From 5bd8df784e340af2a071ffacd482a6ddd15137c9 Mon Sep 17 00:00:00 2001 From: Robin Sheat Date: Wed, 18 Sep 2013 17:16:51 +1200 Subject: [PATCH] Bug 10908: restore non-anonymous auth_by_bind LDAP options Recent changes to LDAP broke auth_by_bind in many situations. This bug resets the behaviour to what it used to be, however also allows the new behaviour by adding the 'anonymous_bind' parameter to the LDAP config. Testing: 1) Find an LDAP configuration that was broken recently that uses auth_by_bind 2) Apply this patch 3) See if it works again. Additionally, testing the original path in the case of 'anonymous_bind' being set should probably be done too, but I have no idea about the LDAP server config for that. Signed-off-by: Ulrich Kleiber Signed-off-by: Brendan Gallagher Signed-off-by: Galen Charlton
---
C4/Auth_with_ldap.pm | 58 ++++++++++++++++++++++++++++++-------------- 1 file changed, 40 insertions(+), 18 deletions(-)
diff --git a/C4/Auth_with_ldap.pm b/C4/Auth_with_ldap.pm
index bf5393643a..47c3056a60 100644
--- a/C4/Auth_with_ldap.pm
+++ b/C4/Auth_with_ldap.pm
@@ -112,26 +112,46 @@ sub checkpw_ldap {
 #$debug and $db->debug(5);
 my $userldapentry;
- if ( $ldap->{auth_by_bind} ) {
- # Perform an anonymous bind
- my $res = $db->bind;
- if ( $res->code ) {
- $debug and warn "Anonymous LDAP bind failed: ". description($res);
- return 0;
- }
-
- # Perform a LDAP search for the given username
- my $search = search_method($db, $userid) or return 0; # warnings are in the sub
- $userldapentry = $search->shift_entry;
+ if ( $ldap->{auth_by_bind} ) {
+ my $principal_name;
+ if ( $ldap->{anonymous_bind} ) {
+
+ # Perform an anonymous bind
+ my $res = $db->bind;
+ if ( $res->code ) {
+ warn "Anonymous LDAP bind failed: " . description($res);
+ return 0;
+ }
- # Perform a LDAP bind for the given username using the matched DN
- $res = $db->bind( $userldapentry->dn, password => $password );
- if ( $res->code ) {
- $debug and warn "LDAP bind failed as kohauser $userid: ". description($res);
- return 0;
- }
+ # Perform a LDAP search for the given username
+ my $search = search_method( $db, $userid )
+ or return 0; # warnings are in the sub
+ $userldapentry = $search->shift_entry;
+ $principal_name = $userldapentry->dn;
+ }
+ else {
+ $principal_name = $ldap->{principal_name};
+ if ( $principal_name and $principal_name =~ /\%/ ) {
+ $principal_name = sprintf( $principal_name, $userid );
+ }
+ else {
+ $principal_name = $userid;
+ }
+ }
- } else {
+ # Perform a LDAP bind for the given username using the matched DN
+ my $res = $db->bind( $principal_name, password => $password );
+ if ( $res->code ) {
+ warn "LDAP bind failed as kohauser $userid: " . description($res);
+ return 0;
+ }
+ if ( !defined($userldapentry)
+ && ( $config{update} or $config{replicate} ) )
+ {
+ my $search = search_method( $db, $userid ) or return 0;
+ $userldapentry = $search->shift_entry;
+ }
+ } else {
 my $res = ($config{anonymous}) ? $db->bind : $db->bind($ldapname, password=>$ldappassword);
 if ($res->code) { # connection refused
 warn "LDAP bind failed as ldapuser " . ($ldapname || '[ANONYMOUS]') . ": " . description($res);
@@ -415,6 +435,8 @@ Example XML stanza for LDAP configuration in KOHA_CONF. 1 0 + 0 -- 2.39.5
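Review bot: The user bind at `my $res = $db->bind( $principal_name, password => $password );` is issued with whatever `$password` reaches it, and a simple bind that names a DN but carries an empty password is an "unauthenticated" bind that some directories (Active Directory among them) answer with success, so an empty or missing password would log in any known userid unless checkpw_ldap already rejects it above this hunk (the sub starts before line 112 and continues past the hunk, so that cannot be confirmed here). Guard it right before the bind, for both the anonymous_bind branch and the principal_name branch, with `return 0 unless defined $password and length $password;`. Separately, `$userid` is spliced into the bind name by `sprintf( $principal_name, $userid )`, or used verbatim when no principal_name is configured, with no RFC 4514 escaping; when the template is a DN rather than an AD UPN, pass `Net::LDAP::Util::escape_dn_value($userid)` instead so a userid containing `,` or `=` cannot reshape the DN (Net::LDAP::Util ships with the Net::LDAP this file already uses, but it is not visibly imported). The two failed-bind `warn` calls are now unconditional rather than gated on `$debug`, which is reasonable for audit logging as long as `$password` is never added to those messages.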