lib/Auth

Aleksander Machniak machniak at kolabsys.com
Mon Nov 18 13:47:19 CET 2013


 lib/Auth/LDAP.php |   66 ++++++++++++++++++++++++++++++------------------------
 1 file changed, 37 insertions(+), 29 deletions(-)

New commits:
commit 9cfd311602aa7ae92ba16c71c2f9949154de377e
Author: Aleksander Machniak <alec at alec.pl>
Date:   Mon Nov 18 13:46:46 2013 +0100

    Fix bug where adding new domains omits the kolab* ldap attributes for self-write (Bug #2514)

diff --git a/lib/Auth/LDAP.php b/lib/Auth/LDAP.php
index 4872521..bf02ba1 100644
--- a/lib/Auth/LDAP.php
+++ b/lib/Auth/LDAP.php
@@ -340,36 +340,44 @@ class LDAP extends Net_LDAP3 {
         }
 
         $dn = $inetdomainbasedn;
+
+        // @TODO: this list should be configurable or auto-created somehow
+        $self_attrs = array(
+            'carLicense', 'description', 'displayName', 'facsimileTelephoneNumber', 'homePhone',
+            'homePostalAddress', 'initials', 'jpegPhoto', 'labeledURI', 'mobile', 'o', 'pager', 'photo',
+            'postOfficeBox', 'postalAddress', 'postalCode', 'preferredDeliveryMethod', 'preferredLanguage',
+            'registeredAddress', 'roomNumber', 'secretary', 'seeAlso', 'st', 'street', 'telephoneNumber',
+            'telexNumber', 'title', 'userCertificate', 'userPassword', 'userSMIMECertificate',
+            'x500UniqueIdentifier',
+        );
+        if (in_array('kolabInetOrgPerson', $this->classes_allowed())) {
+             $self_attrs = array_merge($self_attrs, array('kolabDelegate', 'kolabInvitationPolicy', 'kolabAllowSMTPSender'));
+        }
+
         $attrs = array(
-                // @TODO: Probably just use ldap_explode_dn()
-                'dc' => substr($dn, (strpos($dn, '=')+1), ((strpos($dn, ',')-strpos($dn, '='))-1)),
-                'objectclass' => array(
-                        'top',
-                        'domain',
-                    ),
-                'aci' => array(
-                        // Self-modification
-                        "(targetattr=\"carLicense || description || displayName || facsimileTelephoneNumber || homePhone || homePostalAddress || initials || jpegPhoto || labeledURI || mobile || pager || photo || postOfficeBox || postalAddress || postalCode || preferredDeliveryMethod || preferredLanguage || registeredAddress || roomNumber || secretary || seeAlso || st || street || telephoneNumber || telexNumber || title || userCertificate || userPassword || userSMIMECertificate || x500UniqueIdentifier\")(version 3.0; acl \"Enable self write for common attributes\"; allow (write) userdn=\"ldap:///self\";)",
-
-                        // Directory Administrators
-                        "(targetattr =\"*\")(version 3.0;acl \"Directory Administrators Group\";allow (all) (groupdn=\"ldap:///cn=Directory Administrators," . $inetdomainbasedn . "\" or roledn=\"ldap:///cn=kolab-admin," . $inetdomainbasedn . "\");)",
-
-                        // Configuration Administrators
-                        "(targetattr=\"*\")(version 3.0; acl \"Configuration Administrators Group\"; allow (all) groupdn=\"ldap:///cn=Configuration Administrators,ou=Groups,ou=TopologyManagement,o=NetscapeRoot\";)",
-
-                        // Administrator users
-                        "(targetattr=\"*\")(version 3.0; acl \"Configuration Administrator\"; allow (all) userdn=\"ldap:///uid=admin,ou=Administrators,ou=TopologyManagement,o=NetscapeRoot\";)",
-
-                        // SIE Group
-                        $_aci,
-
-                        // Search Access,
-                        "(targetattr != \"userPassword\") (version 3.0;acl \"Search Access\";allow (read,compare,search)(userdn = \"ldap:///" . $inetdomainbasedn . "??sub?(objectclass=*)\");)",
-
-                        // Service Search Access
-                        "(targetattr = \"*\") (version 3.0;acl \"Service Search Access\";allow (read,compare,search)(userdn = \"ldap:///" . $service_bind_dn . "\");)",
-                    ),
-            );
+            // @TODO: Probably just use ldap_explode_dn()
+            'dc' => substr($dn, (strpos($dn, '=')+1), ((strpos($dn, ',')-strpos($dn, '='))-1)),
+            'objectclass' => array(
+                'top',
+                'domain',
+            ),
+            'aci' => array(
+                // Self-modification
+                "(targetattr = \"" . implode(" || ", $self_attrs) . "\")(version 3.0; acl \"Enable self write for common attributes\"; allow (write) userdn=\"ldap:///self\";)",
+                // Directory Administrators
+                "(targetattr = \"*\")(version 3.0; acl \"Directory Administrators Group\"; allow (all) (groupdn=\"ldap:///cn=Directory Administrators," . $inetdomainbasedn . "\" or roledn=\"ldap:///cn=kolab-admin," . $inetdomainbasedn . "\");)",
+                // Configuration Administrators
+                "(targetattr = \"*\")(version 3.0; acl \"Configuration Administrators Group\"; allow (all) groupdn=\"ldap:///cn=Configuration Administrators,ou=Groups,ou=TopologyManagement,o=NetscapeRoot\";)",
+                // Administrator users
+                "(targetattr = \"*\")(version 3.0; acl \"Configuration Administrator\"; allow (all) userdn=\"ldap:///uid=admin,ou=Administrators,ou=TopologyManagement,o=NetscapeRoot\";)",
+                // SIE Group
+                $_aci,
+                // Search Access,
+                "(targetattr != \"userPassword\") (version 3.0; acl \"Search Access\"; allow (read,compare,search) (userdn = \"ldap:///" . $inetdomainbasedn . "??sub?(objectclass=*)\");)",
+                // Service Search Access
+                "(targetattr = \"*\") (version 3.0; acl \"Service Search Access\"; allow (read,compare,search) (userdn = \"ldap:///" . $service_bind_dn . "\");)",
+            ),
+        );
 
         if (!empty($replica_hosts)) {
             foreach ($replica_hosts as $replica_host) {
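Review bot: The new `$self_attrs` list contains `'o'`, which the ACI string it replaces never granted self-write on, so this hunk widens self-modification beyond the kolab* attributes the commit message describes; either drop `'o'` from the array or state the extra grant in the message. Since the list is later joined straight into the ACI, an accidental entry becomes a permission, so a short comment above the array, `// every name here becomes a self-writable attribute in the domain ACI`, would make that explicit. The membership test should also be strict: `if (in_array('kolabInetOrgPerson', $this->classes_allowed(), true)) {`. The enclosing method begins before this hunk and continues after it.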



