[Coquelicot] [PATCH] Add LDAP authentication (with uid lookup)

Lunar lunar at anargeek.net
Tue May 6 16:51:49 CEST 2014


Hi!

Rowan Thorpe:
> I squashed it to a single commit, which is below (can be applied in git, as it
> is "git format-patch" output). You may wish to add in the docs that the
> underlying ldap module doesn't validate server certs yet - I just added it as
> an in-code comment. Also, the copyright notices will need bumping to 2014 :-)

I'm finally getting to your patch. I have a couple of changes in the
way, but I just wanted to highlight one thing:

> +        result = ldap.bind_as( :base => settings.ldap_base,
> +                               :filter => "(uid=" + params[:ldap_user] + ")",
> +                               :password => params[:ldap_password] )
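Review bot: `params[:ldap_user]` is concatenated into the search filter unescaped, so any LDAP filter metacharacters in the submitted name become part of the filter's syntax instead of part of the uid being matched; escape the value before building the string, e.g. `:filter => "(uid=" + Net::LDAP::Filter.escape(params[:ldap_user]) + ")"`. Note also that `String#+` raises TypeError when `params[:ldap_user]` is nil (form field missing), so the handler should reject a missing username explicitly rather than fail with an exception.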

This code puts a user controlled string directly into the filter. Bad
idea. Net::Ldap::Filter provides an `escape` method which is made for
these occasions.

-- 
Lunar
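The escaping Lunar describes, as an added example rather than code from Coquelicot or from the patch: `ldap_escape` re-implements what Net::LDAP::Filter.escape does (RFC 4515 backslash-hex escaping) so the file runs without the net-ldap gem, and `single_uid_match?` is a hypothetical checker used only to show the difference between the two filters.

```ruby
# Added example, not Coquelicot's code: the filter-building step from the
# patch, written both as the patch has it and with RFC 4515 escaping applied.
# ldap_escape re-implements the behaviour of Net::LDAP::Filter.escape so this
# file runs without the net-ldap gem.

# Characters that carry meaning inside an LDAP search filter (RFC 4515).
LDAP_FILTER_ESCAPES = {
  "\0" => '\\00', '*' => '\\2A', '(' => '\\28', ')' => '\\29', '\\' => '\\5C'
}.freeze
LDAP_FILTER_ESCAPE_RE = Regexp.union(LDAP_FILTER_ESCAPES.keys)

# Replace each special character with its backslash-hex form.
def ldap_escape(value)
  value.to_s.gsub(LDAP_FILTER_ESCAPE_RE) { |c| LDAP_FILTER_ESCAPES[c] }
end

# What the patch does: the user-supplied name is spliced straight into the
# filter, so filter metacharacters in it change the meaning of the query.
def unescaped_uid_filter(user)
  "(uid=" + user + ")"
end

# Hardened form: whatever the input, only a literal uid match can result.
def escaped_uid_filter(user)
  "(uid=" + ldap_escape(user) + ")"
end

# Hypothetical checker: true only if the filter is exactly one equality
# assertion on uid whose value contains no unescaped metacharacters.
def single_uid_match?(filter)
  m = /\A\(uid=(.*)\)\z/m.match(filter)
  return false unless m
  # Tokens are either a 3-char escape (\XX) or a lone metacharacter;
  # any lone metacharacter means the value is altering the filter syntax.
  m[1].scan(/\\[0-9A-Fa-f]{2}|[*()\\\0]/).none? { |t| t.length == 1 }
end
```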