[Bug 18992] New: LDAP fallback behaviour not consistent
https://bugs.koha-community.org/bugzilla3/show_bug.cgi?id=18992 Bug ID: 18992 Summary: LDAP fallback behaviour not consistent Change sponsored?: --- Product: Koha Version: master Hardware: All OS: All Status: NEW Severity: normal Priority: P5 - low Component: Authentication Assignee: koha-bugs@lists.koha-community.org Reporter: nick@bywatersolutions.com QA Contact: testopia@bugs.koha-community.org CC: dpavlin@rot13.org If ldap enabled fallback to internal in C4::Auth::checkpw is dependent on the return value from checkpw_ldap In C4::Auth_with_ldap the situation seems to be: IF auth_by_bind IF anonymous_bind look up principalname ELSE construct via config Now we have principal name Attempt to bind IF fail IF anonymous_bind return -1 NO FALLBACK ELSE return 0 FALLBACK ELSE Lookup user with bind account If user not found, return 0 FALLBACK If user found and pwd not match return -1 NO FALLBACK The difference I see is: When doing bind by auth without anonymous bind we fallback on existing ldapuser with no matching password When using bind user we do not fallback on existing ldapuser with no matching password In one case you can login with either LDAP or Koha password In other you can only use LDAP password Maybe this is expected, but it seems odd. -- You are receiving this mail because: You are watching all bug changes. You are the assignee for the bug.
https://bugs.koha-community.org/bugzilla3/show_bug.cgi?id=18992 Nick Clemens <nick@bywatersolutions.com> changed: What |Removed |Added ---------------------------------------------------------------------------- CC| |jonathan.druart@bugs.koha-c | |ommunity.org, | |martin.renvoize@ptfs-europe | |.com -- You are receiving this mail because: You are watching all bug changes.
https://bugs.koha-community.org/bugzilla3/show_bug.cgi?id=18992 Nick Clemens <nick@bywatersolutions.com> changed: What |Removed |Added ---------------------------------------------------------------------------- Assignee|koha-bugs@lists.koha-commun |nick@bywatersolutions.com |ity.org | CC| |nick@bywatersolutions.com --- Comment #1 from Nick Clemens <nick@bywatersolutions.com> --- Bumping severity here, this broke our ldap config after upgrade to 17.05, will try to provide patch next week -- You are receiving this mail because: You are the assignee for the bug. You are watching all bug changes.
https://bugs.koha-community.org/bugzilla3/show_bug.cgi?id=18992 --- Comment #2 from Jonathan Druart <jonathan.druart@bugs.koha-community.org> --- Is this related to bug 18880? -- You are receiving this mail because: You are watching all bug changes.
https://bugs.koha-community.org/bugzilla3/show_bug.cgi?id=18992 --- Comment #3 from Nick Clemens <nick@bywatersolutions.com> --- (In reply to Jonathan Druart from comment #2)
Is this related to bug 18880?
I commented on wrong bug, meant for 18947 -- You are receiving this mail because: You are watching all bug changes.
https://bugs.koha-community.org/bugzilla3/show_bug.cgi?id=18992 --- Comment #4 from Nick Clemens <nick@bywatersolutions.com> --- (In reply to Jonathan Druart from comment #2)
Is this related to bug 18880?
And no, I think this exists separate from the work there - the decision is whether we should fallback if the user exists in ldap but password is wrong ( I think we should) -- You are receiving this mail because: You are watching all bug changes.
https://bugs.koha-community.org/bugzilla3/show_bug.cgi?id=18992 Kyle M Hall <kyle@bywatersolutions.com> changed: What |Removed |Added ---------------------------------------------------------------------------- CC| |kyle@bywatersolutions.com -- You are receiving this mail because: You are watching all bug changes.
participants (1)
-
bugzilla-daemon@bugs.koha-community.org