We have an instance of MantisBT and we managed to set up LDAP authentication, but we also need to enable authentication based on Mantis's own users (separately from LDAP, for some users), very much like in this question for Ruby.

Unfortunately, it seems that you can easily set up Mantis to either authenticate via LDAP or via its users but enabling both authentication protocols is problematic. Do you have any suggestion?

sophros
  • I don't know Mantis, but if there is no way to enable both types of authentication, you might be able to export users from Mantis and import them into your LDAP database, thus you could manage all users in one single point. If you can't export directly in LDIF that may be more complicated, but having a sample LDIF of a "regular" user entry may tell you how to migrate the Mantis data export to LDIF. – EricLavault Jul 02 '19 at 17:10
  • The point is that we have no control over LDAP database contents. We can only use what is there but not add any new users (which would make your suggested solution viable). – sophros Jul 02 '19 at 17:23
  • OK, I just checked the code and I may be wrong, but I think it's easily patchable. Have a look [here](https://github.com/mantisbt/mantisbt/blob/master/core/authentication_api.php), in the function `auth_does_password_match`: the 1st condition contains a `return` statement (hence the 'xor' behavior on the authentication methods). You just need to make that condition fall back to the classic authentication that comes just after, or, to do things properly, you can create your own constant for `t_configured_login_method` so that you can add your own logic and don't interfere with other auth methods. – EricLavault Jul 02 '19 at 17:43
  • @EricLavault - This is what I was looking for. I would be more than happy to accept your comment as an answer should you decide to add it. – sophros Jul 11 '19 at 12:06
  • Thanks, I wrote it as an answer with more details. – EricLavault Jul 11 '19 at 17:31

1 Answer

Looking at the source code, in the function auth_does_password_match() that actually performs the authentication:

function auth_does_password_match( $p_user_id, $p_test_password ) {
    $t_configured_login_method = config_get_global( 'login_method' );

    if ( LDAP == $t_configured_login_method ) {
        return ldap_authenticate( $p_user_id, $p_test_password );
    }

    # code continues with a try for each of the other authentication methods
    # ...
}

The 1st condition tests the login method $t_configured_login_method and, if it's LDAP, tries to authenticate accordingly. OK, nothing crazy here, but the statement return ldap_authenticate(...); doesn't allow for other authentication methods.

Fortunately, it's not a big deal to patch it so that if LDAP authentication fails, it can fall back to other authentication methods.

Basically, it requires the return value of ldap_authenticate() to be returned only if LDAP authentication succeeds, but not otherwise, so that the code can keep trying with other auth methods. The 1st condition would look like this:

    if (LDAP == $t_configured_login_method && ldap_authenticate($p_user_id, $p_test_password)) {
        return TRUE;
    }

To do things properly, you can create your own constant for $t_configured_login_method so that you can add your own logic and don't interfere with other auth methods.

EricLavault
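The "own constant" approach from the answer, written out as an added, stand-alone example (not MantisBT code, not the answerer's patch). It restricts the local-password fallback to accounts explicitly flagged for it, so a user who exists in LDAP but fails there (wrong password, disabled or removed account) does not get a second attempt against a stale local hash. LDAP_WITH_LOCAL_FALLBACK, ldap_authenticate_stub(), auth_does_password_match_demo() and the in-memory user tables are all constructed for the demo; MantisBT's real helpers and config keys differ.

```php
<?php
// Added example, not MantisBT code. LDAP_WITH_LOCAL_FALLBACK is a
// hypothetical login_method value; the LDAP directory and local user
// table below are constructed sample data.
const LDAP_WITH_LOCAL_FALLBACK = 'ldap_with_local_fallback';

// Constructed LDAP directory: username => password accepted by the server.
$ldap_directory = ['alice' => 'ldap-pass-alice'];

// Constructed Mantis local accounts: password hash plus a per-user flag
// saying whether this account may authenticate with its local password.
$local_users = [
    // bob is local-only (not in LDAP) and is allowed to fall back.
    'bob'   => ['hash' => password_hash('local-pass-bob', PASSWORD_DEFAULT), 'local_fallback' => true],
    // alice is an LDAP user with a stale local hash; she must not bypass LDAP.
    'alice' => ['hash' => password_hash('old-local-pass', PASSWORD_DEFAULT), 'local_fallback' => false],
];

// Stand-in for ldap_authenticate(): true only if LDAP accepts the credentials.
function ldap_authenticate_stub(string $user, string $password, array $dir): bool {
    return isset($dir[$user]) && hash_equals($dir[$user], $password);
}

// Stand-in for auth_does_password_match() with the restricted fallback.
function auth_does_password_match_demo(string $user, string $password, string $method,
                                       array $dir, array $local): bool {
    if ($method === LDAP_WITH_LOCAL_FALLBACK) {
        if (ldap_authenticate_stub($user, $password, $dir)) {
            return true;
        }
        // LDAP refused. Only accounts flagged local_fallback may continue;
        // log the decision either way so failed fallbacks are visible.
        if (empty($local[$user]['local_fallback'])) {
            error_log("auth: LDAP failed for '$user', local fallback not permitted");
            return false;
        }
        error_log("auth: LDAP failed for '$user', trying local password");
    }
    // Classic Mantis path: verify against the stored local hash.
    return isset($local[$user]) && password_verify($password, $local[$user]['hash']);
}

// Three cases: LDAP success, LDAP user trying a stale local password, local-only user.
foreach ([['alice', 'ldap-pass-alice'], ['alice', 'old-local-pass'], ['bob', 'local-pass-bob']] as [$u, $p]) {
    $ok = auth_does_password_match_demo($u, $p, LDAP_WITH_LOCAL_FALLBACK, $ldap_directory, $local_users);
    echo "$u: " . ($ok ? 'accepted' : 'rejected') . PHP_EOL;
}
```

Run it with the PHP CLI; the per-user flag is what keeps the fallback from turning a disabled LDAP account back into a usable local one.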