Merge remote-tracking branch 'origin/master' into develop

Merge pull request #18105 from grokability/ldap-fast-find-and-bind
Possible fix for 504 gateway timeout on unreachable LDAP server
2025-10-29 19:31:41 +00:00 · 2025-10-28 02:10:07 +00:00 · 2025-10-28 02:09:41 +00:00 · 2025-10-27 23:45:12 +00:00 · 2025-10-27 19:32:28 +00:00 · 2025-10-27 19:31:54 +00:00
2 changed files with 10 additions and 17 deletions
--- a/app/Models/Ldap.php
+++ b/app/Models/Ldap.php
@ -232,23 +232,14 @@ class Ldap extends Model

        if (! $ldapbind = @ldap_bind($connection, $userDn, $password)) {
            Log::debug("Status of binding user: $userDn to directory: (directly!) ".($ldapbind ? "success" : "FAILURE"));
-            if (! $ldapbind = self::bindAdminToLdap($connection)) {
-                /*
-                 * TODO PLEASE:
-                 *
-                 * this isn't very clear, so it's important to note: the $ldapbind value is never correctly returned - we never 'return true' from self::bindAdminToLdap() (the function
-                 * just "falls off the end" without ever explicitly returning 'true')
-                 *
-                 * but it *does* have an interesting side-effect of checking for the LDAP password being incorrectly encrypted with the wrong APP_KEY, so I'm leaving it in for now.
-                 *
-                 * If it *did* correctly return 'true' on a successful bind, it would _probably_ allow users to log in with an incorrect password. Which would be horrible!
-                 *
-                 * Let's definitely fix this at the next refactor!!!!
-                 *
-                 */
-                Log::debug("Status of binding Admin user: $userDn to directory instead: ".($ldapbind ? "success" : "FAILURE"));
-                return false;
+            // replicate the old bad-decryption-key detection behavior here
+            try {
+                Crypt::decrypt(Setting::getSettings()->ldap_pword);
+            } catch (\Exception $e) {
+                throw new \Exception('Your app key has changed! Could not decrypt LDAP password using your current app key, so LDAP authentication has been disabled. Login with a local account, update the LDAP password and re-enable it in Admin > Settings.');
            }
+            //regardless of anything else; stuff isn't working. Return false.
+            return false;
        }

        if (! $results = ldap_search($connection, $baseDn, $filterQuery)) {
--- a/app/Models/User.php
+++ b/app/Models/User.php
@ -225,7 +225,9 @@ class User extends SnipeModel implements AuthenticatableContract, AuthorizableCo
        return false;
    }

-    public function hasIndividualPermissions() {
+    public function hasIndividualPermissions()
+    {
+        $permissions = [];

        if (is_object($this->permissions)) {
            $permissions = json_decode(json_encode($this->permissions), true);
Author	SHA1	Message	Date
snipe	d064a5530a	Merge remote-tracking branch 'origin/master' into develop	2025-10-28 02:10:07 +00:00
snipe	ab4fbf6c19	Merge pull request #18105 from grokability/ldap-fast-find-and-bind Possible fix for 504 gateway timeout on unreachable LDAP server	2025-10-28 02:09:41 +00:00
snipe	728afa8361	Possible fix for 504 gateway timeout on unreachable LDAP server	2025-10-27 23:45:12 +00:00
snipe	b77019c16e	Merge remote-tracking branch 'origin/develop'	2025-10-27 19:32:28 +00:00
snipe	6703448b80	Merge pull request #18102 from marcusmoore/fixes/rb-20434-undefined-permissions-variable Fixed issue when viewing user that does not have permissions set	2025-10-27 19:31:54 +00:00
Marcus Moore	776ba19a1f	Define default permissions array	2025-10-27 12:28:55 -07:00