[root@zbx-web-01 ldap]# diff -u CLdap.php.bak CLdap.php
--- CLdap.php.bak 2024-04-18 10:49:45.181684322 +0000
+++ CLdap.php 2024-04-18 20:53:30.046886862 +0000
@@ -42,6 +42,7 @@
const DEFAULT_FILTER_USER = '(%{attr}=%{user})';
const DEFAULT_FILTER_GROUP = '(%{groupattr}=%{user})';
const DEFAULT_MEMBERSHIP_ATTRIBUTE = 'memberOf';
+ const NESTED_GROUP_FILTER = '(&(sAMAccountName=%{user})(memberOf:1.2.840.113556.1.4.1941:=%{group_dn}))';
/**
* Type of binding made to LDAP server. One of static::BIND_ constant value.
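Review bot: `NESTED_GROUP_FILTER` hard-codes `sAMAccountName` and the matching rule OID 1.2.840.113556.1.4.1941 (LDAP_MATCHING_RULE_IN_CHAIN), which is specific to Active Directory, whereas the neighbouring defaults are built from the `%{attr}` and `%{groupattr}` placeholders. On a directory that does not implement that rule the filter will presumably match nothing or be rejected, and the constant does not say so. I would add a comment above it such as `// AD only: LDAP_MATCHING_RULE_IN_CHAIN resolves transitive (nested) membership; %{group_dn} must be a full group DN.` and consider using the configured search attribute in place of the literal `sAMAccountName`.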
@@ -375,6 +376,11 @@
: $results[$key][0];
}
+ $matched_groups = $this->matchNestedGroups($user['samaccountname']);
+ if(count($matched_groups) > 0) {
+ $user["memberof"] = array_merge($user["memberof"], $matched_groups);
+ }
+
return $user;
}
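Review bot: The nested-group lookup is keyed on `$user['samaccountname']` and its result is merged into `$user["memberof"]` with no check that either key exists; the enclosing function starts outside this hunk, so whether both are always populated cannot be confirmed from here. If `memberof` is missing or is a scalar for a single-valued result, `array_merge()` throws a TypeError on PHP 8, and a missing `samaccountname` passes null to a `string` parameter. The merged list presumably drives group-to-role mapping, so it would be safer to guard the call and de-duplicate, e.g. `if (isset($user['samaccountname'])) { $user['memberof'] = array_values(array_unique(array_merge((array) ($user['memberof'] ?? []), $this->matchNestedGroups($user['samaccountname'])))); }`. Matching on the DN of the entry that was just resolved, rather than on an account name searched under `base_dn`, would also tie the membership result to that exact entry.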
@@ -556,4 +562,19 @@
return $results;
}
+
+ protected function matchNestedGroups(string $user): array {
+ $matched_groups = [];
+
+ foreach ($this->cnf['provision_groups'] as $groupConfig) {
+ $placeholders = ['%{user}' => $user, '%{group_dn}' => $groupConfig['name']];
+ $group_filter = $this->makeFilter(static::NESTED_GROUP_FILTER, $placeholders, LDAP_ESCAPE_FILTER);
+ $search_result = $this->search($this->cnf['base_dn'], $group_filter, [], ['dn']);
+ if ($search_result['count'] > 0) {
+ $matched_groups[] = $groupConfig['name'];
+ }
+ }
+ return $matched_groups;
+ }
+
}
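Review bot: `matchNestedGroups()` iterates `$this->cnf['provision_groups']` without checking that the key is set, so a configuration without provisioning groups would raise a warning on every login; `foreach ($this->cnf['provision_groups'] ?? [] as $groupConfig)` avoids that. Each configured `name` is substituted as `%{group_dn}` under `LDAP_ESCAPE_FILTER`, so only entries that are literal full DNs can match, and any name containing a wildcard is escaped and never matches; that constraint deserves a docblock on the method. The method also issues one subtree search from `base_dn` per configured group on every call, and it reads `$search_result['count']` without handling a failed search, which (if `search()` can return a result without that key) is silently treated as "not a member". That fails closed, which is the right direction for an authorization input, but logging the failure would make a broken lookup distinguishable from a real non-membership.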