You are not logged in.

Announcement

 Téléchargez la dernière version stable de GLPI      -     Et vous, que pouvez vous faire pour le projet GLPI ? :  Contribuer
 Download last stable version of GLPI                      -     What can you do for GLPI ? :  Contribute

#1 2018-02-15 16:38:57

t_roloff
Member
Registered: 2015-05-22
Posts: 11

GLPI 9.2.1 / User authentication method changes to LDAP

We have a maybe special setup, which leads to unwanted changes of the user authentication method (and other user data):

  • we have set up an ldap/ad server for user import (mainly for assigning users to computers)

  • we have some GLPI internal users (tech staff), which are set up to authenticate against GLPI internal database

  • these users are present in the ldap directory, too, but were never imported to glpi

Since migration to 9.2.1, we observed "random" changes of user data of the glpi internal accounts:

742963	2018-02-14 11:34		User DN	Change to CN=<removed by me>
742962	2018-02-14 11:34		Authentication	Change GLPI internal database to LDAP directory:
742961	2018-02-14 11:34		LDAP directory for authentication	Change   (0) to ad server (1)

Finally, I found that this behaviour is triggered, if the browser is closed without logging out, starting the browser again and logging in.

I'm no php expert, but I think the problem is within inc/auth.class.php, function Login in line 636

                        $this->user->getFromLDAP($ds, $ldap_method, $user_dn['dn'], $login_name,
                                                 !$this->user_present);

which leads to inc/user.class.php, function getFromLDAP in line 1422 ff., where user data gets overwritten by ldap values

         //Set all the search fields
         $this->fields['password'] = "";

[...]

         // force authtype as we retrieve this user by ldap (we could have login with SSO)
         $this->fields["authtype"] = Auth::LDAP;

which seems to lead to an unwanted update in auth.class.php lines 745 ff.

      // Ok, we have gathered sufficient data, if the first return false the user
      // is not present on the DB, so we add him.
      // if not, we update him.
      if ($this->auth_succeded) {
[...]
         if ($DB->isSlave()) {
[...]
         } else {
            if ($this->user_present) {
               // First stripslashes to avoid double slashes
               $input = Toolbox::stripslashes_deep($this->user->fields);
               // Then ensure addslashes
               $input = Toolbox::addslashes_deep($input);

               $this->user->update($input);  <--------------------------------------------- unwanted changes here
            } else if ($CFG_GLPI["is_users_auto_add"]) {
[...]
            } else {
[...]
            }
         }
      }

Offline

#2 2018-02-16 14:20:42

t_roloff
Member
Registered: 2015-05-22
Posts: 11

Re: GLPI 9.2.1 / User authentication method changes to LDAP

p.s. as far as I see there are 3 workarounds:

  • rename glpi users/login that they are not found in ldap anymore

  • always use logout before closing the browser

  • disable the ldap authentication source

Offline

#3 2018-03-22 11:31:13

fabibus
Member
From: Nantes
Registered: 2008-02-05
Posts: 171

Re: GLPI 9.2.1 / User authentication method changes to LDAP

I have the same problem since upgrade 0.90.5 ->9.2.1.... but I can't rename my users, i can't disable ldap auth...
Is there another issue ?
Can I disable auto-merge between glpi internal database and LDAP ? I need it !


Plateforme en exploitation : GLPI 10.0.3 + GLPiinventory 10.0.3sur Fedora 36
PHP 8.1.11 ,Apache/2.4.54, mysql 8

Offline

#4 2018-03-22 12:32:18

t_roloff
Member
Registered: 2015-05-22
Posts: 11

Re: GLPI 9.2.1 / User authentication method changes to LDAP

As far as I see, there is no way to disable the merge. If a user is found in LDAP, password is reset and the authtype is set to LDAP.

Strange enough, nobody od the development team seems to care. Is there a better place to file bugs?

Furthermore, this may lead to a (minor) security issue, if someone creates a user in LDAP with the same name like an local administrator in GLPI. This would lock out the local GLPI admin and the LDAP user would probaly be able to log in as admin...

Offline

#5 2018-03-22 14:17:04

Roshan
Member
Registered: 2017-07-26
Posts: 69

Re: GLPI 9.2.1 / User authentication method changes to LDAP

Hello ,
yes it happened with me. i had created local Administrator account with super admin rights , unfortunately after update and LDAP sync i was no more able to login to glpi with Admin account. though this happened on a test environment its risky to get locked out of GLPI. i guess this is something to do with Synchronization field attribute , im not sure.

Offline

Board footer

Powered by FluxBB