[Davical-general] drivers_ldap.php: add "filter Users by Group" and improve AD support


[Davical-general] drivers_ldap.php: add "filter Users by Group" and improve AD support

skotthof
Dear Davical team,

thanks for accepting my ldap timeout patch last week!
This encouraged me to publish also another patch concerning drivers_ldap.php.

We are using Davical, against an ldap interface from an active directory.
This would be running very fine, but we have a very restrictive computing
center.
We are not allowed to read any suitable attributes from users with our binddn.
Luckily, we are able to read groups and group members.
Because of this, I added a "filter users by group" feature to drivers_ldap.php.
Users which are not a member of the group(s) are denied logging into davical.
This is running stable for more than 1 year now for us in a productive
environment.
Of course, it's not that common, but I think such a feature could be also
interesting for others. And there are some clever ldap drivers from other
projects around, supporting filtering users by a group.

So in addition to 'filterUsers' I add a 'filterUsersByGroup' in the
configuration, like:
'filterUsersByGroup' => 'CN=fmi0_auth_davical,OU=davical_auth,OU=xxx,DC=xxx,DC=uni-mannheim,DC=de'

This could be a single DN to a group, or multiple DNs of groups.
The groups are "ORed" in the last case.
Implementation is not that complicated, because $this->baseDNUsers in the existing
code is allowed to be an array of multiple base DNs of users.
In getAllUsers() they are queried each:
    foreach($this->baseDNUsers as $baseDNUsers) {
      $entry = $query($this->connect,$baseDNUsers,$this->filterUsers,$attributes);
      ...
    }

That is what I'm using: putting the complete list of users from filterByGroup(s)
(as complete DNs) into $this->baseDNUsers.
So getAllUsers() is querying each single user directly in that case,
instead of taking a whole baseDN.
A side effect is that querying every single user will take some time.
But since "Sync LDAP with DAViCal" is executed by cronjob, or manually,
I think this would not be a too big problem.
For us, it is running fine with 50 users.

For querying the members of the group beforehand and putting the single user DNs into
$this->baseDNUsers, there is a new function getUsersByGroup().


Additionally, there is a second issue:
When asking our AD for members of a group, the server returns the whole DNs
of the group members.
So I added also some lines in sync_LDAP_groups(),
to get only the CN of the members. (Otherwise the whole DNs are put as
members into the davical groups.)


The patch is based on the last drivers_ldap.php (I think commit 6b8193ad9).

Would be nice, if filterUsersByGroup would be also included. In that case,
we would be able to run a standard davical after the next release.

Thanks

Sebastian

PS: hope there is no html encoded in this post in the mailing list like last time,
I have only plain text here

--
Sebastian Kotthoff
Rechenzentrum
Universität Mannheim
B6, 23-29; Building B; Room 1.16
68159 Mannheim

Tel: +49 621 181 2516
Fax: +49 621 181 2682

------------------------------------------------------------------------------
HPCC Systems Open Source Big Data Platform from LexisNexis Risk Solutions
Find What Matters Most in Your Big Data with HPCC Systems
Open Source. Fast. Scalable. Simple. Ideal for Dirty Data.
Leverages Graph Analysis for Fast Processing & Easy Data Exploration
http://p.sf.net/sfu/hpccsystems
_______________________________________________
Davical-general mailing list
[hidden email]
https://lists.sourceforge.net/lists/listinfo/davical-general

Attachments: drivers_ldap.php.patch (5K), smime.p7s (6K)
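The two pieces of the patch described above (collecting the member DNs of one or more groups and feeding them into the per-base-DN loop of getAllUsers(), and reducing each member DN to its CN for sync_LDAP_groups()) are modelled here in Python as an added example; this is not DAViCal's drivers_ldap.php nor Sebastian's patch. It assumes a constructed in-memory directory (FAKE_DIRECTORY, fake_query) in place of a real AD, and its DN handling goes slightly beyond the post by honouring RFC 4514 escapes, so a CN such as "Doe\, John" is not split at the escaped comma.

```python
import re
from typing import Callable, Dict, List, Optional, Union

Entry = Dict[str, List[str]]

# Constructed stand-in for the directory (not a real AD): DN -> attributes.
FAKE_DIRECTORY: Dict[str, Entry] = {
    "CN=davical_users,OU=groups,DC=example,DC=test": {
        "objectClass": ["group"],
        "member": ["CN=alice,OU=people,DC=example,DC=test",
                   "CN=Doe\\, John,OU=people,DC=example,DC=test"],
    },
    "CN=davical_admins,OU=groups,DC=example,DC=test": {
        "objectClass": ["group"],
        "member": ["CN=alice,OU=people,DC=example,DC=test",
                   "CN=carol,OU=people,DC=example,DC=test"],
    },
    "CN=alice,OU=people,DC=example,DC=test": {"objectClass": ["user"], "sAMAccountName": ["alice"]},
    "CN=Doe\\, John,OU=people,DC=example,DC=test": {"objectClass": ["user"], "sAMAccountName": ["jdoe"]},
    "CN=carol,OU=people,DC=example,DC=test": {"objectClass": ["user"], "sAMAccountName": ["carol"]},
    "CN=mallory,OU=people,DC=example,DC=test": {"objectClass": ["user"], "sAMAccountName": ["mallory"]},
}

FILTER_RE = re.compile(r"^\((\w+)=([^)]*)\)$")
HEX_PAIR = re.compile(r"[0-9A-Fa-f]{2}")
Query = Callable[[str, str, List[str]], Dict[str, Entry]]


def fake_query(base_dn: str, ldap_filter: str, attributes: List[str]) -> Dict[str, Entry]:
    """Stand-in for the driver's $query callable: subtree search below base_dn
    with a single '(attr=value)' equality filter ('*' matches any value)."""
    m = FILTER_RE.match(ldap_filter)
    if not m:
        raise ValueError("only simple (attr=value) filters are modelled here")
    attr, want = m.group(1), m.group(2)
    result: Dict[str, Entry] = {}
    for dn, entry in FAKE_DIRECTORY.items():
        if dn != base_dn and not dn.endswith("," + base_dn):
            continue  # entry is not under this base DN
        if want != "*" and want not in entry.get(attr, []):
            continue
        result[dn] = {a: entry[a] for a in attributes if a in entry}
    return result


def split_dn(dn: str) -> List[str]:
    """Split a DN into its RDN strings, treating a backslash-escaped comma as
    part of the value rather than as a separator (RFC 4514)."""
    rdns, buf, i = [], [], 0
    while i < len(dn):
        if dn[i] == "\\" and i + 1 < len(dn):
            buf.append(dn[i:i + 2])  # keep the escape pair together
            i += 2
            continue
        if dn[i] == ",":
            rdns.append("".join(buf))
            buf = []
        else:
            buf.append(dn[i])
        i += 1
    rdns.append("".join(buf))
    return rdns


def unescape_value(value: str) -> str:
    """Undo RFC 4514 escaping: '\\,' -> ',' and '\\2C' -> ','.
    Simplification: hex pairs are decoded as single code points, not UTF-8 bytes."""
    out, i = [], 0
    while i < len(value):
        if value[i] == "\\" and i + 1 < len(value):
            if HEX_PAIR.fullmatch(value[i + 1:i + 3]):
                out.append(chr(int(value[i + 1:i + 3], 16)))
                i += 3
                continue
            out.append(value[i + 1])
            i += 2
            continue
        out.append(value[i])
        i += 1
    return "".join(out)


def member_cn(member_dn: str) -> Optional[str]:
    """The CN of a member DN (what the post wants stored as the DAViCal group
    member), or None when the leading RDN is not a CN."""
    attr, sep, raw = split_dn(member_dn)[0].partition("=")
    if not sep or attr.strip().lower() != "cn":
        return None
    return unescape_value(raw.strip())


def get_users_by_group(query: Query, groups: Union[str, List[str]]) -> List[str]:
    """Member DNs of one or several groups; several groups are ORed (union)."""
    if isinstance(groups, str):
        groups = [groups]
    members = set()
    for group_dn in groups:
        for entry in query(group_dn, "(objectClass=*)", ["member"]).values():
            members.update(entry.get("member", []))
    return sorted(members)


def get_all_users(query: Query, base_dns: List[str], filter_users: str,
                  attributes: List[str]) -> Dict[str, Entry]:
    """Models the driver's foreach over baseDNUsers. When base_dns holds the
    single user DNs from get_users_by_group(), each query returns one user."""
    users: Dict[str, Entry] = {}
    for base in base_dns:
        users.update(query(base, filter_users, attributes))
    return users


def sync_users(query: Query, filter_users_by_group: Union[str, List[str]],
               filter_users: str = "(objectClass=user)",
               attributes: List[str] = ["sAMAccountName"]) -> Dict[str, Entry]:
    """Only members of the configured group(s) come back; everyone else is absent."""
    return get_all_users(query, get_users_by_group(query, filter_users_by_group),
                         filter_users, list(attributes))


if __name__ == "__main__":
    allowed = sync_users(fake_query, "CN=davical_users,OU=groups,DC=example,DC=test")
    for dn in allowed:
        print(member_cn(dn), "<-", dn)
```

Two caveats worth keeping in mind when doing this against a real AD: the membership check is only as trustworthy as the bind account's view of the group (a bind DN that cannot read "member" silently yields an empty user list, i.e. nobody can log in), and AD returns large groups in ranged slices ("member;range=0-1499"), so a group above 1500 members needs range retrieval rather than one read of "member".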

Re: drivers_ldap.php: add "filter Users by Group" and improve AD support

skotthof
(hopefully in plaintext now)



Attachment: drivers_ldap.php.patch (5K)

Re: drivers_ldap.php: add "filter Users by Group" and improve AD support

Nicolas Quiniou-Briand
Hi Sebastian,

On 20/06/2014 11:56, skotthof wrote:
> Of course, it's not that common, but I think such a feature could be also
> interesting for others. And there are some clever ldap driver from other
> projects around, supporting filter users by a group.

Great feature.

I have searched for this feature in Davical to allow access from outside
(second instance) only to members of a group.

Thanks !
--
Nicolas
