[Plugin] LDAP Authentication *SOLVED*

Started by on Dec 16, 2008 – Contents updated: Aug 08, 2013

Dec 16, 2008 06:30    

Hi All,

I have browsed the forum and found the thread that talks about the LDAP authentication plugin however I am hard pressed to get it to work :(

I really require this type of authentication for the blog which is going to be an internal one.

My PDC is running Win2k3 server and a machine is id'ed on the domain as

machinename.subdomain.domain.com
let's assume my pdc hostname is pdcname
nothing fancy as far as trees and such are being used

I am using the latest b2evo version and LDAP Authentication plugin v. 2.01-dev

I tried a bunch of values for the required fields in the LDAP authentication with no success. It's a pity this is not being maintained anymore as I feel it would be of great interest to a lot of users.

Anyways for the configuration I tried

server: pdcname:389 (tried with and w/o the port name)
RDN: cn=%s,DC=subdomain,DC=domain,DC=com
DN: DC=subdomain,DC=domain,DC=com
search filter: uid=%s
LDAP protocol version: automatic (tried 3 and 2)

Yet when I try to authenticate (by logging in using a username and pwd on the active directory) it doesn't work.
Does anyone have this working properly or have an idea what I'm doing wrong?

Thanks

Dec 17, 2008 10:33

cmon people you can do it!

Dec 17, 2008 16:48

Airbag,

Get me started... where is the plugin and where are your instructions. I'll work through this because I need to LDAP Auth as well on 2003.

Dec 17, 2008 17:02

someone's alive!

Ok here's the link to the plugin:

http://manual.b2evolution.net/Ldap_plugin <<< Main 'page'

http://evocms-plugins.svn.sourceforge.net/viewvc/evocms-plugins/ldap_plugin/trunk/ <<< actual plugin

There are no real instructions however. Just put it in your plugins directory, go to the plugins setup and install it.

From there add a new LDAP item in the configuration menu. That's where it gets blurred. There are examples of what to put in the different fields. However it goes nowhere for me. Check my previous post in this thread to get an idea.

There is also another post by the author of the plugin somewhere. Search for 'blueyed'

Dec 17, 2008 17:28

Okay... I have it installed... but need to get the settings right... so give me some time now.

Dec 17, 2008 18:47

all right... it did now work for me instantly and I'm not exactly sure how to debug this. I have another server in the same network with a better supported LDAP authentication module... so I'm switching to that server to see if the same settings will work.

One troubling thing.... there is no way of handling authentication... where is my user and authentication?

Dec 18, 2008 07:26

Hold on I'm a bit confused.

You said it worked instantly but there is no way to handle authentication for your users.

Also what settings did you use and what's your setup like (domain and all)?

Edit 1(so people watch out for this one):

Debug says
ldap_plugin_11:
LDAP does not seem to be compiled into PHP.
ldap_plugin_12:
LDAP does not seem to be compiled into PHP.

Edit 2(Once the ldap was included):

ldap_plugin_11:
Connected to server «PDC:389»..
Using rdn «cn=loginname,DC=subdomain,DC=domain,DC=com»..
Trying protocol versions: 2, 3
Could not bind to LDAP server! Error(s): "Invalid credentials" (49) (protocol version 2); "Invalid credentials" (49) (protocol version 3)
ldap_plugin_12:
Connected to server «10.35.0.4:389»..
Using rdn «cn=loginname»..
Trying protocol versions: 2, 3
Could not bind to LDAP server! Error(s): "Invalid credentials" (49) (protocol version 2); "Invalid credentials" (49) (protocol version 3)
Connected to server «:389»..
Using rdn «»..
Trying protocol versions: 2, 3
Could not bind to LDAP server! Error(s): "Can't contact LDAP server" (81) (protocol version 2); "Can't contact LDAP server" (81) (protocol version 3)

loginname = my username
subdomain and domain are from the domain controller.

Edit 3 - Important

After trial and error the following works for binding:
RDN: %s@subdomain
or
RDN: subdomain\%s

Now I'm stuck on finding the relevant user's info using the search filter and the Base DN.
Getting the following:

Code

Warning: ldap_search() [function.ldap-search]: Search: Bad search filter in C:\wamp\www\blogs\plugins\_ldap.plugin.php on line 259
 
ldap_plugin_11:
Connected to server «PDC:389»..
Using rdn «loginname@domain»..
Trying protocol versions: 3
User successfully bound to server.
Searching for user info. base_dn: DC=domain,DC=com, filter: loginname
Invalid ldap_search result. Skipping.

Edit 4 - Final *SOLVED*

At least it's solved for my setup

After a LOT of digging and debugging I guess

It appears the plugin lacks the line:

ldap_set_option($ldap_conn, LDAP_OPT_REFERRALS, 0);

So I modified the current version and added the above line after line 220 which read
ldap_set_option($ldap_conn, LDAP_OPT_PROTOCOL_VERSION, $try_version);

Important note

Search filter is set to (samAccountName=%s)

BaseDN DN=corp,DN=domain,DN=tld

so if your Domain is mycorp.super.com

Base DN is DN=mycorp,DN=super,DN=com

note NO space between the commas. No idea if that changes anything I haven't tested it yet.

oh and I left my Assign group by empty

Hope that helps. With the above I managed to login using the credentials in the LDAP server which recreated a user in the blog's own DB.
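The bind-then-search sequence this post arrives at (UPN-style bind, referrals switched off, a parenthesised sAMAccountName filter under the domain's base DN), written out as a stand-alone PHP function. This is an added example, not the plugin's code; the host, UPN suffix and base DN are constructed placeholders, and the login is escaped with ldap_escape() before it is substituted into the filter, which a bare %s substitution would not do.

```php
<?php
// Added example (not the b2evolution LDAP plugin's code). Authenticates a user
// against Active Directory the way the thread ended up doing it, and returns
// the attributes the plugin copies into the blog user, or null on failure.
function ad_authenticate(string $host, string $upn_suffix, string $base_dn,
                         string $login, string $password): ?array
{
    // Conservative allowlist for the login: anything else could alter the bind
    // identity (an embedded '@' or '\') or the search filter. An empty password
    // is refused up front because AD treats it as an unauthenticated bind that
    // "succeeds" without proving anything.
    if ($password === '' || !preg_match('/^[A-Za-z0-9._-]{1,64}$/', $login)) {
        return null;
    }

    $conn = ldap_connect('ldap://' . $host . ':389');
    if ($conn === false) {
        return null;
    }
    ldap_set_option($conn, LDAP_OPT_PROTOCOL_VERSION, 3);
    // The line the post found missing: with referral chasing on, a search under
    // the domain root makes AD hand back referrals and ldap_search() fails.
    ldap_set_option($conn, LDAP_OPT_REFERRALS, 0);

    // Bind as the user in UPN form (login@domain), which worked where
    // cn=login,DC=... did not. Failure is error 49 (invalid credentials) or
    // 81 (server unreachable).
    if (!@ldap_bind($conn, $login . '@' . $upn_suffix, $password)) {
        ldap_unbind($conn);
        return null;
    }

    // Filter must be parenthesised and carry an attribute; a bare "loginname"
    // gives the "Bad search filter" warning seen in Edit 3. Escape the value so
    // a crafted login cannot change the filter's meaning (LDAP filter injection).
    $filter  = '(sAMAccountName=' . ldap_escape($login, '', LDAP_ESCAPE_FILTER) . ')';
    $result  = @ldap_search($conn, $base_dn, $filter, ['givenName', 'sn', 'mail']);
    $entries = $result ? ldap_get_entries($conn, $result) : false;
    ldap_unbind($conn);

    // Exactly one match expected; zero usually means the base DN is wrong
    // (for example an OU the users actually sit in was left out).
    if ($entries === false || $entries['count'] !== 1) {
        return null;
    }
    $e = $entries[0]; // ldap_get_entries() lower-cases attribute names
    return [
        'first_name' => $e['givenname'][0] ?? '',
        'last_name'  => $e['sn'][0] ?? '',
        'email'      => $e['mail'][0] ?? '',
    ];
}
// Example call with constructed values:
// ad_authenticate('pdc.example.internal', 'example.internal', 'DC=example,DC=internal', 'jdoe', $pwd);
```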

Mar 09, 2009 17:29

I have been working at this a while. I am finally able to get b2e to bind to Windows 2003 AD, but I receive the following when trying to log in.

I have also communicated with "blueyed" and he was very nice, but was not in the position to lend any further support to this effort.

Code

ldap_plugin_11:
Connected to server «msldap.domain.com:389»..
Using rdn «CN=svcMTA,DC=domain,DC=com»..
Trying protocol versions: 2, 3
User successfully bound to server.
Searching for user info. base_dn: DC=domain,DC=com, filter: sAMAccountName=billg
Invalid ldap_search result. Skipping.

I also receive in the browser with display_error turned on (because I don't see any error log being created)

Code

Warning: ldap_search() [function.ldap-search]: Search: Operations error in D:\mtaweb\b2evolution\blogs\plugins\ldap_plugin\_ldap.plugin.php on line 261

Configuration specifics:
- Authentication user
I have a special user (a user configured to authenticate logins) set up, svcMTA. Because there was no password field I ended up adding this manually to the _ldap.plugin.php file. Once I added the password (yes I know it is clear text) I was able to bind.

Code

Server:    msldap.domain.com
RDN:     CN=svcMTA,DC=domain,DC=com
Base DN:  DC=domain,DC=com
Search filter:  sAMAccountName=%s
Assigned group by:  <blank>
Template Group for New:  "No Group"

b2evolution version: 2.4.6
ldap_plugin version: 2.01

The current issue:
I am now getting the "invalid ldap_search result" along with the php error. I am sure they are related. I don't do much with PHP, so I really need some hand-holding troubleshooting this.

It sounds as if there are some folks out there who have been able to successfully get the LDAP extension to work with Windows 2003 AD.

Please take a few minutes and help. You will be helping out more people than myself.

Karl

Mar 11, 2009 10:33

OK,

Let's try this.
Please try to contact me through irc://irc.freenode.net/#b2evolution
You want to turn debug on in /blogs/conf/_advanced.conf

Next change the debug part around line 261 to:

PHP

if( ! $search_result )
{ // this may happen with an empty base_dn
	$this->debug_log( 'Invalid ldap_search result. Skipping.' );
	$this->debug_log( '$ldap_conn: <pre>' . $ldap_conn . '</pre>' );
	$this->debug_log( '$l_set[\'base_dn\']: <pre>' . $l_set['base_dn'] . '</pre>' );
	$this->debug_log( '$filter: <pre>' . $filter . '</pre>' );
	continue;
}

According to the Doc $l_set['base_dn'] may be empty or not set correctly.
If so check the Plugin setting for that.

Good luck

Mar 11, 2009 12:40

Did you try this hint:
Airbag888 wrote:

It appears the plugin lacks the line:

PHP

ldap_set_option($ldap_conn, LDAP_OPT_REFERRALS, 0);

So I modified the current version and added the above line after line 220 which read

PHP

ldap_set_option($ldap_conn, LDAP_OPT_PROTOCOL_VERSION, $try_version);

For the password, if it isn't set:
We need to find out where in the process this goes wrong, but clearly you want to:

  1. check the existence of the password. Add somewhere at the top of the login function:

PHP

pre_dump( $params['pass_md5'] );

  2. At the point where you added the password try:

PHP

$params['pass_md5'] = 'ENTER MD5 OF PASSWORD HERE';

That way the bare password won't be in the file, however there is still an issue with the md5 in the open. It's only a tad more secure than leaving the password plain.
I think we may be able to find out what goes wrong there. I have a lead I need to investigate.

Good luck

Mar 11, 2009 14:30

Well, it might be seen as an ugly hack, but your input, Afwas, the suggested mods and my first attempt at PHP coding have solved my issue.

=== AFWAS you da man! :D

I have not done a lot of thorough testing, but it appears to be working well.

My situation was such that we do not allow anonymous binding to Active Directory. A user is configured for AD searching to validate login credentials. A special user is setup with a password for this purpose.

Several mods were made by afwas (see previous posts) and myself. I added the ldap_bind options for the RDN user password and also added an input field in the plug-in description.

Please correct my coding practices as this is my first attempt at PHP.

There may be issues - testing will prove this out further, but all of the functionality advertised with the original plug-in (bringing the user first name, last name, email address) works great!

Thanks for the rapid support provided!!!!

I can't see a way for me to attach the php file so let me know what is the best way to get this to the community.

Karl

Mar 11, 2009 14:50

I am new at this PHP thing - so I appreciate your patience Afwas.

I have uploaded the code and the link is:
http://b2evolution.pastebin.com/f52523c21

Please let me know what further changes might be best to make.

Boy this made my day!!!!!

Karl

Mar 11, 2009 15:00

Looks great. One modification advised:

PHP

//karlgo Windows Active Directory RDN account authentication mod
'rndpass' => array(
	'label' => T_('RDN Password'),
	'note' => T_('The LDAP RDN user password'),
	'type' => 'password', // mod: render as a password field instead of plain text
	'size' => 30,
),

Good luck

Mar 11, 2009 15:04

Excellent! Great catch and update!

I knew of coding tags for other languages - had not gotten that far with PHP.

Karl

May 24, 2009 11:25

... and without editing or hacking the PHP code.
My users sit in a Global Group called 'sysUsers' which LDAP considers an 'organisational unit', therefore I had to add this information to the Base DN.
The plug-in now works perfectly!!!

for your record... following is the way I configured the plug-in:

Server: svr01.mydomain.net.au

RDN: %s@mydomain

Base DN: ou=sysUsers,dc=mydomain,dc=net,dc=au

Search filter: sAMAccountName=%s

Assign group by: <blank>

Template Group for new: No group

LDAP protocol version: automatic

Disabled: <unticked>

Aug 07, 2013 17:52

Hi All!

I bring up this old topic because I tested this LDAP plugin with b2evo 5.0.5 recently and it seems to me that the plugin is incompatible with the current structure of the user database. The following error occurs after installing and configuring the plugin and when I try to log in with a valid ldap account.

b2evolution error: MySQL error! / Unknown column 'user_validated' in 'field list'(Errno=1054) / Your query: DataObject::dbinsert()INSERT INTO evo_users (user_login, user_pass, user_locale, user_email, user_level, user_created_datetime, user_profileupdate_date, user_grp_ID, user_status, user_unsubscribe_key, user_nickname, user_validated, user_idmode, user_ip, user_domain, user_notify, user_showonline) / VALUES ('xxxxx', 'xxxxx', 'fi-FI', '', 1, '2013-08-07 18:05:17', '2013-08-07', '11', 'new', 'xxxxx', 'xxxxx', '1', 'namefl', '1.1.1.1', 'some.where.com', '1', '1') in /xxxx/5.0.5/blogs/inc/_core/model/db/_db.class.php at line 664 / REQUEST_URI: /blogs/htsrv/login.php / HTTP_REFERER: https://xxxx/blogs/admin.php

(Private fields substituted with xxxxx.) I suppose the plugin succeeded in authentication but failed in creating the user in the b2evo user database.

Would it be possible that someone familiar with b2evo plugin development could check this out and make any necessary fixes to make it support current b2evo? Or can someone else test it to confirm if the plugin actually works or not? I'm running CentOS based Linux with OpenLDAP.

Regards,
Mikael Jokela

Aug 08, 2013 02:07

If someone tackles this, please don't write directly to the DB. Please create a User object and then use User::db_save() to save it. That way the plugin won't break when we change the DB.
