From 979ee667735b091db9158d05fde8b0d337cc902b Mon Sep 17 00:00:00 2001
From: Nils Adermann
Date: Sat, 18 Aug 2007 13:52:33 +0000
Subject: [PATCH] - allow multibyte search configuration
- added ldap_user_filter to add additional restrictions on the user objects used for authentication [Bug #12627]
- improved ldap explanations a bit
- display searchable subforums of invisible parents in advanced search forum selection [Bug #11395]
git-svn-id: file:///svn/phpbb/trunk@8047 89ea8834-ac86-4346-8a33-228a782c2dd0
---
 phpBB/adm/index.php | 2 +-
 phpBB/docs/CHANGELOG.html | 2 ++
 phpBB/includes/acp/acp_search.php | 2 +-
 phpBB/includes/auth/auth_ldap.php | 45 +++++++++++++++++++++++--------
 phpBB/install/database_update.php | 1 +
 phpBB/language/en/acp/board.php | 10 ++++---
 phpBB/search.php | 8 +++---
 7 files changed, 49 insertions(+), 21 deletions(-)
diff --git a/phpBB/adm/index.php b/phpBB/adm/index.php
index f99a2f8a73..b8b83a439e 100644
--- a/phpBB/adm/index.php
+++ b/phpBB/adm/index.php
@@ -477,7 +477,7 @@ function validate_config_vars($config_vars, &$cfg_array, &$error)
 $cfg_array[$config_name] = trim($cfg_array[$config_name]);
 // Make sure no NUL byte is present...
- if (strpos($cfg_array[$config_name], '\0') !== false || strpos($cfg_array[$config_name], '%00') !== false)
+ if (strpos($cfg_array[$config_name], "\0") !== false || strpos($cfg_array[$config_name], '%00') !== false)
 {
 $cfg_array[$config_name] = '';
 break;
diff --git a/phpBB/docs/CHANGELOG.html b/phpBB/docs/CHANGELOG.html
index ee0e2ec46e..26c54d18d4 100644
--- a/phpBB/docs/CHANGELOG.html
+++ b/phpBB/docs/CHANGELOG.html
@@ -226,6 +226,8 @@ p a {
  • [Fix] Header icons fixed in FF for RTL languages (Bug #14084)
  • [Change] Words in topic titles and post subjects are highlighted on the search results page and viewtopic too now (Bug #13383)
  • [Fix] Made sure strip_bbcode cannot get the idea that a smiley is a BBCode (Bug #14030)
  • +
  • [Change] Added a filter for user objects to LDAP configuration and improved explanations (Bug #12627)
  • +
  • [Fix] Display searchable subforums of invisible parents in advanced search forum selection (Bug #11395)
  • diff --git a/phpBB/includes/acp/acp_search.php b/phpBB/includes/acp/acp_search.php
index 27c3157723..f8d4f1f80d 100644
--- a/phpBB/includes/acp/acp_search.php
+++ b/phpBB/includes/acp/acp_search.php
@@ -92,7 +92,7 @@ class acp_search
 unset($search);
 unset($error);
- $cfg_array = (isset($_REQUEST['config'])) ? request_var('config', array('' => '')) : array();
+ $cfg_array = (isset($_REQUEST['config'])) ? request_var('config', array('' => ''), true) : array();
 $updated = request_var('updated', false);
 foreach ($settings as $config_name => $var_type)
diff --git a/phpBB/includes/auth/auth_ldap.php b/phpBB/includes/auth/auth_ldap.php
index ff6ff3edd1..1e90aebe7e 100644
--- a/phpBB/includes/auth/auth_ldap.php
+++ b/phpBB/includes/auth/auth_ldap.php
@@ -46,7 +46,7 @@ function init_ldap()
 $search = @ldap_search(
 $ldap,
 $config['ldap_base_dn'],
- '(' . $config['ldap_uid'] . '=' . ldap_escape(htmlspecialchars_decode($user->data['username'])) . ')',
+ ldap_user_filter($user->data['username']),
 (empty($config['ldap_email'])) ? array($config['ldap_uid']) : array($config['ldap_uid'], $config['ldap_email']),
 0,
 1
@@ -114,7 +114,7 @@ function login_ldap(&$username, &$password)
 $search = @ldap_search(
 $ldap,
 $config['ldap_base_dn'],
- '(' . $config['ldap_uid'] . '=' . ldap_escape(htmlspecialchars_decode($username)) . ')',
+ ldap_user_filter($username),
 (empty($config['ldap_email'])) ? array($config['ldap_uid']) : array($config['ldap_uid'], $config['ldap_email']),
 0,
 1
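Review bot: The new third argument `true` on the `$cfg_array = ... request_var('config', array('' => ''), true)` line is an opaque positional boolean; add a comment so the intent of the commit survives, e.g. `// third parameter: allow multibyte (UTF-8) values in search backend settings`. Those values are then validated per `$var_type` in the `foreach` that begins on the hunk's last line, whose body is outside the hunk; since this widens what an administrator can store, confirm that multibyte values still pass through the same per-type checks as before. The enclosing method of `acp_search` starts outside the hunk.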
  @@ -215,6 +215,25 @@ function login_ldap(&$username, &$password)
 );
 }
+/**
+* Generates a filter string for ldap_search to find a user
+*
+* @param $username string Username identifying the searched user
+*
+* @return string A filter string for ldap_search
+*/
+function ldap_user_filter($username)
+{
+ global $config;
+
+ $filter = '(' . $config['ldap_uid'] . '=' . ldap_escape(htmlspecialchars_decode($username)) . ')';
+ if ($config['ldap_user_filter'])
+ {
+ $filter = "(&$filter({$config['ldap_user_filter']}))";
+ }
+ return $filter;
+}
+
 /**
 * Escapes an LDAP AttributeValue
 */
@@ -237,14 +256,6 @@ function acp_ldap(&$new)
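Review bot: `ldap_user_filter()` always wraps the configured value in its own parentheses (`"(&$filter({$config['ldap_user_filter']}))"`), so an administrator who enters the filter in its usual form `(objectClass=posixAccount)` gets `(&(uid=…)((objectClass=posixAccount)))`, which the RFC 4515 filter grammar does not allow; because both callers (the hunks at -46 and -114) use `@ldap_search`, the outcome is every LDAP login failing with no diagnostic. The check `if ($config['ldap_user_filter'])` also treats a value of `0` as unset, so compare against `''` instead. I would accept both forms by adding parentheses only when they are missing, as below. The docblock should further say that `$username` is expected in phpBB's HTML-escaped stored form, since the function calls `htmlspecialchars_decode()` before `ldap_escape()`, e.g. `@param $username string Username as stored by phpBB (HTML-escaped); it is decoded, then LDAP-escaped`.
```php
function ldap_user_filter($username)
{
	global $config;

	$filter = '(' . $config['ldap_uid'] . '=' . ldap_escape(htmlspecialchars_decode($username)) . ')';

	// Optional administrator-configured restriction; accept it with or without enclosing parentheses
	$user_filter = trim($config['ldap_user_filter']);
	if ($user_filter !== '')
	{
		if ($user_filter[0] != '(')
		{
			$user_filter = "($user_filter)";
		}
		$filter = "(&$filter$user_filter)";
	}
	return $filter;
}
```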

    ' . $user->lang['LDAP_SERVER_EXPLAIN'] . '
    -
    -

    ' . $user->lang['LDAP_USER_EXPLAIN'] . '
    -
    -
    -
    -

    ' . $user->lang['LDAP_PASSWORD_EXPLAIN'] . '
    -
    -

    ' . $user->lang['LDAP_DN_EXPLAIN'] . '
    @@ -253,16 +264,28 @@ function acp_ldap(&$new)

    ' . $user->lang['LDAP_UID_EXPLAIN'] . '
    +
    +

    ' . $user->lang['LDAP_USER_FILTER_EXPLAIN'] . '
    +
    +

    ' . $user->lang['LDAP_EMAIL_EXPLAIN'] . '
    +
    +

    ' . $user->lang['LDAP_USER_EXPLAIN'] . '
    +
    +
    +
    +

    ' . $user->lang['LDAP_PASSWORD_EXPLAIN'] . '
    +
    +
    ';
 // These are fields required in the config table
 return array(
 'tpl' => $tpl,
- 'config' => array('ldap_server', 'ldap_user', 'ldap_password', 'ldap_base_dn', 'ldap_uid', 'ldap_email')
+ 'config' => array('ldap_server', 'ldap_base_dn', 'ldap_uid', 'ldap_user_filter', 'ldap_email', 'ldap_user', 'ldap_password')
 );
 }
diff --git a/phpBB/install/database_update.php b/phpBB/install/database_update.php
index 5179979f5f..393d1d3082 100644
--- a/phpBB/install/database_update.php
+++ b/phpBB/install/database_update.php
@@ -1496,6 +1496,7 @@ if (version_compare($current_version, '3.0.RC4', '<='))
 // Setting this here again because new installations may not have it...
 set_config('cron_lock', '0', true);
+ set_config('ldap_user_filter', '');
 $no_updates = false;
 }
diff --git a/phpBB/language/en/acp/board.php b/phpBB/language/en/acp/board.php
index af88b47db5..8c1f502b09 100644
--- a/phpBB/language/en/acp/board.php
+++ b/phpBB/language/en/acp/board.php
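Review bot: The new `set_config('ldap_user_filter', '');` sits directly under the comment `// Setting this here again because new installations may not have it...`, which refers to `cron_lock` and now reads as if it explained the LDAP setting too; give the new line its own comment, e.g. `// New setting: optional extra LDAP filter applied when looking up user objects (empty = no restriction)`. Since `ldap_user_filter()` reads `$config['ldap_user_filter']` unconditionally, this default is what keeps upgraded boards from hitting an undefined index, so presumably the install schema data carries the same row for fresh installs — confirm, as that file is not part of this patch. The enclosing `version_compare` block starts outside the hunk.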
  @@ -304,13 +304,15 @@ $lang = array_merge($lang, array(
 'LDAP_NO_EMAIL' => 'The specified e-mail attribute does not exist.',
 'LDAP_NO_IDENTITY' => 'Could not find a login identity for %s.',
 'LDAP_PASSWORD' => 'LDAP password',
- 'LDAP_PASSWORD_EXPLAIN' => 'Leave blank to use anonymous access. Else fill in the password for the above user. WARNING: This password will be stored as plain text in the database visible to everybody who can access your database.',
+ 'LDAP_PASSWORD_EXPLAIN' => 'Leave blank to use anonymous binding. Else fill in the password for the above user. Required for Active Directory Servers. WARNING: This password will be stored as plain text in the database visible to everybody who can access your database or who can view this configuration page.',
 'LDAP_SERVER' => 'LDAP server name',
- 'LDAP_SERVER_EXPLAIN' => 'If using LDAP this is the name or IP address of the server.',
+ 'LDAP_SERVER_EXPLAIN' => 'If using LDAP this is the hostname or IP address of the LDAP server. Alternatively you can specify an URL like ldap://hostname:port/',
 'LDAP_UID' => 'LDAP uid',
 'LDAP_UID_EXPLAIN' => 'This is the key under which to search for a given login identity, e.g. uid, sn, etc.',
- 'LDAP_USER' => 'LDAP user',
- 'LDAP_USER_EXPLAIN' => 'Leave blank to use anonymous access. If filled in phpBB will connect to the LDAP server as the specified user.',
+ 'LDAP_USER' => 'LDAP user dn',
+ 'LDAP_USER_EXPLAIN' => 'Leave blank to use anonymous binding. If filled in phpBB uses the specified distinguished name on login attempts to find the correct user, e.g. uid=Username,ou=MyUnit,o=MyCompany,c=US. Required for Active Directory Servers.',
+ 'LDAP_USER_FILTER' => 'LDAP user filter',
+ 'LDAP_USER_FILTER_EXPLAIN' => 'Optionally you can further limit the searched objects with additional filters. For example objectClass=posixGroup would result in the use of (&(uid=$username)(objectClass=posixGroup))',
 ));
 // Server Settings
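Review bot: The example in the new `LDAP_USER_FILTER_EXPLAIN` string, `objectClass=posixGroup`, names the RFC 2307 class for group entries, yet this filter is ANDed into the search for the user's own entry, so an administrator copying the example would have no user match at all. An account class such as `objectClass=posixAccount` illustrates the intended use, and the text should state explicitly that the value is entered without surrounding parentheses, because `ldap_user_filter()` adds its own pair.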
  diff --git a/phpBB/search.php b/phpBB/search.php
index 9a50ce2fcb..d9010b73a8 100644
--- a/phpBB/search.php
+++ b/phpBB/search.php
@@ -939,9 +939,9 @@ while ($row = $db->sql_fetchrow($result))
 continue;
 }
- if (!$auth->acl_get('f_list', $row['forum_id']) || $row['forum_type'] == FORUM_LINK || ($row['forum_password'] && !$row['user_id']))
+ if ($row['forum_type'] == FORUM_LINK || ($row['forum_password'] && !$row['user_id']))
 {
- // if the user does not have permissions to list this forum skip to the next branch
+ // if this forum is a link or password protected (user has not entered the password yet) then skip to the next branch
 continue;
 }
@@ -964,9 +964,9 @@ while ($row = $db->sql_fetchrow($result))
 $right = $row['right_id'];
- if (!$auth->acl_get('f_search', $row['forum_id']))
+ if ($auth->acl_gets('!f_search', '!f_list', $row['forum_id']))
 {
- // if the user does not have permissions to search or see this forum skip only this forum/category
+ // if the user does not have permissions to search or see this forum skip only this forum/category
 continue;
 }
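Review bot: With `f_list` dropped from the branch-skip condition in the first hunk, a forum the user may not list is no longer pruned together with its subtree, so the only thing keeping that forum out of the selection list is the `acl_gets('!f_search', '!f_list', $row['forum_id'])` test in the second hunk; the code between the two hunks (the `$right`/tree bookkeeping, outside both) must therefore not emit the parent's name or id before that test runs, or the change discloses forum names the user is not permitted to see. The `acl_gets()` call also deserves a comment, because its OR-over-options behaviour with negated options (as I read `auth::acl_gets()`) is easy to misread as "both denied": `// acl_gets() ORs its options: skip this forum when either f_search or f_list is denied; its children are still examined`. The `while` loop enclosing both hunks starts and ends outside them.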