1.1.16

robin.kluth · robin.kluth · commit 08927a1f3c3b · 2020-10-08T07:11:11.000+02:00
* New option to let `searchUser` filter output by checking `sidHistory`
diff --git a/README.md b/README.md
@@ -12,6 +12,7 @@ This extensions adds a simple LDAP-Auth mechanism for your yii2 application
 * User login via LDAP
 * Read self defined LDAP attributes
 * Domain autodetection based on IPFilter.
+* Filter out results by checking every results `sidHistory`
 
 ## Installation
 
@@ -30,6 +31,7 @@ Either you use it as standalone or add this as component:
    'components' => [
       'ldap' => [
             'class' => 'commifreak\yii2\LdapAuth',
+            'filterBySidhistory' => false, // Filter by checking sidHistory?
             'domains' => [
                 ['name' => 'Domain1', 'hostname' => 'domain1.tld', 'autodetectIps' => ['172.31.0.0/16', '192.168.178.0/24', '127.0.0.1'], 'baseDn' => 'DC=Domain1,DC=tld', 'publicSearchUser' => 'example@domain', 'publicSearchUserPassword' => 'secret'],
                 ['name' => 'Domain2', 'hostname' => '192.168.178.14', 'autodetectIps' => ['192.168.178.55'], 'baseDn' => 'DC=Domain2,DC=tld', 'publicSearchUser' => 'example@domain', 'publicSearchUserPassword' => 'secret'],
@@ -40,7 +42,7 @@ Either you use it as standalone or add this as component:
 ]
 ```
 
-You can omit `autodetectIps` if you dont want Ips for a specific domain.
+You can omit `autodetectIps` if you don't want Ips for a specific domain.
 
 __Attention!__ You need to define `baseDn`. This defines the baseDN in where the function will search for the user data!
 
diff --git a/src/LdapAuth.php b/src/LdapAuth.php
@@ -32,6 +32,18 @@ class LdapAuth
         ],
     ];
 
+    /**
+     * If false (default) any user search would return the whole result.
+     * If true, the script checks every users sidHistory and only return results which are newer (migrated).
+     * A use case for `true`: You have two domains and user "Foo" was copied from Domain 1 to Domain 2 without deleting it from Domain 1 - now you have 2 results for a search "Foo", but the entry in Domain 2 has a set "sidHistory" with its sid from Domain 1.
+     * Setting this tp true will filter out the "Foo" from Domain 1, since its sid is listed in the Domain 2 entry of it.
+     *
+     * @see https://docs.microsoft.com/en-us/windows/win32/adschema/a-sidhistory
+     * @see https://ldapwiki.com/wiki/SIDHistory
+     * @var bool
+     */
+    public $filterBySidhistory = false;
+
     private $_ldapBaseDn;
     private $_l;
     private $_username;
@@ -268,12 +280,34 @@ public function searchUser($searchFor, $attributes = "", $searchFilter = "", $au
                     }
                     $sid = self::SIDtoString($entry['objectsid'])[0];
                     $sidHistory = isset($entry['sidhistory']) ? self::SIDtoString($entry['sidhistory']) : null;
+
+
+                    if ($this->filterBySidhistory) {
+                        // Check if this user is maybe already listed in the results - ifo so, determine which one is newer
+                        foreach ($return as $_sid => $_data) {
+                            if (!empty($_data['sidhistory']) && in_array($sid, $_data['sidhistory'])) {
+                                Yii::debug('This user is listed in another users history - skipping');
+                                continue 2;
+                            }
+                        }
+
+                        if ($sidHistory) {
+                            foreach ($sidHistory as $item) {
+                                if (array_key_exists($item, $return)) {
+                                    Yii::debug('User already exists with its sidhistory in results! Unsetting the old entry...');
+                                    unset($return[$item]);
+                                }
+                            }
+                        }
+                    }
+
+
                     $additionalData = ['sid' => $sid, 'sidhistory' => $sidHistory, 'dn' => $entry['dn'], 'domainKey' => $i];
                     if (count($this->domains) > 1) {
                         // Enable domainName output if more than one domains configured
                         $additionalData['domainName'] = $this->domains[$i]['name'];
                     }
-                    array_push($return, array_merge($additionalData, self::handleEntry($entry)));
+                    $return[$sid] = array_merge($additionalData, self::handleEntry($entry));
                 }
             }
             $i++;
