[ZendTo] Issue with AD authentication and authLDAPMemberRole

M A Young m.a.young at durham.ac.uk
Thu Mar 29 16:25:44 BST 2018


I have been testing zendto 5 for a possible update of our zendto server. 
We currently use AD authentication and set 'authLDAPMemberKey' and 
'authLDAPMemberRole' to limit access, which doesn't work in zendto 5.

After looking at the code I traced the problem to the code block

              // This will make it search nested groups properly.
              // The magic number is the LDAP_MATCHING_RULE_IN_CHAIN oid.
              // https://msdn.microsoft.com/en-us/library/aa746475(v=vs.85).aspx
              $filter = "(&(objectClass=group)(member:1.2.840.113556.1.4.1941:=$ldapDN))";
              $search = ldap_search($ldapConn, $ldapBase, $filter);
              if ($search && ($groups = ldap_get_entries($ldapConn, $search))) {
                foreach ($groups as $group) {
                  $groupDN = $group['dn'];
                  if (strtolower($groupDN) === $this->_ldapMemberRole) {
                    $authorisationPassed = TRUE;
                  }
                }
              }

which occurs twice. It doesn't work for us because the LDAP base for 
people and for groups is different for us, so it doesn't find any groups 
and the group test fails. Would it be possible to set the group base in 
the preferences.php file, e.g. authLDAPGroupBaseDN1, so the code covers this 
possibility? It could default to the standard LDAP base if not set.

I also noticed that the group search is inefficient because it fetches the 
whole contents of the matching groups (which could include long lists of 
members of the groups) when we only care about the DN. We could limit this 
just to the dn with the next argument to the ldap_search line, so it would 
become something like

$search = ldap_search($ldapConn, $ldapGroupBase, $filter, array('dn'));

I might be able to put together a patch if these changes sound like a good 
idea.

	Michael Young
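
The two changes proposed above (a separate group base DN and a DN-only attribute list), as an added example that is not ZendTo code or part of the original post; the preference names authLDAPGroupBaseDN1 and authLDAPBaseDN1 and the function names are assumed.

```php
<?php
// Added example (not ZendTo code): nested-group authorisation check with a
// configurable group base DN and a DN-only attribute list.
// Assumed preference names: authLDAPGroupBaseDN1 (new) and authLDAPBaseDN1.

// Group search base: fall back to the people base when the new key is unset.
function ldapGroupBase(array $prefs): string {
    return !empty($prefs['authLDAPGroupBaseDN1'])
        ? $prefs['authLDAPGroupBaseDN1']
        : $prefs['authLDAPBaseDN1'];
}

// Returns TRUE when $ldapDN is a direct or nested member of the group whose
// DN is $memberRole (the authLDAPMemberRole value), FALSE otherwise.
function checkNestedGroupMembership($ldapConn, string $ldapDN, string $groupBase, string $memberRole): bool {
    // Escape the user's DN before embedding it in the filter so that special
    // characters in a DN cannot alter the filter's structure.
    $safeDN = ldap_escape($ldapDN, '', LDAP_ESCAPE_FILTER);
    // LDAP_MATCHING_RULE_IN_CHAIN (AD-specific) expands nested groups server-side.
    $filter = "(&(objectClass=group)(member:1.2.840.113556.1.4.1941:=$safeDN))";
    // Request only the DN: avoids transferring every matching group's member list.
    $search = @ldap_search($ldapConn, $groupBase, $filter, array('dn'));
    if ($search === FALSE) {
        return FALSE;   // search error (bad base, permissions, ...) => no access
    }
    $groups = ldap_get_entries($ldapConn, $search);
    if ($groups === FALSE || $groups['count'] === 0) {
        return FALSE;
    }
    $wanted = strtolower($memberRole);
    // ldap_get_entries() returns a 'count' key plus numeric entries; iterate by
    // index so the 'count' element is never treated as a group.
    for ($i = 0; $i < $groups['count']; $i++) {
        if (strtolower($groups[$i]['dn']) === $wanted) {
            return TRUE;
        }
    }
    return FALSE;
}

// Usage sketch (assumes $ldapConn is an already-bound connection and $prefs
// is the preferences.php array):
// $authorisationPassed = checkNestedGroupMembership(
//     $ldapConn, $ldapDN, ldapGroupBase($prefs), $prefs['authLDAPMemberRole']);
```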


More information about the ZendTo mailing list