LDAP User Provider wrong handling of passwords #18401

Copy link
Copy link
Closed
@MortI2C

Description

Hi, trying to use the new LDAP component, I think I have found a bug in Component\Security\Core\User\LDAPUserProvider.

Concretely, on successful authentication LDAP retrieves an array with each user parameter, and each of these is at the same time another array. Because of this, on this new version, among other improvements, the Entry class was introduced to handle this situation, but in the method loadUser, when it creates a new user it passes the Entry for the password field as the password, without taking into consideration that this is at the same time an array of passwords. It is necessary to get the first one (which should be the only one, as we only authenticate one user at a time).
This problem makes LDAP fail to completely authenticate the user. It also doesn't allow Symfony to store the remember-me cookies correctly, because the token generator requires a single element, not an array, for the password parameter.

And there is a second bug in the same class, in the method refreshUser, which creates the User instance with null as the password instead of calling $user->getPassword(), as it looks like it should.

I have done a quick and not necessarily good fix on my own fork to check this issue, and it worked fine with just these small changes.

To reproduce, install an LDAP server and configure it using this doc as a reference: http://symfony.com/blog/new-in-symfony-2-8-ldap-component
The exception is the service definition, which, as mentioned in symfony/symfony-docs#5756 (comment), has to be defined like this on the new version:

app.ldap:
    class: Symfony\Component\Ldap\Ldap
    factory: ['Symfony\Component\Ldap\Ldap', 'create']
    arguments:
        - 'ext_ldap'
        - host: 'host.mydomain.com'

After an initial successful authentication you should get a redirection loop to the authentication layer, as LDAP constantly fails to authenticate the user given that it tries to authenticate with a null password.

If someone else has the same problem and this bug can be confirmed, I can make a pull request with a fix.
Also, on this side, I'm not sure what the rules on fixes are in Symfony, but it would be nice to add a fix for the 2.8 branch as well, which had the same issue, and the bug is solved in pretty much the same way.
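The two corrections the report asks for, as an added example that is not part of the issue or of Symfony's code: Entry and User below are minimal stand-ins for the Symfony classes (assumed shape, not the real ones), the attribute name `userPassword` and the sample entry are constructed, and the two functions show a loadUser that unwraps the multi-valued attribute and a refreshUser that keeps the password.

```php
<?php
// Minimal stand-ins (not Symfony's classes) for Entry and User, enough to show
// the two fixes the report describes.
final class Entry
{
    public function __construct(private string $dn, private array $attributes) {}

    // LDAP attributes are multi-valued: a list of strings, or null if absent.
    public function getAttribute(string $name): ?array
    {
        return $this->attributes[$name] ?? null;
    }
}

final class User
{
    public function __construct(private string $username, private ?string $password, private array $roles = ['ROLE_USER']) {}
    public function getUsername(): string { return $this->username; }
    public function getPassword(): ?string { return $this->password; }
    public function getRoles(): array { return $this->roles; }
}

// Fix 1: the password attribute is an array; pass its single (first) value on,
// and null when the directory returned no value at all. A string here is also
// what the remember-me token generator needs, an array breaks it.
function attributeValue(Entry $entry, string $name): ?string
{
    $values = $entry->getAttribute($name);
    return ($values === null || $values === []) ? null : (string) $values[0];
}

function loadUser(string $username, Entry $entry, string $passwordAttribute = 'userPassword'): User
{
    return new User($username, attributeValue($entry, $passwordAttribute));
}

// Fix 2: carry the password over on refresh instead of replacing it with null,
// otherwise the next request re-authenticates with a null password and loops.
function refreshUser(User $user): User
{
    return new User($user->getUsername(), $user->getPassword(), $user->getRoles());
}

// Constructed sample entry, shaped like a search result for one user.
$entry = new Entry('uid=alice,ou=people,dc=mydomain,dc=com', [
    'uid' => ['alice'],
    'userPassword' => ['{SSHA}constructed-sample-hash'],
]);
$user = refreshUser(loadUser('alice', $entry));
var_dump(is_string($user->getPassword()));
var_dump($user->getPassword() === '{SSHA}constructed-sample-hash');
```

Both dumps should be true after the refresh; with the original code the first would be false (array) after loadUser and the password null after refreshUser.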
