2 commits - lib/Auth lib/ext

Jeroen van Meeuwen vanmeeuwen at kolabsys.com
Wed May 22 12:17:47 CEST 2013


 lib/Auth/LDAP.php     |   33 +++++++++++++++++++++++++++++----
 lib/ext/Net/LDAP3.php |   11 ++++++++---
 2 files changed, 37 insertions(+), 7 deletions(-)

New commits:
commit 77a1b9bc37ca80c22b6d65a83da5370f16982370
Author: Jeroen van Meeuwen (Kolab Systems) <vanmeeuwen at kolabsys.com>
Date:   Wed May 22 12:17:06 2013 +0200

    Do not call legacy_rights()
    Do not call domain_root_dn()
    Ensure groups is a valid result set, and return the entries rather than the object

diff --git a/lib/ext/Net/LDAP3.php b/lib/ext/Net/LDAP3.php
index a5351fe..9355869 100644
--- a/lib/ext/Net/LDAP3.php
+++ b/lib/ext/Net/LDAP3.php
@@ -554,7 +554,7 @@ class Net_LDAP3
 
         if (!in_array($effective_rights_control_oid, $supported_controls)) {
             $this->_debug("LDAP: No getEffectiveRights control in supportedControls");
-            return $this->legacy_rights($subject);
+            return false;
         }
 
         $attributes = array(
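Review bot: `return false;` on the replaced line changes the method's return contract from an array of rights to `array|false`, and nothing in the hunk documents it; the docblock of `effective_rights` (outside the hunk) should gain `@return array|false` with a sentence saying `false` means the server does not advertise the getEffectiveRights control, so callers know to fall back rather than iterate. Any caller other than `LDAP::effective_rights` that still does `foreach` or `array_merge` on the result would now emit a warning; I cannot see those callers from this hunk. The enclosing method starts and ends outside the hunk.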
@@ -679,6 +679,9 @@ class Net_LDAP3
         }
 
         $unique_attr = $this->config_get('unique_attribute', 'nsuniqueid');
+
+        Log::trace("Using unique_attribute " . var_export($unique_attr, TRUE) . " at " . __FILE__ . ":" . __LINE__);
+
         $attributes  = array_merge(array($unique_attr => $subject), (array)$attributes);
         $subject     = $this->entry_find_by_attribute($attributes, $base_dn);
 
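Review bot: The added `Log::trace(...)` line builds its own `__FILE__ . ":" . __LINE__` prefix while this class already routes its LDAP diagnostics through `$this->_debug()` with exactly that idiom (the `_debug` call at the top of the next hunk); keeping one channel keeps the LDAP traces filterable together, e.g. `$this->_debug(__FILE__ . "(" . __LINE__ . "): using unique_attribute " . var_export($unique_attr, true));`. The same applies to the identical trace line added in the `@@ -726,6 +744,8 @@` hunk of lib/Auth/LDAP.php. Also `TRUE` should be lowercase `true` in both places to match the rest of the file. The enclosing method starts and ends outside the hunk.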
@@ -730,7 +733,7 @@ class Net_LDAP3
         $this->_debug(__FILE__ . "(" . __LINE__ . "): " .  $member_dn);
 
         $groups  = array();
-        $root_dn = $this->domain_root_dn($this->domain);
+        $root_dn = $this->config_get('root_dn');
 
         // TODO: Do not query for both, it's either one or the other
         $entries = $this->search($root_dn, "(|" .
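Review bot: `$this->config_get('root_dn')` on the replaced line is called without a default and its result is used as the search base without a check, so if the subclass never sets `root_dn` the search below runs with an empty or null base; the `config_get('unique_attribute', 'nsuniqueid')` call earlier in this file shows the two-argument form. Either pass a default or guard before searching: `if (empty($root_dn)) { $this->_debug("LDAP: no root_dn configured for group lookup"); return $groups; }` — `$groups` is already initialised to an empty array on the line above. The `$entries = $this->search(` statement and the enclosing method continue into the next hunk.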
@@ -738,7 +741,9 @@ class Net_LDAP3
             "(&(objectclass=groupofuniquenames)(uniquemember=$member_dn))" .
             ")");
 
-        $groups  = array_keys($entries);
+        if ($entries) {
+            $groups  = array_keys($entries->entries(TRUE));
+        }
 
         return $groups;
     }
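Review bot: The new `if ($entries)` guard handles a failed search, but the filter it guards interpolates `$member_dn` straight into `(uniquemember=$member_dn)` on the context lines above without LDAP filter escaping, so a DN containing `(`, `)`, `*` or `\` — all legal in DNs — breaks or widens the filter. Because the value is a DN rather than free text the practical exposure depends on where callers obtain it, but escaping it before building the filter, e.g. `$member_dn = ldap_escape($member_dn, '', LDAP_ESCAPE_FILTER);` (PHP 5.6+) or the equivalent helper if this library has one, removes the question. Separately, `if ($entries)` treats a result object with zero entries the same as a failed search; that is acceptable for returning an empty array, but worth a one-line comment so the distinction is not lost later. The method's opening is outside the hunk.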


commit 0aff16beac733085ecb191781f8311d08807030f
Author: Jeroen van Meeuwen (Kolab Systems) <vanmeeuwen at kolabsys.com>
Date:   Wed May 22 12:15:31 2013 +0200

    Make sure the correct (configured) unique_attribute is being used.
    Ensure effective_rights returns a valid array of rights (Net::LDAP3 may not call back to LDAP::legacy_rights())

diff --git a/lib/Auth/LDAP.php b/lib/Auth/LDAP.php
index b9470c3..ec446e3 100644
--- a/lib/Auth/LDAP.php
+++ b/lib/Auth/LDAP.php
@@ -69,6 +69,18 @@ class LDAP extends Net_LDAP3 {
         // Continue and default to the primary domain.
         $this->domain       = $domain ? $domain : $this->conf->get('primary_domain');
 
+        $unique_attr = $this->conf->get($domain, 'unique_attribute');
+
+        if (empty($unique_attr)) {
+            $unique_attr = $this->conf->get('ldap', 'unique_attribute');
+        }
+
+        if (empty($unique_attr)) {
+            $unique_attr = 'nsuniqueid';
+        }
+
+        $this->config_set('unique_attribute', $unique_attr);
+
         $this->_ldap_uri    = $this->conf->get('ldap_uri');
         $this->_ldap_server = parse_url($this->_ldap_uri, PHP_URL_HOST);
         $this->_ldap_port   = parse_url($this->_ldap_uri, PHP_URL_PORT);
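Review bot: The added lookup `$this->conf->get($domain, 'unique_attribute')` reads the raw `$domain` argument, while the line just above has already resolved an empty `$domain` to `primary_domain` in `$this->domain`; when no domain is passed the per-domain section is therefore skipped and only the `ldap` section default applies. Using the resolved value keeps the two in step: `$unique_attr = $this->conf->get($this->domain, 'unique_attribute');`. The same fallback to `'nsuniqueid'` appears to be repeated in the `@@ -726,6 +744,8 @@` hunk of this file, so a small private helper returning the resolved attribute name would keep the two from drifting apart. The enclosing method starts and ends outside the hunk.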
@@ -223,17 +235,23 @@ class LDAP extends Net_LDAP3 {
 
         switch ($subject) {
             case "domain":
-                return parent::effective_rights($this->conf->get("ldap", "domain_base_dn"));
+                $result = parent::effective_rights($this->conf->get("ldap", "domain_base_dn"));
 
             case "group":
             case "resource":
             case "role":
             case "sharedfolder":
             case "user":
-                return parent::effective_rights($this->_subject_base_dn($subject));
+                $result = parent::effective_rights($this->_subject_base_dn($subject));
 
             default:
-                return parent::effective_rights($subject);
+                $result = parent::effective_rights($subject);
+        }
+
+        if (!$result) {
+            return $this->legacy_rights($subject);
+        } else {
+            return $result;
         }
     }
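Review bot: Replacing the `return` statements with `$result = ...` assignments introduces fall-through: PHP's `switch` continues into the next case without a `break`, so `case "domain"` now falls into the group/user cases and then into `default`, and every subject ends up with `$result = parent::effective_rights($subject)` — the domain and per-type base DNs are never used. Add `break;` after each of the three assignments, e.g. `$result = parent::effective_rights($this->conf->get("ldap", "domain_base_dn")); break;` and likewise for the other two. Note also that `if (!$result)` sends an empty rights array to `legacy_rights()` as well as the `false` the parent now returns for a missing control; if an empty array is a legitimate "no rights" answer, test `$result === false` instead, and the `else` after `return` can become a plain `return $result;`. The enclosing method starts outside the hunk.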
 
@@ -726,6 +744,8 @@ class LDAP extends Net_LDAP3 {
             $unique_attr = 'nsuniqueid';
         }
 
+        Log::trace("Using unique_attribute " . var_export($unique_attr, TRUE) . " at " . __FILE__ . ":" . __LINE__);
+
         if (!in_array($unique_attr, $attributes)) {
             $attributes[] = $unique_attr;
         }
@@ -906,8 +926,13 @@ class LDAP extends Net_LDAP3 {
         );
 
         $subject    = $this->_search($subject_dn);
+
+        if (!$subject) {
+            return $rights;
+        }
+
         $subject    = $subject->entries(true);
-        $attributes = $this->allowed_attributes($subject[$subject_dn]['objectclass']);
+        $attributes = $this->attributes_allowed($subject[$subject_dn]['objectclass']);
         $attributes = array_merge($attributes['may'], $attributes['must']);
 
         foreach ($attributes as $attribute) {
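Review bot: The new `if (!$subject)` guard covers a failed search, but the following lines still index `$subject[$subject_dn]['objectclass']` after `entries(true)` without checking that the key exists, so a search that succeeds but returns the entry under a differently normalised DN, or an entry without objectclass, raises an undefined-index notice and passes null to `attributes_allowed()`. Extend the guard to the decoded entry, after the `entries(true)` line: `if (empty($subject[$subject_dn]['objectclass'])) { return $rights; }`. The enclosing method starts before the hunk and its `foreach` continues past it.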




