Add scope options to LDAP auth backend FS#1832

The scope for the LDAP searches for users and groups can now be set using the new options 'userscope' and 'groupscope'. Valid options are 'base', 'one' and 'sub'. Defaults to 'sub'.

Add scope options to LDAP auth backend FS#1832
The scope for the LDAP searches for users and groups can now be set using the new options 'userscope' and 'groupscope'. Valid options are 'base', 'one' and 'sub'. Defaults to 'sub'.
de3427db · Andreas Gohr · e2cf9671 · de3427db
Commit de3427db authored 14 years ago by Andreas Gohr
--- a/inc/auth/ldap.class.php
+++ b/inc/auth/ldap.class.php
@@ -27,7 +27,9 @@ class auth_ldap extends auth_basic {
            return;
        }

-        if(empty($this->cnf['groupkey'])) $this->cnf['groupkey'] = 'cn';
+        if(empty($this->cnf['groupkey']))   $this->cnf['groupkey']   = 'cn';
+        if(empty($this->cnf['userscope']))  $this->cnf['userscope']  = 'sub';
+        if(empty($this->cnf['groupscope'])) $this->cnf['groupscope'] = 'sub';

        // auth_ldap currently just handles authentication, so no
        // capabilities are set
@@ -171,7 +173,7 @@ class auth_ldap extends auth_basic {
            $filter = "(ObjectClass=*)";
        }

-        $sr     = @ldap_search($this->con, $base, $filter);
+        $sr     = $this->_ldapsearch($this->con, $base, $filter, $this->cnf['userscope']);
        $result = @ldap_get_entries($this->con, $sr);
        if($this->cnf['debug']){
            msg('LDAP user search: '.htmlspecialchars(ldap_error($this->con)),0,__LINE__,__FILE__);
@@ -219,7 +221,7 @@ class auth_ldap extends auth_basic {
        if ($this->cnf['grouptree'] && $this->cnf['groupfilter']) {
            $base   = $this->_makeFilter($this->cnf['grouptree'], $user_result);
            $filter = $this->_makeFilter($this->cnf['groupfilter'], $user_result);
-            $sr = @ldap_search($this->con, $base, $filter, array($this->cnf['groupkey']));
+            $sr = $this->_ldapsearch($this->con, $base, $filter, $this->cnf['groupscope'], array($this->cnf['groupkey']));
            if(!$sr){
                msg("LDAP: Reading group memberships failed",-1);
                if($this->cnf['debug']){
@@ -352,6 +354,28 @@ class auth_ldap extends auth_basic {

        return true;
    }
+
+    /**
+     * Wraps around ldap_search, ldap_list or ldap_read depending on $scope
+     *
+     * @param  $scope string - can be 'base', 'one' or 'sub'
+     * @author Andreas Gohr <andi@splitbrain.org>
+     */
+    function _ldapsearch($link_identifier, $base_dn, $filter, $scope='sub', $attributes=null,
+                         $attrsonly=0, $sizelimit=0, $timelimit=0, $deref=LDAP_DEREF_NEVER){
+        if(is_null($attributes)) $attributes = array();
+
+        if($scope == 'base'){
+            return @ldap_read($link_identifier, $base_dn, $filter, $attributes,
+                             $attrsonly, $sizelimit, $timelimit, $deref);
+        }elseif($scope == 'one'){
+            return @ldap_list($link_identifier, $base_dn, $filter, $attributes,
+                             $attrsonly, $sizelimit, $timelimit, $deref);
+        }else{
+            return @ldap_search($link_identifier, $base_dn, $filter, $attributes,
+                                $attrsonly, $sizelimit, $timelimit, $deref);
+        }
+    }
 }

 //Setup VIM: ex: et ts=4 enc=utf-8 :