diff --git a/core/src/plugins/auth.ldap/class.ldapAuthDriver.php b/core/src/plugins/auth.ldap/class.ldapAuthDriver.php index c6ab04a65a..ae296bb7a8 100644 --- a/core/src/plugins/auth.ldap/class.ldapAuthDriver.php +++ b/core/src/plugins/auth.ldap/class.ldapAuthDriver.php @@ -36,6 +36,7 @@ class ldapAuthDriver extends AbstractAuthDriver { var $ldapFilter; var $ldapGFilter; var $dynamicFilter; + var $dynamicExpected; var $ldapUserAttr; var $ldapGroupAttr; @@ -249,6 +250,9 @@ function getUserEntries($login = null, $countOnly = false, $offset = -1, $limit $expected = array_merge($expected, $keys); } } + if(is_array($this->dynamicExpected)){ + $expected = array_merge($expected, $this->dynamicExpected); + } foreach ($conn as $dn => $ldapc) { if (!$ldapc) { unset($conn[$dn]); @@ -290,7 +294,7 @@ function listUsersPaginated($baseGroup="/", $regexp, $offset, $limit){ if($this->hasGroupsMapping !== false){ if($baseGroup == "/"){ - $this->dynamicFilter = $this->hasGroupsMapping."="; + $this->dynamicFilter = "!(".$this->hasGroupsMapping."=*)"; }else{ $this->dynamicFilter = $this->hasGroupsMapping."=".ltrim($baseGroup, "/"); } @@ -359,6 +363,15 @@ function listChildrenGroups($baseGroup = "/"){ $login = $person[$this->ldapUserAttr][0]; //if(AuthService::ignoreUserCase()) $login = strtolower($login); $persons[$person["dn"]] = $login; + + $branch = array(); + $this->buildGroupBranch($login, $branch); + $parent = "/"; + if(count($branch)){ + $parent = "/".implode("/", array_reverse($branch)); + } + AuthService::createGroup($parent, $person["dn"], $login); + } $this->ldapDN = $origUsersDN; $this->ldapFilter = $origUsersFilter; @@ -438,6 +451,47 @@ function passwordsEditable(){ return false; } + function buildGroupBranch($groupAttrValue, &$branch = array()){ + // Load group data. Detect memberOf. Load parent group. + $origUsersDN = $this->ldapDN; + $origUsersFilter = $this->ldapFilter; + $origUsersAttr = $this->ldapUserAttr; + $this->ldapDN = $this->ldapGDN; + $this->ldapFilter = $this->ldapGFilter; + $this->ldapUserAttr = $this->ldapGroupAttr; + + $this->dynamicFilter = $this->ldapGroupAttr."=".$groupAttrValue; + $this->dynamicExpected = array($this->hasGroupsMapping); + + $entries = $this->getUserEntries(); + $this->dynamicFilter = null; + $this->dynamicExpected = null; + $persons = array(); + unset($entries['count']); // remove 'count' entry + $groupData = $entries[0]; + + $memberOf = $groupData[strtolower($this->hasGroupsMapping)][0]; + + $this->ldapDN = $origUsersDN; + $this->ldapFilter = $origUsersFilter; + $this->ldapUserAttr = $origUsersAttr; + + if(!empty($memberOf)){ + $parts = explode(",", ltrim($memberOf, '/')); + foreach($parts as $part){ + list($att,$attVal) = explode("=", $part); + if(strtolower($att) == "cn") $parentCN = $attVal; + } + if(!empty($parentCN)){ + $branch[] = $memberOf; + $this->buildGroupBranch($parentCN, $branch); + } + + } + + + } + function updateUserObject(&$userObject){ if(!empty($this->separateGroup)) $userObject->setGroupPath("/".$this->separateGroup); // SHOULD BE DEPRECATED @@ -488,16 +542,17 @@ function updateUserObject(&$userObject){ if(strtolower($att) == "cn") $hnParts[] = $attVal; } if(count($hnParts)) { - $memberValues[] = implode(",", $hnParts); + $memberValues[implode(",", $hnParts)] = $possibleValue; } } } switch($params['MAPPING_LOCAL_TYPE']){ case "role_id": if($key == "memberof"){ - foreach($memberValues as $uniqValue){ + foreach($memberValues as $uniqValue => $fullDN){ if(!in_array($uniqValue, array_keys($userObject->getRoles()))){ $userObject->addRole(AuthService::getRole($uniqValue, true)); + $userObject->recomputeMergedRole(); $changes = true; } } @@ -511,12 +566,29 @@ function updateUserObject(&$userObject){ }else{ $valueFilters = array_map("trim", explode(",", $filter)); } - foreach($memberValues as $uniqValue){ + foreach($memberValues as $uniqValue => $fullDN){ if(isSet($matchFilter) && !preg_match($matchFilter, $uniqValue)) continue; if(isSet($valueFilters) && !in_array($uniqValue, $matchFilter)) continue; + if($userObject->personalRole->filterParameterValue("auth.ldap", "MEMBER_OF", AJXP_REPO_SCOPE_ALL, "") == $fullDN){ + break; + } $humanName = $uniqValue; - AuthService::createGroup("/", $uniqValue, $humanName); - $userObject->setGroupPath("/".$uniqValue, true); + $branch = array(); + $this->buildGroupBranch($uniqValue, $branch); + $parent = "/"; + if(count($branch)){ + $parent = "/".implode("/", array_reverse($branch)); + } + AuthService::createGroup($parent, $fullDN, $humanName); + $userObject->setGroupPath(rtrim($parent, "/")."/".$fullDN, true); + // Update Roles from groupPath + $b = array_reverse($branch); + $b[] = $fullDN; + for($i=1;$i<=count($b);$i++){ + $userObject->addRole(AuthService::getRole("AJXP_GRP_/".implode("/", array_slice($b, 0, $i)), true)); + } + $userObject->personalRole->setParameterValue("auth.ldap", "MEMBER_OF", $fullDN); + $userObject->recomputeMergedRole(); $changes = true; } } @@ -525,6 +597,7 @@ function updateUserObject(&$userObject){ if($userObject->getProfile() != $value){ $changes = true; $userObject->setProfile($value); + AuthService::updateAutoApplyRole($userObject); } break; case "plugin_param":