authorCôme Chilliet <come.chilliet@nextcloud.com>2024-05-16 14:34:12 +0200
committerCôme Chilliet <come.chilliet@nextcloud.com>2025-01-28 09:55:30 +0100
commit002df12cd08f416e655b73f5268c250701cfcf2f (patch)
tree6a50c5a16cf0c163e83116a0c498b31992ddc476
parentf262fdf4b32a31fc753592e194530a64cf629db0 (diff)
fix(user_ldap): Do not map groups we do not know if they match filterbackport/45364/stable30
When nesting is enabled, filterValidGroups is supposed to check for each group whether it actually exists, because it may not be visible to Nextcloud. So in this codepath we disable automapping of groups. Signed-off-by: Côme Chilliet <come.chilliet@nextcloud.com> (cherry picked from commit de77415c70812405c814363f1b2364fea1d6f1c9)
-rw-r--r--apps/user_ldap/lib/Access.php13
-rw-r--r--apps/user_ldap/lib/Group_LDAP.php2
2 files changed, 11 insertions, 4 deletions
diff --git a/apps/user_ldap/lib/Access.php b/apps/user_ldap/lib/Access.php
index a4b4650810c..83272bb091e 100644
--- a/apps/user_ldap/lib/Access.php
+++ b/apps/user_ldap/lib/Access.php
@@ -387,10 +387,11 @@ class Access extends LDAPUtility {
*
* @param string $fdn the dn of the group object
* @param string $ldapName optional, the display name of the object
+ * @param bool $autoMapping Should the group be mapped if not yet mapped
* @return string|false with the name to use in Nextcloud, false on DN outside of search DN
* @throws \Exception
*/
- public function dn2groupname($fdn, $ldapName = null) {
+ public function dn2groupname($fdn, $ldapName = null, bool $autoMapping = true) {
//To avoid bypassing the base DN settings under certain circumstances
//with the group support, check whether the provided DN matches one of
//the given Bases
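Review bot: The `@return` line is now incomplete: it still says false is returned only for a DN outside the search DN, but with `$autoMapping = false` a DN that is not yet mapped also yields false. Suggest `* @return string|false with the name to use in Nextcloud, false on DN outside of search DN or on a not-yet-mapped DN when $autoMapping is false`. The new parameter is declared `bool` while `$fdn` and `$ldapName` stay untyped, an inconsistency worth aligning (`string $fdn, ?string $ldapName = null`) if existing callers are known to pass those types. dn2groupname's body continues outside the hunk.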
@@ -398,7 +399,7 @@ class Access extends LDAPUtility {
return false;
}
- return $this->dn2ocname($fdn, $ldapName, false);
+ return $this->dn2ocname($fdn, $ldapName, false, autoMapping:$autoMapping);
}
/**
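Review bot: The named argument on the new line is written `autoMapping:$autoMapping` with no space after the colon, which departs from PER-CS formatting and from the spacing of the rest of the call; `return $this->dn2ocname($fdn, $ldapName, false, autoMapping: $autoMapping);`. Since the call already mixes a positional `false` for `$isUser` with a named argument to skip `$newlyMapped` and `$record`, naming `isUser: false` as well would make the call self-describing.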
@@ -428,10 +429,11 @@ class Access extends LDAPUtility {
* @param bool $isUser optional, whether it is a user object (otherwise group assumed)
* @param bool|null $newlyMapped
* @param array|null $record
+ * @param bool $autoMapping Should the group be mapped if not yet mapped
* @return false|string with with the name to use in Nextcloud
* @throws \Exception
*/
- public function dn2ocname($fdn, $ldapName = null, $isUser = true, &$newlyMapped = null, ?array $record = null) {
+ public function dn2ocname($fdn, $ldapName = null, $isUser = true, &$newlyMapped = null, ?array $record = null, bool $autoMapping = true) {
static $intermediates = [];
if (isset($intermediates[($isUser ? 'user-' : 'group-') . $fdn])) {
return false; // is a known intermediate
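Review bot: The new `@param bool $autoMapping` docblock line says "Should the group be mapped", but dn2ocname resolves users as well as groups via `$isUser`, so the wording is misleading on the user path; suggest `* @param bool $autoMapping whether to create a new mapping for a not-yet-mapped object (user or group); when false, an unmapped DN returns false`. The `@return false|string` line should mention this new false case as well. The method body continues beyond the hunk.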
@@ -454,6 +456,11 @@ class Access extends LDAPUtility {
return $ncName;
}
+ if (!$autoMapping) {
+ /* If no auto mapping, stop there */
+ return false;
+ }
+
//second try: get the UUID and check if it is known. Then, update the DN and return the name.
$uuid = $this->getUUID($fdn, $isUser, $record);
if (is_string($uuid)) {
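Review bot: The early `return false` for `!$autoMapping` sits before the UUID lookup, so an object that is already mapped but whose DN has changed appears to be reported as unknown, even though the comment right after it says the second try finds a known UUID, updates the DN and returns the name. If the commit's intent is only to avoid creating new mappings for groups that may not match the filter, the guard would belong after that UUID block (which ends outside this hunk), immediately before the code that creates a new mapping: `if (!$autoMapping) { return false; }`. If skipping the UUID-based recovery is deliberate, the comment should say so, since `/* If no auto mapping, stop there */` does not explain it. The by-reference `$newlyMapped` is left untouched on this path, which matches the other false returns as far as visible here.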
diff --git a/apps/user_ldap/lib/Group_LDAP.php b/apps/user_ldap/lib/Group_LDAP.php
index ba75df02111..c1424164d97 100644
--- a/apps/user_ldap/lib/Group_LDAP.php
+++ b/apps/user_ldap/lib/Group_LDAP.php
@@ -1182,7 +1182,7 @@ class Group_LDAP extends ABackend implements GroupInterface, IGroupLDAP, IGetDis
continue;
}
$name = $item[$this->access->connection->ldapGroupDisplayName][0] ?? null;
- $gid = $this->access->dn2groupname($dn, $name);
+ $gid = $this->access->dn2groupname($dn, $name, false);
if (!$gid) {
continue;
}
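Review bot: The new call passes the flag positionally, `dn2groupname($dn, $name, false)`, which is easy to misread since the neighbouring dn2ocname signature also takes a bare `false` for a different flag (`$isUser`); a named argument documents the intent at the call site: `$gid = $this->access->dn2groupname($dn, $name, autoMapping: false);`. Named arguments are already used on the Access.php side of this commit, so this keeps the style consistent. The enclosing method (presumably filterValidGroups, per the commit description) starts and ends outside the hunk.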