MS Active Directory Integration

Help
Frank Hill
2006-06-22
2013-04-25
  • Frank Hill
    2006-06-22

    I've just discovered this project and am very enthusiastic.  I am working to implement this in an MS 2003 server environment for an IT group of 3, w/ 400 clients and about 150 workstations.  Being able to populate the users from AD is an obvious plus.  I don't have enough background in LDAP to follow the notes in the inc/settings.ini.  Could someone post an example, please?

    Many Thanks,
    Frank Hill

     
    • Nick Vrtis
      2006-08-25

      Frank,

      The code doesn't populate the Employee table.  It is so you can check the login against AD.  There is a SourceForge project, http://adldap.sourceforge.net/, that has some source code that is very useful.  It has some pretty good examples on how to get data out of AD and into a PHP script.

      I have used it in another project with Active Directory.  I haven't bothered updating tables from AD yet, but I did write some code that compares what is in the project management system against Active Directory.

      Nick

       
    • eworcnella
      2006-11-30

      I've been having difficulty getting logins working with AD.
      When I try to login using my domain username and password I get a blank screen and the url shows I'm on "http://localhost/openit/loginauth.php".

      I have nested OU's in active directory for the users, and suspect my settings/syntax for the "context" field are not correct:

      login_type = ldap
      login_field = text
      server = pqadc1.pqa.ca
      context = "OU=PQA,OU=Users,OU=IT-AdminDC=pqadc1"
      loginfield = cn
      usedummy = false
      truelogin = "distinguishedname"

      My OU setup in Active Directory:
      PQA -> Users -> IT-Admin
                   -> Department A
                   -> Department B
      PQA -> Computers -> Servers
                       -> etc

      Does anyone have a sample of a settings.ini file that works with AD?

       
    • lucas
      2006-12-11

      I have the same problem. I've nested the OUs so it is easier for the administrator to create users and add GPOs. I can't set the right context, and every time I try to log on I get the message: "User Not Found".
      Did you find a solution?

      Thanks!
      Martin

       
    • 50watt
      2006-12-13

      The following setup is working here with a w2k3 AD server:

      login_type = ldap
      login_field = text
      server = dcsw02.abc.xyz.net (=my Domain controller name)
      context = "OU=myOUName, DC=abc, DC=xyz, DC=net"
      loginfield = cn
      usedummy = true
      truelogin = "distinguishedname"
      dummylogin    = abc\someUserName
      dummypassword = someUserNamePassword

      Login with: username (not domain\username) and password

      If you use login_type = spnego, fill in domainname\username in the middle initial field of the users

      Best regards
      Dieter

       
      • 50watt
        2006-12-13

        login_type = ldap did not work for me with usedummy = false

        With the attached patch for login/auth_ldap.php it is working for me now no matter if I set usedummy to false or to true.
        If I set usedummy = false I have to login with username: domain\username
        If I set usedummy = true I have to login with username: username

        HTH
        Dieter

        Index: ldap_auth.php

        --- ldap_auth.php    (revision 481)
        +++ ldap_auth.php    (working copy)
        @@ -58,11 +58,12 @@
             }
           } else {
             //If no dummy account is used, bind using the entered username and password
        -    $bd = @ ldap_bind($ad, $login_name, $_POST['Password']);
        +    $bd = @ ldap_bind($ad, $login_name, $_POST['Password']) or die('LDAP login for '.$login_name.' failed.');
             if ($bd) {
               //if this bind is successful, grab the email address to match
        -      //the user up with the OpenIT user in the DB
        -      $sr = ldap_search($ad, $settings['LDAP']['context'], '('.$settings['LDAP']['loginfield'].'='.$login_name.')');
        +      //the user up with the OpenIT user in the DB. To do so we need the username without the domain name ...
        +      $login_name_without_domain = substr($login_name,1 + strpos($login_name,"\\"));
        +      $sr = ldap_search($ad, $settings['LDAP']['context'], '('.$settings['LDAP']['loginfield'].'='.$login_name_without_domain.')');
               $entries = ldap_first_entry($ad, $sr);
               // to avoid a php error if there is no "mail" attribute
               if (array_search('mail', ldap_get_attributes($ad, $entries))) {
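        Review bot: the `+      $login_name_without_domain = substr($login_name,1 + strpos($login_name,"\\"));` line misbehaves when the typed name carries no domain prefix: strpos() returns false, `1 + false` is 1, and substr() silently drops the first character, so a plain `blackmob` is searched for as `lackmob` and the user is reported not found. Test for the separator first, e.g. `$pos = strpos($login_name, "\\"); $login_name_without_domain = ($pos === false) ? $login_name : substr($login_name, $pos + 1);`. On the `+    $bd = @ ldap_bind(...) or die(...)` line, die() prints the raw user-typed login name into the response (escape it with htmlspecialchars() if it must be shown) and aborts before any failure handling that follows `if ($bd)` can run, so that path becomes unreachable; report the failure through the module's normal error path instead. The rebuilt ldap_search() filter on the last `+` line still interpolates the user-supplied value unescaped, so a name containing `*`, `(`, `)` or `\` rewrites the filter (`*` alone matches every entry under the context); escape those characters (ldap_escape() with LDAP_ESCAPE_FILTER on PHP 5.6 and later, or the equivalent by hand) before building the filter.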

         
    • > When I try to login using my domain username and password
      > I get a blank screen and the url shows I'm on
      > "http://localhost/openit/loginauth.php".

      I have the same problem. I am new to LDAP and to Active Directory, and I am not sure I am even connecting to Active Directory, much less logging into it. I have many questions.

      How does one log in as the default administrator if the site is set up to validate through LDAP?

      How does one test whether one is even connecting to the Active Directory server at all, much less logging into it successfully?

      How does one figure out the correct values to place in the "context" (aka organizational unit) setting?

      How does one figure out the correct values to place in the "dummylogin" setting?

      If I had a way to *test* the connection, and get something other than a blank page, then I would have something to work on. As it is, I am poking and prodding and changing things and I have no way to know whether I am making things better or worse.

      I would really appreciate some advice from someone who understands how Active Directory works and who has managed to get OpenIT's LDAP authentication to work with Active Directory.

      Help, please?

       
      • Nick Vrtis
        2007-07-01

        Hi bblackmoor,

        See this note about Blank Pages from a previous problem...

        "Well, I finally figured it out. It was a permission problem on the session folder. Once I gave the IUSER_xxxxx account access to the temporary folder everything worked just fine. Thanks for trying to help. "

        I don't know what you are running on.  But blank pages usually means that there is a deeper problem than AD/LDAP.

        Can you give me some information on what you are running this on?

        Does it work if you go back to normal DB authorization?  Once we get that working, then we can start with AD.  There are a lot of moving parts.  I have most of a rewrite done of the LDAP modules.  But it still requires a fair amount of setup and Microsoft incantations.

        Nick

         
        • I am running OpenIT on a Fedora 7 server, running Apache 2 and PHP 5.

          DB login works fine.

          I have no idea what to do to try and get LDAP working. I listed a bunch of questions in my previous message. Having answers to those questions would help me a great deal.

           
          • Nick Vrtis
            2007-07-02

            Good, at least we know the basic system is working.

            Not sure why you are getting a completely blank page back.  The module is set up to give error messages if it fails.

            Here are some answers to your questions..:

            "How does one log in as the default administrator if the site is set up to validate through LDAP?" You can only do this if "Default Administrator" is defined as a valid user in LDAP.  And you MUST enter a password.  If you are using the dropdown list type login, try selecting default administrator and not entering a password.  You should get an error message that says it is missing.
             
            "How does one test whether one is even connecting to the Active Directory server at all, much less logging into it successfull? "
            The program is set to issue a "die" if it cannot connect to the Active Directory server.  This is pretty early in the process, so if you are getting the error message from above, and now enter a password, then you are probably getting a connection of some sort.
             
            "How does one figure out the correct values to place in the "context" (aka organizational unit) setting? "
            Generally you ask your Windows administrator... but normally, if your domain is mycompany.com, then context would be "DC=mycompany, DC=com"
             
            "How does one figure out the correct values to place in the "dummylogin" setting? "
            Again... ask your Windows administrator... for a user id and password that has the authority to browse the directory.  Basically the system "logs in" with this ID and then does a search of the directory for the (generally) 'CN=firstname lastname'

            Nick
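
The two-step check that Dieter's working settings and Nick's answers describe, as an added Python example that is not OpenIT's code: bind with the dummy (service) account, search the context for the typed name, then bind again as the DN that came back (truelogin = distinguishedname). It runs against a constructed in-memory directory, so nothing touches a real domain controller; the entries, passwords and the svc-openit account are made up, and loginfield is set to sAMAccountName here as an assumption (the thread uses cn, which only works when the CN equals what the user types). Two behaviours of a real domain controller are copied into the stand-in because the checks depend on them: a simple bind with an empty password is accepted as an anonymous bind, which is why Nick says a password MUST be entered, and a raw `*` in a filter value matches every entry, which is why the typed name is escaped before it goes into the filter (the posted patch does not do this).

```python
# Added example (not OpenIT code): the dummy-bind / search / re-bind logon flow
# described in this thread, run against a constructed in-memory directory.
import re

class LdapError(Exception):
    pass

def escape_filter_value(value):
    """RFC 4515 escaping, so a typed name cannot change the filter
    (an unescaped '*' would match every entry under the context)."""
    return ''.join('\\%02x' % ord(c) if c in '\\*()\x00' else c for c in value)

def strip_domain(login_name):
    """'PMUSA\\blackmob' -> 'blackmob'; a bare 'blackmob' is returned unchanged."""
    return login_name.rpartition('\\')[2]

def build_login_filter(loginfield, login_name):
    """The '(loginfield=name)' filter the module searches the context with."""
    return '(%s=%s)' % (loginfield, escape_filter_value(strip_domain(login_name)))

def _unescape(value):
    return re.sub(r'\\([0-9a-fA-F]{2})', lambda m: chr(int(m.group(1), 16)), value)

class FakeDirectory:
    """Constructed stand-in for a domain controller: {dn: (attributes, password)}.
    It copies two real AD behaviours the logon logic depends on: a simple bind
    with an empty password succeeds as an anonymous bind, and 'DOMAIN\\sam' is
    accepted as a bind name."""
    def __init__(self, entries):
        self.entries = entries

    def _resolve(self, name):
        if '\\' not in name:
            return name                                   # already a DN
        sam = strip_domain(name).lower()
        for dn, (attrs, _) in self.entries.items():
            if attrs.get('sAMAccountName', '').lower() == sam:
                return dn
        raise LdapError('no account named %s' % name)

    def bind(self, name, password):
        if password == '':
            return 'anonymous'            # the trap behind "you MUST enter a password"
        dn = self._resolve(name)
        if dn in self.entries and self.entries[dn][1] == password:
            return 'authenticated'
        raise LdapError('invalid credentials for %s' % name)

    def search(self, base, ldap_filter):
        """Equality filters only; a raw '*' is a wildcard, '\\2a' a literal star."""
        m = re.match(r'^\((\w+)=(.*)\)$', ldap_filter)
        if not m:
            raise LdapError('unsupported filter %r' % ldap_filter)
        attr, raw = m.group(1).lower(), m.group(2)
        pattern = re.compile('^' + '.*'.join(re.escape(_unescape(p))
                             for p in raw.split('*')) + '$', re.IGNORECASE)
        base = base.lower()
        return [dn for dn, (attrs, _) in self.entries.items()
                if (dn.lower() == base or dn.lower().endswith(',' + base))
                and pattern.match(next((v for k, v in attrs.items()
                                        if k.lower() == attr), ''))]

def ldap_login(directory, settings, login_name, password):
    """usedummy=true: bind as the dummy account, search the context for the typed
    name, then (truelogin=distinguishedname) bind as the DN found, with the
    user's password.  usedummy=false: bind as DOMAIN\\user first, then search."""
    if not password:
        raise LdapError('password required')      # otherwise the bind is anonymous
    if settings['usedummy']:
        directory.bind(settings['dummylogin'], settings['dummypassword'])
    else:
        directory.bind(login_name, password)
    matches = directory.search(settings['context'],
                               build_login_filter(settings['loginfield'], login_name))
    if len(matches) != 1:
        raise LdapError('User Not Found' if not matches else 'login name is not unique')
    if settings['truelogin'] == 'distinguishedname':
        directory.bind(matches[0], password)
    return matches[0]

# Constructed directory modelled on the nested-OU layouts in this thread.
DIRECTORY = FakeDirectory({
    'CN=svc-openit,OU=Service Accounts,DC=abc,DC=xyz,DC=net':
        ({'cn': 'svc-openit', 'sAMAccountName': 'svc-openit'}, 'S3rv1ce!'),
    'CN=Dieter Example,OU=IT-Admin,OU=Users,OU=myOUName,DC=abc,DC=xyz,DC=net':
        ({'cn': 'Dieter Example', 'sAMAccountName': 'dieter'}, 'Pa55word'),
    'CN=Dept A User,OU=Department A,OU=Users,OU=myOUName,DC=abc,DC=xyz,DC=net':
        ({'cn': 'Dept A User', 'sAMAccountName': 'deptauser'}, 'Other1'),
})
SETTINGS = {                              # the settings.ini [LDAP] keys, as a dict
    'context': 'OU=myOUName,DC=abc,DC=xyz,DC=net',
    'loginfield': 'sAMAccountName',       # the thread uses cn; any attribute works
    'usedummy': True,
    'truelogin': 'distinguishedname',
    'dummylogin': 'abc\\svc-openit',
    'dummypassword': 'S3rv1ce!',
}
```

With usedummy = false the first bind is made with the name exactly as typed, so the DOMAIN\user form Dieter reports is required (a bare name is not a DN and the bind fails); with usedummy = true the service account binds and the user types only the bare name. `ldap_login(DIRECTORY, SETTINGS, 'dieter', 'Pa55word')` returns the Dieter Example DN, an empty password or a typed `*` raises LdapError instead of slipping through.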

             
            • "Not sure why you are getting a completely blank page back. The module is set up to give error messages if it fails."

              Yes, well, it would be helpful if it did. But I am not the first person to report a blank loginauth.php page, so let's work on that: what do you suggest I do in order to get some kind of error message?

               
    • Here is some information about my current settings:

      login_type = ldap
      login_field = text
      server = pmurdegcp01.pmusa.net
      context = "DC=pmusa,DC=net"
      loginfield = cn
      usedummy = true
      truelogin = "distinguishedname"
      dummylogin    = pmusa\blackmob
      dummypassword = XXXXXXXX

      I then try to log in as "blackmob" with my password (XXXXXXXX above), and I get the blank white page of loginauth.php.

      FYI, there really are no Windows admins here to help me with this. I am on my own to try and figure this out.

       
    • Here is the output of the UserName command from joeware.net:

      set UN-DN=CN=Blackmoor\, Brandon,OU=Non-Employees,OU=Users,OU=Users and Workstations,OU=PMUSA,DC=pmusa,DC=net
      set UN-SAM=PMUSA\blackmob
      set UN-UniqueID={f35e4550-96e3-4ec4-bdaa-47aa5f185463}
      set UN-UPN=Brandon.Blackmoor@pmusa.net

      I have tried logging into OpenIT as both "blackmob" and as "Blackmoor, Brandon".

      Both attempts result in a blank white page of loginauth.php
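
Working out the context value from the pieces that appear in this thread (an OU tree as the Users and Computers console shows it, a DNS domain, or the UN-DN line from joeware's UserName above), as an added Python example that is not OpenIT's code and uses only the standard library. It also checks a context string for the two slips posted earlier in the thread: a dropped comma that runs two components together (OU=IT-AdminDC=pqadc1) and a missing domain suffix. A DN is written leaf first, so the tree PQA -> Users -> IT-Admin becomes OU=IT-Admin,OU=Users,OU=PQA, and the DC= parts name the DNS domain (pqa.ca, assuming the domain matches the pqadc1.pqa.ca server name), not the domain controller's host name. The UN_DN constant is the value from the UserName output in the post above; the other inputs in the functions' docstrings are illustrative.

```python
# Added example (not OpenIT code): build and check the settings.ini 'context'
# value for the Active Directory layouts discussed in this thread.

def escape_rdn_value(value):
    """RFC 4514 escaping of one attribute value inside a DN."""
    out = []
    for i, ch in enumerate(value):
        if (ch in ',+"\\<>;=' or (ch == '#' and i == 0)
                or (ch == ' ' and i in (0, len(value) - 1))):
            out.append('\\' + ch)
        else:
            out.append(ch)
    return ''.join(out)

def build_context(domain, ou_path):
    """ou_path is the OU tree top-down, as the Users and Computers console
    shows it (['PQA', 'Users', 'IT-Admin']); a DN names the leaf first,
    so the OUs are reversed and the DNS domain becomes the DC= components."""
    rdns = ['OU=' + escape_rdn_value(ou) for ou in reversed(ou_path)]
    rdns += ['DC=' + label for label in domain.split('.')]
    return ','.join(rdns)

def split_dn(dn):
    """Split a DN on unescaped commas, so 'CN=Blackmoor\\, Brandon' stays whole."""
    rdns, cur, i = [], [], 0
    while i < len(dn):
        if dn[i] == '\\' and i + 1 < len(dn):      # keep the escape pair intact
            cur.append(dn[i:i + 2])
            i += 2
            continue
        if dn[i] == ',':
            rdns.append(''.join(cur).strip())
            cur = []
        else:
            cur.append(dn[i])
        i += 1
    rdns.append(''.join(cur).strip())
    return rdns

def parent_dn(dn):
    """The container holding the entry: the narrowest context that still finds it."""
    return ','.join(split_dn(dn)[1:])

def domain_context(dn):
    """Only the DC= components: the widest context (Nick's 'DC=mycompany, DC=com')."""
    return ','.join(r for r in split_dn(dn) if r.upper().startswith('DC='))

def context_contains(context, dn):
    """True when dn is at or below context (case-insensitive, spaces after commas ignored)."""
    c = [r.lower() for r in split_dn(context)]
    d = [r.lower() for r in split_dn(dn)]
    return len(d) >= len(c) and d[len(d) - len(c):] == c

def context_problems(context):
    """Spot the slips seen in this thread: a component that is not type=value,
    an unescaped '=' inside a value (a comma was dropped), or no DC= suffix."""
    problems = []
    rdns = split_dn(context)
    for rdn in rdns:
        typ, sep, val = rdn.partition('=')
        if not sep or not typ or not val:
            problems.append('component %r is not type=value' % rdn)
        elif '=' in val.replace('\\=', ''):
            problems.append('unescaped "=" in %r: a comma is missing before a DC= part' % rdn)
    if not any(r.upper().startswith('DC=') for r in rdns):
        problems.append('no DC= components: the domain suffix is missing')
    return problems

# The UN-DN line from the joeware UserName output quoted in the post above.
UN_DN = ('CN=Blackmoor\\, Brandon,OU=Non-Employees,OU=Users,'
         'OU=Users and Workstations,OU=PMUSA,DC=pmusa,DC=net')

if __name__ == '__main__':
    print(build_context('pqa.ca', ['PQA', 'Users', 'IT-Admin']))
    print(parent_dn(UN_DN))
    print(context_problems('OU=PQA,OU=Users,OU=IT-AdminDC=pqadc1'))
```

For the UN-DN above, `parent_dn` gives the narrowest context that still finds that one user, and `domain_context` gives the "DC=pmusa,DC=net" value already tried in this thread; any context between the two also works, as `context_contains` confirms.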

       
    • I have also tried logging in as "PMUSA\blackmob" and "Brandon.Blackmoor@pmusa.net".

      Same result.

       
    • I have tried changing the context setting to:

      context = "OU=PMUSA,DC=pmusa,DC=net"

      Same result.

       
    • Hey, I have a new question: if you can only log in as an administrator if there is already a "Default Administrator" account in Active Directory, but there is no such user in Active Directory, then how can you administer the app and grant permissions and so forth if you are using LDAP authentication?

      Does this mean that you can only administer OpenIT using LDAP if you also have access to create accounts in Active Directory? (I don't, FYI - I am just a user as far as the Windows side of the IT department is concerned.)

       
    • I have confirmed that PHP can reach the AD server, by running a php script that pings the server:

      Ping Output:

      PING pmurdegcp01.pmusa.net (10.65.66.136) 56(84) bytes of data.
      64 bytes from pmurdegcp01.pmusa.net (10.65.66.136): icmp_seq=1 ttl=124 time=0.379 ms
      64 bytes from pmurdegcp01.pmusa.net (10.65.66.136): icmp_seq=2 ttl=124 time=0.435 ms
      64 bytes from pmurdegcp01.pmusa.net (10.65.66.136): icmp_seq=3 ttl=124 time=0.439 ms
      64 bytes from pmurdegcp01.pmusa.net (10.65.66.136): icmp_seq=4 ttl=124 time=0.417 ms

      --- pmurdegcp01.pmusa.net ping statistics ---
      4 packets transmitted, 4 received, 0% packet loss, time 2999ms
      rtt min/avg/max/mdev = 0.379/0.417/0.439/0.031 ms

       
    • I have also checked that I can reach the Active Directory port (389):

      [root@pmlampdev php-5.2.3]# telnet pmurdegcp01.pmusa.net 389
      Trying 10.65.66.136...
      Connected to pmurdegcp01.pmusa.net.
      Escape character is '^]'.

       
      After an extensive search, I discovered that PHP needs to be compiled with LDAP support (--with-ldap). This option is NOT enabled by default. So I recompiled PHP, and lo and behold, I now get error messages! This is a huge step forward!

      So: if you get a blank screen after trying to log in with LDAP authentication in OpenIT, make sure PHP has been compiled with the --with-ldap option.