author | jim-p <jimp@pfsense.org> | 2015-09-14 14:36:16 -0400 |
---|---|---|
committer | jim-p <jimp@pfsense.org> | 2015-09-14 14:36:31 -0400 |
commit | 149efbeac4e6eaa9d8062f26bbc172c86020e231 (patch) | |
tree | 70f4de95dd8a97f01a85456deea6bbd62afc7ef7 /src | |
parent | d137967b79096540b0b6d5d74b773c559dd5616c (diff) | |
Add support for LDAP RFC2307 style group membership. Resolves #4923
Diffstat (limited to 'src')
-rw-r--r-- | src/etc/inc/auth.inc | 25 | ||||
-rw-r--r-- | src/usr/local/www/system_authservers.php | 28 |
2 files changed, 45 insertions, 8 deletions
diff --git a/src/etc/inc/auth.inc b/src/etc/inc/auth.inc
index 23dcab7..6f19ee4 100644
--- a/src/etc/inc/auth.inc
+++ b/src/etc/inc/auth.inc
@@ -1032,7 +1032,11 @@ function ldap_get_groups($username, $authcfg) {
 $ldapauthcont = $authcfg['ldap_authcn'];
 $ldapnameattribute = strtolower($authcfg['ldap_attr_user']);
 $ldapgroupattribute = strtolower($authcfg['ldap_attr_member']);
- $ldapfilter = "({$ldapnameattribute}={$username})";
+ if (isset($authcfg['ldap_rfc2307'])) {
+ $ldapfilter = "(&(objectClass={$authcfg['ldap_attr_groupobj']})({$ldapgroupattribute}={$username}))";
+ } else {
+ $ldapfilter = "({$ldapnameattribute}={$username})";
+ }
 $ldaptype = "";
 $ldapver = $authcfg['ldap_protver'];
 if (empty($ldapbindun) || empty($ldapbindpw)) {
@@ -1048,7 +1052,11 @@ function ldap_get_groups($username, $authcfg) {
 return false;
 }
- $ldapdn = $_SESSION['ldapdn'];
+ if (isset($authcfg['ldap_rfc2307'])) {
+ $ldapdn = $ldapbasedn;
+ } else {
+ $ldapdn = $_SESSION['ldapdn'];
+ }
 /*Convert attribute to lowercase. php ldap arrays put everything in lowercase */
 $ldapgroupattribute = strtolower($ldapgroupattribute); 
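Review bot: The new RFC 2307 branch of `$ldapfilter` interpolates `$username` (and the admin-supplied `$authcfg['ldap_attr_groupobj']`) straight into the LDAP search filter without escaping filter metacharacters, so a value containing `*`, `(`, `)` or `\` rewrites the query — `(memberUid=*)` would match every group and hand the user every mapped group — unless the caller already escapes it, which is not visible in this hunk. The pre-existing non-RFC branch has the same shape, but this commit adds a second unescaped interpolation rather than fixing the pattern. Escape the value once before the `if` and use it in both branches, e.g. `$safeuser = ldap_escape($username, '', LDAP_ESCAPE_FILTER);` (PHP 5.6+; on older PHP a hand-written RFC 4515 escape of `\`, `*`, `(`, `)` and NUL), and constrain `ldap_attr_groupobj` to a plain object-class name where it is saved. ldap_get_groups() begins and ends outside this hunk.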
@@ -1102,14 +1110,15 @@ function ldap_get_groups($username, $authcfg) {
 $search = @$ldapfunc($ldap, $ldapdn, $ldapfilter, array($ldapgroupattribute));
 $info = @ldap_get_entries($ldap, $search);
- $countem = $info["count"];
+ $gresults = isset($authcfg['ldap_rfc2307']) ? $info : $info[0][$ldapgroupattribute];
- if (is_array($info[0][$ldapgroupattribute])) {
+ if(is_array($gresults)) {
 /* Iterate through the groups and throw them into an array */
- foreach ($info[0][$ldapgroupattribute] as $member) {
- if (stristr($member, "CN=") !== false) {
- $membersplit = explode(",", $member);
- $memberof[] = preg_replace("/CN=/i", "", $membersplit[0]);
+ foreach ($gresults as $grp) {
+ if (((isset($authcfg['ldap_rfc2307'])) && (stristr($grp["dn"], "CN=") !== false)) || ((!isset($authcfg['ldap_rfc2307'])) && (stristr($grp, "CN=") !== false))) {
+ $grpsplit = isset($authcfg['ldap_rfc2307']) ? explode(",", $grp["dn"]) : explode(",", $grp);
+ $memberof[] = preg_replace("/CN=/i", "", $grpsplit[0]);
 }
 }
 }
diff --git a/src/usr/local/www/system_authservers.php b/src/usr/local/www/system_authservers.php
index 1bf47ea..72780b1 100644
--- a/src/usr/local/www/system_authservers.php
+++ b/src/usr/local/www/system_authservers.php
@@ -143,8 +143,10 @@ if ($act == "edit") {
 $pconfig['ldap_attr_user'] = $a_server[$id]['ldap_attr_user'];
 $pconfig['ldap_attr_group'] = $a_server[$id]['ldap_attr_group'];
 $pconfig['ldap_attr_member'] = $a_server[$id]['ldap_attr_member'];
+ $pconfig['ldap_attr_groupobj'] = $a_server[$id]['ldap_attr_groupobj'];
 $pconfig['ldap_utf8'] = isset($a_server[$id]['ldap_utf8']);
 $pconfig['ldap_nostrip_at'] = isset($a_server[$id]['ldap_nostrip_at']);
+ $pconfig['ldap_rfc2307'] = isset($a_server[$id]['ldap_rfc2307']);
 if (!$pconfig['ldap_binddn'] || !$pconfig['ldap_bindpw']) {
 $pconfig['ldap_anon'] = true; 
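Review bot: In RFC 2307 mode `$gresults` is the raw `ldap_get_entries()` result, which carries a `"count"` key holding an integer, so the new `foreach ($gresults as $grp)` also visits that entry and evaluates `$grp["dn"]` on an int (silently null on the PHP of the day, a notice on newer versions). Strip it before the loop, `unset($gresults["count"]);`, or make `if (!is_array($grp)) { continue; }` the first statement of the loop body. Separately, `if(is_array($gresults)) {` lacks the space after `if` that every other condition in the hunk uses. Both branches still take the group name as the first comma-delimited RDN via `explode(",", …)`, which truncates a CN containing an escaped comma; `ldap_explode_dn($dn, 1)` would handle that, though this is pre-existing behaviour. ldap_get_groups() begins and ends outside this hunk.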
@@ -296,6 +298,9 @@ if ($_POST) {
 $server['ldap_attr_user'] = $pconfig['ldap_attr_user'];
 $server['ldap_attr_group'] = $pconfig['ldap_attr_group'];
 $server['ldap_attr_member'] = $pconfig['ldap_attr_member'];
+
+ $server['ldap_attr_groupobj'] = empty($pconfig['ldap_attr_groupobj']) ? "posixGroup" : $pconfig['ldap_attr_groupobj'];
+
 if ($pconfig['ldap_utf8'] == "yes") {
 $server['ldap_utf8'] = true;
 } else {
@@ -306,6 +311,11 @@ if ($_POST) {
 } else {
 unset($server['ldap_nostrip_at']);
 }
+ if ($pconfig['ldap_rfc2307'] == "yes") {
+ $server['ldap_rfc2307'] = true;
+ } else {
+ unset($server['ldap_rfc2307']);
+ }
 if (!$pconfig['ldap_anon']) {
@@ -641,6 +651,24 @@ $section->addInput(new Form_Input(
 ));
 $section->addInput(new Form_Checkbox(
+ 'ldap_rfc2307',
+ 'RFC 2307 Groups',
+ 'LDAP Server uses RFC 2307 style group membership',
+ $pconfig['ldap_rfc2307']
+))->setHelp('RFC 2307 style group membership has members listed on the group '. 'object rather than using groups listed on user object. Leave unchecked '. 'for Active Directory style group membership (RFC 2307bis).');
+
+$section->addInput(new Form_Input(
+ 'ldap_attr_groupobj',
+ 'Group Object Class',
+ 'text',
+ $pconfig['ldap_attr_groupobj'],
+ ['placeholder' => 'posixGroup']
+))->setHelp('Object class used for groups in RFC2307 mode. '. 'Typically "posixGroup" or "group".');
+
+$section->addInput(new Form_Checkbox(
 'ldap_utf8',
 'UTF8 Encode',
 'UTF8 encode LDAP parameters before sending them to the server.', |
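Review bot: The added `$server['ldap_attr_groupobj']` line stores the submitted value with only an empty-string fallback to `"posixGroup"` and no format check, yet auth.inc splices it verbatim into an LDAP search filter as `objectClass={$authcfg['ldap_attr_groupobj']}`, so a stray `)` or `*` produces a malformed or over-broad group query. An object class name is letters, digits and hyphens, so reject anything else next to the form's other `$input_errors` checks, which sit before this hunk: `if (!empty($pconfig['ldap_attr_groupobj']) && !preg_match('/^[A-Za-z][A-Za-z0-9-]*$/', $pconfig['ldap_attr_groupobj'])) { $input_errors[] = gettext("Group Object Class may contain only letters, digits and hyphens."); }`. The field is admin-only, so this is a robustness and defence-in-depth point rather than a privilege boundary. The enclosing `if ($_POST)` handler begins before this hunk.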