
LDAP authentication - I created!

You want to see a new feature?

Re: LDAP authentication - I created!

Postby api984 » 11.09.2013, 08:25

Hi,

I had a little trouble setting up LDAP so I made some changes to your code:

 function ldap_login($user, $pass)
    {
        global $conn;

         if (!$user)
        {
            return false;
        }

        // ---------------- Start of LDAP authentication code ----------------
        $auth_type="ldap"; // Possible values: ldap | mysql
        $ldap_server="yourserver.local";
        $base_dn="OU=Users,OU=MyBusiness,dc=<domain>,dc=local";
        $ldap_user = "ldapuser"; //dont use domain admin
        $ldap_pass = "ldappass";

        if ($auth_type == "ldap"){
                if($connect=@ldap_connect($ldap_server)){ // if connected to ldap server
                        ldap_set_option($connect, LDAP_OPT_PROTOCOL_VERSION, 3);

                        // bind to ldap connection
                        if(($bind=@ldap_bind($connect,$ldap_user,$ldap_pass)) == false){
                                print "bind:__FAILED__<br>\n";
                                return false;
                        }

                        // search for user - WindowsServer samaccountname, openldap (uid or similar unique attribute)
                        if (($res_id = ldap_search( $connect, $base_dn, "samaccountName=$user")) == false) {
                                print "failure: search in LDAP-tree failed<br>";
                                return false;
                        }

                        // verify if there is only one entry of this user:
                        if (ldap_count_entries($connect, $res_id) > 1) {
                                print "failure: user $user found more than once<br>\n";
                                return false;
                        }
                        elseif (ldap_count_entries($connect, $res_id) == 1){
                                if (( $entry_id = ldap_first_entry($connect, $res_id))== false) {
                                        print "failur: entry of searchresult couln't be fetched<br>\n";
                                        return false;
                                }

                                if (( $user_dn = ldap_get_dn($connect, $entry_id)) == false) {
                                        print "failure: user-dn coulnd't be fetched<br>\n";
                                        return false;
                                }

                                /* Authentifizierung des User */
                                //you can reconfigure testing strings to your needs
                                if (($link_id = ldap_bind($connect, $user_dn, $pass)) == false) {
                                        print "failure: username, password didn't match: $user_dn<br>\n";
                                        return false;
                                }

                                // verify if user is already registered at database:
                                $sel0 = $conn->query("SELECT ID,pass FROM user WHERE name = '$user'");

                                if($sel0 != FALSE) {   
                               
                                    $chk = $sel0->fetch();
                               
                                }else{
                                    //sets blank if not found in DB
                                    $chk = array("ID"=>"");

                                }

                                // if user already exists, just keep the password updated:
                                //Has to stay to keep LDAP password synced
                                if ($chk["ID"] != "")
                                {
                                        if ($chk["pass"] != $pass)
                                        {
                                                $this->admin_editpass($chk["ID"], $pass, $pass);
                                        }
                                }
                                // if user isn't registered at database yet, add the user right now:
                                else
                                {
                                         //Escape SQL INJection :D, still needs testing
                                         $user = mysql_real_escape_string($user);
                                         $pass = mysql_real_escape_string($pass);
                                       
                                        //Form user email by LDAP/DC logon and Insert record - CHANGE HERE FORMAT BELOW
                                        $newid = $this->add($user,$user."@emailaddress.xxx", "Company name d.o.o.", $pass, "en", "");
                                        $passw = sha1($pass);

                                        //Find this added user and add roles - ADDs a user as role User (not client)
                                        $IDsel = $conn->query("SELECT ID FROM user WHERE name =\"".$user."\" AND pass =\"".$passw."\" LIMIT 1");
                                        $IDusr_ar = $IDsel->fetch();

                                        $ID_user = $IDusr_ar["ID"];
                                        $SetRole = $conn->query("INSERT INTO roles_assigned VALUES (0,$ID_user,2)");                     
                                }
                                unset($chk);
                                // Now the database is updated the system can try the normal database auth
                        }
                        @ldap_close($connect);
                }
        }
        // ---------------- End of LDAP authentication code ------------------

        $user = mysql_real_escape_string($user);
        $pass = mysql_real_escape_string($pass);
       
        $passw = sha1($pass);
       
        //echo "<p>".$user;
        //echo "<p>".$passw;

            //error_reporting(E_ALL);

        $sel1 = $conn->query("SELECT ID,name,pass,locale,lastlogin FROM user WHERE name =\"".$user."\" AND pass =\"".$passw."\" LIMIT 1");
        $chk2 = $sel1->fetch(); //this variable could use error escape also if 0 results

        //var_dump($sel1);
        //var_dump($chk2);
       
        if ($chk2["ID"] != "")
        {
            $rolesobj = new roles();
            $now = time();
            $_SESSION["userpermissions"] = $rolesobj->getUserRole($chk2["ID"]);
            $_SESSION['userid'] = $chk2['ID'];
                    $_SESSION['username'] = stripslashes($chk2['name']);
            $_SESSION['adminstate'] = $chk2['admin'];
            $_SESSION['lastlogin'] = $now;
            $_SESSION['userlocale'] = $chk2['locale'];
            session_register('userid');
            session_register('username');
            session_register('adminstate');
            session_register('lastlogin');
            session_register('userlocale');
            $userid = $_SESSION['userid'];
            $seid = session_id();
            $staylogged = getArrayVal($_POST, 'staylogged');

            if ($staylogged == 1)
            {
                setcookie("PHPSESSID", "$seid", time() + 14 * 24 * 3600);
            }
           
            $upd1 = $conn->query("UPDATE user SET lastlogin = '$now' WHERE ID = $userid");

            return true;
        }
        else
        {
            return false;
        }   

    }


- I also disabled the username change in userform.tpl and removed the SQL query with the variable name (the update query).
- Allowing admins to change the login name is not something I prefer to do.

Using the latest stable version, 1.7 I think.

Thank you for sharing LDAP auth. You have given me an idea of how to simply change some existing services to LDAP auth!
api984
 
Posts: 1
Joined: 11.09.2013, 08:15

Re: LDAP authentication - I created!

Postby Zakire » 01.01.2014, 18:47

I found a problem with the code. For some reason mysql_real_escape_string($var) won't work, so I just removed it (making it possible for a hacker to perform SQL injection?).
I also changed the LDAP-script a bit to support LDAP Groups (I want my users to be member of a specific group in order for login).
The script also inserts E-mail Address and Company from the directory.

Here is my LDAP-script (paste it just after if (!$user) { return false; } under function login in class.user.php):

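// ---------------- Start of LDAP authentication code ----------------
// Verifies $user/$pass against Active Directory, requires direct membership
// of $ldap_group and mirrors the account (e-mail and company taken from the
// directory entry) into the local `user` table, so that the normal database
// login that follows this block succeeds. On any directory-side failure it
// simply falls through to that database login, as the original did.
// NOTE(review): $conn is assumed to be a PDO instance (it is used as
// $conn->query()->fetch() elsewhere); prepared statements replace the
// mysql_real_escape_string() calls, which do nothing useful on a PDO handle
// and were reported not to work.
// NOTE(review): add()/admin_editpass() keep the directory password locally as
// an unsalted sha1 (see the `pass = sha1($pass)` lookup below).
$ldap_host = "server.domain.local"; //LDAP Server
$ldap_dn = "ou=Users,dc=domain,dc=local"; //DN to look for users in
$ldap_domain = "domain.local"; //LDAP domain
$ldap_group = "Domain Users"; //LDAP group user has to be member of
// NOTE(review): AD does not list a user's *primary* group (by default
// "Domain Users") in memberOf, so this default may only match users whose
// primary group was changed - TODO confirm the group used in production.

// An empty password must never reach ldap_bind(): the directory treats it
// as an anonymous (unauthenticated) bind, which succeeds, and whether the
// search and account sync below then run depends only on what anonymous
// searches the directory allows.
if ($pass === null || $pass === '') {
    return false;
}

//Connect to LDAP server
$ldap = ldap_connect($ldap_host);
$entries = false;
if ($ldap !== false) {
    // AD expects LDAPv3; PHP's default may still be v2.
    ldap_set_option($ldap, LDAP_OPT_PROTOCOL_VERSION, 3);

    //Verify username and password (ldap_bind() warns on bad credentials,
    //hence the @; a failed bind just falls through to the database login)
    if (@ldap_bind($ldap, $user . "@" . $ldap_domain, $pass)) {
        // RFC 4515 escaping so a crafted username cannot widen the search
        // (ldap_escape() does the same on PHP >= 5.6).
        $filter_user = str_replace(
            array('\\', '*', '(', ')', "\0"),
            array('\\5c', '\\2a', '\\28', '\\29', '\\00'),
            $user
        );
        $filter = "(sAMAccountName=" . $filter_user . ")";
        $attribute = array("memberof", "mail", "company");
        $result = ldap_search($ldap, $ldap_dn, $filter, $attribute);
        if ($result !== false) {
            $entries = ldap_get_entries($ldap, $result);
        }
    }
    ldap_unbind($ldap);
}

//Check if user is member of correct group (direct membership only - nested
//groups are not resolved). ldap_get_entries() adds a 'count' element to
//every attribute array, which the original loop fed to strpos(), and a
//plain strpos() also accepted any DN that merely *contains* the group name,
//so the first RDN (the CN) is compared exactly instead.
$in_group = false;
if ($entries !== false && $entries['count'] == 1 && isset($entries[0]['memberof'])) {
    foreach ($entries[0]['memberof'] as $key => $group_dn) {
        if ($key === 'count') {
            continue;
        }
        $rdn = ldap_explode_dn($group_dn, 1);
        if ($rdn !== false && isset($rdn[0]) && strcasecmp($rdn[0], $ldap_group) === 0) {
            $in_group = true;
            break;
        }
    }
}

if ($in_group) {
    //Verify if user is registered in database
    $chk = false;
    $sel0 = $conn->prepare("SELECT ID,pass FROM user WHERE name = ?");
    if ($sel0 !== false && $sel0->execute(array($user))) {
        $chk = $sel0->fetch();
    }

    if ($chk && $chk["ID"] != "") {
        //If user already exists - keep the local copy in sync with the
        //directory password. The table holds sha1($pass) (see the lookup
        //below); comparing the plaintext against it, as before, rewrote it
        //on every login. admin_editpass() presumably stores sha1() too -
        //TODO confirm.
        if ($chk["pass"] !== sha1($pass)) {
            $this->admin_editpass($chk["ID"], $pass, $pass);
        }
    } else {
        //If user isn't registered in database - add the user, taking e-mail
        //and company from the directory entry (empty when the attribute is
        //absent instead of an undefined-index warning)
        $company = isset($entries[0]['company'][0]) ? $entries[0]['company'][0] : '';
        $mail = isset($entries[0]['mail'][0]) ? $entries[0]['mail'][0] : '';

        $this->add($user, $mail, $company, $pass, "en", "");
        $passw = sha1($pass);

        //Find added user and add role 2 (add()'s return value is not relied
        //on because its contract is not visible here)
        $IDsel = $conn->prepare("SELECT ID FROM user WHERE name = ? AND pass = ? LIMIT 1");
        if ($IDsel !== false && $IDsel->execute(array($user, $passw))) {
            $IDusr_ar = $IDsel->fetch();
            if ($IDusr_ar && $IDusr_ar["ID"] != "") {
                $SetRole = $conn->prepare("INSERT INTO roles_assigned VALUES (0,?,2)");
                if ($SetRole !== false) {
                    $SetRole->execute(array($IDusr_ar["ID"]));
                }
            }
        }
    }
    unset($chk);
}

//Database is updated - system can try the normal database auth
// ---------------- End of LDAP authentication code ------------------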

The script is verified working with Active Directory and Collabtive version 1.1.
Zakire
 
Posts: 4
Joined: 01.01.2014, 18:06

Re: LDAP authentication - I created!

Postby G0n3r » 11.07.2014, 13:19

Sorry for my lame question, but what code do I really need?
I'm using v1.2 and I can't work out from this thread how to get Collabtive working with LDAP.
I can't see the first post, or understand all the files that need modification.

can someone please post or help?

very appreciated
G0n3r
 
Posts: 1
Joined: 10.07.2014, 18:33

Re: LDAP authentication - I created!

Postby georkame » 17.01.2015, 02:28

Has anyone successfully got this working with Collabtive Ver 2.0?

thx,
georkame
 
Posts: 27
Joined: 14.02.2011, 20:11

Re: LDAP authentication - I created!

Postby humanjoe » 09.02.2015, 19:01

georkame wrote:Has anyone successfully got this working with Collabtive Ver 2.0?

thx,



Have you tried to get the script working yet? I was going to try but was curious if anyone else has yet?
humanjoe
 
Posts: 2
Joined: 08.02.2015, 21:22

Re: LDAP authentication - I created!

Postby georkame » 27.02.2015, 21:32

I tried and I couldn't.
georkame
 
Posts: 27
Joined: 14.02.2011, 20:11

Re: LDAP authentication - I created!

Postby cortes-annecy » 02.01.2017, 12:45

Any plan to include it in Collabtive 3.0 ?
cortes-annecy
 
Posts: 3
Joined: 02.01.2017, 11:48
