summaryrefslogtreecommitdiffstats
path: root/modules-available/sysconfig
diff options
context:
space:
mode:
authorSimon Rettberg2017-01-18 13:37:03 +0100
committerSimon Rettberg2017-01-18 13:37:03 +0100
commit60b0e82aa64199bbed7a81a71b7cb1cd0ffd819e (patch)
tree28c4f3bd22e39e9480d295361c42afa0044c57e6 /modules-available/sysconfig
parentinstall.js: Fix coloring for an error case (diff)
downloadslx-admin-60b0e82aa64199bbed7a81a71b7cb1cd0ffd819e.tar.gz
slx-admin-60b0e82aa64199bbed7a81a71b7cb1cd0ffd819e.tar.xz
slx-admin-60b0e82aa64199bbed7a81a71b7cb1cd0ffd819e.zip
[sysconfig] More ad/ldap setup fixes
Diffstat (limited to 'modules-available/sysconfig')
-rw-r--r--modules-available/sysconfig/addmodule_adauth.inc.php11
-rw-r--r--modules-available/sysconfig/inc/ldap.inc.php14
2 files changed, 21 insertions, 4 deletions
diff --git a/modules-available/sysconfig/addmodule_adauth.inc.php b/modules-available/sysconfig/addmodule_adauth.inc.php
index 666c36d1..266327a8 100644
--- a/modules-available/sysconfig/addmodule_adauth.inc.php
+++ b/modules-available/sysconfig/addmodule_adauth.inc.php
@@ -140,10 +140,12 @@ class AdAuth_SelfSearch extends AddModule_Base
} else {
$uri = "ldap://$server:3268/";
}
+
+ $selfSearchBase = Ldap::getSelfSearchBase($binddn, $searchbase);
// Set up selfSearch task
$taskData = array(
'server' => $uri,
- 'searchbase' => $searchbase,
+ 'searchbase' => $selfSearchBase,
'bindpw' => $bindpw,
);
if (preg_match(AD_SHORT_REGEX, $binddn, $out) && !empty($out[2])) {
@@ -153,12 +155,12 @@ class AdAuth_SelfSearch extends AddModule_Base
$this->originalBindDn = $binddn;
$taskData['filter'] = 'sAMAccountName=' . $out[1];
} elseif (preg_match('/^cn\=([^\=]+),.*?,dc\=([^\=]+),/i', Ldap::normalizeDn($binddn), $out)) {
- if (empty($searchbase)) {
+ if (empty($selfSearchBase)) {
$this->originalBindDn = $out[2] . '\\' . $out[1];
$taskData['filter'] = 'sAMAccountName=' . $out[1];
} else {
$this->originalBindDn = $binddn;
- $taskData['filter'] = "distinguishedName=$binddn";
+ $taskData['filter'] = 'distinguishedName=' . Ldap::normalizeDn($binddn);
}
} else {
Message::addError('could-not-determine-binddn', $binddn);
@@ -232,11 +234,12 @@ class AdAuth_HomeAttrCheck extends AddModule_Base
} else {
$uri = "ldap://$server:$port/";
}
+ $selfSearchBase = Ldap::getSelfSearchBase($binddn, $searchbase);
preg_match('#^(\w+\=[^\=]+),#', $binddn, $out);
$filter = $out[1];
$data = array(
'server' => $uri,
- 'searchbase' => $searchbase,
+ 'searchbase' => $selfSearchBase,
'binddn' => $binddn,
'bindpw' => $bindpw,
'filter' => $filter
diff --git a/modules-available/sysconfig/inc/ldap.inc.php b/modules-available/sysconfig/inc/ldap.inc.php
index ed471f31..23b24885 100644
--- a/modules-available/sysconfig/inc/ldap.inc.php
+++ b/modules-available/sysconfig/inc/ldap.inc.php
@@ -8,4 +8,18 @@ class Ldap
return trim(preg_replace('/[,;]\s*/', ',', $dn));
}
+ public static function getSelfSearchBase($binddn, $searchbase)
+ {
+ // To find ourselves we try to figure out the proper search base, since the given one
+ // might be just for users, not for functional or utility accounts
+ if (preg_match('/,(OU=.*DC=.*)$/i', Ldap::normalizeDn($binddn), $out)) {
+ // Get OU from binddn; works if not given short form of DOMAIN\user or user@domain.fqdn.com
+ $searchbase = $out[1];
+ } elseif (preg_match('/,(DC=.*)$/i', Ldap::normalizeDn($searchbase), $out)) {
+ // Otherwise, shorten search base enough to only consider the DC=..,DC=.. part at the end
+ $searchbase = $out[1];
+ }
+ return $searchbase;
+ }
+
}