* Updated searchGroup parameters

Robin Kluth · Robin Kluth · commit 91095ddf8750 · 2025-04-17T06:33:27.000+02:00
* fix: Check single-valued attributes case insensitive
diff --git a/README.md b/README.md
@@ -66,8 +66,9 @@ There are 5 basic functions:
       default).
   * `$fetchUserDN` determines the user DN, in case you want a bind via a users DN instead of username@hostname
 * `fetchUserData($attributes)`
-  * Queries the LDAP for the logged in user and gets some attributes (adjustable list of attributes)
-* `searchUser($searchFor, $attributes, $searchFilter, $domainKey, $onlyActiveAccounts, $allDomainsHaveToBeReachable)`
+  * Queries the LDAP for the logged-in user and gets some attributes (adjustable list of attributes)
+*
+`searchUser($searchFor, $attributes, $searchFilter, $domainKey, $onlyActiveAccounts, $allDomainsHaveToBeReachable, $baseDN)`
   * Searches for a user in the LDAP-Directory. This requires a search-user which is configured in the component options.
   * The options let you define what attributes you want back and in which you are searching (defaults to lastname,
     firstname, username and class=person).
@@ -77,6 +78,12 @@ There are 5 basic functions:
     false!
   * `$allDomainsHaveToBeReachable` True: All configured domains need to be reachable in order to get a result. If one is
     not reachable, false will be returned
+  * `$baseDN` Overrides the default (domain) basedn.
+*
+`searchGroup($searchFor, $groupAttributes, $userAttributes, $returnMembers, $domainKey, $onlyActiveAccounts, $allDomainsHaveToBeReachable)`
+  * `$searchFor` specifies the groupname (text, partial text (*) or sid)
+  * `$userAttributes` and `$groupAttributes` specify the attributes for the result
+  * Any other parameter has are being passed to `searchUser`, so check the docs there
 * `updateAttributes` lets you update the user attributes
   * `$attributes` The attribute (array keys are the attribute names, the array values are the attribute values)
   * `$dn` The DN which should be updated - if not provided, the eventually previous examined one will be used.
diff --git a/src/LdapAuth.php b/src/LdapAuth.php
@@ -309,9 +309,9 @@ public function login($username, $password, $domainKey = false, $fetchUserDN = f
                 continue;
             }
 
-            $this->_l          = $l;
-            $this->_ldapBaseDn = $domainData['baseDn'];
-            $this->_username   = $username;
+            $this->_l            = $l;
+            $this->_ldapBaseDn   = $domainData['baseDn'];
+            $this->_username     = $username;
             $this->_curDomainHostname = $domainData['hostname'];
             $this->_curDomainKey = $domainKey;
 
@@ -463,8 +463,8 @@ public function searchUser(?string $searchFor, ?array $attributes = [], ?string
 
             Yii::debug('Search-Filter: ' . $searchFilter . " | BaseDN: " . $baseDN, __METHOD__);
 
-            $result          = ldap_read($this->_l, '', '(objectClass=*)', ['supportedControl']);
-            $supControls     = ldap_get_entries($this->_l, $result);
+            $result      = ldap_read($this->_l, '', '(objectClass=*)', ['supportedControl']);
+            $supControls = ldap_get_entries($this->_l, $result);
 
             if (empty($this->_singleValuedAttrs) || !isset($this->_singleValuedAttrs[$domain['hostname']])) {
                 $this->_singleValuedAttrs[$domain['hostname']] = [];
@@ -486,7 +486,7 @@ public function searchUser(?string $searchFor, ?array $attributes = [], ?string
                                 if (stripos($definition, 'SINGLE-VALUE') !== false) {
                                     $match = preg_match("/NAME ['\"](.*?)['\"]/", $definition, $matches);
                                     if ($match && isset($matches[1])) {
-                                        $this->_singleValuedAttrs[$domain['hostname']][] = $matches[1];
+                                        $this->_singleValuedAttrs[$domain['hostname']][] = strtolower($matches[1]);
                                     }
                                 }
                             }
@@ -502,8 +502,6 @@ public function searchUser(?string $searchFor, ?array $attributes = [], ?string
             }
 
 
-
-
             $cookie = '';
             $requestControls = [];
             if (($domain['pagedResultsSize'] ?? 0) > 0) {
@@ -621,18 +619,31 @@ public function searchUser(?string $searchFor, ?array $attributes = [], ?string
 
     /**
      * Searches directly for groups and optionally return its members
-     * @param string|null $searchFor The raw (!) LDAP-Filter. Like (&(objectCategory=group) (|(objectSid=%searchFor%)(cn=*%searchFor%*)))
-     * @param array|null $attributes
+     * @param string|null $searchFor The search value (like in searchUser). Like (&(objectCategory=group) (|(objectSid=%searchFor%)(cn=*%searchFor%*)))
+     * @param array|null $userAttributes
+     * @param array $groupAttributes
+     * @param string|null $searchFilter The LDAP-Filter
      * @param bool $returnMembers Should the function fetch the group members?
      * @param int|null $domainKey
      * @param bool $onlyActiveAccounts
      * @param bool $allDomainsHaveToBeReachable
      * @return array|false
      * @throws ErrorException
      */
-    public function searchGroup(?string $searchFor, ?array $attributes = ['dn', 'member'], bool $returnMembers = false, ?int $domainKey = null, bool $onlyActiveAccounts = false, bool $allDomainsHaveToBeReachable = false)
+    public function searchGroup(?string $searchFor, array $groupAttributes = ['dn', 'member'], ?array $userAttributes = ['dn', 'samaccountname', 'mail'], bool $returnMembers = false, ?string $searchFilter = "", ?int $domainKey = null, bool $onlyActiveAccounts = false, bool $allDomainsHaveToBeReachable = false)
     {
-        $groups = $this->searchUser(null, $attributes, $searchFor, $domainKey, $onlyActiveAccounts, $allDomainsHaveToBeReachable);
+        if (!in_array('dn', $groupAttributes)) {
+            $groupAttributes[] = 'dn';
+        }
+        if (!in_array('member', $groupAttributes)) {
+            $groupAttributes[] = 'member';
+        }
+
+        if (empty($searchFilter)) {
+            $searchFilter = "(&(objectCategory=group) (|(objectSid=%searchFor%)(cn=%searchFor%)))";
+        }
+
+        $groups = $this->searchUser($searchFor, $groupAttributes, $searchFilter, $domainKey, $onlyActiveAccounts, $allDomainsHaveToBeReachable);
 
         if (!$returnMembers) {
             return $groups;
@@ -642,7 +653,7 @@ public function searchGroup(?string $searchFor, ?array $attributes = ['dn', 'mem
             if (!isset($group['member'])) {
                 continue;
             }
-            $groups[$gkey]['users'] = $this->searchUser(null, ['dn'], '(&(objectCategory=person)(memberof=' . $group['dn'] . '))', $group['domainKey']);
+            $groups[$gkey]['users'] = $this->searchUser(null, $userAttributes, '(&(objectCategory=person)(memberof=' . $group['dn'] . '))', $group['domainKey']);
         }
 
         return $groups;
@@ -730,16 +741,13 @@ private function handleEntry($entry)
     {
         $newEntry = [];
         foreach ($entry as $attr => $value) {
-//            Yii::debug('Processing attribute ' . $attr, __FUNCTION__);
 
             if (is_int($attr) || $attr == 'objectsid' || $attr == 'sidhistory' || !isset($value['count'])) {
-//                Yii::debug('Skipping...', __FUNCTION__);
                 continue;
             }
-            $count  = $value['count'];
-//            Yii::debug('Count: ' . $count, __FUNCTION__);
+            $count = $value['count'];
 
-            if ($count > 1 || !in_array($attr, $this->_singleValuedAttrs[$this->_curDomainHostname] ?? [])) {
+            if ($count > 1 || !in_array(strtolower($attr), $this->_singleValuedAttrs[$this->_curDomainHostname] ?? [])) {
                 unset($value['count']);
                 $newEntry[$attr] = $value; // Return value as is, because it contains multiple entries
             } else {
