Apply ldapUserFilter on members of group

Refers to issue #8220

user_ldap configured with custom filters for active directory access
(group-member-association is "member"). Then it can happen that the
members of a group contain members that don't belong to the users
available in Nextcloud (the most trivial reason is that the user filter
contains "(!(UserAccountControl:1.2.840.113556.1.4.803:=2))" to exclude
disabled users from being imported).

This can be fixed by applying the ldapUserFilter when resolving the UID
for a DN fetched from the group's member list.

Signed-off-by: Roland Tapken <roland@bitarbeiter.net>

1 files changed, 5 insertions, 1 deletions

diff --git a/apps/user_ldap/lib/Access.php b/apps/user_ldap/lib/Access.php
index 3d182077764..e255156dcf6 100644
--- a/apps/user_ldap/lib/Access.php
+++ b/apps/user_ldap/lib/Access.php
@@ -564,7 +564,11 @@ class Access extends LDAPUtility implements IUserTools {
 		}
 
 		if(is_null($ldapName)) {
-			$ldapName = $this->readAttribute($fdn, $nameAttribute);
+			if ($isUser) {
+				$ldapName = $this->readAttribute($fdn, $nameAttribute, $this->connection->ldapUserFilter);
+			} else {
+				$ldapName = $this->readAttribute($fdn, $nameAttribute);
+			}
 			if(!isset($ldapName[0]) && empty($ldapName[0])) {
 				\OCP\Util::writeLog('user_ldap', 'No or empty name for '.$fdn.'.', \OCP\Util::INFO);
 				return false;