refactor: Moved AD user and group filter functions into ActiveDirectoryAuthorizer (#8545)

This commit is contained in:
Tony Murray
2018-04-11 04:06:46 -05:00
committed by Neil Lathwood
parent 6a26ac6dac
commit 9152becec7
3 changed files with 37 additions and 34 deletions


@@ -96,7 +96,7 @@ class ADAuthorizationAuthorizer extends MysqlAuthorizer
$search = ldap_search(
$this->ldap_connection,
Config::get('auth_ad_base_dn'),
get_auth_ad_user_filter($username),
ActiveDirectoryAuthorizer::userFilter($username),
array('samaccountname')
);
$entries = ldap_get_entries($this->ldap_connection, $search);
@@ -127,7 +127,7 @@ class ADAuthorizationAuthorizer extends MysqlAuthorizer
$search = ldap_search(
$this->ldap_connection,
Config::get('auth_ad_base_dn'),
get_auth_ad_user_filter($username),
ActiveDirectoryAuthorizer::userFilter($username),
array('memberOf')
);
$entries = ldap_get_entries($this->ldap_connection, $search);
@@ -159,7 +159,7 @@ class ADAuthorizationAuthorizer extends MysqlAuthorizer
$search = ldap_search(
$this->ldap_connection,
Config::get('auth_ad_base_dn'),
get_auth_ad_user_filter($username),
ActiveDirectoryAuthorizer::userFilter($username),
$attributes
);
$entries = ldap_get_entries($this->ldap_connection, $search);
@@ -223,7 +223,7 @@ class ADAuthorizationAuthorizer extends MysqlAuthorizer
$result = ldap_search(
$this->ldap_connection,
Config::get('auth_ad_base_dn'),
get_auth_ad_user_filter($username),
ActiveDirectoryAuthorizer::userFilter($username),
$attributes
);
$entries = ldap_get_entries($this->ldap_connection, $result);
@@ -267,7 +267,7 @@ class ADAuthorizationAuthorizer extends MysqlAuthorizer
$result = ldap_search(
$this->ldap_connection,
Config::get('auth_ad_base_dn'),
get_auth_ad_group_filter($samaccountname),
ActiveDirectoryAuthorizer::groupFilter($samaccountname),
$attributes
);
$entries = ldap_get_entries($this->ldap_connection, $result);


@@ -114,7 +114,7 @@ class ActiveDirectoryAuthorizer extends AuthorizerBase
Config::get('auth_ad_base_dn'),
// add 'LDAP_MATCHING_RULE_IN_CHAIN to the user filter to search for $username in nested $group_dn
// limiting to "DN" for shorter array
"(&" . get_auth_ad_user_filter($username) . "(memberOf:1.2.840.113556.1.4.1941:=$group_dn))",
"(&" . static::userFilter($username) . "(memberOf:1.2.840.113556.1.4.1941:=$group_dn))",
array("DN")
);
$entries = ldap_get_entries($this->ldap_connection, $search);
@@ -129,7 +129,7 @@ class ActiveDirectoryAuthorizer extends AuthorizerBase
$search = ldap_search(
$this->ldap_connection,
Config::get('auth_ad_base_dn'),
get_auth_ad_user_filter($username),
static::userFilter($username),
array('samaccountname')
);
$entries = ldap_get_entries($this->ldap_connection, $search);
@@ -176,7 +176,7 @@ class ActiveDirectoryAuthorizer extends AuthorizerBase
$search = ldap_search(
$this->ldap_connection,
Config::get('auth_ad_base_dn'),
get_auth_ad_user_filter($username),
static::userFilter($username),
$attributes
);
$entries = ldap_get_entries($this->ldap_connection, $search);
@@ -288,7 +288,7 @@ class ActiveDirectoryAuthorizer extends AuthorizerBase
$search = ldap_search(
$this->ldap_connection,
Config::get('auth_ad_base_dn'),
get_auth_ad_user_filter($username),
static::userFilter($username),
$attributes
);
$result = ldap_get_entries($this->ldap_connection, $search);
@@ -304,7 +304,7 @@ class ActiveDirectoryAuthorizer extends AuthorizerBase
$result = ldap_search(
$this->ldap_connection,
Config::get('auth_ad_base_dn'),
get_auth_ad_user_filter($username),
static::userFilter($username),
$attributes
);
$entries = ldap_get_entries($this->ldap_connection, $result);
@@ -350,7 +350,7 @@ class ActiveDirectoryAuthorizer extends AuthorizerBase
$result = ldap_search(
$this->ldap_connection,
Config::get('auth_ad_base_dn'),
get_auth_ad_group_filter($samaccountname),
static::groupFilter($samaccountname),
$attributes
);
$entries = ldap_get_entries($this->ldap_connection, $result);
@@ -456,4 +456,30 @@ class ActiveDirectoryAuthorizer extends AuthorizerBase
ldap_set_option($this->ldap_connection, LDAP_OPT_REFERRALS, 0);
ldap_set_option($this->ldap_connection, LDAP_OPT_PROTOCOL_VERSION, 3);
}
public static function userFilter($username)
{
// don't return disabled users
$user_filter = "(&(samaccountname=$username)(!(useraccountcontrol:1.2.840.113556.1.4.803:=2))";
$extra = Config::get('auth_ad_user_filter');
if ($extra) {
$user_filter .= $extra;
}
$user_filter .= ')';
return $user_filter;
}
public static function groupFilter($groupname)
{
$group_filter = "(samaccountname=$groupname)";
$extra = Config::get('auth_ad_group_filter');
if ($extra) {
$group_filter = "(&$extra$group_filter)";
}
return $group_filter;
}
}
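Review bot: `userFilter()` and `groupFilter()` in the last hunk interpolate `$username` / `$groupname` verbatim into the LDAP filter string, so a value containing filter metacharacters (`*`, `(`, `)`, `\`, NUL) is parsed as filter syntax rather than as the account name; since the same strings are now the single source for every `ldap_search()` call in this class and in `ADAuthorizationAuthorizer`, escaping here fixes all call sites at once: `$user_filter = "(&(samaccountname=" . ldap_escape($username, '', LDAP_ESCAPE_FILTER) . ")(!(useraccountcontrol:1.2.840.113556.1.4.803:=2))";` and `$group_filter = "(samaccountname=" . ldap_escape($groupname, '', LDAP_ESCAPE_FILTER) . ")";`. The `$group_dn` interpolated in the first hunk of this file presumably comes from configuration rather than the login form, but the same treatment would not hurt there. Both new methods also lack a docblock; something like `/** Build the AD search filter matching $username, excluding disabled accounts and appending Config 'auth_ad_user_filter' when set. */` (and the `auth_ad_group_filter` equivalent for `groupFilter()`) would make the `(&...)` wrapping of the extra clause understandable to the next reader.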


@@ -1466,29 +1466,6 @@ if (!function_exists('starts_with')) {
}
}
function get_auth_ad_user_filter($username)
{
global $config;
// don't return disabled users
$user_filter = "(&(samaccountname=$username)(!(useraccountcontrol:1.2.840.113556.1.4.803:=2))";
if ($config['auth_ad_user_filter']) {
$user_filter .= $config['auth_ad_user_filter'];
}
$user_filter .= ')';
return $user_filter;
}
function get_auth_ad_group_filter($groupname)
{
global $config;
$group_filter = "(samaccountname=$groupname)";
if ($config['auth_ad_group_filter']) {
$group_filter = "(&{$config['auth_ad_group_filter']}$group_filter)";
}
return $group_filter;
}
/**
* Print a list of items up to a max amount
* If over that number, a line will print the total items