
LDAP Authentication [SOLVED]

Posted: Fri Mar 12, 2010 7:28 pm
by cantlep
Hi All,

I've checked out this link viewtopic.php?t=4475 but still can't get LDAP authentication to work. In fact, the webserver doesn't even try to contact the LDAP server (In this instance a Windows Domain Controller). Any ideas why? Here's my config.

conf.ini
Code:
[_auth]
auth_type= "ldap"
users_table = "Users"
username_column = "UserName"
password_column = "Password"
ldap_host = "1.1.1.1"
ldap_port = "389"
ldap_base = "dc=sub,dc=my,dc=domain"
ldap_group = "Domain Admins"
ldap_suffix = "MY.DOMAIN"


and I have an "ldap.php" file in dataface/modules/Auth/ldap/

Code:
<?php

        /**
         * Implementation of checkCredentials() hook.  This checks the
         * credentials to see if the username/password combination are
         * correct.
         */
   function checkCredentials(){

     $auth =& Dataface_AuthenticationTool::getInstance();
      $app =& Dataface_Application::getInstance();

      $creds = $auth->getCredentials();
      if ( !isset($auth->conf['ldap_host']) ) $auth->conf['ldap_host'] = 'localhost';
      if ( !isset($auth->conf['ldap_port']) ) $auth->conf['ldap_port'] = null;
      if ( !isset($auth->conf['ldap_base']) ){
         trigger_error("Please specify the LDAP basedn in the [_auth] section of the conf.ini file.", E_USER_ERROR);
      }

      if ( !function_exists('ldap_connect') ){
         trigger_error("Please install the PHP LDAP module in order to use LDAP authentication.", E_USER_ERROR);
      }

      $ds = ldap_connect($auth->conf['ldap_host'], $auth->conf['ldap_port']);
      if ( !$ds ) trigger_error("Failed to connect to LDAP server", E_USER_ERROR);

     $good=false;

     // Bind as the user's UPN (user@suffix); a failed bind means the credentials are wrong.
     if ( @ldap_bind( $ds, $creds['UserName'].'@'.$auth->conf['ldap_suffix'], $creds['Password']) )
     {
      // Escape the user-supplied name before it goes into the search filter (RFC 4515);
      // otherwise a name containing '*', '(' or ')' changes the meaning of the filter.
      $filterUser = str_replace(array('\\','*','(',')',"\x00"), array('\5c','\2a','\28','\29','\00'), $creds['UserName']);
      $result = ldap_search($ds, $auth->conf['ldap_base'], '(samaccountname='.$filterUser.')');
      if ( $result === false )
      {
         // A failed search returns false; ldap_get_entries() must not be called with it.
         trigger_error("LDAP search failed under ".$auth->conf['ldap_base'].": ".ldap_error($ds), E_USER_WARNING);
         ldap_unbind($ds);
         return false;
      }

      //Create result set
      $entries = ldap_get_entries($ds, $result);
      //print_r ($entries);

      for ($i=0; $i < $entries["count"]; $i++)
      {
         // Only accept users that belong to the configured group (matched on the CN part of each memberOf DN).
         if ( !isset($entries[$i]['memberof']['count']) ) continue;
         for ($j=0; $j < $entries[$i]['memberof']['count']; $j++)
         {
            list($attribute) = explode(',', $entries[$i]['memberof'][$j]);
            if ($attribute == "CN=".$auth->conf['ldap_group'])
            {
               $good=true;

               //Autoinsert into the users table if the LDAP user does not exist there yet
               $sqlUser = mysql_real_escape_string($creds['UserName'], $app->db());
               $sql = "select * from ".$auth->conf['users_table']." where ".$auth->conf['username_column']."='".$sqlUser."'";
               $res = mysql_query($sql, $app->db()) or
               trigger_error("Failed to get username from usertable qry:".$sql." Err:".mysql_error($app->db()), E_USER_ERROR);
               //insert new user with default role
               if (mysql_num_rows($res)  < 1 )
               {
                  $sql = "insert into ".$auth->conf['users_table']." (".$auth->conf['username_column'].",ROLE) values ('".$sqlUser."','ADMIN')";
                  $res = mysql_query($sql, $app->db()) or
                  trigger_error("Failed to insert username into usertable qry:".$sql." Err:".mysql_error($app->db()), E_USER_ERROR);
               }

               break;
            }

         }
      }

     }
     ldap_unbind($ds);

     return $good;

}
?>


I've tried this with the function checkCredentials() section in AuthenticationTool.php commented out as well as being left as standard. Either way, the webserver never even tries to contact the Domain Controller.

Have I missed something obvious?

Cheers

Paul

Re: LDAP Authentication

Posted: Tue Mar 16, 2010 12:10 pm
by shannah
Is there something missing from your ldap.php snippet? It looks like it's just a function, but it should be inside a class.

Re: LDAP Authentication

Posted: Tue Mar 16, 2010 5:02 pm
by cantlep
:-) Thanks Steve, right again.

I added this in
Code:
class dataface_modules_ldap {


It still doesn't actually work but I now see packets leaving and a valid login against the DC. Just need to work out when it's not getting any further!

Thanks a lot

Paul

Re: LDAP Authentication

Posted: Mon Mar 22, 2010 6:24 am
by cantlep
Hi again,

Also, using that code in ldap.php, the username/password are both sent in the URL :-(

Any ideas folks?

Cheers

Re: LDAP Authentication

Posted: Mon Mar 22, 2010 10:45 am
by shannah
You might find this thread to be helpful.

viewtopic.php?f=5&t=4751&p=23285&hilit=LDAP#p23285

Re: LDAP Authentication

Posted: Mon Mar 22, 2010 10:54 am
by cantlep
Cheers Steve. That's the code I'm using :-) I can probably fix the actual auth stuff not working, but I'm not sure why credentials are being passed on the URL?

Re: LDAP Authentication

Posted: Mon Mar 22, 2010 11:12 am
by shannah
Which URL are you referring to? As far as I can tell the only place that the password is used is in the ldap_bind() function to bind to LDAP. (I haven't really dissected the LDAP protocol to know exactly what happens inside the ldap_bind() function).

Re: LDAP Authentication

Posted: Mon Mar 22, 2010 12:18 pm
by cantlep
Hi Steve, by URL I mean that when I hit submit after entering the username/password, those credentials appear in the URL in the browser. In this instance, those credentials are also used to bind to the LDAP server.

Re: LDAP Authentication

Posted: Mon Mar 22, 2010 12:29 pm
by shannah
You mean when you click "Login" on the login form? That is strange. It should use "post" for the method in which case the details of the login form are sent as part of the BODY of the HTTP request, not in the URL.

Check the HTML for the login form and verify that the <form> tag has method "post".
-Steve

Re: LDAP Authentication

Posted: Mon Mar 22, 2010 12:29 pm
by cantlep
Like this:

http://www.example.com/index.php?-actio ... redirect=&UserName=bloggsj&Password=Letmein%21&-submit=Submit&-table=Users&-cursor=0&-skip=0&-limit=30&-mode=list&--msg=Sorry%2C+you+have+entered+an+incorrect+username+%2Fpassword+combination.++Please+try+again.

Re: LDAP Authentication

Posted: Mon Mar 22, 2010 12:33 pm
by cantlep
Yep, indeed it does.

Code:
<form action="{$ENV.DATAFACE_SITE_HREF}" method="post">


Agree, it's a bit weird. I've not adjusted Dataface_Login_Prompt.html so it's as standard.

Re: LDAP Authentication

Posted: Mon Mar 22, 2010 12:41 pm
by shannah
Check the resulting HTML page (not the template) to see what it ends up like.

Re: LDAP Authentication

Posted: Mon Mar 22, 2010 1:04 pm
by cantlep
Yeah, it does:

Code:
            
            <h1>Please Login to access this section of the site</h1>
            <form action="/index.php" method="post">
      <input type="hidden" name="-action" value="login" />
      <input type="hidden" name="-redirect" value="" />
      <fieldset>
      <legend>Login Form</legend>
         
         <div id="Login-Username">
            <label>Username:</label>
            <input type="text" name="UserName" value="cantlep">
         </div>
         <div id="Login-Password">
            <label>Password:</label>
            <input type="password" name="Password" value="Ange1us!">
         </div>
         <input id="Login-submit" name="-submit" type="submit" value="Submit"/>
      </fieldset>
      


I do have these errors in logs too so I'm going to start taking the ldap.php apart.


[Mon Mar 22 20:13:34 2010] [error] [client 10.0.10.51] PHP Warning: ldap_search(): Search: No such object in /var/www/html/public/workout/dataface/modules/Auth/ldap/ldap.php on line 34, referer: http://www.example.com/index.php?-actio ... +try+again.
[Mon Mar 22 20:13:34 2010] [error] [client 10.0.10.51] PHP Warning: ldap_get_entries() expects parameter 2 to be resource, boolean given in /var/www/html/public/workout/dataface/modules/Auth/ldap/ldap.php on line 37, referer: http://www.example.com/index.php?-actio ... +try+again.

Re: LDAP Authentication

Posted: Mon Mar 22, 2010 1:15 pm
by shannah
Sounds like you may have to tinker with your base dn or other ldap parameters. This might be helpful:
http://www.php.net/manual/en/function.l ... .php#49905

Re: LDAP Authentication

Posted: Mon Mar 22, 2010 2:03 pm
by cantlep
Cheers for the pointer, Steve. I've tweaked and changed a few bits and forced it to be using V3. Looking a bit better. Checking the debugging in the ldap.php I can now see the good bind and a list of membership groups. There seems to be an error in the foreach part of the script. I'll upload my version when/if I figure out what's wrong :-)

cheers
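An added example (editor's code, not from the thread and not part of Dataface) that pulls together the points the thread arrives at for authenticating against a Windows Domain Controller: the LDAPv3 and no-referrals options Active Directory needs, escaping of the user-supplied name before it is placed in the search filter, a membership test on the full group DN taken from memberOf rather than its CN prefix, and a real error report when ldap_search() fails (the "No such object" warnings above) instead of handing its boolean result to ldap_get_entries(). The base DN and UPN suffix are the ones from cantlep's conf.ini; the group DN, the environment variables and the sample entry are assumptions made for the example.

```php
<?php
// Added example, not Dataface code and not from this thread: a standalone
// LDAP credential check against Active Directory.

/**
 * Escape a value for use inside an LDAP search filter (RFC 4515).
 * PHP >= 5.6 has ldap_escape($v, '', LDAP_ESCAPE_FILTER); this also works on older builds.
 */
function filter_escape($value) {
    $from = array('\\', '*', '(', ')', "\x00");
    $to   = array('\5c', '\2a', '\28', '\29', '\00');   // backslash is replaced first
    return str_replace($from, $to, $value);
}

/**
 * True if an entry (in the shape ldap_get_entries() returns) lists $groupDn in memberOf.
 * DNs are compared case-insensitively, which is how AD treats them.
 */
function is_member_of(array $entry, $groupDn) {
    if (!isset($entry['memberof']['count'])) {
        return false;   // attribute absent: user is in no group, or it was not requested
    }
    for ($i = 0; $i < $entry['memberof']['count']; $i++) {
        if (strcasecmp($entry['memberof'][$i], $groupDn) === 0) {
            return true;
        }
    }
    return false;
}

/**
 * Bind as user@suffix (AD accepts the UPN form), look the account up under
 * $baseDn and require membership of $groupDn. Returns true or false; the
 * reason for a failure goes to error_log(), never back to the login form.
 */
function ldap_check_credentials($host, $port, $baseDn, $suffix, $groupDn, $username, $password) {
    if ($username === '' || $password === '') {
        // AD treats a bind with an empty password as an unauthenticated bind and
        // reports success, so this case must be refused before ldap_bind() is reached.
        return false;
    }
    $ds = ldap_connect($host, $port);
    if (!$ds) {
        error_log("ldap_connect() failed for $host:$port");
        return false;
    }
    ldap_set_option($ds, LDAP_OPT_PROTOCOL_VERSION, 3);   // AD rejects LDAPv2 binds
    ldap_set_option($ds, LDAP_OPT_REFERRALS, 0);          // do not chase AD referrals

    $ok = false;
    if (@ldap_bind($ds, $username . '@' . $suffix, $password)) {
        $filter = '(sAMAccountName=' . filter_escape($username) . ')';
        $result = @ldap_search($ds, $baseDn, $filter, array('memberOf'));
        if ($result === false) {
            // "No such object" here almost always means $baseDn does not exist on this DC.
            error_log(sprintf('ldap_search() under "%s" failed: %s (errno %d)',
                              $baseDn, ldap_error($ds), ldap_errno($ds)));
        } else {
            $entries = ldap_get_entries($ds, $result);
            if ($entries['count'] === 1) {           // exactly one account matched
                $ok = is_member_of($entries[0], $groupDn);
            }
        }
    } else {
        error_log('ldap_bind() failed for ' . $username . ': ' . ldap_error($ds));
    }
    ldap_unbind($ds);
    return $ok;
}

// Constructed sample entry in the shape ldap_get_entries() returns, so the
// offline parts can be exercised without a directory server.
$sampleEntry = array(
    'memberof' => array(
        'count' => 2,
        0 => 'CN=Domain Admins,CN=Users,DC=sub,DC=my,DC=domain',
        1 => 'CN=Workout Users,OU=Groups,DC=sub,DC=my,DC=domain',
    ),
);
$adminGroupDn = 'CN=Domain Admins,CN=Users,DC=sub,DC=my,DC=domain';   // assumed location of the group

var_dump(filter_escape('bloggsj*)(objectClass=*'));   // filter metacharacters neutralised
var_dump(is_member_of($sampleEntry, $adminGroupDn));
var_dump(is_member_of($sampleEntry, 'CN=Domain Admins,OU=Elsewhere,DC=sub,DC=my,DC=domain'));

// The live check only runs when a DC is configured through the environment (assumed variable names).
if (getenv('LDAP_HOST') !== false) {
    var_dump(ldap_check_credentials(getenv('LDAP_HOST'), 389, 'dc=sub,dc=my,dc=domain',
                                    'MY.DOMAIN', $adminGroupDn, getenv('LDAP_USER'), getenv('LDAP_PASS')));
}
```

Comparing the whole DN from memberOf, rather than the text before the first comma, means a group with the same CN in a different container cannot satisfy the check, and refusing an empty password up front matters because AD answers an unauthenticated simple bind with success.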