0011686: Editing Users / Sync with Active Directory doesn't work
authorPhilipp Schüle <p.schuele@metaways.de>
Wed, 30 Mar 2016 18:26:46 +0000 (20:26 +0200)
committerPhilipp Schüle <p.schuele@metaways.de>
Tue, 5 Apr 2016 13:57:13 +0000 (15:57 +0200)
* don't try to set cn when updating AD entries as
 this is only allowed via rename()
* fixes rename() case for AD groups by using configured groupsDN
* improves some variable names

https://forge.tine20.org/view.php?id=11686

Change-Id: If3cd22f5e7b25b37c50199a7bf542739cac289fa
Reviewed-on: http://gerrit.tine20.com/customers/2996
Reviewed-by: Philipp Schüle <p.schuele@metaways.de>
Tested-by: Philipp Schüle <p.schuele@metaways.de>
tine20/Addressbook/Setup/Initialize.php
tine20/Tinebase/Group/ActiveDirectory.php
tine20/Tinebase/User/ActiveDirectory.php

index 56f90ef..0f7c422 100644 (file)
@@ -37,14 +37,16 @@ class Addressbook_Setup_Initialize extends Setup_Initialize
         if (Tinebase_User::getInstance() instanceof Tinebase_User_Interface_SyncAble) {
             Tinebase_User::syncUsers(array('syncContactData' => TRUE));
         }
-        
+
+        $initialUserName = $initialAdminUserOptions['adminLoginName'];
+
         try {
-            $initialUser = Tinebase_User::getInstance()->getUserByProperty('accountLoginName', $initialAdminUserOptions['adminLoginName']);
+            $initialUser = Tinebase_User::getInstance()->getUserByProperty('accountLoginName', $initialUserName);
         } catch (Tinebase_Exception_NotFound $tenf) {
             if (Tinebase_Core::isLogLevel(Zend_Log::DEBUG)) Tinebase_Core::getLogger()->debug(__METHOD__ . '::' . __LINE__ . ' '
-                . ' Could not find initial admin account in user backend. Creating new one ...');
+                . ' Could not find initial admin account ' . $initialUserName . ' in user backend. Creating new one ...');
             Tinebase_User::createInitialAccounts($initialAdminUserOptions);
-            $initialUser = Tinebase_User::getInstance()->getUserByProperty('accountLoginName', $initialAdminUserOptions['adminLoginName']);
+            $initialUser = Tinebase_User::getInstance()->getUserByProperty('accountLoginName', $initialUserName);
         }
         
         Tinebase_Core::set(Tinebase_Core::USER, $initialUser);
index 55bd64e..87c420a 100644 (file)
@@ -120,9 +120,9 @@ class Tinebase_Group_ActiveDirectory extends Tinebase_Group_Ldap
         $this->_domainSidBinary = $this->_domainConfig['objectsid'][0];
         $this->_domainSidPlain  = Tinebase_Ldap::decodeSid($this->_domainConfig['objectsid'][0]);
         
-        $domanNameParts    = array();
-        Zend_Ldap_Dn::explodeDn($this->_domainConfig['distinguishedname'][0], $fooBar, $domanNameParts);
-        $this->_domainName = implode('.', $domanNameParts);
+        $domainNameParts    = array();
+        Zend_Ldap_Dn::explodeDn($this->_domainConfig['distinguishedname'][0], $unusedPart, $domainNameParts);
+        $this->_domainName = implode('.', $domainNameParts);
     }
     
     /**
@@ -315,14 +315,19 @@ class Tinebase_Group_ActiveDirectory extends Tinebase_Group_Ldap
             Tinebase_Core::getLogger()->debug(__METHOD__ . '::' . __LINE__ . '  $dn: ' . $dn);
         if (Tinebase_Core::isLogLevel(Zend_Log::TRACE))
             Tinebase_Core::getLogger()->trace(__METHOD__ . '::' . __LINE__ . '  $ldapData: ' . print_r($ldapData, true));
-        
-        $this->getLdap()->update($dn, $ldapData);
-        
-        $newDn = "cn={$ldapData['cn']},{$this->_options['baseDn']}";
+
+        // rename?
+        $newDn = "cn={$ldapData['cn']},{$this->_options['groupsDn']}";
         if ($newDn != $dn) {
             $this->_ldap->rename($dn, $newDn);
         }
-        
+
+        // remove cn as samba forbids updating this
+        // 0x43 (Operation not allowed on RDN; 00002016: Modify of RDN 'CN' on CN=...,CN=Users,DC=example,DC=org
+        // not permitted, must use 'rename' operation instead
+        unset($ldapData['cn']);
+
+        $this->getLdap()->update($dn, $ldapData);
         
         $group = $this->getGroupByIdFromSyncBackend($_group);
         
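Review bot: After the rename on line 69 the entry no longer exists at `$dn`, yet the update on line 78 still targets `$dn`, so any group whose cn changed will fail with a no-such-object error (the previous order, update then rename, did not have this problem); add `$dn = $newDn;` inside the rename branch, or pass `$newDn` to `update()`. The same ordering issue appears in the Tinebase_User_ActiveDirectory hunk, where `$this->_ldap->update($ldapEntry['dn'], $ldapData)` now runs after `$this->_ldap->rename($dn, $newDN)` — assign `$ldapEntry['dn'] = $newDN;` right after that rename. Separately, `$ldapData['cn']` is interpolated into the new DN unescaped on line 67, so a group name containing `,`, `+` or `=` produces a malformed or differently-placed DN; build it as `'cn=' . Zend_Ldap_Dn::escapeValue($ldapData['cn']) . ',' . $this->_options['groupsDn']`. The enclosing method starts and ends outside this hunk.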
index d1fa163..1e66c9b 100644 (file)
@@ -338,27 +338,32 @@ class Tinebase_User_ActiveDirectory extends Tinebase_User_Ldap
             $plugin->inspectUpdateUser($_account, $ldapData, $ldapEntry);
         }
 
-        // no need to update this attribute, it's not allowed to change and even might not be updateable
-        unset($ldapData[$this->_userUUIDAttribute]);
-
-        if (Tinebase_Core::isLogLevel(Zend_Log::DEBUG)) 
-            Tinebase_Core::getLogger()->debug(__METHOD__ . '::' . __LINE__ . '  $dn: ' . $ldapEntry['dn']);
-        if (Tinebase_Core::isLogLevel(Zend_Log::TRACE)) 
-            Tinebase_Core::getLogger()->trace(__METHOD__ . '::' . __LINE__ . '  $ldapData: ' . print_r($ldapData, true));
-
-        $this->_ldap->update($ldapEntry['dn'], $ldapData);
-        
+        // do we need to rename the entry?
+        // TODO move to rename()
         $dn = Zend_Ldap_Dn::factory($ldapEntry['dn'], null);
         $rdn = $dn->getRdn();
-        
-        // do we need to rename the entry?
         if ($rdn['CN'] != $ldapData['cn']) {
             $newDN = $this->_generateDn($_account);
-            if (Tinebase_Core::isLogLevel(Zend_Log::DEBUG)) 
+            if (Tinebase_Core::isLogLevel(Zend_Log::DEBUG))
                 Tinebase_Core::getLogger()->debug(__METHOD__ . '::' . __LINE__ . '  rename ldap entry to: ' . $newDN);
             $this->_ldap->rename($dn, $newDN);
         }
-        
+
+        // no need to update this attribute, it's not allowed to change and even might not be updateable
+        unset($ldapData[$this->_userUUIDAttribute]);
+
+        // remove cn as samba forbids updating the CN (even if it does not change...
+        // 0x43 (Operation not allowed on RDN; 00002016: Modify of RDN 'CN' on CN=...,CN=Users,DC=example,DC=org
+        // not permitted, must use 'rename' operation instead
+        unset($ldapData['cn']);
+
+        if (Tinebase_Core::isLogLevel(Zend_Log::DEBUG))
+            Tinebase_Core::getLogger()->debug(__METHOD__ . '::' . __LINE__ . '  $dn: ' . $ldapEntry['dn']);
+        if (Tinebase_Core::isLogLevel(Zend_Log::TRACE))
+            Tinebase_Core::getLogger()->trace(__METHOD__ . '::' . __LINE__ . '  $ldapData: ' . print_r($ldapData, true));
+
+        $this->_ldap->update($ldapEntry['dn'], $ldapData);
+
         // refetch user from ldap backend
         $user = $this->getUserByPropertyFromSyncBackend('accountId', $_account, 'Tinebase_Model_FullUser');
 
@@ -381,12 +386,11 @@ class Tinebase_User_ActiveDirectory extends Tinebase_User_Ldap
             case 'objectsid':
                 return Tinebase_Ldap::decodeSid($accountId);
                 break;
-                
+
             default:
                 return $accountId;
                 break;
         }
-        
     }
     
     /**
@@ -429,7 +433,7 @@ class Tinebase_User_ActiveDirectory extends Tinebase_User_Ldap
      * @param string $_accountClass
      * @return Tinebase_Record_Abstract
      */
-    protected function _ldap2User(array $_userData, $_accountClass)
+    protected function _ldap2User(array $_userData, $_accountClass = 'Tinebase_Model_FullUser')
     {
         $errors = false;
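Review bot: The new default value `'Tinebase_Model_FullUser'` for `$_accountClass` is not reflected in the docblock directly above it, which still reads `@param string $_accountClass`; update it to something like `@param string $_accountClass record class to instantiate (default: 'Tinebase_Model_FullUser')`. Adding a default keeps existing explicit call sites unchanged, but it is worth confirming the parent `Tinebase_User_Ldap::_ldap2User` signature stays compatible, which I cannot see from this hunk. The body of `_ldap2User` continues outside the hunk.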