|
|
@ -185,6 +185,20 @@ class UsersController extends LDAPController {
|
|
|
|
return this.ldap_server.auth_dn()
|
|
|
|
return this.ldap_server.auth_dn()
|
|
|
|
}
|
|
|
|
}
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
parse_iam_targets(filter, target_ids = []) {
|
|
|
|
|
|
|
|
if ( Array.isArray(filter?.filters) ) {
|
|
|
|
|
|
|
|
for ( const sub_filter of filter.filters ) {
|
|
|
|
|
|
|
|
target_ids = [...target_ids, ...this.parse_iam_targets(sub_filter)]
|
|
|
|
|
|
|
|
}
|
|
|
|
|
|
|
|
} else if ( filter?.attribute ) {
|
|
|
|
|
|
|
|
if ( filter.attribute === 'iamtarget' ) {
|
|
|
|
|
|
|
|
target_ids.push(filter.value)
|
|
|
|
|
|
|
|
}
|
|
|
|
|
|
|
|
}
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
return target_ids
|
|
|
|
|
|
|
|
}
|
|
|
|
|
|
|
|
|
|
|
|
// TODO flitter-orm chunk query
|
|
|
|
// TODO flitter-orm chunk query
|
|
|
|
// TODO generalize scoped search logic
|
|
|
|
// TODO generalize scoped search logic
|
|
|
|
async search_people(req, res, next) {
|
|
|
|
async search_people(req, res, next) {
|
|
|
@ -192,6 +206,7 @@ class UsersController extends LDAPController {
|
|
|
|
return next(new LDAP.InsufficientAccessRightsError())
|
|
|
|
return next(new LDAP.InsufficientAccessRightsError())
|
|
|
|
}
|
|
|
|
}
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
const iam_targets = this.parse_iam_targets(req.filter)
|
|
|
|
if ( req.scope === 'base' ) {
|
|
|
|
if ( req.scope === 'base' ) {
|
|
|
|
// If scope is base, check if the base DN matches the filter.
|
|
|
|
// If scope is base, check if the base DN matches the filter.
|
|
|
|
// If so, return it. Else, return empty.
|
|
|
|
// If so, return it. Else, return empty.
|
|
|
@ -200,17 +215,17 @@ class UsersController extends LDAPController {
|
|
|
|
const user = await this.get_resource_from_dn(req.dn)
|
|
|
|
const user = await this.get_resource_from_dn(req.dn)
|
|
|
|
|
|
|
|
|
|
|
|
// Make sure the user is ldap visible && match the filter
|
|
|
|
// Make sure the user is ldap visible && match the filter
|
|
|
|
if ( user && user.ldap_visible && req.filter.matches(await user.to_ldap()) ) {
|
|
|
|
if ( user && user.ldap_visible && req.filter.matches(await user.to_ldap(iam_targets)) ) {
|
|
|
|
|
|
|
|
|
|
|
|
// If so, send the object
|
|
|
|
// If so, send the object
|
|
|
|
res.send({
|
|
|
|
res.send({
|
|
|
|
dn: user.dn,//.format(this.configs.get('ldap:server.format')),
|
|
|
|
dn: user.dn,//.format(this.configs.get('ldap:server.format')),
|
|
|
|
attributes: await user.to_ldap(),
|
|
|
|
attributes: await user.to_ldap(iam_targets),
|
|
|
|
})
|
|
|
|
})
|
|
|
|
|
|
|
|
|
|
|
|
this.output.debug({
|
|
|
|
this.output.debug({
|
|
|
|
dn: user.dn.format(this.configs.get('ldap:server.format')),
|
|
|
|
dn: user.dn.format(this.configs.get('ldap:server.format')),
|
|
|
|
attributes: await user.to_ldap(),
|
|
|
|
attributes: await user.to_ldap(iam_targets),
|
|
|
|
})
|
|
|
|
})
|
|
|
|
} else {
|
|
|
|
} else {
|
|
|
|
this.output.debug(`User base search failed: either user not found, not visible, or filter mismatch`)
|
|
|
|
this.output.debug(`User base search failed: either user not found, not visible, or filter mismatch`)
|
|
|
@ -229,12 +244,12 @@ class UsersController extends LDAPController {
|
|
|
|
if ( req.dn.equals(user.dn) || user.dn.parent().equals(req.dn) ) {
|
|
|
|
if ( req.dn.equals(user.dn) || user.dn.parent().equals(req.dn) ) {
|
|
|
|
|
|
|
|
|
|
|
|
// Check if the filter matches
|
|
|
|
// Check if the filter matches
|
|
|
|
if ( req.filter.matches(await user.to_ldap()) ) {
|
|
|
|
if ( req.filter.matches(await user.to_ldap(iam_targets)) ) {
|
|
|
|
|
|
|
|
|
|
|
|
// If so, send the object
|
|
|
|
// If so, send the object
|
|
|
|
res.send({
|
|
|
|
res.send({
|
|
|
|
dn: user.dn,//.format(this.configs.get('ldap:server.format')),
|
|
|
|
dn: user.dn,//.format(this.configs.get('ldap:server.format')),
|
|
|
|
attributes: await user.to_ldap(),
|
|
|
|
attributes: await user.to_ldap(iam_targets),
|
|
|
|
})
|
|
|
|
})
|
|
|
|
}
|
|
|
|
}
|
|
|
|
}
|
|
|
|
}
|
|
|
@ -253,12 +268,12 @@ class UsersController extends LDAPController {
|
|
|
|
if ( req.dn.equals(user.dn) || req.dn.parentOf(user.dn) ) {
|
|
|
|
if ( req.dn.equals(user.dn) || req.dn.parentOf(user.dn) ) {
|
|
|
|
|
|
|
|
|
|
|
|
// Check if filter matches
|
|
|
|
// Check if filter matches
|
|
|
|
if ( req.filter.matches(await user.to_ldap()) ) {
|
|
|
|
if ( req.filter.matches(await user.to_ldap(iam_targets)) ) {
|
|
|
|
|
|
|
|
|
|
|
|
// If so, send the object
|
|
|
|
// If so, send the object
|
|
|
|
res.send({
|
|
|
|
res.send({
|
|
|
|
dn: user.dn,//.format(this.configs.get('ldap:server.format')),
|
|
|
|
dn: user.dn,//.format(this.configs.get('ldap:server.format')),
|
|
|
|
attributes: await user.to_ldap(),
|
|
|
|
attributes: await user.to_ldap(iam_targets),
|
|
|
|
})
|
|
|
|
})
|
|
|
|
}
|
|
|
|
}
|
|
|
|
}
|
|
|
|
}
|
|
|
|