From dc0749ecce232a5a68d83fbde965ee4ee8e36d00 Mon Sep 17 00:00:00 2001 From: Frederic Guillot Date: Sun, 11 Oct 2015 14:44:16 -0400 Subject: Improve LDAP auth --- app/Auth/Ldap.php | 39 +++++++++++++++++++++++++++++---------- 1 file changed, 29 insertions(+), 10 deletions(-) (limited to 'app/Auth') diff --git a/app/Auth/Ldap.php b/app/Auth/Ldap.php index a3c7522c..3a48c402 100644 --- a/app/Auth/Ldap.php +++ b/app/Auth/Ldap.php @@ -30,6 +30,17 @@ class Ldap extends Base return LDAP_SERVER; } + /** + * Get LDAP bind type + * + * @access public + * @return integer + */ + public function getLdapBindType() + { + return LDAP_BIND_TYPE; + } + /** * Get LDAP server port * @@ -265,7 +276,7 @@ class Ldap extends Base public function connect() { if (! function_exists('ldap_connect')) { - $this->logger->error('The PHP LDAP extension is required'); + $this->logger->error('LDAP: The PHP LDAP extension is required'); return false; } @@ -277,7 +288,7 @@ class Ldap extends Base $ldap = ldap_connect($this->getLdapServer(), $this->getLdapPort()); if ($ldap === false) { - $this->logger->error('Unable to connect to the LDAP server'); + $this->logger->error('LDAP: Unable to connect to the LDAP server'); return false; } @@ -287,7 +298,7 @@ class Ldap extends Base ldap_set_option($ldap, LDAP_OPT_TIMELIMIT, 1); if (LDAP_START_TLS && ! @ldap_start_tls($ldap)) { - $this->logger->error('Unable to use ldap_start_tls()'); + $this->logger->error('LDAP: Unable to use ldap_start_tls()'); return false; } @@ -301,16 +312,15 @@ class Ldap extends Base * @param resource $ldap * @param string $username * @param string $password - * @param string $ldap_type * @return boolean */ - public function bind($ldap, $username, $password, $ldap_type = LDAP_BIND_TYPE) + public function bind($ldap, $username, $password) { - if ($ldap_type === 'user') { - $ldap_username = $this->getLdapUserPattern($username); + if ($this->getLdapBindType() === 'user') { + $ldap_username = sprintf($this->getLdapUsername(), $username); $ldap_password = $password; } - else if ($ldap_type === 'proxy') { + else if ($this->getLdapBindType() === 'proxy') { $ldap_username = $this->getLdapUsername(); $ldap_password = $this->getLdapPassword(); } @@ -320,6 +330,8 @@ class Ldap extends Base } if (! @ldap_bind($ldap, $ldap_username, $ldap_password)) { + $this->logger->error('LDAP: Unable to bind to server with: '.$ldap_username); + $this->logger->error('LDAP: bind type='.$this->getLdapBindType()); return false; } @@ -337,8 +349,11 @@ class Ldap extends Base */ public function getProfile($ldap, $username, $password) { - $entries = $this->executeQuery($ldap, $this->getLdapUserPattern($username)); + $user_pattern = $this->getLdapUserPattern($username); + $entries = $this->executeQuery($ldap, $user_pattern); + if ($entries === false) { + $this->logger->error('LDAP: Unable to get user profile: '.$user_pattern); return false; } @@ -346,6 +361,10 @@ class Ldap extends Base return $this->prepareProfile($ldap, $entries, $username); } + if (DEBUG) { + $this->logger->debug('LDAP: wrong password for '.$entries[0]['dn']); + } + return false; } @@ -442,7 +461,7 @@ class Ldap extends Base */ private function executeQuery($ldap, $query) { - $sr = ldap_search($ldap, $this->getLdapBaseDn(), $query, $this->getProfileAttributes()); + $sr = @ldap_search($ldap, $this->getLdapBaseDn(), $query, $this->getProfileAttributes()); if ($sr === false) { return false; } -- cgit v1.2.3