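--- a/trunk/extensions/LdapAuthentication/LdapAuthentication.php
+++ b/trunk/extensions/LdapAuthentication/LdapAuthentication.php
@@ -1304,10 +1304,21 @@
 # The first entry is always a count
 $memberOfMembers = $this->userInfo[0]["memberof"];
 array_shift( $memberOfMembers );
-$groups = array( "dn" => array(), "short" => array() );
-foreach ( $memberOfMembers as $mem ) {
+$groups = array( "dn"=> array(), "short"=>array() );
+
+foreach( $memberOfMembers as $mem ) {
 array_push( $groups["dn"], strtolower( $mem ) );
+
+// Get short name of group
+$memAttrs = explode( ',', strtolower( $mem ) );
+if ( isset( $memAttrs[0] ) ) {
+$memAttrs = explode( '=', $memAttrs[0] );
+if ( isset( $memAttrs[0] ) ) {
+array_push( $groups["short"], strtolower( $memAttrs[1] ) );
+}
+}
 }
+
 $this->userLDAPGroups = $groups;
 }
 } else {
@@ -1393,7 +1404,8 @@
 global $wgLDAPGroupObjectclass, $wgLDAPGroupAttribute, $wgLDAPGroupNameAttribute;
 global $wgLDAPProxyAgent, $wgLDAPProxyAgentPassword;
 global $wgUser;
-
+global $wgLDAPGroupsUseMemberOf;
+
 $this->printDebug( "Entering searchGroups", NONSENSITIVE );
 
 $base = $this->getBaseDN( GROUPDN );
@@ -1402,15 +1414,11 @@
 $attribute = $wgLDAPGroupAttribute[$_SESSION['wsDomain']];
 $nameattribute = $wgLDAPGroupNameAttribute[$_SESSION['wsDomain']];
 
-// We actually want to search for * not \2a
-$value = $dn;
-if ( $value != "*" )
-$value = $this->getLdapEscapedString( $value );
+// We actually want to search for * not \2a, ensure we don't escape *
+$value = $dn;
+if ( $value != "*" )
+$value = $this->getLdapEscapedString( $value );
 
-$filter = "(&($attribute=$value)(objectclass=$objectclass))";
-
-$this->printDebug( "Search string: $filter", SENSITIVE );
-
 if ( isset( $wgLDAPProxyAgent[$_SESSION['wsDomain']] ) ) {
 // We'll try to bind as the proxyagent as the proxyagent should normally have more
 // rights than the user. If the proxyagent fails to bind, we will still be able
@@ -1419,6 +1427,61 @@
 $bind = $this->bindAs( $wgLDAPProxyAgent[$_SESSION['wsDomain']], $wgLDAPProxyAgentPassword[$_SESSION['wsDomain']] );
 }
 
+$groups = array( "short" => array(), "dn" => array() );
+
+// AD does not include the primary group in the list of groups, we have to find it ourselves.
+// TODO: find a way to only do this search for AD domains.
+if ( $dn != "*" ) {
+$PGfilter = "(&(distinguishedName=$value)(objectclass=user))";
+$this->printDebug( "User Filter: $PGfilter", SENSITIVE );
+$PGinfo = @ldap_search( $ldapconn, $base, $PGfilter );
+$PGentries = @ldap_get_entries( $ldapconn, $PGinfo );
+if ( $PGentries ) {
+$Usid = $PGentries[0]['objectsid'][0];
+$PGrid = $PGentries[0]['primarygroupid'][0];
+$PGsid = bin2hex( $Usid );
+for ( $i=0; $i < 56; $i += 2 ) {
+$PGSID[] = substr( $PGsid, $i, 2 );
+}
+$dPGrid = dechex( $PGrid );
+$dPGrid = str_pad( $dPGrid, 8, '0', STR_PAD_LEFT );
+$PGRID = array();
+for ( $i = 0; $i < 8; $i += 2 ) {
+array_push( $PGRID, substr( $dPGrid, $i, 2 ) );
+}
+for ( $i = 24; $i < 28; $i++ ) {
+$PGSID[$i] = array_pop( $PGRID );
+}
+foreach ( $PGSID as $PGsid_bit ) {
+$PGsid_string .= "\\" . $PGsid_bit;
+}
+$PGfilter = "(&(objectSid=$PGsid_string)(objectclass=$objectclass))";
+$this->printDebug( "Primary Group Filter: $PGfilter", SENSITIVE );
+$info = @ldap_search( $ldapconn, $base, $PGfilter );
+$PGentries = @ldap_get_entries( $ldapconn, $info );
+array_shift( $PGentries );
+$dnMember = strtolower( $PGentry[0]['dn'] );
+$groups["dn"][] = $dnMember;
+// Get short name of group
+$memAttrs = explode( ',', strtolower( $dnMember ) );
+if ( isset( $memAttrs[0] ) ) {
+$memAttrs = explode( '=', $memAttrs[0] );
+if ( isset( $memAttrs[0] ) ) {
+$groups["short"][] = strtolower( $memAttrs[1] );
+}
+}
+
+}
+}
+
+$filter = "(&($attribute=$value)(objectclass=$objectclass))";
+
+$this->printDebug( "Search string: $filter", SENSITIVE );
+
+$filter = "(&($attribute=$value)(objectclass=$objectclass))";
+
+$this->printDebug( "Search string: $filter", SENSITIVE );
+
 $info = @ldap_search( $this->ldapconn, $base, $filter );
 # if ( $info["count"] < 1 ) {
 if ( !$info ) {
@@ -1435,7 +1498,6 @@
 array_shift( $entries );
 
 // Let's get a list of both full dn groups and shortname groups
-$groups = array( "short" => array(), "dn" => array() );
 foreach ( $entries as $entry ) {
 $shortMember = strtolower( $entry[$nameattribute][0] );
 $dnMember = strtolower( $entry['dn'] );
@@ -1489,6 +1551,16 @@
 
 $this->printDebug( "Entering setGroups.", NONSENSITIVE );
 
+# Add ldap groups as local groups
+if ( isset( $wgLDAPGroupsPrevail[$_SESSION['wsDomain']] ) && $wgLDAPGroupsPrevail[$_SESSION['wsDomain']] ) {
+$this->printDebug( "Adding all groups to wgGroupPermissions: ", SENSITIVE, $this->allLDAPGroups );
+
+foreach ( $this->allLDAPGroups["short"] as $ldapgroup ) {
+if ( !array_key_exists( $ldapgroup, $wgGroupPermissions ) )
+$wgGroupPermissions[$ldapgroup] = array();
+}
+}
+
 # add groups permissions
 $localAvailGrps = $user->getAllGroups();
 $localUserGrps = $user->getEffectiveGroups();
@@ -1504,17 +1576,6 @@
 $this->printDebug( "Locally managed groups is unset, using defaults: ", SENSITIVE, $locallyManagedGrps );
 }
 
-
-# Add ldap groups as local groups
-if ( isset( $wgLDAPGroupsPrevail[$_SESSION['wsDomain']] ) && $wgLDAPGroupsPrevail[$_SESSION['wsDomain']] ) {
-$this->printDebug( "Adding all groups to wgGroupPermissions: ", SENSITIVE, $this->allLDAPGroups );
-
-foreach ( $this->allLDAPGroups["short"] as $ldapgroup ) {
-if ( !array_key_exists( $ldapgroup, $wgGroupPermissions ) )
-$wgGroupPermissions[$ldapgroup] = array();
-}
-}
-
 $this->printDebug( "Available groups are: ", NONSENSITIVE, $localAvailGrps );
 $this->printDebug( "Effective groups are: ", NONSENSITIVE, $localUserGrps );
 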