From 222efdce8f0f7d4f2d5c3cbb9c45e798248abbf5 Mon Sep 17 00:00:00 2001
From: Scott Ullrich
Date: Mon, 31 Dec 2007 22:55:27 +0000
Subject: Remove the need to define authetnication containers. Now a user can login anywhere in the LDAP tree and will use the groups to deterimine the access privs. Work sponsored-by: Centipede Networks
---
 etc/inc/auth.inc | 29 ++++++++++++++++++++++-------
 1 file changed, 22 insertions(+), 7 deletions(-)
(limited to 'etc/inc/auth.inc')
diff --git a/etc/inc/auth.inc b/etc/inc/auth.inc
index aa31f08..3f88069 100644
--- a/etc/inc/auth.inc
+++ b/etc/inc/auth.inc
@@ -723,6 +723,9 @@ function ldap_get_groups($username) {
 $status = htpasswd_backed($username, $passwd);
 return $status;
 }
+
+ ldap_set_option($ldap, LDAP_OPT_REFERRALS, 0);
+ ldap_set_option($ldap, LDAP_OPT_PROTOCOL_VERSION, 3);
 if (!($res = @ldap_bind($ldap, $ldapbindun, $ldapbindpw))) {
 log_error("ERROR! ldap_get_groups() could not bind to {$ldapserver} - {$ldapfilter}. Defaulting to built-in htpasswd_backed()");
@@ -732,12 +735,8 @@ function ldap_get_groups($username) {
 /* user specified login containers */
 $ldac_split = split(";", $ldapauthcontainers);
- foreach($ldac_split as $ldac) {
- $search = ldap_search($ldap, $ldac, $ldapfilter, array('memberOf'));
- if($search)
- break; // found the container
- }
-
+ $search = ldap_search($ldap, $ldapsearchbase, $ldapfilter);
+
 if(!$search) {
 log_error("ERROR! Could not locate User group container for username {}$username}.");
 log_error(" Please ensure that the needed container is defined in the ldap auth containers setting feature.");
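Review bot: In the `@@ -723,6 +723,9 @@` hunk both ldap_set_option() calls discard their return value, so if protocol version 3 cannot be selected the ldap_bind() that follows still runs and nothing is logged. A check such as `if (!ldap_set_option($ldap, LDAP_OPT_PROTOCOL_VERSION, 3)) log_error("ERROR! ldap_get_groups() could not set LDAP protocol version 3");` would make that failure visible. The connection setup is outside the hunk, so whether `$ldapbindpw` travels over a protected channel cannot be judged from here.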
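Review bot: In the `@@ -732,12 +735,8 @@` hunk the search is now rooted at `$ldapsearchbase`, so `$ldapfilter` alone decides which entry is treated as the user, and nothing checks that it matched exactly one. The filter is built outside this hunk; if it embeds `$username`, that value needs LDAP filter escaping, because a wildcard or an injected clause now matches across the whole tree instead of only inside the configured containers. `$ldac_split = split(";", $ldapauthcontainers);` is left behind unused and can be dropped. The two log_error() messages after the search still tell the administrator to define a container (the first also has a stray `{}` before `$username`); something like `log_error("ERROR! No LDAP entry found for username {$username} under the search base.");` would match the new behaviour.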
@@ -746,6 +745,20 @@ function ldap_get_groups($username) {
 }
 $info = ldap_get_entries($ldap, $search);
+
+ /* find home container */
+ foreach($info as $inf) {
+ $inf_split = split(",", $inf['dn']);
+ $ou = $inf_split[1];
+ }
+
+ if(!$ou) {
+ log_error("Could not resolve users home container for {$username}");
+ return false;
+ }
+
+ $search = ldap_search($ldap, $ou . "," . $ldapsearchbase, $ldapfilter, array('memberOf'));
+ $info = ldap_get_entries($ldap, $search);
 $memberof = array();
@@ -761,7 +774,9 @@ function ldap_get_groups($username) {
 /* Time to close LDAP connection */
 ldap_close($ldap);
- log_error("Returning groups " . print_r($memberof,true) . " for user $username");
+ $groups = print_r($memberof,true);
+
+ log_error("Returning groups " . $groups . " for user $username");
 return $memberof;
 }
-- cgit v1.1
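Review bot: In the `@@ -746,6 +745,20 @@` hunk the home-container loop takes `$ou` from the second piece of `split(",", $inf['dn'])`, which is only right for an entry exactly one level below `$ldapsearchbase` whose RDN has no escaped comma; for a deeper entry `$ou . "," . $ldapsearchbase` names a different container or none. The loop also walks the `count` element that ldap_get_entries() returns and keeps whichever entry comes last, so when the filter matches several entries the groups returned may belong to a different account than the one that logged in. The second ldap_search() result goes to ldap_get_entries() unchecked, and the `return false` path skips the ldap_close() at the end of the function. Since the first search already locates the entry, asking for `array('memberOf')` there and rejecting anything but a single match, `if ($info['count'] != 1) { ldap_close($ldap); return false; }`, would make the DN parsing and the second search unnecessary.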