From: John C. <joh...@ya...> - 2004-02-26 15:59:49
Well, I've been trying to get LDAP authentication working again with the current CVS version (as of this morning). I have made the modifications nessisary for the LDAP code to work with Active Directory, but I am still getting "Invalid password or userid". I went through the code and it appears that it is going through _checkPass with an empty stored password. I'm a little confused as to why it's going through there at all, since the old version had the ldap code in the pwcheck function. Did something get set wrong? Anyway, here are the modifications needed for geting the LDAP connection to work with AD: Add the following to index.php ------------------------------------------------- //LDAP's Server Port. If using SSL, aka ldaps://, port should be 636 if (!defined('LDAP_PORT')) define('LDAP_PORT', "389"); //our AD's LDAP is locked down, no anonymous connections are //allowed. A real username / password must be given in order to perform //a search. if (!defined('LDAP_AUTH_USER')) define('LDAP_AUTH_USER', "CN=ldap user,CN=Users,DC=uai,DC=int"); if (!defined('LDAP_AUTH_PASSWORD')) define('LDAP_AUTH_PASSWORD', "ldap4uai"); //Defines which field of AD's LDAP to search for. needs to match the //username entered by the user in the webpage. //samaccountname = //Pre-Win2k username if (!defined('LDAP_SEARCH_FIELD')) define('LDAP_SEARCH_FIELD', "sAMAccountName"); ------------------------------------------------- and here is a patch for WikiUserNew.php -------------------------------------------------------- Index: lib/WikiUserNew.php =================================================================== RCS file: /cvsroot/phpwiki/phpwiki/lib/WikiUserNew.php,v retrieving revision 1.20 diff -u -r1.20 WikiUserNew.php --- lib/WikiUserNew.php 26 Feb 2004 01:29:11 -0000 1.20 +++ lib/WikiUserNew.php 26 Feb 2004 15:32:27 -0000 
@@ -459,6 +459,7 @@ return false; // Nothing to do? $authlevel = $this->checkPass($passwd); + if (!$authlevel) return _("Invalid password or userid."); elseif ($authlevel < $require_level) 
@@ -1370,25 +1371,39 @@ function checkPass($submitted_password) { $this->_authmethod = 'LDAP'; $userid = $this->_userid; - if ($ldap = ldap_connect(LDAP_AUTH_HOST)) { // must be a valid LDAP server! - $r = @ldap_bind($ldap); // this is an anonymous bind - // Need to set the right root search information. see ../index.php - $sr = ldap_search($ldap, LDAP_BASE_DN, "uid=$userid"); - $info = ldap_get_entries($ldap, $sr); // there may be more hits with this userid. try every - for ($i = 0; $i < $info["count"]; $i++) { - $dn = $info[$i]["dn"]; - // The password is still plain text. - if ($r = @ldap_bind($ldap, $dn, $passwd)) { - // ldap_bind will return TRUE if everything matches - ldap_close($ldap); - $this->_level = WIKIAUTH_USER; - return $this->_level; + + if ($ldap = ldap_connect(LDAP_AUTH_HOST, LDAP_PORT)) { // must be a valid LDAP server! + ldap_set_option($ldap, LDAP_OPT_PROTOCOL_VERSION, 3); + ldap_set_option($ldap, LDAP_OPT_REFERRALS, 0); + + // anonymous binds do not work with active directory + if ($r = @ldap_bind($ldap, LDAP_AUTH_USER, LDAP_AUTH_PASSWORD)) { + // AD search field is different that uid + $st_search = LDAP_SEARCH_FIELD."=$userid"; + + // Need to set the right root search information. see ../index.php + if ($sr = ldap_search($ldap, LDAP_BASE_DN, "$st_search")) { + $info = ldap_get_entries($ldap, $sr); + + for ($i = 0; $i < $info["count"]; $i++) { + $dn = $info[$i]["dn"]; + + // The password is still plain text. + if ($r = @ldap_bind($ldap, $dn, $passwd)) { + // ldap_bind will return TRUE if everything matches + ldap_close($ldap); + $this->_level = WIKIAUTH_USER; + return $this->_level; + } + } + } else { + trigger_error("LDAP Search Failed " . LDAP_AUTH_HOST, E_USER_WARNING); } + } else { + trigger_error("LDAP Search Failed " . LDAP_AUTH_HOST, E_USER_WARNING); } } else { - trigger_error(fmt("Unable to connect to LDAP server %s", LDAP_AUTH_HOST), - E_USER_WARNING); - //return false; + trigger_error(_("Unable to connect to LDAP server "). 
LDAP_AUTH_HOST, E_USER_WARNING); } if (USER_AUTH_POLICY === 'strict') { @@ -1406,13 +1421,28 @@ function userExists() { $userid = $this->_userid; - if ($ldap = ldap_connect(LDAP_AUTH_HOST)) { // must be a valid LDAP server! - $r = @ldap_bind($ldap); // this is an anonymous bind - $sr = ldap_search($ldap, LDAP_BASE_DN, "uid=$userid"); - $info = ldap_get_entries($ldap, $sr); - if ($info["count"] > 0) { - ldap_close($ldap); - return true; + + if ($ldap = ldap_connect(LDAP_AUTH_HOST, LDAP_PORT)) { // must be a valid LDAP server! + ldap_set_option($ldap, LDAP_OPT_PROTOCOL_VERSION, 3); + ldap_set_option($ldap, LDAP_OPT_REFERRALS, 0); + + // anonymous binds do not work with active directory + if ($r = @ldap_bind($ldap, LDAP_AUTH_USER, LDAP_AUTH_PASSWORD)) { + // AD search field is different that uid + $st_search = LDAP_SEARCH_FIELD."=$userid"; + + // Need to set the right root search information. see ../index.php + if ($sr = ldap_search($ldap, LDAP_BASE_DN, "$st_search")) { + $info = ldap_get_entries($ldap, $sr); + if ($info["count"] > 0) { + ldap_close($ldap); + return true; + } + } else { + trigger_error("LDAP Search Failed " . LDAP_AUTH_HOST, E_USER_WARNING); + } + } else { + trigger_error("LDAP Search Failed " . LDAP_AUTH_HOST, E_USER_WARNING); } } else { trigger_error(_("Unable to connect to LDAP server "). LDAP_AUTH_HOST, E_USER_WARNING); @@ -1955,7 +1985,6 @@ return $this->_prefs; } } - // $Log: WikiUserNew.php,v $ // Revision 1.20 2004/02/26 01:29:11 rurban |
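Review bot: The new filter line `$st_search = LDAP_SEARCH_FIELD."=$userid";` in checkPass interpolates the login name the user typed straight into the LDAP search filter, so `*`, `(`, `)`, `\` and NUL in the userid rewrite the query instead of being matched literally; the identical line is in the userExists hunk on this same line and is carried unchanged into the second patch later in this thread. Escape the value before building the filter, e.g. `$st_search = LDAP_SEARCH_FIELD . '=' . str_replace(array('\\', '*', '(', ')', "\0"), array('\\5c', '\\2a', '\\28', '\\29', '\\00'), $userid);` (on PHP 5.6+ `ldap_escape($userid, '', LDAP_ESCAPE_FILTER)` does the same). The `else` branch that follows the service-account bind reports `"LDAP Search Failed "` although no search has run yet; `"LDAP bind as " . LDAP_AUTH_USER . " failed "` would send the operator to the right credential. The `LDAP_AUTH_USER`/`LDAP_AUTH_PASSWORD` constants the hunk relies on are plaintext defines in index.php, and the values pasted earlier in this message look like a real bind account, so they should be rotated. checkPass continues past the end of this hunk.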
From: John C. <joh...@ya...> - 2004-02-26 21:57:01
Ok, I got it working. There are a few issues here. First if you use strict USER_AUTH_POLICY with only LDAP defined, you will get an error Fatal error: Call to a member function on a non-object in C:\Program Files\Apache Group\Apache2\htdocs\phpwiki\lib\WikiUserNew.php on line 855 inside the checkPass function. using USER_AUTH_POLICY stacked works however. After, that is, the line if ($r = @ldap_bind($ldap, $dn, $passwd)) { is changed to if ($r = @ldap_bind($ldap, $dn, $submitted_password)) { Here is the patch to make LDAP actually work and work with Active Directory. I do not know if the AD stuff interfers with OpenLDAP or not. ----------------------------------------------- Index: lib/WikiUserNew.php =================================================================== RCS file: /cvsroot/phpwiki/phpwiki/lib/WikiUserNew.php,v retrieving revision 1.20 diff -u -r1.20 WikiUserNew.php --- lib/WikiUserNew.php 26 Feb 2004 01:29:11 -0000 1.20 +++ lib/WikiUserNew.php 26 Feb 2004 21:38:13 -0000 @@ -459,6 +459,7 @@ return false; // Nothing to do? $authlevel = $this->checkPass($passwd); + if (!$authlevel) return _("Invalid password or userid."); elseif ($authlevel < $require_level) 
@@ -1370,25 +1371,38 @@ function checkPass($submitted_password) { $this->_authmethod = 'LDAP'; $userid = $this->_userid; - if ($ldap = ldap_connect(LDAP_AUTH_HOST)) { // must be a valid LDAP server! - $r = @ldap_bind($ldap); // this is an anonymous bind - // Need to set the right root search information. see ../index.php - $sr = ldap_search($ldap, LDAP_BASE_DN, "uid=$userid"); - $info = ldap_get_entries($ldap, $sr); // there may be more hits with this userid. try every - for ($i = 0; $i < $info["count"]; $i++) { - $dn = $info[$i]["dn"]; - // The password is still plain text. - if ($r = @ldap_bind($ldap, $dn, $passwd)) { - // ldap_bind will return TRUE if everything matches - ldap_close($ldap); - $this->_level = WIKIAUTH_USER; - return $this->_level; + + if ($ldap = ldap_connect(LDAP_AUTH_HOST, LDAP_PORT)) { // must be a valid LDAP server! + ldap_set_option($ldap, LDAP_OPT_PROTOCOL_VERSION, 3); + ldap_set_option($ldap, LDAP_OPT_REFERRALS, 0); + + // anonymous binds do not work with active directory + if ($r = @ldap_bind($ldap, LDAP_AUTH_USER, LDAP_AUTH_PASSWORD)) { + // AD search field is different that uid + $st_search = LDAP_SEARCH_FIELD."=$userid"; + + // Need to set the right root search information. see ../index.php + if ($sr = ldap_search($ldap, LDAP_BASE_DN, "$st_search")) { + $info = ldap_get_entries($ldap, $sr); + + for ($i = 0; $i < $info["count"]; $i++) { + $dn = $info[$i]["dn"]; + // The password is still plain text. + if ($r = @ldap_bind($ldap, $dn, $submitted_password)) { + // ldap_bind will return TRUE if everything matches + ldap_close($ldap); + $this->_level = WIKIAUTH_USER; + return $this->_level; + } + } + } else { + trigger_error("LDAP Search Failed " . LDAP_AUTH_HOST, E_USER_WARNING); } + } else { + trigger_error("LDAP Search Failed " . LDAP_AUTH_HOST, E_USER_WARNING); } } else { - trigger_error(fmt("Unable to connect to LDAP server %s", LDAP_AUTH_HOST), - E_USER_WARNING); - //return false; + trigger_error(_("Unable to connect to LDAP server "). 
LDAP_AUTH_HOST, E_USER_WARNING); } if (USER_AUTH_POLICY === 'strict') { @@ -1406,13 +1420,28 @@ function userExists() { $userid = $this->_userid; - if ($ldap = ldap_connect(LDAP_AUTH_HOST)) { // must be a valid LDAP server! - $r = @ldap_bind($ldap); // this is an anonymous bind - $sr = ldap_search($ldap, LDAP_BASE_DN, "uid=$userid"); - $info = ldap_get_entries($ldap, $sr); - if ($info["count"] > 0) { - ldap_close($ldap); - return true; + + if ($ldap = ldap_connect(LDAP_AUTH_HOST, LDAP_PORT)) { // must be a valid LDAP server! + ldap_set_option($ldap, LDAP_OPT_PROTOCOL_VERSION, 3); + ldap_set_option($ldap, LDAP_OPT_REFERRALS, 0); + + // anonymous binds do not work with active directory + if ($r = @ldap_bind($ldap, LDAP_AUTH_USER, LDAP_AUTH_PASSWORD)) { + // AD search field is different that uid + $st_search = LDAP_SEARCH_FIELD."=$userid"; + + // Need to set the right root search information. see ../index.php + if ($sr = ldap_search($ldap, LDAP_BASE_DN, "$st_search")) { + $info = ldap_get_entries($ldap, $sr); + if ($info["count"] > 0) { + ldap_close($ldap); + return true; + } + } else { + trigger_error("LDAP Search Failed " . LDAP_AUTH_HOST, E_USER_WARNING); + } + } else { + trigger_error("LDAP Search Failed " . LDAP_AUTH_HOST, E_USER_WARNING); } } else { trigger_error(_("Unable to connect to LDAP server "). LDAP_AUTH_HOST, E_USER_WARNING); 
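Review bot: Nothing in checkPass rejects an empty submitted password before `if ($r = @ldap_bind($ldap, $dn, $submitted_password)) {`, and a simple bind with a DN plus an empty password is an unauthenticated bind that a directory may answer with success (RFC 4513 §5.1.2; Active Directory has historically done so by default), which would mark the user as WIKIAUTH_USER without a credential. Add a guard before the connect, e.g. `if ((string)$submitted_password === '') return false;`, keeping the failure value consistent with whatever the strict-policy branch below the hunk returns. The userExists hunk on this line never closes the handle when the bind fails or the search returns zero entries, and checkPass leaves it open on every failure path as well; an `ldap_close($ldap);` after the `if` chain would release the connection before the function falls through. checkPass starts on this hunk's first line but its body runs past the hunk.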
@@ -1955,7 +1984,6 @@ return $this->_prefs; } } - // $Log: WikiUserNew.php,v $ // Revision 1.20 2004/02/26 01:29:11 rurban ------------------------------------------------------ You will need the following added to index.php //LDAP's Server Port. If using SSL, aka ldaps://, port should be 636 if (!defined('LDAP_PORT')) define('LDAP_PORT', "389"); //our AD's LDAP is locked down, no anonymous connections are //allowed. A real username / password must be given in order to perform //a search. if (!defined('LDAP_AUTH_USER')) define('LDAP_AUTH_USER', "CN=ldap user,CN=Users,DC=company,DC=com"); if (!defined('LDAP_AUTH_PASSWORD')) define('LDAP_AUTH_PASSWORD', "ldappassword"); //Defines which field of AD's LDAP to search for. needs to match the //username entered by the user in the webpage. //samaccountname = //Pre-Win2k username if (!defined('LDAP_SEARCH_FIELD')) define('LDAP_SEARCH_FIELD', "sAMAccountName"); Thanks, John Cole |
From: Reini U. <ru...@x-...> - 2004-02-26 23:39:49
John, could you please zip your diff and attach it. email mangles it unreadable. A few things: LDAP_PORT is not needed. Just set LDAP_HOST = "ldaps://server:636" or LDAP_HOST = "ldap://server:389" Could you please try that out with your php_ldap.dll Thanks for the non-anonymous bind sample and for finding the stupid password error. John Cole schrieb: > Ok, I got it working. There are a few issues here. > First if you use strict USER_AUTH_POLICY with only > LDAP defined, you will get an error > > Fatal error: Call to a member function on a non-object > in C:\Program Files\Apache > Group\Apache2\htdocs\phpwiki\lib\WikiUserNew.php on > line 855 > > inside the checkPass function. > > using USER_AUTH_POLICY stacked works however. > > After, that is, > > the line > > if ($r = @ldap_bind($ldap, > $dn, $passwd)) { > > is changed to > > if ($r = @ldap_bind($ldap, > $dn, $submitted_password)) { > > > Here is the patch to make LDAP actually work and work > with Active Directory. I do not know if the AD stuff > interfers with OpenLDAP or not. > > ----------------------------------------------- > Index: lib/WikiUserNew.php > =================================================================== > RCS file: > /cvsroot/phpwiki/phpwiki/lib/WikiUserNew.php,v > retrieving revision 1.20 > diff -u -r1.20 WikiUserNew.php > --- lib/WikiUserNew.php 26 Feb 2004 01:29:11 -0000 > 1.20 > +++ lib/WikiUserNew.php 26 Feb 2004 21:38:13 -0000 > @@ -459,6 +459,7 @@ > return false; // Nothing to do? > > $authlevel = $this->checkPass($passwd); > + > if (!$authlevel) > return _("Invalid password or userid."); > elseif ($authlevel < $require_level) 
> @@ -1370,25 +1371,38 @@ > function checkPass($submitted_password) { > $this->_authmethod = 'LDAP'; > $userid = $this->_userid; > - if ($ldap = ldap_connect(LDAP_AUTH_HOST)) { > // must be a valid LDAP server! > - $r = @ldap_bind($ldap); // this is an > anonymous bind > - // Need to set the right root search > information. see ../index.php > - $sr = ldap_search($ldap, LDAP_BASE_DN, > "uid=$userid"); > - $info = ldap_get_entries($ldap, $sr); // > there may be more hits with this userid. try every > - for ($i = 0; $i < $info["count"]; $i++) { > - $dn = $info[$i]["dn"]; > - // The password is still plain text. > - if ($r = @ldap_bind($ldap, $dn, > $passwd)) { > - // ldap_bind will return TRUE if > everything matches > - ldap_close($ldap); > - $this->_level = WIKIAUTH_USER; > - return $this->_level; > + > + if ($ldap = ldap_connect(LDAP_AUTH_HOST, > LDAP_PORT)) { // must be a valid LDAP server! > + ldap_set_option($ldap, > LDAP_OPT_PROTOCOL_VERSION, 3); > + ldap_set_option($ldap, > LDAP_OPT_REFERRALS, 0); > + > + // anonymous binds do not work with > active directory > + if ($r = @ldap_bind($ldap, > LDAP_AUTH_USER, LDAP_AUTH_PASSWORD)) { > + // AD search field is different that > uid > + $st_search = > LDAP_SEARCH_FIELD."=$userid"; > + > + // Need to set the right root search > information. see ../index.php > + if ($sr = ldap_search($ldap, > LDAP_BASE_DN, "$st_search")) { > + $info = ldap_get_entries($ldap, > $sr); > + > + for ($i = 0; $i < $info["count"]; > $i++) { > + $dn = $info[$i]["dn"]; > + // The password is still > plain text. > + if ($r = @ldap_bind($ldap, > $dn, $submitted_password)) { > + // ldap_bind will return > TRUE if everything matches > + ldap_close($ldap); > + $this->_level = > WIKIAUTH_USER; > + return $this->_level; > + } > + } > + } else { > + trigger_error("LDAP Search Failed > " . LDAP_AUTH_HOST, E_USER_WARNING); > } > + } else { > + trigger_error("LDAP Search Failed " . 
> LDAP_AUTH_HOST, E_USER_WARNING); > } > } else { > - trigger_error(fmt("Unable to connect to > LDAP server %s", LDAP_AUTH_HOST), > - E_USER_WARNING); > - //return false; > + trigger_error(_("Unable to connect to > LDAP server "). LDAP_AUTH_HOST, E_USER_WARNING); > } > > if (USER_AUTH_POLICY === 'strict') { > @@ -1406,13 +1420,28 @@ > > function userExists() { > $userid = $this->_userid; > - if ($ldap = ldap_connect(LDAP_AUTH_HOST)) { > // must be a valid LDAP server! > - $r = @ldap_bind($ldap); > // this is an anonymous bind > - $sr = ldap_search($ldap, LDAP_BASE_DN, > "uid=$userid"); > - $info = ldap_get_entries($ldap, $sr); > - if ($info["count"] > 0) { > - ldap_close($ldap); > - return true; > + > + if ($ldap = ldap_connect(LDAP_AUTH_HOST, > LDAP_PORT)) { // must be a valid LDAP server! > + ldap_set_option($ldap, > LDAP_OPT_PROTOCOL_VERSION, 3); > + ldap_set_option($ldap, > LDAP_OPT_REFERRALS, 0); > + > + // anonymous binds do not work with > active directory > + if ($r = @ldap_bind($ldap, > LDAP_AUTH_USER, LDAP_AUTH_PASSWORD)) { > + // AD search field is different that > uid > + $st_search = > LDAP_SEARCH_FIELD."=$userid"; > + > + // Need to set the right root search > information. see ../index.php > + if ($sr = ldap_search($ldap, > LDAP_BASE_DN, "$st_search")) { > + $info = ldap_get_entries($ldap, > $sr); > + if ($info["count"] > 0) { > + ldap_close($ldap); > + return true; > + } > + } else { > + trigger_error("LDAP Search Failed > " . LDAP_AUTH_HOST, E_USER_WARNING); > + } > + } else { > + trigger_error("LDAP Search Failed " . > LDAP_AUTH_HOST, E_USER_WARNING); > } > } else { > trigger_error(_("Unable to connect to > LDAP server "). LDAP_AUTH_HOST, E_USER_WARNING); 
> @@ -1955,7 +1984,6 @@ > return $this->_prefs; > } > } > - > > // $Log: WikiUserNew.php,v $ > // Revision 1.20 2004/02/26 01:29:11 rurban > ------------------------------------------------------ > > You will need the following added to index.php > > //LDAP's Server Port. If using SSL, aka ldaps://, port > should be 636 > if (!defined('LDAP_PORT')) define('LDAP_PORT', "389"); > > //our AD's LDAP is locked down, no anonymous > connections are > //allowed. A real username / password must be given in > order to perform > //a search. > if (!defined('LDAP_AUTH_USER')) > define('LDAP_AUTH_USER', "CN=ldap > user,CN=Users,DC=company,DC=com"); > if (!defined('LDAP_AUTH_PASSWORD')) > define('LDAP_AUTH_PASSWORD', "ldappassword"); > > > //Defines which field of AD's LDAP to search for. > needs to match the > //username entered by the user in the webpage. > //samaccountname = > //Pre-Win2k username > if (!defined('LDAP_SEARCH_FIELD')) > define('LDAP_SEARCH_FIELD', "sAMAccountName"); > > Thanks, > > John Cole > > > > ------------------------------------------------------- > SF.Net is sponsored by: Speed Start Your Linux Apps Now. > Build and deploy apps & Web services for Linux with > a free DVD software kit from IBM. Click Now! > http://ads.osdn.com/?ad_id=1356&alloc_id=3438&op=click > _______________________________________________ > Phpwiki-talk mailing list > Php...@li... > https://lists.sourceforge.net/lists/listinfo/phpwiki-talk > -- Reini Urban http://xarch.tu-graz.ac.at/home/rurban/ |
From: Norberto M. <nu...@me...> - 2004-03-08 07:20:48
John, Reini, FWIW, I submitted a patch against 1.3.4 that enabled this functionality -- http://sourceforge.net/tracker/index.php?func=detail&aid=738150&group_id=6121&atid=306121 Some of the code and comments provided in this thread above looks quite similar (same?) to the one provided in my patch. I guess I used the wrong system to post that patch :-) I've had 1.3.4 running with this changes doing authentication against my W2K Active Directory since I've submitted the patch. I only have to spend some time figuring out how to enable LDAP queries over TLS against this AD (not sure how to enable it @ W2K end, no problems from PHP). The reason of using a specific define for LDAP_PORT was in case a user had an LDAP server running on another port without changing the lib/ files. Keep on the great work -- looking forward 1.3.8 + 1.4 :-) Best regards, -- Norberto Meijome | numard at meijome dot net "Everything is interesting if you go into it deeply enough." - Richard Feynman Reini Urban wrote: > John, > could you please zip your diff and attach it. > email mangles it unreadable. > > A few things: > LDAP_PORT is not needed. > Just set > LDAP_HOST = "ldaps://server:636" > or > LDAP_HOST = "ldap://server:389" > Could you please try that out with your php_ldap.dll > > Thanks for the non-anonymous bind sample and for finding the stupid > password error. > > John Cole schrieb: > >> Ok, I got it working. There are a few issues here. First if you use >> strict USER_AUTH_POLICY with only >> LDAP defined, you will get an error >> >> Fatal error: Call to a member function on a non-object >> in C:\Program Files\Apache >> Group\Apache2\htdocs\phpwiki\lib\WikiUserNew.php on >> line 855 >> >> inside the checkPass function. >> >> using USER_AUTH_POLICY stacked works however. 
>> >> After, that is, >> the line >> >> if ($r = @ldap_bind($ldap, >> $dn, $passwd)) { >> >> is changed to >> >> if ($r = @ldap_bind($ldap, >> $dn, $submitted_password)) { >> >> >> Here is the patch to make LDAP actually work and work >> with Active Directory. I do not know if the AD stuff >> interfers with OpenLDAP or not. >> >> ----------------------------------------------- >> Index: lib/WikiUserNew.php >> =================================================================== >> RCS file: >> /cvsroot/phpwiki/phpwiki/lib/WikiUserNew.php,v >> retrieving revision 1.20 >> diff -u -r1.20 WikiUserNew.php >> --- lib/WikiUserNew.php 26 Feb 2004 01:29:11 -0000 >> 1.20 >> +++ lib/WikiUserNew.php 26 Feb 2004 21:38:13 -0000 >> @@ -459,6 +459,7 @@ >> return false; // Nothing to do? >> >> $authlevel = $this->checkPass($passwd); >> + if (!$authlevel) >> return _("Invalid password or userid."); >> elseif ($authlevel < $require_level) 
>> @@ -1370,25 +1371,38 @@ >> function checkPass($submitted_password) { >> $this->_authmethod = 'LDAP'; >> $userid = $this->_userid; >> - if ($ldap = ldap_connect(LDAP_AUTH_HOST)) { >> // must be a valid LDAP server! >> - $r = @ldap_bind($ldap); // this is an >> anonymous bind >> - // Need to set the right root search >> information. see ../index.php >> - $sr = ldap_search($ldap, LDAP_BASE_DN, >> "uid=$userid"); >> - $info = ldap_get_entries($ldap, $sr); // >> there may be more hits with this userid. try every >> - for ($i = 0; $i < $info["count"]; $i++) { >> - $dn = $info[$i]["dn"]; >> - // The password is still plain text. >> - if ($r = @ldap_bind($ldap, $dn, >> $passwd)) { >> - // ldap_bind will return TRUE if >> everything matches >> - ldap_close($ldap); >> - $this->_level = WIKIAUTH_USER; >> - return $this->_level; >> + >> + if ($ldap = ldap_connect(LDAP_AUTH_HOST, >> LDAP_PORT)) { // must be a valid LDAP server! >> + ldap_set_option($ldap, >> LDAP_OPT_PROTOCOL_VERSION, 3); >> + ldap_set_option($ldap, >> LDAP_OPT_REFERRALS, 0); >> + + // anonymous binds do not work with >> active directory >> + if ($r = @ldap_bind($ldap, >> LDAP_AUTH_USER, LDAP_AUTH_PASSWORD)) { >> + // AD search field is different that >> uid >> + $st_search = >> LDAP_SEARCH_FIELD."=$userid"; >> + >> + // Need to set the right root search >> information. see ../index.php >> + if ($sr = ldap_search($ldap, >> LDAP_BASE_DN, "$st_search")) { + $info = >> ldap_get_entries($ldap, >> $sr); >> + >> + for ($i = 0; $i < $info["count"]; >> $i++) { >> + $dn = $info[$i]["dn"]; >> + // The password is still >> plain text. >> + if ($r = @ldap_bind($ldap, >> $dn, $submitted_password)) { >> + // ldap_bind will return >> TRUE if everything matches >> + ldap_close($ldap); >> + $this->_level = >> WIKIAUTH_USER; >> + return $this->_level; >> + } >> + } >> + } else { >> + trigger_error("LDAP Search Failed >> " . LDAP_AUTH_HOST, E_USER_WARNING); >> } >> + } else { >> + trigger_error("LDAP Search Failed " . 
>> LDAP_AUTH_HOST, E_USER_WARNING); >> } >> } else { >> - trigger_error(fmt("Unable to connect to >> LDAP server %s", LDAP_AUTH_HOST), - >> E_USER_WARNING); >> - //return false; >> + trigger_error(_("Unable to connect to >> LDAP server "). LDAP_AUTH_HOST, E_USER_WARNING); >> } >> >> if (USER_AUTH_POLICY === 'strict') { >> @@ -1406,13 +1420,28 @@ >> >> function userExists() { >> $userid = $this->_userid; >> - if ($ldap = ldap_connect(LDAP_AUTH_HOST)) { >> // must be a valid LDAP server! >> - $r = @ldap_bind($ldap); // this is an >> anonymous bind >> - $sr = ldap_search($ldap, LDAP_BASE_DN, >> "uid=$userid"); >> - $info = ldap_get_entries($ldap, $sr); >> - if ($info["count"] > 0) { >> - ldap_close($ldap); >> - return true; >> + >> + if ($ldap = ldap_connect(LDAP_AUTH_HOST, >> LDAP_PORT)) { // must be a valid LDAP server! >> + ldap_set_option($ldap, >> LDAP_OPT_PROTOCOL_VERSION, 3); >> + ldap_set_option($ldap, >> LDAP_OPT_REFERRALS, 0); >> + + // anonymous binds do not work with >> active directory >> + if ($r = @ldap_bind($ldap, >> LDAP_AUTH_USER, LDAP_AUTH_PASSWORD)) { >> + // AD search field is different that >> uid >> + $st_search = >> LDAP_SEARCH_FIELD."=$userid"; >> + >> + // Need to set the right root search >> information. see ../index.php >> + if ($sr = ldap_search($ldap, >> LDAP_BASE_DN, "$st_search")) { + $info = >> ldap_get_entries($ldap, >> $sr); >> + if ($info["count"] > 0) { >> + ldap_close($ldap); >> + return true; >> + } >> + } else { >> + trigger_error("LDAP Search Failed >> " . LDAP_AUTH_HOST, E_USER_WARNING); >> + } >> + } else { >> + trigger_error("LDAP Search Failed " . >> LDAP_AUTH_HOST, E_USER_WARNING); >> } >> } else { >> trigger_error(_("Unable to connect to >> LDAP server "). LDAP_AUTH_HOST, E_USER_WARNING); 
>> @@ -1955,7 +1984,6 @@ >> return $this->_prefs; >> } >> } >> - >> >> // $Log: WikiUserNew.php,v $ >> // Revision 1.20 2004/02/26 01:29:11 rurban >> ------------------------------------------------------ >> >> You will need the following added to index.php >> >> //LDAP's Server Port. If using SSL, aka ldaps://, port >> should be 636 if (!defined('LDAP_PORT')) define('LDAP_PORT', "389"); >> >> //our AD's LDAP is locked down, no anonymous >> connections are //allowed. A real username / password must be given in >> order to perform //a search. if (!defined('LDAP_AUTH_USER')) >> define('LDAP_AUTH_USER', "CN=ldap >> user,CN=Users,DC=company,DC=com"); >> if (!defined('LDAP_AUTH_PASSWORD')) >> define('LDAP_AUTH_PASSWORD', "ldappassword"); >> >> >> //Defines which field of AD's LDAP to search for. >> needs to match the //username entered by the user in the webpage. >> //samaccountname = //Pre-Win2k username if >> (!defined('LDAP_SEARCH_FIELD')) >> define('LDAP_SEARCH_FIELD', "sAMAccountName"); >> >> Thanks, >> >> John Cole >> >> >> >> ------------------------------------------------------- >> SF.Net is sponsored by: Speed Start Your Linux Apps Now. >> Build and deploy apps & Web services for Linux with >> a free DVD software kit from IBM. Click Now! >> http://ads.osdn.com/?ad_id=1356&alloc_id=3438&op=click >> _______________________________________________ >> Phpwiki-talk mailing list >> Php...@li... >> https://lists.sourceforge.net/lists/listinfo/phpwiki-talk >> > > |
From: Reini U. <ru...@x-...> - 2004-03-08 16:19:21
Norberto Meijome schrieb: > John, Reini, > FWIW, I submitted a patch against 1.3.4 that enabled this functionality Latest CVS code should work with Microsoft's Active Directory non-anonymous LDAP and LDAPS. See index.php and lib/WikiUserNew.php We don't maintain 1.3.4 anymore. -- Reini Urban http://xarch.tu-graz.ac.at/home/rurban/ |
From: John C. <joh...@ya...> - 2004-02-27 16:20:00
Attachments:
WikiUserNewLdapAD.zix
indexLDAPAD.zix
Reini, Here is the patch and the lines needed for AD in the index.php. Both are zipped so hopefully they will be readable. Note: you will need to rename the extension to zip, as SF is blocking all zip files. Thanks! John |