Skip to content

Fixed #13335: Use the app bind in the ldap auth #13739

New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Closed
vincent-abel wants to merge 1 commit into from
Closed

Fixed #13335: Use the app bind in the ldap auth #13739

Changes from all commits
Commits
Show all changes
1 commit
Select commit
File filter

Filter by extension

Filter by extension
Conversations
Failed to load comments.
Loading
Jump to
Jump to file
Failed to load files.
Loading
Diff view
Diff view
55 changes: 26 additions & 29 deletions app/Models/Ldap.php
View file
Open in desktop
Original file line number Diff line number Diff line change
Expand Up @@ -119,40 +119,37 @@ public static function findAndBindUserLdap($username, $password)

\Log::debug('Filter query: '.$filterQuery);

if (! $ldapbind = @ldap_bind($connection, $userDn, $password)) {
\Log::debug("Status of binding user: $userDn to directory: (directly!) ".($ldapbind ? "success" : "FAILURE"));
if (! $ldapbind = self::bindAdminToLdap($connection)) {
/*
* TODO PLEASE:
*
* this isn't very clear, so it's important to note: the $ldapbind value is never correctly returned - we never 'return true' from self::bindAdminToLdap() (the function
* just "falls off the end" without ever explictly returning 'true')
*
* but it *does* have an interesting side-effect of checking for the LDAP password being incorrectly encrypted with the wrong APP_KEY, so I'm leaving it in for now.
*
* If it *did* correctly return 'true' on a succesful bind, it would _probably_ allow users to log in with an incorrect password. Which would be horrible!
*
* Let's definitely fix this at the next refactor!!!!
*
*/
if ($ldapbind = @ldap_bind($connection, $userDn, $password)) { // IF you can bind user
\Log::debug("Status of binding user: $userDn to directory: (directly!) ".($ldapbind ? "success" : "FAILURE"));
$settings = Setting::getSettings();
$connection = Ldap::connectToLdap();

$ldapbind = self::bindAdminToLdap($connection); // rebind to app account for the search
/*
* As far as i comprehend the logic, from before, this should raise the error in appkey too.
*
*/


\Log::debug("Status of binding Admin user: $userDn to directory instead: ".($ldapbind ? "success" : "FAILURE"));
return false;
}
}

if (! $results = ldap_search($connection, $baseDn, $filterQuery)) {
throw new Exception('Could not search LDAP: ');
}
// felt like we should try those only if the user was ok

if (! $entry = ldap_first_entry($connection, $results)) {
return false;
}
if (! $results = ldap_search($connection, $baseDn, $filterQuery)) {
throw new Exception('Could not search LDAP: ');
}

if (! $user = ldap_get_attributes($connection, $entry)) {
return false;
}
if (! $entry = ldap_first_entry($connection, $results)) {
return false;
}

return array_change_key_case($user);
if (! $user = ldap_get_attributes($connection, $entry)) {
return false;
}

return array_change_key_case($user);
}
return false; // If user didn't bound correctly.
}

/**
Expand Down