Check DN is matching configured search parameters before allowing any…
… action on it (#174)
coudot authored Nov 5, 2024
1 parent 34e5a0e commit 7d7599a
Showing 8 changed files with 56 additions and 22 deletions.
32 changes: 20 additions & 12 deletions htdocs/checkpassword.php
Expand Up @@ -30,21 +30,29 @@
$ldap = $ldap_connection[0];
$result = $ldap_connection[1];

if ($use_checkpasswordhistory) {
$password_history = $ldapInstance->get_attribute_values($dn, "pwdHistory");
foreach ($password_history as $previous_password) {
preg_match("/(?<={).*(?=})/", $previous_password, $algorithm);
preg_match("/{(?<={).*/", $previous_password, $hash);
if (\Ltb\Password::check_password($password, $hash[0], $algorithm[0])) {
$result = "passwordinhistory";
# DN match
if ( !$ldapInstance->matchDn($dn, $dnAttribute, $ldap_user_filter, $ldap_user_base, $ldap_scope) ) {
$result = "noentriesfound";
error_log("LDAP - $dn not found using the configured search settings, reject request");
} else {

if ($use_checkpasswordhistory) {
$password_history = $ldapInstance->get_attribute_values($dn, "pwdHistory");
foreach ($password_history as $previous_password) {
preg_match("/(?<={).*(?=})/", $previous_password, $algorithm);
preg_match("/{(?<={).*/", $previous_password, $hash);
if (\Ltb\Password::check_password($password, $hash[0], $algorithm[0])) {
$result = "passwordinhistory";
}
}
}
}
if (!$result) {
$bind = ldap_bind($ldap, $dn, $password);
$result = $bind ? "passwordok" : "ldaperror";
}

if (!$result) {
$bind = ldap_bind($ldap, $dn, $password);
$result = $bind ? "passwordok" : "ldaperror";
}

}
}

if ($audit_log_file) {
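Review bot: The DN-match guard at the top of this hunk (`# DN match` through `} else {`) is the same five lines that disableaccount.php, display.php, enableaccount.php, lockaccount.php, resetpassword.php and unlockaccount.php each repeat by hand, so any action page added later that forgets the block reopens exactly the bypass this commit closes. If index.php is the common entry point for these pages, as its new `$dnAttribute = $directory->getDnAttribute();` line suggests, the check could run once there right after that assignment, setting `$result = "noentriesfound"` before any per-action code sees `$dn`; that is inferred from the diff, not visible here. At minimum a comment on the block, `# Refuse any DN outside the configured user search scope; every action page must run this before touching $dn`, would tell the next author why it exists. The block closed by the `}` on the last line of the hunk starts outside the hunk.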
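--- a/htdocs/disableaccount.php
+++ b/htdocs/disableaccount.php
@@ -39,7 +39,11 @@
 $ldap = $ldap_connection[0];
 $result = $ldap_connection[1];
 
-if ($ldap) {
+# DN match
+if ( !$ldapInstance->matchDn($dn, $dnAttribute, $ldap_user_filter, $ldap_user_base, $ldap_scope) ) {
+$result = "noentriesfound";
+error_log("LDAP - $dn not found using the configured search settings, reject request");
+} else {
 if ( $directory->disableAccount($ldap, $dn) ) {
 $result = "accountdisabled";
 } else {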
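Review bot: The new block replaces the `if ($ldap) {` guard instead of nesting inside it, so when the connection step has already failed `matchDn()` is still called on the unusable connection and, if it returns false, overwrites the connection error held in `$result` with `noentriesfound` while the log claims the DN was not found; display.php keeps `if ($ldap) {` around the same check and this file should do the same. Suggested shape: keep `if ($ldap) {` before `# DN match` and add one more `}` after the action's if/else (the closing braces of this block are outside the hunk). The same replacement is made in enableaccount.php, lockaccount.php, resetpassword.php and unlockaccount.php. What `matchDn()` does with a failed connection is not visible here, so the overwrite is inferred from the control flow alone.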
12 changes: 9 additions & 3 deletions htdocs/display.php
Expand Up @@ -64,6 +64,12 @@

if ($ldap) {

# DN match
if ( !$ldapInstance->matchDn($dn, $dnAttribute, $ldap_user_filter, $ldap_user_base, $ldap_scope) ) {
$result = "noentriesfound";
error_log("LDAP - $dn not found using the configured search settings, reject request");
} else {

# Search attributes
$attributes = array();
$search_items = array_merge($display_items, $display_password_items);
Expand All @@ -80,8 +86,8 @@
$result = "ldaperror";
error_log("LDAP - Search error $errno (".ldap_error($ldap).")");
} else {
$entry = ldap_get_entries($ldap, $search);
}

$entry = ldap_get_entries($ldap, $search);

# Sort attributes values
foreach ($entry[0] as $attr => $values) {
Expand Down Expand Up @@ -118,7 +124,7 @@
$isAccountEnabled = $directory->isAccountEnabled($ldap, $dn);
}

}
}}}
}

$smarty->assign("entry", $entry[0]);
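Review bot: `error_log("LDAP - $dn not found using the configured search settings, reject request")` writes the rejected DN into the log verbatim, and this is the one branch a DN that was never meant to reach the page is guaranteed to hit; if `$dn` is taken from the request, as the commit title suggests, a value containing line breaks can forge extra log lines, so strip control characters first, e.g. `error_log("LDAP - " . preg_replace('/[\x00-\x1F\x7F]/', '', $dn) . " not found using the configured search settings, reject request");`. The same line appears in the seven other files changed here. Separately, the added `}}}` near the end of this section closes three blocks on one line; one brace per line at the matching indentation would make the new nesting (`if ($ldap)`, DN-match `else`, search `else`) readable.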
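--- a/htdocs/enableaccount.php
+++ b/htdocs/enableaccount.php
@@ -39,7 +39,11 @@
 $ldap = $ldap_connection[0];
 $result = $ldap_connection[1];
 
-if ($ldap) {
+# DN match
+if ( !$ldapInstance->matchDn($dn, $dnAttribute, $ldap_user_filter, $ldap_user_base, $ldap_scope) ) {
+$result = "noentriesfound";
+error_log("LDAP - $dn not found using the configured search settings, reject request");
+} else {
 if ( $directory->enableAccount($ldap, $dn) ) {
 $result = "accountenabled";
 } else {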
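--- a/htdocs/index.php
+++ b/htdocs/index.php
@@ -85,6 +85,8 @@
 break;
 }
 
+$dnAttribute = $directory->getDnAttribute();
+
 #==============================================================================
 # Other default values
 #==============================================================================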
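--- a/htdocs/lockaccount.php
+++ b/htdocs/lockaccount.php
@@ -33,8 +33,11 @@
 $ldap = $ldap_connection[0];
 $result = $ldap_connection[1];
 
-if ($ldap)
-{
+# DN match
+if ( !$ldapInstance->matchDn($dn, $dnAttribute, $ldap_user_filter, $ldap_user_base, $ldap_scope) ) {
+$result = "noentriesfound";
+error_log("LDAP - $dn not found using the configured search settings, reject request");
+} else {
 # Get password policy configuration
 $pwdPolicyConfiguration = $directory->getPwdPolicyConfiguration($ldap, $dn, $ldap_default_ppolicy);
 if ($ldap_lockout_duration) { $pwdPolicyConfiguration['lockout_duration'] = $ldap_lockout_duration; }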
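--- a/htdocs/resetpassword.php
+++ b/htdocs/resetpassword.php
@@ -42,8 +42,11 @@
 $ldap = $ldap_connection[0];
 $result = $ldap_connection[1];
 
-if ($ldap) {
-
+# DN match
+if ( !$ldapInstance->matchDn($dn, $dnAttribute, $ldap_user_filter, $ldap_user_base, $ldap_scope) ) {
+$result = "noentriesfound";
+error_log("LDAP - $dn not found using the configured search settings, reject request");
+} else {
 if ( isset($prehook) || isset($posthook) ) {
 $login_search = ldap_read($ldap, $dn, '(objectClass=*)', array($prehook_login, $posthook_login));
 $login_entry = ldap_first_entry( $ldap, $login_search );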
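--- a/htdocs/unlockaccount.php
+++ b/htdocs/unlockaccount.php
@@ -39,7 +39,11 @@
 $ldap = $ldap_connection[0];
 $result = $ldap_connection[1];
 
-if ($ldap) {
+# DN match
+if ( !$ldapInstance->matchDn($dn, $dnAttribute, $ldap_user_filter, $ldap_user_base, $ldap_scope) ) {
+$result = "noentriesfound";
+error_log("LDAP - $dn not found using the configured search settings, reject request");
+} else {
 if ( $directory->unlockAccount($ldap, $dn) ) {
 $result = "accountunlocked";
 } else {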
