add more code documentation

2024-11-26 15:32:13 +00:00 · 2023-08-25 12:33:35 +02:00 · 2023-08-25 12:33:35 +02:00 · c51088a3b6
commit c51088a3b6
parent 8ac054cb72
1 changed files with 11 additions and 1 deletions
--- a/inc/inc.ClassLdapAuthentication.php
+++ b/inc/inc.ClassLdapAuthentication.php
@ -110,6 +110,9 @@ class SeedDMS_LdapAuthentication extends SeedDMS_Authentication {

 		if (!is_bool($ds)) {
 			/* Check if ldap base dn is set, and use ldap server if it is */
+			/* $tmpDN will be set to a 'wild' guess how the user's dn might
+			 * look like if searching for that user didn't return a dn.
+			 */
 			if (isset($settings->_ldapBaseDN)) {
 				$ldapSearchAttribut = "uid=";
 				$tmpDN = "uid=".$username.",".$settings->_ldapBaseDN;
@ -164,7 +167,14 @@ class SeedDMS_LdapAuthentication extends SeedDMS_Authentication {
 			}

 			/* If the previous bind failed, try it with the users creditionals
-			 * by simply setting $dn to a default string
+			 * by simply setting $dn to a guessed dn (see above)
+			 * FIXME: This is probably a bad idea because users filtered out
+			 * may still be able to authenticate, because $tmpDN could be a
+			 * valid DN. Example: if baseDN is 'dc=seeddms,dc=org' and the
+			 * user 'test' logs in, then $tmpDN will be 'uid=test,dc=seeddms,dc=org'
+			 * If that user was filtered out, because filter was set to '(mail=*)'
+			 * and the user doesn't have a mail address, then $dn will not be
+			 * set and $tmpDN will be used instead, allowing a successfull bind.
 			 */
 			if (is_bool($dn)) {
 				$dn = $tmpDN;