Re: [openupload-devel] LDAP Password\Group Issues
From: Alessandro B. <ts...@br...> - 2009-08-27 13:25:10
Just to be sure, you are doing a log out right?
Alessandro
Alessandro Briosi ha scritto:
> Jason,
> I have done other tests with the addcslashes, the fact is that php
> already escapes the ' \ etc, so the solution I found is to use the
> stripslashes function. This should fix the problem (at least it does
> using ' \ ! and space which I tested)
>
> I, though, do not encounter the authentication succeeding after a logout
> and login again with a wrong password (!?), which seems to be the
> correct thing. And in the Win log I do see the wrong or good access
> registered.
>
> This should work.
>
> function authenticate($login,$password) {
>     $result = false;
>     $this->disconnect();
>     if ($this->connect()) {
>         if ($this->config['type'] != 'AD') {
>             $uid = $this->ufield.'='.$login.','.$this->config['userdn'];
>         } else {
>             $uid = $login.'@'.$this->config['domain'];
>         }
>         if ($uid!=NULL and $password!=NULL) {
>             /* prevent injection (?), and special chars, thanks to Jason Weir */
>             $uid = stripslashes($uid);
>             $password = stripslashes($password);
>             if (@ldap_bind($this->ds, $uid, $password)===TRUE) {
>                 $result = true;
>             }
>         }
>         $this->disconnect();
>     }
>     return $result;
> }
>
> Alessandro
>
> Weir, Jason ha scritto:
>> That seems to have fixed the blank password problem but I can still
>> login with any non-blank password.
>>
>> I am no longer getting locked out and I don't see the password failure
>> messages in AD any more - it looks like after I am logged in the first
>> time it never authenticates against AD again..
>>
>> Looks like $passwords should be $password on line 54
>>
>> I still have an issue with addcslashes - I had to use addslashes.
>>
>> With addcslashes I always get an invalid password message and my AD
>> account gets locked out after 5 tries.
>>
>> Can you test with a password that has spaces and special characters
>> specifically single quote and exclamation mark and see if you see the
>> same thing.
>>
>> Thanks!
>>
>> -J
>> -----Original Message-----
>> From: Alessandro Briosi [mailto:ts...@br...]
>> Sent: Thursday, August 27, 2009 6:42 AM
>> To: OpenUpload Delvel and General talk
>> Subject: Re: [openupload-devel] LDAP Password\Group Issues
>>
>>
>> Hi Jason,
>> could you confirm that this fixes the problem?
>> I found out that the real problem should be an empty password (?)... and
>> maybe the missing disconnect.
>>
>> This will not allow users with empty password to access (which is pretty
>> reasonable)
>>
>> Change the authenticate method in the ldap.inc.php with this one:
>>
>> function authenticate($login,$password) {
>>     $result = false;
>>     $this->disconnect();
>>     if ($this->connect()) {
>>         if ($this->config['type'] != 'AD') {
>>             $uid = $this->ufield.'='.$login.','.$this->config['userdn'];
>>         } else {
>>             $uid = $login.'@'.$this->config['domain'];
>>         }
>>         if ($uid!=NULL and $password!=NULL) {
>>             /* prevent injection, thanks to Jason Weir */
>>             $uid = addcslashes($uid, '!\',+"\\<>;*');
>>             $passwords = addcslashes($password, '!\',+"\\<>;*');
>>             if (@ldap_bind($this->ds, $uid, $password)===TRUE) {
>>                 $result = true;
>>             }
>>         }
>>         $this->disconnect();
>>     }
>>     return $result;
>> }
>>
>> Let me know,
>> Alessandro
>>
>> Alessandro Briosi ha scritto:
>>> Hi Jason,
>>> I'm testing against an AD, and what I get is the same result for users
>>> other than the Administrator (which is the same I use to check the user
>>> information).
>>> The problem is that ldap_bind returns true to openupload ... (and that's
>>> pretty odd), with an openldap backend everything is good...
>>>
>>> I'll investigate and let you know. Once I figure this out I will be
>>> releasing a 0.4.1 version.
>>>
>>> Alessandro
>>>
>>> Weir, Jason ha scritto:
>>>> Yes - if first login is successful subsequent logins succeed no
>>>> matter what the password is - but Open Upload is passing whatever
>>>> password I use to AD because after 5 bad passwords my account gets
>>>> locked out..
>>>>
>>>> 1. I'm part of the Open Upload admins group and the ACL looks like
>>>> allow everything
>>>> 2. PHP Version 5.2.9-0.dotdeb.2
>>>> 3. ok
>>>> 4. Windows 2K3 - other apps that I do LDAP auth on seem to work fine
>>>> 5. like this?
>>>>
>>>> 47 if (@ldap_bind($this->ds, $uid, $password)) {
>>>> 48 $this->disconnect();
>>>> 49 return true;
>>>> 50 }
>>>>
>>>> 6. Nothing jumped out at me. Not much of any errors..
>>>>
>>>> this has to be cached somewhere persistent because I tried restarting
>>>> the Open Upload server and clearing out my browser cache\cookies and
>>>> it still accepts a blank\bad password. I even tried logging in from
>>>> a different workstation using a different browser.
>>>>
>>>> I don't mind doing some testing if you can tell me what you need..
>>>>
>>>> Thanks,
>>>> -Jason
>>>> -----Original Message-----
>>>> From: Alessandro Briosi [mailto:ts...@br...]
>>>> Sent: Wed 8/26/2009 5:17 PM
>>>> To: OpenUpload Delvel and General talk
>>>> Subject: Re: [openupload-devel] LDAP Password\Group Issues
>>>>
>>>> Wow, that's pretty bad.
>>>>
>>>> You mean that if the first login is successful, then any subsequent
>>>> logins succeed even with a wrong password? Or does it always let you in?
>>>>
>>>> With LDAP server I have no such behaviour.
>>>>
>>>> These are some possibilities:
>>>> 1. ACL problem, logout is not permitted (?)
>>>> 2. ldap_bind always returns true, which would be odd (what version of
>>>> php are you using?)
>>>> 3. There is some strange session behaviour/bug
>>>> 4. AD is somehow returning the wrong value for the LDAP query (very
>>>> unlikely, what Windows Server is it? 2000/2003/2008)
>>>> 5. Found out a missing disconnect in the ldap.inc.php
>>>> line: 48 insert before 'return true;'
>>>> $this->disconnect();
>>>> 6. Maybe some php coding error? have you checked the apache logs?
>>>>
>>>> I need to check this, but will have to wait until I get around to an AD
>>>> server first.
>>>>
>>>> Alessandro
>>>>
>>>> Weir, Jason ha scritto:
>>>>> What I've found is after I log in for the first time I can
>>>>> subsequently log off and back in with any password including a blank
>>>>> password. OpenUpload lets me log in but I get an "invalid password"
>>>>> failure audit in Active Directory - If I try it enough times my AD
>>>>> account will get locked out. I never get an invalid password from
>>>>> OpenUpload..
>>>>>
>>>>> Ideas?
>>>>>
>>>>> -----Original Message-----
>>>>> From: Alessandro Briosi [mailto:ts...@br...]
>>>>> Sent: Tuesday, August 18, 2009 11:59 AM
>>>>> To: ope...@li...
>>>>> Subject: Re: [openupload-devel] LDAP Password\Group Issues
>>>>>
>>>>>
>>>>> Hi,
>>>>> I definitely need to write some documentation on this one :)
>>>>>
>>>>>
>>>>> Weir, Jason ha scritto:
>>>>>> I've got OpenUpload installed on a Debian machine authenticating to
>>>>>> Win2K3 AD via LDAP - I'm seeing a couple issues.
>>>>>>
>>>>>> 1. Does OpenUpload cache the passwords - after I did a password
>>>>>> change I could no longer log in unless I used the old password.
>>>>> No, it only authenticates the user against AD at the login and then
>>>>> checks for the user information with the user specified in the
>>>>> configuration (the user remains authenticated until the logout or
>>>>> session expires)
>>>>> OpenUpload uses the standard ldap functions to authenticate, so probably
>>>>> it must be something with AD or Linux caching...
>>
>> _______________________________________________
>> Openupload-devel mailing list
>> Ope...@li...
>> https://lists.sourceforge.net/lists/listinfo/openupload-devel
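A hardened version of the authenticate() pattern debated in the thread above, added here as an example; it is not OpenUpload's code nor any participant's, and the config keys 'uri', 'ufield', 'userdn', 'type' and 'domain' are assumed names mirroring the $this->ufield / $this->config values in the quoted function. It rejects the empty password before any bind (the blank-password login the thread describes is the LDAP "unauthenticated bind" of RFC 4513 section 5.1.2, which Active Directory answers with success), escapes only the DN value, and sends the password verbatim, since escaping a simple-bind password alters the credential and produces exactly the failed-bind lockouts Jason saw with addcslashes().

```php
<?php
// Added example (not OpenUpload's own code). Requires PHP >= 5.6 for
// ldap_escape(); the thread runs PHP 5.2.9, where the same RFC 4514
// escaping would have to be done by hand.

function ldap_bind_name(array $config, string $login): ?string
{
    // Empty logins and control characters can never be a valid uid or
    // sAMAccountName, so refuse them before any escaping.
    if ($login === '' || preg_match('/[\x00-\x1f]/', $login)) {
        return null;
    }
    if ($config['type'] === 'AD') {
        // userPrincipalName form (login@domain, as in the quoted code);
        // an '@' inside the login would let the caller pick another realm.
        if (strpos($login, '@') !== false) {
            return null;
        }
        return $login . '@' . $config['domain'];
    }
    // Only the RDN *value* is escaped (RFC 4514): ',', '+', '"', '\', '<',
    // '>', ';', '#', '=' and leading/trailing spaces become \xx sequences.
    return $config['ufield'] . '=' . ldap_escape($login, '', LDAP_ESCAPE_DN)
         . ',' . $config['userdn'];
}

function ldap_authenticate(array $config, string $login, string $password): bool
{
    // An empty password must never reach ldap_bind(): a bind with a DN and
    // no password is an unauthenticated bind and the server reports success
    // while granting only an anonymous session.
    if ($password === '') {
        return false;
    }
    $dn = ldap_bind_name($config, $login);
    if ($dn === null) {
        return false;
    }
    $ds = ldap_connect($config['uri']);   // e.g. 'ldaps://dc.example.test'
    if ($ds === false) {
        return false;
    }
    ldap_set_option($ds, LDAP_OPT_PROTOCOL_VERSION, 3);
    ldap_set_option($ds, LDAP_OPT_REFERRALS, 0);   // AD: don't chase referrals

    // Password goes through untouched: no addslashes/addcslashes/stripslashes.
    $ok = @ldap_bind($ds, $dn, $password) === true;
    ldap_unbind($ds);   // always release the connection; nothing is cached
    return $ok;
}
```

A password containing ' ! \ or spaces therefore binds unchanged, and a blank password is refused locally instead of being turned into an anonymous session by the directory.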