DRCIT/snipe-it
1
0
Fork 0
mirror of https://github.com/snipe/snipe-it.git synced 2025-03-05 20:52:15 -08:00
Code Issues Actions 1 Packages Projects Releases Wiki Activity

Merge d77a508f59 into 91f3e07b83

Browse source
This commit is contained in:
shkuviak 2025-03-05 17:19:34 +00:00 committed by GitHub
parent 91f3e07b83 d77a508f59
commit 8f8908c6e6
No known key found for this signature in database
GPG key ID: B5690EEEBB952194
1 changed files with 20 additions and 29 deletions
Show stats Download patch file Download diff file Expand all files Collapse all files

49
app/Models/Ldap.php
View file

@ -95,7 +95,7 @@ class Ldap extends Model
$connection = self::connectToLdap(); $connection = self::connectToLdap();
$ldap_username_field = $settings->ldap_username_field; $ldap_username_field = $settings->ldap_username_field;
$baseDn = $settings->ldap_basedn; $baseDn = $settings->ldap_basedn;
$userDn = $ldap_username_field.'='.$username.','.$settings->ldap_basedn; $userDn = null;
if ($settings->is_ad == '1') { if ($settings->is_ad == '1') {
// Check if they are using the userprincipalname for the username field. // Check if they are using the userprincipalname for the username field.
@ -119,38 +119,29 @@ class Ldap extends Model
Log::debug('Filter query: '.$filterQuery); Log::debug('Filter query: '.$filterQuery);
// Find user in LDAP
$findResult = self::findLdapUsers(filter: $filterQuery);
if ($findResult['count'] != 1) {
Log::debug("No or multiple users found for query $filterQuery. baseDn: $baseDn");
return false;
}
// Ensure found user ldap attributes match the required attributes
if (! $findResult[0][$ldap_username_field] == $username) {
Log::debug("Username from LDAP does not match the username provided.");
return false;
}
// Once user found, bind to LDAP
if ($userDn === null) {
$userDn = $findResult[0]['dn'];
}
if (! $ldapbind = @ldap_bind($connection, $userDn, $password)) { if (! $ldapbind = @ldap_bind($connection, $userDn, $password)) {
Log::debug("Status of binding user: $userDn to directory: (directly!) ".($ldapbind ? "success" : "FAILURE")); Log::debug("Could not bind to LDAP as $userDn");
if (! $ldapbind = self::bindAdminToLdap($connection)) {
/*
* TODO PLEASE:
*
* this isn't very clear, so it's important to note: the $ldapbind value is never correctly returned - we never 'return true' from self::bindAdminToLdap() (the function
* just "falls off the end" without ever explictly returning 'true')
*
* but it *does* have an interesting side-effect of checking for the LDAP password being incorrectly encrypted with the wrong APP_KEY, so I'm leaving it in for now.
*
* If it *did* correctly return 'true' on a succesful bind, it would _probably_ allow users to log in with an incorrect password. Which would be horrible!
*
* Let's definitely fix this at the next refactor!!!!
*
*/
Log::debug("Status of binding Admin user: $userDn to directory instead: ".($ldapbind ? "success" : "FAILURE"));
return false;
}
}
if (! $results = ldap_search($connection, $baseDn, $filterQuery)) {
throw new Exception('Could not search LDAP: ');
}
if (! $entry = ldap_first_entry($connection, $results)) {
return false; return false;
} }
if (! $user = ldap_get_attributes($connection, $entry)) { $user = $findResult[0];
return false;
}
return array_change_key_case($user); return array_change_key_case($user);
} }