|
|
|
|
<?php
|
|
|
|
|
|
|
|
|
|
/* For licensing terms, see /license.txt */
|
|
|
|
|
|
|
|
|
|
/*
|
|
|
|
|
User account synchronisation from LDAP
|
|
|
|
|
|
|
|
|
|
This script
|
|
|
|
|
creates new user accounts found in the LDAP directory
|
|
|
|
|
disables user accounts not found in the LDAP directory
|
|
|
|
|
updates existing user accounts found in the LDAP directory, re-enabling them if disabled
|
|
|
|
|
anonymizes user accounts disabled for more than 3 years
|
|
|
|
|
|
|
|
|
|
This script can be run unattended.
|
|
|
|
|
|
|
|
|
|
It does not read any parameter from the command line, but uses the global configuration arrays
|
|
|
|
|
$extldap_config
|
|
|
|
|
and
|
|
|
|
|
$extldap_user_correspondance
|
|
|
|
|
defined in app/config/auth.conf.php.
|
|
|
|
|
|
|
|
|
|
username field is used to identify and match LDAP and Chamilo accounts together.
|
|
|
|
|
($extldap_user_correspondance['username'])
|
|
|
|
|
*/
|
|
|
|
|
exit;
|
|
|
|
|
// Change this to the absolute path to chamilo root folder if you move the script out of tests/scripts
|
|
|
|
|
$chamiloRoot = __DIR__.'/../..';
|
|
|
|
|
|
|
|
|
|
// Set to true in order to get a trace of changes made by this script
|
|
|
|
|
$debug = false;
|
|
|
|
|
|
|
|
|
|
use Chamilo\CoreBundle\Entity\ExtraFieldValues;
|
|
|
|
|
use Chamilo\CoreBundle\Entity\ExtraField;
|
|
|
|
|
use Chamilo\CoreBundle\Entity\TrackEDefault;
|
|
|
|
|
use Chamilo\UserBundle\Entity\User;
|
|
|
|
|
use Doctrine\DBAL\FetchMode;
|
|
|
|
|
use Doctrine\ORM\OptimisticLockException;
|
|
|
|
|
|
|
|
|
|
if (php_sapi_name() !== 'cli') {
|
|
|
|
|
die("this script is supposed to be run from the command-line\n");
|
|
|
|
|
}
|
|
|
|
|
|
|
|
|
|
require $chamiloRoot.'/cli-config.php';
|
|
|
|
|
require_once $chamiloRoot.'/app/config/auth.conf.php';
|
|
|
|
|
require_once $chamiloRoot.'/main/inc/lib/api.lib.php';
|
|
|
|
|
require_once $chamiloRoot.'/main/inc/lib/database.constants.inc.php';
|
|
|
|
|
|
|
|
|
|
ini_set('memory_limit', -1);
|
|
|
|
|
|
|
|
|
|
// Retreive information from $extldap_user_correspondance and extra fields
|
|
|
|
|
// into $tableFields, $extraFields, $allFields and $ldapAttributes
|
|
|
|
|
|
|
|
|
|
$tableFields = [];
|
|
|
|
|
$extraFields = [];
|
|
|
|
|
$ldapAttributes = [];
|
|
|
|
|
$tableFieldMap = $extldap_user_correspondance;
|
|
|
|
|
$extraFieldMap = [];
|
|
|
|
|
const EXTRA_ARRAY_KEY = 'extra';
|
|
|
|
|
if (array_key_exists(EXTRA_ARRAY_KEY, $tableFieldMap) and is_array($tableFieldMap[EXTRA_ARRAY_KEY])) {
|
|
|
|
|
$extraFieldMap = $tableFieldMap[EXTRA_ARRAY_KEY];
|
|
|
|
|
unset($tableFieldMap[EXTRA_ARRAY_KEY]);
|
|
|
|
|
}
|
|
|
|
|
$extraFieldRepository = Database::getManager()->getRepository('ChamiloCoreBundle:ExtraField');
|
|
|
|
|
$extraFieldValueRepository = Database::getManager()->getRepository('ChamiloCoreBundle:ExtraFieldValues');
|
|
|
|
|
foreach ([false => $tableFieldMap, true => $extraFieldMap] as $areExtra => $fields) {
|
|
|
|
|
foreach ($fields as $name => $value) {
|
|
|
|
|
$userField = (object)[
|
|
|
|
|
'name' => $name,
|
|
|
|
|
'constant' => '!' === $value[0] ? substr($value, 1) : null,
|
|
|
|
|
'function' => 'func' === $value,
|
|
|
|
|
'ldapAttribute' => ('!' !== $value[0] and 'func' !== $value) ? $value : null,
|
|
|
|
|
];
|
|
|
|
|
if (!$userField->constant and !$userField->function) {
|
|
|
|
|
$ldapAttributes[] = $value;
|
|
|
|
|
}
|
|
|
|
|
if ($areExtra) {
|
|
|
|
|
$userField->extraField = $extraFieldRepository->findOneBy(
|
|
|
|
|
[
|
|
|
|
|
'extraFieldType' => ExtraField::USER_FIELD_TYPE,
|
|
|
|
|
'variable' => $name,
|
|
|
|
|
]
|
|
|
|
|
) or die("Cannot find user extra field '$name'\n");
|
|
|
|
|
foreach ($extraFieldValueRepository->findBy(['field' => $userField->extraField]) as $extraFieldValue) {
|
|
|
|
|
$userField->extraFieldValues[$extraFieldValue->getItemId()] = $extraFieldValue;
|
|
|
|
|
}
|
|
|
|
|
$extraFields[] = $userField;
|
|
|
|
|
} else {
|
|
|
|
|
try {
|
|
|
|
|
$userField->getter = new ReflectionMethod(
|
|
|
|
|
'\Chamilo\UserBundle\Entity\User',
|
|
|
|
|
'get' . str_replace('_', '', ucfirst($name))
|
|
|
|
|
);
|
|
|
|
|
$userField->setter = new ReflectionMethod(
|
|
|
|
|
'\Chamilo\UserBundle\Entity\User',
|
|
|
|
|
'set' . str_replace('_', '', ucfirst($name))
|
|
|
|
|
);
|
|
|
|
|
} catch (ReflectionException $exception) {
|
|
|
|
|
die($exception->getMessage() . "\n");
|
|
|
|
|
}
|
|
|
|
|
$tableFields[] = $userField;
|
|
|
|
|
}
|
|
|
|
|
}
|
|
|
|
|
}
|
|
|
|
|
|
|
|
|
|
$allFields = array_merge($tableFields, $extraFields);
|
|
|
|
|
|
|
|
|
|
// Retrieve source information from LDAP
|
|
|
|
|
|
|
|
|
|
$ldap = false;
|
|
|
|
|
foreach ($extldap_config['host'] as $ldapHost) {
|
|
|
|
|
$ldap = array_key_exists('port', $extldap_config)
|
|
|
|
|
? ldap_connect($ldapHost, $extldap_config['port'])
|
|
|
|
|
: ldap_connect($ldapHost);
|
|
|
|
|
if (false !== $ldap) {
|
|
|
|
|
break;
|
|
|
|
|
}
|
|
|
|
|
}
|
|
|
|
|
if (false === $ldap) {
|
|
|
|
|
die("ldap_connect() failed\n");
|
|
|
|
|
}
|
|
|
|
|
if ($debug) {
|
|
|
|
|
echo "Connected to LDAP server $ldapHost.\n";
|
|
|
|
|
}
|
|
|
|
|
|
|
|
|
|
ldap_set_option(
|
|
|
|
|
$ldap,
|
|
|
|
|
LDAP_OPT_PROTOCOL_VERSION,
|
|
|
|
|
array_key_exists('protocol_version', $extldap_config) ? $extldap_config['protocol_version'] : 2
|
|
|
|
|
);
|
|
|
|
|
|
|
|
|
|
ldap_set_option(
|
|
|
|
|
$ldap,
|
|
|
|
|
LDAP_OPT_REFERRALS,
|
|
|
|
|
array_key_exists('referrals', $extldap_config) ? $extldap_config['referrals'] : false
|
|
|
|
|
);
|
|
|
|
|
|
|
|
|
|
ldap_bind($ldap, $extldap_config['admin_dn'], $extldap_config['admin_password'])
|
|
|
|
|
or die('ldap_bind() failed: ' . ldap_error($ldap) . "\n");
|
|
|
|
|
if ($debug) {
|
|
|
|
|
echo "Bound to LDAP server as ${extldap_config['admin_dn']}.\n";
|
|
|
|
|
}
|
|
|
|
|
|
|
|
|
|
$baseDn = $extldap_config['base_dn']
|
|
|
|
|
or die("cannot read the LDAP directory base DN where to search for user entries\n");
|
|
|
|
|
|
|
|
|
|
$ldapUsernameAttribute = $extldap_user_correspondance['username']
|
|
|
|
|
or die("cannot read the name of the LDAP attribute where to find the username\n");
|
|
|
|
|
|
|
|
|
|
$filter = "$ldapUsernameAttribute=*";
|
|
|
|
|
|
|
|
|
|
if (array_key_exists('filter', $extldap_config)) {
|
|
|
|
|
$filter = '(&('.$filter.')('.$extldap_config['filter'].'))';
|
|
|
|
|
}
|
|
|
|
|
|
|
|
|
|
$searchResult = ldap_search($ldap, $baseDn, $filter, $ldapAttributes)
|
|
|
|
|
or die("ldap_search(\$ldap, '$baseDn', '$filter', [".join(',', $ldapAttributes).']) failed: '.ldap_error($ldap)."\n");
|
|
|
|
|
|
|
|
|
|
if ($debug) {
|
|
|
|
|
echo ldap_count_entries($ldap, $searchResult) . " LDAP entries found\n";
|
|
|
|
|
}
|
|
|
|
|
|
|
|
|
|
$ldapUsers = [];
|
|
|
|
|
$entry = ldap_first_entry($ldap, $searchResult);
|
|
|
|
|
while (false !== $entry) {
|
|
|
|
|
$attributes = ldap_get_attributes($ldap, $entry);
|
|
|
|
|
$ldapUser = [];
|
|
|
|
|
foreach ($allFields as $userField) {
|
|
|
|
|
if (!is_null($userField->constant)) {
|
|
|
|
|
$value = $userField->constant;
|
|
|
|
|
} elseif ($userField->function) {
|
|
|
|
|
switch ($userField->name) {
|
|
|
|
|
case 'status':
|
|
|
|
|
$value = STUDENT;
|
|
|
|
|
break;
|
|
|
|
|
case 'admin':
|
|
|
|
|
$value = false;
|
|
|
|
|
break;
|
|
|
|
|
default:
|
|
|
|
|
die("'func' not implemented for $userField->name\n");
|
|
|
|
|
}
|
|
|
|
|
} else {
|
|
|
|
|
if (array_key_exists($userField->ldapAttribute, $attributes)) {
|
|
|
|
|
$values = ldap_get_values($ldap, $entry, $userField->ldapAttribute)
|
|
|
|
|
or die(
|
|
|
|
|
'could not read value of attribute ' . $userField->ldapAttribute
|
|
|
|
|
. ' of entry ' . ldap_get_dn($ldap, $entry)
|
|
|
|
|
. "\n"
|
|
|
|
|
);
|
|
|
|
|
(1 === $values['count'])
|
|
|
|
|
or die(
|
|
|
|
|
$values['count'] . ' values found (expected only one)'
|
|
|
|
|
. ' in attribute ' . $userField->ldapAttribute
|
|
|
|
|
. ' of entry ' . ldap_get_dn($ldap, $entry)
|
|
|
|
|
. "\n"
|
|
|
|
|
);
|
|
|
|
|
$value = $values[0];
|
|
|
|
|
} else {
|
|
|
|
|
$value = '';
|
|
|
|
|
}
|
|
|
|
|
}
|
|
|
|
|
$ldapUser[$userField->name] = $value;
|
|
|
|
|
}
|
|
|
|
|
$username = strtolower($ldapUser['username']);
|
|
|
|
|
array_key_exists($username, $ldapUsers) and die("duplicate username '$username' found in LDAP\n");
|
|
|
|
|
$ldapUsers[$username] = $ldapUser;
|
|
|
|
|
$entry = ldap_next_entry($ldap, $entry);
|
|
|
|
|
}
|
|
|
|
|
|
|
|
|
|
ldap_close($ldap);
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
// read all users from the internal database
|
|
|
|
|
|
|
|
|
|
$userRepository = Database::getManager()->getRepository('ChamiloUserBundle:User');
|
|
|
|
|
$dbUsers = [];
|
|
|
|
|
foreach ($userRepository->findAll() as $user) {
|
|
|
|
|
if ($user->getId() > 1) {
|
|
|
|
|
$username = strtolower($user->getUsername());
|
|
|
|
|
array_key_exists($username, $dbUsers) and die("duplicate username $username found in the database\n");
|
|
|
|
|
$dbUsers[$username] = $user;
|
|
|
|
|
}
|
|
|
|
|
}
|
|
|
|
|
if ($debug) {
|
|
|
|
|
echo count($dbUsers) . " users with id > 1 found in internal database\n";
|
|
|
|
|
}
|
|
|
|
|
|
|
|
|
|
// disable user accounts not found in the LDAP directory
|
|
|
|
|
|
|
|
|
|
$now = new DateTime();
|
|
|
|
|
foreach (array_diff(array_keys($dbUsers), array_keys($ldapUsers)) as $usernameToDisable) {
|
|
|
|
|
$user = $dbUsers[$usernameToDisable];
|
|
|
|
|
if ($user->isActive()) {
|
|
|
|
|
// In order to avoid slow individual SQL updates, we do not call
|
|
|
|
|
// UserManager::disable($user->getId());
|
|
|
|
|
$user->setActive(false);
|
|
|
|
|
UserManager::getManager()->save($user, false);
|
|
|
|
|
// In order to avoid slow individual SQL updates, we do not call
|
|
|
|
|
// Event::addEvent(LOG_USER_DISABLE, LOG_USER_ID, $user->getId());
|
|
|
|
|
$trackEDefault = new TrackEDefault();
|
|
|
|
|
$trackEDefault->setDefaultUserId(1);
|
|
|
|
|
$trackEDefault->setDefaultDate($now);
|
|
|
|
|
$trackEDefault->setDefaultEventType(LOG_USER_DISABLE);
|
|
|
|
|
$trackEDefault->setDefaultValueType(LOG_USER_ID);
|
|
|
|
|
$trackEDefault->setDefaultValue($user->getId());
|
|
|
|
|
Database::getManager()->persist($trackEDefault);
|
|
|
|
|
if ($debug) {
|
|
|
|
|
echo 'Disabled ' . $user->getUsername() . "\n";
|
|
|
|
|
}
|
|
|
|
|
}
|
|
|
|
|
}
|
|
|
|
|
try {
|
|
|
|
|
// Saving everything together
|
|
|
|
|
Database::getManager()->flush();
|
|
|
|
|
} catch (OptimisticLockException $exception) {
|
|
|
|
|
die($exception->getMessage()."\n");
|
|
|
|
|
}
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
// create new user accounts found in the LDAP directory and update the existing ones, re-enabling them if disabled
|
|
|
|
|
|
|
|
|
|
foreach ($ldapUsers as $username => $ldapUser) {
|
|
|
|
|
if (array_key_exists($username, $dbUsers)) {
|
|
|
|
|
$user = $dbUsers[$username];
|
|
|
|
|
} else {
|
|
|
|
|
$user = new User();
|
|
|
|
|
$dbUsers[$username] = $user;
|
|
|
|
|
if ($debug) {
|
|
|
|
|
echo 'Created ' . $username . "\n";
|
|
|
|
|
}
|
|
|
|
|
}
|
|
|
|
|
foreach ($tableFields as $userField) {
|
|
|
|
|
$value = $ldapUser[$userField->name];
|
|
|
|
|
if ($userField->getter->invoke($user) !== $value) {
|
|
|
|
|
$userField->setter->invoke($user, $value);
|
|
|
|
|
if ($debug) {
|
|
|
|
|
echo 'Updated ' . $username . ' field '.$userField->name."\n";
|
|
|
|
|
}
|
|
|
|
|
}
|
|
|
|
|
}
|
|
|
|
|
if (!$user->isActive()) {
|
|
|
|
|
$user->setActive(true);
|
|
|
|
|
}
|
|
|
|
|
UserManager::getManager()->save($user, false);
|
|
|
|
|
}
|
|
|
|
|
try {
|
|
|
|
|
Database::getManager()->flush();
|
|
|
|
|
} catch (OptimisticLockException $exception) {
|
|
|
|
|
die($exception->getMessage()."\n");
|
|
|
|
|
}
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
// also update extra field values
|
|
|
|
|
|
|
|
|
|
foreach ($ldapUsers as $username => $ldapUser) {
|
|
|
|
|
$user = $dbUsers[$username];
|
|
|
|
|
foreach ($extraFields as $userField) {
|
|
|
|
|
$value = $ldapUser[$userField->name];
|
|
|
|
|
if (array_key_exists($user->getId(), $userField->extraFieldValues)) {
|
|
|
|
|
/**
|
|
|
|
|
* @var ExtraFieldValues $extraFieldValue
|
|
|
|
|
*/
|
|
|
|
|
$extraFieldValue = $userField->extraFieldValues[$user->getId()];
|
|
|
|
|
if ($extraFieldValue->getValue() !== $value) {
|
|
|
|
|
$extraFieldValue->setValue($value);
|
|
|
|
|
Database::getManager()->persist($extraFieldValue);
|
|
|
|
|
if ($debug) {
|
|
|
|
|
echo 'Updated ' . $username . ' extra field ' . $userField->name . "\n";
|
|
|
|
|
}
|
|
|
|
|
}
|
|
|
|
|
} else {
|
|
|
|
|
$extraFieldValue = new ExtraFieldValues();
|
|
|
|
|
$extraFieldValue->setValue($value);
|
|
|
|
|
$extraFieldValue->setField($userField->extraField);
|
|
|
|
|
$extraFieldValue->setItemId($user->getId());
|
|
|
|
|
Database::getManager()->persist($extraFieldValue);
|
|
|
|
|
$userField->extraFieldValues[$user->getId()] = $extraFieldValue;
|
|
|
|
|
if ($debug) {
|
|
|
|
|
echo 'Created ' . $username . ' extra field ' . $userField->name . "\n";
|
|
|
|
|
}
|
|
|
|
|
}
|
|
|
|
|
}
|
|
|
|
|
}
|
|
|
|
|
try {
|
|
|
|
|
Database::getManager()->flush();
|
|
|
|
|
} catch (OptimisticLockException $exception) {
|
|
|
|
|
die($exception->getMessage()."\n");
|
|
|
|
|
}
|
|
|
|
|
|
|
|
|
|
// anonymize user accounts disabled for more than 3 years
|
|
|
|
|
|
|
|
|
|
$longDisabledUserIds = [];
|
|
|
|
|
foreach (Database::query(
|
|
|
|
|
'select default_value
|
|
|
|
|
from track_e_default
|
|
|
|
|
where default_event_type=\'user_disable\' and default_value_type=\'user_id\'
|
|
|
|
|
group by default_value
|
|
|
|
|
having max(default_date) < date_sub(now(), interval 3 year)'
|
|
|
|
|
)->fetchAll(FetchMode::COLUMN) as $userId) {
|
|
|
|
|
$longDisabledUserIds[] = $userId;
|
|
|
|
|
}
|
|
|
|
|
$anonymizedUserIds = [];
|
|
|
|
|
foreach (Database::query(
|
|
|
|
|
'select distinct default_value
|
|
|
|
|
from track_e_default
|
|
|
|
|
where default_event_type=\'user_anonymized\' and default_value_type=\'user_id\''
|
|
|
|
|
)->fetchAll(FetchMode::COLUMN) as $userId) {
|
|
|
|
|
$anonymizedUserIds[] = $userId;
|
|
|
|
|
}
|
|
|
|
|
foreach (array_diff($longDisabledUserIds, $anonymizedUserIds) as $userId) {
|
|
|
|
|
$user = $userRepository->find($userId);
|
|
|
|
|
if ($user && !$user->isEnabled()) {
|
|
|
|
|
try {
|
|
|
|
|
UserManager::anonymize($userId)
|
|
|
|
|
or die("could not anonymize user $userId\n");
|
|
|
|
|
} catch (Exception $exception) {
|
|
|
|
|
die($exception->getMessage()."\n");
|
|
|
|
|
}
|
|
|
|
|
if ($debug) {
|
|
|
|
|
echo "Anonymized user $userId\n";
|
|
|
|
|
}
|
|
|
|
|
}
|
|
|
|
|
}
|
