diff options
| -rw-r--r-- | EVENTS.txt | 22 | ||||
| -rw-r--r-- | actions/apigroupcreate.php | 62 | ||||
| -rw-r--r-- | actions/login.php | 4 | ||||
| -rw-r--r-- | actions/newgroup.php | 46 | ||||
| -rw-r--r-- | actions/profilesettings.php | 2 | ||||
| -rw-r--r-- | classes/Profile.php | 11 | ||||
| -rw-r--r-- | classes/User_group.php | 62 | ||||
| -rw-r--r-- | lib/apiauth.php | 6 | ||||
| -rw-r--r-- | lib/common.php | 4 | ||||
| -rw-r--r-- | lib/language.php | 57 | ||||
| -rw-r--r-- | lib/util.php | 13 | ||||
| -rw-r--r-- | plugins/Authentication/AuthenticationPlugin.php | 2 | ||||
| -rw-r--r-- | plugins/Authorization/AuthorizationPlugin.php | 108 | ||||
| -rw-r--r-- | plugins/LdapAuthentication/LdapAuthenticationPlugin.php | 13 | ||||
| -rw-r--r-- | plugins/LdapAuthorization/LdapAuthorizationPlugin.php | 211 | ||||
| -rw-r--r-- | plugins/LdapAuthorization/README | 91 | ||||
| -rwxr-xr-x | scripts/update_pot.sh | 12 |
17 files changed, 610 insertions, 116 deletions
diff --git a/EVENTS.txt b/EVENTS.txt index c788a9215..34a222e8f 100644 --- a/EVENTS.txt +++ b/EVENTS.txt @@ -535,6 +535,28 @@ StartChangePassword: Before changing a password EndChangePassword: After changing a password - $user: user +StartSetUser: Before setting the currently logged in user +- $user: user + +EndSetUser: After setting the currently logged in user +- $user: user + +StartSetApiUser: Before setting the current API user +- $user: user + +EndSetApiUser: After setting the current API user +- $user: user + +StartHasRole: Before determing if the a profile has a given role +- $profile: profile in question +- $name: name of the role in question +- &$has_role: does this profile have the named role? + +EndHasRole: Before determing if the a profile has a given role +- $profile: profile in question +- $name: name of the role in question +- $has_role: does this profile have the named role? + UserDeleteRelated: Specify additional tables to delete entries from when deleting users - $user: User object - &$related: array of DB_DataObject class names to delete entries on matching user_id. diff --git a/actions/apigroupcreate.php b/actions/apigroupcreate.php index 895dfb7ab..8827d1c5c 100644 --- a/actions/apigroupcreate.php +++ b/actions/apigroupcreate.php @@ -117,61 +117,13 @@ class ApiGroupCreateAction extends ApiAuthAction return; } - $group = new User_group(); - - $group->query('BEGIN'); - - $group->nickname = $this->nickname; - $group->fullname = $this->fullname; - $group->homepage = $this->homepage; - $group->description = $this->description; - $group->location = $this->location; - $group->created = common_sql_now(); - - $result = $group->insert(); - - if (!$result) { - common_log_db_error($group, 'INSERT', __FILE__); - $this->serverError( - _('Could not create group.'), - 500, - $this->format - ); - return; - } - - $result = $group->setAliases($this->aliases); - - if (!$result) { - $this->serverError( - _('Could not create aliases.'), - 500, - $this->format - ); - return; - } - - $member = new Group_member(); - - $member->group_id = $group->id; - $member->profile_id = $this->user->id; - $member->is_admin = 1; - $member->created = $group->created; - - $result = $member->insert(); - - if (!$result) { - common_log_db_error($member, 'INSERT', __FILE__); - $this->serverError( - _('Could not set group membership.'), - 500, - $this->format - ); - return; - } - - $group->query('COMMIT'); - + $group = User_group::register(array('nickname' => $this->nickname, + 'fullname' => $this->fullname, + 'homepage' => $this->homepage, + 'description' => $this->description, + 'location' => $this->location, + 'aliases' => $this->aliases, + 'userid' => $this->user->id)); switch($this->format) { case 'xml': $this->showSingleXmlGroup($group); diff --git a/actions/login.php b/actions/login.php index ad57dd667..63955e3f5 100644 --- a/actions/login.php +++ b/actions/login.php @@ -133,7 +133,7 @@ class LoginAction extends Action return; } - $nickname = common_canonical_nickname($this->trimmed('nickname')); + $nickname = $this->trimmed('nickname'); $password = $this->arg('password'); $user = common_check_user($nickname, $password); @@ -146,7 +146,7 @@ class LoginAction extends Action // success! if (!common_set_user($user)) { - $this->serverError(_('Error setting user.')); + $this->serverError(_('Error setting user. You are probably not authorized.')); return; } diff --git a/actions/newgroup.php b/actions/newgroup.php index 80da9861a..25da7f8fc 100644 --- a/actions/newgroup.php +++ b/actions/newgroup.php @@ -186,45 +186,13 @@ class NewgroupAction extends Action assert(!is_null($cur)); - $group = new User_group(); - - $group->query('BEGIN'); - - $group->nickname = $nickname; - $group->fullname = $fullname; - $group->homepage = $homepage; - $group->description = $description; - $group->location = $location; - $group->created = common_sql_now(); - - $result = $group->insert(); - - if (!$result) { - common_log_db_error($group, 'INSERT', __FILE__); - $this->serverError(_('Could not create group.')); - } - - $result = $group->setAliases($aliases); - - if (!$result) { - $this->serverError(_('Could not create aliases.')); - } - - $member = new Group_member(); - - $member->group_id = $group->id; - $member->profile_id = $cur->id; - $member->is_admin = 1; - $member->created = $group->created; - - $result = $member->insert(); - - if (!$result) { - common_log_db_error($member, 'INSERT', __FILE__); - $this->serverError(_('Could not set group membership.')); - } - - $group->query('COMMIT'); + $group = User_group::register(array('nickname' => $nickname, + 'fullname' => $fullname, + 'homepage' => $homepage, + 'description' => $description, + 'location' => $location, + 'aliases' => $aliases, + 'userid' => $cur->id)); common_redirect($group->homeUrl(), 303); } diff --git a/actions/profilesettings.php b/actions/profilesettings.php index 0a0cc5997..359664096 100644 --- a/actions/profilesettings.php +++ b/actions/profilesettings.php @@ -323,7 +323,7 @@ class ProfilesettingsAction extends AccountSettingsAction $result = $profile->update($orig_profile); - if (!$result) { + if ($result === false) { common_log_db_error($profile, 'UPDATE', __FILE__); $this->serverError(_('Couldn\'t save profile.')); return; diff --git a/classes/Profile.php b/classes/Profile.php index 1b9cdb52f..4b2e09006 100644 --- a/classes/Profile.php +++ b/classes/Profile.php @@ -594,9 +594,14 @@ class Profile extends Memcached_DataObject function hasRole($name) { - $role = Profile_role::pkeyGet(array('profile_id' => $this->id, - 'role' => $name)); - return (!empty($role)); + $has_role = false; + if (Event::handle('StartHasRole', array($this, $name, &$has_role))) { + $role = Profile_role::pkeyGet(array('profile_id' => $this->id, + 'role' => $name)); + $has_role = !empty($role); + Event::handle('EndHasRole', array($this, $name, $has_role)); + } + return $has_role; } function grantRole($name) diff --git a/classes/User_group.php b/classes/User_group.php index b92638f7a..c86eadf8f 100644 --- a/classes/User_group.php +++ b/classes/User_group.php @@ -354,4 +354,66 @@ class User_group extends Memcached_DataObject return $xs->getString(); } + + static function register($fields) { + + // MAGICALLY put fields into current scope + + extract($fields); + + $group = new User_group(); + + $group->query('BEGIN'); + + $group->nickname = $nickname; + $group->fullname = $fullname; + $group->homepage = $homepage; + $group->description = $description; + $group->location = $location; + $group->created = common_sql_now(); + + $result = $group->insert(); + + if (!$result) { + common_log_db_error($group, 'INSERT', __FILE__); + $this->serverError( + _('Could not create group.'), + 500, + $this->format + ); + return; + } + $result = $group->setAliases($aliases); + + if (!$result) { + $this->serverError( + _('Could not create aliases.'), + 500, + $this->format + ); + return; + } + + $member = new Group_member(); + + $member->group_id = $group->id; + $member->profile_id = $userid; + $member->is_admin = 1; + $member->created = $group->created; + + $result = $member->insert(); + + if (!$result) { + common_log_db_error($member, 'INSERT', __FILE__); + $this->serverError( + _('Could not set group membership.'), + 500, + $this->format + ); + return; + } + + $group->query('COMMIT'); + return $group; + } } diff --git a/lib/apiauth.php b/lib/apiauth.php index 2f2e44a26..0d1613d38 100644 --- a/lib/apiauth.php +++ b/lib/apiauth.php @@ -110,7 +110,11 @@ class ApiAuthAction extends ApiAction } else { $nickname = $this->auth_user; $password = $this->auth_pw; - $this->auth_user = common_check_user($nickname, $password); + $user = common_check_user($nickname, $password); + if (Event::handle('StartSetApiUser', array(&$user))) { + $this->auth_user = $user; + Event::handle('EndSetApiUser', array($user)); + } if (empty($this->auth_user)) { diff --git a/lib/common.php b/lib/common.php index 203b37c87..732c22bfd 100644 --- a/lib/common.php +++ b/lib/common.php @@ -59,10 +59,6 @@ require_once('PEAR.php'); require_once('DB/DataObject.php'); require_once('DB/DataObject/Cast.php'); # for dates -if (!function_exists('gettext')) { - require_once("php-gettext/gettext.inc"); -} - require_once(INSTALLDIR.'/lib/language.php'); // This gets included before the config file, so that admin code and plugins diff --git a/lib/language.php b/lib/language.php index 2570907b7..a99bf89e3 100644 --- a/lib/language.php +++ b/lib/language.php @@ -32,6 +32,63 @@ if (!defined('STATUSNET') && !defined('LACONICA')) { exit(1); } +if (!function_exists('gettext')) { + require_once("php-gettext/gettext.inc"); +} + +if (!function_exists('pgettext')) { + /** + * Context-aware gettext wrapper; use when messages in different contexts + * won't be distinguished from the English source but need different translations. + * The context string will appear as msgctxt in the .po files. + * + * Not currently exposed in PHP's gettext module; implemented to be compat + * with gettext.h's macros. + * + * @param string $context context identifier, should be some key like "menu|file" + * @param string $msgid English source text + * @return string original or translated message + */ + function pgettext($context, $msg) + { + $msgid = $context . "\004" . $msg; + $out = dcgettext(textdomain(NULL), $msgid, LC_MESSAGES); + if ($out == $msgid) { + return $msg; + } else { + return $out; + } + } +} + +if (!function_exists('npgettext')) { + /** + * Context-aware ngettext wrapper; use when messages in different contexts + * won't be distinguished from the English source but need different translations. + * The context string will appear as msgctxt in the .po files. + * + * Not currently exposed in PHP's gettext module; implemented to be compat + * with gettext.h's macros. + * + * @param string $context context identifier, should be some key like "menu|file" + * @param string $msg singular English source text + * @param string $plural plural English source text + * @param int $n number of items to control plural selection + * @return string original or translated message + */ + function npgettext($context, $msg, $plural, $n) + { + $msgid = $context . "\004" . $msg; + $out = dcngettext(textdomain(NULL), $msgid, $plural, $n, LC_MESSAGES); + if ($out == $msgid) { + return $msg; + } else { + return $out; + } + } +} + + /** * Content negotiation for language codes * diff --git a/lib/util.php b/lib/util.php index 68f3520db..5bf4f6091 100644 --- a/lib/util.php +++ b/lib/util.php @@ -196,10 +196,15 @@ function common_set_user($user) } if ($user) { - common_ensure_session(); - $_SESSION['userid'] = $user->id; - $_cur = $user; - return $_cur; + if (Event::handle('StartSetUser', array(&$user))) { + if($user){ + common_ensure_session(); + $_SESSION['userid'] = $user->id; + $_cur = $user; + Event::handle('EndSetUser', array($user)); + return $_cur; + } + } } return false; } diff --git a/plugins/Authentication/AuthenticationPlugin.php b/plugins/Authentication/AuthenticationPlugin.php index 1b9084187..cd1de1149 100644 --- a/plugins/Authentication/AuthenticationPlugin.php +++ b/plugins/Authentication/AuthenticationPlugin.php @@ -2,7 +2,7 @@ /** * StatusNet, the distributed open-source microblogging tool * - * Superclass for plugins that do authentication and/or authorization + * Superclass for plugins that do authentication * * PHP version 5 * diff --git a/plugins/Authorization/AuthorizationPlugin.php b/plugins/Authorization/AuthorizationPlugin.php new file mode 100644 index 000000000..e4e046d08 --- /dev/null +++ b/plugins/Authorization/AuthorizationPlugin.php @@ -0,0 +1,108 @@ +<?php +/** + * StatusNet, the distributed open-source microblogging tool + * + * Superclass for plugins that do authorization + * + * PHP version 5 + * + * LICENCE: This program is free software: you can redistribute it and/or modify + * it under the terms of the GNU Affero General Public License as published by + * the Free Software Foundation, either version 3 of the License, or + * (at your option) any later version. + * + * This program is distributed in the hope that it will be useful, + * but WITHOUT ANY WARRANTY; without even the implied warranty of + * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the + * GNU Affero General Public License for more details. + * + * You should have received a copy of the GNU Affero General Public License + * along with this program. If not, see <http://www.gnu.org/licenses/>. + * + * @category Plugin + * @package StatusNet + * @author Craig Andrews <candrews@integralblue.com> + * @license http://www.fsf.org/licensing/licenses/agpl-3.0.html GNU Affero General Public License version 3.0 + * @link http://status.net/ + */ + +if (!defined('STATUSNET') && !defined('LACONICA')) { + exit(1); +} + +/** + * Superclass for plugins that do authorization + * + * @category Plugin + * @package StatusNet + * @author Craig Andrews <candrews@integralblue.com> + * @license http://www.fsf.org/licensing/licenses/agpl-3.0.html GNU Affero General Public License version 3.0 + * @link http://status.net/ + */ + +abstract class AuthorizationPlugin extends Plugin +{ + //is this plugin authoritative for authorization? + public $authoritative = false; + + //------------Auth plugin should implement some (or all) of these methods------------\\ + + /** + * Is a user allowed to log in? + * @param user + * @return boolean true if the user is allowed to login, false if explicitly not allowed to login, null if we don't explicitly allow or deny login + */ + function loginAllowed($user) { + return null; + } + + /** + * Does a profile grant the user a named role? + * @param profile + * @return boolean true if the profile has the role, false if not + */ + function hasRole($profile, $name) { + return false; + } + + //------------Below are the methods that connect StatusNet to the implementing Auth plugin------------\\ + function onInitializePlugin(){ + + } + + function onStartSetUser(&$user) { + $loginAllowed = $this->loginAllowed($user); + if($loginAllowed === true){ + return; + }else if($loginAllowed === false){ + $user = null; + return false; + }else{ + if($this->authoritative) { + $user = null; + return false; + }else{ + return; + } + } + } + + function onStartSetApiUser(&$user) { + return $this->onStartSetUser(&$user); + } + + function onStartHasRole($profile, $name, &$has_role) { + if($this->hasRole($profile, $name)){ + $has_role = true; + return false; + }else{ + if($this->authoritative) { + $has_role = false; + return false; + }else{ + return; + } + } + } +} + diff --git a/plugins/LdapAuthentication/LdapAuthenticationPlugin.php b/plugins/LdapAuthentication/LdapAuthenticationPlugin.php index ad5dd3a02..8caacff46 100644 --- a/plugins/LdapAuthentication/LdapAuthenticationPlugin.php +++ b/plugins/LdapAuthentication/LdapAuthenticationPlugin.php @@ -2,7 +2,7 @@ /** * StatusNet, the distributed open-source microblogging tool * - * Plugin to enable LDAP Authentication and Authorization + * Plugin to enable LDAP Authentication * * PHP version 5 * @@ -63,6 +63,9 @@ class LdapAuthenticationPlugin extends AuthenticationPlugin if(!isset($this->attributes['username'])){ throw new Exception("must specify a username attribute"); } + if($this->password_changeable && (! isset($this->attributes['password']) || !isset($this->password_encoding))){ + throw new Exception("if password_changeable is set, the password attribute and password_encoding must also be specified"); + } } //---interface implementation---// @@ -156,20 +159,21 @@ class LdapAuthenticationPlugin extends AuthenticationPlugin } function ldap_get_connection($config = null){ - if($config == null){ - $config = $this->ldap_get_config(); + if($config == null && isset($this->default_ldap)){ + return $this->default_ldap; } //cannot use Net_LDAP2::connect() as StatusNet uses //PEAR::setErrorHandling(PEAR_ERROR_CALLBACK, 'handleError'); //PEAR handling can be overridden on instance objects, so we do that. - $ldap = new Net_LDAP2($config); + $ldap = new Net_LDAP2(isset($config)?$config:$this->ldap_get_config()); $ldap->setErrorHandling(PEAR_ERROR_RETURN); $err=$ldap->bind(); if (Net_LDAP2::isError($err)) { common_log(LOG_WARNING, 'Could not connect to LDAP server: '.$err->getMessage()); return false; } + if($config == null) $this->default_ldap=$ldap; return $ldap; } @@ -186,7 +190,6 @@ class LdapAuthenticationPlugin extends AuthenticationPlugin } $filter = Net_LDAP2_Filter::create($this->attributes['username'], 'equals', $username); $options = array( - 'scope' => 'sub', 'attributes' => $attributes ); $search = $ldap->search(null,$filter,$options); diff --git a/plugins/LdapAuthorization/LdapAuthorizationPlugin.php b/plugins/LdapAuthorization/LdapAuthorizationPlugin.php new file mode 100644 index 000000000..5e759c379 --- /dev/null +++ b/plugins/LdapAuthorization/LdapAuthorizationPlugin.php @@ -0,0 +1,211 @@ +<?php +/** + * StatusNet, the distributed open-source microblogging tool + * + * Plugin to enable LDAP Authorization + * + * PHP version 5 + * + * LICENCE: This program is free software: you can redistribute it and/or modify + * it under the terms of the GNU Affero General Public License as published by + * the Free Software Foundation, either version 3 of the License, or + * (at your option) any later version. + * + * This program is distributed in the hope that it will be useful, + * but WITHOUT ANY WARRANTY; without even the implied warranty of + * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the + * GNU Affero General Public License for more details. + * + * You should have received a copy of the GNU Affero General Public License + * along with this program. If not, see <http://www.gnu.org/licenses/>. + * + * @category Plugin + * @package StatusNet + * @author Craig Andrews <candrews@integralblue.com> + * @copyright 2009 Craig Andrews http://candrews.integralblue.com + * @license http://www.fsf.org/licensing/licenses/agpl-3.0.html GNU Affero General Public License version 3.0 + * @link http://status.net/ + */ + +if (!defined('STATUSNET') && !defined('LACONICA')) { + exit(1); +} + +require_once INSTALLDIR.'/plugins/Authorization/AuthorizationPlugin.php'; +require_once 'Net/LDAP2.php'; + +class LdapAuthorizationPlugin extends AuthorizationPlugin +{ + public $host=null; + public $port=null; + public $version=null; + public $starttls=null; + public $binddn=null; + public $bindpw=null; + public $basedn=null; + public $options=null; + public $filter=null; + public $scope=null; + public $provider_name = null; + public $uniqueMember_attribute = null; + public $roles_to_groups = array(); + public $login_group = null; + public $attributes = array(); + + function onInitializePlugin(){ + parent::onInitializePlugin(); + if(!isset($this->host)){ + throw new Exception("must specify a host"); + } + if(!isset($this->basedn)){ + throw new Exception("must specify a basedn"); + } + if(!isset($this->provider_name)){ + throw new Exception("provider_name must be set. Use the provider_name from the LDAP Authentication plugin."); + } + if(!isset($this->uniqueMember_attribute)){ + throw new Exception("uniqueMember_attribute must be set."); + } + if(!isset($this->attributes['username'])){ + throw new Exception("username attribute must be set."); + } + } + + //---interface implementation---// + function loginAllowed($user) { + $user_username = new User_username(); + $user_username->user_id=$user->id; + $user_username->provider_name=$this->provider_name; + if($user_username->find() && $user_username->fetch()){ + $entry = $this->ldap_get_user($user_username->username); + if($entry){ + if(isset($this->login_group)){ + if(is_array($this->login_group)){ + foreach($this->login_group as $group){ + if($this->ldap_is_dn_member_of_group($entry->dn(),$group)){ + return true; + } + } + }else{ + if($this->ldap_is_dn_member_of_group($entry->dn(),$this->login_group)){ + return true; + } + } + return null; + }else{ + //if a user exists, we can assume he's allowed to login + return true; + } + }else{ + return null; + } + }else{ + return null; + } + } + + function hasRole($profile, $name) { + $user_username = new User_username(); + $user_username->user_id=$profile->id; + $user_username->provider_name=$this->provider_name; + if($user_username->find() && $user_username->fetch()){ + $entry = $this->ldap_get_user($user_username->username); + if($entry){ + if(isset($this->roles_to_groups[$name])){ + if(is_array($this->roles_to_groups[$name])){ + foreach($this->roles_to_groups[$name] as $group){ + if($this->ldap_is_dn_member_of_group($entry->dn(),$group)){ + return true; + } + } + }else{ + if($this->ldap_is_dn_member_of_group($entry->dn(),$this->roles_to_groups[$name])){ + return true; + } + } + } + } + } + return false; + } + + function ldap_is_dn_member_of_group($userDn, $groupDn) + { + $ldap = $this->ldap_get_connection(); + $link = $ldap->getLink(); + $r = ldap_compare($link, $groupDn, $this->uniqueMember_attribute, $userDn); + if ($r === true){ + return true; + }else if($r === false){ + return false; + }else{ + common_log(LOG_ERR, ldap_error($r)); + return false; + } + } + + function ldap_get_config(){ + $config = array(); + $keys = array('host','port','version','starttls','binddn','bindpw','basedn','options','filter','scope'); + foreach($keys as $key){ + $value = $this->$key; + if($value!==null){ + $config[$key]=$value; + } + } + return $config; + } + + //-----the below function were copied from LDAPAuthenticationPlugin. They will be moved to a utility class soon.----\\ + function ldap_get_connection($config = null){ + if($config == null && isset($this->default_ldap)){ + return $this->default_ldap; + } + + //cannot use Net_LDAP2::connect() as StatusNet uses + //PEAR::setErrorHandling(PEAR_ERROR_CALLBACK, 'handleError'); + //PEAR handling can be overridden on instance objects, so we do that. + $ldap = new Net_LDAP2(isset($config)?$config:$this->ldap_get_config()); + $ldap->setErrorHandling(PEAR_ERROR_RETURN); + $err=$ldap->bind(); + if (Net_LDAP2::isError($err)) { + common_log(LOG_WARNING, 'Could not connect to LDAP server: '.$err->getMessage()); + return false; + } + if($config == null) $this->default_ldap=$ldap; + return $ldap; + } + + /** + * get an LDAP entry for a user with a given username + * + * @param string $username + * $param array $attributes LDAP attributes to retrieve + * @return string DN + */ + function ldap_get_user($username,$attributes=array(),$ldap=null){ + if($ldap==null) { + $ldap = $this->ldap_get_connection(); + } + $filter = Net_LDAP2_Filter::create($this->attributes['username'], 'equals', $username); + $options = array( + 'attributes' => $attributes + ); + $search = $ldap->search(null,$filter,$options); + + if (PEAR::isError($search)) { + common_log(LOG_WARNING, 'Error while getting DN for user: '.$search->getMessage()); + return false; + } + + if($search->count()==0){ + return false; + }else if($search->count()==1){ + $entry = $search->shiftEntry(); + return $entry; + }else{ + common_log(LOG_WARNING, 'Found ' . $search->count() . ' ldap user with the username: ' . $username); + return false; + } + } +} diff --git a/plugins/LdapAuthorization/README b/plugins/LdapAuthorization/README new file mode 100644 index 000000000..44239d8e0 --- /dev/null +++ b/plugins/LdapAuthorization/README @@ -0,0 +1,91 @@ +The LDAP Authorization plugin allows for StatusNet to handle authorization +through LDAP. + +Installation +============ +add "addPlugin('ldapAuthorization', + array('setting'=>'value', 'setting2'=>'value2', ...);" +to the bottom of your config.php + +You *cannot* use this plugin without the LDAP Authentication plugin + +Settings +======== +provider_name*: name of the LDAP authentication provider that this plugin works with. +authoritative (false): should this plugin be authoritative for + authorization? +uniqueMember_attribute ('uniqueMember')*: the attribute of a group + that lists the DNs of its members +roles_to_groups: array that maps StatusNet roles to LDAP groups + some StatusNet roles are: moderator, administrator, sandboxed, silenced +login_group: if this is set to a group DN, only members of that group will be + allowed to login + +The below settings must be exact copies of the settings used for the + corresponding LDAP Authentication plugin. + +host*: LDAP server name to connect to. You can provide several hosts in an + array in which case the hosts are tried from left to right. + See http://pear.php.net/manual/en/package.networking.net-ldap2.connecting.php +port: Port on the server. + See http://pear.php.net/manual/en/package.networking.net-ldap2.connecting.php +version: LDAP version. + See http://pear.php.net/manual/en/package.networking.net-ldap2.connecting.php +starttls: TLS is started after connecting. + See http://pear.php.net/manual/en/package.networking.net-ldap2.connecting.php +binddn: The distinguished name to bind as (username). + See http://pear.php.net/manual/en/package.networking.net-ldap2.connecting.php +bindpw: Password for the binddn. + See http://pear.php.net/manual/en/package.networking.net-ldap2.connecting.php +basedn*: LDAP base name (root directory). + See http://pear.php.net/manual/en/package.networking.net-ldap2.connecting.php +options: See http://pear.php.net/manual/en/package.networking.net-ldap2.connecting.php +filter: Default search filter. + See http://pear.php.net/manual/en/package.networking.net-ldap2.connecting.php +scope: Default search scope. + See http://pear.php.net/manual/en/package.networking.net-ldap2.connecting.php + +attributes: an array that relates StatusNet user attributes to LDAP ones + username*: LDAP attribute value entered when authenticating to StatusNet + +* required +default values are in (parenthesis) + +Example +======= +Here's an example of an LDAP plugin configuration that connects to + Microsoft Active Directory. + +addPlugin('ldapAuthentication', array( + 'provider_name'=>'Example', + 'authoritative'=>true, + 'autoregistration'=>true, + 'binddn'=>'username', + 'bindpw'=>'password', + 'basedn'=>'OU=Users,OU=StatusNet,OU=US,DC=americas,DC=global,DC=loc', + 'host'=>array('server1', 'server2'), + 'password_encoding'=>'ad', + 'attributes'=>array( + 'username'=>'sAMAccountName', + 'nickname'=>'sAMAccountName', + 'email'=>'mail', + 'fullname'=>'displayName', + 'password'=>'unicodePwd') +)); +addPlugin('ldapAuthorization', array( + 'provider_name'=>'Example', + 'authoritative'=>false, + 'uniqueMember_attribute'=>'member', + 'roles_to_groups'=> array( + 'moderator'=>'CN=SN-Moderators,OU=Users,OU=StatusNet,OU=US,DC=americas,DC=global,DC=loc', + 'administrator'=> array('CN=System-Adminstrators,OU=Users,OU=StatusNet,OU=US,DC=americas,DC=global,DC=loc', + 'CN=SN-Administrators,OU=Users,OU=StatusNet,OU=US,DC=americas,DC=global,DC=loc') + ), + 'binddn'=>'username', + 'bindpw'=>'password', + 'basedn'=>'OU=Users,OU=StatusNet,OU=US,DC=americas,DC=global,DC=loc', + 'host'=>array('server1', 'server2'), + 'attributes'=>array( + 'username'=>'sAMAccountName') +)); + diff --git a/scripts/update_pot.sh b/scripts/update_pot.sh index 9419e4337..de53fe7c9 100755 --- a/scripts/update_pot.sh +++ b/scripts/update_pot.sh @@ -1,3 +1,13 @@ cd `dirname $0` cd .. -xgettext --from-code=UTF-8 --default-domain=statusnet --output=locale/statusnet.po --language=PHP --join-existing actions/*.php classes/*.php lib/*.php scripts/*.php +xgettext \ + --from-code=UTF-8 \ + --default-domain=statusnet \ + --output=locale/statusnet.po \ + --language=PHP \ + --keyword="pgettext:1c,2" \ + --keyword="npgettext:1c,2,3" \ + actions/*.php \ + classes/*.php \ + lib/*.php \ + scripts/*.php |