[imp] Limit ldap user lists based on group membership.

Jan Schneider jan at horde.org
Sun Apr 18 12:04:15 UTC 2010


Quote from steen at ing-steen.se:

> Hello Jan!
>
>>
>> Message: 2
>> Date: Thu, 15 Apr 2010 09:44:10 +0200
>> From: Jan Schneider <jan at horde.org>
>> To: imp at lists.horde.org
>> Subject: Re: [imp] Limit ldap user lists based on group membership.
>> Message-ID: <20100415094410.75972wtpz6jyrruo at neo.wg.de>
>> Content-Type: text/plain; charset=ISO-8859-1; DelSp="Yes";
>>    format="flowed"
>>
>> Quote from steen at ing-steen.se:
>>
>> >> Quote from steen at ing-steen.se:
>> >>
>> >> >
>> >> > Hello Folks!
>> >> >
>> >> > How do I limit user list based on the ldap group of the administrator
>> >> > logged in (all is posix users and groups + shadow account) ?
>> >> >
>> >> >       In my case ldap group is same as the logged in users mail domain.
>> >> >       I have been looking around in the code, admin/user.php uses $users =
>> >> > $auth->listUsers(); for listing users.
>> >> >
>> >> > Or.. maybe Horde was not designed for more advanced user administration
>> >> > tasks..
>> >>
>> >> No, it's not indeed. You can try to work around this by adding some
>> >> PHP code to horde/config/conf.php. You can change the filters in the
>> >> auth configuration dynamically, based on the current user. If your
>> >> user names are full DNs, you can simply extract the group from
>> >> Auth::getAuth(). Otherwise you'd have to do a separate LDAP lookup.
>> >
>> > I tried to add some PHP code in horde/config/conf.php which set
>> > $conf['auth']['params']['filter'] so it sorts our users by group fails with
>> > Auth::getAuth(), It seems like conf.php is read in before I have the user
>> > logged in, only I could get hold of logged in user at this stage it would
>> > work, Faking a user by setting it static in conf.php additional code makes
>> > it work for that user.
>> >
>> > Then trying to use _horde_hook_preauthenticate almost works, now
>> > Auth::getAuth() is populated correctly and
>> > $GLOBALS['conf']['auth']['params']['filter'] is also set, BUT the value seems to
>> > get lost, because if I print it out in the lib/Horde/Auth/ldap.php
>> > listUsers() function (echo 'filter ' . $filter;) the old filter value gets
>> > back again.
>> >
>> > I got the feeling that it is something with GLOBALS preventing me to set a
>> > proper value to filter, how do I continue ?
>>
>> The configuration is cached in the session. Try a:
>> $GLOBALS['registry']->clearCache();
>> before changing the configuration parameter.
>>
>> Jan.
>>
>
> Thanks for the swift reply!
>
> I added the clearCache in the hook before setting the variable and it did
> not help either, result is exactly the same as before:
>
> $GLOBALS['registry']->clearCache();
> $GLOBALS['conf']['auth']['params']['filter'] =
>     '(&(objectclass=shadowaccount)(|(gidNumber=' . $ggg . ')(uid=kalle)(uid=Administrator)))';
>
> $ggg contains the LDAP evaluated group id.

Probably because the configuration is reloaded on the next request,
because the cache has been emptied.
Try re-adding the dynamic code to conf.php, and call clearCache() in
the postauthenticate hook. This way the configuration should be
reloaded on the request after the authentication request, so you have
the user name available when building the filter in conf.php.
As another safe-guard you can only set the filter if the user has
already been authenticated, i.e.:

if (Auth::getAuth()) {
     $conf['ldap']['params']['filter'] = 'foo' . Auth::getAuth() . 'bar';
}

> Then, next, I  hack the lib/Horde/Auth/ldap.php by adding this test-code
> snippet and feeding the "filter" variable directly, then it works:
>
>           $ds = @ldap_connect('127.0.0.1');
>           @ldap_set_option($ds, LDAP_OPT_PROTOCOL_VERSION, 3);
>           @ldap_bind($ds, 'cn=Manager,dc=my-domain,dc=com', 'horde');
>           $searchResults = @ldap_search($ds, 'dc=Users,dc=my-domain,dc=com',
>                                         'uid=' . Auth::getAuth());
>           $information = @ldap_get_entries($ds, $searchResults);
>           @ldap_close($ds);
>
>           $ggg = $information[0]['gidnumber'][0];
>
>           //$filter = $this->_getParamFilter();
>           $filter = '(&(objectclass=shadowaccount)(|(gidNumber=' . $ggg .
>                     ')(uid=kalle)(uid=Administrator)))';
>
> But this way, I have broken the "standard" horde code and future
> upgrades! :-(
> In other words: there must be another better way that make this
> functionallity.
>
> Best have been if the hook really worked, then we are back to that it was
> not possible to alter the $GLOBALS['conf']['auth']['params']['filter']
> after it was set.  But how ?
>
> Regards //
>                  //  Peter Steen
>
>
>
> --
> IMP mailing list - Join the hunt: http://horde.org/bounties/#imp
> Frequently Asked Questions: http://horde.org/faq/
> To unsubscribe, mail: imp-unsubscribe at lists.horde.org
>



Jan.

-- 
Do you need professional PHP or Horde consulting?
http://horde.org/consulting/
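The approach Jan describes above (build the filter in conf.php only once Auth::getAuth() is set, and call clearCache() from the postauthenticate hook so the next request re-reads conf.php), written out as an added example. This is not code from the thread or from the Horde project; the helper names prefixed example_, the LDAP host, base DN and bind account (the latter three taken from Peter's test snippet, with the password replaced by a placeholder), the attribute names and the postauthenticate hook signature are assumptions for illustration. The group lookup is the separate LDAP search Jan mentions for the case where user names are not full DNs, and every value that reaches a filter is escaped so a login name containing "*" or ")" cannot widen the user list.

```php
<?php
// Added example, not Horde or thread code. Names prefixed example_, the host,
// DNs, bind account and hook signature are assumptions for illustration.

/**
 * Escape a value for use inside an LDAP search filter (RFC 4515).
 * Uses ldap_escape() where available (PHP >= 5.6), otherwise an equivalent
 * replacement of the filter metacharacters.
 */
function example_ldap_filter_escape($value)
{
    if (function_exists('ldap_escape')) {
        return ldap_escape($value, '', LDAP_ESCAPE_FILTER);
    }
    $map = array('\\' => '\5c', '*' => '\2a', '(' => '\28', ')' => '\29', "\0" => '\00');
    return str_replace(array_keys($map), array_values($map), $value);
}

/**
 * Build the user-list filter restricted to one POSIX group. $extra_uids are
 * administrator accounts that must stay visible regardless of group.
 */
function example_build_user_filter($gid, array $extra_uids = array())
{
    if (!ctype_digit((string)$gid)) {
        throw new InvalidArgumentException('gidNumber must be numeric');
    }
    $parts = array('(gidNumber=' . $gid . ')');
    foreach ($extra_uids as $uid) {
        $parts[] = '(uid=' . example_ldap_filter_escape($uid) . ')';
    }
    return '(&(objectClass=shadowAccount)(|' . implode('', $parts) . '))';
}

/**
 * Look up the gidNumber of the authenticated user with a separate LDAP search.
 * Returns null on any failure so the caller keeps the static filter instead of
 * silently falling back to an unrestricted one.
 */
function example_lookup_gid($username, $host, $base_dn, $bind_dn, $bind_pw)
{
    $ds = ldap_connect($host);
    if (!$ds) {
        return null;
    }
    ldap_set_option($ds, LDAP_OPT_PROTOCOL_VERSION, 3);
    if (!ldap_bind($ds, $bind_dn, $bind_pw)) {
        ldap_close($ds);
        return null;
    }
    $filter = '(uid=' . example_ldap_filter_escape($username) . ')';
    $res = ldap_search($ds, $base_dn, $filter, array('gidNumber'));
    $gid = null;
    if ($res) {
        $entries = ldap_get_entries($ds, $res);
        // Exactly one match expected; anything else is treated as a failure.
        if ($entries['count'] === 1 && isset($entries[0]['gidnumber'][0])) {
            $gid = $entries[0]['gidnumber'][0];
        }
    }
    ldap_close($ds);
    return $gid;
}

// --- horde/config/conf.php: narrow the filter only for an authenticated user ---
if (class_exists('Auth') && Auth::getAuth()) {
    $gid = example_lookup_gid(Auth::getAuth(), '127.0.0.1',
                              'dc=Users,dc=my-domain,dc=com',
                              'cn=Manager,dc=my-domain,dc=com',
                              '<bind-password-placeholder>');
    if ($gid !== null) {
        $conf['auth']['params']['filter'] =
            example_build_user_filter($gid, array('kalle', 'Administrator'));
    }
}

// --- horde/config/hooks.php: drop the cached configuration after login so the
// next request re-reads conf.php with Auth::getAuth() populated ---
if (!function_exists('_horde_hook_postauthenticate')) {
    // Hook signature assumed from the Horde 3 hooks.php.dist layout.
    function _horde_hook_postauthenticate($userId, $credentials, $realm)
    {
        $GLOBALS['registry']->clearCache();
        return true;
    }
}
```

Keeping the gidNumber check numeric and escaping the uid values is what makes this safe to drive from the login name: without it, a crafted user name would be spliced straight into the filter that decides which accounts the administration page lists.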
