View Issue Details

ID: 0012062
Project: mantisbt
Category: ldap
View Status: public
Last Update: 2018-05-17 11:27
Reporter: chiquiarce
Assigned To: (none)
Priority: normal
Severity: feature
Reproducibility: always
Status: new
Resolution: open
Platform: i586
OS: Ubuntu Server
OS Version: 9.04
Product Version: 1.2.1
Summary: 0012062: User creation on-the-fly and double authentication
Description

I've downloaded Mantis' very new version and modified its source code. Now
Mantis authenticates users both in AD and, if the user is not found in AD,
falls back to the local database, and I implemented AD user creation on-the-fly.
I also modified manage_user_create_page.php so the admin can choose which auth type the user is (LDAP or other).

Additional Information

So sorry I'm not sending a patch, I don't have the originals anymore.

Tags: No tags attached.
Attached Files
ldap.rar (12,713 bytes)

Relationships

has duplicate 0017418 (closed, atrol): fallback authentication
related to 0013030 (acknowledged): Allow for multiple authentication mechanisms

Activities

aborderon (reporter), 2018-04-09 04:41, note ~0059480

Hello,
do you have the opportunity to add your transformation as a plugin?

I would be very interested because there is no fix on this problem.

Thank you

intuity (reporter), 2018-05-17 11:26, note ~0059846

I don't believe it's possible in the current Mantis releases to create this behaviour using a plugin as there are no hooks in this code.

However, you can create the desired behaviour of local authentication with an LDAP fallback by changing the priority in core/authentication_api.php - from line 710 onwards replacing the auth_does_password_match function:

function auth_does_password_match( $p_user_id, $p_test_password ) {
    $t_configured_login_method = config_get_global( 'login_method' );

    if( !auth_can_use_standard_login( $p_user_id ) ) {
        return false;
    }

    // NOTE: This modified login routine means that local accounts always take
    // precedence over LDAP authentication - allows both methods to be used and
    // avoid thrashing LDAP for local accounts.

    $t_password = user_get_field( $p_user_id, 'password' );
    $t_login_methods = array(
        MD5,
        CRYPT,
        PLAIN,
        BASIC_AUTH,
    );

    // Attempt local authentication first, trying each stored-password format
    foreach( $t_login_methods as $t_login_method ) {
        # pass the stored password in as the salt
        if( auth_process_plain_password( $p_test_password, $t_password, $t_login_method ) == $t_password ) {
            # Do not support migration to PLAIN, since this would be a crazy thing to do.
            # Also if we do, then a user will be able to login by providing the MD5 value
            # that is copied from the database.  See 0008467 for more details.
            # This guard has to run before the LDAP early return below: otherwise, with
            # login_method = LDAP, a PLAIN comparison of the submitted value against the
            # stored hash would be accepted and the 0008467 protection would be bypassed.
            if(
                ( $t_configured_login_method != PLAIN      && $t_login_method == PLAIN      ) ||
                ( $t_configured_login_method != BASIC_AUTH && $t_login_method == BASIC_AUTH )
            ) {
                continue;
            }

            # If we're using LDAP as a login method, the local match is enough;
            # don't attempt migration of the stored password
            if( LDAP == $t_configured_login_method ) {
                return true;
            }

            # Check for migration to another login method and test whether the password was encrypted
            # with our previously insecure implementation of the CRYPT method
            if(
                ( $t_login_method != $t_configured_login_method ) ||
                (
                    ( CRYPT                          == $t_configured_login_method          ) &&
                    ( mb_substr( $t_password, 0, 2 ) == mb_substr( $p_test_password, 0, 2 ) )
                )
            ) {
                user_set_password( $p_user_id, $p_test_password, true );
            }

            return true;
        }
    }

    // No local match: fall back to LDAP authentication if it is the configured method
    if( LDAP == $t_configured_login_method ) {
        return ldap_authenticate( $p_user_id, $p_test_password );
    }

    return false;
}