Thanks to visit codestin.com
Credit goes to github.com

Skip to content

[Security] fixes LDAP bind authentication using wrong username #21588

New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom
Closed
wants to merge 1 commit into from
Closed

[Security] fixes LDAP bind authentication using wrong username #21588

wants to merge 1 commit into from

Conversation

haffmans
Copy link

Q A
Branch? 3.2
Bug fix? yes
New feature? no
BC breaks? no
Deprecations? no
Tests pass? yes
License MIT

I'm trying to set up LDAP authentication where users can log in using their e-mail address, which should get resolved to the 'uid' field in the directory. After this the authentication should be based on this uid. I'm working against '389 directory server' as set up by a Kolab install. This does not seem to allow binding based on e.g. the mail field of a user.

The LDAP user provider is able to resolve the user. This is the (redacted) provider config I'm using:

    providers:
        kolab:
            ldap:
                service: ldap
                base_dn: 'ou=People,dc=example,dc=com'
                search_dn: "%ldap_search_dn%"
                search_password: "%ldap_search_password%"
                default_roles: ROLE_ADMIN
                uid_key: uid
                filter: '(&(|(objectclass=inetorgperson))(|(mailPrimaryAddress={username})(mail={username})))'

I noticed the User object created by the LdapUserProvider is correctly set the the uid field of the user.

However, the LDAP Bind Authentication Provider does not use the username as provided by the user provider. Instead it uses the username as submitted in the token when binding. This means users cannot login.

The fix is to use $user->getUsername() instead of $token->getUsername() in checkAuthentication(). This way the resolved username is used and the authentication works correctly.

@haffmans
[Security] fixes LDAP bind authentication using wrong username
8fc58cb 
This fixes that the LDAP bind authentication ignores the uid_key
configuration of the LDAP user provider. It will now use the username of
the User object instead of the token's username.
@nicolas-grekas
Copy link
Member

ping @csarrazi

@nicolas-grekas nicolas-grekas added this to the 3.2 milestone Feb 18, 2017
@fabpot
Copy link
Member

fabpot commented Mar 1, 2017

@csarrazi Can you have a look at this PR? Thanks.

@csarrazi
Copy link
Contributor

csarrazi commented Mar 1, 2017

This has already been fixed in the master branch by #21402

Also, the reason why we use the token's username is because we should not rely on the user provider to provide the username. This works fine when you are using the LDAP user provider, but it may fail should you use another user provider.

E.g. If you want to authenticate using your LDAP server, but rely on the database to store user-related information.

@fabpot
Copy link
Member

fabpot commented Mar 1, 2017

@csarrazi Thanks for the quick feedback. So, can we close this one then?

@csarrazi
Copy link
Contributor

csarrazi commented Mar 1, 2017

Yes, we can close it.

@haffmans, can you check whether your problem is fixed with @lsmith77's fix (by using the master branch)? Thanks

@fabpot fabpot closed this Mar 1, 2017
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Reviewers
No reviews
Assignees
No one assigned
Labels
Bug Security Status: Needs Review
Projects
None yet
Milestone
3.2
Development

Successfully merging this pull request may close these issues.
5 participants
@haffmans @nicolas-grekas @fabpot @csarrazi @carsonbot