From f6810523d4e48549a309e2142cf9b939b6540da3 Mon Sep 17 00:00:00 2001
From: Simon Leary
Date: Fri, 6 Jun 2025 11:50:47 -0400
Subject: [PATCH 1/7] add functions to build cache properly
---
 workers/update-ldap-cache.php | 75 +++++++++++++++++++++--------------
 1 file changed, 45 insertions(+), 30 deletions(-)
diff --git a/workers/update-ldap-cache.php b/workers/update-ldap-cache.php
index a62b19f..ab7e55a 100755
--- a/workers/update-ldap-cache.php
+++ b/workers/update-ldap-cache.php
@@ -14,24 +14,50 @@
 use UnityWebPortal\lib\UnityWebhook;
 use PHPOpenLDAPer\LDAPEntry;
-// in PHP LDAP all attributes are arrays, we need these as strings instead
-// it's possible but probably difficult to find this out using LDAP schema information
-$user_string_attributes = [
- "gidnumber",
- "givenname",
- "homedirectory",
- "loginshell",
- "mail",
- "o",
- "sn",
- "uid",
- "uidnumber",
- "gecos",
-];
+function process_user_attribute_key($x)
+{
+ if ($x == "givenname") {
+ return "firstname";
+ }
+ if ($x == "sn") {
+ return "lastname";
+ }
+ if ($x == "o") {
+ return "org";
+ }
+ return $x;
+}
+
+function process_user_attribute_value($x)
+{
+ if (in_array(
+ $x,
+ [
+ "gidnumber",
+ "givenname",
+ "homedirectory",
+ "loginshell",
+ "mail",
+ "o",
+ "sn",
+ "uid",
+ "uidnumber",
+ "gecos",
+ ]
+ )
+ ) {
+ return $x[0];
+ }
+ return $x;
+}
-$pi_group_string_attributes = [
- "gidnumber",
-];
+function process_group_attribute_value($x)
+{
+ if ($x == "gidnumber") {
+ return $x[0];
+ }
+ return $x;
+}
 $options = getopt("fuh", ["help"]);
 if (array_key_exists("h", $options) or array_key_exists("help", $options)) {
@@ -62,11 +88,7 @@
 foreach ($users as $user) {
 $cn = $user->getAttribute("cn")[0];
 foreach ($user->getAttributes() as $key => $val) {
- if (in_array($key, $user_string_attributes)) {
- $REDIS->setCache($cn, $key, $val[0]);
- } else {
- $REDIS->setCache($cn, $key, $val);
- }
+ $REDIS->setCache($cn, process_user_attribute_key($key), process_user_attribute_value($val));
 }
 }
@@ -98,14 +120,7 @@
 $user_pi_group_member_of[$uid] = [];
 }
 foreach ($pi_groups as $pi_group) {
- if (array_key_exists("memberuid", $pi_group)) {
- $REDIS->setCache($pi_group["cn"][0], "members", $pi_group["memberuid"]);
- foreach ($pi_group["memberuid"] as $member_uid) {
- array_push($user_pi_group_member_of[$member_uid], $pi_group["cn"][0]);
- }
- } else {
- $REDIS->setCache($pi_group["cn"][0], "members", []);
- }
+ $REDIS->setCache($pi_group["cn"][0], $key, process_group_attribute_value($val));
 }
 foreach ($user_pi_group_member_of as $uid => $pi_groups) {
 // FIXME should be pi_groups
From 26ce09a85a10f7e9e6a37d0e9ea243b81e3cd01d Mon Sep 17 00:00:00 2001
From: Simon Leary
Date: Fri, 6 Jun 2025 12:10:36 -0400
Subject: [PATCH 2/7] pretty
---
 workers/update-ldap-cache.php | 63 +++++++----------------------------
 1 file changed, 12 insertions(+), 51 deletions(-)
diff --git a/workers/update-ldap-cache.php b/workers/update-ldap-cache.php
index ab7e55a..12cd7fd 100755
--- a/workers/update-ldap-cache.php
+++ b/workers/update-ldap-cache.php
@@ -14,51 +14,6 @@
 use UnityWebPortal\lib\UnityWebhook;
 use PHPOpenLDAPer\LDAPEntry;
-function process_user_attribute_key($x)
-{
- if ($x == "givenname") {
- return "firstname";
- }
- if ($x == "sn") {
- return "lastname";
- }
- if ($x == "o") {
- return "org";
- }
- return $x;
-}
-
-function process_user_attribute_value($x)
-{
- if (in_array(
- $x,
- [
- "gidnumber",
- "givenname",
- "homedirectory",
- "loginshell",
- "mail",
- "o",
- "sn",
- "uid",
- "uidnumber",
- "gecos",
- ]
- )
- ) {
- return $x[0];
- }
- return $x;
-}
-
-function process_group_attribute_value($x)
-{
- if ($x == "gidnumber") {
- return $x[0];
- }
- return $x;
-}
-
 $options = getopt("fuh", ["help"]);
 if (array_key_exists("h", $options) or array_key_exists("help", $options)) {
 echo "arguments:
@@ -86,10 +41,14 @@ function process_group_attribute_value($x)
 sort($user_CNs);
 $REDIS->setCache("sorted_users", "", $user_CNs);
 foreach ($users as $user) {
- $cn = $user->getAttribute("cn")[0];
- foreach ($user->getAttributes() as $key => $val) {
- $REDIS->setCache($cn, process_user_attribute_key($key), process_user_attribute_value($val));
- }
+ $uid = $user->getAttribute("cn")[0];
+ $REDIS->setCache($uid, "firstname", $user->getAttribute("givenname")[0]);
+ $REDIS->setCache($uid, "lastname", $user->getAttribute("sn")[0]);
+ $REDIS->setCache($uid, "org", $user->getAttribute("o")[0]);
+ $REDIS->setCache($uid, "mail", $user->getAttribute("mail")[0]);
+ $REDIS->setCache($uid, "sshkeys", $user->getAttribute("sshpublickey"));
+ $REDIS->setCache($uid, "loginshell", $user->getAttribute("loginshell")[0]);
+ $REDIS->setCache($uid, "homedir", $user->getAttribute("homedirectory")[0]);
 }
 $org_group_ou = new LDAPEntry($LDAP->getConn(), $CONFIG["ldap"]["orggroup_ou"]);
@@ -102,7 +61,8 @@ function process_group_attribute_value($x)
 sort($org_group_CNs);
 $REDIS->setCache("sorted_orgs", "", $org_group_CNs);
 foreach ($org_groups as $org_group) {
- $REDIS->setCache($org_group->getAttribute("cn")[0], "members", $org_group->getAttribute("memberuid"));
+ $gid = $org_group->getAttribute("cn")[0];
+ $REDIS->setCache($gid, "members", $org_group->getAttribute("memberuid"));
 }
 $pi_group_ou = new LDAPEntry($LDAP->getConn(), $CONFIG["ldap"]["pigroup_ou"]);
@@ -120,7 +80,8 @@ function process_group_attribute_value($x)
 $user_pi_group_member_of[$uid] = [];
 }
 foreach ($pi_groups as $pi_group) {
- $REDIS->setCache($pi_group["cn"][0], $key, process_group_attribute_value($val));
+ $gid = $pi_group->getAttribute("cn")[0];
+ $REDIS->setCache($gid, "members", $pi_group->getAttribute("memberuid"));
 }
 foreach ($user_pi_group_member_of as $uid => $pi_groups) {
 // FIXME should be pi_groups
From a0e69825933057569fdc6f26487214a855977e2b Mon Sep 17 00:00:00 2001
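Review bot: Every `$user->getAttribute(...)[0]` in the new user loop assumes the attribute exists on the entry; if `getAttribute` returns an empty array for a missing `givenname`, `o` or `mail` (its behaviour for absent attributes is not visible here — confirm against PHPOpenLDAPer), the `[0]` raises an undefined-key warning and `null` is cached for that field, indistinguishable downstream from a real value. A tiny closure makes the fallback explicit for the string-valued fields, e.g. `$first = fn (string $a): string => $user->getAttribute($a)[0] ?? "";` followed by `$REDIS->setCache($uid, "firstname", $first("givenname"));` for each of them. The `sshkeys` entry caches the raw attribute array, so it is worth a comment stating that consumers must expect a list that may be empty.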
From: Simon Leary
Date: Fri, 6 Jun 2025 12:55:14 -0400
Subject: [PATCH 3/7] fix update-ldap-cache.php
---
 workers/update-ldap-cache.php | 33 +++++++++++++++++++--------------
 1 file changed, 19 insertions(+), 14 deletions(-)
diff --git a/workers/update-ldap-cache.php b/workers/update-ldap-cache.php
index 12cd7fd..a0a4696 100755
--- a/workers/update-ldap-cache.php
+++ b/workers/update-ldap-cache.php
@@ -32,16 +32,20 @@
 echo " use -f argument to flush cache, or -u argument to update without flush.\n";
 } else {
 echo "updating cache...\n";
- echo "waiting for LDAP response (users)...\n";
- $users = $LDAP->search("objectClass=posixAccount", $CONFIG["ldap"]["basedn"]);
- echo "response received.\n";
- // phpcs:disable
- $user_CNs = array_map(function ($x){return $x->getAttribute("cn")[0];}, $users);
- // phpcs:enable
+
+ $user_CNs = $LDAP->getUserGroup()->getAttribute("memberuid");
 sort($user_CNs);
 $REDIS->setCache("sorted_users", "", $user_CNs);
+
+ // search entire tree, some users created for admin purposes might not be in the normal OU
 echo "waiting for LDAP search (users)...\n";
 $users = $LDAP->search("objectClass=posixAccount", $CONFIG["ldap"]["basedn"]);
 echo "response received.\n";
 foreach ($users as $user) {
 $uid = $user->getAttribute("cn")[0];
+ if (!in_array($uid, $user_CNs)) {
+ continue;
+ }
 $REDIS->setCache($uid, "firstname", $user->getAttribute("givenname")[0]);
 $REDIS->setCache($uid, "lastname", $user->getAttribute("sn")[0]);
 $REDIS->setCache($uid, "org", $user->getAttribute("o")[0]);
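Review bot: The new membership filter `if (!in_array($uid, $user_CNs))` is a loose comparison executed once per posixAccount found under the whole basedn, so it is O(users²) and subject to PHP's loose string/number equality; build `$wanted = array_flip($user_CNs);` once after the sort and test `if (!isset($wanted[$uid])) { continue; }`, which is both O(1) and strict. Because the search deliberately spans the entire tree while the cache is keyed by `cn`, two entries sharing a cn (the admin-purpose accounts the comment mentions are the likely case) would overwrite each other's cached fields with no indication; tracking the cns already cached and printing a warning on a repeat would make that visible. Note also that `$uid` is taken from `cn` while the allow-list comes from `memberuid` values — correct only if the directory keeps the two identical, which deserves a comment such as `// cn doubles as the login name here; memberuid values must match it`.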
@@ -52,21 +56,21 @@
 }
 $org_group_ou = new LDAPEntry($LDAP->getConn(), $CONFIG["ldap"]["orggroup_ou"]);
- echo "waiting for LDAP response (org_groups)...\n";
- $org_groups = $LDAP->search("objectClass=posixGroup", $CONFIG["ldap"]["basedn"]);
+ echo "waiting for LDAP search (org groups)...\n";
+ $org_groups = $org_group_ou->getChildrenArray(true);
 echo "response received.\n";
 // phpcs:disable
- $org_group_CNs = array_map(function($x){return $x->getAttribute("cn")[0];}, $org_groups);
+ $org_group_CNs = array_map(function($x){return $x["cn"][0];}, $org_groups);
 // phpcs:enable
 sort($org_group_CNs);
 $REDIS->setCache("sorted_orgs", "", $org_group_CNs);
 foreach ($org_groups as $org_group) {
- $gid = $org_group->getAttribute("cn")[0];
- $REDIS->setCache($gid, "members", $org_group->getAttribute("memberuid"));
+ $gid = $org_group["cn"][0];
+ $REDIS->setCache($gid, "members", (@$org_group["memberuid"] ?? []));
 }
 $pi_group_ou = new LDAPEntry($LDAP->getConn(), $CONFIG["ldap"]["pigroup_ou"]);
- echo "waiting for LDAP response (pi_groups)...\n";
+ echo "waiting for LDAP search (pi groups)...\n";
 $pi_groups = $pi_group_ou->getChildrenArray(true);
 echo "response received.\n";
 // phpcs:disable
@@ -75,13 +79,14 @@
 sort($pi_group_CNs);
 // FIXME should be sorted_pi_groups
 $REDIS->setCache("sorted_groups", "", $pi_group_CNs);
+ $user_pi_group_member_of = [];
 foreach ($user_CNs as $uid) {
 $user_pi_group_member_of[$uid] = [];
 }
 foreach ($pi_groups as $pi_group) {
- $gid = $pi_group->getAttribute("cn")[0];
- $REDIS->setCache($gid, "members", $pi_group->getAttribute("memberuid"));
+ $gid = $pi_group["cn"][0];
+ $REDIS->setCache($gid, "members", (@$pi_group["memberuid"] ?? []));
 }
 foreach ($user_pi_group_member_of as $uid => $pi_groups) {
 // FIXME should be pi_groups
From bed26c9fc071ff3d38e1669a33541dd064fe5b72 Mon Sep 17 00:00:00 2001
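Review bot: `(@$org_group["memberuid"] ?? [])` applies the `@` operator to an expression that cannot warn — `??` already yields the fallback for a missing key without a notice — so the only effect of `@` is to hide any other diagnostic raised while evaluating the operand; write it as `$REDIS->setCache($gid, "members", $org_group["memberuid"] ?? []);` (the pi-group line in the next hunk has the same pattern). Replacing the basedn-wide `objectClass=posixGroup` search with `getChildrenArray(true)` on the org OU also changes which entries populate `sorted_orgs`; presumably `true` means recursive, but a short comment at the call site saying what the flag selects would spare the next reader a trip into PHPOpenLDAPer.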
From: Simon Leary
Date: Fri, 6 Jun 2025 12:56:31 -0400
Subject: [PATCH 4/7] rearrange
---
 workers/update-ldap-cache.php | 7 +++----
 1 file changed, 3 insertions(+), 4 deletions(-)
diff --git a/workers/update-ldap-cache.php b/workers/update-ldap-cache.php
index a0a4696..99d4d53 100755
--- a/workers/update-ldap-cache.php
+++ b/workers/update-ldap-cache.php
@@ -33,14 +33,13 @@
 } else {
 echo "updating cache...\n";
- $user_CNs = $LDAP->getUserGroup()->getAttribute("memberuid");
- sort($user_CNs);
- $REDIS->setCache("sorted_users", "", $user_CNs);
- // search entire tree, some users created for admin purposes might not be in the normal OU
 echo "waiting for LDAP search (users)...\n";
 $users = $LDAP->search("objectClass=posixAccount", $CONFIG["ldap"]["basedn"]);
 echo "response received.\n";
+ $user_CNs = $LDAP->getUserGroup()->getAttribute("memberuid");
+ sort($user_CNs);
+ $REDIS->setCache("sorted_users", "", $user_CNs);
 foreach ($users as $user) {
 $uid = $user->getAttribute("cn")[0];
 if (!in_array($uid, $user_CNs)) {
From da9828fe38d9b4bd0b26241efe3c422741e914ee Mon Sep 17 00:00:00 2001
From: Simon Leary
Date: Fri, 6 Jun 2025 13:20:01 -0400
Subject: [PATCH 5/7] fix user groups list
---
 workers/update-ldap-cache.php | 5 +++++
 1 file changed, 5 insertions(+)
diff --git a/workers/update-ldap-cache.php b/workers/update-ldap-cache.php
index 99d4d53..9938745 100755
--- a/workers/update-ldap-cache.php
+++ b/workers/update-ldap-cache.php
@@ -88,6 +88,11 @@
 $REDIS->setCache($gid, "members", (@$pi_group["memberuid"] ?? []));
 }
 foreach ($user_pi_group_member_of as $uid => $pi_groups) {
+ $gid = $pi_group["cn"][0];
+ $members = (@$pi_group["memberuid"] ?? []);
+ foreach ($members as $uid) {
+ array_push($user_pi_group_member_of[$uid], $gid);
+ }
 // FIXME should be pi_groups
 $REDIS->setCache($uid, "groups", $pi_groups);
 }
From eb20959d081b68db659adec4180ebf4246ba8ee9 Mon Sep 17 00:00:00 2001
From: Simon Leary
Date: Fri, 6 Jun 2025 13:20:30 -0400
Subject: [PATCH 6/7] oops
---
 workers/update-ldap-cache.php | 7 +++----
 1 file changed, 3 insertions(+), 4 deletions(-)
diff --git a/workers/update-ldap-cache.php b/workers/update-ldap-cache.php
index 9938745..905e77e 100755
--- a/workers/update-ldap-cache.php
+++ b/workers/update-ldap-cache.php
@@ -84,15 +84,14 @@
 $user_pi_group_member_of[$uid] = [];
 }
 foreach ($pi_groups as $pi_group) {
- $gid = $pi_group["cn"][0];
- $REDIS->setCache($gid, "members", (@$pi_group["memberuid"] ?? []));
- }
- foreach ($user_pi_group_member_of as $uid => $pi_groups) {
 $gid = $pi_group["cn"][0];
 $members = (@$pi_group["memberuid"] ?? []);
 foreach ($members as $uid) {
 array_push($user_pi_group_member_of[$uid], $gid);
 }
+ $REDIS->setCache($gid, "members", (@$pi_group["memberuid"] ?? []));
+ }
+ foreach ($user_pi_group_member_of as $uid => $pi_groups) {
 // FIXME should be pi_groups
 $REDIS->setCache($uid, "groups", $pi_groups);
 }
From 871900b8365655600a66cc5d148f83d39debe7fe Mon Sep 17 00:00:00 2001
From: Simon Leary
Date: Fri, 6 Jun 2025 13:23:48 -0400
Subject: [PATCH 7/7] edge case
---
 workers/update-ldap-cache.php | 6 +++++-
 1 file changed, 5 insertions(+), 1 deletion(-)
diff --git a/workers/update-ldap-cache.php b/workers/update-ldap-cache.php
index 905e77e..4b2a0ed 100755
--- a/workers/update-ldap-cache.php
+++ b/workers/update-ldap-cache.php
@@ -87,7 +87,11 @@
 $gid = $pi_group["cn"][0];
 $members = (@$pi_group["memberuid"] ?? []);
 foreach ($members as $uid) {
- array_push($user_pi_group_member_of[$uid], $gid);
+ if (in_array($uid, $user_CNs)) {
+ array_push($user_pi_group_member_of[$uid], $gid);
+ } else {
+ echo "warning: group '$gid' has member '$uid' who is not in the users group!\n";
+ }
 }
 $REDIS->setCache($gid, "members", (@$pi_group["memberuid"] ?? []));
 }
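Review bot: The re-added `foreach ($user_pi_group_member_of as $uid => $pi_groups)` reuses `$pi_groups` as its loop value, and until that line the variable holds the LDAP result from `getChildrenArray`, so after the loop it silently contains the last user's group list instead; anything further down that still reads `$pi_groups` would get the wrong data. Rename the loop value, `foreach ($user_pi_group_member_of as $uid => $member_of) {` with `$REDIS->setCache($uid, "groups", $member_of);`, so the shadowing cannot bite. The re-added setCache line also recomputes `(@$pi_group["memberuid"] ?? [])` although `$members` already holds exactly that value; `$REDIS->setCache($gid, "members", $members);` says the same thing without the redundant `@`.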
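Review bot: The uid that fails the `in_array($uid, $user_CNs)` check is dropped only from the reverse map; the `$REDIS->setCache($gid, "members", ...)` line two lines below still publishes the full `memberuid` list, so for exactly the case the warning flags the cached group→members and user→groups views disagree, and a consumer that authorizes from `members` would accept a principal that `sorted_users` does not know. If that asymmetry is intended (say, service accounts that sit in PI groups but not in the users group), a comment on the setCache line saying so is enough; otherwise collect the recognized uids while iterating and cache those, as sketched below. `in_array` should also pass `true` so a numeric-looking uid is not loosely matched, and the warning belongs on STDERR rather than interleaved with the progress output. The enclosing `foreach ($pi_groups as $pi_group)` starts outside this hunk.
```php
$known_members = [];
foreach ($members as $uid) {
    if (in_array($uid, $user_CNs, true)) {
        array_push($user_pi_group_member_of[$uid], $gid);
        $known_members[] = $uid;
    } else {
        fwrite(STDERR, "warning: group '$gid' has member '$uid' who is not in the users group!\n");
    }
}
$REDIS->setCache($gid, "members", $known_members);
```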