fix ldap filtering

2017-06-22 23:05:17 +02:00 · 2017-06-22 23:05:17 +02:00 · 14cc832552
parent 6f88225661
commit 14cc832552
1 changed files with 17 additions and 6 deletions
--- a/lib/Lufi.pm
+++ b/lib/Lufi.pm
@ -11,6 +11,7 @@ $ENV{MOJO_MAX_WEBSOCKET_SIZE} = 100485760; # 10 * 1024 * 1024 = 10MiB
 # This method will run once at server start
 sub startup {
    my $self = shift;
+    my $entry = undef;

    my $config = $self->plugin('Config' => {
        default =>  {
@ -95,8 +96,15 @@ sub startup {
                        $c->app->log->error($mesg->error);
                        return undef;
                    }
-    
-                    # Now we know that the user exists
+
+                    # we filtered out, but did we actually get a non-empty result?
+                    $entry = $mesg->shift_entry;
+                    if (!defined $entry) {
+                        $c->app->log->info("[LDAP authentication failed] - User $username filtered out, IP: ".$c->ip);
+                        return undef;
+                    }
+ 
+                    # Now we know that the user exists, and that he is authorized by the filter
                    $mesg = $ldap->bind('uid='.$username.$c->config->{ldap}->{bind_dn},
                        password => $password
                    );
@ -110,7 +118,7 @@ sub startup {
                    $c->app->log->info("[LDAP authentication successful] login: $username, IP: ".$c->ip);
                } elsif (defined($c->config('htpasswd'))) {
                    my $htpasswd = new Apache::Htpasswd({passwdFile => $c->config->{htpasswd},
-                                                 ReadOnly   => 1}
+                                                 ReadOnly   => 1}
                                                );
                    if (!$htpasswd->htCheckPassword($username, $password)) {
                        return undef;
@ -277,9 +285,12 @@ sub startup {

            if($c->authenticate($login, $pwd)) {
                $c->redirect_to('index');
-            } else {
-                $c->stash(msg => $c->l('Please, check your credentials: unable to authenticate.'));
-                $c->render(template => 'login');
+            } elsif (defined $entry) { 
+                    $c->stash(msg => $c->l('Please, check your credentials: unable to authenticate.'));
+                    $c->render(template => 'login');
+                } else {
+                    $c->stash(msg => $c->l('Sorry mate, you are not authorised to use that service. Contact your sysadmin if you think there\'s a glitch in the matrix.'));
+                    $c->render(template => 'login');
            }
        });
        # Logout page