Skip to content
This repository has been archived by the owner on Nov 25, 2020. It is now read-only.

Commit

Permalink
Fix auth.ldap groups management. Still to be tested deeply on various…
Browse files Browse the repository at this point in the history 
… systems.
  • Loading branch information
@cdujeu
cdujeu committed Aug 27, 2013
1 parent 7dd5683 commit bc1ac77
Showing 1 changed file with 79 additions and 6 deletions.
85 changes: 79 additions & 6 deletions core/src/plugins/auth.ldap/class.ldapAuthDriver.php
View file
Original file line number Diff line number Diff line change
Expand Up @@ -36,6 +36,7 @@ class ldapAuthDriver extends AbstractAuthDriver {
var $ldapFilter;
var $ldapGFilter;
var $dynamicFilter;
var $dynamicExpected;
var $ldapUserAttr;
var $ldapGroupAttr;

Expand Down Expand Up @@ -249,6 +250,9 @@ function getUserEntries($login = null, $countOnly = false, $offset = -1, $limit
$expected = array_merge($expected, $keys);
}
}
if(is_array($this->dynamicExpected)){
$expected = array_merge($expected, $this->dynamicExpected);
}
foreach ($conn as $dn => $ldapc) {
if (!$ldapc) {
unset($conn[$dn]);
Expand Down Expand Up @@ -290,7 +294,7 @@ function listUsersPaginated($baseGroup="/", $regexp, $offset, $limit){

if($this->hasGroupsMapping !== false){
if($baseGroup == "/"){
$this->dynamicFilter = $this->hasGroupsMapping."=";
$this->dynamicFilter = "!(".$this->hasGroupsMapping."=*)";
}else{
$this->dynamicFilter = $this->hasGroupsMapping."=".ltrim($baseGroup, "/");
}
Expand Down Expand Up @@ -359,6 +363,15 @@ function listChildrenGroups($baseGroup = "/"){
$login = $person[$this->ldapUserAttr][0];
//if(AuthService::ignoreUserCase()) $login = strtolower($login);
$persons[$person["dn"]] = $login;

$branch = array();
$this->buildGroupBranch($login, $branch);
$parent = "/";
if(count($branch)){
$parent = "/".implode("/", array_reverse($branch));
}
AuthService::createGroup($parent, $person["dn"], $login);

}
$this->ldapDN = $origUsersDN;
$this->ldapFilter = $origUsersFilter;
Expand Down Expand Up @@ -438,6 +451,47 @@ function passwordsEditable(){
return false;
}

function buildGroupBranch($groupAttrValue, &$branch = array()){
// Load group data. Detect memberOf. Load parent group.
$origUsersDN = $this->ldapDN;
$origUsersFilter = $this->ldapFilter;
$origUsersAttr = $this->ldapUserAttr;
$this->ldapDN = $this->ldapGDN;
$this->ldapFilter = $this->ldapGFilter;
$this->ldapUserAttr = $this->ldapGroupAttr;

$this->dynamicFilter = $this->ldapGroupAttr."=".$groupAttrValue;
$this->dynamicExpected = array($this->hasGroupsMapping);

$entries = $this->getUserEntries();
$this->dynamicFilter = null;
$this->dynamicExpected = null;
$persons = array();
unset($entries['count']); // remove 'count' entry
$groupData = $entries[0];

$memberOf = $groupData[strtolower($this->hasGroupsMapping)][0];

$this->ldapDN = $origUsersDN;
$this->ldapFilter = $origUsersFilter;
$this->ldapUserAttr = $origUsersAttr;

if(!empty($memberOf)){
$parts = explode(",", ltrim($memberOf, '/'));
foreach($parts as $part){
list($att,$attVal) = explode("=", $part);
if(strtolower($att) == "cn") $parentCN = $attVal;
}
if(!empty($parentCN)){
$branch[] = $memberOf;
$this->buildGroupBranch($parentCN, $branch);
}

}


}

function updateUserObject(&$userObject){
if(!empty($this->separateGroup)) $userObject->setGroupPath("/".$this->separateGroup);
// SHOULD BE DEPRECATED
Expand Down Expand Up @@ -488,16 +542,17 @@ function updateUserObject(&$userObject){
if(strtolower($att) == "cn") $hnParts[] = $attVal;
}
if(count($hnParts)) {
$memberValues[] = implode(",", $hnParts);
$memberValues[implode(",", $hnParts)] = $possibleValue;
}
}
}
switch($params['MAPPING_LOCAL_TYPE']){
case "role_id":
if($key == "memberof"){
foreach($memberValues as $uniqValue){
foreach($memberValues as $uniqValue => $fullDN){
if(!in_array($uniqValue, array_keys($userObject->getRoles()))){
$userObject->addRole(AuthService::getRole($uniqValue, true));
$userObject->recomputeMergedRole();
$changes = true;
}
}
Expand All @@ -511,12 +566,29 @@ function updateUserObject(&$userObject){
}else{
$valueFilters = array_map("trim", explode(",", $filter));
}
foreach($memberValues as $uniqValue){
foreach($memberValues as $uniqValue => $fullDN){
if(isSet($matchFilter) && !preg_match($matchFilter, $uniqValue)) continue;
if(isSet($valueFilters) && !in_array($uniqValue, $matchFilter)) continue;
if($userObject->personalRole->filterParameterValue("auth.ldap", "MEMBER_OF", AJXP_REPO_SCOPE_ALL, "") == $fullDN){
break;
}
$humanName = $uniqValue;
AuthService::createGroup("/", $uniqValue, $humanName);
$userObject->setGroupPath("/".$uniqValue, true);
$branch = array();
$this->buildGroupBranch($uniqValue, $branch);
$parent = "/";
if(count($branch)){
$parent = "/".implode("/", array_reverse($branch));
}
AuthService::createGroup($parent, $fullDN, $humanName);
$userObject->setGroupPath(rtrim($parent, "/")."/".$fullDN, true);
// Update Roles from groupPath
$b = array_reverse($branch);
$b[] = $fullDN;
for($i=1;$i<=count($b);$i++){
$userObject->addRole(AuthService::getRole("AJXP_GRP_/".implode("/", array_slice($b, 0, $i)), true));
}
$userObject->personalRole->setParameterValue("auth.ldap", "MEMBER_OF", $fullDN);
$userObject->recomputeMergedRole();
$changes = true;
}
}
Expand All @@ -525,6 +597,7 @@ function updateUserObject(&$userObject){
if($userObject->getProfile() != $value){
$changes = true;
$userObject->setProfile($value);
AuthService::updateAutoApplyRole($userObject);
}
break;
case "plugin_param":
Expand Down

0 comments on commit bc1ac77

Please sign in to comment.