System: Access: Servers - add "Default groups" option to add standard…
… groups when a radius/ldap user logs in. closes #8065 (fix ldap connector, remove read properties requirement)
AdSchellevis committed Nov 19, 2024
1 parent 3a696d2 commit e70cd0c
Showing 1 changed file with 35 additions and 35 deletions.
70 changes: 35 additions & 35 deletions src/opnsense/mvc/app/library/OPNsense/Auth/LDAP.php
Expand Up @@ -526,46 +526,46 @@ public function authenticate($username, $password)
}
}
}
// update group policies when applicable
if ($this->ldapSyncMemberOf || $this->ldapSyncCreateLocalUsers) {
// list of enabled groups, so we can ignore some local groups if needed
$sync_groups = [];
$default_groups = [];
if (!empty($this->ldapSyncMemberOfLimit)) {
$sync_groups = explode(",", strtolower($this->ldapSyncMemberOfLimit));
}
if (!empty($this->ldapSyncDefaultGroups)) {
$default_groups = explode(",", strtolower($this->ldapSyncDefaultGroups));
}
}
}
// update group policies when applicable
if (($this->ldapSyncMemberOf && $this->ldapReadProperties)|| $this->ldapSyncCreateLocalUsers) {
// list of enabled groups, so we can ignore some local groups if needed
$sync_groups = [];
$default_groups = [];
if (!empty($this->ldapSyncMemberOfLimit)) {
$sync_groups = explode(",", strtolower($this->ldapSyncMemberOfLimit));
}
if (!empty($this->ldapSyncDefaultGroups)) {
$default_groups = explode(",", strtolower($this->ldapSyncDefaultGroups));
}

if ($this->ldapSyncMemberOfConstraint) {
// Filter "memberOf" results to those recorded in ldapAuthcontainers, where
// the first part of the member is considered the group name, the rest should be an exact
// (case insensitive) match.
// (e.g. : cn=mygroup,cn=users,dc=opnsense,dc=local matches cn=users,dc=opnsense,dc=local)
$membersOf = [];
$tmp_containers = explode(";", strtolower($this->ldapAuthcontainers));
foreach (explode("\n", $this->lastAuthProperties['memberof']) as $member) {
foreach ($tmp_containers as $tmp_container) {
$tmp = explode(",", strtolower($member), 2);
if (count($tmp) > 1 && $tmp[1] == $tmp_container) {
$membersOf[] = $member;
}
}
if ($this->ldapSyncMemberOfConstraint) {
// Filter "memberOf" results to those recorded in ldapAuthcontainers, where
// the first part of the member is considered the group name, the rest should be an exact
// (case insensitive) match.
// (e.g. : cn=mygroup,cn=users,dc=opnsense,dc=local matches cn=users,dc=opnsense,dc=local)
$membersOf = [];
$tmp_containers = explode(";", strtolower($this->ldapAuthcontainers));
foreach (explode("\n", $this->lastAuthProperties['memberof']) as $member) {
foreach ($tmp_containers as $tmp_container) {
$tmp = explode(",", strtolower($member), 2);
if (count($tmp) > 1 && $tmp[1] == $tmp_container) {
$membersOf[] = $member;
}
$membersOf = implode("\n", $membersOf);
} else {
$membersOf = $this->lastAuthProperties['memberof'];
}
$this->setGroupMembership(
$username,
$membersOf,
$sync_groups,
$this->ldapSyncCreateLocalUsers,
$default_groups
);
}
$membersOf = implode("\n", $membersOf);
} else {
$membersOf = $this->lastAuthProperties['memberof'];
}
$this->setGroupMembership(
$username,
$membersOf,
$sync_groups,
$this->ldapSyncCreateLocalUsers,
$default_groups
);
}
}
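Review bot: The loosened condition `if (($this->ldapSyncMemberOf && $this->ldapReadProperties)|| $this->ldapSyncCreateLocalUsers)` (apparently the new side, given the commit's "remove read properties requirement" wording) lets the block run when no properties were read, yet both branches below still read `$this->lastAuthProperties['memberof']` unconditionally; if that key is absent when ldapReadProperties is off, this raises an undefined-array-key warning and `explode("\n", null)` is deprecated on PHP 8.1+. Read it once with a default, `$memberof = $this->lastAuthProperties['memberof'] ?? '';`, and use `$memberof` in both the constraint branch and the else branch, so a user created without property sync simply receives the default groups and no LDAP-derived membership. While here, `$tmp[1] == $tmp_container` compares two strings, so `===` avoids PHP's numeric-string coercion in the DN-suffix match, and the condition is missing a space before `||`. authenticate() begins and ends outside this hunk.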

