Commit 5822e4e

authored
Merge pull request #17729 from grokability/exit-early-if-ldap-troubleshooter-cannot-decrypt-ldap-pw
Put LDAP troubleshooter's decrypt in a try/catch to avoid crashing if it cannot decrypt the password
2 parents adc3a34 + e4f06b0 commit 5822e4e

1 file changed

+27
-4
lines changed

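--- a/app/Console/Commands/LdapTroubleshooter.php
+++ b/app/Console/Commands/LdapTroubleshooter.php
@@ -161,7 +161,15 @@ public function handle()
 $output[] = "-x";
 $output[] = "-b ".escapeshellarg($settings->ldap_basedn);
 $output[] = "-D ".escapeshellarg($settings->ldap_uname);
-$output[] = "-w ".escapeshellarg(Crypt::Decrypt($settings->ldap_pword));
+
+try {
+$w = Crypt::Decrypt($settings->ldap_pword);
+} catch (\Exception $e) {
+$this->warn("Could not decrypt password. This usually means an LDAP password was not set or the APP_KEY was changed since the LDAP pasword was last saved. Aborting.");
+exit(0);
+}
+
+$output[] = "-w ". escapeshellarg($w);
 $output[] = escapeshellarg(parenthesized_filter($settings->ldap_filter));
 if($settings->ldap_tls) {
 $this->line("# adding STARTTLS option");
@@ -363,7 +371,13 @@ public function handle()
 
 $this->line("STAGE 4: Test Administrative Bind for LDAP Sync");
 foreach($ldap_urls AS $ldap_url) {
-$this->test_authed_bind($ldap_url[0], $ldap_url[1], $ldap_url[2], $settings->ldap_uname, Crypt::decrypt($settings->ldap_pword));
+try {
+$w = Crypt::Decrypt($settings->ldap_pword);
+} catch (\Exception $e) {
+$this->warn("Could not decrypt password. This usually means an LDAP password was not set or the APP_KEY was changed since the LDAP pasword was last saved. Aborting.");
+exit(0);
+}
+$this->test_authed_bind($ldap_url[0], $ldap_url[1], $ldap_url[2], $settings->ldap_uname, $w);
 }
 
 $this->line("STAGE 5: Test BaseDN");
@@ -378,7 +392,14 @@ public function handle()
 $this->debugout("LDAP constants are: ".print_r($ldap_constants,true));
 
 foreach($ldap_urls AS $ldap_url) {
-if($this->test_informational_bind($ldap_url[0],$ldap_url[1],$ldap_url[2],$settings->ldap_uname,Crypt::decrypt($settings->ldap_pword),$settings)) {
+try {
+$w = Crypt::Decrypt($settings->ldap_pword);
+} catch (\Exception $e) {
+$this->warn("Could not decrypt password. This usually means an LDAP password was not set or the APP_KEY was changed since the LDAP pasword was last saved. Aborting.");
+exit(0);
+}
+
+if($this->test_informational_bind($ldap_url[0],$ldap_url[1],$ldap_url[2],$settings->ldap_uname,$w,$settings)) {
 $this->info("Success getting informational bind!");
 } else {
 $this->error("Unable to get information from bind.");
@@ -449,7 +470,7 @@ public function test_anonymous_bind($ldap_url, $check_cert = true, $start_tls =
 return $this->timed_boolean_execute(function () use ($ldap_url, $check_cert , $start_tls) {
 try {
 $lconn = $this->connect_to_ldap($ldap_url, $check_cert, $start_tls);
-$this->line("gonna try to bind now, this can take a while if we mess it up");
+$this->line("Attempting to bind now, this can take a while if we mess it up");
 $bind_results = ldap_bind($lconn);
 $this->line("Bind results are: " . $bind_results . " which translate into boolean: " . (bool)$bind_results);
 ldap_close($lconn);
@@ -601,4 +622,6 @@ private function timed_boolean_execute($function)
 }
 
 }
+
+
 }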
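Review bot: The three new catch blocks in handle() (new lines 165-170, 374-379 and 395-400) end with `exit(0);`, so a run that aborts because the LDAP bind password cannot be decrypted still reports success to the shell, and a script or monitoring job wrapping the troubleshooter cannot tell the abort from a clean run. Returning a non-zero status from handle() would fix that, e.g. `return 1;` in place of `exit(0);`, which also lets the framework shut down normally instead of terminating mid-command. The catch type `\Exception` is wider than needed; if the only expected failure is the one Laravel raises for an invalid payload or a changed APP_KEY, `catch (\Illuminate\Contracts\Encryption\DecryptException $e)` keeps unrelated errors visible. The same block is repeated three times, twice inside a per-URL loop, so decrypting once near the top of handle() and reusing `$w` would remove the duplication and the redundant decrypt calls; the warning text also has a typo, "pasword". handle() starts and ends outside these hunks, so whether its other exit paths already return an int is not visible here.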
