View Issue Details
ID | Project | Category | View Status | Date Submitted | Last Update |
---|---|---|---|---|---|
442 | RackTables | default | public | 2011-06-29 14:50 | 2012-03-17 10:04 |
Reporter | infrastation | Assigned To | |||
Priority | low | Severity | feature | Reproducibility | N/A |
Status | closed | Resolution | fixed | ||
Target Version | 0.19.12 | Fixed in Version | 0.19.12 | ||
Summary | 442: non-anonymous LDAP binding | ||||
Description | The request is to develop code to handle optional LDAP configuration parameters (bind_username and bind_password) to bind respectively (the current implementation uses anonymous binding). | ||||
Tags | No tags attached. | ||||
2012-03-14 13:39
|
0001-added-an-option-to-bind-an-ldap-account-before-searc.patch (3,480 bytes)
From 703d4c7fb9c463a3e5a7a7f372669fbf0c704ada Mon Sep 17 00:00:00 2001 From: Hannes Georg <hannes.georg@xing.com> Date: Wed, 14 Mar 2012 14:36:03 +0100 Subject: [PATCH] added an option to bind an ldap-account before searching it --- wwwroot/inc/auth.php | 17 ++++++++++++++--- wwwroot/inc/install.php | 3 +++ 2 files changed, 17 insertions(+), 3 deletions(-) diff --git a/wwwroot/inc/auth.php b/wwwroot/inc/auth.php index 77e03a6..b17cce7 100644 --- a/wwwroot/inc/auth.php +++ b/wwwroot/inc/auth.php @@ -391,6 +391,10 @@ function queryLDAPServer ($username, $password) throw new RackTablesError ('LDAP misconfiguration: LDAP TLS required but not successfully negotiated.', RackTablesError::MISCONFIGURED); } + if (array_key_exists ('options', $LDAP_options) and is_array ($LDAP_options['options'])) + foreach ($LDAP_options['options'] as $opt_code => $opt_value) + ldap_set_option ($connect, $opt_code, $opt_value); + // Decide on the username we will actually authenticate for. if (isset ($LDAP_options['domain']) and strlen ($LDAP_options['domain'])) $auth_user_name = $username . "@" . $LDAP_options['domain']; @@ -402,6 +406,16 @@ function queryLDAPServer ($username, $password) strlen ($LDAP_options['search_attr']) ) { + // If a search_bind_rdn is supplied, bind to that and use it to search. + // This is required unless a server offers anonymous searching. + // Using bind again on the connection works as expected. + // The password is optional as it might be optional on server, too. + if( isset( $LDAP_options['search_bind_rdn'] ) && strlen( $LDAP_options['search_bind_rdn'] ) ){ + $search_bind = @ldap_bind( $connect, $LDAP_options['search_bind_rdn'], isset($LDAP_options['search_bind_password']) ? $LDAP_options['search_bind_password'] : null ); + if( $search_bind === FALSE ){ + throw new RackTablesError ('LDAP misconfiguration. You have specified a search_bin_rdn'.(isset($LDAP_options['search_bind_password']) ? ' and a search_bind_password' : ' without a search_bind_password').', but the server refused it with: '.ldap_error($connect), RackTablesError::MISCONFIGURED); + } + } $results = @ldap_search ($connect, $LDAP_options['search_dn'], '(' . $LDAP_options['search_attr'] . "=${username})", array("dn")); if ($results === FALSE) return array ('result' => 'CAN'); @@ -416,9 +430,6 @@ function queryLDAPServer ($username, $password) } else throw new RackTablesError ('LDAP misconfiguration. Cannon build username for authentication.', RackTablesError::MISCONFIGURED); - if (array_key_exists ('options', $LDAP_options) and is_array ($LDAP_options['options'])) - foreach ($LDAP_options['options'] as $opt_code => $opt_value) - ldap_set_option ($connect, $opt_code, $opt_value); $bind = @ldap_bind ($connect, $auth_user_name, $password); if ($bind === FALSE) switch (ldap_errno ($connect)) diff --git a/wwwroot/inc/install.php b/wwwroot/inc/install.php index cfaf199..7ad76ae 100644 --- a/wwwroot/inc/install.php +++ b/wwwroot/inc/install.php @@ -260,6 +260,9 @@ function init_config () # 'domain' => 'example.com', # 'search_attr' => '', # 'search_dn' => '', +# // The following credentials will be used when searching for the user's dn: +# 'search_bind_rdn' => null, +# 'search_bind_password' => null, # 'displayname_attrs' => '', # 'options' => array (LDAP_OPT_PROTOCOL_VERSION => 3), # 'use_tls' => 2, // 0 == don't attempt, 1 == attempt, 2 == require -- 1.7.5.4 |
Hi, I added a patch. The new options are $LDAP_options['search_bind_rdn'] and $LDAP_options['search_bind_password']. Thank you! Hannes |
|
Committed revision 5010. Please note how indentation, newlines and lettercase were changed to meet the style of surrounding code. Also, please take care to update the wiki page (the permission should be setup by now): https://sourceforge.net/apps/mediawiki/racktables/index.php?title=LDAP Thank you. |
|
Date Modified | Username | Field | Change |
---|---|---|---|
2011-06-29 14:50 | infrastation | New Issue | |
2012-03-14 13:39 |
|
File Added: 0001-added-an-option-to-bind-an-ldap-account-before-searc.patch | |
2012-03-14 13:42 |
|
Note Added: 0000630 | |
2012-03-17 10:04 | infrastation | Note Added: 0000632 | |
2012-03-17 10:04 | infrastation | Assigned To | => user292 |
2012-03-17 10:04 | infrastation | Status | new => closed |
2012-03-17 10:04 | infrastation | Resolution | open => fixed |
2012-03-17 10:04 | infrastation | Fixed in Version | => 0.19.12 |
2012-03-17 10:04 | infrastation | Target Version | => 0.19.12 |