From 9e1e4ea381c5df8e8ffbb199b44e24395f27abc3 Mon Sep 17 00:00:00 2001 From: mildis Date: Fri, 22 May 2020 05:57:30 +0200 Subject: [PATCH] Allow use of the user's DN as the group filter substitution --- app/Core/Ldap/Group.php | 4 +-- app/Core/Ldap/User.php | 33 ++++++++++++++++++------- app/constants.php | 1 + config.default.php | 4 +++ tests/units/Core/Ldap/LdapGroupTest.php | 8 +++--- tests/units/Core/Ldap/LdapUserTest.php | 20 +++++++-------- 6 files changed, 45 insertions(+), 25 deletions(-) diff --git a/app/Core/Ldap/Group.php b/app/Core/Ldap/Group.php index e1f60ab5a..8b1d5feff 100644 --- a/app/Core/Ldap/Group.php +++ b/app/Core/Ldap/Group.php @@ -56,7 +56,7 @@ class Group */ public function find($query) { - $this->query->execute($this->getBasDn(), $query, $this->getAttributes()); + $this->query->execute($this->getBaseDn(), $query, $this->getAttributes()); $groups = array(); if ($this->query->hasResult()) { @@ -119,7 +119,7 @@ class Group * @access public * @return string */ - public function getBasDn() + public function getBaseDn() { if (! LDAP_GROUP_BASE_DN) { throw new LogicException('LDAP group base DN empty, check the parameter LDAP_GROUP_BASE_DN'); diff --git a/app/Core/Ldap/User.php b/app/Core/Ldap/User.php index 63bd1ccb5..723c9068e 100644 --- a/app/Core/Ldap/User.php +++ b/app/Core/Ldap/User.php @@ -67,7 +67,7 @@ class User */ public function find($query) { - $this->query->execute($this->getBasDn(), $query, $this->getAttributes()); + $this->query->execute($this->getBaseDn(), $query, $this->getAttributes()); $user = null; if ($this->query->hasResult()) { 
@@ -85,15 +85,20 @@ class User * * @access protected * @param Entry $entry - * @param string $username * @return string[] */ - protected function getGroups(Entry $entry, $username) + protected function getGroups(Entry $entry) { + $userattr = ''; + if ('username' == $this->getGroupUserAttribute()) { + $userattr = $entry->getFirstValue($this->getAttributeUsername()); + } else if ('dn' == $this->getGroupUserAttribute()) { + $userattr = $entry->getDn(); + } $groupIds = array(); - if (! empty($username) && $this->group !== null && $this->hasGroupUserFilter()) { - $groups = $this->group->find(sprintf($this->getGroupUserFilter(), $username)); + if (! empty($userattr) && $this->group !== null && $this->hasGroupUserFilter()) { + $groups = $this->group->find(sprintf($this->getGroupUserFilter(), $userattr)); foreach ($groups as $group) { $groupIds[] = $group->getExternalId(); @@ -150,12 +155,11 @@ class User protected function build() { $entry = $this->query->getEntries()->getFirstEntry(); - $username = $entry->getFirstValue($this->getAttributeUsername()); - $groupIds = $this->getGroups($entry, $username); + $groupIds = $this->getGroups($entry); return new LdapUserProvider( $entry->getDn(), - $username, + $entry->getFirstValue($this->getAttributeUsername()), $entry->getFirstValue($this->getAttributeName()), $entry->getFirstValue($this->getAttributeEmail()), $this->getRole($groupIds), @@ -274,6 +278,17 @@ class User return LDAP_GROUP_USER_FILTER; } + /** + * Get LDAP Group User attribute + * + * @access public + * @return string + */ + public function getGroupUserAttribute() + { + return LDAP_GROUP_USER_ATTRIBUTE; + } + /** * Return true if LDAP Group User filter is defined * @@ -324,7 +339,7 @@ class User * @access public * @return string */ - public function getBasDn() + public function getBaseDn() { if (! LDAP_USER_BASE_DN) { throw new LogicException('LDAP user base DN empty, check the parameter LDAP_USER_BASE_DN'); 
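Review bot: The value substituted into the group filter with `sprintf` in getGroups is inserted raw, and the new 'dn' option makes that a real problem: a DN can legitimately contain `(`, `)`, `*` and `\` (escaped commas, parenthesised CNs), all of which are filter metacharacters under RFC 4515, so the resulting search is malformed or matches something other than the intended user. The username path had the same gap before this commit, but a DN is far more likely to carry such characters in practice. Escape the substituted value at the call site: `$groups = $this->group->find(sprintf($this->getGroupUserFilter(), ldap_escape($userattr, '', LDAP_ESCAPE_FILTER)));` (ldap_escape exists from PHP 5.6, so check the project's minimum version). The tail of getGroups (the foreach and the return) lies outside this hunk.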
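Review bot: getGroupUserAttribute returns LDAP_GROUP_USER_ATTRIBUTE unchecked, while getGroups only compares it against the literal strings 'username' and 'dn'; any other value, including a typo in the environment variable, leaves `$userattr` empty and getGroups silently returns no groups, so role resolution via `getRole($groupIds)` degrades without any sign of the misconfiguration. Validate in the getter, consistent with how getBaseDn throws on an empty base DN: `if (! in_array(LDAP_GROUP_USER_ATTRIBUTE, array('username', 'dn'), true)) { throw new LogicException('LDAP_GROUP_USER_ATTRIBUTE must be "username" or "dn"'); }` before the return. The docblock should also state the contract, e.g. `@return string either 'username' or 'dn'`.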
diff --git a/app/constants.php b/app/constants.php index 1a3bfc099..ae59a10e5 100644 --- a/app/constants.php +++ b/app/constants.php @@ -89,6 +89,7 @@ defined('LDAP_GROUP_PROVIDER') or define('LDAP_GROUP_PROVIDER', strtolower(geten defined('LDAP_GROUP_BASE_DN') or define('LDAP_GROUP_BASE_DN', getenv('LDAP_GROUP_BASE_DN') ?: ''); defined('LDAP_GROUP_FILTER') or define('LDAP_GROUP_FILTER', getenv('LDAP_GROUP_FILTER') ?: ''); defined('LDAP_GROUP_USER_FILTER') or define('LDAP_GROUP_USER_FILTER', getenv('LDAP_GROUP_USER_FILTER') ?: ''); +defined('LDAP_GROUP_USER_ATTRIBUTE') or define('LDAP_GROUP_USER_ATTRIBUTE', getenv('LDAP_GROUP_USER_ATTRIBUTE') ?: 'username'); defined('LDAP_GROUP_ATTRIBUTE_NAME') or define('LDAP_GROUP_ATTRIBUTE_NAME', getenv('LDAP_GROUP_ATTRIBUTE_NAME') ?: 'cn'); // Proxy authentication diff --git a/config.default.php b/config.default.php index 828e600c1..d40e3920e 100644 --- a/config.default.php +++ b/config.default.php @@ -184,6 +184,10 @@ define('LDAP_GROUP_FILTER', ''); // Example for OpenLDAP: (&(objectClass=posixGroup)(memberUid=%s)) define('LDAP_GROUP_USER_FILTER', ''); +// LDAP attribute for the user in the group filter +// 'username' or 'dn' +define('LDAP_GROUP_USER_ATTRIBUTE', 'username'); + // LDAP attribute for the group name define('LDAP_GROUP_ATTRIBUTE_NAME', 'cn'); diff --git a/tests/units/Core/Ldap/LdapGroupTest.php b/tests/units/Core/Ldap/LdapGroupTest.php index 295a20e6b..a5d26763a 100644 --- a/tests/units/Core/Ldap/LdapGroupTest.php +++ b/tests/units/Core/Ldap/LdapGroupTest.php @@ -37,7 +37,7 @@ class LdapGroupTest extends Base ->setConstructorArgs(array($this->query)) ->setMethods(array( 'getAttributeName', - 'getBasDn', + 'getBaseDn', )) ->getMock(); } @@ -96,7 +96,7 @@ class LdapGroupTest extends Base $this->group ->expects($this->any()) - ->method('getBasDn') + ->method('getBaseDn') ->will($this->returnValue('CN=Users,DC=kanboard,DC=local')); $groups = $this->group->find('(&(objectClass=group)(sAMAccountName=Kanboard*))'); 
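Review bot: The new LDAP_GROUP_USER_ATTRIBUTE comment in config.default.php lists 'username' or 'dn' without saying when each applies, and the only LDAP_GROUP_USER_FILTER example shown above it (`memberUid=%s`) is a username-style filter, so an administrator switching to 'dn' has nothing to pair it with. Add a line such as `// Use 'dn' when the group filter matches a DN-valued attribute such as member or uniqueMember, e.g. (&(objectClass=groupOfNames)(member=%s))`. Since constants.php reads the value from getenv() without validation, it is also worth stating that any other value disables group lookups rather than producing an error.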
@@ -142,7 +142,7 @@ class LdapGroupTest extends Base $this->group ->expects($this->any()) - ->method('getBasDn') + ->method('getBaseDn') ->will($this->returnValue('CN=Users,DC=kanboard,DC=local')); $groups = $this->group->find('(&(objectClass=group)(sAMAccountName=Kanboard*))'); @@ -154,6 +154,6 @@ class LdapGroupTest extends Base $this->expectException('\LogicException'); $group = new Group($this->query); - $group->getBasDn(); + $group->getBaseDn(); } } diff --git a/tests/units/Core/Ldap/LdapUserTest.php b/tests/units/Core/Ldap/LdapUserTest.php index 64e306b54..bafa018a4 100644 --- a/tests/units/Core/Ldap/LdapUserTest.php +++ b/tests/units/Core/Ldap/LdapUserTest.php @@ -56,7 +56,7 @@ class LdapUserTest extends Base 'getGroupUserFilter', 'getGroupAdminDn', 'getGroupManagerDn', - 'getBasDn', + 'getBaseDn', )) ->getMock(); } @@ -127,7 +127,7 @@ class LdapUserTest extends Base $this->user ->expects($this->any()) - ->method('getBasDn') + ->method('getBaseDn') ->will($this->returnValue('ou=People,dc=kanboard,dc=local')); $user = $this->user->find('(uid=my_ldap_user)'); @@ -202,7 +202,7 @@ class LdapUserTest extends Base $this->user ->expects($this->any()) - ->method('getBasDn') + ->method('getBaseDn') ->will($this->returnValue('ou=People,dc=kanboard,dc=local')); $user = $this->user->find('(uid=my_ldap_user)'); @@ -293,7 +293,7 @@ class LdapUserTest extends Base $this->user ->expects($this->any()) - ->method('getBasDn') + ->method('getBaseDn') ->will($this->returnValue('ou=People,dc=kanboard,dc=local')); $user = $this->user->find('(uid=my_ldap_user)'); @@ -396,7 +396,7 @@ class LdapUserTest extends Base $this->user ->expects($this->any()) - ->method('getBasDn') + ->method('getBaseDn') ->will($this->returnValue('ou=People,dc=kanboard,dc=local')); $user = $this->user->find('(uid=my_ldap_user)'); 
@@ -451,7 +451,7 @@ class LdapUserTest extends Base $this->user ->expects($this->any()) - ->method('getBasDn') + ->method('getBaseDn') ->will($this->returnValue('ou=People,dc=kanboard,dc=local')); $user = $this->user->find('(uid=my_ldap_user)'); @@ -543,7 +543,7 @@ class LdapUserTest extends Base $this->user ->expects($this->any()) - ->method('getBasDn') + ->method('getBaseDn') ->will($this->returnValue('OU=Users,DC=kanboard,DC=local')); $this->group @@ -649,7 +649,7 @@ class LdapUserTest extends Base $this->user ->expects($this->any()) - ->method('getBasDn') + ->method('getBaseDn') ->will($this->returnValue('OU=Users,DC=kanboard,DC=local')); $this->group @@ -760,7 +760,7 @@ class LdapUserTest extends Base $this->user ->expects($this->any()) - ->method('getBasDn') + ->method('getBaseDn') ->will($this->returnValue('OU=Users,DC=kanboard,DC=local')); $this->group @@ -790,7 +790,7 @@ class LdapUserTest extends Base $this->expectException('\LogicException'); $user = new User($this->query); - $user->getBasDn(); + $user->getBaseDn(); } public function testGetLdapUserPatternNotConfigured()