
function ldap_servers_update_7201 in Lightweight Directory Access Protocol (LDAP) 7.2

Same name and namespace in other branches
  1. 8.2 ldap_servers/ldap_servers.install \ldap_servers_update_7201()

Upgrade as much as feasible for 7.1 to 7.2 branch.

File

ldap_servers/ldap_servers.install, line 531
Install, update and uninstall functions for the LDAP API module.

Code

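/**
 * Upgrade as much as feasible for 7.1 to 7.2 branch.
 *
 * Runs five steps, each of which appends plain-language entries to a change
 * log that is written to watchdog and returned as the update summary:
 *   1. Enable ldap_user when ldap_authentication or ldap_authorization is on.
 *   2. Add any fields missing from the ldap_servers, ldap_authorization and
 *      ldap_query schemas.
 *   3. Copy the group-derivation settings of the best 7.x-1.x
 *      ldap_authorization record into the ldap_servers record it refers to.
 *   4. Drop the ldap_authorization columns that moved to ldap_servers.
 *   5. Move conflict-resolution and account-creation settings from the
 *      ldap_authentication_conf variable to ldap_user_conf.
 *
 * @return string
 *   HTML summary of the changes made; the same text is logged to watchdog.
 */
function ldap_servers_update_7201() {
  $change_log = [];

  // 1. ldap_user is now required for ldap_authentication and ldap_authorization.
  if (module_exists('ldap_authentication') || module_exists('ldap_authorization')) {
    module_enable(['ldap_user'], TRUE);
    $change_log[] = t('LDAP User Module Enabled');
  }

  /**
   * ldap_servers and ldap_authorization tables in 7.x-1.x to 7.x-2.x update
   *
   * LDAP_SERVERS fields that don't change:
   *  sid, numeric_sid, name, status, ldap_type, address, port, tls, bind_method,
   *  binding_service_acct, binddn, bindpw, basedn, user_attr, account_name_attr,
   *  mail_attr, mail_template, unique_persistent_attr, user_dn_expression,
   *  testing_drupal_username, group_object_category
   *  search_pagination, search_page_size, ldap_to_drupal_user,
   *
   * LDAP_SERVERS fields not populated in update:
   *   unique_persistent_attr_binary
   *   testingDrupalUserDn
   *   groupTestGroupDn - new no value in it and not important
   *   groupTestGroupDnWriteable - new no value in it and not important
   *
   * LDAP_SERVERS fields set/adjusted in update:
   *   groupNested
   *   groupFunctionalityUnused = 1 if ldap authorization tables exist
   *   groupDeriveFromDn from option IIA of ldap authorization
   *   groupDeriveFromDnAttr from option IIA of ldap authorization
   *   groupUserMembershipsAttrExists = 1 if option IIB used in ldap authorization
   *   groupUserMembershipsAttr  get from ldap authorization  IIB
   *   groupMembershipsAttr from option IIC in ldap authorization derive from entry
   *   groupMembershipsAttrMatchingUserAttr from option IIC
   *
   *
   * LDAP_AUTHORIZATION fields that don't change:
   *   numeric_consumer_conf_id, sid, consumer_type, consumer_module
   *   status, only_ldap_authenticated, mappings, use_filter,
   *   synchronization_modes, synchronization_actions, synch_to_ldap,
   *   synch_on_logon, revoke_ldap_provisioned, create_consumers,
   *   regrant_ldap_provisioned
   *
   * LDAP_AUTHORIZATION fields populated in update:
   *   useFirstAttrAsGroupId = derive_from_attr_use_first_attr || derive_from_entry_use_first_attr
   *
   * LDAP_AUTHORIZATION fields to remove in update
   *    derive_from_dn, derive_from_dn_attr, derive_from_entry, derive_from_attr
   *    derive_from_attr_attr, derive_from_entry, derive_from_entry_attr,
   *    derive_from_entry_entries_attr, derive_from_entry_nested,
   *    derive_from_attr_use_first_attr, derive_from_entry_search_all
   *    derive_from_entry_use_first_attr
   *
   */

  // 2. Add any missing fields from schema.
  ldap_servers_install_update_schema(ldap_servers_schema(), $change_log);
  if (module_exists('ldap_authorization')) {
    ldap_servers_install_update_schema(ldap_authorization_schema(), $change_log);
  }
  if (module_exists('ldap_query')) {
    ldap_servers_install_update_schema(ldap_query_schema(), $change_log);
  }

  // 3. Move configuration data that has changed location within ldap modules.
  $field_changes = _ldap_servers_update_7201_field_changes();
  _ldap_servers_update_7201_apply_field_changes($field_changes, $change_log);

  // 4. Remove ldap_authorization fields that are unused.
  $ldap_authorization_fields_to_remove = [
    'derive_from_dn',
    'derive_from_dn_attr',
    'derive_from_attr',
    'derive_from_entry',
    'derive_from_attr_attr',
    'derive_from_entry_attr',
    'derive_from_entry_entries_attr',
    'derive_from_entry_nested',
    'derive_from_entry_search_all',
    'derive_from_entry_use_first_attr',
    'derive_from_attr_use_first_attr',
  ];
  // The table only exists when ldap_authorization was installed; drop and log
  // only when there is actually something to remove, so the summary does not
  // claim columns were dropped from a table that was never there.
  if (db_table_exists('ldap_authorization')) {
    foreach ($ldap_authorization_fields_to_remove as $ldap_authorization_field) {
      db_drop_field('ldap_authorization', $ldap_authorization_field);
    }
    $change_log[] = t("ldap_authorization table fields removed: !fields_removed", [
      '!fields_removed' => implode(', ', $ldap_authorization_fields_to_remove),
    ]);
  }

  // 5. ldap_authentication and ldap_user changes are in variables, not tables.
  _ldap_servers_update_7201_move_variables($change_log);

  $summary = '<h2>' . t('Please check through all the LDAP module configuration pages.
    The update from 7.x-1.x to 7.x-2.x is not automatable!  The configuration pages
    must be read through and configured.') . '</h2>' . theme('item_list', [
    'items' => $change_log,
    'type' => 'ul',
    'title' => 'Changes in 7.x-1.x to 7.x-2.x update',
  ]);
  watchdog('ldap_servers', $summary, [], WATCHDOG_INFO);
  return $summary;
}

/**
 * Step 3 of ldap_servers_update_7201(): derives 7.x-2.x field values.
 *
 * The 7.x-1.x ldap_authorization record with the highest weight (enabled
 * records score 1, drupal_role consumers score another 1) is used as the
 * source. The ldap_servers record with the same sid receives its
 * group-derivation settings; every other server is flagged
 * groupFunctionalityUnused. Nothing is derived when the ldap_authorization
 * table does not exist.
 *
 * @return array
 *   Nested as [table name][record id][field name] => value. ldap_servers
 *   entries are keyed by sid, ldap_authorization entries by consumer_type.
 */
function _ldap_servers_update_7201_field_changes() {
  $field_changes = [];
  if (!db_table_exists('ldap_authorization')) {
    return $field_changes;
  }

  $ldap_server_records = [];
  $select = db_select('ldap_servers')
    ->fields('ldap_servers')
    ->execute();
  foreach ($select as $record) {
    $ldap_server_records[$record->sid] = $record;
  }

  // Pick best ldap authorization conf to use to configure ldap server.
  $authz = NULL;
  $max_weight = -1;
  $select = db_select('ldap_authorization', 'authz')
    ->fields('authz')
    ->execute();
  foreach ($select as $record) {
    $weight = (int) $record->status + (int) ($record->consumer_type == 'drupal_role');
    if ($weight > $max_weight) {
      $max_weight = $weight;
      $authz = $record;
    }
  }

  foreach ($ldap_server_records as $sid => $ldap_server_record) {
    // Loose comparison on purpose: PHP turns a numeric sid into an int when it
    // is used as an array key, while the record field stays a string.
    if (!$authz || $authz->sid != $sid) {
      $field_changes['ldap_servers'][$sid]['groupFunctionalityUnused'] = 1;
      continue;
    }

    $server_changes = ['groupFunctionalityUnused' => 0];
    if ($authz->derive_from_dn) {
      $server_changes['groupDeriveFromDn'] = 1;
      $server_changes['groupDeriveFromDnAttr'] = $authz->derive_from_dn_attr;
    }
    if ($authz->derive_from_attr) {
      $server_changes['groupUserMembershipsAttrExists'] = 1;
      $server_changes['groupUserMembershipsAttr'] = $authz->derive_from_attr_attr;
    }
    if ($authz->derive_from_entry) {
      // Eg members.
      $server_changes['groupMembershipsAttr'] = $authz->derive_from_entry_attr;
      // Eg dn.
      $server_changes['groupMembershipsAttrMatchingUserAttr'] = $authz->derive_from_entry_entries_attr;
    }
    if ($authz->derive_from_entry_nested) {
      $server_changes['groupNested'] = 1;
    }
    $field_changes['ldap_servers'][$sid] = $server_changes;

    if ($authz->derive_from_attr_use_first_attr || $authz->derive_from_entry_use_first_attr) {
      $field_changes['ldap_authorization'][$authz->consumer_type]['useFirstAttrAsGroupId'] = 1;
    }
  }
  return $field_changes;
}

/**
 * Step 3 of ldap_servers_update_7201(): writes derived field values back.
 *
 * @param array $field_changes
 *   Output of _ldap_servers_update_7201_field_changes().
 * @param array $change_log
 *   Change log entries are appended in place.
 */
function _ldap_servers_update_7201_apply_field_changes(array $field_changes, array &$change_log) {
  // Column identifying a record in each table that may be updated. Tables not
  // listed here are skipped. ldap_authorization changes are keyed by
  // consumer_type; the 7.x-1.x code filtered that table on sid, which never
  // matches a consumer type, so useFirstAttrAsGroupId was never written.
  $id_field_names = [
    'ldap_servers' => 'sid',
    'ldap_authorization' => 'consumer_type',
  ];
  foreach ($field_changes as $table_name => $records) {
    if (!isset($id_field_names[$table_name])) {
      continue;
    }
    $id_field_name = $id_field_names[$table_name];
    foreach ($records as $id => $field_data) {
      if (!count($field_data)) {
        continue;
      }
      // '@' placeholders: the id comes from the database and the summary is
      // rendered as HTML, so it must be escaped rather than inserted raw.
      $change_log[] = t("@table_name where @id_field_name = @id values updated", [
        '@table_name' => $table_name,
        '@id_field_name' => $id_field_name,
        '@id' => $id,
      ]);
      db_update($table_name)
        ->fields($field_data)
        ->condition($id_field_name, $id, '=')
        ->execute();
    }
  }
}

/**
 * Step 5 of ldap_servers_update_7201(): moves variable-based settings.
 *
 * Reads ldap_authentication_conf and ldap_user_conf, moves the
 * loginConflictResolve and acctCreation settings into ldap_user_conf (with
 * defaults when absent), sets manualAccountConflict, and writes both
 * variables back.
 *
 * @param array $change_log
 *   Change log entries are appended in place.
 */
function _ldap_servers_update_7201_move_variables(array &$change_log) {
  $authentication_conf = variable_get('ldap_authentication_conf', []);
  // A site without a saved configuration has no 'sids' key at all; reading it
  // unguarded raised an undefined-index notice.
  if (!isset($authentication_conf['sids']) || !is_array($authentication_conf['sids'])) {
    $authentication_conf['sids'] = [];
  }
  $user_conf = variable_get('ldap_user_conf', []);

  // A single authentication server becomes the account-provisioning server.
  $authentication_sids = array_keys($authentication_conf['sids']);
  if (count($authentication_sids) == 1) {
    $user_conf['drupalAcctProvisionServer'] = $authentication_sids[0];
  }

  // Conflict log vs resolve moved from ldap_authentication to ldap_user.
  if (!empty($authentication_conf['authenticationMode'])) {
    $login_conflict_resolve = isset($authentication_conf['loginConflictResolve'])
      ? $authentication_conf['loginConflictResolve']
      : NULL;
    if ($login_conflict_resolve == LDAP_AUTHENTICATION_CONFLICT_LOG) {
      $user_conf['userConflictResolve'] = LDAP_USER_CONFLICT_LOG;
      $change_log[] = t('ldap_authentication_conf -> userConflictResolve set to') . LDAP_USER_CONFLICT_LOG;
    }
    elseif ($login_conflict_resolve == LDAP_AUTHENTICATION_CONFLICT_RESOLVE) {
      $user_conf['userConflictResolve'] = LDAP_USER_CONFLICT_RESOLVE;
      $change_log[] = t('ldap_authentication_conf -> userConflictResolve set to') . LDAP_USER_CONFLICT_RESOLVE;
    }
    unset($authentication_conf['loginConflictResolve']);
    $change_log[] = t('ldap_authentication_conf -> loginConflictResolve value removed');
  }
  else {
    $user_conf['userConflictResolve'] = LDAP_USER_CONFLICT_RESOLVE_DEFAULT;
    $change_log[] = t('ldap_authentication_conf -> userConflictResolve set to') . LDAP_USER_CONFLICT_RESOLVE_DEFAULT;
  }

  if (isset($authentication_conf['acctCreation'])) {
    $user_conf['acctCreation'] = $authentication_conf['acctCreation'];
    $change_log[] = t('ldap_user_conf -> acctCreation set to value in ldap_authentication_conf -> acctCreation');
    unset($authentication_conf['acctCreation']);
    $change_log[] = t('ldap_authentication_conf -> acctCreation value removed');
  }
  else {
    $user_conf['acctCreation'] = LDAP_USER_ACCT_CREATION_LDAP_BEHAVIOR_DEFAULT;
    $change_log[] = t('ldap_user_conf -> acctCreation set to default:') . ' ' . LDAP_USER_ACCT_CREATION_LDAP_BEHAVIOR_DEFAULT;
  }

  $user_conf['manualAccountConflict'] = LDAP_USER_MANUAL_ACCT_CONFLICT_REJECT;
  $change_log[] = t('ldap_user_conf -> manualAccountConflict set to default:') . ' ' . LDAP_USER_MANUAL_ACCT_CONFLICT_REJECT;
  $change_log[] = t('LDAP User configuration populated.');
  $change_log[] = t('LDAP Authentication configuration updated.');
  variable_set('ldap_authentication_conf', $authentication_conf);
  variable_set('ldap_user_conf', $user_conf);
}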