1
Jyotirmaya
Ldap authentication Against AD

I hope you can help me out in trying to get XOOPS to authenticate to a W2K3 Active Directory.
So far I am only getting these PHP errors

Notice [PHP]: Undefined variable: userDN in file class/auth/auth_ldap.php line 105
or
Warning [PHP]: ldap_bind() [function.ldap-bind]: Unable to bind to server: Invalid credentials in file class/auth/auth_ldap.php line 91

Basically I am trying to authenticate to my AD where DNs look like this:

DN: CN=common name,OU=London Site Users,DC=domain,DC=org

Problem 1) CNs have a space in them and XOOPS does not allow login names with spaces.

Problem 2) We have users in several different OUs which appear at the top level of the domain. This means I cannot specify my base DN as OU=London Site users,DC=Domain,DC=org, since this will exclude other OUs. I also do not want users to have to log in with their CN as well as their OU (tedious!).

I use other PHP tools (phpLDAPadmin) on my webserver to bind to and search the AD using LDAP. I would always have to use a username something like common.name@domain.org in order to bind successfully; this was along with a base DN of DC=domain,DC=org.

Please can you help me to sort out the authentication if it is at all possible.
"You are never alone or helpless, the force that guides the stars guides you too"

2
Jyotirmaya
Re: Ldap authentication Against AD

reply from Pierre-Eric, module author:
Quote:

For the moment I'm not satisfied with this hack and I plan to make an upgrade.

For your AD authentication, you need to set uid as DN to NO. Your XOOPS uid needs to exist in the LDAP directory in the Users entry.
- uid as DN to NO
- Base DN : DC=domain,DC=org
- UID Field Name : Name of the attribute used to make authentication.
This attribute needs to be the same as the XOOPS username (XOOPS login name)

- UID as DN : NO
- DN of the LDAP manager : cn=admin,DC=domain,DC=org
- Password of the LDAP manager : <your pass>

For the moment it's the solution that might work. In the future I plan to make a specific AD auth driver.
"You are never alone or helpless, the force that guides the stars guides you too"

3
Jyotirmaya
Re: Ldap authentication Against AD

Thanks for the info, I managed to get the authentication working by doing the following:
1) DN of the LDAP manager : admin@domain.org (instead of cn=,DN=,DN=) - not sure why, but this was consistent with the way my other web applications authenticate against my AD.
2) I had to set the password of the XOOPS user to exactly the same as the password on the LDAP server.

Some questions:
When I change my password in my Active Directory (users must change this every 2 months for security), the password in XOOPS is not automatically changed and I can then no longer log in to XOOPS. Is the password now being checked in both XOOPS and LDAP? If so, how can I keep the passwords synchronised?

Are the passwords sent between XOOPS and LDAP in encrypted form or clear text?
"You are never alone or helpless, the force that guides the stars guides you too"

4
pemen
Re: Ldap authentication Against AD
  • 2005/9/7 13:05
  • pemen
  • Not too shy to talk
  • Posts: 186
  • Since: 2002/7/8


For the moment, the XOOPS Auth LDAP checks the password in both the LDAP server and the XOOPS database (it's a problem).
The next version will check the password only in the LDAP server (for the LDAP Auth option).

Nevertheless, I suggest you keep the Active Directory and XOOPS passwords synchronised for better maintenance.
Identity management, LDAP, Workflow and more
XoopsPro

5
pemen
Re: Ldap authentication Against AD
  • 2005/9/7 15:54
  • pemen
  • Not too shy to talk
  • Posts: 186
  • Since: 2002/7/8


Quote:
1) DN of the LDAP manager : admin@domain.org (instead of cn=,DN=,DN=) - not sure why, but this was consistent with the way my other web applications authenticate against my AD.


Effectively, in Windows Server 2003 you can use the UPN (User Principal Name) to log in to AD. The UPN is like an email address, such as user@domain.org.

But the normal DN : cn=<firstName>+<LastName>,dc=domain,dc=suffix is also available.

For auth with XOOPS, you need to set "uid as dn" to NO and LDAP - UID Field Name (in fact the login field name) to the attribute that corresponds to the XOOPS uid field.
Identity management, LDAP, Workflow and more
XoopsPro
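The "uid as DN = NO" flow described in this thread (bind as the manager with a UPN, search the whole domain for the login attribute, then bind as the found user) as an added example written against PHP's ext/ldap; it is not the XOOPS auth_ldap driver. The URI, the choice of sAMAccountName as the UID field and the manager password are assumptions; the ldaps:// scheme is used because a plain simple bind sends the password in clear text.

```php
<?php
// Added example, not XOOPS code: manager bind -> search -> user bind.
// Hypothetical settings; replace with your own directory values.
$cfg = [
    'uri'        => 'ldaps://dc1.domain.org',  // TLS: simple bind otherwise travels in clear text
    'base_dn'    => 'DC=domain,DC=org',        // domain root, so every OU below it is searched
    'uid_field'  => 'sAMAccountName',          // assumed attribute that equals the XOOPS login name
    'manager_dn' => 'admin@domain.org',        // UPN form, which the thread found works on W2K3
    'manager_pw' => 'PLACEHOLDER_MANAGER_PASSWORD',
];

function ldapAuthenticate(array $cfg, string $login, string $password): bool
{
    // AD treats an empty password as an anonymous bind that "succeeds": refuse it.
    if ($login === '' || $password === '') {
        return false;
    }
    $ds = ldap_connect($cfg['uri']);
    if ($ds === false) {
        return false;
    }
    ldap_set_option($ds, LDAP_OPT_PROTOCOL_VERSION, 3);
    ldap_set_option($ds, LDAP_OPT_REFERRALS, 0);  // AD referrals otherwise break domain-root searches

    // 1) Bind with the manager account so the whole tree can be searched.
    if (!@ldap_bind($ds, $cfg['manager_dn'], $cfg['manager_pw'])) {
        return false;
    }
    // 2) Find the user by the login attribute under the base DN. The value is
    //    escaped so a crafted login name cannot change the filter's meaning.
    $filter = sprintf('(&(objectClass=user)(%s=%s))',
                      $cfg['uid_field'], ldap_escape($login, '', LDAP_ESCAPE_FILTER));
    $res = @ldap_search($ds, $cfg['base_dn'], $filter, ['dn']);
    if ($res === false || ldap_count_entries($ds, $res) !== 1) {
        return false;  // unknown login, or ambiguous match across OUs
    }
    $userDN = ldap_get_dn($ds, ldap_first_entry($ds, $res));  // spaces in the CN are fine here

    // 3) Re-bind as that DN: AD verifies the password, so XOOPS need not store it.
    $ok = @ldap_bind($ds, $userDN, $password);
    ldap_unbind($ds);
    return $ok;
}
```

Because step 3 asks the directory itself to verify the password, a password changed in AD is honoured immediately, which is the behaviour the thread asks for.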

6
Jyotirmaya
Re: Ldap authentication Against AD

With the current setup for LDAP authentication, I see the major use as only allowing those people to register whose accounts are already on your LDAP server.

I think if we can get authentication to check just the password in LDAP this will add a lot more flexibility. Also, for setups like mine where I run several XOOPS portals for my organisation, it would help to keep all the passwords in one secure place.
"You are never alone or helpless, the force that guides the stars guides you too"

7
pemen
Re: Ldap authentication Against AD
  • 2005/9/8 10:07
  • pemen
  • Not too shy to talk
  • Posts: 186
  • Since: 2002/7/8


Hi,

Totally agree. This is the goal of the next version of the LDAP Auth.
Identity management, LDAP, Workflow and more
XoopsPro
