Re: [openupload-devel] LDAP Password\Group Issues
From: Weir, J. <jas...@nh...> - 2009-08-27 14:27:44
I disabled magic quotes, restarted Apache and saw no difference in how it
acts - still working fine..
-J
-----Original Message-----
From: Weir, Jason [mailto:jas...@nh...]
Sent: Thursday, August 27, 2009 10:18 AM
To: OpenUpload Delvel and General talk
Subject: Re: [openupload-devel] LDAP Password\Group Issues
Here is what my php.ini says:
; Magic quotes for incoming GET/POST/Cookie data.
magic_quotes_gpc = On
; Magic quotes for runtime-generated data, e.g. data from SQL, from exec(), etc.
magic_quotes_runtime = Off
; Use Sybase-style magic quotes (escape ' with '' instead of \').
magic_quotes_sybase = Off
I see that it's deprecated in PHP 5.3.0 and removed from 6.0 altogether.
Should I disable it and we will go from there?
-J
-----Original Message-----
From: Alessandro Briosi [mailto:ts...@br...]
Sent: Thursday, August 27, 2009 10:11 AM
To: OpenUpload Delvel and General talk
Subject: Re: [openupload-devel] LDAP Password\Group Issues
Great, I'll need to have a check with magic quotes, to overcome the
slashes behaviour in the password, but probably will have to do it
outside the ldap module.
Just to be sure, do you have magic quotes on in your php.ini? They are
deprecated so I should definitely check this out. Applying a
stripslashes when magic quotes are off could lead to the opposite
problem :(
Alessandro
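As an added example (not code from this thread or from OpenUpload), here is the bind logic of the authenticate() method quoted below rewritten as a plain PHP function with the three fixes the thread circles around: refuse an empty password before binding, undo magic quotes only when they are actually on, and escape the login where it is spliced into the DN while leaving the password untouched. It assumes an already connected LDAP handle $ds, a $config array with the same keys the quoted class uses, and a hypothetical dn_escape() helper; PHP 5.6 and later could use ldap_escape($v, '', LDAP_ESCAPE_DN) instead.

```php
<?php
// Added example, not OpenUpload's own code. $ds is an already connected
// LDAP handle; $config/$ufield carry the same values the quoted class uses;
// dn_escape() is a hypothetical helper written here.

// Escape the characters RFC 4514 gives special meaning inside a DN value.
function dn_escape($value) {
    // Backslash goes first so the backslashes added below are not re-escaped.
    $value = str_replace(
        array('\\',   ',',   '+',   '"',   '<',   '>',   ';',   '='),
        array('\\\\', '\\,', '\\+', '\\"', '\\<', '\\>', '\\;', '\\='),
        $value
    );
    // A leading '#' or space and a trailing space must be escaped as well.
    if (substr($value, 0, 1) === '#' || substr($value, 0, 1) === ' ') {
        $value = '\\' . $value;
    }
    if (substr($value, -1) === ' ') {
        $value = substr($value, 0, -1) . '\\ ';
    }
    return $value;
}

function ldap_authenticate($ds, array $config, $ufield, $login, $password) {
    // Undo magic_quotes_gpc only when it is really on: an unconditional
    // stripslashes() eats a legitimate backslash once magic quotes are off.
    if (function_exists('get_magic_quotes_gpc') && get_magic_quotes_gpc()) {
        $login    = stripslashes($login);
        $password = stripslashes($password);
    }
    // An empty password turns ldap_bind() into an unauthenticated bind
    // (RFC 4513 section 5.1.2), which many directories answer with success,
    // so refuse it here instead of relying on the server to reject it.
    if (!is_string($login) || !is_string($password)
        || $login === '' || $password === '') {
        return false;
    }
    if ($config['type'] != 'AD') {
        // $login lands inside a DN, so escape it there. The password is
        // never escaped: ldap_bind() sends it as an opaque string, which is
        // why addcslashes() on it broke passwords containing ' ! or \.
        $uid = $ufield . '=' . dn_escape($login) . ',' . $config['userdn'];
    } else {
        $uid = $login . '@' . $config['domain'];
    }
    return @ldap_bind($ds, $uid, $password) === true;
}
```

The caller keeps the connect()/disconnect() handling from the quoted method around this function; only the bind decision moved here.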
Weir, Jason wrote:
> Looks like that did it - now it acts as it should.
>
> With a blank password it does not try to authenticate - no invalid
> password in the AD log.
> With an invalid password it returns invalid password and does not log
> me in - see invalid password in the AD log.
> With a valid password it logs in successfully - see a valid login in
> the AD log.
>
> Thanks for taking care of this.
>
> -J
>
> -----Original Message-----
> From: Alessandro Briosi [mailto:ts...@br...]
> Sent: Thursday, August 27, 2009 9:23 AM
> To: OpenUpload Delvel and General talk
> Subject: Re: [openupload-devel] LDAP Password\Group Issues
>
>
> Jason,
> I have done other tests with the addcslashes, the fact is that php
> already escapes the ' \ etc, so the solution I found is to use the
> stripslashes function. This should fix the problem (at least it does
> using ' \ ! and space which I tested).
>
> I though do not encounter the authentication succeeding after a logout
> and login again with a wrong password (!?), which seems to be the
> correct thing. And in the Win log I do see the wrong or good access
> registered.
>
> This should work.
>
> function authenticate($login,$password) {
>     $result = false;
>     $this->disconnect();
>     if ($this->connect()) {
>         if ($this->config['type'] != 'AD') {
>             $uid = $this->ufield.'='.$login.','.$this->config['userdn'];
>         } else {
>             $uid = $login.'@'.$this->config['domain'];
>         }
>         if ($uid!=NULL and $password!=NULL) {
>             /* prevent injection (?), and special chars, thanks to Jason
>                Weir */
>             $uid = stripslashes($uid);
>             $password = stripslashes($password);
>             if (@ldap_bind($this->ds, $uid, $password)===TRUE) {
>                 $result = true;
>             }
>         }
>         $this->disconnect();
>     }
>     return $result;
> }
>
> Alessandro
>
> Weir, Jason wrote:
>> That seems to have fixed the blank password problem but I can still
>> login with any non-blank password.
>>
>> I am no longer getting locked out and I don't see the password failure
>> messages in AD any more - it looks like after I am logged in the first
>> time it never authenticates against AD again..
>>
>> Looks like $passwords should be $password on line 54
>>
>> I still have an issue with addcslashes - I had to use addslashes.
>>
>> With addcslashes I always get an invalid password message and my AD
>> account gets locked out after 5 tries.
>>
>> Can you test with a password that has spaces and special characters
>> specifically single quote and exclamation mark and see if you see the
>> same thing.
>>
>> Thanks!
>>
>> -J
>> -----Original Message-----
>> From: Alessandro Briosi [mailto:ts...@br...]
>> Sent: Thursday, August 27, 2009 6:42 AM
>> To: OpenUpload Delvel and General talk
>> Subject: Re: [openupload-devel] LDAP Password\Group Issues
>>
>>
>> Hi Jason,
>> could you confirm that this fixes the problem?
>> I found out that the real problem should be an empty password (?)...
>> and maybe the missing disconnect.
>>
>> This will not allow users with empty password to access (which is
>> pretty reasonable)
>>
>> Change the authenticate method in the ldap.inc.php with this one:
>>
>> function authenticate($login,$password) {
>>     $result = false;
>>     $this->disconnect();
>>     if ($this->connect()) {
>>         if ($this->config['type'] != 'AD') {
>>             $uid = $this->ufield.'='.$login.','.$this->config['userdn'];
>>         } else {
>>             $uid = $login.'@'.$this->config['domain'];
>>         }
>>         if ($uid!=NULL and $password!=NULL) {
>>             /* prevent injection, thanks to Jason Weir */
>>             $uid = addcslashes($uid, '!\',+"\\<>;*');
>>             $passwords = addcslashes($password, '!\',+"\\<>;*');
>>             if (@ldap_bind($this->ds, $uid, $password)===TRUE) {
>>                 $result = true;
>>             }
>>         }
>>         $this->disconnect();
>>     }
>>     return $result;
>> }
>>
>> Let me know,
>> Alessandro
>>
>> Alessandro Briosi wrote:
>>> Hi Jason,
>>> I'm testing against an AD, and what I get is the same result for
>>> users other than the Administrator (which is the same I use to check
>>> the user information).
>>> The problem is that ldap_bind returns true to openupload ... (and
>>> that's pretty odd), with an openldap backend everything is good...
>>>
>>> I'll investigate and let you know. Once I figure this out will be
>>> releasing a 0.4.1 version.
>>>
>>> Alessandro
>>>
>>> Weir, Jason wrote:
>>>> Yes - if first login is successful subsequent logins succeed no
>>>> matter what the password is - but Open Upload is passing whatever
>>>> password I use to AD because after 5 bad passwords my account gets
>>>> locked out..
>>>>
>>>> 1. I'm part of the Open Upload admins group and the ACL looks like
>>>>    allow everything
>>>> 2. PHP Version 5.2.9-0.dotdeb.2
>>>> 3. ok
>>>> 4. Windows 2K3 - other apps that I do LDAP auth on seem to work fine
>>>> 5. like this?
>>>>
>>>> 47 if (@ldap_bind($this->ds, $uid, $password)) {
>>>> 48 $this->disconnect();
>>>> 49 return true;
>>>> 50 }
>>>>
>>>> 6. Nothing jumped out at me. Not much of any errors..
>>>>
>>>> this has to be cached somewhere persistent because I tried
>>>> restarting the Open Upload server and clearing out my browser
>>>> cache\cookies and it still accepts a blank\bad password. I even
>>>> tried logging in from a different workstation using a different
>>>> browser.
>>>>
>>>> I don't mind doing some testing if you can tell me what you need..
>>>>
>>>> Thanks,
>>>> -Jason
>>>> -----Original Message-----
>>>> From: Alessandro Briosi [mailto:ts...@br...]
>>>> Sent: Wed 8/26/2009 5:17 PM
>>>> To: OpenUpload Delvel and General talk
>>>> Subject: Re: [openupload-devel] LDAP Password\Group Issues
>>>>
>>>> Wow, that's pretty bad.
>>>>
>>>> You mean that if the first login is successful, then any subsequent
>>>> logins succeed even with a wrong password? Or it always lets you in?
>>>>
>>>> With LDAP server I have no such behaviour.
>>>>
>>>> These are some possibilities:
>>>> 1. ACL problem, logout is not permitted (?)
>>>> 2. ldap_bind always returns true, which would be odd (what version
>>>>    of php are you using?)
>>>> 3. There is some strange session behaviour/bug
>>>> 4. AD is somehow returning the wrong value for the LDAP query (very
>>>>    unlikely, what Windows Server is it? 2000/2003/2008)
>>>> 5. Found out a missing disconnect in the ldap.inc.php
>>>>    line: 48 insert before 'return true;'
>>>>    $this->disconnect();
>>>> 6. Maybe some php coding error? have you checked the apache logs?
>>>>
>>>> I need to check this, but will have to wait when I get around to an
>>>> AD server first.
>>>>
>>>> Alessandro
>>>>
>>>> Weir, Jason wrote:
>>>>> What I've found is after I log in for the first time I can
>>>>> subsequently log off and back in with any password including a
>>>>> blank password. OpenUpload lets me log in but I get an "invalid
>>>>> password" failure audit in Active Directory - If I try it enough
>>>>> times my AD account will get locked out. I never get an invalid
>>>>> password from OpenUpload..
>>>>>
>>>>> Ideas?
>>>>>
>>>>> -----Original Message-----
>>>>> From: Alessandro Briosi [mailto:ts...@br...]
>>>>> Sent: Tuesday, August 18, 2009 11:59 AM
>>>>> To: ope...@li...
>>>>> Subject: Re: [openupload-devel] LDAP Password\Group Issues
>>>>>
>>>>>
>>>>> Hi,
>>>>> I definitely need to write some documentation on this one :)
>>>>>
>>>>>
>>>>> Weir, Jason wrote:
>>>>>> I've got OpenUpload installed on a Debian machine authenticating
>>>>>> to Win2K3 AD via LDAP - I'm seeing a couple issues.
>>>>>>
>>>>>> 1. Does OpenUpload cache the passwords - after I did a password
>>>>>> change I could no longer log in unless I used the old password.
>>>>> No, it only authenticates the user against AD at the login and
>>>>> then checks for the user information with the user specified in
>>>>> the configuration (the user remains authenticated until the logout
>>>>> or session expires). OpenUpload uses the standard ldap functions to
>>>>> authenticate, so probably it must be something with AD or Linux
>>>>> caching...
_____________________________________________________________________________________________
Please visit www.nhrs.org to subscribe to NHRS email announcements and updates.
_______________________________________________
Openupload-devel mailing list Ope...@li...
https://lists.sourceforge.net/lists/listinfo/openupload-devel