-rw-r--r--inc/auth/ldap.class.php30
1 files changed, 27 insertions, 3 deletions
diff --git a/inc/auth/ldap.class.php b/inc/auth/ldap.class.php
index c51924135..fc1a7ddb6 100644
--- a/inc/auth/ldap.class.php
+++ b/inc/auth/ldap.class.php
@@ -27,7 +27,9 @@ class auth_ldap extends auth_basic {
return;
}
- if(empty($this->cnf['groupkey'])) $this->cnf['groupkey'] = 'cn';
+ if(empty($this->cnf['groupkey'])) $this->cnf['groupkey'] = 'cn';
+ if(empty($this->cnf['userscope'])) $this->cnf['userscope'] = 'sub';
+ if(empty($this->cnf['groupscope'])) $this->cnf['groupscope'] = 'sub';
// auth_ldap currently just handles authentication, so no
// capabilities are set
@@ -171,7 +173,7 @@ class auth_ldap extends auth_basic {
$filter = "(ObjectClass=*)";
}
- $sr = @ldap_search($this->con, $base, $filter);
+ $sr = $this->_ldapsearch($this->con, $base, $filter, $this->cnf['userscope']);
$result = @ldap_get_entries($this->con, $sr);
if($this->cnf['debug']){
msg('LDAP user search: '.htmlspecialchars(ldap_error($this->con)),0,__LINE__,__FILE__);
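Review bot: The handle returned by `_ldapsearch` is passed straight to `@ldap_get_entries` on the next line with no failure check, whereas the group lookup further down tests `if(!$sr)` and reports the error. A failed user search (bad base DN, or a scope that does not fit the tree layout) is therefore only visible when `debug` is on. Consider adding `if(!$sr){ msg('LDAP: user search failed',-1); return false; }` before the entries are read. The enclosing function starts and ends outside this hunk, so the value its callers expect on failure should be confirmed first.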
@@ -219,7 +221,7 @@ class auth_ldap extends auth_basic {
if ($this->cnf['grouptree'] && $this->cnf['groupfilter']) {
$base = $this->_makeFilter($this->cnf['grouptree'], $user_result);
$filter = $this->_makeFilter($this->cnf['groupfilter'], $user_result);
- $sr = @ldap_search($this->con, $base, $filter, array($this->cnf['groupkey']));
+ $sr = $this->_ldapsearch($this->con, $base, $filter, $this->cnf['groupscope'], array($this->cnf['groupkey']));
if(!$sr){
msg("LDAP: Reading group memberships failed",-1);
if($this->cnf['debug']){
@@ -352,6 +354,28 @@ class auth_ldap extends auth_basic {
return true;
}
+
+ /**
+ * Wraps around ldap_search, ldap_list or ldap_read depending on $scope
+ *
+ * @param $scope string - can be 'base', 'one' or 'sub'
+ * @author Andreas Gohr <andi@splitbrain.org>
+ */
+ function _ldapsearch($link_identifier, $base_dn, $filter, $scope='sub', $attributes=null,
+ $attrsonly=0, $sizelimit=0, $timelimit=0, $deref=LDAP_DEREF_NEVER){
+ if(is_null($attributes)) $attributes = array();
+
+ if($scope == 'base'){
+ return @ldap_read($link_identifier, $base_dn, $filter, $attributes,
+ $attrsonly, $sizelimit, $timelimit, $deref);
+ }elseif($scope == 'one'){
+ return @ldap_list($link_identifier, $base_dn, $filter, $attributes,
+ $attrsonly, $sizelimit, $timelimit, $deref);
+ }else{
+ return @ldap_search($link_identifier, $base_dn, $filter, $attributes,
+ $attrsonly, $sizelimit, $timelimit, $deref);
+ }
+ }
}
//Setup VIM: ex: et ts=4 enc=utf-8 :
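Review bot: Any `$scope` value other than 'base' or 'one' falls into the final `else` of `_ldapsearch` and runs `ldap_search`, so a misspelled `userscope` or `groupscope` (for example 'onelevel') silently searches the whole subtree, the widest scope, instead of the restriction the admin intended. For an auth backend it is safer to match 'sub' explicitly and refuse anything else with a visible message, as in the excerpt below; `===` also avoids loose string comparison. The user lookup near line 173 does not test the returned handle, so it would need a failure check before `false` can be returned to it. The docblock would also benefit from `@return resource|false` and `@param` lines for the remaining arguments.

```php
function _ldapsearch($link_identifier, $base_dn, $filter, $scope='sub', $attributes=null,
        $attrsonly=0, $sizelimit=0, $timelimit=0, $deref=LDAP_DEREF_NEVER){
    // … unchanged: $attributes default, 'base' and 'one' branches …
    }elseif($scope === 'sub'){
        return @ldap_search($link_identifier, $base_dn, $filter, $attributes,
                            $attrsonly, $sizelimit, $timelimit, $deref);
    }else{
        // Unknown scope: refuse rather than widen the search to the whole subtree
        msg('LDAP: unknown search scope '.htmlspecialchars($scope),-1);
        return false;
    }
```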