[ZendTo] Re: Authentication failure display bug in ZendTo 4.11-6

Mike Brudenell mike.brudenell at york.ac.uk
Thu Jan 17 17:54:16 GMT 2013


Hi, Jules!

On 17 January 2013 16:56, Jules <Jules at zend.to> wrote:

> If you set all the 2nd forest settings to blank (or empty arrays) rather
> than commenting them out, you should have better luck.


Nope… We have the 2nd forest settings set to blank (see below), not
commented out.

Originally we'd got them all set to blank ('') and noticed that this
produced a PHP error string at the top of the page (i.e., the PHP error text
was getting output mingled in with the HTML). That was fixed by changing

  'authLDAPServers2'          => '',

to

  'authLDAPServers2'          => array(),

as per its introductory comment, which we'd initially missed. (I can't
remember the PHP error text exactly but it was that the range for a
for/foreach was invalid.)

That left us with these forest2 settings:

  'authLDAPBaseDN2'           => '',
  'authLDAPServers2'          => array(),
  'authLDAPAccountSuffix2'    => '',
  'authLDAPUseSSL2'           => '',
  'authLDAPBindUser2'         => '',
  'authLDAPBindPass2'         => '',
  'authLDAPOrganization2'     => '',

With these in place entering an invalid password produces the two ghastly
and unfriendly LDAP error messages followed by the human-friendly "Invalid
username or password" message from the ErrBadLogin config string.

The problem is that in the authenticate() function within
lib/NSSADAuthenticator.php the code flow goes like this:

Check username/password in forest1
Check username/password in forest2

Without the "if (empty($this->_ldapServers2)) { return FALSE; }" bail out
test between the two the forest2 test is always performed.

So the PHP code in the forest2 block tries to connect to no LDAP servers
(because none are configured for forest2 in the preferences). So it
complains bitterly that it can't: that produces the two unfriendly LDAP
errors before the human-friendly "You got the username/password wrong"
(sic) message.

In passing…

We're actually running ZendTo 4.08-something on one server and 4.10-5 on
another. Between the two versions the bailout test has been added between
the forest1/forest2 code blocks within the validUsername() function so was
presumably added to fix the problem for that function. It's just also
needed between the same two codeblocks within the authenticate() function
as well.

Cheers,
Mike B-)

-- 
IT Services, The University of York, Heslington, York YO10 5DD, UK
Tel: +44-1904-323811
Disclaimer: <http://www.york.ac.uk/docs/disclaimer/email.htm>
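The control flow Mike describes, as an added PHP illustration that is not ZendTo's own code: the function and helper names and the callable stand-in for an LDAP bind are assumptions, and the server lists are constructed. It runs both flows so the effect of the bail-out test on what the user ends up seeing is visible.

```php
<?php
// Added example, not ZendTo's code. Names below are assumptions for illustration.

// Constructed stand-in for an LDAP bind attempt: it records what it was asked
// to do and, like the real forest2 block Mike describes, "complains" when
// handed an empty server list instead of silently doing nothing.
function makeForestChecker(array &$log): callable
{
    return function (string $user, string $pass, array $servers) use (&$log): bool {
        if (empty($servers)) {
            $log[] = 'LDAP error: no servers to connect to';   // the unfriendly noise
            return false;
        }
        $log[] = 'bind attempt against ' . implode(',', $servers);
        return false;   // constructed: every password is treated as wrong
    };
}

function authenticateTwoForests(string $user, string $pass, array $servers1,
                                array $servers2, callable $tryForest,
                                bool $withBailOut): bool
{
    if ($tryForest($user, $pass, $servers1)) {
        return true;
    }
    // The bail-out that validUsername() already has and authenticate() lacks:
    // with no forest2 servers configured there is nothing left to try.
    if ($withBailOut && empty($servers2)) {
        return false;
    }
    return $tryForest($user, $pass, $servers2);
}

$servers1 = ['ldap1.example.invalid'];   // constructed forest1 server
$servers2 = [];                           // forest2 left unconfigured, as in the config above

foreach ([false, true] as $bailOut) {
    $log = [];
    $ok  = authenticateTwoForests('alice', 'wrong-password', $servers1, $servers2,
                                  makeForestChecker($log), $bailOut);
    printf("bail-out %s: result=%s, log=%s\n",
           $bailOut ? 'on ' : 'off', var_export($ok, true), json_encode($log));
}
// Without the bail-out the empty forest2 list is still "tried", so the raw LDAP
// error is generated ahead of the ErrBadLogin text; with it, only forest1 is
// consulted and the user sees the friendly message alone.
```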