Issues

ZF-4730: Add possibility to check group-membership in Zend_Auth_Adapter_Ldap

Description

When using Zend_Auth_Adapter_Ldap, an additional check whether a user is a member of a specific group is missing.

I found this in an old proposal: http://framework.zend.com/wiki/display/…

'group_dn' : the DN of a group the authenticated user should be member of. If the user is authenticated against the LDAP, but is not member of the specified group, the authentication will fail (not implemented yet).

This feature is also available in PEAR_Auth, and I think many people out there would like to use such a feature, because mostly not everybody in an LDAP directory should be able to log in, but only specific groups (like e.g. departments in a company, or just admins and not "normal users").

Comments

Here are my derived classes where I added the described feature.

You can use them to add the functionality to Zend_Ldap and Zend_Auth_Adapter_Ldap.

I'm not a specialist in Zend-Coding-Standards, but it will help you.

I used the following config to use the new feature:

ldap.server1.host = ldap.domain.de
ldap.server1.useSsl = false

ldap.server1.accountDomainName = blub.domain.com
ldap.server1.accountDomainNameShort = blub
ldap.server1.accountCanonicalForm = 3
ldap.server1.accountFilterFormat = "(&(objectClass=user)(sAMAccountName=%s))"

ldap.server1.username = "cn=ldap,ou=myCompany,DC=blub,DC=domain,DC=com"
ldap.server1.password = mypwd
ldap.server1.baseDn = "DC=blub,DC=domain,DC=com"
ldap.server1.bindRequiresDn = true

ldap.server1.groups.1 = "Group 1 Admins"
ldap.server1.groups.2 = "Group 2 Germany Account Manager"

ldap.server1.groupAttr = "samAccountName"
ldap.server1.groupFilter = "(objectClass=group)"
ldap.server1.memberAttr = "member"

Assigning to Stefan Gehrig

Not sure where to put this new feature... Generally I'd say that this belongs in Zend_Auth_Adapter_Ldap, but the current structure will make adding this very hacky, as the whole authentication logic is actually situated in Zend_Ldap and all parameters are passed into Zend_Ldap as they are.

I really would like to separate the core LDAP functionality (Zend_Ldap) from everything that's related to authentication (Zend_Ldap_Auth_Adapter_Ldap) - but that would surely break BC.

I will have a look at this one - perhaps it's possible to refactor the thing and to add the group-membership-feature along the way without breaking BC.

Feature request closed in trunk rev. 17554.

Added the possibility to pass the following options to Zend_Auth_Adapter_Ldap:

$adapterOptions = array(
    'group'       => null, // the group the user must be member of; if NULL group-membership-check is disabled
    'groupDn'     => $ldap->getBaseDn(), // the parent DN under which the groups are located; defaults to the baseDn of the underlying Zend_Ldap
    'groupScope'  => Zend_Ldap::SEARCH_SCOPE_SUB, // the search scope when searching for groups
    'groupAttr'   => 'cn', // the attribute name for the RDN
    'groupFilter' => 'objectClass=groupOfUniqueNames', // an additional group filter that's added to the search filter
    'memberAttr'  => 'uniqueMember', // the group attribute in which to look for the user
    'memberIsDn'  => true // if TRUE then the account DN is used to check membership, otherwise the canonical account name is used
);

The options are not passed to the underlying Zend_Ldap so the group-membership-check is only available when using Zend_Auth_Adapter_Ldap.
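As an added illustration (not code from Zend Framework or from this issue), the following PHP builds the LDAP search filter that a membership check driven by the options above has to issue after the user's bind has succeeded. The filter shape (&(groupAttr=group)groupFilter(memberAttr=dn-or-name)) is my reading of the option descriptions, and the account DN and option values are constructed samples; the point it shows is that every value interpolated into the filter, including the account DN, must be escaped per RFC 4515 so that characters like "(" or "*" cannot alter the filter.

```php
<?php
// Added example, not part of Zend_Auth_Adapter_Ldap. Assumes the membership check
// reduces to one search filter of the form
//   (&(<groupAttr>=<group>)<groupFilter>(<memberAttr>=<account DN or canonical name>))
// issued under 'groupDn' with scope 'groupScope' once the user has authenticated.

/** Escape a value for use inside an LDAP search filter (RFC 4515 section 3). */
function ldapFilterEscape($value)
{
    $map = array(
        '\\' => '\5c', '*' => '\2a', '(' => '\28', ')' => '\29', "\0" => '\00',
    );
    return strtr($value, $map);
}

/** Build the group-membership filter from the adapter options and the bound account. */
function buildGroupMembershipFilter(array $opts, $accountDn, $canonicalName)
{
    $groupFilter = $opts['groupFilter'];
    if ($groupFilter !== '' && substr($groupFilter, 0, 1) !== '(') {
        $groupFilter = '(' . $groupFilter . ')';   // 'objectClass=group' -> '(objectClass=group)'
    }
    // memberIsDn decides which identity is looked up in the group's member attribute.
    $member = $opts['memberIsDn'] ? $accountDn : $canonicalName;
    return '(&'
        . '(' . $opts['groupAttr'] . '=' . ldapFilterEscape($opts['group']) . ')'
        . $groupFilter
        . '(' . $opts['memberAttr'] . '=' . ldapFilterEscape($member) . ')'
        . ')';
}

// Constructed sample options in the Active Directory style of the config posted above.
$adapterOptions = array(
    'group'       => 'Group 1 Admins',
    'groupDn'     => 'DC=blub,DC=domain,DC=com',
    'groupScope'  => 1,               // Zend_Ldap::SEARCH_SCOPE_SUB; numeric so this runs without the framework
    'groupAttr'   => 'sAMAccountName',
    'groupFilter' => '(objectClass=group)',
    'memberAttr'  => 'member',
    'memberIsDn'  => true,
);

// Constructed account DN containing characters that are special inside a filter.
$filter = buildGroupMembershipFilter(
    $adapterOptions,
    'CN=Doe\, John (Sales),OU=Users,DC=blub,DC=domain,DC=com',
    'blub\jdoe'
);
// Backslash and parentheses in the DN are escaped, so they cannot close the filter early:
// (&(sAMAccountName=Group 1 Admins)(objectClass=group)(member=CN=Doe\5c, John \28Sales\29,OU=Users,DC=blub,DC=domain,DC=com))
echo $filter, "\n";
```

With memberIsDn set to true the lookup only succeeds if the group's member attribute stores exactly the DN the user was bound with, so a directory that stores member entries in a different DN form will fail the check even for legitimate members.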