From 40aa7150b98da08472e18fdec844e626415e9e64 Mon Sep 17 00:00:00 2001 From: Wilfried Goesgens Date: Wed, 23 Jul 2014 17:08:47 +0200 Subject: [PATCH] LDAP: check for new values in LDAP on each login (by HarryC) --- citadel/context.h | 2 + citadel/ldap.c | 65 ++++++++++++++++-------------- citadel/modules/vcard/serv_vcard.c | 40 +++++++++++++++--- 3 files changed, 70 insertions(+), 37 deletions(-) diff --git a/citadel/context.h b/citadel/context.h index 6d93249b9..4b450a416 100644 --- a/citadel/context.h +++ b/citadel/context.h @@ -149,6 +149,8 @@ struct CitContext { long *cached_msglist; /* results of the previous CtdlForEachMessage() */ int cached_num_msgs; + char vcard_updated_by_ldap; /* !0 iff ldap changed the vcard, treat as aide update */ + AsyncIO *IO; /* if this session has AsyncIO going on... */ }; diff --git a/citadel/ldap.c b/citadel/ldap.c index 04888318e..754692e29 100644 --- a/citadel/ldap.c +++ b/citadel/ldap.c @@ -24,7 +24,7 @@ int ctdl_require_ldap_version = 3; #include "user_ops.h" #ifdef HAVE_LDAP -#define LDAP_DEPRECATED 1 // Suppress libldap's warning that we are using deprecated API calls +#define LDAP_DEPRECATED 1 /* Suppress libldap's warning that we are using deprecated API calls */ #include int CtdlTryUserLDAP(char *username, @@ -97,10 +97,10 @@ int CtdlTryUserLDAP(char *username, tv.tv_usec = 0; if (config.c_auth_mode == AUTHMODE_LDAP_AD) { - sprintf(searchstring, "(sAMAccountName=%s)", username); + snprintf(searchstring, sizeof(searchstring), "(sAMAccountName=%s)", username); } else { - sprintf(searchstring, "(&(objectclass=posixAccount)(uid=%s))", username); + snprintf(searchstring, sizeof(searchstring), "(&(objectclass=posixAccount)(uid=%s))", username); } syslog(LOG_DEBUG, "LDAP search: %s", searchstring); 
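Review bot: The new `vcard_updated_by_ldap` member is declared `char` and documented as a boolean (`!0 iff ...`), but serv_vcard.c in this same patch drives it with `++`, so it is really a counter that a `char` can wrap back to 0 and the comment does not say who consumes or clears it. Declare it `int` (or keep `char` and only ever assign 0/1) and make the comment describe its lifecycle, e.g. `/* set by the LDAP->vCard sync just before vcard_write_user(); lets that one save pass the aide-only checks in serv_vcard.c and is cleared once that save has been processed */`. The struct CitContext definition starts and ends outside this hunk.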
@@ -235,9 +235,7 @@ int CtdlTryPasswordLDAP(char *user_dn, const char *password) return(1); } - -// return !0 iff property changed. -// +//return !0 iff property changed. int vcard_set_props_iff_different(struct vCard *v,char *propname,int numvals, char **vals) { int i; char *oldval; @@ -254,15 +252,14 @@ int vcard_set_props_iff_different(struct vCard *v,char *propname,int numvals, ch } -// return !0 iff property changed. -// +//return !0 iff property changed. int vcard_set_one_prop_iff_different(struct vCard *v,char *propname, char *newfmt, ...) { va_list args; char *newvalue; int changed_something; va_start(args,newfmt); if (-1==vasprintf(&newvalue,newfmt,args)) { - syslog(LOG_ALERT, "Out of memory!"); + syslog(LOG_ALERT, "Out of memory!\n"); return 0; } changed_something = vcard_set_props_iff_different(v,propname,1,&newvalue); @@ -271,10 +268,10 @@ int vcard_set_one_prop_iff_different(struct vCard *v,char *propname, char *newfm return changed_something; } - -// Learn LDAP attributes and stuff them into the vCard. -// Returns nonzero if we changed anything. -// +/* + * Learn LDAP attributes and stuff them into the vCard. + * Returns nonzero if we changed anything. + */ int Ctdl_LDAP_to_vCard(char *ldap_dn, struct vCard *v) { int changed_something = 0; 
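Review bot: The `\n` appended to the `Out of memory!` message in vcard_set_one_prop_iff_different is a style regression: syslog(3) terminates records itself, so the newline is either stripped or logged as a literal escape, and it makes this message inconsistent with the unchanged `LDAP search: %s` messages elsewhere in ldap.c (the two new messages in serv_vcard.c add the same trailing `\n`). Keep `syslog(LOG_ALERT, "Out of memory!");`. The function's body continues past the end of the hunk.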
@@ -338,21 +335,22 @@ int Ctdl_LDAP_to_vCard(char *ldap_dn, struct vCard *v) syslog(LOG_DEBUG, "LDAP search: %s", ldap_dn); (void) ldap_search_ext_s( - ldserver, // ld - ldap_dn, // base - LDAP_SCOPE_SUBTREE, // scope - NULL, // filter - attrs, // attrs (all attributes) - 0, // attrsonly (attrs + values) - NULL, // serverctrls (none) - NULL, // clientctrls (none) - &tv, // timeout - 1, // sizelimit (1 result max) - &search_result // res + ldserver, /* ld */ + ldap_dn, /* base */ + LDAP_SCOPE_SUBTREE, /* scope */ + NULL, /* filter */ + attrs, /* attrs (all attributes) */ + 0, /* attrsonly (attrs + values) */ + NULL, /* serverctrls (none) */ + NULL, /* clientctrls (none) */ + &tv, /* timeout */ + 1, /* sizelimit (1 result max) */ + &search_result /* res */ ); - // Ignore the return value of ldap_search_ext_s(). Sometimes it returns an error even when - // the search succeeds. Instead, we check to see whether search_result is still NULL. + /* Ignore the return value of ldap_search_ext_s(). Sometimes it returns an error even when + * the search succeeds. Instead, we check to see whether search_result is still NULL. + */ if (search_result == NULL) { syslog(LOG_DEBUG, "LDAP search: zero results were returned"); @@ -360,8 +358,9 @@ int Ctdl_LDAP_to_vCard(char *ldap_dn, struct vCard *v) return(0); } - // At this point we've got at least one result from our query. If there are multiple - // results, we still only look at the first one. + /* At this point we've got at least one result from our query. If there are multiple + * results, we still only look at the first one. + */ entry = ldap_first_entry(ldserver, search_result); if (entry) { 
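Review bot: The restyled call still searches with `LDAP_SCOPE_SUBTREE` under `ldap_dn` with `sizelimit` 1, so if the user's entry has subordinate entries the single entry returned is not guaranteed to be the user's own; the DN is already known here, so `LDAP_SCOPE_BASE, /* scope */` is the precise choice. The comment it reformats also preserves the habit of discarding the `ldap_search_ext_s()` return code; with a size limit of 1 the server can legitimately report `LDAP_SIZELIMIT_EXCEEDED` together with a result, so rather than ignoring every code the call could be `rc = ldap_search_ext_s(...); if (rc != LDAP_SUCCESS && rc != LDAP_SIZELIMIT_EXCEEDED) syslog(LOG_ERR, "LDAP search: %s", ldap_err2string(rc));` before the existing `search_result == NULL` test. Ctdl_LDAP_to_vCard starts before and ends after this hunk.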
@@ -409,6 +408,7 @@ int Ctdl_LDAP_to_vCard(char *ldap_dn, struct vCard *v) if (o) changed_something |= vcard_set_one_prop_iff_different(v,"org","%s",o[0]); if (cn) changed_something |= vcard_set_one_prop_iff_different(v,"fn","%s",cn[0]); if (title) changed_something |= vcard_set_one_prop_iff_different(v,"title","%s",title[0]); + if (givenName) ldap_value_free(givenName); if (initials) ldap_value_free(initials); if (sn) ldap_value_free(sn); @@ -432,10 +432,13 @@ int Ctdl_LDAP_to_vCard(char *ldap_dn, struct vCard *v) if (title) ldap_value_free(title); if (uuid) ldap_value_free(uuid); } + /* free the results */ + ldap_msgfree(search_result); - ldap_msgfree(search_result); // free the results - ldap_unbind(ldserver); // unbind so we can go back in as the authenticating user - return(changed_something); // tell the caller whether we made any changes + /* unbind so we can go back in as the authenticating user */ + ldap_unbind(ldserver); + + return(changed_something); /* tell the caller whether we made any changes */ } #endif /* HAVE_LDAP */ diff --git a/citadel/modules/vcard/serv_vcard.c b/citadel/modules/vcard/serv_vcard.c index e35bdf933..2bd58bd1a 100644 --- a/citadel/modules/vcard/serv_vcard.c +++ b/citadel/modules/vcard/serv_vcard.c 
@@ -341,17 +341,16 @@ int vcard_upload_beforesave(struct CtdlMessage *msg, recptypes *recp) { int yes_my_citadel_config = 0; int yes_any_vcard_room = 0; - if (!CCC->logged_in) return(0); /* Only do this if logged in. */ + if ((!CCC->logged_in) && (CCC->vcard_updated_by_ldap==0)) return(0); /* Only do this if logged in, or if ldap changed the vcard. */ /* Is this some user's "My Citadel Config" room? */ if (((CCC->room.QRflags & QR_MAILBOX) != 0) && (!strcasecmp(&CCC->room.QRname[11], USERCONFIGROOM)) ) { /* Yes, we want to do this */ yes_my_citadel_config = 1; - #ifdef VCARD_SAVES_BY_AIDES_ONLY - /* Prevent non-aides from performing registration changes */ - if (CCC->user.axlevel < AxAideU) { + /* Prevent non-aides from performing registration changes, but ldap is ok. */ + if ((CCC->user.axlevel < AxAideU) && (CCC->vcard_updated_by_ldap==0)) { return(1); } #endif @@ -385,12 +384,17 @@ int vcard_upload_beforesave(struct CtdlMessage *msg, recptypes *recp) { if (v == NULL) return(0); /* no vCards were found in this message */ /* If users cannot create their own accounts, they cannot re-register either. */ - if ( (yes_my_citadel_config) && (config.c_disable_newu) && (CCC->user.axlevel < AxAideU) ) { + if ( (yes_my_citadel_config) && + (config.c_disable_newu) && + (CCC->user.axlevel < AxAideU) && + (CCC->vcard_updated_by_ldap==0) ) + { return(1); } vcard_get_prop(v, "fn", 1, 0, 0); + if (yes_my_citadel_config) { /* Bingo! The user is uploading a new vCard, so * delete the old one. First, figure out which user @@ -515,7 +519,7 @@ int vcard_upload_aftersave(struct CtdlMessage *msg, recptypes *recp) { char roomname[ROOMNAMELEN]; if (msg->cm_format_type != 4) return(0); - if (!CCC->logged_in) return(0); /* Only do this if logged in. */ + if ((!CCC->logged_in) && (CCC->vcard_updated_by_ldap==0)) return(0); /* Only do this if logged in, or if ldap changed the vcard. */ /* We're interested in user config rooms only. */ 
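Review bot: As the first hunk shows, the `#ifdef VCARD_SAVES_BY_AIDES_ONLY` line is removed but the `#endif` after `return(1); }` is kept, so vcard_upload_beforesave is left with an unmatched `#endif`; either restore the `#ifdef` above the new comment or delete the `#endif`, and if the latter is intended note that it makes the aide-only restriction unconditional. Separately, all three relaxed checks in these hunks (`!logged_in`, aide-only, `c_disable_newu`) trust `vcard_updated_by_ldap`, a session-scoped counter that only the aftersave hook resets, so if an LDAP-initiated save is rejected before it reaches vcard_upload_aftersave the bypass stays armed for the user's next self-uploaded vCard in the same session. The hooks should at least test it as a boolean (`CCC->vcard_updated_by_ldap != 0`) and the code that raises it should clear it right after `vcard_write_user()` returns. vcard_upload_beforesave and vcard_upload_aftersave both extend beyond these hunks.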
@@ -538,6 +542,8 @@ int vcard_upload_aftersave(struct CtdlMessage *msg, recptypes *recp) { ptr = msg->cm_fields[eMesageText]; + CCC->vcard_updated_by_ldap=0; /* As this will write LDAP's previous changes, disallow LDAP change auth until next LDAP change. */ + NewStrBufDupAppendFlush(&CCC->StatusMessage, NULL, NULL, 0); StrBufPrintf(CCC->StatusMessage, "%d\n", LISTING_FOLLOWS); @@ -880,6 +886,26 @@ void vcard_newuser(struct ctdluser *usbuf) { } vcard_add_prop(v, "email;internet", buf); +#ifdef HAVE_LDAP + /* + * Is this an LDAP session? If so, copy various LDAP attributes from the directory entry + * into the user's vCard. + */ + if ((config.c_auth_mode == AUTHMODE_LDAP) || (config.c_auth_mode == AUTHMODE_LDAP_AD)) { + uid_t ldap_uid; + int found_user; + char ldap_cn[512]; + char ldap_dn[512]; + found_user = CtdlTryUserLDAP(usbuf->fullname, ldap_dn, sizeof ldap_dn, ldap_cn, sizeof ldap_cn, &ldap_uid); + if (found_user == 0) { + if (Ctdl_LDAP_to_vCard(ldap_dn, v)) { + /* Allow global address book and internet directory update without login long enough to write this. */ + CC->vcard_updated_by_ldap++; /* Otherwise we'll only update the user config. */ + syslog(LOG_DEBUG, "LDAP Created Initial Vcard for %s\n",usbuf->fullname); + } + } + } +#endif vcard_write_user(usbuf, v); vcard_free(v); @@ -1252,6 +1278,8 @@ void vcard_session_login_hook(void) { v = vcard_get_user(&CCC->user); if (v) { if (Ctdl_LDAP_to_vCard(CCC->ldap_dn, v)) { + CCC->vcard_updated_by_ldap++; /* Make sure changes make it to the global address book and internet directory, not just the user config. */ + syslog(LOG_DEBUG, "LDAP Detected vcard change.\n"); vcard_write_user(&CCC->user, v); } } -- 2.30.2
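Review bot: In the new `HAVE_LDAP` block of vcard_newuser the bypass token is raised (`CC->vcard_updated_by_ldap++`) before `vcard_write_user(usbuf, v)` but nothing on this path lowers it, so it outlives the one write it is meant to authorise; set it with `CC->vcard_updated_by_ldap = 1;` and add `CC->vcard_updated_by_ldap = 0;` on the line after `vcard_write_user(usbuf, v);` (outside the `#ifdef`, since the field always exists). The block also mixes `CC` with the `CCC` used by the other patched functions in this file, and the `\n` in the new syslog string is unnecessary because syslog terminates records itself. It also runs in whatever session creates the user, which may not be the session that later logs in as `usbuf`; if that is intended it deserves a comment. vcard_newuser starts outside the hunk.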
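Review bot: The login hook raises `vcard_updated_by_ldap` before `vcard_write_user(&CCC->user, v)` and relies on vcard_upload_aftersave to reset it, so a rejected or redirected write leaves the aide-equivalent bypass armed for the rest of the session; bounding it to this call is three lines: `CCC->vcard_updated_by_ldap = 1; vcard_write_user(&CCC->user, v); CCC->vcard_updated_by_ldap = 0;`. The trailing `\n` in the new `LDAP Detected vcard change.` message is not needed with syslog. vcard_session_login_hook starts before the hunk and continues after it.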