From 323af55b500dcd0cd1e1ce61408a6a416075ef07 Mon Sep 17 00:00:00 2001 From: Arthur Schiwon Date: Mon, 17 Nov 2014 16:30:50 +0100 Subject: [PATCH 1/4] inlcude AD primary group in user filter, if a group is selected. fixes #12190 --- apps/user_ldap/lib/wizard.php | 14 ++++++++++++-- 1 file changed, 12 insertions(+), 2 deletions(-) diff --git a/apps/user_ldap/lib/wizard.php b/apps/user_ldap/lib/wizard.php index 2e4507a258..68dff22829 100644 --- a/apps/user_ldap/lib/wizard.php +++ b/apps/user_ldap/lib/wizard.php @@ -850,13 +850,23 @@ class Wizard extends LDAPUtility { } $base = $this->configuration->ldapBase[0]; foreach($cns as $cn) { - $rr = $this->ldap->search($cr, $base, 'cn=' . $cn, array('dn')); + $rr = $this->ldap->search($cr, $base, 'cn=' . $cn, array('dn', 'primaryGroupToken')); if(!$this->ldap->isResource($rr)) { continue; } $er = $this->ldap->firstEntry($cr, $rr); + $attrs = $this->ldap->getAttributes($cr, $er); $dn = $this->ldap->getDN($cr, $er); - $filter .= '(memberof=' . $dn . ')'; + if(empty($dn)) { + continue; + } + $filterPart = '(memberof=' . $dn . ')'; + if(isset($attrs['primaryGroupToken'])) { + $pgt = $attrs['primaryGroupToken'][0]; + $primaryFilterPart = '(primaryGroupID=' . $pgt .')'; + $filterPart = '(|' . $filterPart . $primaryFilterPart . ')'; + } + $filter .= $filterPart; } $filter .= ')'; } From 31de757514ce6b23587161c6e1b15016df11e02f Mon Sep 17 00:00:00 2001 From: Arthur Schiwon Date: Wed, 28 Jan 2015 15:52:59 +0100 Subject: [PATCH 2/4] fix counting of users in primary group --- apps/user_ldap/group_ldap.php | 86 +++++++++++++++++++++-------- apps/user_ldap/tests/group_ldap.php | 7 ++- 2 files changed, 69 insertions(+), 24 deletions(-) diff --git a/apps/user_ldap/group_ldap.php b/apps/user_ldap/group_ldap.php index e8d268d3df..b2796aaa61 100644 --- a/apps/user_ldap/group_ldap.php +++ b/apps/user_ldap/group_ldap.php @@ -248,33 +248,72 @@ class GROUP_LDAP extends BackendUtility implements \OCP\GroupInterface { return $this->getEntryGroupID($dn, 'primaryGroupID'); } + /** + * returns a filter for a "users in primary group" search or count operation + * + * @param $groupDN + * @param string $search + * @return string + * @throws \Exception + */ + private function prepareFilterForUsersInPrimaryGroup($groupDN, $search = '') { + $groupID = $this->getGroupPrimaryGroupID($groupDN); + if($groupID === false) { + throw new \Exception('Not a valid group'); + } + + $filterParts = []; + $filterParts[] = $this->access->getFilterForUserCount(); + if(!empty($search)) { + $filterParts[] = $this->access->getFilterPartForUserSearch($search); + } + $filterParts[] = 'primaryGroupID=' . $groupID; + + $filter = $this->access->combineFilterWithAnd($filterParts); + + return $filter; + } + /** * returns a list of users that have the given group as primary group * * @param string $groupDN - * @param $limit + * @param string $search + * @param int $limit * @param int $offset - * @return string[] + * @return \string[] */ - public function getUsersInPrimaryGroup($groupDN, $limit = -1, $offset = 0) { - $groupID = $this->getGroupPrimaryGroupID($groupDN); - if($groupID === false) { + public function getUsersInPrimaryGroup($groupDN, $search = '', $limit = -1, $offset = 0) { + try { + $filter = $this->prepareFilterForUsersInPrimaryGroup($groupDN, $search); + return $this->access->fetchListOfUsers( + $filter, + array($this->access->connection->ldapUserDisplayName, 'dn'), + $limit, + $offset + ); + } catch (\Exception $e) { return array(); } + } - $filter = $this->access->combineFilterWithAnd(array( - $this->access->connection->ldapUserFilter, - 'primaryGroupID=' . $groupID - )); - - $users = $this->access->fetchListOfUsers( - $filter, - array($this->access->connection->ldapUserDisplayName, 'dn'), - $limit, - $offset - ); - - return $users; + /** + * returns the number of users that have the given group as primary group + * + * @param $groupDN + * @param string $search + * @param int $limit + * @param int $offset + * @return int + */ + public function countUsersInPrimaryGroup($groupDN, $search = '', $limit = -1, $offset = 0) { + try { + $filter = $this->prepareFilterForUsersInPrimaryGroup($groupDN, $search); + $users = $this->access->countUsers($filter, array('dn'), $limit, $offset); + return (is_int($users)) ? $users : 0; + } catch (\Exception $e) { + return 0; + } } /** @@ -473,7 +512,7 @@ class GROUP_LDAP extends BackendUtility implements \OCP\GroupInterface { $groupUsers = array_slice($groupUsers, $offset, $limit); //and get users that have the group as primary - $primaryUsers = $this->getUsersInPrimaryGroup($groupDN, $limit, $offset); + $primaryUsers = $this->getUsersInPrimaryGroup($groupDN, $search, $limit, $offset); $groupUsers = array_unique(array_merge($groupUsers, $primaryUsers)); $this->access->connection->writeToCache($cacheKey, $groupUsers); @@ -512,7 +551,9 @@ class GROUP_LDAP extends BackendUtility implements \OCP\GroupInterface { } if(empty($search)) { - $groupUsers = count($members); + $primaryUsers = $this->countUsersInPrimaryGroup($groupDN, ''); + $groupUsers = count($members) + $primaryUsers; + $this->access->connection->writeToCache($cacheKey, $groupUsers); return $groupUsers; } @@ -557,10 +598,9 @@ class GROUP_LDAP extends BackendUtility implements \OCP\GroupInterface { } //and get users that have the group as primary - $primaryUsers = $this->getUsersInPrimaryGroup($groupDN); - $groupUsers = array_unique(array_merge($groupUsers, $primaryUsers)); + $primaryUsers = $this->countUsersInPrimaryGroup($groupDN, $search); - return count($groupUsers); + return count($groupUsers) + $primaryUsers; } /** diff --git a/apps/user_ldap/tests/group_ldap.php b/apps/user_ldap/tests/group_ldap.php index efd7f803f3..44f0f82c2f 100644 --- a/apps/user_ldap/tests/group_ldap.php +++ b/apps/user_ldap/tests/group_ldap.php @@ -76,10 +76,15 @@ class Test_Group_Ldap extends \Test\TestCase { ->method('readAttribute') ->will($this->returnValue(array('u11', 'u22', 'u33', 'u34'))); + // for primary groups + $access->expects($this->once()) + ->method('countUsers') + ->will($this->returnValue(2)); + $groupBackend = new GroupLDAP($access); $users = $groupBackend->countUsersInGroup('group'); - $this->assertSame(4, $users); + $this->assertSame(6, $users); } public function testCountWithSearchString() { From 953a88785bf71bcf0763e98934d6d2b503f88402 Mon Sep 17 00:00:00 2001 From: Arthur Schiwon Date: Wed, 28 Jan 2015 23:57:04 +0100 Subject: [PATCH 3/4] :lipstick: --- apps/user_ldap/group_ldap.php | 8 ++++---- 1 file changed, 4 insertions(+), 4 deletions(-) diff --git a/apps/user_ldap/group_ldap.php b/apps/user_ldap/group_ldap.php index b2796aaa61..bd56dbd56c 100644 --- a/apps/user_ldap/group_ldap.php +++ b/apps/user_ldap/group_ldap.php @@ -251,7 +251,7 @@ class GROUP_LDAP extends BackendUtility implements \OCP\GroupInterface { /** * returns a filter for a "users in primary group" search or count operation * - * @param $groupDN + * @param string $groupDN * @param string $search * @return string * @throws \Exception @@ -281,7 +281,7 @@ class GROUP_LDAP extends BackendUtility implements \OCP\GroupInterface { * @param string $search * @param int $limit * @param int $offset - * @return \string[] + * @return string[] */ public function getUsersInPrimaryGroup($groupDN, $search = '', $limit = -1, $offset = 0) { try { @@ -300,7 +300,7 @@ class GROUP_LDAP extends BackendUtility implements \OCP\GroupInterface { /** * returns the number of users that have the given group as primary group * - * @param $groupDN + * @param string $groupDN * @param string $search * @param int $limit * @param int $offset @@ -310,7 +310,7 @@ class GROUP_LDAP extends BackendUtility implements \OCP\GroupInterface { try { $filter = $this->prepareFilterForUsersInPrimaryGroup($groupDN, $search); $users = $this->access->countUsers($filter, array('dn'), $limit, $offset); - return (is_int($users)) ? $users : 0; + return (int)$users; } catch (\Exception $e) { return 0; } From 73600cfdd80694a9ffa526147d79b231fd85c5b2 Mon Sep 17 00:00:00 2001 From: Arthur Schiwon Date: Thu, 29 Jan 2015 00:15:55 +0100 Subject: [PATCH 4/4] and escape the search term --- apps/user_ldap/group_ldap.php | 3 +++ apps/user_ldap/lib/access.php | 2 +- apps/user_ldap/lib/connection.php | 1 + 3 files changed, 5 insertions(+), 1 deletion(-) diff --git a/apps/user_ldap/group_ldap.php b/apps/user_ldap/group_ldap.php index bd56dbd56c..40d702360f 100644 --- a/apps/user_ldap/group_ldap.php +++ b/apps/user_ldap/group_ldap.php @@ -444,6 +444,7 @@ class GROUP_LDAP extends BackendUtility implements \OCP\GroupInterface { if(!$this->groupExists($gid)) { return array(); } + $search = $this->access->escapeFilterPart($search, true); $cacheKey = 'usersInGroup-'.$gid.'-'.$search.'-'.$limit.'-'.$offset; // check for cache of the exact query $groupUsers = $this->access->connection->getFromCache($cacheKey); @@ -557,6 +558,7 @@ class GROUP_LDAP extends BackendUtility implements \OCP\GroupInterface { $this->access->connection->writeToCache($cacheKey, $groupUsers); return $groupUsers; } + $search = $this->access->escapeFilterPart($search, true); $isMemberUid = (strtolower($this->access->connection->ldapGroupMemberAssocAttr) === 'memberuid'); @@ -663,6 +665,7 @@ class GROUP_LDAP extends BackendUtility implements \OCP\GroupInterface { if(!$this->enabled) { return array(); } + $search = $this->access->escapeFilterPart($search, true); $pagingSize = $this->access->connection->ldapPagingSize; if ((! $this->access->connection->hasPagedResultSupport) || empty($pagingSize)) { diff --git a/apps/user_ldap/lib/access.php b/apps/user_ldap/lib/access.php index b639482394..e041bc32a6 100644 --- a/apps/user_ldap/lib/access.php +++ b/apps/user_ldap/lib/access.php @@ -958,7 +958,7 @@ class Access extends LDAPUtility implements user\IUserTools { /** * escapes (user provided) parts for LDAP filter * @param string $input, the provided value - * @param bool $allowAsterisk wether in * at the beginning should be preserved + * @param bool $allowAsterisk whether in * at the beginning should be preserved * @return string the escaped string */ public function escapeFilterPart($input, $allowAsterisk = false) { diff --git a/apps/user_ldap/lib/connection.php b/apps/user_ldap/lib/connection.php index a9d21ffc8e..c083e7d55e 100644 --- a/apps/user_ldap/lib/connection.php +++ b/apps/user_ldap/lib/connection.php @@ -32,6 +32,7 @@ namespace OCA\user_ldap\lib; * @property boolean hasPagedResultSupport * @property string[] ldapBaseUsers * @property int|string ldapPagingSize holds an integer + * @property bool|mixed|void ldapGroupMemberAssocAttr */ class Connection extends LDAPUtility { private $ldapConnectionRes = null;