From 68ecee9771abb04402287ef6010e12608be4ddbd Mon Sep 17 00:00:00 2001 From: Arthur Schiwon Date: Tue, 7 May 2013 18:23:49 +0200 Subject: [PATCH 1/8] LDAP: Coypright info --- apps/user_ldap/settings.php | 2 ++ 1 file changed, 2 insertions(+) diff --git a/apps/user_ldap/settings.php b/apps/user_ldap/settings.php index 05497ae8a33..22e2dac6d26 100644 --- a/apps/user_ldap/settings.php +++ b/apps/user_ldap/settings.php @@ -4,7 +4,9 @@ * ownCloud - user_ldap * * @author Dominik Schmidt + * @author Arthur Schiwon * @copyright 2011 Dominik Schmidt dev@dominik-schmidt.de + * @copyright 2012-2013 Arthur Schiwon blizzz@owncloud.com * * This library is free software; you can redistribute it and/or * modify it under the terms of the GNU AFFERO GENERAL PUBLIC LICENSE From 498eae49b115787198a6b40cf92a3d02316be503 Mon Sep 17 00:00:00 2001 From: Arthur Schiwon Date: Tue, 7 May 2013 19:31:51 +0200 Subject: [PATCH 2/8] LDAP: prepare settings for internal username attribute and clearing user mappings --- apps/user_ldap/css/settings.css | 4 ++++ apps/user_ldap/templates/settings.php | 9 +++++++++ 2 files changed, 13 insertions(+) diff --git a/apps/user_ldap/css/settings.css b/apps/user_ldap/css/settings.css index 84ada0832ab..185952e14bb 100644 --- a/apps/user_ldap/css/settings.css +++ b/apps/user_ldap/css/settings.css @@ -11,6 +11,10 @@ display: inline-block; } +.ldapIndent { + margin-left: 50px; +} + .ldapwarning { margin-left: 1.4em; color: #FF3B3B; diff --git a/apps/user_ldap/templates/settings.php b/apps/user_ldap/templates/settings.php index d3c2c298904..2d0a23e1a6f 100644 --- a/apps/user_ldap/templates/settings.php +++ b/apps/user_ldap/templates/settings.php @@ -3,6 +3,7 @@ '.$l->t('Warning: Apps user_ldap and user_webdavauth are incompatible. You may experience unexpected behaviour. Please ask your system administrator to disable one of them.').'

'); @@ -96,6 +97,14 @@ +
+

t('Internal Username'));?>

+

t('By default the internal username will be created from the UUID attribute. It makes sure that the username is unique and characters do not need to be converted. The internal username has the restriction that only these characters are allowed: [ a-zA-Z0-9_.@- ]. Other characters are replaced with their ASCII correspondence or simply omitted. On collisions a number will be added/increased. The internal username is used to identify a user internally. It is also the default name for the user home folder in ownCloud. It is also a port of remote URLs, for instance for all *DAV services. With this setting, the default behaviour can be overriden. To achieve a similar behaviour as before ownCloud 5 enter the user display name attribute in the following field. Leave it empty for default behaviour. Changes will have effect only to newly mapped (added) LDAP users.'));?>

+

+

t('Username-LDAP User Mapping'));?>

+

t('ownCloud uses usernames to store and assign (meta) data. In order to precisely identify and recognize users, each LDAP user will have a internal username. This requires a mapping from ownCloud username to LDAP user. The created username is mapped to the UUID of the LDAP user. Additionally the DN is cached as well to reduce LDAP interaction, but it is not used for identification. If the DN changes, the changes will be found by ownCloud. The internal ownCloud name is used all over in ownCloud. Clearing the Mappings will have leftovers everywhere. Do never clear the mappings in a production environment. Only clear mappings in a testing or experimental stage.' ));?>

+

+
t('Help'));?> From c18158906cb39b0b7c2dafe429e8371f20f044e9 Mon Sep 17 00:00:00 2001 From: Arthur Schiwon Date: Wed, 8 May 2013 13:57:21 +0200 Subject: [PATCH 3/8] LDAP: add settings for UUID override --- apps/user_ldap/templates/settings.php | 7 +++++-- 1 file changed, 5 insertions(+), 2 deletions(-) diff --git a/apps/user_ldap/templates/settings.php b/apps/user_ldap/templates/settings.php index 2d0a23e1a6f..de166502028 100644 --- a/apps/user_ldap/templates/settings.php +++ b/apps/user_ldap/templates/settings.php @@ -99,10 +99,13 @@
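Review bot: The new help text carries a few typos that will be frozen into the translation catalogue as soon as this lands: "It is also a port of remote URLs" should read "part", "overriden" should be "overridden", and "a internal username" should be "an internal username". The same strings are repeated, slightly amended, in the template hunks of PATCH 3/8 and PATCH 5/8 of this series, so fixing them here avoids re-keying the translations twice. These are pure template text lines, so the fix is textual only.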

t('Internal Username'));?>

-

t('By default the internal username will be created from the UUID attribute. It makes sure that the username is unique and characters do not need to be converted. The internal username has the restriction that only these characters are allowed: [ a-zA-Z0-9_.@- ]. Other characters are replaced with their ASCII correspondence or simply omitted. On collisions a number will be added/increased. The internal username is used to identify a user internally. It is also the default name for the user home folder in ownCloud. It is also a port of remote URLs, for instance for all *DAV services. With this setting, the default behaviour can be overriden. To achieve a similar behaviour as before ownCloud 5 enter the user display name attribute in the following field. Leave it empty for default behaviour. Changes will have effect only to newly mapped (added) LDAP users.'));?>

+

t('By default the internal username will be created from the UUID attribute. It makes sure that the username is unique and characters do not need to be converted. The internal username has the restriction that only these characters are allowed: [ a-zA-Z0-9_.@- ]. Other characters are replaced with their ASCII correspondence or simply omitted. On collisions a number will be added/increased. The internal username is used to identify a user internally. It is also the default name for the user home folder in ownCloud. It is also a port of remote URLs, for instance for all *DAV services. With this setting, the default behaviour can be overriden. To achieve a similar behaviour as before ownCloud 5 enter the user display name attribute in the following field. Leave it empty for default behaviour. Changes will have effect only on newly mapped (added) LDAP users.'));?>

+

t('Override UUID detection'));?>

+

t('By default, ownCloud autodetects the UUID attribute. The UUID attribute is used to doubtlessly identify LDAP users and groups. You can override the setting and pass an attribute of your choice. You must make sure that the attribute of your choice can be fetched for both users and groups and it is unique. Leave it empty for default behaviour. Changes will have effect only on newly mapped (added) LDAP users and groups.'));?>

+

t('Username-LDAP User Mapping'));?>

-

t('ownCloud uses usernames to store and assign (meta) data. In order to precisely identify and recognize users, each LDAP user will have a internal username. This requires a mapping from ownCloud username to LDAP user. The created username is mapped to the UUID of the LDAP user. Additionally the DN is cached as well to reduce LDAP interaction, but it is not used for identification. If the DN changes, the changes will be found by ownCloud. The internal ownCloud name is used all over in ownCloud. Clearing the Mappings will have leftovers everywhere. Do never clear the mappings in a production environment. Only clear mappings in a testing or experimental stage.' ));?>

+

t('ownCloud uses usernames to store and assign (meta) data. In order to precisely identify and recognize users, each LDAP user will have a internal username. This requires a mapping from ownCloud username to LDAP user. The created username is mapped to the UUID of the LDAP user. Additionally the DN is cached as well to reduce LDAP interaction, but it is not used for identification. If the DN changes, the changes will be found by ownCloud. The internal ownCloud name is used all over in ownCloud. Clearing the Mappings will have leftovers everywhere. Clearing the Mappings is not configuration sensitive, it affects all LDAP configurations! Do never clear the mappings in a production environment. Only clear mappings in a testing or experimental stage.'));?>

t('Help'));?> From bc23010670ecab5c5a0938e9e1a7a1f486f51827 Mon Sep 17 00:00:00 2001 From: Arthur Schiwon Date: Wed, 8 May 2013 14:05:08 +0200 Subject: [PATCH 4/8] LDAP: implement r+w for new settings --- apps/user_ldap/lib/connection.php | 13 +++++++++++-- 1 file changed, 11 insertions(+), 2 deletions(-) diff --git a/apps/user_ldap/lib/connection.php b/apps/user_ldap/lib/connection.php index ef7cc5295b3..ecc13076179 100644 --- a/apps/user_ldap/lib/connection.php +++ b/apps/user_ldap/lib/connection.php @@ -65,6 +65,8 @@ class Connection { 'ldapAttributesForGroupSearch' => null, 'homeFolderNamingRule' => null, 'hasPagedResultSupport' => false, + 'ldapExpertUidAttr' => null, + 'ldapExpertUUIDAttr' => null, ); /** @@ -265,6 +267,10 @@ class Connection { = preg_split('/\r\n|\r|\n/', $this->$v('ldap_attributes_for_user_search')); $this->config['ldapAttributesForGroupSearch'] = preg_split('/\r\n|\r|\n/', $this->$v('ldap_attributes_for_group_search')); + $this->config['ldapExpertUidAttr'] + = $this->$v('ldap_expert_uid_attr'); + $this->config['ldapExpertUUIDAttr'] + = $this->$v('ldap_expert_uuid_attr'); $this->configured = $this->validateConfiguration(); } @@ -290,7 +296,6 @@ class Connection { 'ldap_group_filter'=>'ldapGroupFilter', 'ldap_display_name'=>'ldapUserDisplayName', 'ldap_group_display_name'=>'ldapGroupDisplayName', - 'ldap_tls'=>'ldapTLS', 'ldap_nocase'=>'ldapNoCase', 'ldap_quota_def'=>'ldapQuotaDefault', @@ -302,7 +307,9 @@ class Connection { 'ldap_turn_off_cert_check' => 'turnOffCertCheck', 'ldap_configuration_active' => 'ldapConfigurationActive', 'ldap_attributes_for_user_search' => 'ldapAttributesForUserSearch', - 'ldap_attributes_for_group_search' => 'ldapAttributesForGroupSearch' + 'ldap_attributes_for_group_search' => 'ldapAttributesForGroupSearch', + 'ldap_expert_uid_attr' => 'ldapExpertUidAttr', + 'ldap_expert_uuid_attr' => 'ldapExpertUUIDAttr', ); return $array; } 
@@ -543,6 +550,8 @@ class Connection { 'ldap_configuration_active' => 1, 'ldap_attributes_for_user_search' => '', 'ldap_attributes_for_group_search' => '', + 'ldap_expert_uid_attr' => '', + 'ldap_expert_uuid_attr' => '', ); } From c9b3da5bbce52f10f060fcb131697bf41e4ab037 Mon Sep 17 00:00:00 2001 From: Arthur Schiwon Date: Wed, 8 May 2013 14:55:56 +0200 Subject: [PATCH 5/8] LDAP: better variable name --- apps/user_ldap/lib/connection.php | 14 +++++++++----- apps/user_ldap/templates/settings.php | 4 ++-- 2 files changed, 11 insertions(+), 7 deletions(-) diff --git a/apps/user_ldap/lib/connection.php b/apps/user_ldap/lib/connection.php index ecc13076179..7292ca15e78 100644 --- a/apps/user_ldap/lib/connection.php +++ b/apps/user_ldap/lib/connection.php @@ -65,7 +65,7 @@ class Connection { 'ldapAttributesForGroupSearch' => null, 'homeFolderNamingRule' => null, 'hasPagedResultSupport' => false, - 'ldapExpertUidAttr' => null, + 'ldapExpertUsernameAttr' => null, 'ldapExpertUUIDAttr' => null, ); @@ -267,8 +267,8 @@ class Connection { = preg_split('/\r\n|\r|\n/', $this->$v('ldap_attributes_for_user_search')); $this->config['ldapAttributesForGroupSearch'] = preg_split('/\r\n|\r|\n/', $this->$v('ldap_attributes_for_group_search')); - $this->config['ldapExpertUidAttr'] - = $this->$v('ldap_expert_uid_attr'); + $this->config['ldapExpertUsernameAttr'] + = $this->$v('ldap_expert_username_attr'); $this->config['ldapExpertUUIDAttr'] = $this->$v('ldap_expert_uuid_attr'); @@ -308,7 +308,7 @@ class Connection { 'ldap_configuration_active' => 'ldapConfigurationActive', 'ldap_attributes_for_user_search' => 'ldapAttributesForUserSearch', 'ldap_attributes_for_group_search' => 'ldapAttributesForGroupSearch', - 'ldap_expert_uid_attr' => 'ldapExpertUidAttr', + 'ldap_expert_username_attr' => 'ldapExpertUsernameAttr', 'ldap_expert_uuid_attr' => 'ldapExpertUUIDAttr', ); return $array; 
@@ -512,6 +512,10 @@ class Connection { $configurationOK = false; } + if(!empty($this->config['ldapExpertUUIDAttr'])) { + $this->config['ldapUuidAttribute'] = $this->config['ldapExpertUUIDAttr']; + } + return $configurationOK; } @@ -550,7 +554,7 @@ class Connection { 'ldap_configuration_active' => 1, 'ldap_attributes_for_user_search' => '', 'ldap_attributes_for_group_search' => '', - 'ldap_expert_uid_attr' => '', + 'ldap_expert_username_attr' => '', 'ldap_expert_uuid_attr' => '', ); } diff --git a/apps/user_ldap/templates/settings.php b/apps/user_ldap/templates/settings.php index de166502028..3c7dd7cce6e 100644 --- a/apps/user_ldap/templates/settings.php +++ b/apps/user_ldap/templates/settings.php @@ -100,9 +100,9 @@

t('Internal Username'));?>

t('By default the internal username will be created from the UUID attribute. It makes sure that the username is unique and characters do not need to be converted. The internal username has the restriction that only these characters are allowed: [ a-zA-Z0-9_.@- ]. Other characters are replaced with their ASCII correspondence or simply omitted. On collisions a number will be added/increased. The internal username is used to identify a user internally. It is also the default name for the user home folder in ownCloud. It is also a port of remote URLs, for instance for all *DAV services. With this setting, the default behaviour can be overriden. To achieve a similar behaviour as before ownCloud 5 enter the user display name attribute in the following field. Leave it empty for default behaviour. Changes will have effect only on newly mapped (added) LDAP users.'));?>

-

+

t('Override UUID detection'));?>

-

t('By default, ownCloud autodetects the UUID attribute. The UUID attribute is used to doubtlessly identify LDAP users and groups. You can override the setting and pass an attribute of your choice. You must make sure that the attribute of your choice can be fetched for both users and groups and it is unique. Leave it empty for default behaviour. Changes will have effect only on newly mapped (added) LDAP users and groups.'));?>

+

t('By default, ownCloud autodetects the UUID attribute. The UUID attribute is used to doubtlessly identify LDAP users and groups. Also, the internal username will be created based on the UUID, if not specified otherwise above. You can override the setting and pass an attribute of your choice. You must make sure that the attribute of your choice can be fetched for both users and groups and it is unique. Leave it empty for default behaviour. Changes will have effect only on newly mapped (added) LDAP users and groups.'));?>

t('Username-LDAP User Mapping'));?>

t('ownCloud uses usernames to store and assign (meta) data. In order to precisely identify and recognize users, each LDAP user will have a internal username. This requires a mapping from ownCloud username to LDAP user. The created username is mapped to the UUID of the LDAP user. Additionally the DN is cached as well to reduce LDAP interaction, but it is not used for identification. If the DN changes, the changes will be found by ownCloud. The internal ownCloud name is used all over in ownCloud. Clearing the Mappings will have leftovers everywhere. Clearing the Mappings is not configuration sensitive, it affects all LDAP configurations! Do never clear the mappings in a production environment. Only clear mappings in a testing or experimental stage.'));?>

From 3f1717d3d54fd82090abe6518da56c88678e24a2 Mon Sep 17 00:00:00 2001 From: Arthur Schiwon Date: Wed, 8 May 2013 14:56:52 +0200 Subject: [PATCH 6/8] LDAP: implement UUID and internal username override --- apps/user_ldap/lib/access.php | 20 +++++++++++++++++++- 1 file changed, 19 insertions(+), 1 deletion(-) diff --git a/apps/user_ldap/lib/access.php b/apps/user_ldap/lib/access.php index 234e91f792f..8c372766c00 100644 --- a/apps/user_ldap/lib/access.php +++ b/apps/user_ldap/lib/access.php @@ -317,7 +317,19 @@ abstract class Access { } $ldapname = $ldapname[0]; } - $intname = $isUser ? $this->sanitizeUsername($uuid) : $ldapname; + + if($isUser) { + $usernameAttribute = $this->connection->ldapExpertUsernameAttr; + if(!emptY($usernameAttribute)) { + $username = $this->readAttribute($dn, $usernameAttribute); + $username = $username[0]; + } else { + $username = $uuid; + } + $intname = $this->sanitizeUsername($username); + } else { + $intname = $ldapname; + } //a new user/group! Add it only if it doesn't conflict with other backend's users or existing groups //disabling Cache is required to avoid that the new user is cached as not-existing in fooExists check @@ -897,6 +909,12 @@ abstract class Access { return true; } + $fixedAttribute = $this->connection->ldapExpertUUIDAttr; + if(!empty($fixedAttribute)) { + $this->connection->ldapUuidAttribute = $fixedAttribute; + return true; + } + //for now, supported (known) attributes are entryUUID, nsuniqueid, objectGUID $testAttributes = array('entryuuid', 'nsuniqueid', 'objectguid', 'guid'); From 796ee8c4c0cc7b105c6fd4c0e43d40c9e898bb43 Mon Sep 17 00:00:00 2001 
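Review bot: In the new `if($isUser)` branch of the first hunk, `$username = $username[0];` indexes the readAttribute() result without checking it; if the admin-chosen attribute is absent on an entry, or readAttribute() reports failure, `$username` becomes null and sanitizeUsername() is fed an empty name, so several LDAP entries could collapse onto the same internal username instead of falling back to the UUID — the context lines above suggest `$ldapname` gets exactly such a check before `[0]` is taken. Replace that line with `$username = (is_array($username) && isset($username[0]) && $username[0] !== '') ? $username[0] : $uuid;` so an unreadable attribute degrades to the default UUID-based name rather than to an empty one. `emptY(` works only because PHP function names are case-insensitive and should be `empty(`. The enclosing method starts and ends outside the hunk.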
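Review bot: The override in the second hunk assigns `ldapExpertUUIDAttr` to `ldapUuidAttribute` and returns true without ever reading the attribute from an entry, whereas the autodetection below it presumably probes the candidate `$testAttributes` before accepting one; a mistyped name therefore only surfaces later as users that cannot be mapped, and a non-unique one silently lets two LDAP entries share one ownCloud identity. Consider probing it once with readAttribute() (assuming the entry's DN is at hand in this method, as the probes below would need it) and emitting a warning through `\OCP\Util::writeLog('user_ldap', ...)` when the value is empty, rather than returning true unconditionally. PATCH 5/8 already copies the same setting into `ldapUuidAttribute` inside validateConfiguration(), so one of the two places should own this override to keep them from drifting apart. The enclosing method starts and ends outside the hunk.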
From: Arthur Schiwon Date: Wed, 8 May 2013 17:47:07 +0200 Subject: [PATCH 7/8] LDAP: Implement clear mappings functionality --- apps/user_ldap/ajax/clearMappings.php | 35 +++++++++++++++++++++++++++ apps/user_ldap/js/settings.js | 30 +++++++++++++++++++++++ apps/user_ldap/lib/helper.php | 25 +++++++++++++++++++ apps/user_ldap/templates/settings.php | 2 +- 4 files changed, 91 insertions(+), 1 deletion(-) create mode 100644 apps/user_ldap/ajax/clearMappings.php diff --git a/apps/user_ldap/ajax/clearMappings.php b/apps/user_ldap/ajax/clearMappings.php new file mode 100644 index 00000000000..5dab39839b6 --- /dev/null +++ b/apps/user_ldap/ajax/clearMappings.php @@ -0,0 +1,35 @@ +. + * + */ + +// Check user and app status +OCP\JSON::checkAdminUser(); +OCP\JSON::checkAppEnabled('user_ldap'); +OCP\JSON::callCheck(); + +$subject = $_POST['ldap_clear_mapping']; +if(\OCA\user_ldap\lib\Helper::clearMapping($subject)) { + OCP\JSON::success(); +} else { + $l=OC_L10N::get('user_ldap'); + OCP\JSON::error(array('message' => $l->t('Failed to clear the mappings.'))); +} \ No newline at end of file diff --git a/apps/user_ldap/js/settings.js b/apps/user_ldap/js/settings.js index e34849ec887..5e4c0262a6d 100644 --- a/apps/user_ldap/js/settings.js +++ b/apps/user_ldap/js/settings.js @@ -99,6 +99,26 @@ var LdapConfiguration = { } } ); + }, + + clearMappings: function(mappingSubject) { + $.post( + OC.filePath('user_ldap','ajax','clearMappings.php'), + 'ldap_clear_mapping='+mappingSubject, + function(result) { + if(result.status == 'success') { + OC.dialogs.info( + t('user_ldap', 'mappings cleared'), + t('user_ldap', 'Success') + ); + } else { + OC.dialogs.alert( + result.message, + t('user_ldap', 'Error') + ); + } + } + ); } } 
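Review bot: `$subject = $_POST['ldap_clear_mapping'];` raises an undefined-index notice when the parameter is absent; read it defensively, `$subject = isset($_POST['ldap_clear_mapping']) ? (string)$_POST['ldap_clear_mapping'] : '';`, and let Helper::clearMapping() reject the empty value as it already does for anything other than 'user' or 'group'. Since this endpoint irreversibly wipes a mapping table for every LDAP configuration, it is also worth recording who triggered it, e.g. `\OCP\Util::writeLog('user_ldap', 'cleared '.$subject.' mappings by '.\OCP\User::getUser(), \OCP\Util::WARN);` before the success response. The admin, app-enabled and CSRF checks at the top are in place; the file only lacks a trailing newline.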
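Review bot: `clearMappings` fires the POST to clearMappings.php as soon as it is called, so a stray click on either button wired up in the next hunk destroys the user or group mapping table for all configurations with no way back — the template text itself says never to do this in production. Wrap the request in a confirmation, e.g. `OC.dialogs.confirm(t('user_ldap', 'Really clear the mappings? This cannot be undone.'), t('user_ldap', 'Clear mappings'), function(ok) { if(ok) { /* existing $.post call */ } });`, and only send the POST when `ok` is true. While here, `result.status == 'success'` should use `===`.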
@@ -166,6 +186,16 @@ $(document).ready(function() { ); }); + $('#ldap_action_clear_user_mappings').click(function(event) { + event.preventDefault(); + LdapConfiguration.clearMappings('user'); + }); + + $('#ldap_action_clear_group_mappings').click(function(event) { + event.preventDefault(); + LdapConfiguration.clearMappings('group'); + }); + $('#ldap_serverconfig_chooser').change(function(event) { value = $('#ldap_serverconfig_chooser option:selected:first').attr('value'); if(value == 'NEW') { diff --git a/apps/user_ldap/lib/helper.php b/apps/user_ldap/lib/helper.php index 612a088269b..7720c356a13 100644 --- a/apps/user_ldap/lib/helper.php +++ b/apps/user_ldap/lib/helper.php @@ -102,4 +102,29 @@ class Helper { return true; } + + /** + * Truncate's the given mapping table + * + * @param string $mapping either 'user' or 'group' + * @return boolean true on success, false otherwise + */ + static public function clearMapping($mapping) { + if($mapping === 'user') { + $table = '`*PREFIX*ldap_user_mapping`'; + } else if ($mapping === 'group') { + $table = '`*PREFIX*ldap_group_mapping`'; + } else { + return false; + } + + $query = \OCP\DB::prepare('TRUNCATE '.$table); + $res = $query->execute(); + + if(\OCP\DB::isError($res)) { + return false; + } + + return true; + } } diff --git a/apps/user_ldap/templates/settings.php b/apps/user_ldap/templates/settings.php index 3c7dd7cce6e..ee1250fc911 100644 --- a/apps/user_ldap/templates/settings.php +++ b/apps/user_ldap/templates/settings.php @@ -106,7 +106,7 @@
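Review bot: `TRUNCATE` is not portable across the databases ownCloud supports — SQLite has no TRUNCATE statement — so on such an installation the prepared query fails and clearMapping() reports failure for a perfectly valid request; `'DELETE FROM '.$table` is the portable equivalent and is all this method needs (the table name comes from the fixed whitelist above it, so no user-controlled value reaches the SQL). The docblock should read "Truncates the given mapping table" and state that the operation affects every LDAP configuration, since the mapping tables are shared. The `else { return false; }` branch that refuses unknown subjects is the right place for that check and should stay.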

t('Username-LDAP User Mapping'));?>

t('ownCloud uses usernames to store and assign (meta) data. In order to precisely identify and recognize users, each LDAP user will have a internal username. This requires a mapping from ownCloud username to LDAP user. The created username is mapped to the UUID of the LDAP user. Additionally the DN is cached as well to reduce LDAP interaction, but it is not used for identification. If the DN changes, the changes will be found by ownCloud. The internal ownCloud name is used all over in ownCloud. Clearing the Mappings will have leftovers everywhere. Clearing the Mappings is not configuration sensitive, it affects all LDAP configurations! Do never clear the mappings in a production environment. Only clear mappings in a testing or experimental stage.'));?>

-

+


t('Help'));?> From d69579f7733c742eb0ca17e80747d1f6b06c80e9 Mon Sep 17 00:00:00 2001 From: Arthur Schiwon Date: Wed, 8 May 2013 17:54:38 +0200 Subject: [PATCH 8/8] LDAP: fix display of numerical display names --- apps/user_ldap/user_proxy.php | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/apps/user_ldap/user_proxy.php b/apps/user_ldap/user_proxy.php index 7e5b9045df3..73cc0963182 100644 --- a/apps/user_ldap/user_proxy.php +++ b/apps/user_ldap/user_proxy.php @@ -174,7 +174,7 @@ class User_Proxy extends lib\Proxy implements \OCP\UserInterface { foreach($this->backends as $backend) { $backendUsers = $backend->getDisplayNames($search, $limit, $offset); if (is_array($backendUsers)) { - $users = array_merge($users, $backendUsers); + $users = $users + $backendUsers; } } return $users;
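Review bot: The switch from array_merge() to `+` needs a comment, otherwise the next reader will "fix" it back: `// array_merge() renumbers integer keys, which mangles purely numeric usernames; + keeps keys (first backend wins on duplicates)`. It also means an entry from a later backend whose key already exists is dropped silently, which is acceptable only if usernames are unique across backends — worth stating in the same comment if that holds. The enclosing getDisplayNames() starts and ends outside the hunk.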