2 commits - lib/Auth lib/ext
Jeroen van Meeuwen
vanmeeuwen at kolabsys.com
Wed May 22 12:17:47 CEST 2013
lib/Auth/LDAP.php | 33 +++++++++++++++++++++++++++++----
lib/ext/Net/LDAP3.php | 11 ++++++++---
2 files changed, 37 insertions(+), 7 deletions(-)
New commits:
commit 77a1b9bc37ca80c22b6d65a83da5370f16982370
Author: Jeroen van Meeuwen (Kolab Systems) <vanmeeuwen at kolabsys.com>
Date: Wed May 22 12:17:06 2013 +0200
Do not call legacy_rights()
Do not call domain_root_dn()
Ensure groups is a valid result set, and return the entries rather than the object
diff --git a/lib/ext/Net/LDAP3.php b/lib/ext/Net/LDAP3.php
index a5351fe..9355869 100644
--- a/lib/ext/Net/LDAP3.php
+++ b/lib/ext/Net/LDAP3.php
@@ -554,7 +554,7 @@ class Net_LDAP3
if (!in_array($effective_rights_control_oid, $supported_controls)) {
$this->_debug("LDAP: No getEffectiveRights control in supportedControls");
- return $this->legacy_rights($subject);
+ return false;
}
$attributes = array(
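Review bot: The new `return false` gives effective_rights() a mixed return type (rights array or false), and nothing in the hunk records that contract, so a caller that tests the result with `!` cannot tell "control unsupported" apart from "server reports no rights". Since the fallback in lib/Auth/LDAP.php is now the legacy heuristic, that distinction is security-relevant: an empty rights array from the server must not be upgraded to legacy rights. I would add a line above the check, `// Returns false (never an empty array) when the server lacks the getEffectiveRights control; callers must test with === false.`, and a matching `@return array|false` in the method docblock. The enclosing method starts before this hunk.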
@@ -679,6 +679,9 @@ class Net_LDAP3
}
$unique_attr = $this->config_get('unique_attribute', 'nsuniqueid');
+
+ Log::trace("Using unique_attribute " . var_export($unique_attr, TRUE) . " at " . __FILE__ . ":" . __LINE__);
+
$attributes = array_merge(array($unique_attr => $subject), (array)$attributes);
$subject = $this->entry_find_by_attribute($attributes, $base_dn);
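Review bot: The added trace line calls the application's `Log::trace` while the surrounding Net_LDAP3 code reports through `$this->_debug()` (lines 21 and 35 of this diff), which ties the lib/ext library to a class it does not otherwise reference and will fatal if that class is not loaded. For consistency I would write it as `$this->_debug(__FILE__ . "(" . __LINE__ . "): Using unique_attribute " . var_export($unique_attr, TRUE));`. The enclosing method begins outside the hunk.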
@@ -730,7 +733,7 @@ class Net_LDAP3
$this->_debug(__FILE__ . "(" . __LINE__ . "): " . $member_dn);
$groups = array();
- $root_dn = $this->domain_root_dn($this->domain);
+ $root_dn = $this->config_get('root_dn');
// TODO: Do not query for both, it's either one or the other
$entries = $this->search($root_dn, "(|" .
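Review bot: `$this->config_get('root_dn')` on the new line has no fallback, so if `root_dn` was never set the search base passed on the next line is null or an empty string; whether that searches from the server's root or fails depends on search(), which is not visible here. The unique_attribute lookup in the same commit defaults to `'nsuniqueid'`, so this lookup deserves the same care: `$root_dn = $this->config_get('root_dn'); if (empty($root_dn)) { $this->_debug("LDAP: root_dn not configured"); return $groups; }`. The search statement continues past the end of this hunk.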
@@ -738,7 +741,9 @@ class Net_LDAP3
"(&(objectclass=groupofuniquenames)(uniquemember=$member_dn))" .
")");
- $groups = array_keys($entries);
+ if ($entries) {
+ $groups = array_keys($entries->entries(TRUE));
+ }
return $groups;
}
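Review bot: The new `if ($entries)` guard makes a failed search indistinguishable from a member of no groups: bind errors, a missing base DN or a malformed filter all come back to the caller as `array()`, with nothing logged. If callers derive permissions from this list, a transient LDAP failure silently changes the outcome, so at minimum add an `else { $this->_debug(__FILE__ . "(" . __LINE__ . "): group search failed for " . $member_dn); }` branch. Relatedly, `$member_dn` is interpolated into the filter unescaped (context line with `uniquemember=$member_dn`); a DN containing `(`, `)` or `*` would produce exactly the malformed-filter case the guard now hides, so filter-escaping the value before building the string would be prudent.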
commit 0aff16beac733085ecb191781f8311d08807030f
Author: Jeroen van Meeuwen (Kolab Systems) <vanmeeuwen at kolabsys.com>
Date: Wed May 22 12:15:31 2013 +0200
Make sure the correct (configured) unique_attribute is being used.
Ensure effective_rights returns a valid array of rights (Net::LDAP3 may not call back to LDAP::legacy_rights())
diff --git a/lib/Auth/LDAP.php b/lib/Auth/LDAP.php
index b9470c3..ec446e3 100644
--- a/lib/Auth/LDAP.php
+++ b/lib/Auth/LDAP.php
@@ -69,6 +69,18 @@ class LDAP extends Net_LDAP3 {
// Continue and default to the primary domain.
$this->domain = $domain ? $domain : $this->conf->get('primary_domain');
+ $unique_attr = $this->conf->get($domain, 'unique_attribute');
+
+ if (empty($unique_attr)) {
+ $unique_attr = $this->conf->get('ldap', 'unique_attribute');
+ }
+
+ if (empty($unique_attr)) {
+ $unique_attr = 'nsuniqueid';
+ }
+
+ $this->config_set('unique_attribute', $unique_attr);
+
$this->_ldap_uri = $this->conf->get('ldap_uri');
$this->_ldap_server = parse_url($this->_ldap_uri, PHP_URL_HOST);
$this->_ldap_port = parse_url($this->_ldap_uri, PHP_URL_PORT);
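Review bot: The per-domain lookup `$this->conf->get($domain, 'unique_attribute')` uses the raw `$domain` argument, but the line just above resolved the effective domain into `$this->domain` with a fallback to `primary_domain`; when `$domain` is empty the primary domain's own section is therefore never consulted and the code drops straight to the `ldap` section default. Use the resolved value: `$unique_attr = $this->conf->get($this->domain, 'unique_attribute');`. This three-step fallback also appears to be duplicated later in the same file (the hunk ending with `$unique_attr = 'nsuniqueid';`), so a small private helper would keep the two in sync. The constructor this sits in begins outside the hunk.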
@@ -223,17 +235,23 @@ class LDAP extends Net_LDAP3 {
switch ($subject) {
case "domain":
- return parent::effective_rights($this->conf->get("ldap", "domain_base_dn"));
+ $result = parent::effective_rights($this->conf->get("ldap", "domain_base_dn"));
case "group":
case "resource":
case "role":
case "sharedfolder":
case "user":
- return parent::effective_rights($this->_subject_base_dn($subject));
+ $result = parent::effective_rights($this->_subject_base_dn($subject));
default:
- return parent::effective_rights($subject);
+ $result = parent::effective_rights($subject);
+ }
+
+ if (!$result) {
+ return $this->legacy_rights($subject);
+ } else {
+ return $result;
}
}
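Review bot: Replacing the `return` statements with `$result = ...` assignments without adding `break;` turns the whole switch into a fall-through: for `"domain"` the result is computed, then overwritten by the group/resource/role/... branch, then overwritten again by the default branch, so every call ends up as `parent::effective_rights($subject)` with the literal subject name as the DN. That lookup will almost certainly fail, and the new `if (!$result)` then hands every request to legacy_rights(), which bypasses the server-enforced rights check the commit is trying to keep. Add `break;` after each of the two assignments, and make the fallback test `if ($result === false) {` so that a genuine empty rights array from the server is not promoted to legacy rights.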
@@ -726,6 +744,8 @@ class LDAP extends Net_LDAP3 {
$unique_attr = 'nsuniqueid';
}
+ Log::trace("Using unique_attribute " . var_export($unique_attr, TRUE) . " at " . __FILE__ . ":" . __LINE__);
+
if (!in_array($unique_attr, $attributes)) {
$attributes[] = $unique_attr;
}
@@ -906,8 +926,13 @@ class LDAP extends Net_LDAP3 {
);
$subject = $this->_search($subject_dn);
+
+ if (!$subject) {
+ return $rights;
+ }
+
$subject = $subject->entries(true);
- $attributes = $this->allowed_attributes($subject[$subject_dn]['objectclass']);
+ $attributes = $this->attributes_allowed($subject[$subject_dn]['objectclass']);
$attributes = array_merge($attributes['may'], $attributes['must']);
foreach ($attributes as $attribute) {
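Review bot: The new early return on `!$subject` is correct, but it returns silently; since this is the legacy rights path, a debug line such as `$this->_debug(__FILE__ . "(" . __LINE__ . "): subject " . $subject_dn . " not found");` before the `return $rights;` would make a mis-configured `$subject_dn` visible instead of just yielding whatever `$rights` currently holds. The following line still indexes `$subject[$subject_dn]['objectclass']` unguarded; if entries(true) keys by a normalized DN (this cannot be confirmed from the hunk) that index is undefined and attributes_allowed() receives null. An `isset($subject[$subject_dn]['objectclass'])` check with the same return would close that gap. The enclosing method starts and ends outside this hunk.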