
LDAP over SSL supported

Anonymous
2012-10-23
2013-06-12
  • Anonymous

    Anonymous - 2012-10-23

    I'm trying to set up LDAP authentication. Is LDAP over SSL supported? If so, how do you do it?

     
  • Anonymous

    Anonymous - 2013-01-10

    We also have this issue. OpenRoom was successfully installed, but our campus LDAP server requires LDAPS connections, so the out-of-the-box OpenRoom LDAP authentication does not work.

    • Michael Doran
      Systems Librarian
      University of Texas at Arlington
     
  • Anonymous

    Anonymous - 2013-01-10

    Update with more info.

    OpenRoom was successfully installed on Red Hat Enterprise Linux Server release 6.3 with up-to-date (patched as of January 2013) versions of the MySQL (v.5.1.66), Apache (v.2.2.15), PHP (v.5.3.3), OpenLDAP (v.2.4.23) packages. The install.php step showed an "all green" screen and no errors. The login method was configured for LDAP and the LDAP parameters for host and baseDN were supplied. When we initially tried to authenticate into OpenRoom, it failed with this error, "Can't contact LDAP server".

    The "Can't contact LDAP server" error message is consistent with the fact that the campus LDAP server does not allow unsecure LDAP connections, but instead requires secure LDAPS connections.  I know this from running the command line 'ldapsearch' utility.  Connections via ldapsearch with the same LDAP host and baseDN parameters configured for OpenRoom work if using the secure LDAPS protocol, but fail with the same "Can't contact LDAP server" error if using unsecure LDAP. Note that in addition to verifying that LDAP connections work on that server with the command line ldapsearch utility, we also have another PHP app on the same server that allows authentication via the campus LDAP server, using the secure LDAPS protocol.

    I dug a bit through the OpenRoom files and made some edits to the or-authenticate.php file.  I changed this:

      function AuthenticateUser($username, $password, $settings){
          $Host = $settings;

    …to this (i.e. I specified the ldaps protocol by prefacing it to the host parameter):

      function AuthenticateUser($username, $password, $settings){
          $Host = $settings;
          $Host = 'ldaps://' . $Host;

    Note that as our LDAP server is not Active Directory, I changed this:

          // search the Active Directory for username
          $result = @ldap_search($connection, $BaseDN, "sAMAccountname=" . $username);

    …to this (i.e. changed "sAMAccountname=" to "uid="):

          // search the Active Directory for username
          $result = @ldap_search($connection, $BaseDN, "uid=" . $username);

    After those changes, the good news was that when attempting to log in to OpenRoom I no longer got the "Can't contact LDAP server" error message. However, the bad news was that the login still failed, and gave the cryptic but encouraging error message, "Success".

    Any advice or suggestions on where to go from here would be greatly appreciated.

    • Michael Doran
      Systems Librarian
      University of Texas at Arlington
     
  • Anonymous

    Anonymous - 2013-01-11

    SOLVED.  OpenRoom login via LDAPS is working now.

    In addition to the two issues identified above (LDAP connection requiring the secure LDAPS rather than the LDAP protocol, and a non-Active-Directory LDAP server) there was an issue with our LDAP server not allowing for anonymous binds.  Once all three issues were addressed via code tweaks, logins worked.

    Below is a diff file showing all the changes we made to the as-distributed or-authenticate.php file.

    $ cd /var/www/html/openroom
    $ diff or-authenticate.php or-authenticate.php.dist
    40d39
    <         $Host = 'ldaps://' . $Host;
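    Review bot: this diff reads backwards for anyone who wants to apply it: `diff or-authenticate.php or-authenticate.php.dist` lists the edited file first, so the `<` lines here and in the hunks below are the additions, and `patch` would try to remove them. `diff -u or-authenticate.php.dist or-authenticate.php` gives a patch that applies as intended. Separately, prefixing `ldaps://` only moves the connection to port 636 with TLS; whether the server certificate is verified is decided by TLS_REQCERT in the OpenLDAP client config (/etc/openldap/ldap.conf on RHEL), so confirm it is not set to `never` before treating LDAPS as protection against a spoofed directory rather than just encryption on the wire.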
    42d40
    <         $dn = "uid=$username, $BaseDN";
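    Review bot: `$dn = "uid=$username, $BaseDN"` interpolates the submitted username into the bind DN with no validation or escaping, so a value containing DN special characters (`,`, `+`, `=`, `\`) changes which entry the bind targets. Validate the username against the character set a campus uid can actually contain before building the DN, or escape it (ldap_escape() with LDAP_ESCAPE_DN exists from PHP 5.6, not on the 5.3.3 in this thread). The line also assumes every account sits directly under $BaseDN; if the tree is deeper, search for the entry first and bind with the DN the search returns.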
    57,61d54
    <       if(!@ldap_bind($connection, $dn, $password))
    <       {
    <               throw new Exception(@ldap_error($connection), @ldap_errno($connection));
    <       }
    <
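    Review bot: the new bind block has no guard against an empty password. An LDAP bind with a DN and an empty password is an unauthenticated bind, which a server may treat as anonymous and accept, so if the directory ever permits that (or the application is pointed at one that does) a blank password would pass this check for any known uid. Add `if ($password === '') { throw new Exception('password required'); }` before the `ldap_bind` call so the application does not rely on server configuration for this.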
    63c56
    <       $result = @ldap_search($connection, $BaseDN, "uid=" . $username);
    --
    >       $result = @ldap_search($connection, $BaseDN, "sAMAccountname=" . $username);
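    Review bot: `"uid=" . $username` builds the search filter from user input; characters such as `*`, `(`, `)` and `\` alter the filter (a lone `*` turns it into a wildcard match). Since the bind in the previous hunk already proved the user's DN, the search can be replaced by `ldap_read($connection, $dn, '(objectClass=*)')`, which needs no user-supplied filter at all; if the search is kept, escape the value first (ldap_escape() with LDAP_ESCAPE_FILTER on PHP 5.6+, or a short str_replace of `\`, `*`, `(`, `)` and NUL to their `\xx` forms on 5.3).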

    • Michael Doran
      Systems Librarian
      University of Texas at Arlington
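    Pulling the three fixes from the SOLVED post (LDAPS, uid instead of sAMAccountName, a real bind instead of an anonymous one) together with the input checks the thread's tweaks leave out, here is a hardened stand-in for AuthenticateUser(). This is added example code, not OpenRoom's or Michael Doran's. It assumes an OpenLDAP directory whose user entries sit directly under the base DN, uses 'uid', 'cn' and 'mail' as attribute names, and takes host and base DN as parameters instead of reading them from $settings; the URI and base DN in the usage comment are placeholders.

```php
<?php
// Added example, not OpenRoom's own code: a hardened stand-in for the
// AuthenticateUser() edited in this thread. Host and base DN are passed in
// as parameters (the thread's version reads them from $settings); 'uid',
// 'cn' and 'mail' are assumed attribute names for an OpenLDAP directory
// (Active Directory would use sAMAccountName instead of uid).

function AuthenticateUserLdaps($username, $password, $host, $baseDN)
{
    // 1. Refuse empty credentials before touching the directory. A bind
    //    with a DN and an empty password is an "unauthenticated" bind
    //    (RFC 4513 section 5.1.2) that servers may accept as anonymous, so
    //    without this check a blank password could pass as any known uid.
    if (!is_string($username) || !is_string($password)
        || $username === '' || $password === '') {
        throw new Exception('username and password are required');
    }

    // 2. Accept only characters a campus uid can contain, so the username
    //    cannot change the meaning of the DN built in step 4. (ldap_escape()
    //    would be the alternative from PHP 5.6 on; the thread's server runs
    //    PHP 5.3.3.)
    if (!preg_match('/^[A-Za-z0-9._-]{1,64}$/', $username)) {
        throw new Exception('invalid username');
    }

    // 3. Connect over LDAPS (port 636). Whether the server certificate is
    //    verified is decided by TLS_REQCERT / TLS_CACERT in the OpenLDAP
    //    client config (/etc/openldap/ldap.conf on RHEL); keep TLS_REQCERT
    //    at 'demand', its default, so a spoofed server is rejected.
    $connection = ldap_connect('ldaps://' . $host . ':636');
    if ($connection === false) {
        throw new Exception('invalid LDAP URI');
    }
    ldap_set_option($connection, LDAP_OPT_PROTOCOL_VERSION, 3);
    ldap_set_option($connection, LDAP_OPT_REFERRALS, 0);

    // 4. Bind as the user. The campus server rejects anonymous binds, so
    //    this bind is the password check; a failure is reported, not ignored.
    $dn = 'uid=' . $username . ',' . $baseDN;
    if (!@ldap_bind($connection, $dn, $password)) {
        $message = ldap_error($connection);
        $code    = ldap_errno($connection);
        ldap_unbind($connection);
        throw new Exception('LDAP bind failed: ' . $message, $code);
    }

    // 5. Read the user's own entry. The bind already established $dn, so
    //    reading it directly avoids building a search filter from user
    //    input at all (the thread's code searches on "uid=" . $username).
    $result  = ldap_read($connection, $dn, '(objectClass=*)', array('cn', 'mail'));
    $entries = ($result !== false) ? ldap_get_entries($connection, $result) : false;
    ldap_unbind($connection);
    if ($entries === false || $entries['count'] !== 1) {
        throw new Exception('user entry not found');
    }
    // Entry array as returned by ldap_get_entries: 'dn', 'cn', 'mail', ...
    return $entries[0];
}

// Usage (host and base DN are placeholders, not the thread's values):
// $user = AuthenticateUserLdaps($_POST['username'], $_POST['password'],
//                               'ldap.example.edu', 'ou=people,dc=example,dc=edu');
```

    The whitelist in step 2 is the simplest defence on PHP 5.3; if the directory's uids legitimately contain other characters, replace it with a DN escape of `\`, `,`, `+`, `"`, `<`, `>`, `;` and `=` (or ldap_escape() once the server is on PHP 5.6 or later). The "Success" message seen earlier in the thread is what ldap_error() returns after the last call succeeded, which is why it appeared once the connection worked but the login logic still failed.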
     
