Zend Framework

Add possibility to check group-membership in Zend_Auth_Adapter_Ldap

Details

  • Type: New Feature
  • Status: Resolved
  • Priority: Major
  • Resolution: Fixed
  • Affects Version/s: 1.7 Preview Release
  • Fix Version/s: 1.9.2
  • Component/s: Zend_Auth_Adapter_Ldap
  • Labels: None

Description

When using Zend_Auth_Adapter_Ldap, there is no additional check whether a user is a member of a specific group.

I found this in an old proposal:
http://framework.zend.com/wiki/display/ZFPROP/Zend_Auth_Adapter_Ldap?showComments=false

'group_dn' : the DN of a group the authenticated user should be member of. If the user is authenticated against the LDAP, but is not member of the specified group, the authentication will fail (not implemented yet).

This feature is also available in PEAR_Auth, and I think many people out there would like to use such a feature, because mostly not everybody in an LDAP directory should be able to log in, but only specific groups (e.g. departments in a company, or just admins and not "normal users").

  1. BDBAuthAdapterLdap.php
    31/Oct/08 5:40 AM
    5 kB
    Michael Kliewe
  2. BDBLdap.php
    31/Oct/08 5:40 AM
    5 kB
    Michael Kliewe

Activity

Michael Kliewe added a comment -

Here are my derived classes where I added the described feature.

You can use them to add the functionality to Zend_Ldap and Zend_Auth_Adapter_Ldap.

I'm not a specialist in Zend-Coding-Standards, but it will help you.

I used the following config to use the new feature:

ldap.server1.host = ldap.domain.de
ldap.server1.useSsl = false

ldap.server1.accountDomainName = blub.domain.com
ldap.server1.accountDomainNameShort = blub
ldap.server1.accountCanonicalForm = 3
ldap.server1.accountFilterFormat = "(&(objectClass=user)(sAMAccountName=%s))"

ldap.server1.username = "cn=ldap,ou=myCompany,DC=blub,DC=domain,DC=com"
ldap.server1.password = mypwd
ldap.server1.baseDn = "DC=blub,DC=domain,DC=com"
ldap.server1.bindRequiresDn = true

ldap.server1.groups.1 = "Group 1 Admins"
ldap.server1.groups.2 = "Group 2 Germany Account Manager"

ldap.server1.groupAttr = "samAccountName"
ldap.server1.groupFilter = "(objectClass=group)"
ldap.server1.memberAttr = "member"

Matthew Weier O'Phinney added a comment -

Assigning to Stefan Gehrig

Stefan Gehrig added a comment -

Not sure where to put this new feature...
Generally I'd say that this belongs in Zend_Auth_Adapter_Ldap, but the current structure will make adding this very hacky, as the whole authentication logic is actually situated in Zend_Ldap and all parameters are passed into Zend_Ldap as they are.

I really would like to separate the core LDAP functionality (Zend_Ldap) from everything that's related to authentication (Zend_Ldap_Auth_Adapter_Ldap) - but that would surely break BC.

I will have a look at this one - perhaps it's possible to refactor the thing and to add the group-membership-feature along the way without breaking BC.

Stefan Gehrig added a comment -

Feature request closed in trunk rev. 17554.

Added the possibility to pass the following options to Zend_Auth_Adapter_Ldap

$adapterOptions = array(
    'group'       => null, // the group the user must be member of; if NULL group-membership-check is disabled
    'groupDn'     => $ldap->getBaseDn(), // the parent DN under which the groups are located; defaults to the baseDn of the underlying Zend_Ldap
    'groupScope'  => Zend_Ldap::SEARCH_SCOPE_SUB, // the search scope when searching for groups
    'groupAttr'   => 'cn', // the attribute name for the RDN
    'groupFilter' => 'objectClass=groupOfUniqueNames', // an additional group filter that's added to the search filter
    'memberAttr'  => 'uniqueMember', // the group attribute in which to look for the user
    'memberIsDn'  => true // if TRUE then the account DN is used to check membership, otherwise the canonical account name is used
);

The options are not passed to the underlying Zend_Ldap so the group-membership-check is only available when using Zend_Auth_Adapter_Ldap.
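To make the semantics of the options concrete, here is an added example (not Zend Framework code, and not the attached derived classes) that follows the option names from the comment above and the config Michael posted earlier: it builds the single LDAP search filter the group check amounts to, escapes the values placed into it, and evaluates the same conditions against a constructed in-memory directory that stands in for Zend_Ldap. The helper names, the "exactly one matching group" rule and the sample entries are assumptions made for this illustration; only the "attr=value" form of groupFilter is understood.

```php
<?php
// Added example, not Zend Framework code. The directory below is constructed;
// helper names are assumptions. Option names follow Stefan's comment above.

/** Escape a value for use inside an LDAP search filter (RFC 4515). */
function ldapFilterEscape(string $value): string
{
    return strtr($value, ['\\' => '\5c', '*' => '\2a', '(' => '\28', ')' => '\29', "\0" => '\00']);
}

/**
 * Filter equivalent to the membership check: group RDN attribute equals the
 * configured group, the member attribute holds the account (DN or canonical
 * name, per memberIsDn), AND-ed with the extra groupFilter.
 */
function buildGroupMembershipFilter(array $opts, string $accountDn, string $canonicalName): string
{
    if ($opts['group'] === null) {
        return ''; // check disabled, no filter needed
    }
    $member = $opts['memberIsDn'] ? $accountDn : $canonicalName;
    $groupFilter = $opts['groupFilter'];
    if ($groupFilter !== '' && $groupFilter[0] !== '(') {
        $groupFilter = '(' . $groupFilter . ')';
    }
    return '(&(' . $opts['groupAttr'] . '=' . ldapFilterEscape($opts['group']) . ')'
         . '(' . $opts['memberAttr'] . '=' . ldapFilterEscape($member) . ')'
         . $groupFilter . ')';
}

/**
 * Stand-in for counting that filter's results under groupDn (scope "sub").
 * Returns true only when exactly one group matches: zero means the account is
 * not a member, more than one means the group name is ambiguous; both fail closed.
 */
function checkGroupMembership(array $directory, array $opts, string $accountDn, string $canonicalName): bool
{
    if ($opts['group'] === null) {
        return true; // check disabled, as the option comment states
    }
    $member = strtolower($opts['memberIsDn'] ? $accountDn : $canonicalName);
    [$filterAttr, $filterValue] = explode('=', trim($opts['groupFilter'], '()'), 2);

    $matches = 0;
    foreach ($directory as $dn => $entry) {
        // the entry must lie beneath groupDn
        if (!preg_match('/,' . preg_quote($opts['groupDn'], '/') . '$/i', $dn)) {
            continue;
        }
        // groupAttr=group (attribute values compare case-insensitively)
        if (strcasecmp($entry[$opts['groupAttr']] ?? '', $opts['group']) !== 0) {
            continue;
        }
        // the extra groupFilter, e.g. objectClass=groupOfUniqueNames
        if (!in_array(strtolower($filterValue), array_map('strtolower', $entry[$filterAttr] ?? []), true)) {
            continue;
        }
        // memberAttr contains the account DN or canonical name
        if (in_array($member, array_map('strtolower', $entry[$opts['memberAttr']] ?? []), true)) {
            $matches++;
        }
    }
    return $matches === 1;
}

// Constructed sample directory: one group, two accounts, only alice is a member.
$directory = [
    'cn=admins,ou=groups,dc=example,dc=com' => [
        'objectClass'  => ['top', 'groupOfUniqueNames'],
        'cn'           => 'admins',
        'uniqueMember' => ['uid=alice,ou=people,dc=example,dc=com'],
    ],
    'uid=alice,ou=people,dc=example,dc=com' => ['objectClass' => ['inetOrgPerson'], 'uid' => 'alice'],
    'uid=bob,ou=people,dc=example,dc=com'   => ['objectClass' => ['inetOrgPerson'], 'uid' => 'bob'],
];

$opts = [
    'group'       => 'admins',
    'groupDn'     => 'dc=example,dc=com',
    'groupAttr'   => 'cn',
    'groupFilter' => 'objectClass=groupOfUniqueNames',
    'memberAttr'  => 'uniqueMember',
    'memberIsDn'  => true,
];

echo buildGroupMembershipFilter($opts, 'uid=alice,ou=people,dc=example,dc=com', 'alice'), "\n";
var_dump(checkGroupMembership($directory, $opts, 'uid=alice,ou=people,dc=example,dc=com', 'alice'));
var_dump(checkGroupMembership($directory, $opts, 'uid=bob,ou=people,dc=example,dc=com', 'bob'));
```

Two points worth keeping in mind when configuring the real adapter: the account DN or canonical name is interpolated into the group search filter, so it must be escaped (Zend_Ldap_Filter does this; a hand-built filter must too), and with memberIsDn set to false the value compared is the canonical account name (e.g. sAMAccountName), which must match what the directory actually stores in memberAttr.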

