An error occurred while loading the file. Please try again.
-
Côme Chilliet authoredAvoids PHP errors and shows the actual LDAP error when there is a problem for fetching connected user. issue #6175
Unverified0b153aba
<?php/* This code is part of FusionDirectory (http://www.fusiondirectory.org/) Copyright (C) 2003-2010 Cajus Pollmeier Copyright (C) 2011-2020 FusionDirectory This program is free software; you can redistribute it and/or modify it under the terms of the GNU General Public License as published by the Free Software Foundation; either version 2 of the License, or (at your option) any later version. This program is distributed in the hope that it will be useful, but WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU General Public License for more details. You should have received a copy of the GNU General Public License along with this program; if not, write to the Free Software Foundation, Inc., 51 Franklin St, Fifth Floor, Boston, MA 02110-1301, USA.*//*! * \file class_userinfo.inc * Source code for the class userinfo *//* Define shadow states */define('POSIX_ACCOUNT_EXPIRED', 1);define('POSIX_WARN_ABOUT_EXPIRATION', 2);define('POSIX_FORCE_PASSWORD_CHANGE', 4);define('POSIX_DISALLOW_PASSWORD_CHANGE', 8);/*! * \brief Class userinfo * This class contains all informations and functions * about user */class userinfo{ var $dn; var $cn; var $uid; var $sn = ''; var $givenName = ''; var $gidNumber = -1; var $language = ""; var $groups = []; var $roles = []; /*! \brief LDAP attributes of this user at login */ protected $cachedAttrs = []; protected $result_cache = []; protected $ignoreACL = FALSE; protected $ACL = []; protected $ACLperPath = []; /*! \brief LDAP size limit handler */ protected $sizeLimitHandler; /*! \brief Current management base */ protected $currentBase; /*! \brief Password change should be forced */ protected $forcePasswordChange = FALSE; function __construct ($userdn) {7172737475767778798081828384858687888990919293949596979899100101102103104105106107108109110111112113114115116117118119120121122123124125126127128129130131132133134135136137138139140
global $config;
$this->dn = $userdn;
$this->ignoreACL = ($config->get_cfg_value('ignoreAcl') == $this->dn);
$this->loadLDAPInfo();
/* Initialize ACL_CACHE */
$this->reset_acl_cache();
$this->sizeLimitHandler = new ldapSizeLimit();
}
/*! \brief Loads user information from LDAP */
function loadLDAPInfo ()
{
global $config;
$ldap = $config->get_ldap_link();
$ldap->cat($this->dn, ['*']);
$attrs = $ldap->fetch(TRUE);
if (!$ldap->success()) {
throw new FusionDirectoryLdapError($this->dn, LDAP_SEARCH, $ldap->get_error(), $ldap->get_errno());
}
$this->uid = $attrs['uid'][0];
if (isset($attrs['cn'][0])) {
$this->cn = $attrs['cn'][0];
} elseif (isset($attrs['givenName'][0]) && isset($attrs['sn'][0])) {
$this->cn = $attrs['givenName'][0].' '.$attrs['sn'][0];
} else {
$this->cn = $attrs['uid'][0];
}
if (isset($attrs['gidNumber'][0])) {
$this->gidNumber = $attrs['gidNumber'][0];
}
if (isset($attrs['sn'][0])) {
$this->sn = $attrs['sn'][0];
}
if (isset($attrs['givenName'][0])) {
$this->givenName = $attrs['givenName'][0];
}
/* Assign user language */
if (isset($attrs['preferredLanguage'][0])) {
$this->language = $attrs['preferredLanguage'][0];
}
$this->cachedAttrs = $attrs;
}
/*!
* \brief Reset acl cache
*/
public function reset_acl_cache ()
{
/* Initialize ACL_CACHE */
session::set('ACL_CACHE', []);
}
/*!
* \brief Load an acl
*/
function loadACL ()
{
global $config, $plist;
$this->ACL = [];
$this->groups = [];
$this->roles = [];
$this->result_cache = [];
141142143144145146147148149150151152153154155156157158159160161162163164165166167168169170171172173174175176177178179180181182183184185186187188189190191192193194195196197198199200201202203204205206207208209210
$this->reset_acl_cache();
$ldap = $config->get_ldap_link();
$ldap->cd($config->current['BASE']);
$targetFilterLimit = $config->get_cfg_value('AclTargetFilterLimit', 100);
/* Get member groups... */
$ldap->search('(&(objectClass=groupOfNames)(member='.ldap_escape_f($this->dn).'))', ['dn']);
while ($attrs = $ldap->fetch()) {
$this->groups[$attrs['dn']] = $attrs['dn'];
}
/* Get member POSIX groups... */
$ldap->search('(&(objectClass=posixGroup)(memberUid='.ldap_escape_f($this->uid).'))', ['dn']);
while ($attrs = $ldap->fetch()) {
$this->groups[$attrs['dn']] = $attrs['dn'];
}
/* Get member roles... */
$ldap->search('(&(objectClass=organizationalRole)(roleOccupant='.ldap_escape_f($this->dn).'))', ['dn']);
while ($attrs = $ldap->fetch()) {
$this->roles[$attrs['dn']] = $attrs['dn'];
}
/* Crawl through ACLs and move relevant to the tree */
$ldap->search('(objectClass=gosaACL)', ['dn', 'gosaAclEntry']);
$ACLsContent = [];
while ($attrs = $ldap->fetch()) {
/* Insert links in ACL array */
$mergedAcls = [];
for ($i = 0; $i < $attrs['gosaAclEntry']['count']; $i++) {
$mergedAcls = array_merge($mergedAcls, acl::explodeACL($attrs['gosaAclEntry'][$i]));
}
$ACLsContent[$attrs['dn']] = $mergedAcls;
}
$ACLsContentResolved = [];
/* Resolve roles here */
foreach ($ACLsContent as $dn => $ACLRules) {
foreach ($ACLRules as $ACLRule) {
$ldap->cat($ACLRule['acl'], ['gosaAclTemplate']);
$attrs = $ldap->fetch();
if (!isset($attrs['gosaAclTemplate'])) {
continue;
}
$interesting = FALSE;
/* Inspect members... */
foreach (array_keys($ACLRule['members']) as $member) {
/* Wildcard? */
if ($member === 'G:*') {
$interesting = TRUE;
break;
}
list($memberType, $memberDn) = explode(':', $member, 2);
switch ($memberType) {
case 'G':
if (in_array_ics($memberDn, $this->groups)) {
$interesting = TRUE;
break 2;
}
break;
case 'R':
if (in_array_ics($memberDn, $this->roles)) {
$interesting = TRUE;
break 2;
211212213214215216217218219220221222223224225226227228229230231232233234235236237238239240241242243244245246247248249250251252253254255256257258259260261262263264265266267268269270271272273274275276277278279280
}
break;
case 'U':
if (mb_strtolower($memberDn) === mb_strtolower($this->dn)) {
$interesting = TRUE;
break 2;
}
break;
default:
throw new FusionDirectoryException('Unknown ACL member type '.$memberType);
}
}
if (!$interesting) {
continue;
}
if (!empty($ACLRule['userfilter']) && !$ldap->object_match_filter($this->dn, $ACLRule['userfilter'])) {
/* We do not match the user filter */
continue;
}
if (!empty($ACLRule['targetfilter'])) {
$ldap->cd($dn);
$ldap->set_size_limit($targetFilterLimit);
$targetFilter = templateHandling::parseString($ACLRule['targetfilter'], $this->cachedAttrs, 'ldap_escape_f');
$ldap->search($targetFilter, ['dn']);
if ($ldap->hitSizeLimit()) {
$error = new FusionDirectoryError(
htmlescape(sprintf(
_('An ACL assignment for the connected user matched more than than the %d objects limit. This user will not have the ACL rights he should.'),
$targetFilterLimit
))
);
$error->display();
}
$targetDns = [];
while ($targetAttrs = $ldap->fetch()) {
$targetDns[] = $targetAttrs['dn'];
}
$ldap->set_size_limit(0);
} else {
$targetDns = [$dn];
}
$roleAcls = acl::explodeRole($attrs['gosaAclTemplate']);
foreach ($roleAcls as $roleAcl) {
foreach ($targetDns as $targetDn) {
$ACLsContentResolved[$targetDn][] = [
'acl' => $roleAcl,
'type' => $ACLRule['type'],
'members' => $ACLRule['members'],
];
}
}
}
}
/* Sort by tree depth */
uksort(
$ACLsContentResolved,
function ($dn1, $dn2)
{
return substr_count($dn1, ',') <=> substr_count($dn2, ',');
}
);
/* Insert in $this->ACL */
foreach ($ACLsContentResolved as $dn => $ACLRules) {
foreach ($ACLRules as $idx => $ACLRule) {