Support binding to LDAP as a configured search user (the "anonymous" bind account) before searching for a user.

Test Plan: N/A

Reviewers: codeblock, epriestley

Reviewed By: epriestley

CC: aran, Korvin

Maniphest Tasks: T2133

Differential Revision: https://secure.phabricator.com/D4051
Hangjun Ye 2012-11-30 04:21:44 -08:00 committed by epriestley
parent fc8d8b6f8c
commit 3b977e3b00
2 changed files with 44 additions and 2 deletions


@ -159,6 +159,7 @@ return array(
'disqus.application-secret', 'disqus.application-secret',
'phabricator.mail-key', 'phabricator.mail-key',
'security.hmac-key', 'security.hmac-key',
'ldap.anonymous-user-password',
), ),
@ -692,6 +693,15 @@ return array(
// Should be set to 0 if you use Windows 2003 AD // Should be set to 0 if you use Windows 2003 AD
'ldap.referrals' => 1, 'ldap.referrals' => 1,
// The anonymous user name to use before searching a user.
// Many LDAP installations require login even before searching a user, set
// this option to enable it.
'ldap.anonymous-user-name' => '',
// The password of the LDAP anonymous user.
'ldap.anonymous-user-password' => '',
// -- Disqus OAuth ---------------------------------------------------------- // // -- Disqus OAuth ---------------------------------------------------------- //
// Can users use Disqus credentials to login to Phabricator? // Can users use Disqus credentials to login to Phabricator?
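Review bot: The comment on `ldap.anonymous-user-name` does not tell an administrator what form the value takes or how much privilege the account needs, and the key name suggests an anonymous bind when it in fact configures a credentialed one. Suggest replacing the three comment lines above `'ldap.anonymous-user-name'` with: `// DN (or, for AD, a UPN/"DOMAIN\user") of a read-only service account used to bind before searching for a user. Many directories reject unauthenticated searches; leave empty to search without binding. Use a dedicated least-privilege account, since its password is stored in cleartext in this file.` The exact identifier format the server accepts is not visible here, so that part of the wording should be confirmed against the bind call. Listing the password key in the secrets array at the top of the hunk looks correct, assuming that array is the one used to mask values in the config UI/logs.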


@ -50,6 +50,18 @@ final class PhabricatorLDAPProvider {
return PhabricatorEnv::getEnvConfig('ldap.referrals'); return PhabricatorEnv::getEnvConfig('ldap.referrals');
} }
public function bindAnonymousUserEnabled() {
return strlen(trim($this->getAnonymousUserName())) > 0;
}
public function getAnonymousUserName() {
return PhabricatorEnv::getEnvConfig('ldap.anonymous-user-name');
}
public function getAnonymousUserPassword() {
return PhabricatorEnv::getEnvConfig('ldap.anonymous-user-password');
}
public function retrieveUserEmail() { public function retrieveUserEmail() {
return $this->userData['mail'][0]; return $this->userData['mail'][0];
} }
@ -174,6 +186,24 @@ final class PhabricatorLDAPProvider {
private function getUser($attribute, $username) { private function getUser($attribute, $username) {
$conn = $this->getConnection(); $conn = $this->getConnection();
if ($this->bindAnonymousUserEnabled()) {
// NOTE: It is very important we suppress any messages that occur here,
// because it logs passwords if it reaches an error log of any sort.
DarkConsoleErrorLogPluginAPI::enableDiscardMode();
$result = ldap_bind(
$conn,
$this->getAnonymousUserName(),
$this->getAnonymousUserPassword());
DarkConsoleErrorLogPluginAPI::disableDiscardMode();
if (!$result) {
throw new Exception('Bind anonymous account failed. '.
$this->invalidLDAPUserErrorMessage(
ldap_errno($conn),
ldap_error($conn)));
}
}
$query = ldap_sprintf( $query = ldap_sprintf(
'%Q=%S', '%Q=%S',
$attribute, $attribute,
@ -182,8 +212,10 @@ final class PhabricatorLDAPProvider {
$result = ldap_search($conn, $this->getBaseDN(), $query); $result = ldap_search($conn, $this->getBaseDN(), $query);
if (!$result) { if (!$result) {
throw new Exception('Search failed. Please check your LDAP and HTTP '. throw new Exception('Search failed. '.
'logs for more information.'); $this->invalidLDAPUserErrorMessage(
ldap_errno($conn),
ldap_error($conn)));
} }
$entries = ldap_get_entries($conn, $result); $entries = ldap_get_entries($conn, $result);
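Review bot: `bindAnonymousUserEnabled()` decides on the trimmed name, but the `ldap_bind()` call in `getUser()` receives the untrimmed name and a password that may still be the `''` default; with an empty password `ldap_bind()` performs an unauthenticated bind (RFC 4513 §5.1.2), which many servers accept as anonymous, so a forgotten password silently degrades to the unconfigured behaviour instead of failing loudly. Suggest validating before the bind, e.g. `if (!strlen($this->getAnonymousUserPassword())) { throw new Exception('ldap.anonymous-user-password must be set when ldap.anonymous-user-name is configured.'); }` and passing `trim($this->getAnonymousUserName())` to `ldap_bind()`. The discard mode enabled around the bind is not restored in a `finally`, so if anything in between throws, error logging stays suppressed for the rest of the request; wrapping it in `try { ... } finally { DarkConsoleErrorLogPluginAPI::disableDiscardMode(); }` would be safer. `invalidLDAPUserErrorMessage()` is defined outside this hunk; if its text is user-facing, reusing it for a service-account bind failure may report a server-side credential problem to the end user as if their own login were wrong, which is worth confirming.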