Hi,
thank you for the suggestion. I implemented it, maybe somebody else can test SSO + AD as well.
My configuration is:
config/ldap.php:
```php
// Main LDAP server
$PMF_LDAP['ldap_server'] = 'active directory domain server name';
$PMF_LDAP['ldap_port'] = 389;
$PMF_LDAP['ldap_user'] = 'AD_username@domain_name';
$PMF_LDAP['ldap_password'] = 'password';
$PMF_LDAP['ldap_base'] = 'DC=sdf,DC=privad,DC=net';
```
config/constants_ldap.php (ldap_use_domain_prefix changed from true to false)
```php
$PMF_LDAP['ldap_use_domain_prefix'] = false;
```
1. Login as Admin to phpMyFAQ
2. enable menu Administration/Configuration/Security Configuration/Enable LDAP support? (default: disabled)
3. login as domain user
4. login as Admin and give rights to the domain user which you used in point 3 (otherwise, after enabling SSO you will not be able to login as the local admin user and you will not be admin in the system)
5. In IIS on the folder with phpMyFAQ set authentication to:
a. Windows authentication - enabled
b. Anonymous authentication - disabled
6. Login as domain user or admin
7. enable menu Administration/Configuration/Security Configuration/Single Sign On Support (default: deactivated)
8. logout from phpMyFAQ and open the main phpMyFAQ page, you should be logged in automatically with your domain account.
To automatically copy user data (username and email) from LDAP (Active Directory) please modify
only the file inc/PMF/Auth/Ldap.php (it is not required to modify index.php as I wrote a few posts before); the new code for the function checkPassword:
```php
public function checkPassword($login, $pass, Array $optionalData = null)
{
    if ($this->_config->get('security.ssoSupport') && isset($_SERVER['REMOTE_USER'])) {
        // SSO is enabled: IIS Windows authentication already verified the user,
        // so bind with the service account only to read the user data from AD
        $this->ldap = new PMF_Ldap($this->_config);
        $this->ldap->connect(
            $this->_ldapConfig['ldap_server'],
            $this->_ldapConfig['ldap_port'],
            $this->_ldapConfig['ldap_base'],
            $this->_ldapConfig['ldap_user'],
            $this->_ldapConfig['ldap_password']
        );
    } else {
        // SSO is disabled: verify the supplied password by binding as the user
        if ('' === trim($pass)) {
            $this->errors[] = PMF_User::ERROR_USER_INCORRECT_PASSWORD;
            return false;
        }
        $bindLogin = $login;
        if ($this->_ldapConfig['ldap_use_domain_prefix']) {
            // $optionalData may be null, so check it before array_key_exists()
            if (is_array($optionalData) && array_key_exists('domain', $optionalData)) {
                $bindLogin = $optionalData['domain'] . '\\' . $login;
            }
        } else {
            // Look up the user's DN with the service account, then bind with that DN
            $this->ldap = new PMF_Ldap($this->_config);
            $this->ldap->connect(
                $this->_ldapConfig['ldap_server'],
                $this->_ldapConfig['ldap_port'],
                $this->_ldapConfig['ldap_base'],
                $this->_ldapConfig['ldap_user'],
                $this->_ldapConfig['ldap_password']
            );
            if ($this->ldap->error) {
                $this->errors[] = $this->ldap->error;
            }
            $bindLogin = $this->ldap->getDn($login);
        }
        // Check user in LDAP: a failed bind sets $this->ldap->error
        $this->ldap = new PMF_Ldap($this->_config);
        $this->ldap->connect(
            $this->_ldapConfig['ldap_server'],
            $this->_ldapConfig['ldap_port'],
            $this->_ldapConfig['ldap_base'],
            $bindLogin,
            $pass
        );
    }
    if ($this->ldap->error) {
        $this->errors[] = $this->ldap->error;
        return false;
    } else {
        // Create or update the local phpMyFAQ user from the LDAP data
        $this->add($login, $pass);
        return true;
    }
}
```
If anybody implements and tests it, please let Thorsten know in this thread.
Regards,
Maciej
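Added example, not code from this post or from phpMyFAQ: it shows how the account name that IIS Windows authentication places in REMOTE_USER can be normalized and escaped before it is handed to a directory lookup such as getDn() in the SSO branch above. The function names and sample values are assumed for illustration; ldap_escape() needs PHP 5.6 or later with the ldap extension.

```php
<?php
// Added example (not from the phpMyFAQ code base). REMOTE_USER is trusted here only
// because IIS sets it after Windows authentication with anonymous access disabled
// (step 5 in the post); the web application never sees the user's password.

/**
 * Return the bare account name from REMOTE_USER, or null if it is unusable.
 * IIS delivers "DOMAIN\user"; some front ends deliver "user@domain".
 */
function ssoAccountFromRemoteUser(array $server)
{
    if (empty($server['REMOTE_USER'])) {
        return null; // nothing authenticated by the web server: no auto-login
    }
    $remote = $server['REMOTE_USER'];
    $pos = strrpos($remote, '\\');
    if ($pos !== false) {
        $remote = substr($remote, $pos + 1);  // strip "DOMAIN\" (ldap_use_domain_prefix = false)
    } elseif (($pos = strpos($remote, '@')) !== false) {
        $remote = substr($remote, 0, $pos);   // strip "@domain" (UPN form)
    }
    // sAMAccountName is at most 20 characters; accept a conservative character set only
    return preg_match('/^[A-Za-z0-9._-]{1,20}$/', $remote) ? $remote : null;
}

/**
 * Build the search filter used to resolve the account to its DN. The value is
 * escaped so that filter metacharacters in the account name cannot change the query.
 */
function userSearchFilter($account)
{
    return '(sAMAccountName=' . ldap_escape($account, '', LDAP_ESCAPE_FILTER) . ')';
}

// Constructed sample values, not taken from a real server
$samples = array(
    array('REMOTE_USER' => 'SDF\jdoe'),          // -> "jdoe"
    array('REMOTE_USER' => 'jdoe@sdf.privad.net'), // -> "jdoe"
    array('REMOTE_USER' => 'SDF\j*doe)(cn=x'),   // -> null, rejected by the pattern
    array(),                                     // -> null, no SSO identity present
);
foreach ($samples as $server) {
    $account = ssoAccountFromRemoteUser($server);
    echo var_export($account, true), ' => ',
         ($account === null ? 'no SSO login' : userSearchFilter($account)), PHP_EOL;
}
```

Anything rejected by ssoAccountFromRemoteUser() should fall back to the normal login form rather than being passed to the directory.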