|
|
|
@ -57,8 +57,8 @@ use OCA\User_LDAP\User\Manager;
|
|
|
|
|
use OCA\User_LDAP\User\OfflineUser;
|
|
|
|
|
use OCP\HintException;
|
|
|
|
|
use OCP\IConfig;
|
|
|
|
|
use OCP\ILogger;
|
|
|
|
|
use OCP\IUserManager;
|
|
|
|
|
use Psr\Log\LoggerInterface;
|
|
|
|
|
use function strlen;
|
|
|
|
|
use function substr;
|
|
|
|
|
|
|
|
|
@ -95,6 +95,8 @@ class Access extends LDAPUtility {
|
|
|
|
|
private $config;
|
|
|
|
|
/** @var IUserManager */
|
|
|
|
|
private $ncUserManager;
|
|
|
|
|
/** @var LoggerInterface */
|
|
|
|
|
private $logger;
|
|
|
|
|
/** @var string */
|
|
|
|
|
private $lastCookie = '';
|
|
|
|
|
|
|
|
|
@ -104,7 +106,8 @@ class Access extends LDAPUtility {
|
|
|
|
|
Manager $userManager,
|
|
|
|
|
Helper $helper,
|
|
|
|
|
IConfig $config,
|
|
|
|
|
IUserManager $ncUserManager
|
|
|
|
|
IUserManager $ncUserManager,
|
|
|
|
|
LoggerInterface $logger
|
|
|
|
|
) {
|
|
|
|
|
parent::__construct($ldap);
|
|
|
|
|
$this->connection = $connection;
|
|
|
|
@ -113,6 +116,7 @@ class Access extends LDAPUtility {
|
|
|
|
|
$this->helper = $helper;
|
|
|
|
|
$this->config = $config;
|
|
|
|
|
$this->ncUserManager = $ncUserManager;
|
|
|
|
|
$this->logger = $logger;
|
|
|
|
|
}
|
|
|
|
|
|
|
|
|
|
/**
|
|
|
|
@ -185,15 +189,16 @@ class Access extends LDAPUtility {
|
|
|
|
|
*/
|
|
|
|
|
public function readAttribute($dn, $attr, $filter = 'objectClass=*') {
|
|
|
|
|
if (!$this->checkConnection()) {
|
|
|
|
|
\OCP\Util::writeLog('user_ldap',
|
|
|
|
|
$this->logger->warning(
|
|
|
|
|
'No LDAP Connector assigned, access impossible for readAttribute.',
|
|
|
|
|
ILogger::WARN);
|
|
|
|
|
['app' => 'user_ldap']
|
|
|
|
|
);
|
|
|
|
|
return false;
|
|
|
|
|
}
|
|
|
|
|
$cr = $this->connection->getConnectionResource();
|
|
|
|
|
if (!$this->ldap->isResource($cr)) {
|
|
|
|
|
//LDAP not available
|
|
|
|
|
\OCP\Util::writeLog('user_ldap', 'LDAP resource not available.', ILogger::DEBUG);
|
|
|
|
|
$this->logger->debug('LDAP resource not available.', ['app' => 'user_ldap']);
|
|
|
|
|
return false;
|
|
|
|
|
}
|
|
|
|
|
//Cancel possibly running Paged Results operation, otherwise we run in
|
|
|
|
@ -248,7 +253,7 @@ class Access extends LDAPUtility {
|
|
|
|
|
}
|
|
|
|
|
} while ($isRangeRequest);
|
|
|
|
|
|
|
|
|
|
\OCP\Util::writeLog('user_ldap', 'Requested attribute ' . $attr . ' not found for ' . $dn, ILogger::DEBUG);
|
|
|
|
|
$this->logger->debug('Requested attribute ' . $attr . ' not found for ' . $dn, ['app' => 'user_ldap']);
|
|
|
|
|
return false;
|
|
|
|
|
}
|
|
|
|
|
|
|
|
|
@ -279,13 +284,13 @@ class Access extends LDAPUtility {
|
|
|
|
|
if (!$this->ldap->isResource($rr)) {
|
|
|
|
|
if ($attribute !== '') {
|
|
|
|
|
//do not throw this message on userExists check, irritates
|
|
|
|
|
\OCP\Util::writeLog('user_ldap', 'readAttribute failed for DN ' . $dn, ILogger::DEBUG);
|
|
|
|
|
$this->logger->debug('readAttribute failed for DN ' . $dn, ['app' => 'user_ldap']);
|
|
|
|
|
}
|
|
|
|
|
//in case an error occurs , e.g. object does not exist
|
|
|
|
|
return false;
|
|
|
|
|
}
|
|
|
|
|
if ($attribute === '' && ($filter === 'objectclass=*' || $this->invokeLDAPMethod('countEntries', $cr, $rr) === 1)) {
|
|
|
|
|
\OCP\Util::writeLog('user_ldap', 'readAttribute: ' . $dn . ' found', ILogger::DEBUG);
|
|
|
|
|
$this->logger->debug('readAttribute: ' . $dn . ' found', ['app' => 'user_ldap']);
|
|
|
|
|
return true;
|
|
|
|
|
}
|
|
|
|
|
$er = $this->invokeLDAPMethod('firstEntry', $cr, $rr);
|
|
|
|
@ -371,7 +376,7 @@ class Access extends LDAPUtility {
|
|
|
|
|
$cr = $this->connection->getConnectionResource();
|
|
|
|
|
if (!$this->ldap->isResource($cr)) {
|
|
|
|
|
//LDAP not available
|
|
|
|
|
\OCP\Util::writeLog('user_ldap', 'LDAP resource not available.', ILogger::DEBUG);
|
|
|
|
|
$this->logger->debug('LDAP resource not available.', ['app' => 'user_ldap']);
|
|
|
|
|
return false;
|
|
|
|
|
}
|
|
|
|
|
try {
|
|
|
|
@ -545,14 +550,14 @@ class Access extends LDAPUtility {
|
|
|
|
|
}
|
|
|
|
|
} else {
|
|
|
|
|
//If the UUID can't be detected something is foul.
|
|
|
|
|
\OCP\Util::writeLog('user_ldap', 'Cannot determine UUID for ' . $fdn . '. Skipping.', ILogger::INFO);
|
|
|
|
|
$this->logger->debug('Cannot determine UUID for ' . $fdn . '. Skipping.', ['app' => 'user_ldap']);
|
|
|
|
|
return false;
|
|
|
|
|
}
|
|
|
|
|
|
|
|
|
|
if (is_null($ldapName)) {
|
|
|
|
|
$ldapName = $this->readAttribute($fdn, $nameAttribute, $filter);
|
|
|
|
|
if (!isset($ldapName[0]) && empty($ldapName[0])) {
|
|
|
|
|
\OCP\Util::writeLog('user_ldap', 'No or empty name for ' . $fdn . ' with filter ' . $filter . '.', ILogger::DEBUG);
|
|
|
|
|
if (!isset($ldapName[0]) || empty($ldapName[0])) {
|
|
|
|
|
$this->logger->debug('No or empty name for ' . $fdn . ' with filter ' . $filter . '.', ['app' => 'user_ldap']);
|
|
|
|
|
return false;
|
|
|
|
|
}
|
|
|
|
|
$ldapName = $ldapName[0];
|
|
|
|
@ -562,6 +567,10 @@ class Access extends LDAPUtility {
|
|
|
|
|
$usernameAttribute = (string)$this->connection->ldapExpertUsernameAttr;
|
|
|
|
|
if ($usernameAttribute !== '') {
|
|
|
|
|
$username = $this->readAttribute($fdn, $usernameAttribute);
|
|
|
|
|
if (!isset($username[0]) || empty($username[0])) {
|
|
|
|
|
$this->logger->debug('No or empty username (' . $usernameAttribute . ') for ' . $fdn . '.', ['app' => 'user_ldap']);
|
|
|
|
|
return false;
|
|
|
|
|
}
|
|
|
|
|
$username = $username[0];
|
|
|
|
|
} else {
|
|
|
|
|
$username = $uuid;
|
|
|
|
@ -569,9 +578,8 @@ class Access extends LDAPUtility {
|
|
|
|
|
try {
|
|
|
|
|
$intName = $this->sanitizeUsername($username);
|
|
|
|
|
} catch (\InvalidArgumentException $e) {
|
|
|
|
|
\OC::$server->getLogger()->logException($e, [
|
|
|
|
|
'app' => 'user_ldap',
|
|
|
|
|
'level' => ILogger::WARN,
|
|
|
|
|
$this->logger->warning('Error sanitizing username: ' . $e->getMessage(), [
|
|
|
|
|
'exception' => $e,
|
|
|
|
|
]);
|
|
|
|
|
// we don't attempt to set a username here. We can go for
|
|
|
|
|
// for an alternative 4 digit random number as we would append
|
|
|
|
@ -611,7 +619,7 @@ class Access extends LDAPUtility {
|
|
|
|
|
}
|
|
|
|
|
|
|
|
|
|
//if everything else did not help..
|
|
|
|
|
\OCP\Util::writeLog('user_ldap', 'Could not create unique name for ' . $fdn . '.', ILogger::INFO);
|
|
|
|
|
$this->logger->info('Could not create unique name for ' . $fdn . '.', ['app' => 'user_ldap']);
|
|
|
|
|
return false;
|
|
|
|
|
}
|
|
|
|
|
|
|
|
|
@ -933,7 +941,7 @@ class Access extends LDAPUtility {
|
|
|
|
|
if ($user !== null) {
|
|
|
|
|
$user->processAttributes($userRecord);
|
|
|
|
|
} else {
|
|
|
|
|
\OC::$server->getLogger()->debug(
|
|
|
|
|
$this->logger->debug(
|
|
|
|
|
"The ldap user manager returned null for $ocName",
|
|
|
|
|
['app' => 'user_ldap']
|
|
|
|
|
);
|
|
|
|
@ -1112,13 +1120,13 @@ class Access extends LDAPUtility {
|
|
|
|
|
* Maybe implement exponential backoff?
|
|
|
|
|
* This was enough to get solr indexer working which has large delays between LDAP fetches.
|
|
|
|
|
*/
|
|
|
|
|
\OCP\Util::writeLog('user_ldap', "Connection lost on $command, attempting to reestablish.", ILogger::DEBUG);
|
|
|
|
|
$this->logger->debug("Connection lost on $command, attempting to reestablish.", ['app' => 'user_ldap']);
|
|
|
|
|
$this->connection->resetConnectionResource();
|
|
|
|
|
$cr = $this->connection->getConnectionResource();
|
|
|
|
|
|
|
|
|
|
if (!$this->ldap->isResource($cr)) {
|
|
|
|
|
// Seems like we didn't find any resource.
|
|
|
|
|
\OCP\Util::writeLog('user_ldap', "Could not $command, because resource is missing.", ILogger::DEBUG);
|
|
|
|
|
$this->logger->debug("Could not $command, because resource is missing.", ['app' => 'user_ldap']);
|
|
|
|
|
throw $e;
|
|
|
|
|
}
|
|
|
|
|
|
|
|
|
@ -1152,7 +1160,7 @@ class Access extends LDAPUtility {
|
|
|
|
|
if (!$this->ldap->isResource($cr)) {
|
|
|
|
|
// Seems like we didn't find any resource.
|
|
|
|
|
// Return an empty array just like before.
|
|
|
|
|
\OCP\Util::writeLog('user_ldap', 'Could not search, because resource is missing.', ILogger::DEBUG);
|
|
|
|
|
$this->logger->debug('Could not search, because resource is missing.', ['app' => 'user_ldap']);
|
|
|
|
|
return false;
|
|
|
|
|
}
|
|
|
|
|
|
|
|
|
@ -1168,7 +1176,7 @@ class Access extends LDAPUtility {
|
|
|
|
|
// cannot use $cr anymore, might have changed in the previous call!
|
|
|
|
|
$error = $this->ldap->errno($this->connection->getConnectionResource());
|
|
|
|
|
if (!$this->ldap->isResource($sr) || $error !== 0) {
|
|
|
|
|
\OCP\Util::writeLog('user_ldap', 'Attempt for Paging? ' . print_r($pagedSearchOK, true), ILogger::ERROR);
|
|
|
|
|
$this->logger->error('Attempt for Paging? ' . print_r($pagedSearchOK, true), ['app' => 'user_ldap']);
|
|
|
|
|
return false;
|
|
|
|
|
}
|
|
|
|
|
|
|
|
|
@ -1213,7 +1221,7 @@ class Access extends LDAPUtility {
|
|
|
|
|
}
|
|
|
|
|
} else {
|
|
|
|
|
if (!is_null($limit) && (int)$this->connection->ldapPagingSize !== 0) {
|
|
|
|
|
\OC::$server->getLogger()->debug(
|
|
|
|
|
$this->logger->debug(
|
|
|
|
|
'Paged search was not available',
|
|
|
|
|
['app' => 'user_ldap']
|
|
|
|
|
);
|
|
|
|
@ -1249,7 +1257,7 @@ class Access extends LDAPUtility {
|
|
|
|
|
?int $offset = null,
|
|
|
|
|
bool $skipHandling = false
|
|
|
|
|
) {
|
|
|
|
|
\OC::$server->getLogger()->debug('Count filter: {filter}', [
|
|
|
|
|
$this->logger->debug('Count filter: {filter}', [
|
|
|
|
|
'app' => 'user_ldap',
|
|
|
|
|
'filter' => $filter
|
|
|
|
|
]);
|
|
|
|
@ -1759,7 +1767,7 @@ class Access extends LDAPUtility {
|
|
|
|
|
|
|
|
|
|
$value = $this->readAttribute($dn, $attribute);
|
|
|
|
|
if (is_array($value) && isset($value[0]) && !empty($value[0])) {
|
|
|
|
|
\OC::$server->getLogger()->debug(
|
|
|
|
|
$this->logger->debug(
|
|
|
|
|
'Setting {attribute} as {subject}',
|
|
|
|
|
[
|
|
|
|
|
'app' => 'user_ldap',
|
|
|
|
@ -1772,7 +1780,7 @@ class Access extends LDAPUtility {
|
|
|
|
|
return true;
|
|
|
|
|
}
|
|
|
|
|
}
|
|
|
|
|
\OC::$server->getLogger()->debug('Could not autodetect the UUID attribute', ['app' => 'user_ldap']);
|
|
|
|
|
$this->logger->debug('Could not autodetect the UUID attribute', ['app' => 'user_ldap']);
|
|
|
|
|
|
|
|
|
|
return false;
|
|
|
|
|
}
|
|
|
|
@ -1867,7 +1875,7 @@ class Access extends LDAPUtility {
|
|
|
|
|
* an exception here would kill the experience for a valid, acting
|
|
|
|
|
* user. Instead we write a log message.
|
|
|
|
|
*/
|
|
|
|
|
\OC::$server->getLogger()->info(
|
|
|
|
|
$this->logger->info(
|
|
|
|
|
'Passed string does not resemble a valid GUID. Known UUID ' .
|
|
|
|
|
'({uuid}) probably does not match UUID configuration.',
|
|
|
|
|
['app' => 'user_ldap', 'uuid' => $guid]
|
|
|
|
@ -2042,7 +2050,7 @@ class Access extends LDAPUtility {
|
|
|
|
|
): bool {
|
|
|
|
|
$pagedSearchOK = false;
|
|
|
|
|
if ($limit !== 0) {
|
|
|
|
|
\OC::$server->getLogger()->debug(
|
|
|
|
|
$this->logger->debug(
|
|
|
|
|
'initializing paged search for filter {filter}, base {base}, attr {attr}, limit {limit}, offset {offset}',
|
|
|
|
|
[
|
|
|
|
|
'app' => 'user_ldap',
|
|
|
|
@ -2074,7 +2082,7 @@ class Access extends LDAPUtility {
|
|
|
|
|
'controlPagedResult', $this->connection->getConnectionResource(), $limit, false
|
|
|
|
|
);
|
|
|
|
|
if ($pagedSearchOK) {
|
|
|
|
|
\OC::$server->getLogger()->debug('Ready for a paged search', ['app' => 'user_ldap']);
|
|
|
|
|
$this->logger->debug('Ready for a paged search', ['app' => 'user_ldap']);
|
|
|
|
|
}
|
|
|
|
|
/* ++ Fixing RHDS searches with pages with zero results ++
|
|
|
|
|
* We coudn't get paged searches working with our RHDS for login ($limit = 0),
|
|
|
|
|