
Added "group_scope" as a configurable option.

This patch allows the scope of the LDAP group search to be configured,
instead of being hard-coded as "base".

It is useful to change the scope to "sub" when there are nested groups.

The default option has been kept as "base".
1 parent 114fa50 commit a89b476a1787d2b1f4b6ae5fcc14881e235c8555 @Kayvlim Kayvlim committed with tsibley Jul 25, 2012
Showing with 7 additions and 1 deletion.
  1. +3 −0 etc/RT_SiteConfig.pm
  2. +4 −1 lib/RT/Authen/ExternalAuth/LDAP.pm
@@ -128,6 +128,9 @@ Set($ExternalSettings, { # AN EXAMPLE DB SERVICE
'net_ldap_args' => [ version => 3 ],
# Does authentication depend on group membership? What group name?
'group' => 'GROUP_NAME',
+ # What is the scope of the group search? (base, one, sub)
+ # Optional; defaults to 'base', which is good enough for most cases. 'sub' is appropriate when you have nested groups
+ 'group_scope' => 'base',
# What is the attribute for the group object that determines membership?
'group_attr' => 'GROUP_ATTR',
# What is the attribute of the user entry that should be matched against group_attr above? (Optional; defaults to 'dn')
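Review bot: The comment added above 'group_scope' recommends 'sub' for nested groups but does not say that the scope is applied relative to the DN given in 'group'. In LDAP, 'one' searches only the immediate children of that DN (the named entry itself is no longer examined) and 'sub' searches the entry plus everything beneath it. Because this option decides which directory entries can grant access, the comment should state that a wider scope widens the set of entries that can satisfy the membership check, and that "nested" here means group entries located below 'group' in the directory tree, not groups listed as members of other groups. The second comment line is also far longer than its neighbours and would read better wrapped.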
@@ -20,6 +20,7 @@ sub GetAuth {
my $group = $config->{'group'};
my $group_attr = $config->{'group_attr'};
my $group_attr_val = $config->{'group_attr_value'} || 'dn';
+ my $group_scope = $config->{'group_scope'} || 'base';
my $attr_map = $config->{'attr_map'};
my @attrs = ('dn');
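Review bot: The new line "my $group_scope = $config->{'group_scope'} || 'base';" accepts any string, so a typo such as 'subs' in RT_SiteConfig.pm reaches the search call with no warning. Suggest checking the value against base, one and sub at this point, and logging an error and falling back to 'base' otherwise, so that a misconfigured access-control setting is visible in the logs rather than left to however the LDAP library treats an unrecognized scope.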
@@ -118,6 +119,8 @@ sub GetAuth {
$RT::Logger->debug( "LDAP Search === ",
"Base:",
$group,
+ "== Scope:",
+ $group_scope,
"== Filter:",
$filter->as_string,
"== Attrs:",
@@ -126,7 +129,7 @@ sub GetAuth {
$ldap_msg = $ldap->search( base => $group,
filter => $filter,
attrs => \@attrs,
- scope => 'base');
+ scope => $group_scope);
# And the user isn't a member:
unless ($ldap_msg->code == LDAP_SUCCESS ||
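Review bot: With the scope fixed at 'base' this search could return at most one entry; with "scope => $group_scope" set to 'one' or 'sub' it can return several, or fail on a server-side size or time limit. The check that follows, beginning "unless ($ldap_msg->code == LDAP_SUCCESS ||", should be confirmed to fail closed (treat any non-success code as "not a member") and to behave correctly when more than one entry matches. A test that covers a group located below the configured DN would be worth adding with this change.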
