The LDAP authentication function in version .80 works
in simple situations, but for anything more complex it
fails. This is because the function takes the username,
appends the specified base DN ($ldapserverroot), and
attempts to authenticate. If no base DN is specified,
which is desirable in some situations, the
authentication fails. The usual way to perform LDAP
authentication is to bind anonymously first and search
the LDAP tree for the user. Then, if the user is found,
use the retrieved DN to attempt an authenticated bind.
I made those changes to owl.lib.php, and now an empty
base DN is possible.
Directions for patch:
-Copy owl.lib.php.diff into owlroot/lib/
-cd to owlroot/lib/
-Back up owl.lib.php
-Run `patch < owl.lib.php.diff`
If you don't want to use the patch, or it doesn't work
for some reason, replace the function
ldap_authenticate() (lines 3741 - 3771) with:
function ldap_authenticate($u, $p)
{
    global $default;
    $base = $default->ldapserverroot;

    // Never pass an empty password to ldap_bind(): many servers treat
    // a DN with an empty password as an anonymous (unauthenticated)
    // bind, which would succeed for any username that exists.
    if (strlen($p) == 0)
    {
        return(1);
    }

    // Escape the username before placing it in the filter so that
    // filter metacharacters (*, (, ), \) cannot alter the search.
    // ldap_escape() requires PHP 5.6 or later.
    $filter = "(&(objectClass=person)(" . $default->ldapuserattr . "="
            . ldap_escape($u, '', LDAP_ESCAPE_FILTER) . "))";

    // Connect to ldap server
    $dsCon = ldap_connect($default->ldapserver);
    // Make sure we connected
    if (!($dsCon))
    {
        printError("Sorry, cannot contact LDAP server");
        return(1);
    }
    ldap_set_option($dsCon, LDAP_OPT_PROTOCOL_VERSION,
                    $default->ldapprotocolversion);
    // According to PHP documentation, LDAP_OPT_REFERRALS=0
    // drastically improves performance in some situations, and is
    // often required for Windows 2003 Server Active Directory lookups.
    // See comments at
    // http://www.php.net/manual/en/function.ldap-search.php
    ldap_set_option($dsCon, LDAP_OPT_REFERRALS, 0);

    // Bind anonymously
    $anonbind = ldap_bind($dsCon);
    if (!($anonbind))
    {
        printError("Could not complete anonymous bind");
        ldap_close($dsCon);
        return(1);
    }

    // Attempt to find the user in the tree
    $results = ldap_search($dsCon, $base, $filter);
    if (!($results))
    {
        printError("Invalid search");
        ldap_close($dsCon);
        return(1);
    }

    // Retrieve the user info; require exactly one match so that an
    // ambiguous lookup cannot bind as the wrong entry
    $info = ldap_get_entries($dsCon, $results);
    if ($info["count"] != 1)
    {
        printError("User does not exist or is ambiguous");
        ldap_close($dsCon);
        return(1);
    }

    // Pull the DN from the retrieved information
    $dn = $info[0]["dn"];

    // Attempt to authenticate; if the bind works, the password is
    // acceptable
    $bind = ldap_bind($dsCon, $dn, $p);
    if (!($bind))
    {
        ldap_close($dsCon);
        return(1);
    }
    else
    {
        // If we got here, the username/password worked.
        ldap_close($dsCon);
        return(0);
    }
}
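The two checks that make the search-then-bind flow safe are easy to get wrong, so here is a small added example (not part of the Owl patch, written in Python rather than PHP so it runs without an LDAP server) that builds the same lookup filter with RFC 4515 escaping and decides which DN, if any, may be handed to the final bind. The attribute name, entry dicts and DNs used are constructed sample values.

```python
"""Helpers for the search-then-bind flow (constructed example, not Owl
code).  The filter mirrors the one the patch builds:
(&(objectClass=person)(<ldapuserattr>=<username>))."""

# RFC 4515 section 3: these characters must be hex-escaped inside an
# assertion value so user input cannot change the filter structure.
_FILTER_ESCAPES = {
    "\\": r"\5c",
    "*": r"\2a",
    "(": r"\28",
    ")": r"\29",
    "\x00": r"\00",
}


def escape_filter_value(value: str) -> str:
    """Escape one assertion value for use inside an LDAP search filter."""
    return "".join(_FILTER_ESCAPES.get(ch, ch) for ch in value)


def build_user_filter(user_attr: str, username: str) -> str:
    """Build the lookup filter the patch uses, with the username escaped.

    user_attr is the configured attribute name (ldapuserattr); it is
    limited to attribute-name characters rather than escaped."""
    if not user_attr.replace("-", "").isalnum():
        raise ValueError("invalid attribute name: %r" % user_attr)
    return "(&(objectClass=person)(%s=%s))" % (
        user_attr, escape_filter_value(username))


def select_user_dn(entries: list, password: str):
    """Return the DN to bind as, or None when no bind must be attempted.

    An empty password is refused: RFC 4513 lets a server treat a DN with
    an empty password as an anonymous bind, so the final bind would
    succeed for any existing username.  Ambiguous results (more than one
    entry matched the filter) are refused as well."""
    if password == "":
        return None
    if len(entries) != 1:
        return None
    return entries[0]["dn"]
```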
Patch for owl.lib.php to fix ldap authentication