Item13939:Item13956: various fixes and improvements
* added <nop>IgnoreReferrals switch
* fixed occasional infinite loop when checking for an existing user
* be more robust against misconfiguring ca-file and/or ca-path
MichaelDaum committed Apr 22, 2016
1 parent 7cc44a9 commit bfca3e2
Showing 8 changed files with 36 additions and 39 deletions.
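--- a/data/System/LdapContrib.txt
+++ b/data/System/LdapContrib.txt
@@ -500,6 +500,9 @@ This work was partly sponsored by
 ---++ Change History
 
 %TABLE{columnwidths="7em" tablewidth="100%"}%
+| 22 Apr 2016: | added <nop>IgnoreReferrals switch; \
+fixed occasional infinite loop when checking for an existing user; \
+be more robust against misconfiguring ca-file and/or ca-path |
 | 21 Sep 2015: | added <nop>LdapTemplateLogin and <nop>LdapApacheLogin managers; \
 added <nop>RewriteLoginNames config parameter; \
 prevent against infinite redirects when using kerberos login but no ticket may be exchanged |
@@ -629,9 +632,9 @@ This work was partly sponsored by
 %META:FORM{name="PackageForm"}%
 %META:FIELD{name="Author" title="Author" value="Michael Daum"}%
 %META:FIELD{name="Copyright" title="Copyright" value="&copy; 2006-2015 Michael Daum http://michaeldaumconsulting.com"}%
-%META:FIELD{name="Home" value="http://foswiki.org/Extensions/LdapContrib"}%
+%META:FIELD{name="Home" value="https://foswiki.org/Extensions/LdapContrib"}%
 %META:FIELD{name="License" title="License" value="GPL ([[http://www.gnu.org/copyleft/gpl.html][GNU General Public License]])"}%
 %META:FIELD{name="Release" title="Release" value="%$RELEASE%"}%
 %META:FIELD{name="Repository" title="Repository" value="https://github.com/foswiki/LdapContrib"}%
-%META:FIELD{name="Support" value="http://foswiki.org/Support/LdapContrib"}%
+%META:FIELD{name="Support" value="https://foswiki.org/Support/LdapContrib"}%
 %META:FIELD{name="Version" title="Version" value="%$VERSION%"}%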
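--- a/lib/Foswiki/Contrib/LdapContrib.pm
+++ b/lib/Foswiki/Contrib/LdapContrib.pm
@@ -1,6 +1,6 @@
 # Module of Foswiki - The Free and Open Source Wiki, http://foswiki.org/
 #
-# Copyright (C) 2006-2015 Michael Daum http://michaeldaumconsulting.com
+# Copyright (C) 2006-2016 Michael Daum http://michaeldaumconsulting.com
 # Portions Copyright (C) 2006 Spanlink Communications
 #
 # This program is free software; you can redistribute it and/or
@@ -30,8 +30,8 @@ use Encode ();
 use Foswiki::Func ();
 use Foswiki::Plugins ();
 
-our $VERSION = '7.31';
-our $RELEASE = '21 Sep 2015';
+our $VERSION = '7.40';
+our $RELEASE = '22 Apr 2016';
 our $SHORTDESCRIPTION = 'LDAP services for Foswiki';
 our $NO_PREFS_IN_TOPIC = 1;
 our %sharedLdapContrib;
@@ -156,6 +156,7 @@ sub new {
 port => $Foswiki::cfg{Ldap}{Port} || 389,
 version => $Foswiki::cfg{Ldap}{Version} || 3,
 ipv6 => $Foswiki::cfg{Ldap}{IPv6} || 0,
+ignoreReferrals => $Foswiki::cfg{Ldap}{IgnoreReferrals} || 0,
 
 userBase => $Foswiki::cfg{Ldap}{UserBase}
 || [$Foswiki::cfg{Ldap}{Base}]
@@ -371,9 +372,10 @@ sub connect {
 #writeDebug("using TLS");
 my %args = (
 verify => $this->{tlsVerify},
-cafile => $this->{tlsCAFile},
-capath => $this->{tlsCAPath},
 );
+
+$args{"cafile"} = $this->{tlsCAFile} if $this->{tlsCAFile};
+$args{"capath"} = $this->{tlsCAPath} if $this->{tlsCAPath} && !$this->{tlsCAFile};
 $args{"clientcert"} = $this->{tlsClientCert} if $this->{tlsClientCert};
 $args{"clientkey"} = $this->{tlsClientKey} if $this->{tlsClientKey};
 $args{"sslversion"} = $this->{tlsSSLVersion} if $this->{tlsSSLVersion};
@@ -657,7 +659,7 @@ sub search {
 }
 
 if ($errorCode == LDAP_REFERRAL) {
-unless ($this->{_followingLink}) {
+if (!$this->{ignoreReferrals} && !$this->{_followingLink}) {
 my @referrals = $msg->referrals;
 foreach my $link (@referrals) {
 writeDebug("following referral $link");
@@ -742,7 +744,7 @@ sub cacheBlob {
 if ($refresh || !-f $fileName) {
 writeDebug("caching blob for $attr to $fileName");
 my $value = $entry->get_value($attr);
-return undef unless defined $value;
+return unless $value;
 mkdir($dir, 0775) unless -e $dir;
 
 open(FILE, ">$fileName") || die "can't open $fileName";
@@ -1676,25 +1678,7 @@ sub rewriteName {
 
 my $out = $in;
 
-# Original:
-# while (my ($pattern,$subst) = each %$rules) {
-#
-# this produces a re-entrant bug.
-# http://blogs.perl.org/users/rurban/2014/04/do-not-use-each.html
-#
-# 1) something needs to be rewritten
-# 2) start with the first entry in rules
-# 3) it matches. rewrite it, return out (call to last)
-# 4) something else needs to be rewritten
-# 5) continue with the second entry in rules, as
-# rules points to the same hash and each just
-# continues where it was.
-# (re-entrant bug)
-#
-# use keys to fetch all keys and then iterate.
-# avoids re-entrant bug of each
-
-for my $pattern (keys %$rules) {
+foreach my $pattern (keys %$rules) {
 my $subst = $rules->{$pattern};
 if ($out =~ /^(?:$pattern)$/) {
 my $arg1 = $1;
@@ -2657,6 +2641,7 @@ sub fromLdapCharSet {
 my ($this, $string) = @_;
 
 my $ldapCharSet = $Foswiki::cfg{Ldap}{CharSet} || 'utf-8';
+return $string if $Foswiki::cfg{Site}{CharSet} eq $ldapCharSet;
 
 return Encode::decode($ldapCharSet, $string);
 }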
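Review bot: The early return added to fromLdapCharSet compares the two charset names with a plain `eq`, so spellings such as 'UTF-8', 'utf-8' and 'utf8' count as different and the shortcut silently never applies, while an unset {Site}{CharSet} raises an uninitialized-value warning on every call. Comparing canonical names makes the check reliable: `my $siteCharSet = Encode::resolve_alias($Foswiki::cfg{Site}{CharSet} || '') || '';` followed by `return $string if $siteCharSet && $siteCharSet eq (Encode::resolve_alias($ldapCharSet) || '');`. Note also that when the names do match the sub now hands back the raw octets from LDAP rather than the decoded string Encode::decode produces, so callers that relied on always receiving character data may see different results; whether that is intended depends on how the site charset is handled elsewhere, which is not visible here. The rewriteName hunk additionally drops the comment explaining why `keys` rather than `each` iterates %$rules; keeping a one-liner such as `# use keys, not each: each keeps iterator state across re-entrant calls` would protect that fix from being undone later.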
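--- a/lib/Foswiki/Contrib/LdapContrib/Config.spec
+++ b/lib/Foswiki/Contrib/LdapContrib/Config.spec
@@ -33,6 +33,15 @@ $Foswiki::cfg{Ldap}{Version} = '3';
 # Base DN to use in searches
 $Foswiki::cfg{Ldap}{Base} = 'dc=my,dc=domain,dc=com';
 
+# **BOOLEAN**
+# Use this switch to prune LDAP referrals. Normally admins may use referrals to guide search paths
+# in a directory or among several servers to follow a certain URL. The normal behavior is to follow
+# these referrals and continue search there recursively. However under certain conditions these referrals may
+# result in a search to traverse a very large array of different paths that may or may not
+# be online and when not result in undesirable timeouts. In general best practice would
+# be to maintain the directory in a consistent state and remove stale referrals not to harm queries performance.
+$Foswiki::cfg{Ldap}{IgnoreReferrals} = 0;
+
 # **STRING**
 # The DN to use when binding to the LDAP server; if undefined anonymous binding
 # will be used. Example 'cn=proxyuser,dc=my,dc=domain,dc=com'
@@ -71,7 +80,7 @@ $Foswiki::cfg{Ldap}{SASLMechanism} = 'PLAIN CRAM-MD5 EXTERNAL ANONYMOUS';
 
 # **BOOLEAN**
 # Use Transort Layer Security (TLS) to encrypt the connection to the LDAP server.
-# You will need to specify the servers CA File using the TLSCAFile option
+# You will need to specify the servers CA File using the TLSCAFile or TLSCAPath option
 $Foswiki::cfg{Ldap}{UseTLS} = 0;
 
 # **STRING**
@@ -84,14 +93,14 @@ $Foswiki::cfg{Ldap}{TLSSSLVersion} = 'tlsv1';
 # or 'require'.
 $Foswiki::cfg{Ldap}{TLSVerify} = 'require';
 
-# **STRING**
-# Pathname of the directory containing CA certificates
-$Foswiki::cfg{Ldap}{TLSCAPath} = '';
-
 # **STRING**
 # Filename containing the certificate of the CA which signed the server’s certificate.
 $Foswiki::cfg{Ldap}{TLSCAFile} = '';
 
+# **STRING**
+# Pathname of the directory containing CA certificates.
+$Foswiki::cfg{Ldap}{TLSCAPath} = '';
+
 # **STRING**
 # Client side certificate file
 $Foswiki::cfg{Ldap}{TLSClientCert} = '';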
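Review bot: The reworded UseTLS comment presents TLSCAFile and TLSCAPath as alternatives, but the connect() change in this same commit passes capath only when TLSCAFile is empty, so an admin who fills in both gets the file alone and the directory is silently ignored; the TLSCAPath entry should state that, e.g. `# Pathname of the directory containing CA certificates. Ignored when TLSCAFile is set.`. While touching that line, 'servers CA File' should read `server's CA file`. It would also help to say in the IgnoreReferrals text that the switch only stops LDAP_REFERRAL results from being followed and does not otherwise change what the contacted server returns, since that is all the search() change does.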
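--- a/lib/Foswiki/LoginManager/KerberosLogin.pm
+++ b/lib/Foswiki/LoginManager/KerberosLogin.pm
@@ -1,6 +1,6 @@
 # Module of Foswiki - The Free and Open Source Wiki, http://foswiki.org/
 #
-# Copyright (C) 2015 Michael Daum http://michaeldaumconsulting.com
+# Copyright (C) 2015-2016 Michael Daum http://michaeldaumconsulting.com
 #
 # This program is free software; you can redistribute it and/or
 # modify it under the terms of the GNU General Public License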
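--- a/lib/Foswiki/LoginManager/LdapApacheLogin.pm
+++ b/lib/Foswiki/LoginManager/LdapApacheLogin.pm
@@ -1,6 +1,6 @@
 # Module of Foswiki - The Free and Open Source Wiki, http://foswiki.org/
 #
-# Copyright (C) 2007-2015 Michael Daum http://michaeldaumconsulting.com
+# Copyright (C) 2007-2016 Michael Daum http://michaeldaumconsulting.com
 #
 # This program is free software; you can redistribute it and/or
 # modify it under the terms of the GNU General Public License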
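--- a/lib/Foswiki/LoginManager/LdapTemplateLogin.pm
+++ b/lib/Foswiki/LoginManager/LdapTemplateLogin.pm
@@ -1,6 +1,6 @@
 # Module of Foswiki - The Free and Open Source Wiki, http://foswiki.org/
 #
-# Copyright (C) 2007-2015 Michael Daum http://michaeldaumconsulting.com
+# Copyright (C) 2007-2016 Michael Daum http://michaeldaumconsulting.com
 #
 # This program is free software; you can redistribute it and/or
 # modify it under the terms of the GNU General Public License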
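--- a/lib/Foswiki/Users/LdapUserMapping.pm
+++ b/lib/Foswiki/Users/LdapUserMapping.pm
@@ -248,8 +248,8 @@ sub userExists {
 return 1 if $wikiName;
 
 my $result = 0;
-if ($this->{ldap}{nativeGroupsBackoff}) {
-# see LdapPasswdUser
+if ($this->{ldap}{nativeGroupsBackoff} && ! $this->{session}->inContext("_user_exists")) {
+# prevent deep recursion
 $this->{session}->enterContext("_user_exists");
 $result = $this->SUPER::userExists($cUID);
 $this->{session}->leaveContext("_user_exists");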
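Review bot: If SUPER::userExists dies, the leaveContext call after it never runs and the "_user_exists" context stays set, presumably for the rest of the request, so every later userExists call takes the guarded branch and reports 0 without consulting the native backend. Clearing the context on every path avoids that: `my $ok = eval { $result = $this->SUPER::userExists($cUID); 1 };` then `$this->{session}->leaveContext("_user_exists");` then `die $@ unless $ok;`. The guard itself also silently answers "does not exist" when re-entered, which is the intended recursion stop but is worth saying in the comment, e.g. `# prevent deep recursion: a nested call answers 0 rather than querying the native backend again`. userExists starts and ends outside this hunk, so the surrounding control flow is not visible here.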
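--- a/tools/ldaptest
+++ b/tools/ldaptest
@@ -1,7 +1,7 @@
 #!/usr/bin/env perl
 # Test program to check your ldap connectivity using perl
 #
-# Copyright (C) 2006-2015 Michael Daum http://michaeldaumconsulting.com
+# Copyright (C) 2006-2016 Michael Daum http://michaeldaumconsulting.com
 # Portions Copyright (C) 2006 Spanlink Communications
 #
 # This program is free software; you can redistribute it and/or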
