From 9092a3a39bb299f34c4187b44b877b7bec1a08b6 Mon Sep 17 00:00:00 2001
From: Brian Lycett <brian@wheelybird.co.uk>
Date: Mon, 4 Apr 2022 13:55:56 +0100
Subject: [PATCH] Add attribute fields for groups and allow user-defined
 attributes to be displayed.  Move alert banner JS to a function.

---
 www/account_manager/groups.php      |  23 +-
 www/account_manager/index.php       |  24 +-
 www/account_manager/new_user.php    |  29 ++-
 www/account_manager/show_group.php  | 379 ++++++++++++++++------------
 www/account_manager/show_user.php   | 113 +++------
 www/includes/config.inc.php         |   5 +
 www/includes/ldap_functions.inc.php | 210 ++++++++-------
 www/includes/web_functions.inc.php  |  15 +-
 8 files changed, 427 insertions(+), 371 deletions(-)

diff --git a/www/account_manager/groups.php b/www/account_manager/groups.php
index fbbe471..b6d865d 100644
--- a/www/account_manager/groups.php
+++ b/www/account_manager/groups.php
@@ -14,37 +14,18 @@ $ldap_connection = open_ldap_connection();
 
 if (isset($_POST['delete_group'])) {
 
- ?>
- <script>
-    window.setTimeout(function() {
-                                  $(".alert").fadeTo(500, 0).slideUp(500, function(){ $(this).remove(); });
-                                 }, 4000);
- </script>
- <?php
-
  $this_group = $_POST['delete_group'];
  $this_group = urldecode($this_group);
 
  $del_group = ldap_delete_group($ldap_connection,$this_group);
 
  if ($del_group) {
-  ?>
-  <div class="alert alert-success" role="alert">
-   <button type="button" class="close" data-dismiss="alert" aria-label="Close"><span aria-hidden="TRUE">&times;</span></button>
-   <p class="text-center">Group <strong><?php print $this_group; ?> was deleted.</p>
-  </div>
-  <?php
+   render_alert_banner("Group <strong>$this_group</strong> was deleted.");
  }
  else {
-  ?>
-  <div class="alert alert-danger" role="alert">
-   <button type="button" class="close" data-dismiss="alert" aria-label="Close"><span aria-hidden="TRUE">&times;</span></button>
-   <p class="text-center">Group <strong><?php print $this_group; ?></strong> wasn't deleted.</p>
-  </div>
-  <?php
+   render_alert_banner("Group <strong>$this_group</strong> wasn't deleted.  See the logs for more information.","danger",15000);
  }
 
-
 }
 
 $groups = ldap_get_group_list($ldap_connection);
diff --git a/www/account_manager/index.php b/www/account_manager/index.php
index 573ebda..c6d5e28 100644
--- a/www/account_manager/index.php
+++ b/www/account_manager/index.php
@@ -14,39 +14,21 @@ $ldap_connection = open_ldap_connection();
 
 if (isset($_POST['delete_user'])) {
 
- ?>
- <script>
-    window.setTimeout(function() {
-                                  $(".alert").fadeTo(500, 0).slideUp(500, function(){ $(this).remove(); });
-                                 }, 4000);
- </script>
- <?php
-
  $this_user = $_POST['delete_user'];
  $this_user = urldecode($this_user);
 
  $del_user = ldap_delete_account($ldap_connection,$this_user);
 
  if ($del_user) {
- ?>
- <div class="alert alert-success" role="alert">
-  <button type="button" class="close" data-dismiss="alert" aria-label="Close"><span aria-hidden="TRUE">&times;</span></button>
-  <p class="text-center">User <strong><?php print $this_user; ?> was deleted.</p>
- </div>
- <?php
+   render_alert_banner("User <strong>$this_user</strong> was deleted.");
  }
  else {
- ?>
- <div class="alert alert-danger" role="alert">
-  <button type="button" class="close" data-dismiss="alert" aria-label="Close"><span aria-hidden="TRUE">&times;</span></button>
-  <p class="text-center">User <strong><?php print $this_user; ?></strong> wasn't deleted.</p>
- </div>
- <?php
+   render_alert_banner("User <strong>$this_user</strong> wasn't deleted.  See the logs for more information.","danger",15000);
  }
 
 
 }
-#'
+
 $people = ldap_get_user_list($ldap_connection);
 
 ?>
diff --git a/www/account_manager/new_user.php b/www/account_manager/new_user.php
index f7bacf1..7732654 100644
--- a/www/account_manager/new_user.php
+++ b/www/account_manager/new_user.php
@@ -6,7 +6,11 @@ include_once "web_functions.inc.php";
 include_once "ldap_functions.inc.php";
 include_once "module_functions.inc.php";
 
-$attribute_map = ldap_complete_account_attribute_array();
+$attribute_map = $LDAP['default_attribute_map'];
+if (isset($LDAP['account_additional_attributes'])) { $attribute_map = ldap_complete_attribute_array($attribute_map,$LDAP['account_additional_attributes']); }
+if (! array_key_exists($LDAP['account_attribute'], $attribute_map)) {
+  $attribute_r = array_merge($attribute_map, array($LDAP['account_attribute'] => array("label" => "Account UID")));
+}
 
 if ( isset($_POST['setup_admin_account']) ) {
  $admin_setup = TRUE;
@@ -321,18 +325,17 @@ $tabindex=1;
      <input type="hidden" name="create_account">
      <input type="hidden" id="pass_score" value="0" name="pass_score">
 
-
-<?php
-  foreach ($attribute_map as $attribute => $attr_r) {
-    $label = $attr_r['label'];
-    if (isset($attr_r['onkeyup'])) { $onkeyup = $attr_r['onkeyup']; } else { $onkeyup = ""; }
-    if ($attribute == $LDAP['account_attribute']) { $label = "<strong>$label</strong><sup>&ast;</sup>"; }
-    if (isset($$attribute)) { $these_values=$$attribute; } else { $these_values = array(); }
-    if (isset($attr_r['multiple'])) { $multiple = $attr_r['multiple']; } else { $multiple = FALSE; }
-    render_attribute_fields($attribute,$label,$these_values,$onkeyup,$multiple,$tabindex);
-    $tabindex++;
-  }
-?>
+     <?php
+       foreach ($attribute_map as $attribute => $attr_r) {
+         $label = $attr_r['label'];
+         if (isset($attr_r['onkeyup'])) { $onkeyup = $attr_r['onkeyup']; } else { $onkeyup = ""; }
+         if ($attribute == $LDAP['account_attribute']) { $label = "<strong>$label</strong><sup>&ast;</sup>"; }
+         if (isset($$attribute)) { $these_values=$$attribute; } else { $these_values = array(); }
+         if (isset($attr_r['multiple'])) { $multiple = $attr_r['multiple']; } else { $multiple = FALSE; }
+         render_attribute_fields($attribute,$label,$these_values,$onkeyup,$multiple,$tabindex);
+         $tabindex++;
+       }
+     ?>
 
      <div class="form-group" id="password_div">
       <label for="password" class="col-sm-3 control-label">Password</label>
diff --git a/www/account_manager/show_group.php b/www/account_manager/show_group.php
index a212c34..18c783a 100644
--- a/www/account_manager/show_group.php
+++ b/www/account_manager/show_group.php
@@ -12,19 +12,18 @@ render_submenu();
 
 $ldap_connection = open_ldap_connection();
 
-
 if (!isset($_POST['group_name']) and !isset($_GET['group_name'])) {
 ?>
  <div class="alert alert-danger">
   <p class="text-center">The group name is missing.</p>
  </div>
 <?php
-render_footer();
-exit(0);
+ render_footer();
+ exit(0);
 }
 else {
- $group_cn =  (isset($_POST['group_name']) ? $_POST['group_name'] : $_GET['group_name']);
- $group_cn = urldecode($group_cn);
+  $group_cn = (isset($_POST['group_name']) ? $_POST['group_name'] : $_GET['group_name']);
+  $group_cn = urldecode($group_cn);
 }
 
 if ($ENFORCE_SAFE_SYSTEM_NAMES == TRUE and !preg_match("/$USERNAME_REGEX/",$group_cn)) {
@@ -33,14 +32,20 @@ if ($ENFORCE_SAFE_SYSTEM_NAMES == TRUE and !preg_match("/$USERNAME_REGEX/",$grou
   <p class="text-center">The group name is invalid.</p>
  </div>
 <?php
-render_footer();
-exit(0);
+ render_footer();
+ exit(0);
 }
 
 
 ######################################################################################
 
 $initialise_group = FALSE;
+$attribute_map = $LDAP['default_group_attribute_map'];
+if (isset($LDAP['group_additional_attributes'])) {
+  $attribute_map = ldap_complete_attribute_array($attribute_map,$LDAP['group_additional_attributes']);
+}
+$to_update = array();
+$this_group = array();
 
 if (isset($_POST['new_group'])) {
   $new_group = TRUE;
@@ -57,99 +62,123 @@ elseif (isset($_POST['initialise_group'])) {
 }
 else {
   $new_group = FALSE;
-  $initialise_group = TRUE;
   $current_members = ldap_get_group_members($ldap_connection,$group_cn);
-  $full_dn = ldap_get_dn_of_group($ldap_connection,$group_cn);
+  $this_group = ldap_get_group_entry($ldap_connection,$group_cn);
+  $full_dn = $this_group[0]['dn'];
   $has_been = "updated";
 }
 
+foreach ($attribute_map as $attribute => $attr_r) {
+
+  if (isset($this_group[0][$attribute]) and $this_group[0][$attribute]['count'] > 0) {
+    $$attribute = $this_group[0][$attribute];
+  }
+  else {
+    $$attribute = array();
+  }
+
+  if (isset($_POST[$attribute])) {
+
+    $this_attribute = array();
+
+    if (is_array($_POST[$attribute])) {
+      $this_attribute['count'] = count($_POST[$attribute]);
+      foreach($_POST[$attribute] as $key => $value) {
+        $this_attribute[$key] = filter_var($value, FILTER_SANITIZE_FULL_SPECIAL_CHARS);
+      }
+    }
+    else {
+      $this_attribute['count'] = 1;
+      $this_attribute[0] = filter_var($_POST[$attribute], FILTER_SANITIZE_FULL_SPECIAL_CHARS);
+    }
+
+    if ($this_attribute != $$attribute) {
+      $$attribute = $this_attribute;
+      $to_update[$attribute] = $this_attribute;
+      unset($to_update[$attribute]['count']);
+    }
+
+  }
+
+  if (!isset($$attribute) and isset($attr_r['default'])) {
+    $$attribute['count'] = 1;
+    $$attribute[0] = $attr_r['default'];
+  }
+
+}
+
+if (!isset($gidnumber[0]) or !is_numeric($gidnumber[0])) {
+  $gidnumber[0]=ldap_get_highest_id($ldap_connection,$type="gid");
+  $gidnumber['count']=1;
+}
 
 ######################################################################################
 
-
-$current_members = ldap_get_group_members($ldap_connection,$group_cn);
-$full_dn = ldap_get_dn_of_group($ldap_connection,$group_cn);
 $all_accounts = ldap_get_user_list($ldap_connection);
 $all_people = array();
 
 foreach ($all_accounts as $this_person => $attrs) {
- array_push($all_people, $this_person);
+  array_push($all_people, $this_person);
 }
 
 $non_members = array_diff($all_people,$current_members);
 
 if (isset($_POST["update_members"])) {
 
- $updated_membership = array();
+  $updated_membership = array();
 
- foreach ($_POST as $index => $member) {
-
-  if (is_numeric($index)) {
-   array_push($updated_membership,$member);
+  foreach ($_POST['membership'] as $index => $member) {
+    if (is_numeric($index)) {
+     array_push($updated_membership,filter_var($member, FILTER_SANITIZE_FULL_SPECIAL_CHARS));
+    }
   }
- }
 
- if ($group_cn == $LDAP['admins_group'] and !array_search($USER_ID, $updated_membership)){
-   array_push($updated_membership,$USER_ID);
- }
+  if ($group_cn == $LDAP['admins_group'] and !array_search($USER_ID, $updated_membership)){
+    array_push($updated_membership,$USER_ID);
+  }
 
- $members_to_del = array_diff($current_members,$updated_membership);
- $members_to_add = array_diff($updated_membership,$current_members);
+  $members_to_del = array_diff($current_members,$updated_membership);
+  $members_to_add = array_diff($updated_membership,$current_members);
 
- if ($initialise_group == TRUE) {
-   $initial_member = array_shift($members_to_add);
-   $group_add = ldap_new_group($ldap_connection,$group_cn,$initial_member);
- }
- foreach ($members_to_add as $this_member) {
-  ldap_add_member_to_group($ldap_connection,$group_cn,$this_member);
- }
+  if ($initialise_group == TRUE) {
+    $initial_member = array_shift($members_to_add);
+    $group_add = ldap_new_group($ldap_connection,$group_cn,$initial_member,$to_update);
+  }
+  elseif(count($to_update) > 0) {
+    $updated_attr = ldap_update_group_attributes($ldap_connection,$group_cn,$to_update);
+    if ($updated_attr) {
+      render_alert_banner("The group attributes have been updated.");
+    }
+    else {
+      render_alert_banner("There was a problem updating the group attributes.  See the logs for more information.","danger",15000);
+    }
+  }
 
- foreach ($members_to_del as $this_member) {
-  ldap_delete_member_from_group($ldap_connection,$group_cn,$this_member);
- }
+  foreach ($members_to_add as $this_member) {
+    ldap_add_member_to_group($ldap_connection,$group_cn,$this_member);
+  }
 
- $non_members = array_diff($all_people,$updated_membership);
- $group_members = $updated_membership;
+  foreach ($members_to_del as $this_member) {
+    ldap_delete_member_from_group($ldap_connection,$group_cn,$this_member);
+  }
 
- $rfc2307bis_available = ldap_detect_rfc2307bis($ldap_connection);
- if ($rfc2307bis_available == TRUE and count($group_members) == 0) {
+  $non_members = array_diff($all_people,$updated_membership);
+  $group_members = $updated_membership;
 
-   $group_members = ldap_get_group_members($ldap_connection,$group_cn);
-   $non_members = array_diff($all_people,$group_members);
+  $rfc2307bis_available = ldap_detect_rfc2307bis($ldap_connection);
+  if ($rfc2307bis_available == TRUE and count($group_members) == 0) {
 
-   ?>
-    <script>
-      window.setTimeout(function() {
-                                    $(".alert").fadeTo(500, 0).slideUp(500, function(){ $(this).remove(); });
-                                   }, 15000);
-    </script>
-    <div class="alert alert-danger" role="alert">
-     <button type="button" class="close" data-dismiss="alert" aria-label="Close"><span aria-hidden="TRUE">&times;</span></button>
-     <p class="text-center">Groups can't be empty, so the final member hasn't been removed.  You could try deleting the group.</p>
-    </div>
-
-   <?php
-
- }
- else {
-
-   ?>
-    <script>
-      window.setTimeout(function() {
-                                    $(".alert").fadeTo(500, 0).slideUp(500, function(){ $(this).remove(); });
-                                   }, 4000);
-    </script>
-    <div class="alert alert-success" role="alert">
-     <button type="button" class="close" data-dismiss="alert" aria-label="Close"><span aria-hidden="TRUE">&times;</span></button>
-     <p class="text-center">The group has been <?php print $has_been; ?>.</p>
-    </div>
-
-   <?php
+    $group_members = ldap_get_group_members($ldap_connection,$group_cn);
+    $non_members = array_diff($all_people,$group_members);
+    render_alert_banner("Groups can't be empty, so the final member hasn't been removed.  You could try deleting the group","danger",15000);
+  }
+  else {
+    render_alert_banner("The group has been ${has_been}.");
   }
 
 }
 else {
- $group_members = $current_members;
+  $group_members = $current_members;
 }
 
 ldap_close($ldap_connection);
@@ -177,7 +206,7 @@ ldap_close($ldap_connection);
   for (var i = 0; i < member_list.length; ++i) {
     var hidden = document.createElement("input");
         hidden.type = "hidden";
-        hidden.name = i;
+        hidden.name = 'membership[]';
         hidden.value = member_list[i]['textContent'];
         members_form.appendChild(hidden);
 
@@ -205,7 +234,10 @@ ldap_close($ldap_connection);
             $('.list-right ul li.active').removeClass('active');
             actives.remove();
         }
-        $("#submit_members").prop("disabled", false);
+        if ($("#membership_list").length > 0) {
+          $("#submit_members").prop("disabled", false);
+          $("#submit_attributes").prop("disabled", false);
+        }
     });
     $('.dual-list .selector').click(function () {
         var $checkBox = $(this);
@@ -257,97 +289,132 @@ ldap_close($ldap_connection);
 
 
 <div class="container">
+  <div class="col-md-12">
+    <div class="panel-group">
+      <div class="panel panel-default">
 
- <div class="panel panel-default">
-  <div class="panel-heading clearfix">
-   <h3 class="panel-title pull-left" style="padding-top: 7.5px;"><?php print $group_cn; ?><?php if ($group_cn == $LDAP["admins_group"]) { print " <sup>(admin group)</sup>" ; } ?></h3>
-   <button class="btn btn-warning pull-right" onclick="show_delete_group_button();" <?php if ($group_cn == $LDAP["admins_group"]) { print "disabled"; } ?>>Delete group</button>
-   <form action="<?php print "${THIS_MODULE_PATH}"; ?>/groups.php" method="post"><input type="hidden" name="delete_group" value="<?php print $group_cn; ?>"><button class="btn btn-danger pull-right invisible" id="delete_group">Confirm deletion</button></form>
-  </div>
-  <ul class="list-group">
-   <li class="list-group-item"><?php print $full_dn; ?></li>
-  </li>
-  <div class="panel-body">
+        <div class="panel-heading clearfix">
+          <h3 class="panel-title pull-left" style="padding-top: 7.5px;"><?php print $group_cn; ?><?php if ($group_cn == $LDAP["admins_group"]) { print " <sup>(admin group)</sup>" ; } ?></h3>
+          <button class="btn btn-warning pull-right" onclick="show_delete_group_button();" <?php if ($group_cn == $LDAP["admins_group"]) { print "disabled"; } ?>>Delete group</button>
+          <form action="<?php print "${THIS_MODULE_PATH}"; ?>/groups.php" method="post"><input type="hidden" name="delete_group" value="<?php print $group_cn; ?>"><button class="btn btn-danger pull-right invisible" id="delete_group">Confirm deletion</button></form>
+        </div>
 
-   <div class="row">
+        <ul class="list-group">
+          <li class="list-group-item"><?php print $full_dn; ?></li>
+        </li>
 
-        <div class="dual-list list-left col-md-5">
-         <strong>Members</strong>
-         <div class="well">
+        <div class="panel-body">
           <div class="row">
-           <div class="col-md-10">
-            <div class="input-group">
-             <span class="input-group-addon glyphicon glyphicon-search"></span>
-             <input type="text" name="SearchDualList" class="form-control" placeholder="search" />
+            <div class="dual-list list-left col-md-5">
+              <strong>Members</strong>
+              <div class="well">
+                <div class="row">
+                  <div class="col-md-10">
+                    <div class="input-group">
+                      <span class="input-group-addon glyphicon glyphicon-search"></span>
+                      <input type="text" name="SearchDualList" class="form-control" placeholder="search" />
+                    </div>
+                  </div>
+                  <div class="col-md-2">
+                    <div class="btn-group">
+                      <a class="btn btn-default selector" title="select all"><i class="glyphicon glyphicon-unchecked"></i></a>
+                    </div>
+                  </div>
+                </div>
+                <ul class="list-group" id="membership_list">
+                  <?php
+                  foreach ($group_members as $member) {
+                    if ($group_cn == $LDAP['admins_group'] and $member == $USER_ID) {
+                      print "<div class='list-group-item' style='opacity: 0.5; pointer-events:none;'>$member</div>\n";
+                    }
+                    else {
+                      print "<li class='list-group-item'>$member</li>\n";
+                    }
+                  }
+                  ?>
+                </ul>
+              </div>
             </div>
-           </div>
-           <div class="col-md-2">
-            <div class="btn-group">
-             <a class="btn btn-default selector" title="select all"><i class="glyphicon glyphicon-unchecked"></i></a>
+            <div class="list-arrows col-md-1 text-center">
+              <button class="btn btn-default btn-sm move-left">
+                <span class="glyphicon glyphicon-chevron-left"></span>
+              </button>
+              <button class="btn btn-default btn-sm move-right">
+                <span class="glyphicon glyphicon-chevron-right"></span>
+              </button>
+              <form id="group_members" action="<?php print $CURRENT_PAGE; ?>" method="post">
+                <input type="hidden" name="update_members">
+                <input type="hidden" name="group_name" value="<?php print urlencode($group_cn); ?>">
+                <?php if ($new_group == TRUE) { ?><input type="hidden" name="initialise_group"><?php } ?>
+                <button id="submit_members" class="btn btn-info" <?php if (count($group_members)==0) print 'disabled'; ?> type="submit" onclick="update_form_with_users()">Save</button>
+            </div>
+
+            <div class="dual-list list-right col-md-5">
+              <strong>Available accounts</strong>
+              <div class="well">
+                <div class="row">
+                  <div class="col-md-2">
+                    <div class="btn-group">
+                      <a class="btn btn-default selector" title="select all"><i class="glyphicon glyphicon-unchecked"></i></a>
+                    </div>
+                  </div>
+                  <div class="col-md-10">
+                    <div class="input-group">
+                      <input type="text" name="SearchDualList" class="form-control" placeholder="search" />
+                      <span class="input-group-addon glyphicon glyphicon-search"></span>
+                    </div>
+                  </div>
+                </div>
+                <ul class="list-group">
+                  <?php
+                   foreach ($non_members as $nonmember) {
+                     print "<li class='list-group-item'>$nonmember</li>\n";
+                   }
+                 ?>
+                </ul>
+              </div>
             </div>
-           </div>
           </div>
-          <ul class="list-group" id="membership_list">
-           <?php
-           foreach ($group_members as $member) {
-             if ($group_cn == $LDAP['admins_group'] and $member == $USER_ID) {
-               print "<div class='list-group-item' style='opacity: 0.5; pointer-events:none;'>$member</div>\n";
-             }
-             else {
-               print "<li class='list-group-item'>$member</li>\n";
-             }
-           }
-           ?>
-          </ul>
-         </div>
         </div>
-
-        <div class="list-arrows col-md-1 text-center">
-         <button class="btn btn-default btn-sm move-left">
-          <span class="glyphicon glyphicon-chevron-left"></span>
-         </button>
-         <button class="btn btn-default btn-sm move-right">
-          <span class="glyphicon glyphicon-chevron-right"></span>
-         </button>
-         <form id="group_members" action="<?php print $CURRENT_PAGE; ?>" method="post">
-          <input type="hidden" name="update_members">
-          <input type="hidden" name="group_name" value="<?php print urlencode($group_cn); ?>">
-          <?php if ($new_group == TRUE) { ?><input type="hidden" name="initialise_group"><?php } ?>
-         </form>
-         <button id="submit_members" class="btn btn-info" disabled type="submit" onclick="update_form_with_users()">Save</button>
-        </div>
-
-        <div class="dual-list list-right col-md-5">
-         <strong>Available accounts</strong>
-         <div class="well">
-          <div class="row">
-           <div class="col-md-2">
-            <div class="btn-group">
-             <a class="btn btn-default selector" title="select all"><i class="glyphicon glyphicon-unchecked"></i></a>
-            </div>
-           </div>
-           <div class="col-md-10">
-            <div class="input-group">
-             <input type="text" name="SearchDualList" class="form-control" placeholder="search" />
-             <span class="input-group-addon glyphicon glyphicon-search"></span>
-            </div>
-           </div>
-          </div>
-          <ul class="list-group">
-           <?php
-            foreach ($non_members as $nonmember) {
-              print "<li class='list-group-item'>$nonmember</li>\n";
-            }
-           ?>
-          </ul>
-         </div>
-        </div>
-
-	</div>
-</div>
-
-
-
+      </div>
 <?php
-render_footer();
-?>
+
+if ($SIMPLE_INTERFACE == TRUE) {
+  unset($attribute_map['gidnumber']);
+}
+
+if (count($attribute_map) > 0) { ?>
+      <div class="panel panel-default">
+        <div class="panel-heading clearfix">
+          <h3 class="panel-title pull-left" style="padding-top: 7.5px;">Group attributes</h3>
+        </div>
+        <div class="panel-body">
+          <div class="col-md-8">
+            <?php
+              $tabindex=1;
+              foreach ($attribute_map as $attribute => $attr_r) {
+                $label = $attr_r['label'];
+                if (isset($$attribute)) { $these_values=$$attribute; } else { $these_values = array(); }
+                if (isset($attr_r['multiple'])) { $multiple = $attr_r['multiple']; } else { $multiple = FALSE; }
+                print "<div class='row'>";
+                render_attribute_fields($attribute,$label,$these_values,"",$multiple,$tabindex);
+                print "</div>";
+                $tabindex++;
+              }
+            ?>
+            <div class="row">
+              <div class="col-md-4 col-md-offset-3">
+                <div class="form-group">
+                  <button id="submit_attributes" class="btn btn-info" <?php if (count($group_members)==0) print 'disabled'; ?> type="submit" tabindex="<?php print $tabindex; ?>" onclick="update_form_with_users()">Save</button>
+                </div>
+              </div>
+            </div>
+          </div>
+        </div>
+      </div>
+<?php } ?>
+              </form>
+    </div>
+  </div>
+</div>
+<?php render_footer(); ?>
diff --git a/www/account_manager/show_user.php b/www/account_manager/show_user.php
index 63cd96a..66ad7fc 100644
--- a/www/account_manager/show_user.php
+++ b/www/account_manager/show_user.php
@@ -24,7 +24,11 @@ if ($SIMPLE_INTERFACE == FALSE) {
 }
 $LDAP['default_attribute_map']["mail"]  = array("label" => "Email", "onkeyup" => "check_if_we_should_enable_sending_email();");
 
-$attribute_map = ldap_complete_account_attribute_array();
+$attribute_map = $LDAP['default_attribute_map'];
+if (isset($LDAP['account_additional_attributes'])) { $attribute_map = ldap_complete_attribute_array($attribute_map,$LDAP['account_additional_attributes']); }
+if (! array_key_exists($LDAP['account_attribute'], $attribute_map)) {
+  $attribute_r = array_merge($attribute_map, array($LDAP['account_attribute'] => array("label" => "Account UID")));
+}
 
 if (!isset($_POST['account_identifier']) and !isset($_GET['account_identifier'])) {
 ?>
@@ -164,30 +168,10 @@ if ($ldap_search) {
     }
 
   if ($updated_account) {
-   ?>
-   <script>
-     window.setTimeout(function() {
-                                   $(".alert").fadeTo(500, 0).slideUp(500, function(){ $(this).remove(); });
-                                  }, 4000);
-   </script>
-   <div class="alert alert-success" role="alert">
-    <button type="button" class="close" data-dismiss="alert" aria-label="Close"><span aria-hidden="TRUE">&times;</span></button>
-    <p class="text-center">The account has been updated.<?php print $sent_email_message; ?></p>
-   </div>
-  <?php
+    render_alert_banner("The account has been updated.  $sent_email_message");
   }
   else {
-   ?>
-   <script>
-     window.setTimeout(function() {
-                                   $(".alert").fadeTo(500, 0).slideUp(500, function(){ $(this).remove(); });
-                                  }, 4000);
-   </script>
-   <div class="alert alert-danger" role="alert">
-    <button type="button" class="close" data-dismiss="alert" aria-label="Close"><span aria-hidden="TRUE">&times;</span></button>
-    <p class="text-center">There was a problem updating the account.  Check the logs for more information.</p>
-   </div>
-  <?php
+    render_alert_banner("There was a problem updating the account.  Check the logs for more information.","danger",15000);
   }
  }
 
@@ -248,19 +232,7 @@ if ($ldap_search) {
 
   $not_member_of = array_diff($all_groups,$updated_group_membership);
   $member_of = $updated_group_membership;
-
-  ?>
-   <script>
-     window.setTimeout(function() {
-                                   $(".alert").fadeTo(500, 0).slideUp(500, function(){ $(this).remove(); });
-                                  }, 4000);
-   </script>
-   <div class="alert alert-success" role="alert">
-    <button type="button" class="close" data-dismiss="alert" aria-label="Close"><span aria-hidden="TRUE">&times;</span></button>
-    <p class="text-center">The group membership has been updated.</p>
-   </div>
-
-  <?php
+  render_alert_banner("The group membership has been updated.");
 
  }
  else {
@@ -454,48 +426,47 @@ if ($ldap_search) {
       <input type="hidden" id="pass_score" value="0" name="pass_score">
       <input type="hidden" name="account_identifier" value="<?php print $account_identifier; ?>">
 
+      <?php
+        foreach ($attribute_map as $attribute => $attr_r) {
+          $label = $attr_r['label'];
+          if (isset($attr_r['onkeyup'])) { $onkeyup = $attr_r['onkeyup']; } else { $onkeyup = ""; }
+          if ($attribute == $LDAP['account_attribute']) { $label = "<strong>$label</strong><sup>&ast;</sup>"; }
+          if (isset($$attribute)) { $these_values=$$attribute; } else { $these_values = array(); }
+          if (isset($attr_r['multiple'])) { $multiple = $attr_r['multiple']; } else { $multiple = FALSE; }
+          render_attribute_fields($attribute,$label,$these_values,$onkeyup,$multiple);
+        }
+      ?>
 
-<?php
-  foreach ($attribute_map as $attribute => $attr_r) {
-    $label = $attr_r['label'];
-    if (isset($attr_r['onkeyup'])) { $onkeyup = $attr_r['onkeyup']; } else { $onkeyup = ""; }
-    if ($attribute == $LDAP['account_attribute']) { $label = "<strong>$label</strong><sup>&ast;</sup>"; }
-    if (isset($$attribute)) { $these_values=$$attribute; } else { $these_values = array(); }
-    if (isset($attr_r['multiple'])) { $multiple = $attr_r['multiple']; } else { $multiple = FALSE; }
-    render_attribute_fields($attribute,$label,$these_values,$onkeyup,$multiple);
-  }
-?>
-
-     <div class="form-group" id="password_div">
-      <label for="password" class="col-sm-3 control-label">Password</label>
-      <div class="col-sm-6">
-       <input type="password" class="form-control" id="password" name="password" onkeyup="back_to_hidden('password','confirm'); check_if_we_should_enable_sending_email();">
-      </div>
-      <div class="col-sm-1">
-       <input type="button" class="btn btn-sm" id="password_generator" onclick="random_password(); check_if_we_should_enable_sending_email();" value="Generate password">
-      </div>
-     </div>
-
-     <div class="form-group" id="confirm_div">
-      <label for="confirm" class="col-sm-3 control-label">Confirm</label>
-      <div class="col-sm-6">
-       <input type="password" class="form-control" id="confirm" name="password_match" onkeyup="check_passwords_match()">
-      </div>
-     </div>
-
-<?php  if ($can_send_email == TRUE) { ?>
-      <div class="form-group" id="send_email_div">
-       <label for="send_email" class="col-sm-3 control-label"> </label>
+      <div class="form-group" id="password_div">
+       <label for="password" class="col-sm-3 control-label">Password</label>
        <div class="col-sm-6">
-        <input type="checkbox" class="form-check-input" id="send_email_checkbox" name="send_email" disabled>  Email the updated credentials to the user?
+        <input type="password" class="form-control" id="password" name="password" onkeyup="back_to_hidden('password','confirm'); check_if_we_should_enable_sending_email();">
        </div>
+       <div class="col-sm-1">
+        <input type="button" class="btn btn-sm" id="password_generator" onclick="random_password(); check_if_we_should_enable_sending_email();" value="Generate password">
+       </div>
+      </div>
+
+      <div class="form-group" id="confirm_div">
+       <label for="confirm" class="col-sm-3 control-label">Confirm</label>
+       <div class="col-sm-6">
+        <input type="password" class="form-control" id="confirm" name="password_match" onkeyup="check_passwords_match()">
+       </div>
+      </div>
+
+<?php if ($can_send_email == TRUE) { ?>
+      <div class="form-group" id="send_email_div">
+        <label for="send_email" class="col-sm-3 control-label"> </label>
+        <div class="col-sm-6">
+          <input type="checkbox" class="form-check-input" id="send_email_checkbox" name="send_email" disabled>  Email the updated credentials to the user?
+        </div>
       </div>
 <?php } ?>
 
 
-     <div class="form-group">
-       <p align='center'><button type="submit" class="btn btn-default">Update account details</button></p>
-     </div>
+      <div class="form-group">
+        <p align='center'><button type="submit" class="btn btn-default">Update account details</button></p>
+      </div>
 
     </form>
 
diff --git a/www/includes/config.inc.php b/www/includes/config.inc.php
index f30f661..da7d16a 100644
--- a/www/includes/config.inc.php
+++ b/www/includes/config.inc.php
@@ -12,6 +12,11 @@
                                          "mail"      => array("label" => "Email",           "onkeyup" => "auto_email_update = false; check_email_validity(document.getElementById('mail').value);")
                                         );
 
+ $LDAP['group_objectclasses'] = array( 'person', 'inetOrgPerson', 'posixAccount' );
+ $LDAP['default_group_attribute_map'] = array(  "gidnumber" => array("label" => "Group ID number")
+                                             );
+
+
  #Mandatory
 
  $LDAP['uri'] = getenv('LDAP_URI');
diff --git a/www/includes/ldap_functions.inc.php b/www/includes/ldap_functions.inc.php
index 53c4195..3b4da4e 100644
--- a/www/includes/ldap_functions.inc.php
+++ b/www/includes/ldap_functions.inc.php
@@ -438,19 +438,17 @@ function ldap_get_group_list($ldap_connection,$start=0,$entries=NULL,$sort="asc"
 ##################################
 
 
-function ldap_get_dn_of_group($ldap_connection,$group_name) {
+function ldap_get_group_entry($ldap_connection,$group_name) {
 
  global $log_prefix, $LDAP, $LDAP_DEBUG;
 
  if (isset($group_name)) {
 
   $ldap_search_query = "(${LDAP['group_attribute']}=" . ldap_escape($group_name, "", LDAP_ESCAPE_FILTER) . ")";
-  $ldap_search = @ ldap_search($ldap_connection, "${LDAP['group_dn']}", $ldap_search_query , array("dn"));
+  $ldap_search = @ ldap_search($ldap_connection, "${LDAP['group_dn']}", $ldap_search_query);
   $result = @ ldap_get_entries($ldap_connection, $ldap_search);
 
-  if (isset($result[0]['dn'])) {
-    return $result[0]['dn'];
-  }
+  return $result;
 
  }
 
@@ -567,7 +565,7 @@ function ldap_user_group_membership($ldap_connection,$username) {
 
 ##################################
 
-function ldap_new_group($ldap_connection,$group_name,$initial_member="") {
+function ldap_new_group($ldap_connection,$group_name,$initial_member="",$extra_attributes=array()) {
 
  global $log_prefix, $LDAP, $LDAP_DEBUG;
 
@@ -575,61 +573,70 @@ function ldap_new_group($ldap_connection,$group_name,$initial_member="") {
 
  if (isset($group_name)) {
 
-  $new_group = ldap_escape($group_name, "", LDAP_ESCAPE_FILTER);
-  $initial_member = ldap_escape($initial_member, "", LDAP_ESCAPE_FILTER);
+   $new_group = ldap_escape($group_name, "", LDAP_ESCAPE_FILTER);
+   $initial_member = ldap_escape($initial_member, "", LDAP_ESCAPE_FILTER);
+   $update_gid_store=FALSE;
 
-  $ldap_search_query = "(${LDAP['group_attribute']}=$new_group,${LDAP['group_dn']})";
-  $ldap_search = @ ldap_search($ldap_connection, "${LDAP['group_dn']}", $ldap_search_query);
-  $result = @ ldap_get_entries($ldap_connection, $ldap_search);
+   $ldap_search_query = "(${LDAP['group_attribute']}=$new_group,${LDAP['group_dn']})";
+   $ldap_search = @ ldap_search($ldap_connection, "${LDAP['group_dn']}", $ldap_search_query);
+   $result = @ ldap_get_entries($ldap_connection, $ldap_search);
 
-  if ($result['count'] == 0) {
+   if ($result['count'] == 0) {
 
-   $highest_gid = ldap_get_highest_id($ldap_connection,'gid');
-   $new_gid = $highest_gid + 1;
+     if ($rfc2307bis_available == FALSE) { $objectclasses = array('top','posixGroup'); } else { $objectclasses = array('top','groupOfUniqueNames','posixGroup'); }
+     if (isset($LDAP['group_additional_objectclasses']) and $LDAP['group_additional_objectclasses'] != "") {
+       $objectclasses = array_merge($objectclasses, explode(",", $LDAP['group_additional_objectclasses']));
+     }
+     if ($LDAP['group_membership_uses_uid'] == FALSE and $initial_member != "") { $initial_member = "${LDAP['account_attribute']}=$initial_member,${LDAP['user_dn']}"; }
 
-   if ($rfc2307bis_available == FALSE) { $objectclasses = array('top','posixGroup'); } else { $objectclasses = array('top','groupOfUniqueNames','posixGroup'); }
-   if (isset($LDAP['group_additional_objectclasses']) and $LDAP['group_additional_objectclasses'] != "")
-     $objectclasses = array_merge($objectclasses, explode(",", $LDAP['group_additional_objectclasses']));
-   if ($LDAP['group_membership_uses_uid'] == FALSE and $initial_member != "") { $initial_member = "${LDAP['account_attribute']}=$initial_member,${LDAP['user_dn']}"; }
+     $new_group_array=array( 'objectClass' => $objectclasses,
+                             'cn' => $new_group,
+                             $LDAP['group_membership_attribute'] => $initial_member
+                           );
 
-   $new_group_array=array( 'objectClass' => $objectclasses,
-                           'cn' => $new_group,
-                           'gidNumber' => $new_gid,
-                           $LDAP['group_membership_attribute'] => $initial_member
-                         );
+     $new_group_array = array_merge($new_group_array,$extra_attributes);
 
-   $group_dn="cn=$new_group,${LDAP['group_dn']}";
+     if (!isset($new_group_array["gidnumber"][0]) or !is_numeric($new_group_array["gidnumber"][0])) {
+       $highest_gid = ldap_get_highest_id($ldap_connection,'gid');
+       $new_gid = $highest_gid + 1;
+       $new_group_array["gidnumber"] = $new_gid;
+       $update_gid_store=TRUE;
+     }
 
-   $add_group = @ ldap_add($ldap_connection, $group_dn, $new_group_array);
+     $group_dn="cn=$new_group,${LDAP['group_dn']}";
 
-   if (! $add_group ) {
-    $this_error="$log_prefix LDAP: unable to add new group (${group_dn}): " . ldap_error($ldap_connection);
-    if ($LDAP_DEBUG == TRUE) { error_log("$log_prefix DEBUG add_group array: ". print_r($new_group_array,true),0); }
-    error_log($this_error,0);
-   }
-   else {
-    error_log("$log_prefix Added new group $group_name",0);
+     $add_group = @ ldap_add($ldap_connection, $group_dn, $new_group_array);
 
-    $this_gid = fetch_id_stored_in_ldap($ldap_connection,"gid");
-    if ($this_gid != FALSE) {
-     $update_gid = @ ldap_mod_replace($ldap_connection, "cn=lastGID,${LDAP['base_dn']}", array( 'serialNumber' => $new_gid ));
-     if ($update_gid) {
-      error_log("$log_prefix Updated cn=lastGID with $new_gid",0);
+     if (! $add_group ) {
+       $this_error="$log_prefix LDAP: unable to add new group (${group_dn}): " . ldap_error($ldap_connection);
+       if ($LDAP_DEBUG == TRUE) { error_log("$log_prefix DEBUG add_group array: ". print_r($new_group_array,true),0); }
+       error_log($this_error,0);
      }
      else {
-      error_log("$log_prefix Unable to update cn=lastGID to $new_gid - this could cause groups to share the same GID.",0);
-     }
-    }
-    return TRUE;
-   }
+       error_log("$log_prefix Added new group $group_name",0);
 
-  }
-  else {
-   error_log("$log_prefix Create group; group $group_name already exists.",0);
-  }
+       if ($update_gid_store == TRUE) {
+         $this_gid = fetch_id_stored_in_ldap($ldap_connection,"gid");
+         if ($this_gid != FALSE) {
+           $update_gid = @ ldap_mod_replace($ldap_connection, "cn=lastGID,${LDAP['base_dn']}", array( 'serialNumber' => $new_gid ));
+           if ($update_gid) {
+             error_log("$log_prefix Updated cn=lastGID with $new_gid",0);
+           }
+           else {
+             error_log("$log_prefix Unable to update cn=lastGID to $new_gid - this could cause groups to share the same GID.",0);
+           }
+         }
+         return TRUE;
+       }
+     }
+
+   }
+   else {
+     error_log("$log_prefix Create group; group $group_name already exists.",0);
+   }
  }
  else {
-  error_log("$log_prefix Create group; group name wasn't set.",0);
+   error_log("$log_prefix Create group; group name wasn't set.",0);
  }
 
  return FALSE;
@@ -637,6 +644,37 @@ function ldap_new_group($ldap_connection,$group_name,$initial_member="") {
 }
 
 
+##################################
+
+function ldap_update_group_attributes($ldap_connection,$group_name,$extra_attributes) {
+
+ global $log_prefix, $LDAP, $LDAP_DEBUG;
+
+ if (isset($group_name) and (count($extra_attributes) > 0)) {
+
+  $group_name = ldap_escape($group_name, "", LDAP_ESCAPE_FILTER);
+  $group_dn = "${LDAP['group_attribute']}=$group_name,${LDAP['group_dn']}";
+
+  $update_group = @ ldap_mod_replace($ldap_connection, $group_dn, $extra_attributes);
+
+  if (!$update_group ) {
+    $this_error="$log_prefix LDAP: unable to update group attributes for group (${group_dn}): " . ldap_error($ldap_connection);
+    if ($LDAP_DEBUG == TRUE) { error_log("$log_prefix DEBUG update group attributes array: ". print_r($extra_attributes,true),0); }
+    error_log($this_error,0);
+    return FALSE;
+  }
+  else {
+    error_log("$log_prefix Updated group attributes for $group_name",0);
+    return TRUE;
+  }
+ }
+ else {
+  error_log("$log_prefix Update group attributes; group name wasn't set.",0);
+  return FALSE;
+ }
+
+}
+
 ##################################
 
 function ldap_delete_group($ldap_connection,$group_name) {
@@ -687,58 +725,54 @@ function ldap_get_gid_of_group($ldap_connection,$group_name) {
 
 ##################################
 
-function ldap_complete_account_attribute_array() {
+function ldap_complete_attribute_array($default_attributes,$additional_attributes) {
 
- global $LDAP;
+  global $LDAP;
 
- $attribute_r = $LDAP['default_attribute_map'];
- $additional_attributes_r = array();
+  if (is_array($additional_attributes) and count($additional_attributes > 0)) {
 
- if (isset($LDAP['account_additional_attributes'])) {
+    $user_attribute_r = explode(",", $additional_attributes);
+    $to_merge = array();
 
-  $user_attribute_r = explode(",", $LDAP['account_additional_attributes']);
+    foreach ($user_attribute_r as $this_attr) {
 
-  foreach ($user_attribute_r as $this_attr) {
+      $this_r = array();
+      $kv = explode(":", $this_attr);
+      $attr_name = strtolower(filter_var($kv[0], FILTER_SANITIZE_FULL_SPECIAL_CHARS));
+      if (substr($attr_name, -1) == '+') {
+        $this_r['multiple'] = TRUE;
+        $attr_name = rtrim($attr_name, '+');
+      }
+      else {
+        $this_r['multiple'] = FALSE;
+      }
 
-    $this_r = array();
-    $kv = explode(":", $this_attr);
-    $attr_name = strtolower(filter_var($kv[0], FILTER_SANITIZE_FULL_SPECIAL_CHARS));
-    if (substr($attr_name, -1) == '+') {
-      $this_r['multiple'] = TRUE;
-      $attr_name = rtrim($attr_name, '+');
-    }
-    else {
-      $this_r['multiple'] = FALSE;
+      if (preg_match('/^[a-zA-Z0-9\-]+$/', $attr_name) == 1) {
+
+        if (isset($kv[1]) and $kv[1] != "") {
+          $this_r['label'] = filter_var($kv[1], FILTER_SANITIZE_FULL_SPECIAL_CHARS);
+        }
+        else {
+          $this_r['label'] = $attr_name;
+        }
+
+        if (isset($kv[2]) and $kv[2] != "") {
+          $this_r['default'] = filter_var($kv[2], FILTER_SANITIZE_FULL_SPECIAL_CHARS);
+        }
+
+        $to_merge[$attr_name] = $this_r;
+
+      }
     }
 
+    $attribute_r = array_merge($default_attributes, $to_merge);
 
-    if (preg_match('/^[a-zA-Z0-9\-]+$/', $attr_name) == 1) {
+    return($attribute_r);
 
-     if (isset($kv[1]) and $kv[1] != "") {
-      $this_r['label'] = filter_var($kv[1], FILTER_SANITIZE_FULL_SPECIAL_CHARS);
-     }
-     else {
-      $this_r['label'] = $attr_name;
-     }
-
-     if (isset($kv[2]) and $kv[2] != "") {
-      $this_r['default'] = filter_var($kv[2], FILTER_SANITIZE_FULL_SPECIAL_CHARS);
-     }
-
-     $additional_attributes_r[$attr_name] = $this_r;
-
-   }
   }
-
-  $attribute_r = array_merge($attribute_r, $additional_attributes_r);
-
- }
-
- if (! array_key_exists($LDAP['account_attribute'], $attribute_r)) {
-  $attribute_r = array_merge($attribute_r, array($LDAP['account_attribute'] => array("label" => "Account UID")));
- }
-
- return($attribute_r);
+  else {
+    return($default_attributes);
+  }
 
 }
 
diff --git a/www/includes/web_functions.inc.php b/www/includes/web_functions.inc.php
index 179b65e..5af6772 100644
--- a/www/includes/web_functions.inc.php
+++ b/www/includes/web_functions.inc.php
@@ -654,6 +654,19 @@ function render_attribute_fields($attribute,$label,$values_r,$onkeyup="",$multip
 }
 
 
+######################################################
+
+function render_alert_banner($message,$alert_class="success",$timeout=4000) {
 
-##EoFilelocal
+?>
+    <script>window.setTimeout(function() {$(".alert").fadeTo(500, 0).slideUp(500, function(){ $(this).remove(); }); }, $<?php print $timeout; ?>);</script>
+    <div class="alert alert-<?php print $alert_class; ?>" role="alert">
+     <button type="button" class="close" data-dismiss="alert" aria-label="Close"><span aria-hidden="TRUE">&times;</span></button>
+     <p class="text-center"><?php print $message; ?></p>
+    </div>
+<?php
+}
+
+
+##EoFile
 ?>