D8722.id.diff
diff --git a/src/auth/PhutilAuthAdapterLDAP.php b/src/auth/PhutilAuthAdapterLDAP.php
--- a/src/auth/PhutilAuthAdapterLDAP.php
+++ b/src/auth/PhutilAuthAdapterLDAP.php
@@ -18,6 +18,7 @@
private $anonymousUsername;
private $anonymousPassword;
private $activeDirectoryDomain;
+ private $alwaysSearch;
private $loginUsername;
private $loginPassword;
@@ -104,6 +105,11 @@
return $this;
}
+ public function setAlwaysSearch($always_search) {
+ $this->alwaysSearch = $always_search;
+ return $this;
+ }
+
public function getAccountID() {
return $this->readLDAPRecordAccountID($this->getLDAPUserData());
}
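Review bot: `setAlwaysSearch()` stores its argument unchanged and the flag is later tested by truthiness in `shouldBindWithoutIdentity()`, so a non-boolean value (for example a non-empty string, if the flag ever arrives from configuration as text) would silently turn on fully anonymous binds; coerce it at the setter, `$this->alwaysSearch = (bool)$always_search;`. Because this flag changes how the adapter authenticates to the directory, the setter also deserves a docblock stating the effect, e.g. `/** When true, search for the account record over an anonymous bind (no username or password) instead of requiring anonymous credentials. */`.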
@@ -209,7 +215,7 @@
$login_user = $this->loginUsername;
$login_pass = $this->loginPassword;
- if ($this->anonymousUsername) {
+ if ($this->shouldBindWithoutIdentity()) {
$distinguished_name = null;
$search_query = null;
foreach ($this->searchAttributes as $attribute) {
@@ -257,13 +263,13 @@
// If we do have anonymous credentials, we'll rebind and try the search
// again below. Doing this automatically means things work correctly more
// often without requiring additional configuration.
- if (!strlen($this->anonymousUsername)) {
+ if (!$this->shouldBindWithoutIdentity()) {
// No anonymous credentials, so we just fail here.
throw new Exception(
pht(
'LDAP: Failed to retrieve record for user "%s" when searching. '.
'Credentialed users may not be able to search your LDAP server. '.
- 'Try configuring anonymous credentials.',
+ 'Try configuring anonymous credentials or fully anonymous binds.',
$login_user));
} else {
// Rebind as anonymous and try the search again.
@@ -352,7 +358,7 @@
}
}
- if (strlen($this->anonymousUsername)) {
+ if ($this->shouldBindWithoutIdentity()) {
$user = $this->anonymousUsername;
$pass = $this->anonymousPassword;
$this->bindLDAP($conn, $user, $pass);
@@ -460,15 +466,40 @@
// NOTE: ldap_bind() dumps cleartext passwords into logs by default. Keep
// it quiet.
- $ok = @ldap_bind($conn, $user, $pass->openEnvelope());
+ if (strlen($user)) {
+ $ok = @ldap_bind($conn, $user, $pass->openEnvelope());
+ } else {
+ $ok = @ldap_bind($conn);
+ }
$profiler->endServiceCall($call_id, array());
if (!$ok) {
- $this->raiseConnectionException(
- $conn,
- pht("Failed to bind to LDAP server (as user '%s').", $user));
+ if (strlen($user)) {
+ $this->raiseConnectionException(
+ $conn,
+ pht('Failed to bind to LDAP server (as user "%s").', $user));
+ } else {
+ $this->raiseConnectionException(
+ $conn,
+ pht('Failed to bind to LDAP server (without username).'));
+ }
}
}
+
+ /**
+ * Determine if this adapter should attempt to bind to the LDAP server
+ * without a user identity.
+ *
+ * Generally, we can bind directly if we have a username/password, or if the
+ * "Always Search" flag is set, indicating that the empty username and
+ * password are sufficient.
+ *
+ * @return bool True if the adapter should perform binds without identity.
+ */
+ private function shouldBindWithoutIdentity() {
+ return $this->alwaysSearch || strlen($this->anonymousUsername);
+ }
+
}
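Review bot: The new credentialed branch in bindLDAP (`if (strlen($user)) { $ok = @ldap_bind($conn, $user, $pass->openEnvelope()); }`) still sends whatever password it is given, and a bind with a non-empty DN and an empty password is an LDAP "unauthenticated" bind that some servers report as success; since the commit now has an explicit identity-less branch for the anonymous case, the credentialed branch should refuse an empty password rather than let a server treat it as a successful login, e.g. `if (strlen($user) && !strlen($pass->openEnvelope())) { $this->raiseConnectionException($conn, pht('LDAP: Refusing to bind as user "%s" with an empty password.', $user)); }` placed before the bind. The hunk at lines 51-52 suggests the login path reaches this helper with the user-supplied password, but its bind call is outside the visible hunks, so confirm that assumption. Separately, the docblock on `shouldBindWithoutIdentity()` says the empty username and password are sufficient, yet the method also returns true when `anonymousUsername` is set, in which case the bind at lines 79-81 does use an identity; rewording it to "returns true when a search bind is possible, either with the configured anonymous credentials or, if Always Search is set, with no identity at all" would match the code, and returning `(bool)` would honor the documented `@return bool` instead of the int from `strlen()`.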
D8722: Add an "Always Search" flag to the libphutil LDAP adapter