
LDAP authentication - I created!


Re: LDAP authentication - I created!

Postby darkchild » 13.08.2008, 19:34

Thanks for the share.
darkchild
 
Posts: 15
Joined: 29.04.2008, 20:09

Re: LDAP authentication - I created!

Postby Philipp » 14.08.2008, 10:47

Wow great stuff there. :)

I will definitely implement this in one of our upcoming releases, to be supported as a default login option.

Thanks for your effort. :)
Philipp
Site Admin
 
Posts: 1118
Joined: 14.12.2007, 03:06
Location: Saarbrücken, germany

Re: LDAP authentication - I created!

Postby jledhead » 14.11.2008, 20:43

This doesn't work for me with Active Directory. I suspect it's because I don't allow anon lookups. I have tried passing bind username and pass but can't get it to work. Any ideas?
jledhead
 
Posts: 6
Joined: 30.04.2008, 02:28

Re: LDAP authentication

Postby mloeffen » 15.11.2008, 13:13

jledhead wrote: This doesn't work for me with Active Directory. I suspect it's because I don't allow anon lookups. I have tried passing bind username and pass but can't get it to work. Any ideas?

It would help if you posted error messages. To see the actual error, you have to uncomment line 16 in init.php, so

//error_reporting(E_ALL | E_STRICT);

becomes

error_reporting(E_ALL | E_STRICT);

And you have to remove the @ from @ldap_connect and @ldap_bind in include/class.user.php

You might also have a look if your active directory listens on the default port (389) and set the username and password here:

if(($bind=@ldap_bind($connect,'username','password')) == false){
mloeffen
Moderator
 
Posts: 196
Joined: 20.05.2008, 16:40
Location: Netherlands

Re: LDAP authentication - I created!

Postby cenic » 28.04.2009, 20:46

Thanks a lot, worked like a charm, with 1 exception:

I think in version 0.5 the user table changed and no longer has the column "admin". I had to remove that from line 390 to look like:
$sel1 = mysql_query("SELECT ID,name,locale,lastlogin FROM user WHERE name = '$user' AND pass = '$pass'");
cenic
 
Posts: 6
Joined: 28.04.2009, 20:20

Re: LDAP authentication - I created!

Postby cenic » 02.05.2009, 00:55

So with the changes away from the admin flag to the user role system a few more modifications were needed to get this to work. For the sake of anyone else looking I've posted the complete login function below for LDAP integration.
Code:
function login($user, $pass)
{
    // An empty password would turn the LDAP bind below into an anonymous
    // bind that many servers accept, so reject it together with an empty user.
    if (!$user || $pass == '')
    {
        return false;
    }

    // ---------------- Start of LDAP authentication code ----------------
    $auth_type = "ldap"; // Possible values: ldap | mysql
    $ldap_server = "od.blah.org";
    $base_dn = "dc=od,dc=blah,dc=org";

    if ($auth_type == "ldap")
    {
        if ($connect = @ldap_connect($ldap_server)) // if connected to ldap server
        {
            ldap_set_option($connect, LDAP_OPT_PROTOCOL_VERSION, 3);

            // bind to ldap connection (anonymous bind)
            if (($bind = @ldap_bind($connect)) == false)
            {
                print "bind:__FAILED__<br>\n";
                return false;
            }

            // search for user; escape LDAP filter metacharacters in $user (RFC 4515),
            // backslash first so the other escapes are not re-escaped
            $filter_user = str_replace(array('\\', '*', '(', ')', "\0"),
                                       array('\5c', '\2a', '\28', '\29', '\00'), $user);
            if (($res_id = ldap_search($connect, $base_dn, "uid=$filter_user")) == false)
            {
                print "failure: search in LDAP-tree failed<br>";
                return false;
            }

            // verify if there is only one entry of this user:
            if (ldap_count_entries($connect, $res_id) > 1)
            {
                print "failure: user $user found more than once<br>\n";
                return false;
            }
            elseif (ldap_count_entries($connect, $res_id) == 1)
            {
                if (($entry_id = ldap_first_entry($connect, $res_id)) == false)
                {
                    print "failure: entry of search result couldn't be fetched<br>\n";
                    return false;
                }

                if (($user_dn = ldap_get_dn($connect, $entry_id)) == false)
                {
                    print "failure: user-dn couldn't be fetched<br>\n";
                    return false;
                }

                /* Authenticate the user by binding with his own DN and password */
                if (($link_id = ldap_bind($connect, $user_dn, $pass)) == false)
                {
                    print "failure: username, password didn't match: $user_dn<br>\n";
                    return false;
                }

                // verify if user is already registered at database
                // ($user is still unescaped at this point, so escape it for the query):
                $sql_user = mysql_real_escape_string($user);
                $sel0 = mysql_query("SELECT ID,pass FROM user WHERE name = '$sql_user'");
                $chk = mysql_fetch_array($sel0);

                // if user already exists, just keep the password updated
                // (the database stores sha1($pass), see the database auth below):
                if ($chk["ID"] != "")
                {
                    if ($chk["pass"] != sha1($pass))
                    {
                        $this->admin_editpass($chk["ID"], $pass, $pass);
                    }
                }
                // if user isn't registered at database yet, add the user right now:
                else
                {
                    $newid = $this->add($user, /*$email*/"", 0, $pass, /*$admin*/1, /*$sysloc*/"");
                }
                unset($chk);
                // Now the database is updated the system can try the normal database auth
            }
            @ldap_close($connect);
        }
    }
    // ---------------- End of LDAP authentication code ------------------

    $user = mysql_real_escape_string($user);
    $pass = mysql_real_escape_string($pass);
    $pass = sha1($pass);
    $sel1 = mysql_query("SELECT ID,name,locale,lastlogin FROM user WHERE name = '$user' AND pass = '$pass'");
    $chk = mysql_fetch_array($sel1);
    if ($chk["ID"] != "")
    {
        $rolesobj = new roles();
        $now = time();
        $_SESSION["userpermissions"] = $rolesobj->getUserRole($chk["ID"]);
        $_SESSION['userid'] = $chk['ID'];
        $_SESSION['username'] = stripslashes($chk['name']);
        $_SESSION['adminstate'] = $chk['admin'];
        $_SESSION['lastlogin'] = $now;
        $_SESSION['userlocale'] = $chk['locale'];
        session_register('userid');
        session_register('username');
        session_register('adminstate');
        session_register('lastlogin');
        session_register('userlocale');
        $userid = $_SESSION['userid'];
        $seid = session_id();
        $staylogged = getArrayVal($_POST, 'staylogged');

        if ($staylogged == 1)
        {
            setcookie("PHPSESSID", "$seid", time() + 14 * 24 * 3600);
        }
        $upd1 = mysql_query("UPDATE user SET lastlogin = '$now' WHERE ID = $userid");
        return true;
    }
    else
    {
        return false;
    }
}

cenic
 
Posts: 6
Joined: 28.04.2009, 20:20

Re: LDAP authentication - I created!

Postby Philipp » 08.05.2009, 17:12

fry wrote: It seems that the mysql insert isn't working into the user table. I have looked at the user table and my ldap user isn't in there after authenticating.

I guess this is because the interface of user::add has changed since this was created.
Philipp
Site Admin
 
Posts: 1118
Joined: 14.12.2007, 03:06
Location: Saarbrücken, germany

Re: LDAP authentication - I created!

Postby Gingah » 08.05.2009, 17:53

fry wrote: I can't seem to get this to work.

I wouldn't worry, as Philipp said further up in the thread, he is already planning to implement this in a future release.
Gingah
Contributor
 
Posts: 19
Joined: 30.03.2009, 19:28

Re: LDAP authentication - I created!

Postby Philipp » 08.05.2009, 18:51

I guess I should just wrap this into a method of class user :)

I admit I have not spent much time on this since it was created.
Mainly because I don't have an LDAP setup running for testing.

Meanwhile I would suggest doing it like this:

First rename the function presented here to ldap_login
Code:
function ldap_login($user, $pass)


Put it in /include/class.user.php

Then open login.tpl, and add a checkbox named "ldap"
Code:
<div class="row">
    <label for="ldap"><span>LDAP</span></label>
    <input type="checkbox" name="ldap" id="ldap" value="1" />
</div>


This won't look too pretty, but it will do ;)
(You can style it with CSS, if you like.)

Then open manageuser.php, go to line 65, and get the value of the checkbox like this:
Code:
$ldap = getArrayVal($_POST, "ldap");


Then go to line 106 and change
Code:
if ($user->login($username, $pass))
{
    $loc = $url . "index.php?mode=login";
    header("Location: $loc");
}


to

Code:
if ($ldap)
{
    $normal_login = $user->ldap_login($username, $pass);
}
else
{
    $normal_login = $user->login($username, $pass);
}
if ($normal_login)
{
    $loc = $url . "index.php?mode=login";
    header("Location: $loc");
}


This way you can choose on each login if you want to use LDAP login.
Hope this helps, haven't tested it though :)
Philipp
Site Admin
 
Posts: 1118
Joined: 14.12.2007, 03:06
Location: Saarbrücken, germany

Re: LDAP authentication - I created!

Postby snake-bis » 02.11.2009, 16:07

Loki wrote:Great Job. Thanks for sharing. Hope LDAP for Active Directory come soon.
Greetings
Peter


Works fine with AD LDAP. You just need to (I used the last code from above)

change:
Code:
($res_id = ldap_search( $connect, $base_dn, "mailNickName=$user")

to
Code:
($res_id = ldap_search( $connect, $base_dn, "samaccountname=$user")

For the login DN use:

Code:
$ldapbinduser = 'domain\username'; // put username here


Remember also to create a dummy account with restricted rights to your AD and add it to the LDAP tree using "adsiedit.msc"
snake-bis
 
Posts: 3
Joined: 02.11.2009, 16:00
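As an added example (not code from this thread or from the project itself), here is a complete search-then-bind routine that combines the points raised in the posts above: mloeffen's bind with a restricted service account for directories that refuse anonymous lookups, the single-match check from cenic's login function, and snake-bis's sAMAccountName attribute for Active Directory. The function names, the $login_attr parameter and the filter-escaping helper are my own; the routine refuses an empty password because ldap_bind() treats that as an anonymous bind.

```php
<?php
// Escape one value for use inside an LDAP search filter (RFC 4515).
// Backslash is replaced first so the other escapes are not re-escaped.
function ldap_filter_value($value)
{
    return str_replace(array('\\', '*', '(', ')', "\0"),
                       array('\5c', '\2a', '\28', '\29', '\00'), $value);
}

// Search-then-bind: look the user up with a restricted service account,
// then bind as the user's own DN to prove the password.
// Returns the user's DN on success, false on any failure.
function ldap_authenticate($server, $base_dn, $bind_dn, $bind_pw,
                           $login_attr, $user, $pass)
{
    // ldap_bind() with an empty password is an anonymous/unauthenticated
    // bind, which many servers accept, so refuse it before going to the server.
    if ($user === '' || $pass === '') {
        return false;
    }
    $conn = ldap_connect($server);
    ldap_set_option($conn, LDAP_OPT_PROTOCOL_VERSION, 3);
    ldap_set_option($conn, LDAP_OPT_REFERRALS, 0); // AD: do not chase referrals
    // Service-account bind: AD normally rejects anonymous searches.
    if (!@ldap_bind($conn, $bind_dn, $bind_pw)) {
        ldap_close($conn);
        return false;
    }
    // Escape the user-supplied value; never interpolate it raw into the filter.
    $filter = '(' . $login_attr . '=' . ldap_filter_value($user) . ')';
    // "1.1" requests no attributes; the DN is always returned with each entry.
    $res = @ldap_search($conn, $base_dn, $filter, array('1.1'));
    // Exactly one match is required; zero or several means "no such user".
    if ($res === false || ldap_count_entries($conn, $res) !== 1) {
        ldap_close($conn);
        return false;
    }
    $user_dn = ldap_get_dn($conn, ldap_first_entry($conn, $res));
    // Bind as the user; only a successful bind proves the password.
    $ok = @ldap_bind($conn, $user_dn, $pass);
    ldap_close($conn);
    return $ok ? $user_dn : false;
}
```

Call it with 'sAMAccountName' as $login_attr for Active Directory or 'uid' for an OpenLDAP-style tree, and run the database sync from the login function only when it returns a DN.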
