
IIS 7.5 + LDAP + SSO Windows Authentication -Active Directo

Posted: Mon Feb 10, 2014 5:00 pm
by JonM
Hi Guys

I'm having some very odd issues with phpMyFAQ Ver 2.8.7 and AD Authentication.

I've set up the system to use LDAP (Active Directory), and with just this on (with $PMF_LDAP['ldap_use_domain_prefix'] = false;) I can log in with any AD account just fine, and the system creates the user in the database so I can increase the access rights as required.

I have set the config to Complete secured FAQ so only authorised users can log in, but this doesn't have any effect on the issues below; I can leave it on or off and get the same issue.

I've also set up SSO via Windows Authentication, which is where the system starts behaving in an odd way.

If I log in with a user that has already logged in via LDAP (e.g. my primary AD login) and is a user within phpMyFAQ, the system signs me in correctly with my AD username etc., so the system looks like it's working perfectly.

But when a new user accesses the page, it lets them access the system, but the User Control Panel shows blank info and the user doesn't get added to the Users list. The system shows the logins as Guests.

I've created a phpinfo file, and $_SERVER["Login_User"] is passing the domain\samAccountName to PHP.

I've tried adjusting the LDAP settings to either include or exclude ['ldap_use_domain_prefix'] = false;, but this also makes no difference.

If I can get this working it will solve a huge range of issues, but I need it to use AD SSO to be any use to end users and back-end staff, as we need to track who puts in what requests, which I cannot do without both LDAP and SSO working.

Any suggestions of what to look at would be appreciated.

Regards

Jon

Re: IIS 7.5 + LDAP + SSO Windows Authentication -Active Dire

Posted: Fri Feb 14, 2014 7:03 pm
by JonM
Is anyone else having this issue?

When I turn on DEBUG I get

phpMyFAQ warning [2]: in_array() expects parameter 2 to be array, boolean given in C:\inetpub\wwwroot\itservices\index.php on line 158

whenever I log in a new user.

Appreciate any help/pointers given

Regards

Jon

Re: IIS 7.5 + LDAP + SSO Windows Authentication -Active Dire

Posted: Sat Feb 15, 2014 8:47 am
by Thorsten
Hi,

your SSO info is in $_SERVER['Login_User']? We check the value REQUEST_USER, maybe that's the issue.

bye
Thorsten

Re: IIS 7.5 + LDAP + SSO Windows Authentication -Active Dire

Posted: Mon Feb 17, 2014 1:39 pm
by JonM
Hi Thorsten

I've looked in the phpinfo.php (which I've just created) and I have the following values:

_SERVER["REMOTE_USER"] AD\Jon
_SERVER["LOGON_USER"] AD\Jon
_SERVER["AUTH_USER"] AD\Jon

Where Jon is my AD User and AD is my domain name.

I can't see REQUEST_USER within the phpinfo, so am unsure as to what I should be looking at.

Regards

Jon

Re: IIS 7.5 + LDAP + SSO Windows Authentication -Active Dire

Posted: Tue Feb 18, 2014 7:01 am
by Thorsten
Hi,

sorry, we use REMOTE_USER and your username should work:

https://github.com/thorsten/phpMyFAQ/bl ... so.php#L85

bye
Thorsten

Re: IIS 7.5 + LDAP + SSO Windows Authentication -Active Dire

Posted: Sat Mar 08, 2014 11:58 am
by jprokop
Exactly the same behavior.

My configuration:

LAMP server (Linux), Apache configured to authenticate against AD (Kerberos) and working.

The logged-in user is in REMOTE_USER in the form user@DOMAIN.COM.

For SSO a small hack was necessary:

in inc/PMF/User/CurrentUser.php:

Code:

    public function login($login, $password)
    {
        $optData = array();
        // strip a DOMAIN\ prefix, remembering the domain for the LDAP bind
        if (isset($this->_ldapConfig['ldap_use_domain_prefix'])) {
            if (($pos = strpos($login, '\\')) !== false) {
                if ($pos !== 0) {
                    $optData['domain'] = substr($login, 0, $pos);
                }
                $login = substr($login, $pos + 1);
            }
        }
        // hack for the user@DOMAIN.COM format: keep only the part before '@'
        if (($pos = strpos($login, '@')) !== false) {
            if ($pos !== 0) {
                $login = substr($login, 0, $pos);
            }
        }
    ....
Is the function adduser in sso active?
Sorry, I'm not a php coder...

regards
jan
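
The two formats mentioned in this thread (DOMAIN\user from IIS, user@DOMAIN.COM from Kerberos on Apache) can be normalised in one place. What follows is an added example, not code from phpMyFAQ or from any poster; the function names are its own, and the only project detail it assumes is the ldap_use_domain_prefix switch from constants_ldap.php shown above. Unlike the hack above it keeps the domain part of the UPN form as well, and it rejects values that cannot be a sAMAccountName instead of handing them on to an LDAP filter or a database insert.

```php
<?php
// Added example (not phpMyFAQ code): turn the value the web server puts into
// $_SERVER['REMOTE_USER'] into a domain part and a bare account name, so that
// "AD\Jon", "jon@ad.example.com" and "jon" all yield the same account name.

/**
 * Split an SSO principal into array('domain' => ..., 'login' => ...).
 * Returns null for empty or malformed input ("\jon", "@corp", "a\b\c", "jon*").
 */
function pmf_example_split_principal($remoteUser)
{
    $value = trim((string) $remoteUser);
    if ($value === '') {
        return null;
    }

    if (strpos($value, '\\') !== false) {
        // down-level logon name: DOMAIN\sAMAccountName (IIS / NTLM)
        $parts = explode('\\', $value);
        if (count($parts) !== 2 || $parts[0] === '' || $parts[1] === '') {
            return null;
        }
        $domain = $parts[0];
        $login  = $parts[1];
    } elseif (strpos($value, '@') !== false) {
        // user principal name: user@REALM (Kerberos on Apache)
        $parts = explode('@', $value);
        if (count($parts) !== 2 || $parts[0] === '' || $parts[1] === '') {
            return null;
        }
        $login  = $parts[0];
        $domain = $parts[1];
    } else {
        // bare account name, no domain information available
        $login  = $value;
        $domain = null;
    }

    // characters that are not allowed in a sAMAccountName: refuse rather than
    // pass them into an LDAP filter or an INSERT into faquser
    if (preg_match('/["\/\\\\\[\]:;|=,+*?<>@]/', $login)) {
        return null;
    }

    return array('domain' => $domain, 'login' => $login);
}

/**
 * Name to bind with, honouring ldap_use_domain_prefix: with the prefix bind
 * as DOMAIN\login; without it return the bare login for a DN lookup.
 */
function pmf_example_bind_login(array $principal, $useDomainPrefix)
{
    if ($useDomainPrefix && $principal['domain'] !== null) {
        return $principal['domain'] . '\\' . $principal['login'];
    }
    return $principal['login'];
}

// constructed sample values in the forms reported in this thread
$samples = array(
    'AD\\Jon'            => array('domain' => 'AD',             'login' => 'Jon'),
    'jon@AD.EXAMPLE.COM' => array('domain' => 'AD.EXAMPLE.COM', 'login' => 'jon'),
    'jon'                => array('domain' => null,             'login' => 'jon'),
    ''                   => null,
    '\\jon'              => null,
    'a\\b\\c'            => null,
    'jon*'               => null,
);
foreach ($samples as $input => $expected) {
    if (pmf_example_split_principal($input) !== $expected) {
        throw new RuntimeException("unexpected result for '$input'");
    }
}
echo pmf_example_bind_login(pmf_example_split_principal('AD\\Jon'), true), "\n";
```

The rejected character set is the one Active Directory refuses in a sAMAccountName, plus '@' once the UPN realm has been split off; a domain prefix is kept for the bind, while the bare login is what a later DN lookup or the faquser row should use.
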

Re: IIS 7.5 + LDAP + SSO Windows Authentication -Active Dire

Posted: Sat Mar 15, 2014 5:45 pm
by Thorsten
Hi,

thanks for the hint, I'll fix that part of the code in 2.8.8!

bye
Thorsten

Re: IIS 7.5 + LDAP + SSO Windows Authentication -Active Dire

Posted: Sat Jun 07, 2014 12:25 pm
by JonM
Hi guys

I see you have added these changes into the latest version; I still can't get it working and think I might be missing something obvious.

I can:
Get LDAP working successfully: I'm able to log in with any AD user via LDAP, and it creates the user in the faquser table.
Turn on SSO, so authentication by NTLM is working.

Where I'm having issues is

If a new user who has never logged in via LDAP accesses the site, it allows access to the site, but doesn't correctly create an account for the user (see attached Image1); it just gets into an odd situation.
(attachment: image1.png)
If I log in with an account that was previously created by signing in with LDAP, the system picks up the username and email details etc. (see attached Image2).
(attachment: image2.png)
I've tried various different LDAP settings within constants_ldap.php,

changing ldap_use_domain_prefix to true and to false, but the system still doesn't pick up the details from SSO, then LDAP.

I've tried using a Complete secured FAQ, but this makes no difference.

Maybe I'm expecting too much, but it would seem logical to me that if you wanted to use SSO within a corporate environment then using LDAP as well to populate the details would be sensible.

I've included a screenshot of phpinfo that I created within the FAQ directory, which shows the AD user details are being passed to PHP (I've edited some details out). See attached Image3.
(attachment: image3.png)
I hope someone can enlighten me as to where I'm going wrong.

Thanks

Jon

Re: IIS 7.5 + LDAP + SSO Windows Authentication -Active Dire

Posted: Thu Jun 19, 2014 5:06 pm
by Thorsten
Hi,

can you send me a backup of your database so I can analyse your data?

bye
Thorsten

Re: IIS 7.5 + LDAP + SSO Windows Authentication -Active Dire

Posted: Mon Jun 30, 2014 12:44 pm
by linkazoid2
Hi,

I have the same issue. My login details are passed to phpinfo, but when attempting to log in it is blank.

I will PM you a link to my database export.

Thanks,

Michael

Re: IIS 7.5 + LDAP + SSO Windows Authentication -Active Dire

Posted: Sun Jul 13, 2014 10:18 am
by nawiiwan
Hi,
I have the same issue, I mean:
- LDAP (Active Directory) is working fine,
- SSO (on IIS) is working fine.

I installed phpMyFAQ from phpmyfaq-2.8.11.zip.

What did I find?
There are two situations:
- The user exists in the PMF database: then after login using SSO the username is visible.
- The user doesn't exist in the PMF database: then the username is blank, and the user is not created in the PMF database.

When LDAP is enabled and SSO is disabled, we need to provide a username and password. This pair is checked in LDAP (Active Directory) in the function checkPassword (inc/PMF/Auth/Ldap.php). If the username and password are valid, there is no error for (inc/PMF/Auth/Ldap.php, lines 201-207):

Code:

        $this->ldap->connect(
            $this->_ldapConfig['ldap_server'],
            $this->_ldapConfig['ldap_port'],
            $this->_ldapConfig['ldap_base'],
            $bindLogin,
            $pass
        );

and then the program adds/updates this username in the local PMF database:

Code:

            $this->add($login, $pass);

If SSO is enabled, the program reads the username and sets the password to an empty string (index.php, lines 93-94):

Code:

    $faqusername = trim($_SERVER['REMOTE_USER']);
    $faqpassword = '';

An empty password in checkPassword in inc/PMF/Auth/Ldap.php returns "false", so the user data cannot be created ($this->add($login, $pass); is not run).


Workaround/solution
Set $faqpassword in index.php, line 94, to a "complicated string", e.g.:

Code:

    $faqpassword = 'sso_enabled_dfjgklhsdlfkghfguuiowreuserdsfajkchfreounrynrc4u3578cnq3cytr8q473tfcqg678mnfg6c473fh84c3hnrf69aq238r';
Change the function checkPassword in inc/PMF/Auth/Ldap.php:

Code:

    public function checkPassword($login, $pass, array $optionalData = null)
    {
        if ('' === trim($pass)) {
            $this->errors[] = PMF_User::ERROR_USER_INCORRECT_PASSWORD;
            return false;
        }

        if ('sso_enabled_dfjgklhsdlfkghfguuiowreuserdsfajkchfreounrynrc4u3578cnq3cytr8q473tfcqg678mnfg6c473fh84c3hnrf69aq238r' === trim($pass)) {
            // SSO is enabled: index.php put the marker string into $pass, so bind
            // with the configured service account instead of as the user.
            // Note: this branch never looks $login up in the directory; the name
            // supplied by the web server is taken as-is and handed to add() below.
            $this->ldap = new PMF_Ldap($this->_config);
            $this->ldap->connect(
                $this->_ldapConfig['ldap_server'],
                $this->_ldapConfig['ldap_port'],
                $this->_ldapConfig['ldap_base'],
                $this->_ldapConfig['ldap_user'],
                $this->_ldapConfig['ldap_password']
            );
        } else {
            // SSO is disabled: verify the user's own password by binding as the user
            $bindLogin = $login;
            if ($this->_ldapConfig['ldap_use_domain_prefix']) {
                // $optionalData is null when the login carried no DOMAIN\ prefix
                if (is_array($optionalData) && array_key_exists('domain', $optionalData)) {
                    $bindLogin = $optionalData['domain'] . '\\' . $login;
                }
            } else {
                // no domain prefix: resolve the user's DN via the service account first
                $this->ldap = new PMF_Ldap($this->_config);
                $this->ldap->connect(
                    $this->_ldapConfig['ldap_server'],
                    $this->_ldapConfig['ldap_port'],
                    $this->_ldapConfig['ldap_base'],
                    $this->_ldapConfig['ldap_user'],
                    $this->_ldapConfig['ldap_password']
                );
                if ($this->ldap->error) {
                    $this->errors[] = $this->ldap->error;
                }

                $bindLogin = $this->ldap->getDn($login);
            }

            // Check user in LDAP
            $this->ldap = new PMF_Ldap($this->_config);
            $this->ldap->connect(
                $this->_ldapConfig['ldap_server'],
                $this->_ldapConfig['ldap_port'],
                $this->_ldapConfig['ldap_base'],
                $bindLogin,
                $pass
            );
        }

        if ($this->ldap->error) {
            $this->errors[] = $this->ldap->error;
            return false;
        } else {
            $this->add($login, $pass);
            return true;
        }
    }
Is it possible to apply such behaviour in future versions of phpMyFAQ?

Regards,
Maciej

Re: IIS 7.5 + LDAP + SSO Windows Authentication -Active Dire

Posted: Sun Jul 13, 2014 10:36 am
by Thorsten
Hi,

sure, I can add this to 2.8.12. Does this "patch" work for you?

bye
Thorsten

Re: IIS 7.5 + LDAP + SSO Windows Authentication -Active Dire

Posted: Sun Jul 13, 2014 10:51 am
by nawiiwan
Hi,
I did it on a test server last week, and today modified it a little bit. It looks like it is working fine.

I plan to implement it on the production server in the next days and test it deeper in the next 2-4 weeks.

Regards,
Maciej

Re: IIS 7.5 + LDAP + SSO Windows Authentication -Active Dire

Posted: Sun Jul 13, 2014 11:05 am
by Thorsten
Hi,

okay, that would be fine; if you can give feedback, then I'll add it to 2.8.12

bye
Thorsten

Re: IIS 7.5 + LDAP + SSO Windows Authentication -Active Dire

Posted: Sun Jul 13, 2014 11:32 am
by nawiiwan
Hi,
thank you!

I will give you feedback in the next days/weeks.


Please let me know, is it possible to read $faqConfig->get('security.ssoSupport') in inc/PMF/Auth/Ldap.php to check whether SSO is enabled in this way:

Code:

if ($faqConfig->get('security.ssoSupport') && isset($_SERVER['REMOTE_USER'])) {

instead of my workaround

Code:

if ('sso_enabled_dfjgklhsdlfkghfguuiowreuserdsfajkchfreounrynrc4u3578cnq3cytr8q473tfcqg678mnfg6c473fh84c3hnrf69aq238r' === trim($pass)) { // SSO is enabled

I tried this, but it looks like it didn't work.

Regards,
Maciej
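
Both Maciej's patch above (a marker string in the password field, after which the service-account bind succeeds for whatever name arrived in REMOTE_USER without that account being looked up) and his last question (reading security.ssoSupport inside inc/PMF/Auth/Ldap.php) come down to where the SSO decision and the identity check should live. What follows is an added example, not phpMyFAQ code and not the patch discussed in this thread. It assumes that the value of security.ssoSupport can be obtained from the configuration object the auth class is constructed with, rather than from the $faqConfig variable that exists in index.php, and passes that value in as a plain flag; the name taken from REMOTE_USER is then looked up in the directory through a service-account bind, with the filter value escaped, before anything is added locally. ExampleLdapDirectory needs a real domain controller; ExampleArrayDirectory is a constructed stand-in so the block runs offline. All class names, method names and the sample account are this example's own.

```php
<?php
// Added example, not phpMyFAQ code. SSO flag from the constructor (assumed to be
// fed from security.ssoSupport by the caller), directory lookup before add().

interface ExampleDirectory
{
    public function findAccountDn($samAccountName);   // DN or null if no such account
}

/** Real lookup: bind with the service account, then search by sAMAccountName. */
class ExampleLdapDirectory implements ExampleDirectory
{
    private $cfg;   // same keys as $PMF_LDAP in constants_ldap.php
    public function __construct(array $ldapConfig) { $this->cfg = $ldapConfig; }

    public function findAccountDn($samAccountName)
    {
        $conn = ldap_connect($this->cfg['ldap_server'], (int) $this->cfg['ldap_port']);
        if ($conn === false) { return null; }
        ldap_set_option($conn, LDAP_OPT_PROTOCOL_VERSION, 3);
        ldap_set_option($conn, LDAP_OPT_REFERRALS, 0);   // AD returns referrals otherwise
        if (!@ldap_bind($conn, $this->cfg['ldap_user'], $this->cfg['ldap_password'])) { return null; }
        // escape the value so a crafted REMOTE_USER cannot change the filter
        $filter = '(&(objectClass=user)(sAMAccountName=' . self::escapeFilter($samAccountName) . '))';
        $result = @ldap_search($conn, $this->cfg['ldap_base'], $filter, array('dn'));
        $dn = null;
        if ($result !== false) {
            $entries = ldap_get_entries($conn, $result);
            if ($entries !== false && $entries['count'] === 1) {
                $dn = $entries[0]['dn'];
            }
        }
        ldap_unbind($conn);
        return $dn;
    }

    /** RFC 4515 escaping of filter values (ldap_escape() only exists from PHP 5.6). */
    public static function escapeFilter($value)
    {
        return str_replace(array('\\', '*', '(', ')', "\0"),
                           array('\\5c', '\\2a', '\\28', '\\29', '\\00'), $value);
    }
}

/** Offline stand-in with a constructed account list: lower-cased sAMAccountName => DN. */
class ExampleArrayDirectory implements ExampleDirectory
{
    private $accounts;
    public function __construct(array $accounts) { $this->accounts = $accounts; }
    public function findAccountDn($samAccountName)
    {
        $key = strtolower($samAccountName);
        return isset($this->accounts[$key]) ? $this->accounts[$key] : null;
    }
}

class ExampleSsoAuth
{
    private $ssoEnabled;
    private $directory;
    public $errors  = array();
    public $created = array();   // logins that would be handed to add()

    public function __construct($ssoEnabled, ExampleDirectory $directory)
    {
        $this->ssoEnabled = (bool) $ssoEnabled;
        $this->directory  = $directory;
    }

    /** $remoteUser is $_SERVER['REMOTE_USER'] as set by IIS or Apache, passed in explicitly. */
    public function checkSso($remoteUser)
    {
        if (!$this->ssoEnabled) {
            $this->errors[] = 'SSO is disabled; use the password login';
            return false;
        }
        $login = trim((string) $remoteUser);
        if (($pos = strrpos($login, '\\')) !== false) {   // DOMAIN\user
            $login = substr($login, $pos + 1);
        }
        if (($pos = strpos($login, '@')) !== false) {     // user@REALM
            $login = substr($login, 0, $pos);
        }
        if ($login === '' || $this->directory->findAccountDn($login) === null) {
            $this->errors[] = 'no directory account for REMOTE_USER "' . $remoteUser . '"';
            return false;
        }
        $this->created[] = $login;   // only now create the local record; no password is stored
        return true;
    }
}

// constructed directory contents and REMOTE_USER values for the offline run
$dir = new ExampleArrayDirectory(array('jon' => 'CN=Jon,OU=Staff,DC=ad,DC=example,DC=com'));
$sso = new ExampleSsoAuth(true, $dir);
$off = new ExampleSsoAuth(false, $dir);
if ($sso->checkSso('AD\\Jon') !== true || $sso->checkSso('jon@AD.EXAMPLE.COM') !== true
    || $sso->checkSso('AD\\nobody') !== false || $sso->checkSso('') !== false
    || $off->checkSso('AD\\Jon') !== false
    || ExampleLdapDirectory::escapeFilter('jon*)') !== 'jon\\2a\\29') {
    throw new RuntimeException('unexpected result');
}
```

With the flag coming in through the constructor, nothing in the auth class depends on a variable that only index.php defines, which is the scoping problem behind the last question; and because the lookup is a search for the exact account rather than a bare service-account bind, a REMOTE_USER value that does not correspond to a directory object is refused instead of being written to faquser.
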