Changeset:
        8556cc9ac42f
        
https://sourceforge.net/p/mrbs/hg-code/ci/8556cc9ac42f04ffcd9898bd24f39c1a12a3f5f1
Author:
        John Beranek <[email protected]>
Date:
        Wed Oct 14 20:39:58 2015 +0100
Log message:

Added more flexible LDAP filtering support, as supplied by Steve Cleveland.
Adds configuration variables $ldap_filter_base_dn and
$ldap_filter_user_attr.

diffstat:

 web/auth/auth_ldap.inc     |  38 ++++++++++++++++++++++++++++++++------
 web/systemdefaults.inc.php |  10 ++++++++--
 2 files changed, 40 insertions(+), 8 deletions(-)

diffs (96 lines):

diff -r ac92479f3400 -r 8556cc9ac42f web/auth/auth_ldap.inc
--- a/web/auth/auth_ldap.inc    Wed Oct 14 20:29:49 2015 +0100
+++ b/web/auth/auth_ldap.inc    Wed Oct 14 20:39:58 2015 +0100
@@ -41,6 +41,8 @@
   global $ldap_email_attrib;
   global $ldap_disable_referrals;
   global $ldap_deref;
+  global $ldap_filter_base_dn;
+  global $ldap_filter_user_attr;
 
   if (!function_exists("ldap_connect"))
   {
@@ -66,7 +68,9 @@
                         'ldap_tls',
                         'ldap_email_attrib',
                         'ldap_disable_referrals',
-                        'ldap_deref'
+                        'ldap_deref',
+                        'ldap_filter_base_dn',
+                        'ldap_filter_user_attr'
                        );
 
   $all_ldap_opts = array();
@@ -399,11 +403,33 @@
       authLdapDebug("authValidateUserCallback: Successful authenticated ".
                     "bind checking '$filter'");
 
-      $res = @ldap_read($ldap,
-                        $dn,
-                        "($filter)",
-                        array()
-                       );
+      // If ldap_filter_base_dn is set, set the filter to search for the user
+      // in the given base_dn (OpenLDAP).  If not, read from the user
+      // attribute (AD)
+      if (isset($object['config']['ldap_filter_base_dn']))
+      {
+        $f = "(&(".
+          $object['config']['ldap_filter_user_attr'].
+          "=$user)($filter))";
+        $filter_dn = $object['config']['ldap_filter_base_dn'];
+        $call = 'ldap_search';
+      }
+      else
+      {
+        $f = "($filter)";
+        $filter_dn = $dn;
+        $call = 'ldap_read';
+      }
+
+      authLdapDebug("authValidateUserCallback: Trying filter: $f: ".
+                    "dn: $filter_dn: method: $call");
+
+      $res = $call(
+                   $ldap,
+                   $filter_dn,
+                   $f,
+                   array()
+                  );
       if (@ldap_count_entries($ldap, $res) > 0)
       {
         authLdapDebug("authValidateUserCallback: Found entry with filter");
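Review bot: `$user` is interpolated unescaped into the search filter assembled at `$f = "(&(" . $object['config']['ldap_filter_user_attr'] . "=$user)($filter))"`, so a login name containing LDAP filter metacharacters (`*`, `(`, `)`, `\`) changes the meaning of the filter instead of being matched literally; if `$user` is the name entered at login, as the callback's name suggests, escape it first, e.g. `"=" . ldap_escape($user, '', LDAP_ESCAPE_FILTER) . ")($filter))"` (ldap_escape() exists from PHP 5.6; older installs need an equivalent local escaper). The replaced code only ever passed the config-supplied `$filter` to ldap_read(), so this exposure is new to the ldap_search branch. Separately, the old call was `@ldap_read(...)` while the new `$res = $call(...)` has no `@`, so a failed search or read now emits a warning where it was silenced before; if that is intended it deserves a comment, otherwise restore the suppression or check `$res === false` before the ldap_count_entries() call. authValidateUserCallback begins and ends outside this hunk.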
diff -r ac92479f3400 -r 8556cc9ac42f web/systemdefaults.inc.php
--- a/web/systemdefaults.inc.php        Wed Oct 14 20:29:49 2015 +0100
+++ b/web/systemdefaults.inc.php        Wed Oct 14 20:39:58 2015 +0100
@@ -755,7 +755,7 @@
 
 // LDAP base distinguish name.
 // This can be an array.
-//$ldap_base_dn = "ou=organizationalunit,dc=my-domain,dc=com";
+//$ldap_base_dn = "ou=organizationalunit,dc=example,dc=com";
 
 // Attribute within the base dn that contains the username
 // This can be an array.
@@ -770,7 +770,7 @@
 // If you need to bind as a particular user to do the search described
 // above, specify the DN and password in the variables below
 // These two parameters can be arrays.
-// $ldap_dn_search_dn = "cn=Search User,ou=Users,dc=some,dc=company";
+// $ldap_dn_search_dn = "cn=Search User,ou=Users,dc=example,dc=com";
 // $ldap_dn_search_password = "some-password";
 
 // 'auth_ldap' extra configuration for ldap configuration of who can use
@@ -781,6 +781,12 @@
 // An example for Microsoft AD:
 //$ldap_filter = "memberof=cn=whater,ou=whatver,dc=example,dc=com";
 
+// If you need to filter a user by the group a user is in with OpenLDAP
+// you need to search for the groups they are in. If you want to do
+// this, define the following two variables, e.g.:
+// $ldap_filter_base_dn = "ou=Groups,dc=example,dc=com";
+$ldap_filter_user_attr = "cn";
+
 // If you need to disable client referrals, this should be set to TRUE.
 // Note: Active Directory for Windows 2003 forward requires this.
 // $ldap_disable_referrals = TRUE;
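Review bot: The comment `// this, define the following two variables, e.g.:` says both variables must be defined, but only `$ldap_filter_base_dn` is left as a commented-out example while `$ldap_filter_user_attr = "cn";` is assigned unconditionally, so a reader cannot tell that the attribute already has a default and that setting `$ldap_filter_base_dn` alone is what enables the group search. Suggest rewording to `// Setting $ldap_filter_base_dn enables the group search; $ldap_filter_user_attr` / `// (default "cn") is the attribute matched against the login name.` It would also help to state that when `$ldap_filter_base_dn` is set, `$ldap_filter` is applied to entries under that base rather than to the user's own entry, since that changes what an existing `$ldap_filter` value means.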
