Issue Type: New Feature Created: 2008-10-28T08:08:45.000+0000 Last Updated: 2009-08-11T04:26:42.000+0000 Status: Resolved Fix version(s): - 1.9.2 (25/Aug/09)
Reporter: Michael Kliewe (mkliewe) Assignee: Stefan Gehrig (sgehrig) Tags: - Zend_Auth_Adapter_Ldap
Related issues: Attachments: - BDBAuthAdapterLdap.php
When using Zend_Auth_Adapter_Ldap, there is missing an additional check if a user is member of a specific group.
I found this in an old proposal: http://framework.zend.com/wiki/display/…
'group_dn' : the DN of a group the authenticated user should be member of. If the user is authenticated against the LDAP, but is not member of the specified group, the authentication will fail (not implemented yet).
This feature is also available in PEAR_Auth, and I think many people out there would like to use such a feature, because mostly not everybody in a ldap-directory should be able to login, but specific groups (like e.g. departments in a company, or just admins and not "normal users").
Posted by Michael Kliewe (mkliewe) on 2008-10-31T05:40:01.000+0000
Here are my derived classes where I added the descripted feature.
You can use them to add the functionality to Zend_Ldap and Zend_Auth_Adapter_Ldap.
I'm not a specialist in Zend-Coding-Standards, but it will help you.
I used the following config to use the new feature:
ldap.server1.host = ldap.domain.de ldap.server1.useSsl = false
ldap.server1.accountDomainName = blub.domain.com ldap.server1.accountDomainNameShort = blub ldap.server1.accountCanonicalForm = 3 ldap.server1.accountFilterFormat = "(&(objectClass=user)(sAMAccountName=%s))"
ldap.server1.username = "cn=ldap,ou=myCompany,DC=blub,DC=domain,DC=com" ldap.server1.password = mypwd ldap.server1.baseDn = "DC=blub,DC=domain,DC=com" ldap.server1.bindRequiresDn = true
ldap.server1.groups.1 = "Group 1 Admins" ldap.server1.groups.2 = "Group 2 Germany Account Manager"
ldap.server1.groupAttr = "samAccountName" ldap.server1.groupFilter = "(objectClass=group)" ldap.server1.memberAttr = "member"
Posted by Matthew Weier O'Phinney (matthew) on 2009-08-07T04:45:45.000+0000
Assigning to Stefan Gehrig
Posted by Stefan Gehrig (sgehrig) on 2009-08-07T12:21:25.000+0000
Not sure where to put this new feature... Generally I'd say that this belogs in Zend_Auth_Adapter_Ldap but the current structure will make adding this very hacky as the whole authentication logic is actually situated in Zend_Ldap and all parameters are passed into Zend_Ldap as they are.
I really would like to separate the core LDAP functionality (Zend_Ldap) from everthing that's related to authentication (Zend_Ldap_Auth_Adapter_Ldap) - but that would surely break BC.
I will have a look at this one - perhaps it's possible to refactor the thing and to add the group-membership-feature along the way without breaking BC.
Posted by Stefan Gehrig (sgehrig) on 2009-08-11T04:26:29.000+0000
Feature request closed in trunk rev. 17554.
Added the possibility to pass the following options to Zend_Auth_Adapter_Ldap
<pre class="highlight"> $adapterOptions = array( 'group' => null, // the group the user must be member of; if NULL group-membership-check is disabled 'groupDn' => $ldap->getBaseDn(), // the parent DN under which the groups are located; defaults to the baseDn of the underlying Zend_Ldap 'groupScope' => Zend_Ldap::SEARCH_SCOPE_SUB, // the search scope when searching for groups 'groupAttr' => 'cn', // the attribute name for the RDN 'groupFilter' => 'objectClass=groupOfUniqueNames', // an additional group filter that's added to the search filter 'memberAttr' => 'uniqueMember', // the group attribute in which to look for the user 'memberIsDn' => true // if TRUE then the account DN is used to check membership, otherwise the canonical account name is used );
The options are not passed to the underlying Zend_Ldap so the group-membership-check is only available when using Zend_Auth_Adapter_Ldap.
Have you found an issue?
See the Overview section for more details.