tyler.durden/icingaweb2
1
0
Fork 0
mirror of https://github.com/Icinga/icingaweb2.git synced 2025-07-21 21:04:25 +02:00
Code Issues Packages Projects Releases Wiki Activity

Add support for nested AD groups resolved from the user

Browse Source 
This will make sure that nested groups also work with roles.

Signed-off-by: Alexander A. Klimov <alexander.klimov@icinga.com>

refs #12598
This commit is contained in:
Rune Darrud 2016-08-30 22:26:56 +02:00 committed by Alexander A. Klimov
parent 0665ca387b
commit 59f1a70d5e
2 changed files with 61 additions and 5 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

13
application/forms/Config/UserGroup/LdapUserGroupBackendForm.php
View File

@ -89,6 +89,19 @@ class LdapUserGroupBackendForm extends Form
$groupConfigDisabled = $userConfigDisabled = true; $groupConfigDisabled = $userConfigDisabled = true;
} }
if ($formData['type'] === 'msldap') {
$this->addElement(
'checkbox',
'nested_group_search_in_ad',
array(
'description' => $this->translate(
'Check this box for nested group search in Active Directory based on the user'
),
'label' => $this->translate('Nested Group Search')
)
);
}
$this->createGroupConfigElements($defaults, $groupConfigDisabled); $this->createGroupConfigElements($defaults, $groupConfigDisabled);
if (count($userBackends) === 1 || (isset($formData['user_backend']) && $formData['user_backend'] === 'none')) { if (count($userBackends) === 1 || (isset($formData['user_backend']) && $formData['user_backend'] === 'none')) {
$this->createUserConfigElements($defaults, $userConfigDisabled); $this->createUserConfigElements($defaults, $userConfigDisabled);

51
library/Icinga/Authentication/UserGroup/LdapUserGroupBackend.php
View File

@ -93,6 +93,13 @@ class LdapUserGroupBackend extends LdapRepository implements UserGroupBackendInt
*/ */
protected $groupFilter; protected $groupFilter;
/**
* ActiveDirectory nested group on the user?
*
* @var bool
*/
protected $nestedGroupSearchInAD;
/** /**
* The columns which are not permitted to be queried * The columns which are not permitted to be queried
* *
@ -364,6 +371,33 @@ class LdapUserGroupBackend extends LdapRepository implements UserGroupBackendInt
return $this->groupFilter; return $this->groupFilter;
} }
/**
* Set nestedGroupSearchInAD for the group query
*
* @param string $enable
*
* @return bool
*/
public function setNestedGroupSearchInAD($enable)
{
if ($enable == "1") {
$this->nestedGroupSearchInAD = true;
} else {
$this->nestedGroupSearchInAD = false;
}
return $this;
}
/**
* Get nestedGroupSearchInAD for the group query
*
* @return bool
*/
public function getNestedGroupSearchInAD()
{
return $this->nestedGroupSearchInAD;
}
/** /**
* Return whether the attribute name where to find a group's member holds ambiguous values * Return whether the attribute name where to find a group's member holds ambiguous values
* *
@ -620,10 +654,16 @@ class LdapUserGroupBackend extends LdapRepository implements UserGroupBackendInt
} }
} }
if ($this->nestedGroupSearchInAD) {
$groupMemberAttribute = $this->groupMemberAttribute . ':1.2.840.113556.1.4.1941:';
} else {
$groupMemberAttribute = $this->groupMemberAttribute;
}
$groupQuery = $this->ds $groupQuery = $this->ds
->select() ->select()
->from($this->groupClass, array($this->groupNameAttribute)) ->from($this->groupClass, array($this->groupNameAttribute))
->where($this->groupMemberAttribute, $queryValue) ->where($groupMemberAttribute, $queryValue)
->setBase($this->groupBaseDn); ->setBase($this->groupBaseDn);
if ($this->groupFilter) { if ($this->groupFilter) {
$groupQuery->setNativeFilter($this->groupFilter); $groupQuery->setNativeFilter($this->groupFilter);
@ -706,7 +746,8 @@ class LdapUserGroupBackend extends LdapRepository implements UserGroupBackendInt
->setUserNameAttribute($config->get('user_name_attribute', $defaults->user_name_attribute)) ->setUserNameAttribute($config->get('user_name_attribute', $defaults->user_name_attribute))
->setGroupMemberAttribute($config->get('group_member_attribute', $defaults->group_member_attribute)) ->setGroupMemberAttribute($config->get('group_member_attribute', $defaults->group_member_attribute))
->setGroupFilter($config->group_filter) ->setGroupFilter($config->group_filter)
->setUserFilter($config->user_filter); ->setUserFilter($config->user_filter)
->setNestedGroupSearchInAD($config->get('nested_group_search_in_ad', $defaults->nested_group_search_in_ad));
} }
/** /**
@ -721,7 +762,8 @@ class LdapUserGroupBackend extends LdapRepository implements UserGroupBackendInt
'user_class' => 'inetOrgPerson', 'user_class' => 'inetOrgPerson',
'group_name_attribute' => 'gid', 'group_name_attribute' => 'gid',
'user_name_attribute' => 'uid', 'user_name_attribute' => 'uid',
'group_member_attribute' => 'member' 'group_member_attribute' => 'member',
'nested_group_search_in_ad' => '0'
)); ));
} }
@ -737,7 +779,8 @@ class LdapUserGroupBackend extends LdapRepository implements UserGroupBackendInt
'user_class' => 'user', 'user_class' => 'user',
'group_name_attribute' => 'sAMAccountName', 'group_name_attribute' => 'sAMAccountName',
'user_name_attribute' => 'sAMAccountName', 'user_name_attribute' => 'sAMAccountName',
'group_member_attribute' => 'member' 'group_member_attribute' => 'member',
'nested_group_search_in_ad' => '0'
)); ));
} }
} }