diff --git a/LibreNMS/Authentication/LdapAuthorizer.php b/LibreNMS/Authentication/LdapAuthorizer.php
index 4a976cd149..95ca7c833a 100644
--- a/LibreNMS/Authentication/LdapAuthorizer.php
+++ b/LibreNMS/Authentication/LdapAuthorizer.php
@@ -21,12 +21,21 @@ class LdapAuthorizer extends AuthorizerBase
 return true;
 } else {
 foreach ($ldap_groups as $ldap_group) {
- $ldap_comparison = ldap_compare(
- $connection,
- $ldap_group,
- Config::get('auth_ldap_groupmemberattr', 'memberUid'),
- $this->getMembername($username)
- );
+ if (Config::get('auth_ldap_userdn') === true) {
+ $ldap_comparison = ldap_compare(
+ $connection,
+ $ldap_group,
+ Config::get('auth_ldap_groupmemberattr', 'memberUid'),
+ $this->getFullDn($username)
+ );
+ } else {
+ $ldap_comparison = ldap_compare(
+ $connection,
+ $ldap_group,
+ Config::get('auth_ldap_groupmemberattr', 'memberUid'),
+ $this->getMembername($username)
+ );
+ }
 if ($ldap_comparison === true) {
 return true;
 }
@@ -99,7 +108,11 @@ class LdapAuthorizer extends AuthorizerBase
 if (count($group_names) > 1) {
 $ldap_group_filter = "(|{$ldap_group_filter})";
 }
- $filter = "(&{$ldap_group_filter}(" . trim(Config::get('auth_ldap_groupmemberattr', 'memberUid')) . "=" . $this->getMembername($username) . "))";
+ if (Config::get('auth_ldap_userdn') === true) {
+ $filter = "(&{$ldap_group_filter}(" . trim(Config::get('auth_ldap_groupmemberattr', 'memberUid')) . "=" . $this->getFullDn($username) . "))";
+ } else {
+ $filter = "(&{$ldap_group_filter}(" . trim(Config::get('auth_ldap_groupmemberattr', 'memberUid')) . "=" . $this->getMembername($username) . "))";
+ }
 $search = ldap_search($connection, Config::get('auth_ldap_groupbase'), $filter);
 $entries = ldap_get_entries($connection, $search);
diff --git a/doc/Extensions/Authentication.md b/doc/Extensions/Authentication.md
index 706343c5b8..5213410d2f 100644
--- a/doc/Extensions/Authentication.md
+++ b/doc/Extensions/Authentication.md
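Review bot: The new `if`/`else` around `ldap_compare` duplicates the whole call only to vary its fourth argument, and the same shape repeats for `$filter` in the hunk at `@@ -99,7 +108,11 @@`; resolving the member value once and passing it to a single call keeps the two branches from drifting apart. The `=== true` test also means a config value such as `1` or `'true'` silently keeps username-based matching, which deserves a comment next to the check, e.g. `// auth_ldap_userdn only takes effect when set to boolean true; any other value keeps member-name matching`. The enclosing method starts before and ends after this hunk.

```php
foreach ($ldap_groups as $ldap_group) {
    // Membership is recorded as the user's full DN when auth_ldap_userdn is
    // boolean true, otherwise as the bare member name.
    $member = Config::get('auth_ldap_userdn') === true
        ? $this->getFullDn($username)
        : $this->getMembername($username);
    $ldap_comparison = ldap_compare(
        $connection,
        $ldap_group,
        Config::get('auth_ldap_groupmemberattr', 'memberUid'),
        $member
    );
    // … unchanged: result check and early return …
```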
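Review bot: Both new `$filter` branches concatenate the value from `getFullDn($username)` or `getMembername($username)` straight into the LDAP search filter, so a value containing `(`, `)`, `*` or `\` changes the filter's structure instead of being matched literally; the removed line had the same gap, but the DN branch is new and a DN can legitimately carry those characters. Passing the value through `ldap_escape($member, '', LDAP_ESCAPE_FILTER)` before building the string makes the filter treat it as data, and resolving `$member` once also removes the duplicated line (the same pattern as the `ldap_compare` hunk above). Whether `$username` is the raw login name is not visible here, so it should be treated as untrusted unless getMembername/getFullDn are known to normalise it. The enclosing method starts before and ends after this hunk.

```php
// … unchanged: group filter assembly …
$member = Config::get('auth_ldap_userdn') === true
    ? $this->getFullDn($username)
    : $this->getMembername($username);
// Escape filter metacharacters so the member value is matched literally.
$filter = "(&{$ldap_group_filter}(" . trim(Config::get('auth_ldap_groupmemberattr', 'memberUid')) . '=' . ldap_escape($member, '', LDAP_ESCAPE_FILTER) . '))';
$search = ldap_search($connection, Config::get('auth_ldap_groupbase'), $filter);
```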
@@ -158,6 +158,7 @@ $config['auth_ldap_group'] = 'cn=groupname,ou=groups,dc=example,dc=com'; // gen
 $config['auth_ldap_groupmemberattr'] = 'memberUid'; // attribute to use to see if a user is a member of a group
 $config['auth_ldap_uid_attribute'] = 'uidnumber'; // attribute for unique id
 $config['auth_ldap_debug'] = false; // enable for verbose debug messages
+$config['auth_ldap_userdn'] = true; // Uses a users full DN as the value of the member attribute in a group instead of member: username. (it’s member: uid=username,ou=groups,dc=domain,dc=com)
 ```
 
 ### LDAP bind user (optional)
diff --git a/includes/defaults.inc.php b/includes/defaults.inc.php
index 7c6b104ebd..3858c59266 100644
--- a/includes/defaults.inc.php
+++ b/includes/defaults.inc.php
@@ -647,6 +647,8 @@ $config['auth_ldap_groupmemberattr'] = 'memberUid';
 $config['auth_ldap_emailattr'] = 'mail';
 $config['auth_ldap_cache_ttl'] = 300; // How long in seconds should ldap* module cache user information in $_SESSION
+$config['auth_ldap_userdn'] = false;
+// Uses a users full DN as the value of the member attribute in a group (instead of member: username, it’s member: uid=username,ou=groups,dc=domain,dc=com).
 // Active Directory Authentication
 $config['auth_ad_user_filter'] = "(objectclass=user)";