From 0ba94e91de3e4101bc6ab495a6fdb3ac7b9065ba Mon Sep 17 00:00:00 2001 From: Stonewall Jackson Date: Wed, 27 Mar 2024 11:27:06 -0400 Subject: [PATCH] Support fallback to LDAP password with i_use_mode_kerberos Currently, when `i_use_mode_kerberos` is enabled in the LDAP driver, Davical checks the `REMOTE_USER` server variable, followed by the `REDIRECT_REMOTE_USER` variable, for a matching username. If a matching username is not found, authentication fails immediately. This commit modifies the LDAP driver to fallback to standard LDAP password authentication when `i_use_mode_kerberos` is enabled and neither of these server variables are set. This allows non-kerberos-enabled clients to authenticate as well. Fixes #323 --- inc/drivers_ldap.php | 30 +++++++++++++++++++----------- 1 file changed, 19 insertions(+), 11 deletions(-) diff --git a/inc/drivers_ldap.php b/inc/drivers_ldap.php index 01e3dd31..0b1abe91 100644 --- a/inc/drivers_ldap.php +++ b/inc/drivers_ldap.php @@ -252,6 +252,7 @@ class ldapDriver global $c; $entry=NULL; + $skip_password_check = false; // We get the DN of the USER $query = $this->ldap_query_one; # ldap_set_option(NULL, LDAP_OPT_DEBUG_LEVEL, 7); 
@@ -277,26 +278,33 @@ class ldapDriver
 if ( isset($c->authenticate_hook['config']['i_use_mode_kerberos']) && $c->authenticate_hook['config']['i_use_mode_kerberos'] == "i_know_what_i_am_doing") {
 if (isset($_SERVER["REMOTE_USER"])) {
 dbg_error_log( "LOG", "drivers_ldap : Skipping password Check for user %s which should be the same as %s",$username , $_SERVER["REMOTE_USER"]);
- if ($username != $_SERVER["REMOTE_USER"]) {
+ if ($username == $_SERVER["REMOTE_USER"]) {
+ $skip_password_check = true;
+ } else {
 return false;
 }
- } else {
+ } elseif (isset($_SERVER["REDIRECT_REMOTE_USER"])) {
 dbg_error_log( "LOG", "drivers_ldap : Skipping password Check for user %s which should be the same as %s",$username , $_SERVER["REDIRECT_REMOTE_USER"]);
- if ($username != $_SERVER["REDIRECT_REMOTE_USER"]) {
+ if ($username == $_SERVER["REDIRECT_REMOTE_USER"]) {
+ $skip_password_check = true;
+ } else {
 return false;
 }
 }
 }
- else if ( empty($passwd) || preg_match('/[\x00-\x19]/',$passwd) ) {
- // See http://www.php.net/manual/en/function.ldap-bind.php#73718 for more background
- dbg_error_log( 'LDAP', 'drivers_ldap : user %s supplied empty or invalid password: login rejected', $dnUser );
- return false;
- }
- else {
- if ( !@ldap_bind($this->connect, $dnUser, $passwd) ) {
- dbg_error_log( "LDAP", "drivers_ldap : Failed to bind to user %s ", $dnUser );
+
+ if (!$skip_password_check) {
+ if ( empty($passwd) || preg_match('/[\x00-\x19]/',$passwd) ) {
+ // See http://www.php.net/manual/en/function.ldap-bind.php#73718 for more background
+ dbg_error_log( 'LDAP', 'drivers_ldap : user %s supplied empty or invalid password: login rejected', $dnUser );
 return false;
 }
+ else {
+ if ( !@ldap_bind($this->connect, $dnUser, $passwd) ) {
+ dbg_error_log( "LDAP", "drivers_ldap : Failed to bind to user %s ", $dnUser );
+ return false;
+ }
+ }
 }
 dbg_error_log( "LDAP", "drivers_ldap : Bound to user %s using password %s", $dnUser,