mirror of
https://github.com/Icinga/icingaweb2.git
Merge pull request #2924 from Icinga/bugfix/ldap-membership-resolution
Problems in LDAP membership resolution
commit
401eda2d29
@ -13,6 +13,8 @@ matrix:
|
|||||||
include:
|
include:
|
||||||
- php: '5.3'
|
- php: '5.3'
|
||||||
dist: precise
|
dist: precise
|
||||||
|
env:
|
||||||
|
- ENABLE_LDAP=1
|
||||||
|
|
||||||
services:
|
services:
|
||||||
- mysql
|
- mysql
|
||||||
@ -32,7 +34,9 @@ notifications:
|
|||||||
|
|
||||||
# also see: test/setup_vendor.sh
|
# also see: test/setup_vendor.sh
|
||||||
before_script:
|
before_script:
|
||||||
|
- php -m
|
||||||
- sudo locale-gen en_US.UTF-8 de_DE.UTF-8 fr_FR.UTF-8
|
- sudo locale-gen en_US.UTF-8 de_DE.UTF-8 fr_FR.UTF-8
|
||||||
|
- sh -c '[ -z $ENABLE_LDAP ] || phpenv config-add test/travis-ldap.ini'
|
||||||
- test/travis_database.sh
|
- test/travis_database.sh
|
||||||
- test/setup_vendor.sh
|
- test/setup_vendor.sh
|
||||||
|
|
||||||
|
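Review bot: `$ENABLE_LDAP` is unquoted in the added before_script test `[ -z $ENABLE_LDAP ]`. When the variable is unset the expression collapses to `[ -z ]`, which is true only because a one-argument test checks for a non-empty string, and a value containing whitespace would make the test fail with an error. Quoting keeps the intent explicit: `- sh -c '[ -z "$ENABLE_LDAP" ] || phpenv config-add test/travis-ldap.ini'`. Only the 5.3 matrix entry sets the variable, so the LDAP-dependent tests presumably rely on the extension being preloaded on the other images; that assumption is not visible here.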
@ -10,6 +10,7 @@ use Icinga\Data\ConfigObject;
|
|||||||
use Icinga\Exception\ConfigurationError;
|
use Icinga\Exception\ConfigurationError;
|
||||||
use Icinga\Exception\ProgrammingError;
|
use Icinga\Exception\ProgrammingError;
|
||||||
use Icinga\Protocol\Ldap\LdapException;
|
use Icinga\Protocol\Ldap\LdapException;
|
||||||
|
use Icinga\Protocol\Ldap\LdapUtils;
|
||||||
use Icinga\Repository\LdapRepository;
|
use Icinga\Repository\LdapRepository;
|
||||||
use Icinga\Repository\RepositoryQuery;
|
use Icinga\Repository\RepositoryQuery;
|
||||||
use Icinga\User;
|
use Icinga\User;
|
||||||
@ -438,6 +439,11 @@ class LdapUserGroupBackend extends LdapRepository implements UserGroupBackendInt
|
|||||||
/**
|
/**
|
||||||
* Return whether the attribute name where to find a group's member holds ambiguous values
|
* Return whether the attribute name where to find a group's member holds ambiguous values
|
||||||
*
|
*
|
||||||
|
* This tries to detect if the member attribute of groups contain:
|
||||||
|
*
|
||||||
|
* full DN -> distinguished name of another object
|
||||||
|
* other -> ambiguous field referencing the member by userNameAttribute
|
||||||
|
*
|
||||||
* @return bool
|
* @return bool
|
||||||
*
|
*
|
||||||
* @throws ProgrammingError In case either $this->groupClass or $this->groupMemberAttribute
|
* @throws ProgrammingError In case either $this->groupClass or $this->groupMemberAttribute
|
||||||
@ -463,7 +469,8 @@ class LdapUserGroupBackend extends LdapRepository implements UserGroupBackendInt
|
|||||||
->setUnfoldAttribute($this->groupMemberAttribute)
|
->setUnfoldAttribute($this->groupMemberAttribute)
|
||||||
->setBase($this->groupBaseDn)
|
->setBase($this->groupBaseDn)
|
||||||
->fetchOne();
|
->fetchOne();
|
||||||
$this->ambiguousMemberAttribute = !$this->isRelatedDn($sampleValue);
|
|
||||||
|
$this->ambiguousMemberAttribute = ! LdapUtils::isDn($sampleValue);
|
||||||
}
|
}
|
||||||
|
|
||||||
return $this->ambiguousMemberAttribute;
|
return $this->ambiguousMemberAttribute;
|
||||||
|
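Review bot: The assignment `$this->ambiguousMemberAttribute = ! LdapUtils::isDn($sampleValue);` classifies the whole backend from the single value returned by `fetchOne()`, and the only criterion is now whether that value parses as a DN. Group membership usually feeds role assignment, so a misclassified attribute changes who is resolved into which group without raising any error. If the query yields no value (presumably a non-string result), `isDn()` returns false and the attribute is treated as ambiguous, which may or may not be the intended default. I would document both assumptions next to the assignment, e.g. `// Decided from one sampled member value; a directory mixing DN and non-DN members, or a group without members, is not detected here`. The method body begins and ends outside this hunk.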
@ -19,8 +19,9 @@ class LdapUtils
|
|||||||
* UTF-8 chars like German umlauts would otherwise be escaped and shown
|
* UTF-8 chars like German umlauts would otherwise be escaped and shown
|
||||||
* as backslash-prefixed hexcode-sequenzes.
|
* as backslash-prefixed hexcode-sequenzes.
|
||||||
*
|
*
|
||||||
* @param string DN
|
* @param string $dn DN
|
||||||
* @param boolean Returns 'type=value' when true and 'value' when false
|
* @param boolean $with_type Returns 'type=value' when true and 'value' when false
|
||||||
|
*
|
||||||
* @return string
|
* @return string
|
||||||
*/
|
*/
|
||||||
public static function explodeDN($dn, $with_type = true)
|
public static function explodeDN($dn, $with_type = true)
|
||||||
@ -45,7 +46,8 @@ class LdapUtils
|
|||||||
*
|
*
|
||||||
* TODO: throw away, this is not how it shall be done
|
* TODO: throw away, this is not how it shall be done
|
||||||
*
|
*
|
||||||
* @param string DN-component
|
* @param array $parts DN-component
|
||||||
|
*
|
||||||
* @return string
|
* @return string
|
||||||
*/
|
*/
|
||||||
public static function implodeDN($parts)
|
public static function implodeDN($parts)
|
||||||
@ -61,12 +63,28 @@ class LdapUtils
|
|||||||
return $str;
|
return $str;
|
||||||
}
|
}
|
||||||
|
|
||||||
|
/**
|
||||||
|
* Test if supplied value looks like a DN
|
||||||
|
*
|
||||||
|
* @param mixed $value
|
||||||
|
*
|
||||||
|
* @return bool
|
||||||
|
*/
|
||||||
|
public static function isDn($value)
|
||||||
|
{
|
||||||
|
if (is_string($value)) {
|
||||||
|
return ldap_dn2ufn($value) !== false;
|
||||||
|
}
|
||||||
|
return false;
|
||||||
|
}
|
||||||
|
|
||||||
/**
|
/**
|
||||||
* Quote a string that should be used in a DN
|
* Quote a string that should be used in a DN
|
||||||
*
|
*
|
||||||
* Special characters will be escaped
|
* Special characters will be escaped
|
||||||
*
|
*
|
||||||
* @param string DN-component
|
* @param string $str DN-component
|
||||||
|
*
|
||||||
* @return string
|
* @return string
|
||||||
*/
|
*/
|
||||||
public static function quoteForDN($str)
|
public static function quoteForDN($str)
|
||||||
|
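Review bot: `isDn()` returns true for every string that `ldap_dn2ufn()` can parse, so it is a syntax check only. A login name that happens to contain `=` (constructed example: `a=b`) is classified as a DN, and the empty string probably is as well, since an empty DN is well-formed. The docblock should say that a true result proves neither that the entry exists nor that it lies under the configured base DN, and that the function requires ext-ldap. If empty values can reach it, reject them explicitly: `return $value !== '' && ldap_dn2ufn($value) !== false;`.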
@ -74,6 +74,9 @@ abstract class LdapRepository extends Repository
|
|||||||
*
|
*
|
||||||
* Will use the current connection's root DN if $baseDn is not given.
|
* Will use the current connection's root DN if $baseDn is not given.
|
||||||
*
|
*
|
||||||
|
* @deprecated This was only used by LdapUserGroupBackend::isMemberAttributeAmbiguous
|
||||||
|
* It will be removed with 2.6.0!
|
||||||
|
*
|
||||||
* @param string $dn The object DN to check
|
* @param string $dn The object DN to check
|
||||||
* @param string $baseDn The base DN to compare the object DN with
|
* @param string $baseDn The base DN to compare the object DN with
|
||||||
*
|
*
|
||||||
|
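--- /dev/null
+++ b/test/php/library/Icinga/Protocol/Ldap/LdapUtilsTest.php
@@ -0,0 +1,41 @@
+<?php
+/* Icinga Web 2 | (c) 2013 Icinga Development Team | GPLv2+ */
+
+namespace Tests\Icinga\Protocol\Ldap;
+
+use Icinga\Protocol\Ldap\LdapUtils;
+use Icinga\Test\BaseTestCase;
+
+class LdapUtilsTest extends BaseTestCase
+{
+protected static $validDn = array(
+'dc=example,dc=com',
+'dc=example, dc=com',
+'dc = example , dc = com',
+'DC=EXAMPLE,DC=COM',
+'0.9.2342.19200300.100.1.25=Example,0.9.2342.19200300.100.1.25=Com',
+'CN=host,OU=Datacenter Servers,DC=example,DC=com',
+'CN=Doe\, John,OU=Admin Users,DC=example,DC=com'
+);
+
+protected static $invalidDn = array(
+'testuser',
+'heinzimüller',
+'test.user@example.com',
+'test,user@example.com',
+);
+
+public function testIsDnForValidValues()
+{
+foreach (static::$validDn as $dn) {
+$this->assertTrue(LdapUtils::isDn($dn), 'DN should be tested as valid value: ' . $dn);
+}
+}
+
+public function testIsDnForInvalidValues()
+{
+foreach (static::$invalidDn as $dn) {
+$this->assertFalse(LdapUtils::isDn($dn), 'DN should be tested as invalid value: ' . $dn);
+}
+}
+}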
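Review bot: Both test methods call `LdapUtils::isDn()`, which depends on `ldap_dn2ufn()`, but nothing skips them when the LDAP extension is not loaded, so a run without ext-ldap would presumably end in a fatal error instead of a skip. A guard at the top of each test (or in `setUp()`, if `BaseTestCase` allows it) would help: `if (! extension_loaded('ldap')) { $this->markTestSkipped('LDAP extension is required'); }`. The `$invalidDn` list also contains only non-empty strings. Cases for the empty string and for non-string input (`null`, `false`, an array) would pin down the `is_string()` branch and the boundary behaviour of the parser.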
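--- /dev/null
+++ b/test/travis-ldap.ini
@@ -0,0 +1 @@
+extension=ldap.so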