LDAP rewrite, use unique LDAP user and group identifiers on LDAP side as well as fancy (unqiue as far as users a know from LDAP) names on the ownCloud side. It's done via mapping of owncloud names and LDAP identifiers.

some performance enhancements: faster searching for users and groups in their specific subtrees. Reading instead of searching were possible.

thanks for the feedback of Kevin van Kuik
This commit is contained in:
Arthur Schiwon 2012-04-25 20:34:58 +02:00
parent 0933b5e7ab
commit cbba469990
4 changed files with 509 additions and 53 deletions

View File

@ -0,0 +1,95 @@
<?xml version="1.0" encoding="ISO-8859-1" ?>
<database>
<name>*dbname*</name>
<create>true</create>
<overwrite>false</overwrite>
<charset>utf8</charset>
<table>
<name>*dbprefix*ldap_user_mapping</name>
<declaration>
<field>
<name>ldap_dn</name>
<type>text</type>
<notnull>true</notnull>
<length>255</length>
<default></default>
</field>
<field>
<name>owncloud_name</name>
<type>text</type>
<notnull>true</notnull>
<length>255</length>
<default></default>
</field>
<index>
<name>ldap_dn</name>
<unique>true</unique>
<field>
<name>ldap_dn</name>
</field>
</index>
<index>
<name>owncloud_name</name>
<unique>true</unique>
<field>
<name>owncloud_name</name>
<sorting>ascending</sorting>
</field>
</index>
</declaration>
</table>
<table>
<name>*dbprefix*ldap_group_mapping</name>
<declaration>
<field>
<name>ldap_dn</name>
<type>text</type>
<notnull>true</notnull>
<length>255</length>
<default></default>
</field>
<field>
<name>owncloud_name</name>
<type>text</type>
<notnull>true</notnull>
<length>255</length>
<default></default>
</field>
<index>
<name>ldap_dn</name>
<unique>true</unique>
<field>
<name>ldap_dn</name>
</field>
</index>
<index>
<name>owncloud_name</name>
<unique>true</unique>
<field>
<name>owncloud_name</name>
<sorting>ascending</sorting>
</field>
</index>
</declaration>
</table>
</database>

View File

@ -1 +1 @@
0.1 0.1.90

View File

@ -24,11 +24,9 @@
class OC_GROUP_LDAP extends OC_Group_Backend { class OC_GROUP_LDAP extends OC_Group_Backend {
// //group specific settings // //group specific settings
protected $ldapGroupFilter; protected $ldapGroupFilter;
protected $ldapGroupDisplayName;
public function __construct() { public function __construct() {
$this->ldapGroupFilter = OC_Appconfig::getValue('user_ldap', 'ldap_group_filter', '(objectClass=posixGroup)'); $this->ldapGroupFilter = OC_Appconfig::getValue('user_ldap', 'ldap_group_filter', '(objectClass=posixGroup)');
$this->ldapGroupDisplayName = OC_Appconfig::getValue('user_ldap', 'ldap_group_display_name', 'cn');
} }
/** /**
@ -40,18 +38,17 @@ class OC_GROUP_LDAP extends OC_Group_Backend {
* Checks whether the user is member of a group or not. * Checks whether the user is member of a group or not.
*/ */
public function inGroup($uid, $gid) { public function inGroup($uid, $gid) {
$filter = OC_LDAP::combineFilterWithAnd(array( $dn_user = OC_LDAP::username2dn($uid);
$this->ldapGroupFilter, $dn_group = OC_LDAP::groupname2dn($gid);
LDAP_GROUP_MEMBER_ASSOC_ATTR.'='.$uid, // if($dn_group == 'c') {echo('#sdfsdgfds');die($gid);}
$this->ldapGroupDisplayName.'='.$gid // just in case
)); if(!$dn_group || !$dn_user) {
$groups = $this->retrieveList($filter, $this->ldapGroupDisplayName);
if(count($groups) > 0) {
return true;
} else {
return false; return false;
} }
// var_dump($dn_group);
$members = OC_LDAP::readAttribute($dn_group, LDAP_GROUP_MEMBER_ASSOC_ATTR);
return in_array($dn_user, $members);
} }
/** /**
@ -63,12 +60,19 @@ class OC_GROUP_LDAP extends OC_Group_Backend {
* if the user exists at all. * if the user exists at all.
*/ */
public function getUserGroups($uid) { public function getUserGroups($uid) {
$userDN = OC_LDAP::username2dn($uid);
if(!$userDN) {
return array();
}
$filter = OC_LDAP::combineFilterWithAnd(array( $filter = OC_LDAP::combineFilterWithAnd(array(
$this->ldapGroupFilter, $this->ldapGroupFilter,
LDAP_GROUP_MEMBER_ASSOC_ATTR.'='.$uid LDAP_GROUP_MEMBER_ASSOC_ATTR.'='.$userDN
)); ));
$groups = $this->retrieveList($filter, array(OC_LDAP::conf('ldapGroupDisplayName'),'dn'));
$userGroups = OC_LDAP::ownCloudGroupNames($groups);
return $this->retrieveList($filter, $this->ldapGroupDisplayName); return array_unique($userGroups, SORT_LOCALE_STRING);
} }
/** /**
@ -76,22 +80,16 @@ class OC_GROUP_LDAP extends OC_Group_Backend {
* @returns array with user ids * @returns array with user ids
*/ */
public function usersInGroup($gid) { public function usersInGroup($gid) {
$filter = OC_LDAP::combineFilterWithAnd(array( $groupDN = OC_LDAP::groupname2dn($gid);
$this->ldapGroupFilter, if(!$groupDN) {
$this->ldapGroupDisplayName.'='.$gid return array();
));
$userDNs = $this->retrieveList($filter, LDAP_GROUP_MEMBER_ASSOC_ATTR, false);
$users = array();
$attr = OC_LDAP::conf('ldapUserDisplayName');
foreach($userDNs as $dn) {
$uid = OC_LDAP::readAttribute($dn, $attr);
if($uid) {
// if(($uid = OC_LDAP::readAttribute($dn, $attr)) != false){
$users[] = $uid;
} }
$members = OC_LDAP::readAttribute($groupDN, LDAP_GROUP_MEMBER_ASSOC_ATTR);
$result = array();
foreach($members as $member) {
$result[] = OC_LDAP::dn2username($member);
} }
return $users; return array_unique($result, SORT_LOCALE_STRING);
} }
/** /**
@ -101,7 +99,9 @@ class OC_GROUP_LDAP extends OC_Group_Backend {
* Returns a list with all groups * Returns a list with all groups
*/ */
public function getGroups() { public function getGroups() {
return $this->retrieveList($this->ldapGroupFilter, $this->ldapGroupDisplayName); $ldap_groups = $this->retrieveList($this->ldapGroupFilter, array(OC_LDAP::conf('ldapGroupDisplayName'), 'dn'));
$groups = OC_LDAP::ownCloudGroupNames($ldap_groups);
return $groups;
} }
/** /**
@ -120,13 +120,18 @@ class OC_GROUP_LDAP extends OC_Group_Backend {
$list = OC_LDAP::searchUsers($filter, $attr); $list = OC_LDAP::searchUsers($filter, $attr);
} }
if(is_array($list)) { if(is_array($list)) {
if(count($attr) > 1){
return $list;
} else {
return array_unique($list, SORT_LOCALE_STRING); return array_unique($list, SORT_LOCALE_STRING);
} }
}
//error cause actually, maybe throw an exception in future. //error cause actually, maybe throw an exception in future.
return array(); return array();
} }
} }

View File

@ -21,7 +21,8 @@
* *
*/ */
define('LDAP_GROUP_MEMBER_ASSOC_ATTR','uniquemember'); define('LDAP_GROUP_MEMBER_ASSOC_ATTR','uniqueMember');
define('LDAP_GROUP_DISPLAY_NAME_ATTR','cn');
//needed to unbind, because we use OC_LDAP only statically //needed to unbind, because we use OC_LDAP only statically
class OC_LDAP_DESTRUCTOR { class OC_LDAP_DESTRUCTOR {
@ -45,7 +46,9 @@ class OC_LDAP {
static protected $ldapTLS; static protected $ldapTLS;
static protected $ldapNoCase; static protected $ldapNoCase;
// user and group settings, that are needed in both backends // user and group settings, that are needed in both backends
static public $ldapUserDisplayName; static protected $ldapUserDisplayName;
static protected $ldapUserFilter;
static protected $ldapGroupDisplayName;
static public function init() { static public function init() {
self::readConfiguration(); self::readConfiguration();
@ -56,33 +59,343 @@ class OC_LDAP {
@ldap_unbind(self::$ldapConnectionRes); @ldap_unbind(self::$ldapConnectionRes);
} }
/**
* @brief returns a read-only configuration value
* @param $key the name of the configuration value
* @returns the value on success, otherwise null
*
* returns a read-only configuration values
*
* we cannot work with getters, because it is a static class
*/
static public function conf($key) { static public function conf($key) {
if(!self::$configured) {
self::init();
}
$availableProperties = array( $availableProperties = array(
'ldapUserDisplayName', 'ldapUserDisplayName',
'ldapGroupDisplayName',
); );
if(in_array($key, $availableProperties)) { if(in_array($key, $availableProperties)) {
return self::$$key; return self::$$key;
} }
return null;
}
/**
* gives back the database table for the query
*/
static private function getMapTable($isUser) {
if($isUser) {
return '*PREFIX*ldap_user_mapping';
} else {
return '*PREFIX*ldap_group_mapping';
}
}
/**
* @brief returns the LDAP DN for the given internal ownCloud name of the group
* @param $name the ownCloud name in question
* @returns string with the LDAP DN on success, otherwise false
*
* returns the LDAP DN for the given internal ownCloud name of the group
*/
static public function groupname2dn($name) {
return self::ocname2dn($name, false);
}
/**
* @brief returns the LDAP DN for the given internal ownCloud name of the user
* @param $name the ownCloud name in question
* @returns string with the LDAP DN on success, otherwise false
*
* returns the LDAP DN for the given internal ownCloud name of the user
*/
static public function username2dn($name) {
$dn = self::ocname2dn($name, true);
if($dn) {
return $dn;
} else {
//fallback: user is not mapped
$filter = self::combineFilterWithAnd(array(
self::$ldapUserFilter,
self::$ldapUserDisplayName . '=' . $name,
));
$result = self::searchUsers($filter, 'dn');
if(isset($result[0]['dn'])) {
self::mapUser($result[0], $name);
return $result[0];
}
}
return false;
}
static private function ocname2dn($name, $isUser) {
$table = self::getMapTable($isUser);
$query = OC_DB::prepare('
SELECT ldap_dn
FROM '.$table.'
WHERE owncloud_name = ?
');
$record = $query->execute(array($name))->fetchOne();
return $record;
if($name=='Coyotes') {
echo("adsfasdf ");
var_dump($record);
die();
}
if(isset($record['ldap_dn'])) {
return $record['ldap_dn'];
}
return false;
}
/**
* @brief returns the internal ownCloud name for the given LDAP DN of the group
* @param $dn the dn of the group object
* @param $ldapname optional, the display name of the object
* @returns string with with the name to use in ownCloud
*
* returns the internal ownCloud name for the given LDAP DN of the group
*/
static public function dn2groupname($dn, $ldapname = null) {
return self::dn2ocname($dn, $ldapname, false);
}
/**
* @brief returns the internal ownCloud name for the given LDAP DN of the user
* @param $dn the dn of the user object
* @param $ldapname optional, the display name of the object
* @returns string with with the name to use in ownCloud
*
* returns the internal ownCloud name for the given LDAP DN of the user
*/
static public function dn2username($dn, $ldapname = null) {
return self::dn2ocname($dn, $ldapname, true);
}
static public function dn2ocname($dn, $ldapname = null, $isUser = true) {
$table = self::getMapTable($isUser);
if($isUser) {
$nameAttribute = self::conf('ldapUserDisplayName');
} else {
$nameAttribute = self::conf('ldapGroupDisplayName');
}
$query = OC_DB::prepare('
SELECT owncloud_name
FROM '.$table.'
WHERE ldap_dn = ?
');
$component = $query->execute(array($dn))->fetchOne();
if($component) {
return $component;
}
if(is_null($ldapname)) {
$ldapname = self::readAttribute($dn, $nameAttribute);
$ldapname = $ldapname[0];
}
//a new user/group! Then let's try to add it. We're shooting into the blue with the user/group name, assuming that in most cases there will not be a conflict. Otherwise an error will occur and we will continue with our second shot.
if(self::mapComponent($dn, $ldapname, $isUser)) {
return $ldapname;
}
//doh! There is a conflict. We need to distinguish between users/groups. Adding indexes is an idea, but not much of a help for the user. The DN is ugly, but for now the only reasonable way. But we transform it to a readable format and remove the first part to only give the path where this object is located.
$oc_name = self::alternateOwnCloudName($ldapname, $dn);
if(self::mapComponent($dn, $oc_name, $isUser)) {
return $oc_name;
}
//and this of course should never been thrown :)
throw new Exception('LDAP backend: unexpected collision of DN and ownCloud Name.');
}
/**
* @brief gives back the user names as they are used ownClod internally
* @param $ldapGroups an array with the ldap Users result in style of array ( array ('dn' => foo, 'uid' => bar), ... )
* @returns an array with the user names to use in ownCloud
*
* gives back the user names as they are used ownClod internally
*/
static public function ownCloudUserNames($ldapUsers) {
return self::ldap2ownCloudNames($ldapUsers, true);
}
/**
* @brief gives back the group names as they are used ownClod internally
* @param $ldapGroups an array with the ldap Groups result in style of array ( array ('dn' => foo, 'cn' => bar), ... )
* @returns an array with the group names to use in ownCloud
*
* gives back the group names as they are used ownClod internally
*/
static public function ownCloudGroupNames($ldapGroups) {
return self::ldap2ownCloudNames($ldapGroups, false);
}
static private function ldap2ownCloudNames($ldapObjects, $isUsers) {
if($isUsers) {
$knownObjects = self::mappedUsers();
$nameAttribute = self::conf('ldapUserDisplayName');
} else {
$knownObjects = self::mappedGroups();
$nameAttribute = self::conf('ldapGroupDisplayName');
}
$ownCloudNames = array();
foreach($ldapObjects as $ldapObject) {
$key = self::recursiveArraySearch($knownObjects, $ldapObject['dn']);
//everything is fine when we know the group
if($key) {
$ownCloudNames[] = $knownObjects[$key]['owncloud_name'];
continue;
}
//a new group! Then let's try to add it. We're shooting into the blue with the group name, assuming that in most cases there will not be a conflict
if(self::mapComponent($ldapObject['dn'], $ldapObject[$nameAttribute], $isUsers)) {
$ownCloudNames[] = $ldapObject[$nameAttribute];
continue;
}
//doh! There is a conflict. We need to distinguish between groups. Adding indexes is an idea, but not much of a help for the user. The DN is ugly, but for now the only reasonable way. But we transform it to a readable format and remove the first part to only give the path where this entry is located.
$oc_name = self::alternateOwnCloudName($ldapObject[$nameAttribute], $ldapObject['dn']);
if(self::mapComponent($ldapObject['dn'], $oc_name, $isUsers)) {
$ownCloudNames[] = $oc_name;
continue;
}
//and this of course should never been thrown :)
throw new Exception('LDAP backend: unexpected collision of DN and ownCloud Name.');
}
return $ownCloudNames;
}
/**
* @brief creates a hopefully unique name for owncloud based on the display name and the dn of the LDAP object
* @param $name the display name of the object
* @param $dn the dn of the object
* @returns string with with the name to use in ownCloud
*
* creates a hopefully unique name for owncloud based on the display name and the dn of the LDAP object
*/
static private function alternateOwnCloudName($name, $dn) {
$ufn = ldap_dn2ufn($dn);
return $name . ' (' . trim(substr_replace($ufn, '', 0, strpos($ufn, ','))) . ')';
}
/**
* @brief retrieves all known groups from the mappings table
* @returns array with the results
*
* retrieves all known groups from the mappings table
*/
static private function mappedGroups() {
return self::mappedComponents(false);
}
/**
* @brief retrieves all known users from the mappings table
* @returns array with the results
*
* retrieves all known users from the mappings table
*/
static private function mappedUsers() {
return self::mappedComponents(true);
}
static private function mappedComponents($isUsers) {
$table = self::getMapTable($isUsers);
$query = OC_DB::prepare('
SELECT ldap_dn, owncloud_name
FROM '. $table
);
return $query->execute()->fetchAll();
}
/**
* @brief inserts a new group into the mappings table
* @param $dn the record in question
* @param $ocname the name to use in ownCloud
* @returns true on success, false otherwise
*
* inserts a new group into the mappings table
*/
static private function mapGroup($dn, $ocname) {
return self::mapComponent($dn, $ocname, false);
}
/**
* @brief inserts a new user into the mappings table
* @param $dn the record in question
* @param $ocname the name to use in ownCloud
* @returns true on success, false otherwise
*
* inserts a new user into the mappings table
*/
static private function mapUser($dn, $ocname) {
return self::mapComponent($dn, $ocname, true);
}
/**
* @brief inserts a new user or group into the mappings table
* @param $dn the record in question
* @param $ocname the name to use in ownCloud
* @param $isUser is it a user or a group?
* @returns true on success, false otherwise
*
* inserts a new user or group into the mappings table
*/
static private function mapComponent($dn, $ocname, $isUser = true) {
$table = self::getMapTable($isUser);
$insert = OC_DB::prepare('
INSERT IGNORE INTO '.$table.'
(ldap_dn, owncloud_name)
VALUES (?,?)
');
$res = $insert->execute(array($dn, $ocname));
return !OC_DB::isError($res);
} }
/** /**
* @brief reads a given attribute for an LDAP record identified by a DN * @brief reads a given attribute for an LDAP record identified by a DN
* @param $dn the record in question * @param $dn the record in question
* @param $attr the attribute that shall be retrieved * @param $attr the attribute that shall be retrieved
* @returns the value on success, false otherwise * @returns the values in an array on success, false otherwise
* *
* Reads an attribute from an LDAP entry * Reads an attribute from an LDAP entry
*/ */
static public function readAttribute($dn, $attr) { static public function readAttribute($dn, $attr) {
$attr = strtolower($attr);
$cr = self::getConnectionResource(); $cr = self::getConnectionResource();
// echo("<pre>");var_dump($dn);
$rr = ldap_read($cr, $dn, 'objectClass=*', array($attr)); $rr = ldap_read($cr, $dn, 'objectClass=*', array($attr));
if(!$rr) {
echo('<pre>###RA ');var_dump($dn);var_dump(debug_backtrace());die();
}
$er = ldap_first_entry($cr, $rr); $er = ldap_first_entry($cr, $rr);
$result = ldap_get_attributes($cr, $er); $result = ldap_get_attributes($cr, $er);
if($result['count'] > 0){
return $result[$attr][0]; // if($dn == 'cn=Coyotes,cn=groups,dc=blizzz-oc,dc=bzoc') die((var_dump($result)));
if($result[$attr]['count'] > 0){
$values = array();
for($i=0;$i<$result[$attr]['count'];$i++) {
$values[] = $result[$attr][$i];
}
return $values;
} }
return false; return false;
} }
@ -121,15 +434,38 @@ class OC_LDAP {
* Executes an LDAP search * Executes an LDAP search
*/ */
static private function search($filter, $base, $attr = null) { static private function search($filter, $base, $attr = null) {
$sr = ldap_search(self::getConnectionResource(), $base, $filter, array($attr)); if(!is_null($attr) && !is_array($attr)) {
$attr = array(strtolower($attr));
}
$sr = ldap_search(self::getConnectionResource(), $base, $filter, $attr);
$findings = ldap_get_entries(self::getConnectionResource(), $sr ); $findings = ldap_get_entries(self::getConnectionResource(), $sr );
if(!is_null($attr)) { if(!is_null($attr)) {
$selection = array(); $selection = array();
foreach($findings as $item) { $multiarray = false;
if(isset($item[strtolower($attr)])) { if(count($attr) > 1) {
$selection[] = $item[strtolower($attr)][0]; $multiarray = true;
$i = 0;
} }
foreach($findings as $item) {
if($multiarray) {
foreach($attr as $key) {
if(isset($item[$key])) {
if($key != 'dn'){
$selection[$i][$key] = $item[$key][0];
} else {
$selection[$i][$key] = $item[$key];
}
}
}
$i++;
} else {
if(isset($item[$attr[0]])) {
$selection[] = $item[$attr[0]];
}
}
} }
return $selection; return $selection;
} }
@ -204,6 +540,8 @@ class OC_LDAP {
self::$ldapTLS = OC_Appconfig::getValue('user_ldap', 'ldap_tls',0); self::$ldapTLS = OC_Appconfig::getValue('user_ldap', 'ldap_tls',0);
self::$ldapNoCase = OC_Appconfig::getValue('user_ldap', 'ldap_nocase', 0); self::$ldapNoCase = OC_Appconfig::getValue('user_ldap', 'ldap_nocase', 0);
self::$ldapUserDisplayName = OC_Appconfig::getValue('user_ldap', 'ldap_display_name', OC_USER_BACKEND_LDAP_DEFAULT_DISPLAY_NAME); self::$ldapUserDisplayName = OC_Appconfig::getValue('user_ldap', 'ldap_display_name', OC_USER_BACKEND_LDAP_DEFAULT_DISPLAY_NAME);
self::$ldapUserFilter = OC_Appconfig::getValue('user_ldap', 'ldap_userlist_filter','objectClass=person');
self::$ldapGroupDisplayName = OC_Appconfig::getValue('user_ldap', 'ldap_group_display_name', LDAP_GROUP_DISPLAY_NAME_ATTR);
if( if(
!empty(self::$ldapHost) !empty(self::$ldapHost)
@ -247,5 +585,23 @@ class OC_LDAP {
} }
} }
/**
* taken from http://www.php.net/manual/en/function.array-search.php#97645
* TODO: move somewhere, where its better placed since it is not LDAP specific. OC_Helper maybe?
*/
static public function recursiveArraySearch($haystack, $needle, $index = null) {
$aIt = new RecursiveArrayIterator($haystack);
$it = new RecursiveIteratorIterator($aIt);
while($it->valid()) {
if (((isset($index) AND ($it->key() == $index)) OR (!isset($index))) AND ($it->current() == $needle)) {
return $aIt->key();
}
$it->next();
}
return false;
}
} }