Enhancements LDAP authentication

Discussion corner for Developers of Serendipity.
nappy_d
Regular
Posts: 13
Joined: Mon Nov 13, 2006 3:02 pm

Enhancements LDAP authentication

Post by nappy_d »

Hi,

I recently installed Serendipity and it looks great. It does seem a bit cumbersome to set up multiple users, as I plan to use this on our intranet.

That being said, is there any way to set up LDAP authentication that would:
  • add a user to the editor group or a group that I specify as the default group
    or a way to allow auto registration
Will a feature such as this be available maybe in the next version?

thanks!!
garvinhicking
Core Developer
Posts: 30022
Joined: Tue Sep 16, 2003 9:45 pm
Location: Cologne, Germany

Re: Enhancements LDAP authentication

Post by garvinhicking »

Hi!

Did you have a look at the LDAP authentication plugin already? It can synchronize users from an LDAP setup into the s9y user database.

Best regards,
Garvin
# Garvin Hicking (s9y Developer)
# Did I help you? Consider making me happy: http://wishes.garv.in/
# or use my PayPal account "paypal {at} supergarv (dot) de"
# My "other" hobby: http://flickr.garv.in/
nappy_d
Regular
Posts: 13
Joined: Mon Nov 13, 2006 3:02 pm

Post by nappy_d »

:oops:

Never thought to check there..(I am new to Serendipity)

Where is that located? I cannot seem to find it.

Thanks!!
garvinhicking
Core Developer
Posts: 30022
Joined: Tue Sep 16, 2003 9:45 pm
Location: Cologne, Germany

Post by garvinhicking »

Hi!

No problem. :) Have a look at the Link "Plugins/Templates" at the top of this layout: http://spartacus.s9y.org/ - there you can download plugins.

You can also fetch and download plugins if you install the serendipity Spartacus plugin!

Best regards,
Garvin
nappy_d
Regular
Posts: 13
Joined: Mon Nov 13, 2006 3:02 pm

Post by nappy_d »

Thanks!! This is looking great so far. I have one question for clarification on the LDAP plugin.

In our LDAP infrastructure (Active Directory), we require that a user be bound before lookups are performed.

I have another open source app that does such a thing that we use. The app is called phpScheduleIt.

Here is the code that is used to perform this task.

In the config.php it contains the following:

// LDAP Settings
// Should we use LDAP for authentication and enable transparent user registration.
// User registration data(mail, phone, etc.) is pulled from LDAP.
// If true the user will have to login with their LDAP uid instead of email address.
$conf['ldap']['authentication'] = true;
$conf['ldap']['host'] = 'hostNameOrIP';
$conf['ldap']['port'] = 389;
$conf['ldap']['lookupid'] = "org-unique=orgUserName,ou=internal,ou=people,dc=org,dc=com"; //Acct for lookup on LDAP server
$conf['ldap']['lookuppwd'] = "password"; // LDAP password
// LDAP people search base. Set this to where people in your organization are stored in LDAP,
// typically ou=people,o=domain.com.
$conf['ldap']['basedn'] = "ou=people,dc=org,dc=com";

Then, the app contains a lib file that performs the binding etc. I assume your app uses a similar concept, except that it does not bind to LDAP first before performing lookups.

If this is the case is there a way to remedy this easily without a lot of re-write?
garvinhicking
Core Developer
Posts: 30022
Joined: Tue Sep 16, 2003 9:45 pm
Location: Cologne, Germany

Post by garvinhicking »

Hi!

Our LDAP plugin is pretty easy, maybe you should just have a look at it? I believe it does bind to LDAP.

I myself don't use LDAP; I wrote the plugin more as a proof of concept. :)

Best regards,
Garvin
nappy_d
Regular
Posts: 13
Joined: Mon Nov 13, 2006 3:02 pm

Post by nappy_d »

I was looking through the LDAP PHP files and I did not see anything such as what I have pasted below. This is the function I need to occur before lookups are done. This snippet was taken from another open source app that I use with LDAP.

Any thoughts?

var $AD_lookupid;  // LDAP lookup dn (the dedicated account used for searches)
var $AD_lookuppwd; // LDAP lookup password

/**
 * LDAPEngine constructor to initialize object
 * @param string $uid user id
 * @param string $password password associated with uid
 */
function LDAPEngine( $uid, $password ) {
    global $conf;

    $this->connected = false;

    // Refuse empty credentials up front: an empty password would otherwise
    // turn the later ldap_bind() into an anonymous bind.
    if( strlen( $uid ) == 0 || strlen( $password ) == 0 ) {
        return;
    }

    $this->host         = $conf['ldap']['host'];
    $this->port         = $conf['ldap']['port'];
    $this->basedn       = $conf['ldap']['basedn'];
    $this->AD_lookupid  = $conf['ldap']['lookupid'];
    $this->AD_lookuppwd = $conf['ldap']['lookuppwd'];

    // Note: ldap_connect() only validates its parameters; the network
    // connection is actually opened by the first ldap_bind().
    $this->ldap = ldap_connect( $this->host, $this->port ) or die( "Could not connect to LDAP server." );

    $this->uid = $uid;

    if( $this->ldap ) {

        // Step 1: bind with the lookup (service) account so searches are permitted
        $bind = @ldap_bind( $this->ldap, $this->AD_lookupid, $this->AD_lookuppwd );

        if( $bind ) {

            // System authentication was a success, lookup user's dn via uid= filter
            // ($this->uid is inserted into the filter unescaped here)
            $result = ldap_search( $this->ldap, $this->basedn, "uid"."=".$this->uid);
            if (ldap_count_entries($this->ldap, $result)<=0) {
                print "<p>LDAPEngine: Search in LDAP failed. uid=$this->uid<p>";
                ldap_close( $this->ldap );
                return;
            } else {
                $this->binddn = ldap_get_dn($this->ldap, ldap_first_entry($this->ldap, $result));
                //print "<p>LDAPEngine: User binding as dn=".$this->binddn."<p>";

                // Step 2: re-bind as the user's own DN; this is the real password check
                $bind2 = @ldap_bind( $this->ldap, $this->binddn, $password );
                if ($bind2) {
                    //print "<p>LDAPEngine: bind using user credentials successful.</p>";
                } else {
                    //print "<p>LDAPEngine: bind using user credentials failed.</p>";
                    ldap_close( $this->ldap );
                    return;
                }
            }
        }
    }
}
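The two-stage flow that both the phpScheduleIt config above and the LDAPEngine snippet describe (bind with a lookup account, search for the user's DN, re-bind as that DN with the supplied password) is shown below as an added, stand-alone example. It is not code from Serendipity's plugin or from phpScheduleIt, and the option names (`lookupdn`, `loginattr`, `starttls`), the hostname and the DNs are placeholders chosen for this example. It adds the checks the posted snippet lacks: the login name is escaped before it is placed in the search filter (otherwise a login such as `*)(objectClass=*` rewrites the filter), the search attribute is configurable because Active Directory matches on `sAMAccountName` rather than `uid`, LDAPv3 is requested explicitly (AD refuses LDAPv2 binds), StartTLS is negotiated so that neither the lookup account's password nor the user's password crosses port 389 in cleartext, and a search returning more than one entry is refused instead of silently taking the first. It needs a reachable directory server to run.

```php
<?php
// Added example, not part of the Serendipity plugin or phpScheduleIt.
// Assumed/placeholder: option names, host, DNs and the lookup account.

/**
 * Escape a value for use inside an LDAP search filter (RFC 4515).
 * PHP >= 5.6 provides ldap_escape(); this inline version keeps the
 * example independent of the PHP version.
 */
function ldapFilterEscape($value) {
    $map = array(
        '\\' => '\5c', '*' => '\2a', '(' => '\28', ')' => '\29', "\0" => '\00',
    );
    return strtr($value, $map);
}

/**
 * Authenticate $login / $password against the directory.
 *
 * $cfg keys (assumed names): host, port, starttls, lookupdn, lookuppwd,
 * basedn, loginattr. Returns the user's DN on success, false otherwise.
 */
function ldapAuthenticate(array $cfg, $login, $password) {
    // An empty password turns ldap_bind() into an anonymous bind, which most
    // servers accept. Reject it before it reaches the server.
    if ($login === '' || $password === '') {
        return false;
    }

    // ldap_connect() only validates parameters; the socket is opened at bind time.
    $ds = ldap_connect($cfg['host'], $cfg['port']);
    if ($ds === false) {
        return false;
    }
    ldap_set_option($ds, LDAP_OPT_PROTOCOL_VERSION, 3); // AD requires LDAPv3
    ldap_set_option($ds, LDAP_OPT_REFERRALS, 0);        // AD referrals stall searches

    // Port 389 is cleartext; StartTLS protects both passwords on the wire.
    if (!empty($cfg['starttls']) && !ldap_start_tls($ds)) {
        ldap_close($ds);
        return false;
    }

    // Step 1: bind with the dedicated, read-only lookup account
    // (AD rejects anonymous searches by default).
    if (!@ldap_bind($ds, $cfg['lookupdn'], $cfg['lookuppwd'])) {
        ldap_close($ds);
        return false;
    }

    // Step 2: look up the user's DN. The login name is escaped so it cannot
    // alter the filter; '1.1' (RFC 4511) asks for no attributes, only the DN.
    $filter = sprintf('(%s=%s)', $cfg['loginattr'], ldapFilterEscape($login));
    $result = @ldap_search($ds, $cfg['basedn'], $filter, array('1.1'));
    if ($result === false || ldap_count_entries($ds, $result) !== 1) {
        // 0 matches: unknown user. >1: ambiguous; refuse rather than pick one.
        ldap_close($ds);
        return false;
    }
    $userDn = ldap_get_dn($ds, ldap_first_entry($ds, $result));

    // Step 3: re-bind as the user. This is the actual credential check; the
    // lookup account's rights never decide whether the login succeeds.
    $ok = @ldap_bind($ds, $userDn, $password);
    ldap_close($ds);
    return $ok ? $userDn : false;
}

// Placeholder configuration, constructed for this example.
$cfg = array(
    'host'      => 'ldap.example.internal',
    'port'      => 389,
    'starttls'  => true,
    'lookupdn'  => 'CN=svc-blog-lookup,OU=Service Accounts,DC=example,DC=internal',
    'lookuppwd' => 'change-me',
    'basedn'    => 'OU=People,DC=example,DC=internal',
    'loginattr' => 'sAMAccountName',
);

$dn = ldapAuthenticate($cfg, 'jdoe', 'user-supplied-password');
echo $dn === false ? "login failed\n" : "authenticated as $dn\n";
```

The lookup account only ever needs read access to the search base; if the directory allows it, restrict it to the `sAMAccountName` (or `uid`) attribute and the DN, so that a leaked `lookuppwd` exposes as little as possible.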
garvinhicking
Core Developer
Posts: 30022
Joined: Tue Sep 16, 2003 9:45 pm
Location: Cologne, Germany

Post by garvinhicking »

Hi!

Hm, our LDAP plugin does use the ldap_connect, ldap_bind and ldap_read functions...?

I'm sure you can edit the plugin if you need to insert those functions; it should be straightforward.

Best regards,
Garvin
nappy_d
Regular
Posts: 13
Joined: Mon Nov 13, 2006 3:02 pm

Post by nappy_d »

Ok, I think this is what I need. But I preface this by saying I'm not a programmer, but maybe you can point me in the right direction or maybe update the plugin with such options? :D

Near line 258 of serendipity_event_externalauth.php, how can I make it pass on this info to authorize lookups?

$conf['ldap']['lookupid'] = "org-unique=orgUserName,ou=internal,ou=people,dc=org,dc=com"; // Acct authorized for lookup on LDAP server
$conf['ldap']['lookuppwd'] = "password"; // LDAP password

var $AD_lookupid;
var $AD_lookuppwd;

$bind = @ldap_bind( $this->ldap, $this->AD_lookupid, $this->AD_lookuppwd );

I guess there would have to be a place on the external user authentication plugin interface to insert this information. Or would it be better served hard coded in serendipity_event_externalauth.php?

Does this make sense?
PS I am on chapter 4 of Teach Yourself PHP :oops:
garvinhicking
Core Developer
Posts: 30022
Joined: Tue Sep 16, 2003 9:45 pm
Location: Cologne, Germany

Post by garvinhicking »

Hi!
nappy_d wrote: Ok, I think this is what I need. But I preface this by saying I'm not a programmer, but maybe you can point me in the right direction or maybe update the plugin with such options? :D
Phew, I'm afraid I currently don't have the time to do that for free, especially because I personally do not use LDAP.

Maybe you have a PHP programmer in your intranet reach? :)

HTH,
Garvin
mgroeninger
Regular
Posts: 546
Joined: Mon Dec 20, 2004 11:57 pm

Post by mgroeninger »

nappy_d,
I'm not quite sure I follow what you are trying to do. It looks like you want the plugin to bind to the ldap server with a single account to do lookups?

If so, I'm not sure I would recommend that. The current code looks like it is binding to the ldap server using the account information passed to it by the client. This makes much better sense because it will prevent accidental disclosure of information.

When you use the plugin the way it is currently what happens?

What is your rdn set to?
nappy_d
Regular
Posts: 13
Joined: Mon Nov 13, 2006 3:02 pm

Post by nappy_d »

Unfortunately, I don't have any control over authentication for lookups.

And, yes, you are correct, I require the plugin to bind to AD LDAP with a single account before lookups are performed.

This is what I use with another opensource app that functions with LDAP as we are discussing here. This app I mention is called phpScheduleIt:

// LDAP Settings
// Should we use LDAP for authentication and enable transparent user registration.
// User registration data(mail, phone, etc.) is pulled from LDAP.
// If true the user will have to login with their LDAP uid instead of email address.
$conf['ldap']['authentication'] = true;
$conf['ldap']['host'] = 'hostNameOrIP';
$conf['ldap']['port'] = 389;
$conf['ldap']['lookupid'] = "org-unique=orgUserName,ou=internal,ou=people,dc=org,dc=com"; //Acct for lookup on LDAP server
$conf['ldap']['lookuppwd'] = "password"; // LDAP password
// LDAP people search base. Set this to where people in your organization are stored in LDAP,
// typically ou=people,o=domain.com.
$conf['ldap']['basedn'] = "ou=people,dc=org,dc=com";
mgroeninger
Regular
Posts: 546
Joined: Mon Dec 20, 2004 11:57 pm

Post by mgroeninger »

Actually, I was thinking about it and it might also be possible that Active Directory allows anonymous lookups. If this is the case (I can't remember if it is by default or not), you could just try to change line 258 from this:

Edited to remove an idea that might work for other ldap authentication systems, but would be a bad idea for this particular plugin.
If that works it would be a simple change to the plugin to add an option to allow for an anonymous lookup.
Last edited by mgroeninger on Thu Nov 30, 2006 6:19 pm, edited 1 time in total.
mgroeninger
Regular
Posts: 546
Joined: Mon Dec 20, 2004 11:57 pm

Post by mgroeninger »

Well, unfortunately I don't have a server that I could test changes to this plugin on.

What I would try would be something like this: http://www.theledge.net/uploads/serendi ... h_test.txt

It doesn't add the language stuff (so the two new plugin options will be named funny things), and I haven't tested on a server so I don't know if I got everything in the right place, but it should try to use a specific username and password if they are both set to something other than ''.

Please let me know the results...
mgroeninger
Regular
Posts: 546
Joined: Mon Dec 20, 2004 11:57 pm

Post by mgroeninger »

Actually, I'm taking that code down 'cause it has a pretty big bug in it from what I see...

Give me a couple of minutes...