Support to bind to an anonymous LDAP user before searching.
Test Plan: N/A Reviewers: codeblock, epriestley Reviewed By: epriestley CC: aran, Korvin Maniphest Tasks: T2133 Differential Revision: https://secure.phabricator.com/D4051
This commit is contained in:
parent
fc8d8b6f8c
commit
3b977e3b00
2 changed files with 44 additions and 2 deletions
|
@ -159,6 +159,7 @@ return array(
|
|||
'disqus.application-secret',
|
||||
'phabricator.mail-key',
|
||||
'security.hmac-key',
|
||||
'ldap.anonymous-user-password',
|
||||
),
|
||||
|
||||
|
||||
|
@ -692,6 +693,15 @@ return array(
|
|||
// Should be set to 0 if you use Windows 2003 AD
|
||||
'ldap.referrals' => 1,
|
||||
|
||||
// The anonymous user name to use before searching a user.
|
||||
// Many LDAP installations require login even before searching a user, set
|
||||
// this option to enable it.
|
||||
'ldap.anonymous-user-name' => '',
|
||||
|
||||
// The password of the LDAP anonymous user.
|
||||
'ldap.anonymous-user-password' => '',
|
||||
|
||||
|
||||
// -- Disqus OAuth ---------------------------------------------------------- //
|
||||
|
||||
// Can users use Disqus credentials to login to Phabricator?
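Review bot: The comments added in the `@ -692` hunk call this account "anonymous", but in LDAP an anonymous bind is one made with no credentials at all; what these two keys configure is a service account (user name or bind DN plus password) that performs the bind before the user search. Suggest rewording the comment above `ldap.anonymous-user-name` to `// Credentials of a service account used to bind before searching for users. Leave empty to search without binding first.` and adding to the `ldap.anonymous-user-password` comment that the value is stored in plain text in this file, so the account should hold read-only search rights. The `@ -159` hunk adds the password key to what appears to be the list of secret config keys, which looks right.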
|
||||
|
|
|
@ -50,6 +50,18 @@ final class PhabricatorLDAPProvider {
|
|||
return PhabricatorEnv::getEnvConfig('ldap.referrals');
|
||||
}
|
||||
|
||||
public function bindAnonymousUserEnabled() {
|
||||
return strlen(trim($this->getAnonymousUserName())) > 0;
|
||||
}
|
||||
|
||||
public function getAnonymousUserName() {
|
||||
return PhabricatorEnv::getEnvConfig('ldap.anonymous-user-name');
|
||||
}
|
||||
|
||||
public function getAnonymousUserPassword() {
|
||||
return PhabricatorEnv::getEnvConfig('ldap.anonymous-user-password');
|
||||
}
|
||||
|
||||
public function retrieveUserEmail() {
|
||||
return $this->userData['mail'][0];
|
||||
}
|
||||
|
@ -174,6 +186,24 @@ final class PhabricatorLDAPProvider {
|
|||
private function getUser($attribute, $username) {
|
||||
$conn = $this->getConnection();
|
||||
|
||||
if ($this->bindAnonymousUserEnabled()) {
|
||||
// NOTE: It is very important we suppress any messages that occur here,
|
||||
// because it logs passwords if it reaches an error log of any sort.
|
||||
DarkConsoleErrorLogPluginAPI::enableDiscardMode();
|
||||
$result = ldap_bind(
|
||||
$conn,
|
||||
$this->getAnonymousUserName(),
|
||||
$this->getAnonymousUserPassword());
|
||||
DarkConsoleErrorLogPluginAPI::disableDiscardMode();
|
||||
|
||||
if (!$result) {
|
||||
throw new Exception('Bind anonymous account failed. '.
|
||||
$this->invalidLDAPUserErrorMessage(
|
||||
ldap_errno($conn),
|
||||
ldap_error($conn)));
|
||||
}
|
||||
}
|
||||
|
||||
$query = ldap_sprintf(
|
||||
'%Q=%S',
|
||||
$attribute,
|
||||
|
@ -182,8 +212,10 @@ final class PhabricatorLDAPProvider {
|
|||
$result = ldap_search($conn, $this->getBaseDN(), $query);
|
||||
|
||||
if (!$result) {
|
||||
throw new Exception('Search failed. Please check your LDAP and HTTP '.
|
||||
'logs for more information.');
|
||||
throw new Exception('Search failed. '.
|
||||
$this->invalidLDAPUserErrorMessage(
|
||||
ldap_errno($conn),
|
||||
ldap_error($conn)));
|
||||
}
|
||||
|
||||
$entries = ldap_get_entries($conn, $result);
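Review bot: In the `@ -174` hunk, `bindAnonymousUserEnabled()` checks only the user name, so a configuration with `ldap.anonymous-user-name` set but `ldap.anonymous-user-password` left at its default `''` reaches `ldap_bind($conn, $name, '')`; many directory servers treat a DN with an empty password as an unauthenticated bind and report success, so the misconfiguration is silent and the search then runs without the privileges the operator expected. Add an explicit check before the bind, e.g. `if (!strlen($this->getAnonymousUserPassword())) { throw new Exception('ldap.anonymous-user-password must be set when ldap.anonymous-user-name is set.'); }`. Separately, `DarkConsoleErrorLogPluginAPI::disableDiscardMode()` is only reached if `ldap_bind()` returns normally, so any non-local exit from the call leaves message discarding enabled for the rest of the request; where the runtime allows it, put the disable call in a `finally` clause. `getUser()` begins in this hunk but continues past its end.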
|
||||
|
|