xperseguers / t3ext-ig_ldap_sso_auth

TYPO3 Extension ig_ldap_sso_auth. This extension provides LDAP and SSO support for TYPO3.
https://extensions.typo3.org/extension/ig_ldap_sso_auth

Handling the primary usergroup that is not in <memberOf> #6

Open janmayer opened 6 years ago

janmayer commented 6 years ago

In the LDAP system I integrate TYPO3 with, each user has a primary usergroup via <gidnumber>, but this group is not in the <memberOf> list. I need both group membership sources for correct permissions.

I have currently jury-rigged this in via

--- a/Classes/Library/Authentication.php 
+++ b/Classes/Library/Authentication.php 
@@ -456,6 +456,9 @@
                     !(bool)static::$config['GroupsNotSynchronize'],
                     $ldapInstance
                 );
+                $primaryGroup = $ldapInstance->search(static::$config['groups']['basedn'], '(&(gidnumber='.$ldapUser['gidnumber'][0].')(objectClass=posixGroup))', $ldapGroupAttributes);
+                $ldapGroups[] = $primaryGroup[0];
+                $ldapGroups['count']++;
             }
         } else {
             // Get LDAP groups from DN of user.
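Review bot: `$ldapUser['gidnumber'][0]` is read without checking that the attribute exists, and `$primaryGroup[0]` is appended and `count` incremented even when the search returns no entry, so a user without a gidNumber (or with a gidNumber that no posixGroup carries) produces a PHP notice and an empty junk entry in `$ldapGroups`. Guard both sides, e.g. `if (!empty($ldapUser['gidnumber'][0])) { ... if (!empty($primaryGroup[0])) { $ldapGroups[] = $primaryGroup[0]; $ldapGroups['count']++; } }`. The value is also interpolated into the filter string unescaped; gidNumber is numeric by schema, so reject anything that is not all digits (or pass it through `ldap_escape(..., '', LDAP_ESCAPE_FILTER)`) before building `(&(gidnumber=...)(objectClass=posixGroup))`. Finally, skip the append when the found group's DN is already in `$ldapGroups` from the memberOf lookup, otherwise the same group is imported twice.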

Is there a better / official way to do this?

Thanks.

xperseguers commented 6 years ago

I'd say that

  1. You should check for non-empty content of this column before using it
  2. It makes sense to include it in the if branch you chose because, in fact, the primary group in Linux is a different one from the list of groups the user is a member of

You could probably just push a real PR.

xperseguers commented 4 years ago

Just had a look at information from an Active Directory and there is no gidnumber column returned. I wonder if this is related to Active Directory vs OpenLDAP or if this column may not be present in either case.

Possibly independently of this answer, I wonder if this should be added as a configuration option; something like "Include group membership from user's primary group ID"?

janit42 commented 4 years ago

@xperseguers, the gidNumber attribute is part of the NIS schema extension described in RFC 2307. If this schema extension is activated in any given LDAP server, you can use it (but you don't have to) - depends on how the LDAP data is structured in a given organization.

One should expect a lot of LDAP servers used in a unix environment to be set up with that extension. Not sure whether OpenLDAP has it enabled by default but I would think so. It's not enabled in a native AD and I'd guess it is used there rarely (but it can be added and used).

Long story short: the column may or may not be present in either case (AD vs OpenLDAP [vs random LDAP server]), so if support for gidNumber were added, making it configurable would be a strong suggestion. Even if it's supported, there may be cases where some users have a gidNumber while others have not (e.g. an AD serving Windows and Unix machines with some users Windows only and others on Unix or on both).

@janmayer

A lot of organizations I'm aware of play it safe and put members explicitly into the group represented by the gidNumber, as a lot of LDAP-coupled tools are unaware of gidNumber.
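The following is an added example, not code from ig_ldap_sso_auth or from anyone in this thread. It shows what the patch above looks like once the points raised here are folded in: the lookup is behind a configuration switch (the hypothetical `$includePrimary` flag standing in for the "Include group membership from user's primary group ID" option suggested above), users without a gidNumber are skipped, the value is validated before it is put into a filter, a search that finds nothing does not append an entry, and a group that is already present via memberOf is not imported twice. The `$search` callable and the in-memory directory are constructed stand-ins for the extension's real LDAP search so the script runs offline; array shapes follow what PHP's `ldap_get_entries()` returns.

```php
<?php
// Added example (not part of ig_ldap_sso_auth): merge a user's RFC 2307
// primary group (gidNumber) into the group list resolved from memberOf.

/**
 * @param array    $ldapUser       user entry in ldap_get_entries() shape
 * @param array    $ldapGroups     groups already resolved from memberOf
 * @param callable $search         fn(string $baseDn, string $filter): array
 * @param string   $groupBaseDn    search base for groups
 * @param bool     $includePrimary hypothetical config switch for this feature
 */
function mergePrimaryGroup(array $ldapUser, array $ldapGroups, callable $search,
                           string $groupBaseDn, bool $includePrimary): array
{
    if (!$includePrimary) {
        return $ldapGroups;
    }
    // Attribute may be absent (AD without the NIS schema, Windows-only users).
    if (empty($ldapUser['gidnumber'][0])) {
        return $ldapGroups;
    }
    $gid = (string)$ldapUser['gidnumber'][0];
    // gidNumber is an integer by schema: refuse anything else instead of
    // interpolating directory data into the filter unescaped.
    if (!preg_match('/^\d+$/', $gid)) {
        return $ldapGroups;
    }
    $filter = sprintf('(&(gidNumber=%s)(objectClass=posixGroup))', $gid);
    $result = $search($groupBaseDn, $filter);
    // A dangling gidNumber yields no entry; do not append junk.
    if (empty($result[0]['dn'])) {
        return $ldapGroups;
    }
    // Already imported through memberOf? Then there is nothing to add.
    foreach ($ldapGroups as $key => $group) {
        if ($key === 'count') {
            continue;
        }
        if (strcasecmp($group['dn'], $result[0]['dn']) === 0) {
            return $ldapGroups;
        }
    }
    $ldapGroups[] = $result[0];
    $ldapGroups['count'] = ($ldapGroups['count'] ?? 0) + 1;
    return $ldapGroups;
}

// Constructed sample directory (not real data).
$directory = [
    ['dn' => 'cn=developers,ou=groups,dc=example,dc=org', 'gidnumber' => ['10001'], 'cn' => ['developers']],
    ['dn' => 'cn=web,ou=groups,dc=example,dc=org',        'gidnumber' => ['10002'], 'cn' => ['web']],
];

// Stand-in for the extension's LDAP search: only understands the filter built above.
$search = function (string $baseDn, string $filter) use ($directory): array {
    if (!preg_match('/\(gidNumber=(\d+)\)/', $filter, $m)) {
        return ['count' => 0];
    }
    $hits = array_values(array_filter($directory, fn($g) => $g['gidnumber'][0] === $m[1]));
    $hits['count'] = count($hits);
    return $hits;
};

$groupBase = 'ou=groups,dc=example,dc=org';
$fromMemberOf = [0 => $directory[1], 'count' => 1];   // user is in "web" via memberOf

// Unix user: primary group "developers" comes only from gidNumber.
$unixUser = ['dn' => 'uid=jdoe,ou=people,dc=example,dc=org', 'gidnumber' => ['10001']];
$merged = mergePrimaryGroup($unixUser, $fromMemberOf, $search, $groupBase, true);
foreach ($merged as $key => $group) {
    if ($key !== 'count') {
        echo $group['dn'], PHP_EOL;
    }
}

// Windows-only AD user: no gidNumber attribute, list must stay as it was.
$adUser = ['dn' => 'cn=Jane Roe,ou=people,dc=example,dc=org'];
$unchanged = mergePrimaryGroup($adUser, $fromMemberOf, $search, $groupBase, true);
echo 'AD user groups: ', $unchanged['count'], PHP_EOL;

// gidNumber points at a group that is already in memberOf: no duplicate.
$dupUser = ['dn' => 'uid=web1,ou=people,dc=example,dc=org', 'gidnumber' => ['10002']];
$deduped = mergePrimaryGroup($dupUser, $fromMemberOf, $search, $groupBase, true);
echo 'Duplicate check groups: ', $deduped['count'], PHP_EOL;
```

In the real extension the `$search` callable would be `$ldapInstance->search()` with the group attributes requested, and the DN comparison should match however the memberOf branch keys its entries.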