LDAP: when checking group for matching filter, also take base DN into consideration. Fixes #17516
This commit is contained in:
parent
2b86ba43e3
commit
bfdf39b9bd
4 changed files with 96 additions and 2 deletions
|
@ -382,7 +382,12 @@ class GROUP_LDAP extends BackendUtility implements \OCP\GroupInterface {
|
|||
if (is_array($groupDNs)) {
|
||||
$groupDNs = $this->access->groupsMatchFilter($groupDNs);
|
||||
foreach ($groupDNs as $dn) {
|
||||
$groups[] = $this->access->dn2groupname($dn);
|
||||
$groupName = $this->access->dn2groupname($dn);
|
||||
if(is_string($groupName)) {
|
||||
// be sure to never return false if the dn could not be
|
||||
// resolved to a name, for whatever reason.
|
||||
$groups[] = $groupName;
|
||||
}
|
||||
}
|
||||
}
|
||||
if($primaryGroup !== false) {
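Review bot: The new `is_string($groupName)` guard still lets an empty string through, because `is_string('')` is true; if `dn2groupname` can return `''` for an entry whose name attribute is empty (its implementation is not visible here), a nameless group would be appended, so consider `if (is_string($groupName) && $groupName !== '') {`. The enclosing method starts before and ends after this hunk, so whether `$groupDNs` comes from a trusted source is not visible either; the preceding `groupsMatchFilter` call is what keeps out-of-base DNs out of `$groups`, and a one-line comment saying so would help the next reader: `// groupsMatchFilter() already dropped DNs outside the group base / filter; only resolvable names are kept`. Minor style: `if(` on the new line differs from the `foreach (` spacing two lines above.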
|
||||
|
|
|
@ -365,10 +365,21 @@ class Access extends LDAPUtility implements user\IUserTools {
|
|||
continue;
|
||||
}
|
||||
|
||||
// Check the base DN first. If this is not met already, we don't
|
||||
// need to ask the server at all.
|
||||
if(!$this->isDNPartOfBase($dn, $this->connection->ldapBaseGroups)) {
|
||||
$this->connection->writeToCache($cacheKey, false);
|
||||
continue;
|
||||
}
|
||||
|
||||
$result = $this->readAttribute($dn, 'cn', $this->connection->ldapGroupFilter);
|
||||
if(is_array($result)) {
|
||||
$this->connection->writeToCache($cacheKey, true);
|
||||
$validGroupDNs[] = $dn;
|
||||
} else {
|
||||
$this->connection->writeToCache($cacheKey, false);
|
||||
}
|
||||
|
||||
}
|
||||
return $validGroupDNs;
|
||||
}
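Review bot: The new `isDNPartOfBase($dn, $this->connection->ldapBaseGroups)` guard is only as strong as that helper's comparison, which is not visible in this hunk: a plain string suffix match would accept a DN whose last RDNs merely end with the base text and would reject a DN the server spells with different case (`OU=Groups` vs `ou=groups`), while DN attribute types and many values are case-insensitive in LDAP. Worth confirming that it matches on an RDN boundary (exact equality or a preceding comma) after case normalisation, and that it copes with `ldapBaseGroups` holding more than one base if the configuration allows that. A short comment on the new lines would document the intent: `// a DN outside every configured group base can never be a valid group, regardless of the filter`. `$cacheKey` and the loop header are set up above the hunk, so the negative result cached here lives as long as that key does; if the group base is reconfigured, stale `false` entries would keep excluding groups until the cache is cleared.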
|
||||
|
|
|
@ -43,6 +43,7 @@ class IntegrationTestAccessGroupsMatchFilter {
|
|||
public function init() {
|
||||
require('setup-scripts/createExplicitUsers.php');
|
||||
require('setup-scripts/createExplicitGroups.php');
|
||||
require('setup-scripts/createExplicitGroupsDifferentOU.php');
|
||||
|
||||
$this->initLDAPWrapper();
|
||||
$this->initConnection();
|
||||
|
@ -55,7 +56,7 @@ class IntegrationTestAccessGroupsMatchFilter {
|
|||
* If a test failed, the script is exited with return code 1.
|
||||
*/
|
||||
public function run() {
|
||||
$cases = ['case1', 'case2'];
|
||||
$cases = ['case1', 'case2', 'case3'];
|
||||
|
||||
foreach ($cases as $case) {
|
||||
print("running $case " . PHP_EOL);
|
||||
|
@ -106,6 +107,30 @@ class IntegrationTestAccessGroupsMatchFilter {
|
|||
return $status;
|
||||
}
|
||||
|
||||
/**
|
||||
* Tests whether a filter for limited groups is effective when more existing
|
||||
* groups were passed for validation.
|
||||
*
|
||||
* @return bool
|
||||
*/
|
||||
private function case3() {
|
||||
$this->connection->setConfiguration(['ldapGroupFilter' => '(objectclass=groupOfNames)']);
|
||||
|
||||
$dns = [
|
||||
'cn=RedGroup,ou=Groups,' . $this->base,
|
||||
'cn=PurpleGroup,ou=Groups,' . $this->base,
|
||||
'cn=SquaredCircleGroup,ou=SpecialGroups,' . $this->base
|
||||
];
|
||||
$result = $this->access->groupsMatchFilter($dns);
|
||||
|
||||
$status =
|
||||
count($result) === 2
|
||||
&& in_array('cn=RedGroup,ou=Groups,' . $this->base, $result)
|
||||
&& in_array('cn=PurpleGroup,ou=Groups,' . $this->base, $result);
|
||||
|
||||
return $status;
|
||||
}
|
||||
|
||||
/**
|
||||
* initializes the Access test instance
|
||||
*/
|
||||
|
@ -129,6 +154,7 @@ class IntegrationTestAccessGroupsMatchFilter {
|
|||
'ldapHost' => $this->server['host'],
|
||||
'ldapPort' => $this->server['port'],
|
||||
'ldapBase' => $this->base,
|
||||
'ldapBaseGroups' => 'ou=Groups,' . $this->base,
|
||||
'ldapAgentName' => $this->server['dn'],
|
||||
'ldapAgentPassword' => $this->server['pwd'],
|
||||
'ldapUserFilter' => 'objectclass=inetOrgPerson',
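Review bot: The `in_array` calls in case3 should pass `true` as the third argument so a loose comparison cannot mask a wrong element, and a negative assertion makes the intent explicit: `&& !in_array('cn=SquaredCircleGroup,ou=SpecialGroups,' . $this->base, $result, true)`. case3 also changes `ldapGroupFilter` via `setConfiguration` without restoring it; it is currently the last case, so this is harmless, but any case appended after it would inherit the filter. Since SquaredCircleGroup is created as a `groupOfNames` it passes the filter and is excluded only by the new base-DN check, which is exactly what the case is meant to prove; the docblock could say that rather than "a filter for limited groups", e.g. `* Tests that a group matching the filter but located outside ldapBaseGroups is rejected.`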
|
||||
|
|
|
@ -0,0 +1,52 @@
|
|||
<?php
|
||||
|
||||
if(php_sapi_name() !== 'cli') {
|
||||
print('Only via CLI, please.');
|
||||
exit(1);
|
||||
}
|
||||
|
||||
include __DIR__ . '/config.php';
|
||||
|
||||
$cr = ldap_connect($host, $port);
|
||||
ldap_set_option($cr, LDAP_OPT_PROTOCOL_VERSION, 3);
|
||||
$ok = ldap_bind($cr, $adn, $apwd);
|
||||
|
||||
if (!$ok) {
|
||||
die(ldap_error($cr));
|
||||
}
|
||||
|
||||
$ouName = 'SpecialGroups';
|
||||
$ouDN = 'ou=' . $ouName . ',' . $bdn;
|
||||
|
||||
//creates an OU
|
||||
if (true) {
|
||||
$entry = [];
|
||||
$entry['objectclass'][] = 'top';
|
||||
$entry['objectclass'][] = 'organizationalunit';
|
||||
$entry['ou'] = $ouName;
|
||||
$b = ldap_add($cr, $ouDN, $entry);
|
||||
if (!$b) {
|
||||
die(ldap_error($cr));
|
||||
}
|
||||
}
|
||||
|
||||
$groups = ['SquareGroup', 'CircleGroup', 'TriangleGroup', 'SquaredCircleGroup'];
|
||||
// groupOfNames requires groups to have at least one member
|
||||
// the member used is created by createExplicitUsers.php script
|
||||
$omniMember = 'uid=alice,ou=Users,' . $bdn;
|
||||
|
||||
foreach ($groups as $cn) {
|
||||
$newDN = 'cn=' . $cn . ',' . $ouDN;
|
||||
|
||||
$entry = [];
|
||||
$entry['cn'] = $cn;
|
||||
$entry['objectclass'][] = 'groupOfNames';
|
||||
$entry['member'][] = $omniMember;
|
||||
|
||||
$ok = ldap_add($cr, $newDN, $entry);
|
||||
if ($ok) {
|
||||
echo('created group ' . ': ' . $entry['cn'] . PHP_EOL);
|
||||
} else {
|
||||
die(ldap_error($cr));
|
||||
}
|
||||
}
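Review bot: `if (true) {` around the OU creation is a leftover switch and should be replaced by the bare statements, and the return values of `ldap_connect` and `ldap_set_option` are never checked, so a bad `$host`/`$port` from config.php only surfaces as a confusing `ldap_bind` error; `if ($cr === false) { die('ldap_connect failed'); }` after the connect call would make that explicit. The script binds with a plaintext simple bind and no `ldap_start_tls`; that is presumably acceptable for a local fixture server, but a comment such as `// test fixture only: plaintext simple bind against the local LDAP server` would keep it from being copied elsewhere. `ldap_add` of an OU that already exists will `die`, so if these setup scripts are meant to be re-runnable the "already exists" case needs separate handling.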
|