Page 1 of 1
ldap authenticates without password
Posted: Tue Nov 23, 2010 5:41 pm
by trf000
Hi, great software by the way.
My issue is with ldap, which i am using on a number of applications. I've changed constants_ldap to
Code: Select all
$PMF_LDAP['ldap_mapping'] = array (
'name' => 'cn',
'username' => 'samaccountname',
'mail' => 'mail');
my AD was whining about the case
Now when any user logs in with their AD user/pwd, everything is fine, all user tables are populated. However if they log in with JUST their username, it still authenticates, but all user info is wiped out (email, display name etc.) a wrong password behaves as expected with the message User or password not valid.
thoughts?
Re: ldap authenticates without password
Posted: Tue Nov 23, 2010 8:20 pm
by Thorsten
Hi,
I have to check this issue.
bye
Thorsten
Re: ldap authenticates without password
Posted: Tue Nov 23, 2010 9:48 pm
by trf000
seems to be a known ldap/AD bug. our workaround has been something like this:
if (empty($password)) {
return false
}
Not sure where to fit this into your code though... index.php maybe?
Re: ldap authenticates without password
Posted: Wed Nov 24, 2010 7:57 am
by Thorsten
Hi,
it have to be placed in inc/Ldap.php. I'll add a fix for this issue. Thanks!
bye
Thorsten
Re: ldap authenticates without password
Posted: Wed Nov 24, 2010 3:44 pm
by trf000
any chance you could point me to the right spot? I tried adding it here:
Code: Select all
$this->base = $ldap_base;
if (!isset($ldap_user) || !isset($ldap_server) || $ldap_server == "" ||
!isset($ldap_port) || $ldap_port == "" || !isset($ldap_base) ||
$ldap_base == "" || !isset($ldap_password) || empty($ldap_password)) {
return false;
}
Which won't allow a login, but takes the user to an error page.
Re: ldap authenticates without password
Posted: Wed Nov 24, 2010 3:51 pm
by trf000
below this:
Code: Select all
if (!isset($ldap_user) || !isset($ldap_server) || $ldap_server == "" ||
!isset($ldap_port) || $ldap_port == "" || !isset($ldap_base) ||
$ldap_base == "" || !isset($ldap_password)) {
return false;
}
I added this:
Code: Select all
if (empty($ldap_password)) {
$this->error = 'Unable to connect to LDAP server (Error: '.ldap_error($this->ds).')';
//return false;
}
Seems to work, though I'm betting you have something better in your fix.
Re: ldap authenticates without password
Posted: Wed Nov 24, 2010 6:55 pm
by Thorsten
Hi,
looks good, I'll add it to version 2.6.12. Thanks!
bye
Thorsten
Re: ldap authenticates without password
Posted: Wed Nov 24, 2010 7:06 pm
by Thorsten
Hi,
I improved the code... could you please test this class:
https://github.com/thorsten/phpMyFAQ/bl ... c/Ldap.php
Thanks!
bye
Thorsten
Re: ldap authenticates without password
Posted: Fri Dec 03, 2010 10:25 pm
by trf000
That code will not let me authenticate.
Re: ldap authenticates without password
Posted: Sat Dec 04, 2010 9:45 am
by Thorsten
Hi,
thanks for the feedback. I'll revert this commit then.
bye
Thorsten