MDL-9399 auth/ldap: Tighten NTLM AD checks to the appropriate OU

From Iñaki Arenaza... Right now, if someone logs in via NTLM magic, we don't check if that user is inside the contexts specified in the LDAP settings. I mean, if I want to restrict my Moodle site to those users inside a given OU or subtree of my LDAP directory, with the current code any valid user in my whole AD domain (and if we are using a GC as the LDAP server, the whole forest) can log in. We should check that the user is inside one of the configured contexts before allowing his/her to log in. Something along the lines of the attached patch could do it.
2025-01-19 06:18:28 +01:00 · 2007-11-14 22:09:59 +00:00 · 2007-11-14 22:09:59 +00:00 · f8bf0f4afc
commit f8bf0f4afc
parent ddf3de6720
1 changed files with 13 additions and 1 deletions
--- a/auth/ldap/auth.php
+++ b/auth/ldap/auth.php
@ -102,7 +102,19 @@ class auth_plugin_ldap extends auth_plugin_base {
                        unset($key);
                        unset($time);
                        unset($sessusername);
-                        return true;
+
+                        // Check that the user is inside one of the configured LDAP contexts
+                        $validuser = false;
+                        $ldapconnection = $this->ldap_connect();
+                        if ($ldapconnection) {
+                            // if the user is not inside the configured contexts,
+                            // ldap_find_userdn returns false.
+                            if ($this->ldap_find_userdn($ldapconnection, $extusername)) {
+                                $validuser = true;
+                            }
+                            ldap_close($ldapconnection);
+                        }
+                        return $validuser;
                    }
                }
            }