EDV:Nextbbs/ldap: Difference between revisions
From KIP Wiki
ā§¼kip-jumptonavigationā§½ā§¼kip-jumptosearchā§½
No edit summary |
Ā |
||
(One intermediate revision by the same user not shown) | |||
Line 28: | Line 28: | ||
<?php |
<?php |
||
require_once "tidbit.php"; |
require_once "tidbit.php"; |
||
$ldapfullname = ""; |
|||
$ldapemail = ""; |
|||
/** |
/** |
||
Line 37: | Line 34: | ||
class Auth |
class Auth |
||
{ |
{ |
||
var $fullname = ""; |
|||
var $email = ""; |
|||
function Auth() { } |
function Auth() { } |
||
/** |
/** |
||
Line 62: | Line 62: | ||
$r = @ldap_bind($ds ); // anonymous bind ; TODO : bind as ProxyAgent (<-should be configurable) |
$r = @ldap_bind($ds ); // anonymous bind ; TODO : bind as ProxyAgent (<-should be configurable) |
||
} |
} |
||
if(!$r) |
if(!$r) { |
||
error_log("ldap proxy bind failed."); |
|||
error_log("ldap host = ".$CONFIG->auth->ldap->host); |
|||
error_log("ldap port = ".$CONFIG->auth->ldap->port); |
|||
error_log("ldap proxy = ".$CONFIG->auth->ldap->proxyagent); |
|||
return false; |
return false; |
||
} |
|||
$auth_filter = "(" . str_replace(' ', '', $CONFIG->auth->ldap->filter) .")"; |
$auth_filter = "(" . str_replace(' ', '', $CONFIG->auth->ldap->filter) .")"; |
||
$srch_filter = "(" . str_replace('$1', $uid, $CONFIG->auth->ldap->rdnpattern) .")"; |
$srch_filter = "(" . str_replace('$1', $uid, $CONFIG->auth->ldap->rdnpattern) .")"; |
||
Line 72: | Line 77: | ||
$attributes = array('dn','cn','mail'); |
$attributes = array('dn','cn','mail'); |
||
$base = $CONFIG->auth->ldap->basedn; |
$base = $CONFIG->auth->ldap->basedn; |
||
$entry = @ldap_search($ |
$entry = @ldap_search($ds, $base, $filter, $attributes); |
||
if (!$entry) { |
if (!$entry) { |
||
error_log("ldap search with filter '$filter' had no result. base='$base'"); |
|||
return |
return false; |
||
} |
} |
||
$info = @ldap_get_entries($ |
$info = @ldap_get_entries($ds, $entry); |
||
$rdn = $info[0]["dn"]; |
$rdn = $info[0]["dn"]; |
||
$ |
$this->fullname = $info[0]['cn'][0]; |
||
$ |
$this->email = $info[0]['mail'][0]; |
||
if ( $pwd == "" ) |
if ( $pwd == "" ) |
||
return false; |
|||
if ( $rdn == "" ) |
|||
return false; |
return false; |
||
Line 100: | Line 108: | ||
</pre> |
</pre> |
||
If you also want to set the fullname of the new created account to the ldap-cn field, just change |
If you also want to set the fullname and email of the new created account to the ldap-cn field, just change |
||
file '''login.php''' on line 75 to <pre> |
file '''login.php''' on line 75 to <pre> |
||
fullname = '$ |
fullname = '$auth->fullname', |
||
email = '$ |
email = '$auth->email', |
||
</pre> |
|||
If you want, that a ldap-user, who is logging in the first time |
|||
shall be logged in immediately, |
|||
just enter the following after line 82 containig '''$DB->query($sql);''' |
|||
<pre> |
|||
$sql = "SELECT * FROM {$CONFIG->dbprfx}users WHERE |
|||
userid = '$uid' AND |
|||
server='{$CONFIG->server}'"; |
|||
$res = $DB->query($sql); |
|||
</pre> |
</pre> |
Latest revision as of 13:37, 27 February 2008
nextBBS / LDAP-Modifications
In our case it is an openldap-server with users sorted in sub-trees. The current version ( nightly build, Sep 2007, Feb 2008 ) doesn't allow searching for user accounts in subtrees. It also does not support a proxy agent.
So I had to make some changes..
Database changes
In order to use ldap with subtrees and proxyagent you need more configuration options.
INSERT INTO `chris_config` (`server`, `config_key`, `config_value`, `config_desc`, `config_type`, `config_options`, `config_group`) VALUES (1,'auth->ldap->basedn','ou=people,dc=example,dc=com','LDAP Base-DN',NULL,NULL,2); INSERT INTO `chris_config` (`server`, `config_key`, `config_value`, `config_desc`, `config_type`, `config_options`, `config_group`) VALUES (1,'auth->ldap->filter','objectclass=posixaccount','LDAP Search Filter',NULL,NULL,2); INSERT INTO `chris_config` (`server`, `config_key`, `config_value`, `config_desc`, `config_type`, `config_options`, `config_group`) VALUES (1,'auth->ldap->proxyagent','cn=proxyagent,dc=example,dc=com','LDAP Proxy Agent',NULL,NULL,2); INSERT INTO `chris_config` (`server`, `config_key`, `config_value`, `config_desc`, `config_type`, `config_options`, `config_group`) VALUES (1,'auth->ldap->proxypassword','proxy_pass','LDAP Password for Proxy Agent',NULL,NULL,2);
Just replace chris by your tablename-prefix.
File changes
Alter file tools/auth/ldap.php:
<?php require_once "tidbit.php"; /** * LDAP Authentication Module */ class Auth { var $fullname = ""; var $email = ""; function Auth() { } /** * Externally authenticate username/password, if possible * @return a unique id, that can be used to check whether this is the user we were expecting, * or false if it cannot be authenticated */ function login($uid, $pwd) { global $CONFIG; $ds = @ldap_connect($CONFIG->auth->ldap->host, $CONFIG->auth->ldap->port); if(!$ds) return false; @ldap_set_option($ds, LDAP_OPT_PROTOCOL_VERSION, $CONFIG->auth->ldap->protocol); // ''new from here ----'' if ( $CONFIG->auth->ldap->proxyagent != "" ) { $r = @ldap_bind($ds,$CONFIG->auth->ldap->proxyagent,$CONFIG->auth->ldap->proxypassword ); } else { $r = @ldap_bind($ds ); // anonymous bind ; TODO : bind as ProxyAgent (<-should be configurable) } if(!$r) { error_log("ldap proxy bind failed."); error_log("ldap host = ".$CONFIG->auth->ldap->host); error_log("ldap port = ".$CONFIG->auth->ldap->port); error_log("ldap proxy = ".$CONFIG->auth->ldap->proxyagent); return false; } $auth_filter = "(" . str_replace(' ', '', $CONFIG->auth->ldap->filter) .")"; $srch_filter = "(" . str_replace('$1', $uid, $CONFIG->auth->ldap->rdnpattern) .")"; if ($auth_filter != "()") { $filter = "(&" . $srch_filter . $auth_filter . ")"; } else $filter = $srch_filter; $attributes = array('dn','cn','mail'); $base = $CONFIG->auth->ldap->basedn; $entry = @ldap_search($ds, $base, $filter, $attributes); if (!$entry) { error_log("ldap search with filter '$filter' had no result. base='$base'"); return false; } $info = @ldap_get_entries($ds, $entry); $rdn = $info[0]["dn"]; $this->fullname = $info[0]['cn'][0]; $this->email = $info[0]['mail'][0]; if ( $pwd == "" ) return false; if ( $rdn == "" ) return false; // ''up to here --------------'' // $rdn = str_replace('$1', $uid, $CONFIG->auth->ldap->rdnpattern); // and now bind as user .... $r = @ldap_bind($ds, $rdn, $pwd); // args: HANDLER, USER RDN, PASSWORD if(!$r) return false; @ldap_unbind(); // Cleanup return 'LDAP'; } } ?>
If you also want to set the fullname and email of the new created account to the ldap-cn field, just change
file login.php on line 75 to
fullname = '$auth->fullname', email = '$auth->email',
If you want, that a ldap-user, who is logging in the first time
shall be logged in immediately,
just enter the following after line 82 containig $DB->query($sql);
$sql = "SELECT * FROM {$CONFIG->dbprfx}users WHERE userid = '$uid' AND server='{$CONFIG->server}'"; $res = $DB->query($sql);