Fix unexpected handling of the 'attributes' setting #397
In authsources.php, taken from the ldap-example:

```php
// Which attributes should be retrieved from the LDAP server.
// This can be an array of attribute names, or NULL, in which case
// all attributes are fetched.
'attributes' => NULL,
```

This suggests that an empty array would return no attributes, but in fact it returns them all, just like a NULL value. This change fixes that to make this setting act as you would expect and also takes care of a couple of attributes that were being reused within the same function.
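As an added illustration of the distinction the description draws (example code, not SimpleSAMLphp's own code and not the change in this PR; the function names are hypothetical), one way to make NULL and an empty array behave differently when translating the setting into the attribute list handed to ldap_search() and when filtering the returned entry:

```php
<?php
// Hypothetical helper: turn the configured 'attributes' value into the list
// passed to ldap_search().  On the wire, an empty attribute list means "all",
// so [] cannot simply be forwarded; LDAP (RFC 4511) reserves the selector
// "1.1" to request no attributes at all.
function ldapAttributeSelector(?array $configured): array
{
    if ($configured === null) {
        return [];        // empty list on the wire = every attribute
    }
    if ($configured === []) {
        return ['1.1'];   // "no attributes" selector
    }
    return array_values($configured);
}

// Hypothetical helper: reduce a fetched entry to what the setting asked for.
// NULL keeps everything; [] falls through to the intersection and yields
// nothing, which is the behaviour the setting's comment leads one to expect.
function selectAttributes(?array $configured, array $entry): array
{
    if ($configured === null) {
        return $entry;
    }
    return array_intersect_key($entry, array_flip($configured));
}

// Constructed sample entry, not taken from any real directory.
$entry = [
    'uid'  => ['alice'],
    'mail' => ['alice@example.org'],
    'cn'   => ['Alice'],
];

foreach ([null, [], ['mail']] as $setting) {
    echo 'setting: ' . json_encode($setting) . PHP_EOL;
    echo '  selector for ldap_search(): ' . json_encode(ldapAttributeSelector($setting)) . PHP_EOL;
    echo '  attributes kept from entry: ' . json_encode(array_keys(selectAttributes($setting, $entry))) . PHP_EOL;
}
```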
Hi @tvdijen! Thanks so much for this!
You are right, the documentation is misleading and we should fix it (the issue, not the documentation, as I totally believe we should have a way to tell that we don't want any attributes). On the other hand, I'm a bit concerned about backwards-compatibility, as this change could break existing configurations (people having an empty array there because it works to get all the attributes, and all of a sudden getting nothing back from the LDAP after upgrading).
I'm a bit tempted to put this on hold until we have released 1.15 and we can start breaking things properly in 2.0. However, the LDAP class is so incredibly crappy that it is high up in the list for a refactoring (and even substituting it by a new class), and that would break your PR.
What do you think? Is it urgent for you to have this solved?
No, it's not urgent at all. It's just something I ran into and it only affects my admin logins.
Another thing I noticed, but don't have a solution for, is that you can brute-force someone's password without the account getting locked out. This kind of contradicts our (most?) company's security policy.