From 41469a4570c25d1b309bd81f7fb31dbe016d47d0 Mon Sep 17 00:00:00 2001
From: Uwe Steinmann <steinm@debian.org>
Date: Sat, 1 Feb 2014 21:52:45 +0100
Subject: [PATCH] clean up and test ldap code

---
 op/op.Login.php | 86 +++++++++++++++++++------------------------------
 1 file changed, 34 insertions(+), 52 deletions(-)

diff --git a/op/op.Login.php b/op/op.Login.php
index 27d1947cf..5c1ba9fb9 100644
--- a/op/op.Login.php
+++ b/op/op.Login.php
@@ -69,37 +69,40 @@ if ((!isset($pwd) || strlen($pwd)==0) && ($login != $guestUser->getLogin()))  {
 // LDAP Sign In
 //
 
-/* new code by doudoux - TO BE TESTED */
-if (isset($settings->_ldapBaseDN)) {
-	$ldapSearchAttribut = "uid=";
-	$tmpDN = "uid=".$login.",".$settings->_ldapBaseDN;
-}
-
-if (isset($settings->_ldapType))
-{
-    if ($settings->_ldapType==1)
-    {
-        $ldapSearchAttribut = "sAMAccountName=";
-        $tmpDN = $login.'@'.$settings->_ldapAccountDomainName;
-    }
-} 
-/* end of new code */
-
-
+/* Initialy set $user to false. It will contain a valid user record
+ * if authentication against ldap succeeds.
+ * _ldapHost will only have a value if the ldap connector has been enabled
+ */
 $user = false;
 if (isset($settings->_ldapHost) && strlen($settings->_ldapHost)>0) {
 	if (isset($settings->_ldapPort) && is_int($settings->_ldapPort)) {
 		$ds = ldap_connect($settings->_ldapHost, $settings->_ldapPort);
-	}
-	else {
+	} else {
 		$ds = ldap_connect($settings->_ldapHost);
 	}
+
 	if (!is_bool($ds)) {
+		/* Check if ldap base dn is set, and use ldap server if it is */
+		if (isset($settings->_ldapBaseDN)) {
+			$ldapSearchAttribut = "uid=";
+			$tmpDN = "uid=".$login.",".$settings->_ldapBaseDN;
+		}
+
+		/* Active directory has a different base dn */
+		if (isset($settings->_ldapType)) {
+			if ($settings->_ldapType==1) {
+				$ldapSearchAttribut = "sAMAccountName=";
+				$tmpDN = $login.'@'.$settings->_ldapAccountDomainName;
+			}
+		} 
+
 		// Ensure that the LDAP connection is set to use version 3 protocol.
 		// Required for most authentication methods, including SASL.
 		ldap_set_option($ds, LDAP_OPT_PROTOCOL_VERSION, 3);
 
-		// try an authenticated/anonymous bind first. If it succeeds, get the DN for the user.
+		// try an authenticated/anonymous bind first.
+		// If it succeeds, get the DN for the user and use it for an authentication
+		// with the users password.
 		$bind = false;
 		if (isset($settings->_ldapBindDN)) {
 			$bind = @ldap_bind($ds, $settings->_ldapBindDN, $settings->_ldapBindPw);
@@ -107,55 +110,34 @@ if (isset($settings->_ldapHost) && strlen($settings->_ldapHost)>0) {
 			$bind = @ldap_bind($ds);
 		}
 		$dn = false;
-				
-		/* new code by doudoux - TO BE TESTED */
-	        if ($bind) {        
-	            $search = ldap_search($ds, $settings->_ldapBaseDN, $ldapSearchAttribut.$login);
-	            if (!is_bool($search)) {
-	                $info = ldap_get_entries($ds, $search);
-	                if (!is_bool($info) && $info["count"]>0) {
-	                    $dn = $info[0]['dn'];
-	                }
-	            }
-	        } 
-		/* end of new code */
-		
-		/* old code */
-		if ($bind) {
-			$search = ldap_search($ds, $settings->_ldapBaseDN, "uid=".$login);
+		/* If bind succeed, then get the dn of for the user */
+		if ($bind) {        
+			$search = ldap_search($ds, $settings->_ldapBaseDN, $ldapSearchAttribut.$login);
 			if (!is_bool($search)) {
 				$info = ldap_get_entries($ds, $search);
 				if (!is_bool($info) && $info["count"]>0) {
 					$dn = $info[0]['dn'];
 				}
 			}
-		}
-		/* end of old code */
+		} 
 
-		
+		/* If the previous bind failed, try it with the users creditionals
+		 * by simply setting $dn to a default string
+		 */
 		if (is_bool($dn)) {
-			// This is the fallback position, in case the anonymous bind does not
-			// succeed.
-			
-			/* new code by doudoux  - TO BE TESTED */
 			$dn = $tmpDN;
-			/* old code */
-			//$dn = "uid=".$login.",".$settings->_ldapBaseDN; 
-			
 		}
+
+		/* No do the actual authentication of the user */
 		$bind = @ldap_bind($ds, $dn, $pwd);
 		if ($bind) {
 			// Successfully authenticated. Now check to see if the user exists within
-			// the database. If not, add them in, but do not add their password.
+			// the database. If not, add them in if _restricted is not set,
+			// but do not add their password.
 			$user = $dms->getUserByLogin($login);
 			if (is_bool($user) && !$settings->_restricted) {
 				// Retrieve the user's LDAP information.
-				
-				
-				/* new code by doudoux  - TO BE TESTED */
 				$search = ldap_search($ds, $settings->_ldapBaseDN, $ldapSearchAttribut . $login); 
-				/* old code */
-				//$search = ldap_search($ds, $dn, "uid=".$login);
 				
 				if (!is_bool($search)) {
 					$info = ldap_get_entries($ds, $search);