From f8bf0f4afcf3a51dc90ecd50963381e7caab723d Mon Sep 17 00:00:00 2001
From: martinlanghoff
Date: Wed, 14 Nov 2007 22:09:59 +0000
Subject: [PATCH] MDL-9399 auth/ldap: Tighten NTLM AD checks to the appropriate OU
MIME-Version: 1.0
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit
From IƱaki Arenaza... Right now, if someone logs in via NTLM magic, we don't check if that user is inside the contexts specified in the LDAP settings. I mean, if I want to restrict my Moodle site to those users inside a given OU or subtree of my LDAP directory, with the current code any valid user in my whole AD domain (and if we are using a GC as the LDAP server, the whole forest) can log in. We should check that the user is inside one of the configured contexts before allowing his/her to log in. Something along the lines of the attached patch could do it.
---
 auth/ldap/auth.php | 14 +++++++++++++-
 1 file changed, 13 insertions(+), 1 deletion(-)
diff --git a/auth/ldap/auth.php b/auth/ldap/auth.php
index 147c864dabe..be5c4cfc245 100644
--- a/auth/ldap/auth.php
+++ b/auth/ldap/auth.php
@@ -102,7 +102,19 @@ class auth_plugin_ldap extends auth_plugin_base {
 unset($key);
 unset($time);
 unset($sessusername);
- return true;
+
+ // Check that the user is inside one of the configured LDAP contexts
+ $validuser = false;
+ $ldapconnection = $this->ldap_connect();
+ if ($ldapconnection) {
+ // if the user is not inside the configured contexts,
+ // ldap_find_userdn returns false.
+ if ($this->ldap_find_userdn($ldapconnection, $extusername)) {
+ $validuser = true;
+ }
+ ldap_close($ldapconnection);
+ }
+ return $validuser;
 }
 }
 }
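Review bot: The new context check hands `$extusername` to `ldap_find_userdn()` without the hunk showing where that value is defined or whether it has been escaped; since it presumably carries the username recovered from the NTLM session rather than a form field, it is worth confirming that `ldap_find_userdn()` applies LDAP filter escaping (RFC 4515) before building its search filter, so special characters in the name cannot break or widen the lookup. The fail-closed shape of the block is right: `$validuser` stays `false` both when `ldap_connect()` returns a falsy value and when no DN is found inside the configured contexts, and the connection is released on every path through the `if`. I would make that intent explicit above `$validuser = false;` with a comment such as `// Fail closed: no LDAP connection, or no DN inside the configured contexts, means no login.`. The enclosing method begins before the hunk, so the origin of `$extusername` cannot be verified from this change alone.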