Loading

LDAP authentication - I created!

You want to see a new feature?

Re: LDAP authentication - I created!

Postby darkchild » 13.08.2008, 19:34

Thanks for the share.
darkchild
 
Posts: 15
Joined: 29.04.2008, 20:09

Re: LDAP authentication - I created!

Postby Philipp » 14.08.2008, 10:47

Wow great stuff there. :)

I will definately implement this in one of our upcoming releases, to be supported as a default login option.

Thanks for your effort. :)
User avatar
Philipp
Site Admin
 
Posts: 1118
Joined: 14.12.2007, 03:06
Location: Saarbrücken, germany

Re: LDAP authentication - I created!

Postby jledhead » 14.11.2008, 20:43

this doesn't work for me with active directory. I suspect its because I don't allow anon lookups. I have tried passing bind username and pass but can't get it to work. any ideas?
jledhead
 
Posts: 6
Joined: 30.04.2008, 02:28

Re: LDAP authentication

Postby mloeffen » 15.11.2008, 13:13

jledhead wrote:this doesn't work for me with active directory. I suspect its because I don't allow anon lookups. I have tried passing bind username and pass but can't get it to work. any ideas?

It would help if you posted errormessages. To see the actual error, you have to uncomment line 16 in init.php, so

//error_reporting(E_ALL | E_STRICT);

becomes

error_reporting(E_ALL | E_STRICT);

And you have to remove the @ from @ldap_connect and @ldap_bind in include/class.user.php

You might also have a look if your active directory listens on the default port (389) and set the username and password here:

if(($bind=@ldap_bind($connect,'username','password')) == false){
mloeffen
Moderator
 
Posts: 196
Joined: 20.05.2008, 16:40
Location: Netherlands

Re: LDAP authentication - I created!

Postby cenic » 28.04.2009, 20:46

Thanks a lot, worked like a charm, with 1 exception:

I think in version 0.5 the user table changed and no longer has the column "admin". I had to remove that from line 390 to look like:
$sel1 = mysql_query("SELECT ID,name,locale,lastlogin FROM user WHERE name = '$user' AND pass = '$pass'"
cenic
 
Posts: 6
Joined: 28.04.2009, 20:20

Re: LDAP authentication - I created!

Postby cenic » 02.05.2009, 00:55

So with the changes away from the admin flag to the user role system a few more modifications were needed to get this to work. For the sake of anyone else looking i've posted the complete login function below for LDAP integration.
Code: Select all
function login($user, $pass)
    {
        if (!$user)
        {
            return false;
        }

        // ---------------- Start of LDAP authentication code ----------------
        $auth_type="ldap"; // Possible values: ldap | mysql
        $ldap_server="od.blah.org";
        $base_dn="dc=od,dc=blah,dc=org";

        if ($auth_type == "ldap"){
                if($connect=@ldap_connect($ldap_server)){ // if connected to ldap server
                        ldap_set_option($connect, LDAP_OPT_PROTOCOL_VERSION, 3);

                        // bind to ldap connection
                        if(($bind=@ldap_bind($connect)) == false){
                                print "bind:__FAILED__<br>\n";
                                return false;
                        }

                        // search for user
                        if (($res_id = ldap_search( $connect, $base_dn, "uid=$user")) == false) {
                                print "failure: search in LDAP-tree failed<br>";
                                return false;
                        }

                        // verify if there is only one entry of this user:
                        if (ldap_count_entries($connect, $res_id) > 1) {
                                print "failure: user $user found more than once<br>\n";
                                return false;
                        }
                        elseif (ldap_count_entries($connect, $res_id) == 1){
                                if (( $entry_id = ldap_first_entry($connect, $res_id))== false) {
                                        print "failur: entry of searchresult couln't be fetched<br>\n";
                                        return false;
                                }

                                if (( $user_dn = ldap_get_dn($connect, $entry_id)) == false) {
                                        print "failure: user-dn coulnd't be fetched<br>\n";
                                        return false;
                                }

                                /* Authentifizierung des User */
                                if (($link_id = ldap_bind($connect, $user_dn, $pass)) == false) {
                                        print "failure: username, password didn't match: $user_dn<br>\n";
                                        return false;
                                }

                                // verify if user is already registered at database:
                                $sel0 = mysql_query("SELECT ID,pass FROM user WHERE name = '$user'");
                                $chk = mysql_fetch_array($sel0);

                                // if user already exists, just keep the password updated:
                                if ($chk["ID"] != "")
                                {
                                        if ($chk["pass"] != $pass)
                                        {
                                                $this->admin_editpass($chk["ID"], $pass, $pass);
                                        }
                                }
                                // if user isn't registered at database yet, add the user right now:
                                else
                                {
                                        $newid = $this->add($user, /*$email*/"", 0, $pass, /*$admin*/1, /*$sysloc*/"");
                                }
                                unset($chk);
                                // Now the database is updated the system can try the normal database auth
                        }
                        @ldap_close($connect);
                }
        }
        // ---------------- End of LDAP authentication code ------------------

        $user = mysql_real_escape_string($user);
        $pass = mysql_real_escape_string($pass);
        $pass = sha1($pass);
        print $user;
        $sel1 = mysql_query("SELECT ID,name,locale,lastlogin FROM user WHERE name = '$user' AND pass = '$pass'");
        $chk = mysql_fetch_array($sel1);
        print $chk["ID"];
        if ($chk["ID"] != "")
        {
            $rolesobj = new roles();
            $now = time();
            $_SESSION["userpermissions"] = $rolesobj->getUserRole($chk["ID"]);
            $_SESSION['userid'] = $chk['ID'];
                    $_SESSION['username'] = stripslashes($chk['name']);
            $_SESSION['adminstate'] = $chk['admin'];
            $_SESSION['lastlogin'] = $now;
            $_SESSION['userlocale'] = $chk['locale'];
            session_register('userid');
            session_register('username');
            session_register('adminstate');
            session_register('lastlogin');
            session_register('userlocale');
            $userid = $_SESSION['userid'];
            $seid = session_id();
            $staylogged = getArrayVal($_POST, 'staylogged');

            if ($staylogged == 1)
            {
                setcookie("PHPSESSID", "$seid", time() + 14 * 24 * 3600);
            }
            $upd1 = mysql_query("UPDATE user SET lastlogin = '$now' WHERE ID = $userid");
            return true;
        }
        else
        {
            return false;
        }
    }

cenic
 
Posts: 6
Joined: 28.04.2009, 20:20

Re: LDAP authentication - I created!

Postby Philipp » 08.05.2009, 17:12

fry wrote:
It seems that the mysql insert isn't working into the user table. I have looked at the user table and my ldap user isn't in there after authenticating.


I guess this is because the interface of user::add has changed since this was created.
User avatar
Philipp
Site Admin
 
Posts: 1118
Joined: 14.12.2007, 03:06
Location: Saarbrücken, germany

Re: LDAP authentication - I created!

Postby Gingah » 08.05.2009, 17:53

fry wrote:I can't seem to get this to work.


I wouldn't worry, as Phillip said further up in the thread, he is already planning to implement this in a future release.
User avatar
Gingah
Contributor
 
Posts: 19
Joined: 30.03.2009, 19:28

Re: LDAP authentication - I created!

Postby Philipp » 08.05.2009, 18:51

i guess i should just wrap this into a method of class user :)

I admit i have not spent much time on this, since it was created.
Mainly because i don't have a LDAP setup running for testing.

Mainwhile i would suggest doing it like this:

First rename the function presented here to ldap_login
Code: Select all
    function ldap_login($user, $pass)


Put it in /include/class.user.php

Then open login.tpl, and add a checkbox named "ldap"
Code: Select all
      <div class="row">         
            <label for="stay"><span>LDAP</span></label>
            <input type = "checkbox" name = "ldap" id="ldap" value = "1" />
         </div>


This won't look too pretty, but i will do ;)
(You can style it with css, if you like )

Then open manageuser.php, go to line 65 , and get the value of the checkbox like this:
Code: Select all
$ldap = getArrayVal($_POST,"ldap");


Then go to line 106 and change
Code: Select all
     if ($user->login($username, $pass))
        {
            $loc = $url . "index.php?mode=login";
            header("Location: $loc");
        }


to

Code: Select all
      if($ldap)
      {
          $normal_login = $user->ldap_login($username, $pass)
      }
      else
      {
          $normal_login = $user->login($username, $pass)
      }
      if ($normal_login)
        {
            $loc = $url . "index.php?mode=login";
            header("Location: $loc");
        }


This way you can chose on each login if you want to use LDAP login.
Hope this helps, haven't tested it though :)
User avatar
Philipp
Site Admin
 
Posts: 1118
Joined: 14.12.2007, 03:06
Location: Saarbrücken, germany

Re: LDAP authentication - I created!

Postby snake-bis » 02.11.2009, 16:07

Loki wrote:Great Job. Thanks for sharing. Hope LDAP for Active Directory come soon.
Greetings
Peter


Works fine with AD LDAP. You just need to (I used the last code from above)

change :
Code: Select all
($res_id = ldap_search( $connect, $base_dn, "mailNickName=$user")

to
Code: Select all
($res_id = ldap_search( $connect, $base_dn, "samaccountname=$user")


For the loginDN use :

Code: Select all
$ldapbinduser = "domain\username"; //put username here


Remember also to create a dummy account with restricted rights to your AD and add it to the LDAP tree using "adsiedit.msc"
snake-bis
 
Posts: 3
Joined: 02.11.2009, 16:00

Next

Return to Feature Requests

Who is online

Users browsing this forum: No registered users