ldap auth auditor access patch

This commit is contained in:
SJ 2013-05-03 09:48:32 +02:00
parent 12bb5f0b43
commit a8b87e0ce1
2 changed files with 41 additions and 5 deletions

View File

@ -43,6 +43,7 @@ $config['LDAP_ACCOUNT_OBJECTCLASS'] = 'zimbraAccount';
$config['LDAP_BASE_DN'] = '';
$config['LDAP_DISTRIBUTIONLIST_OBJECTCLASS'] = 'zimbraDistributionList';
$config['LDAP_DISTRIBUTIONLIST_ATTR'] = 'zimbraMailForwardingAddress';
$config['LDAP_AUDITOR_MEMBER_DN'] = '';
// AD specific settings

View File

@ -80,9 +80,11 @@ class ModelUserAuth extends Model {
$query = $ldap->query(LDAP_BASE_DN, "(|(&(objectClass=" . LDAP_ACCOUNT_OBJECTCLASS . ")(" . LDAP_MAIL_ATTR . "=$username))(&(objectClass=" . LDAP_DISTRIBUTIONLIST_OBJECTCLASS . ")(" . LDAP_DISTRIBUTIONLIST_ATTR . "=$username)" . ")(&(objectClass=" . LDAP_DISTRIBUTIONLIST_OBJECTCLASS . ")(" . LDAP_DISTRIBUTIONLIST_ATTR . "=" . $a['dn'] . ")))", array());
$is_auditor = $this->check_ldap_membership($query->rows);
$emails = $this->get_email_array_from_ldap_attr($query->rows);
$this->add_session_vars($a['cn'], $username, $emails);
$this->add_session_vars($a['cn'], $username, $emails, $is_auditor);
AUDIT(ACTION_LOGIN, $username, '', '', 'successful auth against LDAP');
@ -101,6 +103,33 @@ class ModelUserAuth extends Model {
}
private function check_ldap_membership($e = array()) {
if(LDAP_AUDITOR_MEMBER_DN == '') { return 0; }
foreach($e as $a) {
foreach (array("member", "memberof") as $memberattr) {
if(isset($a[$memberattr])) {
if(isset($a[$memberattr]['count'])) {
for($i = 0; $i < $a[$memberattr]['count']; $i++) {
if($a[$memberattr][$i] == LDAP_AUDITOR_MEMBER_DN) {
return 1;
}
}
}
else {
if($a[$memberattr] == LDAP_AUDITOR_MEMBER_DN) {
return 1;
}
}
}
}
}
return 0;
}
private function get_email_array_from_ldap_attr($e = array()) {
$data = array();
@ -128,7 +157,7 @@ class ModelUserAuth extends Model {
}
private function add_session_vars($name = '', $email = '', $emails = array()) {
private function add_session_vars($name = '', $email = '', $emails = array(), $is_auditor = 0) {
$a = explode("@", $email);
$uid = $this->model_user_user->get_uid_by_email($email);
@ -139,7 +168,13 @@ class ModelUserAuth extends Model {
$_SESSION['username'] = $name;
$_SESSION['uid'] = $uid;
if($is_auditor == 1) {
$_SESSION['admin_user'] = 2;
} else {
$_SESSION['admin_user'] = 0;
}
$_SESSION['email'] = $email;
$_SESSION['domain'] = $a[1];
$_SESSION['realname'] = $name;
@ -182,7 +217,7 @@ class ModelUserAuth extends Model {
if($imap->login($username, $password)) {
$imap->logout();
$this->add_session_vars($username, $username, array($username));
$this->add_session_vars($username, $username, array($username), 0);
$_SESSION['password'] = $password;
@ -216,7 +251,7 @@ class ModelUserAuth extends Model {
$emails = $this->get_email_array_from_ldap_attr($query->rows);
$this->add_session_vars($a['cn'], $username, $emails);
$this->add_session_vars($a['cn'], $username, $emails, 0);
AUDIT(ACTION_LOGIN, $username, '', '', 'successful auth against LDAP');