t3ext-ig_ldap_sso_auth
Several Suggestions for improvement
We have a fairly complex LDAP structure, but not an unusual one. As far as I know it is a common structure for OpenLDAP, but it's one that is not fully supported by this plugin.
```
dc=example,dc=com/
├─ ou=IT-Services/
│  ├─ ou=WWW/
│  │  ├─ ou=group1/
│  │  │  ├─ ou=typo3/
│  │  │  │  ├─ ou=be/
│  │  │  │  │  ├─ cn=John Doe (alias to cn=John Doe,ou=People,dc=example,dc=com)
├─ ou=People/
│  ├─ cn=John Doe
```
This structure poses some issues. Here is our partial configuration, but it does not work without changes to the code base.
BE_USERS

- Base DN: `ou=People,dc=example,dc=com`
- Filter: `(&(objectClass=shadowAccount)(uid={USERNAME}))`
- Mapping:

```
realName = <displayname>
email = <mailAddressbook>
username = <uid>
```

BE_GROUPS

- Base DN: `ou=WWW,ou=IT-Services,dc=example,dc=com`
- Filter: `(&(objectClass=alias)(aliasedObjectName={USERDN})(ou:dn:=typo3)(ou:dn:=be))`
- Mapping:

```
tx_igldapssoauth_dn {
  data = field:dn
  replacement.10 {
    search = #cn=.+,ou=be,ou=typo3,(ou=.+)#
    replace = ${1}
    useRegExp = 1
  }
}
title {
  data = field:dn
  replacement.10 {
    search = #(cn=.+,ou=be,ou=typo3,)?ou=(.+),ou=WWW,ou=IT-Services,dc=example,dc=com#
    replace = ${2}
    useRegExp = 1
  }
}
```
I found the following issues:
- An option for following aliases is necessary. Then, instead of filtering for all BE_USERS (we have over 10k and there is a hard stop of 2k in the code), I could just filter for the ones which are in groups, since these are the only ones that have access to TYPO3. Additionally, a filter for duplicates is necessary, as a user can be in many groups. Sorting by name in the end would be nice too.
- Not all groups are displayed (only 500 of 570) because pagination is missing in the groups code.
- Because of our filter to map the groups to users, groups are duplicated per member and need to be filtered. Sorting by name would be nice too.
- Existing groups are not recognised because the name has to be extracted using TypoScript. This extraction happens after the check whether the group already exists locally. In the Import LDAP groups (Backend) table, title and DN look correct, but nothing is marked green, and importing creates a new group although it already exists.
I'm willing to adapt my previous PR #209 to the new version if you are interested.
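As an added example (not code from the issue author and not part of ig_ldap_sso_auth), here is what the four points above look like in plain PHP ext-ldap: a paged search so the server's size limit no longer truncates the 570 groups, per-call alias dereferencing so the users with an alias under `ou=be,ou=typo3` can be fetched from the group subtree instead of scanning all of `ou=People`, de-duplication by DN, and title extraction from the DN with the issue's own regexes before any local lookup, sorted by name. It assumes PHP 7.3 or later (paged-results control support); the base DNs, filters and regexes are taken from the issue, the sample alias entries are constructed, and the host and bind DN in the commented live-directory section are invented.

```php
<?php
declare(strict_types=1);
// Added example, not part of ig_ldap_sso_auth or of the issue. Assumes PHP >= 7.3
// with ext-ldap (LDAP_CONTROL_PAGEDRESULTS). Base DNs, filters and regexes are the
// issue's; the sample entries below are constructed; host and bind DN are invented.

const USER_BASE_DN  = 'ou=People,dc=example,dc=com';
const GROUP_BASE_DN = 'ou=WWW,ou=IT-Services,dc=example,dc=com';
// The issue's BE_GROUPS filter without the per-user aliasedObjectName clause:
// every alias entry under ou=be,ou=typo3 (one entry per member per group).
const ALL_GROUPS_FILTER = '(&(objectClass=alias)(ou:dn:=typo3)(ou:dn:=be))';
// Same patterns as the issue's TypoScript replacements.
const GROUP_DN_REGEX = '#^cn=.+,ou=be,ou=typo3,(ou=.+)$#';
const TITLE_REGEX    = '#(cn=.+,ou=be,ou=typo3,)?ou=(.+),ou=WWW,ou=IT-Services,dc=example,dc=com#';

/**
 * The issue's BE_USERS filter with {USERNAME} substituted. ldap_escape() keeps a
 * user-supplied name such as "*" or ")(uid=admin" from rewriting the filter.
 */
function userFilter(string $username): string
{
    return sprintf('(&(objectClass=shadowAccount)(uid=%s))', ldap_escape($username, '', LDAP_ESCAPE_FILTER));
}

/**
 * Search with the simple paged results control (RFC 2696), so a server size limit
 * (500 in the issue) no longer silently truncates the result, with the alias
 * dereferencing mode chosen per call.
 *
 * @param resource|\LDAP\Connection $ds  bound connection
 * @return list<array<string,mixed>>       entries as returned by ldap_get_entries()
 */
function pagedSearch($ds, string $baseDn, string $filter, array $attrs, int $deref, int $pageSize = 500): array
{
    $entries = [];
    $cookie = '';
    do {
        $result = ldap_search($ds, $baseDn, $filter, $attrs, 0, -1, -1, $deref, [
            ['oid' => LDAP_CONTROL_PAGEDRESULTS, 'value' => ['size' => $pageSize, 'cookie' => $cookie]],
        ]);
        if ($result === false) {
            throw new RuntimeException('ldap_search failed: ' . ldap_error($ds));
        }
        ldap_parse_result($ds, $result, $errcode, $matchedDn, $errmsg, $referrals, $controls);
        foreach (ldap_get_entries($ds, $result) as $key => $entry) {
            if ($key !== 'count') {
                $entries[] = $entry;
            }
        }
        // An empty cookie means the server has delivered the last page.
        $cookie = $controls[LDAP_CONTROL_PAGEDRESULTS]['value']['cookie'] ?? '';
    } while ($cookie !== '');
    return $entries;
}

/** Collapse one-hit-per-alias results to unique entries keyed by DN. */
function uniqueByDn(array $entries): array
{
    $byDn = [];
    foreach ($entries as $entry) {
        $byDn[$entry['dn']] = $entry; // a user aliased from several groups lands here once
    }
    return $byDn;
}

/**
 * Alias entries -> unique groups (group DN => title). The title is extracted from
 * the DN first, so a later "does this group exist locally?" check compares the
 * right name; duplicates per member collapse on the DN key; output sorted by title.
 */
function collectGroups(array $aliasEntries): array
{
    $groups = [];
    foreach ($aliasEntries as $entry) {
        $groupDn = preg_replace(GROUP_DN_REGEX, '$1', $entry['dn']);
        if (!preg_match(TITLE_REGEX, $groupDn, $m)) {
            continue; // not under ou=WWW: skip rather than import a nameless group
        }
        $groups[$groupDn] = $m[2];
    }
    asort($groups, SORT_NATURAL | SORT_FLAG_CASE);
    return $groups;
}

// Constructed sample: group1 appears twice (two members), editors once.
$sampleAliases = [
    ['dn' => 'cn=John Doe,ou=be,ou=typo3,ou=group1,ou=WWW,ou=IT-Services,dc=example,dc=com'],
    ['dn' => 'cn=Jane Roe,ou=be,ou=typo3,ou=group1,ou=WWW,ou=IT-Services,dc=example,dc=com'],
    ['dn' => 'cn=John Doe,ou=be,ou=typo3,ou=editors,ou=WWW,ou=IT-Services,dc=example,dc=com'],
];
print_r(collectGroups($sampleAliases));

// Against a live directory (hypothetical host and bind DN):
// $ds = ldap_connect('ldaps://ldap.example.com');
// ldap_set_option($ds, LDAP_OPT_PROTOCOL_VERSION, 3);
// ldap_bind($ds, 'cn=reader,dc=example,dc=com', getenv('LDAP_PASSWORD'));
// // Groups: the alias entries themselves are wanted, so do NOT dereference.
// $groups = collectGroups(pagedSearch($ds, GROUP_BASE_DN, ALL_GROUPS_FILTER, ['dn'], LDAP_DEREF_NEVER));
// // Users: search the group subtree and let the server follow the aliases to the
// // real ou=People entries, so only users with TYPO3 access come back; then dedupe.
// $users = uniqueByDn(pagedSearch($ds, GROUP_BASE_DN, '(objectClass=shadowAccount)',
//     ['uid', 'displayname', 'mailAddressbook'], LDAP_DEREF_SEARCHING));
```

The two dereferencing modes are the point: with `LDAP_DEREF_NEVER` the group search returns the alias entries under `ou=be,ou=typo3` (the DNs the TypoScript regexes expect), while `LDAP_DEREF_SEARCHING` on the same base makes the server return the aliased `ou=People` entries instead, which is the "only users who are in groups" lookup the first point asks for and which stays well under the 2k hard stop. Searching `USER_BASE_DN` with `userFilter()` remains the fallback for the per-login lookup.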