[imp] Limit ldap user lists based on group membership.

Jan Schneider jan at horde.org
Tue Apr 20 11:00:20 UTC 2010


Quoting steen at ing-steen.se:

>>
>> Quoting steen at ing-steen.se:
>>
>> > Hello Jan!
>> >
>> >>
>> >> Message: 2
>> >> Date: Thu, 15 Apr 2010 09:44:10 +0200
>> >> From: Jan Schneider <jan at horde.org>
>> >> To: imp at lists.horde.org
>> >> Subject: Re: [imp] Limit ldap user lists based on group membership.
>> >> Message-ID: <20100415094410.75972wtpz6jyrruo at neo.wg.de>
>> >> Content-Type: text/plain; charset=ISO-8859-1; DelSp="Yes";
>> >>    format="flowed"
>> >>
>> >> Quoting steen at ing-steen.se:
>> >>
>> >> >> Quoting steen at ing-steen.se:
>> >> >>
>> >> >> >
>> >> >> > Hello Folks!
>> >> >> >
>> >> >> > How do I limit the user list based on the ldap group of the
>> >> >> > administrator logged in (all are posix users and groups + shadow account) ?
>> >> >> >
>> >> >> >       In my case ldap group is same as the logged in users mail domain.
>> >> >> >       I have been looking around in the code, admin/user.php uses
>> >> >> > $users = $auth->listUsers(); for listing users.
>> >> >> >
>> >> >> > Or.. maybe Horde was not designed for more advanced user
>> >> >> > administration tasks..
>> >> >>
>> >> >> No, it's not indeed. You can try to work around this by adding some
>> >> >> PHP code to horde/config/conf.php. You can change the filters in the
>> >> >> auth configuration dynamically, based on the current user. If your
>> >> >> user names are full DNs, you can simply extract the group from
>> >> >> Auth::getAuth(). Otherwise you'd have to do a separate LDAP lookup.
>> >> >
>> >> > I tried to add some PHP code in horde/config/conf.php which sets
>> >> > $conf['auth']['params']['filter'] so it sorts our users by group; it fails
>> >> > with Auth::getAuth(). It seems like conf.php is read in before I have the
>> >> > user logged in; only if I could get hold of the logged in user at this
>> >> > stage would it work. Faking a user by setting it static in the conf.php
>> >> > additional code makes it work for that user.
>> >> >
>> >> > Then trying to use _horde_hook_preauthenticate almost works; now
>> >> > Auth::getAuth() is populated correctly and
>> >> > $GLOBALS['conf']['auth']['params']['filter'] is also set, BUT the value
>> >> > seems to get lost, because if I print it out in the
>> >> > lib/Horde/Auth/ldap.php listUsers() function (echo 'filter ' . $filter;)
>> >> > the old filter value comes back again.
>> >> >
>> >> > I got the feeling that it is something with GLOBALS preventing me from
>> >> > setting a proper value to filter; how do I continue?
>> >>
>> >> The configuration is cached in the session. Try a:
>> >> $GLOBALS['registry']->clearCache();
>> >> before changing the configuration parameter.
>> >>
>> >> Jan.
>> >>
>> >
>> > Thanks for the swift reply!
>> >
>> > I added the clearCache in the hook before setting the variable and it
>> > did not help either; the result is exactly the same as before:
>> >
>> > $GLOBALS['registry']->clearCache();
>> > $GLOBALS['conf']['auth']['params']['filter'] =
>> > '(&(objectclass=shadowaccount)(|(gidNumber=' . $ggg .
>> > ')(uid=kalle)(uid=Administrator)))';
>> >
>> > $ggg contains the LDAP evaluated group id.
>>
>> Probably because the configuration is reloaded on the next request,
>> because the cache has been emptied.
>> Try re-adding the dynamic code to conf.php, and call clearCache() in
>> the postauthenticate hook. This way the configuration should be
>> reloaded on the request after the authentication request, so you have
>> the user name available when building the filter in conf.php.
>> As another safe-guard you can only set the filter if the user has
>> already been authenticated, i.e.:
>>
>> if (Auth::getAuth()) {
>>      $conf['ldap']['params']['filter'] = 'foo' . Auth::getAuth() . 'bar';
>> }
>>
>
>
> Hello Jan!
>
> Thanks, it did not help, same result!
>
> It seems like horde never enters the 'safe-guard', to be noticed, I tried
> both preauth hook and post hook, same result, it did not work.
>
> In conf.php:
> .
> .
> .
> if (Auth::getAuth()) {
>           $ds = @ldap_connect('127.0.0.1');
>           @ldap_set_option($ds, LDAP_OPT_PROTOCOL_VERSION, '3');
>           @ldap_bind($ds, 'cn=Manager,dc=my-domain,dc=com', 'horde');
>           $searchResults = @ldap_search($ds, 'dc=Users,dc=my-domain,dc=com', 'uid=' . Auth::getAuth());
>           $information = @ldap_get_entries($ds, $searchResults);
>           @ldap_close($ds);
>           $ggg = $information[0]['gidnumber'][0];
>           $uuu = $information[0]['uid'][0];
>         if ( $uuu != $conf['auth']['superadmin'] ) {
>                 $conf['auth']['params']['filter'] = '(&(objectclass=shadowaccount)(gidNumber=' . $ggg . '))';
>         }
> }
>
> And in hooks.php:
> .
> .
> .
>  if (!function_exists('_horde_hook_postauthenticate')) {
>      function _horde_hook_postauthenticate($userID, $credential, $realm)
>      {
>         $GLOBALS['registry']->clearCache();
>          $ret = true;
>          return $ret;
>      }
>  }
>
> Also to check if the code was/is reloaded, we did change the conf.php
> manually and saved it during one session, same result,
> the $GLOBALS['conf']['auth']['params']['filter'] did not change.
>
> I also hacked the ldap.php file to see if there was some problems setting
> the GLOBALS variable:
> $GLOBALS['conf']['auth']['params']['filter'] = '(&(objectclass=shadowaccount)(|(gidNumber=1002)))';
> $filter = $this->_getParamFilter();
> echo $filter;
>
> Result that is printed:
> (objectclass=shadowaccount)
>
> Not the expected (&(objectclass=shadowaccount)(|(gidNumber=1002)))
>
> This verifies that there are some problems setting the
> $GLOBALS['conf']['auth']['params']['filter'], maybe it is a limitation in horde ??

Did you enable the postauthenticate hook in the horde configuration?  
Did you check if the hook is called at all?

Other than that, I'm out of ideas. You probably have to trace the code  
yourself.

Jan.

-- 
Do you need professional PHP or Horde consulting?
http://horde.org/consulting/
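For readers trying the same approach, here is an added example of the conf.php fragment the thread is circling around, written for this archive page and not taken from the poster's code or from Horde itself. It keeps the config keys and the Auth::getAuth() call from the thread but, unlike the snippet above, escapes the uid before splicing it into the LDAP search filter (an unescaped value lets a login name alter the filter), uses a read-only bind instead of the manager DN, and fails closed to an empty user list when the group lookup does not return exactly one entry. The LDAP host, base DN, bind DN and password are placeholders; it assumes Auth::getAuth() returns a bare uid, as in the thread, and that $conf['auth']['superadmin'] holds the admin login as the poster's code does.

```php
<?php
// Added example for horde/config/conf.php (not the poster's code, not Horde's).
// Assumptions: Auth::getAuth() yields a bare uid; LDAP host, base DN, bind DN
// and password below are placeholders to replace with the real deployment's.

/**
 * Escape a value for use inside an LDAP search filter (RFC 4515).
 * PHP >= 5.6 ships ldap_escape(); the str_replace() branch covers older
 * installs such as the 2010 one in the thread.
 */
function imp_ldap_filter_escape($value)
{
    if (function_exists('ldap_escape')) {
        return ldap_escape($value, '', LDAP_ESCAPE_FILTER);
    }
    return str_replace(
        array('\\', '*', '(', ')', "\x00"),
        array('\5c', '\2a', '\28', '\29', '\00'),
        $value
    );
}

/**
 * Look up the primary gidNumber of $uid with a read-only bind.
 * Returns null when the directory is unreachable or the uid does not
 * resolve to exactly one entry.
 */
function imp_lookup_gid($uid)
{
    $ds = ldap_connect('127.0.0.1');                   // placeholder host
    if (!$ds) {
        return null;
    }
    ldap_set_option($ds, LDAP_OPT_PROTOCOL_VERSION, 3);
    // Placeholder read-only service account (not the manager DN).
    if (!@ldap_bind($ds, 'cn=reader,dc=example,dc=com', 'PLACEHOLDER_PASSWORD')) {
        ldap_close($ds);
        return null;
    }
    $filter = '(&(objectclass=shadowaccount)(uid=' . imp_ldap_filter_escape($uid) . '))';
    $res = @ldap_search($ds, 'dc=Users,dc=example,dc=com', $filter, array('gidnumber'));
    $gid = null;
    if ($res) {
        $entries = ldap_get_entries($ds, $res);
        if ($entries['count'] === 1 && isset($entries[0]['gidnumber'][0])) {
            $gid = $entries[0]['gidnumber'][0];
        }
    }
    ldap_close($ds);
    return $gid;
}

/**
 * Build the listUsers() filter for $uid: unrestricted for the superadmin,
 * restricted to the user's own group otherwise, and matching nothing when
 * the group cannot be determined.
 */
function imp_build_user_filter($uid, $superadmin)
{
    if ($uid === $superadmin) {
        return '(objectclass=shadowaccount)';
    }
    $gid = imp_lookup_gid($uid);
    if ($gid === null || !ctype_digit((string) $gid)) {
        // Fail closed: an empty result set rather than the unrestricted list.
        return '(&(objectclass=shadowaccount)(!(objectclass=*)))';
    }
    return '(&(objectclass=shadowaccount)(gidNumber=' . $gid . '))';
}

// Only narrow the filter once someone is logged in; before authentication the
// default filter set earlier in conf.php stays in effect.
if (Auth::getAuth()) {
    $conf['auth']['params']['filter'] = imp_build_user_filter(
        Auth::getAuth(), $conf['auth']['superadmin']
    );
}
```

As the thread notes, the configuration is cached in the session, so this fragment only takes effect on the request after $GLOBALS['registry']->clearCache() has run in the postauthenticate hook, and only if that hook is enabled in the Horde configuration. The gidNumber is checked with ctype_digit() so that only a numeric value ever reaches the filter, and the deny-all branch means a directory outage narrows the user list instead of widening it.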


