From d3a0c89ecac17f56409c2f4b654132b0c11cd98b Mon Sep 17 00:00:00 2001
From: Stonewall Jackson
Date: Mon, 1 Apr 2024 07:57:00 -0400
Subject: [PATCH] Retain original i_use_mode_kerberos behavior, add fallback option

Add a new value for i_use_mode_kerberos: "allow_fallback_ldap_auth", which will fallback to username/password authentication when the REMOTE_USER value is unset.
---
 inc/drivers_ldap.php | 15 ++++++++++-----
 1 file changed, 10 insertions(+), 5 deletions(-)

diff --git a/inc/drivers_ldap.php b/inc/drivers_ldap.php
index 0b1abe91..37bed5ca 100644
--- a/inc/drivers_ldap.php
+++ b/inc/drivers_ldap.php
@@ -252,7 +252,6 @@ class ldapDriver
 global $c;
 $entry=NULL;
- $skip_password_check = false;
 // We get the DN of the USER
 $query = $this->ldap_query_one;
 # ldap_set_option(NULL, LDAP_OPT_DEBUG_LEVEL, 7);
@@ -275,25 +274,31 @@ class ldapDriver
 $dnUser = ldap_get_dn($this->connect, ldap_first_entry($this->connect,$entry));
- if ( isset($c->authenticate_hook['config']['i_use_mode_kerberos']) && $c->authenticate_hook['config']['i_use_mode_kerberos'] == "i_know_what_i_am_doing") {
+ $authenticated = false;
+ $use_kerberos_only = isset($c->authenticate_hook['config']['i_use_mode_kerberos']) && $c->authenticate_hook['config']['i_use_mode_kerberos'] == "i_know_what_i_am_doing";
+ $use_kerberos_with_fallback = isset($c->authenticate_hook['config']['i_use_mode_kerberos']) && $c->authenticate_hook['config']['i_use_mode_kerberos'] == "allow_fallback_to_ldap_auth";
+
+ if ($use_kerberos_only or $use_kerberos_with_fallback) {
 if (isset($_SERVER["REMOTE_USER"])) {
 dbg_error_log( "LOG", "drivers_ldap : Skipping password Check for user %s which should be the same as %s",$username , $_SERVER["REMOTE_USER"]);
 if ($username == $_SERVER["REMOTE_USER"]) {
- $skip_password_check = true;
+ $authenticated = true;
 } else {
 return false;
 }
 } elseif (isset($_SERVER["REDIRECT_REMOTE_USER"])) {
 dbg_error_log( "LOG", "drivers_ldap : Skipping password Check for user %s which should be the same as %s",$username , $_SERVER["REDIRECT_REMOTE_USER"]);
 if ($username == $_SERVER["REDIRECT_REMOTE_USER"]) {
- $skip_password_check = true;
+ $authenticated = true;
 } else {
 return false;
 }
+ } elseif ($use_kerberos_only) {
+ return false;
 }
 }
- if (!$skip_password_check) {
+ if (!$authenticated) {
 if ( empty($passwd) || preg_match('/[\x00-\x19]/',$passwd) ) {
 // See http://www.php.net/manual/en/function.ldap-bind.php#73718 for more background
 dbg_error_log( 'LDAP', 'drivers_ldap : user %s supplied empty or invalid password: login rejected', $dnUser );
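Review bot: The config value the commit message documents, "allow_fallback_ldap_auth", is not the string the new `$use_kerberos_with_fallback` line compares against (`"allow_fallback_to_ldap_auth"`), so an admin who follows the message ends up with neither flag set: REMOTE_USER is never consulted, every request goes straight to the password bind, and nothing is logged because an unrecognised `i_use_mode_kerberos` value is not handled at all in this hunk; use one spelling in both places and consider a `dbg_error_log` for unknown values so a silently disabled SSO path is visible. Both modes still rest on `if ($username == $_SERVER["REMOTE_USER"])` (and the REDIRECT_REMOTE_USER twin), a loose comparison under which numeric-looking strings compare as numbers (`"01" == "1"` is true), so a principal with such a name could be accepted against the DN already looked up for a different `$username`; change these to `$username === $_SERVER["REMOTE_USER"]`. Note also that in the removed lines a missing REMOTE_USER under "i_know_what_i_am_doing" fell through to the password check, whereas the new `} elseif ($use_kerberos_only) { return false; }` fails closed, so "retain original behavior" in the subject holds only if the intended original was the strict one; fail-closed is the safer default, but it is a visible behavior change worth stating in the description. As a style point, the new `if ($use_kerberos_only or $use_kerberos_with_fallback)` mixes `or` with the `&&` the rest of the block uses; `||` would be consistent. The surrounding method starts before this hunk and continues past its last line.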