Synchronize LDAP users

From Group-Office Groupware and CRM Documentation

Group-Office comes with an LDAP user sync script. It uses the same configuration as the LDAP authentication module. So this module must be installed and working.

You can run the synchronization on the command line like this:

sudo -u www-data php groupofficecli.php -r=ldapauth/sync/users --delete=1 --max_delete_percentage=5
  • --delete=1 means it will delete users when they are not found on the LDAP server.
  • --max_delete_percentage=5 is a safety threshold. It will abort deletion if the percentage to delete is greater than this value.
  • --dry=1 will enable a dry run without doing anything. Code from the "Extending the synchronization" section below will NOT be executed.

Group synchronization

You can also synchronize LDAP groups. The script assumes the LDAP groups have a "cn" attribute with the group name and a "memberuid" attribute containing the member usernames.

Add this entry to config.php and adjust it to your LDAP database:

$config["ldap_groupsdn"]='ou=groups,dc=example,dc=com';

You can run the synchronization on the command line like this:

sudo -u www-data php groupofficecli.php -r=ldapauth/sync/groups --delete=1 --max_delete_percentage=5
  • --delete=1 means it will delete groups when they are not found on the LDAP server (except for the default "Admins", "Everyone" and "Internal" groups).
  • --max_delete_percentage=5 is a safety threshold. It will abort deletion if the percentage to delete is greater than this value.
  • --dry=1 will enable a dry run without doing anything. Code from the "Extending the synchronization" section below will NOT be executed.
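A constructed LDAP group entry (not taken from the Group-Office documentation) that has the shape the group sync expects under the $config["ldap_groupsdn"] base: the group name in "cn" and one "memberUid" value per member username. The DN, group name, gidNumber and usernames are placeholders.

```ldif
# Constructed example entry, not from the Group-Office project.
# Lives under the configured groups base DN (ou=groups,dc=example,dc=com here).
dn: cn=sales,ou=groups,dc=example,dc=com
objectClass: top
objectClass: posixGroup
cn: sales
gidNumber: 10001
memberUid: alice
memberUid: bob
```

LDAP attribute names are matched case-insensitively, so "memberUid" (the canonical spelling in the posixGroup schema) and the "memberuid" written in the text above are the same attribute. The memberUid values must be the same usernames the user sync creates in Group-Office, otherwise the membership cannot be matched.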

Extending the synchronization

If you would like to do some special actions when syncing, you can extend the functionality with a custom module. In this example we check if a particular LDAP attribute is set. If it's not set then we delete all user data. If it is set then we check that the user is correctly configured.

Create the folder modules/ldapsync and the file modules/ldapsync/LdapsyncModule.php:

<?php

class GO_Ldapsync_LdapsyncModule extends GO_Base_Module {

	public static function initListeners() {
		
		//attach the function to the default LDAP sync script event
		$syncController = new GO_Ldapauth_Controller_Sync();
		$syncController->addListener('ldapsyncuser', "GO_Ldapsync_LdapsyncModule", "syncUser");
		$syncController->addListener('ldapsyncgroup', "GO_Ldapsync_LdapsyncModule", "syncGroup");
	}

	/**
	 * This function will be called for each user that has been found in LDAP.
	 * 
	 * @param GO_Base_Model_User $user
	 * @param GO_Base_Ldap_Record $record
	 */
	public static function syncUser(GO_Base_Model_User $user, GO_Base_Ldap_Record $record) {
		
		$serviceAttribute = "ServiceAgreement";

		//value is an array or null if it's not set
		$serviceValues = $record->{$serviceAttribute};
		if(!isset($serviceValues))
			$serviceValues=array();
		
		//never remove data of the built-in administrator (id 1)
		if($user->id!=1 && !in_array("groupware",$serviceValues)){
			echo 'No service agreement. Removing data for: ' . $user->username . " ".$serviceAttribute.": ".implode(",",$serviceValues) ."\n";
			
			echo "Deleting calendars\n";
			$stmt = GO_Calendar_Model_Calendar::model()->findByAttribute("user_id", $user->id);
			$stmt->callOnEach("delete");
			
			echo "Deleting tasklists\n";
			$stmt = GO_Tasks_Model_Tasklist::model()->findByAttribute("user_id", $user->id);
			$stmt->callOnEach("delete");
						
			echo "Deleting categories\n";
			$stmt = GO_Notes_Model_Category::model()->findByAttribute("user_id", $user->id);
			$stmt->callOnEach("delete");
			
			echo "Deleting files\n";
			$folder = GO_Files_Model_Folder::model()->findHomeFolder($user);
			$stmt = $folder->folders;
			$stmt->callOnEach("delete");
			
			$stmt = $folder->files;
			$stmt->callOnEach("delete");
			
			echo "Done\n\n";
			
		}else
		{
			echo "Service agreement accepted by ".$user->username.". Checking presence of default models like calendar, tasklists etc.\n";
			$user->checkDefaultModels();
		}
	}

	/**
	 * This function will be called for each group that has been found in LDAP.
	 * 
	 * @param GO_Base_Model_Group $group
	 * @param GO_Base_Ldap_Record $record
	 */
	public static function syncGroup(GO_Base_Model_Group $group, GO_Base_Ldap_Record $record) {
		//no group-specific actions in this example
	}

}
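The listener above removes a user's calendars, task lists, categories and files as soon as the attribute is missing, and the built-in --dry=1 flag does not reach listener code. If the attribute is unreadable because of a directory or ACL change, every user looks unentitled and the next sync run wipes everyone's data. The following variant, an added example that is not part of the Group-Office documentation or project, keeps the same decision but adds a dry-run switch and a per-run removal cap in the spirit of the script's own --max_delete_percentage threshold. It relies on the same Group-Office classes the page's listener uses; the environment variable name LDAPSYNC_DRY, the constant MAX_REMOVALS_PER_RUN and the helper hasGroupwareService() are this example's own conventions.

```php
<?php
// Added example, not code from the Group-Office project. Assumes the classes used on
// this page (GO_Base_Module, GO_Ldapauth_Controller_Sync, GO_Base_Model_User,
// GO_Base_Ldap_Record, the GO_*_Model_* finders and callOnEach()) behave as described.

class GO_Ldapsync_LdapsyncModule extends GO_Base_Module {

	// Hypothetical cap: once this many users in one run lack the attribute, stop removing
	// data. Many "missing" attributes usually mean a directory problem, not many cancellations.
	const MAX_REMOVALS_PER_RUN = 5;

	// Number of users whose data would be removed in the current run.
	private static $removals = 0;

	public static function initListeners() {
		$syncController = new GO_Ldapauth_Controller_Sync();
		$syncController->addListener('ldapsyncuser', "GO_Ldapsync_LdapsyncModule", "syncUser");
	}

	/**
	 * Decide whether the LDAP attribute values entitle the user to groupware data.
	 * Kept as a pure function so the decision can be reviewed and tested on its own.
	 *
	 * @param mixed $serviceValues array of attribute values, or null when the attribute is absent
	 * @return bool
	 */
	public static function hasGroupwareService($serviceValues) {
		if (!is_array($serviceValues)) {
			return false;
		}
		// LDAP attribute values are often not case-normalised, so compare case-insensitively.
		foreach ($serviceValues as $value) {
			if (strcasecmp(trim($value), 'groupware') === 0) {
				return true;
			}
		}
		return false;
	}

	public static function syncUser(GO_Base_Model_User $user, GO_Base_Ldap_Record $record) {
		$serviceAttribute = "ServiceAgreement";
		// Array of values, or null when the attribute is not set.
		$serviceValues = $record->{$serviceAttribute};

		// Never touch the built-in administrator (id 1); entitled users only get their defaults checked.
		if ($user->id == 1 || self::hasGroupwareService($serviceValues)) {
			$user->checkDefaultModels();
			return;
		}

		// The CLI's --dry=1 never reaches listeners, so honour a switch of our own.
		// Assumption: the operator exports LDAPSYNC_DRY=1 before running groupofficecli.php.
		$dry = getenv('LDAPSYNC_DRY') === '1';

		self::$removals++;
		if (self::$removals > self::MAX_REMOVALS_PER_RUN) {
			// Circuit breaker: log and skip instead of deleting; the rest of the sync continues.
			echo "Refusing to remove data for " . $user->username . ": more than "
				. self::MAX_REMOVALS_PER_RUN . " users lack '" . $serviceAttribute
				. "' in this run, check the LDAP attribute before re-running.\n";
			return;
		}

		echo ($dry ? "[DRY] " : "") . "No groupware service for " . $user->username . "\n";
		if ($dry) {
			return;
		}

		// Same removals as the page's example, written as a loop over the model classes.
		foreach (array('GO_Calendar_Model_Calendar', 'GO_Tasks_Model_Tasklist', 'GO_Notes_Model_Category') as $modelClass) {
			$stmt = $modelClass::model()->findByAttribute("user_id", $user->id);
			$stmt->callOnEach("delete");
		}
		$folder = GO_Files_Model_Folder::model()->findHomeFolder($user);
		$folder->folders->callOnEach("delete");
		$folder->files->callOnEach("delete");
	}
}
```

Run it first with LDAPSYNC_DRY=1 exported in the same command that starts groupofficecli.php, read the "[DRY]" lines, and only then run without the variable. The cap is per process, so it resets with every sync run; pick a value in line with the percentage you pass to --max_delete_percentage.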

Now install the module and reload Group-Office to activate the listener.

Note: The extended code is not executed with the --dry option enabled.