Created
June 25, 2013 11:22
-
-
Save tpokorra/5857741 to your computer and use it in GitHub Desktop.
domainadmin patch for Kolab trunk
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| diff -uNr kolab-webadmin.orig/lib/api/kolab_api_service_domain_types.php kolab-webadmin/lib/api/kolab_api_service_domain_types.php | |
| --- kolab-webadmin.orig/lib/api/kolab_api_service_domain_types.php 2013-06-18 11:33:48.542736382 +0200 | |
| +++ kolab-webadmin/lib/api/kolab_api_service_domain_types.php 2013-06-18 11:34:09.088733566 +0200 | |
| @@ -64,6 +64,10 @@ | |
| 'associateddomain' => array( | |
| 'type' => 'list', | |
| ), | |
| + 'domainadmin' => array( | |
| + 'type' => 'list', | |
| + 'optional' => 'true', | |
| + ), | |
| 'inetdomainbasedn' => array( | |
| 'optional' => 'true', | |
| ), | |
| diff -uNr kolab-webadmin.orig/lib/Auth/LDAP.php kolab-webadmin/lib/Auth/LDAP.php | |
| --- kolab-webadmin.orig/lib/Auth/LDAP.php 2013-06-18 11:33:48.542736382 +0200 | |
| +++ kolab-webadmin/lib/Auth/LDAP.php 2013-06-18 11:39:40.035734248 +0200 | |
| @@ -145,6 +145,18 @@ | |
| $_SESSION['user']->user_bind_dn = $result; | |
| $_SESSION['user']->user_bind_pw = $password; | |
| + # if the user does not have access to the default domain, set another domain | |
| + $domains = $this->list_domains(); | |
| + $domain = ""; | |
| + foreach ($domains['list'] as $key => $value) { | |
| + $domain = $value['associateddomain']; | |
| + | |
| + if ($domain == $this->domain) { | |
| + break; | |
| + } | |
| + } | |
| + $_SESSION['user']->set_domain($domain); | |
| + | |
| return $result; | |
| } | |
| @@ -159,7 +171,7 @@ | |
| if ($domain_info === false) { | |
| $this->_domain_add_new($parent_domain, $prepopulate); | |
| } | |
| - | |
| +#TODO store domain admin? | |
| $add_domain_result = $this->_domain_add_alias($domain, $parent_domain); | |
| } | |
| else { | |
| @@ -176,6 +188,93 @@ | |
| return $this->domain_edit($domain, $domain_attrs); | |
| } | |
| + private function ChangeDomainReadCapability($user, $domain, $action='add') | |
| + { | |
| + if (($tmpconn = ldap_connect($this->_ldap_server)) === false) { | |
| + return false; | |
| + } | |
| + | |
| + if (ldap_bind($tmpconn, $_SESSION['user']->user_bind_dn, $_SESSION['user']->user_bind_pw) === false) { | |
| + ldap_close($tmpconn); | |
| + return false; | |
| + } | |
| + | |
| + $associateddomain_dn="associateddomain=$domain,cn=kolab,cn=config"; | |
| + $info = array(); | |
| + $info["aci"] = array(); | |
| + if (!(($sr = ldap_read($tmpconn, $associateddomain_dn, "(aci=*)", array('aci'))) === false)) { | |
| + $entry = ldap_get_entries($tmpconn, $sr); | |
| + if ($entry['count'] > 0) { | |
| + for ($count = 0; $count < $entry[0]['aci']['count']; $count++) { | |
| + if (strpos($entry[0]['aci'][$count], $user) === false) { | |
| + $info['aci'][] = $entry[0]['aci'][$count]; | |
| + } | |
| + } | |
| + } | |
| + } | |
| + | |
| + if ($action == 'add') { | |
| + $info["aci"][] = "(targetattr =\"*\")(version 3.0;acl \"$user\";allow (read,search) (userdn=\"ldap:///$user\");)"; | |
| + } | |
| + | |
| + if (ldap_modify($tmpconn, $associateddomain_dn, $info) === false) { | |
| + ldap_close($tmpconn); | |
| + return false; | |
| + } | |
| + | |
| + ldap_close($tmpconn); | |
| + return true; | |
| + } | |
| + | |
| + private function domain_admin_save($domain, $domain_dn, $attributes) { | |
| + $currentdomain_dn = $this->_standard_root_dn($domain[$domain_dn]["associateddomain"]); | |
| + $currentdomain_da_dn = "cn=Directory Administrators,".$currentdomain_dn; | |
| + | |
| + $domain_admins_result = $this->_search($currentdomain_dn, "cn=Directory Administrators*", array("uniqueMember")); | |
| + if ($domain_admins_result != null && count($domain_admins_result) > 0) { | |
| + $domain_admins = $domain_admins_result->entries(true); | |
| + } | |
| + | |
| + if (empty($domain_admins[$currentdomain_da_dn]["uniquemember"])) { | |
| + $domain_admins[$currentdomain_da_dn]["uniquemember"] = Array(); | |
| + } | |
| + | |
| + if (!is_array($domain_admins[$currentdomain_da_dn]["uniquemember"])) { | |
| + $domain_admins[$currentdomain_da_dn]["uniquemember"] = | |
| + (array)($domain_admins[$currentdomain_da_dn]["uniquemember"]); | |
| + } | |
| + | |
| + $info = array(); | |
| + $info["uniquemember"] = array(); | |
| + for ($count = 0; $count < count($attributes["domainadmin"]); $count++) { | |
| + $info["uniquemember"][] = $attributes["domainadmin"][$count]; | |
| + | |
| + if (!in_array($attributes["domainadmin"][$count], $domain_admins[$currentdomain_da_dn]["uniquemember"])) { | |
| + # add read permission to associateddomain in cn=kolab,cn=config | |
| + $this->ChangeDomainReadCapability($attributes["domainadmin"][$count], $domain[$domain_dn]["associateddomain"], 'add'); | |
| + } | |
| + } | |
| + | |
| + # check for removed admins: remove also read permission from associateddomain in cn=kolab,cn=config | |
| + foreach ($domain_admins[$currentdomain_da_dn]["uniquemember"] as $oldadmin) { | |
| + if (!in_array($oldadmin, $attributes["domainadmin"])) { | |
| + if ($oldadmin == "cn=Directory Manager") { | |
| + # make sure that Directory Manager is still in the list | |
| + $info["uniquemember"][] = "cn=Directory Manager"; | |
| + } else { | |
| + # drop read permission to associateddomain in cn=kolab,cn=config | |
| + $this->ChangeDomainReadCapability($oldadmin, $domain[$domain_dn]["associateddomain"], 'remove'); | |
| + } | |
| + } | |
| + } | |
| + | |
| + $result = $this->modify_entry($currentdomain_da_dn, $domain_admins[$currentdomain_da_dn], $info); | |
| + | |
| + if (!$result) { | |
| + return false; | |
| + } | |
| + } | |
| + | |
| public function domain_edit($domain, $attributes, $typeid = null) | |
| { | |
| $domain = $this->domain_info($domain, array_keys($attributes)); | |
| @@ -186,6 +285,12 @@ | |
| $domain_dn = key($domain); | |
| + # using isset, because if the array is empty, then we want to drop the domain admins. | |
| + if (isset($attributes["domainadmin"])) { | |
| + $this->domain_admin_save($domain, $domain_dn, $attributes); | |
| + unset($attributes["domainadmin"]); | |
| + } | |
| + | |
| // We should start throwing stuff over the fence here. | |
| return $this->modify_entry($domain_dn, $domain[$domain_dn], $attributes); | |
| } | |
| @@ -220,6 +325,7 @@ | |
| $this->_log(LOG_DEBUG, "Auth::LDAP::domain_info() uses _search()"); | |
| $result = $this->_search($domain_base_dn, $domain_filter, $attributes); | |
| $result = $result->entries(true); | |
| + $domain_dn = key($result); | |
| } | |
| else { | |
| $this->_log(LOG_DEBUG, "Auth::LDAP::domain_info() uses _read()"); | |
| @@ -230,6 +336,25 @@ | |
| return false; | |
| } | |
| + $currentdomain_dn = $this->_standard_root_dn($result[$domain_dn]["associateddomain"]); | |
| + $currentdomain_da_dn = "cn=Directory Administrators,".$currentdomain_dn; | |
| + | |
| + $domain_admins_result = $this->_search($currentdomain_dn, "cn=Directory Administrators*", array("uniqueMember")); | |
| + if ($domain_admins_result != null && count($domain_admins_result) > 0) { | |
| + $domain_admins = $domain_admins_result->entries(true); | |
| + } | |
| + | |
| + // read domain admins from LDAP, uniqueMembers of Directory Administrators of domain | |
| + $result[$domain_dn]["domainadmin"] = array(); | |
| + if (is_array($domain_admins[$currentdomain_da_dn]["uniquemember"])) { | |
| + foreach ($domain_admins[$currentdomain_da_dn]["uniquemember"] as $domainadmin) { | |
| + $result[$domain_dn]["domainadmin"][] = $domainadmin; | |
| + } | |
| + } | |
| + else { | |
| + $result[$domain_dn]["domainadmin"][] = $domain_admins[$currentdomain_da_dn]["uniquemember"]; | |
| + } | |
| + | |
| $this->_log(LOG_DEBUG, "Auth::LDAP::domain_info() result: " . var_export($result, true)); | |
| return $result; | |
| diff -uNr kolab-webadmin.orig/lib/client/kolab_client_task_domain.php kolab-webadmin/lib/client/kolab_client_task_domain.php | |
| --- kolab-webadmin.orig/lib/client/kolab_client_task_domain.php 2013-06-18 11:33:48.533737103 +0200 | |
| +++ kolab-webadmin/lib/client/kolab_client_task_domain.php 2013-06-18 11:34:09.091733685 +0200 | |
| @@ -232,6 +232,7 @@ | |
| $sections = array( | |
| 'system' => 'domain.system', | |
| 'other' => 'domain.other', | |
| + 'admins' => 'domain.admins', | |
| ); | |
| // field-to-section map and fields order | |
| @@ -239,6 +240,7 @@ | |
| 'type_id' => 'system', | |
| 'type_id_name' => 'system', | |
| 'associateddomain' => 'system', | |
| + 'domainadmin' => 'admins', | |
| ); | |
| //console("domain_form() \$data", $data); | |
| diff -uNr kolab-webadmin.orig/lib/kolab_api_service.php kolab-webadmin/lib/kolab_api_service.php | |
| --- kolab-webadmin.orig/lib/kolab_api_service.php 2013-06-18 11:33:48.534737012 +0200 | |
| +++ kolab-webadmin/lib/kolab_api_service.php 2013-06-18 11:34:09.092733719 +0200 | |
| @@ -96,6 +96,9 @@ | |
| 'inetdomainstatus' => array( | |
| 'optional' => true, | |
| ), | |
| + 'domainadmin' => array( | |
| + 'type' => 'list' | |
| + ), | |
| ), | |
| 'fields' => array( | |
| 'objectclass' => array( |
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment