From 8c3fc47338fed6c35ea21a6524d6c1a109861ebf Mon Sep 17 00:00:00 2001
From: = <=>
Date: Wed, 5 Oct 2011 16:47:21 -0400
Subject: [PATCH] Bug #6979 I removed several lines of code in the checkpw_ldap subroutine where LDAP authentication takes place, in the "else" part of the conditional that checks for the auth_by_bind config parameter. I added several lines to check whether the user can log in to LDAP using their DN and the password supplied in the login form. If they are able to bind, login contiues as normal and the LDAP attributes can be harvested as normal if the update options are turned on. The routine that was in place was failing because it was trying to check against a non-existent LDAP entry attribute called 'userpassword'. Instead of checking against a 'userpassword' attribute, the routine really should be checking to make sure the user can actually bind to LDAP. That's what I set up, and it is a safer way to test authentication against LDAP.
Signed-off-by: Martin Renvoize
Signed-off-by: Kyle M Hall
---
 C4/Auth_with_ldap.pm | 12 +++++++-----
 1 file changed, 7 insertions(+), 5 deletions(-)
diff --git a/C4/Auth_with_ldap.pm b/C4/Auth_with_ldap.pm
index 3a7c3e3205..2ad3ee90c3 100644
--- a/C4/Auth_with_ldap.pm
+++ b/C4/Auth_with_ldap.pm
@@ -124,6 +124,7 @@ sub checkpw_ldap {
     #$debug and $db->debug(5);
     my $userldapentry;
+    # first, LDAP authentication
     if ( $ldap->{auth_by_bind} ) {
         my $principal_name;
         if ( $ldap->{anonymous_bind} ) {
@@ -182,11 +183,12 @@ sub checkpw_ldap {
         }
         my $search = search_method($db, $userid) or return 0; # warnings are in the sub
         $userldapentry = $search->shift_entry;
-        my $cmpmesg = $db->compare( $userldapentry, attr=>'userpassword', value => $password );
-        if ($cmpmesg->code != 6) {
-            warn "LDAP Auth rejected : invalid password for user '$userid'. " . description($cmpmesg);
-            return -1;
-        }
+        my $dn = $userldapentry->dn;
+        my $user_ldap_bind_ret = $db->bind($dn, password => $password);
+        if ($user_ldap_bind_ret->code) {
+            warn "LDAP Auth rejected : invalid password for user '$userid'. " . description($user_ldap_bind_ret);
+            return -1;
+        }
     }
     # To get here, LDAP has accepted our user's login attempt.
-- 
2.39.5
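Review bot: The new `$db->bind($dn, password => $password)` line never checks that `$password` is non-empty, so a login form submitted with a blank password turns into an LDAP unauthenticated bind (RFC 4513 §5.1.2), which Active Directory and some other directories answer with success rather than an error; unless a caller outside this hunk already rejects empty passwords, add `return -1 unless defined $password && length $password;` before the bind. `$search->shift_entry` can also return undef when the search matched no entry, in which case `$userldapentry->dn` dies with a method-on-undef error instead of returning a failure code — guard it with `return 0 unless $userldapentry;` before taking the DN, unless search_method (not visible here) already guarantees exactly one entry. After the user bind succeeds the connection `$db` stays bound as that user rather than as the service account, so the attribute reads the commit message says follow run with the user's own directory privileges; presumably intended, but a one-line comment at the bind line saying so would save the next reader from wondering. checkpw_ldap starts before this hunk and continues after it.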