requiring bind when using LDAP


Erin

Apr 5, 2012, 12:59:35 PM4/5/12
to libs...@googlegroups.com
All,

Here is a quick work up for those that cannot use anonymous bind.

Files:
Init.php
actions/LoginAction.php
finders/UserFinder.php

In Init.php:

1) add the following line for the username that is to bind to LDAP:

define("LDAP_BIND_USER", "bindingusername");


Replace bindingusername with username.


2) add the following line for the username's password to bind to LDAP:

define("LDAP_BIND_PASS", "bindingpassword");


Replace bindingpassword with username's password.



In actions/LoginAction.php:

1) In class LoginAction > in method perform(), locate the line:

$userId = $userFact->authenticate($username, md5($password));

and remove the md5() function:

$userId = $userFact->authenticate($username, $password);



In finders/UserFinder.php:

1) In class UserFinder, locate method authenticateLDAP() and replace the entire method with the following:

   function authenticateLDAP($username, $password) {
     // An empty password would turn the final ldap_bind() into an anonymous
     // bind, which succeeds on most servers, so refuse empty credentials up front.
     if ((strlen($username) < 1) || (strlen($password) < 1)) {
       return(FALSE); // return false during production
       //die("LDAP Error: in authenticateLDAP, either username($username), password or both are not set");
     }

     global $ldapConfig;

     // make initial connection
     if (!$conn = ldap_connect($ldapConfig['host'], $ldapConfig['port']))
       die("LDAP Error: Could not connect(1) to host {$ldapConfig['host']} on port {$ldapConfig['port']}");

     // prepare connection for initial bind with the service account
     // (the bind password is deliberately kept out of all error output)
     ldap_set_option($conn, LDAP_OPT_PROTOCOL_VERSION, 3);
     if (!$bind = ldap_bind($conn, LDAP_BIND_USER, LDAP_BIND_PASS))
       die("LDAP Error: Could not bind to connection using username: '" . LDAP_BIND_USER . "'");

     // prepare for search to retrieve the DN of the user; escape the submitted
     // name so filter metacharacters cannot change the meaning of the search
     $filter = "(uid=" . ldap_escape($username, '', LDAP_ESCAPE_FILTER) . ")";
     $attrib = array("*");
     if (!$sr = ldap_search($conn, $ldapConfig['baseDN'], $filter, $attrib)) {
       die("LDAP Error(" . ldap_errno($conn) . "): Could not perform search to retrieve DN using:" .
           "\nbaseDN: '{$ldapConfig['baseDN']}', filter: '$filter', attrib: '" . implode(',', $attrib) . "'. " .
           "\nLDAP ERROR: " . ldap_error($conn)
       );
     }

     // get the user's DN
     if (!$entry = ldap_get_entries($conn, $sr)) {
       die("LDAP Error: Could not get entries");
     } elseif (ldap_errno($conn) > 0) {
       die("LDAP Error(" . ldap_error($conn) . ").  LDAP Error: " . ldap_errno($conn));
     } else {
       // ldap_get_entries() returns a 'count' key plus numeric entries
       $User_dn = isset($entry[0]['dn']) ? $entry[0]['dn'] : '';
       if (strlen($User_dn) < 3) {
         return(FALSE); // return false during production
         //die("LDAP Error: getting the User_dn entry did not work properly. User_dn='$User_dn'");
       }
     }

     // unbind first connection
     ldap_unbind($conn);

     // Second bind to verify username and password
     // Are the credentials valid?
     if (!$conn2 = ldap_connect($ldapConfig['host'], $ldapConfig['port']))
       die("LDAP Error: Could not connect(2) to host {$ldapConfig['host']} on port {$ldapConfig['port']}");
     ldap_set_option($conn2, LDAP_OPT_PROTOCOL_VERSION, 3);

     //echo "<p>conn2 = $conn2, User_dn='$User_dn', username='$username'</p>";

     // finally verify the username and password submitted thru the form
     // (@ suppresses the PHP warning ldap_bind() emits on invalid credentials)
     if (!$r = @ldap_bind($conn2, $User_dn, $password)) {
       return(FALSE); // return false during production
       //die("LDAP Error: Could not bind to connection using user DN: '$User_dn'");
     }

     // unbind second connection
     @ldap_close($conn2);

     // You are connected! Return true or something!
     return($r);
   }




2) In class UserFinder > in method authenticate(), replace the following line that calls the authenticateDB so the password passed is now MD5ed:

if ($result = $this->authenticateDB($username,$password)) {

to this:

if ($result = $this->authenticateDB($username,md5($password))) {



For debugging purposes the return()’s can be commented out and the die()’s can be uncommented.

These changes have not been committed to the source.

I did not work a condition in changes for checking for anonymous bind or not. It would be simple enough to add later.

Cheers,

~Erin
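An added example, not code from Erin's post or from the project it patches, written in Python rather than PHP: it shows what escaping the submitted name does before it is placed in the (uid=...) search filter (the PHP equivalent is ldap_escape() with LDAP_ESCAPE_FILTER) and how to take the user's DN from a result shaped like ldap_get_entries() output only when exactly one entry matched. The entry dictionaries are constructed sample data.

```python
"""Defensive helpers for the two-bind LDAP login flow described in the post.

Added example, constructed for illustration; it is not part of the patch
above or of the project it modifies.
"""

# RFC 4515 section 3: these characters are special inside a filter value
# and must be written as a backslash followed by two hex digits.
_FILTER_ESCAPES = {
    "\\": r"\5c",
    "*": r"\2a",
    "(": r"\28",
    ")": r"\29",
    "\x00": r"\00",
}


def ldap_filter_escape(value: str) -> str:
    """Escape a user-supplied value for use inside an LDAP search filter."""
    return "".join(_FILTER_ESCAPES.get(ch, ch) for ch in value)


def build_uid_filter(username: str) -> str:
    """Build the "(uid=...)" filter that locates the user's DN.

    Without escaping, a name containing ')' or '*' would change the
    structure of the filter instead of being matched literally.
    """
    return "(uid=%s)" % ldap_filter_escape(username)


def pick_user_dn(entries: dict):
    """Return the DN to bind as, or None if the lookup result is not usable.

    `entries` follows the shape of PHP's ldap_get_entries() result: a 'count'
    key plus numeric keys 0..count-1, each entry carrying its 'dn'. The post's
    code takes entry 0 unconditionally; requiring exactly one match avoids
    binding as an arbitrary account when a uid is ambiguous in the directory.
    """
    if entries.get("count") != 1:
        return None
    dn = entries.get(0, {}).get("dn", "")
    return dn if len(dn) >= 3 else None
```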