added note about certificate validation and some more diagnostics to error_log, for failed ADS auth

This commit is contained in:
Ralf Becker 2014-02-27 12:05:37 +00:00
parent 208cd55d23
commit f218f9412c
2 changed files with 20 additions and 5 deletions


@ -1,6 +1,11 @@
<?php <?php
/** /**
* eGroupWare API - ADS Authentication * EGroupware API - ADS Authentication
*
* To be able to use SSL or TLS you either need:
* a) ldap to have certificate store INCL. used certificate!
* b) add to /etc/openldap/ldap.conf: TLS_REQCERT never
* to tell ldap not to validate certificates (insecure)
* *
* @link http://www.egroupware.org * @link http://www.egroupware.org
* @author Ralf Becker <ralfbecker@outdoor-training.de> based on auth_ldap from: * @author Ralf Becker <ralfbecker@outdoor-training.de> based on auth_ldap from:
@ -31,6 +36,7 @@ class auth_ads implements auth_backend
*/ */
function authenticate($username, $passwd, $passwd_type='text') function authenticate($username, $passwd, $passwd_type='text')
{ {
unset($passwd_type); // not used by required in function signature
if (preg_match('/[()|&=*,<>!~]/',$username)) if (preg_match('/[()|&=*,<>!~]/',$username))
{ {
return False; return False;
@ -71,12 +77,15 @@ class auth_ads implements auth_backend
{ {
if($allValues[0]['samaccountname'][0] != $username) if($allValues[0]['samaccountname'][0] != $username)
{ {
error_log(__METHOD__."('$username') username has wrong case!");
return false; return false;
} }
} }
if (($id = $GLOBALS['egw']->accounts->name2id($username,'account_lid','u'))) if (($id = $GLOBALS['egw']->accounts->name2id($username,'account_lid','u')))
{ {
return $GLOBALS['egw']->accounts->id2name($id,'account_status') == 'A'; $ret = $GLOBALS['egw']->accounts->id2name($id,'account_status') == 'A';
if (!$ret) error_log(__METHOD__."('$username') account_status check returning ".array2string($ret));
return $ret;
} }
// store homedirectory for egw_session->read_repositories // store homedirectory for egw_session->read_repositories
$GLOBALS['auto_create_acct'] = array(); $GLOBALS['auto_create_acct'] = array();
@ -102,6 +111,7 @@ class auth_ads implements auth_backend
return True; return True;
} }
} }
error_log(__METHOD__."('$username') authenticated, but user NOT found!");
/* dn not found or password wrong */ /* dn not found or password wrong */
return False; return False;
} }
@ -140,6 +150,7 @@ class auth_ads implements auth_backend
*/ */
static function setLastPwdChange($account_id=0, $passwd=NULL, $lastpwdchange=NULL, $return_mod=false) static function setLastPwdChange($account_id=0, $passwd=NULL, $lastpwdchange=NULL, $return_mod=false)
{ {
unset($passwd); // not used but required by function signature
if (!($adldap = accounts_ads::get_adldap())) return false; if (!($adldap = accounts_ads::get_adldap())) return false;
if ($lastpwdchange) if ($lastpwdchange)
@ -225,8 +236,7 @@ class auth_ads implements auth_backend
$GLOBALS['egw_info']['server']['force_pwd_length'] ? $GLOBALS['egw_info']['server']['force_pwd_length'] : 7, $GLOBALS['egw_info']['server']['force_pwd_length'] ? $GLOBALS['egw_info']['server']['force_pwd_length'] : 7,
'yes', // always check with "passwd_forbid_name" enabled 'yes', // always check with "passwd_forbid_name" enabled
$account_id); $account_id);
$msg = $e->getMessage(); $msg = strtr($e->getMessage(), array( // translate possible adLDAP and LDAP error
$msg = strtr($msg, $tr=array( // translate possible adLDAP and LDAP error
'Error' => lang('Error'), 'Error' => lang('Error'),
'Server is unwilling to perform.' => lang('Server is unwilling to perform.'), 'Server is unwilling to perform.' => lang('Server is unwilling to perform.'),
'Your password might not match the password policy.' => lang('Your password might not match the password policy.'), 'Your password might not match the password policy.' => lang('Your password might not match the password policy.'),
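Review bot: The new diagnostics in the third hunk (`error_log(__METHOD__."('$username') ...")`, and the same pattern in the fourth hunk) write the raw `$username` into the log; the `preg_match('/[()|&=*,<>!~]/',$username)` guard near the top of authenticate() rejects LDAP filter metacharacters but not CR/LF or other control characters, so unless the name is validated before this point a crafted login can forge extra log lines (CWE-117). Escaping once before logging, e.g. `$log_user = addcslashes($username, "\0..\37\177");`, and using that in all three messages would close this. The new comment in the second hunk also has a typo: `unset($passwd_type); // not used by required in function signature` should read `// not used but required by function signature`, matching the wording added to setLastPwdChange(). authenticate() begins and ends outside these hunks.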


@ -1,6 +1,11 @@
<?php <?php
/** /**
* eGroupWare API - LDAP Authentication * EGroupware API - LDAP Authentication
*
* To be able to use SSL or TLS you either need:
* a) ldap to have certificate store INCL. used certificate!
* b) add to /etc/openldap/ldap.conf: TLS_REQCERT never
* to tell ldap not to validate certificates (insecure)
* *
* @link http://www.egroupware.org * @link http://www.egroupware.org
* @author Ralf Becker <ralfbecker@outdoor-training.de> * @author Ralf Becker <ralfbecker@outdoor-training.de>
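Review bot: The added docblock presents `TLS_REQCERT never` as an alternative setup option, but it only says "(insecure)" in passing; that setting disables server certificate validation entirely, so the TLS-protected bind — including the password the user just typed — can be read by anyone able to impersonate the directory server. Since this header is what an administrator will copy from, it should say so and name the safe alternative: `* b) add to /etc/openldap/ldap.conf: TLS_REQCERT never` followed by `* (disables certificate validation, allows MITM; for testing only — prefer TLS_CACERT pointing at the CA that issued the server certificate)`. The identical text was added to the ADS backend header in the first file and should be changed there too.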