
public function LdapServer::deriveFromEntryGroups in Lightweight Directory Access Protocol (LDAP) 7

Returns the groups/authorizations a user holds when groups are defined from LDAP entries.

Parameters

@param array $entries e.g. array('cn=it,cn=groups,dc=ad,dc=myuniversity,dc=edu'). @param string $entries_attr LDAP attribute name the values in $entries refer to, e.g. dn, cn.

@param string $membership_attr e.g. uniquemember. @param string $user_ldap_attr e.g. cn, dn, etc. @param array $user_ldap_entry the user's LDAP entry (its 'dn' and 'attr' keys are read). @param boolean $nested whether groups should be recursed or not.

@return array of group identifiers ($entries_attr values) the user was found to be a member of

@see tests/DeriveFromEntry/ldap_servers.inc for fuller notes and test example

File

ldap_servers/LdapServer.class.php, line 730
Defines server classes and related functions.

Class

LdapServer
LDAP Server Class

Code

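/**
 * Derive the groups a user belongs to from a list of LDAP group entries.
 *
 * Builds one OR filter over $entries and runs it against every base DN of
 * this server. Non-nested: the filter additionally requires the group's
 * $membership_attr to contain the user's value, so every hit is a group the
 * user belongs to. Nested: every candidate group is fetched and membership is
 * resolved here, first by direct membership, then by recursing through child
 * groups via groupsByEntryIsMember().
 *
 * @param array $entries
 *   Group entry values, e.g. array('cn=it,cn=groups,dc=ad,dc=myuniversity,dc=edu').
 * @param string $entries_attr
 *   LDAP attribute the values in $entries refer to, e.g. 'dn' or 'cn'.
 * @param string $membership_attr
 *   Group attribute that lists members, e.g. 'uniquemember'.
 * @param string $user_ldap_attr
 *   User attribute whose value appears in $membership_attr, e.g. 'dn', 'cn'.
 * @param array $user_ldap_entry
 *   The user's LDAP entry; its 'dn' and 'attr' keys are read.
 * @param bool $nested
 *   Whether to recurse through nested groups.
 *
 * @return array
 *   Group identifiers ($entries_attr values) the user is a member of. Empty
 *   when $entries is empty or the user has no value for $user_ldap_attr.
 *
 * @see tests/DeriveFromEntry/ldap_servers.inc for fuller notes and test example
 */
public function deriveFromEntryGroups($entries, $entries_attr, $membership_attr, $user_ldap_attr, $user_ldap_entry, $nested = FALSE) {
  $authorizations = array();

  // No candidate groups: the OR filter below would be malformed, so bail out.
  if (empty($entries)) {
    return $authorizations;
  }

  // Value the user is identified by inside group membership attributes.
  if ($user_ldap_attr === 'dn') {
    $matching_user_value = isset($user_ldap_entry['dn']) ? $user_ldap_entry['dn'] : NULL;
  }
  else {
    $matching_user_value = isset($user_ldap_entry['attr'][$user_ldap_attr][0]) ? $user_ldap_entry['attr'][$user_ldap_attr][0] : NULL;
  }
  // A user with no matching value cannot be a member of anything; without this
  // guard the nested membership test could match empty member values.
  if ($matching_user_value === NULL || $matching_user_value === '') {
    return $authorizations;
  }

  // Every value placed into the filter goes through ldap_server_massage_text()
  // with LDAP_SERVER_MASSAGE_QUERY_LDAP; that is the step that stops attribute
  // values from being interpreted as filter syntax, so keep it on every path.
  $escaped_entries = ldap_server_massage_text($entries, 'attr_value', LDAP_SERVER_MASSAGE_QUERY_LDAP);
  $filter = "(|\n    ({$entries_attr}=" . join(")\n    ({$entries_attr}=", $escaped_entries) . ")\n)";
  if (!$nested) {
    // Non-nested: let the directory perform the membership test in the same query.
    $escaped_user_value = ldap_server_massage_text($matching_user_value, 'attr_value', LDAP_SERVER_MASSAGE_QUERY_LDAP);
    $filter = "(&\n  {$filter}  \n  (" . $membership_attr . "=" . $escaped_user_value . ")  \n)";
  }

  $attributes = array(
    'dn',
    $membership_attr,
    $entries_attr,
    $user_ldap_attr,
    'objectClass',
  );
  // Group identifiers already examined, so nested recursion does not re-query them.
  $tested_groups = array();

  // Each base DN has to be searched separately.
  foreach ($this->basedn as $base_dn) {
    // Kept distinct from the $entries parameter so the input is never shadowed.
    $found = $this->search($base_dn, $filter, $attributes);
    if ($found === FALSE) {
      continue;
    }
    // Result sets carry a 'count' element alongside the entries; drop it so
    // the loop only ever sees entry arrays.
    unset($found['count']);

    foreach ($found as $entry) {
      if (!is_array($entry) || !isset($entry[$entries_attr])) {
        continue;
      }
      // Parenthesize the comparison, not a cast of it.
      $group_id = ($entries_attr === 'dn') ? (string) $entry['dn'] : (string) $entry[$entries_attr][0];

      if (!$nested) {
        // The filter already required membership: every hit is a group the user is in.
        $authorizations[] = $group_id;
        $tested_groups[] = $group_id;
        continue;
      }

      // Nested: hits are only candidate groups; membership is resolved here.
      if (!in_array($group_id, $tested_groups, TRUE) && isset($entry[$membership_attr])) {
        $members = $entry[$membership_attr];
        unset($members['count']);
        // Direct membership first. NOTE(review): this is a byte-exact comparison
        // while the directory matches DNs case-insensitively, so a case
        // difference between the user's value and the stored member value is
        // not matched here -- confirm this is the intended behaviour.
        if (in_array($matching_user_value, array_values($members), TRUE)) {
          $authorizations[] = $group_id;
        }
        elseif ($this->groupsByEntryIsMember($members, $entries_attr, $base_dn, $tested_groups, $membership_attr, $matching_user_value, 0, 10)) {
          // The user may belong via a child group; recursion depth is capped at 10.
          $authorizations[] = $group_id;
        }
      }
      $tested_groups[] = $group_id;
    }
  }
  return $authorizations;
}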