Thanks to visit codestin.com
Credit goes to github.com

Skip to content

[Security] fixes LDAP bind authentication using wrong username#21588

Closed
haffmans wants to merge 1 commit intosymfony:3.2from
haffmans:haffmans/ldap_auth_uid_key_fix
Closed

[Security] fixes LDAP bind authentication using wrong username#21588
haffmans wants to merge 1 commit intosymfony:3.2from
haffmans:haffmans/ldap_auth_uid_key_fix

Conversation

@haffmans
Copy link
Copy Markdown

@haffmans haffmans commented Feb 12, 2017

Q A
Branch? 3.2
Bug fix? yes
New feature? no
BC breaks? no
Deprecations? no
Tests pass? yes
License MIT

I'm trying to set up LDAP authentication where users can log in using their e-mail address, which should get resolved to the 'uid' field in the directory. After this the authentication should be based on this uid. I'm working against '389 directory server' as set up by a Kolab install. This does not seem to allow binding based on e.g. the mail field of a user.

The LDAP user provider is able to resolve the user. This is the (redacted) provider config I'm using:

    providers:
        kolab:
            ldap:
                service: ldap
                base_dn: 'ou=People,dc=example,dc=com'
                search_dn: "%ldap_search_dn%"
                search_password: "%ldap_search_password%"
                default_roles: ROLE_ADMIN
                uid_key: uid
                filter: '(&(|(objectclass=inetorgperson))(|(mailPrimaryAddress={username})(mail={username})))'

I noticed the User object created by the LdapUserProvider is correctly set the the uid field of the user.

However, the LDAP Bind Authentication Provider does not use the username as provided by the user provider. Instead it uses the username as submitted in the token when binding. This means users cannot login.

The fix is to use $user->getUsername() instead of $token->getUsername() in checkAuthentication(). This way the resolved username is used and the authentication works correctly.

@haffmans
[Security] fixes LDAP bind authentication using wrong username
8fc58cb 
This fixes that the LDAP bind authentication ignores the uid_key
configuration of the LDAP user provider. It will now use the username of
the User object instead of the token's username.
@nicolas-grekas
Copy link
Copy Markdown
Member

nicolas-grekas commented Feb 14, 2017

ping @csarrazi

@nicolas-grekas nicolas-grekas added this to the 3.2 milestone Feb 18, 2017
@fabpot
Copy link
Copy Markdown
Member

fabpot commented Mar 1, 2017

@csarrazi Can you have a look at this PR? Thanks.

@csarrazi
Copy link
Copy Markdown
Contributor

csarrazi commented Mar 1, 2017

This has already been fixed in the master branch by #21402

Also, the reason why we use the token's username is because we should not rely on the user provider to provide the username. This works fine when you are using the LDAP user provider, but it may fail should you use another user provider.

E.g. If you want to authenticate using your LDAP server, but rely on the database to store user-related information.

@fabpot
Copy link
Copy Markdown
Member

fabpot commented Mar 1, 2017

@csarrazi Thanks for the quick feedback. So, can we close this one then?

@csarrazi
Copy link
Copy Markdown
Contributor

csarrazi commented Mar 1, 2017

Yes, we can close it.

@haffmans, can you check whether your problem is fixed with @lsmith77's fix (by using the master branch)? Thanks

@fabpot fabpot closed this Mar 1, 2017
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Reviewers

No reviews

Assignees

No one assigned

Labels

Bug Security Status: Needs Review

Projects

None yet

Milestone

3.2

Development

Successfully merging this pull request may close these issues.

5 participants

@haffmans @nicolas-grekas @fabpot @csarrazi @carsonbot