
LDAP - Full Support - Guide - Readme


Re: LDAP - Full Support - Guide - Readme

Postby Eric » 04.05.2012, 11:20

Hi,

for using ldap auth with collabtive 0.75 you need:

in the folder collabtive create a file akua.ldap.php
with this text:
    <?PHP

    // LDAP For Collabtive 0.6.5 (v1.0, 2010-11-20)
    // by Greg Kerr

    // License: BSD

    //   Place this file in the root directory - fix permissions as needed
    //   Configure the constants below to suit your environment
    //   Set LDAPChoice to SearchOpenLDAP or SelfBindActiveDirectory or whatever config and setup the associated parameters below

    // In the file include/class.user.php
    //   Search for: function login
    //   Insert a new line after the first brace ({) of the function and add the following 2 lines:

    //   require_once("./akua.ldap.php");      // Or whatever you rename it
    //   ldap_login($this, $user, $pass);

    //  Way down at the bottom of the file you may enable "debug" mode to test your settings before using it
    //  Tested on my company's ActiveDirectory and personal OpenLDAP server ... results may vary


    function ldap_login($userObj, $user, $pass, $debug = false)
    {
        if (!$user) return false;

        $LDAPChoice = 'SelfBindActiveDirectory';     // Choose an $x = line below

        $x = 'SearchOpenLDAP';
        $ldap[$x]['Server']    = 'ldap.myco.org';         // Server accessed
        $ldap[$x]['BindAsMe']   = false;         // Bind as the attempting user (otherwise bind as User/Pass and search for this user)
        $ldap[$x]['Search']      = true;            // Search regardless of who binds
        $ldap[$x]['BaseDN']      = 'o=kerr,c=us';   // Base of LDAP tree
        $ldap[$x]['uid']      = 'uid';         // User ID field of users
        $ldap[$x]['oclass']      = 'inetOrgPerson';   // Objects to restrict user search to (if searching)
        $ldap[$x]['BindDN']      = 'uid=collabtive,ou=services,' . $ldap[$x]['BaseDN'];      // If BindAsMe is false, bind as this ldap user - make both empty for anonymous bind
        $ldap[$x]['BindPW']      = '';                                       // If BindAsMe is false, bind with this password
        $ldap[$x]['UserForm']   = 'uid=USERNAME,' . $ldap[$x]['BaseDN'];               // If not empty; replace USERNAME with $user; bind with this and $pass
        $ldap[$x]['Email']      = 'mail';         // Email attribute in LDAP
        $ldap[$x]['Company']   = 'company';      // Company attribute in LDAP

        $x = 'SelfBindOpenLDAP';
        $ldap[$x]['Server']    = 'ldap.myco.org';         // Server accessed
        $ldap[$x]['BindAsMe']   = true;         // Bind as the attempting user (otherwise bind as User/Pass and search for this user)
        $ldap[$x]['Search']      = true;            // Search regardless of who binds
        $ldap[$x]['BaseDN']      = 'o=kerr,c=us';   // Base of LDAP tree
        $ldap[$x]['uid']      = 'uid';         // User ID field of users
        $ldap[$x]['oclass']      = 'inetOrgPerson';   // Objects to restrict user search to (if searching)
        $ldap[$x]['BindDN']      = 'uid=collabtive,ou=services,' . $ldap[$x]['BaseDN'];      // If BindAsMe is false, bind as this ldap user - make both empty for anonymous bind
        $ldap[$x]['BindPW']      = '';                                       // If BindAsMe is false, bind with this password
        $ldap[$x]['UserForm']   = 'uid=USERNAME,' . $ldap[$x]['BaseDN'];               // If not empty; replace USERNAME with $user; bind with this and $pass
        $ldap[$x]['Email']      = 'mail';         // Email attribute in LDAP
        $ldap[$x]['Company']   = 'company';      // Company attribute in LDAP

        $x = 'SelfBindActiveDirectory';
        $ldap[$x]['Server']    = 'server.enterprise.corp';   // Server accessed
        $ldap[$x]['BindAsMe']   = false;               // Bind as the attempting user (otherwise bind as User/Pass and search for this user)
        $ldap[$x]['Search']      = true;               // Search regardless of who binds (e.g. to bind to AD as the DOMAIN\USER form - but search for sAMAAccountName to get the DN)
        $ldap[$x]['BaseDN']      = 'ou=Services,dc=enterprise,dc=corp';      // Base of LDAP tree
        $ldap[$x]['uid']      = 'sAMAccountName';      // User ID field of users
        $ldap[$x]['oclass']      = 'user';            // Objects to restrict user search to (if searching)
        $ldap[$x]['BindDN']      = 'administrateur@enterprise.corp';               // If BindAsMe is false, bind as this ldap user - make both empty for anonymous bind
        $ldap[$x]['BindPW']      = 'password';               // If BindAsMe is false, bind with this password
        $ldap[$x]['UserForm']   = 'domain\\$user';      // If not empty; replace USERNAME with $user; bind with this and $pass
        $ldap[$x]['Email']      = 'mail';            // Email attribute in LDAP
        $ldap[$x]['Company']   = 'physicalDeliveryOfficeName';   // Company attribute in LDAP

        // Get the selected parameters (which should move to a config file if adopted)
        $server      = $ldap[$LDAPChoice]['Server'];
        $bindasme   = $ldap[$LDAPChoice]['BindAsMe'];
        $search      = $ldap[$LDAPChoice]['Search'];
        $basedn      = $ldap[$LDAPChoice]['BaseDN'];
        $uid      = $ldap[$LDAPChoice]['uid'];
        $oclass      = $ldap[$LDAPChoice]['oclass'];
        $binddn      = $ldap[$LDAPChoice]['BindDN'];
        $bindpw      = $ldap[$LDAPChoice]['BindPW'];
        $userform   = $ldap[$LDAPChoice]['UserForm'];
        $ldemail   = $ldap[$LDAPChoice]['Email'];
        $ldcompany   = $ldap[$LDAPChoice]['Company'];

        if ($debug) print ("Connecting to $server ...\n");

        if (!($connect = @ldap_connect($server)))
         {
            print("Basic connection to $server failed<BR>\n");
            return false;
         }

        ldap_set_option($connect, LDAP_OPT_PROTOCOL_VERSION, 3);

        // Bind as ME (the user) or as the BindDN
        if ($bindasme)
         {
            if ($debug) print ("Parameter replace in $userform with $user ...\n");
            $binddn = str_replace('USERNAME', $user, $userform);
            $bindpw = $pass;
         }

        if ($debug) print ("Binding as $binddn with $bindpw ...\n");

        if (!($bind = @ldap_bind($connect, $binddn, $bindpw)))
         {
            print("Binding as $binddn failed<BR>\n");
            @ldap_close($connect);
            return false;
         }

        // ID of found entry
        $foundID = 0;

        // Search for the user, binding as binddn, bindpw? (or anonymous if they're empty)
        if ($search)
         {
            $userform = $uid . '=' . $user;
            if ($oclass != '')
                $userform = '(&(objectclass=' . $oclass . ')(' . $userform . '))';

            // Search for user
            if ($debug) print("Searching for $userform in $basedn ...\n");

            if (!($resultID = ldap_search($connect, $basedn, $userform)))
             {
                print("Search for $userform in $basedn failed<BR>\n");
                @ldap_close($connect);
                return false;               
             }

            // We should only have one - but I suppose it is legal to have the same UID in some LDAPs - so let's try them all
            $cnt = ldap_count_entries($connect, $resultID);

            if ($debug) print("Got $cnt entries from search\n");

            $userform = '';

            for ($i = 0; $i < $cnt; $i++)
             {
                // Get the entry's DN
                if ($debug) print("Getting entry #$i\n");
                $entryID = ($i == 0) ? ldap_first_entry($connect, $resultID) : ldap_next_entry($connect, $resultID);
                $entryDN = ldap_get_dn($connect, $entryID);

                // Try to bind with it and the given password
                if ($debug) print("Trying to bind with its DN $entryDN ...\n");

                if ($userbind = @ldap_bind($connect, $entryDN, $pass))
                 {
                    $userform = $entryDN;
                    $foundID = $entryID;
                    if ($debug) print("Success binding $entryDN ...\n");
                 }
             }

            if ($userform == '')
             {
                if ($debug) print("Binding failed for all entries found.\n");
                @ldap_close($connect);
                return false;   // We now have success DN in $userform
             }
         }
        else
         {
            // We'll search here too - but for the DN we have in UserForm (e.g. if UserForm is uid=USERNAME,ou=...,[BaseDN])
            if ($debug) print ("Searching for dn=$userform in $basedn ...\n");

            // Get the entry for this DN
            if (!($resultID = ldap_search($connect, $basedn, 'dn=' . $userform)))
             {
                print("Search for $userform in $basedn failed<BR>\n");
                @ldap_close($connect);
                return false;               
             }

            // We should only have one - but I suppose it is legal to have the same UID in some LDAPs - so let's try them all
            $cnt = ldap_count_entries($connect, $resultID);
            if ($debug) print("Got $cnt entries from search for $userform");

            if ($cnt != 1)
             {
                if ($debug) print("$cnt entries should never happen for an exact DN search\n");
                @ldap_close($connect);
                return false;
             }

            if (!($foundID = ldap_first_entry($resultID)))
             {
                if ($debug) print("Couldn't retrieve the entry for $userform\n");
                @ldap_close($connect);
                return false;           
             }
         }

        // At this point - successful binding with $userform / pass and entryID is in $foundID
        // Connect entry to mysql database


        // Search user table for this user
        if ($debug)
         {
            print("Would search for $user in database in non-debug mode\n");
            $rec['id'] = '';
         }
        else
         {
            $dbQ = mysql_query("SELECT id, pass FROM user WHERE name = '$user'");
            $rec = mysql_fetch_array($dbQ);
         }

        // Add User as new?
        if ('' == $rec['id'])
         {
            // Get values from LDAP entry we'll be stuffing into the database
            $emails = @ldap_get_values($connect, $foundID, $ldemail);
            $comps = @ldap_get_values($connect, $foundID, $ldcompany);

            $email = ($emails['count'] > 0) ? $emails[0] : 'UnknownEmail@unknown';
            $company = ($comps['count'] > 0) ? $comps[0] : 'Untitled';

            if ($debug)
                print("Would add in non-debug mode: $user, $email, $company, $pass ...\n");
            else
                $userObj->add($user, $email, $company, $pass);
            // function add($name, $email, $company, $pass, $locale = "", $tags = "", $rate = 0.0)
         }
        else   // Update password?
         {
           if ($rec['pass'] != $pass)
            {
               if ($debug)
                   print("Would update password in non-debug mode\n");
               else
                   $userObj->admin_editpass($rec['id'], $pass, $pass);
            }
         }

        @ldap_close($connect);
        return true;
    }


    // Uncomment this to test a login with php CLI - just php this file
    // ldap_login(0, 'Test User', 'Test Password', true);

    ?>



after,
In the file include/class.user.php
Search for: function login
Insert a new line after the first brace ({) of the function and add the following 2 lines:

require_once("./akua.ldap.php");
ldap_login($this, $user, $pass);


But I have some incompatibility with the gantt module.
I hope LDAP auth becomes an official module!
Eric
 
Posts: 9
Joined: 21.03.2012, 14:41

Re: LDAP - Full Support - Guide - Readme

Postby to_O » 28.02.2013, 10:55

Dear Eric,
thank you for this post. Could you give us more details about incompatibilities with gantt module ?

I'm very interested in Collabtive & LDAP support, but I don't want to buy a module if it is not working with it.

Thanks.
to_O
 


