From 296744ceb39b1b4b4e3d516ef26ad27298c6d8f7 Mon Sep 17 00:00:00 2001 From: c12simple Date: Thu, 13 Nov 2014 16:09:46 +0100 Subject: [PATCH] create fakeMemberOf for openldap and enable map memberOf to roleID with prefix --- .../auth.ldap/class.ldapAuthDriver.php | 83 +++++++++++++++++-- core/src/plugins/auth.ldap/manifest.xml | 35 ++++---- 2 files changed, 95 insertions(+), 23 deletions(-) diff --git a/core/src/plugins/auth.ldap/class.ldapAuthDriver.php b/core/src/plugins/auth.ldap/class.ldapAuthDriver.php index f29048ff2f..c6539bedef 100644 --- a/core/src/plugins/auth.ldap/class.ldapAuthDriver.php +++ b/core/src/plugins/auth.ldap/class.ldapAuthDriver.php @@ -39,6 +39,9 @@ class ldapAuthDriver extends AbstractAuthDriver public $dynamicExpected; public $ldapUserAttr; public $ldapGroupAttr; + public $enableMemberOf; + public $mappedRolePrefix; + public $pageSize; public $ldapconn = null; public $separateGroup = ""; @@ -69,6 +72,9 @@ public function init($options) if ($options["LDAP_PORT"]) $this->ldapPort = $options["LDAP_PORT"]; if ($options["LDAP_USER"]) $this->ldapAdminUsername = $options["LDAP_USER"]; if ($options["LDAP_PASSWORD"]) $this->ldapAdminPassword = $options["LDAP_PASSWORD"]; + if ($options["LDAP_FAKE_MEMBEROF"]) $this->enableMemberOf = $options["LDAP_FAKE_MEMBEROF"]; + if ($options["LDAP_PAGE_SIZE"]) $this->pageSize = $options["LDAP_PAGE_SIZE"]; + if ($options["LDAP_GROUP_PREFIX"]) $this->mappedRolePrefix = $options["LDAP_GROUP_PREFIX"]; if ($options["LDAP_DN"]) $this->ldapDN = $this->parseReplicatedParams($options, array("LDAP_DN")); if ($options["LDAP_GDN"]) $this->ldapGDN = $this->parseReplicatedParams($options, array("LDAP_GDN")); if (is_array($options["CUSTOM_DATA_MAPPING"])) $this->customParamsMapping = $options["CUSTOM_DATA_MAPPING"]; 
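Review bot: The three new properties `$enableMemberOf`, `$mappedRolePrefix` and `$pageSize` are declared without defaults or comments, so they are null until `init()` assigns them and are then tested by truthiness elsewhere in this patch; the file's own convention on the next lines (`$ldapconn = null`, `$separateGroup = ""`) is to give explicit defaults. Declare them as `public $enableMemberOf = false;`, `public $mappedRolePrefix = "";` and `public $pageSize = 0;`, each with a one-line purpose comment such as `// emulate a memberOf attribute for servers that do not expose one`. `$pageSize` is assigned in `init()` but I don't see it read anywhere in this patch; if a later change consumes it, a comment saying so would stop it looking dead.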
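Review bot: The three new option reads copy raw config values into the properties without casting, so `$this->pageSize` will hold whatever string the manifest delivers and `$this->enableMemberOf` is later only ever checked by truthiness. Since these keys are optional, read them with `isset()` and cast at the boundary: `if (isset($options["LDAP_PAGE_SIZE"])) $this->pageSize = intval($options["LDAP_PAGE_SIZE"]);` and `if (isset($options["LDAP_FAKE_MEMBEROF"])) $this->enableMemberOf = (bool) $options["LDAP_FAKE_MEMBEROF"];`. I can't see from the hunk how the manifest passes boolean options (real bool or string), so confirm the cast matches before relying on it. `init()` continues outside the hunk.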
@@ -297,6 +303,13 @@ public function getUserEntries($login = null, $countOnly = false, $offset = -1, if ($offset != -1 && $index < $offset) { $index ++; continue; } + + if (in_array(strtolower("memberof"), array_map("strtolower", $expected)) && ($this->enableMemberOf)) { + $uid = $entry["dn"]; + $strldap = "(&" . $this->ldapGFilter . "(member=".$uid."))"; + $this->fakeMemberOf($conn, $this->ldapGDN, $strldap, array("cn"), $entry); + } + $allEntries[] = $entry; $index ++; if($limit!= -1 && $index >= $offset + $limit) break; @@ -628,6 +641,9 @@ public function updateUserObject(&$userObject) } switch ($params['MAPPING_LOCAL_TYPE']) { case "role_id": + $valueFilters = null; + $matchFilter = null; + $filter = $params["MAPPING_LOCAL_PARAM"]; if (strpos($filter, "preg:") !== false) { $matchFilter = "/".str_replace("preg:", "", $filter)."/i"; 
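Review bot: The new filter line `$strldap = "(&" . $this->ldapGFilter . "(member=".$uid."))";` embeds the user's DN unescaped, and a DN can legitimately contain characters that are special in LDAP filter syntax (`(`, `)`, `*`, `\`), which will at best break the group search and at worst change what it matches. Escape the value before concatenating, `$uid = ldap_escape($entry["dn"], "", LDAP_ESCAPE_FILTER);` (PHP 5.6+), or state in a comment why the directory-supplied DN is trusted here. `strtolower("memberof")` on the `in_array` line is a no-op on a literal; `in_array("memberof", array_map("strtolower", $expected), true)` reads the same and keeps the comparison strict. I can't see where `$this->ldapGFilter` is set, so whether it is always a parenthesised filter, as the `(&...)` conjunction requires, should be checked; `getUserEntries` starts and ends outside the hunk.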
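Review bot: The two new resets `$valueFilters = null;` and `$matchFilter = null;` at the top of `case "role_id":` only work because `isSet()` on a null variable returns false, so a filter parsed for an earlier mapping no longer leaks into the next one — that is non-obvious and deserves a comment, e.g. `// reset per mapping: the isSet() checks below must not see a previous mapping's filters`. The `switch` and whatever loop encloses it start outside the hunk, so I'm inferring that several mappings are iterated; if so, any other `case` branch that reads these variables needs the same reset.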
@@ -635,15 +651,36 @@ public function updateUserObject(&$userObject) $valueFilters = array_map("trim", explode(",", $filter)); } if ($key == "memberof") { - foreach ($memberValues as $uniqValue => $fullDN) { - if (!in_array($uniqValue, array_keys($userObject->getRoles()))) { - if(isSet($matchFilter) && !preg_match($matchFilter, $uniqValue)) continue; - if(isSet($valueFilters) && !in_array($uniqValue, $valueFilters)) continue; - $userObject->addRole(AuthService::getRole($uniqValue, true)); - $userObject->recomputeMergedRole(); - $changes = true; + + if($this->mappedRolePrefix){ + $ldap_prefix = $this->mappedRolePrefix; + } + else{ + $ldap_prefix = ""; + } + + /* + $userroles = $userObject->getRoles(); + //remove all mapped roles before + + if (is_array($userroles)) { + foreach ($userroles as $key => $role) { + if ((AuthService::getRole($key)) && !(strpos($key, $this->mappedRolePrefix) === false)) { + $userObject->removeRole($key); + } } } + $userObject->recomputeMergedRole(); + */ + + foreach ($memberValues as $uniqValue => $fullDN) { + $uniqValue = $ldap_prefix.$uniqValue; + if (isSet($matchFilter) && !preg_match($matchFilter, $uniqValue)) continue; + if (isSet($valueFilters) && !in_array($uniqValue, $valueFilters)) continue; + $userObject->addRole(AuthService::getRole($uniqValue, true)); + $userObject->recomputeMergedRole(); + $changes = true; + } } else { foreach ($entry[$key] as $uniqValue) { if(isSet($matchFilter) && !preg_match($matchFilter, $uniqValue)) continue; 
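Review bot: The rewritten `memberof` loop drops the old `!in_array($uniqValue, array_keys($userObject->getRoles()))` guard, so every group the user belongs to is re-added on each `updateUserObject()` call, `$changes = true` is forced even when nothing changed, and `recomputeMergedRole()` runs once per group inside the loop. The prefix is also applied to `$uniqValue` before the `$matchFilter`/`$valueFilters` checks, so existing `MAPPING_LOCAL_PARAM` filters written against raw group names will stop matching once `LDAP_GROUP_PREFIX` is set; if that is intended it should be documented in the manifest description. The commented-out "remove all mapped roles before" block should be deleted or reduced to a one-line TODO rather than shipped as dead code. Below is the loop with the guard restored against the prefixed id, strict `in_array`, and the merged role recomputed once; `updateUserObject` starts and ends outside the hunk.
```php
if ($key == "memberof") {
    $ldap_prefix = $this->mappedRolePrefix ? $this->mappedRolePrefix : "";
    $existingRoles = array_keys($userObject->getRoles());
    $added = false;
    foreach ($memberValues as $uniqValue => $fullDN) {
        $roleId = $ldap_prefix.$uniqValue;
        if (isSet($matchFilter) && !preg_match($matchFilter, $roleId)) continue;
        if (isSet($valueFilters) && !in_array($roleId, $valueFilters, true)) continue;
        if (in_array($roleId, $existingRoles, true)) continue; // already mapped: nothing to save
        $userObject->addRole(AuthService::getRole($roleId, true));
        $added = true;
    }
    if ($added) {
        $userObject->recomputeMergedRole();
        $changes = true;
    }
} else {
    // … unchanged: non-memberof attribute mapping …
```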
@@ -722,4 +759,36 @@ public function updateUserObject(&$userObject) } } + public function fakeMemberOf($conn, $groupDN, $filterString, $atts, &$entry) + { + if (!($conn) || !($groupDN)) return null; + + $searchForGroups = ldap_search($conn, $groupDN, $filterString, $atts); + $memberOf = array(); + foreach ($searchForGroups as $i => $resourceResult) { + if ($resourceResult === false) continue; + $res = ldap_get_entries($conn[$i], $resourceResult); + if (!empty($res)) { + $memberOf["count"] += $res["count"]; + unset($res["count"]); + foreach ($res as $element) { + $memberOf[] = $element["dn"]; + } + } + } + if ($memberOf) { + $isMemberOf = false; + for($i = 0; $i < $entry["count"]; $i++){ + if(strcmp("memberof", strtolower($entry[$i])) === 0 ){ + $isMemberOf = true; + } + } + if(!$isMemberOf){ + $entry[$entry["count"]] = "memberof"; + $entry["count"]++; + } + $entry["memberof"] = $memberOf; + } + } + } diff --git a/core/src/plugins/auth.ldap/manifest.xml b/core/src/plugins/auth.ldap/manifest.xml index fe1f5c1689..b2f145d05b 100644 --- a/core/src/plugins/auth.ldap/manifest.xml +++ b/core/src/plugins/auth.ldap/manifest.xml @@ -8,27 +8,30 @@ - - - - - - - - + + + + + + + + + + + - - + + - - - - - - + + + + + + \ No newline at end of file
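Review bot: `$memberOf["count"] += $res["count"];` reads an index that does not exist on the first group hit, because `$memberOf` starts as an empty array, so every lookup raises an undefined-index notice; initialise it as `$memberOf = array("count" => 0);` and then replace the truthiness test `if ($memberOf)` (always true once the count key exists) with `if ($memberOf["count"] > 0) {`. The result of `ldap_search()` is iterated without a check — on failure it is `false`, and `foreach` over it emits a warning and silently leaves the entry without `memberof` — so add `if ($searchForGroups === false) return null;` after the call. The `$conn[$i]` indexing implies `$conn` is an array of connections (parallel search); I can't see the caller establishing that here, so confirm every caller passes the array form. The method also needs a docblock stating that it mutates `$entry` in place, adding a `memberof` attribute in the same `count`-indexed shape `ldap_get_entries()` produces, and that `$filterString` goes verbatim into `ldap_search()` and must therefore already be filter-escaped by the caller.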