Hello Martin,

my first idea was the group feature until I saw you had ruled it out.

Then the custom email query function comes to the rescue, see
http://www.mailpiler.org/wiki/current:custom-authentication for more.

So let's say you have an ldap attribute called 'aaa' with value 'bbb'
having the required email addresses, and the manager is mana...@yourdomain.com.

Then put a similar function into config-site.php:

$config['CUSTOM_EMAIL_QUERY_FUNCTION'] = 'my_custom_func';

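function my_custom_func($username = '') {
   // Data stored in the session for the user who just authenticated
   $session = Registry::get('session');
   $data = $session->get("auth_data");

   $extra_emails = [];

   // Only the manager gets the additional addresses
   if($data['email'] == 'mana...@yourdomain.com') {
      // $ldap_host, $ldap_port, $ldap_helper_dn, $ldap_helper_password and
      // $ldap_base_dn are placeholders: they are not defined inside this
      // function, so set them to your own LDAP settings here
      $ldap = new LDAP($ldap_host, $ldap_port, $ldap_helper_dn, $ldap_helper_password);

      if($ldap->is_bind_ok()) {
         // Find the entries carrying attribute 'aaa' with value 'bbb'
         $query = $ldap->query($ldap_base_dn, "aaa=bbb");
         $extra_emails = $query->rows;
      }
   }

   // Add the extra addresses to the ones the user may already search
   $data['emails'] = array_merge($data['emails'], $extra_emails);

   $session->set("auth_data", $data);
}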

Note that you may have to fine-tune the LDAP query and do some polishing on the $query->rows part. Also be sure to check out the checkLoginAgainstLDAP_real() function in model/user/auth.php
to see how it works.


Janos

On 2019-11-22 20:30, Martin Nadvornik wrote:
Hello fellow piler users,

I am currently trying to find a way to give managers the ability to
search e-mails of employees who are no longer with the company. I know
that in general you can give the owner of one address the ability to
access other addresses by using an alias or distribution list. However
in our case the e-mail accounts of prior employees don't exist anymore
and their e-mail addresses should not be reachable. Therefore using aliases
or distribution lists is not an option.
It would be possible of course to create groups directly in piler but
maintaining such groups by hand is not really efficient. So I am looking
for a way to use the group feature using LDAP.
The easiest method for us would be if there was a config value that just
tells piler which LDAP attribute to use and just allows the logged in
user access to every address listed in the attribute. But this needs
some development effort as far as I can tell.

Is there anyone who has done this before? Any recommendations to solve
this are welcome.

Thanks,
Martin
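
One way to do the "polishing on the $query->rows part" mentioned in the reply, as an added example that is not part of the original messages or piler's own code. The function name, the 'mail' attribute, the allowed-domain list and the assumed row shape (attribute name mapped to a string or a list of strings) are all assumptions; the point is that only validated addresses in your own domains end up in $data['emails'], since that list decides whose mail the manager can search.

```php
<?php
// Added example. The row shape is an assumption, not piler's documented format:
// each row maps an LDAP attribute name to a string or to a list of strings.

/**
 * Flatten LDAP result rows into a de-duplicated list of e-mail addresses
 * that is safe to merge into $data['emails'].
 */
function emails_from_ldap_rows(array $rows, array $attrs, array $allowed_domains) {
   $emails = [];

   foreach($rows as $row) {
      if(!is_array($row)) { continue; }

      foreach($attrs as $attr) {
         if(!isset($row[$attr])) { continue; }

         // Accept a single value or a list; drop a 'count' entry if present
         $values = (array)$row[$attr];
         unset($values['count']);

         foreach($values as $v) {
            if(!is_string($v)) { continue; }
            $v = strtolower(trim($v));

            // Skip anything that is not a syntactically valid address
            if(filter_var($v, FILTER_VALIDATE_EMAIL) === false) { continue; }

            // Skip addresses outside the domains you archive
            $domain = substr($v, strrpos($v, '@') + 1);
            if(!in_array($domain, $allowed_domains, true)) { continue; }

            $emails[$v] = true;   // key by address to de-duplicate
         }
      }
   }

   return array_keys($emails);
}

// Constructed sample rows (not real directory data)
$rows = [
   ['dn' => 'cn=old1,dc=example,dc=com', 'mail' => 'Former.One@Example.com'],
   ['dn' => 'cn=old2,dc=example,dc=com',
    'mail' => ['count' => 2, 'former.two@example.com', 'former.two@other.test']],
   ['dn' => 'cn=old3,dc=example,dc=com', 'mail' => 'not an address'],
];

print_r(emails_from_ldap_rows($rows, ['mail'], ['example.com']));
```

In my_custom_func() the result of such a helper would replace the raw `$query->rows` assignment, so an empty or malformed LDAP answer adds no addresses.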
