From 0377b00054e47b654de56dd64f4111911101dbb1 Mon Sep 17 00:00:00 2001 From: Xavier Perseguers Date: Fri, 8 Mar 2019 14:00:48 +0100 Subject: [PATCH] [TASK] Drop support for migrating from EXT:eu_ldap Rationale: Users have had plenty of time to migrate from EXT:eu_ldap and that extension is not compatible with TYPO3 for quite some time now. --- Documentation/Faq/Index.rst | 22 --- class.ext_update.php | 358 ------------------------------------ 2 files changed, 380 deletions(-) diff --git a/Documentation/Faq/Index.rst b/Documentation/Faq/Index.rst index 460b35b1..90ac487e 100644 --- a/Documentation/Faq/Index.rst +++ b/Documentation/Faq/Index.rst @@ -185,25 +185,3 @@ a random 16 byte password for the sole purpose of making TYPO3 happy.* - **636** *is the industry standard port for LDAP connections over SSL.* ------- - - -.. _faq-migration: - -Migration ---------- - -.. question - -**I am currently using another LDAP extension to authenticate my users, namely** :ter:`eu_ldap`. **Does this extension -at least provide the same feature set?** - -.. answer - -*Yes. And in order to ease the migration, this extension is able to migrate your legacy eu_ldap configuration records -to be compatible with ig_ldap_sso_auth using the "UPDATE!" script in Extension Manager (EM). You should first configure -global options for ig_ldap_sso_auth in EM and only then migrate your legacy eu_ldap configuration records. This will -ensure possible configuration issues to be detected.* - -.. hint:: - The migration wizard does not require extension eu_ldap to be **loaded** but only expects the corresponding - database table to be present. diff --git a/class.ext_update.php b/class.ext_update.php index a9cf9aaa..56f08bf7 100644 --- a/class.ext_update.php +++ b/class.ext_update.php @@ -68,9 +68,6 @@ public function access() if ($this->checkV2xToV30()) { $this->operations[] = 'upgradeV2xToV30'; } - if ($this->checkEuLdap()) { - $this->operations[] = 'migrateEuLdap'; - } return count($this->operations) > 0; } @@ -138,39 +135,6 @@ protected function checkV2xToV30() return $oldTaskRecords > 0; } - /** - * Returns true if upgrade wizard for legacy EXT:eu_ldap records should be run. - * - * @return bool - */ - protected function checkEuLdap() - { - $table = 'tx_euldap_server'; - $migrationField = 'tx_igldapssoauth_migrated'; - - // We check the database table itself and not whether EXT:eu_ldap is loaded - // because it may have been deactivated since it is not incompatible - $existingTables = $this->databaseConnection->admin_get_tables(); - if (!isset($existingTables[$table])) { - return false; - } - - // Ensure the column used to flag processed records is present - $fields = $this->databaseConnection->admin_get_fields($table); - if (!isset($fields[$migrationField])) { - $alterTableQuery = 'ALTER TABLE ' . $table . ' ADD ' . $migrationField . ' tinyint(4) NOT NULL default \'0\''; - // Method admin_query() will parse the query and make it compatible with DBAL, if needed - $this->databaseConnection->admin_query($alterTableQuery); - } - - $euLdapConfigurationRecords = $this->databaseConnection->exec_SELECTcountRows( - '*', - $table, - $migrationField . '=0' - ); - return $euLdapConfigurationRecords > 0; - } - /** * Main method that is called whenever UPDATE! menu * was clicked. @@ -280,328 +244,6 @@ protected function upgradeV2xToV30() return $this->formatOk('Successfully updated ' . $i . ' user import scheduler task' . ($i > 1 ? 's' : '')); } - /** - * Migrates configuration records from EXT:eu_ldap. - * - * @return string - */ - protected function migrateEuLdap() - { - $out = []; - - // STEP 1: check global options - $this->migrateEuLdapGlobalOptions($out); - - // STEP 2: migrate configuration records - $this->migrateEuLdapConfiguration($out); - - // STEP 3: migrate users - $this->migrateEuLdapUsers($out); - - return implode(LF, $out); - } - - /** - * Migrates global options from eu_ldap. - * - * @param array &$out - * @return void - */ - protected function migrateEuLdapGlobalOptions(array &$out) - { - $automaticImportRows = $this->databaseConnection->exec_SELECTgetRows( - 'DISTINCT authenticate_be, automatic_import, doitfe', - 'tx_euldap_server', - '1=1' - ); - - $hasBackendAuthentication = false; - $hasFrontendAuthentication = false; - $shouldAutomaticallyImportBackendUsers = false; - $shouldAutomaticallyImportBackendGroups = false; - $shouldAutomaticallyImportFrontendUsers = false; - $shouldAutomaticallyImportFrontendGroups = false; - - foreach ($automaticImportRows as $row) { - if ($row['authenticate_be'] == 1 || $row['authenticate_be'] == 2) { - $hasBackendAuthentication = true; - if ($row['automatic_import'] == 1) { - $shouldAutomaticallyImportBackendUsers = true; - } - if ($row['doitfe'] == 1) { - $shouldAutomaticallyImportBackendGroups = true; - } - } - if ($row['authenticate_be'] == 0 || $row['authenticate_be'] == 2) { - $hasFrontendAuthentication = true; - if ($row['automatic_import'] == 1) { - $shouldAutomaticallyImportFrontendUsers = true; - } - if ($row['doitfe'] == 1) { - $shouldAutomaticallyImportFrontendGroups = true; - } - } - } - - if ($hasBackendAuthentication && $this->configuration['enableBELDAPAuthentication'] == 0) { - $out[] = $this->formatWarning('eu_ldap was configured for backend authentication but this extension does not. You should set enableBELDAPAuthentication = 1.'); - } elseif (!$hasBackendAuthentication && $this->configuration['enableBELDAPAuthentication'] == 1) { - $out[] = $this->formatWarning('eu_ldap was NOT configured for backend authentication but this extension does. You should probably set enableBELDAPAuthentication = 0.'); - } - if ($hasFrontendAuthentication && $this->configuration['enableFELDAPAuthentication'] == 0) { - $out[] = $this->formatWarning('eu_ldap was configured for frontend authentication but this extension does not. You should set enableFELDAPAuthentication = 1.'); - } elseif (!$hasFrontendAuthentication && $this->configuration['enableFELDAPAuthentication'] == 1) { - $out[] = $this->formatWarning('eu_ldap was NOT configured for frontend authentication but this extension does. You should probably set enableFELDAPAuthentication = 0.'); - } - - if ($shouldAutomaticallyImportBackendUsers && $this->configuration['TYPO3BEUserExist'] == '1') { - $out[] = $this->formatWarning('eu_ldap was configured to automatically import backend users but this extension does not. You should set TYPO3BEUserExist = 0.'); - } elseif (!$shouldAutomaticallyImportBackendUsers && $this->configuration['TYPO3BEUserExist'] == '0') { - $out[] = $this->formatWarning('eu_ldap was configured to NEVER automatically import backend users but this extension does. You should set TYPO3BEUserExist = 1.'); - } - if ($shouldAutomaticallyImportFrontendUsers && $this->configuration['TYPO3FEUserExist'] == '1') { - $out[] = $this->formatWarning('eu_ldap was configured to automatically import frontend users but this extension does not. You should set TYPO3FEUserExist = 0.'); - } elseif (!$shouldAutomaticallyImportFrontendUsers && $this->configuration['TYPO3FEUserExist'] == '0') { - $out[] = $this->formatWarning('eu_ldap was configured to NEVER automatically import frontend users but this extension does. You should set TYPO3FEUserExist = 1.'); - } - - if ($shouldAutomaticallyImportBackendGroups && $this->configuration['TYPO3BEGroupsNotSynchronize'] == '1') { - $out[] = $this->formatWarning('eu_ldap was configured to automatically import backend groups but this extension does not. You should set TYPO3BEGroupsNotSynchronize = 0.'); - } elseif (!$shouldAutomaticallyImportBackendGroups && $this->configuration['TYPO3BEGroupsNotSynchronize'] == '0') { - $out[] = $this->formatWarning('eu_ldap was configured to NEVER automatically import backend group but this extension does. You should set TYPO3BEGroupsNotSynchronize = 1.'); - } - if ($shouldAutomaticallyImportFrontendGroups && $this->configuration['TYPO3FEGroupsNotSynchronize'] == '1') { - $out[] = $this->formatWarning('eu_ldap was configured to automatically import frontend groups but this extension does not. You should set TYPO3FEGroupsNotSynchronize = 0.'); - } elseif (!$shouldAutomaticallyImportFrontendGroups && $this->configuration['TYPO3FEGroupsNotSynchronize'] == '0') { - $out[] = $this->formatWarning('eu_ldap was configured to NEVER automatically import frontend group but this extension does. You should set TYPO3FEGroupsNotSynchronize = 1.'); - } - } - - /** - * Migrates eu_ldap configuration records. - * - * @param array &$out - * @return void - */ - protected function migrateEuLdapConfiguration(array &$out) - { - $euLdapConfigurationRecords = $this->databaseConnection->exec_SELECTgetRows( - '*', - 'tx_euldap_server', - 'tx_igldapssoauth_migrated=0' - ); - foreach ($euLdapConfigurationRecords as $legacy) { - $hasBackendAuthentication = $legacy['authenticate_be'] == 1 || $legacy['authenticate_be'] == 2; - $hasFrontendAuthentication = $legacy['authenticate_be'] == 0 || $legacy['authenticate_be'] == 2; - - $data = [ - 'pid' => 0, - 'tstamp' => $GLOBALS['EXEC_TIME'], - 'crdate' => $GLOBALS['EXEC_TIME'], - 'cruser_id' => $GLOBALS['BE_USER']->user['uid'], - 'name' => '[eu_ldap] ' . $legacy['server'], - 'ldap_server' => $legacy['servertype'] == 3 ? 0 : 1, - 'ldap_charset' => $legacy['characterset'], - 'ldap_host' => $legacy['server'], - 'ldap_port' => $legacy['port'], - 'ldap_tls' => 0, - 'ldap_binddn' => $legacy['servertype'] == 2 || $legacy['servertype'] == 3 - ? $legacy['user'] - : ( - $legacy['servertype'] == 0 - ? $legacy['domain'] . '\\' . $legacy['user'] - : $legacy['user'] . '@' . $legacy['domain'] - ), - 'ldap_password' => $legacy['password'], - 'be_users_basedn' => $hasBackendAuthentication ? $legacy['base_dn'] : '', - 'be_users_filter' => $hasBackendAuthentication ? str_replace('', '{USERNAME}', $legacy['filter']) : '', - 'be_users_mapping' => '', // computed below - 'be_groups_basedn' => $hasBackendAuthentication ? $legacy['base_dn'] : '', - 'be_groups_filter' => '', // computed below - 'be_groups_mapping' => $hasBackendAuthentication - ? implode(LF, [ - 'title = ', - 'tstamp = {DATE}', - ]) : '', - 'fe_users_basedn' => $hasFrontendAuthentication ? $legacy['base_dn'] : '', - 'fe_users_filter' => $hasFrontendAuthentication ? str_replace('', '{USERNAME}', $legacy['filter']) : '', - 'fe_users_mapping' => '', // computed below - 'fe_groups_basedn' => $hasFrontendAuthentication ? $legacy['base_dn'] : '', - 'fe_groups_filter' => '', // computed below - 'fe_groups_mapping' => $hasFrontendAuthentication - ? implode(LF, [ - 'pid = ' . (int)$legacy['feuser_pid'], - 'title = ', - 'tstamp = {DATE}', - ]) : '', - 'be_groups_required' => $hasBackendAuthentication ? $legacy['matchgrps'] : '', - 'be_groups_assigned' => $legacy['be_group'], - 'fe_groups_required' => $hasFrontendAuthentication ? $legacy['matchgrps'] : '', - 'fe_groups_assigned' => $legacy['fe_group'], - 'group_membership' => $legacy['memberof'] == 1 - ? ( - $legacy['servertype'] == 3 - ? \Causal\IgLdapSsoAuth\Library\Configuration::GROUP_MEMBERSHIP_FROM_GROUP - : \Causal\IgLdapSsoAuth\Library\Configuration::GROUP_MEMBERSHIP_FROM_MEMBER - ) - : 0, // No standard mapping, will have to be manually configured - 'sorting' => $legacy['sorting'], - ]; - - if ($hasBackendAuthentication) { - $mapping = []; - $mapping[] = 'tstamp = ' . (!empty($legacy['timestamp']) ? '<' . $legacy['timestamp'] . '>' : '{DATE}'); - - switch ($legacy['servertype']) { - case 0: - case 1: - $mapping[] = 'usergroup = '; - $data['be_groups_filter'] = '(objectClass=posixGroup)'; - break; - case 2: - $mapping[] = 'usergroup = '; - $data['be_groups_filter'] = '(objectClass=posixGroup)'; - break; - case 3: - $data['be_groups_filter'] = '(&(memberUid={USERUID})(objectClass=posixGroup))'; - break; - } - - $mapping[] = 'realName = <' . $legacy['name'] . '>'; - if (!empty($legacy['mail'])) { - $mapping[] = 'email = <' . $legacy['mail'] . '>'; - } - - $data['be_users_mapping'] = implode(LF, $mapping); - } - if ($hasFrontendAuthentication) { - $mapping = []; - $mapping[] = 'pid = ' . (int)$legacy['feuser_pid']; - $mapping[] = 'tstamp = ' . (!empty($legacy['timestamp']) ? '<' . $legacy['timestamp'] . '>' : '{DATE}'); - - switch ($legacy['servertype']) { - case 0: - case 1: - $mapping[] = 'usergroup = '; - $data['fe_groups_filter'] = '(objectClass=posixGroup)'; - break; - case 2: - $mapping[] = 'usergroup = '; - $data['fe_groups_filter'] = '(objectClass=posixGroup)'; - break; - case 3: - $data['fe_groups_filter'] = '(&(memberUid={USERUID})(objectClass=posixGroup))'; - break; - } - - if (!empty($legacy['mail'])) { - $mapping[] = 'email = <' . $legacy['mail'] . '>'; - } - $mapping[] = 'name = <' . $legacy['name'] . '>'; - if (!empty($legacy['address'])) { - $mapping[] = 'address = <' . $legacy['address'] . '>'; - } - if (!empty($legacy['zip'])) { - $mapping[] = 'zip = <' . $legacy['zip'] . '>'; - } - if (!empty($legacy['city'])) { - $mapping[] = 'city = <' . $legacy['city'] . '>'; - } - if (!empty($legacy['country'])) { - $mapping[] = 'country = <' . $legacy['country'] . '>'; - } - if (!empty($legacy['phone'])) { - $mapping[] = 'telephone = <' . $legacy['phone'] . '>'; - } - if (!empty($legacy['fax'])) { - $mapping[] = 'fax = <' . $legacy['fax'] . '>'; - } - if (!empty($legacy['www'])) { - $mapping[] = 'www = <' . $legacy['www'] . '>'; - } - - $additionalInstructions = \TYPO3\CMS\Core\Utility\GeneralUtility::trimExplode(',', $legacy['map_additional_fields'], true); - foreach ($additionalInstructions as $additionalInstruction) { - list($dbField, $ldapField) = explode('=', $additionalInstruction, 2); - $mapping[] = $dbField . ' = <' . $ldapField . '>'; - } - - $data['fe_users_mapping'] = implode(LF, $mapping); - } - - if ($data['be_groups_required'] === '*') { - // Replace '*' by every local BE group - $groups = $this->databaseConnection->exec_SELECTgetRows( - 'uid', - 'be_groups', - 'hidden=0 AND deleted=0 AND tx_igldapssoauth_dn=\'\' AND eu_ldap=0', - '', - '', - '', - 'uid' - ); - $data['be_groups_required'] = implode(',', array_keys($groups)); - } - if ($data['fe_groups_required'] === '*') { - // Replace '*' by every local FE group - $groups = $this->databaseConnection->exec_SELECTgetRows( - 'uid', - 'fe_groups', - 'hidden=0 AND deleted=0 AND tx_igldapssoauth_dn=\'\' AND eu_ldap=0', - '', - '', - '', - 'uid' - ); - $data['fe_groups_required'] = implode(',', array_keys($groups)); - } - if ($legacy['only_emailusers'] == 1) { - $emailAttribute = !empty($legacy['mail']) ? $legacy['mail'] : 'mail'; - if ($hasBackendAuthentication) { - $data['be_users_filter'] = sprintf('(&%s(%s=*))', $data['be_users_filter'], $emailAttribute); - } - if ($hasFrontendAuthentication) { - $data['fe_users_filter'] = sprintf('(&%s(%s=*))', $data['fe_users_filter'], $emailAttribute); - } - } - - // Insert the migrated record to ig_ldap_sso_auth - $this->databaseConnection->exec_INSERTquery($this->table, $data); - if ($this->databaseConnection->sql_affected_rows() == 1) { - $this->databaseConnection->exec_UPDATEquery( - 'tx_euldap_server', - 'uid=' . $legacy['uid'], - [ - 'tx_igldapssoauth_migrated' => 1, - ] - ); - } - } - - $out[] = $this->formatOk('Successfully migrated eu_ldap configuration records.'); - } - - /** - * Migrates backend and/or frontend users that were previously imported - * with eu_ldap. - * - * @param array &$out - * @return void - */ - protected function migrateEuLdapUsers(array &$out) - { - foreach (['fe_users', 'be_users'] as $table) { - $query = <<'' -SQL; - $this->databaseConnection->sql_query($query); - } - - $out[] = $this->formatOk('Successfully migrated eu_ldap users.'); - } - /** * Returns the mapping between global configuration options and * configuration record fields.