From 5a0410f68e4391def009403489c1e1814c8500a3 Mon Sep 17 00:00:00 2001
From: Uwe Steinmann
Date: Thu, 17 Aug 2023 13:51:02 +0200
Subject: [PATCH] check for sync of groups from ldap

---
 inc/inc.ClassLdapAuthentication.php | 50 ++++++++++++++++++++++++++++-
 inc/inc.ClassSettings.php | 5 +++
 2 files changed, 54 insertions(+), 1 deletion(-)

diff --git a/inc/inc.ClassLdapAuthentication.php b/inc/inc.ClassLdapAuthentication.php
index d3f37a4f4..92a2c3871 100644
--- a/inc/inc.ClassLdapAuthentication.php
+++ b/inc/inc.ClassLdapAuthentication.php
@@ -29,7 +29,7 @@ class SeedDMS_LdapAuthentication extends SeedDMS_Authentication {
 var $settings;
 
 protected function addUser($username, $info) {
- return $dms->addUser($username, null, $info['cn'][0], $info['mail'][0], $settings->_language, $settings->_theme, "", 0);
+ return $this->dms->addUser($username, null, $info['cn'][0], $info['mail'][0], $settings->_language, $settings->_theme, "", 0);
 }
 
 protected function updateUser($user, $info) {
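Review bot: The new `return` line still reads `$settings->_language` and `$settings->_theme` from a local `$settings` that is not defined in `addUser()`; only `$dms` was changed to `$this->dms`. The constructor in the next hunk stores the settings as `$this->settings`, so unless `$settings` is imported with `global` the line should be `return $this->dms->addUser($username, null, $info['cn'][0], $info['mail'][0], $this->settings->_language, $this->settings->_theme, "", 0);`. `$info['cn'][0]` and `$info['mail'][0]` are also dereferenced without checking that the attribute is present in the LDAP entry, so a user without a `mail` attribute fails with a notice/TypeError instead of a clean error; a guard or `?? ''` before the call would be safer.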
@@ -41,6 +41,41 @@ class SeedDMS_LdapAuthentication extends SeedDMS_Authentication {
 }
 }
 
+ protected function syncGroups($user, $ldapgroups) {
+ $groupnames = [];
+ $count = 0;
+ if(isset($ldapgroups['count']))
+ $count = (int) $ldapgroups['count'];
+ for ($i = 0; $i < $count; $i++) {
+ $tmp = ldap_explode_dn($ldapgroups[$i], 1);
+ if (!in_array($tmp[0], $groupnames)) {
+ $groupnames[] = $tmp[0];
+ }
+ }
+
+ /* Remove user from all groups not listed in LDAP */
+ $usergroups = $user->getGroups();
+ foreach($usergroups as $usergroup) {
+ if(!in_array($usergroup->getName(), $groupnames))
+ $user->leaveGroup($usergroup);
+ }
+
+ /* Add new groups and make user a member of it */
+ if($groupnames) {
+ foreach($groupnames as $groupname) {
+ $group = $this->dms->getGroupByName($groupname);
+ if($group) { /* Group already exists, just join it */
+ $user->joinGroup($group);
+ } else { /* Add group and join it */
+ $newgroup = $this->dms->addGroup($groupname, 'Added during LDAP Authentication');
+ if($newgroup) {
+ $user->joinGroup($newgroup);
+ }
+ }
+ }
+ }
+ }
+
 public function __construct($dms, $settings) { /* {{{ */
 $this->dms = $dms;
 $this->settings = $settings;
@@ -164,6 +199,19 @@ class SeedDMS_LdapAuthentication extends SeedDMS_Authentication {
 } else {
 $this->updateUser($user, $info[0]);
 }
+ /*
+ $this->syncGroups($user, [
+ 'count'=>4,
+ 0=>'CN=vergussmaschine_networkfolder,OU=groups,OU=sanube,DC=SALLABERGER,DC=local',
+ 1=>'CN=Limesurvey,OU=groups,OU=sanube,DC=SALLABERGER,DC=local',
+ 2=>'CN=Altium365,OU=groups,OU=sanube,DC=SALLABERGER,DC=local',
+ 3=>'CN=Domain Admins,OU=groups,OU=sanube,DC=SALLABERGER,DC=local'
+ ]
+ );
+ */
+ if(!empty($settings->_ldapGroupField) && !empty($info[0][$settings->_ldapGroupField])) {
+ $this->syncGroups($user, $info[0][$settings->_ldapGroupField]);
+ }
 }
 }
 }
diff --git a/inc/inc.ClassSettings.php b/inc/inc.ClassSettings.php
index f89343c40..11c56d208 100644
--- a/inc/inc.ClassSettings.php
+++ b/inc/inc.ClassSettings.php
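Review bot: `ldap_explode_dn()` returns `false` for a DN it cannot parse, so in the `for` loop of `syncGroups()` `$tmp[0]` becomes `null` and a `null` group name is carried into `getGroupByName()` and `addGroup()`; add `if ($tmp === false || !isset($tmp[0]) || $tmp[0] === '') continue;` right after the explode. Matching on the leaf RDN value alone also means any LDAP group whose CN equals the name of an existing local DMS group (including groups an administrator created by hand) grants that local group on login, and two LDAP groups in different OUs with the same CN collapse into one; if that is not intended, key the mapping on the full DN or limit joins to groups this code itself created. Both `in_array()` calls should pass `true` as the third argument so names are compared strictly. Because the first loop revokes every local membership not present in `$ldapgroups`, manually assigned groups are dropped on each login, which deserves a method comment such as `/* LDAP is authoritative: local memberships not listed in $ldapgroups are revoked on every sync */`.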
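Review bot: When the configured attribute is missing from the entry — which is exactly what happens for a user who has been removed from every LDAP group — the `!empty($info[0][$settings->_ldapGroupField])` guard skips `syncGroups()` altogether, so the user keeps all previous local memberships instead of losing them; run the sync whenever the field is configured, e.g. `if(!empty($settings->_ldapGroupField)) { $this->syncGroups($user, isset($info[0][$settings->_ldapGroupField]) ? $info[0][$settings->_ldapGroupField] : array('count' => 0)); }`. The commented-out sample call carries what look like real internal directory names (`DC=SALLABERGER,DC=local`, `Domain Admins`) and should be deleted rather than committed. If `$info` is the result of `ldap_get_entries()`, attribute keys are lowercased, so a configured `memberOf` would never match; index with `strtolower($settings->_ldapGroupField)` or document that the setting must be lowercase. Whether `$settings` is a local of the enclosing method, which starts outside this hunk, or should be `$this->settings` cannot be seen here.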
@@ -337,6 +337,9 @@ class Settings { /* {{{ */ // Used only by AD @_ldapAccountDomainName will be used for a bind // when the user is validated var $_ldapAccountDomainName = ""; + // Name of the ldap field containing the groups of the user, e.g. memeberOf + // This field must contain the DN of the groups + var $_ldapGroupField = ""; // Type of Ldap server: 0 = ldap; 1 = AD var $_ldapType = 1; // Additional filter when searching for the user. If not set, the user will be searched @@ -653,6 +656,7 @@ class Settings { /* {{{ */ $this->_ldapBindPw = strVal($connectorNode["bindPw"]); $this->_ldapType = 0; $this->_ldapFilter = strVal($connectorNode["filter"]); + $this->_ldapGroupField = strVal($connectorNode["groupField"]); } else if ($params['enable'] && ($typeConn == "AD")) { @@ -664,6 +668,7 @@ class Settings { /* {{{ */ $this->_ldapType = 1; $this->_ldapFilter = strVal($connectorNode["filter"]); $this->_ldapAccountDomainName = strVal($connectorNode["accountDomainName"]); + $this->_ldapGroupField = strVal($connectorNode["groupField"]); } }
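Review bot: The comment on the new `$_ldapGroupField` property spells the example attribute `memeberOf`; it should be `memberOf`. Since PHP's `ldap_get_entries()` returns attribute names lowercased, the comment should also say how the value is matched, e.g. `// Name of the LDAP attribute holding the user's group DNs (e.g. memberOf). Looked up in the ldap_get_entries() result, so use the lowercase attribute name.` — assuming that is where the entry array comes from, which this diff does not show. Both connector branches read the same `groupField` setting, so this property comment is the one place to document it.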