| [MOD] LDAP Login to Active Directory with Bind [message #7946] |
Fri, 23 February 2007 02:38  |
rcave
Here are code changes that let phpCollab authenticate users against Active Directory using a bind username/password (a service account that looks up the user's DN, after which the user's own password is tried). I haven't tested this code against a normal LDAP server without a bind account (it should fall back to an anonymous bind). It would be great if somebody could test it with their current setup and let me know whether it works. Note that over a plain ldap:// connection on port 389 both the bind account's password and every user's login password cross the network unencrypted, so use an ldaps:// URI (or StartTLS) anywhere that matters.
All changes were made to phpCollab 2.5 rc3
============================
includes/library.php
============================
Add these functions:
// Changes for LDAP authentication to Active Directory start
//
// This code has been modified from code originally found in:
// Mantis - a PHP based bugtracking system
// Copyright (C) 2000-2002 Kenzaburo Ito - kenito@300baud.org
// Copyright (C) 2002-2006 Mantis Team - mantisbt-dev@lists.sourceforge.net
// Under GNU GENERAL PUBLIC LICENSE Version 2, June 1991
//
/**
 * Tells whether a value is empty once leading and trailing whitespace is removed.
 *
 * @param string $p_var Value to inspect
 * @return bool true for "" or whitespace-only input, false otherwise
 * @access public
 **/
function is_blank( $p_var ) {
    return '' === trim( $p_var );
}
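/**
 * Connects to the directory named in $configLDAP and binds on the connection.
 *
 * If $p_binddn and $p_password are both blank, the configured service account
 * ($configLDAP['ldap_bind_dn'] / ['ldap_bind_passwd']) is used; if that is not
 * configured either, the bind is anonymous. The caller owns the returned handle
 * and must ldap_unbind() it.
 *
 * @param string $p_binddn   DN to bind as (optional)
 * @param string $p_password Password for that DN (optional)
 * @return resource|LDAP\Connection|false Bound connection, or false when the
 *         connect or the bind failed (an E_USER_WARNING is raised as well)
 * @access public
 **/
function ldap_connect_bind( $p_binddn = '', $p_password = '' ) {
    // $strings must be imported too: the original declared only $configLDAP, so
    // $strings[...] was undefined inside this function and the messages were empty.
    global $configLDAP, $strings;

    $t_ldap_server = $configLDAP['ldapserver'];
    // Fall back to the standard LDAP port when none is configured. ldap_connect()
    // ignores the port when $t_ldap_server is a full ldap:// or ldaps:// URI.
    $t_ldap_port = isset( $configLDAP['ldapport'] ) && '' !== trim( (string) $configLDAP['ldapport'] )
        ? (int) $configLDAP['ldapport']
        : 389;

    // Everything sent over this connection - the service-account password below
    // and, in ldap_authenticate(), every user's login password - travels in clear
    // text unless $configLDAP['ldapserver'] is an ldaps:// URI (or ldap_start_tls()
    // is added here before the bind).
    // ldap_connect() only checks its arguments; nothing goes on the wire yet.
    $t_ds = @ldap_connect( $t_ldap_server, $t_ldap_port );
    if ( !$t_ds ) {
        $t_msg = isset( $strings['ldap_server_connect_failed'] )
            ? $strings['ldap_server_connect_failed']
            : 'LDAP: cannot connect to the directory server';
        trigger_error( $t_msg, E_USER_WARNING );
        return false;
    }

    // Active Directory rejects LDAPv2 binds ("Protocol error") and the PHP
    // extension does not reliably default to v3; v3 is also a prerequisite for
    // StartTLS. Referral chasing is switched off because AD answers searches
    // under the domain root with referrals that libldap would chase with an
    // anonymous bind, turning a good lookup into an error.
    ldap_set_option( $t_ds, LDAP_OPT_PROTOCOL_VERSION, 3 );
    ldap_set_option( $t_ds, LDAP_OPT_REFERRALS, 0 );

    // No explicit credentials: use the configured service account, if any.
    if ( is_blank( $p_binddn ) && is_blank( $p_password ) ) {
        $p_binddn   = isset( $configLDAP['ldap_bind_dn'] )     ? $configLDAP['ldap_bind_dn']     : '';
        $p_password = isset( $configLDAP['ldap_bind_passwd'] ) ? $configLDAP['ldap_bind_passwd'] : '';
    }

    if ( !is_blank( $p_binddn ) && !is_blank( $p_password ) ) {
        // Warnings are suppressed because ldap_bind() also prints one on a plain
        // "Invalid credentials"; the failure is reported below instead.
        $t_br = @ldap_bind( $t_ds, $p_binddn, $p_password );
    } else {
        // A DN without a password would be an "unauthenticated" bind (RFC 4513),
        // which servers treat as anonymous anyway - bind anonymously explicitly
        // rather than pretend the DN was verified.
        $t_br = @ldap_bind( $t_ds );
    }

    if ( !$t_br ) {
        // ERROR is a constant of the Mantis original and is not defined by this
        // patch, so a real PHP error level is used. E_USER_WARNING (rather than
        // E_USER_ERROR) keeps the page alive and lets the caller act on the false
        // return. ldap_error() names the cause for the log; keep display_errors
        // off in production so it is not shown to the visitor.
        $t_msg = isset( $strings['ldap_auth_failed'] ) ? $strings['ldap_auth_failed'] : 'LDAP: bind failed';
        trigger_error( $t_msg . ' (' . ldap_error( $t_ds ) . ')', E_USER_WARNING );
        ldap_unbind( $t_ds );
        return false;
    }

    return $t_ds;
}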
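/**
 * Escapes one value for use inside an LDAP search filter (RFC 4515).
 *
 * Uses ldap_escape() (PHP >= 5.6) when it exists; otherwise encodes the filter
 * metacharacters by hand. The backslash is replaced first so the escape
 * sequences produced for the other characters are not escaped a second time.
 *
 * @param string $p_value Raw value, e.g. the login name typed into the form
 * @return string Value that is safe to concatenate into "(attr=...)"
 * @access private
 **/
function phpcollab_ldap_escape_filter( $p_value ) {
    $p_value = (string) $p_value;
    if ( function_exists( 'ldap_escape' ) ) {
        return ldap_escape( $p_value, '', LDAP_ESCAPE_FILTER );
    }
    return str_replace(
        array( '\\',   '*',    '(',    ')',    "\x00" ),
        array( '\\5c', '\\2a', '\\28', '\\29', '\\00' ),
        $p_value
    );
}

/**
 * Verifies a login name and password against the directory.
 *
 * Binds with the configured service account (or anonymously), looks the login
 * name up under $configLDAP['searchroot'] by the $configLDAP['uid'] attribute,
 * then tries to bind as each matching DN with the submitted password; the first
 * successful bind authenticates the user.
 *
 * @param string $t_username Login name from the form - untrusted
 * @param string $p_password Password from the form - untrusted
 * @return bool true if the directory accepted the password for a matching entry
 * @access public
 **/
function ldap_authenticate( $t_username, $p_password ) {
    global $configLDAP;

    // Only plain strings may reach the directory (a "username[]=x" request
    // would otherwise hand an array to the filter).
    if ( !is_string( $t_username ) || !is_string( $p_password ) ) {
        return false;
    }
    // An empty (or whitespace-only) password must never reach ldap_bind(): a
    // bind with a DN and an empty password is an "unauthenticated" bind (RFC
    // 4513) that AD and most other servers accept as anonymous, so the login
    // would succeed without any credential. A blank login name has nothing to
    // look up.
    if ( is_blank( $t_username ) || is_blank( $p_password ) ) {
        return false;
    }

    $t_ldap_root_dn   = $configLDAP['searchroot'];
    $t_ldap_uid_field = $configLDAP['uid'];

    // The login name is user input and used to be interpolated verbatim: escape
    // it so "*", "(", ")" and "\" cannot rewrite the filter ("*" alone would
    // match every account under the search root, and "x)(objectClass=*" would
    // inject a second assertion).
    $t_search_filter = '(' . $t_ldap_uid_field . '=' . phpcollab_ldap_escape_filter( $t_username ) . ')';
    $t_search_attrs  = array( $t_ldap_uid_field, 'dn' );

    $t_ds = ldap_connect_bind();
    if ( !$t_ds ) {
        return false;
    }

    // Search for the user id. A failed search used to flow on into
    // ldap_get_entries()/ldap_free_result() with a false result handle.
    $t_sr = @ldap_search( $t_ds, $t_ldap_root_dn, $t_search_filter, $t_search_attrs );
    if ( $t_sr === false ) {
        ldap_unbind( $t_ds );
        return false;
    }
    $t_info = ldap_get_entries( $t_ds, $t_sr );
    ldap_free_result( $t_sr );

    $t_authenticated = false;
    if ( is_array( $t_info ) && !empty( $t_info['count'] ) ) {
        // Try each matching entry until one accepts the password.
        for ( $i = 0; $i < $t_info['count']; $i++ ) {
            $t_dn = $t_info[$i]['dn'];
            // Re-bind on the same connection as the user. Warnings are suppressed
            // because "Invalid credentials" is the expected result for a wrong
            // password and must not end up in the page output.
            if ( @ldap_bind( $t_ds, $t_dn, $p_password ) ) {
                $t_authenticated = true;
                break;
            }
        }
    }

    ldap_unbind( $t_ds );
    return $t_authenticated;
}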
// Changes for LDAP authentication to Active Directory end
Modify is_password_match() to use the new LDAP authentication. The version below replaces the original function wholesale, so you can swap it in as a unit.
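/**
 * Helper for is_password_match(): checks a submitted password against the
 * password stored in phpCollab's own database, using the globally configured
 * $loginMethod (the MD5, CRYPT and PLAIN constants defined by phpCollab).
 *
 * @param string $formPassword   Password typed into the login form
 * @param string $storedPassword Password (or digest) stored in the database
 * @return bool true only on an exact match; false for an unknown $loginMethod
 * @access private
 **/
function is_password_match_local($formPassword, $storedPassword)
{
    global $loginMethod;

    $storedPassword = (string) $storedPassword;

    // Strict (===) comparison throughout: PHP's loose == treats two strings that
    // both look like "0e<digits>" as the number zero and calls them equal, so a
    // crafted password whose digest starts with "0e" could pass the MD5 and
    // CRYPT checks against an unrelated stored digest.
    switch ($loginMethod)
    {
        case MD5:
            return md5($formPassword) === $storedPassword;
        case CRYPT:
            // phpCollab stores the two-character salt in front of the digest
            $salt = substr($storedPassword, 0, 2);
            return crypt($formPassword, $salt) === $storedPassword;
        case PLAIN:
            return $formPassword === $storedPassword;
    }
    // Unknown or unset login method: nobody authenticates.
    return false;
}

/**
 * Checks for password match using the globally specified login method
 *
 * With $useLDAP == "true" every account except "admin" is verified against the
 * directory by ldap_authenticate(); "admin" is always checked against the local
 * database (the original fell through to ldap_authenticate() for "admin" when
 * $loginMethod matched no case, which would let a directory account named
 * "admin" log in as the built-in administrator). Without LDAP every account is
 * checked locally.
 *
 * @param string $formUsername   User name to test
 * @param string $formPassword   Password to test
 * @param string $storedPassword Password (or digest) stored in database
 * @return bool
 * @access public
 **/
function is_password_match($formUsername, $formPassword, $storedPassword )
{
    global $loginMethod, $useLDAP, $configLDAP;

    // Reject anything that is not a plain string (e.g. username[]=x in the POST
    // body) instead of letting md5()/crypt() or the LDAP filter see an array.
    if (!is_string($formUsername) || !is_string($formPassword))
    {
        return false;
    }

    if ($useLDAP == "true" && $formUsername !== "admin")
    {
        return ldap_authenticate($formUsername, $formPassword);
    }

    return is_password_match_local($formPassword, $storedPassword);
}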
============================
includes/settings.php
============================
Modify your settings to use the new parameters.
Change:
# enable LDAP
# (the LDAP lines as shipped in phpCollab 2.5 rc3 - find these in your
#  settings.php and replace them with the block under "With:" below)
$useLDAP = "false";
$configLDAP[ldapserver] = "your.ldap.server";
$configLDAP[searchroot] = "ou=People,dc=YourCompany,dc=com";
With:
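# enable LDAP
$useLDAP = "true";
# Array keys are quoted on purpose: a bare key such as $configLDAP[ldapserver]
# is read as an undefined constant (a notice/warning on PHP 5-7, a fatal error
# on PHP 8).
# Host name, or a full URI such as "ldaps://your.ldap.server" (the port setting
# is ignored when a URI is given). With plain ldap:// the bind account's
# password and every user's login password cross the network unencrypted.
$configLDAP['ldapserver'] = "your.ldap.server";
# Subtree that is searched for user accounts
$configLDAP['searchroot'] = "ou=People,dc=YourCompany,dc=com";
$configLDAP['ldapport'] = "389"; // Default is port 389 (636 for ldaps://)
# Attribute the login name is matched against: sAMAccountName for Active
# Directory, usually uid for other directories.
$configLDAP['uid'] = "sAMAccountName";
# Service account used to look up the user's DN before the user's own password
# is tried. Use a dedicated, read-only account with no other privileges: its
# password sits here in clear text, so keep this file readable by the web
# server user only.
$configLDAP['ldap_bind_dn'] = "CN=CommonName,CN=Users,DC=YourCompany,DC=com";
$configLDAP['ldap_bind_passwd'] = "<bind_password>";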
[Updated on: Fri, 23 February 2007 02:39]