Update the LDAP password validation because some servers will not include "userpassword" to the LDAP entries result (#1547)

This commit is contained in:
Alex Tselegidis 2024-06-01 15:35:57 +02:00
parent 9d7e0ba94e
commit 08f8315313

View file

@ -97,52 +97,19 @@ class Ldap_client
$user = $this->CI->accounts->get_user_by_username($username);
if (empty($user['ldap_dn'])) {
return null;
return null; // User does not exist in Easy!Appointments
}
// Connect to LDAP server
$host = setting('ldap_host');
$port = (int) setting('ldap_port');
$user_dn = setting('ldap_user_dn');
$ldap_password = setting('ldap_password');
$ldap_host = setting('ldap_host');
$ldap_port = (int) setting('ldap_port');
$connection = @ldap_connect($host, $port);
$connection = @ldap_connect($ldap_host, $ldap_port);
if (!$connection) {
throw new Exception('Could not connect to LDAP server: ' . @ldap_error($connection));
}
@ldap_set_option($connection, LDAP_OPT_PROTOCOL_VERSION, 3);
@ldap_set_option($connection, LDAP_OPT_REFERRALS, 0); // We need this for doing an LDAP search.
$bind = @ldap_bind($connection, $user_dn, $ldap_password);
if (!$bind) {
throw new Exception('LDAP bind failed: ' . @ldap_error($connection));
}
// Check the provided password against the LDAP service
$filter = '(objectclass=*)';
$result = @ldap_search($connection, $user['ldap_dn'], $filter);
if (!$result) {
return null;
}
$ldap_entries = @ldap_get_entries($connection, $result);
foreach ($ldap_entries as $ldap_entry) {
if (!is_array($ldap_entry) || empty($ldap_entry['dn']) || $ldap_entry['dn'] !== $user['ldap_dn']) {
continue;
}
if (!$this->validate_password($password, $ldap_entry['userpassword'][0])) {
continue;
}
$user_bind = @ldap_bind($connection, $user['ldap_dn'], $password);
if ($user_bind) {
$role = $this->CI->roles_model->find($user['id_roles']);
$default_timezone = $this->CI->timezones->get_default_timezone();