diff --git a/dicos/91_ninegate.xml b/dicos/91_ninegate.xml
index 8219b059..63ef8fc3 100644
--- a/dicos/91_ninegate.xml
+++ b/dicos/91_ninegate.xml
@@ -86,16 +86,16 @@
oui
user_groups
- non
-
non
scribe
oui
- oui
+ oui
(uid=*)
oui
(objectClass=posixGroup)
+
+
@@ -433,8 +433,6 @@
ninegate_ssosynchrogroup
ninegate_ssoreqgroup
- ninegate_ssosynchroitem
- ninegate_ssoreqitem
ninegate_syncldap
ninegate_ldaptemplate
@@ -443,7 +441,9 @@
ninegate_openldapreqniveau01
ninegate_openldapsynchrogroup
ninegate_openldapreqgroup
-
+ ninegate_openldapsubbranchgroup
+ ninegate_openldapsubbranchuser
+
ninegate_pwdadmin
ninegate_organization
ninegate_niveau01branche
@@ -528,8 +528,6 @@
ninegate_ssosynchrogroup
ninegate_ssoreqgroup
- ninegate_ssosynchroitem
- ninegate_ssoreqitem
@@ -597,13 +595,6 @@
ninegate_ssoreqgroup
-
-
- non
-
- ninegate_ssoreqitem
-
-
cadolesldap_pwdadmin
@@ -648,6 +639,8 @@
ninegate_openldapreqniveau01
ninegate_openldapsynchrogroup
ninegate_openldapreqgroup
+ ninegate_openldapsubbranchgroup
+ ninegate_openldapsubbranchuser
diff --git a/dicos/91_ninegate_annuaire.xml b/dicos/91_ninegate_annuaire.xml
new file mode 100644
index 00000000..db061041
--- /dev/null
+++ b/dicos/91_ninegate_annuaire.xml
@@ -0,0 +1,20 @@
+
+
+
+
+
+ cn=admin,o=gouv,c=fr
+
+
+
+
+
+
+ cn=admin,
+ ldap_base_dn
+
+
+
+
+
+
diff --git a/src/ninegate-1.0/src/Cadoles/CoreBundle/Command/SynchroCommand.php b/src/ninegate-1.0/src/Cadoles/CoreBundle/Command/SynchroCommand.php
index c2dc6d8f..55de0b47 100644
--- a/src/ninegate-1.0/src/Cadoles/CoreBundle/Command/SynchroCommand.php
+++ b/src/ninegate-1.0/src/Cadoles/CoreBundle/Command/SynchroCommand.php
@@ -36,6 +36,8 @@ class SynchroCommand extends Command
private $rootlog;
private $ldap;
private $ldap_basedn;
+ private $ldap_baseuser;
+ private $ldap_basegroup;
protected function configure()
{
@@ -94,18 +96,23 @@ class SynchroCommand extends Command
$this->writeln('=====================================================');
- $this->ldap_basedn = $this->container->getParameter('ldap_basedn');
- $ldap_template = $this->container->getParameter('ldap_template');
- $ldap_username = $this->container->getParameter('ldap_username');
- $ldap_firstname = $this->container->getParameter('ldap_firstname');
- $ldap_lastname = $this->container->getParameter('ldap_lastname');
- $ldap_email = $this->container->getParameter('ldap_email');
- $ldap_usersadmin = $this->container->getParameter('ldap_usersadmin');
- $scribe_group = $this->container->getParameter('scribe_group');
- $scribe_master = $this->container->getParameter('scribe_master');
- $fieldstoread = array($ldap_username,$ldap_firstname,$ldap_lastname,$ldap_email);
- $ldapusers = array();
- $ldapmails = array();
+ $this->ldap_basedn = $this->container->getParameter('ldap_basedn');
+ $this->ldap_baseuser = $this->container->getParameter('ldap_baseuser');
+ $this->ldap_basegroup = $this->container->getParameter('ldap_basegroup');
+
+ $ldap_username = strtolower($this->container->getParameter('ldap_username'));
+ $ldap_firstname = strtolower($this->container->getParameter('ldap_firstname'));
+ $ldap_lastname = strtolower($this->container->getParameter('ldap_lastname'));
+ $ldap_email = strtolower($this->container->getParameter('ldap_email'));
+ $ldap_member = strtolower($this->container->getParameter('ldap_member'));
+ $scribe_group = strtolower($this->container->getParameter('scribe_group'));
+
+ $ldap_template = $this->container->getParameter('ldap_template');
+ $ldap_usersadmin = $this->container->getParameter('ldap_usersadmin');
+ $scribe_master = strtolower($this->container->getParameter('scribe_master'));
+ $fieldstoread = array($ldap_username,$ldap_firstname,$ldap_lastname,$ldap_email);
+ $ldapusers = array();
+ $ldapmails = array();
if($ldap_template=="scribe") {
$this->writeln('');
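Review bot: The attribute names read on the lines from `$ldap_username` through `$scribe_group` are lowercased without any comment saying why, and the reason is not visible in the hunk; later code indexes search results with these names (`$result[$ldap_member]`), so this only works if the ldap service returns result arrays keyed by lowercase attribute names. That assumption is worth pinning at the first `strtolower` line: `// attribute names are lowercased: search() results are expected to be keyed by lowercase attribute name — confirm in ldapService`. It would also clarify whether `$scribe_master` is an attribute name or a value, since it is the only lowercased parameter in the second group. The enclosing method starts and ends outside the hunk.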
@@ -179,7 +186,7 @@ class SynchroCommand extends Command
$this->writeln('');
$this->writeln('== GROUPES ==========================================');
- $results = $this->ldap->search($this->container->getParameter('openldapreqgroup'), ['cn','description','gidNumber'], $this->ldap_basedn);
+ $results = $this->ldap->search($this->container->getParameter('openldapreqgroup'), ['cn','description','gidNumber'], $this->ldap_basegroup);
foreach($results as $result) {
$cn=$result["cn"];
$ldapfilter="(&".$this->container->getParameter('openldapreqgroup')."(cn=$cn))";
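Review bot: The group search on the changed line now reads `$this->ldap_basegroup`, but the per-group filter built on the following line still interpolates the raw `cn` taken from the result into an LDAP filter, so a cn containing `(`, `)`, `*` or `\` yields a malformed or over-broad filter. Since the value is re-used as filter input it should be escaped: `$ldapfilter="(&".$this->container->getParameter('openldapreqgroup')."(cn=".ldap_escape($cn, '', LDAP_ESCAPE_FILTER)."))";`. The enclosing method starts and ends outside the hunk.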
@@ -209,7 +216,7 @@ class SynchroCommand extends Command
// On execute le filtre d'appartenance à ce niveau
$this->writeln("== Récupération des utilisateurs de l'annuaire");
$niveau01=$this->em->getRepository('CadolesCoreBundle:Niveau01')->find($data["id"]);
- $results = $this->ldap->search($niveau01->getLdapfilter(), $fieldstoread, $this->ldap_basedn);
+ $results = $this->ldap->search($niveau01->getLdapfilter(), $fieldstoread, $this->ldap_baseuser);
$nbuserstotal=count($results);
// Pour chaque utilisateur ldap
@@ -229,6 +236,7 @@ class SynchroCommand extends Command
$result[$ldap_username]=utf8_encode($result[$ldap_username]);
if(!isset($result[$ldap_lastname])) $result[$ldap_lastname] = "";
if(!isset($result[$ldap_firstname])) $result[$ldap_firstname] = "";
+
if(!array_key_exists($ldap_email,$result)) {
$this->writelnred(" - Création dans Bundle impossible >> ".$result[$ldap_username]." sans email");
continue;
@@ -306,18 +314,29 @@ class SynchroCommand extends Command
$this->writeln('== '.$group->getLabel());
if(!is_null($ldapfilter)) {
- $results = $this->ldap->search($ldapfilter,[$ldap_username,"memberuid"] , $this->ldap_basedn);
+ $results = $this->ldap->search($ldapfilter,[$ldap_username,$ldap_member] , $this->ldap_basedn);
foreach($results as $result) {
- if(isset($result["memberuid"])) {
+
+
+ if(isset($result[$ldap_member])) {
// Si memberid est un tableau il y a plusieur user dedans
- if(is_array($result["memberuid"])) {
- foreach($result["memberuid"] as $key => $value) {
+ if(is_array($result[$ldap_member])) {
+ foreach($result[$ldap_member] as $key => $value) {
if(is_int($key)) {
- $user=$this->em->getRepository('CadolesCoreBundle:User')->findOneBy(array('username' => $value));
+ $username=$value;
+
+ // si le username forme un DN, il faut récupérer juste la première entrée
+ $tmp=explode(",",$username);
+ if(is_array($tmp)&&count($tmp)>1) {
+ $tmp=explode("=",$tmp[0]);
+ $username=$tmp[1];
+ }
+
+ $user=$this->em->getRepository('CadolesCoreBundle:User')->findOneBy(array('username' => $username));
if($user) {
- array_push($ldapusersgroup,$value);
- $this->writeln(" - Rattacher >> ".$value);
+ array_push($ldapusersgroup,$username);
+ $this->writeln(" - Rattacher >> ".$username);
if(!$simulate) $this->addtoGroup($user,$group);
}
}
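Review bot: The DN-to-username reduction added after `$username=$value;` takes `$tmp[1]` without checking that the first RDN contained an `=`, and it never checks that the RDN attribute is the configured username attribute, so a member DN such as `cn=Some Name,ou=...` is looked up (and may match) as username `Some Name`; it also splits on a bare comma, which breaks on an escaped `\,` inside an RDN value. The same block is duplicated in the next hunk (`$username=$result[$ldap_member];`), so both are better served by one private helper built on `ldap_explode_dn()` that rejects malformed or mismatched RDNs, as sketched below; the `is_array($tmp)` test is also always true because `explode()` with a non-empty delimiter always returns an array. Separately, the membership search on the first changed line still passes `$this->ldap_basedn` while the group listing in the earlier hunk now uses `$this->ldap_basegroup`; if that difference is intentional a comment should say so. The enclosing method starts and ends outside the hunk.
```php
$username = $this->memberToUsername($value, $ldap_username);
if ($username === null) {
    $this->writelnred(" - Rattacher impossible >> ".$value." (RDN inattendu)");
    continue;
}
// … unchanged: user lookup, array_push and addtoGroup …

/**
 * Reduce a group member value to a username.
 *
 * A bare value (no DN syntax) is returned unchanged. A DN is reduced to the
 * value of its first RDN, but only when that RDN uses the configured username
 * attribute; otherwise null is returned so the caller skips the entry instead
 * of matching an unrelated user.
 */
private function memberToUsername($member, $ldap_username)
{
    $rdns = ldap_explode_dn($member, 0);
    if ($rdns === false || $rdns['count'] === 0) {
        return $member; // not a DN: already a plain username
    }
    // NOTE(review): ldap_explode_dn() hex-escapes non-ASCII bytes in values;
    // decode here if usernames may contain them.
    $parts = explode('=', $rdns[0], 2);
    if (count($parts) !== 2 || strtolower($parts[0]) !== $ldap_username) {
        return null;
    }
    return $parts[1];
}
```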
@@ -325,10 +344,19 @@ class SynchroCommand extends Command
}
// sinon m'a qu'un seul uid
else {
- $user=$this->em->getRepository('CadolesCoreBundle:User')->findOneBy(array('username' => $result["memberuid"]));
+ $username=$result[$ldap_member];
+
+ // si le username forme un DN, il faut récupérer juste la première entrée
+ $tmp=explode(",",$username);
+ if(is_array($tmp)&&count($tmp)>1) {
+ $tmp=explode("=",$tmp[0]);
+ $username=$tmp[1];
+ }
+
+ $user=$this->em->getRepository('CadolesCoreBundle:User')->findOneBy(array('username' => $username));
if($user) {
- array_push($ldapusersgroup,$result["memberuid"]);
- $this->writeln(" - Rattacher >> ".$result["memberuid"]);
+ array_push($ldapusersgroup,$username);
+ $this->writeln(" - Rattacher >> ".$username);
if(!$simulate) $this->addtoGroup($user,$group);
}
}
diff --git a/src/ninegate-1.0/src/Cadoles/CoreBundle/Resources/config/services.yml b/src/ninegate-1.0/src/Cadoles/CoreBundle/Resources/config/services.yml
index 5f3962d6..0b8f06fb 100644
--- a/src/ninegate-1.0/src/Cadoles/CoreBundle/Resources/config/services.yml
+++ b/src/ninegate-1.0/src/Cadoles/CoreBundle/Resources/config/services.yml
@@ -106,6 +106,7 @@ services:
arguments:
- %ldap_host%
- %ldap_port%
+ - %ldap_tls%
calls:
- [setUser, ["%ldap_user%"]]
- [setPassword, ["%ldap_password%"]]
diff --git a/src/ninegate-1.0/src/Cadoles/CoreBundle/Service/ldapService.php b/src/ninegate-1.0/src/Cadoles/CoreBundle/Service/ldapService.php
index 05079fe7..b61ea002 100644
--- a/src/ninegate-1.0/src/Cadoles/CoreBundle/Service/ldapService.php
+++ b/src/ninegate-1.0/src/Cadoles/CoreBundle/Service/ldapService.php
@@ -13,6 +13,7 @@ class ldapService
protected $host;
protected $port;
+ protected $tls;
protected $baseDN;
protected $baseUser;
protected $baseNiveau01;
@@ -24,10 +25,11 @@ class ldapService
private $connection = null;
private $ldapSync = false;
- public function __construct($host, $port)
+ public function __construct($host, $port, $tls)
{
$this->host = $host;
$this->port = $port;
+ $this->tls = $tls;
}
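Review bot: The new `$tls` parameter is stored as-is, so whatever type the container injects is later tested for truthiness; the template emits YAML booleans, but a string such as `"false"` or `"non"` would be truthy and silently enable StartTLS, while `"0"` would disable it. Normalising on assignment is cheap: `$this->tls = filter_var($tls, FILTER_VALIDATE_BOOLEAN);`. A short constructor docblock (`@param bool $tls issue StartTLS after connecting, before binding`) would also make the contract visible to whoever wires the service.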
public function isEnabled() {
@@ -39,8 +41,11 @@ class ldapService
return $this->connection;
} else {
$ldapConn = ldap_connect($this->host, $this->port);
+
if($ldapConn){
ldap_set_option($ldapConn, LDAP_OPT_PROTOCOL_VERSION, 3);
+ if($this->tls) ldap_start_tls($ldapConn);
+
if(ldap_bind( $ldapConn, $this->user, $this->password)){
$this->connection = $ldapConn;
return $this->connection;
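Review bot: The return value of `ldap_start_tls()` on the new line is ignored, so when TLS is enabled but the upgrade fails (certificate problem, server refusing the extended operation) the code falls through to `ldap_bind()` and sends the bind credentials in clear text, which is the opposite of what the `tls` flag asks for. The failure should abort before binding, e.g. `if ($this->tls && !ldap_start_tls($ldapConn)) { ldap_unbind($ldapConn); return null; }`, using the same not-connected value that `$connection` is initialised to; the bind-failure path further down is outside the hunk, so align the return with whatever it does. Logging `ldap_error($ldapConn)` at that point would make a misconfigured TLS setup visible instead of silent. The enclosing method starts and ends outside the hunk.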
diff --git a/tmpl/ninegate-template.yml b/tmpl/ninegate-template.yml
index 44feddfe..9e86cfed 100644
--- a/tmpl/ninegate-template.yml
+++ b/tmpl/ninegate-template.yml
@@ -1,8 +1,5 @@
# This file is auto-generated during the composer install
parameters:
- # Certaines trace seront visible via un passage à true de fgdebug
- fgdebug: false
-
# Determine qui est le maitre de l'identitité = SQL / LDAP / SSO
# Si SQL cela veut dire que c'est l'applicatif qui gère les utilisateurs
# Sinon la source est externe soit via un annuaire soit via des attributs venant d'un SSO
@@ -118,16 +115,25 @@ parameters:
%end if
# Information de base de l'annuaire
- ldap_host: %%adresse_ip_ldap
+ ldap_host: ldap://%%adresse_ip_ldap
ldap_port: %%ldap_port
+%if %%getVar("ldap_tls","non") == "oui"
+ ldap_tls: true
+%else
+ ldap_tls: false
+%end if
%if %%getVar("activer_admin_passfile", 'non') == "oui"
+ %if %%getVar("ldap_writer", '') == ""
ldap_user: cn=admin,o=gouv,c=fr
+ %else
+ ldap_user: %%ldap_writer
+ %end if
ldap_password: %%pwdreader("",%%ldap_admin_passfile)
%else
ldap_user: %%ldap_reader
ldap_password: %%pwdreader("",%%ldap_reader_passfile)
%end if
- ldap_basedn: o=gouv,c=fr
+ ldap_basedn: %%ldap_base_dn
# Mise en page
weburl: %%web_url
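Review bot: `ldap_host` now carries an `ldap://` scheme while `ldap_port` is still emitted separately; if the service passes both to `ldap_connect()` as the ldapService hunk in this commit shows, the port argument is ignored whenever the host is a URI, so a non-default `%%ldap_port` would silently stop taking effect. Either fold it into the URI, `ldap_host: ldap://%%adresse_ip_ldap:%%ldap_port`, or keep the bare host. Also, `ldap_tls: true` together with an `ldap://` URI means StartTLS rather than LDAPS; a one-line comment above the `%if` stating that would save the next reader a trip to the service code.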
@@ -162,15 +168,28 @@ parameters:
%end if
%if %%getVar("ninegate_test_conf_ldap", 'non') == "oui"
- ldap_baseuser: ou=users,ou=%%ninegate_organization,o=gouv,c=fr
- ldap_baseniveau01: ou=%%ninegate_niveau01branche,ou=%%ninegate_organization,o=gouv,c=fr
- ldap_baseniveau02: ou=%%ninegate_niveau02branche,ou=%%ninegate_organization,o=gouv,c=fr
- ldap_basegroup: ou=groups,ou=%%ninegate_organization,o=gouv,c=fr
+ ldap_baseuser: ou=users,ou=%%ninegate_organization,%%ldap_base_dn
+ ldap_baseniveau01: ou=%%ninegate_niveau01branche,ou=%%ninegate_organization,%%ldap_base_dn
+ ldap_baseniveau02: ou=%%ninegate_niveau02branche,ou=%%ninegate_organization,%%ldap_base_dn
+ ldap_basegroup: ou=groups,ou=%%ninegate_organization,%%ldap_base_dn
+%else if %%getVar("ninegate_ldaptemplate", 'open') == "open"
+ %if not %%is_empty(%%ninegate_openldapsubbranchuser)
+ ldap_baseuser: %%ninegate_openldapsubbranchuser
+ %else
+ ldap_baseuser: %%ldap_base_dn
+ %end if
+ ldap_baseniveau01: %%ldap_base_dn
+ ldap_baseniveau02: %%ldap_base_dn
+ %if not %%is_empty(%%ninegate_openldapsubbranchgroup)
+ ldap_basegroup: %%ninegate_openldapsubbranchgroup
+ %else
+ ldap_basegroup: %%ldap_base_dn
+ %end if
%else
- ldap_baseuser:
- ldap_baseniveau01:
- ldap_baseniveau02:
- ldap_basegroup:
+ ldap_baseuser: %%ldap_base_dn
+ ldap_baseniveau01: %%ldap_base_dn
+ ldap_baseniveau02: %%ldap_base_dn
+ ldap_basegroup: %%ldap_base_dn
%end if
# Si masteridentity est à LDAP = quel est le modele d'organisation
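Review bot: The new `%else if` branch tests `%%ninegate_openldapsubbranchuser` and `%%ninegate_openldapsubbranchgroup` directly inside `%%is_empty`, while every other condition in this file reads variables through `%%getVar(..., default)`; if either variable can be undefined on a host (the dico change in this commit adds them, but existing configurations may predate it), rendering would fail rather than fall back to `%%ldap_base_dn`. Using the same defensive form, `%if not %%is_empty(%%getVar("ninegate_openldapsubbranchuser", ""))`, keeps the fallback working.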
@@ -183,10 +202,11 @@ parameters:
%end if
# Si masteridentity est à LDAP = quel champs sont à récupérer = faudrait templetiser dans genconfig
- ldap_username: uid
+ ldap_username: %%ldap_match_attribute
ldap_firstname: givenname
ldap_lastname: sn
- ldap_email: mail
+ ldap_email: %%ldap_fill_mail
+ ldap_member: %%ldap_member_group_attribute
%if %%getVar("activer_addadmin", 'non') == "oui"
ldap_usersadmin: [admin,%%uid_addadmin]
%else
@@ -472,7 +492,7 @@ parameters:
# Si mode_auth = CAS
cas_host: %%eolesso_adresse
- cas_path: %%getVar("eolesso_cas_folder", '')
+ cas_path: %%eolesso_cas_folder
cas_port: %%eolesso_port
# Si mode_aut = SAML
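Review bot: `cas_path` drops the `%%getVar(..., '')` default the removed line had, so rendering now requires `eolesso_cas_folder` to be defined; on a host where that variable is absent or hidden, what used to be an empty value becomes a template error. Unless the variable is known to be always defined, keep `cas_path: %%getVar("eolesso_cas_folder", '')`.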
@@ -495,18 +515,10 @@ parameters:
ssosynchrogroup: true
user_attr_cas_group: %%ninegate_ssoreqgroup
%else
- ssosynchrogroup: false
+ ssosynchrogroup: fase
user_attr_cas_group:
%end if
-%if %%getVar("ninegate_ssosynchroitem", 'non') == "oui"
- ssosynchroitem: true
- user_attr_cas_item: %%ninegate_ssoreqitem
-%else
- ssosynchroitem: false
- user_attr_cas_item:
-%end if
-
%if %%is_defined("ninegate_smtpport")
mailer_port: '%%ninegate_smtpport'
mailer_encryption: %%ninegate_smtpencryption
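Review bot: `ssosynchrogroup: fase` on the changed line is a typo for `false`; as written YAML stores the string `fase`, which is truthy in PHP, so group synchronisation from the SSO would be enabled precisely in the branch meant to disable it. Restore `ssosynchrogroup: false`.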
@@ -542,7 +554,6 @@ doctrine:
CadolesCronBundle: ~
CadolesPortalBundle: ~
CadolesWebsocketBundle: ~
- CadolesEdispatcherBundle: ~
\ No newline at end of file