lib/Auth
Aleksander Machniak
machniak at kolabsys.com
Mon Nov 18 13:47:19 CET 2013
lib/Auth/LDAP.php | 66 ++++++++++++++++++++++++++++++------------------------
1 file changed, 37 insertions(+), 29 deletions(-)
New commits:
commit 9cfd311602aa7ae92ba16c71c2f9949154de377e
Author: Aleksander Machniak <alec at alec.pl>
Date: Mon Nov 18 13:46:46 2013 +0100
Fix bug where adding new domains omits the kolab* ldap attributes for self-write (Bug #2514)
diff --git a/lib/Auth/LDAP.php b/lib/Auth/LDAP.php
index 4872521..bf02ba1 100644
--- a/lib/Auth/LDAP.php
+++ b/lib/Auth/LDAP.php
@@ -340,36 +340,44 @@ class LDAP extends Net_LDAP3 {
}
$dn = $inetdomainbasedn;
+
+ // @TODO: this list should be configurable or auto-created somehow
+ $self_attrs = array(
+ 'carLicense', 'description', 'displayName', 'facsimileTelephoneNumber', 'homePhone',
+ 'homePostalAddress', 'initials', 'jpegPhoto', 'labeledURI', 'mobile', 'o', 'pager', 'photo',
+ 'postOfficeBox', 'postalAddress', 'postalCode', 'preferredDeliveryMethod', 'preferredLanguage',
+ 'registeredAddress', 'roomNumber', 'secretary', 'seeAlso', 'st', 'street', 'telephoneNumber',
+ 'telexNumber', 'title', 'userCertificate', 'userPassword', 'userSMIMECertificate',
+ 'x500UniqueIdentifier',
+ );
+ if (in_array('kolabInetOrgPerson', $this->classes_allowed())) {
+ $self_attrs = array_merge($self_attrs, array('kolabDelegate', 'kolabInvitationPolicy', 'kolabAllowSMTPSender'));
+ }
+
$attrs = array(
- // @TODO: Probably just use ldap_explode_dn()
- 'dc' => substr($dn, (strpos($dn, '=')+1), ((strpos($dn, ',')-strpos($dn, '='))-1)),
- 'objectclass' => array(
- 'top',
- 'domain',
- ),
- 'aci' => array(
- // Self-modification
- "(targetattr=\"carLicense || description || displayName || facsimileTelephoneNumber || homePhone || homePostalAddress || initials || jpegPhoto || labeledURI || mobile || pager || photo || postOfficeBox || postalAddress || postalCode || preferredDeliveryMethod || preferredLanguage || registeredAddress || roomNumber || secretary || seeAlso || st || street || telephoneNumber || telexNumber || title || userCertificate || userPassword || userSMIMECertificate || x500UniqueIdentifier\")(version 3.0; acl \"Enable self write for common attributes\"; allow (write) userdn=\"ldap:///self\";)",
-
- // Directory Administrators
- "(targetattr =\"*\")(version 3.0;acl \"Directory Administrators Group\";allow (all) (groupdn=\"ldap:///cn=Directory Administrators," . $inetdomainbasedn . "\" or roledn=\"ldap:///cn=kolab-admin," . $inetdomainbasedn . "\");)",
-
- // Configuration Administrators
- "(targetattr=\"*\")(version 3.0; acl \"Configuration Administrators Group\"; allow (all) groupdn=\"ldap:///cn=Configuration Administrators,ou=Groups,ou=TopologyManagement,o=NetscapeRoot\";)",
-
- // Administrator users
- "(targetattr=\"*\")(version 3.0; acl \"Configuration Administrator\"; allow (all) userdn=\"ldap:///uid=admin,ou=Administrators,ou=TopologyManagement,o=NetscapeRoot\";)",
-
- // SIE Group
- $_aci,
-
- // Search Access,
- "(targetattr != \"userPassword\") (version 3.0;acl \"Search Access\";allow (read,compare,search)(userdn = \"ldap:///" . $inetdomainbasedn . "??sub?(objectclass=*)\");)",
-
- // Service Search Access
- "(targetattr = \"*\") (version 3.0;acl \"Service Search Access\";allow (read,compare,search)(userdn = \"ldap:///" . $service_bind_dn . "\");)",
- ),
- );
+ // @TODO: Probably just use ldap_explode_dn()
+ 'dc' => substr($dn, (strpos($dn, '=')+1), ((strpos($dn, ',')-strpos($dn, '='))-1)),
+ 'objectclass' => array(
+ 'top',
+ 'domain',
+ ),
+ 'aci' => array(
+ // Self-modification
+ "(targetattr = \"" . implode(" || ", $self_attrs) . "\")(version 3.0; acl \"Enable self write for common attributes\"; allow (write) userdn=\"ldap:///self\";)",
+ // Directory Administrators
+ "(targetattr = \"*\")(version 3.0; acl \"Directory Administrators Group\"; allow (all) (groupdn=\"ldap:///cn=Directory Administrators," . $inetdomainbasedn . "\" or roledn=\"ldap:///cn=kolab-admin," . $inetdomainbasedn . "\");)",
+ // Configuration Administrators
+ "(targetattr = \"*\")(version 3.0; acl \"Configuration Administrators Group\"; allow (all) groupdn=\"ldap:///cn=Configuration Administrators,ou=Groups,ou=TopologyManagement,o=NetscapeRoot\";)",
+ // Administrator users
+ "(targetattr = \"*\")(version 3.0; acl \"Configuration Administrator\"; allow (all) userdn=\"ldap:///uid=admin,ou=Administrators,ou=TopologyManagement,o=NetscapeRoot\";)",
+ // SIE Group
+ $_aci,
+ // Search Access,
+ "(targetattr != \"userPassword\") (version 3.0; acl \"Search Access\"; allow (read,compare,search) (userdn = \"ldap:///" . $inetdomainbasedn . "??sub?(objectclass=*)\");)",
+ // Service Search Access
+ "(targetattr = \"*\") (version 3.0; acl \"Service Search Access\"; allow (read,compare,search) (userdn = \"ldap:///" . $service_bind_dn . "\");)",
+ ),
+ );
if (!empty($replica_hosts)) {
foreach ($replica_hosts as $replica_host) {
More information about the commits
mailing list