View Issue Details

ID: 1475
Project: RackTables
Category: default
View Status: public
Last Update: 2015-05-18 01:46
Reporter: simon2
Assigned To:
Priority: low
Severity: feature
Reproducibility: N/A
Status: new
Resolution: open
Product Version: 0.20.8
Summary: 1475: Combined HTTPD trust for username, with LDAP search for group membership
Description:
Regarding user authorization in secret.php:

$user_auth_src = 'ldap' queries a directory service.
$user_auth_src = 'httpd' takes the username from the webserver.

The wiki page on LDAP says "The drawback of [using httpd] is that group membership information wouldn't be available at RackTables level".

This means there's no way to use Kerberos to the webserver to authorise the user without a password prompt, and also use LDAP to query for group membership.

I added code for a new source called 'httpdldap', in auth.php. This takes the username from the webserver like httpd, and the group membership from the configured LDAP server, connecting with the search_bind_rdn and search_bind_password.


In auth.php:
In function authorize() phase 2, the 'httpd' case is used for 'httpdldap' as well.
In function authorize() phase 4, the 'ldap' case is used for 'httpdldap', passing no password for LDAP auth (real 'ldap' connections should still work because phase 2 mandates a password before we get here).
function QueryLDAP() gets a new global, so it can check $auth_usr_src.
function QueryLDAP() gets a change so that, after deciding on a username, if it's using 'httpdldap' for auth, it rebinds with the given search_bind_rdn details instead of the user-supplied details, or throws an error if they aren't set.

I'm attaching a patch (auth.php.patch) which is a diff of the original RackTables 0.20.8 auth.php and my edited one.

It's not thoroughly tested.
Steps To Reproduce:
Apache/Kerberos SSO/'httpd' -> seamless login, but no groups.
Apache/Kerberos SSO/'ldap' -> login prompt, groups.
Apache/Kerberos SSO/patched 'httpdldap' -> seamless login and groups.
Tags: No tags attached.

Activities

simon2 (reporter)

2015-05-18 01:46

auth.php.patch (2,772 bytes)   
--- auth.php.orig   2015-05-18 00:16:05.298179556 +0100
+++ auth.php    2015-05-18 00:33:34.622177357 +0100
@@ -52,7 +52,7 @@
                throw new RackTablesError ('', RackTablesError::NOT_AUTHENTICATED);
            $remote_username = $_SERVER['PHP_AUTH_USER'];
            break;
-       case 'httpd' == $user_auth_src:
+       case ('httpd' == $user_auth_src) or ('httpdldap' == $user_auth_src):
            if
            (
                ! isset ($_SERVER['REMOTE_USER']) or
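Review bot: the 'httpdldap' case now inherits the httpd branch's complete trust in `$_SERVER['REMOTE_USER']`, so in this mode the only thing between an unauthenticated request and a RackTables session is the webserver configuration that populates that variable; the later LDAP step binds with the service account and therefore cannot notice a username that did not come from the Kerberos module. The patch (and the secret.php comment for the new value) should state that REMOTE_USER must be set only by the webserver's own authentication on every location RackTables is served from. As a style point, `case ('httpd' == $user_auth_src) or ('httpdldap' == $user_auth_src):` would read more clearly as `case in_array ($user_auth_src, array ('httpd', 'httpdldap')):`, which also keeps PHP's low-precedence `or` out of the case expression.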
@@ -97,9 +97,9 @@
            if (authenticated_via_database ($userinfo, $_SERVER['PHP_AUTH_PW']))
                return; // success
            break; // failure
-       case 'ldap' == $user_auth_src:
+       case ('ldap' == $user_auth_src) or ('httpdldap' == $user_auth_src):
            $ldap_dispname = '';
-           if (! authenticated_via_ldap ($remote_username, $_SERVER['PHP_AUTH_PW'], $ldap_dispname))
+           if (! authenticated_via_ldap ($remote_username, (isset($_SERVER['PHP_AUTH_PW']) ? $_SERVER['PHP_AUTH_PW'] : ''), $ldap_dispname))
                break; // failure
            $remote_displayname = strlen ($userinfo['user_realname']) ? // local value is most preferred
                $userinfo['user_realname'] :
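Review bot: the `''` fallback for a missing PHP_AUTH_PW means an empty string now travels into authenticated_via_ldap as the password; if anything on the path down to ldap_bind ever uses it as a credential, an empty password yields an unauthenticated (anonymous) bind that many directories accept, turning a missing header into a successful login. The last hunk avoids this for 'httpdldap' by binding with the search account instead, but nothing at this call site marks the empty string as a sentinel. Suggest making the intent explicit: pass `NULL` (or a separate flag) for 'httpdldap', and have authenticated_via_ldap reject an empty or NULL password whenever `$user_auth_src` is 'ldap', so the guarantee the reporter relies on ("phase 2 mandates a password") is enforced here rather than assumed.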
@@ -465,7 +465,7 @@
 //
 function queryLDAPServer ($username, $password)
 {
-   global $LDAP_options;
+   global $LDAP_options, $user_auth_src;

    if(extension_loaded('ldap') === FALSE)
        throw new RackTablesError ('LDAP misconfiguration. LDAP PHP Module is not installed.', RackTablesError::MISCONFIGURED);
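Review bot: queryLDAPServer now decides what to bind as from the global `$user_auth_src`, which is invisible in its signature `($username, $password)`; a reader of the function cannot tell that `$password` is ignored in one mode. Suggest passing the mode explicitly (for example a third parameter such as `$bind_as_service = FALSE`, name hypothetical) or moving the service-account bind into its own function, and updating the `//` header comment above the function to describe the new behaviour.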
@@ -531,7 +531,23 @@
    }
    else
        throw new RackTablesError ('LDAP misconfiguration. Cannon build username for authentication.', RackTablesError::MISCONFIGURED);
-   $bind = @ldap_bind ($connect, $auth_user_name, $password);
+
+    // With httpdldap, we took the username from the webserver, but we have no password
+    // so reconnect with the search_bind_* details to find the user's group membership
+    if ('httpdldap' == $user_auth_src) {
+        if (
+            !isset ($LDAP_options['search_bind_rdn']) or
+            !strlen ($LDAP_options['search_bind_rdn']) or
+            !isset ($LDAP_options['search_bind_password']) or
+            !strlen ($LDAP_options['search_bind_password'])
+        ) {
+            throw new RackTablesError ('To use httpdldap auth, you must specify search_bind_rdn and search_bind_password.', RackTablesError::MISCONFIGURED);
+        }
+        $bind = @ldap_bind ($connect, $LDAP_options['search_bind_rdn'], $LDAP_options['search_bind_password']);
+    } else {
+        $bind = @ldap_bind ($connect, $auth_user_name, $password);
+    }
+
    if ($bind === FALSE)
        switch (ldap_errno ($connect))
        {
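Review bot: the error handling that follows (`if ($bind === FALSE) switch (ldap_errno ($connect))`) was written for a bind with the user's own credentials; when the search_bind_rdn bind fails in 'httpdldap' mode the cause is a broken service account or password, not a user authentication failure, so that path should raise RackTablesError::MISCONFIGURED (consistent with the new check just above it) instead of whatever invalid-credentials outcome the switch maps to. Two smaller points: the new block uses K&R braces and `!isset (...)` while the surrounding code puts `if`, `(` and `{` on their own lines with a space before the parenthesis (see the `if` in the first hunk), so it should be brought into the project's style; and since the search account's password now grants group lookups for any username the webserver presents, the secret.php guidance for this mode should say the account needs read-only search rights and nothing more.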


Issue History

Date Modified Username Field Change
2015-05-18 01:39 simon2 New Issue
2015-05-18 01:39 simon2 File Added: auth.php.patch
2015-05-18 01:46 simon2 File Deleted: auth.php.patch
2015-05-18 01:46 simon2 File Added: auth.php.patch