authorAleksander Machniak <alec@alec.pl>2014-01-17 11:57:22 +0100
committerAleksander Machniak <alec@alec.pl>2014-01-17 11:57:22 +0100
commit11efdc8b637e3ebebf9bcb5fdc1fafe1c05f1a11 (patch)
tree28919ce1d93d4d0c230b2e2fc412d86c4b7822b9 /lib/Auth
parentf434be6ad70510471bf1ccada311c869a5bc6f62 (diff)
downloadwebadmin-11efdc8b637e3ebebf9bcb5fdc1fafe1c05f1a11.tar.gz
Refactored domain_add()
Diffstat (limited to 'lib/Auth')
-rw-r--r--lib/Auth/LDAP.php365
1 files changed, 152 insertions, 213 deletions
diff --git a/lib/Auth/LDAP.php b/lib/Auth/LDAP.php
index 5958166..a2e951f 100644
--- a/lib/Auth/LDAP.php
+++ b/lib/Auth/LDAP.php
@@ -159,9 +159,12 @@ class LDAP extends Net_LDAP3 {
$domain_base_dn = $this->conf->get('ldap', 'domain_base_dn');
$domain_name_attribute = $this->conf->get('ldap', 'domain_name_attribute');
+ $service_bind_dn = $this->conf->get('ldap', 'service_bind_dn');
$primary_domain = $this->conf->get('kolab', 'primary_domain');
- $_primary_domain = str_replace('.', '_', $primary_domain);
- $_domain = str_replace('.', '_', $domain);
+
+ if (empty($service_bind_dn)) {
+ $service_bind_dn = $this->conf->get('ldap', 'bind_dn');
+ }
if (empty($domain_name_attribute)) {
$domain_name_attribute = 'associateddomain';
@@ -190,124 +193,6 @@ class LDAP extends Net_LDAP3 {
$inetdomainbasedn = $this->_standard_root_dn($domain);
}
- $cn = str_replace(array(',', '='), array('\2C', '\3D'), $inetdomainbasedn);
-
- $dn = "cn=" . $cn . ",cn=mapping tree,cn=config";
- $attrs = array(
- 'objectclass' => array(
- 'top',
- 'extensibleObject',
- 'nsMappingTree',
- ),
- 'nsslapd-state' => 'backend',
- 'cn' => $inetdomainbasedn,
- 'nsslapd-backend' => $_domain,
- );
-
- $replica_hosts = $this->list_replicas();
-
- if (!empty($replica_hosts)) {
- foreach ($replica_hosts as $replica_host) {
- Log::trace("Iterating over replication partners (now: $replica_host)");
- $ldap = new Net_LDAP3($this->config);
- $ldap->config_set("log_hook", array($this, "_log"));
- $ldap->config_set('host', $replica_host);
- $ldap->config_set('hosts', array($replica_host));
- $ldap->connect();
- $ldap->bind($_SESSION['user']->user_bind_dn, $_SESSION['user']->user_bind_pw);
- $result = $ldap->add_entry($dn, $attrs);
-
- if (!$result) {
- Log::error("Error adding $dn to $replica_host");
- }
-
- $ldap->close();
- }
- } else {
- $this->add_entry($dn, $attrs);
- }
-
- $result = $this->_read("cn=" . $_primary_domain . ",cn=ldbm database,cn=plugins,cn=config", array('nsslapd-directory'));
- if (!$result) {
- $result = $this->_read("cn=" . $primary_domain . ",cn=ldbm database,cn=plugins,cn=config", array('nsslapd-directory'));
- }
-
- if (!$result) {
- $result = $this->_read("cn=userRoot,cn=ldbm database,cn=plugins,cn=config", array('nsslapd-directory'));
- }
-
- $this->_log(LOG_DEBUG, "Primary domain ldbm database configuration entry: " . var_export($result, true));
-
- $result = $result[key($result)];
- $orig_directory = $result['nsslapd-directory'];
- $directory = str_replace($_primary_domain, $_domain, $result['nsslapd-directory']);
-
- if ($directory == $orig_directory) {
- $directory = str_replace($primary_domain, $_domain, $result['nsslapd-directory']);
- }
-
- if ($directory == $orig_directory) {
- $directory = str_replace("userRoot", $_domain, $result['nsslapd-directory']);
- }
-
- $dn = "cn=" . $_domain . ",cn=ldbm database,cn=plugins,cn=config";
- $attrs = array(
- 'objectclass' => array(
- 'top',
- 'extensibleobject',
- 'nsbackendinstance',
- ),
- 'cn' => $_domain,
- 'nsslapd-suffix' => $inetdomainbasedn,
- 'nsslapd-cachesize' => '-1',
- 'nsslapd-cachememsize' => '10485760',
- 'nsslapd-readonly' => 'off',
- 'nsslapd-require-index' => 'off',
- 'nsslapd-dncachememsize' => '10485760'
- );
-
- if (!empty($replica_hosts)) {
- foreach ($replica_hosts as $replica_host) {
- $ldap = new Net_LDAP3($this->config);
- $ldap->config_set("log_hook", array($this, "_log"));
- $ldap->config_set('host', $replica_host);
- $ldap->config_set('hosts', array($replica_host));
- $ldap->connect();
- $ldap->bind($_SESSION['user']->user_bind_dn, $_SESSION['user']->user_bind_pw);
-
- $ldap->config_set('return_attributes', array('nsslapd-directory'));
- $result = $ldap->get_entry("cn=" . $_primary_domain . ",cn=ldbm database,cn=plugins,cn=config");
- if (!$result) {
- $result = $ldap->get_entry("cn=" . $primary_domain . ",cn=ldbm database,cn=plugins,cn=config");
- }
-
- if (!$result) {
- $result = $ldap->get_entry("cn=userRoot,cn=ldbm database,cn=plugins,cn=config");
- }
-
- $this->_log(LOG_DEBUG, "Primary domain ldbm database configuration entry: " . var_export($result, true));
-
- $result = $result[key($result)];
- $orig_directory = $result['nsslapd-directory'];
- $directory = str_replace($_primary_domain, $_domain, $result['nsslapd-directory']);
-
- if ($directory == $orig_directory) {
- $directory = str_replace($primary_domain, $_domain, $result['nsslapd-directory']);
- }
-
- if ($directory == $orig_directory) {
- $directory = str_replace("userRoot", $_domain, $result['nsslapd-directory']);
- }
-
- $attrs['nsslapd-directory'] = $directory;
-
- $ldap->add_entry($dn, $attrs);
- $ldap->close();
- }
- } else {
- $this->add_entry($dn, $attrs);
- }
-
// Query the ACI for the primary domain
if ($domain_entry = $this->_find_domain($primary_domain)) {
$domain_entry = array_shift($domain_entry);
@@ -332,13 +217,6 @@ class LDAP extends Net_LDAP3 {
$_aci = $aci;
}
- $service_bind_dn = $this->conf->get('ldap', 'service_bind_dn');
- if (empty($service_bind_dn)) {
- $service_bind_dn = $this->conf->get('ldap', 'bind_dn');
- }
-
- $dn = $inetdomainbasedn;
-
// @TODO: this list should be configurable or auto-created somehow
$self_attrs = array(
'carLicense', 'description', 'displayName', 'facsimileTelephoneNumber', 'homePhone',
@@ -352,31 +230,65 @@ class LDAP extends Net_LDAP3 {
$self_attrs = array_merge($self_attrs, array('kolabDelegate', 'kolabInvitationPolicy', 'kolabAllowSMTPSender'));
}
- $attrs = array(
- // @TODO: Probably just use ldap_explode_dn()
- 'dc' => substr($dn, (strpos($dn, '=')+1), ((strpos($dn, ',')-strpos($dn, '='))-1)),
- 'objectclass' => array(
- 'top',
- 'domain',
+ $_domain = str_replace('.', '_', $domain);
+ $dn = $inetdomainbasedn;
+ $cn = str_replace(array(',', '='), array('\2C', '\3D'), $dn);
+
+ // Additional domain entries in various trees
+ $entries = array(
+ "cn={$cn},cn=mapping tree,cn=config" => array(
+ 'objectclass' => array(
+ 'top',
+ 'extensibleObject',
+ 'nsMappingTree',
+ ),
+ 'nsslapd-state' => 'backend',
+ 'cn' => $inetdomainbasedn,
+ 'nsslapd-backend' => $_domain,
),
- 'aci' => array(
- // Self-modification
- "(targetattr = \"" . implode(" || ", $self_attrs) . "\")(version 3.0; acl \"Enable self write for common attributes\"; allow (read,compare,search,write) userdn=\"ldap:///self\";)",
- // Directory Administrators
- "(targetattr = \"*\")(version 3.0; acl \"Directory Administrators Group\"; allow (all) (groupdn=\"ldap:///cn=Directory Administrators," . $inetdomainbasedn . "\" or roledn=\"ldap:///cn=kolab-admin," . $inetdomainbasedn . "\");)",
- // Configuration Administrators
- "(targetattr = \"*\")(version 3.0; acl \"Configuration Administrators Group\"; allow (all) groupdn=\"ldap:///cn=Configuration Administrators,ou=Groups,ou=TopologyManagement,o=NetscapeRoot\";)",
- // Administrator users
- "(targetattr = \"*\")(version 3.0; acl \"Configuration Administrator\"; allow (all) userdn=\"ldap:///uid=admin,ou=Administrators,ou=TopologyManagement,o=NetscapeRoot\";)",
- // SIE Group
- $_aci,
- // Search Access,
- "(targetattr != \"userPassword\") (version 3.0; acl \"Search Access\"; allow (read,compare,search) (userdn = \"ldap:///" . $inetdomainbasedn . "??sub?(objectclass=*)\");)",
- // Service Search Access
- "(targetattr = \"*\") (version 3.0; acl \"Service Search Access\"; allow (read,compare,search) (userdn = \"ldap:///" . $service_bind_dn . "\");)",
+ "cn={$_domain},cn=ldbm database,cn=plugins,cn=config" => array(
+ 'objectclass' => array(
+ 'top',
+ 'extensibleobject',
+ 'nsbackendinstance',
+ ),
+ 'cn' => $_domain,
+ 'nsslapd-suffix' => $inetdomainbasedn,
+ 'nsslapd-cachesize' => '-1',
+ 'nsslapd-cachememsize' => '10485760',
+ 'nsslapd-readonly' => 'off',
+ 'nsslapd-require-index' => 'off',
+ 'nsslapd-dncachememsize' => '10485760',
+ 'nsslapd-directory' => true, // will be replaced below
+ ),
+ $inetdomainbasedn => array(
+ // @TODO: Probably just use ldap_explode_dn()
+ 'dc' => substr($dn, (strpos($dn, '=')+1), ((strpos($dn, ',')-strpos($dn, '='))-1)),
+ 'objectclass' => array(
+ 'top',
+ 'domain',
+ ),
+ 'aci' => array(
+ // Self-modification
+ "(targetattr = \"" . implode(" || ", $self_attrs) . "\")(version 3.0; acl \"Enable self write for common attributes\"; allow (read,compare,search,write) userdn=\"ldap:///self\";)",
+ // Directory Administrators
+ "(targetattr = \"*\")(version 3.0; acl \"Directory Administrators Group\"; allow (all) (groupdn=\"ldap:///cn=Directory Administrators,{$inetdomainbasedn}\" or roledn=\"ldap:///cn=kolab-admin,{$inetdomainbasedn}\");)",
+ // Configuration Administrators
+ "(targetattr = \"*\")(version 3.0; acl \"Configuration Administrators Group\"; allow (all) groupdn=\"ldap:///cn=Configuration Administrators,ou=Groups,ou=TopologyManagement,o=NetscapeRoot\";)",
+ // Administrator users
+ "(targetattr = \"*\")(version 3.0; acl \"Configuration Administrator\"; allow (all) userdn=\"ldap:///uid=admin,ou=Administrators,ou=TopologyManagement,o=NetscapeRoot\";)",
+ // SIE Group
+ $_aci,
+ // Search Access,
+ "(targetattr != \"userPassword\") (version 3.0; acl \"Search Access\"; allow (read,compare,search) (userdn = \"ldap:///{$inetdomainbasedn}??sub?(objectclass=*)\");)",
+ // Service Search Access
+ "(targetattr = \"*\") (version 3.0; acl \"Service Search Access\"; allow (read,compare,search) (userdn = \"ldap:///{$service_bind_dn}\");)",
+ ),
),
);
+ $replica_hosts = $this->list_replicas();
+
if (!empty($replica_hosts)) {
foreach ($replica_hosts as $replica_host) {
$ldap = new Net_LDAP3($this->config);
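Review bot: The `'nsslapd-directory' => true, // will be replaced below` placeholder only works because the add loops (outside this hunk) test `isset($attrs['nsslapd-directory'])` before substituting the real path; a reader of this array cannot see that coupling, and a later edit that switches the placeholder to `null` would silently leave the backend entry without its directory. Suggest making the contract explicit in the comment, e.g. `// placeholder (must be non-null): replaced per server via nsslapd_directory() before add_entry(), keyed on isset()`. The `$_aci` element of the `aci` list is still taken from the `_find_domain($primary_domain)` branch earlier in the method, so it is unset when the primary domain lookup fails — pre-existing, but worth a guard now that the entries are built in one place. `domain_add()` starts before this hunk and continues after it.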
@@ -385,84 +297,77 @@ class LDAP extends Net_LDAP3 {
$ldap->config_set('hosts', array($replica_host));
$ldap->connect();
$ldap->bind($_SESSION['user']->user_bind_dn, $_SESSION['user']->user_bind_pw);
- $ldap->add_entry($dn, $attrs);
+
+ foreach ($entries as $dn => $attrs) {
+ if (isset($attrs['nsslapd-directory'])) {
+ $attrs['nsslapd-directory'] = $this->nsslapd_directory($ldap, $domain);
+ }
+ if (!$ldap->add_entry($dn, $attrs)) {
+ Log::error("Error adding $dn to $replica_host");
+ }
+ }
$ldap->close();
}
- } else {
- $this->add_entry($dn, $attrs);
+ }
+ else {
+ foreach ($entries as $dn => $attrs) {
+ if (isset($attrs['nsslapd-directory'])) {
+ $attrs['nsslapd-directory'] = $this->nsslapd_directory($this, $domain);
+ }
+ if (!$this->add_entry($dn, $attrs)) {
+ Log::error("Error adding $dn");
+ }
+ }
}
if (!empty($replica_hosts)) {
$this->add_replication_agreements($inetdomainbasedn);
}
- $dn = "cn=Directory Administrators," . $inetdomainbasedn;
- $attrs = array(
- 'objectclass' => array(
- 'top',
- 'groupofuniquenames',
+ // add OUs, do this after adding replication agreements
+ $entries = array(
+ "cn=Directory Administrators,$inetdomainbasedn" => array(
+ 'cn' => 'Directory Administrators',
+ 'objectclass' => array('top', 'groupofuniquenames'),
+ 'uniquemember' => array('cn=Directory Manager'),
),
- 'cn' => 'Directory Administrators',
- 'uniquemember' => array(
- 'cn=Directory Manager'
+ "cn=kolab-admin,$inetdomainbasedn" => array(
+ 'cn' => 'kolab-admin',
+ 'objectclass' => array(
+ 'top',
+ 'ldapsubentry',
+ 'nsroledefinition',
+ 'nssimpleroledefinition',
+ 'nsmanagedroledefinition',
+ ),
),
- );
-
- $this->add_entry($dn, $attrs);
-
- $dn = "ou=Groups," . $inetdomainbasedn;
- $attrs = array(
- 'objectclass' => array('top', 'organizationalunit'),
- 'ou' => 'Groups',
- );
-
- $this->add_entry($dn, $attrs);
-
- $dn = "ou=People," . $inetdomainbasedn;
- $attrs = array(
- 'objectclass' => array('top', 'organizationalunit'),
- 'ou' => 'People',
- );
-
- $this->add_entry($dn, $attrs);
-
- $dn = "ou=Special Users," . $inetdomainbasedn;
- $attrs = array(
- 'objectclass' => array('top', 'organizationalunit'),
- 'ou' => 'Special Users',
- );
-
- $this->add_entry($dn, $attrs);
-
- $dn = "ou=Resources," . $inetdomainbasedn;
- $attrs = array(
- 'objectclass' => array('top', 'organizationalunit'),
- 'ou' => 'Resources',
- );
-
- $this->add_entry($dn, $attrs);
-
- $dn = "ou=Shared Folders," . $inetdomainbasedn;
- $attrs = array(
- 'objectclass' => array('top', 'organizationalunit'),
- 'ou' => 'Shared Folders',
- );
-
- $this->add_entry($dn, $attrs);
-
- $dn = 'cn=kolab-admin,' . $inetdomainbasedn;
- $attrs = array(
- 'objectclass' => array(
- 'top',
- 'ldapsubentry',
- 'nsroledefinition',
- 'nssimpleroledefinition',
- 'nsmanagedroledefinition',
+ // @TODO: these OUs DN should be read from config
+ "ou=Groups,$inetdomainbasedn" => array(
+ 'ou' => 'Groups',
+ 'objectclass' => array('top', 'organizationalunit'),
+ ),
+ "ou=People,$inetdomainbasedn" => array(
+ 'ou' => 'People',
+ 'objectclass' => array('top', 'organizationalunit'),
+ ),
+ "ou=Special Users,$inetdomainbasedn" => array(
+ 'ou' => 'Special Users',
+ 'objectclass' => array('top', 'organizationalunit'),
+ ),
+ "ou=Resources,$inetdomainbasedn" => array(
+ 'ou' => 'Resources',
+ 'objectclass' => array('top', 'organizationalunit'),
+ ),
+ "ou=Shared Folders,$inetdomainbasedn" => array(
+ 'ou' => 'Shared Folders',
+ 'objectclass' => array('top', 'organizationalunit'),
),
- 'cn' => 'kolab-admin'
);
- $this->add_entry($dn, $attrs);
+ // create set of OUs and other domain entries
+ foreach ($entries as $dn => $attrs) {
+ $this->add_entry($dn, $attrs);
+ }
return true;
}
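Review bot: `domain_add()` still ends with an unconditional `return true;` even though the new loops now detect and log `add_entry()` failures (`Log::error("Error adding $dn to $replica_host")` and `Log::error("Error adding $dn")`), so a missing backend or mapping-tree entry is followed by `add_replication_agreements()` and the OU creation on a suffix that may not exist, and the caller is told everything succeeded. Suggest setting a local `$success = false;` in both failure branches and returning it, if callers can cope with a `false` result. The final OU loop is also inconsistent with the loops above it: `$this->add_entry($dn, $attrs);` discards the result, so `if (!$this->add_entry($dn, $attrs)) { Log::error("Error adding $dn"); }` would match the error handling used for the other entries. The method's signature is outside this hunk.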
@@ -1595,6 +1500,40 @@ class LDAP extends Net_LDAP3 {
}
/**
+ * Finds nsslapd-directory for specified domain
+ */
+ protected function nsslapd_directory($ldap, $domain)
+ {
+ $primary_domain = $this->conf->get('kolab', 'primary_domain');
+ $_primary_domain = str_replace('.', '_', $primary_domain);
+ $_domain = str_replace('.', '_', $domain);
+ $roots = array($_primary_domain, $primary_domain, 'userRoot');
+
+ foreach ($roots as $root) {
+ if ($result = $ldap->get_entry("cn=$root,cn=ldbm database,cn=plugins,cn=config")) {
+ break;
+ }
+ }
+
+ $this->_log(LOG_DEBUG, "Primary domain ldbm database configuration entry: " . var_export($result, true));
+
+ $result = $result[key($result)];
+ $orig_directory = $result['nsslapd-directory'];
+ $directory = $orig_directory;
+
+ reset($roots);
+ foreach ($roots as $root) {
+ if ($directory == $orig_directory) {
+ $directory = str_replace($root, $_domain, $result['nsslapd-directory']);
+ }
+ }
+
+ $this->_log(LOG_DEBUG, "nsslapd-directory for domain $domain is $directory");
+
+ return $directory;
+ }
+
+ /**
* Get global handle for memcache access
*
* @return object Memcache
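Review bot: `nsslapd_directory()` has no guard for the case where none of the three candidate entries exists: after the `foreach ($roots as $root)` loop `$result` is `false`, and `$result[key($result)]` then produces a warning (PHP 5) or a `TypeError` (PHP 8) before `$result['nsslapd-directory']` yields `null`, which the callers write into the backend entry as its directory. Suggest, directly after the first loop, `if (empty($result)) { $this->_log(LOG_ERR, "No ldbm database entry found for primary domain $primary_domain"); return false; }` and have the callers skip `add_entry()` on `false`. The removed replica code set `config_set('return_attributes', array('nsslapd-directory'))` before `get_entry()` and the non-replica path used `_read(..., array('nsslapd-directory'))`; the helper does neither, so please confirm `get_entry()` returns `nsslapd-directory` by default, otherwise the lookup below it is undefined. Since `LDAP extends Net_LDAP3` and `$this` is passed in the non-replica branch, the parameter can be typed `Net_LDAP3 $ldap`, and the `reset($roots);` before the second `foreach` is redundant.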