From c3000beb5f6443d9f12ca339dfce3fe7729d00f4 Mon Sep 17 00:00:00 2001
From: Ralf Becker
Date: Wed, 2 Sep 2020 13:56:35 +0200
Subject: [PATCH] * ActiveDirectory: implement addtional user or group filter
---
 api/src/Accounts/Ads.php | 54 ++++++++++++++++++++----------
 api/src/Contacts/Ads.php | 3 ++
 setup/templates/default/config.tpl | 8 +++++
 3 files changed, 48 insertions(+), 17 deletions(-)
diff --git a/api/src/Accounts/Ads.php b/api/src/Accounts/Ads.php
index c67de28e50..f3c5e14c79 100644
--- a/api/src/Accounts/Ads.php
+++ b/api/src/Accounts/Ads.php
@@ -1017,6 +1017,41 @@ class Ads
 return 0;
 }
 
+ /**
+ * Get LDAP filter for user, groups or both
+ *
+ * @param string|null $account_type u = user, g = group, default null = try both
+ * @return string string with LDAP filter
+ */
+ public function type_filter($account_type=null)
+ {
+ switch ($account_type)
+ {
+ default: // user or groups
+ case 'u':
+ $type_filter = '(samaccounttype=' . adLDAP::ADLDAP_NORMAL_ACCOUNT . ')';
+ if (!empty($this->frontend->config['ads_user_filter']))
+ {
+ $type_filter = '(&' . $type_filter . $this->frontend->config['ads_user_filter'] . ')';
+ }
+ if ($account_type === 'u') break;
+ $user_filter = $type_filter;
+ // fall through
+ case 'g':
+ $type_filter = '(|(samaccounttype=' . adLDAP::ADLDAP_SECURITY_GLOBAL_GROUP .
+ ')(samaccounttype=' . adLDAP::ADLDAP_SECURITY_LOCAL_GROUP . '))';
+ if (!empty($this->frontend->config['ads_group_filter']))
+ {
+ $type_filter = '(&' . $type_filter . $this->frontend->config['ads_group_filter'] . ')';
+ }
+ if ($account_type === 'g') break;
+ // user or groups
+ $type_filter = '(|' . $user_filter . $type_filter . ')';
+ break;
+ }
+ return $type_filter;
+ }
+
 /**
 * Query ADS by (optional) filter and (optional) account-type filter
 * 
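Review bot: `$this->frontend->config['ads_user_filter']` and `['ads_group_filter']` are spliced into the search filter verbatim inside the `(&...)` wrapper, so a value that is not a complete parenthesised LDAP filter (a bare `attr=value`, or unbalanced brackets) produces a syntactically invalid filter on every call of `filter()` in the next two hunks, which presumably makes all account lookups fail at runtime instead of being rejected once in setup. A value that is well-formed but broader than intended silently widens which directory objects count as users or groups, so the setting deserves at least a shape check. The docblock should state the contract, e.g. `@note ads_user_filter / ads_group_filter from setup must be complete LDAP filters in parentheses; they are AND-ed with the samaccounttype test unchanged`, and a minimal normalisation before each concatenation, `if ($f[0] !== '(') $f = "($f)";`, would cover the most common mistake. The two `switch` arms repeat the same empty-check-and-wrap sequence; a small private helper taking the config key would remove the duplication.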
@@ -1030,24 +1065,9 @@ class Ads
 */
 protected function filter($attr_filter, $account_type=null, array $attrs=null, array $accounts=array())
 {
- switch($account_type)
- {
- case 'u':
- $type_filter = '(samaccounttype='.adLDAP::ADLDAP_NORMAL_ACCOUNT.')';
- break;
- case 'g':
- $type_filter = '(|(samaccounttype='.adLDAP::ADLDAP_SECURITY_GLOBAL_GROUP.
- ')(samaccounttype='.adLDAP::ADLDAP_SECURITY_LOCAL_GROUP.'))';
- break;
- default:
- $type_filter = '(|(samaccounttype='.adLDAP::ADLDAP_NORMAL_ACCOUNT.
- ')(samaccounttype='.adLDAP::ADLDAP_SECURITY_GLOBAL_GROUP.
- ')(samaccounttype='.adLDAP::ADLDAP_SECURITY_LOCAL_GROUP.'))';
- break;
- }
 if (!$attr_filter)
 {
- $filter = $type_filter;
+ $filter = $this->type_filter($account_type);
 }
 else
 {
@@ -1063,7 +1083,7 @@ class Ads
 $filter .= '('.$attr.'='.$this->adldap->utilities()->ldapSlashes($value).')';
 }
 }
- $filter .= $type_filter.')';
+ $filter .= $this->type_filter($account_type).')';
 }
 $sri = ldap_search($ds=$this->ldap_connection(), $context=$this->ads_context(), $filter, $attrs ? $attrs : self::$default_attributes);
diff --git a/api/src/Contacts/Ads.php b/api/src/Contacts/Ads.php
index 3b2e367346..811e28cf24 100644
--- a/api/src/Contacts/Ads.php
+++ b/api/src/Contacts/Ads.php
@@ -102,6 +102,9 @@ class Ads extends Ldap
 //$this->sharedContactsDN = 'ou=shared,ou=contacts,'. $this->ldap_config['ldap_contact_context'];
 $this->allContactsDN = $this->accountContactsDN = $this->accounts_ads->ads_context();
 
+ // get filter for accounts (incl. additional filter from setup)
+ $this->accountsFilter = $this->accounts_ads->type_filter('u');
+
 if ($ds)
 {
 $this->ds = $ds;
diff --git a/setup/templates/default/config.tpl b/setup/templates/default/config.tpl
index bd68e5d0f1..e31e0d55c4 100644
--- a/setup/templates/default/config.tpl
+++ b/setup/templates/default/config.tpl
@@ -411,6 +411,14 @@
+ + {lang_Additional_user_filter_(optional)}: + + + + {lang_Additional_group_filter_(optional)}: + + {lang_Attributes_for_new_users}
{lang_use_%u_for_username,_leave_empty_to_no_set}