public bool MemberOfGroup(string user, string group)
{
string groupDn = Settings.Store.GroupDnPattern;
string groupAttribute = Settings.Store.GroupMemberAttrib;
string groupGidAttribute = Settings.Store.GroupGidAttrib;
string groupGidAttributeIU = Settings.Store.GroupGidAttribIU;
if (string.IsNullOrEmpty(groupDn))
throw new Exception("Can't resolve group DN, group DN pattern missing.");
if (string.IsNullOrEmpty(groupAttribute))
throw new Exception("Can't resolve group membership, group attribute missing.");
groupDn = Regex.Replace(groupDn, @"\%g", group);
string target = user;
// If the group attribute is "uniqueMember" or "member" then the LDAP server
// is using groupOfUniqueNames or groupOfNames object class. The group
// list uses full DNs instead of just uids, so we need to expand the
// username to the full DN.
if (groupAttribute.Equals("uniqueMember", StringComparison.CurrentCultureIgnoreCase) ||
groupAttribute.Equals("member", StringComparison.CurrentCultureIgnoreCase))
{
// Try to generate the full DN for the user.
m_logger.DebugFormat("Attempting to generate DN for user {0}", user);
target = this.GetUserDN(user);
if (target == null)
{
m_logger.Error("Unable to generate DN for user, using username.");
target = user;
}
}
string filter = string.Format("({0}={1})", groupAttribute, target);
m_logger.DebugFormat("Searching for group membership, DN: {0} Filter: {1}", groupDn, filter);
try
{
// Basic group check
SearchRequest req = new SearchRequest(groupDn, filter, SearchScope.Base, new string[] {"dn"});
req.Aliases = (DereferenceAlias)((int)Settings.Store.Dereference);
SearchResponse resp = (SearchResponse)m_conn.SendRequest(req);
if( resp.Entries.Count > 0)
{
return true;
}
//We go and search for the GID of a group and see if the user has this GID set to.
//A group should only have 1 GID set, a user can have more than 1.
//We only check this if the user provides us with Attributes.
//We need not use this method if the user was allready found using the default way above.
//If this fails, we return 'False'
// Check if we have attributes to search for
if (!string.IsNullOrEmpty(groupGidAttribute) &&
!string.IsNullOrEmpty(groupGidAttributeIU ) )
{
m_logger.DebugFormat("User not found in group, trying GID method");
m_logger.DebugFormat("Using groupGidAttribute '{0}' to search for the GID", groupGidAttribute, target, groupDn);
// Go get the GID for the group
SearchRequest gidReq = new SearchRequest(groupDn, groupGidAttribute+"=*", SearchScope.Base, new string[] { groupGidAttribute });
gidReq.Aliases = (DereferenceAlias)((int)Settings.Store.Dereference);
SearchResponse gidResp = (SearchResponse)m_conn.SendRequest(gidReq);
// Check if we have one, and only one response
if (gidResp.Entries.Count == 1 && gidResp.Entries[0].Attributes[groupGidAttribute].Count == 1)
{
// Put the first answer in a string
string gidForGroup = gidResp.Entries[0].Attributes[groupGidAttribute][0].ToString();
m_logger.DebugFormat("Found GID to be {0}", gidForGroup);
string gidFilter = string.Format("({0}={1})", groupGidAttributeIU, gidForGroup);
string userDN = FindUserDN(user);
m_logger.DebugFormat("Searching in '{0}' for {1} ", userDN, gidFilter);
//Go search to check is user is member
SearchRequest gidIUReq = new SearchRequest(userDN, gidFilter, SearchScope.Base, new string[] { groupGidAttributeIU });
gidIUReq.Aliases = (DereferenceAlias)((int)Settings.Store.Dereference);
SearchResponse gidIUResp = (SearchResponse)m_conn.SendRequest(gidIUReq);
return gidIUResp.Entries.Count > 0;
}
else
{
m_logger.DebugFormat("Could not find the GID ({0}) for group {1}",groupGidAttribute, groupDn);
}
}
//Nothing was found
return false;
}
catch (DirectoryOperationException e)
{
m_logger.ErrorFormat("Error when checking for group membership: {0}", e.Message);
return false;
}
}