added option if referrals should be followed

This commit is contained in:
Roland Gruber 2014-01-12 10:18:35 +00:00
parent fe3463b77a
commit 14a619989e
8 changed files with 63 additions and 3 deletions

View File

@ -1,6 +1,7 @@
March 2014 4.5
- IMAP: allow dynamic admin user names by replacing wildcards with LDAP attributes
- Personal: allow to set fields read-only
- Added option to server profile if referrals should be followed (fixes problems with Samba 4 and AD)
18.12.2013 4.4
- PyKota support: users, groups, printers, billing codes

View File

@ -713,6 +713,15 @@ Have fun!
<section id="a_versUpgrade">
<title>Version specific upgrade instructions</title>
<section>
<title>4.4 -&gt; 4.5</title>
<para>LAM will no longer follow referrals by default. This is ok for
most installations. If you use LDAP referrals please activate
referral following for your server profile (tab General settings
-&gt; Server settings -&gt; Advanced options).</para>
</section>
<section>
<title>4.3 -&gt; 4.4</title>
@ -1234,6 +1243,10 @@ Have fun!
linkend="a_accessLevelPasswordReset">this page</link> for details on
the different access levels.</para>
<para>By default LAM will not follow LDAP referrals. This is ok for
most installations. If you use LDAP referrals please activate the
referral option in advanced settings.</para>
<screenshot>
<mediaobject>
<imageobject>

Binary file not shown.

Before

Width:  |  Height:  |  Size: 25 KiB

After

Width:  |  Height:  |  Size: 30 KiB

View File

@ -82,6 +82,8 @@ $helpArray = array (
_("dc=yourcompany,dc=com")),
"204" => array ("Headline" => _("SSL certificate"),
"Text" => _("This is only needed for TLS/SSL connections. By default, LAM will use the certificate authorities installed on your system. If you have a private CA in your company you can upload your CA certificates here and override the system certificates.")),
"205" => array ("Headline" => _("Follow referrals"),
"Text" => _("Specifies if LAM should automatically follow referrals. Activate if you use referrals in your LDAP directory.")),
"206" => array ("Headline" => _("List attributes"),
"Text" => _("This is the list of attributes to show in the account list. The entries can either be predefined values, \"#attribute\", or individual ones, \"attribute:description\". Several entries are separated by semicolons.") .
"<br><br><br><big><b>" .

View File

@ -258,6 +258,9 @@ class LAMConfig {
/** enables/disables TLS encryption */
private $useTLS;
/** automatically follow referrals */
private $followReferrals = 'false';
/** Array of string: users with admin rights */
private $Admins;
@ -349,7 +352,7 @@ class LAMConfig {
private $lamProMailText = '';
/** List of all settings in config file */
private $settings = array("ServerURL", "useTLS", "Passwd", "Admins", "treesuffix",
private $settings = array("ServerURL", "useTLS", "followReferrals", "Passwd", "Admins", "treesuffix",
"defaultLanguage", "scriptPath", "scriptServer", "scriptRights", "cachetimeout",
"modules", "activeTypes", "types", "tools", "accessLevel", 'loginMethod', 'loginSearchSuffix',
'loginSearchFilter', 'searchLimit', 'lamProMailFrom', 'lamProMailReplyTo', 'lamProMailSubject',
@ -516,6 +519,7 @@ class LAMConfig {
// check if we have to add new entries (e.g. if user upgraded LAM and has an old config file)
if (!in_array("ServerURL", $saved)) array_push($file_array, "\n\n# server address (e.g. ldap://localhost:389 or ldaps://localhost:636)\n" . "serverURL: " . $this->ServerURL . "\n");
if (!in_array("useTLS", $saved)) array_push($file_array, "\n\n# enable TLS encryption\n" . "useTLS: " . $this->useTLS . "\n");
if (!in_array("followReferrals", $saved)) array_push($file_array, "\n\n# follow referrals\n" . "followReferrals: " . $this->followReferrals . "\n");
if (!in_array("Passwd", $saved)) array_push($file_array, "\n\n# password to change these preferences via webfrontend\n" . "passwd: " . $this->Passwd . "\n");
if (!in_array("Admins", $saved)) array_push($file_array, "\n\n# list of users who are allowed to use LDAP Account Manager\n" .
"# names have to be seperated by semicolons\n" .
@ -638,7 +642,7 @@ class LAMConfig {
/**
* Sets if TLS is activated.
*
* @param String yes or no
* @param String $useTLS yes or no
* @return boolean true if $useTLS has correct format
*/
public function setUseTLS($useTLS) {
@ -649,6 +653,23 @@ class LAMConfig {
return false;
}
/**
* Returns if referrals should be followed.
*
* @return String true or false
*/
public function getFollowReferrals() {
return $this->followReferrals;
}
/**
* Sets if referrals should be followed.
*
* @param String $followReferrals true or false
*/
public function setFollowReferrals($followReferrals) {
$this->followReferrals = $followReferrals;
}
/**
* Returns an array of string with all admin names

View File

@ -100,6 +100,9 @@ class Ldap{
if ($this->server) {
// use LDAPv3
ldap_set_option($this->server, LDAP_OPT_PROTOCOL_VERSION, 3);
// referral following
$followReferrals = ($this->conf->getFollowReferrals() === 'true') ? 1 : 0;
ldap_set_option($this->server,LDAP_OPT_REFERRALS, $followReferrals);
// start TLS if specified
$useTLS = $this->conf->getUseTLS();
if (isset($useTLS) && ($useTLS == "yes")) {

View File

@ -186,7 +186,9 @@ class myldap extends DS {
/* Disabling this makes it possible to browse the tree for Active Directory, and seems
* to not affect other LDAP servers (tested with OpenLDAP) as phpLDAPadmin explicitly
* specifies deref behavior for each ldap_search operation. */
ldap_set_option($resource,LDAP_OPT_REFERRALS,1);
// TODO provide upstream patch if PLA gets active again
$followReferrals = ($_SESSION['config']->getFollowReferrals() === 'true') ? 1 : 0;
ldap_set_option($resource,LDAP_OPT_REFERRALS, $followReferrals);
# Try to fire up TLS is specified in the config
if ($this->isTLSEnabled())

View File

@ -253,6 +253,7 @@ $searchLimitOptions = array(
$limitSelect = new htmlTableExtendedSelect('searchLimit', $searchLimitOptions, array($conf->get_searchLimit()), _("LDAP search limit"), '222');
$limitSelect->setHasDescriptiveElements(true);
$serverSettingsContent->addElement($limitSelect, true);
// access level is only visible in Pro version
if (isLAMProVersion()) {
$accessOptions = array(
@ -265,6 +266,17 @@ if (isLAMProVersion()) {
$serverSettingsContent->addElement($accessSelect, true);
}
// advanced options
$advancedOptionsContent = new htmlTable();
// referrals
$followReferrals = ($conf->getFollowReferrals() === 'true');
$advancedOptionsContent->addElement(new htmlTableExtendedInputCheckbox('followReferrals',$followReferrals , _('Follow referrals'), '205'), true);
// build advanced options box
$advancedOptions = new htmlAccordion('advancedOptions_server', array(_('Advanced options') => $advancedOptionsContent), false);
$advancedOptions->colspan = 15;
$serverSettingsContent->addElement($advancedOptions, true);
$serverSettings = new htmlFieldset($serverSettingsContent, _("Server settings"), '../../graphics/profiles.png');
$container->addElement($serverSettings, true);
$container->addElement(new htmlSpacer(null, '10px'), true);
@ -486,6 +498,12 @@ function checkInput() {
if ((strpos($_POST['serverurl'], 'ldaps://') !== false) && ($_POST['useTLS'] == 'yes')) {
$errors[] = array("ERROR", _('You cannot use SSL and TLS encryption at the same time. Please use either "ldaps://" or TLS.'));
}
if (isset($_POST['followReferrals']) && ($_POST['followReferrals'] == 'on')) {
$conf->setFollowReferrals('true');
}
else {
$conf->setFollowReferrals('false');
}
/* if (!$conf->set_cacheTimeout($_POST['cachetimeout'])) {
$errors[] = array("ERROR", _("Cache timeout is invalid!"));
}*/