From 14cc832552e9cde1a06631aaf534b5afdfcaeed7 Mon Sep 17 00:00:00 2001
From: popi <popi+git@gragnottes.fr>
Date: Jun 22 2017 21:05:17 +0000
Subject: fix ldap filtering
---
diff --git a/lib/Lufi.pm b/lib/Lufi.pm
index f489373..4ca9945 100755
--- a/lib/Lufi.pm
+++ b/lib/Lufi.pm
@@ -11,6 +11,7 @@ $ENV{MOJO_MAX_WEBSOCKET_SIZE} = 100485760; # 10 * 1024 * 1024 = 10MiB
# This method will run once at server start
sub startup {
my $self = shift;
+ my $entry = undef;
my $config = $self->plugin('Config' => {
default => {
@@ -95,8 +96,15 @@ sub startup {
$c->app->log->error($mesg->error);
return undef;
}
-
- # Now we know that the user exists
+
+ # we filtered out, but did we actually get a non-empty result?
+ $entry = $mesg->shift_entry;
+ if (!defined $entry) {
+ $c->app->log->info("[LDAP authentication failed] - User $username filtered out, IP: ".$c->ip);
+ return undef;
+ }
+
+ # Now we know that the user exists, and that he is authorized by the filter
$mesg = $ldap->bind('uid='.$username.$c->config->{ldap}->{bind_dn},
password => $password
);
@@ -110,7 +118,7 @@ sub startup {
$c->app->log->info("[LDAP authentication successful] login: $username, IP: ".$c->ip);
} elsif (defined($c->config('htpasswd'))) {
my $htpasswd = new Apache::Htpasswd({passwdFile => $c->config->{htpasswd},
- ReadOnly => 1}
+ ReadOnly => 1}
);
if (!$htpasswd->htCheckPassword($username, $password)) {
return undef;
@@ -277,9 +285,12 @@ sub startup {
if($c->authenticate($login, $pwd)) {
$c->redirect_to('index');
- } else {
- $c->stash(msg => $c->l('Please, check your credentials: unable to authenticate.'));
- $c->render(template => 'login');
+ } elsif (defined $entry) {
+ $c->stash(msg => $c->l('Please, check your credentials: unable to authenticate.'));
+ $c->render(template => 'login');
+ } else {
+ $c->stash(msg => $c->l('Sorry mate, you are not authorised to use that service. Contact your sysadmin if you think there\'s a glitch in the matrix.'));
+ $c->render(template => 'login');
}
});
# Logout page