[Xerte] Configuration of LDAP authentication and the login_library.php file

Johnathan Kemp johnathan.kemp at cxstaffs.co.uk
Tue May 19 13:44:57 BST 2009


Hello Pat,
 
Many thanks for your detailed reply. I will work through it and your
reply about Xerte setup after lunch.
 
I should just add that it appears with respect to my having a working
LDAP login that I spoke too soon :-(
 
With the original version of the login_library.php file I could not log
in at all.
 
When I changed it to use the sAMAccountName (the field that contains the
user name we use to login on our network) I was able to log on to my
Toolkits site. However it appears that the password is being ignored. As
long as a valid sAMAccountName is entered then you are in - whatever
password you use.
 
There is also an issue with the length of the user name accepted in the
login box, as the current settings are too small. I think this has
already been raised by someone else.
 
Any thoughts would be most appreciated.
 
Kind regards
 
Johnathan
 
 

Johnathan Kemp
IT Dev. Manager
Connexions Staffordshire
www.cxstaffs.co.uk
01785 355714


 

 

________________________________

From: xerte-bounces at lists.nottingham.ac.uk
[mailto:xerte-bounces at lists.nottingham.ac.uk] On Behalf Of Patrick
Lockley
Sent: 19 May 2009 13:29
To: Xerte discussion list
Subject: RE: [Xerte] Configuration of LDAP authentication and the
login_library.php file



Hello

 

Ignore the installer on that front. I need to change a line.

 

You need to separate the hosts with $$$ as the delimiter.

 

As a caveat this is new territory for an install. We've done a proof of
concept using two LDAP strings here, but never three. It should be
scalable, but there is also the situation at present that certain
features (peer review, lockfile emails when a shared template editor
window closes) are not guaranteed to work (early assumptions in the code
limit it).

 

I have been debating whether or not to store an email in the
logindetails table - but this requires altering that table and I am a
bit reluctant to do this before we release version 1.5. It is an
omission on my part, but it's one of those problems when developing open
source: how to keep the system relatively stable.

 

If you have a PHP developer person I would suspect these modifications
would take under an hour or so to make (I could tell you precisely what
to change). But you would have a slightly custom install for a few files
(index.php, website_code/php/peer/peer_review.php and
website_code/php/versioncontrol/template_close.php) and a slightly
different login_details table.

 

So for the LDAP

 

I would do 

 

Host1$$$Host2$$$Host3 for hosts

Port1$$$Port2$$$Port3 for ports

And so on for each variable for the LDAP settings (bind dn, basedn,
password).

 

Reiterating my lack of LDAP knowledge - I don't understand this to any
great level - sAMAccountName - appears to be a good default academic
value for searching. The case sensitivity issue has occurred before
with one install. Maybe I could resolve this with a PHP string function
of some nature.

 

I've had two people feedback on LDAP so far (hence number of
login_library bug fixes) but I am not sure how best to proceed. I have
been mulling over making a post installer test suite - including an LDAP
page to help people work out why their settings don't like the code. We
also have the issue that we can't predict how IT literate people
installing the code are. I think the installer does a pretty good job at
the moment, though I could see scope for it providing more support - but
these things all take time. It's also very likely a lot of people
installing the code won't care for LDAP as they'll be authenticating to
something else.

 

 

I am not aware of what the LDAP filters do, but the code needs them and
they are used in the LDAP filter function, so I called them LDAP filter
1 and LDAP filter 2. Not the most original or informative, but again, I
plead ignorance on this front. 

 

I could see a case that the LDAP function "learns", or maybe just uses
an if not statement on the givenName attribute. My worry would be how
many "given names" are there - what do our non-English (apologies for
taxonomy) LDAP usernames appear as? 

I don't think you've misunderstood anything either - we are just at the
very edge of the code here and I am grateful for your feedback.

 

I hope this helps.

 

Pat

 

From: xerte-bounces at lists.nottingham.ac.uk
[mailto:xerte-bounces at lists.nottingham.ac.uk] On Behalf Of Johnathan
Kemp
Sent: 19 May 2009 12:55
To: xerte at lists.nottingham.ac.uk
Subject: [Xerte] Configuration of LDAP authentication and the
login_library.php file

 

Hello Xerte Team,

 

I now have a Xerte On-line Toolkits site that I can log on to using
LDAP, but I had some fun getting it set up and would like to clarify a
couple of things.

 

In the site setup I have set up a single ldap host, however I would like
to have three, would the correct syntax be

 

999.999.999.999\n999.999.999.999\n999.999.999.999 

 

for this, using the \n as a separator of the IP addresses, rather than a
";" ?

 

Is it possible to specify more than one ldap base and if so would it be
correct to use "\n" as the separator between bases?

 

Is there somewhere in the setup that is intended to specify the LDAP
field that will be used in the login process, so that when a username is
entered in the login form it is matched to the correct LDAP field when
checking the user name and password against LDAP? I set "The first LDAP
filter is" box to sAMAccountName but found that the login_library.php
file was using the "dn" field to match against. It was only after
working my way back through the Xerte code that I found out why I could
not log on. I had to edit lines 48 and 171 of login_library.php to use
sAMAccountName rather than dn. Similarly lines 8 and 131 refer to
"givenname" whereas our LDAP field is "givenName" so I had to edit these
as well.

 

I have to admit I am not sure what your intended use is for the fields
in the set up "The first LDAP filter" and "The second LDAP filter".

 

How practical would it be to include in the LDAP set up fields for the
LDAP values that will be

a) matched to the user id entered at login

b) used to gather the user first name

c) used to gather the user last name

 

So that discrepancies between different systems can be accommodated
without the need to edit code?

 

Or have I misunderstood something?

 

Kind regards

 

Johnathan

Johnathan Kemp
IT Dev. Manager
Connexions Staffordshire
www.cxstaffs.co.uk
01785 355714
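The login flow this thread is circling around, written out as an added example (it is not Xerte's login_library.php and not code from either correspondent). It splits the $$$-delimited host, port, bind DN, password and base DN settings Pat describes, looks the user up by a configurable attribute such as sAMAccountName, reads the first-name and last-name attributes Johnathan asks to make configurable, and then re-binds as the found user so that the password is actually verified. All host names, DNs and passwords below are constructed placeholders; the code assumes PHP 5.6 or later for ldap_escape().

```php
<?php
// Added example, not Xerte's own code. Settings are constructed
// placeholders in the $$$-delimited form described in the thread.
$ldap_settings = array(
    'hosts'      => 'ldap1.example.invalid$$$ldap2.example.invalid',
    'ports'      => '389$$$389',
    'bind_dns'   => 'CN=svc-xerte,OU=Service,DC=example,DC=invalid$$$'
                  . 'CN=svc-xerte,OU=Service,DC=example,DC=invalid',
    'bind_pws'   => 'PLACEHOLDER_SERVICE_PASSWORD$$$PLACEHOLDER_SERVICE_PASSWORD',
    'base_dns'   => 'DC=example,DC=invalid$$$DC=example,DC=invalid',
    // Attribute mapping for (a) login id, (b) first name, (c) last name,
    // so directory differences are handled in config rather than in code.
    'login_attr' => 'sAMAccountName',
    'first_name' => 'givenName',
    'last_name'  => 'sn',
);

// Split one $$$-delimited setting into a per-host list.
function split_ldap_setting($value) {
    return array_map('trim', explode('$$$', $value));
}

// Returns an array of user details on success, false on failure.
function ldap_login($settings, $username, $password) {
    // An empty password must never reach ldap_bind(): directories treat an
    // empty password as an unauthenticated bind that "succeeds" (RFC 4513).
    if ($username === '' || $password === '') {
        return false;
    }
    $hosts   = split_ldap_setting($settings['hosts']);
    $ports   = split_ldap_setting($settings['ports']);
    $binddns = split_ldap_setting($settings['bind_dns']);
    $bindpws = split_ldap_setting($settings['bind_pws']);
    $basedns = split_ldap_setting($settings['base_dns']);

    foreach ($hosts as $i => $host) {
        $ds = @ldap_connect('ldap://' . $host . ':' . (int)$ports[$i]);
        if ($ds === false) {
            continue;
        }
        ldap_set_option($ds, LDAP_OPT_PROTOCOL_VERSION, 3);
        ldap_set_option($ds, LDAP_OPT_REFERRALS, 0);

        // Step 1: bind with the service account so we can search.
        if (!@ldap_bind($ds, $binddns[$i], $bindpws[$i])) {
            ldap_close($ds);
            continue; // this host is down or the service bind failed; try the next
        }

        // Step 2: find the user's DN by the configured login attribute.
        // ldap_escape() keeps a crafted username from altering the filter.
        $filter = '(' . $settings['login_attr'] . '='
                . ldap_escape($username, '', LDAP_ESCAPE_FILTER) . ')';
        $attrs  = array('dn', $settings['first_name'], $settings['last_name']);
        $sr      = @ldap_search($ds, $basedns[$i], $filter, $attrs);
        $entries = $sr ? ldap_get_entries($ds, $sr) : false;
        if (!$entries || $entries['count'] !== 1) {
            ldap_close($ds);
            continue; // no such user (or an ambiguous match) on this host
        }
        $user_dn = $entries[0]['dn'];

        // Step 3: re-bind as the user. This is the step that verifies the
        // password; without it a valid account name alone would log in.
        if (!@ldap_bind($ds, $user_dn, $password)) {
            ldap_close($ds);
            return false; // user exists but the password is wrong
        }

        // ldap_get_entries() lowercases attribute names in its result array,
        // so a directory's "givenName" is read back under the key "givenname".
        $first = strtolower($settings['first_name']);
        $last  = strtolower($settings['last_name']);
        $result = array(
            'dn'         => $user_dn,
            'first_name' => isset($entries[0][$first][0]) ? $entries[0][$first][0] : '',
            'last_name'  => isset($entries[0][$last][0])  ? $entries[0][$last][0]  : '',
        );
        ldap_close($ds);
        return $result;
    }
    return false; // no host reachable, or user not found on any host
}

// Usage (constructed call): $user = ldap_login($ldap_settings, $_POST['username'], $_POST['password']);
```

Two things in this flow are what separate "a valid account name gets you in" from a real login: the empty-password guard, and the second ldap_bind() as the user's own DN. Finding an entry that matches sAMAccountName only proves the account exists; the directory has not checked anything about the caller until that second bind. The lowercase attribute keys returned by ldap_get_entries() also account for the "givenname" versus "givenName" difference noted in the thread: the search attribute is matched case-insensitively by the server, but the result array is always keyed in lowercase.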

 

 

________________________________

This email and any files transmitted with it are confidential and are
intended solely for the use of the individual(s) or entity(s) to whom
they are addressed. All messages are monitored for virus, high risk
files and inappropriate content. As a result users should be aware that
this mail maybe accessed, read and the right is reserved to reject,
return, remove attachments or delete if considered to be inappropriate
or unsuitable. Liability cannot be accepted for any loss or damage
arising from this email (or any attachments) or from scripts or any
virus transmitted. This communication represents the originator's
personal views and opinions, which do not necessarily reflect those of
Connexions Staffordshire. If you are not the original recipient or the
person responsible for delivering the email to the intended recipient,
be advised that you have received this email in error, and that any use,
dissemination, forwarding, printing, or copying of this email is
strictly prohibited. If you received this email in error, please
immediately reply to the sender or notify postmaster at cxstaffs.co.uk
Connexions Staffordshire Limited is registered in England No.4355170
Registered office: Foregate House, 70 Foregate Street, Stafford,
Staffordshire, ST16 2PX
