[imp] Limit ldap user lists based on group membership.

steen at ing-steen.se steen at ing-steen.se
Thu Apr 15 20:28:43 UTC 2010 

Hello Jan!

>
> Message: 2
> Date: Thu, 15 Apr 2010 09:44:10 +0200
> From: Jan Schneider <jan at horde.org>
> To: imp at lists.horde.org
> Subject: Re: [imp] Limit ldap user lists based on group membership.
> Message-ID: <20100415094410.75972wtpz6jyrruo at neo.wg.de>
> Content-Type: text/plain; charset=ISO-8859-1; DelSp="Yes";
>    format="flowed"
>
> Zitat von steen at ing-steen.se:
>
> >> Zitat von steen at ing-steen.se:
> >>
> >> >
> >> > Hello Folks!
> >> >
> >> > How do I limit user list based on a the ldap group of the
administrator
> >> > logged in (all is posix users and groups + shadow account) ?
> >> >
> >> >       In my case ldap group is same as the logged in users mail
domain.
> >> >       I have been looking around in the code, admin/user.php uses
> > $users =
> >> > $auth->listUsers(); for listing users.
> >> >
> >> > Or.. maby Horde was not designed for more advanced user
administration
> >> > tasks..
> >>
> >> No, it's not indeed. You can try to work around this by adding some
> >> PHP code to horde/config/conf.php. You can change the filters in the
> >> auth configuration dynamically, based on the current user. If your
> >> user names are full DNs, you can simply extract the group from
> >> Auth::getAuth(). Otherwise you'd have to do a separate LDAP lookup.
> >
> > I tried to add some PHP code in horde/config/conf.php which set $conf
> > ['auth']['params']['filter'] so it sorts our users by group fails with
> > Auth::getAuth(), It seems like conf.php is read in before I have the
user
> > logged in, only I could get hold of logged in user at this stage it
would
> > work, Faking a user by setting it static in conf.php additional code
makes
> > it work for that user.
> >
> > Then  trying use set _horde_hook_preauthenticate almost works, now
> > Auth::getAuth()is populated correctly and $GLOBALS
> > ['conf']['auth']['params']['filter'] is also set, BUT the value seems
to
> > get lost, because if I print it out in the lib/Horde/Auth/ldap.php
> > listUsers() function (echo 'filter ' . $filter;) the old filter value
get
> > back again.
> >
> > I got the feeling that it is something with GLOBALS preventing me to
set a
> > proper value to filter, how do I confinue ?
>
> The configuration is cached in the session. Try a:
> $GLOBALS['registry']->clearCache();
> before changing the configuration parameter.
>
> Jan.
>

Thanks for the swift reply!

I added the clearCache in the hook before setting the variable and it did
not help either, result is exactly the same as before:

$GLOBALS['registry']->clearCache();
$GLOBALS['conf']['auth']['params']['filter'] =
'(&(objectclass=shadowaccount)(|(gidNumber=' . $ggg .
')(uid=kalle)(uid=Administrator)))';

$ggg contains the LDAP evaluated group id.

Then, next, I  hack the lib/Horde/Auth/ldap.php by adding this test-code
snippet and feeding the "filter" variable directly, then it works:

          $ds = @ldap_connect('127.0.0.1');
          @ldap_set_option($ds, LDAP_OPT_PROTOCOL_VERSION, '3');
          @ldap_bind($ds, 'cn=Manager,dc=my-domain,dc=com', 'horde');
          $searchResults = @ldap_search($ds,
'dc=Users,dc=my-domain,dc=com', 'uid=' . Auth::getAuth());
          $information = @ldap_get_entries($ds, $searchResults);
          @ldap_close($ds);

          $ggg = $information[0]['gidnumber'][0];

          //$filter = $this->_getParamFilter();
          $filter = '(&(objectclass=shadowaccount)(|(gidNumber=' . $ggg .
')(uid=kalle)(uid=Administrator)))';

But this way, I have broken the "standard" horde code and future
upgrades! :-(
In other words: there must be another better way that make this
functionallity.

Best have been if the hook really worked, then we are back to that it was
not possible to alter the $GLOBALS['conf']['auth']['params']['filter']
after it was set.  But how ?

Regards //
                 //  Peter Steen



McAfee check.

More information about the imp mailing list