From: William L. <le...@k2...> - 2006-06-21 22:41:39

Hello all,
I've been working on getting phpwiki to use LDAP to authenticate users in the Windows Active Directory, but I'm not doing so well.

I can get Apache to use LDAP for basic authentication, and I could just do that on the directory the wiki is in and set up the wiki for anonymous use, but that's not so clean.

I think it is just going to be a matter of getting the config.ini right.

Here is what I have:

ldapclient is a user on my domain. This is the initial user to bind to. This account is working because the other LDAP connection uses it.
server4.pdi.com is a domain controller on the network.
The LDAP port is 389. This is working because the other connection uses it.
WikiUsers is a group of users that should be able to access the wiki.
The domain is named pdi.com.

So from my config.ini:

USER_AUTH_ORDER = "LDAP"
USER_AUTH_POLICY = stacked
LDAP_AUTH_HOST = "ldap://server4.pdi.com:389"
LDAP_BASE_DN = "ou=Users,dc=pdi.com"
LDAP_SET_OPTION = "LDAP_OPT_PROTOCOL_VERSION=3:LDAP_OPT_REFFERALS=0"
LDAP_AUTH_USER = "cn=ldapclient,ou=Users,dc=pdi.com"
LDAP_AUTH_PASSWORD = thisisnottherealpassword
LDAP_SEARCH_FIELD = sAMAccountName
LDAP_OU_USERS = ou=Users
LDAP_OU_GROUP = ou=Groups

I'm sure it's just a matter of getting the right things in here, but I am pretty ignorant when it comes to LDAP. Any help or an example of a configuration for connecting to Active Directory would be appreciated.

Thanks,
-William
From: William L. <le...@k2...> - 2006-06-26 20:20:33

I've been digging through the code trying to figure out why I can't authenticate, and the best I can tell, an instance of _LDAPPassUser never gets created. This tells me that I have some other problem I need to deal with before worrying about the LDAP-specific settings. Basically I know that _LDAPPassUser->checkPass will never run until this is fixed on my install.

Is there any overview of the authentication code out there, or can someone provide one? I feel like I am missing something in my understanding of how this part of the code works.

-William

William Leader wrote:
> Hello all,
> I've been working on getting phpwiki to use LDAP to authenticate
> users in the windows active directory. but I'm not doing so well.
>
> I can get apache to use LDAP for basic authentication, and I could just
> do that on the directory the wiki is and setup the wiki for anonymous
> use, but that's not so clean.
>
> I think it is just going to be a matter of getting the config.ini right.
>
> here is what i have:
>
> ldapclient is a user on my domain. This is the initial user to bind to.
> This account is working because the other ldap connection uses it.
> server4.pdi.com is a domain controller on the network.
> the ldap port is 389, This is working because the other connection uses it.
> WikiUsers is a group of users that should be able to access the wiki.
> The domain is named pdi.com
>
> So from my config.ini:
>
> USER_AUTH_ORDER = "LDAP"
> USER_AUTH_POLICY = stacked
> LDAP_AUTH_HOST = "ldap://server4.pdi.com:389"
> LDAP_BASE_DN = "ou=Users,dc=pdi.com"
> LDAP_SET_OPTION = "LDAP_OPT_PROTOCOL_VERSION=3:LDAP_OPT_REFFERALS=0"
> LDAP_AUTH_USER = "cn=ldapclient,ou=Users,dc=pdi.com"
> LDAP_AUTH_PASSWORD = thisisnottherealpassword
> LDAP_SEARCH_FIELD = sAMAccountName
> LDAP_OU_USERS = ou=Users
> LDAP_OU_GROUP = ou=Groups
>
> I'm sure it's just a matter of getting the right things in here, but I am
> pretty ignorant when it comes to LDAP. Any help or an example of a
> configuration for connecting to active directory would be appreciated.
>
> Thanks,
> -William
From: Manuel V. <man...@gm...> - 2006-06-27 19:24:39

2006/6/26, William Leader <le...@k2...>:
> I've been digging through the code trying to figure out why I can't
> authenticate, and the best I can tell, an instance of _LDAPPassUser
> never gets created. This tells me that I have some other problem I need
> to deal with before worrying about the LDAP specific settings. Basically
> I know that _LDAPPassUser->checkPass will never run until this is fixed
> on my install.
>
> Is there any overview of the authentication code out there, or can
> someone provide one? I feel like I am missing something in my
> understanding of how this part of the code works.

Which version of phpwiki are you running?

Does it change something if you put
USER_AUTH_POLICY = first-only

-- Manuel
From: William L. <le...@k2...> - 2006-06-28 18:04:53

The version is 1.3.12p2. I have tried changing USER_AUTH_POLICY = first-only as you suggested, but it doesn't seem to help.

I have noticed that the constructor for GroupLDAP only runs when the session is first established. As far as I can tell this is the only place where new _LDAPPassUser gets called. But this is before I enter a user name and password. When I do enter a username and password, GroupLDAP's constructor never runs, and new _LDAPPassUser is therefore not called. Basically the only time I have observed _LDAPPassUser be created is before I have the opportunity to supply a username and password.

It frustrates me because I have seen posts by other users saying they have Active Directory working on their wiki (I think it might have been you, Manuel), so I know it is supposed to be possible, and I find it hard to believe that something here got broken in a recent release.

Would it be too much to ask if anyone could provide a working example of a complete config.ini that connects to Active Directory?

-Will

Manuel Vacelet wrote:
> Which version of phpwiki are you running ?
>
> Does it change sth if you put
> USER_AUTH_POLICY= first-only
>
> -- Manuel
From: William L. <le...@k2...> - 2006-06-29 10:16:21

I have been able to make some progress on the problem. I started by reverting the config.ini file and configuring it again. This time I was able to get a "Call to undefined function: ldap_connect() in LDAP.php line 16". This is good because it never did that before, so it seems that I was missing something in my config.ini to start with. To get past this problem, I had to uncomment extension=php_ldap.dll in my php.ini. So now it seems that it is really trying to use LDAP, but I am still not completely there. With the debug set to 65 in config.ini, I can now get something like this when logging in:

DEBUG: ALLOW_ANON_EDIT = false, ALLOW_BOGO_LOGIN = false, ALLOW_USER_PASSWORDS = true, ENABLE_PAGEPERM = true, USER_AUTH_ORDER: => LDAP (nosuchuser) => Forbidden, USER_AUTH_POLICY: first-only, PASSWORD_LENGTH_MINIMUM: 0

Correct me if I am wrong, but that tells me that the LDAP code was unable to verify that the supplied user name doesn't exist. I am basing this assumption on the part that reads "USER_AUTH_ORDER: => LDAP (nosuchuser) => Forbidden", meaning LDAP reported that no such user exists, and since LDAP is the only allowed option on my wiki, failing that the only choice remaining was Forbidden user.

Upon double checking the config.ini, I found that the configurator.php script commented out the LDAP settings. I uncommented and changed what I think is correct, based on the hints in the config.ini:

LDAP_AUTH_HOST = "ldap://12.161.32.40:389"
;12.161.32.40 is the address of the Active Directory server as it is seen from the webserver.
;it does run on port 389, because I have been able to configure other programs to connect on that port.

LDAP_BASE_DN = "ou=Users,o=WikiUsers,dc=pdi.com"
;I don't know enough about LDAP to know if this is right.
;the original config had o=developement
;not being sure what that was I guessed that it is supposed to be the group.
;WikiUsers is the group on Active Directory that contains the users that should have access to the wiki.
;pdi.com is the name of the domain.

LDAP_SET_OPTION = "LDAP_OPT_PROTOCOL_VERSION=3:LDAP_OPT_REFERRALS=0"
;I've heard somewhere active directory needs these, so I just uncommented this line.

LDAP_AUTH_USER = "CN=ldapclient,ou=Users,o=WikiUsers,dc=pdi.com"
;I also know that active directory needs a user to log in as to query the directory
;ldapclient is a user in my domain created just for that purpose, the rest of the line
;was similar to Base_DN so this was also modified in the same way as base_DN

LDAP_AUTH_PASSWORD = secret
;the password was changed to match what is in active directory.

LDAP_SEARCH_FIELD = sAMAccountName
;i've also heard somewhere that active directory needs this line to search by the old style username (will instead of wi...@pd...)

LDAP_OU_USERS = ou=Users
LDAP_OU_GROUP = ou=Groups
;i don't know what these last two do. so I just uncommented them.

With all these changes I now get an error when logging into the wiki:

lib\WikiUser\LDAP.php:28: Warning[2]: ldap_bind() [<a href='function.ldap-bind'>function.ldap-bind</a>]: Unable to bind to server: Invalid credentials
lib\WikiUser\LDAP.php:37: Warning[512]: Unable to bind LDAP server ldap://12.161.32.40:389 using CN=ldapclient,ou=Users,o=WikiUsers,dc=pdi.com secret

And this is where I am stuck.

-Will
From: William L. <le...@k2...> - 2006-06-29 11:08:45

I have been able to make further progress by changing these two settings:

LDAP_BASE_DN = "DC=PDI,DC=com"
LDAP_AUTH_USER = "CN=ldapclient,CN=Users,DC=PDI,DC=com"

Now when I try to log in as any user that is in the Active Directory I get:
USER_AUTH_ORDER: => LDAP => Forbidden,

But if I use anything that doesn't exist in the Active Directory I get:
USER_AUTH_ORDER: => LDAP (nosuchuser) => Forbidden,

So at the very least I do know that it is connecting and properly checking if the users exist. However, I am still not able to log in with a valid user name and password.

William Leader wrote:
> I have been able to make some progress on the problem. I started by
> reverting the config.ini file and configuring it again. This time is was
> able to get a Call to undefined function: ldap_connect() in LDAP.php
> line 16. This is good because it never did that before so. It seems that
> I was missing something in my config.ini to start with. So to get past
> this problem, I had to uncomment extension=php_ldap.dll in my php.ini.
> So now it seems that it is really trying to use LDAP, but I am still not
> completely there. With the debug set to 65 in config.ini, I can now get
> something like this when logging in:
>
> DEBUG: ALLOW_ANON_EDIT = false, ALLOW_BOGO_LOGIN = false,
> ALLOW_USER_PASSWORDS = true, ENABLE_PAGEPERM = true, USER_AUTH_ORDER: =>
> LDAP (nosuchuser) => Forbidden, USER_AUTH_POLICY: first-only,
> PASSWORD_LENGTH_MINIMUM: 0
>
> Correct me if I am wrong, but that tells me that the LDAP code was
> unable to verify that the supplied user name doesn't exist. I am basing
> this assumption from the part that reads "USER_AUTH_ORDER: => LDAP
> (nosuchuser) => Forbidden" meaning LDAP reported that no such user
> exists, and since LDAP is the only allowed option on my wiki, failing
> that the only choice remaining was Forbidden user.
>
> Upon double checking the config.ini, I found that the configurator.php
> script commented out the LDAP settings. I uncommented and changed what I
> think is correct, based on the hints in the config.ini:
>
> LDAP_AUTH_HOST = "ldap://12.161.32.40:389"
> ;12.161.32.40 is the address of the Active Directory server as it is
> seen from the webserver.
> ;it does run on port 389, because I have been able to configure other
> programs to connect on that port.
>
> LDAP_BASE_DN = "ou=Users,o=WikiUsers,dc=pdi.com"
> ;I don't know enough about LDAP to know if this is right.
> ;the original config had o=developement
> ;not being sure what that was I guessed that it is supposed to be the group.
> ;WikiUsers is the group on Active Directory that contains the users that
> should have access to the wiki.
> ;pdi.com is the name of the domain.
>
> LDAP_SET_OPTION = "LDAP_OPT_PROTOCOL_VERSION=3:LDAP_OPT_REFERRALS=0"
> ;I've heard somewhere active directory needs these, so I just
> uncommented this line.
>
> LDAP_AUTH_USER = "CN=ldapclient,ou=Users,o=WikiUsers,dc=pdi.com"
> ;I also know that active directory needs a user to log in as to query
> the directory
> ;ldapclient is a user in my domain created just for that purpose, the
> rest of the line
> ;was similar to Base_DN so this was also modified in the same way as base_DN
>
> LDAP_AUTH_PASSWORD = secret
> ;the password was changed to match what is in active directory.
>
> LDAP_SEARCH_FIELD = sAMAccountName
> ;i've also heard somewhere that active directory needs this line to
> search by the old style username (will instead of wi...@pd...)
>
> LDAP_OU_USERS = ou=Users
> LDAP_OU_GROUP = ou=Groups
> ;i don't know what these last two do. so I just uncommented them.
>
> With all these changes I now get an error when logging into the wiki:
>
> lib\WikiUser\LDAP.php:28: Warning[2]: ldap_bind() [<a
> href='function.ldap-bind'>function.ldap-bind</a>]: Unable to bind to
> server: Invalid credentials
> lib\WikiUser\LDAP.php:37: Warning[512]: Unable to bind LDAP server
> ldap://12.161.32.40:389 using
> CN=ldapclient,ou=Users,o=WikiUsers,dc=pdi.com secret
>
> And this is where I am stuck.
>
> -Will
From: William L. <le...@k2...> - 2006-06-29 21:21:09

After lots more digging, here is where I am at. The code is calling the _PassUser constructor. Inside the constructor, right around line 880 or so, there is the block of code that only runs when USER_AUTH_POLICY = first-only:

$class = $this->nextClass();
return new $class($UserName,$this->_prefs);

What's interesting is that if we follow the code back up and examine the result, it is a _PassUser, but a _LDAPPassUser was expected. So I got to thinking that something must not be right with the line:

return new $class($UserName,$this->_prefs);

That runs when Auth Policy is first-only, but there is different code that runs when USER_AUTH_POLICY = old, which should behave the same way as long as USER_AUTH_ORDER = "LDAP", right? So one quick change to the config.ini and I can now log in. My guess is that the code that runs for the old Auth Policy explicitly calls _LDAPPassUser's constructor. So

return new $class($UserName,$this->_prefs);

does not behave the same as

return new _LDAPPassUser($UserName,$this->_prefs);

Things still weren't quite right. I had to adjust a few more seemingly unrelated settings before things were completely working the way I want them to. After some review of my config.ini, here are the values that needed to be changed to make it work:

USER_AUTH_ORDER = "LDAP"
USER_AUTH_POLICY = old
CATEGORY_GROUP_PAGE = "CategoryGroup"
;not sure if CATEGORY_GROUP_PAGE was really needed.
LDAP_AUTH_HOST = "ldap://127.0.0.1:389"
LDAP_BASE_DN = "DC=PDI,DC=com"
LDAP_SET_OPTION = "LDAP_OPT_PROTOCOL_VERSION=3:LDAP_OPT_REFERRALS=0"
LDAP_AUTH_USER = "CN=ldapclient,CN=Users,DC=PDI,DC=com"
LDAP_AUTH_PASSWORD = secret
LDAP_SEARCH_FIELD = sAMAccountName
LDAP_OU_USERS = "OU=Users"
LDAP_OU_GROUP = "OU=Users"
AUTH_SESS_USER = "userid"
AUTH_SESS_LEVEL = 2

Some observations:

I had tried setting ENABLE_PAGEPERM on, but this doesn't appear to work yet with LDAP. The comments mention something about a gidnumber, but it seems silly for me to have to add some attribute like that when an Active Directory group has a Members attribute with a list of members in it. If I can find the time to do it, I may try to hack up GroupLdap's membership functions to do things the Active Directory way; it depends on how much free time I have.

Active Directory appears to be case sensitive on the LDAP stuff. I had to make all the DC, OU, CN, etc. uppercase before the connections to LDAP would work. I'm not 100% sure this is true; can anyone who knows more about AD and LDAP confirm this?

Currently any account in the Active Directory can log in. This isn't what I want, but it will have to do for now. Since the group code isn't working, it's probably related to that. If anyone has gotten their phpwiki set up so that only members of a certain group can log in, I would like to hear from them.

-Will

William Leader wrote:
> I have been able to make further progress by changing these two settings:
>
> LDAP_BASE_DN = "DC=PDI,DC=com"
> LDAP_AUTH_USER = "CN=ldapclient,CN=Users,DC=PDI,DC=com"
>
> Now when I try to log in as any user that is in the active directory I get:
> USER_AUTH_ORDER: => LDAP => Forbidden,
>
> But if I use anything that doesn't exist in the active directory I get:
> USER_AUTH_ORDER: => LDAP (nosuchuser) => Forbidden,
>
> So at the very least I do know that it is connecting and properly
> checking if the users exist. However I am still not able to log in with
> a valid user name and password
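The following is an added example, not code from the thread or from phpwiki's lib/WikiUser/LDAP.php. It walks through the sequence the working settings above map onto (bind with the ldapclient service account, look the user up by sAMAccountName under the base DN, re-bind as that user to check the password) and adds the memberOf check Will was missing so that only members of the WikiUsers group are accepted. The host, base DN and service-account DN are the values from the thread; the DN assumed for the WikiUsers group, the `ad_authenticate` function name and its arguments are assumptions.

```php
<?php
// Added example (not phpwiki's own code): authenticate against Active Directory
// with PHP's ext/ldap, then require membership of the WikiUsers group.
function ad_authenticate(string $username, string $password): bool
{
    $host    = 'ldap://127.0.0.1:389';                  // LDAP_AUTH_HOST
    $baseDn  = 'DC=PDI,DC=com';                          // LDAP_BASE_DN
    $bindDn  = 'CN=ldapclient,CN=Users,DC=PDI,DC=com';   // LDAP_AUTH_USER
    $bindPw  = 'secret';                                 // LDAP_AUTH_PASSWORD (placeholder)
    $groupDn = 'CN=WikiUsers,CN=Users,DC=PDI,DC=com';    // assumed DN of the WikiUsers group

    // AD accepts an empty password as an unauthenticated bind that "succeeds",
    // so an empty password must be rejected before any bind is attempted.
    if ($password === '') {
        return false;
    }
    $conn = ldap_connect($host);
    if ($conn === false) {
        return false;
    }
    // Same as LDAP_SET_OPTION = "LDAP_OPT_PROTOCOL_VERSION=3:LDAP_OPT_REFERRALS=0"
    ldap_set_option($conn, LDAP_OPT_PROTOCOL_VERSION, 3);
    ldap_set_option($conn, LDAP_OPT_REFERRALS, 0);

    // Step 1: bind as the service account so the directory can be searched.
    if (!@ldap_bind($conn, $bindDn, $bindPw)) {
        ldap_unbind($conn);
        return false;                       // the "Invalid credentials" case seen above
    }
    // Step 2: resolve the login name to a DN via sAMAccountName (LDAP_SEARCH_FIELD).
    // ldap_escape() keeps a crafted login name from changing the filter's meaning.
    $filter  = '(&(objectClass=user)(sAMAccountName='
             . ldap_escape($username, '', LDAP_ESCAPE_FILTER) . '))';
    $result  = ldap_search($conn, $baseDn, $filter, ['dn', 'memberOf']);
    $entries = $result ? ldap_get_entries($conn, $result) : ['count' => 0];
    if ($entries['count'] !== 1) {
        ldap_unbind($conn);
        return false;                       // "nosuchuser" (or an ambiguous match)
    }
    $userDn = $entries[0]['dn'];

    // Step 3: re-bind as the user; this is the actual password check.
    $ok = @ldap_bind($conn, $userDn, $password);
    ldap_unbind($conn);
    if (!$ok) {
        return false;
    }
    // Step 4: AD records membership on the user as memberOf (and on the group as
    // member); ldap_get_entries() lowercases attribute names, hence 'memberof'.
    $groups = $entries[0]['memberof'] ?? ['count' => 0];
    for ($i = 0; $i < $groups['count']; $i++) {
        if (strcasecmp($groups[$i], $groupDn) === 0) {
            return true;
        }
    }
    return false;                           // valid account, but not in WikiUsers
}
```

memberOf only lists direct membership, so a user who belongs to WikiUsers through a nested group would still be rejected by this check.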
From: Manuel V. <man...@gm...> - 2006-07-03 13:34:29

2006/6/29, William Leader <le...@k2...>:
> Currently any account in the Active Directory can log in. This isn't
> what I want, but it will have to do for now. Since the Group code isn't
> working, its probably related to that. If anyone has gotten their php
> wiki setup so that only members of a certain group can login, I would
> like to hear from them.

Woo! You did a lot of digging.

Unfortunately I cannot help you much since I never relied on an AD and I don't use the group feature of phpwiki yet.

What I've heard about AD when I was developing an LDAP connection for another tool is:
* group usage of AD is a nightmare (i.e. if your software is not tested and validated with AD, it will probably not work out of the box).

Note: other LDAP servers do not seem to be case sensitive in LDAP queries.

-- Manuel