<div dir="ltr"><div class="gmail_extra" style>Hi, Jules!</div><div class="gmail_extra"><br></div><div class="gmail_extra">On 17 January 2013 16:56, Jules <span dir="ltr"><<a href="mailto:Jules@zend.to" target="_blank">Jules@zend.to</a>></span> wrote:<br>
<div class="gmail_quote"><blockquote class="gmail_quote" style="margin:0px 0px 0px 0.8ex;border-left-width:1px;border-left-color:rgb(204,204,204);border-left-style:solid;padding-left:1ex">If you set all the 2nd forest settings to blank (or empty arrays)
rather than commenting them out, you should have better luck.</blockquote></div><br>Nope… We have the 2nd forest settings set to blank (see below), not commented out.</div><div class="gmail_extra"><br></div><div class="gmail_extra">
Originally we'd got them all set to blank ('') and noticed that this produced a PHP error string at the top of the page (i.e., the PHP error text was getting output mingled in with the HTML). That was fixed by changing</div>
<blockquote style="margin:0px 0px 0px 40px;border:none;padding:0px"><div class="gmail_extra" style> 'authLDAPServers2' => '',</div></blockquote><div class="gmail_extra">to</div><blockquote style="margin:0px 0px 0px 40px;border:none;padding:0px">
<div class="gmail_extra" style> 'authLDAPServers2' => array(),</div></blockquote><div class="gmail_extra">as per its introductory comment, which we'd initially missed. (I can't remember the PHP error text exactly but it was that the range for a for/foreach was invalid.)</div>
<div class="gmail_extra"><br></div><div class="gmail_extra">That left us with these forest2 settings:</div><blockquote style="margin:0px 0px 0px 40px;border:none;padding:0px"><div class="gmail_extra" style><div class="gmail_extra" style>
'authLDAPBaseDN2' => '',</div></div><div class="gmail_extra" style><div class="gmail_extra" style> 'authLDAPServers2' => array(),</div></div><div class="gmail_extra" style>
<div class="gmail_extra" style> 'authLDAPAccountSuffix2' => '',</div></div><div class="gmail_extra" style><div class="gmail_extra" style> 'authLDAPUseSSL2' => '',</div>
</div><div class="gmail_extra" style><div class="gmail_extra" style> 'authLDAPBindUser2' => '',</div></div><div class="gmail_extra" style><div class="gmail_extra" style> 'authLDAPBindPass2' => '',</div>
</div><div class="gmail_extra" style><div class="gmail_extra" style> 'authLDAPOrganization2' => '',</div></div></blockquote><div class="gmail_extra"><div class="gmail_extra" style><br></div><div class="gmail_extra" style>
With these in place entering an invalid password produces the two ghastly and unfriendly LDAP error messages followed by the human-friendly "Invalid username or password" message from the ErrBadLogin config string.</div>
<div class="gmail_extra" style><br></div><div class="gmail_extra" style>The problem is that in the authenticate() function within lib/NSSADAuthenticator.php the code flow goes like this:</div></div><blockquote style="margin:0px 0px 0px 40px;border:none;padding:0px">
<div class="gmail_extra" style><div class="gmail_extra" style>Check username/password in forest1</div></div><div class="gmail_extra" style><div class="gmail_extra" style>Check username/password in forest2</div></div></blockquote>
<div class="gmail_extra"><div class="gmail_extra" style><br></div><div class="gmail_extra" style>Without the "if (empty($this->_ldapServers2)) { return FALSE; }" bail out test between the two the forest2 test is always performed.</div>
<div class="gmail_extra" style><br></div><div class="gmail_extra" style>So the PHP code in the forest2 block tries to connect to no LDAP servers (because none are configured for forest2 in the preferences). So it complains bitterly that it can't: that produces the two unfriendly LDAP errors before the human-friendly "You got the username/password wrong" (sic) message.</div>
<div class="gmail_extra" style><br></div><div class="gmail_extra" style>In passing…</div><div class="gmail_extra" style><br></div><div class="gmail_extra" style>We're actually running ZendTo 4.08-something on one server and 4.10-5 on another. Between the two versions the bailout test has been added between the forest1/forest2 code blocks within the validUsername() function so was presumably added to fix the problem for that function. It's just also needed between the same two codeblocks within the authenticate() function as well.</div>
<div class="gmail_extra" style><br></div><div class="gmail_extra" style>Cheers,</div><div class="gmail_extra" style>Mike B-)</div><div><br></div>-- <br><font size="1"><font face="'arial narrow', sans-serif"><span style="font-size:small">IT Services, The University of York, Heslington, York YO10 5DD, UK<br>
Tel: +44-1904-323811</span><span style="font-size:small"><br>Disclaimer: <</span><a href="http://www.york.ac.uk/docs/disclaimer/email.htm" target="_blank"><span style="font-size:small">http://www.york.ac.uk/docs/disclaimer/email.htm</span></a><span style="font-size:small">></span></font><br>
</font>
</div></div>
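<div>The control flow Mike describes for authenticate(), with the forest2 bail-out placed between the two blocks, as an added illustrative example that is not part of this message and not ZendTo's own lib/NSSADAuthenticator.php. The class, method and property names (TwoForestAuthenticator, bindAgainst, diagnostics, _log), the preference array layout and the .invalid host names are assumptions constructed for the example; only the authLDAPServers2 / authLDAPAccountSuffix2 keys and the "if (empty($this->_ldapServers2)) { return FALSE; }" test come from the message. The example also keeps raw LDAP error text out of the HTML response (it goes to error_log) and refuses an empty password, which ldap_bind would otherwise treat as an anonymous bind.</div>

```php
<?php
// Added example: a reduced two-forest authenticate() showing the forest2
// bail-out described in the message. Names below are assumptions, not
// ZendTo's own identifiers.

class TwoForestAuthenticator
{
    private array $_ldapServers;    // forest1 server URIs
    private array $_ldapServers2;   // forest2 server URIs; array() when no 2nd forest is configured
    private string $_accountSuffix;
    private string $_accountSuffix2;
    private array $_log = [];       // LDAP diagnostics collect here, never in the page output

    public function __construct(array $prefs)
    {
        $this->_ldapServers    = $prefs['authLDAPServers']        ?? [];
        $this->_ldapServers2   = $prefs['authLDAPServers2']       ?? [];
        $this->_accountSuffix  = $prefs['authLDAPAccountSuffix']  ?? '';
        $this->_accountSuffix2 = $prefs['authLDAPAccountSuffix2'] ?? '';
    }

    // Try a simple bind as the user against each server in $servers in turn.
    private function bindAgainst(array $servers, string $suffix, string $user, string $pass): bool
    {
        // An empty password would turn ldap_bind into an anonymous bind: refuse it.
        if ($pass === '') {
            return false;
        }
        foreach ($servers as $uri) {
            $conn = ldap_connect($uri);
            if ($conn === false) {
                $this->_log[] = "invalid LDAP URI: $uri";
                continue;
            }
            ldap_set_option($conn, LDAP_OPT_PROTOCOL_VERSION, 3);
            ldap_set_option($conn, LDAP_OPT_REFERRALS, 0);
            // '@' keeps the "Unable to bind" warning out of the HTML; the reason is logged instead.
            $ok = @ldap_bind($conn, $user . $suffix, $pass);
            if (!$ok) {
                $this->_log[] = "$uri: " . ldap_error($conn);
            }
            ldap_unbind($conn);
            if ($ok) {
                return true;
            }
        }
        return false;
    }

    public function authenticate(string $user, string $pass): bool
    {
        // Check username/password in forest1
        if ($this->bindAgainst($this->_ldapServers, $this->_accountSuffix, $user, $pass)) {
            return true;
        }
        // The bail-out the message asks for: with no forest2 servers configured,
        // stop here rather than trying to connect to nothing and emitting LDAP errors.
        if (empty($this->_ldapServers2)) {
            return false;
        }
        // Check username/password in forest2
        return $this->bindAgainst($this->_ldapServers2, $this->_accountSuffix2, $user, $pass);
    }

    public function diagnostics(): array
    {
        return $this->_log;
    }
}

// Constructed preferences: forest1 points at an unreachable placeholder host,
// forest2 is left empty exactly as in the message's settings.
$prefs = [
    'authLDAPServers'        => ['ldap://dc.forest1.invalid'],
    'authLDAPAccountSuffix'  => '@forest1.invalid',
    'authLDAPServers2'       => array(),
    'authLDAPAccountSuffix2' => '',
];

$auth = new TwoForestAuthenticator($prefs);
if (!$auth->authenticate('alice', 'wrong-password')) {
    echo "Invalid username or password\n";              // only the ErrBadLogin-style text reaches the user
    error_log(implode('; ', $auth->diagnostics()));     // raw LDAP reasons stay in the server log
}
```

<div>With forest2 empty, the run above produces one failed forest1 bind and no forest2 attempt at all, so the user sees a single friendly message; without the empty() test the second bindAgainst() loop would simply not run here because the array is empty, but in code that connects before iterating (as the message describes) it is exactly that connection attempt to nothing that generates the two extra LDAP errors.</div>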