Geeklog Forums
LDAP authentication
jannetta
Forum User
Chatty
Registered: 01/22/03
Posts: 44
Hi folks
I have noticed before that people have asked about LDAP authentication. Well, I have just finished hacking the users.php file to pieces to add LDAP authentication. Would anyone be interested in it? If so, I'll make it available.
Short explanation of what the code does:
I know very little about LDAP, but I have managed to get the code working. Basically, when the user logs into Geeklog, his username and password are checked against LDAP. If he authenticates, it is checked whether he exists in Geeklog. If not, he is added as a user, using the email from an LDAP search, and then he is logged in. If he already exists, he is just logged in. If the user changes his password, it will be changed back to the LDAP password the next time he logs in. (This I have done just because I didn't want to fiddle with the 'Account Information' code.) I have removed the functions for requesting a new password, because, obviously, this has to be done by whoever maintains the LDAP database, which in our case is not me. The server and context information is configured in a config file that is included at the top of the script.
Any comments on the logic will also be welcomed.
Tony
Site Admin
Admin
Registered: 12/17/01
Posts: 405
Location:Urbandale, Iowa
Please send this to me. We are adding LDAP support to the authentication modules for Geeklog 2. By chance, does your implementation support LDAP authentication over SSL? I want the code regardless, but having that part in there would be a nice bell or whistle.
The reason people blame things on previous generations is that there's only one other choice.
saulacious
Anonymous
jannetta,
I'm trying to evaluate Geeklog as a CMS and would like to take a peek at your code (we have an LDAP backend for about ~150 users). Can you post your users.php on the web, or perhaps attach it to a message (if GL permits you to do so)? Thanks for your time (and effort).
saulacious
jannetta
Forum User
Chatty
Registered: 01/22/03
Posts: 44
I have uploaded the LDAP login to my homepage, you can download it from www.jannetta.com/article.php/20040622102151358. I don't know if this is code that one should be embarrassed about, but it is definitely better than nothing and it works!
Comments and suggestions are always welcome. You can leave comments on my website (or here).
jannetta
Forum User
Chatty
Registered: 01/22/03
Posts: 44
Hi Tony
Quote by Tony: Please send this to me. We are adding LDAP support to the authentication modules for Geeklog 2. By chance, does your implementation support LDAP authentication over SSL? I want the code regardless, but having that part in there would be a nice bell or whistle.
At the moment my code does not support SSL, but I will be looking at that soon, as (hopefully) we will be upgrading our systems over the summer holidays and then implement some seriously needed security procedures.
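The login flow jannetta describes in the first post (bind against LDAP with the user's own credentials, then look the account up locally and create it from the directory's mail attribute if it is missing) and the SSL part Tony asks about, as one added PHP example. This is neither jannetta's users.php nor Geeklog's LDAP module: the `$cfg` values, the in-memory `$localUsers` table standing in for the users table, and every function name are assumptions for illustration. It assumes PHP 7.1 or newer with the ldap extension; the null-handle `ldap_set_option()` calls set OpenLDAP's global TLS options and have to run before `ldap_connect()`.

```php
<?php
// Added example: LDAP login over TLS plus local-account provisioning.
// Not jannetta's users.php and not Geeklog's LDAP module. Settings, the
// $localUsers table and helper names are assumptions. Needs PHP >= 7.1 + ext/ldap.

$cfg = [
    // ldaps:// on 636 encrypts from the first byte. If the server only offers
    // STARTTLS, use 'ldap://host:389' and set 'starttls' => true.
    'uri'         => 'ldaps://ldap.example.com:636',   // assumed host
    'starttls'    => false,
    'ca_file'     => '/etc/ssl/certs/ldap-ca.pem',     // CA that signed the server cert (assumed path)
    'user_branch' => 'ou=People,dc=example,dc=com',    // assumed base for user entries
    'user_attr'   => 'uid',
];

function ldap_tls_connect(array $cfg)
{
    // OpenLDAP reads TLS settings when the connection is created, so the
    // global (null handle) options must be set before ldap_connect().
    ldap_set_option(null, LDAP_OPT_X_TLS_REQUIRE_CERT, LDAP_OPT_X_TLS_DEMAND); // refuse unverifiable certs
    ldap_set_option(null, LDAP_OPT_X_TLS_CACERTFILE, $cfg['ca_file']);
    $ldap = ldap_connect($cfg['uri']);
    if ($ldap === false) {
        throw new RuntimeException('malformed LDAP URI');
    }
    ldap_set_option($ldap, LDAP_OPT_PROTOCOL_VERSION, 3);
    ldap_set_option($ldap, LDAP_OPT_REFERRALS, 0);
    if ($cfg['starttls'] && !ldap_start_tls($ldap)) {
        ldap_unbind($ldap);
        throw new RuntimeException('STARTTLS failed: ' . ldap_error($ldap));
    }
    return $ldap;
}

/** Bind as the user; return ['username' => ..., 'email' => ...] on success, null otherwise. */
function ldap_authenticate(array $cfg, string $username, string $password): ?array
{
    // ldap_bind() with an empty password is an anonymous bind, which most
    // servers accept, so an empty password must be rejected before it is sent.
    if ($username === '' || $password === '') {
        return null;
    }
    // Keep DN and filter injection out: plain account-name characters only.
    if (!preg_match('/^[A-Za-z0-9._-]{1,64}$/', $username)) {
        return null;
    }
    $ldap = ldap_tls_connect($cfg);
    $dn = $cfg['user_attr'] . '=' . ldap_escape($username, '', LDAP_ESCAPE_DN) . ',' . $cfg['user_branch'];
    if (!@ldap_bind($ldap, $dn, $password)) {
        ldap_unbind($ldap);
        return null;
    }
    // Still bound as the user: read the mail attribute from the user's own entry.
    $filter  = '(' . $cfg['user_attr'] . '=' . ldap_escape($username, '', LDAP_ESCAPE_FILTER) . ')';
    $result  = ldap_search($ldap, $cfg['user_branch'], $filter, ['mail']);
    $entries = $result ? ldap_get_entries($ldap, $result) : ['count' => 0];
    ldap_unbind($ldap);
    if ($entries['count'] !== 1) {
        return null;
    }
    return ['username' => $username, 'email' => $entries[0]['mail'][0] ?? ''];
}

/**
 * Local-account step; $localUsers stands in for the users table.
 * The row gets a random, unusable password instead of a copy of the LDAP
 * password: the directory stays the only place the real secret lives, and a
 * local password change never needs to be "changed back".
 */
function provision_local_user(array &$localUsers, array $ldapUser): array
{
    $name = $ldapUser['username'];
    if (!isset($localUsers[$name])) {
        $localUsers[$name] = [
            'email'  => $ldapUser['email'],
            'passwd' => password_hash(bin2hex(random_bytes(32)), PASSWORD_DEFAULT),
            'remote' => true,   // marks the row as LDAP-authenticated only
        ];
    }
    return $localUsers[$name];
}

function login(array $cfg, array &$localUsers, string $username, string $password): bool
{
    $ldapUser = ldap_authenticate($cfg, $username, $password);
    if ($ldapUser === null) {
        return false;
    }
    provision_local_user($localUsers, $ldapUser);
    return true;   // start the Geeklog session for $username here
}

$localUsers = [];
// Replace the two literals with the submitted form fields.
var_dump(login($cfg, $localUsers, 'jdoe', 'correct horse battery staple'));
```

Two checks worth keeping even if the rest is rewritten: the empty-password guard, because a simple bind with a zero-length password is an unauthenticated bind and succeeds on most directories, and the certificate demand, because an `ldaps://` URI alone does not verify who answered.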
Chewie
Anonymous
Do you still have the code available?
Dirk
Site Admin
Admin
Registered: 01/12/02
Posts: 13073
Location:Stuttgart, Germany
There is now an LDAP module in Geeklog 1.5.0, courtesy of MTV (no, really). It should also work in 1.4.1.
You need the LDAP module and its config file from the system/classes/authentication directory. Just put them in the same place in your 1.4.1 install and enable remote authentication in config.php.
bye, Dirk
Chewie
Anonymous
Thanks, now I'm just confused on how to configure the config file
<?php
/* Reminder: always indent with 4 spaces (no tabs). */
// +---------------------------------------------------------------------------+
// | Geeklog 1.5 |
// +---------------------------------------------------------------------------+
// | config.php |
// | |
// | LDAP configuration file. |
// +---------------------------------------------------------------------------+
// | Copyright (C) 2008 by the following authors: |
// | |
// | Authors: Jessica Blank - jessica.blank AT mtvnmix DOT com |
// | under contract to MTV Networks |
// | Evan Rappaport - evan.rappaport AT mtvi DOT com |
// +---------------------------------------------------------------------------+
// | |
// | This program is free software; you can redistribute it and/or |
// | modify it under the terms of the GNU General Public License |
// | as published by the Free Software Foundation; either version 2 |
// | of the License, or (at your option) any later version. |
// | |
// | This program is distributed in the hope that it will be useful, |
// | but WITHOUT ANY WARRANTY; without even the implied warranty of |
// | MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the |
// | GNU General Public License for more details. |
// | |
// | You should have received a copy of the GNU General Public License |
// | along with this program; if not, write to the Free Software Foundation, |
// | Inc., 59 Temple Place - Suite 330, Boston, MA 02111-1307, USA. |
// | |
// +---------------------------------------------------------------------------+
//
// $Id: config.php,v 1.1 2008/05/01 19:27:48 dhaun Exp $
global $_LDAP_CONF;
$_LDAP_CONF['version'] = '1.0.0'; // Module Version
// LDAP Settings
// Basic LDAP variables
$_LDAP_CONF['user_ou'] = "People";
$_LDAP_CONF['group_ou'] = "Group";
$_LDAP_CONF['branch'] = "dc=mydc,dc=com";
$_LDAP_CONF['user_branch'] = "ou={$_LDAP_CONF['user_ou']}," . $_LDAP_CONF['branch'];
$_LDAP_CONF['user_attributes'] = array("uid","cn","ou","objectClass","shadowLastChange","loginShell","uidnumber","gidNumber","homeDirectory","gecos","userPassword","givenName","sn","mail");
// LDAP server configuration
$_LDAP_CONF['servers'][0]['bind_dn'] = "cn=mycn,ou=LDAPusers,dc=mydc,dc=com";
$_LDAP_CONF['servers'][0]['password'] = "mypassword";
$_LDAP_CONF['servers'][0]['host'] = "localhost";
// (put additional servers here; example given below)
// $_LDAP_CONF['servers'][1]['bind_dn'] = 'cn=foo,ou=people,dc=corp,dc=com';
// $_LDAP_CONF['servers'][1]['password'] = 'joshua';
// $_LDAP_CONF['servers'][1]['host'] = 'ldap.example.com';
// LDAP server selection
/**
* If you wanted to set up some complex logic to determine which
* LDAP server is in use, this is where it would go.
* We have provided the basic infrastructure for multiple LDAP servers;
* the rest is left as an exercise for the user.
*/
$_LDAP_CONF['server_num'] = 0;
// Default user settings
$_LDAP_CONF['user_defaults']['ou'] = $_LDAP_CONF['user_ou'];
$_LDAP_CONF['user_defaults']['objectClass'] = array("account","posixAccount","top","shadowAccount","person","organizationalPerson","inetOrgPerson");
$_LDAP_CONF['user_defaults']['shadowLastChange'] = "0";
$_LDAP_CONF['user_defaults']['loginShell'] = "/etc/ftponly";
?>
If that's the code, and my domain is, say, blah.local, what do I change to reflect that?
Dirk
Site Admin
Admin
Registered: 01/12/02
Posts: 13073
Location:Stuttgart, Germany
Well, some LDAP knowledge would certainly help. Ask your system administrator - that's what I did :wink:
Here are a few anonymized snippets from a config that lets me connect to my employer's LDAP server:
(...)
$_LDAP_CONF['branch'] = "o=companyname,c=de";
$_LDAP_CONF['user_branch'] = "ou={$_LDAP_CONF['user_ou']}," . $_LDAP_CONF['branch'];
(...)
// LDAP server configuration
$_LDAP_CONF['servers'][0]['bind_dn'] = "uid=somevalidaccount,ou=People,ou=users,o=companyname,c=de";
$_LDAP_CONF['servers'][0]['password'] = "somevalidpassword";
$_LDAP_CONF['servers'][0]['host'] = "servername";
The rest was unchanged. Obviously, the c=de is for Germany.
Can't really help you with any details there. As I said, ask your admin.
HTH
bye, Dirk
Chewie
Anonymous
Thanks for that info
I kinda am the admin and I'm working with a Win2k3 server and Active Directory.
Not wholly experienced with script writing and connecting from the command line, so to speak, so I'm doing my best.
Do I need anything special for Active Directory use?
Dirk
Site Admin
Admin
Registered: 01/12/02
Posts: 13073
Location:Stuttgart, Germany
Quote by: Chewie
Do I need anything special for Active Directory use?
I really don't know a lot about this stuff. I even had to look up if ActiveDirectory is the same or compatible with LDAP. Apparently it is. So you need PHP with LDAP support built in - and the rest should just be a configuration issue.
bye, Dirk
Chewie
Anonymous
I'm still getting nowhere with this LDAP script.
I've configured the script so that it should be connecting to the server, but the error.log file keeps saying invalid credentials. I know that the user I'm using (both in the user@domain.com and just plain user fashion) is valid, as is the password, yet it still doesn't work!
Has anyone else here had luck using this to connect to Windows Server 2003 (or SBS 2003)? If so, can you post your edited config file (omitting sensitive info, of course)?
Thanks!
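An added troubleshooting script for the Active Directory case Chewie describes above (simple bind against Windows Server 2003 failing with "invalid credentials"), which also picks up the earlier blah.local question. It is not Geeklog code and not the LDAP module: it tries the two bind identity forms AD accepts without a DN lookup (the UPN `user@blah.local` and `DOMAIN\user`) and decodes the `data NNN` subcode a domain controller appends to its diagnostic message, so a wrong password can be told apart from a disabled, locked or must-reset-password account. The domain blah.local comes from the thread; the NetBIOS name BLAH (usually, but not always, the first DNS label), the DC host name and the sample diagnostic string at the end are assumptions or constructed. One caveat the module's config file raises for AD: it builds `user_branch` as `ou=<user_ou>,<branch>`, whereas a domain's default container is `CN=Users,DC=blah,DC=local` and accounts are named by `sAMAccountName` rather than `uid`; whether the module can be pointed at that is not something this thread shows, so confirm the bind works with this script before blaming the config.

```php
<?php
// Added AD simple-bind troubleshooting example. Not Geeklog or the LDAP module.
// Assumed: domain blah.local (from the thread), NetBIOS name BLAH, host dc1.blah.local,
// and a constructed diagnostic string at the bottom. Needs PHP >= 7.1 + ext/ldap.

// Subcodes AD puts in the "data NNN" field of an AcceptSecurityContext error.
const AD_BIND_SUBCODES = [
    '525' => 'user not found',
    '52e' => 'invalid credentials (wrong password)',
    '530' => 'not permitted to log on at this time',
    '531' => 'not permitted to log on at this workstation',
    '532' => 'password expired',
    '533' => 'account disabled',
    '701' => 'account expired',
    '773' => 'user must reset password',
    '775' => 'account locked out',
];

/** Turn a DC diagnostic message into the reason behind "invalid credentials". */
function ad_bind_failure_reason(string $diag): string
{
    if (preg_match('/AcceptSecurityContext error, data ([0-9a-f]+)/i', $diag, $m)) {
        $code = strtolower($m[1]);
        return AD_BIND_SUBCODES[$code] ?? ('unknown AD subcode data ' . $code);
    }
    return $diag === '' ? 'no diagnostic message from server' : $diag;
}

/** Bind identities AD accepts for a simple bind without a directory lookup. */
function ad_bind_identities(string $user, string $dnsDomain, string $netbios): array
{
    return [
        $user . '@' . $dnsDomain,   // userPrincipalName form: chewie@blah.local
        $netbios . '\\' . $user,    // NT-style form:          BLAH\chewie
    ];
}

/**
 * Try each identity in turn. Returns ['ok' => bool, 'identity' => ?string, 'reason' => string].
 * Use an ldaps:// URI where the DC has a certificate; a plain ldap:// simple bind is
 * refused outright (not "invalid credentials") when LDAP signing is required.
 */
function ad_try_bind(string $uri, string $user, string $password, string $dnsDomain, string $netbios): array
{
    if ($password === '') {
        return ['ok' => false, 'identity' => null, 'reason' => 'empty password would be an anonymous bind'];
    }
    $ldap = ldap_connect($uri);
    if ($ldap === false) {
        return ['ok' => false, 'identity' => null, 'reason' => 'malformed LDAP URI'];
    }
    ldap_set_option($ldap, LDAP_OPT_PROTOCOL_VERSION, 3);
    ldap_set_option($ldap, LDAP_OPT_REFERRALS, 0);   // AD answers domain-root searches with referrals
    $diagOpt    = defined('LDAP_OPT_DIAGNOSTIC_MESSAGE') ? LDAP_OPT_DIAGNOSTIC_MESSAGE : 0x0032;
    $lastReason = '';
    foreach (ad_bind_identities($user, $dnsDomain, $netbios) as $identity) {
        if (@ldap_bind($ldap, $identity, $password)) {
            ldap_unbind($ldap);
            return ['ok' => true, 'identity' => $identity, 'reason' => 'bound'];
        }
        $diag = '';
        ldap_get_option($ldap, $diagOpt, $diag);
        $lastReason = $identity . ': ' . ldap_error($ldap) . ' / ' . ad_bind_failure_reason((string) $diag);
    }
    ldap_unbind($ldap);
    return ['ok' => false, 'identity' => null, 'reason' => $lastReason];
}

// Constructed sample of the diagnostic text a DC attaches to a failed bind.
$sample = '80090308: LdapErr: DSID-0C09030B, comment: AcceptSecurityContext error, data 52e, v893';
echo ad_bind_failure_reason($sample), "\n";

// Live check against a reachable DC (assumed host name):
print_r(ad_try_bind('ldaps://dc1.blah.local:636', 'chewie', 'secret', 'blah.local', 'BLAH'));
```

The constructed sample carries `data 52e`, which the table maps to a wrong password; a `533` or `775` there would mean the account, not the credentials, is the problem, and no `AcceptSecurityContext` text at all points at the transport or the identity form rather than the password.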
Dirk
Site Admin
Admin
Registered: 01/12/02
Posts: 13073
Location:Stuttgart, Germany
I've also started a page on the wiki for this, but it doesn't contain any more information than above.
Input welcome!
bye, Dirk