From 7989b48248e001010b9bfb93f5fed9c4e5c3ef47 Mon Sep 17 00:00:00 2001
From: Johannes Meyer
Date: Tue, 3 Feb 2015 10:15:54 +0100
Subject: [PATCH] Fix ldap auth when the userNameAttribute holds multiple values

fixes #8246
---
 doc/authentication.md | 4 ++++
 .../Authentication/Backend/LdapUserBackend.php | 16 ++++++++++++++--
 library/Icinga/Protocol/Ldap/Connection.php | 6 +++---
 3 files changed, 21 insertions(+), 5 deletions(-)

diff --git a/doc/authentication.md b/doc/authentication.md
index 542eb9934..175403061 100644
--- a/doc/authentication.md
+++ b/doc/authentication.md
@@ -54,6 +54,10 @@ user_class = inetOrgPerson
 user_name_attribute = uid
 ```
 
+Note that in case the set *user_name_attribute* holds multiple values it is required that all of its
+values are unique. Additionally, a user will be logged in using the exact user id used to authenticate
+with Icinga Web 2 (e.g. an alias) no matter what the primary user id might actually be.
+
 #### Active Directory
 
 Directive | Description
diff --git a/library/Icinga/Authentication/Backend/LdapUserBackend.php b/library/Icinga/Authentication/Backend/LdapUserBackend.php
index 69fe795fc..666ed69ae 100644
--- a/library/Icinga/Authentication/Backend/LdapUserBackend.php
+++ b/library/Icinga/Authentication/Backend/LdapUserBackend.php
@@ -150,7 +150,13 @@ class LdapUserBackend extends UserBackend
 public function hasUser(User $user)
 {
 $username = $user->getUsername();
- return strtolower($this->conn->fetchOne($this->selectUser($username))) === strtolower($username);
+ $entry = $this->conn->fetchOne($this->selectUser($username));
+
+ if (is_array($entry)) {
+ return in_array(strtolower($username), array_map('strtolower', $entry));
+ }
+
+ return strtolower($entry) === strtolower($username);
 }
 
 /**
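Review bot: The array branch added in hasUser uses a loose `in_array`, while the scalar branch right below it keeps the strict `===`; under loose comparison two numeric strings compare numerically, so a user id such as `10` would be accepted against a stored attribute value like `010` or `1e1`, which is exactly the kind of aliasing an authentication check must not allow. Pass the strict flag so both branches agree: `return in_array(strtolower($username), array_map('strtolower', $entry), true);`. A short comment above the branch would also help the next reader, e.g. `// userNameAttribute may be multi-valued; any of its values may be used to log in`.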
@@ -225,7 +231,13 @@ class LdapUserBackend extends UserBackend
 {
 $users = array();
 foreach ($this->selectUsers()->fetchAll() as $row) {
- $users[] = $row->{$this->userNameAttribute};
+ if (is_array($row->{$this->userNameAttribute})) {
+ foreach ($row->{$this->userNameAttribute} as $col) {
+ $users[] = $col;
+ }
+ } else {
+ $users[] = $row->{$this->userNameAttribute};
+ }
 }
 return $users;
 }
diff --git a/library/Icinga/Protocol/Ldap/Connection.php b/library/Icinga/Protocol/Ldap/Connection.php
index 1f58f34da..a576ab790 100644
--- a/library/Icinga/Protocol/Ldap/Connection.php
+++ b/library/Icinga/Protocol/Ldap/Connection.php
@@ -214,20 +214,20 @@ class Connection
 /**
 * Fetch the distinguished name of the first result of the given query
 *
- * @param $query The query returning the result set
+ * @param Query $query The query returning the result set
 * @param array $fields The fields to fetch
 *
 * @return string Returns the distinguished name, or false when the given query yields no results
 * @throws LdapException When the query result is empty and contains no DN to fetch
 */
- public function fetchDN($query, $fields = array())
+ public function fetchDN(Query $query, $fields = array())
 {
 $rows = $this->fetchAll($query, $fields);
 if (count($rows) !== 1) {
 throw new LdapException(
 sprintf(
 'Cannot fetch single DN for %s',
- $query
+ $query->create()
 )
 );
 }
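Review bot: The new if/else inside the foreach duplicates both the `$users[] = …` append and the `$row->{$this->userNameAttribute}` access; the enclosing method's signature lies outside the hunk. An array cast folds the two branches into one loop: `foreach ((array) $row->{$this->userNameAttribute} as $col) { $users[] = $col; }`. One difference to confirm before adopting it: if the attribute can be missing (`null`) on a row, the cast yields an empty array and skips that row, whereas the current else branch appends `null` to the returned list.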
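Review bot: The docblock edited in this hunk still contradicts the code beneath it: `@return string Returns the distinguished name, or false when the given query yields no results`, yet the visible `count($rows) !== 1` check throws LdapException for zero results, and also for more than one result, a case the `@throws` line does not mention. Suggest `* @return string The distinguished name of the single entry matching the query` and `* @throws LdapException When the query does not yield exactly one result`. Refusing an ambiguous match before any bind is the right behaviour for an authentication backend, so the stricter contract deserves to be stated rather than left implicit. The remainder of fetchDN's body lies outside the hunk.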