From 979f811ea9c6e7f8ba31fcfea4a14d19248e3dfa Mon Sep 17 00:00:00 2001
From: TheGreatDoc <32565115+TheGreatDoc@users.noreply.github.com>
Date: Sun, 5 Aug 2018 14:52:54 +0200
Subject: [PATCH] Allow to use full DN as value for member attribute instead of member: username (#8969)

Allow to use full DN as value for member attribute instead of member: username I dont use LDAP so this should be tested with both methods. For using fulldn as user `$config['ldap_auth_userdn'] = true;` must be set in config.php This comes from https://community.librenms.org/t/feature-request-full-dn-as-group-member-attibute-in-ldap-auth/4805 DO NOT DELETE THIS TEXT #### Please note > Please read this information carefully. You can run `./scripts/pre-commit.php` to check your code before submitting. - [ x] Have you followed our [code guidelines?](http://docs.librenms.org/Developing/Code-Guidelines/) #### Testers If you would like to test this pull request then please run: `./scripts/github-apply `, i.e `./scripts/github-apply 5926`
---
 LibreNMS/Authentication/LdapAuthorizer.php | 27 ++++++++++++++++------
 doc/Extensions/Authentication.md | 1 +
 includes/defaults.inc.php | 2 ++
 3 files changed, 23 insertions(+), 7 deletions(-)

diff --git a/LibreNMS/Authentication/LdapAuthorizer.php b/LibreNMS/Authentication/LdapAuthorizer.php
index 4a976cd149..95ca7c833a 100644
--- a/LibreNMS/Authentication/LdapAuthorizer.php
+++ b/LibreNMS/Authentication/LdapAuthorizer.php
@@ -21,12 +21,21 @@ class LdapAuthorizer extends AuthorizerBase
                 return true;
             } else {
                 foreach ($ldap_groups as $ldap_group) {
-                    $ldap_comparison = ldap_compare(
-                        $connection,
-                        $ldap_group,
-                        Config::get('auth_ldap_groupmemberattr', 'memberUid'),
-                        $this->getMembername($username)
-                    );
+                    if (Config::get('auth_ldap_userdn') === true) {
+                        $ldap_comparison = ldap_compare(
+                            $connection,
+                            $ldap_group,
+                            Config::get('auth_ldap_groupmemberattr', 'memberUid'),
+                            $this->getFullDn($username)
+                        );
+                    } else {
+                        $ldap_comparison = ldap_compare(
+                            $connection,
+                            $ldap_group,
+                            Config::get('auth_ldap_groupmemberattr', 'memberUid'),
+                            $this->getMembername($username)
+                        );
+                    }
                     if ($ldap_comparison === true) {
                         return true;
                     }
@@ -99,7 +108,11 @@ class LdapAuthorizer extends AuthorizerBase
             if (count($group_names) > 1) {
                 $ldap_group_filter = "(|{$ldap_group_filter})";
             }
-            $filter = "(&{$ldap_group_filter}(" . trim(Config::get('auth_ldap_groupmemberattr', 'memberUid')) . "=" . $this->getMembername($username) . "))";
+            if (Config::get('auth_ldap_userdn') === true) {
+                $filter = "(&{$ldap_group_filter}(" . trim(Config::get('auth_ldap_groupmemberattr', 'memberUid')) . "=" . $this->getFullDn($username) . "))";
+            } else {
+                $filter = "(&{$ldap_group_filter}(" . trim(Config::get('auth_ldap_groupmemberattr', 'memberUid')) . "=" . $this->getMembername($username) . "))";
+            }
             $search = ldap_search($connection, Config::get('auth_ldap_groupbase'), $filter);
             $entries = ldap_get_entries($connection, $search);
diff --git a/doc/Extensions/Authentication.md b/doc/Extensions/Authentication.md
index 706343c5b8..5213410d2f 100644
--- a/doc/Extensions/Authentication.md
+++ b/doc/Extensions/Authentication.md
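Review bot: The two `ldap_compare()` calls in the new `if`/`else` are identical except for the value argument, so the branch duplicates the connection, group and attribute arguments, and the same duplication is repeated in the `$filter` hunk at -99,+108. Selecting the member value once and making a single call keeps the two code paths from drifting. `getFullDn()` is not visible in this hunk, so I am assuming it is defined elsewhere in the class. Separately, the default `memberUid` attribute holds uid values rather than DNs, so a deployment that enables `auth_ldap_userdn` will almost certainly also need `auth_ldap_groupmemberattr` pointed at a DN-valued attribute such as `member` or `uniqueMember` — worth a one-line comment here or in the config docs. The enclosing method continues outside the hunk.
```php
                foreach ($ldap_groups as $ldap_group) {
                    // Full DN or bare member name, depending on auth_ldap_userdn
                    $member = Config::get('auth_ldap_userdn') === true
                        ? $this->getFullDn($username)
                        : $this->getMembername($username);
                    $ldap_comparison = ldap_compare(
                        $connection,
                        $ldap_group,
                        Config::get('auth_ldap_groupmemberattr', 'memberUid'),
                        $member
                    );
                    // … unchanged: result check and return …
```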
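Review bot: In the `$filter` hunk (-99,+108) the member value is still concatenated into the LDAP search filter unescaped, and the new full-DN path makes this more fragile: a DN may legitimately contain `\` (escaped RDN characters) or `(`, `)` and `*`, all of which are filter metacharacters, so the resulting filter is either malformed or matches more entries than intended; `getMembername()` had the same exposure before this change. Build the value once and escape it for the filter context, e.g. `$member = Config::get('auth_ldap_userdn') === true ? $this->getFullDn($username) : $this->getMembername($username);` followed by `$filter = "(&{$ldap_group_filter}(" . trim(Config::get('auth_ldap_groupmemberattr', 'memberUid')) . "=" . ldap_escape($member, '', LDAP_ESCAPE_FILTER) . "))";`. Filter escaping leaves `=` and `,` untouched, so an exact DN match against a `member`/`uniqueMember` attribute still works. The enclosing method starts and ends outside the hunk.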
@@ -158,6 +158,7 @@ $config['auth_ldap_group'] = 'cn=groupname,ou=groups,dc=example,dc=com'; // gen
 $config['auth_ldap_groupmemberattr'] = 'memberUid'; // attribute to use to see if a user is a member of a group
 $config['auth_ldap_uid_attribute'] = 'uidnumber'; // attribute for unique id
 $config['auth_ldap_debug'] = false; // enable for verbose debug messages
+$config['auth_ldap_userdn'] = true; // Uses a users full DN as the value of the member attribute in a group instead of member: username. (it’s member: uid=username,ou=groups,dc=domain,dc=com)
 ```
 
 ### LDAP bind user (optional)
diff --git a/includes/defaults.inc.php b/includes/defaults.inc.php
index 7c6b104ebd..3858c59266 100644
--- a/includes/defaults.inc.php
+++ b/includes/defaults.inc.php
@@ -647,6 +647,8 @@ $config['auth_ldap_groupmemberattr'] = 'memberUid';
 $config['auth_ldap_emailattr'] = 'mail';
 $config['auth_ldap_cache_ttl'] = 300; // How long in seconds should ldap* module cache user information in $_SESSION
+$config['auth_ldap_userdn'] = false;
+// Uses a users full DN as the value of the member attribute in a group (instead of member: username, it’s member: uid=username,ou=groups,dc=domain,dc=com).
 // Active Directory Authentication
 $config['auth_ad_user_filter'] = "(objectclass=user)";
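Review bot: In the defaults.inc.php hunk the explanatory comment for `auth_ldap_userdn` sits on its own line below the assignment, whereas the neighbouring entries (`auth_ldap_cache_ttl` just above) carry their comment as a trailing `//` on the assignment line; keeping that layout, `$config['auth_ldap_userdn'] = false; // use the user's full DN as the group member value instead of the bare username`, reads consistently with the rest of the block. The example DN in the comment places a user entry under `ou=groups`, which is presumably a slip for the users' OU; since the same text is copied into Authentication.md, it is worth correcting in both places.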