1
mercibe
Re: Xoops Authentication Service hack for Xoops 2.0.7.3
  • 2005/2/16 14:23
  • mercibe
  • Just popping in
  • Posts: 55
  • Since: 2003/6/12

I have applied the hack on a 2.0.9.2 and it works (LDAP, AD and CAS - did not test other modules). I planned to release a new version of this hack soon. And better in fact: I want to make it part of one of the next official XOOPS kernels. I will come to this forum later to discuss the issues raised by some of you.

Sorry I am very busy right now but stay tuned.

Benoit



2
mercibe
Xoops Authentication Service hack for Xoops 2.0.7.3
  • 2005/1/17 15:39
  • mercibe
  • Just popping in
  • Posts: 55
  • Since: 2003/6/12

Hi,

I will try to publish this hack for 2.0.9.2 this week. If you can't wait, have a look at the 2.0.7.3 patch that I have just uploaded at http://sourceforge.net/tracker/downlo ... file_id=116125&aid=945237

You will find all the information to apply this hack on any version by yourself in the xoops-2.0.7.3-authentication-service-hack.txt file included in the ZIP file (not corrupted, I checked!)

Best regards,

Benoit



3
mercibe
Re: Xoops Authentication Service hack
  • 2005/1/10 19:27
  • mercibe
  • Just popping in
  • Posts: 55
  • Since: 2003/6/12

Hi,

The files are available on sourceforge.net at the following URL: http://sourceforge.net/tracker/index. ... roup_id=41586&atid=430842

I do not maintain these files anymore, but they are still usable. I could update them next week with a more recent version (bug correction - no new feature), but the current ones are OK.

I still have to finish the port of this hack to the XOOPS 2.2/2.3 kernel. So be prepared to have at least this pluggable authentication hack in the forthcoming XOOPS version (in fact it is already done for the standard XOOPS authentication process).

Best regards,

Benoit



4
mercibe
Re: Successful PAM authentication module
  • 2004/12/9 13:58
  • mercibe
  • Just popping in
  • Posts: 55
  • Since: 2003/6/12

Hi alainjean/sunita,

You are right (global $xoopsUser)

Do you use your PAM authentication module today?

Would it be possible to get it? You can drop me a mail at my users.sourceforge.net address (mercibe).

I would like to integrate this module in the next XOOPS release (2.1/2)

Thank you very much in advance.

Best regards,

Benoit



5
mercibe
RE: ldap_bind problem
  • 2004/10/4 10:09
  • mercibe
  • Just popping in
  • Posts: 55
  • Since: 2003/6/12

Are you sure that the ldap server name and port point to an existing, up and running server?

var $ldap_server = "my.server.com";
var $ldap_port = 389;

It may happen that ldap_connect returns "true" even if the server is not there...

Can you connect to this server? I suggest you first try to authenticate to your server with a standard LDAP GUI browser. If you are working with Windows, you could use the free Softerra LDAP Browser (http://www.softerra.com/products/ldapbrowser.php) or an OSS one like LDAP explorer (Linux and Windows, http://ldaptool.sourceforge.net/). I tried both with my server before writing these lines so I can tell you that it works.

Do not go further if you are not able to authenticate yourself and browse your AD with one of these tools.


Benoit
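A stand-alone connectivity check for the configuration discussed in the post above, added here as an example and not code from the original hack. In PHP, ldap_connect() only validates the URI and allocates a handle; the network connection is made at ldap_bind(), which is where an absent server shows up. The host, port, bind DN and password are assumed placeholders.

```php
<?php
// Added example, not code from the original hack: check that the LDAP server
// and port configured in the module really answer, before debugging the
// authentication code itself. Host, port, bind DN and password are assumed.
$ldap_server = "my.server.com";
$ldap_port   = 389;
$bind_dn     = "cn=lookup,dc=example,dc=com";   // assumed read-only account
$bind_pw     = "change-me";                     // assumed

// ldap_connect() only allocates a handle and validates the URI; no socket is
// opened yet, which is why it can "succeed" while the server is down.
$ds = ldap_connect("ldap://$ldap_server:$ldap_port");
if ($ds === false) {
    fwrite(STDERR, "Malformed LDAP URI\n");
    exit(1);
}
ldap_set_option($ds, LDAP_OPT_PROTOCOL_VERSION, 3);
ldap_set_option($ds, LDAP_OPT_REFERRALS, 0);        // needed for Active Directory
ldap_set_option($ds, LDAP_OPT_NETWORK_TIMEOUT, 5);  // fail fast if unreachable

// The TCP connection is made here. An unreachable server surfaces as a bind
// failure with "Can't contact LDAP server", not as an ldap_connect() error.
if (!@ldap_bind($ds, $bind_dn, $bind_pw)) {
    fprintf(STDERR, "Bind to %s:%d failed: %s (errno %d)\n",
        $ldap_server, $ldap_port, ldap_error($ds), ldap_errno($ds));
    exit(1);
}
echo "Connected and bound to $ldap_server:$ldap_port\n";
ldap_unbind($ds);
```

Run it from the command line on the web server itself so that firewall rules and DNS resolution are tested from the same place XOOPS runs.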



6
mercibe
Re: LDAP authentication
  • 2004/10/1 10:38
  • mercibe
  • Just popping in
  • Posts: 55
  • Since: 2003/6/12

Hello,

Welcome on board.

The problem is that the ldap support of your PHP installation is not activated/installed. If you are working on a Debian system, simply type "apt-get install php4-ldap" for instance. You should find the same kind of package on rpm based distributions. If you are on Windows, please install the "complete" version of PHP with almost all modules embedded.

For your information, XOOPS 2.1 will allow you to authenticate your users via LDAP, Active Directory, CAS, NIS, etc.

Hope this will help!

Best regards,

Benoit



7
mercibe
Successful PAM authentication module
  • 2004/8/20 8:52
  • mercibe
  • Just popping in
  • Posts: 55
  • Since: 2003/6/12

Great news and congratulations!

I planned to have a look at this PAM module this weekend...

1. Users, even when authenticated outside of the XOOPS scope, have to be inserted in the XOOPS DB. This is mandatory since a lot of modules/tables reference them by their unique xoops_user table identifier (a good thing). So you are right, almost all authentication modules first authenticate the user via LDAP or AD for instance, insert/update user data in XOOPS and continue the normal XOOPS authentication process. So users are authenticated twice and, you are right, the password (not the password, a hash key only) of the external system is kept in the XOOPS DB. But it is updated at each new user login. This is the only way to allow a mixed authentication: external XOOPS users and XOOPS only users. But this way of doing is NOT mandatory. For the CAS module (strong security), XOOPS does not even receive the password of the user. The page that performs the authentication is a non-XOOPS page. So, the CAS realm users are the only ones able to connect to Xoops. But I still have to add them to the XOOPS DB. So I generate a fake password based on the username in the password field. I have even implemented and deployed a mixed CAS and XOOPS authentication module (not published yet on the Internet) that, based on the username (and the fake password algorithm), redirects the user either to the CAS login page or to the XOOPS standard page. The authentication process is split in 2 phases: first the user has to enter his login and then his password, either in the CAS page or the XOOPS page. This is a complex and powerful module.

Conclusion: if you need "mixed authentication" (Xoops+PAM) and do not want to store the "PAM" password in the XOOPS DB, generate a fake one based on the username (using your own function/algorithm), so that the password is kept secret (more or less, since XOOPS at one moment in time owns it and YOU could do anything with it...). This is one of the strengths of mechanisms like CAS. If you do not need mixed authentication (PAM only), you can even modify the code to not authenticate users twice. I suggest you do that in your own separated authentication modules, so that when XOOPS integrates this hack in a future version you won't have to hack anymore. You can always keep the original modules and work/hack on copies with other names.

2. Unless you use a completely externalized authentication process (like CAS) with full SSL (HTTPS) encryption during the login process, you won't have the minimum needed for a more or less secure system. A "very secure system" does not mean a lot of things to me. What about the process of password lost, modification, etc.? A delay between erroneous failed authentications can only protect you from brute force password attacks. And this should be implemented by the underlying PAM authentication system, not Xoops.
For syslog use, adapt your code as you like using PHP's syslog functions (http://www.developer.com/lang/php/article.php/3327111)
For redirection to the Homepage, you could use a Session variable to hold the number of failed attempts. At the third one, reset to 0 and redirect to home page.

It would be interesting to have those 2 last possibilities as options for all authentication modules, wouldn't it?

Best regards,

Benoit
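The two mechanisms sketched in the post above, written out as an added example (not code from the hack or from the PAM module): a placeholder stored in xoops_users instead of the external password, and a session counter of failed logins that is written to syslog and triggers a redirect on the third attempt. XOOPS_URL is the XOOPS constant; $site_secret and the function names are assumptions.

```php
<?php
// Added example, not code from the original hack. (1) keeps a placeholder
// instead of the external password in xoops_users; (2) counts failed logins
// in the session, logs them with syslog and signals a redirect on the third.
// XOOPS_URL is the XOOPS constant; $site_secret is an assumed value kept in a
// config file outside the database.

// (1) Deterministic placeholder derived from the username and a server-side
// secret: a dump of xoops_users then reveals nothing about the PAM/CAS password,
// and the same user always maps to the same value, as the mixed module needs.
function external_placeholder_password($username, $site_secret) {
    return hash_hmac('sha256', strtolower(trim($username)), $site_secret);
}

// (2) Failed-attempt bookkeeping. Returns true when the caller should send the
// user to the home page (counter reset to 0 at that point, as in the post).
function record_failed_login($username, $max_attempts = 3) {
    if (session_status() !== PHP_SESSION_ACTIVE) {
        session_start();
    }
    $n = isset($_SESSION['failed_logins']) ? $_SESSION['failed_logins'] + 1 : 1;
    $_SESSION['failed_logins'] = $n;

    // Log every failure; the remote address lets the sysadmin correlate with
    // the PAM/LDAP server logs, which is where real throttling should live.
    openlog('xoops-auth', LOG_PID, LOG_AUTH);
    syslog(LOG_WARNING, sprintf('failed login for "%s" from %s (attempt %d/%d)',
        $username, $_SERVER['REMOTE_ADDR'] ?? 'unknown', $n, $max_attempts));
    closelog();

    if ($n >= $max_attempts) {
        $_SESSION['failed_logins'] = 0;
        return true;
    }
    return false;
}

// Call after a successful login so an earlier typo does not count later.
function clear_failed_logins() {
    unset($_SESSION['failed_logins']);
}

// Usage inside an authentication module, after the external check failed:
// if (record_failed_login($uname)) { header('Location: ' . XOOPS_URL . '/'); exit; }
```

The counter lives in the visitor's session, so it only slows an interactive user; a client that discards the session cookie starts from zero, which is why the post places real brute-force throttling in the underlying PAM system rather than in XOOPS.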




8
mercibe
NIS or not to NIS ?
  • 2004/8/18 14:15
  • mercibe
  • Just popping in
  • Posts: 55
  • Since: 2003/6/12

If I were short in time as you seem to be, I would definitely use the NIS module instead of copying all my users in the XOOPS DB... It seems that the PAM module your administrator advised you to use is using the NIS server you planned to use. So I do not see any reason to, even temporarily, use the NIS server directly from Xoops.

But I am not you.

So to add users manually to xoops, the xoops_users table is the only one needed (don't forget to put a username, a mail address, activate the account, etc. in this table).

You are hacking the XOOPS authentication process to add your users. The problem is, I think, that you do not have the clear text password of your users...

Are you sure you are using the good salt with the crypt function? Look at the value of CRYPT_SALT_LENGTH in a PHP script and use the correct salt at every call of the crypt function (see NIS module code if needed).

CRYPT_STD_DES - Standard DES-based encryption with a two character salt

CRYPT_EXT_DES - Extended DES-based encryption with a nine character salt

CRYPT_MD5 - MD5 encryption with a twelve character salt starting with $1$

CRYPT_BLOWFISH - Blowfish encryption with a sixteen character salt starting with $2$

Hope this will help !

Benoit
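How the salt sizes listed in the post are used in practice, as an added example (not the NIS module's code): verifying a password against a crypt(3) hash of the kind fetched from NIS or a passwd file, and creating new hashes with a salt of the length each scheme expects. The scheme names and helper functions are assumptions; the sample password is constructed.

```php
<?php
// Added example, not the NIS module's code. Verifies a password against a
// crypt(3) hash as stored in NIS/passwd, and creates hashes with a salt of
// the length each CRYPT_* scheme expects. Sample values are constructed.

// Verification: pass the stored hash itself as the salt. crypt() reads the
// scheme prefix and salt from it, so the salt length is always correct, and
// hash_equals() keeps the comparison constant-time.
function crypt_password_matches($password, $stored_hash) {
    if ($stored_hash === '' || $stored_hash[0] === '*' || $stored_hash[0] === '!') {
        return false;   // locked/disabled account or no password set
    }
    return hash_equals($stored_hash, crypt($password, $stored_hash));
}

// Random salt from the 64-character alphabet crypt(3) accepts.
function crypt_salt_chars($length) {
    $alphabet = './ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz0123456789';
    $salt = '';
    for ($i = 0; $i < $length; $i++) {
        $salt .= $alphabet[random_int(0, 63)];
    }
    return $salt;
}

// Hash creation with the salt sizes the post lists: 2 chars for standard DES,
// "$1$" + 8 chars for MD5. PHP's bundled bcrypt expects "$2y$", a cost and
// 22 salt chars (the "$2$" form named in the post is the original OpenBSD prefix).
function make_crypt_hash($password, $scheme = 'md5') {
    switch ($scheme) {
        case 'std_des':  $salt = crypt_salt_chars(2); break;
        case 'md5':      $salt = '$1$' . crypt_salt_chars(8) . '$'; break;
        case 'blowfish': $salt = '$2y$10$' . crypt_salt_chars(22); break;
        default: throw new InvalidArgumentException("unknown scheme $scheme");
    }
    $hash = crypt($password, $salt);
    if (strlen($hash) < 13) {   // crypt() returns "*0"/"*1" when it rejects a salt
        throw new RuntimeException("crypt() rejected the salt for $scheme");
    }
    return $hash;
}

// Constructed demonstration: hash once, then check a right and a wrong password.
$hash = make_crypt_hash('s3cret-example', 'md5');
var_dump(crypt_password_matches('s3cret-example', $hash));
var_dump(crypt_password_matches('wrong-password', $hash));
```

Standard DES silently uses only the first 8 characters of the password, which is one reason to prefer the MD5 or bcrypt schemes when you control the format of the stored hash.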



9
mercibe
Re: Login users using NIS server
  • 2004/8/18 9:19
  • mercibe
  • Just popping in
  • Posts: 55
  • Since: 2003/6/12

Hi Sunita,

I understand your requirements better now. But why did you ask for NIS integration if your IMAP server is using PAM to authenticate your users? Does the PAM module use NIS as the background authentication mechanism? If yes, you could simply use the NIS module I provided to you. If not, I don't understand.

Your Requirement 1:
Implementing PAM might be difficult or very simple: I have never tried it before (no time today). It would be a pity to import your mail users into the XOOPS database. What about security, maintenance/synchronisation, password changing, new users, etc.? Please try to forget about that!

Your requirement 2: Are you kidding? Today www.xoops.org has more than 20.000 members (https://xoops.org/modules/xoopsmembers/). It is a MySQL behind Xoops, not a Microsoft Access one! But I hope you won't need to test it with your "poor" 3000 users.

I think honestly that XOOPS is the right solution for you if we could manage to authenticate users via PAM (we already have XOOPS native, LDAP, Active Directory, NIS and CAS). XOOPS can do much more than just news and forums. You never know what your future needs will be. You could have a look at phpBB (http://www.phpbb.com) but I have some doubt... (search for PAM and Authentication in forums: you will find 2 or 3 questions without answers...)

I will try to implement a PAM module but allow me at least 1 week.

Best regards,

Benoit



10
mercibe
Re: http:// is NOT http://www.
  • 2004/8/17 8:09
  • mercibe
  • Just popping in
  • Posts: 55
  • Since: 2003/6/12

I think that your problem would be solved if you could use a relative XOOPS_URL url.

define('XOOPS_URL', '/');

That way you could access your site via HTTP, HTTPS and any domain name (IP address, proxy mapping, machine name, etc.)

Am I right?

The problem is that today XOOPS cannot do it unless you apply an old hack (2.0.6) that I am still using on various production sites.

See:
https://xoops.org/modules/newbb/viewto ... 1&forum=21#forumpost69343
https://xoops.org/modules/newbb/viewto ... um=21&post_id=69661#69661

The Michael Wulff Nielsen code addition in XOOPS 2.0.7 (/include/common.php) is good and needed, but not sufficient to make it work completely.

I still have to help make it part of the XOOPS official kernel...

Regards,

Benoit



