From: John C. <joh...@ya...> - 2004-02-26 15:59:49
Well, I've been trying to get LDAP authentication working again with the current CVS version (as of this morning). I have made the modifications necessary for the LDAP code to work with Active Directory, but I am still getting "Invalid password or userid". I went through the code and it appears that it is going through _checkPass with an empty stored password. I'm a little confused as to why it's going through there at all, since the old version had the ldap code in the pwcheck function. Did something get set wrong? Anyway, here are the modifications needed for getting the LDAP connection to work with AD: Add the following to index.php ------------------------------------------------- //LDAP's Server Port. If using SSL, aka ldaps://, port should be 636 if (!defined('LDAP_PORT')) define('LDAP_PORT', "389"); //our AD's LDAP is locked down, no anonymous connections are //allowed. A real username / password must be given in order to perform //a search. if (!defined('LDAP_AUTH_USER')) define('LDAP_AUTH_USER', "CN=ldap user,CN=Users,DC=uai,DC=int"); if (!defined('LDAP_AUTH_PASSWORD')) define('LDAP_AUTH_PASSWORD', "ldap4uai"); //Defines which field of AD's LDAP to search for. needs to match the //username entered by the user in the webpage. //samaccountname = //Pre-Win2k username if (!defined('LDAP_SEARCH_FIELD')) define('LDAP_SEARCH_FIELD', "sAMAccountName"); ------------------------------------------------- (Note: LDAP_AUTH_PASSWORD is a live service-account credential — it should not be posted publicly or committed to a shared index.php, and a password exposed this way should be rotated.) and here is a patch for WikiUserNew.php -------------------------------------------------------- Index: lib/WikiUserNew.php =================================================================== RCS file: /cvsroot/phpwiki/phpwiki/lib/WikiUserNew.php,v retrieving revision 1.20 diff -u -r1.20 WikiUserNew.php --- lib/WikiUserNew.php 26 Feb 2004 01:29:11 -0000 1.20 +++ lib/WikiUserNew.php 26 Feb 2004 15:32:27 -0000 
@@ -459,6 +459,7 @@ return false; // Nothing to do? $authlevel = $this->checkPass($passwd); + if (!$authlevel) return _("Invalid password or userid."); elseif ($authlevel < $require_level) 
@@ -1370,25 +1371,39 @@ function checkPass($submitted_password) { $this->_authmethod = 'LDAP'; $userid = $this->_userid; - if ($ldap = ldap_connect(LDAP_AUTH_HOST)) { // must be a valid LDAP server! - $r = @ldap_bind($ldap); // this is an anonymous bind - // Need to set the right root search information. see ../index.php - $sr = ldap_search($ldap, LDAP_BASE_DN, "uid=$userid"); - $info = ldap_get_entries($ldap, $sr); // there may be more hits with this userid. try every - for ($i = 0; $i < $info["count"]; $i++) { - $dn = $info[$i]["dn"]; - // The password is still plain text. - if ($r = @ldap_bind($ldap, $dn, $passwd)) { - // ldap_bind will return TRUE if everything matches - ldap_close($ldap); - $this->_level = WIKIAUTH_USER; - return $this->_level; + + if ($ldap = ldap_connect(LDAP_AUTH_HOST, LDAP_PORT)) { // must be a valid LDAP server! + ldap_set_option($ldap, LDAP_OPT_PROTOCOL_VERSION, 3); + ldap_set_option($ldap, LDAP_OPT_REFERRALS, 0); + + // anonymous binds do not work with active directory + if ($r = @ldap_bind($ldap, LDAP_AUTH_USER, LDAP_AUTH_PASSWORD)) { + // AD search field is different that uid + $st_search = LDAP_SEARCH_FIELD."=$userid"; + + // Need to set the right root search information. see ../index.php + if ($sr = ldap_search($ldap, LDAP_BASE_DN, "$st_search")) { + $info = ldap_get_entries($ldap, $sr); + + for ($i = 0; $i < $info["count"]; $i++) { + $dn = $info[$i]["dn"]; + + // The password is still plain text. + if ($r = @ldap_bind($ldap, $dn, $passwd)) { + // ldap_bind will return TRUE if everything matches + ldap_close($ldap); + $this->_level = WIKIAUTH_USER; + return $this->_level; + } + } + } else { + trigger_error("LDAP Search Failed " . LDAP_AUTH_HOST, E_USER_WARNING); } + } else { + trigger_error("LDAP Search Failed " . LDAP_AUTH_HOST, E_USER_WARNING); } } else { - trigger_error(fmt("Unable to connect to LDAP server %s", LDAP_AUTH_HOST), - E_USER_WARNING); - //return false; + trigger_error(_("Unable to connect to LDAP server "). 
LDAP_AUTH_HOST, E_USER_WARNING); } if (USER_AUTH_POLICY === 'strict') { @@ -1406,13 +1421,28 @@ function userExists() { $userid = $this->_userid; - if ($ldap = ldap_connect(LDAP_AUTH_HOST)) { // must be a valid LDAP server! - $r = @ldap_bind($ldap); // this is an anonymous bind - $sr = ldap_search($ldap, LDAP_BASE_DN, "uid=$userid"); - $info = ldap_get_entries($ldap, $sr); - if ($info["count"] > 0) { - ldap_close($ldap); - return true; + + if ($ldap = ldap_connect(LDAP_AUTH_HOST, LDAP_PORT)) { // must be a valid LDAP server! + ldap_set_option($ldap, LDAP_OPT_PROTOCOL_VERSION, 3); + ldap_set_option($ldap, LDAP_OPT_REFERRALS, 0); + + // anonymous binds do not work with active directory + if ($r = @ldap_bind($ldap, LDAP_AUTH_USER, LDAP_AUTH_PASSWORD)) { + // AD search field is different that uid + $st_search = LDAP_SEARCH_FIELD."=$userid"; + + // Need to set the right root search information. see ../index.php + if ($sr = ldap_search($ldap, LDAP_BASE_DN, "$st_search")) { + $info = ldap_get_entries($ldap, $sr); + if ($info["count"] > 0) { + ldap_close($ldap); + return true; + } + } else { + trigger_error("LDAP Search Failed " . LDAP_AUTH_HOST, E_USER_WARNING); + } + } else { + trigger_error("LDAP Search Failed " . LDAP_AUTH_HOST, E_USER_WARNING); } } else { trigger_error(_("Unable to connect to LDAP server "). LDAP_AUTH_HOST, E_USER_WARNING); @@ -1955,7 +1985,6 @@ return $this->_prefs; } } - // $Log: WikiUserNew.php,v $ // Revision 1.20 2004/02/26 01:29:11 rurban |
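Review bot: The per-user bind `if ($r = @ldap_bind($ldap, $dn, $passwd))` reads `$passwd`, which is never assigned anywhere in checkPass — the parameter is `$submitted_password` — so every bind is attempted with an empty credential; a non-empty DN with an empty password is an unauthenticated bind, which RFC 4513 permits a server to accept and which Active Directory by default answers with success, so anyone who knows a valid login name would be granted WIKIAUTH_USER (the removed code had the same slip, but the new code is what is under review). The bind should use `$submitted_password` and should not be attempted at all when it is empty. `$userid` is also interpolated unescaped into the filter `LDAP_SEARCH_FIELD."=$userid"`, so `*`, `(`, `)` or `\` in a login name rewrites the filter; this PHP predates `ldap_escape()`, so the RFC 4515 metacharacters have to be escaped by hand. Both `else` branches emit `"LDAP Search Failed "`, although the outer one fires when the service-account bind fails, so a distinct message such as `"LDAP bind as " . LDAP_AUTH_USER . " failed"` would keep the log accurate. The patch adds LDAP_PORT but no `ldap_start_tls()`, so unless LDAP_PORT is an ldaps port both the service-account password and the user's password cross the wire in clear; the rest of checkPass continues outside the hunk.
```php
        // anonymous binds do not work with active directory
        if ($r = @ldap_bind($ldap, LDAP_AUTH_USER, LDAP_AUTH_PASSWORD)) {
            // Escape RFC 4515 filter metacharacters by hand (no ldap_escape() in this PHP).
            // '\' is replaced first so the escapes introduced below are not re-escaped.
            $safe_userid = str_replace(array('\\', '*', '(', ')', "\0"),
                                       array('\\5c', '\\2a', '\\28', '\\29', '\\00'),
                                       $userid);
            $st_search = LDAP_SEARCH_FIELD . "=" . $safe_userid;
            // … unchanged: ldap_search, ldap_get_entries, loop over entries …
                    // A DN with an empty password is an *unauthenticated* bind, which
                    // some servers (AD included) answer with success: never attempt it.
                    if (strlen($submitted_password) > 0
                        && @ldap_bind($ldap, $dn, $submitted_password)) {
            // … unchanged: success path, search-failure branch …
```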
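Review bot: `$st_search = LDAP_SEARCH_FIELD."=$userid"` interpolates the login name into the search filter unescaped, so a name containing `*` makes userExists() return true for any non-empty directory and `(`, `)` or `\` can rewrite the filter altogether. This PHP predates `ldap_escape()`, so escape the RFC 4515 metacharacters before building the filter, e.g. `$safe_userid = str_replace(array('\\', '*', '(', ')', "\0"), array('\\5c', '\\2a', '\\28', '\\29', '\\00'), $userid);` followed by `$st_search = LDAP_SEARCH_FIELD . "=" . $safe_userid;`. The outer `else` reports `"LDAP Search Failed "` when it is actually the bind as LDAP_AUTH_USER that failed; a message such as `"LDAP bind as " . LDAP_AUTH_USER . " failed"` would make the log accurate. The `ldap_set_option()` return values are unchecked and the connection is only closed on the found path; userExists() ends outside the hunk.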