From 7b8f3ef0bbfc276eba891886e0cfd0b5a3e7d24d Mon Sep 17 00:00:00 2001
From: Uwe Steinmann <steinm@debian.org>
Date: Wed, 16 Aug 2023 17:40:14 +0200
Subject: [PATCH 1/4] some reorganization of code

---
 inc/inc.ClassLdapAuthentication.php | 53 ++++++++++++++++++++---------
 1 file changed, 36 insertions(+), 17 deletions(-)

diff --git a/inc/inc.ClassLdapAuthentication.php b/inc/inc.ClassLdapAuthentication.php
index 64995f8e6..8f4928d7d 100644
--- a/inc/inc.ClassLdapAuthentication.php
+++ b/inc/inc.ClassLdapAuthentication.php
@@ -115,35 +115,54 @@ class SeedDMS_LdapAuthentication extends SeedDMS_Authentication {
 				$dn = $tmpDN;
 			}
 
-			/* Now do the actual authentication of the user */
-			$bind = @ldap_bind($ds, $dn, $password);
+			/* Check if user already exists in the database. Return with an error
+			 * only if the sql statements fails, but not if no user was found.
+			 */
 			$user = $dms->getUserByLogin($username);
 			if($user === false) {
 				ldap_close($ds);
 				return false;
 			}
-			if ($bind) {
-				// Successfully authenticated. Now check to see if the user exists within
-				// the database. If not, add them in if _restricted is not set,
-				// but do not add their password.
-				if (is_null($user) && !$settings->_restricted) {
-					// Retrieve the user's LDAP information.
-					if (isset($settings->_ldapFilter) && strlen($settings->_ldapFilter) > 0) {
-						$search = ldap_search($ds, $settings->_ldapBaseDN, "(&(".$ldapSearchAttribut.$username.")".$settings->_ldapFilter.")");
-					} else {
-						$search = ldap_search($ds, $settings->_ldapBaseDN, $ldapSearchAttribut.$username);
-					}
 
-					if (!is_bool($search)) {
-						$info = ldap_get_entries($ds, $search);
+			/* Now do the actual authentication of the user */
+			$bind = @ldap_bind($ds, $dn, $password);
+			if (!$bind) {
+				ldap_close($ds);
+				return false;
+			}
 
+<<<<<<< Updated upstream
 						if (!is_bool($info) && $info["count"]==1 && $info[0]["count"]>0) {
 							$user = $dms->addUser($username, null, $info[0]['cn'][0], $info[0]['mail'][0], $settings->_language, $settings->_theme, "", 0);
+=======
+			// Successfully authenticated. Now check to see if the user exists within
+			// the database. If not, add them in if _restricted is not set,
+			// but do not add their password.
+			if (!$settings->_restricted) {
+				// Retrieve the user's LDAP information.
+				if (isset($settings->_ldapFilter) && strlen($settings->_ldapFilter) > 0) {
+					$search = ldap_search($ds, $settings->_ldapBaseDN, "(&(".$ldapSearchAttribut.$username.")".$settings->_ldapFilter.")");
+				} else {
+					$search = ldap_search($ds, $settings->_ldapBaseDN, $ldapSearchAttribut.$username);
+				}
+
+				if (!is_bool($search)) {
+					$info = ldap_get_entries($ds, $search);
+
+					if (!is_bool($info) && $info["count"]==1 && $info[0]["count"]>0) {
+						if (is_null($user)) {
+							$user = $dms->addUser($username, null, $info[0]['cn'][0], $info[0]['mail'][0], $settings->_language, $settings->_theme, "", 3);
+						} else {
+							if(isset($info[0]['cn'][0]) && ($info[0]['cn'][0] != $user->getFullName())) {
+								$user->setFullName($info[0]['cn'][0]);
+							}
+							if(isset($info[0]['mail'][0]) && ($info[0]['mail'][0] != $user->getEmail())) {
+								$user->setEmail($info[0]['mail'][0]);
+							}
+>>>>>>> Stashed changes
 						}
 					}
 				}
-			} elseif($user) {
-				$user = false;
 			}
 			ldap_close($ds);
 

From 5de8c66d1f9997669e13211654f6992f9f84d18c Mon Sep 17 00:00:00 2001
From: Uwe Steinmann <steinm@debian.org>
Date: Wed, 16 Aug 2023 18:45:20 +0200
Subject: [PATCH 2/4] move code to update/add user into protected function

---
 inc/inc.ClassLdapAuthentication.php | 29 ++++++++++++++++-------------
 1 file changed, 16 insertions(+), 13 deletions(-)

diff --git a/inc/inc.ClassLdapAuthentication.php b/inc/inc.ClassLdapAuthentication.php
index 8f4928d7d..d3f37a4f4 100644
--- a/inc/inc.ClassLdapAuthentication.php
+++ b/inc/inc.ClassLdapAuthentication.php
@@ -26,7 +26,20 @@ class SeedDMS_LdapAuthentication extends SeedDMS_Authentication {
 
   var $dms;
 
-  var $settings;
+	var $settings;
+
+	protected function addUser($username, $info) {
+		return $dms->addUser($username, null, $info['cn'][0], $info['mail'][0], $settings->_language, $settings->_theme, "", 0);
+	}
+
+	protected function updateUser($user, $info) {
+		if(isset($info['cn'][0]) && ($info['cn'][0] != $user->getFullName())) {
+			$user->setFullName($info['cn'][0]);
+		}
+		if(isset($info['mail'][0]) && ($info['mail'][0] != $user->getEmail())) {
+			$user->setEmail($info['mail'][0]);
+		}
+	}
 
   public function __construct($dms, $settings) { /* {{{ */
     $this->dms = $dms;
@@ -131,10 +144,6 @@ class SeedDMS_LdapAuthentication extends SeedDMS_Authentication {
 				return false;
 			}
 
-<<<<<<< Updated upstream
-						if (!is_bool($info) && $info["count"]==1 && $info[0]["count"]>0) {
-							$user = $dms->addUser($username, null, $info[0]['cn'][0], $info[0]['mail'][0], $settings->_language, $settings->_theme, "", 0);
-=======
 			// Successfully authenticated. Now check to see if the user exists within
 			// the database. If not, add them in if _restricted is not set,
 			// but do not add their password.
@@ -151,15 +160,9 @@ class SeedDMS_LdapAuthentication extends SeedDMS_Authentication {
 
 					if (!is_bool($info) && $info["count"]==1 && $info[0]["count"]>0) {
 						if (is_null($user)) {
-							$user = $dms->addUser($username, null, $info[0]['cn'][0], $info[0]['mail'][0], $settings->_language, $settings->_theme, "", 3);
+							$user = $this->addUser($username, $info[0]);
 						} else {
-							if(isset($info[0]['cn'][0]) && ($info[0]['cn'][0] != $user->getFullName())) {
-								$user->setFullName($info[0]['cn'][0]);
-							}
-							if(isset($info[0]['mail'][0]) && ($info[0]['mail'][0] != $user->getEmail())) {
-								$user->setEmail($info[0]['mail'][0]);
-							}
->>>>>>> Stashed changes
+							$this->updateUser($user, $info[0]);
 						}
 					}
 				}

From 5a0410f68e4391def009403489c1e1814c8500a3 Mon Sep 17 00:00:00 2001
From: Uwe Steinmann <steinm@debian.org>
Date: Thu, 17 Aug 2023 13:51:02 +0200
Subject: [PATCH 3/4] check for sync of groups from ldap

---
 inc/inc.ClassLdapAuthentication.php | 50 ++++++++++++++++++++++++++++-
 inc/inc.ClassSettings.php           |  5 +++
 2 files changed, 54 insertions(+), 1 deletion(-)

diff --git a/inc/inc.ClassLdapAuthentication.php b/inc/inc.ClassLdapAuthentication.php
index d3f37a4f4..92a2c3871 100644
--- a/inc/inc.ClassLdapAuthentication.php
+++ b/inc/inc.ClassLdapAuthentication.php
@@ -29,7 +29,7 @@ class SeedDMS_LdapAuthentication extends SeedDMS_Authentication {
 	var $settings;
 
 	protected function addUser($username, $info) {
-		return $dms->addUser($username, null, $info['cn'][0], $info['mail'][0], $settings->_language, $settings->_theme, "", 0);
+		return $this->dms->addUser($username, null, $info['cn'][0], $info['mail'][0], $settings->_language, $settings->_theme, "", 0);
 	}
 
 	protected function updateUser($user, $info) {
@@ -41,6 +41,41 @@ class SeedDMS_LdapAuthentication extends SeedDMS_Authentication {
 		}
 	}
 
+	protected function syncGroups($user, $ldapgroups) {
+		$groupnames = [];
+		$count = 0;
+		if(isset($ldapgroups['count']))
+			$count = (int) $ldapgroups['count'];
+		for ($i = 0; $i < $count; $i++) {
+			$tmp = ldap_explode_dn($ldapgroups[$i], 1);
+			if (!in_array($tmp[0], $groupnames)) {
+				$groupnames[] = $tmp[0];
+			}
+		}
+
+		/* Remove user from all groups not listed in LDAP */
+		$usergroups = $user->getGroups();
+		foreach($usergroups as $usergroup) {
+			if(!in_array($usergroup->getName(), $groupnames))
+				$user->leaveGroup($usergroup);
+		}
+
+		/* Add new groups and make user a member of it */
+		if($groupnames) {
+			foreach($groupnames as $groupname) {
+				$group = $this->dms->getGroupByName($groupname);
+				if($group) { /* Group already exists, just join it */
+					$user->joinGroup($group);
+				} else { /* Add group and join it */
+					$newgroup = $this->dms->addGroup($groupname, 'Added during LDAP Authentication');
+					if($newgroup) {
+						$user->joinGroup($newgroup);
+					}
+				}
+			}
+		}
+	}
+
   public function __construct($dms, $settings) { /* {{{ */
     $this->dms = $dms;
     $this->settings = $settings;
@@ -164,6 +199,19 @@ class SeedDMS_LdapAuthentication extends SeedDMS_Authentication {
 						} else {
 							$this->updateUser($user, $info[0]);
 						}
+						/*
+						$this->syncGroups($user, [
+							'count'=>4,
+							0=>'CN=vergussmaschine_networkfolder,OU=groups,OU=sanube,DC=SALLABERGER,DC=local',
+							1=>'CN=Limesurvey,OU=groups,OU=sanube,DC=SALLABERGER,DC=local',
+							2=>'CN=Altium365,OU=groups,OU=sanube,DC=SALLABERGER,DC=local',
+							3=>'CN=Domain Admins,OU=groups,OU=sanube,DC=SALLABERGER,DC=local'
+						]
+						);
+						 */
+						if(!empty($settings->_ldapGroupField) && !empty($info[0][$settings->_ldapGroupField])) {
+							$this->syncGroups($user, $info[0][$settings->_ldapGroupField]);
+						}
 					}
 				}
 			}
diff --git a/inc/inc.ClassSettings.php b/inc/inc.ClassSettings.php
index f89343c40..11c56d208 100644
--- a/inc/inc.ClassSettings.php
+++ b/inc/inc.ClassSettings.php
@@ -337,6 +337,9 @@ class Settings { /* {{{ */
 	// Used only by AD <username>@_ldapAccountDomainName will be used for a bind
 	// when the user is validated
 	var $_ldapAccountDomainName = "";
+	// Name of the ldap field containing the groups of the user, e.g. memeberOf
+	// This field must contain the DN of the groups
+	var $_ldapGroupField = "";
 	// Type of Ldap server: 0 = ldap; 1 = AD
 	var $_ldapType = 1;
 	// Additional filter when searching for the user. If not set, the user will be searched
@@ -653,6 +656,7 @@ class Settings { /* {{{ */
 				$this->_ldapBindPw = strVal($connectorNode["bindPw"]);
 				$this->_ldapType = 0;
 				$this->_ldapFilter = strVal($connectorNode["filter"]);
+				$this->_ldapGroupField = strVal($connectorNode["groupField"]);
 			}
 			else if ($params['enable'] && ($typeConn == "AD"))
 			{
@@ -664,6 +668,7 @@ class Settings { /* {{{ */
 				$this->_ldapType = 1;
 				$this->_ldapFilter = strVal($connectorNode["filter"]);
 				$this->_ldapAccountDomainName = strVal($connectorNode["accountDomainName"]);
+				$this->_ldapGroupField = strVal($connectorNode["groupField"]);
 			}
 		}
 

From a283cc5ead46c9cd746940d654ece768e0d07573 Mon Sep 17 00:00:00 2001
From: Uwe Steinmann <steinm@debian.org>
Date: Fri, 18 Aug 2023 06:38:25 +0200
Subject: [PATCH 4/4] check if DOCUMENT_ROOT is set propperly

---
 views/bootstrap/class.Info.php | 1 +
 1 file changed, 1 insertion(+)

diff --git a/views/bootstrap/class.Info.php b/views/bootstrap/class.Info.php
index 4b4bb439f..7259e5403 100644
--- a/views/bootstrap/class.Info.php
+++ b/views/bootstrap/class.Info.php
@@ -140,6 +140,7 @@ class SeedDMS_View_Info extends SeedDMS_Theme_Style {
 			echo "<th>".getMLText("directory_check_result")."</th>\n";
 			echo "</tr>\n</thead>\n<tbody>\n";
 			check_result('directory_check_ext_exists', is_dir($settings->_rootDir."/ext"));
+			check_result('directory_check_ext_below_docroot', is_dir($_SERVER['DOCUMENT_ROOT']."/ext"));
 			check_result('directory_check_ext_writable', is_writable($settings->_rootDir."/ext"));
 			check_result('directory_check_data_exists', is_dir($settings->_contentDir));
 			check_result('directory_check_data_writable', is_writable($settings->_contentDir));