LDAP search filter for ldap:LDAP authsource?

Peter Schober

Jun 18, 2010, 5:49:57 PM
to simple...@googlegroups.com
Can we have a search.filter option for ldap:LDAP authsources.php?

search.attributes already does an implicit (pseudo-code follows):
(|(search.attributes[0]=%s)(search.attributes[1]=%s)) etc. for all
values of the search.attributes array.

Additionally (or alternatively, since it's a superset) it would be
helpful to merge (&(...)(...)) this with an RFC4515 search filter,
e.g.:

'search.enable' => true,
'search.base' => 'dc=example,dc=org',
'search.attributes' => array('uid'),
'search.filter' => '(&(objectClass=fooPerson)(!(disabledFor=WebSSO))',

This probably has some overlap with the authorize:Authorize module by
Erny, but it seems to me to be more commonly found in LDAP-aware software,
more generic and slightly more efficient (since you don't have to pull
and configure the attributes to be able to operate your AuthZ logic on
them).

Just a thought,
-peter

ps: I know and have commented myself on how authorisation is the SP's
job in the past, still :)
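An added example (not from this thread or from SimpleSAMLphp) of the combined filter the post above describes: the OR over search.attributes is ANDed with the configured RFC 4515 filter, the username is escaped before it enters the filter, and the configured filter is checked for balanced parentheses before it is merged. Function names are assumptions; note that the filter as quoted in the post has one more `(` than `)` and would be rejected by that check.

```php
<?php
// Added example, not SimpleSAMLphp code: builds the filter the proposed
// 'search.filter' option would yield, i.e. the OR over search.attributes
// ANDed with an administrator-supplied RFC 4515 filter. Names are assumed.

// Escape a value per RFC 4515 section 3. The username comes from the login
// form, so it must never be spliced into the filter unescaped.
function escapeFilterValue(string $value): string
{
    $out = '';
    for ($i = 0, $n = strlen($value); $i < $n; $i++) {
        $c = $value[$i];
        $special = strpos("\\*()\0", $c) !== false || ord($c) < 0x20;
        $out .= $special ? sprintf('\\%02x', ord($c)) : $c;
    }
    return $out;
}

// Sanity-check the static filter from config: one outer pair of balanced
// parentheses. A malformed value would otherwise break every login.
function isWellFormedFilter(string $filter): bool
{
    if ($filter === '' || $filter[0] !== '(' || substr($filter, -1) !== ')') { return false; }
    $depth = 0;
    for ($i = 0, $n = strlen($filter); $i < $n; $i++) {
        if ($filter[$i] === '(') {
            $depth++;
        } elseif ($filter[$i] === ')') {
            // Depth may only return to zero on the final character.
            if (--$depth < 0 || ($depth === 0 && $i !== $n - 1)) { return false; }
        }
    }
    return $depth === 0;
}

// (|(a1=user)(a2=user)), merged as (&(...)(static)) when a static filter is set.
function buildSearchFilter(array $attributes, string $username, ?string $static): string
{
    $user = escapeFilterValue($username);
    $clauses = array_map(fn(string $a): string => "($a=$user)", $attributes);
    $userFilter = count($clauses) === 1 ? $clauses[0] : '(|' . implode('', $clauses) . ')';
    if ($static === null || $static === '') { return $userFilter; }
    if (!isWellFormedFilter($static)) { throw new InvalidArgumentException("search.filter is malformed: $static"); }
    return '(&' . $userFilter . $static . ')';
}

// Constructed sample: a username carrying filter metacharacters, and the
// filter from the post above with its closing parenthesis added.
echo buildSearchFilter(['uid', 'mail'], 'j.doe(x)', '(&(objectClass=fooPerson)(!(disabledFor=WebSSO)))'), "\n";
```

The parentheses in the sample username come out as `\28` and `\29`, so a login name can never alter the structure of the filter; only the administrator-controlled static part can, which is why it is validated at build time.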

Olav Morken

Jun 21, 2010, 2:45:35 AM
to simple...@googlegroups.com
On Fri, Jun 18, 2010 at 23:49:57 +0200, Peter Schober wrote:
> Can we have a search.filter option for ldap:LDAP authsources.php?
>
> search.attributes already does an implicit (pseudo-code follows):
> (|(search.attributes[0]=%s)(search.attributes[1]=%s)) etc. for all
> values of the search.attributes array.
>
> Additionally (or alternatively, since it's a superset) it would be
> helpful to merge (&(...)(...)) this with an RFC4515 search filter,
> e.g.:
>
> 'search.enable' => true,
> 'search.base' => 'dc=example,dc=org',
> 'search.attributes' => array('uid'),
> 'search.filter' => '(&(objectClass=fooPerson)(!(disabledFor=WebSSO))',
>
> This probably has some overlap with the authorize:Authorize module by
> Erny, but it seems to me to be more commonly found in LDAP-aware software,
> more generic and slightly more efficient (since you don't have to pull
> and configure the attributes to be able to operate your AuthZ logic on
> them).

I created issue 325[1] for this feature. I cannot promise anything about
whether or when it will be implemented.

[1] http://code.google.com/p/simplesamlphp/issues/detail?id=325

--
Olav Morken
UNINETT / Feide

rastrano

Jan 21, 2011, 6:22:42 AM
to Olav Morken, simple...@googlegroups.com, Stefano Gargiulo
Hi, I needed this so I implemented it in my installation; I post an
image with the diffs to give a possible way to do it:

http://easycaptures.com/fs/uploaded/321/8089322577.png

It isn't hard but very useful to achieve things like user
self-registration with admin approval (pending for activation), disabled
users etc.

Best regards,
Stefano.

Here is my own svn raw diff:

Index: GarrSSO/usr/local/simplesamlphp-1.7.0/config/authsources.php
===================================================================
--- GarrSSO/usr/local/simplesamlphp-1.7.0/config/authsources.php
(revision 66)
+++ GarrSSO/usr/local/simplesamlphp-1.7.0/config/authsources.php
(revision 67)
@@ -148,6 +148,7 @@
// As an alternative to specifying a pattern for the users
DN, it is possible to
// search for the username in a set of attributes. This is
enabled by this option.
'search.enable' => TRUE,
+ 'search.filter' => "(x-garr-ProjectUserMembership=GarrSSO)",
// The DN which will be used as a base for the search.
// This can be a single string, in which case only that DN is
searched, or an
// array of strings, in which case they will be searched in
the order given.
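Review bot: the added `'search.filter'` line is the only option in this block without the explanatory comment its neighbours carry; add a comment stating that the value must be a complete, parenthesised RFC 4515 filter that is ANDed with the username search, and replace the deployment-specific `(x-garr-ProjectUserMembership=GarrSSO)` with a generic example (for instance an `objectClass` test) so the shipped sample config does not carry one site's custom attribute.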
Index: GarrSSO/usr/local/simplesamlphp-1.7.0/lib/SimpleSAML/Auth/
LDAP.php
===================================================================
--- GarrSSO/usr/local/simplesamlphp-1.7.0/lib/SimpleSAML/Auth/LDAP.php
(revision 66)
+++ GarrSSO/usr/local/simplesamlphp-1.7.0/lib/SimpleSAML/Auth/LDAP.php
(revision 67)
@@ -184,7 +184,7 @@
* @throws SimpleSAML_Error_UserNotFound if:
* - Zero entries was found
*/
- private function search($base, $attribute, $value) {
+ private function search($base, $attribute, $value,
$searchFilter=NULL) {

// Create the search filter.
$attribute = self::escape_filter_value($attribute, FALSE);
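Review bot: the docblock directly above the changed signature is not updated for the new parameter; add an `@param string|NULL $searchFilter` entry stating that it must be a complete parenthesised filter or NULL, and write `$searchFilter = NULL` with spaces to match `$allowZeroHits = FALSE` elsewhere in this file.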
@@ -203,11 +203,17 @@
// We have only one attribute.
$filter = '(' . $attribute . '=' . $value. ')';

+
+
} else {
// We have an unknown attribute type...
throw $this->makeException('Library - LDAP search(): Search
attribute must be an array or a string', ERR_INTERNAL);
}
-
+ if ($searchFilter!=NULL){
+ $filter= "(&".$filter."".$searchFilter.")";
+ }
+ // array_walk(debug_backtrace(),create_function('$a,
$b','print "{$a[\'function\']}()(".basename($a[\'file\']).":{$a[\'line
\']}); ";'));
+ // die($filter);
// Search using generated filter.
SimpleSAML_Logger::debug('Library - LDAP search(): Searching base
\'' . $base . '\' for \'' . $filter . '\'');
// TODO: Should aliases be dereferenced?
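Review bot: the debugging leftovers added here (the commented-out `array_walk(debug_backtrace(), ...)` line and `// die($filter);`) and the two blank lines inserted after `$filter = '(' . $attribute . '=' . $value. ')';` should not be part of the patch. In the new block, `if ($searchFilter!=NULL)` is a loose comparison and `"(&".$filter."".$searchFilter.")"` concatenates an empty string for no reason; use `if ($searchFilter !== NULL)` and `'(&' . $filter . $searchFilter . ')'`. More importantly, `$searchFilter` is spliced in verbatim, so a configured value that is not a complete parenthesised filter yields a malformed filter and every login fails with an LDAP error rather than a clear configuration error; check that the value starts with `(` and ends with `)` (or has balanced parentheses) before concatenating. The existing debug line that follows already logs the final filter, which is the right place to confirm the result.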
@@ -264,7 +270,7 @@
* - $allowZeroHits er TRUE and no result is found
*
*/
- public function searchfordn($base, $attribute, $value,
$allowZeroHits = FALSE) {
+ public function searchfordn($base, $attribute, $value,
$allowZeroHits = FALSE,$searchFilter=NULL) {

// Traverse all search bases, returning DN if found.
$bases = SimpleSAML_Utilities::arrayize($base);
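Review bot: same gap as in `search()`: the docblock above `searchfordn()` is not updated for the new `$searchFilter` parameter, and `$allowZeroHits = FALSE,$searchFilter=NULL` is missing the space after the comma and around `=`.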
@@ -272,7 +278,7 @@
foreach ($bases AS $current) {
try {
// Single base search.
- $result = $this->search($current, $attribute, $value);
+ $result = $this->search($current, $attribute, $value,
$searchFilter);
// We don't hawe to look any futher if user is found
if (!empty($result))
return $result;
Index: GarrSSO/usr/local/simplesamlphp-1.7.0/modules/ldap/lib/
ConfigHelper.php
===================================================================
--- GarrSSO/usr/local/simplesamlphp-1.7.0/modules/ldap/lib/
ConfigHelper.php (revision 66)
+++ GarrSSO/usr/local/simplesamlphp-1.7.0/modules/ldap/lib/
ConfigHelper.php (revision 67)
@@ -70,7 +70,9 @@
*/
private $searchBase;

+ private $searchFilter;

+
/**
* The attributes which should match the username.
*/
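Review bot: `private $searchFilter;` is added without the `/** ... */` docblock every other property in this class carries (see `$searchBase` just above it), and the hunk adds two stray blank lines; document it as the optional static filter ANDed with the username search, NULL when unset, and drop the extra blank lines.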
@@ -136,6 +138,7 @@
}

$this->searchBase = $config->getArrayizeString('search.base');
+ $this->searchFilter = $config-
>getString('search.filter',NULL);
$this->searchAttributes = $config->getArray('search.attributes');

} else {
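Review bot: `$config->getString('search.filter', NULL)` accepts any string, so a malformed filter is not detected until the first login attempt; validate the value here at configuration-load time (non-empty, starting with `(` and ending with `)`) and throw a configuration error that names the `search.filter` option, so a typo in the config fails fast instead of surfacing as a generic LDAP search error for every user.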
@@ -184,7 +187,7 @@
}
}

- $dn = $ldap->searchfordn($this->searchBase, $this-
>searchAttributes, $username, TRUE);
+ $dn = $ldap->searchfordn($this->searchBase, $this-
>searchAttributes, $username, TRUE,$this->searchFilter);
if ($dn === NULL) {
/* User not found with search. */
SimpleSAML_Logger::info($this->location . ': Unable to find users
DN. username=\'' . $username . '\'');
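Review bot: with the filter applied, a user who exists but is excluded by `search.filter` (disabled, or pending approval, which is exactly what this patch is used for) now produces the same `Unable to find users DN` log line as an unknown username; include the configured filter in that info-level message (or log a distinct message for the filtered case) so operators triaging failed logins can tell the two apart.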
