[ZendTo] Authentication failure display bug in ZendTo 4.11-6

Mike Brudenell mike.brudenell at york.ac.uk
Thu Jan 17 16:45:26 GMT 2013


Hi, all -

We are using AD authentication with only 1 forest/domain. When someone
enters an invalid username/password combination they see a ghastly trio of
errors within the login page saying:

    [error] LDAP Error
            Check User: Unable to connect to any of the authentication servers; could not authenticate user.
    [error] LDAP Error
            Check User: Unable to connect to any of the LDAP servers; could not authenticate user.
    [error] Authentication Error
            The username or password was incorrect.

The problem is a missing code fragment in the authenticate() function
within lib/NSSADAuthenticator.php.

An earlier function named validUsername() checks whether the username is
valid by searching domain1 and then domain2. Before checking domain2
there's a check to see whether a second domain is actually configured, and
if not to bail out:

    // Bail out quietly if there isn't a 2nd AD forest
    if (empty($this->_ldapServers2)) {
      return FALSE;
    }

However, in the authenticate() function this bailout test is omitted. So
after checking domain1 for the invalid username/password combination the
function blithely goes on to check it against domain2, even though the
second domain isn't configured in the preferences. This gives the first two
nasty LDAP errors in the trio.

The fix is to copy the bailout code fragment from the validUsername()
function to the equivalent position in the authenticate() function — ie,
just before the domain2 tests.

Sorry I can't give a patch file: we're actually running a version older
than 4.11-6 (but I have checked the lib/NSSADAuthenticator.php file in
4.11-6 and the problem is still present).

Cheers,
Mike B-)

-- 
IT Services, The University of York, Heslington, York YO10 5DD, UK
Tel: +44-1904-323811
Disclaimer: <http://www.york.ac.uk/docs/disclaimer/email.htm>
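To make the fault concrete, here is an added, heavily simplified PHP sketch of the two code paths; it is not ZendTo's code, and the class name, the bindAgainst() stand-in, the login() wrapper and the server/credential values are all constructed. At a single-forest site the buggy path reports an LDAP connection error on top of the real authentication error, while the path with the bailout copied from validUsername() reports only the latter.

```php
<?php
// Simplified stand-in for the pattern in lib/NSSADAuthenticator.php (hypothetical,
// not ZendTo's own code). Server lists and credentials below are constructed.
class DemoADAuthenticator {
    private $_ldapServers;    // first AD forest, always configured
    private $_ldapServers2;   // second AD forest; empty at a single-forest site
    public $errors = array(); // messages that would be shown on the login page
    public function __construct(array $servers1, array $servers2 = array()) {
        $this->_ldapServers  = $servers1;
        $this->_ldapServers2 = $servers2;
    }
    // Stand-in for a bind attempt against one forest. An empty server list yields
    // the "Unable to connect" error a real LDAP client would report.
    private function bindAgainst(array $servers, $user, $pass) {
        if (empty($servers)) {
            $this->errors[] = 'LDAP Error: Unable to connect to any of the LDAP servers.';
            return FALSE;
        }
        return ($user === 'alice' && $pass === 'secret'); // constructed credentials
    }
    // Shape of the buggy authenticate(): tries the 2nd forest unconditionally.
    public function authenticateBuggy($user, $pass) {
        return $this->bindAgainst($this->_ldapServers, $user, $pass)
            || $this->bindAgainst($this->_ldapServers2, $user, $pass);
    }
    // The same function with the bailout copied from validUsername().
    public function authenticateFixed($user, $pass) {
        if ($this->bindAgainst($this->_ldapServers, $user, $pass)) {
            return TRUE;
        }
        // Bail out quietly if there isn't a 2nd AD forest
        if (empty($this->_ldapServers2)) {
            return FALSE;
        }
        return $this->bindAgainst($this->_ldapServers2, $user, $pass);
    }
    // Login-page wrapper: a FALSE result adds the one error the user should see.
    public function login($method, $user, $pass) {
        $this->errors = array();
        if (!$this->$method($user, $pass)) {
            $this->errors[] = 'Authentication Error: The username or password was incorrect.';
        }
        return $this->errors;
    }
}
$auth = new DemoADAuthenticator(array('dc1.example.test')); // single forest, no 2nd list
print_r($auth->login('authenticateBuggy', 'bob', 'wrong'));  // spurious LDAP error plus the real one
print_r($auth->login('authenticateFixed', 'bob', 'wrong'));  // only the real one
```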