| public MemberOfGroup ( string user, string group ) : bool | ||
| user | string | |
| group | string | |
| Результат | bool | |
public bool MemberOfGroup(string user, string group)
{
string groupDn = Settings.Store.GroupDnPattern;
string groupAttribute = Settings.Store.GroupMemberAttrib;
string groupGidAttribute = Settings.Store.GroupGidAttrib;
string groupGidAttributeIU = Settings.Store.GroupGidAttribIU;
if (string.IsNullOrEmpty(groupDn))
throw new Exception("Can't resolve group DN, group DN pattern missing.");
if (string.IsNullOrEmpty(groupAttribute))
throw new Exception("Can't resolve group membership, group attribute missing.");
groupDn = Regex.Replace(groupDn, @"\%g", group);
string target = user;
// If the group attribute is "uniqueMember" or "member" then the LDAP server
// is using groupOfUniqueNames or groupOfNames object class. The group
// list uses full DNs instead of just uids, so we need to expand the
// username to the full DN.
if (groupAttribute.Equals("uniqueMember", StringComparison.CurrentCultureIgnoreCase) ||
groupAttribute.Equals("member", StringComparison.CurrentCultureIgnoreCase))
{
// Try to generate the full DN for the user.
m_logger.DebugFormat("Attempting to generate DN for user {0}", user);
target = this.GetUserDN(user);
if (target == null)
{
m_logger.Error("Unable to generate DN for user, using username.");
target = user;
}
}
string filter = string.Format("({0}={1})", groupAttribute, target);
m_logger.DebugFormat("Searching for group membership, DN: {0} Filter: {1}", groupDn, filter);
try
{
// Basic group check
SearchRequest req = new SearchRequest(groupDn, filter, SearchScope.Base, new string[] {"dn"});
req.Aliases = (DereferenceAlias)((int)Settings.Store.Dereference);
SearchResponse resp = (SearchResponse)m_conn.SendRequest(req);
if( resp.Entries.Count > 0)
{
return true;
}
//We go and search for the GID of a group and see if the user has this GID set to.
//A group should only have 1 GID set, a user can have more than 1.
//We only check this if the user provides us with Attributes.
//We need not use this method if the user was allready found using the default way above.
//If this fails, we return 'False'
// Check if we have attributes to search for
if (!string.IsNullOrEmpty(groupGidAttribute) &&
!string.IsNullOrEmpty(groupGidAttributeIU ) )
{
m_logger.DebugFormat("User not found in group, trying GID method");
m_logger.DebugFormat("Using groupGidAttribute '{0}' to search for the GID", groupGidAttribute, target, groupDn);
// Go get the GID for the group
SearchRequest gidReq = new SearchRequest(groupDn, groupGidAttribute+"=*", SearchScope.Base, new string[] { groupGidAttribute });
gidReq.Aliases = (DereferenceAlias)((int)Settings.Store.Dereference);
SearchResponse gidResp = (SearchResponse)m_conn.SendRequest(gidReq);
// Check if we have one, and only one response
if (gidResp.Entries.Count == 1 && gidResp.Entries[0].Attributes[groupGidAttribute].Count == 1)
{
// Put the first answer in a string
string gidForGroup = gidResp.Entries[0].Attributes[groupGidAttribute][0].ToString();
m_logger.DebugFormat("Found GID to be {0}", gidForGroup);
string gidFilter = string.Format("({0}={1})", groupGidAttributeIU, gidForGroup);
string userDN = FindUserDN(user);
m_logger.DebugFormat("Searching in '{0}' for {1} ", userDN, gidFilter);
//Go search to check is user is member
SearchRequest gidIUReq = new SearchRequest(userDN, gidFilter, SearchScope.Base, new string[] { groupGidAttributeIU });
gidIUReq.Aliases = (DereferenceAlias)((int)Settings.Store.Dereference);
SearchResponse gidIUResp = (SearchResponse)m_conn.SendRequest(gidIUReq);
return gidIUResp.Entries.Count > 0;
}
else
{
m_logger.DebugFormat("Could not find the GID ({0}) for group {1}",groupGidAttribute, groupDn);
}
}
//Nothing was found
return false;
}
catch (DirectoryOperationException e)
{
m_logger.ErrorFormat("Error when checking for group membership: {0}", e.Message);
return false;
}
}
public BooleanResult AuthenticatedUserGateway(SessionProperties properties)
{
m_logger.Debug("LDAP Plugin Gateway");
List <string> addedGroups = new List <string>();
LdapServer serv = properties.GetTrackedSingle <LdapServer>();
// If the server is unavailable, we go ahead and succeed anyway.
if (serv == null)
{
m_logger.ErrorFormat("AuthenticatedUserGateway: Internal error, LdapServer object not available.");
return(new BooleanResult()
{
Success = true,
Message = "LDAP server not available"
});
}
try
{
UserInformation userInfo = properties.GetTrackedSingle <UserInformation>();
string user = userInfo.Username;
List <GroupGatewayRule> rules = GroupRuleLoader.GetGatewayRules();
bool boundToServ = false;
foreach (GroupGatewayRule rule in rules)
{
bool inGroup = false;
// Don't need to check for group membership if the rule is to be always applied.
if (rule.RuleCondition != GroupRule.Condition.ALWAYS)
{
// If we haven't bound to server yet, do so.
if (!boundToServ)
{
serv.BindForSearch();
boundToServ = true;
}
inGroup = serv.MemberOfGroup(user, rule.Group);
m_logger.DebugFormat("User {0} {1} member of group {2}", user, inGroup ? "is" : "is not",
rule.Group);
}
if (rule.RuleMatch(inGroup))
{
m_logger.InfoFormat("Adding user {0} to local group {1}, due to rule \"{2}\"",
user, rule.LocalGroup, rule.ToString());
addedGroups.Add(rule.LocalGroup);
userInfo.AddGroup(new GroupInformation()
{
Name = rule.LocalGroup
});
}
}
}
catch (Exception e)
{
m_logger.ErrorFormat("Error during gateway: {0}", e);
// Error does not cause failure
return(new BooleanResult()
{
Success = true, Message = e.Message
});
}
string message = "";
if (addedGroups.Count > 0)
{
message = string.Format("Added to groups: {0}", string.Join(", ", addedGroups));
}
else
{
message = "No groups added.";
}
return(new BooleanResult()
{
Success = true, Message = message
});
}
