LDAP: shortcut in reading nested group members when IN_CHAIN is available

Signed-off-by: Arthur Schiwon <blizzz@arthur-schiwon.de>

apps/user_ldap/lib/Configuration.php

@@ -45,6 +45,10 @@ class Configuration {
 	public const AVATAR_PREFIX_NONE = 'none';
 	public const AVATAR_PREFIX_DATA_ATTRIBUTE = 'data:';
 
+	public const LDAP_SERVER_FEATURE_UNKNOWN = 'unknown';
+	public const LDAP_SERVER_FEATURE_AVAILABLE = 'available';
+	public const LDAP_SERVER_FEATURE_UNAVAILABLE = 'unavailable';
+
 	protected $configPrefix = null;
 	protected $configRead = false;
 	/**
@@ -110,6 +114,7 @@ class Configuration {
 		'ldapDynamicGroupMemberURL' => null,
 		'ldapDefaultPPolicyDN' => null,
 		'ldapExtStorageHomeAttribute' => null,
+		'ldapMatchingRuleInChainState' => self::LDAP_SERVER_FEATURE_UNKNOWN,
 	];
 
 	/**
@@ -482,6 +487,7 @@ class Configuration {
 			'ldap_default_ppolicy_dn'           => '',
 			'ldap_user_avatar_rule'             => 'default',
 			'ldap_ext_storage_home_attribute'   => '',
+			'ldap_matching_rule_in_chain_state' => self::LDAP_SERVER_FEATURE_UNKNOWN,
 		];
 	}
 
@@ -543,6 +549,7 @@ class Configuration {
 			'ldap_dynamic_group_member_url'     => 'ldapDynamicGroupMemberURL',
 			'ldap_default_ppolicy_dn'           => 'ldapDefaultPPolicyDN',
 			'ldap_ext_storage_home_attribute'   => 'ldapExtStorageHomeAttribute',
+			'ldap_matching_rule_in_chain_state' => 'ldapMatchingRuleInChainState',
 			'ldapIgnoreNamingRules'             => 'ldapIgnoreNamingRules',	// sysconfig
 		];
 		return $array;

apps/user_ldap/lib/Group_LDAP.php

@@ -235,6 +235,31 @@ class Group_LDAP extends BackendUtility implements \OCP\GroupInterface, IGroupLD
 		if ($groupMembers !== null) {
 			return $groupMembers;
 		}
+
+		if ($this->access->connection->ldapNestedGroups
+			&& $this->access->connection->useMemberOfToDetectMembership
+			&& $this->access->connection->hasMemberOfFilterSupport
+			&& $this->access->connection->ldapMatchingRuleInChainState !== Configuration::LDAP_SERVER_FEATURE_UNAVAILABLE
+		) {
+			$attemptedLdapMatchingRuleInChain = true;
+			// compatibility hack with servers supporting :1.2.840.113556.1.4.1941:, and others)
+			$filter = $this->access->combineFilterWithAnd([$this->access->connection->ldapUserFilter, 'memberof:1.2.840.113556.1.4.1941:=' . $dnGroup]);
+			$memberRecords = $this->access->fetchListOfUsers(
+				$filter,
+				$this->access->userManager->getAttributes(true)
+			);
+			if (!empty($memberRecords)) {
+				if ($this->access->connection->ldapMatchingRuleInChainState === Configuration::LDAP_SERVER_FEATURE_UNKNOWN) {
+					$this->access->connection->ldapMatchingRuleInChainState = Configuration::LDAP_SERVER_FEATURE_AVAILABLE;
+					$this->access->connection->saveConfiguration();
+				}
+				return array_reduce($memberRecords, function ($carry, $record) {
+					$carry[] = $record['dn'][0];
+					return $carry;
+				}, []);
+			}
+		}
+
 		$seen[$dnGroup] = 1;
 		$members = $this->access->readAttribute($dnGroup, $this->access->connection->ldapGroupMemberAssocAttr);
 		if (is_array($members)) {
@@ -247,6 +272,10 @@ class Group_LDAP extends BackendUtility implements \OCP\GroupInterface, IGroupLD
 		$allMembers += $this->getDynamicGroupMembers($dnGroup);
 
 		$this->access->connection->writeToCache($cacheKey, $allMembers);
+		if (isset($attemptedLdapMatchingRuleInChain) && !empty($allMembers)) {
+			$this->access->connection->ldapMatchingRuleInChainState = Configuration::LDAP_SERVER_FEATURE_UNAVAILABLE;
+			$this->access->connection->saveConfiguration();
+		}
 		return $allMembers;
 	}
 

apps/user_ldap/tests/Group_LDAPTest.php

@@ -71,6 +71,8 @@ class Group_LDAPTest extends TestCase {
 			->method('getConnection')
 			->willReturn($connector);
 
+		$access->userManager = $this->createMock(Manager::class);
+
 		return $access;
 	}