Add ldap support AD memberof values in nested group

pydio · Jan 5, 2017 · 4311008 · 4311008
1 parent 0bec0a7
commit 4311008
Show file tree

Hide file tree

Showing 2 changed files with 61 additions and 0 deletions.
diff --git a/core/src/plugins/auth.ldap/LdapAuthDriver.php b/core/src/plugins/auth.ldap/LdapAuthDriver.php
@@ -54,6 +54,7 @@ class LdapAuthDriver extends AbstractAuthDriver
     public $fakeAttrMemberOf;
     public $mappedRolePrefix;
     public $pageSize;
+    public $userRecursiveMemberOf = false;
 
     public $ldapconn = null;
     public $separateGroup = "";
@@ -138,6 +139,9 @@ public function init(ContextInterface $ctx, $options = [])
         } else {
             $this->ldapGroupAttr = 'cn';
         }
+        if (!empty($options["LDAP_RECURSIVE_MEMBEROF"])) {
+            $this->userRecursiveMemberOf = $options["LDAP_RECURSIVE_MEMBEROF"];
+        }
     }
 
     /**
@@ -736,6 +740,12 @@ public function updateUserObject(&$userObject)
             $entries = $this->getUserEntries($userObject->getId());
             if ($entries["count"]) {
                 $entry = $entries[0];
+
+                // search memberof recursively.(if ldap is AD)
+                if($this->userRecursiveMemberOf){
+                    $this->recursiveMemberOf($entry);
+                }
+
                 foreach ($this->paramsMapping as $params) {
                     $key = strtolower($params['MAPPING_LDAP_PARAM']);
                     if (isSet($entry[$key])) {
@@ -996,6 +1006,56 @@ public function fakeMemberOf($conn, $groupDN, $filterString, $atts, &$entry)
         }
     }
 
+    /**
+     * Reconstruct memberOf values recursive.
+     * @param $entry ldap user object.
+     */
+    public function recursiveMemberOf(&$entry){
+        $filterPrefix = "member:1.2.840.113556.1.4.1941:=";
+        $userDN = $entry["dn"];
+        $filterString = $filterPrefix.$userDN;
+
+        // backup ldap configs
+        $bkUserDN = $this->ldapDN;
+        $this->ldapDN = $this->ldapGDN;
+        $bkFilter = $this->dynamicFilter;
+        $bkUserFilter = $this->ldapFilter;
+        $this->ldapFilter = $filterString;
+        $bkUserAttribute = $this->ldapUserAttr;
+        $this->ldapUserAttr = $this->ldapGroupAttr;
+        $bkDynamicExpected = $this->dynamicExpected;
+        $this->dynamicExpected = null;
+        $bkCustomParamsMapping = $this->customParamsMapping;
+        $this->customParamsMapping = null;
+        $bkParamsMapping = $this->paramsMapping;
+        $this->paramsMapping = null;
+
+        $searchForGroups = $this->getUserEntries();
+
+        // restore ldap configs
+        $this->ldapDN = $bkUserDN;
+        $this->dynamicFilter = $bkFilter;
+        $this->ldapFilter = $bkUserFilter;
+        $this->ldapUserAttr = $bkUserAttribute;
+        $this->dynamicExpected = $bkDynamicExpected;
+        $this->customParamsMapping = $bkCustomParamsMapping;
+        $this->paramsMapping = $bkParamsMapping;
+
+        if (empty($searchForGroups) || $searchForGroups["count"] < 1) return;
+
+        // construct recursive ldap
+        $memberOf = array();
+        $memberOf["count"] = $searchForGroups["count"];
+        unset($searchForGroups["count"]);
+
+        foreach ($searchForGroups as $i => $group) {
+            $memberOf[] = $group["dn"];
+        }
+
+        $entry[$entry["count"]] = "memberof";
+        $entry["count"]++;
+        $entry["memberof"] = $memberOf;
+    }
     /**
      * @return string
      * @throws \Exception

diff --git a/core/src/plugins/auth.ldap/manifest.xml b/core/src/plugins/auth.ldap/manifest.xml
@@ -42,6 +42,7 @@
         <!-- Advanced Parameters -->
         <param name="LDAP_ADVANCED_LEGEND" group="CONF_MESSAGE[Advanced Parameters]" type="legend" label="" description="CONF_MESSAGE[More advanced settings for LDAP/AD]"/>
         <param name="LDAP_FAKE_MEMBEROF" group="CONF_MESSAGE[Advanced Parameters]" type="string" label="CONF_MESSAGE[Fake Member from...]" description="CONF_MESSAGE[If there is no memberOf attribute/overlay, use this option to create additional memberOf attribute. Enter the groups attribute storing the members ids, can be generally either memberUid or member, depending on the schema.]" default="" mandatory="false"/>
+        <param name="LDAP_RECURSIVE_MEMBEROF" group="CONF_MESSAGE[Advanced Parameters]" type="boolean" label="CONF_MESSAGE[Search MemberOf recursively. (use with AD only)]" description="CONF_MESSAGE[Search all values of MemberOf including nested groups]" default="false" mandatory="false"/>
         <param name="LDAP_VALUE_MEMBERATTR_IN_GROUP" group="CONF_MESSAGE[Advanced Parameters]" type="boolean" label="CONF_MESSAGE[Fake MemberOf. value of member/memberUid attribute of group]" description="CONF_MESSAGE[value of member/memberUid attribute of group: can be user DN or user CN. Use with Fake memberOf enabled. YES use DN, otherwise CN]" default="true" mandatory="false"/>
         <param name="LDAP_SEARCHUSER_ATTR" group="CONF_MESSAGE[Advanced Parameters]" type="string" label="CONF_MESSAGE[Search Users by Attribute]" description="CONF_MESSAGE[When looking for a user through autocomplete, search on a specific parameter instead of user ID]" mandatory="false" default=""/>
         <param name="LDAP_PAGE_SIZE" group="CONF_MESSAGE[Advanced Parameters]" type="string" label="CONF_MESSAGE[LDAP Server page size]" description="CONF_MESSAGE[Page size of LDAP Server]" mandatory="false" default="500"/>