From faa75201a1ce46750b23debf765bc182b98cc5d4 Mon Sep 17 00:00:00 2001
From: nuxsmin
Date: Wed, 31 Aug 2016 19:38:41 +0200
Subject: [PATCH] * [FIX] Fixed LDAP group listing issue when there are more than one group with the same name. The first one is picked. Thanks to @eth0h4ckr for the feedback. #264
---
 inc/Auth.class.php | 2 +-
 inc/Ldap.class.php | 44 +++++++++++++++++++++++---------------------
 inc/LdapADS.class.php | 2 +-
 3 files changed, 25 insertions(+), 23 deletions(-)
diff --git a/inc/Auth.class.php b/inc/Auth.class.php
index 3310c83b..2bb58b4a 100644
--- a/inc/Auth.class.php
+++ b/inc/Auth.class.php
@@ -96,7 +96,7 @@ class Auth
 }
 // Comprobamos que el usuario está en el grupo indicado buscando en los atributos del grupo
 } else {
- $ldapGroupAccess = (Ldap::isADS()) ? LdapADS::searchADUserInGroup($userLogin) : Ldap::searchUserInGroup($userDN);
+ $ldapGroupAccess = Ldap::isADS() ? LdapADS::searchADUserInGroup($userLogin) : Ldap::searchUserInGroup($userDN);
 }
 } else {
 $ldapGroupAccess = true;
diff --git a/inc/Ldap.class.php b/inc/Ldap.class.php
index cee1a938..27bfe8df 100644
--- a/inc/Ldap.class.php
+++ b/inc/Ldap.class.php
@@ -125,7 +125,7 @@ class Ldap
 $log = new Log(__FUNCTION__);
 // Habilitar la traza si el modo debug está habilitado
- if (Config::getValue('debug')){
+ if (Config::getValue('debug')) {
 @ldap_set_option(NULL, LDAP_OPT_DEBUG_LEVEL, 7);
 }
@@ -213,9 +213,9 @@ class Ldap
 {
 $log = new Log(__FUNCTION__);
 $groupName = self::getGroupName();
- $filter = ($groupName) ? $groupName : self::$_ldapGroup ;
+ $filter = $groupName ?: self::$_ldapGroup;
 $filter = '(cn=' . $filter . ')';
- $filterAttr = array("dn", "cn");
+ $filterAttr = array('dn', 'cn');
 $searchRes = @ldap_search(self::$_ldapConn, self::$_searchBase, $filter, $filterAttr); 
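Review bot: The CN built into the filter on the `$filter = '(cn=' . $filter . ')';` line is concatenated unescaped, so a group name containing LDAP filter metacharacters (`(`, `)`, `*`, `\`) yields an invalid or over-broad search; the same pattern appears in the `@@ -292` hunk, where `$userLogin` — presumably the name typed at login — is inlined three times into the user filter, and in the `@@ -387` hunk for `$groupDN`. `escapeLdapDN()` (used in `@@ -387`) covers DN syntax, but filter values need filter escaping, e.g. `$filter = '(cn=' . ldap_escape($filter, '', LDAP_ESCAPE_FILTER) . ')';` (available since PHP 5.6). Separately, when `getGroupName()` returns `false` the `?:` fallback passes the whole configured `self::$_ldapGroup` value as a CN, so a group configured as a full DN that the regex does not recognise silently never matches. The enclosing method starts before and ends after this hunk.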
@@ -229,7 +229,7 @@ class Ldap
 throw new \Exception(_('Error al buscar RDN de grupo'));
 }
- if (@ldap_count_entries(self::$_ldapConn, $searchRes) === 1) {
+ if (@ldap_count_entries(self::$_ldapConn, $searchRes) > 0) {
 $ldapSearchData = @ldap_get_entries(self::$_ldapConn, $searchRes);
 if (!$ldapSearchData) {
@@ -241,7 +241,7 @@ class Ldap
 throw new \Exception(_('Error al buscar RDN de grupo'));
 }
- return $ldapSearchData[0]["dn"];
+ return $ldapSearchData[0]['dn'];
 } else {
 $log->addDescription(_('Error al buscar RDN de grupo'));
 $log->addDescription(sprintf('%s: %s', _('Grupo'), $filter));
@@ -252,6 +252,22 @@ class Ldap
 }
 }
+ /**
+ * Obtener el nombre del grupo a partir del CN
+ *
+ * @return bool
+ */
+ private static function getGroupName()
+ {
+ if (isset(self::$_ldapGroup)
+ && preg_match('/^cn=([\w\s\d-]+)(,.*)?$/i', self::$_ldapGroup, $groupName)
+ ) {
+ return $groupName[1];
+ }
+
+ return false;
+ }
+
 /**
 * Comprobar si los parámetros necesario de LDAP están establecidos.
 *
@@ -292,7 +308,7 @@ class Ldap
 $filter = '(&(|(samaccountname=' . $userLogin . ')(cn=' . $userLogin . ')(uid=' . $userLogin . '))(|(objectClass=inetOrgPerson)(objectClass=person)(objectClass=simpleSecurityObject)))';
 }
- $filterAttr = array("dn", "displayname", "samaccountname", "mail", "memberof", "lockouttime", "fullname", "groupmembership", "mail", "sn", "givenname");
+ $filterAttr = array("dn", 'displayname', 'samaccountname', 'mail', 'memberof', 'lockouttime', 'fullname', 'groupmembership', 'mail', 'sn', 'givenname');
 $searchRes = @ldap_search(self::$_ldapConn, self::$_searchBase, $filter, $filterAttr); 
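Review bot: Relaxing the count check to `> 0` means the `return $ldapSearchData[0]['dn'];` line in the `@@ -241` hunk now hands back whichever entry the directory listed first when several groups share the CN, and nothing records that the choice was ambiguous, although this DN decides group-based access in the callers. I would capture the count and log the ambiguity before the existing branch: `$numEntries = @ldap_count_entries(self::$_ldapConn, $searchRes);` then `if ($numEntries > 1) { $log->addDescription(sprintf('%s: %s (%d)', _('Grupo'), $filter, $numEntries)); }` and `if ($numEntries > 0) {`. A sturdier fix, where the configured value is a full DN, would be to resolve that DN directly (an `ldap_read` on it) instead of searching by CN, which removes the ambiguity rather than picking an arbitrary winner. The enclosing method starts before and ends after this hunk.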
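Review bot: The docblock on the new `getGroupName()` declares `@return bool`, but the method returns the captured CN string on success and `false` otherwise, so it should read `@return string|false`. The capture class `[\w\s\d-]` (`\d` is redundant inside `\w`) combined with the missing `u` modifier rejects CNs containing a dot, apostrophe, ampersand or any non-ASCII letter, and in that case the caller falls back to using the whole configured DN as a CN filter value; a capture such as `preg_match('/^cn=([^,]+)(,.*)?$/iu', self::$_ldapGroup, $groupName)` would accept those names (escaped commas in the RDN would still need handling), with escaping of the value left to the caller that builds the filter.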
@@ -387,7 +403,7 @@ class Ldap
 $userDN = self::escapeLdapDN($userDN);
 $filter = '(&(cn=' . $groupDN . ')(|(member=' . $userDN . ')(uniqueMember=' . $userDN . '))(|(objectClass=groupOfNames)(objectClass=groupOfUniqueNames)(objectClass=group)))';
- $filterAttr = array("member", "uniqueMember");
+ $filterAttr = array('member', 'uniqueMember');
 $searchRes = @ldap_search(self::$_ldapConn, self::$_searchBase, $filter, $filterAttr);
@@ -411,20 +427,6 @@ class Ldap
 return true;
 }
- /**
- * Obtener el nombre del grupo a partir del CN
- *
- * @return bool
- */
- private static function getGroupName()
- {
- if (isset(self::$_ldapGroup) && preg_match('/^(cn=[\w\s-]+)(,.*)?$/i', self::$_ldapGroup, $groupName)) {
- return $groupName[1];
- }
-
- return false;
- }
-
 /**
 * Escapar carácteres especiales en el RDN de LDAP.
 *
diff --git a/inc/LdapADS.class.php b/inc/LdapADS.class.php
index 4a895194..ffb7e6f6 100644
--- a/inc/LdapADS.class.php
+++ b/inc/LdapADS.class.php
@@ -97,7 +97,7 @@ class LdapADS extends Ldap
 }
 $filter = '(memberof:1.2.840.113556.1.4.1941:=' . $groupDN . ')';
- $filterAttr = array("sAMAccountName");
+ $filterAttr = array('sAMAccountName');
 $searchRes = @ldap_search(Ldap::$_ldapConn, Ldap::$_searchBase, $filter, $filterAttr);