From 3408aa9bb38b0c64dac8287a6872cec0ba2294b7 Mon Sep 17 00:00:00 2001
From: kkalev
Date: Mon, 29 Sep 2003 14:16:25 +0000
Subject: [PATCH] Allow for defining the ldap_filter used when searching for a user. The filter supports dynamic variables like %u (username) and %U (username provided though http auth)
---
 Changelog | 2 ++
 conf/admin.conf | 11 +++++++++++
 lib/ldap/defaults.php3 | 8 ++++++--
 lib/ldap/functions.php3 | 10 ++++++++++
 lib/ldap/user_info.php3 | 8 ++++++--
 5 files changed, 35 insertions(+), 4 deletions(-)
diff --git a/Changelog b/Changelog
index 98dcb70..937c89a 100644
--- a/Changelog
+++ b/Changelog
@@ -42,6 +42,8 @@ Ver 1.63:
 * Also check for $server != '' in stats.php3. Bug noted by Ulrich Walcher
 * Consider the account locked either if Dialup-Access == FALSE or if it is not set at all
 * Calculate weekly used time correctly (from Sunday 00:00:00)
+* Allow for defining the ldap_filter used when searching for a user. The filter supports dynamic variables
+ like %u (username) and %U (username provided though http auth)
 Ver 1.62:
 * Remove one sql query from user_admin which was not needed.
 * Instead of a query like "LIKE 'YYYY-MM-DD%'" use "AcctStopTime >= 'YYYY-MM-DD 00:00:00 AND AcctStopTime
diff --git a/conf/admin.conf b/conf/admin.conf
index 22da124..73708f0 100644
--- a/conf/admin.conf
+++ b/conf/admin.conf
@@ -167,6 +167,17 @@ ldap_regular_profile_attr: dialupregularprofile
 # Uncomment to enable ldap debug
 #
 #ldap_debug: true
+#
+# Allow for defining the ldap filter used when searching for a user
+# Variables supported:
+# %u: username
+# %U: username provided though http authentication
+#
+# One use of this would be to restrict access to only the user's belonging to
+# a specific administrator like this:
+# ldap_filter: (&(uid=%u)(manager=uid=%U,ou=admins,o=company,c=com))
+#
+#ldap_filter: (uid=%u)
 #
diff --git a/lib/ldap/defaults.php3 b/lib/ldap/defaults.php3
index 0005cb1..3583098 100644
--- a/lib/ldap/defaults.php3 
+++ b/lib/ldap/defaults.php3
@@ -27,9 +27,13 @@ if ($config[ldap_default_dn] != ''){
 }
 if ($regular_profile_attr != ''){
 $get_attrs = array("$regular_profile_attr");
+ if ($config[ldap_filter] != '')
+ $filter = ldap_xlat($config[ldap_filter],$login,$config);
+ else
+ $filter = 'uid=' . $login;
 if ($config[ldap_debug] == 'true')
- print "DEBUG(LDAP): Search Query: BASE='$config[ldap_base]',FILTER='uid=$login'
\n";
- $sr=@ldap_search($ds,"$config[ldap_base]","uid=" . $login,$get_attrs);
+ print "DEBUG(LDAP): Search Query: BASE='$config[ldap_base]',FILTER='$filter'
\n";
+ $sr=@ldap_search($ds,"$config[ldap_base]",$filter,$get_attrs);
 if ($info = @ldap_get_entries($ds,$sr)){
 for($i=0;$i<$info[0][$regular_profile_attr]["count"];$i++){
 $dn2 = $info[0][$regular_profile_attr][$i];
diff --git a/lib/ldap/functions.php3 b/lib/ldap/functions.php3
index 01f568b..60e82f2 100644
--- a/lib/ldap/functions.php3
+++ b/lib/ldap/functions.php3
@@ -67,4 +67,14 @@ function closedb($ds,$config)
 if ($ds) @ldap_close($ds);
 }
+function ldap_xlat($filter,$login,$config)
+{
+ $string = $filter;
+ if ($filter != ''){
+ $string = preg_replace('/%u/',$login,$string);
+ $string = preg_replace('/%U/',$HTTP_SERVER_VARS["PHP_AUTH_USER"],$string);
+ }
+
+ return $string;
+}
 ?>
diff --git a/lib/ldap/user_info.php3 b/lib/ldap/user_info.php3
index e704bc0..33fe3fb 100644
--- a/lib/ldap/user_info.php3
+++ b/lib/ldap/user_info.php3
@@ -30,9 +30,13 @@ if ($config[general_decode_normal_attributes] == 'yes')
 $ds=@ldap_connect("$config[ldap_server]"); // must be a valid ldap server!
 if ($ds) {
 $r=@da_ldap_bind($ds,$config);
+ if ($config[ldap_filter] != '')
+ $filter = ldap_xlat($config[ldap_filter],$login,$config);
+ else
+ $filter = 'uid=' . $login;
 if ($config[ldap_debug] == 'true')
- print "DEBUG(LDAP): Search Query: BASE='$config[ldap_base]',FILTER='uid=$login'
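Review bot: The fallback branch `$filter = 'uid=' . $login;` in lib/ldap/defaults.php3 concatenates `$login` into the search filter without escaping LDAP filter metacharacters, and the same line is added in lib/ldap/user_info.php3. Where `$login` comes from is outside both hunks, but if it is request-derived, a value containing `*`, `(` or `)` changes which entries the search matches; escape it per RFC 2254 (`\`, `*`, `(`, `)`, NUL) before building the filter. The debug line now prints the whole `$filter` into the page, so it should be emitted as `htmlspecialchars($filter)` in both files. The enclosing `if ($regular_profile_attr != '')` block continues past the end of the hunk.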
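Review bot: `ldap_xlat()` reads `$HTTP_SERVER_VARS` without a `global $HTTP_SERVER_VARS;` declaration, and that array is not auto-global inside a function, so `%U` is always replaced with an empty string and the manager-restriction filter documented in conf/admin.conf cannot match the authenticated administrator. Both substitutions also insert their values unescaped, and `preg_replace` interprets backreference sequences in the replacement string, so the values should be filter-escaped and substituted literally in one pass, as below. Where `%U` sits inside a DN, as in the documented example, DN special characters would need escaping as well. The `$config` parameter is unused in the function.

```php
function ldap_xlat($filter,$login,$config)
{
	global $HTTP_SERVER_VARS;

	if ($filter == '')
		return $filter;

	// RFC 2254 filter-value escaping; the backslash must be replaced first
	$from = array('\\', '*', '(', ')', "\0");
	$to = array('\\5c', '\\2a', '\\28', '\\29', '\\00');
	$map = array(
		'%u' => str_replace($from, $to, $login),
		'%U' => str_replace($from, $to, $HTTP_SERVER_VARS["PHP_AUTH_USER"])
	);

	// strtr substitutes in a single pass, so a "%U" inside $login is not expanded again
	return strtr($filter, $map);
}
```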
\n";
- $sr=@ldap_search($ds,"$config[ldap_base]", 'uid=' . $login);
+ print "DEBUG(LDAP): Search Query: BASE='$config[ldap_base]',FILTER='$filter'
\n";
+ $sr=@ldap_search($ds,"$config[ldap_base]", $filter);
 $info = @ldap_get_entries($ds, $sr);
 $dn = $info[0]['dn'];
 if ($dn == '')
-- 
2.39.5