#015240: Final LDAP bind uses wrong DN (patch)

Index: Authentication/src/filters/ldap/ldap_filter.php
===================================================================
--- Authentication/src/filters/ldap/ldap_filter.php (revision 10730)
+++ Authentication/src/filters/ldap/ldap_filter.php (working copy)
@@ -272,13 +272,16 @@
return self::STATUS_USERNAME_INCORRECT;
}

- // username exists, so check if we can bind with the provided password
- if ( @ldap_bind( $connection, str_replace( '%id%', $credentials->id, $this->ldap->format ) . ',' . $this->ldap->base, $credentials->password ) )
+ // username exists, so get dn for it
+ $entry = ldap_first_entry( $connection, $search );
+ $entryDN = ldap_get_dn( $connection, $entry );
+
+ // check if we can bind with the provided password
+ if ( @ldap_bind( $connection, $entryDN, $credentials->password ) )
{
// retrieve extra authentication data
if ( count( $this->requestedData ) > 0 )
{
- $entry = ldap_first_entry( $connection, $search );
$attributes = ldap_get_attributes( $connection, $entry );

foreach ( $this->requestedData as $attribute )

Index: Authentication/tests/filters/ldap/ldap_test.php
===================================================================
--- Authentication/tests/filters/ldap/ldap_test.php (revision 10733)
+++ Authentication/tests/filters/ldap/ldap_test.php (working copy)
@@ -330,6 +330,23 @@
$this->assertEquals( $expected, $filter->fetchData() );
}

+ /**
+ * Test for issue #15240 (Final LDAP bind uses wrong DN (patch)).
+ */
+ public function testLdapSublevel()
+ {
+ $credentials = new ezcAuthenticationPasswordCredentials( 'johnny.doe', '12345' );
+ $ldap = new ezcAuthenticationLdapInfo( self::$host, self::$format, self::$base, self::$port );
+ $authentication = new ezcAuthentication( $credentials );
+ $filter = new ezcAuthenticationLdapFilter( $ldap );
+ $filter->registerFetchData( array( 'uid', 'displayName' ) );
+ $authentication->addFilter( $filter );
+ $this->assertEquals( true, $authentication->run() );
+
+ $expected = array( 'uid' => array( 'johnny.doe' ), 'displayName' => array ( 'Johnny Doe' ) );
+ $this->assertEquals( $expected, $filter->fetchData() );
+ }
+
public function testLdapInfo()
{
$ldap = ezcAuthenticationLdapInfo::__set_state( array( 'host' => self::$host, 'format' => self::$format, 'base' => self::$base, 'port' => self::$port, 'protocol' => ezcAuthenticationLdapFilter::PROTOCOL_TLS ) );

Index: Authentication/tests/filters/ldap/data/setup_accounts.php
===================================================================
--- Authentication/tests/filters/ldap/data/setup_accounts.php (revision 10733)
+++ Authentication/tests/filters/ldap/data/setup_accounts.php (working copy)
@@ -9,7 +9,7 @@
$dc = "dc=ezctest,dc=ez,dc=no";
$host = "ezctest.ez.no";

-$connection = Ldap::connect( 'ldap://ezctest.ez.no', "cn=%s,{$dc}", 'admin', 'wee123' );
+$connection = Ldap::connect( "ldap://$host", "cn=%s,{$dc}", 'admin', 'wee123' );

Ldap::delete( $connection, 'john.doe', $dc );
Ldap::delete( $connection, 'jan.modaal', $dc );
@@ -25,7 +25,9 @@
Ldap::add( $connection, 'john.doe', '{CRYPT}' . crypt( 'foobar' ), $dc );
Ldap::add( $connection, 'jan.modaal', '{SHA}' . base64_encode( pack( 'H*', sha1( 'qwerty' ) ) ), $dc );
Ldap::add( $connection, 'zhang.san', '{MD5}' . base64_encode( pack( 'H*', md5( 'asdfgh' ) ) ), $dc );
-Ldap::add( $connection, 'johnny.doe', '{MD5}' . base64_encode( pack( 'H*', md5( '12345' ) ) ), "ou=Users,{$dc}", array( 'displayName' => array( 'Johnny Doe' ) ) );
+Ldap::add( $connection, 'johnny.doe', '{MD5}' . base64_encode( pack( 'H*', md5( '12345' ) ) ), "ou=Users,{$dc}",
+ array( 'displayName' => 'Johnny Doe',
+ 'ou' => array( 'Users' ) ) );
//Ldap::add( $connection, 'jan.modaal', '{SHA}' . base64_encode( sha1( 'qwerty' ) ), $dc );
//Ldap::add( $connection, 'zhang.san', '{MD5}' . base64_encode( md5( 'asdfgh' ) ), $dc );
Ldap::add( $connection, 'hans.mustermann', 'abcdef', $dc );
@@ -96,18 +98,23 @@
*/
public static function add( $connection, $user, $password, $dc, $extra = array() )
{
- $ldaprecord['uid'] = $user;
- $ldaprecord['objectclass'][0] = "top";
- $ldaprecord['objectclass'][] = "account";
- $ldaprecord['objectclass'][] = "simpleSecurityObject";
+ $ldaprecord['uid'][0] = $user;
+ // The 'person' classes are not compatible with account and simpleSecurityObject
+ if ( $user == 'johnny.doe' )
+ {
+ $ldaprecord['objectclass'][0] = "person";
+ $ldaprecord['objectclass'][] = "organizationalPerson";
+ $ldaprecord['objectclass'][] = "inetOrgPerson";
+ $ldaprecord['sn'] = array( 'Doe' );
+ $ldaprecord['cn'] = array( 'Johnny Doe' );
+ }
+ else
+ {
+ $ldaprecord['objectclass'][0] = "account";
+ $ldaprecord['objectclass'][] = "simpleSecurityObject";
+ }
+ $ldaprecord['objectclass'][] = "top";
$ldaprecord['userPassword'][0] = $password;
- /*
- $ldaprecord['objectclass'][] = "person";
- $ldaprecord['objectclass'][] = "inetOrgPerson";
- $ldaprecord['sn'] = array( 'test' );
- $ldaprecord['cn'] = array( 'test' );
- $ldaprecord['userid'] = array( $user );
- */

foreach ( $extra as $key => $value )
{