en Copyright 2025 Java http://127.0.0.1:8080/history/plugin/pureldap/classes/ADClient.php#fb75804e73edf4af608854927a231691f3206614 Parse AD bind error messages for more info for the userThis is mainly to tell users when their password expired or needs to bechanged. List of files: /plugin/pureldap/classes/ADClient.php Thu, 17 Jul 2025 13:50:14 +0000 Andreas Gohr <gohr@cosmocode.de> http://127.0.0.1:8080/history/plugin/pureldap/classes/ADClient.php#9bafffea15cbe74b15e43cf6bb87ec8340d9eccd prefer userPrincipalName over samAccountNameThis allows for longer usernames than 20 chars.This assumes that all userPrincipalNames use the same Domain asconfigured in the plugin. If that's not the case things will probablynot work or behave strangely. List of files: /plugin/pureldap/classes/ADClient.php Tue, 05 Dec 2023 10:46:04 +0000 Andreas Gohr <andi@splitbrain.org> http://127.0.0.1:8080/history/plugin/pureldap/classes/ADClient.php#208fe81a1d46425114eb6a90e8eceeed153c5f2d automatic code style fixes List of files: /plugin/pureldap/classes/ADClient.php Tue, 05 Dec 2023 08:13:56 +0000 Andreas Gohr <andi@splitbrain.org> http://127.0.0.1:8080/history/plugin/pureldap/classes/ADClient.php#0f498d06932ad0cbbdcc8844b96d4913174c7968 implement password expiry warnings. fixes #4 List of files: /plugin/pureldap/classes/ADClient.php Thu, 03 Aug 2023 15:48:44 +0000 Andreas Gohr <andi@splitbrain.org> http://127.0.0.1:8080/history/plugin/pureldap/classes/ADClient.php#08ace392be71b69ddc8b1eda246fad47272b7606 support password changesInternally this also changes the behviour to stay authenticated as theactual user if the user logged in. This is needed to allow self-servicepassword changes.This commit also contains a few cleanups. List of files: /plugin/pureldap/classes/ADClient.php Wed, 02 Aug 2023 10:08:55 +0000 Andreas Gohr <andi@splitbrain.org> http://127.0.0.1:8080/history/plugin/pureldap/classes/ADClient.php#5dcabeda2fad4e4ee9d5e2783f1e5e830b0344f4 make use of file system caching optional List of files: /plugin/pureldap/classes/ADClient.php Fri, 30 Jul 2021 06:22:05 +0000 Andreas Gohr <andi@splitbrain.org> http://127.0.0.1:8080/history/plugin/pureldap/classes/ADClient.php#e7339d5a8ae85d8bb79a5552d9633163199d0038 Local handling of nested groupsAll previous attempts to handle nested groups in a performant matterfailed. Neither recursive requests nor using theLDAP_MATCHING_RULE_IN_CHAIN mechanism were sufficently fast enough to dobulk requests on users.This now takes a completely different approach. When recursive groupsare enabled, a single (paged) request for all groups is done. The listof these groups together with their parent info is then used to resolveany nested group memberships.The group cache is saved in filesystem for the duration of the securitytimeout configuration.Future enhancements should:* see if the cache class could also be used for other caches currently implemented in Client.php* make the use of filesystem caching configurable List of files: /plugin/pureldap/classes/ADClient.php Thu, 29 Jul 2021 13:44:49 +0000 Andreas Gohr <andi@splitbrain.org> http://127.0.0.1:8080/history/plugin/pureldap/classes/ADClient.php#746af42c292254b2bee8add59eee910acce87636 fix the double call to getUserGroups() List of files: /plugin/pureldap/classes/ADClient.php Wed, 28 Jul 2021 14:48:38 +0000 Andreas Gohr <andi@splitbrain.org> http://127.0.0.1:8080/history/plugin/pureldap/classes/ADClient.php#7a36c1b4d10d91d0ba5fea2c9897f8554f51571f add support for nested groups when filtering users by groupAnd this is where we hit the performance problems. A naive approach isto simply run a query using LDAP_MATCHING_RULE_IN_CHAIN on the memberOfattribute. But this is super slow (thanks Microsoft!)Instead we first look up the given filter groups (to allow for substringmatching), then resolve them recursively and then build a or filter forall found groups.Still takes about 3 to 4 seconds :-/ List of files: /plugin/pureldap/classes/ADClient.php Wed, 28 Jul 2021 13:48:14 +0000 Andreas Gohr <andi@splitbrain.org> http://127.0.0.1:8080/history/plugin/pureldap/classes/ADClient.php#f17bb68b5a2d095b69b9e951aa10c6b366b7a7ce new approach for recursive groupsInstead of implementing the recursion client side, we ask the AD serverto resolve nested group memberships for us. This saves potentially manynetwork requests but may have performance penalties on the AD serverside. However it ensures, we can't make a mistake and thus makes ourcode safer to run - also turns out my first attempt was checking nestedgroups backwards.See https://stackoverflow.com/q/40024425 for more discussions onperformance for this.A config option allows to use the former much faster approach for setupswithout nested groups.Still to do: supporting user lookups by group this way. List of files: /plugin/pureldap/classes/ADClient.php Wed, 28 Jul 2021 12:53:28 +0000 Andreas Gohr <andi@splitbrain.org> http://127.0.0.1:8080/history/plugin/pureldap/classes/ADClient.php#51e92298dc2659aef3c4ac2b51b0dcda2b4f854a first go at recursive group memberships List of files: /plugin/pureldap/classes/ADClient.php Wed, 28 Jul 2021 11:54:47 +0000 Andreas Gohr <andi@splitbrain.org> http://127.0.0.1:8080/history/plugin/pureldap/classes/ADClient.php#e7c3e817b85f67dafbf3573fc580a3703888c9fa another workaround for preg quoting List of files: /plugin/pureldap/classes/ADClient.php Thu, 15 Jul 2021 08:06:29 +0000 Andreas Gohr <andi@splitbrain.org> http://127.0.0.1:8080/history/plugin/pureldap/classes/ADClient.php#c2500b4410d7943a5b4952a0bb25d20d1a95cb79 make the primary group configurableBecause the Domain Users group can be localized, this makes itconfigurable. The authAD library had a config to use "real" primarygroups where it would look up the primary group by calculating the SIDand doing another check. We could copy that mechanism if needed lateron. List of files: /plugin/pureldap/classes/ADClient.php Thu, 15 Jul 2021 07:47:31 +0000 Andreas Gohr <andi@splitbrain.org> http://127.0.0.1:8080/history/plugin/pureldap/classes/ADClient.php#204fba68543421287b88b2a48c04b5dea32b5394 group handling improvements* properly handle uppercase group names* use constants for filter types* properly handle Domain Users lookups List of files: /plugin/pureldap/classes/ADClient.php Thu, 15 Jul 2021 07:01:54 +0000 Andreas Gohr <andi@splitbrain.org> http://127.0.0.1:8080/history/plugin/pureldap/classes/ADClient.php#a1128cc0f2573cbe769f582d613c9ccb9fc94dee rework username handlingBackground Info---------------Active Directory has at least three different way how users areidentified:1) sAMAccountName: userThe sAMAccountName is what users usually know as their username. It'swhat they usually log in with on their workstation. It is howeverlacking the actual domain to which to login. Typically it is prefixed bya netbios domain for login. Eg. DOMAIN\userNote: The samaccount name is also limited to 20 characters because oflegacy reasons.2) userPrincipalName: user@domain.somethingThe userPrincipalName contains something that looks like a domain. Butit may be actually different to the Domain managed by the AD. Becauseof... reasons? See https://serverfault.com/a/9281163) bind ID: user@domain.extNow, loggin in (eg. doing a LDAP bind) can use different mechanisms. TheuserPrincipalName works, user@domain (different from the UPN) shouldwork too.DokuWiki requirements:----------------------In DokuWiki we need a unique username, that stays the same on everylogin. (logging in with or without the domain part should identify thesame user).We also need this name to be usable to run additional LDAP queries. Eg.find groups with this user name.We also want users to be able to login without having to type the domainpart.This patch----------So with this patch we use the samaccount name to identify a user. Forlogging in, we add the configured account suffix (aka the domain). Afterthat we only use the domainless user name everywhere.In a future update we may (re)introduce the multidomain support fromauthAD. When we do, this will probably force us to use the suffix partin the usernames to different different domain users (something theauthAD plugin doesn't do which is probably wrong). But for most peoplethe single suffix approach should be fine. List of files: /plugin/pureldap/classes/ADClient.php Thu, 08 Jul 2021 09:33:55 +0000 Andreas Gohr <andi@splitbrain.org> http://127.0.0.1:8080/history/plugin/pureldap/classes/ADClient.php#9c590892fd92272f32265b97584f4f97be2fffc7 only fetch the attributes we needthis should lower the memory requirements and might speed things up abit List of files: /plugin/pureldap/classes/ADClient.php Wed, 07 Jul 2021 11:14:48 +0000 Andreas Gohr <andi@splitbrain.org> http://127.0.0.1:8080/history/plugin/pureldap/classes/ADClient.php#b914569fe2bf0cc586f78951bd0c636bc6597916 allow fetching of additional user attributesCurrently we reuqest all attributes from the server and only filterlater. This needs fixing. List of files: /plugin/pureldap/classes/ADClient.php Wed, 07 Jul 2021 10:57:14 +0000 Andreas Gohr <andi@splitbrain.org> http://127.0.0.1:8080/history/plugin/pureldap/classes/ADClient.php#fce018da7ff57fa3fbbabe650e4a6afd1da5aab2 clean up group filter stringsAs mentioned in splitbrain/dokuwiki#3028 the data passed in filters isill defined currently. This is a very very simple workaround for stringspassed by cosmocode/groupusers List of files: /plugin/pureldap/classes/ADClient.php Wed, 07 Jul 2021 09:53:46 +0000 Andreas Gohr <andi@splitbrain.org> http://127.0.0.1:8080/history/plugin/pureldap/classes/ADClient.php#6d90d5c87387cafcb884bda8c1b3c7ab80656146 some cleanup for the options List of files: /plugin/pureldap/classes/ADClient.php Wed, 07 Jul 2021 08:18:34 +0000 Andreas Gohr <andi@splitbrain.org> http://127.0.0.1:8080/history/plugin/pureldap/classes/ADClient.php#1b0eb9b3a1bfc52e83acfddba0436b7a01febb22 return sorted resultsmakes testing easier List of files: /plugin/pureldap/classes/ADClient.php Wed, 01 Apr 2020 19:00:51 +0000 Andreas Gohr <andi@splitbrain.org>