[open-ils-commits] [GIT] Evergreen ILS branch rel_2_4 updated. 61f725ec65f19126276a31c3ff549c65c69d9212
Evergreen Git
git at git.evergreen-ils.org
Mon Jul 15 12:48:18 EDT 2013
This is an automated email from the git hooks/post-receive script. It was
generated because a ref change was pushed to the repository containing
the project "Evergreen ILS".
The branch, rel_2_4 has been updated
via 61f725ec65f19126276a31c3ff549c65c69d9212 (commit)
via 34d0347fdeb53f7fad42760cd0f8feb719218523 (commit)
from 38bf1ce296497c31910723205be16c24f95c84dd (commit)
Those revisions listed above that are new to this repository have
not appeared on any other notification email; so we list those
revisions in full, below.
- Log -----------------------------------------------------------------
commit 61f725ec65f19126276a31c3ff549c65c69d9212
Author: Dan Wells <dbw2 at calvin.edu>
Date: Wed Oct 10 09:22:33 2012 -0400
Capture and log AuthProxy logins with no account
The current AuthProxy.pm code assumes that if the external auth
passes, the Evergreen account will be there. This protects
against cases where a user is in the external auth system but
has no matching account in Evergreen.
Signed-off-by: Dan Wells <dbw2 at calvin.edu>
Signed-off-by: Bill Erickson <berick at esilibrary.com>
diff --git a/Open-ILS/src/perlmods/lib/OpenILS/Application/AuthProxy.pm b/Open-ILS/src/perlmods/lib/OpenILS/Application/AuthProxy.pm
index be1d05b..a555be7 100644
--- a/Open-ILS/src/perlmods/lib/OpenILS/Application/AuthProxy.pm
+++ b/Open-ILS/src/perlmods/lib/OpenILS/Application/AuthProxy.pm
@@ -257,6 +257,10 @@ sub _do_login {
"open-ils.cstore.direct.actor.user.search.atomic",
{ usrname => $args->{'username'} }
);
+ if (!$user->[0]) {
+ $logger->debug("Authenticated username '" . $args->{'username'} . "' has no Evergreen account, aborting");
+ return OpenILS::Event->new( 'LOGIN_FAILED' );
+ }
$args->{'password'} = md5_hex( $seed . $user->[0]->passwd );
} else {
$args->{'password'} = md5_hex( $seed . md5_hex($real_password) );
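Review bot: the added `$logger->debug(...)` call records this condition only at debug level, so a deployment that does not log at debug level will never see that a user passed external authentication but has no Evergreen account. That is the event the commit subject says should be captured and logged. Consider a higher level such as info or warn, so the mismatch between the external directory and Evergreen is visible to operators. The message also concatenates `$args->{'username'}` exactly as received. Stripping newlines and control characters before logging would keep a crafted username from breaking up or forging log lines.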
commit 34d0347fdeb53f7fad42760cd0f8feb719218523
Author: Dan Wells <dbw2 at calvin.edu>
Date: Thu Sep 27 17:35:03 2012 -0400
Make AuthProxy LDAP bind code more robust
The existing version of LDAP_Auth.pm assumed that the user's
bind DN could be derived from the base DN, the ID attribute, and
the user's ID. This is frequently the case, but not always,
particularly in Active Directory setups using sAMAccountName. This
commit instead uses the initial LDAP lookup as the authority for
determining the user's DN.
Signed-off-by: Dan Wells <dbw2 at calvin.edu>
Signed-off-by: Bill Erickson <berick at esilibrary.com>
diff --git a/Open-ILS/src/perlmods/lib/OpenILS/Application/AuthProxy/LDAP_Auth.pm b/Open-ILS/src/perlmods/lib/OpenILS/Application/AuthProxy/LDAP_Auth.pm
index 0a4a0b0..a180e3a 100644
--- a/Open-ILS/src/perlmods/lib/OpenILS/Application/AuthProxy/LDAP_Auth.pm
+++ b/Open-ILS/src/perlmods/lib/OpenILS/Application/AuthProxy/LDAP_Auth.pm
@@ -40,14 +40,14 @@ sub authenticate {
$hostname_is_ldap = 1;
if ( $ldap->bind( $authid, password => $authid_pass )->code == 0 ) {
$reached_ldap = 1;
- # verify username
- if ( $ldap
- ->search( base => $basedn, filter => "($id_attr=$username)" )
- ->count != 0 ) {
+ # verify username and lookup user's DN
+ my $ldap_search = $ldap->search( base => $basedn,
+ filter => "($id_attr=$username)" );
+ if ( $ldap_search->count != 0 ) {
$user_in_ldap = 1;
# verify password (bind check)
- my $binddn = "$id_attr=$username,$basedn";
+ my $binddn = $ldap_search->entry(0)->dn();
if ( $ldap->bind( $binddn, password => $password )
->code == 0 ) {
$login_succeeded = 1;
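Review bot: in the new `$ldap->search(...)` call, `$username` is still interpolated unescaped into the filter `"($id_attr=$username)"`. This matters more now that `$ldap_search->entry(0)->dn()` decides which DN the password bind is attempted against: a value containing filter metacharacters can make the search match an entry other than the one the caller named. Passing the value through `escape_filter_value` from Net::LDAP::Util before building the filter would close that off. The `count != 0` test also accepts multiple matches and then binds as whichever entry comes back first. Requiring `count == 1` and failing the login otherwise would make the lookup unambiguous. Finally, the search's own result code is not checked before `count` is read, so a failed search and an empty result are treated the same way.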
-----------------------------------------------------------------------
Summary of changes:
.../perlmods/lib/OpenILS/Application/AuthProxy.pm | 4 ++++
.../lib/OpenILS/Application/AuthProxy/LDAP_Auth.pm | 10 +++++-----
2 files changed, 9 insertions(+), 5 deletions(-)
hooks/post-receive
--
Evergreen ILS