Re: [openupload-devel] LDAP Password\Group Issues
From: Alessandro B. <ts...@br...> - 2009-08-27 10:42:16
Hi Jason,
could you confirm that this fixes the problem?
I found out that the real problem should be an empty password (?)... and
maybe the missing disconnect.
This will not allow users with an empty password to access (which is pretty
reasonable).
Replace the authenticate method in ldap.inc.php with this one:
function authenticate($login,$password) {
    $result = false;
    $this->disconnect();
    if ($this->connect()) {
        /* prevent injection, thanks to Jason Weir: escape the login before it
           is joined to the configured DN, which itself contains commas */
        $login = addcslashes($login, '!\',+"\\<>;*');
        if ($this->config['type'] != 'AD') {
            /* plain LDAP: bind as ufield=login,userdn */
            $uid = $this->ufield.'='.$login.','.$this->config['userdn'];
        } else {
            /* AD: bind with the userPrincipalName login@domain */
            $uid = $login.'@'.$this->config['domain'];
        }
        /* an empty password would be an anonymous bind, which the server accepts */
        if ($uid!=NULL and $password!=NULL) {
            /* the password is the bind credential, not DN text, so it is passed as is */
            if (@ldap_bind($this->ds, $uid, $password)===TRUE) {
                $result = true;
            }
        }
        $this->disconnect();
    }
    return $result;
}
Let me know,
Alessandro
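As an added illustration (not openupload's code, and not part of this thread), the failure mode discussed here in Python: an LDAP simple bind with an empty password is an anonymous bind that the server reports as successful, so the application must refuse empty passwords before it ever calls the directory. The directory, the users, the config dicts and fake_directory_bind are all constructed stand-ins for ldap_bind(); escape_dn_value follows RFC 4514 and is kept as defence in depth behind the login charset check.

```python
import re

# Constructed sample directory, keyed by the name a bind is issued as.
_USERS = {
    "uid=jason,ou=people,dc=example,dc=com": "correct horse",
    "jason@example.local": "correct horse",
}
CFG_LDAP = {"type": "LDAP", "ufield": "uid", "userdn": "ou=people,dc=example,dc=com"}
CFG_AD = {"type": "AD", "domain": "example.local"}

def fake_directory_bind(name, password):
    """Stand-in for PHP's ldap_bind(): models a server that treats an empty
    password as an anonymous bind and reports success (the thread's symptom)."""
    if password == "":
        return True
    return _USERS.get(name) == password

def escape_dn_value(value):
    """Escape one RDN attribute value per RFC 4514 section 2.4 (addcslashes in
    the snippet above is not the RFC rule and was applied to the whole DN)."""
    out = []
    for i, ch in enumerate(value):
        if ch in ',+"\\<>;=' or (ch == "#" and i == 0) \
                or (ch == " " and i in (0, len(value) - 1)):
            out.append("\\" + ch)
        elif ch == "\x00":
            out.append("\\00")
        else:
            out.append(ch)
    return "".join(out)

def build_bind_name(login, cfg):
    """Same two naming schemes as openupload: UPN for AD, DN otherwise."""
    if cfg["type"] == "AD":
        return login + "@" + cfg["domain"]
    return cfg["ufield"] + "=" + escape_dn_value(login) + "," + cfg["userdn"]

def authenticate(login, password, cfg, bind=fake_directory_bind):
    """True only for a bind the directory actually checked a password for."""
    # A simple bind with an empty password is an anonymous/unauthenticated
    # bind (RFC 4513 section 5.1.2): the server answers success without
    # checking anything, so refuse it before the directory is contacted.
    if not login or not password:
        return False
    # The login is one account name; '@', '\\' or ',' inside it would change
    # which account the UPN or DN names, so accept only a conservative charset.
    if not re.fullmatch(r"[A-Za-z0-9._-]{1,64}", login):
        return False
    return bind(build_bind_name(login, cfg), password) is True
```

Calling fake_directory_bind directly with an empty password returns True, which is exactly what openupload saw before the guard; authenticate() with the same input returns False.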
Alessandro Briosi wrote:
> Hi Jason,
> I'm testing against an AD, and what I get is the same result for users
> other than the Administrator (which is the same I use to check the user
> information).
> The problem is that ldap_bind returns true to openupload ... (and that's
> pretty odd), with an openldap backend everything is good...
>
> I'll investigate and let you know. Once I figure this out will be
> releasing a 0.4.1 version.
>
> Alessandro
>
>
> Weir, Jason wrote:
>> Yes - if first login is successful subsequent logins succeed no matter what the password is - but Open Upload is passing whatever password I use to AD because after 5 bad passwords my account gets locked out..
>>
>> 1. I'm part of the Open Upload admins group and the ACL looks like allow everything
>> 2. PHP Version 5.2.9-0.dotdeb.2
>> 3. ok
>> 4. Windows 2K3 - other apps that I do LDAP auth on seem to work fine
>> 5. like this?
>>
>> 47 if (@ldap_bind($this->ds, $uid, $password)) {
>> 48 $this->disconnect();
>> 49 return true;
>> 50 }
>>
>> 6. Nothing jumped out at me. Not much of any errors..
>>
>> this has to be cached somewhere persistent because I tried restarting the Open Upload server and clearing out my browser cache\cookies and it still accepts a blank\bad password. I even tried logging in from a different workstation using a different browser.
>>
>> I don't mind doing some testing if you can tell me what you need..
>>
>> Thanks,
>> -Jason
>>
>>
>>
>> -----Original Message-----
>> From: Alessandro Briosi [mailto:ts...@br...]
>> Sent: Wed 8/26/2009 5:17 PM
>> To: OpenUpload Delvel and General talk
>> Subject: Re: [openupload-devel] LDAP Password\Group Issues
>>
>> Wow, that's pretty bad.
>>
>> You mean that if the first login is successful, then any subsequent
>> logins succeed even with a wrong password? Or does it always let you in?
>>
>>
>>
>> With an LDAP server I have no such behavior.
>>
>> These are some possibilities:
>> 1. ACL problem, logout is not permitted (?)
>> 2. ldap_bind always returns true, which would be odd (what version of
>> php are you using?)
>> 3. There is some strange session behavior/bug
>> 4. AD is somehow returning the wrong value for the LDAP query (very
>> unlikely, what Windows Server is it? 2000/2003/2008)
>> 5. Found out a missing disconnect in the ldap.inc.php
>> line: 48 insert before 'return true;'
>> $this->disconnect();
>> 6. Maybe some php coding error? have you checked the apache logs?
>>
>> I need to check this, but will have to wait when I get around to an AD
>> server first.
>>
>> Alessandro
>>
>> Weir, Jason wrote:
>>> What I've found is after I log in for the first time I can subsequently
>>> log off and back in with any password including a blank password.
>>> OpenUpload lets me log in but I get an "invalid password" failure audit
>>> in Active Directory - If I try it enough times my AD account will get
>>> locked out. I never get an invalid password from OpenUpload..
>>>
>>> Ideas?
>>>
>>> -----Original Message-----
>>> From: Alessandro Briosi [mailto:ts...@br...]
>>> Sent: Tuesday, August 18, 2009 11:59 AM
>>> To: ope...@li...
>>> Subject: Re: [openupload-devel] LDAP Password\Group Issues
>>>
>>>
>>> Hi,
>>> I definitely need to write some documentation on this one :)
>>>
>>>
>>> Weir, Jason wrote:
>>>> I've got OpenUpload installed on a Debian machine authenticating to
>>>> Win2K3 AD via LDAP - I'm seeing a couple issues.
>>>>
>>>> 1. Does OpenUpload cache the passwords - after I did a password
>>>> change I could no longer log in unless I used the old password.
>>> No, it only authenticates the user against AD at the login and then
>>> checks for the user information with the user specified in the
>>> configuration (the user remains authenticated until the logout or
>>> session expires)
>>> OpenUpload uses the standard ldap functions to authenticate, so probably
>>> it must be something with AD or Linux caching...
>> _______________________________________________
>> Openupload-devel mailing list
>> Ope...@li...
>> https://lists.sourceforge.net/lists/listinfo/openupload-devel
>