kanboard / kanboard

Kanban project management software
https://kanboard.org
MIT License

LDAP: Proxy: fname.lname=NG: username=OK #1495

Closed poing closed 8 years ago

poing commented 8 years ago

When using a third-party LDAP provider, single usernames can authenticate, but usernames with a dot . can not. PHP LDAP works with the provider for other applications, so there could be an escape issue in kanboard.

guest = OK
guest.user = FAILS

// LDAP server hostname
define('LDAP_SERVER', 'ldap.jumpcloud.com');

// LDAP bind type: "anonymous", "user" or "proxy"
define('LDAP_BIND_TYPE', 'proxy');

// LDAP username to use with proxy mode
define('LDAP_USERNAME', 'uid=PROXYAUTH,ou=Users,o=PRIVATE,dc=jumpcloud,dc=com');

// LDAP password to use for proxy mode
define('LDAP_PASSWORD', 'PA$$W0RD');

// LDAP account base, i.e. root of all user account
// Example: ou=People,dc=example,dc=com
define('LDAP_ACCOUNT_BASE', 'ou=Users,o=PRIVATE,dc=jumpcloud,dc=com');

// LDAP query pattern to use when searching for a user account
// Example for OpenLDAP: 'uid=%s'
define('LDAP_USER_PATTERN', 'uid=%s');

I tried to change LDAP_USER_PATTERN to add quotes, but the issue persisted.

// LDAP query pattern to use when searching for a user account
// Example for OpenLDAP: 'uid=%s'
define('LDAP_USER_PATTERN', 'uid="%s"');  // <-- Double Quotes

Any thoughts?
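To check whether filter escaping could explain the difference between `guest` and `guest.user`, here is an added example (not Kanboard's code) that builds the search filter from a pattern such as LDAP_USER_PATTERN with RFC 4515 escaping applied to the username. `escapeFilterValue` and `buildUserFilter` are names chosen for this example, and the escape table mirrors what PHP's `ldap_escape()` does with `LDAP_ESCAPE_FILTER`; it is inlined so the script runs without ext/ldap.

```php
<?php
// Added example, not Kanboard code: compose an LDAP search filter from a
// pattern like 'uid=%s' and a username, escaping the username first.

function escapeFilterValue(string $value): string
{
    // RFC 4515: only these bytes must be written as \XX inside a filter
    // value. A dot is not among them, so it passes through unchanged.
    $special = [
        '\\' => '\5c',
        '*'  => '\2a',
        '('  => '\28',
        ')'  => '\29',
        "\0" => '\00',
    ];
    return strtr($value, $special);
}

function buildUserFilter(string $pattern, string $username): string
{
    $filter = sprintf($pattern, escapeFilterValue($username));
    // Wrap in parentheses unless the pattern already supplies them.
    return $filter[0] === '(' ? $filter : '(' . $filter . ')';
}

// Constructed sample inputs (pattern, username).
$cases = [
    ['uid=%s',   'guest'],
    ['uid=%s',   'guest.user'],         // dot survives escaping untouched
    ['uid="%s"', 'guest.user'],         // quotes become part of the value
    ['uid=%s',   'guest.user)(uid=*'],  // filter metacharacters are neutralised
];

foreach ($cases as [$pattern, $username]) {
    printf("%-10s %-20s => %s\n", $pattern, $username, buildUserFilter($pattern, $username));
}
```

The third case shows why the quoted pattern could not help: the server compares the uid attribute against the literal string `"guest.user"`, quotes included, so no entry matches. The fourth case is the escaping that stops a username from altering the filter structure.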

fguillot commented 8 years ago

You should try again with the latest stable version; several changes have been made for LDAP auth. I tested myself with a username with a dot "firstname.lastname" and it's working correctly.

poing commented 8 years ago

Still no joy! :disappointed:

I've had mixed results with the third-party LDAP provider. It's been hit-or-miss, depending on the LDAP methods / libraries used by various applications.

If you can not reproduce the issue, I'll live with it. Thanks for taking a look.

BTW: The changes to LDAP auth are not backward compatible. Some of the setting names changed, so it threw a couple of errors on the upgrade. LDAP_USER_ATTRIBUTE_USERNAME and LDAP_USER_BASE_DN were added.

You might want to add a fix, something like this....

// If the new constant is not defined yet, fall back to the old setting name.
// (defined() is used because isset() cannot test a constant.)
if (!defined('LDAP_USER_BASE_DN')) {
    define('LDAP_USER_BASE_DN', LDAP_ACCOUNT_BASE);
}

fguillot commented 8 years ago

All breaking changes are documented in the ChangeLog and the documentation is up to date.