Commit 834c94d26d47d8f05e7cd02c47a70cd9be0327df
1 parent
5c9a5f60
KTS-1786
"Moving Users To a new OU in active Directory Causes - Failed Logins - Auth Failure" Fixed. Added a second authentication check: if the login fails using the dn, it then tries to authenticate using the sAMAccountName. Committed by: Megan Watson Reviewed by: Conrad Vermeulen git-svn-id: https://kt-dms.svn.sourceforge.net/svnroot/kt-dms/trunk@7919 c91229c3-7414-0410-bfa2-8a42b809f60b
Showing
1 changed file
with
58 additions
and
0 deletions
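--- a/plugins/ktstandard/ldap/ldapbaseauthenticationprovider.inc.php
+++ b/plugins/ktstandard/ldap/ldapbaseauthenticationprovider.inc.php
@@ -741,6 +741,63 @@ class KTLDAPBaseAuthenticator extends Authenticator {
 return $this->oLdap;
 }
 $res = $this->oLdap->reBind($dn, $sPassword);
+
+if(PEAR::isError($res)){
+// If bind returns false, do a search on the user using the SAMAccountName which should be unique
+$res = $this->authenticateOnLDAPUsername($oUser, $sPassword);
+}
+return $res;
+}
+
+/**
+* Search for the user on the username / sAMAccountName and authenticate.
+* If authentication is successful then update the users authentication details (dn)
+*
+* @param object $oUser
+* @param string $sPassword
+* @return unknown
+*/
+function authenticateOnLDAPUsername($oUser, $sPassword){
+
+// Reconnect for the search.
+$config = array(
+'dn' => $this->sSearchUser,
+'password' => $this->sSearchPassword,
+'host' => $this->sLdapServer,
+'base' => $this->sBaseDN,
+'options' => array('LDAP_OPT_REFERRALS' => 0),
+'tls' => $this->bTls,
+'port'=> $this->iLdapPort
+);
+
+$this->oLdap =& Net_LDAP::connect($config);
+if (PEAR::isError($this->oLdap)) {
+return $res;
+}
+
+// Get the users sAMAccountName and search LDAP
+$sName = $oUser->getAuthenticationDetails2();
+if(empty($sName)){
+return false;
+}
+$aResults = $this->searchUsers($sName);
+if(PEAR::isError($aResults) || empty($aResults)){
+return $aResults;
+}
+foreach($aResults as $aEntry){
+if($aEntry['sAMAccountName'] == $sName){
+$newDn = $aEntry['dn'];
+break;
+}
+}
+
+$res = $this->oLdap->reBind($newDn, $sPassword);
+
+if(!PEAR::isError($res) && $res){
+// If the connection is successful, update the users authentication details with the new dn.
+$oUser->setAuthenticationDetails($newDn);
+$oUser->update();
+}
 return $res;
 }
 
@@ -850,6 +907,7 @@ class KTLDAPBaseAuthenticator extends Authenticator {
 }
 $sFilter = sprintf('(&(%s)(%s))', $sObjectClasses, $sSearchAttributes);
 $default->log->debug("Search filter is: " . $sFilter);
+
 $oResult = $this->oLdap->search($rootDn, $sFilter, $aParams);
 if (PEAR::isError($oResult)) {
 return $oResult;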
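Review bot: In authenticateOnLDAPUsername the connection-failure branch returns `$res`, which is not defined at that point, so the caller receives null and the PEAR error from Net_LDAP::connect is lost; it should be `return $this->oLdap;`. Likewise `$newDn` is only assigned when an entry's sAMAccountName matches, so when the search returns entries but none match, `reBind` is called with an undefined DN — add `if (empty($newDn)) { return false; }` after the foreach so an empty-DN bind is never attempted (depending on the server that can succeed as an anonymous bind, and the result would then be persisted through setAuthenticationDetails/update). Whether searchUsers escapes `$sName` before it is placed into the sprintf'd filter is not visible in this hunk; the value comes from the stored user record rather than the login form, but it is worth confirming since the search result decides which DN the password is checked against. The enclosing caller of the first hunk starts before the hunk, so its handling of a false/null return is not reviewed here.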