IIS 7.5 + LDAP + SSO Windows Authentication -Active Directo

Thorsten
Posts: 15560
Joined: Tue Sep 25, 2001 11:14 am
Location: #phpmyfaq

Re: IIS 7.5 + LDAP + SSO Windows Authentication -Active Dire

Post by Thorsten »

Hi,

yes, the config object is here:

Code:

$this->_config
So

Code:

$this->_config->get('security.ssoSupport')
returns true or false

bye
Thorsten
phpMyFAQ Maintainer and Lead Developer
nawiiwan
Posts: 9
Joined: Sun Jul 13, 2014 8:36 am

Re: IIS 7.5 + LDAP + SSO Windows Authentication -Active Dire

Post by nawiiwan »

Hi,
thank you for the suggestion. I implemented it; maybe somebody else can test SSO + AD as well.

My configuration is:

config/ldap.php:

Code:

// Main LDAP server
$PMF_LDAP['ldap_server'] = 'active directory domain server name';
$PMF_LDAP['ldap_port'] = 389;
$PMF_LDAP['ldap_user'] = 'AD_username@domain_name';
$PMF_LDAP['ldap_password'] = 'password';
$PMF_LDAP['ldap_base'] = 'DC=sdf,DC=privad,DC=net';

config/constants_ldap.php (ldap_use_domain_prefix changed from true to false):

Code:

$PMF_LDAP['ldap_use_domain_prefix'] = false;

1. Log in as Admin to phpMyFAQ
2. enable menu Administration/Configuration/Security Configuration/Enable LDAP support? (default: disabled)
3. log in as domain user
4. log in as Admin and give rights to the domain user which you used in point 3 (otherwise, after enabling SSO you will not be able to log in as the local admin user and you will not be an admin in the system)
5. In IIS, on the folder with phpMyFAQ, set authentication to:
a. Windows authentication - enabled
b. Anonymous authentication - disabled
6. Log in as domain user or admin
7. enable menu Administration/Configuration/Security Configuration/Single Sign On Support (default: deactivated)
8. log out from phpMyFAQ and open the main phpMyFAQ page; you should be logged in automatically with your domain account.

To automatically copy user data (username and email) from LDAP (Active Directory), please modify only the file inc/PMF/Auth/Ldap.php (it is not required to modify index.php, as I wrote a few posts before); new code for function checkPassword:

Code:

	public function checkPassword($login, $pass, Array $optionalData = null)
	{
		if ($this->_config->get('security.ssoSupport') && isset($_SERVER['REMOTE_USER'])) { // SSO is enabled
			$this->ldap = new PMF_Ldap($this->_config);
			$this->ldap->connect(
				$this->_ldapConfig['ldap_server'],
				$this->_ldapConfig['ldap_port'],
				$this->_ldapConfig['ldap_base'],
				$this->_ldapConfig['ldap_user'],
				$this->_ldapConfig['ldap_password']
			);
		} else { // SSO is disabled
			if ('' === trim($pass)) {
				$this->errors[] = PMF_User::ERROR_USER_INCORRECT_PASSWORD;
				return false;
			}

			$bindLogin = $login;
			if ($this->_ldapConfig['ldap_use_domain_prefix']) {
				// $optionalData defaults to null, so guard before the key lookup
				if (is_array($optionalData) && array_key_exists('domain', $optionalData)) {
					$bindLogin = $optionalData['domain'] . '\\' . $login;
				}
			} else {
				$this->ldap = new PMF_Ldap($this->_config);
				$this->ldap->connect(
					$this->_ldapConfig['ldap_server'],
					$this->_ldapConfig['ldap_port'],
					$this->_ldapConfig['ldap_base'],
					$this->_ldapConfig['ldap_user'],
					$this->_ldapConfig['ldap_password']
				);
				if ($this->ldap->error) {
					$this->errors[] = $this->ldap->error;
				}
				
				$bindLogin = $this->ldap->getDn($login);
			}

			// Check user in LDAP
			$this->ldap = new PMF_Ldap($this->_config);
			$this->ldap->connect(
				$this->_ldapConfig['ldap_server'],
				$this->_ldapConfig['ldap_port'],
				$this->_ldapConfig['ldap_base'],
				$bindLogin,
				$pass
			);
		}
			
		if ($this->ldap->error) {
			$this->errors[] = $this->ldap->error;
			return false;
		} else {
			$this->add($login, $pass);
			return true;
		}
	}

If anybody implements and tests it, please let Thorsten know in this thread.

Regards,
Maciej
nawiiwan
Posts: 9
Joined: Sun Jul 13, 2014 8:36 am

Re: IIS 7.5 + LDAP + SSO Windows Authentication -Active Dire

Post by nawiiwan »

Hi,
I did first tests and recognized some small problems:
- when a user logs in using SSO with my patch, then column faquser.auth_source = "ldap", but I think that it should be equal to "sso"
- when LDAP is disabled and SSO is enabled, then SSO is not working.

I did a small investigation and am going to create a "patch".

Before I do this, please let me know: in file inc\PMF\CurrentUser.php, line 129:

Code:

        if (isset($this->_ldapConfig['ldap_use_domain_prefix'])) {

is this correct? Shouldn't it check the value?:

Code:

		if ($this->_ldapConfig['ldap_use_domain_prefix']) {

Regards,
Maciej
Thorsten
Posts: 15560
Joined: Tue Sep 25, 2001 11:14 am
Location: #phpmyfaq

Re: IIS 7.5 + LDAP + SSO Windows Authentication -Active Dire

Post by Thorsten »

Hi,

it has to look like this:

Code:

        if (isset($this->_ldapConfig['ldap_use_domain_prefix']) && $this->_ldapConfig['ldap_use_domain_prefix']) {

Because it has to work even if someone uses no LDAP, the majority of users. ;-)

bye
Thorsten
phpMyFAQ Maintainer and Lead Developer
nawiiwan
Posts: 9
Joined: Sun Jul 13, 2014 8:36 am

Re: IIS 7.5 + LDAP + SSO Windows Authentication -Active Dire

Post by nawiiwan »

Hi,
now it's clear.

What do you think about the changes below? Do they look correct? I have already implemented them and it looks like they work fine.

inc/PMF/User/CurrentUser:

Code:

        // Additional code for LDAP: user\\domain
        // Applies only if LDAP support is enabled, ldap_use_domain_prefix is
        // available (in file constants_ldap.php) and set to true, and LDAP
        // data are provided (password is not empty)
        if ($this->config->get('security.ldapSupport')
            && function_exists('ldap_connect')
            && isset($this->_ldapConfig['ldap_use_domain_prefix'])
            && $this->_ldapConfig['ldap_use_domain_prefix']
            && $password != ''
        ) {
            if (($pos = strpos($login, '\\')) !== false) {
                if ($pos !== 0) {
                    $optData['domain'] = substr($login, 0, $pos);
                }

                $login = substr($login, $pos + 1);
            }
        }

        // Additional code for SSO
        // Applies only if SSO support is enabled, REMOTE_USER is provided and
        // we try to log in using SSO (password is empty)
        if ($this->config->get('security.ssoSupport')
            && isset($_SERVER['REMOTE_USER'])
            && $password == ''
        ) {
            // strip a UPN suffix: user@domain -> user
            if (($pos = strpos($login, '@')) !== false) {
                if ($pos !== 0) {
                    $login = substr($login, 0, $pos);
                }
            }
            // strip a NetBIOS domain prefix: DOMAIN\user -> user
            if (($pos = strpos($login, '\\')) !== false) {
                if ($pos !== 0) {
                    $login = substr($login, $pos + 1);
                }
            }
        }

Am I right that in 2.8.11 inc/PMF/Auth/Sso.php, function "add" is not used anywhere? I did a small change:
in changePassword I propose to use the add method, in a similar way to how it is done for LDAP:

Code:

            if ($user === $login) {
                $this->add($login, $pass);
                return true;
            } else {
                return false;
            }

add method:

Code:

    public function add($login, $pass)
    {
        if ($this->_config->get('security.ldapSupport') && function_exists('ldap_connect')) {
            // LDAP enabled: delegate user creation to the LDAP auth class
            $authLdap = new PMF_Auth_Ldap($this->_config);
            return $authLdap->add($login, $pass);
        }

        // LDAP disabled: create a local user without a password
        $user   = new PMF_User($this->_config);
        $result = $user->createUser($login, null);

        if ($result) {
            $user->setStatus('active');
            // Update user information only for a user that was actually created
            $user->setUserData(
                array(
                    'display_name' => $login
                )
            );
        }

        return $result;
    }

I removed the changes in Ldap.php.

Regards,
Maciej
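A stand-alone model of the REMOTE_USER normalisation and the SSO/LDAP path selection discussed in this post and in the checkPassword post above, added here as an example (it is not phpMyFAQ's code; function names, config keys passed as a plain array, and the sample values are assumptions):

```php
<?php
// Added example (not phpMyFAQ code): a stand-alone model of the SSO login
// handling discussed in this thread. Function names are assumed.

// IIS Windows Authentication sets REMOTE_USER as "DOMAIN\user" or
// "user@domain"; reduce it to the bare account name, as the CurrentUser.php
// change in the thread does. Only the server-set variable is read here.
function ssoLoginFromRemoteUser(array $server)
{
    if (!isset($server['REMOTE_USER']) || '' === trim($server['REMOTE_USER'])) {
        return null;                       // IIS did not authenticate the caller
    }
    $login = $server['REMOTE_USER'];
    if (($pos = strpos($login, '@')) !== false && $pos !== 0) {
        $login = substr($login, 0, $pos);  // drop the UPN suffix
    }
    if (($pos = strpos($login, '\\')) !== false && $pos !== 0) {
        $login = substr($login, $pos + 1); // drop the NetBIOS domain prefix
    }
    return $login;
}

// Which path serves a login request, mirroring the gates in CurrentUser.php:
// SSO only when enabled, REMOTE_USER present and the password field empty;
// LDAP only when enabled and the ldap extension is loaded; otherwise local.
function selectAuthSource(array $config, array $server, $password)
{
    if (!empty($config['security.ssoSupport']) && '' === $password
        && ssoLoginFromRemoteUser($server) !== null) {
        return 'sso';
    }
    if (!empty($config['security.ldapSupport']) && function_exists('ldap_connect')) {
        return 'ldap';
    }
    return 'local';
}

// Constructed sample values
assert(ssoLoginFromRemoteUser(array('REMOTE_USER' => 'SDF\\jdoe')) === 'jdoe');
assert(ssoLoginFromRemoteUser(array('REMOTE_USER' => 'jdoe@sdf.privad.net')) === 'jdoe');
assert(ssoLoginFromRemoteUser(array()) === null);
$cfg = array('security.ldapSupport' => false, 'security.ssoSupport' => true);
assert(selectAuthSource($cfg, array('REMOTE_USER' => 'SDF\\jdoe'), '') === 'sso');
assert(selectAuthSource($cfg, array(), 'secret') === 'local');
// A posted password never takes the SSO path, even with REMOTE_USER present
assert(selectAuthSource($cfg, array('REMOTE_USER' => 'SDF\\jdoe'), 'secret') === 'local');
```

Run it with `php` on the command line; a failing assertion reports which gate or normalisation rule diverges from the thread's behaviour.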
Thorsten
Posts: 15560
Joined: Tue Sep 25, 2001 11:14 am
Location: #phpmyfaq

Re: IIS 7.5 + LDAP + SSO Windows Authentication -Active Dire

Post by Thorsten »

Hi Maciej,

I would add it to 2.8.12 and then send you a pre-release for testing.

Thanks for your help!

bye
Thorsten
phpMyFAQ Maintainer and Lead Developer
nawiiwan
Posts: 9
Joined: Sun Jul 13, 2014 8:36 am

Re: IIS 7.5 + LDAP + SSO Windows Authentication -Active Dire

Post by nawiiwan »

Hi,
ok, I'll wait for message from you.

Thanks for your great support!

Regards,
Maciej
Thorsten
Posts: 15560
Joined: Tue Sep 25, 2001 11:14 am
Location: #phpmyfaq

Re: IIS 7.5 + LDAP + SSO Windows Authentication -Active Dire

Post by Thorsten »

Hi,

here's my first commit on it:

https://github.com/thorsten/phpMyFAQ/co ... f09b765547

How does your changePassword() method in PMF_Auth_Sso look exactly? Your code example uses $user, which is not defined in changePassword().

bye
Thorsten
phpMyFAQ Maintainer and Lead Developer
nawiiwan
Posts: 9
Joined: Sun Jul 13, 2014 8:36 am

Re: IIS 7.5 + LDAP + SSO Windows Authentication -Active Dire

Post by nawiiwan »

Hi,
if I understand your question correctly, then $user in changePassword() is defined in the original 2.8.11 code. I did only one change, adding the line "$this->add($login, $pass);" like it is in Ldap.php.

Code:

$user = $remoteUser[1];
or
$user = $remoteUser[0];
or
$user = $_SERVER['REMOTE_USER'];

I uploaded both modified files, sso.php and CurrentUser.php; please review both files and decide how to implement my proposal.

Regards,
Maciej
nawiiwan
Posts: 9
Joined: Sun Jul 13, 2014 8:36 am

Re: IIS 7.5 + LDAP + SSO Windows Authentication -Active Dire

Post by nawiiwan »

Hi Thorsten,
will you have a chance to implement the changes in the beta?

Regards,
Maciej
JonM
Posts: 6
Joined: Fri Nov 01, 2013 1:12 pm

Re: IIS 7.5 + LDAP + SSO Windows Authentication -Active Dire

Post by JonM »

nawiiwan wrote: I uploaded both modified files, sso.php and CurrentUser.php; please review both files and decide how to implement my proposal.

Regards,
Maciej
Hi Maciej, Thorsten

Sorry I didn't get back to you sooner, what with me starting this thread, but work got in the way.

Maciej, I've just tried your attached files on top of the 2.8.12 install, and this is working perfectly for me. When both options are turned on using
nawiiwan wrote: 1. Log in as Admin to phpMyFAQ
2. enable menu Administration/Configuration/Security Configuration/Enable LDAP support? (default: disabled)
3. log in as domain user
4. log in as Admin and give rights to the domain user which you used in point 3 (otherwise, after enabling SSO you will not be able to log in as the local admin user and you will not be an admin in the system)
5. In IIS, on the folder with phpMyFAQ, set authentication to:
a. Windows authentication - enabled
b. Anonymous authentication - disabled
6. Log in as domain user or admin
7. enable menu Administration/Configuration/Security Configuration/Single Sign On Support (default: deactivated)
8. log out from phpMyFAQ and open the main phpMyFAQ page; you should be logged in automatically with your domain account.

I now get new users within the table, and SSO picks up the correct user. This is working perfectly.

I did try 2.8.12 without the attached files, and although LDAP would work and SSO would work, together they would not; and in the past, if the LDAP user existed it would get this info, but it now does not find the details and won't allow me to log in.

So I would support adding your changes into the next version.
Thorsten
Posts: 15560
Joined: Tue Sep 25, 2001 11:14 am
Location: #phpmyfaq

Re: IIS 7.5 + LDAP + SSO Windows Authentication -Active Dire

Post by Thorsten »

Hi,

thanks for the feedback, here's the fix for 2.8.13:

https://github.com/thorsten/phpMyFAQ/co ... ed7313f8a3

bye
Thorsten
phpMyFAQ Maintainer and Lead Developer