#109 Logging in with LDAP

Status: open
Owner: nobody
Labels: None
Priority: 5
Updated: 2012-10-11
Created: 2004-11-09
Creator: Ernie Oporto
Private: No

I have the CVS distro from 2004/11/09. With
USER_AUTH_ORDER="LDAP", my users are able to just type
the username and hit enter at the HomePage without
being prompted for a password. Similarly, when I just
click "Sign in as" at the HomePage and then login at
the next page with just the username and blank
password, I can get in successfully. False usernames
that do not match the LDAP database are correctly
rejected, however, so some contact with the LDAP server
is being made. How can I make sure that users must
type a correct password in order to log in? I am able
to view and edit Wiki pages correctly, so this last
issue remains before I can deploy.

My config.php:

ENABLE_PAGEPERM = true
ENABLE_DOUBLECLICKEDIT = true
ENABLE_XHTML_XML = false
WIKI_NAME = PhpWiki
ENABLE_REVERSE_DNS = true
ADMIN_USER = wikiadmin
ADMIN_PASSWD = pass
ENCRYPTED_PASSWD = true
ZIPDUMP_AUTH = false
ENABLE_RAW_HTML = false
ENABLE_RAW_HTML_LOCKEDONLY = true
ENABLE_RAW_HTML_SAFE = true
STRICT_MAILABLE_PAGEDUMPS = false
DEFAULT_DUMP_DIR = /tmp/wikidump
HTML_DUMP_DIR = /tmp/wikidumphtml
HTML_DUMP_SUFFIX = .html
MAX_UPLOAD_SIZE = 16777216
MINOR_EDIT_TIMEOUT = 604800
CACHE_CONTROL = LOOSE
CACHE_CONTROL_MAX_AGE = 600
COOKIE_EXPIRATION_DAYS = 365
DATABASE_TYPE = SQL
DATABASE_DSN = "mysql://user:pass@sqlserver/phpwiki"
DATABASE_SESSION_TABLE = session
DATABASE_DIRECTORY = /tmp
DATABASE_DBA_HANDLER = gdbm
DATABASE_TIMEOUT = 5
MAJOR_MAX_AGE = 32
MAJOR_KEEP = 8
MINOR_MAX_AGE = 7
MINOR_KEEP = 4
AUTHOR_MAX_AGE = 365
AUTHOR_KEEP = 8
AUTHOR_MIN_AGE = 7
AUTHOR_MAX_KEEP = 20
ALLOW_ANON_USER = true
ALLOW_ANON_EDIT = false
ALLOW_BOGO_LOGIN = false
ALLOW_USER_PASSWORDS = true
USER_AUTH_ORDER = "LDAP"
USER_AUTH_POLICY = strict
LDAP_AUTH_HOST = "ldap://ldaphost:389"
LDAP_BASE_DN = "o=ldap.org"
LDAP_AUTH_USER = "CN=LDAPDirectory"
LDAP_AUTH_PASSWORD = "pass"
GROUP_METHOD = WIKIPAGE
DBAUTH_AUTH_CRYPT_METHOD = plain
EDITING_POLICY = EditingPolicy
THEME = default
CHARSET = iso-8859-1
DEFAULT_LANGUAGE = en
WIKI_PGSRC = pgsrc
DEFAULT_WIKI_PGSRC = pgsrc
DEFAULT_WIKI_PAGES = "ReleaseNotes:SteveWainstead:TestPage"
ALLOWED_PROTOCOLS = "http|https|mailto|ftp|news|nntp|ssh|gopher"
INLINE_IMAGES = "png|jpg|gif"
WIKI_NAME_REGEXP = "(?<![[:alnum:]])(?:[[:upper:]][[:lower:]]+){2,}(?![[:alnum:]])"
SUBPAGE_SEPARATOR = /
INTERWIKI_MAP_FILE = lib/interwiki.map
WARN_NONPUBLIC_INTERWIKIMAP = false
KEYWORDS = "Category:Topic"
COPYRIGHTPAGE_TITLE = "GNU General Public License"
COPYRIGHTPAGE_URL = "http://www.gnu.org/copyleft/gpl.html#SEC1"
AUTHORPAGE_TITLE = The PhpWiki Programming Team
AUTHORPAGE_URL = http://phpwiki.org/ThePhpWikiProgrammingTeam
TOC_FULL_SYNTAX = true
PLUGIN_CACHED_DATABASE = file
PLUGIN_CACHED_CACHE_DIR = /tmp/cache
PLUGIN_CACHED_FILENAME_PREFIX = phpwiki
PLUGIN_CACHED_HIGHWATER = 4194304
PLUGIN_CACHED_LOWWATER = 3145728
PLUGIN_CACHED_MAXLIFETIME = 2592000
PLUGIN_CACHED_MAXARGLEN = 1000
PLUGIN_CACHED_USECACHE = true
PLUGIN_CACHED_FORCE_SYNCMAP = true
PLUGIN_CACHED_IMGTYPES = "png|gif|gd|gd2|jpeg|wbmp|xbm|xpm"

Discussion

  • Ernie Oporto
    2004-11-09

    Figured it out:
    At line 554 in the CVS version of lib/WikiUserNew.php I added this:

        // reject a blank password before it is ever sent to the LDAP server
        if ($passwd == '')
            return _("Invalid password.");

    so that now anyone trying to work around this issue by just
    entering a username won't be able to spoof someone else's
    username. Empty passwords are a definite no-no, but
    probably should be enforced somewhere other than phpWiki.
    Still, it would be good to see this adopted into the code.

  • Reini Urban
    2004-11-24

    I changed the default to
    PASSWORD_LENGTH_MINIMUM = 0
    (needed for passwordless bogo login, the default).

    If you set this to 2 or 3 it should work.
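
The two fixes in this ticket, the empty-password check in the first comment and the PASSWORD_LENGTH_MINIMUM setting in the second, close the same hole: an LDAP simple bind that carries a DN together with an empty password is an "unauthenticated" bind (RFC 4513 section 5.1.2), which many directory servers answer with success and an anonymous session, so the wiki saw a "successful" bind for every username that existed in the directory. The PHP below is an added example written for this page, not PhpWiki's own code. It reuses the LDAP_AUTH_HOST, LDAP_BASE_DN, LDAP_AUTH_USER and LDAP_AUTH_PASSWORD values from the ticket's config, sets PASSWORD_LENGTH_MINIMUM to 3 as the second comment suggests, and assumes the wiki username is stored in a `uid` attribute; the function name ldap_password_ok and the username character restriction are this example's own choices.

```php
<?php
// Added example (not PhpWiki's code): LDAP password verification that refuses
// the empty / too-short password case before any bind is attempted.

// Values from the ticket's config.php; the host and credentials are placeholders.
const LDAP_AUTH_HOST     = 'ldap://ldaphost:389';
const LDAP_BASE_DN       = 'o=ldap.org';
const LDAP_AUTH_USER     = 'CN=LDAPDirectory';
const LDAP_AUTH_PASSWORD = 'pass';
// 0 is the default that let blank passwords through; 3 is the suggested fix.
const PASSWORD_LENGTH_MINIMUM = 3;

/**
 * Returns true only if $username exists under LDAP_BASE_DN and $passwd is
 * that entry's real credential.
 *
 * The empty-password case is rejected locally: a simple bind with a DN and an
 * empty password is an unauthenticated bind (RFC 4513 s5.1.2), and servers that
 * accept it return success with an anonymous session, which is exactly the
 * "username only" login this ticket describes.
 */
function ldap_password_ok(string $username, string $passwd): bool
{
    // Never let a blank password reach the server, even if the configured
    // minimum is 0 (bogo login). Too-short passwords fail here as well.
    if (strlen($passwd) < max(1, PASSWORD_LENGTH_MINIMUM)) {
        return false;
    }
    // Assumption for this example: wiki usernames are simple tokens. The
    // search filter is escaped below regardless; this just rejects junk early.
    if ($username === '' || !preg_match('/^[A-Za-z0-9._-]+$/', $username)) {
        return false;
    }

    $ld = ldap_connect(LDAP_AUTH_HOST);
    if ($ld === false) {
        return false;
    }
    ldap_set_option($ld, LDAP_OPT_PROTOCOL_VERSION, 3);
    ldap_set_option($ld, LDAP_OPT_REFERRALS, 0);

    // Step 1: bind as the service account and resolve the username to a DN.
    if (!@ldap_bind($ld, LDAP_AUTH_USER, LDAP_AUTH_PASSWORD)) {
        ldap_close($ld);
        return false;
    }
    $filter  = '(uid=' . ldap_escape($username, '', LDAP_ESCAPE_FILTER) . ')';
    $result  = @ldap_search($ld, LDAP_BASE_DN, $filter, ['dn']);
    $entries = $result ? ldap_get_entries($ld, $result) : false;
    if (!$entries || $entries['count'] !== 1) {
        ldap_close($ld);
        return false;   // unknown or ambiguous username: no bind attempted
    }
    $dn = $entries[0]['dn'];

    // Step 2: bind again as the user with the supplied (non-empty) password.
    // Only a genuine simple bind proves the credential; the server decides.
    $ok = @ldap_bind($ld, $dn, $passwd);
    ldap_close($ld);
    return $ok === true;
}

// Usage: ldap_password_ok('alice', '') returns false without opening a
// connection; ldap_password_ok('alice', 'wrong') fails at the second bind;
// only a correct password of at least PASSWORD_LENGTH_MINIMUM characters
// returns true.
```

The ordering is the important design choice: the length check runs before any network call, so the application's answer for a blank password does not depend on how a particular directory server treats unauthenticated binds. Most servers also offer a setting to refuse such binds outright; that is the server-side counterpart to this check and worth enabling, but the application-side check stands on its own and protects every wiki that points at a server where the default was never changed.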