External User Authentication Development

Creating and modifying plugins.
smithdave
Regular
Posts: 5
Joined: Mon Jun 13, 2005 9:25 pm
Location: Hamilton, Ohio

External User Authentication Development

Post by smithdave »

I've been poking around at this for quite some time now, but since our LDAP server is up and running and we can test now...

I'm using Serendipity 0.9-beta1 with the External User Authentication plugin. Through earlier communication with Garvin I understand the basic workings of this plugin, however, I do not see it working.

If I attempt to login with a user that is not listed in the serendipity_authors table, the plugin should come into effect, match against the LDAP database, and if a result is found, create an account in serendipity_authors and log me in. When I attempt to login in this manner, I am unsuccessful, but I do not know why. Is there an error log from this plugin? A way to tell if the connection to the LDAP host is unsuccessful, or if a result is simply not found, or if the plugin is even being triggered?
garvinhicking
Core Developer
Posts: 30022
Joined: Tue Sep 16, 2003 9:45 pm
Location: Cologne, Germany

Re: External User Authentication Development

Post by garvinhicking »

Actually the plugin itself does not have much debugging, but is easy to add.

I've created one for you, here it is. It writes its logfile to /tmp/s9ldap.log, you can change that location inside the file.

http://nopaste.php-q.net/163485

Check out the logfile and please report back here. :)

Regards,
Garvin
# Garvin Hicking (s9y Developer)
# Did I help you? Consider making me happy: http://wishes.garv.in/
# or use my PayPal account "paypal {at} supergarv (dot) de"
# My "other" hobby: http://flickr.garv.in/
DOKool

Post by DOKool »

Garvin - I think this is really, really close to something I'm trying to implement at my school and despite my not being a code this plugin you've written is frighteningly close to doing what I need it to do -

Here's the situation: I'm a student at a college of about... oh, 380 students. The Alternative Media/Journalism Class, which I'm in, uses a blog for part of its coursework, and other classes are examining blogs as well.

The catch is, though, that our current platform (Zope) sucks ass. I could write pages upon pages as to how much I and the other students in the class hate it. But that's besides the point.

What we need is a new blogging platform that's a bit more user-friendly - however, for authentication, we need two things.

1. LDAP authentication. This is simple enough.
2. LDAP group-management. What we'd want is for only users in a certain LDAP group (using either posixgroups or a group attribute in the LDAP entry - I apologize if I'm confusing but I'm not a coder so I'm kinda flying by the seat of my pants here) to have access to post to the blog, but everyone with an LDAP account to be allowed to comment. This sounds doable in my head but I'm not sure how easy it'd be to implement.


Any guidance you can offer would be great - I've been headdesking regarding this problem for the past few weeks, and I'm ecstatic about the possibility of finally having a solution on my hands.

Thanks!
-Dan
DOKool

Post by DOKool »

-"despite not being a code" + "despite my not being a coder"

Yay for being up at the ass-crack of dawn...
garvinhicking
Core Developer
Posts: 30022
Joined: Tue Sep 16, 2003 9:45 pm
Location: Cologne, Germany

Post by garvinhicking »

Actually, doing LDAP group permissions is basically the same as what the current LDAP plugin does.

First off, you will need to do one of those things:

1. Enhance the proxy code of the LDAP plugin. Currently it only mirrors usernames and passwords into the native serendipity user table. You could enhance the plugin to fetch group permissions and then insert them into the serendipity authentication scheme through the serendipity_groups and serendipity_groupconfig tables (available in serendipity 0.9).

2. You could also write a drop-in replacement for the serendipity_checkPermission() function, found in serendipity 0.9 in the include/functions_config.inc.php file. With that you could query your LDAP connection for the permissions parameters. Even though the implementation here might be easier for you, it will also be slower. Doing permission checks via SQL is much faster.

Hope that might get you started?

Best regards,
Garvin
DOKool

Post by DOKool »

Garvin - thanks for the info. I've been talking to my contact in our CMS about this, and he suggested this:
It'd be much better if the blogging software simply has "hooks" for LDAP so that if you properly configure the LDAP server info the blogging software can leverage that for authentication (instead of handling authentication/authorization internally like most of these packages do).
As I mentioned before, I'm not a programmer, but I can do my best to mess around and try to figure this out. Sorry to bug you with so many questions...
garvinhicking
Core Developer
Posts: 30022
Joined: Tue Sep 16, 2003 9:45 pm
Location: Cologne, Germany

Post by garvinhicking »

Sadly LDAP is a pain in the back to simply "work with". Serendipity and most other blog applications require permission access on a SQL level to do many cross-joins. LDAP does not easily support this.

But maybe you can work on it to find a way; I personally am not very much liking LDAP and prefer proxy-caching the information to work faster with it.

The "hooks" of which the person speaks can be implemented easier by just editing the serendipity_checkPermission() function. If you prefer the plugin approach, you can easily add a plugin hook into that with a few lines:

Code:

    // Inside serendipity_checkPermission(), before the native SQL check:
    $permData = array('permName' => $permName, 'returnCode' => false);
    serendipity_plugin_api::hook_event('checkPermission', $permData);
    // A plugin that sets a non-false returnCode answers the check; otherwise fall through to the native check
    if ($permData['returnCode'] !== false) { return $permData['returnCode']; }

Then you can build plugins that listen on the checkPermission hook which validate against LDAP. This is what I described as method 2, and painfully slow if you do live LDAP-checkups.

But I need to suggest that you look for a programmer who is familiar with your LDAP layout and some PHP coding. The serendipity side is easy to work with; I can help you on that. The LDAP permission check itself I sadly cannot deliver.

Regards,
Garvin
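An added example, not code from the thread or from Serendipity itself, that ties the two things discussed above together: it is an event plugin listening on the checkPermission hook Garvin sketches (that hook is his proposal, not part of the 0.9 core), it answers DOKool's "only members of one LDAP group may post" requirement, and it logs connect, bind and search failures separately, which is the distinction smithdave asked for. The plugin class name, the LDAP host, bind DN, group base, the posixGroup/memberUid layout, the permission-to-group mapping and the session cache are all assumptions. It uses ldap_escape(), which exists only in PHP 5.6 and later, so the user-supplied values cannot alter the search filter.

```php
<?php
// Added example, not Serendipity's own code. Hypothetical plugin for the
// 'checkPermission' hook proposed in the thread; all names below are assumptions.
class serendipity_event_ldapgroupperm extends serendipity_event
{
    const LDAP_HOST  = 'ldap://ldap.example.edu';            // assumption
    const BIND_DN    = 'cn=blogreader,dc=example,dc=edu';    // read-only service account (assumption)
    const BIND_PW    = 'CHANGE-ME';
    const GROUP_BASE = 'ou=Groups,dc=example,dc=edu';        // assumption
    const LOGFILE    = '/tmp/s9ldap.log';                    // same path Garvin's debug build used
    const CACHE_TTL  = 300;   // seconds; proxy-cache so not every check is a live LDAP round-trip

    // Which Serendipity permission needs membership in which LDAP group (assumption)
    private $permGroups = array('adminEntries' => 'blogwriters');

    function introspect(&$propbag)
    {
        $propbag->add('name',        'LDAP group permissions');
        $propbag->add('description', 'Grants a permission when the user is in a given LDAP group');
        $propbag->add('event_hooks', array('checkPermission' => true));
    }

    function generate_content(&$title)
    {
        $title = 'LDAP group permissions';
    }

    function event_hook($event, &$bag, &$eventData, $addData = null)
    {
        global $serendipity;
        if ($event !== 'checkPermission' || !isset($this->permGroups[$eventData['permName']])) {
            return false;   // not a permission we manage; core's own check runs
        }
        $username = $serendipity['serendipityUser'];
        $group    = $this->permGroups[$eventData['permName']];

        // Session-scoped cache: Garvin's "proxy" idea in miniature
        $key = 'ldapgroup_' . $group . '_' . $username;
        if (isset($_SESSION[$key]) && $_SESSION[$key]['ts'] > time() - self::CACHE_TTL) {
            $member = $_SESSION[$key]['member'];
        } else {
            $member = $this->isGroupMember($username, $group);
            if ($member === null) {
                return true;  // LDAP unreachable: leave returnCode false, so the native check decides
            }
            $_SESSION[$key] = array('member' => $member, 'ts' => time());
        }
        // With the hook as sketched, false means "not answered", so this plugin can only grant.
        if ($member) {
            $eventData['returnCode'] = true;
        }
        return true;
    }

    private function log($msg)
    {
        error_log(date('c') . ' ' . $msg . "\n", 3, self::LOGFILE);
    }

    // true/false = membership answer; null = LDAP could not be queried (each cause logged separately)
    private function isGroupMember($username, $group)
    {
        $conn = @ldap_connect(self::LDAP_HOST);
        if (!$conn) {
            $this->log('connect failed: ' . self::LDAP_HOST);
            return null;
        }
        ldap_set_option($conn, LDAP_OPT_PROTOCOL_VERSION, 3);
        if (!@ldap_bind($conn, self::BIND_DN, self::BIND_PW)) {
            $this->log('bind failed: ' . ldap_error($conn));
            return null;
        }
        // Escape both values before they enter the filter (LDAP filter injection)
        $filter = sprintf('(&(objectClass=posixGroup)(cn=%s)(memberUid=%s))',
                          ldap_escape($group, '', LDAP_ESCAPE_FILTER),
                          ldap_escape($username, '', LDAP_ESCAPE_FILTER));
        $res = @ldap_search($conn, self::GROUP_BASE, $filter, array('cn'));
        if ($res === false) {
            $this->log('search failed: ' . ldap_error($conn));
            ldap_unbind($conn);
            return null;
        }
        $count = ldap_count_entries($conn, $res);
        ldap_unbind($conn);
        $this->log(sprintf('user=%s group=%s matches=%d', $username, $group, $count));
        return $count > 0;
    }
}
```

Two design points follow from the hook exactly as Garvin wrote it. Because returnCode === false means "no plugin answered", a plugin can grant a permission but cannot deny one; denying non-members therefore still relies on them not having the permission in the native serendipity_groups tables (or on changing the hook to use a distinct "undecided" value such as null). And the session cache is what keeps the live-LDAP approach from being the "painfully slow" one: the directory is asked once per user and group per CACHE_TTL, not on every permission check.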