diff --git a/contrib/bin/fusiondirectory-setup b/contrib/bin/fusiondirectory-setup index e2344e36d0fdbeab843afc4c1c11c4dc4a9cca59..0a9fcb3487cd549e71e203a68ad8abfdce34aa8e 100644 --- a/contrib/bin/fusiondirectory-setup +++ b/contrib/bin/fusiondirectory-setup @@ -590,7 +590,7 @@ sub add_ldap_admin { foreach my $entry (@$people_entries) { my $mesg = $ldap->search( base => "$entry", - filter => "(&(objectClass=gosaAccount)(uid=$fd_admin_uid))", + filter => "(&(objectClass=inetOrgPerson)(uid=$fd_admin_uid))", attrs => ['uid'] ); $mesg->code && die $mesg->error; @@ -616,7 +616,7 @@ sub add_ldap_admin { 'sn' => 'Administrator', 'uid' => $fd_admin_uid, 'givenname' => 'System', - 'objectclass' => [ 'top', 'person', 'gosaAccount', 'organizationalPerson', 'inetOrgPerson' ], + 'objectclass' => [ 'top', 'person', 'organizationalPerson', 'inetOrgPerson' ], 'userPassword' => "{CRYPT}".unix_md5_crypt($fd_admin_pwd) ); if (not defined $obj{$attr}) { @@ -837,7 +837,7 @@ sub check_admin { my $member_node = $ldap->search( base => $dn, scope => 'base', - filter => "(objectClass=gosaAccount)" + filter => "(objectClass=inetOrgPerson)" ); if ($member_node->count == 1) { print ("$dn is a valid admin\n"); @@ -854,7 +854,7 @@ sub check_admin { # Find group members my $member_entry = $member_node->shift_entry; my $memberUids = $member_entry->get_value("memberUid", asref => 1); - my $filter = '(&(objectClass=gosaAccount)(|(uid='.join(')(uid=', @$memberUids).')))'; + my $filter = '(&(objectClass=inetOrgPerson)(|(uid='.join(')(uid=', @$memberUids).')))'; my $group_members = $ldap->search( base => $base, filter => $filter, 
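Review bot: The rewritten filter in add_ldap_admin still interpolates `$fd_admin_uid` straight into the LDAP filter string, so a uid containing filter metacharacters such as `(`, `)`, `*` or `\` yields a malformed or over-broad search rather than a lookup of that one uid. Net::LDAP ships an escaper for exactly this: `use Net::LDAP::Util qw(escape_filter_value);` at the top of the script and `filter => '(&(objectClass=inetOrgPerson)(uid=' . escape_filter_value($fd_admin_uid) . '))',` here. The same pattern is in check_admin at the `@@ -854` hunk, where memberUid values read back from the directory are joined into the filter unescaped. add_ldap_admin's body continues outside the hunk.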
@@ -1117,7 +1117,7 @@ sub migrate_users { print ("---------------------------------------------\n"); my $mesg = $ldap->search( - filter => "(|(!(objectClass~=gosaAccount))(!(objectClass~=organizationalPerson))(!(objectClass~=Person)))", + filter => "(|(!(objectClass~=inetOrgPerson))(!(objectClass~=organizationalPerson))(!(objectClass~=Person)))", base => "$peopleou,$base", scope => $scope ); @@ -1125,7 +1125,7 @@ sub migrate_users { my @entries = $mesg->entries; foreach my $entry (@entries) { - $mesg = $ldap->modify($entry->dn(), add => { "ObjectClass" => "gosaAccount"}); + $mesg = $ldap->modify($entry->dn(), add => { "ObjectClass" => "inetOrgPerson"}); $mesg = $ldap->modify($entry->dn(), add => { "ObjectClass" => "organizationalPerson"}); $mesg = $ldap->modify($entry->dn(), add => { "ObjectClass" => "Person"}); print $entry->dn(); diff --git a/contrib/docs/README.ldap-migration b/contrib/docs/README.ldap-migration index 95ee7eb5507de8a083c54f456ee560f24bfd643a..4e30fdc2c49a54020aa054ebc05735a5cdb7d17c 100644 --- a/contrib/docs/README.ldap-migration +++ b/contrib/docs/README.ldap-migration 
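Review bot: In migrate_users the three `$ldap->modify(...)` results are assigned to `$mesg` but never inspected, so a rejected objectClass change is silently skipped while the entry's DN is still printed as migrated. Unlike the auxiliary gosaAccount this line used to add, inetOrgPerson is a structural class, and directory servers generally refuse to change an existing entry's structural object class, so such rejections are now plausible for entries whose current structural class is not on the person chain. Add `$mesg->code && die $mesg->error;` after each modify, matching the check the search in add_ldap_admin already does, or at least report the failure per entry instead of printing the DN unconditionally. The same consideration applies to the class list passed to check_multipleGeneric_migrate_confirm in setup/class_setupStep_Migrate.inc at the `@@ -629` hunk. migrate_users continues outside the hunk.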
@@ -4,15 +4,7 @@ LDAP TREE MIGRATION To migrate an existing LDAP tree, you've to do all steps from above, plus some modifications: -- FusionDirectory only shows users that have the objectClass gosaAccount - This one has been introduced for several reasons. First, there are - cases you want to hide special accounts from regular admins (i.e. - a samba admin account which is used to log windows machines into - their domain, where changing a password by accident has bad consequences). - Secondly the gosaAccount keeps the lm/nt password hashes and the - attributes for the last password change - with the consequence that - adding a samba account "later" will not require the user to reset - the password. +- FusionDirectory only shows users that have the objectClass inetOrgPerson - FusionDirectory only recognizes subtrees (or departments in FusionDirectory's view of things) that have the objectClass gosaDepartment. You can hide subtrees diff --git a/contrib/openldap/core-fd.schema b/contrib/openldap/core-fd.schema index 80326c1368876e7eface70772680c98bbff8d2b6..6728903d040185f840a0f5a5070f9e212d8fbba6 100644 --- a/contrib/openldap/core-fd.schema +++ b/contrib/openldap/core-fd.schema @@ -78,6 +78,7 @@ attributetype ( 1.3.6.1.4.1.10098.1.1.12.39 NAME 'gosaSnapshotData' attributetype ( 1.3.6.1.4.1.10098.1.1.12.46 NAME 'gosaLoginRestriction' DESC 'Multivalue attribute to carry a number of allowed ips/subnets' + OBSOLETE SUP name) attributetype ( 1.3.6.1.4.1.10098.1.1.6.2 NAME 'academicTitle' @@ -120,6 +121,7 @@ objectclass ( 1.3.6.1.4.1.10098.1.2.1.19.4 NAME 'gosaDepartment' SUP top AUXILIA objectclass ( 1.3.6.1.4.1.10098.1.2.1.19.6 NAME 'gosaAccount' SUP top AUXILIARY DESC 'Class for GOsa Accounts (v2.6.6)' + OBSOLETE MUST ( ) MAY ( gosaLoginRestriction $ diff --git a/include/class_acl.inc b/include/class_acl.inc index 21c00d93fbc39551751d7c678475c697025268e0..b71fd3731f0d2149afaa8568a2a6c735f1589c00 100644 --- a/include/class_acl.inc +++ b/include/class_acl.inc 
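Review bot: Marking gosaAccount OBSOLETE here (and gosaLoginRestriction in the hunk above) while existing user entries still carry that objectClass and those attribute values leaves no step in this commit that strips them; the objectclasses list in plugins/personal/generic/class_user.inc only changes what new entries receive. Servers that enforce OBSOLETE during schema checking may then reject later modifications of those pre-existing entries, so a migration step that removes gosaAccount from objectClass and deletes gosaLoginRestriction should land before or together with this schema change. A comment above the flag, e.g. `# OBSOLETE since <version placeholder>: existing entries must be migrated to plain inetOrgPerson first`, would make that ordering explicit for packagers.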
@@ -198,7 +198,7 @@ class acl extends plugin /* Found entry... */ if ($ldap->count()) { $attrs = $ldap->fetch(); - if (in_array_ics('gosaAccount', $attrs['objectClass'])) { + if (in_array_ics('inetOrgPerson', $attrs['objectClass'])) { $a['U:'.$dn] = $attrs['cn'][0].' ['.$attrs['uid'][0].']'; } elseif (in_array_ics('organizationalRole', $attrs['objectClass'])) { $a['R:'.$dn] = $attrs['cn'][0]; diff --git a/include/class_plugin.inc b/include/class_plugin.inc index 4da8ca8dd0bd7bad39ef10a2d6574dfecf974463..0771fdf4463fb210b5701c993d5490b339d189f9 100644 --- a/include/class_plugin.inc +++ b/include/class_plugin.inc @@ -1204,7 +1204,7 @@ class plugin maybe we have to update ACL references. * TODO : replace this with a call to handleForeignKeys on sub objects */ - $leaf_objs = get_list("(|(objectClass=posixGroup)(objectClass=gosaAccount)(objectClass=gosaRole))", array("all"), $dst_dn, + $leaf_objs = get_list("(|(objectClass=posixGroup)(objectClass=inetOrgPerson)(objectClass=gosaRole))", array("all"), $dst_dn, array("dn","objectClass"), GL_SUBSEARCH | GL_NO_ACL_CHECK); foreach ($leaf_objs as $obj) { $new_dn = $obj['dn']; diff --git a/include/class_userinfo.inc b/include/class_userinfo.inc index b35d80a7e3ebc23cc823ac3a4760b9626d6237de..0572936de14e3a5d0bb4c85a4c5c5bd5993a212b 100644 --- a/include/class_userinfo.inc +++ b/include/class_userinfo.inc @@ -37,7 +37,6 @@ class userinfo var $username; var $cn; var $uid; - var $restrictions = array(); var $gidNumber = -1; var $language = ""; var $config; @@ -57,7 +56,7 @@ class userinfo { $this->config = &$config; $ldap = $this->config->get_ldap_link(); - $ldap->cat($userdn, array('sn', 'givenName', 'uid', 'gidNumber', 'preferredLanguage', 'gosaLoginRestriction')); + $ldap->cat($userdn, array('sn', 'givenName', 'uid', 'gidNumber', 'preferredLanguage')); $attrs = $ldap->fetch(); if (isset($attrs['givenName'][0]) && isset($attrs['sn'][0])) { 
@@ -69,12 +68,6 @@ class userinfo $this->gidNumber = $attrs['gidNumber'][0]; } - /* Restrictions? */ - if (isset($attrs['gosaLoginRestriction'])) { - $this->restrictions = $attrs['gosaLoginRestriction']; - unset($this->restrictions['count']); - } - /* Assign user language */ if (isset($attrs['preferredLanguage'][0])) { $this->language = $attrs['preferredLanguage'][0]; @@ -817,52 +810,6 @@ class userinfo return $this->ignoreACL; } - /*! - * \brief Test if the login is allowed - */ - function loginAllowed() - { - // Need to check restrictions? - if (count($this->restrictions)) { - - // We have restrictions but cannot check them - if (!isset($_SERVER['REMOTE_ADDR'])) { - return FALSE; - } - - // Move to binary... - $source = $_SERVER['REMOTE_ADDR']; - foreach ($this->restrictions as $restriction) { - - // Single IP - if (preg_match('/^[0-9]+\.[0-9]+\.[0-9]+\.[0-9]+$/', $restriction)) { - if ($source == $restriction) { - return TRUE; - } - } - - // Match with short netmask - if (preg_match('/^([0-9]+\.[0-9]+\.[0-9]+\.[0-9]+)\/([0-9]+)$/', $restriction, $matches)) { - if (isIpInNet($source, $matches[1], long2ip(~(pow(2, (32 - $matches[2])) - 1)))) { - return TRUE; - } - } - - // Match with long netmask - if (preg_match('/^([0-9]+\.[0-9]+\.[0-9]+\.[0-9]+)\/([0-9]+\.[0-9]+\.[0-9]+\.[0-9]+)$/', $restriction, $matches)) { - if (isIpInNet($source, $matches[1], $matches[2])) { - return TRUE; - } - } - - } - - return FALSE; - } - - return TRUE; - } - /*! * \brief Checks the posixAccount status by comparing the shadow attributes. * diff --git a/include/functions.inc b/include/functions.inc index b2e782000d0129cdbebc05d4e80d592e64d7707d..4b1bd2092997c77ebd3e272784e039b035fc28d0 100644 --- a/include/functions.inc +++ b/include/functions.inc 
@@ -533,7 +533,7 @@ function process_htaccess ($username, $kerberos = FALSE) FATAL_ERROR_DIALOG); exit(); } - $ldap->search("(&(objectClass=gosaAccount)(|(uid=$username)(userPassword={$mode}$username)))", array("uid")); + $ldap->search("(&(objectClass=inetOrgPerson)(|(uid=$username)(userPassword={$mode}$username)))", array("uid")); /* Found a uniq match? Return it... */ if ($ldap->count() == 1) { @@ -569,7 +569,7 @@ function ldap_login_user_htaccess ($username) FATAL_ERROR_DIALOG); exit(); } - $ldap->search("(&(objectClass=gosaAccount)(uid=$username))", array("uid")); + $ldap->search("(&(objectClass=inetOrgPerson)(uid=$username))", array("uid")); /* Found no uniq match? Strange, because we did above... */ if ($ldap->count() != 1) { msg_dialog::display(_("LDAP error"), _("Login (uid) is not unique inside the LDAP tree!"), FATAL_ERROR_DIALOG); @@ -581,12 +581,6 @@ function ldap_login_user_htaccess ($username) $ui = new userinfo($config, $ldap->getDN()); $ui->username = $attrs['uid'][0]; - /* Bail out if we have login restrictions set, for security reasons - the message is the same than failed user/pw */ - if (!$ui->loginAllowed()) { - return NULL; - } - /* No password check needed - the webserver did it for us */ $ldap->disconnect(); @@ -643,7 +637,7 @@ function ldap_login_user ($username, $password) foreach ($verify_attr as $attr) { $filter .= "(".$attr."=".$username.")"; } - $filter = "(&(|".$filter.")(objectClass=gosaAccount))"; + $filter = "(&(|".$filter.")(objectClass=inetOrgPerson))"; $ldap->search($filter, $tmp); /* get results, only a count of 1 is valid */ 
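Review bot: The login filter in process_htaccess now treats every inetOrgPerson under the search base as a FusionDirectory login candidate, whereas gosaAccount was an opt-in marker (the README text removed in this commit describes it as the way to keep special accounts out of FD). Together with the removal of `loginAllowed()` in the `@@ -581` and `@@ -678` hunks, the only remaining per-account condition for an FD login is that the entry has a usable password, so operators sharing a directory with other applications should be told about the widened set in the changelog or README, or offered an opt-out filter in the configuration. The same filter change appears in ldap_login_user_htaccess (`@@ -569`) and ldap_login_user (`@@ -643`). The changed line also interpolates `$username` unescaped into the filter; unless it is escaped earlier in the function, it should pass through an LDAP filter escape before concatenation. process_htaccess continues outside the hunk.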
@@ -678,12 +672,6 @@ function ldap_login_user ($username, $password) $ui = new userinfo($config, $ldap->getDN()); $ui->username = $attrs['uid'][0]; - /* Bail out if we have login restrictions set, for security reasons - the message is the same than failed user/pw */ - if (!$ui->loginAllowed()) { - return NULL; - } - /* password check, bind as user with supplied password */ $ldap->disconnect(); $ldap = new ldapMultiplexer(new LDAP($ui->dn, $password, $config->current['SERVER'], @@ -2700,13 +2688,6 @@ function check_schema($cfg) $checks['gosaObject']['CLASSES_REQUIRED'] = array('gosaObject'); $checks['gosaObject']['IS_MUST_HAVE'] = TRUE; - /* FusionDirectory Account class */ - $checks['gosaAccount']['REQUIRED_VERSION'] = '2.6.6'; - $checks['gosaAccount']['SCHEMA_FILES'] = array('core-fd.schema'); - $checks['gosaAccount']['CLASSES_REQUIRED'] = array('gosaAccount'); - $checks['gosaAccount']['IS_MUST_HAVE'] = TRUE; - $checks['gosaAccount']['INFO'] = _('Used to store account specific informations.'); - /* FusionDirectory lock entry, used to mark currently edited objects as 'in use' */ $checks['gosaLockEntry']['REQUIRED_VERSION'] = '2.6.1'; $checks['gosaLockEntry']['SCHEMA_FILES'] = array('core-fd.schema'); 
@@ -2715,22 +2696,11 @@ function check_schema($cfg) $checks['gosaLockEntry']['INFO'] = _('Used to lock currently edited entries to avoid multiple changes at the same time.'); /* Some other checks */ - foreach (array( - "gosaCacheEntry" => array("version" => "2.6.1", "class" => "gosaAccount"), - "gosaDepartment" => array("version" => "2.6.1", "class" => "gosaAccount"), - "gosaUserTemplate" => array("version" => "2.6.1", "class" => "posixAccount","file" => "nis.schema"), - ) as $name => $values) { - $checks[$name] = $def_check; - if (isset($values['version'])) { - $checks[$name]["REQUIRED_VERSION"] = $values['version']; - } - if (isset($values['file'])) { - $checks[$name]["SCHEMA_FILES"] = array($values['file']); - } - if (isset($values['class'])) { - $checks[$name]["CLASSES_REQUIRED"] = is_array($values['class'])?$values['class']:array($values['class']); - } - } + $checks['gosaUserTemplate']['REQUIRED_VERSION'] = '2.6.1'; + $checks['gosaUserTemplate']['SCHEMA_FILES'] = array('nis.schema'); + $checks['gosaUserTemplate']['CLASSES_REQUIRED'] = array('posixAccount'); + $checks['gosaUserTemplate']['IS_MUST_HAVE'] = FALSE; + foreach ($checks as $name => $value) { foreach ($value['CLASSES_REQUIRED'] as $class) { if (!isset($objectclasses[$name])) { diff --git a/include/password-methods/class_password-methods.inc b/include/password-methods/class_password-methods.inc index 84a78f45171ef81dd96727d26cc9c87a4e61e8fc..80e34dad3ffb8a9ab780ee604be2169d48d959c1 100644 --- a/include/password-methods/class_password-methods.inc +++ b/include/password-methods/class_password-methods.inc 
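Review bot: The flat gosaUserTemplate assignments that replace the `foreach` in check_schema drop the gosaCacheEntry and gosaDepartment entries that loop used to register, so, as far as the name-keyed loop below shows, the presence of gosaDepartment in the schema is no longer verified even though the class is still relied upon (the README hunk in this commit keeps it as required for departments). If the removal is intentional, say so in the `/* Some other checks */` comment; otherwise restore the entries in the same flat style, with `IS_MUST_HAVE` set to whatever `$def_check` carried, since that default is outside the hunk. check_schema continues outside the hunk.
```php
    /* Some other checks */
    $checks['gosaUserTemplate']['REQUIRED_VERSION'] = '2.6.1';
    // … unchanged: remaining gosaUserTemplate fields …
    $checks['gosaDepartment']['REQUIRED_VERSION']  = '2.6.1';
    $checks['gosaDepartment']['SCHEMA_FILES']      = array('core-fd.schema');
    $checks['gosaDepartment']['CLASSES_REQUIRED']  = array('gosaDepartment');
    $checks['gosaDepartment']['IS_MUST_HAVE']      = TRUE; // confirm against $def_check
```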
@@ -108,8 +108,8 @@ class passwordMethod return preg_match("/^[^\}]*+\}!/", $pwd); } - /*! \brief Locks an account (gosaAccount) by added a '!' as prefix to the password hashes. - * This makes logins impossible, due to the fact that the hash becomes invalid. + /*! \brief Locks an account by adding a '!' as prefix to the password hashes. + * This makes login impossible, due to the fact that the hash becomes invalid. * userPassword: {SHA}!q02NKl9IChNwZEAJxzRdmB6E * sambaLMPassword: !EBD223B61F8C259AD3B435B51404EE * sambaNTPassword: !98BB35737013AAF181D0FE9FDA09E @@ -124,7 +124,7 @@ class passwordMethod } /*! - * \brief Unlocks an account (gosaAccount) which was locked by 'lock_account()'. + * \brief Unlocks an account which was locked by 'lock_account()'. * For details about the locking mechanism see 'lock_account()'. */ function unlock_account($config, $dn = "") @@ -133,7 +133,7 @@ class passwordMethod } /*! - * \brief Unlocks an account (gosaAccount) which was locked by 'lock_account()'. + * \brief Unlocks an account which was locked by 'lock_account()'. * For details about the locking mechanism see 'lock_account()'. */ private function generic_modify_account($config, $dn, $mode) diff --git a/plugins/addons/dashboard/class_dashBoardUsers.inc b/plugins/addons/dashboard/class_dashBoardUsers.inc index ec4a74545f243836bc7046ce58c74a4b612d435f..9bfb22314f883684dd8cb4b5df1cd2df7ab5f4b7 100644 --- a/plugins/addons/dashboard/class_dashBoardUsers.inc +++ b/plugins/addons/dashboard/class_dashBoardUsers.inc @@ -69,7 +69,7 @@ class dashboardUsers extends simplePlugin /* User statistics */ $ldap = $this->config->get_ldap_link(); $ldap->cd($this->config->current['BASE']); - $ldap->search("(&(!(objectClass=gosaUserTemplate))(objectClass=gosaAccount))", array("userPassword")); + $ldap->search("(&(!(objectClass=gosaUserTemplate))(objectClass=inetOrgPerson))", array("userPassword")); $nb_accounts = $ldap->count(); $nb_locked_accounts = 0; while ($attrs = $ldap->fetch()) { 
@@ -79,11 +79,11 @@ class dashboardUsers extends simplePlugin } } } - $ldap->search("(&(!(objectClass=gosaUserTemplate))(objectClass=gosaAccount)(objectClass=gosaMailAccount))", array("cn")); + $ldap->search("(&(!(objectClass=gosaUserTemplate))(objectClass=inetOrgPerson)(objectClass=gosaMailAccount))", array("cn")); $nb_mail_accounts = $ldap->count(); - $ldap->search("(&(!(objectClass=gosaUserTemplate))(objectClass=gosaAccount)(objectClass=posixAccount))", array("cn")); + $ldap->search("(&(!(objectClass=gosaUserTemplate))(objectClass=inetOrgPerson)(objectClass=posixAccount))", array("cn")); $nb_posix_accounts = $ldap->count(); - $ldap->search("(&(!(objectClass=gosaUserTemplate))(objectClass=gosaAccount)(objectClass=sambaSamAccount))", array("cn")); + $ldap->search("(&(!(objectClass=gosaUserTemplate))(objectClass=inetOrgPerson)(objectClass=sambaSamAccount))", array("cn")); $nb_samba_accounts = $ldap->count(); return array( diff --git a/plugins/admin/users/user-filter.xml b/plugins/admin/users/user-filter.xml index f38e2890e53d352039cba39e4227513d087df5d4..bda17f0ffb254c1a4d921cf0cdd5701711c021a9 100644 --- a/plugins/admin/users/user-filter.xml +++ b/plugins/admin/users/user-filter.xml @@ -10,7 +10,7 @@ <search> <query> <backend>LDAP</backend> - <filter>(&$NAME(|(&(objectClass=gosaAccount)(|$FUNCTIONAL$SAMBA$POSIX$MAIL))$TEMPLATES))</filter> + <filter>(&$NAME(|(&(objectClass=inetOrgPerson)(|$FUNCTIONAL$SAMBA$POSIX$MAIL))$TEMPLATES))</filter> <attribute>dn</attribute> <attribute>objectClass</attribute> <attribute>givenName</attribute> @@ -34,7 +34,7 @@ <alphabet>true</alphabet> <autocomplete> <backend>LDAP</backend> - <filter>(&(objectClass=gosaAccount)(|(cn=*$NAME*)(sn=*$NAME*)(givenName=*$NAME*)(uid=*$NAME*)))</filter> + <filter>(&(objectClass=inetOrgPerson)(|(cn=*$NAME*)(sn=*$NAME*)(givenName=*$NAME*)(uid=*$NAME*)))</filter> <attribute>cn</attribute> <attribute>uid</attribute> <frequency>0.5</frequency> 
diff --git a/plugins/personal/generic/class_user.inc b/plugins/personal/generic/class_user.inc index feadb0d3cb4db91dd067719bbe85567579d07d69..c6fad35e4da7ac425e63dd9c1725e165c211ff04 100644 --- a/plugins/personal/generic/class_user.inc +++ b/plugins/personal/generic/class_user.inc @@ -199,7 +199,7 @@ class UserPasswordAttribute extends CompositeAttribute class user extends simplePlugin { - var $objectclasses = array('inetOrgPerson','gosaAccount'); + var $objectclasses = array('inetOrgPerson'); var $mainTab = TRUE; private $was_locked; @@ -277,12 +277,6 @@ class user extends simplePlugin new UserPasswordAttribute( _('Password'), _('Password of the user'), 'userPassword', FALSE - ), - new SetAttribute( - new IpAttribute( - _('Restrict FD login to'), _('The user will only be able to connect to FusionDirectory from these hosts or networks'), - 'gosaLoginRestriction', FALSE - ) ) ) ), diff --git a/setup/class_setupStep_Migrate.inc b/setup/class_setupStep_Migrate.inc index 9d5bf00792d2f8735cf94237687de3b84c2d4150..a1da9131aa6df643a34ba72d8d74e6e0d0428c2e 100644 --- a/setup/class_setupStep_Migrate.inc +++ b/setup/class_setupStep_Migrate.inc @@ -580,7 +580,7 @@ class Step_Migrate extends setupStep /* Get all invisible users */ $ldap->cd($config->current['BASE']); - $res = $ldap->search("(&(|(objectClass=posixAccount)(&(objectClass=inetOrgPerson)(objectClass=organizationalPerson))(objectClass=OpenLDAPperson))(!(objectClass=gosaAccount))(!(&(objectClass=Account)(objectClass=sambaSamAccount)))(uid=*))", array("sn","givenName","cn","uid")); + $res = $ldap->search("(&(|(objectClass=posixAccount)(objectClass=organizationalPerson)(objectClass=OpenLDAPperson))(!(objectClass=inetOrgPerson))(!(&(objectClass=Account)(objectClass=sambaSamAccount)))(uid=*))", array("sn","givenName","cn","uid")); while ($attrs = $ldap->fetch()) { if (!preg_match("/,dc=addressbook,/", $attrs['dn'])) { 
@@ -629,7 +629,7 @@ class Step_Migrate extends setupStep { return $this->check_multipleGeneric_migrate_confirm( $checkobj, - array('gosaAccount','inetOrgPerson','organizationalPerson','person'), + array('inetOrgPerson','organizationalPerson','person'), array(), $only_ldif ); @@ -747,8 +747,7 @@ class Step_Migrate extends setupStep /* Collect a list of available FusionDirectory users and groups */ $users = array(); - $ldap->search("(&(objectClass=gosaAccount)(objectClass=person)". - "(objectClass=inetOrgPerson)(objectClass=organizationalPerson))", array("uid","dn")); + $ldap->search('(objectClass=inetOrgPerson)', array('uid','dn')); while ($user_attrs = $ldap->fetch()) { $users[$user_attrs['dn']] = $user_attrs['uid'][0]; $rusers[$user_attrs['uid'][0]] = $user_attrs['dn']; @@ -1088,7 +1087,7 @@ class Step_Migrate extends setupStep /*********** * Search for all users ***********/ - $res = $ldap->search('(&(objectClass=gosaAccount)(!(uid=*$)))', array('dn')); + $res = $ldap->search('(&(objectClass=inetOrgPerson)(!(uid=*$)))', array('dn')); if (!$res) { throw new CheckFailedException( _('LDAP query failed'),