/**
 * Checks the group membership of the bound user.
 *
 * Builds (&(groupAttr=group)(memberAttr=<user>)), optionally narrowed by the
 * configured groupFilter, and counts matching entries below groupDn.
 * Membership is accepted only when exactly one group entry matches.
 *
 * @param Zend_Ldap $ldap           connection used for the count
 * @param string    $canonicalName  member value when memberIsDn is false
 * @param string    $dn             member value otherwise
 * @param array     $adapterOptions keys: group, memberIsDn, groupAttr, memberAttr,
 *                                  groupFilter, groupDn, groupScope
 * @return string|true true on success, otherwise a failure message that includes the filter
 */
protected function _checkGroupMembership(Zend_Ldap $ldap, $canonicalName, $dn, array $adapterOptions)
{
    // no group configured => nothing to verify
    if ($adapterOptions['group'] === null) {
        return true;
    }

    // which identity the group's member attribute holds
    $memberValue = ($adapterOptions['memberIsDn'] === false) ? $canonicalName : $dn;

    /**
     * @see Zend_Ldap_Filter
     */
    require_once 'Zend/Ldap/Filter.php';

    // Zend_Ldap_Filter::equals() is expected to escape the values, so neither
    // the configured group name nor the user identity can alter the filter
    // structure — confirm in Zend_Ldap_Filter_Abstract::escapeValue()
    $filter = Zend_Ldap_Filter::andFilter(
        Zend_Ldap_Filter::equals($adapterOptions['groupAttr'], $adapterOptions['group']),
        Zend_Ldap_Filter::equals($adapterOptions['memberAttr'], $memberValue)
    );

    // optional extra restriction on the group entry (skipped when empty())
    $extraFilter = $adapterOptions['groupFilter'];
    if (!empty($extraFilter)) {
        $filter = $filter->addAnd($extraFilter);
    }

    $matches = $ldap->count($filter, $adapterOptions['groupDn'], $adapterOptions['groupScope']);

    return ($matches === 1)
        ? true
        : 'Failed to verify group membership with ' . $filter->toString();
}
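/**
 * Return the gidNumber of the group identified by the given UUID.
 *
 * @param string $_uuid group UUID (compared against the configured group UUID attribute)
 * @return string value of the group's gidnumber attribute
 * @throws Tinebase_Exception_NotFound when no group entry matches or the entry has no gidnumber
 */
public function resolveGidNumber($_uuid)
{
    // the encoded UUID goes through Zend_Ldap_Filter::equals(), which is
    // expected to escape LDAP filter metacharacters — confirm
    $filter = Zend_Ldap_Filter::andFilter(
        Zend_Ldap_Filter::string($this->_groupBaseFilter),
        Zend_Ldap_Filter::equals($this->_groupUUIDAttribute, $this->_encodeGroupId($_uuid))
    );

    $groupData = $this->getLdap()
        ->search($filter, $this->_options['groupsDn'], $this->_groupSearchScope, array('gidnumber'))
        ->getFirst();

    // getFirst() yields no entry when the search had no hit; previously this
    // fell through to indexing a null result and returned null despite the
    // documented string return.  isset() (not empty()) so gidnumber 0 is kept.
    if (!isset($groupData['gidnumber'][0])) {
        throw new Tinebase_Exception_NotFound('Group with uuid ' . $_uuid . ' not found or has no gidnumber.');
    }

    return $groupData['gidnumber'][0];
}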
/**
 * Nests two OR filters under an AND and checks the rendered filter string.
 */
public function testRealFilterString()
{
    $surnameFilter = Zend_Ldap_Filter::orFilter(
        Zend_Ldap_Filter::equals('sn', 'Gehrig'),
        Zend_Ldap_Filter::equals('sn', 'Goerke')
    );
    $givenNameFilter = Zend_Ldap_Filter::orFilter(
        Zend_Ldap_Filter::equals('givenName', 'Stefan'),
        Zend_Ldap_Filter::equals('givenName', 'Ingo')
    );
    $combined = Zend_Ldap_Filter::andFilter($surnameFilter, $givenNameFilter);

    $expected = '(&(|(sn=Gehrig)(sn=Goerke))(|(givenName=Stefan)(givenName=Ingo)))';
    $this->assertEquals($expected, $combined->toString());
}
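/**
 * Return the LDAP entry of a user, looked up by one mapped property.
 *
 * @param string     $_property key of $this->_rowNameMapping to search on (e.g. 'accountId')
 * @param string|int $_userId   value to match; for 'accountId' it is converted and encoded first
 * @return array the single matching LDAP entry as returned by the Zend_Ldap search
 * @throws Tinebase_Exception_NotFound when not exactly one entry matches
 */
protected function _getLdapEntry($_property, $_userId)
{
    if ($_property === 'accountId') {
        $value = $this->_encodeAccountId(Tinebase_Model_User::convertUserIdToInt($_userId));
    } else {
        // NOTE(review): Zend_Ldap_Filter::equals() below is expected to escape
        // its value as well, so this may double-escape ids containing LDAP
        // metacharacters — verify before relying on it
        $value = Zend_Ldap::filterEscape($_userId);
    }

    $filter = Zend_Ldap_Filter::andFilter(
        Zend_Ldap_Filter::string($this->_userBaseFilter),
        Zend_Ldap_Filter::equals($this->_rowNameMapping[$_property], $value)
    );

    // mapped columns plus whatever the configured plugins need
    $attributes = array_values($this->_rowNameMapping);
    foreach ($this->_ldapPlugins as $plugin) {
        $attributes = array_merge($attributes, $plugin->getSupportedAttributes());
    }
    $attributes[] = 'objectclass';
    $attributes[] = 'uidnumber';
    $attributes[] = 'useraccountcontrol';
    // needed for account status handling (shadowmax: days after which password must be changed)
    $attributes[] = 'shadowmax';

    if (Tinebase_Core::isLogLevel(Zend_Log::DEBUG)) {
        Tinebase_Core::getLogger()->debug(__METHOD__ . '::' . __LINE__ . ' filter ' . $filter);
    }
    if (Tinebase_Core::isLogLevel(Zend_Log::TRACE)) {
        Tinebase_Core::getLogger()->trace(__METHOD__ . '::' . __LINE__ . ' requested attributes ' . print_r($attributes, true));
    }

    $accounts = $this->_ldap->search($filter, $this->_baseDn, $this->_userSearchScope, $attributes);

    // exactly one hit is required; zero or several are both "not found"
    if (count($accounts) !== 1) {
        throw new Tinebase_Exception_NotFound('User with ' . $_property . ' = ' . $value . ' not found.');
    }

    // fetch once instead of calling getFirst() twice
    $entry = $accounts->getFirst();
    if (Tinebase_Core::isLogLevel(Zend_Log::TRACE)) {
        Tinebase_Core::getLogger()->trace(__METHOD__ . '::' . __LINE__ . ' current ldap values ' . print_r($entry, true));
    }

    return $entry;
}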
/**
 * Read the groups from LDAP, look each one up in Tine by its (optionally
 * remapped) name and build a mapping of Tine group id => LDAP entryuuid.
 *
 * Groups unknown to Tine are logged and skipped.
 *
 * @return array tine group id => ldap entryuuid
 */
protected function _getGroupMapping()
{
    $this->_logger->info(__METHOD__ . '::' . __LINE__ . ' Fetching user mapping ...');

    $filter = Zend_Ldap_Filter::andFilter(Zend_Ldap_Filter::string($this->_groupBaseFilter));

    // optional config: ldap cn => tine group name
    $nameMapping = array();
    if ($this->_config->groupNameMapping) {
        $nameMapping = $this->_config->groupNameMapping->toArray();
    }
    $this->_logger->debug(__METHOD__ . '::' . __LINE__ . ' Group name mapping: ' . print_r($nameMapping, TRUE));

    $ldapGroups = $this->_ldap->search($filter, $this->_config->ldap->baseDn, $this->_groupSearchScope, array('*', '+'));

    $mapping = array();
    foreach ($ldapGroups as $ldapGroup) {
        $cn       = $ldapGroup['cn'][0];
        $ldapUuid = $ldapGroup['entryuuid'][0];
        $tineName = isset($nameMapping[$cn]) ? $nameMapping[$cn] : $cn;

        try {
            $tineGroup = $this->_tineGroupBackend->getGroupByName($tineName);
        } catch (Tinebase_Exception_Record_NotDefined $tenf) {
            // @todo should be: Tinebase_Exception_NotFound
            $this->_logger->debug(__METHOD__ . '::' . __LINE__ . ' Group ' . $tineName . ' (' . $cn . '): ' . $tenf->getMessage());
            continue;
        }

        $this->_logger->debug(__METHOD__ . '::' . __LINE__ . ' Group ' . $tineName . ' (' . $cn . '): ' . $tineGroup->getId() . ' -> ' . $ldapUuid);
        $mapping[$tineGroup->getId()] = $ldapUuid;
    }

    $this->_logger->info(__METHOD__ . '::' . __LINE__ . ' Found ' . count($mapping) . ' groups for the mapping.');
    $this->_logger->debug(__METHOD__ . '::' . __LINE__ . ' ' . print_r($mapping, TRUE));

    return $mapping;
}
/**
 * Checks the group membership of the bound user.
 *
 * Builds (&(groupAttr=group)(memberAttr=<user>)), optionally narrowed by the
 * configured groupFilter, re-binds with the adapter's own credentials and
 * counts matching entries below groupDn.  Membership is accepted only when
 * exactly one group entry matches.
 *
 * @param Zend_Ldap $ldap           connection used for the count
 * @param string    $canonicalName  member value when memberIsDn is false
 * @param string    $dn             member value otherwise
 * @param array     $adapterOptions keys: group, memberIsDn, groupAttr, memberAttr,
 *                                  groupFilter, groupDn, groupScope
 * @return string|true true on success, otherwise a failure message that includes the filter
 */
protected function _checkGroupMembership(Zend_Ldap $ldap, $canonicalName, $dn, array $adapterOptions)
{
    // no group configured => nothing to verify
    if ($adapterOptions['group'] === null) {
        return true;
    }

    // which identity the group's member attribute holds
    $memberValue = ($adapterOptions['memberIsDn'] === false) ? $canonicalName : $dn;

    // Zend_Ldap_Filter::equals() is expected to escape the values, so neither
    // the configured group name nor the user identity can alter the filter
    // structure — confirm in Zend_Ldap_Filter_Abstract::escapeValue()
    $filter = Zend_Ldap_Filter::andFilter(
        Zend_Ldap_Filter::equals($adapterOptions['groupAttr'], $adapterOptions['group']),
        Zend_Ldap_Filter::equals($adapterOptions['memberAttr'], $memberValue)
    );

    // optional extra restriction on the group entry (skipped when empty())
    $extraFilter = $adapterOptions['groupFilter'];
    if (!empty($extraFilter)) {
        $filter = $filter->addAnd($extraFilter);
    }

    // The authenticated user may not be permitted to read group membership,
    // so re-bind with the "username"/"password" from the Zend_Ldap options
    // before searching; that account must be able to read the group entries.
    // After this call the connection is no longer bound as the user that
    // just authenticated.
    $ldap->bind();

    $matches = $ldap->count($filter, $adapterOptions['groupDn'], $adapterOptions['groupScope']);

    return ($matches === 1)
        ? true
        : 'Failed to verify group membership with ' . $filter->toString();
}
/**
 * Get the group memberships of a user from the sync backend (LDAP).
 *
 * Matches groups whose memberuid equals the user's uid OR whose member
 * attribute equals the user's DN, restricted by the group base filter.
 *
 * @param Tinebase_Model_User|string $_userId
 * @return array list of group ids (values of the configured group uuid attribute)
 */
public function getGroupMembershipsFromSyncBackend($_userId)
{
    $userMeta = $this->_getUserMetaData($_userId);

    // NOTE(review): Zend_Ldap_Filter::equals() is expected to escape its value
    // too, so the explicit filterEscape() may double-escape uids/DNs that
    // contain LDAP metacharacters — confirm
    $byUid = Zend_Ldap_Filter::equals('memberuid', Zend_Ldap::filterEscape($userMeta['uid'][0]));
    $byDn  = Zend_Ldap_Filter::equals('member', Zend_Ldap::filterEscape($userMeta['dn']));
    $filter = Zend_Ldap_Filter::andFilter(
        Zend_Ldap_Filter::string($this->_groupBaseFilter),
        Zend_Ldap_Filter::orFilter($byUid, $byDn)
    );

    if (Tinebase_Core::isLogLevel(Zend_Log::TRACE)) {
        Tinebase_Core::getLogger()->trace(__METHOD__ . '::' . __LINE__ . ' ldap search filter: ' . $filter);
    }

    $requestedAttributes = array('cn', 'description', $this->_groupUUIDAttribute);
    $groups = $this->_ldap->search($filter, $this->_options['groupsDn'], $this->_groupSearchScope, $requestedAttributes);

    // collect the first value of the uuid attribute of every matching group
    $memberships = array();
    foreach ($groups as $groupEntry) {
        $memberships[] = $groupEntry[$this->_groupUUIDAttribute][0];
    }

    if (Tinebase_Core::isLogLevel(Zend_Log::TRACE)) {
        Tinebase_Core::getLogger()->trace(__METHOD__ . '::' . __LINE__ . ' group memberships: ' . print_r($memberships, TRUE));
    }

    return $memberships;
}
/**
 * Fetch an Active Directory user entry by its sAMAccountName.
 *
 * @param string $login sAMAccountName to look up
 * @return mixed the first matching entry, or whatever getFirst() yields when nothing matched
 */
public function getUserByLogin($login)
{
    // NOTE(review): objectCategory is single-valued in AD, so AND-ing
    // objectCategory=person with objectCategory=user looks like it can never
    // match both; the usual idiom is (&(objectCategory=person)(objectClass=user)).
    // Verify against the directory before changing.
    $categoryFilter = Zend_Ldap_Filter::andFilter(
        Zend_Ldap_Filter::equals('objectCategory', 'person'),
        Zend_Ldap_Filter::equals('objectCategory', 'user')
    );
    // $login is not interpolated into a raw filter string; Zend_Ldap_Filter::equals()
    // is expected to escape it — confirm
    $loginFilter = Zend_Ldap_Filter::equals('samaccountname', $login);
    $filter = Zend_Ldap_Filter::andFilter($loginFilter, $categoryFilter);

    $requestedAttributes = array(
        'displayname', 'dn', 'givenname', 'name', 'samaccountname', 'sn',
        'whencreated', 'useraccountcontrol', 'memberof', 'telephoneNumber', 'objectguid',
    );

    // base DN and scope are left at null, i.e. the Zend_Ldap defaults
    $adUsers = $this->getLdap()->search($filter, null, null, $requestedAttributes);

    return $adUsers->getFirst();
}