0001-added-an-option-to-bind-an-ldap-account-before-searc.patch (3,480 bytes)
From 703d4c7fb9c463a3e5a7a7f372669fbf0c704ada Mon Sep 17 00:00:00 2001
From: Hannes Georg <hannes.georg@xing.com>
Date: Wed, 14 Mar 2012 14:36:03 +0100
Subject: [PATCH] added an option to bind an ldap-account before searching it
---
wwwroot/inc/auth.php | 17 ++++++++++++++---
wwwroot/inc/install.php | 3 +++
2 files changed, 17 insertions(+), 3 deletions(-)
diff --git a/wwwroot/inc/auth.php b/wwwroot/inc/auth.php
index 77e03a6..b17cce7 100644
--- a/wwwroot/inc/auth.php
+++ b/wwwroot/inc/auth.php
@@ -391,6 +391,10 @@ function queryLDAPServer ($username, $password)
throw new RackTablesError ('LDAP misconfiguration: LDAP TLS required but not successfully negotiated.', RackTablesError::MISCONFIGURED);
}
+ if (array_key_exists ('options', $LDAP_options) and is_array ($LDAP_options['options']))
+ foreach ($LDAP_options['options'] as $opt_code => $opt_value)
+ ldap_set_option ($connect, $opt_code, $opt_value);
+
// Decide on the username we will actually authenticate for.
if (isset ($LDAP_options['domain']) and strlen ($LDAP_options['domain']))
$auth_user_name = $username . "@" . $LDAP_options['domain'];
@@ -402,6 +406,16 @@ function queryLDAPServer ($username, $password)
strlen ($LDAP_options['search_attr'])
)
{
+ // If a search_bind_rdn is supplied, bind to that and use it to search.
+ // This is required unless a server offers anonymous searching.
+ // Using bind again on the connection works as expected.
+ // The password is optional as it might be optional on server, too.
+ if( isset( $LDAP_options['search_bind_rdn'] ) && strlen( $LDAP_options['search_bind_rdn'] ) ){
+ $search_bind = @ldap_bind( $connect, $LDAP_options['search_bind_rdn'], isset($LDAP_options['search_bind_password']) ? $LDAP_options['search_bind_password'] : null );
+ if( $search_bind === FALSE ){
+ throw new RackTablesError ('LDAP misconfiguration. You have specified a search_bin_rdn'.(isset($LDAP_options['search_bind_password']) ? ' and a search_bind_password' : ' without a search_bind_password').', but the server refused it with: '.ldap_error($connect), RackTablesError::MISCONFIGURED);
+ }
+ }
$results = @ldap_search ($connect, $LDAP_options['search_dn'], '(' . $LDAP_options['search_attr'] . "=${username})", array("dn"));
if ($results === FALSE)
return array ('result' => 'CAN');
@@ -416,9 +430,6 @@ function queryLDAPServer ($username, $password)
}
else
throw new RackTablesError ('LDAP misconfiguration. Cannon build username for authentication.', RackTablesError::MISCONFIGURED);
- if (array_key_exists ('options', $LDAP_options) and is_array ($LDAP_options['options']))
- foreach ($LDAP_options['options'] as $opt_code => $opt_value)
- ldap_set_option ($connect, $opt_code, $opt_value);
$bind = @ldap_bind ($connect, $auth_user_name, $password);
if ($bind === FALSE)
switch (ldap_errno ($connect))
diff --git a/wwwroot/inc/install.php b/wwwroot/inc/install.php
index cfaf199..7ad76ae 100644
--- a/wwwroot/inc/install.php
+++ b/wwwroot/inc/install.php
@@ -260,6 +260,9 @@ function init_config ()
# 'domain' => 'example.com',
# 'search_attr' => '',
# 'search_dn' => '',
+# // The following credentials will be used when searching for the user's dn:
+# 'search_bind_rdn' => null,
+# 'search_bind_password' => null,
# 'displayname_attrs' => '',
# 'options' => array (LDAP_OPT_PROTOCOL_VERSION => 3),
# 'use_tls' => 2, // 0 == don't attempt, 1 == attempt, 2 == require
--
1.7.5.4
