[open-ils-commits] [GIT] Evergreen ILS branch master updated. be36c3c96f7b79b9c7109de0e9a6b04c18faf559

Evergreen Git git at git.evergreen-ils.org
Mon Jul 15 12:47:50 EDT 2013


This is an automated email from the git hooks/post-receive script. It was
generated because a ref change was pushed to the repository containing
the project "Evergreen ILS".

The branch, master has been updated
       via  be36c3c96f7b79b9c7109de0e9a6b04c18faf559 (commit)
       via  36ea3a290b5ac52e758feda91212c2cb68d4e9b2 (commit)
      from  f040814c7507291c388a35a23c8878293a2524e4 (commit)

Those revisions listed above that are new to this repository have
not appeared on any other notification email; so we list those
revisions in full, below.

- Log -----------------------------------------------------------------
commit be36c3c96f7b79b9c7109de0e9a6b04c18faf559
Author: Dan Wells <dbw2 at calvin.edu>
Date:   Wed Oct 10 09:22:33 2012 -0400

    Capture and log AuthProxy logins with no account
    
    The current AuthProxy.pm code assumes that if the external auth
    passes, the Evergreen account will be there.  This protects
    against cases where a user is in the external auth system but
    has no matching account in Evergreen.
    
    Signed-off-by: Dan Wells <dbw2 at calvin.edu>
    Signed-off-by: Bill Erickson <berick at esilibrary.com>

diff --git a/Open-ILS/src/perlmods/lib/OpenILS/Application/AuthProxy.pm b/Open-ILS/src/perlmods/lib/OpenILS/Application/AuthProxy.pm
index be1d05b..a555be7 100644
--- a/Open-ILS/src/perlmods/lib/OpenILS/Application/AuthProxy.pm
+++ b/Open-ILS/src/perlmods/lib/OpenILS/Application/AuthProxy.pm
@@ -257,6 +257,10 @@ sub _do_login {
             "open-ils.cstore.direct.actor.user.search.atomic",
             { usrname => $args->{'username'} }
         );
+        if (!$user->[0]) {
+            $logger->debug("Authenticated username '" . $args->{'username'} . "' has no Evergreen account, aborting");
+            return OpenILS::Event->new( 'LOGIN_FAILED' );
+        }
         $args->{'password'} = md5_hex( $seed . $user->[0]->passwd );
     } else {
         $args->{'password'} = md5_hex( $seed . md5_hex($real_password) );
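
Review bot: the added `$logger->debug(...)` call records this condition only at debug level, so a deployment that does not keep debug output will reject the login without leaving any record of it, even though the commit title says the case is to be captured and logged. An externally authenticated username with no matching Evergreen account is worth seeing in normal operation (provisioning gaps, stale directory entries), so consider a higher level such as info or warn if the logger in use provides one. The message also concatenates `$args->{'username'}` as supplied by the client; stripping or escaping control characters before logging would keep a crafted username from breaking the log line format.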

commit 36ea3a290b5ac52e758feda91212c2cb68d4e9b2
Author: Dan Wells <dbw2 at calvin.edu>
Date:   Thu Sep 27 17:35:03 2012 -0400

    Make AuthProxy LDAP bind code more robust
    
    The existing version of LDAP_Auth.pm assumed that the user's
    bind DN could be derived from the base DN, the ID attribute, and
    the user's ID.  This is frequently the case, but not always,
    particularly in Active Directory setups using sAMAccountName. This
    commit instead uses the initial LDAP lookup as the authority for
    determining the user's DN.
    
    Signed-off-by: Dan Wells <dbw2 at calvin.edu>
    Signed-off-by: Bill Erickson <berick at esilibrary.com>

diff --git a/Open-ILS/src/perlmods/lib/OpenILS/Application/AuthProxy/LDAP_Auth.pm b/Open-ILS/src/perlmods/lib/OpenILS/Application/AuthProxy/LDAP_Auth.pm
index 0a4a0b0..a180e3a 100644
--- a/Open-ILS/src/perlmods/lib/OpenILS/Application/AuthProxy/LDAP_Auth.pm
+++ b/Open-ILS/src/perlmods/lib/OpenILS/Application/AuthProxy/LDAP_Auth.pm
@@ -40,14 +40,14 @@ sub authenticate {
         $hostname_is_ldap = 1;
         if ( $ldap->bind( $authid, password => $authid_pass )->code == 0 ) {
             $reached_ldap = 1;
-            # verify username
-            if ( $ldap
-                ->search( base => $basedn, filter => "($id_attr=$username)" )
-                ->count != 0 ) {
+            # verify username and lookup user's DN
+            my $ldap_search = $ldap->search( base => $basedn,
+                                             filter => "($id_attr=$username)" );
+            if ( $ldap_search->count != 0 ) {
                 $user_in_ldap = 1;
 
                 # verify password (bind check)
-                my $binddn = "$id_attr=$username,$basedn";
+                my $binddn = $ldap_search->entry(0)->dn();
                 if ( $ldap->bind( $binddn, password => $password )
                     ->code == 0 ) {
                     $login_succeeded = 1;
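
Review bot: the search filter `"($id_attr=$username)"` still interpolates `$username` unescaped, and with this change the search result decides which DN the password bind is attempted against, via `$ldap_search->entry(0)->dn()`. A username containing filter metacharacters (`*`, parentheses, backslash) can change what the filter matches, and `count != 0` followed by `entry(0)` accepts whichever entry comes back first when more than one matches. Suggest escaping the value before building the filter (if `$ldap` is a Net::LDAP object, `escape_filter_value` from Net::LDAP::Util does this) and requiring `$ldap_search->count == 1` before taking the DN, treating multiple matches as a failed lookup.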

-----------------------------------------------------------------------

Summary of changes:
 .../perlmods/lib/OpenILS/Application/AuthProxy.pm  |    4 ++++
 .../lib/OpenILS/Application/AuthProxy/LDAP_Auth.pm |   10 +++++-----
 2 files changed, 9 insertions(+), 5 deletions(-)


hooks/post-receive
-- 
Evergreen ILS

