Check DN is matching configured search parameters before allowing any action on it

htdocs/checkpassword.php

@@ -30,21 +30,29 @@
     $ldap = $ldap_connection[0];
     $result = $ldap_connection[1];
 
-    if ($use_checkpasswordhistory) {
-        $password_history = $ldapInstance->get_attribute_values($dn, "pwdHistory");
-        foreach ($password_history as $previous_password) {
-            preg_match("/(?<={).*(?=})/", $previous_password, $algorithm);
-            preg_match("/{(?<={).*/", $previous_password, $hash);
-            if (\Ltb\Password::check_password($password, $hash[0], $algorithm[0])) {
-                $result = "passwordinhistory";
+    # DN match
+    if ( !$ldapInstance->matchDn($dn, $dnAttribute, $ldap_user_filter, $ldap_user_base, $ldap_scope) ) {
+        $result = "noentriesfound";
+        error_log("LDAP - $dn not found using the configured search settings, reject request");
+    } else {
+
+        if ($use_checkpasswordhistory) {
+            $password_history = $ldapInstance->get_attribute_values($dn, "pwdHistory");
+            foreach ($password_history as $previous_password) {
+                preg_match("/(?<={).*(?=})/", $previous_password, $algorithm);
+                preg_match("/{(?<={).*/", $previous_password, $hash);
+                if (\Ltb\Password::check_password($password, $hash[0], $algorithm[0])) {
+                    $result = "passwordinhistory";
+                }
             }
         }
-    }
-    if (!$result) {
-        $bind = ldap_bind($ldap, $dn, $password);
-        $result = $bind ? "passwordok" : "ldaperror";
-    }
 
+        if (!$result) {
+            $bind = ldap_bind($ldap, $dn, $password);
+            $result = $bind ? "passwordok" : "ldaperror";
+        }
+
+    }
 }
 
 if ($audit_log_file) {

htdocs/disableaccount.php

@@ -28,7 +28,11 @@
     $ldap = $ldap_connection[0];
     $result = $ldap_connection[1];
 
-    if ($ldap) {
+    # DN match
+    if ( !$ldapInstance->matchDn($dn, $dnAttribute, $ldap_user_filter, $ldap_user_base, $ldap_scope) ) {
+        $result = "noentriesfound";
+        error_log("LDAP - $dn not found using the configured search settings, reject request");
+    } else {
         if ( $directory->disableAccount($ldap, $dn) ) {
             $result = "accountdisabled";
         } else {

htdocs/display.php

@@ -64,6 +64,12 @@
 
     if ($ldap) {
 
+        # DN match
+        if ( !$ldapInstance->matchDn($dn, $dnAttribute, $ldap_user_filter, $ldap_user_base, $ldap_scope) ) {
+            $result = "noentriesfound";
+            error_log("LDAP - $dn not found using the configured search settings, reject request");
+        } else {
+
         # Search attributes
         $attributes = array();
         $search_items = array_merge($display_items, $display_password_items);
@@ -80,8 +86,8 @@
             $result = "ldaperror";
             error_log("LDAP - Search error $errno  (".ldap_error($ldap).")");
         } else {
-            $entry = ldap_get_entries($ldap, $search);
-        }
+
+        $entry = ldap_get_entries($ldap, $search);
 
         # Sort attributes values
         foreach ($entry[0] as $attr => $values) {
@@ -118,7 +124,7 @@
             $isAccountEnabled = $directory->isAccountEnabled($ldap, $dn);
         }
 
-    }
+    }}}
 }
 
 $smarty->assign("entry", $entry[0]);

htdocs/enableaccount.php

@@ -28,7 +28,11 @@
     $ldap = $ldap_connection[0];
     $result = $ldap_connection[1];
 
-    if ($ldap) {
+    # DN match
+    if ( !$ldapInstance->matchDn($dn, $dnAttribute, $ldap_user_filter, $ldap_user_base, $ldap_scope) ) {
+        $result = "noentriesfound";
+        error_log("LDAP - $dn not found using the configured search settings, reject request");
+    } else {
         if ( $directory->enableAccount($ldap, $dn) ) {
             $result = "accountenabled";
         } else {

htdocs/index.php

@@ -86,6 +86,8 @@
   break;
 }
 
+$dnAttribute = $directory->getDnAttribute();
+
 #==============================================================================
 # Other default values
 #==============================================================================

htdocs/lockaccount.php

@@ -28,8 +28,11 @@
     $ldap = $ldap_connection[0];
     $result = $ldap_connection[1];
 
-    if ($ldap)
-    {
+    # DN match
+    if ( !$ldapInstance->matchDn($dn, $dnAttribute, $ldap_user_filter, $ldap_user_base, $ldap_scope) ) {
+        $result = "noentriesfound";
+        error_log("LDAP - $dn not found using the configured search settings, reject request");
+    } else {
         # Get password policy configuration
         $pwdPolicyConfiguration = $directory->getPwdPolicyConfiguration($ldap, $dn, $ldap_default_ppolicy);
         if ($ldap_lockout_duration) { $pwdPolicyConfiguration['lockout_duration'] = $ldap_lockout_durantion; }

htdocs/resetpassword.php

@@ -42,8 +42,11 @@
     $ldap = $ldap_connection[0];
     $result = $ldap_connection[1];
 
-    if ($ldap) {
-
+    # DN match
+    if ( !$ldapInstance->matchDn($dn, $dnAttribute, $ldap_user_filter, $ldap_user_base, $ldap_scope) ) {
+        $result = "noentriesfound";
+        error_log("LDAP - $dn not found using the configured search settings, reject request");
+    } else {
         if ( isset($prehook) || isset($posthook) ) {
             $login_search = ldap_read($ldap, $dn, '(objectClass=*)', array($prehook_login, $posthook_login));
             $login_entry = ldap_first_entry( $ldap, $login_search );

htdocs/unlockaccount.php

@@ -35,7 +35,11 @@
     $ldap = $ldap_connection[0];
     $result = $ldap_connection[1];
 
-    if ($ldap) {
+    # DN match
+    if ( !$ldapInstance->matchDn($dn, $dnAttribute, $ldap_user_filter, $ldap_user_base, $ldap_scope) ) {
+        $result = "noentriesfound";
+        error_log("LDAP - $dn not found using the configured search settings, reject request");
+    } else {
         if ( $directory->unlockAccount($ldap, $dn) ) {
             $result = "accountunlocked";
         } else {