@tpokorra
Created June 25, 2013 11:22
domainadmin patch for Kolab trunk
diff -uNr kolab-webadmin.orig/lib/api/kolab_api_service_domain_types.php kolab-webadmin/lib/api/kolab_api_service_domain_types.php
--- kolab-webadmin.orig/lib/api/kolab_api_service_domain_types.php 2013-06-18 11:33:48.542736382 +0200
+++ kolab-webadmin/lib/api/kolab_api_service_domain_types.php 2013-06-18 11:34:09.088733566 +0200
@@ -64,6 +64,10 @@
'associateddomain' => array(
'type' => 'list',
),
+ 'domainadmin' => array(
+ 'type' => 'list',
+ 'optional' => 'true',
+ ),
'inetdomainbasedn' => array(
'optional' => 'true',
),
diff -uNr kolab-webadmin.orig/lib/Auth/LDAP.php kolab-webadmin/lib/Auth/LDAP.php
--- kolab-webadmin.orig/lib/Auth/LDAP.php 2013-06-18 11:33:48.542736382 +0200
+++ kolab-webadmin/lib/Auth/LDAP.php 2013-06-18 11:39:40.035734248 +0200
@@ -145,6 +145,18 @@
$_SESSION['user']->user_bind_dn = $result;
$_SESSION['user']->user_bind_pw = $password;
+ # if the user does not have access to the default domain, set another domain
+ $domains = $this->list_domains();
+ $domain = "";
+ foreach ($domains['list'] as $key => $value) {
+ $domain = $value['associateddomain'];
+
+ if ($domain == $this->domain) {
+ break;
+ }
+ }
+ $_SESSION['user']->set_domain($domain);
+
return $result;
}
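Review bot: When no entry in `$domains['list']` equals `$this->domain`, the loop at L34-L40 exits with `$domain` holding whichever domain was listed last, and when the list is empty or `list_domains()` returned nothing it stays `""`, so `set_domain()` at L41 receives an arbitrary or empty domain at login; the enclosing method starts before this hunk. If `list_domains()` is already restricted by the bound user's read rights then "a domain the user can read" is presumably the intent, but make that explicit and fail when there is none: `$list = isset($domains['list']) ? $domains['list'] : array();` followed by `if (empty($list)) { return false; }` before the loop, and compare with `===` rather than `==`. `associateddomain` is declared as a list type in the API (L15-L16), so `$value['associateddomain']` may be an array here rather than a string — worth confirming before comparing it to `$this->domain`.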
@@ -159,7 +171,7 @@
if ($domain_info === false) {
$this->_domain_add_new($parent_domain, $prepopulate);
}
-
+#TODO store domain admin?
$add_domain_result = $this->_domain_add_alias($domain, $parent_domain);
}
else {
@@ -176,6 +188,93 @@
return $this->domain_edit($domain, $domain_attrs);
}
+ private function ChangeDomainReadCapability($user, $domain, $action='add')
+ {
+ if (($tmpconn = ldap_connect($this->_ldap_server)) === false) {
+ return false;
+ }
+
+ if (ldap_bind($tmpconn, $_SESSION['user']->user_bind_dn, $_SESSION['user']->user_bind_pw) === false) {
+ ldap_close($tmpconn);
+ return false;
+ }
+
+ $associateddomain_dn="associateddomain=$domain,cn=kolab,cn=config";
+ $info = array();
+ $info["aci"] = array();
+ if (!(($sr = ldap_read($tmpconn, $associateddomain_dn, "(aci=*)", array('aci'))) === false)) {
+ $entry = ldap_get_entries($tmpconn, $sr);
+ if ($entry['count'] > 0) {
+ for ($count = 0; $count < $entry[0]['aci']['count']; $count++) {
+ if (strpos($entry[0]['aci'][$count], $user) === false) {
+ $info['aci'][] = $entry[0]['aci'][$count];
+ }
+ }
+ }
+ }
+
+ if ($action == 'add') {
+ $info["aci"][] = "(targetattr =\"*\")(version 3.0;acl \"$user\";allow (read,search) (userdn=\"ldap:///$user\");)";
+ }
+
+ if (ldap_modify($tmpconn, $associateddomain_dn, $info) === false) {
+ ldap_close($tmpconn);
+ return false;
+ }
+
+ ldap_close($tmpconn);
+ return true;
+ }
+
+ private function domain_admin_save($domain, $domain_dn, $attributes) {
+ $currentdomain_dn = $this->_standard_root_dn($domain[$domain_dn]["associateddomain"]);
+ $currentdomain_da_dn = "cn=Directory Administrators,".$currentdomain_dn;
+
+ $domain_admins_result = $this->_search($currentdomain_dn, "cn=Directory Administrators*", array("uniqueMember"));
+ if ($domain_admins_result != null && count($domain_admins_result) > 0) {
+ $domain_admins = $domain_admins_result->entries(true);
+ }
+
+ if (empty($domain_admins[$currentdomain_da_dn]["uniquemember"])) {
+ $domain_admins[$currentdomain_da_dn]["uniquemember"] = Array();
+ }
+
+ if (!is_array($domain_admins[$currentdomain_da_dn]["uniquemember"])) {
+ $domain_admins[$currentdomain_da_dn]["uniquemember"] =
+ (array)($domain_admins[$currentdomain_da_dn]["uniquemember"]);
+ }
+
+ $info = array();
+ $info["uniquemember"] = array();
+ for ($count = 0; $count < count($attributes["domainadmin"]); $count++) {
+ $info["uniquemember"][] = $attributes["domainadmin"][$count];
+
+ if (!in_array($attributes["domainadmin"][$count], $domain_admins[$currentdomain_da_dn]["uniquemember"])) {
+ # add read permission to associateddomain in cn=kolab,cn=config
+ $this->ChangeDomainReadCapability($attributes["domainadmin"][$count], $domain[$domain_dn]["associateddomain"], 'add');
+ }
+ }
+
+ # check for removed admins: remove also read permission from associateddomain in cn=kolab,cn=config
+ foreach ($domain_admins[$currentdomain_da_dn]["uniquemember"] as $oldadmin) {
+ if (!in_array($oldadmin, $attributes["domainadmin"])) {
+ if ($oldadmin == "cn=Directory Manager") {
+ # make sure that Directory Manager is still in the list
+ $info["uniquemember"][] = "cn=Directory Manager";
+ } else {
+ # drop read permission to associateddomain in cn=kolab,cn=config
+ $this->ChangeDomainReadCapability($oldadmin, $domain[$domain_dn]["associateddomain"], 'remove');
+ }
+ }
+ }
+
+ $result = $this->modify_entry($currentdomain_da_dn, $domain_admins[$currentdomain_da_dn], $info);
+
+ if (!$result) {
+ return false;
+ }
+ }
+
public function domain_edit($domain, $attributes, $typeid = null)
{
$domain = $this->domain_info($domain, array_keys($attributes));
@@ -186,6 +285,12 @@
$domain_dn = key($domain);
+ # using isset, because if the array is empty, then we want to drop the domain admins.
+ if (isset($attributes["domainadmin"])) {
+ $this->domain_admin_save($domain, $domain_dn, $attributes);
+ unset($attributes["domainadmin"]);
+ }
+
// We should start throwing stuff over the fence here.
return $this->modify_entry($domain_dn, $domain[$domain_dn], $attributes);
}
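Review bot: `$user` is spliced unescaped into the ACI at L83, both as the acl name and inside `userdn="ldap:///$user"`, and it originates from the `domainadmin` request attribute via domain_admin_save at L120, so a value containing `"`, `)` or `;` closes the userdn clause and lets an API caller place an ACI of their own wording on the domain's config entry; validate it as a DN and refuse anything else before building the string. The filter at L75 then removes every existing ACI whose text merely contains `$user` as a substring, which also catches unrelated rules that mention that DN, and when `ldap_read` fails the code proceeds with an empty `$info['aci']` so `ldap_modify` replaces the attribute and wipes all ACIs on the entry. `$domain` at L68 is interpolated into the DN the same way; it comes from the stored associateddomain rather than the request, but still deserves escaping (`ldap_escape($domain, '', LDAP_ESCAPE_DN)` on PHP 5.6+). domain_admin_save never returns true and domain_edit at L151 discards its return value, so a failed ACI or uniqueMember update is silent and the edit still reports success. The rewrite below validates the DN, matches ACIs on the exact acl name, and aborts rather than rewriting from an empty list.
```php
    private function ChangeDomainReadCapability($user, $domain, $action='add')
    {
        // $user is embedded in an ACI and a DN below: accept only a parseable DN
        // without the characters that would terminate the ACI clause.
        if (preg_match('/["();]/', $user) || ldap_explode_dn($user, 0) === false) {
            return false;
        }
        // … unchanged: ldap_connect / ldap_bind …
        $associateddomain_dn = "associateddomain=$domain,cn=kolab,cn=config";
        $info = array('aci' => array());
        $acl_name = "acl \"$user\"";
        if (($sr = ldap_read($tmpconn, $associateddomain_dn, "(aci=*)", array('aci'))) === false) {
            // a read failure must not turn into a replace with an empty list
            ldap_close($tmpconn);
            return false;
        }
        $entry = ldap_get_entries($tmpconn, $sr);
        if ($entry['count'] > 0) {
            for ($count = 0; $count < $entry[0]['aci']['count']; $count++) {
                // keep every ACI except the one this code wrote for $user
                if (strpos($entry[0]['aci'][$count], $acl_name) === false) {
                    $info['aci'][] = $entry[0]['aci'][$count];
                }
            }
        }
        // … unchanged: append the new ACI on 'add', ldap_modify, ldap_close …
```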
@@ -220,6 +325,7 @@
$this->_log(LOG_DEBUG, "Auth::LDAP::domain_info() uses _search()");
$result = $this->_search($domain_base_dn, $domain_filter, $attributes);
$result = $result->entries(true);
+ $domain_dn = key($result);
}
else {
$this->_log(LOG_DEBUG, "Auth::LDAP::domain_info() uses _read()");
@@ -230,6 +336,25 @@
return false;
}
+ $currentdomain_dn = $this->_standard_root_dn($result[$domain_dn]["associateddomain"]);
+ $currentdomain_da_dn = "cn=Directory Administrators,".$currentdomain_dn;
+
+ $domain_admins_result = $this->_search($currentdomain_dn, "cn=Directory Administrators*", array("uniqueMember"));
+ if ($domain_admins_result != null && count($domain_admins_result) > 0) {
+ $domain_admins = $domain_admins_result->entries(true);
+ }
+
+ // read domain admins from LDAP, uniqueMembers of Directory Administrators of domain
+ $result[$domain_dn]["domainadmin"] = array();
+ if (is_array($domain_admins[$currentdomain_da_dn]["uniquemember"])) {
+ foreach ($domain_admins[$currentdomain_da_dn]["uniquemember"] as $domainadmin) {
+ $result[$domain_dn]["domainadmin"][] = $domainadmin;
+ }
+ }
+ else {
+ $result[$domain_dn]["domainadmin"][] = $domain_admins[$currentdomain_da_dn]["uniquemember"];
+ }
+
$this->_log(LOG_DEBUG, "Auth::LDAP::domain_info() result: " . var_export($result, true));
return $result;
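Review bot: At L179-L186 `$domain_admins` is only assigned when the search returned entries, so when it did not the code reads an undefined variable and the `else` branch appends `null` to `domainadmin`; guard on the search result and collapse the two branches with an `(array)` cast. The lookup also runs on every domain_info() call regardless of whether `domainadmin` was among the requested `$attributes`, costing an extra LDAP search per call. `$result[$domain_dn]["associateddomain"]` is passed to `_standard_root_dn` at L169 — associateddomain is declared as a list type in the API, so it may be an array here (and at L96 in domain_admin_save); worth confirming what `_standard_root_dn` expects. In the `_read()` branch `$domain_dn` is not assigned by this hunk or by the one at L162 — presumably set earlier, but the method body starts before the hunk so I cannot verify.
```php
        // read domain admins from LDAP, uniqueMembers of Directory Administrators of domain
        $result[$domain_dn]["domainadmin"] = array();
        if ($domain_admins_result != null && count($domain_admins_result) > 0) {
            $domain_admins = $domain_admins_result->entries(true);
            if (isset($domain_admins[$currentdomain_da_dn]["uniquemember"])) {
                // a single value comes back as a string; normalise to a list
                $result[$domain_dn]["domainadmin"] = (array) $domain_admins[$currentdomain_da_dn]["uniquemember"];
            }
        }
        // … unchanged: debug log and return …
```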
diff -uNr kolab-webadmin.orig/lib/client/kolab_client_task_domain.php kolab-webadmin/lib/client/kolab_client_task_domain.php
--- kolab-webadmin.orig/lib/client/kolab_client_task_domain.php 2013-06-18 11:33:48.533737103 +0200
+++ kolab-webadmin/lib/client/kolab_client_task_domain.php 2013-06-18 11:34:09.091733685 +0200
@@ -232,6 +232,7 @@
$sections = array(
'system' => 'domain.system',
'other' => 'domain.other',
+ 'admins' => 'domain.admins',
);
// field-to-section map and fields order
@@ -239,6 +240,7 @@
'type_id' => 'system',
'type_id_name' => 'system',
'associateddomain' => 'system',
+ 'domainadmin' => 'admins',
);
//console("domain_form() \$data", $data);
diff -uNr kolab-webadmin.orig/lib/kolab_api_service.php kolab-webadmin/lib/kolab_api_service.php
--- kolab-webadmin.orig/lib/kolab_api_service.php 2013-06-18 11:33:48.534737012 +0200
+++ kolab-webadmin/lib/kolab_api_service.php 2013-06-18 11:34:09.092733719 +0200
@@ -96,6 +96,9 @@
'inetdomainstatus' => array(
'optional' => true,
),
+ 'domainadmin' => array(
+ 'type' => 'list'
+ ),
),
'fields' => array(
'objectclass' => array(
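Review bot: Here `domainadmin` is declared without `'optional'`, whereas the same attribute in kolab_api_service_domain_types.php (L18-L21) carries `'optional' => 'true'`; if this block governs domain_add validation, creating a domain would then require a value that the add path does not persist (the `#TODO store domain admin?` at L50). Either add `'optional' => true` here, matching `inetdomainstatus` just above it, or finish the add path so the value is stored.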