dongtao9095 2015-03-03 16:44

Wordpress AD集成错误检索组


For some odd reason I'm unable to retrieve group members from Domain Users, or from any group for that matter.

Base DN is set to dc=domain,dc=com. I've hit a block here. When I use the test tool I'm able to authenticate: [NOTICE] Authentication successfull for "rpimentel@domain.com"

Something is missing. Something simple that I'm overlooking. What could it be?

    // Extend the ADIntegrationPlugin class
    class BulkImportADIntegrationPlugin extends ADIntegrationPlugin {

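/**
 * Print a log entry as HTML and, when WP_DEBUG is on, append it to the log file.
 *
 * Entries whose level is greater than $this->_loglevel are dropped.
 *
 * @param integer $level one of the ADI_LOG_* constants
 * @param string  $info  message text; may contain several lines
 */
protected function _log($level = 0, $info = '') {
    if ($level > $this->_loglevel) {
        return;
    }

    switch ($level) {
        case ADI_LOG_DEBUG:
            $class = 'debug';
            $type  = '[DEBUG]  ';
            break;
        case ADI_LOG_INFO:
            $class = 'info';
            $type  = '[INFO]   ';
            break;
        case ADI_LOG_NOTICE:
            $class = 'notice';
            $type  = '[NOTICE] ';
            break;
        case ADI_LOG_WARN:
            $class = 'warn';
            $type  = '[WARN]   ';
            break;
        case ADI_LOG_ERROR:
            $class = 'error';
            $type  = '[ERROR]  ';
            break;
        case ADI_LOG_FATAL:
            $class = 'fatal';
            $type  = '[FATAL]  ';
            break;
        default:
            $class = '';
            $type  = '';
    }

    // $info can carry text that comes from the directory or from the plugin
    // settings (group names, user names, exception messages, print_r() dumps).
    // Escape it before it becomes part of the page; the <br /> tags are added
    // after escaping so they stay markup.
    $html = htmlspecialchars($info, ENT_QUOTES | ENT_SUBSTITUTE, 'UTF-8');
    echo '<span class="'.$class.'">'.$type
        . str_replace("\n", "<br />         ", $html).'</span><br />';

    if (WP_DEBUG) {
        // The file copy is plain text, so the unescaped message is written.
        // Opening the file is best effort: if it fails the entry is only shown on screen.
        if ($fh = @fopen($this->_logfile,'a+')) {
            fwrite($fh,$type . str_replace("\n", "\n         ", $info) . "\n");
            fclose($fh);
        }
    }
}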


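/**
 * Import or update WordPress users from the configured Active Directory groups.
 *
 * Collects the members of every entry in $this->_bulkimport_security_groups plus
 * all local users that carry a non-empty adi_samaccountname meta value, then
 * creates, updates, enables or disables each WordPress account according to the
 * userAccountControl flags returned by AD. Progress is reported through _log().
 *
 * @param string $authcode auth code supplied by the caller; must equal $this->_bulkimport_authcode
 * @return bool true on success, false on error
 */
public function bulkimport($authcode)
{
    global $wp_version;
    global $wpdb;

    // NOTE(review): the log file sits next to this source file and receives user
    // names and, at debug level, full attribute dumps. Confirm the web server
    // does not serve it.
    $this->setLogFile(dirname(__FILE__).'/import.log');

    $this->_log(ADI_LOG_INFO,"-------------------------------------\n".
                             "START OF BULK IMPORT\n".
                             date('Y-m-d / H:i:s')."\n".
                             "-------------------------------------\n");

    $time = time();
    $all_users = array();

    // Is bulk import enabled?
    if (!$this->_bulkimport_enabled) {
        $this->_log(ADI_LOG_INFO,'Bulk Import is disabled.');
        return false;
    }

    // Do we have the correct Auth Code? Both values must be strings, and the
    // comparison is constant-time where hash_equals() exists, so the response
    // time does not depend on how many leading characters match.
    // NOTE(review): an empty configured code still matches an empty supplied
    // code. Confirm the settings page enforces a non-empty value.
    $stored_authcode = $this->_bulkimport_authcode;
    if (!is_string($stored_authcode) || !is_string($authcode)) {
        $authcode_ok = false;
    } elseif (function_exists('hash_equals')) {
        $authcode_ok = hash_equals($stored_authcode, $authcode);
    } else {
        $authcode_ok = ($stored_authcode === $authcode);
    }
    if (!$authcode_ok) {
        $this->_log(ADI_LOG_ERROR,'Wrong Auth Code.');
        return false;
    }

    // The bind below uses this value and it must never be written to the log.
    // NOTE(review): if _decrypt() does not return the password that was stored,
    // the adLDAP object may still be created while the group lookups further
    // down come back empty. Rule that out when group retrieval fails.
    $ad_password = $this->_decrypt($this->_bulkimport_pwd);

    // Log the connection options (the password is replaced by a placeholder)
    $this->_log(ADI_LOG_INFO,"Options for adLDAP connection:\n".
                  "- base_dn: $this->_base_dn\n".
                  "- domain_controllers: $this->_domain_controllers\n".
                  "- ad_username: $this->_bulkimport_user\n".
                  "- ad_password: **not shown**\n".
                  "- ad_port: $this->_port\n".
                  "- use_tls: ".(int) $this->_use_tls."\n".
                  "- network timeout: ". $this->_network_timeout);

    // Connect to Active Directory
    try {
        $this->_adldap = @new adLDAP(array(
                    "base_dn" => $this->_base_dn,
                    "domain_controllers" => explode(';', $this->_domain_controllers),
                    "ad_username" => $this->_bulkimport_user,       // Bulk Import User
                    "ad_password" => $ad_password,                  // password
                    "ad_port" => $this->_port,                      // AD port
                    "use_tls" => $this->_use_tls,                   // secure?
                    "network_timeout" => $this->_network_timeout    // network timeout
                    ));
    } catch (Exception $e) {
        $this->_log(ADI_LOG_ERROR,'adLDAP exception: ' . $e->getMessage());
        return false;
    }
    $this->_log(ADI_LOG_NOTICE,'adLDAP object created.');
    $this->_log(ADI_LOG_INFO,'Domain Controller: ' . $this->_adldap->get_last_used_dc());

    // Let's give us some more time (60 minutes). A value of 0 means "no limit"
    // and must not be lowered to 3600.
    $max_execution_time = (int) ini_get('max_execution_time');
    if ($max_execution_time !== 0 && $max_execution_time < 3600) {
        ini_set('max_execution_time', 3600);
    }
    $max_execution_time = (int) ini_get('max_execution_time');
    if ($max_execution_time !== 0 && $max_execution_time < 3600) {
        $this->_log(ADI_LOG_ERROR,'Can not increase PHP configuration option "max_execution_time".');
        return false;
    }

    // Get all users of the chosen security groups.
    // explode() always returns at least one element, so this guard does not fire
    // for an empty setting; empty entries are reported inside the loop instead.
    $groups = explode(";",$this->_bulkimport_security_groups);
    if (count($groups) < 1) {
        $this->_log(ADI_LOG_WARN,'No security group.');
        return false;
    }

    foreach ($groups AS $group) {
        // get all members of group
        $group = trim($group);
        if ($group != '')  {
            // An entry containing "id:" (any case, anywhere in the entry) is
            // treated as a primary group id; the text after it is the id.
            if (($pos = stripos($group,'id:')) !== false) {
                $pgid = substr($group,$pos+3);
                $members = $this->_adldap->group_members_by_primarygroupid($pgid, true);
            } else {
                $members = $this->_adldap->group_members($group, true);
            }
            // Truthiness test: any falsy result (for example false or an empty
            // array) is logged as an error, so the message does not distinguish
            // a failed lookup from a group without members.
            if ($members) {
                $this->_log(ADI_LOG_INFO,count($members).' Members of group "'.$group.'".');
                $this->_log(ADI_LOG_DEBUG,'Members of group "'.$group.'": ' . implode(', ',$members));
                foreach ($members AS $user) {
                    // keyed by lower-case name so a user listed in several groups is imported once
                    $all_users[strtolower($user)] = $user;
                }
            } else {
                $this->_log(ADI_LOG_ERROR,'Error retrieving group members for group "'.$group.'".');
            }
        } else {
            $this->_log(ADI_LOG_WARN,'No group. Nothing to do.');
        }
    }

    // Adding all local users with non empty entry adi_samaccountname in usermeta.
    // The statement contains no request data, only the table names from $wpdb.
    $blogusers=$wpdb->get_results(
        '
        SELECT
            users.user_login
        FROM
            '. $wpdb->users . ' users
        INNER JOIN
            ' . $wpdb->usermeta ." meta ON meta.user_id = users.ID
        where
            meta.meta_key = 'adi_samaccountname'
            AND
            meta.meta_value IS NOT NULL
            AND
            meta.meta_value <> ''
            AND
            users.ID <> 1
        "
    );
    if (is_array($blogusers)) {
        foreach ($blogusers AS $user) {
            $all_users[strtolower($user->user_login)] = $user->user_login;
        }
    }


    $elapsed_time = time() - $time;
    $this->_log(ADI_LOG_INFO,'Number of users to import/update: '.count($all_users).' (list generated in '. $elapsed_time .' seconds)');

    if (version_compare($wp_version, '3.1', '<')) {
        require_once(ABSPATH . WPINC . DIRECTORY_SEPARATOR . 'registration.php');
    }


    // import all relevant users
    $added_users = 0;
    $updated_users = 0;
    foreach ($all_users AS $username) {

        $ad_username = $username;

        // getting user data (get_userdatabylogin() is deprecated)
        $user = get_user_by('login', $username);

        // role
        $user_role = $this->_get_user_role_equiv($ad_username); // important: use $ad_username not $username

        // userinfo from AD
        $this->_log(ADI_LOG_DEBUG, 'ATTRIBUTES TO LOAD: '.print_r($this->_all_user_attributes, true));
        $userinfo = $this->_adldap->user_info($ad_username, $this->_all_user_attributes);
        // Only index the result when it is an array with a first entry; anything
        // else is handled as "not found" below.
        $userinfo = (is_array($userinfo) && isset($userinfo[0])) ? $userinfo[0] : null;
        $this->_log(ADI_LOG_DEBUG,"USERINFO[0]: \n".print_r($userinfo,true));

        if (empty($userinfo)) {
            $this->_log(ADI_LOG_INFO,'User "' . $ad_username . '" not found in Active Directory.');
            if (isset($user->ID) && ($this->_disable_users)) {
                $this->_log(ADI_LOG_WARN,'User "' . $username . '" disabled.');
                $this->_disable_user($user->ID, sprintf(__('User "%s" not found in Active Directory.', 'ad-integration'), $username));
            }

        } else {

            // Only user accounts: the UF_NORMAL_ACCOUNT bit is set and none of the
            // bits in ADI_NO_UF_NORMAL_ACOUNT are set.
            if (($userinfo["useraccountcontrol"][0] & (UF_NORMAL_ACCOUNT | ADI_NO_UF_NORMAL_ACOUNT)) == UF_NORMAL_ACCOUNT) {

                // users with flag UF_SMARTCARD_REQUIRED have no password so they can not logon with ADI
                if (($userinfo["useraccountcontrol"][0] & UF_SMARTCARD_REQUIRED) == 0) {

                    // get display name
                    $display_name = $this->_get_display_name_from_AD($username, $userinfo);

                    // create new users or update them (names are compared case-insensitively)
                    if (!$user OR (strtolower($user->user_login) != strtolower($username))) {
                        $user_id = $this->_create_user($ad_username, $userinfo, $display_name, $user_role, '', true);
                        $added_users++;
                    } else {
                        $user_id = $this->_update_user($ad_username, $userinfo, $display_name, $user_role, '', true);
                        $updated_users++;
                    }

                    // load user object (this shouldn't be necessary)
                    if (!$user_id) {
                        $user_id = username_exists($username);
                        $this->_log(ADI_LOG_NOTICE,'user_id: '.$user_id);
                    }

                    // if the user is disabled
                    if (($userinfo["useraccountcontrol"][0] & UF_ACCOUNT_DISABLE) == UF_ACCOUNT_DISABLE)
                    {
                        $this->_log(ADI_LOG_INFO,'The user "' . $username .'" is disabled in Active Directory.');
                        if ($this->_disable_users) {
                            $this->_log(ADI_LOG_WARN,'Disabling user "' . $username .'".');
                            $this->_disable_user($user_id, sprintf(__('User "%s" is disabled in Active Directory.', 'ad-integration'), $username));
                        }
                    } else {
                        // Enable user / turn off user_disabled
                        $this->_log(ADI_LOG_INFO,'Enabling user "' . $username .'".');
                        $this->_enable_user($user_id);
                    }
                } else {
                    // Flag UF_SMARTCARD_REQUIRED is set
                    $this->_log(ADI_LOG_INFO,'The user "' . $username .'" requires a SmartCard to logon.');
                    if (isset($user->ID) && ($this->_disable_users)) {
                        $this->_log(ADI_LOG_WARN,'Disabling user "' . $username .'".');
                        $this->_disable_user($user->ID, sprintf(__('User "%s" requires a SmartCard to logon.', 'ad-integration'), $username));
                    }
                }
            } else {
                // not a normal user account
                $this->_log(ADI_LOG_INFO,'The user "' . $username .'" has no normal user account.');
                if (isset($user->ID) && ($this->_disable_users)) {
                    $this->_log(ADI_LOG_WARN,'Disabling user "' . $username .'".');
                    $this->_disable_user($user->ID, sprintf(__('User "%s" has no normal user account.', 'ad-integration'), $username));
                }
            }
        }
    }

    // Logging
    $elapsed_time = time() - $time;
    $this->_log(ADI_LOG_INFO,$added_users . ' Users added.');
    $this->_log(ADI_LOG_INFO,$updated_users . ' Users updated.');
    $this->_log(ADI_LOG_INFO,'In '. $elapsed_time . ' seconds.');

    $this->_log(ADI_LOG_INFO,"-------------------------------------\n".
                             "END OF BULK IMPORT\n".
                             date('Y-m-d / H:i:s')."\n".
                             "-------------------------------------\n");

    return true;
}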

It looks like this is where it fails. But why wouldn't it be able to get the group?

    // Excerpt of the group loop; the closing braces of the outer "if" and the
    // "foreach" are not part of the excerpt.
    foreach ($groups AS $group) {
    // get all members of group
    $group = trim($group);
    if ($group != '')  {
        // An entry containing "id:" (any case, anywhere in the entry) is treated
        // as a primary group id; the text after it is passed on as the id.
        if (($pos = stripos($group,'id:')) !== false) {
            $pgid = substr($group,$pos+3);
            $members = $this->_adldap->group_members_by_primarygroupid($pgid, true);
        } else {
            $members = $this->_adldap->group_members($group, true);
        }
        // Truthiness test: any falsy result (for example false or an empty array)
        // goes to the error branch, so the message below does not say whether the
        // lookup failed or the group simply returned no members.
        if ($members) {
            $this->_log(ADI_LOG_INFO,count($members).' Members of group "'.$group.'".');
            $this->_log(ADI_LOG_DEBUG,'Members of group "'.$group.'": ' . implode(', ',$members));
            foreach ($members AS $user) {
                // keyed by lower-case name so duplicates collapse into one entry
                $all_users[strtolower($user)] = $user;
            }
        } else {
            $this->_log(ADI_LOG_ERROR,'Error retrieving group members for group "'.$group.'".');
        }

  • duandang2123 2015-03-03 18:04

    I removed $ad_password = $this->_decrypt($this->_bulkimport_pwd); and added $ad_password = 'my_password_here';

    And it worked

    It seems the password decryption (_decrypt()) is broken, so the bulk import was binding to AD with the wrong password.

    [INFO] 1000 Members of group "id:513". [INFO] Number of users to import/update: 3439
