There is a possible scenario to get a redirect loop when triggering drupal_goto('user/login') in ldap_authentication.inc on auth fail. This is because $_GET['destination'] overrides the path set in drupal_goto($path); if that destination is not available to unauthorized users, it will redirect back and forth. Firefox handled it well but Safari and Chrome just got TOO MANY REDIRECTS.

1. Front is not available to unauthorized users.
2. User goes to / it will redirect to user/login/sso?destination={Front}
3. Auth fails and should redirect to user/login but drupal_goto overrides and redirects to Front
4. Front not available, redirect to user/login/sso?destination={Front}
5. continue until browser throws error

My solution is probably not the best but it works.

In ldap_authentication.inc unset the destination get parameter before drupal_goto('user/login') located in three places in sso method.

function _ldap_authentication_user_login_sso() {
  ...
  unset($_GET['destination']);
  drupal_goto('user/login');
  ...
  unset($_GET['destination']);
  drupal_goto('user/login');
  ...
  unset($_GET['destination']);
  drupal_goto('user/login');
}

Comments

emilkarl’s picture

Issue summary: View changes

Updated front text in description

johnbarclay’s picture

Version: 7.x-1.0-beta5 » 7.x-1.x-dev
Status: Active » Closed (won't fix)

This is something to keep an eye out for, but the current ldap_sso is quite different from when this patch was written.

shawn_smiley’s picture

Version: 7.x-1.x-dev » 7.x-2.x-dev
Status: Closed (won't fix) » Needs review
FileSize
1.63 KB

Re-opening this issue.

We ran into this infinite redirect issue during our Active Directory integration. I've attached a patch which resolved the issue for us.

Basically the problem appears to be that the ldap_sso module is verifying and loading the Drupal user account, but it never calls the routines to set the session cookies indicating that the user was logged in. Thus we would end up in a redirect loop where the user would be successfully authenticated and then redirected back to their original page, but the original page wouldn't be able to find an authentication token in the session for the user and redirect them back to the SSO page.
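
The two loops described in this thread (the failed-auth case from the issue summary, where `destination` overrides the `drupal_goto()` path, and the missing-session case from the comment above) can be reproduced in a stand-alone PHP model. This is an added example, not code from the ldap module or from any poster; the function names, option keys, the uid 42 and the 20-hop limit are assumptions made for illustration.

```php
<?php
// Stand-alone model of the two redirect loops in this thread; it needs no
// Drupal bootstrap. Every function and option name here is hypothetical.

// The rule from the issue summary: a 'destination' query parameter, when
// present, replaces the path the caller passed to drupal_goto().
function model_goto(string $path, array $query): string {
  return $query['destination'] ?? $path;
}

// Handles one request. Returns [nextPath, nextQuery] for a redirect,
// or null when a page is rendered and the redirect chain ends.
function handle(string $path, array $query, array &$session, array $opt): ?array {
  if ($path === 'front') {
    // Front is closed to anonymous users: bounce them to SSO.
    return $session['uid'] > 0 ? null : ['user/login/sso', ['destination' => 'front']];
  }
  if ($path === 'user/login/sso') {
    if ($opt['auth_ok']) {
      // Missing-session case: loading the account is not enough, the
      // session must record the login before redirecting back.
      if ($opt['finalize_login']) { $session['uid'] = 42; } // constructed uid
      return [model_goto('front', $query), []];
    }
    // Failed-auth case: the user should land on the login form.
    if ($opt['unset_destination']) { unset($query['destination']); }
    return [model_goto('user/login', $query), []];
  }
  return null; // user/login renders the form
}

// Follows redirects from $start; reports whether the hop limit was reached.
function follow(string $start, array $opt, int $maxHops = 20): array {
  $session = ['uid' => 0];
  [$path, $query, $trail] = [$start, [], [$start]];
  for ($hop = 0; $hop < $maxHops; $hop++) {
    $next = handle($path, $query, $session, $opt);
    if ($next === null) { return ['loop' => false, 'trail' => $trail]; }
    [$path, $query] = $next;
    $trail[] = $path;
  }
  return ['loop' => true, 'trail' => $trail];
}

$cases = [ // option order: auth_ok, finalize_login, unset_destination
  'auth fails, destination kept'  => [false, false, false],
  'auth fails, destination unset' => [false, false, true],
  'auth ok, session not written'  => [true, false, false],
  'auth ok, session written'      => [true, true, false],
];
foreach ($cases as $name => $v) {
  $opt = array_combine(['auth_ok', 'finalize_login', 'unset_destination'], $v);
  $r = follow('front', $opt);
  printf("%-30s %s after %d hops\n", $name, $r['loop'] ? 'LOOP' : 'ends', count($r['trail']) - 1);
}
```

Run it with the PHP CLI (7.1 or later); the same four cases make a compact regression checklist when testing an SSO configuration against a protected front page.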

johnbarclay’s picture

There's been an endless loop of patches related to looping, redirecting, and excluded paths for ldap sso. We need a handful of people using ldap sso in a few different scenarios to isolate the issues and test patches. And someone to wrap up the simpletest coverage.

This patch looks good from what I can see.

swentel’s picture

I can confirm this patch fixes the redirects and also makes sure the roles are applied to the users. Patch needs reroll though.

johnbarclay’s picture

I can commit #2 by hand without a reroll also. Will commit next chance I get.

johnbarclay’s picture

I committed #2 along with some more work on the ldap sso simpletests. See http://drupalcode.org/project/ldap.git/commitdiff/f53eaa120edb3b80aeb5de...

I needed to have a wrapper around the $_SESSION and $_SERVER variables for mock testing. I've implemented it but may need to do so for $_COOKIE at some point, but hopefully the drupal simpletest cookie helpers will do the trick.

Thanks for the fix. I suspect it may also fix #1956224: LDAP SSO: with AD, mod_auth_sspi, not seemless authentication gives success but does not logon user

Please test.

arh1’s picture

We're experiencing this, too.

The latest 2.x-dev release (April 24) seems to resolve it. Thanks for your work on this, shawn_smiley and johnbarclay.

solquimpo’s picture

I can also confirm that 7.x-2.x-dev fixes the problem.

johnbarclay’s picture

Status: Needs review » Fixed

Thanks. Appreciate the followups. I'm closing this.

Status: Fixed » Closed (fixed)

Automatically closed -- issue fixed for 2 weeks with no activity.

geerlingguy’s picture

Issue summary: View changes

Updated spelling