* LDAP/Univention: periodic account-import for Univention (mailPrimaryAddress), use LDAP account-filter for reading accounts too

also set chunk-size for reading to 500 was somehow 5, probably from debugging

api/src/Accounts/Import.php

@@ -59,7 +59,7 @@ class Import
 			$GLOBALS['egw_info']['server'] += Api\Config::read('phpgwapi');
 		}
 
-		if (!in_array($source = $GLOBALS['egw_info']['server']['account_import_source'], ['ldap', 'ads']))
+		if (!in_array($source = $GLOBALS['egw_info']['server']['account_import_source'], ['ldap', 'ads', 'univention']))
 		{
 			throw new \InvalidArgumentException("Invalid account_import_source='{$GLOBALS['egw_info']['server']['account_import_source']}'!");
 		}
@@ -154,7 +154,7 @@ class Import
 	{
 		try {
 			// determine from where we migrate to what
-			if (!in_array($source = $GLOBALS['egw_info']['server']['account_import_source'], ['ldap', 'ads']))
+			if (!in_array($source = $GLOBALS['egw_info']['server']['account_import_source'], ['ldap', 'ads', 'univention']))
 			{
 				throw new \InvalidArgumentException("Invalid account_import_source='{$GLOBALS['egw_info']['server']['account_import_source']}'!");
 			}
@@ -168,7 +168,7 @@ class Import
 			}
 			if (!$initial_import && empty($GLOBALS['egw_info']['server']['account_import_lastrun']))
 			{
-				throw new \InvalidArgumentException(lang("You need to run the inital import first!"));
+				throw new \InvalidArgumentException(lang("You need to run the initial import first!"));
 			}
 
 			Api\Accounts::cache_invalidate();   // to not get any cached data eg. from the wrong backend
@@ -215,7 +215,7 @@ class Import
 			$last_modified = null;
 			$start_import = time();
 			$cookie = '';
-			$start = ['', 5, &$cookie]; // cookie must be a reference!
+			$start = ['', 500, &$cookie]; // cookie must be a reference!
 			do
 			{
 				foreach ($this->contacts->search('', false, '', 'account_lid', '', '', 'AND', $start, $filter) as $contact)
@@ -402,7 +402,7 @@ class Import
 						}
 					}
 					// if requested, also set memberships
-					if ($type === 'users+groups' && !$dry_run)
+					if (in_array('groups', explode('+', $type)) && !$dry_run)
 					{
 						// LDAP backend does not query it automatic
 						if (!isset($account['memberships']))
@@ -884,9 +884,14 @@ class Import
 				{
 					if (!($account = $this->accounts->read($ldap_id)))
 					{
-						$this->logger("Failed reading user '$account_lid' (#$ldap_id) from LDAP, maybe he is not contained in filter --> ignored", 'detail');
+						$this->logger("Failed reading user '$account_lid' (#$ldap_id) from LDAP to set as member of group '$group', maybe he is not contained in filter --> ignored", 'detail');
 						continue;
 					}
+					// LDAP backend does not query it automatic
+					if (!isset($account['memberships']))
+					{
+						$account['memberships'] = $this->accounts->memberships($ldap_id);
+					}
 					if (!($contact = $this->contacts->read($account['person_id'])))
 					{
 						$this->logger("Error reading contact-data of user '$account_lid' (#$ldap_id)", 'error');
@@ -926,11 +931,11 @@ class Import
 					$this->accounts_sql->set_memberships(array_filter(array_map(function($account_lid)
 					{
 						return $this->accounts_sql->name2id($account_lid);
-					}, $account['memberships'])), $sql_account['account_id']);
+					}, $account['memberships'] ?? [])), $sql_account['account_id']);
 				}
 				else
 				{
-					if (!($memberships = $this->accounts_sql->memberships($account_id)))
+					if (($memberships = $this->accounts_sql->memberships($account_id)) === false)
 					{
 						$this->logger("Error reading memberships of (existing) user '$account_lid' (#$account_id)!", 'error');
 						$errors++;

api/src/Accounts/Ldap.php

@@ -555,7 +555,10 @@ class Ldap
 	 */
 	protected function _read_user($account_id)
 	{
-		$sri = ldap_search($this->ds, $this->user_context, '(&(objectclass=posixAccount)(uidnumber=' . (int)$account_id.'))',
+		// add account_filter to filter (user has to be '*', as we otherwise only search uid's)
+		$account_filter = str_replace(array('%user', '%domain'), array('*', $GLOBALS['egw_info']['user']['domain']), $this->account_filter);
+
+		$sri = ldap_search($this->ds, $this->user_context, '(&(objectclass=posixAccount)(uidnumber=' . (int)$account_id.")$account_filter)",
 			array('dn','uidnumber','uid','gidnumber','givenname','sn','cn',static::MAIL_ATTR,'userpassword','telephonenumber',
 				'shadowexpire','shadowlastchange','homedirectory','loginshell','createtimestamp','modifytimestamp'));
 
@@ -582,7 +585,7 @@ class Ldap
 			// both status and expires are encoded in the single shadowexpire value in LDAP
 			// - if it's unset an account is enabled AND does never expire
 			// - if it's set to 0, the account is disabled
-			// - if it's set to > 0, it will or already has expired --> acount is active if it not yet expired
+			// - if it's set to > 0, it will or already has expired --> account is active if it not yet expired
 			// shadowexpire is in days since 1970/01/01 (equivalent to a timestamp (int UTC!) / (24*60*60)
 			'account_status'    => isset($data['shadowexpire']) && $data['shadowexpire'][0]*24*3600+$utc_diff < time() ? false : 'A',
 			'account_expires'   => isset($data['shadowexpire']) && $data['shadowexpire'][0] ? $data['shadowexpire'][0]*24*3600+$utc_diff : -1, // LDAP date is in UTC

setup/templates/default/config.tpl

@@ -464,6 +464,7 @@
      <select name="newsettings[account_import_source]">
       <option value="ads" {selected_account_import_source_ads}>ADS</option>
       <option value="ldap" {selected_account_import_source_ldap}>LDAP</option>
+      <option value="univention" {selected_account_import_source_univention}>Univention (LDAP)</option>
      </select>
     </td>
    </tr>