
Problem with LDAP authentication

Help
Piotr
2013-04-05
2013-04-08
  • Piotr

    Piotr - 2013-04-05

    Hi,
    I'm trying to configure authentication using an LDAP server.
    As soon as I put the following option in data/config.php:
    $serviceoverrides['User'] = 'SemanticScuttle_Service_AuthUser';

    I receive the following error:
    XML Parsing Error: syntax error
    Location: http://host/bookmarks/login
    Line Number 2, Column 1:
    Deprecated: Assigning the return value of new by reference is deprecated in /usr/share/php/Auth.php on line 469
    ^

    When authentication debugging is turned on, the error message is as follows:
    Deprecated: Assigning the return value of new by reference is deprecated in /usr/share/php/Auth.php on line 469
    Warning: require_once(Log.php): failed to open stream: No such file or directory in /var/www-sites/SemanticScuttle/src/SemanticScuttle/Service/AuthUser.php on line 107
    Fatal error: require_once(): Failed opening required 'Log.php' (include_path='.:/usr/share/php:/usr/share/pear:/var/www-sites/SemanticScuttle/src/SemanticScuttle/../') in /var/www-sites/SemanticScuttle/src/SemanticScuttle/Service/AuthUser.php on line 107

    Any help will be appreciated,
    Piotr

     
  • Christian Weiske

    In your config file, add the following line:

    error_reporting(error_reporting() & ~E_DEPRECATED);

     
  • Piotr

    Piotr - 2013-04-05

    Unfortunately still the same.

     
  • Christian Weiske

    require_once(Log.php): failed to open stream
    Seems you also need to install the log package via the PEAR installer.

     
  • Piotr

    Piotr - 2013-04-06

    The problem is solved. I changed Auth.php, line 469 from:
    $obj =& new $storage_class($options);
    to:
    $obj = new $storage_class($options);
    and now LDAP authorization works.

     
  • Christian Weiske

    I think I know now what happened. You have debug mode enabled, and this overrides the error_reporting() setting in your configuration file.

    Either disable debugging, or modify src/SemanticScuttle/header.php from:
    error_reporting(E_ALL);
    to:
    error_reporting(E_ALL & ~E_DEPRECATED);

    Modifying libraries is not the best solution, since an update of the library will reset your changes.

     

    Last edit: Christian Weiske 2013-04-07
  • Piotr

    Piotr - 2013-04-07

    Yes, you are right. I noticed the same thing - the problem exists when $debugMode is set to true. Now I have set $debugMode to false, restored the original library files and everything works OK.

    Thank you for your help!

    BTW - the documentation for external authentication should be changed. The following config options make no sense in my opinion:
    'binddn' => 'readuser',
    'bindpw' => 'readuser',
    'userattr' => 'sAMAccountName',

    At least the first two options are not necessary. The last one could be used for other functionality - for mapping particular properties from the LDAP directory to user properties in the SemanticScuttle DB (e.g. CN can be used as the user name, MAIL as the user's email address). Of course in different LDAP directories those properties can be named differently, so such a mapping should be configurable.

    Regards,
    Piotr

     
  • Christian Weiske

    The following config options make no sense in my opinion:
    'binddn' => 'readuser',
    'bindpw' => 'readuser',
    'userattr' => 'sAMAccountName',

    binddn and bindpw are needed when your LDAP server does not allow anonymous access. userattr is needed because it's the LDAP property that the user name gets matched against.

     
  • Piotr

    Piotr - 2013-04-08

    I don't get it. If binddn and bindpw are provided in the configuration, how is authentication done? I was assuming that the user should provide their credentials (i.e. username and password) to verify them against LDAP, and that userattr is just used to point to which LDAP property should be retrieved.

     
  • Christian Weiske

    I don't get it. If binddn and bindpw are provided in the configuration, how is authentication done? I was assuming that the user should provide their credentials (i.e. username and password) to verify them against LDAP.

    There are two models of LDAP authentication:

    1. use user-given name and password to log into the LDAP server. You're limited to the DN of the LDAP user object here.
    2. use pre-configured username and password to log into the LDAP server, then use this connection to find an object whose username and password match the user-supplied ones. This makes it possible to use e.g. the email address as user name, instead of needing to provide a full DN as user name.
     
  • Piotr

    Piotr - 2013-04-08

    OK, so when the DN is the same for all users, option number 1 can be used.

    When DN includes some specific user information, only option number 2 can be used.

     
