
Able to log in to a Laravel LDAP application even after an incorrect password is passed

We are trying to build a Laravel application where an LDAP connection is used to log in to the application. Everything works fine, but when any user is registered using the Laravel simple registration form and tries to log in to the application, they are able to log in even after providing a wrong password. Here is the code of the attemptLogin function in LoginController.php.

protected function attemptLogin(Request $request)
{
    $credentials = $request->only($this->username(), 'password');
    $username = $credentials[$this->username()];
    $password = $credentials['password'];

    // build the user's DN from the configured format, e.g. "cn=%s,dc=example,dc=com"
    $user_format = env('LDAP_USER_FORMAT', 'cn=%s,' . env('LDAP_BASE_DN', ''));
    $userdn = sprintf($user_format, $username);

    // third argument: bind as the user rather than with the configured admin account
    if (Adldap::auth()->attempt($userdn, $password, true)) {
        // the user exists in the LDAP server, with the provided password

        $user = \App\User::where($this->username(), $username)->first();
        if (!$user) {
            // the user doesn't exist in the local database, so we have to create one

            $user = new \App\User();
            $user->username = $username;
            $user->password = '';

            // you can skip this if there are no extra attributes to read from the LDAP server
            // or you can move it below this if(!$user) block if you want to keep the user always
            // in sync with the LDAP server
            $sync_attrs = $this->retrieveSyncAttributes($username);
            foreach ($sync_attrs as $field => $value) {
                $user->$field = $value !== null ? $value : '';
            }
        }

        // by logging the user we create the session, so there is no need to login again (in the configured time).
        // pass false as second parameter if you want to force the session to expire when the user closes the browser.
        // have a look at the section 'session lifetime' in `config/session.php` for more options.
        $this->guard()->login($user, true);
        return true;
    } else {
        // not an LDAP user (or wrong LDAP password): fall back to the local database
        $user = \App\User::where($this->username(), $username)->firstOrFail();

        if (Auth::guard('admin')->attempt($credentials)) {
            $this->guard()->login($user, true);
            return true;
        } else {
            return false;
        }
    }

    // the user doesn't exist in the LDAP server/Database or the password is wrong
    // log error
    return false;
}
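The flow above has two places where a wrong password must be rejected: the LDAP bind, and the local password check for users created through the registration form. The following added example (not the asker's code, and not Adldap's or Laravel's API) isolates that decision so it can be run offline: both backends are injected as plain callables, the LDAP directory and the local user table are constructed sample data, and the class name LoginDecision and its method names are assumptions for the example. Every path that does not positively verify the supplied password returns null.

```php
<?php
// Added example, not the asker's controller code: a fail-closed login decision
// for an LDAP-first application with a local-account fallback. The LDAP bind
// and the local lookup are injected callables so this runs without Laravel,
// Adldap or a directory server (in the real controller they would be
// Adldap::auth()->attempt() and the Eloquent User lookup).

declare(strict_types=1);

final class LoginDecision
{
    /** @var callable(string,string):bool  returns true only if the bind succeeded */
    private $ldapBind;
    /** @var callable(string):?array  returns ['password' => <hash>] or null */
    private $findLocalUser;

    public function __construct(callable $ldapBind, callable $findLocalUser)
    {
        $this->ldapBind = $ldapBind;
        $this->findLocalUser = $findLocalUser;
    }

    /** Returns the authenticated username, or null when authentication failed. */
    public function authenticate(string $username, string $password): ?string
    {
        // 1. Never send an empty password to the directory: an empty-password
        //    bind is an anonymous (unauthenticated) bind on many LDAP servers
        //    and would "succeed" without proving anything.
        if ($password === '') {
            return null;
        }

        // 2. Directory users: a successful bind *as the user* proves the password.
        if (($this->ldapBind)($username, $password)) {
            return $username;
        }

        // 3. Locally registered users: the stored hash must verify.
        $local = ($this->findLocalUser)($username);
        if ($local === null) {
            return null;
        }
        // Users provisioned from LDAP are stored with an empty password column;
        // they must never be accepted through the local path.
        if ($local['password'] === '' || !password_verify($password, $local['password'])) {
            return null;
        }
        return $username;
    }
}

// --- Constructed sample data, not real accounts ---
$localUsers = [
    'alice'   => ['password' => password_hash('correct horse', PASSWORD_BCRYPT)],
    'ldapbob' => ['password' => ''],   // row created when ldapbob first logged in via LDAP
];

$fakeLdapBind = function (string $username, string $password): bool {
    // Stand-in for Adldap::auth()->attempt(): only "ldapbob" exists in the directory.
    return $username === 'ldapbob' && $password === 'bob-secret';
};
$findLocalUser = function (string $username) use ($localUsers): ?array {
    return $localUsers[$username] ?? null;
};

$login = new LoginDecision($fakeLdapBind, $findLocalUser);

// username, password, expected result
$cases = [
    ['alice',   'correct horse', 'alice'],   // local user, right password
    ['alice',   'wrong',         null],      // local user, wrong password
    ['ldapbob', 'bob-secret',    'ldapbob'], // directory user, right password
    ['ldapbob', 'wrong',         null],      // wrong password; empty local hash must not pass
    ['ldapbob', '',              null],      // empty password rejected before any bind
    ['nobody',  'x',             null],      // unknown in both backends
];
foreach ($cases as [$u, $p, $expected]) {
    $got = $login->authenticate($u, $p);
    printf("%-8s %-16s => %s\n", $u, var_export($p, true), var_export($got, true));
    if ($got !== $expected) {
        throw new RuntimeException("unexpected result for $u");
    }
}
```

Run it with `php login_decision.php`; the script throws if any case deviates from the expected outcome. The order matters for defence: the empty-password check runs before the bind, the LDAP bind is attempted as the user rather than with a service account, and the local path is reached only for a user row whose password column actually holds a hash that verifies.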

You missed saving the user after you instantiated a new one with their attributes:

$sync_attrs = $this->retrieveSyncAttributes($username);
foreach ($sync_attrs as $field => $value) {
    $user->$field = $value !== null ? $value : '';
}

$user->save();

粤ICP备18138465号  © 2020-2024 STACKOOM.COM