From: John C. <joh...@ua...> - 2004-03-08 15:35:45
Norberto, I think that is where I was able to get my 1.3.4 wiki working with LDAP :-) If you go back in the thread far enough, I hope I said that. I did have to change the search field for our setup, and I wonder if everyone's AD setup is going to be different. I'd recommend to anyone trying to configure their wiki for LDAP to dump an LDIF file before you start trying to figure out what your DN and search fields are.

Other than that, I've just been trying to keep AD working with the top of the tree, which got dicey for a while. I run two wikis pointed at the same database, and when I feel the top of the tree is stable enough, I move it from my working version to the main version. I try and sync my development copy once a week to catch up to Reini.

John Cole

-----Original Message-----
From: php...@li... [mailto:php...@li...] On Behalf Of Norberto Meijome
Sent: Monday, March 08, 2004 1:14 AM
To: php...@li...
Subject: Re: [Phpwiki-talk] LDAP Authentication...
Importance: Low

John, Reini,

FWIW, I submitted a patch against 1.3.4 that enabled this functionality -- http://sourceforge.net/tracker/index.php?func=detail&aid=738150&group_id=6121&atid=306121

Some of the code and comments provided in this thread above look quite similar (same?) to the one provided in my patch. I guess I used the wrong system to post that patch :-)

I've had 1.3.4 running with these changes doing authentication against my W2K Active Directory since I submitted the patch. I only have to spend some time figuring out how to enable LDAP queries over TLS against this AD (not sure how to enable it @ W2K end, no problems from PHP).

The reason for using a specific define for LDAP_PORT was in case a user had an LDAP server running on another port without changing the lib/ files.

Keep on the great work -- looking forward to 1.3.8 + 1.4 :-)

Best regards,
--
Norberto Meijome | numard at meijome dot net
"Everything is interesting if you go into it deeply enough." - Richard Feynman

Reini Urban wrote:
> John,
> could you please zip your diff and attach it.
> email mangles it unreadable.
>
> A few things:
> LDAP_PORT is not needed.
> Just set
> LDAP_HOST = "ldaps://server:636"
> or
> LDAP_HOST = "ldap://server:389"
> Could you please try that out with your php_ldap.dll
>
> Thanks for the non-anonymous bind sample and for finding the stupid
> password error.
>
> John Cole schrieb:
>
>> Ok, I got it working. There are a few issues here. First, if you use
>> strict USER_AUTH_POLICY with only LDAP defined, you will get an error
>>
>> Fatal error: Call to a member function on a non-object
>> in C:\Program Files\Apache Group\Apache2\htdocs\phpwiki\lib\WikiUserNew.php on line 855
>>
>> inside the checkPass function.
>>
>> Using USER_AUTH_POLICY stacked works however.
>> >> After, that is, >> the line >> >> if ($r = @ldap_bind($ldap, >> $dn, $passwd)) { >> >> is changed to >> >> if ($r = @ldap_bind($ldap, >> $dn, $submitted_password)) { >> >> >> Here is the patch to make LDAP actually work and work >> with Active Directory. I do not know if the AD stuff >> interfers with OpenLDAP or not. >> >> ----------------------------------------------- >> Index: lib/WikiUserNew.php >> =================================================================== >> RCS file: >> /cvsroot/phpwiki/phpwiki/lib/WikiUserNew.php,v >> retrieving revision 1.20 >> diff -u -r1.20 WikiUserNew.php >> --- lib/WikiUserNew.php 26 Feb 2004 01:29:11 -0000 >> 1.20 >> +++ lib/WikiUserNew.php 26 Feb 2004 21:38:13 -0000 >> @@ -459,6 +459,7 @@ >> return false; // Nothing to do? >> >> $authlevel = $this->checkPass($passwd); >> + if (!$authlevel) >> return _("Invalid password or userid."); >> elseif ($authlevel < $require_level) 
>> @@ -1370,25 +1371,38 @@ >> function checkPass($submitted_password) { >> $this->_authmethod = 'LDAP'; >> $userid = $this->_userid; >> - if ($ldap = ldap_connect(LDAP_AUTH_HOST)) { >> // must be a valid LDAP server! >> - $r = @ldap_bind($ldap); // this is an >> anonymous bind >> - // Need to set the right root search >> information. see ../index.php >> - $sr = ldap_search($ldap, LDAP_BASE_DN, >> "uid=$userid"); >> - $info = ldap_get_entries($ldap, $sr); // >> there may be more hits with this userid. try every >> - for ($i = 0; $i < $info["count"]; $i++) { >> - $dn = $info[$i]["dn"]; >> - // The password is still plain text. >> - if ($r = @ldap_bind($ldap, $dn, >> $passwd)) { >> - // ldap_bind will return TRUE if >> everything matches >> - ldap_close($ldap); >> - $this->_level = WIKIAUTH_USER; >> - return $this->_level; >> + >> + if ($ldap = ldap_connect(LDAP_AUTH_HOST, >> LDAP_PORT)) { // must be a valid LDAP server! >> + ldap_set_option($ldap, >> LDAP_OPT_PROTOCOL_VERSION, 3); >> + ldap_set_option($ldap, >> LDAP_OPT_REFERRALS, 0); >> + + // anonymous binds do not work with >> active directory >> + if ($r = @ldap_bind($ldap, >> LDAP_AUTH_USER, LDAP_AUTH_PASSWORD)) { >> + // AD search field is different that >> uid >> + $st_search = >> LDAP_SEARCH_FIELD."=$userid"; >> + >> + // Need to set the right root search >> information. see ../index.php >> + if ($sr = ldap_search($ldap, >> LDAP_BASE_DN, "$st_search")) { + $info = >> ldap_get_entries($ldap, >> $sr); >> + >> + for ($i = 0; $i < $info["count"]; >> $i++) { >> + $dn = $info[$i]["dn"]; >> + // The password is still >> plain text. >> + if ($r = @ldap_bind($ldap, >> $dn, $submitted_password)) { >> + // ldap_bind will return >> TRUE if everything matches >> + ldap_close($ldap); >> + $this->_level = >> WIKIAUTH_USER; >> + return $this->_level; >> + } >> + } >> + } else { >> + trigger_error("LDAP Search Failed >> " . LDAP_AUTH_HOST, E_USER_WARNING); >> } >> + } else { >> + trigger_error("LDAP Search Failed " . 
>> LDAP_AUTH_HOST, E_USER_WARNING); >> } >> } else { >> - trigger_error(fmt("Unable to connect to >> LDAP server %s", LDAP_AUTH_HOST), - >> E_USER_WARNING); >> - //return false; >> + trigger_error(_("Unable to connect to >> LDAP server "). LDAP_AUTH_HOST, E_USER_WARNING); >> } >> >> if (USER_AUTH_POLICY === 'strict') { >> @@ -1406,13 +1420,28 @@ >> >> function userExists() { >> $userid = $this->_userid; >> - if ($ldap = ldap_connect(LDAP_AUTH_HOST)) { >> // must be a valid LDAP server! >> - $r = @ldap_bind($ldap); // this is an >> anonymous bind >> - $sr = ldap_search($ldap, LDAP_BASE_DN, >> "uid=$userid"); >> - $info = ldap_get_entries($ldap, $sr); >> - if ($info["count"] > 0) { >> - ldap_close($ldap); >> - return true; >> + >> + if ($ldap = ldap_connect(LDAP_AUTH_HOST, >> LDAP_PORT)) { // must be a valid LDAP server! >> + ldap_set_option($ldap, >> LDAP_OPT_PROTOCOL_VERSION, 3); >> + ldap_set_option($ldap, >> LDAP_OPT_REFERRALS, 0); >> + + // anonymous binds do not work with >> active directory >> + if ($r = @ldap_bind($ldap, >> LDAP_AUTH_USER, LDAP_AUTH_PASSWORD)) { >> + // AD search field is different that >> uid >> + $st_search = >> LDAP_SEARCH_FIELD."=$userid"; >> + >> + // Need to set the right root search >> information. see ../index.php >> + if ($sr = ldap_search($ldap, >> LDAP_BASE_DN, "$st_search")) { + $info = >> ldap_get_entries($ldap, >> $sr); >> + if ($info["count"] > 0) { >> + ldap_close($ldap); >> + return true; >> + } >> + } else { >> + trigger_error("LDAP Search Failed >> " . LDAP_AUTH_HOST, E_USER_WARNING); >> + } >> + } else { >> + trigger_error("LDAP Search Failed " . >> LDAP_AUTH_HOST, E_USER_WARNING); >> } >> } else { >> trigger_error(_("Unable to connect to >> LDAP server "). LDAP_AUTH_HOST, E_USER_WARNING); 
>> @@ -1955,7 +1984,6 @@ >> return $this->_prefs; >> } >> } >> - >> >> // $Log: WikiUserNew.php,v $ >> // Revision 1.20 2004/02/26 01:29:11 rurban >> ------------------------------------------------------ >> >> You will need the following added to index.php >> >> //LDAP's Server Port. If using SSL, aka ldaps://, port >> should be 636 if (!defined('LDAP_PORT')) define('LDAP_PORT', "389"); >> >> //our AD's LDAP is locked down, no anonymous >> connections are //allowed. A real username / password must be given in >> order to perform //a search. if (!defined('LDAP_AUTH_USER')) >> define('LDAP_AUTH_USER', "CN=ldap >> user,CN=Users,DC=company,DC=com"); >> if (!defined('LDAP_AUTH_PASSWORD')) >> define('LDAP_AUTH_PASSWORD', "ldappassword"); >> >> >> //Defines which field of AD's LDAP to search for. >> needs to match the //username entered by the user in the webpage. >> //samaccountname = //Pre-Win2k username if >> (!defined('LDAP_SEARCH_FIELD')) >> define('LDAP_SEARCH_FIELD', "sAMAccountName"); >> >> Thanks, >> >> John Cole >> >> >> >> ------------------------------------------------------- >> SF.Net is sponsored by: Speed Start Your Linux Apps Now. >> Build and deploy apps & Web services for Linux with >> a free DVD software kit from IBM. Click Now! >> http://ads.osdn.com/?ad_id=1356&alloc_id=3438&op=click >> _______________________________________________ >> Phpwiki-talk mailing list >> Php...@li... >> https://lists.sourceforge.net/lists/listinfo/phpwiki-talk >> > > ------------------------------------------------------- This SF.Net email is sponsored by: IBM Linux Tutorials Free Linux tutorial presented by Daniel Robbins, President and CEO of GenToo technologies. Learn everything from fundamentals to system administration.http://ads.osdn.com/?ad_id=1470&alloc_id=3638&op=click _______________________________________________ Phpwiki-talk mailing list Php...@li... 
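Review bot: the @@ -459,6 +459,7 @@ hunk only inserts a blank line before `if (!$authlevel)`; it changes no behaviour, so it could be dropped to keep the diff focused on the LDAP changes.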
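Review bot: in the @@ -1370,25 +1371,38 @@ hunk of checkPass() the filter `$st_search = LDAP_SEARCH_FIELD."=$userid"` puts the submitted user id into the LDAP filter unescaped, so a wildcard, parenthesis or backslash in it changes what the search matches, and the loop then tries the submitted password against every DN returned; escape the value before building the filter and accept only a single hit. The `$passwd` to `$submitted_password` change is the real fix, but nothing refuses an empty `$submitted_password` before `ldap_bind($ldap, $dn, $submitted_password)`, and a simple bind with a DN and an empty password is an unauthenticated bind that Active Directory reports as successful by default, so an empty password should be rejected before the bind. The `trigger_error("LDAP Search Failed " . LDAP_AUTH_HOST, ...)` in the `else` branch of the service bind is misleading, since it is the bind as LDAP_AUTH_USER that failed, not the search; `ldap_error($ldap)` would give the reason. Also, `ldap_close($ldap)` is only called on the success path.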
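Review bot: the @@ -1406,13 +1420,28 @@ hunk in userExists() repeats the connect, option-setting, service-bind and search code from checkPass() almost line for line, including the unescaped filter, the misleading "LDAP Search Failed" message on the bind-failure branch and the missing `ldap_close` when no entry is found; moving the shared part into one helper that returns the matching entries and closes the connection on every path would fix both functions at once.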
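Review bot: the @@ -1955,7 +1984,6 @@ hunk removes a single blank line before the `// $Log:` comment; like the first hunk it is whitespace-only and unrelated to LDAP, so it can be left out of the patch.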
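As an added example that is not phpwiki code and not part of the thread above, the following PHP shows a hardened form of the two-step check the patch implements: a service bind (Active Directory refuses anonymous searches), a lookup of the user's DN by LDAP_SEARCH_FIELD, then a second bind as the user. It escapes the user id before it goes into the filter, refuses an empty password (which would otherwise be an unauthenticated bind that the server accepts), demands exactly one match, reports the actual bind error, and closes the connection on every path. The constant names follow the thread; the host, base DN and credentials are placeholders, ldapFindUserDn and ldapCheckPassword are names chosen here, and ldap_escape() needs PHP 5.6 or later.

```php
<?php
// Added example, not phpwiki's own code. Constant names mirror the thread;
// the values are placeholders. Uses the URI form of the host, so no LDAP_PORT.
define('LDAP_AUTH_HOST',     'ldap://ad.example.com:389');
define('LDAP_BASE_DN',       'DC=example,DC=com');
define('LDAP_AUTH_USER',     'CN=ldap user,CN=Users,DC=example,DC=com');
define('LDAP_AUTH_PASSWORD', 'placeholder-service-password');
define('LDAP_SEARCH_FIELD',  'sAMAccountName');

/**
 * Look up the DN of a user id with the already-bound service connection.
 * Returns the DN string, or null unless there is exactly one match.
 */
function ldapFindUserDn($ldap, $userid)
{
    // Escape filter metacharacters so the user id cannot alter the filter.
    $safeId = ldap_escape($userid, '', LDAP_ESCAPE_FILTER);
    $filter = '(' . LDAP_SEARCH_FIELD . '=' . $safeId . ')';

    // '1.1' asks for no attributes; we only need the DN of the entry.
    $sr = @ldap_search($ldap, LDAP_BASE_DN, $filter, array('1.1'));
    if ($sr === false) {
        trigger_error('LDAP search failed: ' . ldap_error($ldap), E_USER_WARNING);
        return null;
    }
    $entries = ldap_get_entries($ldap, $sr);
    // Several entries with the same id is an anomaly, not a login.
    if ($entries === false || $entries['count'] !== 1) {
        return null;
    }
    return $entries[0]['dn'];
}

/**
 * Verify a user id / password pair against the directory.
 * Returns true only when a simple bind with the user's own DN and a
 * non-empty password succeeds.
 */
function ldapCheckPassword($userid, $password)
{
    // An empty password would be an *unauthenticated* bind, which Active
    // Directory accepts by default; never forward it to the server.
    if ($userid === '' || $password === '') {
        return false;
    }

    $ldap = ldap_connect(LDAP_AUTH_HOST);
    if ($ldap === false) {
        trigger_error('Unable to connect to LDAP server ' . LDAP_AUTH_HOST, E_USER_WARNING);
        return false;
    }
    ldap_set_option($ldap, LDAP_OPT_PROTOCOL_VERSION, 3);
    ldap_set_option($ldap, LDAP_OPT_REFERRALS, 0);

    $ok = false;
    // Service bind: AD does not allow anonymous searches.
    if (@ldap_bind($ldap, LDAP_AUTH_USER, LDAP_AUTH_PASSWORD)) {
        $dn = ldapFindUserDn($ldap, $userid);
        // The second bind, as the user, is what proves knowledge of the password.
        if ($dn !== null && @ldap_bind($ldap, $dn, $password)) {
            $ok = true;
        }
    } else {
        trigger_error('LDAP service bind failed: ' . ldap_error($ldap), E_USER_WARNING);
    }
    ldap_close($ldap); // closed on every path
    return $ok;
}

// Hypothetical call site in the wiki's login handler:
// $level = ldapCheckPassword($userid, $submitted_password) ? WIKIAUTH_USER : false;
```

The service account named by LDAP_AUTH_USER only needs read access to the attribute being searched; since its password sits in the wiki's configuration in clear text, keeping that account unprivileged limits what an exposure of index.php would give away.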