authorSimon Rettberg2017-01-18 13:37:03 +0100
committerSimon Rettberg2017-01-18 13:37:03 +0100
commit60b0e82aa64199bbed7a81a71b7cb1cd0ffd819e (patch)
tree28c4f3bd22e39e9480d295361c42afa0044c57e6
parentinstall.js: Fix coloring for an error case (diff)
[sysconfig] More ad/ldap setup fixes
-rw-r--r--modules-available/sysconfig/addmodule_adauth.inc.php11
-rw-r--r--modules-available/sysconfig/inc/ldap.inc.php14
2 files changed, 21 insertions, 4 deletions
diff --git a/modules-available/sysconfig/addmodule_adauth.inc.php b/modules-available/sysconfig/addmodule_adauth.inc.php
index 666c36d1..266327a8 100644
--- a/modules-available/sysconfig/addmodule_adauth.inc.php
+++ b/modules-available/sysconfig/addmodule_adauth.inc.php
@@ -140,10 +140,12 @@ class AdAuth_SelfSearch extends AddModule_Base
} else {
$uri = "ldap://$server:3268/";
}
+
+ $selfSearchBase = Ldap::getSelfSearchBase($binddn, $searchbase);
// Set up selfSearch task
$taskData = array(
'server' => $uri,
- 'searchbase' => $searchbase,
+ 'searchbase' => $selfSearchBase,
'bindpw' => $bindpw,
);
if (preg_match(AD_SHORT_REGEX, $binddn, $out) && !empty($out[2])) {
@@ -153,12 +155,12 @@ class AdAuth_SelfSearch extends AddModule_Base
$this->originalBindDn = $binddn;
$taskData['filter'] = 'sAMAccountName=' . $out[1];
} elseif (preg_match('/^cn\=([^\=]+),.*?,dc\=([^\=]+),/i', Ldap::normalizeDn($binddn), $out)) {
- if (empty($searchbase)) {
+ if (empty($selfSearchBase)) {
$this->originalBindDn = $out[2] . '\\' . $out[1];
$taskData['filter'] = 'sAMAccountName=' . $out[1];
} else {
$this->originalBindDn = $binddn;
- $taskData['filter'] = "distinguishedName=$binddn";
+ $taskData['filter'] = 'distinguishedName=' . Ldap::normalizeDn($binddn);
}
} else {
Message::addError('could-not-determine-binddn', $binddn);
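Review bot: The new `distinguishedName=` filter concatenates the normalized bind DN into an LDAP filter value without RFC 4515 escaping, so a DN containing `(`, `)`, `*` or a backslash-escaped comma (`\,`) yields an invalid or different filter; the two `sAMAccountName=` values built from `$out[1]` in this hunk and `$filter` in the AdAuth_HomeAttrCheck hunk below have the same gap. `ldap_escape()` (PHP 5.6+) is the fix: `$taskData['filter'] = 'distinguishedName=' . ldap_escape(Ldap::normalizeDn($binddn), '', LDAP_ESCAPE_FILTER);`. Separately, `$this->originalBindDn` keeps the raw `$binddn` while the filter uses the normalized form; if the two are compared later that mismatch may matter. The enclosing method begins before this hunk and continues after it.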
@@ -232,11 +234,12 @@ class AdAuth_HomeAttrCheck extends AddModule_Base
} else {
$uri = "ldap://$server:$port/";
}
+ $selfSearchBase = Ldap::getSelfSearchBase($binddn, $searchbase);
preg_match('#^(\w+\=[^\=]+),#', $binddn, $out);
$filter = $out[1];
$data = array(
'server' => $uri,
- 'searchbase' => $searchbase,
+ 'searchbase' => $selfSearchBase,
'binddn' => $binddn,
'bindpw' => $bindpw,
'filter' => $filter
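Review bot: The `preg_match` on the line after the new `$selfSearchBase` assignment has its result ignored, so a bind DN in short form (`DOMAIN\user` or `user@domain`) — which the comment in the new `getSelfSearchBase` acknowledges — leaves `$out[1]` undefined, emits a notice, and submits the task with an empty `filter` (an empty filter here would seem to match nothing useful, though the task's behaviour is outside this hunk). Guarding it the way the `could-not-determine-binddn` branch in AdAuth_SelfSearch does, `if (!preg_match('#^(\w+\=[^\=]+),#', $binddn, $out)) { Message::addError('could-not-determine-binddn', $binddn); … }` followed by the method's usual early exit, would fail clearly before `$data` is built. The enclosing method begins before this hunk and continues after it.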
diff --git a/modules-available/sysconfig/inc/ldap.inc.php b/modules-available/sysconfig/inc/ldap.inc.php
index ed471f31..23b24885 100644
--- a/modules-available/sysconfig/inc/ldap.inc.php
+++ b/modules-available/sysconfig/inc/ldap.inc.php
@@ -8,4 +8,18 @@ class Ldap
return trim(preg_replace('/[,;]\s*/', ',', $dn));
}
+ public static function getSelfSearchBase($binddn, $searchbase)
+ {
+ // To find ourselves we try to figure out the proper search base, since the given one
+ // might be just for users, not for functional or utility accounts
+ if (preg_match('/,(OU=.*DC=.*)$/i', Ldap::normalizeDn($binddn), $out)) {
+ // Get OU from binddn; works if not given short form of DOMAIN\user or user@domain.fqdn.com
+ $searchbase = $out[1];
+ } elseif (preg_match('/,(DC=.*)$/i', Ldap::normalizeDn($searchbase), $out)) {
+ // Otherwise, shorten search base enough to only consider the DC=..,DC=.. part at the end
+ $searchbase = $out[1];
+ }
+ return $searchbase;
+ }
+
}
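Review bot: `getSelfSearchBase` has no docblock, and neither its name nor the inline comments state the fallback contract: when neither pattern matches the caller's `$searchbase` is returned untouched, possibly empty, which both call sites then test with `empty()`. A short docblock would make that explicit: `/** Derive a search base for locating the bind account itself. Prefers the OU path of $binddn, falls back to the DC suffix of $searchbase, and returns $searchbase unchanged (possibly empty) if neither can be extracted. */` with `@param string $binddn`, `@param string $searchbase` and `@return string`. As a point of style, inside `class Ldap` the two `Ldap::normalizeDn(...)` calls would conventionally be `self::normalizeDn(...)`, and the second `preg_match` could reuse the already-normalized bind DN rather than normalizing again only when the first branch fails.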