We are trying to build a Laravel application that uses an LDAP connection to log in to the application. Everything works fine. However, when any user who has registered through Laravel's simple registration form tries to log in, they are logged in even if a wrong password is supplied. Here is the code of the attemptLogin function in the LoginController.php file.
use Adldap\Laravel\Facades\Adldap;
use Illuminate\Http\Request;
use Illuminate\Support\Facades\Auth;

protected function attemptLogin(Request $request)
{
    $credentials = $request->only($this->username(), 'password');
    $username = $credentials[$this->username()];
    $password = $credentials['password'];
    // build the user's DN from the configured format, e.g. "cn=%s,dc=example,dc=com"
    $user_format = env('LDAP_USER_FORMAT', 'cn=%s,' . env('LDAP_BASE_DN', ''));
    $userdn = sprintf($user_format, $username);

    // third argument: bind as the user rather than with the configured admin account
    if (Adldap::auth()->attempt($userdn, $password, true)) {
        // the user exists in the LDAP server, with the provided password
        $user = \App\User::where($this->username(), $username)->first();
        if (!$user) {
            // the user doesn't exist in the local database, so we have to create one
            $user = new \App\User();
            $user->username = $username;
            $user->password = '';
            // you can skip this if there are no extra attributes to read from the LDAP server,
            // or move it below this if (!$user) block if you want to keep the user always
            // in sync with the LDAP server
            $sync_attrs = $this->retrieveSyncAttributes($username);
            foreach ($sync_attrs as $field => $value) {
                $user->$field = $value !== null ? $value : '';
            }
        }
        // by logging the user in we create the session, so there is no need to log in again (within the configured time).
        // pass false as the second parameter if you want the session to expire when the user closes the browser.
        // have a look at the 'session lifetime' section in `config/session.php` for more options.
        $this->guard()->login($user, true);
        return true;
    } else {
        $user = \App\User::where($this->username(), $username)->firstOrFail();
        if (Auth::guard('admin')->attempt($credentials)) {
            $this->guard()->login($user, true);
            return true;
        } else {
            return false;
        }
        // the user doesn't exist in the LDAP server/database or the password is wrong
        // log error
        return false;
    }
}
After instantiating the new user with its attributes, you forgot to save the user:

$sync_attrs = $this->retrieveSyncAttributes($username);
foreach ($sync_attrs as $field => $value) {
    $user->$field = $value !== null ? $value : '';
}
$user->save();
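For comparison, here is a hardened version of the same LDAP-first, local-fallback attemptLogin. This is an added example, not the asker's code or the Adldap2-Laravel project's code. It assumes Adldap2-Laravel's `Adldap` facade, Laravel's `AuthenticatesUsers` trait (which provides `username()` and `guard()`), an `App\User` model with `username` and `password` columns, the asker's own `retrieveSyncAttributes()` helper, and two hypothetical config keys `ldap.user_format` and `ldap.base_dn` populated from the LDAP_* environment variables in config/ldap.php (reading config instead of `env()` so the code keeps working after `php artisan config:cache`). It adds three things a practitioner would want: empty credentials are rejected before the bind (an empty password can be treated as an anonymous bind by an LDAP server and "succeed"), the username is DN-escaped before being interpolated into the DN, and the local fallback lets the guard verify the password hash instead of looking the user up and calling `login()` directly.

```php
<?php
// Added example: hardened LDAP-then-local login for a Laravel LoginController.
// Not the original poster's code; see the assumptions listed in the lead-in.

namespace App\Http\Controllers\Auth;

use Adldap\Laravel\Facades\Adldap;
use App\Http\Controllers\Controller;
use Illuminate\Foundation\Auth\AuthenticatesUsers;
use Illuminate\Http\Request;
use Illuminate\Support\Facades\Auth;
use Illuminate\Support\Facades\Log;

class LoginController extends Controller
{
    use AuthenticatesUsers;

    protected function attemptLogin(Request $request): bool
    {
        $username = (string) $request->input($this->username(), '');
        $password = (string) $request->input('password', '');
        $remember = $request->filled('remember');

        // Reject empty credentials up front. Many directories treat a bind with an
        // empty password as an anonymous (unauthenticated) bind that "succeeds"
        // without checking anything; that must never count as a login.
        if ($username === '' || $password === '') {
            return false;
        }

        // Escape the username before building the DN so characters such as
        // ',', '+', '=' or '\' cannot change the DN structure (LDAP injection).
        // 'ldap.user_format' / 'ldap.base_dn' are assumed config keys.
        $format = config('ldap.user_format', 'cn=%s,' . config('ldap.base_dn', ''));
        $userDn = sprintf($format, ldap_escape($username, '', LDAP_ESCAPE_DN));

        $ldapOk = false;
        try {
            // Bind as the user: success means the directory verified the password.
            $ldapOk = Adldap::auth()->attempt($userDn, $password, true);
        } catch (\Throwable $e) {
            // Adldap2 throws on malformed/empty credentials; treat that as failure.
            Log::warning('LDAP bind error', ['user' => $username, 'error' => $e->getMessage()]);
        }

        if ($ldapOk) {
            $user = \App\User::firstOrNew([$this->username() => $username]);
            if (!$user->exists) {
                // LDAP-backed users have no usable local password. Keep it empty
                // (Laravel's Hash::check() fails on an empty stored hash) rather
                // than storing the cleartext.
                $user->password = '';
            }
            // retrieveSyncAttributes() is the asker's helper; assumed to return
            // an array of column => value read from the directory.
            foreach ($this->retrieveSyncAttributes($username) as $field => $value) {
                $user->$field = $value ?? '';
            }
            $user->save(); // persist the new/updated record before logging in
            $this->guard()->login($user, $remember);
            return true;
        }

        // Fallback for accounts registered through the local form: let the guard
        // verify the stored hash itself. Never look the user up and call login()
        // without a password check.
        $user = \App\User::where($this->username(), $username)->first();
        if ($user === null || $user->password === '') {
            // unknown user, or an LDAP-only user whose LDAP bind already failed
            Log::info('Login failed', ['user' => $username]);
            return false;
        }

        if (Auth::guard()->attempt([$this->username() => $username, 'password' => $password], $remember)) {
            return true;
        }

        Log::info('Login failed', ['user' => $username]);
        return false;
    }
}
```

The original code uses `Auth::guard('admin')` for the fallback; this example uses the default guard so that the same provider (and the same hashed `password` column) that the registration form writes to is the one that checks the password. If the local users really live behind a separate `admin` guard, substitute that guard name, but confirm its provider actually verifies the password hash, because a provider that does not is exactly how a wrong password can still produce a session.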