- previously it was needed as the PHP LDAP handling of paged results was
strange
- but now the read operation would fail, e.g. with extra home dir attribute
set ("Home dir attribute can't be read from LDAP for uid: foobar")
Signed-off-by: Arthur Schiwon <blizzz@arthur-schiwon.de>
- adapters for PHP API version to support PHP < 7.3
- switch to pass only one base per search
- cookie logic is moved from Access to API adapters
Signed-off-by: Arthur Schiwon <blizzz@arthur-schiwon.de>
To continue this formatting madness, here's a tiny patch that adds
unified formatting for control structures like if and loops as well as
classes, their methods and anonymous functions. This basically forces
the constructs to start on the same line. This is not exactly what PSR2
wants, but I think we can have a few exceptions with "our" style. The
starting of braces on the same line is practically standard for our
code.
This also removes any empty lines from method/function bodies at the
beginning and end.
Signed-off-by: Christoph Wurst <christoph@winzerhof-wurst.at>
the continue (and later the early return) avoided proper looping over the
attribute candidates.
Signed-off-by: Arthur Schiwon <blizzz@arthur-schiwon.de>
allows to mark users as offline right away, avoids a gap of being not a
user and causing weird side effects
Signed-off-by: Arthur Schiwon <blizzz@arthur-schiwon.de>
* simplifies deletion process
* less strange behaviour when looking up home storage (as long as it is local)
* thus could enable transfer ownerships after user went invisible on ldap
Signed-off-by: Arthur Schiwon <blizzz@arthur-schiwon.de>
* Order the imports
* No leading slash on imports
* Empty line before namespace
* One line per import
* Empty after imports
* Empty line at bottom of file
Signed-off-by: Roeland Jago Douma <roeland@famdouma.nl>
* reading the config directly will return the value with line breaks
* using the proper accessor gives us all bases in an array
* returns the first matching one
* having user id provided for the group base is strange and does not let
us operate like this. here we return the first one. might change in
future, a backportable fix won't have an API change however.
Signed-off-by: Arthur Schiwon <blizzz@arthur-schiwon.de>
there is no such strange return mode. Having invalid user ids caused this
check to fail, and as a side effect share limitation to groups to not work.
Signed-off-by: Arthur Schiwon <blizzz@arthur-schiwon.de>
* uniqueMember was the default so we did not know whether this setting is
desired or the initial value
* autodetection of the user-group association attribute runs only when it
was not set (as far as we knew)
* the default is now empty
* thus LDAPProvider might return this value as well (in exceptional cases)
* if a group base is given (edge case), use this instead of general base
* resolves #12682
Signed-off-by: Arthur Schiwon <blizzz@arthur-schiwon.de>
LDAP plugins must change the createUser method to return the DN, as we
need this to update the cache.
Signed-off-by: Vinicius Cubas Brand <viniciuscb@gmail.com>
This commit fixes an error happening when the subadmin tries to create a
user, adding him/her to the group s/he is subadmin of, using a LDAP
User/Group plugin.
This just forces the cache to be reset after a user is added to a
group.
Signed-off-by: Vinicius Cubas Brand <viniciuscb@gmail.com>
Nested groups are now cached in a CappedMemoryCache object to reduce
queries to the LDAP backend.
Signed-off-by: Roland Tapken <roland@bitarbeiter.net>
The previous patch fixed the problem only for one level of indirection
because groupsMatchFilter() had been applied on each recursive call (and
thus there would be no second level if the first level fails the check).
This new implementation replaces the recursive call with a stack that
iterates all nested groups before filtering with groupsMatchFilter().
Signed-off-by: Roland Tapken <roland@bitarbeiter.net>
Currently groupsMatchFilter is called before nested groups are resolved.
This basically breaks this feature since it is not possible to inherit
membership in a group from another group.
Minimal example:

  Group filter: (&(objectClass=group),(cn=nextcloud))
  Nested groups: enabled

  cn=nextcloud,ou=Nextcloud,ou=groups,dn=company,dn=local
    objectClass: group

  cn=IT,ou=groups,dn=company,dn=local
    objectClass: group
    memberOf: cn=nextcloud,ou=Nextcloud,ou=groups,dn=company,dn=local

  cn=John Doe,ou=users,dn=company,dn=local
    objectClass: person
    memberOf: cn=IT,ou=groups,dn=company,dn=local

Since 'cn=IT,ou=groups,dn=company,dn=local' doesn't match the group
filter, John wouldn't be a member of group 'nextcloud'.
This patch fixes this by filtering the groups after all nested groups
have been collected. If nested groups is disabled the result will be the
same as without this patch.
Signed-off-by: Roland Tapken <roland@bitarbeiter.net>
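
An added illustration of the two nested-group commit messages above (filtering after collection, and the stack-based walk); it is not code from the repository. It uses a constructed copy of the minimal example's directory, extended with a constructed "Ops" group that creates a memberOf cycle. matchesGroupFilter() and both walk functions are hypothetical names.

```php
<?php
// Constructed directory: the minimal example plus a hypothetical "Ops" group forming a memberOf cycle.
const NC = 'cn=nextcloud,ou=Nextcloud,ou=groups,dn=company,dn=local';
const IT = 'cn=IT,ou=groups,dn=company,dn=local';
const OPS = 'cn=Ops,ou=groups,dn=company,dn=local';
const JOHN = 'cn=John Doe,ou=users,dn=company,dn=local';
$directory = [
    NC   => ['cn' => 'nextcloud', 'memberOf' => []],
    IT   => ['cn' => 'IT', 'memberOf' => [NC, OPS]],
    OPS  => ['cn' => 'Ops', 'memberOf' => [IT]],
    JOHN => ['cn' => 'John Doe', 'memberOf' => [IT]],
];
// Stand-in for the group filter (cn=nextcloud); hypothetical, not groupsMatchFilter() itself.
function matchesGroupFilter(array $dir, string $dn): bool {
    return ($dir[$dn]['cn'] ?? null) === 'nextcloud';
}
// Filter applied on every level: the walk stops at the first group that fails the filter.
function groupsFilteredDuringWalk(array $dir, string $dn, array &$seen = []): array {
    $result = [];
    foreach ($dir[$dn]['memberOf'] ?? [] as $groupDn) {
        if (isset($seen[$groupDn]) || !matchesGroupFilter($dir, $groupDn)) {
            continue;
        }
        $seen[$groupDn] = true;
        $result = array_merge($result, [$groupDn], groupsFilteredDuringWalk($dir, $groupDn, $seen));
    }
    return $result;
}
// Stack-based walk: collect all nested groups first, apply the filter once at the end.
function groupsFilteredAfterWalk(array $dir, string $dn, bool $nested = true): array {
    $seen = [];
    $stack = $dir[$dn]['memberOf'] ?? [];
    while ($stack !== []) {
        $groupDn = array_pop($stack);
        if (isset($seen[$groupDn])) {
            continue; // already visited: keeps a memberOf cycle from looping forever
        }
        $seen[$groupDn] = true;
        if ($nested) {
            foreach ($dir[$groupDn]['memberOf'] ?? [] as $parentDn) {
                $stack[] = $parentDn;
            }
        }
    }
    return array_values(array_filter(array_keys($seen), fn ($g) => matchesGroupFilter($dir, $g)));
}
echo json_encode(groupsFilteredDuringWalk($directory, JOHN)), "\n";
echo json_encode(groupsFilteredAfterWalk($directory, JOHN)), "\n";
echo json_encode(groupsFilteredAfterWalk($directory, JOHN, false)), "\n";
```

The three lines printed are John's groups with per-level filtering, with filtering after collection, and with nested groups disabled.
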
* handler registered upon OCA\Files_External::loadAdditionalBackends
event as user_ldap is loaded before files_external
* new configuration field "ldapExtStorageHomeAttribute" (not in GUI yet)
Signed-off-by: Arthur Schiwon <blizzz@arthur-schiwon.de>
otherwise they will be skipped when the results are being formatted and the
lower-cased result keys do not match.
Signed-off-by: Arthur Schiwon <blizzz@arthur-schiwon.de>
parallel search is not compatible with paged search, but the latter is
usually always applied.
Signed-off-by: Arthur Schiwon <blizzz@arthur-schiwon.de>
during login they might be cached as non-existing and cause an Exception
in the long run
reduces some duplication, too
Signed-off-by: Arthur Schiwon <blizzz@arthur-schiwon.de>
LDAP servers respond with that even if a limit was passed with the
request. Having this statement logged causes a lot of confusion.
Signed-off-by: Arthur Schiwon <blizzz@arthur-schiwon.de>
Just some house keeping. IUserTools was used in even older days for
easier creation of Access instances…
Signed-off-by: Arthur Schiwon <blizzz@arthur-schiwon.de>
… when an unmapped user logs in for the first time when background job
mode is ajax and no memcache was configured.
Signed-off-by: Arthur Schiwon <blizzz@arthur-schiwon.de>
With 689df9a843 the behaviour to assign only
non-empty config IDs was introduced. Only, this was only effective for CLI
and OCS API.
Related to #3270.
The web UI creates now also a full configuration on first load. This fixes
#5094.
Signed-off-by: Arthur Schiwon <blizzz@arthur-schiwon.de>