SiT! Bugs - SiT!
View Issue Details
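ID: 0000735
Project: SiT!
Category: authentication
View Status: public
Date Submitted: 2009-06-16 15:37
Last Update: 2009-08-16 14:39
Reporter: mfeider67
Assigned To: paulh
Priority: normal
Severity: major
Reproducibility: always
Status: closed
Resolution: fixed
Product Version: 3.45
Target Version: 3.50
Fixed in Version: 3.50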
Summary: 0000735: log in error
Description: login is allowed when LDAP is false, but SQL still authenticates - can be old or blank password sometimes bypasses LDAP's failure
Additional Information: DIFF file seems to contain all change in indent - this line change is the important one....

- if ($CONFIG['use_ldap']) authenticateLDAPCustomer($username, $portalpassword );
+ if ($CONFIG['use_ldap'] && authenticateLDAPCustomer($username, $portalpassword )) //changed due to small bug - if user logs in with blank password, and if LDAP either updates a blank or never sets the user is still logged in even though the password is incorrect, essentially we need to validate return value of this function for success and not just rely on next SQL check
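
Review bot: on the `+` line, `$CONFIG['use_ldap'] && authenticateLDAPCustomer(...)` is false both when LDAP is disabled and when LDAP rejects the credentials, and the hunk does not show which branch runs in either case. The trailing comment says a later SQL check still follows, so please confirm that an LDAP failure with `use_ldap` enabled ends the login attempt instead of falling through to the SQL comparison against an old or blank stored password, and that installs with `use_ldap` off still reach the SQL check. It would also help to reject an empty `$portalpassword` before either check and to move the long trailing comment onto its own line above the `if`.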
Tags: security
Relationships: child of 0000076 (closed, paulh) Directory integration - LDAP
Attached Files: login.php.diff (7,406) 2009-06-16 15:37
http://bugs.sitracker.org/file_download.php?file_id=41&type=bug
Issue History
Date Modified | Username | Field | Change
2009-06-16 15:37 | mfeider67 | New Issue |
2009-06-16 15:37 | mfeider67 | File Added: login.php.diff |
2009-06-16 17:47 | ivan | Relationship added | child of 0000076
2009-07-10 20:14 | paulh | Note Added: 0001274 |
2009-07-10 20:14 | paulh | Status | new => feedback
2009-07-20 22:03 | ivan | Target Version | => 3.50
2009-07-25 14:51 | ivan | Tag Attached: security |
2009-07-26 15:05 | paulh | Note Added: 0001420 |
2009-07-26 15:05 | paulh | Status | feedback => resolved
2009-07-26 15:05 | paulh | Resolution | open => fixed
2009-07-26 15:05 | paulh | Fixed in Version | => Current SVN
2009-07-26 15:07 | ivan | Note Added: 0001422 |
2009-07-26 15:07 | ivan | Assigned To | => paulh
2009-08-16 13:15 | ivan | Fixed in Version | Current SVN => 3.50
2009-08-16 14:39 | ivan | Note Added: 0001698 |
2009-08-16 14:39 | ivan | Status | resolved => closed

Notes
(0001274)
paulh   
2009-07-10 20:14   
Think the reworked LDAP code resolves this, can you confirm?
(0001420)
paulh   
2009-07-26 15:05   
The reworked LDAP code makes it configurable whether passwords are cached, and if they are, whether you can use them for authentication.
(0001422)
ivan   
2009-07-26 15:07   
Thanks Paul
(0001698)
ivan   
2009-08-16 14:39   
Released in 3.50rc1