LDAPAuth problems

  • We are trying to use the LDAPAuth module to authenticate to eDirectory located on a Netware 6.5 box. After putting the initial settings in and setting authentication to LDAP only, the server connection seems to be working OK and we can see LDAP resolving the username on the Netware server dstrace screen.
    The problem is when users log in with an incorrect password they get a message: "LDAP server: Resource id #54 utente LDAP: Array". If they now hit F5 they get an IE refresh warning and then the usual "logging you in, please wait!" message, and after that they are logged in. This basically means that users can bypass the password process and get in as anyone!

    Can anyone shed any light on our situation? It is something to do with ldapauth creating a dummy PN user?

    Thanks in advance!
  • Well, it would sound to me like the user has a local cookie stored and the auth is reading the local cookie for the session. Try to dump the cookies from IE and then log in with the F5 option. I have been working with this and OpenLDAP and have had some cookie issues like this, but I haven't figured out a true fix as of yet.


    -SUNADMN
  • Unfortunately I don't think it is a cookie problem; I've tried it on a fresh machine with no cookies and it's still the same. If I put in an existing username and a bad password I get the error, but if I then press F5 it logs me in as that person. Any more ideas? Do we need to have any other LDAP modules installed on the Linux box? I've noticed other posts about LDAPAuth that say it gives error responses, but all we seem to get is the weird "LDAP server: Resource id #54 utente LDAP: Array" error.

    Help!
  • Hi there MattH (or anyone else who may be able to assist). I just installed LDAPAuth on Postnuke (both fresh installs) and get the same problem. Do you know if it's been resolved or if a workaround is available?

    Many thanks,

    Gregory
  • I have tested this on both my servers and it does not appear to be a problem for us. Where did you get your copy of LDAPAuth? I'm wondering if it might be a problem with the pnUser.php file that you have. Although I'm not really sure.
  • I opened up the pnuserapi file of the ldapauth module and found a section that describes your problem. Around line 123 you should see the compare password section. If you read the comments there, it describes the very problem you are having. The actual code there has been commented out as well. If you delete the /* and */ that may correct the problem.

    I actually have an older version of the code on a server and the compare passwords code is a bit different. If removing /* & */ does not correct the problem, let me know and I will post the code I have in my old version.
  • Thanks Kandiil. That's the exact source of the problem, and the error message is directly above:

    Quote

    // Hacked by Paolo Canavese
    $ldap_passwd = ldap_bind($ldap_ds, $info[0]["dn"], $pass);
    // $info[0] is an array, so this prints "utente LDAP: Array" into the page
    echo "utente LDAP: $info[0]\n";
    if ($ldap_passwd !== true) {
        return false;
    }


    My code looks like:

    Quote


    // compare the passwords
    // I had to add a @ (at) symbol before the ldap_compare call. This is because if a User (or Hacker) puts a name in the User's Login Name field that exists in the Directory but no "userpassword" attribute is present, he could log in to Postnuke with any Password.
    // If a Directory entry has no Password attribute and the user logs in using this Directory entry (username) he will get an error message. When he reloads the Page here, Postnuke opens with this user logged in.
    /*$compare_result = @ldap_compare($ldap_ds, $info[0]["dn"], "userpassword", $pass);
    if ($compare_result !== true) {
        return false;
    }*/


    When I uncomment the lines in question, it fails every time, even after a refresh. I'd really appreciate it if you could send me your code.

    Thanks again for your very prompt and informative reply,

    Gregory
  • I made a post and then got to thinking about it. The code on my server is not right. It has me a bit nervous now and I think I need to test it a bit more.

    What I did remember was that PostNuke .8 will have LDAP support. I took a look at the module and I don't see anything different there except for the use of ' instead of ". I'm not much of a programmer, but I think it's worth a try.

    Quote


    $compare_result = @ldap_compare($ldap_ds, $info[0]['dn'], 'userpassword', $args['pass']);
    if ($compare_result !== true) {
        return false;
    }


    Let me know if that helps or if it is still broken.



    edited by: Kandiil, Nov 21, 2006 - 06:01 PM
  • Thanks again, Kandiil.

    Unfortunately you are right. It still has the same problem, and it returns true (i.e. password correct) regardless of which password I enter.

    I was looking on a PHP website (I'm very green to this stuff) and they recommended:

    Quote

    Just a side note that this is not how you'd ever AUTHENTICATE someone, just example code.

    The common way to authenticate is to get the user's name, use search and perhaps selection to the user to get her DN (single value), then attempt to BIND to the LDAP server using that DN and the offered password. If it works, then it's the right password.

    Note that the password offered MUST NOT BE EMPTY or many LDAPs will presume you meant to authenticate anonymously and it will succeed, leaving you thinking it's the right password.
    ...
    Not probably, will. With PHP 4.0.4 and OpenLDAP 1.2.9 this little script, even with the correct attributes for the password, does not do the job. It would be superb if it did!
    ...
    Interesting example. Apart from the fact that very few people would allow comparisons of the password attribute for security reasons, the attribute name of "password" does not match the usual schemas.


    They say that this is a better way:

    Quote



    So I'll try that over the next few days. It looks more secure anyway, so it might be a better way of doing things.
  • Sorry. Using HTML, not the URL tags. Should have previewed. Oops!

    LDAP Compare, complete with opinions down the bottom:
    http://au.php.net/ma…on.ldap-compare.php

    Suggested way:
    http://au.php.net/ma…ction.ldap-bind.php
  • OK. Here goes. I have got limited success!:

    Firstly, AD LDAP authentication will work with a null password, so we should include a check to prohibit null passwords (the bit in bold around line 53):

    Quote

    if ((!isset($uname)) ||
        (!isset($pass)) ||
        ($pass == "")
    ) {
        pnSessionSetVar('errormsg', _MODARGSERROR);
        return false;
    }


    Then, this seems to work in an ungraceful way:

    Quote

    $compare_result = ldap_bind($ldap_ds, $info[0]["dn"], $pass);
    if ($compare_result) {
        echo "LDAP bind successful... $compare_result. Please refresh your screen.";
    } else {
        echo "Incorrect password. Please go back and try again.";
        return false;
    }


    I haven't got it to go back to the re-enter password screen again, but it's at least working for now. Stay tuned!

    When I get this pretty, is there a place I should submit these changes for testing and possible inclusion in the original?

    Thanks,

    Gregory
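    The search-then-bind approach quoted from the php.net comments above, combined with the empty-password check from the post above, as one complete added example. This is not code from the PostNuke LDAPAuth module or from any poster in this thread; the host, base DN, search account credentials and the `uid` attribute are placeholder assumptions to be replaced with the module's own configuration values.

```php
<?php
// Added example, not part of the LDAPAuth module: authenticate a user by
// looking up the DN with a read-only search account and then binding as that
// DN with the offered password. All connection settings below are assumed.

function ldap_authenticate_user(string $uname, string $pass): bool
{
    // Assumed settings (placeholders): replace with your LDAPAuth configuration.
    $host      = 'ldap://ldap.example.invalid';
    $base_dn   = 'ou=users,o=example';
    $search_dn = 'cn=searchuser,o=example';      // read-only lookup account
    $search_pw = 'search-account-password';
    $uid_attr  = 'uid';                           // eDirectory often uses "cn" instead

    // 1. Refuse empty credentials before contacting the directory. An empty
    //    password makes many LDAP servers treat the bind as anonymous, which
    //    succeeds and would look exactly like a correct password.
    if ($uname === '' || $pass === '') {
        return false;
    }

    $ds = ldap_connect($host);
    if ($ds === false) {
        return false;
    }
    ldap_set_option($ds, LDAP_OPT_PROTOCOL_VERSION, 3);
    ldap_set_option($ds, LDAP_OPT_REFERRALS, 0);

    try {
        // 2. Bind with the dedicated search account, never with the user's
        //    own input at this stage.
        if (!@ldap_bind($ds, $search_dn, $search_pw)) {
            return false;
        }

        // 3. Resolve the login name to a DN. ldap_escape() (PHP >= 5.6) stops
        //    filter metacharacters in the login name from altering the search.
        $filter = sprintf('(%s=%s)', $uid_attr, ldap_escape($uname, '', LDAP_ESCAPE_FILTER));
        $sr = @ldap_search($ds, $base_dn, $filter, ['dn']);
        if ($sr === false) {
            return false;
        }
        $entries = ldap_get_entries($ds, $sr);

        // Exactly one match is required: zero means an unknown user, more than
        // one means an ambiguous login name that must not be resolved by guessing.
        if ($entries === false || $entries['count'] !== 1) {
            return false;
        }
        $user_dn = $entries[0]['dn'];

        // 4. Prove the password by binding as the user. Unlike ldap_compare()
        //    on userPassword, this works even when the attribute is absent or
        //    unreadable, and a wrong password simply makes the bind fail.
        return @ldap_bind($ds, $user_dn, $pass) === true;
    } finally {
        ldap_unbind($ds);
    }
}

// Usage inside the auth module: decide and return false *before* any output
// is echoed, so a failed attempt never leaves a half-established session
// that a page refresh can complete.
// if (!ldap_authenticate_user($uname, $pass)) {
//     pnSessionSetVar('errormsg', _MODARGSERROR);
//     return false;
// }
```

    The function returns a plain boolean and prints nothing, so the caller keeps the single decision point the thread is looking for: on `false` set the error message and stop, on `true` proceed to create the session.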
  • Nice work Leibel. You might want to contact one of the developers. Seeing as the original code is problematic, I wonder if the code they have in .8 will be as well.

    When you get it cleaned up, if you would not mind, please post it here. I for one need to make some changes to my ldapauth.

    Thanks Again.