2 commits - lib/Auth lib/ext
Jeroen van Meeuwen
vanmeeuwen at kolabsys.com
Thu Aug 30 16:05:46 CEST 2012
lib/Auth/LDAP.php | 106 +++++---------------------------------------------
lib/ext/Net/LDAP3.php | 17 +++++++-
2 files changed, 26 insertions(+), 97 deletions(-)
New commits:
commit 2a6fa89737d7447706cdb848e5b8bfc2aeffc71b
Author: Jeroen van Meeuwen (Kolab Systems) <vanmeeuwen at kolabsys.com>
Date: Thu Aug 30 14:40:07 2012 +0100
The login() function should notice the $username argument actually contains a distinguished name
diff --git a/lib/ext/Net/LDAP3.php b/lib/ext/Net/LDAP3.php
index 4acdf1c..2ea7833 100644
--- a/lib/ext/Net/LDAP3.php
+++ b/lib/ext/Net/LDAP3.php
@@ -777,6 +777,19 @@ class Net_LDAP3
return NULL;
}
+ $entry_dn = $this->entry_dn($username);
+
+ if (!empty($entry_dn)) {
+ $bound = $this->bind($entry_dn, $password);
+
+ if (!$bound) {
+ new PEAR_Error("Could not bind with " . $entry_dn);
+ return NULL;
+ }
+
+ return $entry_dn;
+ }
+
$base_dn = $this->config_get('root_dn');
if (empty($base_dn)) {
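Review bot: The new DN branch calls `$this->bind($entry_dn, $password)` without first checking that `$password` is non-empty; an LDAP simple bind with a DN and an empty password is an unauthenticated bind that many directory servers accept, so login() would return `$entry_dn` as a successful authentication for any known DN unless an earlier part of login() already rejects empty passwords (the function's start is outside this hunk). Guard it before the bind, e.g. `if ($password === null || $password === '') { return NULL; }`, or reject empty passwords once at the top of login() so both the DN branch and the search branch are covered. Separately, `new PEAR_Error("Could not bind with " . $entry_dn);` on the failure path constructs the error object and discards it, so nothing is logged or raised; use `$this->_debug(...)` as the surrounding code does, or return the PEAR_Error, rather than leaving a no-op statement.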
@@ -804,7 +817,7 @@ class Net_LDAP3
$filter = "(&(|(mail=%s)(alias=%s)(uid=%s))(objectclass=inetorgperson))";
}
- $this->_debug($filter);
+ $this->_debug("Net::LDAP3::login() original filter: " . $filter);
$replace_patterns = Array(
'/%s/' => $username,
@@ -815,7 +828,7 @@ class Net_LDAP3
$filter = preg_replace(array_keys($replace_patterns), array_values($replace_patterns), $filter);
- $this->_debug($filter);
+ $this->_debug("Net::LDAP3::login() actual filter: " . $filter);
$result = $this->search($base_dn, $filter, 'sub');
commit ba2f0c255d2e055f7e81dbe7e4b0fec29437caf5
Author: Jeroen van Meeuwen (Kolab Systems) <vanmeeuwen at kolabsys.com>
Date: Thu Aug 30 14:37:14 2012 +0100
Relay an authentication request to Net_LDAP3::login(), and use the results to store in our session
Make sure search() only binds with user credentials if actual user credentials are available
Obsoletes function _get_user_dn()
diff --git a/lib/Auth/LDAP.php b/lib/Auth/LDAP.php
index 43051db..8d5e384 100644
--- a/lib/Auth/LDAP.php
+++ b/lib/Auth/LDAP.php
@@ -104,81 +104,22 @@ class LDAP extends Net_LDAP3 {
* @return bool|string User ID or False on failure
*/
public function authenticate($username, $password) {
- Log::debug("LDAP: authentication request for $username");
+ Log::debug("Auth::LDAP: authentication request for $username");
if (!$this->connect()) {
return false;
}
- // Attempt to explode the username to see if it is in fact a DN,
- // such as would be the case for 'cn=Directory Manager' or
- // 'uid=admin'.
- $subject = $this->entry_dn($username);
+ $result = $this->login($username, $password);
- if (!$subject) {
- list($this->userid, $this->domain) = $this->_qualify_id($username);
- $root_dn = $this->config_get("root_dn");
-
- // Compose a filter to find the subject dn.
- // Use the kolab_user_filter first, if configured, and the user_filter
- // as a fallback.
- // Use the auth_attrs configured.
- $filter = '(&';
-
- $user_filter = $this->conf->get('kolab_user_filter');
-
- if (!$user_filter) {
- $user_filter = $this->conf->get('user_filter');
- }
-
- $filter .= $user_filter;
-
- $auth_attrs = $this->conf->get_list('auth_attributes');
-
- console("Using authentication attributes", $auth_attrs);
- if (count($auth_attrs) > 0) {
- $filter .= '(|';
-
- foreach ($auth_attrs as $attr) {
- $filter .= '(' . $attr . '=' . $this->userid . ')';
- $filter .= '(' . $attr . '=' . $this->userid . '@' . $this->domain . ')';
- }
-
- $filter .= ')';
- } else {
- // Default to uid.
- $filter .= '(|(uid=' . $this->userid . '))';
- }
-
- $filter .= ')';
-
- console("LDAP::authenticate() using filter " . $filter);
-
- $subject_dn = $this->_get_user_dn($root_dn, $filter);
- } else {
- $subject_dn = $subject;
+ if (!$result) {
+ return FALSE;
}
- if ($this->bind($subject_dn, $password)) {
-// $this->_unbind();
-
- if (isset($_SESSION['user'])) {
- $_SESSION['user']->user_root_dn = $root_dn;
- $_SESSION['user']->user_bind_dn = $subject_dn;
- $_SESSION['user']->user_bind_pw = $password;
-
- Log::debug("LDAP: Successfully bound with User DN: " . $_SESSION['user']->user_bind_dn);
- }
- else {
- Log::debug("LDAP: Successfully bound with User DN: $subject_dn but not saving it to the session");
- }
+ $_SESSION['user']->user_bind_dn = $result;
+ $_SESSION['user']->user_bind_pw = $password;
- // @TODO: return unique attribute
- return $subject_dn;
- }
- else {
- return false;
- }
+ return $result;
}
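Review bot: The new code writes `$_SESSION['user']->user_bind_dn` and `->user_bind_pw` unconditionally, whereas the removed code only did so inside `if (isset($_SESSION['user']))`; when no session user object exists this dereferences null (a "creating default object" warning on PHP 5/7 and an Error on PHP 8). Restore the guard: `if (isset($_SESSION['user'])) { $_SESSION['user']->user_bind_dn = $result; $_SESSION['user']->user_bind_pw = $password; }`. The removed branch also stored `user_root_dn`, which the new code no longer sets, so any caller that read it from the session would now find it missing — worth confirming against the rest of lib/Auth/LDAP.php. The docblock above still says `@return bool|string User ID or False on failure` while the method returns the bind DN from login(); either reword it to "bind DN" or keep the removed `@TODO: return unique attribute` so the mismatch stays visible.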
public function domain_add($domain, $parent_domain = false, $prepopulate = true) {
@@ -810,7 +751,10 @@ class LDAP extends Net_LDAP3 {
}
public function search($base_dn, $filter = '(objectclass=*)', $scope = 'sub', $sort = NULL, $search = Array()) {
- $this->bind($_SESSION['user']->user_bind_dn, $_SESSION['user']->user_bind_pw);
+ if (isset($_SESSION['user']->user_bind_dn) && !empty($_SESSION['user']->user_bind_dn)) {
+ $this->bind($_SESSION['user']->user_bind_dn, $_SESSION['user']->user_bind_pw);
+ }
+
Log::trace("Relaying search to parent:" . var_export($base_dn, TRUE));
return parent::search($base_dn, $filter, $scope, $sort, $search);
}
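Review bot: The return value of `$this->bind(...)` in the new conditional is discarded, so if the re-bind with the session user's credentials fails the search still proceeds under whatever identity the connection currently holds, which may be a previously bound privileged account rather than the user; check it, e.g. `if (!$this->bind($_SESSION['user']->user_bind_dn, $_SESSION['user']->user_bind_pw)) { return false; }` (confirm that callers handle a false return the same way they handle an empty result from parent::search). The condition itself is redundant: `!empty($_SESSION['user']->user_bind_dn)` already implies `isset(...)`, so `if (!empty($_SESSION['user']->user_bind_dn)) {` is sufficient.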
@@ -1302,34 +1246,6 @@ class LDAP extends Net_LDAP3 {
return true;
}
- /*
- Utility functions
- */
-
- private function _get_user_dn($root_dn, $search_filter) {
- // TODO: Why does this use privileged credentials?
- if (($this->bind($this->conf->get('bind_dn'), $this->conf->get('bind_pw'))) == false) {
- //message("WARNING: Invalid Service bind credentials supplied");
- $this->bind($this->conf->get('manager_bind_dn'), $this->conf->get('manager_bind_pw'));
- }
-
- console("Searching for a user dn in $root_dn, with search filter: $search_filter");
-
- $search_results = ldap_search($this->conn, $root_dn, $search_filter);
-
- if (!$search_results || ldap_count_entries($this->conn, $search_results) == 0) {
- //message("No entries found for the user dn in " . __METHOD__);
- return false;
- }
-
- if (($first_entry = ldap_first_entry($this->conn, $search_results)) == false) {
- return false;
- }
-
- $user_dn = ldap_get_dn($this->conn, $first_entry);
- return $user_dn;
- }
-
/**
* Probe the root dn with the user credentials.
*