From e2a3b0f100ddeda509edd316bf3d2130abf60b38 Mon Sep 17 00:00:00 2001
From: trkr1410
Date: Fri, 15 Aug 2014 14:37:27 +0200
Subject: [PATCH 1/2] Update auth.php

Added a function to perform recursive search through nested groups in AD using LDAP. Most of the code is just reused from the queryLDAPServer function.
---
 wwwroot/inc/auth.php | 61 +++++++++++++++++++++++++++++++++++++++-----
 1 file changed, 55 insertions(+), 6 deletions(-)

diff --git a/wwwroot/inc/auth.php b/wwwroot/inc/auth.php
index 00514b129..b9939f887 100644
--- a/wwwroot/inc/auth.php
+++ b/wwwroot/inc/auth.php
@@ -619,17 +619,66 @@ function queryLDAPServer ($username, $password)
 		// Pull group membership, if any was returned.
 		if (isset ($info[0][$LDAP_options['group_attr']]))
 			for ($i = 0; $i < $info[0][$LDAP_options['group_attr']]['count']; $i++)
-				if
-				(
-					preg_match ($LDAP_options['group_filter'], $info[0][$LDAP_options['group_attr']][$i], $matches)
-					and validTagName ('$lgcn_' . $matches[1], TRUE)
-				)
-					$ret['memberof'][] = '$lgcn_' . $matches[1];
+				if
+				(
+					preg_match ($LDAP_options['group_filter'], $info[0][$LDAP_options['group_attr']][$i], $matches)
+					and validTagName ('$lgcn_' . $matches[1], TRUE)
+				)
+				{
+					$ret['memberof'][] = '$lgcn_' . $matches[1];
+					nested_groups ($ret, $matches[1], $connect); // This function will perform nested search
+				}
 	}
 	@ldap_close ($connect);
 	return $ret;
 }
+// This is the newly added function, which will perform a recursive search
+// through all the nested group memberships of the user account requested.
+
+// This is possible because of the recursive call at the end of this function.
+
+function nested_groups (&$ret, $match, $connection)
+{
+	global $LDAP_options;
+
+	$results = @ldap_search
+	(
+		$connection,
+		$LDAP_options['search_dn'],
+		'(' . $LDAP_options['search_attr'] . "=${match})",
+		array_merge (array ($LDAP_options['group_attr']), explode (' ', $LDAP_options['displayname_attrs']))
+	);
+	if (@ldap_count_entries ($connection, $results) != 1)
+	{
+		return false; // If the group isn't found, exit function
+	}
+	else
+	{
+		$info = @ldap_get_entries ($connection, $results);
+		ldap_free_result ($results);
+		$space = '';
+		foreach (explode (' ', $LDAP_options['displayname_attrs']) as $attr)
+		{
+			$ret['displayed_name'] .= $space . $info[0][$attr][0];
+			$space = ' ';
+		}
+		// Pull group membership, if any was returned.
+		if (isset ($info[0][$LDAP_options['group_attr']]))
+			for ($i = 0; $i < $info[0][$LDAP_options['group_attr']]['count']; $i++)
+				if
+				(
+					preg_match ($LDAP_options['group_filter'], $info[0][$LDAP_options['group_attr']][$i], $matches)
+					and validTagName ('$lgcn_' . $matches[1], TRUE)
+				)
+				{
+					$ret['memberof'][] = '$lgcn_' . $matches[1];
+					nested_groups ($ret, $matches[1], $connection); // Recursive call
+				}
+	}
+}
+
+
 function authenticated_via_database ($userinfo, $password)
 {
 	if (!isset ($userinfo['user_id'])) // not a local account

From df2a614fd6f090503c67829b22e089c305accf67 Mon Sep 17 00:00:00 2001
From: trkr1410
Date: Tue, 19 Aug 2014 09:56:34 +0200
Subject: [PATCH 2/2] Update auth.php

Removed unnecessary code from the recursive ldap search function
---
 wwwroot/inc/auth.php | 39 ++++++++++++++++++--------------------
 1 file changed, 18 insertions(+), 21 deletions(-)

diff --git a/wwwroot/inc/auth.php b/wwwroot/inc/auth.php
index b9939f887..7b5f0cb30 100644
--- a/wwwroot/inc/auth.php
+++ b/wwwroot/inc/auth.php
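Review bot: The recursive call `nested_groups ($ret, $matches[1], $connection); // Recursive call` has no termination guard, so a membership cycle (group A a member of B, B a member of A — something nested AD groups can contain) recurses until the PHP stack is exhausted, and even acyclic overlaps append the same `$lgcn_` tag to `$ret['memberof']` repeatedly; since every caller appends to `$ret['memberof']` before recursing, adding `and !in_array ('$lgcn_' . $matches[1], $ret['memberof'], TRUE)` to the `if` condition inside nested_groups both terminates the walk and deduplicates. The filter `'(' . $LDAP_options['search_attr'] . "=${match})"` interpolates the captured group name unescaped, so a CN containing `*`, `(`, `)` or `\` changes what the filter matches; pass `ldap_escape ($match, '', LDAP_ESCAPE_FILTER)` (PHP 5.6+) instead. The `foreach` over `displayname_attrs` was carried over from the user lookup: it appends each nested group's display attributes to `$ret['displayed_name']`, which presumably holds the user's name, and reads `$info[0][$attr][0]` with no `isset` guard, so the loop and the display attributes in the requested attribute list should be dropped from nested_groups. The same lines are re-indented unchanged in the second patch's hunk. The enclosing `queryLDAPServer` body begins before this hunk.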
@@ -653,29 +653,26 @@ function nested_groups (&$ret, $match, $connection)
 	{
 		return false; // If the group isn't found, exit function
 	}
-	else
+	$info = @ldap_get_entries ($connection, $results);
+	ldap_free_result ($results);
+	$space = '';
+	foreach (explode (' ', $LDAP_options['displayname_attrs']) as $attr)
 	{
-		$info = @ldap_get_entries ($connection, $results);
-		ldap_free_result ($results);
-		$space = '';
-		foreach (explode (' ', $LDAP_options['displayname_attrs']) as $attr)
-		{
-			$ret['displayed_name'] .= $space . $info[0][$attr][0];
-			$space = ' ';
-		}
-		// Pull group membership, if any was returned.
-		if (isset ($info[0][$LDAP_options['group_attr']]))
-			for ($i = 0; $i < $info[0][$LDAP_options['group_attr']]['count']; $i++)
-				if
-				(
-					preg_match ($LDAP_options['group_filter'], $info[0][$LDAP_options['group_attr']][$i], $matches)
-					and validTagName ('$lgcn_' . $matches[1], TRUE)
-				)
-				{
-					$ret['memberof'][] = '$lgcn_' . $matches[1];
-					nested_groups ($ret, $matches[1], $connection); // Recursive call
-				}
+		$ret['displayed_name'] .= $space . $info[0][$attr][0];
+		$space = ' ';
 	}
+	// Pull group membership, if any was returned.
+	if (isset ($info[0][$LDAP_options['group_attr']]))
+		for ($i = 0; $i < $info[0][$LDAP_options['group_attr']]['count']; $i++)
+			if
+			(
+				preg_match ($LDAP_options['group_filter'], $info[0][$LDAP_options['group_attr']][$i], $matches)
+				and validTagName ('$lgcn_' . $matches[1], TRUE)
+			)
+			{
+				$ret['memberof'][] = '$lgcn_' . $matches[1];
+				nested_groups ($ret, $matches[1], $connection); // Recursive call
+			}
 }
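Review bot: With the `else` removed, the not-found path (the `return false;` context line at the top of the hunk) and the success path that now falls off the closing `}` return different things — `false` versus nothing — while both visible callers ignore the result and the function communicates only through `&$ret`; changing that line to `return; // group not found or ambiguous, nothing to add`, plus a one-line header comment stating that the function only appends to `$ret['memberof']` and has no meaningful return value, would make the contract explicit. On that same early-return path `$results` is never handed to `ldap_free_result`, which the success path now does on its second new line; when `@ldap_search` succeeded with zero or several entries the result set is left for request teardown, harmless but inconsistent with the branch beside it.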