Add a new group template just as it is already there for adding users.

Rationale: this allows to support "custom" group LDAP classes, like the
groupOfMembers class of the rfc2307bis draft. The core user_ldap app
could also be changed to make this more handy, but already allows custom
group filters.

Signed-off-by: Claus-Justus Heine <[email protected]>

Author: rotdrop

lib/LDAPGroupManager.php

@@ -28,17 +28,25 @@
 use Exception;
 use OC\Group\Backend;
 use OCA\LdapWriteSupport\AppInfo\Application;
+use OCA\LdapWriteSupport\Service\Configuration;
 use OCA\User_LDAP\Group_Proxy;
 use OCA\User_LDAP\ILDAPGroupPlugin;
 use OCP\IGroupManager;
+use OCP\IUser;
+use OCP\IUserSession;
 use OCP\LDAP\ILDAPProvider;
 use Psr\Log\LoggerInterface;
 
 class LDAPGroupManager implements ILDAPGroupPlugin {
+	/** @var Configuration */
+	protected $configuration;
 
 	/** @var ILDAPProvider */
 	private $ldapProvider;
 
+	/** @var IUserSession */
+	private $userSession;
+
 	/** @var IGroupManager */
 	private $groupManager;
 
@@ -47,11 +55,13 @@ class LDAPGroupManager implements ILDAPGroupPlugin {
 	/** @var LoggerInterface */
 	private $logger;
 
-	public function __construct(IGroupManager $groupManager, LDAPConnect $ldapConnect, LoggerInterface $logger, ILDAPProvider $LDAPProvider) {
+	public function __construct(IGroupManager $groupManager, IUserSession $userSession, LDAPConnect $ldapConnect, LoggerInterface $logger, ILDAPProvider $LDAPProvider) {
 		$this->groupManager = $groupManager;
+		$this->userSession = $userSession;
 		$this->ldapConnect = $ldapConnect;
+		$this->ldapProvider = $ldapProvider;
+		$this->configuration = $configuration;
 		$this->logger = $logger;
-		$this->ldapProvider = $LDAPProvider;
 
 		if($this->ldapConnect->groupsEnabled()) {
 			$this->makeLdapBackendFirst();
@@ -82,15 +92,27 @@ public function respondToActions() {
 	 * @return string|null
 	 */
 	public function createGroup($gid) {
+		$adminUser = $this->userSession->getUser();
+		$requireActorFromLDAP = $this->configuration->isLdapActorRequired();
+		if ($requireActorFromLDAP && !$adminUser instanceof IUser) {
+			throw new Exception('Acting user is not from LDAP');
+		}
+		try {
+			$connection = $this->ldapProvider->getLDAPConnection($adminUser->getUID());
+			// TODO: what about multiple bases?
+			$base = $this->ldapProvider->getLDAPBaseGroups($adminUser->getUID());
+		} catch (Exception $e) {
+			if ($requireActorFromLDAP) {
+				if ($this->configuration->isPreventFallback()) {
+					throw new \Exception('Acting admin is not from LDAP', 0, $e);
+				}
+				return false;
+			}
+			$connection = $this->ldapConnect->getLDAPConnection();
+			$base = $this->ldapConnect->getLDAPBaseGroups()[0];
+		}
 
-		/**
-		 * FIXME could not create group using LDAPProvider, because its methods rely
-		 * on passing an already inserted [ug]id, which we do not have at this point.
-		 */
-
-		$newGroupEntry = $this->buildNewEntry($gid);
-		$connection = $this->ldapConnect->getLDAPConnection();
-		$newGroupDN = "cn=$gid," . $this->ldapConnect->getLDAPBaseGroups()[0];
+        list($newGroupDN, $newGroupEntry) = $this->buildNewEntry($gid, $base);
 		$newGroupDN = $this->ldapProvider->sanitizeDN([$newGroupDN])[0];
 
 		if ($ret = ldap_add($connection, $newGroupDN, $newGroupEntry)) {
@@ -151,7 +173,6 @@ public function addToGroup($uid, $gid) {
 				break;
 			case 'gidNumber':
 				throw new Exception('Cannot add to group when gidNumber is used as relation');
-				break;
 		}
 
 		if (!$ret = ldap_mod_add($connection, $groupDN, $entry)) {
@@ -220,12 +241,30 @@ public function isLDAPGroup($gid): bool {
 		}
 	}
 
-	private function buildNewEntry($gid): array {
-		return [
-			'objectClass' => ['groupOfNames', 'top'],
-			'cn' => $gid,
-			'member' => ['']
-		];
+	private function buildNewEntry($gid, $base): array {
+        $ldif = $this->configuration->getGroupTemplate();
+
+		$ldif = str_replace('{GID}', $gid, $ldif);
+		$ldif = str_replace('{BASE}', $base, $ldif);
+
+		$entry = [];
+		$lines = explode(PHP_EOL, $ldif);
+		foreach ($lines as $line) {
+			$split = explode(':', $line, 2);
+			$key = trim($split[0]);
+			$value = trim($split[1]);
+			if (!isset($entry[$key])) {
+				$entry[$key] = $value;
+			} else if (is_array($entry[$key])) {
+				$entry[$key][] = $value;
+			} else {
+				$entry[$key] = [$entry[$key], $value];
+			}
+		}
+		$dn = $entry['dn'];
+		unset($entry['dn']);
+
+		return [$dn, $entry];
 	}
 
 	public function makeLdapBackendFirst(): void {

lib/LDAPUserManager.php

@@ -107,6 +107,8 @@ public function respondToActions() {
 	 * @throws ServerNotAvailableException
 	 */
 	public function setDisplayName($uid, $displayName) {
+        trigger_error(__METHOD__);
+        $this->logger->error(__METHOD__, ['app' => 'ldap_write_support']);
 		$userDN = $this->getUserDN($uid);
 
 		$connection = $this->ldapProvider->getLDAPConnection($uid);
@@ -130,6 +132,10 @@ public function setDisplayName($uid, $displayName) {
 			if (ldap_mod_replace($connection, $userDN, [$displayNameField => $displayName])) {
 				return $displayName;
 			}
+            trigger_error(print_r(['conn' => $connection,
+                                   'user' => $userDN,
+                                   'dpyField' => $displayNameField,
+                                   'dpy' => $displayName], true));
 			throw new HintException('Failed to set display name');
 		} catch (ConstraintViolationException $e) {
 			throw new HintException(

lib/Service/Configuration.php

@@ -56,6 +56,14 @@ public function getUserTemplate() {
 		);
 	}
 
+	public function getGroupTemplate() {
+		return $this->config->getAppValue(
+			Application::APP_ID,
+			'template.group',
+			$this->getGroupTemplateDefault()
+		);
+	}
+
 	public function getUserTemplateDefault() {
 		return
 			'dn: uid={UID},{BASE}' . PHP_EOL .
@@ -66,6 +74,14 @@ public function getUserTemplateDefault() {
 			'sn: {UID}';
 	}
 
+	public function getGroupTemplateDefault() {
+		return
+			'dn: cn={GID},{BASE}' . PHP_EOL .
+			'objectClass: groupOfNames' . PHP_EOL .
+			'cn: {GID}' . PHP_EOL .
+			'member:';
+	}
+
 	public function isRequireEmail(): bool {
 		// this core settings flag is not exposed anywhere else
 		return $this->config->getAppValue('core', 'newUser.requireEmail', 'no') === 'yes';

lib/Settings/Admin.php

@@ -51,7 +51,9 @@ public function getForm() {
 			'templates',
 			[
 				'user' => $this->config->getUserTemplate(),
-				'userDefault' => $this->config->getUserTemplateDefault(),
+				'userDefault' => $this->config->getGroupTemplateDefault(),
+				'group' => $this->config->getGroupTemplate(),
+				'groupDefault' => $this->config->getGroupTemplateDefault(),
 			]
 		);
 		$this->initialStateService->provideInitialState(

src/components/AdminSettings.vue

@@ -53,6 +53,13 @@
 			<li><span class="mono">{BASE}</span> – {{ t('ldap_write_support', 'the LDAP node of the acting (sub)admin or the configured user base') }}</li>
 		</ul>
 		<textarea class="mono" v-on:change="setUserTemplate" v-model="templates.user">{{templates.user}}</textarea>
+		<h3>{{ t('ldap_write_support', 'Group template') }}</h3>
+		<p>{{ t('ldap_write_support', 'LDIF template for creating groups. Following placeholders may be used') }}</p>
+		<ul class="disc">
+			<li><span class="mono">{GID}</span> – {{ t('ldap_write_support', 'the group id provided by the (sub)admin') }}</li>
+			<li><span class="mono">{BASE}</span> – {{ t('ldap_write_support', 'the LDAP node of the acting (sub)admin or the configured group base') }}</li>
+		</ul>
+		<textarea class="mono" v-on:change="setGroupTemplate" v-model="templates.group">{{templates.group}}</textarea>
 	</div>
 </template>
 
@@ -67,6 +74,8 @@
 			templates: {
 				user: Object,
 				userDefault: Object,
+				group: Object,
+				groupDefault: Object,
 			},
 			switches: {
 				createRequireActorFromLdap: Boolean,
@@ -92,6 +101,18 @@
 				}
 				OCP.AppConfig.setValue('ldap_write_support', 'template.user', this.templates.user);
 			},
+			setGroupTemplate() {
+				if(this.templates.group === "") {
+					let self = this;
+					OCP.AppConfig.deleteKey('ldap_write_support', 'template.group', {
+						success: function() {
+							self.templates.group = self.templates.groupDefault;
+						}
+					});
+					return;
+				}
+				OCP.AppConfig.setValue('ldap_write_support', 'template.group', this.templates.group);
+			},
 			toggleSwitch(prefKey, state, appId = 'ldap_write_support') {
 				this.switches[prefKey] = state;
 				let value = (state | 0).toString();