From: martinlanghoff Date: Wed, 14 Nov 2007 22:09:59 +0000 (+0000) Subject: MDL-9399 auth/ldap: Tighten NTLM AD checks to the appropriate OU X-Git-Url: http://git.mjollnir.org/gw?a=commitdiff_plain;h=f8bf0f4afcf3a51dc90ecd50963381e7caab723d;p=moodle.git MDL-9399 auth/ldap: Tighten NTLM AD checks to the appropriate OU From IƱaki Arenaza... Right now, if someone logs in via NTLM magic, we don't check if that user is inside the contexts specified in the LDAP settings. I mean, if I want to restrict my Moodle site to those users inside a given OU or subtree of my LDAP directory, with the current code any valid user in my whole AD domain (and if we are using a GC as the LDAP server, the whole forest) can log in. We should check that the user is inside one of the configured contexts before allowing his/her to log in. Something along the lines of the attached patch could do it.
---
diff --git a/auth/ldap/auth.php b/auth/ldap/auth.php
index 147c864dab..be5c4cfc24 100644
--- a/auth/ldap/auth.php
+++ b/auth/ldap/auth.php
@@ -102,7 +102,19 @@ class auth_plugin_ldap extends auth_plugin_base {
 unset($key);
 unset($time);
 unset($sessusername);
- return true;
+
+ // Check that the user is inside one of the configured LDAP contexts
+ $validuser = false;
+ $ldapconnection = $this->ldap_connect();
+ if ($ldapconnection) {
+ // if the user is not inside the configured contexts,
+ // ldap_find_userdn returns false.
+ if ($this->ldap_find_userdn($ldapconnection, $extusername)) {
+ $validuser = true;
+ }
+ ldap_close($ldapconnection);
+ }
+ return $validuser;
 }
 }
 }
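Review bot: `$extusername` is passed to `ldap_find_userdn()` but is not defined anywhere in the hunk, and the function's start lies outside it; since `$sessusername` is unset immediately above the new check, confirm that `$extusername` still holds the NTLM-supplied name, already converted to the directory's charset as the other `ldap_find_userdn()` callers presumably expect, otherwise every SSO login would be rejected. The `false` from `ldap_connect()` and the `false` from `ldap_find_userdn()` collapse into the same silent `return false`; a debug/log line in the connect-failure branch would let an administrator tell a directory outage from a user who is simply outside the configured contexts, and would make the new rejection auditable. The nested `if` plus flag can be reduced to `$validuser = (bool) $this->ldap_find_userdn($ldapconnection, $extusername);` inside the connection branch, keeping the `ldap_close()` that follows it.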