Re: groups based on LDAP attribute
Hello Martin,

On 2020-01-07 17:26, Martin Nadvornik wrote:
> although my answer is a bit late, I still want to thank you for your
> explanation and example. It worked as expected for our use case. I already
> knew about the custom authentication function but I never thought of
> performing an ldap bind there to get the required addresses and add them
> to the session data.

no worries, you are welcome :-)

Janos

> On 22.11.2019 at 21:46, s...@acts.hu wrote:
>> Hello Martin,
>>
>> my first idea was the group feature until I saw you had ruled it out.
>> Then the custom email query function comes to the rescue, see
>> http://www.mailpiler.org/wiki/current:custom-authentication for more.
>>
>> So let's say you have an ldap attribute called 'aaa' with value 'bbb'
>> having the required email addresses, and the manager is
>> mana...@yourdomain.com.
>>
>> Then put a similar function into config-site.php:
>>
>> $config['CUSTOM_EMAIL_QUERY_FUNCTION'] = 'my_custom_func';
>>
>> function my_custom_func($username = '') {
>>    // $config is not visible inside a function by default; the LDAP_*
>>    // keys below are assumed to be the ones from your piler config.php
>>    global $config;
>>
>>    $session = Registry::get('session');
>>    $data = $session->get("auth_data");
>>
>>    $extra_emails = [];
>>
>>    if($data['email'] == 'mana...@yourdomain.com') {
>>       $ldap = new LDAP($config['LDAP_HOST'], $config['LDAP_PORT'],
>>                        $config['LDAP_HELPER_DN'], $config['LDAP_HELPER_PASSWORD']);
>>
>>       if($ldap->is_bind_ok()) {
>>          $query = $ldap->query($config['LDAP_BASE_DN'], "aaa=bbb");
>>          // adapt this to what LDAP::query() returns in your piler version
>>          $extra_emails = $query->rows;
>>       }
>>    }
>>
>>    $data['emails'] = array_merge($data['emails'], $extra_emails);
>>
>>    $session->set("auth_data", $data);
>> }
>>
>> Note that you may have to fine tune the ldap query and do some polishing
>> on the $query->rows part. Also be sure to check out the
>> checkLoginAgainstLDAP_real() function in model/user/auth.php to see how
>> it works.
>>
>> Janos
>>
>> On 2019-11-22 20:30, Martin Nadvornik wrote:
>>> Hello fellow piler users,
>>>
>>> I am currently trying to find a way to give managers the ability to
>>> search e-mails of employees who are no longer with the company. I know
>>> that in general you can give the owner of one address the ability to
>>> access other addresses by using an alias or distribution list. However,
>>> in our case the e-mail accounts of prior employees don't exist anymore
>>> and their e-mail addresses should not be reachable. Therefore using
>>> aliases or distribution lists is not an option.
>>>
>>> It would be possible of course to create groups directly in piler, but
>>> maintaining such groups by hand is not really efficient. So I am looking
>>> for a way to use the group feature using LDAP.
>>>
>>> The easiest method for us would be if there was a config value that just
>>> tells piler which LDAP attribute to use and allows the logged-in user
>>> access to every address listed in the attribute. But this needs some
>>> development effort as far as I can tell.
>>>
>>> Is there anyone who has done this before? Any recommendations to solve
>>> this are welcome.
>>>
>>> Thanks,
>>> Martin
>
> --
> Martin Nadvornik
> IT Staff
> Diakonie Flüchtlingsdienst gem. GmbH
> Steinergasse 3/12
> 1170 Wien, Austria
> Tel: +43 (0) 1/ 402 67 54 - 1337
> Fax: +43 (0) 1/ 402 67 54 - 16
> Mobile: 0664/88350692
> http://www.diakonie.at/fluechtlingsdienst
> Responsibility cannot be deported!
Re: groups based on LDAP attribute
Hello Janos,

although my answer is a bit late, I still want to thank you for your
explanation and example. It worked as expected for our use case. I already
knew about the custom authentication function but I never thought of
performing an ldap bind there to get the required addresses and add them to
the session data.

Thanks,
Martin

On 22.11.2019 at 21:46, s...@acts.hu wrote:
> Hello Martin,
>
> my first idea was the group feature until I saw you had ruled it out.
> Then the custom email query function comes to the rescue, see
> http://www.mailpiler.org/wiki/current:custom-authentication for more.
>
> So let's say you have an ldap attribute called 'aaa' with value 'bbb'
> having the required email addresses, and the manager is
> mana...@yourdomain.com.
>
> Then put a similar function into config-site.php:
>
> $config['CUSTOM_EMAIL_QUERY_FUNCTION'] = 'my_custom_func';
>
> function my_custom_func($username = '') {
>    // $config is not visible inside a function by default; the LDAP_*
>    // keys below are assumed to be the ones from your piler config.php
>    global $config;
>
>    $session = Registry::get('session');
>    $data = $session->get("auth_data");
>
>    $extra_emails = [];
>
>    if($data['email'] == 'mana...@yourdomain.com') {
>       $ldap = new LDAP($config['LDAP_HOST'], $config['LDAP_PORT'],
>                        $config['LDAP_HELPER_DN'], $config['LDAP_HELPER_PASSWORD']);
>
>       if($ldap->is_bind_ok()) {
>          $query = $ldap->query($config['LDAP_BASE_DN'], "aaa=bbb");
>          // adapt this to what LDAP::query() returns in your piler version
>          $extra_emails = $query->rows;
>       }
>    }
>
>    $data['emails'] = array_merge($data['emails'], $extra_emails);
>
>    $session->set("auth_data", $data);
> }
>
> Note that you may have to fine tune the ldap query and do some polishing
> on the $query->rows part. Also be sure to check out the
> checkLoginAgainstLDAP_real() function in model/user/auth.php to see how
> it works.
>
> Janos
>
> On 2019-11-22 20:30, Martin Nadvornik wrote:
>> Hello fellow piler users,
>>
>> I am currently trying to find a way to give managers the ability to
>> search e-mails of employees who are no longer with the company. I know
>> that in general you can give the owner of one address the ability to
>> access other addresses by using an alias or distribution list. However,
>> in our case the e-mail accounts of prior employees don't exist anymore
>> and their e-mail addresses should not be reachable. Therefore using
>> aliases or distribution lists is not an option.
>>
>> It would be possible of course to create groups directly in piler, but
>> maintaining such groups by hand is not really efficient. So I am looking
>> for a way to use the group feature using LDAP.
>>
>> The easiest method for us would be if there was a config value that just
>> tells piler which LDAP attribute to use and allows the logged-in user
>> access to every address listed in the attribute. But this needs some
>> development effort as far as I can tell.
>>
>> Is there anyone who has done this before? Any recommendations to solve
>> this are welcome.
>>
>> Thanks,
>> Martin
>

--
Martin Nadvornik
IT Staff
Diakonie Flüchtlingsdienst gem. GmbH
Steinergasse 3/12
1170 Wien, Austria
Tel: +43 (0) 1/ 402 67 54 - 1337
Fax: +43 (0) 1/ 402 67 54 - 16
Mobile: 0664/88350692
http://www.diakonie.at/fluechtlingsdienst
Responsibility cannot be deported!
Re: groups based on LDAP attribute
Hello Martin,

my first idea was the group feature until I saw you had ruled it out.
Then the custom email query function comes to the rescue, see
http://www.mailpiler.org/wiki/current:custom-authentication for more.

So let's say you have an ldap attribute called 'aaa' with value 'bbb'
having the required email addresses, and the manager is
mana...@yourdomain.com.

Then put a similar function into config-site.php:

$config['CUSTOM_EMAIL_QUERY_FUNCTION'] = 'my_custom_func';

function my_custom_func($username = '') {
   // $config is not visible inside a function by default; the LDAP_*
   // keys below are assumed to be the ones from your piler config.php
   global $config;

   $session = Registry::get('session');
   $data = $session->get("auth_data");

   $extra_emails = [];

   if($data['email'] == 'mana...@yourdomain.com') {
      $ldap = new LDAP($config['LDAP_HOST'], $config['LDAP_PORT'],
                       $config['LDAP_HELPER_DN'], $config['LDAP_HELPER_PASSWORD']);

      if($ldap->is_bind_ok()) {
         $query = $ldap->query($config['LDAP_BASE_DN'], "aaa=bbb");
         // adapt this to what LDAP::query() returns in your piler version
         $extra_emails = $query->rows;
      }
   }

   $data['emails'] = array_merge($data['emails'], $extra_emails);

   $session->set("auth_data", $data);
}

Note that you may have to fine tune the ldap query and do some polishing
on the $query->rows part. Also be sure to check out the
checkLoginAgainstLDAP_real() function in model/user/auth.php to see how
it works.

Janos

On 2019-11-22 20:30, Martin Nadvornik wrote:
> Hello fellow piler users,
>
> I am currently trying to find a way to give managers the ability to
> search e-mails of employees who are no longer with the company. I know
> that in general you can give the owner of one address the ability to
> access other addresses by using an alias or distribution list. However,
> in our case the e-mail accounts of prior employees don't exist anymore
> and their e-mail addresses should not be reachable. Therefore using
> aliases or distribution lists is not an option.
>
> It would be possible of course to create groups directly in piler, but
> maintaining such groups by hand is not really efficient. So I am looking
> for a way to use the group feature using LDAP.
>
> The easiest method for us would be if there was a config value that just
> tells piler which LDAP attribute to use and allows the logged-in user
> access to every address listed in the attribute. But this needs some
> development effort as far as I can tell.
>
> Is there anyone who has done this before? Any recommendations to solve
> this are welcome.
>
> Thanks,
> Martin
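The snippet in Janos's answer hardcodes one manager address and one fixed filter. The following is an added example, not code from the thread or from the piler project, that generalises it to what Martin originally asked for: a config value naming an LDAP attribute, and every logged-in user getting search access to exactly the addresses listed in that attribute on their own directory entry. It talks to the directory with PHP's ext/ldap functions instead of piler's LDAP class, so the only piler-specific parts are the CUSTOM_EMAIL_QUERY_FUNCTION hook and the Registry/session calls from the thread. Assumptions that are not on the page: the helper bind settings live in $config['LDAP_HOST'], ['LDAP_PORT'], ['LDAP_HELPER_DN'], ['LDAP_HELPER_PASSWORD'] and ['LDAP_BASE_DN']; the login name is held in the uid attribute; and the attribute name pilerExtraMail is a constructed placeholder. Append it to config-site.php.

```php
// Added example, not from the thread or the piler project. See the
// assumptions in the lead-in: the LDAP_* config keys, the 'uid' attribute and
// the attribute name below are all assumptions, not piler facts.
$config['LDAP_EXTRA_MAIL_ATTR'] = 'pilerExtraMail';   // constructed name
$config['CUSTOM_EMAIL_QUERY_FUNCTION'] = 'grant_addresses_from_ldap_attribute';

// Hook piler calls after login: read the user's own LDAP entry and add every
// address found in the configured attribute to the session's email list.
function grant_addresses_from_ldap_attribute($username = '') {
    global $config;

    $session = Registry::get('session');
    $data = $session->get('auth_data');

    $extra = lookup_attribute_values(
        $config['LDAP_HOST'], (int) $config['LDAP_PORT'],
        $config['LDAP_HELPER_DN'], $config['LDAP_HELPER_PASSWORD'],
        $config['LDAP_BASE_DN'], $username, $config['LDAP_EXTRA_MAIL_ATTR']
    );

    $data['emails'] = merge_addresses($data['emails'] ?? [], $extra);
    $session->set('auth_data', $data);
}

// Bind with the helper account, find exactly one entry for the login name and
// return the values of $attr on it. Every failure path yields an empty list,
// so a directory outage or an ambiguous name never widens what a user can see.
function lookup_attribute_values($host, $port, $helper_dn, $helper_pw,
                                 $base_dn, $username, $attr) {
    if ($username === '') {
        return [];
    }

    $ldap = ldap_connect(sprintf('ldap://%s:%d', $host, $port));
    if ($ldap === false) {
        return [];
    }
    ldap_set_option($ldap, LDAP_OPT_PROTOCOL_VERSION, 3);
    ldap_set_option($ldap, LDAP_OPT_REFERRALS, 0);

    if (!@ldap_bind($ldap, $helper_dn, $helper_pw)) {
        ldap_unbind($ldap);
        return [];
    }

    // The login name is user input: escape it so it cannot change the
    // meaning of the search filter.
    $filter = sprintf('(&(objectClass=person)(uid=%s))',
                      ldap_escape($username, '', LDAP_ESCAPE_FILTER));

    // Ask for at most two entries: one is expected, two means the login name
    // is ambiguous and nothing is granted.
    $result  = @ldap_search($ldap, $base_dn, $filter, [$attr], 0, 2);
    $entries = ($result === false) ? false : ldap_get_entries($ldap, $result);
    ldap_unbind($ldap);

    if ($entries === false || $entries['count'] !== 1) {
        return [];
    }

    // ldap_get_entries() lower-cases attribute names and adds a 'count' key.
    $values = $entries[0][strtolower($attr)] ?? [];
    unset($values['count']);
    return array_values($values);
}

// Normalise, validate and de-duplicate: only syntactically valid addresses
// reach the session, lower-cased so the same mailbox is never listed twice.
function merge_addresses(array $own, array $extra) {
    $seen = [];
    foreach (array_merge($own, $extra) as $address) {
        $address = strtolower(trim((string) $address));
        if (filter_var($address, FILTER_VALIDATE_EMAIL) !== false) {
            $seen[$address] = true;
        }
    }
    return array_keys($seen);
}
```

Because the grant is read from the user's own entry on every login, removing an address from the attribute in the directory revokes the access at the next login without touching piler; the audit trail of who may search a departed colleague's mail is then the directory's change log rather than a hand-maintained group.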