[#6418] - LDAP enforce two-factor authentication
- Closed
- 24 May 2017
- Medium
- Build: staging
- # 6418
- Diff
- jrseliga:ldap-enforce-twofactor
- Success continuous-integration/travis-ci/pr The Travis CI build passed Details
User tests: Successful: Unsuccessful:
Summary
Currently the LDAP Authentication plugin does not enforce two-factor authentication, this fixes that.
Notes
This is just a copy-paste of the logic from the Joomla! Authentication plugin. Although it is beyond the scope of this pull request, it might be beneficial to add a method to a core authentication library/helper as this code would be usable for any future core shipped authentication plugin or one developed by the community.
In the Joomla! Authentication plugin, the block for getting the database object (lines 166-174 of the file changed in this PR) happens near the top before any authentication checking happens. That is because the authentication checking for the Joomla! Authentication plugin requires information from that object. However, the LDAP Authentication plugin only requires this object if two-factor authentication is enabled for this user. Therefore this query shouldn't happen every time this plugin is triggered, instead only when the user has two-factor authentication enabled. Thus it has been moved after the two-factor method conditional.
Testing
- Configure LDAP Authentication Plugin
- Ensure LDAP Authentication is functioning properly
- Enable a two-factor authentication plugin
- Add two-factor authentication to this user
- Take note of a one time emergency password (used later in testing)
- Attempt login without supplying secret
- Should fail, with notice that secret key is invalid
- Attempt login with appropriate secret key
- Should Succeed
- Attempt login with one time password copied in step 3
- Should succeed
joomla-cms-bot
- | Labels |
Added:
?
|
||
brianteeman
- | Category | ⇒ | Authentication |
is there any Comment on this PR by Maintainers?
The scope of this PR has nothing to do with the feature set of the LDAP plugin. It simply adds logic so that two-factor authentication is enforced even when the LDAP plugin is used for authentication.
closing this one, just copy code is not the way to go
| Status | Pending | ⇒ | Closed |
| Closed_Date | 0000-00-00 00:00:00 | ⇒ | 2017-05-24 09:42:55 |
| Closed_By | ⇒ | rdeutz |
| Category | Authentication | ⇒ | Front End Plugins Authentication |
I gladly want to help testing, but the plugin does not have enough options and functionalities to connect to Secured Windows Domains with Functionality level Windows 2012.
Shmanic has a much more extended extension and plugins for LDAP Authentication, but this one is not fully maintained.
If someone wants to look at integrating the necessary stuff from his Extension to the Default Joomla LDAP Plugin, then we will have a much greater plugin which can be used on the new Windows Domains.
I can't program but I can provide many information on the usage and needs.
This comment was created with the J!Tracker Application at issues.joomla.org/joomla-cms/6418.