forked from verdnatura/hedera-web
263 lines
6.0 KiB
PHP
263 lines
6.0 KiB
PHP
<?php
|
|
|
|
class Account {
|
|
static function trySync($db, $userName, $password = NULL) {
|
|
$isSync = $db->getValue(
|
|
'SELECT sync FROM account.user WHERE name = #',
|
|
[$userName]
|
|
);
|
|
|
|
if ($isSync)
|
|
return;
|
|
|
|
self::sync($db, $userName, $password);
|
|
}
|
|
|
|
static function sync($db, $userName, $password = NULL, $force = TRUE) {
|
|
$hasAccount = $db->getValue(
|
|
'SELECT COUNT(*) > 0
|
|
FROM account.user u
|
|
JOIN account.account a ON u.id = a.id
|
|
WHERE u.name = #',
|
|
[$userName]
|
|
);
|
|
|
|
if ($hasAccount) {
|
|
self::ldapSync($db, $userName, $password);
|
|
self::sambaSync($db, $userName, $password);
|
|
}
|
|
|
|
$userId = $db->getValue(
|
|
'SELECT id FROM account.user WHERE `name` = #',
|
|
[$userName]
|
|
);
|
|
$db->query(
|
|
'CALL account.user_syncPassword(#, #)',
|
|
[$userId, $password]
|
|
);
|
|
$db->query(
|
|
'UPDATE account.user SET sync = TRUE WHERE id = #',
|
|
[$userId]
|
|
);
|
|
}
|
|
|
|
/**
|
|
* Synchronizes the user credentials in the LDAP server.
|
|
*/
|
|
static function ldapSync($db, $userName, $password) {
|
|
// Gets LDAP configuration parameters
|
|
|
|
$conf = $db->getObject(
|
|
'SELECT host, rdn, password, baseDn, filter
|
|
FROM account.ldapConfig');
|
|
|
|
// Connects an authenticates against server
|
|
|
|
$ds = ldap_connect($conf->host);
|
|
|
|
if (!$ds)
|
|
throw new Exception("Can't connect to LDAP server: ". ldapError($ds));
|
|
|
|
try {
|
|
ldap_set_option($ds, LDAP_OPT_PROTOCOL_VERSION, 3);
|
|
$bind = ldap_bind($ds, $conf->rdn, base64_decode($conf->password));
|
|
|
|
if (!$bind)
|
|
throw new Exception("Authentication failed on LDAP server: ". ldapError($ds));
|
|
|
|
// Prepares the data
|
|
|
|
$domain = $db->getValue('SELECT domain FROM account.mailConfig');
|
|
|
|
$user = $db->getObject(
|
|
'SELECT id, nickname, lang
|
|
FROM account.user
|
|
WHERE name = #',
|
|
[$userName]
|
|
);
|
|
|
|
$cn = empty($user->nickname) ? $userName : $user->nickname;
|
|
|
|
$nameArgs = explode(' ', $user->nickname);
|
|
$givenName = $nameArgs[0];
|
|
|
|
if (count($nameArgs) > 1)
|
|
$sn = $nameArgs[1];
|
|
if (empty($sn))
|
|
$sn = 'Empty';
|
|
|
|
$attrs = [
|
|
'cn' => $cn,
|
|
'displayName' => $user->nickname,
|
|
'givenName' => $givenName,
|
|
'sn' => $sn,
|
|
'mail' => "$userName@{$domain}",
|
|
'userPassword' => sshaEncode($password),
|
|
'preferredLanguage' => $user->lang
|
|
];
|
|
|
|
// Search the user entry
|
|
|
|
$filter = "uid=$userName";
|
|
|
|
if (!empty($conf->filter))
|
|
$filter = "(&($filter)($conf->filter))";
|
|
|
|
$res = ldap_search($ds, $conf->baseDn, $filter);
|
|
|
|
if (!$res)
|
|
throw new Exception("Can't get the LDAP entry: ". ldapError($ds));
|
|
|
|
$dn = "uid=$userName,{$conf->baseDn}";
|
|
$entry = ldap_first_entry($ds, $res);
|
|
|
|
$classes = ldap_get_values($ds, $entry, 'objectClass');
|
|
|
|
if (!in_array('inetOrgPerson', $classes)) {
|
|
ldap_delete($ds, $dn);
|
|
$entry = NULL;
|
|
}
|
|
|
|
if ($entry) {
|
|
$modifs = [];
|
|
$curAttrs = ldap_get_attributes($ds, $entry);
|
|
|
|
foreach ($attrs as $attribute => $value)
|
|
if (!empty($value)) {
|
|
$modifs[] = [
|
|
'attrib' => $attribute,
|
|
'modtype' => LDAP_MODIFY_BATCH_REPLACE,
|
|
'values' => [$value]
|
|
];
|
|
} elseif (isset($curAttrs[$attribute])) {
|
|
$modifs[] = [
|
|
'attrib' => $attribute,
|
|
'modtype' => LDAP_MODIFY_BATCH_REMOVE_ALL
|
|
];
|
|
}
|
|
|
|
$updated = ldap_modify_batch($ds, $dn, $modifs);
|
|
} else {
|
|
$addAttrs = [];
|
|
|
|
foreach ($attrs as $attribute => $value)
|
|
if (!empty($value))
|
|
$addAttrs[$attribute] = $value;
|
|
|
|
$addAttrs = array_merge($addAttrs, [
|
|
'objectClass' => ['inetOrgPerson'],
|
|
'uid' => $userName
|
|
]);
|
|
$updated = ldap_add($ds, $dn, $addAttrs);
|
|
}
|
|
|
|
if (!$updated)
|
|
throw new Exception("Can't update the LDAP entry: ". ldapError($ds));
|
|
} catch (Exception $e) {
|
|
ldap_unbind($ds);
|
|
throw $e;
|
|
}
|
|
}
|
|
|
|
/**
|
|
* Synchronizes the user credentials in the Samba server.
|
|
*/
|
|
static function sambaSync($db, $userName, $password) {
|
|
$conf = $db->getObject(
|
|
'SELECT host, sshUser, sshPass, uidBase
|
|
FROM account.sambaConfig'
|
|
);
|
|
|
|
$domain = $db->getValue('SELECT domain FROM account.mailConfig');
|
|
|
|
$samba = new SshConnection($conf->host
|
|
,$conf->sshUser
|
|
,base64_decode($conf->sshPass)
|
|
);
|
|
|
|
$scriptDir = '/mnt/storage/scripts';
|
|
|
|
// Creates the Samba user and initializes it's home directory
|
|
|
|
$userId = $db->getValue(
|
|
'SELECT id FROM account.user WHERE name = #', [$userName]);
|
|
|
|
$samba->exec("$scriptDir/create-user.sh %s %s %s"
|
|
,$userName
|
|
,$conf->uidBase + $userId
|
|
,"$userName@{$domain}"
|
|
);
|
|
|
|
// Syncronizes the Samba password
|
|
|
|
if (empty($password))
|
|
return;
|
|
|
|
$samba->exec("$scriptDir/set-password.sh %s %s"
|
|
,$userName
|
|
,$password
|
|
);
|
|
}
|
|
}
|
|
|
|
function ldapError($ds) {
|
|
return ldap_errno($ds) .': '. ldap_error($ds);
|
|
}
|
|
|
|
function sshaEncode($value) {
|
|
mt_srand((double) microtime() * 1000000);
|
|
$salt = pack('CCCC', mt_rand(), mt_rand(), mt_rand(), mt_rand());
|
|
$hash = '{SSHA}' . base64_encode(pack('H*', sha1($value . $salt)) . $salt);
|
|
return $hash;
|
|
}
|
|
|
|
function sshaVerify($hash, $value) {
|
|
$ohash = base64_decode(substr($hash, 6));
|
|
$osalt = substr($ohash, 20);
|
|
$ohash = substr($ohash, 0, 20);
|
|
$nhash = pack('H*', sha1($value . $osalt));
|
|
return $ohash == $nhash;
|
|
}
|
|
|
|
class SshConnection {
|
|
var $connection;
|
|
|
|
/**
|
|
* Abrebiated method to make SSH connections.
|
|
*/
|
|
function __construct($host, $user, $password) {
|
|
$this->connection = $connection = ssh2_connect($host);
|
|
|
|
if (!$connection)
|
|
throw new Exception("Can't connect to SSH server $host");
|
|
|
|
$authOk = ssh2_auth_password($connection, $user, $password);
|
|
|
|
if (!$authOk)
|
|
throw new Exception("SSH authentication failed on server $host");
|
|
|
|
return $connection;
|
|
}
|
|
|
|
/**
|
|
* Executes a command on the host.
|
|
*/
|
|
function exec() {
|
|
$nargs = func_num_args();
|
|
$args = func_get_args();
|
|
|
|
for ($i = 1; $i < $nargs; $i++)
|
|
$args[$i] = self::escape($args[$i]);
|
|
|
|
$command = call_user_func_array('sprintf', $args);
|
|
return ssh2_exec($this->connection, $command);
|
|
}
|
|
|
|
/**
|
|
* Escapes the double quotes from an string.
|
|
*/
|
|
static function escape($str) {
|
|
return '"'. str_replace('"', '\\"', $str) .'"';
|
|
}
|
|
}
|