
pfSense_LDAP_RFC2307GroupFilter.diff

Steve Powers, 05/16/2019 07:21 AM


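--- a/src/etc/inc/auth.inc
+++ b/src/etc/inc/auth.inc
@@ -1407,13 +1407,19 @@
 		}
 		$ldapauthcont = $authcfg['ldap_authcn'];
 		$ldapnameattribute = strtolower($authcfg['ldap_attr_user']);
+		$ldapgroupattribute = $authcfg['ldap_attr_member'];
 		$ldapextendedqueryenabled = $authcfg['ldap_extended_enabled'];
 		$ldapextendedquery = $authcfg['ldap_extended_query'];
 		$ldapfilter = "";
 		if (!$ldapextendedqueryenabled) {
 			$ldapfilter = "({$ldapnameattribute}={$username})";
 		} else {
-			$ldapfilter = "(&({$ldapnameattribute}={$username})({$ldapextendedquery}))";
+			if (isset($authcfg['ldap_rfc2307'])) {
+				$ldapfilter = "({$ldapnameattribute}={$username})";
+				$ldapgroupfilter = "(&({$ldapgroupattribute}={$username})({$ldapextendedquery}))";
+			} else {
+				$ldapfilter = "(&({$ldapnameattribute}={$username})({$ldapextendedquery}))";
+			}
 		}
 		$ldaptype = "";
 		$ldapver = $authcfg['ldap_protver'];
@@ -1513,13 +1519,30 @@
 		/* Support legacy auth container specification. */
 		if (stristr($ldac_split, "DC=") || empty($ldapbasedn)) {
 			$search = @$ldapfunc($ldap, $ldac_split, $ldapfilter);
+			if (isset($ldapgroupfilter)) {
+				$groupsearch = @$ldapfunc($ldap, $ldac_split, $ldapgroupfilter);
+			}
 		} else {
 			$search = @$ldapfunc($ldap, $ldapsearchbasedn, $ldapfilter);
+			if (isset($ldapgroupfilter)) {
+				$groupsearch = @$ldapfunc($ldap, $ldapsearchbasedn, $ldapgroupfilter);
+			}
+		}
+
+		if (isset($ldapgroupfilter) && !$groupsearch) {
+			log_error(sprintf(gettext("Extended group search resulted in error: %s"), ldap_error($ldap)));
+			continue;
 		}
 		if (!$search) {
 			log_error(sprintf(gettext("Search resulted in error: %s"), ldap_error($ldap)));
 			continue;
 		}
+		if (isset($groupsearch)) {
+			$validgroup = ldap_count_entries($ldap, $groupsearch);
+			if ($debug) {
+				log_auth(sprintf(gettext("LDAP group search: %s results."), $validgroup));
+			}
+		}
 		$info = ldap_get_entries($ldap, $search);
 		$matches = $info['count'];
 		if ($matches == 1) {
@@ -1559,9 +1582,17 @@
 		log_auth(sprintf(gettext('Logged in successfully as %1$s via LDAP server %2$s with DN = %3$s.'), $username, $ldapname, $userdn));
 	}
 
+	if ($debug && isset($ldapgroupfilter) && $validgroup < 1) {
+		log_auth(sprintf(gettext('Logged in successfully as %1$s but did not match any field in extended query.'), $username));
+	}
+
 	/* At this point we are bound to LDAP so the user was auth'd okay. Close connection. */
 	@ldap_unbind($ldap);
 
+	if (isset($ldapgroupfilter) && $validgroup < 1) {
+		return false;
+	}
+
 	return true;
 }
 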
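Review bot: A login refused by the new group check at the end of the function (`if (isset($ldapgroupfilter) && $validgroup < 1) { return false; }`) has already had the 'Logged in successfully as … via LDAP server …' line written just above it, and the only trace of the refusal is the `$debug`-gated message that itself begins "Logged in successfully", so the auth log records a success for an attempt that was denied. The denial should be logged unconditionally and worded as one: drop `$debug &&` from that condition and use `log_auth(sprintf(gettext('User %1$s authenticated to LDAP but did not match the extended group query; access denied.'), $username));`; if the success line can be moved after the group check without losing the scope of `$userdn` (the block it sits in starts outside the hunk), that ordering would be cleaner still. In the first hunk the new `$ldapgroupfilter` interpolates `$username` into the filter string exactly as the existing `$ldapfilter` does; unless the caller already sanitises it, `ldap_escape($username, '', LDAP_ESCAPE_FILTER)` at the point of use would cover both filters. The enclosing function and the per-container loop body continue outside these hunks.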
src/usr/local/www/system_authservers.php
656 656
	'Query',
657 657
	'text',
658 658
	$pconfig['ldap_extended_query']
659
))->setHelp('Example: memberOf=CN=Groupname,OU=MyGroups,DC=example,DC=com');
659
))->setHelp('Example (MSAD): memberOf=CN=Groupname,OU=MyGroups,DC=example,DC=com<br>Example (2307): |(&(objectClass=posixGroup)(cn=Groupname)(memberUid=*))(&(objectClass=posixGroup)(cn=anotherGroup)(memberUid=*))');
660 660

  
661 661
$section->add($group);
662 662