search.attributes already does an implicit (pseudo-code follows):
(|(search.attributes[0]=%s)(search.attributes[1]=%s)) etc. for all
values of the search.attributes array.
Additionally (or alternatively, since it's a superset) it would be
helpful to merge (&(...)(...)) this with an RFC4515 search filter,
e.g.:
'search.enable' => true,
'search.base' => 'dc=example,dc=org',
'search.attributes' => array('uid'),
'search.filter' => '(&(objectClass=fooPerson)(!(disabledFor=WebSSO)))',
This probably has some overlap with the authorize:Authorize module by
Erny, but it seems to me to be more commonly found in LDAP-aware software,
more generic, and slightly more efficient (since you don't have to pull
and configure the attributes in order to run your AuthZ logic on
them).
Just a thought,
-peter
ps: I know and have commented myself on how authorisation is the SP's
job in the past, still :)
I created issue 325[1] for this feature. I cannot promise anything about
whether or when it will be implemented.
[1] http://code.google.com/p/simplesamlphp/issues/detail?id=325
--
Olav Morken
UNINETT / Feide
http://easycaptures.com/fs/uploaded/321/8089322577.png
It isn't hard, but it is very useful for achieving things like user self-
registration with admin approval (pending activation), disabled
users, etc.
Best regards,
Stefano.
Here is my own svn raw diff:
Index: GarrSSO/usr/local/simplesamlphp-1.7.0/config/authsources.php
===================================================================
--- GarrSSO/usr/local/simplesamlphp-1.7.0/config/authsources.php
(revision 66)
+++ GarrSSO/usr/local/simplesamlphp-1.7.0/config/authsources.php
(revision 67)
@@ -148,6 +148,7 @@
// As an alternative to specifying a pattern for the users
DN, it is possible to
// search for the username in a set of attributes. This is
enabled by this option.
'search.enable' => TRUE,
+ 'search.filter' => "(x-garr-ProjectUserMembership=GarrSSO)",
// The DN which will be used as a base for the search.
// This can be a single string, in which case only that DN is
searched, or an
// array of strings, in which case they will be searched in
the order given.
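Review bot: The comment block above `'search.enable'` documents the attribute search, but nothing in this hunk documents the new `'search.filter'` key, so an administrator cannot tell that it must be a complete, parenthesised RFC 4515 filter that is AND-ed with the username match and is inserted into the LDAP query without escaping. A comment before the new line such as `// Optional RFC 4515 filter AND-ed with the username search, e.g. "(objectClass=inetOrgPerson)".` followed by `// It must be a complete, parenthesised filter; it is trusted and is NOT escaped.` would fix that. The value committed here (`x-garr-ProjectUserMembership=GarrSSO`) looks like a site-specific deployment setting rather than part of the feature, so it may be better left out of a patch meant for upstream.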
Index: GarrSSO/usr/local/simplesamlphp-1.7.0/lib/SimpleSAML/Auth/
LDAP.php
===================================================================
--- GarrSSO/usr/local/simplesamlphp-1.7.0/lib/SimpleSAML/Auth/LDAP.php
(revision 66)
+++ GarrSSO/usr/local/simplesamlphp-1.7.0/lib/SimpleSAML/Auth/LDAP.php
(revision 67)
@@ -184,7 +184,7 @@
* @throws SimpleSAML_Error_UserNotFound if:
* - Zero entries was found
*/
- private function search($base, $attribute, $value) {
+ private function search($base, $attribute, $value,
$searchFilter=NULL) {
// Create the search filter.
$attribute = self::escape_filter_value($attribute, FALSE);
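Review bot: The docblock of `search()` that ends just above the changed signature still describes only the original parameters, so the new `$searchFilter` argument is undocumented even though its contract (complete parenthesised filter, not escaped) is what callers most need to know. Add `* @param string|NULL $searchFilter  Optional RFC 4515 filter AND-ed with the attribute match; must be a complete, parenthesised filter and is inserted unescaped.` to that docblock. The body of `search()` continues outside this hunk.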
@@ -203,11 +203,17 @@
// We have only one attribute.
$filter = '(' . $attribute . '=' . $value. ')';
+
+
} else {
// We have an unknown attribute type...
throw $this->makeException('Library - LDAP search(): Search
attribute must be an array or a string', ERR_INTERNAL);
}
-
+ if ($searchFilter!=NULL){
+ $filter= "(&".$filter."".$searchFilter.")";
+ }
+ // array_walk(debug_backtrace(),create_function('$a,
$b','print "{$a[\'function\']}()(".basename($a[\'file\']).":{$a[\'line
\']}); ";'));
+ // die($filter);
// Search using generated filter.
SimpleSAML_Logger::debug('Library - LDAP search(): Searching base
\'' . $base . '\' for \'' . $filter . '\'');
// TODO: Should aliases be dereferenced?
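Review bot: The new `if ($searchFilter!=NULL)` splices `$searchFilter` into the filter string with no check that it is a complete RFC 4515 filter, so a config value without parentheses such as `objectClass=person` produces `(&(uid=x)objectClass=person)` and every login fails with an LDAP syntax error, while a value that opens a sub-filter without closing it silently rewrites the search; the loose `!=` comparison should also be `!==`. The value is deliberately not passed through `escape_filter_value()`, which is acceptable for trusted `authsources.php` configuration but deserves a comment so nobody later feeds it untrusted input. The commented-out `array_walk(debug_backtrace()…` and `die($filter)` lines are debugging leftovers and should be dropped from the commit. `search()` starts and ends outside this hunk.
```php
// … unchanged: $filter built from the (escaped) attribute(s) and value …
if ($searchFilter !== NULL && $searchFilter !== '') {
    // search.filter is trusted admin configuration and is NOT escaped; it must
    // be a complete, parenthesised RFC 4515 filter or the LDAP server rejects the query.
    if ($searchFilter[0] !== '(' || substr($searchFilter, -1) !== ')') {
        throw $this->makeException('Library - LDAP search(): search.filter must be a complete, parenthesised RFC 4515 filter', ERR_INTERNAL);
    }
    $filter = '(&' . $filter . $searchFilter . ')';
}
// … unchanged: search using generated filter …
```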
@@ -264,7 +270,7 @@
* - $allowZeroHits er TRUE and no result is found
*
*/
- public function searchfordn($base, $attribute, $value,
$allowZeroHits = FALSE) {
+ public function searchfordn($base, $attribute, $value,
$allowZeroHits = FALSE,$searchFilter=NULL) {
// Traverse all search bases, returning DN if found.
$bases = SimpleSAML_Utilities::arrayize($base);
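Review bot: The docblock of `searchfordn()` above the changed signature is not updated for the new `$searchFilter` parameter, and because it is appended after `$allowZeroHits` a caller must pass `$allowZeroHits` explicitly to supply a filter, which is worth stating. Add `* @param string|NULL $searchFilter  Optional RFC 4515 filter AND-ed with the attribute match in every base searched; see search().` to the docblock. The body of `searchfordn()` continues outside this hunk.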
@@ -272,7 +278,7 @@
foreach ($bases AS $current) {
try {
// Single base search.
- $result = $this->search($current, $attribute, $value);
+ $result = $this->search($current, $attribute, $value,
$searchFilter);
// We don't hawe to look any futher if user is found
if (!empty($result))
return $result;
Index: GarrSSO/usr/local/simplesamlphp-1.7.0/modules/ldap/lib/
ConfigHelper.php
===================================================================
--- GarrSSO/usr/local/simplesamlphp-1.7.0/modules/ldap/lib/
ConfigHelper.php (revision 66)
+++ GarrSSO/usr/local/simplesamlphp-1.7.0/modules/ldap/lib/
ConfigHelper.php (revision 67)
@@ -70,7 +70,9 @@
*/
private $searchBase;
+ private $searchFilter;
+
/**
* The attributes which should match the username.
*/
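Review bot: The added `private $searchFilter;` sits directly under the docblock that belongs to `$searchBase` and has no comment of its own, so a reader cannot tell whether it holds a raw config string, an escaped value, or a full filter. Give it its own docblock, e.g. `/** Optional RFC 4515 filter AND-ed with the username search, or NULL when 'search.filter' is not configured. */`, matching the style of the neighbouring property comments.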
@@ -136,6 +138,7 @@
}
$this->searchBase = $config->getArrayizeString('search.base');
+ $this->searchFilter = $config-
>getString('search.filter',NULL);
$this->searchAttributes = $config->getArray('search.attributes');
} else {
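Review bot: `$config->getString('search.filter', NULL)` accepts any string, so a malformed filter is only discovered when the first user tries to log in and the LDAP search fails; the shape should be validated here at configuration-load time instead. After the assignment, fail fast on a value that is not parenthesised, e.g. `if ($this->searchFilter !== NULL && ($this->searchFilter === '' || $this->searchFilter[0] !== '(' || substr($this->searchFilter, -1) !== ')')) { throw new Exception($this->location . ': search.filter must be a complete, parenthesised RFC 4515 filter.'); }` — the exact exception class the rest of this constructor uses is not visible in the hunk, so reuse whatever it throws for other invalid options. This hunk is inside the constructor, which starts and ends outside it.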
@@ -184,7 +187,7 @@
}
}
- $dn = $ldap->searchfordn($this->searchBase, $this-
>searchAttributes, $username, TRUE);
+ $dn = $ldap->searchfordn($this->searchBase, $this-
>searchAttributes, $username, TRUE,$this->searchFilter);
if ($dn === NULL) {
/* User not found with search. */
SimpleSAML_Logger::info($this->location . ': Unable to find users
DN. username=\'' . $username . '\'');