[geeklog-devel] 'force_remoteauthentication' patch for enterprise users

Dirk Haun dirk at haun-online.de
Sun Feb 24 06:13:53 EST 2008


Blank, Jessica wrote:

>Was my patch received, and is it satisfactory?

I just had a look and as usual, there's a can of worms waiting to be
opened there.

Short version: I have now made a change that should be equivalent to
your patch. You can now set $_CONF['user_login_method']['3rdparty'] =
true and $_CONF['user_login_method']['standard'] = false and that would
force users to login via remote authentication.

Long version: I couldn't help noticing that we have two similar, but not
quite identical, login forms: The one in the side block and the one on /
users.php. I've made an attempt to move that code to one function and
make $_CONF['user_login_method']['standard'] working properly (i.e. that
you could disable the standard login and the remote auth. and it would
hide the login form), but that required too many theme changes.

I still think this should be done properly, if only to get rid of the
duplicate code (and duplicate template files) but I wasn't really in the
mood. If anyone else wants to wrestle with it - be my guest. Otherwise,
I may look at it again some other time.


Anyway, thanks Jessica, for the patch.

Btw, I assume you're only using this on an intranet? Because users could
bypass the remote authentication by using a manipulated login form. I
made a small addition to prevent that:

    // Form submitted without a service name: only fall back to the
    // local password check if the standard login is actually enabled.
    if (!empty($loginname) && !empty($passwd) && empty($service)) {
        if (empty($service) && $_CONF['user_login_method']['standard']) {
            $status = SEC_authenticate($loginname, $passwd, $uid);
        } else {
            // standard login disabled: treat the request as a failed login
            $status = -1;
        }
    }

(in users.php) You would have to invert the logic for your
$_CONF['force_remoteauthentication'] flag.

bye, Dirk


-- 
http://www.geeklog.net/
http://geeklog.info/
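The dispatch logic described in the mail, as an added example that is not Geeklog's own code: a standalone function models how users.php should treat a login form, so that a form resubmitted with the service field stripped out is rejected instead of being checked against the local password table when the standard login is disabled. The function name, the $conf parameter, the return strings and the sample values are assumptions; only the $_CONF['user_login_method'] layout comes from the mail.

```php
<?php
// Added example, not Geeklog's code. select_login_method(), $conf and
// the return strings are assumptions; the 'user_login_method' keys
// ('3rdparty', 'standard') are the ones named in the mail.

/**
 * Decide how a submitted login form is handled.
 * Returns 'remote', 'standard' or 'reject'.
 */
function select_login_method(array $conf, $loginname, $passwd, $service)
{
    $methods = $conf['user_login_method'];

    if (!empty($service)) {
        // A service was named: honour it only if remote auth is enabled.
        return !empty($methods['3rdparty']) ? 'remote' : 'reject';
    }

    // No service field: this is what a manipulated form looks like on a
    // site that expects remote logins. Fall back to the local password
    // check only if the standard login is explicitly enabled.
    if (!empty($loginname) && !empty($passwd) && !empty($methods['standard'])) {
        return 'standard';
    }

    return 'reject';
}

/** Map a force_remoteauthentication flag onto the two config switches. */
function login_methods_from_force_flag($forceRemote)
{
    return array('3rdparty' => true, 'standard' => !$forceRemote);
}

// Constructed configuration: remote auth only, as in the mail.
$conf = array('user_login_method' => login_methods_from_force_flag(true));

// Normal remote login through the rendered form (service name constructed).
assert(select_login_method($conf, 'alice', 'secret', 'openid') === 'remote');

// Same credentials, service field stripped: rejected, not authenticated
// against the local password table.
assert(select_login_method($conf, 'alice', 'secret', '') === 'reject');

// Flag off: the stripped form is a plain standard login again.
$conf['user_login_method'] = login_methods_from_force_flag(false);
assert(select_login_method($conf, 'alice', 'secret', '') === 'standard');
```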
