Support fallback to LDAP password with i_use_mode_kerberos

Currently, when `i_use_mode_kerberos` is enabled in the LDAP driver,
Davical checks the `REMOTE_USER` server variable, followed by the
`REDIRECT_REMOTE_USER` variable, for a matching username. If a matching
username is not found, authentication fails immediately.

This commit modifies the LDAP driver to fall back to standard LDAP
password authentication when `i_use_mode_kerberos` is enabled and
neither of these server variables is set. This allows
non-kerberos-enabled clients to authenticate as well.

Fixes #323
This commit is contained in:
Stonewall Jackson 2024-03-27 11:27:06 -04:00
parent 786a9f5591
commit 0ba94e91de


@ -252,6 +252,7 @@ class ldapDriver
global $c;
$entry=NULL;
$skip_password_check = false;
// We get the DN of the USER
$query = $this->ldap_query_one;
# ldap_set_option(NULL, LDAP_OPT_DEBUG_LEVEL, 7);
@ -277,26 +278,33 @@ class ldapDriver
if ( isset($c->authenticate_hook['config']['i_use_mode_kerberos']) && $c->authenticate_hook['config']['i_use_mode_kerberos'] == "i_know_what_i_am_doing") {
if (isset($_SERVER["REMOTE_USER"])) {
dbg_error_log( "LOG", "drivers_ldap : Skipping password Check for user %s which should be the same as %s",$username , $_SERVER["REMOTE_USER"]);
if ($username != $_SERVER["REMOTE_USER"]) {
if ($username == $_SERVER["REMOTE_USER"]) {
$skip_password_check = true;
} else {
return false;
}
} else {
} elseif (isset($_SERVER["REDIRECT_REMOTE_USER"])) {
dbg_error_log( "LOG", "drivers_ldap : Skipping password Check for user %s which should be the same as %s",$username , $_SERVER["REDIRECT_REMOTE_USER"]);
if ($username != $_SERVER["REDIRECT_REMOTE_USER"]) {
if ($username == $_SERVER["REDIRECT_REMOTE_USER"]) {
$skip_password_check = true;
} else {
return false;
}
}
}
else if ( empty($passwd) || preg_match('/[\x00-\x19]/',$passwd) ) {
// See http://www.php.net/manual/en/function.ldap-bind.php#73718 for more background
dbg_error_log( 'LDAP', 'drivers_ldap : user %s supplied empty or invalid password: login rejected', $dnUser );
return false;
}
else {
if ( !@ldap_bind($this->connect, $dnUser, $passwd) ) {
dbg_error_log( "LDAP", "drivers_ldap : Failed to bind to user %s ", $dnUser );
if (!$skip_password_check) {
if ( empty($passwd) || preg_match('/[\x00-\x19]/',$passwd) ) {
// See http://www.php.net/manual/en/function.ldap-bind.php#73718 for more background
dbg_error_log( 'LDAP', 'drivers_ldap : user %s supplied empty or invalid password: login rejected', $dnUser );
return false;
}
else {
if ( !@ldap_bind($this->connect, $dnUser, $passwd) ) {
dbg_error_log( "LDAP", "drivers_ldap : Failed to bind to user %s ", $dnUser );
return false;
}
}
}
dbg_error_log( "LDAP", "drivers_ldap : Bound to user %s using password %s", $dnUser,
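Review bot: The username-to-principal comparisons that now decide whether the password check is skipped use loose `==` (the `if ($username == $_SERVER["REMOTE_USER"])` line and the matching `REDIRECT_REMOTE_USER` line); since this is the only check standing between a web-server-supplied identity and a password-less login, it should be strict, `if ($username === $_SERVER["REMOTE_USER"])` and `if ($username === $_SERVER["REDIRECT_REMOTE_USER"])`, so numeric-looking strings cannot compare equal by value. The "Bound to user" debug line at the end of the hunk is now also reached when `$skip_password_check` is true, where no `ldap_bind` with the supplied password happened, so the log no longer tells an auditor which path authenticated; consider logging separately in the skip branch, e.g. `dbg_error_log( "LDAP", "drivers_ldap : user %s authenticated via REMOTE_USER, password bind skipped", $dnUser );`. The enclosing method starts before the first hunk and its body continues past the end of this one.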