Authenticating User via LDAP not working properly - solution included #5695

Closed
aalaily opened this issue Jun 12, 2018 · 8 comments
aalaily commented Jun 12, 2018

In the latest version of the application (and presumably since v3.0), the LDAP authentication is not working as expected.

Looking at "app/Models/Ldap.php", function "findAndBindUserLdap($username, $password)" attempts to bind the user directly to LDAP, thus defeating the purpose of having a system configured bind user and breaking the application for administrators who depend on the configured bind user to find & authenticate the credentials passed to the function.

With that in mind, the line (#99):

    if (!$ldapbind = @ldap_bind($connection, $userDn, $password)) {

Should be replaced by:

    $ldaprdn = $settings->ldap_uname;
    $ldappass = \Crypt::decrypt(Setting::getSettings()->ldap_pword);
    if (!$ldapbind = @ldap_bind($connection, $ldaprdn, $ldappass)) {

(this ensures that we are binding to LDAP using the configured bind user)

and then after successfully finding the first entry in the $filterQuery on line #110 the following code should be added:

    if( !$userDn = @ldap_get_dn($connection, $entry) ) {
        return false;
    }
    if( !$isbound = ldap_bind($connection, $userDn, $password) ) {
        return false;
    }

(this ensures that the username and password that were passed are valid credentials)

I hope this helps people who are having trouble authenticating using LDAP in an environment where a Bind user is absolutely required for any type of query.

Aladin
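
Added example, not part of the original issue and not Snipe-IT's own code: the search-then-bind flow described in the comment above, written as a stand-alone PHP function. The function name and the `$cfg` keys are assumptions; the function additionally rejects empty passwords and escapes the login name before it is placed in the search filter.

```php
<?php
// Added example: search-then-bind. The $cfg keys are hypothetical, not Snipe-IT settings.
function ldapSearchThenBind(array $cfg, string $username, string $password)
{
    // A bind with an empty password is an unauthenticated bind (RFC 4513, 5.1.2)
    // that many servers accept, so reject it before touching the directory.
    if ($username === '' || $password === '') {
        return false;
    }

    $conn = ldap_connect($cfg['uri']);
    if ($conn === false) {
        return false;
    }
    ldap_set_option($conn, LDAP_OPT_PROTOCOL_VERSION, 3);

    // Step 1: bind as the configured service account, which is allowed to search.
    if (!@ldap_bind($conn, $cfg['bind_dn'], $cfg['bind_password'])) {
        return false;
    }

    // Step 2: look up the user's DN. Escaping keeps '*', '(' and ')' in the
    // login name from changing the filter. '1.1' asks for no attributes.
    $filter = sprintf('(%s=%s)', $cfg['login_attr'], ldap_escape($username, '', LDAP_ESCAPE_FILTER));
    $result = @ldap_search($conn, $cfg['base_dn'], $filter, ['1.1']);
    // Require exactly one match; an ambiguous result counts as a failure.
    if ($result === false || ldap_count_entries($conn, $result) !== 1) {
        return false;
    }
    $userDn = ldap_get_dn($conn, ldap_first_entry($conn, $result));
    if ($userDn === false) {
        return false;
    }

    // Step 3: re-bind as that DN with the supplied password (the credential check).
    if (!@ldap_bind($conn, $userDn, $password)) {
        return false;
    }
    return $userDn;
}
```

The function returns the matched DN on success and `false` on any failure, so a caller cannot tell an unknown user from a wrong password.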



Patrock commented Jul 11, 2018

working like a charm... User which should be logged in isn't statically bound to baseDN but can be found by filter query... as in many other systems

Thanks for your effort


aalaily commented Jul 11, 2018

@Patrock ... the problem is that the filter query cannot be run by the user who is trying to log in, hence why it's critical to use the bind user as it covers all the cases.

If you look at the original LDAP code from version 3.6.3 you will notice that the code is almost exactly as I wrote it above. It probably got shaved a little too much in subsequent versions.

Anyway, I hope this helps.

@sduensin

Thank you!


stale bot commented Oct 22, 2018

Is this still relevant? We haven't heard from anyone in a bit. If so, please comment with any updates or additional detail.
This issue has been automatically marked as stale because it has not had recent activity. It will be closed if no further activity occurs. Don't take it personally, we just need to keep a handle on things. Thank you for your contributions!

@stale stale bot added the stale label Oct 22, 2018
@sduensin

Well, Stale Bot, I had to make the above changes to get it to work. Guessing that hasn't been merged since nobody closed this. :-)


stale bot commented Oct 22, 2018

Okay, it looks like this issue or feature request might still be important. We'll re-open it for now. Thank you for letting us know!

@stale stale bot removed the stale label Oct 22, 2018

stale bot commented Dec 21, 2018

Is this still relevant? We haven't heard from anyone in a bit. If so, please comment with any updates or additional detail.
This issue has been automatically marked as stale because it has not had recent activity. It will be closed if no further activity occurs. Don't take it personally, we just need to keep a handle on things. Thank you for your contributions!

@stale stale bot added the stale label Dec 21, 2018

stale bot commented Dec 29, 2018

This issue has been automatically closed because it has not had recent activity. If you believe this is still an issue, please confirm that this issue is still happening in the most recent version of Snipe-IT and reply to this thread to re-open it.

@stale stale bot closed this as completed Dec 29, 2018