[#8847] Groups and attrisdn in non-flat LDAP directory do not work
Summary Groups and attrisdn in non-flat LDAP directory do not work
Queue Horde Framework Packages
Queue Version Git master
Type Bug
State Resolved
Priority 2. Medium
Owners jan@horde.org
Requester Klaus.Steinberger@physik.uni-muenchen.de
Created 2010-02-02 (3816 days ago)
Due
Updated 2011-07-13 (3290 days ago)
Assigned 2011-07-01 (3302 days ago)
Resolved 2011-07-13 (3290 days ago)
Milestone
Patch No

Comments
Klaus.Steinberger@physik.uni-muenchen.de 2010-02-02 12:24:26
In an LDAP directory with a hierarchical structure and full DN names as 
group member entries (like Novell eDirectory) getGroupMemberShip will 
not work.

The culprit is the following code:

             if ($GLOBALS['conf']['group']['params']['attrisdn']) {
                 $filter .= $GLOBALS['conf']['auth']['params']['uid'] . '=';
             }
             $filter .= $user;
             if ($GLOBALS['conf']['group']['params']['attrisdn']) {
                 $filter .= ',' . $GLOBALS['conf']['auth']['params']['basedn'];
             }

The code assumes that a user DN is always flat under the basedn. In a 
hierarchical directory structure with sub-OUs this is not the case, so 
the real user DN must be used here!



Klaus.Steinberger@physik.uni-muenchen.de 2010-02-02 13:14:53
I have now written a patch for this; the code for retrieving the userDN is 
adopted from passwd/config/hooks.php.dist.

But the code opens up a new can of worms. It works, but with a large 
user base (we have over 3000 users), for example, the startup of the 
permission widget for Kronolith calendars takes a long time, as the 
userdn is retrieved for every known user.


falon@csi.it 2010-03-18 08:53:52
This patch is also useful for me.
I hope it can be added to the next Horde release.

I only notice this:
groups over LDAP can work with a separate backend.
These parameters:
$conf['auth']['params']['uid']
$conf['auth']['params']['basedn']
could be undefined.

I manually added them to conf.php, but it would be better to add them to 
the group backend, like:

$conf['group']['params']['uid']


A minor issue: if I log in as administrator, I can only manage groups 
defined in basedn; I can't see groups in a subtree. But all groups 
work as expected, regardless of the subtree where they are.

Klaus.Steinberger@physik.uni-muenchen.de 2010-03-18 11:52:19
Yes, I also notice the problem with the group administration (though I 
don't use it, as I manage them from Novell iManager).  I opened ticket 
8851 regarding this.

Jan Schneider <jan@horde.org> 2011-04-01 09:54:02
See also ticket #9762.

Klaus.Steinberger@physik.uni-muenchen.de 2011-04-15 12:04:35
I have added a patch which should solve attrisdn.

There is one caveat with this patch: as findUserDN runs in the group 
context, it uses the search base for groups. If this is different for 
groups and users, it will not find the DN.

So maybe there should be the DN stored in the cookie?
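
The flat-DN failure reported at the top of this ticket and the search-base caveat in the comment above, as an added example that is not part of the ticket or of Horde's code: it runs against a small constructed in-memory directory instead of a live LDAP server. The functions isUnder, flatUserDn, findUserDn (named after the function mentioned above, but written here) and groupsFor, and all DNs, are assumptions made for the illustration.

```php
<?php
// Constructed sample directory (DN => attributes); every name is made up.
$dir = [
    'cn=alice,ou=physics,ou=people,o=example' => ['cn' => ['alice']],
    'cn=bob,ou=people,o=example' => ['cn' => ['bob']],
    'cn=staff,ou=groups,o=example' => ['member' => ['cn=alice,ou=physics,ou=people,o=example']],
];

// True if $dn is $base or lies below it (subtree scope); simplified lowercase comparison.
function isUnder(string $dn, string $base): bool {
    [$dn, $base] = [strtolower($dn), strtolower($base)];
    return $dn === $base || substr($dn, -strlen($base) - 1) === ',' . $base;
}

// What the quoted code does: glue uid attribute, user name and base DN together.
function flatUserDn(string $user, string $uidAttr, string $baseDn): string {
    return $uidAttr . '=' . $user . ',' . $baseDn;
}

// Stand-in for a subtree search below $searchBase; null unless exactly one entry matches.
function findUserDn(array $dir, string $user, string $uidAttr, string $searchBase): ?string {
    $hits = [];
    foreach ($dir as $dn => $attrs) {
        if (isUnder($dn, $searchBase) && in_array($user, $attrs[$uidAttr] ?? [], true)) {
            $hits[] = $dn;
        }
    }
    return count($hits) === 1 ? $hits[0] : null;
}

// Groups below $groupBase whose member attribute holds $memberDn (none for null).
function groupsFor(array $dir, ?string $memberDn, string $groupBase): array {
    $groups = [];
    foreach ($dir as $dn => $attrs) {
        $members = array_map('strtolower', $attrs['member'] ?? []);
        $hit = $memberDn !== null && in_array(strtolower($memberDn), $members, true);
        if ($hit && isUnder($dn, $groupBase)) {
            $groups[] = $dn;
        }
    }
    return $groups;
}

$people = 'ou=people,o=example';
$groups = 'ou=groups,o=example';
// In order: flat guess, DN found below the user base, DN searched below the group base.
var_dump(groupsFor($dir, flatUserDn('alice', 'cn', $people), $groups));
var_dump(groupsFor($dir, findUserDn($dir, 'alice', 'cn', $people), $groups));
var_dump(groupsFor($dir, findUserDn($dir, 'alice', 'cn', $groups), $groups));
```

Only the second call reports the staff group. An unresolved or ambiguous user ends up with no groups rather than a guessed DN.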




Klaus.Steinberger@physik.uni-muenchen.de 2011-04-15 12:05:31
> I have added a patch which should solve attrisdn.
>
> There is one caveat with this patch: as findUserDN runs in the group 
> context, it uses the search base for groups. If this is different for 
> groups and users, it will not find the DN.
>
> So maybe there should be the DN stored in the cookie?

Sorry, missed the attachment.

Jan Schneider <jan@horde.org> 2011-07-01 10:09:47