LDAP: when checking group for matching filter, also take base DN into consideration. Fixes #17516

Arthur Schiwon 2015-07-09 12:19:04 +02:00
parent 2b86ba43e3
commit bfdf39b9bd
4 changed files with 96 additions and 2 deletions


@ -382,7 +382,12 @@ class GROUP_LDAP extends BackendUtility implements \OCP\GroupInterface {
if (is_array($groupDNs)) {
$groupDNs = $this->access->groupsMatchFilter($groupDNs);
foreach ($groupDNs as $dn) {
$groups[] = $this->access->dn2groupname($dn);
$groupName = $this->access->dn2groupname($dn);
if(is_string($groupName)) {
// be sure to never return false if the dn could not be
// resolved to a name, for whatever reason.
$groups[] = $groupName;
}
}
}
if($primaryGroup !== false) {
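Review bot: The comment on the new is_string() guard is misleading: this loop never returns false itself; as the comment implies, it is dn2groupname() that yields false when a DN cannot be resolved, and the guard keeps that false out of $groups. Suggest rewording it to `// dn2groupname() returns false when the DN cannot be resolved to a name; skip such entries rather than appending false to $groups`. Dropping the entry silently also hides misconfiguration (for example a group base that does not cover the DN), so a debug-level log line in an else branch would help operators; the file's logging convention is not visible from here. The enclosing method starts and ends outside the hunk.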


@ -365,10 +365,21 @@ class Access extends LDAPUtility implements user\IUserTools {
continue;
}
// Check the base DN first. If this is not met already, we don't
// need to ask the server at all.
if(!$this->isDNPartOfBase($dn, $this->connection->ldapBaseGroups)) {
$this->connection->writeToCache($cacheKey, false);
continue;
}
$result = $this->readAttribute($dn, 'cn', $this->connection->ldapGroupFilter);
if(is_array($result)) {
$this->connection->writeToCache($cacheKey, true);
$validGroupDNs[] = $dn;
} else {
$this->connection->writeToCache($cacheKey, false);
}
}
return $validGroupDNs;
}
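Review bot: The negative cache write is now duplicated, once after the new isDNPartOfBase() check and once in the else branch of the readAttribute() result, so the two rejection paths can drift apart; folding both checks into one boolean keeps a single writeToCache() call. The ordering is the important part and the rewrite below preserves it through short-circuit evaluation: a DN outside the configured group base is rejected locally and never causes a server query, which is what the commit sets out to do. This assumes isDNPartOfBase() accepts ldapBaseGroups in whatever shape the connection exposes it, which the hunk does not show. The enclosing loop and $cacheKey are defined above the hunk.
```php
// … unchanged: loop header, cache lookup and early continue …
// A DN outside the configured group base can never be a valid group,
// so test it locally before asking the server about the filter.
$matches = $this->isDNPartOfBase($dn, $this->connection->ldapBaseGroups)
    && is_array($this->readAttribute($dn, 'cn', $this->connection->ldapGroupFilter));
$this->connection->writeToCache($cacheKey, $matches);
if ($matches) {
    $validGroupDNs[] = $dn;
}
// … unchanged: end of loop and return …
```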


@ -43,6 +43,7 @@ class IntegrationTestAccessGroupsMatchFilter {
public function init() {
require('setup-scripts/createExplicitUsers.php');
require('setup-scripts/createExplicitGroups.php');
require('setup-scripts/createExplicitGroupsDifferentOU.php');
$this->initLDAPWrapper();
$this->initConnection();
@ -55,7 +56,7 @@ class IntegrationTestAccessGroupsMatchFilter {
* If a test failed, the script is exited with return code 1.
*/
public function run() {
$cases = ['case1', 'case2'];
$cases = ['case1', 'case2', 'case3'];
foreach ($cases as $case) {
print("running $case " . PHP_EOL);
@ -106,6 +107,30 @@ class IntegrationTestAccessGroupsMatchFilter {
return $status;
}
/**
* Tests whether a filter for limited groups is effective when more existing
* groups were passed for validation.
*
* @return bool
*/
private function case3() {
$this->connection->setConfiguration(['ldapGroupFilter' => '(objectclass=groupOfNames)']);
$dns = [
'cn=RedGroup,ou=Groups,' . $this->base,
'cn=PurpleGroup,ou=Groups,' . $this->base,
'cn=SquaredCircleGroup,ou=SpecialGroups,' . $this->base
];
$result = $this->access->groupsMatchFilter($dns);
$status =
count($result) === 2
&& in_array('cn=RedGroup,ou=Groups,' . $this->base, $result)
&& in_array('cn=PurpleGroup,ou=Groups,' . $this->base, $result);
return $status;
}
/**
* initializes the Access test instance
*/
@ -129,6 +154,7 @@ class IntegrationTestAccessGroupsMatchFilter {
'ldapHost' => $this->server['host'],
'ldapPort' => $this->server['port'],
'ldapBase' => $this->base,
'ldapBaseGroups' => 'ou=Groups,' . $this->base,
'ldapAgentName' => $this->server['dn'],
'ldapAgentPassword' => $this->server['pwd'],
'ldapUserFilter' => 'objectclass=inetOrgPerson',
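Review bot: The docblock on case3 (third hunk) describes a filter test, but what the case actually exercises is the new base-DN restriction: the SpecialGroups entries are created as groupOfNames by the new setup script, so SquaredCircleGroup should pass the configured filter and is expected to be rejected only because it lies in ou=SpecialGroups while ldapBaseGroups is set to ou=Groups in the last hunk. Suggest `* Tests that a group which matches the group filter but lies outside the configured group base DN (ldapBaseGroups) is not returned.` for the docblock. The two in_array() calls should pass the strict flag, e.g. `in_array('cn=RedGroup,ou=Groups,' . $this->base, $result, true)`, so a loose comparison cannot mask a wrong element type in $result. case3 also sets ldapGroupFilter on the shared connection without restoring it; as it is the last entry in $cases that is harmless today, but any case added after it would inherit the changed filter.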


@ -0,0 +1,52 @@
<?php
if(php_sapi_name() !== 'cli') {
print('Only via CLI, please.');
exit(1);
}
include __DIR__ . '/config.php';
$cr = ldap_connect($host, $port);
ldap_set_option($cr, LDAP_OPT_PROTOCOL_VERSION, 3);
$ok = ldap_bind($cr, $adn, $apwd);
if (!$ok) {
die(ldap_error($cr));
}
$ouName = 'SpecialGroups';
$ouDN = 'ou=' . $ouName . ',' . $bdn;
//creates an OU
if (true) {
$entry = [];
$entry['objectclass'][] = 'top';
$entry['objectclass'][] = 'organizationalunit';
$entry['ou'] = $ouName;
$b = ldap_add($cr, $ouDN, $entry);
if (!$b) {
die(ldap_error($cr));
}
}
$groups = ['SquareGroup', 'CircleGroup', 'TriangleGroup', 'SquaredCircleGroup'];
// groupOfNames requires groups to have at least one member
// the member used is created by createExplicitUsers.php script
$omniMember = 'uid=alice,ou=Users,' . $bdn;
foreach ($groups as $cn) {
$newDN = 'cn=' . $cn . ',' . $ouDN;
$entry = [];
$entry['cn'] = $cn;
$entry['objectclass'][] = 'groupOfNames';
$entry['member'][] = $omniMember;
$ok = ldap_add($cr, $newDN, $entry);
if ($ok) {
echo('created group ' . ': ' . $entry['cn'] . PHP_EOL);
} else {
die(ldap_error($cr));
}
}