[imp] Limit ldap user lists based on group membership.

steen at ing-steen.se steen at ing-steen.se
Tue Apr 20 16:11:07 UTC 2010


>> >> >> > Hello Folks!
>> >> >> >
>> >> >> > How do I limit the user list based on the ldap group of the
>> >> >> > administrator logged in (all are posix users and groups + shadow
>> >> >> > account)?
>> >> >> >
>> >> >> >       In my case the ldap group is the same as the logged in user's
>> >> >> >       mail domain.
>> >> >> >       I have been looking around in the code, admin/user.php uses
>> >> >> >       $users = $auth->listUsers(); for listing users.
>> >> >> >
>> >> >> > Or.. maybe Horde was not designed for more advanced user
>> >> >> > administration tasks..
>> >> >>
>> >> >> No, it's not indeed. You can try to work around this by adding some
>> >> >> PHP code to horde/config/conf.php. You can change the filters in the
>> >> >> auth configuration dynamically, based on the current user. If your
>> >> >> user names are full DNs, you can simply extract the group from
>> >> >> Auth::getAuth(). Otherwise you'd have to do a separate LDAP lookup.
>> >> >
>> >> > I tried to add some PHP code in horde/config/conf.php which sets
>> >> > $conf['auth']['params']['filter'] so it sorts our users by group. It
>> >> > fails with Auth::getAuth(); it seems like conf.php is read in before I
>> >> > have the user logged in. If only I could get hold of the logged in user
>> >> > at this stage it would work. Faking a user by setting it static in the
>> >> > conf.php additional code makes it work for that user.
>> >> >
>> >> > Then trying to use _horde_hook_preauthenticate almost works, now
>> >> > Auth::getAuth() is populated correctly and
>> >> > $GLOBALS['conf']['auth']['params']['filter'] is also set, BUT the value
>> >> > seems to get lost, because if I print it out in the
>> >> > lib/Horde/Auth/ldap.php listUsers() function (echo 'filter ' . $filter;)
>> >> > the old filter value comes back again.
>> >> >
>> >> > I got the feeling that it is something with GLOBALS preventing me from
>> >> > setting a proper value to filter, how do I continue?
>> >>
>> >> The configuration is cached in the session. Try a:
>> >> $GLOBALS['registry']->clearCache();
>> >> before changing the configuration parameter.
>> >>
>> >> Jan.
>> >>
>> >
>> > Thanks for the swift reply!
>> >
>> > I added the clearCache in the hook before setting the variable and it did
>> > not help either, result is exactly the same as before:
>> >
>> > $GLOBALS['registry']->clearCache();
>> > $GLOBALS['conf']['auth']['params']['filter'] =
>> > '(&(objectclass=shadowaccount)(|(gidNumber=' . $ggg .
>> > ')(uid=kalle)(uid=Administrator)))';
>> >
>> > $ggg contains the LDAP evaluated group id.
>>
>> Probably because the configuration is reloaded on the next request,
>> because the cache has been emptied.
>> Try re-adding the dynamic code to conf.php, and call clearCache() in
>> the postauthenticate hook. This way the configuration should be
>> reloaded on the request after the authentication request, so you have
>> the user name available when building the filter in conf.php.
>> As another safe-guard you can only set the filter if the user has
>> already been authenticated, i.e.:
>>
>> if (Auth::getAuth()) {
>>     $conf['ldap']['params']['filter'] = 'foo' . Auth::getAuth() . 'bar';
>> }
>>
>
>
> Hello Jan!
>
> Thanks, it did not help, same result!
>
> It seems like horde never enters the 'safe-guard', to be noticed, I tried
> both preauth hook and post hook, same result, it did not work.
>
> In conf.php:
> .
> .
> .
> if (Auth::getAuth()) {
>     $ds = @ldap_connect('127.0.0.1');
>     @ldap_set_option($ds, LDAP_OPT_PROTOCOL_VERSION, '3');
>     @ldap_bind($ds, 'cn=Manager,dc=my-domain,dc=com', 'horde');
>     $searchResults = @ldap_search($ds, 'dc=Users,dc=my-domain,dc=com',
>                                   'uid=' . Auth::getAuth());
>     $information = @ldap_get_entries($ds, $searchResults);
>     @ldap_close($ds);
>     $ggg = $information[0]['gidnumber'][0];
>     $uuu = $information[0]['uid'][0];
>     if ($uuu != $conf['auth']['superadmin']) {
>         $conf['auth']['params']['filter'] =
>             '(&(objectclass=shadowaccount)(gidNumber=' . $ggg . '))';
>     }
> }
>
> And in hooks.php:
> .
> .
> .
>  if (!function_exists('_horde_hook_postauthenticate')) {
>      function _horde_hook_postauthenticate($userID, $credential, $realm)
>      {
>         $GLOBALS['registry']->clearCache();
>          $ret = true;
>          return $ret;
>      }
>  }
>
> Also to check if the code was/is reloaded, we did change the conf.php
> manually and saved it during one session, same result,
> the $GLOBALS['conf']['auth']['params']['filter'] did not change.
>
> I also hacked the ldap.php file to see if there was some problem setting
> the GLOBALS variable:
> $GLOBALS['conf']['auth']['params']['filter'] =
>     '(&(objectclass=shadowaccount)(|(gidNumber=1002)))';
> $filter = $this->_getParamFilter();
> echo $filter;
>
> Result that is printed:
> (objectclass=shadowaccount)
>
> Not the expected (&(objectclass=shadowaccount)(|(gidNumber=1002)))
>
> This verifies that there is some problem setting
> $GLOBALS['conf']['auth']['params']['filter'], maybe it is a limitation in
> horde??
>
> Did you enable the postauthenticate hook in the horde configuration?
> Did you check if the hook is called at all?
>
> Other than that, I'm out of ideas. You probably have to trace the code
> yourself.
>
> Jan.
>
> --

Thanks Jan! I checked the hooks, they work. :-)

So I guess I need to go through the code, which I already started to do by
now, I have already introduced the superadmin who can do all and made a
series of functional workarounds to the horde code for the limitations I
need.

Regards //
               //  Peter Steen
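The conf.php snippet discussed in this thread interpolates Auth::getAuth() straight into an LDAP search filter and suppresses every LDAP error with `@`. Below is an added example (editor's code, not Horde's and not Peter's or Jan's) of the same idea written so that the user name is escaped before it is placed in the filter and the admin list falls back to an empty result when the group lookup fails. Names taken from the thread: Auth::getAuth(), $conf['auth']['params']['filter'], $conf['auth']['superadmin'], the base DN dc=Users,dc=my-domain,dc=com and the shadowaccount object class. The host name, bind DN and bind password are placeholders, and ldap_escape() is a PHP 5.6+ built-in that a 2010 Horde installation would not have had, hence the fallback.

```php
<?php
// Added example, not code from the thread or from Horde. Intended to be
// appended to horde/config/conf.php; $conf is already defined there.

/**
 * Escape a value for use inside an LDAP search filter (RFC 4515).
 * PHP >= 5.6 ships ldap_escape(); older installations use the fallback.
 * Without this, a user name containing "*", "(" or ")" changes the filter's
 * meaning instead of being matched literally.
 */
function filter_escape($value)
{
    if (function_exists('ldap_escape')) {
        return ldap_escape($value, '', LDAP_ESCAPE_FILTER);
    }
    return str_replace(
        array('\\', '*', '(', ')', "\0"),
        array('\5c', '\2a', '\28', '\29', '\00'),
        $value
    );
}

/**
 * Return the gidNumber of the account whose uid is $uid, or null when the
 * bind or search fails or the result is not exactly one entry. Errors are
 * reported to the caller instead of being hidden behind "@".
 */
function lookup_gid($uid, $host, $bind_dn, $bind_pw, $base_dn)
{
    $ds = ldap_connect($host);              // $host is a placeholder
    if ($ds === false) {
        return null;
    }
    ldap_set_option($ds, LDAP_OPT_PROTOCOL_VERSION, 3);
    if (!@ldap_bind($ds, $bind_dn, $bind_pw)) {
        ldap_close($ds);
        return null;
    }
    $filter = '(&(objectclass=shadowaccount)(uid=' . filter_escape($uid) . '))';
    $search = @ldap_search($ds, $base_dn, $filter, array('gidNumber'));
    $gid = null;
    if ($search !== false) {
        $entries = ldap_get_entries($ds, $search);
        if ($entries !== false && $entries['count'] === 1
            && isset($entries[0]['gidnumber'][0])) {
            $gid = $entries[0]['gidnumber'][0];
        }
        ldap_free_result($search);
    }
    ldap_close($ds);
    return $gid;
}

// Narrow the user list only once a user is authenticated: the thread reports
// that conf.php can be evaluated before login, when Auth::getAuth() is empty.
if (class_exists('Auth') && Auth::getAuth()) {
    $admin_uid = Auth::getAuth();
    if ($admin_uid !== $conf['auth']['superadmin']) {
        $gid = lookup_gid(
            $admin_uid,
            'ldap.example.invalid',                 // placeholder host
            'cn=Manager,dc=my-domain,dc=com',       // bind DN from the thread
            'REPLACE_WITH_BIND_PASSWORD',           // placeholder
            'dc=Users,dc=my-domain,dc=com'
        );
        if ($gid !== null && ctype_digit((string) $gid)) {
            // Only the administrator's own group is listed.
            $conf['auth']['params']['filter'] =
                '(&(objectclass=shadowaccount)(gidNumber=' . $gid . '))';
        } else {
            // Fail closed: a filter that matches no entry, so a broken lookup
            // never widens the admin list to every account.
            $conf['auth']['params']['filter'] = '(!(objectclass=*))';
        }
    }
}
```

Two choices worth noting. The gidNumber is checked with ctype_digit() before it is concatenated, so only a numeric value ever reaches the filter. And the lookup uses a dedicated read-only bind identity rather than the directory manager; the thread's snippet binds as cn=Manager with the password stored in conf.php, which the cleaned-up variant keeps only as a labelled placeholder. Jan's point about the session cache still applies: the filter set here is only picked up after $GLOBALS['registry']->clearCache() has been called in the postauthenticate hook, as described earlier in the thread.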




