do not use a general dn for a user if ldap filter is set

Uwe Steinmann 2023-08-25 20:17:47 +02:00
parent 83923eba59
commit c10d5ebb9b


@ -153,7 +153,7 @@ class SeedDMS_LdapAuthentication extends SeedDMS_Authentication {
* address. * address.
*/ */
if ($bind) { if ($bind) {
if (isset($settings->_ldapFilter) && strlen($settings->_ldapFilter) > 0) { if (!empty($settings->_ldapFilter)) {
$search = ldap_search($ds, $settings->_ldapBaseDN, "(&(".$ldapSearchAttribut.$username.")".$settings->_ldapFilter.")"); $search = ldap_search($ds, $settings->_ldapBaseDN, "(&(".$ldapSearchAttribut.$username.")".$settings->_ldapFilter.")");
} else { } else {
$search = ldap_search($ds, $settings->_ldapBaseDN, $ldapSearchAttribut.$username); $search = ldap_search($ds, $settings->_ldapBaseDN, $ldapSearchAttribut.$username);
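Review bot: The filter restriction this commit enforces can still be bypassed through the search filter built on the hunk's third line, because `$username` is concatenated into `(&(<attr><username>)<filter>)` without escaping. A filtered-out user who logs in as `alice)(|(objectClass=*` yields `(&(uid=alice)(|(objectClass=*)(mail=*))`, which matches their entry regardless of `_ldapFilter`, so the search still returns their DN and the later bind with their real password succeeds. Escape the name once before both ldap_search calls, `$safeUser = ldap_escape($username, '', LDAP_ESCAPE_FILTER);`, and use `$ldapSearchAttribut.$safeUser` in place of `$ldapSearchAttribut.$username` on both lines. This assumes `$username` arrives straight from the login form and `$ldapSearchAttribut` ends in `=`; the start of this method and the point where `$username` is read are outside the hunk.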
@ -168,18 +168,25 @@ class SeedDMS_LdapAuthentication extends SeedDMS_Authentication {
/* If the previous bind failed, try it with the users creditionals /* If the previous bind failed, try it with the users creditionals
* by simply setting $dn to a guessed dn (see above) * by simply setting $dn to a guessed dn (see above)
* FIXME: This is probably a bad idea because users filtered out * Don't do this if a filter is set because users filtered out
* may still be able to authenticate, because $tmpDN could be a * may still be able to authenticate, because $tmpDN could be a
* valid DN. Example: if baseDN is 'dc=seeddms,dc=org' and the * valid DN which do not match the filter criteria.
* Example: if baseDN is 'dc=seeddms,dc=org' and the
* user 'test' logs in, then $tmpDN will be 'uid=test,dc=seeddms,dc=org' * user 'test' logs in, then $tmpDN will be 'uid=test,dc=seeddms,dc=org'
* If that user was filtered out, because filter was set to '(mail=*)' * If that user was filtered out, because filter was set to '(mail=*)'
* and the user doesn't have a mail address, then $dn will not be * and the user doesn't have a mail address, then $dn will not be
* set and $tmpDN will be used instead, allowing a successfull bind. * set and $tmpDN will be used instead, allowing a successfull bind.
*/ */
if (is_bool($dn)) { if (is_bool($dn) && empty($settings->_ldapFilter)) {
$dn = $tmpDN; $dn = $tmpDN;
} }
/* Without a dn don't even try to bind. It won't work anyway */
if(!$dn) {
ldap_close($ds);
return null;
}
/* Check if user already exists in the database. Return with an error /* Check if user already exists in the database. Return with an error
* only if the sql statements fails, but not if no user was found. * only if the sql statements fails, but not if no user was found.
*/ */
@ -193,7 +200,7 @@ class SeedDMS_LdapAuthentication extends SeedDMS_Authentication {
$bind = @ldap_bind($ds, $dn, $password); $bind = @ldap_bind($ds, $dn, $password);
if (!$bind) { if (!$bind) {
ldap_close($ds); ldap_close($ds);
return false; return null;
} }
// Successfully authenticated. Now check to see if the user exists within // Successfully authenticated. Now check to see if the user exists within