EDV:Nextbbs/ldap
nextBBS / LDAP-Modifications
In our case it is an OpenLDAP server with users organised in sub-trees. The current version (nightly build, Sep 2007, Feb 2008) doesn't allow searching for user accounts in sub-trees. It also does not support a proxy agent.
So I had to make some changes.
Database changes
In order to use LDAP with sub-trees and a proxy agent you need additional configuration options.
-- Additional LDAP settings: base DN for the sub-tree search, an optional
-- extra search filter, and the proxy-agent account used to perform the search.
-- The values below are placeholders (example.com, proxy_pass): set them to
-- your directory's DNs and the agent's real credential before running this.
-- Replace the `chris_` prefix with your own table-name prefix.
INSERT INTO `chris_config`
    (`server`, `config_key`, `config_value`, `config_desc`, `config_type`, `config_options`, `config_group`)
VALUES
    (1, 'auth->ldap->basedn',        'ou=people,dc=example,dc=com',     'LDAP Base-DN',                  NULL, NULL, 2),
    (1, 'auth->ldap->filter',        'objectclass=posixaccount',        'LDAP Search Filter',            NULL, NULL, 2),
    (1, 'auth->ldap->proxyagent',    'cn=proxyagent,dc=example,dc=com', 'LDAP Proxy Agent',              NULL, NULL, 2),
    (1, 'auth->ldap->proxypassword', 'proxy_pass',                      'LDAP Password for Proxy Agent', NULL, NULL, 2);
Just replace `chris` with your table-name prefix.
File changes
Alter file tools/auth/ldap.php:
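<?php
require_once "tidbit.php";

// Full name (LDAP "cn") of the most recently authenticated user.
// login.php reads this to fill in the fullname of a newly created account,
// so Auth::login() must declare it as global before assigning it.
$ldapfullname = "";

/**
 * Escape a value for interpolation into an LDAP search filter (RFC 4515).
 *
 * The username comes straight from the login form; escaping it keeps it from
 * changing the structure of the filter (e.g. closing the "(uid=...)" term).
 * Uses the native ldap_escape() when the PHP build provides it and falls back
 * to a manual replacement of the filter metacharacters otherwise.
 *
 * @param string $value raw, untrusted value
 * @return string value safe to embed in a filter
 */
function auth_ldap_escape_filter($value)
{
    if (function_exists('ldap_escape')) {
        return ldap_escape($value, '', LDAP_ESCAPE_FILTER);
    }
    // Backslash is replaced first so the escapes produced below are not
    // escaped a second time.
    $search  = array("\\",   "*",    "(",    ")",    "\0");
    $replace = array("\\5c", "\\2a", "\\28", "\\29", "\\00");
    return str_replace($search, $replace, $value);
}

/**
 * LDAP Authentication Module
 *
 * Locates the user's entry by a sub-tree search below the configured base DN
 * (bound as the configured proxy agent, or anonymously when none is set) and
 * then binds as the located DN with the supplied password.
 */
class Auth
{
    // PHP4-style constructor kept for compatibility with the surrounding code.
    function Auth()
    {
    }

    /**
     * Build the LDAP search filter that selects the entry for $uid.
     *
     * The configured rdnpattern (with "$1" replaced by the escaped username)
     * is combined with the optional configured filter using "&". Spaces are
     * stripped from the configured filter, as before; it is only wrapped in
     * parentheses when the administrator did not already parenthesise it.
     *
     * @param string $uid untrusted username
     * @return string LDAP filter string
     */
    function _build_search_filter($uid)
    {
        global $CONFIG;

        $uid_filter = "(" . str_replace('$1', auth_ldap_escape_filter($uid), $CONFIG->auth->ldap->rdnpattern) . ")";

        $extra = str_replace(' ', '', $CONFIG->auth->ldap->filter);
        if ($extra == "") {
            return $uid_filter;
        }
        if (substr($extra, 0, 1) != "(") {
            $extra = "(" . $extra . ")";
        }
        return "(&" . $uid_filter . $extra . ")";
    }

    /**
     * Externally authenticate username/password, if possible
     *
     * Reads host, port, protocol, proxyagent, proxypassword, basedn, filter
     * and rdnpattern from $CONFIG->auth->ldap. On success the global
     * $ldapfullname is set to the entry's "cn" (or "" if it has none).
     *
     * @param string $uid username as typed by the user (untrusted)
     * @param string $pwd password as typed by the user (untrusted)
     * @return a unique id, that can be used to check whether this is the user we were expecting,
     *         or false if it cannot be authenticated
     */
    function login($uid, $pwd)
    {
        global $CONFIG, $ldapfullname;

        // Reject empty credentials before contacting the server: a bind with an
        // empty password is an anonymous/unauthenticated bind and would
        // "succeed" for any username.
        if ($uid == "" || $pwd == "") return false;

        $ds = @ldap_connect($CONFIG->auth->ldap->host, $CONFIG->auth->ldap->port);
        if (!$ds) return false;
        @ldap_set_option($ds, LDAP_OPT_PROTOCOL_VERSION, $CONFIG->auth->ldap->protocol);

        // Bind as the proxy agent when one is configured, otherwise anonymously,
        // so that the directory can be searched for the user's DN.
        if ($CONFIG->auth->ldap->proxyagent != "") {
            $r = @ldap_bind($ds, $CONFIG->auth->ldap->proxyagent, $CONFIG->auth->ldap->proxypassword);
        } else {
            $r = @ldap_bind($ds); // anonymous bind
        }
        if (!$r) {
            @ldap_unbind($ds);
            return false;
        }

        // Sub-tree search below the base DN; "cn" is requested so the full
        // name can be exported via $ldapfullname.
        $filter     = $this->_build_search_filter($uid);
        $attributes = array("dn", "cn");
        $base       = $CONFIG->auth->ldap->basedn;
        $entry = @ldap_search($ds, $base, $filter, $attributes);
        $info  = $entry ? @ldap_get_entries($ds, $entry) : false;

        // Exactly one entry must match: none means an unknown user, several
        // means an ambiguous configuration. Never fall through to binding with
        // an empty or guessed DN.
        if (!$info || $info["count"] != 1) {
            @ldap_unbind($ds);
            return false;
        }
        $rdn      = $info[0]["dn"];
        $fullname = isset($info[0]["cn"][0]) ? $info[0]["cn"][0] : "";

        // and now bind as user .... args: HANDLER, USER DN, PASSWORD
        $r = @ldap_bind($ds, $rdn, $pwd);
        @ldap_unbind($ds); // Cleanup
        if (!$r) return false;

        // Only expose the directory's full name once the password was verified.
        $ldapfullname = $fullname;
        return 'LDAP';
    }
}
?>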
If you also want to set the fullname of the newly created account to the LDAP cn attribute, just change
file login.php on line 75 to (escape `$ldapfullname` for the database like the other interpolated values, since its content comes from the directory)
fullname = '$ldapfullname',