From a10a327dbfea5b6e31ac83a494767436b37dde24 Mon Sep 17 00:00:00 2001 From: David Coutadeur Date: Wed, 10 Jul 2024 14:40:26 +0200 Subject: [PATCH] add a $ldap_scope parameter (#921) --- composer.json | 2 +- conf/config.inc.php | 1 + docs/config_ldap.rst | 9 +++++++++ htdocs/change.php | 2 +- htdocs/changecustompwdfield.php | 2 +- htdocs/changesshkey.php | 2 +- htdocs/resetbyquestions.php | 2 +- htdocs/resetbytoken.php | 2 +- htdocs/sendsms.php | 2 +- htdocs/sendtoken.php | 2 +- htdocs/setattributes.php | 2 +- htdocs/setquestions.php | 4 ++-- rest/v1/adminchangepassword.php | 2 +- rest/v1/changepassword.php | 2 +- rest/v1/checkpassword.php | 2 +- scripts/encrypt_answers.php | 2 +- scripts/multi_ldap_change.php | 2 +- 17 files changed, 26 insertions(+), 16 deletions(-) diff --git a/composer.json b/composer.json index c3afe9e8..83504521 100644 --- a/composer.json +++ b/composer.json @@ -1,6 +1,6 @@ { "require": { - "ltb-project/ltb-common": "v0.2.1", + "ltb-project/ltb-common": "dev-main", "bjeavons/zxcvbn-php": "^1.0", "twbs/bootstrap": "v5.3.3", "defuse/php-encryption": "2.4.0", diff --git a/conf/config.inc.php b/conf/config.inc.php index 6d8d0d4f..7e7f54ad 100644 --- a/conf/config.inc.php +++ b/conf/config.inc.php @@ -44,6 +44,7 @@ $ldap_login_attribute = "uid"; $ldap_fullname_attribute = "cn"; $ldap_filter = "(&(objectClass=person)($ldap_login_attribute={login}))"; +$ldap_scope = "sub"; # possible values: sub, one, base $ldap_use_exop_passwd = false; $ldap_use_ppolicy_control = false; $ldap_network_timeout = 10; diff --git a/docs/config_ldap.rst b/docs/config_ldap.rst index 1aeca7a9..f5f89a62 100644 --- a/docs/config_ldap.rst +++ b/docs/config_ldap.rst 
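Review bot: In composer.json the `ltb-project/ltb-common` requirement moves from the tagged `v0.2.1` to the branch `dev-main`, so the installed code is whatever commit is at the head of that branch when the dependency is resolved. For a password self-service application this makes builds hard to reproduce and means the reviewed code is no longer a fixed release. If `search_with_scope` is not yet available in a tagged release, pin the commit with `"ltb-project/ltb-common": "dev-main#<commit-sha>"` (placeholder) and return to a tagged version before release.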
@@ -143,6 +143,15 @@ The filter can be set in ``$ldap_filter``: .. tip:: The string ``{login}`` is replaced by submitted login. +The scope can be set in ``$ldap_scope``: + +.. code-block:: php + + $ldap_scope = "sub"; + +.. tip:: sub is the default value. Possible values are sub, one, or base + + Extensions ---------- diff --git a/htdocs/change.php b/htdocs/change.php index 9a4039c8..6f2c518b 100644 --- a/htdocs/change.php +++ b/htdocs/change.php @@ -76,7 +76,7 @@ # Search for user $ldap_filter = str_replace("{login}", $login, $ldap_filter); - $search = ldap_search($ldap, $ldap_base, $ldap_filter); + $search = $ldapInstance->search_with_scope($ldap_scope, $ldap_base, $ldap_filter); $errno = ldap_errno($ldap); if ( $errno ) { diff --git a/htdocs/changecustompwdfield.php b/htdocs/changecustompwdfield.php index a88f591e..0de0718a 100644 --- a/htdocs/changecustompwdfield.php +++ b/htdocs/changecustompwdfield.php @@ -146,7 +146,7 @@ function set_default_value(&$variable, $defaultValue) # Search for user $ldap_filter = str_replace("{login}", $login, $ldap_filter); - $search = ldap_search($ldap, $ldap_base, $ldap_filter); + $search = $ldapInstance->search_with_scope($ldap_scope, $ldap_base, $ldap_filter); $errno = ldap_errno($ldap); if ( $errno ) { diff --git a/htdocs/changesshkey.php b/htdocs/changesshkey.php index 2a9af68a..5d20a721 100644 --- a/htdocs/changesshkey.php +++ b/htdocs/changesshkey.php @@ -70,7 +70,7 @@ # Search for user $ldap_filter = str_replace("{login}", $login, $ldap_filter); - $search = ldap_search($ldap, $ldap_base, $ldap_filter); + $search = $ldapInstance->search_with_scope($ldap_scope, $ldap_base, $ldap_filter); $errno = ldap_errno($ldap); if ( $errno ) { diff --git a/htdocs/resetbyquestions.php b/htdocs/resetbyquestions.php index b1ee9fbd..ddfcd4a0 100644 --- a/htdocs/resetbyquestions.php +++ b/htdocs/resetbyquestions.php 
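Review bot: In htdocs/change.php the search now goes through `$ldapInstance->search_with_scope(...)`, but the failure check that follows still relies only on `ldap_errno($ldap)`. The wrapper lives in ltb-common and is not shown here; if it can return false without issuing an LDAP operation (for example on a `$ldap_scope` value other than sub, one or base), errno stays 0 and the flow continues with an invalid `$search`. Testing the result as well, `if ( $search === false || $errno ) {`, makes the lookup fail closed. The same pattern appears in the changecustompwdfield.php, changesshkey.php, resetbyquestions.php, resetbytoken.php, sendtoken.php, setattributes.php, setquestions.php and rest/v1/*.php hunks; in each case the enclosing block continues outside the hunk.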
@@ -111,7 +111,7 @@ # Search for user $ldap_filter = str_replace("{login}", $login, $ldap_filter); - $search = ldap_search($ldap, $ldap_base, $ldap_filter); + $search = $ldapInstance->search_with_scope($ldap_scope, $ldap_base, $ldap_filter); $errno = ldap_errno($ldap); if ( $errno ) { diff --git a/htdocs/resetbytoken.php b/htdocs/resetbytoken.php index 6901e9f3..83777ac4 100644 --- a/htdocs/resetbytoken.php +++ b/htdocs/resetbytoken.php @@ -106,7 +106,7 @@ # Search for user $ldap_filter = str_replace("{login}", $login, $ldap_filter); - $search = ldap_search($ldap, $ldap_base, $ldap_filter); + $search = $ldapInstance->search_with_scope($ldap_scope, $ldap_base, $ldap_filter); $errno = ldap_errno($ldap); if ( $errno ) { diff --git a/htdocs/sendsms.php b/htdocs/sendsms.php index 968eb396..688c181b 100644 --- a/htdocs/sendsms.php +++ b/htdocs/sendsms.php @@ -353,7 +353,7 @@ function get_user_infos($ldapInstance, $ldap_base, $ldap_filter, # Search for user $ldap_filter = str_replace("{login}", $login, $ldap_filter); - $search = ldap_search($ldap, $ldap_base, $ldap_filter, $search_attributes); + $search = $ldapInstance->search_with_scope($ldap_scope, $ldap_base, $ldap_filter, $search_attributes); $errno = ldap_errno($ldap); if ($errno) { diff --git a/htdocs/sendtoken.php b/htdocs/sendtoken.php index e9f0ada3..f08455e6 100644 --- a/htdocs/sendtoken.php +++ b/htdocs/sendtoken.php @@ -77,7 +77,7 @@ # Search for user $ldap_filter = str_replace("{login}", $login, $ldap_filter); - $search = ldap_search($ldap, $ldap_base, $ldap_filter); + $search = $ldapInstance->search_with_scope($ldap_scope, $ldap_base, $ldap_filter); $errno = ldap_errno($ldap); if ( $errno ) { diff --git a/htdocs/setattributes.php b/htdocs/setattributes.php index a464ed44..cc6a8884 100644 --- a/htdocs/setattributes.php +++ b/htdocs/setattributes.php 
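Review bot: In htdocs/sendsms.php the hunk header places the changed line inside `get_user_infos(...)`, and `$ldap_scope` is a configuration global that the function does not visibly receive. The signature is cut off in the header, but the diffstat shows a single changed line for this file, so no parameter or call site was added by this commit. Unless the function already brings the variable into scope somewhere outside the hunk, `$ldap_scope` is undefined there and null is passed as the scope. Adding `$ldap_scope` to the parameter list and passing it from the callers would fix that without relying on `global`. The function body starts and ends outside the hunk.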
@@ -68,7 +68,7 @@ # Search for user $ldap_filter = str_replace("{login}", $login, $ldap_filter); - $search = ldap_search($ldap, $ldap_base, $ldap_filter); + $search = $ldapInstance->search_with_scope($ldap_scope, $ldap_base, $ldap_filter); $errno = ldap_errno($ldap); if ( $errno ) { diff --git a/htdocs/setquestions.php b/htdocs/setquestions.php index 4fa1c274..f9e6a2f6 100644 --- a/htdocs/setquestions.php +++ b/htdocs/setquestions.php @@ -91,7 +91,7 @@ # Search for user $ldap_filter = str_replace("{login}", $login, $ldap_filter); - $search = ldap_search($ldap, $ldap_base, $ldap_filter); + $search = $ldapInstance->search_with_scope($ldap_scope, $ldap_base, $ldap_filter); $errno = ldap_errno($ldap); if ( $errno ) { @@ -134,7 +134,7 @@ } # Check objectClass presence and pull back previous answers. - $search = ldap_search($ldap, $userdn, "(objectClass=*)", array("objectClass", $answer_attribute) ); + $search = $ldapInstance->search_with_scope($ldap_scope, $userdn, "(objectClass=*)", array("objectClass", $answer_attribute) ); $errno = ldap_errno($ldap); if ( $errno ) { diff --git a/rest/v1/adminchangepassword.php b/rest/v1/adminchangepassword.php index f7397408..cb233e9b 100644 --- a/rest/v1/adminchangepassword.php +++ b/rest/v1/adminchangepassword.php @@ -33,7 +33,7 @@ # Search for user $ldap_filter = str_replace("{login}", $login, $ldap_filter); - $search = ldap_search($ldap, $ldap_base, $ldap_filter); + $search = $ldapInstance->search_with_scope($ldap_scope, $ldap_base, $ldap_filter); $errno = ldap_errno($ldap); if ( $errno ) { diff --git a/rest/v1/changepassword.php b/rest/v1/changepassword.php index 9595978f..cc0f490e 100644 --- a/rest/v1/changepassword.php +++ b/rest/v1/changepassword.php 
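Review bot: In the second htdocs/setquestions.php hunk the search is rooted at `$userdn` with filter `(objectClass=*)` to read the user's own entry, so applying the configurable `$ldap_scope` changes what it returns. With `one` the base entry itself is excluded and only its children match, so the objectClass check and the previous answers would come from another entry or from none. This lookup looks like it needs a fixed scope regardless of configuration: `$search = $ldapInstance->search_with_scope("base", $userdn, "(objectClass=*)", array("objectClass", $answer_attribute) );`. The surrounding block continues outside the hunk.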
@@ -34,7 +34,7 @@ if ( $ldap ) { # Search for user $ldap_filter = str_replace("{login}", $login, $ldap_filter); - $search = ldap_search($ldap, $ldap_base, $ldap_filter); + $search = $ldapInstance->search_with_scope($ldap_scope, $ldap_base, $ldap_filter); $errno = ldap_errno($ldap); if ( $errno ) { diff --git a/rest/v1/checkpassword.php b/rest/v1/checkpassword.php index 9a63ccb3..dfa1c5e4 100644 --- a/rest/v1/checkpassword.php +++ b/rest/v1/checkpassword.php @@ -25,7 +25,7 @@ # Search for user $ldap_filter = str_replace("{login}", $login, $ldap_filter); - $search = ldap_search($ldap, $ldap_base, $ldap_filter); + $search = $ldapInstance->search_with_scope($ldap_scope, $ldap_base, $ldap_filter); $errno = ldap_errno($ldap); if ( $errno ) { diff --git a/scripts/encrypt_answers.php b/scripts/encrypt_answers.php index c21fb700..420d1814 100644 --- a/scripts/encrypt_answers.php +++ b/scripts/encrypt_answers.php @@ -45,7 +45,7 @@ # Search all users $ldap_filter = str_replace("{login}", "*", $ldap_filter); -$search = ldap_search($ldap, $ldap_base, $ldap_filter); +$search = $ldapInstance->search_with_scope($ldap_scope, $ldap_base, $ldap_filter); if (!$search) { $errno = ldap_errno($ldap); diff --git a/scripts/multi_ldap_change.php b/scripts/multi_ldap_change.php index 9c805921..68615ead 100644 --- a/scripts/multi_ldap_change.php +++ b/scripts/multi_ldap_change.php @@ -66,7 +66,7 @@ } else { $s_ldap_base = $ldap_base; } - $search = ldap_search($ldap, $s_ldap_base, $s_ldap_filter); + $search = $ldapInstance->search_with_scope($ldap_scope, $s_ldap_base, $s_ldap_filter); $errno = ldap_errno($ldap); if ( $errno ) {
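Review bot: In scripts/multi_ldap_change.php the search is issued on `$ldapInstance` while the error is still read from `$ldap`, and the base and filter are the `$s_`-prefixed values that presumably belong to the directory being processed. The hunk does not show where either handle is created. If `$ldap` is a connection opened per directory, confirm that `$ldapInstance` wraps that same connection; otherwise the lookup runs against one server and the error check against another. The single global `$ldap_scope` is also applied to every directory here, which may not suit a server that has its own base.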