
ID 0011488 | Project mantisbt | Category feature | View Status public | Last Update 2014-01-03 05:56
Reporter rrp | Assigned To dregad
Priority normal | Severity tweak | Reproducibility N/A
Status closed | Resolution duplicate
Summary 0011488: LDAP group based autentication
Description

Many applications use LDAP group based authentication. The Mantis LDAP authentication system allows access to be limited to a single branch of the LDAP tree, but it does not allow limiting Mantis access to the members of a single LDAP group.

Patch attached ...

Additional Information

This is similar to http://www.mantisbt.org/bugs/view.php?id=11470, but it is based on group membership instead of a user attribute.

Attached Files
mantis-ldap-group.diff (1,948 bytes)   
Wspólne podkatalogi: core-org2/disposable i core/disposable
diff -C3 core-org2/ldap_api.php core/ldap_api.php
*** core-org2/ldap_api.php	2010-02-10 13:05:00.000000000 +0000
--- core/ldap_api.php	2010-02-10 13:18:51.000000000 +0000
***************
*** 138,143 ****
--- 138,149 ----
  		$t_ldap_uid_field	= config_get( 'ldap_uid_field', 'uid' ) ;
  		$t_search_filter 	= "(&$t_ldap_organization($t_ldap_uid_field=$t_username))";
  		$t_search_attrs  	= array( $t_ldap_uid_field, 'dn' );
+ 
+ 		$t_ldap_group_dn		= config_get( 'ldap_group_dn', '');
+ 		$t_ldap_group_member_field	= config_get( 'ldap_group_member_field', 'memberuid' ) ;
+ 		$t_search_attrs_group	  	= array( $t_ldap_group_member_field, 'dn' );
+ 		$t_search_filter_group	 	= "(&($t_ldap_group_member_field=$t_username))";
+ 
  		$t_ds            	= ldap_connect_bind();
  
  		# Search for the user id
***************
*** 153,160 ****
  
  				# Attempt to bind with the DN and password
  				if ( @ldap_bind( $t_ds, $t_dn, $p_password ) ) {
! 					$t_authenticated = true;
! 					break; # Don't need to go any further
  				}
  			}
  		}
--- 159,179 ----
  
  				# Attempt to bind with the DN and password
  				if ( @ldap_bind( $t_ds, $t_dn, $p_password ) ) {
! 					if ($t_ldap_group_dn != '') {
! 						# check for group mantis for this user
! 						$t_sr2	= ldap_read( $t_ds, $t_ldap_group_dn, $t_search_filter_group, $t_search_attrs_group);
! 						$t_info2	= ldap_get_entries( $t_ds, $t_sr2 );
! 						if ($t_info2[0]['memberuid']) {
! 							# We don't need check recived memberuid listi ($t_info2[0]['memberuid'])
! 							# becouse filter in ldap_read() guarantees (if $t_info2[0]['memberuid'] is not empty)
! 							# occurrence $t_username in this list
! 							$t_authenticated = true;
! 							break; # Don't need to go any further
! 						}
! 					} else {
! 						$t_authenticated = true;
! 						break; # Don't need to go any further
! 					}
  				}
  			}
  		}
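Review bot: The membership test `if ($t_info2[0]['memberuid'])` hard-codes the attribute name although the field is configurable through `ldap_group_member_field` in the previous hunk, so any other configured value makes the check fail for every user; `ldap_get_entries()` returns attribute keys lower-cased, so the lookup should be `$t_info2[0][strtolower( $t_ldap_group_member_field )]`. The `ldap_read()` result is also unchecked: it returns false when the group DN does not exist or, because the connection is now bound as the user rather than the service account, when the user's own credentials cannot read the group, and `$t_info2[0]` is undefined when no entry matched, both raising PHP warnings inside the authentication path. The rewrite below guards both cases and keeps the fail-closed outcome (no entry found means no access); the enclosing loop and function continue past the hunk. The same block appears in the 1.2.5 patch at L105-L119.
```php
if ( @ldap_bind( $t_ds, $t_dn, $p_password ) ) {
	if ( $t_ldap_group_dn == '' ) {
		$t_authenticated = true;
		break; # Don't need to go any further
	}
	# The lookup runs under the user's own bind; any failure denies access (fail closed)
	$t_sr2 = @ldap_read( $t_ds, $t_ldap_group_dn, $t_search_filter_group, $t_search_attrs_group );
	if ( $t_sr2 !== false ) {
		$t_info2 = ldap_get_entries( $t_ds, $t_sr2 );
		# ldap_get_entries() lower-cases attribute names, so match the configured field the same way
		$t_member_field = strtolower( $t_ldap_group_member_field );
		if ( $t_info2 !== false && $t_info2['count'] > 0 && !empty( $t_info2[0][$t_member_field] ) ) {
			$t_authenticated = true;
			break; # Don't need to go any further
		}
	}
}
```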
mantis.ldap_group.for_1.2.5.diff (1,673 bytes)   
*** core/ldap_api.php.orig	2011-04-05 18:24:17.000000000 +0000
--- core/ldap_api.php	2011-07-22 11:29:15.000000000 +0000
***************
*** 360,365 ****
--- 360,370 ----
  			'dn',
  		);
  
+  		$t_ldap_group_dn		= config_get( 'ldap_group_dn', '');
+  		$t_ldap_group_member_field	= config_get( 'ldap_group_member_field', 'memberuid' ) ;
+  		$t_search_attrs_group	  	= array( $t_ldap_group_member_field, 'dn' );
+  		$t_search_filter_group	 	= "(&($t_ldap_group_member_field=$c_username))";
+ 
  		# Bind
  		log_event( LOG_LDAP, "Binding to LDAP server" );
  		$t_ds = ldap_connect_bind();
***************
*** 396,403 ****
  
  				# Attempt to bind with the DN and password
  				if ( @ldap_bind( $t_ds, $t_dn, $p_password ) ) {
! 					$t_authenticated = true;
! 					break;
  				}
  			}
  		} else {
--- 401,421 ----
  
  				# Attempt to bind with the DN and password
  				if ( @ldap_bind( $t_ds, $t_dn, $p_password ) ) {
!  					if ($t_ldap_group_dn != '') {
!  						# check for group mantis for this user
!  						$t_sr2	= ldap_read( $t_ds, $t_ldap_group_dn, $t_search_filter_group, $t_search_attrs_group);
!  						$t_info2	= ldap_get_entries( $t_ds, $t_sr2 );
!  						if ($t_info2[0]['memberuid']) {
!  							# We don't need check recived memberuid listi ($t_info2[0]['memberuid'])
!  							# becouse filter in ldap_read() guarantees (if $t_info2[0]['memberuid'] is not empty)
!  							# occurrence $t_username in this list
!  							$t_authenticated = true;
!  							break; # Don't need to go any further
!  						}
!  					} else {
!  						$t_authenticated = true;
!  						break; # Don't need to go any further
!  					}
  				}
  			}
  		} else {
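Review bot: The comment `# occurrence $t_username in this list` inside this hunk names `$t_username`, but this version of the patch builds the filter from `$c_username` in the previous hunk, so the comment should read `# occurrence of $c_username in this list`. The added lines in this patch (L83-L86 and L105-L119) also carry one extra leading space before the tab indentation, unlike the 2010 version, which leaves the applied file with mixed indentation in this function. The enclosing loop continues past the hunk.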

Relationships

duplicate of 0009124 new LDAP group authentication 
related to 0011470 closeddregad auto-create mantis account for LDAP users 

Activities

jiriksykora

2013-02-18 06:08

reporter   ~0035203

With this config every user from the ou works fine, but I want to set up the group cn=mantis and authenticate only people from this group. What do I need to add to the config? The patch mantis.ldap_group.for_1.2.5.diff is applied.

$g_allow_signup = OFF;
$g_use_ldap_email = ON;
$g_lost_password_feature = OFF;
$g_ldap_protocol_version = 3;
$g_login_method = LDAP;
$g_ldap_uid_field = 'uid';
$g_ldap_server = 'ldap://ldap.company.cz:389';
$g_ldap_root_dn = 'ou=users,dc=company,dc=cz';
$g_use_ldap_realname = ON;
$g_log_level = LOG_LDAP;
$g_log_destination = 'file:/var/log/mantisbt.log'