Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Allow ldap_dynamic_group_member_url to be a filter #8230

Closed
wants to merge 3 commits into from
Closed

Allow ldap_dynamic_group_member_url to be a filter #8230

Changes from all commits
Commits
Show all changes
3 commits
Select commit Hold shift + click to select a range
478b8b1
Allow ldap_dynamic_group_member_url to be a filter
Feb 7, 2018
6f1305e
Normalize the output of fetchListOfGroups
Feb 8, 2018
31aaac5
Replaced %gid by %gdn
Mar 7, 2018
File filter

Filter by extension

Filter by extension
Conversations
Failed to load comments.
Loading
Jump to
Jump to file
Failed to load files.
Loading
Diff view
Diff view
89 changes: 59 additions & 30 deletions apps/user_ldap/lib/Group_LDAP.php
View file
Open in desktop
Original file line number Diff line number Diff line change
Expand Up @@ -178,11 +178,19 @@ public function getDynamicGroupMembers($dnGroup) {
}

$dynamicMembers = array();
$memberURLs = $this->access->readAttribute(
$dnGroup,
$dynamicGroupMemberURL,
$this->access->connection->ldapGroupFilter
);
if (strpos($dynamicGroupMemberURL, '(') === 0) {
// This is the filter URL itself. Replace %gdn with the group's DN
$memberURLs = array(
preg_replace('/%gdn(?=\b)/', $dnGroup, $dynamicGroupMemberURL)
);
} else {
// This is an LDAP attribute where the URL can be found in
$memberURLs = $this->access->readAttribute(
$dnGroup,
$dynamicGroupMemberURL,
$this->access->connection->ldapGroupFilter
);
}
if ($memberURLs !== false) {
// this group has the 'memberURL' attribute so this is a dynamic group
// example 1: ldap:///cn=users,cn=accounts,dc=dcsubbase,dc=dcbase??one?(o=HeadOffice)
Expand Down Expand Up @@ -632,34 +640,55 @@ public function getUserGroups($uid) {

if (!empty($dynamicGroupMemberURL)) {
// look through dynamic groups to add them to the result array if needed
$groupsToMatch = $this->access->fetchListOfGroups(
$this->access->connection->ldapGroupFilter,array('dn',$dynamicGroupMemberURL));
if (strpos($dynamicGroupMemberURL, '(') === 0) {
// This is a query filter. '%gdn' will be replaced by the group's DN
$urlIsFilter = true;
$groupsToMatch = $this->access->fetchListOfGroups(
$this->access->connection->ldapGroupFilter, array('dn'));
} else {
// This is the attribute name where the filter can be found
$urlIsFilter = false;
$groupsToMatch = $this->access->fetchListOfGroups(
$this->access->connection->ldapGroupFilter, array('dn',$dynamicGroupMemberURL));
}
foreach($groupsToMatch as $dynamicGroup) {
if (!array_key_exists($dynamicGroupMemberURL, $dynamicGroup)) {
continue;
}
$pos = strpos($dynamicGroup[$dynamicGroupMemberURL][0], '(');
if ($pos !== false) {
$memberUrlFilter = substr($dynamicGroup[$dynamicGroupMemberURL][0],$pos);
// apply filter via ldap search to see if this user is in this
// dynamic group
$userMatch = $this->access->readAttribute(
$userDN,
$this->access->connection->ldapUserDisplayName,
$memberUrlFilter
);
if ($userMatch !== false) {
// match found so this user is in this group
$groupName = $this->access->dn2groupname($dynamicGroup['dn'][0]);
if(is_string($groupName)) {
// be sure to never return false if the dn could not be
// resolved to a name, for whatever reason.
$groups[] = $groupName;
}
if ($urlIsFilter) {
// Replace '%gdn' with the group's DN
if (is_string($dynamicGroup)) {
// fetchListOfGroups returns an array of strings when called
// with a single attribute to fetch. Make this compatible.
$dynamicGroup = array('dn' => array($dynamicGroup));
}
$memberUrlFilter = preg_replace('/%gdn(?=\b)/', $dynamicGroup['dn'][0], $dynamicGroupMemberURL);
} else {
\OCP\Util::writeLog('user_ldap', 'No search filter found on member url '.
'of group ' . print_r($dynamicGroup, true), \OCP\Util::DEBUG);
// Resolve filter from given attribute
if (!array_key_exists($dynamicGroupMemberURL, $dynamicGroup)) {
continue;
}
$pos = strpos($dynamicGroup[$dynamicGroupMemberURL][0], '(');
if ($pos === false) {
\OCP\Util::writeLog('user_ldap', 'No search filter found on member url '.
'of group ' . print_r($dynamicGroup, true), \OCP\Util::DEBUG);
continue;
}
$memberUrlFilter = substr($dynamicGroup[$dynamicGroupMemberURL][0],$pos);
}

// apply filter via ldap search to see if this user is in this
// dynamic group
$userMatch = $this->access->readAttribute(
$userDN,
$this->access->connection->ldapUserDisplayName,
$memberUrlFilter
);
if ($userMatch !== false) {
// match found so this user is in this group
$groupName = $this->access->dn2groupname($dynamicGroup['dn'][0]);
if(is_string($groupName)) {
// be sure to never return false if the dn could not be
// resolved to a name, for whatever reason.
$groups[] = $groupName;
}
}
}
}
Expand Down