Quote from st...@ing-steen.se:
> Hello Jan!
>
>>
>> Message: 2
>> Date: Thu, 15 Apr 2010 09:44:10 +0200
>> From: Jan Schneider <j...@horde.org>
>> To: imp@lists.horde.org
>> Subject: Re: [imp] Limit ldap user lists based on group membership.
>> Message-ID: <20100415094410.75972wtpz6jyr...@neo.wg.de>
>> Content-Type: text/plain; charset=ISO-8859-1; DelSp="Yes";
>> format="flowed"
>>
>> Quote from st...@ing-steen.se:
>>
>> >> Quote from st...@ing-steen.se:
>> >>
>> >> >
>> >> > Hello Folks!
>> >> >
>> >> > How do I limit the user list based on the ldap group of the
>> >> > administrator logged in (all are posix users and groups + shadow
>> >> > account)?
>> >> >
>> >> > In my case the ldap group is the same as the logged in user's mail
>> >> > domain.
>> >> > I have been looking around in the code, admin/user.php uses
>> >> > $users = $auth->listUsers(); for listing users.
>> >> >
>> >> > Or.. maybe Horde was not designed for more advanced user
>> >> > administration tasks..
>> >>
>> >> No, it's not indeed. You can try to work around this by adding some
>> >> PHP code to horde/config/conf.php. You can change the filters in the
>> >> auth configuration dynamically, based on the current user. If your
>> >> user names are full DNs, you can simply extract the group from
>> >> Auth::getAuth(). Otherwise you'd have to do a separate LDAP lookup.
>> >
>> > I tried to add some PHP code in horde/config/conf.php which sets
>> > $conf['auth']['params']['filter'] so it sorts our users by group; it
>> > fails with Auth::getAuth(). It seems like conf.php is read in before
>> > I have the user logged in. If only I could get hold of the logged in
>> > user at this stage it would work; faking a user by setting it
>> > statically in the additional conf.php code makes it work for that user.
>> >
>> > Then trying to use _horde_hook_preauthenticate almost works, now
>> > Auth::getAuth() is populated correctly and
>> > $GLOBALS['conf']['auth']['params']['filter'] is also set, BUT the value
>> > seems to get lost, because if I print it out in the
>> > lib/Horde/Auth/ldap.php listUsers() function (echo 'filter ' . $filter;)
>> > the old filter value comes back again.
>> >
>> > I got the feeling that it is something with GLOBALS preventing me from
>> > setting a proper value for filter, how do I continue?
>>
>> The configuration is cached in the session. Try a:
>> $GLOBALS['registry']->clearCache();
>> before changing the configuration parameter.
>>
>> Jan.
>>
>
> Thanks for the swift reply!
>
> I added the clearCache in the hook before setting the variable and it did
> not help either, the result is exactly the same as before:
>
> $GLOBALS['registry']->clearCache();
> $GLOBALS['conf']['auth']['params']['filter'] =
>     '(&(objectclass=shadowaccount)(|(gidNumber=' . $ggg .
>     ')(uid=kalle)(uid=Administrator)))';
>
> $ggg contains the LDAP evaluated group id.
Probably because the configuration is reloaded on the next request,
because the cache has been emptied.
Try re-adding the dynamic code to conf.php, and call clearCache() in
the postauthenticate hook. This way the configuration should be
reloaded on the request after the authentication request, so you have
the user name available when building the filter in conf.php.
As another safe-guard you can only set the filter if the user has
already been authenticated, i.e.:

if (Auth::getAuth()) {
    $conf['ldap']['params']['filter'] = 'foo' . Auth::getAuth() . 'bar';
}
Hello Jan!
Thanks, it did not help, same result!
It seems like horde never enters the 'safe-guard'. To be noticed, I tried
both the preauth hook and the post hook, same result, it did not work.
In conf.php:

...
if (Auth::getAuth()) {
    $ds = @ldap_connect('127.0.0.1');
    @ldap_set_option($ds, LDAP_OPT_PROTOCOL_VERSION, 3);
    @ldap_bind($ds, 'cn=Manager,dc=my-domain,dc=com', 'horde');
    $searchResults = @ldap_search($ds,
        'dc=Users,dc=my-domain,dc=com', 'uid=' . Auth::getAuth());
    $information = @ldap_get_entries($ds, $searchResults);
    @ldap_close($ds);
    $ggg = $information[0]['gidnumber'][0];
    $uuu = $information[0]['uid'][0];
    if ($uuu != $conf['auth']['superadmin']) {
        $conf['auth']['params']['filter'] =
            '(&(objectclass=shadowaccount)(gidNumber=' . $ggg . '))';
    }
}

And in hooks.php:

...
if (!function_exists('_horde_hook_postauthenticate')) {
    function _horde_hook_postauthenticate($userID, $credential, $realm)
    {
        $GLOBALS['registry']->clearCache();
        $ret = true;
        return $ret;
    }
}

Also, to check if the code was/is reloaded, we changed conf.php
manually and saved it during one session, same result:
the $GLOBALS['conf']['auth']['params']['filter'] did not change.
I also hacked the ldap.php file to see if there was some problem setting
the GLOBALS variable:

$GLOBALS['conf']['auth']['params']['filter'] =
    '(&(objectclass=shadowaccount)(|(gidNumber=1002)))';
$filter = $this->_getParamFilter();
echo $filter;

Result that is printed:
(objectclass=shadowaccount)
Not the expected (&(objectclass=shadowaccount)(|(gidNumber=1002)))
This verifies that there is some problem setting the
$GLOBALS['conf']['auth']['params']['filter'], maybe it is a limitation in horde??
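The following is an added, self-contained example (not code from the thread, from Horde, or from either poster) of the arrangement Jan describes: clearing the cached configuration in the postauthenticate hook, and having conf.php narrow the auth filter only once Auth::getAuth() returns a user. It assumes the Horde 3 names used above (Auth::getAuth(), $GLOBALS['registry']->clearCache(), _horde_hook_postauthenticate, $conf['auth']['params']['filter'], $conf['auth']['superadmin']); the host, bind DN, password and base DN are placeholders taken from the thread and must be replaced. Two points differ from the posted conf.php: the user name is escaped per RFC 4515 before it is placed in the search filter, so a login containing filter metacharacters cannot change the filter's meaning, and every LDAP failure leaves the configured filter untouched rather than producing an empty or malformed one.

```php
<?php
// Added example, not part of the original thread or of Horde itself.

// --- hooks.php ----------------------------------------------------------
if (!function_exists('_horde_hook_postauthenticate')) {
    function _horde_hook_postauthenticate($userID, $credential, $realm)
    {
        // The configuration is cached in the session. Dropping the cache
        // here makes conf.php run again on the next request, when
        // Auth::getAuth() already returns the user name.
        $GLOBALS['registry']->clearCache();
        return true;
    }
}

// --- conf.php (appended after the generated $conf array) ----------------
if (!function_exists('_conf_ldap_filter_escape')) {
    // Escape a value for use inside an LDAP search filter (RFC 4515).
    // PHP >= 5.6 provides ldap_escape(); the fallback covers older installs.
    function _conf_ldap_filter_escape($value)
    {
        if (function_exists('ldap_escape')) {
            return ldap_escape($value, '', LDAP_ESCAPE_FILTER);
        }
        return str_replace(
            array('\\',   '*',    '(',    ')',    "\0"),
            array('\\5c', '\\2a', '\\28', '\\29', '\\00'),
            $value
        );
    }

    // Return the numeric primary gid of $uid, or null on any failure.
    // Hypothetical helper; host, bind DN and base DN are placeholders.
    function _conf_lookup_gid($uid)
    {
        $ds = ldap_connect('127.0.0.1');
        if ($ds === false) {
            return null;
        }
        ldap_set_option($ds, LDAP_OPT_PROTOCOL_VERSION, 3);
        // Use a read-only service account here, not the directory manager.
        if (!@ldap_bind($ds, 'cn=Manager,dc=my-domain,dc=com', 'horde')) {
            ldap_close($ds);
            return null;
        }
        $filter = '(uid=' . _conf_ldap_filter_escape($uid) . ')';
        $res = @ldap_search($ds, 'dc=Users,dc=my-domain,dc=com', $filter,
                            array('gidNumber'));
        $gid = null;
        if ($res !== false) {
            $entries = ldap_get_entries($ds, $res);
            // Exactly one entry with an all-digit gidNumber, nothing else.
            if ($entries['count'] === 1
                && isset($entries[0]['gidnumber'][0])
                && ctype_digit($entries[0]['gidnumber'][0])) {
                $gid = $entries[0]['gidnumber'][0];
            }
        }
        ldap_close($ds);
        return $gid;
    }
}

// Before login the driver must still see the unrestricted filter, otherwise
// the login itself cannot find the user; narrow it only for an
// authenticated, non-superadmin user.
$_user = Auth::getAuth();
if ($_user && $_user !== $conf['auth']['superadmin']) {
    $_gid = _conf_lookup_gid($_user);
    if ($_gid !== null) {
        $conf['auth']['params']['filter'] =
            '(&(objectclass=shadowaccount)(gidNumber=' . $_gid . '))';
    }
}
```

The functions are wrapped in function_exists() guards, like the hook in hooks.php, so that conf.php being included more than once in a request does not fatal on a redeclaration. Because the lookup returns null on connect, bind, search or validation failure, a directory outage degrades to the static filter configured in the administration UI instead of an empty user list or a PHP warning.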