Merge pull request #22203 from nextcloud/backport/21559/stable19
[stable19] shortcut in reading nested group members when IN_CHAIN is available
This commit is contained in:
commit
33db8a97c9
|
@ -45,6 +45,10 @@ class Configuration {
|
||||||
public const AVATAR_PREFIX_NONE = 'none';
|
public const AVATAR_PREFIX_NONE = 'none';
|
||||||
public const AVATAR_PREFIX_DATA_ATTRIBUTE = 'data:';
|
public const AVATAR_PREFIX_DATA_ATTRIBUTE = 'data:';
|
||||||
|
|
||||||
|
public const LDAP_SERVER_FEATURE_UNKNOWN = 'unknown';
|
||||||
|
public const LDAP_SERVER_FEATURE_AVAILABLE = 'available';
|
||||||
|
public const LDAP_SERVER_FEATURE_UNAVAILABLE = 'unavailable';
|
||||||
|
|
||||||
protected $configPrefix = null;
|
protected $configPrefix = null;
|
||||||
protected $configRead = false;
|
protected $configRead = false;
|
||||||
/**
|
/**
|
||||||
|
@ -110,6 +114,7 @@ class Configuration {
|
||||||
'ldapDynamicGroupMemberURL' => null,
|
'ldapDynamicGroupMemberURL' => null,
|
||||||
'ldapDefaultPPolicyDN' => null,
|
'ldapDefaultPPolicyDN' => null,
|
||||||
'ldapExtStorageHomeAttribute' => null,
|
'ldapExtStorageHomeAttribute' => null,
|
||||||
|
'ldapMatchingRuleInChainState' => self::LDAP_SERVER_FEATURE_UNKNOWN,
|
||||||
];
|
];
|
||||||
|
|
||||||
/**
|
/**
|
||||||
|
@ -482,6 +487,7 @@ class Configuration {
|
||||||
'ldap_default_ppolicy_dn' => '',
|
'ldap_default_ppolicy_dn' => '',
|
||||||
'ldap_user_avatar_rule' => 'default',
|
'ldap_user_avatar_rule' => 'default',
|
||||||
'ldap_ext_storage_home_attribute' => '',
|
'ldap_ext_storage_home_attribute' => '',
|
||||||
|
'ldap_matching_rule_in_chain_state' => self::LDAP_SERVER_FEATURE_UNKNOWN,
|
||||||
];
|
];
|
||||||
}
|
}
|
||||||
|
|
||||||
|
@ -543,6 +549,7 @@ class Configuration {
|
||||||
'ldap_dynamic_group_member_url' => 'ldapDynamicGroupMemberURL',
|
'ldap_dynamic_group_member_url' => 'ldapDynamicGroupMemberURL',
|
||||||
'ldap_default_ppolicy_dn' => 'ldapDefaultPPolicyDN',
|
'ldap_default_ppolicy_dn' => 'ldapDefaultPPolicyDN',
|
||||||
'ldap_ext_storage_home_attribute' => 'ldapExtStorageHomeAttribute',
|
'ldap_ext_storage_home_attribute' => 'ldapExtStorageHomeAttribute',
|
||||||
|
'ldap_matching_rule_in_chain_state' => 'ldapMatchingRuleInChainState',
|
||||||
'ldapIgnoreNamingRules' => 'ldapIgnoreNamingRules', // sysconfig
|
'ldapIgnoreNamingRules' => 'ldapIgnoreNamingRules', // sysconfig
|
||||||
];
|
];
|
||||||
return $array;
|
return $array;
|
||||||
|
|
|
@ -67,6 +67,7 @@ use OCP\ILogger;
|
||||||
* @property string[] ldapBaseGroups
|
* @property string[] ldapBaseGroups
|
||||||
* @property string ldapGroupFilter
|
* @property string ldapGroupFilter
|
||||||
* @property string ldapGroupDisplayName
|
* @property string ldapGroupDisplayName
|
||||||
|
* @property string ldapMatchingRuleInChainState
|
||||||
*/
|
*/
|
||||||
class Connection extends LDAPUtility {
|
class Connection extends LDAPUtility {
|
||||||
private $ldapConnectionRes = null;
|
private $ldapConnectionRes = null;
|
||||||
|
|
|
@ -235,6 +235,37 @@ class Group_LDAP extends BackendUtility implements \OCP\GroupInterface, IGroupLD
|
||||||
if ($groupMembers !== null) {
|
if ($groupMembers !== null) {
|
||||||
return $groupMembers;
|
return $groupMembers;
|
||||||
}
|
}
|
||||||
|
|
||||||
|
if ($this->access->connection->ldapNestedGroups
|
||||||
|
&& $this->access->connection->useMemberOfToDetectMembership
|
||||||
|
&& $this->access->connection->hasMemberOfFilterSupport
|
||||||
|
&& $this->access->connection->ldapMatchingRuleInChainState !== Configuration::LDAP_SERVER_FEATURE_UNAVAILABLE
|
||||||
|
) {
|
||||||
|
$attemptedLdapMatchingRuleInChain = true;
|
||||||
|
// compatibility hack with servers supporting :1.2.840.113556.1.4.1941:, and others)
|
||||||
|
$filter = $this->access->combineFilterWithAnd([
|
||||||
|
$this->access->connection->ldapUserFilter,
|
||||||
|
$this->access->connection->ldapUserDisplayName . '=*',
|
||||||
|
'memberof:1.2.840.113556.1.4.1941:=' . $dnGroup
|
||||||
|
]);
|
||||||
|
$memberRecords = $this->access->fetchListOfUsers(
|
||||||
|
$filter,
|
||||||
|
$this->access->userManager->getAttributes(true)
|
||||||
|
);
|
||||||
|
$result = array_reduce($memberRecords, function ($carry, $record) {
|
||||||
|
$carry[] = $record['dn'][0];
|
||||||
|
return $carry;
|
||||||
|
}, []);
|
||||||
|
if ($this->access->connection->ldapMatchingRuleInChainState === Configuration::LDAP_SERVER_FEATURE_AVAILABLE) {
|
||||||
|
return $result;
|
||||||
|
} elseif (!empty($memberRecords)) {
|
||||||
|
$this->access->connection->ldapMatchingRuleInChainState = Configuration::LDAP_SERVER_FEATURE_AVAILABLE;
|
||||||
|
$this->access->connection->saveConfiguration();
|
||||||
|
return $result;
|
||||||
|
}
|
||||||
|
// when feature availability is unknown, and the result is empty, continue and test with original approach
|
||||||
|
}
|
||||||
|
|
||||||
$seen[$dnGroup] = 1;
|
$seen[$dnGroup] = 1;
|
||||||
$members = $this->access->readAttribute($dnGroup, $this->access->connection->ldapGroupMemberAssocAttr);
|
$members = $this->access->readAttribute($dnGroup, $this->access->connection->ldapGroupMemberAssocAttr);
|
||||||
if (is_array($members)) {
|
if (is_array($members)) {
|
||||||
|
@ -247,6 +278,13 @@ class Group_LDAP extends BackendUtility implements \OCP\GroupInterface, IGroupLD
|
||||||
$allMembers += $this->getDynamicGroupMembers($dnGroup);
|
$allMembers += $this->getDynamicGroupMembers($dnGroup);
|
||||||
|
|
||||||
$this->access->connection->writeToCache($cacheKey, $allMembers);
|
$this->access->connection->writeToCache($cacheKey, $allMembers);
|
||||||
|
if (isset($attemptedLdapMatchingRuleInChain)
|
||||||
|
&& $this->access->connection->ldapMatchingRuleInChainState === Configuration::LDAP_SERVER_FEATURE_UNKNOWN
|
||||||
|
&& !empty($allMembers)
|
||||||
|
) {
|
||||||
|
$this->access->connection->ldapMatchingRuleInChainState = Configuration::LDAP_SERVER_FEATURE_UNAVAILABLE;
|
||||||
|
$this->access->connection->saveConfiguration();
|
||||||
|
}
|
||||||
return $allMembers;
|
return $allMembers;
|
||||||
}
|
}
|
||||||
|
|
||||||
|
|
|
@ -71,6 +71,8 @@ class Group_LDAPTest extends TestCase {
|
||||||
->method('getConnection')
|
->method('getConnection')
|
||||||
->willReturn($connector);
|
->willReturn($connector);
|
||||||
|
|
||||||
|
$access->userManager = $this->createMock(Manager::class);
|
||||||
|
|
||||||
return $access;
|
return $access;
|
||||||
}
|
}
|
||||||
|
|
||||||
|
@ -121,12 +123,19 @@ class Group_LDAPTest extends TestCase {
|
||||||
$access->expects($this->any())
|
$access->expects($this->any())
|
||||||
->method('isDNPartOfBase')
|
->method('isDNPartOfBase')
|
||||||
->willReturn(true);
|
->willReturn(true);
|
||||||
|
$access->expects($this->any())
|
||||||
|
->method('combineFilterWithAnd')
|
||||||
|
->willReturn('pseudo=filter');
|
||||||
|
|
||||||
// for primary groups
|
// for primary groups
|
||||||
$access->expects($this->once())
|
$access->expects($this->once())
|
||||||
->method('countUsers')
|
->method('countUsers')
|
||||||
->willReturn(2);
|
->willReturn(2);
|
||||||
|
|
||||||
|
$access->userManager->expects($this->any())
|
||||||
|
->method('getAttributes')
|
||||||
|
->willReturn(['displayName', 'mail']);
|
||||||
|
|
||||||
$groupBackend = new GroupLDAP($access, $pluginManager);
|
$groupBackend = new GroupLDAP($access, $pluginManager);
|
||||||
$users = $groupBackend->countUsersInGroup('group');
|
$users = $groupBackend->countUsersInGroup('group');
|
||||||
|
|
||||||
|
@ -166,6 +175,13 @@ class Group_LDAPTest extends TestCase {
|
||||||
$access->expects($this->any())
|
$access->expects($this->any())
|
||||||
->method('isDNPartOfBase')
|
->method('isDNPartOfBase')
|
||||||
->willReturn(true);
|
->willReturn(true);
|
||||||
|
$access->expects($this->any())
|
||||||
|
->method('combineFilterWithAnd')
|
||||||
|
->willReturn('pseudo=filter');
|
||||||
|
|
||||||
|
$access->userManager->expects($this->any())
|
||||||
|
->method('getAttributes')
|
||||||
|
->willReturn(['displayName', 'mail']);
|
||||||
|
|
||||||
$groupBackend = new GroupLDAP($access, $pluginManager);
|
$groupBackend = new GroupLDAP($access, $pluginManager);
|
||||||
$users = $groupBackend->countUsersInGroup('group', '3');
|
$users = $groupBackend->countUsersInGroup('group', '3');
|
||||||
|
@ -541,7 +557,10 @@ class Group_LDAPTest extends TestCase {
|
||||||
$access->expects($this->any())
|
$access->expects($this->any())
|
||||||
->method('combineFilterWithAnd')
|
->method('combineFilterWithAnd')
|
||||||
->willReturn('pseudo=filter');
|
->willReturn('pseudo=filter');
|
||||||
$access->userManager = $this->createMock(Manager::class);
|
|
||||||
|
$access->userManager->expects($this->any())
|
||||||
|
->method('getAttributes')
|
||||||
|
->willReturn(['displayName', 'mail']);
|
||||||
|
|
||||||
$groupBackend = new GroupLDAP($access, $pluginManager);
|
$groupBackend = new GroupLDAP($access, $pluginManager);
|
||||||
$users = $groupBackend->usersInGroup('foobar');
|
$users = $groupBackend->usersInGroup('foobar');
|
||||||
|
@ -582,7 +601,10 @@ class Group_LDAPTest extends TestCase {
|
||||||
$access->expects($this->any())
|
$access->expects($this->any())
|
||||||
->method('combineFilterWithAnd')
|
->method('combineFilterWithAnd')
|
||||||
->willReturn('pseudo=filter');
|
->willReturn('pseudo=filter');
|
||||||
$access->userManager = $this->createMock(Manager::class);
|
|
||||||
|
$access->userManager->expects($this->any())
|
||||||
|
->method('getAttributes')
|
||||||
|
->willReturn(['displayName', 'mail']);
|
||||||
|
|
||||||
$groupBackend = new GroupLDAP($access, $pluginManager);
|
$groupBackend = new GroupLDAP($access, $pluginManager);
|
||||||
$users = $groupBackend->usersInGroup('foobar');
|
$users = $groupBackend->usersInGroup('foobar');
|
||||||
|
@ -621,6 +643,13 @@ class Group_LDAPTest extends TestCase {
|
||||||
$access->expects($this->any())
|
$access->expects($this->any())
|
||||||
->method('isDNPartOfBase')
|
->method('isDNPartOfBase')
|
||||||
->willReturn(true);
|
->willReturn(true);
|
||||||
|
$access->expects($this->any())
|
||||||
|
->method('combineFilterWithAnd')
|
||||||
|
->willReturn('pseudo=filter');
|
||||||
|
|
||||||
|
$access->userManager->expects($this->any())
|
||||||
|
->method('getAttributes')
|
||||||
|
->willReturn(['displayName', 'mail']);
|
||||||
|
|
||||||
$groupBackend = new GroupLDAP($access, $pluginManager);
|
$groupBackend = new GroupLDAP($access, $pluginManager);
|
||||||
$users = $groupBackend->countUsersInGroup('foobar');
|
$users = $groupBackend->countUsersInGroup('foobar');
|
||||||
|
|
Loading…
Reference in New Issue