当 AD 中相关群组的成员有添加、删除时，itop 对应 team 中的 person 也要做出相应的添加、删除。
team_sync_AD.conf.php 是程序的配置文件:
URL 为 itop webservice 中 rest.php 程序的 URL
映射关系：'team_mapping' => array(...)
AD 群组与 itop team 的映射，左边是 AD 群组，右边是 itop 的 team。
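<?php
// team_sync_AD.conf.php -- settings for team_sync_AD.php.
// This file holds two sets of credentials (LDAP bind and itop REST): keep it
// readable only by the account that runs the sync, and outside the web root
// where possible.

// itop REST endpoint (rest.php). Use https: the REST login/password are sent
// in the body of every request.
#define("URL", "https://itsmtest.logo.cn:11443/itop.new/webservices/rest.php");
define("URL", "https://itsm-uat.logo.cn/new_itop/webservices/rest.php");

// itop REST account used by the sync (these values used to be hard-coded in
// team_sync_AD.php). A dedicated account restricted to Team, lnkPersonToTeam
// and UserLDAP is preferable to the administrator account.
define("ITOP_AUTH_USER", "admin");
define("ITOP_AUTH_PWD", "pwd");

// CA file to trust for URL when the itop certificate is issued by a private
// CA; leave undefined to use the system trust store. (placeholder path)
#define("ITOP_CA_BUNDLE", "/path/to/itop-ca.pem");

$aConfig = [
    'host'       => '192.168.**.**',  // IP or FQDN of your domain controller
    'port'       => '389',            // LDAP port, 389=LDAP, 636=LDAPS. On 389 the bind
                                      // password below crosses the network unencrypted;
                                      // prefer 636.
    'dn'         => 'OU=VB-User,DC=CORP,DC=logo', // Domain DN (search base)
    'username'   => 'CN=LDAPSearch,OU=Special-User,OU=VB-User,DC=CORP,DC=logo', // username with read access
    'password'   => 'password',       // password for above
    'ldap_query' => '(&(objectCategory=user))', // Retrieve all users
    // Attribute names as ldap_get_entries() returns them (always lower-case).
    // samaccountname and memberof are required by the sync.
    'attribs'    => [
        'samaccountname',
        'memberof',
    ],
    // AD group -> itop team mapping: left is the AD group name (the CN of the
    // group object), right is the itop Team name.
    'team_mapping' => [
        'ROLE_ServiceDesk' => 'ServiceDesk',
        #'IT' => 'DBA_Support',
        #'ITSM_Administrator' => 'Administrator',
    ],
];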
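<?php
// team_sync_AD.php -- sync AD group membership into itop Team membership.
// Requires team_sync_AD.conf.php, which defines URL (and optionally
// ITOP_AUTH_USER / ITOP_AUTH_PWD / ITOP_CA_BUNDLE) plus $aConfig.

/**
 * POST $param to $url and return the decoded JSON body.
 *
 * @param string $url   REST endpoint
 * @param array  $param form fields (sent as a multipart form, as before)
 * @return mixed decoded JSON (an array on success); false when the input is
 *               empty or the HTTP request fails; null when the body is not
 *               valid JSON
 */
function request_post($url, $param)
{
    if (empty($url) || empty($param)) {
        return false;
    }
    $ch = curl_init();
    // Certificate and host-name verification stay enabled: the REST login and
    // password travel in the POST body, so a spoofed endpoint would receive
    // them. For a server certificate issued by a private CA, define
    // ITOP_CA_BUNDLE in the config instead of turning verification off.
    curl_setopt($ch, CURLOPT_SSL_VERIFYPEER, true);
    curl_setopt($ch, CURLOPT_SSL_VERIFYHOST, 2);
    if (defined('ITOP_CA_BUNDLE')) {
        curl_setopt($ch, CURLOPT_CAINFO, ITOP_CA_BUNDLE);
    }
    curl_setopt($ch, CURLOPT_URL, $url);
    curl_setopt($ch, CURLOPT_HEADER, false);
    curl_setopt($ch, CURLOPT_RETURNTRANSFER, true); // hand the body back instead of printing it
    curl_setopt($ch, CURLOPT_POST, true);
    curl_setopt($ch, CURLOPT_POSTFIELDS, $param);
    $data = curl_exec($ch);
    $error = curl_error($ch);
    curl_close($ch);
    if ($data === false) {
        trigger_error("request_post: HTTP request failed: $error", E_USER_WARNING);
        return false;
    }
    return json_decode($data, true);
}

/**
 * Call the itop REST API.
 *
 * @param string   $action    Search_UserLDAP | Search_lnkPersonToTeam | Search_Team | create | delete
 * @param int|null $team_id   Team key (create / delete only)
 * @param int|null $person_id Person key (create / delete only)
 * @return mixed decoded REST response, see request_post()
 * @throws InvalidArgumentException for an unknown $action, or for create /
 *         delete without both ids (the old string-built JSON silently became
 *         malformed in that case)
 */
function Action($action, $team_id = null, $person_id = null)
{
    $post_data = [
        'version'   => '1.0',
        // Credentials come from the config when it defines them; the literal
        // fallbacks are the values this script historically carried inline.
        'auth_user' => defined('ITOP_AUTH_USER') ? ITOP_AUTH_USER : 'admin',
        'auth_pwd'  => defined('ITOP_AUTH_PWD') ? ITOP_AUTH_PWD : 'pwd',
    ];

    $searches = [
        'Search_UserLDAP'        => 'UserLDAP',
        'Search_lnkPersonToTeam' => 'lnkPersonToTeam',
        'Search_Team'            => 'Team',
    ];

    if (isset($searches[$action])) {
        $class = $searches[$action];
        $request = [
            'operation'     => 'core/get',
            'class'         => $class,
            'key'           => 'SELECT ' . $class,
            'output_fields' => '*',
        ];
    } elseif ($action === 'create' || $action === 'delete') {
        if ($team_id === null || $person_id === null) {
            throw new InvalidArgumentException("Action: '$action' needs both team_id and person_id");
        }
        $link = [
            'team_id'   => (int) $team_id,
            'person_id' => (int) $person_id,
            'role_id'   => 0,
        ];
        // core/create takes the link under "fields", core/delete under "key".
        $request = [
            'operation'     => 'core/' . $action,
            'class'         => 'lnkPersonToTeam',
            'output_fields' => '*',
            ($action === 'create' ? 'fields' : 'key') => $link,
            'comment'       => '',
        ];
    } else {
        throw new InvalidArgumentException("Action: unknown action '$action'");
    }

    // json_encode() escapes the ids properly; the old string interpolation did not.
    $post_data['json_data'] = json_encode($request, JSON_UNESCAPED_SLASHES);
    return request_post(URL, $post_data);
}

/**
 * Read one attribute out of an ldap_get_entries() entry.
 *
 * @param array  $aEntry     one entry ([attr => ['count' => n, 0 => v0, ...]])
 * @param string $sValueName attribute name, lower-case as ldap_get_entries() returns it
 * @return mixed null when absent or empty, the scalar when single-valued,
 *               the list of values (without the 'count' slot) when multi-valued
 */
function ReadLdapValue($aEntry, $sValueName)
{
    if (!array_key_exists($sValueName, $aEntry) || !is_array($aEntry[$sValueName])) {
        return null;
    }
    $aValues = $aEntry[$sValueName];
    $iCount = isset($aValues['count']) ? (int) $aValues['count'] : 0;
    if ($iCount === 0) {
        return null;
    }
    if ($iCount === 1) {
        return $aValues[0];
    }
    unset($aValues['count']);
    return $aValues;
}

/**
 * Connect and bind to the directory, then run $aConfig['ldap_query'] under $aConfig['dn'].
 *
 * @param array $aConfig host, port, username, password, dn, ldap_query
 * @return array ldap_get_entries() result (['count' => n, 0 => entry, ...])
 * @throws RuntimeException when connect, option setting, bind or search fails
 */
function get_ldap($aConfig)
{
    $port = (int) $aConfig['port'];
    // 636 is LDAPS (as the config comment says). On plain 389 the bind
    // password is sent in clear; ldap_start_tls() would be the alternative there.
    $scheme = ($port === 636) ? 'ldaps' : 'ldap';
    $ad = ldap_connect(sprintf('%s://%s:%d', $scheme, $aConfig['host'], $port));
    if ($ad === false) {
        throw new RuntimeException("Could not connect to {$aConfig['host']} on port {$port}!");
    }
    if (!ldap_set_option($ad, LDAP_OPT_PROTOCOL_VERSION, 3)) {
        throw new RuntimeException('Could not set ldap protocol');
    }
    if (!ldap_set_option($ad, LDAP_OPT_REFERRALS, 0)) {
        throw new RuntimeException('Could not set the ldap referrals option');
    }
    if (!ldap_bind($ad, $aConfig['username'], $aConfig['password'])) {
        throw new RuntimeException('Could not bind: ' . ldap_error($ad));
    }
    $search = ldap_search($ad, $aConfig['dn'], $aConfig['ldap_query']);
    if ($search === false) {
        throw new RuntimeException('ldap search failed: ' . ldap_error($ad));
    }
    $entries = ldap_get_entries($ad, $search); // search result as a plain array
    ldap_unbind($ad);
    return $entries;
}

/**
 * Value of the first RDN of a DN: "CN=ROLE_ServiceDesk,OU=...,DC=..." -> "ROLE_ServiceDesk".
 * Input without an '=' is returned unchanged (trimmed). Splits only on
 * unescaped commas, so "CN=Smith\, John,OU=..." keeps its value intact.
 *
 * @param string $dn
 * @return string
 */
function first_rdn_value($dn)
{
    $parts = preg_split('/(?<!\\\\),/', (string) $dn);
    $first = $parts[0];
    $eq = strpos($first, '=');
    if ($eq === false) {
        return trim($first);
    }
    return trim(substr($first, $eq + 1));
}

/**
 * Build the AD-side view: itop team name => list of sAMAccountNames.
 *
 * A user lands in a team when one of its memberOf DNs names a mapped group.
 * A mapping key without '=' is compared (case-insensitively) with the CN of
 * the group DN; a key containing '=' is compared with the whole DN. The old
 * substring test on the DN let a short key such as 'IT' match every group whose
 * DN merely contained those letters. Each account appears once per team.
 *
 * @param array $ldap_array result of get_ldap()
 * @param array $aConfig    needs 'team_mapping'; samaccountname and memberof
 *                          are read directly (they must be among the attributes
 *                          the search returned)
 * @return array team name => list of account names
 */
function get_memberof_samaccountname($ldap_array, $aConfig)
{
    $mapping = [];
    foreach ($aConfig['team_mapping'] as $group => $team) {
        $mapping[strtolower($group)] = $team;
    }

    $result = [];
    if (!isset($ldap_array['count']) || $ldap_array['count'] <= 0) {
        return $result;
    }

    foreach ($ldap_array as $aEntry) {
        if (!is_array($aEntry)) {
            continue; // the 'count' slot
        }
        $account = ReadLdapValue($aEntry, 'samaccountname');
        $groups = ReadLdapValue($aEntry, 'memberof');
        if (!is_scalar($account) || $groups === null) {
            continue;
        }
        if (!is_array($groups)) {
            $groups = [$groups]; // single-valued memberOf comes back as a scalar
        }
        foreach ($groups as $dn) {
            $dnLower = strtolower($dn);
            $cnLower = strtolower(first_rdn_value($dn));
            foreach ($mapping as $keyLower => $team) {
                $matched = (strpos($keyLower, '=') !== false)
                    ? ($keyLower === $dnLower)
                    : ($keyLower === $cnLower);
                if ($matched) {
                    $result[$team][] = $account;
                }
            }
        }
    }

    foreach ($result as $team => $accounts) {
        $result[$team] = array_values(array_unique($accounts));
    }
    return $result;
}

// --- itop side: the functions below build the team/person view from
// lnkPersonToTeam and UserLDAP and reconcile it with the AD view. ---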
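/**
 * Build the itop-side view: team name => list of UserLDAP logins.
 *
 * Only persons that own a UserLDAP account are listed, so team members without
 * an LDAP account are never touched by the sync. A null or missing 'objects'
 * member (itop's answer for an empty result) yields an empty view.
 *
 * @param array $PersonToTeam decoded core/get response for lnkPersonToTeam
 * @param array $UserLDAP     decoded core/get response for UserLDAP
 * @return array team name => list of logins
 */
function getteamperson($PersonToTeam, $UserLDAP)
{
    $loginByContact = [];
    $users = (isset($UserLDAP['objects']) && is_array($UserLDAP['objects'])) ? $UserLDAP['objects'] : [];
    foreach ($users as $user) {
        // index once instead of rescanning UserLDAP for every link
        $loginByContact[(string) $user['fields']['contactid']] = $user['fields']['login'];
    }

    $team_person = [];
    $links = (isset($PersonToTeam['objects']) && is_array($PersonToTeam['objects'])) ? $PersonToTeam['objects'] : [];
    foreach ($links as $link) {
        $contact = (string) $link['fields']['person_id'];
        if (isset($loginByContact[$contact])) {
            $team_person[$link['fields']['team_name']][] = $loginByContact[$contact];
        }
    }
    return $team_person;
}

/**
 * Resolve an itop Team name to its key.
 *
 * @param array  $Team      decoded core/get response for Team
 * @param string $team_name exact (case-sensitive) team name
 * @return mixed the key of the last team with that name, or null when none matches
 */
function team_name_to_id($Team, $team_name)
{
    if (!isset($Team['objects']) || !is_array($Team['objects'])) {
        return null;
    }
    $id = null;
    foreach ($Team['objects'] as $team) {
        // (string) on both sides: numeric team names arrive as int array keys
        if ((string) $team['fields']['name'] === (string) $team_name) {
            $id = $team['key'];
        }
    }
    return $id;
}

/**
 * Resolve a login to the Person (contactid) behind its UserLDAP account.
 *
 * @param array  $UserLDAP    decoded core/get response for UserLDAP
 * @param string $person_name login, compared case-insensitively
 * @return mixed contactid of the last matching account, or null when none matches
 */
function person_name_to_id($UserLDAP, $person_name)
{
    if (!isset($UserLDAP['objects']) || !is_array($UserLDAP['objects'])) {
        return null;
    }
    $person_id = null;
    $wanted = strtolower((string) $person_name);
    foreach ($UserLDAP['objects'] as $user) {
        if (strtolower((string) $user['fields']['login']) === $wanted) {
            $person_id = $user['fields']['contactid'];
        }
    }
    return $person_id;
}

/**
 * Diff the AD view against the itop view.
 *
 * Logins are compared case-insensitively: sAMAccountName is case-insensitive
 * in AD and person_name_to_id() resolves logins the same way, so a mere case
 * difference no longer produces a create + delete pair on every run.
 *
 * @param array      $ad_team_person   team => logins (get_memberof_samaccountname)
 * @param array      $itop_team_person team => logins (getteamperson)
 * @param array|null $managed_teams    when given, deletions are only computed for
 *                                     these team names; with null (the old
 *                                     behaviour) every itop team is reconciled,
 *                                     which empties teams absent from the mapping
 * @return array ['create' => [team => [login...]], 'delete' => [...]]; a key is
 *               present only when it has entries
 */
function compare($ad_team_person, $itop_team_person, $managed_teams = null)
{
    $change = [];

    foreach ($ad_team_person as $team => $logins) {
        $present = isset($itop_team_person[$team]) ? array_map('strtolower', $itop_team_person[$team]) : [];
        foreach ($logins as $login) {
            if (!in_array(strtolower($login), $present, true)) {
                $change['create'][$team][] = $login;
            }
        }
    }

    $managed = ($managed_teams === null) ? null : array_flip(array_map('strval', $managed_teams));
    foreach ($itop_team_person as $team => $logins) {
        if ($managed !== null && !isset($managed[(string) $team])) {
            continue; // team not driven by the mapping: leave its members alone
        }
        $present = isset($ad_team_person[$team]) ? array_map('strtolower', $ad_team_person[$team]) : [];
        foreach ($logins as $login) {
            if (!in_array(strtolower($login), $present, true)) {
                $change['delete'][$team][] = $login;
            }
        }
    }

    return $change;
}

/**
 * Apply $change through the REST API, printing one line per operation.
 *
 * A name that cannot be resolved to an itop key is reported and skipped
 * instead of being sent as an empty key to core/create or core/delete.
 *
 * @param array $UserLDAP decoded core/get response for UserLDAP
 * @param array $Team     decoded core/get response for Team
 * @param array $change   result of compare()
 * @return mixed list of REST responses / skip notes, or the unchanged
 *               "all in sync" message string when there was nothing to do
 */
function process($UserLDAP, $Team, $change)
{
    $info = [];
    foreach ($change as $op => $teams) {
        foreach ($teams as $team_name => $logins) {
            $team_id = team_name_to_id($Team, $team_name);
            foreach ($logins as $login) {
                $person_id = person_name_to_id($UserLDAP, $login);
                // Names come from AD and itop and may be rendered in a browser: escape them.
                $line = htmlspecialchars("$op --> $team_name --> $team_id --> $login --> $person_id", ENT_QUOTES, 'UTF-8');
                if ($team_id === null || $person_id === null) {
                    echo "<h2>skipped: $line (team or person not found in itop)<br></h2>";
                    $info[] = "skipped: $op $team_name / $login (team or person not found in itop)";
                    continue;
                }
                echo "<h2>$line <br></h2>";
                $info[] = Action($op, $team_id, $person_id);
            }
        }
    }
    if (empty($info)) {
        return "<h1>AD_ROLE群组 与 itop_team 完全一致!</h1>";
    }
    return $info;
}

/**
 * Ensure a REST read is usable before it drives creates or deletes.
 *
 * itop answers with {"code": 0, "message": ..., "objects": ...}; a transport
 * failure or a non-zero code decoded as "no objects" would otherwise look like
 * "nobody is in any team" and trigger changes for everybody.
 *
 * @param mixed  $response return value of Action()
 * @param string $what     label for the error message
 * @return array the response, unchanged
 * @throws RuntimeException
 */
function check_rest($response, $what)
{
    if (!is_array($response) || !isset($response['code'])) {
        throw new RuntimeException("$what: no valid response from " . URL);
    }
    if ((int) $response['code'] !== 0) {
        $msg = isset($response['message']) ? $response['message'] : '';
        throw new RuntimeException("$what: itop returned code {$response['code']}: $msg");
    }
    return $response;
}

////////////////////////////////////////////////////
// Main
require __DIR__ . "/team_sync_AD.conf.php"; // relative to this file, so cron's cwd does not matter
echo "脚本名称:itop team 同步脚本<br>";
echo "版本:1.0<br>";
echo "完成日期:2016-03-23<br>";
echo "功能:把AD 把Group中的Person,映射到itop的person与team<br>";
try {
    $ldap_array = get_ldap($aConfig);
    $ad_team_person = get_memberof_samaccountname($ldap_array, $aConfig);
    $PersonToTeam = check_rest(Action("Search_lnkPersonToTeam"), "Search_lnkPersonToTeam");
    $UserLDAP = check_rest(Action("Search_UserLDAP"), "Search_UserLDAP");
    $Team = check_rest(Action("Search_Team"), "Search_Team");
    $itop_team_person = getteamperson($PersonToTeam, $UserLDAP);
    // Only the teams named in team_mapping are reconciled; other teams keep their members.
    $change = compare($ad_team_person, $itop_team_person, array_values($aConfig['team_mapping']));
    $info = process($UserLDAP, $Team, $change);
} catch (Exception $e) {
    echo "<h1>" . htmlspecialchars($e->getMessage(), ENT_QUOTES, 'UTF-8') . "</h1>";
    exit(1); // non-zero so a cron wrapper notices the failed run
}
echo "<pre>";
print_r($info);
echo "</pre>";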
在命令行中执行: root@itsm-demo:/var/www/html# php team_sync_AD.php 脚本名称:itop team 同步脚本<br>版本:1.0<br>完成日期:2016-03-23<br>功能:把AD 把Group中的Person,映射到itop的person与team<br><pre><h1>AD_ROLE群组 与 itop_team 完全一致!</h1></pre> root@itsm-demo:/var/www/html#
在网页中执行: