ldap authenticates without password

All about webserver configurations, PHP and databases.

Moderator: Thorsten

trf000
Posts: 37
Joined: Tue Nov 23, 2010 5:16 pm

ldap authenticates without password

Post by trf000 » Tue Nov 23, 2010 5:41 pm

Hi, great software by the way.

My issue is with LDAP, which I am using on a number of applications. I've changed constants_ldap to

Code:

$PMF_LDAP['ldap_mapping'] = array (
    'name'     => 'cn',
    'username' => 'samaccountname',
    'mail'     => 'mail');

My AD was whining about the case.

Now when any user logs in with their AD user/pwd, everything is fine and all user tables are populated. However, if they log in with JUST their username, it still authenticates, but all user info is wiped out (email, display name, etc.). A wrong password behaves as expected, with the message "User or password not valid".

Thoughts?

Thorsten
Posts: 14744
Joined: Tue Sep 25, 2001 11:14 am
Location: #phpmyfaq
Contact:

Re: ldap authenticates without password

Post by Thorsten » Tue Nov 23, 2010 8:20 pm

Hi,

I have to check this issue.

bye
Thorsten
phpMyFAQ Maintainer and Lead Developer
amazon.de Wishlist

trf000
Posts: 37
Joined: Tue Nov 23, 2010 5:16 pm

Re: ldap authenticates without password

Post by trf000 » Tue Nov 23, 2010 9:48 pm

Seems to be a known LDAP/AD bug. Our workaround has been something like this:

if (empty($password)) {
    return false;
}

Not sure where to fit this into your code though... index.php maybe?

Thorsten
Posts: 14744
Joined: Tue Sep 25, 2001 11:14 am
Location: #phpmyfaq
Contact:

Re: ldap authenticates without password

Post by Thorsten » Wed Nov 24, 2010 7:57 am

Hi,

It has to be placed in inc/Ldap.php. I'll add a fix for this issue. Thanks!

bye
Thorsten
phpMyFAQ Maintainer and Lead Developer
amazon.de Wishlist

trf000
Posts: 37
Joined: Tue Nov 23, 2010 5:16 pm

Re: ldap authenticates without password

Post by trf000 » Wed Nov 24, 2010 3:44 pm

Any chance you could point me to the right spot? I tried adding it here:

Code:

        $this->base = $ldap_base;

        if (!isset($ldap_user) || !isset($ldap_server) || $ldap_server == "" ||
            !isset($ldap_port) || $ldap_port == "" || !isset($ldap_base) ||
            $ldap_base == "" || !isset($ldap_password) || empty($ldap_password)) {
            return false;
        }

Which won't allow a login, but takes the user to an error page.

trf000
Posts: 37
Joined: Tue Nov 23, 2010 5:16 pm

Re: ldap authenticates without password

Post by trf000 » Wed Nov 24, 2010 3:51 pm

Below this:

Code:

        if (!isset($ldap_user) || !isset($ldap_server) || $ldap_server == "" ||
            !isset($ldap_port) || $ldap_port == "" || !isset($ldap_base) ||
            $ldap_base == "" || !isset($ldap_password)) {
            return false;
        }

I added this:

Code:

        if (empty($ldap_password)) {
            $this->error = 'Unable to connect to LDAP server (Error: '.ldap_error($this->ds).')';
            //return false;
        }

Seems to work, though I'm betting you have something better in your fix.

Thorsten
Posts: 14744
Joined: Tue Sep 25, 2001 11:14 am
Location: #phpmyfaq
Contact:

Re: ldap authenticates without password

Post by Thorsten » Wed Nov 24, 2010 6:55 pm

Hi,

looks good, I'll add it to version 2.6.12. Thanks!

bye
Thorsten
phpMyFAQ Maintainer and Lead Developer
amazon.de Wishlist

Thorsten
Posts: 14744
Joined: Tue Sep 25, 2001 11:14 am
Location: #phpmyfaq
Contact:

Re: ldap authenticates without password

Post by Thorsten » Wed Nov 24, 2010 7:06 pm

Hi,

I improved the code... could you please test this class: https://github.com/thorsten/phpMyFAQ/bl ... c/Ldap.php

Thanks!

bye
Thorsten
phpMyFAQ Maintainer and Lead Developer
amazon.de Wishlist

trf000
Posts: 37
Joined: Tue Nov 23, 2010 5:16 pm

Re: ldap authenticates without password

Post by trf000 » Fri Dec 03, 2010 10:25 pm

That code will not let me authenticate.

Thorsten
Posts: 14744
Joined: Tue Sep 25, 2001 11:14 am
Location: #phpmyfaq
Contact:

Re: ldap authenticates without password

Post by Thorsten » Sat Dec 04, 2010 9:45 am

Hi,

thanks for the feedback. I'll revert this commit then.

bye
Thorsten
phpMyFAQ Maintainer and Lead Developer
amazon.de Wishlist
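
The guard discussed in this thread, as an added example that is not phpMyFAQ's code or any poster's: it refuses an empty password before a bind is attempted, with a stub standing in for a directory that reports success on an empty-password simple bind. `checkLdapLogin`, `$permissiveBind` and the sample DN and passwords are constructed for illustration; in a real deployment the callable would wrap `ldap_bind()`.

```php
<?php
// Added example. All names and sample values here are hypothetical.

/**
 * Check a login against a directory, refusing empty credentials up front.
 * $bind is any callable (string $dn, string $password): bool. It is injected
 * so the example runs offline; in production it would wrap ldap_bind().
 */
function checkLdapLogin(callable $bind, string $userDn, string $password): array
{
    // A simple bind with a name and a zero-length password is an
    // "unauthenticated bind": some servers report success without
    // verifying anything. Reject it before contacting the server.
    // Compare against '' rather than using empty(): empty('0') is true
    // in PHP, which would lock out a user whose password is "0".
    if (trim($userDn) === '' || $password === '') {
        return ['ok' => false, 'reason' => 'User or password not valid'];
    }
    if (!$bind($userDn, $password)) {
        return ['ok' => false, 'reason' => 'User or password not valid'];
    }
    return ['ok' => true, 'reason' => null];
}

// Constructed stand-in for a directory that accepts empty-password binds.
$directory = [
    'CN=Jane Doe,OU=Staff,DC=example,DC=test' => 'correct horse',
    'CN=Zero User,OU=Staff,DC=example,DC=test' => '0',
];
$permissiveBind = function (string $dn, string $password) use ($directory): bool {
    if ($password === '') {
        return true; // treated as anonymous, yet reported as a successful bind
    }
    return isset($directory[$dn]) && hash_equals($directory[$dn], $password);
};

// Constructed test cases: [DN, submitted password].
$cases = [
    ['CN=Jane Doe,OU=Staff,DC=example,DC=test', 'correct horse'],
    ['CN=Jane Doe,OU=Staff,DC=example,DC=test', 'wrong'],
    ['CN=Jane Doe,OU=Staff,DC=example,DC=test', ''],
    ['CN=Zero User,OU=Staff,DC=example,DC=test', '0'],
];
foreach ($cases as [$dn, $pw]) {
    $unguarded = $permissiveBind($dn, $pw);
    $guarded = checkLdapLogin($permissiveBind, $dn, $pw)['ok'];
    printf("password=%-16s unguarded=%-5s guarded=%s\n",
        var_export($pw, true), var_export($unguarded, true), var_export($guarded, true));
}
```

The same login failure message is returned for an empty password and for a wrong one, so the response does not reveal which check rejected the attempt.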
