Club Drupal

<?php

/**

 * @file

 * This classextends by LdapUserConf for configuration and other admin functions.

 */

module_load_include('php', 'ldap_user', 'LdapUserConf.class');

module_load_include('inc', 'user', 'user.pages');

/**

 *

 */

class LdapUserConfAdmin extends LdapUserConf {

  /**

   * Basic settings.

   */

  protected $drupalAcctProvisionServerDescription;

  protected $drupalAcctProvisionServerOptions = [];

  protected $ldapEntryProvisionServerOptions = [];

  protected $drupalAccountProvisionEventsDescription;

  protected $drupalAccountProvisionEventsOptions = [];

  protected $ldapEntryProvisionTriggersDescription;

  protected $ldapEntryProvisionTriggersOptions = [];

  protected $synchFormRow = 0;

  /**

   * 3. Drupal Account Provisioning and Syncing.

   */

  public $userConflictResolveDescription;

  public $userConflictResolveDefault = LDAP_USER_CONFLICT_RESOLVE_DEFAULT;

  public $userConflictOptions;

  public $accountsWithSameEmailDescription;

  public $accountsWithSameEmailOptions;

  public $acctCreationDescription = '';

  public $acctCreationDefault = LDAP_USER_ACCT_CREATION_LDAP_BEHAVIOR_DEFAULT;

  public $acctCreationOptions;

  public $errorMsg = NULL;

  public $hasError = FALSE;

  public $errorName = NULL;

  /**

   *

   */

  public function clearError() {

    $this->hasError = FALSE;

    $this->errorMsg = NULL;

    $this->errorName = NULL;

  }

  /**

   *

   */

  public function save() {

    foreach ($this->saveable as $property) {

      $save[$property] = $this->{$property};

    }

    variable_set('ldap_user_conf', $save);

    ldap_user_conf_cache_clear();

  }

  /**

   *

   */

  public static function uninstall() {

    variable_del('ldap_user_conf');

  }

  /**

   *

   */

  public function __construct() {

    parent::__construct();

    $this->setTranslatableProperties();

    if ($servers = ldap_servers_get_servers(NULL, 'enabled')) {

      $this->drupalAcctProvisionServerOptions[LDAP_USER_AUTH_SERVER_SID] = t('Use server which performed the authentication. Useful for multi-domain environments.');

      foreach ($servers as $sid => $ldap_server) {

        $enabled = ($ldap_server->status) ? 'Enabled' : 'Disabled';

        $this->drupalAcctProvisionServerOptions[$sid] = $ldap_server->name . ' (' . $ldap_server->address . ') Status: ' . $enabled;

        $this->ldapEntryProvisionServerOptions[$sid] = $ldap_server->name . ' (' . $ldap_server->address . ') Status: ' . $enabled;

      }

    }

    $this->drupalAcctProvisionServerOptions['none'] = t('None');

    $this->ldapEntryProvisionServerOptions['none'] = t('None');

  }

  /**

   * Generate admin form for ldapUserConf object.

   *

   * @return array $form as drupal form api form array

   */

  public function drupalForm() {

    if (count($this->drupalAcctProvisionServerOptions) == 0) {

      $message = ldap_servers_no_enabled_servers_msg('configure LDAP User');

      $form['intro'] = [

        '#type' => 'item',

        '#markup' => t('<h1>LDAP User Settings</h1>') . $message,

      ];

      return $form;

    }

    $form['#storage'] = [];

    $form['#theme'] = 'ldap_user_conf_form';

    $form['intro'] = [

      '#type' => 'item',

      '#markup' => t('<h1>LDAP User Settings</h1>'),

    ];

    $form['manual_drupal_account_editing'] = [

      '#type' => 'fieldset',

      '#title' => t('Manual Drupal Account Creation and Updates'),

      '#collapsible' => TRUE,

      '#collapsed' => FALSE,

    ];

    $form['manual_drupal_account_editing']['manualAccountConflict'] = [

      '#type' => 'radios',

      '#options' => $this->manualAccountConflictOptions,

      '#title' => t('How to resolve LDAP conflicts with manually  created Drupal accounts.'),

      '#description' => t('This applies only to accounts created manually through admin/people/create

        for which an LDAP entry can be found on the LDAP server selected in "LDAP Servers Providing Provisioning Data"'),

      '#default_value' => $this->manualAccountConflict,

    ];

    $form['basic_to_drupal'] = [

      '#type' => 'fieldset',

      '#title' => t('Basic Provisioning to Drupal Account Settings'),

      '#collapsible' => TRUE,

      '#collapsed' => FALSE,

    ];

    $default_value = ($this->drupalAcctProvisionServer) ? $this->drupalAcctProvisionServer : 'none';

    $form['basic_to_drupal']['drupalAcctProvisionServer'] = [

      '#type' => 'radios',

      '#title' => t('LDAP Servers Providing Provisioning Data'),

      '#required' => 1,

      '#default_value' => $default_value,

      '#options' => $this->drupalAcctProvisionServerOptions,

      '#description' => $this->drupalAcctProvisionServerDescription,

      '#states' => [

        'enabled' => [

          ':input[name=drupalAcctProvisionTriggers]' => ['value' => LDAP_USER_DRUPAL_USER_PROV_ON_AUTHENTICATE],

        ],

      ],

    ];

    $form['basic_to_drupal']['drupalAcctProvisionTriggers'] = [

      '#type' => 'checkboxes',

      '#title' => t('Drupal Account Provisioning Events'),

      '#required' => FALSE,

      '#default_value' => $this->drupalAcctProvisionTriggers,

      '#options' => $this->drupalAccountProvisionEventsOptions,

      '#description' => $this->drupalAccountProvisionEventsDescription,

    ];

    $form['basic_to_drupal']['disableAdminPasswordField'] = [

      '#type' => 'checkbox',

      '#title' => t('Disable the password fields at /admin/create/people since the password is going to be randomly generated anyway. This is useful if you are synching data to Drupal from LDAP, and not bringing the user password from LDAP.'),

      '#default_value' => $this->disableAdminPasswordField,

    ];

    $form['basic_to_drupal']['userConflictResolve'] = [

      '#type' => 'radios',

      '#title' => t('Existing Drupal User Account Conflict'),

      '#required' => 1,

      '#default_value' => $this->userConflictResolve,

      '#options' => $this->userConflictOptions,

      '#description' => t($this->userConflictResolveDescription),

    ];

    $form['basic_to_drupal']['accountsWithSameEmail'] = [

      '#type' => 'radios',

      '#title' => t('Existing Account with Same Email Address'),

      '#default_value' => $this->accountsWithSameEmail,

      '#options' => $this->accountsWithSameEmailOptions,

      '#description' => t($this->accountsWithSameEmailDescription),

      '#disabled' => (module_exists('sharedemail') === FALSE),

    ];

    $form['basic_to_drupal']['acctCreation'] = [

      '#type' => 'radios',

      '#title' => t('Application of Drupal Account settings to LDAP Authenticated Users'),

      '#required' => 1,

      '#default_value' => $this->acctCreation,

      '#options' => $this->acctCreationOptions,

      '#description' => t($this->acctCreationDescription),

    ];

    $account_options = [];

    $account_options['ldap_user_orphan_do_not_check'] = t('Do not check for orphaned Drupal accounts.');

    $account_options['ldap_user_orphan_email'] = t('Perform no action, but email list of orphaned accounts. (All the other options will send email summaries also.)');

    foreach (user_cancel_methods() as $option_name => $option) {

      $account_options[$option_name] = $option['#title'];

    }

    // @todo these 2 options are removed until this feature is better tested in

    // actual production environments; it has potentially disastrous effects

    unset($account_options['user_cancel_reassign']);

    unset($account_options['user_cancel_delete']);

    $form['basic_to_drupal']['orphanedDrupalAcctBehavior'] = [

      '#type' => 'radios',

      '#title' => t('Action to perform on Drupal account that no longer have a

        corresponding LDAP entry'),

      '#required' => 0,

      '#default_value' => $this->orphanedDrupalAcctBehavior,

      '#options' => $account_options,

      '#description' => t($this->orphanedDrupalAcctBehaviorDescription),

    ];

    $form['basic_to_drupal']['orphanedCheckQty'] = [

      '#type' => 'textfield',

      '#size' => 10,

      '#title' => t('Number of users to check each cron run.'),

      '#description' => t(''),

      '#default_value' => $this->orphanedCheckQty,

      '#required' => FALSE,

    ];

    $form['basic_to_ldap'] = [

      '#type' => 'fieldset',

      '#title' => t('Basic Provisioning to LDAP Settings'),

      '#collapsible' => TRUE,

      '#collapsed' => !($this->ldapEntryProvisionServer),

    ];

    $default_value = ($this->ldapEntryProvisionServer) ? $this->ldapEntryProvisionServer : 'none';

    $form['basic_to_ldap']['ldapEntryProvisionServer'] = [

      '#type' => 'radios',

      '#title' => t('LDAP Servers to Provision LDAP Entries on'),

      '#required' => 1,

      '#default_value' => $default_value,

      '#options' => $this->ldapEntryProvisionServerOptions,

      '#description' => $this->ldapEntryProvisionServerDescription,

    ];

    $form['basic_to_ldap']['ldapEntryProvisionTriggers'] = [

      '#type' => 'checkboxes',

      '#title' => t('LDAP Entry Provisioning Events'),

      '#required' => FALSE,

      '#default_value' => $this->ldapEntryProvisionTriggers,

      '#options' => $this->ldapEntryProvisionTriggersOptions,

      '#description' => $this->ldapEntryProvisionTriggersDescription,

    ];

    $form['basic_to_drupal']['server_mapping_preamble'] = [

      '#type' => 'markup',

      '#markup' => t('

The relationship between a Drupal user and an LDAP entry is defined within the LDAP server configurations.

The mappings below are for user fields, properties, and profile2 data that are not automatically mapped elsewhere.

Mappings such as username or email address that are configured elsewhere are shown at the top for clarity.

When more than one ldap server is enabled for provisioning data (or simply more than one configuration for the same ldap server),

mappings need to be setup for each server.  If no tables are listed below, you have not enabled any provisioning servers at

the top of this form.

'),

    ];

    foreach ([LDAP_USER_PROV_DIRECTION_TO_DRUPAL_USER, LDAP_USER_PROV_DIRECTION_TO_LDAP_ENTRY] as $direction) {

      $sid = $this->provisionSidFromDirection[$direction];

      $ldap_server = ($sid) ? ldap_servers_get_servers($sid, NULL, TRUE) : FALSE;

      $ldap_server_selected = (boolean) $ldap_server;

      if ($direction == LDAP_USER_PROV_DIRECTION_TO_DRUPAL_USER) {

        $parent_fieldset = 'basic_to_drupal';

        $description = t('Provisioning from LDAP to Drupal Mappings:');

      }

      elseif ($direction == LDAP_USER_PROV_DIRECTION_TO_LDAP_ENTRY) {

        $parent_fieldset = 'basic_to_ldap';

        $description = t('Provisioning from Drupal to LDAP Mappings:');

      }

      $form[$parent_fieldset]['mappings__' . $direction] = [

        '#type' => 'fieldset',

        '#title' => $description,

        '#collapsible' => TRUE,

        '#collapsed' => FALSE,

        '#description' => '',

        'table__' . $direction => [

          '#type' => 'markup',

          '#markup' => '[replace_with_table__' . $direction . ']',

        ],

      ];

      $password_notes = '<h3>' . t('Password Tokens') . '</h3><ul>' .

      '<li>' . t('Pwd: Random -- Uses a random Drupal generated password') . '</li>' .

      '<li>' . t('Pwd: User or Random -- Uses password supplied on user forms.

  If none available uses random password.') . '</li></ul>' .

      '<h3>' . t('Password Concerns') . '</h3>' .

      '<ul>' .

      '<li>' . t('Provisioning passwords to LDAP means passwords must meet the LDAP\'s

password requirements.  Password Policy module can be used to add requirements.') . '</li>' .

      '<li>' . t('Some LDAPs require a user to reset their password if it has been changed

by someone other that user.  Consider this when provisioning LDAP passwords.') . '</li>' .

      '</ul></p>';

      $source_drupal_token_notes = <<<EOT

<p>Examples in form: Source Drupal User token => Target LDAP Token (notes)</p>

<ul>

<li>Source Drupal User token => Target LDAP Token</li>

<li>cn=[property.name],ou=test,dc=ad,dc=mycollege,dc=edu => [dn] (example of token and constants)</li>

<li>top => [objectclass:0] (example of constants mapped to multivalued attribute)</li>

<li>person => [objectclass:1] (example of constants mapped to multivalued attribute)</li>

<li>organizationalPerson => [objectclass:2] (example of constants mapped to multivalued attribute)</li>

<li>user => [objectclass:3] (example of constants mapped to multivalued attribute)</li>

<li>Drupal Provisioned LDAP Account => [description] (example of constant)</li>

<li>[field.field_lname] => [sn]</li>

</ul>

EOT;

      // Add some password notes.

      if ($direction == LDAP_USER_PROV_DIRECTION_TO_LDAP_ENTRY) {

        $form[$parent_fieldset]['password_notes'] = [

          '#type' => 'fieldset',

          '#title' => t('Password Notes'),

          '#collapsible' => TRUE,

          '#collapsed' => TRUE,

          'directions' => [

            '#type' => 'markup',

            '#markup' => $password_notes,

          ],

        ];

        $form[$parent_fieldset]['source_drupal_token_notes'] = [

          '#type' => 'fieldset',

          '#title' => t('Source Drupal User Tokens and Corresponding Target LDAP Tokens'),

          '#collapsible' => TRUE,

          '#collapsed' => TRUE,

          'directions' => [

            '#type' => 'markup',

            '#markup' => $source_drupal_token_notes,

          ],

        ];

      }

      $this->addServerMappingFields($form, $direction);

    }

    foreach (['orphanedCheckQty', 'orphanedDrupalAcctBehavior', 'acctCreation', 'userConflictResolve', 'accountsWithSameEmail', 'drupalAcctProvisionTriggers', 'mappings__' . LDAP_USER_PROV_DIRECTION_TO_DRUPAL_USER] as $input_name) {

      $form['basic_to_drupal'][$input_name]['#states']['invisible'] =

        [

          ':input[name=drupalAcctProvisionServer]' => ['value' => 'none'],

        ];

    }

    foreach (['ldapEntryProvisionTriggers', 'password_notes', 'source_drupal_token_notes', 'mappings__' . LDAP_USER_PROV_DIRECTION_TO_LDAP_ENTRY] as $input_name) {

      $form['basic_to_ldap'][$input_name]['#states']['invisible'] =

        [

          ':input[name=ldapEntryProvisionServer]' => ['value' => 'none'],

        ];

    }

    $form['submit'] = [

      '#type' => 'submit',

      '#value' => 'Save',

    ];

    return $form;

  }

  /**

   * @param $sid

   * @param $orphan_handling

   */

  private function checkPuidOrphans($sid, $orphan_handling) {

    $ldap_server = ldap_servers_get_servers($sid, NULL, TRUE);

    if ($ldap_server && empty($ldap_server->unique_persistent_attr)

      && $orphan_handling != 'ldap_user_orphan_do_not_check') {

      drupal_set_message(t('You\'ve configured the orphan check but are missing the required persistent user ID property.'), 'error');

    }

  }

  /**

   * Validate submitted form.

   *

   * @param array $values

   *   as $form_state['values'] from drupal form api.

   * @param array $storage

   *   as $form_state['storage'] from drupal form api.

   *

   * @return array in form array($errors, $warnings)to be thrown by form api

   */

  public function drupalFormValidate($values, $storage) {

    $this->populateFromDrupalForm($values, $storage);

    list($errors, $warnings) = $this->validate($values);

    $this->checkPuidOrphans($values['drupalAcctProvisionServer'], $values['orphanedDrupalAcctBehavior']);

    // Since failed mapping rows in form, don't populate ->ldapUserSynchMappings, need to validate these from values.

    foreach ($values as $field => $value) {

      $parts = explode('__', $field);

      // Since synch mapping fields are in n-tuples, process entire n-tuple at once (on field == configurable_to_drupal)

      if (count($parts) != 4 || $parts[1] !== 'sm' || $parts[2] != 'configurable_to_drupal') {

        continue;

      }

      list($direction, $discard, $column_name, $i) = $parts;

      $action = $storage['synch_mapping_fields'][$direction][$i]['action'];

      $tokens = [];

      $row_mappings = [];

      foreach (['remove', 'configurable_to_drupal', 'configurable_to_ldap', 'convert', 'direction', 'ldap_attr', 'user_attr', 'user_tokens'] as $column_name) {

        $input_name = join('__', ['sm', $column_name, $i]);

        $row_mappings[$column_name] = isset($values[$input_name]) ? $values[$input_name] : NULL;

      }

      $has_values = $row_mappings['ldap_attr'] || $row_mappings['user_attr'];

      if ($has_values) {

        $tokens['%ldap_attr'] = $row_mappings['ldap_attr'];

        $row_descriptor = t("server %sid row mapping to ldap attribute %ldap_attr", $tokens);

        $tokens['!row_descriptor'] = $row_descriptor;

        if (!$row_mappings['direction']) {

          $input_name = join('__', ['sm', 'direction', $i]);

          $errors[$input_name] = t('No mapping direction given in !row_descriptor', $tokens);

        }

        if ($direction == LDAP_USER_PROV_DIRECTION_TO_DRUPAL_USER && $row_mappings['user_attr'] == 'user_tokens') {

          $input_name = join('__', ['sm', 'user_attr', $i]);

          $errors[$input_name] = t('User tokens not allowed when mapping to Drupal user.  Location: !row_descriptor', $tokens);

        }

        if (!$row_mappings['ldap_attr']) {

          $input_name = join('__', ['sm', 'ldap_attr', $i]);

          $errors[$input_name] = t('No ldap attribute given in !row_descriptor', $tokens);

        }

        if (!$row_mappings['user_attr']) {

          $input_name = join('__', ['sm', 'user_attr', $i]);

          $errors[$input_name] = t('No user attribute given in !row_descriptor', $tokens);

        }

      }

    }

    return [$errors, $warnings];

  }

  /**

   * Validate object, not form.

   *

   * @param array $values

   *   as $form_state['values'] from drupal form api.

   *

   * @return array in form array($errors, $warnings)to be thrown by form api

   *

   * @todo validate that a user field exists, such as field.field_user_lname

   */

  public function validate($values) {

    $errors = [];

    $warnings = [];

    $tokens = [];

    $has_drupal_acct_prov_servers = (boolean) ($this->drupalAcctProvisionServer);

    $has_drupal_acct_prov_settings_options = (count(array_filter($this->drupalAcctProvisionTriggers)) > 0);

    if (!$has_drupal_acct_prov_servers && $has_drupal_acct_prov_settings_options) {

      $warnings['drupalAcctProvisionServer'] = t('No Servers are enabled to provide provisioning to Drupal, but Drupal Account Provisioning Options are selected.', $tokens);

    }

    if ($has_drupal_acct_prov_servers && !$has_drupal_acct_prov_settings_options) {

      $warnings['drupalAcctProvisionTriggers'] = t('Servers are enabled to provide provisioning to Drupal, but no Drupal Account Provisioning Options are selected.  This will result in no synching happening.', $tokens);

    }

    $has_ldap_prov_servers = (boolean) ($this->ldapEntryProvisionServer);

    $has_ldap_prov_settings_options = (count(array_filter($this->ldapEntryProvisionTriggers)) > 0);

    if (!$has_ldap_prov_servers && $has_ldap_prov_settings_options) {

      $warnings['ldapEntryProvisionServer'] = t('No Servers are enabled to provide provisioning to ldap, but LDAP Entry Options are selected.', $tokens);

    }

    if ($has_ldap_prov_servers && !$has_ldap_prov_settings_options) {

      $warnings['ldapEntryProvisionTriggers'] = t('Servers are enabled to provide provisioning to ldap, but no LDAP Entry Options are selected.  This will result in no synching happening.', $tokens);

    }

    if (isset($this->ldapUserSynchMappings)) {

      $to_ldap_entries_mappings_exist = FALSE;

      foreach ($this->ldapUserSynchMappings as $synch_direction => $mappings) {

        $map_index = [];

        // Format ['%sid' => $sid].

        $tokens = [];

        $to_drupal_user_mappings_exist = FALSE;

        $to_ldap_entries_mappings_exist = FALSE;

        foreach ($mappings as $target_attr => $mapping) {

          if ($mapping['direction'] == LDAP_USER_PROV_DIRECTION_TO_DRUPAL_USER) {

            $attr_value = $mapping['user_attr'];

            $attr_name = 'user_attr';

          }

          if ($mapping['direction'] == LDAP_USER_PROV_DIRECTION_TO_LDAP_ENTRY) {

            $attr_value = $mapping['ldap_attr'];

            $attr_name = 'ldap_attr';

          }

          foreach ($values as $field => $value) {

            $parts = explode('__', $field);

            if (count($parts) == 4 && $parts[2] == $attr_name && $value == $attr_value) {

              $map_index[$attr_value] = $parts[3];

            }

          }

        }

        foreach ($mappings as $target_attr => $mapping) {

          foreach ($mapping as $key => $value) {

            if (is_scalar($value)) {

              $tokens['%' . $key] = $value;

            }

          }

          $row_descriptor = t("server %sid row mapping to ldap attribute %ldap_attr", $tokens);

          $tokens['!row_descriptor'] = $row_descriptor;

          $ldap_attribute_maps_in_token = [];

          ldap_servers_token_extract_attributes($ldap_attribute_maps_in_token, $mapping['ldap_attr']);

          if ($mapping['direction'] == LDAP_USER_PROV_DIRECTION_TO_DRUPAL_USER) {

            $row_id = $map_index[$mapping['user_attr']];

            $to_drupal_user_mappings_exist = TRUE;

          }

          if ($mapping['direction'] == LDAP_USER_PROV_DIRECTION_TO_LDAP_ENTRY) {

            $row_id = $map_index[$mapping['ldap_attr']];

            $to_ldap_entries_mappings_exist = TRUE;

            if (count(array_keys($ldap_attribute_maps_in_token)) != 1) {

              $token_field_id = join('__', ['sm', 'user_tokens', $row_id]);

              $errors[$token_field_id] = t('When provisioning to ldap, ldap attribute column must be singular token such as [cn]. %ldap_attr is not.

                Do not use compound tokens such as "[displayName] [sn]" or literals such as "physics". Location: !row_descriptor', $tokens);

            }

          }

          $ldap_attr_field_id = join('__', ['sm', 'ldap_attr', $row_id]);

          $user_attr_field_id = join('__', ['sm', 'user_attr', $row_id]);

          $first_context_field_id = join('__', ['sm', 1, $row_id]);

          $user_tokens_field_id = join('__', ['sm', 'user_tokens', $row_id]);

          if (!$mapping['ldap_attr']) {

            $errors[$ldap_attr_field_id] = t('No LDAP Attribute given in !row_descriptor', $tokens);

          }

          if ($mapping['user_attr'] == 'user_tokens' && !$mapping['user_tokens']) {

            $errors[$user_tokens_field_id] = t('User tokens selected in !row_descriptor, but user tokens column empty.', $tokens);

          }

          if (isset($mapping['prov_events']) && count($mapping['prov_events']) == 0) {

            $warnings[$first_context_field_id] = t('No synchronization events checked in !row_descriptor.

              This field will not be synchronized until some are checked.', $tokens);

          }

        }

      }

      if ($to_ldap_entries_mappings_exist && !isset($mappings['[dn]'])) {

        $errors['mappings__' . $synch_direction] = t('Mapping rows exist for provisioning to ldap, but no ldap attribute is targetted for [dn].

          One row must map to [dn].  This row will have a user token like cn=[property.name],ou=users,dc=ldap,dc=mycompany,dc=com');

      }

    }

    return [$errors, $warnings];

  }

  /**

   * Populate object with data from form values.

   *

   * @param array $values

   *   as $form_state['values'] from drupal form api.

   * @param array $storage

   *   as $form_state['storage'] from drupal form api.

   */

  protected function populateFromDrupalForm($values, $storage) {

    $this->drupalAcctProvisionServer = ($values['drupalAcctProvisionServer'] == 'none') ? 0 : $values['drupalAcctProvisionServer'];

    $this->ldapEntryProvisionServer = ($values['ldapEntryProvisionServer'] == 'none') ? 0 : $values['ldapEntryProvisionServer'];

    $this->drupalAcctProvisionTriggers = $values['drupalAcctProvisionTriggers'];

    $this->ldapEntryProvisionTriggers = $values['ldapEntryProvisionTriggers'];

    $this->orphanedDrupalAcctBehavior = $values['orphanedDrupalAcctBehavior'];

    $this->orphanedCheckQty = $values['orphanedCheckQty'];

    $this->manualAccountConflict = $values['manualAccountConflict'];

    $this->userConflictResolve = ($values['userConflictResolve']) ? (int) $values['userConflictResolve'] : NULL;

    $this->accountsWithSameEmail = ($values['accountsWithSameEmail']) ? (int) $values['accountsWithSameEmail'] : NULL;

    $this->acctCreation = ($values['acctCreation']) ? (int) $values['acctCreation'] : NULL;

    $this->disableAdminPasswordField = $values['disableAdminPasswordField'];

    $this->ldapUserSynchMappings = $this->synchMappingsFromForm($values, $storage);

  }

  /**

   * Extract synch mappings array from mapping table in admin form.

   *

   * @param array $values

   *   as $form_state['values'] from drupal form api.

   * @param array $storage

   *   as $form_state['storage'] from drupal form api

   *

   *   $values input names in form:

   *   1__sm__configurable__5,

   *   1__sm__remove__5,

   *   1__sm__ldap_attr__5,

   *   1__sm__convert__5,

   *   1__sm__direction__5,

   *   1__sm__user_attr__5,

   *   1__sm__user_tokens__5

   *   1__sm__1__5,

   *   1__sm__2__5,

   *   ...where

   *   -- first arg is direction, eg 1 or 2 LDAP_USER_PROV_DIRECTION_TO_DRUPAL_USER or LDAP_USER_PROV_DIRECTION_TO_LDAP_ENTRY

   *   -- second arg is discarded ('sm')

   *   -- third part is field, e.g. user_attr

   *   -- fourth is the row in the configuration form, e.g. 5

   *

   *   where additiond data is in $form['#storage'][<direction>]['synch_mapping_fields'][N]

   *   $form['#storage']['synch_mapping_fields'][<direction>][N] = array(

   *   'sid' => $sid,

   *   'action' => 'add',

   *   );.

   */

  private function synchMappingsFromForm($values, $storage) {

    $mappings = [];

    foreach ($values as $field => $value) {

      $parts = explode('__', $field);

      // Since synch mapping fields are in n-tuples, process entire n-tuple at once.

      if (count($parts) != 4 || $parts[1] !== 'sm') {

        continue;

      }

      list($direction, $discard, $column_name, $i) = $parts;

      $action = $storage['synch_mapping_fields'][$direction][$i]['action'];

      $row_mappings = [];

      foreach (['remove', 'configurable_to_drupal', 'configurable_to_ldap', 'convert', 'ldap_attr', 'user_attr', 'user_tokens'] as $column_name) {

        $input_name = join('__', [$direction, 'sm', $column_name, $i]);

        $row_mappings[$column_name] = isset($values[$input_name]) ? $values[$input_name] : NULL;

      }

      if ($row_mappings['remove']) {

        continue;

      }

      $key = ($direction == LDAP_USER_PROV_DIRECTION_TO_DRUPAL_USER) ? $row_mappings['user_attr'] : $row_mappings['ldap_attr'];

      if ($row_mappings['configurable_to_drupal'] && $row_mappings['ldap_attr'] && $row_mappings['user_attr']) {

        $mappings[$direction][$key] = [

          'ldap_attr' => $row_mappings['ldap_attr'],

          'user_attr' => $row_mappings['user_attr'],

          'convert' => $row_mappings['convert'],

          'direction' => $direction,

          'user_tokens' => $row_mappings['user_tokens'],

          'config_module' => 'ldap_user',

          'prov_module' => 'ldap_user',

          'enabled' => 1,

        ];

        $synchEvents = ($direction == LDAP_USER_PROV_DIRECTION_TO_DRUPAL_USER) ? $this->provisionsDrupalEvents : $this->provisionsLdapEvents;

        foreach ($synchEvents as $prov_event => $discard) {

          $input_name = join('__', [$direction, 'sm', $prov_event, $i]);

          if (isset($values[$input_name]) && $values[$input_name]) {

            $mappings[$direction][$key]['prov_events'][] = $prov_event;

          }

        }

      }

    }

    return $mappings;

  }

  /**

   * Method to respond to successfully validated form submit.

   *

   * @param array $values

   *   as $form_state['values'] from drupal form api.

   * @param array $storage

   *   as $form_state['storage'] from drupal form api.

   *

   * @return by reference to $form array

   */

  public function drupalFormSubmit($values, $storage) {

    $this->populateFromDrupalForm($values, $storage);

    try {

      $save_result = $this->save();

    }

    catch (Exception $e) {

      $this->errorName = 'Save Error';

      $this->errorMsg = t('Failed to save object.  Your form data was not saved.');

      $this->hasError = TRUE;

    }

  }

  /**

   * Add existing mappings to ldap user provisioning mapping admin form table.

   *

   * @param drupal form array $form

   * @param enum $direction

   *   LDAP_USER_PROV_DIRECTION_TO_DRUPAL_USER or LDAP_USER_PROV_DIRECTION_TO_LDAP_ENTRY.

   *

   * @return by reference to $form array

   */

  private function addServerMappingFields(&$form, $direction) {

    if ($direction == LDAP_USER_PROV_DIRECTION_NONE) {

      return;

    }

    $text = ($direction == LDAP_USER_PROV_DIRECTION_TO_DRUPAL_USER) ? 'target' : 'source';

    $user_attr_options = ['0' => t('Select') . ' ' . $text];

    if (!empty($this->synchMapping[$direction])) {

      foreach ($this->synchMapping[$direction] as $target_id => $mapping) {