public function LdapServer::groupUserMembershipsFromUserAttr in Lightweight Directory Access Protocol (LDAP) 7.2

Same name and namespace in other branches
  1. 8.2 ldap_servers/LdapServer.class.php \LdapServer::groupUserMembershipsFromUserAttr()

Get the list of all groups a user is a member of, by reading the user's memberOf attribute first and then, if nesting is enabled, querying group entries to find parent groups.

If $nested = TRUE, the list will include all parent groups. That is, if the user is a member of the "programmer" group and the "programmer" group is a member of the "it" group, the user is a member of both the "programmer" and "it" groups.

If $nested = FALSE, the list will only include groups the user is in directly.

Parameters

mixed $user: one of

  • drupal user object (stdClass Object)
  • ldap entry of user (array) (with top level keys of 'dn', 'mail', 'sid' and 'attr')
  • ldap dn of user (array)
  • drupal username of user (string)

bool $nested: whether parent groups should be resolved recursively.

Return value

array of group DNs, or FALSE if group memberships are not configured or the user's membership attribute cannot be found.

1 call to LdapServer::groupUserMembershipsFromUserAttr()
LdapServer::groupMembershipsFromUser in ldap_servers/LdapServer.class.php
Get list of all groups that a user is a member of.

File

ldap_servers/LdapServer.class.php, line 1807
Defines server classes and related functions.

Class

LdapServer
LDAP Server Class.

Code

public function groupUserMembershipsFromUserAttr($user, $nested = NULL) {
  if (!$this->groupUserMembershipsConfigured) {
    return FALSE;
  }
  if ($nested === NULL) {
    $nested = $this->groupNested;
  }
  $not_user_ldap_entry = empty($user['attr'][$this->groupUserMembershipsAttr]);

  // If drupal user passed in, try to get user_ldap_entry.
  if ($not_user_ldap_entry) {
    $user = $this->userUserToExistingLdapEntry($user);
    $not_user_ldap_entry = empty($user['attr'][$this->groupUserMembershipsAttr]);
    if ($not_user_ldap_entry) {

      // User's membership attribute is not present: either misconfigured or the query failed.
      return FALSE;
    }
  }

  // If not exited yet, $user must be user_ldap_entry.
  $user_ldap_entry = $user;
  $all_group_dns = [];
  $tested_group_ids = [];
  $level = 0;
  $member_group_dns = $user_ldap_entry['attr'][$this->groupUserMembershipsAttr];
  if (isset($member_group_dns['count'])) {
    unset($member_group_dns['count']);
  }
  $ors = [];
  foreach ($member_group_dns as $i => $member_group_dn) {
    $all_group_dns[] = $member_group_dn;
    if ($nested) {
      if ($this->groupMembershipsAttrMatchingUserAttr == 'dn') {
        $member_value = $member_group_dn;
      }
      else {
        $member_value = ldap_servers_get_first_rdn_value_from_dn($member_group_dn, $this->groupMembershipsAttrMatchingUserAttr);
      }
      $ors[] = $this->groupMembershipsAttr . '=' . ldap_pear_escape_filter_value($member_value);
    }
  }
  if ($nested && count($ors)) {
    $count = count($ors);

    // Only 50 or so per query.
    for ($i = 0; $i < $count; $i = $i + LDAP_SERVER_LDAP_QUERY_CHUNK) {
      $current_ors = array_slice($ors, $i, LDAP_SERVER_LDAP_QUERY_CHUNK);

      // e.g. (|(cn=group1)(cn=group2)) or (|(dn=cn=group1,ou=blah...)(dn=cn=group2,ou=blah...))
      $or = '(|(' . join(")(", $current_ors) . '))';
      $query_for_parent_groups = '(&(objectClass=' . $this->groupObjectClass . ')' . $or . ')';

      // Need to search on all basedns one at a time.
      foreach ($this->basedn as $base_dn) {

        // No attributes, just dns needed.
        $group_entries = $this->search($base_dn, $query_for_parent_groups);
        if ($group_entries !== FALSE && $level < LDAP_SERVER_LDAP_QUERY_RECURSION_LIMIT) {
          $this->groupMembershipsFromEntryRecursive($group_entries, $all_group_dns, $tested_group_ids, $level + 1, LDAP_SERVER_LDAP_QUERY_RECURSION_LIMIT);
        }
      }
    }
  }
  return $all_group_dns;
}
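The memberOf-then-parent-group strategy of the method above, written out as an added Python example. It is not the module's PHP; the in-memory DIRECTORY, the CHUNK and RECURSION_LIMIT values, and the toy search() evaluator are assumptions standing in for a real LDAP server and the module's LDAP_SERVER_LDAP_QUERY_CHUNK / LDAP_SERVER_LDAP_QUERY_RECURSION_LIMIT constants. It shows the three points a reviewer checks in this method: every group value is RFC 4515-escaped (the role ldap_pear_escape_filter_value plays) before it is spliced into the OR filter, the filter is issued in bounded chunks per base DN, and the already-tested set plus the recursion limit keep a cyclic group graph from looping.

```python
import re

# Stand-ins for the module's LDAP_SERVER_LDAP_QUERY_CHUNK and
# LDAP_SERVER_LDAP_QUERY_RECURSION_LIMIT constants (values assumed).
CHUNK = 50
RECURSION_LIMIT = 10

# Constructed in-memory directory (dn -> attributes), not a real server.
# The cycle it -> staff -> it is deliberate: resolution must still terminate.
# The group "cn=dev*)" carries filter metacharacters in its name on purpose.
DIRECTORY = {
    "cn=alice,ou=people,dc=example,dc=org": {
        "objectClass": ["inetOrgPerson"],
        "memberOf": ["cn=programmer,ou=groups,dc=example,dc=org",
                     "cn=dev*),ou=groups,dc=example,dc=org"],
    },
    "cn=programmer,ou=groups,dc=example,dc=org": {
        "objectClass": ["groupOfNames"],
        "member": ["cn=alice,ou=people,dc=example,dc=org"],
    },
    "cn=it,ou=groups,dc=example,dc=org": {
        "objectClass": ["groupOfNames"],
        "member": ["cn=programmer,ou=groups,dc=example,dc=org",
                   "cn=dev*),ou=groups,dc=example,dc=org",
                   "cn=staff,ou=groups,dc=example,dc=org"],
    },
    "cn=staff,ou=groups,dc=example,dc=org": {
        "objectClass": ["groupOfNames"],
        "member": ["cn=it,ou=groups,dc=example,dc=org"],
    },
}


def escape_filter_value(value):
    """RFC 4515 escaping for a value spliced into a search filter."""
    return "".join("\\%02x" % ord(c) if c in "\\*()\x00" else c for c in value)


def unescape_filter_value(value):
    return re.sub(r"\\([0-9a-fA-F]{2})",
                  lambda m: chr(int(m.group(1), 16)), value)


def build_parent_group_filter(group_object_class, member_attr, member_values):
    """(&(objectClass=...)(|(member=v1)(member=v2)...)) with every value escaped."""
    ors = "".join("(%s=%s)" % (member_attr, escape_filter_value(v))
                  for v in member_values)
    return "(&(objectClass=%s)(|%s))" % (escape_filter_value(group_object_class), ors)


_ASSERTION = re.compile(r"\((\w+)=((?:[^()\\]|\\[0-9a-fA-F]{2})*)\)")


def search(directory, base_dn, filt):
    """Toy evaluator for filters of the exact shape build_parent_group_filter
    emits; anything else is rejected, as a server rejects a malformed filter."""
    leftover = _ASSERTION.sub("", filt).replace("(&", "").replace("(|", "").replace(")", "")
    if leftover:
        raise ValueError("malformed filter: " + filt)
    assertions = [(a, unescape_filter_value(v)) for a, v in _ASSERTION.findall(filt)]
    (oc_attr, oc), members = assertions[0], assertions[1:]
    return [dn for dn, attrs in directory.items()
            if dn.endswith(base_dn) and oc in attrs.get(oc_attr, [])
            and any(v in attrs.get(a, []) for a, v in members)]


def group_memberships_from_user_attr(directory, user_dn, nested=True,
                                     base_dns=("dc=example,dc=org",),
                                     group_object_class="groupOfNames",
                                     member_attr="member",
                                     memberships_attr="memberOf"):
    """Return the user's group DNs (parents included when nested is True), or
    None when the membership attribute is absent: misconfigured or failed lookup."""
    user = directory.get(user_dn)
    if user is None or not user.get(memberships_attr):
        return None
    all_group_dns = list(user[memberships_attr])
    tested = set()                 # groups whose parents were already queried
    frontier = list(all_group_dns)
    level = 0
    while nested and frontier and level < RECURSION_LIMIT:
        level += 1
        parents = []
        for i in range(0, len(frontier), CHUNK):   # bounded OR filter per query
            filt = build_parent_group_filter(group_object_class, member_attr,
                                             frontier[i:i + CHUNK])
            for base_dn in base_dns:                # each base DN searched on its own
                parents.extend(search(directory, base_dn, filt))
        tested.update(frontier)
        frontier = []
        for dn in parents:
            if dn not in all_group_dns:
                all_group_dns.append(dn)
            if dn not in tested and dn not in frontier:
                frontier.append(dn)
    return all_group_dns
```

Calling group_memberships_from_user_attr(DIRECTORY, "cn=alice,ou=people,dc=example,dc=org") returns programmer and dev*) directly, then it and staff through nesting, and stops when it comes back around; with nested=False only the first two are returned. Feeding search() a copy of the filter built without escaping raises ValueError, the toy stand-in for a server rejecting a filter that a group name has broken out of.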