[geeklog-devel] 'force_remoteauthentication' patch for enterprise users
Dirk Haun
dirk at haun-online.de
Sun Feb 24 06:13:53 EST 2008
Blank, Jessica wrote:
>Was my patch received, and is it satisfactory?
I just had a look and as usual, there's a can of worms waiting to be
opened there.
Short version: I have now made a change that should be equivalent to
your patch. You can now set $_CONF['user_login_method']['3rdparty'] =
true and $_CONF['user_login_method']['standard'] = false and that would
force users to login via remote authentication.
Long version: I couldn't help noticing that we have two similar, but not
quite identical, login forms: the one in the side block and the one on
/users.php. I've made an attempt to move that code to one function and
make $_CONF['user_login_method']['standard'] work properly (i.e. so that
you could disable the standard login and the remote auth. and it would
hide the login form), but that required too many theme changes.
I still think this should be done properly, if only to get rid of the
duplicate code (and duplicate template files) but I wasn't really in the
mood. If anyone else wants to wrestle with it - be my guest. Otherwise,
I may look at it again some other time.
Anyway, thanks Jessica, for the patch.
Btw, I assume you're only using this on an intranet? Because users could
bypass the remote authentication by using a manipulated login form. I
made a small addition to prevent that:
if (!empty($loginname) && !empty($passwd) && empty($service)) {
    // Standard (local password) login is only attempted when the site
    // configuration still allows it; otherwise the request is refused
    // instead of silently falling back to the local password check.
    if (empty($service) && $_CONF['user_login_method']['standard']) {
        $status = SEC_authenticate($loginname, $passwd, $uid);
    } else {
        $status = -1;
    }
}
(in users.php). You would have to invert the logic for your
$_CONF['force_remoteauthentication'] flag.
bye, Dirk
--
http://www.geeklog.net/
http://geeklog.info/
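To show why that server-side check matters, here is an added example (my own code, not Geeklog's users.php): a minimal login dispatcher with the unchecked version next to the checked one. SEC_authenticate is replaced by a constructed stand-in with one local account, and the $_CONF values and the request array are assumed for the example.

```php
<?php
// Added example, not Geeklog code: the dispatcher must re-check
// $_CONF['user_login_method']['standard'] itself rather than trusting
// that the client submitted the remote-auth form (i.e. sent 'service').

// Constructed stand-in for SEC_authenticate(): a single local account.
function example_authenticate($loginname, $passwd, &$uid) {
    $users = array('alice' => array('pw' => 's3cret', 'uid' => 2));
    if (isset($users[$loginname]) && $users[$loginname]['pw'] === $passwd) {
        $uid = $users[$loginname]['uid'];
        return 3; // assumed "login ok" status for this example
    }
    return -1;
}

// Unchecked: a POST that simply omits 'service' falls through to the
// local password check even when standard login is switched off.
function login_unchecked($conf, $post) {
    $uid = 0;
    if (!empty($post['loginname']) && !empty($post['passwd']) && empty($post['service'])) {
        return example_authenticate($post['loginname'], $post['passwd'], $uid);
    }
    return -1;
}

// Checked (the addition quoted in the mail): standard login is only
// attempted when the site configuration still allows it.
function login_checked($conf, $post) {
    $uid = 0;
    if (!empty($post['loginname']) && !empty($post['passwd']) && empty($post['service'])) {
        if ($conf['user_login_method']['standard']) {
            return example_authenticate($post['loginname'], $post['passwd'], $uid);
        }
        return -1; // standard login disabled: refuse, never fall back
    }
    return -1;
}

// Assumed site configuration: forced to remote authentication.
$conf = array('user_login_method' => array('standard' => false, '3rdparty' => true));

// Constructed request: a hand-built form submission without 'service'.
$request = array('loginname' => 'alice', 'passwd' => 's3cret');

echo "unchecked dispatcher status: " . login_unchecked($conf, $request) . "\n";
echo "checked dispatcher status:   " . login_checked($conf, $request) . "\n";
```

With standard login disabled, the unchecked dispatcher still accepts the local password for this request, while the checked one returns -1.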