A place for users and developers of the Xataface to discuss and receive support.
by cantlep » Fri Mar 12, 2010 7:28 pm
Hi All, I've checked out this link viewtopic.php?t=4475 but still can't get LDAP authentication to work. In fact, the webserver doesn't even try to contact the LDAP server (In this instance a Windows Domain Controller). Any ideas why? Here's my config. conf.ini - Code: Select all
[_auth] auth_type= "ldap" users_table = "Users" username_column = "UserName" password_column = "Password" ldap_host = "1.1.1.1" ldap_port = "389" ldap_base = "dc=sub,dc=my,dc=domain" ldap_group = "Domain Admins" ldap_suffix = "MY.DOMAIN"
and I have "ldap.php" file in dataface/modules/Auth/ldap/ - Code: Select all
<?php
/** * Implementation of checkCredentials() hook. This checks the * credentials to see if the username/password combination are * correct. */ function checkCredentials(){
$auth =& Dataface_AuthenticationTool::getInstance(); $app =& Dataface_Application::getInstance();
$creds = $auth->getCredentials(); if ( !isset($auth->conf['ldap_host']) ) $auth->conf['ldap_host'] = 'localhost'; if ( !isset($auth->conf['ldap_port']) ) $auth->conf['ldap_port'] = null; if ( !isset($auth->conf['ldap_base']) ){ trigger_error("Please specify the LDAP basedn in the [_auth] section of the conf.ini file.", E_USER_ERROR); }
if ( !function_exists('ldap_connect') ){ trigger_error("Please install the PHP LDAP module in order to user LDAP authentication.", E_USER_ERROR); } //echo "qui"; $ds = ldap_connect($auth->conf['ldap_host'], $auth->conf['ldap_port']); if ( !$ds ) trigger_error("Failed to connect to LDAP server", E_USER_ERROR);
$good=false;
if ( @ldap_bind( $ds, $creds['UserName'].'@'.$auth->conf['ldap_suffix'], $creds['Password']) ) { $result = ldap_search($ds, $auth->conf['ldap_base'], '(samaccountname='.$creds['UserName'].')');
//Create result set $entries = ldap_get_entries($ds, $result);
//Sort and print //echo "User count: " . $entries["count"] . "<br /><br /><b>Users:</b><br />"; //print_r ($entries); for ($i=0; $i < $entries["count"]; $i++) { //echo "name:".$entries[$i]["displayname"][0]."<br />\n";
//Autoinsert in usertable if user in ldap not exist foreach ($entries[$i]['memberof'] as &$value) { list($attribute) = explode(',', $value); if ($attribute == "CN=".$auth->conf['ldap_group']) { //echo "member:".$attribute."<br />\n"; $good=true;
$sql = "select * from ".$auth->conf['users_table']." where ".$auth->conf['username_column']."='".$creds['UserName']."'"; $res = mysql_query($sql, $app->db()) or trigger_error("Failed to get username from usertable qry:".$sql." Err:".mysql_query(), E_USER_ERROR); //insert new user with default role if (mysql_num_rows($res) < 1 ) { $sql = "insert into ".$auth->conf['users_table']." (".$auth->conf['username_column'].",ROLE) value ('".$creds['UserName']."','ADMIN')"; $res = mysql_query($sql, $app->db()) or trigger_error("Failed to insert username into usertable qry:".$sql." Err:".mysql_query(), E_USER_ERROR); }
break; }
} } ldap_unbind($ds);
}
return $good;
} ?>
I've tried this with the function checkCredentials() section in AuthenticationTool.php commented out as well as being left as standard. Either way, the webserver never even tries to contact the Domain Controller. Have I missed something obvious? Cheers Paul
Last edited by cantlep on Thu Mar 25, 2010 2:22 am, edited 1 time in total.
-
cantlep
-
- Posts: 172
- Joined: Fri Mar 05, 2010 2:14 am
by shannah » Tue Mar 16, 2010 12:10 pm
Is there something missing from your ldap.php snippet? It looks like it's just a function, but it should be inside a class.
-
shannah
-
- Posts: 4457
- Joined: Wed Dec 31, 1969 5:00 pm
by cantlep » Tue Mar 16, 2010 5:02 pm
Thanks Steve, right again. I added this in - Code: Select all
class dataface_modules_ldap {
It still doesn't actually work but I now see packets leaving and a valid login against the DC. Just need to work out when it's not getting any further! Thanks a lot Paul
-
cantlep
-
- Posts: 172
- Joined: Fri Mar 05, 2010 2:14 am
by cantlep » Mon Mar 22, 2010 6:24 am
Hi again, Also, using that code in ldap.php, the username/password are both sent in the URL Any ideas folks? Cheers
-
cantlep
-
- Posts: 172
- Joined: Fri Mar 05, 2010 2:14 am
by shannah » Mon Mar 22, 2010 10:45 am
-
shannah
-
- Posts: 4457
- Joined: Wed Dec 31, 1969 5:00 pm
by cantlep » Mon Mar 22, 2010 10:54 am
Cheers Steve. That's the code i'm using i can probably fix the actual auth stuff not working but i'm not sure why credentials are being passed on the URL?
-
cantlep
-
- Posts: 172
- Joined: Fri Mar 05, 2010 2:14 am
by shannah » Mon Mar 22, 2010 11:12 am
Which URL are you referring to? As far as I can tell the only place that the password is used is in the ldap_bind() function to bind to LDAP. (I haven't really dissected the LDAP protocol to know exactly what happens inside the ldap_bind() function).
-
shannah
-
- Posts: 4457
- Joined: Wed Dec 31, 1969 5:00 pm
by cantlep » Mon Mar 22, 2010 12:18 pm
Hi Steve, by URL I mean when i hit submit after entering the username/password those credentials appear on the URL in the browser. In this instance, those credentials are also used to bind to the LDAP server.
-
cantlep
-
- Posts: 172
- Joined: Fri Mar 05, 2010 2:14 am
by shannah » Mon Mar 22, 2010 12:29 pm
You mean when you click "Login" on the login form? That is strange. It should use "post" for the method in which case the details of the login form are sent as part of the BODY of the HTTP request, not in the URL.
Check the HTML for the login form and verify that the <form> tag has method "post". -Steve
-
shannah
-
- Posts: 4457
- Joined: Wed Dec 31, 1969 5:00 pm
by cantlep » Mon Mar 22, 2010 12:29 pm
Like this: http://www.example.com/index.php?-actio ... redirect=&UserName=bloggsj&Password=Letmein%21&-submit=Submit&-table=Users&-cursor=0&-skip=0&-limit=30&-mode=list&--msg=Sorry%2C+you+have+entered+an+incorrect+username+%2Fpassword+combination.++Please+try+again.
-
cantlep
-
- Posts: 172
- Joined: Fri Mar 05, 2010 2:14 am
by cantlep » Mon Mar 22, 2010 12:33 pm
Yep, indeed it does. - Code: Select all
<form action="{$ENV.DATAFACE_SITE_HREF}" method="post">
Agree, it's a bit weird. I've not adjusted Dataface_Login_Prompt.html so it's as standard.
-
cantlep
-
- Posts: 172
- Joined: Fri Mar 05, 2010 2:14 am
by shannah » Mon Mar 22, 2010 12:41 pm
Check the resulting HTML page (not the template) to what it ends up like.
-
shannah
-
- Posts: 4457
- Joined: Wed Dec 31, 1969 5:00 pm
by cantlep » Mon Mar 22, 2010 1:04 pm
Yeah, it does: - Code: Select all
<h1>Please Login to access this section of the site</h1> <form action="/index.php" method="post"> <input type="hidden" name="-action" value="login" /> <input type="hidden" name="-redirect" value="" /> <fieldset> <legend>Login Form</legend> <div id="Login-Username"> <label>Username:</label> <input type="text" name="UserName" value="cantlep"> </div> <div id="Login-Password"> <label>Password:</label> <input type="password" name="Password" value="Ange1us!"> </div> <input id="Login-submit" name="-submit" type="submit" value="Submit"/> </fieldset>
I do have these errors in logs too so I'm going to start taking the ldap.php apart. [Mon Mar 22 20:13:34 2010] [error] [client 10.0.10.51] PHP Warning: ldap_search(): Search: No such object in /var/www/html/public/workout/dataface/modules/Auth/ldap/ldap.php on line 34, referer: http://www.example.com/index.php?-actio ... +try+again. [Mon Mar 22 20:13:34 2010] [error] [client 10.0.10.51] PHP Warning: ldap_get_entries() expects parameter 2 to be resource, boolean given in /var/www/html/public/workout/dataface/modules/Auth/ldap/ldap.php on line 37, referer: http://www.example.com/index.php?-actio ... +try+again.
-
cantlep
-
- Posts: 172
- Joined: Fri Mar 05, 2010 2:14 am
by cantlep » Mon Mar 22, 2010 2:03 pm
Cheers for the pointer, Steve. I've tweaked and changed a few bits and forced it to be using V3. Looking a bit better. Checking the debugging in the ldap.php I can now see the good bind and a list of membership groups. There seems to be an error in the foreach part of the script. I'll upload my version when/if i figure out what's wrong cheers
-
cantlep
-
- Posts: 172
- Joined: Fri Mar 05, 2010 2:14 am
Return to Xataface Users
Who is online
Users browsing this forum: No registered users and 24 guests
|