Context Navigation

source: trunk/LATMOS-Accounts/lib/LATMOS/Accounts/Bases/Ldap/User.pm @ 2476

Visit:

Last change on this file since 2476 was 2476, checked in by nanardon, 3 years ago
sambaGroupType is mandatory
File size: 9.3 KB

Line
1	package LATMOS::Accounts::Bases::Ldap::User;
2
3	use 5.010000;
4	use strict;
5	use warnings;
6
7	use base qw(LATMOS::Accounts::Bases::Ldap::objects);
8	use Net::LDAP;
9	use Net::LDAPS;
10	use Net::LDAP::Entry;
11	use Net::LDAP::Control::Paged;
12	use Net::LDAP::Constant qw( LDAP_CONTROL_PAGED );
13	use Net::LDAP::Util qw( escape_filter_value );
14	use LATMOS::Accounts::Log;
15	use LATMOS::Accounts::Bases::Ldap::Group;
16	use LATMOS::Accounts::Utils;
17	use Crypt::SmbHash;
18
19	our $VERSION = (q$Rev: 649 $ =~ /^Rev: (\d+) /)[0];
20
21	=head1 NAME
22
23	LATMOS::Ldap - Perl extension for blah blah blah
24
25	=head1 SYNOPSIS
26
27	use LATMOS::Ldap;
28	blah blah blah
29
30	=head1 DESCRIPTION
31
32	Stub documentation for LATMOS::Ldap, created by h2xs. It looks like the
33	author of the extension was negligent enough to leave the stub
34	unedited.
35
36	Blah blah blah.
37
38	=head1 FUNCTIONS
39
40	=cut
41
42	sub _class_filter { '(&(ObjectClass=posixAccount))' }
43
44	sub _key_attr { 'cn' }
45
46	sub _my_ldap_classes { qw(
47	top
48	inetOrgPerson
49	organizationalPerson
50	posixAccount
51	shadowAccount
52	sambaSamAccount
53	) }
54
55	sub _computeSSID {
56	my ($value) = @_;
57	$value * 2 + 1000
58	}
59
60	sub _get_attr_schema {
61	my ($class, $base) = @_;
62	$class->SUPER::_get_attr_schema($base,
63	{
64	displayName => { },
65	givenName => { },
66	homePhone => { },
67	homePostalAddress => { },
68	initials => { },
69	mail => { },
70	sn => { },
71	mobile => { },
72	o => { },
73	uid => { mandatory => 1 },
74	manager => {
75	delayed => 1,
76	can_values => sub { $base->list_objects('user') },
77	},
78	facsimileTelephoneNumber => { },
79	uidNumber => {
80	uniq => 1,
81	post => sub {
82	my ($self, $value) = @_;
83	$self->object->set_fields(sambaSID => $self->object->base->sambaSID(_computeSSID($value)));
84	},
85	},
86	gidNumber => {
87	reference => 'group',
88	mandatory => 1,
89	can_values => sub {
90	map { $base->get_object('group',
91	$_)->get_attributes('gidNumber') }
92	$base->list_objects('group')
93	},
94	display => sub {
95	my ($self, $val) = @_;
96	my ($gr) = $self->base->search_objects('group', "gidNumber=$val")
97	or return;
98	return $gr;
99	},
100
101	},
102	homeDirectory => { },
103	loginShell => { },
104	gecos => { },
105	description => { },
106	shadowLastChange => { },
107	shadowMin => { },
108	shadowMax => { },
109	shadowWarning => { },
110	shadowInactive => { },
111	shadowExpire => { },
112	shadowFlag => { },
113	street => { },
114	postOfficeBox => { },
115	postalCode => { },
116	postalAddress => { },
117	streetAddress => { },
118	physicalDeliveryOfficeName => { },
119	ou => { },
120	st => { },
121	l => { },
122	telephoneNumber => { },
123	memberOf => {
124	delayed => 1,
125	multiple => 1,
126	reference => 'group',
127	},
128	cn => { ro => 1, },
129	dn => { ro => 1, },
130	objectClass => { ro => 1, },
131	pwdAccountLockedTime => {},
132	pwdPolicySubentry => {},
133	pwdChangedTime => { ro => 1 },
134	labeledURI => {},
135	userPassword => { readable => 0, },
136	sambaLMPassword => { readable => 0, },
137	sambaNTPassword => { readable => 0, },
138	sambaSID => {
139	uniq => 1,
140	mandatory => 1,
141	},
142	}
143	);
144	}
145
146	sub _update_class {
147	my ($self) = @_;
148
149	$self->SUPER::_update_class(
150	sambaSID => $self->base->sambaSID(
151	_computeSSID($self->_get_attributes('uidNumber'))
152	)
153	);
154	}
155
156	sub _create {
157	my ($class, $base, $id, %data) = @_;
158
159	my $entry = Net::LDAP::Entry->new();
160
161	$entry->dn(join(',',
162	sprintf('%s=%s',
163	$class->_dn_attribute($base),
164	escape_filter_value($id)),
165	$base->object_base_dn($class->type),
166	)
167	);
168	$entry->replace(objectClass =>
169	[ $class->_my_ldap_classes ],);
170	$data{cn} \|\|= $data{sn} \|\| $id; # cn is mandatory
171	$data{sn} \|\|= $id; # sn is mandatory
172	$data{uid} \|\|= $id; # uid is mandatory
173	$data{sambaSID} \|\|= $base->sambaSID(_computeSSID($data{uidNumber}));
174	$data{homeDirectory} \|\|= '/dev/null'; # homeDirectory is mandatory
175	$data{$class->_key_attribute($base)} = $id;
176	foreach (keys %data) {
177	$class->_populate_entry($entry,
178	$_, $data{$_}, $base);
179	}
180
181	my $msg = $base->ldap->add($entry);
182	if ($msg->code) {
183	$base->log(LA_ERR, "Cannot create user: %s", $msg->error);
184	return 0;
185	}
186	return 1;
187	}
188
189	sub _rename {
190	my ($class, $base, $uid, $newuid) = @_;
191
192	$class->SUPER::_rename($base, $uid, $newuid) or return;
193	}
194
195	sub get_field {
196	my ($self, $field) = @_;
197
198	$field eq 'streetAddress' and $field = 'street';
199	$field eq 'memberOf' and do {
200	my @res;
201	$self->base->_unlimited_search(
202	base => $self->base->object_base_dn('group'),
203	filter => sprintf(
204	'(&(objectClass=posixGroup)(memberUID=%s))',
205	escape_filter_value($self->id),
206	),
207	callback => sub {
208	my ($mesg, $entry) = @_;
209	ref $entry eq 'Net::LDAP::Entry' or return;
210	push(@res, $entry->get_value(
211	LATMOS::Accounts::Bases::Ldap::Group->_key_attribute($self->base),
212	));
213	1;
214	},
215	);
216	return [ sort(@res) ];
217	};
218	$field eq 'manager' and do {
219	my $dn = $self->SUPER::get_field($field) or return;
220	my $manager = $self->base->_get_object_from_dn($dn) or return;
221	return $manager->get_value(__PACKAGE__->_key_attribute($self->base));
222	};
223	$self->SUPER::get_field($field);
224	}
225
226	sub _populate_entry {
227	my ($self, $entry, $f, $val, $base) = @_;
228	$base \|\|= $self->base;
229	for ($f) {
230	/^sn$/ and $val \|\|= $entry->get_value($self->_key_attribute);
231	/^memberOf$/ and do {
232	my %users;
233	$users{$_}{e} = 1 foreach (ref $self
234	? $self->get_attributes('memberOf')
235	: ());
236	$val = [ $val ] unless(ref $val);
237	$users{$_}{n} = 1 foreach (grep { $_ } @{ $val \|\| []});
238	foreach (keys %users) {
239	$users{$_}{e} && $users{$_}{n} and next;
240	my $group = $base->get_object('group', $_) or next;
241	if ($users{$_}{e}) {
242	$group->{entry}->delete(memberUID =>
243	$entry->get_value(
244	LATMOS::Accounts::Bases::Ldap::User->_key_attribute($base),
245	)
246	);
247	} elsif ($users{$_}{n}) {
248	$group->{entry}->add(memberUID =>
249	$entry->get_value(
250	LATMOS::Accounts::Bases::Ldap::User->_key_attribute($base),
251	)
252	);
253	} # else {} # can't happen
254	my $mesg = $group->{entry}->update($base->ldap);
255	if ($mesg->code) {
256	$base->log(LA_ERR, "Cannot set attributes: %s", $mesg->error);
257	return;
258	}
259	}
260	return 1;
261	};
262	/^manager$/ && $val and do {
263	my $user = $base->get_object('user', $val) or do {
264	$val = undef;
265	next;
266	};
267	$val = $user->get_field('dn');
268	next;
269	};
270	/^gecos$/ and do {
271	$val = to_ascii($val);
272	};
273	/^homeDirectory$/ and $val \|\|= '/dev/null';
274	}
275	$self->SUPER::_populate_entry($entry, $f, $val, $base);
276	}
277
278	sub _set_password {
279	my ($self, $clear_pass) = @_;
280
281	# openldap use prefix to identify encryption passwd
282	# {CRYPT} is system dependant, eg use crypt from system
283	# As we run openldap on UNIX, this should not be a problem
284	# as we use perl crypt() which does the same
285	# This code will have to be changed if we use openldap on other UNIX
286	my $crypt = '{CRYPT}' . $self->base->passCrypt($clear_pass);
287
288	my ($lm, $nt) = ntlmgen $clear_pass;
289
290	my $res = $self->set_fields(
291	userPassword => $crypt,
292	sambaLMPassword => $lm,
293	sambaNTPassword => $nt,
294	);
295	$self->base->log(LA_NOTICE, 'Mot de passe changÃ© pour %s', $self->id)
296	if($res);
297	return $res;
298	}
299
300	=head2 _InjectCryptPasswd($cryptpasswd)
301
302	Inject a password encrypted using standard UNIX method.
303
304	Works only for unix authentification method inside LDAP
305
306	=cut
307
308	sub _InjectCryptPasswd {
309	my ($self, $cryptpasswd) = @_;
310
311	my $res = $self->set_fields(
312	userPassword => '{CRYPT}' . $cryptpasswd,
313	);
314
315	if ($res) {
316	$self->base->log(LA_NOTICE, 'Crypted password injected for %s', $self->id);
317	return 1;
318	} else {
319	$self->base->log(LA_ERR, 'Cannot inject crypted password for %s', $self->id);
320	return 0;
321	}
322	}
323
324	1;
325
326	__END__
327
328	=head1 SEE ALSO
329
330	=head1 AUTHOR
331
332	Olivier Thauvin, E<lt>olivier.thauvin@aerov.jussieu.frE<gt>
333
334	=head1 COPYRIGHT AND LICENSE
335
336	Copyright (C) 2008 CNRS SA/CETP/LATMOS
337
338	This library is free software; you can redistribute it and/or modify
339	it under the same terms as Perl itself, either Perl version 5.10.0 or,
340	at your option, any later version of Perl 5 you may have available.
341
342
343	=cut

Note: See TracBrowser for help on using the repository browser.

Download in other formats: