
Support binding to an anonymous LDAP user before searching.

Test Plan: N/A

Reviewers: codeblock, epriestley

Reviewed By: epriestley

CC: aran, Korvin

Maniphest Tasks: T2133

Differential Revision: https://secure.phabricator.com/D4051
This commit is contained in:
Hangjun Ye 2012-11-30 04:21:44 -08:00 committed by epriestley
parent fc8d8b6f8c
commit 3b977e3b00
2 changed files with 44 additions and 2 deletions


@ -159,6 +159,7 @@ return array(
'disqus.application-secret',
'phabricator.mail-key',
'security.hmac-key',
'ldap.anonymous-user-password',
),
@ -692,6 +693,15 @@ return array(
// Should be set to 0 if you use Windows 2003 AD
'ldap.referrals' => 1,
// The anonymous user name to use before searching a user.
// Many LDAP installations require login even before searching a user, set
// this option to enable it.
'ldap.anonymous-user-name' => '',
// The password of the LDAP anonymous user.
'ldap.anonymous-user-password' => '',
// -- Disqus OAuth ---------------------------------------------------------- //
// Can users use Disqus credentials to login to Phabricator?
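Review bot: The option comment at L36-L41 describes this as an "anonymous user", but an anonymous LDAP bind is one made with no credentials; what is configured here is a named account with a password, which the secret list at L31 rightly treats as sensitive. A clearer comment would avoid operators reading "anonymous" as "no privileges needed": `// Account (DN or user name) to bind as before searching for users. Many directories refuse unauthenticated searches; when set, the bind uses this account and 'ldap.anonymous-user-password'.` followed by `// Use a read-only account with only the search rights it needs.` The hunk header counts 9 added lines but only 6 are visible here, so some lines of this hunk appear to be missing from the rendered view.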


@ -50,6 +50,18 @@ final class PhabricatorLDAPProvider {
return PhabricatorEnv::getEnvConfig('ldap.referrals');
}
public function bindAnonymousUserEnabled() {
return strlen(trim($this->getAnonymousUserName())) > 0;
}
public function getAnonymousUserName() {
return PhabricatorEnv::getEnvConfig('ldap.anonymous-user-name');
}
public function getAnonymousUserPassword() {
return PhabricatorEnv::getEnvConfig('ldap.anonymous-user-password');
}
public function retrieveUserEmail() {
return $this->userData['mail'][0];
}
@ -174,6 +186,24 @@ final class PhabricatorLDAPProvider {
private function getUser($attribute, $username) {
$conn = $this->getConnection();
if ($this->bindAnonymousUserEnabled()) {
// NOTE: It is very important we suppress any messages that occur here,
// because it logs passwords if it reaches an error log of any sort.
DarkConsoleErrorLogPluginAPI::enableDiscardMode();
$result = ldap_bind(
$conn,
$this->getAnonymousUserName(),
$this->getAnonymousUserPassword());
DarkConsoleErrorLogPluginAPI::disableDiscardMode();
if (!$result) {
throw new Exception('Bind anonymous account failed. '.
$this->invalidLDAPUserErrorMessage(
ldap_errno($conn),
ldap_error($conn)));
}
}
$query = ldap_sprintf(
'%Q=%S',
$attribute,
@ -182,8 +212,10 @@ final class PhabricatorLDAPProvider {
$result = ldap_search($conn, $this->getBaseDN(), $query);
if (!$result) {
throw new Exception('Search failed. Please check your LDAP and HTTP '.
'logs for more information.');
throw new Exception('Search failed. '.
$this->invalidLDAPUserErrorMessage(
ldap_errno($conn),
ldap_error($conn)));
}
$entries = ldap_get_entries($conn, $result);
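Review bot: `bindAnonymousUserEnabled()` at L50-L52 enables the bind when only the user name is non-empty, so an empty `ldap.anonymous-user-password` reaches `ldap_bind()` at L69-L72 as an unauthenticated bind, which many directories accept as an anonymous bind; the bind then "succeeds" and a missing or mis-set password is masked until the later search fails with a less specific error. A guard before the bind would surface the misconfiguration directly: `if (!strlen($this->getAnonymousUserPassword())) { throw new Exception('ldap.anonymous-user-name is set but ldap.anonymous-user-password is empty.'); }` — or, if an empty-password bind is intentionally allowed, a comment saying so. Note also that after this bind the connection remains bound as the configured account; whether the caller re-binds as the end user before relying on the result cannot be seen here, as `getUser()` continues past the last hunk.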