From b9a5a60dc93e7f2a2e7ef131500730fb7c2c9f05 Mon Sep 17 00:00:00 2001
From: Benjamin Renard
Date: Tue, 28 Feb 2023 15:34:35 +0100
Subject: [PATCH] Auth\Ldap: Improve attribute mapping
---
 example/includes/config.yml | 25 ++++++++++++++++---------
 skel/config.yml | 25 ++++++++++++++++---------
 src/Auth/Ldap.php | 30 ++++++++++++++++++++++--------
 3 files changed, 54 insertions(+), 26 deletions(-)
diff --git a/example/includes/config.yml b/example/includes/config.yml
index 7013bd3..809663a 100644
--- a/example/includes/config.yml
+++ b/example/includes/config.yml
@@ -252,18 +252,25 @@ auth:
 #bind_with_username: true
 # LDAP user attributes to retreive with their properties:
- # [LDAP attr name]:
- # name: [map name] # optional, default: LDAP attr name
- # type: [type of value] # optional, default: 'string', possible values: string, bool, int, float
- # multivalued: true # optional, default: false
- # default: null # optional, default: null
+ # [attr name]:
+ # # LDAP attribute name (optional, default: [attr name])
+ # ldap_name: [LDAP attr name]
+ # # Alternative LDAP attribute name to retrieve if the first one is not defined (optional)
+ # alt_ldap_name: [alternative LDAP attr name]
+ # # Type of value (optional, default: 'string', possible values: string, bool, int, float)
+ # type: [type of value]
+ # # Multivalued attribute (optional, default: false)
+ # multivalued: true
+ # # Default attribute value (optional, default: null)
+ # default: null
 user_attributes:
- uid:
- name: 'login'
+ login:
+ ldap_name: 'uid'
 multivalued: false
 default: null
- cn:
- name: 'name'
+ name:
+ ldap_name: 'displayName'
+ alt_ldap_name: 'cn'
 multivalued: false
 default: null
 mail:
diff --git a/skel/config.yml b/skel/config.yml
index 9dbbfe6..642d81c 100644
--- a/skel/config.yml
+++ b/skel/config.yml
@@ -252,18 +252,25 @@ auth:
 #bind_with_username: true
 # LDAP user attributes to retreive with their properties:
- # [LDAP attr name]:
- # name: [map name] # optional, default: LDAP attr name
- # type: [type of value] # optional, default: 'string', possible values: string, bool, int, float
- # multivalued: true # optional, default: false
- # default: null # optional, default: null
+ # [attr name]:
+ # # LDAP attribute name (optional, default: [attr name])
+ # ldap_name: [LDAP attr name]
+ # # Alternative LDAP attribute name to retrieve if the first one is not defined (optional)
+ # alt_ldap_name: [alternative LDAP attr name]
+ # # Type of value (optional, default: 'string', possible values: string, bool, int, float)
+ # type: [type of value]
+ # # Multivalued attribute (optional, default: false)
+ # multivalued: true
+ # # Default attribute value (optional, default: null)
+ # default: null
 user_attributes:
- uid:
- name: 'login'
+ login:
+ ldap_name: 'uid'
 multivalued: false
 default: null
- cn:
- name: 'name'
+ name:
+ ldap_name: 'displayName'
+ alt_ldap_name: 'cn'
 multivalued: false
 default: null
 mail:
diff --git a/src/Auth/Ldap.php b/src/Auth/Ldap.php
index 581f33f..562ae5a 100644
--- a/src/Auth/Ldap.php
+++ b/src/Auth/Ldap.php
@@ -33,8 +33,8 @@ class Ldap extends Backend {
 * @var array
 */
 private static $default_user_attributes = array(
- 'uid' => array(
- 'name' => 'login',
+ 'login' => array(
+ 'ldap_name' => 'uid',
 'type' => 'string',
 'multivalued' => false,
 'default' => null,
@@ -44,8 +44,9 @@ class Ldap extends Backend {
 'multivalued' => false,
 'default' => null,
 ),
- 'cn' => array(
- 'name' => 'name',
+ 'name' => array(
+ 'ldap_name' => 'displayName',
+ 'alt_ldap_name' => 'cn',
 'type' => 'string',
 'multivalued' => false,
 'default' => null,
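Review bot: The new default for the `name` entry sources it from `displayName` and falls back to `cn` only when `displayName` is absent, and in many directories `displayName` is self-service editable by the user while `cn` is administrator-controlled, so the value that lands in `$info['name']` may now be chosen by the user. That is harmless if `name` is purely cosmetic, but if any caller matches on it or presents it as an identity hint (not visible from this hunk), the previous `cn` source was the safer default. Suggest a comment on the `'name'` entry such as `// displayName is often user-editable: treat 'name' as display-only, never match or authorize on it`, and the same caveat next to the `alt_ldap_name: 'cn'` example in config.yml. The `$default_user_attributes` array begins and ends outside this hunk.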
@@ -202,12 +203,21 @@ class Ldap extends Backend {
 */
 public static function get_user($username) {
 $attrs = App::get('auth.ldap.user_attributes', self :: $default_user_attributes, 'array');
+ $attrs_names = array();
+ foreach($attrs as $attr => $attr_config) {
+ $name = Config::get("ldap_name", $attr, 'string', false, $attr_config);
+ $alt_name = Config::get("alt_ldap_name", null, 'string', false, $attr_config);
+ if (!in_array($name, $attrs_names))
+ $attrs_names[] = $name;
+ if ($alt_name && !in_array($alt_name, $attrs_names))
+ $attrs_names[] = $alt_name;
+ }
 $users = self :: search( str_replace( '[username]', Net_LDAP2_Filter::escape($username), App::get('auth.ldap.user_filter_by_uid', 'uid=[username]', 'string') ),
- array_keys($attrs),
+ $attrs_names,
 App::get('auth.ldap.user_basedn', null, 'string')
 );
 if (!is_array($users)) {
@@ -226,10 +236,14 @@ class Ldap extends Backend {
 }
 $dn = key($users);
 $info = array('dn' => $dn);
- foreach($attrs as $attr => $attr_config) {
- $info[Config::get("name", $attr, 'string', false, $attr_config)] = self :: get_attr(
+ foreach($attrs as $name => $attr_config) {
+ $ldap_name = Config::get("ldap_name", null, 'string', false, $attr_config);
+ $alt_ldap_name = Config::get("alt_ldap_name", $name, 'string', false, $attr_config);
+ if (!$ldap_name || is_null(self :: get_attr($users[$dn], $ldap_name)))
+ $ldap_name = $alt_ldap_name;
+ $info[$name] = self :: get_attr(
 $users[$dn],
- $attr,
+ $ldap_name,
 Config::get("multivalued", false, 'bool', false, $attr_config),
 Config::get("default", null, null, false, $attr_config)
 );
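Review bot: The defaults in the mapping loop disagree with the attribute list requested from the server earlier in `get_user`: there `ldap_name` defaults to the map key and `alt_ldap_name` is only requested when configured, whereas here `ldap_name` defaults to null and `alt_ldap_name` defaults to `$name`. So when `ldap_name` is configured, absent from the returned entry, and no `alt_ldap_name` is set, the second `get_attr` call reads an attribute named after the map key (e.g. `login`) that was never asked for in the search, which presumably resolves to the configured default rather than an explicit "not found". Aligning the two loops removes the surprise: `$ldap_name = Config::get("ldap_name", $name, 'string', false, $attr_config);`, `$alt_ldap_name = Config::get("alt_ldap_name", null, 'string', false, $attr_config);`, `if ($alt_ldap_name && is_null(self :: get_attr($users[$dn], $ldap_name))) $ldap_name = $alt_ldap_name;`. Note also that the presence probe calls `get_attr` without the multivalued flag, so how an empty multivalued attribute is treated depends on `get_attr`, which is outside this hunk, as is the start of `get_user`'s body.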