[ZendTo] Re: Authentication failure display bug in ZendTo 4.11-6
Jules
Jules at Zend.To
Fri Jan 18 09:08:24 GMT 2013
On 17/01/2013 17:54, Mike Brudenell wrote:
> Hi, Jules!
>
> On 17 January 2013 16:56, Jules <Jules at zend.to> wrote:
>
> If you set all the 2nd forest settings to blank (or empty arrays)
> rather than commenting them out, you should have better luck.
>
>
> Nope... We have the 2nd forest settings set to blank (see below), not
> commented out.
>
> Originally we'd got them all set to blank ('') and noticed that this
> produced a PHP error string at the top of the page (ie, the PHP error
> text was getting output mingled in with the HTML). That was fixed by
> changing
>
> 'authLDAPServers2' => '',
>
> to
>
> 'authLDAPServers2' => array(),
>
> as per its introductory comment, which we'd initially missed.
If they were originally arrays in my default file, they need to be
arrays still, even empty ones.
> (I can't remember the PHP error text exactly but it was that the range
> for a for/foreach was invalid.)
>
> That left us with these forest2 settings:
>
> 'authLDAPBaseDN2' => '',
> 'authLDAPServers2' => array(),
> 'authLDAPAccountSuffix2' => '',
> 'authLDAPUseSSL2' => '',
> 'authLDAPBindUser2' => '',
> 'authLDAPBindPass2' => '',
> 'authLDAPOrganization2' => '',
>
>
> With these in place entering an invalid password produces the two
> ghastly and unfriendly LDAP error messages followed by the
> human-friendly "Invalid username or password" message from the
> ErrBadLogin config string.
>
> The problem is that in the authenticate() function within
> lib/NSSADAuthenticator.php the code flow goes like this:
>
> Check username/password in forest1
> Check username/password in forest2
>
>
> Without the "if (empty($this->_ldapServers2)) { return FALSE; }" bail
> out test between the two the forest2 test is always performed.
>
> So the PHP code in the forest2 block tries to connect to no LDAP
> servers (because none are configured for forest2 in the preferences).
> So it complains bitterly that it can't: that produces the two
> unfriendly LDAP errors before the human-friendly "You got the
> username/password wrong" (sic) message.
I'll definitely take a look in the light of what you've said. Other
people haven't raised this in the past; they've got it working. So I'll
see what happens when I set up mine with only 1 forest.
>
> In passing...
>
> We're actually running ZendTo 4.08-something on one server and 4.10-5
> on another. Between the two versions the bailout test has been added
> between the forest1/forest2 code blocks within the validUsername()
> function so was presumably added to fix the problem for that function.
> It's just also needed between the same two codeblocks within the
> authenticate() function as well.
Aha! Many thanks! :-)
Yes, just looked at the code, you're totally right.
Jules.
>
> Cheers,
> Mike B-)
>
> --
> IT Services, The University of York, Heslington, York YO10 5DD, UK
> Tel: +44-1904-323811
> Disclaimer: <http://www.york.ac.uk/docs/disclaimer/email.htm>
>
>
> _______________________________________________
> ZendTo mailing list
> ZendTo at zend.to
> http://mailman.ecs.soton.ac.uk/mailman/listinfo/zendto
>
> Jules
>
> --
> Julian Field MEng MBCS CITP CEng
>
> 'When I read Shakespeare I am struck with wonder
> That such trivial people should muse and thunder
> In such lovely language.' - D.H. Lawrence
>
> www.Zend.To
> Twitter: @JulesFM
> PGP footprint: EE81 D763 3DB0 0BFD E1DC 7222 11F6 5947 1415 B654
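As an added illustration (not ZendTo's own code), here is a hypothetical authenticate-style function modelling the control flow Mike describes: it skips any forest whose server list is empty, so an unused forest2 never triggers an LDAP connection attempt and its raw PHP warnings never end up in the login page. The function and array names are made up; the configuration shape follows the preferences keys quoted above, with a constructed sample at the end.

```php
<?php
// Hypothetical model of the authenticate() flow discussed in the thread.
// The bail-out on an empty server list is the check validUsername() has
// and authenticate() was missing. ldap_* are the real PHP extension calls.

function authenticateAgainstForests(array $forests, string $user, string $pass): bool
{
    // General LDAP caveat (not something the thread reports): an empty
    // password makes ldap_bind() perform an anonymous bind, which succeeds
    // on many servers, so reject it before contacting any directory.
    if ($pass === '') {
        return false;
    }
    foreach ($forests as $label => $f) {
        // Bail out before touching an unconfigured forest: an empty 'servers'
        // array is the "forest2 not in use" case. Without this check the
        // connect/bind below runs with no hosts and PHP emits the raw LDAP
        // warnings that were seen mingled with the page HTML.
        if (empty($f['servers'])) {
            continue;
        }
        foreach ($f['servers'] as $host) {
            $conn = @ldap_connect($host);
            if ($conn === false) {
                continue; // try the next server in this forest
            }
            ldap_set_option($conn, LDAP_OPT_PROTOCOL_VERSION, 3);
            // Bind as user + account suffix. Suppress the warning so the only
            // text the browser sees on failure is the friendly ErrBadLogin
            // string, not server names or LDAP diagnostics; log ldap_error()
            // server-side instead if the detail is needed.
            $ok = @ldap_bind($conn, $user . $f['accountSuffix'], $pass);
            if (!$ok) {
                error_log("LDAP bind failed for $label/$host: " . ldap_error($conn));
            }
            ldap_unbind($conn);
            if ($ok) {
                return true;
            }
        }
    }
    return false; // caller shows the ErrBadLogin message
}

// Constructed sample: forest1 configured, forest2 left blank as in the thread
// (empty array for the server list, empty strings elsewhere).
$forests = [
    'forest1' => ['servers' => ['ldap://ldap.example.test'], 'accountSuffix' => '@example.test'],
    'forest2' => ['servers' => [],                           'accountSuffix' => ''],
];
var_dump(authenticateAgainstForests($forests, 'mike', 'not-the-real-password'));
```

With display_errors enabled, any warning the LDAP extension does raise is written straight into the HTML response, which is why the suppression plus server-side logging matters as much as the bail-out itself.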