From: John C. <joh...@ya...> - 2004-02-26 21:57:01
Ok, I got it working. There are a few issues here. First if you use strict USER_AUTH_POLICY with only LDAP defined, you will get an error Fatal error: Call to a member function on a non-object in C:\Program Files\Apache Group\Apache2\htdocs\phpwiki\lib\WikiUserNew.php on line 855 inside the checkPass function. using USER_AUTH_POLICY stacked works however. After, that is, the line if ($r = @ldap_bind($ldap, $dn, $passwd)) { is changed to if ($r = @ldap_bind($ldap, $dn, $submitted_password)) { Here is the patch to make LDAP actually work and work with Active Directory. I do not know if the AD stuff interfers with OpenLDAP or not. -----------------------------------------------
Index: lib/WikiUserNew.php
===================================================================
RCS file: /cvsroot/phpwiki/phpwiki/lib/WikiUserNew.php,v
retrieving revision 1.20
diff -u -r1.20 WikiUserNew.php
--- lib/WikiUserNew.php 26 Feb 2004 01:29:11 -0000 1.20
+++ lib/WikiUserNew.php 26 Feb 2004 21:38:13 -0000
@@ -459,6 +459,7 @@
 return false; // Nothing to do?
 $authlevel = $this->checkPass($passwd);
+
 if (!$authlevel) return _("Invalid password or userid."); elseif ($authlevel < $require_level) 
@@ -1370,25 +1371,38 @@
 function checkPass($submitted_password) {
 $this->_authmethod = 'LDAP';
 $userid = $this->_userid;
- if ($ldap = ldap_connect(LDAP_AUTH_HOST)) { // must be a valid LDAP server!
- $r = @ldap_bind($ldap); // this is an anonymous bind
- // Need to set the right root search information. see ../index.php
- $sr = ldap_search($ldap, LDAP_BASE_DN, "uid=$userid");
- $info = ldap_get_entries($ldap, $sr); // there may be more hits with this userid. try every
- for ($i = 0; $i < $info["count"]; $i++) {
- $dn = $info[$i]["dn"];
- // The password is still plain text.
- if ($r = @ldap_bind($ldap, $dn, $passwd)) {
- // ldap_bind will return TRUE if everything matches
- ldap_close($ldap);
- $this->_level = WIKIAUTH_USER;
- return $this->_level;
+
+ if ($ldap = ldap_connect(LDAP_AUTH_HOST, LDAP_PORT)) { // must be a valid LDAP server!
+ ldap_set_option($ldap, LDAP_OPT_PROTOCOL_VERSION, 3);
+ ldap_set_option($ldap, LDAP_OPT_REFERRALS, 0);
+
+ // anonymous binds do not work with active directory
+ if ($r = @ldap_bind($ldap, LDAP_AUTH_USER, LDAP_AUTH_PASSWORD)) {
+ // AD search field is different that uid
+ $st_search = LDAP_SEARCH_FIELD."=$userid";
+
+ // Need to set the right root search information. see ../index.php
+ if ($sr = ldap_search($ldap, LDAP_BASE_DN, "$st_search")) {
+ $info = ldap_get_entries($ldap, $sr);
+
+ for ($i = 0; $i < $info["count"]; $i++) {
+ $dn = $info[$i]["dn"];
+ // The password is still plain text.
+ if ($r = @ldap_bind($ldap, $dn, $submitted_password)) {
+ // ldap_bind will return TRUE if everything matches
+ ldap_close($ldap);
+ $this->_level = WIKIAUTH_USER;
+ return $this->_level;
+ }
+ }
+ } else {
+ trigger_error("LDAP Search Failed " . LDAP_AUTH_HOST, E_USER_WARNING);
 }
+ } else {
+ trigger_error("LDAP Search Failed " . LDAP_AUTH_HOST, E_USER_WARNING);
 }
 } else {
- trigger_error(fmt("Unable to connect to LDAP server %s", LDAP_AUTH_HOST),
- E_USER_WARNING);
- //return false;
+ trigger_error(_("Unable to connect to LDAP server "). 
LDAP_AUTH_HOST, E_USER_WARNING);
 }
 if (USER_AUTH_POLICY === 'strict') {
@@ -1406,13 +1420,28 @@
 function userExists() {
 $userid = $this->_userid;
- if ($ldap = ldap_connect(LDAP_AUTH_HOST)) { // must be a valid LDAP server!
- $r = @ldap_bind($ldap); // this is an anonymous bind
- $sr = ldap_search($ldap, LDAP_BASE_DN, "uid=$userid");
- $info = ldap_get_entries($ldap, $sr);
- if ($info["count"] > 0) {
- ldap_close($ldap);
- return true;
+
+ if ($ldap = ldap_connect(LDAP_AUTH_HOST, LDAP_PORT)) { // must be a valid LDAP server!
+ ldap_set_option($ldap, LDAP_OPT_PROTOCOL_VERSION, 3);
+ ldap_set_option($ldap, LDAP_OPT_REFERRALS, 0);
+
+ // anonymous binds do not work with active directory
+ if ($r = @ldap_bind($ldap, LDAP_AUTH_USER, LDAP_AUTH_PASSWORD)) {
+ // AD search field is different that uid
+ $st_search = LDAP_SEARCH_FIELD."=$userid";
+
+ // Need to set the right root search information. see ../index.php
+ if ($sr = ldap_search($ldap, LDAP_BASE_DN, "$st_search")) {
+ $info = ldap_get_entries($ldap, $sr);
+ if ($info["count"] > 0) {
+ ldap_close($ldap);
+ return true;
+ }
+ } else {
+ trigger_error("LDAP Search Failed " . LDAP_AUTH_HOST, E_USER_WARNING);
+ }
+ } else {
+ trigger_error("LDAP Search Failed " . LDAP_AUTH_HOST, E_USER_WARNING);
 }
 } else {
 trigger_error(_("Unable to connect to LDAP server "). LDAP_AUTH_HOST, E_USER_WARNING); 
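Review bot: The search filter in checkPass is built by interpolating the submitted userid, `$st_search = LDAP_SEARCH_FIELD."=$userid";`, so filter metacharacters (`*`, `(`, `)`, `\`) in the userid change which entries the search matches; userExists builds the same string. Escape the value before it enters the filter (on modern PHP `ldap_escape($userid, '', LDAP_ESCAPE_FILTER)`, otherwise a small RFC 4515 escaper) or reject userids outside an allow-listed character set. The per-entry `ldap_bind($ldap, $dn, $submitted_password)` also needs a guard for an empty password: a simple bind with a DN and an empty password is an unauthenticated bind that many directories, Active Directory by default, answer with success, which would grant WIKIAUTH_USER for any existing account, so skip the bind when the password is empty, e.g. `if ($submitted_password !== '' && ($r = @ldap_bind($ldap, $dn, $submitted_password))) {`. checkPass continues past the end of the hunk, so the failure path after `if (USER_AUTH_POLICY === 'strict') {` is not visible here.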
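Review bot: Both new `else` branches in userExists report `"LDAP Search Failed "`, but the outer one runs when the service-account bind `@ldap_bind($ldap, LDAP_AUTH_USER, LDAP_AUTH_PASSWORD)` fails, not the search, so a wrong LDAP_AUTH_USER/LDAP_AUTH_PASSWORD is logged as a search problem; checkPass has the same pair of messages. Change the outer message to name the bind, e.g. `trigger_error("LDAP bind failed " . LDAP_AUTH_HOST, E_USER_WARNING);`. The connection is only released by `ldap_close($ldap)` on the found path; the not-found, search-failed and bind-failed paths fall through with it still open, and `$r` is assigned but never read, so an `ldap_close($ldap);` before the fall-through return would tidy both. The return that ends userExists lies outside the hunk.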
@@ -1955,7 +1984,6 @@
 return $this->_prefs;
 }
 }
- // $Log: WikiUserNew.php,v $
 // Revision 1.20 2004/02/26 01:29:11 rurban
------------------------------------------------------ You will need the following added to index.php //LDAP's Server Port. If using SSL, aka ldaps://, port should be 636 if (!defined('LDAP_PORT')) define('LDAP_PORT', "389"); //our AD's LDAP is locked down, no anonymous connections are //allowed. A real username / password must be given in order to perform //a search. if (!defined('LDAP_AUTH_USER')) define('LDAP_AUTH_USER', "CN=ldap user,CN=Users,DC=company,DC=com"); if (!defined('LDAP_AUTH_PASSWORD')) define('LDAP_AUTH_PASSWORD', "ldappassword"); //Defines which field of AD's LDAP to search for. needs to match the //username entered by the user in the webpage. //samaccountname = //Pre-Win2k username if (!defined('LDAP_SEARCH_FIELD')) define('LDAP_SEARCH_FIELD', "sAMAccountName"); Thanks, John Cole |