check for sync of groups from ldap

2025-05-11 12:11:19 +00:00 · 2023-08-17 13:51:02 +02:00 · 2023-08-17 13:51:02 +02:00 · 5a0410f68e
commit 5a0410f68e
parent 5de8c66d1f
2 changed files with 54 additions and 1 deletions
--- a/inc/inc.ClassLdapAuthentication.php
+++ b/inc/inc.ClassLdapAuthentication.php
@ -29,7 +29,7 @@ class SeedDMS_LdapAuthentication extends SeedDMS_Authentication {
 	var $settings;

 	protected function addUser($username, $info) {
-		return $dms->addUser($username, null, $info['cn'][0], $info['mail'][0], $settings->_language, $settings->_theme, "", 0);
+		return $this->dms->addUser($username, null, $info['cn'][0], $info['mail'][0], $settings->_language, $settings->_theme, "", 0);
 	}

 	protected function updateUser($user, $info) {
@ -41,6 +41,41 @@ class SeedDMS_LdapAuthentication extends SeedDMS_Authentication {
 		}
 	}

+	protected function syncGroups($user, $ldapgroups) {
+		$groupnames = [];
+		$count = 0;
+		if(isset($ldapgroups['count']))
+			$count = (int) $ldapgroups['count'];
+		for ($i = 0; $i < $count; $i++) {
+			$tmp = ldap_explode_dn($ldapgroups[$i], 1);
+			if (!in_array($tmp[0], $groupnames)) {
+				$groupnames[] = $tmp[0];
+			}
+		}
+
+		/* Remove user from all groups not listed in LDAP */
+		$usergroups = $user->getGroups();
+		foreach($usergroups as $usergroup) {
+			if(!in_array($usergroup->getName(), $groupnames))
+				$user->leaveGroup($usergroup);
+		}
+
+		/* Add new groups and make user a member of it */
+		if($groupnames) {
+			foreach($groupnames as $groupname) {
+				$group = $this->dms->getGroupByName($groupname);
+				if($group) { /* Group already exists, just join it */
+					$user->joinGroup($group);
+				} else { /* Add group and join it */
+					$newgroup = $this->dms->addGroup($groupname, 'Added during LDAP Authentication');
+					if($newgroup) {
+						$user->joinGroup($newgroup);
+					}
+				}
+			}
+		}
+	}
+
  public function __construct($dms, $settings) { /* {{{ */
    $this->dms = $dms;
    $this->settings = $settings;
@ -164,6 +199,19 @@ class SeedDMS_LdapAuthentication extends SeedDMS_Authentication {
 						} else {
 							$this->updateUser($user, $info[0]);
 						}
+						/*
+						$this->syncGroups($user, [
+							'count'=>4,
+							0=>'CN=vergussmaschine_networkfolder,OU=groups,OU=sanube,DC=SALLABERGER,DC=local',
+							1=>'CN=Limesurvey,OU=groups,OU=sanube,DC=SALLABERGER,DC=local',
+							2=>'CN=Altium365,OU=groups,OU=sanube,DC=SALLABERGER,DC=local',
+							3=>'CN=Domain Admins,OU=groups,OU=sanube,DC=SALLABERGER,DC=local'
+						]
+						);
+						 */
+						if(!empty($settings->_ldapGroupField) && !empty($info[0][$settings->_ldapGroupField])) {
+							$this->syncGroups($user, $info[0][$settings->_ldapGroupField]);
+						}
 					}
 				}
 			}
--- a/inc/inc.ClassSettings.php
+++ b/inc/inc.ClassSettings.php
@ -337,6 +337,9 @@ class Settings { /* {{{ */
 	// Used only by AD <username>@_ldapAccountDomainName will be used for a bind
 	// when the user is validated
 	var $_ldapAccountDomainName = "";
+	// Name of the ldap field containing the groups of the user, e.g. memeberOf
+	// This field must contain the DN of the groups
+	var $_ldapGroupField = "";
 	// Type of Ldap server: 0 = ldap; 1 = AD
 	var $_ldapType = 1;
 	// Additional filter when searching for the user. If not set, the user will be searched
@ -653,6 +656,7 @@ class Settings { /* {{{ */
 				$this->_ldapBindPw = strVal($connectorNode["bindPw"]);
 				$this->_ldapType = 0;
 				$this->_ldapFilter = strVal($connectorNode["filter"]);
+				$this->_ldapGroupField = strVal($connectorNode["groupField"]);
 			}
 			else if ($params['enable'] && ($typeConn == "AD"))
 			{
@ -664,6 +668,7 @@ class Settings { /* {{{ */
 				$this->_ldapType = 1;
 				$this->_ldapFilter = strVal($connectorNode["filter"]);
 				$this->_ldapAccountDomainName = strVal($connectorNode["accountDomainName"]);
+				$this->_ldapGroupField = strVal($connectorNode["groupField"]);
 			}
 		}