Re: [openupload-devel] LDAP Password\Group Issues
From: Alessandro B. <ts...@br...> - 2009-08-27 15:02:49
Well, the problem would arise if you have a password like
abc\'a\\ (not escaped)
this would fail as stripslashes is applied.
So I need to check if magic_quotes are enabled, but it's good to remove
the stripslashes and disable magic_quotes (the check would only be for
whoever is still using magic_quotes).
Thanks for the help.
Alessandro
Weir, Jason wrote:
> I disabled magic quotes, restarted Apache and saw no difference in how it
> acts - still working fine.
>
> -J
>
> -----Original Message-----
> From: Weir, Jason [mailto:jas...@nh...]
> Sent: Thursday, August 27, 2009 10:18 AM
> To: OpenUpload Delvel and General talk
> Subject: Re: [openupload-devel] LDAP Password\Group Issues
>
>
> Here is my php.ini says
>
> ; Magic quotes for incoming GET/POST/Cookie data.
> magic_quotes_gpc = On
>
> ; Magic quotes for runtime-generated data, e.g. data from SQL, from
> ; exec(), etc.
> magic_quotes_runtime = Off
>
> ; Use Sybase-style magic quotes (escape ' with '' instead of \').
> magic_quotes_sybase = Off
>
> I see that it's deprecated in PHP 5.3.0 and removed from 6.0
> altogether
>
> Should I disable it and we will go from there?
>
> -J
>
> -----Original Message-----
> From: Alessandro Briosi [mailto:ts...@br...]
> Sent: Thursday, August 27, 2009 10:11 AM
> To: OpenUpload Delvel and General talk
> Subject: Re: [openupload-devel] LDAP Password\Group Issues
>
>
> Great, I'll need to have a check with magic quotes, to overcome the
> slashes behavior in the password, but probably will have to do it
> outside the ldap module.
>
> Just to be sure, do you have magic quotes on in your php.ini? They are
> deprecated so I should definitely check this out. Applying a
> stripslashes when magic quotes are off could lead to the opposite
> problem :(
>
> Alessandro
>
> Weir, Jason wrote:
>> Looks like that did it - now it acts as it should.
>>
>> With a blank password it does not try to authenticate - no invalid
>> password in the AD log. With an invalid password it returns invalid
>> password and does not log me in - see invalid password in the AD log.
>> With a valid password it logs in successfully - see a valid login in
>> the AD log.
>>
>> Thanks for taking care of this.
>>
>> -J
>>
>> -----Original Message-----
>> From: Alessandro Briosi [mailto:ts...@br...]
>> Sent: Thursday, August 27, 2009 9:23 AM
>> To: OpenUpload Delvel and General talk
>> Subject: Re: [openupload-devel] LDAP Password\Group Issues
>>
>>
>> Jason,
>> I have done other tests with the addcslashes; the fact is that PHP
>> already escapes the ' \ etc., so the solution I found is to use the
>> stripslashes function. This should fix the problem (at least it does
>> using ' \ ! and space, which I tested).
>>
>> I do not, though, encounter the authentication succeeding after a logout
>> and login again with a wrong password (!?), which seems to be the
>> correct thing. And in the Win log I do see the wrong or good access
>> registered.
>>
>> This should work.
>>
>> function authenticate($login,$password) {
>>     $result = false;
>>     $this->disconnect();
>>     if ($this->connect()) {
>>         if ($this->config['type'] != 'AD') {
>>             $uid = $this->ufield.'='.$login.','.$this->config['userdn'];
>>         } else {
>>             $uid = $login.'@'.$this->config['domain'];
>>         }
>>         if ($uid!=NULL and $password!=NULL) {
>>             /* prevent injection (?), and special chars, thanks to Jason
>>                Weir */
>>             $uid = stripslashes($uid);
>>             $password = stripslashes($password);
>>             if (@ldap_bind($this->ds, $uid, $password)===TRUE) {
>>                 $result = true;
>>             }
>>         }
>>         $this->disconnect();
>>     }
>>     return $result;
>> }
>>
>> Alessandro
>>
>> Weir, Jason wrote:
>>> That seems to have fixed the blank password problem but I can still
>>> log in with any non-blank password.
>>>
>>> I am no longer getting locked out and I don't see the password failure
>>> messages in AD any more - it looks like after I am logged in the first
>>> time it never authenticates against AD again.
>>>
>>> Looks like $passwords should be $password on line 54
>>>
>>> I still have an issue with addcslashes - I had to use addslashes.
>>>
>>> With addcslashes I always get an invalid password message and my AD
>>> account gets locked out after 5 tries.
>>>
>>> Can you test with a password that has spaces and special characters,
>>> specifically single quote and exclamation mark, and see if you see the
>>> same thing.
>>>
>>> Thanks!
>>>
>>> -J
>>> -----Original Message-----
>>> From: Alessandro Briosi [mailto:ts...@br...]
>>> Sent: Thursday, August 27, 2009 6:42 AM
>>> To: OpenUpload Delvel and General talk
>>> Subject: Re: [openupload-devel] LDAP Password\Group Issues
>>>
>>>
>>> Hi Jason,
>>> could you confirm that this fixes the problem?
>>> I found out that the real problem should be an empty password (?)...
>>> and maybe the missing disconnect.
>>>
>>> This will not allow users with empty password to access (which is
>>> pretty reasonable).
>>>
>>> Change the authenticate method in the ldap.inc.php with this one:
>>>
>>> function authenticate($login,$password) {
>>>     $result = false;
>>>     $this->disconnect();
>>>     if ($this->connect()) {
>>>         if ($this->config['type'] != 'AD') {
>>>             $uid = $this->ufield.'='.$login.','.$this->config['userdn'];
>>>         } else {
>>>             $uid = $login.'@'.$this->config['domain'];
>>>         }
>>>         if ($uid!=NULL and $password!=NULL) {
>>>             /* prevent injection, thanks to Jason Weir */
>>>             $uid = addcslashes($uid, '!\',+"\\<>;*');
>>>             $passwords = addcslashes($password, '!\',+"\\<>;*');
>>>             if (@ldap_bind($this->ds, $uid, $password)===TRUE) {
>>>                 $result = true;
>>>             }
>>>         }
>>>         $this->disconnect();
>>>     }
>>>     return $result;
>>> }
>>>
>>> Let me know,
>>> Alessandro
>>>
>>> Alessandro Briosi wrote:
>>>> Hi Jason,
>>>> I'm testing against an AD, and what I get is the same result for
>>>> users other than the Administrator (which is the same I use to check
>>>> the user information).
>>>> The problem is that ldap_bind returns true to openupload ... (and
>>>> that's pretty odd), with an openldap backend everything is good...
>>>>
>>>> I'll investigate and let you know. Once I figure this out will be
>>>> releasing a 0.4.1 version.
>>>>
>>>> Alessandro
>>>>
>>>> Weir, Jason wrote:
>>>>> Yes - if first login is successful subsequent logins succeed no
>>>>> matter what the password is - but Open Upload is passing whatever
>>>>> password I use to AD because after 5 bad passwords my account gets
>>>>> locked out..
>>>>>
>>>>> 1. I'm part of the Open Upload admins group and the ACL looks like
>>>>>    allow everything
>>>>> 2. PHP Version 5.2.9-0.dotdeb.2
>>>>> 3. ok
>>>>> 4. Windows 2K3 - other apps that I do LDAP auth on seem to work fine
>>>>> 5. like this?
>>>>>
>>>>> 47 if (@ldap_bind($this->ds, $uid, $password)) {
>>>>> 48 $this->disconnect();
>>>>> 49 return true;
>>>>> 50 }
>>>>>
>>>>> 6. Nothing jumped out at me. Not much of any errors..
>>>>>
>>>>> this has to be cached somewhere persistent because I tried
>>>>> restarting the Open Upload server and clearing out my browser
>>>>> cache\cookies and it still accepts a blank\bad password. I even tried
>>>>> logging in from a different workstation using a different browser.
>>>>>
>>>>> I don't mind doing some testing if you can tell me what you need..
>>>>>
>>>>> Thanks,
>>>>> -Jason
>>>>> -----Original Message-----
>>>>> From: Alessandro Briosi [mailto:ts...@br...]
>>>>> Sent: Wed 8/26/2009 5:17 PM
>>>>> To: OpenUpload Delvel and General talk
>>>>> Subject: Re: [openupload-devel] LDAP Password\Group Issues
>>>>>
>>>>> Wow, that's pretty bad.
>>>>>
>>>>> You mean that if the first login is successful, then any subsequent
>>>>> logins succeed even with a wrong password? Or does it always let you
>>>>> in?
>>>>>
>>>>> With LDAP server I have no such behavior.
>>>>>
>>>>> These are some possibilities:
>>>>> 1. ACL problem, logout is not permitted (?)
>>>>> 2. ldap_bind always returns true, which would be odd (what version
>>>>>    of PHP are you using?)
>>>>> 3. There is some strange session behavior/bug
>>>>> 4. AD is somehow returning the wrong value for the LDAP query (very
>>>>>    unlikely, what Windows Server is it? 2000/2003/2008)
>>>>> 5. Found out a missing disconnect in the ldap.inc.php
>>>>>    line 48: insert before 'return true;'
>>>>>        $this->disconnect();
>>>>> 6. Maybe some PHP coding error? Have you checked the Apache logs?
>>>>>
>>>>> I need to check this, but will have to wait until I get around to an
>>>>> AD server first.
>>>>>
>>>>> Alessandro
>>>>>
>>>>> Weir, Jason wrote:
>>>>>> What I've found is after I log in for the first time I can
>>>>>> subsequently log off and back in with any password including a
>>>>>> blank password. OpenUpload lets me log in but I get an "invalid
>>>>>> password" failure audit in Active Directory - if I try it enough
>>>>>> times my AD account will get locked out. I never get an invalid
>>>>>> password from OpenUpload.
>>>>>>
>>>>>> Ideas?
>>>>>>
>>>>>> -----Original Message-----
>>>>>> From: Alessandro Briosi [mailto:ts...@br...]
>>>>>> Sent: Tuesday, August 18, 2009 11:59 AM
>>>>>> To: ope...@li...
>>>>>> Subject: Re: [openupload-devel] LDAP Password\Group Issues
>>>>>>
>>>>>>
>>>>>> Hi,
>>>>>> I definitely need to write some documentation on this one :)
>>>>>>
>>>>>>
>>>>>> Weir, Jason wrote:
>>>>>>> I've got OpenUpload installed on a Debian machine authenticating
>>>>>>> to Win2K3 AD via LDAP - I'm seeing a couple issues.
>>>>>>>
>>>>>>> 1. Does OpenUpload cache the passwords - after I did a password
>>>>>>> change I could no longer log in unless I used the old password.
>>>>>> No, it only authenticates the user against AD at the login and
>>>>>> then checks for the user information with the user specified in the
>>>>>> configuration (the user remains authenticated until the logout or
>>>>>> session expires). OpenUpload uses the standard ldap functions to
>>>>>> authenticate, so probably it must be something with AD or Linux
>>>>>> caching...
>
>
> ________________________________________________________________________
> _____________________
>
> Please visit www.nhrs.org to subscribe to NHRS email announcements and
> updates.
> ------------------------------------------------------------------------
> ------
> Let Crystal Reports handle the reporting - Free Crystal Reports 2008
> 30-Day
> trial. Simplify your report design, integration and deployment - and
> focus on
> what you do best, core application coding. Discover what's new with
> Crystal Reports now. http://p.sf.net/sfu/bobj-july
> _______________________________________________
> Openupload-devel mailing list Ope...@li...
> https://lists.sourceforge.net/lists/listinfo/openupload-devel
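Added example (an editor's illustration, not OpenUpload's code and not posted by anyone in the thread): a PHP bind routine written the way the findings above point. It undoes magic_quotes_gpc only when get_magic_quotes_gpc() says it is on, so stripslashes() cannot corrupt a password like abc\'a\\ once the setting is off; it refuses an empty password before binding, because a simple bind with a name and an empty password is the "unauthenticated" bind of RFC 4513 section 5.1.2, which Active Directory treats as anonymous and answers with success, so ldap_bind() returns true for a blank password; it escapes the login for the DN with RFC 4514 rules (backslash plus two hex digits, not C-style addcslashes); and it sends the password to the server unescaped, since a simple-bind password is a raw OCTET STRING and any escaping turns a correct password into a wrong one. The config keys 'uri', 'type', 'userdn' and 'domain', the $ufield attribute name and the AD account-name allowlist are assumptions modelled on the snippets quoted above, not the project's real configuration; ldap_escape() needs PHP 5.6, so a hand-written fallback covers the PHP 5.2.9 mentioned in the thread.

```php
<?php
// Added example: LDAP simple-bind authentication written from the findings in
// the thread above. Not OpenUpload code. Assumed (hypothetical) inputs:
//   $config = array('uri' => 'ldaps://dc.example.test', 'type' => 'AD',
//                   'domain' => 'example.test',
//                   'userdn' => 'ou=people,dc=example,dc=test');
//   $ufield = 'uid';   // attribute naming the user in the non-AD DN

// 1. Undo magic_quotes_gpc only when it is actually on. An unconditional
//    stripslashes() corrupts a real password such as abc\'a\\ once the
//    setting is off (PHP 5.4 removed the setting, PHP 8 the function).
function undoMagicQuotes($value) {
    if (function_exists('get_magic_quotes_gpc') && @get_magic_quotes_gpc()) {
        return stripslashes($value);
    }
    return $value;
}

// 2. RFC 4514 escaping for an attribute value placed into a DN, e.g. the
//    login in "uid=<login>,ou=people,...". Uses ldap_escape() (PHP >= 5.6)
//    and a hand-written equivalent on older interpreters. Never applied to
//    the password: a simple-bind password travels verbatim as an OCTET
//    STRING, so addslashes()-style escaping changes the password, the bind
//    fails, and a lockout policy locks the account after a few attempts.
function escapeDnValue($value) {
    if (function_exists('ldap_escape')) {
        return ldap_escape($value, '', LDAP_ESCAPE_DN);
    }
    $out = '';
    $len = strlen($value);
    for ($i = 0; $i < $len; $i++) {
        $c = $value[$i];
        $special = strpos(",+\"\\<>;=#", $c) !== false
            || ($c === ' ' && ($i === 0 || $i === $len - 1))
            || ord($c) < 0x20;
        $out .= $special ? '\\' . bin2hex($c) : $c;   // e.g. ',' -> \2c
    }
    return $out;
}

// Bind identity: an escaped DN for a generic directory, or login@domain for
// Active Directory. A UPN is not a DN, so the AD branch allowlists the
// account name instead of escaping it; an '@' or ',' inside $login would
// otherwise select a different account than the one the user typed.
function buildBindIdentity(array $config, $ufield, $login) {
    if ($config['type'] === 'AD') {
        // Assumption: sAMAccountName-style allowlist; adjust per site.
        if (!preg_match('/^[A-Za-z0-9._-]{1,64}$/', $login)) {
            return null;
        }
        return $login . '@' . $config['domain'];
    }
    return $ufield . '=' . escapeDnValue($login) . ',' . $config['userdn'];
}

// 3. Authenticate by binding as the user. The empty-password check matters:
//    a simple bind with a name and an empty password is the "unauthenticated"
//    bind of RFC 4513 s5.1.2, which Active Directory treats as anonymous and
//    answers with success, so ldap_bind() returns true for a blank password
//    unless the caller refuses it first.
function authenticate(array $config, $ufield, $login, $password) {
    $login    = undoMagicQuotes($login);
    $password = undoMagicQuotes($password);
    if ($login === '' || $password === '') {
        return false;
    }
    $identity = buildBindIdentity($config, $ufield, $login);
    if ($identity === null) {
        return false;
    }
    $ds = ldap_connect($config['uri']);
    if ($ds === false) {
        return false;
    }
    ldap_set_option($ds, LDAP_OPT_PROTOCOL_VERSION, 3);
    ldap_set_option($ds, LDAP_OPT_REFERRALS, 0);   // AD referrals otherwise stall the bind
    $ok = @ldap_bind($ds, $identity, $password);   // password passed through unescaped
    if ($ok !== true) {
        error_log('LDAP bind failed for ' . $identity . ': ' . ldap_error($ds));
    }
    ldap_unbind($ds);   // always drop the handle so a bound connection is never reused
    return $ok === true;
}
```

Called as authenticate($config, 'uid', $_POST['login'], $_POST['password']), this returns true only when the directory accepted a non-empty password for the named account; the error_log line records the bind identity and the server's reason on failure, never the password.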