From Iñaki Arenaza...
Right now, if someone logs in via NTLM magic, we don't check if that
user is inside the contexts specified in the LDAP settings. I mean,
if I want to restrict my Moodle site to those users inside a given OU
or subtree of my LDAP directory, with the current code any valid user
in my whole AD domain (and if we are using a GC as the LDAP server,
the whole forest) can log in. We should check that the user is inside
one of the configured contexts before allowing him/her to log in.
Something along the lines of the attached patch could do it.
unset($key);
unset($time);
unset($sessusername);
- return true;
+
+ // Check that the user is inside one of the configured LDAP contexts
+ $validuser = false;
+ $ldapconnection = $this->ldap_connect();
+ if ($ldapconnection) {
+ // if the user is not inside the configured contexts,
+ // ldap_find_userdn returns false.
+ if ($this->ldap_find_userdn($ldapconnection, $extusername)) {
+ $validuser = true;
+ }
+ ldap_close($ldapconnection);
+ }
+ return $validuser;
}
}
}
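Review bot: the `if ($ldapconnection)` branch has no `else`, so an LDAP connection failure and a user outside the configured contexts both end in `return $validuser;` with `false`, and nothing records which one happened. Failing closed is the right default for this check, but an administrator debugging NTLM SSO logins will only see a generic login failure; consider logging in an `else` branch (for example `error_log('auth_ldap: NTLM SSO denied, could not connect to LDAP');`) so an outage is distinguishable from a deliberate denial. Also note that the lookup on `$this->ldap_find_userdn($ldapconnection, $extusername)` runs after `unset($sessusername);`, so `$extusername` must already hold the username taken from the NTLM session at that point; a one-line comment stating that would make the ordering explicit for future readers.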