LDAP's checkPassword should only catch when a user was not found, fixes #2431#3324
Conversation
#2431 Also fixes error processing after ldap_search, due to different return format Signed-off-by: Arthur Schiwon <blizzz@arthur-schiwon.de>
|
@eggithub @laurentdinclaux @lephisto could you check whether this solves your issues with #2431 ? |
|
@blizz I do not use LDAP... |
|
@eggithu how would I know? Please state your full setup in the original issue (ideally using https://raw.githubusercontent.com/nextcloud/server/master/issue_template.md) |
| return true; | ||
| } | ||
|
|
||
| if($this->curFunc === 'ldap_search' && is_array($result)) { |
There was a problem hiding this comment.
I think we could simplify this with return in_array(false, $result, true)
There was a problem hiding this comment.
Yeah we could. With big results sets I expect this to be faster (not that it would matter to much). At least few years ago it was better to loop through an array, create a new one with those values as key and isset them over an in_array call. http://nickology.com/2012/07/03/php-faster-array-lookup-than-using-in_array/
ChristophWurst
left a comment
There was a problem hiding this comment.
Tested and works 👍
I set up an LDAP user, created an app password and sent requests with curl. After turning off the LDAP server, requests fail with
<?xml version="1.0" encoding="utf-8"?>
<d:error xmlns:d="DAV:" xmlns:s="http://sabredav.org/ns">
<s:exception>Sabre\DAV\Exception\ServiceUnavailable</s:exception>
<s:message>OC\ServerNotAvailableException: Lost connection to LDAP server.</s:message>
</d:error>
but the app password does not vanish.
|
Backport please @blizzz , we need this in for 11.0.2 :) |
|
Backport to stable11 goes #3493, reviewers needed :) |
LDAP's checkPassword() always returned false, no matter whether the user who tried to log in could not be found on the server, or the server is unavailable. This was due to too broadly catching Exceptions, which now is fixed.
While debugging I figured out that ldap_search calls did not pass error processing in the wrapper, because of a different return format.
In order to reproduce the whole thing I
When letting it go, usually the app password got revoked.