From 57a8fa1b2270c7916c19cb1cf748888aa9a9c7d6 Mon Sep 17 00:00:00 2001
From: Roland Tapken
Date: Wed, 7 Feb 2018 12:02:58 +0100
Subject: [PATCH 1/2] Apply ldapUserFilter on members of group

Refers to issue #8220

user_ldap configured with custom filters for active directory access (group-member-association is "member"). Then it can happen that the members of a group contain members that don't belong to the users available in Nextcloud (the most trivial reason is that the user filter contains "(!(UserAccountControl:1.2.840.113556.1.4.803:=2))" to exclude disabled users from being imported).

This can be fixed by applying the ldapUserFilter when resolving the UID for a DN fetched from the group's member list.

Signed-off-by: Roland Tapken
---
 apps/user_ldap/lib/Access.php | 6 +++++-
 1 file changed, 5 insertions(+), 1 deletion(-)

diff --git a/apps/user_ldap/lib/Access.php b/apps/user_ldap/lib/Access.php
index 02f69715f4cc4..fe286f88a833c 100644
--- a/apps/user_ldap/lib/Access.php
+++ b/apps/user_ldap/lib/Access.php
@@ -565,7 +565,11 @@ public function dn2ocname($fdn, $ldapName = null, $isUser = true, &$newlyMapped
 		}
 		if(is_null($ldapName)) {
-			$ldapName = $this->readAttribute($fdn, $nameAttribute);
+			if ($isUser) {
+				$ldapName = $this->readAttribute($fdn, $nameAttribute, $this->connection->ldapUserFilter);
+			} else {
+				$ldapName = $this->readAttribute($fdn, $nameAttribute);
+			}
 			if(!isset($ldapName[0]) && empty($ldapName[0])) {
 				\OCP\Util::writeLog('user_ldap', 'No or empty name for '.$fdn.'.', \OCP\Util::INFO);
 				return false;

From ed7870327571c3a840051a972a84ecdc262db728 Mon Sep 17 00:00:00 2001
From: Roland Tapken
Date: Wed, 7 Mar 2018 12:18:46 +0100
Subject: [PATCH 2/2] dn2ocname: also apply group filter to readAttribute()

Signed-off-by: Roland Tapken
---
 apps/user_ldap/lib/Access.php | 10 ++++------
 1 file changed, 4 insertions(+), 6 deletions(-)

diff --git a/apps/user_ldap/lib/Access.php b/apps/user_ldap/lib/Access.php
index fe286f88a833c..f0740f8921f96 100644
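Review bot: The user filter is enforced only on the readAttribute() fallback inside `if(is_null($ldapName))`, so a member DN that is already present in the mapping table — the lookup the context above this hunk refers to, which lies outside the hunk — is presumably returned before this point and never re-checked against ldapUserFilter; if that is so, an account that was mapped once and later excluded by the filter (for example a disabled account, as the commit message describes) would keep resolving as a group member, which is worth confirming and at least documenting. The branch also deserves a why-comment so the next reader does not see the extra argument as a mere optimisation, e.g. `// pass the user filter so that member DNs the user filter excludes resolve to false, not only DNs without a display name`. Note that readAttribute() returning false for a filtered-out DN and a genuinely missing display name both end up in the same INFO log line below. dn2ocname continues outside the hunk.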
--- a/apps/user_ldap/lib/Access.php
+++ b/apps/user_ldap/lib/Access.php
@@ -539,9 +539,11 @@ public function dn2ocname($fdn, $ldapName = null, $isUser = true, &$newlyMapped
 		if($isUser) {
 			$mapper = $this->getUserMapper();
 			$nameAttribute = $this->connection->ldapUserDisplayName;
+			$filter = $this->connection->ldapUserFilter;
 		} else {
 			$mapper = $this->getGroupMapper();
 			$nameAttribute = $this->connection->ldapGroupDisplayName;
+			$filter = $this->connection->ldapGroupFilter;
 		}
 		//let's try to retrieve the Nextcloud name from the mappings table
@@ -565,13 +567,9 @@ public function dn2ocname($fdn, $ldapName = null, $isUser = true, &$newlyMapped
 		}
 		if(is_null($ldapName)) {
-			if ($isUser) {
-				$ldapName = $this->readAttribute($fdn, $nameAttribute, $this->connection->ldapUserFilter);
-			} else {
-				$ldapName = $this->readAttribute($fdn, $nameAttribute);
-			}
+			$ldapName = $this->readAttribute($fdn, $nameAttribute, $filter);
 			if(!isset($ldapName[0]) && empty($ldapName[0])) {
-				\OCP\Util::writeLog('user_ldap', 'No or empty name for '.$fdn.'.', \OCP\Util::INFO);
+				\OCP\Util::writeLog('user_ldap', 'No or empty name for '.$fdn.' with filter '.$filter.'.', \OCP\Util::INFO);
 				return false;
 			}
 			$ldapName = $ldapName[0];
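Review bot: `$filter` is taken verbatim from `$this->connection->ldapUserFilter` / `ldapGroupFilter` and forwarded to readAttribute() in the second hunk, so if either setting can be empty or unset, readAttribute() now receives an empty string where it previously fell back to whatever its third parameter defaults to (I cannot see that default from here); either guard that case in this branch or document the non-empty filter as a precondition of dn2ocname. A short comment at the top of the branch would also make the coupling explicit, e.g. `// users and groups each have their own mapper, display-name attribute and LDAP filter; they must be chosen together`. dn2ocname starts before this hunk.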
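Review bot: The guard directly above the rewritten log call, `if(!isset($ldapName[0]) && empty($ldapName[0]))`, reduces to `!isset($ldapName[0])` because empty() is always true when isset() is false, so an attribute that exists but is an empty string is still accepted as a name even though the new message reads "No or empty name"; since this commit rewrites that branch, `if(!isset($ldapName[0]) || $ldapName[0] === '') {` would make the check match the message without rejecting a legitimate display name of '0' the way `|| empty(...)` would. Whether an empty display name should be mapped at all is a behaviour choice to confirm before changing it. The rest of dn2ocname continues outside the hunk.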