Closed
Bug 99697
Opened 24 years ago
Closed 19 years ago
LDAP authentication does not check for emailregexp parameter.
Categories
(Bugzilla :: User Accounts, defect, P2)
Tracking
()
RESOLVED
FIXED
Bugzilla 3.0
People
(Reporter: asolofnenko, Assigned: mkanat)
Details
When using LDAP, Bugzilla silently copies LDAP accounts into the profiles table
without checking user emails against the email filter. On one server it is possible
to host multiple email domains and right now there is no way to restrict which
users can access Bugzilla.
Reporter
Comment 1•24 years ago
proposed fix:
diff -c -r1.100 CGI.pl
*** CGI.pl 2001/08/26 18:51:45 1.100
--- CGI.pl 2001/10/13 00:59:12
***************
*** 907,912 ****
--- 923,938 ----
# Mozilla::LDAP::Entry->getValues returns an array for the attribute
# requested, even if there's only one entry.
$enteredlogin = ($userEntry->getValues(Param("LDAPmailattribute")))[0];
+
+ my $emailregexp = Param("emailregexp");
+ unless ( $enteredlogin =~ m/$emailregexp/ ) {
+ print "Content-type: text/html\n\n";
+ PutHeader("Login Failed");
+ print "The username or password you entered is not valid..\n";
+ print "Please click <b>Back</b> and try again.\n";
+ PutFooter();
+ exit;
+ }
# We're going to need the cryptpwd for this user from the database
# so that we can set the cookie below, even though we're not going
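Review bot: the added "unless ( $enteredlogin =~ m/$emailregexp/ )" test runs on the first value returned by getValues(Param("LDAPmailattribute")) without first checking that a value came back. If the LDAP entry has no mail attribute, $enteredlogin is undef, Perl matches it as an empty string, and a permissive emailregexp would let the login continue with no address at all. Add a defined-and-non-empty check ahead of the match and fail the login in that case too. Separately, the rejection reuses the generic "The username or password you entered is not valid.." text (note the doubled period), so nothing tells the administrator that the account was refused by emailregexp rather than by a bad password; a server-side log entry at this point would make the filter diagnosable without changing what the user sees.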
Updated•24 years ago
Priority: -- → P2
Target Milestone: --- → Bugzilla 2.18
Comment 2•23 years ago
Perhaps we don't want the LDAP login to be an email address? LDAP would allow
us to log in as anything that can uniquely identify that user that is stored
under their LDAP record. Employee number, SSN, ...whatever. Once you know it's
them, you could go and grab their email address from their LDAP record. I would
suggest creating a parameter LDAPloginattribute. The admin would specify what
LDAP attribute to authenticate its users against. LDAPmailattribute would be
set to the attribute which holds their email addresses. This wouldn't require
many changes...let me know what you folks think...
Comment 3•21 years ago
This is a bug where we have not even decided IF we want to do it, so I'm
removing the 2.18 target.
That said, I hope LDAP lets you log in with a username and then retrieve and use
the email address.
Target Milestone: Bugzilla 2.18 → ---
Updated•19 years ago
QA Contact: mattyt-bugzilla → default-qa
Assignee
Updated•19 years ago
Assignee: myk → mkanat
Target Milestone: --- → Bugzilla 2.24
Assignee
Comment 4•19 years ago
This was fixed by the Auth re-write. (You can see the change in the create_or_update_user sub in Bugzilla::Auth::Verify.)
Status: NEW → RESOLVED
Closed: 19 years ago
Resolution: --- → FIXED