nik/davical
1
0
Fork 0
mirror of https://gitlab.com/davical-project/davical.git synced 2026-05-26 02:44:29 +00:00
Code Issues Actions Packages Projects Releases Wiki Activity

Support fallback to LDAP password with i_use_mode_kerberos

Browse Source 
Currently, when `i_use_mode_kerberos` is enabled in the LDAP driver,
Davical checks the `REMOTE_USER` server variable, followed by the
`REDIRECT_REMOTE_USER` variable, for a matching username. If a matching
username is not found, authentication fails immediately.

This commit modifies the LDAP driver to fallback to standard LDAP
password authentication when `i_use_mode_kerberos` is enabled and
neither of these server variables are set. This allows
non-kerberos-enabled clients to authenticate as well.

Fixes #323
This commit is contained in:
Stonewall Jackson 2024-03-27 11:27:06 -04:00
parent 786a9f5591
commit 0ba94e91de
1 changed files with 19 additions and 11 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

18
inc/drivers_ldap.php
View File

@ -252,6 +252,7 @@ class ldapDriver
global $c; global $c;
$entry=NULL; $entry=NULL;
$skip_password_check = false;
// We get the DN of the USER // We get the DN of the USER
$query = $this->ldap_query_one; $query = $this->ldap_query_one;
# ldap_set_option(NULL, LDAP_OPT_DEBUG_LEVEL, 7); # ldap_set_option(NULL, LDAP_OPT_DEBUG_LEVEL, 7);
@ -277,17 +278,23 @@ class ldapDriver
if ( isset($c->authenticate_hook['config']['i_use_mode_kerberos']) && $c->authenticate_hook['config']['i_use_mode_kerberos'] == "i_know_what_i_am_doing") { if ( isset($c->authenticate_hook['config']['i_use_mode_kerberos']) && $c->authenticate_hook['config']['i_use_mode_kerberos'] == "i_know_what_i_am_doing") {
if (isset($_SERVER["REMOTE_USER"])) { if (isset($_SERVER["REMOTE_USER"])) {
dbg_error_log( "LOG", "drivers_ldap : Skipping password Check for user %s which should be the same as %s",$username , $_SERVER["REMOTE_USER"]); dbg_error_log( "LOG", "drivers_ldap : Skipping password Check for user %s which should be the same as %s",$username , $_SERVER["REMOTE_USER"]);
if ($username != $_SERVER["REMOTE_USER"]) { if ($username == $_SERVER["REMOTE_USER"]) {
return false; $skip_password_check = true;
}
} else { } else {
return false;
}
} elseif (isset($_SERVER["REDIRECT_REMOTE_USER"])) {
dbg_error_log( "LOG", "drivers_ldap : Skipping password Check for user %s which should be the same as %s",$username , $_SERVER["REDIRECT_REMOTE_USER"]); dbg_error_log( "LOG", "drivers_ldap : Skipping password Check for user %s which should be the same as %s",$username , $_SERVER["REDIRECT_REMOTE_USER"]);
if ($username != $_SERVER["REDIRECT_REMOTE_USER"]) { if ($username == $_SERVER["REDIRECT_REMOTE_USER"]) {
$skip_password_check = true;
} else {
return false; return false;
} }
} }
} }
else if ( empty($passwd) || preg_match('/[\x00-\x19]/',$passwd) ) {
if (!$skip_password_check) {
if ( empty($passwd) || preg_match('/[\x00-\x19]/',$passwd) ) {
// See http://www.php.net/manual/en/function.ldap-bind.php#73718 for more background // See http://www.php.net/manual/en/function.ldap-bind.php#73718 for more background
dbg_error_log( 'LDAP', 'drivers_ldap : user %s supplied empty or invalid password: login rejected', $dnUser ); dbg_error_log( 'LDAP', 'drivers_ldap : user %s supplied empty or invalid password: login rejected', $dnUser );
return false; return false;
@ -298,6 +305,7 @@ class ldapDriver
return false; return false;
} }
} }
}
dbg_error_log( "LDAP", "drivers_ldap : Bound to user %s using password %s", $dnUser, dbg_error_log( "LDAP", "drivers_ldap : Bound to user %s using password %s", $dnUser,
(isset($c->dbg['password']) && $c->dbg['password'] ? $passwd : 'another delicious password for the debugging monster!') ); (isset($c->dbg['password']) && $c->dbg['password'] ? $passwd : 'another delicious password for the debugging monster!') );