Hi,

I did look at CAS and was impressed... But i am a Project liberty Advocate. CAS is very very good... But I'm working on embedding the project liberty framework into XOOPS. Could you please get in touch with me so we could share notes...

I've worked with both CAS and Liberty. (I have absolutely no compalaints about CAS. i love it). But since the industry is moving towards a liberty framework I am leaning towards the libert specs myself.


Rohan Pinto
rpinto@ldapguru.org
http://www.project-liberty.org

Hi,

I have just finished testing it for you with my corporate Active Directory... It works by simply modifying configuration parameters of the LDAP module (ldap.php).

I suggest you first try to authenticate to your Active Directory with a standard LDAP GUI Browser. If you are working with Windows, you could use the free Softerra LDAP Browser (http://www.softerra.com/products/ldapbrowser.php) or an OSS one like LDAP explorer (Linux and Windows,http://ldaptool.sourceforge.net/). I tried both with my AD before writing these lines so I can tell you that it works.

Do not go further if you are not able to authenticate yourself and browse your AD with one of these tools.

Then try:

1. create a new ad.php file with the same content that the ldap.php
2. Modify parameters at the beginning of the module, based on the one you used with your LDAP GUI browser. Here are the ones I used

//AD directory parameters
//all should be in lowercase
var $uid_attr = "cn"; // The unique identifier attribute (=uid=login=username)
var $mail_attr = "mail";
var $name_attr = "cn";
var $surname_attr = "sn";
var $givenname_attr = "givenname";
var $location_attr = "l"; // The attribute containing the location of the user (town, country, etc.)
var $office_attr = "physicaldeliveryofficename";
var $sernum_attr= "samaccountname"; // A unique identifier that you could use to link to more precise user profile details in an other system (for example)
var $ldap_server = "S-NET1BRUDC01";
var $ldap_port = 389;
var $base_dn = "OU=Users,OU=DIGIT,OU=DGs,DC=net1,DC=cec,DC=eu,DC=int"; // The DN that will be prepend with the uid_attr to authenticate the user

3. Test...

Hope this will help !

Benoit

Hi mercibe,

Thank you for this module. This is going to work well for us for active directory.

I tested it on our production AD, following your tips, and it works very well.

Our cn for the user name is a little different as it is the user's full name plus code, something like a "Jack Ryan (TS-PH)". And this is different from the login name, which would be "jackr".

I'm new to LDAP and I'm not sure if I can pass the "samaccountname" as the $uid_attr. This is the object that has the login name I want, the "jackr". Well I tested it using the LDAP browser and it wouldn't accept using samaccountname as user DN. So I guess it doesn't work, ...or does it?

Thanks.

bogart

Hi bogart,

We (unfortunately) also use the CN as unique identifier within our AD directory. Since we are a huge organization (more than 35000 entries in our AD...) I am waiting for 2 people with the same name (and we have a lot) start working in the same unit , the info that is put between () at the end of our CN entries... BOUM ! "Primary key violation"

If you want to use the "samaccountname" as login name for your user, it is only possible via a two step process. First you have to perform an anonymous query on your AD (if authorised! - otherwise use a special account or yours) to get the CN from the samaccountname. Then, simply proceed to the LDAP bind with CN and password. You can write("develop/test") your query with the help of any LDAP browser.

If I have some time next week I will add this option to the current AD "authentication module". If you wrote the query before me, simply post it here: it will make me gain 5 precious minutes

A++

Benoit

Man, this sounds great! My boss is wanting me to setup an intranet site at work, and of course I immediately thought XOOPS ! With this I should be able to intergrate it with our Active Directory

Just one thing I would like to remind to all "corporate" users : unless you use SSL (HTTPS) to get access to your XOOPS web site, all your passwords are travelling in CLEAR over the network. Your security experts might have (will have!) serious concerns about your Active Directory password usage within Xoops... If you are doing so, you will "reveal" passwords that might be known to be "secured".

This is the reason why we developed the CAS module: the password is never transmitted in clear and none of our applications have access to it. Authentication is completely externalised. It has another advantage: you can have single sign on "for free" for all applications using your central authentication server...

We could have use our AD for our CAS backend security repository, but we finally use our "pure" LDAP central directory.

Conclusion: be careful before using these authentication modules based on LDAP, AD or anything else because you could be responsible for opening a huge hole in your company security.

If you are hesitating, please stick to XOOPS basic authentication. Your password will still be visible for "all" but these password are only for Xoops... even if we now that a lot of people use the same password for many different systems

Novell is using XOOPS internally and on Internet (http://forge.novell.com). Authentication is done through SSL via a central LDAP (eDirectory) repository also used for CVS access and a lot of other systems. This is not by chance...

You could use the built-in SSL login page offered by Xoops. I have never tried it. If some of you have successfuly used it or know a URL where the way to use it is described I would be nice to share.

Security is a complex matter. Don't play with your company security policies.

Benoit

mercibe,

I would sure like to have that samaccountname option, because I don't know how to write a query .

I think I'm having problems with the CN, one because of the long names and two maybe because of the spaces.

One user has more than 25 characters in his CN and he's not able to login to xoops, even after I modified the maxlength of the textbox to > 25. I'm pretty sure I need to change something else somewhere else.

Quote:

So the sam name lookup would really work for us, as the domain login names are not too long and have no spaces. I hope you find the time to add the modifications. Thanks!

bogart

I tried out your LDAP connection settings for AD server and they work great. I have a question though, our network administrator has users in each department in their own OU, like so:
Quote:
Is it possible to have the LDAP server search across OU's? I tried setting the base DN to 'DC=epctech,DC=com', but then no user could authenticate using AD. Do I have to search each OU individually? I must confess that LDAP (and AD's implementation of LDAP)is a bit new to me, so I might be looking at this problem wrong.

ok after re-reading the ldap_search function specification on php.net, I found a code example to search AD across OU's. You need to add:



after the call to ldap_connect in the function LDAPAuthentication

Excellent piece of code!!

I have tested this and got it working using Exchange 5.5 as the LDAP server with the following mods:

1. ldap.php

Line 14 =


Line ~249

The "cn" and "uid" might be particular to the way our Exchange server was setup but these work for me very well.

Again, many thanks for sharing this with us and look forward to it being in an upcoming XOOPS update.

Cheers.

Naz.