This is my initial research and fix for the code in LDAPAuthenticateUser.php. The following code is suspect:
if (!empty($GLOBALS['ldap_config']->settings['ldap_group_attr_req_dn'])
&& $GLOBALS['ldap_config']->settings['ldap_group_attr_req_dn'] == 1) {
$GLOBALS['log']->debug("ldapauth: Checking for group membership using full user dn");
$user_search = "($group_attr=" . $group_user_attr . "=" . $user_uid . "," . $base_dn . ")";
The building of $user_search for doing group search assumes the user is found in the $base_dn OU, which may or may not be the case. This should have the full DN of the user (which may be in a sub-OU of base_dn), not built based on $base_dn.
Also note, the section that fetches user info from Directory is also badly written in the sense that it also uses the BaseDN rather than the users DN path.
What should really happen is the user lookup should happen, the DN is returned, a re-bind with that DN, and that DN manipulated (by way of removing the leading uid, CN or whatever) to provide the LDAP directory (or container) to make group checks and anything else with…
Not probably the best way to fix it, but I added:
// My code added
preg_match('/.*?\,(.*)/', $bind_user, $matches);
$GLOBALS['log']->debug("User Search DN: $matches[1]");
$my_dn = $matches[1];
I added that to just before the following:
if ($bind) {
// Authentication succeeded, get info from LDAP directoryI had to change $bind_dn to $my_dn in two place below this code:
$result = @ldap_search($ldapconn, $bind_dn, $name_filter, $attrs);becomes
$result = @ldap_search($ldapconn, $my_dn, $name_filter, $attrs);and
$user_search = "($group_attr=" . $group_user_attr . "=" . $user_uid . "," . $my_dn . ")";becomes
$user_search = "($group_attr=" . $group_user_attr . "=" . $user_uid . "," . $my_dn . ")";Hope this helps someone use the groups