X-Git-Url: https://git.tokkee.org/?a=blobdiff_plain;f=gosa-core%2Finclude%2Ffunctions.inc;h=28e5a7fc8ed3f03f87043554f0376f4e7b0e0a30;hb=a3c6a8c40c4ab98152a7ac9773dd5eb120e63258;hp=ce88fdc4b41900a8d7c495d48bb8c91e798f6b88;hpb=323ea50a9c89d14281b7057cb07651a210c4005e;p=gosa.git diff --git a/gosa-core/include/functions.inc b/gosa-core/include/functions.inc index ce88fdc4b..28e5a7fc8 100644 --- a/gosa-core/include/functions.inc +++ b/gosa-core/include/functions.inc @@ -88,6 +88,7 @@ define ("DEBUG_CONFIG", 64); define ("DEBUG_ACL", 128); define ("DEBUG_SI", 256); define ("DEBUG_MAIL", 512); // mailAccounts, imap, sieve etc. +define ("DEBUG_FAI", 1024); // FAI (incomplete) /* Rewrite german 'umlauts' and spanish 'accents' to get better results */ @@ -404,6 +405,12 @@ function ldap_login_user_htaccess ($username) $ui= new userinfo($config, $ldap->getDN()); $ui->username= $attrs['uid'][0]; + /* Bail out if we have login restrictions set, for security reasons + the message is the same than failed user/pw */ + if (!$ui->loginAllowed()){ + return (NULL); + } + /* No password check needed - the webserver did it for us */ $ldap->disconnect(); @@ -484,6 +491,12 @@ function ldap_login_user ($username, $password) $ui= new userinfo($config, $ldap->getDN()); $ui->username= $attrs['uid'][0]; + /* Bail out if we have login restrictions set, for security reasons + the message is the same than failed user/pw */ + if (!$ui->loginAllowed()){ + return (NULL); + } + /* password check, bind as user with supplied password */ $ldap->disconnect(); $ldap= new LDAP($ui->dn, $password, $config->current['SERVER'], @@ -606,6 +619,13 @@ function add_lock($object, $user) if(!session::global_is_set("LOCK_CACHE")){ session::global_set("LOCK_CACHE",array("")); } + if(is_array($object)){ + foreach($object as $obj){ + add_lock($obj,$user); + } + return; + } + $cache = &session::global_get("LOCK_CACHE"); if(isset($_POST['open_readonly'])){ $cache['READ_ONLY'][$object] = TRUE; @@ -615,12 +635,6 @@ function add_lock($object, $user) unset($cache['READ_ONLY'][$object]); } - if(is_array($object)){ - foreach($object as $obj){ - add_lock($obj,$user); - } - return; - } /* Just a sanity check... */ if ($object == "" || $user == ""){ @@ -1164,6 +1178,7 @@ function get_ou($name) global $config; $map = array( + "roleRDN" => "ou=roles,", "ogroupRDN" => "ou=groups,", "applicationRDN" => "ou=apps,", "systemRDN" => "ou=systems,", @@ -1293,7 +1308,9 @@ function gen_locked_message($user, $dn, $allow_readonly = FALSE) /* Save variables from LOCK_VARS_TO_USE in session - for further editing */ if( session::is_set('LOCK_VARS_TO_USE') && count(session::get('LOCK_VARS_TO_USE'))){ - $LOCK_VARS_USED = array(); + $LOCK_VARS_USED_GET = array(); + $LOCK_VARS_USED_POST = array(); + $LOCK_VARS_USED_REQUEST = array(); $LOCK_VARS_TO_USE = session::get('LOCK_VARS_TO_USE'); foreach($LOCK_VARS_TO_USE as $name){ @@ -1304,18 +1321,26 @@ function gen_locked_message($user, $dn, $allow_readonly = FALSE) foreach($_POST as $Pname => $Pvalue){ if(preg_match($name,$Pname)){ - $LOCK_VARS_USED[$Pname] = $_POST[$Pname]; + $LOCK_VARS_USED_POST[$Pname] = $_POST[$Pname]; } } foreach($_GET as $Pname => $Pvalue){ if(preg_match($name,$Pname)){ - $LOCK_VARS_USED[$Pname] = $_GET[$Pname]; + $LOCK_VARS_USED_GET[$Pname] = $_GET[$Pname]; + } + } + + foreach($_REQUEST as $Pname => $Pvalue){ + if(preg_match($name,$Pname)){ + $LOCK_VARS_USED_REQUEST[$Pname] = $_REQUEST[$Pname]; } } } session::set('LOCK_VARS_TO_USE',array()); - session::set('LOCK_VARS_USED' , $LOCK_VARS_USED); + session::set('LOCK_VARS_USED_GET' , $LOCK_VARS_USED_GET); + session::set('LOCK_VARS_USED_POST' , $LOCK_VARS_USED_POST); + session::set('LOCK_VARS_USED_REQUEST' , $LOCK_VARS_USED_REQUEST); } /* Prepare and show template */ @@ -1637,8 +1662,8 @@ function recurse($rule, $variables) function expand_id($rule, $attributes) { /* Check for id rule */ - if(preg_match('/^id(:|#)\d+$/',$rule)){ - return (array("\{$rule}")); + if(preg_match('/^id(:|#|!)\d+$/',$rule)){ + return (array("{$rule}")); } /* Check for clean attribute */ @@ -1706,27 +1731,28 @@ function gen_uids($rule, $attributes) $proposed= recurse($stripped, $variables); /* Get list of used ID's */ - $used= array(); $ldap= $config->get_ldap_link(); $ldap->cd($config->current['BASE']); - $ldap->search('(uid=*)'); - - while($attrs= $ldap->fetch()){ - $used[]= $attrs['uid'][0]; - } /* Remove used uids and watch out for id tags */ $ret= array(); foreach($proposed as $uid){ /* Check for id tag and modify uid if needed */ - if(preg_match('/\{id:\d+}/',$uid)){ - $size= preg_replace('/^.*{id:(\d+)}.*$/', '\\1', $uid); + if(preg_match('/\{id(:|!)\d+}/',$uid, $m)){ + $size= preg_replace('/^.*{id(:|!)(\d+)}.*$/', '\\2', $uid); - for ($i= 0, $p= pow(10,$size); $i < $p; $i++){ - $number= sprintf("%0".$size."d", $i); - $res= preg_replace('/{id:(\d+)}/', $number, $uid); - if (!in_array($res, $used)){ + $start= $m[1]==":"?0:-1; + for ($i= $start, $p= pow(10,$size); $i < $p; $i++){ + if ($i == -1) { + $number= ""; + } else { + $number= sprintf("%0".$size."d", $i+1); + } + $res= preg_replace('/{id(:|!)\d+}/', $number, $uid); + + $ldap->search("(uid=".preg_replace('/[{}]/', '', $res).")",array('dn')); + if($ldap->count() == 0){ $uid= $res; break; } @@ -1740,7 +1766,8 @@ function gen_uids($rule, $attributes) mt_srand((double) microtime()*1000000); $number= sprintf("%0".$size."d", mt_rand(0, pow(10, $size)-1)); $res= preg_replace('/{id#(\d+)}/', $number, $uid); - if (!in_array($res, $used)){ + $ldap->search("(uid=".preg_replace('/[{}]/', '', $res).")",array('dn')); + if($ldap->count() == 0){ $uid= $res; break; } @@ -1748,7 +1775,8 @@ function gen_uids($rule, $attributes) } /* Don't assign used ones */ - if (!in_array($uid, $used)){ + $ldap->search("(uid=".preg_replace('/[{}]/', '', $uid).")",array('dn')); + if($ldap->count() == 0){ /* Add uid, but remove {} first. These are invalid anyway. */ $ret[]= preg_replace('/[{}]/', '', $uid); } @@ -2206,47 +2234,47 @@ function check_schema($cfg,$rfc2307bis = FALSE) /* The gosa base schema */ $checks['gosaObject'] = $def_check; $checks['gosaObject']['REQUIRED_VERSION'] = "2.6.1"; - $checks['gosaObject']['SCHEMA_FILES'] = array("gosa+samba3.schema","gosa.schema"); + $checks['gosaObject']['SCHEMA_FILES'] = array("gosa-samba3.schema","gosa-samba2.schema"); $checks['gosaObject']['CLASSES_REQUIRED'] = array("gosaObject"); $checks['gosaObject']['IS_MUST_HAVE'] = TRUE; /* GOsa Account class */ - $checks["gosaAccount"]["REQUIRED_VERSION"]= "2.6.1"; - $checks["gosaAccount"]["SCHEMA_FILES"] = array("gosa+samba3.schema","gosa.schema"); + $checks["gosaAccount"]["REQUIRED_VERSION"]= "2.6.6"; + $checks["gosaAccount"]["SCHEMA_FILES"] = array("gosa-samba3.schema","gosa-samba2.schema"); $checks["gosaAccount"]["CLASSES_REQUIRED"]= array("gosaAccount"); $checks["gosaAccount"]["IS_MUST_HAVE"] = TRUE; $checks["gosaAccount"]["INFO"] = _("Used to store account specific informations."); /* GOsa lock entry, used to mark currently edited objects as 'in use' */ $checks["gosaLockEntry"]["REQUIRED_VERSION"] = "2.6.1"; - $checks["gosaLockEntry"]["SCHEMA_FILES"] = array("gosa+samba3.schema","gosa.schema"); + $checks["gosaLockEntry"]["SCHEMA_FILES"] = array("gosa-samba3.schema","gosa-samba2.schema"); $checks["gosaLockEntry"]["CLASSES_REQUIRED"] = array("gosaLockEntry"); $checks["gosaLockEntry"]["IS_MUST_HAVE"] = TRUE; $checks["gosaLockEntry"]["INFO"] = _("Used to lock currently edited entries to avoid multiple changes at the same time."); /* Some other checks */ foreach(array( - "gosaCacheEntry" => array("version" => "2.6.1"), - "gosaDepartment" => array("version" => "2.6.1"), + "gosaCacheEntry" => array("version" => "2.6.1", "class" => "gosaAccount"), + "gosaDepartment" => array("version" => "2.6.1", "class" => "gosaAccount"), "goFaxAccount" => array("version" => "1.0.4", "class" => "gofaxAccount","file" => "gofax.schema"), "goFaxSBlock" => array("version" => "1.0.4", "class" => "gofaxAccount","file" => "gofax.schema"), "goFaxRBlock" => array("version" => "1.0.4", "class" => "gofaxAccount","file" => "gofax.schema"), "gosaUserTemplate" => array("version" => "2.6.1", "class" => "posixAccount","file" => "nis.schema"), - "gosaMailAccount" => array("version" => "2.6.1", "class" => "mailAccount","file" => "gosa+samba3.schema"), - "gosaProxyAccount" => array("version" => "2.6.1", "class" => "proxyAccount","file" => "gosa+samba3.schema"), + "gosaMailAccount" => array("version" => "2.6.1", "class" => "mailAccount","file" => "gosa-samba3.schema"), + "gosaProxyAccount" => array("version" => "2.6.1", "class" => "proxyAccount","file" => "gosa-samba3.schema"), "gosaApplication" => array("version" => "2.6.1", "class" => "appgroup","file" => "gosa.schema"), "gosaApplicationGroup" => array("version" => "2.6.1", "class" => "appgroup","file" => "gosa.schema"), "GOhard" => array("version" => "2.6.1", "class" => "terminals","file" => "goto.schema"), "gotoTerminal" => array("version" => "2.6.1", "class" => "terminals","file" => "goto.schema"), - "goServer" => array("version" => "2.6.1","class" => "server","file" => "goserver.schema"), + "goServer" => array("version" => "2.6.1", "class" => "server","file" => "goserver.schema"), "goTerminalServer" => array("version" => "2.6.1", "class" => "terminals","file" => "goto.schema"), "goShareServer" => array("version" => "2.6.1", "class" => "terminals","file" => "goto.schema"), "goNtpServer" => array("version" => "2.6.1", "class" => "terminals","file" => "goto.schema"), "goSyslogServer" => array("version" => "2.6.1", "class" => "terminals","file" => "goto.schema"), - "goLdapServer" => array("version" => "2.6.1"), + "goLdapServer" => array("version" => "2.6.1", "class" => "goServer"), "goCupsServer" => array("version" => "2.6.1", "class" => array("posixAccount", "terminals"),), - "goImapServer" => array("version" => "2.6.1", "class" => array("mailAccount", "mailgroup"),"file" => "gosa+samba3. schema"), - "goKrbServer" => array("version" => "2.6.1"), + "goImapServer" => array("version" => "2.6.1", "class" => array("mailAccount", "mailgroup"),"file" => "gosa-samba3.schema"), + "goKrbServer" => array("version" => "2.6.1", "class" => "goServer"), "goFaxServer" => array("version" => "2.6.1", "class" => "gofaxAccount","file" => "gofax.schema"), ) as $name => $values){ @@ -2257,26 +2285,25 @@ function check_schema($cfg,$rfc2307bis = FALSE) if(isset($values['file'])){ $checks[$name]["SCHEMA_FILES"] = array($values['file']); } - $checks[$name]["CLASSES_REQUIRED"] = array($name); + if (isset($values['class'])) { + $checks[$name]["CLASSES_REQUIRED"] = is_array($values['class'])?$values['class']:array($values['class']); + } } foreach($checks as $name => $value){ foreach($value['CLASSES_REQUIRED'] as $class){ if(!isset($objectclasses[$name])){ - $checks[$name]['STATUS'] = FALSE; if($value['IS_MUST_HAVE']){ + $checks[$name]['STATUS'] = FALSE; $checks[$name]['MSG'] = sprintf(_("Missing required object class '%s'!"),$class); - }else{ + } else { + $checks[$name]['STATUS'] = TRUE; $checks[$name]['MSG'] = sprintf(_("Missing optional object class '%s'!"),$class); } }elseif(!check_schema_version($objectclasses[$name],$value['REQUIRED_VERSION'])){ $checks[$name]['STATUS'] = FALSE; - if($value['IS_MUST_HAVE']){ - $checks[$name]['MSG'] = sprintf(_("Version mismatch for required object class '%s' (!=%s)!"), $class, $value['REQUIRED_VERSION']); - }else{ - $checks[$name]['MSG'] = sprintf(_("Version mismatch for optional object class '%s' (!=%s)!"), $class, $value['REQUIRED_VERSION']); - } + $checks[$name]['MSG'] = sprintf(_("Version mismatch for required object class '%s' (!=%s)!"), $class, $value['REQUIRED_VERSION']); }else{ $checks[$name]['STATUS'] = TRUE; $checks[$name]['MSG'] = sprintf(_("Class(es) available")); @@ -2289,7 +2316,7 @@ function check_schema($cfg,$rfc2307bis = FALSE) /* The gosa base schema */ $checks['posixGroup'] = $def_check; $checks['posixGroup']['REQUIRED_VERSION'] = "2.6.1"; - $checks['posixGroup']['SCHEMA_FILES'] = array("gosa+samba3.schema","gosa.schema"); + $checks['posixGroup']['SCHEMA_FILES'] = array("gosa-samba3.schema","gosa-samba2.schema"); $checks['posixGroup']['CLASSES_REQUIRED'] = array("posixGroup"); $checks['posixGroup']['STATUS'] = TRUE; $checks['posixGroup']['IS_MUST_HAVE'] = TRUE; @@ -2564,17 +2591,11 @@ function generate_smb_nt_hash($password) list($lm,$nt)= split (":", trim($hash)); - if ($config->get_cfg_value("sambaversion") == 3) { - $attrs['sambaLMPassword']= $lm; - $attrs['sambaNTPassword']= $nt; - $attrs['sambaPwdLastSet']= date('U'); - $attrs['sambaBadPasswordCount']= "0"; - $attrs['sambaBadPasswordTime']= "0"; - } else { - $attrs['lmPassword']= $lm; - $attrs['ntPassword']= $nt; - $attrs['pwdLastSet']= date('U'); - } + $attrs['sambaLMPassword']= $lm; + $attrs['sambaNTPassword']= $nt; + $attrs['sambaPwdLastSet']= date('U'); + $attrs['sambaBadPasswordCount']= "0"; + $attrs['sambaBadPasswordTime']= "0"; return($attrs); } @@ -2774,6 +2795,7 @@ function cred_encrypt($input, $password) { } + function cred_decrypt($input,$password) { $size = mcrypt_get_iv_size(MCRYPT_RIJNDAEL_128, MCRYPT_MODE_CBC); $iv = mcrypt_create_iv($size, MCRYPT_DEV_RANDOM); @@ -2781,16 +2803,199 @@ function cred_decrypt($input,$password) { return mcrypt_decrypt(MCRYPT_RIJNDAEL_128, $password, pack("H*", $input), MCRYPT_MODE_ECB, $iv); } + function get_object_info() { return(session::get('objectinfo')); } + function set_object_info($str = "") { session::set('objectinfo',$str); } +function isIpInNet($ip, $net, $mask) { + // Move to long ints + $ip= ip2long($ip); + $net= ip2long($net); + $mask= ip2long($mask); + + // Mask given IP with mask. If it returns "net", we're in... + $res= $ip & $mask; + + return ($res == $net); +} + + +function get_next_id($attrib, $dn) +{ + global $config; + + switch ($config->get_cfg_value("idAllocationMethod", "traditional")){ + case "pool": + return get_next_id_pool($attrib); + case "traditional": + return get_next_id_traditional($attrib, $dn); + } + + msg_dialog::display(_("Error"), _("Cannot allocate a free ID:")." "._("unknown idAllocation method!"), ERROR_DIALOG); + return null; +} + + +function get_next_id_pool($attrib) { + global $config; + + /* Fill informational values */ + $min= $config->get_cfg_value("${attrib}PoolMin", 10000); + $max= $config->get_cfg_value("${attrib}PoolMax", 40000); + + /* Sanity check */ + if ($min >= $max) { + msg_dialog::display(_("Error"), _("Cannot allocate a free ID:")." ".sprintf(_("%sPoolMin >= %sPoolMax!"), $attrib), ERROR_DIALOG); + return null; + } + + /* ID to skip */ + $ldap= $config->get_ldap_link(); + $id= null; + + /* Try to allocate the ID several times before failing */ + $tries= 3; + while ($tries--) { + + /* Look for ID map entry */ + $ldap->cd ($config->current['BASE']); + $ldap->search ("(&(objectClass=sambaUnixIdPool)($attrib=*))", array("$attrib")); + + /* If it does not exist, create one with these defaults */ + if ($ldap->count() == 0) { + /* Fill informational values */ + $minUserId= $config->get_cfg_value("uidPoolMin", 10000); + $minGroupId= $config->get_cfg_value("gidPoolMin", 10000); + + /* Add as default */ + $attrs= array("objectClass" => array("organizationalUnit", "sambaUnixIdPool")); + $attrs["ou"]= "idmap"; + $attrs["uidNumber"]= $minUserId; + $attrs["gidNumber"]= $minGroupId; + $ldap->cd("ou=idmap,".$config->current['BASE']); + $ldap->add($attrs); + if ($ldap->error != "Success") { + msg_dialog::display(_("Error"), _("Cannot create sambaUnixIdPool entry!"), ERROR_DIALOG); + return null; + } + $tries++; + continue; + } + /* Bail out if it's not unique */ + if ($ldap->count() != 1) { + msg_dialog::display(_("Error"), _("Cannot allocate a free ID:")." "._("sambaUnixIdPool is not unique!"), ERROR_DIALOG); + return null; + } + + /* Store old attrib and generate new */ + $attrs= $ldap->fetch(); + $dn= $ldap->getDN(); + $oldAttr= $attrs[$attrib][0]; + $newAttr= $oldAttr + 1; + + /* Sanity check */ + if ($newAttr >= $max) { + msg_dialog::display(_("Error"), _("Cannot allocate a free ID:")." "._("no ID available!"), ERROR_DIALOG); + return null; + } + if ($newAttr < $min) { + msg_dialog::display(_("Error"), _("Cannot allocate a free ID:")." "._("no ID available!"), ERROR_DIALOG); + return null; + } + + #FIXME: PHP is not able to do a modification of "del: .../add: ...", so this + # is completely unsafe in the moment. + #/* Remove old attr, add new attr */ + #$attrs= array($attrib => $oldAttr); + #$ldap->rm($attrs, $dn); + #if ($ldap->error != "Success") { + # continue; + #} + $ldap->cd($dn); + $ldap->modify(array($attrib => $newAttr)); + if ($ldap->error != "Success") { + msg_dialog::display(_("Error"), _("Cannot allocate a free ID:")." ".$ldap->get_error(), ERROR_DIALOG); + return null; + } else { + return $oldAttr; + } + } + + /* Bail out if we had problems getting the next id */ + if (!$tries) { + msg_dialog::display(_("Error"), _("Cannot allocate a free ID:")." "._("maximum tries exceeded!"), ERROR_DIALOG); + } + + return $id; +} + +function get_next_id_traditional($attrib, $dn) +{ + global $config; + + $ids= array(); + $ldap= $config->get_ldap_link(); + + $ldap->cd ($config->current['BASE']); + if (preg_match('/gidNumber/i', $attrib)){ + $oc= "posixGroup"; + } else { + $oc= "posixAccount"; + } + $ldap->search ("(&(objectClass=$oc)($attrib=*))", array("$attrib")); + + /* Get list of ids */ + while ($attrs= $ldap->fetch()){ + $ids[]= (int)$attrs["$attrib"][0]; + } + + /* Add the nobody id */ + $ids[]= 65534; + + /* get the ranges */ + $tmp = array('0'=> 1000); + if (preg_match('/posixAccount/', $oc) && $config->get_cfg_value("uidNumberBase") != ""){ + $tmp= split('-',$config->get_cfg_value("uidNumberBase")); + } elseif($config->get_cfg_value("gidNumberBase") != ""){ + $tmp= split('-',$config->get_cfg_value("gidNumberBase")); + } + + /* Set hwm to max if not set - for backward compatibility */ + $lwm= $tmp[0]; + if (isset($tmp[1])){ + $hwm= $tmp[1]; + } else { + $hwm= pow(2,32); + } + /* Find out next free id near to UID_BASE */ + if ($config->get_cfg_value("baseIdHook") == ""){ + $base= $lwm; + } else { + /* Call base hook */ + $base= get_base_from_hook($dn, $attrib); + } + for ($id= $base; $id++; $id < pow(2,32)){ + if (!in_array($id, $ids)){ + return ($id); + } + } + + /* Should not happen */ + if ($id == $hwm){ + msg_dialog::display(_("Error"), _("Cannot allocate a free ID!"), ERROR_DIALOG); + exit; + } +} + + // vim:tabstop=2:expandtab:shiftwidth=2:filetype=php:syntax:ruler: ?>