Thread: Re: [openupload-devel] LDAP Password\Group Issues
|
From: Alessandro B. <ts...@br...> - 2009-08-18 15:59:45
|
Hi,
I definitely need to write some documentation on this one :)

Weir, Jason wrote:
> I've got OpenUpload installed on a Debian machine authenticating to
> Win2K3 AD via LDAP - I'm seeing a couple issues.
>
> 1. Does OpenUpload cache the passwords - after I did a password change
> I could no longer log in unless I used the old password.

No, it only authenticates the user against AD at the login and then
checks for the user information with the user specified in the
configuration (the user remains authenticated until the logout or
session expires).
OpenUpload uses the standard ldap functions to authenticate, so probably
it must be something with AD or Linux caching...
I suppose you changed the password with AD :)

> 2. Seems to be an issue with long\complicated passwords, my password
> contains spaces and special characters and always fails at login, if I
> change it to "simple" I log in just fine. Any ideas?

Hmm, no idea. It shouldn't. As far as Open Upload gets the password, it
tries to authenticate against AD, and if it succeeds it looks up user
info and groups using the lookup user configured in the config.inc.php.
Maybe the password needs to be escaped in the code before authenticating.
I'll check if this is OpenUpload's fault or something else.

> 3. The read-me was unclear how I setup user and admin groups in AD..
> I've got 2 groups "OpenUpload Admins" and "OpenUpload Users" created and
> populated in AD - how do I configure OpenUpload to reference those
> groups?
>

Here is the best way to setup Open Upload with LDAP/AD.

1. Run the setup and change 'admins' and 'registered' group names to the
   ones corresponding to the ones of your AD (using the default
   authentication with users in the database). This will populate the ACL
   with the correct group names in the database, i.e. admins =>
   "OpenUpload Admins" and registered => "OpenUpload Users".
2. Once the setup is as you wish, change the config.inc.php (look up the
   config.inc.php.example) and copy over the AD part, adapting the
   configuration (which I suppose you already did).
3. Change the authentication module: change the authentication method in
   the config.inc.php to ldap.
4. Probably you would need to change the 'cn' to 'samaccountname' with
   Active Directory in user and group fields.
5. Login with an administrator, and then login with a User, to verify
   that everything is working.

Alessandro
|
From: Weir, J. <jas...@nh...> - 2009-08-18 16:16:19
|
I did change my password via AD - I'll do some more testing...

As for the complicated password - no doubt there are some characters in
my password that would need to be escaped.. I run into this issue all
the time with PHP and Perl...

I'll go back through your directions to get the LDAP groups setup again..

Thanks,
-J
|
From: Andy H. <and...@eu...> - 2009-08-18 16:16:44
|
Alessandro Briosi wrote:
> Hi,
> I definitely need to write some documentation on this one :)
>

Also, once you've gotten it working, don't click on users or groups in
the Admin page... It will overwrite parts of the config.

-Andy
|
From: Weir, J. <jas...@nh...> - 2009-08-18 16:19:02
|
Good tip - I definitely would have screwed that one up..

-J
|
From: Alessandro B. <ts...@br...> - 2009-08-18 16:38:45
|
Andy, you mean change the configuration via the admin page?
Users and Groups should be disabled when using AD/LDAP...

Alessandro
|
From: Weir, J. <jas...@nh...> - 2009-08-18 18:13:27
|
Re-running setup and having the LDAP config correct worked perfectly.

For reference here is my LDAP config for Win2k3 AD:

$CONFIG['ldap']['host'] = '*********';
$CONFIG['ldap']['type'] = 'AD';
$CONFIG['ldap']['user'] = '*********';
$CONFIG['ldap']['password'] = '*********';
$CONFIG['ldap']['domain'] = 'nhrs.org';
$CONFIG['ldap']['basedn'] = 'dc=nhrs,dc=org';
$CONFIG['ldap']['userdn'] = 'dc=nhrs,dc=org';
$CONFIG['ldap']['userclass']='user';
$CONFIG['ldap']['uid']='samaccountname';
$CONFIG['ldap']['userfields'] = array ( 'cn' => 'login', 'name' => 'name', 'memberof' => 'group_id', 'mail' => 'email');
$CONFIG['ldap']['groupdn'] = 'dc=nhrs,dc=org';
$CONFIG['ldap']['groupclass']='group';
$CONFIG['ldap']['gid']='distinguishedname';
$CONFIG['ldap']['groupfields'] = array ( 'cn' => 'name', 'name' => 'description' );

The password cache issue went away - not sure what was going on there..

I'm still having the password issue - I'll poke around and see if I can
escape the password..

Thanks!
-Jason
|
From: Weir, J. <jas...@nh...> - 2009-08-26 19:12:21
|
What I've found is after I log in for the first time I can subsequently
log off and back in with any password including a blank password.
OpenUpload lets me log in but I get an "invalid password" failure audit
in Active Directory - If I try it enough times my AD account will get
locked out. I never get an invalid password from OpenUpload..

Ideas?
|
From: Alessandro B. <ts...@br...> - 2009-08-26 21:18:11
|
Wow, that's pretty bad.

You mean that if the first login is successful, then any subsequent
logins succeed even with a wrong password? Or does it always let you in?

With an LDAP server I have no such behaviour.

These are some possibilities:
1. ACL problem, logout is not permitted (?)
2. ldap_bind always returns true, which would be odd (what version of
   php are you using?)
3. There is some strange session behaviour/bug
4. AD is somehow returning the wrong value for the LDAP query (very
   unlikely, what Windows Server is it? 2000/2003/2008)
5. Found out a missing disconnect in the ldap.inc.php
   line: 48 insert before 'return true;'
   $this->disconnect();
6. Maybe some php coding error? Have you checked the apache logs?

I need to check this, but will have to wait until I get around to an AD
server first.

Alessandro
|
From: Weir, J. <jas...@nh...> - 2009-08-26 22:33:19
|
Yes - if first login is successful subsequent logins succeed no matter what the password is - but Open Upload is passing whatever password I use to AD because after 5 bad passwords my account gets locked out..
1. I'm part of the Open Upload admins group and the ACL looks like allow everything
2. PHP Version 5.2.9-0.dotdeb.2
3. ok
4. Windows 2K3 - other apps that I do LDAP auth on seem to work fine
5. like this?
47 if (@ldap_bind($this->ds, $uid, $password)) {
48     $this->disconnect();
49     return true;
50 }
6. Nothing jumped out at me. Not much of any errors..
this has to be cached somewhere persistent because I tried restarting the Open Upload server and clearing out my browser cache\cookies and it still accepts a blank\bad password. I even tried logging in from a different workstation using a different browser.
I don't mind doing some testing if you can tell me what you need..
Thanks,
-Jason
|
From: Alessandro B. <ts...@br...> - 2009-08-27 06:54:48
|
Hi Jason,
Weir, Jason wrote:
> Yes - if first login is successful subsequent logins succeed no matter what the password is - but Open Upload is passing whatever password I use to AD because after 5 bad passwords my account gets locked out..
>
> 1. I'm part of the Open Upload admins group and the ACL looks like allow everything
> 2. PHP Version 5.2.9-0.dotdeb.2
> 3. ok
> 4. Windows 2K3 - other apps that I do LDAP auth on seem to work fine
> 5. like this?
>
> 47 if (@ldap_bind($this->ds, $uid, $password)) {
> 48     $this->disconnect();
> 49     return true;
> 50 }
>
yes.
> 6. Nothing jumped out at me. Not much of any errors..
>
> this has to be cached somewhere persistent because I tried restarting the Open Upload server and clearing out my browser cache\cookies and it still accepts a blank\bad password. I even tried logging in from a different workstation using a different browser.
>
> I don't mind doing some testing if you can tell me what you need..
great, but I have no idea. OpenUpload uses sessions, but it only
authenticates the user the first time, and as you stated the
authentication fails when you logout/login.
So for some reason the ldap_bind is returning true.
I'll write down some code so you can check this. I'll also do some tests.
If you are using other apps in php (open source) can you tell me which
one is working, so I can have a check on how they implemented
authentication?
|
|
From: Alessandro B. <ts...@br...> - 2009-08-27 08:56:11
|
Hi Jason,
I'm testing against an AD, and what I get is the same result for users
other than the Administrator (which is the same I use to check the user
information).
The problem is that ldap_bind returns true to openupload ... (and that's
pretty odd), with an openldap backend everything is good...
I'll investigate and let you know. Once I figure this out I will be
releasing a 0.4.1 version.
Alessandro
|
|
From: Alessandro B. <ts...@br...> - 2009-08-27 10:42:16
|
Hi Jason,
could you confirm that this fixes the problem?
I found out that the real problem should be an empty password (?)... and
maybe the missing disconnect.
This will not allow users with empty password to access (which is pretty
reasonable).
Replace the authenticate method in the ldap.inc.php with this one:
function authenticate($login,$password) {
    $result = false;
    $this->disconnect();
    if ($this->connect()) {
        if ($this->config['type'] != 'AD') {
            $uid = $this->ufield.'='.$login.','.$this->config['userdn'];
        } else {
            $uid = $login.'@'.$this->config['domain'];
        }
        if ($uid!=NULL and $password!=NULL) {
            /* prevent injection, thanks to Jason Weir */
            $uid = addcslashes($uid, '!\',+"\\<>;*');
            $passwords = addcslashes($password, '!\',+"\\<>;*');
            if (@ldap_bind($this->ds, $uid, $password)===TRUE) {
                $result = true;
            }
        }
        $this->disconnect();
    }
    return $result;
}
Let me know,
Alessandro
Alessandro Briosi ha scritto:
> Hi Jason,
> I'm testing against an AD, and what I get is the same result for users
> other than the Administrator (which is the same I use to check the user
> information).
> The problem is that ldap_bind returns true to openupload ... (and that's
> pretty odd), with an openldap backend everything is good...
>
> I'll investigate and let you know. Once I figure this out will be
> releasing a 0.4.1 version.
>
> Alessandro
>
>
> Weir, Jason ha scritto:
>> Yes - if first login is successful subsequent logins succeed no matter what the password is - but Open Upload is passing whatever password I use to AD because after 5 bad passwords my account gets locked out..
>>
>> 1. I'm part of the Open Upload admins group and the ACL looks like allow everything
>> 2. PHP Version 5.2.9-0.dotdeb.2
>> 3. ok
>> 4. Windows 2K3 - other apps that I do LDAP auth on seem to work fine
>> 5. like this?
>>
>> 47 if (@ldap_bind($this->ds, $uid, $password)) {
>> 48 $this->disconnect();
>> 49 return true;
>> 50 }
>>
>> 6. Nothing jumped out at me. Not much of any errors..
>>
>> this has to be cached somewhere persistent because I tried restarting the Open Upload server and clearing out my browser cache\cookies and it still accepts a blank\bad password. I even tried logging in from a different workstation using a different browser.
>>
>> I don't mind doing some testing if you can tell me what you need..
>>
>> Thanks,
>> -Jason
>>
>>
>>
>> -----Original Message-----
>> From: Alessandro Briosi [mailto:ts...@br...]
>> Sent: Wed 8/26/2009 5:17 PM
>> To: OpenUpload Delvel and General talk
>> Subject: Re: [openupload-devel] LDAP Password\Group Issues
>>
>> Wow, that's pretty bad.
>>
>> You mean that if the first login is successfull, then any subseguent
>> logins succeed even with a wrong password? Or it always let's you in?
>>
>>
>>
>> With LDAP server I have no such behavier.
>>
>> This are some possibilities:
>> 1. ACL problem, logout is not permitted (?)
>> 2. ldap_bind always returns true, which would be odd (what version of
>> php are you using?)
>> 3. There is some strange session behavier/bug
>> 4. AD is somehow returning the wrong value for the LDAP query (very
>> unlikely, what Windows Server is it? 2000/2003/2008)
>> 5. Found out a missing disconnect in the ldap.inc.php
>> line: 48 insert before 'return true;'
>> $this->disconnect();
>> 6. Maybe some php coding error? have you checked the apache logs?
>>
>> I need to check this, but will have to wait when I get around to an AD
>> server first.
>>
>> Alessandro
>>
>> Weir, Jason ha scritto:
>>> What I've found is after I log in for the first time I can subsequently
>>> log off and back in with any password including a blank password.
>>> OpenUpload lets me log in but I get a "invalid password" failure audit
>>> in Active Directory - If I try it enough times my AD account will get
>>> locked out. I never get an invalid password from OpenUpload..
>>>
>>> Ideas?
>>>
>>> -----Original Message-----
>>> From: Alessandro Briosi [mailto:ts...@br...]
>>> Sent: Tuesday, August 18, 2009 11:59 AM
>>> To: ope...@li...
>>> Subject: Re: [openupload-devel] LDAP Password\Group Issues
>>>
>>>
>>> Hi,
>>> I defenatly need to write some documentation on this one :)
>>>
>>>
>>> Weir, Jason ha scritto:
>>>> I've got OpenUpload installed on a Debian machine authenticating to
>>>> Win2K3 AD via LDAP - I'm seeing a couple issues.
>>>>
>>>> 1. Does OpenUpload cache the passwords - after I did a password
>>>> change I could no longer log in unless I used the old password.
>>> No, it only authenticates the user against AD at the login and then
>>> checks for the user information with the user specified in the
>>> configuration (the user remains authenticated until the logout or
>>> session expires)
>>> OpenUpload uses the standard ldap functions to authenticate, so probably
>>> it must be something with AD or Linux caching...
>> _____________________________________________________________________________________________
>>
>> Please visit www.nhrs.org to subscribe to NHRS email announcements and updates.
>>
>>
>> ------------------------------------------------------------------------
>>
>> ------------------------------------------------------------------------------
>> Let Crystal Reports handle the reporting - Free Crystal Reports 2008 30-Day
>> trial. Simplify your report design, integration and deployment - and focus on
>> what you do best, core application coding. Discover what's new with
>> Crystal Reports now. http://p.sf.net/sfu/bobj-july
>>
>>
>> ------------------------------------------------------------------------
>>
>> _______________________________________________
>> Openupload-devel mailing list
>> Ope...@li...
>> https://lists.sourceforge.net/lists/listinfo/openupload-devel
>
> ------------------------------------------------------------------------------
> Let Crystal Reports handle the reporting - Free Crystal Reports 2008 30-Day
> trial. Simplify your report design, integration and deployment - and focus on
> what you do best, core application coding. Discover what's new with
> Crystal Reports now. http://p.sf.net/sfu/bobj-july
> _______________________________________________
> Openupload-devel mailing list
> Ope...@li...
> https://lists.sourceforge.net/lists/listinfo/openupload-devel
|
|
From: Weir, J. <jas...@nh...> - 2009-08-27 11:53:18
|
That seems to have fixed the blank password problem but I can still
log in with any non-blank password.
I am no longer getting locked out and I don't see the password failure
messages in AD any more - it looks like after I am logged in the first
time it never authenticates against AD again..
Looks like $passwords should be $password on line 54
I still have an issue with addcslashes - I had to use addslashes.
With addcslashes I always get an invalid password message and my AD
account gets locked out after 5 tries.
Can you test with a password that has spaces and special characters
specifically single quote and exclamation mark and see if you see the
same thing.
Thanks!
-J
-----Original Message-----
From: Alessandro Briosi [mailto:ts...@br...]
Sent: Thursday, August 27, 2009 6:42 AM
To: OpenUpload Delvel and General talk
Subject: Re: [openupload-devel] LDAP Password\Group Issues
Hi Jason,
could you confirm that this fixes the problem?
I found out that the real problem should be an empty password (?)... and
maybe the missing disconnect.
This will not allow users with empty password to access (which is pretty
reasonable)
Change the authenticate method in the ldap.inc.php with this one:
function authenticate($login,$password) {
    $result = false;
    $this->disconnect();
    if ($this->connect()) {
        if ($this->config['type'] != 'AD') {
            $uid = $this->ufield.'='.$login.','.$this->config['userdn'];
        } else {
            $uid = $login.'@'.$this->config['domain'];
        }
        if ($uid!=NULL and $password!=NULL) {
            /* prevent injection, thanks to Jason Weir */
            $uid = addcslashes($uid, '!\',+"\\<>;*');
            $passwords = addcslashes($password, '!\',+"\\<>;*');
            if (@ldap_bind($this->ds, $uid, $password)===TRUE) {
                $result = true;
            }
        }
        $this->disconnect();
    }
    return $result;
}
Let me know,
Alessandro
Alessandro Briosi wrote:
> Hi Jason,
> I'm testing against an AD, and what I get is the same result for users
> other than the Administrator (which is the same I use to check the user
> information).
> The problem is that ldap_bind returns true to openupload ... (and that's
> pretty odd), with an openldap backend everything is good...
>
> I'll investigate and let you know. Once I figure this out will be
> releasing a 0.4.1 version.
>
> Alessandro
>
> Weir, Jason wrote:
>> Yes - if first login is successful subsequent logins succeed no
>> matter what the password is - but Open Upload is passing whatever
>> password I use to AD because after 5 bad passwords my account gets
>> locked out..
>>
>> 1. I'm part of the Open Upload admins group and the ACL looks like
>> allow everything
>> 2. PHP Version 5.2.9-0.dotdeb.2
>> 3. ok
>> 4. Windows 2K3 - other apps that I do LDAP auth on seem to work fine
>> 5. like this?
>>
>> 47 if (@ldap_bind($this->ds, $uid, $password)) {
>> 48     $this->disconnect();
>> 49     return true;
>> 50 }
>>
>> 6. Nothing jumped out at me. Not much of any errors..
>>
>> this has to be cached somewhere persistent because I tried restarting
>> the Open Upload server and clearing out my browser cache\cookies and
>> it still accepts a blank\bad password. I even tried logging in from
>> a different workstation using a different browser.
>>
>> I don't mind doing some testing if you can tell me what you need..
>>
>> Thanks,
>> -Jason
>> -----Original Message-----
>> From: Alessandro Briosi [mailto:ts...@br...]
>> Sent: Wed 8/26/2009 5:17 PM
>> To: OpenUpload Delvel and General talk
>> Subject: Re: [openupload-devel] LDAP Password\Group Issues
>>
>> Wow, that's pretty bad.
>>
>> You mean that if the first login is successful, then any subsequent
>> logins succeed even with a wrong password? Or it always lets you in?
>>
>> With an LDAP server I have no such behaviour.
>>
>> These are some possibilities:
>> 1. ACL problem, logout is not permitted (?)
>> 2. ldap_bind always returns true, which would be odd (what version of
>> php are you using?)
>> 3. There is some strange session behaviour/bug
>> 4. AD is somehow returning the wrong value for the LDAP query (very
>> unlikely, what Windows Server is it? 2000/2003/2008)
>> 5. Found out a missing disconnect in the ldap.inc.php
>> line: 48 insert before 'return true;'
>> $this->disconnect();
>> 6. Maybe some php coding error? have you checked the apache logs?
>>
>> I need to check this, but will have to wait when I get around to an AD
>> server first.
>>
>> Alessandro
>>
>> Weir, Jason wrote:
>>> What I've found is after I log in for the first time I can
>>> subsequently log off and back in with any password including a blank
>>> password. OpenUpload lets me log in but I get an "invalid password"
>>> failure audit in Active Directory - If I try it enough times my AD
>>> account will get locked out. I never get an invalid password from
>>> OpenUpload..
>>>
>>> Ideas?
>>>
>>> -----Original Message-----
>>> From: Alessandro Briosi [mailto:ts...@br...]
>>> Sent: Tuesday, August 18, 2009 11:59 AM
>>> To: ope...@li...
>>> Subject: Re: [openupload-devel] LDAP Password\Group Issues
>>>
>>>
>>> Hi,
>>> I definitely need to write some documentation on this one :)
>>>
>>> Weir, Jason wrote:
>>>> I've got OpenUpload installed on a Debian machine authenticating to
>>>> Win2K3 AD via LDAP - I'm seeing a couple issues.
>>>>
>>>> 1. Does OpenUpload cache the passwords - after I did a password
>>>> change I could no longer log in unless I used the old password.
>>> No, it only authenticates the user against AD at the login and then
>>> checks for the user information with the user specified in the
>>> configuration (the user remains authenticated until the logout or
>>> session expires)
>>> OpenUpload uses the standard ldap functions to authenticate, so probably
>>> it must be something with AD or Linux caching...
|
|
From: Alessandro B. <ts...@br...> - 2009-08-27 12:48:49
|
hmm, ok. Though I do get authenticated every time (bad or good)...
I'll do some more tests as you suggest.
Alessandro
Weir, Jason wrote:
> That seems to have fixed the blank password problem but I can still
> log in with any non-blank password.
>
> I am no longer getting locked out and I don't see the password failure
> messages in AD any more - it looks like after I am logged in the first
> time it never authenticates against AD again..
>
> Looks like $passwords should be $password on line 54
>
> I still have an issue with addcslashes - I had to use addslashes.
>
> With addcslashes I always get an invalid password message and my AD
> account gets locked out after 5 tries.
>
> Can you test with a password that has spaces and special characters
> specifically single quote and exclamation mark and see if you see the
> same thing.
>
> Thanks!
>
> -J
> -----Original Message-----
> From: Alessandro Briosi [mailto:ts...@br...]
> Sent: Thursday, August 27, 2009 6:42 AM
> To: OpenUpload Delvel and General talk
> Subject: Re: [openupload-devel] LDAP Password\Group Issues
>
>
> Hi Jason,
> could you confirm that this fixes the problem?
> I found out that the real problem should be an empty password (?)... and
> maybe the missing disconnect.
>
> This will not allow users with empty password to access (which is pretty
> reasonable)
>
> Change the authenticate method in the ldap.inc.php with this one:
>
> function authenticate($login,$password) {
>     $result = false;
>     $this->disconnect();
>     if ($this->connect()) {
>         if ($this->config['type'] != 'AD') {
>             $uid = $this->ufield.'='.$login.','.$this->config['userdn'];
>         } else {
>             $uid = $login.'@'.$this->config['domain'];
>         }
>         if ($uid!=NULL and $password!=NULL) {
>             /* prevent injection, thanks to Jason Weir */
>             $uid = addcslashes($uid, '!\',+"\\<>;*');
>             $passwords = addcslashes($password, '!\',+"\\<>;*');
>             if (@ldap_bind($this->ds, $uid, $password)===TRUE) {
>                 $result = true;
>             }
>         }
>         $this->disconnect();
>     }
>     return $result;
> }
>
> Let me know,
> Alessandro
>
> Alessandro Briosi wrote:
>> Hi Jason,
>> I'm testing against an AD, and what I get is the same result for users
>> other than the Administrator (which is the same I use to check the user
>> information).
>> The problem is that ldap_bind returns true to openupload ... (and that's
>> pretty odd), with an openldap backend everything is good...
>>
>> I'll investigate and let you know. Once I figure this out will be
>> releasing a 0.4.1 version.
>>
>> Alessandro
>>
>> Weir, Jason wrote:
>>> Yes - if first login is successful subsequent logins succeed no
>>> matter what the password is - but Open Upload is passing whatever
>>> password I use to AD because after 5 bad passwords my account gets
>>> locked out..
>>>
>>> 1. I'm part of the Open Upload admins group and the ACL looks like
>>> allow everything
>>> 2. PHP Version 5.2.9-0.dotdeb.2
>>> 3. ok
>>> 4. Windows 2K3 - other apps that I do LDAP auth on seem to work fine
>>> 5. like this?
>>>
>>> 47 if (@ldap_bind($this->ds, $uid, $password)) {
>>> 48     $this->disconnect();
>>> 49     return true;
>>> 50 }
>>>
>>> 6. Nothing jumped out at me. Not much of any errors..
>>>
>>> this has to be cached somewhere persistent because I tried restarting
>>> the Open Upload server and clearing out my browser cache\cookies and
>>> it still accepts a blank\bad password. I even tried logging in from
>>> a different workstation using a different browser.
>>>
>>> I don't mind doing some testing if you can tell me what you need..
>>>
>>> Thanks,
>>> -Jason
>>> -----Original Message-----
>>> From: Alessandro Briosi [mailto:ts...@br...]
>>> Sent: Wed 8/26/2009 5:17 PM
>>> To: OpenUpload Delvel and General talk
>>> Subject: Re: [openupload-devel] LDAP Password\Group Issues
>>>
>>> Wow, that's pretty bad.
>>>
>>> You mean that if the first login is successful, then any subsequent
>>> logins succeed even with a wrong password? Or it always lets you in?
>>>
>>> With an LDAP server I have no such behaviour.
>>>
>>> These are some possibilities:
>>> 1. ACL problem, logout is not permitted (?)
>>> 2. ldap_bind always returns true, which would be odd (what version of
>>> php are you using?)
>>> 3. There is some strange session behaviour/bug
>>> 4. AD is somehow returning the wrong value for the LDAP query (very
>>> unlikely, what Windows Server is it? 2000/2003/2008)
>>> 5. Found out a missing disconnect in the ldap.inc.php
>>> line: 48 insert before 'return true;'
>>> $this->disconnect();
>>> 6. Maybe some php coding error? have you checked the apache logs?
>>>
>>> I need to check this, but will have to wait when I get around to an AD
>>> server first.
>>>
>>> Alessandro
>>>
>>> Weir, Jason wrote:
>>>> What I've found is after I log in for the first time I can
>>>> subsequently log off and back in with any password including a blank
>>>> password. OpenUpload lets me log in but I get an "invalid password"
>>>> failure audit in Active Directory - If I try it enough times my AD
>>>> account will get locked out. I never get an invalid password from
>>>> OpenUpload..
>>>>
>>>> Ideas?
>>>>
>>>> -----Original Message-----
>>>> From: Alessandro Briosi [mailto:ts...@br...]
>>>> Sent: Tuesday, August 18, 2009 11:59 AM
>>>> To: ope...@li...
>>>> Subject: Re: [openupload-devel] LDAP Password\Group Issues
>>>>
>>>>
>>>> Hi,
>>>> I definitely need to write some documentation on this one :)
>>>>
>>>> Weir, Jason wrote:
>>>>> I've got OpenUpload installed on a Debian machine authenticating to
>>>>> Win2K3 AD via LDAP - I'm seeing a couple issues.
>>>>>
>>>>> 1. Does OpenUpload cache the passwords - after I did a password
>>>>> change I could no longer log in unless I used the old password.
>>>> No, it only authenticates the user against AD at the login and then
>>>> checks for the user information with the user specified in the
>>>> configuration (the user remains authenticated until the logout or
>>>> session expires)
>>>> OpenUpload uses the standard ldap functions to authenticate, so probably
>>>> it must be something with AD or Linux caching...
>
>
|
|
From: Alessandro B. <ts...@br...> - 2009-08-27 13:22:52
|
Jason,
I have done other tests with the addcslashes, the fact is that php
already escapes the ' \ etc, so the solution I found is to use the
stripslashes function. This should fix the problem (at least it does
using ' \ ! and space which I tested)
I, though, do not encounter the authentication succeeding after a logout
and login again with a wrong password (!?), which seems to be the
correct thing. And in the Win log I do see the wrong or good access
registered.
This should work.
function authenticate($login,$password) {
    $result = false;
    $this->disconnect();
    if ($this->connect()) {
        if ($this->config['type'] != 'AD') {
            $uid = $this->ufield.'='.$login.','.$this->config['userdn'];
        } else {
            $uid = $login.'@'.$this->config['domain'];
        }
        if ($uid!=NULL and $password!=NULL) {
            /* prevent injection (?), and special chars, thanks to Jason Weir */
            $uid = stripslashes($uid);
            $password = stripslashes($password);
            if (@ldap_bind($this->ds, $uid, $password)===TRUE) {
                $result = true;
            }
        }
        $this->disconnect();
    }
    return $result;
}
Alessandro
Weir, Jason wrote:
> That seems to have fixed the blank password problem but I can still
> log in with any non-blank password.
>
> I am no longer getting locked out and I don't see the password failure
> messages in AD any more - it looks like after I am logged in the first
> time it never authenticates against AD again..
>
> Looks like $passwords should be $password on line 54
>
> I still have an issue with addcslashes - I had to use addslashes.
>
> With addcslashes I always get an invalid password message and my AD
> account gets locked out after 5 tries.
>
> Can you test with a password that has spaces and special characters
> specifically single quote and exclamation mark and see if you see the
> same thing.
>
> Thanks!
>
> -J
> -----Original Message-----
> From: Alessandro Briosi [mailto:ts...@br...]
> Sent: Thursday, August 27, 2009 6:42 AM
> To: OpenUpload Delvel and General talk
> Subject: Re: [openupload-devel] LDAP Password\Group Issues
>
>
> Hi Jason,
> could you confirm that this fixes the problem?
> I found out that the real problem should be an empty password (?)... and
> maybe the missing disconnect.
>
> This will not allow users with empty password to access (which is pretty
> reasonable)
>
> Change the authenticate method in the ldap.inc.php with this one:
>
> function authenticate($login,$password) {
>     $result = false;
>     $this->disconnect();
>     if ($this->connect()) {
>         if ($this->config['type'] != 'AD') {
>             $uid = $this->ufield.'='.$login.','.$this->config['userdn'];
>         } else {
>             $uid = $login.'@'.$this->config['domain'];
>         }
>         if ($uid!=NULL and $password!=NULL) {
>             /* prevent injection, thanks to Jason Weir */
>             $uid = addcslashes($uid, '!\',+"\\<>;*');
>             $passwords = addcslashes($password, '!\',+"\\<>;*');
>             if (@ldap_bind($this->ds, $uid, $password)===TRUE) {
>                 $result = true;
>             }
>         }
>         $this->disconnect();
>     }
>     return $result;
> }
>
> Let me know,
> Alessandro
>
> Alessandro Briosi wrote:
>> Hi Jason,
>> I'm testing against an AD, and what I get is the same result for users
>> other than the Administrator (which is the same I use to check the user
>> information).
>> The problem is that ldap_bind returns true to openupload ... (and that's
>> pretty odd), with an openldap backend everything is good...
>>
>> I'll investigate and let you know. Once I figure this out will be
>> releasing a 0.4.1 version.
>>
>> Alessandro
>>
>> Weir, Jason wrote:
>>> Yes - if first login is successful subsequent logins succeed no
>>> matter what the password is - but Open Upload is passing whatever
>>> password I use to AD because after 5 bad passwords my account gets
>>> locked out..
>>>
>>> 1. I'm part of the Open Upload admins group and the ACL looks like
>>> allow everything
>>> 2. PHP Version 5.2.9-0.dotdeb.2
>>> 3. ok
>>> 4. Windows 2K3 - other apps that I do LDAP auth on seem to work fine
>>> 5. like this?
>>>
>>> 47 if (@ldap_bind($this->ds, $uid, $password)) {
>>> 48     $this->disconnect();
>>> 49     return true;
>>> 50 }
>>>
>>> 6. Nothing jumped out at me. Not much of any errors..
>>>
>>> this has to be cached somewhere persistent because I tried restarting
>>> the Open Upload server and clearing out my browser cache\cookies and
>>> it still accepts a blank\bad password. I even tried logging in from
>>> a different workstation using a different browser.
>>>
>>> I don't mind doing some testing if you can tell me what you need..
>>>
>>> Thanks,
>>> -Jason
>>> -----Original Message-----
>>> From: Alessandro Briosi [mailto:ts...@br...]
>>> Sent: Wed 8/26/2009 5:17 PM
>>> To: OpenUpload Delvel and General talk
>>> Subject: Re: [openupload-devel] LDAP Password\Group Issues
>>>
>>> Wow, that's pretty bad.
>>>
>>> You mean that if the first login is successful, then any subsequent
>>> logins succeed even with a wrong password? Or it always lets you in?
>>>
>>> With an LDAP server I have no such behaviour.
>>>
>>> These are some possibilities:
>>> 1. ACL problem, logout is not permitted (?)
>>> 2. ldap_bind always returns true, which would be odd (what version of
>>> php are you using?)
>>> 3. There is some strange session behaviour/bug
>>> 4. AD is somehow returning the wrong value for the LDAP query (very
>>> unlikely, what Windows Server is it? 2000/2003/2008)
>>> 5. Found out a missing disconnect in the ldap.inc.php
>>> line: 48 insert before 'return true;'
>>> $this->disconnect();
>>> 6. Maybe some php coding error? have you checked the apache logs?
>>>
>>> I need to check this, but will have to wait when I get around to an AD
>>> server first.
>>>
>>> Alessandro
>>>
>>> Weir, Jason wrote:
>>>> What I've found is after I log in for the first time I can
>>>> subsequently log off and back in with any password including a blank
>>>> password. OpenUpload lets me log in but I get an "invalid password"
>>>> failure audit in Active Directory - If I try it enough times my AD
>>>> account will get locked out. I never get an invalid password from
>>>> OpenUpload..
>>>>
>>>> Ideas?
>>>>
>>>> -----Original Message-----
>>>> From: Alessandro Briosi [mailto:ts...@br...]
>>>> Sent: Tuesday, August 18, 2009 11:59 AM
>>>> To: ope...@li...
>>>> Subject: Re: [openupload-devel] LDAP Password\Group Issues
>>>>
>>>>
>>>> Hi,
>>>> I definitely need to write some documentation on this one :)
>>>>
>>>> Weir, Jason wrote:
>>>>> I've got OpenUpload installed on a Debian machine authenticating to
>>>>> Win2K3 AD via LDAP - I'm seeing a couple issues.
>>>>>
>>>>> 1. Does OpenUpload cache the passwords - after I did a password
>>>>> change I could no longer log in unless I used the old password.
>>>> No, it only authenticates the user against AD at the login and then
>>>> checks for the user information with the user specified in the
>>>> configuration (the user remains authenticated until the logout or
>>>> session expires)
>>>> OpenUpload uses the standard ldap functions to authenticate, so probably
>>>> it must be something with AD or Linux caching...
>
>
|
|
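As an added example (not OpenUpload's own code), here is the shape a hardened authenticate() would take given what the thread established: refuse an empty password before binding, undo magic quotes only when PHP actually added them, escape the login only where it is placed into a DN and never touch the password, and always unbind afterwards. The $config keys 'uri', 'type', 'domain', 'ufield' and 'userdn' and the helper names are assumptions modelled on the names used in the thread.

```php
<?php
// Added example, not OpenUpload's code. The $config keys and helper names are
// assumptions modelled on the names used in the thread.

// RFC 4514 escaping for one attribute value inside a DN. Only the DN needs
// this; the password is a bind credential and is never escaped (escaping it
// changes the credential, so a correct password would then be rejected).
function dn_value_escape($value) {
    $value = str_replace(
        array('\\',   ',',    '+',    '"',    '<',    '>',    ';',    "\x00"),
        array('\\5c', '\\2c', '\\2b', '\\22', '\\3c', '\\3e', '\\3b', '\\00'),
        $value
    );
    // a leading '#' and leading/trailing spaces are significant in a DN
    if ($value !== '' && $value[0] === '#') {
        $value = '\\23' . substr($value, 1);
    }
    if ($value !== '' && $value[0] === ' ') {
        $value = '\\20' . substr($value, 1);
    }
    if ($value !== '' && substr($value, -1) === ' ') {
        $value = substr($value, 0, -1) . '\\20';
    }
    return $value;
}

// Undo magic_quotes_gpc only when it is actually on. An unconditional
// stripslashes() corrupts a password that legitimately contains a backslash
// on a server where magic quotes are off; on PHP 8 the function no longer
// exists and there is nothing to undo.
function undo_magic_quotes($value) {
    if (function_exists('get_magic_quotes_gpc') && @get_magic_quotes_gpc()) {
        return stripslashes($value);
    }
    return $value;
}

// Returns true only when the directory accepted the user's own credentials.
function ldap_authenticate(array $config, $login, $password) {
    $login    = undo_magic_quotes($login);
    $password = undo_magic_quotes($password);

    // Refuse an empty password before binding: AD accepts a bind with a name
    // and an empty password as an unauthenticated (anonymous) bind and reports
    // success, which is exactly the "any password works" symptom.
    if ($login === '' || $password === '') {
        return false;
    }

    if ($config['type'] === 'AD') {
        // userPrincipalName form: DN escaping does not apply. The only
        // structural character is the '@' we append, so refuse a login that
        // carries its own '@' or control characters.
        if (preg_match('/[\x00-\x1f\x7f@]/', $login)) {
            return false;
        }
        $bindDn = $login . '@' . $config['domain'];
    } else {
        $bindDn = $config['ufield'] . '=' . dn_value_escape($login)
                . ',' . $config['userdn'];
    }

    // 'uri' is an assumed key, e.g. 'ldap://dc.example.internal' (constructed)
    $ds = @ldap_connect($config['uri']);
    if ($ds === false) {
        return false;
    }
    ldap_set_option($ds, LDAP_OPT_PROTOCOL_VERSION, 3);
    ldap_set_option($ds, LDAP_OPT_REFERRALS, 0);   // AD chases referrals otherwise

    // The password reaches the server exactly as the user typed it; the
    // strict comparison guards against a truthy non-boolean return.
    $ok = (@ldap_bind($ds, $bindDn, $password) === true);

    // Always drop the connection so a later call can never reuse a bound
    // session (the missing disconnect raised in the thread).
    ldap_unbind($ds);
    return $ok;
}
```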
From: Alessandro B. <ts...@br...> - 2009-08-27 13:25:10
|
Just to be sure, you are doing a log out right?
Alessandro
Alessandro Briosi wrote:
> Jason,
> I have done other tests with the addcslashes, the fact is that php
> already escapes the ' \ etc, so the solution I found is to use the
> stripslashes function. This should fix the problem (at least it does
> using ' \ ! and space which I tested)
>
> I, though, do not encounter the authentication succeeding after a logout
> and login again with a wrong password (!?), which seems to be the
> correct thing. And in the Win log I do see the wrong or good access
> registered.
>
> This should work.
>
> function authenticate($login,$password) {
>     $result = false;
>     $this->disconnect();
>     if ($this->connect()) {
>         if ($this->config['type'] != 'AD') {
>             $uid = $this->ufield.'='.$login.','.$this->config['userdn'];
>         } else {
>             $uid = $login.'@'.$this->config['domain'];
>         }
>         if ($uid!=NULL and $password!=NULL) {
>             /* prevent injection (?), and special chars, thanks to Jason Weir */
>             $uid = stripslashes($uid);
>             $password = stripslashes($password);
>             if (@ldap_bind($this->ds, $uid, $password)===TRUE) {
>                 $result = true;
>             }
>         }
>         $this->disconnect();
>     }
>     return $result;
> }
>
> Alessandro
>
> Weir, Jason wrote:
>> That seems to have fixed the blank password problem but I can still
>> log in with any non-blank password.
>>
>> I am no longer getting locked out and I don't see the password failure
>> messages in AD any more - it looks like after I am logged in the first
>> time it never authenticates against AD again..
>>
>> Looks like $passwords should be $password on line 54
>>
>> I still have an issue with addcslashes - I had to use addslashes.
>>
>> With addcslashes I always get an invalid password message and my AD
>> account gets locked out after 5 tries.
>>
>> Can you test with a password that has spaces and special characters
>> specifically single quote and exclamation mark and see if you see the
>> same thing.
>>
>> Thanks!
>>
>> -J
>> -----Original Message-----
>> From: Alessandro Briosi [mailto:ts...@br...]
>> Sent: Thursday, August 27, 2009 6:42 AM
>> To: OpenUpload Delvel and General talk
>> Subject: Re: [openupload-devel] LDAP Password\Group Issues
>>
>>
>> Hi Jason,
>> could you confirm that this fixes the problem?
>> I found out that the real problem should be an empty password (?)... and
>> maybe the missing disconnect.
>>
>> This will not allow users with empty password to access (which is pretty
>> reasonable)
>>
>> Change the authenticate method in the ldap.inc.php with this one:
>>
>> function authenticate($login,$password) {
>>     $result = false;
>>     $this->disconnect();
>>     if ($this->connect()) {
>>         if ($this->config['type'] != 'AD') {
>>             $uid = $this->ufield.'='.$login.','.$this->config['userdn'];
>>         } else {
>>             $uid = $login.'@'.$this->config['domain'];
>>         }
>>         if ($uid!=NULL and $password!=NULL) {
>>             /* prevent injection, thanks to Jason Weir */
>>             $uid = addcslashes($uid, '!\',+"\\<>;*');
>>             $passwords = addcslashes($password, '!\',+"\\<>;*');
>>             if (@ldap_bind($this->ds, $uid, $password)===TRUE) {
>>                 $result = true;
>>             }
>>         }
>>         $this->disconnect();
>>     }
>>     return $result;
>> }
>>
>> Let me know,
>> Alessandro
>>
>> Alessandro Briosi wrote:
>>> Hi Jason,
>>> I'm testing against an AD, and what I get is the same result for users
>>> other than the Administrator (which is the same I use to check the user
>>> information).
>>> The problem is that ldap_bind returns true to openupload ... (and that's
>>> pretty odd), with an openldap backend everything is good...
>>>
>>> I'll investigate and let you know. Once I figure this out will be
>>> releasing a 0.4.1 version.
>>>
>>> Alessandro
>>>
>>> Weir, Jason wrote:
>>>> Yes - if first login is successful subsequent logins succeed no
>>>> matter what the password is - but Open Upload is passing whatever
>>>> password I use to AD because after 5 bad passwords my account gets
>>>> locked out..
>>>>
>>>> 1. I'm part of the Open Upload admins group and the ACL looks like
>>>> allow everything
>>>> 2. PHP Version 5.2.9-0.dotdeb.2
>>>> 3. ok
>>>> 4. Windows 2K3 - other apps that I do LDAP auth on seem to work fine
>>>> 5. like this?
>>>>
>>>> 47 if (@ldap_bind($this->ds, $uid, $password)) {
>>>> 48     $this->disconnect();
>>>> 49     return true;
>>>> 50 }
>>>>
>>>> 6. Nothing jumped out at me. Not much of any errors..
>>>>
>>>> this has to be cached somewhere persistent because I tried restarting
>>>> the Open Upload server and clearing out my browser cache\cookies and
>>>> it still accepts a blank\bad password. I even tried logging in from
>>>> a different workstation using a different browser.
>>>>
>>>> I don't mind doing some testing if you can tell me what you need..
>>>>
>>>> Thanks,
>>>> -Jason
>>>> -----Original Message-----
>>>> From: Alessandro Briosi [mailto:ts...@br...]
>>>> Sent: Wed 8/26/2009 5:17 PM
>>>> To: OpenUpload Delvel and General talk
>>>> Subject: Re: [openupload-devel] LDAP Password\Group Issues
>>>>
>>>> Wow, that's pretty bad.
>>>>
>>>> You mean that if the first login is successful, then any subsequent
>>>> logins succeed even with a wrong password? Or it always lets you in?
>>>>
>>>> With an LDAP server I have no such behaviour.
>>>>
>>>> These are some possibilities:
>>>> 1. ACL problem, logout is not permitted (?)
>>>> 2. ldap_bind always returns true, which would be odd (what version of
>>>> php are you using?)
>>>> 3. There is some strange session behaviour/bug
>>>> 4. AD is somehow returning the wrong value for the LDAP query (very
>>>> unlikely, what Windows Server is it? 2000/2003/2008)
>>>> 5. Found out a missing disconnect in the ldap.inc.php
>>>> line: 48 insert before 'return true;'
>>>> $this->disconnect();
>>>> 6. Maybe some php coding error? have you checked the apache logs?
>>>>
>>>> I need to check this, but will have to wait when I get around to an AD
>>>> server first.
>>>>
>>>> Alessandro
>>>>
>>>> Weir, Jason wrote:
>>>>> What I've found is after I log in for the first time I can
>>>>> subsequently log off and back in with any password including a blank
>>>>> password. OpenUpload lets me log in but I get an "invalid password"
>>>>> failure audit in Active Directory - If I try it enough times my AD
>>>>> account will get locked out. I never get an invalid password from
>>>>> OpenUpload..
>>>>>
>>>>> Ideas?
>>>>>
>>>>> -----Original Message-----
>>>>> From: Alessandro Briosi [mailto:ts...@br...]
>>>>> Sent: Tuesday, August 18, 2009 11:59 AM
>>>>> To: ope...@li...
>>>>> Subject: Re: [openupload-devel] LDAP Password\Group Issues
>>>>>
>>>>>
>>>>> Hi,
>>>>> I definitely need to write some documentation on this one :)
>>>>>
>>>>> Weir, Jason wrote:
>>>>>> I've got OpenUpload installed on a Debian machine authenticating to
>>>>>> Win2K3 AD via LDAP - I'm seeing a couple issues.
>>>>>>
>>>>>> 1. Does OpenUpload cache the passwords - after I did a password
>>>>>> change I could no longer log in unless I used the old password.
>>>>> No, it only authenticates the user against AD at the login and then
>>>>> checks for the user information with the user specified in the
>>>>> configuration (the user remains authenticated until the logout or
>>>>> session expires)
>>>>> OpenUpload uses the standard ldap functions to authenticate, so probably
>>>>> it must be something with AD or Linux caching...
>>
|
|
From: Alessandro B. <ts...@br...> - 2009-08-27 14:09:47
|
Ok, this is related to magic quotes ...
I think they should be disabled ... I'll check how to do it
programmatically.
Alessandro
Alessandro Briosi wrote:
> Just to be sure, you are doing a log out right?
>
> Alessandro
>
> Alessandro Briosi wrote:
>> Jason,
>> I have done other tests with the addcslashes, the fact is that php
>> already escapes the ' \ etc, so the solution I found is to use the
>> stripslashes function. This should fix the problem (at least it does
>> using ' \ ! and space which I tested)
>>
>> I, though, do not encounter the authentication succeeding after a logout
>> and login again with a wrong password (!?), which seems to be the
>> correct thing. And in the Win log I do see the wrong or good access
>> registered.
>>
>> This should work.
>>
>> function authenticate($login,$password) {
>>     $result = false;
>>     $this->disconnect();
>>     if ($this->connect()) {
>>         if ($this->config['type'] != 'AD') {
>>             $uid = $this->ufield.'='.$login.','.$this->config['userdn'];
>>         } else {
>>             $uid = $login.'@'.$this->config['domain'];
>>         }
>>         if ($uid!=NULL and $password!=NULL) {
>>             /* prevent injection (?), and special chars, thanks to Jason Weir */
>>             $uid = stripslashes($uid);
>>             $password = stripslashes($password);
>>             if (@ldap_bind($this->ds, $uid, $password)===TRUE) {
>>                 $result = true;
>>             }
>>         }
>>         $this->disconnect();
>>     }
>>     return $result;
>> }
>>
>> Alessandro
>>
>> Weir, Jason ha scritto:
>>> That seems to have fixed the blank password problem but I can still
>>> login with any non-blank password.
>>>
>>> I am no longer getting locked out and I don't see the password failure
>>> messages in AD any more - it looks like after I am logged in the first
>>> time it never authenticates against AD again..
>>>
>>> Looks like $passwords should be $password on line 54
>>>
>>> I still have an issue with addcslashes - I had to use addslashes.
>>>
>>> With addcslashes I always get an invalid password message and my AD
>>> account gets locked out after 5 tries.
>>>
>>> Can you test with a password that has spaces and special characters
>>> specifically single quote and exclamation mark and see if you see the
>>> same thing.
>>>
>>> Thanks!
>>>
>>> -J
>>> -----Original Message-----
>>> From: Alessandro Briosi [mailto:ts...@br...]
>>> Sent: Thursday, August 27, 2009 6:42 AM
>>> To: OpenUpload Delvel and General talk
>>> Subject: Re: [openupload-devel] LDAP Password\Group Issues
>>>
>>>
>>> Hi Jason,
>>> could you confirm that this fixes the problem?
>>> I found out that the real problem should be an empty password (?)... and
>>> maybe the missing disconnect.
>>>
>>> This will not allow users with empty password to access (which is pretty
>>> reasonable)
>>>
>>> Change the authenticate method in the ldap.inc.php with this one:
>>>
>>> function authenticate($login,$password) {
>>>     $result = false;
>>>     $this->disconnect();
>>>     if ($this->connect()) {
>>>         if ($this->config['type'] != 'AD') {
>>>             $uid = $this->ufield.'='.$login.','.$this->config['userdn'];
>>>         } else {
>>>             $uid = $login.'@'.$this->config['domain'];
>>>         }
>>>         if ($uid!=NULL and $password!=NULL) {
>>>             /* prevent injection, thanks to Jason Weir */
>>>             $uid = addcslashes($uid, '!\',+"\\<>;*');
>>>             $passwords = addcslashes($password, '!\',+"\\<>;*');
>>>             if (@ldap_bind($this->ds, $uid, $password)===TRUE) {
>>>                 $result = true;
>>>             }
>>>         }
>>>         $this->disconnect();
>>>     }
>>>     return $result;
>>> }
>>>
>>> Let me know,
>>> Alessandro
>>>
>>> Alessandro Briosi ha scritto:
>>>> Hi Jason,
>>>> I'm testing against an AD, and what I get is the same result for users
>>>> other than the Administrator (which is the same I use to check the user
>>>> information).
>>>> The problem is that ldap_bind returns true to openupload ... (and that's
>>>> pretty odd), with an openldap backend everything is good...
>>>>
>>>> I'll investigate and let you know. Once I figure this out will be
>>>> releasing a 0.4.1 version.
>>>>
>>>> Alessandro
>>>>
>>>> Weir, Jason ha scritto:
>>>>> Yes - if first login is successful subsequent logins succeed no
>>>>> matter what the password is - but Open Upload is passing whatever
>>>>> password I use to AD because after 5 bad passwords my account gets
>>>>> locked out..
>>>>>
>>>>> 1. I'm part of the Open Upload admins group and the ACL looks like
>>>>> allow everything
>>>>> 2. PHP Version 5.2.9-0.dotdeb.2
>>>>> 3. ok
>>>>> 4. Windows 2K3 - other apps that I do LDAP auth on seem to work fine
>>>>> 5. like this?
>>>>>
>>>>> 47 if (@ldap_bind($this->ds, $uid, $password)) {
>>>>> 48 $this->disconnect();
>>>>> 49 return true;
>>>>> 50 }
>>>>>
>>>>> 6. Nothing jumped out at me. Not much of any errors..
>>>>>
>>>>> This has to be cached somewhere persistent because I tried restarting
>>>>> the Open Upload server and clearing out my browser cache\cookies and
>>>>> it still accepts a blank\bad password. I even tried logging in from
>>>>> a different workstation using a different browser.
>>>>>
>>>>> I don't mind doing some testing if you can tell me what you need..
>>>>>
>>>>> Thanks,
>>>>> -Jason
>>>>> -----Original Message-----
>>>>> From: Alessandro Briosi [mailto:ts...@br...]
>>>>> Sent: Wed 8/26/2009 5:17 PM
>>>>> To: OpenUpload Delvel and General talk
>>>>> Subject: Re: [openupload-devel] LDAP Password\Group Issues
>>>>>
>>>>> Wow, that's pretty bad.
>>>>>
>>>>> You mean that if the first login is successful, then any subsequent
>>>>> logins succeed even with a wrong password? Or it always lets you in?
>>>>>
>>>>> With LDAP server I have no such behaviour.
>>>>>
>>>>> These are some possibilities:
>>>>> 1. ACL problem, logout is not permitted (?)
>>>>> 2. ldap_bind always returns true, which would be odd (what version of
>>>>> php are you using?)
>>>>> 3. There is some strange session behaviour/bug
>>>>> 4. AD is somehow returning the wrong value for the LDAP query (very
>>>>> unlikely, what Windows Server is it? 2000/2003/2008)
>>>>> 5. Found out a missing disconnect in the ldap.inc.php
>>>>> line: 48 insert before 'return true;'
>>>>>     $this->disconnect();
>>>>> 6. Maybe some php coding error? Have you checked the apache logs?
>>>>>
>>>>> I need to check this, but will have to wait when I get around to an AD
>>>>> server first.
>>>>>
>>>>> Alessandro
>>>>>
>>>>> Weir, Jason ha scritto:
>>>>>> What I've found is after I log in for the first time I can
>>>>>> subsequently log off and back in with any password including a blank
>>>>>> password. OpenUpload lets me log in but I get an "invalid password"
>>>>>> failure audit in Active Directory - If I try it enough times my AD
>>>>>> account will get locked out. I never get an invalid password from
>>>>>> OpenUpload..
>>>>>>
>>>>>> Ideas?
>>>>>>
>>>>>> -----Original Message-----
>>>>>> From: Alessandro Briosi [mailto:ts...@br...]
>>>>>> Sent: Tuesday, August 18, 2009 11:59 AM
>>>>>> To: ope...@li...
>>>>>> Subject: Re: [openupload-devel] LDAP Password\Group Issues
>>>>>>
>>>>>>
>>>>>> Hi,
>>>>>> I definitely need to write some documentation on this one :)
>>>>>>
>>>>>>
>>>>>> Weir, Jason ha scritto:
>>>>>>> I've got OpenUpload installed on a Debian machine authenticating to
>>>>>>> Win2K3 AD via LDAP - I'm seeing a couple issues.
>>>>>>>
>>>>>>> 1. Does OpenUpload cache the passwords - after I did a password
>>>>>>> change I could no longer log in unless I used the old password.
>>>>>> No, it only authenticates the user against AD at the login and then
>>>>>> checks for the user information with the user specified in the
>>>>>> configuration (the user remains authenticated until the logout or
>>>>>> session expires)
>>>>>> OpenUpload uses the standard ldap functions to authenticate, so probably
>>>>>> it must be something with AD or Linux caching...
|
|
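A hardened authenticate() in the shape of the method quoted above, as an added example (not code from OpenUpload or from either poster): it refuses an empty password before binding, because a simple bind with a DN and an empty password is an unauthenticated bind that servers including AD accept, which is why ldap_bind() returned true for a blank password; it DN-escapes the login instead of mangling the password; and it always disconnects. config['type'], config['userdn'], config['domain'], ufield and ds come from the quoted code; the class name, config['host'], connect()'s body and the escaping helper are assumptions.

```php
<?php
// Added example, not OpenUpload's own code: a hardened authenticate() in the
// shape of the method quoted in this thread. config['type'|'userdn'|'domain'],
// ufield and ds come from the quoted code; config['host'], connect()'s body
// and the DN-escaping helper are assumptions.

class LdapAuth
{
    private $config;
    private $ufield;
    private $ds = null;

    public function __construct(array $config, $ufield = 'uid')
    {
        $this->config = $config;
        $this->ufield = $ufield;
    }

    public function connect()
    {
        $this->ds = @ldap_connect($this->config['host']);
        if ($this->ds === false) {
            return false;
        }
        // AD needs protocol version 3; chasing referrals only hides errors.
        ldap_set_option($this->ds, LDAP_OPT_PROTOCOL_VERSION, 3);
        ldap_set_option($this->ds, LDAP_OPT_REFERRALS, 0);
        return true;
    }

    public function disconnect()
    {
        if ($this->ds) {
            @ldap_unbind($this->ds);
            $this->ds = null;
        }
    }

    /** Escape one attribute value for use inside a DN (RFC 4514 s.2.4). */
    public static function escapeDnValue($value)
    {
        $out = '';
        for ($i = 0, $n = strlen($value); $i < $n; $i++) {
            $c = $value[$i];
            $o = ord($c);
            if (strpos(',+"\\<>;=', $c) !== false
                || ($c === ' ' && ($i === 0 || $i === $n - 1))
                || ($c === '#' && $i === 0)) {
                $out .= '\\' . $c;               // backslash-escape specials
            } elseif ($o < 0x20 || $o > 0x7e) {
                $out .= sprintf('\\%02x', $o);   // hex-escape non-printables
            } else {
                $out .= $c;
            }
        }
        return $out;
    }

    public function authenticate($login, $password)
    {
        // A simple bind with a DN and an empty password is an unauthenticated
        // bind (RFC 4513 s.5.1.2), which servers including AD accept: that is
        // why ldap_bind() returned true for a blank password. Refuse it before
        // any network traffic, with === so that "0" still counts as a password.
        // NUL bytes would truncate the C string handed to libldap.
        if (!is_string($login) || !is_string($password)
            || $login === '' || $password === ''
            || strpos($login, "\0") !== false
            || strpos($password, "\0") !== false) {
            return false;
        }
        $result = false;
        $this->disconnect();
        if ($this->connect()) {
            if ($this->config['type'] !== 'AD') {
                // The login becomes a DN component, so DN-escape the login.
                $uid = $this->ufield . '=' . self::escapeDnValue($login)
                     . ',' . $this->config['userdn'];
            } else {
                // AD binds with a UPN whose local part cannot contain '@'.
                $uid = strpos($login, '@') === false
                     ? $login . '@' . $this->config['domain'] : null;
            }
            // The password is a credential, not DN or filter text, so it is
            // sent exactly as typed: addslashes()/addcslashes() change its
            // value and make every bind fail (and lock the AD account).
            if ($uid !== null
                && @ldap_bind($this->ds, $uid, $password) === true) {
                $result = true;
            }
            $this->disconnect();
        }
        return $result;
    }
}
```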
From: Weir, J. <jas...@nh...> - 2009-08-27 14:03:31
|
Looks like that did it - now it acts as it should.
With a blank password it does not try to authenticate - no invalid
password in the AD log
With an invalid password it returns invalid password and does not log me
in - see invalid password in the AD log
With a valid password it logs in successfully - see a valid login in the
AD log.
Thanks for taking care of this.
-J
-----Original Message-----
From: Alessandro Briosi [mailto:ts...@br...]
Sent: Thursday, August 27, 2009 9:23 AM
To: OpenUpload Delvel and General talk
Subject: Re: [openupload-devel] LDAP Password\Group Issues
Jason,
I have done other tests with the addcslashes, the fact is that PHP
already escapes the ' \ etc, so the solution I found is to use the
stripslashes function. This should fix the problem (at least it does
using ' \ ! and space which I tested)
I do not, though, encounter the authentication succeeding after a logout
and login again with a wrong password (!?), which seems to be the
correct thing. And in the Win log I do see the wrong or good access
registered.
This should work.
function authenticate($login,$password) {
    $result = false;
    $this->disconnect();
    if ($this->connect()) {
        if ($this->config['type'] != 'AD') {
            $uid = $this->ufield.'='.$login.','.$this->config['userdn'];
        } else {
            $uid = $login.'@'.$this->config['domain'];
        }
        if ($uid!=NULL and $password!=NULL) {
            /* prevent injection (?), and special chars, thanks to Jason Weir */
            $uid = stripslashes($uid);
            $password = stripslashes($password);
            if (@ldap_bind($this->ds, $uid, $password)===TRUE) {
                $result = true;
            }
        }
        $this->disconnect();
    }
    return $result;
}
Alessandro
|
From: Alessandro B. <ts...@br...> - 2009-08-27 14:10:51
|
Great, I'll need to have a check with magic quotes, to overcome the
slashes behaviour in the password, but probably will have to do it
outside the ldap module.
Just to be sure, do you have magic quotes on in your php.ini?
They are deprecated so I should definitely check this out. Applying a
stripslashes when magic quotes are off could lead to the opposite problem :(
Alessandro
Weir, Jason ha scritto:
> Looks like that did it - now it acts as it should.
>
> With a blank password it does not try to authenticate - no invalid
> password in the AD log
> With an invalid password it returns invalid password and does not log me
> in - see invalid password in the AD log
> With a valid password it logs in successfully - see a valid login in the
> AD log.
>
> Thanks for taking care of this.
>
> -J
>
|
|
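Alessandro says above that magic quotes should be disabled programmatically and, in his later reply, that a stripslashes() with magic quotes off would cause the opposite problem. As an added example (not OpenUpload's or either poster's code), the following undoes magic_quotes_gpc once at request entry, only when PHP actually added the slashes, and shows the corruption an unconditional stripslashes() causes; the sample password is constructed.

```php
<?php
// Added example, not OpenUpload's own code. It undoes magic_quotes_gpc once,
// at request entry, so that ldap.inc.php can pass the password through
// untouched. magic_quotes_gpc is a PHP_INI_PERDIR setting: ini_set() cannot
// turn it off from a script, only php.ini or .htaccess can, so the slashes
// have to be reversed rather than prevented.

/** Recursively remove the backslashes magic_quotes_gpc added to GPC data. */
function strip_magic_quotes($value)
{
    if (is_array($value)) {
        return array_map('strip_magic_quotes', $value);
    }
    return is_string($value) ? stripslashes($value) : $value;
}

/**
 * Strip only when PHP actually added the slashes. Returns true when the
 * superglobals were rewritten, false when they were already raw.
 * get_magic_quotes_gpc() exists up to PHP 7.4 (and always returns 0 from
 * PHP 5.4 on, where the feature is gone).
 */
function undo_magic_quotes_gpc()
{
    if (!function_exists('get_magic_quotes_gpc') || !get_magic_quotes_gpc()) {
        return false;
    }
    $_GET     = strip_magic_quotes($_GET);
    $_POST    = strip_magic_quotes($_POST);
    $_COOKIE  = strip_magic_quotes($_COOKIE);
    $_REQUEST = strip_magic_quotes($_REQUEST);
    return true;
}

/**
 * Model what the login form's password looks like to the script under both
 * ini settings, and what an unconditional stripslashes() does to each.
 * Returns both results so they can be compared with what the user typed.
 */
function stripslashes_outcomes($typed)
{
    $arrives_on  = addslashes($typed); // magic_quotes_gpc = On escapes ' " \ NUL
    $arrives_off = $typed;             // magic_quotes_gpc = Off: raw bytes
    return array(
        'on'  => stripslashes($arrives_on),  // undoes exactly what PHP added
        'off' => stripslashes($arrives_off), // removes backslashes the user typed
    );
}

// Constructed sample password with the characters Jason reported trouble with.
$typed = "it's a \\ tricky!pass word";
$out   = stripslashes_outcomes($typed);
printf("magic_quotes_gpc=On  + stripslashes: %s\n",
       $out['on'] === $typed ? 'intact' : 'CORRUPTED');
printf("magic_quotes_gpc=Off + stripslashes: %s (%s)\n",
       $out['off'] === $typed ? 'intact' : 'CORRUPTED', $out['off']);
```

With the setting On the round trip is exact; with it Off the user's backslash is silently removed and the bind fails for a password that is in fact correct.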
From: Weir, J. <jas...@nh...> - 2009-08-27 14:17:46
|
Here is what my php.ini says:
; Magic quotes for incoming GET/POST/Cookie data.
magic_quotes_gpc = On
; Magic quotes for runtime-generated data, e.g. data from SQL, from exec(), etc.
magic_quotes_runtime = Off
; Use Sybase-style magic quotes (escape ' with '' instead of \').
magic_quotes_sybase = Off
I see that it's deprecated in PHP 5.3.0 and removed from 6.0 altogether.
Should I disable it and we will go from there?
-J
-----Original Message-----
From: Alessandro Briosi [mailto:ts...@br...]
Sent: Thursday, August 27, 2009 10:11 AM
To: OpenUpload Delvel and General talk
Subject: Re: [openupload-devel] LDAP Password\Group Issues
Great, I'll need to have a check with magic quotes, to overcome the
slashes behaviour in the password, but probably will have to do it
outside the ldap module.
Just to be sure, do you have magic quotes on in your php.ini? They are
deprecated so I should definitely check this out. Applying a
stripslashes when magic quotes are off could lead to the opposite
problem :(
Alessandro
Weir, Jason ha scritto:
> Looks like that did it - now it acts as it should.
>
> With a blank password it does not try to authenticate - no invalid
> password in the AD log With a invalid password it return invalid
> password and does not log me in - see invalid password in the AD log
> With a valid password it logs in successfully - see a valid login in
the
> AD log.
>
> Thanks for taking care of this.
>
> -J
>
> -----Original Message-----
> From: Alessandro Briosi [mailto:ts...@br...]
> Sent: Thursday, August 27, 2009 9:23 AM
> To: OpenUpload Delvel and General talk
> Subject: Re: [openupload-devel] LDAP Password\Group Issues
>
>
> Jason,
> I have done other tests with the addcslashes, the fact is that php
> already escapes the ' \ etc, so the solution I found is to use the
> stripslashes function. this should fix the problem (at least it does
> using ' \ ! and space which I tested)
>
> I though do not encounter the authentication succeeding after a logout
> and login again with a wrong password (!?), which seems to be the
> corretct thing. And in the Win log I do see the wrong or good access
> registered.
>
> This should work.
>
> function authenticate($login,$password) {
> $result = false;
> $this->disconnect();
> if ($this->connect()) {
> if ($this->config['type'] != 'AD') {
> $uid = $this->ufield.'='.$login.','.$this->config['userdn'];
> } else {
> $uid = $login.'@'.$this->config['domain'];
> }
> if ($uid!=NULL and $password!=NULL) {
> /* prevent injection (?), and special chars, thanks to Jason
> Weir */
> $uid = stripslashes($uid);
> $password = stripslashes($password);
> if (@ldap_bind($this->ds, $uid, $password)===TRUE) {
> $result = true;
> }
> }
> $this->disconnect();
> }
> return $result;
> }
>
> Alessandro
>
> Weir, Jason ha scritto:
>> That seems to have fixed the blank password problem but I can still
>> login with any non-blank password.
>>
>> I am no longer getting locked out and I don't see the password
>> failure
>
>> messages in AD any more - it looks like after I am logged in the
>> first
>
>> time it never authenticates against AD again..
>>
>> Looks like $passwords should be $password on line 54
>>
>> I still have an issue with addcslashes - I had to use addslashes.
>>
>> With addcslashes I always get a invalid password message and my AD
>> account gets locked out after 5 tries.
>>
>> Can you test with a password that has spaces and special characters
>> specifically single quote and exclamation mark and see if you see the
>> same thing.
>>
>> Thanks!
>>
>> -J
>> -----Original Message-----
>> From: Alessandro Briosi [mailto:ts...@br...]
>> Sent: Thursday, August 27, 2009 6:42 AM
>> To: OpenUpload Delvel and General talk
>> Subject: Re: [openupload-devel] LDAP Password\Group Issues
>>
>>
>> Hi Jason,
>> could you confirm that this fixes the problem?
>> I found out that the real problem should be an empty password (?)...
>> and
>>
>> maybe the missing disconnect.
>>
>> This will not allow users with empty password to access (which is
>> pretty
>>
>> resonable)
>>
>> Change the authenticate method in the ldap.inc.php with this one:
>>
>> function authenticate($login,$password) {
>> $result = false;
>> $this->disconnect();
>> if ($this->connect()) {
>> if ($this->config['type'] != 'AD') {
>> $uid = $this->ufield.'='.$login.','.$this->config['userdn'];
>> } else {
>> $uid = $login.'@'.$this->config['domain'];
>> }
>> if ($uid!=NULL and $password!=NULL) {
>> /* prevent injection, thanks to Jason Weir */
>> $uid = addcslashes($uid, '!\',+"\\<>;*');
>> $passwords = addcslashes($password, '!\',+"\\<>;*');
>> if (@ldap_bind($this->ds, $uid, $password)===TRUE) {
>> $result = true;
>> }
>> }
>> $this->disconnect();
>> }
>> return $result;
>> }
>>
>> Let me know,
>> Alessandro
>>
>> Alessandro Briosi ha scritto:
>>> Hi Jason,
>>> I'm testing against an AD, and what I get is the same result for
>>> users other than the Administrator (which is the same I use to check
>>> the
>> user
>>> information).
>>> The problem is that ldap_bind returns true to openupload ... (and
>> that's
>>> pretty odd), with an openldap backend everything is good...
>>>
>>> I'll investigate and let you know. Once I figure this out will be
>>> releasing a 0.4.1 version.
>>>
>>> Alessandro
>>>
>>> Weir, Jason ha scritto:
>>>> Yes - if first login is successful subsequent logins succeed no
>>>> matter what the password is - but Open Upload is passing whatever
>>>> password I use to AD because after 5 bad passwords my account gets
>>>> locked out..
>>>>
>>>> 1. I'm part of the Open Upload admins group and the ACL looks like
>>>> allow everything 2. PHP Version 5.2.9-0.dotdeb.2 3. ok 4. Windows
>>>> 2K3 - other apps that I do LDAP auth on seem to work fine 5. like
>>>> this?
>>>>
>>>> 47 if (@ldap_bind($this->ds, $uid, $password)) {
>>>> 48 $this->disconnect();
>>>> 49 return true;
>>>> 50 }
>>>>
>>>> 6. Nothing jumped out at me. Not much of any errors..
>>>>
>>>> this has to be cached somewhere persistent because I tried
>>>> restarting
>>>> the Open Upload server and clearing out my browser cache\cookies
and
>>>> it still accepts a blank\bad password. I even tried logging in
from
>
>>>> a different workstation using a different browser.
>>>>
>>>> I don't mind doing some testing if you can tell me what you need..
>>>>
>>>> Thanks,
>>>> -Jason
>>>> -----Original Message-----
>>>> From: Alessandro Briosi [mailto:ts...@br...]
>>>> Sent: Wed 8/26/2009 5:17 PM
>>>> To: OpenUpload Delvel and General talk
>>>> Subject: Re: [openupload-devel] LDAP Password\Group Issues
>>>>
>>>> Wow, that's pretty bad.
>>>>
>>>> You mean that if the first login is successful, then any
>>>> subsequent logins succeed even with a wrong password? Or it always
>>>> lets you in?
>>>>
>>>> With LDAP server I have no such behaviour.
>>>>
>>>> These are some possibilities:
>>>> 1. ACL problem, logout is not permitted (?)
>>>> 2. ldap_bind always returns true, which would be odd (what version
>>>> of php are you using?)
>>>> 3. There is some strange session behaviour/bug
>>>> 4. AD is somehow returning the wrong value for the LDAP query (very
>>>> unlikely, what Windows Server is it? 2000/2003/2008)
>>>> 5. Found out a missing disconnect in the ldap.inc.php
>>>> line: 48 insert before 'return true;'
>>>> $this->disconnect();
>>>> 6. Maybe some php coding error? have you checked the apache logs?
>>>>
>>>> I need to check this, but will have to wait when I get around to an
>>>> AD server first.
>>>>
>>>> Alessandro
>>>>
>>>> Weir, Jason wrote:
>>>>> What I've found is after I log in for the first time I can
>>>>> subsequently log off and back in with any password including a
>>>>> blank password. OpenUpload lets me log in but I get an "invalid password"
>>>>> failure audit in Active Directory - If I try it enough times my AD
>>>>> account will get locked out. I never get an invalid password from
>>>>> OpenUpload..
>>>>>
>>>>> Ideas?
>>>>>
>>>>> -----Original Message-----
>>>>> From: Alessandro Briosi [mailto:ts...@br...]
>>>>> Sent: Tuesday, August 18, 2009 11:59 AM
>>>>> To: ope...@li...
>>>>> Subject: Re: [openupload-devel] LDAP Password\Group Issues
>>>>>
>>>>>
>>>>> Hi,
>>>>> I definitely need to write some documentation on this one :)
>>>>>
>>>>>
>>>>> Weir, Jason wrote:
>>>>>> I've got OpenUpload installed on a Debian machine authenticating
>>>>>> to Win2K3 AD via LDAP - I'm seeing a couple issues.
>>>>>>
>>>>>> 1. Does OpenUpload cache the passwords - after I did a password
>>>>>> change I could no longer log in unless I used the old password.
>>>>> No, it only authenticates the user against AD at the login and
>>>>> then checks for the user information with the user specified in the
>>>>> configuration (the user remains authenticated until the logout or
>>>>> session expires) OpenUpload uses the standard ldap functions to
>>>>> authenticate, so probably
>>>>> it must be something with AD or Linux caching...
_____________________________________________________________________________________________
Please visit www.nhrs.org to subscribe to NHRS email announcements and updates.
From: Weir, J. <jas...@nh...> - 2009-08-27 14:27:44
I disabled magic quotes, restarted Apache and saw no difference in how it
acts - still working fine..
-J
-----Original Message-----
From: Weir, Jason [mailto:jas...@nh...]
Sent: Thursday, August 27, 2009 10:18 AM
To: OpenUpload Delvel and General talk
Subject: Re: [openupload-devel] LDAP Password\Group Issues
Here is what my php.ini says:
; Magic quotes for incoming GET/POST/Cookie data.
magic_quotes_gpc = On
; Magic quotes for runtime-generated data, e.g. data from SQL, from exec(), etc.
magic_quotes_runtime = Off
; Use Sybase-style magic quotes (escape ' with '' instead of \').
magic_quotes_sybase = Off
I see that it's deprecated in PHP 5.3.0 and removed from 6.0 altogether.
Should I disable it and we will go from there?
-J
-----Original Message-----
From: Alessandro Briosi [mailto:ts...@br...]
Sent: Thursday, August 27, 2009 10:11 AM
To: OpenUpload Delvel and General talk
Subject: Re: [openupload-devel] LDAP Password\Group Issues
Great, I'll need to have a check with magic quotes, to overcome the
slashes behaviour in the password, but probably will have to do it
outside the ldap module.
Just to be sure, do you have magic quotes on in your php.ini ? They are
deprecated so I should definitely check this out. Applying a
stripslashes when magic quotes are off could lead to the opposite
problem :(
Alessandro
Weir, Jason wrote:
> Looks like that did it - now it acts as it should.
>
> With a blank password it does not try to authenticate - no invalid
> password in the AD log.
> With an invalid password it returns invalid password and does not log
> me in - see invalid password in the AD log.
> With a valid password it logs in successfully - see a valid login in
> the AD log.
>
> Thanks for taking care of this.
>
> -J
>
> -----Original Message-----
> From: Alessandro Briosi [mailto:ts...@br...]
> Sent: Thursday, August 27, 2009 9:23 AM
> To: OpenUpload Delvel and General talk
> Subject: Re: [openupload-devel] LDAP Password\Group Issues
>
>
> Jason,
> I have done other tests with the addcslashes, the fact is that php
> already escapes the ' \ etc, so the solution I found is to use the
> stripslashes function. This should fix the problem (at least it does
> using ' \ ! and space which I tested)
>
> I do not, though, encounter the authentication succeeding after a logout
> and login again with a wrong password (!?), which seems to be the
> correct thing. And in the Win log I do see the wrong or good access
> registered.
>
> This should work.
>
> function authenticate($login,$password) {
>     $result = false;
>     $this->disconnect();
>     if ($this->connect()) {
>         if ($this->config['type'] != 'AD') {
>             $uid = $this->ufield.'='.$login.','.$this->config['userdn'];
>         } else {
>             $uid = $login.'@'.$this->config['domain'];
>         }
>         if ($uid!=NULL and $password!=NULL) {
>             /* prevent injection (?), and special chars, thanks to Jason Weir */
>             $uid = stripslashes($uid);
>             $password = stripslashes($password);
>             if (@ldap_bind($this->ds, $uid, $password)===TRUE) {
>                 $result = true;
>             }
>         }
>         $this->disconnect();
>     }
>     return $result;
> }
>
> Alessandro
>
> Weir, Jason wrote:
>> That seems to have fixed the blank password problem but I can still
>> login with any non-blank password.
>>
>> I am no longer getting locked out and I don't see the password
>> failure messages in AD any more - it looks like after I am logged in
>> the first time it never authenticates against AD again..
>>
>> Looks like $passwords should be $password on line 54
>>
>> I still have an issue with addcslashes - I had to use addslashes.
>>
>> With addcslashes I always get an invalid password message and my AD
>> account gets locked out after 5 tries.
>>
>> Can you test with a password that has spaces and special characters
>> specifically single quote and exclamation mark and see if you see the
>> same thing.
>>
>> Thanks!
>>
>> -J
>> -----Original Message-----
>> From: Alessandro Briosi [mailto:ts...@br...]
>> Sent: Thursday, August 27, 2009 6:42 AM
>> To: OpenUpload Delvel and General talk
>> Subject: Re: [openupload-devel] LDAP Password\Group Issues
>>
>>
>> Hi Jason,
>> could you confirm that this fixes the problem?
>> I found out that the real problem should be an empty password (?)...
>> and maybe the missing disconnect.
>>
>> This will not allow users with empty password to access (which is
>> pretty reasonable)
>>
>> Change the authenticate method in the ldap.inc.php with this one:
>>
>> function authenticate($login,$password) {
>>     $result = false;
>>     $this->disconnect();
>>     if ($this->connect()) {
>>         if ($this->config['type'] != 'AD') {
>>             $uid = $this->ufield.'='.$login.','.$this->config['userdn'];
>>         } else {
>>             $uid = $login.'@'.$this->config['domain'];
>>         }
>>         if ($uid!=NULL and $password!=NULL) {
>>             /* prevent injection, thanks to Jason Weir */
>>             $uid = addcslashes($uid, '!\',+"\\<>;*');
>>             $passwords = addcslashes($password, '!\',+"\\<>;*');
>>             if (@ldap_bind($this->ds, $uid, $password)===TRUE) {
>>                 $result = true;
>>             }
>>         }
>>         $this->disconnect();
>>     }
>>     return $result;
>> }
>>
>> Let me know,
>> Alessandro
>>
>> Alessandro Briosi wrote:
>>> Hi Jason,
>>> I'm testing against an AD, and what I get is the same result for
>>> users other than the Administrator (which is the same I use to check
>>> the user information).
>>> The problem is that ldap_bind returns true to openupload ... (and
>>> that's pretty odd), with an openldap backend everything is good...
>>>
>>> I'll investigate and let you know. Once I figure this out will be
>>> releasing a 0.4.1 version.
>>>
>>> Alessandro
>>>
>>> Weir, Jason wrote:
>>>> Yes - if first login is successful subsequent logins succeed no
>>>> matter what the password is - but Open Upload is passing whatever
>>>> password I use to AD because after 5 bad passwords my account gets
>>>> locked out..
>>>>
>>>> 1. I'm part of the Open Upload admins group and the ACL looks like
>>>> allow everything
>>>> 2. PHP Version 5.2.9-0.dotdeb.2
>>>> 3. ok
>>>> 4. Windows 2K3 - other apps that I do LDAP auth on seem to work fine
>>>> 5. like this?
>>>>
>>>> 47 if (@ldap_bind($this->ds, $uid, $password)) {
>>>> 48 $this->disconnect();
>>>> 49 return true;
>>>> 50 }
>>>>
>>>> 6. Nothing jumped out at me. Not much of any errors..
>>>>
>>>> this has to be cached somewhere persistent because I tried
>>>> restarting the Open Upload server and clearing out my browser
>>>> cache\cookies and it still accepts a blank\bad password. I even
>>>> tried logging in from a different workstation using a different
>>>> browser.
>>>>
>>>> I don't mind doing some testing if you can tell me what you need..
>>>>
>>>> Thanks,
>>>> -Jason
>>>> -----Original Message-----
>>>> From: Alessandro Briosi [mailto:ts...@br...]
>>>> Sent: Wed 8/26/2009 5:17 PM
>>>> To: OpenUpload Delvel and General talk
>>>> Subject: Re: [openupload-devel] LDAP Password\Group Issues
>>>>
>>>> Wow, that's pretty bad.
>>>>
>>>> You mean that if the first login is successful, then any
>>>> subsequent logins succeed even with a wrong password? Or it always
>>>> lets you in?
>>>>
>>>> With LDAP server I have no such behaviour.
>>>>
>>>> These are some possibilities:
>>>> 1. ACL problem, logout is not permitted (?)
>>>> 2. ldap_bind always returns true, which would be odd (what version
>>>> of php are you using?)
>>>> 3. There is some strange session behaviour/bug
>>>> 4. AD is somehow returning the wrong value for the LDAP query (very
>>>> unlikely, what Windows Server is it? 2000/2003/2008)
>>>> 5. Found out a missing disconnect in the ldap.inc.php
>>>> line: 48 insert before 'return true;'
>>>> $this->disconnect();
>>>> 6. Maybe some php coding error? have you checked the apache logs?
>>>>
>>>> I need to check this, but will have to wait when I get around to an
>>>> AD server first.
>>>>
>>>> Alessandro
>>>>
>>>> Weir, Jason wrote:
>>>>> What I've found is after I log in for the first time I can
>>>>> subsequently log off and back in with any password including a
>>>>> blank password. OpenUpload lets me log in but I get an "invalid password"
>>>>> failure audit in Active Directory - If I try it enough times my AD
>>>>> account will get locked out. I never get an invalid password from
>>>>> OpenUpload..
>>>>>
>>>>> Ideas?
>>>>>
>>>>> -----Original Message-----
>>>>> From: Alessandro Briosi [mailto:ts...@br...]
>>>>> Sent: Tuesday, August 18, 2009 11:59 AM
>>>>> To: ope...@li...
>>>>> Subject: Re: [openupload-devel] LDAP Password\Group Issues
>>>>>
>>>>>
>>>>> Hi,
>>>>> I definitely need to write some documentation on this one :)
>>>>>
>>>>>
>>>>> Weir, Jason wrote:
>>>>>> I've got OpenUpload installed on a Debian machine authenticating
>>>>>> to Win2K3 AD via LDAP - I'm seeing a couple issues.
>>>>>>
>>>>>> 1. Does OpenUpload cache the passwords - after I did a password
>>>>>> change I could no longer log in unless I used the old password.
>>>>> No, it only authenticates the user against AD at the login and
>>>>> then checks for the user information with the user specified in the
>>>>> configuration (the user remains authenticated until the logout or
>>>>> session expires) OpenUpload uses the standard ldap functions to
>>>>> authenticate, so probably
>>>>> it must be something with AD or Linux caching...
------------------------------------------------------------------------
------
Let Crystal Reports handle the reporting - Free Crystal Reports 2008
30-Day
trial. Simplify your report design, integration and deployment - and
focus on
what you do best, core application coding. Discover what's new with
Crystal Reports now. http://p.sf.net/sfu/bobj-july
_______________________________________________
Openupload-devel mailing list Ope...@li...
https://lists.sourceforge.net/lists/listinfo/openupload-devel
From: Alessandro B. <ts...@br...> - 2009-08-27 15:02:49
Well, the problem would arise if you have a password like
abc\'a\\ (not escaped):
this would fail as stripslashes is applied.
So I need to check if magic_quotes are enabled, but it's good to remove
the stripslashes and disable magic_quotes (the check would only be for
whoever is still using magic_quotes).
Thanks for the help.
Alessandro
Weir, Jason wrote:
> I disabled magic quotes, restarted Apache and saw no difference in how it
> acts - still working fine..
>
> -J
>
> -----Original Message-----
> From: Weir, Jason [mailto:jas...@nh...]
> Sent: Thursday, August 27, 2009 10:18 AM
> To: OpenUpload Delvel and General talk
> Subject: Re: [openupload-devel] LDAP Password\Group Issues
>
>
> Here is what my php.ini says:
>
> ; Magic quotes for incoming GET/POST/Cookie data.
> magic_quotes_gpc = On
>
> ; Magic quotes for runtime-generated data, e.g. data from SQL, from exec(), etc.
> magic_quotes_runtime = Off
>
> ; Use Sybase-style magic quotes (escape ' with '' instead of \').
> magic_quotes_sybase = Off
>
> I see that it's deprecated in PHP 5.3.0 and removed from 6.0 altogether.
>
> Should I disable it and we will go from there?
>
> -J
>
> -----Original Message-----
> From: Alessandro Briosi [mailto:ts...@br...]
> Sent: Thursday, August 27, 2009 10:11 AM
> To: OpenUpload Delvel and General talk
> Subject: Re: [openupload-devel] LDAP Password\Group Issues
>
>
> Great, I'll need to have a check with magic quotes, to overcome the
> slashes behaviour in the password, but probably will have to do it
> outside the ldap module.
>
> Just to be sure, do you have magic quotes on in your php.ini ? They are
> deprecated so I should definitely check this out. Applying a
> stripslashes when magic quotes are off could lead to the opposite
> problem :(
>
> Alessandro
>
> Weir, Jason wrote:
>> Looks like that did it - now it acts as it should.
>>
>> With a blank password it does not try to authenticate - no invalid
>> password in the AD log.
>> With an invalid password it returns invalid password and does not log
>> me in - see invalid password in the AD log.
>> With a valid password it logs in successfully - see a valid login in
>> the AD log.
>>
>> Thanks for taking care of this.
>>
>> -J
>>
>> -----Original Message-----
>> From: Alessandro Briosi [mailto:ts...@br...]
>> Sent: Thursday, August 27, 2009 9:23 AM
>> To: OpenUpload Delvel and General talk
>> Subject: Re: [openupload-devel] LDAP Password\Group Issues
>>
>>
>> Jason,
>> I have done other tests with the addcslashes, the fact is that php
>> already escapes the ' \ etc, so the solution I found is to use the
>> stripslashes function. This should fix the problem (at least it does
>> using ' \ ! and space which I tested)
>>
>> I do not, though, encounter the authentication succeeding after a logout
>> and login again with a wrong password (!?), which seems to be the
>> correct thing. And in the Win log I do see the wrong or good access
>> registered.
>>
>> This should work.
>>
>> function authenticate($login,$password) {
>>     $result = false;
>>     $this->disconnect();
>>     if ($this->connect()) {
>>         if ($this->config['type'] != 'AD') {
>>             $uid = $this->ufield.'='.$login.','.$this->config['userdn'];
>>         } else {
>>             $uid = $login.'@'.$this->config['domain'];
>>         }
>>         if ($uid!=NULL and $password!=NULL) {
>>             /* prevent injection (?), and special chars, thanks to Jason Weir */
>>             $uid = stripslashes($uid);
>>             $password = stripslashes($password);
>>             if (@ldap_bind($this->ds, $uid, $password)===TRUE) {
>>                 $result = true;
>>             }
>>         }
>>         $this->disconnect();
>>     }
>>     return $result;
>> }
>>
>> Alessandro
>>
>> Weir, Jason wrote:
>>> That seems to have fixed the blank password problem but I can still
>>> login with any non-blank password.
>>>
>>> I am no longer getting locked out and I don't see the password
>>> failure
>>> messages in AD any more - it looks like after I am logged in the
>>> first
>>> time it never authenticates against AD again..
>>>
>>> Looks like $passwords should be $password on line 54
>>>
>>> I still have an issue with addcslashes - I had to use addslashes.
>>>
>>> With addcslashes I always get an invalid password message and my AD
>>> account gets locked out after 5 tries.
>>>
>>> Can you test with a password that has spaces and special characters
>>> specifically single quote and exclamation mark and see if you see the
>>> same thing.
>>>
>>> Thanks!
>>>
>>> -J
>>> -----Original Message-----
>>> From: Alessandro Briosi [mailto:ts...@br...]
>>> Sent: Thursday, August 27, 2009 6:42 AM
>>> To: OpenUpload Delvel and General talk
>>> Subject: Re: [openupload-devel] LDAP Password\Group Issues
>>>
>>>
>>> Hi Jason,
>>> could you confirm that this fixes the problem?
>>> I found out that the real problem should be an empty password (?)...
>>> and maybe the missing disconnect.
>>>
>>> This will not allow users with empty password to access (which is
>>> pretty reasonable)
>>>
>>> Change the authenticate method in the ldap.inc.php with this one:
>>>
>>> function authenticate($login,$password) {
>>>     $result = false;
>>>     $this->disconnect();
>>>     if ($this->connect()) {
>>>         if ($this->config['type'] != 'AD') {
>>>             $uid = $this->ufield.'='.$login.','.$this->config['userdn'];
>>>         } else {
>>>             $uid = $login.'@'.$this->config['domain'];
>>>         }
>>>         if ($uid!=NULL and $password!=NULL) {
>>>             /* prevent injection, thanks to Jason Weir */
>>>             $uid = addcslashes($uid, '!\',+"\\<>;*');
>>>             $passwords = addcslashes($password, '!\',+"\\<>;*');
>>>             if (@ldap_bind($this->ds, $uid, $password)===TRUE) {
>>>                 $result = true;
>>>             }
>>>         }
>>>         $this->disconnect();
>>>     }
>>>     return $result;
>>> }
>>>
>>> Let me know,
>>> Alessandro
>>>
>>> Alessandro Briosi wrote:
>>>> Hi Jason,
>>>> I'm testing against an AD, and what I get is the same result for
>>>> users other than the Administrator (which is the same I use to check
>>>> the user information).
>>>> The problem is that ldap_bind returns true to openupload ... (and
>>>> that's pretty odd), with an openldap backend everything is good...
>>>>
>>>> I'll investigate and let you know. Once I figure this out will be
>>>> releasing a 0.4.1 version.
>>>>
>>>> Alessandro
>>>>
>>>> Weir, Jason wrote:
>>>>> Yes - if first login is successful subsequent logins succeed no
>>>>> matter what the password is - but Open Upload is passing whatever
>>>>> password I use to AD because after 5 bad passwords my account gets
>>>>> locked out..
>>>>>
>>>>> 1. I'm part of the Open Upload admins group and the ACL looks like
>>>>> allow everything
>>>>> 2. PHP Version 5.2.9-0.dotdeb.2
>>>>> 3. ok
>>>>> 4. Windows 2K3 - other apps that I do LDAP auth on seem to work fine
>>>>> 5. like this?
>>>>>
>>>>> 47 if (@ldap_bind($this->ds, $uid, $password)) {
>>>>> 48 $this->disconnect();
>>>>> 49 return true;
>>>>> 50 }
>>>>>
>>>>> 6. Nothing jumped out at me. Not much of any errors..
>>>>>
>>>>> this has to be cached somewhere persistent because I tried
>>>>> restarting the Open Upload server and clearing out my browser
>>>>> cache\cookies and it still accepts a blank\bad password. I even
>>>>> tried logging in from a different workstation using a different
>>>>> browser.
>>>>>
>>>>> I don't mind doing some testing if you can tell me what you need..
>>>>>
>>>>> Thanks,
>>>>> -Jason
>>>>> -----Original Message-----
>>>>> From: Alessandro Briosi [mailto:ts...@br...]
>>>>> Sent: Wed 8/26/2009 5:17 PM
>>>>> To: OpenUpload Delvel and General talk
>>>>> Subject: Re: [openupload-devel] LDAP Password\Group Issues
>>>>>
>>>>> Wow, that's pretty bad.
>>>>>
>>>>> You mean that if the first login is successful, then any
>>>>> subsequent logins succeed even with a wrong password? Or it always
>>>>> lets you in?
>>>>>
>>>>> With LDAP server I have no such behaviour.
>>>>>
>>>>> These are some possibilities:
>>>>> 1. ACL problem, logout is not permitted (?)
>>>>> 2. ldap_bind always returns true, which would be odd (what version
>>>>> of php are you using?)
>>>>> 3. There is some strange session behaviour/bug
>>>>> 4. AD is somehow returning the wrong value for the LDAP query (very
>>>>> unlikely, what Windows Server is it? 2000/2003/2008)
>>>>> 5. Found out a missing disconnect in the ldap.inc.php
>>>>> line: 48 insert before 'return true;'
>>>>> $this->disconnect();
>>>>> 6. Maybe some php coding error? have you checked the apache logs?
>>>>>
>>>>> I need to check this, but will have to wait when I get around to an
>>>>> AD server first.
>>>>>
>>>>> Alessandro
>>>>>
>>>>> Weir, Jason wrote:
>>>>>> What I've found is after I log in for the first time I can
>>>>>> subsequently log off and back in with any password including a
>>>>>> blank password. OpenUpload lets me log in but I get an "invalid password"
>>>>>> failure audit in Active Directory - If I try it enough times my AD
>>>>>> account will get locked out. I never get an invalid password from
>>>>>> OpenUpload..
>>>>>>
>>>>>> Ideas?
>>>>>>
>>>>>> -----Original Message-----
>>>>>> From: Alessandro Briosi [mailto:ts...@br...]
>>>>>> Sent: Tuesday, August 18, 2009 11:59 AM
>>>>>> To: ope...@li...
>>>>>> Subject: Re: [openupload-devel] LDAP Password\Group Issues
>>>>>>
>>>>>>
>>>>>> Hi,
>>>>>> I definitely need to write some documentation on this one :)
>>>>>>
>>>>>>
>>>>>> Weir, Jason wrote:
>>>>>>> I've got OpenUpload installed on a Debian machine authenticating
>>>>>>> to Win2K3 AD via LDAP - I'm seeing a couple issues.
>>>>>>>
>>>>>>> 1. Does OpenUpload cache the passwords - after I did a password
>>>>>>> change I could no longer log in unless I used the old password.
>>>>>> No, it only authenticates the user against AD at the login and
>>>>>> then checks for the user information with the user specified in the
>>>>>> configuration (the user remains authenticated until the logout or
>>>>>> session expires) OpenUpload uses the standard ldap functions to
>>>>>> authenticate, so probably
>>>>>> it must be something with AD or Linux caching...
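The magic-quotes question in this message and the one before it, together with the blank-password login from earlier in the thread, as an added example that is not OpenUpload's ldap.inc.php: it strips the slashes only when get_magic_quotes_gpc() reports them, escapes the login only where it enters a DN, and refuses an empty password before binding. `ldap_authenticate`, `escape_dn_value`, the `$bind` callable and the one-account directory are all constructed here so it runs offline (PHP 5.3 or later; on versions without magic quotes the guard simply does nothing).

```php
<?php
// Added example, not OpenUpload's ldap.inc.php. It separates the three
// things the thread mixes together: magic quotes, DN escaping, and the
// empty-password bind. $bind is a constructed stand-in for ldap_bind().

/* Undo magic_quotes_gpc only when PHP actually applied it. Calling
 * stripslashes() unconditionally corrupts a real password such as
 * abc\'a\\ whenever magic quotes are off. */
function undo_magic_quotes($value) {
    if (function_exists('get_magic_quotes_gpc') && @get_magic_quotes_gpc()) {
        return stripslashes($value);
    }
    return $value;
}

/* RFC 4514 escaping for one attribute value interpolated into a DN.
 * Only the DN needs this: the password travels verbatim in the simple
 * bind, and escaping it changes the credential that is sent. */
function escape_dn_value($value) {
    $value = str_replace(
        array('\\',   ',',   '+',   '"',   '<',   '>',   ';',   '='),
        array('\\\\', '\\,', '\\+', '\\"', '\\<', '\\>', '\\;', '\\='),
        $value
    );
    if ($value !== '' && ($value[0] === '#' || $value[0] === ' ')) {
        $value = '\\' . $value;                  // leading '#' or space
    }
    if (substr($value, -1) === ' ') {
        $value = substr($value, 0, -1) . '\\ '; // trailing space
    }
    return $value;
}

/* Build the bind identity the way the thread's authenticate() does, then
 * bind. $bind has the shape function($dn, $password): bool, i.e. ldap_bind()
 * without the link resource, so the logic can be checked without a server. */
function ldap_authenticate(array $config, $login, $password, $bind) {
    $login    = undo_magic_quotes($login);
    $password = undo_magic_quotes($password);

    // An empty password is an unauthenticated bind (RFC 4513 5.1.2), which
    // servers may answer with success without checking the account at all.
    // That is the blank-password login seen in the thread; refuse it here.
    if ($login === '' || $password === '') {
        return false;
    }
    if ($config['type'] === 'AD') {
        $dn = $login . '@' . $config['domain'];   // userPrincipalName form
    } else {
        $dn = $config['ufield'] . '=' . escape_dn_value($login)
            . ',' . $config['userdn'];
    }
    return $bind($dn, $password) === true;        // strict, as in the posted fix
}

/* Constructed directory with one account whose password contains the
 * characters Jason tested: space, single quote, exclamation mark, backslash. */
$fake_directory = array(
    'uid=jason,ou=people,dc=example,dc=org' => "it's a\\ test!",
    'jason@example.org'                     => "it's a\\ test!",
);
$fake_bind = function ($dn, $password) use ($fake_directory) {
    return isset($fake_directory[$dn]) && $fake_directory[$dn] === $password;
};

$ldap = array('type' => 'LDAP', 'ufield' => 'uid',
              'userdn' => 'ou=people,dc=example,dc=org');
$ad   = array('type' => 'AD', 'domain' => 'example.org');

$cases = array(
    array($ldap, 'jason', "it's a\\ test!"),           // correct password, DN form
    array($ad,   'jason', "it's a\\ test!"),           // same account via UPN
    array($ad,   'jason', ''),                         // blank password: refused before bind
    array($ldap, 'jason,ou=admins', "it's a\\ test!"), // comma in login: escaped, no match
);
foreach ($cases as $c) {
    var_dump(ldap_authenticate($c[0], $c[1], $c[2], $fake_bind));
}
```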
From: Weir, J. <jas...@nh...> - 2009-08-27 15:08:05
With magic quotes disabled do we then need addcslashes to handle your
example password?
-----Original Message-----
From: Alessandro Briosi [mailto:ts...@br...]
Sent: Thursday, August 27, 2009 11:03 AM
To: OpenUpload Delvel and General talk
Subject: Re: [openupload-devel] LDAP Password\Group Issues
Well, the problem would arise if you have a password like
abc\'a\\ (not escaped):
this would fail as stripslashes is applied.
So I need to check if magic_quotes are enabled, but it's good to remove
the stripslashes and disable magic_quotes (the check would only be for
whoever is still using magic_quotes).
Thanks for the help.
Alessandro
Weir, Jason wrote:
> I disabled magic quotes, restarted Apache and saw no difference in how
> it acts - still working fine..
>
> -J
>
> -----Original Message-----
> From: Weir, Jason [mailto:jas...@nh...]
> Sent: Thursday, August 27, 2009 10:18 AM
> To: OpenUpload Delvel and General talk
> Subject: Re: [openupload-devel] LDAP Password\Group Issues
>
>
> Here is what my php.ini says:
>
> ; Magic quotes for incoming GET/POST/Cookie data.
> magic_quotes_gpc = On
>
> ; Magic quotes for runtime-generated data, e.g. data from SQL, from exec(), etc.
> magic_quotes_runtime = Off
>
> ; Use Sybase-style magic quotes (escape ' with '' instead of \').
> magic_quotes_sybase = Off
>
> I see that it's deprecated in PHP 5.3.0 and removed from 6.0 altogether.
>
> Should I disable it and we will go from there?
>
> -J
>
> -----Original Message-----
> From: Alessandro Briosi [mailto:ts...@br...]
> Sent: Thursday, August 27, 2009 10:11 AM
> To: OpenUpload Delvel and General talk
> Subject: Re: [openupload-devel] LDAP Password\Group Issues
>
>
> Great, I'll need to have a check with magic quotes, to overcome the
> slashes behaviour in the password, but probably will have to do it
> outside the ldap module.
>
> Just to be sure, do you have magic quotes on in your php.ini ? They
> are deprecated so I should definitely check this out. Applying a
> stripslashes when magic quotes are off could lead to the opposite
> problem :(
>
> Alessandro
>
> Weir, Jason wrote:
>> Looks like that did it - now it acts as it should.
>>
>> With a blank password it does not try to authenticate - no invalid
>> password in the AD log.
>> With an invalid password it returns invalid password and does not log
>> me in - see invalid password in the AD log.
>> With a valid password it logs in successfully - see a valid login in
>> the AD log.
>>
>> Thanks for taking care of this.
>>
>> -J
>>
>> -----Original Message-----
>> From: Alessandro Briosi [mailto:ts...@br...]
>> Sent: Thursday, August 27, 2009 9:23 AM
>> To: OpenUpload Delvel and General talk
>> Subject: Re: [openupload-devel] LDAP Password\Group Issues
>>
>>
>> Jason,
>> I have done other tests with the addcslashes, the fact is that php
>> already escapes the ' \ etc, so the solution I found is to use the
>> stripslashes function. This should fix the problem (at least it does
>> using ' \ ! and space which I tested)
>>
>> I do not, though, encounter the authentication succeeding after a
>> logout and login again with a wrong password (!?), which seems to be the
>> correct thing. And in the Win log I do see the wrong or good access
>> registered.
>>
>> This should work.
>>
>> function authenticate($login,$password) {
>>     $result = false;
>>     $this->disconnect();
>>     if ($this->connect()) {
>>         if ($this->config['type'] != 'AD') {
>>             $uid = $this->ufield.'='.$login.','.$this->config['userdn'];
>>         } else {
>>             $uid = $login.'@'.$this->config['domain'];
>>         }
>>         if ($uid!=NULL and $password!=NULL) {
>>             /* prevent injection (?), and special chars, thanks to Jason Weir */
>>             $uid = stripslashes($uid);
>>             $password = stripslashes($password);
>>             if (@ldap_bind($this->ds, $uid, $password)===TRUE) {
>>                 $result = true;
>>             }
>>         }
>>         $this->disconnect();
>>     }
>>     return $result;
>> }
>>
>> Alessandro
>>
>> Weir, Jason wrote:
>>> That seems to have fixed the blank password problem but I can still
>>> login with any non-blank password.
>>>
>>> I am no longer getting locked out and I don't see the password
>>> failure messages in AD any more - it looks like after I am logged in
>>> the first
>>> time it never authenticates against AD again..
>>>
>>> Looks like $passwords should be $password on line 54
>>>
>>> I still have an issue with addcslashes - I had to use addslashes.
>>>
>>> With addcslashes I always get an invalid password message and my AD
>>> account gets locked out after 5 tries.
>>>
>>> Can you test with a password that has spaces and special characters
>>> specifically single quote and exclamation mark and see if you see the
>>> same thing.
>>>
>>> Thanks!
>>>
>>> -J
>>> -----Original Message-----
>>> From: Alessandro Briosi [mailto:ts...@br...]
>>> Sent: Thursday, August 27, 2009 6:42 AM
>>> To: OpenUpload Delvel and General talk
>>> Subject: Re: [openupload-devel] LDAP Password\Group Issues
>>>
>>>
>>> Hi Jason,
>>> could you confirm that this fixes the problem?
>>> I found out that the real problem should be an empty password (?)...
>>> and maybe the missing disconnect.
>>>
>>> This will not allow users with empty password to access (which is
>>> pretty reasonable)
>>>
>>> Change the authenticate method in the ldap.inc.php with this one:
>>>
>>> function authenticate($login,$password) {
>>>     $result = false;
>>>     $this->disconnect();
>>>     if ($this->connect()) {
>>>         if ($this->config['type'] != 'AD') {
>>>             $uid = $this->ufield.'='.$login.','.$this->config['userdn'];
>>>         } else {
>>>             $uid = $login.'@'.$this->config['domain'];
>>>         }
>>>         if ($uid!=NULL and $password!=NULL) {
>>>             /* prevent injection, thanks to Jason Weir */
>>>             $uid = addcslashes($uid, '!\',+"\\<>;*');
>>>             $passwords = addcslashes($password, '!\',+"\\<>;*');
>>>             if (@ldap_bind($this->ds, $uid, $password)===TRUE) {
>>>                 $result = true;
>>>             }
>>>         }
>>>         $this->disconnect();
>>>     }
>>>     return $result;
>>> }
>>>
>>> Let me know,
>>> Alessandro
>>>
>>> Alessandro Briosi wrote:
>>>> Hi Jason,
>>>> I'm testing against an AD, and what I get is the same result for
>>>> users other than the Administrator (which is the same I use to check
>>>> the user information).
>>>> The problem is that ldap_bind returns true to openupload ... (and
>>>> that's pretty odd), with an openldap backend everything is good...
>>>>
>>>> I'll investigate and let you know. Once I figure this out will be
>>>> releasing a 0.4.1 version.
>>>>
>>>> Alessandro
>>>>
>>>> Weir, Jason wrote:
>>>>> Yes - if first login is successful subsequent logins succeed no
>>>>> matter what the password is - but Open Upload is passing whatever
>>>>> password I use to AD because after 5 bad passwords my account gets
>>>>> locked out..
>>>>>
>>>>> 1. I'm part of the Open Upload admins group and the ACL looks like
>>>>> allow everything
>>>>> 2. PHP Version 5.2.9-0.dotdeb.2
>>>>> 3. ok
>>>>> 4. Windows 2K3 - other apps that I do LDAP auth on seem to work fine
>>>>> 5. like this?
>>>>>
>>>>> 47 if (@ldap_bind($this->ds, $uid, $password)) {
>>>>> 48 $this->disconnect();
>>>>> 49 return true;
>>>>> 50 }
>>>>>
>>>>> 6. Nothing jumped out at me. Not much of any errors..
>>>>>
>>>>> this has to be cached somewhere persistent because I tried
>>>>> restarting the Open Upload server and clearing out my browser
>>>>> cache\cookies and it still accepts a blank\bad password. I even
>>>>> tried logging in from a different workstation using a different
>>>>> browser.
>>>>>
>>>>> I don't mind doing some testing if you can tell me what you need..
>>>>>
>>>>> Thanks,
>>>>> -Jason
>>>>> -----Original Message-----
>>>>> From: Alessandro Briosi [mailto:ts...@br...]
>>>>> Sent: Wed 8/26/2009 5:17 PM
>>>>> To: OpenUpload Delvel and General talk
>>>>> Subject: Re: [openupload-devel] LDAP Password\Group Issues
>>>>>
>>>>> Wow, that's pretty bad.
>>>>>
>>>>> You mean that if the first login is successful, then any
>>>>> subsequent logins succeed even with a wrong password? Or it always
>>>>> lets you in?
>>>>>
>>>>> With an LDAP server I have no such behaviour.
>>>>>
>>>>> These are some possibilities:
>>>>> 1. ACL problem, logout is not permitted (?)
>>>>> 2. ldap_bind always returns true, which would be odd (what version
>>>>> of php are you using?)
>>>>> 3. There is some strange session behaviour/bug
>>>>> 4. AD is somehow returning the wrong value for the LDAP query (very
>>>>> unlikely, what Windows Server is it? 2000/2003/2008)
>>>>> 5. Found out a missing disconnect in the ldap.inc.php
>>>>> line: 48 insert before 'return true;' $this->disconnect();
>>>>> 6. Maybe some php coding error? have you checked the apache logs?
>>>>>
>>>>> I need to check this, but will have to wait until I get around to an
>>>>> AD server first.
>>>>>
>>>>> Alessandro
>>>>>
>>>>> Weir, Jason wrote:
>>>>>> What I've found is after I log in for the first time I can
>>>>>> subsequently log off and back in with any password including a
>>>>>> blank password. OpenUpload lets me log in but I get an "invalid
>>>>>> password" failure audit in Active Directory - If I try it enough
>>>>>> times my AD account will get locked out. I never get an invalid
>>>>>> password from OpenUpload..
>>>>>>
>>>>>> Ideas?
>>>>>>
>>>>>> -----Original Message-----
>>>>>> From: Alessandro Briosi [mailto:ts...@br...]
>>>>>> Sent: Tuesday, August 18, 2009 11:59 AM
>>>>>> To: ope...@li...
>>>>>> Subject: Re: [openupload-devel] LDAP Password\Group Issues
>>>>>>
>>>>>>
>>>>>> Hi,
>>>>>> I definitely need to write some documentation on this one :)
>>>>>>
>>>>>>
>>>>>> Weir, Jason wrote:
>>>>>>> I've got OpenUpload installed on a Debian machine authenticating
>>>>>>> to Win2K3 AD via LDAP - I'm seeing a couple of issues.
>>>>>>>
>>>>>>> 1. Does OpenUpload cache the passwords - after I did a password
>>>>>>> change I could no longer log in unless I used the old password.
>>>>>> No, it only authenticates the user against AD at the login and
>>>>>> then checks for the user information with the user specified in
>>>>>> the configuration (the user remains authenticated until the
>>>>>> logout or session expires). OpenUpload uses the standard ldap
>>>>>> functions to authenticate, so probably it must be something with
>>>>>> AD or Linux caching...
_____________________________________________________________________________________________
Please visit www.nhrs.org to subscribe to NHRS email announcements and updates. |
|
From: Alessandro B. <ts...@br...> - 2009-08-27 15:28:59
|
No, no addcslashes needed for authentication, it's not a query! So if
there is an injection possibility it's a PHP security bug.
Though we should use it with the user name/group query afterwards
probably (though I'm not sure one can even create a user/group with * #
or other strange chars; AFAIR # can be used in groups).
Alessandro
Weir, Jason wrote:
> With magic quotes disabled do we then need addcslashes to handle your
> example password?
>
> -----Original Message-----
> From: Alessandro Briosi [mailto:ts...@br...]
> Sent: Thursday, August 27, 2009 11:03 AM
> To: OpenUpload Delvel and General talk
> Subject: Re: [openupload-devel] LDAP Password\Group Issues
>
>
> Well, the problem would arise if you have a password like
>
> abc\'a\\ (not escaped)
>
> This would fail as stripslashes is applied.
> So I need to check if magic_quotes are enabled, but it's good to remove
> the stripslashes and disable magic_quotes (the check would only be for
> whoever is still using magic_quotes).
>
> Thanks for the help.
>
> Alessandro
>
>
> Weir, Jason wrote:
>> I disabled Magic quotes, restarted apache and saw no difference in how
>> it acts - still working fine..
>>
>> -J
>>
>> -----Original Message-----
>> From: Weir, Jason [mailto:jas...@nh...]
>> Sent: Thursday, August 27, 2009 10:18 AM
>> To: OpenUpload Delvel and General talk
>> Subject: Re: [openupload-devel] LDAP Password\Group Issues
>>
>>
>> Here is what my php.ini says
>>
>> ; Magic quotes for incoming GET/POST/Cookie data.
>> magic_quotes_gpc = On
>>
>> ; Magic quotes for runtime-generated data, e.g. data from SQL, from
>> ; exec(), etc.
>> magic_quotes_runtime = Off
>>
>> ; Use Sybase-style magic quotes (escape ' with '' instead of \').
>> magic_quotes_sybase = Off
>>
>> I see that it's deprecated in php 5.3.0 and removed from 6.0
>> altogether
>>
>> Should I disable it and we will go from there?
>>
>> -J
>>
>> -----Original Message-----
>> From: Alessandro Briosi [mailto:ts...@br...]
>> Sent: Thursday, August 27, 2009 10:11 AM
>> To: OpenUpload Delvel and General talk
>> Subject: Re: [openupload-devel] LDAP Password\Group Issues
>>
>>
>> Great, I'll need to have a check with magic quotes, to overcome the
>> slashes behaviour in the password, but probably will have to do it
>> outside the ldap module.
>>
>> Just to be sure, do you have magic quotes on in your php.ini ? They
>> are deprecated so I should definitely check this out. Applying a
>> stripslashes when magic quotes are off could lead to the opposite
>> problem :(
>>
>> Alessandro
>>
>> Weir, Jason wrote:
>>> Looks like that did it - now it acts as it should.
>>>
>>> With a blank password it does not try to authenticate - no invalid
>>> password in the AD log.
>>> With an invalid password it returns invalid password and does not log
>>> me in - see invalid password in the AD log.
>>> With a valid password it logs in successfully - see a valid login in
>>> the AD log.
>>>
>>> Thanks for taking care of this.
>>>
>>> -J
>>>
>>> -----Original Message-----
>>> From: Alessandro Briosi [mailto:ts...@br...]
>>> Sent: Thursday, August 27, 2009 9:23 AM
>>> To: OpenUpload Delvel and General talk
>>> Subject: Re: [openupload-devel] LDAP Password\Group Issues
>>>
>>>
>>> Jason,
>>> I have done other tests with the addcslashes, the fact is that php
>>> already escapes the ' \ etc, so the solution I found is to use the
>>> stripslashes function. This should fix the problem (at least it does
>>> using ' \ ! and space which I tested)
>>>
>>> I, though, do not encounter the authentication succeeding after a logout
>>> and login again with a wrong password (!?), which seems to be the
>>> correct thing. And in the Win log I do see the wrong or good access
>>> registered.
>>>
>>> This should work.
>>>
>>> function authenticate($login,$password) {
>>>     $result = false;
>>>     $this->disconnect();
>>>     if ($this->connect()) {
>>>         if ($this->config['type'] != 'AD') {
>>>             $uid = $this->ufield.'='.$login.','.$this->config['userdn'];
>>>         } else {
>>>             $uid = $login.'@'.$this->config['domain'];
>>>         }
>>>         if ($uid!=NULL and $password!=NULL) {
>>>             /* prevent injection (?), and special chars, thanks to Jason Weir */
>>>             $uid = stripslashes($uid);
>>>             $password = stripslashes($password);
>>>             if (@ldap_bind($this->ds, $uid, $password)===TRUE) {
>>>                 $result = true;
>>>             }
>>>         }
>>>         $this->disconnect();
>>>     }
>>>     return $result;
>>> }
>>>
>>> Alessandro
>>>
>>> Weir, Jason wrote:
>>>> That seems to have fixed the blank password problem but I can still
>>>> log in with any non-blank password.
>>>>
>>>> I am no longer getting locked out and I don't see the password
>>>> failure messages in AD any more - it looks like after I am logged in
>>>> the first time it never authenticates against AD again..
>>>>
>>>> Looks like $passwords should be $password on line 54
>>>>
>>>> I still have an issue with addcslashes - I had to use addslashes.
>>>>
>>>> With addcslashes I always get an invalid password message and my AD
>>>> account gets locked out after 5 tries.
>>>>
>>>> Can you test with a password that has spaces and special characters,
>>>> specifically single quote and exclamation mark, and see if you see the
>>>> same thing.
>>>>
>>>> Thanks!
>>>>
>>>> -J
>>>> -----Original Message-----
>>>> From: Alessandro Briosi [mailto:ts...@br...]
>>>> Sent: Thursday, August 27, 2009 6:42 AM
>>>> To: OpenUpload Delvel and General talk
>>>> Subject: Re: [openupload-devel] LDAP Password\Group Issues
>>>>
>>>>
>>>> Hi Jason,
>>>> could you confirm that this fixes the problem?
>>>> I found out that the real problem should be an empty password (?)...
>>>> and maybe the missing disconnect.
>>>>
>>>> This will not allow users with empty password to access (which is
>>>> pretty reasonable)
>>>>
>>>> Change the authenticate method in the ldap.inc.php with this one:
>>>>
>>>> function authenticate($login,$password) {
>>>>     $result = false;
>>>>     $this->disconnect();
>>>>     if ($this->connect()) {
>>>>         if ($this->config['type'] != 'AD') {
>>>>             $uid = $this->ufield.'='.$login.','.$this->config['userdn'];
>>>>         } else {
>>>>             $uid = $login.'@'.$this->config['domain'];
>>>>         }
>>>>         if ($uid!=NULL and $password!=NULL) {
>>>>             /* prevent injection, thanks to Jason Weir */
>>>>             $uid = addcslashes($uid, '!\',+"\\<>;*');
>>>>             $passwords = addcslashes($password, '!\',+"\\<>;*');
>>>>             if (@ldap_bind($this->ds, $uid, $password)===TRUE) {
>>>>                 $result = true;
>>>>             }
>>>>         }
>>>>         $this->disconnect();
>>>>     }
>>>>     return $result;
>>>> }
>>>>
>>>> Let me know,
>>>> Alessandro
>>>>
>>>> Alessandro Briosi wrote:
>>>>> Hi Jason,
>>>>> I'm testing against an AD, and what I get is the same result for
>>>>> users other than the Administrator (which is the same I use to check
>>>>> the user information).
>>>>> The problem is that ldap_bind returns true to openupload ... (and
>>>>> that's pretty odd), with an openldap backend everything is good...
>>>>>
>>>>> I'll investigate and let you know. Once I figure this out will be
>>>>> releasing a 0.4.1 version.
>>>>>
>>>>> Alessandro
>>>>>
>>>>> Weir, Jason wrote:
>>>>>> Yes - if first login is successful subsequent logins succeed no
>>>>>> matter what the password is - but Open Upload is passing whatever
>>>>>> password I use to AD because after 5 bad passwords my account gets
>>>>>> locked out..
>>>>>>
>>>>>> 1. I'm part of the Open Upload admins group and the ACL looks like
>>>>>> allow everything
>>>>>> 2. PHP Version 5.2.9-0.dotdeb.2
>>>>>> 3. ok
>>>>>> 4. Windows 2K3 - other apps that I do LDAP auth on seem to work fine
>>>>>> 5. like this?
>>>>>>
>>>>>> 47 if (@ldap_bind($this->ds, $uid, $password)) {
>>>>>> 48 $this->disconnect();
>>>>>> 49 return true;
>>>>>> 50 }
>>>>>>
>>>>>> 6. Nothing jumped out at me. Not much of any errors..
>>>>>>
>>>>>> this has to be cached somewhere persistent because I tried
>>>>>> restarting the Open Upload server and clearing out my browser
>>>>>> cache\cookies and it still accepts a blank\bad password. I even tried
>>>>>> logging in from a different workstation using a different browser.
>>>>>>
>>>>>> I don't mind doing some testing if you can tell me what you need..
>>>>>>
>>>>>> Thanks,
>>>>>> -Jason
>>>>>> -----Original Message-----
>>>>>> From: Alessandro Briosi [mailto:ts...@br...]
>>>>>> Sent: Wed 8/26/2009 5:17 PM
>>>>>> To: OpenUpload Delvel and General talk
>>>>>> Subject: Re: [openupload-devel] LDAP Password\Group Issues
>>>>>>
>>>>>> Wow, that's pretty bad.
>>>>>>
>>>>>> You mean that if the first login is successful, then any
>>>>>> subsequent logins succeed even with a wrong password? Or it always
>>>>>> lets you in?
>>>>>>
>>>>>> With an LDAP server I have no such behaviour.
>>>>>>
>>>>>> These are some possibilities:
>>>>>> 1. ACL problem, logout is not permitted (?)
>>>>>> 2. ldap_bind always returns true, which would be odd (what version
>>>>>> of php are you using?)
>>>>>> 3. There is some strange session behaviour/bug
>>>>>> 4. AD is somehow returning the wrong value for the LDAP query (very
>>>>>> unlikely, what Windows Server is it? 2000/2003/2008)
>>>>>> 5. Found out a missing disconnect in the ldap.inc.php
>>>>>> line: 48 insert before 'return true;' $this->disconnect();
>>>>>> 6. Maybe some php coding error? have you checked the apache logs?
>>>>>>
>>>>>> I need to check this, but will have to wait until I get around to an
>>>>>> AD server first.
>>>>>>
>>>>>> Alessandro
>>>>>>
>>>>>> Weir, Jason wrote:
>>>>>>> What I've found is after I log in for the first time I can
>>>>>>> subsequently log off and back in with any password including a
>>>>>>> blank password. OpenUpload lets me log in but I get an "invalid
>>>>>>> password" failure audit in Active Directory - If I try it enough
>>>>>>> times my AD account will get locked out. I never get an invalid
>>>>>>> password from OpenUpload..
>>>>>>>
>>>>>>> Ideas?
>>>>>>>
>>>>>>> -----Original Message-----
>>>>>>> From: Alessandro Briosi [mailto:ts...@br...]
>>>>>>> Sent: Tuesday, August 18, 2009 11:59 AM
>>>>>>> To: ope...@li...
>>>>>>> Subject: Re: [openupload-devel] LDAP Password\Group Issues
>>>>>>>
>>>>>>>
>>>>>>> Hi,
>>>>>>> I definitely need to write some documentation on this one :)
>>>>>>>
>>>>>>>
>>>>>>> Weir, Jason wrote:
>>>>>>>> I've got OpenUpload installed on a Debian machine authenticating
>>>>>>>> to Win2K3 AD via LDAP - I'm seeing a couple of issues.
>>>>>>>>
>>>>>>>> 1. Does OpenUpload cache the passwords - after I did a password
>>>>>>>> change I could no longer log in unless I used the old password.
>>>>>>> No, it only authenticates the user against AD at the login and
>>>>>>> then checks for the user information with the user specified in
>>>>>>> the configuration (the user remains authenticated until the
>>>>>>> logout or session expires). OpenUpload uses the standard ldap
>>>>>>> functions to authenticate, so probably it must be something with
>>>>>>> AD or Linux caching...
>
> _______________________________________________
> Openupload-devel mailing list
> Ope...@li...
> https://lists.sourceforge.net/lists/listinfo/openupload-devel
|
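The three things argued over in this thread (the blank-password check, magic_quotes_gpc versus stripslashes(), and where escaping does and does not belong) fit together as follows. This is an added example written for this page, not OpenUpload's own code; the class name, the config keys ('uri', 'type', 'domain', 'userdn', 'ufield', 'lookupdn', 'lookuppw') and the allow-list rule for login names are assumptions of the example. The points it encodes: an LDAP simple bind with a name and an empty password is an unauthenticated bind (RFC 4513, section 5.1.2), which Active Directory accepts and reports as success, while OpenLDAP refuses it unless `allow bind_anon_dn` is set, so the empty-password check has to happen before ldap_bind() is ever called; stripslashes() is applied only when magic_quotes_gpc is actually on, so a password like abc\'a\\ survives either setting; the password itself is never escaped, because it is a bind credential and not part of a DN or a filter; the login, by contrast, is escaped per RFC 4514 where it becomes part of a DN and per RFC 4515 where it goes into the user/group lookup filter.

```php
<?php
// Added example, not OpenUpload code: a hardened authenticate() in the shape of the
// ldap.inc.php method quoted in this thread. The config keys used here ('uri', 'type',
// 'domain', 'userdn', 'ufield', 'lookupdn', 'lookuppw') are assumptions of this example.
class LdapAuthExample {
    private $ds = null;
    private $config;
    public $groups = array();   // memberOf values of the authenticated user

    public function __construct(array $config) { $this->config = $config; }

    // Undo magic_quotes_gpc once, and only if it is really on: an unconditional
    // stripslashes() corrupts a password like abc\'a\\ when magic quotes are off.
    // get_magic_quotes_gpc() is gone in PHP 8, hence the function_exists() guard.
    public static function undoMagicQuotes($value) {
        if (function_exists('get_magic_quotes_gpc') && @get_magic_quotes_gpc()) {
            return stripslashes($value);
        }
        return $value;
    }

    // RFC 4515 escaping for a value inside a search filter (ldap_escape() exists
    // from PHP 5.6; the str_replace() is the fallback for older versions).
    public static function filterEscape($value) {
        if (function_exists('ldap_escape')) {
            return ldap_escape($value, '', LDAP_ESCAPE_FILTER);
        }
        return str_replace(array('\\', '*', '(', ')', "\0"),
                           array('\\5c', '\\2a', '\\28', '\\29', '\\00'), $value);
    }

    // RFC 4514 escaping for a value inside a DN (used by the non-AD branch).
    public static function dnEscape($value) {
        if (function_exists('ldap_escape')) {
            return ldap_escape($value, '', LDAP_ESCAPE_DN);
        }
        $value = str_replace(array('\\', ',', '+', '"', '<', '>', ';', "\0"),
            array('\\5c', '\\2c', '\\2b', '\\22', '\\3c', '\\3e', '\\3b', '\\00'), $value);
        if ($value !== '' && $value[0] === '#') { $value = '\\23' . substr($value, 1); }
        if ($value !== '' && $value[0] === ' ') { $value = '\\20' . substr($value, 1); }
        if ($value !== '' && substr($value, -1) === ' ') { $value = substr($value, 0, -1) . '\\20'; }
        return $value;
    }

    private function connect() {
        $this->ds = @ldap_connect($this->config['uri']);  // e.g. 'ldaps://dc.example.test'
        if ($this->ds === false) { return false; }
        ldap_set_option($this->ds, LDAP_OPT_PROTOCOL_VERSION, 3);
        ldap_set_option($this->ds, LDAP_OPT_REFERRALS, 0);    // AD hands out referrals on search
        return true;
    }

    private function disconnect() {
        if ($this->ds) { @ldap_unbind($this->ds); }
        $this->ds = null;
    }

    public function authenticate($login, $password) {
        $login    = self::undoMagicQuotes($login);
        $password = self::undoMagicQuotes($password);
        // Never pass an empty password to ldap_bind(): a name with an empty password
        // is an *unauthenticated* bind (RFC 4513, 5.1.2), which Active Directory
        // accepts and reports as success. Otherwise the password is left exactly as
        // typed: it is a bind credential, not part of a DN or filter, so escaping it
        // or stripping characters from it only breaks valid logins.
        if ($login === '' || $password === '') { return false; }
        // Assumed local policy: sAMAccountName-style names only, so no '@' can reach
        // the UPN below. dnEscape()/filterEscape() remain the guard for DN and filter.
        if (!preg_match('/^[A-Za-z0-9._-]{1,64}\z/', $login)) { return false; }

        $this->disconnect();
        if (!$this->connect()) { return false; }
        if ($this->config['type'] === 'AD') {
            $bindId = $login . '@' . $this->config['domain'];        // UPN form
        } else {
            $bindId = $this->config['ufield'] . '=' . self::dnEscape($login)
                    . ',' . $this->config['userdn'];
        }

        $ok = (@ldap_bind($this->ds, $bindId, $password) === true);
        $this->groups = array();
        if ($ok && @ldap_bind($this->ds, $this->config['lookupdn'], $this->config['lookuppw']) === true) {
            // The user's password was used for exactly one bind; the group lookup
            // runs as the configured lookup account, with the login escaped for the filter.
            $filter  = '(' . $this->config['ufield'] . '=' . self::filterEscape($login) . ')';
            $sr      = @ldap_search($this->ds, $this->config['userdn'], $filter, array('memberof'));
            $entries = ($sr !== false) ? ldap_get_entries($this->ds, $sr) : false;
            if ($entries && $entries['count'] === 1 && isset($entries[0]['memberof'])) {
                for ($i = 0; $i < $entries[0]['memberof']['count']; $i++) {
                    $this->groups[] = $entries[0]['memberof'][$i];
                }
            }
        }
        $this->disconnect();
        return $ok;
    }
}
```

The two escape helpers and undoMagicQuotes() are static so they can be exercised without a directory; authenticate() needs a reachable server, and since a simple bind sends the password in clear it should only be used over ldaps:// or after ldap_start_tls(). The rule of thumb the thread converged on is the one the code follows: the password goes to ldap_bind() unmodified (apart from undoing magic quotes once), and only the pieces that are spliced into a DN or a filter, here the login name, get escaped.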
|
From: Andy H. <and...@eu...> - 2009-08-27 14:39:02
|
Alessandro Briosi wrote:
> Hi Jason,
> could you confirm that this fixes the problem?
> I found out that the real problem should be an empty password (?)... and
> maybe the missing disconnect.
>
> This will not allow users with empty password to access (which is pretty
> reasonable)
>
> Change the authenticate method in the ldap.inc.php with this one:
>
I applied the code you supplied and mine is working correctly now. I did
confirm that I had a problem before.

Thanks,
Andy |