diff --git a/modules/ldap/docs/ldap.txt b/modules/ldap/docs/ldap.txt
index c19141e14c53c8e99caa346394081f5b56dbdc90..f24dc8b58e476475178f5efc719cb555aff8a949 100644
--- a/modules/ldap/docs/ldap.txt
+++ b/modules/ldap/docs/ldap.txt
@@ -249,6 +249,24 @@ specific configuration options:
*/
'attributes' => array('mail', 'jpegPhoto' => 'jpegphoto'),
+ /**
+ * The attribute policy that defines what to do with attributes that are
+ * already part of the attributes of the user. Can be one of:
+ *
+ * - add: blindly add the values. If the attribute already exists and has
+ * the same value, the result of the filter will be two equal values.
+ *
+ * - merge: carefully merge the values. If a value is already part of
+ * the attribute, do not add a duplicate.
+ *
+ * - replace: if the attribute is present before running the filter,
+ * replace its values with the ones obtained at this point.
+ *
+ * Default: merge
+ * Required: No
+ */
+ 'attribute.policy' => 'merge',
+
/**
* The search filter to find the user in LDAP.
*
diff --git a/modules/ldap/lib/Auth/Process/AttributeAddFromLDAP.php b/modules/ldap/lib/Auth/Process/AttributeAddFromLDAP.php
index 4f0b412d4e647662db8cb9766f3b040e25bc44bf..4a311b86f0ea8d28d620c1a29efc002ab14b0364 100644
--- a/modules/ldap/lib/Auth/Process/AttributeAddFromLDAP.php
+++ b/modules/ldap/lib/Auth/Process/AttributeAddFromLDAP.php
@@ -48,6 +48,13 @@ class sspmod_ldap_Auth_Process_AttributeAddFromLDAP extends sspmod_ldap_Auth_Pro
protected $search_filter;
+ /**
+ * What to do with attributes when the target already exists. Either replace, merge or add.
+ *
+ * @var string
+ */
+ protected $attr_policy;
+
/**
* Initialize this filter.
*
@@ -114,6 +121,9 @@ class sspmod_ldap_Auth_Process_AttributeAddFromLDAP extends sspmod_ldap_Auth_Pro
$this->search_attributes[$new_attribute] = $this->config->getString('search.attribute');
}
$this->search_filter = $this->config->getString('search.filter');
+
+ // get the attribute policy
+ $this->attr_policy = $this->config->getString('attribute.policy', 'merge');
}
@@ -145,11 +155,17 @@ class sspmod_ldap_Auth_Process_AttributeAddFromLDAP extends sspmod_ldap_Auth_Pro
$filter = str_replace($arrSearch, $arrReplace, $this->search_filter);
if (strpos($filter, '%') !== FALSE) {
- SimpleSAML_Logger::info('There are non-existing attributes in the search filter. ('.
+ SimpleSAML_Logger::info('AttributeAddFromLDAP: There are non-existing attributes in the search filter. ('.
$this->search_filter.')');
return;
}
+ if (!in_array($this->attr_policy, array('merge', 'replace', 'add'))) {
+ SimpleSAML_Logger::warning("AttributeAddFromLDAP: 'attribute.policy' must be one of 'merge',".
+ "'replace' or 'add'.");
+ return;
+ }
+
// search for matching entries
try {
$entries = $this->getLdap()->searchformultiple($this->base_dn, $filter,
@@ -164,11 +180,23 @@ class sspmod_ldap_Auth_Process_AttributeAddFromLDAP extends sspmod_ldap_Auth_Pro
if (is_numeric($target)) {
$target = $name;
}
+
+ if (isset($attributes[$target]) && $this->attr_policy === 'replace') {
+ unset($attributes[$target]);
+ }
$name = strtolower($name);
if (isset($entry[$name])) {
unset($entry[$name]['count']);
if (isset($attributes[$target])) {
- $attributes[$target] = array_merge($attributes[$target], array_values($entry[$name]));
+ foreach(array_values($entry[$name]) as $value) {
+ if ($this->attr_policy === 'merge') {
+ if (!in_array($value, $attributes[$target])) {
+ $attributes[$target][] = $value;
+ }
+ } else {
+ $attributes[$target][] = $value;
+ }
+ }
} else {
$attributes[$target] = array_values($entry[$name]);
}