EDV:Nextbbs/ldap: Difference between revisions

No edit summary
No edit summary
Line 28: Line 28:
<?php
<?php
require_once "tidbit.php";
require_once "tidbit.php";

$ldapfullname = "";
$ldapemail = "";


/**
/**
Line 37: Line 34:
class Auth
class Auth
{
{
var $fullname = "";
var $email = "";

function Auth() { }
function Auth() { }
/**
/**
Line 62: Line 62:
$r = @ldap_bind($ds ); // anonymous bind ; TODO : bind as ProxyAgent (<-should be configurable)
$r = @ldap_bind($ds ); // anonymous bind ; TODO : bind as ProxyAgent (<-should be configurable)
}
}
if(!$r)
if(!$r) {
error_log("ldap proxy bind failed.");
error_log("ldap host = ".$CONFIG->auth->ldap->host);
error_log("ldap port = ".$CONFIG->auth->ldap->port);
error_log("ldap proxy = ".$CONFIG->auth->ldap->proxyagent);
return false;
return false;
}
$auth_filter = "(" . str_replace(' ', '', $CONFIG->auth->ldap->filter) .")";
$auth_filter = "(" . str_replace(' ', '', $CONFIG->auth->ldap->filter) .")";
$srch_filter = "(" . str_replace('$1', $uid, $CONFIG->auth->ldap->rdnpattern) .")";
$srch_filter = "(" . str_replace('$1', $uid, $CONFIG->auth->ldap->rdnpattern) .")";
Line 72: Line 77:
$attributes = array('dn','cn','mail');
$attributes = array('dn','cn','mail');
$base = $CONFIG->auth->ldap->basedn;
$base = $CONFIG->auth->ldap->basedn;
$entry = @ldap_search($ldapconn, $base, $filter, $attributes);
$entry = @ldap_search($ds, $base, $filter, $attributes);
if (!$entry) {
if (!$entry) {
error_log("ldap search with filter '$filter' had no result. base='$base'");
return '';
return false;
}
}
$info = @ldap_get_entries($ldapconn, $entry);
$info = @ldap_get_entries($ds, $entry);
$rdn = $info[0]["dn"];
$rdn = $info[0]["dn"];
$ldapfullname = $info[0]["cn"];
$this->fullname = $info[0]['cn'][0];
$ldapemail = $info[0]["mail"];
$this->email = $info[0]['mail'][0];


if ( $pwd == "" )
if ( $pwd == "" )
return false;
if ( $rdn == "" )
return false;
return false;


Line 100: Line 108:
</pre>
</pre>


If you also want to set the fullname of the new created account to the ldap-cn field, just change
If you also want to set the fullname and email of the new created account to the ldap-cn field, just change
file '''login.php''' on line 75 to <pre>
file '''login.php''' on line 75 to <pre>
fullname = '$ldapfullname',
fullname = '$auth->fullname',
email = '$ldapemail',
email = '$auth->email',
</pre>


If you want, that a ldap-user, who is logging in the first time
shall be logging immediately,
just enter the following after line 82 containig '''$DB->query($sql);'''

<pre>
$sql = "SELECT * FROM {$CONFIG->dbprfx}users WHERE
userid = '$uid' AND
server='{$CONFIG->server}'";
$res = $DB->query($sql);
</pre>
</pre>
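Review bot: On the new side `$this->fullname = $info[0]['cn'][0];` (and the `$rdn = $info[0]["dn"];` line before it) index `$info[0]` without checking `$info['count']`: ldap_search() returns a result handle even when nothing matched, so an unknown user produces undefined-offset warnings before the `$rdn == ""` guard catches it, and a filter that matches several entries silently binds as the first hit; add `if (!$info || $info['count'] != 1) return false;` right after `ldap_get_entries()`. The `$uid` spliced into `$srch_filter` by `str_replace('$1', $uid, ...)` is still unescaped, so a login name containing `*`, `(` or `)` can rewrite the search filter — escape it first (`ldap_escape($uid, '', LDAP_ESCAPE_FILTER)` on PHP 5.6+, or a `str_replace` of `\`, `*`, `(`, `)` and NUL into their `\xx` hex forms). The `$pwd == ""` check remains after the search; moving it ahead of `ldap_connect()` keeps the rejection of empty passwords (which LDAP treats as an anonymous/unauthenticated bind) independent of the search path. `login()` begins and ends outside the shown hunks.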

Revision as of 08:34, 26 February 2008

nextBBS / LDAP-Modifications

In our case it is an OpenLDAP server with users sorted into sub-trees. The current version (nightly build, Sep 2007, Feb 2008) does not allow searching for user accounts in sub-trees. It also does not support a proxy agent.

So I had to make some changes.

Database changes

In order to use LDAP with sub-trees and a proxy agent you need additional configuration options.

-- Extra configuration rows read by tools/auth/ldap.php as
-- $CONFIG->auth->ldap->basedn / ->filter / ->proxyagent / ->proxypassword.
-- "chris_" is the table-name prefix of this installation; replace it with yours.
-- Search base under which user entries are looked up (subtree search).
INSERT INTO `chris_config` (`server`, `config_key`, `config_value`, `config_desc`, `config_type`, `config_options`, `config_group`)
 VALUES (1,'auth->ldap->basedn','ou=people,dc=example,dc=com','LDAP Base-DN',NULL,NULL,2);
-- Optional extra filter; ldap.php strips its spaces, wraps it in parentheses and AND-s it with the uid lookup.
INSERT INTO `chris_config` (`server`, `config_key`, `config_value`, `config_desc`, `config_type`, `config_options`, `config_group`)
 VALUES (1,'auth->ldap->filter','objectclass=posixaccount','LDAP Search Filter',NULL,NULL,2);
-- DN used for the initial (search-only) bind; an empty value makes ldap.php bind anonymously instead.
INSERT INTO `chris_config` (`server`, `config_key`, `config_value`, `config_desc`, `config_type`, `config_options`, `config_group`)
 VALUES (1,'auth->ldap->proxyagent','cn=proxyagent,dc=example,dc=com','LDAP Proxy Agent',NULL,NULL,2);
-- Stored in plaintext and passed straight to ldap_bind(); the agent only searches,
-- so use a read-only directory account and restrict read access to this table.
INSERT INTO `chris_config` (`server`, `config_key`, `config_value`, `config_desc`, `config_type`, `config_options`, `config_group`)
 VALUES (1,'auth->ldap->proxypassword','proxy_pass','LDAP Password for Proxy Agent',NULL,NULL,2);

Just replace chris with your table-name prefix.

File changes

Alter file tools/auth/ldap.php:

<?php
require_once "tidbit.php";

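/**
 * LDAP Authentication Module
 *
 * Two-step authentication against an LDAP directory:
 *  1. bind as the configured proxy agent (or anonymously) and search below
 *     $CONFIG->auth->ldap->basedn for the entry matching the login name;
 *  2. bind again as the DN that was found, with the password the user supplied.
 * On success the entry's cn and mail are published in $fullname / $email.
 *
 * Configuration read from $CONFIG->auth->ldap: host, port, protocol,
 * proxyagent, proxypassword, basedn, filter, rdnpattern.
 */
class Auth
{
	/** cn of the authenticated user; set by login() on success only. */
	var $fullname = "";
	/** mail of the authenticated user; set by login() on success only. */
	var $email = "";

	/** PHP 4 style constructor, intentionally empty (kept for explicit callers). */
	function Auth() { }

	/**
	 * Escape a value for use inside an LDAP search filter (RFC 4515).
	 *
	 * The login name is untrusted input; left unescaped, characters such as
	 * '*' or ')' would let a caller change the structure of the filter and
	 * match a different entry. Produces the same output as
	 * ldap_escape($value, '', LDAP_ESCAPE_FILTER), which only exists from
	 * PHP 5.6 on.
	 *
	 * @param string $value raw attribute value
	 * @return string value with \ * ( ) and NUL replaced by their \xx hex form
	 */
	function escapeFilterValue($value)
	{
		// Backslash goes first so the escapes introduced below are not re-escaped.
		return str_replace(
			array('\\', '*', '(', ')', "\0"),
			array('\\5c', '\\2a', '\\28', '\\29', '\\00'),
			(string) $value
		);
	}

	/**
	 * Externally authenticate username/password, if possible
	 *
	 * @param string $uid login name as entered by the user (untrusted)
	 * @param string $pwd password as entered by the user (untrusted)
	 * @return a unique id, that can be used to check whether this is the user we were expecting,
	 * or false if it cannot be authenticated
	 */
	function login($uid, $pwd)
	{
		global $CONFIG;

		// Refuse empty credentials before any directory traffic: an LDAP bind
		// with an empty password is an anonymous / unauthenticated bind that
		// many servers report as success, which would let anyone log in as any
		// existing user. (The original checked the password only after the
		// search and never checked the login name.)
		if ((string) $uid === '' || (string) $pwd === '')
			return false;

		$ds = @ldap_connect($CONFIG->auth->ldap->host, $CONFIG->auth->ldap->port);
		if (!$ds)
			return false;
		@ldap_set_option($ds, LDAP_OPT_PROTOCOL_VERSION, $CONFIG->auth->ldap->protocol);

		$result = $this->_bindAsUser($ds, $uid, $pwd);
		// Release the connection on every path; the original called
		// ldap_unbind() without the handle, and only on success.
		@ldap_unbind($ds);
		return $result;
	}

	/**
	 * Resolve $uid to its DN via the proxy/anonymous search, then bind as that DN.
	 * Helper for login(); expects an open connection and non-empty credentials.
	 *
	 * @param resource $ds open LDAP connection
	 * @param string $uid login name
	 * @param string $pwd password
	 * @return string|false 'LDAP' on success, false otherwise
	 */
	function _bindAsUser($ds, $uid, $pwd)
	{
		global $CONFIG;

		// First bind: proxy agent if configured, anonymous otherwise. Only the
		// search runs under this identity, so a read-only proxy account suffices.
		if ((string) $CONFIG->auth->ldap->proxyagent !== '') {
			$r = @ldap_bind($ds, $CONFIG->auth->ldap->proxyagent, $CONFIG->auth->ldap->proxypassword);
		} else {
			$r = @ldap_bind($ds); // anonymous bind
		}
		if (!$r) {
			// Log the connection parameters, never the proxy password.
			error_log("ldap proxy bind failed.");
			error_log("ldap host  = ".$CONFIG->auth->ldap->host);
			error_log("ldap port  = ".$CONFIG->auth->ldap->port);
			error_log("ldap proxy = ".$CONFIG->auth->ldap->proxyagent);
			return false;
		}

		// Build the search filter. rdnpattern carries a "$1" placeholder for the
		// login name, which is escaped so it cannot alter the filter structure.
		// The optional extra filter has its spaces stripped and is AND-ed in.
		$auth_filter = "(" . str_replace(' ', '', $CONFIG->auth->ldap->filter) . ")";
		$srch_filter = "(" . str_replace('$1', $this->escapeFilterValue($uid), $CONFIG->auth->ldap->rdnpattern) . ")";
		if ($auth_filter != "()") {
			$filter = "(&" . $srch_filter . $auth_filter . ")";
		} else {
			$filter = $srch_filter;
		}

		$attributes = array('dn', 'cn', 'mail');
		$base = $CONFIG->auth->ldap->basedn;
		$entry = @ldap_search($ds, $base, $filter, $attributes);
		if (!$entry) {
			error_log("ldap search with filter '$filter' had no result. base='$base'");
			return false;
		}
		$info = @ldap_get_entries($ds, $entry);
		// Exactly one entry must match: none means unknown user, more than one
		// means an ambiguous filter, and binding as "the first hit" would be a
		// guess. (The original indexed $info[0] unconditionally.)
		if (!$info || $info['count'] != 1) {
			error_log("ldap search with filter '$filter' matched " . ($info ? $info['count'] : 0) . " entries. base='$base'");
			return false;
		}
		$rdn = $info[0]['dn'];
		if ((string) $rdn === '')
			return false;

		// Second bind: as the user's own DN with the supplied (non-empty) password.
		$r = @ldap_bind($ds, $rdn, $pwd); // args: HANDLER, USER DN, PASSWORD
		if (!$r)
			return false;

		// Publish attributes only after a successful bind, so a failed login
		// does not leak directory data through this object.
		$this->fullname = isset($info[0]['cn'][0]) ? $info[0]['cn'][0] : '';
		$this->email = isset($info[0]['mail'][0]) ? $info[0]['mail'][0] : '';
		return 'LDAP';
	}
}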
?>

If you also want to set the full name and email of the newly created account from the LDAP entry (its cn and mail attributes), change

file login.php on line 75 to

							fullname = '$auth->fullname',
							email = '$auth->email',


If you want an LDAP user who logs in for the first time to be logged in immediately, insert the following after line 82 (the line containing $DB->query($sql);):

					// NOTE(review): $uid (presumably the same login name handed to Auth::login())
					// is interpolated into the SQL string unescaped; quote it through the DB
					// layer's escaping routine (whatever $DB provides -- confirm) or bind it as a
					// parameter before issuing this query.
					$sql = "SELECT * FROM {$CONFIG->dbprfx}users WHERE
						userid = '$uid' AND
						server='{$CONFIG->server}'";
					$res = $DB->query($sql);