From 43e5b490e8c0a5c4fd88352621ad28a64e613eab Mon Sep 17 00:00:00 2001
From: Rolando Isidoro
Date: Fri, 19 Oct 2012 15:57:36 +0100
Subject: [PATCH] Bug 7973- Allow for new type of LDAP authentication
This patch aims to solve the LDAP bind authentication method. Here are some considerations: - This is a standalone patch, so all the previous submitted ones are rendered obsolete; - LDAP bind authentication is now done in 3 steps: 1 - LDAP anonymous bind; 2 - LDAP search entry for the given username; 3 - LDAP bind with the DN of the found entry + the given password. - The process fails if none or more than 1 entries are found for the given username; - The setting in koha-conf.xml isn't used anymore; - The patch is backwards compatible, so users already using the previously implemented LDAP bind authentication should be able to use it the same. http://bugs.koha-community.org/show_bug.cgi?id=7973
Signed-off-by: Vitor Fernandes
Signed-off-by: Dobrica Pavlinusic
Signed-off-by: Katrin Fischer
Passes all tests and QA script and has 2 solid sign offs.
Signed-off-by: Jared Camins-Esakov
---
 C4/Auth_with_ldap.pm | 41 ++++++++++++++++++-----------------------
 1 file changed, 18 insertions(+), 23 deletions(-)
diff --git a/C4/Auth_with_ldap.pm b/C4/Auth_with_ldap.pm
index f3c1f7f39d..d29d8e8ad5 100644
--- a/C4/Auth_with_ldap.pm
+++ b/C4/Auth_with_ldap.pm
@@ -105,30 +105,27 @@ sub checkpw_ldap {
 my $db = Net::LDAP->new(\@hosts);
 #$debug and $db->debug(5);
 my $userldapentry;
- if ( $ldap->{auth_by_bind} ) {
- my $principal_name = $ldap->{principal_name};
- if ($principal_name and $principal_name =~ /\%/) {
- $principal_name = sprintf($principal_name,$userid);
- } else {
- $principal_name = $userid;
- }
- my $res = $db->bind( $principal_name, password => $password );
- if ( $res->code ) {
- $debug and warn "LDAP bind failed as kohauser $principal_name: ". description($res);
- return 0;
- }
- # FIXME dpavlin -- we really need $userldapentry leater on even if using auth_by_bind!
+ if ( $ldap->{auth_by_bind} ) {
+ # Perform an anonymous bind
+ my $res = $db->bind;
+ if ( $res->code ) {
+ $debug and warn "Anonymous LDAP bind failed: ". description($res);
+ return 0;
+ }
+
+ # Perform a LDAP search for the given username
+ my $search = search_method($db, $userid) or return 0; # warnings are in the sub
+ $userldapentry = $search->shift_entry;
- # BUG #5094
- # 2010-08-04 JeremyC
- # a $userldapentry is only needed if either updating or replicating are enabled
- if($config{update} or $config{replicate}) {
- my $search = search_method($db, $userid) or return 0; # warnings are in the sub
- $userldapentry = $search->shift_entry;
- }
+ # Perform a LDAP bind for the given username using the matched DN
+ my $res = $db->bind( $userldapentry->dn, password => $password );
+ if ( $res->code ) {
+ $debug and warn "LDAP bind failed as kohauser $userid: ". description($res);
+ return 0;
+ }
- } else {
+ } else {
 my $res = ($config{anonymous}) ? $db->bind : $db->bind($ldapname, password=>$ldappassword);
 if ($res->code) { # connection refused
 warn "LDAP bind failed as ldapuser " . ($ldapname || '[ANONYMOUS]') . ": " . description($res);
@@ -419,8 +416,6 @@ Example XML stanza for LDAP configuration in KOHA_CONF. 1 0 - %s@my_domain.com -
--
2.39.5
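Review bot: The DN bind `my $res = $db->bind( $userldapentry->dn, password => $password );` dereferences `$userldapentry` without checking that `shift_entry` returned an entry; if search_method (defined outside this hunk, "warnings are in the sub") ever hands back a search object with no entries, this line dies with `Can't call method "dn" on an undefined value` instead of returning 0, so write `$userldapentry = $search->shift_entry or return 0;`. The same line re-declares `my $res` in the block that already declared the anonymous-bind `$res`, which raises the `"my" variable $res masks earlier declaration in same scope` warning; naming the second one `my $bind_res` (and using it in the following `if`) avoids that. Separately, `$password` reaches the DN bind unchecked within this hunk, and many directory servers treat a simple bind with a DN and an empty password as an unauthenticated bind that succeeds, so unless checkpw_ldap's caller is known to reject empty passwords, add `return 0 unless defined $password and length $password;` before the DN bind. The body of checkpw_ldap continues beyond the end of the hunk.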