<div dir="ltr">Hi, all -<div><br></div><div>We are using AD authentication with only 1 forest/domain. When someone enters an invalid username/password combination they see a ghastly trio of errors within the login page saying:</div>
<div><br></div><div><table class="" width="50%" style="font-family:'Helvetica Neue',Helvetica,Verdana,Arial,sans-serif"><tbody><tr><td valign="middle" rowspan="2"><img src="https://dropoff.york.ac.uk/images/error-icon.png" alt="[error]"></td>
<td class="">LDAP Error</td></tr><tr><td class="">Check User: Unable to connect to any of the authentication servers; could not authenticate user.</td></tr><tr><td valign="middle" rowspan="2"><img src="https://dropoff.york.ac.uk/images/error-icon.png" alt="[error]"></td>
<td class="">LDAP Error</td></tr><tr><td class="">Check User: Unable to connect to any of the LDAP servers; could not authenticate user.</td></tr><tr><td valign="middle" rowspan="2"><img src="https://dropoff.york.ac.uk/images/error-icon.png" alt="[error]"></td>
<td class="">Authentication Error</td></tr><tr><td class="">The username or password was incorrect.</td></tr></tbody></table></div><div><br></div><div>The problem is a missing code fragment in the authenticate() function within lib/NSSADAuthenticator.php</div>
<div><br></div><div>An earlier function named validUsername() checks whether the username is valid by searching domain1 and then domain2. Before checking domain2 there's a check to see whether a second domain is actually configured, and if not to bail out:</div>
<div><br></div><div><div> // Bail out quietly if there isn't a 2nd AD forest</div><div> if (empty($this->_ldapServers2)) {</div><div> return FALSE;</div><div> }</div></div><div><br></div><div>However in the authenticate() function this bailout test is omitted. So after checking domain1 for the invalid username/password combination the function blithely goes on to check it against domain2 even though the second domain isn't configured in the preferences. This gives the first two nasty LDAP errors in the trio.</div>
<div><br></div><div>The fix is to copy the bailout code fragment from the validUsername() function to the equivalent position in the authenticate() function — i.e., just before the domain2 tests.</div><div><br></div><div>Sorry I can't give a patch file: we're actually running a version older than 4.11-6 (but I have checked the lib/NSSADAuthenticator.php file in 4.11-6 and the problem is still present).</div>
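<div><br></div><div>Added example (not ZendTo's code and not from the report above): a reduced model of the two-forest authenticate() flow, with and without the bailout guard, so the before/after error counts can be traced. The function and variable names are hypothetical and the LDAP bind is simulated; a single forest plus a wrong password yields three errors without the guard and one with it, and the guard also stops showing unauthenticated users LDAP connectivity messages about a forest that does not exist.</div>

```php
<?php
// Added example, not ZendTo's code. Names are hypothetical; ldap_bind() is
// replaced by a constructed credential check so this runs without a server.

// One forest attempt. An empty server list is what an unconfigured second
// forest looks like; it produces the two LDAP errors quoted in the report.
function tryForest(array $servers, string $user, string $pass, array &$errors): bool
{
    if (empty($servers)) {
        $errors[] = 'LDAP Error: Unable to connect to any of the authentication servers';
        $errors[] = 'LDAP Error: Unable to connect to any of the LDAP servers';
        return false;
    }
    return $user === 'alice' && $pass === 'correct-horse'; // constructed stand-in
}

const BAD_CREDS = 'Authentication Error: The username or password was incorrect.';

// Before the fix: domain2 is tried even when $servers2 is empty.
function authenticateBefore(array $servers1, array $servers2, string $user, string $pass): array
{
    $errors = [];
    if (tryForest($servers1, $user, $pass, $errors)) {
        return [true, $errors];
    }
    if (tryForest($servers2, $user, $pass, $errors)) {
        return [true, $errors];
    }
    $errors[] = BAD_CREDS;
    return [false, $errors];
}

// After the fix: the bailout copied from validUsername() sits before domain2.
function authenticateAfter(array $servers1, array $servers2, string $user, string $pass): array
{
    $errors = [];
    if (tryForest($servers1, $user, $pass, $errors)) {
        return [true, $errors];
    }
    // Bail out quietly if there isn't a 2nd AD forest
    if (!empty($servers2) && tryForest($servers2, $user, $pass, $errors)) {
        return [true, $errors];
    }
    $errors[] = BAD_CREDS;
    return [false, $errors];
}

// Single forest configured, wrong password: 3 errors before, 1 after.
[$ok, $before] = authenticateBefore(['ad1.example.test'], [], 'alice', 'wrong');
[$ok, $after]  = authenticateAfter(['ad1.example.test'], [], 'alice', 'wrong');
printf("before: %d error(s), after: %d error(s)\n", count($before), count($after));
```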
<div><br></div><div>Cheers,</div><div>Mike B-)<br clear="all"><div><br></div>-- <br><font size="1"><font face="'arial narrow', sans-serif"><span style="font-size:small">IT Services, The University of York, Heslington, York YO10 5DD, UK<br>
Tel: +44-1904-323811</span><span style="font-size:small"><br>Disclaimer: <</span><a href="http://www.york.ac.uk/docs/disclaimer/email.htm" target="_blank"><span style="font-size:small">http://www.york.ac.uk/docs/disclaimer/email.htm</span></a><span style="font-size:small">></span></font><br>
</font>
</div></div>