Commit 36063629 authored by Clément OUDOT's avatar Clément OUDOT

LDAP:

* Add ldapGroupRecursive to enable recursive group search
* Create searchGroup method in _LDAP
* Create getLdapValue method in _LDAP to manage DN and multi-valued attributes
parent dae6b880
......@@ -350,6 +350,14 @@ sub setDefaultValues {
$self->{passwordDB} ||= "LDAP";
}
# LDAP
$self->{ldapGroupObjectClass} ||= "groupOfNames";
$self->{ldapGroupAttributeName} ||= "member";
$self->{ldapGroupAttributeNameUser} ||= "dn";
$self->{ldapGroupAttributeNameGroup} ||= "dn";
$self->{ldapGroupAttributeNameSearch} ||= ["cn"];
$self->{ldapGroupRecursive} ||= 0;
# SAML
$self->{samlIdPResolveCookie} ||= "lemonldapidp";
}
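Review bot: `$self->{ldapGroupRecursive} ||= 0;` has no observable effect: every false value (undef, '', 0) is already treated as "recursion off" by the `if ( $self->{ldapGroupRecursive} ...)` checks in the other hunks, and `||=` can never override a true value, so the line only serves as documentation of the default. If the intent is to normalise an unset option without clobbering an explicit '' or 0, the defined-or form `$self->{ldapGroupRecursive} //= 0;` states that; otherwise a trailing comment such as `# off unless explicitly enabled` makes the intent clear to the next reader. setDefaultValues starts outside the hunk.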
......@@ -124,55 +124,32 @@ sub setGroups {
my $self = shift;
my $groups = $self->{sessionInfo}->{groups};
$self->{ldapGroupObjectClass} ||= "groupOfNames";
$self->{ldapGroupAttributeName} ||= "member";
$self->{ldapGroupAttributeNameUser} ||= "dn";
$self->{ldapGroupAttributeNameSearch} ||= ["cn"];
if ( $self->{ldapGroupBase}
&& $self->{sessionInfo}->{ $self->{ldapGroupAttributeNameUser} } )
{
my $searchFilter =
"(&(objectClass=" . $self->{ldapGroupObjectClass} . ")(|";
foreach (
split(
/[;]/,
$self->{sessionInfo}->{ $self->{ldapGroupAttributeNameUser} }
)
if ( $self->{ldapGroupBase} ) {
# Push group attribute value for recursive search
push(
@{ $self->{ldapGroupAttributeNameSearch} },
$self->{ldapGroupAttributeNameGroup}
)
{
$searchFilter .=
"(" . $self->{ldapGroupAttributeName} . "=" . $_ . ")";
}
$searchFilter .= "))";
my $mesg = $self->{ldap}->search(
base => $self->{ldapGroupBase},
filter => $searchFilter,
attrs => $self->{ldapGroupAttributeNameSearch},
if ( $self->{ldapGroupRecursive}
and $self->{ldapGroupAttributeNameGroup} ne "dn" );
# Get value for group search
my $group_value = $self->{ldap}->getLdapValue( $self->{entry}, $self->{ldapGroupAttributeNameUser} );
$self->lmLog(
"Searching LDAP groups in "
. $self->{ldapGroupBase}
. " for $group_value",
'debug'
);
if ( $mesg->code() == 0 ) {
foreach my $entry ( $mesg->all_entries ) {
my $nbAttrs = @{ $self->{ldapGroupAttributeNameSearch} };
for ( my $i = 0 ; $i < $nbAttrs ; $i++ ) {
my @data =
$entry->get_value(
$self->{ldapGroupAttributeNameSearch}[$i] );
if (@data) {
$groups .= $data[0];
$groups .= "|"
if (
$i + 1 < $nbAttrs
&& $entry->get_value(
$self->{ldapGroupAttributeNameSearch}[ $i + 1 ]
)
# Call searchGroups
$groups .= $self->{ldap}->searchGroups(
$self->{ldapGroupBase}, $self->{ldapGroupAttributeName},
$group_value, $self->{ldapGroupAttributeNameSearch}
);
}
}
$groups .= "; ";
}
$groups =~ s/; $//g;
}
}
$self->{sessionInfo}->{groups} = $groups;
PE_OK;
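Review bot: The `push` at the top of the new block appends `ldapGroupAttributeNameGroup` to the `ldapGroupAttributeNameSearch` array ref on every call, so if the portal object or the configuration it holds survives across requests (a persistent interpreter), the attribute list grows by one element per authentication and the same attribute is requested repeatedly; guard it with `push @{ $self->{ldapGroupAttributeNameSearch} }, $self->{ldapGroupAttributeNameGroup} unless grep { $_ eq $self->{ldapGroupAttributeNameGroup} } @{ $self->{ldapGroupAttributeNameSearch} };` or work on a per-call copy of the list. The value handed to `getLdapValue` is read from `$self->{entry}`, which nothing in this hunk sets; presumably the user lookup fills it earlier, and a one-line comment stating that precondition (`# $self->{entry} is the user's Net::LDAP::Entry from the user lookup`) would help. `$group_value` then flows unescaped into the filter built by `searchGroups`, which is raised on that hunk. setGroups's body begins outside the hunk.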
......@@ -347,4 +347,113 @@ sub ldap {
return 0;
}
## @method string searchGroups(string base, string key, string value, string attributes)
# Get groups from LDAP directory
# @param string base LDAP search base
# @param string key Attribute name in group containing searched value
# @param string value Searched value
# @param string attributes to get from found groups (array ref)
# @return string groups separated with ;
sub searchGroups {
my $self = shift;
my $base = shift;
my $key = shift;
my $value = shift;
my $attributes = shift;
my $portal = $self->{portal};
my $groups;
# Creating search filter
my $searchFilter =
"(&(objectClass=" . $portal->{ldapGroupObjectClass} . ")(|";
foreach ( split( /[;]/, $value ) ) {
$searchFilter .= "(" . $key . "=" . $_ . ")";
}
$searchFilter .= "))";
$portal->lmLog( "Group search filter: $searchFilter", 'debug' );
# Search
my $mesg = $self->search(
base => $base,
filter => $searchFilter,
attrs => $attributes,
);
# Browse results
if ( $mesg->code() == 0 ) {
foreach my $entry ( $mesg->all_entries ) {
$portal->lmLog( "Matching group " . $entry->dn() . " found",
'debug' );
# If recursive search is activated, do it here
if ( $portal->{ldapGroupRecursive} ) {
# Get searched value
my $group_value = $self->getLdapValue( $entry, $portal->{ldapGroupAttributeNameGroup} );
# Launch group search
if ($group_value) {
$portal->lmLog( "Recursive search for $group_value",
'debug' );
my $recursive_groups =
$self->searchGroups( $base, $key, $group_value,
$attributes );
$groups .= $recursive_groups . "; " if ($recursive_groups);
}
}
# Now parse attributes
foreach (@$attributes) {
# Next if group attribute value
next if ( $_ eq $portal->{ldapGroupAttributeValueGroup} );
my $data = $entry->get_value($_);
if ($data) {
$portal->lmLog( "Store $data in groups", 'debug' );
$groups .= $data . "|";
}
}
$groups =~ s/\|$//g;
$groups .= "; ";
}
$groups =~ s/; $//g;
}
return $groups;
}
## @method string getLdapValue(Net::LDAP::Entry entry, string attribute)
# Get the dn, or the attribute value with ; separator for multi-valuated attributes
# @param Net::LDAP::Entry LDAP entry
# @param string attribute name
# @return string value
sub getLdapValue {
my $self = shift;
my $entry = shift;
my $attribute = shift;
return $entry->dn() if ( $attribute eq "dn" );
my $value;
foreach ( $entry->get_value( $attribute ) ) {
$value .= $_;
$value .= ";";
}
$value =~ s/;$//g;
return $value;
}
1;
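Review bot: `searchGroups` concatenates each piece of `$value` and `$key` straight into the LDAP filter (`"(" . $key . "=" . $_ . ")"`), so a DN or attribute value containing `(`, `)`, `*` or `\` either produces an invalid filter or changes what it matches; each value should go through `escape_filter_value` from Net::LDAP::Util (to be added to this module's imports), which is the RFC 4515 escaping Net::LDAP already ships. The recursive call has no termination condition other than `$group_value` being empty, so two groups that are members of each other recurse until the stack or the directory gives up; a `$seen` hash of already-expanded DNs, passed down and checked before each entry, bounds the recursion. In the attribute loop, `$portal->{ldapGroupAttributeValueGroup}` does not match the `ldapGroupAttributeNameGroup` key used a few lines above and in the other hunks, so the `next` most likely never fires and the attribute pushed for the recursion ends up in the user's group list. `my $groups;` and, in `getLdapValue`, `my $value;` start undefined, so the trailing `s/...$//g` warns under `use warnings` whenever nothing was found; initialising both to `''` keeps the `if ($group_value)` and `if ($recursive_groups)` checks working and removes the warning.
```perl
sub searchGroups {
    my ( $self, $base, $key, $value, $attributes, $seen ) = @_;
    $seen ||= {};    # DNs already expanded, shared with recursive calls
    my $portal = $self->{portal};
    my $groups = '';

    # Creating search filter: every searched value is escaped (RFC 4515),
    # since DNs and attribute values may legitimately contain ( ) * \
    my $searchFilter =
      "(&(objectClass=" . $portal->{ldapGroupObjectClass} . ")(|";
    foreach ( split( /[;]/, $value ) ) {
        $searchFilter .= "(" . $key . "=" . escape_filter_value($_) . ")";
    }
    $searchFilter .= "))";
    # … unchanged: debug log of the filter, $self->search(...) …
    if ( $mesg->code() == 0 ) {
        foreach my $entry ( $mesg->all_entries ) {
            # A group reached a second time (nested-group cycle) is expanded once
            next if $seen->{ $entry->dn() }++;
            # … unchanged: debug log, $group_value lookup …
                    my $recursive_groups =
                      $self->searchGroups( $base, $key, $group_value,
                        $attributes, $seen );
            # … unchanged: attribute parsing (compare against ldapGroupAttributeNameGroup) …
```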