3 commits - lib/Auth lib/Auth.php
Jeroen van Meeuwen
vanmeeuwen at kolabsys.com
Fri Mar 16 09:56:16 CET 2012
lib/Auth.php | 6 +
lib/Auth/LDAP.php | 168 ++++++++++++++++++++++++++++++++++++++++++++++++------
2 files changed, 156 insertions(+), 18 deletions(-)
New commits:
commit dcd077242da6032fa68f37b862e3d6faec8d7d4b
Author: Jeroen van Meeuwen (Kolab Systems) <vanmeeuwen at kolabsys.com>
Date: Fri Mar 16 08:51:32 2012 +0000
Update LDAP class with some extra TODOs
diff --git a/lib/Auth/LDAP.php b/lib/Auth/LDAP.php
index 26e33d7..fffa1f1 100644
--- a/lib/Auth/LDAP.php
+++ b/lib/Auth/LDAP.php
@@ -253,6 +253,7 @@ class LDAP
$conf = Conf::get_instance();
$command = Array(
+ # TODO: Very 64-bit specific
'/usr/lib64/mozldap/ldapsearch',
'-x',
'-h',
@@ -321,10 +322,11 @@ class LDAP
$root_dn = $this->domain_root_dn($this->domain);
+ # TODO: Do not query for both, it's either one or the other
$entries = $this->search($root_dn, "(|" .
- "(&(objectclass=groupofnames)(member=$member_dn))" .
- "(&(objectclass=groupofuniquenames)(uniquemember=$member_dn))" .
- ")");
+ "(&(objectclass=groupofnames)(member=$member_dn))" .
+ "(&(objectclass=groupofuniquenames)(uniquemember=$member_dn))" .
+ ")");
$entries = $this->normalize_result($entries);
@@ -343,6 +345,7 @@ class LDAP
$group_dn = $this->_get_group_dn($root_dn, '(mail=' . $group . ')');
}
else {
+ # TODO: Where does user come from?
$group_dn = $user;
}
@@ -379,6 +382,7 @@ class LDAP
# TODO: From config
$base_dn = "ou=Groups,dc=klab,dc=cc";
+ # TODO: From config
$filter = "(|"
."(objectClass=kolabgroupofnames)"
."(objectclass=kolabgroupofuniquenames)"
@@ -522,12 +526,19 @@ class LDAP
$type_str = $_key['key'];
}
+ // Check if the user_type has a specific base DN specified.
$base_dn = $this->conf->get($this->domain, $type_str . "_user_base_dn");
- if (!$base_dn) {
+ // If not, take the regular user_base_dn
+ if (!$base_dn)
+ $base_dn = $this->conf->get($this->domain, "user_base_dn");
+
+ // If no user_base_dn either, take the user type specific from the parent
+ // configuration
+ if (!$base_dn)
$base_dn = $this->conf->get('ldap', $type_str . "_user_base_dn");
- }
- // TODO: The rdn is configurable as well
+ // TODO: The rdn is configurable as well.
+ // Use [$type_str . "_"]user_rdn_attr
$dn = "uid=" . $attrs['uid'] . "," . $base_dn;
return $this->add($dn, $attrs);
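Review bot: After the three lookups `$base_dn` can still be empty — none of the fallbacks consults the parent `user_base_dn`, and nothing checks the result — so `$dn` becomes `uid=<uid>,` and add() is attempted against a malformed DN; put `if (!$base_dn) { return false; }` (or whatever failure convention add() uses) before the `$dn` line. The uid is also concatenated raw into the DN; if a `,`, `+`, `=` or `"` can ever appear in `$attrs['uid']`, it should be DN-escaped first (`ldap_escape($attrs['uid'], '', LDAP_ESCAPE_DN)` where PHP 5.6+ is available). The enclosing method starts outside the hunk.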
@@ -689,10 +700,6 @@ class LDAP
return array(implode('@', $username_parts), $domain_name);
}
- /*
- Deprecated, use domain_root_dn()
- */
-
public function user_type_attribute_filter($type = false)
{
global $conf;
@@ -709,7 +716,7 @@ class LDAP
$attributes_filter[] = is_array($value) ? $key : $value;
}
- echo "<li>"; print_r($attributes_filter);
+// console($attributes_filter);
return $attributes_filter;
}
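Review bot: Swapping the debug `echo "<li>"; print_r(...)` for a commented-out `// console($attributes_filter);` leaves dead code in user_type_attribute_filter(); either delete the line or make it a real debug call behind a flag. The function's body starts outside the hunk.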
@@ -769,6 +776,7 @@ class LDAP
private function _add($entry_dn, $attributes)
{
+ // Always bind with the session credentials
$this->_connect();
$this->bind($_SESSION['user']->user_bind_dn, $_SESSION['user']->user_bind_pw);
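Review bot: `_add()` binds with `$this->bind(...)` while `_delete()` in the same commit is switched to `$this->_bind(...)`, which is also what the manager bind elsewhere in this file uses; unless `bind()` is a deliberate public wrapper, change the line to `$this->_bind($_SESSION['user']->user_bind_dn, $_SESSION['user']->user_bind_pw);` so both write paths go through the same code. Neither method checks that `$_SESSION['user']` is set before dereferencing it; a guard returning false would avoid attempting a bind with null credentials. The body of `_add()` continues outside the hunk.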
@@ -837,7 +845,8 @@ class LDAP
private function _delete($entry_dn)
{
$this->_connect();
- $this->bind($_SESSION['user']->user_bind_dn, $_SESSION['user']->user_bind_pw);
+ // Always bind with the session credentials
+ $this->_bind($_SESSION['user']->user_bind_dn, $_SESSION['user']->user_bind_pw);
if (($delete_result = ldap_delete($this->_connection, $entry_dn)) == false) {
// Issue warning
@@ -1095,11 +1104,6 @@ class LDAP
}
- public function _get_email_address()
- {
- return "kanarip at kanarip.com";
- }
-
private function _list_group_members($dn, $entry = null)
{
$group_members = array();
commit dd333ce7f10c7f162c74ed0e0c4295d61a59fabd
Author: Jeroen van Meeuwen (Kolab Systems) <vanmeeuwen at kolabsys.com>
Date: Fri Mar 16 08:38:19 2012 +0000
Add effective_rights() to LDAP
diff --git a/lib/Auth/LDAP.php b/lib/Auth/LDAP.php
index 99ab0f1..26e33d7 100644
--- a/lib/Auth/LDAP.php
+++ b/lib/Auth/LDAP.php
@@ -36,6 +36,24 @@ class LDAP
protected $user_bind_dn;
protected $user_bind_pw;
+ protected $attribute_level_rights_map = Array(
+ "r" => "read",
+ "s" => "search",
+ "w" => "write",
+ "o" => "delete",
+ "c" => "compare",
+ "W" => "write",
+ "O" => "delete"
+ );
+
+ protected $entry_level_rights_map = Array(
+ "a" => "add",
+ "d" => "delete",
+ "n" => "modrdn",
+ "v" => "read"
+ );
+
+
// This is the default and should actually be set through Conf.
private $_ldap_uri = 'ldap://localhost:389/';
@@ -192,6 +210,7 @@ class LDAP
$this->_bind($conf->manager_bind_dn, $conf->manager_bind_pw);
}
+ # TODO: Get domain_attr from config
if (($results = ldap_search($this->_connection, $conf->get('domain_base_dn'), '(associatedDomain=' . $domain . ')')) == false) {
error_log("No results?");
return false;
@@ -202,6 +221,7 @@ class LDAP
// echo "<pre>"; print_r($domain_info); echo "</pre>";
+ // TODO: Also very 389 specific
if (isset($domain_info['inetDomainBaseDN'][0])) {
$domain_rootdn = $domain_info['inetDomainBaseDN'][0];
}
@@ -225,6 +245,74 @@ class LDAP
return $this->search($base_dn, $filter);
}
+ public function effective_rights($subject_dn)
+ {
+ $attributes = Array();
+ $output = Array();
+
+ $conf = Conf::get_instance();
+
+ $command = Array(
+ '/usr/lib64/mozldap/ldapsearch',
+ '-x',
+ '-h',
+ # TODO: Get from conf
+ 'ldap.klab.cc',
+ '-b',
+ # TODO: Get from conf
+ 'dc=klab,dc=cc',
+ '-D',
+ '"' . $_SESSION['user']->user_bind_dn . '"',
+ '-w',
+ '"' . $_SESSION['user']->user_bind_pw . '"',
+ '-J',
+ '"' . implode(
+ ':',
+ Array(
+ '1.3.6.1.4.1.42.2.27.9.5.2', # OID
+ 'true', # Criticality
+ 'dn:' . $_SESSION['user']->user_bind_dn # User DN
+ )
+ ) . '"',
+ '"(entrydn=' . $subject_dn . ')"'
+
+ );
+
+ exec(implode(' ', $command), $output);
+
+ $lines = Array();
+ foreach ($output as $line_num => $line) {
+ if (substr($line, 0, 1) == " ") {
+ $lines[count($lines)-1] .= trim($line);
+ } else {
+ $lines[] = trim($line);
+ }
+ }
+
+ foreach ($lines as $line) {
+ $line_components = explode(':', $line);
+ $attribute_name = array_shift($line_components);
+ $attribute_value = trim(implode(':', $line_components));
+
+ switch ($attribute_name) {
+ case "attributeLevelRights":
+ $attributes[$attribute_name] = $this->parse_attribute_level_rights($attribute_value);
+ break;
+ case "dn":
+ $attributes[$attribute_name] = $attribute_value;
+ break;
+ case "entryLevelRights":
+ $attributes[$attribute_name] = $this->parse_entry_level_rights($attribute_value);
+ break;
+
+ default:
+ break;
+ }
+ }
+
+ return $attributes;
+ }
+
public function find_user_groups($member_dn)
{
error_log(__FILE__ . "(" . __LINE__ . "): " . $member_dn);
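Review bot: The command built at the top of effective_rights() is run through a shell by exec() with `$subject_dn`, the session bind DN and the bind password wrapped only in literal double quotes, so any of them containing `"`, `$`, a backtick or `;` breaks out of the argument into the shell — and `$subject_dn` arrives from Auth::list_rights() unvalidated. Wrap every variable argument in escapeshellarg() (which also replaces the hand-written quotes) and check exec()'s exit status, since a failed ldapsearch currently just yields an empty rights array indistinguishable from "no rights". Independently of shell quoting, `$subject_dn` is also interpolated into an LDAP filter and should be filter-escaped, and passing the password via `-w` exposes it in the process list to any local user; neither is addressed below. The host and base-DN TODOs are left as they are.

```php
$user = $_SESSION['user'];
$control = implode(':', Array(
    '1.3.6.1.4.1.42.2.27.9.5.2',  # OID
    'true',                       # Criticality
    'dn:' . $user->user_bind_dn   # User DN
));

$command = Array(
    '/usr/lib64/mozldap/ldapsearch',
    '-x',
    # TODO: Get from conf
    '-h', escapeshellarg('ldap.klab.cc'),
    # TODO: Get from conf
    '-b', escapeshellarg('dc=klab,dc=cc'),
    '-D', escapeshellarg($user->user_bind_dn),
    # NOTE: password on argv is visible in the process list
    '-w', escapeshellarg($user->user_bind_pw),
    '-J', escapeshellarg($control),
    escapeshellarg('(entrydn=' . $subject_dn . ')')
);

exec(implode(' ', $command), $output, $status);
if ($status !== 0) {
    error_log(__FILE__ . "(" . __LINE__ . "): ldapsearch exited with status " . $status);
    return Array();
}
// … unchanged: LDIF continuation-line folding and attribute parsing …
```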
@@ -288,7 +376,8 @@ class LDAP
if (empty($attributes)) {
$attributes = array('*');
}
-
+
+ # TODO: From config
$base_dn = "ou=Groups,dc=klab,dc=cc";
$filter = "(|"
."(objectClass=kolabgroupofnames)"
@@ -373,6 +462,45 @@ class LDAP
return $result;
}
+ private function parse_attribute_level_rights($attribute_value) {
+ $attribute_value = str_replace(", ", ",", $attribute_value);
+ $attribute_values = explode(",", $attribute_value);
+
+ $attribute_value = Array();
+
+ foreach ($attribute_values as $access_right) {
+ $access_right_components = explode(":", $access_right);
+ $access_attribute = array_shift($access_right_components);
+ $access_value = array_shift($access_right_components);
+
+ $attribute_value[$access_attribute] = Array();
+
+ for ($i = 0; $i < strlen($access_value); $i++) {
+ $method = $this->attribute_level_rights_map[substr($access_value, $i, 1)];
+
+ if (!in_array($method, $attribute_value[$access_attribute])) {
+ $attribute_value[$access_attribute][] = $method;
+ }
+ }
+ }
+
+ return $attribute_value;
+ }
+
+ private function parse_entry_level_rights($attribute_value) {
+ $_attribute_value = Array();
+
+ for ($i = 0; $i < strlen($attribute_value); $i++) {
+ $method = $this->entry_level_rights_map[substr($attribute_value, $i, 1)];
+
+ if (!in_array($method, $_attribute_value)) {
+ $_attribute_value[] = $method;
+ }
+ }
+
+ return $_attribute_value;
+ }
+
/**
* Result sorting callback for uasort()
*/
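Review bot: parse_attribute_level_rights() and parse_entry_level_rights() index the rights maps with every character of the server-supplied string without checking it is a known key, so an unknown flag raises an undefined-index notice and pushes a null into the result, after which `in_array(null, ...)` under loose comparison hides later entries. Guard the lookup, e.g. `$flag = substr($access_value, $i, 1); if (!isset($this->attribute_level_rights_map[$flag])) { continue; }` (same for the entry-level map), and pass `true` as in_array()'s third argument. In parse_attribute_level_rights() a component with no `:` leaves `$access_value` null, which strlen() treats as length 0; a short comment stating that the expected input is the comma-separated `attr:flags` list from the effective-rights control would help the next reader.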
commit a784764865163592f4a7aeb80100e6d6714ba192
Author: Jeroen van Meeuwen (Kolab Systems) <vanmeeuwen at kolabsys.com>
Date: Fri Mar 16 08:32:13 2012 +0000
Add public function list_rights($subject)
diff --git a/lib/Auth.php b/lib/Auth.php
index bd137c5..9d7563e 100644
--- a/lib/Auth.php
+++ b/lib/Auth.php
@@ -189,6 +189,12 @@ class Auth {
return $this->_auth[$this->domain]->list_domains();
}
+ public function list_rights($subject)
+ {
+ $this->connect();
+ return $this->_auth[$this->domain]->effective_rights($subject);
+ }
+
public function list_users($domain = NULL, $attributes = array(), $search = array(), $params = array())
{
$this->connect($domain);
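Review bot: list_rights() is the public entry point and forwards `$subject` straight to effective_rights(), which — per the LDAP.php commit on this page — interpolates it into both an LDAP filter and a shell command line; validating it here as a plausible DN gives one boundary check regardless of backend. Unlike list_users() just below, it calls `connect()` without a domain and so always operates on `$this->domain`; a one-line docblock such as `/** Effective LDAP rights of the session user on $subject (a DN) in the current domain. */` would make that contract explicit.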