Context Navigation

← Previous Change
Next Change →

AuthenticatorLDAP.php

Timestamp:

10/22/07 15:06:20 (5 years ago)

Author:

benoitg

Message:

Major security fix: Fix the authenticator for a security breach where a user could get Internet access using an empty username. LocalUser? and LDAP were definitely vulnerable, RADIUS may have been.

Files:

: 1 modified

trunk/wifidog-auth/wifidog/classes/Authenticators/AuthenticatorLDAP.php (modified) (3 diffs)

Legend:

: Unmodified
: Added
: Removed

trunk/wifidog-auth/wifidog/classes/Authenticators/AuthenticatorLDAP.php

r1249	r1304
125	125	* @return void
126	126	*/
127		public function __construct($account_orgin, $host, $rdn, $pass, $o, $filter)
	127	public function __construct($account_orgin, $host, $rdn, $pass, $o, $filter)
128	128	{
129	129	// Call parent constructor
130	130	parent::__construct($account_orgin);
131	131
132		$this->mldap_hostname = $host;
133		$this->mldap_filter = $filter;
134		$this->mldap_o = $o;
135		$this->mldap_rdn = trim($rdn);
136		$this->mldap_pass = trim($pass);
	132	$this->mldap_hostname = $host;
	133	$this->mldap_filter = $filter;
	134	$this->mldap_o = $o;
	135	$this->mldap_rdn = trim($rdn);
	136	$this->mldap_pass = trim($pass);
137	137	}
138	138
…	…
151	151
152	152	*/
153		private function checkLdapUser($username, $password, $ldap_server, $o, $f, &$errmsg = null )
154		{
155		// Init values
156		$rtval = true;
157
158		// Check if php-ldap extension is loaded
159		if (Dependency::check("ldap", $errmsg)) {
160		if ($connect = @ldap_connect($ldap_server)) {
161		// if connected to ldap server
162		ldap_set_option($connect, LDAP_OPT_PROTOCOL_VERSION, 3);
163
164		// bind to ldap connection
	153	private function checkLdapUser($username, $password, $ldap_server, $o, $f, &$errmsg = null )
	154	{
	155	// Init values
	156	$rtval = true;
	157
	158	// Check if php-ldap extension is loaded
	159	if (Dependency::check("ldap", $errmsg)) {
	160	if ($connect = @ldap_connect($ldap_server)) {
	161	// if connected to ldap server
	162	ldap_set_option($connect, LDAP_OPT_PROTOCOL_VERSION, 3);
	163
	164	// bind to ldap connection
165	165	if (strlen(trim($this->mldap_rdn)) == 0) {
166		if (($bind = @ldap_bind($connect)) == false) {
167		$errmsg = _("Error while connecting to the LDAP server.");
168		return false;
169		}
170		} else {
171		if (($bind = @ldap_bind($connect, $this->mldap_rdn, $this->mldap_pass )) == false) {
172		$errmsg = _("Error while connecting to the LDAP server.");
173		return false;
174		}
175		}
176
177		// search for user
178		if (($res_id = ldap_search($connect, "o=$o", "$f=$username")) == false) {
179		$errmsg = _("Error while obtaining your LDAP information.");
180
181		return false;
182		}
183
184		if (ldap_count_entries($connect, $res_id) != 1) {
185		$errmsg = _("Error while obtaining your username or password from the LDAP server.");
186
187		return false;
188		}
189
190		if (($entry_id = ldap_first_entry($connect, $res_id)) == false) {
191		$errmsg = _("Error while obtaining your username or password from the LDAP server.");
192
193		return false;
194		}
195
196		if (($user_dn = ldap_get_dn($connect, $entry_id)) == false) {
197		$errmsg = _("Error while obtaining your username or password from the LDAP server.");
198
199		return false;
200		}
201
202		//Authenticate the User
203		if (($link_id = ldap_bind($connect, $user_dn, $password)) == false) {
204		$errmsg = _("Error in username or password.");
205
206		return false;
207		}
208
209		return true;
210		} else {
211		$errmsg = _("Error connecting to the LDAP Server.");
212		}
213
214		ldap_close($connect);
215		} else {
216		$rtval = false;
217		}
218		}
	166	if (($bind = @ldap_bind($connect)) == false) {
	167	$errmsg = _("Error while connecting to the LDAP server.");
	168	return false;
	169	}
	170	} else {
	171	if (($bind = @ldap_bind($connect, $this->mldap_rdn, $this->mldap_pass )) == false) {
	172	$errmsg = _("Error while connecting to the LDAP server.");
	173	return false;
	174	}
	175	}
	176
	177	// search for user
	178	if (($res_id = ldap_search($connect, "o=$o", "$f=$username")) == false) {
	179	$errmsg = _("Error while obtaining your LDAP information.");
	180
	181	return false;
	182	}
	183
	184	if (ldap_count_entries($connect, $res_id) != 1) {
	185	$errmsg = _("Error while obtaining your username or password from the LDAP server.");
	186
	187	return false;
	188	}
	189
	190	if (($entry_id = ldap_first_entry($connect, $res_id)) == false) {
	191	$errmsg = _("Error while obtaining your username or password from the LDAP server.");
	192
	193	return false;
	194	}
	195
	196	if (($user_dn = ldap_get_dn($connect, $entry_id)) == false) {
	197	$errmsg = _("Error while obtaining your username or password from the LDAP server.");
	198
	199	return false;
	200	}
	201
	202	//Authenticate the User
	203	if (($link_id = ldap_bind($connect, $user_dn, $password)) == false) {
	204	$errmsg = _("Error in username or password.");
	205
	206	return false;
	207	}
	208
	209	return true;
	210	} else {
	211	$errmsg = _("Error connecting to the LDAP Server.");
	212	}
	213
	214	ldap_close($connect);
	215	} else {
	216	$rtval = false;
	217	}
	218	}
219	219
220	220	/**
…	…
231	231	* otherwise.
232	232	*/
233		public function login($username, $password, &$errmsg = null)
234		{
235
236		$db = AbstractDb::getObject();
237
238		// Init values
239		$retval = false;
240		$username = $db->EscapeString($username);
241		$password = $db->EscapeString($password);
242
243		// Check if php-ldap extension is loaded
244		if (Dependency::check("ldap", $errmsg)) {
245		if ($this->checkLdapUser($username, $password, $this->mldap_hostname, $this->mldap_o, $this->mldap_filter, $errmsg)) {
246		//LDAP Authentication Successful
247		$sql = "SELECT user_id, pass FROM users WHERE (username='$username') AND account_origin='".$this->getNetwork()->getId()."'";
248
249		$db->ExecSqlUniqueRes($sql, $user_info, false);
250
251		if ($user_info != null) {
252		$user = User::getObject($user_info['user_id']);
253
254		if ($user->isUserValid($errmsg)) {
255		$retval = $user;
256		User::setCurrentUser($user);
257		$errmsg = _("Login successfull");
258		} else {
259		$retval = false;
260		//Error already been set
261		}
262		} else {
263		$user = User::createUser(get_guid(), $username, $this->getNetwork(), "", "");
264		$retval = &$user;
265		$user->setAccountStatus(ACCOUNT_STATUS_ALLOWED);
266		User::setCurrentUser($user);
267		$errmsg = _("Login successfull");
268		}
269		} else {
270		~~return~~ false;
271		//Error already been set
272		}
273		}
274
275		return $retval;
276		}
	233	public function login($username, $password, &$errmsg = null)
	234	{
	235
	236	$db = AbstractDb::getObject();
	237
	238	// Init values
	239	$retval = false;
	240	$username = $db->EscapeString($username);
	241	$password = $db->EscapeString($password);
	242
	243	// Check if php-ldap extension is loaded
	244	if (Dependency::check("ldap", $errmsg)) {
	245	if ($this->checkLdapUser($username, $password, $this->mldap_hostname, $this->mldap_o, $this->mldap_filter, $errmsg)) {
	246	//LDAP Authentication Successful
	247	$sql = "SELECT user_id, pass FROM users WHERE (username='$username') AND account_origin='".$this->getNetwork()->getId()."'";
	248
	249	$db->ExecSqlUniqueRes($sql, $user_info, false);
	250
	251	if ($user_info != null) {
	252	$user = User::getObject($user_info['user_id']);
	253
	254	if ($user->isUserValid($errmsg)) {
	255	$retval = $user;
	256	User::setCurrentUser($user);
	257	$errmsg = _("Login successfull");
	258	} else {
	259	$retval = false;
	260	//Error already been set
	261	}
	262	} else {
	263	$user = User::createUser(get_guid(), $username, $this->getNetwork(), "", "");
	264	$retval = &$user;
	265	$user->setAccountStatus(ACCOUNT_STATUS_ALLOWED);
	266
	267	$errmsg = _("Login successfull");
	268	}
	269	} else {
	270	$retval = false;
	271	//Error already been set
	272	}
	273	}
	274	User::setCurrentUser($retval);
	275	return $retval;
	276	}
277	277
278	278	/**

Context Navigation

Changeset 1304 for trunk/wifidog-auth/wifidog/classes/Authenticators/AuthenticatorLDAP.php

Legend:

trunk/wifidog-auth/wifidog/classes/Authenticators/AuthenticatorLDAP.php

Download in other formats: