Merge pull request #50500 from nextcloud/backport/50480/stable29

AndyScherzinger · web-flow · commit c15b158432eb · 2025-01-28T23:01:36.000+01:00
[stable29] fix(user_ldap): Do not map groups we do not know if they match filter
diff --git a/apps/user_ldap/lib/Access.php b/apps/user_ldap/lib/Access.php
@@ -449,18 +449,19 @@ public function username2dn($name) {
 	 *
 	 * @param string $fdn the dn of the group object
 	 * @param string $ldapName optional, the display name of the object
+	 * @param bool $autoMapping Should the group be mapped if not yet mapped
 	 * @return string|false with the name to use in Nextcloud, false on DN outside of search DN
 	 * @throws \Exception
 	 */
-	public function dn2groupname($fdn, $ldapName = null) {
+	public function dn2groupname($fdn, $ldapName = null, bool $autoMapping = true) {
 		//To avoid bypassing the base DN settings under certain circumstances
 		//with the group support, check whether the provided DN matches one of
 		//the given Bases
 		if (!$this->isDNPartOfBase($fdn, $this->connection->ldapBaseGroups)) {
 			return false;
 		}
 
-		return $this->dn2ocname($fdn, $ldapName, false);
+		return $this->dn2ocname($fdn, $ldapName, false, autoMapping:$autoMapping);
 	}
 
 	/**
@@ -490,10 +491,11 @@ public function dn2username($fdn, $ldapName = null) {
 	 * @param bool $isUser optional, whether it is a user object (otherwise group assumed)
 	 * @param bool|null $newlyMapped
 	 * @param array|null $record
+	 * @param bool $autoMapping Should the group be mapped if not yet mapped
 	 * @return false|string with with the name to use in Nextcloud
 	 * @throws \Exception
 	 */
-	public function dn2ocname($fdn, $ldapName = null, $isUser = true, &$newlyMapped = null, ?array $record = null) {
+	public function dn2ocname($fdn, $ldapName = null, $isUser = true, &$newlyMapped = null, ?array $record = null, bool $autoMapping = true) {
 		static $intermediates = [];
 		if (isset($intermediates[($isUser ? 'user-' : 'group-') . $fdn])) {
 			return false; // is a known intermediate
@@ -516,6 +518,11 @@ public function dn2ocname($fdn, $ldapName = null, $isUser = true, &$newlyMapped
 			return $ncName;
 		}
 
+		if (!$autoMapping) {
+			/* If no auto mapping, stop there */
+			return false;
+		}
+
 		//second try: get the UUID and check if it is known. Then, update the DN and return the name.
 		$uuid = $this->getUUID($fdn, $isUser, $record);
 		if (is_string($uuid)) {
diff --git a/apps/user_ldap/lib/Group_LDAP.php b/apps/user_ldap/lib/Group_LDAP.php
@@ -1219,7 +1219,7 @@ protected function filterValidGroups(array $listOfGroups): array {
 				continue;
 			}
 			$name = $item[$this->access->connection->ldapGroupDisplayName][0] ?? null;
-			$gid = $this->access->dn2groupname($dn, $name);
+			$gid = $this->access->dn2groupname($dn, $name, false);
 			if (!$gid) {
 				continue;
 			}

Original file line number	Diff line number	Diff line change
`@@ -1219,7 +1219,7 @@ protected function filterValidGroups(array $listOfGroups): array {`
`1219`	`1219`	`continue;`
`1220`	`1220`	`}`
`1221`	`1221`	`$name = $item[$this->access->connection->ldapGroupDisplayName][0] ?? null;`
`1222`		`- $gid = $this->access->dn2groupname($dn, $name);`
	`1222`	`+ $gid = $this->access->dn2groupname($dn, $name, false);`
`1223`	`1223`	`if (!$gid) {`
`1224`	`1224`	`continue;`
`1225`	`1225`	`}`