[#12295] Add POSIX group membership handling for LDAP accounts/groups
Summary Add POSIX group membership handling for LDAP accounts/groups
Queue Horde Framework Packages
Queue Version Git master
Type Enhancement
State Feedback
Priority 2. Medium
Requester Joerg.Pulz@frm2.tum.de
Created 2013-06-03 (3039 days ago)
Updated 2016-01-28 (2070 days ago)
Patch Yes

Joerg.Pulz@frm2.tum.de 2013-06-03 16:16:17
If one is using the LDAP nis.schema to manage POSIX accounts in LDAP 
the numerical ID of the primary group of the user is normally stored 
in the gidNumber attribute of the posixAccount. Additional groups are 
stored in the memberUid attribute of the posixGroup.
Vanilla HORDE is unable to retrieve the primary group of the 
posixAccount, instead only the memberUid attribute of the posixGroup 
can be evaluated which results in incomplete group member lists.

Attached is a patch that adds the necessary bits and pieces to the 
LDAP group driver to evaluate the primary group of a posixAccount. 
Results are arrays with merged results of the new primary group and 
the default memberUid lookup.

NOTE: Only read support as we don't write to LDAP using HORDE.

Configuration options are provided for easy setup. Default behavior is 

modified functions:
- if $this->_params['posix'] is true
  * get numerical ID ($this->_params['posixgidnumber']) of the group
  * search LDAP auth basedn ($GLOBALS['conf']['auth']['params']['basedn']) for users with matching group ID
  * if group has no memberUid attribute return list else return merged and resorted list

- if $this->_params['posix'] is true
  * get numerical group ID ($this->_params['posixgidnumber']) of the user with filter ($this->_params['posixfilter'])
  * get group name ($this->_params['gid']) by numerical group ID
  * merge and sort results with results from memberUid lookup
  * return results

Added new configuration parameters to conf.xml
- posix (Yes/No - true/false)
- posixgidnumber (numerical group ID, defaults to LDAP attribute 'gidNumber')
- posixfilter (LDAP RFC formatted filter to match POSIX users, 
defaults to '(objectclass=posixAccount)')
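
The two lookups described above (users of a group, groups of a user), as an added illustration that is not the attached patch and not Horde's LDAP group driver. It runs against an in-memory stand-in for the directory instead of a real LDAP server, supports only the single-equality filter form, and takes both base DNs as constructor parameters (the `userbasedn` name is an assumption chosen for the example) rather than reading `$GLOBALS['conf']`. Parameter names `posix`, `posixgidnumber`, `posixfilter`, `gid` and `uid` follow the ticket; the sample entries are constructed.

```php
<?php
// Constructed sample directory. Attribute keys are lower-cased, as
// ldap_get_entries() returns them; names follow nis.schema.
$directory = [
    'cn=admins,ou=groups,dc=example,dc=org' => ['objectclass' => ['posixGroup'],   'cn'  => ['admins'], 'gidnumber' => ['1000'], 'memberuid' => ['carol']],
    'cn=staff,ou=groups,dc=example,dc=org'  => ['objectclass' => ['posixGroup'],   'cn'  => ['staff'],  'gidnumber' => ['2000']], // no memberUid at all
    'uid=alice,ou=people,dc=example,dc=org' => ['objectclass' => ['posixAccount'], 'uid' => ['alice'],  'gidnumber' => ['1000']],
    'uid=bob,ou=people,dc=example,dc=org'   => ['objectclass' => ['posixAccount'], 'uid' => ['bob'],    'gidnumber' => ['2000']],
    'uid=carol,ou=people,dc=example,dc=org' => ['objectclass' => ['posixAccount'], 'uid' => ['carol'],  'gidnumber' => ['2000']],
];

class PosixGroupLookup
{
    private array $dir;
    private array $params;

    public function __construct(array $directory, array $params)
    {
        $this->dir = $directory;
        // Defaults mirror the conf.xml parameters proposed in the ticket.
        $this->params = $params + [
            'posix'          => true,
            'posixgidnumber' => 'gidnumber',
            'posixfilter'    => '(objectclass=posixAccount)',
            'gid'            => 'cn',
            'uid'            => 'uid',
        ];
    }

    /** Stand-in for an LDAP subtree search; only "(attr=value)" filters are understood. */
    private function search(string $basedn, string $filter): array
    {
        if (!preg_match('/^\(([a-z]+)=([^)]+)\)$/i', $filter, $m)) {
            throw new InvalidArgumentException("Unsupported filter: $filter");
        }
        [, $attr, $value] = $m;
        $attr = strtolower($attr);
        $hits = [];
        foreach ($this->dir as $dn => $entry) {
            if (substr($dn, -strlen($basedn)) === $basedn
                && isset($entry[$attr])
                && in_array($value, $entry[$attr], true)) {
                $hits[$dn] = $entry;
            }
        }
        return $hits;
    }

    /** Users of a group: memberUid values merged with accounts whose gidNumber is the group's. */
    public function listUsers(string $groupDn): array
    {
        $group   = $this->dir[$groupDn];
        $entries = $group['memberuid'] ?? [];   // start empty, merge into it (reviewer's suggestion)
        if ($this->params['posix']) {
            $gidnumber = $group[$this->params['posixgidnumber']][0];
            foreach ($this->search($this->params['userbasedn'], $this->params['posixfilter']) as $user) {
                if ($user[$this->params['posixgidnumber']][0] === $gidnumber) {
                    $entries[] = $user[$this->params['uid']][0];
                }
            }
        }
        $entries = array_values(array_unique($entries));
        sort($entries);
        return $entries;
    }

    /** Groups of a user: memberUid hits merged with the group named by the account's gidNumber. */
    public function listGroups(string $uid): array
    {
        $entries = [];
        $groups  = $this->search($this->params['basedn'], '(objectclass=posixGroup)');
        foreach ($groups as $group) {
            if (in_array($uid, $group['memberuid'] ?? [], true)) {
                $entries[] = $group[$this->params['gid']][0];
            }
        }
        if ($this->params['posix']) {
            foreach ($this->search($this->params['userbasedn'], $this->params['posixfilter']) as $user) {
                if ($user[$this->params['uid']][0] !== $uid) {
                    continue;
                }
                $gidnumber = $user[$this->params['posixgidnumber']][0];
                foreach ($groups as $group) {
                    if ($group[$this->params['posixgidnumber']][0] === $gidnumber) {
                        $entries[] = $group[$this->params['gid']][0];
                    }
                }
            }
        }
        $entries = array_values(array_unique($entries));
        sort($entries);
        return $entries;
    }
}

$lookup = new PosixGroupLookup($directory, [
    'basedn'     => 'ou=groups,dc=example,dc=org',
    'userbasedn' => 'ou=people,dc=example,dc=org',
]);
var_export($lookup->listUsers('cn=admins,ou=groups,dc=example,dc=org')); // alice (primary) + carol (memberUid)
var_export($lookup->listUsers('cn=staff,ou=groups,dc=example,dc=org'));  // bob, carol: members only via gidNumber
var_export($lookup->listGroups('carol'));                                // admins (memberUid) + staff (primary)
```

With `posix` set to false the class degrades to the plain memberUid behaviour the ticket calls "vanilla", so the `staff` group, which has no memberUid attribute, reports no members; that is exactly the incomplete list the enhancement is meant to fix. Passing the user base DN in explicitly is what keeps the library free of the global configuration dependency raised later in the thread.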

Jan Schneider <jan@horde.org> 2013-06-04 09:18:54
You can simplify the code and save some if-clauses, if you define 
$entries as an empty array at the top, and then just merge results 
into this variable as needed.

Joerg.Pulz@frm2.tum.de 2013-06-04 11:35:46
Jan, thanks for the hint.

Attached is a fixed patch.

Jan Schneider <jan@horde.org> 2013-06-04 12:25:44
You can still get rid of the $results array.

Joerg.Pulz@frm2.tum.de 2013-06-04 12:58:10
New patch without $results array.

Jan Schneider <jan@horde.org> 2016-01-28 16:16:18
You must not use global configuration vars in a library.
And since you get both the memberuid and posixgidnumber attributes 
from the same LDAP object ($gid), you can fetch them in one run.