Commit
Merge pull request #1892 from ikedas/issue-1853 by ikedas
LDAP: Add `deref` option to specify how to dereference aliases
ikedas authored Sep 22, 2024
2 parents 61bb4dd + a6587f3 commit 096fe95
Showing 9 changed files with 187 additions and 35 deletions.
109 changes: 92 additions & 17 deletions doc/auth.conf.pod
@@ -205,6 +205,36 @@ Search the whole tree below the base object. This is the default.

=back

=item C<deref>

Default value: C<find>

Specifies how to dereference aliases.

Introduced on Sympa 6.2.74.

=over

=item C<never>

Aliases are never dereferenced.

=item C<search>

Aliases are dereferenced in searching subordinates of the base object.

=item C<find>

Aliases are derefernced in locating the base object, but
not in searching subordinates of the base object.
This is the default.

=item C<always>

Aliases are always dereferenced.

=back

=item C<authentication_info_url>

Defines the URL of a document describing LDAP password management. When
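Review bot: typo in the added C<find> item, "Aliases are derefernced in locating the base object" should read "dereferenced". Since C<find> is the default and this is the only item that spells out the find/search distinction, this is the sentence administrators will rely on when choosing a value; it would also help to say that the four values correspond to the LDAP derefAliases choices (never, in searching, in finding the base object, always) so readers can map them to their directory's documentation.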
@@ -385,31 +415,50 @@ not defined>:

=over

=item C<ldap_host>
=item C<host>

The LDAP host Sympa will connect to fetch user email. The C<ldap_host>
(formerly C<ldap_host>)

The LDAP host Sympa will connect to fetch user email. The C<host>
include the port number and it may be a comma separated list of redundant
hosts.

=item C<ldap_bind_dn>
=item C<bind_dn>

(formerly C<ldap_bind_dn>)

The DN used to bind to this server. Anonymous bind is used if this parameter
is not defined.

=item C<ldap_bind_password>
=item C<bind_password>

(formerly C<ldap_bind_password>)

The password used unless anonymous bind is used.

=item C<ldap_suffix>
=item C<suffix>

(formerly C<ldap_suffix>)

The LDAP suffix used when searching user email.

=item C<ldap_scope>
=item C<scope>

(formerly C<ldap_scope>)

The scope used when searching user email. Possible values are C<sub>, C<base>
and C<one>.

=item C<ldap_get_email_by_uid_filter>
=item C<deref>

(introduced on 6.2.74)

How to dereference the aliases on searching LDAP.
Possible values are C<never>, C<search>, C<find> and C<always>.

=item C<get_email_by_uid_filter>

(formerly C<ldap_get_email_by_uid_filter>)

The filter used to perform the email search. It can refer to any environment
variables inherited from the SSO module, as shown below.
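Review bot: grammar on the renamed C<host> item: "The C<host> include the port number" should be "includes". The sentence is already rewritten by this hunk, so the fix belongs here rather than in a follow-up.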
@@ -418,12 +467,16 @@ Example:

ldap_get_email_by_uid_filter (mail=[SSL_CLIENT_S_DN_Email])

=item C<ldap_email_attribute>
=item C<email_attribute>

(formerly C<ldap_email_attribute>)

The attribute name to be used as user canonical email. In the current version
of Sympa, only the first value returned by the LDAP server is used.

=item C<ldap_timeout>
=item C<timeout>

(formerly C<ldap_timeout>)

The time out for the search.

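Review bot: the example directly under "Example:" still uses the old name, `ldap_get_email_by_uid_filter (mail=[SSL_CLIENT_S_DN_Email])`, while the item it illustrates was just renamed to C<get_email_by_uid_filter> with the old name demoted to "(formerly ...)". The example should use the new name so a reader copying it gets the documented parameter rather than the legacy one.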
@@ -519,40 +572,62 @@ The proxy validate service path, only used by the Sympa SOAP server.

=over

=item C<ldap_host>
=item C<host>

(formerly C<ldap_host>)

The LDAP host Sympa will connect to fetch user email when user uid is return
by CAS service. The C<ldap_host> includes the port number and it may be a
comma separated list of redundant hosts.

=item C<ldap_bind_dn>
=item C<bind_dn>

(formerly C<ldap_bind_dn>)

The DN used to bind to this server. Anonymous bind is used if this parameter
is not defined.

=item C<ldap_bind_password>
=item C<bind_password>

(formerly C<ldap_bind_password>)

The password used unless anonymous bind is used.

=item C<ldap_suffix>
=item C<suffix>

(formerly C<ldap_suffix>)

The LDAP suffix used when searching user email.

=item C<ldap_scope>
=item C<scope>

(formerly C<ldap_scope>)

The scope used when searching user email. Possible values are C<sub>, C<base>
and C<one>.

=item C<ldap_get_email_by_uid_filter>
=item C<deref>

(introduced on 6.2.74)

How to dereference the aliases on searching LDAP.

=item C<get_email_by_uid_filter>

(formerly C<ldap_get_email_by_uid_filter>)

The filter used to perform the email search.

=item C<ldap_email_attribute>
=item C<email_attribute>

(formerly C<ldap_email_attribute>)

The attribute name to be used as user canonical email. In the current version
of Sympa, only the first value returned by the LDAP server is used.

=item C<ldap_timeout>
=item C<timeout>

(formerly C<ldap_timeout>)

The time out for the search.

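Review bot: two leftovers in the CAS section. The unchanged context under the renamed C<host> item still reads "The C<ldap_host> includes the port number" (and "when user uid is return by CAS service" should be "returned"), so the description no longer matches the item name it sits under. Separately, the C<deref> item here only says "How to dereference the aliases on searching LDAP." and omits the "Possible values are C<never>, C<search>, C<find> and C<always>." sentence that the generic_sso section carries; the two sections should be aligned so the accepted values are documented in both places.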
1 change: 1 addition & 0 deletions src/cgi/wwsympa.fcgi.in
@@ -3670,6 +3670,7 @@ sub is_ldap_user {
base => $ldap->{'suffix'},
filter => "$filter",
scope => $ldap->{'scope'},
deref => $ldap->{'deref'},
timeout => $ldap->{'timeout'}
);

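Review bot: `deref => $ldap->{'deref'}` is handed to the search call with no fallback, whereas src/lib/Sympa/CLI/test/ldap.pm in the same commit guards with `($options->{deref} || 'find')`. That is fine as long as every `$ldap` hash reaching `is_ldap_user` has gone through the `||= 'find'` defaulting added in Conf.pm; worth confirming there is no other constructor for this hash, otherwise an undefined value would be passed to the LDAP client and the behaviour would depend on the library's own default rather than the documented one.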
16 changes: 11 additions & 5 deletions src/lib/Conf.pm
@@ -685,12 +685,13 @@ sub _load_auth {
'get_dn_by_uid_filter' => '.+',
'get_dn_by_email_filter' => '.+',
'email_attribute' => Sympa::Regexps::ldap_attrdesc(),
'alternative_email_attribute' => '.*', # Obsoleted
'alternative_email_attribute' => '.*', # Obsoleted
'scope' => 'base|one|sub',
'authentication_info_url' => 'http(s)?:/.*',
'use_tls' => 'starttls|ldaps|none',
'use_ssl' => '1', # Obsoleted
'use_start_tls' => '1', # Obsoleted
'deref' => 'never|search|find|always',
'authentication_info_url' => 'http(s)?:/.*',
'use_tls' => 'starttls|ldaps|none',
'use_ssl' => '1', # Obsoleted
'use_start_tls' => '1', # Obsoleted
'ssl_version' => 'sslv2/3|sslv2|sslv3|tlsv1|tlsv1_[123]',
'ssl_ciphers' => '[\w:]+',
'ssl_cert' => '.+',
@@ -722,6 +723,7 @@ sub _load_auth {
'timeout' => '\d+',
'suffix' => '.+',
'scope' => 'base|one|sub',
'deref' => 'never|search|find|always',
'get_email_by_uid_filter' => '.+',
'email_attribute' => Sympa::Regexps::ldap_attrdesc(),
'use_tls' => 'starttls|ldaps|none',
@@ -749,6 +751,7 @@ sub _load_auth {
'timeout' => '\d+',
'suffix' => '.+',
'scope' => 'base|one|sub',
'deref' => 'never|search|find|always',
'get_email_by_uid_filter' => '.+',
'email_attribute' => Sympa::Regexps::ldap_attrdesc(),
'use_tls' => 'starttls|ldaps|none',
@@ -883,10 +886,12 @@ sub _load_auth {
## Force the default scope because '' is interpreted as
## 'base'
$current_paragraph->{'scope'} ||= 'sub';
$current_paragraph->{'deref'} ||= 'find';
} elsif ($current_paragraph->{'auth_type'} eq 'generic_sso') {
## Force the default scope because '' is interpreted as
## 'base'
$current_paragraph->{'scope'} ||= 'sub';
$current_paragraph->{'deref'} ||= 'find';
## default value for http_header_value_separator is ';'
$current_paragraph->{'http_header_value_separator'} ||=
';';
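Review bot: the existing comment "Force the default scope because '' is interpreted as 'base'" now sits above two forced defaults but explains only the scope one. Add a short comment for the new `$current_paragraph->{'deref'} ||= 'find';` line stating why the default is forced here instead of being left to the search caller, so the next reader does not assume the scope rationale covers both. The same applies to the identical addition in the hunk at line 903.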
@@ -903,6 +908,7 @@ sub _load_auth {
## Force the default scope because '' is interpreted as
## 'base'
$current_paragraph->{'scope'} ||= 'sub';
$current_paragraph->{'deref'} ||= 'find';
} elsif ($current_paragraph->{'auth_type'} eq 'user_table') {
;
} elsif ($current_paragraph->{'auth_type'} eq 'cgi') {
1 change: 1 addition & 0 deletions src/lib/Sympa/CLI/test/ldap.pm
@@ -89,6 +89,7 @@ sub _run {
base => ($options->{suffix} // ''),
filter => $filter,
scope => ($options->{scope} || 'sub'),
deref => ($options->{deref} || 'find'),
attrs =>
($options->{attrs} ? [split /\s*,\s*/, $options->{attrs}] : ['']),
) or die sprintf "Search impossible: %s\n", $db->error;
68 changes: 61 additions & 7 deletions src/lib/Sympa/Config/Schema.pm
@@ -348,7 +348,7 @@ our %pinfo = (
gettext_id => 'Name of the database',
gettext_comment =>
"With SQLite, this must be the full path to database file.\nWith Oracle Database, this must be SID, net service name or easy connection identifier (to use net service name, db_host should be set to \"none\" and HOST, PORT and SERVICE_NAME should be defined in tnsnames.ora file).",
format => '.+',
format => '.+',
occurrence => '1',
},
db_user => {
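Review bot: this hunk (and the ones at 1768, 3872 and 4432) is indentation-only realignment of the `format`, `obsolete`, `context` and `order` keys and has nothing to do with the deref feature. Mixing formatter churn into a feature commit makes the change harder to review and to bisect; consider moving the whitespace changes to a separate commit.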
@@ -1768,8 +1768,8 @@ our %pinfo = (
default => 'owner',
},
quota => {
context => [qw(list domain site)],
order => 3,
context => [qw(list domain site)],
order => 3,
gettext_id => "quota",
gettext_unit => 'Kbytes',
format => '\d+',
@@ -3469,6 +3469,15 @@ our %pinfo = (
occurrence => '1',
default => 'sub'
},
deref => {
context => [qw(list)],
order => 5.5,
gettext_id => "dereferencing aliases",
format => ['never', 'search', 'find', 'always'],
occurrence => '1',
default => 'find',
not_before => '6.2.74',
},
timeout => {
context => [qw(list)],
order => 6,
@@ -3650,6 +3659,15 @@ our %pinfo = (
format => ['base', 'one', 'sub'],
default => 'sub'
},
deref1 => {
context => [qw(list)],
order => 5.5,
gettext_id => "dereferencing aliases",
format => ['never', 'search', 'find', 'always'],
occurrence => '1',
default => 'find',
not_before => '6.2.74',
},
timeout1 => {
context => [qw(list)],
order => 6,
@@ -3704,6 +3722,15 @@ our %pinfo = (
occurrence => '1',
default => 'sub'
},
deref2 => {
context => [qw(list)],
order => 12.5,
gettext_id => "dereferencing aliases",
format => ['never', 'search', 'find', 'always'],
occurrence => '1',
default => 'find',
not_before => '6.2.74',
},
timeout2 => {
context => [qw(list)],
order => 13,
@@ -3872,8 +3899,8 @@ our %pinfo = (
order => 9,
gettext_id =>
"Directory where the database is stored (used for DBD::CSV only)",
format => '.+',
obsolete => 'db_name',
format => '.+',
obsolete => 'db_name',
not_after => '6.2.70',
},
nosync_time_ranges => {
@@ -4038,6 +4065,15 @@ our %pinfo = (
occurrence => '1',
default => 'sub'
},
deref => {
context => [qw(list)],
order => 5.5,
gettext_id => "dereferencing aliases",
format => ['never', 'search', 'find', 'always'],
occurrence => '1',
default => 'find',
not_before => '6.2.74',
},
timeout => {
context => [qw(list)],
order => 6,
@@ -4215,6 +4251,15 @@ our %pinfo = (
occurrence => '1',
default => 'sub'
},
deref1 => {
context => [qw(list)],
order => 5.5,
gettext_id => "dereferencing aliases",
format => ['never', 'search', 'find', 'always'],
occurrence => '1',
default => 'find',
not_before => '6.2.74',
},
timeout1 => {
context => [qw(list)],
order => 6,
@@ -4269,6 +4314,15 @@ our %pinfo = (
occurrence => '1',
default => 'sub'
},
deref2 => {
context => [qw(list)],
order => 12.5,
gettext_id => "dereferencing aliases",
format => ['never', 'search', 'find', 'always'],
occurrence => '1',
default => 'find',
not_before => '6.2.74',
},
timeout2 => {
context => [qw(list)],
order => 13,
@@ -4432,8 +4486,8 @@ our %pinfo = (
order => 9,
gettext_id =>
"Directory where the database is stored (used for DBD::CSV only)",
format => '.+',
obsolete => 'db_name',
format => '.+',
obsolete => 'db_name',
not_after => '6.2.70',
},
email_entry => {

0 comments on commit 096fe95