diff options
author | blizzz <blizzz@arthur-schiwon.de> | 2020-08-12 16:42:08 +0300 |
---|---|---|
committer | GitHub <noreply@github.com> | 2020-08-12 16:42:08 +0300 |
commit | 33db8a97c9c6d392eea02b7964783777a3ed282a (patch) | |
tree | aba07ff5cdc890776c3a8c4443dfc17929e94d0b /apps | |
parent | 527bec1706d2545911838e4e0c74a8729e7c3bae (diff) | |
parent | 8fd575527d5935e0e33abb3db0d1543e1bd91ef7 (diff) |
Merge pull request #22203 from nextcloud/backport/21559/stable19
[stable19] shortcut in reading nested group members when IN_CHAIN is available
Diffstat (limited to 'apps')
-rw-r--r-- | apps/user_ldap/lib/Configuration.php | 7 | ||||
-rw-r--r-- | apps/user_ldap/lib/Connection.php | 1 | ||||
-rw-r--r-- | apps/user_ldap/lib/Group_LDAP.php | 38 | ||||
-rw-r--r-- | apps/user_ldap/tests/Group_LDAPTest.php | 33 |
4 files changed, 77 insertions, 2 deletions
diff --git a/apps/user_ldap/lib/Configuration.php b/apps/user_ldap/lib/Configuration.php index 81e33e6244f..5a7c732ab7b 100644 --- a/apps/user_ldap/lib/Configuration.php +++ b/apps/user_ldap/lib/Configuration.php @@ -45,6 +45,10 @@ class Configuration { public const AVATAR_PREFIX_NONE = 'none'; public const AVATAR_PREFIX_DATA_ATTRIBUTE = 'data:'; + public const LDAP_SERVER_FEATURE_UNKNOWN = 'unknown'; + public const LDAP_SERVER_FEATURE_AVAILABLE = 'available'; + public const LDAP_SERVER_FEATURE_UNAVAILABLE = 'unavailable'; + protected $configPrefix = null; protected $configRead = false; /** @@ -110,6 +114,7 @@ class Configuration { 'ldapDynamicGroupMemberURL' => null, 'ldapDefaultPPolicyDN' => null, 'ldapExtStorageHomeAttribute' => null, + 'ldapMatchingRuleInChainState' => self::LDAP_SERVER_FEATURE_UNKNOWN, ]; /** @@ -482,6 +487,7 @@ class Configuration { 'ldap_default_ppolicy_dn' => '', 'ldap_user_avatar_rule' => 'default', 'ldap_ext_storage_home_attribute' => '', + 'ldap_matching_rule_in_chain_state' => self::LDAP_SERVER_FEATURE_UNKNOWN, ]; } @@ -543,6 +549,7 @@ class Configuration { 'ldap_dynamic_group_member_url' => 'ldapDynamicGroupMemberURL', 'ldap_default_ppolicy_dn' => 'ldapDefaultPPolicyDN', 'ldap_ext_storage_home_attribute' => 'ldapExtStorageHomeAttribute', + 'ldap_matching_rule_in_chain_state' => 'ldapMatchingRuleInChainState', 'ldapIgnoreNamingRules' => 'ldapIgnoreNamingRules', // sysconfig ]; return $array; diff --git a/apps/user_ldap/lib/Connection.php b/apps/user_ldap/lib/Connection.php index 0cc93a08e6f..f4ead2a383d 100644 --- a/apps/user_ldap/lib/Connection.php +++ b/apps/user_ldap/lib/Connection.php @@ -67,6 +67,7 @@ use OCP\ILogger; * @property string[] ldapBaseGroups * @property string ldapGroupFilter * @property string ldapGroupDisplayName + * @property string ldapMatchingRuleInChainState */ class Connection extends LDAPUtility { private $ldapConnectionRes = null; diff --git a/apps/user_ldap/lib/Group_LDAP.php b/apps/user_ldap/lib/Group_LDAP.php index 6b62f88123e..54a8eaf08ae 100644 --- a/apps/user_ldap/lib/Group_LDAP.php +++ b/apps/user_ldap/lib/Group_LDAP.php @@ -235,6 +235,37 @@ class Group_LDAP extends BackendUtility implements \OCP\GroupInterface, IGroupLD if ($groupMembers !== null) { return $groupMembers; } + + if ($this->access->connection->ldapNestedGroups + && $this->access->connection->useMemberOfToDetectMembership + && $this->access->connection->hasMemberOfFilterSupport + && $this->access->connection->ldapMatchingRuleInChainState !== Configuration::LDAP_SERVER_FEATURE_UNAVAILABLE + ) { + $attemptedLdapMatchingRuleInChain = true; + // compatibility hack with servers supporting :1.2.840.113556.1.4.1941:, and others) + $filter = $this->access->combineFilterWithAnd([ + $this->access->connection->ldapUserFilter, + $this->access->connection->ldapUserDisplayName . '=*', + 'memberof:1.2.840.113556.1.4.1941:=' . $dnGroup + ]); + $memberRecords = $this->access->fetchListOfUsers( + $filter, + $this->access->userManager->getAttributes(true) + ); + $result = array_reduce($memberRecords, function ($carry, $record) { + $carry[] = $record['dn'][0]; + return $carry; + }, []); + if ($this->access->connection->ldapMatchingRuleInChainState === Configuration::LDAP_SERVER_FEATURE_AVAILABLE) { + return $result; + } elseif (!empty($memberRecords)) { + $this->access->connection->ldapMatchingRuleInChainState = Configuration::LDAP_SERVER_FEATURE_AVAILABLE; + $this->access->connection->saveConfiguration(); + return $result; + } + // when feature availability is unknown, and the result is empty, continue and test with original approach + } + $seen[$dnGroup] = 1; $members = $this->access->readAttribute($dnGroup, $this->access->connection->ldapGroupMemberAssocAttr); if (is_array($members)) { @@ -247,6 +278,13 @@ class Group_LDAP extends BackendUtility implements \OCP\GroupInterface, IGroupLD $allMembers += $this->getDynamicGroupMembers($dnGroup); $this->access->connection->writeToCache($cacheKey, $allMembers); + if (isset($attemptedLdapMatchingRuleInChain) + && $this->access->connection->ldapMatchingRuleInChainState === Configuration::LDAP_SERVER_FEATURE_UNKNOWN + && !empty($allMembers) + ) { + $this->access->connection->ldapMatchingRuleInChainState = Configuration::LDAP_SERVER_FEATURE_UNAVAILABLE; + $this->access->connection->saveConfiguration(); + } return $allMembers; } diff --git a/apps/user_ldap/tests/Group_LDAPTest.php b/apps/user_ldap/tests/Group_LDAPTest.php index 60b8b06b3cf..60ec90c1efb 100644 --- a/apps/user_ldap/tests/Group_LDAPTest.php +++ b/apps/user_ldap/tests/Group_LDAPTest.php @@ -71,6 +71,8 @@ class Group_LDAPTest extends TestCase { ->method('getConnection') ->willReturn($connector); + $access->userManager = $this->createMock(Manager::class); + return $access; } @@ -121,12 +123,19 @@ class Group_LDAPTest extends TestCase { $access->expects($this->any()) ->method('isDNPartOfBase') ->willReturn(true); + $access->expects($this->any()) + ->method('combineFilterWithAnd') + ->willReturn('pseudo=filter'); // for primary groups $access->expects($this->once()) ->method('countUsers') ->willReturn(2); + $access->userManager->expects($this->any()) + ->method('getAttributes') + ->willReturn(['displayName', 'mail']); + $groupBackend = new GroupLDAP($access, $pluginManager); $users = $groupBackend->countUsersInGroup('group'); @@ -166,6 +175,13 @@ class Group_LDAPTest extends TestCase { $access->expects($this->any()) ->method('isDNPartOfBase') ->willReturn(true); + $access->expects($this->any()) + ->method('combineFilterWithAnd') + ->willReturn('pseudo=filter'); + + $access->userManager->expects($this->any()) + ->method('getAttributes') + ->willReturn(['displayName', 'mail']); $groupBackend = new GroupLDAP($access, $pluginManager); $users = $groupBackend->countUsersInGroup('group', '3'); @@ -541,7 +557,10 @@ class Group_LDAPTest extends TestCase { $access->expects($this->any()) ->method('combineFilterWithAnd') ->willReturn('pseudo=filter'); - $access->userManager = $this->createMock(Manager::class); + + $access->userManager->expects($this->any()) + ->method('getAttributes') + ->willReturn(['displayName', 'mail']); $groupBackend = new GroupLDAP($access, $pluginManager); $users = $groupBackend->usersInGroup('foobar'); @@ -582,7 +601,10 @@ class Group_LDAPTest extends TestCase { $access->expects($this->any()) ->method('combineFilterWithAnd') ->willReturn('pseudo=filter'); - $access->userManager = $this->createMock(Manager::class); + + $access->userManager->expects($this->any()) + ->method('getAttributes') + ->willReturn(['displayName', 'mail']); $groupBackend = new GroupLDAP($access, $pluginManager); $users = $groupBackend->usersInGroup('foobar'); @@ -621,6 +643,13 @@ class Group_LDAPTest extends TestCase { $access->expects($this->any()) ->method('isDNPartOfBase') ->willReturn(true); + $access->expects($this->any()) + ->method('combineFilterWithAnd') + ->willReturn('pseudo=filter'); + + $access->userManager->expects($this->any()) + ->method('getAttributes') + ->willReturn(['displayName', 'mail']); $groupBackend = new GroupLDAP($access, $pluginManager); $users = $groupBackend->countUsersInGroup('foobar'); |