authorMorris Jobke <hey@morrisjobke.de>2015-08-26 11:42:47 +0200
committerMorris Jobke <hey@morrisjobke.de>2015-08-26 11:42:47 +0200
commit27af0e82ddba29512a4a5fe08cbd060cc6251264 (patch)
treee2e1e8f721305e3abdb95f13ac55e921db61c4c1 /apps
parent7ed8c7f75c0aa035b44e7db6fa1f9f486dedbdf8 (diff)
parenta55f233e9ffac7d492733f50a37343b4243898bf (diff)
downloadnextcloud-server-27af0e82ddba29512a4a5fe08cbd060cc6251264.tar.gz
nextcloud-server-27af0e82ddba29512a4a5fe08cbd060cc6251264.zip
Merge pull request #18042 from GreenArchon/master
Properly nest groups when using memberOf to detect group membership, …
Diffstat (limited to 'apps')
-rw-r--r--apps/user_ldap/group_ldap.php35
-rw-r--r--apps/user_ldap/tests/group_ldap.php7
2 files changed, 35 insertions, 7 deletions
diff --git a/apps/user_ldap/group_ldap.php b/apps/user_ldap/group_ldap.php
index 1bc0392a7d7..a5fc59d3b07 100644
--- a/apps/user_ldap/group_ldap.php
+++ b/apps/user_ldap/group_ldap.php
@@ -182,6 +182,36 @@ class GROUP_LDAP extends BackendUtility implements \OCP\GroupInterface {
}
/**
+ * @param string $DN
+ * @param array|null &$seen
+ * @return array
+ */
+ private function _getGroupDNsFromMemberOf($DN, &$seen = null) {
+ if ($seen === null) {
+ $seen = array();
+ }
+ if (array_key_exists($DN, $seen)) {
+ // avoid loops
+ return array();
+ }
+ $seen[$DN] = 1;
+ $groups = $this->access->readAttribute($DN, 'memberOf');
+ if (!is_array($groups)) {
+ return array();
+ }
+ $groups = $this->access->groupsMatchFilter($groups);
+ $allGroups = $groups;
+ $nestedGroups = $this->access->connection->ldapNestedGroups;
+ if (intval($nestedGroups) === 1) {
+ foreach ($groups as $group) {
+ $subGroups = $this->_getGroupDNsFromMemberOf($group, $seen);
+ $allGroups = array_merge($allGroups, $subGroups);
+ }
+ }
+ return $allGroups;
+ }
+
+ /**
* translates a primary group ID into an ownCloud internal name
* @param string $gid as given by primaryGroupID on AD
* @param string $dn a DN that belongs to the same domain as the group
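Review bot: The list returned by `_getGroupDNsFromMemberOf()` can hold the same group DN more than once, because `$allGroups = $groups` keeps a group even when it is already in `$seen`, so two groups that share a parent each contribute that parent. Since this list decides group membership, `return array_unique($allGroups);` (or de-duplicating in the caller) would keep it clean. `$seen` is keyed on the raw DN string while LDAP DNs compare case-insensitively, so the loop guard presumably relies on the server returning one spelling per DN; normalising the key would make that explicit. The docblock has no description; it could say `Returns the DNs of all groups the entry belongs to via memberOf, following nested groups when ldapNestedGroups is enabled; $seen guards against membership loops.`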
@@ -377,10 +407,8 @@ class GROUP_LDAP extends BackendUtility implements \OCP\GroupInterface {
if(intval($this->access->connection->hasMemberOfFilterSupport) === 1
&& intval($this->access->connection->useMemberOfToDetectMembership) === 1
) {
- $groupDNs = $this->access->readAttribute($userDN, 'memberOf');
-
+ $groupDNs = $this->_getGroupDNsFromMemberOf($userDN);
if (is_array($groupDNs)) {
- $groupDNs = $this->access->groupsMatchFilter($groupDNs);
foreach ($groupDNs as $dn) {
$groupName = $this->access->dn2groupname($dn);
if(is_string($groupName)) {
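Review bot: The `is_array($groupDNs)` guard is now always true, because `_getGroupDNsFromMemberOf()` returns `array()` whenever `readAttribute()` does not return an array. A failed LDAP read and an entry with no groups therefore look the same here and at every nested level, so a failed nested read silently drops the inherited groups for this lookup; whether the result is cached is not visible in the hunk. Consider dropping the guard and marking the helper's early return with `// non-array result: read failed or memberOf absent; nested memberships may be incomplete`, ideally with a log entry so a partial list can be told apart from a complete one. The enclosing method starts and ends outside the hunk.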
@@ -390,6 +418,7 @@ class GROUP_LDAP extends BackendUtility implements \OCP\GroupInterface {
}
}
}
+
if($primaryGroup !== false) {
$groups[] = $primaryGroup;
}
diff --git a/apps/user_ldap/tests/group_ldap.php b/apps/user_ldap/tests/group_ldap.php
index f716618ce48..805238e7d37 100644
--- a/apps/user_ldap/tests/group_ldap.php
+++ b/apps/user_ldap/tests/group_ldap.php
@@ -395,16 +395,15 @@ class Test_Group_Ldap extends \Test\TestCase {
->method('username2dn')
->will($this->returnValue($dn));
- $access->expects($this->once())
+ $access->expects($this->exactly(3))
->method('readAttribute')
- ->with($dn, 'memberOf')
- ->will($this->returnValue(['cn=groupA,dc=foobar', 'cn=groupB,dc=foobar']));
+ ->will($this->onConsecutiveCalls(['cn=groupA,dc=foobar', 'cn=groupB,dc=foobar'], [], []));
$access->expects($this->exactly(2))
->method('dn2groupname')
->will($this->returnArgument(0));
- $access->expects($this->once())
+ $access->expects($this->exactly(3))
->method('groupsMatchFilter')
->will($this->returnArgument(0));
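Review bot: The updated expectation drops `->with($dn, 'memberOf')`, so the test no longer checks which entry or attribute is read. Adding `->withConsecutive([$dn, 'memberOf'], ['cn=groupA,dc=foobar', 'memberOf'], ['cn=groupB,dc=foobar', 'memberOf'])` would pin that the recursion reads the user and then each returned group. Both nested reads return `[]`, so neither real nesting nor the `$seen` loop guard is exercised; a case where groupA and groupB list each other in memberOf would cover the new branch. The test method starts outside the hunk.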