diff --git a/lam/HISTORY b/lam/HISTORY index 171acb7d..d3357ce9 100644 --- a/lam/HISTORY +++ b/lam/HISTORY @@ -1,6 +1,7 @@ March 2014 4.5 - IMAP: allow dynamic admin user names by replacing wildcards with LDAP attributes - Personal: allow to set fields read-only + - Added option to server profile if referrals should be followed (fixes problems with Samba 4 and AD) 18.12.2013 4.4 - PyKota support: users, groups, printers, billing codes diff --git a/lam/docs/manual-sources/howto.xml b/lam/docs/manual-sources/howto.xml index 1613695d..c99d087b 100644 --- a/lam/docs/manual-sources/howto.xml +++ b/lam/docs/manual-sources/howto.xml @@ -713,6 +713,15 @@ Have fun!
Version specific upgrade instructions +
+ 4.4 -> 4.5 + + LAM will no longer follow referrals by default. This is ok for + most installations. If you use LDAP referrals please activate + referral following for your server profile (tab General settings + -> Server settings -> Advanced options). +
+
4.3 -> 4.4 @@ -1234,6 +1243,10 @@ Have fun! linkend="a_accessLevelPasswordReset">this page for details on the different access levels. + By default LAM will not follow LDAP referrals. This is ok for + most installations. If you use LDAP referrals please activate the + referral option in advanced settings. + diff --git a/lam/docs/manual-sources/images/configProfiles4.png b/lam/docs/manual-sources/images/configProfiles4.png index c3eef00b..a1adea61 100644 Binary files a/lam/docs/manual-sources/images/configProfiles4.png and b/lam/docs/manual-sources/images/configProfiles4.png differ diff --git a/lam/help/help.inc b/lam/help/help.inc index 1f4c892d..0d0957b6 100644 --- a/lam/help/help.inc +++ b/lam/help/help.inc @@ -82,6 +82,8 @@ $helpArray = array ( _("dc=yourcompany,dc=com")), "204" => array ("Headline" => _("SSL certificate"), "Text" => _("This is only needed for TLS/SSL connections. By default, LAM will use the certificate authorities installed on your system. If you have a private CA in your company you can upload your CA certificates here and override the system certificates.")), + "205" => array ("Headline" => _("Follow referrals"), + "Text" => _("Specifies if LAM should automatically follow referrals. Activate if you use referrals in your LDAP directory.")), "206" => array ("Headline" => _("List attributes"), "Text" => _("This is the list of attributes to show in the account list. The entries can either be predefined values, \"#attribute\", or individual ones, \"attribute:description\". Several entries are separated by semicolons.") . "


" . diff --git a/lam/lib/config.inc b/lam/lib/config.inc index fc13e9f2..e84ef2ad 100644 --- a/lam/lib/config.inc +++ b/lam/lib/config.inc @@ -258,6 +258,9 @@ class LAMConfig { /** enables/disables TLS encryption */ private $useTLS; + /** automatically follow referrals */ + private $followReferrals = 'false'; + /** Array of string: users with admin rights */ private $Admins; @@ -349,7 +352,7 @@ class LAMConfig { private $lamProMailText = ''; /** List of all settings in config file */ - private $settings = array("ServerURL", "useTLS", "Passwd", "Admins", "treesuffix", + private $settings = array("ServerURL", "useTLS", "followReferrals", "Passwd", "Admins", "treesuffix", "defaultLanguage", "scriptPath", "scriptServer", "scriptRights", "cachetimeout", "modules", "activeTypes", "types", "tools", "accessLevel", 'loginMethod', 'loginSearchSuffix', 'loginSearchFilter', 'searchLimit', 'lamProMailFrom', 'lamProMailReplyTo', 'lamProMailSubject', @@ -516,6 +519,7 @@ class LAMConfig { // check if we have to add new entries (e.g. if user upgraded LAM and has an old config file) if (!in_array("ServerURL", $saved)) array_push($file_array, "\n\n# server address (e.g. ldap://localhost:389 or ldaps://localhost:636)\n" . "serverURL: " . $this->ServerURL . "\n"); if (!in_array("useTLS", $saved)) array_push($file_array, "\n\n# enable TLS encryption\n" . "useTLS: " . $this->useTLS . "\n"); + if (!in_array("followReferrals", $saved)) array_push($file_array, "\n\n# follow referrals\n" . "followReferrals: " . $this->followReferrals . "\n"); if (!in_array("Passwd", $saved)) array_push($file_array, "\n\n# password to change these preferences via webfrontend\n" . "passwd: " . $this->Passwd . "\n"); if (!in_array("Admins", $saved)) array_push($file_array, "\n\n# list of users who are allowed to use LDAP Account Manager\n" . "# names have to be seperated by semicolons\n" . 
@@ -638,7 +642,7 @@ class LAMConfig { /** * Sets if TLS is activated. * - * @param String yes or no + * @param String $useTLS yes or no * @return boolean true if $useTLS has correct format */ public function setUseTLS($useTLS) { @@ -649,6 +653,23 @@ class LAMConfig { return false; } + /** + * Returns if referrals should be followed. + * + * @return String true or false + */ + public function getFollowReferrals() { + return $this->followReferrals; + } + + /** + * Sets if referrals should be followed. + * + * @param String $followReferrals true or false + */ + public function setFollowReferrals($followReferrals) { + $this->followReferrals = $followReferrals; + } /** * Returns an array of string with all admin names diff --git a/lam/lib/ldap.inc b/lam/lib/ldap.inc index 12488d25..b145d425 100644 --- a/lam/lib/ldap.inc +++ b/lam/lib/ldap.inc @@ -100,6 +100,9 @@ class Ldap{ if ($this->server) { // use LDAPv3 ldap_set_option($this->server, LDAP_OPT_PROTOCOL_VERSION, 3); + // referral following + $followReferrals = ($this->conf->getFollowReferrals() === 'true') ? 1 : 0; + ldap_set_option($this->server,LDAP_OPT_REFERRALS, $followReferrals); // start TLS if specified $useTLS = $this->conf->getUseTLS(); if (isset($useTLS) && ($useTLS == "yes")) { diff --git a/lam/templates/3rdParty/pla/lib/ds_myldap.php b/lam/templates/3rdParty/pla/lib/ds_myldap.php index 08d08c16..8e23b575 100644 --- a/lam/templates/3rdParty/pla/lib/ds_myldap.php +++ b/lam/templates/3rdParty/pla/lib/ds_myldap.php 
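Review bot: `setFollowReferrals()` stores its argument unvalidated, unlike `setUseTLS()` directly above it, which checks the format and returns a boolean; since the consumers in this commit compare the stored value with `=== 'true'`, any other spelling (`'yes'`, `'1'`, a typo in a hand-edited config file) silently turns referral following off without any error. Suggest mirroring the existing setter: `if (!in_array($followReferrals, array('true', 'false'), true)) return false;` before the assignment, then `return true;`, documented with `@return boolean true if $followReferrals has correct format`. The comment this file writes into the config file in the earlier hunk (`# follow referrals`) could likewise name the accepted values, e.g. `# follow referrals (true or false)`, so the same contract is visible to anyone editing the file by hand.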
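Review bot: The return value of the new `ldap_set_option($this->server, LDAP_OPT_REFERRALS, $followReferrals)` call is discarded, so a failure to apply the option would go unnoticed and the connection would silently proceed with the library default; the neighbouring `LDAP_OPT_PROTOCOL_VERSION` call has the same gap, but the new line is the one under review. A second point deserves a comment: as far as I know, libldap chases referrals by binding to the referred-to server anonymously unless a rebind callback is registered with `ldap_set_rebind_proc()`, so entries behind a referral may come back with only anonymous access rights, which is easy to mistake for missing data. Suggested comment above the call: `// referral following; note that libldap rebinds anonymously on referred servers unless ldap_set_rebind_proc() is used`. The enclosing connect method starts and ends outside this hunk.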
@@ -186,7 +186,9 @@ class myldap extends DS { /* Disabling this makes it possible to browse the tree for Active Directory, and seems * to not affect other LDAP servers (tested with OpenLDAP) as phpLDAPadmin explicitly * specifies deref behavior for each ldap_search operation. */ - ldap_set_option($resource,LDAP_OPT_REFERRALS,1); + // TODO provide upstream patch if PLA gets active again + $followReferrals = ($_SESSION['config']->getFollowReferrals() === 'true') ? 1 : 0; + ldap_set_option($resource,LDAP_OPT_REFERRALS, $followReferrals); # Try to fire up TLS is specified in the config if ($this->isTLSEnabled()) diff --git a/lam/templates/config/confmain.php b/lam/templates/config/confmain.php index 72a19c14..b1f8ed7c 100644 --- a/lam/templates/config/confmain.php +++ b/lam/templates/config/confmain.php @@ -253,6 +253,7 @@ $searchLimitOptions = array( $limitSelect = new htmlTableExtendedSelect('searchLimit', $searchLimitOptions, array($conf->get_searchLimit()), _("LDAP search limit"), '222'); $limitSelect->setHasDescriptiveElements(true); $serverSettingsContent->addElement($limitSelect, true); + // access level is only visible in Pro version if (isLAMProVersion()) { $accessOptions = array( 
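Review bot: The new line reaches into `$_SESSION['config']` from inside vendored phpLDAPadmin code, so this third-party class now depends on LAM's session layout and would fail with a method call on null if it were ever loaded without a LAM config in the session; routing the value through a method on this class, analogous to the `$this->isTLSEnabled()` call two lines below, would keep that coupling in one place and make the TODO easier to honour when an upstream patch is prepared. The retained comment block above the call ("Disabling this makes it possible to browse the tree for Active Directory ...") describes a fixed setting and no longer matches a value that is now taken from the server profile; it should say so, e.g. `/* Referral following is controlled by the LAM server profile (advanced options). */`. The enclosing connect method starts and ends outside the hunk.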
@@ -265,6 +266,17 @@ if (isLAMProVersion()) { $serverSettingsContent->addElement($accessSelect, true); } +// advanced options +$advancedOptionsContent = new htmlTable(); +// referrals +$followReferrals = ($conf->getFollowReferrals() === 'true'); +$advancedOptionsContent->addElement(new htmlTableExtendedInputCheckbox('followReferrals',$followReferrals , _('Follow referrals'), '205'), true); + +// build advanced options box +$advancedOptions = new htmlAccordion('advancedOptions_server', array(_('Advanced options') => $advancedOptionsContent), false); +$advancedOptions->colspan = 15; +$serverSettingsContent->addElement($advancedOptions, true); + $serverSettings = new htmlFieldset($serverSettingsContent, _("Server settings"), '../../graphics/profiles.png'); $container->addElement($serverSettings, true); $container->addElement(new htmlSpacer(null, '10px'), true); @@ -486,6 +498,12 @@ function checkInput() { if ((strpos($_POST['serverurl'], 'ldaps://') !== false) && ($_POST['useTLS'] == 'yes')) { $errors[] = array("ERROR", _('You cannot use SSL and TLS encryption at the same time. Please use either "ldaps://" or TLS.')); } + if (isset($_POST['followReferrals']) && ($_POST['followReferrals'] == 'on')) { + $conf->setFollowReferrals('true'); + } + else { + $conf->setFollowReferrals('false'); + } /* if (!$conf->set_cacheTimeout($_POST['cachetimeout'])) { $errors[] = array("ERROR", _("Cache timeout is invalid!")); }*/
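Review bot: The checkbox is tested with loose comparison `$_POST['followReferrals'] == 'on'` while every other comparison this commit adds for the setting is strict (`=== 'true'` in ldap.inc, in ds_myldap.php and in the form-building hunk above); `=== 'on'` keeps the style consistent and sidesteps PHP's numeric-string rules for `==`. The `isset()` guard already covers an unchecked box, so the strict form loses nothing. `checkInput()` starts and ends outside the hunk.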