Fix ldap auth when the userNameAttribute holds multiple values

fixes #8246
2025-07-29 16:54:04 +02:00 · 2015-02-03 10:15:54 +01:00 · 2015-02-03 10:15:54 +01:00 · 7989b48248
commit 7989b48248
parent f6fc592b91
3 changed files with 21 additions and 5 deletions
--- a/doc/authentication.md
+++ b/doc/authentication.md
@ -54,6 +54,10 @@ user_class          = inetOrgPerson
 user_name_attribute = uid
 ```

+Note that in case the set *user_name_attribute* holds multiple values it is required that all of its
+values are unique. Additionally, a user will be logged in using the exact user id used to authenticate
+with Icinga Web 2 (e.g. an alias) no matter what the primary user id might actually be.
+
 #### <a id="authentication-configuration-ad-authentication"></a> Active Directory

 Directive               | Description
--- a/library/Icinga/Authentication/Backend/LdapUserBackend.php
+++ b/library/Icinga/Authentication/Backend/LdapUserBackend.php
@ -150,7 +150,13 @@ class LdapUserBackend extends UserBackend
    public function hasUser(User $user)
    {
        $username = $user->getUsername();
-        return strtolower($this->conn->fetchOne($this->selectUser($username))) === strtolower($username);
+        $entry = $this->conn->fetchOne($this->selectUser($username));
+
+        if (is_array($entry)) {
+            return in_array(strtolower($username), array_map('strtolower', $entry));
+        }
+
+        return strtolower($entry) === strtolower($username);
    }

    /**
@ -225,8 +231,14 @@ class LdapUserBackend extends UserBackend
    {
        $users = array();
        foreach ($this->selectUsers()->fetchAll() as $row) {
+            if (is_array($row->{$this->userNameAttribute})) {
+                foreach ($row->{$this->userNameAttribute} as $col) {
+                    $users[] = $col;
+                }
+            } else {
                $users[] = $row->{$this->userNameAttribute};
            }
+        }
        return $users;
    }
 }
--- a/library/Icinga/Protocol/Ldap/Connection.php
+++ b/library/Icinga/Protocol/Ldap/Connection.php
@ -214,20 +214,20 @@ class Connection
    /**
     * Fetch the distinguished name of the first result of the given query
     *
-     * @param       $query   The query returning the result set
+     * @param Query $query   The query returning the result set
     * @param array $fields  The fields to fetch
     *
     * @return string        Returns the distinguished name, or false when the given query yields no results
     * @throws LdapException When the query result is empty and contains no DN to fetch
     */
-    public function fetchDN($query, $fields = array())
+    public function fetchDN(Query $query, $fields = array())
    {
        $rows = $this->fetchAll($query, $fields);
        if (count($rows) !== 1) {
            throw new LdapException(
                sprintf(
                    'Cannot fetch single DN for %s',
-                    $query
+                    $query->create()
                )
            );
        }