Authentication via both LDAP and local mantis db

hendrix
Posts: 1
Joined: 19 Jul 2007, 21:28

Authentication via both LDAP and local mantis db

Post by hendrix »

I needed to provide functionality where mantis would first try to authenticate a user via LDAP, but failing that, would then try to authenticate a user against the mantis db. The reason for this is that we have some people that are in LDAP and some people that aren't.

I was happily surprised at how easy this was to do, so thought I'd share it in case there was any chance a similar change might make it into a future release of Mantis.

To implement, you just need to modify a few lines in core/authentication_api.php for the function auth_does_password_match().

Change:

Code:

if ( LDAP == $t_configured_login_method ) {
    return ldap_authenticate( $p_user_id, $p_test_password );
}
to:

Code:

if ( LDAP == $t_configured_login_method ) {
    if ( ldap_authenticate( $p_user_id, $p_test_password ) ) {
        return true;
    }
}
and then set core/config_inc.php settings so that Mantis uses LDAP for authentication. (i.e. $g_login_method = LDAP; etc.)

Code already exists in auth_does_password_match() that then tries to authenticate via the user's mantis db password using MD5, CRYPT, and PLAIN.

Kudos to the Mantis developers for making this so easy.

P.S. This change was done on version 1.0.7.
Bijesz
Posts: 4
Joined: 03 Aug 2007, 19:56

Post by Bijesz »

Hi,

Nice feature, but I think it might be better if local authentication takes place first, and only if that fails, LDAP.

That's because it can generate several authentication failure logs in the LDAP system and sysadmins probably won't like that.

Therefore I prefer this:

Code:

function auth_does_password_match( $p_user_id, $p_test_password ) {
	$t_configured_login_method = config_get( 'login_method' );

	$t_password      = user_get_field( $p_user_id, 'password' );
	$t_login_methods = Array(MD5, CRYPT, PLAIN);
	foreach ( $t_login_methods as $t_login_method ) {

		# pass the stored password in as the salt
		if ( auth_process_plain_password( $p_test_password, $t_password, $t_login_method ) == $t_password ) {
			# Check for migration to another login method and test whether the password was encrypted
			# with our previously insecure implementation of the CRYPT method
			if ( ( $t_login_method != $t_configured_login_method ) ||
				( ( CRYPT == $t_configured_login_method ) && substr( $t_password, 0, 2 ) == substr( $p_test_password, 0, 2 ) ) ) {
				user_set_password( $p_user_id, $p_test_password, true );
			}

			return true;
		}
	}

	# local password did not match: only now try the directory
	if ( LDAP == $t_configured_login_method ) {
		return ldap_authenticate( $p_user_id, $p_test_password );
	}

	return false;
}
kratib
Posts: 12
Joined: 07 Jun 2006, 09:21

Encrypting and changing password

Post by kratib »

I needed that feature today and reached exactly the same conclusion as you did.

A couple of other changes will make the feature even sweeter:
1. As it stands, the password ends up being stored plain-text in the database, because auth_process_plain_password() doesn't have a case for LDAP. If you want the password stored as MD5, just add

Code:

case LDAP:
below

Code:

case MD5:
2. As it stands, users who are not on LDAP cannot change their password. A simple workaround is to override the custom function auth_can_change_password() in custom_functions_inc.php:

Code:

function custom_function_override_auth_can_change_password() {
  return true;
}
Of course, in that case, LDAP users will also be able to change their Mantis password although that won't affect their LDAP password.

Hope this helps,
K.
akimeu007
Posts: 23
Joined: 19 Sep 2010, 20:40

Re: Authentication via both LDAP and local mantis db

Post by akimeu007 »

Hello all. Has anyone tried this with 1.2.x? I'm interested in implementing this option too and looking for any input.

Thank you,
Alex
harryw
Posts: 1
Joined: 21 Jun 2018, 10:10

Re: Authentication via both LDAP and local mantis db

Post by harryw »

Hi,

I know this thread is fairly old, but I want to share my small change that uses local account data first, falling back to LDAP only if that fails.
The login method needs to be configured as LDAP.
Base version is 2.14.0, my changes are marked in-line by comments:

Code:

/**
 * Return true if the password for the user id given matches the given
 * password (taking into account the global login method)
 * @param integer $p_user_id       User id to check password against.
 * @param string  $p_test_password Password.
 * @return boolean indicating whether password matches given the user id
 * @access public
 */
function auth_does_password_match( $p_user_id, $p_test_password ) {
        $t_configured_login_method = config_get_global( 'login_method' );

        # ORIGINAL CODE which was moved to bottom (harry) 
        /*
        if( LDAP == $t_configured_login_method ) {
                return ldap_authenticate( $p_user_id, $p_test_password );
        }
        */

        if( !auth_can_use_standard_login( $p_user_id ) ) {
                return false;
        }

        $t_password = user_get_field( $p_user_id, 'password' );
        $t_login_methods = array(
                MD5,
                CRYPT,
                PLAIN,
                BASIC_AUTH,
        );

        foreach( $t_login_methods as $t_login_method ) {
                # pass the stored password in as the salt
                if( auth_process_plain_password( $p_test_password, $t_password, $t_login_method ) == $t_password ) {
                        # Allow this fallback if LDAP is active, don't do any migration then!
                        # (harry)
                        if( LDAP == $t_configured_login_method ) return true;

                        # Do not support migration to PLAIN, since this would be a crazy thing to do.
                        # Also if we do, then a user will be able to login by providing the MD5 value
                        # that is copied from the database.  See #8467 for more details.
                        if( ( $t_configured_login_method != PLAIN && $t_login_method == PLAIN ) ||
                                ( $t_configured_login_method != BASIC_AUTH && $t_login_method == BASIC_AUTH ) ) {
                                continue;
                        }

                        # Check for migration to another login method and test whether the password was encrypted
                        # with our previously insecure implementation of the CRYPT method
                        if( ( $t_login_method != $t_configured_login_method ) || (( CRYPT == $t_configured_login_method ) && mb_substr( $t_password, 0, 2 ) == mb_substr( $p_test_password, 0, 2 ) ) ) {
                                user_set_password( $p_user_id, $p_test_password, true );
                        }

                        return true;
                }
        }

        # ORIGINAL CODE from top moved to here to give local password priority: (harry)
        if( LDAP == $t_configured_login_method ) {
                return ldap_authenticate( $p_user_id, $p_test_password );
        }
        return false;
}
I'm not sure this works correctly all the time, but maybe it helps someone.

Cheers,
Harry
Olaf123
Posts: 4
Joined: 01 Oct 2009, 09:39

Re: Authentication via both LDAP and local mantis db

Post by Olaf123 »

Dear all:

My use case is that I want to keep an admin account outside the LDAP system in case LDAP breaks, and because it is bad practice to be a regular user and admin at the same time. Most organizations will not allow you to have a separate LDAP account.

I like the beautiful code, but after trying this I have some major security concerns. The proposed code, both the old and the new versions, ignores the idea that LDAP should be leading. If the LDAP password changes, trying to log on to Mantis with your old password must fail. If LDAP is running and can be connected to, there should be no fallback to other login methods for accounts in LDAP. Only if the account is not in LDAP should there be a fallback. If LDAP is down, the fallback should operate as intended.

I am not a PHP programmer, but when looking at the code the only solution I see is to hack the LDAP API to return not only true or false but also a few other things: LDAP authenticated | LDAP works but account not found | LDAP account found but password not valid. With these status messages the fallback can then be controlled.

I will try to investigate this further next month.
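As an added illustration of the three-way LDAP result Olaf123 asks for (example code written for this thread, not MantisBT code and not code from any poster), the following stand-alone PHP script models the decision: fall back to the local password only when the directory reports that the account does not exist or the directory cannot be reached, and never when the directory saw the account and rejected the password. Every function and constant name below is an assumption; `ldap_authenticate_tristate()` is a constructed stand-in that takes an in-memory array in place of a real directory, and the local store uses PHP's `password_hash()`/`password_verify()` instead of the MD5/CRYPT/PLAIN loop shown in the posts above.

```php
<?php
// Added example for this thread, not MantisBT code. Requires PHP 7.1+ (nullable types).
// Models mixed LDAP / local authentication with a tri-state directory result so that
// an LDAP password rejection is never masked by an old local password.

// Possible outcomes of an LDAP authentication attempt (assumed constants).
const LDAP_OK          = 'ok';          // bind succeeded
const LDAP_NO_ACCOUNT  = 'no_account';  // server reachable, account not found
const LDAP_BAD_PASS    = 'bad_pass';    // account found, password rejected
const LDAP_UNAVAILABLE = 'unavailable'; // server could not be contacted

/**
 * Constructed stand-in for the directory. $directory maps username => password;
 * null models a server that cannot be reached. Real code would map the results of
 * ldap_search()/ldap_bind() onto the same four outcomes instead of returning a bool.
 */
function ldap_authenticate_tristate( ?array $directory, string $user, string $pass ): string {
	if ( $directory === null ) {
		return LDAP_UNAVAILABLE;
	}
	if ( !array_key_exists( $user, $directory ) ) {
		return LDAP_NO_ACCOUNT;
	}
	return hash_equals( $directory[$user], $pass ) ? LDAP_OK : LDAP_BAD_PASS;
}

/**
 * Local check against hashed storage only. Because the stored value is a
 * password_hash() digest, presenting the stored value itself as the password
 * does not match (the PLAIN-method concern quoted in Harry's code above).
 */
function local_password_matches( array $local_users, string $user, string $pass ): bool {
	if ( !isset( $local_users[$user] ) ) {
		return false;
	}
	return password_verify( $pass, $local_users[$user] );
}

/**
 * Combined decision. True on an LDAP bind success, or on a local match only when
 * the directory could not vouch for the account (absent or unreachable).
 */
function auth_mixed( ?array $directory, array $local_users, string $user, string $pass ): bool {
	switch ( ldap_authenticate_tristate( $directory, $user, $pass ) ) {
		case LDAP_OK:
			return true;
		case LDAP_BAD_PASS:
			# LDAP is authoritative for this account: a stale local password must not work.
			return false;
		case LDAP_NO_ACCOUNT:
		case LDAP_UNAVAILABLE:
			return local_password_matches( $local_users, $user, $pass );
	}
	return false;
}

// Constructed sample data: one directory user and one break-glass admin kept outside LDAP.
$directory = [ 'alice' => 'ldap-secret' ];
$local     = [
	'alice' => password_hash( 'stale-local', PASSWORD_DEFAULT ), # left over from before she moved to LDAP
	'admin' => password_hash( 'break-glass', PASSWORD_DEFAULT ), # emergency account, not in LDAP
];

var_dump( auth_mixed( $directory, $local, 'alice', 'ldap-secret' ) ); # LDAP user, current LDAP password
var_dump( auth_mixed( $directory, $local, 'alice', 'stale-local' ) ); # LDAP user, old local password, LDAP up
var_dump( auth_mixed( $directory, $local, 'admin', 'break-glass' ) ); # account unknown to LDAP
var_dump( auth_mixed( null,       $local, 'admin', 'break-glass' ) ); # same account while LDAP is down
var_dump( auth_mixed( null,       $local, 'alice', 'stale-local' ) ); # LDAP user, old local password, LDAP down
```

The last call shows the one case the tri-state result cannot close on its own: while the directory is unreachable, any local password still stored for a directory user becomes usable again, which is exactly why kratib's observation about what gets written to the local `password` column for LDAP users matters. Keeping the outage fallback for the break-glass admin while not storing a usable local password for directory users removes that window.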
ekesaf
Posts: 9
Joined: 28 Dec 2020, 06:42

Re: Authentication via both LDAP and local mantis db

Post by ekesaf »

What is the latest news on this subject?
Olaf123
Posts: 4
Joined: 01 Oct 2009, 09:39

Re: Authentication via both LDAP and local mantis db

Post by Olaf123 »

I gave up on this. I am too poor a PHP programmer to get this to work.