2006-03-16
rustre
The bug is located in the file DOKUWIKI/inc/auth/ldap.class.php from line 147 to line 157:
the first time "getUserData" is called, $this->bound is false, so the LDAP search is completed correctly. The second time, $this->bound is true, so the bind is not done (reusing the existing one). But the connection to the LDAP server has been closed previously, so no results are found for the same search done before, so $USERINFO in DOKUWIKI/inc/auth.php is not filled in, and so no groups are returned for the user (the test on line 175, which checks if there is one and only one result, fails).
So if the "superuser" is a group and not a user, the mechanism fails and no user in the group superuser is actually recognised as superuser.
I commented out the test on "$this->bound" in the file ldap.class.php line 147 to force a new bind, but there might be a cleverer way of doing this. Here is the code I have now (which works well for me):
    //if(!$this->bound){
        if($this->cnf['binddn'] && $this->cnf['bindpw']){
            // use superuser credentials
            if(!@ldap_bind($this->con,$this->cnf['binddn'],$this->cnf['bindpw'])){
                if($this->cnf['debug'])
                    msg('LDAP bind as superuser: '.htmlspecialchars(ldap_error($this->con)),0);
                return false;
            }
        }
        $this->bound = true;
    //}
Note: using DokuWiki on a Linux box (Ubuntu with Apache2 web server with php4-ldap plugin), LDAPS server on a Debian (OpenLDAP), no anonymous login allowed, so using binddn and bindpw.
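
The stale-flag behaviour described in this report, reproduced with a constructed stand-in for the LDAP link so it runs without a server (an added example, not DokuWiki's code or the reporter's; `FakeLdapLink`, `LdapAuthSketch`, `resetOnClose`, the bind DN and the user `alice` are hypothetical). It shows one alternative to always re-binding: clearing the bound flag whenever the connection is closed.

```php
<?php
// Constructed stand-in for an LDAP link: like the reporter's server,
// it returns nothing to a client that has not bound (no anonymous search).
class FakeLdapLink {
    private $bound = false;
    public function bind($dn, $pw) {
        $this->bound = ($dn !== '' && $pw !== '');
        return $this->bound;
    }
    public function search($uid) {
        return $this->bound ? [['uid' => $uid, 'groups' => ['superuser']]] : [];
    }
}

// Hypothetical auth class that caches "bound" separately from the connection.
class LdapAuthSketch {
    private $con = null;
    private $bound = false;
    private $resetOnClose;
    public function __construct($resetOnClose) { $this->resetOnClose = $resetOnClose; }

    public function close() {
        $this->con = null;
        // Hardened variant: the flag must not outlive the connection it describes.
        if ($this->resetOnClose) $this->bound = false;
    }
    public function getUserData($uid) {
        if ($this->con === null) $this->con = new FakeLdapLink();
        if (!$this->bound) {
            if (!$this->con->bind('cn=reader,dc=example,dc=org', 'constructed-secret')) return false;
            $this->bound = true;
        }
        $result = $this->con->search($uid);
        // Same "one and only one result" test as in the report.
        return count($result) === 1 ? $result[0] : false;
    }
}

function isSuperuser($auth, $uid) {
    $info = $auth->getUserData($uid);
    return $info !== false && in_array('superuser', $info['groups'], true);
}

foreach ([false, true] as $reset) {
    $auth = new LdapAuthSketch($reset);
    $first = isSuperuser($auth, 'alice');   // fresh connection, bind happens
    $auth->close();                         // connection goes away between lookups
    $second = isSuperuser($auth, 'alice');  // new connection, flag may be stale
    printf("resetOnClose=%s first=%s second=%s\n",
        var_export($reset, true), var_export($first, true), var_export($second, true));
}
```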