From 956e18ffcd416771b5c54d53c2a6feb2ff56a3c2 Mon Sep 17 00:00:00 2001
From: Tony Murray
Date: Fri, 9 Sep 2016 08:04:03 -0500
Subject: [PATCH] feature: Better error messages for ad_auth (#4385)

---
 doc/Extensions/Authentication.md | 15 ++++----
 html/includes/authenticate.inc.php | 7 +++-
 .../authentication/active_directory.inc.php | 35 +++++++++++++------
 3 files changed, 39 insertions(+), 18 deletions(-)

diff --git a/doc/Extensions/Authentication.md b/doc/Extensions/Authentication.md
index e1faa5509b..6698dffebe 100644
--- a/doc/Extensions/Authentication.md
+++ b/doc/Extensions/Authentication.md
@@ -142,14 +142,15 @@ If you set ```$config['auth_ad_require_groupmembership']``` to 1, the authentica
 
 ##### Sample configuration
 ```
-$config['auth_ad_url'] = "ldaps://your-domain.controll.er";
-$config['auth_ad_check_certificates'] = 1; // or 0
-$config['auth_ad_domain'] = "your-domain.com";
-$config['auth_ad_base_dn'] = "dc=your-domain,dc=com";
+$config['auth_ad_url'] = "ldaps://";
+$config['auth_ad_domain'] = "";
+$config['auth_ad_base_dn'] = "";
+$config['auth_ad_check_certificates'] = true; // require a valid ssl certificate
+$config['auth_ad_debug'] = false; // enable for verbose debug messages
+$config['active_directory']['users_purge'] = 30; // purge users who haven't logged in for 30 days.
+$config['auth_ad_require_groupmembership'] = false; // require users to be members of a group listed below
 $config['auth_ad_groups']['']['level'] = 10;
-$config['auth_ad_groups']['']['level'] = 7;
-$config['auth_ad_require_groupmembership'] = 0;
-$config['active_directory']['users_purge'] = 14;//Purge users who haven't logged in for 14 days.
+$config['auth_ad_groups']['']['level'] = 7;
 ```
 
 Replace `` with your Active Directory admin-user group and `` with your standard user group.
diff --git a/html/includes/authenticate.inc.php b/html/includes/authenticate.inc.php
index c5279d0ea7..e869aa6ea6 100644
--- a/html/includes/authenticate.inc.php
+++ b/html/includes/authenticate.inc.php
@@ -102,7 +102,12 @@ if ((isset($_SESSION['username'])) || (isset($_COOKIE['sess_id'],$_COOKIE['token
             exit;
         }
     } elseif (isset($_SESSION['username'])) {
-        $auth_message = 'Authentication Failed';
+        global $auth_error;
+        if (isset($auth_error)) {
+            $auth_message = $auth_error;
+        } else {
+            $auth_message = 'Authentication Failed';
+        }
         unset($_SESSION['authenticated']);
         dbInsert(array('user' => $_SESSION['username'], 'address' => get_client_ip(), 'result' => 'Authentication Failure'), 'authlog');
     }
diff --git a/html/includes/authentication/active_directory.inc.php b/html/includes/authentication/active_directory.inc.php
index 2994d56c6d..fdbbc91468 100644
--- a/html/includes/authentication/active_directory.inc.php
+++ b/html/includes/authentication/active_directory.inc.php
@@ -4,10 +4,14 @@
 
 // disable certificate checking before connect if required
 if (isset($config['auth_ad_check_certificates']) &&
-    $config['auth_ad_check_certificates'] == 0) {
+    !$config['auth_ad_check_certificates']) {
     putenv('LDAPTLS_REQCERT=never');
 };
 
+if (isset($config['auth_ad_debug']) && $config['auth_ad_debug']) {
+    ldap_set_option(null, LDAP_OPT_DEBUG_LEVEL, 7);
+}
+
 $ldap_connection = @ldap_connect($config['auth_ad_url']);
 
 // disable referrals and force ldap version to 3
@@ -17,14 +21,14 @@ ldap_set_option($ldap_connection, LDAP_OPT_PROTOCOL_VERSION, 3);
 
 function authenticate($username, $password)
 {
-    global $config, $ldap_connection;
+    global $config, $ldap_connection, $auth_error;
 
     if ($ldap_connection) {
         // bind with sAMAccountName instead of full LDAP DN
         if ($username && ldap_bind($ldap_connection, "{$username}@{$config['auth_ad_domain']}", $password)) {
             // group membership in one of the configured groups is required
             if (isset($config['auth_ad_require_groupmembership']) &&
-                $config['auth_ad_require_groupmembership'] > 0) {
+                $config['auth_ad_require_groupmembership']) {
                 $search = ldap_search(
                     $ldap_connection,
                     $config['auth_ad_base_dn'],
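Review bot: `$auth_message = $auth_error;` passes text produced by the Active Directory module — `ldap_error()` and, when `auth_ad_debug` is on, the server-supplied `LDAP_OPT_DIAGNOSTIC_MESSAGE` — straight to whatever renders the login failure, and nothing in this hunk escapes it. If the template echoes `$auth_message` raw, assign `$auth_message = htmlspecialchars($auth_error, ENT_QUOTES, 'UTF-8');` here or escape at the output point; the rendering code is outside this hunk, so I cannot confirm which applies. The `dbInsert(...)` call still records the fixed string `'Authentication Failure'`, so the detailed reason is shown to the browser but not kept for later review; consider writing `$auth_error` into the authlog row as well. The enclosing if/elseif chain begins before this hunk.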
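Review bot: `ldap_set_option(null, LDAP_OPT_DEBUG_LEVEL, 7);` enables libldap trace and packet output to the web server's error log, and the packet dump can include the simple-bind password of every login attempt for as long as `auth_ad_debug` stays set; with a null link the option also appears to be process-wide rather than per connection. Add a comment above the block that states the cost, e.g. `// level 7 dumps LDAP traffic (which can include bind credentials) to the error log; enable only while troubleshooting`, and say the same on the `auth_ad_debug` line of the Authentication.md sample, which currently calls it only "verbose debug messages". Since the same flag also surfaces the directory's diagnostic text on the login page for an unauthenticated visitor, documenting it as a troubleshooting toggle rather than a normal setting matters.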
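Review bot: The bind guard `if ($username && ldap_bind($ldap_connection, "{$username}@{$config['auth_ad_domain']}", $password))` still checks only the username, so an empty `$password` is handed to `ldap_bind()`, which then performs an unauthenticated bind that some directory servers accept as successful; the commit does not address this. Change the guard to `if ($username && $password !== '' && ldap_bind(...))` so an empty password is rejected before the server is consulted. Because the guard short-circuits on an empty `$username`, no bind is attempted and `$auth_error` is later filled from `ldap_error($ldap_connection)`, which reports the last operation's result rather than a credentials failure; set `$auth_error` explicitly on that path. The body of `authenticate()` continues past this hunk.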
@@ -33,28 +37,39 @@ function authenticate($username, $password)
                 );
                 $entries = ldap_get_entries($ldap_connection, $search);
 
-                $user_authenticated = 0;
-
                 foreach ($entries[0]['memberof'] as $entry) {
                     $group_cn = get_cn($entry);
                     if (isset($config['auth_ad_groups'][$group_cn]['level'])) {
                         // user is in one of the defined groups
-                        $user_authenticated = 1;
                         adduser($username);
+                        return 1;
                     }
                 }
-                return $user_authenticated;
+                if (isset($config['auth_ad_debug']) && $config['auth_ad_debug']) {
+                    if ($entries['count'] == 0) {
+                        $auth_error = 'No groups found for user, check base dn';
+                    } else {
+                        $auth_error = 'User is not in one of the required groups';
+                    }
+                } else {
+                    $auth_error = 'Invalid credentials';
+                }
+
+                return 0;
             } else {
                 // group membership is not required and user is valid
                 adduser($username);
                 return 1;
             }
-        } else {
-            return 0;
         }
+    }
+
+    if (isset($config['auth_ad_debug']) && $config['auth_ad_debug']) {
+        ldap_get_option($ldap_connection, LDAP_OPT_DIAGNOSTIC_MESSAGE, $extended_error);
+        $auth_error = ldap_error($ldap_connection).'
'.$extended_error;
     } else {
-        echo ldap_error($ldap_connection);
+        $auth_error = ldap_error($ldap_connection);
     }
 
     return 0;