[Davical-general] LDAP-Authentication

Philipp Neuser
Hi everybody,

I stumbled upon a problem during the last hour with the ldapDrivers
class. In the requestUser function ldap_bind is used to check the
password of the user which works totally fine if your ldap doesn't allow
anonymous bind.
If username and/or password are not given, the ldap_bind function
attempts an anonymous bind and every user can log on without specifying
a password.
I think it would be better to check for an empty password ;-) and this line:

if ( !@ldap_bind($this->connect, $dnUser, $passwd)) {

is switched to:

if ( !@ldap_bind($this->connect, $dnUser, $passwd) || empty($passwd) || ($passwd == "")) {

in the requestUser function.
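
Added example, not part of the original post and not DAViCal's code: the empty-password case described above, shown against a constructed stub that stands in for a directory permitting anonymous binds, with the guard placed before the bind call. check_password(), the stub and the sample DN and password are hypothetical names and values.

```php
<?php
// Added example, not DAViCal code. check_password() and the stub are hypothetical.

/**
 * Verify a password by binding as $dn. $bind is the bind primitive; against
 * a real server it would be fn($dn, $pw) => @ldap_bind($conn, $dn, $pw).
 */
function check_password(callable $bind, string $dn, ?string $passwd): bool
{
    // Reject before touching the directory: an empty password turns the
    // request into an unauthenticated bind (RFC 4513 section 5.1.2), which
    // a server that permits it answers with success. Strict comparison is
    // used instead of empty() so the literal password "0" is not rejected.
    if ($dn === '' || $passwd === null || $passwd === '') {
        return false;
    }
    return $bind($dn, $passwd) === true;
}

// Constructed stand-in for a directory that allows anonymous binds.
$users = ['uid=alice,ou=people,dc=example,dc=org' => 's3cret'];
$stubBind = function (string $dn, string $pw) use ($users): bool {
    if ($pw === '') {
        return true; // empty password: bind succeeds without checking anything
    }
    return isset($users[$dn]) && hash_equals($users[$dn], $pw);
};

$dn = 'uid=alice,ou=people,dc=example,dc=org';
$cases = [
    'correct password' => 's3cret',
    'wrong password'   => 'guess',
    'empty password'   => '',
    'null password'    => null,
];
foreach ($cases as $label => $pw) {
    $bindOnly = $stubBind($dn, (string) $pw);         // bind result used alone
    $guarded  = check_password($stubBind, $dn, $pw);  // guard, then bind
    printf("%-17s bind-only=%-5s guarded=%s\n", $label,
        var_export($bindOnly, true), var_export($guarded, true));
}
```

With the stub, the empty and null rows report bind-only=true and guarded=false; the other two rows agree in both columns.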

