feature: Better error messages for ad_auth (#4385)

2024-10-07 16:52:45 +00:00 · 2016-09-09 08:04:03 -05:00
parent 833f509c36
commit 956e18ffcd
3 changed files with 39 additions and 18 deletions
--- a/doc/Extensions/Authentication.md
+++ b/doc/Extensions/Authentication.md
@@ -142,14 +142,15 @@ If you set ```$config['auth_ad_require_groupmembership']``` to 1, the authentica
 ##### Sample configuration

 ```
-$config['auth_ad_url']                      = "ldaps://your-domain.controll.er";
-$config['auth_ad_check_certificates']       = 1; // or 0
-$config['auth_ad_domain']                   = "your-domain.com";
-$config['auth_ad_base_dn']                  = "dc=your-domain,dc=com";
+$config['auth_ad_url']                     = "ldaps://<your-domain.controll.er>";
+$config['auth_ad_domain']                  = "<your-domain.com>";
+$config['auth_ad_base_dn']                 = "<dc=your-domain,dc=com>";
+$config['auth_ad_check_certificates']      = true;  // require a valid ssl certificate
+$config['auth_ad_debug']                   = false; // enable for verbose debug messages
+$config['active_directory']['users_purge'] = 30;    // purge users who haven't logged in for 30 days.
+$config['auth_ad_require_groupmembership'] = false; // require users to be members of a group listed below
 $config['auth_ad_groups']['<ad-admingroup>']['level'] = 10;
-$config['auth_ad_groups']['<ad-usergroup>']['level']   = 7;
-$config['auth_ad_require_groupmembership']  = 0;
-$config['active_directory']['users_purge']  = 14;//Purge users who haven't logged in for 14 days.
+$config['auth_ad_groups']['<ad-usergroup>']['level']  = 7;
 ```

 Replace `<ad-admingroup>` with your Active Directory admin-user group and `<ad-usergroup>` with your standard user group.
--- a/html/includes/authenticate.inc.php
+++ b/html/includes/authenticate.inc.php
@@ -102,7 +102,12 @@ if ((isset($_SESSION['username'])) || (isset($_COOKIE['sess_id'],$_COOKIE['token
            exit;
        }
    } elseif (isset($_SESSION['username'])) {
-        $auth_message = 'Authentication Failed';
+        global $auth_error;
+        if (isset($auth_error)) {
+            $auth_message = $auth_error;
+        } else {
+            $auth_message = 'Authentication Failed';
+        }
        unset($_SESSION['authenticated']);
        dbInsert(array('user' => $_SESSION['username'], 'address' => get_client_ip(), 'result' => 'Authentication Failure'), 'authlog');
    }
--- a/html/includes/authentication/active_directory.inc.php
+++ b/html/includes/authentication/active_directory.inc.php
@@ -4,10 +4,14 @@

 // disable certificate checking before connect if required
 if (isset($config['auth_ad_check_certificates']) &&
-          $config['auth_ad_check_certificates'] == 0) {
+          !$config['auth_ad_check_certificates']) {
    putenv('LDAPTLS_REQCERT=never');
 };

+if (isset($config['auth_ad_debug']) && $config['auth_ad_debug']) {
+    ldap_set_option(null, LDAP_OPT_DEBUG_LEVEL, 7);
+}
+
 $ldap_connection = @ldap_connect($config['auth_ad_url']);

 // disable referrals and force ldap version to 3
@@ -17,14 +21,14 @@ ldap_set_option($ldap_connection, LDAP_OPT_PROTOCOL_VERSION, 3);

 function authenticate($username, $password)
 {
-    global $config, $ldap_connection;
+    global $config, $ldap_connection, $auth_error;

    if ($ldap_connection) {
        // bind with sAMAccountName instead of full LDAP DN
        if ($username && ldap_bind($ldap_connection, "{$username}@{$config['auth_ad_domain']}", $password)) {
            // group membership in one of the configured groups is required
            if (isset($config['auth_ad_require_groupmembership']) &&
-                $config['auth_ad_require_groupmembership'] > 0) {
+                $config['auth_ad_require_groupmembership']) {
                $search = ldap_search(
                    $ldap_connection,
                    $config['auth_ad_base_dn'],
@@ -33,28 +37,39 @@ function authenticate($username, $password)
                );
                $entries = ldap_get_entries($ldap_connection, $search);

-                $user_authenticated = 0;
-                
                foreach ($entries[0]['memberof'] as $entry) {
                    $group_cn = get_cn($entry);
                    if (isset($config['auth_ad_groups'][$group_cn]['level'])) {
                        // user is in one of the defined groups
-                        $user_authenticated = 1;
                        adduser($username);
+                        return 1;
                    }
                }

-                return $user_authenticated;
+                if (isset($config['auth_ad_debug']) && $config['auth_ad_debug']) {
+                    if ($entries['count'] == 0) {
+                        $auth_error = 'No groups found for user, check base dn';
+                    } else {
+                        $auth_error = 'User is not in one of the required groups';
+                    }
+                } else {
+                    $auth_error = 'Invalid credentials';
+                }
+
+                return 0;
            } else {
                // group membership is not required and user is valid
                adduser($username);
                return 1;
            }
-        } else {
-            return 0;
        }
+    }
+
+    if (isset($config['auth_ad_debug']) && $config['auth_ad_debug']) {
+        ldap_get_option($ldap_connection, LDAP_OPT_DIAGNOSTIC_MESSAGE, $extended_error);
+        $auth_error = ldap_error($ldap_connection).'<br />'.$extended_error;
    } else {
-        echo ldap_error($ldap_connection);
+        $auth_error = ldap_error($ldap_connection);
    }

    return 0;