From 0fd8ab5b5999ba5147a56e69fe7c5d4ff0b0ede7 Mon Sep 17 00:00:00 2001
From: David Patzke
Date: Thu, 6 Jun 2019 11:11:33 +0200
Subject: [PATCH] Change way of obtaining groups to use UserDN for search

---
 Security/Provider/LDAPUserProvider.php | 13 +++++++++----
 1 file changed, 9 insertions(+), 4 deletions(-)

diff --git a/Security/Provider/LDAPUserProvider.php b/Security/Provider/LDAPUserProvider.php
index 2fc311b..3303f2b 100644
--- a/Security/Provider/LDAPUserProvider.php
+++ b/Security/Provider/LDAPUserProvider.php
@@ -86,13 +86,18 @@ public function loadUserByUsername($username)
 $this->ldapClient->bind($this->baseDn,$this->basePw);
 $username = $this->ldapClient->escape($username, '', LDAP_ESCAPE_FILTER);
 $userQuery = str_replace('{username}', $username, $this->userQuery);
- $user = $this->ldapClient->find($this->userDN,$userQuery, '(objectClass=*)');
-
+ $user = $this->ldapClient->find($this->userDN,$userQuery, '');
+
 if($user){
+ // We assume here that our username has to be unique otherwise login would not work in general.
+ // LDAP search gives us a result set, so our user has to be the first entry and using user[0] should be save.
+ // According to RFC https://tools.ietf.org/html/rfc4511#page-20 a search result must provide the attribute
+ // and resulting from that we can always be save that $user[0]['dn']; will have the correct value!
+ $ldapGroupSearchQuery = str_replace('{userDN}', $user[0]['dn'], $this->groupQuery);
 $groups = $this->defaultRoles;
-
- $ldapGroupSearchQuery = str_replace('{username}', $username, $this->groupQuery);
+
+ $ldapGroups = $this->ldapClient->find($this->groupBaseDN,$ldapGroupSearchQuery);
 if($ldapGroups) {