From e70cd0c611550094725a0251da8ec137d170ff1d Mon Sep 17 00:00:00 2001
From: Ad Schellevis
Date: Tue, 19 Nov 2024 08:45:05 +0100
Subject: [PATCH] System: Access: Servers - add "Default groups" option to add standard groups when a radius/ldap user logs in. closes https://github.com/opnsense/core/issues/8065 (fix ldap connector, remove read properties requirement)
---
 .../mvc/app/library/OPNsense/Auth/LDAP.php | 70 +++++++++----------
 1 file changed, 35 insertions(+), 35 deletions(-)
diff --git a/src/opnsense/mvc/app/library/OPNsense/Auth/LDAP.php b/src/opnsense/mvc/app/library/OPNsense/Auth/LDAP.php
index e20e41d9d76..8cd81ee29d4 100644
--- a/src/opnsense/mvc/app/library/OPNsense/Auth/LDAP.php
+++ b/src/opnsense/mvc/app/library/OPNsense/Auth/LDAP.php
@@ -526,46 +526,46 @@ public function authenticate($username, $password) } } } - // update group policies when applicable - if ($this->ldapSyncMemberOf || $this->ldapSyncCreateLocalUsers) { - // list of enabled groups, so we can ignore some local groups if needed - $sync_groups = []; - $default_groups = []; - if (!empty($this->ldapSyncMemberOfLimit)) { - $sync_groups = explode(",", strtolower($this->ldapSyncMemberOfLimit)); - } - if (!empty($this->ldapSyncDefaultGroups)) { - $default_groups = explode(",", strtolower($this->ldapSyncDefaultGroups)); - } + } + } + // update group policies when applicable + if (($this->ldapSyncMemberOf && $this->ldapReadProperties)|| $this->ldapSyncCreateLocalUsers) { + // list of enabled groups, so we can ignore some local groups if needed + $sync_groups = []; + $default_groups = []; + if (!empty($this->ldapSyncMemberOfLimit)) { + $sync_groups = explode(",", strtolower($this->ldapSyncMemberOfLimit)); + } + if (!empty($this->ldapSyncDefaultGroups)) { + $default_groups = explode(",", strtolower($this->ldapSyncDefaultGroups)); + } - if ($this->ldapSyncMemberOfConstraint) { - // Filter "memberOf" results to those recorded in ldapAuthcontainers, where - // the first part of the member is considered the group name, the rest should be an exact - // (case insensitive) match. - // (e.g. 
: cn=mygroup,cn=users,dc=opnsense,dc=local matches cn=users,dc=opnsense,dc=local) - $membersOf = []; - $tmp_containers = explode(";", strtolower($this->ldapAuthcontainers)); - foreach (explode("\n", $this->lastAuthProperties['memberof']) as $member) { - foreach ($tmp_containers as $tmp_container) { - $tmp = explode(",", strtolower($member), 2); - if (count($tmp) > 1 && $tmp[1] == $tmp_container) { - $membersOf[] = $member; - } - } + if ($this->ldapSyncMemberOfConstraint) { + // Filter "memberOf" results to those recorded in ldapAuthcontainers, where + // the first part of the member is considered the group name, the rest should be an exact + // (case insensitive) match. + // (e.g. : cn=mygroup,cn=users,dc=opnsense,dc=local matches cn=users,dc=opnsense,dc=local) + $membersOf = []; + $tmp_containers = explode(";", strtolower($this->ldapAuthcontainers)); + foreach (explode("\n", $this->lastAuthProperties['memberof']) as $member) { + foreach ($tmp_containers as $tmp_container) { + $tmp = explode(",", strtolower($member), 2); + if (count($tmp) > 1 && $tmp[1] == $tmp_container) { + $membersOf[] = $member; } - $membersOf = implode("\n", $membersOf); - } else { - $membersOf = $this->lastAuthProperties['memberof']; } - $this->setGroupMembership( - $username, - $membersOf, - $sync_groups, - $this->ldapSyncCreateLocalUsers, - $default_groups - ); } + $membersOf = implode("\n", $membersOf); + } else { + $membersOf = $this->lastAuthProperties['memberof']; } + $this->setGroupMembership( + $username, + $membersOf, + $sync_groups, + $this->ldapSyncCreateLocalUsers, + $default_groups + ); } }
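Review bot: With the relaxed condition `($this->ldapSyncMemberOf && $this->ldapReadProperties)|| $this->ldapSyncCreateLocalUsers`, the block now also runs when local user creation is enabled but ldapReadProperties is not, and both `$this->lastAuthProperties['memberof']` reads inside it (the explode() in the constraint branch and the else assignment) then depend on a key that, as far as this hunk shows, may only be populated when properties were actually read, which would produce an undefined-key warning and a null `$membersOf` handed to setGroupMembership(). Guarding both reads with `$this->lastAuthProperties['memberof'] ?? ''` keeps the default-groups path from depending on attributes that were never fetched; whether setGroupMembership() treats an empty memberOf list as "remove previously synced groups" is outside the hunk and worth confirming, since that would silently strip group assignments for such users. The new condition also deserves a one-line why-comment, e.g. `// memberOf sync needs the attributes fetched by ldapReadProperties; default groups / local user creation do not`, and it is missing the space before `||`. The moved comparison `$tmp[1] == $tmp_container` should use `===`, as both sides are lowercased strings and loose comparison applies numeric rules to numeric-looking strings. authenticate() begins before the hunk, so the scope the block was lifted out of is not visible here.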