You are here

Home » API reference » LDAP integration 5.2 » ldapgroups.module

function _ldapgroups_detect_groups in LDAP integration 5.2

Same name and namespace in other branches
  1. 5 ldapgroups.module \_ldapgroups_detect_groups()
  2. 6 ldapgroups.inc \_ldapgroups_detect_groups()
1 call to _ldapgroups_detect_groups()
ldapgroups_user_login in ./ldapgroups.module

File

./ldapgroups.module, line 305

Code

function _ldapgroups_detect_groups() {
  global $ldap, $user;

  // Nothing to do if the user is not LDAP authentified
  // or there are no groups configured
  $row = db_fetch_object(db_query("SELECT ldap_groups_in_dn, ldap_groups_in_attr, ldap_groups_as_entries, ldap_group_dn_attribute, ldap_group_attr, ldap_group_entries, ldap_group_entries_attribute FROM {ldapauth} WHERE name = '%s'", $ldap
    ->getOption('name')));
  $groups_in_dn = $row->ldap_groups_in_dn;
  $groups_in_attr = $row->ldap_groups_in_attr;
  $groups_as_entries = $row->ldap_groups_as_entries;
  $group_dn_attribute = $row->ldap_group_dn_attribute ? $row->ldap_group_dn_attribute : LDAP_DEFAULT_GROUP_DN_ATTRIBUTE;
  $group_attr = $row->ldap_group_attr;
  $group_entries = $row->ldap_group_entries ? $row->ldap_group_entries : '';
  if (!($groups_in_dn || $groups_in_attr || $groups_as_entries)) {
    return false;
  }

  // first try to connect with the stored user's DN and password
  // If unsuccessful, connect with the BINDDN and BINDPW stored in the database for this config
  $dn = isset($_SESSION['ldap_login']['dn']) ? $_SESSION['ldap_login']['dn'] : '';
  $pass = isset($_SESSION['ldap_login']['pass']) ? $_SESSION['ldap_login']['pass'] : '';
  if (!$ldap
    ->connect($dn, $pass)) {
    $row = db_fetch_object(db_query("SELECT binddn, bindpw FROM {ldapauth} WHERE name = '%s'", $ldap
      ->getOption('name')));
    $dn = $row->binddn;
    $pass = $row->bindpw;
    if (!$ldap
      ->connect($dn, $pass)) {
      watchdog('user', "User login: user {$user->name}'s data could not be read in the LDAP directory", WATCHDOG_WARNING);
      return false;
    }
  }

  // Strategy 1: group extracted from user's DN
  $dn_groups = array();
  if ($groups_in_dn && ($dn_group_attr = $group_dn_attribute)) {
    $pairs = explode(',', $user->ldap_dn);
    foreach ($pairs as $p) {
      $pair = explode('=', $p);
      if (trim($pair[0]) == $dn_group_attr) {
        $dn_groups[] = trim($pair[1]);
      }
    }
  }

  // Strategy 2: groups in user attributes
  $attrib_groups = array();
  if ($groups_in_attr && ($attributes = $group_attr)) {
    $attributes_array = explode("\r\n", $attributes);
    foreach ($attributes_array as $attribute) {
      $tmp = $ldap
        ->retrieveMultiAttribute($user->ldap_dn, $attribute);
      $attrib_groups = array_merge($attrib_groups, $tmp);
    }
  }

  // Strategy 3: groups as entries
  $entries_groups = array();
  if ($groups_as_entries && ($branches = $group_entries)) {
    $branches_array = explode("\r\n", $branches);
    $group_attr = $row->ldap_group_entries_attribute ? $row->ldap_group_entries_attribute : LDAP_DEFAULT_GROUP_ENTRIES_ATTRIBUTE;
    foreach ($branches_array as $branch) {
      $entries = $ldap
        ->search($branch, "{$group_attr}={$user->ldap_dn}", array(
        $group_attr,
      ));
      if ($entries['count'] == 0) {
        $entries = $ldap
          ->search($branch, "{$group_attr}={$user->name}", array(
          $group_attr,
        ));
      }
      foreach ($entries as $entry) {
        if (isset($entry['dn'])) {
          $entries_groups[] = $entry['dn'];
        }
      }
    }
  }
  $ldap
    ->disconnect();
  return array_merge($dn_groups, $attrib_groups, $entries_groups);
}