When using bind_method==LDAP_SERVERS_BIND_METHOD_USER, the dn and password are already sent (and checked) during the initial non-anonymous bind, but later in the code, when it comes time to check the password for the anonymous method, the password is checked again either way. The unnecessary network round-trip to the server can be eliminated thus:

In file modules/ldap/ldap_authentication/ldap_authentication.inc around line 364:

$credentials_pass = FALSE;
if ($sso_login) {
/* [...] */
$credentials_pass = (boolean)($ldap_user);
}
+ elseif ($ldap_server->bind_method == LDAP_SERVERS_BIND_METHOD_USER) {
+ // With user bind method, the only way we can reach this part of the code is when the pw
+ // has already been checked and $ldap_user could be loaded, so we're good to go.
+ $credentials_pass = true;
+ }
else {
$credentials_pass = ($ldap_server->bind($ldap_user['dn'], $pass) == LDAP_SUCCESS);
}

CommentFileSizeAuthor
#4 password_unnecessarily-1885710-4.patch849 byteshumansky
Support from Acquia helps fund testing for Drupal Acquia logo

Comments

johnbarclay’s picture

johnbarclay CreditAttribution: johnbarclay commented
Version: 7.x-2.0-beta3 » 7.x-2.x-dev
johnbarclay’s picture

johnbarclay CreditAttribution: johnbarclay commented
Status: Needs review » Postponed

This looks good, but I don't want to break anything at this point, so am postponing to version 8.

johnbarclay’s picture

johnbarclay CreditAttribution: johnbarclay commented
Version: 7.x-2.x-dev » 8.x-2.x-dev
humansky’s picture

humansky CreditAttribution: humansky as a volunteer commented
Issue summary: View changes
Status: Postponed » Needs review
FileSize
password_unnecessarily-1885710-4.patch849 bytes

Thank you @alexanderperlis, this worked like a charm. My work's LDAP server would refuse to bind multiple times during a single connection. I used your patch and now it works. I've attached your code in patch form. All credit goes to @alexanderperlis.

Patch works for latest 7.x dev release.

queenvictoria’s picture

queenvictoria CreditAttribution: queenvictoria at Holly commented
Version: 8.x-2.x-dev » 8.x-3.x-dev

TO CHECK does this occur in the current branch?

grahl’s picture

grahl
he/him
Location Zürich
CreditAttribution: grahl as a volunteer commented
Status: Needs review » Postponed (maintainer needs more info)
grahl’s picture

grahl
he/him
Location Zürich
CreditAttribution: grahl as a volunteer commented
Status: Postponed (maintainer needs more info) » Closed (outdated)
notmike’s picture

notmike CreditAttribution: notmike commented

@grahl The patch in #4 is still needed for the 7.x branch (yesterday, we successfully applied it to 7.x-2.0-beta12 on a production site). What is the protocol for re-opening this issue? The issue was switched from the 7.x version to the 8.x version awhile back, but the patch is only for the 7.x branch (the ldap_authentication.inc file doesn't exist in the 8.x branch).

grahl’s picture

grahl
he/him
Location Zürich
CreditAttribution: grahl as a volunteer commented
Version: 8.x-3.x-dev » 7.x-2.x-dev
Status: Closed (outdated) » Needs review

Hi @notmike

Thanks for your feedback. The policy on reopening is to reopen if the problem isn't solved yet :-)

Status: Needs review » Needs work

The last submitted patch, 4: password_unnecessarily-1885710-4.patch, failed testing.

  • grahl committed ff91358 on 7.x-2.x authored by humansky 
    Issue #1885710 by humansky, alexanderperlis: Password unnecessarily sent...

  • grahl committed 8dc973b on 8.x-3.x authored by humansky 
    Issue #1885710 by humansky, grahl, alexanderperlis: Password...
grahl’s picture

grahl
he/him
Location Zürich
CreditAttribution: grahl as a volunteer commented
Status: Needs work » Fixed

The patch to 8 differs a bit in its implementation, would be great to get feedback from others on this though in my limited testing it worked as expected.

Status: Fixed » Closed (fixed)

Automatically closed - issue fixed for 2 weeks with no activity.