[Pkg-owncloud-commits] [owncloud] 49/457: throw exception on LDAP error 1, which we usually do not see and is pretty generic. AD uses is for uses not enlisted in the RFC, like on issues with anonymous binds. we also try to guess this case and show a hint.

David Prévot taffit at moszumanska.debian.org
Sun Jun 28 20:05:23 UTC 2015


This is an automated email from the git hooks/post-receive script.

taffit pushed a commit to branch stable8
in repository owncloud.

commit 5a563936579110bfa7d333ae8f32121cbc36cc7d
Author: Arthur Schiwon <blizzz at owncloud.com>
Date:   Fri May 8 17:15:29 2015 +0200

    throw exception on LDAP error 1, which we usually do not see and which is pretty generic. AD uses it for cases not listed in the RFC, like issues with anonymous binds. We also try to guess this case and show a hint.
---
 apps/user_ldap/ajax/testConfiguration.php    | 17 +++++++++++++++++
 apps/user_ldap/js/wizard/wizardTabGeneric.js |  6 ++++++
 apps/user_ldap/lib/ldap.php                  |  2 ++
 3 files changed, 25 insertions(+)

diff --git a/apps/user_ldap/ajax/testConfiguration.php b/apps/user_ldap/ajax/testConfiguration.php
index 2899577..f5fd5f2 100644
--- a/apps/user_ldap/ajax/testConfiguration.php
+++ b/apps/user_ldap/ajax/testConfiguration.php
@@ -39,6 +39,23 @@ try {
 	if ($connection->setConfiguration($_POST)) {
 		//Configuration is okay
 		if ($connection->bind()) {
+			/*
+			 * This shiny if block is an ugly hack to find out whether anonymous
+			 * bind is possible on AD or not. Because AD happily and constantly
+			 * replies with success to any anonymous bind request, we need to
+			 * fire up a broken operation. If AD does not allow anonymous bind,
+			 * it will end up with LDAP error code 1 which is turned into an
+			 * exception by the LDAP wrapper. We catch this. Other cases may
+			 * pass (like e.g. expected syntax error).
+			 */
+			try {
+				$ldapWrapper->read($connection->getConnectionResource(), 'neverwhere', 'objectClass=*', array('dn'));
+			} catch (\Exception $e) {
+				if($e->getCode() === 1) {
+					OCP\JSON::error(array('message' => $l->t('The configuration is invalid: anonymous bind is not allowed.')));
+					exit;
+				}
+			}
 			OCP\JSON::success(array('message'
 			=> $l->t('The configuration is valid and the connection could be established!')));
 		} else {
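Review bot: The `catch (\Exception $e)` around the probe read swallows every exception whose code is not 1, so a `ServerNotAvailableException` raised by the wrapper during the probe falls through to the success message and the user is told the configuration is valid. Only the error-code-1 case should be handled here; anything else should be re-raised to the enclosing `try` (which starts above this hunk), e.g. `if ($e->getCode() !== 1) { throw $e; }` before the `OCP\JSON::error(...)` call. The probe also hard-codes `'neverwhere'` as the base DN; a one-line comment saying the DN is deliberately bogus so that the search cannot return real entries would make the intent clear without reading the block comment. I am assuming `$ldapWrapper` is initialised earlier in this file, which is outside the hunk.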
diff --git a/apps/user_ldap/js/wizard/wizardTabGeneric.js b/apps/user_ldap/js/wizard/wizardTabGeneric.js
index c272df7..b755f3c 100644
--- a/apps/user_ldap/js/wizard/wizardTabGeneric.js
+++ b/apps/user_ldap/js/wizard/wizardTabGeneric.js
@@ -74,7 +74,13 @@ OCA = OCA || {};
 				&& !this.configModel.configuration.ldap_dn)
 			{
 				message = t('user_ldap', 'Anonymous bind is not allowed. Please provide a User DN and Password.');
+			} else if (message === 'LDAP Operations error'
+				&& !this.configModel.configuration.ldap_dn
+				&& !this.configModel.configuration.ldap_agent_password)
+			{
+				message = t('user_ldap', 'LDAP Operations error. Anonymous bind might not be allowed.');
 			}
+
 			return message;
 		},
 
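Review bot: The new branch matches the server-side exception by its exact English text `'LDAP Operations error'`, which couples this hint to the literal thrown in `apps/user_ldap/lib/ldap.php`; if that message is ever reworded or passed through translation, the hint silently stops appearing while the comparison still returns `false`. The preceding branch (partly above this hunk) does the same, so this is an existing pattern, but a comment would at least make the coupling visible: `// must match the message thrown for LDAP error code 1 in lib/ldap.php`. A more robust variant would have the server return the numeric error code alongside the message and compare on that instead. The enclosing function continues above the hunk.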
diff --git a/apps/user_ldap/lib/ldap.php b/apps/user_ldap/lib/ldap.php
index 48852a3..8d2c493 100644
--- a/apps/user_ldap/lib/ldap.php
+++ b/apps/user_ldap/lib/ldap.php
@@ -289,6 +289,8 @@ class LDAP implements ILDAPWrapper {
 					throw new ServerNotAvailableException('Lost connection to LDAP server.');
 				} else if ($errorCode === 48) {
 					throw new \Exception('LDAP authentication method rejected');
+				} else if ($errorCode === 1) {
+					throw new \Exception('LDAP Operations error', $errorCode);
 				} else {
 					\OCP\Util::writeLog('user_ldap',
 										'LDAP error '.$errorMsg.' (' .
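Review bot: The new branch throws a plain `\Exception` carrying the bare code `1`, which forces callers to match a magic number via `getCode() === 1` and discards `$errorMsg`, whereas the neighbouring `else` branch at least logs it. Either write the server message to the log before throwing, e.g. `\OCP\Util::writeLog('user_ldap', 'LDAP Operations error: ' . $errorMsg, \OCP\Util::WARN);` immediately above the `throw`, or introduce a dedicated exception class (in the style of `ServerNotAvailableException` two lines above) so callers can `catch` by type instead of comparing codes. Note that the literal message is also string-compared on the JavaScript side in `wizardTabGeneric.js`, so changing the message text would need a matching change there. The enclosing method starts above this hunk.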
