LDAP authentication not working with openldap + FIX

liedekef
Posts: 4
Joined: Wed May 26, 2010 12:05 pm

LDAP authentication not working with openldap + FIX

Post by liedekef »

Hi,

the ldap auth doesn't seem to be working with openldap. The reason seems to be that the user DN is not used for binding to the ldap, but the entered userid (e.g. just "uid=xxxx"). This works for Windows AD, but not for any other LDAP server out there (they require an LDAP bind with the DN). Windows AD also supports binding with the DN, so I changed some code for this to work. Hereunder you can find the unified diff (for 2.6.4, but it should apply against later versions as well):


diff -ru phpmyfaq-2.6.4.orig/inc/Ldap.php phpmyfaq-2.6.4/inc/Ldap.php
--- phpmyfaq-2.6.4.orig/inc/Ldap.php    2010-04-18 11:30:58.000000000 +0200
+++ phpmyfaq-2.6.4/inc/Ldap.php 2010-05-26 11:28:50.000000000 +0200
@@ -121,6 +121,10 @@
         return $this->getLdapData($username, 'mail');
     }

+    public function getDn($username)
+    {
+        return $this->getLdapDn($username);
+    }
     /**
      * Returns the user's full name from LDAP
      *
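Review bot: the new getDn() method has no docblock, unlike the accessor above it and getCompleteName below, and there is no blank line between its closing brace and the following `/**`; add a short docblock (`@param string $username`, `@return string|false`) and the blank line so it matches the file's layout.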
@@ -129,7 +133,7 @@
      */
     public function getCompleteName($username)
     {
-        return $this->getLdapData($username, "name");
+        return $this->getLdapData($username, 'name');
     }

     /**
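Review bot: the `"name"` to `'name'` change in getCompleteName is a pure quote-style cleanup with no behavioural effect; it is harmless, but mixing cosmetic edits into the same patch as the bind fix makes the functional change harder to review, so consider keeping them separate.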
@@ -183,4 +187,26 @@
         return $values[0];
     }

-}
\ No newline at end of file
+    private function getLdapDn ($username)
+    {
+        global $PMF_LDAP;
+
+        $filter = "(" . $PMF_LDAP['ldap_mapping']['username'] . "=" . $username . ")";
+        $sr     = ldap_search($this->ds, $this->base, $filter);
+
+        if (!$sr) {
+            $this->errno = ldap_errno($this->ds);
+            $this->error = 'Unable to search for "' . $username . '" (Error: ' . ldap_error($this->ds) . ')';
+        }
+
+        $entryId = ldap_first_entry($this->ds, $sr);
+
+        if (!$entryId) {
+            $this->errno = ldap_errno($this->ds);
+            $this->error = 'Cannot get the value(s). Error: ' . ldap_error($this->ds);
+        }
+
+        return ldap_get_dn($this->ds, $entryId);
+    }
+
+}
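Review bot: in getLdapDn the caller-supplied $username is concatenated straight into the search filter at `$filter = "(" . $PMF_LDAP['ldap_mapping']['username'] . "=" . $username . ")";`, so characters with special meaning in LDAP filters (`*`, `(`, `)`, `\`, NUL) reach the server unescaped and a crafted login name can change which entry the filter matches; escape the value according to RFC 4515 before building the filter. Secondly, both error branches set $this->error but fall through: after a failed ldap_search the code still calls ldap_first_entry() on a false $sr, and after a missing entry it still calls ldap_get_dn() on a false $entryId, so return false from each branch instead. Finally, if more than one entry matches the filter the first one is used silently; consider treating multiple matches as an error. Minor style point: `getLdapDn (` has a stray space before the parenthesis.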
diff -ru phpmyfaq-2.6.4.orig/inc/PMF_Auth/AuthLdap.php phpmyfaq-2.6.4/inc/PMF_Auth/AuthLdap.php
--- phpmyfaq-2.6.4.orig/inc/PMF_Auth/AuthLdap.php       2010-04-18 11:30:58.000000000 +0200
+++ phpmyfaq-2.6.4/inc/PMF_Auth/AuthLdap.php    2010-05-26 11:24:16.000000000 +0200
@@ -137,7 +137,19 @@
            if (array_key_exists('domain', $optionalData)) {
                $bindLogin = $optionalData['domain']."\\".$login;
            }
-       }
+       } else {
+               $this->ldap = new PMF_Ldap($PMF_LDAP['ldap_server'],
+                                   $PMF_LDAP['ldap_port'],
+                                   $PMF_LDAP['ldap_base'],
+                                   $PMF_LDAP['ldap_user'],
+                                   $PMF_LDAP['ldap_password']);
+
+               if ($this->ldap->error) {
+                   $this->errors[] = $this->ldap->error;
+               }
+               $bindLogin = $this->ldap->getDn($login);
+
+       }

         $this->ldap = new PMF_Ldap($PMF_LDAP['ldap_server'],
                                    $PMF_LDAP['ldap_port'],
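Review bot: the new else branch opens a PMF_Ldap connection only to call getDn(), and the unchanged code at `$this->ldap = new PMF_Ldap($PMF_LDAP['ldap_server'],` then opens a second one, overwriting the first handle without closing it; reuse a single connection for both the DN lookup and the bind, or close the first one. Also, when the lookup fails only `$this->errors[] = $this->ldap->error;` is recorded and execution continues with whatever getDn() returned as $bindLogin, so the subsequent bind is attempted with a false or empty name; return false as soon as $this->ldap->error is set or getDn() yields no DN. The indentation of the added lines also differs from the surrounding four-space style.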
@@ -165,4 +177,4 @@
         return $this->ldap->getCompleteName($login);
     }

-}
\ No newline at end of file
+}
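Review bot: this hunk only adds the missing newline at end of file; fine as is.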
I hope this gets included in newer versions, since LDAP auth is very interesting for everybody to work.

Franky
Thorsten
Posts: 15725
Joined: Tue Sep 25, 2001 11:14 am
Location: #phpmyfaq

Re: LDAP authentication not working with openldap + FIX

Post by Thorsten »

Hi Franky,

thank you very much for this fix!

Here's my slightly refactored commit for 2.6.6, could you please check it?

http://github.com/thorsten/phpMyFAQ/com ... 16efaea308

bye
Thorsten
phpMyFAQ Maintainer and Lead Developer
liedekef
Posts: 4
Joined: Wed May 26, 2010 12:05 pm

Re: LDAP authentication not working with openldap + FIX

Post by liedekef »

Thorsten wrote:Hi Franky,

thank you very much for this fix!

Here's my slightly refactored commit for 2.6.6, could you please check it?

http://github.com/thorsten/phpMyFAQ/com ... 16efaea308

bye
Thorsten
Hi Thorsten,

I'm very sorry, I forgot to test this and just saw today the freshmeat announcement for the 2.6.6 version (holidays and such ...). I'll test this out asap, but since you released it, I'm very confident it works ok :-)

Franky
liedekef
Posts: 4
Joined: Wed May 26, 2010 12:05 pm

Re: LDAP authentication not working with openldap + FIX

Post by liedekef »

Hi,

it works ok, but I found some confusing things upon entering the initial LDAP config settings.
You ask for the following fields:

- LDAP server host
- LDAP server port
- LDAP username
- LDAP password
- Distinguished name

But according to me, and the resulting ldap file, the field "LDAP username" should contain the user DN used for searching LDAP and the field "Distinguished name" is in fact the LDAP DN base for searching. So I would recommend changing these names into more consistent names:

- LDAP username ==> LDAP user DN
- Distinguished name ==> LDAP base search DN

One other thing I found: you can't set the rights for a LDAP user before he first logs in, but when the user logs in he has no rights at all and just sees the logon screen again (although he is in fact logged in). So it would be great to be able to set default permissions for newly created users (so a new user created via the admin interface or a new user that first logs on via ldap gets e.g. read only access or so). I hope you know what I mean :-)

Franky
liedekef
Posts: 4
Joined: Wed May 26, 2010 12:05 pm

Re: LDAP authentication not working with openldap + FIX

Post by liedekef »

liedekef wrote:Hi,
One other thing I found: you can't set the rights for a LDAP user before he first logs in, but when the user logs in he has no rights at all and just sees the logon screen again (although he is in fact logged in). So it would be great to be able to set default permissions for newly created users (so a new user created via the admin interface or a new user that first logs on via ldap gets e.g. read only access or so). I hope you know what I mean :-)
Never mind this comment ... read access is ok, the LDAP auth is just for the admin part :-)
Thorsten
Posts: 15725
Joined: Tue Sep 25, 2001 11:14 am
Location: #phpmyfaq

Re: LDAP authentication not working with openldap + FIX

Post by Thorsten »

Hi Franky,
liedekef wrote:But according to me, and the resulting ldap file, the field "LDAP username" should contain the user DN used for searching LDAP and the field "Distinguished name" is in fact the LDAP DN base for searching. So I would recommend changing these names into more consistent names:

- LDAP username ==> LDAP user DN
- Distinguished name ==> LDAP base search DN
you are right. I will change this for the 2.6.7 release.

bye
Thorsten
phpMyFAQ Maintainer and Lead Developer