6.0.0-beta1
7/23/25

[#2610] ldap auth driver does not list users
Summary ldap auth driver does not list users
Queue Horde Framework Packages
Queue Version HEAD
Type Enhancement
State Rejected
Priority 1. Low
Owners
Requester s.pamies (at) banality (dot) de
Created 09/16/2005 (7250 days ago)
Due
Updated 02/01/2006 (7112 days ago)
Assigned 12/02/2005 (7173 days ago)
Resolved 02/01/2006 (7112 days ago)
Milestone
Patch No

History
02/01/2006 05:30:02 PM Jan Schneider Comment #9
Type ⇒ Enhancement
State ⇒ Rejected
Priority ⇒ 1. Low
No feedback.
01/12/2006 12:20:57 AM Jan Schneider Comment #8
Any news?
12/03/2005 02:02:19 PM s (dot) pamies (at) banality (dot) de Comment #7
> Are you still going to come up with a patch for this?
Yes - didn't do anything for that one because I didn't get any answer 
to my question if such a patch would be welcome and if it should patch 
horde like mentioned below.

I will look after this after 14th Dec.

12/02/2005 05:07:10 AM Chuck Hagenbuch Comment #6
Taken from Horde Developers
State ⇒ Feedback
Are you still going to come up with a patch for this?
10/21/2005 04:37:58 PM Jan Schneider Assigned to Horde Developers
State ⇒ Assigned
 
09/17/2005 04:29:29 PM s (dot) pamies (at) banality (dot) de Comment #5
> My requirements;
> Users can login with just their userid (firstname_lastname)
I think we have different requirements: We're dealing mostly with 
companies having mail addresses like support@company where two or more 
users are using horde. Actually we have more than 20 support accounts 
and over 130 domains.
> To do this, I elected to use the mail attribute to authenticate
> against, instead of the uid attribute.  But it displays the results I
> want, gives users a shorter userid to type, and only requires a patch
> to login.php.  Seems less convoluted to me.
What about an alternative solution, that should cover both (and 
future, perhaps more weird) use cases? I'm thinking about an additional 
ldap auth property where you can input a second filter string for all 
ldap_search queries other than login. You can make it optional 
('Take the login filter' [default], 'Define another'). Wouldn't be that 
big a change and would cover the current needs.

If you and the horde developers like that idea I can come up with a patch.
09/17/2005 03:34:45 PM kevin_myer (at) iu13 (dot) org Comment #4
I have the exact same situation on my install.  However, I have 
elected to handle it differently than this solution.

My requirements;

Users can login with just their userid (firstname_lastname)

The userid that gets stored must contain their userid and domain 
(firstname_lastname@example.com)

Listing of users should display only the userid portion - the domain 
is not necessary

Index: login.php

===================================================================

RCS file: /repository/horde/login.php,v

retrieving revision 2.184

diff -u -r2.184 login.php

--- login.php   16 Aug 2005 12:42:15 -0000      2.184

+++ login.php   17 Sep 2005 15:26:02 -0000

@@ -79,7 +79,12 @@

      /* Destroy any existing session on login and make sure to use a

       * new session ID, to avoid session fixation issues. */

      Horde::getCleanSession();

-    if ($auth->authenticate(Util::getPost('horde_user'),

+    $username = Util::getPost('horde_user');

+    if (!strstr($username,"@"))

+    {

+      $username .= "@example.com";

+    }

+    if ($auth->authenticate($username,

                              array('password' => 
Util::getPost('horde_pass')))) {

          $entry = sprintf('Login success for %s [%s] to Horde',

                           Auth::getAuth(), $_SERVER['REMOTE_ADDR']);
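
Review bot: The domain appended at $username .= "@example.com"; is a hardcoded literal, while the hook posted with this patch strips strlen($conf['mailer']['params']['localhost'])+1 characters from the user ID; if the two values ever differ, the hook cuts the wrong number of characters. Take the domain here from the same $conf value. The strstr() test also lets any input that already contains "@" reach authenticate() unchanged, including a different domain or a bare trailing "@", so it is worth deciding whether such input should be rejected or normalised. Style: the brace on its own line and the two-space indent do not match the surrounding context lines.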



Then, use the following hook:



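if (!function_exists('_username_hook_tobackend')) {
    /* Strip the trailing "@domain" (domain taken from the mailer
     * config) from the user ID before it is passed to the backend. */
    function _username_hook_tobackend($userID)
    {
        global $conf;
        $suffix = '@' . $conf['mailer']['params']['localhost'];
        /* Only strip when the ID really ends with "@domain". */
        if (substr($userID, -strlen($suffix)) === $suffix) {
            $userID = substr($userID, 0, -strlen($suffix));
        }
        return $userID;
    }
}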



To do this, I elected to use the mail attribute to authenticate 
against, instead of the uid attribute.  But it displays the results I 
want, gives users a shorter userid to type, and only requires a patch 
to login.php.  Seems less convoluted to me.



I probably could clean up that even more and not require a patch at 
all, if I used the preauthenticate hook, but haven't had the time to 
do that.


09/16/2005 07:01:43 PM s (dot) pamies (at) banality (dot) de Comment #3
> This patch doesn't make any sense. Can you please explain *exactly* what
> you're trying to fix?
Ok - let's suppose that your $filter is something like this: 
(&(objectClass=posixAccount)(uid=%u@%d))

In our installation this is needed to correctly resolve usernames at 
login (our login names include the domain -> support@banality.de). But 
when you want to list available users (Configuration->Users), then you 
do not want to have the uid query part, because ldap_search yields no 
result w/o %u and %d replacements and they also make no sense for 
searching.

Resumee:

a) We want that filter string for login

b) We do _not_ want the uid part upon listUsers() operation, so we try 
to recognize such (for search purposes malformed) filter strings in 
listUsers() and extract only the objectClass part.
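
The split between a login filter and a listing filter discussed in comments #3 and #5, as an added example that is not part of the ticket, its attachment or Horde's code. The function names, the 'list_filter' parameter and the (objectClass=*) fallback are assumptions made for illustration; the login side also escapes the substituted values per RFC 4515 so user input cannot change the filter's structure.

```php
<?php
// Added example; function names and the 'list_filter' key are hypothetical.

/** Escape a value for use inside an LDAP search filter (RFC 4515). */
function escape_filter_value(string $value): string
{
    return strtr($value, [
        '\\' => '\5c', '*' => '\2a', '(' => '\28', ')' => '\29', "\0" => '\00',
    ]);
}

/** Login: fill %u and %d with escaped input so it cannot alter the filter. */
function login_filter(string $template, string $user, string $domain): string
{
    return strtr($template, [
        '%u' => escape_filter_value($user),
        '%d' => escape_filter_value($domain),
    ]);
}

/** Listing: explicit list filter if set, else the login filter minus %u/%d clauses. */
function list_filter(array $params): string
{
    if (!empty($params['list_filter'])) {
        return $params['list_filter'];
    }
    $filter = $params['filter'];
    if (!preg_match('/^\(&(.*)\)$/s', $filter, $m)) {
        // Not an AND of clauses: usable as-is only without placeholders.
        return preg_match('/%[ud]/', $filter) ? '(objectClass=*)' : $filter;
    }
    // Split the AND body into its top-level "(...)" clauses by paren depth.
    $clauses = [];
    $depth = $start = 0;
    for ($i = 0, $n = strlen($m[1]); $i < $n; $i++) {
        if ($m[1][$i] === '(' && $depth++ === 0) { $start = $i; }
        if ($m[1][$i] === ')' && --$depth === 0) {
            $clauses[] = substr($m[1], $start, $i - $start + 1);
        }
    }
    $kept = array_values(array_filter($clauses, fn($c) => !preg_match('/%[ud]/', $c)));
    if (count($kept) === 0) { return '(objectClass=*)'; } // assumed fallback
    return count($kept) === 1 ? $kept[0] : '(&' . implode('', $kept) . ')';
}

// Constructed sample: the filter from this ticket and a user name containing '*'.
$params = ['filter' => '(&(objectClass=posixAccount)(uid=%u@%d))'];
echo login_filter($params['filter'], 'support*', 'banality.de'), "\n";
echo list_filter($params), "\n";
```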
09/16/2005 06:43:12 PM Jan Schneider Comment #2
State ⇒ Feedback
This patch doesn't make any sense. Can you please explain *exactly* what 
you're trying to fix?
09/16/2005 05:15:57 PM s (dot) pamies (at) banality (dot) de Comment #1
Priority ⇒ 2. Medium
Type ⇒ Bug
Summary ⇒ ldap auth driver does not list users
Queue ⇒ Horde Framework Packages
New Attachment: ldap.php.patch
State ⇒ Unconfirmed
The ldap auth driver does not list users if you have a custom 
filtering expression like (&(objectClass=posixAccount)(uid=%u@%d)) 
set. Quick fix attached.
