Auth\Ldap: Improve attribute mapping

This commit is contained in:
Benjamin Renard 2023-02-28 15:34:35 +01:00
parent 87e9236af1
commit b9a5a60dc9
Signed by: bn8
GPG key ID: 3E2E1CE1907115BC
3 changed files with 54 additions and 26 deletions


@ -252,18 +252,25 @@ auth:
#bind_with_username: true #bind_with_username: true
# LDAP user attributes to retreive with their properties: # LDAP user attributes to retreive with their properties:
# [LDAP attr name]: # [attr name]:
# name: [map name] # optional, default: LDAP attr name # # LDAP attribute name (optional, default: [attr name])
# type: [type of value] # optional, default: 'string', possible values: string, bool, int, float # ldap_name: [LDAP attr name]
# multivalued: true # optional, default: false # # Alternative LDAP attribute name to retrieve if the first one is not defined (optional)
# default: null # optional, default: null # alt_ldap_name: [alternative LDAP attr name]
# # Type of value (optional, default: 'string', possible values: string, bool, int, float)
# type: [type of value]
# # Multivalued attribute (optional, default: false)
# multivalued: true
# # Default attribute value (optional, default: null)
# default: null
user_attributes: user_attributes:
uid: login:
name: 'login' ldap_name: 'uid'
multivalued: false multivalued: false
default: null default: null
cn: name:
name: 'name' ldap_name: 'displayName'
alt_ldap_name: 'cn'
multivalued: false multivalued: false
default: null default: null
mail: mail:
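Review bot: The comment block above `user_attributes:` is rewritten but still carries the misspelling in `# LDAP user attributes to retreive with their properties:`; since the surrounding lines are being redone, `retrieve` is the correct spelling. The same line appears unchanged in the second file section of this commit. The new key descriptions are clearer than before, but the example entries never show an attribute that omits `ldap_name` (where the entry key itself is used as the LDAP attribute name) nor one that sets `type:`, so a reader has to infer both from the comments; one short example entry covering each would make the defaults concrete. The `user_attributes:` mapping continues past the end of the hunk.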


@ -252,18 +252,25 @@ auth:
#bind_with_username: true #bind_with_username: true
# LDAP user attributes to retreive with their properties: # LDAP user attributes to retreive with their properties:
# [LDAP attr name]: # [attr name]:
# name: [map name] # optional, default: LDAP attr name # # LDAP attribute name (optional, default: [attr name])
# type: [type of value] # optional, default: 'string', possible values: string, bool, int, float # ldap_name: [LDAP attr name]
# multivalued: true # optional, default: false # # Alternative LDAP attribute name to retrieve if the first one is not defined (optional)
# default: null # optional, default: null # alt_ldap_name: [alternative LDAP attr name]
# # Type of value (optional, default: 'string', possible values: string, bool, int, float)
# type: [type of value]
# # Multivalued attribute (optional, default: false)
# multivalued: true
# # Default attribute value (optional, default: null)
# default: null
user_attributes: user_attributes:
uid: login:
name: 'login' ldap_name: 'uid'
multivalued: false multivalued: false
default: null default: null
cn: name:
name: 'name' ldap_name: 'displayName'
alt_ldap_name: 'cn'
multivalued: false multivalued: false
default: null default: null
mail: mail:


@ -33,8 +33,8 @@ class Ldap extends Backend {
* @var array<string,array> * @var array<string,array>
*/ */
private static $default_user_attributes = array( private static $default_user_attributes = array(
'uid' => array( 'login' => array(
'name' => 'login', 'ldap_name' => 'uid',
'type' => 'string', 'type' => 'string',
'multivalued' => false, 'multivalued' => false,
'default' => null, 'default' => null,
@ -44,8 +44,9 @@ class Ldap extends Backend {
'multivalued' => false, 'multivalued' => false,
'default' => null, 'default' => null,
), ),
'cn' => array( 'name' => array(
'name' => 'name', 'ldap_name' => 'displayName',
'alt_ldap_name' => 'cn',
'type' => 'string', 'type' => 'string',
'multivalued' => false, 'multivalued' => false,
'default' => null, 'default' => null,
@ -202,12 +203,21 @@ class Ldap extends Backend {
*/ */
public static function get_user($username) { public static function get_user($username) {
$attrs = App::get('auth.ldap.user_attributes', self :: $default_user_attributes, 'array'); $attrs = App::get('auth.ldap.user_attributes', self :: $default_user_attributes, 'array');
$attrs_names = array();
foreach($attrs as $attr => $attr_config) {
$name = Config::get("ldap_name", $attr, 'string', false, $attr_config);
$alt_name = Config::get("alt_ldap_name", null, 'string', false, $attr_config);
if (!in_array($name, $attrs_names))
$attrs_names[] = $name;
if ($alt_name && !in_array($alt_name, $attrs_names))
$attrs_names[] = $alt_name;
}
$users = self :: search( $users = self :: search(
str_replace( str_replace(
'[username]', Net_LDAP2_Filter::escape($username), '[username]', Net_LDAP2_Filter::escape($username),
App::get('auth.ldap.user_filter_by_uid', 'uid=[username]', 'string') App::get('auth.ldap.user_filter_by_uid', 'uid=[username]', 'string')
), ),
array_keys($attrs), $attrs_names,
App::get('auth.ldap.user_basedn', null, 'string') App::get('auth.ldap.user_basedn', null, 'string')
); );
if (!is_array($users)) { if (!is_array($users)) {
@ -226,10 +236,14 @@ class Ldap extends Backend {
} }
$dn = key($users); $dn = key($users);
$info = array('dn' => $dn); $info = array('dn' => $dn);
foreach($attrs as $attr => $attr_config) { foreach($attrs as $name => $attr_config) {
$info[Config::get("name", $attr, 'string', false, $attr_config)] = self :: get_attr( $ldap_name = Config::get("ldap_name", null, 'string', false, $attr_config);
$alt_ldap_name = Config::get("alt_ldap_name", $name, 'string', false, $attr_config);
if (!$ldap_name || is_null(self :: get_attr($users[$dn], $ldap_name)))
$ldap_name = $alt_ldap_name;
$info[$name] = self :: get_attr(
$users[$dn], $users[$dn],
$attr, $ldap_name,
Config::get("multivalued", false, 'bool', false, $attr_config), Config::get("multivalued", false, 'bool', false, $attr_config),
Config::get("default", null, null, false, $attr_config) Config::get("default", null, null, false, $attr_config)
); );
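Review bot: The two loops in get_user resolve `ldap_name`/`alt_ldap_name` with different defaults: the attribute-list loop (first hunk) defaults `ldap_name` to the entry key and `alt_ldap_name` to null, while the lookup loop (this hunk) defaults `ldap_name` to null and `alt_ldap_name` to `$name`. For an entry that sets `ldap_name` but no `alt_ldap_name`, a null value therefore falls back to reading `$name` from the LDAP entry, an attribute the search never requested, so the fallback presumably only yields whatever get_attr returns for an absent attribute rather than the documented "no alternative" behaviour. Aligning the lookup with the documented defaults — `$ldap_name = Config::get("ldap_name", $name, 'string', false, $attr_config);`, `$alt_ldap_name = Config::get("alt_ldap_name", null, 'string', false, $attr_config);`, `if ($alt_ldap_name && is_null(self :: get_attr($users[$dn], $ldap_name))) $ldap_name = $alt_ldap_name;` — keeps the set of attributes requested and the set read identical. The two `in_array` calls in the first hunk should pass `true` as the third argument so attribute names are compared strictly. get_user's body continues outside the hunk.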