See ChangeLog

Monotone-Parent: 0b515b8331401536a0de4cc2ca53fce6dd6ca6ed Monotone-Revision: 3f570612955fe5748f947cb46b0d25c731f1bffb Monotone-Author: ludovic@Sophos.ca Monotone-Date: 2011-07-05T20:10:45 Monotone-Branch: ca.inverse.sogo
2026-05-15 00:15:27 +00:00 · 2011-07-05 20:10:45 +00:00
parent c56634f859
commit b87a7ceeac
3 changed files with 78 additions and 25 deletions
@@ -1,7 +1,7 @@
 2011-07-05  Ludovic Marcotte  <lmarcotte@inverse.ca>

 	* UI/MailPartViewers/UIxMailPartICalActions.m
-	(_setupChosenEventAndEventObject:) we now correctly
+	(-_setupChosenEventAndEventObject:) we now correctly
 	update the right event in the database in order to
 	update major properties coming from external invitations
 	during updates.
@@ -14,9 +14,13 @@
 	bug #1344 - which fixes Sieve script generation errors
 	for reject filters.
 	* SOPE/GDLContentStore/GCSFolderManager.m (
-	_reallyCreateFolderWithName:andFolderType:...): Fix
+	-_reallyCreateFolderWithName:andFolderType:...): Fix
 	path handling for recent GNUstep base versions. This
 	fixes bug #1327.
+	* SoObjects/SOGo/LDAPSource.m (-checkLogin:password:...)
+	We now make sure to use the original source's bindDN/password
+	when looking up the user's DN for indirect binds. This should
+	fix bug #1342.

 2011-07-02  Ludovic Marcotte  <lmarcotte@inverse.ca>

@@ -41,16 +41,18 @@
  int queryTimeout;

  NSString *sourceID;
-  NSString *bindDN;
+  NSString *bindDN;       // The bindDN/password could be either the source's one
+  NSString *password;     // or the current user if _bindAsCurrentUser is set to YES
+  NSString *sourceBindDN; // while sourceBindDN/sourceBindPassword always belong to the source
+  NSString *sourceBindPassword;
  NSString *hostname;
  unsigned int port;
-  NSString *password;
  NSString *encryption;
  NSString *_filter;
  NSString *_scope;

  NSString *baseDN;
-  NSString *IDField; /* the first part of a user DN */
+  NSString *IDField;     // the first part of a user DN
  NSString *CNField;
  NSString *UIDField;
  NSArray *mailFields, *searchFields;
@@ -129,6 +129,9 @@ static NSArray *commonSearchFields;
    }
 }

+//
+//
+//
 + (id) sourceFromUDSource: (NSDictionary *) udSource
                 inDomain: (NSString *) sourceDomain
 {
@@ -141,15 +144,20 @@ static NSArray *commonSearchFields;
  return newSource;
 }

+//
+//
+//
 - (id) init
 {
  if ((self = [super init]))
    {
      bindDN = nil;
+      password = nil;
+      sourceBindDN = nil;
+      sourceBindPassword = nil;
      hostname = nil;
      port = 389;
      encryption = nil;
-      password = nil;
      sourceID = nil;
      domain = nil;

@@ -179,12 +187,17 @@ static NSArray *commonSearchFields;
  return self;
 }

+//
+//
+//
 - (void) dealloc
 {
  [bindDN release];
+  [password release];
+  [sourceBindDN release];
+  [sourceBindPassword release];
  [hostname release];
  [encryption release];
-  [password release];
  [baseDN release];
  [IDField release];
  [CNField release];
@@ -206,6 +219,9 @@ static NSArray *commonSearchFields;
  [super dealloc];
 }

+//
+//
+//
 - (id) initFromUDSource: (NSDictionary *) udSource
               inDomain: (NSString *) sourceDomain
 {
@@ -214,7 +230,7 @@ static NSArray *commonSearchFields;

  if ((self = [self init]))
    {
-      ASSIGN (sourceID, [udSource objectForKey: @"id"]);
+      ASSIGN(sourceID, [udSource objectForKey: @"id"]);

      [self setBindDN: [udSource objectForKey: @"bindDN"]
             password: [udSource objectForKey: @"bindPassword"]
@@ -261,10 +277,10 @@ static NSArray *commonSearchFields;
      else
        queryTimeout = [dd ldapQueryTimeout];

-      ASSIGN (modulesConstraints,
-              [udSource objectForKey: @"ModulesConstraints"]);
-      ASSIGN (_filter, [udSource objectForKey: @"filter"]);
-      ASSIGN (_scope, ([udSource objectForKey: @"scope"]
+      ASSIGN(modulesConstraints,
+	     [udSource objectForKey: @"ModulesConstraints"]);
+      ASSIGN(_filter, [udSource objectForKey: @"filter"]);
+      ASSIGN(_scope, ([udSource objectForKey: @"scope"]
                       ? [udSource objectForKey: @"scope"]
                       : (id)@"sub"));

@@ -277,6 +293,7 @@ static NSArray *commonSearchFields;

 - (void) setBindDN: (NSString *) theDN
 {
+  //NSLog(@"Setting bind DN to %@", theDN);
  ASSIGN(bindDN, theDN);
 }

@@ -297,17 +314,23 @@ static NSArray *commonSearchFields;
 	encryption: (NSString *) newEncryption
 bindAsCurrentUser: (NSString *) bindAsCurrentUser
 {
-  ASSIGN (bindDN, newBindDN);
-  ASSIGN (encryption, [newEncryption uppercaseString]);
+  ASSIGN(bindDN, newBindDN);
+  ASSIGN(password, newBindPassword);
+  ASSIGN(sourceBindDN, newBindDN);
+  ASSIGN(sourceBindPassword, newBindPassword);
+
+  ASSIGN(encryption, [newEncryption uppercaseString]);
  if ([encryption isEqualToString: @"SSL"])
    port = 636;
-  ASSIGN (hostname, newBindHostname);
+  ASSIGN(hostname, newBindHostname);
  if (newBindPort)
    port = [newBindPort intValue];
-  ASSIGN (password, newBindPassword);
  _bindAsCurrentUser = [bindAsCurrentUser boolValue];
 }

+//
+//
+//
 - (void) setBaseDN: (NSString *) newBaseDN
 	   IDField: (NSString *) newIDField
 	   CNField: (NSString *) newCNField
@@ -320,21 +343,21 @@ static NSArray *commonSearchFields;
 	 kindField: (NSString *) newKindField
 andMultipleBookingsField: (NSString *) newMultipleBookingsField
 {
-  ASSIGN (baseDN, [newBaseDN lowercaseString]);
+  ASSIGN(baseDN, [newBaseDN lowercaseString]);
  if (newIDField)
-    ASSIGN (IDField, newIDField);
+    ASSIGN(IDField, newIDField);
  if (newCNField)
-    ASSIGN (CNField, newCNField);
+    ASSIGN(CNField, newCNField);
  if (newUIDField)
-    ASSIGN (UIDField, newUIDField);
+    ASSIGN(UIDField, newUIDField);
  if (newIMAPHostField)
-    ASSIGN (IMAPHostField, newIMAPHostField);
+    ASSIGN(IMAPHostField, newIMAPHostField);
  if (newIMAPLoginField)
-    ASSIGN (IMAPLoginField, newIMAPLoginField);
+    ASSIGN(IMAPLoginField, newIMAPLoginField);
  if (newMailFields)
-    ASSIGN (mailFields, newMailFields);
+    ASSIGN(mailFields, newMailFields);
  if (newSearchFields)
-    ASSIGN (searchFields, newSearchFields);
+    ASSIGN(searchFields, newSearchFields);
  if (newBindFields)
    {
      // Before SOGo v1.2.0, bindFields was a comma-separated list
@@ -364,6 +387,9 @@ andMultipleBookingsField: (NSString *) newMultipleBookingsField
    ASSIGN(multipleBookingsField, newMultipleBookingsField);
 }

+//
+//
+//
 - (BOOL) _setupEncryption: (NGLdapConnection *) encryptedConn
 {
  BOOL rc;
@@ -383,6 +409,9 @@ andMultipleBookingsField: (NSString *) newMultipleBookingsField
  return rc;
 }

+//
+//
+//
 - (NGLdapConnection *) _ldapConnection
 {
  NGLdapConnection *ldapConnection;
@@ -417,6 +446,9 @@ andMultipleBookingsField: (NSString *) newMultipleBookingsField
  return ldapConnection;
 }

+//
+//
+//
 - (NSString *) domain
 {
  return domain;
@@ -476,6 +508,9 @@ andMultipleBookingsField: (NSString *) newMultipleBookingsField
  return userDN;
 }

+//
+//
+//
 - (BOOL) checkLogin: (NSString *) _login
 	   password: (NSString *) _pwd
 	       perr: (SOGoPasswordPolicyError *) _perr
@@ -502,7 +537,16 @@ andMultipleBookingsField: (NSString *) newMultipleBookingsField
 	  if (!userDN)
 	    {
 	      if (bindFields)
-		userDN = [self _fetchUserDNForLogin: _login];
+		{
+		  // We MUST always use the source's bindDN/password in
+		  // order to lookup the user's DN. This is important since
+		  // if we use bindAsCurrentUser, we could stay bound and
+		  // lookup the user's DN (for an other user that is trying
+		  // to log in) but not be able to do so due to ACLs in LDAP.
+		  [self setBindDN: sourceBindDN];
+		  [self setBindPassword: sourceBindPassword];
+		  userDN = [self _fetchUserDNForLogin: _login];
+		}
 	      else
 		userDN = [NSString stringWithFormat: @"%@=%@,%@",
 				   IDField, _login, baseDN];
@@ -537,6 +581,9 @@ andMultipleBookingsField: (NSString *) newMultipleBookingsField
  return didBind;
 }

+//
+//
+//
 - (BOOL) changePasswordForLogin: (NSString *) login
 		    oldPassword: (NSString *) oldPassword
 		    newPassword: (NSString *) newPassword