Skip to content
GitLab
Select Git revision
  • dev default
  • 6378-orcid-test-method-is-wrong-and-break-orcid-saving
  • core-php8
  • master
  • 6342-update-the-locales-for-1-5
  • 6344-template-issue-when-creating-a-template-with-empty-password-error-message-should-not-be-seen
  • 6365-core-locking-mechanism-is-not-changing-the-mail-ressource-it-does-lock-the-mail-account
  • 6365-core-when-lock-mechanism-is-trigger-the-user-should-not-be-editable-if-not-unlock
  • fusiondirectory-1.5
  • fusiondirectory-1.4
  • fusiondirectory-1.3.1
  • fusiondirectory-1.3
  • fusiondirectory-1.2.3
  • fusiondirectory-1.2.2
  • fusiondirectory-1.2.1
  • fusiondirectory-1.2
  • fusiondirectory-1.1.1
  • fusiondirectory-1.1
  • fusiondirectory-1.0.20
  • fusiondirectory-1.0.19
  • fusiondirectory-1.0.18
  • fusiondirectory-1.0.17
  • fusiondirectory-1.0.16
  • fusiondirectory-1.0.15
  • fusiondirectory-1.0.14
  • fusiondirectory-1.0.13
  • fusiondirectory-1.0.12
  • fusiondirectory-1.0.11
Find file BlameHistoryPermalink
class_setupStep_Migrate.inc 44.75 KiB
1 
<?php
2 
/*
3 
  This code is part of FusionDirectory (http://www.fusiondirectory.org/)
4 
  Copyright (C) 2007  Fabian Hickert
5 
  Copyright (C) 2011-2016  FusionDirectory
6
7 
  This program is free software; you can redistribute it and/or modify
8 
  it under the terms of the GNU General Public License as published by
9 
  the Free Software Foundation; either version 2 of the License, or
10 
  (at your option) any later version.
11
12 
  This program is distributed in the hope that it will be useful,
13 
  but WITHOUT ANY WARRANTY; without even the implied warranty of
14 
  MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the
15 
  GNU General Public License for more details.
16
17 
  You should have received a copy of the GNU General Public License
18 
  along with this program; if not, write to the Free Software
19 
  Foundation, Inc., 51 Franklin St, Fifth Floor, Boston, MA 02110-1301, USA.
20 
*/
21
22 
/****************
23 
 * FUNCTIONS
24
25 
Step_Migrate                - Constructor.
26 
update_strings              - Used to update the displayed step informations.
27 
initialize_checks           - Initialize migration steps.
28 
check_ldap_permissions      - Check if the used admin account has full access to the ldap database.
29 
check_gosaAccounts          - Check if there are users without the required objectClasses.
30 
migrate_gosaAccounts        - Migrate selected users to FusionDirectory user accounts.
31 
check_orgUnits   - Check if there are departments, that are not visible for FusionDirectory
32 
migrate_orgUnits - Migrate selected departments
33 
check_adminAccount - Check if there is at least one acl entry available
34 
checkBase                   - Check if there is a root object available
35
36 
get_user_list               - Get list of available users
37
38 
create_admin
39 
create_admin_user
40
41 
execute                     - Generate html output of this plugin
42 
save_object                 - Save posts
43 
array_to_ldif               - Create ldif output of an ldap result array
44
45 
 ****************/
46
47 
class CheckFailedException extends Exception
48 
{
49 
  private $error;
50
51 
  public function __construct($msg, $error)
52 
  {
53 
    parent::__construct($msg);
54 
    $this->error = $error;
55 
  }
56
57 
  public function getError()
58 
  {
59 
    return $this->error;
60 
  }
61 
}
62
63 
class StepMigrateDialog extends GenericDialog
64 
{
65 
  protected $post_cancel = 'dialog_cancel';
66 
  protected $post_finish = 'dialog_confirm';
67
68 
  private $infos;
69 
  private $tplfile;
70 
  private $check;
7172737475767778798081828384858687888990919293949596979899100101102103104105106107108109110111112113114115116117118119120121122123124125126127128129130131132133134135136137138139140
public function __construct(&$check, $tpl, $infos) { $this->attribute = NULL; $this->dialog = NULL; $this->infos = $infos; $this->tplfile = $tpl; $this->check = $check; } public function dialog_execute() { if ( isset($_POST['dialog_showchanges']) || isset($_POST['dialog_hidechanges']) || isset($_POST['dialog_refresh'])) { $this->infos = $this->check->dialog_refresh(); } $smarty = get_smarty(); $smarty->assign('infos', $this->infos); return $smarty->fetch(get_template_path($this->tplfile, TRUE, dirname(__FILE__))); } function handle_finish () { if ($this->check->migrate_confirm()) { return FALSE; } else { return $this->dialog_execute(); } } function handle_cancel () { return FALSE; } } class StepMigrateCheck { public $name; public $title; public $status = FALSE; public $msg = ''; public $error = ''; public $fnc; private $step; public function __construct($step, $name, $title) { $this->name = $name; $this->title = $title; $this->fnc = 'check_'.$name; $this->step = $step; } public function run($fnc = NULL) { if ($fnc === NULL) { $fnc = $this->fnc; } try { $this->msg = _('Ok'); $this->error = $this->step->$fnc($this); $this->status = TRUE; } catch (CheckFailedException $e) { $this->status = FALSE; $this->msg = $e->getMessage(); $this->error = $e->getError(); }
141142143144145146147148149150151152153154155156157158159160161162163164165166167168169170171172173174175176177178179180181182183184185186187188189190191192193194195196197198199200201202203204205206207208209210
} public function save_object() { if (isset($_POST[$this->name.'_create'])) { $fnc = $this->fnc.'_create'; $this->step->$fnc($this); } elseif (isset($_POST[$this->name.'_migrate'])) { $fnc = $this->fnc.'_migrate'; $this->step->$fnc($this); } } public function submit ($value = NULL, $id = 'migrate') { if ($value === NULL) { $value = _('Migrate'); } return '<input type="submit" name="'.$this->name.'_'.$id.'" value="'.$value.'"/>'; } public function migrate_confirm() { $fnc = $this->fnc.'_migrate'.'_confirm'; $res = $this->step->$fnc($this); if ($res) { $this->run(); } return $res; } public function dialog_refresh() { $fnc = $this->fnc.'_migrate'.'_refresh'; return $this->step->$fnc($this); } } class Step_Migrate extends setupStep { var $header_image = "geticon.php?context=applications&icon=utilities-system-monitor&size=48"; /* Root object classes */ var $rootOC_details = array(); /* Entries needing migration */ var $orgUnits_toMigrate = array(); var $gosaAccounts_toMigrate = array(); var $outsideUsers_toMigrate = array(); var $outsideGroups_toMigrate = array(); /* check for multiple use of same uidNumber */ var $check_uidNumbers = array(); /* check for multiple use of same gidNumber */ var $check_gidNumbers = array(); /* Defaults ACL roles */ var $defaultRoles; static function getAttributesInfo() { return array( 'checks' => array( 'class' => array('fullwidth'), 'name' => _('PHP module and extension checks'), 'template' => get_template_path("setup_migrate.tpl", TRUE, dirname(__FILE__)), 'attrs' => array( new FakeAttribute('checks') )
211212213214215216217218219220221222223224225226227228229230231232233234235236237238239240241242243244245246247248249250251252253254255256257258259260261262263264265266267268269270271272273274275276277278279280
), ); } function __construct($parent) { parent::__construct($parent); $this->fill_defaultRoles(); } function update_strings() { $this->s_short_name = _('LDAP inspection'); $this->s_title = _('LDAP inspection'); $this->s_description = _('Analyze your current LDAP for FusionDirectory compatibility'); } function fill_defaultRoles() { $this->defaultRoles = array( array( 'cn' => 'manager', 'description' => _('Give all rights on users in the given branch'), 'objectclass' => array('top', 'gosaRole'), 'gosaAclTemplate' => '0:user/password;cmdrw,user/user;cmdrw,user/posixAccount;cmdrw' ), array( 'cn' => 'editowninfos', 'description' => _('Allow users to edit their own information (main tab and posix use only on base)'), 'objectclass' => array('top', 'gosaRole'), 'gosaAclTemplate' => '0:user/posixAccount;srw,user/user;srw' ), array( 'cn' => 'editowninfos', 'description' => _('Allow users to edit their own password (use only on base)'), 'objectclass' => array('top', 'gosaRole'), 'gosaAclTemplate' => '0:user/password;srw' ), ); } function initialize_checks() { global $config; $config->get_departments(); $checks = array( 'baseOC' => new StepMigrateCheck($this, 'baseOC', _('Inspecting object classes in root object')), 'permissions' => new StepMigrateCheck($this, 'permissions', _('Checking permission for LDAP database')), 'gosaAccounts' => new StepMigrateCheck($this, 'gosaAccounts', _('Checking for invisible users')), 'adminAccount' => new StepMigrateCheck($this, 'adminAccount', _('Checking for super administrator')), 'defaultACLs' => new StepMigrateCheck($this, 'defaultACLs', _('Checking for default ACL roles and groups')), 'outsideUsers' => new StepMigrateCheck($this, 'outsideUsers', _('Checking for users outside the people tree')), 'outsideGroups' => new StepMigrateCheck($this, 'outsideGroups', _('Checking for groups outside the groups tree')), 'orgUnits' => new StepMigrateCheck($this, 'orgUnits', _('Checking for invisible departments')), 'uidNumber' => new StepMigrateCheck($this, 'uidNumber', _('Checking for duplicated UID numbers')), 'gidNumber' => new StepMigrateCheck($this, 'gidNumber', _('Checking for duplicated GID numbers')), ); $this->checks = $checks; } /* Return ldif information for a given attribute array */ function array_to_ldif($attrs) { $ret = ''; unset($attrs['count']); unset($attrs['dn']); foreach ($attrs as $name => $value) { if (is_numeric($name)) {
281282283284285286287288289290291292293294295296297298299300301302303304305306307308309310311312313314315316317318319320321322323324325326327328329330331332333334335336337338339340341342343344345346347348349350
continue; } if (is_array($value)) { unset($value['count']); foreach ($value as $a_val) { $ret .= $name.': '. $a_val."\n"; } } else { $ret .= $name.': '. $value."\n"; } } return preg_replace("/\n$/", '', $ret); } function execute() { if (empty($this->checks) || isset($_POST['reload'])) { $this->initialize_checks(); foreach ($this->checks as $check) { $check->run(); } } return parent::execute(); } function save_object() { $this->is_completed = TRUE; parent::save_object(); foreach ($this->checks as $check) { $check->save_object(); } } /* Check if the root object includes the required object classes, e.g. gosaDepartment is required for ACLs. * If the parameter just_check is TRUE, then just check for the OCs. * If the Parameter is FALSE, try to add the required object classes. */ function check_baseOC(&$checkobj) { global $config; $ldap = $config->get_ldap_link(); /* Check if root object exists */ $ldap->cd($config->current['BASE']); $ldap->cat($config->current['BASE']); if (!$ldap->count()) { throw new CheckFailedException( _('LDAP query failed'), _('Possibly the "root object" is missing.') ); } $attrs = $ldap->fetch(); /* Root object doesn't exists */ if (!in_array("gosaDepartment", $attrs['objectClass'])) { $this->rootOC_details = array(); $mods = array(); /* Get list of possible container objects, to be able to detect naming * attributes and missing attribute types. */ if (!class_available("departmentManagement")) { throw new CheckFailedException( _("Failed"), sprintf(_("Missing FusionDirectory object class '%s'!"), "departmentManagement"). "&nbsp;"._("Please check your installation.") ); }
351352353354355356357358359360361362363364365366367368369370371372373374375376377378379380381382383384385386387388389390391392393394395396397398399400401402403404405406407408409410411412413414415416417418419420
/* Try to detect base class type, e.g. is it a dcObject */ $dep_types = departmentManagement::getDepartmentTypes(); $dep_type = ""; $attrs['objectClass'][] = 'gosaDepartment'; // This allow us to filter it as if it was already migrated foreach ($dep_types as $type) { if (objects::isOfType($attrs, $type)) { $dep_type = $type; break; } } $key = array_search('gosaDepartment', $attrs['objectClass']); unset($attrs['objectClass'][$key]); /* If no known base class was detect, abort with message */ if (empty($dep_type)) { throw new CheckFailedException( _("Failed"), sprintf(_("Cannot handle the structural object type of your root object. Please try to add the object class '%s' manually."), "gosaDepartment") ); } $dep_infos = objects::infos($dep_type); /* Create 'current' and 'target' object properties, to be able to display * a set of modifications required to create a valid FusionDirectory department. */ $str = "dn: ".$config->current['BASE']."\n"; for ($i = 0; $i < $attrs['objectClass']['count']; $i++) { $str .= "objectClass: ".$attrs['objectClass'][$i]."\n"; } $this->rootOC_details['current'] = $str; /* Create target infos */ $str = "dn: ".$config->current['BASE']."\n"; for ($i = 0; $i < $attrs['objectClass']['count']; $i++) { $str .= "objectClass: ".$attrs['objectClass'][$i]."\n"; $mods['objectClass'][] = $attrs['objectClass'][$i]; } $mods['objectClass'][] = "gosaDepartment"; $str .= "<b>objectClass: gosaDepartment</b>\n"; /* Append attribute 'ou', it is required by gosaDepartment */ if (!isset($attrs['ou'])) { $val = "GOsa"; if (isset($attrs[$dep_infos['mainAttr']][0])) { $val = $attrs[$dep_infos['mainAttr']][0]; } $str .= "<b>ou: ".$val."</b>\n"; $mods['ou'] = $val; } /*Append description, it is required by gosaDepartment too */ if (!isset($attrs['description'])) { $val = "GOsa"; if (isset($attrs[$dep_infos['mainAttr']][0])) { $val = $attrs[$dep_infos['mainAttr']][0]; } $str .= "<b>description: ".$val."</b>\n"; $mods['description'] = $val; } $this->rootOC_details['target'] = $str; $this->rootOC_details['mods'] = $mods; /* Add button that allows to open the migration details */ throw new CheckFailedException( _('Failed'), '&nbsp;'.$checkobj->submit()
421422423424425426427428429430431432433434435436437438439440441442443444445446447448449450451452453454455456457458459460461462463464465466467468469470471472473474475476477478479480481482483484485486487488489490
); } /* Create & remove of dummy object was successful */ return ''; } function check_baseOC_migrate (&$checkobj) { $this->openDialog(new StepMigrateDialog($checkobj, 'setup_migrate_baseOC.tpl', $this->rootOC_details)); } function check_baseOC_migrate_confirm () { global $config; $ldap = $config->get_ldap_link(); /* Check if root object exists */ $ldap->cd($config->current['BASE']); $ldap->cat($config->current['BASE']); $attrs = $ldap->fetch(); /* Root object doesn't exists */ if (!in_array("gosaDepartment", $attrs['objectClass'])) { /* Add root object */ $ldap->cd($config->current['BASE']); if (isset($this->rootOC_details['mods'])) { $res = $ldap->modify($this->rootOC_details['mods']); if (!$res) { msg_dialog::display(_('LDAP error'), msgPool::ldaperror($ldap->get_error(), $config->current['BASE'], LDAP_MOD, get_class()), LDAP_ERROR); } $this->checks['adminAccount']->run(); return $res; } else { trigger_error('No modifications to make... '); } return TRUE; } return TRUE; } /* Check ldap accessibility * Create and remove a dummy object, * to ensure that we have the necessary permissions */ function check_permissions(&$checkobj) { global $config; $ldap = $config->get_ldap_link(); /* Create dummy entry */ $name = 'GOsa_setup_text_entry_'.session_id().rand(0, 999999); $dn = 'ou='.$name.','.$config->current['BASE']; $testEntry = array(); $testEntry['objectClass'][] = 'top'; $testEntry['objectClass'][] = 'organizationalUnit'; $testEntry['objectClass'][] = 'gosaDepartment'; $testEntry['description'] = 'Created by FusionDirectory setup, this object can be removed.'; $testEntry['ou'] = $name; /* check if simple ldap cat will be successful */ $res = $ldap->cat($config->current['BASE']); if (!$res) { throw new CheckFailedException( _('LDAP query failed'), _('Possibly the "root object" is missing.') ); }
491492493494495496497498499500501502503504505506507508509510511512513514515516517518519520521522523524525526527528529530531532533534535536537538539540541542543544545546547548549550551552553554555556557558559560
/* Try to create dummy object */ $ldap->cd ($dn); $res = $ldap->add($testEntry); $ldap->cat($dn); if (!$ldap->count()) { logging::log('view', 'setup/'.get_class($this), $dn, array(), $ldap->get_error()); throw new CheckFailedException( _('Failed'), sprintf(_('The specified user "%s" does not have full access to your LDAP database.'), $config->current['ADMINDN']) ); } /* Try to remove created entry */ $res = $ldap->rmDir($dn); $ldap->cat($dn); if ($ldap->count()) { logging::log('view', 'setup/'.get_class($this), $dn, array(), $ldap->get_error()); throw new CheckFailedException( _('Failed'), sprintf(_('The specified user "%s" does not have full access to your ldap database.'), $config->current['ADMINDN']) ); } /* Create & remove of dummy object was successful */ return ''; } /* Check if there are users which will * be invisible for FusionDirectory */ function check_gosaAccounts(&$checkobj) { global $config; $ldap = $config->get_ldap_link(); /* Remember old list of invisible users, to be able to set * the 'html checked' status for the checkboxes again */ $old = $this->gosaAccounts_toMigrate; $this->gosaAccounts_toMigrate = array(); /* Get all invisible users */ $ldap->cd($config->current['BASE']); $res = $ldap->search( '(&'. '(|'. '(objectClass=posixAccount)'. '(objectClass=person)'. '(objectClass=OpenLDAPperson)'. ')'. '(!(objectClass=inetOrgPerson))'. '(uid=*)'. ')', array('sn','givenName','cn','uid') ); while ($attrs = $ldap->fetch()) { if (!preg_match('/,dc=addressbook,/', $attrs['dn'])) { $attrs['checked'] = FALSE; $attrs['before'] = ""; $attrs['after'] = ""; /* Set objects to selected, that were selected before reload */ if (isset($old[base64_encode($attrs['dn'])])) { $attrs['checked'] = $old[base64_encode($attrs['dn'])]['checked']; } $this->gosaAccounts_toMigrate[base64_encode($attrs['dn'])] = $attrs; } }
561562563564565566567568569570571572573574575576577578579580581582583584585586587588589590591592593594595596597598599600601602603604605606607608609610611612613614615616617618619620621622623624625626627628629630
if (!$res) { throw new CheckFailedException( _('LDAP query failed'), _('Possibly the "root object" is missing.') ); } elseif (count($this->gosaAccounts_toMigrate) == 0) { /* No invisible */ return ''; } else { throw new CheckFailedException( "<div style='color:#F0A500'>"._("Warning")."</div>", sprintf( _('Found %s user(s) that will not be visible in FusionDirectory or which are incomplete.'), count($this->gosaAccounts_toMigrate) ).$checkobj->submit() ); } } function check_gosaAccounts_migrate (&$checkobj) { $this->check_multipleGeneric_migrate($checkobj, array('title' => _('User migration'))); } function check_gosaAccounts_migrate_refresh (&$checkobj) { return $this->check_multipleGeneric_migrate_refresh($checkobj, array('title' => _('User migration'))); } function check_gosaAccounts_migrate_confirm(&$checkobj, $only_ldif = FALSE) { return $this->check_multipleGeneric_migrate_confirm( $checkobj, array('inetOrgPerson','organizationalPerson','person'), array(), $only_ldif ); } function check_multipleGeneric_migrate (&$checkobj, $infos) { $var = $checkobj->name.'_toMigrate'; /* Fix displayed dn syntax */ $infos['entries'] = $this->$var; foreach ($infos['entries'] as $key => $data) { $infos['entries'][$key]['dn'] = LDAP::fix($data['dn']); } $this->openDialog(new StepMigrateDialog($checkobj, 'setup_migrate_gosaAccounts.tpl', $infos)); } function check_multipleGeneric_migrate_refresh (&$checkobj, $infos) { if (isset($_POST['dialog_showchanges'])) { /* Show changes */ $fnc = 'check_'.$checkobj->name.'_migrate_confirm'; $this->$fnc($checkobj, TRUE); } else { /* Hide changes */ $checkobj->run(); } /* Fix displayed dn syntax */ $var = $checkobj->name.'_toMigrate'; $infos['entries'] = $this->$var; foreach ($infos['entries'] as $key => $data) { $infos['entries'][$key]['dn'] = LDAP::fix($data['dn']); } return $infos; }
631632633634635636637638639640641642643644645646647648649650651652653654655656657658659660661662663664665666667668669670671672673674675676677678679680681682683684685686687688689690691692693694695696697698699700
function check_multipleGeneric_migrate_confirm(&$checkobj, $oc, $mandatory, $only_ldif) { global $config; $ldap = $config->get_ldap_link(); /* Add objectClasses to the selected entries */ $var = $checkobj->name.'_toMigrate'; foreach ($this->$var as $key => &$entry) { $entry['checked'] = isset($_POST['migrate_'.$key]); if ($entry['checked']) { /* Get old objectClasses */ $ldap->cat($entry['dn'], array_merge(array('objectClass'), array_keys($mandatory))); $attrs = $ldap->fetch(); /* Create new objectClass array */ $new_attrs = array(); $new_attrs['objectClass'] = $oc; for ($i = 0; $i < $attrs['objectClass']['count']; $i++) { if (!in_array_ics($attrs['objectClass'][$i], $new_attrs['objectClass'])) { $new_attrs['objectClass'][] = $attrs['objectClass'][$i]; } } /* Append mandatories if missing */ foreach ($mandatory as $name => $value) { if (!isset($attrs[$name])) { $new_attrs[$name] = $value; } } /* Set info attributes for current object, * or write changes to the ldap database */ if ($only_ldif) { $entry['before'] = $this->array_to_ldif($attrs); $entry['after'] = $this->array_to_ldif($new_attrs); } else { $ldap->cd($attrs['dn']); if (!$ldap->modify($new_attrs)) { msg_dialog::display( _('Migration error'), sprintf( _('Cannot migrate entry "%s":').'<br/><br/><i>%s</i>', LDAP::fix($attrs['dn']), $ldap->get_error() ), ERROR_DIALOG ); return FALSE; } } } } unset($entry); return TRUE; } /* Check Acls if there is at least one object with acls defined */ function check_adminAccount(&$checkobj) { global $config; /* Reset settings */ $FD_1_0_8_found = FALSE; /* Establish ldap connection */ $ldap = $config->get_ldap_link(); $ldap->cd($config->current['BASE']); $res = $ldap->cat($config->current['BASE']); if (!$res) {
701702703704705706707708709710711712713714715716717718719720721722723724725726727728729730731732733734735736737738739740741742743744745746747748749750751752753754755756757758759760761762763764765766767768769770
throw new CheckFailedException( _('LDAP query failed'), _('Possibly the "root object" is missing.') ); } else { $FD_1_0_8_found = FALSE; $FD_1_0_7_found = FALSE; $attrs = $ldap->fetch(); /* Collect a list of available FusionDirectory users and groups */ $users = array(); $ldap->search('(objectClass=inetOrgPerson)', array('uid','dn')); while ($user_attrs = $ldap->fetch()) { $users[$user_attrs['dn']] = $user_attrs['uid'][0]; $rusers[$user_attrs['uid'][0]] = $user_attrs['dn']; } $groups = array(); $ldap->search("objectClass=posixGroup", array("cn","dn")); while ($group_attrs = $ldap->fetch()) { $groups[$group_attrs['dn']] = $group_attrs['cn'][0]; } /* Check if a valid FusionDirectory 1.0.8 admin exists -> gosaAclEntry for an existing and accessible user. */ $valid_users = ""; $valid_groups = ""; if (isset($attrs['gosaAclEntry'])) { $acls = $attrs['gosaAclEntry']; for ($i = 0; $i < $acls['count']; $i++) { $acl = $acls[$i]; $tmp = explode(":", $acl); if ($tmp[1] == "subtree") { /* Check if acl owner is a valid FusionDirectory user account */ $ldap->cat(base64_decode($tmp[2]), array("gosaAclTemplate"), '(gosaAclTemplate=*:all;cmdrw)'); if ($ldap->count()) { $members = explode(",", $tmp[3]); foreach ($members as $member) { $member = base64_decode($member); if (isset($users[$member])) { $valid_users .= $users[$member].", "; $FD_1_0_8_found = TRUE; } if (isset($groups[$member])) { $ldap->cat($member); $group_attrs = $ldap->fetch(); $val_users = ""; if (isset($group_attrs['memberUid'])) { for ($e = 0; $e < $group_attrs['memberUid']['count']; $e ++) { if (isset($rusers[$group_attrs['memberUid'][$e]])) { $val_users .= $group_attrs['memberUid'][$e].", "; } } } if (!empty($val_users)) { $valid_groups .= $groups[$member]."(<i>".trim($val_users, ", ")."</i>), "; $FD_1_0_8_found = TRUE; } } } } } } } /* Try to find an old FD 1.0.7 administrator account that may be migrated */ if (!$FD_1_0_8_found) {
771772773774775776777778779780781782783784785786787788789790791792793794795796797798799800801802803804805806807808809810811812813814815816817818819820821822823824825826827828829830831832833834835836837838839840
$valid_users = ""; $valid_groups = ""; if (isset($attrs['gosaAclEntry'])) { $acls = $attrs['gosaAclEntry']; for ($i = 0; $i < $acls['count']; $i++) { $acl = $acls[$i]; $tmp = explode(":", $acl); if ($tmp[1] == "psub") { $members = explode(",", $tmp[2]); foreach ($members as $member) { $member = base64_decode($member); if (isset($users[$member])) { if (preg_match("/all;cmdrw/i", $tmp[3])) { $valid_users .= $users[$member].", "; $FD_1_0_7_found = TRUE; } } if (isset($groups[$member])) { if (preg_match("/all;cmdrw/i", $tmp[3])) { $ldap->cat($member); $group_attrs = $ldap->fetch(); $val_users = ""; if (isset($group_attrs['memberUid'])) { for ($e = 0; $e < $group_attrs['memberUid']['count']; $e++) { if (isset($rusers[$group_attrs['memberUid'][$e]])) { $val_users .= $group_attrs['memberUid'][$e].", "; } } } if (!empty($val_users)) { $valid_groups .= $groups[$member]."(<i>".trim($val_users, ", ")."</i>), "; $FD_1_0_7_found = TRUE; } } } } } elseif ($tmp[1] == "role") { /* Check if acl owner is a valid FusionDirectory user account */ $ldap->cat(base64_decode($tmp[2]), array("gosaAclTemplate")); $ret = $ldap->fetch(); if (isset($ret['gosaAclTemplate'])) { $cnt = $ret['gosaAclTemplate']['count']; for ($e = 0; $e < $cnt; $e++) { $a_str = $ret['gosaAclTemplate'][$e]; if (preg_match("/^[0-9]*:psub:/", $a_str) && preg_match("/:all;cmdrw$/", $a_str)) { $members = explode(",", $tmp[3]); foreach ($members as $member) { $member = base64_decode($member); if (isset($users[$member])) { $valid_users .= $users[$member].", "; $FD_1_0_7_found = TRUE; } if (isset($groups[$member])) { $ldap->cat($member); $group_attrs = $ldap->fetch(); $val_users = ""; if (isset($group_attrs['memberUid'])) { for ($e = 0; $e < $group_attrs['memberUid']['count']; $e ++) { if (isset($rusers[$group_attrs['memberUid'][$e]])) { $val_users .= $group_attrs['memberUid'][$e].", "; } } } if (!empty($val_users)) { $valid_groups .= $groups[$member]."(<i>".trim($val_users, ", ")."</i>), ";
841842843844845846847848849850851852853854855856857858859860861862863864865866867868869870871872873874875876877878879880881882883884885886887888889890891892893894895896897898899900901902903904905906907908909910
$FD_1_0_7_found = TRUE; } } } } } } } } } } /* Print out results */ if ($FD_1_0_7_found) { $str = ""; if (!empty($valid_users)) { $str .= '<i>'.sprintf(_('FD 1.0.7 administrative accounts found: %s'), trim($valid_users, ', ')).'</i><br/>'; } if (!empty($valid_groups)) { $str .= '<i>'.sprintf(_('FD 1.0.7 administrative groups found: %s'), trim($valid_groups, ', ')).'</i><br/>'; } $str .= _('You may run <i>fusiondirectory-setup --migrate-acls</i> after saving config file at the end of the setup to migrate it.<br/>'); throw new CheckFailedException( _('Failed'), $str._('There is no valid FusionDirectory 1.0.8 administrator account inside your LDAP.').'&nbsp;'. $checkobj->submit(_('Create'), 'create') ); } elseif ($FD_1_0_8_found) { $str = ""; if (!empty($valid_users)) { $str .= "<b>"._("Users")."</b>:&nbsp;".trim($valid_users, ", ")."<br>"; } if (!empty($valid_groups)) { $str .= "<b>"._("Groups")."</b>:&nbsp;".trim($valid_groups, ", ")."<br>"; } return $str; } else { throw new CheckFailedException( _('Failed'), _('There is no FusionDirectory administrator account inside your LDAP.').'&nbsp;'. $checkobj->submit(_('Create'), 'create') ); } } // Reload base OC $this->checks['baseOC']->run(); return ''; } function check_adminAccount_create(&$checkobj) { $infos = array( 'uid' => 'fd-admin', 'password' => '', 'password2' => '', ); $this->openDialog(new StepMigrateDialog($checkobj, 'setup_migrate_adminAccount.tpl', $infos)); } function check_adminAccount_migrate_confirm(&$checkobj) { global $config; session::global_set('CurrentMainBase', $config->current['BASE']); /* Creating role */ $ldap = $config->get_ldap_link(); $ldap->cd($config->current['BASE']); $ldap->search('(&(objectClass=gosaRole)(gosaAclTemplate=*:all;cmdrw))', array('dn'));
911912913914915916917918919920921922923924925926927928929930931932933934935936937938939940941942943944945946947948949950951952953954955956957958959960961962963964965966967968969970971972973974975976977978979980
if ($attrs = $ldap->fetch()) { $roledn = $attrs['dn']; } else { $tabObject = objects::create('aclRole'); $baseObject = $tabObject->getBaseObject(); $baseObject->cn = 'admin'; $baseObject->description = _('Gives all rights on all objects'); $baseObject->gosaAclTemplate = array(array('all' => array('0' => 'cmdrw'))); $tabObject->save(); $roledn = $tabObject->dn; } /* Creating user */ $tabObject = objects::create('user'); $_POST['givenName'] = 'System'; $_POST['sn'] = 'Administrator'; $_POST[$tabObject->current.'_posted'] = TRUE; $_POST['dialog_refresh'] = TRUE; $tabObject->save_object(); $errors = $tabObject->check(); if (!empty($errors)) { foreach ($errors as $error) { msg_dialog::display(_('Error'), $error, ERROR_DIALOG); } return FALSE; } $tabObject->save(); $admindn = $tabObject->dn; /* Assigning role */ $tabObject = objects::open($config->current['BASE'], 'aclAssignment'); $baseObject = $tabObject->getBaseObject(); $assignments = $baseObject->gosaAclEntry; array_unshift( $assignments, array( 'scope' => 'subtree', 'role' => $roledn, 'members' => array($admindn), ) ); $baseObject->gosaAclEntry = $assignments; $tabObject->save(); return TRUE; } function check_adminAccount_migrate_refresh(&$checkobj) { return array( 'uid' => $_POST['uid'], 'password' => $_POST['userPassword_password'], 'password2' => $_POST['userPassword_password2'], ); } /* Check if default roles and groupes have been inserted */ function check_defaultACLs(&$checkobj) { global $config; $ldap = $config->get_ldap_link(); $ldap->cd($config->current['BASE']); $res = $ldap->cat($config->current['BASE']); if (!$res) { throw new CheckFailedException( _('LDAP query failed'),
981982983984985986987988989990991992993994995996997998999100010011002100310041005100610071008100910101011101210131014101510161017101810191020102110221023102410251026102710281029103010311032103310341035103610371038103910401041104210431044104510461047104810491050
_('Possibly the "root object" is missing.') ); } $existings = 0; foreach ($this->defaultRoles as $role) { $dn = 'cn='.$role['cn'].','.get_ou('aclRoleRDN').$config->current['BASE']; $ldap->cat($dn, array('dn')); if ($ldap->count() > 0) { $existings++; } } $status = ($existings == count($this->defaultRoles)); if ($existings == 0) { $checkobj->msg = _('Default ACL roles have not been inserted'); } elseif ($existings < count($this->defaultRoles)) { $checkobj->msg = _('Some default ACL roles are missing'); } else { $checkobj->msg = _('Default ACL roles have been inserted'); } if ($status === FALSE) { throw new CheckFailedException( $checkobj->msg, '&nbsp;'.$checkobj->submit() ); } else { return ''; } } function check_defaultACLs_migrate(&$checkobj) { global $config; $ldap = $config->get_ldap_link(); $ldap->cd($config->current['BASE']); foreach ($this->defaultRoles as $role) { $dn = 'cn='.$role['cn'].','.get_ou('aclRoleRDN').$config->current['BASE']; $ldap->cat($dn); if ($ldap->count() == 0) { $ldap->cd($config->current['BASE']); $ldap->create_missing_trees(get_ou('aclRoleRDN').$config->current['BASE']); $ldap->cd($dn); $ldap->add($role); if (!$ldap->success()) { msg_dialog::display( _('Migration error'), sprintf( _('Cannot add ACL role "%s":').'<br/><br/><i>%s</i>', LDAP::fix($dn), $ldap->get_error() ), ERROR_DIALOG ); return FALSE; } } } $checkobj->run(); return TRUE; } /* Search for users outside the people ou */ function check_outsideUsers(&$checkobj) { global $config; $ldap = $config->get_ldap_link(); $ldap->cd($config->current['BASE']); /***********
1051105210531054105510561057105810591060106110621063106410651066106710681069107010711072107310741075107610771078107910801081108210831084108510861087108810891090109110921093109410951096109710981099110011011102110311041105110611071108110911101111111211131114111511161117111811191120
* Search for all users ***********/ $res = $ldap->search('(&(objectClass=inetOrgPerson)(!(uid=*$)))', array('dn')); if (!$res) { throw new CheckFailedException( _('LDAP query failed'), _('Possibly the "root object" is missing.') ); } /*********** * Check if returned users are within a valid department. (peopleou,gosaDepartment,base) ***********/ $this->outsideUsers_toMigrate = array(); $people_ou = trim(get_ou('userRDN')); while ($attrs = $ldap->fetch()) { $people_db_base = preg_replace('/^[^,]+,'.preg_quote($people_ou, '/').'/i', '', $attrs['dn']); /* Check if entry is not an addressbook only user * and verify that he is in a valid department */ if (!preg_match('/dc=addressbook,/', $people_db_base) && !in_array($people_db_base, $config->departments)) { $attrs['checked'] = FALSE; $attrs['ldif'] = ''; $this->outsideUsers_toMigrate[base64_encode($attrs['dn'])] = $attrs; } } if (count($this->outsideUsers_toMigrate)) { throw new CheckFailedException( "<div style='color:#F0A500'>"._("Warning")."</div>", sprintf(_('Found %s user(s) outside the configured tree "%s".'), count($this->outsideUsers_toMigrate), $people_ou). $checkobj->submit() ); } else { return ''; } } function check_outsideUsers_migrate(&$checkobj) { global $config; $this->check_multipleGeneric_migrate( $checkobj, array( 'title' => _('Move users into configured user tree'), 'outside' => TRUE, 'ous' => $config->departments, 'destination' => $_POST['destination'], ) ); } function check_outsideUsers_migrate_refresh(&$checkobj) { global $config; return $this->check_multipleGeneric_migrate_refresh( $checkobj, array( 'title' => _('Move users into configured user tree'), 'outside' => TRUE, 'ous' => $config->departments, 'destination' => $_POST['destination'], ) ); } function check_outsideUsers_migrate_confirm(&$checkobj, $only_ldif = FALSE, $ou = 'userRDN')
1121112211231124112511261127112811291130113111321133113411351136113711381139114011411142114311441145114611471148114911501151115211531154115511561157115811591160116111621163116411651166116711681169117011711172117311741175117611771178117911801181118211831184118511861187118811891190
{ global $config; $ldap = $config->get_ldap_link(); $ldap->cd($config->current['BASE']); /* Check if there was a destination department posted */ if (isset($_POST['destination'])) { $destination_dep = get_ou($ou).$_POST['destination']; } else { msg_dialog::display(_('LDAP error'), _('Cannot move entries to the requested department!'), ERROR_DIALOG); return FALSE; } $var = $checkobj->name.'_toMigrate'; foreach ($this->$var as $b_dn => &$entry) { $entry['checked'] = isset($_POST['migrate_'.$b_dn]); $entry['ldif'] = ''; if ($entry['checked']) { $dn = base64_decode($b_dn); $d_dn = preg_replace('/,.*$/', ','.$destination_dep, $dn); if ($only_ldif) { $entry['ldif'] = _('Entry will be moved from').":<br/>\t".($ldap->fix($dn)).'<br/>'._('to').":<br/>\t".($ldap->fix($d_dn)); /* Check if there are references to this object */ $ldap->search('(&(member='.ldap_escape_f($dn).')(|(objectClass=gosaGroupOfNames)(objectClass=groupOfNames)))', array('dn')); $refs = ''; while ($attrs = $ldap->fetch()) { $ref_dn = $attrs['dn']; $refs .= "<br/>\t".$ref_dn; } if (!empty($refs)) { $entry['ldif'] .= '<br/><br/><i>'._('The following references will be updated').':</i>'.$refs; } } else { $this->move($dn, $d_dn); } } } unset($entry); return TRUE; } /* Search for groups outside the group ou */ function check_outsideGroups(&$checkobj) { global $config; $ldap = $config->get_ldap_link(); $group_ou = get_ou('groupRDN'); $ldap->cd($config->current['BASE']); /*********** * Get all groups ***********/ $res = $ldap->search('(objectClass=posixGroup)', array('dn')); if (!$res) { throw new CheckFailedException( _('LDAP query failed'), _('Possibly the "root object" is missing.') ); } $this->outsideGroups_toMigrate = array(); while ($attrs = $ldap->fetch()) { $group_db_base = preg_replace('/^[^,]+,'.preg_quote($group_ou, '/').'/i', '', $attrs['dn']); /* Check if entry is not an addressbook only user * and verify that he is in a valid department */
1191119211931194119511961197119811991200120112021203120412051206120712081209121012111212121312141215121612171218121912201221122212231224122512261227122812291230123112321233123412351236123712381239124012411242124312441245124612471248124912501251125212531254125512561257125812591260
if ( !preg_match('/'.preg_quote('dc=addressbook,', '/').'/', $group_db_base) && !in_array($group_db_base, $config->departments) ) { $attrs['checked'] = FALSE; $attrs['ldif'] = ''; $this->outsideGroups_toMigrate[base64_encode($attrs['dn'])] = $attrs; } } if (count($this->outsideGroups_toMigrate)) { throw new CheckFailedException( "<div style='color:#F0A500'>"._("Warning")."</div>", sprintf(_("Found %s groups outside the configured tree '%s'."), count($this->outsideGroups_toMigrate), $group_ou). '&nbsp;'.$checkobj->submit() ); } else { return ''; } } function check_outsideGroups_migrate(&$checkobj) { global $config; $this->check_multipleGeneric_migrate( $checkobj, array( 'title' => _('Move groups into configured groups tree'), 'outside' => TRUE, 'ous' => $config->departments, 'destination' => $_POST['destination'], ) ); } function check_outsideGroups_migrate_refresh(&$checkobj) { global $config; return $this->check_multipleGeneric_migrate_refresh( $checkobj, array( 'title' => _('Move groups into configured groups tree'), 'outside' => TRUE, 'ous' => $config->departments, 'destination' => $_POST['destination'], ) ); } function check_outsideGroups_migrate_confirm(&$checkobj, $only_ldif = FALSE) { return $this->check_outsideUsers_migrate_confirm($checkobj, $only_ldif, 'groupRDN'); } /* Check if there are invisible organizational Units */ function check_orgUnits(&$checkobj) { global $config; $ldap = $config->get_ldap_link(); $old = $this->orgUnits_toMigrate; $this->orgUnits_toMigrate = array(); /* Skip FusionDirectory internal departments */ $skip_dns = array( '/ou=fusiondirectory,'.preg_quote($config->current['BASE']).'$/', '/dc=addressbook,/', '/ou=systems,'.preg_quote($config->current['BASE']).'$/', '/ou=snapshots,/' ); foreach (objects::types() as $type) {
1261126212631264126512661267126812691270127112721273127412751276127712781279128012811282128312841285128612871288128912901291129212931294129512961297129812991300130113021303130413051306130713081309131013111312131313141315131613171318131913201321132213231324132513261327132813291330
$infos = objects::infos($type); if (isset($infos['ou']) && ($infos['ou'] != '')) { $skip_dns[] = '/^'.preg_quote($infos['ou'], '/').'/'; } } /* Get all invisible departments */ $ldap->cd($config->current['BASE']); $res = $ldap->search('(&(objectClass=organizationalUnit)(!(objectClass=gosaDepartment)))', array('ou','description','dn')); if (!$res) { throw new CheckFailedException( _('LDAP query failed'), _('Possibly the "root object" is missing.') ); } while ($attrs = $ldap->fetch()) { $attrs['checked'] = FALSE; $attrs['before'] = ''; $attrs['after'] = ''; /* Set objects to selected, that were selected before reload */ if (isset($old[base64_encode($attrs['dn'])])) { $attrs['checked'] = $old[base64_encode($attrs['dn'])]['checked']; } $this->orgUnits_toMigrate[base64_encode($attrs['dn'])] = $attrs; } /* Filter returned list of departments and ensure that * FusionDirectory internal departments will not be listed */ foreach ($this->orgUnits_toMigrate as $key => $attrs) { $dn = $attrs['dn']; $skip = FALSE; foreach ($skip_dns as $skip_dn) { if (preg_match($skip_dn, $dn)) { $skip = TRUE; break; } } if ($skip) { unset($this->orgUnits_toMigrate[$key]); } } /* If we have no invisible departments found * tell the user that everything is ok */ if (count($this->orgUnits_toMigrate) == 0) { return ''; } else { throw new CheckFailedException( '<font style="color:#FFA500">'._("Warning").'</font>', sprintf(_('Found %s department(s) that will not be visible in FusionDirectory.'), count($this->orgUnits_toMigrate)). '&nbsp;'.$checkobj->submit() ); /* TODO: maybe warnings should be an other kind of exception? */ } } function check_orgUnits_migrate(&$checkobj) { $this->check_multipleGeneric_migrate($checkobj, array('title' => _('Department migration'))); } function check_orgUnits_migrate_refresh(&$checkobj) { return $this->check_multipleGeneric_migrate_refresh($checkobj, array('title' => _('Department migration'))); }
1331133213331334133513361337133813391340134113421343134413451346134713481349135013511352135313541355135613571358135913601361136213631364136513661367136813691370137113721373137413751376137713781379138013811382138313841385138613871388138913901391139213931394139513961397139813991400
function check_orgUnits_migrate_confirm(&$checkobj, $only_ldif) { return $this->check_multipleGeneric_migrate_confirm( $checkobj, array('gosaDepartment'), array('description' => 'FusionDirectory department'), $only_ldif ); } /* Check if there are uidNumbers which are used more than once */ function check_uidNumber(&$checkobj) { global $config; $ldap = $config->get_ldap_link(); $ldap->cd($config->current['BASE']); $res = $ldap->search("(&(objectClass=posixAccount)(uidNumber=*))", array("dn","uidNumber")); if (!$res) { throw new CheckFailedException( _('LDAP query failed'), _('Possibly the "root object" is missing.') ); } $this->check_uidNumbers = array(); $tmp = array(); while ($attrs = $ldap->fetch()) { $tmp[$attrs['uidNumber'][0]][] = $attrs; } foreach ($tmp as $entries) { if (count($entries) > 1) { foreach ($entries as $entry) { $this->check_uidNumbers[$entry['dn']] = $entry; } } } if ($this->check_uidNumbers) { $list = '<ul>'; foreach ($this->check_uidNumbers as $dn => $entry) { $list .= '<li>'.$dn.' ('.$entry['uidNumber'][0].')</li>'; } $list .= '</ul>'; throw new CheckFailedException( "<div style='color:#F0A500'>"._("Warning")."</div>", sprintf(_('Found %s duplicate values for attribute "uidNumber":%s'), count($this->check_uidNumbers), $list) ); } else { return ''; } } /* Check if there are duplicated gidNumbers present in ldap */ function check_gidNumber(&$checkobj) { global $config; $ldap = $config->get_ldap_link(); $ldap->cd($config->current['BASE']); $res = $ldap->search("(&(objectClass=posixGroup)(gidNumber=*))", array("dn","gidNumber")); if (!$res) { throw new CheckFailedException( _('LDAP query failed'), _('Possibly the "root object" is missing.') ); } $this->check_gidNumbers = array();
140114021403140414051406140714081409141014111412141314141415141614171418141914201421142214231424142514261427142814291430
$tmp = array(); while ($attrs = $ldap->fetch()) { $tmp[$attrs['gidNumber'][0]][] = $attrs; } foreach ($tmp as $entries) { if (count($entries) > 1) { foreach ($entries as $entry) { $this->check_gidNumbers[$entry['dn']] = $entry; } } } if ($this->check_gidNumbers) { $list = '<ul>'; foreach ($this->check_gidNumbers as $dn => $entry) { $list .= '<li>'.$dn.' ('.$entry['gidNumber'][0].')</li>'; } $list .= '</ul>'; throw new CheckFailedException( "<div style='color:#F0A500'>"._("Warning")."</div>", sprintf(_('Found %s duplicate values for attribute "gidNumber":%s'), count($this->check_gidNumbers), $list) ); } else { return ''; } } } ?>