DokuWiki

IMPORTANT!

This is the old issue tracking system for DokuWiki. Issues can not be added here anymore. Please refer to https://github.com/splitbrain/dokuwiki/issues for the new system.


FS#2607 - LDAP authentication fails with openldap server that doesn't support anonymous bind

Attached to Project: DokuWiki
Opened by Bob Jewell (bob.jewell) - Tuesday, 18 September 2012, 21:39 GMT
Last edited by Andreas Gohr (andi) - Sunday, 05 May 2013, 18:12 GMT
Task Type Bug Report
Category ACL & Authentication
Status Closed
Assigned To Andreas Gohr (andi)
Operating System Linux
Severity Medium
Priority Normal
Reported Version rc2012-09-10 "Adora Belle"
Due in Version Spring 2013 release
Due Date Undecided
Percent Complete 100%
Votes 8
Private No

Details

On line 447 of auth.ldap.php https://github.com/splitbrain/dokuwiki/blob/master/inc/auth/ldap.class.php#L447:

$bound = @ldap_bind($this->con); attempts to bind anonymously as part of the function that determines if ldap connections are working. If anonymous bind is not permitted, an openldap server will return an error (in openldap2.4.23 at least), which causes php-ldap to return false. This causes that server to be flagged as unavailable.

A possible solution may be to follow the same binding logic as used in the checkPass() in the same file to actually complete the bind as intended. This kinda screws with self-bind, though. I think that would mess up the error flow.

Anyway, in my case, I am not using multiple ldap servers, so I don't care if this accurately detects whether or not my ldap server is available. I just commented out the 'break' and the if(!$bound) clause below it.

Please let me know if you need more information.
This task depends upon

Closed by Andreas Gohr (andi)
Sunday, 05 May 2013, 18:12 GMT
Reason for closing: Fixed
Additional comments about closing: no additional feedback received
Comment by Joschi Brauchle (endzone) - Sunday, 14 October 2012, 15:10 GMT
I can confirm that this change breaks connections with LDAP servers that disallow anon bind. I followed Bob's suggestions to comment some lines and this fixes the problem!
Comment by Götz Reinicke (greinick) - Tuesday, 27 November 2012, 08:04 GMT
I can confirm this too, and it is a very annoying bug/feature, still present as well in the release of "Adora Belle".
Comment by Sébastien (Crupuk) - Tuesday, 29 January 2013, 10:52 GMT
The bug is still there. Just need to comment this block:

/*
if(!$bound) {
    msg("LDAP: couldn't connect to LDAP server",-1);
    return false;
}
*/
Comment by Michael Duelli (duelli) - Sunday, 03 February 2013, 22:09 GMT
I also face this problem with a super-user bound OpenLDAP. I worked around it by:

diff --git a/inc/auth/ldap.class.php b/inc/auth/ldap.class.php
index 23c2c28..9eea92a 100644
--- a/inc/auth/ldap.class.php
+++ b/inc/auth/ldap.class.php
@@ -444,7 +444,9 @@ class auth_ldap extends auth_basic {
if (defined('LDAP_OPT_NETWORK_TIMEOUT')) {
ldap_set_option($this->con, LDAP_OPT_NETWORK_TIMEOUT, 1);
}
- $bound = @ldap_bind($this->con);
+ //$bound = @ldap_bind($this->con);
+ // Workaround for bug https://bugs.dokuwiki.org/index.php?do=details&task_id=2607 with super-user bind
+ $bound = @ldap_bind($this->con,$this->cnf['binddn'],$this->cnf['bindpw']);
if ($bound) {
break;
}
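Review bot: the replacement line `$bound = @ldap_bind($this->con,$this->cnf['binddn'],$this->cnf['bindpw']);` binds with the configured account unconditionally, so an installation with no bind account configured now passes two empty strings (which is just an anonymous bind again), and one with a DN but an empty password performs an unauthenticated simple bind that some servers accept without checking anything. Guard on a non-empty binddn/bindpw pair and fall back to `ldap_bind($this->con)` only when no account is configured. Also drop the commented-out `//$bound = @ldap_bind($this->con);` rather than leaving dead code, and consider recording `ldap_error($this->con)` when the bind fails, because with the `@` suppression the later "couldn't connect to LDAP server" message carries no cause.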

Probably, parts of checkPass (which relies on this->_openLDAP anyway) should be done here.
Comment by Marcio Merlone (mmerlone) - Monday, 04 February 2013, 17:18 GMT
No luck even on a server that allows anon bind.

I just deployed a dokuwiki 2012-10-13 "Adora Belle" on a Lucid 10.04 server, running apache2 2.2.14-5ubuntu8.10, php5-ldap 5.3.2-1ubuntu4.18, authing over an OpenLDAP 2.4.21-0ubuntu5.7, which _does accept_ anon binds, and still no luck, I get the error "LDAP: couldn't connect to LDAP server". Only useful search result on Google about that is this bug.
Comment by Andreas Gohr (andi) - Saturday, 16 February 2013, 15:45 GMT
This should be fixed in the current devel, can you try it?
Comment by Oscar (Flextron) - Sunday, 17 March 2013, 10:38 GMT
Andreas, I tried the last RC "Weatherwax" and this bug is still unsolved. The patch from https://bugs.dokuwiki.org/index.php?do=details&task_id=2607#comment5274 (using the getConf() function instead of the array to get the values) does the trick for me.

TIA,
Comment by Enrico Tagliavini (enrico.tagliavini) - Monday, 01 April 2013, 17:53 GMT
Still have to try the code, but the git master still looks affected by this bug (https://github.com/splitbrain/dokuwiki/blob/master/lib/plugins/authldap/auth.php#L468). For sure I have this problem on dokuwiki-2012-10-13 "Adora Belle" on CentOS 6.4 using 389 Directory Server.

Can't you just do this:

if($this->getConf('binddn') && $this->getConf('bindpw')) {
    $bound = @ldap_bind($this->con, $this->getConf('binddn'), $this->getConf('bindpw'));
} else {
    $bound = @ldap_bind($this->con);
}
if($bound) {
    break;
}

For me it worked.

I think it is always a wise idea to disable anonymous bind where possible, so this is a very needed fix.
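The failure mode described in the report (the availability probe relies on an anonymous bind, so a server that disallows anonymous binds is flagged as "unavailable") and the conditional bind proposed in the comment above, written out as a stand-alone helper. This is an added example, not DokuWiki's own code: the function name and the config keys 'server' and 'port' are assumptions, 'binddn' and 'bindpw' mirror the keys discussed in the thread, and the hosts and DN at the bottom are constructed placeholders. It goes a little beyond the snippet above: it refuses a DN with an empty password (an unauthenticated bind), keeps the server's error text instead of discarding it with `@`, and stops cycling through replicas once a server has reached and rejected the credentials.

```php
<?php
// Added example, not DokuWiki's own code. The helper name and the config
// keys 'server' and 'port' are assumptions; 'binddn' and 'bindpw' mirror the
// keys discussed in the thread. The sample values at the bottom are constructed.

/**
 * Return a bound LDAP connection to the first server that accepts the bind,
 * or null. Diagnostic messages are appended to $errors.
 */
function ldap_open_first_available(array $conf, array &$errors = [])
{
    $binddn = trim((string) ($conf['binddn'] ?? ''));
    $bindpw = (string) ($conf['bindpw'] ?? '');

    // A non-empty DN with an empty password is an "unauthenticated" simple
    // bind (RFC 4513 section 5.1.2). Servers that allow it answer "success"
    // without verifying anything, so treat it as a configuration error rather
    // than letting the wiki silently run with anonymous privileges.
    if ($binddn !== '' && $bindpw === '') {
        $errors[] = 'binddn is set but bindpw is empty; refusing unauthenticated bind';
        return null;
    }

    $port = (int) ($conf['port'] ?? 389);
    foreach (explode(',', (string) ($conf['server'] ?? '')) as $server) {
        $server = trim($server);
        if ($server === '') {
            continue;
        }
        // Accept either a bare host name or a full ldap:// or ldaps:// URI.
        $uri = (strpos($server, '://') === false) ? "ldap://{$server}:{$port}" : $server;

        // ldap_connect() only validates the URI; nothing is sent until the bind.
        $con = @ldap_connect($uri);
        if ($con === false) {
            $errors[] = "{$uri}: malformed LDAP URI";
            continue;
        }
        ldap_set_option($con, LDAP_OPT_PROTOCOL_VERSION, 3);
        ldap_set_option($con, LDAP_OPT_REFERRALS, 0);
        if (defined('LDAP_OPT_NETWORK_TIMEOUT')) {
            ldap_set_option($con, LDAP_OPT_NETWORK_TIMEOUT, 1);
        }

        // Bind with the service account when one is configured. The anonymous
        // bind is attempted only when no account is configured, so a server
        // that disallows anonymous binds is no longer reported as unavailable.
        $bound = ($binddn !== '')
            ? @ldap_bind($con, $binddn, $bindpw)
            : @ldap_bind($con);
        if ($bound) {
            return $con;
        }

        // Keep the server's own diagnostic instead of losing it behind '@'.
        $errno = ldap_errno($con);
        $errors[] = sprintf('%s: bind failed (%d: %s)', $uri, $errno, ldap_error($con));
        ldap_unbind($con);

        // 48 = inappropriateAuthentication (what OpenLDAP returns when anonymous
        // bind is disallowed), 49 = invalidCredentials. Both mean the server was
        // reached and rejected the bind; retrying the same credentials against
        // the remaining replicas only adds failed-login noise and risks a
        // lockout, so stop here. Any other code is treated as "unreachable".
        if ($errno === 48 || $errno === 49) {
            return null;
        }
    }
    return null;
}

// Constructed sample configuration; the hosts and DN are placeholders.
$errors = [];
$con = ldap_open_first_available([
    'server' => 'ldap1.example.org, ldap2.example.org',
    'port'   => 389,
    'binddn' => 'cn=dokuwiki,ou=services,dc=example,dc=org',
    'bindpw' => getenv('LDAP_BINDPW') ?: '',
], $errors);

if ($con === null) {
    foreach ($errors as $e) {
        error_log('LDAP: ' . $e);
    }
}
```

With LDAP_BINDPW unset the sample run stops at the empty-password guard before touching the network, which is the intended behaviour: a missing service-account password should surface as a configuration error, not as a wiki that quietly works with whatever an anonymous bind can see.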
Comment by Andreas Gohr (andi) - Friday, 19 April 2013, 06:33 GMT
I applied Enrico's suggestion in a426a6cd, could you guys check if this fixes the problem for you?
Comment by Enrico Tagliavini (enrico.tagliavini) - Saturday, 08 June 2013, 17:13 GMT
Hi Andreas, I just updated to dokuwiki 2013-05-10 “Weatherwax”. It worked out of the box with my LDAP setup, thank you for the inclusion.

Cheers :)
