From: Norberto M. <nu...@me...> - 2004-03-08 07:20:48
John, Reini, FWIW, I submitted a patch against 1.3.4 that enabled this functionality -- http://sourceforge.net/tracker/index.php?func=detail&aid=738150&group_id=6121&atid=306121 Some of the code and comments provided in this thread above look quite similar (the same?) to what I provided in my patch. I guess I used the wrong system to post that patch :-) I've had 1.3.4 running with these changes doing authentication against my W2K Active Directory since I submitted the patch. I only have to spend some time figuring out how to enable LDAP queries over TLS against this AD (not sure how to enable it at the W2K end, no problems from PHP); without TLS both the service-account password and the user's submitted password cross the wire in clear text. The reason for using a specific define for LDAP_PORT was so that a user with an LDAP server on another port would not have to change the lib/ files. Keep up the great work -- looking forward to 1.3.8 + 1.4 :-) Best regards, -- Norberto Meijome | numard at meijome dot net "Everything is interesting if you go into it deeply enough." - Richard Feynman Reini Urban wrote: > John, > could you please zip your diff and attach it. > email mangles it into something unreadable. > > A few things: > LDAP_PORT is not needed. > Just set > LDAP_HOST = "ldaps://server:636" > or > LDAP_HOST = "ldap://server:389" > Could you please try that out with your php_ldap.dll > > Thanks for the non-anonymous bind sample and for finding the stupid > password error. > > John Cole schrieb: > >> Ok, I got it working. There are a few issues here. First, if you use >> the strict USER_AUTH_POLICY with only >> LDAP defined, you get an error >> >> Fatal error: Call to a member function on a non-object >> in C:\Program Files\Apache >> Group\Apache2\htdocs\phpwiki\lib\WikiUserNew.php on >> line 855 >> >> inside the checkPass function. >> >> Using USER_AUTH_POLICY stacked works, however. 
>> >> After, that is, >> the line >> >> if ($r = @ldap_bind($ldap, >> $dn, $passwd)) { >> >> is changed to >> >> if ($r = @ldap_bind($ldap, >> $dn, $submitted_password)) { >> >> >> Here is the patch to make LDAP actually work and work >> with Active Directory. I do not know if the AD stuff >> interfers with OpenLDAP or not. >> >> ----------------------------------------------- >> Index: lib/WikiUserNew.php >> =================================================================== >> RCS file: >> /cvsroot/phpwiki/phpwiki/lib/WikiUserNew.php,v >> retrieving revision 1.20 >> diff -u -r1.20 WikiUserNew.php >> --- lib/WikiUserNew.php 26 Feb 2004 01:29:11 -0000 >> 1.20 >> +++ lib/WikiUserNew.php 26 Feb 2004 21:38:13 -0000 >> @@ -459,6 +459,7 @@ >> return false; // Nothing to do? >> >> $authlevel = $this->checkPass($passwd); >> + if (!$authlevel) >> return _("Invalid password or userid."); >> elseif ($authlevel < $require_level) 
>> @@ -1370,25 +1371,38 @@ >> function checkPass($submitted_password) { >> $this->_authmethod = 'LDAP'; >> $userid = $this->_userid; >> - if ($ldap = ldap_connect(LDAP_AUTH_HOST)) { >> // must be a valid LDAP server! >> - $r = @ldap_bind($ldap); // this is an >> anonymous bind >> - // Need to set the right root search >> information. see ../index.php >> - $sr = ldap_search($ldap, LDAP_BASE_DN, >> "uid=$userid"); >> - $info = ldap_get_entries($ldap, $sr); // >> there may be more hits with this userid. try every >> - for ($i = 0; $i < $info["count"]; $i++) { >> - $dn = $info[$i]["dn"]; >> - // The password is still plain text. >> - if ($r = @ldap_bind($ldap, $dn, >> $passwd)) { >> - // ldap_bind will return TRUE if >> everything matches >> - ldap_close($ldap); >> - $this->_level = WIKIAUTH_USER; >> - return $this->_level; >> + >> + if ($ldap = ldap_connect(LDAP_AUTH_HOST, >> LDAP_PORT)) { // must be a valid LDAP server! >> + ldap_set_option($ldap, >> LDAP_OPT_PROTOCOL_VERSION, 3); >> + ldap_set_option($ldap, >> LDAP_OPT_REFERRALS, 0); >> + + // anonymous binds do not work with >> active directory >> + if ($r = @ldap_bind($ldap, >> LDAP_AUTH_USER, LDAP_AUTH_PASSWORD)) { >> + // AD search field is different that >> uid >> + $st_search = >> LDAP_SEARCH_FIELD."=$userid"; >> + >> + // Need to set the right root search >> information. see ../index.php >> + if ($sr = ldap_search($ldap, >> LDAP_BASE_DN, "$st_search")) { + $info = >> ldap_get_entries($ldap, >> $sr); >> + >> + for ($i = 0; $i < $info["count"]; >> $i++) { >> + $dn = $info[$i]["dn"]; >> + // The password is still >> plain text. >> + if ($r = @ldap_bind($ldap, >> $dn, $submitted_password)) { >> + // ldap_bind will return >> TRUE if everything matches >> + ldap_close($ldap); >> + $this->_level = >> WIKIAUTH_USER; >> + return $this->_level; >> + } >> + } >> + } else { >> + trigger_error("LDAP Search Failed >> " . LDAP_AUTH_HOST, E_USER_WARNING); >> } >> + } else { >> + trigger_error("LDAP Search Failed " . 
>> LDAP_AUTH_HOST, E_USER_WARNING); >> } >> } else { >> - trigger_error(fmt("Unable to connect to >> LDAP server %s", LDAP_AUTH_HOST), - >> E_USER_WARNING); >> - //return false; >> + trigger_error(_("Unable to connect to >> LDAP server "). LDAP_AUTH_HOST, E_USER_WARNING); >> } >> >> if (USER_AUTH_POLICY === 'strict') { >> @@ -1406,13 +1420,28 @@ >> >> function userExists() { >> $userid = $this->_userid; >> - if ($ldap = ldap_connect(LDAP_AUTH_HOST)) { >> // must be a valid LDAP server! >> - $r = @ldap_bind($ldap); // this is an >> anonymous bind >> - $sr = ldap_search($ldap, LDAP_BASE_DN, >> "uid=$userid"); >> - $info = ldap_get_entries($ldap, $sr); >> - if ($info["count"] > 0) { >> - ldap_close($ldap); >> - return true; >> + >> + if ($ldap = ldap_connect(LDAP_AUTH_HOST, >> LDAP_PORT)) { // must be a valid LDAP server! >> + ldap_set_option($ldap, >> LDAP_OPT_PROTOCOL_VERSION, 3); >> + ldap_set_option($ldap, >> LDAP_OPT_REFERRALS, 0); >> + + // anonymous binds do not work with >> active directory >> + if ($r = @ldap_bind($ldap, >> LDAP_AUTH_USER, LDAP_AUTH_PASSWORD)) { >> + // AD search field is different that >> uid >> + $st_search = >> LDAP_SEARCH_FIELD."=$userid"; >> + >> + // Need to set the right root search >> information. see ../index.php >> + if ($sr = ldap_search($ldap, >> LDAP_BASE_DN, "$st_search")) { + $info = >> ldap_get_entries($ldap, >> $sr); >> + if ($info["count"] > 0) { >> + ldap_close($ldap); >> + return true; >> + } >> + } else { >> + trigger_error("LDAP Search Failed >> " . LDAP_AUTH_HOST, E_USER_WARNING); >> + } >> + } else { >> + trigger_error("LDAP Search Failed " . >> LDAP_AUTH_HOST, E_USER_WARNING); >> } >> } else { >> trigger_error(_("Unable to connect to >> LDAP server "). LDAP_AUTH_HOST, E_USER_WARNING); 
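Review bot: In checkPass the added `$st_search = LDAP_SEARCH_FIELD."=$userid";` drops the submitted login name into the LDAP filter unescaped, so a user id of `*` (or `x)(cn=*`) rewrites the filter and the following loop binds as every matching DN with the submitted password, letting a caller log in under an arbitrary `_userid` as long as some account in the base DN accepts that password. Escape the value per RFC 2254 before concatenating, e.g. `$uid = str_replace(array('\\', '*', '(', ')', "\0"), array('\5c', '\2a', '\28', '\29', '\00'), $userid);` and build the filter from `$uid`. The per-entry bind also needs an empty-password guard: an LDAPv3 simple bind with a DN and an empty password is an unauthenticated bind that Active Directory answers with success, so change the test to `if ($submitted_password !== '' && ($r = @ldap_bind($ldap, $dn, $submitted_password))) {` unless the caller already refuses empty passwords (not visible in this hunk). Note also that the inner `else` reports "LDAP Search Failed" when it is the `LDAP_AUTH_USER` service bind that failed, which will mislead whoever debugs a locked-down AD. The tail of checkPass (the `USER_AUTH_POLICY === 'strict'` branch) lies outside the hunk.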
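Review bot: userExists builds the same unescaped `LDAP_SEARCH_FIELD."=$userid"` filter and only tests `$info["count"] > 0`, so whoever can reach the login form (presumably any visitor) can probe `adm*` or `*` and get a yes/no answer, turning the method into an account-enumeration oracle backed by the service account's read access. Escape the id before building the filter, e.g. `$uid = str_replace(array('\\', '*', '(', ')', "\0"), array('\5c', '\2a', '\28', '\29', '\00'), $userid);` and use `$uid` in `$st_search`, so that a literal `*` in the input matches only an account actually named `*`. The `ldap_close($ldap)` runs only on the `count > 0` path, so every failed lookup leaves the handle open until request end; an `ldap_close($ldap);` before each fall-through keeps the connection count on the AD side predictable. The function's return on the not-found path is outside the hunk.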
>> @@ -1955,7 +1984,6 @@ >> return $this->_prefs; >> } >> } >> - >> >> // $Log: WikiUserNew.php,v $ >> // Revision 1.20 2004/02/26 01:29:11 rurban >> ------------------------------------------------------ >> >> You will need the following added to index.php >> >> //LDAP's Server Port. If using SSL, aka ldaps://, port >> should be 636 if (!defined('LDAP_PORT')) define('LDAP_PORT', "389"); >> >> //our AD's LDAP is locked down, no anonymous >> connections are //allowed. A real username / password must be given in >> order to perform //a search. if (!defined('LDAP_AUTH_USER')) >> define('LDAP_AUTH_USER', "CN=ldap >> user,CN=Users,DC=company,DC=com"); >> if (!defined('LDAP_AUTH_PASSWORD')) >> define('LDAP_AUTH_PASSWORD', "ldappassword"); >> >> >> //Defines which field of AD's LDAP to search for. >> needs to match the //username entered by the user in the webpage. >> //samaccountname = //Pre-Win2k username if >> (!defined('LDAP_SEARCH_FIELD')) >> define('LDAP_SEARCH_FIELD', "sAMAccountName"); >> >> Thanks, >> >> John Cole >> >> >> >> ------------------------------------------------------- >> SF.Net is sponsored by: Speed Start Your Linux Apps Now. >> Build and deploy apps & Web services for Linux with >> a free DVD software kit from IBM. Click Now! >> http://ads.osdn.com/?ad_id=1356&alloc_id=3438&op=click >> _______________________________________________ >> Phpwiki-talk mailing list >> Php...@li... >> https://lists.sourceforge.net/lists/listinfo/phpwiki-talk >> > > |