diff --git a/webui/config.php b/webui/config.php index 06a618f4..36da5703 100644 --- a/webui/config.php +++ b/webui/config.php @@ -43,6 +43,7 @@ $config['LDAP_ACCOUNT_OBJECTCLASS'] = 'zimbraAccount'; $config['LDAP_BASE_DN'] = ''; $config['LDAP_DISTRIBUTIONLIST_OBJECTCLASS'] = 'zimbraDistributionList'; $config['LDAP_DISTRIBUTIONLIST_ATTR'] = 'zimbraMailForwardingAddress'; +$config['LDAP_AUDITOR_MEMBER_DN'] = ''; // AD specific settings diff --git a/webui/model/user/auth.php b/webui/model/user/auth.php index 5211cb0e..728b05dd 100644 --- a/webui/model/user/auth.php +++ b/webui/model/user/auth.php @@ -80,9 +80,11 @@ class ModelUserAuth extends Model { $query = $ldap->query(LDAP_BASE_DN, "(|(&(objectClass=" . LDAP_ACCOUNT_OBJECTCLASS . ")(" . LDAP_MAIL_ATTR . "=$username))(&(objectClass=" . LDAP_DISTRIBUTIONLIST_OBJECTCLASS . ")(" . LDAP_DISTRIBUTIONLIST_ATTR . "=$username)" . ")(&(objectClass=" . LDAP_DISTRIBUTIONLIST_OBJECTCLASS . ")(" . LDAP_DISTRIBUTIONLIST_ATTR . "=" . $a['dn'] . ")))", array()); + $is_auditor = $this->check_ldap_membership($query->rows); + $emails = $this->get_email_array_from_ldap_attr($query->rows); - $this->add_session_vars($a['cn'], $username, $emails); + $this->add_session_vars($a['cn'], $username, $emails, $is_auditor); AUDIT(ACTION_LOGIN, $username, '', '', 'successful auth against LDAP'); @@ -101,6 +103,33 @@ class ModelUserAuth extends Model { } + private function check_ldap_membership($e = array()) { + if(LDAP_AUDITOR_MEMBER_DN == '') { return 0; } + + foreach($e as $a) { + foreach (array("member", "memberof") as $memberattr) { + if(isset($a[$memberattr])) { + + if(isset($a[$memberattr]['count'])) { + for($i = 0; $i < $a[$memberattr]['count']; $i++) { + if($a[$memberattr][$i] == LDAP_AUDITOR_MEMBER_DN) { + return 1; + } + } + } + else { + if($a[$memberattr] == LDAP_AUDITOR_MEMBER_DN) { + return 1; + } + } + } + } + } + + return 0; + } + + private function get_email_array_from_ldap_attr($e = array()) { $data = array(); @@ -128,7 +157,7 @@ class ModelUserAuth extends Model { } - private function add_session_vars($name = '', $email = '', $emails = array()) { + private function add_session_vars($name = '', $email = '', $emails = array(), $is_auditor = 0) { $a = explode("@", $email); $uid = $this->model_user_user->get_uid_by_email($email); @@ -139,7 +168,13 @@ class ModelUserAuth extends Model { $_SESSION['username'] = $name; $_SESSION['uid'] = $uid; - $_SESSION['admin_user'] = 0; + + if($is_auditor == 1) { + $_SESSION['admin_user'] = 2; + } else { + $_SESSION['admin_user'] = 0; + } + $_SESSION['email'] = $email; $_SESSION['domain'] = $a[1]; $_SESSION['realname'] = $name; @@ -182,7 +217,7 @@ class ModelUserAuth extends Model { if($imap->login($username, $password)) { $imap->logout(); - $this->add_session_vars($username, $username, array($username)); + $this->add_session_vars($username, $username, array($username), 0); $_SESSION['password'] = $password; @@ -216,7 +251,7 @@ class ModelUserAuth extends Model { $emails = $this->get_email_array_from_ldap_attr($query->rows); - $this->add_session_vars($a['cn'], $username, $emails); + $this->add_session_vars($a['cn'], $username, $emails, 0); AUDIT(ACTION_LOGIN, $username, '', '', 'successful auth against LDAP');