Merge branch 'feature/support-nested-ad-groups-for-roles-12598'

resolves #12598
2016-12-09 10:15:43 +01:00 · 2016-12-09 10:15:43 +01:00 · bcc5b8c1a7
parent 18ea3286d7 01dd60c0fe
commit bcc5b8c1a7
4 changed files with 389 additions and 669 deletions
--- a/application/forms/Config/UserGroup/LdapUserGroupBackendForm.php
+++ b/application/forms/Config/UserGroup/LdapUserGroupBackendForm.php
@ -89,6 +89,22 @@ class LdapUserGroupBackendForm extends Form
            $groupConfigDisabled = $userConfigDisabled = true;
        }

+        if ($formData['type'] === 'msldap') {
+            $this->addElement(
+                'checkbox',
+                'nested_group_search',
+                array(
+                    'description'   => $this->translate(
+                        'Check this box for nested group search in Active Directory based on the user'
+                    ),
+                    'label'         => $this->translate('Nested Group Search')
+                )
+            );
+        } else {
+            // This is required to purge already present options
+            $this->addElement('hidden', 'nested_group_search', array('disabled' => true));
+        }
+
        $this->createGroupConfigElements($defaults, $groupConfigDisabled);
        if (count($userBackends) === 1 || (isset($formData['user_backend']) && $formData['user_backend'] === 'none')) {
            $this->createUserConfigElements($defaults, $userConfigDisabled);
--- a/application/locale/de_DE/LC_MESSAGES/icinga.mo
+++ b/application/locale/de_DE/LC_MESSAGES/icinga.mo
--- a/application/locale/de_DE/LC_MESSAGES/icinga.po
+++ b/application/locale/de_DE/LC_MESSAGES/icinga.po
--- a/library/Icinga/Authentication/UserGroup/LdapUserGroupBackend.php
+++ b/library/Icinga/Authentication/UserGroup/LdapUserGroupBackend.php
@ -93,6 +93,13 @@ class LdapUserGroupBackend extends LdapRepository implements UserGroupBackendInt
     */
    protected $groupFilter;

+    /**
+     * ActiveDirectory nested group on the user?
+     *
+     * @var bool
+     */
+    protected $nestedGroupSearch;
+
    /**
     * The columns which are not permitted to be queried
     *
@ -364,6 +371,29 @@ class LdapUserGroupBackend extends LdapRepository implements UserGroupBackendInt
        return $this->groupFilter;
    }

+    /**
+     * Set nestedGroupSearch for the group query
+     *
+     * @param   bool    $enable
+     *
+     * @return  $this
+     */
+    public function setNestedGroupSearch($enable = true)
+    {
+        $this->nestedGroupSearch = $enable;
+        return $this;
+    }
+
+    /**
+     * Get nestedGroupSearch for the group query
+     *
+     * @return bool
+     */
+    public function getNestedGroupSearch()
+    {
+        return $this->nestedGroupSearch;
+    }
+
    /**
     * Return whether the attribute name where to find a group's member holds ambiguous values
     *
@ -620,10 +650,16 @@ class LdapUserGroupBackend extends LdapRepository implements UserGroupBackendInt
            }
        }

+        if ($this->nestedGroupSearch) {
+            $groupMemberAttribute = $this->groupMemberAttribute . ':1.2.840.113556.1.4.1941:';
+        } else {
+            $groupMemberAttribute = $this->groupMemberAttribute;
+        }
+
        $groupQuery = $this->ds
            ->select()
            ->from($this->groupClass, array($this->groupNameAttribute))
-            ->where($this->groupMemberAttribute, $queryValue)
+            ->where($groupMemberAttribute, $queryValue)
            ->setBase($this->groupBaseDn);
        if ($this->groupFilter) {
            $groupQuery->setNativeFilter($this->groupFilter);
@ -706,7 +742,8 @@ class LdapUserGroupBackend extends LdapRepository implements UserGroupBackendInt
            ->setUserNameAttribute($config->get('user_name_attribute', $defaults->user_name_attribute))
            ->setGroupMemberAttribute($config->get('group_member_attribute', $defaults->group_member_attribute))
            ->setGroupFilter($config->group_filter)
-            ->setUserFilter($config->user_filter);
+            ->setUserFilter($config->user_filter)
+            ->setNestedGroupSearch((bool) $config->get('nested_group_search', $defaults->nested_group_search));
    }

    /**
@ -721,7 +758,8 @@ class LdapUserGroupBackend extends LdapRepository implements UserGroupBackendInt
            'user_class'                => 'inetOrgPerson',
            'group_name_attribute'      => 'gid',
            'user_name_attribute'       => 'uid',
-            'group_member_attribute'    => 'member'
+            'group_member_attribute'    => 'member',
+            'nested_group_search'       => '0'
        ));
    }

@ -737,7 +775,8 @@ class LdapUserGroupBackend extends LdapRepository implements UserGroupBackendInt
            'user_class'                => 'user',
            'group_name_attribute'      => 'sAMAccountName',
            'user_name_attribute'       => 'sAMAccountName',
-            'group_member_attribute'    => 'member'
+            'group_member_attribute'    => 'member',
+            'nested_group_search'       => '0'
        ));
    }
-}
+}