#58 Another LDAP fix


If a user is present in users_users and can be
authenticated against LDAP, validate_user should return

to be inserted after line 286:

// if the user was logged into Auth and found in Tiki
elseif ($userAuth && $userTikiPresent) {
    return true;
}


  • teedog

    teedog - 2003-08-17

    Hi Ralf,

    Why is this needed? In the function that calls
    validate_user_auth, there's this code:

    // if the user verified in Tiki and Auth, log in
    if($userAuth && $userTiki)
    return $this->update_lastlogin($user);

  • Jacco Ligthart

    Jacco Ligthart - 2003-09-20

    This is something I also ran into.
    The keyword here is 'Present'

    I want to have a single sign on system, where the leading
    database is the LDAP. At this moment tiki users are allowed
    to change their pass in tiki (where can I turn this off?)
    Which leads to two different passes. More important the one
    which is in LDAP doesn't work anymore.
    This is the situation where $userAuth and $userTikiPresent
    are both true. In the code this leads to line 274 which
    should be impossible.

    So I think line 208 should read $userTikiPresent. But I
    can't oversee at this moment if there should be any password
    sync for other purposes in tiki.


  • Jacco Ligthart

    Jacco Ligthart - 2003-09-20

    Hmm, I'm playing a bit with this, and now it's possible to
    get at line 274 with $userTiki and $userAuthPresent both
    true ...

    This is more or less correct.
    If there are two tri-state variables, that makes six
    possibilities, and there are only four in the code.


  • Ralf E. Lueders

    Ralf E. Lueders - 2003-09-21

    Hi Jacco,

    actually the users have to be present in the users_users
    database for tiki to operate correctly. All permissions are
    checked against users and groups present in the tiki database
    as of now. Maybe in the future there will be code to check all
    users and groups permissions against an LDAP directory on-the-fly.
    For Tiki, I am using a Novell NDS LDAP directory to
    AUTHENTICATE users with their network password. I have
    written a perl script that imports all users and tiki-groups into
    tiki every 10 min. So tiki perms can be assigned to groups,
    and users will be assigned to those groups (i.e. roles) in the
    outside LDAP directory. Since passwords cannot be
    transferred from the Novell NDS LDAP system, the auth
    process is real-time.
    Anyway, this is not a perfect solution. We should improve the
    code to incorporate all possible scenarios.
    This implies major modifications though, because all user-related
    functions have to be extended with LDAP access.
    Maybe you are willing to help with a design concept for this.
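
    The uncovered combinations Jacco counts above, and the split Ralf
    describes (LDAP only authenticates; users_users and the local groups
    decide permissions), laid out as one explicit decision table. This is
    an added illustration, not Tiki's code: decide_login, the CHECK_*
    constants and the two string inputs are hypothetical stand-ins for the
    $userAuth / $userTikiPresent style checks in validate_user_auth, and the
    table covers all nine outcomes of two tri-state checks, denying every
    combination except "LDAP accepted the password and a local record exists".

```php
<?php
// Added illustration, not Tiki code. Models the two tri-state checks from the
// thread (LDAP authentication, presence in users_users) as a complete decision
// table that denies by default. All names here are hypothetical.

const CHECK_OK     = 'ok';      // password accepted / local record found
const CHECK_FAILED = 'failed';  // password rejected / no local record
const CHECK_ERROR  = 'error';   // backend unreachable or query failed: not a verdict

/**
 * Decide whether a login may proceed.
 *
 * $ldapAuth    outcome of binding against LDAP with the supplied password
 * $tikiPresent outcome of looking the user up in users_users
 * $reason      set to a human-readable explanation for the audit log
 *
 * Only one of the nine combinations grants access: LDAP accepted the password
 * AND a local record exists (permissions come from local users and groups).
 * Every other combination, including backend errors, is denied.
 */
function decide_login(string $ldapAuth, string $tikiPresent, ?string &$reason = null): bool
{
    $table = [
        'ok/ok'         => [true,  'LDAP authenticated; local record present'],
        'ok/failed'     => [false, 'LDAP authenticated but no users_users record (not imported yet)'],
        'ok/error'      => [false, 'LDAP authenticated but the local lookup errored'],
        'failed/ok'     => [false, 'local record present but LDAP rejected the password'],
        'failed/failed' => [false, 'unknown user: rejected by LDAP and absent locally'],
        'failed/error'  => [false, 'LDAP rejected the password; local lookup errored'],
        'error/ok'      => [false, 'LDAP unreachable; local record alone is not an authority'],
        'error/failed'  => [false, 'LDAP unreachable; no local record'],
        'error/error'   => [false, 'both backends errored'],
    ];

    $key = $ldapAuth . '/' . $tikiPresent;
    if (!isset($table[$key])) {
        // An unexpected value means a caller bug; fail closed rather than guess.
        $reason = 'unrecognised check outcome: ' . $key;
        return false;
    }
    [$allow, $reason] = $table[$key];
    return $allow;
}

// Walk every combination so the whole table is visible in one place.
$outcomes = [CHECK_OK, CHECK_FAILED, CHECK_ERROR];
foreach ($outcomes as $ldap) {
    foreach ($outcomes as $tiki) {
        $reason = null;
        $allow  = decide_login($ldap, $tiki, $reason);
        printf("ldap=%-6s tiki=%-6s -> %s (%s)\n",
               $ldap, $tiki, $allow ? 'ALLOW' : 'DENY', $reason);
    }
}
```

    Because the local password never enters the decision, the divergence
    Jacco describes (a password changed inside Tiki) cannot override the
    LDAP verdict, and a backend outage is treated as "no verdict" rather
    than as a pass.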
