mirror_php/moodle
1
0
Fork 0
mirror of https://github.com/moodle/moodle.git synced 2025-01-19 06:18:28 +01:00
Code Issues Projects Releases Wiki Activity

MDL-9399 auth/ldap: Tighten NTLM AD checks to the appropriate OU

Browse Source 
From Iñaki Arenaza...

Right now, if someone logs in via NTLM magic, we don't check if that
user is inside the contexts specified in the LDAP settings. I mean,
if I want to restrict my Moodle site to those users inside a given OU
or subtree of my LDAP directory, with the current code any valid user
in my whole AD domain (and if we are using a GC as the LDAP server,
the whole forest) can log in. We should check that the user is inside
one of the configured contexts before allowing his/her to log in.

Something along the lines of the attached patch could do it.
This commit is contained in:
martinlanghoff 2007-11-14 22:09:59 +00:00
parent ddf3de6720
commit f8bf0f4afc
1 changed files with 13 additions and 1 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

14
auth/ldap/auth.php
View File

@ -102,7 +102,19 @@ class auth_plugin_ldap extends auth_plugin_base {
unset($key); unset($key);
unset($time); unset($time);
unset($sessusername); unset($sessusername);
return true;
// Check that the user is inside one of the configured LDAP contexts
$validuser = false;
$ldapconnection = $this->ldap_connect();
if ($ldapconnection) {
// if the user is not inside the configured contexts,
// ldap_find_userdn returns false.
if ($this->ldap_find_userdn($ldapconnection, $extusername)) {
$validuser = true;
}
ldap_close($ldapconnection);
}
return $validuser;
} }
} }
} }