[Xerte] Configuration of LDAP authentication and the login_library.php file
Johnathan Kemp
johnathan.kemp at cxstaffs.co.uk
Thu May 21 16:58:11 BST 2009
I mentioned that I had left ldap filter blank in my email of 20th May
:-)
I have extracted the authenticate_to_host function to a separate test
page that I can test outside of xerte by passing it values that match
those that get passed to it from within Xerte.
I have heavily commented it so that I can track the process of logging
on through the code.
I will keep your original code rather than substituting in the
sAMAccountName for the dn and try different values for the LDAP_filter
function.
Things will go quiet for a few days now as I must spend some time on
another project, but I hope to pick up with this in early June.
Many thanks for your help.
Kind regards
Johnathan
Johnathan Kemp
IT Dev. Manager
Connexions Staffordshire
www.cxstaffs.co.uk <http://www.cxstaffs.co.uk/>
01785 355714
________________________________
From: xerte-bounces at lists.nottingham.ac.uk
[mailto:xerte-bounces at lists.nottingham.ac.uk] On Behalf Of Patrick
Lockley
Sent: 21 May 2009 14:37
To: Xerte discussion list
Subject: RE: [Xerte] Configuration of LDAP authentication and the login_library.php file
It wasn't meant to replace login_library.
Please no one do that on a proper install.
It was a standalone LDAP tester, built around the toolkits code.
The unable to bind message is what you want though - in theory - it is
saying, this password is wrong.
Line 64 is what returns the entry array (the same one that you check on
line 185).
I've spent a while trying to replicate this, and it seems like it might
be that you've left the ldap filter blank
Try setting 'dn' back, and changing your ldap filter to cn, or cn=
From: xerte-bounces at lists.nottingham.ac.uk
[mailto:xerte-bounces at lists.nottingham.ac.uk] On Behalf Of Johnathan
Kemp
Sent: 21 May 2009 13:20
To: Xerte discussion list
Subject: RE: [Xerte] Configuration of LDAP authentication and the login_library.php file
Hello Pat,
Thanks for the script.
I initially commented out the first lines that set the
$xerte_toolkits_site-> values and used the file as a replacement for
login_library.php
This resulted in an "unable to bind" message for line 185.
I replaced the reference to 'dn' with sAMAccountName and then was logged
in to Xerte even though the password I supplied was incorrect, though
there was an "unable to bind" message then for line 64. I replaced the
'dn' reference again with a sAMAccountName and that ended any further
errors.
I then changed the $xerte_toolkits_site-> lines to echo out their
values.
All the values echoed out the matching values that are contained in the
database settings for the site.
I have deleted the server settings and dn values from the output below
so as not to make them public but the rest is as it was output.
It appears that the connection to ldap is working, the matching of the
entered username is correctly taking place and values from the LDAP
account are being returned, but that there is no check taking place of
the password, other than that one has been entered. So as long as you
enter a valid ldap account name you are in! Any ideas as to why this may
be happening will be most welcome.
Output starts with the value LDAP_preference, there is no value entered
in our database for LDAP_filter.
Kind regards
Johnathan
sAMAccountName
Array
(
    [count] => 0
)
Array
(
    [count] => 0
)
Array
(
    [count] => 0
)
Array
(
    [count] => 0
)
Array
(
    [count] => 1
    [0] => Array
        (
            [sn] => Array
                (
                    [count] => 1
                    [0] => Kemp
                )
            [0] => sn
            [givenname] => Array
                (
                    [count] => 1
                    [0] => Johnathan
                )
            [1] => givenname
            [count] => 2
            [dn] => CN=Johnathan Kemp, etc... )
)
Johnathan Kemp
IT Dev. Manager
Connexions Staffordshire
www.cxstaffs.co.uk <http://www.cxstaffs.co.uk/>
01785 355714
________________________________
From: xerte-bounces at lists.nottingham.ac.uk
[mailto:xerte-bounces at lists.nottingham.ac.uk] On Behalf Of Patrick
Lockley
Sent: 20 May 2009 15:58
To: Xerte discussion list
Subject: RE: [Xerte] Configuration of LDAP authentication and the login_library.php file
Hello,
So if you're using an LDAP password that means it's the same as we have
here, and ours works.
For reference - the "lighter" version is without the password.
I would imagine the problem has come with the changed code and how the
LDAP search occurs.
I've attached a script with a few more options in.
Basically you'll get LDAP error messages (they are usually suppressed)
and see the array LDAP returns.
Pat
From: xerte-bounces at lists.nottingham.ac.uk
[mailto:xerte-bounces at lists.nottingham.ac.uk] On Behalf Of Johnathan
Kemp
Sent: 20 May 2009 15:15
To: Xerte discussion list
Subject: RE: [Xerte] Configuration of LDAP authentication and the login_library.php file
Hello Pat,
Sorry about missing the password bit.
On the ldap page displayed by management.php I have
An ldap password
The ldap base required to find the user accounts
The ldap bind that uniquely identifies the ldap account
ldap main filter set to sAMAccountName
No value set in the ldap second filter.
I copied the code from your authenticate_to_host function in
login_library.php and ran the code by setting variables to provide it
with the equivalent of the inputs the function expects
Once the code is edited to replace line 171
if(@ldap_bind($ds, $entry[0]['dn'], $password)) {
with
if(@ldap_bind($ds, $entry[0]['sAMAccountName'], $password)) {
the code then executes returning true from line 179
It only returns true if the LDAP password is correct and the value for
$toolkits_username is a valid ldap sAMAccountName.
It will return true if the value for $password is "", a wrong password or
the correct password.
Is there any way I could be running the "lighter version" without
realising it?
Kind regards
Johnathan
Johnathan Kemp
IT Dev. Manager
Connexions Staffordshire
www.cxstaffs.co.uk <http://www.cxstaffs.co.uk/>
01785 355714
________________________________
From: xerte-bounces at lists.nottingham.ac.uk
[mailto:xerte-bounces at lists.nottingham.ac.uk] On Behalf Of Patrick
Lockley
Sent: 20 May 2009 13:36
To: Xerte discussion list
Subject: RE: [Xerte] Configuration of LDAP authentication and the login_library.php file
Thank you Monaco
Are you using an LDAP password for the host, or the "lighter" version?
Yours
Terry
From: xerte-bounces at lists.nottingham.ac.uk
[mailto:xerte-bounces at lists.nottingham.ac.uk] On Behalf Of Johnathan
Kemp
Sent: 20 May 2009 09:24
To: Xerte discussion list
Subject: RE: [Xerte] Configuration of LDAP authentication and the login_library.php file
OK, the results of the Monaco jury are:
No user name / No password = please enter your username and password
Username wrong / password wrong = sorry that password combination was
not correct
Username right / no password = please enter your password
Username right / wrong password = successful log in
Johnathan Kemp
IT Dev. Manager
Connexions Staffordshire
www.cxstaffs.co.uk <http://www.cxstaffs.co.uk/>
01785 355714
________________________________
From: xerte-bounces at lists.nottingham.ac.uk
[mailto:xerte-bounces at lists.nottingham.ac.uk] On Behalf Of Patrick
Lockley
Sent: 19 May 2009 13:45
To: Xerte discussion list
Subject: RE: [Xerte] Configuration of LDAP authentication and the login_library.php file
Are you supplying an LDAP password?
Try the following combos
No user name / No password
Username wrong / password wrong
Username right / no password
From: xerte-bounces at lists.nottingham.ac.uk
[mailto:xerte-bounces at lists.nottingham.ac.uk] On Behalf Of Johnathan
Kemp
Sent: 19 May 2009 13:45
To: Xerte discussion list
Subject: RE: [Xerte] Configuration of LDAP authentication and the login_library.php file
Hello Pat,
Many thanks for your detailed reply. I will work through it and your
reply about Xerte setup after lunch.
I should just add that it appears with respect to my having a working
LDAP login that I spoke too soon :-(
With the original version of the login_library.php file I could not log
in at all.
When I changed it to use the sAMAccountName (the field that contains the
user name we use to login on our network) I was able to log on to my
Toolkits site. However it appears that the password is being ignored. As
long as a valid sAMAccountName is entered then you are in - whatever
password you use.
There is also an issue with the length of the user name accepted in the
login box, as the current settings are too small. I think this has
already been raised by someone else.
Any thoughts would be most appreciated.
Kind regards
Johnathan
Johnathan Kemp
IT Dev. Manager
Connexions Staffordshire
www.cxstaffs.co.uk <http://www.cxstaffs.co.uk/>
01785 355714
________________________________
From: xerte-bounces at lists.nottingham.ac.uk
[mailto:xerte-bounces at lists.nottingham.ac.uk] On Behalf Of Patrick
Lockley
Sent: 19 May 2009 13:29
To: Xerte discussion list
Subject: RE: [Xerte] Configuration of LDAP authentication and the login_library.php file
Hello
Ignore the installer on that front. I need to change a line.
You need to separate the hosts with $$$ as the delimiter.
As a caveat this is new territory for an install. We've done a proof of
concept using two LDAP strings here, but never three. It should be
scalable, but there is also the situation at present that certain
features (peer review, lockfile emails when a shared template editor
window closes) are not guaranteed to work (early assumptions in the code
limit it).
I have been debating whether or not to store an email in the
logindetails table - but this requires altering that table and I am a
bit reluctant to do this before we release version 1.5. It is an
omission on my part, but one of those problems when developing open
source is how to keep the system relatively stable.
If you have a PHP developer person I would suspect these modifications
would take under an hour or so to make (I could tell you precisely what
to change). But you would have a slightly custom install for a few files
(index.php, website_code/php/peer/peer_review.php and
website_code/php/versioncontrol/template_close.php) and a slightly
different login_details table.
So for the LDAP
I would do
Host1$$$Host2$$$Host3 for hosts
Port1$$$Port2$$$Port3 for ports
And so on for each variable for the LDAP settings (bind dn, basedn,
password).
Reiterating my lack of LDAP knowledge - I don't understand this to any
great level - sAMAccountName - appears to be a good default academic
value for searching. The case sensitivity issue has occurred before
with one install. Maybe I could resolve this with a PHP string function
of some nature.
I've had two people feedback on LDAP so far (hence number of
login_library bug fixes) but I am not sure how best to proceed. I have
been mulling over making a post installer test suite - including an LDAP
page to help people work out why their settings don't like the code. We
also have the issue that we can't predict how IT literate people
installing the code are. I think the installer does a pretty good job at
the moment, though I could see scope for it providing more support - but
these things all take time. It's also very likely a lot of people
installing the code won't care for LDAP as they'll be authenticating to
something else.
I am not aware of what the LDAP filters do, but the code needs them and
they are used in the LDAP filter function, so I called them LDAP filter
1 and LDAP filter 2. Not the most original or informative, but again, I
plead ignorance on this front.
I could see a case that the LDAP function "learns", or maybe just uses
an if not statement on the givenName attribute. My worry would be how
many "given names" are there - what do our non-English (apologies for
taxonomy) LDAP usernames appear as?
I don't think you've misunderstood anything either - we are just at the
very edge of the code here and I am grateful for your feedback.
I hope this helps.
Pat
From: xerte-bounces at lists.nottingham.ac.uk
[mailto:xerte-bounces at lists.nottingham.ac.uk] On Behalf Of Johnathan
Kemp
Sent: 19 May 2009 12:55
To: xerte at lists.nottingham.ac.uk
Subject: [Xerte] Configuration of LDAP authentication and the login_library.php file
Hello Xerte Team,
I now have a Xerte On-line Toolkits site that I can log on to using
LDAP, but I had some fun getting it set up and would like to clarify a
couple of things.
In the site setup I have set up a single ldap host, however I would like
to have three, would the correct syntax be
999.999.999.999\n999.999.999.999\n999.999.999.999
for this, using the \n as a separator of the IP addresses, rather than a
";" ?
Is it possible to specify more than one ldap base and if so would it be
correct to use "\n" as the separator between bases?
Is there somewhere in the setup that is intended to specify the LDAP
field that will be used in the login process, so that when a username is
entered in the login form it is matched to the correct LDAP field when
checking the user name and password against LDAP? I set "The first LDAP
filter is" box to sAMAccountName but found that the login_library.php
file was using the "dn" field to match against. It was only after
working my way back through the Xerte code that I found out why I could
not log on. I had to edit lines 48 and 171 of login_library.php to use
sAMAccountName rather than dn. Similarly lines 8 and 131 refer to
"givenname" whereas our LDAP field is "givenName" so I had to edit these
as well.
I have to admit I am not sure what your intended use is for the fields
in the set up "The first LDAP filter" and "The second LDAP filter".
How practical would it be to include in the LDAP set up fields for the
LDAP values that will be
a) matched to the user id entered at login
b) used to gather the user first name
c) used to gather the user last name
So that discrepancies between different systems can be accommodated
without the need to edit code?
Or have I misunderstood something?
Kind regards
Johnathan
Johnathan Kemp
IT Dev. Manager
Connexions Staffordshire
www.cxstaffs.co.uk <http://www.cxstaffs.co.uk/>
01785 355714
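Added example, not part of the thread and not Xerte's login_library.php: a search-then-bind routine in the shape of the authenticate_to_host() function discussed above, written to close the "valid account name, any password" behaviour the thread reports. The three things it does differently from the fragments quoted in the thread are: it refuses to bind at all when the password is empty (RFC 4513 section 5.1.2 defines a simple bind with a name and an empty password as an "unauthenticated bind", and some servers, Active Directory by default among them, answer it with success); it matches the typed username on a configured attribute such as sAMAccountName instead of dn, with the value escaped before it goes into the filter; and it binds as the user with the full DN the search returned, treating that bind's result as the only password check. It assumes PHP 7.0 or later with ext/ldap; every parameter (URI, service account, base DN, login attribute) is a stand-in for the corresponding $xerte_toolkits_site-> setting, and the example URI in the comments is constructed.

```php
<?php
// Added example, not Xerte's code: hardened search-then-bind LDAP login.
// Assumes PHP >= 7.0 with ext/ldap. Parameters stand in for the toolkit's
// $xerte_toolkits_site-> LDAP settings.

function authenticate_ldap_user(
    string $ldap_uri,    // e.g. "ldaps://dc1.example.internal:636" (constructed)
    string $service_dn,  // service account used only to look the user up
    string $service_pw,
    string $base_dn,     // subtree the user accounts live under
    string $login_attr,  // attribute the typed username is matched on, e.g. sAMAccountName
    string $username,    // what the person typed into the login form
    string $password
): ?array {
    // RFC 4513 s5.1.2: a simple bind carrying a name but an EMPTY password is
    // an "unauthenticated bind", and some servers (Active Directory by default)
    // return success for it. Refusing empty credentials here is what turns
    // "valid account name + blank password" into a failed login.
    if ($username === '' || $password === '') {
        return null;
    }

    $ds = ldap_connect($ldap_uri);
    if ($ds === false) {
        return null;
    }
    ldap_set_option($ds, LDAP_OPT_PROTOCOL_VERSION, 3);
    ldap_set_option($ds, LDAP_OPT_REFERRALS, 0);

    // Step 1: bind as the service account so that we may search the directory.
    if (!@ldap_bind($ds, $service_dn, $service_pw)) {
        error_log('LDAP service bind failed: ' . ldap_error($ds));
        ldap_unbind($ds);
        return null;
    }

    // Step 2: locate the user's entry. The attribute name is configuration
    // (sAMAccountName, uid, cn ...) rather than hard-coded, and the typed
    // username is escaped so characters such as '*' or ')' cannot change the
    // meaning of the filter.
    $filter  = sprintf('(%s=%s)', $login_attr, ldap_escape($username, '', LDAP_ESCAPE_FILTER));
    $sr      = @ldap_search($ds, $base_dn, $filter, ['givenName', 'sn']);
    $entries = ($sr !== false) ? ldap_get_entries($ds, $sr) : false;

    // Exactly one entry must match; zero or several means we cannot say who
    // this is, so the login fails closed.
    if ($entries === false || $entries['count'] !== 1) {
        ldap_unbind($ds);
        return null;
    }
    $user = $entries[0];

    // Step 3: re-bind as the user with the full DN the directory returned.
    // A bare attribute value such as the sAMAccountName is not a DN. The
    // result of this bind is the password check; nothing else in the function
    // verifies the password.
    $bound = @ldap_bind($ds, $user['dn'], $password);
    if (!$bound) {
        error_log('LDAP user bind failed for ' . $user['dn'] . ': ' . ldap_error($ds));
    }
    ldap_unbind($ds);
    if (!$bound) {
        return null;
    }

    // ldap_get_entries() lower-cases attribute names, so the schema's givenName
    // comes back under the key 'givenname' whatever its spelling in the directory.
    return [
        'dn'        => $user['dn'],
        'firstname' => $user['givenname'][0] ?? '',
        'lastname'  => $user['sn'][0] ?? '',
    ];
}
```

Run against the combinations listed earlier in the thread, every row except "username right / password right" should return null: no username or no password is rejected before any connection is made, a wrong username yields zero search results, and a wrong password fails the user bind. Errors from ldap_bind() are still suppressed with @ so that a wrong password does not spray warnings into the page, but the reason is written to the error log via ldap_error() rather than being lost.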
________________________________
This email and any files transmitted with it are confidential and are
intended solely for the use of the individual(s) or entity(s) to whom
they are addressed. All messages are monitored for virus, high risk
files and inappropriate content. As a result users should be aware that
this mail maybe accessed, read and the right is reserved to reject,
return, remove attachments or delete if considered to be inappropriate
or unsuitable. Liability cannot be accepted for any loss or damage
arising from this email (or any attachments) or from scripts or any
virus transmitted. This communication represents the originator's
personal views and opinions, which do not necessarily reflect those of
Connexions Staffordshire. If you are not the original recipient or the
person responsible for delivering the email to the intended recipient,
be advised that you have received this email in error, and that any use,
dissemination, forwarding, printing, or copying of this email is
strictly prohibited. If you received this email in error, please
immediately reply to the sender or notify postmaster at cxstaffs.co.uk
Connexions Staffordshire Limited is registered in England No.4355170
Registered office: Foregate House, 70 Foregate Street, Stafford,
Staffordshire, ST16 2PX