diff --git a/htdocs/checkpassword.php b/htdocs/checkpassword.php
index 1ed709f..7322625 100644
--- a/htdocs/checkpassword.php
+++ b/htdocs/checkpassword.php
@@ -30,21 +30,29 @@
 $ldap = $ldap_connection[0];
 $result = $ldap_connection[1];
- if ($use_checkpasswordhistory) {
- $password_history = $ldapInstance->get_attribute_values($dn, "pwdHistory");
- foreach ($password_history as $previous_password) {
- preg_match("/(?<={).*(?=})/", $previous_password, $algorithm);
- preg_match("/{(?<={).*/", $previous_password, $hash);
- if (\Ltb\Password::check_password($password, $hash[0], $algorithm[0])) {
- $result = "passwordinhistory";
+ # DN match
+ if ( !$ldapInstance->matchDn($dn, $dnAttribute, $ldap_user_filter, $ldap_user_base, $ldap_scope) ) {
+ $result = "noentriesfound";
+ error_log("LDAP - $dn not found using the configured search settings, reject request");
+ } else {
+
+ if ($use_checkpasswordhistory) {
+ $password_history = $ldapInstance->get_attribute_values($dn, "pwdHistory");
+ foreach ($password_history as $previous_password) {
+ preg_match("/(?<={).*(?=})/", $previous_password, $algorithm);
+ preg_match("/{(?<={).*/", $previous_password, $hash);
+ if (\Ltb\Password::check_password($password, $hash[0], $algorithm[0])) {
+ $result = "passwordinhistory";
+ }
 }
 }
- }
- if (!$result) {
- $bind = ldap_bind($ldap, $dn, $password);
- $result = $bind ? "passwordok" : "ldaperror";
- }
+ if (!$result) {
+ $bind = ldap_bind($ldap, $dn, $password);
+ $result = $bind ? "passwordok" : "ldaperror";
+ }
+
+ }
 }
 if ($audit_log_file) {
diff --git a/htdocs/disableaccount.php b/htdocs/disableaccount.php
index f54b424..c2b9301 100644
--- a/htdocs/disableaccount.php
+++ b/htdocs/disableaccount.php
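Review bot: The re-indented history loop on the new side still reads `$hash[0]` and `$algorithm[0]` without checking that either `preg_match` matched, so a pwdHistory value that does not carry a `{scheme}` prefix raises an undefined-offset notice and passes null into `check_password` (or throws, depending on that method's signature). Since these lines are being rewritten anyway, skip values that cannot be parsed: `if (!preg_match("/(?<={).*(?=})/", $previous_password, $algorithm) || !preg_match("/{(?<={).*/", $previous_password, $hash)) { continue; }`. The block enclosing this hunk is opened before line 30 and closed by the trailing context `}`, so whatever guards the new DN check against a failed connection is not visible here.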
@@ -28,7 +28,11 @@
 $ldap = $ldap_connection[0];
 $result = $ldap_connection[1];
- if ($ldap) {
+ # DN match
+ if ( !$ldapInstance->matchDn($dn, $dnAttribute, $ldap_user_filter, $ldap_user_base, $ldap_scope) ) {
+ $result = "noentriesfound";
+ error_log("LDAP - $dn not found using the configured search settings, reject request");
+ } else {
 if ( $directory->disableAccount($ldap, $dn) ) {
 $result = "accountdisabled";
 } else {
diff --git a/htdocs/display.php b/htdocs/display.php
index 8413070..65afaf4 100644
--- a/htdocs/display.php
+++ b/htdocs/display.php
@@ -64,6 +64,12 @@
 if ($ldap) {
+ # DN match
+ if ( !$ldapInstance->matchDn($dn, $dnAttribute, $ldap_user_filter, $ldap_user_base, $ldap_scope) ) {
+ $result = "noentriesfound";
+ error_log("LDAP - $dn not found using the configured search settings, reject request");
+ } else {
+
 # Search attributes
 $attributes = array();
 $search_items = array_merge($display_items, $display_password_items);
@@ -80,8 +86,8 @@
 $result = "ldaperror";
 error_log("LDAP - Search error $errno (".ldap_error($ldap).")");
 } else {
- $entry = ldap_get_entries($ldap, $search);
- }
+
+ $entry = ldap_get_entries($ldap, $search);
 # Sort attributes values
 foreach ($entry[0] as $attr => $values) {
@@ -118,7 +124,7 @@
 $isAccountEnabled = $directory->isAccountEnabled($ldap, $dn);
 }
- }
+ }}}
 }
 $smarty->assign("entry", $entry[0]);
diff --git a/htdocs/enableaccount.php b/htdocs/enableaccount.php
index 0756186..095b124 100644
--- a/htdocs/enableaccount.php
+++ b/htdocs/enableaccount.php
@@ -28,7 +28,11 @@
 $ldap = $ldap_connection[0];
 $result = $ldap_connection[1];
- if ($ldap) {
+ # DN match
+ if ( !$ldapInstance->matchDn($dn, $dnAttribute, $ldap_user_filter, $ldap_user_base, $ldap_scope) ) {
+ $result = "noentriesfound";
+ error_log("LDAP - $dn not found using the configured search settings, reject request");
+ } else {
 if ( $directory->enableAccount($ldap, $dn) ) {
 $result = "accountenabled";
 } else {
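Review bot: Replacing `if ($ldap) {` with the DN-match `if`/`else` removes the only guard against a failed connection: when `$ldap_connection[0]` is false, `$result` already holds the connection error from `$ldap_connection[1]`, yet the new code still calls `matchDn()` on that handle and, depending on what matchDn returns for an invalid connection, either overwrites `$result` with "noentriesfound" and logs a misleading "not found" line, or falls into the `else` and calls `disableAccount()` with no connection. display.php keeps the DN check nested inside `if ($ldap) {`; the same structure is needed here and in the identical hunks of enableaccount.php, lockaccount.php, resetpassword.php and unlockaccount.php, e.g. `if (!$ldap) { /* keep the connection error already in $result */ } elseif ( !$ldapInstance->matchDn($dn, $dnAttribute, $ldap_user_filter, $ldap_user_base, $ldap_scope) ) {`. The `else` opened by the last added line continues outside the hunk.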
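Review bot: The new `noentriesfound` branch in display.php leaves `$entry` unassigned, and `$smarty->assign("entry", $entry[0])` after the block (visible as context in the third display.php hunk) reads it unconditionally, so this path reaches the template with an undefined-variable warning, as the search-error path already did. Either initialise it ahead of `if ($ldap) {` or make the assignment tolerant, e.g. `$smarty->assign("entry", isset($entry[0]) ? $entry[0] : array());`, whichever the template expects. The `if ($ldap)` block and the new `else` both continue past the hunk.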
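Review bot: `}}}` closes three different blocks on one line (the search `else` that the second display.php hunk no longer closes, the new DN-match `else`, and `if ($ldap)`), which hides the nesting the commit introduces and makes the brace balance hard to verify from the diff. Put each brace on its own line at the indentation of its opener, and since the `# Sort attributes values` loop and the account-status code now sit inside the search `else`, a marker such as `} # end: search succeeded` on the first of them would help the next reader. The blocks being closed are all opened outside this hunk.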
diff --git a/htdocs/index.php b/htdocs/index.php
index c2a48f4..55452b2 100644
--- a/htdocs/index.php
+++ b/htdocs/index.php
@@ -86,6 +86,8 @@
 break;
 }
+$dnAttribute = $directory->getDnAttribute();
+
 #==============================================================================
 # Other default values
 #==============================================================================
diff --git a/htdocs/lockaccount.php b/htdocs/lockaccount.php
index ad22e95..a4bb003 100644
--- a/htdocs/lockaccount.php
+++ b/htdocs/lockaccount.php
@@ -28,8 +28,11 @@
 $ldap = $ldap_connection[0];
 $result = $ldap_connection[1];
- if ($ldap)
- {
+ # DN match
+ if ( !$ldapInstance->matchDn($dn, $dnAttribute, $ldap_user_filter, $ldap_user_base, $ldap_scope) ) {
+ $result = "noentriesfound";
+ error_log("LDAP - $dn not found using the configured search settings, reject request");
+ } else {
 # Get password policy configuration
 $pwdPolicyConfiguration = $directory->getPwdPolicyConfiguration($ldap, $dn, $ldap_default_ppolicy);
 if ($ldap_lockout_duration) { $pwdPolicyConfiguration['lockout_duration'] = $ldap_lockout_durantion; }
diff --git a/htdocs/resetpassword.php b/htdocs/resetpassword.php
index db9e565..f442038 100644
--- a/htdocs/resetpassword.php
+++ b/htdocs/resetpassword.php
@@ -42,8 +42,11 @@
 $ldap = $ldap_connection[0];
 $result = $ldap_connection[1];
- if ($ldap) {
-
+ # DN match
+ if ( !$ldapInstance->matchDn($dn, $dnAttribute, $ldap_user_filter, $ldap_user_base, $ldap_scope) ) {
+ $result = "noentriesfound";
+ error_log("LDAP - $dn not found using the configured search settings, reject request");
+ } else {
 if ( isset($prehook) || isset($posthook) ) {
 $login_search = ldap_read($ldap, $dn, '(objectClass=*)', array($prehook_login, $posthook_login));
 $login_entry = ldap_first_entry( $ldap, $login_search );
diff --git a/htdocs/unlockaccount.php b/htdocs/unlockaccount.php
index 388e6ba..862a0d3 100644
--- a/htdocs/unlockaccount.php
+++ b/htdocs/unlockaccount.php
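Review bot: `$dnAttribute` is computed in index.php with no comment, and its only consumers are the `matchDn()` calls in the action scripts, so a one-line comment naming that purpose would save the next reader a search, e.g. `# DN attribute of the selected directory type; the action scripts pass it to matchDn() to check the submitted DN against the configured user base`. If the `switch` that ends just above can leave `$directory` unset (not visible in this hunk), the call would fail before any page is rendered, so that case is worth confirming.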
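Review bot: The trailing context line in the lockaccount.php hunk, `if ($ldap_lockout_duration) { $pwdPolicyConfiguration['lockout_duration'] = $ldap_lockout_durantion; }`, tests `$ldap_lockout_duration` but assigns `$ldap_lockout_durantion`, so unless the misspelled name is defined elsewhere the configured lockout duration is replaced with null whenever it is set. This is pre-existing rather than introduced here, but the commit already rewrites the surrounding block and could correct the right-hand side to `$ldap_lockout_duration`. The `else` opened by the last added line continues outside the hunk.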
@@ -35,7 +35,11 @@
 $ldap = $ldap_connection[0];
 $result = $ldap_connection[1];
- if ($ldap) {
+ # DN match
+ if ( !$ldapInstance->matchDn($dn, $dnAttribute, $ldap_user_filter, $ldap_user_base, $ldap_scope) ) {
+ $result = "noentriesfound";
+ error_log("LDAP - $dn not found using the configured search settings, reject request");
+ } else {
 if ( $directory->unlockAccount($ldap, $dn) ) {
 $result = "accountunlocked";
 } else {