Auth\Ldap: Improve attribute mapping

2023-02-28 15:34:35 +01:00 · 2023-02-28 15:34:35 +01:00 · b9a5a60dc9
parent 87e9236af1
commit b9a5a60dc9
3 changed files with 54 additions and 26 deletions
--- a/example/includes/config.yml
+++ b/example/includes/config.yml
@ -252,18 +252,25 @@ auth:
    #bind_with_username: true

    # LDAP user attributes to retreive with their properties:
-    # [LDAP attr name]:
-    #   name: [map name]       # optional, default: LDAP attr name
-    #   type: [type of value]  # optional, default: 'string', possible values: string, bool, int, float
-    #   multivalued: true      # optional, default: false
-    #   default: null          # optional, default: null
+    # [attr name]:
+    #   # LDAP attribute name (optional, default: [attr name])
+    #   ldap_name: [LDAP attr name]
+    #   # Alternative LDAP attribute name to retrieve if the first one is not defined (optional)
+    #   alt_ldap_name: [alternative LDAP attr name]
+    #   # Type of value (optional, default: 'string', possible values: string, bool, int, float)
+    #   type: [type of value]
+    #   # Multivalued attribute (optional, default: false)
+    #   multivalued: true
+    #   # Default attribute value (optional, default: null)
+    #   default: null
    user_attributes:
-      uid:
-        name: 'login'
+      login:
+        ldap_name: 'uid'
        multivalued: false
        default: null
-      cn:
-        name: 'name'
+      name:
+        ldap_name: 'displayName'
+        alt_ldap_name: 'cn'
        multivalued: false
        default: null
      mail:
--- a/skel/config.yml
+++ b/skel/config.yml
@ -252,18 +252,25 @@ auth:
    #bind_with_username: true

    # LDAP user attributes to retreive with their properties:
-    # [LDAP attr name]:
-    #   name: [map name]       # optional, default: LDAP attr name
-    #   type: [type of value]  # optional, default: 'string', possible values: string, bool, int, float
-    #   multivalued: true      # optional, default: false
-    #   default: null          # optional, default: null
+    # [attr name]:
+    #   # LDAP attribute name (optional, default: [attr name])
+    #   ldap_name: [LDAP attr name]
+    #   # Alternative LDAP attribute name to retrieve if the first one is not defined (optional)
+    #   alt_ldap_name: [alternative LDAP attr name]
+    #   # Type of value (optional, default: 'string', possible values: string, bool, int, float)
+    #   type: [type of value]
+    #   # Multivalued attribute (optional, default: false)
+    #   multivalued: true
+    #   # Default attribute value (optional, default: null)
+    #   default: null
    user_attributes:
-      uid:
-        name: 'login'
+      login:
+        ldap_name: 'uid'
        multivalued: false
        default: null
-      cn:
-        name: 'name'
+      name:
+        ldap_name: 'displayName'
+        alt_ldap_name: 'cn'
        multivalued: false
        default: null
      mail:
--- a/src/Auth/Ldap.php
+++ b/src/Auth/Ldap.php
@ -33,8 +33,8 @@ class Ldap extends Backend {
   * @var array<string,array>
   */
  private static $default_user_attributes = array(
-    'uid' => array(
-      'name' => 'login',
+    'login' => array(
+      'ldap_name' => 'uid',
      'type' => 'string',
      'multivalued' => false,
      'default' => null,
@ -44,8 +44,9 @@ class Ldap extends Backend {
      'multivalued' => false,
      'default' => null,
    ),
-    'cn' => array(
-      'name' => 'name',
+    'name' => array(
+      'ldap_name' => 'displayName',
+      'alt_ldap_name' => 'cn',
      'type' => 'string',
      'multivalued' => false,
      'default' => null,
@ -202,12 +203,21 @@ class Ldap extends Backend {
   */
  public static function get_user($username) {
    $attrs = App::get('auth.ldap.user_attributes', self :: $default_user_attributes, 'array');
+    $attrs_names = array();
+    foreach($attrs as $attr => $attr_config) {
+      $name = Config::get("ldap_name", $attr, 'string', false, $attr_config);
+      $alt_name = Config::get("alt_ldap_name", null, 'string', false, $attr_config);
+      if (!in_array($name, $attrs_names))
+        $attrs_names[] = $name;
+      if ($alt_name && !in_array($alt_name, $attrs_names))
+        $attrs_names[] = $alt_name;
+    }
    $users = self :: search(
      str_replace(
        '[username]', Net_LDAP2_Filter::escape($username),
        App::get('auth.ldap.user_filter_by_uid', 'uid=[username]', 'string')
      ),
-      array_keys($attrs),
+      $attrs_names,
      App::get('auth.ldap.user_basedn', null, 'string')
    );
    if (!is_array($users)) {
@ -226,10 +236,14 @@ class Ldap extends Backend {
    }
    $dn = key($users);
    $info = array('dn' => $dn);
-    foreach($attrs as $attr => $attr_config) {
-      $info[Config::get("name", $attr, 'string', false, $attr_config)] = self :: get_attr(
+    foreach($attrs as $name => $attr_config) {
+      $ldap_name = Config::get("ldap_name", null, 'string', false, $attr_config);
+      $alt_ldap_name = Config::get("alt_ldap_name", $name, 'string', false, $attr_config);
+      if (!$ldap_name || is_null(self :: get_attr($users[$dn], $ldap_name)))
+        $ldap_name = $alt_ldap_name;
+      $info[$name] = self :: get_attr(
        $users[$dn],
-        $attr,
+        $ldap_name,
        Config::get("multivalued", false, 'bool', false, $attr_config),
        Config::get("default", null, null, false, $attr_config)
      );