Auth: add new "auth user changed" config event and hook it into LDAP's updatePolicies().

This fixes an omission when groups are updated via ldap, the local system doesn't know about it. Eventually we might consider moving some functionality from auth.inc and the system user management pages into the same event hooks, in which case the workflow would be more like the following: [page updates config.xml data] --> [fires event] --> [event handler diffs current state agains the desired one and updates the system]
2026-03-16 01:24:38 +00:00 · 2020-06-02 14:42:25 +02:00 · 2020-06-02 14:42:25 +02:00 · ecfd53ac2f
commit ecfd53ac2f
parent db85192043
3 changed files with 39 additions and 0 deletions
--- a/src/etc/inc/plugins.inc.d/core.inc
+++ b/src/etc/inc/plugins.inc.d/core.inc
@ -257,3 +257,35 @@ function core_xmlrpc_sync()

    return $result;
 }
+
+function core_configure()
+{
+    return array(
+        'user_changed' => array('core_user_changed_groups:2'),
+    );
+}
+
+/**
+ * user changed event, synchronize attached system groups for requested user
+ */
+function core_user_changed_groups($verbose = false, $username)
+{
+    global $config;
+    if (is_array($config['system']['user'])) {
+        foreach ($config['system']['user'] as $user) {
+            if ($user['name'] == $username) {
+                exec("/usr/bin/groups " . escapeshellarg($username). ' 2>/dev/null', $out, $ret);
+                $current_groups = [];
+                if (!$ret) {
+                    $current_groups = explode(" ", $out[0]);
+                }
+                foreach ($config['system']['group'] as $group) {
+                    if (in_array($group['name'], $current_groups) ||
+                          (!empty($group['member']) && in_array($user['uid'], $group['member']))) {
+                        local_group_set($group);
+                    }
+                }
+            }
+        }
+    }
+}
--- a/src/opnsense/mvc/app/library/OPNsense/Auth/LDAP.php
+++ b/src/opnsense/mvc/app/library/OPNsense/Auth/LDAP.php
@ -29,6 +29,7 @@
 namespace OPNsense\Auth;

 use OPNsense\Core\Config;
+use OPNsense\Core\Backend;

 /**
 * Class LDAP connector
@ -510,6 +511,7 @@ class LDAP extends Base implements IAuthConnector
                    }
                }
                Config::getInstance()->save();
+                (new Backend())->configdpRun("auth user changed", array($username));
            }
        }
    }
--- a/src/opnsense/service/conf/actions.d/actions_auth.conf
+++ b/src/opnsense/service/conf/actions.d/actions_auth.conf
@ -0,0 +1,5 @@
+[user.changed]
+command:/usr/local/sbin/pluginctl
+parameters:  -c user_changed %s
+type:script
+message: User %s changed