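<?php
/*
 * Copyright 2005-2016 OCSInventory-NG/OCSInventory-ocsreports contributors.
 * See the Contributors file for more details about them.
 *
 * This file is part of OCSInventory-NG/OCSInventory-ocsreports.
 *
 * OCSInventory-NG/OCSInventory-ocsreports is free software: you can redistribute
 * it and/or modify it under the terms of the GNU General Public License as
 * published by the Free Software Foundation, either version 2 of the License,
 * or (at your option) any later version.
 *
 * OCSInventory-NG/OCSInventory-ocsreports is distributed in the hope that it
 * will be useful, but WITHOUT ANY WARRANTY; without even the implied warranty
 * of MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
 * GNU General Public License for more details.
 *
 * You should have received a copy of the GNU General Public License
 * along with OCSInventory-NG/OCSInventory-ocsreports. if not, write to the
 * Free Software Foundation, Inc., 51 Franklin Street, Fifth Floor, Boston,
 * MA 02110-1301, USA.
 */
/* This module automatically inserts valid LDAP users into OCS operators table.
 *
 * The userlevel is defined according to conditions defined in the following configuration fields:
 *
 * - CONEX_LDAP_CHECK_FIELD1_NAME
 * - CONEX_LDAP_CHECK_FIELD1_VALUE
 * - CONEX_LDAP_CHECK_FIELD1_ROLE
 * - CONEX_LDAP_CHECK_FIELD2_NAME
 * - CONEX_LDAP_CHECK_FIELD2_VALUE
 * - CONEX_LDAP_CHECK_FIELD2_ROLE
 *
 * If any of these attributes are defined (and found on the LDAP query), they're used to determine the correct
 * user level and role.
 *
 * On success the script leaves the resolved access level in $lvluser and, when the
 * profile carries a GUI restriction, the allowed tags in $list_tag (keyed by tag).
 * Otherwise an error message is left in $ERROR.
 *
 * CONEX_LDAP_CHECK_FIELD1_NAME="thisGuyIsAdmin"
 * CONEX_LDAP_CHECK_FIELD1_VALUE="0"
 * CONEX_LDAP_CHECK_FIELD1_ROLE="user"
 * CONEX_LDAP_CHECK_FIELD2_NAME="thisGuyIsAdmin"
 * CONEX_LDAP_CHECK_FIELD2_VALUE="1"
 * CONEX_LDAP_CHECK_FIELD2_ROLE="sadmin"
 * In logical terms:
 * if thisGuyIsAdmin=0 then
 * role=user
 * else if thisGuyIsAdmin=1 then
 * role=sadmin
 *
 * Note: the default user levels in OCS currently are "admin", "ladmin" and "sadmin". The above is just an example.
 *
 */
if ($_SESSION['OCS']['cnx_origine'] != "LDAP") {
    return false;
}

require_once ('require/function_files.php');
// page name
$name = "ldap.php";
connexion_local_read();

// select the main database
mysqli_select_db($link_ocs, $db_ocs);

// retrieve LDAP-related config values into an array keyed by NAME with its
// "CONEX_" prefix stripped (substr(NAME,7)), e.g. "LDAP_CHECK_FIELD1_NAME".
// Initialised up front so later lookups never touch an undefined variable.
$config = array();
$sql = "select substr(NAME,7) as NAME,TVALUE from config where NAME like '%s'";
$arg = array("%CONEX%");
$res = mysql2_query_secure($sql, $link_ocs, $arg);
while ($item = mysqli_fetch_object($res)) {
    $config[$item->NAME] = $item->TVALUE;
}

// checks if the user already exists
$reqOp = "SELECT new_accesslvl as accesslvl FROM operators WHERE id='%s'";
$argOp = array($_SESSION['OCS']["loggeduser"]);
$resOp = mysql2_query_secure($reqOp, $link_ocs, $argOp);

// LDAP attributes of the logged-in user, as stored by the LDAP login step
$details = isset($_SESSION['OCS']['details']) ? $_SESSION['OCS']['details'] : array();

// defines the user level according to specific LDAP attributes
// default: the configured default role ('' when not configured, which is
// reported as an error further down)
$defaultRole = isset($config['LDAP_CHECK_DEFAULT_ROLE']) ? $config['LDAP_CHECK_DEFAULT_ROLE'] : '';

// Checks if the custom fields are valid.
// Every config key and every LDAP attribute may be absent, so they are read
// with isset() rather than indexed directly.
$f1_name = isset($config['LDAP_CHECK_FIELD1_NAME']) ? $config['LDAP_CHECK_FIELD1_NAME'] : '';
$f2_name = isset($config['LDAP_CHECK_FIELD2_NAME']) ? $config['LDAP_CHECK_FIELD2_NAME'] : '';
$f1_check = isset($config['LDAP_CHECK_FIELD1_VALUE']) ? $config['LDAP_CHECK_FIELD1_VALUE'] : '';
$f2_check = isset($config['LDAP_CHECK_FIELD2_VALUE']) ? $config['LDAP_CHECK_FIELD2_VALUE'] : '';
$f1_value = ($f1_name !== '' && isset($details[$f1_name])) ? $details[$f1_name] : '';
$f2_value = ($f2_name !== '' && isset($details[$f2_name])) ? $details[$f2_name] : '';

// "present" means a non-empty string or a non-empty array. empty() is not used
// here because it also treats the string "0" as absent, and "0" is a legitimate
// attribute value (see the FIELD1_VALUE="0" example in the header).
if ($f1_value !== '' && $f1_value !== array()) {
    if (strtolower($f1_name) == "memberof") {
        // memberOf is multi-valued: keep only the group that matches the
        // configured value so the comparison below sees a scalar. If nothing
        // matches, $f1_value stays an array and the comparison fails.
        foreach ((array) $f1_value as $group) {
            if ($group == $f1_check) {
                $f1_value = $group;
                break;
            }
        }
    }
    // Loose comparison kept on purpose: existing configs rely on it.
    if ($f1_value == $f1_check) {
        $defaultRole = isset($config['LDAP_CHECK_FIELD1_ROLE']) ? $config['LDAP_CHECK_FIELD1_ROLE'] : '';
    }
}

// Same logic for the second check field; FIELD2 wins when both match.
if ($f2_value !== '' && $f2_value !== array()) {
    if (strtolower($f2_name) == "memberof") {
        foreach ((array) $f2_value as $group) {
            if ($group == $f2_check) {
                $f2_value = $group;
                break;
            }
        }
    }
    if ($f2_value == $f2_check) {
        $defaultRole = isset($config['LDAP_CHECK_FIELD2_ROLE']) ? $config['LDAP_CHECK_FIELD2_ROLE'] : '';
    }
}

// note: the global DEBUG toggle is not available yet at this point of the
// login sequence, so there is no debug output in this module.

//if defaultRole is defined
if ($defaultRole !== '') {
    // if it doesn't exist, create the user record
    if (!mysqli_fetch_object($resOp)) {
        $reqInsert = "INSERT INTO operators (
                    ID,
                    FIRSTNAME,
                    LASTNAME,
                    PASSWD,
                    COMMENTS,
                    NEW_ACCESSLVL,
                    EMAIL,
                    USER_GROUP
                    )
                    VALUES ('%s','%s', '%s', '%s','%s', '%s', '%s', '%s')";

        // Empty PASSWD: LDAP operators never authenticate against the local
        // password column. USER_GROUP receives the literal string "NULL"
        // (historical behaviour kept as-is; NOTE(review): confirm whether a
        // real SQL NULL was intended).
        $arg_insert = array(
            $_SESSION['OCS']["loggeduser"],
            isset($details['givenname']) ? $details['givenname'] : '',
            isset($details['sn']) ? $details['sn'] : '',
            "",
            "LDAP",
            $defaultRole,
            isset($details['mail']) ? $details['mail'] : '',
            "NULL",
        );
    } else {
        // else update it
        $reqInsert = "UPDATE operators SET
                    NEW_ACCESSLVL='%s',
                    EMAIL='%s'
                    WHERE ID='%s'";

        $arg_insert = array(
            $defaultRole,
            isset($details['mail']) ? $details['mail'] : '',
            $_SESSION['OCS']["loggeduser"],
        );
    }
    connexion_local_write();
    // select the main database
    mysqli_select_db($link_ocs, $db_ocs);
    // Execute the query to insert/update the user record
    mysql2_query_secure($reqInsert, $link_ocs, $arg_insert);

    // repeat the query and define the needed OCS variables
    // note: original OCS code below
    connexion_local_read();

    // select the main database
    mysqli_select_db($link_ocs, $db_ocs);
    $resOp = mysql2_query_secure($reqOp, $link_ocs, $argOp);
    $rowOp = mysqli_fetch_object($resOp);
    if (isset($rowOp->accesslvl)) {
        $lvluser = $rowOp->accesslvl;

        $profile_config = PROFILES_DIR . $lvluser . '.xml';

        // profiles created before 2.2 live in the database; migrate them first
        if (!file_exists($profile_config)) {
            migrate_config_2_2();
        }

        $profile_serializer = new XMLProfileSerializer();
        $profile = $profile_serializer->unserialize($lvluser, file_get_contents($profile_config));

        $restriction = $profile->getRestriction('GUI');

        //if this user has RESTRICTION
        //search all tag for this user
        if ($restriction == 'YES') {
            $sql = "select tag from tags where login='%s'";
            $arg = array($_SESSION['OCS']["loggeduser"]);
            $res = mysql2_query_secure($sql, $link_ocs, $arg);
            while ($row = mysqli_fetch_object($res)) {
                // Check for wildcard
                if (strpos($row->tag, '*') !== false || strpos($row->tag, '?') !== false) {
                    // Translate shell-style wildcards into SQL LIKE wildcards
                    // and expand them against the real TAG values. The pattern
                    // is passed as a bound argument, like every other query in
                    // this module, instead of being interpolated into the SQL.
                    // (A literal '%' or '_' in a tag is still treated as a
                    // LIKE wildcard, as before.)
                    $pattern = str_replace(array('*', '?'), array('%', '_'), $row->tag);
                    $sql_wildcard = "SELECT TAG FROM `accountinfo` WHERE TAG LIKE '%s' GROUP BY TAG";
                    $res_wildcard = mysql2_query_secure($sql_wildcard, $link_ocs, array($pattern));
                    while ($row_wildcard = mysqli_fetch_object($res_wildcard)) {
                        $list_tag[$row_wildcard->TAG] = $row_wildcard->TAG;
                    }
                } else {
                    $list_tag[$row->tag] = $row->tag;
                }
            }
            // $list_tag is deliberately left unset when no tag matched; the
            // including code tests isset() on it.
            if (!isset($list_tag)) {
                $ERROR = $l->g(893);
            }
        } elseif (($restriction != 'NO')) {
            $ERROR = $restriction;
        }
    } else {
        $ERROR = $l->g(894);
    }
} else {
    $ERROR = $l->g(1278);
}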