Nicolas Ducoulombier
6 years ago
committed by
GitHub
commit
5512b44c5f
@ -0,0 +1,354 @@ |
|||||||
|
<?php |
||||||
|
/* For licensing terms, see /license.txt */ |
||||||
|
/* |
||||||
|
User account synchronisation from LDAP |
||||||
|
|
||||||
|
This script |
||||||
|
creates new user accounts found in the LDAP directory |
||||||
|
disables user accounts not found in the LDAP directory |
||||||
|
updates existing user accounts found in the LDAP directory, re-enabling them if disabled |
||||||
|
anonymizes user accounts disabled for more than 3 years |
||||||
|
|
||||||
|
This script can be run unattended. |
||||||
|
|
||||||
|
It does not read any parameter from the command line, but uses the global configuration arrays |
||||||
|
$extldap_config |
||||||
|
and |
||||||
|
$extldap_user_correspondance |
||||||
|
defined in app/config/auth.conf.php. |
||||||
|
|
||||||
|
username field is used to identify and match LDAP and Chamilo accounts together. |
||||||
|
($extldap_user_correspondance['username']) |
||||||
|
*/ |
||||||
|
|
||||||
|
use Chamilo\CoreBundle\Entity\ExtraFieldValues; |
||||||
|
use Chamilo\CoreBundle\Entity\ExtraField; |
||||||
|
use Chamilo\CoreBundle\Entity\TrackEDefault; |
||||||
|
use Chamilo\UserBundle\Entity\User; |
||||||
|
use Doctrine\DBAL\FetchMode; |
||||||
|
use Doctrine\ORM\OptimisticLockException; |
||||||
|
|
||||||
|
if (php_sapi_name() !== 'cli') { |
||||||
|
die("this script is supposed to be run from the command-line\n"); |
||||||
|
} |
||||||
|
|
||||||
|
require __DIR__.'/../../cli-config.php'; |
||||||
|
require_once __DIR__.'/../../app/config/auth.conf.php'; |
||||||
|
require_once __DIR__.'/../../main/inc/lib/api.lib.php'; |
||||||
|
require_once __DIR__.'/../../main/inc/lib/database.constants.inc.php'; |
||||||
|
|
||||||
|
$debug = false; |
||||||
|
|
||||||
|
ini_set('memory_limit', -1); |
||||||
|
|
||||||
|
// Retreive information from $extldap_user_correspondance and extra fields |
||||||
|
// into $tableFields, $extraFields, $allFields and $ldapAttributes |
||||||
|
|
||||||
|
$tableFields = []; |
||||||
|
$extraFields = []; |
||||||
|
$ldapAttributes = []; |
||||||
|
$tableFieldMap = $extldap_user_correspondance; |
||||||
|
$extraFieldMap = []; |
||||||
|
const EXTRA_ARRAY_KEY = 'extra'; |
||||||
|
if (array_key_exists(EXTRA_ARRAY_KEY, $tableFieldMap) and is_array($tableFieldMap[EXTRA_ARRAY_KEY])) { |
||||||
|
$extraFieldMap = $tableFieldMap[EXTRA_ARRAY_KEY]; |
||||||
|
unset($tableFieldMap[EXTRA_ARRAY_KEY]); |
||||||
|
} |
||||||
|
$extraFieldRepository = Database::getManager()->getRepository('ChamiloCoreBundle:ExtraField'); |
||||||
|
$extraFieldValueRepository = Database::getManager()->getRepository('ChamiloCoreBundle:ExtraFieldValues'); |
||||||
|
foreach ([false => $tableFieldMap, true => $extraFieldMap] as $areExtra => $fields) { |
||||||
|
foreach ($fields as $name => $value) { |
||||||
|
$userField = (object)[ |
||||||
|
'name' => $name, |
||||||
|
'constant' => '!' === $value[0] ? substr($value, 1) : null, |
||||||
|
'function' => 'func' === $value, |
||||||
|
'ldapAttribute' => ('!' !== $value[0] and 'func' !== $value) ? $value : null, |
||||||
|
]; |
||||||
|
if (!$userField->constant and !$userField->function) { |
||||||
|
$ldapAttributes[] = $value; |
||||||
|
} |
||||||
|
if ($areExtra) { |
||||||
|
$userField->extraField = $extraFieldRepository->findOneBy( |
||||||
|
[ |
||||||
|
'extraFieldType' => ExtraField::USER_FIELD_TYPE, |
||||||
|
'variable' => $name, |
||||||
|
] |
||||||
|
) or die("Cannot find user extra field '$name'\n"); |
||||||
|
foreach ($extraFieldValueRepository->findBy(['field' => $userField->extraField]) as $extraFieldValue) { |
||||||
|
$userField->extraFieldValues[$extraFieldValue->getItemId()] = $extraFieldValue; |
||||||
|
} |
||||||
|
$extraFields[] = $userField; |
||||||
|
} else { |
||||||
|
try { |
||||||
|
$userField->getter = new ReflectionMethod( |
||||||
|
'\Chamilo\UserBundle\Entity\User', 'get' . str_replace('_', '', ucfirst($name)) |
||||||
|
); |
||||||
|
$userField->setter = new ReflectionMethod( |
||||||
|
'\Chamilo\UserBundle\Entity\User', 'set' . str_replace('_', '', ucfirst($name)) |
||||||
|
); |
||||||
|
} catch (ReflectionException $exception) { |
||||||
|
die($exception->getMessage() . "\n"); |
||||||
|
} |
||||||
|
$tableFields[] = $userField; |
||||||
|
} |
||||||
|
} |
||||||
|
} |
||||||
|
|
||||||
|
$allFields = array_merge($tableFields, $extraFields); |
||||||
|
|
||||||
|
// Retrieve source information from LDAP |
||||||
|
|
||||||
|
$ldap = false; |
||||||
|
foreach ($extldap_config['host'] as $ldapHost) { |
||||||
|
$ldap = array_key_exists('port', $extldap_config) |
||||||
|
? ldap_connect($ldapHost, $extldap_config['port']) |
||||||
|
: ldap_connect($ldapHost); |
||||||
|
if (false !== $ldap) { |
||||||
|
break; |
||||||
|
} |
||||||
|
} |
||||||
|
if (false === $ldap) { |
||||||
|
die("ldap_connect() failed\n"); |
||||||
|
} |
||||||
|
if ($debug) { |
||||||
|
echo "Connected to LDAP server $ldapHost.\n"; |
||||||
|
} |
||||||
|
|
||||||
|
ldap_set_option( |
||||||
|
$ldap, |
||||||
|
LDAP_OPT_PROTOCOL_VERSION, |
||||||
|
array_key_exists('protocol_version', $extldap_config) ? $extldap_config['protocol_version'] : 2 |
||||||
|
); |
||||||
|
|
||||||
|
ldap_set_option( |
||||||
|
$ldap, |
||||||
|
LDAP_OPT_REFERRALS, |
||||||
|
array_key_exists('referrals', $extldap_config) ? $extldap_config['referrals'] : false |
||||||
|
); |
||||||
|
|
||||||
|
ldap_bind($ldap, $extldap_config['admin_dn'], $extldap_config['admin_password']) |
||||||
|
or die('ldap_bind() failed: ' . ldap_error($ldap) . "\n"); |
||||||
|
if ($debug) { |
||||||
|
echo "Bound to LDAP server as ${extldap_config['admin_dn']}.\n"; |
||||||
|
} |
||||||
|
|
||||||
|
$baseDn = $extldap_config['base_dn'] |
||||||
|
or die("cannot read the LDAP directory base DN where to search for user entries\n"); |
||||||
|
|
||||||
|
$ldapUsernameAttribute = $extldap_user_correspondance['username'] |
||||||
|
or die("cannot read the name of the LDAP attribute where to find the username\n"); |
||||||
|
|
||||||
|
$filter = "$ldapUsernameAttribute=*"; |
||||||
|
|
||||||
|
if (array_key_exists('filter', $extldap_config)) { |
||||||
|
$filter = '(&('.$filter.')('.$extldap_config['filter'].'))'; |
||||||
|
} |
||||||
|
|
||||||
|
$searchResult = ldap_search($ldap, $baseDn, $filter, $ldapAttributes) |
||||||
|
or die("ldap_search(\$ldap, '$baseDn', '$filter', [".join(',', $ldapAttributes).']) failed: '.ldap_error($ldap)."\n"); |
||||||
|
|
||||||
|
if ($debug) { |
||||||
|
echo ldap_count_entries($ldap, $searchResult) . " LDAP entries found\n"; |
||||||
|
} |
||||||
|
|
||||||
|
$ldapUsers = []; |
||||||
|
$entry = ldap_first_entry($ldap, $searchResult); |
||||||
|
while (false !== $entry) { |
||||||
|
$attributes = ldap_get_attributes($ldap, $entry); |
||||||
|
$ldapUser = []; |
||||||
|
foreach ($allFields as $userField) { |
||||||
|
if (!is_null($userField->constant)) { |
||||||
|
$value = $userField->constant; |
||||||
|
} elseif ($userField->function) { |
||||||
|
switch ($userField->name) { |
||||||
|
case 'status': |
||||||
|
$value = STUDENT; |
||||||
|
break; |
||||||
|
case 'admin': |
||||||
|
$value = false; |
||||||
|
break; |
||||||
|
default: |
||||||
|
die("'func' not implemented for $userField->name\n"); |
||||||
|
} |
||||||
|
} else { |
||||||
|
if (array_key_exists($userField->ldapAttribute, $attributes)) { |
||||||
|
$values = ldap_get_values($ldap, $entry, $userField->ldapAttribute) |
||||||
|
or die( |
||||||
|
'could not read value of attribute ' . $userField->ldapAttribute |
||||||
|
. ' of entry ' . ldap_get_dn($ldap, $entry) |
||||||
|
. "\n" |
||||||
|
); |
||||||
|
(1 === $values['count']) |
||||||
|
or die( |
||||||
|
$values['count'] . ' values found (expected only one)' |
||||||
|
. ' in attribute ' . $userField->ldapAttribute |
||||||
|
. ' of entry ' . ldap_get_dn($ldap, $entry) |
||||||
|
. "\n" |
||||||
|
); |
||||||
|
$value = $values[0]; |
||||||
|
} else { |
||||||
|
$value = ''; |
||||||
|
} |
||||||
|
} |
||||||
|
$ldapUser[$userField->name] = $value; |
||||||
|
} |
||||||
|
$username = strtolower($ldapUser['username']); |
||||||
|
array_key_exists($username, $ldapUsers) and die("duplicate username '$username' found in LDAP\n"); |
||||||
|
$ldapUsers[$username] = $ldapUser; |
||||||
|
$entry = ldap_next_entry($ldap, $entry); |
||||||
|
} |
||||||
|
|
||||||
|
ldap_close($ldap); |
||||||
|
|
||||||
|
|
||||||
|
// read all users from the internal database |
||||||
|
|
||||||
|
$userRepository = Database::getManager()->getRepository('ChamiloUserBundle:User'); |
||||||
|
$dbUsers = []; |
||||||
|
foreach ($userRepository->findAll() as $user) { |
||||||
|
if ($user->getId() > 1) { |
||||||
|
$username = strtolower($user->getUsername()); |
||||||
|
array_key_exists($username, $dbUsers) and die("duplicate username $username found in the database\n"); |
||||||
|
$dbUsers[$username] = $user; |
||||||
|
} |
||||||
|
} |
||||||
|
if ($debug) { |
||||||
|
echo count($dbUsers) . " users with id > 1 found in internal database\n"; |
||||||
|
} |
||||||
|
|
||||||
|
// disable user accounts not found in the LDAP directory |
||||||
|
|
||||||
|
$now = new DateTime(); |
||||||
|
foreach (array_diff(array_keys($dbUsers), array_keys($ldapUsers)) as $usernameToDisable) { |
||||||
|
$user = $dbUsers[$usernameToDisable]; |
||||||
|
if ($user->isActive()) { |
||||||
|
// In order to avoid slow individual SQL updates, we do not call |
||||||
|
// UserManager::disable($user->getId()); |
||||||
|
$user->setActive(false); |
||||||
|
UserManager::getManager()->save($user, false); |
||||||
|
// In order to avoid slow individual SQL updates, we do not call |
||||||
|
// Event::addEvent(LOG_USER_DISABLE, LOG_USER_ID, $user->getId()); |
||||||
|
$trackEDefault = new TrackEDefault(); |
||||||
|
$trackEDefault->setDefaultUserId(1); |
||||||
|
$trackEDefault->setDefaultDate($now); |
||||||
|
$trackEDefault->setDefaultEventType(LOG_USER_DISABLE); |
||||||
|
$trackEDefault->setDefaultValueType(LOG_USER_ID); |
||||||
|
$trackEDefault->setDefaultValue($user->getId()); |
||||||
|
Database::getManager()->persist($trackEDefault); |
||||||
|
if ($debug) { |
||||||
|
echo 'Disabled ' . $user->getUsername() . "\n"; |
||||||
|
} |
||||||
|
} |
||||||
|
} |
||||||
|
try { |
||||||
|
// Saving everything together |
||||||
|
Database::getManager()->flush(); |
||||||
|
} catch (OptimisticLockException $exception) { |
||||||
|
die($exception->getMessage()."\n"); |
||||||
|
} |
||||||
|
|
||||||
|
|
||||||
|
// create new user accounts found in the LDAP directory and update the existing ones, re-enabling them if disabled |
||||||
|
|
||||||
|
foreach ($ldapUsers as $username => $ldapUser) { |
||||||
|
if (array_key_exists($username, $dbUsers)) { |
||||||
|
$user = $dbUsers[$username]; |
||||||
|
} else { |
||||||
|
$user = new User(); |
||||||
|
$dbUsers[$username] = $user; |
||||||
|
if ($debug) { |
||||||
|
echo 'Created ' . $username . "\n"; |
||||||
|
} |
||||||
|
} |
||||||
|
foreach ($tableFields as $userField) { |
||||||
|
$value = $ldapUser[$userField->name]; |
||||||
|
if ($userField->getter->invoke($user) !== $value) { |
||||||
|
$userField->setter->invoke($user, $value); |
||||||
|
if ($debug) { |
||||||
|
echo 'Updated ' . $username . ' field '.$userField->name."\n"; |
||||||
|
} |
||||||
|
} |
||||||
|
} |
||||||
|
if (!$user->isActive()) { |
||||||
|
$user->setActive(true); |
||||||
|
} |
||||||
|
UserManager::getManager()->save($user, false); |
||||||
|
} |
||||||
|
try { |
||||||
|
Database::getManager()->flush(); |
||||||
|
} catch (OptimisticLockException $exception) { |
||||||
|
die($exception->getMessage()."\n"); |
||||||
|
} |
||||||
|
|
||||||
|
|
||||||
|
// also update extra field values |
||||||
|
|
||||||
|
foreach ($ldapUsers as $username => $ldapUser) { |
||||||
|
$user = $dbUsers[$username]; |
||||||
|
foreach ($extraFields as $userField) { |
||||||
|
$value = $ldapUser[$userField->name]; |
||||||
|
if (array_key_exists($user->getId(), $userField->extraFieldValues)) { |
||||||
|
/** |
||||||
|
* @var ExtraFieldValues $extraFieldValue |
||||||
|
*/ |
||||||
|
$extraFieldValue = $userField->extraFieldValues[$user->getId()]; |
||||||
|
if ($extraFieldValue->getValue() !== $value) { |
||||||
|
$extraFieldValue->setValue($value); |
||||||
|
Database::getManager()->persist($extraFieldValue); |
||||||
|
if ($debug) { |
||||||
|
echo 'Updated ' . $username . ' extra field ' . $userField->name . "\n"; |
||||||
|
} |
||||||
|
} |
||||||
|
} else { |
||||||
|
$extraFieldValue = new ExtraFieldValues(); |
||||||
|
$extraFieldValue->setValue($value); |
||||||
|
$extraFieldValue->setField($userField->extraField); |
||||||
|
$extraFieldValue->setItemId($user->getId()); |
||||||
|
Database::getManager()->persist($extraFieldValue); |
||||||
|
$userField->extraFieldValues[$user->getId()] = $extraFieldValue; |
||||||
|
if ($debug) { |
||||||
|
echo 'Created ' . $username . ' extra field ' . $userField->name . "\n"; |
||||||
|
} |
||||||
|
} |
||||||
|
} |
||||||
|
} |
||||||
|
try { |
||||||
|
Database::getManager()->flush(); |
||||||
|
} catch (OptimisticLockException $exception) { |
||||||
|
die($exception->getMessage()."\n"); |
||||||
|
} |
||||||
|
|
||||||
|
// anonymize user accounts disabled for more than 3 years |
||||||
|
|
||||||
|
$longDisabledUserIds = []; |
||||||
|
foreach (Database::query( |
||||||
|
'select default_value |
||||||
|
from track_e_default |
||||||
|
where default_event_type=\'user_disable\' and default_value_type=\'user_id\' |
||||||
|
group by default_value |
||||||
|
having max(default_date) < date_sub(now(), interval 3 year)' |
||||||
|
)->fetchAll(FetchMode::COLUMN) as $userId) { |
||||||
|
$longDisabledUserIds[] = $userId; |
||||||
|
} |
||||||
|
$anonymizedUserIds = []; |
||||||
|
foreach (Database::query( |
||||||
|
'select distinct default_value |
||||||
|
from track_e_default |
||||||
|
where default_event_type=\'user_anonymized\' and default_value_type=\'user_id\'' |
||||||
|
)->fetchAll(FetchMode::COLUMN) as $userId) { |
||||||
|
$anonymizedUserIds[] = $userId; |
||||||
|
} |
||||||
|
foreach (array_diff($longDisabledUserIds, $anonymizedUserIds) as $userId) { |
||||||
|
$user = $userRepository->find($userId); |
||||||
|
if ($user && !$user->isEnabled()) { |
||||||
|
try { |
||||||
|
UserManager::anonymize($userId) |
||||||
|
or die("could not anonymize user $userId\n"); |
||||||
|
} catch (Exception $exception) { |
||||||
|
die($exception->getMessage()."\n"); |
||||||
|
} |
||||||
|
if ($debug) { |
||||||
|
echo "Anonymized user $userId\n"; |
||||||
|
} |
||||||
|
} |
||||||
|
} |
||||||
Loading…
Reference in new issue