
#1 2018-07-10 20:11:07

mose
Member
Registered: 2018-07-06
Posts: 3

9.3.0 internal users cannot authenticate with ldap

If an account is manually created and then switched to LDAP authentication, the user cannot access the interface after logging in. They receive the error "You don't have right to connect" (should be "You do not have rights to connect"). The problem is that when doing LDAP authentication, the routines want to find a DN stored in the database. There is no DN, because the account was not auto-created from LDAP. There is no option in the user's settings to enter a DN. Besides, a DN is neither needed nor wanted, because LDAP is only used for authentication, not account creation/update.

The following change to ldapAuth in authldap.class.php allows a user to be looked up by name and identified as present, if a dn or sync field does not exist in the database for the account.

Old Code
======
         if ($auth->user->getFromDBbyDn(toolbox::addslashes_deep($user_dn))) {
            //There's already an existing user in DB with the same DN but its login field has changed
            $auth->user->fields['name'] = $login;
            $auth->user_present         = true;
            $auth->user_dn              = $user_dn;
         } else if ($user_sync !== null && $auth->user->getFromDBbySyncField($user_sync)) {
            //user login/dn have changed
            $auth->user->fields['name']      = $login;
            $auth->user->fields['user_dn']   = $user_dn;
            $auth->user_present              = true;
            $auth->user_dn                   = $user_dn;
         } else { // The user is a new user
            $auth->user_present = false;
         }


New Code
======
         if ($auth->user->getFromDBbyDn(toolbox::addslashes_deep($user_dn))) {
            //There's already an existing user in DB with the same DN but its login field has changed
            $auth->user->fields['name'] = $login;
            $auth->user_present         = true;
            $auth->user_dn              = $user_dn;
         } else if ($user_sync !== null && $auth->user->getFromDBbySyncField($user_sync)) {
            //user login/dn have changed
            $auth->user->fields['name']      = $login;
            $auth->user->fields['user_dn']   = $user_dn;
            $auth->user_present              = true;
            $auth->user_dn                   = $user_dn;
         } else if ($auth->user->getFromDBbyName($login)) {
            $auth->user_present         = true;
            $auth->user_dn              = $user_dn;
         } else { // The user is a new user
            $auth->user_present = false;
         }


#2 2018-07-11 13:59:03

mose
Member
Registered: 2018-07-06
Posts: 3

Re: 9.3.0 internal users cannot authenticate with ldap

I have made two changes to the code above. First, when switching an internal user to ldap authentication, it might be desired to auto-update the user information in glpi. The old code is the same as above. The updated code for ldapAuth in authldap.class.php is below. Lines have been added to save the dn and login name for later update, if necessary.

New Code
======
         if ($auth->user->getFromDBbyDn(toolbox::addslashes_deep($user_dn))) {
            //There's already an existing user in DB with the same DN but its login field has changed
            $auth->user->fields['name'] = $login;
            $auth->user_present         = true;
            $auth->user_dn              = $user_dn;
         } else if ($user_sync !== null && $auth->user->getFromDBbySyncField($user_sync)) {
            //user login/dn have changed
            $auth->user->fields['name']      = $login;
            $auth->user->fields['user_dn']   = $user_dn;
            $auth->user_present              = true;
            $auth->user_dn                   = $user_dn;
         } else if ($auth->user->getFromDBbyName($login)) {
            $auth->user->fields['name']      = $login;
            $auth->user->fields['user_dn']   = $user_dn;
            $auth->user_present              = true;
            $auth->user_dn                   = $user_dn;
         } else { // The user is a new user
            $auth->user_present = false;
         }

Second, the code in the function "login" in auth.class.php assumes that if login is successful and LDAP was used, it should always update the entry. That assumption is incorrect. If auto-add is disabled, then auto-update should be disabled as well, assuming internal accounts will be managed locally. The following change is needed for function "login" in auth.class.php. A check allows the update only if auto-add is enabled.

Old Code
======
            if ($this->user_present) {
               // First stripslashes to avoid double slashes
               $input = Toolbox::stripslashes_deep($this->user->fields);
               // Then ensure addslashes
               $input = Toolbox::addslashes_deep($input);

               $this->user->update($input);
            } else if ($CFG_GLPI["is_users_auto_add"]) {
               // Auto add user
               // First stripslashes to avoid double slashes
               $input = Toolbox::stripslashes_deep($this->user->fields);
               // Then ensure addslashes
               $input = Toolbox::addslashes_deep($input);
               unset ($this->user->fields);
               $this->user->add($input);
            } else {
               // Auto add not enable so auth failed
               $this->addToError(__('User not authorized to connect in GLPI'));
               $this->auth_succeded = false;
            }


New Code
======
            if ($this->user_present) {
               if ($CFG_GLPI["is_users_auto_add"]) {
                   // First stripslashes to avoid double slashes
                   $input = Toolbox::stripslashes_deep($this->user->fields);
                   // Then ensure addslashes
                   $input = Toolbox::addslashes_deep($input);

                   $this->user->update($input);
               }
            } else if ($CFG_GLPI["is_users_auto_add"]) {
               // Auto add user
               // First stripslashes to avoid double slashes
               $input = Toolbox::stripslashes_deep($this->user->fields);
               // Then ensure addslashes
               $input = Toolbox::addslashes_deep($input);
               unset ($this->user->fields);
               $this->user->add($input);
            } else {
               // Auto add not enable so auth failed
               $this->addToError(__('User not authorized to connect in GLPI'));
               $this->auth_succeded = false;
            }

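The lookup chain from the first post (DN, then sync field, then the proposed name fallback) and the auto-add gate from the second post, as an added stand-alone model. This is example code written for this thread, not GLPI's own code: the user table, the bind results, the numeric values of the authtype constants and the extra `$strictName` variant are all assumptions made here, and the rest of GLPI's Auth::login() flow around ldapAuth() is not modelled.

```php
<?php
// Added example for this thread, not GLPI code: a stand-alone model of the
// lookup chain in AuthLDAP::ldapAuth() (DN, then sync field, then the name
// fallback proposed in the posts) and of the is_users_auto_add gate proposed
// for Auth::login(), run against a constructed in-memory user table. PHP >= 7.1.
declare(strict_types=1);

// Assumed numeric values; GLPI defines these as constants on its Auth class.
const AUTH_DB_GLPI = 1;
const AUTH_LDAP    = 3;

// Constructed stand-in for the glpi_users table (only the columns the lookup uses).
function userTable(): array
{
    return [
        // created by hand in the UI, then switched to LDAP: no DN was ever stored
        ['id' => 7, 'name' => 'jdoe',   'user_dn' => '',
         'sync_field' => null, 'authtype' => AUTH_LDAP,    'auths_id' => 1],
        // auto-created from LDAP, so the DN is on file
        ['id' => 8, 'name' => 'asmith', 'user_dn' => 'uid=asmith,ou=people,dc=example,dc=org',
         'sync_field' => null, 'authtype' => AUTH_LDAP,    'auths_id' => 1],
        // purely local administrator account, authenticated against the GLPI database
        ['id' => 2, 'name' => 'glpi',   'user_dn' => '',
         'sync_field' => null, 'authtype' => AUTH_DB_GLPI, 'auths_id' => 0],
    ];
}

function findBy(array $users, string $column, ?string $value): ?array
{
    // An empty or missing value must never match the empty column of hand-made accounts.
    if ($value === null || $value === '') {
        return null;
    }
    foreach ($users as $u) {
        if ($u[$column] === $value) {
            return $u;
        }
    }
    return null;
}

/**
 * Model of the three-way lookup after a successful LDAP bind.
 *  $nameFallback  enables the getFromDBbyName() branch from the posts
 *  $strictName    additionally requires the name-matched row to already be an
 *                 LDAP account on the same server ($authsId); an addition of this
 *                 example, not part of the posted patch
 * Returns [user_present, matched row with name/user_dn refreshed, how it matched].
 */
function resolveLdapUser(array $users, string $login, string $userDn, ?string $userSync,
                         int $authsId, bool $nameFallback, bool $strictName): array
{
    if (($u = findBy($users, 'user_dn', $userDn)) !== null) {
        $u['name'] = $login;                       // same DN, login may have changed
        return [true, $u, 'dn'];
    }
    if (($u = findBy($users, 'sync_field', $userSync)) !== null) {
        $u['name']    = $login;                    // login and DN may both have changed
        $u['user_dn'] = $userDn;
        return [true, $u, 'sync_field'];
    }
    if ($nameFallback && ($u = findBy($users, 'name', $login)) !== null) {
        if (!$strictName || ($u['authtype'] === AUTH_LDAP && $u['auths_id'] === $authsId)) {
            $u['user_dn'] = $userDn;               // keep the DN for a later update
            return [true, $u, 'name'];
        }
    }
    return [false, null, 'none'];
}

/** Model of the branch at the end of Auth::login() with the poster's gate applied. */
function postLoginAction(bool $userPresent, bool $usersAutoAdd): string
{
    if ($userPresent) {
        return $usersAutoAdd ? 'update local row' : 'log in, leave local row untouched';
    }
    return $usersAutoAdd ? 'auto-add user' : 'deny: User not authorized to connect in GLPI';
}

// Constructed bind results: [login, DN returned by the directory, sync value, LDAP server id].
$binds = [
    ['jdoe',   'uid=jdoe,ou=people,dc=example,dc=org',   null, 1],
    ['asmith', 'uid=asmith,ou=people,dc=example,dc=org', null, 1],
    ['glpi',   'uid=glpi,ou=people,dc=example,dc=org',   null, 1], // directory user sharing the local admin's login
];
$variants = [
    [false, false, '9.3.0 as shipped'],
    [true,  false, 'posted name fallback'],
    [true,  true,  'fallback + authtype/auths_id check'],
];
foreach ($binds as [$login, $dn, $sync, $serverId]) {
    foreach ($variants as [$fallback, $strict, $label]) {
        [$present, $row, $how] = resolveLdapUser(userTable(), $login, $dn, $sync, $serverId, $fallback, $strict);
        printf("%-7s %-36s via=%-10s id=%-4s -> %s\n", $login, $label, $how,
               $present ? (string) $row['id'] : '-', postLoginAction($present, false));
    }
}
```

With auto-add disabled, the first row of output reproduces the symptom from the first post: `jdoe` binds successfully but no DN is on file, so the shipped lookup reports no user and login is denied; the name fallback finds row 7 and lets the login through without touching the row, which is what the second post's gate is for. The `glpi` case is the check a reviewer would ask for before adopting the fallback: matching on the login alone lets any directory entry whose uid equals a local account's name be treated as that local account (here the purely local administrator, row 2), so in this model the fallback is only accepted when the stored row is already an LDAP account on the server that just authenticated. The guard in `findBy` matters for the same reason: hand-made accounts carry an empty `user_dn`, and an empty DN must never be allowed to match them.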
