Fixes #5595: LDAP authentication requires accounts to be manually cre…

…ated first.
mantisbt · Jul 15, 2009 · ac370f4 · ac370f4
1 parent 74a1057
commit ac370f4
Show file tree

Hide file tree

Showing 5 changed files with 44 additions and 19 deletions.
diff --git a/core/authentication_api.php b/core/authentication_api.php
@@ -180,12 +180,20 @@ function auth_attempt_login( $p_username, $p_password, $p_perm_login = false ) {
 
 	$t_login_method = config_get( 'login_method' );
 
-	if( false === $t_user_id ) {
-		if( BASIC_AUTH == $t_login_method ) {
-			# attempt to create the user if using BASIC_AUTH
+	if ( false === $t_user_id ) {
+		if ( BASIC_AUTH == $t_login_method ) {
+			$t_auto_create = true;
+		} else if ( LDAP == $t_login_method && ldap_authenticate_by_username( $p_username, $p_password ) ) {
+			$t_auto_create = true;
+		} else {
+			$t_auto_create = false;
+		}
+
+		if ( $t_auto_create ) {
+			# attempt to create the user
 			$t_cookie_string = user_create( $p_username, $p_password );
 
-			if( false === $t_cookie_string ) {
+			if ( false === $t_cookie_string ) {
 				# it didn't work
 				return false;
 			}

diff --git a/core/ldap_api.php b/core/ldap_api.php
@@ -208,24 +208,37 @@ function ldap_authenticate( $p_user_id, $p_password ) {
 	# if password is empty and ldap allows anonymous login, then
 	# the user will be able to login, hence, we need to check
 	# for this special case.
-	if( is_blank( $p_password ) ) {
+	if ( is_blank( $p_password ) ) {
 		return false;
 	}
 
+	$t_username = user_get_field( $p_user_id, 'username' );
+
+	return ldap_authenticate_by_username( $t_username, $p_password );
+}
+
+/**
+ * Authenticates an user via LDAP given the username and password.
+ *
+ * @param string $p_username The user name.
+ * @param string $p_password The password.
+ * @return true: authenticated, false: failed to authenticate.
+ */
+function ldap_authenticate_by_username( $p_username, $p_password ) {
 	if ( ldap_simulation_is_enabled() ) {
-		return ldap_simulation_authenticate( $p_user_id, $p_password );
+		return ldap_simulation_authenticate_by_username( $p_username, $p_password );
 	}
 
 	$t_ldap_organization = config_get( 'ldap_organization' );
 	$t_ldap_root_dn = config_get( 'ldap_root_dn' );
 
-	$t_username = user_get_field( $p_user_id, 'username' );
 	$t_ldap_uid_field = config_get( 'ldap_uid_field', 'uid' );
 	$t_search_filter = "(&$t_ldap_organization($t_ldap_uid_field=$t_username))";
 	$t_search_attrs = array(
 		$t_ldap_uid_field,
 		'dn',
 	);
+
 	$t_ds = ldap_connect_bind();
 
 	# Search for the user id
@@ -335,16 +348,14 @@ function ldap_simulatiom_realname_from_username( $p_username ) {
 /**
  * Authenticates the specified user id / password based on the simulation data.
  *
- * @param string $p_user_id   The user id.
+ * @param string $p_username   The username.
  * @param string $p_password  The password.
  * @return bool true for authenticated, false otherwise.
  */
-function ldap_simulation_authenticate( $p_user_id, $p_password ) {
-	$t_username = user_get_field( $p_user_id, 'username' );
-
-	$t_user = ldap_simulation_get_user( $t_username );
+function ldap_simulation_authenticate_by_username( $p_username, $p_password ) {
+	$t_user = ldap_simulation_get_user( $p_username );
 	if ( $t_user === null ) {
-		log_event( LOG_LDAP, "ldap_simulation_authenticate: user '$t_username' not found." );
+		log_event( LOG_LDAP, "ldap_simulation_authenticate: user '$p_username' not found." );
 		return false;
 	}
 
@@ -353,6 +364,6 @@ function ldap_simulation_authenticate( $p_user_id, $p_password ) {
 		return false;
 	}
 
-	log_event( LOG_LDAP, "ldap_simulation_authenticate: authentication successful for user '$t_username'." );
+	log_event( LOG_LDAP, "ldap_simulation_authenticate: authentication successful for user '$p_username'." );
 	return true;
 }
diff --git a/core/print_api.php b/core/print_api.php
@@ -1547,7 +1547,10 @@ function print_hr( $p_hr_size = null, $p_hr_width = null ) {
 
 # prints the signup link
 function print_signup_link() {
-	if(( ON == config_get_global( 'allow_signup' ) ) && ( ON == config_get( 'enable_email_notification' ) ) ) {
+	if ( ( ON == config_get_global( 'allow_signup' ) ) &&
+	     ( LDAP != config_get_global( 'login_method' ) ) &&
+	     ( ON == config_get( 'enable_email_notification' ) )
+	   ) {
 		print_bracket_link( 'signup_page.php', lang_get( 'signup_link' ) );
 	}
 }
@@ -1559,9 +1562,11 @@ function print_login_link() {
 
 # prints the lost pwd link
 function print_lost_password_link() {
-
 	# lost password feature disabled or reset password via email disabled -> stop here!
-	if(( ON == config_get( 'lost_password_feature' ) ) && ( ON == config_get( 'send_reset_password' ) ) && ( ON == config_get( 'enable_email_notification' ) ) ) {
+	if ( ( LDAP != config_get_global( 'login_method' ) ) &&
+	     ( ON == config_get( 'lost_password_feature' ) ) &&
+	     ( ON == config_get( 'send_reset_password' ) ) &&
+	     ( ON == config_get( 'enable_email_notification' ) ) ) {
 		print_bracket_link( 'lost_pwd_page.php', lang_get( 'lost_password_link' ) );
 	}
 }

diff --git a/lost_pwd_page.php b/lost_pwd_page.php
@@ -27,7 +27,8 @@
 	require_once( 'core.php' );
 
 	# lost password feature disabled or reset password via email disabled -> stop here!
-	if( OFF == config_get( 'lost_password_feature' ) ||
+	if ( LDAP == config_get_global( 'login_method' ) ||
+		OFF == config_get( 'lost_password_feature' ) ||
 		OFF == config_get( 'send_reset_password' )  ||
 	 	OFF == config_get( 'enable_email_notification' ) ) {
 		trigger_error( ERROR_LOST_PASSWORD_NOT_ENABLED, ERROR );

diff --git a/signup_page.php b/signup_page.php
@@ -26,7 +26,7 @@
 	require_once( 'core.php' );
 
 	# Check for invalid access to signup page
-	if ( OFF == config_get_global( 'allow_signup' ) ) {
+	if ( OFF == config_get_global( 'allow_signup' ) || LDAP == config_get_global( 'login_method' ) ) {
 		print_header_redirect( 'login_page.php' );
 	}