LDAP Patch and setup for non groupofuniquenames


Some Guy

Tuesday 07 August 2007 8:34:51 pm

Hey,
I am very new to eZ Publish, and so far the first modification I've made is to allow for my LDAP setup.

Basically my LDAP setup has all my users in
ou=Users,dc=domain,dc=com
and then I have
ou=Groups,dc=domain,dc=com
where I have some groups that are just set up like
group cn=website_admins
memberUid=me
memberUid=other_me
etc.

So I wanted to use the SimpleMapping configuration so I can just say: here are my users, and I want these groups to be put into this eZ Publish group.
I also wanted to ONLY allow those who have an LDAP group mapped to an eZ Publish group to be able to log in, i.e.
LDAPUserGroupMap[only_this_ldap_group]=login_to_this_ez_publish_group
where if a user in LDAP didn't have a map they would fail login rather than go to the guest group.

The first problem I had was that SimpleMapping required groupOfUniqueNames; then I couldn't restrict logins to certain groups.
These two are easy to fix: default login to a no-privilege group, and setting up groupOfUniqueNames in LDAP is easy.

But my third, bigger problem was: when a user is a member of multiple groups, how does it decide which group to put them in? Well, eZ Publish puts them in the first matching group going by alphabetical order of LDAP groups,
i.e.
map[bb_ldap]=admin
map[aa_ldap]=normal
where a user in both LDAP groups would always be mapped to normal.

So I have written a patch to accommodate my setup:

--- ezorig/kernel/classes/datatypes/ezuser/ezldapuser.php	2007-08-07 16:10:09.204831648 +1000
+++ ezdev/kernel/classes/datatypes/ezuser/ezldapuser.php	2007-08-07 17:34:04.639329248 +1000
@@ -184,6 +184,7 @@
 
             $LDAPUserGroupAttributeType = $LDAPIni->variable( 'LDAPSettings', 'LDAPUserGroupAttributeType' );
             $LDAPUserGroupAttribute     = $LDAPIni->variable( 'LDAPSettings', 'LDAPUserGroupAttribute' );
+            $LDAPGroupMemberAttributeMatch = $LDAPIni->variable( 'LDAPSettings', 'LDAPGroupMemberAttributeMatch' );
 
             if ( $LDAPIni->hasVariable( 'LDAPSettings', 'Utf8Encoding' ) )
             {
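Review bot: the new read `$LDAPGroupMemberAttributeMatch = $LDAPIni->variable( 'LDAPSettings', 'LDAPGroupMemberAttributeMatch' );` is unconditional, yet the ldap.ini part of this patch ships the setting commented out, so every install that keeps the default has no such variable in its ini; guard it the way the Utf8Encoding read two lines below does, with `$LDAPIni->hasVariable( 'LDAPSettings', 'LDAPGroupMemberAttributeMatch' )` and a false fallback, so the later `if ( $LDAPGroupMemberAttributeMatch )` checks always see a defined value.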
@@ -255,6 +256,8 @@
                                              $LDAPEmailAttribute );
                 if ( $LDAPUserGroupAttributeType )
                     $retrieveAttributes[] = $LDAPUserGroupAttribute;
+		if ( $LDAPGroupMemberAttributeMatch )
+		    $retrieveAttributes[] = $LDAPGroupMemberAttributeMatch;
 
                 if ( $LDAPSearchScope == "one" )
                     $sr = ldap_list( $ds, $LDAPBaseDN, $LDAPFilter, $retrieveAttributes );
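Review bot: the two added lines are indented with tabs while the surrounding block uses spaces (the same applies to every added line in this file); reindent with spaces so the patch matches the project's style. Functionally the addition is right: requesting the match attribute here is what makes `$userData[$LDAPGroupMemberAttributeMatch]` available when the group filter is built later.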
@@ -380,6 +383,10 @@
                             }
                         }
                     }
+		    else if ( $LDAPUserGroupType == 'map' )
+		    {
+			$defaultUserPlacement = false;
+		    }
                 }
 
                 $adminUser = eZUser::fetchByName( 'admin' );
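Review bot: `$defaultUserPlacement = false` for the new 'map' value becomes the login-denial sentinel that is checked with `===` near the end of the function, so every code path that finds a mapped group must assign a non-false placement before that check, or every 'map' login fails; that assignment is outside this diff, so please confirm that the SimpleMapping branch sets `$defaultUserPlacement` from the first matched group, and add a comment here saying that false means "deny unless a mapped group is found".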
@@ -418,6 +425,8 @@
                     $LDAPGroupMemberAttribute = $LDAPIni->variable( 'LDAPSettings', 'LDAPGroupMemberAttribute' );
                     $LDAPGroupDescriptionAttribute = $LDAPIni->variable( 'LDAPSettings', 'LDAPGroupDescriptionAttribute' );
 
+		    $KeepGroupMapOrder = $LDAPIni->variable( 'LDAPSettings', 'KeepGroupMapOrder' );
+
                     $groupSearchingDepth = ( $LDAPGroupMappingType == '1' ) ? 1 : 1000;
 
                     // now, get all parents for currently ldap authenticated user
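Review bot: `KeepGroupMapOrder` is read with `variable()` and no `hasVariable()` guard, so existing installs whose ldap.ini predates this patch will log a missing-setting error on every LDAP login; use `hasVariable()` with 'disabled' as the fallback. Also initialise `$KeepGroupMapOrderArray = array();` here: it is only populated inside the group loop, and relying on `isset()` against an undefined variable later on is fragile.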
@@ -433,7 +442,22 @@
 
                     $groupsTree = array();
                     $stack = array();
-                    $newfilter = '(&(objectClass=' . $LDAPGroupClass . ')(' . $LDAPGroupMemberAttribute . '=' . $userData['dn'] . '))';
+
+		    if ( $LDAPGroupMemberAttributeMatch )
+		    {
+		    	//ldap_search returns all lowercase attribute names :\
+		    	$LDAPGroupMemberAttributeMatch = strtolower($LDAPGroupMemberAttributeMatch);
+
+			if ( isset($userData[$LDAPGroupMemberAttributeMatch][0]) )
+				$memberAttribute = $userData[$LDAPGroupMemberAttributeMatch][0];
+			else
+				return false;
+		    }
+		    else
+		    {
+			$memberAttribute = $userData['dn'];
+		    }
+                    $newfilter = '(&(objectClass=' . $LDAPGroupClass . ')(' . $LDAPGroupMemberAttribute . '=' . $memberAttribute . '))';
 
                     $groupsTree[ $userData['dn'] ] = array( 'data' => & $userData,
                                                                 'parents' => array(),
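Review bot: `$memberAttribute` is concatenated straight into the LDAP search filter, and with LDAPGroupMemberAttributeMatch set it is now an attribute value read back from the user's entry (uid in the example) rather than the DN the original line used; any `*`, `(`, `)` or `\` in that value changes the meaning of the filter, so escape it per RFC 4515 (`\2a`, `\28`, `\29`, `\5c`) before building `$newfilter`. The early `return false` when the attribute is absent gives the right outcome (no match value, no group lookup, no login), but it deserves a comment and a debug log line so an admin can tell a misconfigured LDAPGroupMemberAttributeMatch apart from a genuinely unmapped user.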
@@ -472,6 +496,8 @@
                                         if ( count( $groupRow ) > 0 )
                                         {
                                             $userRecord['new_parents'][] = $groupRow[ 0 ][ 'node_id' ];
+					    if ( $KeepGroupMapOrder == 'enabled' )
+					    	$KeepGroupMapOrderArray[$ldapGroupName] = $groupRow[0]['node_id'];
                                         }
                                     }
                                 }
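Review bot: `$KeepGroupMapOrderArray[$ldapGroupName]` is keyed by the group name as returned by the directory, and it is later looked up with the keys of `$LDAPUserGroupMap` as typed in ldap.ini; PHP array keys are case-sensitive while LDAP cn matching is not, so a case difference between the ini key and the directory value silently drops that group from the ordering and the user falls back to the old first-found placement. Normalise both sides (for example with strtolower) or state in the ini comment that the keys must match the cn exactly.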
@@ -566,6 +592,24 @@
                     }
                 }
 
+		if ( $defaultUserPlacement === false )
+		{
+			//no default group, no login 4 u
+			return false;
+		}
+
+		if ( $KeepGroupMapOrder == 'enabled' && count($extraNodeAssignments) > 1 )
+		{
+			foreach($LDAPUserGroupMap as $group => $map)
+			{
+				if ( isset($KeepGroupMapOrderArray[$group]) )
+				{
+					$defaultUserPlacement = $KeepGroupMapOrderArray[$group];
+					break;
+				}
+			}
+		}
+
                 $userAttributes = array( 'login'      => $login,
                                          'first_name' => $userData[ $LDAPFirstNameAttribute ][0],
                                          'last_name'  => $userData[ $LDAPLastNameAttribute ][0],
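Review bot: the `$defaultUserPlacement === false` check correctly refuses the login before any user record is written, but the comment `//no default group, no login 4 u` should state the condition it encodes (LDAPUserGroupType=map and none of the user's LDAP groups is mapped). In the reorder block, `count($extraNodeAssignments) > 1` assumes that variable is always an array on this path, and once `$defaultUserPlacement` is replaced by the higher-precedence group's node id, the group that was chosen originally is still among the assignments collected above, so confirm the user does not end up placed in both, or drop the old placement from the list when overriding.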
--- ezorig/settings/ldap.ini	2007-08-07 16:17:12.386498256 +1000
+++ ezdev/settings/ldap.ini	2007-08-08 13:12:57.549292472 +1000
@@ -26,7 +26,9 @@
 LDAPSearchFilters[]
 # LDAP attribute for login. Normally, uid
 LDAPLoginAttribute=uid
-# Could be id or name
+# Options: id, name, map
+# When using map no defualt group will be selected
+# if a user doesnt have any ldap groups mapped for them, they cant login
 LDAPUserGroupType=id
 # Default place to store LDAP users. Could be content object id or group name for LDAP user group,
 # depends on LDAPUserGroupType.
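Review bot: the added comment has typos ('defualt', 'doesnt') and should also say that 'map' only makes sense together with a configured group mapping (LDAPGroupMappingType=SimpleMapping in the accompanying example), since with no group mapping in place nothing can ever set a placement and every login would be refused.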
@@ -46,6 +48,10 @@
 # Attribute of LDAP user which should be used to obtain groups which user(group) belongs to.
 # Required then 'LDAPGroupMappingType' is set to 'GetGroupsTree' or 'SimpleMapping'
 LDAPGroupMemberAttribute=member
+# Attribute that LDAPGroupMemberAttribute matches against
+# comment out this line to use defualt which is the fully qualifed user dn
+# examples: uid
+#LDAPGroupMemberAttributeMatch=
 # Attribute which contain description of LDAP group, optional
 LDAPGroupDescriptionAttribute=
 # Group names map (from LDAP to ezpublish user-groups),
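Review bot: typos in the added comment ('defualt', 'qualifed'); more importantly, the setting is shipped commented out, which only works if the PHP side reads it behind a hasVariable() guard, and the first hunk of ezldapuser.php reads it unconditionally with variable(). Either ship `LDAPGroupMemberAttributeMatch=` with an empty value (empty is falsy, so the DN default is selected) or guard the read.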
@@ -69,3 +75,12 @@
 # be automatically moved back (to the group they are configured to be placed in)
 # when the user logs in again.
 KeepGroupAssignment=disabled
+# This setting only applies to LDAPGroupMappingType=SimpleMapping
+# by default you are mapped out to the first group you are found in
+# the order in which it checks is the order of the groups in ldap
+# this will override that order to the order defined in here
+# ie:
+#	LDAPUserGroupMap[b]=primary
+#	LDAPUserGroupMap[a]=seccondy
+# When enabled a user in both ldap groups will be mapped to primary instead of seccondary
+KeepGroupMapOrder=enabled
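Review bot: shipping `KeepGroupMapOrder=enabled` as the default changes placement for every existing SimpleMapping install whose LDAPUserGroupMap order differs from the directory's order; default it to `disabled`, like KeepGroupAssignment just above, and let sites opt in. Also fix 'seccondy'/'seccondary' to 'secondary' in the example comment.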

Now with my LDAP setup of groups that aren't groupOfUniqueNames,
say LDAP groups
a_everyone
b_justme
c_todd

where the first group a_everyone might have
memberUid=me
memberUid=bob
and group b_justme has
memberUid=me
and c_todd
memberUid=todd

Then I have eZ Publish groups
Admins
LesserPeople

Now what I want to achieve is: map the b_justme group to Admins, and a_everyone to LesserPeople,
but the user 'todd' is also in my LDAP, and I hate him so I don't want him to be able to log in at all.

So I have the following configuration:

#do not let todd login
#or more specifically, if he is in a group not mapped to an eZ Publish group, do not let him login
LDAPUserGroupType=map

LDAPGroupMappingType=SimpleMapping
LDAPGroupBaseDN=ou=Groups,dc=domain,dc=com
LDAPGroupNameAttribute=cn

#custom group schema
LDAPGroupClass=posixGroup
LDAPGroupMemberAttribute=memberUid
LDAPGroupMemberAttributeMatch=uid

#map in order of precedence (the setting is LDAPUserGroupMap, as read by the patch)
LDAPUserGroupMap[b_justme]=Admins
LDAPUserGroupMap[a_everyone]=LesserPeople

#use my map order
KeepGroupMapOrder=enabled

Without the last option I would have been mapped to LesserPeople,
because it would check a_everyone (alphabetical order) first and see I am in that group.

Even if the specific code solution my patch offers is not very good, I believe the functionality it offers should be included in future versions of eZ Publish.

Any feedback would be greatly appreciated.
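A runnable model of the placement rule the post describes, added here as an example (it is not the patch's code nor eZ Publish's): it assumes the posixGroup/memberUid layout and the LDAPUserGroupMap order from the configuration above, uses a constructed in-memory directory in place of ldap_search, and adds RFC 4515 escaping of the matched value before it goes into the filter.

```python
# Added model of the group-placement rule from the post; not the patch's
# code nor eZ Publish's. Directory data below is constructed for the example.

# Sample posixGroup entries keyed by cn, in the memberUid style from the post.
LDAP_GROUPS = {
    "a_everyone": {"objectClass": "posixGroup", "memberUid": ["me", "bob"]},
    "b_justme": {"objectClass": "posixGroup", "memberUid": ["me"]},
    "c_todd": {"objectClass": "posixGroup", "memberUid": ["todd"]},
}

# LDAPUserGroupMap in ini order; with KeepGroupMapOrder this order is precedence.
USER_GROUP_MAP = [("b_justme", "Admins"), ("a_everyone", "LesserPeople")]


def escape_filter_value(value):
    """Escape RFC 4515 filter metacharacters so a value read from the user's
    entry (uid, DN) cannot alter the structure of the search filter."""
    return "".join(
        "\\%02x" % ord(ch) if ch in "\\*()\0" else ch for ch in value
    )


def member_filter(group_class, member_attr, match_value):
    """Build the filter the patch sends: (&(objectClass=...)(memberUid=...))."""
    return "(&(objectClass=%s)(%s=%s))" % (
        group_class, member_attr, escape_filter_value(match_value))


def groups_of(uid):
    """Stand-in for ldap_search with member_filter(): cn of every posixGroup
    whose memberUid list contains uid."""
    return [cn for cn, g in LDAP_GROUPS.items() if uid in g["memberUid"]]


def resolve_placement(uid, keep_map_order=True):
    """Return the eZ Publish group to place uid in, or None to deny login
    (LDAPUserGroupType=map: no mapped LDAP group means no login)."""
    member_of = set(groups_of(uid))
    mapping = dict(USER_GROUP_MAP)
    if keep_map_order:
        candidates = [cn for cn, _ in USER_GROUP_MAP]  # ini order wins
    else:
        candidates = sorted(member_of)  # old behaviour: alphabetical LDAP order
    for cn in candidates:
        if cn in member_of and cn in mapping:
            return mapping[cn]
    return None
```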

Heath

Thursday 09 August 2007 6:14:30 pm

Hello,

Thank you for the contribution of this patch and detailed description of the solution.

Perhaps this would be more useful to others in the future if the patch was added to a new project on http://projects.ez.no

Cheers,
Heath

Brookins Consulting | http://brookinsconsulting.com/
Certified | http://auth.ez.no/certification/verify/380350
Solutions | http://projects.ez.no/users/community/brookins_consulting
eZpedia community documentation project | http://ezpedia.org
