers as $baseDNUsers) {
 190       $entry = $query($this->connect, $baseDNUsers, $filter, $attributes);
 191
 192       if (ldap_first_entry($this->connect,$entry) )
 193         break;
 194
 195       dbg_error_log( "LDAP", "drivers_ldap : Failed to find user with baseDN: %s", $baseDNUsers );
 196     }
 197
 198     if ( !ldap_first_entry($this->connect, $entry) ){
 199       dbg_error_log( "ERROR", "drivers_ldap : Unable to find the user with filter %s",$filter );
 200       return false;
 201     } else {
 202       dbg_error_log( "LDAP", "drivers_ldap : Found a user using filter %s",$filter );
 203     }
 204
 205     $dnUser = ldap_get_dn($this->connect, ldap_first_entry($this->connect,$entry));
 206
 207     if ( isset($c->authenticate_hook['config']['i_use_mode_kerberos']) && $c->authenticate_hook['config']['i_use_mode_kerberos'] == "i_know_what_i_am_doing") {
 208         dbg_error_log( "LDAP", "drivers_ldap : Skipping password Check for user %s which should be the same as %s",$username , $_SERVER["REMOTE_USER"]);
 209       if ($username != $_SERVER["REMOTE_USER"]) {
 210         return false;
 211       }
 212     }
 213     else if ( empty($passwd) || preg_match('/[\x00-\x19]/',$passwd) ) {
 214       // See http://www.php.net/manual/en/function.ldap-bind.php#73718 for more background
 215       dbg_error_log( 'LDAP', 'drivers_ldap : user %s supplied empty or invalid password: login rejected', $dnUser );
 216       return false;
 217     }
 218     else {
 219       if ( !@ldap_bind($this->connect, $dnUser, $passwd) ) {
 220         dbg_error_log( "LDAP", "drivers_ldap : Failed to bind to user %s ", $dnUser );
 221         return false;
 222       }
 223     }
 224
 225     dbg_error_log( "LDAP", "drivers_ldap : Bound to user %s using password %s", $dnUser,
 226           (isset($c->dbg['password']) && $c->dbg['password'] ? $passwd : 'another delicious password for the debugging monster!') );
 227
 228     $i = ldap_first_entry($this->connect,$entry);
 229     $arr = ldap_get_attributes($this->connect,$i);
 230     for( $i=0; $i<$arr['count']; $i++ ) {
 231       $ret[$arr[$i]]=$arr[$arr[$i]][0];
 232     }
 233     return $ret;
 234
 235   }
 236 }
 237
 238
 239 /**
 240 * A generic function to create and fetch static objects
 241 */
 242 function getStaticLdap() {
 243   global $c;
 244   // Declare a static variable to hold the object instance
 245   static $instance;
 246
 247   // If the instance is not there, create one
 248   if(!isset($instance)) {
 249     $ldapDrivers = new ldapDrivers($c->authenticate_hook['config']);
 250   }
 251   return $ldapDrivers;
 252 }
 253
 254
 255 /**
 256 * Synchronise a cached user with one from LDAP
 257 * @param object $principal A Principal object to be updated (or created)
 258 */
 259 function sync_user_from_LDAP( Principal &$principal, $mapping, $ldap_values ) {
 260   global $c;
 261
 262   dbg_error_log( "LDAP", "Going to sync the user from LDAP" );
 263
 264   $fields_to_set = array();
 265   $updateable_fields = Principal::updateableFields();
 266   foreach( $updateable_fields AS $field ) {
 267     if ( isset($mapping[$field]) && isset($ldap_values[$mapping[$field]]) ) {
 268       $fields_to_set[$field] = $ldap_values[$mapping[$field]];
 269       dbg_error_log( "LDAP", "Setting usr->%s to %s from LDAP field %s", $field, $ldap_values[$mapping[$field]], $mapping[$field] );
 270     }
 271     else if ( isset($c->authenticate_hook['config']['default_value']) && is_array($c->authenticate_hook['config']['default_value'])
 272               && isset($c->authenticate_hook['config']['default_value'][$field] ) ) {
 273       $fields_to_set[$field] = $c->authenticate_hook['config']['default_value'][$field];
 274       dbg_error_log( "LDAP", "Setting usr->%s to %s from configured defaults", $field, $c->authenticate_hook['config']['default_value'][$field] );
 275     }
 276   }
 277
 278   if ( $principal->Exists() ) {
 279     $principal->Update($fields_to_set);
 280   }
 281   else {
 282     $principal->Create($fields_to_set);
 283     CreateHomeCollections($principal->username());
 284     CreateDefaultRelationships($principal->username());
 285   }
 286 }
 287
 288
 289 /**
 290 * Check the username / password against the LDAP server
 291 */
 292 function LDAP_check($username, $password ){
 293   global $c;
 294
 295   $ldapDriver = getStaticLdap();
 296   if ( !$ldapDriver->valid ) {
 297     dbg_error_log( "ERROR", "Couldn't contact LDAP server for authentication" );
 298     return false;
 299   }
 300
 301   $mapping = $c->authenticate_hook['config']['mapping_field'];
 302   if ( isset($mapping['active']) && !isset($mapping['user_active']) ) {
 303     // Backward compatibility: now 'user_active'
 304     $mapping['user_active'] = $mapping['active'];
 305     unset($mapping['active']);
 306   }
 307   if ( isset($mapping['updated']) && !isset($mapping['modified']) ) {
 308     // Backward compatibility: now 'modified'
 309     $mapping['modified'] = $mapping['updated'];
 310     unset($mapping['updated']);
 311   }
 312   $attributes = array_values($mapping);
 313
 314   /**
 315   * If the config contains a filter that starts with a ( then believe
 316   * them and don't modify it, otherwise wrap the filter.
 317   */
 318   $filter_munge = "";
 319   if ( preg_match( '/^\(/', $ldapDriver->filterUsers ) ) {
 320     $filter_munge = $ldapDriver->filterUsers;
 321   }
 322   else if ( isset($ldapDriver->filterUsers) && $ldapDriver->filterUsers != '' ) {
 323     $filter_munge = "($ldapDriver->filterUsers)";
 324   }
 325
 326   $filter = "(&$filter_munge(".$mapping['username']."=$username))";
 327   $valid = $ldapDriver->requestUser( $filter, $attributes, $username, $password );
 328
 329   // is a valid user or not
 330   if ( !$valid ) {
 331     dbg_error_log( "LDAP", "user %s is not a valid user",$username );
 332     return false;
 333   }
 334
 335   $ldap_timestamp = $valid[$mapping['modified']];
 336
 337   /**
 338   * This splits the LDAP timestamp apart and assigns values to $Y $m $d $H $M and $S
 339   */
 340   foreach($c->authenticate_hook['config']['format_updated'] as $k => $v)
 341     $$k = substr($ldap_timestamp,$v[0],$v[1]);
 342
 343   $ldap_timestamp = "$Y"."$m"."$d"."$H"."$M"."$S";
 344   $valid[$mapping['modified']] = "$Y-$m-$d $H:$M:$S";
 345
 346   $principal = new Principal('username',$username);
 347   if ( $principal->Exists() ) {
 348     // should we update it ?
 349     $db_timestamp = $principal->modified;
 350     $db_timestamp = substr(strtr($db_timestamp, array(':' => '',' '=>'','-'=>'')),0,14);
 351     if( $ldap_timestamp <= $db_timestamp ) {
 352         return $principal; // no need to update
 353     }
 354     // we will need to update the user record
 355   }
 356   else {
 357     dbg_error_log( "LDAP", "user %s doesn't exist in local DB, we need to create it",$username );
 358   }
 359   $principal->setUsername($username);
 360
 361   // The local cached user doesn't exist, or is older, so we create/update their details
 362   sync_user_from_LDAP( $principal, $mapping, $valid );
 363
 364   return $principal;
 365
 366 }
 367
 368 /**
 369 * sync LDAP Groups against the DB
 370 */
 371 function sync_LDAP_groups(){
 372   global $c;
 373   $ldapDriver = getStaticLdap();
 374   if ( ! $ldapDriver->valid ) return;
 375
 376   $mapping = $c->authenticate_hook['config']['group_mapping_field'];
 377   //$attributes = array('cn','modifyTimestamp','memberUid');
 378   $attributes = array_values($mapping);
 379   $ldap_groups_tmp = $ldapDriver->getAllGroups($attributes);
 380
 381   if ( sizeof($ldap_groups_tmp) == 0 ) return;
 382
 383   $member_field = $mapping['members'];
 384
 385   foreach($ldap_groups_tmp as $key => $ldap_group){
 386     $group_mapping = $ldap_group[$mapping['username']];
 387     $ldap_groups_info[$group_mapping] = $ldap_group;
 388     if ( is_array($ldap_groups_info[$group_mapping][$member_field]) ) {
 389       unset( $ldap_groups_info[$group_mapping][$member_field]['count'] );
 390     }
 391     else {
 392       $ldap_groups_info[$group_mapping][$member_field] = array($ldap_groups_info[$group_mapping][$member_field]);
 393     }
 394     unset($ldap_groups_tmp[$key]);
 395   }
 396   $db_groups = array();
 397   $db_group_members = array();
 398   $qry = new AwlQuery( "SELECT g.username AS group_name, member.username AS member_name FROM dav_principal g LEFT JOIN group_member ON (g.principal_id=group_member.group_id) LEFT JOIN dav_principal member  ON (member.principal_id=group_member.member_id) WHERE g.type_id = 3");
 399   $qry->Exec('sync_LDAP',__LINE__,__FILE__);
 400   while($db_group = $qry->Fetch()) {
 401     $db_groups[$db_group->group_name] = $db_group->group_name;
 402     $db_group_members[$db_group->group_name][] = $db_group->member_name;
 403   }
 404
 405   $ldap_groups = array_keys($ldap_groups_info);
 406   // users only in ldap
 407   $groups_to_create = array_diff($ldap_groups,$db_groups);
 408   // users only in db
 409   $groups_to_deactivate = array_diff($db_groups,$ldap_groups);
 410   // users present in ldap and in the db
 411   $groups_to_update = array_intersect($db_groups,$ldap_groups);
 412
 413   if ( sizeof ( $groups_to_create ) ){
 414     $c->messages[] = sprintf(i18n('- creating groups : %s'),join(', ',$groups_to_create));
 415     $validUserFields = get_fields('usr');
 416     foreach ( $groups_to_create as $k => $group ){
 417       $user = (object) array();
 418
 419       if ( isset($c->authenticate_hook['config']['default_value']) && is_array($c->authenticate_hook['config']['default_value']) ) {
 420         foreach ( $c->authenticate_hook['config']['default_value'] as $field => $value ) {
 421           if ( isset($validUserFields[$field]) ) {
 422             $user->{$field} =  $value;
 423             dbg_error_log( "LDAP", "Setting usr->%s to %s from configured defaults", $field, $value );
 424           }
 425         }
 426       }
 427       $user->user_no = 0;
 428       $ldap_values = $ldap_groups_info[$group];
 429       foreach ( $mapping as $field => $value ) {
 430         dbg_error_log( "LDAP", "Considering copying %s", $field );
 431         if ( isset($validUserFields[$field]) ) {
 432           $user->{$field} =  $ldap_values[$value];
 433           dbg_error_log( "LDAP", "Setting usr->%s to %s from LDAP field %s", $field, $ldap_values[$value], $value );
 434         }
 435       }
 436       if ($user->fullname=="") {
 437         $user->fullname = $group;
 438       }
 439       if ($user->displayname=="") {
 440         $user->displayname = $group;
 441       }
 442       $user->username = $group;
 443       $user->updated = "now";  /** @todo Use the 'updated' timestamp from LDAP for groups too */
 444
 445       $principal = new Principal('username',$group);
 446       if ( $principal->Exists() ) {
 447         $principal->Update($user);
 448       }
 449       else {
 450         $principal->Create($user);
 451       }
 452
 453       $qry = new AwlQuery( "UPDATE dav_principal set type_id = 3 WHERE username=:group ",array(':group'=>$group) );
 454       $qry->Exec('sync_LDAP',__LINE__,__FILE__);
 455       Principal::cacheDelete('username', $group);
 456       $c->messages[] = sprintf(i18n('- adding users %s to group : %s'),join(',',$ldap_groups_info[$group][$mapping['members']]),$group);
 457       foreach ( $ldap_groups_info[$group][$mapping['members']] as $member ){
 458         $qry = new AwlQuery( "INSERT INTO group_member SELECT g.principal_id AS group_id,u.principal_id AS member_id FROM dav_principal g, dav_principal u WHERE g.username=:group AND u.username=:member;",array (':group'=>$group,':member'=>$member) );
 459         $qry->Exec('sync_LDAP_groups',__LINE__,__FILE__);
 460         Principal::cacheDelete('username', $member);
 461       }
 462     }
 463   }
 464
 465   if ( sizeof ( $groups_to_update ) ){
 466     $c->messages[] = sprintf(i18n('- updating groups : %s'),join(', ',$groups_to_update));
 467     foreach ( $groups_to_update as $group ){
 468       $db_members = array_values ( $db_group_members[$group] );
 469       $ldap_members = array_values ( $ldap_groups_info[$group][$member_field] );
 470       $add_users = array_diff ( $ldap_members, $db_members );
 471       if ( sizeof ( $add_users ) ){
 472         $c->messages[] = sprintf(i18n('- adding %s to group : %s'),join(', ', $add_users ), $group);
 473         foreach ( $add_users as $member ){
 474           $qry = new AwlQuery( "INSERT INTO group_member SELECT g.principal_id AS group_id,u.principal_id AS member_id FROM dav_principal g, dav_principal u WHERE g.username=:group AND u.username=:member",array (':group'=>$group,':member'=>$member) );
 475           $qry->Exec('sync_LDAP_groups',__LINE__,__FILE__);
 476           Principal::cacheDelete('username', $member);
 477         }
 478       }
 479       $remove_users = @array_flip( @array_flip( array_diff( $db_members, $ldap_members ) ));
 480       if ( sizeof ( $remove_users ) ){
 481         $c->messages[] = sprintf(i18n('- removing %s from group : %s'),join(', ', $remove_users ), $group);
 482         foreach ( $remove_users as $member ){
 483           $qry = new AwlQuery( "DELETE FROM group_member USING dav_principal g,dav_principal m WHERE group_id=g.principal_id AND member_id=m.principal_id AND g.username=:group AND m.username=:member",array (':group'=>$group,':member'=>$member) );
 484           $qry->Exec('sync_LDAP_groups',__LINE__,__FILE__);
 485           Principal::cacheDelete('username', $member);
 486         }
 487       }
 488     }
 489   }
 490
 491   if ( sizeof ( $groups_to_deactivate ) ){
 492     $c->messages[] = sprintf(i18n('- deactivate groups : %s'),join(', ',$groups_to_deactivate));
 493     foreach ( $groups_to_deactivate as $group ){
 494       $qry = new AwlQuery( 'UPDATE dav_principal set active=FALSE WHERE username=:group AND type_id = 3',array(':group'=>$group) );
 495       $qry->Exec('sync_LDAP',__LINE__,__FILE__);
 496       Principal::cacheFlush('username=:group AND type_id = 3', array(':group'=>$group) );
 497     }
 498   }
 499
 500 }
 501
 502 /**
 503 * sync LDAP against the DB
 504 */
 505 function sync_LDAP(){
 506   global $c;
 507   $ldapDriver = getStaticLdap();
 508   if ( ! $ldapDriver->valid ) return;
 509
 510   $mapping = $c->authenticate_hook['config']['mapping_field'];
 511   $attributes = array_values($mapping);
 512   $ldap_users_tmp = $ldapDriver->getAllUsers($attributes);
 513
 514   if ( sizeof($ldap_users_tmp) == 0 ) return;
 515
 516   foreach($ldap_users_tmp as $key => $ldap_user){
 517     $ldap_users_info[$ldap_user[$mapping['username']]] = $ldap_user;
 518     unset($ldap_users_tmp[$key]);
 519   }
 520   $qry = new AwlQuery( "SELECT username, user_no, modified as updated FROM dav_principal where type_id=1");
 521   $qry->Exec('sync_LDAP',__LINE__,__FILE__);
 522   while($db_user = $qry->Fetch()) {
 523     $db_users[] = $db_user->username;
 524     $db_users_info[$db_user->username] = array('user_no' => $db_user->user_no, 'updated' => $db_user->updated);
 525   }
 526
 527   // all users from ldap
 528   $ldap_users = array_keys($ldap_users_info);
 529   // users only in ldap
 530   $users_to_create = array_diff($ldap_users,$db_users);
 531   // users only in db
 532   $users_to_deactivate = array_diff($db_users,$ldap_users);
 533   // users present in ldap and in the db
 534   $users_to_update = array_intersect($db_users,$ldap_users);
 535
 536   // creation of all users;
 537   if ( sizeof($users_to_create) ) {
 538     $c->messages[] = sprintf(i18n('- creating record for users :  %s'),join(', ',$users_to_create));
 539
 540     foreach( $users_to_create as $username ) {
 541       $principal = new Principal( 'username', $username );
 542       $valid = $ldap_users_info[$username];
 543       $ldap_timestamp = $valid[$mapping['modified']];
 544
 545       if ( !empty($c->authenticate_hook['config']['format_updated']) ) {
 546         /**
 547         * This splits the LDAP timestamp apart and assigns values to $Y $m $d $H $M and $S
 548         */
 549         foreach($c->authenticate_hook['config']['format_updated'] as $k => $v)
 550             $$k = substr($ldap_timestamp,$v[0],$v[1]);
 551         $ldap_timestamp = $Y.$m.$d.$H.$M.$S;
 552       }
 553       else if ( preg_match('{^(\d{8})(\d{6})(Z)?$', $ldap_timestamp, $matches ) ) {
 554         $ldap_timestamp = $matches[1].'T'.$matches[2].$matches[3];
 555       }
 556       else if ( empty($ldap_timestamp) ) {
 557         $ldap_timestamp = date('c');
 558       }
 559       $valid[$mapping['modified']] = $ldap_timestamp;
 560
 561       sync_user_from_LDAP( $principal, $mapping, $valid );
 562     }
 563   }
 564
 565   // deactivating all users
 566   $params = array();
 567   $i = 0;
 568   foreach( $users_to_deactivate AS $v ) {
 569     if ( isset($c->do_not_sync_from_ldap) && isset($c->do_not_sync_from_ldap[$v]) ) continue;
 570     $params[':u'.$i++] = strtolower($v);
 571   }
 572   if ( count($params) > 0 ) {
 573     $c->messages[] = sprintf(i18n('- deactivating users : %s'),join(', ',$users_to_deactivate));
 574     $qry = new AwlQuery( 'UPDATE usr SET active = FALSE WHERE lower(username) IN ('.implode(',',array_keys($params)).')', $params);
 575     $qry->Exec('sync_LDAP',__LINE__,__FILE__);
 576
 577     Principal::cacheFlush('lower(username) IN ('.implode(',',array_keys($params)).')', $params);
 578   }
 579
 580   // updating all users
 581   if ( sizeof($users_to_update) ) {
 582     foreach ( $users_to_update as $key=> $username ) {
 583       $principal = new Principal( 'username', $username );
 584       $valid=$ldap_users_info[$username];
 585       $ldap_timestamp = $valid[$mapping['modified']];
 586
 587       $valid['user_no'] = $db_users_info[$username]['user_no'];
 588       $mapping['user_no'] = 'user_no';
 589
 590       /**
 591       * This splits the LDAP timestamp apart and assigns values to $Y $m $d $H $M and $S
 592       */
 593       foreach($c->authenticate_hook['config']['format_updated'] as $k => $v) {
 594         $$k = substr($ldap_timestamp,$v[0],$v[1]);
 595       }
 596       $ldap_timestamp = $Y.$m.$d.$H.$M.$S;
 597       $valid[$mapping['modified']] = "$Y-$m-$d $H:$M:$S";
 598
 599       $db_timestamp = substr(strtr($db_users_info[$username]['updated'], array(':' => '',' '=>'','-'=>'')),0,14);
 600       if ( $ldap_timestamp > $db_timestamp ) {
 601         sync_user_from_LDAP($principal, $mapping, $valid );
 602       }
 603       else {
 604         unset($users_to_update[$key]);
 605         $users_nothing_done[] = $username;
 606       }
 607     }
 608     if ( sizeof($users_to_update) )
 609       $c->messages[] = sprintf(i18n('- updating user records : %s'),join(', ',$users_to_update));
 610     if ( sizeof($users_nothing_done) )
 611       $c->messages[] = sprintf(i18n('- nothing done on : %s'),join(', ', $users_nothing_done));
 612   }
 613
 614   $admins = 0;
 615   $qry = new AwlQuery( "SELECT count(*) AS admins FROM usr JOIN role_member USING ( user_no ) JOIN roles USING (role_no) WHERE usr.active=TRUE AND role_name='Admin'");
 616   $qry->Exec('sync_LDAP',__LINE__,__FILE__);
 617   while ( $db_user = $qry->Fetch() ) {
 618     $admins = $db_user->admins;
 619   }
 620   if ( $admins == 0 ) {
 621     $c->messages[] = sprintf(i18n('Warning: there are no active admin users! You should fix this before logging out.  Consider using the $c->do_not_sync_from_ldap configuration setting.'));
 622   }
 623 }