[Davical-general] LDAP-Authentication


Philipp Neuser
Hi everybody,

I stumbled upon a problem during the last hour with the ldapDrivers
class. In the requestUser function ldap_bind is used to check the
password of the user which works totally fine if your ldap doesn't allow
anonymous bind.
If username and/or password are not given, the ldap_bind function
attempts an anonymous bind and every user can log on without specifying
a password.
I think it would be better to check for an empty password ;-) and this line:

if ( !@ldap_bind($this->connect, $dnUser, $passwd)) {

is switched to:

if ( !@ldap_bind($this->connect, $dnUser, $passwd) || empty($passwd) || ($passwd == "")) {

in the requestUser function.

Regards,
Philipp

_______________________________________________
Davical-general mailing list
[hidden email]
https://lists.sourceforge.net/lists/listinfo/davical-general
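
An added example, not part of the original post and not DAViCal's own code: the empty-password check from the message above, done before the bind is attempted. The names `checkLdapPassword` and `$fakeBind` are hypothetical, and the stand-in bind function is constructed so the behaviour can be seen without a directory server.

```php
<?php
/**
 * Verify a user's password with an LDAP simple bind.
 * $bind is injectable so the check can be exercised offline; against a real
 * directory pass 'ldap_bind', which takes the same arguments in this order.
 */
function checkLdapPassword($conn, string $dn, string $passwd, callable $bind): bool
{
    // A simple bind with an empty password is treated by the server as an
    // anonymous/unauthenticated bind (RFC 4513, section 5.1), so its success
    // says nothing about the user. Refuse before contacting the server.
    // Strict comparison is used instead of empty(): empty("0") is true in
    // PHP and would lock out a user whose password is the string "0".
    if ($dn === '' || $passwd === '') {
        return false;
    }
    return (bool) $bind($conn, $dn, $passwd);
}

// Constructed stand-in for a server that permits anonymous binds: it accepts
// any bind with an empty password, or the one correct DN/password pair.
$fakeBind = function ($conn, string $dn, string $passwd): bool {
    return $passwd === ''
        || ($dn === 'uid=alice,dc=example,dc=org' && $passwd === 's3cret');
};

$dn = 'uid=alice,dc=example,dc=org'; // constructed sample DN

// Unguarded bind with an empty password, as in the original line of code.
var_dump($fakeBind(null, $dn, ''));

// The same attempts through the guarded function.
var_dump(checkLdapPassword(null, $dn, '', $fakeBind));
var_dump(checkLdapPassword(null, $dn, 'wrong', $fakeBind));
var_dump(checkLdapPassword(null, $dn, 's3cret', $fakeBind));
```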