1
mercibe
LDAP authentication
  • 2003/10/9 13:37

  • mercibe

  • Just popping in

  • Posts: 55

  • Since: 2003/6/12


It is my first PHP "development" and first post to a public forum. So I am a bit shy... Time to share experience!
I have just finished the first version of a small hack to use our internal user directory, accessible through LDAP, for XOOPS user authentication.
The goal is to allow all users registered in the Directory to directly connect to Xoops, without having to register manually,
BUT WITHOUT preventing users not present in the central Directory from registering. How does it work?
In fact, I simply automatically register the users that I can authenticate through LDAP and then let the normal authentication process continue.

2 files have to be modified:


Add these 3 lines at the very beginning of the &loginUser($uname, $pwd) function in /kernel/member.php
// Try LDAP first: on success the user is created/updated in the XOOPS DB,
// then the normal XOOPS login continues with the standard checks
$ldap_criteria = new CriteriaCompo(new Criteria('uname', $uname));
$ldap_criteria->add(new Criteria('pass', $pwd));
$authenticated = $this->_uHandler->LDAPAuthentication($ldap_criteria);


Add the following function to the XoopsUserHandler class in /kernel/user.php
/**
 * Authenticate a user against a Directory server through LDAP and create
 * (or update) the matching XOOPS user
 * @param object $criteria {@link CriteriaElement} conditions to be met:
 *               element 0 is the 'uname' criterion, element 1 the 'pass' one
 * @return bool true if the user has been authenticated, otherwise false
 */
function LDAPAuthentication($criteria = null)
{
    // Directory configuration (adapt to your server)
    $uid_attr = "uid";
    $mail_attr = "mail";
    $name_attr = "cn";
    $ldap_server = "ldap.bb.cc.dd";
    $ldap_port = 389;
    $base_dn = "ou=People,o=bb.cc.dd";
    $timezone_offset = 1;

    $authenticated = false;
    if (isset($criteria) && is_subclass_of($criteria, 'criteriaelement')) {
        $uname = $criteria->criteriaElements[0]->value;
        $pass = $criteria->criteriaElements[1]->value;
        // An empty password would make ldap_bind() perform an anonymous bind,
        // which succeeds on most servers: never treat that as a login
        if ($uname == '' || $pass == '') {
            return false;
        }
        $ds = ldap_connect($ldap_server, $ldap_port) or die("Could not connect to LDAP server.");
        if ($ds) {
            // Authentication: bind as the user ($uname is placed in the DN as typed)
            $ldapbind = @ldap_bind($ds, $uid_attr . "=" . $uname . "," . $base_dn, $pass);
            if ($ldapbind) {
                $authenticated = true;
                // Get info from LDAP (mail, name)
                $sr = ldap_search($ds, $base_dn, $uid_attr . "=" . $uname, array($mail_attr, $name_attr));
                $info = ldap_get_entries($ds, $sr);
                if ($info["count"] == 1) {
                    // Search user in the DB
                    $criteria = new CriteriaCompo(new Criteria('uname', $uname));
                    $user =& $this->getObjects($criteria, false);
                    $member_handler =& xoops_gethandler('member');
                    if (!$user || count($user) != 1) {
                        // First login: create the XOOPS user with default settings
                        $xuser =& $member_handler->createUser();
                        $xuser->setVar("uname", $uname);
                        $xuser->setVar("user_avatar", "blank.gif");
                        $xuser->setVar('user_regdate', time());
                        $xuser->setVar('timezone_offset', $timezone_offset);
                        $xuser->setVar('actkey', substr(md5(uniqid(mt_rand(), 1)), 0, 8));
                    } else {
                        $xuser =& $user[0];
                    }
                    // Refresh the XOOPS record from the directory; the md5 of the
                    // password is stored so the normal XOOPS login check still works
                    $xuser->setVar("email", $info[0][$mail_attr][0]);
                    $xuser->setVar("name", $info[0][$name_attr][0]);
                    $xuser->setVar("pass", md5($pass));
                    $xuser->setVar("level", 1);
                    $xuser->setVar('notify_method', 2);
                    // Store info in DB (update or insert)
                    if ($this->insert($xuser)) {
                        // Add the user to Registered Users group
                        $member_handler->addUserToGroup(XOOPS_GROUP_USERS, $xuser->getVar('uid'));
                    }
                }
            }
            ldap_close($ds);
        } else {
            //echo "cannot connect to ldap server";
        }
    }
    return $authenticated;
}

In order to minimize the files to modify, I put all configuration data directly where they are used.
I suppose it should be located outside, but where? (config.inc.php?)
This hack should also work for those working with Active Directory (through LDAP, of course)
by simply adapting the LDAP server info at the beginning of the LDAPAuthentication function.

Even if your LDAP server is down, registered users should be able to connect to Xoops.

I hope this will be useful for someone. In our case it allowed us to immediately adopt XOOPS for our internal developer portal.

Now I have to try the secure (SSL login page?) authentication process to
avoid the "travelling" of clear passwords over the network... Any ideas or tips?

Regards,

BM
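
As an added example (not part of the original hack or of XOOPS itself), a hardened version of the bind step used above: it refuses empty passwords (an empty password makes ldap_bind() do an anonymous bind that succeeds on many servers), escapes the username before it is placed in the DN and in the search filter, and uses STARTTLS so the bind password does not cross the network in clear text. PHP >= 5.6 (for ldap_escape), a STARTTLS-capable directory, and the server, base DN and attribute names passed in are assumptions.

```php
<?php
// Added example (not part of the original hack or of XOOPS): hardened
// version of the bind step. Assumes PHP >= 5.6 for ldap_escape(), a
// directory that accepts STARTTLS, and the same uid/base DN layout.
function ldap_check_credentials($ldap_server, $ldap_port, $base_dn,
                                $uid_attr, $uname, $pass,
                                $attrs = array('mail', 'cn'))
{
    // An empty password turns ldap_bind() into an anonymous/unauthenticated
    // bind, which succeeds on many servers and would "log in" any known uid.
    if (!is_string($uname) || trim($uname) === '' ||
        !is_string($pass) || $pass === '') {
        return false;
    }

    $ds = ldap_connect('ldap://' . $ldap_server . ':' . $ldap_port);
    if (!$ds) {
        return false;
    }
    // LDAPv3 is required for STARTTLS; STARTTLS (or an ldaps:// URI) keeps
    // the bind password from crossing the network in clear text.
    ldap_set_option($ds, LDAP_OPT_PROTOCOL_VERSION, 3);
    ldap_set_option($ds, LDAP_OPT_REFERRALS, 0);
    if (!ldap_start_tls($ds)) {
        ldap_unbind($ds);
        return false;
    }

    // The username is escaped separately for the DN and for the search
    // filter, since the two syntaxes have different special characters.
    $dn = $uid_attr . '=' . ldap_escape($uname, '', LDAP_ESCAPE_DN) . ',' . $base_dn;
    $filter = '(' . $uid_attr . '=' . ldap_escape($uname, '', LDAP_ESCAPE_FILTER) . ')';

    $result = false;
    // @ silences the warning ldap_bind() emits on invalid credentials
    if (@ldap_bind($ds, $dn, $pass)) {
        $sr = ldap_search($ds, $base_dn, $filter, $attrs);
        $info = $sr ? ldap_get_entries($ds, $sr) : false;
        // Exactly one entry must match, otherwise treat as not authenticated
        if ($info && $info['count'] == 1) {
            $result = array();
            foreach ($attrs as $a) {
                $result[$a] = isset($info[0][$a][0]) ? $info[0][$a][0] : null;
            }
        }
    }
    ldap_unbind($ds);
    return $result; // false, or an array of the requested attributes
}
```

In the hack, this function replaces the ldap_bind/ldap_search part of LDAPAuthentication: false means the user is not authenticated, and the returned array supplies the email and name values written to the XOOPS user.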

2
GuillauG
Re: LDAP authentication
  • 2003/10/29 21:45

  • GuillauG

  • Just popping in

  • Posts: 4

  • Since: 2003/10/17


I wanted to do exactly this.

I try to insert your code into xoops.

I got a problem with this line:
"$user =& this->getObjects($criteria, false);"

I get a blank screen if this is enabled; when I put // before the line, XOOPS loads but no autologin is performed....

thanks!

3
ukdave
Re: LDAP authentication
  • 2003/10/30 2:02

  • ukdave

  • Just popping in

  • Posts: 67

  • Since: 2003/6/27


I would like to do the opposite. I need to figure out how to get my registered XOOPS users into an LDAP store. How do I do that?

4
mercibe
Re: LDAP authentication
  • 2003/11/1 20:10

  • mercibe

  • Just popping in

  • Posts: 55

  • Since: 2003/6/12


Strange... This is a standard XOOPS function that should be present in your user.php

Did you check if you have the getObjects function defined in your /kernel/user.php ?

The definition should start like this:

function &getObjects($criteria = null, $id_as_key = false)

If the "line" you mention is reached, it means that your LDAP connection is successful. Try to put some debug info to understand what is going on after...

This hack does not perform an autologin (read its description again). In order to do that you could check the AUTH_USER HTTP header variable, which has to be filled in with the username of a user already authenticated by your web server via the Basic Authentication mechanism (on the same domain). Then take the appropriate decisions to create or load the user data from the XOOPS database based on your LDAP directory data and connect him to Xoops. This check/behaviour should be done ("included") automatically on every page. A nice hack to develop!

Hope this will help !

BM

5
GuillauG
Re: LDAP authentication
  • 2003/11/5 3:38

  • GuillauG

  • Just popping in

  • Posts: 4

  • Since: 2003/10/17


What i want is:

A user from our Active Directory domain goes on the site. A JavaScript takes his username, then a PHP script checks if the user is found in Netscape Directory Service (LDAP); if the user is found, then log him into XOOPS (it means that if this is the first time, it will create an entry in the xoops_users table with default settings).

Could someone give me a kind of procedure...? I'm a beginner with PHP.

thanks a lot.

6
mercibe
Re: LDAP authentication
  • 2003/11/5 8:04

  • mercibe

  • Just popping in

  • Posts: 55

  • Since: 2003/6/12


This is exactly what this hack is doing, except that the user name (and password) is entered via the standard XOOPS form. If you want some help, try to be more precise: what do you want to do? Identification or authentication? Why do you need JavaScript? You talk about Active Directory and then about Netscape Directory. How are they related?

Few months ago I was also a PHP beginner... Put your hands in it and you will get it working ! But please, try to describe precisely what you want to achieve.

BM

7
whyz
Re: LDAP authentication
  • 2004/3/11 18:22

  • whyz

  • Just popping in

  • Posts: 3

  • Since: 2002/10/10


I got a problem also:
"$user =& this->getObjects($criteria, false);"

The function &getObjects($criteria = null, $id_as_key = false) in the XoopsUserHandler class has been defined.

It said: Parse error: parse error, expecting `T_PAAMAYIM_NEKUDOTAYIM' or `'('' in /xoops2/kernel/user.php on line 705

Can anyone tell me what is wrong? Thanks!



8
whyz
Re: LDAP authentication
  • 2004/3/12 16:22

  • whyz

  • Just popping in

  • Posts: 3

  • Since: 2002/10/10


sorry, lost $ :

$user =& $this->getObjects($criteria, false);

Is ok!

9
mercibe
Re: LDAP authentication
  • 2004/3/12 16:27

  • mercibe

  • Just popping in

  • Posts: 55

  • Since: 2003/6/12


Thank you very much for your feedback. I have corrected my post. I really don't know how this $ has disappeared!!! I have just checked my production source code and it is there, of course...

Thanks again.

Benoit

10
jquinn
Re: LDAP authentication
  • 2004/4/9 16:15

  • jquinn

  • Just popping in

  • Posts: 1

  • Since: 2004/4/9 1


Great work - this fits my requirements exactly!
