You are here

ldapgroups.module in LDAP integration 6

Same filename and directory in other branches
  1. 5.2 ldapgroups.module
  2. 5 ldapgroups.module

ldapgroups integrates ldap groups with drupal roles.

File

ldapgroups.module
View source
<?php

/**
 * @file
 * ldapgroups integrates ldap groups with drupal roles.
 */

//////////////////////////////////////////////////////////////////////////////
define('LDAPGROUPS_DEFAULT_DN_ATTRIBUTE', 'ou');
define('LDAPGROUPS_DEFAULT_ENTRIES_ATTRIBUTE', 'member');
define('LDAPGROUPS_RULE_TYPE_ALLOW', 'ALLOW');
define('LDAPGROUPS_RULE_TYPE_DENY', 'DENY');
define('LDAPGROUPS_RULE_TYPE_ALLOW_X', 'ALLOW-X');
define('LDAPGROUPS_RULE_TYPE_DENY_X', 'DENY-X');
define('LDAPGROUPS_GROUP_ALL', 'ALL');
define('LDAPGROUPS_GROUP_EXISTING', 'EXISTING');
define('LDAPGROUPS_ROLE_MODE_DISABLED', 2);
define('LDAPGROUPS_ROLE_MODE_USE_MAP', 1);
define('LDAPGROUPS_ROLE_MODE_AUTO', 0);

//////////////////////////////////////////////////////////////////////////////

// Core API hooks

/**
 * Implementation of hook_menu().
 */
function ldapgroups_menu() {
  return array(
    'admin/settings/ldap/ldapgroups' => array(
      'title' => 'Groups',
      'description' => 'Configure LDAP groups to Drupal roles mapping settings.',
      'page callback' => 'drupal_get_form',
      'page arguments' => array(
        'ldapgroups_admin_settings',
      ),
      'access arguments' => array(
        'administer ldap modules',
      ),
      'file' => 'ldapgroups.admin.inc',
    ),
    'admin/settings/ldap/ldapgroups/configure' => array(
      'title' => 'Settings',
      'type' => MENU_DEFAULT_LOCAL_TASK,
    ),
    'admin/settings/ldap/ldapgroups/test' => array(
      'title' => 'Test Group Settings',
      'page callback' => 'drupal_get_form',
      'page arguments' => array(
        'ldapgroups_user_test',
      ),
      'access arguments' => array(
        'administer ldap modules',
      ),
      'file' => 'ldapgroups.admin.inc',
      'type' => MENU_LOCAL_TASK,
      'weight' => 1,
    ),
    'admin/settings/ldap/ldapgroups/edit' => array(
      'title' => 'Groups',
      'page callback' => 'drupal_get_form',
      'page arguments' => array(
        'ldapgroups_admin_edit',
        4,
        5,
      ),
      'type' => MENU_CALLBACK,
      'access arguments' => array(
        'administer ldap modules',
      ),
      'file' => 'ldapgroups.admin.inc',
    ),
    'admin/settings/ldap/ldapgroups/reset' => array(
      'title' => 'Groups',
      'page callback' => 'drupal_get_form',
      'page arguments' => array(
        'ldapgroups_admin_edit',
        4,
        5,
      ),
      'type' => MENU_CALLBACK,
      'weight' => 1,
      'access arguments' => array(
        'administer ldap modules',
      ),
      'file' => 'ldapgroups.admin.inc',
    ),
  );
}

/**
 * Implements hook_user().
 */
function ldapgroups_user($op, &$edit, &$account, $category = NULL) {

  // Only care about ldap authenticated users.
  if (!isset($account->ldap_authentified)) {
    return;
  }
  switch ($op) {
    case 'login':
      module_load_include('inc', 'ldapauth', 'includes/ldap.core');
      module_load_include('inc', 'ldapauth', 'includes/LDAPInterface');
      module_load_include('inc', 'ldapgroups', 'ldapgroups');
      ldapgroups_user_login($account);
      break;
  }
}

/**
 * Implementation of hook_schema_alter().
 *
 * @param &$schema Nested array describing the schemas for all modules.
 */
function ldapgroups_schema_alter($schema) {
  $schema['ldapauth']['fields']['ldapgroups_in_dn'] = array(
    'type' => 'int',
    'size' => 'tiny',
    'not null' => TRUE,
    'default' => '0',
  );
  $schema['ldapauth']['fields']['ldapgroups_dn_attribute'] = array(
    'type' => 'varchar',
    'length' => 255,
  );
  $schema['ldapauth']['fields']['ldapgroups_attr'] = array(
    'type' => 'varchar',
    'length' => 255,
  );
  $schema['ldapauth']['fields']['ldapgroups_in_attr'] = array(
    'type' => 'int',
    'size' => 'tiny',
    'not null' => TRUE,
    'default' => '0',
  );
  $schema['ldapauth']['fields']['ldapgroups_as_entries'] = array(
    'type' => 'int',
    'size' => 'tiny',
    'not null' => TRUE,
    'default' => '0',
  );
  $schema['ldapauth']['fields']['ldapgroups_entries'] = array(
    'type' => 'text',
  );
  $schema['ldapauth']['fields']['ldapgroups_entries_attribute'] = array(
    'type' => 'varchar',
    'length' => 255,
  );
  $schema['ldapauth']['fields']['ldapgroups_mappings'] = array(
    'type' => 'text',
    'not null' => FALSE,
  );
  $schema['ldapauth']['fields']['ldapgroups_mappings_filter'] = array(
    'type' => 'int',
    'size' => 'tiny',
    'not null' => TRUE,
    'default' => '0',
  );
  $schema['ldapauth']['fields']['ldapgroups_filter_php'] = array(
    'type' => 'text',
    'not null' => FALSE,
  );
  $schema['ldapauth']['fields']['ldapgroups_groups'] = array(
    'type' => 'text',
    'not null' => FALSE,
  );
}

/**
 * Implementation of hook_ldap_user_deny_alter.
 *
 * User denied if server access limited by group(s) and user is not in one.
 */
function ldapgroups_ldap_user_deny_alter(&$denied, $ldap, $name, $dn, $account) {
  module_load_include('inc', 'ldapgroups', 'ldapgroups');
  $sid = $ldap
    ->getOption('sid');
  $groups_allowed = _ldapgroups_ldap_info($sid, 'ldapgroups_groups');
  if (!ldapgroups_is_configured($sid) || empty($groups_allowed)) {
    return;

    // Nothing to do here.
  }
  $user_groups = ldapgroups_groups_load($ldap, $dn, $name);
  if ($user_groups === FALSE) {

    // Problem getting groups!
    $denied = TRUE;
    ldapauth_debug_msg(t("groups_deny: User, @name, denied because ldapgroups module is configured but the user's groups load failed", array(
      '@name' => $name,
    )));
    return;
  }
  $access_rules = ldapgroups_access_rules($ldap
    ->getOption('sid'));
  $allowed = FALSE;
  foreach ($access_rules as $rule) {
    $type = $rule[0];
    $rule_group = drupal_strtoupper($rule[1]);

    // See if the rule group matches the user.
    $matched = FALSE;
    switch ($rule_group) {
      case LDAPGROUPS_GROUP_ALL:
        $matched = TRUE;
        break;
      case LDAPGROUPS_GROUP_EXISTING:
        if ($account->ldap_authentified) {
          $matched = TRUE;
        }
        break;
      default:
        foreach ($user_groups as $group) {
          if (drupal_strtoupper($group) == $rule_group) {
            $matched = TRUE;
            break;
          }
        }
    }

    // Rule matched, apply action.
    if ($matched) {

      // Handle the match results according to rule type.
      switch ($type) {
        case LDAPGROUPS_RULE_TYPE_ALLOW:
          $allowed = TRUE;
          break;
        case LDAPGROUPS_RULE_TYPE_ALLOW_X:
          return;

        // Found Allowed exit rule - hook says do nothing
        case LDAPGROUPS_RULE_TYPE_DENY:
          $allowed = FALSE;
          break;
        case LDAPGROUPS_RULE_TYPE_DENY_X:
          ldapauth_debug_msg(t("groups_deny: User, @name, denied by DENY_X group access rule.", array(
            '@name' => $name,
          )));
          $denied = TRUE;

          // Found DENIED exit rule, deny and exit.
          return;
          break;
        default:
          drupal_set_message(t("Invalid rule type, @type, found in ldapgroups access rules for server, @server!", array(
            '@type' => $type,
            '@server' => $ldap
              ->getOption('name'),
          )));
      }
    }
  }
  if (!$allowed) {
    ldapauth_debug_msg(t("groups_deny: User, @name, denied by group access rules.", array(
      '@name' => $name,
    )));
    $denied = TRUE;
  }
}

/**
 * Implementation of hook_ldap_convert_to_local_alter().
 *
 * Remove ldap_drupal_roles property when user is convert back to a local user.
 *
 * @param Array $data
 * @param User $account
 */
function ldapgroups_ldap_convert_to_local_alter(&$data, $account) {
  $data['ldap_drupal_roles'] = NULL;
}