new setup config denying (default) or allowing user names identical to system users (ldap only)

This commit is contained in:
Ralf Becker 2010-03-16 16:33:28 +00:00
parent 7489a9cfb4
commit b40f14a95e
5 changed files with 44 additions and 63 deletions


@ -7,13 +7,13 @@
* @package admin
* @copyright (c) 2007 by Ralf Becker <RalfBecker-AT-outdoor-training.de>
* @license http://opensource.org/licenses/gpl-license.php GPL - GNU General Public License
* @version $Id$
* @version $Id$
*/
/**
* admin command: edit/add a user
*/
class admin_cmd_edit_user extends admin_cmd_change_pw
class admin_cmd_edit_user extends admin_cmd_change_pw
{
/**
* Constructor
@ -37,7 +37,7 @@ class admin_cmd_edit_user extends admin_cmd_change_pw
/**
* change the password of a given user
*
*
* @param boolean $check_only=false only run the checks (and throw the exceptions), but not the command itself
* @return string success message
* @throws egw_exception_no_admin
@ -62,11 +62,18 @@ class admin_cmd_edit_user extends admin_cmd_change_pw
{
throw new egw_exception_wrong_userinput(lang('You must enter a loginid'),9);
}
// Check if an account already exists as system user, and if it does deny creation
if ($GLOBALS['egw_info']['server']['account_repository'] == 'ldap' &&
!$GLOBALS['egw_info']['server']['ldap_allow_systemusernames'] &&
function_exists('posix_getpwnam') && posix_getpwnam($data['account_lid']))
{
throw new egw_exception_wrong_userinput(lang('There already is a system-user with this name. User\'s should not have the same name as a systemuser'),99);
}
if (!$data['account_lastname'] && (!$this->account || !is_null($data['account_lastname'])))
{
throw new egw_exception_wrong_userinput(lang('You must enter a lastname'),9);
}
if (!is_null($data['account_lid']) && ($id = admin_cmd::$accounts->name2id($data['account_lid'],'account_lid','u')) &&
if (!is_null($data['account_lid']) && ($id = admin_cmd::$accounts->name2id($data['account_lid'],'account_lid','u')) &&
$id !== $data['account_id'])
{
throw new egw_exception_wrong_userinput(lang('That loginid has already been taken'),999);
@ -77,10 +84,10 @@ class admin_cmd_edit_user extends admin_cmd_change_pw
}
$data['account_expires'] = $expires = self::_parse_expired($data['account_expires'],(boolean)$this->account);
$data['account_status'] = is_null($expires) ? null : ($expires == -1 || $expires > time() ? 'A' : '');
$data['changepassword'] = admin_cmd::parse_boolean($data['changepassword'],$this->account ? null : true);
$data['anonymous'] = admin_cmd::parse_boolean($data['anonymous'],$this->account ? null : false);
if (!$data['account_primary_group'] && $this->account)
{
$data['account_primary_group'] = null; // dont change
@ -106,7 +113,7 @@ class admin_cmd_edit_user extends admin_cmd_change_pw
$data['account_groups'] = admin_cmd::parse_accounts($data['account_groups'],false);
}
if ($check_only) return true;
if ($this->account)
{
if (!($old = admin_cmd::$accounts->read($data['account_id'])))
@ -161,7 +168,7 @@ class admin_cmd_edit_user extends admin_cmd_change_pw
$GLOBALS['egw']->hooks->process($GLOBALS['hook_values']+array(
'location' => $this->account ? 'editaccount' : 'addaccount'
),False,True); // called for every app now, not only enabled ones)
return lang("Account %1 %2",$this->account ? $this->account : $data['account_lid'],
$this->account ? lang('updated') : lang("created with id #%1",$data['account_id']));
}
@ -176,7 +183,7 @@ class admin_cmd_edit_user extends admin_cmd_change_pw
return lang('%1 user %2',$this->account ? lang('Edit') : lang('Add'),
admin_cmd::display_account($this->account ? $this->account : $this->set['account_lid']));
}
/**
* parse the expired string and return the expired date as timestamp
*
@ -190,7 +197,7 @@ class admin_cmd_edit_user extends admin_cmd_change_pw
switch($str)
{
case '':
if ($existing) return null;
if ($existing) return null;
// fall through --> default for new accounts is never
case 'never':
return -1;
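Review bot: The new system-user check at lines 39-41 is not scoped to new accounts or changed loginids, so if an existing account's unchanged loginid arrives in `$data['account_lid']` as a non-null value, an account that already shares its name with a system user (created while `ldap_allow_systemusernames` was on, or before this check existed) can no longer be edited at all; the duplicate-loginid check right below it is guarded by `!is_null($data['account_lid'])` and `$id !== $data['account_id']`, and this one should carry the same `!is_null($data['account_lid']) &&` guard so it only fires for a loginid that is actually being set. The leading `function_exists('posix_getpwnam') &&` also turns the default-deny policy into a silent no-op on hosts without the posix extension, and since `posix_getpwnam()` consults the web server host's own user database rather than the directory, whether that host sees the relevant system users is an assumption worth a comment such as `// NOTE: relies on the webserver host's NSS; check is skipped when ext/posix is missing`. The same predicate and message are repeated in the two other files of this commit (lines 106-108 and 173-174), so the scoping fix applies there too.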


@ -352,16 +352,14 @@
$error[$totalerrors] = lang('The groups must include the primary group');
$totalerrors++;
}
// if accounts stored in ldap, there is a chance that users are systemusers as well.
// check if an account already exists there, and if it does deny creation (increase the totalerrors counter
// and the message thereof
if($GLOBALS['egw_info']['server']['account_repository'] == 'ldap')
// Check if an account already exists as system user, and if it does deny creation
// (increase the totalerrors counter and the message thereof)
if ($GLOBALS['egw_info']['server']['account_repository'] == 'ldap' &&
!$GLOBALS['egw_info']['server']['ldap_allow_systemusernames'] &&
function_exists('posix_getpwnam') && posix_getpwnam($_userData['account_lid']))
{
if (function_exists('posix_getpwnam') && posix_getpwnam($_userData['account_lid']))
{
$error[$totalerrors] = lang('There already is a system-user with this name. User\'s should not have the same name as a systemuser');
$totalerrors++;
}
$error[$totalerrors] = lang('There already is a system-user with this name. User\'s should not have the same name as a systemuser');
$totalerrors++;
}
if($_userData['old_loginid'] != $_userData['account_lid'])
{
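Review bot: The condition and message at lines 106-108 and 115 are a verbatim copy of the admin_cmd_edit_user and accounts_ldap versions in this commit, and the copies have already started to diverge (the accounts_ldap one omits the numeric error code), so a single static helper on the accounts class, say `accounts::is_systemuser_name($lid)` (constructed name), returning the boolean and owning the `ldap_allow_systemusernames` and `function_exists('posix_getpwnam')` logic would keep the three call sites from drifting. The user-facing text also has a stray apostrophe: `User's should not have the same name as a systemuser` should read `Users should not have the same name as a system user`, which matters because the string is the translation key. The enclosing function starts outside the hunk.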


@ -1051,44 +1051,3 @@ class accounts
return $data;
}
}
/**
* Enable this only, if your system users are automatically eGroupWare users.
* This is NOT the case for most installations and silently rejecting all this names causes a lot of trouble.
$GLOBALS['egw_info']['server']['global_denied_users'] = array(
'root' => True, 'bin' => True, 'daemon' => True,
'adm' => True, 'lp' => True, 'sync' => True,
'shutdown' => True, 'halt' => True, 'ldap' => True,
'mail' => True, 'news' => True, 'uucp' => True,
'operator' => True, 'games' => True, 'gopher' => True,
'nobody' => True, 'xfs' => True, 'pgsql' => True,
'mysql' => True, 'postgres' => True, 'oracle' => True,
'ftp' => True, 'gdm' => True, 'named' => True,
'alias' => True, 'web' => True, 'sweep' => True,
'cvs' => True, 'qmaild' => True, 'qmaill' => True,
'qmaillog' => True, 'qmailp' => True, 'qmailq' => True,
'qmailr' => True, 'qmails' => True, 'rpc' => True,
'rpcuser' => True, 'amanda' => True, 'apache' => True,
'pvm' => True, 'squid' => True, 'ident' => True,
'nscd' => True, 'mailnull' => True, 'cyrus' => True,
'backup' => True
);
$GLOBALS['egw_info']['server']['global_denied_groups'] = array(
'root' => True, 'bin' => True, 'daemon' => True,
'sys' => True, 'adm' => True, 'tty' => True,
'disk' => True, 'lp' => True, 'mem' => True,
'kmem' => True, 'wheel' => True, 'mail' => True,
'uucp' => True, 'man' => True, 'games' => True,
'dip' => True, 'ftp' => True, 'nobody' => True,
'floppy' => True, 'xfs' => True, 'console' => True,
'utmp' => True, 'pppusers' => True, 'popusers' => True,
'slipusers' => True, 'slocate' => True, 'mysql' => True,
'dnstools' => True, 'web' => True, 'named' => True,
'dba' => True, 'oinstall' => True, 'oracle' => True,
'gdm' => True, 'sweep' => True, 'cvs' => True,
'postgres' => True, 'qmail' => True, 'nofiles' => True,
'ldap' => True, 'backup' => True
);
*/


@ -317,6 +317,13 @@ class accounts_ldap
$to_write['mail'] = array_values(array_unique($mail));
}
$data['account_type'] = 'u';
// Check if an account already exists as system user, and if it does deny creation
if (!$GLOBALS['egw_info']['server']['ldap_allow_systemusernames'] &&
function_exists('posix_getpwnam') && posix_getpwnam($data['account_lid']))
{
throw new egw_exception_wrong_userinput(lang('There already is a system-user with this name. User\'s should not have the same name as a systemuser'));
}
}
// remove memberuid when adding a group
@ -951,7 +958,7 @@ class accounts_ldap
*/
function members($gid)
{
if (!is_numeric($gid))
if (!is_numeric($gid))
{
// try to recover
$gid = $this->name2id($gid,'account_lid','g');
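Review bot: The check added at lines 172-177 sits in the storage backend, so it runs for every caller that writes a user record, not only the two UI paths patched in this commit; an existing account whose loginid coincides with a system user therefore becomes unsaveable from any code path once an admin turns `ldap_allow_systemusernames` off, and nothing visible here distinguishes a create from an update. The enclosing method starts outside the hunk, so if `$data['account_id']` is populated for updates at this point, guarding with `empty($data['account_id']) &&` (or whatever the method uses to tell the two apart) would limit the rejection to newly created names. Unlike the admin command's `egw_exception_wrong_userinput(..., 99)` this copy throws without an error code, which callers that branch on the code will not recognise; passing the same `99` keeps the three sites consistent. Since this is the one place that covers non-UI writers, it is worth a one-line comment stating that it is the authoritative enforcement point for the setting.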


@ -74,7 +74,7 @@
</select>
</td>
</tr>
<tr class="row_on">
<td>{lang_Complete_path_to_aspell_program}:</td>
<td>
@ -467,7 +467,17 @@
<td><input name="newsettings[ldap_account_shell]" value="{value_ldap_account_shell}" /></td>
</tr>
<tr class="row_on" valign="top">
<tr class="row_on">
<td>{lang_Allow_usernames_identical_to_system_users?}:</td>
<td>
<select name="newsettings[ldap_allow_systemusernames]">
<option value="">{lang_No}</option>
<option value="True"{selected_ldap_allow_systemusernames_True}>{lang_Yes}</option>
</select>
</td>
</tr>
<tr class="row_off" valign="top">
<td>
<a href="account_migration.php"><b>{lang_Migration_between_eGroupWare_account_repositories}:</b></a>
</td>