[imp] Limit ldap user lists based on group membership.

steen at ing-steen.se steen at ing-steen.se
Mon Apr 19 20:00:58 UTC 2010


>
> Zitat von steen at ing-steen.se:
>
> > Hello Jan!
> >
> >>
> >> Message: 2
> >> Date: Thu, 15 Apr 2010 09:44:10 +0200
> >> From: Jan Schneider <jan at horde.org>
> >> To: imp at lists.horde.org
> >> Subject: Re: [imp] Limit ldap user lists based on group membership.
> >> Message-ID: <20100415094410.75972wtpz6jyrruo at neo.wg.de>
> >> Content-Type: text/plain; charset=ISO-8859-1; DelSp="Yes";
> >>    format="flowed"
> >>
> >> Zitat von steen at ing-steen.se:
> >>
> >> >> Zitat von steen at ing-steen.se:
> >> >>
> >> >> >
> >> >> > Hello Folks!
> >> >> >
> >> >> > How do I limit the user list based on the LDAP group of the
> >> >> > administrator logged in (all are POSIX users and groups + shadow
> >> >> > account)?
> >> >> >
> >> >> >       In my case the LDAP group is the same as the logged-in user's
> >> >> >       mail domain.
> >> >> >       I have been looking around in the code, admin/user.php uses
> >> >> >       $users = $auth->listUsers(); for listing users.
> >> >> >
> >> >> > Or.. maybe Horde was not designed for more advanced user
> >> >> > administration tasks..
> >> >>
> >> >> No, it's not indeed. You can try to work around this by adding some
> >> >> PHP code to horde/config/conf.php. You can change the filters in the
> >> >> auth configuration dynamically, based on the current user. If your
> >> >> user names are full DNs, you can simply extract the group from
> >> >> Auth::getAuth(). Otherwise you'd have to do a separate LDAP lookup.
> >> >
> >> > I tried to add some PHP code in horde/config/conf.php which sets
> >> > $conf['auth']['params']['filter'] so it sorts our users by group. It
> >> > fails with Auth::getAuth(); it seems like conf.php is read in before I
> >> > have the user logged in. Only if I could get hold of the logged-in user
> >> > at this stage would it work. Faking a user by setting it static in the
> >> > conf.php additional code makes it work for that user.
> >> >
> >> > Then, trying to set _horde_hook_preauthenticate almost works, now
> >> > Auth::getAuth() is populated correctly and
> >> > $GLOBALS['conf']['auth']['params']['filter'] is also set, BUT the value
> >> > seems to get lost, because if I print it out in the
> >> > lib/Horde/Auth/ldap.php listUsers() function (echo 'filter ' . $filter;)
> >> > the old filter value gets back again.
> >> >
> >> > I got the feeling that it is something with GLOBALS preventing me from
> >> > setting a proper value to filter, how do I continue ?
> >>
> >> The configuration is cached in the session. Try a:
> >> $GLOBALS['registry']->clearCache();
> >> before changing the configuration parameter.
> >>
> >> Jan.
> >>
> >
> > Thanks for the swift reply!
> >
> > I added the clearCache in the hook before setting the variable and it did
> > not help either, the result is exactly the same as before:
> >
> > $GLOBALS['registry']->clearCache();
> > $GLOBALS['conf']['auth']['params']['filter'] =
> > '(&(objectclass=shadowaccount)(|(gidNumber=' . $ggg .
> > ')(uid=kalle)(uid=Administrator)))';
> >
> > $ggg contains the LDAP evaluated group id.
>
> Probably because the configuration is reloaded on the next request,
> because the cache has been emptied.
> Try re-adding the dynamic code to conf.php, and call clearCache() in
> the postauthenticate hook. This way the configuration should be
> reloaded on the request after the authentication request, so you have
> the user name available when building the filter in conf.php.
> As another safe-guard you can only set the filter if the user has
> already been authenticated, i.e.:
>
> if (Auth::getAuth()) {
>      $conf['ldap']['params']['filter'] = 'foo' . Auth::getAuth() . 'bar';
> }
>


Hello Jan!

Thanks, it did not help, same result!

It seems like Horde never enters the 'safe-guard'. To be noticed: I tried
both the preauth hook and the post hook, same result, it did not work.

In conf.php:
.
.
.
if (Auth::getAuth()) {
    // Look up the logged-in user's entry to find its primary group.
    $ds = @ldap_connect('127.0.0.1');
    @ldap_set_option($ds, LDAP_OPT_PROTOCOL_VERSION, '3');
    @ldap_bind($ds, 'cn=Manager,dc=my-domain,dc=com', 'horde');
    $searchResults = @ldap_search($ds, 'dc=Users,dc=my-domain,dc=com',
                                  'uid=' . Auth::getAuth());
    $information = @ldap_get_entries($ds, $searchResults);
    @ldap_close($ds);
    $ggg = $information[0]['gidnumber'][0];   // primary group id
    $uuu = $information[0]['uid'][0];         // login name
    // Everyone except the superadmin only gets to list their own group.
    if ($uuu != $conf['auth']['superadmin']) {
        $conf['auth']['params']['filter'] =
            '(&(objectclass=shadowaccount)(gidNumber=' . $ggg . '))';
    }
}

And in hooks.php:
.
.
.
if (!function_exists('_horde_hook_postauthenticate')) {
    // Drop the session-cached configuration after login so that conf.php
    // is read again on the next request.
    function _horde_hook_postauthenticate($userID, $credential, $realm)
    {
        $GLOBALS['registry']->clearCache();
        $ret = true;
        return $ret;
    }
}

Also, to check if the code was/is reloaded, we changed conf.php manually
and saved it during one session, same result:
the $GLOBALS['conf']['auth']['params']['filter'] did not change.

I also hacked the ldap.php file to see if there were some problems setting
the GLOBALS variable:
// set the filter right before it is read back
$GLOBALS['conf']['auth']['params']['filter'] =
    '(&(objectclass=shadowaccount)(|(gidNumber=1002)))';
$filter = $this->_getParamFilter();
echo $filter;

Result that is printed:
(objectclass=shadowaccount)

Not the expected (&(objectclass=shadowaccount)(|(gidNumber=1002)))

This verifies that there are some problems setting the
$GLOBALS['conf']['auth']['params']['filter'], maybe it is a limitation in Horde ??


> > Then, next, I hack the lib/Horde/Auth/ldap.php by adding this test-code
> > snippet and feeding the "filter" variable directly, then it works:
> >
> >           $ds = @ldap_connect('127.0.0.1');
> >           @ldap_set_option($ds, LDAP_OPT_PROTOCOL_VERSION, '3');
> >           @ldap_bind($ds, 'cn=Manager,dc=my-domain,dc=com', 'horde');
> >           $searchResults = @ldap_search($ds,
> > 'dc=Users,dc=my-domain,dc=com', 'uid=' . Auth::getAuth());
> >           $information = @ldap_get_entries($ds, $searchResults);
> >           @ldap_close($ds);
> >
> >           $ggg = $information[0]['gidnumber'][0];
> >
> >           //$filter = $this->_getParamFilter();
> >           $filter = '(&(objectclass=shadowaccount)(|(gidNumber=' . $ggg .
> >               ')(uid=kalle)(uid=Administrator)))';
> >
> > But this way, I have broken the "standard" horde code and future
> > upgrades! :-(
> > In other words: there must be another, better way that makes this
> > functionality work.
> >
> > Best would have been if the hook really worked; then we are back to the
> > fact that it was not possible to alter the
> > $GLOBALS['conf']['auth']['params']['filter'] after it was set.  But how ?
> >
> > Regards //
> >                  //  Peter Steen
> >
> >
> >
> > McAfee check.
> > --
> > IMP mailing list - Join the hunt: http://horde.org/bounties/#imp
> > Frequently Asked Questions: http://horde.org/faq/
> > To unsubscribe, mail: imp-unsubscribe at lists.horde.org
> >
>
>
>
> Jan.
>
> --
> Do you need professional PHP or Horde consulting?
> http://horde.org/consulting/
>
>
>
>
>
> McAfee check.



McAfee check.
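As an added example for this thread (not code from the mailing list or from Horde itself), here is how the group-restricted user-list filter discussed above could be built with every user-derived value escaped for an LDAP filter. The thread's snippets splice Auth::getAuth() and the looked-up gidNumber straight into the filter string; if a login name contains LDAP filter metacharacters, that changes the meaning of the search, so the values should be escaped before they are concatenated. The function names imp_ldap_filter_escape(), imp_lookup_gid() and imp_user_list_filter(), and the keys of the $ldap connection array, are assumptions invented here; Auth::getAuth() and $conf['auth']['superadmin'] are the Horde 3 names the thread uses. The session-caching problem the thread is actually stuck on is a separate matter and is not solved by this code.

```php
<?php
// Added example for this thread; it is not code from the mailing list or
// from Horde. It builds the group-restricted user-list filter with every
// user-derived value escaped, so a login name containing filter
// metacharacters cannot change the meaning of the search.
// Assumed names: imp_ldap_filter_escape(), imp_lookup_gid(),
// imp_user_list_filter() and the $ldap connection array are invented
// here; Auth::getAuth() and $conf['auth']['superadmin'] are the Horde 3
// names the thread itself uses.

/**
 * Escape one value for use inside an LDAP search filter (RFC 4515 s.3):
 * '*', '(', ')', '\' and NUL become a backslash plus two hex digits.
 * PHP 5.6+ ships ldap_escape($v, '', LDAP_ESCAPE_FILTER) for the same job;
 * this version also runs on the PHP 5.2/5.3 releases of the thread's era.
 */
function imp_ldap_filter_escape($value)
{
    $value = (string) $value;
    $out = '';
    for ($i = 0, $n = strlen($value); $i < $n; $i++) {
        $c = $value[$i];
        if ($c === '*' || $c === '(' || $c === ')' || $c === '\\' || $c === "\0") {
            $out .= sprintf('\\%02x', ord($c));
        } else {
            $out .= $c;
        }
    }
    return $out;
}

/**
 * Find the primary group (gidNumber) of the logged-in user. Returns null
 * when the bind fails or the user does not resolve to exactly one entry,
 * so the caller can fail closed instead of listing everybody.
 * $ldap holds 'hostspec', 'binddn', 'password' and 'basedn' (assumed keys).
 */
function imp_lookup_gid(array $ldap, $loginUid)
{
    $ds = @ldap_connect($ldap['hostspec']);
    if (!$ds) {
        return null;
    }
    ldap_set_option($ds, LDAP_OPT_PROTOCOL_VERSION, 3);
    if (!@ldap_bind($ds, $ldap['binddn'], $ldap['password'])) {
        ldap_close($ds);
        return null;
    }
    // The login name originates from the user: escape it before use.
    $filter = '(&(objectclass=shadowaccount)(uid='
        . imp_ldap_filter_escape($loginUid) . '))';
    $res = @ldap_search($ds, $ldap['basedn'], $filter, array('gidNumber'));
    $entries = $res ? ldap_get_entries($ds, $res) : false;
    ldap_close($ds);
    if (!$entries || $entries['count'] !== 1
        || !isset($entries[0]['gidnumber'][0])) {
        return null;
    }
    return $entries[0]['gidnumber'][0];
}

/**
 * Build the user-list filter for the logged-in administrator: the
 * superadmin keeps the unrestricted filter, everyone else is limited to
 * accounts whose gidNumber equals their own primary group. A gidNumber
 * that is not purely numeric is rejected rather than spliced into the filter.
 */
function imp_user_list_filter($loginUid, $gidNumber, $superadminUid)
{
    $base = '(objectclass=shadowaccount)';
    if ($loginUid === $superadminUid) {
        return $base;
    }
    if (!preg_match('/^\d+$/', (string) $gidNumber)) {
        throw new InvalidArgumentException('gidNumber must be numeric');
    }
    return '(&' . $base . '(gidNumber=' . imp_ldap_filter_escape($gidNumber) . '))';
}

// Wiring it into conf.php the way the thread does. The connection values
// are constructed placeholders (the same ones the thread's snippet uses);
// the session-caching problem discussed in the thread is not addressed here.
//
// if (Auth::getAuth()) {
//     $ldap = array('hostspec' => '127.0.0.1',
//                   'binddn'   => 'cn=Manager,dc=my-domain,dc=com',
//                   'password' => 'horde',
//                   'basedn'   => 'dc=Users,dc=my-domain,dc=com');
//     $gid = imp_lookup_gid($ldap, Auth::getAuth());
//     $conf['auth']['params']['filter'] = ($gid === null)
//         ? '(!(objectclass=*))'   // fail closed: unknown user lists nobody
//         : imp_user_list_filter(Auth::getAuth(), $gid,
//                                $conf['auth']['superadmin']);
// }
```

Two design points: the lookup restricts the search to exactly one matching entry and returns null otherwise, so an ambiguous or missing account yields a filter that matches nothing rather than the unrestricted default; and the gidNumber is validated as numeric even though it comes from the directory, because the filter is the only thing standing between a non-superadmin and the full user list.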

