LDAP Authentication [SOLVED]

A place for users and developers of the Xataface to discuss and receive support.

LDAP Authentication [SOLVED]

Postby cantlep » Fri Mar 12, 2010 7:28 pm

Hi All,

I've checked out this link viewtopic.php?t=4475 but still can't get LDAP authentication to work. In fact, the webserver doesn't even try to contact the LDAP server (In this instance a Windows Domain Controller). Any ideas why? Here's my config.

conf.ini
Code: Select all
[_auth]
auth_type= "ldap"
users_table = "Users"
username_column = "UserName"
password_column = "Password"
ldap_host = "1.1.1.1"
ldap_port = "389"
ldap_base = "dc=sub,dc=my,dc=domain"
ldap_group = "Domain Admins"
ldap_suffix = "MY.DOMAIN"


and I have "ldap.php" file in dataface/modules/Auth/ldap/

Code: Select all
<?php

        /**
         * Implementation of checkCredentials() hook.  This checks the
         * credentials to see if the username/password combination are
         * correct.
         */
   function checkCredentials(){

     $auth =& Dataface_AuthenticationTool::getInstance();
      $app =& Dataface_Application::getInstance();

      $creds = $auth->getCredentials();
      if ( !isset($auth->conf['ldap_host']) ) $auth->conf['ldap_host'] = 'localhost';
      if ( !isset($auth->conf['ldap_port']) ) $auth->conf['ldap_port'] = null;
      if ( !isset($auth->conf['ldap_base']) ){
         trigger_error("Please specify the LDAP basedn in the [_auth] section of the conf.ini file.", E_USER_ERROR);
      }

      if ( !function_exists('ldap_connect') ){
         trigger_error("Please install the PHP LDAP module in order to user LDAP authentication.", E_USER_ERROR);
      }
     //echo "qui";
      $ds = ldap_connect($auth->conf['ldap_host'], $auth->conf['ldap_port']);
      if ( !$ds ) trigger_error("Failed to connect to LDAP server", E_USER_ERROR);



     $good=false;

     if ( @ldap_bind( $ds, $creds['UserName'].'@'.$auth->conf['ldap_suffix'], $creds['Password']) )
     {
      $result = ldap_search($ds, $auth->conf['ldap_base'], '(samaccountname='.$creds['UserName'].')');

      //Create result set
      $entries = ldap_get_entries($ds, $result);

      //Sort and print
      //echo "User count: " . $entries["count"] . "<br /><br /><b>Users:</b><br />";
      //print_r ($entries);
      for ($i=0; $i < $entries["count"]; $i++)
      {
         //echo "name:".$entries[$i]["displayname"][0]."<br />\n";

         //Autoinsert in usertable if user in ldap not exist
         foreach ($entries[$i]['memberof'] as &$value)
         {
            list($attribute) = explode(',', $value);
            if ($attribute == "CN=".$auth->conf['ldap_group'])
            {
               //echo "member:".$attribute."<br />\n";
               $good=true;

               $sql = "select * from ".$auth->conf['users_table']." where ".$auth->conf['username_column']."='".$creds['UserName']."'";
               $res = mysql_query($sql, $app->db()) or
               trigger_error("Failed to get username from usertable qry:".$sql." Err:".mysql_query(), E_USER_ERROR);
               //insert new user with default role
               if (mysql_num_rows($res)  < 1 )
               {
                  $sql = "insert into ".$auth->conf['users_table']." (".$auth->conf['username_column'].",ROLE) value ('".$creds['UserName']."','ADMIN')";
                  $res = mysql_query($sql, $app->db()) or
                  trigger_error("Failed to insert username into  usertable qry:".$sql." Err:".mysql_query(), E_USER_ERROR);
               }

               break;
            }

         }
      }
      ldap_unbind($ds);

     }

     return $good;

}
?>


I've tried this with the function checkCredentials() section in AuthenticationTool.php commented out as well as being left as standard. Either way, the webserver never even tries to contact the Domain Controller.

Have I missed something obvious?

Cheers

Paul
Last edited by cantlep on Thu Mar 25, 2010 2:22 am, edited 1 time in total.
cantlep
 
Posts: 172
Joined: Fri Mar 05, 2010 2:14 am

Re: LDAP Authentication

Postby shannah » Tue Mar 16, 2010 12:10 pm

Is there something missing from your ldap.php snippet? It looks like it's just a function, but it should be inside a class.
shannah
 
Posts: 4457
Joined: Wed Dec 31, 1969 5:00 pm

Re: LDAP Authentication

Postby cantlep » Tue Mar 16, 2010 5:02 pm

:-) Thanks Steve, right again.

I added this in
Code: Select all
class dataface_modules_ldap {


It still doesn't actually work but I now see packets leaving and a valid login against the DC. Just need to work out when it's not getting any further!

Thanks a lot

Paul
cantlep
 
Posts: 172
Joined: Fri Mar 05, 2010 2:14 am

Re: LDAP Authentication

Postby cantlep » Mon Mar 22, 2010 6:24 am

Hi again,

Also, using that code in ldap.php, the username/password are both sent in the URL :-(

Any ideas folks?

Cheers
cantlep
 
Posts: 172
Joined: Fri Mar 05, 2010 2:14 am

Re: LDAP Authentication

Postby shannah » Mon Mar 22, 2010 10:45 am

You might find this thread to be helpful.

viewtopic.php?f=5&t=4751&p=23285&hilit=LDAP#p23285
shannah
 
Posts: 4457
Joined: Wed Dec 31, 1969 5:00 pm

Re: LDAP Authentication

Postby cantlep » Mon Mar 22, 2010 10:54 am

Cheers Steve. That's the code i'm using :-) i can probably fix the actual auth stuff not working but i'm not sure why credentials are being passed on the URL?
cantlep
 
Posts: 172
Joined: Fri Mar 05, 2010 2:14 am

Re: LDAP Authentication

Postby shannah » Mon Mar 22, 2010 11:12 am

Which URL are you referring to? As far as I can tell the only place that the password is used is in the ldap_bind() function to bind to LDAP. (I haven't really dissected the LDAP protocol to know exactly what happens inside the ldap_bind() function).
shannah
 
Posts: 4457
Joined: Wed Dec 31, 1969 5:00 pm

Re: LDAP Authentication

Postby cantlep » Mon Mar 22, 2010 12:18 pm

Hi Steve, by URL I mean when i hit submit after entering the username/password those credentials appear on the URL in the browser. In this instance, those credentials are also used to bind to the LDAP server.
cantlep
 
Posts: 172
Joined: Fri Mar 05, 2010 2:14 am

Re: LDAP Authentication

Postby shannah » Mon Mar 22, 2010 12:29 pm

You mean when you click "Login" on the login form? That is strange. It should use "post" for the method in which case the details of the login form are sent as part of the BODY of the HTTP request, not in the URL.

Check the HTML for the login form and verify that the <form> tag has method "post".
-Steve
shannah
 
Posts: 4457
Joined: Wed Dec 31, 1969 5:00 pm

Re: LDAP Authentication

Postby cantlep » Mon Mar 22, 2010 12:29 pm

Like this:

http://www.example.com/index.php?-actio ... redirect=&UserName=bloggsj&Password=Letmein%21&-submit=Submit&-table=Users&-cursor=0&-skip=0&-limit=30&-mode=list&--msg=Sorry%2C+you+have+entered+an+incorrect+username+%2Fpassword+combination.++Please+try+again.
cantlep
 
Posts: 172
Joined: Fri Mar 05, 2010 2:14 am

Re: LDAP Authentication

Postby cantlep » Mon Mar 22, 2010 12:33 pm

Yep, indeed it does.

Code: Select all
<form action="{$ENV.DATAFACE_SITE_HREF}" method="post">


Agree, it's a bit weird. I've not adjusted Dataface_Login_Prompt.html so it's as standard.
cantlep
 
Posts: 172
Joined: Fri Mar 05, 2010 2:14 am

Re: LDAP Authentication

Postby shannah » Mon Mar 22, 2010 12:41 pm

Check the resulting HTML page (not the template) to what it ends up like.
shannah
 
Posts: 4457
Joined: Wed Dec 31, 1969 5:00 pm

Re: LDAP Authentication

Postby cantlep » Mon Mar 22, 2010 1:04 pm

Yeah, it does:

Code: Select all
            
            <h1>Please Login to access this section of the site</h1>
            <form action="/index.php" method="post">
      <input type="hidden" name="-action" value="login" />
      <input type="hidden" name="-redirect" value="" />
      <fieldset>
      <legend>Login Form</legend>
         
         <div id="Login-Username">
            <label>Username:</label>
            <input type="text" name="UserName" value="cantlep">
         </div>
         <div id="Login-Password">
            <label>Password:</label>
            <input type="password" name="Password" value="Ange1us!">
         </div>
         <input id="Login-submit" name="-submit" type="submit" value="Submit"/>
      </fieldset>
      


I do have these errors in logs too so I'm going to start taking the ldap.php apart.


[Mon Mar 22 20:13:34 2010] [error] [client 10.0.10.51] PHP Warning: ldap_search(): Search: No such object in /var/www/html/public/workout/dataface/modules/Auth/ldap/ldap.php on line 34, referer: http://www.example.com/index.php?-actio ... +try+again.
[Mon Mar 22 20:13:34 2010] [error] [client 10.0.10.51] PHP Warning: ldap_get_entries() expects parameter 2 to be resource, boolean given in /var/www/html/public/workout/dataface/modules/Auth/ldap/ldap.php on line 37, referer: http://www.example.com/index.php?-actio ... +try+again.
cantlep
 
Posts: 172
Joined: Fri Mar 05, 2010 2:14 am

Re: LDAP Authentication

Postby shannah » Mon Mar 22, 2010 1:15 pm

Sounds like you may have to tinker with your base dn or other ldap parameters. This might be helpful:
http://www.php.net/manual/en/function.l ... .php#49905
shannah
 
Posts: 4457
Joined: Wed Dec 31, 1969 5:00 pm

Re: LDAP Authentication

Postby cantlep » Mon Mar 22, 2010 2:03 pm

Cheers for the pointer, Steve. I've tweaked and changed a few bits and forced it to be using V3. Looking a bit better. Checking the debugging in the ldap.php I can now see the good bind and a list of membership groups. There seems to be an error in the foreach part of the script. I'll upload my version when/if i figure out what's wrong :-)

cheers
cantlep
 
Posts: 172
Joined: Fri Mar 05, 2010 2:14 am

Next

Return to Xataface Users

Who is online

Users browsing this forum: No registered users and 37 guests

Powered by Dataface
© 2005-2007 Steve Hannah All rights reserved