65 Commits

Author SHA1 Message Date
Johannes Meyer
3c69a63ce3 LdapUserGroupBackend: Log what the ambiguity check does 2018-10-08 10:34:27 +02:00
Eric Lippmann
4a000d0098 Revert "Merge branch 'bugfix/domain-aware-auth-non-domain-ldap-group-backend-3250'"
This reverts commit 5cb7deda20c4e69a5461ec646af2fedfb3a151a0, reversing
changes made to 02391e648be2f29b28ddbf7a08ebe6459a0fc6d7.

The change must be reverted because it makes it impossible to load groups
if domain aware auth is not enabled and the authenticated user specifies a domain.

refs #3324
2018-03-19 13:10:47 +01:00
Alexander A. Klimov
7227e10824 LdapUserGroupBackend: implement Inspectable
refs #3233
2018-01-19 16:31:24 +01:00
lippserd
ddfafb27f6
Merge pull request #3256 from Icinga/bugfix/multi-domain-support-broken-3232
Make multi-domain authn working w/ upper-case domains in user names
2018-01-17 11:57:48 +01:00
Alexander A. Klimov
8c7ccce4a7 Make multi-domain authn working w/ upper-case domains in user names
refs #3232
2018-01-16 10:36:22 +01:00
Paolo Schiro
c806099e1b Avoid including domain users in a group not belonging to a domain
Signed-off-by: Alexander A. Klimov <alexander.klimov@icinga.com>

refs #3250
2018-01-15 11:19:35 +01:00
Markus Frosch
f65759ace8 LdapUserGroupBackend: Base ambiguity decision based on isDN
Problem was: When a DN did not contain the same base DN, the check failed

This happens when you have an entry referencing a DN of another domain.
(And this value is tested as a sample)
2017-10-20 15:17:11 +02:00
Eric Lippmann
ab7fa9f925 Add domain part to user groups if the user group backend is reponsible for a domain 2017-07-31 09:03:40 +02:00
Eric Lippmann
b13c38b65b Auth/Groups: Prefer the domain from the LDAP/MSAD user backend
If a LDAP/MSAD user group backend is linked w/ a user backend, the domain from the user backend is preferred over the domain configured for the user group backend.
2017-07-11 17:09:24 +02:00
Eric Lippmann
cfbd5c500e Make LDAP user group backends domain-aware
refs #2153
2017-06-12 13:31:07 +02:00
Johannes Meyer
181e2ef05c Swag: Fix swag (aka a whole bunch of code style issues..) 2017-01-27 14:48:59 +01:00
Johannes Meyer
0716f87852 Update german translation 2016-12-13 13:57:27 +01:00
Alexander A. Klimov
648f088564 Conform to coding guidelines
refs #12598
2016-12-07 17:45:50 +01:00
Rune Darrud
59f1a70d5e Add support for nested AD groups resolved from the user
This will make sure that nested groups also work with roles.

Signed-off-by: Alexander A. Klimov <alexander.klimov@icinga.com>

refs #12598
2016-12-07 17:15:59 +01:00
Alexander A. Klimov
32876ca8ae LdapUserGroupBackend: respect config option group_filter
refs #11142
2016-02-11 15:49:28 +01:00
Alexander A. Klimov
474803fee4 Change all license headers to only reflect a file's year of creation
refs #11000
2016-02-08 15:41:00 +01:00
Johannes Meyer
916c417666 LdapUserGroupBackend: Avoid inspecting a group with no members
fixes #10659
2015-11-24 09:45:49 +01:00
Johannes Meyer
8bf4e8d217 LdapUserGroupBackend: Set a query's base DN when a table gets required
This ensures that the query receives the correct base DN even if the table
gets adjusted by calling from() subsequently.

refs #10567
2015-11-11 12:54:49 +01:00
Johannes Meyer
2917f352b5 Merge branch 'master' into bugfix/unreliable-attribute-ambiguity-check-10567
Conflicts:
	library/Icinga/Authentication/UserGroup/LdapUserGroupBackend.php
	library/Icinga/Protocol/Ldap/LdapConnection.php
2015-11-11 11:53:19 +01:00
Johannes Meyer
453aa864cc LdapUserGroupBackend: Set the appropriate base dn when resolving dns
refs #10567
2015-11-11 11:38:32 +01:00
Johannes Meyer
72f3ba1161 LdapUserGroupBackend: Offer "user_name" as filter column instead of "user"
refs #10370
2015-11-10 11:52:06 +01:00
Johannes Meyer
d56056bba7 LdapUserGroupBackend: Utilize $virtualTables 2015-11-10 09:56:58 +01:00
Johannes Meyer
c416216822 LdapUserGroupBackend: Fix typo in method requireTable()
refs #10370
2015-11-09 16:00:55 +01:00
Johannes Meyer
ffcc2ed56b LdapUserGroupBackend: Fix exception when searching for single chars
refs #10370
2015-11-09 16:00:24 +01:00
Johannes Meyer
9b826e6e5f Drop class Ldap\Expression and introduce LdapQuery::$nativeFilter
I'm about to add support for our Data\Filter implementation, since it cannot
parse native LDAP filters and a user may have configured such, we need to
differentiate the two types of filter.

refs #10370
2015-11-09 13:04:02 +01:00
Johannes Meyer
cfb26e22b3 LdapUserGroupBackend: Dynamically verify member attribute ambiguity
refs #10567
2015-11-09 11:41:11 +01:00
Johannes Meyer
99719bec7d Merge branch 'master' into bugfix/broken-user-and-group-management-10367
Conflicts:
	library/Icinga/Authentication/User/LdapUserBackend.php
	library/Icinga/Authentication/UserGroup/LdapUserGroupBackend.php
2015-10-29 08:52:07 +01:00
Johannes Meyer
36340aafa6 Repository: Ensure that we'll internally only work with virtual table names
refs #10367
2015-10-27 13:31:47 +01:00
Johannes Meyer
0b9a141591 LdapUserGroupBackend: Use the group_base_dn as user_base_dn..
..if neither the config nor the defaults provide a value.

refs #10402
2015-10-20 11:28:18 +02:00
Markus Frosch
33956e02f8 Fix collection of user_base_dn from the UserBackend
Currently the group_base_dn is used, unless a user_base_dn is configured in the group backend.

refs #10402
2015-10-20 10:02:42 +02:00
Johannes Meyer
8ed489c637 LdapUserGroupBackend: Add method persistUserName()
refs #10367
refs #10370
2015-10-16 15:28:44 +02:00
Johannes Meyer
58fc87b2e5 Repository: Ensure that we'll internally only work with virtual table names
refs #10367
2015-10-16 14:46:44 +02:00
Johannes Meyer
33037eebbb Revert "Fix group base DN is erroneously used in place of user base DN"
This reverts commit ac7546d9f2f166a3bebbbb9d5941b2084c1ce00b.
2015-10-16 10:08:14 +02:00
Johannes Meyer
34bf0c3cb0 Add method getUserBackendName() to UserGroupBackendInterface
refs #10367
refs #10373
2015-10-15 15:28:03 +02:00
Eric Lippmann
331822ad15 Merge pull request #47 from anenviousguest/master 2015-10-15 12:53:10 +02:00
Vladislav Ponomarev
ac7546d9f2 Fix group base DN is erroneously used in place of user base DN
refs #10340
refs #10367

Signed-off-by: Eric Lippmann <eric.lippmann@netways.de>
2015-10-15 12:52:17 +02:00
Johannes Meyer
d6432cd881 LdapUserGroupBackend: Fix invalid query column initialization, again
I've mistakenly reverted a change from Aaron Collins that would have
prevented this issue from occuring.

fixes #10318
2015-10-09 03:53:22 +02:00
Johannes Meyer
8358f82885 LdapUserGroupBackend: Do not consider every "member" as a "user"
Not all members of a group are actual user objects. I would have liked to
actually only show real users, but this is currently not possible.

refs #9772
2015-09-29 11:29:05 +02:00
Johannes Meyer
d33b1954aa LdapUserGroupBackend: Fetch the uid for a member's DN
refs #9772
2015-09-29 09:48:57 +02:00
Johannes Meyer
ef1a81897b LdapUserGroupBackend: Automatically unfold the user_name attribute
refs #9772
2015-09-29 09:48:22 +02:00
Johannes Meyer
b7ddb6e4c2 LdapUserGroupBackend: Register the user backend for later use
refs #9772
2015-09-29 09:44:01 +02:00
Johannes Meyer
e7e3520375 LdapUserGroupBackend: Fix method getMemberships()
refs #9950
2015-09-28 10:57:17 +02:00
Johannes Meyer
e5f2174c1e LdapUserGroupBackend: Restore method requireTable()
refs #9950
2015-09-25 16:24:16 +02:00
Johannes Meyer
fe9ee48d65 LdapUserGroupBackend: Fix incorrect table name initialization
refs #9950
2015-09-25 16:23:13 +02:00
Johannes Meyer
b19ecbfb43 LdapUserGroupBackend: Remove the remaining code duplicates
refs #9950
refs #9772
2015-09-25 16:21:33 +02:00
Aaron Collins
23631c8f39 changed order of posix check
refs #9950

Signed-off-by: Eric Lippmann <eric.lippmann@netways.de>
2015-09-25 14:35:08 +02:00
Aaron Collins
73715c94b1 Fixes for ldap group auth
The current LdapUserGroupBackend was incomplete and suffered from a little over zealous copy pasta.  It had over written certain functions that where unnecessary such as the constructor and a table validator.  This patch aims to clean those up.  Additionally it also makes this group auth work with posixGroup that use the username as the member identifier and not just inetGroups that use the full dn

refs #9950

Signed-off-by: Eric Lippmann <eric.lippmann@netways.de>
2015-09-25 14:34:33 +02:00
Matthias Jentsch
b69311165c Conform to coding guidelines 2015-09-22 14:53:29 +02:00
Matthias Jentsch
42fb1a174b Do not crash when ldap_dn is defined in additional variables
refs #9950
2015-09-22 14:08:15 +02:00
Matthias Jentsch
46f2f71c57 Improve logging of membership queries
refs #9950
2015-09-22 13:02:08 +02:00