From 65f74215d3e5b90f25759b03923e637960d31398 Mon Sep 17 00:00:00 2001
From: jonathon-k
Date: Fri, 21 Oct 2016 10:22:13 -0600
Subject: [PATCH] feature: Add an option for ad authentication to have a default level (#4801)
* Add an option for ad authentication to have a default level
* rework as a flag indicating unspecified access is global read
* Fix indentation
---
 doc/Extensions/Authentication.md | 2 +-
 html/includes/authentication/active_directory.inc.php | 7 ++++++-
 2 files changed, 7 insertions(+), 2 deletions(-)
diff --git a/doc/Extensions/Authentication.md b/doc/Extensions/Authentication.md
index 273df94b38..9f11fcc65d 100644
--- a/doc/Extensions/Authentication.md
+++ b/doc/Extensions/Authentication.md
@@ -140,7 +140,7 @@ If you have issues with secure LDAP try setting `$config['auth_ad_check_certific
 ##### Require actual membership of the configured groups
-If you set ```$config['auth_ad_require_groupmembership']``` to 1, the authenticated user has to be a member of the specific group. Otherwise all users can authenticate, but are limited to user level 0 and only have access to shared dashboards.
+If you set ```$config['auth_ad_require_groupmembership']``` to 1, the authenticated user has to be a member of the specific group. Otherwise all users can authenticate, and will be either level 0 or you may set ```$config['auth_ad_global_read']``` to 1 and all users will have read only access unless otherwise specified.
 > Cleanup of old accounts is done using the authlog. You will need to set the cleanup date for when old accounts will be purged which will happen AUTOMATICALLY.
 > Please ensure that you set the $config['authlog_purge'] value to be greater than $config['active_directory]['users_purge'] otherwise old users won't be removed.
diff --git a/html/includes/authentication/active_directory.inc.php b/html/includes/authentication/active_directory.inc.php
index b8c2261f72..11f6d154cc 100644
--- a/html/includes/authentication/active_directory.inc.php
+++ b/html/includes/authentication/active_directory.inc.php
@@ -156,6 +156,11 @@ function get_userlevel($username)
     global $config, $ldap_connection;
     $userlevel = 0;
+    if (isset($config['auth_ad_require_groupmembership']) && $config['auth_ad_require_groupmembership'] == 0) {
+        if (isset($config['auth_ad_global_read']) && $config['auth_ad_global_read'] === 1) {
+            $userlevel = 5;
+        }
+    }
     // Find all defined groups $username is in
     $search = ldap_search(
@@ -254,7 +259,7 @@ function get_userlist()
             'email' => $userhash[$key]['email']
         );
     }
-
+
     return $userlist;
 }
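Review bot: The two new guards in get_userlevel compare inconsistently — the outer one uses loose `== 0` (so `false`, `''` and, on the PHP 5/7.0 builds current when this landed, any non-numeric string such as `'no'` all count as "membership not required"), while the inner one uses strict `=== 1`, so `$config['auth_ad_global_read'] = true;` or `'1'` silently grants nothing and the operator sees level 0 with no error. The outer `isset()` also means an operator who never sets `auth_ad_require_groupmembership` (which the doc hunk above describes as the "all users can authenticate" case) gets no effect from `auth_ad_global_read` at all. One consistent form is `if (empty($config['auth_ad_require_groupmembership']) && !empty($config['auth_ad_global_read'])) { $userlevel = 5; }`, assuming the other readers of that option in this file also treat an unset flag as "not required" — confirm against them before changing the semantics. Because this hands read access to every account that can bind to AD, a comment above the block such as `// Global read: any account that authenticates against AD gets level 5; group mappings below may raise it further` would make the authorization consequence explicit; get_userlevel's body continues past the hunk, so I cannot see whether the group loop only raises `$userlevel` or can also overwrite it back to a lower value.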