This manual is deprecated. Please visit https://groupoffice.readthedocs.io for the latest documentation. |
Difference between revisions of "Synchronize LDAP users"
(→Extending the synchronization) |
(7 intermediate revisions by the same user not shown) | |||
Line 1: | Line 1: | ||
− | Group-Office comes with an LDAP user sync script. It uses the same configuration as the [[ | + | Group-Office comes with an LDAP user sync script. It uses the same configuration as the [[IMAP_or_LDAP_authentication|LDAP authentication module]]. So this module must be installed and working. |
You can run the synchronization on the command line like this: | You can run the synchronization on the command line like this: | ||
Line 7: | Line 7: | ||
* --delete=1 means it will delete users when they are not found on the LDAP server. | * --delete=1 means it will delete users when they are not found on the LDAP server. | ||
− | * --max_delete_percentage=5 is a safety | + | * --max_delete_percentage=5 is a safety threshold. It will abort deletion if the percentage to delete is greater than this value. |
+ | * --dry=1 will enable a dry run without doing anything. Extended code below will NOT be executed. | ||
− | == | + | =Group synchronization= |
+ | You can also synchronize LDAP groups. The script assumes the LDAP groups have a "cn" attribute with the group name and "memberuid" contain the member usernames. | ||
+ | |||
+ | Add this entry to config.php and adjust it to your LDAP database: | ||
+ | <pre> | ||
+ | $config["ldap_groupsdn"]='ou=groups,dc=example,dc=com'; | ||
+ | </pre> | ||
+ | |||
+ | You can run the synchronization on the command line like this: | ||
+ | <pre> | ||
+ | sudo -u www-data php groupofficecli.php -r=ldapauth/sync/groups --delete=1 --max_delete_percentage=5 | ||
+ | </pre> | ||
+ | |||
+ | * --delete=1 means it will delete groups when they are not found on the LDAP server (Except for the default "Admins", "Everyone" and "Internal" group). | ||
+ | * --max_delete_percentage=5 is a safety threshold. It will abort deletion if the percentage to delete is greater than this value. | ||
+ | * --dry=1 will enable a dry run without doing anything. Extended code below will NOT be executed. | ||
+ | |||
+ | =Extending the synchronization= | ||
If you would like to do some special actions when syncing, you can extend the functionality with a custom module. In this example we check if particular LDAP attribute is set. If it's not set then we delete all user data. If it is set then we check that the user is correctly configured. | If you would like to do some special actions when syncing, you can extend the functionality with a custom module. In this example we check if particular LDAP attribute is set. If it's not set then we delete all user data. If it is set then we check that the user is correctly configured. | ||
Line 23: | Line 41: | ||
$syncController = new GO_Ldapauth_Controller_Sync(); | $syncController = new GO_Ldapauth_Controller_Sync(); | ||
$syncController->addListener('ldapsyncuser', "GO_Ldapsync_LdapsyncModule", "syncUser"); | $syncController->addListener('ldapsyncuser', "GO_Ldapsync_LdapsyncModule", "syncUser"); | ||
+ | $syncController->addListener('ldapsyncgroup', "GO_Ldapsync_LdapsyncModule", "syncGroup"); | ||
} | } | ||
Line 34: | Line 53: | ||
$serviceAttribute = "ServiceAgreement"; | $serviceAttribute = "ServiceAgreement"; | ||
+ | |||
+ | //value is an array or null if it's not set | ||
$serviceValues = $record->{$serviceAttribute}; | $serviceValues = $record->{$serviceAttribute}; | ||
+ | if(!isset($serviceValues)) | ||
+ | $serviceValues=array(); | ||
− | if($user->id!=1 && | + | if($user->id!=1 && !in_array("groupware",$serviceValues)){ |
− | echo 'No service agreement. Removing data for: ' . $user->username . " ".$serviceAttribute.": ".$ | + | echo 'No service agreement. Removing data for: ' . $user->username . " ".$serviceAttribute.": ".implode(",",$serviceValues) ."\n"; |
+ | echo "Deleting calendars\n"; | ||
$stmt = GO_Calendar_Model_Calendar::model()->findByAttribute("user_id", $user->id); | $stmt = GO_Calendar_Model_Calendar::model()->findByAttribute("user_id", $user->id); | ||
$stmt->callOnEach("delete"); | $stmt->callOnEach("delete"); | ||
− | $stmt = | + | echo "Deleting tasklists\n"; |
+ | $stmt = GO_Tasks_Model_Tasklist::model()->findByAttribute("user_id", $user->id); | ||
+ | $stmt->callOnEach("delete"); | ||
+ | |||
+ | echo "Deleting categories\n"; | ||
+ | $stmt = GO_Notes_Model_Category::model()->findByAttribute("user_id", $user->id); | ||
$stmt->callOnEach("delete"); | $stmt->callOnEach("delete"); | ||
+ | echo "Deleting files\n"; | ||
$folder = GO_Files_Model_Folder::model()->findHomeFolder($user); | $folder = GO_Files_Model_Folder::model()->findHomeFolder($user); | ||
$stmt = $folder->folders; | $stmt = $folder->folders; | ||
Line 52: | Line 82: | ||
$stmt->callOnEach("delete"); | $stmt->callOnEach("delete"); | ||
+ | echo "Done\n\n"; | ||
}else | }else | ||
Line 58: | Line 89: | ||
$user->checkDefaultModels(); | $user->checkDefaultModels(); | ||
} | } | ||
+ | } | ||
+ | |||
+ | /** | ||
+ | * This function will be called for each group that has been found in LDAP. | ||
+ | * | ||
+ | * @param GO_Base_Model_Group $group | ||
+ | * @param GO_Base_Ldap_Record $record | ||
+ | */ | ||
+ | public static function syncGroup(GO_Base_Model_Group $group, GO_Base_Ldap_Record $record) { | ||
+ | |||
} | } | ||
Line 64: | Line 105: | ||
Now install the module and reload Group-Office to activate the listener. | Now install the module and reload Group-Office to activate the listener. | ||
+ | |||
+ | <b>Note:</b> The extended code is not executed with the --dry option enabled. |
Latest revision as of 11:06, 5 June 2013
Group-Office comes with an LDAP user sync script. It uses the same configuration as the LDAP authentication module. So this module must be installed and working.
You can run the synchronization on the command line like this:
sudo -u www-data php groupofficecli.php -r=ldapauth/sync/users --delete=1 --max_delete_percentage=5
- --delete=1 means it will delete users when they are not found on the LDAP server.
- --max_delete_percentage=5 is a safety threshold. It will abort deletion if the percentage to delete is greater than this value.
- --dry=1 will enable a dry run without doing anything. Extended code below will NOT be executed.
Group synchronization
You can also synchronize LDAP groups. The script assumes the LDAP groups have a "cn" attribute with the group name and a "memberuid" attribute that contains the member usernames.
Add this entry to config.php and adjust it to your LDAP database:
$config["ldap_groupsdn"]='ou=groups,dc=example,dc=com';
You can run the synchronization on the command line like this:
sudo -u www-data php groupofficecli.php -r=ldapauth/sync/groups --delete=1 --max_delete_percentage=5
- --delete=1 means it will delete groups when they are not found on the LDAP server (except for the default "Admins", "Everyone" and "Internal" groups).
- --max_delete_percentage=5 is a safety threshold. It will abort deletion if the percentage to delete is greater than this value.
- --dry=1 will enable a dry run without doing anything. Extended code below will NOT be executed.
Extending the synchronization
If you would like to do some special actions when syncing, you can extend the functionality with a custom module. In this example we check if a particular LDAP attribute is set. If it's not set then we delete all user data. If it is set then we check that the user is correctly configured.
Create the folder modules/ldapsync and the file modules/ldapsync/LdapsyncModule.php:
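<?php

/**
 * Example module that hooks into the LDAP user/group synchronization.
 *
 * initListeners() attaches syncUser() and syncGroup() to the 'ldapsyncuser'
 * and 'ldapsyncgroup' events of GO_Ldapauth_Controller_Sync. The sync script
 * does not invoke these listeners when it is run with --dry=1.
 */
class GO_Ldapsync_LdapsyncModule extends GO_Base_Module
{
    /**
     * Attach the two listeners to the default LDAP sync script events.
     */
    public static function initListeners()
    {
        $syncController = new GO_Ldapauth_Controller_Sync();
        $syncController->addListener('ldapsyncuser', "GO_Ldapsync_LdapsyncModule", "syncUser");
        $syncController->addListener('ldapsyncgroup', "GO_Ldapsync_LdapsyncModule", "syncGroup");
    }

    /**
     * Called for each user that has been found in LDAP.
     *
     * When the "ServiceAgreement" attribute of the LDAP record does not contain
     * the value "groupware", all calendars, tasklists, note categories, folders
     * and files owned by the user are deleted. This is destructive and cannot be
     * undone, so the check below is deliberately strict. Otherwise the presence
     * of the user's default models is verified.
     *
     * @param GO_Base_Model_User $user
     * @param GO_Base_Ldap_Record $record
     */
    public static function syncUser(GO_Base_Model_User $user, GO_Base_Ldap_Record $record)
    {
        $serviceAttribute = "ServiceAgreement";

        // The attribute value is an array, or null when it is not set. The cast
        // maps null to an empty array (and a single scalar to a one-element
        // array), so the in_array() check below always receives an array.
        $serviceValues = (array) $record->{$serviceAttribute};

        // User id 1 is never wiped (presumably the built-in administrator; confirm
        // against the installation). Strict comparison: only the exact string
        // "groupware" counts as an accepted service agreement.
        if ($user->id != 1 && !in_array("groupware", $serviceValues, true)) {
            echo 'No service agreement. Removing data for: ' . $user->username . " " . $serviceAttribute . ": " . implode(",", $serviceValues) . "\n";

            echo "Deleting calendars\n";
            $stmt = GO_Calendar_Model_Calendar::model()->findByAttribute("user_id", $user->id);
            $stmt->callOnEach("delete");

            echo "Deleting tasklists\n";
            $stmt = GO_Tasks_Model_Tasklist::model()->findByAttribute("user_id", $user->id);
            $stmt->callOnEach("delete");

            echo "Deleting categories\n";
            $stmt = GO_Notes_Model_Category::model()->findByAttribute("user_id", $user->id);
            $stmt->callOnEach("delete");

            // Remove the contents of the user's home folder: sub-folders first, then files.
            echo "Deleting files\n";
            $folder = GO_Files_Model_Folder::model()->findHomeFolder($user);
            $stmt = $folder->folders;
            $stmt->callOnEach("delete");
            $stmt = $folder->files;
            $stmt->callOnEach("delete");

            echo "Done\n\n";
        } else {
            echo "Service agreement accepted by " . $user->username . ". Checking presence of default models like calendar, tasklists etc.\n";
            $user->checkDefaultModels();
        }
    }

    /**
     * Called for each group that has been found in LDAP.
     *
     * Intentionally empty in this example; add group-specific handling here.
     *
     * @param GO_Base_Model_Group $group
     * @param GO_Base_Ldap_Record $record
     */
    public static function syncGroup(GO_Base_Model_Group $group, GO_Base_Ldap_Record $record)
    {
    }
}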
Now install the module and reload Group-Office to activate the listener.
Note: The extended code is not executed with the --dry option enabled.