Problems with LDAP

Started by on Aug 24, 2015 – Contents updated: Aug 27, 2015

Aug 24, 2015 20:19    

Hi, does anyone know more about how to use the LDAP plugin?
I have installed and configured the plugin.
Since then my logins do not work anymore.
I see an LDAP bind which is successful, and an unbind, but fall back on a login page.
Admin account does not work anymore.
I even asked the system to resend the password, but with no success.

Version 6.262-stable. And plugin ldap_plugin-2.1-beta

Aug 24, 2015 21:06

You can probably restore previous functionality just by deleting the LDAP plugin from your plugins folder.

You might want to ask the author of the plugin to update it.
http://plugins.b2evolution.net/ldap-plugin

Out of curiosity, can you please describe why you need to use LDAP? (I am very interested in different use cases for b2evolution)

Aug 24, 2015 21:33

I want to use b2evolution as an internal blog and photo gallery for our company.
All accounts are configured on the LDAP.
Eventually, I would like to use LDAP groups to define rights in b2evolution, and use a single sign-on system. So the userid and password should be synchronised between our other apps and b2evolution.

Aug 24, 2015 21:44

Ok, a couple of additional questions:

  • how many users do you have in LDAP?
  • what software are you using as the LDAP directory?
  • if I understand correctly, you want to synchronize:
    • login
    • password
    • group (for permissions)
    • anything else?

Please let us know if you can get help from the plugin author. If not, we'll see what we can do.

Aug 25, 2015 08:13

I have more than 10000 users in the LDAP, but only 500 are concerned in this project.

The users are members of groups, so the ou's are groups for which the users are members, so the membership is not registered in the user data.
The idea is that any of the members of certain groups, or having the attribute employee type set with the value 'company A',
should have access, and the credentials would be the quid and password from the LDAP.

In addition, it would be great if the user rights in b2evolution could be derived from group membership in the LDAP, for example if you are a member of group b2evo_admin you have admin rights.

I made a comment with the LDAP plugin developer, but I am not sure that there is a high activity on that plugin right now.
I need to understand the basic integration, what the plugin should do, etc., so maybe I can check how to modify the plugin.

Aug 25, 2015 13:13

Hi, I am slowly advancing.
The LDAP request is made, but then I get a MySQL error:

MySQL error!

Data too long for column 'user_pass' at row 1(Errno=1406)

Your query: DataObject::dbinsert()

INSERT INTO evo_users (user_login, user_pass, user_salt, user_locale, user_email, user_level, user_created_datetime, user_profileupdate_date, user_grp_ID, user_status, user_unsubscribe_key, user_nickname, user_firstname, user_lastname, user_email_dom_ID)

VALUES ('dum', '36f05f8xxxxxxxxxxxxxxx2ea596616d', 'xxxxxxxx', 'fr-FR', 'dum@foyer.lu', 1, '2015-08-25 13:03:39', '2015-08-25', '4', 'autoactivated', 'th3VXrqLnJCqMnWu1ynf5X8QROEcKkg7', 'dum', 'Marc', 'DURBACH', '1')

May I just make the user_pass field 32 bytes long?

Aug 25, 2015 14:46

Ah... we have encrypted passwords some more in recent versions.

Passwords are now salted with a random value which is specific to the user (there is a column for that) and then hashed? The resulting hash is stored as a binary value.

You can look into the b2evolution core code at how it saves a password when a user account is created or a password is changed.

You should not change the field. It won't work. Instead you need to add a little salting and hashing.

I can explain this more if you need but I'll have to do it when I'm in front of a real computer (I'm in a train right now ;)

Ideally, there should be a User object method you can call from the plugin that does the password hashing for you. I'll check that.


Regarding groups, I think it should be possible to map LDAP group memberships to b2evolution groups (and b2evolution gets all its permissions from groups anyway). However, in b2evolution, a user can be a member of only one group. Is that workable for you?


Thank you for the description of the context. It's interesting.

For a better understanding, can you define ou and quid which seem to be LDAP specific terms?

Aug 25, 2015 15:19

Our developers tell me that you should use $User->set_password( $raw_password ) in the plugin. It will take care of properly encrypting the password.

Then $User->dbupdate() will generate the actual SQL query to save to the DB.

However, in this case, you probably will make a password authentication against LDAP every time, so maybe the plugin just saves a dummy/random password into the b2evolution user account?

Aug 25, 2015 18:32

Hi thanks for the great support.

I made a typo, it's not quid, but id, which is the attribute used to store the userid in my LDAP. OU means Organisational Unit, which in fact is a container that contains some logically bound data, for example all users are in the ou ou=ouUsers,dc=foyer,dc=lu, whereas the groups are in the ou ou=ouGroups,dc=lefoyer,dc=lu. But this is our own decision... you can arrange the data more or less how you like.

Unfortunately the users are in more than one group. The only thing that could work would be to define a prefix for all b2evolution related groups, for example having groups like b2evo_admin, b2evo_normaluser etc., and then check only those.

I basically wanted to use the plugin as is.
The password hash that is generated seems to be 32 bytes long, whereas the row in the table only contains 16.
So where would be the best place to modify?
I can check maybe what's happening if I substring the 32 byte char to 15 long. As I make an authentication against the LDAP, and as this password will change anyway, I don't think that the plugin is using the value from the user table.

I started to use the system a little bit, but have not yet understood how the photo gallery system works. I will check later if there are any photo plugins making it easier to handle.

Aug 25, 2015 22:47

OK, I have downloaded the plugin and took a look at the code. I have not tried it out though, since I have no LDAP server to test against.

However, I see this:

			if( $local_User )
			{ // User exists already locally, but password does not match the LDAP one. Update it locally.
				$local_User->set( 'pass', $params['pass_md5'] );
				$local_User->dbupdate();

				$this->debug_log( 'Updating user password locally.' );

				return true;
			}

			// create this user locally (in b2evo)
			$NewUser = new User();
			$NewUser->set( 'login', $params['login'] );
			$NewUser->set( 'nickname', $params['login'] );
			$NewUser->set( 'pass', $params['pass_md5'] );
			$NewUser->set( 'status', 'autoactivated' ); // assume the user has been validated (through email link)

First, I think you probably don't need to update the password in b2evolution if it doesn't match (and it would be very complex, given all the encryption that is involved). So you may comment that part out.

Then, when the user is created, it's enough to assign a random password because it will never be used. The important thing is to use the new function previously mentioned.

So the code would become this:

			if( $local_User )
			{ // User exists already locally, (but password does not match the LDAP one, 
			  // which is ok because we never use the b2evolution password)
				$this->debug_log( 'User already exists locally.' );

				return true;
			}

			// create this user locally (in b2evo)
			$NewUser = new User();
			$NewUser->set( 'login', $params['login'] );
			$NewUser->set( 'nickname', $params['login'] );
			// obsolete: $NewUser->set( 'pass', $params['pass_md5'] );
			$NewUser->set_password( 'RandomDummyStringWhichIsNeverUser17TEJHDG236KJG$e' );
			$NewUser->set( 'status', 'autoactivated' ); // assume the user has been validated (through email link)

Am I making sense?

Can you try this? (I have no LDAP server to try it)

Other answers:

  • The group prefix thing seems to be what the plugin expects
  • Regarding the photo gallery, I don't think any plugin will do it better than what we have in version 6.6. You are using the latest version, right? If you need help (or additional features) on the Gallery, please start a separate forum topic. Thanks.
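An added example (not the plugin's or b2evolution's own code) of the provisioning step discussed above, also covering the set_password()/dbupdate() advice earlier in the thread: the local password is random per user instead of one shared dummy string, and the b2evolution group is derived from LDAP groups carrying the b2evo_ prefix. It assumes the User methods set(), set_password() and dbinsert() as named in this thread, and that the caller supplies the user's LDAP group DNs.

```php
<?php
// Added example, not the plugin's code. Assumes b2evolution's User class with
// set(), set_password() and dbinsert() as referred to in this thread.

// Unusable local password: 32 random bytes, hex encoded, different for every
// account. A single fixed dummy string would give all LDAP users the same
// known local password if the plugin were ever disabled or bypassed.
function ldap_unusable_local_password()
{
	return bin2hex( random_bytes( 32 ) );
}

// Map LDAP group DNs to a b2evolution group name using the prefix convention
// from this thread (b2evo_admin, b2evo_normaluser, ...). Returns null when the
// user is in no prefixed group, i.e. the bind alone should not grant access.
function ldap_group_to_b2evo_group( array $group_dns, $prefix = 'b2evo_' )
{
	foreach( $group_dns as $dn )
	{	// first RDN, e.g. "cn=b2evo_admin" from "cn=b2evo_admin,ou=ouGroups,dc=example,dc=com"
		$rdn = explode( ',', $dn, 2 )[0];
		$parts = explode( '=', $rdn, 2 );
		if( count( $parts ) == 2 && stripos( trim( $parts[1] ), $prefix ) === 0 )
		{
			return strtolower( trim( $parts[1] ) );
		}
	}
	return null;
}

// Called after a successful LDAP bind. $local_User is the existing User or null,
// $login the LDAP uid, $group_dns the DNs of the groups the user belongs to.
// Translating the returned group name into a grp_ID is not shown in the thread
// and is left to the caller.
function ldap_provision_local_user( $local_User, $login, array $group_dns )
{
	if( ldap_group_to_b2evo_group( $group_dns ) === null )
	{	// authenticated in LDAP but not authorised for b2evolution
		return false;
	}
	if( $local_User )
	{	// exists already; the local password is never used, so never update it
		return true;
	}
	$NewUser = new User();
	$NewUser->set( 'login', $login );
	$NewUser->set( 'nickname', $login );
	$NewUser->set_password( ldap_unusable_local_password() );
	$NewUser->set( 'status', 'autoactivated' );
	return $NewUser->dbinsert();
}
```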

Aug 27, 2015 10:12

Hi, I tried this modification:
at line 211 I replaced
$local_User->set( 'pass', $params['pass_md5'] );
with
$local_User->set( 'pass', substr($params['pass_md5'],16) );
The error disappears, but the login does fail.

When I try your suggestion I have the same problem.

I wonder if there is not storage of the user inserted password in the session. Then, the authentication is made against the LDAP, and the MD5 hash is stored in the evo_users table. And once again compared against what the user inserted and what is in the database. Both our solutions, mine based on a substring to fit the size of the field, and yours based on a unique dummy password, do not allow the stored passwords to match.

Also when I have 2 invalid logins I am redirected to this page:
http://community.foyer.lu/skins/bootstrap_main_skin/login
with a Not Found message:
Not Found

The requested URL /skins/bootstrap_main_skin/login was not found on this server.

Aug 27, 2015 23:29

First, good news: I made it work! :)
You can find a working update of the plugin here: https://github.com/b2evolution/ldap_plugin

It took me 5 hours to get to this point, 4 of which were about understanding how LDAP works and setting up a test environment (I had no prior experience with it).

This plugin update will show you that it can work but I believe it needs a bit more polishing to be perfect.

In order for me to work on it more efficiently please help me understand a few things about LDAP... Please look at the attached screenshots showing my Apache DS (Directory Server) install with some demo contents, as well as the plugin configuration I use to connect to it.

  • Can you tell me/show me how the data is organized on your side and what RDN/DN/Search filter you use as well as how you plan to retrieve the group so I can setup something similar? (I attached a screenshot of the groups I have in case it's similar; maybe you can tell me how to query those?)
  • In my tests I am entering a CN such as "John Fryer" for the login. Are you doing this too?
  • I would rather enter the UID "jfryer" and bind on this instead of CN, but I was unable to get it to work. Do you know if it's possible?
  • "jfryer" would be a valid b2evolution login whereas "John Fryer" includes a space which is a problem and would require more code in the plugin. So it would be nice to be able to use the uid...

No matter what, at this point I am very confident the LDAP plugin can be leveraged effectively.
