xperseguers / t3ext-ig_ldap_sso_auth

TYPO3 Extension ig_ldap_sso_auth. This extension provides LDAP and SSO support for TYPO3.
https://extensions.typo3.org/extension/ig_ldap_sso_auth

[BUGFIX] Prevent possible domain match when using a single AD server #123

Closed xperseguers closed 3 years ago

xperseguers commented 3 years ago

Resolves: #119

pniederlag commented 3 years ago

To be honest, looking into the code again, I stumble once more on

$domain = null;
if (!Configuration::getValue('SSOKeepDomainName')) {
    $domain = 'whatever';
}
// if NOT SSOKeepDomainName, then pass it along (in order to keep/check it?)

https://github.com/xperseguers/t3ext-ig_ldap_sso_auth/blob/master/Classes/Service/AuthenticationService.php#L136

If you want to keep the SSO domain, get it from remote user and pass it along, enabling a check from domain and baseDN in user record. If not, don't pass it, don't check it...

Are you with me? ;)

xperseguers commented 3 years ago

I'm not with you since I don't get exactly what you mean, please provide a patch in your description so that it's clear what you mean.

Not really, I don't know if that's really feasible but you could possibly have a username in your AD (or OpenLDAP maybe?) which needs to have a @some-domain in its username while checking against another arbitrary DC in your binding.

The added case for checking the domain against the DC has been added in order to work with AD forests.