Enable syncing of more LDAP groups

Resolves: #55
operasoftware · Oct 31, 2021 · 946c6ff · 946c6ff
1 parent 41bd1b7
commit 946c6ff
Show file tree

Hide file tree

Showing 3 changed files with 32 additions and 16 deletions.
diff --git a/config/config-sample.ini b/config/config-sample.ini
@@ -138,6 +138,9 @@ group_member_value = uid
 ; interface
 admin_group_cn = ska-administrators
 
+; Other LDAP groups that should have their memberships synced
+;sync_groups[] = ldap_group_name
+
 [inventory]
 ; SSH Key Authority will read the contents of the file /etc/uuid (if it
 ; exists) when syncing with a server. If a value is found, it can be used as a

diff --git a/model/user.php b/model/user.php
@@ -298,7 +298,7 @@ public function check_csrf_token($token) {
  * @throws UserNotFoundException if the user is not found in LDAP
  */
  public function get_details_from_ldap() {
- global $config;
+ global $config, $group_dir;
  $attributes = array();
  $attributes[] = 'dn';
  $attributes[] = $config['ldap']['user_id'];
@@ -327,8 +327,35 @@ public function get_details_from_ldap() {
  $this->admin = 0;
  $group_member = $ldapuser[strtolower($config['ldap']['group_member_value'])];
  $ldapgroups = $this->ldap->search($config['ldap']['dn_group'], LDAP::escape($config['ldap']['group_member']).'='.LDAP::escape($group_member), array('cn'));
+ $memberships = array();
  foreach($ldapgroups as $ldapgroup) {
- if($ldapgroup['cn'] == $config['ldap']['admin_group_cn']) $this->admin = 1;
+ $memberships[$ldapgroup['cn']] = true;
+ }
+ if(isset($config['ldap']['sync_groups']) && is_array($config['ldap']['sync_groups'])) {
+ $syncgroups = $config['ldap']['sync_groups'];
+ } else {
+ $syncgroups = array();
+ }
+ $syncgroups[] = $config['ldap']['admin_group_cn'];
+ foreach($syncgroups as $syncgroup) {
+ try {
+ $group = $group_dir->get_group_by_name($syncgroup);
+ } catch(GroupNotFoundException $e) {
+ $group = new Group;
+ $group->name = $syncgroup;
+ $group->system = 1;
+ $group_dir->add_group($group);
+ }
+ if(isset($memberships[$syncgroup])) {
+ if($syncgroup == $config['ldap']['admin_group_cn']) $this->admin = 1;
+ if(!$this->member_of($group)) {
+ $group->add_member($this);
+ }
+ } else {
+ if($this->member_of($group)) {
+ $group->delete_member($this);
+ }
+ }
  }
  } else {
  throw new UserNotFoundException('User does not exist.');

diff --git a/scripts/ldap_update.php b/scripts/ldap_update.php
@@ -35,14 +35,6 @@
  $user_dir->add_user($active_user);
 }
 
-try {
- $sysgrp = $group_dir->get_group_by_name($config['ldap']['admin_group_cn']);
-} catch(GroupNotFoundException $e) {
- $sysgrp = new Group;
- $sysgrp->name = $config['ldap']['admin_group_cn'];
- $sysgrp->system = 1;
- $group_dir->add_group($sysgrp);
-}
 foreach($users as $user) {
  if($user->auth_realm == 'LDAP') {
  $active = $user->active;
@@ -88,12 +80,6 @@
  }
  }
  }
- if($user->admin && $user->active && !$user->member_of($sysgrp)) {
- $sysgrp->add_member($user);
- }
- if(!($user->admin && $user->active) && $user->member_of($sysgrp)) {
- $sysgrp->delete_member($user);
- }
  $user->update();
  }
 }