
Trying to log into LDAP even when user is not LDAP user

Open vyskoczilova opened this issue 3 years ago • 2 comments

Hi Andreas,

we've spotted that when I log in as admin who has only WP account, I get the following message in the error log:

[26-Feb-2021 11:47:20 UTC] [AuthLDAP] User 'karolina' logging in
[26-Feb-2021 11:47:20 UTC] [AuthLDAP] about to do LDAP authentication
[26-Feb-2021 11:47:20 UTC] [AuthLDAP] connect to LDAP server
[26-Feb-2021 11:47:20 UTC] [AuthLDAP] No bind successfull. Exception thrown in line 70
[26-Feb-2021 11:47:20 UTC] PHP Notice:  No bind successfull. Exception thrown in line 70 in C:\laragon\www\getmantaportal\wp-content\plugins\authldap\authLdap.php on line 467
[26-Feb-2021 11:47:20 UTC] PHP Stack trace:
[26-Feb-2021 11:47:20 UTC] PHP   1. {main}() C:\laragon\www\getmantaportal\index.php:0
[26-Feb-2021 11:47:20 UTC] PHP   2. require() C:\laragon\www\getmantaportal\index.php:17
[26-Feb-2021 11:47:20 UTC] PHP   3. require_once() C:\laragon\www\getmantaportal\wp-blog-header.php:13
[26-Feb-2021 11:47:20 UTC] PHP   4. require_once() C:\laragon\www\getmantaportal\wp-load.php:37
[26-Feb-2021 11:47:20 UTC] PHP   5. require_once() C:\laragon\www\getmantaportal\wp-config.php:123
[26-Feb-2021 11:47:20 UTC] PHP   6. do_action() C:\laragon\www\getmantaportal\wp-settings.php:579
[26-Feb-2021 11:47:20 UTC] PHP   7. WP_Hook->do_action() C:\laragon\www\getmantaportal\wp-includes\plugin.php:484
[26-Feb-2021 11:47:20 UTC] PHP   8. WP_Hook->apply_filters() C:\laragon\www\getmantaportal\wp-includes\class-wp-hook.php:311
[26-Feb-2021 11:47:20 UTC] PHP   9. WC_Form_Handler::process_login() C:\laragon\www\getmantaportal\wp-includes\class-wp-hook.php:287
[26-Feb-2021 11:47:20 UTC] PHP  10. wp_signon() C:\laragon\www\getmantaportal\wp-content\plugins\woocommerce\includes\class-wc-form-handler.php:963
[26-Feb-2021 11:47:20 UTC] PHP  11. wp_authenticate() C:\laragon\www\getmantaportal\wp-includes\user.php:95
[26-Feb-2021 11:47:20 UTC] PHP  12. apply_filters() C:\laragon\www\getmantaportal\wp-includes\pluggable.php:549
[26-Feb-2021 11:47:20 UTC] PHP  13. WP_Hook->apply_filters() C:\laragon\www\getmantaportal\wp-includes\plugin.php:212
[26-Feb-2021 11:47:20 UTC] PHP  14. authLdap_login() C:\laragon\www\getmantaportal\wp-includes\class-wp-hook.php:287
[26-Feb-2021 11:47:20 UTC] PHP  15. trigger_error() C:\laragon\www\getmantaportal\wp-content\plugins\authldap\authLdap.php:467

That means it tries to log me in via LDAP even when get_user_meta($uid, 'authLDAP') returns null since it's not set. Maybe I'm seeing it wrong, but there is no check for this parameter before the connection to LDAP?

The login itself goes as expected and I log in, but this is weird since I would expect it to skip the authLdap process entirely.

vyskoczilova avatar Feb 26 '21 12:02 vyskoczilova

Now I had formulated a very thought through response why we need to do the LDAP authentication first. And then I reread your post and completely deleted it as you could be right. When `get_user_meta($uid, 'authLDAP')` returns 'null', we should not need to do the LDAP authentication you could think.

I'm just thinking about whether there can be cases where someone logs in with name but the username retrieved from LDAP would be different and so they might be using a different account then.

As currently it is i.e. possible to authenticate via the LDAP field wordpressUid which contains "me". That ldapuser has a uid of userA so for wordpress that user will have the uid userA. I'm not 100% sure whether that might open a loophole that can be exploited.

Nevertheless: After searching the LDAP for that user I can either see that there is no user with that identifier, so I take the literal one, or I find a user with that identifier, then I take the converted one and check that against the user's meta-data. If the user has no ldap-flag set, I can skip the rest of the authentication process.

I might implement that later...

heiglandreas avatar Feb 26 '21 13:02 heiglandreas
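The check sketched in the comment above, as an added illustration that is not the plugin's own code: resolve the submitted login against LDAP first, map it to the WordPress login, and only skip LDAP authentication when that WordPress user carries no `authLDAP` meta flag. It assumes a WordPress environment (`get_user_by`, `get_user_meta`, `is_email`) and uses a hypothetical lookup callable in place of the plugin's real LDAP search.

```php
<?php
// Added example, not code from the authLdap plugin. Assumes WordPress is
// loaded and that the plugin stores its per-user flag under the meta key
// 'authLDAP', as described in the issue.

/**
 * Decide whether the LDAP step can be skipped for a login attempt.
 *
 * $lookup_ldap_uid is a hypothetical callable(string): ?string returning the
 * canonical LDAP uid for the submitted login name, or null when no directory
 * entry matches. The directory is consulted BEFORE the meta check so that a
 * login submitted through an alternate LDAP attribute (the "me" -> "userA"
 * case above) is evaluated against the WordPress user it really maps to,
 * not against an unrelated local account that happens to share the name.
 */
function authldap_example_should_skip_ldap(string $login, callable $lookup_ldap_uid): bool
{
    $ldap_uid = $lookup_ldap_uid($login);

    // No directory entry: the literal login is the identifier WordPress sees.
    $wp_login = ($ldap_uid === null) ? $login : $ldap_uid;

    // WordPress also accepts e-mail addresses on the login form.
    $user = get_user_by('login', $wp_login);
    if (!$user && is_email($wp_login)) {
        $user = get_user_by('email', $wp_login);
    }
    if (!$user) {
        // Unknown to WordPress: do not skip, let the normal LDAP path decide.
        return false;
    }

    // get_user_meta() with $single = true returns '' when the key is absent,
    // so an unset flag and an explicit falsy value both mean "local-only".
    $flag = get_user_meta($user->ID, 'authLDAP', true);
    return empty($flag);
}

// Constructed stand-in for the LDAP search, mirroring the example in the
// comment: an alternate identifier "me" resolves to the uid "userA".
$example_lookup = function (string $login): ?string {
    $directory = ['me' => 'userA', 'userA' => 'userA'];
    return $directory[$login] ?? null;
};

// Usage: a purely local admin (no 'authLDAP' meta) yields true; a user that
// resolves to an LDAP uid whose WordPress account is flagged yields false.
// var_dump(authldap_example_should_skip_ldap('karolina', $example_lookup));
```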

@heiglandreas You're right with the rest of the user login process, no troubles on that side.

I haven't tested any other case than logging in with the email and there could be something going wrong. And it's probably better to be safe than sorry and I definitely don't want to open a loophole for an exploit (that's why I asked first instead of trying to fix it). Thanks for your feedback.

vyskoczilova avatar Feb 26 '21 13:02 vyskoczilova