Merge pull request #2924 from Icinga/bugfix/ldap-membership-resolution

Problems in LDAP membership resolution
2017-10-23 11:10:47 +02:00 · 2017-10-23 11:10:47 +02:00 · 401eda2d29
parent 75578c5b72 2e94bec22c
commit 401eda2d29
6 changed files with 79 additions and 5 deletions
--- a/.travis.yml
+++ b/.travis.yml
@ -13,6 +13,8 @@ matrix:
  include:
  - php: '5.3'
    dist: precise
+    env:
+    - ENABLE_LDAP=1

 services:
  - mysql
@ -32,7 +34,9 @@ notifications:

 # also see: test/setup_vendor.sh
 before_script:
+  - php -m
  - sudo locale-gen en_US.UTF-8 de_DE.UTF-8 fr_FR.UTF-8
+  - sh -c '[ -z $ENABLE_LDAP ] || phpenv config-add test/travis-ldap.ini'
  - test/travis_database.sh
  - test/setup_vendor.sh

--- a/library/Icinga/Authentication/UserGroup/LdapUserGroupBackend.php
+++ b/library/Icinga/Authentication/UserGroup/LdapUserGroupBackend.php
@ -10,6 +10,7 @@ use Icinga\Data\ConfigObject;
 use Icinga\Exception\ConfigurationError;
 use Icinga\Exception\ProgrammingError;
 use Icinga\Protocol\Ldap\LdapException;
+use Icinga\Protocol\Ldap\LdapUtils;
 use Icinga\Repository\LdapRepository;
 use Icinga\Repository\RepositoryQuery;
 use Icinga\User;
@ -438,6 +439,11 @@ class LdapUserGroupBackend extends LdapRepository implements UserGroupBackendInt
    /**
     * Return whether the attribute name where to find a group's member holds ambiguous values
     *
+     * This tries to detect if the member attribute of groups contain:
+     *
+     *  full DN -> distinguished name of another object
+     *  other   -> ambiguous field referencing the member by userNameAttribute
+     *
     * @return  bool
     *
     * @throws  ProgrammingError    In case either $this->groupClass or $this->groupMemberAttribute
@ -463,7 +469,8 @@ class LdapUserGroupBackend extends LdapRepository implements UserGroupBackendInt
                ->setUnfoldAttribute($this->groupMemberAttribute)
                ->setBase($this->groupBaseDn)
                ->fetchOne();
-            $this->ambiguousMemberAttribute = !$this->isRelatedDn($sampleValue);
+
+            $this->ambiguousMemberAttribute = ! LdapUtils::isDn($sampleValue);
        }

        return $this->ambiguousMemberAttribute;
--- a/library/Icinga/Protocol/Ldap/LdapUtils.php
+++ b/library/Icinga/Protocol/Ldap/LdapUtils.php
@ -19,8 +19,9 @@ class LdapUtils
     * UTF-8 chars like German umlauts would otherwise be escaped and shown
     * as backslash-prefixed hexcode-sequenzes.
     *
-     * @param  string  DN
-     * @param  boolean Returns 'type=value' when true and 'value' when false
+     * @param  string  $dn        DN
+     * @param  boolean $with_type Returns 'type=value' when true and 'value' when false
+     *
     * @return string
     */
    public static function explodeDN($dn, $with_type = true)
@ -45,7 +46,8 @@ class LdapUtils
     *
     * TODO: throw away, this is not how it shall be done
     *
-     * @param  string DN-component
+     * @param  array $parts DN-component
+     *
     * @return string
     */
    public static function implodeDN($parts)
@ -61,12 +63,28 @@ class LdapUtils
        return $str;
    }

+    /**
+     * Test if supplied value looks like a DN
+     *
+     * @param  mixed $value
+     *
+     * @return bool
+     */
+    public static function isDn($value)
+    {
+        if (is_string($value)) {
+            return ldap_dn2ufn($value) !== false;
+        }
+        return false;
+    }
+
    /**
     * Quote a string that should be used in a DN
     *
     * Special characters will be escaped
     *
-     * @param  string DN-component
+     * @param  string $str DN-component
+     *
     * @return string
     */
    public static function quoteForDN($str)
--- a/library/Icinga/Repository/LdapRepository.php
+++ b/library/Icinga/Repository/LdapRepository.php
@ -74,6 +74,9 @@ abstract class LdapRepository extends Repository
     *
     * Will use the current connection's root DN if $baseDn is not given.
     *
+     * @deprecated This was only used by LdapUserGroupBackend::isMemberAttributeAmbiguous
+     *             It will be removed with 2.6.0!
+     *
     * @param   string  $dn         The object DN to check
     * @param   string  $baseDn     The base DN to compare the object DN with
     *
--- a/test/php/library/Icinga/Protocol/Ldap/LdapUtilsTest.php
+++ b/test/php/library/Icinga/Protocol/Ldap/LdapUtilsTest.php
@ -0,0 +1,41 @@
+<?php
+/* Icinga Web 2 | (c) 2013 Icinga Development Team | GPLv2+ */
+
+namespace Tests\Icinga\Protocol\Ldap;
+
+use Icinga\Protocol\Ldap\LdapUtils;
+use Icinga\Test\BaseTestCase;
+
+class LdapUtilsTest extends BaseTestCase
+{
+    protected static $validDn = array(
+        'dc=example,dc=com',
+        'dc=example, dc=com',
+        'dc = example , dc = com',
+        'DC=EXAMPLE,DC=COM',
+        '0.9.2342.19200300.100.1.25=Example,0.9.2342.19200300.100.1.25=Com',
+        'CN=host,OU=Datacenter Servers,DC=example,DC=com',
+        'CN=Doe\, John,OU=Admin Users,DC=example,DC=com'
+    );
+
+    protected static $invalidDn = array(
+        'testuser',
+        'heinzimüller',
+        'test.user@example.com',
+        'test,user@example.com',
+    );
+
+    public function testIsDnForValidValues()
+    {
+        foreach (static::$validDn as $dn) {
+            $this->assertTrue(LdapUtils::isDn($dn), 'DN should be tested as valid value: ' . $dn);
+        }
+    }
+
+    public function testIsDnForInvalidValues()
+    {
+        foreach (static::$invalidDn as $dn) {
+            $this->assertFalse(LdapUtils::isDn($dn), 'DN should be tested as invalid value: ' . $dn);
+        }
+    }
+}
--- a/test/travis-ldap.ini
+++ b/test/travis-ldap.ini
@ -0,0 +1 @@
+extension=ldap.so