[geeklog-devel] 'force_remoteauthentication' patch for enterprise users

Blank, Jessica Jessica.Blank at mtvnmix.com
Mon Feb 25 13:42:53 EST 2008


Wonderful. I will defer to your patch. Has it been integrated into the
CVS repository?

Additionally: Did you add logic to remove the dropdown if only one
authentication method is present and
$_CONF['user_login_method']['3rdparty'] = true and
$_CONF['user_login_method']['standard'] = false? It would make little
sense to have a dropdown where a user can only select one method... Just
use a hidden form field like I did, no?

And yes, we are using this on an Intranet. I knew users could change the
authentication method via manipulating the form, but it wasn't really
important as it wouldn't get them in anyways. We simply do not HAVE any
local logins for geeklog; everything is done via LDAP. :)

--Jessica

-----Original Message-----
From: geeklog-devel-bounces at lists.geeklog.net
[mailto:geeklog-devel-bounces at lists.geeklog.net] On Behalf Of Dirk Haun
Sent: Sunday, February 24, 2008 6:14 AM
To: geeklog-devel
Subject: Re: [geeklog-devel] 'force_remoteauthentication' patch
for enterprise users

Blank, Jessica wrote:

>Was my patch received, and is it satisfactory?

I just had a look and as usual, there's a can of worms waiting to be
opened there.

Short version: I have now made a change that should be equivalent to
your patch. You can now set $_CONF['user_login_method']['3rdparty'] =
true and $_CONF['user_login_method']['standard'] = false and that would
force users to log in via remote authentication.

Long version: I couldn't help noticing that we have two similar, but not
quite identical, login forms: the one in the side block and the one on
/users.php. I've made an attempt to move that code to one function and
make $_CONF['user_login_method']['standard'] work properly (i.e. that
you could disable the standard login and the remote auth. and it would
hide the login form), but that required too many theme changes.

I still think this should be done properly, if only to get rid of the
duplicate code (and duplicate template files) but I wasn't really in the
mood. If anyone else wants to wrestle with it - be my guest. Otherwise,
I may look at it again some other time.


Anyway, thanks Jessica, for the patch.

Btw, I assume you're only using this on an intranet? Because users could
bypass the remote authentication by using a manipulated login form. I
made a small addition to prevent that:

    if (!empty($loginname) && !empty($passwd) && empty($service)) {
        // no service given: this is a local (standard) login attempt
        if ($_CONF['user_login_method']['standard']) {
            $status = SEC_authenticate($loginname, $passwd, $uid);
        } else {
            // standard login is switched off: reject instead of falling through
            $status = -1;
        }
    }

(in users.php.) You would have to invert the logic for your
$_CONF['force_remoteauthentication'] flag.

bye, Dirk


--
http://www.geeklog.net/
http://geeklog.info/

_______________________________________________
geeklog-devel mailing list
geeklog-devel at lists.geeklog.net
http://eight.pairlist.net/mailman/listinfo/geeklog-devel
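The two points raised in this exchange, shown together as an added example that is not Geeklog's own code: Jessica's suggestion to emit a hidden field instead of a dropdown when only one login method is enabled, and Dirk's server-side check in users.php that refuses a local login when $_CONF['user_login_method']['standard'] is false, so that a manipulated form cannot pick a method the site does not offer. Only the two config keys come from the thread; the function names, the remote service list and the demo config are constructed for this example, and the real authentication call (SEC_authenticate) is left out.

```php
<?php
// Added example, not Geeklog's own code. $_CONF['user_login_method']['standard']
// and ['3rdparty'] are the keys discussed in the thread; every other name here
// is constructed for illustration.

/**
 * Return the login services the site currently allows.
 * '' stands for the local (standard) account login; any other entry is the
 * name of a remote authentication module (constructed list, see demo below).
 */
function enabledLoginServices(array $conf, array $remoteServices): array
{
    $enabled = [];
    if (!empty($conf['user_login_method']['standard'])) {
        $enabled[] = '';
    }
    if (!empty($conf['user_login_method']['3rdparty'])) {
        foreach ($remoteServices as $name) {
            $enabled[] = $name;
        }
    }
    return $enabled;
}

/**
 * Render the "service" part of the login form. With exactly one allowed
 * method there is nothing to choose, so emit a hidden field; otherwise a
 * dropdown. This is a usability choice only: selectAuthenticator() below is
 * what actually stops a manipulated form from choosing another method.
 */
function renderServiceField(array $enabled): string
{
    $esc = fn(string $s) => htmlspecialchars($s, ENT_QUOTES, 'UTF-8');
    if (count($enabled) === 1) {
        return '<input type="hidden" name="service" value="' . $esc($enabled[0]) . '">';
    }
    $html = '<select name="service">';
    foreach ($enabled as $svc) {
        $label = ($svc === '') ? 'Local account' : $svc;
        $html .= '<option value="' . $esc($svc) . '">' . $esc($label) . '</option>';
    }
    return $html . '</select>';
}

/**
 * Decide whether a submitted service value may be authenticated at all.
 * Returns the authenticator to use, or null to reject the attempt (the
 * "$status = -1" branch in Dirk's snippet). Never trust the form: the
 * decision is taken from the server-side config alone.
 */
function selectAuthenticator(array $conf, array $remoteServices, string $service): ?string
{
    $enabled = enabledLoginServices($conf, $remoteServices);
    // An empty service means "local database login". Refuse it when the
    // standard method is switched off, whatever the submitted form said.
    if ($service === '') {
        return in_array('', $enabled, true) ? 'standard' : null;
    }
    // A non-empty service must be one the site actually offers.
    return in_array($service, $enabled, true) ? $service : null;
}

// Constructed demo config: an LDAP-only intranet, as Jessica describes.
$_CONF  = ['user_login_method' => ['standard' => false, '3rdparty' => true]];
$remote = ['LDAP'];   // constructed remote service name

$enabled = enabledLoginServices($_CONF, $remote);
echo renderServiceField($enabled), "\n";   // one method, so a hidden field

// Submission from the form as rendered: accepted, routed to the LDAP module.
var_dump(selectAuthenticator($_CONF, $remote, 'LDAP'));
// Form with the service field removed to reach the local login: rejected.
var_dump(selectAuthenticator($_CONF, $remote, ''));
// Form naming a service the site does not offer: rejected.
var_dump(selectAuthenticator($_CONF, $remote, 'SomethingElse'));
```

The rendering helper and the check deliberately read from the same enabledLoginServices() list, so enabling or disabling a method in $_CONF changes both the form and the enforcement in one place; that is the property the duplicated side-block and users.php forms mentioned above make hard to keep.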
