diff --git a/doc/auth.conf.pod b/doc/auth.conf.pod index 351fa69a4..29a9cc540 100644 --- a/doc/auth.conf.pod +++ b/doc/auth.conf.pod @@ -205,6 +205,36 @@ Search the whole tree below the base object. This is the default. =back +=item C + +Default value: C + +Specifies how to dereference aliases. + +Introduced on Sympa 6.2.74. + +=over + +=item C + +Aliases are never dereferenced. + +=item C + +Aliases are dereferenced in searching subordinates of the base object. + +=item C + +Aliases are derefernced in locating the base object, but +not in searching subordinates of the base object. +This is the default. + +=item C + +Aliases are always dereferenced. + +=back + =item C Defines the URL of a document describing LDAP password management. When @@ -385,31 +415,50 @@ not defined>: =over -=item C +=item C -The LDAP host Sympa will connect to fetch user email. The C +(formerly C) + +The LDAP host Sympa will connect to fetch user email. The C include the port number and it may be a comma separated list of redundant hosts. -=item C +=item C + +(formerly C) The DN used to bind to this server. Anonymous bind is used if this parameter is not defined. -=item C +=item C + +(formerly C) The password used unless anonymous bind is used. -=item C +=item C + +(formerly C) The LDAP suffix used when searching user email. -=item C +=item C + +(formerly C) The scope used when searching user email. Possible values are C, C and C. -=item C +=item C + +(introduced on 6.2.74) + +How to dereference the aliases on searching LDAP. +Possible values are C, C, C and C. + +=item C + +(formerly C) The filter used to perform the email search. It can refer to any environment variables inherited from the SSO module, as shown below. 
@@ -418,12 +467,16 @@ Example: ldap_get_email_by_uid_filter (mail=[SSL_CLIENT_S_DN_Email]) -=item C +=item C + +(formerly C) The attribute name to be used as user canonical email. In the current version of Sympa, only the first value returned by the LDAP server is used. -=item C +=item C + +(formerly C) The time out for the search. @@ -519,40 +572,62 @@ The proxy validate service path, only used by the Sympa SOAP server. =over -=item C +=item C + +(formerly C) The LDAP host Sympa will connect to fetch user email when user uid is return by CAS service. The C includes the port number and it may be a comma separated list of redundant hosts. -=item C +=item C + +(formerly C) The DN used to bind to this server. Anonymous bind is used if this parameter is not defined. -=item C +=item C + +(formerly C) The password used unless anonymous bind is used. -=item C +=item C + +(formerly C) The LDAP suffix used when searching user email. -=item C +=item C + +(formerly C) The scope used when searching user email. Possible values are C, C and C. -=item C +=item C + +(introduced on 6.2.74) + +How to dereference the aliases on searching LDAP. + +=item C + +(formerly C) The filter used to perform the email search. -=item C +=item C + +(formerly C) The attribute name to be used as user canonical email. In the current version of Sympa, only the first value returned by the LDAP server is used. -=item C +=item C + +(formerly C) The time out for the search. diff --git a/src/cgi/wwsympa.fcgi.in b/src/cgi/wwsympa.fcgi.in index c808e79bc..e8dd77360 100644 --- a/src/cgi/wwsympa.fcgi.in +++ b/src/cgi/wwsympa.fcgi.in @@ -3670,6 +3670,7 @@ sub is_ldap_user { base => $ldap->{'suffix'}, filter => "$filter", scope => $ldap->{'scope'}, + deref => $ldap->{'deref'}, timeout => $ldap->{'timeout'} ); diff --git a/src/lib/Conf.pm b/src/lib/Conf.pm index adad50534..613940f71 100644 --- a/src/lib/Conf.pm +++ b/src/lib/Conf.pm 
@@ -685,12 +685,13 @@ sub _load_auth {
 'get_dn_by_uid_filter' => '.+',
 'get_dn_by_email_filter' => '.+',
 'email_attribute' => Sympa::Regexps::ldap_attrdesc(),
- 'alternative_email_attribute' => '.*', # Obsoleted
+ 'alternative_email_attribute' => '.*', # Obsoleted
 'scope' => 'base|one|sub',
- 'authentication_info_url' => 'http(s)?:/.*',
- 'use_tls' => 'starttls|ldaps|none',
- 'use_ssl' => '1', # Obsoleted
- 'use_start_tls' => '1', # Obsoleted
+ 'deref' => 'never|search|find|always',
+ 'authentication_info_url' => 'http(s)?:/.*',
+ 'use_tls' => 'starttls|ldaps|none',
+ 'use_ssl' => '1', # Obsoleted
+ 'use_start_tls' => '1', # Obsoleted
 'ssl_version' => 'sslv2/3|sslv2|sslv3|tlsv1|tlsv1_[123]',
 'ssl_ciphers' => '[\w:]+',
 'ssl_cert' => '.+',
@@ -722,6 +723,7 @@ sub _load_auth {
 'timeout' => '\d+',
 'suffix' => '.+',
 'scope' => 'base|one|sub',
+ 'deref' => 'never|search|find|always',
 'get_email_by_uid_filter' => '.+',
 'email_attribute' => Sympa::Regexps::ldap_attrdesc(),
 'use_tls' => 'starttls|ldaps|none',
@@ -749,6 +751,7 @@ sub _load_auth {
 'timeout' => '\d+',
 'suffix' => '.+',
 'scope' => 'base|one|sub',
+ 'deref' => 'never|search|find|always',
 'get_email_by_uid_filter' => '.+',
 'email_attribute' => Sympa::Regexps::ldap_attrdesc(),
 'use_tls' => 'starttls|ldaps|none',
@@ -883,10 +886,12 @@ sub _load_auth {
 ## Force the default scope because '' is interpreted as
 ## 'base'
 $current_paragraph->{'scope'} ||= 'sub';
+ $current_paragraph->{'deref'} ||= 'find';
 } elsif ($current_paragraph->{'auth_type'} eq 'generic_sso') {
 ## Force the default scope because '' is interpreted as
 ## 'base'
 $current_paragraph->{'scope'} ||= 'sub';
+ $current_paragraph->{'deref'} ||= 'find';
 ## default value for http_header_value_separator is ';'
 $current_paragraph->{'http_header_value_separator'} ||= ';';
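Review bot: The two new `$current_paragraph->{'deref'} ||= 'find';` lines in the `@@ -883` hunk (and the third one in the `@@ -903,6 +908,7 @@` hunk) sit directly under a comment that only justifies the `scope` default (`''` is interpreted as `'base'`), so a reader is left guessing why `deref` needs forcing too. The reason that is visible in this commit is that every call site (`is_ldap_user`, `do_search`, `ldap_authentication`, `get_email_by_net_id`) hands `$ldap->{'deref'}` to the search call unchanged, so an empty value would travel through as-is. Suggest widening the comment at each of the three places to `## Force the default scope and deref: '' would be read as 'base' for scope, and an empty deref would be passed to the LDAP search unchanged`. `_load_auth` begins before and ends after these hunks, so I cannot see whether any later step re-validates the forced values.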
@@ -903,6 +908,7 @@ sub _load_auth { ## Force the default scope because '' is interpreted as ## 'base' $current_paragraph->{'scope'} ||= 'sub'; + $current_paragraph->{'deref'} ||= 'find'; } elsif ($current_paragraph->{'auth_type'} eq 'user_table') { ; } elsif ($current_paragraph->{'auth_type'} eq 'cgi') { diff --git a/src/lib/Sympa/CLI/test/ldap.pm b/src/lib/Sympa/CLI/test/ldap.pm index 7919e5383..79410b6a1 100644 --- a/src/lib/Sympa/CLI/test/ldap.pm +++ b/src/lib/Sympa/CLI/test/ldap.pm @@ -89,6 +89,7 @@ sub _run { base => ($options->{suffix} // ''), filter => $filter, scope => ($options->{scope} || 'sub'), + deref => ($options->{deref} || 'find'), attrs => ($options->{attrs} ? [split /\s*,\s*/, $options->{attrs}] : ['']), ) or die sprintf "Search impossible: %s\n", $db->error; diff --git a/src/lib/Sympa/Config/Schema.pm b/src/lib/Sympa/Config/Schema.pm index b157b3f1b..cba3664bf 100644 --- a/src/lib/Sympa/Config/Schema.pm +++ b/src/lib/Sympa/Config/Schema.pm @@ -348,7 +348,7 @@ our %pinfo = ( gettext_id => 'Name of the database', gettext_comment => "With SQLite, this must be the full path to database file.\nWith Oracle Database, this must be SID, net service name or easy connection identifier (to use net service name, db_host should be set to \"none\" and HOST, PORT and SERVICE_NAME should be defined in tnsnames.ora file).", - format => '.+', + format => '.+', occurrence => '1', }, db_user => { @@ -1768,8 +1768,8 @@ our %pinfo = ( default => 'owner', }, quota => { - context => [qw(list domain site)], - order => 3, + context => [qw(list domain site)], + order => 3, gettext_id => "quota", gettext_unit => 'Kbytes', format => '\d+', 
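Review bot: In the `Sympa/CLI/test/ldap.pm` hunk, `deref => ($options->{deref} || 'find'),` reads a `deref` key that nothing in this hunk declares; unless the command's option specification (outside the hunk) gains a `deref` entry in the same form as the existing `scope` one, `$options->{deref}` is always undef and the test command can only ever exercise the default, which defeats the purpose of a test tool for a list's `deref` setting. If the option is declared elsewhere in the commit, it should also be documented in the command's POD next to `scope`; if not, the hunk should add it. `_run` starts before and ends after the hunk.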
@@ -3469,6 +3469,15 @@ our %pinfo = (
 occurrence => '1',
 default => 'sub'
 },
+ deref => {
+ context => [qw(list)],
+ order => 5.5,
+ gettext_id => "dereferencing aliases",
+ format => ['never', 'search', 'find', 'always'],
+ occurrence => '1',
+ default => 'find',
+ not_before => '6.2.74',
+ },
 timeout => {
 context => [qw(list)],
 order => 6,
@@ -3650,6 +3659,15 @@ our %pinfo = (
 format => ['base', 'one', 'sub'],
 default => 'sub'
 },
+ deref1 => {
+ context => [qw(list)],
+ order => 5.5,
+ gettext_id => "dereferencing aliases",
+ format => ['never', 'search', 'find', 'always'],
+ occurrence => '1',
+ default => 'find',
+ not_before => '6.2.74',
+ },
 timeout1 => {
 context => [qw(list)],
 order => 6,
@@ -3704,6 +3722,15 @@ our %pinfo = (
 occurrence => '1',
 default => 'sub'
 },
+ deref2 => {
+ context => [qw(list)],
+ order => 12.5,
+ gettext_id => "dereferencing aliases",
+ format => ['never', 'search', 'find', 'always'],
+ occurrence => '1',
+ default => 'find',
+ not_before => '6.2.74',
+ },
 timeout2 => {
 context => [qw(list)],
 order => 13,
@@ -3872,8 +3899,8 @@ our %pinfo = (
 order => 9,
 gettext_id =>
 "Directory where the database is stored (used for DBD::CSV only)",
- format => '.+',
- obsolete => 'db_name',
+ format => '.+',
+ obsolete => 'db_name',
 not_after => '6.2.70',
 },
 nosync_time_ranges => {
@@ -4038,6 +4065,15 @@ our %pinfo = (
 occurrence => '1',
 default => 'sub'
 },
+ deref => {
+ context => [qw(list)],
+ order => 5.5,
+ gettext_id => "dereferencing aliases",
+ format => ['never', 'search', 'find', 'always'],
+ occurrence => '1',
+ default => 'find',
+ not_before => '6.2.74',
+ },
 timeout => {
 context => [qw(list)],
 order => 6,
@@ -4215,6 +4251,15 @@ our %pinfo = (
 occurrence => '1',
 default => 'sub'
 },
+ deref1 => {
+ context => [qw(list)],
+ order => 5.5,
+ gettext_id => "dereferencing aliases",
+ format => ['never', 'search', 'find', 'always'],
+ occurrence => '1',
+ default => 'find',
+ not_before => '6.2.74',
+ },
 timeout1 => {
 context => [qw(list)],
 order => 6,
@@ -4269,6 +4314,15 @@ our %pinfo = (
 occurrence => '1',
 default => 'sub'
 },
+ deref2 => {
+ context => [qw(list)],
+ order => 12.5,
+ gettext_id => "dereferencing aliases",
+ format => ['never', 'search', 'find', 'always'],
+ occurrence => '1',
+ default => 'find',
+ not_before => '6.2.74',
+ },
 timeout2 => {
 context => [qw(list)],
 order => 13,
@@ -4432,8 +4486,8 @@ our %pinfo = (
 order => 9,
 gettext_id =>
 "Directory where the database is stored (used for DBD::CSV only)",
- format => '.+',
- obsolete => 'db_name',
+ format => '.+',
+ obsolete => 'db_name',
 not_after => '6.2.70',
 },
 email_entry => {
diff --git a/src/lib/Sympa/DataSource/LDAP.pm b/src/lib/Sympa/DataSource/LDAP.pm
index 6b7670d47..17998e68f 100644
--- a/src/lib/Sympa/DataSource/LDAP.pm
+++ b/src/lib/Sympa/DataSource/LDAP.pm
@@ -69,13 +69,15 @@ sub _open_operation {
 my $ldap_filter = $options{filter} || $self->{filter};
 my $ldap_attrs = $options{attrs} || $self->{attrs};
 my $ldap_scope = $options{scope} || $self->{scope};
+ my $ldap_deref = $options{deref} || $self->{deref};
 my @args = (
- base => $ldap_suffix,
- filter => $ldap_filter,
- attrs => [split /\s*,\s*/, $ldap_attrs],
- scope => $ldap_scope,
- control=> $self->{_page} ? [$self->{_page}] : []
+ base => $ldap_suffix,
+ filter => $ldap_filter,
+ attrs => [split /\s*,\s*/, $ldap_attrs],
+ scope => $ldap_scope,
+ deref => $ldap_deref,
+ control => $self->{_page} ? [$self->{_page}] : []
 );
 my $mesg = $self->{_db}->do_operation('search', @args);
diff --git a/src/lib/Sympa/ListOpt.pm b/src/lib/Sympa/ListOpt.pm
index cf1466817..a2ada0c68 100644
--- a/src/lib/Sympa/ListOpt.pm
+++ b/src/lib/Sympa/ListOpt.pm
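Review bot: In the `Sympa/DataSource/LDAP.pm` hunk, `my $ldap_deref = $options{deref} || $self->{deref};` has no final fallback, so a data source built from a list configuration that predates this option, or one constructed without a `deref` key, puts `deref => undef` into `@args` for `do_operation('search', ...)`. `_load_auth` and `_load_ldap_configuration` elsewhere in this commit force `'find'` in that situation; the same default here would keep the three paths consistent and avoid relying on whatever the LDAP library does with an explicit undef, which I cannot confirm from the hunk: `my $ldap_deref = $options{deref} || $self->{deref} || 'find';`. The `scope` line above has the same shape, but the schema default for `scope` is not visible here either. `_open_operation` starts before and ends after the hunk.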
@@ -106,6 +106,14 @@ our %list_option = ( 'one' => {'gettext_id' => 'one level'}, 'sub' => {'gettext_id' => 'subtree'}, + # include_ldap_2level_query.deref2, include_ldap_2level_query.deref1, + # include_ldap_query.deref + 'never' => {'gettext_id' => 'never'}, + 'search' => + {'gettext_id' => 'in searching subordinates of the base object'}, + 'find' => {'gettext_id' => 'in locating the base object'}, + 'always' => {'gettext_id' => 'always'}, + # include_ldap_query.use_tls, include_ldap_2level_query.use_tls, # include_ldap_ca.use_tls, include_ldap_2level_ca.use_tls 'starttls' => {'gettext_id' => 'use STARTTLS'}, diff --git a/src/lib/Sympa/Scenario.pm b/src/lib/Sympa/Scenario.pm index 180454158..6701ed65c 100644 --- a/src/lib/Sympa/Scenario.pm +++ b/src/lib/Sympa/Scenario.pm @@ -1404,6 +1404,7 @@ sub do_search { base => "$ldap_conf{'suffix'}", filter => "$filter", scope => "$ldap_conf{'scope'}", + deref => "$ldap_conf{'deref'}", attrs => ['1.1'] ); unless ($mesg) { @@ -1583,7 +1584,8 @@ sub _load_ldap_configuration { return; } - my @valid_options = qw(host suffix filter scope bind_dn bind_password + my @valid_options = + qw(host suffix filter scope deref bind_dn bind_password use_tls ssl_version ssl_ciphers ssl_cert ssl_key ca_verify ca_path ca_file); my @required_options = qw(host suffix filter); @@ -1596,6 +1598,7 @@ sub _load_ldap_configuration { 'suffix' => undef, 'filter' => undef, 'scope' => 'sub', + 'deref' => 'find', 'bind_dn' => undef, 'bind_password' => undef ); diff --git a/src/lib/Sympa/WWW/Auth.pm b/src/lib/Sympa/WWW/Auth.pm index a8865a231..d5c61dcc0 100644 --- a/src/lib/Sympa/WWW/Auth.pm +++ b/src/lib/Sympa/WWW/Auth.pm @@ -259,6 +259,7 @@ sub ldap_authentication { base => $ldap->{'suffix'}, filter => $filter, scope => $ldap->{'scope'}, + deref => $ldap->{'deref'}, timeout => $ldap->{'timeout'} ); unless ($mesg and $entry = $mesg->shift_entry) { 
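Review bot: In the `do_search` hunk, `deref => "$ldap_conf{'deref'}",` wraps the value in a string for no reason, copying the shape of the `scope` line above it; for a defined value `deref => $ldap_conf{'deref'},` is equivalent, and for an undef value the plain form passes undef rather than silently turning it into `''` with an uninitialized-value warning. This is a style point only, since `_load_ldap_configuration` now defaults `deref` to `'find'`. `do_search` begins before and ends after the hunk.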
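Review bot: Adding `deref` to `@valid_options` in the `@@ -1583` hunk admits the key, but nothing in this hunk restricts its value to the four keywords the way the `'never|search|find|always'` regexps in `Conf.pm::_load_auth` do, so a mistyped value in a scenario's LDAP configuration reaches `do_search` and is handed to the search call as-is, where the failure only surfaces at query time with a less specific error. If `_load_ldap_configuration` already validates per-option values further down (the sub continues past the hunk), ignore this; otherwise a check of the merged value against the same anchored alternation, `/\A(?:never|search|find|always)\z/`, right after the defaults are applied in the `@@ -1596` hunk would reject it early with a clear message, matching how `scope` ought to be treated as well.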
@@ -339,6 +340,7 @@ sub get_email_by_net_id {
 base => $auth->{suffix},
 filter => $filter,
 scope => $auth->{scope},
+ deref => $auth->{deref},
 timeout => $auth->{timeout},
 attrs => [$auth->{email_attribute}],
 );