6.0.0-git
2018-12-16

[#12295] Add POSIX group membership handling for LDAP accounts/groups
Summary Add POSIX group membership handling for LDAP accounts/groups
Queue Horde Framework Packages
Queue Version Git master
Type Enhancement
State Feedback
Priority 2. Medium
Owners
Requester Joerg.Pulz (at) frm2 (dot) tum (dot) de
Created 2013-06-03 (2022 days ago)
Due
Updated 2016-01-28 (1053 days ago)
Assigned
Resolved
Milestone
Patch Yes

History
2016-01-28 16:16:18 Jan Schneider Comment #6
You must not use global configuration vars in a library.
And since you get both the memberuid and posixgidnumber attributes 
from the same LDAP object ($gid), you can fetch them in one run.
2013-06-04 12:58:10 Joerg (dot) Pulz (at) frm2 (dot) tum (dot) de Comment #5
New Attachment: horde_posix-group_membership-2.diff
New patch without $results array.
2013-06-04 12:25:44 Jan Schneider Comment #4
You can still get rid of the $results array.
2013-06-04 11:35:46 Joerg (dot) Pulz (at) frm2 (dot) tum (dot) de Comment #3
New Attachment: horde_posix-group_membership-1.diff
Jan, thanks for the hint.

Attached is a fixed patch.
2013-06-04 09:18:54 Jan Schneider Comment #2
State ⇒ Feedback
You can simplify the code and save some if-clauses, if you define 
$entries as an empty array at the top, and then just merge results 
into this variable as needed.
2013-06-03 16:16:17 Joerg (dot) Pulz (at) frm2 (dot) tum (dot) de Comment #1
Type ⇒ Enhancement
State ⇒ New
Priority ⇒ 2. Medium
Summary ⇒ Add POSIX group membership handling for LDAP accounts/groups
Queue ⇒ Horde Framework Packages
Milestone ⇒
Patch ⇒ Yes
New Attachment: horde_posix-group_membership.diff
If one is using the LDAP nis.schema to manage POSIX accounts in LDAP, 
the numerical ID of the primary group of the user is normally stored 
in the gidNumber attribute of the posixAccount. Additional groups are 
stored in the memberUid attribute of the posixGroup.
Vanilla HORDE is unable to retrieve the primary group of the 
posixAccount, instead only the memberUid attribute of the posixGroup 
can be evaluated which results in incomplete group member lists.

Attached is a patch that adds the necessary bits and pieces to the 
LDAP group driver to evaluate the primary group of a posixAccount. 
Results are arrays with the merged results of the new primary group and 
the default memberUid lookup.

NOTE: Only read support as we don't write to LDAP using HORDE.

Configuration options are provided for easy setup. Default behavior is 
unchanged.

modified functions:
listUsers()
- if $this->_params['posix'] is true
* get numerical ID ($this->_params['posixgidnumber']) of the group
* search LDAP auth basedn 
($GLOBALS['conf']['auth']['params']['basedn']) for users with matching 
group ID
* if group has no memberUid attribute return list else return merged 
and resorted list

listGroups()
- if $this->_params['posix'] is true
* get numerical group ID ($this->_params['posixgidnumber']) of the 
user with filter ($this->_params['posixfilter'])
* get group name ($this->_params['gid']) by numerical group ID
* merge and sort results with results from memberUid lookup
* return results

Added new configuration parameters to conf.xml
- posix (Yes/No - true/false)
- posixgidnumber (numerical group ID, defaults to LDAP attribute 'gidNumber')
- posixfilter (RFC-formatted LDAP filter to match POSIX users, 
defaults to '(objectclass=posixAccount)')

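The lookup logic described in comment #1, written out as an added Python model so the merge can be run and checked; this is not Horde's PHP group driver and not the attached patch. The directory is a constructed in-memory stand-in for an LDAP server using nis.schema, and search() stands in for Horde_Ldap. The option names 'gid', 'uid' and 'memberuid' are assumed driver parameters; 'posix', 'posixgidnumber' and 'posixfilter' are the ones the ticket adds. Two points from the review thread are built in: the group's memberUid and gidNumber values are fetched in one search rather than two, and the search scope is a driver parameter rather than a global. The example also escapes every value interpolated into a filter (RFC 4515), which the patch description does not mention but any driver that builds filters from user- or group-supplied names needs.

```python
"""
Model of the POSIX-aware listUsers()/listGroups() lookups from comment #1.
Added example, not Horde code. Constructed data and a toy search() stand in
for the LDAP server; option names 'gid', 'uid', 'memberuid' are assumed.
"""
import re
from typing import Dict, List

Entry = Dict[str, List[str]]

# Constructed sample directory (not from the ticket or from Horde).
DIRECTORY: List[Entry] = [
    {"objectClass": ["posixGroup"], "cn": ["staff"],
     "gidNumber": ["1000"], "memberUid": ["carol"]},
    {"objectClass": ["posixGroup"], "cn": ["wheel"],
     "gidNumber": ["10"], "memberUid": ["alice"]},
    {"objectClass": ["posixAccount"], "uid": ["alice"], "gidNumber": ["1000"]},
    {"objectClass": ["posixAccount"], "uid": ["bob"], "gidNumber": ["1000"]},
    {"objectClass": ["posixAccount"], "uid": ["carol"], "gidNumber": ["10"]},
]

PARAMS = {
    "gid": "cn",                 # group name attribute (assumed option name)
    "uid": "uid",                # user name attribute (assumed option name)
    "memberuid": "memberUid",    # group member attribute (assumed option name)
    "posix": True,               # the three options the ticket adds to conf.xml
    "posixgidnumber": "gidNumber",
    "posixfilter": "(objectclass=posixAccount)",
}


def ldap_escape(value: str) -> str:
    """RFC 4515 escaping for a value placed inside a filter. Without it a
    name such as 'staff)(gidNumber=*' would change the filter structure."""
    return "".join("\\%02x" % ord(c) if c in "\\*()\x00" else c for c in value)


def ldap_unescape(value: str) -> str:
    return re.sub(r"\\([0-9a-fA-F]{2})", lambda m: chr(int(m.group(1), 16)), value)


def eq(attr: str, value: str) -> str:
    return "(%s=%s)" % (attr, ldap_escape(value))


def and_filter(*parts: str) -> str:
    """AND the parts, flattening nested (&...) so a configured posixfilter
    that is itself a conjunction still parses in this toy evaluator."""
    return "(&" + "".join(p[2:-1] if p.startswith("(&") else p for p in parts) + ")"


_ITEM = re.compile(r"\(([^=()]+)=([^()]*)\)")


def parse_filter(flt: str):
    """Accept only '(a=v)' or '(&(a=v)(b=w)...)'; reject anything else."""
    body = flt[2:-1] if flt.startswith("(&") and flt.endswith(")") else flt
    items = _ITEM.findall(body)
    if not items or "".join("(%s=%s)" % i for i in items) != body:
        raise ValueError("unsupported filter: %r" % flt)
    return [(a.lower(), ldap_unescape(v)) for a, v in items]


def search(entries: List[Entry], flt: str, attributes: List[str]) -> List[Entry]:
    """Stand-in for Horde_Ldap search: exact-match evaluation of the filter,
    returning only the requested attributes (attribute names case-insensitive)."""
    tests = parse_filter(flt)
    hits = []
    for e in entries:
        lower = {k.lower(): v for k, v in e.items()}
        if all(val in lower.get(attr, []) for attr, val in tests):
            hits.append({a: lower.get(a.lower(), []) for a in attributes})
    return hits


def list_users(params: dict, entries: List[Entry], group: str) -> List[str]:
    """memberUid values of `group` plus, with 'posix' on, every account whose
    gidNumber equals the group's. Both group attributes come from one search."""
    groups = search(entries, and_filter("(objectClass=posixGroup)", eq(params["gid"], group)),
                    [params["memberuid"], params["posixgidnumber"]])
    if not groups:
        return []
    users = set(groups[0][params["memberuid"]])
    if params["posix"]:
        for gidnum in groups[0][params["posixgidnumber"]]:
            flt = and_filter(params["posixfilter"], eq(params["posixgidnumber"], gidnum))
            for acct in search(entries, flt, [params["uid"]]):
                users.update(acct[params["uid"]])
    return sorted(users)


def list_groups(params: dict, entries: List[Entry], user: str) -> List[str]:
    """Groups listing `user` in memberUid plus, with 'posix' on, the group
    whose gidNumber is the account's primary gid."""
    groups = set()
    for g in search(entries, and_filter("(objectClass=posixGroup)", eq(params["memberuid"], user)),
                    [params["gid"]]):
        groups.update(g[params["gid"]])
    if params["posix"]:
        for acct in search(entries, and_filter(params["posixfilter"], eq(params["uid"], user)),
                           [params["posixgidnumber"]]):
            for gidnum in acct[params["posixgidnumber"]]:
                flt = and_filter("(objectClass=posixGroup)", eq(params["posixgidnumber"], gidnum))
                for g in search(entries, flt, [params["gid"]]):
                    groups.update(g[params["gid"]])
    return sorted(groups)


if __name__ == "__main__":
    print(list_users(PARAMS, DIRECTORY, "staff"))   # ['alice', 'bob', 'carol']
    print(list_groups(PARAMS, DIRECTORY, "alice"))  # ['staff', 'wheel']
```

With 'posix' off the functions reduce to the plain memberUid lookup the ticket calls vanilla behaviour (staff lists only carol, bob is in no group); with it on, alice and bob appear in staff through their gidNumber and alice's primary group is added to her memberUid-derived wheel membership. The merge is a set union followed by a sort, so a user named in both memberUid and by gidNumber appears once.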