From 60b0e82aa64199bbed7a81a71b7cb1cd0ffd819e Mon Sep 17 00:00:00 2001 From: Simon Rettberg Date: Wed, 18 Jan 2017 13:37:03 +0100 Subject: [sysconfig] More ad/ldap setup fixes --- modules-available/sysconfig/addmodule_adauth.inc.php | 11 +++++++---- modules-available/sysconfig/inc/ldap.inc.php | 14 ++++++++++++++ 2 files changed, 21 insertions(+), 4 deletions(-) diff --git a/modules-available/sysconfig/addmodule_adauth.inc.php b/modules-available/sysconfig/addmodule_adauth.inc.php index 666c36d1..266327a8 100644 --- a/modules-available/sysconfig/addmodule_adauth.inc.php +++ b/modules-available/sysconfig/addmodule_adauth.inc.php @@ -140,10 +140,12 @@ class AdAuth_SelfSearch extends AddModule_Base } else { $uri = "ldap://$server:3268/"; } + + $selfSearchBase = Ldap::getSelfSearchBase($binddn, $searchbase); // Set up selfSearch task $taskData = array( 'server' => $uri, - 'searchbase' => $searchbase, + 'searchbase' => $selfSearchBase, 'bindpw' => $bindpw, ); if (preg_match(AD_SHORT_REGEX, $binddn, $out) && !empty($out[2])) { @@ -153,12 +155,12 @@ class AdAuth_SelfSearch extends AddModule_Base $this->originalBindDn = $binddn; $taskData['filter'] = 'sAMAccountName=' . $out[1]; } elseif (preg_match('/^cn\=([^\=]+),.*?,dc\=([^\=]+),/i', Ldap::normalizeDn($binddn), $out)) { - if (empty($searchbase)) { + if (empty($selfSearchBase)) { $this->originalBindDn = $out[2] . '\\' . $out[1]; $taskData['filter'] = 'sAMAccountName=' . $out[1]; } else { $this->originalBindDn = $binddn; - $taskData['filter'] = "distinguishedName=$binddn"; + $taskData['filter'] = 'distinguishedName=' . Ldap::normalizeDn($binddn); } } else { Message::addError('could-not-determine-binddn', $binddn); @@ -232,11 +234,12 @@ class AdAuth_HomeAttrCheck extends AddModule_Base } else { $uri = "ldap://$server:$port/"; } + $selfSearchBase = Ldap::getSelfSearchBase($binddn, $searchbase); preg_match('#^(\w+\=[^\=]+),#', $binddn, $out); $filter = $out[1]; $data = array( 'server' => $uri, - 'searchbase' => $searchbase, + 'searchbase' => $selfSearchBase, 'binddn' => $binddn, 'bindpw' => $bindpw, 'filter' => $filter diff --git a/modules-available/sysconfig/inc/ldap.inc.php b/modules-available/sysconfig/inc/ldap.inc.php index ed471f31..23b24885 100644 --- a/modules-available/sysconfig/inc/ldap.inc.php +++ b/modules-available/sysconfig/inc/ldap.inc.php @@ -8,4 +8,18 @@ class Ldap return trim(preg_replace('/[,;]\s*/', ',', $dn)); } + public static function getSelfSearchBase($binddn, $searchbase) + { + // To find ourselves we try to figure out the proper search base, since the given one + // might be just for users, not for functional or utility accounts + if (preg_match('/,(OU=.*DC=.*)$/i', Ldap::normalizeDn($binddn), $out)) { + // Get OU from binddn; works if not given short form of DOMAIN\user or user@domain.fqdn.com + $searchbase = $out[1]; + } elseif (preg_match('/,(DC=.*)$/i', Ldap::normalizeDn($searchbase), $out)) { + // Otherwise, shorten search base enough to only consider the DC=..,DC=.. part at the end + $searchbase = $out[1]; + } + return $searchbase; + } + } -- cgit v1.2.3-55-g7522