index ce88fdc4b41900a8d7c495d48bb8c91e798f6b88..28e5a7fc8ed3f03f87043554f0376f4e7b0e0a30 100644 (file)
define ("DEBUG_ACL", 128);
define ("DEBUG_SI", 256);
define ("DEBUG_MAIL", 512); // mailAccounts, imap, sieve etc.
+define ("DEBUG_FAI", 1024); // FAI (incomplete)
/* Rewrite german 'umlauts' and spanish 'accents'
to get better results */
$ui= new userinfo($config, $ldap->getDN());
$ui->username= $attrs['uid'][0];
+ /* Bail out if we have login restrictions set, for security reasons
+ the message is the same than failed user/pw */
+ if (!$ui->loginAllowed()){
+ return (NULL);
+ }
+
/* No password check needed - the webserver did it for us */
$ldap->disconnect();
$ui= new userinfo($config, $ldap->getDN());
$ui->username= $attrs['uid'][0];
+ /* Bail out if we have login restrictions set, for security reasons
+ the message is the same than failed user/pw */
+ if (!$ui->loginAllowed()){
+ return (NULL);
+ }
+
/* password check, bind as user with supplied password */
$ldap->disconnect();
$ldap= new LDAP($ui->dn, $password, $config->current['SERVER'],
if(!session::global_is_set("LOCK_CACHE")){
session::global_set("LOCK_CACHE",array(""));
}
+ if(is_array($object)){
+ foreach($object as $obj){
+ add_lock($obj,$user);
+ }
+ return;
+ }
+
$cache = &session::global_get("LOCK_CACHE");
if(isset($_POST['open_readonly'])){
$cache['READ_ONLY'][$object] = TRUE;
unset($cache['READ_ONLY'][$object]);
}
- if(is_array($object)){
- foreach($object as $obj){
- add_lock($obj,$user);
- }
- return;
- }
/* Just a sanity check... */
if ($object == "" || $user == ""){
global $config;
$map = array(
+ "roleRDN" => "ou=roles,",
"ogroupRDN" => "ou=groups,",
"applicationRDN" => "ou=apps,",
"systemRDN" => "ou=systems,",
/* Save variables from LOCK_VARS_TO_USE in session - for further editing */
if( session::is_set('LOCK_VARS_TO_USE') && count(session::get('LOCK_VARS_TO_USE'))){
- $LOCK_VARS_USED = array();
+ $LOCK_VARS_USED_GET = array();
+ $LOCK_VARS_USED_POST = array();
+ $LOCK_VARS_USED_REQUEST = array();
$LOCK_VARS_TO_USE = session::get('LOCK_VARS_TO_USE');
foreach($LOCK_VARS_TO_USE as $name){
foreach($_POST as $Pname => $Pvalue){
if(preg_match($name,$Pname)){
- $LOCK_VARS_USED[$Pname] = $_POST[$Pname];
+ $LOCK_VARS_USED_POST[$Pname] = $_POST[$Pname];
}
}
foreach($_GET as $Pname => $Pvalue){
if(preg_match($name,$Pname)){
- $LOCK_VARS_USED[$Pname] = $_GET[$Pname];
+ $LOCK_VARS_USED_GET[$Pname] = $_GET[$Pname];
+ }
+ }
+
+ foreach($_REQUEST as $Pname => $Pvalue){
+ if(preg_match($name,$Pname)){
+ $LOCK_VARS_USED_REQUEST[$Pname] = $_REQUEST[$Pname];
}
}
}
session::set('LOCK_VARS_TO_USE',array());
- session::set('LOCK_VARS_USED' , $LOCK_VARS_USED);
+ session::set('LOCK_VARS_USED_GET' , $LOCK_VARS_USED_GET);
+ session::set('LOCK_VARS_USED_POST' , $LOCK_VARS_USED_POST);
+ session::set('LOCK_VARS_USED_REQUEST' , $LOCK_VARS_USED_REQUEST);
}
/* Prepare and show template */
function expand_id($rule, $attributes)
{
/* Check for id rule */
- if(preg_match('/^id(:|#)\d+$/',$rule)){
- return (array("\{$rule}"));
+ if(preg_match('/^id(:|#|!)\d+$/',$rule)){
+ return (array("{$rule}"));
}
/* Check for clean attribute */
$proposed= recurse($stripped, $variables);
/* Get list of used ID's */
- $used= array();
$ldap= $config->get_ldap_link();
$ldap->cd($config->current['BASE']);
- $ldap->search('(uid=*)');
-
- while($attrs= $ldap->fetch()){
- $used[]= $attrs['uid'][0];
- }
/* Remove used uids and watch out for id tags */
$ret= array();
foreach($proposed as $uid){
/* Check for id tag and modify uid if needed */
- if(preg_match('/\{id:\d+}/',$uid)){
- $size= preg_replace('/^.*{id:(\d+)}.*$/', '\\1', $uid);
+ if(preg_match('/\{id(:|!)\d+}/',$uid, $m)){
+ $size= preg_replace('/^.*{id(:|!)(\d+)}.*$/', '\\2', $uid);
- for ($i= 0, $p= pow(10,$size); $i < $p; $i++){
- $number= sprintf("%0".$size."d", $i);
- $res= preg_replace('/{id:(\d+)}/', $number, $uid);
- if (!in_array($res, $used)){
+ $start= $m[1]==":"?0:-1;
+ for ($i= $start, $p= pow(10,$size); $i < $p; $i++){
+ if ($i == -1) {
+ $number= "";
+ } else {
+ $number= sprintf("%0".$size."d", $i+1);
+ }
+ $res= preg_replace('/{id(:|!)\d+}/', $number, $uid);
+
+ $ldap->search("(uid=".preg_replace('/[{}]/', '', $res).")",array('dn'));
+ if($ldap->count() == 0){
$uid= $res;
break;
}
mt_srand((double) microtime()*1000000);
$number= sprintf("%0".$size."d", mt_rand(0, pow(10, $size)-1));
$res= preg_replace('/{id#(\d+)}/', $number, $uid);
- if (!in_array($res, $used)){
+ $ldap->search("(uid=".preg_replace('/[{}]/', '', $res).")",array('dn'));
+ if($ldap->count() == 0){
$uid= $res;
break;
}
}
/* Don't assign used ones */
- if (!in_array($uid, $used)){
+ $ldap->search("(uid=".preg_replace('/[{}]/', '', $uid).")",array('dn'));
+ if($ldap->count() == 0){
/* Add uid, but remove {} first. These are invalid anyway. */
$ret[]= preg_replace('/[{}]/', '', $uid);
}
/* The gosa base schema */
$checks['gosaObject'] = $def_check;
$checks['gosaObject']['REQUIRED_VERSION'] = "2.6.1";
- $checks['gosaObject']['SCHEMA_FILES'] = array("gosa+samba3.schema","gosa.schema");
+ $checks['gosaObject']['SCHEMA_FILES'] = array("gosa-samba3.schema","gosa-samba2.schema");
$checks['gosaObject']['CLASSES_REQUIRED'] = array("gosaObject");
$checks['gosaObject']['IS_MUST_HAVE'] = TRUE;
/* GOsa Account class */
- $checks["gosaAccount"]["REQUIRED_VERSION"]= "2.6.1";
- $checks["gosaAccount"]["SCHEMA_FILES"] = array("gosa+samba3.schema","gosa.schema");
+ $checks["gosaAccount"]["REQUIRED_VERSION"]= "2.6.6";
+ $checks["gosaAccount"]["SCHEMA_FILES"] = array("gosa-samba3.schema","gosa-samba2.schema");
$checks["gosaAccount"]["CLASSES_REQUIRED"]= array("gosaAccount");
$checks["gosaAccount"]["IS_MUST_HAVE"] = TRUE;
$checks["gosaAccount"]["INFO"] = _("Used to store account specific informations.");
/* GOsa lock entry, used to mark currently edited objects as 'in use' */
$checks["gosaLockEntry"]["REQUIRED_VERSION"] = "2.6.1";
- $checks["gosaLockEntry"]["SCHEMA_FILES"] = array("gosa+samba3.schema","gosa.schema");
+ $checks["gosaLockEntry"]["SCHEMA_FILES"] = array("gosa-samba3.schema","gosa-samba2.schema");
$checks["gosaLockEntry"]["CLASSES_REQUIRED"] = array("gosaLockEntry");
$checks["gosaLockEntry"]["IS_MUST_HAVE"] = TRUE;
$checks["gosaLockEntry"]["INFO"] = _("Used to lock currently edited entries to avoid multiple changes at the same time.");
/* Some other checks */
foreach(array(
- "gosaCacheEntry" => array("version" => "2.6.1"),
- "gosaDepartment" => array("version" => "2.6.1"),
+ "gosaCacheEntry" => array("version" => "2.6.1", "class" => "gosaAccount"),
+ "gosaDepartment" => array("version" => "2.6.1", "class" => "gosaAccount"),
"goFaxAccount" => array("version" => "1.0.4", "class" => "gofaxAccount","file" => "gofax.schema"),
"goFaxSBlock" => array("version" => "1.0.4", "class" => "gofaxAccount","file" => "gofax.schema"),
"goFaxRBlock" => array("version" => "1.0.4", "class" => "gofaxAccount","file" => "gofax.schema"),
"gosaUserTemplate" => array("version" => "2.6.1", "class" => "posixAccount","file" => "nis.schema"),
- "gosaMailAccount" => array("version" => "2.6.1", "class" => "mailAccount","file" => "gosa+samba3.schema"),
- "gosaProxyAccount" => array("version" => "2.6.1", "class" => "proxyAccount","file" => "gosa+samba3.schema"),
+ "gosaMailAccount" => array("version" => "2.6.1", "class" => "mailAccount","file" => "gosa-samba3.schema"),
+ "gosaProxyAccount" => array("version" => "2.6.1", "class" => "proxyAccount","file" => "gosa-samba3.schema"),
"gosaApplication" => array("version" => "2.6.1", "class" => "appgroup","file" => "gosa.schema"),
"gosaApplicationGroup" => array("version" => "2.6.1", "class" => "appgroup","file" => "gosa.schema"),
"GOhard" => array("version" => "2.6.1", "class" => "terminals","file" => "goto.schema"),
"gotoTerminal" => array("version" => "2.6.1", "class" => "terminals","file" => "goto.schema"),
- "goServer" => array("version" => "2.6.1","class" => "server","file" => "goserver.schema"),
+ "goServer" => array("version" => "2.6.1", "class" => "server","file" => "goserver.schema"),
"goTerminalServer" => array("version" => "2.6.1", "class" => "terminals","file" => "goto.schema"),
"goShareServer" => array("version" => "2.6.1", "class" => "terminals","file" => "goto.schema"),
"goNtpServer" => array("version" => "2.6.1", "class" => "terminals","file" => "goto.schema"),
"goSyslogServer" => array("version" => "2.6.1", "class" => "terminals","file" => "goto.schema"),
- "goLdapServer" => array("version" => "2.6.1"),
+ "goLdapServer" => array("version" => "2.6.1", "class" => "goServer"),
"goCupsServer" => array("version" => "2.6.1", "class" => array("posixAccount", "terminals"),),
- "goImapServer" => array("version" => "2.6.1", "class" => array("mailAccount", "mailgroup"),"file" => "gosa+samba3. schema"),
- "goKrbServer" => array("version" => "2.6.1"),
+ "goImapServer" => array("version" => "2.6.1", "class" => array("mailAccount", "mailgroup"),"file" => "gosa-samba3.schema"),
+ "goKrbServer" => array("version" => "2.6.1", "class" => "goServer"),
"goFaxServer" => array("version" => "2.6.1", "class" => "gofaxAccount","file" => "gofax.schema"),
) as $name => $values){
if(isset($values['file'])){
$checks[$name]["SCHEMA_FILES"] = array($values['file']);
}
- $checks[$name]["CLASSES_REQUIRED"] = array($name);
+ if (isset($values['class'])) {
+ $checks[$name]["CLASSES_REQUIRED"] = is_array($values['class'])?$values['class']:array($values['class']);
+ }
}
foreach($checks as $name => $value){
foreach($value['CLASSES_REQUIRED'] as $class){
if(!isset($objectclasses[$name])){
- $checks[$name]['STATUS'] = FALSE;
if($value['IS_MUST_HAVE']){
+ $checks[$name]['STATUS'] = FALSE;
$checks[$name]['MSG'] = sprintf(_("Missing required object class '%s'!"),$class);
- }else{
+ } else {
+ $checks[$name]['STATUS'] = TRUE;
$checks[$name]['MSG'] = sprintf(_("Missing optional object class '%s'!"),$class);
}
}elseif(!check_schema_version($objectclasses[$name],$value['REQUIRED_VERSION'])){
$checks[$name]['STATUS'] = FALSE;
- if($value['IS_MUST_HAVE']){
- $checks[$name]['MSG'] = sprintf(_("Version mismatch for required object class '%s' (!=%s)!"), $class, $value['REQUIRED_VERSION']);
- }else{
- $checks[$name]['MSG'] = sprintf(_("Version mismatch for optional object class '%s' (!=%s)!"), $class, $value['REQUIRED_VERSION']);
- }
+ $checks[$name]['MSG'] = sprintf(_("Version mismatch for required object class '%s' (!=%s)!"), $class, $value['REQUIRED_VERSION']);
}else{
$checks[$name]['STATUS'] = TRUE;
$checks[$name]['MSG'] = sprintf(_("Class(es) available"));
/* The gosa base schema */
$checks['posixGroup'] = $def_check;
$checks['posixGroup']['REQUIRED_VERSION'] = "2.6.1";
- $checks['posixGroup']['SCHEMA_FILES'] = array("gosa+samba3.schema","gosa.schema");
+ $checks['posixGroup']['SCHEMA_FILES'] = array("gosa-samba3.schema","gosa-samba2.schema");
$checks['posixGroup']['CLASSES_REQUIRED'] = array("posixGroup");
$checks['posixGroup']['STATUS'] = TRUE;
$checks['posixGroup']['IS_MUST_HAVE'] = TRUE;
list($lm,$nt)= split (":", trim($hash));
- if ($config->get_cfg_value("sambaversion") == 3) {
- $attrs['sambaLMPassword']= $lm;
- $attrs['sambaNTPassword']= $nt;
- $attrs['sambaPwdLastSet']= date('U');
- $attrs['sambaBadPasswordCount']= "0";
- $attrs['sambaBadPasswordTime']= "0";
- } else {
- $attrs['lmPassword']= $lm;
- $attrs['ntPassword']= $nt;
- $attrs['pwdLastSet']= date('U');
- }
+ $attrs['sambaLMPassword']= $lm;
+ $attrs['sambaNTPassword']= $nt;
+ $attrs['sambaPwdLastSet']= date('U');
+ $attrs['sambaBadPasswordCount']= "0";
+ $attrs['sambaBadPasswordTime']= "0";
return($attrs);
}
}
+
function cred_decrypt($input,$password) {
$size = mcrypt_get_iv_size(MCRYPT_RIJNDAEL_128, MCRYPT_MODE_CBC);
$iv = mcrypt_create_iv($size, MCRYPT_DEV_RANDOM);
return mcrypt_decrypt(MCRYPT_RIJNDAEL_128, $password, pack("H*", $input), MCRYPT_MODE_ECB, $iv);
}
+
function get_object_info()
{
return(session::get('objectinfo'));
}
+
function set_object_info($str = "")
{
session::set('objectinfo',$str);
}
+function isIpInNet($ip, $net, $mask) {
+ // Move to long ints
+ $ip= ip2long($ip);
+ $net= ip2long($net);
+ $mask= ip2long($mask);
+
+ // Mask given IP with mask. If it returns "net", we're in...
+ $res= $ip & $mask;
+
+ return ($res == $net);
+}
+
+
+function get_next_id($attrib, $dn)
+{
+ global $config;
+
+ switch ($config->get_cfg_value("idAllocationMethod", "traditional")){
+ case "pool":
+ return get_next_id_pool($attrib);
+ case "traditional":
+ return get_next_id_traditional($attrib, $dn);
+ }
+
+ msg_dialog::display(_("Error"), _("Cannot allocate a free ID:")." "._("unknown idAllocation method!"), ERROR_DIALOG);
+ return null;
+}
+
+
+function get_next_id_pool($attrib) {
+ global $config;
+
+ /* Fill informational values */
+ $min= $config->get_cfg_value("${attrib}PoolMin", 10000);
+ $max= $config->get_cfg_value("${attrib}PoolMax", 40000);
+
+ /* Sanity check */
+ if ($min >= $max) {
+ msg_dialog::display(_("Error"), _("Cannot allocate a free ID:")." ".sprintf(_("%sPoolMin >= %sPoolMax!"), $attrib), ERROR_DIALOG);
+ return null;
+ }
+
+ /* ID to skip */
+ $ldap= $config->get_ldap_link();
+ $id= null;
+
+ /* Try to allocate the ID several times before failing */
+ $tries= 3;
+ while ($tries--) {
+
+ /* Look for ID map entry */
+ $ldap->cd ($config->current['BASE']);
+ $ldap->search ("(&(objectClass=sambaUnixIdPool)($attrib=*))", array("$attrib"));
+
+ /* If it does not exist, create one with these defaults */
+ if ($ldap->count() == 0) {
+ /* Fill informational values */
+ $minUserId= $config->get_cfg_value("uidPoolMin", 10000);
+ $minGroupId= $config->get_cfg_value("gidPoolMin", 10000);
+
+ /* Add as default */
+ $attrs= array("objectClass" => array("organizationalUnit", "sambaUnixIdPool"));
+ $attrs["ou"]= "idmap";
+ $attrs["uidNumber"]= $minUserId;
+ $attrs["gidNumber"]= $minGroupId;
+ $ldap->cd("ou=idmap,".$config->current['BASE']);
+ $ldap->add($attrs);
+ if ($ldap->error != "Success") {
+ msg_dialog::display(_("Error"), _("Cannot create sambaUnixIdPool entry!"), ERROR_DIALOG);
+ return null;
+ }
+ $tries++;
+ continue;
+ }
+ /* Bail out if it's not unique */
+ if ($ldap->count() != 1) {
+ msg_dialog::display(_("Error"), _("Cannot allocate a free ID:")." "._("sambaUnixIdPool is not unique!"), ERROR_DIALOG);
+ return null;
+ }
+
+ /* Store old attrib and generate new */
+ $attrs= $ldap->fetch();
+ $dn= $ldap->getDN();
+ $oldAttr= $attrs[$attrib][0];
+ $newAttr= $oldAttr + 1;
+
+ /* Sanity check */
+ if ($newAttr >= $max) {
+ msg_dialog::display(_("Error"), _("Cannot allocate a free ID:")." "._("no ID available!"), ERROR_DIALOG);
+ return null;
+ }
+ if ($newAttr < $min) {
+ msg_dialog::display(_("Error"), _("Cannot allocate a free ID:")." "._("no ID available!"), ERROR_DIALOG);
+ return null;
+ }
+
+ #FIXME: PHP is not able to do a modification of "del: .../add: ...", so this
+ # is completely unsafe in the moment.
+ #/* Remove old attr, add new attr */
+ #$attrs= array($attrib => $oldAttr);
+ #$ldap->rm($attrs, $dn);
+ #if ($ldap->error != "Success") {
+ # continue;
+ #}
+ $ldap->cd($dn);
+ $ldap->modify(array($attrib => $newAttr));
+ if ($ldap->error != "Success") {
+ msg_dialog::display(_("Error"), _("Cannot allocate a free ID:")." ".$ldap->get_error(), ERROR_DIALOG);
+ return null;
+ } else {
+ return $oldAttr;
+ }
+ }
+
+ /* Bail out if we had problems getting the next id */
+ if (!$tries) {
+ msg_dialog::display(_("Error"), _("Cannot allocate a free ID:")." "._("maximum tries exceeded!"), ERROR_DIALOG);
+ }
+
+ return $id;
+}
+
+function get_next_id_traditional($attrib, $dn)
+{
+ global $config;
+
+ $ids= array();
+ $ldap= $config->get_ldap_link();
+
+ $ldap->cd ($config->current['BASE']);
+ if (preg_match('/gidNumber/i', $attrib)){
+ $oc= "posixGroup";
+ } else {
+ $oc= "posixAccount";
+ }
+ $ldap->search ("(&(objectClass=$oc)($attrib=*))", array("$attrib"));
+
+ /* Get list of ids */
+ while ($attrs= $ldap->fetch()){
+ $ids[]= (int)$attrs["$attrib"][0];
+ }
+
+ /* Add the nobody id */
+ $ids[]= 65534;
+
+ /* get the ranges */
+ $tmp = array('0'=> 1000);
+ if (preg_match('/posixAccount/', $oc) && $config->get_cfg_value("uidNumberBase") != ""){
+ $tmp= split('-',$config->get_cfg_value("uidNumberBase"));
+ } elseif($config->get_cfg_value("gidNumberBase") != ""){
+ $tmp= split('-',$config->get_cfg_value("gidNumberBase"));
+ }
+
+ /* Set hwm to max if not set - for backward compatibility */
+ $lwm= $tmp[0];
+ if (isset($tmp[1])){
+ $hwm= $tmp[1];
+ } else {
+ $hwm= pow(2,32);
+ }
+ /* Find out next free id near to UID_BASE */
+ if ($config->get_cfg_value("baseIdHook") == ""){
+ $base= $lwm;
+ } else {
+ /* Call base hook */
+ $base= get_base_from_hook($dn, $attrib);
+ }
+ for ($id= $base; $id++; $id < pow(2,32)){
+ if (!in_array($id, $ids)){
+ return ($id);
+ }
+ }
+
+ /* Should not happen */
+ if ($id == $hwm){
+ msg_dialog::display(_("Error"), _("Cannot allocate a free ID!"), ERROR_DIALOG);
+ exit;
+ }
+}
+
+
// vim:tabstop=2:expandtab:shiftwidth=2:filetype=php:syntax:ruler:
?>