IIS 7.5 + LDAP + SSO Windows Authentication -Active Directo
Moderator: Thorsten
Hi Guys
I'm having some very odd issues with phpMyFAQ Ver 2.8.7 and AD Authentication.
I've set up the system to use LDAP (Active Directory) and with just this on (with $PMF_LDAP['ldap_use_domain_prefix'] = false;) I can log in with any AD account just fine, and the system creates the user in the database so I can increase the access rights as required.
I have set the config to Complete secured FAQ so only authorised users can log in, but this has no effect on the issues below; I can leave it on or off and get the same issue.
I've also set up SSO via Windows Authentication, which is where the system starts behaving in an odd way.
If I log in with a user that has already logged in via LDAP (e.g. my primary AD login) and is a user within phpMyFAQ, then the system signs me in correctly, with my AD username etc., so the system looks like it's working perfectly.
But when a new user accesses the page, it lets them access the system but the UserControlPanel shows blank info, and the user doesn't get added to the Users list. The system shows the logins as Guests.
I've created a phpinfo file and the Server "Login_User" is passing the domain\samAccountName to PHP.
I've tried adjusting the LDAP settings to either include or exclude ['ldap_use_domain_prefix'] = false; but this also makes no difference.
If I can get this working it will solve a huge range of issues, but I need it to use AD SSO to be of any use to end users and back end staff, as we need to track who puts in what requests, which I cannot do without both LDAP and SSO working.
Any suggestions of what to look at would be appreciated.
Regards
Jon
Re: IIS 7.5 + LDAP + SSO Windows Authentication -Active Dire
Is anyone else having this issue?
When I turn on DEBUG I get
phpMyFAQ warning [2]: in_array() expects parameter 2 to be array, boolean given in C:\inetpub\wwwroot\itservices\index.php on line 158
whenever I log in a new user.
Appreciate any help/pointers given
Regards
Jon
Re: IIS 7.5 + LDAP + SSO Windows Authentication -Active Dire
Hi,
your SSO info is in $_SERVER['Login_User']? We check the value REQUEST_USER, maybe that's the issue.
bye
Thorsten
phpMyFAQ Maintainer and Lead Developer
Re: IIS 7.5 + LDAP + SSO Windows Authentication -Active Dire
Hi Thorsten
I've looked in the phpinfo.php (which I've just created) and I have the following values:
_SERVER["REMOTE_USER"] AD\Jon
_SERVER["LOGON_USER"] AD\Jon
_SERVER["AUTH_USER"] AD\Jon
Where Jon is my AD User and AD is my domain name.
I can't see REQUEST_USER within the phpinfo, so am unsure as to what I should be looking at.
Regards
Jon
Re: IIS 7.5 + LDAP + SSO Windows Authentication -Active Dire
Hi,
sorry, we use REMOTE_USER and your username should work:
https://github.com/thorsten/phpMyFAQ/bl ... so.php#L85
bye
Thorsten
Re: IIS 7.5 + LDAP + SSO Windows Authentication -Active Dire
The exact same behavior.
My configuration:
LAMP server, Linux, Apache configured to authenticate against AD (Kerberos) and working.
The logged-in user is in REMOTE_USER in the form user@DOMAIN.COM.
For SSO a small hack was necessary, in inc/PMF/User/CurrentUser.php:
Code:
    public function login($login, $password)
    {
        $optData = array();
        if (isset($this->_ldapConfig['ldap_use_domain_prefix'])) {
            if (($pos = strpos($login, '\\')) !== false) {
                if ($pos !== 0) {
                    $optData['domain'] = substr($login, 0, $pos);
                }
                $login = substr($login, $pos + 1);
            }
        }
        // hack for format user@DOMAIN.COM
        if (($pos = strpos($login, '@')) !== false) {
            if ($pos !== 0) {
                $login = substr($login, 0, $pos);
            }
        }
        ....
Is the function adduser in sso active?
Sorry, I'm not a php coder...
regards
jan
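The login-name clean-up that jan's hack performs, as an added example that is not part of the original post and not phpMyFAQ code: it strips either the DOMAIN\ prefix that IIS/NTLM produces (the AD\Jon seen in Jon's phpinfo output) or the @REALM suffix that Apache/Kerberos produces (user@DOMAIN.COM), and it keeps the domain part so the caller can still use it for a prefixed bind when ldap_use_domain_prefix is set. The function name splitSsoLogin, the array it returns and the sample values in the loop are my own choices.

```php
<?php
// Added example, not part of the original post or of phpMyFAQ. It does the
// login-name clean-up jan's hack performs, for both forms seen in this thread:
// "AD\Jon" (IIS/NTLM) and "user@DOMAIN.COM" (Apache/Kerberos). The function
// name and the returned array are my own choice.

/**
 * Split a REMOTE_USER value into the bare login and an optional domain/realm.
 * Returns null when nothing usable is left, so the caller never looks up "".
 */
function splitSsoLogin($remoteUser)
{
    $login  = trim($remoteUser);
    $domain = null;

    // Down-level form DOMAIN\user: split at the first backslash. A leading
    // backslash (empty domain) is dropped without recording a domain.
    if (($pos = strpos($login, '\\')) !== false) {
        if ($pos > 0) {
            $domain = substr($login, 0, $pos);
        }
        $login = substr($login, $pos + 1);
    }

    // UPN/Kerberos form user@REALM: split at the last "@" so a stray "@" in
    // the local part is preserved; "@" in position 0 is left untouched, as
    // in the posted hack.
    if (($pos = strrpos($login, '@')) !== false && $pos > 0) {
        if ($domain === null) {
            $domain = substr($login, $pos + 1);
        }
        $login = substr($login, 0, $pos);
    }

    // substr() returns false on older PHP when nothing is left; treat as "".
    if ((string) $login === '') {
        return null;
    }
    return array('login' => $login, 'domain' => $domain);
}

// Constructed sample values, not taken from a real server.
$samples = array('AD\\Jon', 'jan@DOMAIN.COM', 'bob', '\\nodomain', 'AD\\', '  ');
foreach ($samples as $sample) {
    $parts = splitSsoLogin($sample);
    printf(
        "%-18s -> %s\n",
        var_export($sample, true),
        $parts === null
            ? 'rejected'
            : 'login=' . $parts['login'] . ' domain=' . var_export($parts['domain'], true)
    );
}
```

The two trailing samples show why the empty-login check matters: a REMOTE_USER of "AD\" or whitespace must be rejected before it reaches the directory lookup, otherwise the LDAP search runs with an empty sAMAccountName.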
Re: IIS 7.5 + LDAP + SSO Windows Authentication -Active Dire
Hi,
thanks for the hint, I'll fix that part of the code with 2.8.8!
bye
Thorsten
Re: IIS 7.5 + LDAP + SSO Windows Authentication -Active Dire
Hi guys
I see you have added these changes into the latest version; I still can't get it working and think I might be missing something obvious.
I can:
- Get LDAP working successfully: I'm able to log in with any AD user via LDAP, and it creates the user in the faquser table.
- Turn on SSO, so the authentication by NTLM is working.
Where I'm having issues is:
- If a new user who has never logged in via LDAP accesses the site, it allows access to the site, but doesn't correctly create an account for the user (see attached Image1); it just gets into an odd situation.
- If I log in with an account that was previously created by signing in with LDAP, the system picks up the username and email details etc. (see attached Image2).
I've tried various different LDAP settings within constants_ldap.php:
- Changing ldap_use_domain_prefix to true and to false, but the system still doesn't pick up the details from SSO, then LDAP.
- Using a Complete secured FAQ, but this makes no difference.
Maybe I'm expecting too much, but it would seem logical to me that if you wanted to use SSO within a corporate environment then using LDAP as well to populate the details would be sensible.
I've included a screenshot of phpinfo that I created within the FAQ directory, which shows the AD user details are being passed to PHP (I've edited some details out); see attached Image3. I hope someone can enlighten me as to where I'm going wrong.
Thanks
Jon
Re: IIS 7.5 + LDAP + SSO Windows Authentication -Active Dire
Hi,
can you send me a backup of your database to analyse your data?
bye
Thorsten
Re: IIS 7.5 + LDAP + SSO Windows Authentication -Active Dire
Hi,
I have the same issue. My login details are passed to the phpinfo but when attempting to login it is blank.
I will PM you a link to my database export.
Thanks,
Michael
Re: IIS 7.5 + LDAP + SSO Windows Authentication -Active Dire
Hi,
I have the same issue, I mean:
- LDAP (Active Directory) is working fine,
- SSO (on IIS) is working fine.
I installed phpMyFAQ from phpmyfaq-2.8.11.zip.
What I found?
There are two situations:
- User exists in the PMF database: then after login using SSO the username is visible.
- User doesn't exist in the PMF database: then the username is blank, and the user is not created in the PMF database.
When LDAP is enabled and SSO is disabled then we need to provide username and password. This pair is checked in the LDAP (Active Directory) in function checkPassword (inc/PMF/Auth/Ldap.php). If username and password are valid - no error for (inc/PMF/Auth/Ldap.php, lines 201-207):
Code:
    $this->ldap->connect(
        $this->_ldapConfig['ldap_server'],
        $this->_ldapConfig['ldap_port'],
        $this->_ldapConfig['ldap_base'],
        $bindLogin,
        $pass
    );
then the program adds/updates this username in the local PMF database:
Code:
    $this->add($login, $pass);
If SSO is enabled then the program reads the username and sets the password to an empty string (index.php, lines 93-94):
Code:
    $faqusername = trim($_SERVER['REMOTE_USER']);
    $faqpassword = '';
An empty password in checkPassword in inc/PMF/Auth/Ldap.php returns "false", so the user data cannot be created ($this->add($login, $pass); is not run).
Workaround/solution
Set faqpassword in index.php, line 94 to a "complicated string", e.g.:
Code:
    $faqpassword = 'sso_enabled_dfjgklhsdlfkghfguuiowreuserdsfajkchfreounrynrc4u3578cnq3cytr8q473tfcqg678mnfg6c473fh84c3hnrf69aq238r';
and change function checkPassword in inc/PMF/Auth/Ldap.php:
Code:
    public function checkPassword($login, $pass, Array $optionalData = null)
    {
        if ('' === trim($pass)) {
            $this->errors[] = PMF_User::ERROR_USER_INCORRECT_PASSWORD;
            return false;
        }
        if ('sso_enabled_dfjgklhsdlfkghfguuiowreuserdsfajkchfreounrynrc4u3578cnq3cytr8q473tfcqg678mnfg6c473fh84c3hnrf69aq238r' === trim($pass)) { // SSO is enabled
            $this->ldap = new PMF_Ldap($this->_config);
            $this->ldap->connect(
                $this->_ldapConfig['ldap_server'],
                $this->_ldapConfig['ldap_port'],
                $this->_ldapConfig['ldap_base'],
                $this->_ldapConfig['ldap_user'],
                $this->_ldapConfig['ldap_password']
            );
        } else { // SSO is disabled
            $bindLogin = $login;
            if ($this->_ldapConfig['ldap_use_domain_prefix']) {
                if (array_key_exists('domain', $optionalData)) {
                    $bindLogin = $optionalData['domain'] . '\\' . $login;
                }
            } else {
                $this->ldap = new PMF_Ldap($this->_config);
                $this->ldap->connect(
                    $this->_ldapConfig['ldap_server'],
                    $this->_ldapConfig['ldap_port'],
                    $this->_ldapConfig['ldap_base'],
                    $this->_ldapConfig['ldap_user'],
                    $this->_ldapConfig['ldap_password']
                );
                if ($this->ldap->error) {
                    $this->errors[] = $this->ldap->error;
                }
                $bindLogin = $this->ldap->getDn($login);
            }
            // Check user in LDAP
            $this->ldap = new PMF_Ldap($this->_config);
            $this->ldap->connect(
                $this->_ldapConfig['ldap_server'],
                $this->_ldapConfig['ldap_port'],
                $this->_ldapConfig['ldap_base'],
                $bindLogin,
                $pass
            );
        }
        if ($this->ldap->error) {
            $this->errors[] = $this->ldap->error;
            return false;
        } else {
            $this->add($login, $pass);
            return true;
        }
    }
Is it possible to apply such a behaviour in future versions of phpMyFAQ?
Regards,
Maciej
Re: IIS 7.5 + LDAP + SSO Windows Authentication -Active Dire
Hi,
sure, I can add this to 2.8.12. Does this "patch" work for you?
bye
Thorsten
Re: IIS 7.5 + LDAP + SSO Windows Authentication -Active Dire
Hi,
I did it on a test server last week, and today modified it a little bit. It looks like it is working fine.
I plan to implement it on the pro server in the next days and test it more deeply in the next 2-4 weeks.
Regards,
Maciej
Re: IIS 7.5 + LDAP + SSO Windows Authentication -Active Dire
Hi,
okay, it would be fine if you can give feedback, then I'll add it to 2.8.12
bye
Thorsten
Re: IIS 7.5 + LDAP + SSO Windows Authentication -Active Dire
Hi,
thank you!
I will give you feedback in the next days/weeks.
Please let me know, is it possible to read $faqConfig->get('security.ssoSupport') in inc/PMF/Auth/Ldap.php to check SSO enabled in this way:
Code:
    if ($faqConfig->get('security.ssoSupport') && isset($_SERVER['REMOTE_USER'])) {
instead of my workaround:
Code:
    if ('sso_enabled_dfjgklhsdlfkghfguuiowreuserdsfajkchfreounrynrc4u3578cnq3cytr8q473tfcqg678mnfg6c473fh84c3hnrf69aq238r' === trim($pass)) { // SSO is enabled
I tried this but it looks like it didn't work.
Regards,
Maciej
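Maciej's workaround earlier in the thread and his last question about reading security.ssoSupport inside Ldap.php point at the same design decision, so here is one added example that serves both; it is neither phpMyFAQ's code nor Maciej's patch. The point worth keeping in mind about the workaround is that checkPassword accepts the sentinel string as a valid password for any login, so the string is a shared secret stored in index.php and Ldap.php and has to be protected like one. Taking the SSO decision from the configuration flag plus REMOTE_USER, as the last post proposes, removes that secret entirely. One likely reason the $faqConfig test did not work inside the class is that $faqConfig is a global created in index.php, and a global is not visible inside a method unless it is passed in; the posted code already hands a configuration object to PMF_Ldap as $this->_config, which is the natural place to read the flag (whether that object exposes get('security.ssoSupport') is an assumption I have not verified). In the example the caller has already reduced REMOTE_USER to the bare sAMAccountName, as CurrentUser::login() in jan's post does, and passes it as $ssoLogin (null when SSO is off); the $ldapConfig keys are the ones from the posted code, the function names are mine, and bareLoginFrom in the call-site comment is a hypothetical helper.

```php
<?php
// Added example, not phpMyFAQ's own code and not Maciej's patch. It separates
// the SSO path of an LDAP checkPassword() from the password path using the
// configuration flag plus REMOTE_USER, so no sentinel password is needed.
// Assumptions: the $ldapConfig keys are the ones used in the posted code;
// $ssoLogin is the bare sAMAccountName taken from $_SERVER['REMOTE_USER']
// (prefix/suffix already stripped, as CurrentUser::login() does) when
// security.ssoSupport is on, and null otherwise. Function names are mine.

/** Escape a value for an LDAP search filter (RFC 4515); works on PHP < 5.6 too. */
function ldapFilterEscape($value)
{
    return str_replace(
        array('\\',   '*',    '(',    ')',    "\0"),
        array('\\5c', '\\2a', '\\28', '\\29', '\\00'),
        $value
    );
}

/** Connect and bind; returns the connection, or null when the bind fails. */
function ldapBind(array $ldapConfig, $bindDn, $bindPass)
{
    $conn = ldap_connect($ldapConfig['ldap_server'], $ldapConfig['ldap_port']);
    if ($conn === false) {
        return null;
    }
    ldap_set_option($conn, LDAP_OPT_PROTOCOL_VERSION, 3);
    ldap_set_option($conn, LDAP_OPT_REFERRALS, 0);
    // Never pass an empty password to ldap_bind(): directories treat that as
    // an anonymous or unauthenticated bind, which "succeeds" without proving
    // anything. This is also why the original code refused the SSO login.
    if ($bindPass === '' || !@ldap_bind($conn, $bindDn, $bindPass)) {
        ldap_unbind($conn);
        return null;
    }
    return $conn;
}

/** Resolve the user's DN by sAMAccountName using the service account. */
function findUserDn(array $ldapConfig, $login)
{
    $conn = ldapBind($ldapConfig, $ldapConfig['ldap_user'], $ldapConfig['ldap_password']);
    if ($conn === null) {
        return null;
    }
    $filter  = '(sAMAccountName=' . ldapFilterEscape($login) . ')';
    $result  = @ldap_search($conn, $ldapConfig['ldap_base'], $filter, array('dn'));
    $entries = $result ? ldap_get_entries($conn, $result) : false;
    ldap_unbind($conn);
    if ($entries === false || $entries['count'] !== 1) {
        return null; // unknown user, or an ambiguous match
    }
    return $entries[0]['dn'];
}

/**
 * Returns true when $login may be signed in; the caller then creates or
 * updates the local phpMyFAQ user (the $this->add() step from the thread).
 */
function checkLdapLogin(array $ldapConfig, $ssoLogin, $login, $pass)
{
    if ($login === '') {
        return false;
    }
    // Both paths require the account to exist in the directory.
    $dn = findUserDn($ldapConfig, $login);
    if ($dn === null) {
        return false;
    }
    if ($ssoLogin !== null) {
        // SSO path: the web server (NTLM/Kerberos) already authenticated the
        // user. Accept only the identity REMOTE_USER asserts, never a
        // different name from the form, and ignore the form password.
        return $ssoLogin === $login;
    }
    // Password path: prove the password by binding as the user's own DN.
    if (trim($pass) === '') {
        return false;
    }
    $conn = ldapBind($ldapConfig, $dn, $pass);
    if ($conn === null) {
        return false;
    }
    ldap_unbind($conn);
    return true;
}

// Call-site sketch for index.php / Ldap.php (assumption: $config is the
// PMF_Configuration object the auth class holds as $this->_config;
// bareLoginFrom() is a hypothetical helper that strips DOMAIN\ or @REALM):
//   $sso      = $config->get('security.ssoSupport') && !empty($_SERVER['REMOTE_USER']);
//   $ssoLogin = $sso ? bareLoginFrom($_SERVER['REMOTE_USER']) : null;
//   $ok       = checkLdapLogin($ldapConfig, $ssoLogin, $login, $pass);
```

Two details differ from the posted patch on purpose: the SSO path still confirms that the account exists in the directory before the local user is created, and REMOTE_USER is only honoured when the configuration flag is on, because the value is trustworthy only when the web server's own authentication module (NTLM or Kerberos) set it, never when it is derived from a request header.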