Hello Janos,

although my answer is a bit late, I still want to thank you for your
explanation and example. It worked as expected for our use case. I
already knew about the custom authentication function but I never
thought of performing an ldap bind there to get the required addresses
and add them to the session data.

Thanks,
Martin

On 22.11.2019 at 21:46, s...@acts.hu wrote:
>
>
> Hello Martin,
>
> my first idea was the group feature until I saw you had ruled it out.
>
> Then the custom email query function is to the rescue, see
> http://www.mailpiler.org/wiki/current:custom-authentication for more.
>
> So let's say you have an ldap attribute called 'aaa' with value 'bbb'
> having the required email addresses, and the manager is
> mana...@yourdomain.com.
>
> Then put a similar function to config-site.php:
>
> $config['CUSTOM_EMAIL_QUERY_FUNCTION'] = 'my_custom_func';
>
> function my_custom_func($username = '') {
>    $session = Registry::get('session');
>    $data = $session->get("auth_data");
>
>    $extra_emails = [];
>
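>    if($data['email'] == 'mana...@yourdomain.com') {
>       // $ldap_host, $ldap_port, $ldap_helper_dn, $ldap_helper_password and
>       // $ldap_base_dn are placeholders: set them in this function before use
>       $ldap = new LDAP($ldap_host, $ldap_port, $ldap_helper_dn, $ldap_helper_password);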
>
>       if($ldap->is_bind_ok()) {
>          $query = $ldap->query($ldap_base_dn, "aaa=bbb");
>          $extra_emails = $query->rows;
>       }
>    }
>
>    $data['emails'] = array_merge($data['emails'] , $extra_emails);
>
>    $session->set("auth_data", $data);
> }
>
> Note that you may have to fine tune the ldap query, and need to do some
> polishing on the $query->rows part. Also be sure to check out the
> checkLoginAgainstLDAP_real() function in model/user/auth.php to see
> how it works.
>
>
> Janos
>
> On 2019-11-22 20:30, Martin Nadvornik wrote:
>> Hello fellow piler users,
>>
>> I am currently trying to find a way to give managers the ability to
>> search e-mails of employees who are no longer with the company. I know
>> that in general you can give the owner of one address the ability to
>> access other addresses by using an alias or distribution list. However
>> in our case the e-mail accounts of prior employees don't exist anymore
>> and their e-mail addresses should not be reachable. Therefore using aliases
>> or distribution lists is not an option.
>> It would be possible of course to create groups directly in piler but
>> maintaining such groups by hand is not really efficient. So I am looking
>> for a way to use the group feature using LDAP.
>> The easiest method for us would be if there was a config value that just
>> tells piler which LDAP attribute to use and just allows the logged in
>> user access to every address listed in the attribute. But this needs
>> some development effort as far as I can tell.
>>
>> Is there anyone who has done this before? Any recommendations to solve
>> this are welcome.
>>
>> Thanks,
>> Martin
>

-- 
Martin Nadvornik
IT staff member

Diakonie Flüchtlingsdienst gem. GmbH
Steinergasse 3/12
1170 Wien, Austria
Tel: +43 (0) 1/ 402 67 54 - 1337
Fax: +43 (0) 1/ 402 67 54 - 16
Mobile: 0664/88350692
http://www.diakonie.at/fluechtlingsdienst

Responsibility cannot be deported!
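
Janos's note in the quoted reply says the `$query->rows` part needs polishing. The following is an added example (not part of the original e-mails and not piler's own code) of reducing such rows to a clean address list before it is merged into `$data['emails']`, which decides whose archived mail the logged-in user can search. It assumes the rows have the shape PHP's `ldap_get_entries()` returns; the function name, the `mail` attribute and the `example.com` domain are hypothetical.

```php
<?php
// Added example, not piler code. Assumes $rows is shaped like the output of
// PHP's ldap_get_entries(); attribute and domain names are hypothetical.

function extract_extra_emails(array $rows, string $attr, array $allowed_domains): array {
    $attr    = strtolower($attr);   // ldap_get_entries() lowercases attribute names
    $allowed = array_map('strtolower', $allowed_domains);
    $emails  = [];

    foreach ($rows as $key => $entry) {
        // Skip the top-level 'count' element and entries without the attribute
        if (!is_int($key) || !is_array($entry) || !isset($entry[$attr])) {
            continue;
        }
        foreach ((array)$entry[$attr] as $k => $value) {
            // Skip the per-attribute 'count' element and non-string values
            if (!is_int($k) || !is_string($value)) {
                continue;
            }
            $value = strtolower(trim($value));
            // Only syntactically valid addresses may widen the user's access
            if (filter_var($value, FILTER_VALIDATE_EMAIL) === false) {
                continue;
            }
            // Only addresses in domains the archive is expected to hold
            $domain = substr(strrchr($value, '@'), 1);
            if (!in_array($domain, $allowed, true)) {
                continue;
            }
            $emails[$value] = true;   // keyed by address to de-duplicate
        }
    }
    return array_keys($emails);
}

// Constructed sample in ldap_get_entries() format
$rows = [
    'count' => 1,
    0 => [
        'dn'    => 'cn=manager,dc=example,dc=com',
        'count' => 1,
        0       => 'mail',
        'mail'  => ['count' => 4, 0 => 'Former.Employee@example.com',
                    1 => 'former.employee@example.com',
                    2 => 'not-an-address', 3 => 'someone@other.example'],
    ],
];
print_r(extract_extra_emails($rows, 'mail', ['example.com']));
```

In the custom function, the returned array would take the place of the raw `$query->rows` in the `array_merge()` call.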

