author | Arthur Schiwon <blizzz@owncloud.com> | 2012-05-08 23:47:23 +0200 |
committer | Arthur Schiwon <blizzz@owncloud.com> | 2012-05-08 23:49:33 +0200 |
commit | c1490239e53a30c27e8512f7a04664c155b9e144 (patch) | |
tree | 71d86da9e88351fe07b0634f6f752aea1c18b3a8 | |
parent | 051442bc7654cc41bc8e1bb48762494764111daa (diff) | |
LDAP group: support for memberUid, fix for oc-594
-rwxr-xr-x | apps/user_ldap/group_ldap.php | 46 | ||||
-rwxr-xr-x | apps/user_ldap/lib_ldap.php | 3 | ||||
-rwxr-xr-x | apps/user_ldap/settings.php | 3 | ||||
-rw-r--r-- | apps/user_ldap/templates/settings.php | 1 | ||||
-rwxr-xr-x | apps/user_ldap/user_ldap.php | 4 |
5 files changed, 49 insertions, 8 deletions
diff --git a/apps/user_ldap/group_ldap.php b/apps/user_ldap/group_ldap.php index 96a7fe5068e..591ba41253c 100755 --- a/apps/user_ldap/group_ldap.php +++ b/apps/user_ldap/group_ldap.php @@ -24,9 +24,11 @@ class OC_GROUP_LDAP extends OC_Group_Backend { // //group specific settings protected $ldapGroupFilter; + protected $ldapGroupMemberAssocAttr; public function __construct() { - $this->ldapGroupFilter = OCP\Config::getAppValue('user_ldap', 'ldap_group_filter', '(objectClass=posixGroup)'); + $this->ldapGroupFilter = OCP\Config::getAppValue('user_ldap', 'ldap_group_filter', '(objectClass=posixGroup)'); + $this->ldapGroupMemberAssocAttr = OCP\Config::getAppValue('user_ldap', 'ldap_group_member_assoc_attribute', 'uniqueMember'); } /** @@ -44,7 +46,22 @@ class OC_GROUP_LDAP extends OC_Group_Backend { if(!$dn_group || !$dn_user) { return false; } - $members = OC_LDAP::readAttribute($dn_group, LDAP_GROUP_MEMBER_ASSOC_ATTR); + $members = OC_LDAP::readAttribute($dn_group, $this->ldapGroupMemberAssocAttr); + + //extra work if we don't get back user DNs + //TODO: this can be done with one LDAP query + if(strtolower($this->ldapGroupMemberAssocAttr) == 'memberuid') { + $dns = array(); + foreach($members as $uid) { + $filter = str_replace('%uid', $uid, OC_LDAP::conf('ldapLoginFilter')); + $ldap_users = OC_LDAP::fetchListOfUsers($filter, 'dn'); + if(count($ldap_users) < 1) { + continue; + } + $dns[] = $ldap_users[0]; + } + $members = $dns; + } return in_array($dn_user, $members); } 
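Review bot: In the new memberUid branch of inGroup the raw attribute value is spliced into the login filter by `str_replace('%uid', $uid, OC_LDAP::conf('ldapLoginFilter'))` with no escaping, so a memberUid containing filter metacharacters changes the query — with the default `(uid=%uid)` a value of `*` becomes `(uid=*)` and `$ldap_users[0]` is whichever entry the directory returns first, which this method then counts as a group member. The values come from group entries rather than the login form, so only someone who can write groups can abuse it, but escaping the RFC 4515 specials before substitution is cheap: `$safe = str_replace(array('\\', '*', '(', ')', "\0"), array('\5c', '\2a', '\28', '\29', '\00'), $uid);` and then substitute `$safe`. Taking `$ldap_users[0]` after only `count($ldap_users) < 1` also silently picks an arbitrary user when the filter matches several entries; `if(count($ldap_users) != 1) { continue; }` is the safer condition. If `readAttribute` can return `false` for a group with no members (not visible in this hunk), both the `foreach` and the final `in_array` would warn, so an early `if(!is_array($members)) { return false; }` is worth adding at the top.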
@@ -63,9 +80,20 @@ class OC_GROUP_LDAP extends OC_Group_Backend { return array(); } + //uniqueMember takes DN, memberuid the uid, so we need to distinguish + if(strtolower($this->ldapGroupMemberAssocAttr) == 'uniquemember') { + $uid = $userDN; + } else if(strtolower($this->ldapGroupMemberAssocAttr) == 'memberuid') { + $result = OC_LDAP::readAttribute($userDN, 'uid'); + $uid = $result[0]; + } else { + // just in case + $uid = $userDN; + } + $filter = OC_LDAP::combineFilterWithAnd(array( $this->ldapGroupFilter, - LDAP_GROUP_MEMBER_ASSOC_ATTR.'='.$userDN + $this->ldapGroupMemberAssocAttr.'='.$uid )); $groups = OC_LDAP::fetchListOfGroups($filter, array(OC_LDAP::conf('ldapGroupDisplayName'),'dn')); $userGroups = OC_LDAP::ownCloudGroupNames($groups); @@ -82,9 +110,19 @@ class OC_GROUP_LDAP extends OC_Group_Backend { if(!$groupDN) { return array(); } - $members = OC_LDAP::readAttribute($groupDN, LDAP_GROUP_MEMBER_ASSOC_ATTR); + $members = OC_LDAP::readAttribute($groupDN, $this->ldapGroupMemberAssocAttr); $result = array(); foreach($members as $member) { + if(strtolower($this->ldapGroupMemberAssocAttr) == 'memberuid') { + $filter = str_replace('%uid', $member, OC_LDAP::conf('ldapLoginFilter')); + $ldap_users = OC_LDAP::fetchListOfUsers($filter, 'dn'); + if(count($ldap_users) < 1) { + continue; + } + $result[] = OC_LDAP::dn2username($ldap_users[0]); + continue; + } + //de-facto else $result[] = OC_LDAP::dn2username($member); } return array_unique($result, SORT_LOCALE_STRING); diff --git a/apps/user_ldap/lib_ldap.php b/apps/user_ldap/lib_ldap.php index 9de03a07fef..30806a63b08 100755 --- a/apps/user_ldap/lib_ldap.php +++ b/apps/user_ldap/lib_ldap.php @@ -49,6 +49,7 @@ class OC_LDAP { static protected $ldapUserDisplayName; static protected $ldapUserFilter; static protected $ldapGroupDisplayName; + static protected $ldapLoginFilter; static public function init() { self::readConfiguration(); 
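Review bot: In the memberUid case of getUserGroups, `$uid = $result[0]` is assigned without checking that `OC_LDAP::readAttribute($userDN, 'uid')` returned anything; a user entry with no uid (or a `false` return, if the helper does that) leaves `$uid` empty and the term becomes `memberUid=`, which matches nothing at best and is rejected by the server at worst. Guard it with `if(empty($result)) { return array(); }` before the assignment. The value is then concatenated into the filter via `$this->ldapGroupMemberAssocAttr.'='.$uid` unescaped — a DN can legitimately contain `\`, `(` or `)` in its attribute values (this was already true of the removed `uniqueMember` line), so escaping those per RFC 4515 before building the term keeps the filter well-formed; the `else // just in case` fallback also means any other configured attribute name lands verbatim in the filter, which argues for validating the setting where it is read. getUserGroups itself starts above this hunk.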
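Review bot: The uid-to-DN lookup added to getUsersInGroup (build the login filter, `fetchListOfUsers($filter, 'dn')`, check the count, take `[0]`) is the same five lines this commit adds to inGroup, and the `continue` inside the `if` followed by a `//de-facto else` comment is the usual sign that the branch wants to be a private helper. A `memberUidToDn($uid)` method lets both callers share one place for the escaping and for the "exactly one match" rule (the helper below deliberately requires `== 1` rather than `>= 1`, so an ambiguous filter skips the member instead of attributing it to an arbitrary user). Hoisting the `strtolower(...) == 'memberuid'` test out of the loop also avoids recomputing it per member.

```php
/**
 * Resolve a memberUid value to the DN of the matching user via the login filter.
 * Returns the DN, or false when no user, or more than one user, matches.
 */
private function memberUidToDn($uid) {
    // escape RFC 4515 filter specials so the uid cannot rewrite the query
    $safe = str_replace(array('\\', '*', '(', ')', "\0"), array('\5c', '\2a', '\28', '\29', '\00'), $uid);
    $filter = str_replace('%uid', $safe, OC_LDAP::conf('ldapLoginFilter'));
    $ldap_users = OC_LDAP::fetchListOfUsers($filter, 'dn');
    if(count($ldap_users) != 1) {
        return false;
    }
    return $ldap_users[0];
}

// … unchanged: getUsersInGroup up to the foreach …
$memberUidMode = (strtolower($this->ldapGroupMemberAssocAttr) == 'memberuid');
foreach($members as $member) {
    $dn = $memberUidMode ? $this->memberUidToDn($member) : $member;
    if($dn === false) {
        continue;
    }
    $result[] = OC_LDAP::dn2username($dn);
}
// … unchanged: array_unique and return …
```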
@@ -76,6 +77,7 @@ class OC_LDAP { $availableProperties = array( 'ldapUserDisplayName', 'ldapGroupDisplayName', + 'ldapLoginFilter' ); if(in_array($key, $availableProperties)) { @@ -574,6 +576,7 @@ class OC_LDAP { self::$ldapNoCase = OCP\Config::getAppValue('user_ldap', 'ldap_nocase', 0); self::$ldapUserDisplayName = OCP\Config::getAppValue('user_ldap', 'ldap_display_name', OC_USER_BACKEND_LDAP_DEFAULT_DISPLAY_NAME); self::$ldapUserFilter = OCP\Config::getAppValue('user_ldap', 'ldap_userlist_filter','objectClass=person'); + self::$ldapLoginFilter = OCP\Config::getAppValue('user_ldap', 'ldap_login_filter', '(uid=%uid)'); self::$ldapGroupDisplayName = OCP\Config::getAppValue('user_ldap', 'ldap_group_display_name', LDAP_GROUP_DISPLAY_NAME_ATTR); if(empty(self::$ldapBaseUsers)) { diff --git a/apps/user_ldap/settings.php b/apps/user_ldap/settings.php index 343a659ea26..de7110fe9a8 100755 --- a/apps/user_ldap/settings.php +++ b/apps/user_ldap/settings.php @@ -20,7 +20,7 @@ * License along with this library. If not, see <http://www.gnu.org/licenses/>. * */ -$params = array('ldap_host', 'ldap_port', 'ldap_dn', 'ldap_password', 'ldap_base', 'ldap_base_users', 'ldap_base_groups', 'ldap_userlist_filter', 'ldap_login_filter', 'ldap_group_filter', 'ldap_display_name', 'ldap_tls', 'ldap_nocase', 'ldap_quota_def', 'ldap_quota_attr', 'ldap_email_attr'); +$params = array('ldap_host', 'ldap_port', 'ldap_dn', 'ldap_password', 'ldap_base', 'ldap_base_users', 'ldap_base_groups', 'ldap_userlist_filter', 'ldap_login_filter', 'ldap_group_filter', 'ldap_display_name', 'ldap_tls', 'ldap_nocase', 'ldap_quota_def', 'ldap_quota_attr', 'ldap_email_attr', 'ldap_group_member_assoc_attribute'); OCP\Util::addscript('user_ldap', 'settings'); 
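Review bot: Adding `'ldap_group_member_assoc_attribute'` to `$params` in settings.php makes it one of the posted fields the page persists (the `foreach($params as $param)` loop is visible in the next hunk's header, though the body that stores the values is not), and nothing in this commit restricts the stored value to the two names the template offers. The consumer side treats anything other than `uniqueMember`/`memberUid` as a DN-valued attribute and concatenates the name straight into the group filter, so a mistyped or tampered POST value silently breaks or reshapes group lookups. Since the settings form is admin-only this is a robustness point more than an exploit, but it is a one-line check: before saving, `if(!in_array($value, array('uniqueMember', 'memberUid'), true)) { $value = 'uniqueMember'; }` (or reject the request), and/or have OC_GROUP_LDAP's constructor apply the same fallback when reading the config.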
@@ -50,5 +50,6 @@ foreach($params as $param){ // settings with default values $tmpl->assign( 'ldap_port', OCP\Config::getAppValue('user_ldap', 'ldap_port', OC_USER_BACKEND_LDAP_DEFAULT_PORT)); $tmpl->assign( 'ldap_display_name', OCP\Config::getAppValue('user_ldap', 'ldap_display_name', OC_USER_BACKEND_LDAP_DEFAULT_DISPLAY_NAME)); +$tmpl->assign( 'ldap_group_member_assoc_attribute', OCP\Config::getAppValue('user_ldap', 'ldap_group_member_assoc_attribute', 'uniqueMember')); return $tmpl->fetchPage(); diff --git a/apps/user_ldap/templates/settings.php b/apps/user_ldap/templates/settings.php index cb3beac9797..48e136668d1 100644 --- a/apps/user_ldap/templates/settings.php +++ b/apps/user_ldap/templates/settings.php 
@@ -17,6 +17,7 @@ <p><label for="ldap_port"><?php echo $l->t('Port');?></label><input type="text" id="ldap_port" name="ldap_port" value="<?php echo $_['ldap_port']; ?>" /></p> <p><label for="ldap_base_users"><?php echo $l->t('Base User Tree');?></label><input type="text" id="ldap_base_users" name="ldap_base_users" value="<?php echo $_['ldap_base_users']; ?>" /></p> <p><label for="ldap_base_groups"><?php echo $l->t('Base Group Tree');?></label><input type="text" id="ldap_base_groups" name="ldap_base_groups" value="<?php echo $_['ldap_base_groups']; ?>" /></p> + <p><label for="ldap_group_member_assoc_attribute"><?php echo $l->t('Group-Member association');?></label><select id="ldap_group_member_assoc_attribute" name="ldap_group_member_assoc_attribute"><option value="uniqueMember"<?php if (isset($_['ldap_group_member_assoc_attribute']) && ($_['ldap_group_member_assoc_attribute'] == 'uniqueMember')) echo ' selected'; ?>>uniqueMember</option><option value="memberUid"<?php if (isset($_['ldap_group_member_assoc_attribute']) && ($_['ldap_group_member_assoc_attribute'] == 'memberUid')) echo ' selected'; ?>>memberUid</option></select></p> <p><input type="checkbox" id="ldap_tls" name="ldap_tls" value="1"<?php if ($_['ldap_tls']) echo ' checked'; ?>><label for="ldap_tls"><?php echo $l->t('Use TLS');?></label></p> <p><input type="checkbox" id="ldap_nocase" name="ldap_nocase" value="1"<?php if (isset($_['ldap_nocase']) && ($_['ldap_nocase'])) echo ' checked'; ?>><label for="ldap_nocase"><?php echo $l->t('Case insensitve LDAP server (Windows)');?></label></p> <p><label for="ldap_display_name"><?php echo $l->t('Display Name Field');?></label><input type="text" id="ldap_display_name" name="ldap_display_name" value="<?php echo $_['ldap_display_name']; ?>" /> diff --git a/apps/user_ldap/user_ldap.php b/apps/user_ldap/user_ldap.php index e40d06d3d55..ba66c7a9ca8 100755 --- a/apps/user_ldap/user_ldap.php +++ b/apps/user_ldap/user_ldap.php 
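Review bot: The new `<select>` line repeats the `isset($_['ldap_group_member_assoc_attribute']) && (... == '...')` test once per `<option>`, which is why it runs to several hundred characters on a single line; a loop over the two allowed attribute names keeps the selected-state logic in one place and makes adding a third value a one-token change. The stored value is only compared here, never echoed, so this line has no escaping concern, unlike the surrounding `value="<?php echo $_[...]; ?>"` inputs, which are pre-existing and outside this change.

```php
<p><label for="ldap_group_member_assoc_attribute"><?php echo $l->t('Group-Member association');?></label>
<select id="ldap_group_member_assoc_attribute" name="ldap_group_member_assoc_attribute">
<?php $current = isset($_['ldap_group_member_assoc_attribute']) ? $_['ldap_group_member_assoc_attribute'] : null;
foreach(array('uniqueMember', 'memberUid') as $attr): ?>
	<option value="<?php echo $attr; ?>"<?php if($attr == $current) echo ' selected'; ?>><?php echo $attr; ?></option>
<?php endforeach; ?>
</select></p>
```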
@@ -27,7 +27,6 @@ class OC_USER_LDAP extends OC_User_Backend { // cached settings protected $ldapUserFilter; - protected $ldapLoginFilter; protected $ldapQuotaAttribute; protected $ldapQuotaDefault; protected $ldapEmailAttribute; @@ -37,7 +36,6 @@ class OC_USER_LDAP extends OC_User_Backend { public function __construct() { $this->ldapUserFilter = OCP\Config::getAppValue('user_ldap', 'ldap_userlist_filter', '(objectClass=posixAccount)'); - $this->ldapLoginFilter = OCP\Config::getAppValue('user_ldap', 'ldap_login_filter', '(uid=%uid)'); $this->ldapQuotaAttribute = OCP\Config::getAppValue('user_ldap', 'ldap_quota_attr', ''); $this->ldapQuotaDefault = OCP\Config::getAppValue('user_ldap', 'ldap_quota_def', ''); $this->ldapEmailAttribute = OCP\Config::getAppValue('user_ldap', 'ldap_email_attr', ''); @@ -83,7 +81,7 @@ class OC_USER_LDAP extends OC_User_Backend { */ public function checkPassword($uid, $password){ //find out dn of the user name - $filter = str_replace('%uid', $uid, $this->ldapLoginFilter); + $filter = str_replace('%uid', $uid, OC_LDAP::conf('ldapLoginFilter')); $ldap_users = OC_LDAP::fetchListOfUsers($filter, 'dn'); if(count($ldap_users) < 1) { return false; |
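Review bot: The replacement line in checkPassword, `$filter = str_replace('%uid', $uid, OC_LDAP::conf('ldapLoginFilter'));`, still substitutes the login name into the filter with no escaping, and `$uid` here is whatever was typed at the login form (checkPassword is the backend's login hook), so input such as `*` or `)(objectClass=*` rewrites the query — with the default `(uid=%uid)` a login name of `*` yields `(uid=*)`, and the code goes on with `$ldap_users[0]`, the first account the directory returns, presumably binding as that account with the supplied password. The commit only moves where the filter template is read, so the hole is pre-existing, but this is the one place the filter is built from untrusted input and should escape the RFC 4515 specials first: `$safeUid = str_replace(array('\\', '*', '(', ')', "\0"), array('\5c', '\2a', '\28', '\29', '\00'), $uid);` then `$filter = str_replace('%uid', $safeUid, OC_LDAP::conf('ldapLoginFilter'));`. Requiring exactly one hit, `if(count($ldap_users) != 1) { return false; }`, instead of at least one would additionally refuse wildcard logins even if escaping is ever bypassed. checkPassword continues past the end of this hunk.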