
[#8847] Groups and attrisdn in non-flat LDAP directory do not work
Summary Groups and attrisdn in non-flat LDAP directory do not work
Queue Horde Framework Packages
Queue Version Git master
Type Bug
State Resolved
Priority 2. Medium
Owners jan (at) horde (dot) org
Requester Klaus.Steinberger (at) physik (dot) uni-muenchen (dot) de
Created 02/02/2010 (5633 days ago)
Due
Updated 07/13/2011 (5107 days ago)
Assigned 07/01/2011 (5119 days ago)
Resolved 07/13/2011 (5107 days ago)
Github Issue Link
Github Pull Request
Milestone
Patch No

History
07/13/2011 02:21:45 PM Jan Schneider State ⇒ Resolved
Milestone ⇒
 
07/01/2011 10:09:47 AM Jan Schneider Comment #8
Taken from Ben Klang
State ⇒ Feedback
04/15/2011 12:05:31 PM Klaus (dot) Steinberger (at) physik (dot) uni-muenchen (dot) de Comment #7
New Attachment: Ldap.php.diff
Sorry, missed the attachment.
04/15/2011 12:04:35 PM Klaus (dot) Steinberger (at) physik (dot) uni-muenchen (dot) de Comment #6
I have added a patch which should solve attrisdn.

There is one caveat with this patch: as findUserDN runs in the group
context, it uses the search base for groups. If this is different for
groups and users, it will not find the DN.

So maybe there should be the DN stored in the cookie?



04/01/2011 09:54:02 AM Jan Schneider Comment #5
Assigned to Jan Schneider
Taken from ben
Summary ⇒ Groups and attrisdn in non-flat LDAP directory do not work
Milestone ⇒ 4.1
See also ticket #9762.
03/18/2010 11:52:19 AM Klaus (dot) Steinberger (at) physik (dot) uni-muenchen (dot) de Comment #4
Yes, I also notice the problem with the group administration (though I
don't use it, as I manage them from Novell iManager). I opened ticket
8851 regarding this.
03/18/2010 08:53:52 AM falon (at) csi (dot) it Comment #3
This patch is also useful for me.
I hope it can be added to the next Horde release.

I only notice this:
groups over LDAP can work with a separate backend.
These parameters:
$conf['auth']['params']['uid']
$conf['auth']['params']['basedn']
could be undefined.

I manually added them to conf.php, but it's better to add them to the
group backend, like:

$conf['group']['params']['uid']


A minor issue: if I log in as administrator, I can only manage groups
defined in basedn; I can't see groups in the subtree. But all groups
work as expected, regardless of the subtree where they stay.
02/02/2010 04:37:42 PM Chuck Hagenbuch Assigned to Ben Klang
Priority ⇒ 2. Medium
State ⇒ Assigned
Summary ⇒ groups and attrisdn in non Flat LDAP Directory do not work
Assigned to ben
 
02/02/2010 01:14:53 PM Klaus (dot) Steinberger (at) physik (dot) uni-muenchen (dot) de Comment #2
New Attachment: userdn.patch
I have now written a patch for this; the code for retrieving the userDN is
adopted from passwd/config/hooks.php.dist.

But the code opens up a new can of worms. It works, but with a large
user base (we have over 3000 users), for example, the startup of the
permission widget for Kronolith calendars takes a long time, as the
userdn is retrieved for every known user.

02/02/2010 12:24:26 PM Klaus (dot) Steinberger (at) physik (dot) uni-muenchen (dot) de Comment #1
Priority ⇒ 3. High
State ⇒ Unconfirmed
Patch ⇒ No
Milestone ⇒
Summary ⇒ groupS and attrisdn in non Flat LDAP Directory do not work
Type ⇒ Bug
Queue ⇒ Horde Framework Packages
In an LDAP directory with a hierarchical structure and full DN names as
group member entries (like Novell eDirectory), getGroupMemberShip will
not work.

The culprit is the following code:

             if ($GLOBALS['conf']['group']['params']['attrisdn']) {
                 $filter .= $GLOBALS['conf']['auth']['params']['uid'] . '=';
             }
             $filter .= $user;
             if ($GLOBALS['conf']['group']['params']['attrisdn']) {
                 $filter .= ',' . $GLOBALS['conf']['auth']['params']['basedn'];
             }

The code assumes that a user DN is always flat under the basedn. In a
hierarchical directory structure with sub-OUs this is not the case, so
the real user DN must be used here!
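
The lookup this report calls for, as an added example that is not part of the ticket, its attached patches, or Horde's code: resolve the member DN by searching the user base instead of concatenating it, escape the uid before it enters the filter, and cache the result so each user is looked up once (the cost raised in comment #2). The directory contents, the `$searchUsers` stand-in for a real subtree search, and the function names `escapeFilterValue`, `resolveUserDn` and `groupsFor` are all constructed for illustration.

```php
<?php
// Constructed sample directory: users sit in sub-OUs, groups store full member DNs.
$users = [
    'cn=alice,ou=physics,o=example'   => 'alice',
    'cn=bob,ou=it,ou=staff,o=example' => 'bob',
];
$groups = [
    'cn=admins,ou=groups,o=example' => ['cn=bob,ou=it,ou=staff,o=example'],
    'cn=physik,ou=groups,o=example' => ['cn=alice,ou=physics,o=example'],
];

// Escape a value for an LDAP search filter (special characters per RFC 4515).
function escapeFilterValue(string $v): string
{
    return strtr($v, ['\\' => '\5c', '*' => '\2a', '(' => '\28', ')' => '\29', "\0" => '\00']);
}

// Stand-in for a subtree search below the *user* base; returns the matching DNs.
$searchUsers = function (string $base, string $filter) use ($users): array {
    $hits = [];
    foreach ($users as $dn => $uid) {
        $inBase = substr($dn, -strlen($base)) === $base;
        if ($inBase && $filter === '(uid=' . escapeFilterValue($uid) . ')') {
            $hits[] = $dn;
        }
    }
    return $hits;
};

// Hypothetical resolver: one search per uid, result cached for later calls.
function resolveUserDn(callable $search, string $uid, string $userBase): ?string
{
    static $cache = [];
    if (!array_key_exists($uid, $cache)) {
        $hits = $search($userBase, '(uid=' . escapeFilterValue($uid) . ')');
        $cache[$uid] = count($hits) === 1 ? $hits[0] : null; // reject missing or ambiguous matches
    }
    return $cache[$uid];
}

// Exact string match on member DNs; a real implementation would normalize DNs first.
function groupsFor(array $groups, ?string $userDn): array
{
    return array_keys(array_filter($groups, fn ($m) => $userDn !== null && in_array($userDn, $m, true)));
}

$flat = 'uid=bob,o=example'; // DN built the way the quoted code builds it
$real = resolveUserDn($searchUsers, 'bob', 'o=example'); // DN found by searching the user base
var_dump(groupsFor($groups, $flat), groupsFor($groups, $real));
```

Passing the user search base explicitly, rather than reusing the group backend's base, avoids the caveat noted in comment #6.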

