LDAP

All about webserver configurations, PHP and databases.

Moderator: Thorsten

Tinman
Posts: 19
Joined: Sun May 09, 2010 3:34 pm

LDAP

Post by Tinman » Thu May 27, 2010 12:46 am

I promise I'm coming to the end of my questions!

Now that I have the FAQ running the way I want, I'd like to use LDAP to integrate our existing Windows Server 2003 Active Directory.

On my Linux box I'm running Ubuntu 10.04 (but will use 9.0 when I reinstall for ease of Webmin installation). I ran sudo apt-get install php5-ldap, and then did the phpmyfaq setup.

During setup, I entered, then verified in the ldap.php file, the following values:

"ldap_server" = IP of my Windows 2003 server
"ldap_port" = 389
"ldap_user" = hotspot\administrator
"ldap_password" = password
"ldap_base" = dc=servername, dc=domainname

I then activated the LDAP option in config.

When I attempt to use a domain account to log in, I get the following debug information.

phpMyFAQ warning [2]: ldap_search(): Search: No such object in Ldap.php on line 167

phpMyFAQ warning [2]: ldap_first_entry() expects parameter 2 to be resource, boolean given in Ldap.php on line 174

phpMyFAQ warning [2]: ldap_get_values() expects parameter 2 to be resource, null given in Ldap.php on line 181

But, once I've enabled LDAP, I get the same messages when attempting to use a non-domain user account as well. For domain accounts, should I use the Domain\User form? Or if it were working, would just the domain user account be sufficient? Example... Domain\user or just user?

My problem could very well be on the Windows side or the Linux side... but any advice is appreciated.

Thorsten
Posts: 14769
Joined: Tue Sep 25, 2001 11:14 am
Location: #phpmyfaq

Re: LDAP

Post by Thorsten » Thu May 27, 2010 7:26 pm

Hi,

Tinman wrote: But, once I've enabled LDAP, I get the same messages when attempting to use a non-domain user account as well. For domain accounts, should I use the Domain\User form? Or if it were working, would just the domain user account be sufficient? Example... Domain\user or just user?

Do you see any errors on your Windows server? Please also check the LDAP configuration in config/constants_ldap.php.

bye
Thorsten
phpMyFAQ Maintainer and Lead Developer

Tinman
Posts: 19
Joined: Sun May 09, 2010 3:34 pm

Re: LDAP

Post by Tinman » Mon Jun 07, 2010 7:09 pm

LDAP is running on the server, and I don't see any errors. I reinstalled Ubuntu and then LDAP using...

1. sudo apt-get update
2. sudo apt-get install likewise-open
3. sudo domainjoin-cli join fqdn.of.your.domain Administrator
4. sudo update-rc.d likewise-open defaults
5. sudo /etc/init.d/likewise-open start
From http://anothersysadmin.wordpress.com/20 ... buntu-804/

With that, I'm able to log into the Linux server using my domain credentials, so LDAP is working on that level. I then ran sudo apt-get install php5-ldap and configured the FAQ.

I can log into the FAQ using my personal domain account, but I think that's only because I've got those details specified in /var/www/faq/config/ldap.php. When I try a different account, it fails with this output (similar to my last output):


phpMyFAQ warning [2]: ldap_get_values(): supplied argument is not a valid ldap result entry resource in Ldap.php on line 181

phpMyFAQ warning [2]: Cannot modify header information - headers already sent by (output started at /var/www/faq/inc/functions.php:173) in Session.php on line 380

phpMyFAQ warning [2]: Cannot modify header information - headers already sent by (output started at /var/www/faq/inc/functions.php:173) in index.php on line 589

phpMyFAQ warning [2]: Cannot modify header information - headers already sent by (output started at /var/www/faq/inc/functions.php:173) in index.php on line 590

phpMyFAQ warning [2]: Cannot modify header information - headers already sent by (output started at /var/www/faq/inc/functions.php:173) in index.php on line 591

phpMyFAQ warning [2]: Cannot modify header information - headers already sent by (output started at /var/www/faq/inc/functions.php:173) in index.php on line 592

phpMyFAQ warning [2]: Cannot modify header information - headers already sent by (output started at /var/www/faq/inc/functions.php:173) in index.php on line 593

phpMyFAQ warning [2]: Cannot modify header information - headers already sent by (output started at /var/www/faq/inc/functions.php:173) in index.php on line 594

phpMyFAQ warning [2]: Cannot modify header information - headers already sent by (output started at /var/www/faq/inc/functions.php:173) in index.php on line 595

My Constants_Ldap.php has this (comment fields excluded):

$PMF_LDAP['ldap_mapping'] = array(
    'name'     => 'cn',
    'username' => 'samAccountName',
    'mail'     => 'mail'
);

$PMF_LDAP['ldap_use_domain_prefix'] = true;
$PMF_LDAP['ldap_options'] = array(
    LDAP_OPT_PROTOCOL_VERSION => 3,
    LDAP_OPT_REFERRALS        => 0
);

Not sure if this is right or wrong. Considering that I can log into the server with Domain credentials, I'm pretty sure the problem is in my FAQ configuration, I just know what to change.

Tinman
Posts: 19
Joined: Sun May 09, 2010 3:34 pm

Re: LDAP

Post by Tinman » Mon Jun 07, 2010 8:33 pm

Also...

I set LDAP event logging to grab every single event, and tried again. I noticed that when I log in using my credentials, and everything works... well... everything works. If I use someone else's credentials, it's still my credentials that are passed to the server, then I get the above error messages.

I think it's using the details in LDAP.php to authenticate to the server, but then comparing the supplied credentials against the ones being used to authenticate to the server, and failing the FAQ login. I hope that makes sense... but I don't understand why.

Tinman
Posts: 19
Joined: Sun May 09, 2010 3:34 pm

Re: LDAP

Post by Tinman » Mon Jun 07, 2010 9:55 pm

I think I got it figured out. My DN was too specific: I had the complete path to MY identity, and when I removed everything up to the Users OU it worked fine.

Tinman
Posts: 19
Joined: Sun May 09, 2010 3:34 pm

Re: LDAP

Post by Tinman » Mon Jun 07, 2010 10:32 pm

First off, I promise that this unfortunate stream-of-thought of threads isn't just a plan to boost my post # for some mastermind plot. Sometimes I just think better out loud, and these next questions are pretty straightforward.

My understanding is that ./config/constants.php is what FAQ uses to authenticate to my Active Directory server.

Is it possible to use the username/password the user is supplying to authenticate? I'd rather not have a username/password stored in plain text sitting in my config folder.

Is there a setting to automatically append a domain prefix so my domain members don't need to type Domain\user?

Thanks again for the help.

Thorsten
Posts: 14769
Joined: Tue Sep 25, 2001 11:14 am
Location: #phpmyfaq

Re: LDAP

Post by Thorsten » Tue Jun 08, 2010 7:53 am

Hi,

First, my knowledge of LDAP is very poor; most of the LDAP code of phpMyFAQ is not by myself.

Tinman wrote: My understanding is that ./config/constants.php is what FAQ uses to authenticate to my Active Directory server.

Do you mean ./config/constants_ldap.php?

Tinman wrote: Is it possible to use the username/password the user is supplying to authenticate? I'd rather not have a username/password stored in plain text sitting in my config folder.

Yes, this should work...

Tinman wrote: Is there a setting to automatically append a domain prefix so my domain members don't need to type Domain\user?

Maybe this could work by using additional configuration items in ./config/constants_ldap.php.

bye
Thorsten
phpMyFAQ Maintainer and Lead Developer

Tinman
Posts: 19
Joined: Sun May 09, 2010 3:34 pm

Re: LDAP

Post by Tinman » Wed Jun 09, 2010 6:40 pm

Sorry... not constants.php... I meant ldap.php:

<?php
$PMF_LDAP["ldap_server"]   = 'ip of domain controller';
$PMF_LDAP["ldap_port"]     = '389';
$PMF_LDAP["ldap_user"]     = 'DOMAIN\user';
$PMF_LDAP["ldap_password"] = "user's password";   // an apostrophe inside a single-quoted string is a syntax error
$PMF_LDAP["ldap_base"]     = 'ou=dept, ou=users, dc=subdomain, dc=domain, dc=com';


This is the file that took me the longest to figure out. At first I had the Ldap base set to the full distinguished name of the domain\users account - cn = 'domain user', ou=dept, ou=users, dc=subdomain, dc=domain, dc=com... I had to drop the specific domain user mentioned.

I noticed the account was authenticating to the server, but LDAP was still failing. By expanding the DN to the users folder, it started working right away.

I'm going to remove the LDAP service for logging into the Linux server using domain credentials; that'll at least lock down access to the configuration text files to people with the local Linux login.
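The search-then-bind flow the thread works through (bind with a lookup account, search by sAMAccountName under the base DN, then re-bind as the found user with the password they typed), written as an added PHP example rather than phpMyFAQ's own Ldap.php. The server address, base DN and lookup account are placeholders, and the lookup password is read from an environment variable instead of a file in the web root.

```php
<?php
// Added example, not phpMyFAQ code. Placeholders: $server, $base, $svcUser.
$server  = 'ldap://192.0.2.10';                       // placeholder domain controller
$base    = 'ou=users,dc=subdomain,dc=domain,dc=com';  // a container, not one user's DN
$svcUser = 'DOMAIN\svc_faq';                          // read-only lookup account
$svcPw   = (string) getenv('FAQ_LDAP_PASSWORD');      // keep it out of config/ldap.php

function ldapAuthenticate(string $server, string $base, string $svcUser, string $svcPw,
                          string $login, string $password): ?array
{
    // A simple bind with an empty password is an "unauthenticated bind" that AD
    // accepts by default, so it must never be treated as a successful login.
    if ($password === '') {
        return null;
    }
    $ds = ldap_connect($server);
    ldap_set_option($ds, LDAP_OPT_PROTOCOL_VERSION, 3);
    ldap_set_option($ds, LDAP_OPT_REFERRALS, 0);   // AD sends referrals on sub-tree searches

    // Step 1: bind with the lookup account. This is the bind the DC audit log
    // shows even when a different user is logging in to the FAQ.
    if (!@ldap_bind($ds, $svcUser, $svcPw)) {
        return null;
    }

    // Step 2: search by sAMAccountName. Accept DOMAIN\user or plain user, and
    // escape the value so the login cannot alter the filter (LDAP injection).
    $pos    = strrpos($login, '\\');
    $sam    = $pos === false ? $login : substr($login, $pos + 1);
    $filter = '(&(objectClass=user)(sAMAccountName='
            . ldap_escape($sam, '', LDAP_ESCAPE_FILTER) . '))';

    // If $base names no existing object (e.g. dc=servername,dc=domainname) the
    // server answers "No such object" and ldap_search() returns false. If $base
    // is one user's own DN, any other account simply yields zero entries, which
    // is the "invalid ldap result entry" warning seen later in the thread.
    $result = @ldap_search($ds, $base, $filter, ['cn', 'mail']);
    if ($result === false || ldap_count_entries($ds, $result) !== 1) {
        return null;   // base DN wrong, user not found, or ambiguous match
    }
    $entry  = ldap_first_entry($ds, $result);
    $userDn = ldap_get_dn($ds, $entry);

    // Step 3: re-bind as the user with the supplied password. This is the real
    // credential check; no end-user password ever sits in the config folder.
    if (!@ldap_bind($ds, $userDn, $password)) {
        return null;
    }
    $attrs = ldap_get_attributes($ds, $entry);
    return ['dn' => $userDn, 'name' => $attrs['cn'][0] ?? $sam,
            'mail' => $attrs['mail'][0] ?? null];
}
```

The lookup account only needs read access to the Users container; the user's own bind is what proves the password, so the configured credentials never have to be an administrator's.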
