I don't believe it's possible in the current Mantis releases to create this behaviour using a plugin, as there are no hooks in this code.
However, you can get the desired behaviour (local authentication with an LDAP fallback) by changing the priority in core/authentication_api.php — from line 710 onwards, replace the auth_does_password_match function with:
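/**
 * Local-first variant of auth_does_password_match().
 *
 * The stored local password is checked against every local login method
 * before LDAP is consulted; LDAP is only used as a fallback when it is the
 * configured login method.
 *
 * @param int    $p_user_id       id of the user being authenticated
 * @param string $p_test_password password supplied at login
 * @return bool true if the password matches a local credential or (when
 *              LDAP is the configured method) the directory, false otherwise
 */
function auth_does_password_match( $p_user_id, $p_test_password ) {
    $t_configured_login_method = config_get_global( 'login_method' );

    # NOTE(review): this gate now also precedes the LDAP fallback at the end of
    # the function, so a user it rejects never reaches ldap_authenticate();
    # confirm auth_can_use_standard_login() allows the LDAP users this is for.
    if( !auth_can_use_standard_login( $p_user_id ) ) {
        return false;
    }

    // NOTE: This modified login routine means that local accounts always take
    // precedence over LDAP authentication - allows both methods to be used and
    // avoid thrashing LDAP for local accounts.
    $t_password = user_get_field( $p_user_id, 'password' );
    $t_login_methods = array(
        MD5,
        CRYPT,
        PLAIN,
        BASIC_AUTH,
    );

    # Attempt local authentication first
    foreach( $t_login_methods as $t_login_method ) {
        # pass the stored password in as the salt
        $t_processed = auth_process_plain_password( $p_test_password, $t_password, $t_login_method );

        # Strict comparison: with `==`, two digest strings of the form "0e<digits>"
        # compare as numerically equal, so a supplied password whose hash happens
        # to look numeric could match an unrelated stored hash.
        if( $t_processed !== $t_password ) {
            continue;
        }

        # Do not support migration to PLAIN, since this would be a crazy thing to do.
        # Also if we do, then a user will be able to login by providing the MD5 value
        # that is copied from the database. See 0008467 for more details.
        # This must run before the LDAP early return below: otherwise a PLAIN
        # "match" (test password equal to the stored hash) is accepted in LDAP mode.
        if(
            ( $t_configured_login_method != PLAIN && $t_login_method == PLAIN ) ||
            ( $t_configured_login_method != BASIC_AUTH && $t_login_method == BASIC_AUTH )
        ) {
            continue;
        }

        # If we're using LDAP as a login method, don't attempt migration
        if( $t_configured_login_method == LDAP ) {
            return true;
        }

        # Check for migration to another login method and test whether the password was encrypted
        # with our previously insecure implementation of the CRYPT method
        if(
            ( $t_login_method != $t_configured_login_method ) ||
            (
                ( CRYPT == $t_configured_login_method ) &&
                ( mb_substr( $t_password, 0, 2 ) === mb_substr( $p_test_password, 0, 2 ) )
            )
        ) {
            user_set_password( $p_user_id, $p_test_password, true );
        }
        return true;
    }

    # Attempt the LDAP authentication if it is enabled
    if( LDAP == $t_configured_login_method ) {
        return ldap_authenticate( $p_user_id, $p_test_password );
    }

    return false;
}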