Troubles with our AD integration

Post by andreluizpr »

Hello all,

First, thank you for the great antispam solution. My EFA version is 3.0.0.9.

We are having some troubles with our Active Directory integration.

After adding our users in EFA like name@domain.com.br, when I try to authenticate in the panel, our user can get access with any password, for example:

User: name@domain.com.br
Pass: a or b or the correct AD password or some other.

Result: User can connect to the quarantine panel.

We are receiving this message in my ssl_error_log:

[Tue Aug 09 08:50:55 2016] [error] [client 192.XXX.XXX.XXX] PHP Notice: Undefined offset: 0 in /var/www/html/mailscanner/functions.php on line 2592, referer: https://antispam.domain.com.br/mailscanner/login.php

Other messages in my ssl_error_log are:

[Tue Aug 09 08:48:59 2016] [error] [client 192.XXX.XXX.XXX] PHP Warning: ldap_bind(): Unable to bind to server: Invalid credentials in /var/www/html/mailscanner/functions.php on line 2594, referer: https://antispam.domain.com.br/mailscanner/login.php

My functions.php

function ldap_authenticate($user, $password)
{
    $user = strtolower($user);
    if ($user != "" && $password != "") {
        $ds = ldap_connect(LDAP_HOST, LDAP_PORT) or die("Could not connect to " . LDAP_HOST);
        // Check if Microsoft Active Directory compatibility is enabled
        if (defined('LDAP_MS_AD_COMPATIBILITY') && LDAP_MS_AD_COMPATIBILITY === true) {
            ldap_set_option($ds, LDAP_OPT_REFERRALS, 0);
            ldap_set_option($ds, LDAP_OPT_PROTOCOL_VERSION, 3);
        }
        ldap_bind($ds, LDAP_USER, LDAP_PASS);
        if (strpos($user, '@')) {
            $r = ldap_search($ds, LDAP_DN, LDAP_EMAIL_FIELD . "=SMTP:$user") or die("Could not search");
        } else {
            $r = ldap_search($ds, LDAP_DN, "sAMAccountName=$user") or die("Could not search");
        }
        if ($r) {
            $result = ldap_get_entries($ds, $r) or die("Could not get entries");
            if ($result[0]) { // <-- Line 2592
                $user = $result[0]['userprincipalname']['0'];
                if (ldap_bind($ds, $user, $password)) {
                    if (isset($result[0][LDAP_EMAIL_FIELD])) {
                        foreach ($result[0][LDAP_EMAIL_FIELD] as $email) {
                            if (substr($email, 0, 4) == "SMTP") {
                                $email = strtolower(substr($email, 5));
                                break;
                            }
                        }

                        $sql = sprintf("SELECT username FROM users WHERE username = %s", quote_smart($email));
                        $sth = dbquery($sql);
                        if (mysql_num_rows($sth) == 0) {
                            $sql = sprintf(
                                "REPLACE INTO users (username, fullname, type, password) VALUES (%s, %s,'U',NULL)",
                                quote_smart($email),
                                quote_smart($result[0]['cn'][0])
                            );
                            dbquery($sql);
                        }

                        return $email;
                    }
                }
            }
        }
    }

    return null;
}


My conf.php

// LDAP settings
define('USE_LDAP', true);
define('LDAP_SSL', false); // set to true if using LDAP with SSL encryption
define('LDAP_HOST', 'server.mydomain.local');
define('LDAP_PORT', '389');
define('LDAP_DN', 'DC=mydomain,DC=local');
define('LDAP_USER', 'efa@mydomain.local');
define('LDAP_PASS', 'MyPassword');
define('LDAP_SITE', 'default-first-site-name');
// can be set to 'proxyaddresses' or 'mail'. Please refer to your LDAP system manual for the right keyword
define('LDAP_EMAIL_FIELD', 'mail');
// Microsoft Active Directory compatibility support for searches from Domain Base DN
define('LDAP_MS_AD_COMPATIBILITY', true);

Package php-ldap is OK, see: Package php-ldap-5.3.3-47.el6.x86_64 already installed and latest version

Can someone help me?

Thank you very much!

Cheers,

André
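
An added example, not part of the original post and not MailWatch or EFA code: the "Undefined offset: 0" notice quoted above means ldap_get_entries() returned no entry at index 0, so this sketch shows an entry check that fails closed, together with filter escaping for the login name. The example_* function names and the sample arrays are constructed for illustration, and the "SMTP:" prefix handling assumes the Active Directory convention described in the comment.

```php
<?php
// Added example, not MailWatch/EFA code; example_* names are hypothetical.

// Escape a value for an LDAP search filter (RFC 4515). Hand-written because
// ldap_escape() is only available from PHP 5.6.
function example_ldap_filter_escape($value)
{
    $map = array('\\' => '\5c', '*' => '\2a', '(' => '\28', ')' => '\29', "\0" => '\00');
    return strtr($value, $map);
}

// Build the lookup filter. Assumption: only proxyAddresses values carry the
// "SMTP:" prefix in Active Directory; the mail attribute holds the bare address.
function example_build_filter($login, $emailField)
{
    $login = example_ldap_filter_escape(strtolower($login));
    if (strpos($login, '@') === false) {
        return "(sAMAccountName=$login)";
    }
    $prefix = (strtolower($emailField) === 'proxyaddresses') ? 'SMTP:' : '';
    return "($emailField=$prefix$login)";
}

// Choose the bind identity from an ldap_get_entries() result, failing closed:
// null unless exactly one entry with a non-empty userPrincipalName came back.
function example_select_bind_user($entries)
{
    if (!is_array($entries) || !isset($entries['count']) || $entries['count'] !== 1) {
        return null;
    }
    if (empty($entries[0]['userprincipalname'][0])) {
        return null;
    }
    return $entries[0]['userprincipalname'][0];
}

// Constructed sample data in the shape ldap_get_entries() returns.
$noMatch = array('count' => 0);
$oneMatch = array('count' => 1, 0 => array(
    'userprincipalname' => array('count' => 1, 0 => 'name@mydomain.local'),
));

var_dump(example_select_bind_user($noMatch));
var_dump(example_select_bind_user($oneMatch));
echo example_build_filter('name@domain.com.br', 'mail'), "\n";
echo example_build_filter('a*)(cn=b', 'mail'), "\n";
```

A caller would accept the login only when example_select_bind_user() returns a value and ldap_bind() with that identity and a non-empty password returns true; every other path returns null.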
Re: Troubles with our AD integration

Post by shawniverson »

Upgrade to 3.0.1.1. There are issues with LDAP and auth in 3.0.0.9.