authorjim-p <jimp@pfsense.org>2015-09-14 14:36:16 -0400
committerjim-p <jimp@pfsense.org>2015-09-14 14:36:31 -0400
commit149efbeac4e6eaa9d8062f26bbc172c86020e231 (patch)
tree70f4de95dd8a97f01a85456deea6bbd62afc7ef7 /src
parentd137967b79096540b0b6d5d74b773c559dd5616c (diff)
downloadpfsense-149efbeac4e6eaa9d8062f26bbc172c86020e231.zip
pfsense-149efbeac4e6eaa9d8062f26bbc172c86020e231.tar.gz
Add support for LDAP RFC2307 style group membership. Resolves #4923
Diffstat (limited to 'src')
-rw-r--r--src/etc/inc/auth.inc25
-rw-r--r--src/usr/local/www/system_authservers.php28
2 files changed, 45 insertions, 8 deletions
diff --git a/src/etc/inc/auth.inc b/src/etc/inc/auth.inc
index 23dcab7..6f19ee4 100644
--- a/src/etc/inc/auth.inc
+++ b/src/etc/inc/auth.inc
@@ -1032,7 +1032,11 @@ function ldap_get_groups($username, $authcfg) {
$ldapauthcont = $authcfg['ldap_authcn'];
$ldapnameattribute = strtolower($authcfg['ldap_attr_user']);
$ldapgroupattribute = strtolower($authcfg['ldap_attr_member']);
- $ldapfilter = "({$ldapnameattribute}={$username})";
+ if (isset($authcfg['ldap_rfc2307'])) {
+ $ldapfilter = "(&(objectClass={$authcfg['ldap_attr_groupobj']})({$ldapgroupattribute}={$username}))";
+ } else {
+ $ldapfilter = "({$ldapnameattribute}={$username})";
+ }
$ldaptype = "";
$ldapver = $authcfg['ldap_protver'];
if (empty($ldapbindun) || empty($ldapbindpw)) {
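Review bot: The new RFC 2307 filter on the added line interpolates `$username` (and `$authcfg['ldap_attr_groupobj']`) verbatim, so a value containing LDAP filter metacharacters (`*`, `(`, `)`, `\`) alters the query instead of being matched literally; the pre-existing user-DN filter has the same shape, but this branch now searches every group object under the base DN, where an unescaped wildcard would widen the match to all groups. If the platform's PHP provides `ldap_escape()` (5.6+), `$ldapfilter = "(&(objectClass={$authcfg['ldap_attr_groupobj']})({$ldapgroupattribute}=" . ldap_escape($username, '', LDAP_ESCAPE_FILTER) . "))";` keeps the username literal. ldap_get_groups() begins before this hunk, so whatever normalisation `$username` receives earlier is not visible here.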
@@ -1048,7 +1052,11 @@ function ldap_get_groups($username, $authcfg) {
return false;
}
- $ldapdn = $_SESSION['ldapdn'];
+ if (isset($authcfg['ldap_rfc2307'])) {
+ $ldapdn = $ldapbasedn;
+ } else {
+ $ldapdn = $_SESSION['ldapdn'];
+ }
/*Convert attribute to lowercase. php ldap arrays put everything in lowercase */
$ldapgroupattribute = strtolower($ldapgroupattribute);
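Review bot: The reason for switching the search base from the user's DN to `$ldapbasedn` in RFC 2307 mode is not stated, and `$ldapbasedn` is not assigned anywhere in this hunk (presumably earlier in ldap_get_groups(), which starts outside it). A one-line comment on the new branch would save the next reader a trip to the RFC: `/* RFC 2307: membership is stored on the group objects, so search from the base DN rather than from the authenticated user's DN */`. Note that the search function and scope chosen for the user lookup are reused unchanged for this group search; whether a one-level scope reaches groups kept in a different container than the users is worth confirming.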
@@ -1102,14 +1110,15 @@ function ldap_get_groups($username, $authcfg) {
$search = @$ldapfunc($ldap, $ldapdn, $ldapfilter, array($ldapgroupattribute));
$info = @ldap_get_entries($ldap, $search);
- $countem = $info["count"];
+ $gresults = isset($authcfg['ldap_rfc2307']) ? $info : $info[0][$ldapgroupattribute];
- if (is_array($info[0][$ldapgroupattribute])) {
+ if(is_array($gresults)) {
/* Iterate through the groups and throw them into an array */
- foreach ($info[0][$ldapgroupattribute] as $member) {
- if (stristr($member, "CN=") !== false) {
- $membersplit = explode(",", $member);
- $memberof[] = preg_replace("/CN=/i", "", $membersplit[0]);
+ foreach ($gresults as $grp) {
+ if (((isset($authcfg['ldap_rfc2307'])) && (stristr($grp["dn"], "CN=") !== false))
+ || ((!isset($authcfg['ldap_rfc2307'])) && (stristr($grp, "CN=") !== false))) {
+ $grpsplit = isset($authcfg['ldap_rfc2307']) ? explode(",", $grp["dn"]) : explode(",", $grp);
+ $memberof[] = preg_replace("/CN=/i", "", $grpsplit[0]);
}
}
}
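Review bot: In RFC 2307 mode `$gresults` is the raw `ldap_get_entries()` array, which carries a `"count"` element alongside the numeric entries, so the `foreach` also visits an integer and evaluates `$grp["dn"]` on it (silently skipped today, a notice on newer PHP). The five repeated `isset($authcfg['ldap_rfc2307'])` checks, including the doubled condition inside the `if`, can be collapsed by normalising both modes into a list of DN strings before one shared loop; `if(is_array(` is also missing the space after `if` used elsewhere in the file. The CN-prefix handling below is kept as is; ldap_get_groups() continues past this hunk.
```php
$rfc2307 = isset($authcfg['ldap_rfc2307']);
$gresults = array();
if ($rfc2307) {
	/* ldap_get_entries() puts a "count" element next to the entries; collect only the group DNs */
	for ($i = 0; is_array($info) && $i < $info["count"]; $i++) {
		$gresults[] = $info[$i]["dn"];
	}
} elseif (is_array($info[0][$ldapgroupattribute])) {
	$gresults = $info[0][$ldapgroupattribute];
}
/* Iterate through the groups and throw them into an array */
foreach ($gresults as $grp) {
	if (stristr($grp, "CN=") !== false) {
		$grpsplit = explode(",", $grp);
		$memberof[] = preg_replace("/CN=/i", "", $grpsplit[0]);
	}
}
```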
diff --git a/src/usr/local/www/system_authservers.php b/src/usr/local/www/system_authservers.php
index 1bf47ea..72780b1 100644
--- a/src/usr/local/www/system_authservers.php
+++ b/src/usr/local/www/system_authservers.php
@@ -143,8 +143,10 @@ if ($act == "edit") {
$pconfig['ldap_attr_user'] = $a_server[$id]['ldap_attr_user'];
$pconfig['ldap_attr_group'] = $a_server[$id]['ldap_attr_group'];
$pconfig['ldap_attr_member'] = $a_server[$id]['ldap_attr_member'];
+ $pconfig['ldap_attr_groupobj'] = $a_server[$id]['ldap_attr_groupobj'];
$pconfig['ldap_utf8'] = isset($a_server[$id]['ldap_utf8']);
$pconfig['ldap_nostrip_at'] = isset($a_server[$id]['ldap_nostrip_at']);
+ $pconfig['ldap_rfc2307'] = isset($a_server[$id]['ldap_rfc2307']);
if (!$pconfig['ldap_binddn'] || !$pconfig['ldap_bindpw']) {
$pconfig['ldap_anon'] = true;
@@ -296,6 +298,9 @@ if ($_POST) {
$server['ldap_attr_user'] = $pconfig['ldap_attr_user'];
$server['ldap_attr_group'] = $pconfig['ldap_attr_group'];
$server['ldap_attr_member'] = $pconfig['ldap_attr_member'];
+
+ $server['ldap_attr_groupobj'] = empty($pconfig['ldap_attr_groupobj']) ? "posixGroup" : $pconfig['ldap_attr_groupobj'];
+
if ($pconfig['ldap_utf8'] == "yes") {
$server['ldap_utf8'] = true;
} else {
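Review bot: `ldap_attr_groupobj` is saved verbatim (only an empty value is replaced by `posixGroup`) and, per the auth.inc change in this commit, interpolated straight into an LDAP search filter, yet no validation of it is visible in this hunk. An LDAP object class name is a descriptor made of letters, digits and hyphens, so rejecting the save when `!empty($pconfig['ldap_attr_groupobj']) && !preg_match('/^[A-Za-z][A-Za-z0-9-]*$/', $pconfig['ldap_attr_groupobj'])` in the page's input-validation step would keep filter-breaking characters out of the stored config. That validation step, if present, lies outside this hunk.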
@@ -306,6 +311,11 @@ if ($_POST) {
} else {
unset($server['ldap_nostrip_at']);
}
+ if ($pconfig['ldap_rfc2307'] == "yes") {
+ $server['ldap_rfc2307'] = true;
+ } else {
+ unset($server['ldap_rfc2307']);
+ }
if (!$pconfig['ldap_anon']) {
@@ -641,6 +651,24 @@ $section->addInput(new Form_Input(
));
$section->addInput(new Form_Checkbox(
+ 'ldap_rfc2307',
+ 'RFC 2307 Groups',
+ 'LDAP Server uses RFC 2307 style group membership',
+ $pconfig['ldap_rfc2307']
+))->setHelp('RFC 2307 style group membership has members listed on the group '.
+ 'object rather than using groups listed on user object. Leave unchecked '.
+ 'for Active Directory style group membership (RFC 2307bis).');
+
+$section->addInput(new Form_Input(
+ 'ldap_attr_groupobj',
+ 'Group Object Class',
+ 'text',
+ $pconfig['ldap_attr_groupobj'],
+ ['placeholder' => 'posixGroup']
+))->setHelp('Object class used for groups in RFC2307 mode. '.
+ 'Typically "posixGroup" or "group".');
+
+$section->addInput(new Form_Checkbox(
'ldap_utf8',
'UTF8 Encode',
'UTF8 encode LDAP parameters before sending them to the server.',