2015-06-05 14:52:46 +02:00
|
|
|
<?php
|
|
|
|
/* Icinga Web 2 | (c) 2013-2015 Icinga Development Team | GPLv2+ */
|
|
|
|
|
|
|
|
namespace Icinga\Forms\Config\UserGroup;
|
|
|
|
|
|
|
|
use Icinga\Application\Config;
|
|
|
|
use Icinga\Authentication\User\UserBackend;
|
|
|
|
use Icinga\Authentication\UserGroup\LdapUserGroupBackend;
|
|
|
|
use Icinga\Data\ConfigObject;
|
|
|
|
use Icinga\Data\ResourceFactory;
|
|
|
|
use Icinga\Protocol\Ldap\Connection;
|
|
|
|
use Icinga\Web\Form;
|
|
|
|
use Icinga\Web\Notification;
|
|
|
|
|
|
|
|
/**
|
|
|
|
* Form for managing LDAP user group backends
|
|
|
|
*/
|
|
|
|
class LdapUserGroupBackendForm extends Form
|
|
|
|
{
|
|
|
|
/**
|
|
|
|
* Initialize this form
|
|
|
|
*/
|
|
|
|
public function init()
|
|
|
|
{
|
|
|
|
$this->setName('form_config_ldapusergroupbackend');
|
|
|
|
}
|
|
|
|
|
|
|
|
/**
|
|
|
|
* Create and add elements to this form
|
|
|
|
*
|
|
|
|
* @param array $formData
|
|
|
|
*/
|
|
|
|
public function createElements(array $formData)
|
|
|
|
{
|
|
|
|
$resourceNames = $this->getLdapResourceNames();
|
|
|
|
$this->addElement(
|
|
|
|
'select',
|
|
|
|
'resource',
|
|
|
|
array(
|
|
|
|
'required' => true,
|
|
|
|
'autosubmit' => true,
|
|
|
|
'label' => $this->translate('LDAP Connection'),
|
|
|
|
'description' => $this->translate('The LDAP connection to use for this backend.'),
|
|
|
|
'multiOptions' => array_combine($resourceNames, $resourceNames)
|
|
|
|
)
|
|
|
|
);
|
|
|
|
$resource = ResourceFactory::create(
|
|
|
|
isset($formData['resource']) && in_array($formData['resource'], $resourceNames)
|
|
|
|
? $formData['resource']
|
|
|
|
: $resourceNames[0]
|
|
|
|
);
|
|
|
|
|
|
|
|
$userBackends = array('none' => $this->translate('None', 'usergroupbackend.ldap.user_backend'));
|
|
|
|
$userBackendNames = $this->getLdapUserBackendNames($resource);
|
|
|
|
if (! empty($userBackendNames)) {
|
|
|
|
$userBackends = array_merge($userBackends, array_combine($userBackendNames, $userBackendNames));
|
|
|
|
}
|
|
|
|
$this->addElement(
|
|
|
|
'select',
|
|
|
|
'user_backend',
|
|
|
|
array(
|
|
|
|
'required' => true,
|
|
|
|
'autosubmit' => true,
|
|
|
|
'label' => $this->translate('User Backend'),
|
|
|
|
'description' => $this->translate('The user backend to link with this user group backend.'),
|
|
|
|
'multiOptions' => $userBackends
|
|
|
|
)
|
|
|
|
);
|
|
|
|
|
|
|
|
$groupBackend = new LdapUserGroupBackend($resource);
|
|
|
|
if ($formData['type'] === 'ldap') {
|
|
|
|
$defaults = $groupBackend->getOpenLdapDefaults();
|
2015-06-05 16:07:27 +02:00
|
|
|
$groupConfigDisabled = $userConfigDisabled = null; // MUST BE null, do NOT change this to false!
|
2015-06-05 14:52:46 +02:00
|
|
|
} else { // $formData['type'] === 'msldap'
|
|
|
|
$defaults = $groupBackend->getActiveDirectoryDefaults();
|
2015-06-05 16:07:27 +02:00
|
|
|
$groupConfigDisabled = $userConfigDisabled = true;
|
2015-06-05 14:52:46 +02:00
|
|
|
}
|
|
|
|
|
2015-06-05 16:16:35 +02:00
|
|
|
$dnDisabled = null; // MUST BE null
|
2015-06-05 14:52:46 +02:00
|
|
|
if (isset($formData['user_backend']) && $formData['user_backend'] !== 'none') {
|
|
|
|
$userBackend = UserBackend::create($formData['user_backend']);
|
|
|
|
$defaults->merge(array(
|
|
|
|
'user_base_dn' => $userBackend->getBaseDn(),
|
|
|
|
'user_class' => $userBackend->getUserClass(),
|
|
|
|
'user_name_attribute' => $userBackend->getUserNameAttribute(),
|
|
|
|
'user_filter' => $userBackend->getFilter()
|
|
|
|
));
|
2015-06-05 16:16:35 +02:00
|
|
|
$userConfigDisabled = $dnDisabled = true;
|
2015-06-05 14:52:46 +02:00
|
|
|
}
|
|
|
|
|
2015-06-05 16:07:27 +02:00
|
|
|
$this->createGroupConfigElements($defaults, $groupConfigDisabled);
|
2015-06-05 16:16:35 +02:00
|
|
|
$this->createUserConfigElements($defaults, $userConfigDisabled, $dnDisabled);
|
2015-06-05 14:52:46 +02:00
|
|
|
}
|
|
|
|
|
|
|
|
/**
|
|
|
|
* Create and add all elements to this form required for the group configuration
|
|
|
|
*
|
|
|
|
* @param ConfigObject $defaults
|
|
|
|
* @param null|bool $disabled
|
|
|
|
*/
|
|
|
|
protected function createGroupConfigElements(ConfigObject $defaults, $disabled)
|
|
|
|
{
|
|
|
|
$this->addElement(
|
|
|
|
'text',
|
|
|
|
'group_class',
|
|
|
|
array(
|
|
|
|
'preserveDefault' => true,
|
2015-06-05 16:34:28 +02:00
|
|
|
'ignore' => $disabled,
|
2015-06-05 14:52:46 +02:00
|
|
|
'disabled' => $disabled,
|
|
|
|
'label' => $this->translate('LDAP Group Object Class'),
|
|
|
|
'description' => $this->translate('The object class used for storing groups on the LDAP server.'),
|
|
|
|
'value' => $defaults->group_class
|
|
|
|
)
|
|
|
|
);
|
|
|
|
$this->addElement(
|
|
|
|
'text',
|
|
|
|
'group_filter',
|
|
|
|
array(
|
|
|
|
'preserveDefault' => true,
|
|
|
|
'allowEmpty' => true,
|
|
|
|
'label' => $this->translate('LDAP Group Filter'),
|
|
|
|
'description' => $this->translate(
|
|
|
|
'An additional filter to use when looking up groups using the specified connection. '
|
|
|
|
. 'Leave empty to not to use any additional filter rules.'
|
|
|
|
),
|
|
|
|
'requirement' => $this->translate(
|
|
|
|
'The filter needs to be expressed as standard LDAP expression, without'
|
|
|
|
. ' outer parentheses. (e.g. &(foo=bar)(bar=foo) or foo=bar)'
|
|
|
|
),
|
|
|
|
'validators' => array(
|
|
|
|
array(
|
|
|
|
'Callback',
|
|
|
|
false,
|
|
|
|
array(
|
|
|
|
'callback' => function ($v) {
|
|
|
|
return strpos($v, '(') !== 0;
|
|
|
|
},
|
|
|
|
'messages' => array(
|
|
|
|
'callbackValue' => $this->translate('The filter must not be wrapped in parantheses.')
|
|
|
|
)
|
|
|
|
)
|
|
|
|
)
|
|
|
|
),
|
|
|
|
'value' => $defaults->group_filter
|
|
|
|
)
|
|
|
|
);
|
|
|
|
$this->addElement(
|
|
|
|
'text',
|
|
|
|
'group_name_attribute',
|
|
|
|
array(
|
|
|
|
'preserveDefault' => true,
|
2015-06-05 16:34:28 +02:00
|
|
|
'ignore' => $disabled,
|
2015-06-05 14:52:46 +02:00
|
|
|
'disabled' => $disabled,
|
|
|
|
'label' => $this->translate('LDAP Group Name Attribute'),
|
|
|
|
'description' => $this->translate(
|
|
|
|
'The attribute name used for storing a group\'s name on the LDAP server.'
|
|
|
|
),
|
|
|
|
'value' => $defaults->group_name_attribute
|
|
|
|
)
|
|
|
|
);
|
|
|
|
$this->addElement(
|
|
|
|
'text',
|
|
|
|
'base_dn',
|
|
|
|
array(
|
|
|
|
'preserveDefault' => true,
|
|
|
|
'label' => $this->translate('LDAP Group Base DN'),
|
|
|
|
'description' => $this->translate(
|
|
|
|
'The path where groups can be found on the LDAP server. Leave ' .
|
|
|
|
'empty to select all users available using the specified connection.'
|
|
|
|
),
|
|
|
|
'value' => $defaults->base_dn
|
|
|
|
)
|
|
|
|
);
|
|
|
|
}
|
|
|
|
|
|
|
|
/**
|
|
|
|
* Create and add all elements to this form required for the user configuration
|
|
|
|
*
|
|
|
|
* @param ConfigObject $defaults
|
|
|
|
* @param null|bool $disabled
|
2015-06-05 16:16:35 +02:00
|
|
|
* @param null|bool $dnDisabled
|
2015-06-05 14:52:46 +02:00
|
|
|
*/
|
2015-06-05 16:16:35 +02:00
|
|
|
protected function createUserConfigElements(ConfigObject $defaults, $disabled, $dnDisabled)
|
2015-06-05 14:52:46 +02:00
|
|
|
{
|
|
|
|
$this->addElement(
|
|
|
|
'text',
|
|
|
|
'user_class',
|
|
|
|
array(
|
|
|
|
'preserveDefault' => true,
|
2015-06-05 16:34:28 +02:00
|
|
|
'ignore' => $disabled,
|
2015-06-05 14:52:46 +02:00
|
|
|
'disabled' => $disabled,
|
|
|
|
'label' => $this->translate('LDAP User Object Class'),
|
|
|
|
'description' => $this->translate('The object class used for storing users on the LDAP server.'),
|
|
|
|
'value' => $defaults->user_class
|
|
|
|
)
|
|
|
|
);
|
|
|
|
$this->addElement(
|
|
|
|
'text',
|
|
|
|
'user_filter',
|
|
|
|
array(
|
|
|
|
'preserveDefault' => true,
|
|
|
|
'allowEmpty' => true,
|
2015-06-05 17:24:03 +02:00
|
|
|
'ignore' => $dnDisabled,
|
|
|
|
'disabled' => $dnDisabled,
|
2015-06-05 14:52:46 +02:00
|
|
|
'label' => $this->translate('LDAP User Filter'),
|
|
|
|
'description' => $this->translate(
|
|
|
|
'An additional filter to use when looking up users using the specified connection. '
|
|
|
|
. 'Leave empty to not to use any additional filter rules.'
|
|
|
|
),
|
|
|
|
'requirement' => $this->translate(
|
|
|
|
'The filter needs to be expressed as standard LDAP expression, without'
|
|
|
|
. ' outer parentheses. (e.g. &(foo=bar)(bar=foo) or foo=bar)'
|
|
|
|
),
|
|
|
|
'validators' => array(
|
|
|
|
array(
|
|
|
|
'Callback',
|
|
|
|
false,
|
|
|
|
array(
|
|
|
|
'callback' => function ($v) {
|
|
|
|
return strpos($v, '(') !== 0;
|
|
|
|
},
|
|
|
|
'messages' => array(
|
|
|
|
'callbackValue' => $this->translate('The filter must not be wrapped in parantheses.')
|
|
|
|
)
|
|
|
|
)
|
|
|
|
)
|
|
|
|
),
|
|
|
|
'value' => $defaults->user_filter
|
|
|
|
)
|
|
|
|
);
|
|
|
|
$this->addElement(
|
|
|
|
'text',
|
|
|
|
'user_name_attribute',
|
|
|
|
array(
|
|
|
|
'preserveDefault' => true,
|
2015-06-05 16:34:28 +02:00
|
|
|
'ignore' => $disabled,
|
2015-06-05 14:52:46 +02:00
|
|
|
'disabled' => $disabled,
|
|
|
|
'label' => $this->translate('LDAP User Name Attribute'),
|
|
|
|
'description' => $this->translate(
|
|
|
|
'The attribute name used for storing a user\'s name on the LDAP server.'
|
|
|
|
),
|
|
|
|
'value' => $defaults->user_name_attribute
|
|
|
|
)
|
|
|
|
);
|
|
|
|
$this->addElement(
|
|
|
|
'text',
|
|
|
|
'user_base_dn',
|
|
|
|
array(
|
|
|
|
'preserveDefault' => true,
|
2015-06-05 16:34:28 +02:00
|
|
|
'ignore' => $dnDisabled,
|
2015-06-05 16:16:35 +02:00
|
|
|
'disabled' => $dnDisabled,
|
2015-06-05 14:52:46 +02:00
|
|
|
'label' => $this->translate('LDAP User Base DN'),
|
|
|
|
'description' => $this->translate(
|
|
|
|
'The path where users can be found on the LDAP server. Leave ' .
|
|
|
|
'empty to select all users available using the specified connection.'
|
|
|
|
),
|
|
|
|
'value' => $defaults->user_base_dn
|
|
|
|
)
|
|
|
|
);
|
|
|
|
}
|
|
|
|
|
|
|
|
/**
|
|
|
|
* Return the names of all configured LDAP resources
|
|
|
|
*
|
|
|
|
* @return array
|
|
|
|
*/
|
|
|
|
protected function getLdapResourceNames()
|
|
|
|
{
|
|
|
|
$names = array();
|
|
|
|
foreach (ResourceFactory::getResourceConfigs() as $name => $config) {
|
|
|
|
if (in_array(strtolower($config->type), array('ldap', 'msldap'))) {
|
|
|
|
$names[] = $name;
|
|
|
|
}
|
|
|
|
}
|
|
|
|
|
|
|
|
if (empty($names)) {
|
|
|
|
Notification::error(
|
|
|
|
$this->translate('No LDAP resources available. Please configure an LDAP resource first.')
|
|
|
|
);
|
|
|
|
$this->getResponse()->redirectAndExit('config/createresource');
|
|
|
|
}
|
|
|
|
|
|
|
|
return $names;
|
|
|
|
}
|
|
|
|
|
|
|
|
/**
|
|
|
|
* Return the names of all configured LDAP user backends
|
|
|
|
*
|
|
|
|
* @param Connection $resource
|
|
|
|
*
|
|
|
|
* @return array
|
|
|
|
*/
|
|
|
|
protected function getLdapUserBackendNames(Connection $resource)
|
|
|
|
{
|
|
|
|
$names = array();
|
|
|
|
foreach (Config::app('authentication') as $name => $config) {
|
|
|
|
if (in_array(strtolower($config->backend), array('ldap', 'msldap'))) {
|
|
|
|
$backendResource = ResourceFactory::create($config->resource);
|
|
|
|
if (
|
|
|
|
$backendResource->getHostname() === $resource->getHostname()
|
|
|
|
&& $backendResource->getPort() === $resource->getPort()
|
|
|
|
) {
|
|
|
|
$names[] = $name;
|
|
|
|
}
|
|
|
|
}
|
|
|
|
}
|
|
|
|
|
|
|
|
return $names;
|
|
|
|
}
|
|
|
|
}
|