ldap authenticates without password

trf000 · Post by **trf000** » Tue Nov 23, 2010 5:41 pm

Hi, great software by the way.

My issue is with ldap, which i am using on a number of applications. I've changed constants_ldap to

Code: Select all

$PMF_LDAP['ldap_mapping'] = array (
    'name'     => 'cn',
    'username' => 'samaccountname',
    'mail'     => 'mail');

my AD was whining about the case

Now when any user logs in with their AD user/pwd, everything is fine, all user tables are populated. However if they log in with JUST their username, it still authenticates, but all user info is wiped out (email, display name etc.) a wrong password behaves as expected with the message User or password not valid.

thoughts?

Post by **Thorsten** » Tue Nov 23, 2010 8:20 pm

Hi,

I have to check this issue.

bye
Thorsten

trf000 · Post by **trf000** » Tue Nov 23, 2010 9:48 pm

seems to be a known ldap/AD bug. our workaround has been something like this:

if (empty($password)) {
return false
}

Not sure where to fit this into your code though... index.php maybe?

Post by **Thorsten** » Wed Nov 24, 2010 7:57 am

Hi,

it have to be placed in inc/Ldap.php. I'll add a fix for this issue. Thanks!

bye
Thorsten

trf000 · Post by **trf000** » Wed Nov 24, 2010 3:44 pm

any chance you could point me to the right spot? I tried adding it here:

Code: Select all

 $this->base = $ldap_base;

        if (!isset($ldap_user) || !isset($ldap_server) || $ldap_server == "" || 
            !isset($ldap_port) || $ldap_port == "" || !isset($ldap_base) || 
            $ldap_base == "" || !isset($ldap_password) || empty($ldap_password)) {
            return false;
        }

Which won't allow a login, but takes the user to an error page.

trf000 · Post by **trf000** » Wed Nov 24, 2010 3:51 pm

below this:

Code: Select all

if (!isset($ldap_user) || !isset($ldap_server) || $ldap_server == "" || 
            !isset($ldap_port) || $ldap_port == "" || !isset($ldap_base) || 
            $ldap_base == "" || !isset($ldap_password)) {
            return false;
        }

I added this:

Code: Select all

if (empty($ldap_password)) {
			$this->error = 'Unable to connect to LDAP server (Error: '.ldap_error($this->ds).')';
			//return false;
		}

Seems to work, though I'm betting you have something better in your fix.

Post by **Thorsten** » Wed Nov 24, 2010 6:55 pm

Hi,

looks good, I'll add it to version 2.6.12. Thanks!

bye
Thorsten

Post by **Thorsten** » Wed Nov 24, 2010 7:06 pm

Hi,

I improved the code... could you please test this class: https://github.com/thorsten/phpMyFAQ/bl ... c/Ldap.php

Thanks!

bye
Thorsten

trf000 · Post by **trf000** » Fri Dec 03, 2010 10:25 pm

That code will not let me authenticate.

Post by **Thorsten** » Sat Dec 04, 2010 9:45 am

Hi,

thanks for the feedback. I'll revert this commit then.

bye
Thorsten

phpMyFAQ

ldap authenticates without password

ldap authenticates without password

Re: ldap authenticates without password

Re: ldap authenticates without password

Re: ldap authenticates without password

Re: ldap authenticates without password

Re: ldap authenticates without password

Re: ldap authenticates without password

Re: ldap authenticates without password

Re: ldap authenticates without password

Re: ldap authenticates without password