* LDAP/Univention: periodic account-import for Univention (mailPrimaryAddress), use LDAP account-filter for reading accounts too

also set chunk-size for reading to 500; it was somehow 5, probably left over from debugging
This commit is contained in:
ralf 2023-03-25 21:36:39 +01:00
parent 7a2a750432
commit 2cde60c266
3 changed files with 19 additions and 10 deletions


@ -59,7 +59,7 @@ class Import
$GLOBALS['egw_info']['server'] += Api\Config::read('phpgwapi');
}
if (!in_array($source = $GLOBALS['egw_info']['server']['account_import_source'], ['ldap', 'ads']))
if (!in_array($source = $GLOBALS['egw_info']['server']['account_import_source'], ['ldap', 'ads', 'univention']))
{
throw new \InvalidArgumentException("Invalid account_import_source='{$GLOBALS['egw_info']['server']['account_import_source']}'!");
}
@ -154,7 +154,7 @@ class Import
{
try {
// determine from where we migrate to what
if (!in_array($source = $GLOBALS['egw_info']['server']['account_import_source'], ['ldap', 'ads']))
if (!in_array($source = $GLOBALS['egw_info']['server']['account_import_source'], ['ldap', 'ads', 'univention']))
{
throw new \InvalidArgumentException("Invalid account_import_source='{$GLOBALS['egw_info']['server']['account_import_source']}'!");
}
@ -168,7 +168,7 @@ class Import
}
if (!$initial_import && empty($GLOBALS['egw_info']['server']['account_import_lastrun']))
{
throw new \InvalidArgumentException(lang("You need to run the inital import first!"));
throw new \InvalidArgumentException(lang("You need to run the initial import first!"));
}
Api\Accounts::cache_invalidate(); // to not get any cached data eg. from the wrong backend
@ -215,7 +215,7 @@ class Import
$last_modified = null;
$start_import = time();
$cookie = '';
$start = ['', 5, &$cookie]; // cookie must be a reference!
$start = ['', 500, &$cookie]; // cookie must be a reference!
do
{
foreach ($this->contacts->search('', false, '', 'account_lid', '', '', 'AND', $start, $filter) as $contact)
@ -402,7 +402,7 @@ class Import
}
}
// if requested, also set memberships
if ($type === 'users+groups' && !$dry_run)
if (in_array('groups', explode('+', $type)) && !$dry_run)
{
// LDAP backend does not query it automatic
if (!isset($account['memberships']))
@ -884,9 +884,14 @@ class Import
{
if (!($account = $this->accounts->read($ldap_id)))
{
$this->logger("Failed reading user '$account_lid' (#$ldap_id) from LDAP, maybe he is not contained in filter --> ignored", 'detail');
$this->logger("Failed reading user '$account_lid' (#$ldap_id) from LDAP to set as member of group '$group', maybe he is not contained in filter --> ignored", 'detail');
continue;
}
// LDAP backend does not query it automatic
if (!isset($account['memberships']))
{
$account['memberships'] = $this->accounts->memberships($ldap_id);
}
if (!($contact = $this->contacts->read($account['person_id'])))
{
$this->logger("Error reading contact-data of user '$account_lid' (#$ldap_id)", 'error');
@ -926,11 +931,11 @@ class Import
$this->accounts_sql->set_memberships(array_filter(array_map(function($account_lid)
{
return $this->accounts_sql->name2id($account_lid);
}, $account['memberships'])), $sql_account['account_id']);
}, $account['memberships'] ?? [])), $sql_account['account_id']);
}
else
{
if (!($memberships = $this->accounts_sql->memberships($account_id)))
if (($memberships = $this->accounts_sql->memberships($account_id)) === false)
{
$this->logger("Error reading memberships of (existing) user '$account_lid' (#$account_id)!", 'error');
$errors++;
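Review bot: The list of accepted account_import_source values is now spelled out twice, in the two `in_array(..., ['ldap', 'ads', 'univention'])` checks, and both calls run without `strict: true`; a single class constant, e.g. `const IMPORT_SOURCES = ['ldap', 'ads', 'univention'];` used as `in_array($source, self::IMPORT_SOURCES, true)`, keeps the next backend from drifting between the two sites. The same loose comparison appears in the new `in_array('groups', explode('+', $type))`. The chunk size in `$start = ['', 500, &$cookie]` is a bare literal that would read better as a named constant, given that the commit message itself says the previous value was a leftover. Every function touched in these hunks starts and ends outside the visible lines.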


@ -555,7 +555,10 @@ class Ldap
*/
protected function _read_user($account_id)
{
$sri = ldap_search($this->ds, $this->user_context, '(&(objectclass=posixAccount)(uidnumber=' . (int)$account_id.'))',
// add account_filter to filter (user has to be '*', as we otherwise only search uid's)
$account_filter = str_replace(array('%user', '%domain'), array('*', $GLOBALS['egw_info']['user']['domain']), $this->account_filter);
$sri = ldap_search($this->ds, $this->user_context, '(&(objectclass=posixAccount)(uidnumber=' . (int)$account_id.")$account_filter)",
array('dn','uidnumber','uid','gidnumber','givenname','sn','cn',static::MAIL_ATTR,'userpassword','telephonenumber',
'shadowexpire','shadowlastchange','homedirectory','loginshell','createtimestamp','modifytimestamp'));
@ -582,7 +585,7 @@ class Ldap
// both status and expires are encoded in the single shadowexpire value in LDAP
// - if it's unset an account is enabled AND does never expire
// - if it's set to 0, the account is disabled
// - if it's set to > 0, it will or already has expired --> acount is active if it not yet expired
// - if it's set to > 0, it will or already has expired --> account is active if it not yet expired
// shadowexpire is in days since 1970/01/01 (equivalent to a timestamp (int UTC!) / (24*60*60)
'account_status' => isset($data['shadowexpire']) && $data['shadowexpire'][0]*24*3600+$utc_diff < time() ? false : 'A',
'account_expires' => isset($data['shadowexpire']) && $data['shadowexpire'][0] ? $data['shadowexpire'][0]*24*3600+$utc_diff : -1, // LDAP date is in UTC
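Review bot: The domain substituted into `$account_filter` in `_read_user` is dropped into the LDAP filter verbatim, so any filter metacharacters in `$GLOBALS['egw_info']['user']['domain']` (parentheses, `*`, `\`) would change the filter's meaning instead of being matched literally; escaping it for the filter context, `ldap_escape($GLOBALS['egw_info']['user']['domain'], '', LDAP_ESCAPE_FILTER)`, keeps the search well-formed. The `'*'` substituted for `%user` is intentional and must stay unescaped. The concatenation `")$account_filter)"` also assumes `$this->account_filter` is either empty or a fully parenthesised filter expression; a short comment stating that assumption next to the str_replace would help the next reader. `_read_user` continues past the hunk.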


@ -464,6 +464,7 @@
<select name="newsettings[account_import_source]">
<option value="ads" {selected_account_import_source_ads}>ADS</option>
<option value="ldap" {selected_account_import_source_ldap}>LDAP</option>
<option value="univention" {selected_account_import_source_univention}>Univention (LDAP)</option>
</select>
</td>
</tr>