From 0e3c44c4796df1a5664f43c209573ff6c49e8a79 Mon Sep 17 00:00:00 2001
From: Simon Leary
Date: Fri, 14 Nov 2025 15:58:01 -0500
Subject: [PATCH 1/4] strict LDAP
---
 resources/lib/UnityLDAP.php | 38 +++++++++++++++++++++++------------
 resources/lib/phpopenldaper | 2 +-
 workers/update-ldap-cache.php | 4 ++--
 3 files changed, 28 insertions(+), 16 deletions(-)
diff --git a/resources/lib/UnityLDAP.php b/resources/lib/UnityLDAP.php
index eef04195..98191806 100644
--- a/resources/lib/UnityLDAP.php
+++ b/resources/lib/UnityLDAP.php
@@ -169,7 +169,11 @@ private function getAllUIDNumbersInUse(): array
 // use baseOU for awareness of externally managed entries
 return array_map(
 fn($x) => $x["uidnumber"][0],
- $this->baseOU->getChildrenArray(["uidNumber"], true, "(objectClass=posixAccount)"),
+ $this->baseOU->getChildrenArrayStrict(
+ ["uidNumber"],
+ true,
+ "(objectClass=posixAccount)",
+ ),
 );
 }
 
@@ -178,7 +182,7 @@ private function getAllGIDNumbersInUse(): array
 // use baseOU for awareness of externally managed entries
 return array_map(
 fn($x) => $x["gidnumber"][0],
- $this->baseOU->getChildrenArray(["gidNumber"], true, "(objectClass=posixGroup)"),
+ $this->baseOU->getChildrenArrayStrict(["gidNumber"], true, "(objectClass=posixGroup)"),
 );
 }
 
@@ -227,13 +231,16 @@ public function getQualifiedUsers(
 return $out;
 }
 
- public function getQualifiedUsersAttributes(array $attributes): array
- {
+ public function getQualifiedUsersAttributes(
+ array $attributes,
+ array $default_values = [],
+ ): array {
 $include_uids = $this->getQualifiedUsersUIDs();
- $user_attributes = $this->baseOU->getChildrenArray(
+ $user_attributes = $this->baseOU->getChildrenArrayStrict(
 $attributes,
 true, // recursive
 "(objectClass=posixAccount)",
+ $default_values,
 );
 foreach ($user_attributes as $i => $attributes) {
 if (!in_array($attributes["uid"][0], $include_uids)) {
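Review bot: The gidNumber lookup in getAllGIDNumbersInUse is kept on one line, `$this->baseOU->getChildrenArrayStrict(["gidNumber"], true, "(objectClass=posixGroup)"),`, while the parallel uidNumber call in the hunk just above is split one argument per line with a trailing comma. The two sibling methods should be formatted alike so a reader does not wonder whether the difference is deliberate; the multi-line form matches the rest of this series. getAllGIDNumbersInUse's signature is outside the hunk.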
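Review bot: In getQualifiedUsersAttributes the loop `foreach ($user_attributes as $i => $attributes)` reuses the name of the parameter `$attributes`, so after the first iteration the caller's attribute list is gone, and with the signature now spread over four lines the shadowing is easy to miss. Rename the loop variable and make the membership test strict, `foreach ($user_attributes as $i => $entry) { if (!in_array($entry["uid"][0], $include_uids, true)) {`, because this test decides which LDAP users are returned and loose comparison treats numeric-looking uids such as `"01"` and `"1"` as equal. The new `$default_values` parameter also has no docblock; a `@param array $default_values` line saying what the strict lookup substitutes for attributes an entry lacks would help, though I am inferring that meaning from the name and the `getChildrenArrayStrict` call, so confirm it against phpopenldaper. The method body continues past the end of the hunk.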
@@ -283,16 +290,19 @@ public function getAllPIGroups(
 return $out;
 }
 
- public function getAllPIGroupsAttributes(array $attributes): array
+ public function getAllPIGroupsAttributes(array $attributes, array $default_values = []): array
 {
- return $this->pi_groupOU->getChildrenArray($attributes);
+ return $this->pi_groupOU->getChildrenArrayStrict(
+ $attributes,
+ default_values: $default_values,
+ );
 }
 
 public function getPIGroupGIDsWithMemberUID(string $uid): array
 {
 return array_map(
 fn($x) => $x["cn"][0],
- $this->pi_groupOU->getChildrenArray(
+ $this->pi_groupOU->getChildrenArrayStrict(
 ["cn"],
 false,
 "(memberuid=" . ldap_escape($uid, LDAP_ESCAPE_FILTER) . ")",
@@ -300,14 +310,16 @@ public function getPIGroupGIDsWithMemberUID(string $uid): array
 );
 }
 
- public function getAllPIGroupOwnerAttributes(array $attributes): array
- {
+ public function getAllPIGroupOwnerAttributes(
+ array $attributes,
+ array $default_values = [],
+ ): array {
 // get the PI groups, filter for just the GIDs, then map the GIDs to owner UIDs
 $owner_uids = array_map(
 fn($x) => UnityGroup::GID2OwnerUID($x),
- array_map(fn($x) => $x["cn"][0], $this->pi_groupOU->getChildrenArray(["cn"])),
+ array_map(fn($x) => $x["cn"][0], $this->pi_groupOU->getChildrenArrayStrict(["cn"])),
 );
- $owner_attributes = $this->getQualifiedUsersAttributes($attributes);
+ $owner_attributes = $this->getQualifiedUsersAttributes($attributes, $default_values);
 foreach ($owner_attributes as $i => $attributes) {
 if (!in_array($attributes["uid"][0], $owner_uids)) {
 unset($owner_attributes[$i]);
@@ -402,7 +414,7 @@ public function getAllOrgGroups(
 
 public function getAllOrgGroupsAttributes(array $attributes): array
 {
- return $this->org_groupOU->getChildrenArray($attributes);
+ return $this->org_groupOU->getChildrenArrayStrict($attributes);
 }
 
 public function getUserEntry(string $uid): LDAPEntry
diff --git a/resources/lib/phpopenldaper b/resources/lib/phpopenldaper
index 0900483b..53f52d72 160000
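Review bot: The owner check `if (!in_array($attributes["uid"][0], $owner_uids))` in getAllPIGroupOwnerAttributes is a loose comparison, and this hunk now feeds it the results of the strict lookup; pass `true` so that numeric-looking uids (`"01"` and `"1"`, which PHP compares as equal without it) cannot let a non-owner through as a PI group owner. The `$owner_uids` list is also scanned once per qualified user, so building a set once, `$owner_set = array_flip($owner_uids);` and `if (!isset($owner_set[$attributes["uid"][0]])) {`, gives both exact matching and linear cost. The `getChildrenArrayStrict(["cn"])` call on the line above relies on the library's default recursion and filter while the other lookups in this file pass an `(objectClass=...)` filter explicitly; if that default is `(objectClass=*)`, passing `"(objectClass=posixGroup)"` here too would keep non-group entries out of the owner derivation. The method body continues below the hunk.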
--- a/resources/lib/phpopenldaper
+++ b/resources/lib/phpopenldaper
@@ -1 +1 @@
-Subproject commit 0900483bd938fc0ad6c68a14ac355e5d188dc726
+Subproject commit 53f52d72db5f3d806c12c77e083db82649b84350
diff --git a/workers/update-ldap-cache.php b/workers/update-ldap-cache.php
index b646625b..1dba929a 100755
--- a/workers/update-ldap-cache.php
+++ b/workers/update-ldap-cache.php
@@ -57,7 +57,7 @@ $org_group_ou = new LDAPEntry($LDAP->getConn(), CONFIG["ldap"]["orggroup_ou"]);
 echo "waiting for LDAP search (org groups)...\n";
- $org_groups = $org_group_ou->getChildrenArray(["cn", "memberuid"], true);
+ $org_groups = $org_group_ou->getChildrenArrayStrict(["cn", "memberuid"], true);
 echo "response received.\n";
 // phpcs:disable
 $org_group_CNs = array_map(function ($x) {
@@ -73,7 +73,7 @@ $pi_group_ou = new LDAPEntry($LDAP->getConn(), CONFIG["ldap"]["pigroup_ou"]);
 echo "waiting for LDAP search (pi groups)...\n";
- $pi_groups = $pi_group_ou->getChildrenArray(["cn", "memberuid"], true);
+ $pi_groups = $pi_group_ou->getChildrenArrayStrict(["cn", "memberuid"], true);
 echo "response received.\n";
 // phpcs:disable
 $pi_group_CNs = array_map(function ($x) {
From daf47deeeb62fc46afe691ba02b19f187e3b5ef3 Mon Sep 17 00:00:00 2001
From: Simon Leary
Date: Fri, 14 Nov 2025 16:03:45 -0500
Subject: [PATCH 2/4] update phpopenldaper
---
 resources/lib/phpopenldaper | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/resources/lib/phpopenldaper b/resources/lib/phpopenldaper
index 53f52d72..5432bdd7 160000
--- a/resources/lib/phpopenldaper
+++ b/resources/lib/phpopenldaper
@@ -1 +1 @@
-Subproject commit 53f52d72db5f3d806c12c77e083db82649b84350
+Subproject commit 5432bdd7a5320118aca431bbd69d090eb494f731
From 5089535a74df08b8313486bcc051c2868747477e Mon Sep 17 00:00:00 2001
From: Simon Leary
Date: Fri, 14 Nov 2025 16:08:05 -0500
Subject: [PATCH 3/4] more default_values args
---
 resources/lib/UnityLDAP.php | 11 ++++++++---
 1 file changed, 8 insertions(+), 3 deletions(-)
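Review bot: The strict lookup `$org_groups = $org_group_ou->getChildrenArrayStrict(["cn", "memberuid"], true);` requests `memberuid` but passes no default values, and a group with no members carries no memberUid attribute in LDAP. If the strict variant raises on a missing requested attribute, which the new `$default_values` parameter added to UnityLDAP.php in this same patch suggests though the library itself is not visible here, a single empty org group aborts the whole cache refresh and leaves the cache stale. Supply a default for the optional attribute, e.g. `getChildrenArrayStrict(["cn", "memberuid"], true, default_values: ["memberuid" => [])`, with the key case matching what phpopenldaper expects, and treat the PI group lookup in the next hunk the same way. The bare `true` recursion flag with no objectClass filter also means any non-group entry under the OU reaches the strict check.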
diff --git a/resources/lib/UnityLDAP.php b/resources/lib/UnityLDAP.php
index 98191806..7db36b55 100644
--- a/resources/lib/UnityLDAP.php
+++ b/resources/lib/UnityLDAP.php
@@ -294,7 +294,9 @@ public function getAllPIGroupsAttributes(array $attributes, array $default_value
 {
 return $this->pi_groupOU->getChildrenArrayStrict(
 $attributes,
- default_values: $default_values,
+ false, // non-recursive
+ "objectClass=posixGroup",
+ $default_values,
 );
 }
 
@@ -412,9 +414,12 @@ public function getAllOrgGroups(
 return $out;
 }
 
- public function getAllOrgGroupsAttributes(array $attributes): array
+ public function getAllOrgGroupsAttributes(array $attributes, array $default_values): array
 {
- return $this->org_groupOU->getChildrenArrayStrict($attributes);
+ return $this->org_groupOU->getChildrenArrayStrict(
+ $attributes,
+ default_values: $default_values,
+ );
 }
 
 public function getUserEntry(string $uid): LDAPEntry
From f912080fffa4e25134b4dfbe4422b0d08154258e Mon Sep 17 00:00:00 2001
From: Simon Leary
Date: Fri, 14 Nov 2025 16:08:58 -0500
Subject: [PATCH 4/4] optional
---
 resources/lib/UnityLDAP.php | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/resources/lib/UnityLDAP.php b/resources/lib/UnityLDAP.php
index 7db36b55..6e235bc8 100644
--- a/resources/lib/UnityLDAP.php
+++ b/resources/lib/UnityLDAP.php
@@ -414,7 +414,7 @@ public function getAllOrgGroups(
 return $out;
 }
 
- public function getAllOrgGroupsAttributes(array $attributes, array $default_values): array
+ public function getAllOrgGroupsAttributes(array $attributes, array $default_values = []): array
 {
 return $this->org_groupOU->getChildrenArrayStrict(
 $attributes,
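Review bot: The new filter literal `"objectClass=posixGroup",` in getAllPIGroupsAttributes drops the parentheses that every other filter in this file carries (`"(objectClass=posixAccount)"`, `"(objectClass=posixGroup)"` in getAllGIDNumbersInUse, the `"(memberuid=...)"` filter). RFC 4515 filters are parenthesised; libldap happens to accept a bare simple filter, but whatever phpopenldaper does with the string before the search, such as combining it into an `(&(...))` conjunction, may not, and the inconsistency hides that dependency. Use `"(objectClass=posixGroup)",` here. The method's signature is outside the hunk.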
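Review bot: The strict lookup in getAllOrgGroupsAttributes, `getChildrenArrayStrict($attributes, default_values: $default_values)`, passes neither a recursion flag nor an objectClass filter, whereas the PI counterpart in the first hunk of this patch passes `false` and a posixGroup filter explicitly. If org groups are posixGroup entries like the PI groups (the cache worker reads `cn` and `memberuid` from them, which suggests so, but I cannot confirm it from here), any other entry type under the org OU would be returned and, under the strict lookup, could fail on a missing attribute. `return $this->org_groupOU->getChildrenArrayStrict($attributes, false, "(objectClass=posixGroup)", $default_values);` keeps the two methods symmetric and the result set limited to groups.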