Authenticating User via LDAP not working properly - solution included #5695
Comments
Working like a charm... The user which should be logged in isn't statically bound to baseDN but can be found by filter query... as in many other systems. Thanks for your effort
@Patrock ... the problem is that the filter query cannot be run by the user who is trying to log in, hence why it's critical to use the bind user as it covers all the cases. If you look at the original LDAP code from version 3.6.3 you will notice that the code is almost exactly as I wrote it above. It probably got shaved a little too much in subsequent versions. Anyway, I hope this helps.
Thank you!
Is this still relevant? We haven't heard from anyone in a bit. If so, please comment with any updates or additional detail.
Well, Stale Bot, I had to make the above changes to get it to work. Guessing that hasn't been merged since nobody closed this. :-)
Okay, it looks like this issue or feature request might still be important. We'll re-open it for now. Thank you for letting us know!
Is this still relevant? We haven't heard from anyone in a bit. If so, please comment with any updates or additional detail.
This issue has been automatically closed because it has not had recent activity. If you believe this is still an issue, please confirm that this issue is still happening in the most recent version of Snipe-IT and reply to this thread to re-open it.
In the latest version of the application (and presumably since v3.0), the LDAP authentication is not working as expected.
Looking at "app/Models/Ldap.php", the function "findAndBindUserLdap($username, $password)" attempts to bind the user directly to LDAP, thus defeating the purpose of having a system-configured bind user and breaking the application for administrators who depend on the configured bind user to find & authenticate the credentials passed to the function.
With that in mind, the line (#99):
```php
// Current code at line #99: binds directly as the user being authenticated,
// so the configured bind user is never used for the lookup
if (!$ldapbind = @ldap_bind($connection, $userDn, $password)) {
```
Should be replaced by:
```php
// Bind with the configured bind user (credentials come from the application settings)
$ldaprdn  = $settings->ldap_uname;
$ldappass = \Crypt::decrypt(Setting::getSettings()->ldap_pword);
if (!$ldapbind = @ldap_bind($connection, $ldaprdn, $ldappass)) {
```
(this ensures that we are binding to LDAP using the configured bind user)
and then after successfully finding the first entry in the $filterQuery on line #110 the following code should be added:
```php
// Resolve the DN of the matched entry, then verify the supplied password
// by re-binding to LDAP as that DN
if (!$userDn = @ldap_get_dn($connection, $entry)) {
    return false;
}
if (!$isbound = ldap_bind($connection, $userDn, $password)) {
    return false;
}
```
(this ensures that the username and password that were passed are valid credentials)
I hope this helps people who are having trouble authenticating using LDAP in an environment where a Bind user is absolutely required for any type of query.
Aladin
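The two-step flow the post describes (bind as the configured service account, search for the user's DN, then re-bind with the supplied password), as an added PHP example that is not Snipe-IT's own code; the function name `ldapFindAndBindUser`, the server, base DN, bind DN and filter are assumed placeholders. It goes slightly beyond the post by rejecting empty passwords, escaping the username in the filter, and requiring exactly one match.

```php
<?php
// Added example (not Snipe-IT's own code): the two-step LDAP login the
// issue describes, built on PHP's standard ldap_* extension.

function ldapFindAndBindUser(string $username, string $password): ?string
{
    // Assumed placeholder settings; Snipe-IT reads its own from the Setting model.
    $server    = 'ldaps://ldap.example.test';
    $baseDn    = 'ou=people,dc=example,dc=test';
    $bindDn    = 'cn=snipeit-svc,ou=service,dc=example,dc=test';
    $bindPw    = getenv('LDAP_BIND_PASSWORD') ?: '';
    $filterTpl = '(&(objectClass=person)(uid=%s))';

    // An empty password turns the final bind into an unauthenticated bind
    // that many directories accept as success, so reject it before any I/O.
    if ($username === '' || $password === '') {
        return null;
    }

    $conn = ldap_connect($server);
    if ($conn === false) {
        return null;
    }
    ldap_set_option($conn, LDAP_OPT_PROTOCOL_VERSION, 3);
    ldap_set_option($conn, LDAP_OPT_REFERRALS, 0);

    // Step 1: bind as the configured service account, never as the user.
    if (!@ldap_bind($conn, $bindDn, $bindPw)) {
        return null;
    }

    // Step 2: search for the user; escape the input so it cannot change the filter.
    $filter = sprintf($filterTpl, ldap_escape($username, '', LDAP_ESCAPE_FILTER));
    $result = @ldap_search($conn, $baseDn, $filter, ['dn']);
    if ($result === false || ldap_count_entries($conn, $result) !== 1) {
        return null; // no match, or an ambiguous one
    }
    $entry  = ldap_first_entry($conn, $result);
    $userDn = ldap_get_dn($conn, $entry);
    if ($userDn === false) {
        return null;
    }

    // Step 3: prove the password by re-binding with the user's own DN.
    if (!@ldap_bind($conn, $userDn, $password)) {
        return null;
    }
    return $userDn; // caller treats a non-null DN as an authenticated user
}
```

The service-account password is read from an environment variable here only so the example is self-contained; the post's version decrypts it from the stored settings.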