tyler.durden
/
icingaweb2
mirror of https://github.com/Icinga/icingaweb2.git
1
0
Fork 0
Code Issues Packages Projects Releases Wiki Activity

LdapUserGroupBackend: Dynamically verify member attribute ambiguity 

refs #10567
This commit is contained in:
Johannes Meyer 2015-11-09 11:41:11 +01:00
parent 6551a86d4d
commit cfb26e22b3
1 changed files with 42 additions and 12 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

54
library/Icinga/Authentication/UserGroup/LdapUserGroupBackend.php
View File

@ -72,6 +72,13 @@ class LdapUserGroupBackend extends LdapRepository implements UserGroupBackendInt
*/
protected $groupMemberAttribute;
/**
* Whether the attribute name where to find a group's member holds ambiguous values
*
* @var bool
*/
protected $ambiguousMemberAttribute;
/**
* The custom LDAP filter to apply on a user query
*
@ -357,6 +364,39 @@ class LdapUserGroupBackend extends LdapRepository implements UserGroupBackendInt
return $this->groupFilter;
}
/**
* Return whether the attribute name where to find a group's member holds ambiguous values
*
* @return bool
*
* @throws ProgrammingError In case either $this->groupClass or $this->groupMemberAttribute
* has not been set yet
*/
protected function isMemberAttributeAmbiguous()
{
if ($this->ambiguousMemberAttribute === null) {
if ($this->groupClass === null) {
throw new ProgrammingError(
'It is required to set the objectClass where to look for groups first'
);
} elseif ($this->groupMemberAttribute === null) {
throw new ProgrammingError(
'It is required to set a attribute name where to find a group\'s members first'
);
}
$sampleValue = $this->ds
->select()
->from($this->groupClass, array($this->groupMemberAttribute))
->setUnfoldAttribute($this->groupMemberAttribute)
->setBase($this->groupBaseDn)
->fetchOne();
$this->ambiguousMemberAttribute = !$this->isRelatedDn($sampleValue);
}
return $this->ambiguousMemberAttribute;
}
/**
* Return a new query for the given columns
*
@ -431,19 +471,9 @@ class LdapUserGroupBackend extends LdapRepository implements UserGroupBackendInt
* Initialize this repository's conversion rules
*
* @return array
*
* @throws ProgrammingError In case either $this->groupClass or $this->groupMemberAttribute
* has not been set yet
*/
protected function initializeConversionRules()
{
if ($this->groupClass === null) {
throw new ProgrammingError('It is required to set the objectClass where to look for groups first');
}
if ($this->groupMemberAttribute === null) {
throw new ProgrammingError('It is required to set a attribute name where to find a group\'s members first');
}
$rules = array(
'group' => array(
'created_at' => 'generalized_time',
@ -454,7 +484,7 @@ class LdapUserGroupBackend extends LdapRepository implements UserGroupBackendInt
'last_modified' => 'generalized_time'
)
);
if (! $this->isAmbiguous($this->groupClass, $this->groupMemberAttribute)) {
if (! $this->isMemberAttributeAmbiguous()) {
$rules['group_membership']['user_name'] = 'user_name';
$rules['group_membership']['user'] = 'user_name';
$rules['group']['user_name'] = 'user_name';
@ -566,7 +596,7 @@ class LdapUserGroupBackend extends LdapRepository implements UserGroupBackendInt
*/
public function getMemberships(User $user)
{
if ($this->isAmbiguous($this->groupClass, $this->groupMemberAttribute)) {
if ($this->isMemberAttributeAmbiguous()) {
$queryValue = $user->getUsername();
} elseif (($queryValue = $user->getAdditional('ldap_dn')) === null) {
$userQuery = $this->ds