6.0.0-git
2019-05-19

[#8847] Groups and attrisdn in non-flat LDAP directory do not work
Summary Groups and attrisdn in non-flat LDAP directory do not work
Queue Horde Framework Packages
Queue Version Git master
Type Bug
State Resolved
Priority 2. Medium
Owners jan (at) horde (dot) org
Requester Klaus.Steinberger (at) physik (dot) uni-muenchen (dot) de
Created 2010-02-02 (3393 days ago)
Due
Updated 2011-07-13 (2867 days ago)
Assigned 2011-07-01 (2879 days ago)
Resolved 2011-07-13 (2867 days ago)
Milestone
Patch No

History
2011-07-13 14:21:45 Jan Schneider State ⇒ Resolved
Milestone ⇒
 
2011-07-01 10:09:47 Jan Schneider Comment #8
Taken from Ben Klang
State ⇒ Feedback
2011-04-15 12:05:31 Klaus (dot) Steinberger (at) physik (dot) uni-muenchen (dot) de Comment #7
New Attachment: Ldap.php.diff
I have added a patch which should solve attrisdn.

There is one caveat with this patch, as findUserDN runs in the group 
context it uses the search base for groups. If this is different for 
groups and users it will not find the dn.

So maybe there should be the DN stored in the cookie?
Sorry, missed the attachment.
2011-04-15 12:04:35 Klaus (dot) Steinberger (at) physik (dot) uni-muenchen (dot) de Comment #6
I have added a patch which should solve attrisdn.

There is one caveat with this patch, as findUserDN runs in the group 
context it uses the search base for groups. If this is different for 
groups and users it will not find the dn.

So maybe there should be the DN stored in the cookie?



2011-04-01 09:54:02 Jan Schneider Comment #5
Assigned to Jan Schneider
Taken from ben
Summary ⇒ Groups and attrisdn in non-flat LDAP directory do not work
Milestone ⇒ 4.1
See also ticket #9762.
2010-03-18 11:52:19 Klaus (dot) Steinberger (at) physik (dot) uni-muenchen (dot) de Comment #4
Yes, I notice also the problem with the group administration (though I 
don't use it, as I manage them from Novell iManager). I opened ticket 
8851 regarding this.
2010-03-18 08:53:52 falon (at) csi (dot) it Comment #3
This patch is useful also for me.
I hope it can be added to next horde release.

I only notice this:
groups over LDAP can work with separate backend.
These parameters:
$conf['auth']['params']['uid']
$conf['auth']['params']['basedn']
could be undefined.

I manually added them to conf.php, but it's better adding them to 
group backend, like:

$conf['group']['params']['uid']


A minor issue: if I log in as administrator, I can only manage groups 
defined into basedn, I can't see groups in subtree. But all groups 
work as expected, regardless of subtree where they stay.
2010-02-02 16:37:42 Chuck Hagenbuch Assigned to ben
Assigned to Ben Klang
Summary ⇒ groups and attrisdn in non Flat LDAP Directory do not work
State ⇒ Assigned
Priority ⇒ 2. Medium
 
2010-02-02 13:14:53 Klaus (dot) Steinberger (at) physik (dot) uni-muenchen (dot) de Comment #2
New Attachment: userdn.patch
I wrote now a patch for this, the code for retrieving the userDN is 
adopted from passwd/config/hooks.php.dist.

But the code opens up a new can of worms. It works, but with a large 
user base (we have over 3000 users) for example the startup of the 
permission widget for kronolith calendars takes a long time, as the 
userdn is retrieved for every known user.

2010-02-02 12:24:26 Klaus (dot) Steinberger (at) physik (dot) uni-muenchen (dot) de Comment #1
Type ⇒ Bug
State ⇒ Unconfirmed
Priority ⇒ 3. High
Summary ⇒ groupS and attrisdn in non Flat LDAP Directory do not work
Queue ⇒ Horde Framework Packages
Milestone ⇒
Patch ⇒ No
In an LDAP Directory with a hierarchical structure and full DN names as 
group member entries (like Novell eDirectory) getGroupMemberShip will 
not work.

The culprit is the following code:

             if ($GLOBALS['conf']['group']['params']['attrisdn']) {
                 $filter .= $GLOBALS['conf']['auth']['params']['uid'] . '=';
             }
             $filter .= $user;
             if ($GLOBALS['conf']['group']['params']['attrisdn']) {
                 $filter .= ',' . $GLOBALS['conf']['auth']['params']['basedn'];
             }

The code assumes that a user DN is always flat under the basedn. In a 
hierarchical directory structure with sub-OUs this is not the case, so 
the real user DN must be used here!
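
An added example (not from the ticket, the attached patches, or Horde's own code) of the approach the report argues for: look up the user's real DN under the user search base, cache the result, and build the group filter from that DN instead of uid + basedn. The directory contents, the `$searchUsers` stand-in for an LDAP subtree search, and all function names are assumptions made for illustration.

```php
<?php
// Constructed sample directory (hierarchical, eDirectory-style): DN => uid.
$directory = [
    'cn=alice,ou=physics,ou=people,o=example' => 'alice',
    'cn=bob,ou=staff,ou=people,o=example'     => 'bob',
];

// Hypothetical stand-in for a subtree search (scope "sub") rooted at the
// *user* base DN, not the group base; returns every DN whose uid matches.
$searchUsers = function (string $uid) use ($directory): array {
    return array_keys($directory, $uid, true);
};

// Escape an assertion value for use inside a search filter (RFC 4515).
// The backslash is replaced first so later escapes are not re-escaped.
function escapeFilterValue(string $value): string
{
    return str_replace(
        ['\\', '*', '(', ')', "\0"],
        ['\\5c', '\\2a', '\\28', '\\29', '\\00'],
        $value
    );
}

// Resolve the real DN once per user and cache it, so a view that lists
// thousands of users does not repeat the directory lookup for each one.
function findUserDn(string $uid, callable $search, array &$cache): ?string
{
    if (!array_key_exists($uid, $cache)) {
        $hits = $search($uid);
        // Zero or several matches: refuse rather than guess a DN.
        $cache[$uid] = count($hits) === 1 ? $hits[0] : null;
    }
    return $cache[$uid];
}

// Build the membership filter from the resolved DN.
function membershipFilter(string $uid, string $attr, callable $search, array &$cache): ?string
{
    $dn = findUserDn($uid, $search, $cache);
    return $dn === null ? null : '(' . $attr . '=' . escapeFilterValue($dn) . ')';
}

$cache = [];
echo membershipFilter('alice', 'member', $searchUsers, $cache), "\n";
var_dump(membershipFilter('nobody', 'member', $searchUsers, $cache));
```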

