1st draft

Author: simonLeary42

defaults/config.ini.default

@@ -26,11 +26,14 @@ pass = "password"  ; Admin bind password
 custom_user_mappings_dir = "deployment/custom_user_mappings" ; for internal use only
 basedn = "dc=unityhpc,dc=test"  ; Base search DN
 user_ou = "ou=users,dc=unityhpc,dc=test"  ; User organizational unit (may contain more than user group)
-qualified_user_group = "cn=unityusers,dc=unityhpc,dc=test" ; Qualified user group (in at least one PI group)
 group_ou = "ou=groups,dc=unityhpc,dc=test"  ; Group organizational unit
 pigroup_ou = "ou=pi_groups,dc=unityhpc,dc=test"  ; PI Group organizational unit
 orggroup_ou = "ou=org_groups,dc=unityhpc,dc=test"  ; ORG group organizational unit
 admin_group = "cn=web_admins,dc=unityhpc,dc=test"  ; admin dn (members of this group are admins on the web portal)
+qualified_user_group = "cn=unityusers,dc=unityhpc,dc=test" ; Qualified user group (in at least one PI group)
+locked_user_group = "cn=locked,dc=unityhpc,dc=test"  ; locked user group dn
+idlelocked_user_group = "cn=idlelocked,dc=unityhpc,dc=test"  ; idlelocked user group dn
+ghost_user_group = "cn=ghost,dc=unityhpc,dc=test"  ; ghost user group dn
 def_user_shell = "/bin/bash"  ; Default shell for new users
 offset_UIDGID = 1000000 ; start point when allocating new UID/GID pairs for a new user
 offset_PIGID = 2000000 ; start point when allocating new GID for a new PI group

resources/lib/UnityLDAP.php

@@ -5,6 +5,7 @@
 use UnityWebPortal\lib\exceptions\EntryNotFoundException;
 use PHPOpenLDAPer\LDAPConn;
 use PHPOpenLDAPer\LDAPEntry;
+use UnityWebPortal\lib\PosixGroup;
 
 /**
  * An LDAP connection class which extends LDAPConn tailored for the Unity Cluster
@@ -35,8 +36,12 @@ class UnityLDAP extends LDAPConn
     private LDAPEntry $groupOU;
     private LDAPEntry $pi_groupOU;
     private LDAPEntry $org_groupOU;
-    private LDAPEntry $adminGroup;
-    private LDAPEntry $qualifiedUserGroup;
+
+    public PosixGroup $adminGroup;
+    public PosixGroup $qualifiedUserGroup;
+    public PosixGroup $lockedUserGroup;
+    public PosixGroup $idlelockedUserGroup;
+    public PosixGroup $ghostUserGroup;
 
     public function __construct()
     {
@@ -46,8 +51,21 @@ public function __construct()
         $this->groupOU = $this->getEntry(CONFIG["ldap"]["group_ou"]);
         $this->pi_groupOU = $this->getEntry(CONFIG["ldap"]["pigroup_ou"]);
         $this->org_groupOU = $this->getEntry(CONFIG["ldap"]["orggroup_ou"]);
-        $this->adminGroup = $this->getEntry(CONFIG["ldap"]["admin_group"]);
-        $this->qualifiedUserGroup = $this->getEntry(CONFIG["ldap"]["qualified_user_group"]);
+        $this->adminGroup = new PosixGroup(
+            new LDAPEntry($this->conn, CONFIG["ldap"]["admin_group"]),
+        );
+        $this->qualifiedUserGroup = new PosixGroup(
+            new LDAPEntry($this->conn, CONFIG["ldap"]["qualified_user_group"]),
+        );
+        $this->lockedUserGroup = new PosixGroup(
+            new LDAPEntry($this->conn, CONFIG["ldap"]["locked_user_group"]),
+        );
+        $this->idlelockedUserGroup = new PosixGroup(
+            new LDAPEntry($this->conn, CONFIG["ldap"]["idlelocked_user_group"]),
+        );
+        $this->ghostUserGroup = new PosixGroup(
+            new LDAPEntry($this->conn, CONFIG["ldap"]["ghost_user_group"]),
+        );
     }
 
     public function getUserOU(): LDAPEntry
@@ -70,16 +88,6 @@ public function getOrgGroupOU(): LDAPEntry
         return $this->org_groupOU;
     }
 
-    public function getAdminGroup(): LDAPEntry
-    {
-        return $this->adminGroup;
-    }
-
-    public function getQualifiedUserGroup(): LDAPEntry
-    {
-        return $this->qualifiedUserGroup;
-    }
-
     public function getDefUserShell(): string
     {
         return $this->def_user_shell;
@@ -191,7 +199,7 @@ public function getQualifiedUsersUIDs(): array
     {
         // should not use $user_ou->getChildren or $base_ou->getChildren(objectClass=posixAccount)
         // qualified users might be outside user ou, and not all users in LDAP tree are qualified users
-        return $this->qualifiedUserGroup->getAttribute("memberuid");
+        return $this->qualifiedUserGroup->getMemberUIDs();
     }
 
     public function getQualifiedUsers($UnitySQL, $UnityMailer, $UnityWebhook): array

resources/lib/UnityUser.php

@@ -99,7 +99,7 @@ public function init(
 
     public function isQualified(): bool
     {
-        return $this->LDAP->getQualifiedUserGroup()->attributeValueExists("memberUid", $this->uid);
+        return $this->LDAP->qualifiedUserGroup->memberUIDExists($this->uid);
     }
 
     public function setIsQualified(bool $newIsQualified, bool $doSendMail = true): void
@@ -109,19 +109,15 @@ public function setIsQualified(bool $newIsQualified, bool $doSendMail = true): v
             return;
         }
         if ($newIsQualified) {
-            $this->LDAP->getQualifiedUserGroup()->appendAttribute("memberuid", $this->uid);
-            $this->LDAP->getQualifiedUserGroup()->write();
+            $this->LDAP->qualifiedUserGroup->addMemberUID($this->uid);
             if ($doSendMail) {
                 $this->MAILER->sendMail($this->getMail(), "user_qualified", [
                     "user" => $this->uid,
                     "org" => $this->getOrg(),
                 ]);
             }
         } else {
-            $this->LDAP
-                ->getQualifiedUserGroup()
-                ->removeAttributeEntryByValue("memberuid", $this->uid);
-            $this->LDAP->getQualifiedUserGroup()->write();
+            $this->LDAP->qualifiedUserGroup->removeMemberUID($this->uid);
             if ($doSendMail) {
                 $this->MAILER->sendMail($this->getMail(), "user_dequalified", [
                     "user" => $this->uid,
@@ -324,8 +320,7 @@ public function getHomeDir(): string
      */
     public function isAdmin(): bool
     {
-        $admins = $this->LDAP->getAdminGroup()->getAttribute("memberuid");
-        return in_array($this->uid, $admins);
+        return $this->LDAP->adminGroup->memberUIDExists($this->uid);
     }
 
     /**

test/phpunit-bootstrap.php

@@ -186,18 +186,8 @@ function ensureUserDoesNotExist()
         $USER->getGroupEntry()->delete();
         ensure(!$USER->getGroupEntry()->exists());
     }
-    $qualified_users_group = $LDAP->getQualifiedUserGroup();
-    $all_member_uids = $qualified_users_group->getAttribute("memberuid");
-    if (in_array($USER->uid, $all_member_uids)) {
-        $qualified_users_group->setAttribute(
-            "memberuid",
-            // array_diff will break the contiguity of the array indexes
-            // ldap_mod_replace requires contiguity, array_values restores contiguity
-            array_values(array_diff($all_member_uids, [$USER->uid])),
-        );
-        $qualified_users_group->write();
-        ensure(!in_array($USER->uid, $qualified_users_group->getAttribute("memberuid")));
-    }
+    $USER->setIsQualified(false);
+    ensure(!$LDAP->qualifiedUserGroup->memberUIDExists($USER->uid));
 }
 
 function ensureOrgGroupDoesNotExist()