From: Reini U. <ru...@x-...> - 2004-02-26 23:39:49
John, could you please zip your diff and attach it. email mangles it unreadable. A few things: LDAP_PORT is not needed. Just set LDAP_HOST = "ldaps://server:636" or LDAP_HOST = "ldap://server:389" Could you please try that out with your php_ldap.dll Thanks for the non-anonymous bind sample and for finding the stupid password error. John Cole schrieb: > Ok, I got it working. There are a few issues here. > First if you use strict USER_AUTH_POLICY with only > LDAP defined, you will get an error > > Fatal error: Call to a member function on a non-object > in C:\Program Files\Apache > Group\Apache2\htdocs\phpwiki\lib\WikiUserNew.php on > line 855 > > inside the checkPass function. > > using USER_AUTH_POLICY stacked works however. > > After, that is, > > the line > > if ($r = @ldap_bind($ldap, > $dn, $passwd)) { > > is changed to > > if ($r = @ldap_bind($ldap, > $dn, $submitted_password)) { > > > Here is the patch to make LDAP actually work and work > with Active Directory. I do not know if the AD stuff > interfers with OpenLDAP or not. > > ----------------------------------------------- > Index: lib/WikiUserNew.php > =================================================================== > RCS file: > /cvsroot/phpwiki/phpwiki/lib/WikiUserNew.php,v > retrieving revision 1.20 > diff -u -r1.20 WikiUserNew.php > --- lib/WikiUserNew.php 26 Feb 2004 01:29:11 -0000 > 1.20 > +++ lib/WikiUserNew.php 26 Feb 2004 21:38:13 -0000 > @@ -459,6 +459,7 @@ > return false; // Nothing to do? > > $authlevel = $this->checkPass($passwd); > + > if (!$authlevel) > return _("Invalid password or userid."); > elseif ($authlevel < $require_level) 
> @@ -1370,25 +1371,38 @@ > function checkPass($submitted_password) { > $this->_authmethod = 'LDAP'; > $userid = $this->_userid; > - if ($ldap = ldap_connect(LDAP_AUTH_HOST)) { > // must be a valid LDAP server! > - $r = @ldap_bind($ldap); // this is an > anonymous bind > - // Need to set the right root search > information. see ../index.php > - $sr = ldap_search($ldap, LDAP_BASE_DN, > "uid=$userid"); > - $info = ldap_get_entries($ldap, $sr); // > there may be more hits with this userid. try every > - for ($i = 0; $i < $info["count"]; $i++) { > - $dn = $info[$i]["dn"]; > - // The password is still plain text. > - if ($r = @ldap_bind($ldap, $dn, > $passwd)) { > - // ldap_bind will return TRUE if > everything matches > - ldap_close($ldap); > - $this->_level = WIKIAUTH_USER; > - return $this->_level; > + > + if ($ldap = ldap_connect(LDAP_AUTH_HOST, > LDAP_PORT)) { // must be a valid LDAP server! > + ldap_set_option($ldap, > LDAP_OPT_PROTOCOL_VERSION, 3); > + ldap_set_option($ldap, > LDAP_OPT_REFERRALS, 0); > + > + // anonymous binds do not work with > active directory > + if ($r = @ldap_bind($ldap, > LDAP_AUTH_USER, LDAP_AUTH_PASSWORD)) { > + // AD search field is different that > uid > + $st_search = > LDAP_SEARCH_FIELD."=$userid"; > + > + // Need to set the right root search > information. see ../index.php > + if ($sr = ldap_search($ldap, > LDAP_BASE_DN, "$st_search")) { > + $info = ldap_get_entries($ldap, > $sr); > + > + for ($i = 0; $i < $info["count"]; > $i++) { > + $dn = $info[$i]["dn"]; > + // The password is still > plain text. > + if ($r = @ldap_bind($ldap, > $dn, $submitted_password)) { > + // ldap_bind will return > TRUE if everything matches > + ldap_close($ldap); > + $this->_level = > WIKIAUTH_USER; > + return $this->_level; > + } > + } > + } else { > + trigger_error("LDAP Search Failed > " . LDAP_AUTH_HOST, E_USER_WARNING); > } > + } else { > + trigger_error("LDAP Search Failed " . 
> LDAP_AUTH_HOST, E_USER_WARNING); > } > } else { > - trigger_error(fmt("Unable to connect to > LDAP server %s", LDAP_AUTH_HOST), > - E_USER_WARNING); > - //return false; > + trigger_error(_("Unable to connect to > LDAP server "). LDAP_AUTH_HOST, E_USER_WARNING); > } > > if (USER_AUTH_POLICY === 'strict') { > @@ -1406,13 +1420,28 @@ > > function userExists() { > $userid = $this->_userid; > - if ($ldap = ldap_connect(LDAP_AUTH_HOST)) { > // must be a valid LDAP server! > - $r = @ldap_bind($ldap); > // this is an anonymous bind > - $sr = ldap_search($ldap, LDAP_BASE_DN, > "uid=$userid"); > - $info = ldap_get_entries($ldap, $sr); > - if ($info["count"] > 0) { > - ldap_close($ldap); > - return true; > + > + if ($ldap = ldap_connect(LDAP_AUTH_HOST, > LDAP_PORT)) { // must be a valid LDAP server! > + ldap_set_option($ldap, > LDAP_OPT_PROTOCOL_VERSION, 3); > + ldap_set_option($ldap, > LDAP_OPT_REFERRALS, 0); > + > + // anonymous binds do not work with > active directory > + if ($r = @ldap_bind($ldap, > LDAP_AUTH_USER, LDAP_AUTH_PASSWORD)) { > + // AD search field is different that > uid > + $st_search = > LDAP_SEARCH_FIELD."=$userid"; > + > + // Need to set the right root search > information. see ../index.php > + if ($sr = ldap_search($ldap, > LDAP_BASE_DN, "$st_search")) { > + $info = ldap_get_entries($ldap, > $sr); > + if ($info["count"] > 0) { > + ldap_close($ldap); > + return true; > + } > + } else { > + trigger_error("LDAP Search Failed > " . LDAP_AUTH_HOST, E_USER_WARNING); > + } > + } else { > + trigger_error("LDAP Search Failed " . > LDAP_AUTH_HOST, E_USER_WARNING); > } > } else { > trigger_error(_("Unable to connect to > LDAP server "). LDAP_AUTH_HOST, E_USER_WARNING); 
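Review bot: The per-user bind `ldap_bind($ldap, $dn, $submitted_password)` inside the for loop is attempted without first rejecting an empty `$submitted_password`; a simple bind with a DN and an empty password is an unauthenticated bind that many directories (Active Directory included) answer with success, so any account found by the search would pass checkPass with a blank password unless the caller already guards against this, which is not visible from the hunk. Bail out to the failure path before `ldap_connect`, e.g. `if ($submitted_password === '') return false;`, with the return value adjusted to whatever the code after the hunk returns on failure. Separately, `$userid` is interpolated into the search filter `LDAP_SEARCH_FIELD."=$userid"` unescaped, here and in the userExists hunk below, so filter metacharacters (`*`, `(`, `)`, `\`, NUL) in a submitted userid change the query; escape it (`ldap_escape($userid, '', LDAP_ESCAPE_FILTER)` on PHP 5.6+) or reject userids containing them. The inner `else` that handles a failed service-account bind reports `"LDAP Search Failed "`, which misattributes the error; `"LDAP bind failed "` would make diagnosis easier. checkPass's body continues past the end of the hunk.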
> @@ -1955,7 +1984,6 @@ > return $this->_prefs; > } > } > - > > // $Log: WikiUserNew.php,v $ > // Revision 1.20 2004/02/26 01:29:11 rurban > ------------------------------------------------------ > > You will need the following added to index.php > > //LDAP's Server Port. If using SSL, aka ldaps://, port > should be 636 > if (!defined('LDAP_PORT')) define('LDAP_PORT', "389"); > > //our AD's LDAP is locked down, no anonymous > connections are > //allowed. A real username / password must be given in > order to perform > //a search. > if (!defined('LDAP_AUTH_USER')) > define('LDAP_AUTH_USER', "CN=ldap > user,CN=Users,DC=company,DC=com"); > if (!defined('LDAP_AUTH_PASSWORD')) > define('LDAP_AUTH_PASSWORD', "ldappassword"); > > > //Defines which field of AD's LDAP to search for. > needs to match the > //username entered by the user in the webpage. > //samaccountname = > //Pre-Win2k username > if (!defined('LDAP_SEARCH_FIELD')) > define('LDAP_SEARCH_FIELD', "sAMAccountName"); > > Thanks, > > John Cole > > > > ------------------------------------------------------- > SF.Net is sponsored by: Speed Start Your Linux Apps Now. > Build and deploy apps & Web services for Linux with > a free DVD software kit from IBM. Click Now! > http://ads.osdn.com/?ad_id=1356&alloc_id=3438&op=click > _______________________________________________ > Phpwiki-talk mailing list > Php...@li... > https://lists.sourceforge.net/lists/listinfo/phpwiki-talk > -- Reini Urban http://xarch.tu-graz.ac.at/home/rurban/ |