diff --git a/lib/SP/Providers/Auth/Ldap/LdapActions.php b/lib/SP/Providers/Auth/Ldap/LdapActions.php
index 1f43476b..e81a9e7e 100644
--- a/lib/SP/Providers/Auth/Ldap/LdapActions.php
+++ b/lib/SP/Providers/Auth/Ldap/LdapActions.php
@@ -159,7 +159,7 @@ final class LdapActions
 *
 * @return bool|array
 */
- protected function getResults($filter, array $attributes = null)
+ protected function getResults($filter, array $attributes = null, $searchBase = null)
 {
 $cookie = '';
 $results = [];
@@ -167,8 +167,11 @@ final class LdapActions
 do {
 ldap_control_paged_result($this->ldapHandler, 1000, false, $cookie);
- $searchRes = @ldap_search($this->ldapHandler, $this->ldapParams->getSearchBase(), $filter, $attributes);
-
+ if (empty($searchBase)) {
+ $searchBase = $this->ldapParams->getSearchBase();
+ }
+ $searchRes = @ldap_search($this->ldapHandler, $searchBase, $filter, $attributes);
+
 if (!$searchRes) {
 return false;
 }
@@ -249,9 +252,9 @@ final class LdapActions
 * @return array
 * @throws LdapException
 */
- public function getObjects($filter, array $attributes = self::USER_ATTRIBUTES)
+ public function getObjects($filter, array $attributes = self::USER_ATTRIBUTES, $searchBase = null)
 {
- $searchResults = $this->getResults($filter, $attributes);
+ $searchResults = $this->getResults($filter, $attributes, $searchBase);
 if ($searchResults === false) {
 $this->eventDispatcher->notifyEvent('ldap.search',
diff --git a/lib/SP/Providers/Auth/Ldap/LdapMsAds.php b/lib/SP/Providers/Auth/Ldap/LdapMsAds.php
index c51d2290..22324242 100644
--- a/lib/SP/Providers/Auth/Ldap/LdapMsAds.php
+++ b/lib/SP/Providers/Auth/Ldap/LdapMsAds.php
@@ -116,7 +116,7 @@ final class LdapMsAds extends Ldap
 return true;
 }
- return $this->checkUserInGroupByFilter($userLogin);
+ return $this->checkUserInGroupByFilter($userLogin, $userDn);
 }
 /**
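Review bot: The new `$searchBase` parameter of getResults is untyped and has no docblock entry, and the `empty($searchBase)` fallback is re-evaluated on every iteration of the paging loop in the `@@ -167,8 +167,11 @@` hunk; the `@param` lines of the docblock sit above the hunk, so I can only see that the closing `*/` is not preceded by one for the new parameter. I would declare it as `?string $searchBase = null`, add `@param string|null $searchBase Base DN to search under; an empty value falls back to the configured search base`, and hoist the fallback above `do {` as `$searchBase = $searchBase ?: $this->ldapParams->getSearchBase();`. The same missing `@param` and type apply to the `$searchBase` added to getObjects in the `@@ -249,9 +252,9 @@` hunk. Because an empty base silently widens the search to the whole configured base, any caller that passes a DN in order to scope a query to one entry has to guarantee it is never empty; the body of getResults continues past the hunk.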
@@ -125,17 +125,14 @@ final class LdapMsAds extends Ldap
 * @return bool
 * @throws LdapException
 */
- private function checkUserInGroupByFilter(string $userLogin): bool
+ private function checkUserInGroupByFilter(string $userLogin, string $userDn): bool
 {
 $groupDn = $this->getGroupDn();
-
- $filter = '(&(|'
- . LdapUtil::getAttributesForFilter(self::FILTER_USER_ATTRIBUTES, $userLogin)
- . ')(|'
+ $filter = '(|'
 . LdapUtil::getAttributesForFilter(self::FILTER_GROUP_ATTRIBUTES, $groupDn)
- . '))';
+ . ')';
- $searchResults = $this->ldapActions->getObjects($filter, ['dn']);
+ $searchResults = $this->ldapActions->getObjects($filter, ['dn'], $userDn);
 if (isset($searchResults['count']) && (int)$searchResults['count'] === 0
diff --git a/lib/SP/Providers/Auth/Ldap/LdapMsAzureAd.php b/lib/SP/Providers/Auth/Ldap/LdapMsAzureAd.php
index 4454484b..ededc16c 100644
--- a/lib/SP/Providers/Auth/Ldap/LdapMsAzureAd.php
+++ b/lib/SP/Providers/Auth/Ldap/LdapMsAzureAd.php
@@ -116,7 +116,7 @@ final class LdapMsAzureAd extends Ldap
 return true;
 }
- return $this->checkUserInGroupByFilter($userLogin);
+ return $this->checkUserInGroupByFilter($userLogin, $userDn);
 }
 /**
@@ -125,17 +125,15 @@ final class LdapMsAzureAd extends Ldap
 * @return bool
 * @throws LdapException
 */
- private function checkUserInGroupByFilter(string $userLogin): bool
+ private function checkUserInGroupByFilter(string $userLogin, string $userDn): bool
 {
 $groupDn = $this->getGroupDn();
- $filter = '(&(|'
- . LdapUtil::getAttributesForFilter(self::FILTER_USER_ATTRIBUTES, $userLogin)
- . ')(|'
+ $filter = '(|'
 . LdapUtil::getAttributesForFilter(self::FILTER_GROUP_ATTRIBUTES, $groupDn)
- . '))';
+ . ')';
- $searchResults = $this->ldapActions->getObjects($filter, ['dn']);
+ $searchResults = $this->ldapActions->getObjects($filter, ['dn'], $userDn);
 if (isset($searchResults['count']) && (int)$searchResults['count'] === 0
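Review bot: With the user-attribute clause dropped from the filter, the membership check in checkUserInGroupByFilter now rests entirely on `$userDn` being the search base: if an empty string ever reaches it, getResults in LdapActions falls back to the configured search base and the group-only filter matches every member of the group, so `count > 0` would report membership for a user who is not in it. Where `$userDn` is produced is outside this hunk, so I would guard it at the top of the method, `if ($userDn === '') { return false; }` (or throw an LdapException), rather than rely on every caller. ldap_search is a subtree search, so an entry below the user's DN that carries the group attribute would also count; that is presumably harmless for AD user objects, but a base-scope `ldap_read` would express "does this one entry carry the attribute" exactly if getResults could take a scope. `$userLogin` no longer appears in the visible lines; if the rest of the method, which continues past the hunk, does not use it either, drop the parameter. The same points apply to the identical `@@ -125,17 +125,15 @@` hunk in LdapMsAzureAd.php.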