diff --git a/contrib/openldap/core-fd-conf.schema b/contrib/openldap/core-fd-conf.schema
index 6e9ac07ee6c7fee68079d1dafa4d4ded7befe54b..6084f58c8fd1db8ded41d4388f71683ea1ee1ec5 100644
--- a/contrib/openldap/core-fd-conf.schema
+++ b/contrib/openldap/core-fd-conf.schema
@@ -166,6 +166,12 @@ attributetype ( 1.3.6.1.4.1.38414.8.12.18 NAME 'fdCnPattern'
SYNTAX 1.3.6.1.4.1.1466.115.121.1.26
SINGLE-VALUE)
+attributetype ( 1.3.6.1.4.1.38414.8.12.19 NAME 'fdRestrictRoleMembers'
+ DESC 'FusionDirectory - Restrict role members to users from the same LDAP branch'
+ EQUALITY booleanMatch
+ SYNTAX 1.3.6.1.4.1.1466.115.121.1.7
+ SINGLE-VALUE )
+
# Password
attributetype ( 1.3.6.1.4.1.38414.8.13.1 NAME 'fdPasswordDefaultHash'
@@ -568,7 +574,7 @@ objectclass ( 1.3.6.1.4.1.38414.8.2.1 NAME 'fusionDirectoryConf'
fdStrictNamingRules $ fdMinId $ fdUidNumberBase $
fdGidNumberBase $ fdUserRDN $ fdGroupRDN $ fdIdAllocationMethod $
fdGidNumberPoolMin $ fdUidNumberPoolMin $ fdGidNumberPoolMax $ fdUidNumberPoolMax $
- fdAclRoleRDN $ fdCnPattern $
+ fdAclRoleRDN $ fdCnPattern $ fdRestrictRoleMembers $
fdPasswordDefaultHash $ fdPasswordMinLength $ fdPasswordMinDiffer $
fdPasswordHook $ fdHandleExpiredAccounts $ fdSaslRealm $ fdSaslExop $
fdForcePasswordDefaultHash $
diff --git a/include/select/class_filterLDAPBlacklist.inc b/include/select/class_filterLDAPBlacklist.inc
index e93695ed5d390a6d4bbb22e8717ac98773193339..dd755483baa93a4f10579665f9228157d8a7ce14 100644
--- a/include/select/class_filterLDAPBlacklist.inc
+++ b/include/select/class_filterLDAPBlacklist.inc
@@ -22,30 +22,51 @@
class filterLDAPBlacklist {
- static function query($parent,$base, $scope, $filter, $attributes, $category, $objectStorage= "")
+ static function query($parent, $base, $scope, $filter, $attributes, $category, $objectStorage = "")
{
- $result = filterLDAP::query($parent,$base, $scope, $filter, $attributes, $category, $objectStorage);
- return(filterLDAPBlacklist::filterByBlacklist($result));
+ $result = filterLDAP::query($parent, $base, $scope, $filter, $attributes, $category, $objectStorage);
+ return filterLDAPBlacklist::filterByBlacklist($result);
}
static function filterByBlacklist($entries)
{
- if(session::is_set('filterBlacklist')){
+ if (session::is_set('filterWhitelist')) {
+ $wlist = session::get('filterWhitelist');
+ if (!empty($wlist)) {
+ foreach ($entries as $id => $entry) {
+ $dn1 = $entry['dn'];
+ $dn2 = $wlist['dn'];
+ if (in_array($entry['dn'], $wlist['dn'])) {
+ continue;
+ }
+ foreach ($wlist['branches'] as $branch) {
+ if (preg_match('/'.preg_quote($branch, '/').'$/', $entry['dn'])) {
+ continue 2;
+ }
+ }
+ unset($entries[$id]);
+ }
+ }
+ }
+ if (session::is_set('filterBlacklist')) {
$blist = session::get('filterBlacklist');
- foreach($blist as $attr_name => $attr_values){
- foreach($attr_values as $match){
- foreach($entries as $id => $entry){
- if(isset($entry[$attr_name])){
+ foreach ($blist as $attr_name => $attr_values) {
+ foreach ($attr_values as $match) {
+ foreach ($entries as $id => $entry) {
+ if (isset($entry[$attr_name])) {
$test = $entry[$attr_name];
- if(!is_array($test)) $test = array($test);
- if(in_array($match, $test)) unset($entries[$id]);
+ if (!is_array($test)) {
+ $test = array($test);
+ }
+ if (in_array($match, $test)) {
+ unset($entries[$id]);
+ }
}
}
}
}
}
- return(array_values($entries));
+ return array_values($entries);
}
}
-
?>
diff --git a/include/simpleplugin/class_dialogAttributes.inc b/include/simpleplugin/class_dialogAttributes.inc
index c000331f484deb8ca74a7d6c45378d5e118eef65..c6bacf197e086e83c80a837a52312f69c9332592 100644
--- a/include/simpleplugin/class_dialogAttributes.inc
+++ b/include/simpleplugin/class_dialogAttributes.inc
@@ -66,6 +66,7 @@ class GenericSelectDialog extends GenericDialog
function dialog_execute ()
{
session::set('filterBlacklist', $this->attribute->getFilterBlackList());
+ session::set('filterWhitelist', $this->attribute->getFilterWhiteList());
return parent::dialog_execute();
}
@@ -189,6 +190,11 @@ class DialogAttribute extends SetAttribute
trigger_error("abstract method");
}
+ function getFilterWhiteList ()
+ {
+ return array();
+ }
+
function loadPostValue ()
{
parent::loadPostValue();
diff --git a/plugins/admin/groups/class_roleGeneric.inc b/plugins/admin/groups/class_roleGeneric.inc
index fa712c4f5f4b7f2b9e8a4d38cb6f5191d889611a..4db9a2fd458eceaa3fcd110a763d63cac7c2d025 100644
--- a/plugins/admin/groups/class_roleGeneric.inc
+++ b/plugins/admin/groups/class_roleGeneric.inc
@@ -18,6 +18,29 @@
Foundation, Inc., 51 Franklin St, Fifth Floor, Boston, MA 02110-1301, USA.
*/
+class RoleMembersAttribute extends UsersAttribute
+{
+ protected $whitelistDns = NULL;
+
+ function getFilterWhiteList()
+ {
+ global $config;
+ if ($config->get_cfg_value('RestrictRoleMembers') == 'TRUE') {
+ if ($this->whitelistDns === NULL) {
+ /* Computes a list of members of all groups within our branch */
+ $groups = objects::ls('ogroup', array('member' => '*'), $this->plugin->base);
+ $this->whitelistDns = call_user_func_array('array_merge_recursive', $groups)['member'];
+ }
+ return array(
+ 'branches' => array($this->plugin->base),
+ 'dn' => $this->whitelistDns,
+ );
+ } else {
+ return array();
+ }
+ }
+}
+
class roleGeneric extends simplePlugin
{
var $mainTab = TRUE;
@@ -74,7 +97,7 @@ class roleGeneric extends simplePlugin
_('Fax number'), _('Fax number'),
'facsimileTelephoneNumber'
),
- new UsersAttribute(
+ new RoleMembersAttribute (
_('Users'), _('Add users for the role'),
'roleOccupant', FALSE
)
diff --git a/plugins/config/class_configInLdap.inc b/plugins/config/class_configInLdap.inc
index c1c931b8ba19ba9115b60ba69acf8cf08c7afe09..2dffa34fbbadeb5c587d93253a15b69fd0feaf18 100644
--- a/plugins/config/class_configInLdap.inc
+++ b/plugins/config/class_configInLdap.inc
@@ -363,6 +363,10 @@ class configInLdap extends simplePlugin
'fdGidNumberPoolMax', FALSE,
0, FALSE, 40000
),
+ new BooleanAttribute (
+ _('Restrict role members'), _('When enabled only users from the same branch or members of groups from the same branch can be added to a role.'),
+ 'fdRestrictRoleMembers'
+ ),
)
),
'debug' => array(