From 8fd2a43ee222a821e0118ab465af93b7ada9bf5e Mon Sep 17 00:00:00 2001
From: Deon George
Date: Thu, 19 Jun 2025 10:30:16 +1000
Subject: [PATCH] Add alert for DN logins that dont exist. Might be attempts to use the rootdn which is not supported. Closes #345
---
 .env.example | 1 +
 app/Http/Controllers/Auth/LoginController.php | 26 +++++++++++++++
 config/pla.php | 8 +++--
 resources/views/errors/501.blade.php | 33 +++++++++++++++++++
 4 files changed, 66 insertions(+), 2 deletions(-)
 create mode 100644 resources/views/errors/501.blade.php
diff --git a/.env.example b/.env.example
index 85fc8c60..18c92eaa 100644
--- a/.env.example
+++ b/.env.example
@@ -14,3 +14,4 @@ LDAP_HOST=
 LDAP_USERNAME=
 LDAP_PASSWORD=
 LDAP_CACHE=false
+LDAP_ALERT_ROOTDN=true
diff --git a/app/Http/Controllers/Auth/LoginController.php b/app/Http/Controllers/Auth/LoginController.php
index a85785d1..3e020c15 100644
--- a/app/Http/Controllers/Auth/LoginController.php
+++ b/app/Http/Controllers/Auth/LoginController.php
@@ -8,7 +8,9 @@
 use Illuminate\Http\Request;
 use Illuminate\Support\Facades\Auth;
 use Illuminate\Support\Facades\Log;
+use App\Exceptions\InvalidUsage;
 use App\Http\Controllers\Controller;
+use App\Ldap\Entry;
 
 class LoginController extends Controller
 {
@@ -51,6 +53,30 @@ class LoginController extends Controller
 ];
 }
 
+ /**
+ * When attempt to login
+ *
+ * @param Request $request
+ * @return void
+ * @throws InvalidUsage
+ */
+ public function attemptLogin(Request $request)
+ {
+ $attempt = $this->guard()->attempt(
+ $this->credentials($request), $request->boolean('remember')
+ );
+
+ // If the login failed, and PLA is set to use DN login, check if the entry exists.
+ // If the entry doesnt exist, it might be the root DN, which cannot be used to login
+ if ((! $attempt) && $request->dn && config('pla.login.alert_rootdn',TRUE)) {
+ $dn = config('server')->fetch($request->dn);
+ $o = new Entry;
+
+ if (! $dn && $o->getConnection()->getLdapConnection()->errNo() === 32)
+ abort(501,'Authentication set to DN, but the DN doesnt exist');
+ }
+ }
+
 /**
 * We need to delete our encrypted username/password cookies
 *
diff --git a/config/pla.php b/config/pla.php
index 0aaf11d7..7a09ef87 100644
--- a/config/pla.php
+++ b/config/pla.php
@@ -84,8 +84,12 @@ return [
 * setup.
 */
 'login' => [
- 'attr' => [env('LDAP_LOGIN_ATTR','uid') => env('LDAP_LOGIN_ATTR_DESC','User ID')], // Attribute used to find user for login
- 'objectclass' => explode(',',env('LDAP_LOGIN_OBJECTCLASS', 'posixAccount')), // Objectclass that users must contain to login
+ // Attribute used to find user for login
+ 'attr' => [strtolower(env('LDAP_LOGIN_ATTR','uid')) => env('LDAP_LOGIN_ATTR_DESC','User ID')],
+ // Objectclass that users must contain to login
+ 'objectclass' => explode(',',env('LDAP_LOGIN_OBJECTCLASS', 'posixAccount')),
+ // Alert if DN is being used, and the login fails, and the the DN doesnt exist
+ 'alert_rootdn' => env('LDAP_ALERT_ROOTDN',TRUE) && strtolower(env('LDAP_LOGIN_ATTR','uid')) === 'dn',
 ],
 
 'template' => [
diff --git a/resources/views/errors/501.blade.php b/resources/views/errors/501.blade.php
new file mode 100644
index 00000000..77a8725a
--- /dev/null
+++ b/resources/views/errors/501.blade.php
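Review bot: attemptLogin() stores the guard result in `$attempt` but never returns it, and the docblock says `@return void`; if login() in this controller comes from Laravel's AuthenticatesUsers trait (not visible in the hunk), that trait treats a falsy return from attemptLogin() as a failed login, so a successful bind would be discarded — add `return $attempt;` after the if block and change the tag to `@return bool`. The existence check also runs before any authentication has succeeded and answers differently for a missing DN (the 501 page) than for a wrong password (the normal failure), so it tells an unauthenticated client whether a DN exists in the directory, and alert_rootdn defaults to true; consider recording the hint with the already-imported Log facade and returning the generic failure, or defaulting the option off. `@throws InvalidUsage` does not match the body, which signals via abort() rather than throwing InvalidUsage; either throw InvalidUsage or drop the tag together with the new `use App\Exceptions\InvalidUsage;` import in the first hunk.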
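Review bot: `strtolower(env('LDAP_LOGIN_ATTR','uid'))` is evaluated twice in the `login` array, once for the `attr` key and again inside `alert_rootdn`, so a later change to one default or normalisation will silently diverge from the other; hoisting it into a local before the `return [` (outside this hunk), e.g. `$loginAttr = strtolower(env('LDAP_LOGIN_ATTR','uid'));`, keeps them in step. The new comment has a doubled word: `// Alert if DN is being used, and the login fails, and the DN doesnt exist`. The uppercase `TRUE` defaults here and in the controller's `config('pla.login.alert_rootdn',TRUE)` are the same value in a non-PSR style; lowercase `true` is the convention.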
@@ -0,0 +1,33 @@ +@extends('architect::layouts.error') + +@section('error') + 501: @lang('LDAP Authentication Error') +@endsection + +@section('content') + + + + + + + + + + + + + + + +
@lang('Error')
{{ $exception->getMessage() }}
@lang('Possible Causes')
+
    +
  • The DN you used to login actually doesnt exist in the server (DN's must exist in order to login)
  • +
  • You are attempting to use the rootdn to login (not supported)
  • +
+
+ +

To suppress this message, set LDAP_ALERT_ROOTDN to FALSE before starting PLA.

+

Back to login?

+ +@endsection \ No newline at end of file
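Review bot: The new view is placed at resources/views/errors/501.blade.php, which Laravel appears to use as the page for every HTTP 501 response, yet its "Possible Causes" text only describes the DN-login case raised in LoginController::attemptLogin(); any other abort(501, …) in the application would show the same DN/rootdn explanation. Rendering a dedicated view from the controller, or keying the causes list off the exception message, keeps the generic error page generic. The echo `{{ $exception->getMessage() }}` is escaped by Blade and the message is a fixed literal in the controller, so that part is fine.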