Merge branch 'master' into dist/envole/6/master

This commit is contained in:
Arnaud Fornerot 2021-01-08 14:55:28 +01:00
commit d69e869c10
6 changed files with 124 additions and 66 deletions

View File

@ -86,16 +86,16 @@
<variable type='oui/non' name='ninegate_ssosynchrogroup' description="Générer automatiquement les groupes en fonction d'un attribut SSO"><value>oui</value></variable>
<variable type='string' name='ninegate_ssoreqgroup' description="Attribut SSO associé à la notion de groupe" mandatory='True'><value>user_groups</value></variable>
<variable type='oui/non' name='ninegate_ssosynchroitem' description="Associer automatiquement les items en fonction d'un attribut SSO"><value>non</value></variable>
<variable type='string' name='ninegate_ssoreqitem' description="Attribut SSO associé à la notion d'item" mandatory='True'><value></value></variable>
<variable type='oui/non' name='ninegate_syncldap' description="Synchroniser Ninegate vers votre Annuaire CadolesLDAP"><value>non</value></variable>
<variable type='string' name='ninegate_ldaptemplate' description="Modèle d'annuaire"><value>scribe</value></variable>
<variable type='oui/non' name='ninegate_scribegroup' description="Considérer les classes/options comme des groupes de travail"><value>oui</value></variable>
<variable type='string' name='ninegate_scribemaster' description="Placer les professeurs comme manager des groupes classes/options"><value>oui</value></variable>
<variable type='oui/non' name='ninegate_scribemaster' description="Placer les professeurs comme manager des groupes classes/options"><value>oui</value></variable>
<variable type='string' name='ninegate_openldapreqniveau01' description="Lors de l'initalisation de Ninegate requete LDAP utilisateur de votre premier Niveau01" mandatory='True'><value>(uid=*)</value></variable>
<variable type='oui/non' name='ninegate_openldapsynchrogroup' description="Générer automatiquement les groupes en fonction de votre annuaire"><value>oui</value></variable>
<variable type='string' name='ninegate_openldapreqgroup' description="Générer automatiquement les groupes en fonction de votre annuaire" mandatory='True'><value>(objectClass=posixGroup)</value></variable>
<variable type='string' name='ninegate_openldapsubbranchgroup' description="Rechercher les groupes dans la sous-branche" mandatory='False' />
<variable type='string' name='ninegate_openldapsubbranchuser' description="Rechercher les utilisateurs dans la sous-branche" mandatory='False' />
<variable type='string' name='ninegate_pwdadmin' description="Mot de passe du compte admin durant l'instance (idem valeur Cadoles ldap)" mandatory='True'><value></value></variable>
<variable type='string' name='ninegate_organization' description="Nom de l'organisation principale (idem valeur Cadoles ldap)" mandatory='True'><value></value></variable>
@ -433,8 +433,6 @@
<target type='variable'>ninegate_ssosynchrogroup</target>
<target type='variable'>ninegate_ssoreqgroup</target>
<target type='variable'>ninegate_ssosynchroitem</target>
<target type='variable'>ninegate_ssoreqitem</target>
<target type='variable'>ninegate_syncldap</target>
<target type='variable'>ninegate_ldaptemplate</target>
@ -443,7 +441,9 @@
<target type='variable'>ninegate_openldapreqniveau01</target>
<target type='variable'>ninegate_openldapsynchrogroup</target>
<target type='variable'>ninegate_openldapreqgroup</target>
<target type='variable'>ninegate_openldapsubbranchgroup</target>
<target type='variable'>ninegate_openldapsubbranchuser</target>
<target type='variable'>ninegate_pwdadmin</target>
<target type='variable'>ninegate_organization</target>
<target type='variable'>ninegate_niveau01branche</target>
@ -528,8 +528,6 @@
<target type='variable'>ninegate_ssosynchrogroup</target>
<target type='variable'>ninegate_ssoreqgroup</target>
<target type='variable'>ninegate_ssosynchroitem</target>
<target type='variable'>ninegate_ssoreqitem</target>
</condition>
<condition name='hidden_if_in' source='ninegate_syncldap'>
@ -597,13 +595,6 @@
<target type='variable'>ninegate_ssoreqgroup</target>
</condition>
<!-- AFFICHAGE EN FONCTION DE SSO SYNCHRO ITEM -->
<condition name='hidden_if_in' source='ninegate_ssosynchroitem'>
<param>non</param>
<target type='variable'>ninegate_ssoreqitem</target>
</condition>
<!-- AFFICHAGE EN FONCTION DE CADOLESLDAP -->
<fill name='calc_val' target='ninegate_pwdadmin'>
<param type='eole' hidden='False'>cadolesldap_pwdadmin</param>
@ -648,6 +639,8 @@
<target type='variable'>ninegate_openldapreqniveau01</target>
<target type='variable'>ninegate_openldapsynchrogroup</target>
<target type='variable'>ninegate_openldapreqgroup</target>
<target type='variable'>ninegate_openldapsubbranchgroup</target>
<target type='variable'>ninegate_openldapsubbranchuser</target>
</condition>
<!-- AFFICHAGE EN FONCTION DU LDAP SYNCHRO GROUP -->

View File

@ -0,0 +1,20 @@
<?xml version="1.0" encoding="utf-8"?>
<creole>
<variables>
<family name='annuaire'>
<variable type='string' name='ldap_writer' description="Utilisateur d'écriture des comptes LDAP" exists='False'>
cn=admin,o=gouv,c=fr
</variable>
</family>
</variables>
<constraints>
<fill name='concat' target='ldap_writer'>
<param>cn=admin,</param>
<param type='eole'>ldap_base_dn</param>
</fill>
</constraints>
<help>
</help>
</creole>

View File

@ -36,6 +36,8 @@ class SynchroCommand extends Command
private $rootlog;
private $ldap;
private $ldap_basedn;
private $ldap_baseuser;
private $ldap_basegroup;
protected function configure()
{
@ -94,18 +96,23 @@ class SynchroCommand extends Command
$this->writeln('=====================================================');
$this->ldap_basedn = $this->container->getParameter('ldap_basedn');
$ldap_template = $this->container->getParameter('ldap_template');
$ldap_username = $this->container->getParameter('ldap_username');
$ldap_firstname = $this->container->getParameter('ldap_firstname');
$ldap_lastname = $this->container->getParameter('ldap_lastname');
$ldap_email = $this->container->getParameter('ldap_email');
$ldap_usersadmin = $this->container->getParameter('ldap_usersadmin');
$scribe_group = $this->container->getParameter('scribe_group');
$scribe_master = $this->container->getParameter('scribe_master');
$fieldstoread = array($ldap_username,$ldap_firstname,$ldap_lastname,$ldap_email);
$ldapusers = array();
$ldapmails = array();
$this->ldap_basedn = $this->container->getParameter('ldap_basedn');
$this->ldap_baseuser = $this->container->getParameter('ldap_baseuser');
$this->ldap_basegroup = $this->container->getParameter('ldap_basegroup');
$ldap_username = strtolower($this->container->getParameter('ldap_username'));
$ldap_firstname = strtolower($this->container->getParameter('ldap_firstname'));
$ldap_lastname = strtolower($this->container->getParameter('ldap_lastname'));
$ldap_email = strtolower($this->container->getParameter('ldap_email'));
$ldap_member = strtolower($this->container->getParameter('ldap_member'));
$scribe_group = strtolower($this->container->getParameter('scribe_group'));
$ldap_template = $this->container->getParameter('ldap_template');
$ldap_usersadmin = $this->container->getParameter('ldap_usersadmin');
$scribe_master = strtolower($this->container->getParameter('scribe_master'));
$fieldstoread = array($ldap_username,$ldap_firstname,$ldap_lastname,$ldap_email);
$ldapusers = array();
$ldapmails = array();
if($ldap_template=="scribe") {
$this->writeln('');
@ -179,7 +186,7 @@ class SynchroCommand extends Command
$this->writeln('');
$this->writeln('== GROUPES ==========================================');
$results = $this->ldap->search($this->container->getParameter('openldapreqgroup'), ['cn','description','gidNumber'], $this->ldap_basedn);
$results = $this->ldap->search($this->container->getParameter('openldapreqgroup'), ['cn','description','gidNumber'], $this->ldap_basegroup);
foreach($results as $result) {
$cn=$result["cn"];
$ldapfilter="(&".$this->container->getParameter('openldapreqgroup')."(cn=$cn))";
@ -209,7 +216,7 @@ class SynchroCommand extends Command
// On execute le filtre d'appartenance à ce niveau
$this->writeln("== Récupération des utilisateurs de l'annuaire");
$niveau01=$this->em->getRepository('CadolesCoreBundle:Niveau01')->find($data["id"]);
$results = $this->ldap->search($niveau01->getLdapfilter(), $fieldstoread, $this->ldap_basedn);
$results = $this->ldap->search($niveau01->getLdapfilter(), $fieldstoread, $this->ldap_baseuser);
$nbuserstotal=count($results);
// Pour chaque utilisateur ldap
@ -229,6 +236,7 @@ class SynchroCommand extends Command
$result[$ldap_username]=utf8_encode($result[$ldap_username]);
if(!isset($result[$ldap_lastname])) $result[$ldap_lastname] = "";
if(!isset($result[$ldap_firstname])) $result[$ldap_firstname] = "";
if(!array_key_exists($ldap_email,$result)) {
$this->writelnred(" - Création dans Bundle impossible >> ".$result[$ldap_username]." sans email");
continue;
@ -306,18 +314,29 @@ class SynchroCommand extends Command
$this->writeln('== '.$group->getLabel());
if(!is_null($ldapfilter)) {
$results = $this->ldap->search($ldapfilter,[$ldap_username,"memberuid"] , $this->ldap_basedn);
$results = $this->ldap->search($ldapfilter,[$ldap_username,$ldap_member] , $this->ldap_basedn);
foreach($results as $result) {
if(isset($result["memberuid"])) {
if(isset($result[$ldap_member])) {
// Si memberid est un tableau il y a plusieur user dedans
if(is_array($result["memberuid"])) {
foreach($result["memberuid"] as $key => $value) {
if(is_array($result[$ldap_member])) {
foreach($result[$ldap_member] as $key => $value) {
if(is_int($key)) {
$user=$this->em->getRepository('CadolesCoreBundle:User')->findOneBy(array('username' => $value));
$username=$value;
// si le username forme un DN, il faut récupérer juste la première entrée
$tmp=explode(",",$username);
if(is_array($tmp)&&count($tmp)>1) {
$tmp=explode("=",$tmp[0]);
$username=$tmp[1];
}
$user=$this->em->getRepository('CadolesCoreBundle:User')->findOneBy(array('username' => $username));
if($user) {
array_push($ldapusersgroup,$value);
$this->writeln(" - Rattacher >> ".$value);
array_push($ldapusersgroup,$username);
$this->writeln(" - Rattacher >> ".$username);
if(!$simulate) $this->addtoGroup($user,$group);
}
}
@ -325,10 +344,19 @@ class SynchroCommand extends Command
}
// sinon m'a qu'un seul uid
else {
$user=$this->em->getRepository('CadolesCoreBundle:User')->findOneBy(array('username' => $result["memberuid"]));
$username=$result[$ldap_member];
// si le username forme un DN, il faut récupérer juste la première entrée
$tmp=explode(",",$username);
if(is_array($tmp)&&count($tmp)>1) {
$tmp=explode("=",$tmp[0]);
$username=$tmp[1];
}
$user=$this->em->getRepository('CadolesCoreBundle:User')->findOneBy(array('username' => $username));
if($user) {
array_push($ldapusersgroup,$result["memberuid"]);
$this->writeln(" - Rattacher >> ".$result["memberuid"]);
array_push($ldapusersgroup,$username);
$this->writeln(" - Rattacher >> ".$username);
if(!$simulate) $this->addtoGroup($user,$group);
}
}

View File

@ -106,6 +106,7 @@ services:
arguments:
- %ldap_host%
- %ldap_port%
- %ldap_tls%
calls:
- [setUser, ["%ldap_user%"]]
- [setPassword, ["%ldap_password%"]]

View File

@ -13,6 +13,7 @@ class ldapService
protected $host;
protected $port;
protected $tls;
protected $baseDN;
protected $baseUser;
protected $baseNiveau01;
@ -24,10 +25,11 @@ class ldapService
private $connection = null;
private $ldapSync = false;
public function __construct($host, $port)
public function __construct($host, $port, $tls)
{
$this->host = $host;
$this->port = $port;
$this->tls = $tls;
}
public function isEnabled() {
@ -39,8 +41,11 @@ class ldapService
return $this->connection;
} else {
$ldapConn = ldap_connect($this->host, $this->port);
if($ldapConn){
ldap_set_option($ldapConn, LDAP_OPT_PROTOCOL_VERSION, 3);
if($this->tls) ldap_start_tls($ldapConn);
if(ldap_bind( $ldapConn, $this->user, $this->password)){
$this->connection = $ldapConn;
return $this->connection;

View File

@ -1,8 +1,5 @@
# This file is auto-generated during the composer install
parameters:
# Certaines trace seront visible via un passage à true de fgdebug
fgdebug: false
# Determine qui est le maitre de l'identitité = SQL / LDAP / SSO
# Si SQL cela veut dire que c'est l'applicatif qui gère les utilisateurs
# Sinon la source est externe soit via un annuaire soit via des attributs venant d'un SSO
@ -118,16 +115,25 @@ parameters:
%end if
# Information de base de l'annuaire
ldap_host: %%adresse_ip_ldap
ldap_host: ldap://%%adresse_ip_ldap
ldap_port: %%ldap_port
%if %%getVar("ldap_tls","non") == "oui"
ldap_tls: true
%else
ldap_tls: false
%end if
%if %%getVar("activer_admin_passfile", 'non') == "oui"
%if %%getVar("ldap_writer", '') == ""
ldap_user: cn=admin,o=gouv,c=fr
%else
ldap_user: %%ldap_writer
%end if
ldap_password: %%pwdreader("",%%ldap_admin_passfile)
%else
ldap_user: %%ldap_reader
ldap_password: %%pwdreader("",%%ldap_reader_passfile)
%end if
ldap_basedn: o=gouv,c=fr
ldap_basedn: %%ldap_base_dn
# Mise en page
weburl: %%web_url
@ -162,15 +168,28 @@ parameters:
%end if
%if %%getVar("ninegate_test_conf_ldap", 'non') == "oui"
ldap_baseuser: ou=users,ou=%%ninegate_organization,o=gouv,c=fr
ldap_baseniveau01: ou=%%ninegate_niveau01branche,ou=%%ninegate_organization,o=gouv,c=fr
ldap_baseniveau02: ou=%%ninegate_niveau02branche,ou=%%ninegate_organization,o=gouv,c=fr
ldap_basegroup: ou=groups,ou=%%ninegate_organization,o=gouv,c=fr
ldap_baseuser: ou=users,ou=%%ninegate_organization,%%ldap_base_dn
ldap_baseniveau01: ou=%%ninegate_niveau01branche,ou=%%ninegate_organization,%%ldap_base_dn
ldap_baseniveau02: ou=%%ninegate_niveau02branche,ou=%%ninegate_organization,%%ldap_base_dn
ldap_basegroup: ou=groups,ou=%%ninegate_organization,%%ldap_base_dn
%else if %%getVar("ninegate_ldaptemplate", 'open') == "open"
%if not %%is_empty(%%ninegate_openldapsubbranchuser)
ldap_baseuser: %%ninegate_openldapsubbranchuser
%else
ldap_baseuser: %%ldap_base_dn
%end if
ldap_baseniveau01: %%ldap_base_dn
ldap_baseniveau02: %%ldap_base_dn
%if not %%is_empty(%%ninegate_openldapsubbranchgroup)
ldap_basegroup: %%ninegate_openldapsubbranchgroup
%else
ldap_basegroup: %%ldap_base_dn
%end if
%else
ldap_baseuser:
ldap_baseniveau01:
ldap_baseniveau02:
ldap_basegroup:
ldap_baseuser: %%ldap_base_dn
ldap_baseniveau01: %%ldap_base_dn
ldap_baseniveau02: %%ldap_base_dn
ldap_basegroup: %%ldap_base_dn
%end if
# Si masteridentity est à LDAP = quel est le modele d'organisation
@ -183,10 +202,11 @@ parameters:
%end if
# Si masteridentity est à LDAP = quel champs sont à récupérer = faudrait templetiser dans genconfig
ldap_username: uid
ldap_username: %%ldap_match_attribute
ldap_firstname: givenname
ldap_lastname: sn
ldap_email: mail
ldap_email: %%ldap_fill_mail
ldap_member: %%ldap_member_group_attribute
%if %%getVar("activer_addadmin", 'non') == "oui"
ldap_usersadmin: [admin,%%uid_addadmin]
%else
@ -472,7 +492,7 @@ parameters:
# Si mode_auth = CAS
cas_host: %%eolesso_adresse
cas_path: %%getVar("eolesso_cas_folder", '')
cas_path: %%eolesso_cas_folder
cas_port: %%eolesso_port
# Si mode_aut = SAML
@ -495,18 +515,10 @@ parameters:
ssosynchrogroup: true
user_attr_cas_group: %%ninegate_ssoreqgroup
%else
ssosynchrogroup: false
ssosynchrogroup: fase
user_attr_cas_group:
%end if
%if %%getVar("ninegate_ssosynchroitem", 'non') == "oui"
ssosynchroitem: true
user_attr_cas_item: %%ninegate_ssoreqitem
%else
ssosynchroitem: false
user_attr_cas_item:
%end if
%if %%is_defined("ninegate_smtpport")
mailer_port: '%%ninegate_smtpport'
mailer_encryption: %%ninegate_smtpencryption
@ -542,7 +554,6 @@ doctrine:
CadolesCronBundle: ~
CadolesPortalBundle: ~
CadolesWebsocketBundle: ~
CadolesEdispatcherBundle: ~