need to report expired accounts as NOT active and add ability to copy shadowExpire attribute from LDAP to AD (not done by samba-tool classicupgrade!)

This commit is contained in:
Ralf Becker 2013-06-20 09:56:43 +00:00
parent 692a513f5f
commit 96c5697009
5 changed files with 38 additions and 3 deletions

View File

@ -103,6 +103,7 @@ class addressbook_ads extends addressbook_ldap
'account_id' => 'objectsid',
'account_lid' => 'samaccountname',
'contact_uid' => 'objectguid',
'accountexpires', 'useraccountcontrol', // needed to exclude deactivated or expired accounts
);
foreach($this->schema2egw as $schema => $attributes)
@ -182,6 +183,9 @@ class addressbook_ads extends addressbook_ldap
// ignore system accounts
if ($contact['account_id'] < accounts_ads::MIN_ACCOUNT_ID) return false;
// ignore deactivated or expired accounts
if (!$this->accounts_ads->user_active($data)) return false;
$this->_inetorgperson2egw($contact, $data);
}

View File

@ -513,6 +513,8 @@ class accounts
/**
* test if an account is expired
*
* Can be used static if array with user-data is supplied
*
* @param array $data=null array with account data, not specifying the account is depricated!!!
* @return boolean true=expired (no more login possible), false otherwise
*/
@ -528,6 +530,8 @@ class accounts
/**
* Test if an account is active - NOT deactivated or expired
*
* Can be used static if array with user-data is supplied
*
* @param int|array $data account_id or array with account-data
* @return boolean false if account does not exist, is expired or decativated, true otherwise
*/
@ -535,7 +539,7 @@ class accounts
{
if (!is_array($data)) $data = $this->read($data);
return $data && !($this->is_expired($data) || $data['account_status'] != 'A');
return $data && !(self::is_expired($data) || $data['account_status'] != 'A');
}
/**

View File

@ -486,11 +486,30 @@ class accounts_ads
'account_modified' => !isset($data['whenchanged'][0]) ? null :
self::_when2ts($data['whenchanged'][0]),
);
// expired accounts are NOT active
if ($user['account_expires'] !== -1 && $user['account_expires'] < time())
{
$user['account_status'] = false;
}
$user['person_id'] = $user['account_guid']; // id of contact
//error_log(__METHOD__."(".array2string($data).") returning ".array2string($user));
return $user;
}
/**
* Check if user is active
*
* @param array $data values for attributes 'useraccountcontrol' and 'accountexpires'
* @return boolean true if user is active, false otherwise
*/
public function user_active(array $data)
{
$user = $this->_ldap2user($data);
$active = accounts::is_active($user);
//error_log(__METHOD__."(cn={$data['cn'][0]}, useraccountcontrol={$data['useraccountcontrol'][0]}, accountexpires={$data['accountexpires'][0]}) user=".array2string($user)." returning ".array2string($active));
return $active;
}
/**
* Reads the data of one user
*

View File

@ -400,7 +400,7 @@ function pear_check($package,$args)
}
if ($pear_available && $package)
{
$file = str_replace('_','/',$package).'.php';
$file = str_replace('_','/',$package == 'Mail_Mime' ? 'Mail_mime' : $package).'.php';
$available = @include_once($file);

View File

@ -30,7 +30,7 @@
* setup/setup-cli.php [--dry-run] --setup-cmd-ldap <domain>,<config-user>,<config-pw> sub_command=copy2ad \
* ldap_base=dc=local ldap_root_dn=cn=admin,dc=local ldap_root_pw=secret ldap_host=localhost \
* ads_domain=samba4.intern [ads_admin_user=Administrator] ads_admin_pw=secret ads_host=ad.samba4.intern [ads_connection=(ssl|tls)] \
* attributes=@inetOrgPerson,{smtp:}proxyAddresses=mail,{smtp:}proxyAddresses=mailalias,{quota:}proxyAddresses=mailuserquota,{forward:}proxyaddresses=maildrop
* attributes=@inetOrgPerson,accountExpires=shadowExpire,{smtp:}proxyAddresses=mail,{smtp:}proxyAddresses=mailalias,{quota:}proxyAddresses=mailuserquota,{forward:}proxyaddresses=maildrop
*
* - copies from samba-tool clasicupgrade not copied inetOrgPerson attributes and mail attributes to AD
*/
@ -333,6 +333,14 @@ class setup_cmd_ldap extends setup_cmd
if ($value)
{
$to = isset($rename[$attr]) ? $rename[$attr] : $attr;
// special handling for copying shadowExpires to accountExpires (not set or 0 is handled by classicupgrade!)
if ($attr == 'shadowexpire' && strtolower($to) == 'accountexpires')
{
if (is_null($utc_diff)) $utc_diff = date('Z');
$value = $value*24*3600+$utc_diff; // ldap time to unixTime
$update['accountexpires'] = accounts_ads::convertUnixTimeToWindowsTime($value);
continue;
}
unset($prefix);
if ($to[0] == '{') // eg. {smtp:}proxyAddresses=forwardTo
{