我正在我们的内部站点中使用Active Directory进行身份验证。但是,如果你输入了错误的密码,它找到了用户名,它仍然允许身份验证。所以基本上,这告诉我,它甚至没有真正检查密码是否匹配。有没有一种方法可以确保进行实际的身份验证?
<?php session_start();
include '_includes/header.php';
// form defaults
$error['alert'] = '';
$error['user'] = '';
$error['pass'] = '';
$input['user'] = '';
$input['pass'] = '';
if(isset($_POST['submit']))
{
if($_POST['username'] == '' || $_POST['password'] == '')
{
if($_POST['username'] == '') { $error['user'] = 'required!'; }
if($_POST['password'] == '') { $error['pass'] = 'required!'; }
$error['alert'] = 'Please fill in the required fields';
$input['user'] = htmlentities($_POST['username'], ENT_QUOTES);
$input['pass'] = htmlentities($_POST['password'], ENT_QUOTES);
include 'views/v_authentication.php';
}
else
{
$input['user'] = htmlentities($_POST['username'], ENT_QUOTES);
$input['pass'] = htmlentities($_POST['password'], ENT_QUOTES);
$user = $input['user'] . '@domain.local';
$ldap = ldap_connect("name.of.ldap.server");
if($bind = ldap_bind($ldap, $user, $pass)) {
$_SESSION['id'] = $id;
$_SESSION['type'] = $type;
$_SESSION['username'] = $input['user'];
$_SESSION['last_active'] = time();
header('Location: index.php');
} else {
// username/password incorrect
$error['alert'] = "Username or password incorrect!";
include 'views/v_authentication.php';
}
}
}
else
{
// check for any variables within the URL
if (isset($_GET['unauthorized']))
{
$error['alert'] = 'Please login to view that page!';
}
if (isset($_GET['timeout']))
{
$error['alert'] = 'Your session has expired. Please log in again.';
}
// if the form hasn't been submitted, show form
include 'views/v_authentication.php';
}
$ldap->close();
?>
<?php include 'views/v_authentication.php'; ?>
<?php include '_includes/footer.php'; ?>
$pass在上面的代码中没有定义,因此null被传递给ldap_bind()。根据文档,这将尝试匿名绑定,这在您的设置中似乎是成功的。传递$input['pass']就可以了。