Diffstat (limited to 'lib/api/kolab_api_service_domain.php')
-rw-r--r--lib/api/kolab_api_service_domain.php157
1 files changed, 155 insertions, 2 deletions
diff --git a/lib/api/kolab_api_service_domain.php b/lib/api/kolab_api_service_domain.php
index f9910df..9190e62 100644
--- a/lib/api/kolab_api_service_domain.php
+++ b/lib/api/kolab_api_service_domain.php
@@ -95,6 +95,8 @@ class kolab_api_service_domain extends kolab_api_service
$attributes[$dna] = (array) $attributes[$dna];
$domain = array_shift($attributes[$dna]);
+ $this->_mod_domain_attrs($domain, $attributes);
+
$result = $auth->domain_add($domain, $attributes);
if ($result) {
@@ -102,6 +104,9 @@ class kolab_api_service_domain extends kolab_api_service
$attributes['id'] = $id;
}
+
+ $this->_after_domain_created($attributes, $domain);
+
return $attributes;
}
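Review bot: `$this->_after_domain_created($attributes, $domain);` is placed after the `if ($result)` block, so as far as this hunk shows it runs even when `domain_add()` returned a falsy result, creating the per-domain OU tree and the `kolab-admin` role under `ou=<domain>,<hosted_root_dn>` for a domain entry that was never added. Moving the call inside the `if ($result) { ... }` branch, after `$attributes['id'] = $id;`, keeps provisioning tied to a successful add. The enclosing method begins before the hunk and the lines between `if ($result) {` and `$attributes['id'] = $id;` are not visible, so an early return on failure there cannot be ruled out from here.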
@@ -167,8 +172,11 @@ class kolab_api_service_domain extends kolab_api_service
}
}
- $attributes = $this->parse_input_attributes('domain', $postdata);
- $result = $auth->domain_edit($postdata['id'], $attributes, $postdata['type_id']);
+ $attributes = $this->parse_input_attributes('domain', $postdata, $postdata['type_id']);
+
+ $this->_mod_domain_attrs(null, $attributes);
+
+ $result = $auth->domain_edit($postdata['id'], $attributes, $postdata['type_id']);
if ($result) {
return $result;
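Review bot: `$this->_mod_domain_attrs(null, $attributes);` on the edit path makes the helper derive the domain from `$attributes[$domain_name_attribute][0]`, and an edit that does not post the domain name attribute (for example only a description change) reads an undefined index, yielding `inetdomainbasedn` of `ou=,<hosted_root_dn>` and ACIs with an empty domain. Even when the attribute is posted, `aci` and `inetdomainbasedn` are regenerated unconditionally from whichever value is first, so reordering the domain values re-points the base DN and the ACI user filters to an OU that was never created. Guard the call on the domain name attribute being present in `$attributes` (or resolve the existing primary domain from the stored entry) and skip regeneration otherwise. The enclosing `domain_edit` starts before and ends after this hunk.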
@@ -266,4 +274,149 @@ class kolab_api_service_domain extends kolab_api_service
return false;
}
+
+ /**
+ * Modify hosted domain attributes
+ */
+ protected function _mod_domain_attrs($domain, &$attributes)
+ {
+ // Generate attributes (aci, inetdomainbasedn) for hosted domains
+ $conf = Conf::get_instance();
+ if ($conf->get('kolab_wap', 'hosted_root_dn')) {
+
+ $domain_name_attribute = $conf->get('ldap', 'domain_name_attribute');
+ $hosted_root_dn = $conf->get('kolab_wap', 'hosted_root_dn');
+ $mgmt_root_dn = $conf->get('kolab_wap', 'mgmt_root_dn');
+
+ if (empty($mgmt_root_dn)) {
+ $mgmt_root_dn = $conf->get('root_dn');
+ }
+
+ if (empty($domain_name_attribute)) {
+ $domain_name_attribute = 'associateddomain';
+ }
+
+ if (!is_array($attributes[$domain_name_attribute])) {
+ $attributes[$domain_name_attribute] = (array) $attributes[$domain_name_attribute];
+ }
+
+ if (empty($domain)) {
+ $domain = $attributes[$domain_name_attribute][0];
+ }
+
+ if (!in_array($domain, $attributes[$domain_name_attribute])) {
+ array_unshift($attributes[$domain_name_attribute], $domain);
+ }
+
+ $domain_root_dn = 'ou=' . $domain . ',' . $hosted_root_dn;
+
+ $aci = array(
+ '(targetattr = "*")'
+ . '(version 3.0; acl "Deny Unauthorized"; deny (all)'
+ . '(userdn != "ldap:///uid=kolab-service,ou=Special Users,' . $mgmt_root_dn . ' || '
+ . 'ldap:///ou=People,' . $domain_root_dn . '??sub?(objectclass=inetorgperson)") AND NOT '
+ . 'roledn = "ldap:///cn=kolab-admin,' . $mgmt_root_dn . '";)',
+
+ '(targetattr != "userPassword")'
+ . '(version 3.0;acl "Search Access";allow (read,compare,search)'
+ . '(userdn = "ldap:///uid=kolab-service,ou=Special Users,' . $mgmt_root_dn . ' || '
+ . 'ldap:///ou=People,' . $domain_root_dn . '??sub?(objectclass=inetorgperson)");)',
+
+ '(targetattr = "*")'
+ . '(version 3.0;acl "Kolab Administrators";allow (all)'
+ . '(roledn = "ldap:///cn=kolab-admin,' . $domain_root_dn . ' || '
+ . 'ldap:///cn=kolab-admin,' . $mgmt_root_dn . '");)'
+ );
+
+ $attributes['aci'] = $aci;
+ $attributes['inetdomainbasedn'] = $domain_root_dn;
+
+ $this->is_hosted = true;
+ }
+ }
+
+ /**
+ * Create LDAP object related to the new hosted domain
+ */
+ protected function _after_domain_created($attributes, $domain)
+ {
+ if (!$this->is_hosted) {
+ return;
+ }
+
+ $conf = Conf::get_instance();
+ $ou_service = $this->controller->get_service('ou');
+ $role_service = $this->controller->get_service('role');
+
+ $hosted_root_dn = $conf->get('kolab_wap', 'hosted_root_dn');
+ $mgmt_root_dn = $conf->get('kolab_wap', 'mgmt_root_dn');
+ $domain_root_dn = 'ou=' . $domain . ',' . $hosted_root_dn;
+
+ if (empty($mgmt_root_dn)) {
+ $mgmt_root_dn = $conf->get('root_dn');
+ }
+
+ $ou_domain = array(
+ 'ou' => $domain,
+ 'base_dn' => $hosted_root_dn,
+ 'description' => $domain,
+ 'type_id' => 1,
+ );
+
+ $ou_domain['aci'] = array(
+ '(targetattr = "*")'
+ . '(version 3.0;acl "Deny Unauthorized"; deny (all)'
+ . '(userdn != "ldap:///uid=kolab-service,ou=Special Users,' . $mgmt_root_dn . ' || '
+ . 'ldap:///ou=People,' . $domain_root_dn . '??sub?(objectclass=inetorgperson)") AND NOT '
+ . 'roledn = "ldap:///cn=kolab-admin,' . $mgmt_root_dn . '";)',
+
+ '(targetattr != "userPassword")'
+ . '(version 3.0;acl "Search Access";allow (read,compare,search,write)'
+ . '(userdn = "ldap:///uid=kolab-service,ou=Special Users,' . $mgmt_root_dn . ' || '
+ . 'ldap:///ou=People,' . $domain_root_dn . '??sub?(objectclass=inetorgperson)");)',
+
+ '(targetattr = "*")'
+ . '(version 3.0;acl "Kolab Administrators";allow (all)'
+ . '(roledn = "ldap:///cn=kolab-admin,' . $domain_root_dn . ' || '
+ . 'ldap:///cn=kolab-admin,' . $mgmt_root_dn . '");)',
+
+ '(target = "ldap:///ou=*,' . $domain_root_dn . '")(targetattr="objectclass || aci || ou")'
+ . '(version 3.0;acl "Allow Domain sub-OU Registration"; allow (add)'
+ . '(userdn = "ldap:///uid=kolab-service,ou=Special Users,' . $mgmt_root_dn . '");)',
+
+ '(target = "ldap:///uid=*,ou=People,' . $domain_root_dn . '")(targetattr="*")'
+ . '(version 3.0;acl "Allow Domain First User Registration"; allow (add)'
+ . '(userdn = "ldap:///uid=kolab-service,ou=Special Users,' . $mgmt_root_dn . '");)',
+
+ '(target = "ldap:///cn=*,' . $domain_root_dn . '")(targetattr="objectclass || cn")'
+ . '(version 3.0;acl "Allow Domain Role Registration"; allow (add)'
+ . '(userdn = "ldap:///uid=kolab-service,ou=Special Users,' . $mgmt_root_dn . '");)',
+ );
+
+ $ou_service->ou_add(null, $ou_domain);
+
+ // Add OU trees
+
+ foreach (array('Groups', 'People', 'Resources', 'Shared Folders') as $item) {
+ $ou = array(
+ 'ou' => $item,
+ 'base_dn' => $domain_root_dn,
+ 'type_id' => 1,
+ 'description' => $item,
+ );
+
+ $ou_service->ou_add(null, $ou);
+ }
+
+ // Add an admin role
+
+ $role = array(
+ 'cn' => 'kolab-admin',
+ 'description' => 'Domain Administrator',
+ 'type_id' => 1,
+ 'base_dn' => $domain_root_dn,
+ );
+
+ $role_service->role_add(null, $role);
+ }
}
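Review bot: `$domain` is concatenated verbatim into `$domain_root_dn = 'ou=' . $domain . ',' . $hosted_root_dn;` and into every ACI string in both new helpers, although it originates from posted attributes (`array_shift($attributes[$dna])` in the first hunk, and the `$attributes[$domain_name_attribute][0]` fallback here); a value containing `,`, `"`, `)` or `||` changes the structure of the DN or the ACI rather than just the name, so validate it against hostname syntax before anything is built, e.g. `if (!preg_match('/^[a-z0-9.-]+$/i', $domain)) { return false; }` at the top of `_mod_domain_attrs` with `domain_add`/`domain_edit` aborting on `false` (`ldap_escape($domain, '', LDAP_ESCAPE_DN)` would cover the DN component but not the ACI LDAP-URL syntax). Separately, the `"Search Access"` ACI set on the domain OU in `_after_domain_created` grants `(read,compare,search,write)` to every inetorgperson under `ou=People` of the domain, while the same ACI on the domain entry in `_mod_domain_attrs` grants only `(read,compare,search)`; because an ACI on the OU applies to its whole subtree, this lets any domain user modify any non-`userPassword` attribute of any entry in the domain, which looks unintended — drop `write` there or narrow it with `targetattr`/`selfwrite`. The return values of `$ou_service->ou_add()` and `$role_service->role_add()` are never checked, so a partially provisioned domain is reported as success; returning `false` from `_after_domain_created` on the first failure and checking it in `domain_add` would surface this. `$this->is_hosted` is read and written but not declared in this hunk; if it is not declared on this class or its parent, add `protected $is_hosted = false;` so the `!$this->is_hosted` check is well-defined.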