21
mercibe
Re: LDAP authentication
  • 2004/8/3 5:42

  • mercibe

  • Just popping in

  • Posts: 55

  • Since: 2003/6/12


Hi evol13,

If you applied the hack step by step it should work. If the LDAP authentication fails, the hack automatically performs the default XOOPS authentication. I suggest you double check your LDAP parameters. What kind of LDAP server are you using: Active Directory, OpenLDAP, iPlanet, eDirectory, etc.? Try to debug/add some "echo" to verify that the bind/connection to your LDAP server is OK.

I suggest you use this hack instead, which will soon be included in the official XOOPS kernel (I hope this month):
https://xoops.org/modules/newbb/viewtopic.php?viewmode=flat&topic_id=19401&forum=14

The code is almost the same but you can quickly develop/test multiple authentication schemes without touching the kernel too much. And you can fall back to the default XOOPS authentication in 5 seconds by modifying only one string in your mainfile.php.

Best regards,

Benoit



22
mercibe
Re: LDAP authentication
  • 2004/7/27 5:39

  • mercibe

  • Just popping in

  • Posts: 55

  • Since: 2003/6/12


Hi hagane,

The password is already checked in the code previously provided. It is done during the bind process with the LDAP server:

$ldapbind = ldap_bind($ds, $uid_attr . "=" . $criteria->criteriaElements[0]->value . "," . $base_dn, $criteria->criteriaElements[1]->value);
if ($ldapbind) {
    // the user is authenticated
}


Do you have any particular reason to do so? I am interested...

By the way, you might want to have a look at this post https://xoops.org/modules/newbb/viewtopic.php?viewmode=flat&topic_id=19401&forum=14 for a more "pluggable" authentication mechanism that should be implemented in a future XOOPS release.

Benoit



23
mercibe
weBLog 1.30 small bug
  • 2004/7/2 9:13

  • mercibe

  • Just popping in

  • Posts: 55

  • Since: 2003/6/12


Hi,

For those who are using the weBLog module (by wellwine.net), I have just corrected a small annoying bug that does not allow you to get access to your "next" blogs in the SAME category if the maximum number of entries per page has been reached. Instead you get the next X blogs from the Main (root) category.

file: /weblog/index.php
line 127, replace $uri=''; by $uri='cat_id='.$cat_id;
line 130, replace $uri .= 'user_id='.$user_id; by $uri .= '&user_id='.$user_id;

Hope this will help someone.

Benoit



24
mercibe
AD, LDAP, etc.: don't weaken your company security
  • 2004/6/19 21:41

  • mercibe

  • Just popping in

  • Posts: 55

  • Since: 2003/6/12


Just one thing I would like to remind all "corporate" users: unless you use SSL (HTTPS) to get access to your XOOPS web site, all your passwords are travelling in CLEAR over the network. Your security experts might have (will have!) serious concerns about your Active Directory password usage within Xoops... If you are doing so, you will "reveal" passwords that might be known to be "secured".

This is the reason why we developed the CAS module: the password is never transmitted in clear and none of our applications have access to it. Authentication is completely externalised. It has another advantage: you can have single sign on "for free" for all applications using your central authentication server...

We could have used our AD for our CAS backend security repository, but we finally used our "pure" LDAP central directory.

Conclusion: be careful before using these authentication modules based on LDAP, AD or anything else because you could be responsible for opening a huge hole in your company security.

If you are hesitating, please stick to XOOPS basic authentication. Your password will still be visible for "all" but these passwords are only for Xoops... even if we know that a lot of people use the same password for many different systems.

Novell is using XOOPS internally and on Internet (http://forge.novell.com). Authentication is done through SSL via a central LDAP (eDirectory) repository also used for CVS access and a lot of other systems. This is not by chance...

You could use the built-in SSL login page offered by Xoops. I have never tried it. If some of you have successfully used it or know a URL where the way to use it is described, it would be nice to share.

Security is a complex matter. Don't play with your company security policies.

Benoit



25
mercibe
Re: Xoops Authentication Service hack
  • 2004/6/19 12:10

  • mercibe

  • Just popping in

  • Posts: 55

  • Since: 2003/6/12


Hi bogart,

We (unfortunately) also use the CN as unique identifier within our AD directory. Since we are a huge organization (more than 35000 entries in our AD...) I am waiting for 2 people with the same name (and we have a lot) to start working in the same unit, the info that is put between () at the end of our CN entries... BOUM! "Primary key violation"

If you want to use the "samaccountname" as login name for your user, it is only possible via a two step process. First you have to perform an anonymous query on your AD (if authorised! - otherwise use a special account or yours) to get the CN from the samaccountname. Then, simply proceed to the LDAP bind with CN and password. You can write("develop/test") your query with the help of any LDAP browser.

If I have some time next week I will add this option to the current AD "authentication module". If you wrote the query before me, simply post it here: it will make me gain 5 precious minutes.

A++

Benoit
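As an added example (not code from the XOOPS kernel, from the hack linked in these posts, or from Benoit's module), here is how the bind check shown in post 22 and the two-step "samaccountname to CN, then bind" process described in post 25 fit together in PHP. The server URI, base DN, service account and its password are hypothetical placeholders. Two checks a practitioner wants that the bare bind does not give you: an empty password is rejected before calling ldap_bind(), because most servers treat a bind with an empty password as an anonymous bind and report success, and the login is escaped with ldap_escape() before it is placed in the search filter.

```php
<?php
// Added example: two-step Active Directory authentication for a XOOPS-style login.
// Step 1: bind with a read-only service account and look up the user's DN by sAMAccountName.
// Step 2: bind as that DN with the password the user typed; a successful bind is the authentication.
// All connection values below are assumptions, not values from any real directory.

const AD_URI     = 'ldaps://ad.example.test';                        // assumed; ldaps keeps the LDAP hop itself encrypted
const AD_BASE_DN = 'OU=Users,DC=example,DC=test';                    // assumed search base
const AD_SVC_DN  = 'CN=xoops-lookup,OU=Service,DC=example,DC=test';  // assumed read-only lookup account
const AD_SVC_PW  = 'REPLACE-ME';                                     // placeholder; keep the real one outside the web root

/**
 * Returns a small profile array on success, or null when the login must be refused.
 * Returning null lets the caller fall back to the default XOOPS check, as the hack does.
 */
function ad_authenticate(string $login, string $password): ?array
{
    // Reject empty credentials up front: ldap_bind() with an empty password performs an
    // anonymous (unauthenticated) bind on most servers and returns true, which would log
    // anyone in as $login.
    if ($login === '' || $password === '') {
        return null;
    }
    // sAMAccountName is at most 20 characters and uses a restricted character set; refuse the rest.
    if (!preg_match('/^[A-Za-z0-9._-]{1,20}$/', $login)) {
        return null;
    }

    $ds = ldap_connect(AD_URI);
    if ($ds === false) {
        return null;
    }
    ldap_set_option($ds, LDAP_OPT_PROTOCOL_VERSION, 3);
    ldap_set_option($ds, LDAP_OPT_REFERRALS, 0); // AD hands out referrals that would otherwise stall the search

    // Step 1: lookup bind (use the service account; anonymous queries are often disabled on AD).
    if (!@ldap_bind($ds, AD_SVC_DN, AD_SVC_PW)) {
        ldap_close($ds);
        return null;
    }
    // ldap_escape() (PHP >= 5.6) neutralises filter metacharacters even though $login was already whitelisted.
    $filter  = '(&(objectClass=user)(sAMAccountName=' . ldap_escape($login, '', LDAP_ESCAPE_FILTER) . '))';
    $sr      = @ldap_search($ds, AD_BASE_DN, $filter, ['cn', 'mail', 'givenname', 'sn']);
    $entries = $sr ? ldap_get_entries($ds, $sr) : ['count' => 0];
    // Exactly one match is required: zero means unknown user, more than one is ambiguous and is refused.
    if ($entries['count'] !== 1) {
        ldap_close($ds);
        return null;
    }
    $user_dn = $entries[0]['dn']; // the full DN, so duplicate CNs in other OUs do not matter here

    // Step 2: the real authentication, a bind as the user with the supplied password.
    $ok = @ldap_bind($ds, $user_dn, $password);
    $profile = $ok ? [
        'dn'    => $user_dn,
        'uname' => $login,
        'name'  => $entries[0]['cn'][0] ?? '',      // ldap_get_entries() lowercases attribute names
        'email' => $entries[0]['mail'][0] ?? '',
    ] : null;
    ldap_close($ds);
    return $profile;
}

// Usage (constructed call): $profile === null means "not authenticated by AD", so the caller
// can run the default XOOPS password check instead.
$profile = ad_authenticate($_POST['uname'] ?? '', $_POST['pass'] ?? '');
```

Because the lookup is done with the full DN returned by the directory, the "two people with the same CN" problem only bites at the XOOPS side, where the CN is used as the unique key; mapping the XOOPS username to sAMAccountName (or to the DN itself) avoids that collision.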





26
mercibe
Re: Xoops + Web Server on LAN = No workage..
  • 2004/6/16 6:55

  • mercibe

  • Just popping in

  • Posts: 55

  • Since: 2003/6/12


This is bad news... If you are interested I could send you by mail (just send me a PM - private message with your email) a copy of my 2.0.6 version correctly patched (it works on 3 production sites accessed by 4 different URLs). I feel sad that you would forget about XOOPS because of that...

Best regards,

Benoit



27
mercibe
Re: Xoops + Web Server on LAN = No workage..
  • 2004/6/15 6:58

  • mercibe

  • Just popping in

  • Posts: 55

  • Since: 2003/6/12


May I ask you to keep us informed of your problem resolution? It would be nice. Thank you.

Benoit



28
mercibe
Re: Xoops + Web Server on LAN = No workage..
  • 2004/6/14 19:24

  • mercibe

  • Just popping in

  • Posts: 55

  • Since: 2003/6/12


I think you should not add any information about your host in the XOOPS_URL variable in mainfile.php (no IP address nor protocol, just /xyz or simply /). You should use a semi-relative URL instead and apply the small hack described here: https://xoops.org/modules/newbb/viewtopic.php?topic_id=13171&forum=21#forumpost69343
One day it will be incorporated in the core... I should document that in the XOOPS wiki but I am too busy (not too lazy, trust me).

This is the only way to make a single XOOPS site available from various different URLs.

Please read carefully the hack wrap-up and I am sure you will understand.

Hope this will help.

Benoit




29
mercibe
Re: Xoops Authentication Service hack
  • 2004/6/3 15:24

  • mercibe

  • Just popping in

  • Posts: 55

  • Since: 2003/6/12


Hi,

I have just finished testing it for you with my corporate Active Directory... It works by simply modifying configuration parameters of the LDAP module (ldap.php).

I suggest you first try to authenticate to your Active Directory with a standard LDAP GUI browser. If you are working with Windows, you could use the free Softerra LDAP Browser (http://www.softerra.com/products/ldapbrowser.php) or an OSS one like LDAP Explorer (Linux and Windows, http://ldaptool.sourceforge.net/). I tried both with my AD before writing these lines so I can tell you that it works.

Do not go further if you are not able to authenticate yourself and browse your AD with one of these tools.

Then try:

1. Create a new ad.php file with the same content as the ldap.php.
2. Modify the parameters at the beginning of the module, based on the ones you used with your LDAP GUI browser. Here are the ones I used:

// AD directory parameters
// all should be in lowercase
var $uid_attr = "cn"; // The unique identifier attribute (=uid=login=username)
var $mail_attr = "mail";
var $name_attr = "cn";
var $surname_attr = "sn";
var $givenname_attr = "givenname";
var $location_attr = "l"; // The attribute containing the location of the user (town, country, etc.)
var $office_attr = "physicaldeliveryofficename";
var $sernum_attr = "samaccountname"; // A unique identifier that you could use to link to more precise user profile details in another system (for example)
var $ldap_server = "S-NET1BRUDC01";
var $ldap_port = 389;
var $base_dn = "OU=Users,OU=DIGIT,OU=DGs,DC=net1,DC=cec,DC=eu,DC=int"; // The DN that will be prepended with the uid_attr to authenticate the user

3. Test...

Hope this will help !

Benoit



30
mercibe
Re: Xoops and proxy: summary of modifications needed
  • 2004/6/1 8:34

  • mercibe

  • Just popping in

  • Posts: 55

  • Since: 2003/6/12


First of all, a couple of questions:
- XOOPS version?
- OS used: Windows or Unix-like?
- What is the exact (complete) URL you get in your browser when the "Selected module does not exist!" message appears?

If you would like to work behind a proxy, you HAVE to apply the hack completely (https://xoops.org/modules/newbb/viewtopic.php?viewmode=thread&topic_id=13171&forum=21&post_id=69661#69661).

In your mainfile.php you should have something like:
*************************************************************
// XOOPS Physical Path
define('XOOPS_ROOT_PATH', '/home/wwhusoc/admin2');

// XOOPS Virtual Path (URL)
define('XOOPS_URL', '/admin2');

// Hack
define('XOOPS_DEFAULT_DOMAIN', 'http://www.massey.ac.nz');
*************************************************************

One of the common reasons for the "Selected module does not exist!" error is when you copy files from Windows to Linux/Unix: the access rights are lost and particularly the "x" (executable) bit on the directories...

You might also need something like that in your Apache configuration file:

*************************************************************
Alias /admin2 /home/wwhusoc/admin2
<DirectoryMatch /home/wwhusoc/admin2/>
Options +FollowSymLinks
AllowOverride None
order allow,deny
allow from all
</DirectoryMatch>
*************************************************************

Hope this will help. For your information I am using this hack on 3 different running XOOPS sites on Linux (2) and Windows (1).

Working with proxies, LDAP servers, etc. is more related to university or corporate environment. Most of XOOPS developers are not comfortable with these "tools". This is the reason why you got no quick answer to your question. But I can tell you that the XOOPS community is one of the most kind and helpful I have ever met on the Internet.

Best regards,

Benoit

P.-S.: I am not interested at all in your donation but I am sure that the XOOPS community would make good use of it.





