Support to bind to an anonymous LDAP user before searching.

Test Plan: N/A Reviewers: codeblock, epriestley Reviewed By: epriestley CC: aran, Korvin Maniphest Tasks: T2133 Differential Revision: https://secure.phabricator.com/D4051
2024-11-22 14:52:41 +01:00 · 2012-11-30 04:21:44 -08:00 · 2012-11-30 04:21:44 -08:00 · 3b977e3b00
commit 3b977e3b00
parent fc8d8b6f8c
2 changed files with 44 additions and 2 deletions
--- a/conf/default.conf.php
+++ b/conf/default.conf.php
@ -159,6 +159,7 @@ return array(
    'disqus.application-secret',
    'phabricator.mail-key',
    'security.hmac-key',
+    'ldap.anonymous-user-password',
  ),


@ -692,6 +693,15 @@ return array(
  // Should be set to 0 if you use Windows 2003 AD
  'ldap.referrals' => 1,

+  // The anonymous user name to use before searching a user.
+  // Many LDAP installations require login even before searching a user, set
+  // this option to enable it.
+  'ldap.anonymous-user-name'     => '',
+
+  // The password of the LDAP anonymous user.
+  'ldap.anonymous-user-password' => '',
+
+
 // -- Disqus OAuth ---------------------------------------------------------- //

  // Can users use Disqus credentials to login to Phabricator?
--- a/src/applications/auth/ldap/PhabricatorLDAPProvider.php
+++ b/src/applications/auth/ldap/PhabricatorLDAPProvider.php
@ -50,6 +50,18 @@ final class PhabricatorLDAPProvider {
    return PhabricatorEnv::getEnvConfig('ldap.referrals');
  }

+  public function bindAnonymousUserEnabled() {
+    return strlen(trim($this->getAnonymousUserName())) > 0;
+  }
+
+  public function getAnonymousUserName() {
+    return PhabricatorEnv::getEnvConfig('ldap.anonymous-user-name');
+  }
+
+  public function getAnonymousUserPassword() {
+    return PhabricatorEnv::getEnvConfig('ldap.anonymous-user-password');
+  }
+
  public function retrieveUserEmail() {
    return $this->userData['mail'][0];
  }
@ -174,6 +186,24 @@ final class PhabricatorLDAPProvider {
  private function getUser($attribute, $username) {
    $conn = $this->getConnection();

+    if ($this->bindAnonymousUserEnabled()) {
+      // NOTE: It is very important we suppress any messages that occur here,
+      // because it logs passwords if it reaches an error log of any sort.
+      DarkConsoleErrorLogPluginAPI::enableDiscardMode();
+      $result = ldap_bind(
+        $conn,
+        $this->getAnonymousUserName(),
+        $this->getAnonymousUserPassword());
+      DarkConsoleErrorLogPluginAPI::disableDiscardMode();
+
+      if (!$result) {
+        throw new Exception('Bind anonymous account failed. '.
+          $this->invalidLDAPUserErrorMessage(
+            ldap_errno($conn),
+            ldap_error($conn)));
+      }
+    }
+
    $query = ldap_sprintf(
      '%Q=%S',
      $attribute,
@ -182,8 +212,10 @@ final class PhabricatorLDAPProvider {
    $result = ldap_search($conn, $this->getBaseDN(), $query);

    if (!$result) {
-      throw new Exception('Search failed. Please check your LDAP and HTTP '.
-        'logs for more information.');
+      throw new Exception('Search failed. '.
+        $this->invalidLDAPUserErrorMessage(
+          ldap_errno($conn),
+          ldap_error($conn)));
    }

    $entries = ldap_get_entries($conn, $result);