<html>
  <head>
    <meta content="text/html; charset=ISO-8859-1"
      http-equiv="Content-Type">
  </head>
  <body bgcolor="#FFFFFF" text="#000000">
    If you set all the 2nd forest settings to blank (or empty arrays)
    rather than commenting them out, you should have better luck.<br>
    <br>
    Jules.<br>
    <br>
    <div class="moz-cite-prefix">On 17/01/2013 16:45, Mike Brudenell
      wrote:<br>
    </div>
    <blockquote
cite="mid:CAPXCWatu=+d58sXij6N8a3pMsU_G+grk7uMb=azWE4tqtBpbkA@mail.gmail.com"
      type="cite">
      <div dir="ltr">Hi, all -
        <div><br>
        </div>
        <div>We are using AD authentication with only 1 forest/domain.
          When someone enters an invalid username/password combination
          they see a ghastly trio of errors within the login page
          saying:</div>
        <div><br>
        </div>
        <div>
          <table class="" style="font-family:'Helvetica
            Neue',Helvetica,Verdana,Arial,sans-serif" width="50%">
            <tbody>
              <tr>
                <td rowspan="2" valign="middle"><img
                    moz-do-not-send="true"
                    src="https://dropoff.york.ac.uk/images/error-icon.png"
                    alt="[error]"></td>
                <td class="">LDAP Error</td>
              </tr>
              <tr>
                <td class="">Check User: Unable to connect to any of the
                  authentication servers; could not authenticate user.</td>
              </tr>
              <tr>
                <td rowspan="2" valign="middle"><img
                    moz-do-not-send="true"
                    src="https://dropoff.york.ac.uk/images/error-icon.png"
                    alt="[error]"></td>
                <td class="">LDAP Error</td>
              </tr>
              <tr>
                <td class="">Check User: Unable to connect to any of the
                  LDAP servers; could not authenticate user.</td>
              </tr>
              <tr>
                <td rowspan="2" valign="middle"><img
                    moz-do-not-send="true"
                    src="https://dropoff.york.ac.uk/images/error-icon.png"
                    alt="[error]"></td>
                <td class="">Authentication Error</td>
              </tr>
              <tr>
                <td class="">The username or password was incorrect.</td>
              </tr>
            </tbody>
          </table>
        </div>
        <div><br>
        </div>
        <div>The problem is a missing code fragment in the
          authenticate() function within lib/NSSADAuthenticator.php</div>
        <div><br>
        </div>
        <div>An earlier function named validUsername() checks whether
          the username is valid by searching domain1 and then domain2.
          Before checking domain2 there's a check to see whether a
          second domain is actually configured, and if not to bail out:</div>
        <div><br>
        </div>
        <div>
          <div>&nbsp; &nbsp; // Bail out quietly if there isn't a 2nd AD forest</div>
          <div>&nbsp; &nbsp; if (empty($this-&gt;_ldapServers2)) {</div>
          <div>&nbsp; &nbsp; &nbsp; return FALSE;</div>
          <div>&nbsp; &nbsp; }</div>
        </div>
        <div><br>
        </div>
        <div>However in the&nbsp;authenticate() function this bailout test is
          omitted. So after checking domain1 for the invalid
          username/password combination the function blithely goes on to
          check it against domain2 even though the second domain isn't
          configured in the preferences. This gives the first two nasty
          LDAP errors in the trio.</div>
        <div><br>
        </div>
        <div>The fix is to copy the bailout code fragment from the
          validUsername() function to the equivalent position in the
          authenticate() function &#8212; i.e., just before the domain2 tests.</div>
        <div><br>
        </div>
        <div>Sorry I can't give a patch file: we're actually running a
          version older than 4.11-6 (but I have checked
          the&nbsp;lib/NSSADAuthenticator.php file in 4.11-6 and the problem
          is still present).</div>
        <div><br>
        </div>
        <div>Cheers,</div>
        <div>Mike B-)<br clear="all">
          <div><br>
          </div>
          -- <br>
          <font size="1"><font face="'arial narrow', sans-serif"><span
                style="font-size:small">IT Services, The University of
                York, Heslington, York YO10 5DD, UK<br>
                Tel: +44-1904-323811</span><span style="font-size:small"><br>
                Disclaimer: &lt;</span><a moz-do-not-send="true"
                href="http://www.york.ac.uk/docs/disclaimer/email.htm"
                target="_blank"><span style="font-size:small">http://www.york.ac.uk/docs/disclaimer/email.htm</span></a><span
                style="font-size:small">&gt;</span></font><br>
          </font>
        </div>
      </div>
      <br>
      <pre class="moz-signature" cols="72">Jules

-- 
Julian Field MEng MBCS CITP CEng

Viking, North Utsire, South Utsire, Forties: Southerly or southeasterly 5 to
7, decreasing 4 at times. Slight or moderate, becoming moderate or rough. Snow
showers. Good, occasionally poor.

<a class="moz-txt-link-abbreviated" href="http://www.Zend.To">www.Zend.To</a>
Twitter: @JulesFM
PGP footprint: EE81 D763 3DB0 0BFD E1DC 7222 11F6 5947 1415 B654
</pre>
    </blockquote>
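    <br>
    <div>Added example, not ZendTo's code and not part of either message
      above: a simplified PHP model of the behaviour Mike describes, with
      the bailout switched off and then on for a failed login against a
      single configured forest. Only authenticate() and _ldapServers2 are
      names from the thread; the ForestAuth class, tryForest(), $errors,
      the $guard flag, the server name and the credentials are constructed
      for illustration.</div>
    <pre>
```php
&lt;?php
// Simplified model of a two-forest AD authenticator. NOT ZendTo's code.
// Hypothetical names: ForestAuth, tryForest, $errors, $guard, sample data.
class ForestAuth
{
    public array $errors = [];   // messages that would be shown on the login page
    private array $_ldapServers1;
    private array $_ldapServers2;
    private bool $guard;         // true = bailout present, false = bailout omitted

    public function __construct(array $servers1, array $servers2, bool $guard)
    {
        $this->_ldapServers1 = $servers1;
        $this->_ldapServers2 = $servers2;
        $this->guard = $guard;
    }

    // Stand-in for the LDAP bind: an empty server list can never connect.
    private function tryForest(array $servers, string $user, string $pass): bool
    {
        if (count($servers) === 0) {
            $this->errors[] = 'LDAP Error: Unable to connect to any of the LDAP servers';
            return false;
        }
        // Constructed credential check standing in for the directory.
        return $user === 'alice' && $pass === 'correct-horse';
    }

    public function authenticate(string $user, string $pass): bool
    {
        if ($this->tryForest($this->_ldapServers1, $user, $pass)) {
            return true;
        }
        // The bailout from the thread, placed just before the 2nd-forest check.
        if ($this->guard && empty($this->_ldapServers2)) {
            return false;
        }
        return $this->tryForest($this->_ldapServers2, $user, $pass);
    }
}

// Same failed login twice: first without the bailout, then with it.
foreach ([false, true] as $guard) {
    $auth = new ForestAuth(['dc1.example.test'], [], $guard);
    $ok = $auth->authenticate('alice', 'wrong-password');
    printf("guard=%s authenticated=%s backend_errors=%d\n",
        var_export($guard, true), var_export($ok, true), count($auth->errors));
}
```
    </pre>
    <div>In both runs the login is refused; only the run without the
      bailout records a backend LDAP error for the forest that was never
      configured.</div>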
  </body>
</html>