3 commits - lib/Auth lib/Auth.php

Jeroen van Meeuwen vanmeeuwen at kolabsys.com
Fri Mar 16 09:56:16 CET 2012


 lib/Auth.php      |    6 +
 lib/Auth/LDAP.php |  168 ++++++++++++++++++++++++++++++++++++++++++++++++------
 2 files changed, 156 insertions(+), 18 deletions(-)

New commits:
commit dcd077242da6032fa68f37b862e3d6faec8d7d4b
Author: Jeroen van Meeuwen (Kolab Systems) <vanmeeuwen at kolabsys.com>
Date:   Fri Mar 16 08:51:32 2012 +0000

    Update LDAP class with some extra TODOs

diff --git a/lib/Auth/LDAP.php b/lib/Auth/LDAP.php
index 26e33d7..fffa1f1 100644
--- a/lib/Auth/LDAP.php
+++ b/lib/Auth/LDAP.php
@@ -253,6 +253,7 @@ class LDAP
         $conf = Conf::get_instance();
 
         $command = Array(
+                # TODO: Very 64-bit specific
                 '/usr/lib64/mozldap/ldapsearch',
                 '-x',
                 '-h',
@@ -321,10 +322,11 @@ class LDAP
 
         $root_dn = $this->domain_root_dn($this->domain);
 
+        # TODO: Do not query for both, it's either one or the other
         $entries = $this->search($root_dn, "(|" .
-            "(&(objectclass=groupofnames)(member=$member_dn))" .
-            "(&(objectclass=groupofuniquenames)(uniquemember=$member_dn))" .
-        ")");
+                "(&(objectclass=groupofnames)(member=$member_dn))" .
+                "(&(objectclass=groupofuniquenames)(uniquemember=$member_dn))" .
+            ")");
 
         $entries = $this->normalize_result($entries);
 
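Review bot: The reindented filter on the new side still interpolates `$member_dn` straight into the search filter, so a DN containing `(`, `)`, `*` or `\` changes the filter's meaning instead of being matched literally; the commit only moves the lines. Escape the value before building the string, e.g. `$member_dn = ldap_escape($member_dn, '', LDAP_ESCAPE_FILTER);` (available from PHP 5.6; on older runtimes escape those four characters and NUL by hand per RFC 4515). The same holds for every other `"(attr=$value)"` filter in this file. find_user_groups begins before this hunk.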
@@ -343,6 +345,7 @@ class LDAP
             $group_dn = $this->_get_group_dn($root_dn, '(mail=' . $group . ')');
         }
         else {
+            # TODO: Where does user come from?
             $group_dn = $user;
         }
 
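Review bot: The else branch assigns `$group_dn = $user;` but `$user` is not assigned anywhere visible, and the if branch resolves the same lookup from `$group`, so this looks like the wrong variable rather than an open question; the new TODO records the doubt without resolving it. If the intent is "the caller already passed a DN", the line should presumably read `$group_dn = $group;`. The enclosing method starts and ends outside this hunk, so confirm there is no `$user` defined earlier in it.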
@@ -379,6 +382,7 @@ class LDAP
 
         # TODO: From config
         $base_dn = "ou=Groups,dc=klab,dc=cc";
+        # TODO: From config
         $filter  = "(|"
             ."(objectClass=kolabgroupofnames)"
             ."(objectclass=kolabgroupofuniquenames)"
@@ -522,12 +526,19 @@ class LDAP
             $type_str = $_key['key'];
         }
 
+        // Check if the user_type has a specific base DN specified.
         $base_dn = $this->conf->get($this->domain, $type_str . "_user_base_dn");
-        if (!$base_dn) {
+        // If not, take the regular user_base_dn
+        if (!$base_dn)
+            $base_dn = $this->conf->get($this->domain, "user_base_dn");
+
+        // If no user_base_dn either, take the user type specific from the parent
+        // configuration
+        if (!$base_dn)
             $base_dn = $this->conf->get('ldap', $type_str . "_user_base_dn");
-        }
 
-        // TODO: The rdn is configurable as well
+        // TODO: The rdn is configurable as well.
+        // Use [$type_str . "_"]user_rdn_attr
         $dn = "uid=" . $attrs['uid'] . "," . $base_dn;
 
         return $this->add($dn, $attrs);
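Review bot: After the three configuration lookups `$base_dn` can still be empty, and the code then builds `$dn = "uid=...,"` with no base and hands it to add(); the new fallback chain does not guard that case. Add `if (empty($base_dn)) { error_log(__FILE__ . "(" . __LINE__ . "): no user_base_dn configured"); return false; }` before the `$dn` line, matching the `return false` convention used elsewhere in this class. `$attrs['uid']` also goes into the DN unescaped; `ldap_escape($attrs['uid'], '', LDAP_ESCAPE_DN)` (PHP 5.6+) is the fix. The two brace-less `if` statements are a style regression from the previous braced form and are easy to extend incorrectly later.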
@@ -689,10 +700,6 @@ class LDAP
         return array(implode('@', $username_parts), $domain_name);
     }
 
-    /*
-        Deprecated, use domain_root_dn()
-    */
-
     public function user_type_attribute_filter($type = false)
     {
         global $conf;
@@ -709,7 +716,7 @@ class LDAP
             $attributes_filter[] = is_array($value) ? $key : $value;
         }
 
-        echo "<li>"; print_r($attributes_filter);
+//         console($attributes_filter);
 
         return $attributes_filter;
     }
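Review bot: The debug `echo` is replaced with a commented-out `console()` call instead of being removed; commented-out code tends to be uncommented again later and keeps dumping attribute data into a page. Delete the line, or keep a real call guarded by a debug setting from `Conf`.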
@@ -769,6 +776,7 @@ class LDAP
 
     private function _add($entry_dn, $attributes)
     {
+        // Always bind with the session credentials
         $this->_connect();
         $this->bind($_SESSION['user']->user_bind_dn, $_SESSION['user']->user_bind_pw);
 
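Review bot: The new comment says "Always bind with the session credentials" but `_add` still calls `$this->bind(...)`, whereas the `_delete` hunk in this same commit changes the identical call to `$this->_bind(...)`, which is the method the class uses elsewhere (see the `$this->_bind($conf->manager_bind_dn, ...)` call in the second commit); unless a separate public `bind()` exists, this call should read `$this->_bind($_SESSION['user']->user_bind_dn, $_SESSION['user']->user_bind_pw);`. Both methods also dereference `$_SESSION['user']` without checking it is set, so an unauthenticated request produces a notice and an attempt to bind with empty credentials rather than a clean refusal.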
@@ -837,7 +845,8 @@ class LDAP
     private function _delete($entry_dn)
     {
         $this->_connect();
-        $this->bind($_SESSION['user']->user_bind_dn, $_SESSION['user']->user_bind_pw);
+        // Always bind with the session credentials
+        $this->_bind($_SESSION['user']->user_bind_dn, $_SESSION['user']->user_bind_pw);
 
         if (($delete_result = ldap_delete($this->_connection, $entry_dn)) == false) {
             // Issue warning
@@ -1095,11 +1104,6 @@ class LDAP
     }
 
 
-    public function _get_email_address()
-    {
-        return "kanarip at kanarip.com";
-    }
-
     private function _list_group_members($dn, $entry = null)
     {
         $group_members = array();


commit dd333ce7f10c7f162c74ed0e0c4295d61a59fabd
Author: Jeroen van Meeuwen (Kolab Systems) <vanmeeuwen at kolabsys.com>
Date:   Fri Mar 16 08:38:19 2012 +0000

    Add effective_rights() to LDAP

diff --git a/lib/Auth/LDAP.php b/lib/Auth/LDAP.php
index 99ab0f1..26e33d7 100644
--- a/lib/Auth/LDAP.php
+++ b/lib/Auth/LDAP.php
@@ -36,6 +36,24 @@ class LDAP
     protected $user_bind_dn;
     protected $user_bind_pw;
 
+    protected $attribute_level_rights_map = Array(
+            "r" => "read",
+            "s" => "search",
+            "w" => "write",
+            "o" => "delete",
+            "c" => "compare",
+            "W" => "write",
+            "O" => "delete"
+        );
+
+    protected $entry_level_rights_map = Array(
+            "a" => "add",
+            "d" => "delete",
+            "n" => "modrdn",
+            "v" => "read"
+        );
+
+
     // This is the default and should actually be set through Conf.
     private $_ldap_uri = 'ldap://localhost:389/';
 
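Review bot: The two rights maps are fixed lookup tables yet are declared as mutable protected properties, and they use `Array(` while the rest of the file uses `array(` (e.g. the `array(implode(...))` and `array()` lines in the first commit); class constants would state the intent and match the file's case. A short comment naming what the single-letter keys are (the effective-rights letters returned by the directory server's control) would help the next reader, since the meaning is otherwise only recoverable from parse_attribute_level_rights.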
@@ -192,6 +210,7 @@ class LDAP
             $this->_bind($conf->manager_bind_dn, $conf->manager_bind_pw);
         }
 
+        # TODO: Get domain_attr from config
         if (($results = ldap_search($this->_connection, $conf->get('domain_base_dn'), '(associatedDomain=' . $domain . ')')) == false) {
             error_log("No results?");
             return false;
@@ -202,6 +221,7 @@ class LDAP
 
 //        echo "<pre>"; print_r($domain_info); echo "</pre>";
 
+        // TODO: Also very 389 specific
         if (isset($domain_info['inetDomainBaseDN'][0])) {
             $domain_rootdn = $domain_info['inetDomainBaseDN'][0];
         }
@@ -225,6 +245,74 @@ class LDAP
         return $this->search($base_dn, $filter);
     }
 
+    public function effective_rights($subject_dn)
+    {
+        $attributes = Array();
+        $output = Array();
+
+        $conf = Conf::get_instance();
+
+        $command = Array(
+                '/usr/lib64/mozldap/ldapsearch',
+                '-x',
+                '-h',
+                # TODO: Get from conf
+                'ldap.klab.cc',
+                '-b',
+                # TODO: Get from conf
+                'dc=klab,dc=cc',
+                '-D',
+                '"' . $_SESSION['user']->user_bind_dn . '"',
+                '-w',
+                '"' . $_SESSION['user']->user_bind_pw . '"',
+                '-J',
+                '"' . implode(
+                        ':',
+                        Array(
+                                '1.3.6.1.4.1.42.2.27.9.5.2',            # OID
+                                'true',                                 # Criticality
+                                'dn:' . $_SESSION['user']->user_bind_dn # User DN
+                            )
+                    ) . '"',
+                '"(entrydn=' . $subject_dn . ')"'
+
+            );
+
+        exec(implode(' ', $command), $output);
+
+        $lines = Array();
+        foreach ($output as $line_num => $line) {
+            if (substr($line, 0, 1) == " ") {
+                $lines[count($lines)-1] .= trim($line);
+            } else {
+                $lines[] = trim($line);
+            }
+        }
+
+        foreach ($lines as $line) {
+            $line_components = explode(':', $line);
+            $attribute_name = array_shift($line_components);
+            $attribute_value = trim(implode(':', $line_components));
+
+            switch ($attribute_name) {
+                case "attributeLevelRights":
+                    $attributes[$attribute_name] = $this->parse_attribute_level_rights($attribute_value);
+                    break;
+                case "dn":
+                    $attributes[$attribute_name] = $attribute_value;
+                    break;
+                case "entryLevelRights":
+                    $attributes[$attribute_name] = $this->parse_entry_level_rights($attribute_value);
+                    break;
+
+                default:
+                    break;
+            }
+        }
+
+        return $attributes;
+    }
+
     public function find_user_groups($member_dn)
     {
         error_log(__FILE__ . "(" . __LINE__ . "): " .  $member_dn);
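Review bot: effective_rights() builds a shell command from `$_SESSION['user']->user_bind_dn`, `user_bind_pw` and the caller-supplied `$subject_dn` by wrapping them in literal double quotes, which is not shell quoting: a value containing `"`, `$`, backtick or `\` breaks out of the argument, and `$subject_dn` is additionally interpolated into the LDAP filter unescaped. Every element should go through `escapeshellarg()`, the exit status of `exec()` should be checked instead of silently parsing whatever came back, and `$subject_dn` should be filter-escaped (`ldap_escape(..., LDAP_ESCAPE_FILTER)` on PHP 5.6+). Passing the bind password on the command line also exposes it to any local user via process listings, so prefer the tool's password-file option if one is available. The continuation-folding loop dereferences `$lines[count($lines)-1]` when the very first output line starts with a space, i.e. index -1.
```php
        $command = array(
                '/usr/lib64/mozldap/ldapsearch',
                '-x',
                '-h', 'ldap.klab.cc',   # TODO: Get from conf
                '-b', 'dc=klab,dc=cc',  # TODO: Get from conf
                '-D', $_SESSION['user']->user_bind_dn,
                '-w', $_SESSION['user']->user_bind_pw,
                '-J', implode(':', array(
                        '1.3.6.1.4.1.42.2.27.9.5.2',            # OID
                        'true',                                 # Criticality
                        'dn:' . $_SESSION['user']->user_bind_dn # User DN
                    )),
                '(entrydn=' . $subject_dn . ')'
            );

        // Quote every argument for the shell; literal '"' wrapping was no protection.
        exec(implode(' ', array_map('escapeshellarg', $command)), $output, $return_code);

        if ($return_code !== 0) {
            error_log(__FILE__ . "(" . __LINE__ . "): ldapsearch exited with status " . $return_code);
            return false;
        }

        $lines = array();
        foreach ($output as $line) {
            // A leading space marks a continuation of the previous attribute line.
            if (substr($line, 0, 1) == " " && count($lines) > 0) {
                $lines[count($lines)-1] .= trim($line);
            } else {
                $lines[] = trim($line);
            }
        }

        // … unchanged: attribute name/value parsing switch …
```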
@@ -288,7 +376,8 @@ class LDAP
         if (empty($attributes)) {
             $attributes = array('*');
         }
-    
+
+        # TODO: From config
         $base_dn = "ou=Groups,dc=klab,dc=cc";
         $filter  = "(|"
             ."(objectClass=kolabgroupofnames)"
@@ -373,6 +462,45 @@ class LDAP
         return $result;
     }
 
+    private function parse_attribute_level_rights($attribute_value) {
+        $attribute_value = str_replace(", ", ",", $attribute_value);
+        $attribute_values = explode(",", $attribute_value);
+
+        $attribute_value = Array();
+
+        foreach ($attribute_values as $access_right) {
+            $access_right_components = explode(":", $access_right);
+            $access_attribute = array_shift($access_right_components);
+            $access_value = array_shift($access_right_components);
+
+            $attribute_value[$access_attribute] = Array();
+
+            for ($i = 0; $i < strlen($access_value); $i++) {
+                $method = $this->attribute_level_rights_map[substr($access_value, $i, 1)];
+
+                if (!in_array($method, $attribute_value[$access_attribute])) {
+                    $attribute_value[$access_attribute][] = $method;
+                }
+            }
+        }
+
+        return $attribute_value;
+    }
+
+    private function parse_entry_level_rights($attribute_value) {
+        $_attribute_value = Array();
+
+        for ($i = 0; $i < strlen($attribute_value); $i++) {
+            $method = $this->entry_level_rights_map[substr($attribute_value, $i, 1)];
+
+            if (!in_array($method, $_attribute_value)) {
+                $_attribute_value[] = $method;
+            }
+        }
+
+        return $_attribute_value;
+    }
+
     /**
      * Result sorting callback for uasort()
      */
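Review bot: Both parsers index the rights maps with every character of the value without checking the key exists, so an unrecognised letter from the server raises an undefined-index notice and pushes `null` into the result list; `in_array()` is then called non-strictly, so a `null` entry matches the next unknown letter too. Guard each lookup, e.g. `$flag = substr($access_value, $i, 1); if (!isset($this->attribute_level_rights_map[$flag])) { continue; }` in parse_attribute_level_rights and the same with `entry_level_rights_map` in parse_entry_level_rights, and pass `true` as the third argument of `in_array()`. In parse_attribute_level_rights a component with no `:` leaves `$access_value` as `null`, which strlen() should not see either. The two methods also lack a short docblock stating the input format they expect (`attr:rights, attr:rights` and a bare string of right letters respectively).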


commit a784764865163592f4a7aeb80100e6d6714ba192
Author: Jeroen van Meeuwen (Kolab Systems) <vanmeeuwen at kolabsys.com>
Date:   Fri Mar 16 08:32:13 2012 +0000

    Add public function list_rights($subject)

diff --git a/lib/Auth.php b/lib/Auth.php
index bd137c5..9d7563e 100644
--- a/lib/Auth.php
+++ b/lib/Auth.php
@@ -189,6 +189,12 @@ class Auth {
         return $this->_auth[$this->domain]->list_domains();
     }
 
+    public function list_rights($subject)
+    {
+        $this->connect();
+        return $this->_auth[$this->domain]->effective_rights($subject);
+    }
+
     public function list_users($domain = NULL, $attributes = array(), $search = array(), $params = array())
     {
         $this->connect($domain);
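Review bot: list_rights() calls `$this->connect()` without a domain and then reads `$this->_auth[$this->domain]`, while the neighbouring list_users() takes `$domain = NULL` and passes it through; unless the intent is that rights are always evaluated in the current session's domain, the signature probably wants the same optional parameter. A one-line docblock such as `/** Return the effective rights of the session user on the entry $subject (a DN), as reported by the backend's effective_rights(). */` would also tell callers what `$subject` is expected to be. The new method is complete within the hunk.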




