Merge branch 'master' of https://github.com/grueneedv/simplesamlphp into grueneedv-master

981de790 · Thijs Kinkhorst · c84660c3 · a23c05cb · 981de790 · 981de790
Commit 981de790 authored 8 years ago by Thijs Kinkhorst
--- a/modules/ldap/docs/ldap.md
+++ b/modules/ldap/docs/ldap.md
@@ -462,13 +462,15 @@ a listing of all configuration options and their details.
 		 * that most products have a special query to recursively search
 		 * group membership.
 		 *
-		 * Note: Only ActiveDirectory is currently supported.
+		 * Note: Only ActiveDirectory is currently supported 
+		 * (OpenLDAP is implemented but not supported, see example below).
 		 *
 		 * Default: ''
 		 * Required: No
 		 */
 		'ldap.product' => '',
 		'ldap.product' => 'ActiveDirectory',
+		'ldap.product' => 'OpenLDAP',


 		/**
@@ -559,3 +561,14 @@ required, see the config info above for details.
 		'ldap.basedn' => 'DC=example,DC=org'
 	)

+Example for unsupported OpenLDAP usage. 
+Intention is to filter in 'ou=groups,dc=example,dc=com' for 
+'(memberUid = <UID>)' and take only the attributes 'cn' (=name of the group).
+
+    50 => array(
+        'class' => 'ldap:AttributeAddUsersGroups',
+        'ldap.product' => 'OpenLDAP',
+        'ldap.basedn' => 'ou=groups,dc=example,dc=org',
+        'attribute.member' => 'cn',
+        'attribute.memberof' => 'memberUid',
+    ),
--- a/modules/ldap/lib/Auth/Process/AttributeAddUsersGroups.php
+++ b/modules/ldap/lib/Auth/Process/AttributeAddUsersGroups.php
@@ -113,7 +113,30 @@ class sspmod_ldap_Auth_Process_AttributeAddUsersGroups extends sspmod_ldap_Auth_
 				// Pass to the AD specific search
 				$groups = $this->searchActiveDirectory($attributes[$map['dn']][0]);
 				break;
-
+				
+            case 'OPENLDAP':
+                // Log the OpenLDAP specific search
+                SimpleSAML_Logger::debug(
+                    $this->title . 'Searching LDAP using OpenLDAP specific method.'
+                );
+                // Print group search string and search for all group names
+                $openldap_base = $this->config->getString('ldap.basedn','ou=groups,dc=example,dc=com');
+                SimpleSAML_Logger::debug(
+                    $this->title . "Searching for groups in ldap.basedn ".$openldap_base." with filter (".$map['memberof']."=".$attributes['uid'][0].") and attributes ".$map['member']
+                );
+                $groups = array();
+                try {
+                  // Intention is to filter in 'ou=groups,dc=example,dc=com' for '(memberUid = <UID>)' and take only the attributes 'cn' (=name of the group)
+                  $all_groups = $this->getLdap()->searchformultiple( $openldap_base, array($map['memberof'] => $attributes['uid'][0]) , array($map['member']));
+                } catch (SimpleSAML_Error_UserNotFound $e) {
+                  break; // if no groups found return with empty (still just initialized) groups array
+                }
+                // run through all groups and add each to our groups array
+                foreach ( $all_groups as $group_entry ) {
+                  $groups[] .= $group_entry[$map['member']][0];
+                }
+                break;
+                                
 			default:

 				// Log the general search