new setup config denying (default) or allowing user names identical to system users (ldap only)

admin/inc/class.admin_cmd_edit_user.inc.php

@@ -62,6 +62,13 @@ class admin_cmd_edit_user extends admin_cmd_change_pw
 		{
 			throw new egw_exception_wrong_userinput(lang('You must enter a loginid'),9);
 		}
+		// Check if an account already exists as system user, and if it does deny creation
+		if ($GLOBALS['egw_info']['server']['account_repository'] == 'ldap' &&
+			!$GLOBALS['egw_info']['server']['ldap_allow_systemusernames'] &&
+			function_exists('posix_getpwnam') && posix_getpwnam($data['account_lid']))
+		{
+			throw new egw_exception_wrong_userinput(lang('There already is a system-user with this name. User\'s should not have the same name as a systemuser'),99);
+		}
 		if (!$data['account_lastname'] && (!$this->account || !is_null($data['account_lastname'])))
 		{
 			throw new egw_exception_wrong_userinput(lang('You must enter a lastname'),9);

admin/inc/class.boaccounts.inc.php

@@ -352,17 +352,15 @@
 				$error[$totalerrors] = lang('The groups must include the primary group');
 				$totalerrors++;
 			}
-			// if accounts stored in ldap, there is a chance that users are systemusers as well.
-			// check if an account already exists there, and if it does deny creation (increase the totalerrors counter
-			// and the message thereof
-			if($GLOBALS['egw_info']['server']['account_repository'] == 'ldap')
-			{
-				if (function_exists('posix_getpwnam') && posix_getpwnam($_userData['account_lid']))
+			// Check if an account already exists as system user, and if it does deny creation
+			// (increase the totalerrors counter and the message thereof)
+			if ($GLOBALS['egw_info']['server']['account_repository'] == 'ldap' &&
+				!$GLOBALS['egw_info']['server']['ldap_allow_systemusernames'] &&
+				function_exists('posix_getpwnam') && posix_getpwnam($_userData['account_lid']))
 			{
 				$error[$totalerrors] = lang('There already is a system-user with this name. User\'s should not have the same name as a systemuser');
 				$totalerrors++;
 			}
-			}
 			if($_userData['old_loginid'] != $_userData['account_lid'])
 			{
 				if($GLOBALS['egw']->accounts->exists($_userData['account_lid']))

phpgwapi/inc/class.accounts.inc.php

@@ -1051,44 +1051,3 @@ class accounts
 		return $data;
 	}
 }
-
-/**
- * Enable this only, if your system users are automatically eGroupWare users.
- * This is NOT the case for most installations and silently rejecting all this names causes a lot of trouble.
-
-$GLOBALS['egw_info']['server']['global_denied_users'] = array(
-	'root'     => True, 'bin'      => True, 'daemon'   => True,
-	'adm'      => True, 'lp'       => True, 'sync'     => True,
-	'shutdown' => True, 'halt'     => True, 'ldap'     => True,
-	'mail'     => True, 'news'     => True, 'uucp'     => True,
-	'operator' => True, 'games'    => True, 'gopher'   => True,
-	'nobody'   => True, 'xfs'      => True, 'pgsql'    => True,
-	'mysql'    => True, 'postgres' => True, 'oracle'   => True,
-	'ftp'      => True, 'gdm'      => True, 'named'    => True,
-	'alias'    => True, 'web'      => True, 'sweep'    => True,
-	'cvs'      => True, 'qmaild'   => True, 'qmaill'   => True,
-	'qmaillog' => True, 'qmailp'   => True, 'qmailq'   => True,
-	'qmailr'   => True, 'qmails'   => True, 'rpc'      => True,
-	'rpcuser'  => True, 'amanda'   => True, 'apache'   => True,
-	'pvm'      => True, 'squid'    => True, 'ident'    => True,
-	'nscd'     => True, 'mailnull' => True, 'cyrus'    => True,
-	'backup'    => True
-);
-
-$GLOBALS['egw_info']['server']['global_denied_groups'] = array(
-	'root'      => True, 'bin'       => True, 'daemon'    => True,
-	'sys'       => True, 'adm'       => True, 'tty'       => True,
-	'disk'      => True, 'lp'        => True, 'mem'       => True,
-	'kmem'      => True, 'wheel'     => True, 'mail'      => True,
-	'uucp'      => True, 'man'       => True, 'games'     => True,
-	'dip'       => True, 'ftp'       => True, 'nobody'    => True,
-	'floppy'    => True, 'xfs'       => True, 'console'   => True,
-	'utmp'      => True, 'pppusers'  => True, 'popusers'  => True,
-	'slipusers' => True, 'slocate'   => True, 'mysql'     => True,
-	'dnstools'  => True, 'web'       => True, 'named'     => True,
-	'dba'       => True, 'oinstall'  => True, 'oracle'    => True,
-	'gdm'       => True, 'sweep'     => True, 'cvs'       => True,
-	'postgres'  => True, 'qmail'     => True, 'nofiles'   => True,
-	'ldap'      => True, 'backup'    => True
-);
-*/

phpgwapi/inc/class.accounts_ldap.inc.php

@@ -317,6 +317,13 @@ class accounts_ldap
 				$to_write['mail'] = array_values(array_unique($mail));
 			}
 			$data['account_type'] = 'u';
+
+			// Check if an account already exists as system user, and if it does deny creation
+			if (!$GLOBALS['egw_info']['server']['ldap_allow_systemusernames'] &&
+				function_exists('posix_getpwnam') && posix_getpwnam($data['account_lid']))
+			{
+				throw new egw_exception_wrong_userinput(lang('There already is a system-user with this name. User\'s should not have the same name as a systemuser'));
+			}
 		}
 
 		// remove memberuid when adding a group

setup/templates/default/config.tpl

@@ -467,7 +467,17 @@
     <td><input name="newsettings[ldap_account_shell]" value="{value_ldap_account_shell}" /></td>
    </tr>
 
-   <tr class="row_on" valign="top">
+   <tr class="row_on">
+     <td>{lang_Allow_usernames_identical_to_system_users?}:</td>
+     <td>
+      <select name="newsettings[ldap_allow_systemusernames]">
+       <option value="">{lang_No}</option>
+       <option value="True"{selected_ldap_allow_systemusernames_True}>{lang_Yes}</option>
+      </select>
+     </td>
+    </tr>
+
+   <tr class="row_off" valign="top">
     <td>
      <a href="account_migration.php"><b>{lang_Migration_between_eGroupWare_account_repositories}:</b></a>
     </td>