Describe the Bug
Hi,
Following this issue: #5730
As mentioned by @lucaguindani, auth fails on systems where groups returned in the memberOf attribute are in short format and not in "fqdn"
i.e. memberOf: mygroup instead of memberOf: cn=mygroup,ou=other,ou=thing,c=tld
After digging into the code, I added a few lines that trigger an LDAP search in case the checked group is in short format.
File app/Access/LdapService.php
@@ -428,6 +428,12 @@
*/
protected function extractGroupsFromSearchResponseEntry(array $ldapEntry): array
{
+ $ldapConnection = $this->getConnection();
+ $this->bindSystemUser($ldapConnection);
+
+ $followReferrals = $this->config['follow_referrals'] ? 1 : 0;
+ $this->ldap->setOption($ldapConnection, LDAP_OPT_REFERRALS, $followReferrals);
+
$groupsAttr = strtolower($this->config['group_attribute']);
$groupDNs = [];
$count = 0;
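Review bot: the `getConnection()` / `bindSystemUser()` / `setOption()` calls added at the top of `extractGroupsFromSearchResponseEntry` run on every call, including when every value in the group attribute is already a full DN and no lookup will be made, so each group extraction now costs an extra LDAP bind. Defer obtaining and binding the connection to the point where a short-form name is actually encountered, or reuse the connection on which the surrounding user search was already performed, and note in the method docblock why a bound connection is needed here at all.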
@@ -435,9 +441,16 @@
if (isset($ldapEntry[$groupsAttr]['count'])) {
$count = (int) $ldapEntry[$groupsAttr]['count'];
}
-
+ $baseDn = $this->config['base_dn'];
for ($i = 0; $i < $count; $i++) {
$dn = $ldapEntry[$groupsAttr][$i];
+ if (!preg_match("/=$dn;/", $dn)) {
+ $read = $this->ldap->search($ldapConnection, $baseDn, "(cn=$dn)", ['dn']);
+ $result = $this->ldap->getEntries($ldapConnection, $read);
+ if (isset($result[0]['dn'])) {
+ $dn = $result[0]['dn'];
+ }
+ }
if (!in_array($dn, $groupDNs)) {
$groupDNs[] = $dn;
}
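Review bot: the short-form test `if (!preg_match("/=$dn;/", $dn))` can never match, because it searches `$dn` for `=` followed by the whole of `$dn` followed by `;`, a string longer than `$dn` itself, so the lookup is issued for every group, full DNs included, and any `/` or other regex metacharacter in a DN would additionally break the pattern. A check such as `if (strpos($dn, '=') === false)` expresses the intent (a DN always carries at least one `attribute=value` RDN). Separately, `$dn` is interpolated into the filter `"(cn=$dn)"` unescaped: wrap it with `ldap_escape($dn, '', LDAP_ESCAPE_FILTER)` so a name containing `*`, `(` or `)` cannot widen the search, and check the returned `count` instead of taking `$result[0]['dn']` blindly, since a cn search across the whole `base_dn` can return several entries, or an entry that is not a group, and the first hit would silently be used for the mapping.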
That fixed the site on my side.
Not sure if it's the best way to propose a patch, but here it is.
Cheers,
Steps to Reproduce
Configure LDAP (with an LDAP directory returning group membership in short format)
Enable LDAP group mapping in .env
Try to connect
Expected Behaviour
The connection should work, but it fails.
Screenshots or Additional Context
No response
Browser Details
No response
Exact BookStack Version
v26.03.1
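The following is an added example, not BookStack code and not the patch above: it shows one way to resolve short-form group names to full DNs while escaping the filter value and refusing ambiguous matches. The `$searchFn` callable, the `$fakeDirectory` entries and the `ldap_escape` polyfill are assumptions made so that it runs without a directory or ext/ldap; in real code `$searchFn` would wrap `ldap_search()` / `ldap_get_entries()`.

```php
<?php
// Added example (not BookStack's code): resolving bare group names found in a
// memberOf-style attribute to full DNs before comparing them with mapped groups.

// Polyfill so the example runs where ext/ldap is not loaded (assumption: same
// RFC 4515 filter escaping that ldap_escape() performs with LDAP_ESCAPE_FILTER).
if (!function_exists('ldap_escape')) {
    define('LDAP_ESCAPE_FILTER', 1);
    function ldap_escape(string $value, string $ignore = '', int $flags = 0): string
    {
        return strtr($value, ['\\' => '\5c', '*' => '\2a', '(' => '\28', ')' => '\29', "\0" => '\00']);
    }
}

/** True when a value is a bare name rather than a DN: every DN has at least one "attr=value" RDN. */
function isShortGroupName(string $value): bool
{
    return strpos($value, '=') === false;
}

/**
 * Map each group value to a full DN. Bare names are looked up by cn with the
 * value escaped, so "*" or ")" in a name cannot widen the filter. Names that
 * resolve to zero or several entries are skipped and reported in $warnings.
 *
 * $searchFn is a hypothetical callable: string $filter -> array shaped like
 * ldap_get_entries() output ('count' plus numeric entries carrying 'dn').
 */
function resolveGroupDns(array $groupValues, callable $searchFn, array &$warnings = []): array
{
    $groupDns = [];
    foreach ($groupValues as $value) {
        $dn = $value;
        if (isShortGroupName($value)) {
            $filter  = '(cn=' . ldap_escape($value, '', LDAP_ESCAPE_FILTER) . ')';
            $entries = $searchFn($filter);
            $count   = (int) ($entries['count'] ?? 0);
            if ($count !== 1 || !isset($entries[0]['dn'])) {
                $warnings[] = "group '{$value}' matched {$count} entries via {$filter}; skipped";
                continue;
            }
            $dn = $entries[0]['dn'];
        }
        if (!in_array($dn, $groupDns, true)) {
            $groupDns[] = $dn;
        }
    }
    return $groupDns;
}

// Constructed stand-in for a directory (not real data): filter => search result.
$fakeDirectory = [
    '(cn=mygroup)'    => ['count' => 1, 0 => ['dn' => 'cn=mygroup,ou=other,ou=thing,c=tld']],
    '(cn=duplicated)' => ['count' => 2,
                          0 => ['dn' => 'cn=duplicated,ou=a,c=tld'],
                          1 => ['dn' => 'cn=duplicated,ou=b,c=tld']],
];
$searchFn = function (string $filter) use ($fakeDirectory): array {
    return $fakeDirectory[$filter] ?? ['count' => 0];
};

$warnings = [];
$resolved = resolveGroupDns(
    ['mygroup', 'cn=admins,ou=other,ou=thing,c=tld', 'duplicated', 'evil*', 'mygroup'],
    $searchFn,
    $warnings
);
// Expected: mygroup resolved to its DN once, the full DN kept as-is,
// "duplicated" and "evil*" skipped with a warning each ("evil*" is sent as
// "(cn=evil\2a)", so it cannot act as a wildcard).
print_r($resolved);
print_r($warnings);
```

The ambiguity check matters because a cn search over the whole base DN is not restricted to group objects; refusing a non-unique match is safer than silently granting whatever entry happens to come first.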