From 1697a56468b466bbf626df90f220e688ea8af313 Mon Sep 17 00:00:00 2001
From: Ralf Becker <ralfbecker@outdoor-training.de>
Date: Wed, 20 Jun 2007 06:49:02 +0000
Subject: [PATCH] "- fixed handling of passwords with special chars - made
 handling of empty passwords more obvious - fixed primary group to use
 negative group-id"

---
 phpgwapi/inc/class.auth_ldap.inc.php | 21 ++++++---------------
 1 file changed, 6 insertions(+), 15 deletions(-)

diff --git a/phpgwapi/inc/class.auth_ldap.inc.php b/phpgwapi/inc/class.auth_ldap.inc.php
index 50be22c449..0dfdbba7dd 100644
--- a/phpgwapi/inc/class.auth_ldap.inc.php
+++ b/phpgwapi/inc/class.auth_ldap.inc.php
@@ -38,10 +38,6 @@
 		 */
 		function authenticate($username, $passwd)
 		{
-			if (ereg('[()|&=*,<>!~]',$username))
-			{
-				return False;
-			}
 			// allow non-ascii in username & password
 			$username = $GLOBALS['egw']->translation->convert($username,$GLOBALS['egw']->translation->charset(),'utf-8');
 			$passwd = $GLOBALS['egw']->translation->convert($passwd,$GLOBALS['egw']->translation->charset(),'utf-8');
@@ -62,7 +58,7 @@
 			$attributes	= array('uid','dn','givenName','sn','mail','uidNumber','gidNumber','shadowExpire');
 
 			$filter = $GLOBALS['egw_info']['server']['ldap_search_filter'] ? $GLOBALS['egw_info']['server']['ldap_search_filter'] : '(uid=%user)';
-			$filter = str_replace(array('%user','%domain'),array($username,$GLOBALS['egw_info']['user']['domain']),$filter);
+			$filter = str_replace(array('%user','%domain'),array(ldap::quote($username),$GLOBALS['egw_info']['user']['domain']),$filter);
 
 			if ($GLOBALS['egw_info']['server']['account_repository'] == 'ldap')
 			{
@@ -84,16 +80,10 @@
 					return false;	// account is expired
 				}
 				$userDN = $allValues[0]['dn'];
-				/*
-				generate a bogus password to pass if the user doesn't give us one
-				this gets around systems that are anonymous search enabled
-				*/
-				if (empty($passwd))
-				{
-					$passwd = crypt(microtime());
-				}
+
 				// try to bind as the user with user suplied password
-				if (@ldap_bind($ldap, $userDN, $passwd))
+				// only if a non-empty password given, in case anonymous search is enabled
+				if (!empty($passwd) && @ldap_bind($ldap, $userDN, $passwd))
 				{
 					if ($GLOBALS['egw_info']['server']['account_repository'] != 'ldap')
 					{
@@ -106,12 +96,13 @@
 								'sn'        => 'lastname',
 								'uidnumber' => 'account_id',
 								'mail'      => 'email',
-								'gidnumber' => 'primary_group',
 							) as $ldap_name => $acct_name)
 							{
 								$GLOBALS['auto_create_acct'][$acct_name] =
 									$GLOBALS['egw']->translation->convert($allValues[0][$ldap_name][0],'utf-8');
 							}
+							// our group-ids are negative
+							$GLOBALS['auto_create_acct']['primary_group'] = -$allValues[0]['gidnumber'][0];
 							return True;
 						}
 						return ($id = $GLOBALS['egw']->accounts->name2id($username,'account_lid','u')) &&