[open-ils-commits] [GIT] Evergreen ILS branch rel_2_3 updated. 4e4589ed0e2f10d8ce7c9c48949f5f0c81b6248a
Evergreen Git
git at git.evergreen-ils.org
Mon Jul 15 12:48:40 EDT 2013
This is an automated email from the git hooks/post-receive script. It was
generated because a ref change was pushed to the repository containing
the project "Evergreen ILS".
The branch, rel_2_3 has been updated
via 4e4589ed0e2f10d8ce7c9c48949f5f0c81b6248a (commit)
via 1532f045e2d2b4e7ac1da880fc75b3bcb4282df7 (commit)
from 36c60bd42b0cf8be9eaedd1ff99de6dd63c7ef7f (commit)
Those revisions listed above that are new to this repository have
not appeared on any other notification email; so we list those
revisions in full, below.
- Log -----------------------------------------------------------------
commit 4e4589ed0e2f10d8ce7c9c48949f5f0c81b6248a
Author: Dan Wells <dbw2 at calvin.edu>
Date: Wed Oct 10 09:22:33 2012 -0400
Capture and log AuthProxy logins with no account
The current AuthProxy.pm code assumes that if the external auth
passes, the Evergreen account will be there. This protects
against cases where a user is in the external auth system but
has no matching account in Evergreen.
Signed-off-by: Dan Wells <dbw2 at calvin.edu>
Signed-off-by: Bill Erickson <berick at esilibrary.com>
diff --git a/Open-ILS/src/perlmods/lib/OpenILS/Application/AuthProxy.pm b/Open-ILS/src/perlmods/lib/OpenILS/Application/AuthProxy.pm
index be1d05b..a555be7 100644
--- a/Open-ILS/src/perlmods/lib/OpenILS/Application/AuthProxy.pm
+++ b/Open-ILS/src/perlmods/lib/OpenILS/Application/AuthProxy.pm
@@ -257,6 +257,10 @@ sub _do_login {
"open-ils.cstore.direct.actor.user.search.atomic",
{ usrname => $args->{'username'} }
);
+ if (!$user->[0]) {
+ $logger->debug("Authenticated username '" . $args->{'username'} . "' has no Evergreen account, aborting");
+ return OpenILS::Event->new( 'LOGIN_FAILED' );
+ }
$args->{'password'} = md5_hex( $seed . $user->[0]->passwd );
} else {
$args->{'password'} = md5_hex( $seed . md5_hex($real_password) );
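Review bot: the new branch in _do_login logs the no-account case with $logger->debug, which many production log settings discard, so the event the commit title says it captures (external auth passed, no Evergreen account) may never reach the logs. Consider a higher level such as info or warn. The username is also concatenated into the message exactly as received; stripping or escaping control characters before logging keeps a crafted username from breaking or forging log lines. Returning the generic LOGIN_FAILED event is a sound choice, since the caller cannot tell this case apart from a bad password.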
commit 1532f045e2d2b4e7ac1da880fc75b3bcb4282df7
Author: Dan Wells <dbw2 at calvin.edu>
Date: Thu Sep 27 17:35:03 2012 -0400
Make AuthProxy LDAP bind code more robust
The existing version of LDAP_Auth.pm assumed that the user's
bind DN could be derived from the base DN, the ID attribute, and
the user's ID. This is frequently the case, but not always,
particularly in Active Directory setups using sAMAccountName. This
commit instead uses the initial LDAP lookup as the authority for
determining the user's DN.
Signed-off-by: Dan Wells <dbw2 at calvin.edu>
Signed-off-by: Bill Erickson <berick at esilibrary.com>
diff --git a/Open-ILS/src/perlmods/lib/OpenILS/Application/AuthProxy/LDAP_Auth.pm b/Open-ILS/src/perlmods/lib/OpenILS/Application/AuthProxy/LDAP_Auth.pm
index 0a4a0b0..a180e3a 100644
--- a/Open-ILS/src/perlmods/lib/OpenILS/Application/AuthProxy/LDAP_Auth.pm
+++ b/Open-ILS/src/perlmods/lib/OpenILS/Application/AuthProxy/LDAP_Auth.pm
@@ -40,14 +40,14 @@ sub authenticate {
$hostname_is_ldap = 1;
if ( $ldap->bind( $authid, password => $authid_pass )->code == 0 ) {
$reached_ldap = 1;
- # verify username
- if ( $ldap
- ->search( base => $basedn, filter => "($id_attr=$username)" )
- ->count != 0 ) {
+ # verify username and lookup user's DN
+ my $ldap_search = $ldap->search( base => $basedn,
+ filter => "($id_attr=$username)" );
+ if ( $ldap_search->count != 0 ) {
$user_in_ldap = 1;
# verify password (bind check)
- my $binddn = "$id_attr=$username,$basedn";
+ my $binddn = $ldap_search->entry(0)->dn();
if ( $ldap->bind( $binddn, password => $password )
->code == 0 ) {
$login_succeeded = 1;
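Review bot: now that the bind DN comes from $ldap_search->entry(0)->dn(), the search result decides which directory account the password is checked against, yet the guard is still `$ldap_search->count != 0` and the filter is built as "($id_attr=$username)" with the username interpolated unescaped. A username containing filter metacharacters can match more than one entry, and entry(0) is then whichever entry the server returned first. Suggest requiring exactly one match (count == 1) and escaping the value before building the filter, for example with escape_filter_value from Net::LDAP::Util.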
-----------------------------------------------------------------------
Summary of changes:
.../perlmods/lib/OpenILS/Application/AuthProxy.pm | 4 ++++
.../lib/OpenILS/Application/AuthProxy/LDAP_Auth.pm | 10 +++++-----
2 files changed, 9 insertions(+), 5 deletions(-)
hooks/post-receive
--
Evergreen ILS