
IDProjectCategoryView StatusLast Update
433RackTablesdefaultpublic2011-06-15 10:10
Reporterinfrastation Assigned Toinfrastation  
PrioritynormalSeverityfeatureReproducibilityN/A
Status closedResolutionfixed 
Target Version0.19.5Fixed in Version0.19.5 
Summary433: eDirectory support in LDAP
Descriptionby Walery Wysotsky:
"I changed module inc/auth.php. Now it is possible to gather group
members for LDAP servers, different from MS ActiveDirectory (I use
Novell eDirectory) and use it in permission checks (lgcn_ tag)."
TagsNo tags attached.

Activities

2011-06-07 16:32

 

auth.php.diff (1,738 bytes)   
329c329,331
< 		strlen ($LDAP_options['search_attr'])
---
> 		strlen ($LDAP_options['search_attr']) and
> 		isset ($LDAP_options['group_attr']) and
> 		strlen ($LDAP_options['group_attr'])
337c339
< 			array_merge (array ('memberof'), explode (' ', $LDAP_options['displayname_attrs']))
---
> 			array_merge (array ($LDAP_options['group_attr']), explode (' ', $LDAP_options['displayname_attrs']))
353,355c355,363
< 		if (isset ($info[0]['memberof']))
< 			for ($i = 0; $i < $info[0]['memberof']['count']; $i++)
< 				foreach (explode (',', $info[0]['memberof'][$i]) as $pair)
---
> 		if (isset ($info[0][$LDAP_options['group_attr']]))
> 			for ($i = 0; $i < $info[0][$LDAP_options['group_attr']]['count']; $i++)
> 			{
> 				$pair = $info[0][$LDAP_options['group_attr']][$i];
> 				if 
> 				(
> 					isset ($LDAP_options['group_filter']) and
> 					strlen ($LDAP_options['group_filter'])
> 				)
357,359c365,371
< 					list ($attr_name, $attr_value) = explode ('=', $pair);
< 					if (strtoupper ($attr_name) == 'CN' and validTagName ('$lgcn_' . $attr_value, TRUE))
< 						$ret['memberof'][] = '$lgcn_' . $attr_value;
---
> 					if (preg_match($LDAP_options['group_filter'], $pair, $matches))
> 					{
> 						$attr_name = $matches[1];
> 						$attr_value = $matches[2];
> 					}
> 					else
> 						$attr_name = 'undefined';
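Review bot: `$matches[1]` and `$matches[2]` on the lines above are read whenever `group_filter` matched, but nothing checks that the configured pattern actually has two capture groups, so a pattern without them produces undefined-index notices and an empty `$attr_value` before the CN comparison. The r4 patch (hunk `@@ -445,17 +449,14 @@` below) carries the same assumption, reading `$matches[1]` straight after a single `preg_match`; in both places a misconfigured filter appears to fail closed (no tags) but only with notices rather than a clear error. A guard such as `if (preg_match ($LDAP_options['group_filter'], $pair, $matches) and isset ($matches[2]))` makes the requirement explicit. The enclosing function queryLDAPServer starts and ends outside this hunk.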
360a373,381
> 				else
> 				{
> 					$pairs = explode (',', $info[0][$LDAP_options['group_attr']][$i]);
> // group CN in only first element
> 					list ($attr_name, $attr_value) = explode ('=', $pairs[0]);
> 				}
> 				if (strtoupper ($attr_name) == 'CN' and validTagName ('$lgcn_' . $attr_value, TRUE))
> 					$ret['memberof'][] = '$lgcn_' . $attr_value;
> 			}
auth.php.diff (1,738 bytes)   

2011-06-07 16:32

 

secret-sample.php.diff (260 bytes)   
46a47,56
> 
> // for AD LDAP
>     'group_attr' => 'memberof',
> // for eDirectory LDAP
> //    'group_attr' => 'groupmembership',    
> 
> // filter user groups, optional
> #    'group_filter' => '/(cn)=(\w+),ou=RackTables,ou=IT,o=bogdan/i',
> 
> 
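Review bot: The sample `group_filter` `'/(cn)=(\w+),ou=RackTables,ou=IT,o=bogdan/i'` captures the attribute name as group 1 and the value as group 2, which fits the first auth.php.diff but not the r4 patch, where `$matches[1]` is used directly as the group CN; with this sample under r4 every membership would yield the tag `$lgcn_cn`. Update the sample to capture only the value, e.g. `#    'group_filter' => '/^cn=([^,]+),ou=RackTables,ou=IT,o=bogdan/i',`, and state in the comment above it that the first parenthesised group must be the group CN. `\w` also rejects group names containing spaces or hyphens, which the r4 default `[^,]+` accepts, so the sample would silently drop such groups.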
secret-sample.php.diff (260 bytes)   

2011-06-13 21:01

 

edirectory-r4.patch (1,987 bytes)   
Index: wwwroot/inc/auth.php
===================================================================
--- wwwroot/inc/auth.php	(revision 4562)
+++ wwwroot/inc/auth.php	(working copy)
@@ -365,6 +365,10 @@
 function queryLDAPServer ($username, $password)
 {
 	global $LDAP_options;
+	if (! array_key_exists ('group_attr', $LDAP_options))
+		$LDAP_options['group_attr'] = 'memberof';
+	if (! array_key_exists ('group_filter', $LDAP_options))
+		$LDAP_options['group_filter'] = '/^[Cc][Nn]=([^,]+)/';
 
 	if(extension_loaded('ldap') === FALSE)
 		throw new RackTablesError ('LDAP misconfiguration. LDAP PHP Module is not installed.', RackTablesError::MISCONFIGURED);
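Review bot: The two new config keys carry no comment stating their contract, although the rest of the function depends on it: `group_filter` must be a PCRE whose first capture group is the group CN. Add above the second default `// group_filter must capture the group CN in its first parenthesised group`, and above the first `// LDAP attribute holding group membership DNs (memberof for AD, groupmembership for eDirectory)`. As a point of style, the default `'/^[Cc][Nn]=([^,]+)/'` reads more plainly as `'/^cn=([^,]+)/i'`. Note that the defaults are written back into the global `$LDAP_options`, so after the first call the array no longer matches what the config file declared; this is harmless as far as the hunk shows, but worth a comment if it is intentional.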
@@ -429,7 +433,7 @@
 			$connect,
 			$LDAP_options['search_dn'],
 			'(' . $LDAP_options['search_attr'] . "=${username})",
-			array_merge (array ('memberof'), explode (' ', $LDAP_options['displayname_attrs']))
+			array_merge (array ($LDAP_options['group_attr']), explode (' ', $LDAP_options['displayname_attrs']))
 		);
 		if (@ldap_count_entries ($connect, $results) != 1)
 		{
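Review bot: The `ldap_search` call whose attribute list this hunk changes still builds its filter as `'(' . $LDAP_options['search_attr'] . "=${username})"` (context line above), so a username containing `*`, `(`, `)` or `\` changes the filter's meaning instead of being matched literally; this predates the patch, but the group lookup the patch adds is keyed on whatever entry that filter returns. Escape the value before interpolation — on PHP 5.6+ `ldap_escape ($username, '', LDAP_ESCAPE_FILTER)`, otherwise a local helper that backslash-hex-encodes those characters per RFC 4515 — or, if an earlier authentication step already restricts usernames to a safe character set, say so in a comment at this call.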
@@ -445,17 +449,14 @@
 			$space = ' ';
 		}
 		// Pull group membership, if any was returned.
-		if (isset ($info[0]['memberof']))
-			for ($i = 0; $i < $info[0]['memberof']['count']; $i++)
-				foreach (explode (',', $info[0]['memberof'][$i]) as $pair)
-				{
-					$items = explode ('=', $pair);
-					if (count ($items) != 2)
-						continue;
-					list ($attr_name, $attr_value) = $items;
-					if (strtoupper ($attr_name) == 'CN' and validTagName ('$lgcn_' . $attr_value, TRUE))
-						$ret['memberof'][] = '$lgcn_' . $attr_value;
-				}
+		if (isset ($info[0][$LDAP_options['group_attr']]))
+			for ($i = 0; $i < $info[0][$LDAP_options['group_attr']]['count']; $i++)
+				if
+				(
+					preg_match ($LDAP_options['group_filter'], $info[0][$LDAP_options['group_attr']][$i], $matches)
+					and validTagName ('$lgcn_' . $matches[1], TRUE)
+				)
+					$ret['memberof'][] = '$lgcn_' . $matches[1];
 	}
 	@ldap_close ($connect);
 	return $ret;
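Review bot: A `group_filter` that is not valid PCRE makes `preg_match` return false with a warning on each iteration, and the `and` chain then silently yields no `$lgcn_` tags for every user, which shows up as a permission problem rather than a configuration error. Validate the pattern once before the loop, mirroring the existing extension check at the top of this function: `if (preg_match ($LDAP_options['group_filter'], '') === FALSE) throw new RackTablesError ('LDAP misconfiguration. group_filter is not a valid regexp.', RackTablesError::MISCONFIGURED);`. The removed `count ($items) != 2` guard is now entirely replaced by the regex, so a note such as `// group_filter's first capture group is the group CN; non-matching DNs are skipped` above the `if` would record that. The brace-less nested `for`/`if` spanning six lines is also hard to scan; braces around the loop body would cost nothing.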
edirectory-r4.patch (1,987 bytes)   
infrastation

infrastation

2011-06-14 14:08

administrator   ~0000341

the fix is being tested in trunk

Issue History

Date Modified Username Field Change
2011-06-07 16:31 infrastation New Issue
2011-06-07 16:32 infrastation Assigned To => infrastation
2011-06-07 16:32 infrastation Status new => acknowledged
2011-06-07 16:32 infrastation Target Version => 0.19.5
2011-06-07 16:32 infrastation File Added: auth.php.diff
2011-06-07 16:32 infrastation File Added: secret-sample.php.diff
2011-06-11 22:53 infrastation File Added: edirectory-r2.patch
2011-06-13 21:01 infrastation File Added: edirectory-r4.patch
2011-06-13 21:02 infrastation File Deleted: edirectory-r2.patch
2011-06-14 14:08 infrastation Note Added: 0000341
2011-06-14 14:08 infrastation Status acknowledged => assigned
2011-06-15 10:10 infrastation Status assigned => closed
2011-06-15 10:10 infrastation Fixed in Version => 0.19.5
2011-06-15 10:10 infrastation Resolution open => fixed