LDAP groupfilter don't work as expected
chuhn opened this issue · 2 comments
In our setup we use LDAP authentication with grouptree and groupfilter, eg.
$conf['auth']['ldap']['grouptree'] = 'cn=groups,dc=example,dc=com';
$conf['auth']['ldap']['groupfilter'] = '(&(cn=onagroup)(uniqueMember=%{dn})(objectClass=GroupOfUniqueNames))';
The expected behavior would be that only members of ONAGROUP can connect to ONA and logins of other LDAP accounts fail.
What actually happens is that all LDAP logins with correct credential succeed and the user permissions are comparable to the guest access (global read-only access).
My proposal would be that
ona/www/include/functions_auth.inc.php
Line 65 in 53c03bc
$auth->getUserData($login_name); and block users with no groups assigned.Another observation: LDAP login attempts with an existing user but wrong password are declined with 'Unknown user' instead of 'Wrong password'.
This is due to the direct bind that fails. ONA cannot distinguish between the two.
The error should simply be 'Login failed'.
Not sure how I totally missed answering you on this one. SORRY!
First off.. I would agree. Returning 'Login failed' would be more appropriate.. that should be forthcoming.
Second. It looks like there is no proper logic for successful logins for users with no groups. Seems to be just doing the default read only thing as you have pointed out. I tried the 'disable_guest' system config option and that did not fix it.
I'll probably look into fixing the disable_guest flag. Basically the general assumption has been a default read only with additional permissions. The disable_guest flag should really be called 'disable_readonly' or similar. Gotta git a bit more on the logic here and see what fits best.