[Tickets #12295] Add POSIX group membership handling for LDAP accounts/groups

noreply at bugs.horde.org noreply at bugs.horde.org
Mon Jun 3 16:16:17 UTC 2013


DO NOT REPLY TO THIS MESSAGE. THIS EMAIL ADDRESS IS NOT MONITORED.

Ticket URL: http://bugs.horde.org/ticket/12295
------------------------------------------------------------------------------
  Ticket             | 12295
  Created By         | Joerg.Pulz at frm2.tum.de
  Summary            | Add POSIX group membership handling for LDAP
                     | accounts/groups
  Queue              | Horde Framework Packages
  Version            | Git master
  Type               | Enhancement
  State              | New
  Priority           | 2. Medium
  Milestone          |
  Patch              | 1
  Owners             |
------------------------------------------------------------------------------


Joerg.Pulz at frm2.tum.de (2013-06-03 16:16) wrote:

If one is using the LDAP nis.schema to manage POSIX accounts in LDAP  
the numerical ID of the primary group of the user is normally stored  
in the gidNumber attribute of the posixAccount. Additional groups are  
stored in the memberUid attribute of the posixGroup.
Vanilla HORDE is unable to retrieve the primary group of the  
posixAccount, instead only the memberUid attribute of the posixGroup  
can be evaluated which results in incomplete group member lists.

Attached is a patch that adds the necessary bits and pieces to the
LDAP group driver to evaluate the primary group of a posixAccount.
Results are arrays with merged results of the new primary group and
the default memberUid lookup.

NOTE: Only read support as we don't write to LDAP using HORDE.

Configuration options are provided for easy setup. Default behavior is  
unchanged.

modified functions:
listUsers()
- if $this->_params['posix'] is true
* get numerical ID ($this->_params['posixgidnumber']) of the group
* search LDAP auth basedn  
($GLOBALS['conf']['auth']['params']['basedn']) for users with matching  
group ID
* if group has no memberUid attribute return list else return merged  
and resorted list

listGroups()
- if $this->_params['posix'] is true
* get numerical group ID ($this->_params['posixgidnumber']) of the  
user with filter ($this->_params['posixfilter'])
* get group name ($this->_params['gid']) by numerical group ID
* merge and sort results with results from memberUid lookup
* return results

Added new configuration parameters to conf.xml
- posix (Yes/No - true/false)
- posixgidnumber (numerical group ID, defaults to LDAP attribute 'gidNumber')
- posixfilter (LDAP RFC formatted filter to match POSIX users,
defaults to '(objectclass=posixAccount)')



Joerg.Pulz at frm2.tum.de (2013-06-03 16:16) uploaded:  
horde_posix-group_membership.diff

http://bugs.horde.org/h/services/download/?module=whups&actionID=download_file&file=horde_posix-group_membership.diff&ticket=12295&fn=%2Fhorde_posix-group_membership.diff
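
The lookup described in the ticket, as an added example (not the attached patch and not Horde code): it merges primary-group members found via gidNumber with the memberUid list and shows what a memberUid-only lookup misses. The Python function names and the sample entries are assumptions for illustration; the attribute and filter defaults are the ones named in the ticket, and the value placed into the search filter is escaped per RFC 4515.

```python
# Constructed RFC 2307 (nis.schema) sample entries; not data from the ticket.
USERS = [
    {"uid": "alice", "gidNumber": "1000"},
    {"uid": "bob", "gidNumber": "1001"},
    {"uid": "carol", "gidNumber": "1000"},
]
GROUPS = [
    {"cn": "staff", "gidNumber": "1000", "memberUid": ["bob"]},
    {"cn": "ops", "gidNumber": "1001"},  # group without memberUid
    {"cn": "wiki", "gidNumber": "1002", "memberUid": ["alice", "bob"]},
]

def escape_filter_value(value):
    """Escape a value for use inside an LDAP search filter (RFC 4515)."""
    return "".join("\\%02x" % ord(c) if c in "\\*()\x00" else c
                   for c in str(value))

def primary_member_filter(gid_number, attr="gidNumber",
                          posixfilter="(objectclass=posixAccount)"):
    """Filter a real driver would send to find users by primary group."""
    return "(&%s(%s=%s))" % (posixfilter, attr, escape_filter_value(gid_number))

def list_users_memberuid_only(group_cn):
    """Behaviour without POSIX handling: only memberUid is evaluated."""
    group = next(g for g in GROUPS if g["cn"] == group_cn)
    return sorted(group.get("memberUid", []))

def list_users(group_cn):
    """Members whose primary group matches, merged with memberUid, sorted."""
    group = next(g for g in GROUPS if g["cn"] == group_cn)
    primary = {u["uid"] for u in USERS if u["gidNumber"] == group["gidNumber"]}
    return sorted(primary | set(group.get("memberUid", [])))

def list_groups(uid):
    """Primary group of the user merged with groups listing it in memberUid."""
    user = next(u for u in USERS if u["uid"] == uid)
    primary = {g["cn"] for g in GROUPS if g["gidNumber"] == user["gidNumber"]}
    extra = {g["cn"] for g in GROUPS if uid in g.get("memberUid", [])}
    return sorted(primary | extra)

if __name__ == "__main__":
    print(list_users_memberuid_only("staff"), list_users("staff"))
    print(list_groups("bob"), primary_member_filter("1000"))
```

Any access decision based on the memberUid-only result would treat alice and carol as outside "staff" even though it is their primary group.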




