Hello,
Thank you for your ldapextauth plugin module for gforge. I made some
improvements to adapt it to my environment. I have an AD and I am using
the sAMAccountName field as login username, so your current
implementation is unusable for me because it uses the username as the bind
DN. I changed the way an account is validated: first, the login is
tried with the provided username and password by binding with
dn=username; if that fails, a connection is made with a predefined
user and password and the correct DN is looked up for the username
provided, if any. The login is then re-tried with the updated DN.
After applying the patch, you have to add two new variables to config.php
for the predefined bind DN and its password.
$sys_ldap_binddn = "cn=padl,cn=Users,dc=comune,dc=prato,dc=local";
$sys_ldap_bindpwd = "***********";
Leandro
-----------------------
Dott. Leandro Dardini
Comune di Prato
Sistema Informativo
Via Cairoli, 16
59100 - Prato (Italy)
Phone : +39 0574615216
Fax : +39 0574615212
---
/usr/local/src/gforge-trunk.orig/gforge/plugins/ldapextauth/include/LdapExtAuthPlugin.class
2007-05-08 09:21:27.000000000 +0200
+++ ./plugins/ldapextauth/include/LdapExtAuthPlugin.class 2007-05-09
16:52:16.000000000 +0200
@@ -36,6 +36,8 @@
$this->base_dn = $sys_ldap_dn ;
$this->ldap_server = $sys_ldap_server ;
$this->ldap_port = $sys_ldap_port ;
+ $this->ldap_binddn = $sys_ldap_binddn;
+ $this->ldap_bindpwd = $sys_ldap_bindpwd;
if ($base_dn) {
$this->base_dn = $base_dn ;
}
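Review bot: The two new assignments at L33-L34 read `$sys_ldap_binddn` and `$sys_ldap_bindpwd` as globals, but the constructor's `global` statement is before this hunk and the patch does not extend it; if those names are not added there, both properties are silently null and the service-account bind in AuthUser degrades to an anonymous bind. Append `$sys_ldap_binddn, $sys_ldap_bindpwd` to the existing `global` line of the constructor so the values from config.php actually reach the object. Since `$sys_ldap_bindpwd` is a stored credential, it is worth stating in the patch description that the bind account only needs read access to the directory and that config.php must not be readable by other local users.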
@@ -71,7 +73,6 @@
function AuthUser ($loginname, $passwd) {
global $feedback,$Language;
-
if (!$this->ldap_conn) {
$this->ldap_conn = ldap_connect ($this->ldap_server,
$this->ldap_port);
@@ -84,129 +85,156 @@
$GLOBALS['ldap_auth_failed']=true;
return false;
}
-
+
$u = user_get_object_by_name ($loginname) ;
- if ($u) {
+ if ($u) {
// User exists in DB
- if (@ldap_bind($this->ldap_conn, $dn, $passwd)) {
- // Password from form is valid in LDAP
- if (session_login_valid_dbonly ($loginname,
$passwd, false)) {
- // Also according to DB
- $GLOBALS['ldap_auth_failed']=false;
- return true ;
- } else {
- // Passwords mismatch, update DB's
- $u->setPasswd ($passwd) ;
- $GLOBALS['ldap_auth_failed']=false;
- return true ;
+ // Try to connect using the provided dn
+ if (! @ldap_bind($this->ldap_conn, $dn, $passwd)) {
+ // user not authenticated, try recovering
connection dn for user
+ if (@ldap_bind($this->ldap_conn,
$this->ldap_binddn, $this->ldap_bindpwd)) {
+ if ($this->ldap_kind=="AD"){
+ $res = ldap_search
($this->ldap_conn, $this->base_dn, "sAMAccountName=".$loginname) ;
+ } else {
+ $res = ldap_read
($this->ldap_conn, $dn, "objectclass=*") ;
+ }
+ $info = ldap_get_entries
($this->ldap_conn,$res);
+ $ldapentry = $info[0] ;
+
+ $mappedinfo =
plugin_ldapextauth_mapping ($ldapentry) ;
+ $dn=$mappedinfo['binddn'];
+ if ( ! @ldap_bind($this->ldap_conn,
$dn, $passwd)) {
+
$GLOBALS['ldap_auth_failed']=true;
+ $feedback=_('Invalid Password
Or User Name');
+ return false ;
+ }
}
- } else {
- // Wrong password according to LDAP
- $feedback=_('Invalid Password Or User Name');
- $GLOBALS['ldap_auth_failed']=true;
- return false ;
+ }
+ // Password from form is valid in LDAP
+ if (session_login_valid_dbonly ($loginname, $passwd,
false)) {
+ // Also according to DB
+ $GLOBALS['ldap_auth_failed']=false;
+ return true ;
}
} else {
// User doesn't exist in DB yet
- if (@ldap_bind($this->ldap_conn, $dn, $passwd)) {
- // User authenticated
- // Now get her info
- if ($this->ldap_kind=="AD"){
- $res = ldap_search ($this->ldap_conn,
$this->base_dn, "sAMAccountName=".$loginname) ;
- } else {
- $res = ldap_read ($this->ldap_conn,
$dn, "objectclass=*") ;
- }
- $info = ldap_get_entries
($this->ldap_conn,$res);
- $ldapentry = $info[0] ;
-
- $mappedinfo = plugin_ldapextauth_mapping
($ldapentry) ;
+ // Try to connect using the provided dn
+ if (! @ldap_bind($this->ldap_conn, $dn, $passwd)) {
+ // user not authenticated, try recovering
connection dn for user
+ if (@ldap_bind($this->ldap_conn,
$this->ldap_binddn, $this->ldap_bindpwd)) {
+ if ($this->ldap_kind=="AD"){
+ $res = ldap_search
($this->ldap_conn, $this->base_dn, "sAMAccountName=".$loginname) ;
+ } else {
+ $res = ldap_read
($this->ldap_conn, $dn, "objectclass=*") ;
+ }
+ $info = ldap_get_entries
($this->ldap_conn,$res);
+ $ldapentry = $info[0] ;
- // Insert into DB
- $u = new User () ;
-
- $unix_name = $loginname ;
- $firstname = '' ;
- $lastname = '' ;
- $password1 = $passwd ;
- $password2 = $passwd ;
- $email = '' ;
- $mail_site = 1 ;
- $mail_va = 0 ;
- $language_id = 1 ;
- $timezone = 'GMT' ;
- $jabber_address = '' ;
- $jabber_only = 0 ;
- $theme_id = 1 ;
- $unix_box = '' ;
- $address = '' ;
- $address2 = '' ;
- $phone = '' ;
- $fax = '' ;
- $title = '' ;
- $ccode = 'US' ;
- $send_mail = false ;
-
- if ($mappedinfo['firstname']) {
- $firstname = $mappedinfo['firstname'] ;
- }
- if ($mappedinfo['lastname']) {
- $lastname = $mappedinfo['lastname'] ;
- }
- if ($mappedinfo['email']) {
- $email = $mappedinfo['email'] ;
- }
- if ($mappedinfo['language_id']) {
- $language_id =
$mappedinfo['language_id'] ;
- }
- if ($mappedinfo['timezone']) {
- $timezone = $mappedinfo['timezone'] ;
- }
- if ($mappedinfo['jabber_address']) {
- $jabber_address =
$mappedinfo['jabber_address'] ;
- }
- if ($mappedinfo['address']) {
- $address = $mappedinfo['address'] ;
- }
- if ($mappedinfo['address2']) {
- $address2 = $mappedinfo['address2'] ;
- }
- if ($mappedinfo['phone']) {
- $phone = $mappedinfo['phone'] ;
- }
- if ($mappedinfo['fax']) {
- $fax = $mappedinfo['fax'] ;
- }
- if ($mappedinfo['title']) {
- $title = $mappedinfo['title'] ;
- }
- if ($mappedinfo['ccode']) {
- $ccode = $mappedinfo['ccode'] ;
- }
- if ($mappedinfo['themeid']) {
- $theme_id = $mappedinfo['themeid'] ;
- }
-
- if (!$u->create
($unix_name,$firstname,$lastname,$password1,$password2,$email,
-
$mail_site,$mail_va,$language_id,$timezone,$jabber_address,$jabber_only,$theme_id,
- $unix_box, $address, $address2,
$phone, $fax, $title, $ccode, $send_mail)) {
- $GLOBALS['ldap_auth_failed']=true;
- $feedback = "<br>Error Creating User:
".$u->getErrorMessage();
- return false;
- }
-
- if (!$u->setStatus ('A')) {
+ $mappedinfo =
plugin_ldapextauth_mapping ($ldapentry) ;
+ $dn=$mappedinfo['binddn'];
+ if ( ! @ldap_bind($this->ldap_conn,
$dn, $passwd)) {
+
$GLOBALS['ldap_auth_failed']=true;
+ $feedback=_('Invalid Password
Or User Name');
+ return false ; // Probably
ignored, but just in case
+ }
+ } else {
+ $feedback=_('Invalid Password Or User
Name for bind account');
$GLOBALS['ldap_auth_failed']=true;
- $feedback = "<br>Error Activating User:
".$u->getErrorMessage();
- return false;
+ return false ;
}
- $GLOBALS['ldap_auth_failed']=false;
- $GLOBALS['ldap_first_login']=true;
- return true ;
+ }
+ // User authenticated
+ // Now get her info
+ if ($this->ldap_kind=="AD"){
+ $res = ldap_search ($this->ldap_conn,
$this->base_dn, "sAMAccountName=".$loginname) ;
} else {
+ $res = ldap_read ($this->ldap_conn, $dn,
"objectclass=*") ;
+ }
+ $info = ldap_get_entries ($this->ldap_conn,$res);
+ $ldapentry = $info[0] ;
+
+ $mappedinfo = plugin_ldapextauth_mapping ($ldapentry) ;
+
+ // Insert into DB
+ $u = new User () ;
+
+ $unix_name = $loginname ;
+ $firstname = '' ;
+ $lastname = '' ;
+ $password1 = $passwd ;
+ $password2 = $passwd ;
+ $email = '' ;
+ $mail_site = 1 ;
+ $mail_va = 0 ;
+ $language_id = 1 ;
+ $timezone = 'GMT' ;
+ $jabber_address = '' ;
+ $jabber_only = 0 ;
+ $theme_id = 1 ;
+ $unix_box = '' ;
+ $address = '' ;
+ $address2 = '' ;
+ $phone = '' ;
+ $fax = '' ;
+ $title = '' ;
+ $ccode = 'US' ;
+ $send_mail = false ;
+
+ if ($mappedinfo['firstname']) {
+ $firstname = $mappedinfo['firstname'] ;
+ }
+ if ($mappedinfo['lastname']) {
+ $lastname = $mappedinfo['lastname'] ;
+ }
+ if ($mappedinfo['email']) {
+ $email = $mappedinfo['email'] ;
+ }
+ if ($mappedinfo['language_id']) {
+ $language_id = $mappedinfo['language_id'] ;
+ }
+ if ($mappedinfo['timezone']) {
+ $timezone = $mappedinfo['timezone'] ;
+ }
+ if ($mappedinfo['jabber_address']) {
+ $jabber_address = $mappedinfo['jabber_address']
;
+ }
+ if ($mappedinfo['address']) {
+ $address = $mappedinfo['address'] ;
+ }
+ if ($mappedinfo['address2']) {
+ $address2 = $mappedinfo['address2'] ;
+ }
+ if ($mappedinfo['phone']) {
+ $phone = $mappedinfo['phone'] ;
+ }
+ if ($mappedinfo['fax']) {
+ $fax = $mappedinfo['fax'] ;
+ }
+ if ($mappedinfo['title']) {
+ $title = $mappedinfo['title'] ;
+ }
+ if ($mappedinfo['ccode']) {
+ $ccode = $mappedinfo['ccode'] ;
+ }
+ if ($mappedinfo['themeid']) {
+ $theme_id = $mappedinfo['themeid'] ;
+ }
+ if (!$u->create
($unix_name,$firstname,$lastname,$password1,$password2,$email,
+
$mail_site,$mail_va,$language_id,$timezone,$jabber_address,$jabber_only,$theme_id,
+ $unix_box, $address, $address2,
$phone, $fax, $title, $ccode, $send_mail)) {
+ $GLOBALS['ldap_auth_failed']=true;
+ $feedback = "<br>Error Creating User:
".$u->getErrorMessage();
+ return false;
+ }
+
+ if (!$u->setStatus ('A')) {
$GLOBALS['ldap_auth_failed']=true;
- $feedback=_('Invalid Password Or User Name');
- return false ; // Probably ignored, but just in
case
+ $feedback = "<br>Error Activating User:
".$u->getErrorMessage();
+ return false;
}
+ $GLOBALS['ldap_auth_failed']=false;
+ $GLOBALS['ldap_first_login']=true;
+ return true ;
}
}
}
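Review bot: `$info[0]` is used without checking `$info['count']` in both recovery blocks (L80-L86 and L140-L142 with L223-L225), so an unknown `$loginname` yields an empty `$mappedinfo['binddn']` and the re-bind at L87 / L226 becomes an anonymous bind, which directories that permit it will accept; the same happens when `$passwd` is empty, which nothing in the hunk rejects. `$loginname` is also concatenated unescaped into the `sAMAccountName=` filter at L75, L135 and L252 and should go through `ldap_escape($loginname, '', LDAP_ESCAPE_FILTER)` (PHP 5.6+) or equivalent RFC 4515 escaping. The recovery block is duplicated verbatim, so moving it into a helper that returns the DN or `false` keeps those checks in one place, as sketched below. Separately, the existing-user path has lost the old `setPasswd` sync: after a successful LDAP bind, a failing `session_login_valid_dbonly` at L103 now runs off the end of the `if ($u)` branch with no return value and `ldap_auth_failed` left unset (assuming L352 closes AuthUser). AuthUser's signature and the `$dn` it first binds with are set before this hunk.
```php
// … unchanged: connection setup and $u = user_get_object_by_name() …
// Try the provided dn first, then fall back to a lookup through the
// service account; an unknown user must never reach a second bind.
if (! @ldap_bind($this->ldap_conn, $dn, $passwd)) {
    $dn = $this->lookupBindDn ($loginname, $dn) ;
    if ($dn === false || ! @ldap_bind($this->ldap_conn, $dn, $passwd)) {
        $GLOBALS['ldap_auth_failed']=true;
        $feedback=_('Invalid Password Or User Name');
        return false ;
    }
}
// … unchanged: DB check / user creation …

// Bind with the configured service account and return the user's DN,
// or false when the bind, the search, or the mapping yields nothing.
function lookupBindDn ($loginname, $dn) {
    if (!@ldap_bind($this->ldap_conn, $this->ldap_binddn, $this->ldap_bindpwd)) {
        return false ;
    }
    if ($this->ldap_kind=="AD") {
        // ldap_escape() needs PHP >= 5.6; otherwise escape \ * ( ) and NUL by hand
        $filter = "sAMAccountName=" . ldap_escape ($loginname, '', LDAP_ESCAPE_FILTER) ;
        $res = @ldap_search ($this->ldap_conn, $this->base_dn, $filter) ;
    } else {
        $res = @ldap_read ($this->ldap_conn, $dn, "objectclass=*") ;
    }
    if (!$res) {
        return false ;
    }
    $info = ldap_get_entries ($this->ldap_conn, $res) ;
    if (!$info || $info['count'] != 1) {
        return false ; // unknown or ambiguous account
    }
    $mappedinfo = plugin_ldapextauth_mapping ($info[0]) ;
    if (empty ($mappedinfo['binddn'])) {
        return false ; // an empty DN would turn the re-bind into an anonymous bind
    }
    return $mappedinfo['binddn'] ;
}
```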