From 02be0aef292f998dc805cd506aec9430ffe276a3 Mon Sep 17 00:00:00 2001 From: Web5 Date: Sun, 24 Mar 2013 11:50:11 -0400 Subject: [PATCH] Fix LDAP plugin error and add option disabling anonymous login befor bind --- plugins/auth_ldap/init.php | 26 +++++++++++++++++--------- 1 file changed, 17 insertions(+), 9 deletions(-) diff --git a/plugins/auth_ldap/init.php b/plugins/auth_ldap/init.php index e1a4c49f1..8a7488e1c 100644 --- a/plugins/auth_ldap/init.php +++ b/plugins/auth_ldap/init.php @@ -10,12 +10,13 @@ * Configuration * Put the following options in config.php and customize them for your environment * - * define('LDAP_AUTH_SERVER_URI, 'ldaps://LDAPServerHostname:port/'); - * define('LDAP_AUTH_USETLS, FALSE); // Enable TLS Support for ldaps:// + * define('LDAP_AUTH_SERVER_URI', 'ldaps://LDAPServerHostname:port/'); + * define('LDAP_AUTH_USETLS', FALSE); // Enable TLS Support for ldaps:// * define('LDAP_AUTH_ALLOW_UNTRUSTED_CERT', TRUE); // Allows untrusted certificate * define('LDAP_AUTH_BINDDN', 'cn=serviceaccount,dc=example,dc=com'); * define('LDAP_AUTH_BINDPW', 'ServiceAccountsPassword'); * define('LDAP_AUTH_BASEDN', 'dc=example,dc=com'); + * define('LDAP_AUTH_ANONYMOUSBEFOREBIND', FALSE); * // ??? will be replaced with the entered username(escaped) at login * define('LDAP_AUTH_SEARCHFILTER', '(&(objectClass=person)(uid=???))'); */ @@ -54,7 +55,7 @@ class Auth_Ldap extends Plugin implements IAuthModule { } private function _log($msg) { - trigger_error($msg, E_USER_WARN); + trigger_error($msg, E_USER_WARNING); } function authenticate($login, $password) { @@ -73,10 +74,15 @@ class Auth_Ldap extends Plugin implements IAuthModule { return FALSE; } $ldapConnParams=array( - 'host'=>$parsedURI['scheme'].'://'.$parsedURI['host'], + 'host'=>$parsedURI['host'], 'basedn'=>LDAP_AUTH_BASEDN, 'options' => array('LDAP_OPT_REFERRALS' => 0) ); + + if (!LDAP_AUTH_ANONYMOUSBEFOREBIND) { + $ldapConnParams['binddn']= LDAP_AUTH_BINDDN; + $ldapConnParams['bindpw']= LDAP_AUTH_BINDPW; + } $ldapConnParams['starttls']= defined('LDAP_AUTH_USETLS') ? LDAP_AUTH_USETLS : FALSE; @@ -92,11 +98,13 @@ class Auth_Ldap extends Plugin implements IAuthModule { $this->_log('Could not connect to LDAP Server: '.$ldapConn->getMessage()); return FALSE; } - // Bind with service account - $binding=$ldapConn->bind(LDAP_AUTH_BINDDN, LDAP_AUTH_BINDPW); - if (Net_LDAP2::isError($binding)) { - $this->_log('Cound not bind service account: '.$binding->getMessage()); - return FALSE; + // Bind with service account if orignal connexion was anonymous + if (LDAP_AUTH_ANONYMOUSBEFOREBIND) { + $binding=$ldapConn->bind(LDAP_AUTH_BINDDN, LDAP_AUTH_BINDPW); + if (Net_LDAP2::isError($binding)) { + $this->_log('Cound not bind service account: '.$binding->getMessage()); + return FALSE; + } } //Searching for user $completedSearchFiler=str_replace('???',$login,LDAP_AUTH_SEARCHFILTER);