Tickets :: [#12295] Add POSIX group membership handling for LDAP accounts/groups

6.0.0-alpha10

5/14/25

Summary	Add POSIX group membership handling for LDAP accounts/groups
Queue	Horde Framework Packages
Queue Version	Git master
Type	Enhancement
State	Feedback
Priority	2. Medium
Owners
Requester	Joerg.Pulz (at) frm2 (dot) tum (dot) de
Created	06/03/2013 (4363 days ago)
Due
Updated	01/28/2016 (3394 days ago)
Assigned
Resolved
Milestone
Patch	Yes

01/28/2016 04:16:18 PM	Jan Schneider	Comment #6	Reply to this comment
You must not use global configuration vars in a library. And since you get both the memberuid and posixgidnumber attributes from the same LDAP object ($gid), you can fetch them in one run.

06/04/2013 12:58:10 PM	Joerg (dot) Pulz (at) frm2 (dot) tum (dot) de	Comment #5 New Attachment: horde_posix-group_membership-2.diff	Reply to this comment
New patch without $results array.

06/04/2013 12:25:44 PM	Jan Schneider	Comment #4	Reply to this comment
You can still get rid off the $results array.

06/04/2013 11:35:46 AM	Joerg (dot) Pulz (at) frm2 (dot) tum (dot) de	Comment #3 New Attachment: horde_posix-group_membership-1.diff	Reply to this comment
Jan, thanks for the hint. Attached is a fixed patch.

06/04/2013 09:18:54 AM	Jan Schneider	Comment #2 State ⇒ Feedback	Reply to this comment
You can simplify the code and save some if-clauses, if you define $entries as an empty array at the top, and then just merge results into this variable as needed.

06/03/2013 04:16:17 PM	Joerg (dot) Pulz (at) frm2 (dot) tum (dot) de	Comment #1 Priority ⇒ 2. Medium Type ⇒ Enhancement Summary ⇒ Add POSIX group membership handling for LDAP accounts/groups Queue ⇒ Horde Framework Packages Milestone ⇒ Patch ⇒ Yes New Attachment: horde_posix-group_membership.diff State ⇒ New	Reply to this comment
If one is using the LDAP nis.schema to manage POSIX accounts in LDAP the numerical ID of the primary group of the user is normally stored in the gidNumber attribute of the posixAccount. Additional groups are stored in the memberUid attribute of the posixGroup. Vanilla HORDE is unable to retrieve the primary group of the posixAccount, instead only the memberUid attribute of the posixGroup can be evaluated which results in incomplete group member lists. Attached is a patch that adds the necessary bits and pieces to the LDAP group driver to evaluate the primary group of an posixAccount. Result are arrays with merged results of the new primary group and and the default memberUid lookup. NOTE: Only read support as we don't write to LDAP using HORDE. Configuration options are provided for easy setup. Default behavior is unchanged. modified functions: listUsers() - if $this->_params['posix'] is true * get numerical ID ($this->_params['posixgidnumber']) of the group * search LDAP auth basedn ($GLOBALS['conf']['auth']['params']['basedn']) for users with matching group ID * if group has no memberUid attribute return list else return merged and resorted list listGroups() - if $this->_params['posix'] is true * get numerical group ID ($this->_params['posixgidnumber']) of the user with filter ($this->_params['posixfilter']) * get group name ($this->_params['gid']) by numerical group ID * merge and sort results with results from memberUid lookup * return results Added new configuration parameters to conf.xml - posix (Yes/No - true/false) - posixgidnumber (numerical group ID, defaults to LDAP attribute 'gidNumber') - posixfilter (LDAP RFC formatted filtet to match POSIX users, defaults to '(objectclass=posixAccount)')