- Added search.filter to allow for custom LDAP search filters

ff5497e9 · David Yang · 3e6647e1 · ff5497e9 · ff5497e9 · ff5497e9
Commit ff5497e9 authored 9 years ago by David Yang
--- a/config-templates/authsources.php
+++ b/config-templates/authsources.php
@@ -303,6 +303,9 @@ $config = array(
        // array of strings, in which case they will be searched in the order given.
        'search.base' => 'ou=people,dc=example,dc=org',

+        // Additional LDAP filters appended to the default search
+        'search.filter' => '(objectclass=inetorgperson)',
+
        // The attribute(s) the username should match against.
        //
        // This is an array with one or more attribute names. Any of the attributes in

--- a/lib/SimpleSAML/Auth/LDAP.php
+++ b/lib/SimpleSAML/Auth/LDAP.php
@@ -202,7 +202,7 @@ class SimpleSAML_Auth_LDAP {
     * @throws SimpleSAML_Error_UserNotFound if:
     * - Zero entries was found
     */
-    private function search($base, $attribute, $value) {
+    private function search($base, $attribute, $value, $searchFilter=NULL) {

        // Create the search filter
        $attribute = self::escape_filter_value($attribute, FALSE);
@@ -213,6 +213,11 @@ class SimpleSAML_Auth_LDAP {
        }
        $filter = '(|' . $filter . ')';

+        // Append LDAP filters if defined
+        if ($searchFilter!=NULL) {
+            $filter = "(&".$filter."".$searchFilter.")";
+        }
+
        // Search using generated filter
        SimpleSAML_Logger::debug('Library - LDAP search(): Searching base \'' . $base . '\' for \'' . $filter . '\'');
        // TODO: Should aliases be dereferenced?
@@ -271,7 +276,7 @@ class SimpleSAML_Auth_LDAP {
     * - $allowZeroHits er TRUE and no result is found
     *
     */
-    public function searchfordn($base, $attribute, $value, $allowZeroHits = FALSE) {
+    public function searchfordn($base, $attribute, $value, $allowZeroHits = FALSE, $searchFilter = NULL) {

        // Traverse all search bases, returning DN if found
        $bases = SimpleSAML\Utils\Arrays::arrayize($base);
@@ -279,7 +284,8 @@ class SimpleSAML_Auth_LDAP {
        foreach ($bases AS $current) {
            try {
                // Single base search
-                $result = $this->search($current, $attribute, $value);
+                $result = $this->search($current, $attribute, $value, $searchFilter);
+
                // We don't hawe to look any futher if user is found
                if (!empty($result)) {
                    return $result;

--- a/modules/ldap/lib/ConfigHelper.php
+++ b/modules/ldap/lib/ConfigHelper.php
@@ -81,6 +81,10 @@ class sspmod_ldap_ConfigHelper {
 	 */
 	private $searchBase;

+	/**
+	 * Additional LDAP filter fields for the search
+	 */
+	private $searchFilter;

 	/**
 	 * The attributes which should match the username.
@@ -149,6 +153,7 @@ class sspmod_ldap_ConfigHelper {
 			}

 			$this->searchBase = $config->getArrayizeString('search.base');
+			$this->searchFilter = $config->getString('search.filter',NULL);
 			$this->searchAttributes = $config->getArray('search.attributes');

 		} else {
@@ -197,7 +202,7 @@ class sspmod_ldap_ConfigHelper {
 				}
 			}

-			$dn = $ldap->searchfordn($this->searchBase, $this->searchAttributes, $username, TRUE);
+			$dn = $ldap->searchfordn($this->searchBase, $this->searchAttributes, $username, TRUE, $this->searchFilter);
 			if ($dn === NULL) {
 				/* User not found with search. */
 				SimpleSAML_Logger::info($this->location . ': Unable to find users DN. username=\'' . $username . '\'');