need to report expired accounts as NOT active and add ability to copy shadowExpire attribute from LDAP to AD (not done by samba-tool classicupgrade!)

This commit is contained in:
Ralf Becker 2013-06-20 09:54:08 +00:00
parent da0aa5864c
commit 025c6a4c22
5 changed files with 38 additions and 3 deletions


@ -103,6 +103,7 @@ class addressbook_ads extends addressbook_ldap
'account_id' => 'objectsid', 'account_id' => 'objectsid',
'account_lid' => 'samaccountname', 'account_lid' => 'samaccountname',
'contact_uid' => 'objectguid', 'contact_uid' => 'objectguid',
'accountexpires', 'useraccountcontrol', // needed to exclude deactivated or expired accounts
); );
foreach($this->schema2egw as $schema => $attributes) foreach($this->schema2egw as $schema => $attributes)
@ -182,6 +183,9 @@ class addressbook_ads extends addressbook_ldap
// ignore system accounts // ignore system accounts
if ($contact['account_id'] < accounts_ads::MIN_ACCOUNT_ID) return false; if ($contact['account_id'] < accounts_ads::MIN_ACCOUNT_ID) return false;
// ignore deactivated or expired accounts
if (!$this->accounts_ads->user_active($data)) return false;
$this->_inetorgperson2egw($contact, $data); $this->_inetorgperson2egw($contact, $data);
} }
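Review bot: The `user_active($data)` call added before `_inetorgperson2egw` only works if `$data` carries `accountexpires` and `useraccountcontrol`, and the first hunk supplies them by appending two unkeyed entries to `schema2egw`, which gives them integer keys `0` and `1` next to the string-keyed field mappings. If the consumer of that map only collects the values into the LDAP attribute list, as the hunk's comment suggests, that is fine; if it ever iterates `key => attribute` to map results back onto contact fields, an integer key would turn into a bogus contact field name — I cannot see the consuming loop from here, so please confirm. Either way the mixed shape deserves a one-line note next to the new entries, e.g. `// unkeyed: fetched for user_active() only, never mapped to a contact field`. The method holding the second hunk begins outside the shown lines.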


@ -544,6 +544,8 @@ class accounts
/** /**
* test if an account is expired * test if an account is expired
* *
* Can be used static if array with user-data is supplied
*
* @param array $data=null array with account data, not specifying the account is depricated!!! * @param array $data=null array with account data, not specifying the account is depricated!!!
* @return boolean true=expired (no more login possible), false otherwise * @return boolean true=expired (no more login possible), false otherwise
*/ */
@ -559,6 +561,8 @@ class accounts
/** /**
* Test if an account is active - NOT deactivated or expired * Test if an account is active - NOT deactivated or expired
* *
* Can be used static if array with user-data is supplied
*
* @param int|array $data account_id or array with account-data * @param int|array $data account_id or array with account-data
* @return boolean false if account does not exist, is expired or decativated, true otherwise * @return boolean false if account does not exist, is expired or decativated, true otherwise
*/ */
@ -566,7 +570,7 @@ class accounts
{ {
if (!is_array($data)) $data = $this->read($data); if (!is_array($data)) $data = $this->read($data);
return $data && !($this->is_expired($data) || $data['account_status'] != 'A'); return $data && !(self::is_expired($data) || $data['account_status'] != 'A');
} }
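Review bot: The docblock now promises that `is_active` "can be used static if array with user-data is supplied" (and `accounts_ads::user_active` calls it as `accounts::is_active($user)`), but the method is still declared as an instance method and dereferences `$this->read($data)` on its non-array path. PHP 7 emits a deprecation for every static call of a non-static method and PHP 8 throws `Error` before the body runs, so on current engines the array shortcut is never reached and the active check in the AD path fails hard. Declare it `public static function is_active($data)` and keep the `$this` path working by fetching the account object via the class's instance accessor if one exists, or make the contract explicit with `if (!is_array($data)) { if (!isset($this)) throw new InvalidArgumentException('account_id lookup requires an instance'); ... }` — the same applies to `is_expired`, whose signature is outside the hunk. The `is_active` body shown is complete, but the surrounding class continues outside these lines.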
/** /**


@ -486,11 +486,30 @@ class accounts_ads
'account_modified' => !isset($data['whenchanged'][0]) ? null : 'account_modified' => !isset($data['whenchanged'][0]) ? null :
self::_when2ts($data['whenchanged'][0]), self::_when2ts($data['whenchanged'][0]),
); );
// expired accounts are NOT active
if ($user['account_expires'] !== -1 && $user['account_expires'] < time())
{
$user['account_status'] = false;
}
$user['person_id'] = $user['account_guid']; // id of contact $user['person_id'] = $user['account_guid']; // id of contact
//error_log(__METHOD__."(".array2string($data).") returning ".array2string($user)); //error_log(__METHOD__."(".array2string($data).") returning ".array2string($user));
return $user; return $user;
} }
/**
* Check if user is active
*
* @param array $data values for attributes 'useraccountcontrol' and 'accountexpires'
* @return boolean true if user is active, false otherwise
*/
public function user_active(array $data)
{
$user = $this->_ldap2user($data);
$active = accounts::is_active($user);
//error_log(__METHOD__."(cn={$data['cn'][0]}, useraccountcontrol={$data['useraccountcontrol'][0]}, accountexpires={$data['accountexpires'][0]}) user=".array2string($user)." returning ".array2string($active));
return $active;
}
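Review bot: The expiry test `$user['account_expires'] !== -1 && $user['account_expires'] < time()` treats every value other than `-1` as a real timestamp, so an absent or unparsed `accountexpires` (presumably `null`, since the attribute mapping is above this hunk) compares below `time()` under PHP's loose comparison and the account is reported inactive. That is the fail-closed direction, which is right for a login/visibility gate, but it is easy to "fix" away later; state it explicitly with `// absent/unparsed accountexpires deliberately counts as expired (fail closed)`. Note also that AD encodes "never expires" as both 0 and 0x7FFFFFFFFFFFFFFF, so whatever produces the `-1` sentinel (outside this hunk) must map both, otherwise every account with the 0x7FFF… form disappears from the address book. `user_active()` runs the full `_ldap2user()` conversion, so callers should be told in its docblock that `$data` must be the raw LDAP entry shape (`['attr'][0]`), not just the two attributes named there; `_ldap2user` itself starts above the hunk.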
/** /**
* Reads the data of one user * Reads the data of one user
* *


@ -400,7 +400,7 @@ function pear_check($package,$args)
} }
if ($pear_available && $package) if ($pear_available && $package)
{ {
$file = str_replace('_','/',$package).'.php'; $file = str_replace('_','/',$package == 'Mail_Mime' ? 'Mail_mime' : $package).'.php';
$available = @include_once($file); $available = @include_once($file);


@ -30,7 +30,7 @@
* setup/setup-cli.php [--dry-run] --setup-cmd-ldap <domain>,<config-user>,<config-pw> sub_command=copy2ad \ * setup/setup-cli.php [--dry-run] --setup-cmd-ldap <domain>,<config-user>,<config-pw> sub_command=copy2ad \
* ldap_base=dc=local ldap_root_dn=cn=admin,dc=local ldap_root_pw=secret ldap_host=localhost \ * ldap_base=dc=local ldap_root_dn=cn=admin,dc=local ldap_root_pw=secret ldap_host=localhost \
* ads_domain=samba4.intern [ads_admin_user=Administrator] ads_admin_pw=secret ads_host=ad.samba4.intern [ads_connection=(ssl|tls)] \ * ads_domain=samba4.intern [ads_admin_user=Administrator] ads_admin_pw=secret ads_host=ad.samba4.intern [ads_connection=(ssl|tls)] \
* attributes=@inetOrgPerson,{smtp:}proxyAddresses=mail,{smtp:}proxyAddresses=mailalias,{quota:}proxyAddresses=mailuserquota,{forward:}proxyaddresses=maildrop * attributes=@inetOrgPerson,accountExpires=shadowExpire,{smtp:}proxyAddresses=mail,{smtp:}proxyAddresses=mailalias,{quota:}proxyAddresses=mailuserquota,{forward:}proxyaddresses=maildrop
* *
* - copies from samba-tool clasicupgrade not copied inetOrgPerson attributes and mail attributes to AD * - copies from samba-tool clasicupgrade not copied inetOrgPerson attributes and mail attributes to AD
*/ */
@ -333,6 +333,14 @@ class setup_cmd_ldap extends setup_cmd
if ($value) if ($value)
{ {
$to = isset($rename[$attr]) ? $rename[$attr] : $attr; $to = isset($rename[$attr]) ? $rename[$attr] : $attr;
// special handling for copying shadowExpires to accountExpires (not set or 0 is handled by classicupgrade!)
if ($attr == 'shadowexpire' && strtolower($to) == 'accountexpires')
{
if (is_null($utc_diff)) $utc_diff = date('Z');
$value = $value*24*3600+$utc_diff; // ldap time to unixTime
$update['accountexpires'] = accounts_ads::convertUnixTimeToWindowsTime($value);
continue;
}
unset($prefix); unset($prefix);
if ($to[0] == '{') // eg. {smtp:}proxyAddresses=forwardTo if ($to[0] == '{') // eg. {smtp:}proxyAddresses=forwardTo
{ {
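Review bot: The conversion `$value = $value*24*3600+$utc_diff` takes shadowExpire (per the shadow schema, days since the Unix epoch, i.e. midnight UTC of the expiry day) and then adds the server's current UTC offset from `date('Z')`; for zones east of UTC that pushes the expiry later than both midnight UTC and midnight local, extending the account's validity by up to the offset, and because the offset is taken for "now" it carries today's DST state rather than the expiry day's. If local midnight is the intent, compute the offset for that day and subtract it, `$value = $value*24*3600; $value -= (int)date('Z', $value);`; if midnight UTC is acceptable, drop the offset and say so in the comment. `$utc_diff` is initialised lazily here with `is_null`, so its declaration must live above the loop — the enclosing loop and method begin outside the hunk, as does the `$update` array this branch writes into.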