LDAP: Add deref option to specify how to dereference aliases #1892

Merged
merged 2 commits into from
Sep 22, 2024
109 changes: 92 additions & 17 deletions doc/auth.conf.pod
Expand Up @@ -205,6 +205,36 @@ Search the whole tree below the base object. This is the default.

=back

=item C<deref>

Default value: C<find>

Specifies how to dereference aliases.

Introduced on Sympa 6.2.74.

=over

=item C<never>

Aliases are never dereferenced.

=item C<search>

Aliases are dereferenced in searching subordinates of the base object.

=item C<find>

Aliases are derefernced in locating the base object, but
not in searching subordinates of the base object.
This is the default.

=item C<always>

Aliases are always dereferenced.

=back

=item C<authentication_info_url>

Defines the URL of a document describing LDAP password management. When
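Review bot: typo in the C<find> description: "derefernced" should be "dereferenced", and "Introduced on Sympa 6.2.74" reads better as "Introduced in Sympa 6.2.74". The four values and their one-line descriptions map cleanly onto the LDAP derefAliases options (neverDerefAliases, derefInSearching, derefFindingBaseObj, derefAlways), which is the right vocabulary to expose; since the Conf.pm hunk below falls back to C<find> when the parameter is absent, it is worth stating here that existing auth.conf files keep their current behaviour after upgrade, assuming C<find> matches what the LDAP client library did before this option existed.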
Expand Down Expand Up @@ -385,31 +415,50 @@ not defined>:

=over

=item C<ldap_host>
=item C<host>

The LDAP host Sympa will connect to fetch user email. The C<ldap_host>
(formerly C<ldap_host>)

The LDAP host Sympa will connect to fetch user email. The C<host>
include the port number and it may be a comma separated list of redundant
hosts.

=item C<ldap_bind_dn>
=item C<bind_dn>

(formerly C<ldap_bind_dn>)

The DN used to bind to this server. Anonymous bind is used if this parameter
is not defined.

=item C<ldap_bind_password>
=item C<bind_password>

(formerly C<ldap_bind_password>)

The password used unless anonymous bind is used.

=item C<ldap_suffix>
=item C<suffix>

(formerly C<ldap_suffix>)

The LDAP suffix used when searching user email.

=item C<ldap_scope>
=item C<scope>

(formerly C<ldap_scope>)

The scope used when searching user email. Possible values are C<sub>, C<base>
and C<one>.

=item C<ldap_get_email_by_uid_filter>
=item C<deref>

(introduced on 6.2.74)

How to dereference the aliases on searching LDAP.
Possible values are C<never>, C<search>, C<find> and C<always>.

=item C<get_email_by_uid_filter>

(formerly C<ldap_get_email_by_uid_filter>)

The filter used to perform the email search. It can refer to any environment
variables inherited from the SSO module, as shown below.
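Review bot: grammar carried over onto the new C<host> line: "The C<host> include the port number" should be "includes" (or "may include", since the port is optional). The "(formerly C<ldap_...>)" lines are a good way to keep old parameter names discoverable; for C<deref>, which never had an old name, "(introduced on 6.2.74)" is the right counterpart, though "introduced in" is the idiomatic form and matches the wording used elsewhere in this file.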
Expand All @@ -418,12 +467,16 @@ Example:

ldap_get_email_by_uid_filter (mail=[SSL_CLIENT_S_DN_Email])

=item C<ldap_email_attribute>
=item C<email_attribute>

(formerly C<ldap_email_attribute>)

The attribute name to be used as user canonical email. In the current version
of Sympa, only the first value returned by the LDAP server is used.

=item C<ldap_timeout>
=item C<timeout>

(formerly C<ldap_timeout>)

The time out for the search.
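Review bot: the retained example still reads `ldap_get_email_by_uid_filter (mail=[SSL_CLIENT_S_DN_Email])` although the parameter it illustrates was just renamed to C<get_email_by_uid_filter>; update the example as well, otherwise readers copying it get the old name. While touching this paragraph, a sentence stating whether the C<[VAR]> values substituted into the filter are escaped per LDAP filter syntax would answer the question every administrator has when they see header values interpolated into a search filter. Minor: "The time out" should be "The timeout".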

Expand Down Expand Up @@ -519,40 +572,62 @@ The proxy validate service path, only used by the Sympa SOAP server.

=over

=item C<ldap_host>
=item C<host>

(formerly C<ldap_host>)

The LDAP host Sympa will connect to fetch user email when user uid is return
by CAS service. The C<ldap_host> includes the port number and it may be a
comma separated list of redundant hosts.

=item C<ldap_bind_dn>
=item C<bind_dn>

(formerly C<ldap_bind_dn>)

The DN used to bind to this server. Anonymous bind is used if this parameter
is not defined.

=item C<ldap_bind_password>
=item C<bind_password>

(formerly C<ldap_bind_password>)

The password used unless anonymous bind is used.

=item C<ldap_suffix>
=item C<suffix>

(formerly C<ldap_suffix>)

The LDAP suffix used when searching user email.

=item C<ldap_scope>
=item C<scope>

(formerly C<ldap_scope>)

The scope used when searching user email. Possible values are C<sub>, C<base>
and C<one>.

=item C<ldap_get_email_by_uid_filter>
=item C<deref>

(introduced on 6.2.74)

How to dereference the aliases on searching LDAP.

=item C<get_email_by_uid_filter>

(formerly C<ldap_get_email_by_uid_filter>)

The filter used to perform the email search.

=item C<ldap_email_attribute>
=item C<email_attribute>

(formerly C<ldap_email_attribute>)

The attribute name to be used as user canonical email. In the current version
of Sympa, only the first value returned by the LDAP server is used.

=item C<ldap_timeout>
=item C<timeout>

(formerly C<ldap_timeout>)

The time out for the search.
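Review bot: the C<host> entry in this CAS section still names the old parameter in its body ("The C<ldap_host> includes the port number") and has "when user uid is return by CAS service" (should be "returned"). The C<deref> entry here also omits the accepted values that the generic_sso section lists; add "Possible values are C<never>, C<search>, C<find> and C<always>." so both sections read the same. Same "introduced on" vs "introduced in" wording as above.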

1 change: 1 addition & 0 deletions src/cgi/wwsympa.fcgi.in
Expand Up @@ -3657,6 +3657,7 @@ sub is_ldap_user {
base => $ldap->{'suffix'},
filter => "$filter",
scope => $ldap->{'scope'},
deref => $ldap->{'deref'},
timeout => $ldap->{'timeout'}
);
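Review bot: `deref => $ldap->{'deref'}` relies on Conf.pm having filled in the 'find' default for this paragraph; if is_ldap_user can ever be handed a hash that did not pass through _load_auth, the search call receives undef for deref. A defensive `$ldap->{'deref'} || 'find'` here would mirror what the CLI test command in this PR does and keeps the two call sites behaving identically. Unrelated context: `filter => "$filter"` is a no-op stringification and could simply be `filter => $filter`.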

16 changes: 11 additions & 5 deletions src/lib/Conf.pm
Expand Up @@ -685,12 +685,13 @@ sub _load_auth {
'get_dn_by_uid_filter' => '.+',
'get_dn_by_email_filter' => '.+',
'email_attribute' => Sympa::Regexps::ldap_attrdesc(),
'alternative_email_attribute' => '.*', # Obsoleted
'alternative_email_attribute' => '.*', # Obsoleted
'scope' => 'base|one|sub',
'authentication_info_url' => 'http(s)?:/.*',
'use_tls' => 'starttls|ldaps|none',
'use_ssl' => '1', # Obsoleted
'use_start_tls' => '1', # Obsoleted
'deref' => 'never|search|find|always',
'authentication_info_url' => 'http(s)?:/.*',
'use_tls' => 'starttls|ldaps|none',
'use_ssl' => '1', # Obsoleted
'use_start_tls' => '1', # Obsoleted
'ssl_version' => 'sslv2/3|sslv2|sslv3|tlsv1|tlsv1_[123]',
'ssl_ciphers' => '[\w:]+',
'ssl_cert' => '.+',
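Review bot: `'deref' => 'never|search|find|always'` is an unanchored alternation, like `'scope' => 'base|one|sub'` above it; if the validator applies these patterns with a plain `=~ /$re/` rather than `/^(?:$re)$/`, a value such as `findx` would pass validation and be handed straight to the LDAP client. Worth confirming the anchoring once where these patterns are applied, since that single check covers every parameter in this table. The hunk also re-indents the neighbouring alternative_email_attribute, authentication_info_url, use_tls, use_ssl and use_start_tls lines, which is cosmetic noise in a functional commit.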
Expand Down Expand Up @@ -722,6 +723,7 @@ sub _load_auth {
'timeout' => '\d+',
'suffix' => '.+',
'scope' => 'base|one|sub',
'deref' => 'never|search|find|always',
'get_email_by_uid_filter' => '.+',
'email_attribute' => Sympa::Regexps::ldap_attrdesc(),
'use_tls' => 'starttls|ldaps|none',
Expand Down Expand Up @@ -749,6 +751,7 @@ sub _load_auth {
'timeout' => '\d+',
'suffix' => '.+',
'scope' => 'base|one|sub',
'deref' => 'never|search|find|always',
'get_email_by_uid_filter' => '.+',
'email_attribute' => Sympa::Regexps::ldap_attrdesc(),
'use_tls' => 'starttls|ldaps|none',
Expand Down Expand Up @@ -883,10 +886,12 @@ sub _load_auth {
## Force the default scope because '' is interpreted as
## 'base'
$current_paragraph->{'scope'} ||= 'sub';
$current_paragraph->{'deref'} ||= 'find';
} elsif ($current_paragraph->{'auth_type'} eq 'generic_sso') {
## Force the default scope because '' is interpreted as
## 'base'
$current_paragraph->{'scope'} ||= 'sub';
$current_paragraph->{'deref'} ||= 'find';
## default value for http_header_value_separator is ';'
$current_paragraph->{'http_header_value_separator'} ||=
';';
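Review bot: the comment "Force the default scope because '' is interpreted as 'base'" now sits above both the scope and the deref lines but only explains scope; either extend it (an empty deref is not one of the four accepted values, so it needs a default too) or move the deref default out from under it so the comment is not misread. This scope/deref default pair is now repeated in three auth_type branches (ldap, generic_sso, and the one in the following hunk); a small per-type defaults table would stop them from drifting apart when the next option is added.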
Expand All @@ -903,6 +908,7 @@ sub _load_auth {
## Force the default scope because '' is interpreted as
## 'base'
$current_paragraph->{'scope'} ||= 'sub';
$current_paragraph->{'deref'} ||= 'find';
} elsif ($current_paragraph->{'auth_type'} eq 'user_table') {
;
} elsif ($current_paragraph->{'auth_type'} eq 'cgi') {
1 change: 1 addition & 0 deletions src/lib/Sympa/CLI/test/ldap.pm
Expand Up @@ -89,6 +89,7 @@ sub _run {
base => ($options->{suffix} // ''),
filter => $filter,
scope => ($options->{scope} || 'sub'),
deref => ($options->{deref} || 'find'),
attrs =>
($options->{attrs} ? [split /\s*,\s*/, $options->{attrs}] : ['']),
) or die sprintf "Search impossible: %s\n", $db->error;
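Review bot: `deref => ($options->{deref} || 'find')` passes a command-line value to the search call without checking it against the never|search|find|always set that Conf.pm enforces for auth.conf; the Getopt declaration for the new option is not in this hunk, so please confirm it was added and that an invalid value produces the command's own clear error rather than whatever the LDAP library reports. Also note that `($options->{suffix} // '')` on the base line means an empty base DN is accepted silently here, which may or may not be intended for a test tool.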
68 changes: 61 additions & 7 deletions src/lib/Sympa/Config/Schema.pm
Expand Up @@ -348,7 +348,7 @@ our %pinfo = (
gettext_id => 'Name of the database',
gettext_comment =>
"With SQLite, this must be the full path to database file.\nWith Oracle Database, this must be SID, net service name or easy connection identifier (to use net service name, db_host should be set to \"none\" and HOST, PORT and SERVICE_NAME should be defined in tnsnames.ora file).",
format => '.+',
format => '.+',
occurrence => '1',
},
db_user => {
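Review bot: this hunk, and the ones at 1717, 3821 and 4381 below, only re-align `format`, `obsolete`, `context` and `order` keys and add nothing functional; moving such reflows into a separate commit keeps the deref change itself reviewable and makes `git blame` on those lines point at the real change.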
Expand Down Expand Up @@ -1717,8 +1717,8 @@ our %pinfo = (
default => 'owner',
},
quota => {
context => [qw(list domain site)],
order => 3,
context => [qw(list domain site)],
order => 3,
gettext_id => "quota",
gettext_unit => 'Kbytes',
format => '\d+',
Expand Down Expand Up @@ -3418,6 +3418,15 @@ our %pinfo = (
occurrence => '1',
default => 'sub'
},
deref => {
context => [qw(list)],
order => 5.5,
gettext_id => "dereferencing aliases",
format => ['never', 'search', 'find', 'always'],
occurrence => '1',
default => 'find',
not_before => '6.2.74',
},
timeout => {
context => [qw(list)],
order => 6,
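Review bot: `order => 5.5` here (and `12.5` in the deref2 blocks) wedges the new key between scope and timeout without renumbering; if `order` only drives display sorting this works, but a renumbering pass, or a comment saying fractional orders are fine, would avoid accumulating them. `gettext_id => "dereferencing aliases"` is all the web interface will show; a gettext_comment spelling out what never, search, find and always do, as auth.conf.pod now does, would help list owners editing this field. The same nine-line block is repeated six times across this file (deref, deref1, deref2 in two include sections); a shared hash referenced from each site would keep `format`, `default` and `not_before => '6.2.74'` in sync.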
Expand Down Expand Up @@ -3599,6 +3608,15 @@ our %pinfo = (
format => ['base', 'one', 'sub'],
default => 'sub'
},
deref1 => {
context => [qw(list)],
order => 5.5,
gettext_id => "dereferencing aliases",
format => ['never', 'search', 'find', 'always'],
occurrence => '1',
default => 'find',
not_before => '6.2.74',
},
timeout1 => {
context => [qw(list)],
order => 6,
Expand Down Expand Up @@ -3653,6 +3671,15 @@ our %pinfo = (
occurrence => '1',
default => 'sub'
},
deref2 => {
context => [qw(list)],
order => 12.5,
gettext_id => "dereferencing aliases",
format => ['never', 'search', 'find', 'always'],
occurrence => '1',
default => 'find',
not_before => '6.2.74',
},
timeout2 => {
context => [qw(list)],
order => 13,
Expand Down Expand Up @@ -3821,8 +3848,8 @@ our %pinfo = (
order => 9,
gettext_id =>
"Directory where the database is stored (used for DBD::CSV only)",
format => '.+',
obsolete => 'db_name',
format => '.+',
obsolete => 'db_name',
not_after => '6.2.70',
},
nosync_time_ranges => {
Expand Down Expand Up @@ -3987,6 +4014,15 @@ our %pinfo = (
occurrence => '1',
default => 'sub'
},
deref => {
context => [qw(list)],
order => 5.5,
gettext_id => "dereferencing aliases",
format => ['never', 'search', 'find', 'always'],
occurrence => '1',
default => 'find',
not_before => '6.2.74',
},
timeout => {
context => [qw(list)],
order => 6,
Expand Down Expand Up @@ -4164,6 +4200,15 @@ our %pinfo = (
occurrence => '1',
default => 'sub'
},
deref1 => {
context => [qw(list)],
order => 5.5,
gettext_id => "dereferencing aliases",
format => ['never', 'search', 'find', 'always'],
occurrence => '1',
default => 'find',
not_before => '6.2.74',
},
timeout1 => {
context => [qw(list)],
order => 6,
Expand Down Expand Up @@ -4218,6 +4263,15 @@ our %pinfo = (
occurrence => '1',
default => 'sub'
},
deref2 => {
context => [qw(list)],
order => 12.5,
gettext_id => "dereferencing aliases",
format => ['never', 'search', 'find', 'always'],
occurrence => '1',
default => 'find',
not_before => '6.2.74',
},
timeout2 => {
context => [qw(list)],
order => 13,
Expand Down Expand Up @@ -4381,8 +4435,8 @@ our %pinfo = (
order => 9,
gettext_id =>
"Directory where the database is stored (used for DBD::CSV only)",
format => '.+',
obsolete => 'db_name',
format => '.+',
obsolete => 'db_name',
not_after => '6.2.70',
},
email_entry => {