[sork] PATCH: LDAP Vacation without anonymous DN searching
Jan Schneider
jan at horde.org
Sat Jan 26 10:15:13 UTC 2008
Quoting "Douglas C. Stephens" <stephens at ameslab.gov>:
> This is my first post to this list.
>
> Our security policy on the LDAP directory we use for email does not permit
> anonymous binds. This conflicts with apparent assumptions in the SORK
> Vacation LDAP driver, as evidenced by this wording from config/conf.xml:
>
> "The DN used to bind to the LDAP server. If empty, we will bind anonymously
> to search for the user DN and bind with the user name and password when
> setting the vacation message, see below."
>
> From reading this language, reading the code, and experimenting with the
> module, it seemed the author of the LDAP driver assumed the following:
>
> * Searches would be permitted for anonymous binds, or
> * An account would be available with ACL privileges in the directory to
> search, read, and write to the necessary attributes.
>
> This inference was confirmed during testing by rotating the binddn value
> through the following states:
>
> * Blank,
> * Containing the DN of an account with only search/read privileges,
> * Containing the DN of an account with full search/read/write privileges in
> the directory.
>
> To address this, my options were:
>
> 1. Discontinue roll-out of a Vacation module integrated into the IMP webmail
> system I've run for the past eight years, and choose another webmail and/or
> Vacation web interface.
> 2. Configure an account with ACL privileges in my directory to search, read,
> and write the necessary attributes.
> 3. Alter the security policy on the LDAP directory to permit anonymous binds.
> 4. Patch the SORK Vacation code.
>
> For an assortment of reasons, option (4) was selected.
>
> Appended below is a tested and relatively straightforward patch for the SORK
> module vacation-h3-3.0.1 that provides the following features:
>
> * A non-anonymous bind for searching a user DN in the _lookupdn() method,
> while at the same time performing the LDAP attribute changes while bound as
> the currently logged-in user's DN.
> * A boolean module configuration variable to control activation of this DN
> search mode. Setting this variable value to FALSE was tested to correctly
> revert to the unpatched logic for the binddn setting.
> * Debugging output now shows what DN, if any, was used to bind with to
> perform the search in _lookupdn().
>
> After this patch is applied, it is necessary to regenerate a new conf.php
> module configuration file.
>
> I ask that this patch be added to the next release of the SORK Vacation
> module so that others who find themselves in a similar situation with their
> LDAP directory may benefit. Also, I am looking forward to Ingo 2.x with its
> integration of the SORK backend drivers, so it would be quite fine to see
> this patch be included in those drivers.
>
> Thanks.
>
> ------------------------------------------------------------------------------
> --- config/conf.xml.1 2006-10-13 11:03:33.000000000 -0500
> +++ config/conf.xml 2008-01-25 17:50:06.000000000 -0600
> @@ -213,6 +213,10 @@
> vacation message, see below."/>
> <configstring name="bindpw" required="false" desc="The
> password used to
> bind to the LDAP server"/>
> + <configboolean name="noanonsearch" required="false"
> desc="No anonymous
> + searches allowed? If so, then will bind with the given DN
> to search for
> + the user DN, and bind as the user when setting the vacation
> message.">
> + no</configboolean>
> </case>
> <case name="true" desc="Yes, but with the domain stripped from the
> username">
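Review bot: the new `noanonsearch` option is only meaningful together with `binddn` and `bindpw`, but its `desc` does not say so; state in the description that when this is set and `binddn` is left blank the driver still falls back to an anonymous search (which is what the `_lookupdn()` change does), so an administrator enabling it on a directory that forbids anonymous binds knows both settings are needed. The `required="false"` plus the default of `no` keeps existing installations on the old code path, which matches the claim that FALSE reverts to the unpatched logic.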
> @@ -222,6 +226,10 @@
> vacation message, see below."/>
> <configstring name="bindpw" required="false" desc="The
> password used to
> bind to the LDAP server"/>
> + <configboolean name="noanonsearch" required="false"
> desc="No anonymous
> + searches allowed? If so, then will bind with the given DN
> to search for
> + the user DN, and bind as the user when setting the vacation
> message.">
> + no</configboolean>
> </case>
> </configswitch>
> </configsection>
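Review bot: this block is a verbatim copy of the one added to the first `<case>` above; any wording change to the `desc` (such as spelling out the dependency on `binddn`/`bindpw`) has to be applied in both places, so it is worth double-checking that the two stay identical before committing.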
> --- lib/Driver/ldap.php.1 2007-01-02 07:55:22.000000000 -0600
> +++ lib/Driver/ldap.php 2008-01-25 23:24:33.000000000 -0600
> @@ -88,7 +88,7 @@
> $this->_params[$realm]['version']);
> }
>
> - if (!empty($this->_params[$realm]['binddn'])) {
> + if (!$this->_params[$realm]['noanonsearch'] &&
> !empty($this->_params[$realm]['binddn'])) {
> $result = @ldap_bind($this->_ds,
> $this->_params[$realm]['binddn'], $this->_params[$realm]['bindpw']);
> } elseif (!is_null($userdn)) {
> $result = @ldap_bind($this->_ds, $userdn, $password);
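Review bot: `!$this->_params[$realm]['noanonsearch']` reads the new key directly, so on an installation whose conf.php has not been regenerated PHP emits an undefined-index notice and the expression evaluates to true, which preserves the old `binddn` path only by accident; write it as `empty($this->_params[$realm]['noanonsearch'])` so the fallback is explicit and the "regenerate conf.php" step in the cover note is not load-bearing. The same applies to the reads of this key in `_lookupdn()` below.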
> @@ -148,8 +148,19 @@
> */
> function _lookupdn($user, $realm)
> {
> - // Bind as guest.
> - $this->_connect();
> +
> + if ($this->_params[$realm]['noanonsearch']) {
> + if (!empty($this->_params[$realm]['binddn'])) {
> + // Bind as the configured DN in binddn.
> + $this->_connect($this->_params[$realm]['binddn'],
> $this->_params[$realm]['bindpw']);
> + } else {
> + // Bind as guest.
> + $this->_connect();
> + }
> + } else {
> + // Bind as guest.
> + $this->_connect();
> + }
>
> // Construct search.
> $search = $this->_params[$realm]['uid'] . '=' . $user;
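Review bot: the inner `else` and the outer `else` both do the same `// Bind as guest.` call, so the nesting can collapse to a single `if (!empty(...['noanonsearch']) && !empty(...['binddn'])) { $this->_connect($binddn, $bindpw); } else { $this->_connect(); }`, and the first `+` line adds a bare blank line where the old comment was and should be dropped. Passing `binddn` through the `$userdn` parameter of `_connect()` works only because of the `elseif (!is_null($userdn))` branch in the previous hunk; a comment here saying that the configured DN is used for the search alone and that the later attribute write still binds as the logged-in user's DN would make that dependency, which is the whole point of the patch, visible to the next reader.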
> @@ -158,10 +169,15 @@
> }
>
> /* Log the query at a DEBUG log level. */
> - Horde::logMessage(sprintf('LDAP query by
> Vacation_Driver_ldap::_lookupdn(): root = "%s"; filter = "%s";
> timelimit = %d',
> + if (!empty($this->_params[$realm]['binddn'])) {
> + Horde::logMessage(sprintf('LDAP query by
> Vacation_Driver_ldap::_lookupdn(): binddn = "%s"; root = "%s"; filter
> = "%s"; timelimit = %d',
> + $this->_params[$realm]['binddn'],
> $this->_params[$realm]['basedn'], $search,
> $this->_params[$realm]['timeout']),
> + __FILE__, __LINE__, PEAR_LOG_DEBUG);
> + } else {
> + Horde::logMessage(sprintf('LDAP query by
> Vacation_Driver_ldap::_lookupdn(): root = "%s"; filter = "%s";
> timelimit = %d',
> $this->_params[$realm]['basedn'],
> $search, $this->_params[$realm]['timeout']),
> __FILE__, __LINE__, PEAR_LOG_DEBUG);
> -
> + }
> // Get userdn.
> $result = @ldap_search($this->_ds,
> $this->_params[$realm]['basedn'], $search, array(), 0, 0,
> $this->_params[$realm]['timeout']);
> if (!$result ||
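Review bot: the two `Horde::logMessage()` calls differ only in the `binddn = "%s"` fragment; build the message once and append the bind DN when `binddn` is set, rather than duplicating the whole `sprintf()`, so the log format is maintained in one place. Leaving `bindpw` out of the debug line, as done here, is correct and should stay that way. Also the `-`/`+ }` pair replaces the blank line before `// Get userdn.` with the closing brace, so put a blank line back after the `}`.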
> ------------------------------------------------------------------------------
Please create a ticket on http://bugs.horde.org/.
Jan.
--
Do you need professional PHP or Horde consulting?
http://horde.org/consulting/