nik/davical
1
0
Fork 0
mirror of https://gitlab.com/davical-project/davical.git synced 2026-05-31 03:34:18 +00:00
Code Issues Actions Packages Projects Releases Wiki Activity

Retain original i_use_mode_kerberos behavior, add fallback option

Browse Source 
Add a new value for i_use_mode_kerberos: "allow_fallback_ldap_auth",
which will fallback to username/password authentication when the
REMOTE_USER value is unset.
This commit is contained in:
Stonewall Jackson 2024-04-01 07:57:00 -04:00
parent 0ba94e91de
commit d3a0c89eca
1 changed files with 10 additions and 5 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

15
inc/drivers_ldap.php
View File

@ -252,7 +252,6 @@ class ldapDriver
global $c;
$entry=NULL;
$skip_password_check = false;
// We get the DN of the USER
$query = $this->ldap_query_one;
# ldap_set_option(NULL, LDAP_OPT_DEBUG_LEVEL, 7);
@ -275,25 +274,31 @@ class ldapDriver
$dnUser = ldap_get_dn($this->connect, ldap_first_entry($this->connect,$entry));
if ( isset($c->authenticate_hook['config']['i_use_mode_kerberos']) && $c->authenticate_hook['config']['i_use_mode_kerberos'] == "i_know_what_i_am_doing") {
$authenticated = false;
$use_kerberos_only = isset($c->authenticate_hook['config']['i_use_mode_kerberos']) && $c->authenticate_hook['config']['i_use_mode_kerberos'] == "i_know_what_i_am_doing";
$use_kerberos_with_fallback = isset($c->authenticate_hook['config']['i_use_mode_kerberos']) && $c->authenticate_hook['config']['i_use_mode_kerberos'] == "allow_fallback_to_ldap_auth";
if ($use_kerberos_only or $use_kerberos_with_fallback) {
if (isset($_SERVER["REMOTE_USER"])) {
dbg_error_log( "LOG", "drivers_ldap : Skipping password Check for user %s which should be the same as %s",$username , $_SERVER["REMOTE_USER"]);
if ($username == $_SERVER["REMOTE_USER"]) {
$skip_password_check = true;
$authenticated = true;
} else {
return false;
}
} elseif (isset($_SERVER["REDIRECT_REMOTE_USER"])) {
dbg_error_log( "LOG", "drivers_ldap : Skipping password Check for user %s which should be the same as %s",$username , $_SERVER["REDIRECT_REMOTE_USER"]);
if ($username == $_SERVER["REDIRECT_REMOTE_USER"]) {
$skip_password_check = true;
$authenticated = true;
} else {
return false;
}
} elseif ($use_kerberos_only) {
return false;
}
}
if (!$skip_password_check) {
if (!$authenticated) {
if ( empty($passwd) || preg_match('/[\x00-\x19]/',$passwd) ) {
// See http://www.php.net/manual/en/function.ldap-bind.php#73718 for more background
dbg_error_log( 'LDAP', 'drivers_ldap : user %s supplied empty or invalid password: login rejected', $dnUser );