\LDAPService
Class LDAPService
Provides LDAP operations expressed in terms of the SilverStripe domain.
All other modules should access LDAP through this class.
This class builds on top of LDAPGateway's detailed code by adding:
- caching
- data aggregation and restructuring from multiple lower-level calls
- error handling
LDAPService relies on Zend LDAP module's data structures for some parameters and some return values.
Synopsis
    class LDAPService
    extends Object
    implements Flushable
    {
        // members
        private static array $dependencies = ;
        private static array $users_search_locations = ;
        private static array $groups_search_locations = ;
        private static $new_users_dn;
        private static $new_groups_dn;
        private static array $_cache_nested_groups = ;
        private static $default_group;
        private static bool $password_history_workaround = false;
        public LDAPGateway $gateway;

        // methods
        public static Zend_Cache_Frontend get_cache()
        public static void flush()
        public void setGateway()
        public bool enabled()
        public array authenticate()
        public array getNodes()
        public array getGroups()
        public array getNestedGroups()
        public array getGroupByGUID()
        public array getGroupByDN()
        public array getUsers()
        public array getUserByGUID()
        public array getUserByDN()
        public array getUserByEmail()
        public array getUserByUsername()
        public string|null getUsernameByEmail()
        public array getLDAPGroupMembers()
        public bool updateMemberFromLDAP()
        public bool updateGroupFromLDAP()
        public void createLDAPUser()
        public void createLDAPGroup()
        public void updateLDAPFromMember()
        public void updateLDAPGroupsForMember()
        public void addLDAPUserToGroup()
        public ValidationResult setPassword()
        public void deleteLDAPMember()
        public void update()
        public void delete()
        public void move()
        public void add()
        private void passwordHistoryWorkaround()
    }
Hierarchy
Extends
- Object
Implements
- Flushable
Tasks
Line | Task
---|---
949+ | Use the Zend\Ldap\Attribute::setPassword functionality to create a password in an abstract way, so that it works on other LDAP directories, not just Active Directory. Ensure that the user the service binds as has the right to change passwords and that the connection is secure.
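The task above and the `setPassword()` method both hinge on how Active Directory accepts a password write: the value of `unicodePwd` must be the new password wrapped in double quotes and encoded as UTF-16LE, and AD rejects the write unless the connection is encrypted (LDAPS or StartTLS). The following is an added example, not code from the LDAP module or SilverStripe, showing that encoding and a fail-closed check on connection security. `FakeLdapConnection`, `set_ad_password` and the sample DN are constructed for illustration; a real implementation would hand the bytes to an LDAP client library over LDAPS.

```python
"""Added example (not part of the SilverStripe LDAP module): encoding an
Active Directory password reset for the unicodePwd attribute and refusing
to send it over a cleartext connection.

FakeLdapConnection is a constructed stand-in for a real LDAP client; it only
records what would be written so the logic can be exercised offline.
"""
from dataclasses import dataclass, field
from typing import List, Tuple


def encode_unicode_pwd(password: str) -> bytes:
    # AD requires the new password enclosed in double quotes, UTF-16LE encoded.
    return f'"{password}"'.encode("utf-16-le")


def decode_unicode_pwd(value: bytes) -> str:
    # Inverse of encode_unicode_pwd, used here only to sanity-check the encoding.
    text = value.decode("utf-16-le")
    if len(text) < 2 or text[0] != '"' or text[-1] != '"':
        raise ValueError("unicodePwd value is not a quoted string")
    return text[1:-1]


class InsecureConnectionError(Exception):
    """Raised when a password write is attempted over a cleartext connection."""


@dataclass
class FakeLdapConnection:
    """Constructed stand-in (not a real client): records modify operations."""
    tls: bool
    modifications: List[Tuple[str, str, bytes]] = field(default_factory=list)

    def modify_replace(self, dn: str, attribute: str, value: bytes) -> None:
        self.modifications.append((dn, attribute, value))


def set_ad_password(conn: FakeLdapConnection, dn: str, new_password: str) -> bytes:
    """Administrative reset of the password on `dn` via unicodePwd.

    A modify/replace of unicodePwd is the admin-style reset (no old password
    supplied). AD refuses it on a cleartext connection, so fail closed here
    rather than let the server reject it after the password has already been
    sent in the clear.
    """
    if not conn.tls:
        raise InsecureConnectionError("unicodePwd must be written over LDAPS/StartTLS")
    value = encode_unicode_pwd(new_password)
    conn.modify_replace(dn, "unicodePwd", value)
    return value


if __name__ == "__main__":
    # Constructed sample DN, not a real directory entry.
    conn = FakeLdapConnection(tls=True)
    raw = set_ad_password(conn, "CN=jdoe,OU=Users,DC=example,DC=com", "S3cret!")
    print(raw.hex())
```

The fail-closed check is the point of the task's "connection is secure" clause: an LDAP client that silently falls back to plain LDAP would transmit the new password unencrypted before AD rejects the operation.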
Members
private
- $_cache_nested_groups — array
- $default_group — string
  If this is configured to a "Code" value of a {@link Group} in SilverStripe, the user will always be added to this group's membership when imported, regardless of any sort of group mappings.
- $dependencies — array
- $groups_search_locations — array
  If configured, only group objects within these locations will be exposed to this service.
- $new_groups_dn — string
  Location to create new groups in (distinguished name).
- $new_users_dn — string
  Location to create new users in (distinguished name).
- $password_history_workaround — bool
  For samba4 directories there is no way to enforce password history on password resets.
- $users_search_locations — array
  If configured, only user objects within these locations will be exposed to this service.
public
- $gateway — LDAPGateway
Methods
private
- passwordHistoryWorkaround() — Workaround applied when $password_history_workaround is enabled; see that member.
public
- add() — A simple proxy to LDAP add operation.
- addLDAPUserToGroup() — Add LDAP user by DN to LDAP group.
- authenticate() — Authenticate the given username and password with LDAP.
- createLDAPGroup() — Creates a new LDAP group from the passed Group record.
- createLDAPUser() — Creates a new LDAP user from the passed Member record.
- delete() — A simple proxy to LDAP delete operation.
- deleteLDAPMember() — Delete an LDAP user mapped to the Member record
- enabled() — Checks whether or not the service is enabled.
- flush() — Flushes out the LDAP results cache when flush=1 is called.
- getGroupByDN() — Get a particular AD group's data given a DN.
- getGroupByGUID() — Get a particular AD group's data given a GUID.
- getGroups() — Return all AD groups in configured search locations, including all nested groups.
- getLDAPGroupMembers() — Given a group DN, get the group membership data in LDAP.
- getNestedGroups() — Return all member groups (and members of those, recursively) underneath a specific group DN.
- getNodes() — Return all nodes (organizational units, containers, and domains) within the current base DN.
- getUserByDN() — Get a specific AD user's data given a DN.
- getUserByEmail() — Get a specific user's data given an email.
- getUserByGUID() — Get a specific AD user's data given a GUID.
- getUserByUsername() — Get a specific user's data given a username.
- getUsernameByEmail() — Get a username for an email.
- getUsers() — Return all AD users in configured search locations, including all users in nested groups.
- get_cache() — Get the cache object used for LDAP results. Note that the default lifetime set here is 8 hours, but you can change that by calling SS_Cache::set_lifetime('ldap', <lifetime in seconds>)
- move() — A simple proxy to LDAP copy/delete operation.
- setGateway() — Setter for gateway. Useful for overriding the gateway with a fake for testing.
- setPassword() — Change a member's password in AD. Works with Active Directory compatible services that save the password in the `unicodePwd` attribute. Active Directory only accepts writes to `unicodePwd` over an encrypted connection (LDAPS or StartTLS).
- update() — A simple proxy to LDAP update operation.
- updateGroupFromLDAP() — Sync a specific Group by updating it with LDAP data.
- updateLDAPFromMember() — Update the Member data back to the corresponding LDAP user object.
- updateLDAPGroupsForMember() — Ensure the user belongs to the correct groups in LDAP from their membership to local LDAP mapped SilverStripe groups.
- updateMemberFromLDAP() — Update the current Member record with data from LDAP.
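`getNestedGroups()`, `getUsers()` and `getLDAPGroupMembers()` all depend on walking group membership recursively, and `$_cache_nested_groups` memoises the result. Active Directory permits circular nesting (group A containing B containing A), so a naive recursive walk never terminates. The following is an added example, not the module's own implementation, showing a cycle-safe walk with a per-root cache over a constructed in-memory directory. `SAMPLE_DIRECTORY`, `get_nested_groups` and `get_group_users` are illustrative; a real implementation would issue LDAP searches and test `objectClass` rather than using dictionary membership to tell groups from users.

```python
"""Added example (not code from the SilverStripe LDAP module): resolving
nested group membership the way getNestedGroups() and getUsers() are
described, with a cycle guard and a cache keyed on the root group DN.

SAMPLE_DIRECTORY is constructed sample data: group DN -> member DNs. A DN
that appears as a key is treated as a group; any other DN is a user. This is
a simplification; a real directory search would check objectClass.
"""
from typing import Dict, List, Set, Tuple

SAMPLE_DIRECTORY: Dict[str, List[str]] = {
    "CN=Admins,OU=Groups,DC=example,DC=com": [
        "CN=Alice,OU=Users,DC=example,DC=com",
        "CN=Ops,OU=Groups,DC=example,DC=com",
    ],
    "CN=Ops,OU=Groups,DC=example,DC=com": [
        "CN=Bob,OU=Users,DC=example,DC=com",
        "CN=Oncall,OU=Groups,DC=example,DC=com",
    ],
    # Circular nesting: Oncall contains Admins, which indirectly contains Oncall.
    "CN=Oncall,OU=Groups,DC=example,DC=com": [
        "CN=Carol,OU=Users,DC=example,DC=com",
        "CN=Admins,OU=Groups,DC=example,DC=com",
    ],
}


def get_nested_groups(group_dn: str,
                      directory: Dict[str, List[str]],
                      cache: Dict[str, Tuple[str, ...]]) -> List[str]:
    """Return group_dn and every group nested under it, each exactly once.

    Breadth-first with a `seen` set, so circular membership terminates. The
    full closure for a root is cached only once it is complete, which avoids
    storing partial results computed while inside a cycle.
    """
    if group_dn in cache:
        return list(cache[group_dn])
    seen: Set[str] = {group_dn}
    queue: List[str] = [group_dn]
    order: List[str] = []
    while queue:
        current = queue.pop(0)
        order.append(current)
        for member in directory.get(current, []):
            if member in directory and member not in seen:
                seen.add(member)
                queue.append(member)
    cache[group_dn] = tuple(order)
    return order


def get_group_users(group_dn: str,
                    directory: Dict[str, List[str]],
                    cache: Dict[str, Tuple[str, ...]]) -> Set[str]:
    """All user DNs that are members of group_dn directly or via nested groups."""
    users: Set[str] = set()
    for nested in get_nested_groups(group_dn, directory, cache):
        for member in directory.get(nested, []):
            if member not in directory:
                users.add(member)
    return users


if __name__ == "__main__":
    cache: Dict[str, Tuple[str, ...]] = {}
    root = "CN=Admins,OU=Groups,DC=example,DC=com"
    for dn in get_nested_groups(root, SAMPLE_DIRECTORY, cache):
        print("group:", dn)
    for dn in sorted(get_group_users(root, SAMPLE_DIRECTORY, cache)):
        print("user: ", dn)
```

The cache mirrors the role of `$_cache_nested_groups`: repeated calls for the same root are served without re-walking the tree, but it should be invalidated together with the results cache (`flush()`), since group nesting changes in the directory are otherwise invisible until the entry expires.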