fix: Prevent accidental anonymous binds (#4784)

* Prevent LDAP and Active Directory authentication from allowing anonymous binds

* fix style
jonathon-k
2016-10-13 09:19:36 -06:00
committed by Tony Murray
parent e7bbde6b52
commit ba9672b986
2 changed files with 7 additions and 3 deletions


@@ -25,7 +25,7 @@ function authenticate($username, $password)
if ($ldap_connection) {
// bind with sAMAccountName instead of full LDAP DN
if ($username && ldap_bind($ldap_connection, "{$username}@{$config['auth_ad_domain']}", $password)) {
if ($username && $password && ldap_bind($ldap_connection, "{$username}@{$config['auth_ad_domain']}", $password)) {
// group membership in one of the configured groups is required
if (isset($config['auth_ad_require_groupmembership']) &&
$config['auth_ad_require_groupmembership']) {
@@ -66,7 +66,9 @@ function authenticate($username, $password)
}
}
if (isset($config['auth_ad_debug']) && $config['auth_ad_debug']) {
if (!isset($password) || $password == '') {
$auth_error = "A password is required";
} elseif (isset($config['auth_ad_debug']) && $config['auth_ad_debug']) {
ldap_get_option($ldap_connection, LDAP_OPT_DIAGNOSTIC_MESSAGE, $extended_error);
$auth_error = ldap_error($ldap_connection).'<br />'.$extended_error;
} else {
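Review bot: The guard on the bind line tests `$password` for truthiness while the new error branch tests `!isset($password) || $password == ''`, and the two disagree for the string `'0'`: PHP treats it as falsy, so the bind is skipped, yet the "A password is required" branch does not fire and the user gets the generic or debug LDAP error for a bind that was never attempted. One explicit emptiness test used in both places, for example `$password !== null && $password !== ''` (and the same for `$username`), still rejects the empty password that a directory server may accept as an unauthenticated bind, without rejecting a valid credential. The same truthiness guard and message condition appear in the LDAP file's hunks further down. `authenticate()` starts and ends outside these hunks, so whether `$password` is always a string at this point is not visible.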


@@ -20,7 +20,7 @@ function authenticate($username, $password)
ldap_set_option($ldap_connection, LDAP_OPT_PROTOCOL_VERSION, $config['auth_ldap_version']);
}
if (ldap_bind($ldap_connection, $config['auth_ldap_prefix'].$username.$config['auth_ldap_suffix'], $password)) {
if ($password && ldap_bind($ldap_connection, $config['auth_ldap_prefix'].$username.$config['auth_ldap_suffix'], $password)) {
if (!$config['auth_ldap_group']) {
return 1;
} else {
@@ -37,6 +37,8 @@ function authenticate($username, $password)
}
}
}
} elseif (!isset($password) || $password == '') {
echo 'A password is required';
} else {
echo ldap_error($ldap_connection);
}
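Review bot: The bind DN on the changed line is still built by concatenating `$username` between `$config['auth_ldap_prefix']` and `$config['auth_ldap_suffix']` with no escaping, so DN metacharacters in the submitted name (such as `,`, `+` or `=`) change which entry the bind is attempted against. The password still has to match that entry, but the outcome can be a successful login as an entry outside the subtree the prefix and suffix were meant to pin, which matters most on the `!$config['auth_ldap_group']` path that returns 1 straight after the bind. Escaping the value first with `ldap_escape($username, '', LDAP_ESCAPE_DN)` closes this; that function needs PHP 5.6 or later, and the minimum version this project supports is not visible here. Unlike the Active Directory hunk, this condition also does not reject an empty `$username`. `authenticate()` begins and ends outside these hunks.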