

create fakeMemberOf for openldap and enable map memberOf to roleID wi…
…th prefix
c12simple committed Nov 13, 2014
1 parent 882f208 commit 296744c
Showing 2 changed files with 95 additions and 23 deletions.
83 changes: 76 additions & 7 deletions core/src/plugins/auth.ldap/class.ldapAuthDriver.php
Expand Up @@ -39,6 +39,9 @@ class ldapAuthDriver extends AbstractAuthDriver
public $dynamicExpected;
public $ldapUserAttr;
public $ldapGroupAttr;
public $enableMemberOf;
public $mappedRolePrefix;
public $pageSize;

public $ldapconn = null;
public $separateGroup = "";
Expand Down Expand Up @@ -69,6 +72,9 @@ public function init($options)
if ($options["LDAP_PORT"]) $this->ldapPort = $options["LDAP_PORT"];
if ($options["LDAP_USER"]) $this->ldapAdminUsername = $options["LDAP_USER"];
if ($options["LDAP_PASSWORD"]) $this->ldapAdminPassword = $options["LDAP_PASSWORD"];
if ($options["LDAP_FAKE_MEMBEROF"]) $this->enableMemberOf = $options["LDAP_FAKE_MEMBEROF"];
if ($options["LDAP_PAGE_SIZE"]) $this->pageSize = $options["LDAP_PAGE_SIZE"];
if ($options["LDAP_GROUP_PREFIX"]) $this->mappedRolePrefix = $options["LDAP_GROUP_PREFIX"];
if ($options["LDAP_DN"]) $this->ldapDN = $this->parseReplicatedParams($options, array("LDAP_DN"));
if ($options["LDAP_GDN"]) $this->ldapGDN = $this->parseReplicatedParams($options, array("LDAP_GDN"));
if (is_array($options["CUSTOM_DATA_MAPPING"])) $this->customParamsMapping = $options["CUSTOM_DATA_MAPPING"];
Expand Down Expand Up @@ -297,6 +303,13 @@ public function getUserEntries($login = null, $countOnly = false, $offset = -1,
if ($offset != -1 && $index < $offset) {
$index ++; continue;
}

if (in_array(strtolower("memberof"), array_map("strtolower", $expected)) && ($this->enableMemberOf)) {
$uid = $entry["dn"];
$strldap = "(&" . $this->ldapGFilter . "(member=".$uid."))";
$this->fakeMemberOf($conn, $this->ldapGDN, $strldap, array("cn"), $entry);
}

$allEntries[] = $entry;
$index ++;
if($limit!= -1 && $index >= $offset + $limit) break;
Expand Down Expand Up @@ -628,22 +641,46 @@ public function updateUserObject(&$userObject)
}
switch ($params['MAPPING_LOCAL_TYPE']) {
case "role_id":
$valueFilters = null;
$matchFilter = null;

$filter = $params["MAPPING_LOCAL_PARAM"];
if (strpos($filter, "preg:") !== false) {
$matchFilter = "/".str_replace("preg:", "", $filter)."/i";
} else if(!empty($filter)) {
$valueFilters = array_map("trim", explode(",", $filter));
}
if ($key == "memberof") {
foreach ($memberValues as $uniqValue => $fullDN) {
if (!in_array($uniqValue, array_keys($userObject->getRoles()))) {
if(isSet($matchFilter) && !preg_match($matchFilter, $uniqValue)) continue;
if(isSet($valueFilters) && !in_array($uniqValue, $valueFilters)) continue;
$userObject->addRole(AuthService::getRole($uniqValue, true));
$userObject->recomputeMergedRole();
$changes = true;

if($this->mappedRolePrefix){
$ldap_prefix = $this->mappedRolePrefix;
}
else{
$ldap_prefix = "";
}

/*
$userroles = $userObject->getRoles();
//remove all mapped roles before
if (is_array($userroles)) {
foreach ($userroles as $key => $role) {
if ((AuthService::getRole($key)) && !(strpos($key, $this->mappedRolePrefix) === false)) {
$userObject->removeRole($key);
}
}
}
$userObject->recomputeMergedRole();
*/

foreach ($memberValues as $uniqValue => $fullDN) {
$uniqValue = $ldap_prefix.$uniqValue;
if (isSet($matchFilter) && !preg_match($matchFilter, $uniqValue)) continue;
if (isSet($valueFilters) && !in_array($uniqValue, $valueFilters)) continue;
$userObject->addRole(AuthService::getRole($uniqValue, true));
$userObject->recomputeMergedRole();
$changes = true;
}
} else {
foreach ($entry[$key] as $uniqValue) {
if(isSet($matchFilter) && !preg_match($matchFilter, $uniqValue)) continue;
Expand Down Expand Up @@ -722,4 +759,36 @@ public function updateUserObject(&$userObject)
}
}

public function fakeMemberOf($conn, $groupDN, $filterString, $atts, &$entry)
{
if (!($conn) || !($groupDN)) return null;

$searchForGroups = ldap_search($conn, $groupDN, $filterString, $atts);
$memberOf = array();
foreach ($searchForGroups as $i => $resourceResult) {
if ($resourceResult === false) continue;
$res = ldap_get_entries($conn[$i], $resourceResult);
if (!empty($res)) {
$memberOf["count"] += $res["count"];
unset($res["count"]);
foreach ($res as $element) {
$memberOf[] = $element["dn"];
}
}
}
if ($memberOf) {
$isMemberOf = false;
for($i = 0; $i < $entry["count"]; $i++){
if(strcmp("memberof", strtolower($entry[$i])) === 0 ){
$isMemberOf = true;
}
}
if(!$isMemberOf){
$entry[$entry["count"]] = "memberof";
$entry["count"]++;
}
$entry["memberof"] = $memberOf;
}
}

}
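Review bot: In the getUserEntries hunk the group search filter is built by string concatenation, `$strldap = "(&" . $this->ldapGFilter . "(member=".$uid."))";`, with `$uid` taken verbatim from `$entry["dn"]`; a DN that contains filter-special characters (`\`, `*`, `(`, `)`, NUL — a backslash appears in any DN with an escaped comma or plus) produces a malformed or broader filter and the memberOf lookup silently matches the wrong groups or nothing, so the value should be escaped for filter context, e.g. `"(member=" . ldap_escape($uid, '', LDAP_ESCAPE_FILTER) . "))"` (available since PHP 5.6; on older targets replace those five characters by their `\xx` hex forms before concatenating). In fakeMemberOf, `$memberOf = array();` followed by `$memberOf["count"] += $res["count"];` reads an undefined index on the first hit, and `if ($memberOf)` is then true even when no group matched because the `count` key alone makes the array non-empty; initialise with `$memberOf = array("count" => 0);` and test `if ($memberOf["count"] > 0)`. In updateUserObject the prefix is applied before `$matchFilter`/`$valueFilters` are evaluated, so existing MAPPING_LOCAL_PARAM lists written against raw group names stop matching once a prefix is configured — worth a line in the manifest description or a comment above the `foreach`; the dropped `in_array(..., array_keys($userObject->getRoles()))` guard also means `$changes = true` on every update, and the commented-out removal block at the top of that loop should be deleted rather than left in. updateUserObject starts and ends outside the visible hunks.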
35 changes: 19 additions & 16 deletions core/src/plugins/auth.ldap/manifest.xml
Expand Up @@ -8,27 +8,30 @@
<i18n namespace="ldap_auth" path="plugins/auth.ldap/i18n"/>
</resources>
</client_settings>
<server_settings>
<param name="LDAP_URL" type="string" label="CONF_MESSAGE[LDAP URL]" description="CONF_MESSAGE[LDAP Server URL (IP or name)]" mandatory="true"/>
<param name="LDAP_PROTOCOL" type="select" choices="ldap|Standard (ldap),ldaps|SSL (ldaps)" default="ldap" label="CONF_MESSAGE[Protocol]" description="CONF_MESSAGE[Connect through ldap or ldaps]" mandatory="true"/>
<param name="LDAP_PORT" type="string" label="CONF_MESSAGE[LDAP Port]" description="CONF_MESSAGE[LDAP Server Port (leave blank for default)]" mandatory="false"/>
<param name="LDAP_USER" type="string" label="CONF_MESSAGE[LDAP bind username]" description="CONF_MESSAGE[Username (uid + dn) of LDAP bind user]" mandatory="false"/>
<param name="LDAP_PASSWORD" type="string" label="CONF_MESSAGE[LDAP bind password]" description="CONF_MESSAGE[Password of LDAP bind user]" mandatory="false"/>
<param name="LDAP_DN" type="string" replicationGroup="LDAPDN" label="CONF_MESSAGE[People DN]" description="CONF_MESSAGE[DN where the users are stored]" mandatory="false"/>
<param name="LDAP_FILTER" type="string" label="CONF_MESSAGE[LDAP Filter]" description="CONF_MESSAGE[Filter which users to fetch.]" mandatory="false" default="objectClass=person"/>
<server_settings>
<param name="LDAP_URL" type="string" label="CONF_MESSAGE[LDAP URL]" description="CONF_MESSAGE[LDAP Server URL (IP or name)]" mandatory="true"/>
<param name="LDAP_PROTOCOL" type="select" choices="ldap|Standard (ldap),ldaps|SSL (ldaps)" default="ldap" label="CONF_MESSAGE[Protocol]" description="CONF_MESSAGE[Connect through ldap or ldaps]" mandatory="true"/>
<param name="LDAP_PORT" type="string" label="CONF_MESSAGE[LDAP Port]" description="CONF_MESSAGE[LDAP Server Port (leave blank for default)]" mandatory="false"/>
<param name="LDAP_USER" type="string" label="CONF_MESSAGE[LDAP bind username]" description="CONF_MESSAGE[Username (uid + dn) of LDAP bind user]" mandatory="false"/>
<param name="LDAP_PASSWORD" type="string" label="CONF_MESSAGE[LDAP bind password]" description="CONF_MESSAGE[Password of LDAP bind user]" mandatory="false"/>
<param name="LDAP_DN" type="string" replicationGroup="LDAPDN" label="CONF_MESSAGE[People DN]" description="CONF_MESSAGE[DN where the users are stored]" mandatory="false"/>
<param name="LDAP_FILTER" type="string" label="CONF_MESSAGE[LDAP Filter]" description="CONF_MESSAGE[Filter which users to fetch.]" mandatory="false" default="objectClass=person"/>
<param name="LDAP_USERATTR" type="string" label="CONF_MESSAGE[User attribute]" description="CONF_MESSAGE[Username attribute]" mandatory="false"/>
<param name="LDAP_FAKE_MEMBEROF" type="boolean" label="Use Member Of" description="In openldap, there is no memberOf attribute. Enable this option to create additionally memberOf attribute" default="false" mandatory="false"/>
<param name="LDAP_PAGE_SIZE" type="string" label="CONF_MESSAGE[LDAP Server page size]" description="CONF_MESSAGE[Page size of LDAP Server]" mandatory="false" default="500"/>
<param name="LDAP_GROUP_PREFIX" type="string" label="CONF_MESSAGE[Role Prefix (for memberof)]" description="CONF_MESSAGE[Role prefix when you mapping memberof => roleID]" default="ldapgroup_" mandatory="false" />
<param name="LDAP_SEARCHUSER_ATTR" type="string" label="CONF_MESSAGE[Search Users by Attribute]" description="CONF_MESSAGE[When looking for a user through autocomplete, search on a specific parameter instead of user ID]" mandatory="false" default=""/>
<param name="LDAP_GDN" type="string" replicationGroup="LDAPGDN" label="CONF_MESSAGE[Groups DN]" description="CONF_MESSAGE[DN where the groups are stored. Must be used in cunjonction with a group parameter mapping, generally using the memberOf feature.]" mandatory="false"/>
<param name="LDAP_GROUP_FILTER" type="string" label="CONF_MESSAGE[LDAP Groups Filter]" description="CONF_MESSAGE[Filter which groups to fetch.]" mandatory="false" default="objectClass=group"/>
<param name="LDAP_GROUPATTR" type="string" label="CONF_MESSAGE[Group attribute]" description="CONF_MESSAGE[Group main attribute to be used as a label]" mandatory="false"/>
<param name="MAPPING_LDAP_PARAM" type="string" replicationGroup="MAPPING" label="CONF_MESSAGE[LDAP attribute]" description="CONF_MESSAGE[Name of the LDAP attribute to read]" mandatory="false"/>
<param name="MAPPING_LOCAL_TYPE" type="select" replicationGroup="MAPPING" choices="plugin_param|Plugin Parameter,role_id|Role Id,group_path|Group Path,profile|Profile" label="CONF_MESSAGE[Mapping Type]" description="CONF_MESSAGE[Determine the type of mapping]" mandatory="false"/>
<param name="MAPPING_LOCAL_PARAM" type="string" replicationGroup="MAPPING" label="CONF_MESSAGE[Plugin parameter]" description="CONF_MESSAGE[Name of the custom local parameter to set]" mandatory="false"/>
<param name="MAPPING_LOCAL_TYPE" type="select" replicationGroup="MAPPING" choices="plugin_param|Plugin Parameter,role_id|Role Id,group_path|Group Path,profile|Profile" label="CONF_MESSAGE[Mapping Type]" description="CONF_MESSAGE[Determine the type of mapping]" mandatory="false"/>
<param name="MAPPING_LOCAL_PARAM" type="string" replicationGroup="MAPPING" label="CONF_MESSAGE[Plugin parameter]" description="CONF_MESSAGE[Name of the custom local parameter to set]" mandatory="false"/>
<param type="string" name="TEST_USER" label="CONF_MESSAGE[Test User]" description="CONF_MESSAGE[Use the Test Connexion button to check if this user is correctly found in your LDAP directory.]" mandatory="false"/>
<param type="button" name="TEST_LDAP" choices="run_plugin_action:auth.ldap:testLDAPConnexion" label="CONF_MESSAGE[Test Connexion]" description="CONF_MESSAGE[Try to connect to LDAP]" mandatory="false"/>
</server_settings>
<class_definition filename="plugins/auth.ldap/class.ldapAuthDriver.php" classname="ldapAuthDriver"/>
<registry_contributions>
<external_file filename="plugins/core.auth/standard_auth_actions.xml" include="actions/*" exclude=""/>
</registry_contributions>
</authdriver>
</server_settings>
<class_definition filename="plugins/auth.ldap/class.ldapAuthDriver.php" classname="ldapAuthDriver"/>
<registry_contributions>
<external_file filename="plugins/core.auth/standard_auth_actions.xml" include="actions/*" exclude=""/>
</registry_contributions>
</authdriver>
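Review bot: The new LDAP_FAKE_MEMBEROF param carries a literal label and description (`label="Use Member Of"`, `description="In openldap, there is no memberOf attribute. ..."`) while every sibling param wraps its text in `CONF_MESSAGE[...]`, so this one will not be picked up by the ldap_auth i18n namespace declared at the top of the file; wrapping it the same way keeps the settings screen consistent. LDAP_PAGE_SIZE is declared `type="string"` although its default and use are numeric; if the manifest schema offers an integer type it would validate the input at the UI boundary instead of leaving it to the driver, which stores it unchecked.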
