lucaspalomodevelop/core
1
0
Fork 0
mirror of https://github.com/lucaspalomodevelop/core.git synced 2026-03-20 03:16:12 +00:00
Code Issues Packages Projects Releases Wiki Activity

System: Access: Servers - add "Default groups" option to add standard groups when a radius/ldap user logs in. closes https://github.com/opnsense/core/issues/8065 (fix ldap connector, remove read properties requirement)

Browse Source
This commit is contained in:
Ad Schellevis 2024-11-19 08:45:05 +01:00
parent 3a696d257d
commit e70cd0c611
1 changed files with 39 additions and 39 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

78
src/opnsense/mvc/app/library/OPNsense/Auth/LDAP.php
View File

@ -526,47 +526,47 @@ class LDAP extends Base implements IAuthConnector
}
}
}
// update group policies when applicable
if ($this->ldapSyncMemberOf || $this->ldapSyncCreateLocalUsers) {
// list of enabled groups, so we can ignore some local groups if needed
$sync_groups = [];
$default_groups = [];
if (!empty($this->ldapSyncMemberOfLimit)) {
$sync_groups = explode(",", strtolower($this->ldapSyncMemberOfLimit));
}
if (!empty($this->ldapSyncDefaultGroups)) {
$default_groups = explode(",", strtolower($this->ldapSyncDefaultGroups));
}
if ($this->ldapSyncMemberOfConstraint) {
// Filter "memberOf" results to those recorded in ldapAuthcontainers, where
// the first part of the member is considered the group name, the rest should be an exact
// (case insensitive) match.
// (e.g. : cn=mygroup,cn=users,dc=opnsense,dc=local matches cn=users,dc=opnsense,dc=local)
$membersOf = [];
$tmp_containers = explode(";", strtolower($this->ldapAuthcontainers));
foreach (explode("\n", $this->lastAuthProperties['memberof']) as $member) {
foreach ($tmp_containers as $tmp_container) {
$tmp = explode(",", strtolower($member), 2);
if (count($tmp) > 1 && $tmp[1] == $tmp_container) {
$membersOf[] = $member;
}
}
}
$membersOf = implode("\n", $membersOf);
} else {
$membersOf = $this->lastAuthProperties['memberof'];
}
$this->setGroupMembership(
$username,
$membersOf,
$sync_groups,
$this->ldapSyncCreateLocalUsers,
$default_groups
);
}
}
}
// update group policies when applicable
if (($this->ldapSyncMemberOf && $this->ldapReadProperties)|| $this->ldapSyncCreateLocalUsers) {
// list of enabled groups, so we can ignore some local groups if needed
$sync_groups = [];
$default_groups = [];
if (!empty($this->ldapSyncMemberOfLimit)) {
$sync_groups = explode(",", strtolower($this->ldapSyncMemberOfLimit));
}
if (!empty($this->ldapSyncDefaultGroups)) {
$default_groups = explode(",", strtolower($this->ldapSyncDefaultGroups));
}
if ($this->ldapSyncMemberOfConstraint) {
// Filter "memberOf" results to those recorded in ldapAuthcontainers, where
// the first part of the member is considered the group name, the rest should be an exact
// (case insensitive) match.
// (e.g. : cn=mygroup,cn=users,dc=opnsense,dc=local matches cn=users,dc=opnsense,dc=local)
$membersOf = [];
$tmp_containers = explode(";", strtolower($this->ldapAuthcontainers));
foreach (explode("\n", $this->lastAuthProperties['memberof']) as $member) {
foreach ($tmp_containers as $tmp_container) {
$tmp = explode(",", strtolower($member), 2);
if (count($tmp) > 1 && $tmp[1] == $tmp_container) {
$membersOf[] = $member;
}
}
}
$membersOf = implode("\n", $membersOf);
} else {
$membersOf = $this->lastAuthProperties['memberof'];
}
$this->setGroupMembership(
$username,
$membersOf,
$sync_groups,
$this->ldapSyncCreateLocalUsers,
$default_groups
);
}
}
return $ldap_is_connected;