Commit cabb3e93 authored by Daniel Haag's avatar Daniel Haag
Browse files

do prevent empty password or invalid usernames in ldap authentification, fix...

do prevent empty password or invalid usernames in ldap authentification, fix ldap attribute syncronization
parent 2bd139a4
......@@ -200,7 +200,6 @@ function F_altLogin() {
$ldapconn = ldap_connect(K_LDAP_HOST, K_LDAP_PORT);
ldap_set_option($ldapconn, LDAP_OPT_PROTOCOL_VERSION, K_LDAP_PROTOCOL_VERSION);
ldap_set_option($ldapconn, LDAP_OPT_REFERRALS, 0); // recommended for W2K3
// bind anonymously and get dn for username.
if (K_LDAP_UTF8) {
$ldapusername = utf8_encode($_POST['xuser_name']);
$ldappassword = utf8_encode($_POST['xuser_password']);
......@@ -208,26 +207,41 @@ function F_altLogin() {
$ldapusername = $_POST['xuser_name'];
$ldappassword = $_POST['xuser_password'];
}
// do not allow empty password or username with non alphanumeric chars.
if (
empty($ldapusername) OR
empty($ldappassword) OR
preg_match('/\x00/',$ldapusername) OR
preg_match('/\x00/',$ldappassword) OR
preg_match('/[^a-zA-Z0-9]/',$ldapusername)) {
return false;
}
$lbind = false;
if (K_LDAP_SYSTEM_DN && K_LDAP_SYSTEM_PW) {
// bind with system dn.
$lbind = ldap_bind($ldapconn, K_LDAP_SYSTEM_DN, K_LDAP_SYSTEM_PW);
} else {
// bind directly with the user supplied username and password.
$lbind = ldap_bind($ldapconn, $ldapusername, $ldappassword);
}
if ($lbind) {
// Search user on LDAP tree
sort($ldap_attr);
$ldap_filter = str_replace('#USERNAME#', $ldapusername, K_LDAP_FILTER);
if ($search = ldap_search($ldapconn, K_LDAP_BASE_DN, $ldap_filter, $ldap_attr)) {
if ($search = ldap_search($ldapconn, K_LDAP_BASE_DN, $ldap_filter, array_values($ldap_attr))) {
if ($rdns = ldap_get_entries($ldapconn, $search)) {
error_log(var_export($rdns,true));
if ( $rdns["count"] == 1 ) {
$rdn = $rdns[0];
if (ldap_bind($ldapconn, $rdn['dn'], $_POST['xuser_password'])) {
@ldap_unbind($ldapconn);
$usr = array();
foreach ($ldap_attr as $k => $v) {
if ((!empty($v)) AND isset($rdn[$v])) {
$usr[$k] = $rdn[$v];
if ((!empty($v)) AND array_key_exists($v,$rdn)) {
if (is_array($rdn[$v])) {
$usr[$k] = $rdn[$v][0];
} else {
$usr[$k] = $rdn[$v];
}
} else {
$usr[$k] = '';
}
......
Markdown is supported
0% or .
You are about to add 0 people to the discussion. Proceed with caution.
Finish editing this message first!
Please register or to comment