Authentication via both LDAP and local mantis db

hendrix
Posts: 1
Joined: Jul 19, 2007 4:28 pm

Authentication via both LDAP and local mantis db

Post by hendrix » Jul 19, 2007 5:01 pm

I needed to provide functionality where mantis would first try to authenticate a user via LDAP, but failing that, would then try to authenticate a user against the mantis db. The reason for this is that we have some people that are in LDAP and some people that aren't.

I was happily surprised at how easy this was to do, so thought I'd share it in case there was any chance a similar change might make it into a future release of Mantis.

To implement, you just need to modify a few lines in core/authentication_api.php for the function auth_does_password_match().

Change:

Code:

if ( LDAP == $t_configured_login_method ) {
    return ldap_authenticate( $p_user_id, $p_test_password );
}
to:

Code:

if ( LDAP == $t_configured_login_method ) {
    if ( ldap_authenticate( $p_user_id, $p_test_password ) ) {
        return true;
    }
}
and then set core/config_inc.php settings so that Mantis uses LDAP for authentication. (i.e. $g_login_method = LDAP; etc.)

Code already exists in auth_does_password_match() that then tries to authenticate via the user's mantis db password using MD5, CRYPT, and PLAIN.

Kudos to the Mantis developers for making this so easy.

P.S. This change was done on version 1.0.7

Bijesz
Posts: 4
Joined: Aug 03, 2007 2:56 pm

Post by Bijesz » Aug 05, 2007 8:29 am

Hi,

Nice feature but I think it might be better if local authentication takes place first. And if it fails then the LDAP.

That's because it can generate several authentication failure logs in the LDAP system and sysadmins probably won't like that.

Therefore I prefer this:

Code:

	function auth_does_password_match( $p_user_id, $p_test_password ) {
		$t_configured_login_method = config_get( 'login_method' );

		$t_password			= user_get_field( $p_user_id, 'password' );
		$t_login_methods	= Array(MD5, CRYPT, PLAIN);
		foreach ( $t_login_methods as $t_login_method ) {

			# pass the stored password in as the salt
			if ( auth_process_plain_password( $p_test_password, $t_password, $t_login_method ) == $t_password ) {
				# Check for migration to another login method and test whether the password was encrypted
				# with our previously insecure implemention of the CRYPT method
				if ( ( $t_login_method != $t_configured_login_method ) ||
					( ( CRYPT == $t_configured_login_method ) && substr( $t_password, 0, 2 ) == substr( $p_test_password, 0, 2 ) ) ) {
					user_set_password( $p_user_id, $p_test_password, true );
				}

				return true;
			}
		}
		if ( LDAP == $t_configured_login_method ) {
			return ldap_authenticate( $p_user_id, $p_test_password );
		}
		return false;
	}

kratib
Posts: 11
Joined: Jun 07, 2006 4:21 am

Encrypting and changing password

Post by kratib » Aug 06, 2007 7:57 pm

I needed that feature today and reached exactly the same conclusion as did.

A couple of other changes will make the feature even sweeter:
1. As it stands, the password ends up being stored plain-text in the database, because auth_process_plain_password() doesn't have a case for LDAP. If you want the password stored as MD5, just add

Code:

case LDAP:
below

Code:

case MD5:
2. As it stands, users who are not on LDAP cannot change their password. A simple workaround is to override the custom function auth_can_change_password() in custom_functions_inc.php:

Code:

function custom_function_override_auth_can_change_password() {
  return true;
}
Of course, in that case, LDAP users will also be able to change their Mantis password although that won't affect their LDAP password.

Hope this helps,
K.

akimeu007
Posts: 23
Joined: Sep 19, 2010 3:40 pm

Re: Authentication via both LDAP and local mantis db

Post by akimeu007 » Jul 14, 2016 6:24 pm

Hello all. Has anyone tried this with 1.2.x? I'm interested in implementing this option too and looking for any input.

Thank you,
Alex

harryw
Posts: 1
Joined: Jun 21, 2018 5:10 am

Re: Authentication via both LDAP and local mantis db

Post by harryw » Jun 21, 2018 5:24 am

Hi,

I know this thread is fairly old, but I want to share my small change that is using local account data first, using LDAP only if it fails.
Method for login needs to be configured as LDAP.
Base version is 2.14.0, my changes are marked in-line by comments:

Code:

/**
 * Return true if the password for the user id given matches the given
 * password (taking into account the global login method)
 * @param integer $p_user_id       User id to check password against.
 * @param string  $p_test_password Password.
 * @return boolean indicating whether password matches given the user id
 * @access public
 */
function auth_does_password_match( $p_user_id, $p_test_password ) {
        $t_configured_login_method = config_get_global( 'login_method' );

        # ORIGINAL CODE which was moved to bottom (harry) 
        /*
        if( LDAP == $t_configured_login_method ) {
                return ldap_authenticate( $p_user_id, $p_test_password );
        }
        */

        if( !auth_can_use_standard_login( $p_user_id ) ) {
                return false;
        }

        $t_password = user_get_field( $p_user_id, 'password' );
        $t_login_methods = array(
                MD5,
                CRYPT,
                PLAIN,
                BASIC_AUTH,
        );

        foreach( $t_login_methods as $t_login_method ) {
                # pass the stored password in as the salt
                if( auth_process_plain_password( $p_test_password, $t_password, $t_login_method ) == $t_password ) {
                        # Allow this fallback if LDAP is active, don't do any migration then!
                        # (harry)
                        if( LDAP == $t_configured_login_method ) return(true);

                        # Do not support migration to PLAIN, since this would be a crazy thing to do.
                        # Also if we do, then a user will be able to login by providing the MD5 value
                        # that is copied from the database.  See #8467 for more details.
                        if( ( $t_configured_login_method != PLAIN && $t_login_method == PLAIN ) ||
                                ( $t_configured_login_method != BASIC_AUTH && $t_login_method == BASIC_AUTH ) ) {
                                continue;
                        }

                        # Check for migration to another login method and test whether the password was encrypted
                        # with our previously insecure implementation of the CRYPT method
                        if( ( $t_login_method != $t_configured_login_method ) || (( CRYPT == $t_configured_login_method ) && mb_substr( $t_password, 0, 2 ) == mb_substr( $p_test_password, 0, 2 ) ) ) {
                                user_set_password( $p_user_id, $p_test_password, true );
                        }

                        return true;
                }
        }

        # ORIGINAL CODE from top moved to here to give local password priority: (harry)
        if( LDAP == $t_configured_login_method ) {
                return ldap_authenticate( $p_user_id, $p_test_password );
        }
        return false;
}
I'm not sure that this works correctly all the time, though, but maybe it helps someone.

Cheers,
Harry
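The local-first order described in Bijesz's and harryw's posts, combined with kratib's LDAP case in auth_process_plain_password(), as an added stand-alone PHP model that is not Mantis code; the constant values, the in-memory $users table and the stub ldap_authenticate() are placeholders, and the sample users are constructed.

```php
<?php
// Added example, not Mantis code: local password first, LDAP only as fallback.
// Constants, $users and the stub ldap_authenticate() are placeholders.
const PLAIN = 0, MD5 = 1, LDAP = 2;

$g_login_method  = LDAP;   // the thread requires login_method to be LDAP
$g_ldap_attempts = 0;      // counts LDAP binds, i.e. the failure-log noise Bijesz mentions

// constructed sample users: alice is local only (MD5 stored), bob exists only in LDAP
$users = [
    'alice' => [ 'password' => md5( 'local-secret' ), 'ldap' => null ],
    'bob'   => [ 'password' => '',                    'ldap' => 'ldap-secret' ],
];

function auth_process_plain_password( $p_password, $p_method ) {
    switch ( $p_method ) {
        case LDAP:            # kratib: fall through to MD5 instead of storing plain text
        case MD5:   return md5( $p_password );
        default:    return $p_password;   # PLAIN
    }
}

function ldap_authenticate( $p_user, $p_password ) {
    global $users, $g_ldap_attempts;
    $g_ldap_attempts++;   # every call here is an entry in the LDAP server's logs
    return $users[$p_user]['ldap'] !== null && hash_equals( $users[$p_user]['ldap'], $p_password );
}

function auth_does_password_match( $p_user, $p_test_password ) {
    global $users, $g_login_method;
    if ( !isset( $users[$p_user] ) ) return false;
    $t_stored = $users[$p_user]['password'];
    foreach ( [ MD5, PLAIN ] as $t_method ) {
        # PLAIN is only accepted when it is the configured method (harryw's #8467 guard)
        if ( PLAIN == $t_method && PLAIN != $g_login_method ) continue;
        if ( $t_stored !== '' && hash_equals( $t_stored, auth_process_plain_password( $p_test_password, $t_method ) ) ) {
            return true;   # local match: no migration while LDAP is active (harryw)
        }
    }
    # LDAP is only contacted after the local check fails (Bijesz)
    return LDAP == $g_login_method && ldap_authenticate( $p_user, $p_test_password );
}

$r_local = auth_does_password_match( 'alice', 'local-secret' );   // local user, LDAP never contacted
$r_ldap  = auth_does_password_match( 'bob', 'ldap-secret' );      // no local hash, one LDAP bind
$r_bad   = auth_does_password_match( 'bob', md5( 'x' ) );          // a copied hash is not a password
printf( "local=%d ldap=%d bad=%d ldap_attempts=%d\n", $r_local, $r_ldap, $r_bad, $g_ldap_attempts );
```

Run with `php` from the command line; the final counter shows that only the LDAP-only user caused binds against the directory.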
